From: Sasha Levin Date: Fri, 22 Dec 2023 22:48:13 +0000 (-0500) Subject: Fixes for 6.6 X-Git-Tag: v5.15.145~8 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=428ff67fc6ff54b070988a84744a91dfa2ed4ecd;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.6 Signed-off-by: Sasha Levin --- diff --git a/queue-6.6/afs-fix-dynamic-root-lookup-dns-check.patch b/queue-6.6/afs-fix-dynamic-root-lookup-dns-check.patch new file mode 100644 index 00000000000..fa9f74e9637 --- /dev/null +++ b/queue-6.6/afs-fix-dynamic-root-lookup-dns-check.patch 
@@ -0,0 +1,75 @@ +From 292eb4690f4907348ecfd5084d4bc8e873351b88 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Dec 2023 15:15:02 +0000 +Subject: afs: Fix dynamic root lookup DNS check + +From: David Howells + +[ Upstream commit 74cef6872ceaefb5b6c5c60641371ea28702d358 ] + +In the afs dynamic root directory, the ->lookup() function does a DNS check +on the cell being asked for and if the DNS upcall reports an error it will +report an error back to userspace (typically ENOENT). + +However, if a failed DNS upcall returns a new-style result, it will return +a valid result, with the status field set appropriately to indicate the +type of failure - and in that case, dns_query() doesn't return an error and +we let stat() complete with no error - which can cause confusion in +userspace as subsequent calls that trigger d_automount then fail with +ENOENT. + +Fix this by checking the status result from a valid dns_query() and +returning an error if it indicates a failure. + +Fixes: bbb4c4323a4d ("dns: Allow the dns resolver to retrieve a server set") +Reported-by: Markus Suvanto +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=216637 +Signed-off-by: David Howells +Tested-by: Markus Suvanto +cc: Marc Dionne +cc: linux-afs@lists.infradead.org +Signed-off-by: Sasha Levin +--- + fs/afs/dynroot.c | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +diff --git a/fs/afs/dynroot.c b/fs/afs/dynroot.c +index cec7d8e5ad0c9..10905a53d5b27 100644 +--- a/fs/afs/dynroot.c ++++ b/fs/afs/dynroot.c +@@ -114,6 +114,7 @@ static int afs_probe_cell_name(struct dentry *dentry) + struct afs_net *net = afs_d2net(dentry); + const char *name = dentry->d_name.name; + size_t len = dentry->d_name.len; ++ char *result = NULL; + int ret; + + /* Names prefixed with a dot are R/W mounts. 
*/ +@@ -131,9 +132,22 @@ static int afs_probe_cell_name(struct dentry *dentry) + } + + ret = dns_query(net->net, "afsdb", name, len, "srv=1", +- NULL, NULL, false); +- if (ret == -ENODATA || ret == -ENOKEY) ++ &result, NULL, false); ++ if (ret == -ENODATA || ret == -ENOKEY || ret == 0) + ret = -ENOENT; ++ if (ret > 0 && ret >= sizeof(struct dns_server_list_v1_header)) { ++ struct dns_server_list_v1_header *v1 = (void *)result; ++ ++ if (v1->hdr.zero == 0 && ++ v1->hdr.content == DNS_PAYLOAD_IS_SERVER_LIST && ++ v1->hdr.version == 1 && ++ (v1->status != DNS_LOOKUP_GOOD && ++ v1->status != DNS_LOOKUP_GOOD_WITH_BAD)) ++ return -ENOENT; ++ ++ } ++ ++ kfree(result); + return ret; + } + +-- +2.43.0 + diff --git a/queue-6.6/afs-fix-overwriting-of-result-of-dns-query.patch b/queue-6.6/afs-fix-overwriting-of-result-of-dns-query.patch new file mode 100644 index 00000000000..179121203ac --- /dev/null +++ b/queue-6.6/afs-fix-overwriting-of-result-of-dns-query.patch 
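Review bot: the early `return -ENOENT;` inside the `if (ret > 0 && ret >= sizeof(struct dns_server_list_v1_header))` block in afs_probe_cell_name skips the `kfree(result);` that follows the block, so the buffer dns_query() handed back in `result` leaks every time the upcall reports a status other than DNS_LOOKUP_GOOD or DNS_LOOKUP_GOOD_WITH_BAD. Assign rather than return there (`ret = -ENOENT;`) so control falls through to the kfree, and drop the stray blank line before the closing brace. The `ret > 0 &&` guard in front of the sizeof comparison is needed, not redundant: a negative int compared against size_t would otherwise be promoted and pass the check.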
@@ -0,0 +1,58 @@ +From 7f321cd1157bb104913d03084067077f94a57850 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Dec 2023 15:09:31 +0000 +Subject: afs: Fix overwriting of result of DNS query + +From: David Howells + +[ Upstream commit a9e01ac8c5ff32669119c40dfdc9e80eb0b7d7aa ] + +In afs_update_cell(), ret is the result of the DNS lookup and the errors +are to be handled by a switch - however, the value gets clobbered in +between by setting it to -ENOMEM in case afs_alloc_vlserver_list() +fails. + +Fix this by moving the setting of -ENOMEM into the error handling for +OOM failure. Further, only do it if we don't have an alternative error +to return. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. Based +on a patch from Anastasia Belova [1]. + +Fixes: d5c32c89b208 ("afs: Fix cell DNS lookup") +Signed-off-by: David Howells +Reviewed-by: Jeffrey Altman +cc: Anastasia Belova +cc: Marc Dionne +cc: linux-afs@lists.infradead.org +cc: lvc-project@linuxtesting.org +Link: https://lore.kernel.org/r/20231221085849.1463-1-abelova@astralinux.ru/ [1] +Link: https://lore.kernel.org/r/1700862.1703168632@warthog.procyon.org.uk/ # v1 +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/afs/cell.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/fs/afs/cell.c b/fs/afs/cell.c +index 988c2ac7cecec..926cb1188eba6 100644 +--- a/fs/afs/cell.c ++++ b/fs/afs/cell.c +@@ -409,10 +409,12 @@ static int afs_update_cell(struct afs_cell *cell) + if (ret == -ENOMEM) + goto out_wake; + +- ret = -ENOMEM; + vllist = afs_alloc_vlserver_list(0); +- if (!vllist) ++ if (!vllist) { ++ if (ret >= 0) ++ ret = -ENOMEM; + goto out_wake; ++ } + + switch (ret) { + case -ENODATA: +-- +2.43.0 + diff --git a/queue-6.6/afs-fix-the-dynamic-root-s-d_delete-to-always-delete.patch b/queue-6.6/afs-fix-the-dynamic-root-s-d_delete-to-always-delete.patch new file mode 100644 index 00000000000..bdeb3d606b3 --- /dev/null 
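Review bot: the `if (ret >= 0) ret = -ENOMEM;` inside the new `if (!vllist) {` block in afs_update_cell carries no comment, and the reason for the guard (a negative dns_query() result must survive so the `switch (ret)` below can act on it, with -ENOMEM only a fallback when the lookup itself succeeded) lives solely in the commit message. Add a one-line comment at that point so a later cleanup does not fold it back into the unconditional `ret = -ENOMEM;` this hunk removes.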
+++ b/queue-6.6/afs-fix-the-dynamic-root-s-d_delete-to-always-delete.patch @@ -0,0 +1,53 @@ +From cc461f90de18a6541d11e5af5ec97e4397b8de8d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Dec 2023 15:08:57 +0000 +Subject: afs: Fix the dynamic root's d_delete to always delete unused dentries + +From: David Howells + +[ Upstream commit 71f8b55bc30e82d6355e07811213d847981a32e2 ] + +Fix the afs dynamic root's d_delete function to always delete unused +dentries rather than only deleting them if they're positive. With things +as they stand upstream, negative dentries stemming from failed DNS lookups +stick around preventing retries. + +Fixes: 66c7e1d319a5 ("afs: Split the dynroot stuff out and give it its own ops tables") +Signed-off-by: David Howells +Tested-by: Markus Suvanto +cc: Marc Dionne +cc: linux-afs@lists.infradead.org +Signed-off-by: Sasha Levin +--- + fs/afs/dynroot.c | 13 +------------ + 1 file changed, 1 insertion(+), 12 deletions(-) + +diff --git a/fs/afs/dynroot.c b/fs/afs/dynroot.c +index 8081d68004d05..cec7d8e5ad0c9 100644 +--- a/fs/afs/dynroot.c ++++ b/fs/afs/dynroot.c +@@ -252,20 +252,9 @@ static int afs_dynroot_d_revalidate(struct dentry *dentry, unsigned int flags) + return 1; + } + +-/* +- * Allow the VFS to enquire as to whether a dentry should be unhashed (mustn't +- * sleep) +- * - called from dput() when d_count is going to 0. +- * - return 1 to request dentry be unhashed, 0 otherwise +- */ +-static int afs_dynroot_d_delete(const struct dentry *dentry) +-{ +- return d_really_is_positive(dentry); +-} +- + const struct dentry_operations afs_dynroot_dentry_operations = { + .d_revalidate = afs_dynroot_d_revalidate, +- .d_delete = afs_dynroot_d_delete, ++ .d_delete = always_delete_dentry, + .d_release = afs_d_release, + .d_automount = afs_d_automount, + }; +-- +2.43.0 + 
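Review bot: the hunk that swaps `.d_delete = afs_dynroot_d_delete,` for `.d_delete = always_delete_dentry,` also deletes the comment block that documented the d_delete contract (must not sleep, called from dput() when d_count reaches 0, return 1 to unhash). Since the removed function returned `d_really_is_positive(dentry)`, positive dentries were already unhashed and the net change is that negative dentries from failed DNS lookups now go too, which matches the subject; a short comment beside the ops table saying why the dynamic root must not cache negative dentries (so a later DNS retry is possible) would keep that rationale in the source rather than only in the log.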
diff --git a/queue-6.6/afs-fix-use-after-free-due-to-get-remove-race-in-vol.patch b/queue-6.6/afs-fix-use-after-free-due-to-get-remove-race-in-vol.patch new file mode 100644 index 00000000000..455b24bd3c6 --- /dev/null +++ b/queue-6.6/afs-fix-use-after-free-due-to-get-remove-race-in-vol.patch 
@@ -0,0 +1,128 @@ +From 512a0275b4f301b3d4e8123fe97cb82e702cf1ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Dec 2023 13:57:31 +0000 +Subject: afs: Fix use-after-free due to get/remove race in volume tree + +From: David Howells + +[ Upstream commit 9a6b294ab496650e9f270123730df37030911b55 ] + +When an afs_volume struct is put, its refcount is reduced to 0 before +the cell->volume_lock is taken and the volume removed from the +cell->volumes tree. + +Unfortunately, this means that the lookup code can race and see a volume +with a zero ref in the tree, resulting in a use-after-free: + + refcount_t: addition on 0; use-after-free. + WARNING: CPU: 3 PID: 130782 at lib/refcount.c:25 refcount_warn_saturate+0x7a/0xda + ... + RIP: 0010:refcount_warn_saturate+0x7a/0xda + ... + Call Trace: + afs_get_volume+0x3d/0x55 + afs_create_volume+0x126/0x1de + afs_validate_fc+0xfe/0x130 + afs_get_tree+0x20/0x2e5 + vfs_get_tree+0x1d/0xc9 + do_new_mount+0x13b/0x22e + do_mount+0x5d/0x8a + __do_sys_mount+0x100/0x12a + do_syscall_64+0x3a/0x94 + entry_SYSCALL_64_after_hwframe+0x62/0x6a + +Fix this by: + + (1) When putting, use a flag to indicate if the volume has been removed + from the tree and skip the rb_erase if it has. + + (2) When looking up, use a conditional ref increment and if it fails + because the refcount is 0, replace the node in the tree and set the + removal flag. 
+ +Fixes: 20325960f875 ("afs: Reorganise volume and server trees to be rooted on the cell") +Signed-off-by: David Howells +Reviewed-by: Jeffrey Altman +cc: Marc Dionne +cc: linux-afs@lists.infradead.org +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/afs/internal.h | 2 ++ + fs/afs/volume.c | 26 +++++++++++++++++++++++--- + 2 files changed, 25 insertions(+), 3 deletions(-) + +diff --git a/fs/afs/internal.h b/fs/afs/internal.h +index 5041eae64423a..c4bf8439bc9c9 100644 +--- a/fs/afs/internal.h ++++ b/fs/afs/internal.h +@@ -586,6 +586,7 @@ struct afs_volume { + #define AFS_VOLUME_OFFLINE 4 /* - T if volume offline notice given */ + #define AFS_VOLUME_BUSY 5 /* - T if volume busy notice given */ + #define AFS_VOLUME_MAYBE_NO_IBULK 6 /* - T if some servers don't have InlineBulkStatus */ ++#define AFS_VOLUME_RM_TREE 7 /* - Set if volume removed from cell->volumes */ + #ifdef CONFIG_AFS_FSCACHE + struct fscache_volume *cache; /* Caching cookie */ + #endif +@@ -1513,6 +1514,7 @@ extern struct afs_vlserver_list *afs_extract_vlserver_list(struct afs_cell *, + extern struct afs_volume *afs_create_volume(struct afs_fs_context *); + extern int afs_activate_volume(struct afs_volume *); + extern void afs_deactivate_volume(struct afs_volume *); ++bool afs_try_get_volume(struct afs_volume *volume, enum afs_volume_trace reason); + extern struct afs_volume *afs_get_volume(struct afs_volume *, enum afs_volume_trace); + extern void afs_put_volume(struct afs_net *, struct afs_volume *, enum afs_volume_trace); + extern int afs_check_volume_status(struct afs_volume *, struct afs_operation *); +diff --git a/fs/afs/volume.c b/fs/afs/volume.c +index 29d483c802813..115c081a8e2ce 100644 +--- a/fs/afs/volume.c ++++ b/fs/afs/volume.c +@@ -32,8 +32,13 @@ static struct afs_volume *afs_insert_volume_into_cell(struct afs_cell *cell, + } else if (p->vid > volume->vid) { + pp = &(*pp)->rb_right; + } else { +- volume = afs_get_volume(p, afs_volume_trace_get_cell_insert); +- goto 
found; ++ if (afs_try_get_volume(p, afs_volume_trace_get_cell_insert)) { ++ volume = p; ++ goto found; ++ } ++ ++ set_bit(AFS_VOLUME_RM_TREE, &volume->flags); ++ rb_replace_node_rcu(&p->cell_node, &volume->cell_node, &cell->volumes); + } + } + +@@ -56,7 +61,8 @@ static void afs_remove_volume_from_cell(struct afs_volume *volume) + afs_volume_trace_remove); + write_seqlock(&cell->volume_lock); + hlist_del_rcu(&volume->proc_link); +- rb_erase(&volume->cell_node, &cell->volumes); ++ if (!test_and_set_bit(AFS_VOLUME_RM_TREE, &volume->flags)) ++ rb_erase(&volume->cell_node, &cell->volumes); + write_sequnlock(&cell->volume_lock); + } + } +@@ -231,6 +237,20 @@ static void afs_destroy_volume(struct afs_net *net, struct afs_volume *volume) + _leave(" [destroyed]"); + } + ++/* ++ * Try to get a reference on a volume record. ++ */ ++bool afs_try_get_volume(struct afs_volume *volume, enum afs_volume_trace reason) ++{ ++ int r; ++ ++ if (__refcount_inc_not_zero(&volume->ref, &r)) { ++ trace_afs_volume(volume->vid, r + 1, reason); ++ return true; ++ } ++ return false; ++} ++ + /* + * Get a reference on a volume record. + */ +-- +2.43.0 + diff --git a/queue-6.6/arm-dts-dra7-fix-dra7-l3-noc-node-register-size.patch b/queue-6.6/arm-dts-dra7-fix-dra7-l3-noc-node-register-size.patch new file mode 100644 index 00000000000..c9d75671670 --- /dev/null +++ b/queue-6.6/arm-dts-dra7-fix-dra7-l3-noc-node-register-size.patch 
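Review bot: in the afs_insert_volume_into_cell hunk, `set_bit(AFS_VOLUME_RM_TREE, &volume->flags);` marks `volume`, the record being inserted, while the following `rb_replace_node_rcu(&p->cell_node, &volume->cell_node, &cell->volumes);` is what takes `p`, the zero-ref record, out of the tree. Point (1) of the message says the flag tells afs_remove_volume_from_cell that a volume is already out of the tree so `rb_erase` is skipped; with the flag on the new `volume`, its own eventual removal would skip rb_erase and leave a zero-ref node behind, while the dying `p` still has the flag clear and would rb_erase a node that is no longer linked. It looks like this should be `&p->flags`; please confirm. Minor: the new `bool afs_try_get_volume(...)` prototype in internal.h omits the `extern` its neighbouring declarations use.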
@@ -0,0 +1,38 @@ +From 516be30019e2ff53ab35a1c395477a68bf14237f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Nov 2023 12:16:04 -0600 +Subject: ARM: dts: dra7: Fix DRA7 L3 NoC node register size + +From: Andrew Davis + +[ Upstream commit 1e5caee2ba8f1426e8098afb4ca38dc40a0ca71b ] + +This node can access any part of the L3 configuration registers space, +including CLK1 and CLK2 which are 0x800000 offset. Restore this area +size to include these areas. + +Fixes: 7f2659ce657e ("ARM: dts: Move dra7 l3 noc to a separate node") +Signed-off-by: Andrew Davis +Message-ID: <20231113181604.546444-1-afd@ti.com> +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/ti/omap/dra7.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/ti/omap/dra7.dtsi b/arch/arm/boot/dts/ti/omap/dra7.dtsi +index 3f3e52e3b3752..6509c742fb58c 100644 +--- a/arch/arm/boot/dts/ti/omap/dra7.dtsi ++++ b/arch/arm/boot/dts/ti/omap/dra7.dtsi +@@ -147,7 +147,7 @@ + + l3-noc@44000000 { + compatible = "ti,dra7-l3-noc"; +- reg = <0x44000000 0x1000>, ++ reg = <0x44000000 0x1000000>, + <0x45000000 0x1000>; + interrupts-extended = <&crossbar_mpu GIC_SPI 4 IRQ_TYPE_LEVEL_HIGH>, + <&wakeupgen GIC_SPI 10 IRQ_TYPE_LEVEL_HIGH>; +-- +2.43.0 + diff --git a/queue-6.6/arm-omap2-fix-null-pointer-dereference-and-memory-le.patch b/queue-6.6/arm-omap2-fix-null-pointer-dereference-and-memory-le.patch new file mode 100644 index 00000000000..f4acfd995d6 --- /dev/null +++ b/queue-6.6/arm-omap2-fix-null-pointer-dereference-and-memory-le.patch 
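Review bot: the enlarged first entry `reg = <0x44000000 0x1000000>,` now ends exactly at 0x45000000, where the second entry `<0x45000000 0x1000>` starts, so the two windows abut without overlapping, but the commit message explains only why the region must reach CLK1/CLK2 at offset 0x800000, not why the full 16 MiB is the right size; since "Restore" implies this was the value before 7f2659ce657e, say so explicitly in the message.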
@@ -0,0 +1,50 @@ +From 7b2cb62c1ffafb62105c7d0578718c818e22f730 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Nov 2023 22:52:37 +0800 +Subject: ARM: OMAP2+: Fix null pointer dereference and memory leak in + omap_soc_device_init + +From: Kunwu Chan + +[ Upstream commit c72b9c33ef9695ad7ce7a6eb39a9df8a01b70796 ] + +kasprintf() returns a pointer to dynamically allocated memory which can +be NULL upon failure. When 'soc_dev_attr->family' is NULL,it'll trigger +the null pointer dereference issue, such as in 'soc_info_show'. + +And when 'soc_device_register' fails, it's necessary to release +'soc_dev_attr->family' to avoid memory leaks. + +Fixes: 6770b2114325 ("ARM: OMAP2+: Export SoC information to userspace") +Signed-off-by: Kunwu Chan +Message-ID: <20231123145237.609442-1-chentao@kylinos.cn> +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/mach-omap2/id.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/arch/arm/mach-omap2/id.c b/arch/arm/mach-omap2/id.c +index 98999aa8cc0c0..7f387706368a6 100644 +--- a/arch/arm/mach-omap2/id.c ++++ b/arch/arm/mach-omap2/id.c +@@ -793,11 +793,16 @@ void __init omap_soc_device_init(void) + + soc_dev_attr->machine = soc_name; + soc_dev_attr->family = omap_get_family(); ++ if (!soc_dev_attr->family) { ++ kfree(soc_dev_attr); ++ return; ++ } + soc_dev_attr->revision = soc_rev; + soc_dev_attr->custom_attr_group = omap_soc_groups[0]; + + soc_dev = soc_device_register(soc_dev_attr); + if (IS_ERR(soc_dev)) { ++ kfree(soc_dev_attr->family); + kfree(soc_dev_attr); + return; + } +-- +2.43.0 + diff --git a/queue-6.6/arm64-dts-allwinner-h616-update-emac-for-orange-pi-z.patch b/queue-6.6/arm64-dts-allwinner-h616-update-emac-for-orange-pi-z.patch new file mode 100644 index 00000000000..5eb1d2a3e4b --- /dev/null +++ b/queue-6.6/arm64-dts-allwinner-h616-update-emac-for-orange-pi-z.patch 
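Review bot: the new `if (!soc_dev_attr->family) { kfree(soc_dev_attr); return; }` in omap_soc_device_init bails out silently, so a kasprintf() failure leaves no SoC device registered and nothing in the log; add a pr_warn() before the return so a missing soc entry in sysfs can be diagnosed. The second hunk's `kfree(soc_dev_attr->family);` ahead of `kfree(soc_dev_attr);` is the right order on the soc_device_register error path; the other fields (`machine`, `revision`) are left alone, which is fine only if soc_name and soc_rev are not heap-allocated, something the hunk does not show and the message could state.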
@@ -0,0 +1,71 @@ +From 43e59a1ad33fb3c80b726b5bd603ecc0bbe89063 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 29 Oct 2023 15:40:09 +0800 +Subject: arm64: dts: allwinner: h616: update emac for Orange Pi Zero 3 + +From: Chukun Pan + +[ Upstream commit b9622937d95809ef89904583191571a9fa326402 ] + +The current emac setting is not suitable for Orange Pi Zero 3, +move it back to Orange Pi Zero 2 DT. Also update phy mode and +delay values for emac on Orange Pi Zero 3. +With these changes, Ethernet now looks stable. + +Fixes: 322bf103204b ("arm64: dts: allwinner: h616: Split Orange Pi Zero 2 DT") +Signed-off-by: Chukun Pan +Reviewed-by: Jernej Skrabec +Link: https://lore.kernel.org/r/20231029074009.7820-2-amadeus@jmu.edu.cn +Signed-off-by: Jernej Skrabec +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/allwinner/sun50i-h616-orangepi-zero.dtsi | 3 --- + arch/arm64/boot/dts/allwinner/sun50i-h616-orangepi-zero2.dts | 3 +++ + arch/arm64/boot/dts/allwinner/sun50i-h618-orangepi-zero3.dts | 2 ++ + 3 files changed, 5 insertions(+), 3 deletions(-) + +diff --git a/arch/arm64/boot/dts/allwinner/sun50i-h616-orangepi-zero.dtsi b/arch/arm64/boot/dts/allwinner/sun50i-h616-orangepi-zero.dtsi +index 15290e6892fca..fc7315b944065 100644 +--- a/arch/arm64/boot/dts/allwinner/sun50i-h616-orangepi-zero.dtsi ++++ b/arch/arm64/boot/dts/allwinner/sun50i-h616-orangepi-zero.dtsi +@@ -68,10 +68,7 @@ + &emac0 { + pinctrl-names = "default"; + pinctrl-0 = <&ext_rgmii_pins>; +- phy-mode = "rgmii"; + phy-handle = <&ext_rgmii_phy>; +- allwinner,rx-delay-ps = <3100>; +- allwinner,tx-delay-ps = <700>; + status = "okay"; + }; + +diff --git a/arch/arm64/boot/dts/allwinner/sun50i-h616-orangepi-zero2.dts b/arch/arm64/boot/dts/allwinner/sun50i-h616-orangepi-zero2.dts +index d83852e72f063..b5d713926a341 100644 +--- a/arch/arm64/boot/dts/allwinner/sun50i-h616-orangepi-zero2.dts ++++ b/arch/arm64/boot/dts/allwinner/sun50i-h616-orangepi-zero2.dts +@@ -13,6 +13,9 @@ + }; + + &emac0 { ++ 
allwinner,rx-delay-ps = <3100>; ++ allwinner,tx-delay-ps = <700>; ++ phy-mode = "rgmii"; + phy-supply = <®_dcdce>; + }; + +diff --git a/arch/arm64/boot/dts/allwinner/sun50i-h618-orangepi-zero3.dts b/arch/arm64/boot/dts/allwinner/sun50i-h618-orangepi-zero3.dts +index 00fe28caac939..b3b1b8692125f 100644 +--- a/arch/arm64/boot/dts/allwinner/sun50i-h618-orangepi-zero3.dts ++++ b/arch/arm64/boot/dts/allwinner/sun50i-h618-orangepi-zero3.dts +@@ -13,6 +13,8 @@ + }; + + &emac0 { ++ allwinner,tx-delay-ps = <700>; ++ phy-mode = "rgmii-rxid"; + phy-supply = <®_dldo1>; + }; + +-- +2.43.0 + diff --git a/queue-6.6/bluetooth-fix-deadlock-in-vhci_send_frame.patch b/queue-6.6/bluetooth-fix-deadlock-in-vhci_send_frame.patch new file mode 100644 index 00000000000..f312920c6b2 --- /dev/null +++ b/queue-6.6/bluetooth-fix-deadlock-in-vhci_send_frame.patch 
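Review bot: the zero3 hunk sets `phy-mode = "rgmii-rxid";` together with only `allwinner,tx-delay-ps = <700>;` and no rx-delay, while the zero2 hunk keeps `phy-mode = "rgmii";` with both delays; that is internally consistent (rgmii-rxid leaves the RX delay to the PHY) but the message only says "update phy mode and delay values", so spell out that the RX delay moves from MAC to PHY on the Zero 3. Also note that after the first hunk the shared sun50i-h616-orangepi-zero.dtsi no longer sets any phy-mode, so any further board including it must supply one.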
@@ -0,0 +1,133 @@ +From 53a14e49ad585b4a56b729b656e65859da243c6d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Nov 2023 01:46:05 +0000 +Subject: Bluetooth: Fix deadlock in vhci_send_frame + +From: Ying Hsu + +[ Upstream commit 769bf60e17ee1a56a81e7c031192c3928312c52e ] + +syzbot found a potential circular dependency leading to a deadlock: + -> #3 (&hdev->req_lock){+.+.}-{3:3}: + __mutex_lock_common+0x1b6/0x1bc2 kernel/locking/mutex.c:599 + __mutex_lock kernel/locking/mutex.c:732 [inline] + mutex_lock_nested+0x17/0x1c kernel/locking/mutex.c:784 + hci_dev_do_close+0x3f/0x9f net/bluetooth/hci_core.c:551 + hci_rfkill_set_block+0x130/0x1ac net/bluetooth/hci_core.c:935 + rfkill_set_block+0x1e6/0x3b8 net/rfkill/core.c:345 + rfkill_fop_write+0x2d8/0x672 net/rfkill/core.c:1274 + vfs_write+0x277/0xcf5 fs/read_write.c:594 + ksys_write+0x19b/0x2bd fs/read_write.c:650 + do_syscall_x64 arch/x86/entry/common.c:55 [inline] + do_syscall_64+0x51/0xba arch/x86/entry/common.c:93 + entry_SYSCALL_64_after_hwframe+0x61/0xcb + + -> #2 (rfkill_global_mutex){+.+.}-{3:3}: + __mutex_lock_common+0x1b6/0x1bc2 kernel/locking/mutex.c:599 + __mutex_lock kernel/locking/mutex.c:732 [inline] + mutex_lock_nested+0x17/0x1c kernel/locking/mutex.c:784 + rfkill_register+0x30/0x7e3 net/rfkill/core.c:1045 + hci_register_dev+0x48f/0x96d net/bluetooth/hci_core.c:2622 + __vhci_create_device drivers/bluetooth/hci_vhci.c:341 [inline] + vhci_create_device+0x3ad/0x68f drivers/bluetooth/hci_vhci.c:374 + vhci_get_user drivers/bluetooth/hci_vhci.c:431 [inline] + vhci_write+0x37b/0x429 drivers/bluetooth/hci_vhci.c:511 + call_write_iter include/linux/fs.h:2109 [inline] + new_sync_write fs/read_write.c:509 [inline] + vfs_write+0xaa8/0xcf5 fs/read_write.c:596 + ksys_write+0x19b/0x2bd fs/read_write.c:650 + do_syscall_x64 arch/x86/entry/common.c:55 [inline] + do_syscall_64+0x51/0xba arch/x86/entry/common.c:93 + entry_SYSCALL_64_after_hwframe+0x61/0xcb + + -> #1 (&data->open_mutex){+.+.}-{3:3}: + 
__mutex_lock_common+0x1b6/0x1bc2 kernel/locking/mutex.c:599 + __mutex_lock kernel/locking/mutex.c:732 [inline] + mutex_lock_nested+0x17/0x1c kernel/locking/mutex.c:784 + vhci_send_frame+0x68/0x9c drivers/bluetooth/hci_vhci.c:75 + hci_send_frame+0x1cc/0x2ff net/bluetooth/hci_core.c:2989 + hci_sched_acl_pkt net/bluetooth/hci_core.c:3498 [inline] + hci_sched_acl net/bluetooth/hci_core.c:3583 [inline] + hci_tx_work+0xb94/0x1a60 net/bluetooth/hci_core.c:3654 + process_one_work+0x901/0xfb8 kernel/workqueue.c:2310 + worker_thread+0xa67/0x1003 kernel/workqueue.c:2457 + kthread+0x36a/0x430 kernel/kthread.c:319 + ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298 + + -> #0 ((work_completion)(&hdev->tx_work)){+.+.}-{0:0}: + check_prev_add kernel/locking/lockdep.c:3053 [inline] + check_prevs_add kernel/locking/lockdep.c:3172 [inline] + validate_chain kernel/locking/lockdep.c:3787 [inline] + __lock_acquire+0x2d32/0x77fa kernel/locking/lockdep.c:5011 + lock_acquire+0x273/0x4d5 kernel/locking/lockdep.c:5622 + __flush_work+0xee/0x19f kernel/workqueue.c:3090 + hci_dev_close_sync+0x32f/0x1113 net/bluetooth/hci_sync.c:4352 + hci_dev_do_close+0x47/0x9f net/bluetooth/hci_core.c:553 + hci_rfkill_set_block+0x130/0x1ac net/bluetooth/hci_core.c:935 + rfkill_set_block+0x1e6/0x3b8 net/rfkill/core.c:345 + rfkill_fop_write+0x2d8/0x672 net/rfkill/core.c:1274 + vfs_write+0x277/0xcf5 fs/read_write.c:594 + ksys_write+0x19b/0x2bd fs/read_write.c:650 + do_syscall_x64 arch/x86/entry/common.c:55 [inline] + do_syscall_64+0x51/0xba arch/x86/entry/common.c:93 + entry_SYSCALL_64_after_hwframe+0x61/0xcb + +This change removes the need for acquiring the open_mutex in +vhci_send_frame, thus eliminating the potential deadlock while +maintaining the required packet ordering. 
+ +Fixes: 92d4abd66f70 ("Bluetooth: vhci: Fix race when opening vhci device") +Signed-off-by: Ying Hsu +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/hci_vhci.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/bluetooth/hci_vhci.c b/drivers/bluetooth/hci_vhci.c +index f3892e9ce800f..572d68d52965f 100644 +--- a/drivers/bluetooth/hci_vhci.c ++++ b/drivers/bluetooth/hci_vhci.c +@@ -11,6 +11,7 @@ + #include + #include + ++#include + #include + #include + #include +@@ -44,6 +45,7 @@ struct vhci_data { + bool wakeup; + __u16 msft_opcode; + bool aosp_capable; ++ atomic_t initialized; + }; + + static int vhci_open_dev(struct hci_dev *hdev) +@@ -75,11 +77,10 @@ static int vhci_send_frame(struct hci_dev *hdev, struct sk_buff *skb) + + memcpy(skb_push(skb, 1), &hci_skb_pkt_type(skb), 1); + +- mutex_lock(&data->open_mutex); + skb_queue_tail(&data->readq, skb); +- mutex_unlock(&data->open_mutex); + +- wake_up_interruptible(&data->read_wait); ++ if (atomic_read(&data->initialized)) ++ wake_up_interruptible(&data->read_wait); + return 0; + } + +@@ -464,7 +465,8 @@ static int __vhci_create_device(struct vhci_data *data, __u8 opcode) + skb_put_u8(skb, 0xff); + skb_put_u8(skb, opcode); + put_unaligned_le16(hdev->id, skb_put(skb, 2)); +- skb_queue_tail(&data->readq, skb); ++ skb_queue_head(&data->readq, skb); ++ atomic_inc(&data->initialized); + + wake_up_interruptible(&data->read_wait); + return 0; +-- +2.43.0 + diff --git a/queue-6.6/bluetooth-fix-not-notifying-when-connection-encrypti.patch b/queue-6.6/bluetooth-fix-not-notifying-when-connection-encrypti.patch new file mode 100644 index 00000000000..b910d442b38 --- /dev/null +++ b/queue-6.6/bluetooth-fix-not-notifying-when-connection-encrypti.patch 
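Review bot: `atomic_inc(&data->initialized);` in __vhci_create_device is used purely as a boolean (vhci_send_frame only does `atomic_read(&data->initialized)`), so `atomic_set(&data->initialized, 1)` would state the intent more clearly and avoid any question of what a count above one means. A comment in vhci_send_frame would also help: why `skb_queue_tail(&data->readq, skb);` no longer needs open_mutex (the readq spinlock orders the queue, and the vendor packet is now inserted with `skb_queue_head` so it still precedes any frames queued before initialization), and why a frame queued while `initialized` is still zero cannot lose its wakeup (the `wake_up_interruptible(&data->read_wait);` that follows the atomic_inc covers it).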
@@ -0,0 +1,51 @@ +From 86206b1d4d83416d395b9bea45ff656ee88a855d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Oct 2023 16:26:23 -0700 +Subject: Bluetooth: Fix not notifying when connection encryption changes + +From: Luiz Augusto von Dentz + +[ Upstream commit f67eabffb57d0bee379994a18ec5f462b2cbdf86 ] + +Some layers such as SMP depend on getting notified about encryption +changes immediately as they only allow certain PDU to be transmitted +over an encrypted link which may cause SMP implementation to reject +valid PDUs received thus causing pairing to fail when it shouldn't. + +Fixes: 7aca0ac4792e ("Bluetooth: Wait for HCI_OP_WRITE_AUTH_PAYLOAD_TO to complete") +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_event.c | 8 +------- + 1 file changed, 1 insertion(+), 7 deletions(-) + +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c +index f6d3150bcbb03..da756cbf62206 100644 +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -820,8 +820,6 @@ static u8 hci_cc_write_auth_payload_timeout(struct hci_dev *hdev, void *data, + if (!rp->status) + conn->auth_payload_timeout = get_unaligned_le16(sent + 2); + +- hci_encrypt_cfm(conn, 0); +- + unlock: + hci_dev_unlock(hdev); + +@@ -3683,12 +3681,8 @@ static void hci_encrypt_change_evt(struct hci_dev *hdev, void *data, + cp.handle = cpu_to_le16(conn->handle); + cp.timeout = cpu_to_le16(hdev->auth_payload_timeout); + if (hci_send_cmd(conn->hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO, +- sizeof(cp), &cp)) { ++ sizeof(cp), &cp)) + bt_dev_err(hdev, "write auth payload timeout failed"); +- goto notify; +- } +- +- goto unlock; + } + + notify: +-- +2.43.0 + diff --git a/queue-6.6/bluetooth-hci_core-fix-hci_conn_hash_lookup_cis.patch b/queue-6.6/bluetooth-hci_core-fix-hci_conn_hash_lookup_cis.patch new file mode 100644 index 00000000000..d3a852a97ba --- /dev/null +++ b/queue-6.6/bluetooth-hci_core-fix-hci_conn_hash_lookup_cis.patch 
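Review bot: with the `goto notify;` / `goto unlock;` pair removed from hci_encrypt_change_evt, the function now falls through to `notify:` whether or not HCI_OP_WRITE_AUTH_PAYLOAD_TO was sent, and the first hunk drops the `hci_encrypt_cfm(conn, 0);` from hci_cc_write_auth_payload_timeout entirely. That is the intended "notify immediately" behaviour, but the message should say so in those terms, otherwise a reader of the first hunk alone cannot tell whether the removed call was redundant or a regression; the `unlock:` label that remains in hci_cc_write_auth_payload_timeout is still reachable from the earlier error paths, so no dead label is left.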
@@ -0,0 +1,44 @@ +From 58d187c40c61a080e3b8345a44a2318ad89262a0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Dec 2023 17:22:29 -0500 +Subject: Bluetooth: hci_core: Fix hci_conn_hash_lookup_cis + +From: Luiz Augusto von Dentz + +[ Upstream commit 50efc63d1a7a7b9a6ed21adae1b9a7123ec8abc0 ] + +hci_conn_hash_lookup_cis shall always match the requested CIG and CIS +ids even when they are unset as otherwise it result in not being able +to bind/connect different sockets to the same address as that would +result in having multiple sockets mapping to the same hci_conn which +doesn't really work and prevents BAP audio configuration such as +AC 6(i) when CIG and CIS are left unset. + +Fixes: c14516faede3 ("Bluetooth: hci_conn: Fix not matching by CIS ID") +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + include/net/bluetooth/hci_core.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h +index 7fa95b72e5c85..22ce39a2aa7bc 100644 +--- a/include/net/bluetooth/hci_core.h ++++ b/include/net/bluetooth/hci_core.h +@@ -1227,11 +1227,11 @@ static inline struct hci_conn *hci_conn_hash_lookup_cis(struct hci_dev *hdev, + continue; + + /* Match CIG ID if set */ +- if (cig != BT_ISO_QOS_CIG_UNSET && cig != c->iso_qos.ucast.cig) ++ if (cig != c->iso_qos.ucast.cig) + continue; + + /* Match CIS ID if set */ +- if (id != BT_ISO_QOS_CIS_UNSET && id != c->iso_qos.ucast.cis) ++ if (id != c->iso_qos.ucast.cis) + continue; + + /* Match destination address if set */ +-- +2.43.0 + diff --git a/queue-6.6/bluetooth-hci_event-shut-up-a-false-positive-warning.patch b/queue-6.6/bluetooth-hci_event-shut-up-a-false-positive-warning.patch new file mode 100644 index 00000000000..d90dd1fdfa5 --- /dev/null +++ b/queue-6.6/bluetooth-hci_event-shut-up-a-false-positive-warning.patch 
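Review bot: the comments `/* Match CIG ID if set */` and `/* Match CIS ID if set */` above the changed lines are now stale, because `if (cig != c->iso_qos.ucast.cig)` and `if (id != c->iso_qos.ucast.cis)` compare unconditionally; drop "if set" from both. The message should also say whether BT_ISO_QOS_CIG_UNSET and BT_ISO_QOS_CIS_UNSET still have other users, since the hunk removes the only references visible here.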
@@ -0,0 +1,51 @@ +From 7201279848404429b9c3d1082a1eed27708019db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Nov 2023 23:17:44 +0100 +Subject: Bluetooth: hci_event: shut up a false-positive warning + +From: Arnd Bergmann + +[ Upstream commit a5812c68d849505ea657f653446512b85887f813 ] + +Turning on -Wstringop-overflow globally exposed a misleading compiler +warning in bluetooth: + +net/bluetooth/hci_event.c: In function 'hci_cc_read_class_of_dev': +net/bluetooth/hci_event.c:524:9: error: 'memcpy' writing 3 bytes into a +region of size 0 overflows the destination [-Werror=stringop-overflow=] + 524 | memcpy(hdev->dev_class, rp->dev_class, 3); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The problem here is the check for hdev being NULL in bt_dev_dbg() that +leads the compiler to conclude that hdev->dev_class might be an invalid +pointer access. + +Add another explicit check for the same condition to make sure gcc sees +this cannot happen. + +Fixes: a9de9248064b ("[Bluetooth] Switch from OGF+OCF to using only opcodes") +Fixes: 1b56c90018f0 ("Makefile: Enable -Wstringop-overflow globally") +Signed-off-by: Arnd Bergmann +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_event.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c +index da756cbf62206..3661f8cdbab70 100644 +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -516,6 +516,9 @@ static u8 hci_cc_read_class_of_dev(struct hci_dev *hdev, void *data, + { + struct hci_rp_read_class_of_dev *rp = data; + ++ if (WARN_ON(!hdev)) ++ return HCI_ERROR_UNSPECIFIED; ++ + bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); + + if (rp->status) +-- +2.43.0 + diff --git a/queue-6.6/bnxt_en-do-not-map-packet-buffers-twice.patch b/queue-6.6/bnxt_en-do-not-map-packet-buffers-twice.patch new file mode 100644 index 00000000000..29f68e8bccb --- /dev/null 
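Review bot: the added `if (WARN_ON(!hdev)) return HCI_ERROR_UNSPECIFIED;` in hci_cc_read_class_of_dev exists only to convince gcc that hdev is non-NULL after the NULL test hidden inside bt_dev_dbg(); without a comment saying so, a later cleanup may remove it as a dead check and bring the -Wstringop-overflow warning back. Add a one-line comment naming the warning above the check.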
+++ b/queue-6.6/bnxt_en-do-not-map-packet-buffers-twice.patch 
@@ -0,0 +1,60 @@ +From f488b2ee6ed5108be49f716cd5cb1e03c5dec711 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Dec 2023 13:31:38 -0800 +Subject: bnxt_en: do not map packet buffers twice + +From: Andy Gospodarek + +[ Upstream commit 23c93c3b6275a59f2a685f4a693944b53c31df4e ] + +Remove double-mapping of DMA buffers as it can prevent page pool entries +from being freed. Mapping is managed by page pool infrastructure and +was previously managed by the driver in __bnxt_alloc_rx_page before +allowing the page pool infrastructure to manage it. + +Fixes: 578fcfd26e2a ("bnxt_en: Let the page pool manage the DMA mapping") +Reviewed-by: Somnath Kotur +Signed-off-by: Andy Gospodarek +Signed-off-by: Michael Chan +Reviewed-by: David Wei +Link: https://lore.kernel.org/r/20231214213138.98095-1-michael.chan@broadcom.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 11 ++--------- + 1 file changed, 2 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c +index 96f5ca778c67d..8cb9a99154aad 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c +@@ -59,7 +59,6 @@ struct bnxt_sw_tx_bd *bnxt_xmit_bd(struct bnxt *bp, + for (i = 0; i < num_frags ; i++) { + skb_frag_t *frag = &sinfo->frags[i]; + struct bnxt_sw_tx_bd *frag_tx_buf; +- struct pci_dev *pdev = bp->pdev; + dma_addr_t frag_mapping; + int frag_len; + +@@ -73,16 +72,10 @@ struct bnxt_sw_tx_bd *bnxt_xmit_bd(struct bnxt *bp, + txbd = &txr->tx_desc_ring[TX_RING(prod)][TX_IDX(prod)]; + + frag_len = skb_frag_size(frag); +- frag_mapping = skb_frag_dma_map(&pdev->dev, frag, 0, +- frag_len, DMA_TO_DEVICE); +- +- if (unlikely(dma_mapping_error(&pdev->dev, frag_mapping))) +- return NULL; +- +- dma_unmap_addr_set(frag_tx_buf, mapping, frag_mapping); +- + flags = frag_len << TX_BD_LEN_SHIFT; + txbd->tx_bd_len_flags_type = 
cpu_to_le32(flags); ++ frag_mapping = page_pool_get_dma_addr(skb_frag_page(frag)) + ++ skb_frag_off(frag); + txbd->tx_bd_haddr = cpu_to_le64(frag_mapping); + + len = frag_len; +-- +2.43.0 + diff --git a/queue-6.6/bpf-syzkaller-found-null-ptr-deref-in-unix_bpf-proto.patch b/queue-6.6/bpf-syzkaller-found-null-ptr-deref-in-unix_bpf-proto.patch new file mode 100644 index 00000000000..4a2ef12fd87 --- /dev/null +++ b/queue-6.6/bpf-syzkaller-found-null-ptr-deref-in-unix_bpf-proto.patch 
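Review bot: removing `dma_unmap_addr_set(frag_tx_buf, mapping, frag_mapping);` means frag_tx_buf no longer records a DMA address for fragment buffers, so this hunk is correct only if the TX completion path never calls dma_unmap on those entries (page pool owns the mapping, as the message says); that path is outside the diff, so the message should confirm it was checked. Likewise `page_pool_get_dma_addr(skb_frag_page(frag)) + skb_frag_off(frag)` assumes every fragment page came from the page pool; a fragment from anywhere else would yield a bogus address, so state that invariant next to the call.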
@@ -0,0 +1,82 @@ +From fcdd3e4c99cec46ec935976379c7b8c1b8fd4527 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Dec 2023 10:01:38 -0800 +Subject: bpf: syzkaller found null ptr deref in unix_bpf proto add + +From: John Fastabend + +[ Upstream commit 8d6650646ce49e9a5b8c5c23eb94f74b1749f70f ] + +I added logic to track the sock pair for stream_unix sockets so that we +ensure lifetime of the sock matches the time a sockmap could reference +the sock (see fixes tag). I forgot though that we allow af_unix unconnected +sockets into a sock{map|hash} map. + +This is problematic because previous fixed expected sk_pair() to exist +and did not NULL check it. Because unconnected sockets have a NULL +sk_pair this resulted in the NULL ptr dereference found by syzkaller. + +BUG: KASAN: null-ptr-deref in unix_stream_bpf_update_proto+0x72/0x430 net/unix/unix_bpf.c:171 +Write of size 4 at addr 0000000000000080 by task syz-executor360/5073 +Call Trace: + + ... + sock_hold include/net/sock.h:777 [inline] + unix_stream_bpf_update_proto+0x72/0x430 net/unix/unix_bpf.c:171 + sock_map_init_proto net/core/sock_map.c:190 [inline] + sock_map_link+0xb87/0x1100 net/core/sock_map.c:294 + sock_map_update_common+0xf6/0x870 net/core/sock_map.c:483 + sock_map_update_elem_sys+0x5b6/0x640 net/core/sock_map.c:577 + bpf_map_update_value+0x3af/0x820 kernel/bpf/syscall.c:167 + +We considered just checking for the null ptr and skipping taking a ref +on the NULL peer sock. But, if the socket is then connected() after +being added to the sockmap we can cause the original issue again. So +instead this patch blocks adding af_unix sockets that are not in the +ESTABLISHED state. 
+ +Reported-by: Eric Dumazet +Reported-by: syzbot+e8030702aefd3444fb9e@syzkaller.appspotmail.com +Fixes: 8866730aed51 ("bpf, sockmap: af_unix stream sockets need to hold ref for pair sock") +Acked-by: Jakub Sitnicki +Signed-off-by: John Fastabend +Link: https://lore.kernel.org/r/20231201180139.328529-2-john.fastabend@gmail.com +Signed-off-by: Martin KaFai Lau +Signed-off-by: Sasha Levin +--- + include/net/sock.h | 5 +++++ + net/core/sock_map.c | 2 ++ + 2 files changed, 7 insertions(+) + +diff --git a/include/net/sock.h b/include/net/sock.h +index 7753354d59c0b..1b7ca8f35dd60 100644 +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -2798,6 +2798,11 @@ static inline bool sk_is_tcp(const struct sock *sk) + return sk->sk_type == SOCK_STREAM && sk->sk_protocol == IPPROTO_TCP; + } + ++static inline bool sk_is_stream_unix(const struct sock *sk) ++{ ++ return sk->sk_family == AF_UNIX && sk->sk_type == SOCK_STREAM; ++} ++ + /** + * sk_eat_skb - Release a skb if it is no longer needed + * @sk: socket to eat this skb from +diff --git a/net/core/sock_map.c b/net/core/sock_map.c +index 4292c2ed18286..27d733c0f65e1 100644 +--- a/net/core/sock_map.c ++++ b/net/core/sock_map.c +@@ -536,6 +536,8 @@ static bool sock_map_sk_state_allowed(const struct sock *sk) + { + if (sk_is_tcp(sk)) + return (1 << sk->sk_state) & (TCPF_ESTABLISHED | TCPF_LISTEN); ++ if (sk_is_stream_unix(sk)) ++ return (1 << sk->sk_state) & TCPF_ESTABLISHED; + return true; + } + +-- +2.43.0 + diff --git a/queue-6.6/ethernet-atheros-fix-a-memleak-in-atl1e_setup_ring_r.patch b/queue-6.6/ethernet-atheros-fix-a-memleak-in-atl1e_setup_ring_r.patch new file mode 100644 index 00000000000..6dc95f18c3e --- /dev/null +++ b/queue-6.6/ethernet-atheros-fix-a-memleak-in-atl1e_setup_ring_r.patch 
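Review bot: the new branch in sock_map_sk_state_allowed(), "(1 << sk->sk_state) & TCPF_ESTABLISHED", applies a TCP state-flag constant to an AF_UNIX socket; that is only correct because unix stream sockets reuse the TCP_* sk_state values, so a one-line comment above the sk_is_stream_unix() branch would stop the next reader from treating it as a copy-paste of the sk_is_tcp() case directly above. Unlike that TCP case, TCPF_LISTEN is deliberately not accepted here, which matches the commit message's intent of admitting only ESTABLISHED unix sockets, but the message only talks about unconnected sockets, so one sentence saying that listening unix stream sockets are rejected as well would make the behaviour change explicit for anyone backporting this to a stable tree.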
@@ -0,0 +1,44 @@ +From 5708519256ed2fec5a6fb8e23082e3e6fbaf4879 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Dec 2023 21:04:04 +0800 +Subject: ethernet: atheros: fix a memleak in atl1e_setup_ring_resources + +From: Zhipeng Lu + +[ Upstream commit 309fdb1c33fe726d92d0030481346f24e1b01f07 ] + +In the error handling of 'offset > adapter->ring_size', the +tx_ring->tx_buffer allocated by kzalloc should be freed, +instead of 'goto failed' instantly. + +Fixes: a6a5325239c2 ("atl1e: Atheros L1E Gigabit Ethernet driver") +Signed-off-by: Zhipeng Lu +Reviewed-by: Suman Ghosh +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/atheros/atl1e/atl1e_main.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/atheros/atl1e/atl1e_main.c b/drivers/net/ethernet/atheros/atl1e/atl1e_main.c +index 5935be190b9e2..5f2a6fcba9670 100644 +--- a/drivers/net/ethernet/atheros/atl1e/atl1e_main.c ++++ b/drivers/net/ethernet/atheros/atl1e/atl1e_main.c +@@ -866,10 +866,13 @@ static int atl1e_setup_ring_resources(struct atl1e_adapter *adapter) + netdev_err(adapter->netdev, "offset(%d) > ring size(%d) !!\n", + offset, adapter->ring_size); + err = -1; +- goto failed; ++ goto free_buffer; + } + + return 0; ++free_buffer: ++ kfree(tx_ring->tx_buffer); ++ tx_ring->tx_buffer = NULL; + failed: + if (adapter->ring_vir_addr != NULL) { + dma_free_coherent(&pdev->dev, adapter->ring_size, +-- +2.43.0 + diff --git a/queue-6.6/ice-alter-feature-support-check-for-sriov-and-lag.patch b/queue-6.6/ice-alter-feature-support-check-for-sriov-and-lag.patch new file mode 100644 index 00000000000..8fbce7f61fe --- /dev/null +++ b/queue-6.6/ice-alter-feature-support-check-for-sriov-and-lag.patch 
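Review bot: the new free_buffer label in the atl1e_setup_ring_resources() hunk falls straight through into failed:, which is the right ordering (release the tx_buffer array first, then the coherent ring memory at failed:), but a short comment marking the fall-through as intentional would keep a later cleanup from "fixing" it with a return. The retained "err = -1;" just above the "goto free_buffer" is not a negative errno value; the commit message does not cover the return value, so that is best handled in a follow-up that switches it to -EINVAL (or whatever the caller of this function propagates) rather than folding it into this leak fix.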
@@ -0,0 +1,54 @@ +From 156a1d520568749d8c9761676e3b28af7d8114aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Dec 2023 13:19:28 -0800 +Subject: ice: alter feature support check for SRIOV and LAG + +From: Dave Ertman + +[ Upstream commit 4d50fcdc2476eef94c14c6761073af5667bb43b6 ] + +Previously, the ice driver had support for using a handler for bonding +netdev events to ensure that conflicting features were not allowed to be +activated at the same time. While this was still in place, additional +support was added to specifically support SRIOV and LAG together. These +both utilized the netdev event handler, but the SRIOV and LAG feature was +behind a capabilities feature check to make sure the current NVM has +support. + +The exclusion part of the event handler should be removed since there are +users who have custom made solutions that depend on the non-exclusion of +features. + +Wrap the creation/registration and cleanup of the event handler and +associated structs in the probe flow with a feature check so that the +only systems that support the full implementation of LAG features will +initialize support. This will leave other systems unhindered with +functionality as it existed before any LAG code was added. 
+ +Fixes: bb52f42acef6 ("ice: Add driver support for firmware changes for LAG") +Reviewed-by: Jesse Brandeburg +Signed-off-by: Dave Ertman +Reviewed-by: Simon Horman +Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_lag.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/intel/ice/ice_lag.c b/drivers/net/ethernet/intel/ice/ice_lag.c +index d86e2460b5a4d..23e197c3d02a7 100644 +--- a/drivers/net/ethernet/intel/ice/ice_lag.c ++++ b/drivers/net/ethernet/intel/ice/ice_lag.c +@@ -1963,6 +1963,8 @@ int ice_init_lag(struct ice_pf *pf) + int n, err; + + ice_lag_init_feature_support_flag(pf); ++ if (!ice_is_feature_supported(pf, ICE_F_SRIOV_LAG)) ++ return 0; + + pf->lag = kzalloc(sizeof(*lag), GFP_KERNEL); + if (!pf->lag) +-- +2.43.0 + diff --git a/queue-6.6/ice-fix-pf-with-enabled-xdp-going-no-carrier-after-r.patch b/queue-6.6/ice-fix-pf-with-enabled-xdp-going-no-carrier-after-r.patch new file mode 100644 index 00000000000..9b201611d8d --- /dev/null +++ b/queue-6.6/ice-fix-pf-with-enabled-xdp-going-no-carrier-after-r.patch 
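Review bot: the early "return 0" added to ice_init_lag() right after ice_lag_init_feature_support_flag(pf) leaves pf->lag unallocated because the kzalloc() below it is now skipped, yet the diffstat shows only these two lines in ice_lag.c while the commit message says the cleanup of the event handler and its structs is wrapped in the same feature check; please confirm that ice_deinit_lag() and every other reader of pf->lag already tolerate pf->lag == NULL on the unsupported path, or include that change here so the unload path does not dereference a NULL lag pointer on systems without ICE_F_SRIOV_LAG.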
@@ -0,0 +1,50 @@ +From 2509d14c00daac3d748dac92e74b92ccfdb1f205 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Dec 2023 10:29:01 +0100 +Subject: ice: Fix PF with enabled XDP going no-carrier after reset + +From: Larysa Zaremba + +[ Upstream commit f5728a418945ba53e2fdf38a6e5c5a2670965e85 ] + +Commit 6624e780a577fc596788 ("ice: split ice_vsi_setup into smaller +functions") has refactored a bunch of code involved in PFR. In this +process, TC queue number adjustment for XDP was lost. Bring it back. + +Lack of such adjustment causes interface to go into no-carrier after a +reset, if XDP program is attached, with the following message: + +ice 0000:b1:00.0: Failed to set LAN Tx queue context, error: -22 +ice 0000:b1:00.0 ens801f0np0: Failed to open VSI 0x0006 on switch 0x0001 +ice 0000:b1:00.0: enable VSI failed, err -22, VSI index 0, type ICE_VSI_PF +ice 0000:b1:00.0: PF VSI rebuild failed: -22 +ice 0000:b1:00.0: Rebuild failed, unload and reload driver + +Fixes: 6624e780a577 ("ice: split ice_vsi_setup into smaller functions") +Reviewed-by: Przemek Kitszel +Signed-off-by: Larysa Zaremba +Reviewed-by: Simon Horman +Tested-by: Chandan Kumar Rout (A Contingent Worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_lib.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/intel/ice/ice_lib.c b/drivers/net/ethernet/intel/ice/ice_lib.c +index 8dbf7a381e49b..a66c3b6ccec1e 100644 +--- a/drivers/net/ethernet/intel/ice/ice_lib.c ++++ b/drivers/net/ethernet/intel/ice/ice_lib.c +@@ -2384,6 +2384,9 @@ static int ice_vsi_cfg_tc_lan(struct ice_pf *pf, struct ice_vsi *vsi) + } else { + max_txqs[i] = vsi->alloc_txq; + } ++ ++ if (vsi->type == ICE_VSI_PF) ++ max_txqs[i] += vsi->num_xdp_txq; + } + + dev_dbg(dev, "vsi->tc_cfg.ena_tc = %d\n", vsi->tc_cfg.ena_tc); +-- +2.43.0 + 
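Review bot: the ICE_VSI_PF condition on the new "max_txqs[i] += vsi->num_xdp_txq;" in ice_vsi_cfg_tc_lan() needs a comment; the line sits after the if/else that fills max_txqs[i], so it applies to both branches, and a reader has to know that only the PF VSI owns XDP Tx queues and that num_xdp_txq is zero when no program is attached (making this a no-op in the common case) to see why the condition is sufficient. Tying the comment to the "Failed to set LAN Tx queue context, error: -22" line quoted in the commit message would also preserve the link between an undercounted queue total and the -EINVAL from the Tx queue context call, which is exactly what got lost in the refactor this patch repairs.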
diff --git a/queue-6.6/ice-fix-theoretical-out-of-bounds-access-in-ethtool-.patch b/queue-6.6/ice-fix-theoretical-out-of-bounds-access-in-ethtool-.patch new file mode 100644 index 00000000000..0eeb3bc0959 --- /dev/null +++ b/queue-6.6/ice-fix-theoretical-out-of-bounds-access-in-ethtool-.patch 
@@ -0,0 +1,54 @@ +From a2cbc5ab7174c5d2d4c7dffb664733452215e4cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Nov 2023 17:58:06 +0100 +Subject: ice: fix theoretical out-of-bounds access in ethtool link modes + +From: Michal Schmidt + +[ Upstream commit 91f9181c738101a276d9da333e0ab665ad806e6d ] + +To map phy types reported by the hardware to ethtool link mode bits, +ice uses two lookup tables (phy_type_low_lkup, phy_type_high_lkup). +The "low" table has 64 elements to cover every possible bit the hardware +may report, but the "high" table has only 13. If the hardware reports a +higher bit in phy_types_high, the driver would access memory beyond the +lookup table's end. + +Instead of iterating through all 64 bits of phy_types_{low,high}, use +the sizes of the respective lookup tables. + +Fixes: 9136e1f1e5c3 ("ice: refactor PHY type to ethtool link mode") +Signed-off-by: Michal Schmidt +Reviewed-by: Przemek Kitszel +Reviewed-by: Simon Horman +Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_ethtool.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_ethtool.c b/drivers/net/ethernet/intel/ice/ice_ethtool.c +index ad4d4702129f0..9be13e9840917 100644 +--- a/drivers/net/ethernet/intel/ice/ice_ethtool.c ++++ b/drivers/net/ethernet/intel/ice/ice_ethtool.c +@@ -1757,14 +1757,14 @@ ice_phy_type_to_ethtool(struct net_device *netdev, + linkmode_zero(ks->link_modes.supported); + linkmode_zero(ks->link_modes.advertising); + +- for (i = 0; i < BITS_PER_TYPE(u64); i++) { ++ for (i = 0; i < ARRAY_SIZE(phy_type_low_lkup); i++) { + if (phy_types_low & BIT_ULL(i)) + ice_linkmode_set_bit(&phy_type_low_lkup[i], ks, + req_speeds, advert_phy_type_lo, + i); + } + +- for (i = 0; i < BITS_PER_TYPE(u64); i++) { ++ for (i = 0; i < ARRAY_SIZE(phy_type_high_lkup); i++) { + if (phy_types_high & BIT_ULL(i)) + 
ice_linkmode_set_bit(&phy_type_high_lkup[i], ks, + req_speeds, advert_phy_type_hi, +-- +2.43.0 + diff --git a/queue-6.6/ice-stop-trashing-vf-vsi-aggregator-node-id-informat.patch b/queue-6.6/ice-stop-trashing-vf-vsi-aggregator-node-id-informat.patch new file mode 100644 index 00000000000..aeaac6c1413 --- /dev/null +++ b/queue-6.6/ice-stop-trashing-vf-vsi-aggregator-node-id-informat.patch 
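Review bot: with the loop bounds in ice_phy_type_to_ethtool() changed to ARRAY_SIZE(phy_type_low_lkup) and ARRAY_SIZE(phy_type_high_lkup), a bit the hardware reports at or above the table size is now silently ignored instead of reading past the table; consider a netdev_dbg() when phy_types_high has bits set beyond ARRAY_SIZE(phy_type_high_lkup) so a new NVM advertising unknown PHY types is noticed rather than quietly dropped from the ethtool link modes. A BUILD_BUG_ON(ARRAY_SIZE(phy_type_low_lkup) > BITS_PER_TYPE(u64)) and the same for the high table would also guarantee that BIT_ULL(i) never exceeds the 64-bit mask width if either table grows later.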
@@ -0,0 +1,79 @@ +From cce5c9515d63c1413870568e654f6a6dc6922c68 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Dec 2023 12:19:05 -0800 +Subject: ice: stop trashing VF VSI aggregator node ID information + +From: Jacob Keller + +[ Upstream commit 7d881346121a97756f34e00e6296a5d63f001f7f ] + +When creating new VSIs, they are assigned into an aggregator node in the +scheduler tree. Information about which aggregator node a VSI is assigned +into is maintained by the vsi->agg_node structure. In ice_vsi_decfg(), this +information is being destroyed, by overwriting the valid flag and the +agg_id field to zero. + +For VF VSIs, this breaks the aggregator node configuration replay, which +depends on this information. This results in VFs being inserted into the +default aggregator node. The resulting configuration will have unexpected +Tx bandwidth sharing behavior. + +This was broken by commit 6624e780a577 ("ice: split ice_vsi_setup into +smaller functions"), which added the block to reset the agg_node data. + +The vsi->agg_node structure is not managed by the scheduler code, but is +instead a wrapper around an aggregator node ID that is tracked at the VSI +layer. Its been around for a long time, and its primary purpose was for +handling VFs. The SR-IOV VF reset flow does not make use of the standard VSI +rebuild/replay logic, and uses vsi->agg_node as part of its handling to +rebuild the aggregator node configuration. + +The logic for aggregator nodes stretches back to early ice driver code from +commit b126bd6bcd67 ("ice: create scheduler aggregator node config and move +VSIs") + +The logic in ice_vsi_decfg() which trashes the ice_agg_node data is clearly +wrong. It destroys information that is necessary for handling VF reset,. It +is also not the correct way to actually remove a VSI from an aggregator +node. For that, we need to implement logic in the scheduler code. 
Further, +non-VF VSIs properly replay their aggregator configuration using existing +scheduler replay logic. + +To fix the VF replay logic, remove this broken aggregator node cleanup +logic. This is the simplest way to immediately fix this. + +This ensures that VFs will have proper aggregate configuration after a +reset. This is especially important since VFs often perform resets as part +of their reconfiguration flows. Without fixing this, VFs will be placed in +the default aggregator node and Tx bandwidth will not be shared in the +expected and configured manner. + +Fixes: 6624e780a577 ("ice: split ice_vsi_setup into smaller functions") +Signed-off-by: Jacob Keller +Reviewed-by: Przemek Kitszel +Reviewed-by: Simon Horman +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_lib.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_lib.c b/drivers/net/ethernet/intel/ice/ice_lib.c +index 73bbf06a76db9..8dbf7a381e49b 100644 +--- a/drivers/net/ethernet/intel/ice/ice_lib.c ++++ b/drivers/net/ethernet/intel/ice/ice_lib.c +@@ -2633,10 +2633,6 @@ void ice_vsi_decfg(struct ice_vsi *vsi) + if (vsi->type == ICE_VSI_VF && + vsi->agg_node && vsi->agg_node->valid) + vsi->agg_node->num_vsis--; +- if (vsi->agg_node) { +- vsi->agg_node->valid = false; +- vsi->agg_node->agg_id = 0; +- } + } + + /** +-- +2.43.0 + diff --git a/queue-6.6/keys-dns-allow-key-types-eg.-dns-to-be-reclaimed-imm.patch b/queue-6.6/keys-dns-allow-key-types-eg.-dns-to-be-reclaimed-imm.patch new file mode 100644 index 00000000000..ab9a45eb077 --- /dev/null +++ b/queue-6.6/keys-dns-allow-key-types-eg.-dns-to-be-reclaimed-imm.patch 
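Review bot: the spot in ice_vsi_decfg() where the "vsi->agg_node->valid = false; vsi->agg_node->agg_id = 0;" block was deleted needs a comment stating that agg_node is intentionally left intact so the VF reset path can replay the aggregator node configuration (citing the Fixes: commit); after this change the only agg_node bookkeeping left in the function is the "vsi->agg_node->num_vsis--" for VF VSIs, and without the commit message the absence of any reset looks like an oversight that a future cleanup would happily reintroduce. The message also says real removal from an aggregator node belongs in the scheduler code; a TODO at this site pointing there would record that the missing cleanup is known rather than forgotten.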
@@ -0,0 +1,281 @@ +From 215ee067340a31c0ea47bcc9226458e3811be125 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 9 Dec 2023 00:41:55 +0000 +Subject: keys, dns: Allow key types (eg. DNS) to be reclaimed immediately on + expiry + +From: David Howells + +[ Upstream commit 39299bdd2546688d92ed9db4948f6219ca1b9542 ] + +If a key has an expiration time, then when that time passes, the key is +left around for a certain amount of time before being collected (5 mins by +default) so that EKEYEXPIRED can be returned instead of ENOKEY. This is a +problem for DNS keys because we want to redo the DNS lookup immediately at +that point. + +Fix this by allowing key types to be marked such that keys of that type +don't have this extra period, but are reclaimed as soon as they expire and +turn this on for dns_resolver-type keys. To make this easier to handle, +key->expiry is changed to be permanent if TIME64_MAX rather than 0. + +Furthermore, give such new-style negative DNS results a 1s default expiry +if no other expiry time is set rather than allowing it to stick around +indefinitely. This shouldn't be zero as ls will follow a failing stat call +immediately with a second with AT_SYMLINK_NOFOLLOW added. + +Fixes: 1a4240f4764a ("DNS: Separate out CIFS DNS Resolver code") +Signed-off-by: David Howells +Tested-by: Markus Suvanto +cc: Wang Lei +cc: Jeff Layton +cc: Steve French +cc: Marc Dionne +cc: Jarkko Sakkinen +cc: "David S. 
Miller" +cc: Eric Dumazet +cc: Jakub Kicinski +cc: Paolo Abeni +cc: linux-afs@lists.infradead.org +cc: linux-cifs@vger.kernel.org +cc: linux-nfs@vger.kernel.org +cc: ceph-devel@vger.kernel.org +cc: keyrings@vger.kernel.org +cc: netdev@vger.kernel.org +Signed-off-by: Sasha Levin +--- + include/linux/key-type.h | 1 + + net/dns_resolver/dns_key.c | 10 +++++++++- + security/keys/gc.c | 31 +++++++++++++++++++++---------- + security/keys/internal.h | 11 ++++++++++- + security/keys/key.c | 15 +++++---------- + security/keys/proc.c | 2 +- + 6 files changed, 47 insertions(+), 23 deletions(-) + +diff --git a/include/linux/key-type.h b/include/linux/key-type.h +index 7d985a1dfe4af..5caf3ce823733 100644 +--- a/include/linux/key-type.h ++++ b/include/linux/key-type.h +@@ -73,6 +73,7 @@ struct key_type { + + unsigned int flags; + #define KEY_TYPE_NET_DOMAIN 0x00000001 /* Keys of this type have a net namespace domain */ ++#define KEY_TYPE_INSTANT_REAP 0x00000002 /* Keys of this type don't have a delay after expiring */ + + /* vet a description */ + int (*vet_description)(const char *description); +diff --git a/net/dns_resolver/dns_key.c b/net/dns_resolver/dns_key.c +index 01e54b46ae0b9..2a6d363763a2b 100644 +--- a/net/dns_resolver/dns_key.c ++++ b/net/dns_resolver/dns_key.c +@@ -91,6 +91,7 @@ const struct cred *dns_resolver_cache; + static int + dns_resolver_preparse(struct key_preparsed_payload *prep) + { ++ const struct dns_server_list_v1_header *v1; + const struct dns_payload_header *bin; + struct user_key_payload *upayload; + unsigned long derrno; +@@ -122,6 +123,13 @@ dns_resolver_preparse(struct key_preparsed_payload *prep) + return -EINVAL; + } + ++ v1 = (const struct dns_server_list_v1_header *)bin; ++ if ((v1->status != DNS_LOOKUP_GOOD && ++ v1->status != DNS_LOOKUP_GOOD_WITH_BAD)) { ++ if (prep->expiry == TIME64_MAX) ++ prep->expiry = ktime_get_real_seconds() + 1; ++ } ++ + result_len = datalen; + goto store_result; + } +@@ -314,7 +322,7 @@ static long 
dns_resolver_read(const struct key *key, + + struct key_type key_type_dns_resolver = { + .name = "dns_resolver", +- .flags = KEY_TYPE_NET_DOMAIN, ++ .flags = KEY_TYPE_NET_DOMAIN | KEY_TYPE_INSTANT_REAP, + .preparse = dns_resolver_preparse, + .free_preparse = dns_resolver_free_preparse, + .instantiate = generic_key_instantiate, +diff --git a/security/keys/gc.c b/security/keys/gc.c +index 3c90807476eb0..eaddaceda14ea 100644 +--- a/security/keys/gc.c ++++ b/security/keys/gc.c +@@ -66,6 +66,19 @@ void key_schedule_gc(time64_t gc_at) + } + } + ++/* ++ * Set the expiration time on a key. ++ */ ++void key_set_expiry(struct key *key, time64_t expiry) ++{ ++ key->expiry = expiry; ++ if (expiry != TIME64_MAX) { ++ if (!(key->type->flags & KEY_TYPE_INSTANT_REAP)) ++ expiry += key_gc_delay; ++ key_schedule_gc(expiry); ++ } ++} ++ + /* + * Schedule a dead links collection run. + */ +@@ -176,7 +189,6 @@ static void key_garbage_collector(struct work_struct *work) + static u8 gc_state; /* Internal persistent state */ + #define KEY_GC_REAP_AGAIN 0x01 /* - Need another cycle */ + #define KEY_GC_REAPING_LINKS 0x02 /* - We need to reap links */ +-#define KEY_GC_SET_TIMER 0x04 /* - We need to restart the timer */ + #define KEY_GC_REAPING_DEAD_1 0x10 /* - We need to mark dead keys */ + #define KEY_GC_REAPING_DEAD_2 0x20 /* - We need to reap dead key links */ + #define KEY_GC_REAPING_DEAD_3 0x40 /* - We need to reap dead keys */ +@@ -184,21 +196,17 @@ static void key_garbage_collector(struct work_struct *work) + + struct rb_node *cursor; + struct key *key; +- time64_t new_timer, limit; ++ time64_t new_timer, limit, expiry; + + kenter("[%lx,%x]", key_gc_flags, gc_state); + + limit = ktime_get_real_seconds(); +- if (limit > key_gc_delay) +- limit -= key_gc_delay; +- else +- limit = key_gc_delay; + + /* Work out what we're going to be doing in this pass */ + gc_state &= KEY_GC_REAPING_DEAD_1 | KEY_GC_REAPING_DEAD_2; + gc_state <<= 1; + if (test_and_clear_bit(KEY_GC_KEY_EXPIRED, 
&key_gc_flags)) +- gc_state |= KEY_GC_REAPING_LINKS | KEY_GC_SET_TIMER; ++ gc_state |= KEY_GC_REAPING_LINKS; + + if (test_and_clear_bit(KEY_GC_REAP_KEYTYPE, &key_gc_flags)) + gc_state |= KEY_GC_REAPING_DEAD_1; +@@ -233,8 +241,11 @@ static void key_garbage_collector(struct work_struct *work) + } + } + +- if (gc_state & KEY_GC_SET_TIMER) { +- if (key->expiry > limit && key->expiry < new_timer) { ++ expiry = key->expiry; ++ if (expiry != TIME64_MAX) { ++ if (!(key->type->flags & KEY_TYPE_INSTANT_REAP)) ++ expiry += key_gc_delay; ++ if (expiry > limit && expiry < new_timer) { + kdebug("will expire %x in %lld", + key_serial(key), key->expiry - limit); + new_timer = key->expiry; +@@ -276,7 +287,7 @@ static void key_garbage_collector(struct work_struct *work) + */ + kdebug("pass complete"); + +- if (gc_state & KEY_GC_SET_TIMER && new_timer != (time64_t)TIME64_MAX) { ++ if (new_timer != TIME64_MAX) { + new_timer += key_gc_delay; + key_schedule_gc(new_timer); + } +diff --git a/security/keys/internal.h b/security/keys/internal.h +index 3c1e7122076b9..ec2ec335b6133 100644 +--- a/security/keys/internal.h ++++ b/security/keys/internal.h +@@ -174,6 +174,7 @@ extern unsigned key_gc_delay; + extern void keyring_gc(struct key *keyring, time64_t limit); + extern void keyring_restriction_gc(struct key *keyring, + struct key_type *dead_type); ++void key_set_expiry(struct key *key, time64_t expiry); + extern void key_schedule_gc(time64_t gc_at); + extern void key_schedule_gc_links(void); + extern void key_gc_keytype(struct key_type *ktype); +@@ -222,10 +223,18 @@ extern struct key *key_get_instantiation_authkey(key_serial_t target_id); + */ + static inline bool key_is_dead(const struct key *key, time64_t limit) + { ++ time64_t expiry = key->expiry; ++ ++ if (expiry != TIME64_MAX) { ++ if (!(key->type->flags & KEY_TYPE_INSTANT_REAP)) ++ expiry += key_gc_delay; ++ if (expiry <= limit) ++ return true; ++ } ++ + return + key->flags & ((1 << KEY_FLAG_DEAD) | + (1 << KEY_FLAG_INVALIDATED)) 
|| +- (key->expiry > 0 && key->expiry <= limit) || + key->domain_tag->removed; + } + +diff --git a/security/keys/key.c b/security/keys/key.c +index 5c0c7df833f8a..5f103b2713c64 100644 +--- a/security/keys/key.c ++++ b/security/keys/key.c +@@ -294,6 +294,7 @@ struct key *key_alloc(struct key_type *type, const char *desc, + key->uid = uid; + key->gid = gid; + key->perm = perm; ++ key->expiry = TIME64_MAX; + key->restrict_link = restrict_link; + key->last_used_at = ktime_get_real_seconds(); + +@@ -463,10 +464,7 @@ static int __key_instantiate_and_link(struct key *key, + if (authkey) + key_invalidate(authkey); + +- if (prep->expiry != TIME64_MAX) { +- key->expiry = prep->expiry; +- key_schedule_gc(prep->expiry + key_gc_delay); +- } ++ key_set_expiry(key, prep->expiry); + } + } + +@@ -606,8 +604,7 @@ int key_reject_and_link(struct key *key, + atomic_inc(&key->user->nikeys); + mark_key_instantiated(key, -error); + notify_key(key, NOTIFY_KEY_INSTANTIATED, -error); +- key->expiry = ktime_get_real_seconds() + timeout; +- key_schedule_gc(key->expiry + key_gc_delay); ++ key_set_expiry(key, ktime_get_real_seconds() + timeout); + + if (test_and_clear_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags)) + awaken = 1; +@@ -722,16 +719,14 @@ struct key_type *key_type_lookup(const char *type) + + void key_set_timeout(struct key *key, unsigned timeout) + { +- time64_t expiry = 0; ++ time64_t expiry = TIME64_MAX; + + /* make the changes with the locks held to prevent races */ + down_write(&key->sem); + + if (timeout > 0) + expiry = ktime_get_real_seconds() + timeout; +- +- key->expiry = expiry; +- key_schedule_gc(key->expiry + key_gc_delay); ++ key_set_expiry(key, expiry); + + up_write(&key->sem); + } +diff --git a/security/keys/proc.c b/security/keys/proc.c +index d0cde6685627f..4f4e2c1824f18 100644 +--- a/security/keys/proc.c ++++ b/security/keys/proc.c +@@ -198,7 +198,7 @@ static int proc_keys_show(struct seq_file *m, void *v) + + /* come up with a suitable timeout value */ + expiry = 
READ_ONCE(key->expiry); +- if (expiry == 0) { ++ if (expiry == TIME64_MAX) { + memcpy(xbuf, "perm", 5); + } else if (now >= expiry) { + memcpy(xbuf, "expd", 5); +-- +2.43.0 + diff --git a/queue-6.6/net-check-dev-gso_max_size-in-gso_features_check.patch b/queue-6.6/net-check-dev-gso_max_size-in-gso_features_check.patch new file mode 100644 index 00000000000..73771d50b35 --- /dev/null +++ b/queue-6.6/net-check-dev-gso_max_size-in-gso_features_check.patch 
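Review bot: in the dns_resolver_preparse() hunk, v1->status is read through a cast of bin to struct dns_server_list_v1_header, but the hunk shows no check that datalen covers sizeof(*v1) before the dereference; please confirm the version and length validation above this point (not visible in the hunk) already rejects payloads shorter than the v1 header, otherwise a short payload reads past the end of the buffer. The doubled parentheses in "if ((v1->status != DNS_LOOKUP_GOOD && v1->status != DNS_LOOKUP_GOOD_WITH_BAD))" are redundant and can be reduced to a single pair.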
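Review bot: in the key_garbage_collector() hunk the comparison now uses the delay-adjusted local "expiry", but the lines right after it still assign "new_timer = key->expiry;" and the end of the pass still does "new_timer += key_gc_delay;" unconditionally, so for a KEY_TYPE_INSTANT_REAP key the next collection run scheduled from inside the collector lands key_gc_delay after the key's real expiry, which is the delay this patch sets out to remove. Suggest "new_timer = expiry;" at that spot, dropping the unconditional "+= key_gc_delay" before key_schedule_gc(new_timer) (the delay is already folded into expiry for non-instant types, matching key_set_expiry()), and using "expiry - limit" in the kdebug() so the logged value is the one actually compared.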
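Review bot: the new declaration "void key_set_expiry(struct key *key, time64_t expiry);" in security/keys/internal.h drops the "extern" that every neighbouring declaration in that block uses (keyring_gc, keyring_restriction_gc, key_schedule_gc, key_schedule_gc_links); either form compiles, but the block should stay consistent. key_set_expiry() in gc.c also writes key->expiry under a one-line comment only; given that key_set_timeout() calls it with down_write(&key->sem) held while key_reject_and_link() and __key_instantiate_and_link() call it from their own paths, the comment should state which lock the caller is expected to hold so the contract survives the next caller being added.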
@@ -0,0 +1,49 @@ +From f7adf19ca88c8f5507cc968c7919db7bfd909c79 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Dec 2023 12:53:31 +0000 +Subject: net: check dev->gso_max_size in gso_features_check() + +From: Eric Dumazet + +[ Upstream commit 24ab059d2ebd62fdccc43794796f6ffbabe49ebc ] + +Some drivers might misbehave if TSO packets get too big. + +GVE for instance uses a 16bit field in its TX descriptor, +and will do bad things if a packet is bigger than 2^16 bytes. + +Linux TCP stack honors dev->gso_max_size, but there are +other ways for too big packets to reach an ndo_start_xmit() +handler : virtio_net, af_packet, GRO... + +Add a generic check in gso_features_check() and fallback +to GSO when needed. + +gso_max_size was added in the blamed commit. + +Fixes: 82cc1a7a5687 ("[NET]: Add per-connection option to set max TSO frame size") +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20231219125331.4127498-1-edumazet@google.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/core/dev.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/core/dev.c b/net/core/dev.c +index 9bf90b2a75b6a..e480afb50d4c1 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -3500,6 +3500,9 @@ static netdev_features_t gso_features_check(const struct sk_buff *skb, + if (gso_segs > READ_ONCE(dev->gso_max_segs)) + return features & ~NETIF_F_GSO_MASK; + ++ if (unlikely(skb->len >= READ_ONCE(dev->gso_max_size))) ++ return features & ~NETIF_F_GSO_MASK; ++ + if (!skb_shinfo(skb)->gso_type) { + skb_warn_bad_offload(skb); + return features & ~NETIF_F_GSO_MASK; +-- +2.43.0 + diff --git a/queue-6.6/net-check-vlan-filter-feature-in-vlan_vids_add_by_de.patch b/queue-6.6/net-check-vlan-filter-feature-in-vlan_vids_add_by_de.patch new file mode 100644 index 00000000000..a37ed1c3b58 --- /dev/null +++ b/queue-6.6/net-check-vlan-filter-feature-in-vlan_vids_add_by_de.patch 
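Review bot: the new check in gso_features_check() compares with ">=" against READ_ONCE(dev->gso_max_size) while the gso_max_segs check directly above it uses ">"; given the commit message's GVE example of a 16-bit descriptor field that cannot represent 2^16, the ">=" is presumably deliberate (a packet of exactly gso_max_size bytes would not fit either), but that reasoning belongs in a one-line comment above the check so the asymmetry with the segs test is not "harmonised" away by a later cleanup. The commit message could also name the other ingress paths it lists (virtio_net, af_packet, GRO) in that comment, since they are the reason a generic check in the core is needed rather than a per-driver one.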
@@ -0,0 +1,99 @@ +From f87a74362d97119bc5f47e0717b2d5bac3b31de8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 16 Dec 2023 15:52:18 +0800 +Subject: net: check vlan filter feature in vlan_vids_add_by_dev() and + vlan_vids_del_by_dev() + +From: Liu Jian + +[ Upstream commit 01a564bab4876007ce35f312e16797dfe40e4823 ] + +I got the below warning trace: + +WARNING: CPU: 4 PID: 4056 at net/core/dev.c:11066 unregister_netdevice_many_notify +CPU: 4 PID: 4056 Comm: ip Not tainted 6.7.0-rc4+ #15 +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014 +RIP: 0010:unregister_netdevice_many_notify+0x9a4/0x9b0 +Call Trace: + rtnl_dellink + rtnetlink_rcv_msg + netlink_rcv_skb + netlink_unicast + netlink_sendmsg + __sock_sendmsg + ____sys_sendmsg + ___sys_sendmsg + __sys_sendmsg + do_syscall_64 + entry_SYSCALL_64_after_hwframe + +It can be repoduced via: + + ip netns add ns1 + ip netns exec ns1 ip link add bond0 type bond mode 0 + ip netns exec ns1 ip link add bond_slave_1 type veth peer veth2 + ip netns exec ns1 ip link set bond_slave_1 master bond0 +[1] ip netns exec ns1 ethtool -K bond0 rx-vlan-filter off +[2] ip netns exec ns1 ip link add link bond_slave_1 name bond_slave_1.0 type vlan id 0 +[3] ip netns exec ns1 ip link add link bond0 name bond0.0 type vlan id 0 +[4] ip netns exec ns1 ip link set bond_slave_1 nomaster +[5] ip netns exec ns1 ip link del veth2 + ip netns del ns1 + +This is all caused by command [1] turning off the rx-vlan-filter function +of bond0. The reason is the same as commit 01f4fd270870 ("bonding: Fix +incorrect deletion of ETH_P_8021AD protocol vid from slaves"). Commands +[2] [3] add the same vid to slave and master respectively, causing +command [4] to empty slave->vlan_info. The following command [5] triggers +this problem. + +To fix this problem, we should add VLAN_FILTER feature checks in +vlan_vids_add_by_dev() and vlan_vids_del_by_dev() to prevent incorrect +addition or deletion of vlan_vid information. 
+ +Fixes: 348a1443cc43 ("vlan: introduce functions to do mass addition/deletion of vids by another device") +Signed-off-by: Liu Jian +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/8021q/vlan_core.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/net/8021q/vlan_core.c b/net/8021q/vlan_core.c +index 0beb44f2fe1f0..f001582345052 100644 +--- a/net/8021q/vlan_core.c ++++ b/net/8021q/vlan_core.c +@@ -407,6 +407,8 @@ int vlan_vids_add_by_dev(struct net_device *dev, + return 0; + + list_for_each_entry(vid_info, &vlan_info->vid_list, list) { ++ if (!vlan_hw_filter_capable(by_dev, vid_info->proto)) ++ continue; + err = vlan_vid_add(dev, vid_info->proto, vid_info->vid); + if (err) + goto unwind; +@@ -417,6 +419,8 @@ int vlan_vids_add_by_dev(struct net_device *dev, + list_for_each_entry_continue_reverse(vid_info, + &vlan_info->vid_list, + list) { ++ if (!vlan_hw_filter_capable(by_dev, vid_info->proto)) ++ continue; + vlan_vid_del(dev, vid_info->proto, vid_info->vid); + } + +@@ -436,8 +440,11 @@ void vlan_vids_del_by_dev(struct net_device *dev, + if (!vlan_info) + return; + +- list_for_each_entry(vid_info, &vlan_info->vid_list, list) ++ list_for_each_entry(vid_info, &vlan_info->vid_list, list) { ++ if (!vlan_hw_filter_capable(by_dev, vid_info->proto)) ++ continue; + vlan_vid_del(dev, vid_info->proto, vid_info->vid); ++ } + } + EXPORT_SYMBOL(vlan_vids_del_by_dev); + +-- +2.43.0 + diff --git a/queue-6.6/net-ethernet-mtk_wed-fix-possible-null-pointer-deref.patch b/queue-6.6/net-ethernet-mtk_wed-fix-possible-null-pointer-deref.patch new file mode 100644 index 00000000000..6134c3e5363 --- /dev/null +++ b/queue-6.6/net-ethernet-mtk_wed-fix-possible-null-pointer-deref.patch 
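Review bot: the vlan_hw_filter_capable(by_dev, vid_info->proto) checks added to vlan_vids_add_by_dev(), its unwind loop and vlan_vids_del_by_dev() all consult the feature state of by_dev at call time, so if rx-vlan-filter on by_dev is toggled between the add and the matching del (which is exactly what command [1] in the reproducer does), the two calls can see different answers and a vid either stays registered on dev after removal or is skipped on the way out; the commit message should state why that asymmetry is acceptable, or the del side should mirror the state that was in effect at add time instead of re-evaluating the feature bit.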
@@ -0,0 +1,40 @@ +From 6471b5ff6f3293b719e553af91333fef2962e397 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 17 Dec 2023 16:37:40 +0100 +Subject: net: ethernet: mtk_wed: fix possible NULL pointer dereference in + mtk_wed_wo_queue_tx_clean() + +From: Lorenzo Bianconi + +[ Upstream commit 7cb8cd4daacfea646cf8b5925ca2c66c98b18480 ] + +In order to avoid a NULL pointer dereference, check entry->buf pointer before running +skb_free_frag in mtk_wed_wo_queue_tx_clean routine. + +Fixes: 799684448e3e ("net: ethernet: mtk_wed: introduce wed wo support") +Signed-off-by: Lorenzo Bianconi +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/3c1262464d215faa8acebfc08869798c81c96f4a.1702827359.git.lorenzo@kernel.org +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mediatek/mtk_wed_wo.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/mediatek/mtk_wed_wo.c b/drivers/net/ethernet/mediatek/mtk_wed_wo.c +index 3bd51a3d66500..ae44ad5f8ce8a 100644 +--- a/drivers/net/ethernet/mediatek/mtk_wed_wo.c ++++ b/drivers/net/ethernet/mediatek/mtk_wed_wo.c +@@ -291,6 +291,9 @@ mtk_wed_wo_queue_tx_clean(struct mtk_wed_wo *wo, struct mtk_wed_wo_queue *q) + for (i = 0; i < q->n_desc; i++) { + struct mtk_wed_wo_queue_entry *entry = &q->entry[i]; + ++ if (!entry->buf) ++ continue; ++ + dma_unmap_single(wo->hw->dev, entry->addr, entry->len, + DMA_TO_DEVICE); + skb_free_frag(entry->buf); +-- +2.43.0 + diff --git a/queue-6.6/net-ipv6-revert-remove-expired-routes-with-a-separat.patch b/queue-6.6/net-ipv6-revert-remove-expired-routes-with-a-separat.patch new file mode 100644 index 00000000000..8ceded2ed3d --- /dev/null +++ b/queue-6.6/net-ipv6-revert-remove-expired-routes-with-a-separat.patch 
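Review bot: the "if (!entry->buf) continue;" added to mtk_wed_wo_queue_tx_clean() only prevents a double free if entry->buf is set to NULL after the skb_free_frag(entry->buf) call that follows it; the hunk ends at that call, so please confirm the next lines (not shown) clear entry->buf, otherwise a second cleanup pass will still free the same fragment. A comment explaining when an entry can legitimately have a NULL buf (never filled, or already cleaned) would also make the skip self-explanatory, and skipping the dma_unmap_single() together with the free is correct only if such entries were never mapped, which is worth stating there as well.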
@@ -0,0 +1,278 @@ +From e7fbea123f2a76ff03c6c2161c69b4d7e53242f6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Dec 2023 20:02:43 -0700 +Subject: net/ipv6: Revert remove expired routes with a separated list of + routes + +From: David Ahern + +[ Upstream commit dade3f6a1e4e35a5ae916d5e78b3229ec34c78ec ] + +This reverts commit 3dec89b14d37ee635e772636dad3f09f78f1ab87. + +The commit has some race conditions given how expires is managed on a +fib6_info in relation to gc start, adding the entry to the gc list and +setting the timer value leading to UAF. Revert the commit and try again +in a later release. + +Fixes: 3dec89b14d37 ("net/ipv6: Remove expired routes with a separated list of routes") +Cc: Kui-Feng Lee +Signed-off-by: David Ahern +Reviewed-by: Eric Dumazet +Link: https://lore.kernel.org/r/20231219030243.25687-1-dsahern@kernel.org +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + include/net/ip6_fib.h | 64 +++++++++---------------------------------- + net/ipv6/ip6_fib.c | 55 ++++--------------------------------- + net/ipv6/route.c | 6 ++-- + 3 files changed, 22 insertions(+), 103 deletions(-) + +diff --git a/include/net/ip6_fib.h b/include/net/ip6_fib.h +index 1ba9f4ddf2f6d..9ba6413fd2e3e 100644 +--- a/include/net/ip6_fib.h ++++ b/include/net/ip6_fib.h +@@ -179,9 +179,6 @@ struct fib6_info { + + refcount_t fib6_ref; + unsigned long expires; +- +- struct hlist_node gc_link; +- + struct dst_metrics *fib6_metrics; + #define fib6_pmtu fib6_metrics->metrics[RTAX_MTU-1] + +@@ -250,6 +247,19 @@ static inline bool fib6_requires_src(const struct fib6_info *rt) + return rt->fib6_src.plen > 0; + } + ++static inline void fib6_clean_expires(struct fib6_info *f6i) ++{ ++ f6i->fib6_flags &= ~RTF_EXPIRES; ++ f6i->expires = 0; ++} ++ ++static inline void fib6_set_expires(struct fib6_info *f6i, ++ unsigned long expires) ++{ ++ f6i->expires = expires; ++ f6i->fib6_flags |= RTF_EXPIRES; ++} ++ + static inline bool fib6_check_expired(const struct fib6_info 
*f6i) + { + if (f6i->fib6_flags & RTF_EXPIRES) +@@ -257,11 +267,6 @@ static inline bool fib6_check_expired(const struct fib6_info *f6i) + return false; + } + +-static inline bool fib6_has_expires(const struct fib6_info *f6i) +-{ +- return f6i->fib6_flags & RTF_EXPIRES; +-} +- + /* Function to safely get fn->fn_sernum for passed in rt + * and store result in passed in cookie. + * Return true if we can get cookie safely +@@ -383,7 +388,6 @@ struct fib6_table { + struct inet_peer_base tb6_peers; + unsigned int flags; + unsigned int fib_seq; +- struct hlist_head tb6_gc_hlist; /* GC candidates */ + #define RT6_TABLE_HAS_DFLT_ROUTER BIT(0) + }; + +@@ -500,48 +504,6 @@ void fib6_gc_cleanup(void); + + int fib6_init(void); + +-/* fib6_info must be locked by the caller, and fib6_info->fib6_table can be +- * NULL. +- */ +-static inline void fib6_set_expires_locked(struct fib6_info *f6i, +- unsigned long expires) +-{ +- struct fib6_table *tb6; +- +- tb6 = f6i->fib6_table; +- f6i->expires = expires; +- if (tb6 && !fib6_has_expires(f6i)) +- hlist_add_head(&f6i->gc_link, &tb6->tb6_gc_hlist); +- f6i->fib6_flags |= RTF_EXPIRES; +-} +- +-/* fib6_info must be locked by the caller, and fib6_info->fib6_table can be +- * NULL. If fib6_table is NULL, the fib6_info will no be inserted into the +- * list of GC candidates until it is inserted into a table. 
+- */ +-static inline void fib6_set_expires(struct fib6_info *f6i, +- unsigned long expires) +-{ +- spin_lock_bh(&f6i->fib6_table->tb6_lock); +- fib6_set_expires_locked(f6i, expires); +- spin_unlock_bh(&f6i->fib6_table->tb6_lock); +-} +- +-static inline void fib6_clean_expires_locked(struct fib6_info *f6i) +-{ +- if (fib6_has_expires(f6i)) +- hlist_del_init(&f6i->gc_link); +- f6i->fib6_flags &= ~RTF_EXPIRES; +- f6i->expires = 0; +-} +- +-static inline void fib6_clean_expires(struct fib6_info *f6i) +-{ +- spin_lock_bh(&f6i->fib6_table->tb6_lock); +- fib6_clean_expires_locked(f6i); +- spin_unlock_bh(&f6i->fib6_table->tb6_lock); +-} +- + struct ipv6_route_iter { + struct seq_net_private p; + struct fib6_walker w; +diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c +index 7772f42ff2b94..4fc2cae0d116c 100644 +--- a/net/ipv6/ip6_fib.c ++++ b/net/ipv6/ip6_fib.c +@@ -160,8 +160,6 @@ struct fib6_info *fib6_info_alloc(gfp_t gfp_flags, bool with_fib6_nh) + INIT_LIST_HEAD(&f6i->fib6_siblings); + refcount_set(&f6i->fib6_ref, 1); + +- INIT_HLIST_NODE(&f6i->gc_link); +- + return f6i; + } + +@@ -248,7 +246,6 @@ static struct fib6_table *fib6_alloc_table(struct net *net, u32 id) + net->ipv6.fib6_null_entry); + table->tb6_root.fn_flags = RTN_ROOT | RTN_TL_ROOT | RTN_RTINFO; + inet_peer_base_init(&table->tb6_peers); +- INIT_HLIST_HEAD(&table->tb6_gc_hlist); + } + + return table; +@@ -1060,8 +1057,6 @@ static void fib6_purge_rt(struct fib6_info *rt, struct fib6_node *fn, + lockdep_is_held(&table->tb6_lock)); + } + } +- +- fib6_clean_expires_locked(rt); + } + + /* +@@ -1123,10 +1118,9 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct fib6_info *rt, + if (!(iter->fib6_flags & RTF_EXPIRES)) + return -EEXIST; + if (!(rt->fib6_flags & RTF_EXPIRES)) +- fib6_clean_expires_locked(iter); ++ fib6_clean_expires(iter); + else +- fib6_set_expires_locked(iter, +- rt->expires); ++ fib6_set_expires(iter, rt->expires); + + if (rt->fib6_pmtu) + fib6_metric_set(iter, RTAX_MTU, +@@ -1485,10 
+1479,6 @@ int fib6_add(struct fib6_node *root, struct fib6_info *rt, + if (rt->nh) + list_add(&rt->nh_list, &rt->nh->f6i_list); + __fib6_update_sernum_upto_root(rt, fib6_new_sernum(info->nl_net)); +- +- if (fib6_has_expires(rt)) +- hlist_add_head(&rt->gc_link, &table->tb6_gc_hlist); +- + fib6_start_gc(info->nl_net, rt); + } + +@@ -2291,8 +2281,9 @@ static void fib6_flush_trees(struct net *net) + * Garbage collection + */ + +-static int fib6_age(struct fib6_info *rt, struct fib6_gc_args *gc_args) ++static int fib6_age(struct fib6_info *rt, void *arg) + { ++ struct fib6_gc_args *gc_args = arg; + unsigned long now = jiffies; + + /* +@@ -2300,7 +2291,7 @@ static int fib6_age(struct fib6_info *rt, struct fib6_gc_args *gc_args) + * Routes are expired even if they are in use. + */ + +- if (fib6_has_expires(rt) && rt->expires) { ++ if (rt->fib6_flags & RTF_EXPIRES && rt->expires) { + if (time_after(now, rt->expires)) { + RT6_TRACE("expiring %p\n", rt); + return -1; +@@ -2317,40 +2308,6 @@ static int fib6_age(struct fib6_info *rt, struct fib6_gc_args *gc_args) + return 0; + } + +-static void fib6_gc_table(struct net *net, +- struct fib6_table *tb6, +- struct fib6_gc_args *gc_args) +-{ +- struct fib6_info *rt; +- struct hlist_node *n; +- struct nl_info info = { +- .nl_net = net, +- .skip_notify = false, +- }; +- +- hlist_for_each_entry_safe(rt, n, &tb6->tb6_gc_hlist, gc_link) +- if (fib6_age(rt, gc_args) == -1) +- fib6_del(rt, &info); +-} +- +-static void fib6_gc_all(struct net *net, struct fib6_gc_args *gc_args) +-{ +- struct fib6_table *table; +- struct hlist_head *head; +- unsigned int h; +- +- rcu_read_lock(); +- for (h = 0; h < FIB6_TABLE_HASHSZ; h++) { +- head = &net->ipv6.fib_table_hash[h]; +- hlist_for_each_entry_rcu(table, head, tb6_hlist) { +- spin_lock_bh(&table->tb6_lock); +- fib6_gc_table(net, table, gc_args); +- spin_unlock_bh(&table->tb6_lock); +- } +- } +- rcu_read_unlock(); +-} +- + void fib6_run_gc(unsigned long expires, struct net *net, bool force) + { + 
struct fib6_gc_args gc_args; +@@ -2366,7 +2323,7 @@ void fib6_run_gc(unsigned long expires, struct net *net, bool force) + net->ipv6.sysctl.ip6_rt_gc_interval; + gc_args.more = 0; + +- fib6_gc_all(net, &gc_args); ++ fib6_clean_all(net, fib6_age, &gc_args); + now = jiffies; + net->ipv6.ip6_rt_last_gc = now; + +diff --git a/net/ipv6/route.c b/net/ipv6/route.c +index 9c687b357e6a4..56525b5b95a2b 100644 +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -3763,10 +3763,10 @@ static struct fib6_info *ip6_route_info_create(struct fib6_config *cfg, + rt->dst_nocount = true; + + if (cfg->fc_flags & RTF_EXPIRES) +- fib6_set_expires_locked(rt, jiffies + +- clock_t_to_jiffies(cfg->fc_expires)); ++ fib6_set_expires(rt, jiffies + ++ clock_t_to_jiffies(cfg->fc_expires)); + else +- fib6_clean_expires_locked(rt); ++ fib6_clean_expires(rt); + + if (cfg->fc_protocol == RTPROT_UNSPEC) + cfg->fc_protocol = RTPROT_BOOT; +-- +2.43.0 + diff --git a/queue-6.6/net-mana-select-page_pool.patch b/queue-6.6/net-mana-select-page_pool.patch new file mode 100644 index 00000000000..2a5291c00a3 --- /dev/null +++ b/queue-6.6/net-mana-select-page_pool.patch 
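Review bot: The commit message says the reverted change has race conditions between how expires is set, gc list insertion and the timer "leading to UAF", but gives no Reported-by, Link or reproducer, so a stable reviewer cannot tell which of the restored paths (fib6_add_rt2node() now calling fib6_set_expires(iter, rt->expires) without the gc list, the dropped fib6_clean_expires_locked() in fib6_purge_rt(), or the route.c call on a not-yet-inserted rt) is the one that raced; one sentence naming the racing pair, or a link to the report, would let the backport be judged on its own.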
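Review bot: In the restored fib6_age() hunk the condition `if (rt->fib6_flags & RTF_EXPIRES && rt->expires)` depends on `&` binding tighter than `&&`; it is correct, but since the revert re-introduces the line verbatim this is the moment to write it as `if ((rt->fib6_flags & RTF_EXPIRES) && rt->expires)` so compilers and checkpatch stop flagging it. The same hunk changes the signature back to `fib6_age(struct fib6_info *rt, void *arg)` with a cast to `struct fib6_gc_args *`, which is what fib6_clean_all(net, fib6_age, &gc_args) in fib6_run_gc() expects, so the two hunks are consistent.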
@@ -0,0 +1,49 @@ +From f7ba325e48e47386f80cd4163f5bd1f2d3bb8c5a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Dec 2023 12:33:53 -0800 +Subject: net: mana: select PAGE_POOL + +From: Yury Norov + +[ Upstream commit 340943fbff3d8faa44d2223ca04917df28786a07 ] + +Mana uses PAGE_POOL API. x86_64 defconfig doesn't select it: + +ld: vmlinux.o: in function `mana_create_page_pool.isra.0': +mana_en.c:(.text+0x9ae36f): undefined reference to `page_pool_create' +ld: vmlinux.o: in function `mana_get_rxfrag': +mana_en.c:(.text+0x9afed1): undefined reference to `page_pool_alloc_pages' +make[3]: *** [/home/yury/work/linux/scripts/Makefile.vmlinux:37: vmlinux] Error 1 +make[2]: *** [/home/yury/work/linux/Makefile:1154: vmlinux] Error 2 +make[1]: *** [/home/yury/work/linux/Makefile:234: __sub-make] Error 2 +make[1]: Leaving directory '/home/yury/work/build-linux-x86_64' +make: *** [Makefile:234: __sub-make] Error 2 + +So we need to select it explicitly. + +Signed-off-by: Yury Norov +Reviewed-by: Simon Horman +Tested-by: Simon Horman # build-tested +Fixes: ca9c54d2 ("net: mana: Add a driver for Microsoft Azure Network Adapter") +Link: https://lore.kernel.org/r/20231215203353.635379-1-yury.norov@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/microsoft/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/microsoft/Kconfig b/drivers/net/ethernet/microsoft/Kconfig +index 090e6b9832431..01eb7445ead95 100644 +--- a/drivers/net/ethernet/microsoft/Kconfig ++++ b/drivers/net/ethernet/microsoft/Kconfig +@@ -20,6 +20,7 @@ config MICROSOFT_MANA + depends on PCI_MSI && X86_64 + depends on PCI_HYPERV + select AUXILIARY_BUS ++ select PAGE_POOL + help + This driver supports Microsoft Azure Network Adapter (MANA). + So far, the driver is only supported on X86_64. +-- +2.43.0 + 
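Review bot: The Fixes: tag uses an 8-character hash abbreviation (`Fixes: ca9c54d2 ("net: mana: Add a driver for Microsoft Azure Network Adapter")`); kernel process asks for at least 12 characters so the reference stays unambiguous as the tree grows, so please expand it before this lands in stable. The `select PAGE_POOL` line itself matches the failure shown: the linker output lists undefined references to page_pool_create and page_pool_alloc_pages from mana_en.c, which is exactly what an unselected PAGE_POOL produces.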
diff --git a/queue-6.6/net-mlx5-fix-fw-tracer-first-block-check.patch b/queue-6.6/net-mlx5-fix-fw-tracer-first-block-check.patch new file mode 100644 index 00000000000..6f2daee399d --- /dev/null +++ b/queue-6.6/net-mlx5-fix-fw-tracer-first-block-check.patch @@ -0,0 +1,39 @@ +From 77ec4b4fbdfd8473a3847f2f003403041d052515 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Nov 2023 11:30:34 +0200 +Subject: net/mlx5: Fix fw tracer first block check + +From: Moshe Shemesh + +[ Upstream commit 4261edf11cb7c9224af713a102e5616329306932 ] + +While handling new traces, to verify it is not the first block being +written, last_timestamp is checked. But instead of checking it is non +zero it is verified to be zero. Fix to verify last_timestamp is not +zero. + +Fixes: c71ad41ccb0c ("net/mlx5: FW tracer, events handling") +Signed-off-by: Moshe Shemesh +Reviewed-by: Feras Daoud +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c +index ad789349c06e6..85d3bfa0780c6 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c +@@ -718,7 +718,7 @@ static void mlx5_fw_tracer_handle_traces(struct work_struct *work) + + while (block_timestamp > tracer->last_timestamp) { + /* Check block override if it's not the first block */ +- if (!tracer->last_timestamp) { ++ if (tracer->last_timestamp) { + u64 *ts_event; + /* To avoid block override be the HW in case of buffer + * wraparound, the time stamp of the previous block +-- +2.43.0 + diff --git a/queue-6.6/net-mlx5-refactor-mlx5_flow_destination-rep-pointer-.patch b/queue-6.6/net-mlx5-refactor-mlx5_flow_destination-rep-pointer-.patch new file mode 100644 index 00000000000..d400bd35c95 --- /dev/null 
+++ b/queue-6.6/net-mlx5-refactor-mlx5_flow_destination-rep-pointer-.patch 
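Review bot: In the mlx5_fw_tracer_handle_traces() hunk of fw_tracer.c, the flipped test `if (tracer->last_timestamp)` now agrees with the comment "Check block override if it's not the first block", but it encodes "first block" as last_timestamp == 0; if a later block can legitimately carry a timestamp of 0 (for example after a firmware-side timestamp reset), the override check is skipped for it too. A comment stating that last_timestamp is zero only before the first block, or an explicit first-block flag, would make that assumption visible to the next reader.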
@@ -0,0 +1,344 @@ +From 2649807704e6748ba789c0233b1a5317ced2ae1e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Oct 2023 15:22:22 +0200 +Subject: net/mlx5: Refactor mlx5_flow_destination->rep pointer to vport num + +From: Vlad Buslov + +[ Upstream commit 04ad04e4fdd10f92ef4f2b3f6227ec9824682197 ] + +Currently the destination rep pointer is only used for comparisons or to +obtain vport number from it. Since it is used both during flow creation and +deletion it may point to representor of another eswitch instance which can +be deallocated during driver unload even when there are rules pointing to +it[0]. Refactor the code to store vport number and 'valid' flag instead of +the representor pointer. + +[0]: +[176805.886303] ================================================================== +[176805.889433] BUG: KASAN: slab-use-after-free in esw_cleanup_dests+0x390/0x440 [mlx5_core] +[176805.892981] Read of size 2 at addr ffff888155090aa0 by task modprobe/27280 + +[176805.895462] CPU: 3 PID: 27280 Comm: modprobe Tainted: G B 6.6.0-rc3+ #1 +[176805.896771] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 +[176805.898514] Call Trace: +[176805.899026] +[176805.899519] dump_stack_lvl+0x33/0x50 +[176805.900221] print_report+0xc2/0x610 +[176805.900893] ? mlx5_chains_put_table+0x33d/0x8d0 [mlx5_core] +[176805.901897] ? esw_cleanup_dests+0x390/0x440 [mlx5_core] +[176805.902852] kasan_report+0xac/0xe0 +[176805.903509] ? esw_cleanup_dests+0x390/0x440 [mlx5_core] +[176805.904461] esw_cleanup_dests+0x390/0x440 [mlx5_core] +[176805.905223] __mlx5_eswitch_del_rule+0x1ae/0x460 [mlx5_core] +[176805.906044] ? esw_cleanup_dests+0x440/0x440 [mlx5_core] +[176805.906822] ? xas_find_conflict+0x420/0x420 +[176805.907496] ? 
down_read+0x11e/0x200 +[176805.908046] mlx5e_tc_rule_unoffload+0xc4/0x2a0 [mlx5_core] +[176805.908844] mlx5e_tc_del_fdb_flow+0x7da/0xb10 [mlx5_core] +[176805.909597] mlx5e_flow_put+0x4b/0x80 [mlx5_core] +[176805.910275] mlx5e_delete_flower+0x5b4/0xb70 [mlx5_core] +[176805.911010] tc_setup_cb_reoffload+0x27/0xb0 +[176805.911648] fl_reoffload+0x62d/0x900 [cls_flower] +[176805.912313] ? mlx5e_rep_indr_block_unbind+0xd0/0xd0 [mlx5_core] +[176805.913151] ? __fl_put+0x230/0x230 [cls_flower] +[176805.913768] ? filter_irq_stacks+0x90/0x90 +[176805.914335] ? kasan_save_stack+0x1e/0x40 +[176805.914893] ? kasan_set_track+0x21/0x30 +[176805.915484] ? kasan_save_free_info+0x27/0x40 +[176805.916105] tcf_block_playback_offloads+0x79/0x1f0 +[176805.916773] ? mlx5e_rep_indr_block_unbind+0xd0/0xd0 [mlx5_core] +[176805.917647] tcf_block_unbind+0x12d/0x330 +[176805.918239] tcf_block_offload_cmd.isra.0+0x24e/0x320 +[176805.918953] ? tcf_block_bind+0x770/0x770 +[176805.919551] ? _raw_read_unlock_irqrestore+0x30/0x30 +[176805.920236] ? mutex_lock+0x7d/0xd0 +[176805.920735] ? mutex_unlock+0x80/0xd0 +[176805.921255] tcf_block_offload_unbind+0xa5/0x120 +[176805.921909] __tcf_block_put+0xc2/0x2d0 +[176805.922467] ingress_destroy+0xf4/0x3d0 [sch_ingress] +[176805.923178] __qdisc_destroy+0x9d/0x280 +[176805.923741] dev_shutdown+0x1c6/0x330 +[176805.924295] unregister_netdevice_many_notify+0x6ef/0x1500 +[176805.925034] ? netdev_freemem+0x50/0x50 +[176805.925610] ? _raw_spin_lock_irq+0x7b/0xd0 +[176805.926235] ? _raw_spin_lock_bh+0xe0/0xe0 +[176805.926849] unregister_netdevice_queue+0x1e0/0x280 +[176805.927592] ? unregister_netdevice_many+0x10/0x10 +[176805.928275] unregister_netdev+0x18/0x20 +[176805.928835] mlx5e_vport_rep_unload+0xc0/0x200 [mlx5_core] +[176805.929608] mlx5_esw_offloads_unload_rep+0x9d/0xc0 [mlx5_core] +[176805.930492] mlx5_eswitch_unload_vf_vports+0x108/0x1a0 [mlx5_core] +[176805.931422] ? mlx5_eswitch_unload_sf_vport+0x50/0x50 [mlx5_core] +[176805.932304] ? 
rwsem_down_write_slowpath+0x11f0/0x11f0 +[176805.932987] mlx5_eswitch_disable_sriov+0x6f9/0xa60 [mlx5_core] +[176805.933807] ? mlx5_core_disable_hca+0xe1/0x130 [mlx5_core] +[176805.934576] ? mlx5_eswitch_disable_locked+0x580/0x580 [mlx5_core] +[176805.935463] mlx5_device_disable_sriov+0x138/0x490 [mlx5_core] +[176805.936308] mlx5_sriov_disable+0x8c/0xb0 [mlx5_core] +[176805.937063] remove_one+0x7f/0x210 [mlx5_core] +[176805.937711] pci_device_remove+0x96/0x1c0 +[176805.938289] device_release_driver_internal+0x361/0x520 +[176805.938981] ? kobject_put+0x5c/0x330 +[176805.939553] driver_detach+0xd7/0x1d0 +[176805.940101] bus_remove_driver+0x11f/0x290 +[176805.943847] pci_unregister_driver+0x23/0x1f0 +[176805.944505] mlx5_cleanup+0xc/0x20 [mlx5_core] +[176805.945189] __x64_sys_delete_module+0x2b3/0x450 +[176805.945837] ? module_flags+0x300/0x300 +[176805.946377] ? dput+0xc2/0x830 +[176805.946848] ? __kasan_record_aux_stack+0x9c/0xb0 +[176805.947555] ? __call_rcu_common.constprop.0+0x46c/0xb50 +[176805.948338] ? fpregs_assert_state_consistent+0x1d/0xa0 +[176805.949055] ? 
exit_to_user_mode_prepare+0x30/0x120 +[176805.949713] do_syscall_64+0x3d/0x90 +[176805.950226] entry_SYSCALL_64_after_hwframe+0x46/0xb0 +[176805.950904] RIP: 0033:0x7f7f42c3f5ab +[176805.951462] Code: 73 01 c3 48 8b 0d 75 a8 1b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 45 a8 1b 00 f7 d8 64 89 01 48 +[176805.953710] RSP: 002b:00007fff07dc9d08 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0 +[176805.954691] RAX: ffffffffffffffda RBX: 000055b6e91c01e0 RCX: 00007f7f42c3f5ab +[176805.955691] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 000055b6e91c0248 +[176805.956662] RBP: 000055b6e91c01e0 R08: 0000000000000000 R09: 0000000000000000 +[176805.957601] R10: 00007f7f42d9eac0 R11: 0000000000000206 R12: 000055b6e91c0248 +[176805.958593] R13: 0000000000000000 R14: 000055b6e91bfb38 R15: 0000000000000000 +[176805.959599] + +[176805.960324] Allocated by task 20490: +[176805.960893] kasan_save_stack+0x1e/0x40 +[176805.961463] kasan_set_track+0x21/0x30 +[176805.962019] __kasan_kmalloc+0x77/0x90 +[176805.962554] esw_offloads_init+0x1bb/0x480 [mlx5_core] +[176805.963318] mlx5_eswitch_init+0xc70/0x15c0 [mlx5_core] +[176805.964092] mlx5_init_one_devl_locked+0x366/0x1230 [mlx5_core] +[176805.964902] probe_one+0x6f7/0xc90 [mlx5_core] +[176805.965541] local_pci_probe+0xd7/0x180 +[176805.966075] pci_device_probe+0x231/0x6f0 +[176805.966631] really_probe+0x1d4/0xb50 +[176805.967179] __driver_probe_device+0x18d/0x450 +[176805.967810] driver_probe_device+0x49/0x120 +[176805.968431] __driver_attach+0x1fb/0x490 +[176805.968976] bus_for_each_dev+0xed/0x170 +[176805.969560] bus_add_driver+0x21a/0x570 +[176805.970124] driver_register+0x133/0x460 +[176805.970684] 0xffffffffa0678065 +[176805.971180] do_one_initcall+0x92/0x2b0 +[176805.971744] do_init_module+0x22d/0x720 +[176805.972318] load_module+0x58c3/0x63b0 +[176805.972847] init_module_from_file+0xd2/0x130 +[176805.973441] 
__x64_sys_finit_module+0x389/0x7c0 +[176805.974045] do_syscall_64+0x3d/0x90 +[176805.974556] entry_SYSCALL_64_after_hwframe+0x46/0xb0 + +[176805.975566] Freed by task 27280: +[176805.976077] kasan_save_stack+0x1e/0x40 +[176805.976655] kasan_set_track+0x21/0x30 +[176805.977221] kasan_save_free_info+0x27/0x40 +[176805.977834] ____kasan_slab_free+0x11a/0x1b0 +[176805.978505] __kmem_cache_free+0x163/0x2d0 +[176805.979113] esw_offloads_cleanup_reps+0xb8/0x120 [mlx5_core] +[176805.979963] mlx5_eswitch_cleanup+0x182/0x270 [mlx5_core] +[176805.980763] mlx5_cleanup_once+0x9a/0x1e0 [mlx5_core] +[176805.981477] mlx5_uninit_one+0xa9/0x180 [mlx5_core] +[176805.982196] remove_one+0x8f/0x210 [mlx5_core] +[176805.982868] pci_device_remove+0x96/0x1c0 +[176805.983461] device_release_driver_internal+0x361/0x520 +[176805.984169] driver_detach+0xd7/0x1d0 +[176805.984702] bus_remove_driver+0x11f/0x290 +[176805.985261] pci_unregister_driver+0x23/0x1f0 +[176805.985847] mlx5_cleanup+0xc/0x20 [mlx5_core] +[176805.986483] __x64_sys_delete_module+0x2b3/0x450 +[176805.987126] do_syscall_64+0x3d/0x90 +[176805.987665] entry_SYSCALL_64_after_hwframe+0x46/0xb0 + +[176805.988667] Last potentially related work creation: +[176805.989305] kasan_save_stack+0x1e/0x40 +[176805.989839] __kasan_record_aux_stack+0x9c/0xb0 +[176805.990443] kvfree_call_rcu+0x84/0xa30 +[176805.990973] clean_xps_maps+0x265/0x6e0 +[176805.991547] netif_reset_xps_queues.part.0+0x3f/0x80 +[176805.992226] unregister_netdevice_many_notify+0xfcf/0x1500 +[176805.992966] unregister_netdevice_queue+0x1e0/0x280 +[176805.993638] unregister_netdev+0x18/0x20 +[176805.994205] mlx5e_remove+0xba/0x1e0 [mlx5_core] +[176805.994872] auxiliary_bus_remove+0x52/0x70 +[176805.995490] device_release_driver_internal+0x361/0x520 +[176805.996196] bus_remove_device+0x1e1/0x3d0 +[176805.996767] device_del+0x390/0x980 +[176805.997270] mlx5_rescan_drivers_locked.part.0+0x130/0x540 [mlx5_core] +[176805.998195] mlx5_unregister_device+0x77/0xc0 [mlx5_core] 
+[176805.998989] mlx5_uninit_one+0x41/0x180 [mlx5_core] +[176805.999719] remove_one+0x8f/0x210 [mlx5_core] +[176806.000387] pci_device_remove+0x96/0x1c0 +[176806.000938] device_release_driver_internal+0x361/0x520 +[176806.001612] unbind_store+0xd8/0xf0 +[176806.002108] kernfs_fop_write_iter+0x2c0/0x440 +[176806.002748] vfs_write+0x725/0xba0 +[176806.003294] ksys_write+0xed/0x1c0 +[176806.003823] do_syscall_64+0x3d/0x90 +[176806.004357] entry_SYSCALL_64_after_hwframe+0x46/0xb0 + +[176806.005317] The buggy address belongs to the object at ffff888155090a80 + which belongs to the cache kmalloc-64 of size 64 +[176806.006774] The buggy address is located 32 bytes inside of + freed 64-byte region [ffff888155090a80, ffff888155090ac0) + +[176806.008773] The buggy address belongs to the physical page: +[176806.009480] page:00000000a407e0e6 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x155090 +[176806.010633] flags: 0x200000000000800(slab|node=0|zone=2) +[176806.011352] page_type: 0xffffffff() +[176806.011905] raw: 0200000000000800 ffff888100042640 ffffea000422b1c0 dead000000000004 +[176806.012949] raw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000 +[176806.013933] page dumped because: kasan: bad access detected + +[176806.014935] Memory state around the buggy address: +[176806.015601] ffff888155090980: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc +[176806.016568] ffff888155090a00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc +[176806.017497] >ffff888155090a80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc +[176806.018438] ^ +[176806.019007] ffff888155090b00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc +[176806.020001] ffff888155090b80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc +[176806.020996] ================================================================== + +Fixes: a508728a4c8b ("net/mlx5e: VF tunnel RX traffic offloading") +Signed-off-by: Vlad Buslov +Reviewed-by: Roi Dayan +Signed-off-by: Saeed Mahameed 
+Signed-off-by: Sasha Levin +--- + .../mellanox/mlx5/core/en/tc/act/mirred.c | 5 +++-- + .../mellanox/mlx5/core/en/tc_tun_encap.c | 3 ++- + .../net/ethernet/mellanox/mlx5/core/eswitch.h | 3 ++- + .../mellanox/mlx5/core/eswitch_offloads.c | 19 +++++++++---------- + .../mlx5/core/eswitch_offloads_termtbl.c | 4 ++-- + 5 files changed, 18 insertions(+), 16 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc/act/mirred.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tc/act/mirred.c +index f63402c480280..1b418095b79a3 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc/act/mirred.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc/act/mirred.c +@@ -197,7 +197,7 @@ parse_mirred_encap(struct mlx5e_tc_act_parse_state *parse_state, + } + esw_attr->dests[esw_attr->out_count].flags |= MLX5_ESW_DEST_ENCAP; + esw_attr->out_count++; +- /* attr->dests[].rep is resolved when we handle encap */ ++ /* attr->dests[].vport is resolved when we handle encap */ + + return 0; + } +@@ -270,7 +270,8 @@ parse_mirred(struct mlx5e_tc_act_parse_state *parse_state, + + out_priv = netdev_priv(out_dev); + rpriv = out_priv->ppriv; +- esw_attr->dests[esw_attr->out_count].rep = rpriv->rep; ++ esw_attr->dests[esw_attr->out_count].vport_valid = true; ++ esw_attr->dests[esw_attr->out_count].vport = rpriv->rep->vport; + esw_attr->dests[esw_attr->out_count].mdev = out_priv->mdev; + + esw_attr->out_count++; +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c +index b10e40e1a9c14..f1d1e1542e81b 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c +@@ -1064,7 +1064,8 @@ int mlx5e_tc_tun_encap_dests_set(struct mlx5e_priv *priv, + + out_priv = netdev_priv(encap_dev); + rpriv = out_priv->ppriv; +- esw_attr->dests[out_index].rep = rpriv->rep; ++ esw_attr->dests[out_index].vport_valid = true; ++ 
esw_attr->dests[out_index].vport = rpriv->rep->vport; + esw_attr->dests[out_index].mdev = out_priv->mdev; + } + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h +index b674b57d05aad..b4eb17141edf3 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h +@@ -526,7 +526,8 @@ struct mlx5_esw_flow_attr { + u8 total_vlan; + struct { + u32 flags; +- struct mlx5_eswitch_rep *rep; ++ bool vport_valid; ++ u16 vport; + struct mlx5_pkt_reformat *pkt_reformat; + struct mlx5_core_dev *mdev; + struct mlx5_termtbl_handle *termtbl; +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c +index 9bd5609cf6597..b0455134c98ef 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c +@@ -287,10 +287,9 @@ static void esw_put_dest_tables_loop(struct mlx5_eswitch *esw, struct mlx5_flow_ + for (i = from; i < to; i++) + if (esw_attr->dests[i].flags & MLX5_ESW_DEST_CHAIN_WITH_SRC_PORT_CHANGE) + mlx5_chains_put_table(chains, 0, 1, 0); +- else if (mlx5_esw_indir_table_needed(esw, attr, esw_attr->dests[i].rep->vport, ++ else if (mlx5_esw_indir_table_needed(esw, attr, esw_attr->dests[i].vport, + esw_attr->dests[i].mdev)) +- mlx5_esw_indir_table_put(esw, esw_attr->dests[i].rep->vport, +- false); ++ mlx5_esw_indir_table_put(esw, esw_attr->dests[i].vport, false); + } + + static bool +@@ -358,8 +357,8 @@ esw_is_indir_table(struct mlx5_eswitch *esw, struct mlx5_flow_attr *attr) + * this criteria. 
+ */ + for (i = esw_attr->split_count; i < esw_attr->out_count; i++) { +- if (esw_attr->dests[i].rep && +- mlx5_esw_indir_table_needed(esw, attr, esw_attr->dests[i].rep->vport, ++ if (esw_attr->dests[i].vport_valid && ++ mlx5_esw_indir_table_needed(esw, attr, esw_attr->dests[i].vport, + esw_attr->dests[i].mdev)) { + result = true; + } else { +@@ -388,7 +387,7 @@ esw_setup_indir_table(struct mlx5_flow_destination *dest, + dest[*i].type = MLX5_FLOW_DESTINATION_TYPE_FLOW_TABLE; + + dest[*i].ft = mlx5_esw_indir_table_get(esw, attr, +- esw_attr->dests[j].rep->vport, false); ++ esw_attr->dests[j].vport, false); + if (IS_ERR(dest[*i].ft)) { + err = PTR_ERR(dest[*i].ft); + goto err_indir_tbl_get; +@@ -432,11 +431,11 @@ static bool esw_setup_uplink_fwd_ipsec_needed(struct mlx5_eswitch *esw, + int attr_idx) + { + if (esw->offloads.ft_ipsec_tx_pol && +- esw_attr->dests[attr_idx].rep && +- esw_attr->dests[attr_idx].rep->vport == MLX5_VPORT_UPLINK && ++ esw_attr->dests[attr_idx].vport_valid && ++ esw_attr->dests[attr_idx].vport == MLX5_VPORT_UPLINK && + /* To be aligned with software, encryption is needed only for tunnel device */ + (esw_attr->dests[attr_idx].flags & MLX5_ESW_DEST_ENCAP_VALID) && +- esw_attr->dests[attr_idx].rep != esw_attr->in_rep && ++ esw_attr->dests[attr_idx].vport != esw_attr->in_rep->vport && + esw_same_vhca_id(esw_attr->dests[attr_idx].mdev, esw->dev)) + return true; + +@@ -469,7 +468,7 @@ esw_setup_dest_fwd_vport(struct mlx5_flow_destination *dest, struct mlx5_flow_ac + int attr_idx, int dest_idx, bool pkt_reformat) + { + dest[dest_idx].type = MLX5_FLOW_DESTINATION_TYPE_VPORT; +- dest[dest_idx].vport.num = esw_attr->dests[attr_idx].rep->vport; ++ dest[dest_idx].vport.num = esw_attr->dests[attr_idx].vport; + if (MLX5_CAP_ESW(esw->dev, merged_eswitch)) { + dest[dest_idx].vport.vhca_id = + MLX5_CAP_GEN(esw_attr->dests[attr_idx].mdev, vhca_id); +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads_termtbl.c 
b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads_termtbl.c +index edd9102583144..40bdc677f051d 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads_termtbl.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads_termtbl.c +@@ -233,8 +233,8 @@ mlx5_eswitch_termtbl_required(struct mlx5_eswitch *esw, + + /* hairpin */ + for (i = esw_attr->split_count; i < esw_attr->out_count; i++) +- if (!esw_attr->dest_int_port && esw_attr->dests[i].rep && +- esw_attr->dests[i].rep->vport == MLX5_VPORT_UPLINK) ++ if (!esw_attr->dest_int_port && esw_attr->dests[i].vport_valid && ++ esw_attr->dests[i].vport == MLX5_VPORT_UPLINK) + return true; + + return false; +-- +2.43.0 + diff --git a/queue-6.6/net-mlx5e-correct-snprintf-truncation-handling-for-f.patch b/queue-6.6/net-mlx5e-correct-snprintf-truncation-handling-for-f.patch new file mode 100644 index 00000000000..17b3cfedb6a --- /dev/null +++ b/queue-6.6/net-mlx5e-correct-snprintf-truncation-handling-for-f.patch 
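Review bot: In eswitch_offloads.c, esw_put_dest_tables_loop() and esw_setup_dest_fwd_vport() now read esw_attr->dests[i].vport without testing vport_valid, while esw_is_indir_table(), esw_setup_uplink_fwd_ipsec_needed() and mlx5_eswitch_termtbl_required() do test it; with the old pointer an unset dest would have faulted on rep->vport, whereas now it silently becomes vport 0. Either document that every dest reaching those two functions has vport_valid set, or add a `WARN_ON_ONCE(!esw_attr->dests[attr_idx].vport_valid)` in esw_setup_dest_fwd_vport() so a missing setup is noticed instead of steering traffic to vport 0.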
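Review bot: In esw_setup_uplink_fwd_ipsec_needed() the test `esw_attr->dests[attr_idx].rep != esw_attr->in_rep` became `esw_attr->dests[attr_idx].vport != esw_attr->in_rep->vport`, which turns a pointer-identity comparison (distinct across eswitch instances) into a vport-number comparison that can match reps of different eswitches sharing a vport number; it is only safe because the following `esw_same_vhca_id(esw_attr->dests[attr_idx].mdev, esw->dev)` check narrows the match. That dependency deserves a comment in the hunk and a sentence in the commit message, since the message only describes the lifetime problem with the rep pointer.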
@@ -0,0 +1,42 @@ +From c3cc1a935ea3290fb361e47b3e745c80b6fbb577 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Nov 2023 15:00:21 -0800 +Subject: net/mlx5e: Correct snprintf truncation handling for fw_version buffer + +From: Rahul Rameshbabu + +[ Upstream commit ad436b9c1270c40554e274f067f1b78fcc06a004 ] + +snprintf returns the length of the formatted string, excluding the trailing +null, without accounting for truncation. This means that is the return +value is greater than or equal to the size parameter, the fw_version string +was truncated. + +Reported-by: David Laight +Closes: https://lore.kernel.org/netdev/81cae734ee1b4cde9b380a9a31006c1a@AcuMS.aculab.com/ +Link: https://docs.kernel.org/core-api/kernel-api.html#c.snprintf +Fixes: 41e63c2baa11 ("net/mlx5e: Check return value of snprintf writing to fw_version buffer") +Signed-off-by: Rahul Rameshbabu +Reviewed-by: Simon Horman +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c +index 7c66bd73ddfa2..38263d5c98b34 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c +@@ -49,7 +49,7 @@ void mlx5e_ethtool_get_drvinfo(struct mlx5e_priv *priv, + count = snprintf(drvinfo->fw_version, sizeof(drvinfo->fw_version), + "%d.%d.%04d (%.16s)", fw_rev_maj(mdev), + fw_rev_min(mdev), fw_rev_sub(mdev), mdev->board_id); +- if (count == sizeof(drvinfo->fw_version)) ++ if (count >= sizeof(drvinfo->fw_version)) + snprintf(drvinfo->fw_version, sizeof(drvinfo->fw_version), + "%d.%d.%04d", fw_rev_maj(mdev), + fw_rev_min(mdev), fw_rev_sub(mdev)); +-- +2.43.0 + 
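Review bot: The change to `if (count >= sizeof(drvinfo->fw_version))` in mlx5e_ethtool_get_drvinfo() correctly handles snprintf's return value, but the fallback snprintf in the same hunk is still unchecked, so a truncated "%d.%d.%04d" string would be silently accepted; if that format can never exceed the buffer, a comment saying so would help, otherwise check it the same way or use scnprintf. Also, the commit message reads "This means that is the return value is greater than or equal to" where "if the return value" is intended.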
diff --git a/queue-6.6/net-mlx5e-correct-snprintf-truncation-handling-for-f.patch-13064 b/queue-6.6/net-mlx5e-correct-snprintf-truncation-handling-for-f.patch-13064 new file mode 100644 index 00000000000..b6f2e3622ef --- /dev/null +++ b/queue-6.6/net-mlx5e-correct-snprintf-truncation-handling-for-f.patch-13064 
@@ -0,0 +1,41 @@ +From e6f2012cbb5ca81318d93bbc048533c1e3e02e0d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Nov 2023 15:00:22 -0800 +Subject: net/mlx5e: Correct snprintf truncation handling for fw_version buffer + used by representors + +From: Rahul Rameshbabu + +[ Upstream commit b13559b76157de9d74f04d3ca0e49d69de3b5675 ] + +snprintf returns the length of the formatted string, excluding the trailing +null, without accounting for truncation. This means that is the return +value is greater than or equal to the size parameter, the fw_version string +was truncated. + +Link: https://docs.kernel.org/core-api/kernel-api.html#c.snprintf +Fixes: 1b2bd0c0264f ("net/mlx5e: Check return value of snprintf writing to fw_version buffer for representors") +Signed-off-by: Rahul Rameshbabu +Reviewed-by: Simon Horman +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_rep.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c +index 007cb167cabc9..751d3ffcd2f6c 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c +@@ -78,7 +78,7 @@ static void mlx5e_rep_get_drvinfo(struct net_device *dev, + count = snprintf(drvinfo->fw_version, sizeof(drvinfo->fw_version), + "%d.%d.%04d (%.16s)", fw_rev_maj(mdev), + fw_rev_min(mdev), fw_rev_sub(mdev), mdev->board_id); +- if (count == sizeof(drvinfo->fw_version)) ++ if (count >= sizeof(drvinfo->fw_version)) + snprintf(drvinfo->fw_version, sizeof(drvinfo->fw_version), + "%d.%d.%04d", fw_rev_maj(mdev), + fw_rev_min(mdev), fw_rev_sub(mdev)); +-- +2.43.0 + diff --git a/queue-6.6/net-mlx5e-decrease-num_block_tc-when-unblock-tc-offl.patch b/queue-6.6/net-mlx5e-decrease-num_block_tc-when-unblock-tc-offl.patch new file mode 100644 index 00000000000..3969486df68 --- /dev/null 
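Review bot: this is the same `==` to `>=` correction as the en_ethtool.c patch and carries the same caveat, the fallback snprintf's return value is not checked, so document why the shorter format cannot overflow `fw_version` or check it. Since `mlx5e_rep_get_drvinfo()` and `mlx5e_ethtool_get_drvinfo()` contain the identical three-line formatting sequence, a shared helper that formats `fw_version` once would have prevented the same truncation bug being introduced, and fixed, in two places.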
+++ b/queue-6.6/net-mlx5e-decrease-num_block_tc-when-unblock-tc-offl.patch @@ -0,0 +1,37 @@ +From 9e27462f02dce5469cfc3ba06c173b5a4724f33d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Nov 2023 04:53:32 +0200 +Subject: net/mlx5e: Decrease num_block_tc when unblock tc offload + +From: Chris Mi + +[ Upstream commit be86106fd74a145f24c56c9bc18d658e8fe6d4f4 ] + +The cited commit increases num_block_tc when unblock tc offload. +Actually should decrease it. + +Fixes: c8e350e62fc5 ("net/mlx5e: Make TC and IPsec offloads mutually exclusive on a netdev") +Signed-off-by: Chris Mi +Reviewed-by: Jianbo Liu +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c +index 03f69c485a006..81e6aa6434cf2 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c +@@ -1866,7 +1866,7 @@ static int mlx5e_ipsec_block_tc_offload(struct mlx5_core_dev *mdev) + + static void mlx5e_ipsec_unblock_tc_offload(struct mlx5_core_dev *mdev) + { +- mdev->num_block_tc++; ++ mdev->num_block_tc--; + } + + int mlx5e_accel_ipsec_fs_add_rule(struct mlx5e_ipsec_sa_entry *sa_entry) +-- +2.43.0 + diff --git a/queue-6.6/net-mlx5e-fix-a-potential-double-free-in-fs_udp_crea.patch b/queue-6.6/net-mlx5e-fix-a-potential-double-free-in-fs_udp_crea.patch new file mode 100644 index 00000000000..509feb0abac --- /dev/null +++ b/queue-6.6/net-mlx5e-fix-a-potential-double-free-in-fs_udp_crea.patch 
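Review bot: the `++` to `--` fix in `mlx5e_ipsec_unblock_tc_offload()` is clearly right, but nothing in the hunk guards against an unbalanced call: if unblock is ever reached without a preceding block, the counter goes below zero (or wraps, depending on its type) and TC offload stays blocked with no diagnostic. A `WARN_ON_ONCE(!mdev->num_block_tc)` before the decrement would make such a pairing bug visible. The hunk also does not show what serializes `mdev->num_block_tc` between the block and unblock paths; confirm the callers hold the same lock or that the field is atomic.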
@@ -0,0 +1,40 @@ +From 9178e89034961b28070a41f8d899c7f4745b998d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Nov 2023 17:40:53 +0800 +Subject: net/mlx5e: fix a potential double-free in fs_udp_create_groups + +From: Dinghao Liu + +[ Upstream commit e75efc6466ae289e599fb12a5a86545dff245c65 ] + +When kcalloc() for ft->g succeeds but kvzalloc() for in fails, +fs_udp_create_groups() will free ft->g. However, its caller +fs_udp_create_table() will free ft->g again through calling +mlx5e_destroy_flow_table(), which will lead to a double-free. +Fix this by setting ft->g to NULL in fs_udp_create_groups(). + +Fixes: 1c80bd684388 ("net/mlx5e: Introduce Flow Steering UDP API") +Signed-off-by: Dinghao Liu +Reviewed-by: Tariq Toukan +Reviewed-by: Simon Horman +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en/fs_tt_redirect.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/fs_tt_redirect.c b/drivers/net/ethernet/mellanox/mlx5/core/en/fs_tt_redirect.c +index be83ad9db82a4..e1283531e0b81 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/fs_tt_redirect.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/fs_tt_redirect.c +@@ -154,6 +154,7 @@ static int fs_udp_create_groups(struct mlx5e_flow_table *ft, enum fs_udp_type ty + in = kvzalloc(inlen, GFP_KERNEL); + if (!in || !ft->g) { + kfree(ft->g); ++ ft->g = NULL; + kvfree(in); + return -ENOMEM; + } +-- +2.43.0 + diff --git a/queue-6.6/net-mlx5e-fix-a-race-in-command-alloc-flow.patch b/queue-6.6/net-mlx5e-fix-a-race-in-command-alloc-flow.patch new file mode 100644 index 00000000000..6e234797bcf --- /dev/null +++ b/queue-6.6/net-mlx5e-fix-a-race-in-command-alloc-flow.patch 
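Review bot: setting `ft->g = NULL` after `kfree(ft->g)` turns the caller's second free in `mlx5e_destroy_flow_table()` into a harmless `kfree(NULL)`, which closes the double free described in the message. The root cause is unclear ownership on the error path: since the caller already cleans up `ft->g` on failure, the more robust fix would be to drop the `kfree(ft->g)` in `fs_udp_create_groups()` entirely and leave cleanup to `fs_udp_create_table()`, so a later change to the caller's error handling cannot reintroduce the bug. If the local free is kept, a one-line comment saying the caller frees `ft->g` too would explain why the NULL assignment is required.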
@@ -0,0 +1,126 @@ +From 73d7143365c14dbfd8317ebcb51ab00d17d38584 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 2 Dec 2023 00:01:26 -0800 +Subject: net/mlx5e: Fix a race in command alloc flow + +From: Shifeng Li + +[ Upstream commit 8f5100da56b3980276234e812ce98d8f075194cd ] + +Fix a cmd->ent use after free due to a race on command entry. +Such race occurs when one of the commands releases its last refcount and +frees its index and entry while another process running command flush +flow takes refcount to this command entry. The process which handles +commands flush may see this command as needed to be flushed if the other +process allocated a ent->idx but didn't set ent to cmd->ent_arr in +cmd_work_handler(). Fix it by moving the assignment of cmd->ent_arr into +the spin lock. + +[70013.081955] BUG: KASAN: use-after-free in mlx5_cmd_trigger_completions+0x1e2/0x4c0 [mlx5_core] +[70013.081967] Write of size 4 at addr ffff88880b1510b4 by task kworker/26:1/1433361 +[70013.081968] +[70013.082028] Workqueue: events aer_isr +[70013.082053] Call Trace: +[70013.082067] dump_stack+0x8b/0xbb +[70013.082086] print_address_description+0x6a/0x270 +[70013.082102] kasan_report+0x179/0x2c0 +[70013.082173] mlx5_cmd_trigger_completions+0x1e2/0x4c0 [mlx5_core] +[70013.082267] mlx5_cmd_flush+0x80/0x180 [mlx5_core] +[70013.082304] mlx5_enter_error_state+0x106/0x1d0 [mlx5_core] +[70013.082338] mlx5_try_fast_unload+0x2ea/0x4d0 [mlx5_core] +[70013.082377] remove_one+0x200/0x2b0 [mlx5_core] +[70013.082409] pci_device_remove+0xf3/0x280 +[70013.082439] device_release_driver_internal+0x1c3/0x470 +[70013.082453] pci_stop_bus_device+0x109/0x160 +[70013.082468] pci_stop_and_remove_bus_device+0xe/0x20 +[70013.082485] pcie_do_fatal_recovery+0x167/0x550 +[70013.082493] aer_isr+0x7d2/0x960 +[70013.082543] process_one_work+0x65f/0x12d0 +[70013.082556] worker_thread+0x87/0xb50 +[70013.082571] kthread+0x2e9/0x3a0 +[70013.082592] ret_from_fork+0x1f/0x40 + +The logical relationship of this error 
is as follows: + + aer_recover_work | ent->work +-------------------------------------------+------------------------------ +aer_recover_work_func | +|- pcie_do_recovery | + |- report_error_detected | + |- mlx5_pci_err_detected |cmd_work_handler + |- mlx5_enter_error_state | |- cmd_alloc_index + |- enter_error_state | |- lock cmd->alloc_lock + |- mlx5_cmd_flush | |- clear_bit + |- mlx5_cmd_trigger_completions| |- unlock cmd->alloc_lock + |- lock cmd->alloc_lock | + |- vector = ~dev->cmd.vars.bitmask + |- for_each_set_bit | + |- cmd_ent_get(cmd->ent_arr[i]) (UAF) + |- unlock cmd->alloc_lock | |- cmd->ent_arr[ent->idx]=ent + +The cmd->ent_arr[ent->idx] assignment and the bit clearing are not +protected by the cmd->alloc_lock in cmd_work_handler(). + +Fixes: 50b2412b7e78 ("net/mlx5: Avoid possible free of command entry while timeout comp handler") +Reviewed-by: Moshe Shemesh +Signed-off-by: Shifeng Li +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +index c22b0ad0c8701..7013e1c8741a3 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +@@ -156,15 +156,18 @@ static u8 alloc_token(struct mlx5_cmd *cmd) + return token; + } + +-static int cmd_alloc_index(struct mlx5_cmd *cmd) ++static int cmd_alloc_index(struct mlx5_cmd *cmd, struct mlx5_cmd_work_ent *ent) + { + unsigned long flags; + int ret; + + spin_lock_irqsave(&cmd->alloc_lock, flags); + ret = find_first_bit(&cmd->vars.bitmask, cmd->vars.max_reg_cmds); +- if (ret < cmd->vars.max_reg_cmds) ++ if (ret < cmd->vars.max_reg_cmds) { + clear_bit(ret, &cmd->vars.bitmask); ++ ent->idx = ret; ++ cmd->ent_arr[ent->idx] = ent; ++ } + spin_unlock_irqrestore(&cmd->alloc_lock, flags); + + return ret < cmd->vars.max_reg_cmds ? 
ret : -ENOMEM; +@@ -977,7 +980,7 @@ static void cmd_work_handler(struct work_struct *work) + sem = ent->page_queue ? &cmd->vars.pages_sem : &cmd->vars.sem; + down(sem); + if (!ent->page_queue) { +- alloc_ret = cmd_alloc_index(cmd); ++ alloc_ret = cmd_alloc_index(cmd, ent); + if (alloc_ret < 0) { + mlx5_core_err_rl(dev, "failed to allocate command entry\n"); + if (ent->callback) { +@@ -992,15 +995,14 @@ static void cmd_work_handler(struct work_struct *work) + up(sem); + return; + } +- ent->idx = alloc_ret; + } else { + ent->idx = cmd->vars.max_reg_cmds; + spin_lock_irqsave(&cmd->alloc_lock, flags); + clear_bit(ent->idx, &cmd->vars.bitmask); ++ cmd->ent_arr[ent->idx] = ent; + spin_unlock_irqrestore(&cmd->alloc_lock, flags); + } + +- cmd->ent_arr[ent->idx] = ent; + lay = get_inst(cmd, ent->idx); + ent->lay = lay; + memset(lay, 0, sizeof(*lay)); +-- +2.43.0 + diff --git a/queue-6.6/net-mlx5e-fix-error-code-in-mlx5e_tc_action_miss_map.patch b/queue-6.6/net-mlx5e-fix-error-code-in-mlx5e_tc_action_miss_map.patch new file mode 100644 index 00000000000..75d285463ca --- /dev/null +++ b/queue-6.6/net-mlx5e-fix-error-code-in-mlx5e_tc_action_miss_map.patch 
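Review bot: moving `ent->idx = ret; cmd->ent_arr[ent->idx] = ent;` inside `cmd->alloc_lock` closes the window in which `mlx5_cmd_trigger_completions()` could observe a cleared bitmask bit while `cmd->ent_arr[i]` still held a stale, freed entry; the page_queue branch gets the same treatment in the second hunk, so both publication paths are now under the lock. Two follow-ups: `cmd_alloc_index()` now has a side effect (it publishes `ent` into the array) that its name and new `ent` parameter do not convey, so a comment at the `cmd->ent_arr[ent->idx] = ent;` line stating that the assignment must stay under `alloc_lock` because the flush path walks `ent_arr` under the same lock would stop someone hoisting it back out. Also confirm that `ent->idx` is not read by any path before `cmd_alloc_index()` returns, since it is now assigned inside the callee rather than from `alloc_ret`.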
@@ -0,0 +1,39 @@ +From 5c5b97a88c463423b701c67edb5e0996ad7132f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Dec 2023 17:08:17 +0300 +Subject: net/mlx5e: Fix error code in mlx5e_tc_action_miss_mapping_get() + +From: Dan Carpenter + +[ Upstream commit 86d5922679f3b6d02a64df66cdd777fdd4ea5c0d ] + +Preserve the error code if esw_add_restore_rule() fails. Don't return +success. + +Fixes: 6702782845a5 ("net/mlx5e: TC, Set CT miss to the specific ct action instance") +Signed-off-by: Dan Carpenter +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c +index 1bead98f73bf5..2cfbacf77535c 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c +@@ -5734,8 +5734,10 @@ int mlx5e_tc_action_miss_mapping_get(struct mlx5e_priv *priv, struct mlx5_flow_a + + esw = priv->mdev->priv.eswitch; + attr->act_id_restore_rule = esw_add_restore_rule(esw, *act_miss_mapping); +- if (IS_ERR(attr->act_id_restore_rule)) ++ if (IS_ERR(attr->act_id_restore_rule)) { ++ err = PTR_ERR(attr->act_id_restore_rule); + goto err_rule; ++ } + + return 0; + +-- +2.43.0 + diff --git a/queue-6.6/net-mlx5e-fix-error-codes-in-alloc_branch_attr.patch b/queue-6.6/net-mlx5e-fix-error-codes-in-alloc_branch_attr.patch new file mode 100644 index 00000000000..56255143f1d --- /dev/null +++ b/queue-6.6/net-mlx5e-fix-error-codes-in-alloc_branch_attr.patch 
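Review bot: assigning `err = PTR_ERR(attr->act_id_restore_rule)` before `goto err_rule` is the correct fix; confirm that the `err_rule:` label (outside the hunk) returns `err` rather than a constant. The underlying pattern, a `goto` to a shared error label with `err` still holding the success value of an earlier call, is worth checking at every other `goto err_*` site in `mlx5e_tc_action_miss_mapping_get()`, since the same stale-success return is easy to reintroduce when a new step is added to the function.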
@@ -0,0 +1,46 @@ +From 821de6c1755897fa3dc38a317581d630be2585c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Dec 2023 17:08:57 +0300 +Subject: net/mlx5e: Fix error codes in alloc_branch_attr() + +From: Dan Carpenter + +[ Upstream commit d792e5f7f19b95f5ce41ac49df5ead4d280238f4 ] + +Set the error code if set_branch_dest_ft() fails. + +Fixes: ccbe33003b10 ("net/mlx5e: TC, Don't offload post action rule if not supported") +Signed-off-by: Dan Carpenter +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c +index 2cfbacf77535c..25e44ee5121a9 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c +@@ -3776,7 +3776,8 @@ alloc_branch_attr(struct mlx5e_tc_flow *flow, + break; + case FLOW_ACTION_ACCEPT: + case FLOW_ACTION_PIPE: +- if (set_branch_dest_ft(flow->priv, attr)) ++ err = set_branch_dest_ft(flow->priv, attr); ++ if (err) + goto out_err; + break; + case FLOW_ACTION_JUMP: +@@ -3786,7 +3787,8 @@ alloc_branch_attr(struct mlx5e_tc_flow *flow, + goto out_err; + } + *jump_count = cond->extval; +- if (set_branch_dest_ft(flow->priv, attr)) ++ err = set_branch_dest_ft(flow->priv, attr); ++ if (err) + goto out_err; + break; + default: +-- +2.43.0 + diff --git a/queue-6.6/net-mlx5e-fix-overrun-reported-by-coverity.patch b/queue-6.6/net-mlx5e-fix-overrun-reported-by-coverity.patch new file mode 100644 index 00000000000..791d432c128 --- /dev/null +++ b/queue-6.6/net-mlx5e-fix-overrun-reported-by-coverity.patch 
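Review bot: both `if (set_branch_dest_ft(flow->priv, attr))` sites are now captured into `err` before `goto out_err`, which is the right fix. The `FLOW_ACTION_JUMP` case has another `goto out_err` just above `*jump_count = cond->extval;` (visible as context at the top of the second hunk); confirm that path also sets `err`, otherwise it has the same stale-error-code defect this patch addresses. Since the accept/pipe and jump cases now contain identical two-line sequences, a small helper or a single `err = ...; if (err) goto out_err;` after the switch would reduce the chance of the next branch missing the assignment.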
@@ -0,0 +1,62 @@ +From 92a982b437d410a3653e0077ae56aa366d6123fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Nov 2023 01:25:21 +0000 +Subject: net/mlx5e: Fix overrun reported by coverity + +From: Jianbo Liu + +[ Upstream commit da75fa542873e5f7d7f615566c0b00042d8a0437 ] + +Coverity Scan reports the following issue. But it's impossible that +mlx5_get_dev_index returns 7 for PF, even if the index is calculated +from PCI FUNC ID. So add the checking to make coverity slience. + +CID 610894 (#2 of 2): Out-of-bounds write (OVERRUN) +Overrunning array esw->fdb_table.offloads.peer_miss_rules of 4 8-byte +elements at element index 7 (byte offset 63) using index +mlx5_get_dev_index(peer_dev) (which evaluates to 7). + +Fixes: 9bee385a6e39 ("net/mlx5: E-switch, refactor FDB miss rule add/remove") +Signed-off-by: Jianbo Liu +Reviewed-by: Roi Dayan +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + .../ethernet/mellanox/mlx5/core/eswitch_offloads.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c +index bb8bcb448ae90..9bd5609cf6597 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c +@@ -1177,9 +1177,9 @@ static int esw_add_fdb_peer_miss_rules(struct mlx5_eswitch *esw, + struct mlx5_flow_handle *flow; + struct mlx5_flow_spec *spec; + struct mlx5_vport *vport; ++ int err, pfindex; + unsigned long i; + void *misc; +- int err; + + if (!MLX5_VPORT_MANAGER(esw->dev) && !mlx5_core_is_ecpf_esw_manager(esw->dev)) + return 0; +@@ -1255,7 +1255,15 @@ static int esw_add_fdb_peer_miss_rules(struct mlx5_eswitch *esw, + flows[vport->index] = flow; + } + } +- esw->fdb_table.offloads.peer_miss_rules[mlx5_get_dev_index(peer_dev)] = flows; ++ ++ pfindex = mlx5_get_dev_index(peer_dev); ++ if (pfindex >= MLX5_MAX_PORTS) { ++ 
esw_warn(esw->dev, "Peer dev index(%d) is over the max num defined(%d)\n", ++ pfindex, MLX5_MAX_PORTS); ++ err = -EINVAL; ++ goto add_ec_vf_flow_err; ++ } ++ esw->fdb_table.offloads.peer_miss_rules[pfindex] = flows; + + kvfree(spec); + return 0; +-- +2.43.0 + diff --git a/queue-6.6/net-mlx5e-fix-slab-out-of-bounds-in-mlx5_query_nic_v.patch b/queue-6.6/net-mlx5e-fix-slab-out-of-bounds-in-mlx5_query_nic_v.patch new file mode 100644 index 00000000000..7e14771da72 --- /dev/null +++ b/queue-6.6/net-mlx5e-fix-slab-out-of-bounds-in-mlx5_query_nic_v.patch 
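Review bot: the `pfindex >= MLX5_MAX_PORTS` check correctly prevents the out-of-bounds write into `peer_miss_rules`, but two points. First, `pfindex` is declared `int`; if `mlx5_get_dev_index()` can ever return a negative value the check should be `pfindex < 0 || pfindex >= MLX5_MAX_PORTS`, or `pfindex` should be unsigned, otherwise a negative index still indexes before the array. Second, the message says this case is impossible for a PF, so reaching it indicates a driver bug rather than a runtime condition; a `WARN_ON_ONCE` alongside the `esw_warn()` would make that distinction visible. Also confirm that `add_ec_vf_flow_err` (outside the hunk) frees the `flows` array built above it, since the new early exit is the first path to bail out after all flows have been added.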
@@ -0,0 +1,58 @@ +From f0aae8f7d926c7f7112e1d58f98d2ffa5d01aaae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Nov 2023 01:46:56 -0800 +Subject: net/mlx5e: Fix slab-out-of-bounds in mlx5_query_nic_vport_mac_list() + +From: Shifeng Li + +[ Upstream commit ddb38ddff9c71026bad481b791a94d446ee37603 ] + +Out_sz that the size of out buffer is calculated using query_nic_vport +_context_in structure when driver query the MAC list. However query_nic +_vport_context_in structure is smaller than query_nic_vport_context_out. +When allowed_list_size is greater than 96, calling ether_addr_copy() will +trigger an slab-out-of-bounds. + +[ 1170.055866] BUG: KASAN: slab-out-of-bounds in mlx5_query_nic_vport_mac_list+0x481/0x4d0 [mlx5_core] +[ 1170.055869] Read of size 4 at addr ffff88bdbc57d912 by task kworker/u128:1/461 +[ 1170.055870] +[ 1170.055932] Workqueue: mlx5_esw_wq esw_vport_change_handler [mlx5_core] +[ 1170.055936] Call Trace: +[ 1170.055949] dump_stack+0x8b/0xbb +[ 1170.055958] print_address_description+0x6a/0x270 +[ 1170.055961] kasan_report+0x179/0x2c0 +[ 1170.056061] mlx5_query_nic_vport_mac_list+0x481/0x4d0 [mlx5_core] +[ 1170.056162] esw_update_vport_addr_list+0x2c5/0xcd0 [mlx5_core] +[ 1170.056257] esw_vport_change_handle_locked+0xd08/0x1a20 [mlx5_core] +[ 1170.056377] esw_vport_change_handler+0x6b/0x90 [mlx5_core] +[ 1170.056381] process_one_work+0x65f/0x12d0 +[ 1170.056383] worker_thread+0x87/0xb50 +[ 1170.056390] kthread+0x2e9/0x3a0 +[ 1170.056394] ret_from_fork+0x1f/0x40 + +Fixes: e16aea2744ab ("net/mlx5: Introduce access functions to modify/query vport mac lists") +Cc: Ding Hui +Signed-off-by: Shifeng Li +Reviewed-by: Simon Horman +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/vport.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/vport.c b/drivers/net/ethernet/mellanox/mlx5/core/vport.c +index 5a31fb47ffa58..21753f3278685 
100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/vport.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/vport.c +@@ -277,7 +277,7 @@ int mlx5_query_nic_vport_mac_list(struct mlx5_core_dev *dev, + req_list_size = max_list_size; + } + +- out_sz = MLX5_ST_SZ_BYTES(query_nic_vport_context_in) + ++ out_sz = MLX5_ST_SZ_BYTES(query_nic_vport_context_out) + + req_list_size * MLX5_ST_SZ_BYTES(mac_address_layout); + + out = kvzalloc(out_sz, GFP_KERNEL); +-- +2.43.0 + diff --git a/queue-6.6/net-mlx5e-xdp-drop-fragmented-packets-larger-than-mt.patch b/queue-6.6/net-mlx5e-xdp-drop-fragmented-packets-larger-than-mt.patch new file mode 100644 index 00000000000..0f5078c360c --- /dev/null +++ b/queue-6.6/net-mlx5e-xdp-drop-fragmented-packets-larger-than-mt.patch 
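Review bot: the one-token change from `query_nic_vport_context_in` to `query_nic_vport_context_out` is correct, since `out_sz` must be sized by the structure the firmware writes into `out`; the clamp of `req_list_size` to `max_list_size` visible above it was never the issue, the base size was. To prevent this `_in`/`_out` mix-up recurring, check that the `in` buffer allocation in the same function (outside the hunk) uses the `_in` size, and audit the sibling modify function introduced by the Fixes commit ("access functions to modify/query vport mac lists") for the same swapped macro.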
@@ -0,0 +1,51 @@ +From e6b24fcd3b69ea2bf1495aaa6d84b0079be19a70 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Nov 2023 16:11:20 +0200 +Subject: net/mlx5e: XDP, Drop fragmented packets larger than MTU size + +From: Carolina Jubran + +[ Upstream commit bcaf109f794744c14da0e9123b31d1f4571b0a35 ] + +XDP transmits fragmented packets that are larger than MTU size instead of +dropping those packets. The drop check that checks whether a packet is larger +than MTU is comparing MTU size against the linear part length only. + +Adjust the drop check to compare MTU size against both linear and non-linear +part lengths to avoid transmitting fragmented packets larger than MTU size. + +Fixes: 39a1665d16a2 ("net/mlx5e: Implement sending multi buffer XDP frames") +Signed-off-by: Carolina Jubran +Reviewed-by: Tariq Toukan +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en/xdp.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/xdp.c b/drivers/net/ethernet/mellanox/mlx5/core/en/xdp.c +index 8bed17d8fe564..b723ff5e5249c 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/xdp.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/xdp.c +@@ -493,6 +493,7 @@ mlx5e_xmit_xdp_frame(struct mlx5e_xdpsq *sq, struct mlx5e_xmit_data *xdptxd, + dma_addr_t dma_addr = xdptxd->dma_addr; + u32 dma_len = xdptxd->len; + u16 ds_cnt, inline_hdr_sz; ++ unsigned int frags_size; + u8 num_wqebbs = 1; + int num_frags = 0; + bool inline_ok; +@@ -503,8 +504,9 @@ mlx5e_xmit_xdp_frame(struct mlx5e_xdpsq *sq, struct mlx5e_xmit_data *xdptxd, + + inline_ok = sq->min_inline_mode == MLX5_INLINE_MODE_NONE || + dma_len >= MLX5E_XDP_MIN_INLINE; ++ frags_size = xdptxd->has_frags ? 
xdptxdf->sinfo->xdp_frags_size : 0; + +- if (unlikely(!inline_ok || sq->hw_mtu < dma_len)) { ++ if (unlikely(!inline_ok || sq->hw_mtu < dma_len + frags_size)) { + stats->err++; + return false; + } +-- +2.43.0 + diff --git a/queue-6.6/net-mscc-ocelot-fix-emac-tx-rmon-stats-for-bucket-25.patch b/queue-6.6/net-mscc-ocelot-fix-emac-tx-rmon-stats-for-bucket-25.patch new file mode 100644 index 00000000000..29c3a1f9305 --- /dev/null +++ b/queue-6.6/net-mscc-ocelot-fix-emac-tx-rmon-stats-for-bucket-25.patch 
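Review bot: comparing `sq->hw_mtu` against `dma_len + frags_size` correctly accounts for the non-linear part, and guarding `frags_size` with `xdptxd->has_frags` avoids dereferencing `sinfo` on single-buffer frames (`xdptxdf` itself is declared outside the hunk). One observability point: the new MTU drop increments the same `stats->err` counter as the inline-mode failure, so an operator cannot tell oversized multi-buffer drops from inline errors; a dedicated counter, or at least a comment on the combined meaning of `err`, would help diagnose XDP_TX/REDIRECT drops in the field.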
@@ -0,0 +1,49 @@ +From 1a0ca8058b9608e68e17a40362f398c52aeed9f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Dec 2023 02:09:01 +0200 +Subject: net: mscc: ocelot: fix eMAC TX RMON stats for bucket 256-511 and + above + +From: Vladimir Oltean + +[ Upstream commit 52eda4641d041667fa059f4855c5f88dcebd8afe ] + +There is a typo in the driver due to which we report incorrect TX RMON +counters for the 256-511 octet bucket and all the other buckets larger +than that. + +Bug found with the selftest at +https://patchwork.kernel.org/project/netdevbpf/patch/20231211223346.2497157-9-tobias@waldekranz.com/ + +Fixes: e32036e1ae7b ("net: mscc: ocelot: add support for all sorts of standardized counters present in DSA") +Signed-off-by: Vladimir Oltean +Reviewed-by: Florian Fainelli +Link: https://lore.kernel.org/r/20231214000902.545625-1-vladimir.oltean@nxp.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mscc/ocelot_stats.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/mscc/ocelot_stats.c b/drivers/net/ethernet/mscc/ocelot_stats.c +index 5c55197c7327d..f29fa37263dae 100644 +--- a/drivers/net/ethernet/mscc/ocelot_stats.c ++++ b/drivers/net/ethernet/mscc/ocelot_stats.c +@@ -582,10 +582,10 @@ static void ocelot_port_rmon_stats_cb(struct ocelot *ocelot, int port, void *pri + rmon_stats->hist_tx[0] = s[OCELOT_STAT_TX_64]; + rmon_stats->hist_tx[1] = s[OCELOT_STAT_TX_65_127]; + rmon_stats->hist_tx[2] = s[OCELOT_STAT_TX_128_255]; +- rmon_stats->hist_tx[3] = s[OCELOT_STAT_TX_128_255]; +- rmon_stats->hist_tx[4] = s[OCELOT_STAT_TX_256_511]; +- rmon_stats->hist_tx[5] = s[OCELOT_STAT_TX_512_1023]; +- rmon_stats->hist_tx[6] = s[OCELOT_STAT_TX_1024_1526]; ++ rmon_stats->hist_tx[3] = s[OCELOT_STAT_TX_256_511]; ++ rmon_stats->hist_tx[4] = s[OCELOT_STAT_TX_512_1023]; ++ rmon_stats->hist_tx[5] = s[OCELOT_STAT_TX_1024_1526]; ++ rmon_stats->hist_tx[6] = s[OCELOT_STAT_TX_1527_MAX]; + } + + static 
void ocelot_port_pmac_rmon_stats_cb(struct ocelot *ocelot, int port, +-- +2.43.0 + diff --git a/queue-6.6/net-mscc-ocelot-fix-pmac-tx-rmon-stats-for-bucket-25.patch b/queue-6.6/net-mscc-ocelot-fix-pmac-tx-rmon-stats-for-bucket-25.patch new file mode 100644 index 00000000000..482ce7ccd0f --- /dev/null +++ b/queue-6.6/net-mscc-ocelot-fix-pmac-tx-rmon-stats-for-bucket-25.patch 
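Review bot: the fix is right, `hist_tx[3]` was a duplicate of bucket 128-255 and every bucket above it was shifted down by one, leaving `OCELOT_STAT_TX_1527_MAX` unreported. The hand-written `hist_tx[N] = s[OCELOT_STAT_TX_...]` mapping is exactly what allowed the typo; a table of `OCELOT_STAT_TX_*` ids indexed by bucket, filled in a loop and shared by the eMAC and pMAC callbacks, would make the two lists impossible to desynchronize. The hunk only shows the TX histogram; worth checking the RX `hist` assignments in the same function for a similar shift.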
@@ -0,0 +1,46 @@ +From 3bf8796fb4aa73eb5f1257f252c4ea9cf68702fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Dec 2023 02:09:02 +0200 +Subject: net: mscc: ocelot: fix pMAC TX RMON stats for bucket 256-511 and + above + +From: Vladimir Oltean + +[ Upstream commit 70f010da00f90415296f93fb47a561977eae41cb ] + +The typo from ocelot_port_rmon_stats_cb() was also carried over to +ocelot_port_pmac_rmon_stats_cb() as well, leading to incorrect TX RMON +stats for the pMAC too. + +Fixes: ab3f97a9610a ("net: mscc: ocelot: export ethtool MAC Merge stats for Felix VSC9959") +Signed-off-by: Vladimir Oltean +Reviewed-by: Florian Fainelli +Link: https://lore.kernel.org/r/20231214000902.545625-2-vladimir.oltean@nxp.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mscc/ocelot_stats.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/mscc/ocelot_stats.c b/drivers/net/ethernet/mscc/ocelot_stats.c +index f29fa37263dae..c018783757fb2 100644 +--- a/drivers/net/ethernet/mscc/ocelot_stats.c ++++ b/drivers/net/ethernet/mscc/ocelot_stats.c +@@ -610,10 +610,10 @@ static void ocelot_port_pmac_rmon_stats_cb(struct ocelot *ocelot, int port, + rmon_stats->hist_tx[0] = s[OCELOT_STAT_TX_PMAC_64]; + rmon_stats->hist_tx[1] = s[OCELOT_STAT_TX_PMAC_65_127]; + rmon_stats->hist_tx[2] = s[OCELOT_STAT_TX_PMAC_128_255]; +- rmon_stats->hist_tx[3] = s[OCELOT_STAT_TX_PMAC_128_255]; +- rmon_stats->hist_tx[4] = s[OCELOT_STAT_TX_PMAC_256_511]; +- rmon_stats->hist_tx[5] = s[OCELOT_STAT_TX_PMAC_512_1023]; +- rmon_stats->hist_tx[6] = s[OCELOT_STAT_TX_PMAC_1024_1526]; ++ rmon_stats->hist_tx[3] = s[OCELOT_STAT_TX_PMAC_256_511]; ++ rmon_stats->hist_tx[4] = s[OCELOT_STAT_TX_PMAC_512_1023]; ++ rmon_stats->hist_tx[5] = s[OCELOT_STAT_TX_PMAC_1024_1526]; ++ rmon_stats->hist_tx[6] = s[OCELOT_STAT_TX_PMAC_1527_MAX]; + } + + void ocelot_port_get_rmon_stats(struct ocelot *ocelot, int port, +-- +2.43.0 + 
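Review bot: same correction as the eMAC patch, and the two callbacks now contain identical seven-line bucket mappings differing only in the `_PMAC_` infix, which argues for a shared helper taking a base stat id or a lookup table rather than two copies. The eMAC commit cites a selftest that caught the bug; confirm the same test exercises the pMAC counters exposed via `ocelot_port_get_rmon_stats()`, since otherwise this copy would have stayed unnoticed.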
diff --git a/queue-6.6/net-phy-skip-led-triggers-on-phys-on-sfp-modules.patch b/queue-6.6/net-phy-skip-led-triggers-on-phys-on-sfp-modules.patch new file mode 100644 index 00000000000..7311526e9c7 --- /dev/null +++ b/queue-6.6/net-phy-skip-led-triggers-on-phys-on-sfp-modules.patch 
@@ -0,0 +1,194 @@ +From 1d3525fa6b674e5fffdb6d376ef040c4b5b18a42 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Dec 2023 00:05:35 +0000 +Subject: net: phy: skip LED triggers on PHYs on SFP modules + +From: Daniel Golle + +[ Upstream commit b1dfc0f76231bbf395c59d20a2070684620d5d0f ] + +Calling led_trigger_register() when attaching a PHY located on an SFP +module potentially (and practically) leads into a deadlock. +Fix this by not calling led_trigger_register() for PHYs localted on SFP +modules as such modules actually never got any LEDs. + +====================================================== +WARNING: possible circular locking dependency detected +6.7.0-rc4-next-20231208+ #0 Tainted: G O +------------------------------------------------------ +kworker/u8:2/43 is trying to acquire lock: +ffffffc08108c4e8 (triggers_list_lock){++++}-{3:3}, at: led_trigger_register+0x4c/0x1a8 + +but task is already holding lock: +ffffff80c5c6f318 (&sfp->sm_mutex){+.+.}-{3:3}, at: cleanup_module+0x2ba8/0x3120 [sfp] + +which lock already depends on the new lock. 
+ +the existing dependency chain (in reverse order) is: + +-> #3 (&sfp->sm_mutex){+.+.}-{3:3}: + __mutex_lock+0x88/0x7a0 + mutex_lock_nested+0x20/0x28 + cleanup_module+0x2ae0/0x3120 [sfp] + sfp_register_bus+0x5c/0x9c + sfp_register_socket+0x48/0xd4 + cleanup_module+0x271c/0x3120 [sfp] + platform_probe+0x64/0xb8 + really_probe+0x17c/0x3c0 + __driver_probe_device+0x78/0x164 + driver_probe_device+0x3c/0xd4 + __driver_attach+0xec/0x1f0 + bus_for_each_dev+0x60/0xa0 + driver_attach+0x20/0x28 + bus_add_driver+0x108/0x208 + driver_register+0x5c/0x118 + __platform_driver_register+0x24/0x2c + init_module+0x28/0xa7c [sfp] + do_one_initcall+0x70/0x2ec + do_init_module+0x54/0x1e4 + load_module+0x1b78/0x1c8c + __do_sys_init_module+0x1bc/0x2cc + __arm64_sys_init_module+0x18/0x20 + invoke_syscall.constprop.0+0x4c/0xdc + do_el0_svc+0x3c/0xbc + el0_svc+0x34/0x80 + el0t_64_sync_handler+0xf8/0x124 + el0t_64_sync+0x150/0x154 + +-> #2 (rtnl_mutex){+.+.}-{3:3}: + __mutex_lock+0x88/0x7a0 + mutex_lock_nested+0x20/0x28 + rtnl_lock+0x18/0x20 + set_device_name+0x30/0x130 + netdev_trig_activate+0x13c/0x1ac + led_trigger_set+0x118/0x234 + led_trigger_write+0x104/0x17c + sysfs_kf_bin_write+0x64/0x80 + kernfs_fop_write_iter+0x128/0x1b4 + vfs_write+0x178/0x2a4 + ksys_write+0x58/0xd4 + __arm64_sys_write+0x18/0x20 + invoke_syscall.constprop.0+0x4c/0xdc + do_el0_svc+0x3c/0xbc + el0_svc+0x34/0x80 + el0t_64_sync_handler+0xf8/0x124 + el0t_64_sync+0x150/0x154 + +-> #1 (&led_cdev->trigger_lock){++++}-{3:3}: + down_write+0x4c/0x13c + led_trigger_write+0xf8/0x17c + sysfs_kf_bin_write+0x64/0x80 + kernfs_fop_write_iter+0x128/0x1b4 + vfs_write+0x178/0x2a4 + ksys_write+0x58/0xd4 + __arm64_sys_write+0x18/0x20 + invoke_syscall.constprop.0+0x4c/0xdc + do_el0_svc+0x3c/0xbc + el0_svc+0x34/0x80 + el0t_64_sync_handler+0xf8/0x124 + el0t_64_sync+0x150/0x154 + +-> #0 (triggers_list_lock){++++}-{3:3}: + __lock_acquire+0x12a0/0x2014 + lock_acquire+0x100/0x2ac + down_write+0x4c/0x13c + led_trigger_register+0x4c/0x1a8 + 
phy_led_triggers_register+0x9c/0x214 + phy_attach_direct+0x154/0x36c + phylink_attach_phy+0x30/0x60 + phylink_sfp_connect_phy+0x140/0x510 + sfp_add_phy+0x34/0x50 + init_module+0x15c/0xa7c [sfp] + cleanup_module+0x1d94/0x3120 [sfp] + cleanup_module+0x2bb4/0x3120 [sfp] + process_one_work+0x1f8/0x4ec + worker_thread+0x1e8/0x3d8 + kthread+0x104/0x110 + ret_from_fork+0x10/0x20 + +other info that might help us debug this: + +Chain exists of: + triggers_list_lock --> rtnl_mutex --> &sfp->sm_mutex + + Possible unsafe locking scenario: + + CPU0 CPU1 + ---- ---- + lock(&sfp->sm_mutex); + lock(rtnl_mutex); + lock(&sfp->sm_mutex); + lock(triggers_list_lock); + + *** DEADLOCK *** + +4 locks held by kworker/u8:2/43: + #0: ffffff80c000f938 ((wq_completion)events_power_efficient){+.+.}-{0:0}, at: process_one_work+0x150/0x4ec + #1: ffffffc08214bde8 ((work_completion)(&(&sfp->timeout)->work)){+.+.}-{0:0}, at: process_one_work+0x150/0x4ec + #2: ffffffc0810902f8 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock+0x18/0x20 + #3: ffffff80c5c6f318 (&sfp->sm_mutex){+.+.}-{3:3}, at: cleanup_module+0x2ba8/0x3120 [sfp] + +stack backtrace: +CPU: 0 PID: 43 Comm: kworker/u8:2 Tainted: G O 6.7.0-rc4-next-20231208+ #0 +Hardware name: Bananapi BPI-R4 (DT) +Workqueue: events_power_efficient cleanup_module [sfp] +Call trace: + dump_backtrace+0xa8/0x10c + show_stack+0x14/0x1c + dump_stack_lvl+0x5c/0xa0 + dump_stack+0x14/0x1c + print_circular_bug+0x328/0x430 + check_noncircular+0x124/0x134 + __lock_acquire+0x12a0/0x2014 + lock_acquire+0x100/0x2ac + down_write+0x4c/0x13c + led_trigger_register+0x4c/0x1a8 + phy_led_triggers_register+0x9c/0x214 + phy_attach_direct+0x154/0x36c + phylink_attach_phy+0x30/0x60 + phylink_sfp_connect_phy+0x140/0x510 + sfp_add_phy+0x34/0x50 + init_module+0x15c/0xa7c [sfp] + cleanup_module+0x1d94/0x3120 [sfp] + cleanup_module+0x2bb4/0x3120 [sfp] + process_one_work+0x1f8/0x4ec + worker_thread+0x1e8/0x3d8 + kthread+0x104/0x110 + ret_from_fork+0x10/0x20 + +Signed-off-by: Daniel Golle +Fixes: 
01e5b728e9e4 ("net: phy: Add a binding for PHY LEDs") +Link: https://lore.kernel.org/r/102a9dce38bdf00215735d04cd4704458273ad9c.1702339354.git.daniel@makrotopia.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/phy_device.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c +index 2ce74593d6e4a..a42df2c1bd043 100644 +--- a/drivers/net/phy/phy_device.c ++++ b/drivers/net/phy/phy_device.c +@@ -1548,7 +1548,8 @@ int phy_attach_direct(struct net_device *dev, struct phy_device *phydev, + goto error; + + phy_resume(phydev); +- phy_led_triggers_register(phydev); ++ if (!phydev->is_on_sfp_module) ++ phy_led_triggers_register(phydev); + + /** + * If the external phy used by current mac interface is managed by +@@ -1817,7 +1818,8 @@ void phy_detach(struct phy_device *phydev) + } + phydev->phylink = NULL; + +- phy_led_triggers_unregister(phydev); ++ if (!phydev->is_on_sfp_module) ++ phy_led_triggers_unregister(phydev); + + if (phydev->mdio.dev.driver) + module_put(phydev->mdio.dev.driver->owner); +-- +2.43.0 + diff --git a/queue-6.6/net-return-error-from-sk_stream_wait_connect-if-sk_w.patch b/queue-6.6/net-return-error-from-sk_stream_wait_connect-if-sk_w.patch new file mode 100644 index 00000000000..5141427b6f8 --- /dev/null +++ b/queue-6.6/net-return-error-from-sk_stream_wait_connect-if-sk_w.patch 
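Review bot: the `!phydev->is_on_sfp_module` guard is applied symmetrically in `phy_attach_direct()` and `phy_detach()`, which keeps `phy_led_triggers_register()` and `phy_led_triggers_unregister()` balanced. The caveat is that the flag is set by the SFP code path outside this hunk; if it could change between attach and detach, a registered trigger would be left unregistered (or vice versa), so confirm it is set before attach and stable afterwards. Note also that this sidesteps the reported lock-order inversion (triggers_list_lock, rtnl_mutex, sfp->sm_mutex) by never taking `triggers_list_lock` under `sm_mutex`, rather than fixing the ordering; should PHYs on SFP modules ever gain LEDs the deadlock returns, so a comment at the guarded call explaining the lock dependency would help the next reader.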
@@ -0,0 +1,74 @@ +From d9e938c38f35a26935647a8ad3921ef912ad4117 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Dec 2023 14:09:22 +0900 +Subject: net: Return error from sk_stream_wait_connect() if sk_wait_event() + fails + +From: Shigeru Yoshida + +[ Upstream commit cac23b7d7627915d967ce25436d7aae26e88ed06 ] + +The following NULL pointer dereference issue occurred: + +BUG: kernel NULL pointer dereference, address: 0000000000000000 +<...> +RIP: 0010:ccid_hc_tx_send_packet net/dccp/ccid.h:166 [inline] +RIP: 0010:dccp_write_xmit+0x49/0x140 net/dccp/output.c:356 +<...> +Call Trace: + + dccp_sendmsg+0x642/0x7e0 net/dccp/proto.c:801 + inet_sendmsg+0x63/0x90 net/ipv4/af_inet.c:846 + sock_sendmsg_nosec net/socket.c:730 [inline] + __sock_sendmsg+0x83/0xe0 net/socket.c:745 + ____sys_sendmsg+0x443/0x510 net/socket.c:2558 + ___sys_sendmsg+0xe5/0x150 net/socket.c:2612 + __sys_sendmsg+0xa6/0x120 net/socket.c:2641 + __do_sys_sendmsg net/socket.c:2650 [inline] + __se_sys_sendmsg net/socket.c:2648 [inline] + __x64_sys_sendmsg+0x45/0x50 net/socket.c:2648 + do_syscall_x64 arch/x86/entry/common.c:51 [inline] + do_syscall_64+0x43/0x110 arch/x86/entry/common.c:82 + entry_SYSCALL_64_after_hwframe+0x63/0x6b + +sk_wait_event() returns an error (-EPIPE) if disconnect() is called on the +socket waiting for the event. However, sk_stream_wait_connect() returns +success, i.e. zero, even if sk_wait_event() returns -EPIPE, so a function +that waits for a connection with sk_stream_wait_connect() may misbehave. + +In the case of the above DCCP issue, dccp_sendmsg() is waiting for the +connection. If disconnect() is called concurrently, the above issue +occurs. + +This patch fixes the issue by returning error from sk_stream_wait_connect() +if sk_wait_event() fails. 
+ +Fixes: 419ce133ab92 ("tcp: allow again tcp_disconnect() when threads are waiting") +Signed-off-by: Shigeru Yoshida +Reviewed-by: Kuniyuki Iwashima +Reported-by: syzbot+c71bc336c5061153b502@syzkaller.appspotmail.com +Reviewed-by: Eric Dumazet +Reported-by: syzbot +Reported-by: syzkaller +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/stream.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/core/stream.c b/net/core/stream.c +index 96fbcb9bbb30a..b16dfa568a2d5 100644 +--- a/net/core/stream.c ++++ b/net/core/stream.c +@@ -79,7 +79,7 @@ int sk_stream_wait_connect(struct sock *sk, long *timeo_p) + remove_wait_queue(sk_sleep(sk), &wait); + sk->sk_write_pending--; + } while (!done); +- return 0; ++ return done < 0 ? done : 0; + } + EXPORT_SYMBOL(sk_stream_wait_connect); + +-- +2.43.0 + diff --git a/queue-6.6/net-rose-fix-races-in-rose_kill_by_device.patch b/queue-6.6/net-rose-fix-races-in-rose_kill_by_device.patch new file mode 100644 index 00000000000..3da1404577f --- /dev/null +++ b/queue-6.6/net-rose-fix-races-in-rose_kill_by_device.patch 
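Review bot: `return done < 0 ? done : 0;` propagates whatever negative value sk_wait_event() left in `done`, so every caller of the exported sk_stream_wait_connect() now has to cope with -EPIPE coming back from a path that previously only ever returned zero; the message only discusses dccp_sendmsg(), so the other callers should be audited in the same change, and a one-line comment above the return saying that a negative `done` is the disconnect case would make the asymmetry with the earlier error exits in the loop obvious.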
@@ -0,0 +1,177 @@ +From 984c9ba7a586ff79a984797d64fe18c5915f9d7c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Dec 2023 15:27:47 +0000 +Subject: net/rose: fix races in rose_kill_by_device() + +From: Eric Dumazet + +[ Upstream commit 64b8bc7d5f1434c636a40bdcfcd42b278d1714be ] + +syzbot found an interesting netdev refcounting issue in +net/rose/af_rose.c, thanks to CONFIG_NET_DEV_REFCNT_TRACKER=y [1] + +Problem is that rose_kill_by_device() can change rose->device +while other threads do not expect the pointer to be changed. + +We have to first collect sockets in a temporary array, +then perform the changes while holding the socket +lock and rose_list_lock spinlock (in this order) + +Change rose_release() to also acquire rose_list_lock +before releasing the netdev refcount. + +[1] + +[ 1185.055088][ T7889] ref_tracker: reference already released. +[ 1185.061476][ T7889] ref_tracker: allocated in: +[ 1185.066081][ T7889] rose_bind+0x4ab/0xd10 +[ 1185.070446][ T7889] __sys_bind+0x1ec/0x220 +[ 1185.074818][ T7889] __x64_sys_bind+0x72/0xb0 +[ 1185.079356][ T7889] do_syscall_64+0x40/0x110 +[ 1185.083897][ T7889] entry_SYSCALL_64_after_hwframe+0x63/0x6b +[ 1185.089835][ T7889] ref_tracker: freed in: +[ 1185.094088][ T7889] rose_release+0x2f5/0x570 +[ 1185.098629][ T7889] __sock_release+0xae/0x260 +[ 1185.103262][ T7889] sock_close+0x1c/0x20 +[ 1185.107453][ T7889] __fput+0x270/0xbb0 +[ 1185.111467][ T7889] task_work_run+0x14d/0x240 +[ 1185.116085][ T7889] get_signal+0x106f/0x2790 +[ 1185.120622][ T7889] arch_do_signal_or_restart+0x90/0x7f0 +[ 1185.126205][ T7889] exit_to_user_mode_prepare+0x121/0x240 +[ 1185.131846][ T7889] syscall_exit_to_user_mode+0x1e/0x60 +[ 1185.137293][ T7889] do_syscall_64+0x4d/0x110 +[ 1185.141783][ T7889] entry_SYSCALL_64_after_hwframe+0x63/0x6b +[ 1185.148085][ T7889] ------------[ cut here ]------------ + +WARNING: CPU: 1 PID: 7889 at lib/ref_tracker.c:255 ref_tracker_free+0x61a/0x810 lib/ref_tracker.c:255 +Modules linked in: +CPU: 
1 PID: 7889 Comm: syz-executor.2 Not tainted 6.7.0-rc4-syzkaller-00162-g65c95f78917e #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023 +RIP: 0010:ref_tracker_free+0x61a/0x810 lib/ref_tracker.c:255 +Code: 00 44 8b 6b 18 31 ff 44 89 ee e8 21 62 f5 fc 45 85 ed 0f 85 a6 00 00 00 e8 a3 66 f5 fc 48 8b 34 24 48 89 ef e8 27 5f f1 05 90 <0f> 0b 90 bb ea ff ff ff e9 52 fd ff ff e8 84 66 f5 fc 4c 8d 6d 44 +RSP: 0018:ffffc90004917850 EFLAGS: 00010202 +RAX: 0000000000000201 RBX: ffff88802618f4c0 RCX: 0000000000000000 +RDX: 0000000000000202 RSI: ffffffff8accb920 RDI: 0000000000000001 +RBP: ffff8880269ea5b8 R08: 0000000000000001 R09: fffffbfff23e35f6 +R10: ffffffff91f1afb7 R11: 0000000000000001 R12: 1ffff92000922f0c +R13: 0000000005a2039b R14: ffff88802618f4d8 R15: 00000000ffffffff +FS: 00007f0a720ef6c0(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f43a819d988 CR3: 0000000076c64000 CR4: 00000000003506f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + +netdev_tracker_free include/linux/netdevice.h:4127 [inline] +netdev_put include/linux/netdevice.h:4144 [inline] +netdev_put include/linux/netdevice.h:4140 [inline] +rose_kill_by_device net/rose/af_rose.c:195 [inline] +rose_device_event+0x25d/0x330 net/rose/af_rose.c:218 +notifier_call_chain+0xb6/0x3b0 kernel/notifier.c:93 +call_netdevice_notifiers_info+0xbe/0x130 net/core/dev.c:1967 +call_netdevice_notifiers_extack net/core/dev.c:2005 [inline] +call_netdevice_notifiers net/core/dev.c:2019 [inline] +__dev_notify_flags+0x1f5/0x2e0 net/core/dev.c:8646 +dev_change_flags+0x122/0x170 net/core/dev.c:8682 +dev_ifsioc+0x9ad/0x1090 net/core/dev_ioctl.c:529 +dev_ioctl+0x224/0x1090 net/core/dev_ioctl.c:786 +sock_do_ioctl+0x198/0x270 net/socket.c:1234 +sock_ioctl+0x22e/0x6b0 net/socket.c:1339 +vfs_ioctl fs/ioctl.c:51 [inline] 
+__do_sys_ioctl fs/ioctl.c:871 [inline] +__se_sys_ioctl fs/ioctl.c:857 [inline] +__x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857 +do_syscall_x64 arch/x86/entry/common.c:52 [inline] +do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83 +entry_SYSCALL_64_after_hwframe+0x63/0x6b +RIP: 0033:0x7f0a7147cba9 +Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f0a720ef0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 +RAX: ffffffffffffffda RBX: 00007f0a7159bf80 RCX: 00007f0a7147cba9 +RDX: 0000000020000040 RSI: 0000000000008914 RDI: 0000000000000004 +RBP: 00007f0a714c847a R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 000000000000000b R14: 00007f0a7159bf80 R15: 00007ffc8bb3a5f8 + + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Cc: Bernard Pidoux +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + net/rose/af_rose.c | 39 ++++++++++++++++++++++++++++++++++----- + 1 file changed, 34 insertions(+), 5 deletions(-) + +diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c +index 4a5c2dc8dd7a9..42e8b9e37516b 100644 +--- a/net/rose/af_rose.c ++++ b/net/rose/af_rose.c +@@ -182,21 +182,47 @@ void rose_kill_by_neigh(struct rose_neigh *neigh) + */ + static void rose_kill_by_device(struct net_device *dev) + { +- struct sock *s; ++ struct sock *sk, *array[16]; ++ struct rose_sock *rose; ++ bool rescan; ++ int i, cnt; + ++start: ++ rescan = false; ++ cnt = 0; + spin_lock_bh(&rose_list_lock); +- sk_for_each(s, &rose_list) { +- struct rose_sock *rose = rose_sk(s); ++ sk_for_each(sk, &rose_list) { ++ rose = rose_sk(sk); ++ if (rose->device == dev) { ++ if (cnt == ARRAY_SIZE(array)) { ++ rescan = true; ++ break; ++ } ++ sock_hold(sk); ++ array[cnt++] = sk; ++ } ++ } ++ spin_unlock_bh(&rose_list_lock); + ++ for (i = 0; i < cnt; i++) { ++ sk = array[cnt]; ++ rose = rose_sk(sk); ++ lock_sock(sk); ++ spin_lock_bh(&rose_list_lock); + if (rose->device == dev) { +- rose_disconnect(s, ENETUNREACH, ROSE_OUT_OF_ORDER, 0); ++ rose_disconnect(sk, ENETUNREACH, ROSE_OUT_OF_ORDER, 0); + if (rose->neighbour) + rose->neighbour->use--; + netdev_put(rose->device, &rose->dev_tracker); + rose->device = NULL; + } ++ spin_unlock_bh(&rose_list_lock); ++ release_sock(sk); ++ sock_put(sk); ++ cond_resched(); + } +- spin_unlock_bh(&rose_list_lock); ++ if (rescan) ++ goto start; + } + + /* +@@ -656,7 +682,10 @@ static int rose_release(struct socket *sock) + break; + } + ++ spin_lock_bh(&rose_list_lock); + netdev_put(rose->device, &rose->dev_tracker); ++ rose->device = NULL; ++ spin_unlock_bh(&rose_list_lock); + sock->sk = NULL; + release_sock(sk); + sock_put(sk); +-- +2.43.0 + diff --git a/queue-6.6/net-sched-ife-fix-potential-use-after-free.patch b/queue-6.6/net-sched-ife-fix-potential-use-after-free.patch new file mode 100644 index 00000000000..7cd455c204c 
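Review bot: `sk = array[cnt];` in the second loop of rose_kill_by_device() indexes with the count instead of the loop variable: every iteration reads the same slot, which is array[16] (one past the end of the 16-entry array) when the array is full and an uninitialised slot otherwise, so the sockets that were just collected and sock_hold()'d are never disconnected and their references are never dropped. This should be `sk = array[i];`.

Review bot: In the rose_release() hunk, taking rose_list_lock around netdev_put() and clearing rose->device is what makes the `rose->device == dev` re-check in rose_kill_by_device() (done under lock_sock + rose_list_lock) safe; a one-line comment there would help, since nothing else in the function suggests why a list spinlock is guarding a per-socket field.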
--- /dev/null +++ b/queue-6.6/net-sched-ife-fix-potential-use-after-free.patch 
@@ -0,0 +1,238 @@ +From 8227564c2fa603094bba064bd6110cfeaf1295bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Dec 2023 11:30:38 +0000 +Subject: net: sched: ife: fix potential use-after-free + +From: Eric Dumazet + +[ Upstream commit 19391a2ca98baa7b80279306cdf7dd43f81fa595 ] + +ife_decode() calls pskb_may_pull() two times, we need to reload +ifehdr after the second one, or risk use-after-free as reported +by syzbot: + +BUG: KASAN: slab-use-after-free in __ife_tlv_meta_valid net/ife/ife.c:108 [inline] +BUG: KASAN: slab-use-after-free in ife_tlv_meta_decode+0x1d1/0x210 net/ife/ife.c:131 +Read of size 2 at addr ffff88802d7300a4 by task syz-executor.5/22323 + +CPU: 0 PID: 22323 Comm: syz-executor.5 Not tainted 6.7.0-rc3-syzkaller-00804-g074ac38d5b95 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023 +Call Trace: + +__dump_stack lib/dump_stack.c:88 [inline] +dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106 +print_address_description mm/kasan/report.c:364 [inline] +print_report+0xc4/0x620 mm/kasan/report.c:475 +kasan_report+0xda/0x110 mm/kasan/report.c:588 +__ife_tlv_meta_valid net/ife/ife.c:108 [inline] +ife_tlv_meta_decode+0x1d1/0x210 net/ife/ife.c:131 +tcf_ife_decode net/sched/act_ife.c:739 [inline] +tcf_ife_act+0x4e3/0x1cd0 net/sched/act_ife.c:879 +tc_act include/net/tc_wrapper.h:221 [inline] +tcf_action_exec+0x1ac/0x620 net/sched/act_api.c:1079 +tcf_exts_exec include/net/pkt_cls.h:344 [inline] +mall_classify+0x201/0x310 net/sched/cls_matchall.c:42 +tc_classify include/net/tc_wrapper.h:227 [inline] +__tcf_classify net/sched/cls_api.c:1703 [inline] +tcf_classify+0x82f/0x1260 net/sched/cls_api.c:1800 +hfsc_classify net/sched/sch_hfsc.c:1147 [inline] +hfsc_enqueue+0x315/0x1060 net/sched/sch_hfsc.c:1546 +dev_qdisc_enqueue+0x3f/0x230 net/core/dev.c:3739 +__dev_xmit_skb net/core/dev.c:3828 [inline] +__dev_queue_xmit+0x1de1/0x3d30 net/core/dev.c:4311 +dev_queue_xmit include/linux/netdevice.h:3165 [inline] 
+packet_xmit+0x237/0x350 net/packet/af_packet.c:276 +packet_snd net/packet/af_packet.c:3081 [inline] +packet_sendmsg+0x24aa/0x5200 net/packet/af_packet.c:3113 +sock_sendmsg_nosec net/socket.c:730 [inline] +__sock_sendmsg+0xd5/0x180 net/socket.c:745 +__sys_sendto+0x255/0x340 net/socket.c:2190 +__do_sys_sendto net/socket.c:2202 [inline] +__se_sys_sendto net/socket.c:2198 [inline] +__x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198 +do_syscall_x64 arch/x86/entry/common.c:51 [inline] +do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82 +entry_SYSCALL_64_after_hwframe+0x63/0x6b +RIP: 0033:0x7fe9acc7cae9 +Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007fe9ada450c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c +RAX: ffffffffffffffda RBX: 00007fe9acd9bf80 RCX: 00007fe9acc7cae9 +RDX: 000000000000fce0 RSI: 00000000200002c0 RDI: 0000000000000003 +RBP: 00007fe9accc847a R08: 0000000020000140 R09: 0000000000000014 +R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000000000 +R13: 000000000000000b R14: 00007fe9acd9bf80 R15: 00007ffd5427ae78 + + +Allocated by task 22323: +kasan_save_stack+0x33/0x50 mm/kasan/common.c:45 +kasan_set_track+0x25/0x30 mm/kasan/common.c:52 +____kasan_kmalloc mm/kasan/common.c:374 [inline] +__kasan_kmalloc+0xa2/0xb0 mm/kasan/common.c:383 +kasan_kmalloc include/linux/kasan.h:198 [inline] +__do_kmalloc_node mm/slab_common.c:1007 [inline] +__kmalloc_node_track_caller+0x5a/0x90 mm/slab_common.c:1027 +kmalloc_reserve+0xef/0x260 net/core/skbuff.c:582 +__alloc_skb+0x12b/0x330 net/core/skbuff.c:651 +alloc_skb include/linux/skbuff.h:1298 [inline] +alloc_skb_with_frags+0xe4/0x710 net/core/skbuff.c:6331 +sock_alloc_send_pskb+0x7e4/0x970 net/core/sock.c:2780 +packet_alloc_skb net/packet/af_packet.c:2930 [inline] +packet_snd net/packet/af_packet.c:3024 [inline] +packet_sendmsg+0x1e2a/0x5200 
net/packet/af_packet.c:3113 +sock_sendmsg_nosec net/socket.c:730 [inline] +__sock_sendmsg+0xd5/0x180 net/socket.c:745 +__sys_sendto+0x255/0x340 net/socket.c:2190 +__do_sys_sendto net/socket.c:2202 [inline] +__se_sys_sendto net/socket.c:2198 [inline] +__x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198 +do_syscall_x64 arch/x86/entry/common.c:51 [inline] +do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82 +entry_SYSCALL_64_after_hwframe+0x63/0x6b + +Freed by task 22323: +kasan_save_stack+0x33/0x50 mm/kasan/common.c:45 +kasan_set_track+0x25/0x30 mm/kasan/common.c:52 +kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:522 +____kasan_slab_free mm/kasan/common.c:236 [inline] +____kasan_slab_free+0x15b/0x1b0 mm/kasan/common.c:200 +kasan_slab_free include/linux/kasan.h:164 [inline] +slab_free_hook mm/slub.c:1800 [inline] +slab_free_freelist_hook+0x114/0x1e0 mm/slub.c:1826 +slab_free mm/slub.c:3809 [inline] +__kmem_cache_free+0xc0/0x180 mm/slub.c:3822 +skb_kfree_head net/core/skbuff.c:950 [inline] +skb_free_head+0x110/0x1b0 net/core/skbuff.c:962 +pskb_expand_head+0x3c5/0x1170 net/core/skbuff.c:2130 +__pskb_pull_tail+0xe1/0x1830 net/core/skbuff.c:2655 +pskb_may_pull_reason include/linux/skbuff.h:2685 [inline] +pskb_may_pull include/linux/skbuff.h:2693 [inline] +ife_decode+0x394/0x4f0 net/ife/ife.c:82 +tcf_ife_decode net/sched/act_ife.c:727 [inline] +tcf_ife_act+0x43b/0x1cd0 net/sched/act_ife.c:879 +tc_act include/net/tc_wrapper.h:221 [inline] +tcf_action_exec+0x1ac/0x620 net/sched/act_api.c:1079 +tcf_exts_exec include/net/pkt_cls.h:344 [inline] +mall_classify+0x201/0x310 net/sched/cls_matchall.c:42 +tc_classify include/net/tc_wrapper.h:227 [inline] +__tcf_classify net/sched/cls_api.c:1703 [inline] +tcf_classify+0x82f/0x1260 net/sched/cls_api.c:1800 +hfsc_classify net/sched/sch_hfsc.c:1147 [inline] +hfsc_enqueue+0x315/0x1060 net/sched/sch_hfsc.c:1546 +dev_qdisc_enqueue+0x3f/0x230 net/core/dev.c:3739 +__dev_xmit_skb net/core/dev.c:3828 [inline] +__dev_queue_xmit+0x1de1/0x3d30 
net/core/dev.c:4311 +dev_queue_xmit include/linux/netdevice.h:3165 [inline] +packet_xmit+0x237/0x350 net/packet/af_packet.c:276 +packet_snd net/packet/af_packet.c:3081 [inline] +packet_sendmsg+0x24aa/0x5200 net/packet/af_packet.c:3113 +sock_sendmsg_nosec net/socket.c:730 [inline] +__sock_sendmsg+0xd5/0x180 net/socket.c:745 +__sys_sendto+0x255/0x340 net/socket.c:2190 +__do_sys_sendto net/socket.c:2202 [inline] +__se_sys_sendto net/socket.c:2198 [inline] +__x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198 +do_syscall_x64 arch/x86/entry/common.c:51 [inline] +do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82 +entry_SYSCALL_64_after_hwframe+0x63/0x6b + +The buggy address belongs to the object at ffff88802d730000 +which belongs to the cache kmalloc-8k of size 8192 +The buggy address is located 164 bytes inside of +freed 8192-byte region [ffff88802d730000, ffff88802d732000) + +The buggy address belongs to the physical page: +page:ffffea0000b5cc00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2d730 +head:ffffea0000b5cc00 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0 +flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff) +page_type: 0xffffffff() +raw: 00fff00000000840 ffff888013042280 dead000000000122 0000000000000000 +raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected +page_owner tracks the page as allocated +page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 22323, tgid 22320 (syz-executor.5), ts 950317230369, free_ts 950233467461 +set_page_owner include/linux/page_owner.h:31 [inline] +post_alloc_hook+0x2d0/0x350 mm/page_alloc.c:1544 +prep_new_page mm/page_alloc.c:1551 [inline] +get_page_from_freelist+0xa28/0x3730 mm/page_alloc.c:3319 +__alloc_pages+0x22e/0x2420 mm/page_alloc.c:4575 +alloc_pages_mpol+0x258/0x5f0 mm/mempolicy.c:2133 +alloc_slab_page 
mm/slub.c:1870 [inline] +allocate_slab mm/slub.c:2017 [inline] +new_slab+0x283/0x3c0 mm/slub.c:2070 +___slab_alloc+0x979/0x1500 mm/slub.c:3223 +__slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3322 +__slab_alloc_node mm/slub.c:3375 [inline] +slab_alloc_node mm/slub.c:3468 [inline] +__kmem_cache_alloc_node+0x131/0x310 mm/slub.c:3517 +__do_kmalloc_node mm/slab_common.c:1006 [inline] +__kmalloc_node_track_caller+0x4a/0x90 mm/slab_common.c:1027 +kmalloc_reserve+0xef/0x260 net/core/skbuff.c:582 +__alloc_skb+0x12b/0x330 net/core/skbuff.c:651 +alloc_skb include/linux/skbuff.h:1298 [inline] +alloc_skb_with_frags+0xe4/0x710 net/core/skbuff.c:6331 +sock_alloc_send_pskb+0x7e4/0x970 net/core/sock.c:2780 +packet_alloc_skb net/packet/af_packet.c:2930 [inline] +packet_snd net/packet/af_packet.c:3024 [inline] +packet_sendmsg+0x1e2a/0x5200 net/packet/af_packet.c:3113 +sock_sendmsg_nosec net/socket.c:730 [inline] +__sock_sendmsg+0xd5/0x180 net/socket.c:745 +__sys_sendto+0x255/0x340 net/socket.c:2190 +page last free stack trace: +reset_page_owner include/linux/page_owner.h:24 [inline] +free_pages_prepare mm/page_alloc.c:1144 [inline] +free_unref_page_prepare+0x53c/0xb80 mm/page_alloc.c:2354 +free_unref_page+0x33/0x3b0 mm/page_alloc.c:2494 +__unfreeze_partials+0x226/0x240 mm/slub.c:2655 +qlink_free mm/kasan/quarantine.c:168 [inline] +qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:187 +kasan_quarantine_reduce+0x18e/0x1d0 mm/kasan/quarantine.c:294 +__kasan_slab_alloc+0x65/0x90 mm/kasan/common.c:305 +kasan_slab_alloc include/linux/kasan.h:188 [inline] +slab_post_alloc_hook mm/slab.h:763 [inline] +slab_alloc_node mm/slub.c:3478 [inline] +slab_alloc mm/slub.c:3486 [inline] +__kmem_cache_alloc_lru mm/slub.c:3493 [inline] +kmem_cache_alloc_lru+0x219/0x6f0 mm/slub.c:3509 +alloc_inode_sb include/linux/fs.h:2937 [inline] +ext4_alloc_inode+0x28/0x650 fs/ext4/super.c:1408 +alloc_inode+0x5d/0x220 fs/inode.c:261 +new_inode_pseudo fs/inode.c:1006 [inline] +new_inode+0x22/0x260 fs/inode.c:1032 
+__ext4_new_inode+0x333/0x5200 fs/ext4/ialloc.c:958 +ext4_symlink+0x5d7/0xa20 fs/ext4/namei.c:3398 +vfs_symlink fs/namei.c:4464 [inline] +vfs_symlink+0x3e5/0x620 fs/namei.c:4448 +do_symlinkat+0x25f/0x310 fs/namei.c:4490 +__do_sys_symlinkat fs/namei.c:4506 [inline] +__se_sys_symlinkat fs/namei.c:4503 [inline] +__x64_sys_symlinkat+0x97/0xc0 fs/namei.c:4503 +do_syscall_x64 arch/x86/entry/common.c:51 [inline] +do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82 + +Fixes: d57493d6d1be ("net: sched: ife: check on metadata length") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Cc: Jamal Hadi Salim +Cc: Alexander Aring +Acked-by: Jamal Hadi Salim +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ife/ife.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/ife/ife.c b/net/ife/ife.c +index 13bbf8cb6a396..be05b690b9ef2 100644 +--- a/net/ife/ife.c ++++ b/net/ife/ife.c +@@ -82,6 +82,7 @@ void *ife_decode(struct sk_buff *skb, u16 *metalen) + if (unlikely(!pskb_may_pull(skb, total_pull))) + return NULL; + ++ ifehdr = (struct ifeheadr *)(skb->data + skb->dev->hard_header_len); + skb_set_mac_header(skb, total_pull); + __skb_pull(skb, total_pull); + *metalen = ifehdrln - IFE_METAHDRLEN; +-- +2.43.0 + diff --git a/queue-6.6/octeontx2-pf-fix-graceful-exit-during-pfc-configurat.patch b/queue-6.6/octeontx2-pf-fix-graceful-exit-during-pfc-configurat.patch new file mode 100644 index 00000000000..78d5ed08d77 --- /dev/null +++ b/queue-6.6/octeontx2-pf-fix-graceful-exit-during-pfc-configurat.patch 
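Review bot: Re-deriving ifehdr after the second pskb_may_pull() is the right fix, since pskb_may_pull() can reallocate the skb head (the KASAN free trace goes __pskb_pull_tail -> pskb_expand_head -> skb_free_head), but the added line repeats the offset expression `skb->data + skb->dev->hard_header_len` with no explanation; a short comment saying the pointer is deliberately recomputed because the head may have moved would stop a future cleanup from "deduplicating" it, and any other pointer derived from skb->data before this second pull needs the same treatment.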
@@ -0,0 +1,72 @@ +From 9eab68c6bfc63814820678ffd33bd39d1d23a737 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Dec 2023 23:40:44 +0530 +Subject: octeontx2-pf: Fix graceful exit during PFC configuration failure + +From: Suman Ghosh + +[ Upstream commit 8c97ab5448f2096daba11edf8d18a44e1eb6f31d ] + +During PFC configuration failure the code was not handling a graceful +exit. This patch fixes the same and add proper code for a graceful exit. + +Fixes: 99c969a83d82 ("octeontx2-pf: Add egress PFC support") +Signed-off-by: Suman Ghosh +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../ethernet/marvell/octeontx2/nic/otx2_dcbnl.c | 17 ++++++++++++++--- + 1 file changed, 14 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_dcbnl.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_dcbnl.c +index bfddbff7bcdfb..28fb643d2917f 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_dcbnl.c ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_dcbnl.c +@@ -399,9 +399,10 @@ static int otx2_dcbnl_ieee_getpfc(struct net_device *dev, struct ieee_pfc *pfc) + static int otx2_dcbnl_ieee_setpfc(struct net_device *dev, struct ieee_pfc *pfc) + { + struct otx2_nic *pfvf = netdev_priv(dev); ++ u8 old_pfc_en; + int err; + +- /* Save PFC configuration to interface */ ++ old_pfc_en = pfvf->pfc_en; + pfvf->pfc_en = pfc->pfc_en; + + if (pfvf->hw.tx_queues >= NIX_PF_PFC_PRIO_MAX) +@@ -411,13 +412,17 @@ static int otx2_dcbnl_ieee_setpfc(struct net_device *dev, struct ieee_pfc *pfc) + * supported by the tx queue configuration + */ + err = otx2_check_pfc_config(pfvf); +- if (err) ++ if (err) { ++ pfvf->pfc_en = old_pfc_en; + return err; ++ } + + process_pfc: + err = otx2_config_priority_flow_ctrl(pfvf); +- if (err) ++ if (err) { ++ pfvf->pfc_en = old_pfc_en; + return err; ++ } + + /* Request Per channel Bpids */ + if (pfc->pfc_en) +@@ -425,6 +430,12 @@ static int otx2_dcbnl_ieee_setpfc(struct net_device *dev, struct 
ieee_pfc *pfc) + + err = otx2_pfc_txschq_update(pfvf); + if (err) { ++ if (pfc->pfc_en) ++ otx2_nix_config_bp(pfvf, false); ++ ++ otx2_pfc_txschq_stop(pfvf); ++ pfvf->pfc_en = old_pfc_en; ++ otx2_config_priority_flow_ctrl(pfvf); + dev_err(pfvf->dev, "%s failed to update TX schedulers\n", __func__); + return err; + } +-- +2.43.0 + diff --git a/queue-6.6/platform-x86-intel-pmc-fix-hang-in-pmc_core_send_ltr.patch b/queue-6.6/platform-x86-intel-pmc-fix-hang-in-pmc_core_send_ltr.patch new file mode 100644 index 00000000000..dc99f273fb2 --- /dev/null +++ b/queue-6.6/platform-x86-intel-pmc-fix-hang-in-pmc_core_send_ltr.patch 
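Review bot: The rollback in the otx2_pfc_txschq_update() failure path is not a true restore: `otx2_nix_config_bp(pfvf, false)` unconditionally disables backpressure whenever the new pfc_en was non-zero, even when old_pfc_en also had priorities enabled, and the return value of the restoring `otx2_config_priority_flow_ctrl(pfvf)` is ignored, so a failure there leaves pfvf->pfc_en describing a configuration the hardware does not have. Either re-enable BP when old_pfc_en is non-zero and report a failed restore with dev_err, or document that a failed update leaves PFC disabled.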
@@ -0,0 +1,42 @@ +From acdc5c572764fe0b037148bfef72d96c4b15c282 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Dec 2023 17:16:50 -0800 +Subject: platform/x86/intel/pmc: Fix hang in pmc_core_send_ltr_ignore() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rajvi Jingar + +[ Upstream commit fbcf67ce5a9e2831c14bdfb895be05213e611724 ] + +For input value 0, PMC stays unassigned which causes crash while trying +to access PMC for register read/write. Include LTR index 0 in pmc_index +and ltr_index calculation. + +Fixes: 2bcef4529222 ("platform/x86:intel/pmc: Enable debugfs multiple PMC support") +Signed-off-by: Rajvi Jingar +Reviewed-by: Ilpo Järvinen +Link: https://lore.kernel.org/r/20231216011650.1973941-1-rajvi.jingar@linux.intel.com +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/intel/pmc/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/intel/pmc/core.c b/drivers/platform/x86/intel/pmc/core.c +index 84c175b9721a0..e95d3011b9997 100644 +--- a/drivers/platform/x86/intel/pmc/core.c ++++ b/drivers/platform/x86/intel/pmc/core.c +@@ -472,7 +472,7 @@ int pmc_core_send_ltr_ignore(struct pmc_dev *pmcdev, u32 value) + * is based on the contiguous indexes from ltr_show output. + * pmc index and ltr index needs to be calculated from it. + */ +- for (pmc_index = 0; pmc_index < ARRAY_SIZE(pmcdev->pmcs) && ltr_index > 0; pmc_index++) { ++ for (pmc_index = 0; pmc_index < ARRAY_SIZE(pmcdev->pmcs) && ltr_index >= 0; pmc_index++) { + pmc = pmcdev->pmcs[pmc_index]; + + if (!pmc) +-- +2.43.0 + diff --git a/queue-6.6/reset-fix-crash-when-freeing-non-existent-optional-r.patch b/queue-6.6/reset-fix-crash-when-freeing-non-existent-optional-r.patch new file mode 100644 index 00000000000..10d3e58c8e1 --- /dev/null +++ b/queue-6.6/reset-fix-crash-when-freeing-non-existent-optional-r.patch 
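Review bot: Changing the loop condition to `ltr_index >= 0` stops the loop from exiting before pmc is assigned when the input value is 0, which is the fix, but it also changes when the loop terminates for every other value; the code that subtracts each PMC's LTR count from ltr_index and breaks is outside the shown context, so please confirm that the loop still stops on the right PMC and that a `value` beyond the total LTR count cannot fall through with pmc pointing at the last slot, or at NULL, after the loop.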
@@ -0,0 +1,63 @@ +From 6282059e655e1883e53a5a02267afea741d6f2a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Nov 2023 17:55:33 +0100 +Subject: reset: Fix crash when freeing non-existent optional resets + +From: Geert Uytterhoeven + +[ Upstream commit 4a6756f56bcf8e64c87144a626ce53aea4899c0e ] + +When obtaining one or more optional resets, non-existent resets are +stored as NULL pointers, and all related error and cleanup paths need to +take this into account. + +Currently only reset_control_put() and reset_control_bulk_put() +get this right. All of __reset_control_bulk_get(), +of_reset_control_array_get(), and reset_control_array_put() lack the +proper checking, causing NULL pointer dereferences on failure or +release. + +Fix this by moving the existing check from reset_control_bulk_put() to +__reset_control_put_internal(), so it applies to all callers. +The double check in reset_control_put() doesn't hurt. + +Fixes: 17c82e206d2a3cd8 ("reset: Add APIs to manage array of resets") +Fixes: 48d71395896d54ee ("reset: Add reset_control_bulk API") +Signed-off-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/2440edae7ca8534628cdbaf559ded288f2998178.1701276806.git.geert+renesas@glider.be +Signed-off-by: Philipp Zabel +Signed-off-by: Sasha Levin +--- + drivers/reset/core.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/reset/core.c b/drivers/reset/core.c +index f0a076e94118f..92cc13ef3e566 100644 +--- a/drivers/reset/core.c ++++ b/drivers/reset/core.c +@@ -807,6 +807,9 @@ static void __reset_control_put_internal(struct reset_control *rstc) + { + lockdep_assert_held(&reset_list_mutex); + ++ if (IS_ERR_OR_NULL(rstc)) ++ return; ++ + kref_put(&rstc->refcnt, __reset_control_release); + } + +@@ -1017,11 +1020,8 @@ EXPORT_SYMBOL_GPL(reset_control_put); + void reset_control_bulk_put(int num_rstcs, struct reset_control_bulk_data *rstcs) + { + mutex_lock(&reset_list_mutex); +- while (num_rstcs--) { +- if 
(IS_ERR_OR_NULL(rstcs[num_rstcs].rstc)) +- continue; ++ while (num_rstcs--) + __reset_control_put_internal(rstcs[num_rstcs].rstc); +- } + mutex_unlock(&reset_list_mutex); + } + EXPORT_SYMBOL_GPL(reset_control_bulk_put); +-- +2.43.0 + diff --git a/queue-6.6/revert-net-mlx5e-fix-double-free-of-encap_header-in-.patch b/queue-6.6/revert-net-mlx5e-fix-double-free-of-encap_header-in-.patch new file mode 100644 index 00000000000..2efb206c10a --- /dev/null +++ b/queue-6.6/revert-net-mlx5e-fix-double-free-of-encap_header-in-.patch 
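Review bot: Placing the IS_ERR_OR_NULL check in __reset_control_put_internal() after lockdep_assert_held() is the right order, since callers take reset_list_mutex unconditionally, but the commit message names __reset_control_bulk_get(), of_reset_control_array_get() and reset_control_array_put() as the crashing paths while the diff touches only the two functions in drivers/reset/core.c; a sentence stating that all three unwind through __reset_control_put_internal() would make this 4-line fix easier to verify on backport.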
@@ -0,0 +1,87 @@ +From 6f98586f0f2ba9c581e49eaa15646e5c26b005ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Nov 2023 13:51:52 +0100 +Subject: Revert "net/mlx5e: fix double free of encap_header in update funcs" + +From: Vlad Buslov + +[ Upstream commit 66ca8d4deca09bce3fc7bcf8ea7997fa1a51c33c ] + +This reverts commit 3a4aa3cb83563df942be49d145ee3b7ddf17d6bb. + +This patch is causing a null ptr issue, the proper fix is in the next +patch. + +Fixes: 3a4aa3cb8356 ("net/mlx5e: fix double free of encap_header in update funcs") +Signed-off-by: Vlad Buslov +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + .../ethernet/mellanox/mlx5/core/en/tc_tun.c | 20 +++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c +index 668da5c70e63d..8bca696b6658c 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c +@@ -403,12 +403,16 @@ int mlx5e_tc_tun_update_header_ipv4(struct mlx5e_priv *priv, + if (err) + goto free_encap; + ++ e->encap_size = ipv4_encap_size; ++ kfree(e->encap_header); ++ e->encap_header = encap_header; ++ + if (!(nud_state & NUD_VALID)) { + neigh_event_send(attr.n, NULL); + /* the encap entry will be made valid on neigh update event + * and not used before that. 
+ */ +- goto free_encap; ++ goto release_neigh; + } + + memset(&reformat_params, 0, sizeof(reformat_params)); +@@ -422,10 +426,6 @@ int mlx5e_tc_tun_update_header_ipv4(struct mlx5e_priv *priv, + goto free_encap; + } + +- e->encap_size = ipv4_encap_size; +- kfree(e->encap_header); +- e->encap_header = encap_header; +- + e->flags |= MLX5_ENCAP_ENTRY_VALID; + mlx5e_rep_queue_neigh_stats_work(netdev_priv(attr.out_dev)); + mlx5e_route_lookup_ipv4_put(&attr); +@@ -669,12 +669,16 @@ int mlx5e_tc_tun_update_header_ipv6(struct mlx5e_priv *priv, + if (err) + goto free_encap; + ++ e->encap_size = ipv6_encap_size; ++ kfree(e->encap_header); ++ e->encap_header = encap_header; ++ + if (!(nud_state & NUD_VALID)) { + neigh_event_send(attr.n, NULL); + /* the encap entry will be made valid on neigh update event + * and not used before that. + */ +- goto free_encap; ++ goto release_neigh; + } + + memset(&reformat_params, 0, sizeof(reformat_params)); +@@ -688,10 +692,6 @@ int mlx5e_tc_tun_update_header_ipv6(struct mlx5e_priv *priv, + goto free_encap; + } + +- e->encap_size = ipv6_encap_size; +- kfree(e->encap_header); +- e->encap_header = encap_header; +- + e->flags |= MLX5_ENCAP_ENTRY_VALID; + mlx5e_rep_queue_neigh_stats_work(netdev_priv(attr.out_dev)); + mlx5e_route_lookup_ipv6_put(&attr); +-- +2.43.0 + diff --git a/queue-6.6/revert-net-mlx5e-fix-double-free-of-encap_header.patch b/queue-6.6/revert-net-mlx5e-fix-double-free-of-encap_header.patch new file mode 100644 index 00000000000..32037aa20f0 --- /dev/null +++ b/queue-6.6/revert-net-mlx5e-fix-double-free-of-encap_header.patch 
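Review bot: With e->encap_header assigned before the NUD_VALID check, the `goto free_encap` that remains after the reformat allocation failure (in the +426 hunk) frees a buffer that e->encap_header still points to, which is exactly the double free the reverted commit fixed; the message says the proper fix is "in the next patch", but no such patch appears among the queued patches shown here, so the follow-up must be queued for 6.6 together with these two reverts or the regression is reintroduced.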
@@ -0,0 +1,67 @@ +From cf8793ef1bf5b4cbffcc4f1e3108e38ef0da1958 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Nov 2023 13:52:28 +0100 +Subject: Revert "net/mlx5e: fix double free of encap_header" + +From: Vlad Buslov + +[ Upstream commit 5d089684dc434a31e08d32f0530066d0025c52e4 ] + +This reverts commit 6f9b1a0731662648949a1c0587f6acb3b7f8acf1. + +This patch is causing a null ptr issue, the proper fix is in the next +patch. + +Fixes: 6f9b1a073166 ("net/mlx5e: fix double free of encap_header") +Signed-off-by: Vlad Buslov +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c +index 8bca696b6658c..00a04fdd756f5 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c +@@ -300,6 +300,9 @@ int mlx5e_tc_tun_create_header_ipv4(struct mlx5e_priv *priv, + if (err) + goto destroy_neigh_entry; + ++ e->encap_size = ipv4_encap_size; ++ e->encap_header = encap_header; ++ + if (!(nud_state & NUD_VALID)) { + neigh_event_send(attr.n, NULL); + /* the encap entry will be made valid on neigh update event +@@ -319,8 +322,6 @@ int mlx5e_tc_tun_create_header_ipv4(struct mlx5e_priv *priv, + goto destroy_neigh_entry; + } + +- e->encap_size = ipv4_encap_size; +- e->encap_header = encap_header; + e->flags |= MLX5_ENCAP_ENTRY_VALID; + mlx5e_rep_queue_neigh_stats_work(netdev_priv(attr.out_dev)); + mlx5e_route_lookup_ipv4_put(&attr); +@@ -567,6 +568,9 @@ int mlx5e_tc_tun_create_header_ipv6(struct mlx5e_priv *priv, + if (err) + goto destroy_neigh_entry; + ++ e->encap_size = ipv6_encap_size; ++ e->encap_header = encap_header; ++ + if (!(nud_state & NUD_VALID)) { + neigh_event_send(attr.n, NULL); + /* the encap entry will be made valid on neigh update event +@@ -586,8 
+590,6 @@ int mlx5e_tc_tun_create_header_ipv6(struct mlx5e_priv *priv, + goto destroy_neigh_entry; + } + +- e->encap_size = ipv6_encap_size; +- e->encap_header = encap_header; + e->flags |= MLX5_ENCAP_ENTRY_VALID; + mlx5e_rep_queue_neigh_stats_work(netdev_priv(attr.out_dev)); + mlx5e_route_lookup_ipv6_put(&attr); +-- +2.43.0 + diff --git a/queue-6.6/s390-vx-fix-save-restore-of-fpu-kernel-context.patch b/queue-6.6/s390-vx-fix-save-restore-of-fpu-kernel-context.patch new file mode 100644 index 00000000000..0f4bd33173f --- /dev/null +++ b/queue-6.6/s390-vx-fix-save-restore-of-fpu-kernel-context.patch 
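Review bot: The commit message says the proper fix is in the next patch, but in the queue-6.6/series hunk further down the two encap_header reverts are followed by net-mlx5e-fix-slab-out-of-bounds-in-mlx5_query_nic_v.patch, not by a replacement encap fix; confirm that follow-up is queued. With `e->encap_size`/`e->encap_header` moved back above the NUD_VALID check in both create-header functions, the `goto destroy_neigh_entry;` after the reformat alloc failure (context in the +319,8 and +590,6 hunks) runs with the entry already pointing at encap_header, so if that error path frees the buffer the original double free is back until the follow-up lands.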
@@ -0,0 +1,49 @@ +From d1fe8368841f9b9e06f4a01c543858dbf141ad91 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Dec 2023 15:03:15 +0100 +Subject: s390/vx: fix save/restore of fpu kernel context + +From: Heiko Carstens + +[ Upstream commit e6b2dab41888332bf83f592131e7ea07756770a4 ] + +The KERNEL_FPR mask only contains a flag for the first eight vector +registers. However floating point registers overlay parts of the first +sixteen vector registers. + +This could lead to vector register corruption if a kernel fpu context uses +any of the vector registers 8 to 15 and is interrupted or calls a +KERNEL_FPR context. If that context uses also vector registers 8 to 15, +their contents will be corrupted on return. + +Luckily this is currently not a real bug, since the kernel has only one +KERNEL_FPR user with s390_adjust_jiffies() and it is only using floating +point registers 0 to 2. + +Fix this by using the correct bits for KERNEL_FPR. + +Fixes: 7f79695cc1b6 ("s390/fpu: improve kernel_fpu_[begin|end]") +Signed-off-by: Heiko Carstens +Reviewed-by: Hendrik Brueckner +Signed-off-by: Alexander Gordeev +Signed-off-by: Sasha Levin +--- + arch/s390/include/asm/fpu/api.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/s390/include/asm/fpu/api.h b/arch/s390/include/asm/fpu/api.h +index b714ed0ef6885..9acf48e53a87f 100644 +--- a/arch/s390/include/asm/fpu/api.h ++++ b/arch/s390/include/asm/fpu/api.h +@@ -79,7 +79,7 @@ static inline int test_fp_ctl(u32 fpc) + #define KERNEL_VXR_HIGH (KERNEL_VXR_V16V23|KERNEL_VXR_V24V31) + + #define KERNEL_VXR (KERNEL_VXR_LOW|KERNEL_VXR_HIGH) +-#define KERNEL_FPR (KERNEL_FPC|KERNEL_VXR_V0V7) ++#define KERNEL_FPR (KERNEL_FPC|KERNEL_VXR_LOW) + + struct kernel_fpu; + +-- +2.43.0 + diff --git a/queue-6.6/series b/queue-6.6/series index 3d3cf4bffa4..24b373c8149 100644 --- a/queue-6.6/series +++ b/queue-6.6/series 
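Review bot: KERNEL_VXR_LOW is not defined in this hunk; only KERNEL_VXR_HIGH (KERNEL_VXR_V16V23|KERNEL_VXR_V24V31) is visible as context, so the reader has to take on trust that KERNEL_VXR_LOW is V0V7|V8V15 and therefore covers exactly the sixteen vector registers the floating point registers overlay. Including that define as context, or a one-line comment on KERNEL_FPR saying why the low sixteen are required, would make the fix self-explanatory. As the message notes, the only current KERNEL_FPR user touches fpr 0 to 2, so this is a latent corruption bug being closed before a second user appears rather than a live one.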
@@ -11,3 +11,59 @@ drm-i915-edp-don-t-write-to-dp_link_bw_set-when-usin.patch drm-update-file-owner-during-use.patch drm-fix-fd-ownership-check-in-drm_master_check_perm.patch spi-spi-imx-correctly-configure-burst-length-when-us.patch +arm64-dts-allwinner-h616-update-emac-for-orange-pi-z.patch +arm-dts-dra7-fix-dra7-l3-noc-node-register-size.patch +arm-omap2-fix-null-pointer-dereference-and-memory-le.patch +reset-fix-crash-when-freeing-non-existent-optional-r.patch +s390-vx-fix-save-restore-of-fpu-kernel-context.patch +platform-x86-intel-pmc-fix-hang-in-pmc_core_send_ltr.patch +sunrpc-revert-5f7fc5d69f6e92ec0b38774c387f5cf7812c58.patch +wifi-ieee80211-don-t-require-protected-vendor-action.patch +wifi-iwlwifi-pcie-add-another-missing-bh-disable-for.patch +wifi-mac80211-check-if-the-existing-link-config-rema.patch +wifi-mac80211-don-t-re-add-debugfs-during-reconfig.patch +wifi-mac80211-check-defragmentation-succeeded.patch +wifi-mac80211-mesh-check-element-parsing-succeeded.patch +wifi-mac80211-mesh_plink-fix-matches_local-logic.patch +ice-fix-theoretical-out-of-bounds-access-in-ethtool-.patch +bpf-syzkaller-found-null-ptr-deref-in-unix_bpf-proto.patch +revert-net-mlx5e-fix-double-free-of-encap_header-in-.patch +revert-net-mlx5e-fix-double-free-of-encap_header.patch +net-mlx5e-fix-slab-out-of-bounds-in-mlx5_query_nic_v.patch +net-mlx5e-fix-a-race-in-command-alloc-flow.patch +net-mlx5e-fix-a-potential-double-free-in-fs_udp_crea.patch +net-mlx5e-fix-overrun-reported-by-coverity.patch +net-mlx5e-decrease-num_block_tc-when-unblock-tc-offl.patch +net-mlx5e-xdp-drop-fragmented-packets-larger-than-mt.patch +net-mlx5-fix-fw-tracer-first-block-check.patch +net-mlx5-refactor-mlx5_flow_destination-rep-pointer-.patch +net-mlx5e-fix-error-code-in-mlx5e_tc_action_miss_map.patch +net-mlx5e-fix-error-codes-in-alloc_branch_attr.patch +net-mlx5e-correct-snprintf-truncation-handling-for-f.patch +net-mlx5e-correct-snprintf-truncation-handling-for-f.patch-13064 
+net-mscc-ocelot-fix-emac-tx-rmon-stats-for-bucket-25.patch +net-mscc-ocelot-fix-pmac-tx-rmon-stats-for-bucket-25.patch +octeontx2-pf-fix-graceful-exit-during-pfc-configurat.patch +net-return-error-from-sk_stream_wait_connect-if-sk_w.patch +net-sched-ife-fix-potential-use-after-free.patch +ethernet-atheros-fix-a-memleak-in-atl1e_setup_ring_r.patch +net-rose-fix-races-in-rose_kill_by_device.patch +bluetooth-fix-not-notifying-when-connection-encrypti.patch +bluetooth-fix-deadlock-in-vhci_send_frame.patch +bluetooth-hci_event-shut-up-a-false-positive-warning.patch +bluetooth-hci_core-fix-hci_conn_hash_lookup_cis.patch +bnxt_en-do-not-map-packet-buffers-twice.patch +net-phy-skip-led-triggers-on-phys-on-sfp-modules.patch +ice-stop-trashing-vf-vsi-aggregator-node-id-informat.patch +ice-alter-feature-support-check-for-sriov-and-lag.patch +ice-fix-pf-with-enabled-xdp-going-no-carrier-after-r.patch +net-mana-select-page_pool.patch +net-check-vlan-filter-feature-in-vlan_vids_add_by_de.patch +afs-fix-the-dynamic-root-s-d_delete-to-always-delete.patch +afs-fix-dynamic-root-lookup-dns-check.patch +net-ethernet-mtk_wed-fix-possible-null-pointer-deref.patch +net-ipv6-revert-remove-expired-routes-with-a-separat.patch +net-check-dev-gso_max_size-in-gso_features_check.patch +keys-dns-allow-key-types-eg.-dns-to-be-reclaimed-imm.patch +afs-fix-overwriting-of-result-of-dns-query.patch +afs-fix-use-after-free-due-to-get-remove-race-in-vol.patch diff --git a/queue-6.6/sunrpc-revert-5f7fc5d69f6e92ec0b38774c387f5cf7812c58.patch b/queue-6.6/sunrpc-revert-5f7fc5d69f6e92ec0b38774c387f5cf7812c58.patch new file mode 100644 index 00000000000..6a502fd47f1 --- /dev/null +++ b/queue-6.6/sunrpc-revert-5f7fc5d69f6e92ec0b38774c387f5cf7812c58.patch 
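Review bot: In the queue-6.6/series hunk, net-mlx5e-correct-snprintf-truncation-handling-for-f.patch and net-mlx5e-correct-snprintf-truncation-handling-for-f.patch-13064 are adjacent entries whose names differ only by the numeric suffix the queue appends to avoid a filename collision between two upstream commits with the same truncated subject; confirm both files exist under queue-6.6 and carry different upstream commit ids, otherwise the series will fail to apply or apply the same change twice.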
@@ -0,0 +1,51 @@ +From 1f7f52ecb95d59c2a9f314a77c4936177a5791bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Dec 2023 17:05:40 -0500 +Subject: SUNRPC: Revert 5f7fc5d69f6e92ec0b38774c387f5cf7812c5806 + +From: Chuck Lever + +[ Upstream commit bd018b98ba84ca0c80abac1ef23ce726a809e58c ] + +Guillaume says: +> I believe commit 5f7fc5d69f6e ("SUNRPC: Resupply rq_pages from +> node-local memory") in Linux 6.5+ is incorrect. It passes +> unconditionally rq_pool->sp_id as the NUMA node. +> +> While the comment in the svc_pool declaration in sunrpc/svc.h says +> that sp_id is also the NUMA node id, it might not be the case if +> the svc is created using svc_create_pooled(). svc_created_pooled() +> can use the per-cpu pool mode therefore in this case sp_id would +> be the cpu id. + +Fix this by reverting now. At a later point this minor optimization, +and the deceptive labeling of the sp_id field, can be revisited. + +Reported-by: Guillaume Morin +Closes: https://lore.kernel.org/linux-nfs/ZYC9rsno8qYggVt9@bender.morinfr.org/T/#u +Fixes: 5f7fc5d69f6e ("SUNRPC: Resupply rq_pages from node-local memory") +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + net/sunrpc/svc_xprt.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/net/sunrpc/svc_xprt.c b/net/sunrpc/svc_xprt.c +index 4cfe9640df481..5cfe5c7408b74 100644 +--- a/net/sunrpc/svc_xprt.c ++++ b/net/sunrpc/svc_xprt.c +@@ -666,9 +666,8 @@ static bool svc_alloc_arg(struct svc_rqst *rqstp) + } + + for (filled = 0; filled < pages; filled = ret) { +- ret = alloc_pages_bulk_array_node(GFP_KERNEL, +- rqstp->rq_pool->sp_id, +- pages, rqstp->rq_pages); ++ ret = alloc_pages_bulk_array(GFP_KERNEL, pages, ++ rqstp->rq_pages); + if (ret > filled) + /* Made progress, don't sleep yet */ + continue; +-- +2.43.0 + 
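Review bot: The revert drops the NUMA node hint entirely instead of correcting it; given the report that sp_id is a CPU id in per-cpu pool mode, a smaller change would have kept alloc_pages_bulk_array_node() and derived the node according to the pool mode, but the message explicitly defers that. What is left behind is the comment in sunrpc/svc.h describing sp_id as the NUMA node id (quoted in the report), which is exactly what misled the original change; fixing that comment in the same series would stop the next reader from reintroducing this bug.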
diff --git a/queue-6.6/wifi-ieee80211-don-t-require-protected-vendor-action.patch b/queue-6.6/wifi-ieee80211-don-t-require-protected-vendor-action.patch new file mode 100644 index 00000000000..780d4597d57 --- /dev/null +++ b/queue-6.6/wifi-ieee80211-don-t-require-protected-vendor-action.patch 
@@ -0,0 +1,46 @@ +From dad70659065731a236aa22154158f18313cbbaf0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Dec 2023 22:37:57 +0100 +Subject: wifi: ieee80211: don't require protected vendor action frames + +From: Johannes Berg + +[ Upstream commit 98fb9b9680c9f3895ced02d6a73e27f5d7b5892b ] + +For vendor action frames, whether a protected one should be +used or not is clearly up to the individual vendor and frame, +so even though a protected dual is defined, it may not get +used. Thus, don't require protection for vendor action frames +when they're used in a connection. + +Since we obviously don't process frames unknown to the kernel +in the kernel, it may make sense to invert this list to have +all the ones the kernel processes and knows to be requiring +protection, but that'd be a different change. + +Fixes: 91535613b609 ("wifi: mac80211: don't drop all unprotected public action frames") +Reported-by: Jouni Malinen +Link: https://msgid.link/20231206223801.f6a2cf4e67ec.Ifa6acc774bd67801d3dafb405278f297683187aa@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + include/linux/ieee80211.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/include/linux/ieee80211.h b/include/linux/ieee80211.h +index b24fb80782c5a..2b0a73cb7cbb0 100644 +--- a/include/linux/ieee80211.h ++++ b/include/linux/ieee80211.h +@@ -4381,7 +4381,8 @@ ieee80211_is_protected_dual_of_public_action(struct sk_buff *skb) + action != WLAN_PUB_ACTION_LOC_TRACK_NOTI && + action != WLAN_PUB_ACTION_FTM_REQUEST && + action != WLAN_PUB_ACTION_FTM_RESPONSE && +- action != WLAN_PUB_ACTION_FILS_DISCOVERY; ++ action != WLAN_PUB_ACTION_FILS_DISCOVERY && ++ action != WLAN_PUB_ACTION_VENDOR_SPECIFIC; + } + + /** +-- +2.43.0 + diff --git a/queue-6.6/wifi-iwlwifi-pcie-add-another-missing-bh-disable-for.patch b/queue-6.6/wifi-iwlwifi-pcie-add-another-missing-bh-disable-for.patch new file mode 100644 index 00000000000..bce0d716f41 --- /dev/null
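Review bot: Adding WLAN_PUB_ACTION_VENDOR_SPECIFIC to the exclusion list in the +4381,7 hunk means an unprotected vendor-specific public action frame received inside a connection is no longer dropped for lacking protection even though a protected dual exists; that is the intended relaxation, but it moves the protection decision to whichever vendor handler consumes the frame. The function is a growing denylist (every entry is "not a protected dual"), so each new public action code added to the spec is treated as requiring protection until someone notices otherwise; the allowlist the message suggests, listing only the action codes the kernel itself processes and knows need protection, would fail closed in a more predictable way and is worth a follow-up.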
+++ b/queue-6.6/wifi-iwlwifi-pcie-add-another-missing-bh-disable-for.patch @@ -0,0 +1,48 @@ +From 80d2ea04c84ad33fb96559413833d90772e923a7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Dec 2023 18:32:02 +0200 +Subject: wifi: iwlwifi: pcie: add another missing bh-disable for rxq->lock + +From: Johannes Berg + +[ Upstream commit a4754182dc936b97ec7e9f6b08cdf7ed97ef9069 ] + +Evidently I had only looked at all the ones in rx.c, and missed this. +Add bh-disable to this use of the rxq->lock as well. + +Fixes: 25edc8f259c7 ("iwlwifi: pcie: properly implement NAPI") +Reported-by: Brian Norris +Signed-off-by: Johannes Berg +Signed-off-by: Miri Korenblit +Link: https://msgid.link/20231208183100.e79ad3dae649.I8f19713c4383707f8be7fc20ff5cc1ecf12429bb@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/pcie/trans.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c +index 583d1011963ec..2e23ccd7d7938 100644 +--- a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c +@@ -3088,7 +3088,7 @@ static u32 iwl_trans_pcie_dump_rbs(struct iwl_trans *trans, + struct iwl_rxq *rxq = &trans_pcie->rxq[0]; + u32 i, r, j, rb_len = 0; + +- spin_lock(&rxq->lock); ++ spin_lock_bh(&rxq->lock); + + r = le16_to_cpu(iwl_get_closed_rb_stts(trans, rxq)) & 0x0FFF; + +@@ -3112,7 +3112,7 @@ static u32 iwl_trans_pcie_dump_rbs(struct iwl_trans *trans, + *data = iwl_fw_error_next_data(*data); + } + +- spin_unlock(&rxq->lock); ++ spin_unlock_bh(&rxq->lock); + + return rb_len; + } +-- +2.43.0 + diff --git a/queue-6.6/wifi-mac80211-check-defragmentation-succeeded.patch b/queue-6.6/wifi-mac80211-check-defragmentation-succeeded.patch new file mode 100644 index 00000000000..c675d0e1ff5 --- /dev/null +++ b/queue-6.6/wifi-mac80211-check-defragmentation-succeeded.patch 
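Review bot: Both lock and unlock in iwl_trans_pcie_dump_rbs now disable bottom halves, which is required if rxq->lock is also taken from the NAPI poll path; the message admits the earlier sweep only covered rx.c, so before accepting the Fixes tag as complete the obvious check is a grep for any remaining plain spin_lock(&rxq->lock) users outside rx.c. The dump path is a firmware error-collection path, so the inconsistency would have surfaced as a lockdep report rather than a functional failure, which is why it survived the first sweep.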
@@ -0,0 +1,48 @@ +From cea2dde262894559c1151f0dd3d1595b5e6637d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Dec 2023 09:05:30 +0200 +Subject: wifi: mac80211: check defragmentation succeeded + +From: Johannes Berg + +[ Upstream commit 98849ba2aa9db46e62720fb686a9d63ed9887806 ] + +We need to check that cfg80211_defragment_element() +didn't return an error, since it can fail due to bad +input, and we didn't catch that before. + +Fixes: 8eb8dd2ffbbb ("wifi: mac80211: Support link removal using Reconfiguration ML element") +Signed-off-by: Johannes Berg +Signed-off-by: Miri Korenblit +Link: https://msgid.link/20231211085121.8595a6b67fc0.I1225edd8f98355e007f96502e358e476c7971d8c@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/mlme.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c +index 0c9198997482b..73f8df03d159c 100644 +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -5805,7 +5805,7 @@ static void ieee80211_ml_reconfiguration(struct ieee80211_sub_if_data *sdata, + { + const struct ieee80211_multi_link_elem *ml; + const struct element *sub; +- size_t ml_len; ++ ssize_t ml_len; + unsigned long removed_links = 0; + u16 link_removal_timeout[IEEE80211_MLD_MAX_NUM_LINKS] = {}; + u8 link_id; +@@ -5821,6 +5821,8 @@ static void ieee80211_ml_reconfiguration(struct ieee80211_sub_if_data *sdata, + elems->scratch + elems->scratch_len - + elems->scratch_pos, + WLAN_EID_FRAGMENT); ++ if (ml_len < 0) ++ return; + + elems->ml_reconf = (const void *)elems->scratch_pos; + elems->ml_reconf_len = ml_len; +-- +2.43.0 + diff --git a/queue-6.6/wifi-mac80211-check-if-the-existing-link-config-rema.patch b/queue-6.6/wifi-mac80211-check-if-the-existing-link-config-rema.patch new file mode 100644 index 00000000000..1d833b30e8f --- /dev/null +++ b/queue-6.6/wifi-mac80211-check-if-the-existing-link-config-rema.patch 
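Review bot: The real fix here is the type change in the +5805,7 hunk: with ml_len declared size_t, a negative return from cfg80211_defragment_element() was stored as a huge unsigned value and the added `if (ml_len < 0)` could never be true, so the two hunks only work together. Two things are outside the hunk and worth confirming: `elems->ml_reconf_len = ml_len;` assigns an ssize_t to a field of unknown width, so the defragmented length must be bounded by the scratch space passed in (elems->scratch + elems->scratch_len - elems->scratch_pos) to avoid truncation; and on the early return elems->ml_reconf is left unset, so callers must treat NULL as "no reconfiguration element" rather than assume the pointer is valid whenever the element was present.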
@@ -0,0 +1,89 @@ +From c1c8666fb0cc19eb9e7ee72687fac7bae54b903d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Nov 2023 20:17:47 +0800 +Subject: wifi: mac80211: check if the existing link config remains unchanged + +From: Edward Adam Davis + +[ Upstream commit c1393c132b906fbdf91f6d1c9eb2ef7a00cce64e ] + +[Syz report] +WARNING: CPU: 1 PID: 5067 at net/mac80211/rate.c:48 rate_control_rate_init+0x540/0x690 net/mac80211/rate.c:48 +Modules linked in: +CPU: 1 PID: 5067 Comm: syz-executor413 Not tainted 6.7.0-rc3-syzkaller-00014-gdf60cee26a2e #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023 +RIP: 0010:rate_control_rate_init+0x540/0x690 net/mac80211/rate.c:48 +Code: 48 c7 c2 00 46 0c 8c be 08 03 00 00 48 c7 c7 c0 45 0c 8c c6 05 70 79 0b 05 01 e8 1b a0 6f f7 e9 e0 fd ff ff e8 61 b3 8f f7 90 <0f> 0b 90 e9 36 ff ff ff e8 53 b3 8f f7 e8 5e 0b 78 f7 31 ff 89 c3 +RSP: 0018:ffffc90003c57248 EFLAGS: 00010293 +RAX: 0000000000000000 RBX: ffff888016bc4000 RCX: ffffffff89f7d519 +RDX: ffff888076d43b80 RSI: ffffffff89f7d6df RDI: 0000000000000005 +RBP: ffff88801daaae20 R08: 0000000000000005 R09: 0000000000000000 +R10: 0000000000000001 R11: 0000000000000002 R12: 0000000000000001 +R13: 0000000000000000 R14: ffff888020030e20 R15: ffff888078f08000 +FS: 0000555556b94380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00000000005fdeb8 CR3: 0000000076d22000 CR4: 00000000003506f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + sta_apply_auth_flags.constprop.0+0x4b7/0x510 net/mac80211/cfg.c:1674 + sta_apply_parameters+0xaf1/0x16c0 net/mac80211/cfg.c:2002 + ieee80211_add_station+0x3fa/0x6c0 net/mac80211/cfg.c:2068 + rdev_add_station net/wireless/rdev-ops.h:201 [inline] + nl80211_new_station+0x13ba/0x1a70 net/wireless/nl80211.c:7603 + genl_family_rcv_msg_doit+0x1fc/0x2e0 
net/netlink/genetlink.c:972 + genl_family_rcv_msg net/netlink/genetlink.c:1052 [inline] + genl_rcv_msg+0x561/0x800 net/netlink/genetlink.c:1067 + netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2545 + genl_rcv+0x28/0x40 net/netlink/genetlink.c:1076 + netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline] + netlink_unicast+0x53b/0x810 net/netlink/af_netlink.c:1368 + netlink_sendmsg+0x93c/0xe40 net/netlink/af_netlink.c:1910 + sock_sendmsg_nosec net/socket.c:730 [inline] + __sock_sendmsg+0xd5/0x180 net/socket.c:745 + ____sys_sendmsg+0x6ac/0x940 net/socket.c:2584 + ___sys_sendmsg+0x135/0x1d0 net/socket.c:2638 + __sys_sendmsg+0x117/0x1e0 net/socket.c:2667 + do_syscall_x64 arch/x86/entry/common.c:51 [inline] + do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82 + entry_SYSCALL_64_after_hwframe+0x63/0x6b + +[Analysis] +It is inappropriate to make a link configuration change judgment on a +non-existent and non-new link. + +[Fix] +Quickly exit when there is an existent link and the link configuration has not +changed. + +Fixes: b303835dabe0 ("wifi: mac80211: accept STA changes without link changes") +Reported-and-tested-by: syzbot+62d7eef57b09bfebcd84@syzkaller.appspotmail.com +Signed-off-by: Edward Adam Davis +Link: https://msgid.link/tencent_DE67FF86DB92ED465489A36ECD2EDDCC8C06@qq.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/cfg.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c +index 715da615f0359..f7cb50b0dd4ed 100644 +--- a/net/mac80211/cfg.c ++++ b/net/mac80211/cfg.c +@@ -1806,10 +1806,10 @@ static int sta_link_apply_parameters(struct ieee80211_local *local, + lockdep_is_held(&local->sta_mtx)); + + /* +- * If there are no changes, then accept a link that doesn't exist, ++ * If there are no changes, then accept a link that exist, + * unless it's a new link.
+ */ +- if (params->link_id < 0 && !new_link && ++ if (params->link_id >= 0 && !new_link && + !params->link_mac && !params->txpwr_set && + !params->supported_rates_len && + !params->ht_capa && !params->vht_capa && +-- +2.43.0 + diff --git a/queue-6.6/wifi-mac80211-don-t-re-add-debugfs-during-reconfig.patch b/queue-6.6/wifi-mac80211-don-t-re-add-debugfs-during-reconfig.patch new file mode 100644 index 00000000000..0eb235a5c1e --- /dev/null +++ b/queue-6.6/wifi-mac80211-don-t-re-add-debugfs-during-reconfig.patch 
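Review bot: The rewritten comment in the +1806,10 hunk reads "accept a link that exist"; it should be "exists". On the logic: the early-accept path now fires only for link_id >= 0 when the link already exists (!new_link) and no per-link parameters were supplied, which matches the syzbot trace above where sta_apply_auth_flags was reached for a link that was never set up. The value returned by that early exit is outside the hunk, so confirm it is 0 rather than an error code, otherwise a no-op station update with an existing link id would start failing instead of being accepted.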
@@ -0,0 +1,52 @@ +From 4fdbad6c97044e0924c19eeacb0b9e087e748bea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Dec 2023 09:05:19 +0200 +Subject: wifi: mac80211: don't re-add debugfs during reconfig + +From: Johannes Berg + +[ Upstream commit 63bafd9d5421959b2124dd940ed8d7462d99f449 ] + +If we're doing reconfig, then we cannot add the debugfs +files that are already there from before the reconfig. +Skip that in drv_change_sta_links() during reconfig. + +Fixes: d2caad527c19 ("wifi: mac80211: add API to show the link STAs in debugfs") +Signed-off-by: Johannes Berg +Reviewed-by: Gregory Greenman +Reviewed-by: Benjamin Berg +Signed-off-by: Miri Korenblit +Link: https://msgid.link/20231211085121.88a950f43e16.Id71181780994649219685887c0fcad33d387cc78@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/driver-ops.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/net/mac80211/driver-ops.c b/net/mac80211/driver-ops.c +index aa37a1410f377..f8af0c3d405ae 100644 +--- a/net/mac80211/driver-ops.c ++++ b/net/mac80211/driver-ops.c +@@ -1,7 +1,7 @@ + // SPDX-License-Identifier: GPL-2.0-only + /* + * Copyright 2015 Intel Deutschland GmbH +- * Copyright (C) 2022 Intel Corporation ++ * Copyright (C) 2022-2023 Intel Corporation + */ + #include + #include "ieee80211_i.h" +@@ -564,6 +564,10 @@ int drv_change_sta_links(struct ieee80211_local *local, + if (ret) + return ret; + ++ /* during reconfig don't add it to debugfs again */ ++ if (local->in_reconfig) ++ return 0; ++ + for_each_set_bit(link_id, &links_to_add, IEEE80211_MLD_MAX_NUM_LINKS) { + link_sta = rcu_dereference_protected(info->link[link_id], + lockdep_is_held(&local->sta_mtx)); +-- +2.43.0 + diff --git a/queue-6.6/wifi-mac80211-mesh-check-element-parsing-succeeded.patch b/queue-6.6/wifi-mac80211-mesh-check-element-parsing-succeeded.patch new file mode 100644 index 00000000000..86bf109ff4b --- /dev/null 
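Review bot: The early `return 0;` when local->in_reconfig skips everything after it in drv_change_sta_links(), not only the debugfs loop; if the loop is the last statement that is harmless today, but anything added to the tail of the function later will be silently skipped during reconfig. Wrapping the loop in `if (!local->in_reconfig)` or moving the debugfs add into a helper that checks in_reconfig itself keeps the intent local to the debugfs code. The driver's `ret` is still returned on error above the new check, so only the success path changes.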
+++ b/queue-6.6/wifi-mac80211-mesh-check-element-parsing-succeeded.patch @@ -0,0 +1,40 @@ +From 296b8a010a62ae0ac012ef39c762d6278b6b9138 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Dec 2023 09:05:32 +0200 +Subject: wifi: mac80211: mesh: check element parsing succeeded + +From: Johannes Berg + +[ Upstream commit 1fc4a3eec50d726f4663ad3c0bb0158354d6647a ] + +ieee802_11_parse_elems() can return NULL, so we must +check for the return value. + +Fixes: 5d24828d05f3 ("mac80211: always allocate struct ieee802_11_elems") +Signed-off-by: Johannes Berg +Signed-off-by: Miri Korenblit +Link: https://msgid.link/20231211085121.93dea364f3d3.Ie87781c6c48979fb25a744b90af4a33dc2d83a28@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/mesh_plink.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/net/mac80211/mesh_plink.c b/net/mac80211/mesh_plink.c +index a1e526419e9d2..5c8a3ff0ae0cc 100644 +--- a/net/mac80211/mesh_plink.c ++++ b/net/mac80211/mesh_plink.c +@@ -1243,6 +1243,8 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata, + return; + } + elems = ieee802_11_parse_elems(baseaddr, len - baselen, true, NULL); +- mesh_process_plink_frame(sdata, mgmt, elems, rx_status); +- kfree(elems); ++ if (elems) { ++ mesh_process_plink_frame(sdata, mgmt, elems, rx_status); ++ kfree(elems); ++ } + } +-- +2.43.0 + diff --git a/queue-6.6/wifi-mac80211-mesh_plink-fix-matches_local-logic.patch b/queue-6.6/wifi-mac80211-mesh_plink-fix-matches_local-logic.patch new file mode 100644 index 00000000000..f6429be6435 --- /dev/null +++ b/queue-6.6/wifi-mac80211-mesh_plink-fix-matches_local-logic.patch 
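Review bot: The NULL check is correct, but the function already uses an early `return;` a few lines up in the hunk's context, so `if (!elems) return;` followed by the unchanged two statements would be a smaller diff and keep the common path unindented; either form is fine as long as kfree(elems) stays paired with a successful parse, which it does here.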
@@ -0,0 +1,52 @@ +From 55117cbfab71eb4cfbafae1fbbd21d5704665bd0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Dec 2023 09:05:31 +0200 +Subject: wifi: mac80211: mesh_plink: fix matches_local logic + +From: Johannes Berg + +[ Upstream commit 8c386b166e2517cf3a123018e77941ec22625d0f ] + +During refactoring the "else" here got lost, add it back. + +Fixes: c99a89edb106 ("mac80211: factor out plink event gathering") +Signed-off-by: Johannes Berg +Signed-off-by: Miri Korenblit +Link: https://msgid.link/20231211085121.795480fa0e0b.I017d501196a5bbdcd9afd33338d342d6fe1edd79@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/mesh_plink.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/net/mac80211/mesh_plink.c b/net/mac80211/mesh_plink.c +index 5c8a3ff0ae0cc..cc62c2a01f54f 100644 +--- a/net/mac80211/mesh_plink.c ++++ b/net/mac80211/mesh_plink.c +@@ -1064,8 +1064,8 @@ mesh_plink_get_event(struct ieee80211_sub_if_data *sdata, + case WLAN_SP_MESH_PEERING_OPEN: + if (!matches_local) + event = OPN_RJCT; +- if (!mesh_plink_free_count(sdata) || +- (sta->mesh->plid && sta->mesh->plid != plid)) ++ else if (!mesh_plink_free_count(sdata) || ++ (sta->mesh->plid && sta->mesh->plid != plid)) + event = OPN_IGNR; + else + event = OPN_ACPT; +@@ -1073,9 +1073,9 @@ mesh_plink_get_event(struct ieee80211_sub_if_data *sdata, + case WLAN_SP_MESH_PEERING_CONFIRM: + if (!matches_local) + event = CNF_RJCT; +- if (!mesh_plink_free_count(sdata) || +- sta->mesh->llid != llid || +- (sta->mesh->plid && sta->mesh->plid != plid)) ++ else if (!mesh_plink_free_count(sdata) || ++ sta->mesh->llid != llid || ++ (sta->mesh->plid && sta->mesh->plid != plid)) + event = CNF_IGNR; + else + event = CNF_ACPT; +-- +2.43.0 +
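Review bot: The restored `else` matters for more than tidiness: in the old code a frame failing matches_local was set to OPN_RJCT/CNF_RJCT and then unconditionally overwritten by the following if/else, so whenever a plink slot was free the event ended up as OPN_ACPT or CNF_ACPT and a peer whose parameters did not match local could be accepted. Only the OPEN and CONFIRM cases are in the hunk; the CLOSE case of the same switch should be checked for the same dropped-else pattern from the referenced refactor.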