From: Sasha Levin Date: Fri, 4 Oct 2024 16:20:13 +0000 (-0400) Subject: Fixes for 5.15 X-Git-Tag: v6.6.55~155 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=485237b73e72b4c173133ba66667cf19547529f5;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.15 Signed-off-by: Sasha Levin --- diff --git a/queue-5.15/bluetooth-btmrvl-use-irqf_no_autoen-flag-in-request_.patch b/queue-5.15/bluetooth-btmrvl-use-irqf_no_autoen-flag-in-request_.patch new file mode 100644 index 00000000000..47d1846796c --- /dev/null +++ b/queue-5.15/bluetooth-btmrvl-use-irqf_no_autoen-flag-in-request_.patch @@ -0,0 +1,45 @@ +From 89bb65d24472beca89936a5079fff3f595b863ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Sep 2024 11:12:04 +0800 +Subject: Bluetooth: btmrvl: Use IRQF_NO_AUTOEN flag in request_irq() + +From: Jinjie Ruan + +[ Upstream commit 7b1ab460592ca818e7b52f27cd3ec86af79220d1 ] + +disable_irq() after request_irq() still has a time gap in which +interrupts can come. request_irq() with IRQF_NO_AUTOEN flag will +disable IRQ auto-enable when request IRQ. + +Fixes: bb7f4f0bcee6 ("btmrvl: add platform specific wakeup interrupt support") +Signed-off-by: Jinjie Ruan +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btmrvl_sdio.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/bluetooth/btmrvl_sdio.c b/drivers/bluetooth/btmrvl_sdio.c +index 68378b42ea7fd..f71f32d4d4712 100644 +--- a/drivers/bluetooth/btmrvl_sdio.c ++++ b/drivers/bluetooth/btmrvl_sdio.c +@@ -105,7 +105,7 @@ static int btmrvl_sdio_probe_of(struct device *dev, + } else { + ret = devm_request_irq(dev, cfg->irq_bt, + btmrvl_wake_irq_bt, +- 0, "bt_wake", card); ++ IRQF_NO_AUTOEN, "bt_wake", card); + if (ret) { + dev_err(dev, + "Failed to request irq_bt %d (%d)\n", +@@ -114,7 +114,6 @@ static int btmrvl_sdio_probe_of(struct device *dev, + + /* Configure wakeup (enabled by default) */ + device_init_wakeup(dev, true); +- disable_irq(cfg->irq_bt); + } + } + +-- +2.43.0 + diff --git a/queue-5.15/ceph-remove-the-incorrect-fw-reference-check-when-di.patch b/queue-5.15/ceph-remove-the-incorrect-fw-reference-check-when-di.patch new file mode 100644 index 00000000000..5cbf2b50375 --- /dev/null +++ b/queue-5.15/ceph-remove-the-incorrect-fw-reference-check-when-di.patch @@ -0,0 +1,37 @@ +From 07a6e8dcb3880a961072300fd708baa00d842eb2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Sep 2024 06:22:18 +0800 +Subject: ceph: remove the incorrect Fw reference check when dirtying pages + +From: Xiubo Li + +[ Upstream commit c08dfb1b49492c09cf13838c71897493ea3b424e ] + +When doing the direct-io reads it will also try to mark pages dirty, +but for the read path it won't hold the Fw caps and there is case +will it get the Fw reference. + +Fixes: 5dda377cf0a6 ("ceph: set i_head_snapc when getting CEPH_CAP_FILE_WR reference") +Signed-off-by: Xiubo Li +Reviewed-by: Patrick Donnelly +Signed-off-by: Ilya Dryomov +Signed-off-by: Sasha Levin +--- + fs/ceph/addr.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/fs/ceph/addr.c b/fs/ceph/addr.c +index b218a26291b8e..e1096ca1a39b1 100644 +--- a/fs/ceph/addr.c ++++ b/fs/ceph/addr.c +@@ -95,7 +95,6 @@ static int ceph_set_page_dirty(struct page *page) + + /* dirty the head */ + spin_lock(&ci->i_ceph_lock); +- BUG_ON(ci->i_wr_ref == 0); // caller should hold Fw reference + if (__ceph_have_pending_cap_snap(ci)) { + struct ceph_cap_snap *capsnap = + list_last_entry(&ci->i_cap_snaps, +-- +2.43.0 + diff --git a/queue-5.15/ieee802154-fix-build-error.patch b/queue-5.15/ieee802154-fix-build-error.patch new file mode 100644 index 00000000000..75ad24258a3 --- /dev/null +++ b/queue-5.15/ieee802154-fix-build-error.patch @@ -0,0 +1,40 @@ +From 66ed459ad641ec858fe3255281af199ed652b939 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Sep 2024 21:17:40 +0800 +Subject: ieee802154: Fix build error + +From: Jinjie Ruan + +[ Upstream commit addf89774e48c992316449ffab4f29c2309ebefb ] + +If REGMAP_SPI is m and IEEE802154_MCR20A is y, + + mcr20a.c:(.text+0x3ed6c5b): undefined reference to `__devm_regmap_init_spi' + ld: mcr20a.c:(.text+0x3ed6cb5): undefined reference to `__devm_regmap_init_spi' + +Select REGMAP_SPI for IEEE802154_MCR20A to fix it. + +Fixes: 8c6ad9cc5157 ("ieee802154: Add NXP MCR20A IEEE 802.15.4 transceiver driver") +Signed-off-by: Jinjie Ruan +Link: https://lore.kernel.org/20240909131740.1296608-1-ruanjinjie@huawei.com +Signed-off-by: Stefan Schmidt +Signed-off-by: Sasha Levin +--- + drivers/net/ieee802154/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ieee802154/Kconfig b/drivers/net/ieee802154/Kconfig +index 0f7c6dc2ed154..26f393a0507c1 100644 +--- a/drivers/net/ieee802154/Kconfig ++++ b/drivers/net/ieee802154/Kconfig +@@ -108,6 +108,7 @@ config IEEE802154_CA8210_DEBUGFS + + config IEEE802154_MCR20A + tristate "MCR20A transceiver driver" ++ select REGMAP_SPI + depends on IEEE802154_DRIVERS && MAC802154 + depends on SPI + help +-- +2.43.0 + diff --git a/queue-5.15/ipv4-ip_gre-fix-drops-of-small-packets-in-ipgre_xmit.patch b/queue-5.15/ipv4-ip_gre-fix-drops-of-small-packets-in-ipgre_xmit.patch new file mode 100644 index 00000000000..93f642e7ede --- /dev/null +++ b/queue-5.15/ipv4-ip_gre-fix-drops-of-small-packets-in-ipgre_xmit.patch @@ -0,0 +1,89 @@ +From 38751832d086ec4f3cd3988891020066c64b1572 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Sep 2024 02:51:59 +0300 +Subject: ipv4: ip_gre: Fix drops of small packets in ipgre_xmit + +From: Anton Danilov + +[ Upstream commit c4a14f6d9d17ad1e41a36182dd3b8a5fd91efbd7 ] + +Regression Description: + +Depending on the options specified for the GRE tunnel device, small +packets may be dropped. This occurs because the pskb_network_may_pull +function fails due to the packet's insufficient length. + +For example, if only the okey option is specified for the tunnel device, +original (before encapsulation) packets smaller than 28 bytes (including +the IPv4 header) will be dropped. This happens because the required +length is calculated relative to the network header, not the skb->head. + +Here is how the required length is computed and checked: + +* The pull_len variable is set to 28 bytes, consisting of: + * IPv4 header: 20 bytes + * GRE header with Key field: 8 bytes + +* The pskb_network_may_pull function adds the network offset, shifting +the checkable space further to the beginning of the network header and +extending it to the beginning of the packet. As a result, the end of +the checkable space occurs beyond the actual end of the packet. + +Instead of ensuring that 28 bytes are present in skb->head, the function +is requesting these 28 bytes starting from the network header. For small +packets, this requested length exceeds the actual packet size, causing +the check to fail and the packets to be dropped. + +This issue affects both locally originated and forwarded packets in +DMVPN-like setups. + +How to reproduce (for local originated packets): + + ip link add dev gre1 type gre ikey 1.9.8.4 okey 1.9.8.4 \ + local remote 0.0.0.0 + + ip link set mtu 1400 dev gre1 + ip link set up dev gre1 + ip address add 192.168.13.1/24 dev gre1 + ip neighbor add 192.168.13.2 lladdr dev gre1 + ping -s 1374 -c 10 192.168.13.2 + tcpdump -vni gre1 + tcpdump -vni 'ip proto 47' + ip -s -s -d link show dev gre1 + +Solution: + +Use the pskb_may_pull function instead the pskb_network_may_pull. + +Fixes: 80d875cfc9d3 ("ipv4: ip_gre: Avoid skb_pull() failure in ipgre_xmit()") +Signed-off-by: Anton Danilov +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20240924235158.106062-1-littlesmilingcloud@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv4/ip_gre.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c +index cd967493bf371..b4bce749645bb 100644 +--- a/net/ipv4/ip_gre.c ++++ b/net/ipv4/ip_gre.c +@@ -644,11 +644,11 @@ static netdev_tx_t ipgre_xmit(struct sk_buff *skb, + if (skb_cow_head(skb, 0)) + goto free_skb; + +- tnl_params = (const struct iphdr *)skb->data; +- +- if (!pskb_network_may_pull(skb, pull_len)) ++ if (!pskb_may_pull(skb, pull_len)) + goto free_skb; + ++ tnl_params = (const struct iphdr *)skb->data; ++ + /* ip_tunnel_xmit() needs skb->data pointing to gre header. */ + skb_pull(skb, pull_len); + skb_reset_mac_header(skb); +-- +2.43.0 + diff --git a/queue-5.15/mailbox-bcm2835-fix-timeout-during-suspend-mode.patch b/queue-5.15/mailbox-bcm2835-fix-timeout-during-suspend-mode.patch new file mode 100644 index 00000000000..7486c5ac7dd --- /dev/null +++ b/queue-5.15/mailbox-bcm2835-fix-timeout-during-suspend-mode.patch @@ -0,0 +1,78 @@ +From f05031b6f3aaf52da01dacd0c3ef806b939f32c6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Aug 2024 23:40:44 +0200 +Subject: mailbox: bcm2835: Fix timeout during suspend mode + +From: Stefan Wahren + +[ Upstream commit dc09f007caed3b2f6a3b6bd7e13777557ae22bfd ] + +During noirq suspend phase the Raspberry Pi power driver suffer of +firmware property timeouts. The reason is that the IRQ of the underlying +BCM2835 mailbox is disabled and rpi_firmware_property_list() will always +run into a timeout [1]. + +Since the VideoCore side isn't consider as a wakeup source, set the +IRQF_NO_SUSPEND flag for the mailbox IRQ in order to keep it enabled +during suspend-resume cycle. + +[1] +PM: late suspend of devices complete after 1.754 msecs +WARNING: CPU: 0 PID: 438 at drivers/firmware/raspberrypi.c:128 + rpi_firmware_property_list+0x204/0x22c +Firmware transaction 0x00028001 timeout +Modules linked in: +CPU: 0 PID: 438 Comm: bash Tainted: G C 6.9.3-dirty #17 +Hardware name: BCM2835 +Call trace: +unwind_backtrace from show_stack+0x18/0x1c +show_stack from dump_stack_lvl+0x34/0x44 +dump_stack_lvl from __warn+0x88/0xec +__warn from warn_slowpath_fmt+0x7c/0xb0 +warn_slowpath_fmt from rpi_firmware_property_list+0x204/0x22c +rpi_firmware_property_list from rpi_firmware_property+0x68/0x8c +rpi_firmware_property from rpi_firmware_set_power+0x54/0xc0 +rpi_firmware_set_power from _genpd_power_off+0xe4/0x148 +_genpd_power_off from genpd_sync_power_off+0x7c/0x11c +genpd_sync_power_off from genpd_finish_suspend+0xcc/0xe0 +genpd_finish_suspend from dpm_run_callback+0x78/0xd0 +dpm_run_callback from device_suspend_noirq+0xc0/0x238 +device_suspend_noirq from dpm_suspend_noirq+0xb0/0x168 +dpm_suspend_noirq from suspend_devices_and_enter+0x1b8/0x5ac +suspend_devices_and_enter from pm_suspend+0x254/0x2e4 +pm_suspend from state_store+0xa8/0xd4 +state_store from kernfs_fop_write_iter+0x154/0x1a0 +kernfs_fop_write_iter from vfs_write+0x12c/0x184 +vfs_write from ksys_write+0x78/0xc0 +ksys_write from ret_fast_syscall+0x0/0x54 +Exception stack(0xcc93dfa8 to 0xcc93dff0) +[...] +PM: noirq suspend of devices complete after 3095.584 msecs + +Link: https://github.com/raspberrypi/firmware/issues/1894 +Fixes: 0bae6af6d704 ("mailbox: Enable BCM2835 mailbox support") +Signed-off-by: Stefan Wahren +Reviewed-by: Florian Fainelli +Signed-off-by: Jassi Brar +Signed-off-by: Sasha Levin +--- + drivers/mailbox/bcm2835-mailbox.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/mailbox/bcm2835-mailbox.c b/drivers/mailbox/bcm2835-mailbox.c +index 86b7ce3549c5a..7b63967c30fab 100644 +--- a/drivers/mailbox/bcm2835-mailbox.c ++++ b/drivers/mailbox/bcm2835-mailbox.c +@@ -146,7 +146,8 @@ static int bcm2835_mbox_probe(struct platform_device *pdev) + spin_lock_init(&mbox->lock); + + ret = devm_request_irq(dev, irq_of_parse_and_map(dev->of_node, 0), +- bcm2835_mbox_irq, 0, dev_name(dev), mbox); ++ bcm2835_mbox_irq, IRQF_NO_SUSPEND, dev_name(dev), ++ mbox); + if (ret) { + dev_err(dev, "Failed to register a mailbox IRQ handler: %d\n", + ret); +-- +2.43.0 + diff --git a/queue-5.15/mailbox-rockchip-fix-a-typo-in-module-autoloading.patch b/queue-5.15/mailbox-rockchip-fix-a-typo-in-module-autoloading.patch new file mode 100644 index 00000000000..6da9d0c22d7 --- /dev/null +++ b/queue-5.15/mailbox-rockchip-fix-a-typo-in-module-autoloading.patch @@ -0,0 +1,39 @@ +From 474d84e4d5fa567f1ca5ba60ff9326ee000ccae5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Aug 2024 02:51:47 +0000 +Subject: mailbox: rockchip: fix a typo in module autoloading + +From: Liao Chen + +[ Upstream commit e92d87c9c5d769e4cb1dd7c90faa38dddd7e52e3 ] + +MODULE_DEVICE_TABLE(of, rockchip_mbox_of_match) could let the module +properly autoloaded based on the alias from of_device_id table. It +should be 'rockchip_mbox_of_match' instead of 'rockchp_mbox_of_match', +just fix it. + +Fixes: f70ed3b5dc8b ("mailbox: rockchip: Add Rockchip mailbox driver") +Signed-off-by: Liao Chen +Reviewed-by: Heiko Stuebner +Signed-off-by: Jassi Brar +Signed-off-by: Sasha Levin +--- + drivers/mailbox/rockchip-mailbox.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mailbox/rockchip-mailbox.c b/drivers/mailbox/rockchip-mailbox.c +index 979acc810f307..ca50f7f176f6a 100644 +--- a/drivers/mailbox/rockchip-mailbox.c ++++ b/drivers/mailbox/rockchip-mailbox.c +@@ -159,7 +159,7 @@ static const struct of_device_id rockchip_mbox_of_match[] = { + { .compatible = "rockchip,rk3368-mailbox", .data = &rk3368_drv_data}, + { }, + }; +-MODULE_DEVICE_TABLE(of, rockchp_mbox_of_match); ++MODULE_DEVICE_TABLE(of, rockchip_mbox_of_match); + + static int rockchip_mbox_probe(struct platform_device *pdev) + { +-- +2.43.0 + diff --git a/queue-5.15/net-add-more-sanity-checks-to-qdisc_pkt_len_init.patch b/queue-5.15/net-add-more-sanity-checks-to-qdisc_pkt_len_init.patch new file mode 100644 index 00000000000..2820f7fd1ca --- /dev/null +++ b/queue-5.15/net-add-more-sanity-checks-to-qdisc_pkt_len_init.patch @@ -0,0 +1,64 @@ +From ad68388f95278c7eab49036a69d9463557cabed4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Sep 2024 15:02:57 +0000 +Subject: net: add more sanity checks to qdisc_pkt_len_init() + +From: Eric Dumazet + +[ Upstream commit ab9a9a9e9647392a19e7a885b08000e89c86b535 ] + +One path takes care of SKB_GSO_DODGY, assuming +skb->len is bigger than hdr_len. + +virtio_net_hdr_to_skb() does not fully dissect TCP headers, +it only make sure it is at least 20 bytes. + +It is possible for an user to provide a malicious 'GSO' packet, +total length of 80 bytes. + +- 20 bytes of IPv4 header +- 60 bytes TCP header +- a small gso_size like 8 + +virtio_net_hdr_to_skb() would declare this packet as a normal +GSO packet, because it would see 40 bytes of payload, +bigger than gso_size. + +We need to make detect this case to not underflow +qdisc_skb_cb(skb)->pkt_len. + +Fixes: 1def9238d4aa ("net_sched: more precise pkt_len computation") +Signed-off-by: Eric Dumazet +Reviewed-by: Willem de Bruijn +Reviewed-by: David Ahern +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/core/dev.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/net/core/dev.c b/net/core/dev.c +index 96e093e2206f4..8a22ce15b7f53 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -3795,10 +3795,14 @@ static void qdisc_pkt_len_init(struct sk_buff *skb) + hdr_len += sizeof(struct udphdr); + } + +- if (shinfo->gso_type & SKB_GSO_DODGY) +- gso_segs = DIV_ROUND_UP(skb->len - hdr_len, +- shinfo->gso_size); ++ if (unlikely(shinfo->gso_type & SKB_GSO_DODGY)) { ++ int payload = skb->len - hdr_len; + ++ /* Malicious packet. */ ++ if (payload <= 0) ++ return; ++ gso_segs = DIV_ROUND_UP(payload, shinfo->gso_size); ++ } + qdisc_skb_cb(skb)->pkt_len += (gso_segs - 1) * hdr_len; + } + } +-- +2.43.0 + diff --git a/queue-5.15/net-avoid-potential-underflow-in-qdisc_pkt_len_init-.patch b/queue-5.15/net-avoid-potential-underflow-in-qdisc_pkt_len_init-.patch new file mode 100644 index 00000000000..29234d4ee19 --- /dev/null +++ b/queue-5.15/net-avoid-potential-underflow-in-qdisc_pkt_len_init-.patch @@ -0,0 +1,141 @@ +From 9f894f92568bd5aea1f81c50c318709bf7062376 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Sep 2024 15:02:56 +0000 +Subject: net: avoid potential underflow in qdisc_pkt_len_init() with UFO + +From: Eric Dumazet + +[ Upstream commit c20029db28399ecc50e556964eaba75c43b1e2f1 ] + +After commit 7c6d2ecbda83 ("net: be more gentle about silly gso +requests coming from user") virtio_net_hdr_to_skb() had sanity check +to detect malicious attempts from user space to cook a bad GSO packet. + +Then commit cf9acc90c80ec ("net: virtio_net_hdr_to_skb: count +transport header in UFO") while fixing one issue, allowed user space +to cook a GSO packet with the following characteristic : + +IPv4 SKB_GSO_UDP, gso_size=3, skb->len = 28. + +When this packet arrives in qdisc_pkt_len_init(), we end up +with hdr_len = 28 (IPv4 header + UDP header), matching skb->len + +Then the following sets gso_segs to 0 : + +gso_segs = DIV_ROUND_UP(skb->len - hdr_len, + shinfo->gso_size); + +Then later we set qdisc_skb_cb(skb)->pkt_len to back to zero :/ + +qdisc_skb_cb(skb)->pkt_len += (gso_segs - 1) * hdr_len; + +This leads to the following crash in fq_codel [1] + +qdisc_pkt_len_init() is best effort, we only want an estimation +of the bytes sent on the wire, not crashing the kernel. + +This patch is fixing this particular issue, a following one +adds more sanity checks for another potential bug. + +[1] +[ 70.724101] BUG: kernel NULL pointer dereference, address: 0000000000000000 +[ 70.724561] #PF: supervisor read access in kernel mode +[ 70.724561] #PF: error_code(0x0000) - not-present page +[ 70.724561] PGD 10ac61067 P4D 10ac61067 PUD 107ee2067 PMD 0 +[ 70.724561] Oops: Oops: 0000 [#1] SMP NOPTI +[ 70.724561] CPU: 11 UID: 0 PID: 2163 Comm: b358537762 Not tainted 6.11.0-virtme #991 +[ 70.724561] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +[ 70.724561] RIP: 0010:fq_codel_enqueue (net/sched/sch_fq_codel.c:120 net/sched/sch_fq_codel.c:168 net/sched/sch_fq_codel.c:230) sch_fq_codel +[ 70.724561] Code: 24 08 49 c1 e1 06 44 89 7c 24 18 45 31 ed 45 31 c0 31 ff 89 44 24 14 4c 03 8b 90 01 00 00 eb 04 39 ca 73 37 4d 8b 39 83 c7 01 <49> 8b 17 49 89 11 41 8b 57 28 45 8b 5f 34 49 c7 07 00 00 00 00 49 +All code +======== + 0: 24 08 and $0x8,%al + 2: 49 c1 e1 06 shl $0x6,%r9 + 6: 44 89 7c 24 18 mov %r15d,0x18(%rsp) + b: 45 31 ed xor %r13d,%r13d + e: 45 31 c0 xor %r8d,%r8d + 11: 31 ff xor %edi,%edi + 13: 89 44 24 14 mov %eax,0x14(%rsp) + 17: 4c 03 8b 90 01 00 00 add 0x190(%rbx),%r9 + 1e: eb 04 jmp 0x24 + 20: 39 ca cmp %ecx,%edx + 22: 73 37 jae 0x5b + 24: 4d 8b 39 mov (%r9),%r15 + 27: 83 c7 01 add $0x1,%edi + 2a:* 49 8b 17 mov (%r15),%rdx <-- trapping instruction + 2d: 49 89 11 mov %rdx,(%r9) + 30: 41 8b 57 28 mov 0x28(%r15),%edx + 34: 45 8b 5f 34 mov 0x34(%r15),%r11d + 38: 49 c7 07 00 00 00 00 movq $0x0,(%r15) + 3f: 49 rex.WB + +Code starting with the faulting instruction +=========================================== + 0: 49 8b 17 mov (%r15),%rdx + 3: 49 89 11 mov %rdx,(%r9) + 6: 41 8b 57 28 mov 0x28(%r15),%edx + a: 45 8b 5f 34 mov 0x34(%r15),%r11d + e: 49 c7 07 00 00 00 00 movq $0x0,(%r15) + 15: 49 rex.WB +[ 70.724561] RSP: 0018:ffff95ae85e6fb90 EFLAGS: 00000202 +[ 70.724561] RAX: 0000000002000000 RBX: ffff95ae841de000 RCX: 0000000000000000 +[ 70.724561] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000001 +[ 70.724561] RBP: ffff95ae85e6fbf8 R08: 0000000000000000 R09: ffff95b710a30000 +[ 70.724561] R10: 0000000000000000 R11: bdf289445ce31881 R12: ffff95ae85e6fc58 +[ 70.724561] R13: 0000000000000000 R14: 0000000000000040 R15: 0000000000000000 +[ 70.724561] FS: 000000002c5c1380(0000) GS:ffff95bd7fcc0000(0000) knlGS:0000000000000000 +[ 70.724561] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 70.724561] CR2: 0000000000000000 CR3: 000000010c568000 CR4: 00000000000006f0 +[ 70.724561] Call Trace: +[ 70.724561] +[ 70.724561] ? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434) +[ 70.724561] ? page_fault_oops (arch/x86/mm/fault.c:715) +[ 70.724561] ? exc_page_fault (./arch/x86/include/asm/irqflags.h:26 ./arch/x86/include/asm/irqflags.h:87 ./arch/x86/include/asm/irqflags.h:147 arch/x86/mm/fault.c:1489 arch/x86/mm/fault.c:1539) +[ 70.724561] ? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:623) +[ 70.724561] ? fq_codel_enqueue (net/sched/sch_fq_codel.c:120 net/sched/sch_fq_codel.c:168 net/sched/sch_fq_codel.c:230) sch_fq_codel +[ 70.724561] dev_qdisc_enqueue (net/core/dev.c:3784) +[ 70.724561] __dev_queue_xmit (net/core/dev.c:3880 (discriminator 2) net/core/dev.c:4390 (discriminator 2)) +[ 70.724561] ? irqentry_enter (kernel/entry/common.c:237) +[ 70.724561] ? sysvec_apic_timer_interrupt (./arch/x86/include/asm/hardirq.h:74 (discriminator 2) arch/x86/kernel/apic/apic.c:1043 (discriminator 2) arch/x86/kernel/apic/apic.c:1043 (discriminator 2)) +[ 70.724561] ? trace_hardirqs_on (kernel/trace/trace_preemptirq.c:58 (discriminator 4)) +[ 70.724561] ? asm_sysvec_apic_timer_interrupt (./arch/x86/include/asm/idtentry.h:702) +[ 70.724561] ? virtio_net_hdr_to_skb.constprop.0 (./include/linux/virtio_net.h:129 (discriminator 1)) +[ 70.724561] packet_sendmsg (net/packet/af_packet.c:3145 (discriminator 1) net/packet/af_packet.c:3177 (discriminator 1)) +[ 70.724561] ? _raw_spin_lock_bh (./arch/x86/include/asm/atomic.h:107 (discriminator 4) ./include/linux/atomic/atomic-arch-fallback.h:2170 (discriminator 4) ./include/linux/atomic/atomic-instrumented.h:1302 (discriminator 4) ./include/asm-generic/qspinlock.h:111 (discriminator 4) ./include/linux/spinlock.h:187 (discriminator 4) ./include/linux/spinlock_api_smp.h:127 (discriminator 4) kernel/locking/spinlock.c:178 (discriminator 4)) +[ 70.724561] ? netdev_name_node_lookup_rcu (net/core/dev.c:325 (discriminator 1)) +[ 70.724561] __sys_sendto (net/socket.c:730 (discriminator 1) net/socket.c:745 (discriminator 1) net/socket.c:2210 (discriminator 1)) +[ 70.724561] ? __sys_setsockopt (./include/linux/file.h:34 net/socket.c:2355) +[ 70.724561] __x64_sys_sendto (net/socket.c:2222 (discriminator 1) net/socket.c:2218 (discriminator 1) net/socket.c:2218 (discriminator 1)) +[ 70.724561] do_syscall_64 (arch/x86/entry/common.c:52 (discriminator 1) arch/x86/entry/common.c:83 (discriminator 1)) +[ 70.724561] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) +[ 70.724561] RIP: 0033:0x41ae09 + +Fixes: cf9acc90c80ec ("net: virtio_net_hdr_to_skb: count transport header in UFO") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Cc: Jonathan Davies +Reviewed-by: Willem de Bruijn +Reviewed-by: Jonathan Davies +Reviewed-by: David Ahern +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/core/dev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/core/dev.c b/net/core/dev.c +index e86ef1a1647ec..96e093e2206f4 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -3787,7 +3787,7 @@ static void qdisc_pkt_len_init(struct sk_buff *skb) + sizeof(_tcphdr), &_tcphdr); + if (likely(th)) + hdr_len += __tcp_hdrlen(th); +- } else { ++ } else if (shinfo->gso_type & SKB_GSO_UDP_L4) { + struct udphdr _udphdr; + + if (skb_header_pointer(skb, skb_transport_offset(skb), +-- +2.43.0 + diff --git a/queue-5.15/net-ethernet-lantiq_etop-fix-memory-disclosure.patch b/queue-5.15/net-ethernet-lantiq_etop-fix-memory-disclosure.patch new file mode 100644 index 00000000000..b87c49e8553 --- /dev/null +++ b/queue-5.15/net-ethernet-lantiq_etop-fix-memory-disclosure.patch @@ -0,0 +1,52 @@ +From 87b49e88dd4df5f1c5175726f2b25ded14684448 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Sep 2024 23:49:49 +0200 +Subject: net: ethernet: lantiq_etop: fix memory disclosure + +From: Aleksander Jan Bajkowski + +[ Upstream commit 45c0de18ff2dc9af01236380404bbd6a46502c69 ] + +When applying padding, the buffer is not zeroed, which results in memory +disclosure. The mentioned data is observed on the wire. This patch uses +skb_put_padto() to pad Ethernet frames properly. The mentioned function +zeroes the expanded buffer. + +In case the packet cannot be padded it is silently dropped. Statistics +are also not incremented. This driver does not support statistics in the +old 32-bit format or the new 64-bit format. These will be added in the +future. In its current form, the patch should be easily backported to +stable versions. + +Ethernet MACs on Amazon-SE and Danube cannot do padding of the packets +in hardware, so software padding must be applied. + +Fixes: 504d4721ee8e ("MIPS: Lantiq: Add ethernet driver") +Signed-off-by: Aleksander Jan Bajkowski +Reviewed-by: Jacob Keller +Reviewed-by: Florian Fainelli +Link: https://patch.msgid.link/20240923214949.231511-2-olek2@wp.pl +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/lantiq_etop.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/lantiq_etop.c b/drivers/net/ethernet/lantiq_etop.c +index c5faeda30c0b4..45a17422a937a 100644 +--- a/drivers/net/ethernet/lantiq_etop.c ++++ b/drivers/net/ethernet/lantiq_etop.c +@@ -464,7 +464,9 @@ ltq_etop_tx(struct sk_buff *skb, struct net_device *dev) + unsigned long flags; + u32 byte_offset; + +- len = skb->len < ETH_ZLEN ? ETH_ZLEN : skb->len; ++ if (skb_put_padto(skb, ETH_ZLEN)) ++ return NETDEV_TX_OK; ++ len = skb->len; + + if ((desc->ctl & (LTQ_DMA_OWN | LTQ_DMA_C)) || ch->skb[ch->dma.desc]) { + netdev_err(dev, "tx ring full\n"); +-- +2.43.0 + diff --git a/queue-5.15/net-ieee802154-mcr20a-use-irqf_no_autoen-flag-in-req.patch b/queue-5.15/net-ieee802154-mcr20a-use-irqf_no_autoen-flag-in-req.patch new file mode 100644 index 00000000000..721c22e60ed --- /dev/null +++ b/queue-5.15/net-ieee802154-mcr20a-use-irqf_no_autoen-flag-in-req.patch @@ -0,0 +1,48 @@ +From 020d7a89e9c0bd79dfde66ca97bda390a002d593 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Sep 2024 17:42:34 +0800 +Subject: net: ieee802154: mcr20a: Use IRQF_NO_AUTOEN flag in request_irq() + +From: Jinjie Ruan + +[ Upstream commit 09573b1cc76e7ff8f056ab29ea1cdc152ec8c653 ] + +disable_irq() after request_irq() still has a time gap in which +interrupts can come. request_irq() with IRQF_NO_AUTOEN flag will +disable IRQ auto-enable when request IRQ. + +Fixes: 8c6ad9cc5157 ("ieee802154: Add NXP MCR20A IEEE 802.15.4 transceiver driver") +Reviewed-by: Miquel Raynal +Signed-off-by: Jinjie Ruan +Link: https://lore.kernel.org/20240911094234.1922418-1-ruanjinjie@huawei.com +Signed-off-by: Stefan Schmidt +Signed-off-by: Sasha Levin +--- + drivers/net/ieee802154/mcr20a.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/drivers/net/ieee802154/mcr20a.c b/drivers/net/ieee802154/mcr20a.c +index 383231b854642..16474990dc01e 100644 +--- a/drivers/net/ieee802154/mcr20a.c ++++ b/drivers/net/ieee802154/mcr20a.c +@@ -1311,16 +1311,13 @@ mcr20a_probe(struct spi_device *spi) + irq_type = IRQF_TRIGGER_FALLING; + + ret = devm_request_irq(&spi->dev, spi->irq, mcr20a_irq_isr, +- irq_type, dev_name(&spi->dev), lp); ++ irq_type | IRQF_NO_AUTOEN, dev_name(&spi->dev), lp); + if (ret) { + dev_err(&spi->dev, "could not request_irq for mcr20a\n"); + ret = -ENODEV; + goto free_dev; + } + +- /* disable_irq by default and wait for starting hardware */ +- disable_irq(spi->irq); +- + ret = ieee802154_register_hw(hw); + if (ret) { + dev_crit(&spi->dev, "ieee802154_register_hw failed\n"); +-- +2.43.0 + diff --git a/queue-5.15/net-mlx5-added-cond_resched-to-crdump-collection.patch b/queue-5.15/net-mlx5-added-cond_resched-to-crdump-collection.patch new file mode 100644 index 00000000000..479fea6a51c --- /dev/null +++ b/queue-5.15/net-mlx5-added-cond_resched-to-crdump-collection.patch @@ -0,0 +1,83 @@ +From c1274dc3417460a59fc47b332e0d80a12c4133bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Sep 2024 22:02:48 -0600 +Subject: net/mlx5: Added cond_resched() to crdump collection + +From: Mohamed Khalfella + +[ Upstream commit ec793155894140df7421d25903de2e6bc12c695b ] + +Collecting crdump involves reading vsc registers from pci config space +of mlx device, which can take long time to complete. This might result +in starving other threads waiting to run on the cpu. + +Numbers I got from testing ConnectX-5 Ex MCX516A-CDAT in the lab: + +- mlx5_vsc_gw_read_block_fast() was called with length = 1310716. +- mlx5_vsc_gw_read_fast() reads 4 bytes at a time. It was not used to + read the entire 1310716 bytes. It was called 53813 times because + there are jumps in read_addr. +- On average mlx5_vsc_gw_read_fast() took 35284.4ns. +- In total mlx5_vsc_wait_on_flag() called vsc_read() 54707 times. + The average time for each call was 17548.3ns. In some instances + vsc_read() was called more than one time when the flag was not set. + As expected the thread released the cpu after 16 iterations in + mlx5_vsc_wait_on_flag(). +- Total time to read crdump was 35284.4ns * 53813 ~= 1.898s. + +It was seen in the field that crdump can take more than 5 seconds to +complete. During that time mlx5_vsc_wait_on_flag() did not release the +cpu because it did not complete 16 iterations. It is believed that pci +config reads were slow. Adding cond_resched() every 128 register read +improves the situation. In the common case the, crdump takes ~1.8989s, +the thread yields the cpu every ~4.51ms. If crdump takes ~5s, the thread +yields the cpu every ~18.0ms. + +Fixes: 8b9d8baae1de ("net/mlx5: Add Crdump support") +Reviewed-by: Yuanyuan Zhong +Signed-off-by: Mohamed Khalfella +Reviewed-by: Moshe Shemesh +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/lib/pci_vsc.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/pci_vsc.c b/drivers/net/ethernet/mellanox/mlx5/core/lib/pci_vsc.c +index 6b774e0c27665..c14f9529c25f2 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/lib/pci_vsc.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/pci_vsc.c +@@ -24,6 +24,11 @@ + pci_write_config_dword((dev)->pdev, (dev)->vsc_addr + (offset), (val)) + #define VSC_MAX_RETRIES 2048 + ++/* Reading VSC registers can take relatively long time. ++ * Yield the cpu every 128 registers read. ++ */ ++#define VSC_GW_READ_BLOCK_COUNT 128 ++ + enum { + VSC_CTRL_OFFSET = 0x4, + VSC_COUNTER_OFFSET = 0x8, +@@ -269,6 +274,7 @@ int mlx5_vsc_gw_read_block_fast(struct mlx5_core_dev *dev, u32 *data, + { + unsigned int next_read_addr = 0; + unsigned int read_addr = 0; ++ unsigned int count = 0; + + while (read_addr < length) { + if (mlx5_vsc_gw_read_fast(dev, read_addr, &next_read_addr, +@@ -276,6 +282,10 @@ int mlx5_vsc_gw_read_block_fast(struct mlx5_core_dev *dev, u32 *data, + return read_addr; + + read_addr = next_read_addr; ++ if (++count == VSC_GW_READ_BLOCK_COUNT) { ++ cond_resched(); ++ count = 0; ++ } + } + return length; + } +-- +2.43.0 + diff --git a/queue-5.15/net-mlx5-fix-error-path-in-multi-packet-wqe-transmit.patch b/queue-5.15/net-mlx5-fix-error-path-in-multi-packet-wqe-transmit.patch new file mode 100644 index 00000000000..35ca6ca066b --- /dev/null +++ b/queue-5.15/net-mlx5-fix-error-path-in-multi-packet-wqe-transmit.patch @@ -0,0 +1,49 @@ +From 7411e2432a3b941095b38e064e6b1481f91b89bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Sep 2024 10:53:51 +0200 +Subject: net/mlx5: Fix error path in multi-packet WQE transmit + +From: Gerd Bayer + +[ Upstream commit 2bcae12c795f32ddfbf8c80d1b5f1d3286341c32 ] + +Remove the erroneous unmap in case no DMA mapping was established + +The multi-packet WQE transmit code attempts to obtain a DMA mapping for +the skb. This could fail, e.g. under memory pressure, when the IOMMU +driver just can't allocate more memory for page tables. While the code +tries to handle this in the path below the err_unmap label it erroneously +unmaps one entry from the sq's FIFO list of active mappings. Since the +current map attempt failed this unmap is removing some random DMA mapping +that might still be required. If the PCI function now presents that IOVA, +the IOMMU may assumes a rogue DMA access and e.g. on s390 puts the PCI +function in error state. + +The erroneous behavior was seen in a stress-test environment that created +memory pressure. + +Fixes: 5af75c747e2a ("net/mlx5e: Enhanced TX MPWQE for SKBs") +Signed-off-by: Gerd Bayer +Reviewed-by: Zhu Yanjun +Acked-by: Maxim Mikityanskiy +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_tx.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c +index 6813279b57f89..7ec8a5ae7ea74 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c +@@ -685,7 +685,6 @@ mlx5e_sq_xmit_mpwqe(struct mlx5e_txqsq *sq, struct sk_buff *skb, + return; + + err_unmap: +- mlx5e_dma_unmap_wqe_err(sq, 1); + sq->stats->dropped++; + dev_kfree_skb_any(skb); + mlx5e_tx_flush(sq); +-- +2.43.0 + diff --git a/queue-5.15/net-mlx5e-fix-null-deref-in-mlx5e_tir_builder_alloc.patch b/queue-5.15/net-mlx5e-fix-null-deref-in-mlx5e_tir_builder_alloc.patch new file mode 100644 index 00000000000..a1e766d84bc --- /dev/null +++ b/queue-5.15/net-mlx5e-fix-null-deref-in-mlx5e_tir_builder_alloc.patch @@ -0,0 +1,44 @@ +From 6bc091a249437e93411c87e301fd1b79813c25df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Sep 2024 19:00:18 +0300 +Subject: net/mlx5e: Fix NULL deref in mlx5e_tir_builder_alloc() + +From: Elena Salomatkina + +[ Upstream commit f25389e779500cf4a59ef9804534237841bce536 ] + +In mlx5e_tir_builder_alloc() kvzalloc() may return NULL +which is dereferenced on the next line in a reference +to the modify field. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: a6696735d694 ("net/mlx5e: Convert TIR to a dedicated object") +Signed-off-by: Elena Salomatkina +Reviewed-by: Simon Horman +Reviewed-by: Kalesh AP +Reviewed-by: Tariq Toukan +Reviewed-by: Gal Pressman +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en/tir.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tir.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tir.c +index a1afb8585e37f..ae64d22d21613 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tir.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tir.c +@@ -23,6 +23,9 @@ struct mlx5e_tir_builder *mlx5e_tir_builder_alloc(bool modify) + struct mlx5e_tir_builder *builder; + + builder = kvzalloc(sizeof(*builder), GFP_KERNEL); ++ if (!builder) ++ return NULL; ++ + builder->modify = modify; + + return builder; +-- +2.43.0 + diff --git a/queue-5.15/net-stmmac-disable-automatic-fcs-pad-stripping.patch b/queue-5.15/net-stmmac-disable-automatic-fcs-pad-stripping.patch new file mode 100644 index 00000000000..f3049549561 --- /dev/null +++ b/queue-5.15/net-stmmac-disable-automatic-fcs-pad-stripping.patch @@ -0,0 +1,183 @@ +From 2f0a59798e052fca3fe639d094342b5df9056475 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Sep 2022 15:01:55 +0200 +Subject: net: stmmac: Disable automatic FCS/Pad stripping + +From: Kurt Kanzenbach + +[ Upstream commit 929d43421ee526c5a3c4d6f7e2bb1b98b2cb1b1f ] + +The stmmac has the possibility to automatically strip the padding/FCS for IEEE +802.3 type frames. This feature is enabled conditionally. Therefore, the stmmac +receive path has to have a determination logic whether the FCS has to be +stripped in software or not. + +In fact, for DSA this ACS feature is disabled and the determination logic +doesn't check for it properly. For instance, when using DSA in combination with +an older stmmac (pre version 4), the FCS is not stripped by hardware or software +which is problematic. + +So either add another check for DSA to the fast path or simply disable ACS +feature completely. The latter approach has been chosen, because most of the +time the FCS is stripped in software anyway and it removes conditionals from the +receive fast path. + +Signed-off-by: Kurt Kanzenbach +Reviewed-by: Florian Fainelli +Link: https://lore.kernel.org/r/87v8q8jjgh.fsf@kurt/ +Link: https://lore.kernel.org/r/20220905130155.193640-1-kurt@linutronix.de +Signed-off-by: Paolo Abeni +Stable-dep-of: 4c1b56671b68 ("net: stmmac: dwmac4: extend timeout for VLAN Tag register busy bit check") +Signed-off-by: Sasha Levin +--- + .../net/ethernet/stmicro/stmmac/dwmac100.h | 2 +- + .../net/ethernet/stmicro/stmmac/dwmac1000.h | 2 +- + .../ethernet/stmicro/stmmac/dwmac1000_core.c | 9 ------- + .../ethernet/stmicro/stmmac/dwmac100_core.c | 8 ------- + .../net/ethernet/stmicro/stmmac/dwmac4_core.c | 1 - + .../net/ethernet/stmicro/stmmac/stmmac_main.c | 24 ++++--------------- + 6 files changed, 6 insertions(+), 40 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac100.h b/drivers/net/ethernet/stmicro/stmmac/dwmac100.h +index 35ab8d0bdce71..7ab791c8d355f 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac100.h ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac100.h +@@ -56,7 +56,7 @@ + #define MAC_CONTROL_TE 0x00000008 /* Transmitter Enable */ + #define MAC_CONTROL_RE 0x00000004 /* Receiver Enable */ + +-#define MAC_CORE_INIT (MAC_CONTROL_HBD | MAC_CONTROL_ASTP) ++#define MAC_CORE_INIT (MAC_CONTROL_HBD) + + /* MAC FLOW CTRL defines */ + #define MAC_FLOW_CTRL_PT_MASK 0xffff0000 /* Pause Time Mask */ +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac1000.h b/drivers/net/ethernet/stmicro/stmmac/dwmac1000.h +index 3c73453725f94..4296ddda8aaa6 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac1000.h ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac1000.h +@@ -126,7 +126,7 @@ enum inter_frame_gap { + #define GMAC_CONTROL_TE 0x00000008 /* Transmitter Enable */ + #define GMAC_CONTROL_RE 0x00000004 /* Receiver Enable */ + +-#define GMAC_CORE_INIT (GMAC_CONTROL_JD | GMAC_CONTROL_PS | GMAC_CONTROL_ACS | \ ++#define GMAC_CORE_INIT (GMAC_CONTROL_JD | GMAC_CONTROL_PS | \ + GMAC_CONTROL_BE | GMAC_CONTROL_DCRS) + + /* GMAC Frame Filter defines */ +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c b/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c +index 76edb9b726756..0e00dd83d027a 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c +@@ -15,7 +15,6 @@ + #include + #include + #include +-#include + #include + #include "stmmac.h" + #include "stmmac_pcs.h" +@@ -24,7 +23,6 @@ + static void dwmac1000_core_init(struct mac_device_info *hw, + struct net_device *dev) + { +- struct stmmac_priv *priv = netdev_priv(dev); + void __iomem *ioaddr = hw->pcsr; + u32 value = readl(ioaddr + GMAC_CONTROL); + int mtu = dev->mtu; +@@ -32,13 +30,6 @@ static void dwmac1000_core_init(struct mac_device_info *hw, + /* Configure GMAC core */ + value |= GMAC_CORE_INIT; + +- /* Clear ACS bit because Ethernet switch tagging formats such as +- * Broadcom tags can look like invalid LLC/SNAP packets and cause the +- * hardware to truncate packets on reception. +- */ +- if (netdev_uses_dsa(dev) || !priv->plat->enh_desc) +- value &= ~GMAC_CONTROL_ACS; +- + if (mtu > 1500) + value |= GMAC_CONTROL_2K; + if (mtu > 2000) +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac100_core.c b/drivers/net/ethernet/stmicro/stmmac/dwmac100_core.c +index 75071a7d551a8..a6e8d7bd95886 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac100_core.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac100_core.c +@@ -15,7 +15,6 @@ + *******************************************************************************/ + + #include +-#include + #include + #include "stmmac.h" + #include "dwmac100.h" +@@ -28,13 +27,6 @@ static void dwmac100_core_init(struct mac_device_info *hw, + + value |= MAC_CORE_INIT; + +- /* Clear ASTP bit because Ethernet switch tagging formats such as +- * Broadcom tags can look like invalid LLC/SNAP packets and cause the +- * hardware to truncate packets on reception. +- */ +- if (netdev_uses_dsa(dev)) +- value &= ~MAC_CONTROL_ASTP; +- + writel(value, ioaddr + MAC_CONTROL); + + #ifdef STMMAC_VLAN_TAG_USED +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c +index e5c5a9c5389c3..687eb17e41c6e 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c +@@ -14,7 +14,6 @@ + #include + #include + #include +-#include + #include "stmmac.h" + #include "stmmac_pcs.h" + #include "dwmac4.h" +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +index 23c0355c13c18..b62d153f1676e 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -5045,16 +5045,8 @@ static int stmmac_rx_zc(struct stmmac_priv *priv, int limit, u32 queue) + buf1_len = stmmac_rx_buf1_len(priv, p, status, len); + len += buf1_len; + +- /* ACS is set; GMAC core strips PAD/FCS for IEEE 802.3 +- * Type frames (LLC/LLC-SNAP) +- * +- * llc_snap is never checked in GMAC >= 4, so this ACS +- * feature is always disabled and packets need to be +- * stripped manually. +- */ +- if (likely(!(status & rx_not_ls)) && +- (likely(priv->synopsys_id >= DWMAC_CORE_4_00) || +- unlikely(status != llc_snap))) { ++ /* ACS is disabled; strip manually. */ ++ if (likely(!(status & rx_not_ls))) { + buf1_len -= ETH_FCS_LEN; + len -= ETH_FCS_LEN; + } +@@ -5231,16 +5223,8 @@ static int stmmac_rx(struct stmmac_priv *priv, int limit, u32 queue) + buf2_len = stmmac_rx_buf2_len(priv, p, status, len); + len += buf2_len; + +- /* ACS is set; GMAC core strips PAD/FCS for IEEE 802.3 +- * Type frames (LLC/LLC-SNAP) +- * +- * llc_snap is never checked in GMAC >= 4, so this ACS +- * feature is always disabled and packets need to be +- * stripped manually. +- */ +- if (likely(!(status & rx_not_ls)) && +- (likely(priv->synopsys_id >= DWMAC_CORE_4_00) || +- unlikely(status != llc_snap))) { ++ /* ACS is disabled; strip manually. */ ++ if (likely(!(status & rx_not_ls))) { + if (buf2_len) { + buf2_len -= ETH_FCS_LEN; + len -= ETH_FCS_LEN; +-- +2.43.0 + diff --git a/queue-5.15/net-stmmac-dwmac4-extend-timeout-for-vlan-tag-regist.patch b/queue-5.15/net-stmmac-dwmac4-extend-timeout-for-vlan-tag-regist.patch new file mode 100644 index 00000000000..008d9e3cea3 --- /dev/null +++ b/queue-5.15/net-stmmac-dwmac4-extend-timeout-for-vlan-tag-regist.patch @@ -0,0 +1,79 @@ +From 381386bc11a2d12af81f218497d8cd5138a2a1e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Sep 2024 15:54:24 -0500 +Subject: net: stmmac: dwmac4: extend timeout for VLAN Tag register busy bit + check +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Shenwei Wang + +[ Upstream commit 4c1b56671b68ffcbe6b78308bfdda6bcce6491ae ] + +Increase the timeout for checking the busy bit of the VLAN Tag register +from 10µs to 500ms. This change is necessary to accommodate scenarios +where Energy Efficient Ethernet (EEE) is enabled. + +Overnight testing revealed that when EEE is active, the busy bit can +remain set for up to approximately 300ms. The new 500ms timeout provides +a safety margin. + +Fixes: ed64639bc1e0 ("net: stmmac: Add support for VLAN Rx filtering") +Reviewed-by: Andrew Lunn +Signed-off-by: Shenwei Wang +Link: https://patch.msgid.link/20240924205424.573913-1-shenwei.wang@nxp.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + .../net/ethernet/stmicro/stmmac/dwmac4_core.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c +index 687eb17e41c6e..c75868f3ceae1 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c +@@ -14,6 +14,7 @@ + #include + #include + #include ++#include + #include "stmmac.h" + #include "stmmac_pcs.h" + #include "dwmac4.h" +@@ -469,7 +470,7 @@ static int dwmac4_write_vlan_filter(struct net_device *dev, + u8 index, u32 data) + { + void __iomem *ioaddr = (void __iomem *)dev->base_addr; +- int i, timeout = 10; ++ int ret; + u32 val; + + if (index >= hw->num_vlan) +@@ -485,16 +486,15 @@ static int dwmac4_write_vlan_filter(struct net_device *dev, + + writel(val, ioaddr + GMAC_VLAN_TAG); + +- for (i = 0; i < timeout; i++) { +- val = readl(ioaddr + GMAC_VLAN_TAG); +- if (!(val & GMAC_VLAN_TAG_CTRL_OB)) +- return 0; +- udelay(1); ++ ret = readl_poll_timeout(ioaddr + GMAC_VLAN_TAG, val, ++ !(val & GMAC_VLAN_TAG_CTRL_OB), ++ 1000, 500000); ++ if (ret) { ++ netdev_err(dev, "Timeout accessing MAC_VLAN_Tag_Filter\n"); ++ return -EBUSY; + } + +- netdev_err(dev, "Timeout accessing MAC_VLAN_Tag_Filter\n"); +- +- return -EBUSY; ++ return 0; + } + + static int dwmac4_add_hw_vlan_rx_fltr(struct net_device *dev, +-- +2.43.0 + diff --git a/queue-5.15/netfilter-nf_tables-prevent-nf_skb_duplicated-corrup.patch b/queue-5.15/netfilter-nf_tables-prevent-nf_skb_duplicated-corrup.patch new file mode 100644 index 00000000000..6e2d34cf4f4 --- /dev/null +++ b/queue-5.15/netfilter-nf_tables-prevent-nf_skb_duplicated-corrup.patch @@ -0,0 +1,134 @@ +From 490093359fc5f0ccb52f5032ac3094c5b673d927 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Sep 2024 18:56:11 +0000 +Subject: netfilter: nf_tables: prevent nf_skb_duplicated corruption + +From: Eric Dumazet + +[ Upstream commit 92ceba94de6fb4cee2bf40b485979c342f44a492 ] + +syzbot found that nf_dup_ipv4() or nf_dup_ipv6() could write +per-cpu variable nf_skb_duplicated in an unsafe way [1]. + +Disabling preemption as hinted by the splat is not enough, +we have to disable soft interrupts as well. + +[1] +BUG: using __this_cpu_write() in preemptible [00000000] code: syz.4.282/6316 + caller is nf_dup_ipv4+0x651/0x8f0 net/ipv4/netfilter/nf_dup_ipv4.c:87 +CPU: 0 UID: 0 PID: 6316 Comm: syz.4.282 Not tainted 6.11.0-rc7-syzkaller-00104-g7052622fccb1 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 +Call Trace: + + __dump_stack lib/dump_stack.c:93 [inline] + dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119 + check_preemption_disabled+0x10e/0x120 lib/smp_processor_id.c:49 + nf_dup_ipv4+0x651/0x8f0 net/ipv4/netfilter/nf_dup_ipv4.c:87 + nft_dup_ipv4_eval+0x1db/0x300 net/ipv4/netfilter/nft_dup_ipv4.c:30 + expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline] + nft_do_chain+0x4ad/0x1da0 net/netfilter/nf_tables_core.c:288 + nft_do_chain_ipv4+0x202/0x320 net/netfilter/nft_chain_filter.c:23 + nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] + nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626 + nf_hook+0x2c4/0x450 include/linux/netfilter.h:269 + NF_HOOK_COND include/linux/netfilter.h:302 [inline] + ip_output+0x185/0x230 net/ipv4/ip_output.c:433 + ip_local_out net/ipv4/ip_output.c:129 [inline] + ip_send_skb+0x74/0x100 net/ipv4/ip_output.c:1495 + udp_send_skb+0xacf/0x1650 net/ipv4/udp.c:981 + udp_sendmsg+0x1c21/0x2a60 net/ipv4/udp.c:1269 + sock_sendmsg_nosec net/socket.c:730 [inline] + __sock_sendmsg+0x1a6/0x270 net/socket.c:745 + ____sys_sendmsg+0x525/0x7d0 net/socket.c:2597 + ___sys_sendmsg net/socket.c:2651 [inline] + __sys_sendmmsg+0x3b2/0x740 net/socket.c:2737 + __do_sys_sendmmsg net/socket.c:2766 [inline] + __se_sys_sendmmsg net/socket.c:2763 [inline] + __x64_sys_sendmmsg+0xa0/0xb0 net/socket.c:2763 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7f4ce4f7def9 +Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f4ce5d4a038 EFLAGS: 00000246 ORIG_RAX: 0000000000000133 +RAX: ffffffffffffffda RBX: 00007f4ce5135f80 RCX: 00007f4ce4f7def9 +RDX: 0000000000000001 RSI: 0000000020005d40 RDI: 0000000000000006 +RBP: 00007f4ce4ff0b76 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 0000000000000000 R14: 00007f4ce5135f80 R15: 00007ffd4cbc6d68 + + +Fixes: d877f07112f1 ("netfilter: nf_tables: add nft_dup expression") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/ipv4/netfilter/nf_dup_ipv4.c | 7 +++++-- + net/ipv6/netfilter/nf_dup_ipv6.c | 7 +++++-- + 2 files changed, 10 insertions(+), 4 deletions(-) + +diff --git a/net/ipv4/netfilter/nf_dup_ipv4.c b/net/ipv4/netfilter/nf_dup_ipv4.c +index 6cc5743c553a0..9a21175693db5 100644 +--- a/net/ipv4/netfilter/nf_dup_ipv4.c ++++ b/net/ipv4/netfilter/nf_dup_ipv4.c +@@ -52,8 +52,9 @@ void nf_dup_ipv4(struct net *net, struct sk_buff *skb, unsigned int hooknum, + { + struct iphdr *iph; + ++ local_bh_disable(); + if (this_cpu_read(nf_skb_duplicated)) +- return; ++ goto out; + /* + * Copy the skb, and route the copy. Will later return %XT_CONTINUE for + * the original skb, which should continue on its way as if nothing has +@@ -61,7 +62,7 @@ void nf_dup_ipv4(struct net *net, struct sk_buff *skb, unsigned int hooknum, + */ + skb = pskb_copy(skb, GFP_ATOMIC); + if (skb == NULL) +- return; ++ goto out; + + #if IS_ENABLED(CONFIG_NF_CONNTRACK) + /* Avoid counting cloned packets towards the original connection. */ +@@ -90,6 +91,8 @@ void nf_dup_ipv4(struct net *net, struct sk_buff *skb, unsigned int hooknum, + } else { + kfree_skb(skb); + } ++out: ++ local_bh_enable(); + } + EXPORT_SYMBOL_GPL(nf_dup_ipv4); + +diff --git a/net/ipv6/netfilter/nf_dup_ipv6.c b/net/ipv6/netfilter/nf_dup_ipv6.c +index a0a2de30be3e7..0c39c77fe8a8a 100644 +--- a/net/ipv6/netfilter/nf_dup_ipv6.c ++++ b/net/ipv6/netfilter/nf_dup_ipv6.c +@@ -47,11 +47,12 @@ static bool nf_dup_ipv6_route(struct net *net, struct sk_buff *skb, + void nf_dup_ipv6(struct net *net, struct sk_buff *skb, unsigned int hooknum, + const struct in6_addr *gw, int oif) + { ++ local_bh_disable(); + if (this_cpu_read(nf_skb_duplicated)) +- return; ++ goto out; + skb = pskb_copy(skb, GFP_ATOMIC); + if (skb == NULL) +- return; ++ goto out; + + #if IS_ENABLED(CONFIG_NF_CONNTRACK) + nf_reset_ct(skb); +@@ -69,6 +70,8 @@ void nf_dup_ipv6(struct net *net, struct sk_buff *skb, unsigned int hooknum, + } else { + kfree_skb(skb); + } ++out: ++ local_bh_enable(); + } + EXPORT_SYMBOL_GPL(nf_dup_ipv6); + +-- +2.43.0 + diff --git a/queue-5.15/netfilter-uapi-nfta_flowtable_hook-is-nla_nested.patch b/queue-5.15/netfilter-uapi-nfta_flowtable_hook-is-nla_nested.patch new file mode 100644 index 00000000000..24fc60c3d51 --- /dev/null +++ b/queue-5.15/netfilter-uapi-nfta_flowtable_hook-is-nla_nested.patch @@ -0,0 +1,35 @@ +From 5d864e30af65c3421ed88dcd49e710c3054f811b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Sep 2024 20:01:20 +0200 +Subject: netfilter: uapi: NFTA_FLOWTABLE_HOOK is NLA_NESTED + +From: Phil Sutter + +[ Upstream commit 76f1ed087b562a469f2153076f179854b749c09a ] + +Fix the comment which incorrectly defines it as NLA_U32. + +Fixes: 3b49e2e94e6e ("netfilter: nf_tables: add flow table netlink frontend") +Signed-off-by: Phil Sutter +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/uapi/linux/netfilter/nf_tables.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h +index c0edc1a2c8e65..598f782779f59 100644 +--- a/include/uapi/linux/netfilter/nf_tables.h ++++ b/include/uapi/linux/netfilter/nf_tables.h +@@ -1638,7 +1638,7 @@ enum nft_flowtable_flags { + * + * @NFTA_FLOWTABLE_TABLE: name of the table containing the expression (NLA_STRING) + * @NFTA_FLOWTABLE_NAME: name of this flow table (NLA_STRING) +- * @NFTA_FLOWTABLE_HOOK: netfilter hook configuration(NLA_U32) ++ * @NFTA_FLOWTABLE_HOOK: netfilter hook configuration (NLA_NESTED) + * @NFTA_FLOWTABLE_USE: number of references to this flow table (NLA_U32) + * @NFTA_FLOWTABLE_HANDLE: object handle (NLA_U64) + * @NFTA_FLOWTABLE_FLAGS: flags (NLA_U32) +-- +2.43.0 + diff --git a/queue-5.15/ppp-do-not-assume-bh-is-held-in-ppp_channel_bridge_i.patch b/queue-5.15/ppp-do-not-assume-bh-is-held-in-ppp_channel_bridge_i.patch new file mode 100644 index 00000000000..4d8b87b56df --- /dev/null +++ b/queue-5.15/ppp-do-not-assume-bh-is-held-in-ppp_channel_bridge_i.patch @@ -0,0 +1,142 @@ +From 82a3e8453878b2b6845a407f012b0fe6a932c34b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Sep 2024 07:45:53 +0000 +Subject: ppp: do not assume bh is held in ppp_channel_bridge_input() + +From: Eric Dumazet + +[ Upstream commit aec7291003df78cb71fd461d7b672912bde55807 ] + +Networking receive path is usually handled from BH handler. +However, some protocols need to acquire the socket lock, and +packets might be stored in the socket backlog is the socket was +owned by a user process. + +In this case, release_sock(), __release_sock(), and sk_backlog_rcv() +might call the sk->sk_backlog_rcv() handler in process context. + +sybot caught ppp was not considering this case in +ppp_channel_bridge_input() : + +WARNING: inconsistent lock state +6.11.0-rc7-syzkaller-g5f5673607153 #0 Not tainted +-------------------------------- +inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage. +ksoftirqd/1/24 [HC0[0]:SC1[1]:HE1:SE0] takes: + ffff0000db7f11e0 (&pch->downl){+.?.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline] + ffff0000db7f11e0 (&pch->downl){+.?.}-{2:2}, at: ppp_channel_bridge_input drivers/net/ppp/ppp_generic.c:2272 [inline] + ffff0000db7f11e0 (&pch->downl){+.?.}-{2:2}, at: ppp_input+0x16c/0x854 drivers/net/ppp/ppp_generic.c:2304 +{SOFTIRQ-ON-W} state was registered at: + lock_acquire+0x240/0x728 kernel/locking/lockdep.c:5759 + __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline] + _raw_spin_lock+0x48/0x60 kernel/locking/spinlock.c:154 + spin_lock include/linux/spinlock.h:351 [inline] + ppp_channel_bridge_input drivers/net/ppp/ppp_generic.c:2272 [inline] + ppp_input+0x16c/0x854 drivers/net/ppp/ppp_generic.c:2304 + pppoe_rcv_core+0xfc/0x314 drivers/net/ppp/pppoe.c:379 + sk_backlog_rcv include/net/sock.h:1111 [inline] + __release_sock+0x1a8/0x3d8 net/core/sock.c:3004 + release_sock+0x68/0x1b8 net/core/sock.c:3558 + pppoe_sendmsg+0xc8/0x5d8 drivers/net/ppp/pppoe.c:903 + sock_sendmsg_nosec net/socket.c:730 [inline] + __sock_sendmsg net/socket.c:745 [inline] + __sys_sendto+0x374/0x4f4 net/socket.c:2204 + __do_sys_sendto net/socket.c:2216 [inline] + __se_sys_sendto net/socket.c:2212 [inline] + __arm64_sys_sendto+0xd8/0xf8 net/socket.c:2212 + __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] + invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 + el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132 + do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 + el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712 + el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730 + el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598 +irq event stamp: 282914 + hardirqs last enabled at (282914): [] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline] + hardirqs last enabled at (282914): [] _raw_spin_unlock_irqrestore+0x38/0x98 kernel/locking/spinlock.c:194 + hardirqs last disabled at (282913): [] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline] + hardirqs last disabled at (282913): [] _raw_spin_lock_irqsave+0x2c/0x7c kernel/locking/spinlock.c:162 + softirqs last enabled at (282904): [] softirq_handle_end kernel/softirq.c:400 [inline] + softirqs last enabled at (282904): [] handle_softirqs+0xa3c/0xbfc kernel/softirq.c:582 + softirqs last disabled at (282909): [] run_ksoftirqd+0x70/0x158 kernel/softirq.c:928 + +other info that might help us debug this: + Possible unsafe locking scenario: + + CPU0 + ---- + lock(&pch->downl); + + lock(&pch->downl); + + *** DEADLOCK *** + +1 lock held by ksoftirqd/1/24: + #0: ffff80008f74dfa0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x10/0x4c include/linux/rcupdate.h:325 + +stack backtrace: +CPU: 1 UID: 0 PID: 24 Comm: ksoftirqd/1 Not tainted 6.11.0-rc7-syzkaller-g5f5673607153 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 +Call trace: + dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:319 + show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:326 + __dump_stack lib/dump_stack.c:93 [inline] + dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:119 + dump_stack+0x1c/0x28 lib/dump_stack.c:128 + print_usage_bug+0x698/0x9ac kernel/locking/lockdep.c:4000 + mark_lock_irq+0x980/0xd2c + mark_lock+0x258/0x360 kernel/locking/lockdep.c:4677 + __lock_acquire+0xf48/0x779c kernel/locking/lockdep.c:5096 + lock_acquire+0x240/0x728 kernel/locking/lockdep.c:5759 + __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline] + _raw_spin_lock+0x48/0x60 kernel/locking/spinlock.c:154 + spin_lock include/linux/spinlock.h:351 [inline] + ppp_channel_bridge_input drivers/net/ppp/ppp_generic.c:2272 [inline] + ppp_input+0x16c/0x854 drivers/net/ppp/ppp_generic.c:2304 + ppp_async_process+0x98/0x150 drivers/net/ppp/ppp_async.c:495 + tasklet_action_common+0x318/0x3f4 kernel/softirq.c:785 + tasklet_action+0x68/0x8c kernel/softirq.c:811 + handle_softirqs+0x2e4/0xbfc kernel/softirq.c:554 + run_ksoftirqd+0x70/0x158 kernel/softirq.c:928 + smpboot_thread_fn+0x4b0/0x90c kernel/smpboot.c:164 + kthread+0x288/0x310 kernel/kthread.c:389 + ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860 + +Fixes: 4cf476ced45d ("ppp: add PPPIOCBRIDGECHAN and PPPIOCUNBRIDGECHAN ioctls") +Reported-by: syzbot+bd8d55ee2acd0a71d8ce@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/66f661e2.050a0220.38ace9.000f.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Cc: Tom Parkin +Cc: James Chapman +Link: https://patch.msgid.link/20240927074553.341910-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ppp/ppp_generic.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c +index 7a8a717770fcc..590a8b2153392 100644 +--- a/drivers/net/ppp/ppp_generic.c ++++ b/drivers/net/ppp/ppp_generic.c +@@ -2268,7 +2268,7 @@ static bool ppp_channel_bridge_input(struct channel *pch, struct sk_buff *skb) + if (!pchb) + goto out_rcu; + +- spin_lock(&pchb->downl); ++ spin_lock_bh(&pchb->downl); + if (!pchb->chan) { + /* channel got unregistered */ + kfree_skb(skb); +@@ -2280,7 +2280,7 @@ static bool ppp_channel_bridge_input(struct channel *pch, struct sk_buff *skb) + kfree_skb(skb); + + outl: +- spin_unlock(&pchb->downl); ++ spin_unlock_bh(&pchb->downl); + out_rcu: + rcu_read_unlock(); + +-- +2.43.0 + diff --git a/queue-5.15/sctp-set-sk_state-back-to-closed-if-autobind-fails-i.patch b/queue-5.15/sctp-set-sk_state-back-to-closed-if-autobind-fails-i.patch new file mode 100644 index 00000000000..f5d0f517890 --- /dev/null +++ b/queue-5.15/sctp-set-sk_state-back-to-closed-if-autobind-fails-i.patch @@ -0,0 +1,56 @@ +From b840b7c663dd5f4c7ce764cb60937b5d763256ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Sep 2024 16:49:51 -0400 +Subject: sctp: set sk_state back to CLOSED if autobind fails in + sctp_listen_start + +From: Xin Long + +[ Upstream commit 8beee4d8dee76b67c75dc91fd8185d91e845c160 ] + +In sctp_listen_start() invoked by sctp_inet_listen(), it should set the +sk_state back to CLOSED if sctp_autobind() fails due to whatever reason. + +Otherwise, next time when calling sctp_inet_listen(), if sctp_sk(sk)->reuse +is already set via setsockopt(SCTP_REUSE_PORT), sctp_sk(sk)->bind_hash will +be dereferenced as sk_state is LISTENING, which causes a crash as bind_hash +is NULL. + + KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] + RIP: 0010:sctp_inet_listen+0x7f0/0xa20 net/sctp/socket.c:8617 + Call Trace: + + __sys_listen_socket net/socket.c:1883 [inline] + __sys_listen+0x1b7/0x230 net/socket.c:1894 + __do_sys_listen net/socket.c:1902 [inline] + +Fixes: 5e8f3f703ae4 ("sctp: simplify sctp listening code") +Reported-by: syzbot+f4e0f821e3a3b7cee51d@syzkaller.appspotmail.com +Signed-off-by: Xin Long +Acked-by: Marcelo Ricardo Leitner +Link: https://patch.msgid.link/a93e655b3c153dc8945d7a812e6d8ab0d52b7aa0.1727729391.git.lucien.xin@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/sctp/socket.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/sctp/socket.c b/net/sctp/socket.c +index 9fe13de66b272..2818cf160f3a3 100644 +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -8542,8 +8542,10 @@ static int sctp_listen_start(struct sock *sk, int backlog) + */ + inet_sk_set_state(sk, SCTP_SS_LISTENING); + if (!ep->base.bind_addr.port) { +- if (sctp_autobind(sk)) ++ if (sctp_autobind(sk)) { ++ inet_sk_set_state(sk, SCTP_SS_CLOSED); + return -EAGAIN; ++ } + } else { + if (sctp_get_port(sk, inet_sk(sk)->inet_num)) { + inet_sk_set_state(sk, SCTP_SS_CLOSED); +-- +2.43.0 + diff --git a/queue-5.15/series b/queue-5.15/series index 67f0cc412ac..6ca1c815361 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -360,3 +360,25 @@ i2c-aspeed-update-the-stop-sw-state-when-the-bus-recovery-occurs.patch i2c-isch-add-missed-else.patch usb-yurex-fix-inconsistent-locking-bug-in-yurex_read.patch spi-lpspi-simplify-some-error-message.patch +static_call-handle-module-init-failure-correctly-in-.patch +static_call-replace-pointless-warn_on-in-static_call.patch +mailbox-rockchip-fix-a-typo-in-module-autoloading.patch +mailbox-bcm2835-fix-timeout-during-suspend-mode.patch +ceph-remove-the-incorrect-fw-reference-check-when-di.patch +ieee802154-fix-build-error.patch +net-mlx5-fix-error-path-in-multi-packet-wqe-transmit.patch +net-mlx5-added-cond_resched-to-crdump-collection.patch +net-mlx5e-fix-null-deref-in-mlx5e_tir_builder_alloc.patch +netfilter-uapi-nfta_flowtable_hook-is-nla_nested.patch +net-ieee802154-mcr20a-use-irqf_no_autoen-flag-in-req.patch +netfilter-nf_tables-prevent-nf_skb_duplicated-corrup.patch +bluetooth-btmrvl-use-irqf_no_autoen-flag-in-request_.patch +net-ethernet-lantiq_etop-fix-memory-disclosure.patch +net-avoid-potential-underflow-in-qdisc_pkt_len_init-.patch +net-add-more-sanity-checks-to-qdisc_pkt_len_init.patch +stmmac_pci-fix-underflow-size-in-stmmac_rx.patch +net-stmmac-disable-automatic-fcs-pad-stripping.patch +net-stmmac-dwmac4-extend-timeout-for-vlan-tag-regist.patch +ipv4-ip_gre-fix-drops-of-small-packets-in-ipgre_xmit.patch +ppp-do-not-assume-bh-is-held-in-ppp_channel_bridge_i.patch +sctp-set-sk_state-back-to-closed-if-autobind-fails-i.patch diff --git a/queue-5.15/static_call-handle-module-init-failure-correctly-in-.patch b/queue-5.15/static_call-handle-module-init-failure-correctly-in-.patch new file mode 100644 index 00000000000..22a63f46c92 --- /dev/null +++ b/queue-5.15/static_call-handle-module-init-failure-correctly-in-.patch @@ -0,0 +1,100 @@ +From 15b4d63616a57e74732f79d8f78a6901cae5ba6c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Sep 2024 11:09:07 +0200 +Subject: static_call: Handle module init failure correctly in + static_call_del_module() + +From: Thomas Gleixner + +[ Upstream commit 4b30051c4864234ec57290c3d142db7c88f10d8a ] + +Module insertion invokes static_call_add_module() to initialize the static +calls in a module. static_call_add_module() invokes __static_call_init(), +which allocates a struct static_call_mod to either encapsulate the built-in +static call sites of the associated key into it so further modules can be +added or to append the module to the module chain. + +If that allocation fails the function returns with an error code and the +module core invokes static_call_del_module() to clean up eventually added +static_call_mod entries. + +This works correctly, when all keys used by the module were converted over +to a module chain before the failure. If not then static_call_del_module() +causes a #GP as it blindly assumes that key::mods points to a valid struct +static_call_mod. + +The problem is that key::mods is not a individual struct member of struct +static_call_key, it's part of a union to save space: + + union { + /* bit 0: 0 = mods, 1 = sites */ + unsigned long type; + struct static_call_mod *mods; + struct static_call_site *sites; + }; + +key::sites is a pointer to the list of built-in usage sites of the static +call. The type of the pointer is differentiated by bit 0. A mods pointer +has the bit clear, the sites pointer has the bit set. + +As static_call_del_module() blidly assumes that the pointer is a valid +static_call_mod type, it fails to check for this failure case and +dereferences the pointer to the list of built-in call sites, which is +obviously bogus. + +Cure it by checking whether the key has a sites or a mods pointer. + +If it's a sites pointer then the key is not to be touched. As the sites are +walked in the same order as in __static_call_init() the site walk can be +terminated because all subsequent sites have not been touched by the init +code due to the error exit. + +If it was converted before the allocation fail, then the inner loop which +searches for a module match will find nothing. + +A fail in the second allocation in __static_call_init() is harmless and +does not require special treatment. The first allocation succeeded and +converted the key to a module chain. That first entry has mod::mod == NULL +and mod::next == NULL, so the inner loop of static_call_del_module() will +neither find a module match nor a module chain. The next site in the walk +was either already converted, but can't match the module, or it will exit +the outer loop because it has a static_call_site pointer and not a +static_call_mod pointer. + +Fixes: 9183c3f9ed71 ("static_call: Add inline static call infrastructure") +Closes: https://lore.kernel.org/all/20230915082126.4187913-1-ruanjinjie@huawei.com +Reported-by: Jinjie Ruan +Signed-off-by: Thomas Gleixner +Signed-off-by: Peter Zijlstra (Intel) +Tested-by: Jinjie Ruan +Link: https://lore.kernel.org/r/87zfon6b0s.ffs@tglx +Signed-off-by: Sasha Levin +--- + kernel/static_call_inline.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/kernel/static_call_inline.c b/kernel/static_call_inline.c +index dc5665b628140..075194d9cbf5b 100644 +--- a/kernel/static_call_inline.c ++++ b/kernel/static_call_inline.c +@@ -400,6 +400,17 @@ static void static_call_del_module(struct module *mod) + + for (site = start; site < stop; site++) { + key = static_call_key(site); ++ ++ /* ++ * If the key was not updated due to a memory allocation ++ * failure in __static_call_init() then treating key::sites ++ * as key::mods in the code below would cause random memory ++ * access and #GP. In that case all subsequent sites have ++ * not been touched either, so stop iterating. ++ */ ++ if (!static_call_key_has_mods(key)) ++ break; ++ + if (key == prev_key) + continue; + +-- +2.43.0 + diff --git a/queue-5.15/static_call-replace-pointless-warn_on-in-static_call.patch b/queue-5.15/static_call-replace-pointless-warn_on-in-static_call.patch new file mode 100644 index 00000000000..4f7221058af --- /dev/null +++ b/queue-5.15/static_call-replace-pointless-warn_on-in-static_call.patch @@ -0,0 +1,47 @@ +From 20838f91a18908c529b9efc65dc551ec96649cca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Sep 2024 11:08:28 +0200 +Subject: static_call: Replace pointless WARN_ON() in + static_call_module_notify() + +From: Thomas Gleixner + +[ Upstream commit fe513c2ef0a172a58f158e2e70465c4317f0a9a2 ] + +static_call_module_notify() triggers a WARN_ON(), when memory allocation +fails in __static_call_add_module(). + +That's not really justified, because the failure case must be correctly +handled by the well known call chain and the error code is passed +through to the initiating userspace application. + +A memory allocation fail is not a fatal problem, but the WARN_ON() takes +the machine out when panic_on_warn is set. + +Replace it with a pr_warn(). + +Fixes: 9183c3f9ed71 ("static_call: Add inline static call infrastructure") +Signed-off-by: Thomas Gleixner +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/8734mf7pmb.ffs@tglx +Signed-off-by: Sasha Levin +--- + kernel/static_call_inline.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/static_call_inline.c b/kernel/static_call_inline.c +index 075194d9cbf5b..6f566fe27ec1d 100644 +--- a/kernel/static_call_inline.c ++++ b/kernel/static_call_inline.c +@@ -442,7 +442,7 @@ static int static_call_module_notify(struct notifier_block *nb, + case MODULE_STATE_COMING: + ret = static_call_add_module(mod); + if (ret) { +- WARN(1, "Failed to allocate memory for static calls"); ++ pr_warn("Failed to allocate memory for static calls\n"); + static_call_del_module(mod); + } + break; +-- +2.43.0 + diff --git a/queue-5.15/stmmac_pci-fix-underflow-size-in-stmmac_rx.patch b/queue-5.15/stmmac_pci-fix-underflow-size-in-stmmac_rx.patch new file mode 100644 index 00000000000..2323b560660 --- /dev/null +++ b/queue-5.15/stmmac_pci-fix-underflow-size-in-stmmac_rx.patch @@ -0,0 +1,86 @@ +From cb0dccf0d82899c44274a74d34e659ef9b69491a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Nov 2021 16:42:47 -0500 +Subject: stmmac_pci: Fix underflow size in stmmac_rx + +From: Zekun Shen + +[ Upstream commit 0f296e782f21dc1c55475a3c107ac68ab09cc1cf ] + +This bug report came up when we were testing the device driver +by fuzzing. It shows that buf1_len can get underflowed and be +0xfffffffc (4294967292). + +This bug is triggerable with a compromised/malfunctioning device. +We found the bug through QEMU emulation tested the patch with +emulation. We did NOT test it on real hardware. + +Attached is the bug report by fuzzing. + +BUG: KASAN: use-after-free in stmmac_napi_poll_rx+0x1c08/0x36e0 [stmmac] +Read of size 4294967292 at addr ffff888016358000 by task ksoftirqd/0/9 + +CPU: 0 PID: 9 Comm: ksoftirqd/0 Tainted: G W 5.6.0 #1 +Call Trace: + dump_stack+0x76/0xa0 + print_address_description.constprop.0+0x16/0x200 + ? stmmac_napi_poll_rx+0x1c08/0x36e0 [stmmac] + ? stmmac_napi_poll_rx+0x1c08/0x36e0 [stmmac] + __kasan_report.cold+0x37/0x7c + ? stmmac_napi_poll_rx+0x1c08/0x36e0 [stmmac] + kasan_report+0xe/0x20 + check_memory_region+0x15a/0x1d0 + memcpy+0x20/0x50 + stmmac_napi_poll_rx+0x1c08/0x36e0 [stmmac] + ? stmmac_suspend+0x850/0x850 [stmmac] + ? __next_timer_interrupt+0xba/0xf0 + net_rx_action+0x363/0xbd0 + ? call_timer_fn+0x240/0x240 + ? __switch_to_asm+0x40/0x70 + ? napi_busy_loop+0x520/0x520 + ? __schedule+0x839/0x15a0 + __do_softirq+0x18c/0x634 + ? takeover_tasklets+0x5f0/0x5f0 + run_ksoftirqd+0x15/0x20 + smpboot_thread_fn+0x2f1/0x6b0 + ? smpboot_unregister_percpu_thread+0x160/0x160 + ? __kthread_parkme+0x80/0x100 + ? smpboot_unregister_percpu_thread+0x160/0x160 + kthread+0x2b5/0x3b0 + ? kthread_create_on_node+0xd0/0xd0 + ret_from_fork+0x22/0x40 + +Reported-by: Brendan Dolan-Gavitt +Signed-off-by: Zekun Shen +Signed-off-by: David S. Miller +Stable-dep-of: 4c1b56671b68 ("net: stmmac: dwmac4: extend timeout for VLAN Tag register busy bit check") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +index cd92b8e03a9a1..23c0355c13c18 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -5241,12 +5241,13 @@ static int stmmac_rx(struct stmmac_priv *priv, int limit, u32 queue) + if (likely(!(status & rx_not_ls)) && + (likely(priv->synopsys_id >= DWMAC_CORE_4_00) || + unlikely(status != llc_snap))) { +- if (buf2_len) ++ if (buf2_len) { + buf2_len -= ETH_FCS_LEN; +- else ++ len -= ETH_FCS_LEN; ++ } else if (buf1_len) { + buf1_len -= ETH_FCS_LEN; +- +- len -= ETH_FCS_LEN; ++ len -= ETH_FCS_LEN; ++ } + } + + if (!skb) { +-- +2.43.0 +