From: Sasha Levin Date: Mon, 17 Jul 2023 01:01:21 +0000 (-0400) Subject: Fixes for 4.19 X-Git-Tag: v5.15.121~100^2~1 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5cccd857b91fc1b6ee3fe18476cde11ceec9e365;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.19 Signed-off-by: Sasha Levin --- diff --git a/queue-4.19/icmp6-fix-null-ptr-deref-of-ip6_null_entry-rt6i_idev.patch b/queue-4.19/icmp6-fix-null-ptr-deref-of-ip6_null_entry-rt6i_idev.patch new file mode 100644 index 00000000000..3227658c36f --- /dev/null +++ b/queue-4.19/icmp6-fix-null-ptr-deref-of-ip6_null_entry-rt6i_idev.patch 
@@ -0,0 +1,145 @@ +From 46ae827efd8dbae05deb396bf8beb1545f27f411 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Jul 2023 18:43:27 -0700 +Subject: icmp6: Fix null-ptr-deref of ip6_null_entry->rt6i_idev in + icmp6_dev(). + +From: Kuniyuki Iwashima + +[ Upstream commit 2aaa8a15de73874847d62eb595c6683bface80fd ] + +With some IPv6 Ext Hdr (RPL, SRv6, etc.), we can send a packet that +has the link-local address as src and dst IP and will be forwarded to +an external IP in the IPv6 Ext Hdr. + +For example, the script below generates a packet whose src IP is the +link-local address and dst is updated to 11::. + + # for f in $(find /proc/sys/net/ -name *seg6_enabled*); do echo 1 > $f; done + # python3 + >>> from socket import * + >>> from scapy.all import * + >>> + >>> SRC_ADDR = DST_ADDR = "fe80::5054:ff:fe12:3456" + >>> + >>> pkt = IPv6(src=SRC_ADDR, dst=DST_ADDR) + >>> pkt /= IPv6ExtHdrSegmentRouting(type=4, addresses=["11::", "22::"], segleft=1) + >>> + >>> sk = socket(AF_INET6, SOCK_RAW, IPPROTO_RAW) + >>> sk.sendto(bytes(pkt), (DST_ADDR, 0)) + +For such a packet, we call ip6_route_input() to look up a route for the +next destination in these three functions depending on the header type. + + * ipv6_rthdr_rcv() + * ipv6_rpl_srh_rcv() + * ipv6_srh_rcv() + +If no route is found, ip6_null_entry is set to skb, and the following +dst_input(skb) calls ip6_pkt_drop(). + +Finally, in icmp6_dev(), we dereference skb_rt6_info(skb)->rt6i_idev->dev +as the input device is the loopback interface. Then, we have to check if +skb_rt6_info(skb)->rt6i_idev is NULL or not to avoid NULL pointer deref +for ip6_null_entry. 
+ +BUG: kernel NULL pointer dereference, address: 0000000000000000 + PF: supervisor read access in kernel mode + PF: error_code(0x0000) - not-present page +PGD 0 P4D 0 +Oops: 0000 [#1] PREEMPT SMP PTI +CPU: 0 PID: 157 Comm: python3 Not tainted 6.4.0-11996-gb121d614371c #35 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 +RIP: 0010:icmp6_send (net/ipv6/icmp.c:436 net/ipv6/icmp.c:503) +Code: fe ff ff 48 c7 40 30 c0 86 5d 83 e8 c6 44 1c 00 e9 c8 fc ff ff 49 8b 46 58 48 83 e0 fe 0f 84 4a fb ff ff 48 8b 80 d0 00 00 00 <48> 8b 00 44 8b 88 e0 00 00 00 e9 34 fb ff ff 4d 85 ed 0f 85 69 01 +RSP: 0018:ffffc90000003c70 EFLAGS: 00000286 +RAX: 0000000000000000 RBX: 0000000000000001 RCX: 00000000000000e0 +RDX: 0000000000000021 RSI: 0000000000000000 RDI: ffff888006d72a18 +RBP: ffffc90000003d80 R08: 0000000000000000 R09: 0000000000000001 +R10: ffffc90000003d98 R11: 0000000000000040 R12: ffff888006d72a10 +R13: 0000000000000000 R14: ffff8880057fb800 R15: ffffffff835d86c0 +FS: 00007f9dc72ee740(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000000000000 CR3: 00000000057b2000 CR4: 00000000007506f0 +PKRU: 55555554 +Call Trace: + + ip6_pkt_drop (net/ipv6/route.c:4513) + ipv6_rthdr_rcv (net/ipv6/exthdrs.c:640 net/ipv6/exthdrs.c:686) + ip6_protocol_deliver_rcu (net/ipv6/ip6_input.c:437 (discriminator 5)) + ip6_input_finish (./include/linux/rcupdate.h:781 net/ipv6/ip6_input.c:483) + __netif_receive_skb_one_core (net/core/dev.c:5455) + process_backlog (./include/linux/rcupdate.h:781 net/core/dev.c:5895) + __napi_poll (net/core/dev.c:6460) + net_rx_action (net/core/dev.c:6529 net/core/dev.c:6660) + __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:554) + do_softirq (kernel/softirq.c:454 kernel/softirq.c:441) + + + __local_bh_enable_ip (kernel/softirq.c:381) + 
__dev_queue_xmit (net/core/dev.c:4231) + ip6_finish_output2 (./include/net/neighbour.h:544 net/ipv6/ip6_output.c:135) + rawv6_sendmsg (./include/net/dst.h:458 ./include/linux/netfilter.h:303 net/ipv6/raw.c:656 net/ipv6/raw.c:914) + sock_sendmsg (net/socket.c:725 net/socket.c:748) + __sys_sendto (net/socket.c:2134) + __x64_sys_sendto (net/socket.c:2146 net/socket.c:2142 net/socket.c:2142) + do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) + entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) +RIP: 0033:0x7f9dc751baea +Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89 +RSP: 002b:00007ffe98712c38 EFLAGS: 00000246 ORIG_RAX: 000000000000002c +RAX: ffffffffffffffda RBX: 00007ffe98712cf8 RCX: 00007f9dc751baea +RDX: 0000000000000060 RSI: 00007f9dc6460b90 RDI: 0000000000000003 +RBP: 00007f9dc56e8be0 R08: 00007ffe98712d70 R09: 000000000000001c +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: ffffffffc4653600 R14: 0000000000000001 R15: 00007f9dc6af5d1b + +Modules linked in: +CR2: 0000000000000000 + ---[ end trace 0000000000000000 ]--- +RIP: 0010:icmp6_send (net/ipv6/icmp.c:436 net/ipv6/icmp.c:503) +Code: fe ff ff 48 c7 40 30 c0 86 5d 83 e8 c6 44 1c 00 e9 c8 fc ff ff 49 8b 46 58 48 83 e0 fe 0f 84 4a fb ff ff 48 8b 80 d0 00 00 00 <48> 8b 00 44 8b 88 e0 00 00 00 e9 34 fb ff ff 4d 85 ed 0f 85 69 01 +RSP: 0018:ffffc90000003c70 EFLAGS: 00000286 +RAX: 0000000000000000 RBX: 0000000000000001 RCX: 00000000000000e0 +RDX: 0000000000000021 RSI: 0000000000000000 RDI: ffff888006d72a18 +RBP: ffffc90000003d80 R08: 0000000000000000 R09: 0000000000000001 +R10: ffffc90000003d98 R11: 0000000000000040 R12: ffff888006d72a10 +R13: 0000000000000000 R14: ffff8880057fb800 R15: ffffffff835d86c0 +FS: 00007f9dc72ee740(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 
CR0: 0000000080050033 +CR2: 0000000000000000 CR3: 00000000057b2000 CR4: 00000000007506f0 +PKRU: 55555554 +Kernel panic - not syncing: Fatal exception in interrupt +Kernel Offset: disabled + +Fixes: 4832c30d5458 ("net: ipv6: put host and anycast routes on device with address") +Reported-by: Wang Yufen +Closes: https://lore.kernel.org/netdev/c41403a9-c2f6-3b7e-0c96-e1901e605cd0@huawei.com/ +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: David Ahern +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/icmp.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c +index 1b86a2e03d049..bfafd7649ccb3 100644 +--- a/net/ipv6/icmp.c ++++ b/net/ipv6/icmp.c +@@ -407,7 +407,10 @@ static struct net_device *icmp6_dev(const struct sk_buff *skb) + if (unlikely(dev->ifindex == LOOPBACK_IFINDEX || netif_is_l3_master(skb->dev))) { + const struct rt6_info *rt6 = skb_rt6_info(skb); + +- if (rt6) ++ /* The destination could be an external IP in Ext Hdr (SRv6, RPL, etc.), ++ * and ip6_null_entry could be set to skb if no route is found. ++ */ ++ if (rt6 && rt6->rt6i_idev) + dev = rt6->rt6i_idev->dev; + } + +-- +2.39.2 + diff --git a/queue-4.19/ipv6-addrconf-fix-a-potential-refcount-underflow-for.patch b/queue-4.19/ipv6-addrconf-fix-a-potential-refcount-underflow-for.patch new file mode 100644 index 00000000000..eeacf645c73 --- /dev/null +++ b/queue-4.19/ipv6-addrconf-fix-a-potential-refcount-underflow-for.patch 
@@ -0,0 +1,53 @@ +From b6b485d5880cefb054197d49b212532df8ee9263 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 8 Jul 2023 14:59:10 +0800 +Subject: ipv6/addrconf: fix a potential refcount underflow for idev + +From: Ziyang Xuan + +[ Upstream commit 06a0716949c22e2aefb648526580671197151acc ] + +Now in addrconf_mod_rs_timer(), reference idev depends on whether +rs_timer is not pending. Then modify rs_timer timeout. + +There is a time gap in [1], during which if the pending rs_timer +becomes not pending. It will miss to hold idev, but the rs_timer +is activated. Thus rs_timer callback function addrconf_rs_timer() +will be executed and put idev later without holding idev. A refcount +underflow issue for idev can be caused by this. + + if (!timer_pending(&idev->rs_timer)) + in6_dev_hold(idev); + <--------------[1] + mod_timer(&idev->rs_timer, jiffies + when); + +To fix the issue, hold idev if mod_timer() return 0. + +Fixes: b7b1bfce0bb6 ("ipv6: split duplicate address detection and router solicitation timer") +Suggested-by: Eric Dumazet +Signed-off-by: Ziyang Xuan +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/addrconf.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c +index f261c6d7f1f28..23edc325f70be 100644 +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -316,9 +316,8 @@ static void addrconf_del_dad_work(struct inet6_ifaddr *ifp) + static void addrconf_mod_rs_timer(struct inet6_dev *idev, + unsigned long when) + { +- if (!timer_pending(&idev->rs_timer)) ++ if (!mod_timer(&idev->rs_timer, jiffies + when)) + in6_dev_hold(idev); +- mod_timer(&idev->rs_timer, jiffies + when); + } + + static void addrconf_mod_dad_work(struct inet6_ifaddr *ifp, +-- +2.39.2 + 
diff --git a/queue-4.19/net-mvneta-fix-txq_map-in-case-of-txq_number-1.patch b/queue-4.19/net-mvneta-fix-txq_map-in-case-of-txq_number-1.patch new file mode 100644 index 00000000000..987b2a40ed8 --- /dev/null +++ b/queue-4.19/net-mvneta-fix-txq_map-in-case-of-txq_number-1.patch @@ -0,0 +1,48 @@ +From f9e8a622e20536ae06e72b75b9d71051521991fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Jul 2023 07:37:12 +0200 +Subject: net: mvneta: fix txq_map in case of txq_number==1 + +From: Klaus Kudielka + +[ Upstream commit 21327f81db6337c8843ce755b01523c7d3df715b ] + +If we boot with mvneta.txq_number=1, the txq_map is set incorrectly: +MVNETA_CPU_TXQ_ACCESS(1) refers to TX queue 1, but only TX queue 0 is +initialized. Fix this. + +Fixes: 50bf8cb6fc9c ("net: mvneta: Configure XPS support") +Signed-off-by: Klaus Kudielka +Reviewed-by: Michal Kubiak +Link: https://lore.kernel.org/r/20230705053712.3914-1-klaus.kudielka@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/mvneta.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c +index f1a4b11ce0d19..512f9cd68070a 100644 +--- a/drivers/net/ethernet/marvell/mvneta.c ++++ b/drivers/net/ethernet/marvell/mvneta.c +@@ -1415,7 +1415,7 @@ static void mvneta_defaults_set(struct mvneta_port *pp) + */ + if (txq_number == 1) + txq_map = (cpu == pp->rxq_def) ? +- MVNETA_CPU_TXQ_ACCESS(1) : 0; ++ MVNETA_CPU_TXQ_ACCESS(0) : 0; + + } else { + txq_map = MVNETA_CPU_TXQ_ACCESS_ALL_MASK; +@@ -3665,7 +3665,7 @@ static void mvneta_percpu_elect(struct mvneta_port *pp) + */ + if (txq_number == 1) + txq_map = (cpu == elected_cpu) ? +- MVNETA_CPU_TXQ_ACCESS(1) : 0; ++ MVNETA_CPU_TXQ_ACCESS(0) : 0; + else + txq_map = mvreg_read(pp, MVNETA_CPU_MAP(cpu)) & + MVNETA_CPU_TXQ_ACCESS_ALL_MASK; +-- +2.39.2 + 
diff --git a/queue-4.19/net-sched-make-psched_mtu-rtnl-less-safe.patch b/queue-4.19/net-sched-make-psched_mtu-rtnl-less-safe.patch new file mode 100644 index 00000000000..0b060652053 --- /dev/null +++ b/queue-4.19/net-sched-make-psched_mtu-rtnl-less-safe.patch @@ -0,0 +1,49 @@ +From 19bfe7281d835cff53c41f2059bbd4222c112960 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Jul 2023 23:16:34 -0300 +Subject: net/sched: make psched_mtu() RTNL-less safe + +From: Pedro Tammela + +[ Upstream commit 150e33e62c1fa4af5aaab02776b6c3812711d478 ] + +Eric Dumazet says[1]: +------- +Speaking of psched_mtu(), I see that net/sched/sch_pie.c is using it +without holding RTNL, so dev->mtu can be changed underneath. +KCSAN could issue a warning. +------- + +Annotate dev->mtu with READ_ONCE() so KCSAN don't issue a warning. + +[1] https://lore.kernel.org/all/CANn89iJoJO5VtaJ-2=_d2aOQhb0Xw8iBT_Cxqp2HyuS-zj6azw@mail.gmail.com/ + +v1 -> v2: Fix commit message + +Fixes: d4b36210c2e6 ("net: pkt_sched: PIE AQM scheme") +Suggested-by: Eric Dumazet +Signed-off-by: Pedro Tammela +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20230711021634.561598-1-pctammela@mojatatu.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/pkt_sched.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/net/pkt_sched.h b/include/net/pkt_sched.h +index e09ea6917c061..83a16f3bd6e6a 100644 +--- a/include/net/pkt_sched.h ++++ b/include/net/pkt_sched.h +@@ -131,7 +131,7 @@ extern const struct nla_policy rtm_tca_policy[TCA_MAX + 1]; + */ + static inline unsigned int psched_mtu(const struct net_device *dev) + { +- return dev->mtu + dev->hard_header_len; ++ return READ_ONCE(dev->mtu) + dev->hard_header_len; + } + + static inline struct net *qdisc_net(struct Qdisc *q) +-- +2.39.2 + 
diff --git a/queue-4.19/ntb-amd-fix-error-handling-in-amd_ntb_pci_driver_ini.patch b/queue-4.19/ntb-amd-fix-error-handling-in-amd_ntb_pci_driver_ini.patch new file mode 100644 index 00000000000..50404b9a780 --- /dev/null +++ b/queue-4.19/ntb-amd-fix-error-handling-in-amd_ntb_pci_driver_ini.patch 
@@ -0,0 +1,64 @@ +From 5d7e064f00a219bea355726f35ad8949bc616514 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Nov 2022 09:43:09 +0000 +Subject: NTB: amd: Fix error handling in amd_ntb_pci_driver_init() + +From: Yuan Can + +[ Upstream commit 98af0a33c1101c29b3ce4f0cf4715fd927c717f9 ] + +A problem about ntb_hw_amd create debugfs failed is triggered with the +following log given: + + [ 618.431232] AMD(R) PCI-E Non-Transparent Bridge Driver 1.0 + [ 618.433284] debugfs: Directory 'ntb_hw_amd' with parent '/' already present! + +The reason is that amd_ntb_pci_driver_init() returns pci_register_driver() +directly without checking its return value, if pci_register_driver() +failed, it returns without destroy the newly created debugfs, resulting +the debugfs of ntb_hw_amd can never be created later. + + amd_ntb_pci_driver_init() + debugfs_create_dir() # create debugfs directory + pci_register_driver() + driver_register() + bus_add_driver() + priv = kzalloc(...) # OOM happened + # return without destroy debugfs directory + +Fix by removing debugfs when pci_register_driver() returns error. 
+ +Fixes: a1b3695820aa ("NTB: Add support for AMD PCI-Express Non-Transparent Bridge") +Signed-off-by: Yuan Can +Signed-off-by: Jon Mason +Signed-off-by: Sasha Levin +--- + drivers/ntb/hw/amd/ntb_hw_amd.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/ntb/hw/amd/ntb_hw_amd.c b/drivers/ntb/hw/amd/ntb_hw_amd.c +index 0b1fbb5dba9b6..7de7616803935 100644 +--- a/drivers/ntb/hw/amd/ntb_hw_amd.c ++++ b/drivers/ntb/hw/amd/ntb_hw_amd.c +@@ -1139,12 +1139,17 @@ static struct pci_driver amd_ntb_pci_driver = { + + static int __init amd_ntb_pci_driver_init(void) + { ++ int ret; + pr_info("%s %s\n", NTB_DESC, NTB_VER); + + if (debugfs_initialized()) + debugfs_dir = debugfs_create_dir(KBUILD_MODNAME, NULL); + +- return pci_register_driver(&amd_ntb_pci_driver); ++ ret = pci_register_driver(&amd_ntb_pci_driver); ++ if (ret) ++ debugfs_remove_recursive(debugfs_dir); ++ ++ return ret; + } + module_init(amd_ntb_pci_driver_init); + +-- +2.39.2 + diff --git a/queue-4.19/ntb-idt-fix-error-handling-in-idt_pci_driver_init.patch b/queue-4.19/ntb-idt-fix-error-handling-in-idt_pci_driver_init.patch new file mode 100644 index 00000000000..2613d7d0cfa --- /dev/null +++ b/queue-4.19/ntb-idt-fix-error-handling-in-idt_pci_driver_init.patch 
@@ -0,0 +1,66 @@ +From 6c414abbd187488cca9dedbfb323305e19628e74 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Nov 2022 09:43:01 +0000 +Subject: ntb: idt: Fix error handling in idt_pci_driver_init() + +From: Yuan Can + +[ Upstream commit c012968259b451dc4db407f2310fe131eaefd800 ] + +A problem about ntb_hw_idt create debugfs failed is triggered with the +following log given: + + [ 1236.637636] IDT PCI-E Non-Transparent Bridge Driver 2.0 + [ 1236.639292] debugfs: Directory 'ntb_hw_idt' with parent '/' already present! + +The reason is that idt_pci_driver_init() returns pci_register_driver() +directly without checking its return value, if pci_register_driver() +failed, it returns without destroy the newly created debugfs, resulting +the debugfs of ntb_hw_idt can never be created later. + + idt_pci_driver_init() + debugfs_create_dir() # create debugfs directory + pci_register_driver() + driver_register() + bus_add_driver() + priv = kzalloc(...) # OOM happened + # return without destroy debugfs directory + +Fix by removing debugfs when pci_register_driver() returns error. 
+ +Fixes: bf2a952d31d2 ("NTB: Add IDT 89HPESxNTx PCIe-switches support") +Signed-off-by: Yuan Can +Signed-off-by: Jon Mason +Signed-off-by: Sasha Levin +--- + drivers/ntb/hw/idt/ntb_hw_idt.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/ntb/hw/idt/ntb_hw_idt.c b/drivers/ntb/hw/idt/ntb_hw_idt.c +index a67ef23e81bca..82e08f583980b 100644 +--- a/drivers/ntb/hw/idt/ntb_hw_idt.c ++++ b/drivers/ntb/hw/idt/ntb_hw_idt.c +@@ -2692,6 +2692,7 @@ static struct pci_driver idt_pci_driver = { + + static int __init idt_pci_driver_init(void) + { ++ int ret; + pr_info("%s %s\n", NTB_DESC, NTB_VER); + + /* Create the top DebugFS directory if the FS is initialized */ +@@ -2699,7 +2700,11 @@ static int __init idt_pci_driver_init(void) + dbgfs_topdir = debugfs_create_dir(KBUILD_MODNAME, NULL); + + /* Register the NTB hardware driver to handle the PCI device */ +- return pci_register_driver(&idt_pci_driver); ++ ret = pci_register_driver(&idt_pci_driver); ++ if (ret) ++ debugfs_remove_recursive(dbgfs_topdir); ++ ++ return ret; + } + module_init(idt_pci_driver_init); + +-- +2.39.2 + diff --git a/queue-4.19/ntb-intel-fix-error-handling-in-intel_ntb_pci_driver.patch b/queue-4.19/ntb-intel-fix-error-handling-in-intel_ntb_pci_driver.patch new file mode 100644 index 00000000000..e1e8747c123 --- /dev/null +++ b/queue-4.19/ntb-intel-fix-error-handling-in-intel_ntb_pci_driver.patch 
@@ -0,0 +1,65 @@ +From 358aa040c10230eb3cb6ebcf84c9dfe99ded0948 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Nov 2022 09:43:22 +0000 +Subject: ntb: intel: Fix error handling in intel_ntb_pci_driver_init() + +From: Yuan Can + +[ Upstream commit 4c3c796aca02883ad35bb117468938cc4022ca41 ] + +A problem about ntb_hw_intel create debugfs failed is triggered with the +following log given: + + [ 273.112733] Intel(R) PCI-E Non-Transparent Bridge Driver 2.0 + [ 273.115342] debugfs: Directory 'ntb_hw_intel' with parent '/' already present! + +The reason is that intel_ntb_pci_driver_init() returns +pci_register_driver() directly without checking its return value, if +pci_register_driver() failed, it returns without destroy the newly created +debugfs, resulting the debugfs of ntb_hw_intel can never be created later. + + intel_ntb_pci_driver_init() + debugfs_create_dir() # create debugfs directory + pci_register_driver() + driver_register() + bus_add_driver() + priv = kzalloc(...) # OOM happened + # return without destroy debugfs directory + +Fix by removing debugfs when pci_register_driver() returns error. 
+ +Fixes: e26a5843f7f5 ("NTB: Split ntb_hw_intel and ntb_transport drivers") +Signed-off-by: Yuan Can +Acked-by: Dave Jiang +Signed-off-by: Jon Mason +Signed-off-by: Sasha Levin +--- + drivers/ntb/hw/intel/ntb_hw_gen1.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/ntb/hw/intel/ntb_hw_gen1.c b/drivers/ntb/hw/intel/ntb_hw_gen1.c +index 2ad263f708da7..084bd1d1ac1dc 100644 +--- a/drivers/ntb/hw/intel/ntb_hw_gen1.c ++++ b/drivers/ntb/hw/intel/ntb_hw_gen1.c +@@ -2052,12 +2052,17 @@ static struct pci_driver intel_ntb_pci_driver = { + + static int __init intel_ntb_pci_driver_init(void) + { ++ int ret; + pr_info("%s %s\n", NTB_DESC, NTB_VER); + + if (debugfs_initialized()) + debugfs_dir = debugfs_create_dir(KBUILD_MODNAME, NULL); + +- return pci_register_driver(&intel_ntb_pci_driver); ++ ret = pci_register_driver(&intel_ntb_pci_driver); ++ if (ret) ++ debugfs_remove_recursive(debugfs_dir); ++ ++ return ret; + } + module_init(intel_ntb_pci_driver_init); + +-- +2.39.2 + diff --git a/queue-4.19/ntb-ntb_tool-add-check-for-devm_kcalloc.patch b/queue-4.19/ntb-ntb_tool-add-check-for-devm_kcalloc.patch new file mode 100644 index 00000000000..eb80d5ff7cf --- /dev/null +++ b/queue-4.19/ntb-ntb_tool-add-check-for-devm_kcalloc.patch 
@@ -0,0 +1,39 @@ +From f72bc20308a55f4ea33714c839246367d246b89d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Nov 2022 11:32:44 +0800 +Subject: NTB: ntb_tool: Add check for devm_kcalloc + +From: Jiasheng Jiang + +[ Upstream commit 2790143f09938776a3b4f69685b380bae8fd06c7 ] + +As the devm_kcalloc may return NULL pointer, +it should be better to add check for the return +value, as same as the others. + +Fixes: 7f46c8b3a552 ("NTB: ntb_tool: Add full multi-port NTB API support") +Signed-off-by: Jiasheng Jiang +Reviewed-by: Serge Semin +Reviewed-by: Dave Jiang +Signed-off-by: Jon Mason +Signed-off-by: Sasha Levin +--- + drivers/ntb/test/ntb_tool.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/ntb/test/ntb_tool.c b/drivers/ntb/test/ntb_tool.c +index 6301aa413c3b8..1f64146546221 100644 +--- a/drivers/ntb/test/ntb_tool.c ++++ b/drivers/ntb/test/ntb_tool.c +@@ -998,6 +998,8 @@ static int tool_init_mws(struct tool_ctx *tc) + tc->peers[pidx].outmws = + devm_kcalloc(&tc->ntb->dev, tc->peers[pidx].outmw_cnt, + sizeof(*tc->peers[pidx].outmws), GFP_KERNEL); ++ if (tc->peers[pidx].outmws == NULL) ++ return -ENOMEM; + + for (widx = 0; widx < tc->peers[pidx].outmw_cnt; widx++) { + tc->peers[pidx].outmws[widx].pidx = pidx; +-- +2.39.2 + diff --git a/queue-4.19/ntb-ntb_transport-fix-possible-memory-leak-while-dev.patch b/queue-4.19/ntb-ntb_transport-fix-possible-memory-leak-while-dev.patch new file mode 100644 index 00000000000..8fd7c5128b6 --- /dev/null +++ b/queue-4.19/ntb-ntb_transport-fix-possible-memory-leak-while-dev.patch 
@@ -0,0 +1,42 @@ +From 7b07412afefa9dcd30ba063fc844a1f2104b6fae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Nov 2022 23:19:17 +0800 +Subject: NTB: ntb_transport: fix possible memory leak while device_register() + fails + +From: Yang Yingliang + +[ Upstream commit 8623ccbfc55d962e19a3537652803676ad7acb90 ] + +If device_register() returns error, the name allocated by +dev_set_name() need be freed. As comment of device_register() +says, it should use put_device() to give up the reference in +the error path. So fix this by calling put_device(), then the +name can be freed in kobject_cleanup(), and client_dev is freed +in ntb_transport_client_release(). + +Fixes: fce8a7bb5b4b ("PCI-Express Non-Transparent Bridge Support") +Signed-off-by: Yang Yingliang +Reviewed-by: Dave Jiang +Signed-off-by: Jon Mason +Signed-off-by: Sasha Levin +--- + drivers/ntb/ntb_transport.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/ntb/ntb_transport.c b/drivers/ntb/ntb_transport.c +index 9398959664769..2d647a1cd0ee5 100644 +--- a/drivers/ntb/ntb_transport.c ++++ b/drivers/ntb/ntb_transport.c +@@ -393,7 +393,7 @@ int ntb_transport_register_client_dev(char *device_name) + + rc = device_register(dev); + if (rc) { +- kfree(client_dev); ++ put_device(dev); + goto err; + } + +-- +2.39.2 + diff --git a/queue-4.19/series b/queue-4.19/series index ae4e36dbf20..fa35ca48a01 100644 --- a/queue-4.19/series +++ b/queue-4.19/series 
@@ -134,3 +134,15 @@ netfilter-nf_tables-unbind-non-anonymous-set-if-rule-construction-fails.patch netfilter-nf_tables-fix-scheduling-while-atomic-splat.patch netfilter-conntrack-avoid-nf_ct_helper_hash-uses-after-free.patch netfilter-nf_tables-prevent-oob-access-in-nft_byteorder_eval.patch +net-mvneta-fix-txq_map-in-case-of-txq_number-1.patch +vrf-increment-icmp6inmsgs-on-the-original-netdev.patch +icmp6-fix-null-ptr-deref-of-ip6_null_entry-rt6i_idev.patch +udp6-fix-udp6_ehashfn-typo.patch +ntb-idt-fix-error-handling-in-idt_pci_driver_init.patch +ntb-amd-fix-error-handling-in-amd_ntb_pci_driver_ini.patch +ntb-intel-fix-error-handling-in-intel_ntb_pci_driver.patch +ntb-ntb_transport-fix-possible-memory-leak-while-dev.patch +ntb-ntb_tool-add-check-for-devm_kcalloc.patch +ipv6-addrconf-fix-a-potential-refcount-underflow-for.patch +wifi-airo-avoid-uninitialized-warning-in-airo_get_ra.patch +net-sched-make-psched_mtu-rtnl-less-safe.patch diff --git a/queue-4.19/udp6-fix-udp6_ehashfn-typo.patch b/queue-4.19/udp6-fix-udp6_ehashfn-typo.patch new file mode 100644 index 00000000000..83cd000c763 --- /dev/null +++ b/queue-4.19/udp6-fix-udp6_ehashfn-typo.patch 
@@ -0,0 +1,40 @@ +From dd4780f2e582e32ee8f5c8c08d03b8b73e369d5c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 8 Jul 2023 08:29:58 +0000 +Subject: udp6: fix udp6_ehashfn() typo + +From: Eric Dumazet + +[ Upstream commit 51d03e2f2203e76ed02d33fb5ffbb5fc85ffaf54 ] + +Amit Klein reported that udp6_ehash_secret was initialized but never used. + +Fixes: 1bbdceef1e53 ("inet: convert inet_ehash_secret and ipv6_hash_secret to net_get_random_once") +Reported-by: Amit Klein +Signed-off-by: Eric Dumazet +Cc: Willy Tarreau +Cc: Willem de Bruijn +Cc: David Ahern +Cc: Hannes Frederic Sowa +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/udp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c +index 9274603514e54..cf0bbe2e3a79f 100644 +--- a/net/ipv6/udp.c ++++ b/net/ipv6/udp.c +@@ -99,7 +99,7 @@ static u32 udp6_ehashfn(const struct net *net, + fhash = __ipv6_addr_jhash(faddr, udp_ipv6_hash_secret); + + return __inet6_ehashfn(lhash, lport, fhash, fport, +- udp_ipv6_hash_secret + net_hash_mix(net)); ++ udp6_ehash_secret + net_hash_mix(net)); + } + + int udp_v6_get_port(struct sock *sk, unsigned short snum) +-- +2.39.2 + diff --git a/queue-4.19/vrf-increment-icmp6inmsgs-on-the-original-netdev.patch b/queue-4.19/vrf-increment-icmp6inmsgs-on-the-original-netdev.patch new file mode 100644 index 00000000000..fd7f5edd549 --- /dev/null +++ b/queue-4.19/vrf-increment-icmp6inmsgs-on-the-original-netdev.patch 
@@ -0,0 +1,127 @@ +From ca9b3ac6d3bbb8860c544487324e18a6481a20d7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Jun 2019 10:32:50 -0400 +Subject: vrf: Increment Icmp6InMsgs on the original netdev + +From: Stephen Suryaputra + +[ Upstream commit e1ae5c2ea4783b1fd87be250f9fcc9d9e1a6ba3f ] + +Get the ingress interface and increment ICMP counters based on that +instead of skb->dev when the the dev is a VRF device. + +This is a follow up on the following message: +https://www.spinics.net/lists/netdev/msg560268.html + +v2: Avoid changing skb->dev since it has unintended effect for local + delivery (David Ahern). +Signed-off-by: Stephen Suryaputra +Reviewed-by: David Ahern +Signed-off-by: David S. Miller +Stable-dep-of: 2aaa8a15de73 ("icmp6: Fix null-ptr-deref of ip6_null_entry->rt6i_idev in icmp6_dev().") +Signed-off-by: Sasha Levin +--- + include/net/addrconf.h | 16 ++++++++++++++++ + net/ipv6/icmp.c | 17 +++++++++++------ + net/ipv6/reassembly.c | 4 ++-- + 3 files changed, 29 insertions(+), 8 deletions(-) + +diff --git a/include/net/addrconf.h b/include/net/addrconf.h +index db2a87981dd46..9583d3bbab039 100644 +--- a/include/net/addrconf.h ++++ b/include/net/addrconf.h +@@ -340,6 +340,22 @@ static inline struct inet6_dev *__in6_dev_get(const struct net_device *dev) + return rcu_dereference_rtnl(dev->ip6_ptr); + } + ++/** ++ * __in6_dev_stats_get - get inet6_dev pointer for stats ++ * @dev: network device ++ * @skb: skb for original incoming interface if neeeded ++ * ++ * Caller must hold rcu_read_lock or RTNL, because this function ++ * does not take a reference on the inet6_dev. 
++ */ ++static inline struct inet6_dev *__in6_dev_stats_get(const struct net_device *dev, ++ const struct sk_buff *skb) ++{ ++ if (netif_is_l3_master(dev)) ++ dev = dev_get_by_index_rcu(dev_net(dev), inet6_iif(skb)); ++ return __in6_dev_get(dev); ++} ++ + /** + * __in6_dev_get_safely - get inet6_dev pointer from netdevice + * @dev: network device +diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c +index fbc8746371b6d..1b86a2e03d049 100644 +--- a/net/ipv6/icmp.c ++++ b/net/ipv6/icmp.c +@@ -395,23 +395,28 @@ static struct dst_entry *icmpv6_route_lookup(struct net *net, + return ERR_PTR(err); + } + +-static int icmp6_iif(const struct sk_buff *skb) ++static struct net_device *icmp6_dev(const struct sk_buff *skb) + { +- int iif = skb->dev->ifindex; ++ struct net_device *dev = skb->dev; + + /* for local traffic to local address, skb dev is the loopback + * device. Check if there is a dst attached to the skb and if so + * get the real device index. Same is needed for replies to a link + * local address on a device enslaved to an L3 master device + */ +- if (unlikely(iif == LOOPBACK_IFINDEX || netif_is_l3_master(skb->dev))) { ++ if (unlikely(dev->ifindex == LOOPBACK_IFINDEX || netif_is_l3_master(skb->dev))) { + const struct rt6_info *rt6 = skb_rt6_info(skb); + + if (rt6) +- iif = rt6->rt6i_idev->dev->ifindex; ++ dev = rt6->rt6i_idev->dev; + } + +- return iif; ++ return dev; ++} ++ ++static int icmp6_iif(const struct sk_buff *skb) ++{ ++ return icmp6_dev(skb)->ifindex; + } + + /* +@@ -800,7 +805,7 @@ void icmpv6_notify(struct sk_buff *skb, u8 type, u8 code, __be32 info) + static int icmpv6_rcv(struct sk_buff *skb) + { + struct net *net = dev_net(skb->dev); +- struct net_device *dev = skb->dev; ++ struct net_device *dev = icmp6_dev(skb); + struct inet6_dev *idev = __in6_dev_get(dev); + const struct in6_addr *saddr, *daddr; + struct icmp6hdr *hdr; +diff --git a/net/ipv6/reassembly.c b/net/ipv6/reassembly.c +index 60dfd0d118512..b596727f04978 100644 +--- a/net/ipv6/reassembly.c 
++++ b/net/ipv6/reassembly.c +@@ -302,7 +302,7 @@ static int ip6_frag_reasm(struct frag_queue *fq, struct sk_buff *skb, + skb_network_header_len(skb)); + + rcu_read_lock(); +- __IP6_INC_STATS(net, __in6_dev_get(dev), IPSTATS_MIB_REASMOKS); ++ __IP6_INC_STATS(net, __in6_dev_stats_get(dev, skb), IPSTATS_MIB_REASMOKS); + rcu_read_unlock(); + fq->q.fragments = NULL; + fq->q.rb_fragments = RB_ROOT; +@@ -317,7 +317,7 @@ static int ip6_frag_reasm(struct frag_queue *fq, struct sk_buff *skb, + net_dbg_ratelimited("ip6_frag_reasm: no memory for reassembly\n"); + out_fail: + rcu_read_lock(); +- __IP6_INC_STATS(net, __in6_dev_get(dev), IPSTATS_MIB_REASMFAILS); ++ __IP6_INC_STATS(net, __in6_dev_stats_get(dev, skb), IPSTATS_MIB_REASMFAILS); + rcu_read_unlock(); + inet_frag_kill(&fq->q); + return -1; +-- +2.39.2 + diff --git a/queue-4.19/wifi-airo-avoid-uninitialized-warning-in-airo_get_ra.patch b/queue-4.19/wifi-airo-avoid-uninitialized-warning-in-airo_get_ra.patch new file mode 100644 index 00000000000..e6a83160c61 --- /dev/null +++ b/queue-4.19/wifi-airo-avoid-uninitialized-warning-in-airo_get_ra.patch 
@@ -0,0 +1,47 @@ +From 5f65296a9458994473a1830d34aed8a66606adf3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 9 Jul 2023 06:31:54 -0700 +Subject: wifi: airo: avoid uninitialized warning in airo_get_rate() + +From: Randy Dunlap + +[ Upstream commit 9373771aaed17f5c2c38485f785568abe3a9f8c1 ] + +Quieten a gcc (11.3.0) build error or warning by checking the function +call status and returning -EBUSY if the function call failed. +This is similar to what several other wireless drivers do for the +SIOCGIWRATE ioctl call when there is a locking problem. + +drivers/net/wireless/cisco/airo.c: error: 'status_rid.currentXmitRate' is used uninitialized [-Werror=uninitialized] + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Randy Dunlap +Reported-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/39abf2c7-24a-f167-91da-ed4c5435d1c4@linux-m68k.org +Link: https://lore.kernel.org/r/20230709133154.26206-1-rdunlap@infradead.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/cisco/airo.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/cisco/airo.c b/drivers/net/wireless/cisco/airo.c +index 5a6ee0b014da0..a01b42c7c07ac 100644 +--- a/drivers/net/wireless/cisco/airo.c ++++ b/drivers/net/wireless/cisco/airo.c +@@ -6100,8 +6100,11 @@ static int airo_get_rate(struct net_device *dev, + { + struct airo_info *local = dev->ml_priv; + StatusRid status_rid; /* Card status info */ ++ int ret; + +- readStatusRid(local, &status_rid, 1); ++ ret = readStatusRid(local, &status_rid, 1); ++ if (ret) ++ return -EBUSY; + + vwrq->value = le16_to_cpu(status_rid.currentXmitRate) * 500000; + /* If more than one rate, set auto */ +-- +2.39.2 +
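Review bot: in the net/ipv6/icmp.c hunk of icmp6-fix-null-ptr-deref-of-ip6_null_entry-rt6i_idev.patch, the new test "if (rt6 && rt6->rt6i_idev)" silently leaves dev as skb->dev when the idev is NULL, and the added comment explains why the idev can be NULL but not what device the caller then gets. icmp6_iif() returns icmp6_dev(skb)->ifindex, so on this path it reports the loopback or L3 master ifindex. Please extend the comment to say that falling back to skb->dev is intended. The oops quoted in the message is from 6.4.0; a line confirming the reproducer was run against 4.19 with the vrf dependency applied would help a stable reviewer.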
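Review bot: in addrconf_mod_rs_timer() the reference is now taken after the timer has been armed ("if (!mod_timer(&idev->rs_timer, jiffies + when)) in6_dev_hold(idev);"), so there is a short window in which addrconf_rs_timer() can already run and drop its reference before in6_dev_hold() executes. That is only safe while every caller holds its own reference on idev across the call. The hunk does not show the callers, so please add a one-line comment above the function stating that requirement, so a later caller does not reintroduce an underflow from the other side.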
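Review bot: the mvneta change corrects the same literal, MVNETA_CPU_TXQ_ACCESS(1) to MVNETA_CPU_TXQ_ACCESS(0), by hand in both mvneta_defaults_set() and mvneta_percpu_elect(); the two "txq_number == 1" branches are identical apart from the CPU they compare against and were wrong in the same way. Consider a small helper that returns the single-queue map for a given CPU, or at least a named constant for queue 0, so the two sites cannot drift apart again.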
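Review bot: in psched_mtu() only dev->mtu is wrapped in READ_ONCE(); dev->hard_header_len on the same line is still a plain load, and the hunk touches no writer of dev->mtu. If hard_header_len can also change while sch_pie runs without RTNL, it needs the same annotation; if it cannot, the commit message should say why. A reader-side READ_ONCE() also only documents the race fully when the writers use WRITE_ONCE(), so it is worth stating whether they already do.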
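Review bot: in amd_ntb_pci_driver_init() the new "int ret;" is followed directly by pr_info() with no blank line after the declaration, which checkpatch flags; the idt and intel hunks have the same layout. Separately, the error path calls debugfs_remove_recursive(debugfs_dir) unconditionally while the directory is only created under debugfs_initialized(). That works because debugfs_remove_recursive() ignores a NULL or error dentry, but a short comment saying so would save the next reader from checking.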
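Review bot: the new check in tool_init_mws() is written "if (tc->peers[pidx].outmws == NULL)"; kernel style prefers "if (!tc->peers[pidx].outmws)". The early "return -ENOMEM" leaves the arrays allocated for earlier peers in place, which is acceptable only because they come from devm_kcalloc() and are released with the device; the commit message should say that so the return is not mistaken for a leak.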
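Review bot: in ntb_transport_register_client_dev() the failure branch now does put_device(dev) and then "goto err", and the hunk does not show what the err label does. According to the commit message, dropping the last reference frees client_dev through ntb_transport_client_release(), so any access to dev or client_dev under err would be a use-after-free. Please confirm that the label only unwinds state that does not live in client_dev, or show that part of the function as context.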
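Review bot: the udp6_ehashfn() commit message says only that udp6_ehash_secret was initialized but never used, and leaves out the effect that is visible in the hunk: the final __inet6_ehashfn() call was keyed with udp_ipv6_hash_secret, the same secret already passed to __ipv6_addr_jhash() for fhash on the line above. Please state in the message that the established-hash key was effectively the address-hash key, so a stable maintainer can judge the fix without reading the code.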
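Review bot: in the include/net/addrconf.h hunk of the vrf patch, __in6_dev_stats_get() passes the result of dev_get_by_index_rcu() straight to __in6_dev_get(), which reads dev->ip6_ptr. dev_get_by_index_rcu() returns NULL when no device has that index, so a missing check here is a NULL dereference on the l3 master path. Suggest returning NULL early when the lookup fails and confirming that __IP6_INC_STATS() accepts a NULL idev. The kernel-doc also has a typo, "neeeded".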
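Review bot: in the net/ipv6/icmp.c hunk of the vrf patch, icmp6_dev() assigns "dev = rt6->rt6i_idev->dev;" after checking only rt6, which is exactly the dereference that icmp6-fix-null-ptr-deref-of-ip6_null_entry-rt6i_idev.patch guards. The series file does list the vrf patch immediately before that fix; please note in the queue that the two must be applied and released together, since this patch also routes icmpv6_rcv() through icmp6_dev() and so widens the set of callers that reach the unchecked dereference.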
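Review bot: airo_get_rate() now maps every readStatusRid() failure to -EBUSY and discards the value stored in ret, so the new variable carries no information beyond zero or non-zero. Either propagate ret if readStatusRid() returns a usable errno, or drop the variable and test the call directly, "if (readStatusRid(local, &status_rid, 1)) return -EBUSY;", with a comment that -EBUSY is chosen to match the other wireless drivers as the commit message says.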