From: Sasha Levin Date: Mon, 28 Mar 2022 15:10:13 +0000 (-0400) Subject: Fixes for 5.4 X-Git-Tag: v4.14.275~74 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5cfb6877b2d8169c32c879faba03cdf4bff2335c;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/af_key-add-__gfp_zero-flag-for-compose_sadb_supporte.patch b/queue-5.4/af_key-add-__gfp_zero-flag-for-compose_sadb_supporte.patch new file mode 100644 index 00000000000..5cdfa65abf0 --- /dev/null +++ b/queue-5.4/af_key-add-__gfp_zero-flag-for-compose_sadb_supporte.patch @@ -0,0 +1,43 @@ +From a97e16814e97ec31ac7327589228c0abee7885b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Mar 2022 11:20:28 +0800 +Subject: af_key: add __GFP_ZERO flag for compose_sadb_supported in function + pfkey_register + +From: Haimin Zhang + +[ Upstream commit 9a564bccb78a76740ea9d75a259942df8143d02c ] + +Add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register +to initialize the buffer of supp_skb to fix a kernel-info-leak issue. +1) Function pfkey_register calls compose_sadb_supported to request +a sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate +a sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then +compose_sadb_supported treats the memory as a struct sadb_supported and +begins to initialize. But it just initializes the field sadb_supported_len +and field sadb_supported_exttype without field sadb_supported_reserved. + +Reported-by: TCS Robot +Signed-off-by: Haimin Zhang +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/key/af_key.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/key/af_key.c b/net/key/af_key.c +index 406e13478b01..2ac9560020f9 100644 +--- a/net/key/af_key.c ++++ b/net/key/af_key.c +@@ -1703,7 +1703,7 @@ static int pfkey_register(struct sock *sk, struct sk_buff *skb, const struct sad + + xfrm_probe_algs(); + +- supp_skb = compose_sadb_supported(hdr, GFP_KERNEL); ++ supp_skb = compose_sadb_supported(hdr, GFP_KERNEL | __GFP_ZERO); + if (!supp_skb) { + if (hdr->sadb_msg_satype != SADB_SATYPE_UNSPEC) + pfk->registered &= ~(1<sadb_msg_satype); +-- +2.34.1 + diff --git a/queue-5.4/ethernet-sun-free-the-coherent-when-failing-in-probi.patch b/queue-5.4/ethernet-sun-free-the-coherent-when-failing-in-probi.patch new file mode 100644 index 00000000000..fc2b5e6c2e2 --- /dev/null +++ b/queue-5.4/ethernet-sun-free-the-coherent-when-failing-in-probi.patch @@ -0,0 +1,47 @@ +From 446043f32f75ea99dcc7246f6747d87430ffbfa1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Mar 2022 14:55:04 +0000 +Subject: ethernet: sun: Free the coherent when failing in probing + +From: Zheyu Ma + +[ Upstream commit bb77bd31c281f70ec77c9c4f584950a779e05cf8 ] + +When the driver fails to register net device, it should free the DMA +region first, and then do other cleanup. + +Signed-off-by: Zheyu Ma +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/sun/sunhme.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/sun/sunhme.c b/drivers/net/ethernet/sun/sunhme.c +index d007dfeba5c3..3133f903279c 100644 +--- a/drivers/net/ethernet/sun/sunhme.c ++++ b/drivers/net/ethernet/sun/sunhme.c +@@ -3164,7 +3164,7 @@ static int happy_meal_pci_probe(struct pci_dev *pdev, + if (err) { + printk(KERN_ERR "happymeal(PCI): Cannot register net device, " + "aborting.\n"); +- goto err_out_iounmap; ++ goto err_out_free_coherent; + } + + pci_set_drvdata(pdev, hp); +@@ -3197,6 +3197,10 @@ static int happy_meal_pci_probe(struct pci_dev *pdev, + + return 0; + ++err_out_free_coherent: ++ dma_free_coherent(hp->dma_dev, PAGE_SIZE, ++ hp->happy_block, hp->hblock_dvma); ++ + err_out_iounmap: + iounmap(hp->gregs); + +-- +2.34.1 + diff --git a/queue-5.4/hid-logitech-dj-add-new-lightspeed-receiver-id.patch b/queue-5.4/hid-logitech-dj-add-new-lightspeed-receiver-id.patch new file mode 100644 index 00000000000..16a50714114 --- /dev/null +++ b/queue-5.4/hid-logitech-dj-add-new-lightspeed-receiver-id.patch @@ -0,0 +1,43 @@ +From 96c5c0ebc81f59316e1fe378daff016f8fc58cba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Jan 2022 11:44:00 -0300 +Subject: HID: logitech-dj: add new lightspeed receiver id + +From: Lucas Zampieri + +[ Upstream commit 25666e8ccd952627899b09b68f7c9b68cfeaf028 ] + +As of logitech lightspeed receiver fw version 04.02.B0009, +HIDPP_PARAM_DEVICE_INFO is being reported as 0x11. + +With patch "HID: logitech-dj: add support for the new lightspeed receiver +iteration", the mouse starts to error out with: + logitech-djreceiver: unusable device of type UNKNOWN (0x011) connected on + slot 1 +and becomes unusable. + +This has been noticed on a Logitech G Pro X Superlight fw MPM 25.01.B0018. + +Signed-off-by: Lucas Zampieri +Acked-by: Nestor Lopez Casado +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-logitech-dj.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/hid/hid-logitech-dj.c b/drivers/hid/hid-logitech-dj.c +index 4267e2f2e70f..a663cbb7b683 100644 +--- a/drivers/hid/hid-logitech-dj.c ++++ b/drivers/hid/hid-logitech-dj.c +@@ -1000,6 +1000,7 @@ static void logi_hidpp_recv_queue_notif(struct hid_device *hdev, + workitem.reports_supported |= STD_KEYBOARD; + break; + case 0x0f: ++ case 0x11: + device_type = "eQUAD Lightspeed 1.2"; + logi_hidpp_dev_conn_notif_equad(hdev, hidpp_report, &workitem); + workitem.reports_supported |= STD_KEYBOARD; +-- +2.34.1 + diff --git a/queue-5.4/net-dsa-microchip-add-spi_device_id-tables.patch b/queue-5.4/net-dsa-microchip-add-spi_device_id-tables.patch new file mode 100644 index 00000000000..17a5f5c8ab5 --- /dev/null +++ b/queue-5.4/net-dsa-microchip-add-spi_device_id-tables.patch @@ -0,0 +1,80 @@ +From 640174a70dd9ba1ceafd38fe620117ff182e9d4e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Mar 2022 13:17:16 +0200 +Subject: net: dsa: microchip: add spi_device_id tables + +From: Claudiu Beznea + +[ Upstream commit e981bc74aefc6a177b50c16cfa7023599799cf74 ] + +Add spi_device_id tables to avoid logs like "SPI driver ksz9477-switch +has no spi_device_id". + +Signed-off-by: Claudiu Beznea +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/microchip/ksz8795_spi.c | 11 +++++++++++ + drivers/net/dsa/microchip/ksz9477_spi.c | 12 ++++++++++++ + 2 files changed, 23 insertions(+) + +diff --git a/drivers/net/dsa/microchip/ksz8795_spi.c b/drivers/net/dsa/microchip/ksz8795_spi.c +index 8b00f8e6c02f..5639c5c59e25 100644 +--- a/drivers/net/dsa/microchip/ksz8795_spi.c ++++ b/drivers/net/dsa/microchip/ksz8795_spi.c +@@ -86,12 +86,23 @@ static const struct of_device_id ksz8795_dt_ids[] = { + }; + MODULE_DEVICE_TABLE(of, ksz8795_dt_ids); + ++static const struct spi_device_id ksz8795_spi_ids[] = { ++ { "ksz8765" }, ++ { "ksz8794" }, ++ { "ksz8795" }, ++ { "ksz8863" }, ++ { "ksz8873" }, ++ { }, ++}; ++MODULE_DEVICE_TABLE(spi, ksz8795_spi_ids); ++ + static struct spi_driver ksz8795_spi_driver = { + .driver = { + .name = "ksz8795-switch", + .owner = THIS_MODULE, + .of_match_table = of_match_ptr(ksz8795_dt_ids), + }, ++ .id_table = ksz8795_spi_ids, + .probe = ksz8795_spi_probe, + .remove = ksz8795_spi_remove, + .shutdown = ksz8795_spi_shutdown, +diff --git a/drivers/net/dsa/microchip/ksz9477_spi.c b/drivers/net/dsa/microchip/ksz9477_spi.c +index 1142768969c2..9bda83d063e8 100644 +--- a/drivers/net/dsa/microchip/ksz9477_spi.c ++++ b/drivers/net/dsa/microchip/ksz9477_spi.c +@@ -88,12 +88,24 @@ static const struct of_device_id ksz9477_dt_ids[] = { + }; + MODULE_DEVICE_TABLE(of, ksz9477_dt_ids); + ++static const struct spi_device_id ksz9477_spi_ids[] = { ++ { "ksz9477" }, ++ { "ksz9897" }, ++ { "ksz9893" }, ++ { "ksz9563" }, ++ { "ksz8563" }, ++ { "ksz9567" }, ++ { }, ++}; ++MODULE_DEVICE_TABLE(spi, ksz9477_spi_ids); ++ + static struct spi_driver ksz9477_spi_driver = { + .driver = { + .name = "ksz9477-switch", + .owner = THIS_MODULE, + .of_match_table = of_match_ptr(ksz9477_dt_ids), + }, ++ .id_table = ksz9477_spi_ids, + .probe = ksz9477_spi_probe, + .remove = ksz9477_spi_remove, + .shutdown = ksz9477_spi_shutdown, +-- +2.34.1 + diff --git a/queue-5.4/net-mcf8390-use-platform_get_irq-to-get-the-interrup.patch b/queue-5.4/net-mcf8390-use-platform_get_irq-to-get-the-interrup.patch new file mode 100644 index 00000000000..d58cd40f579 --- /dev/null +++ b/queue-5.4/net-mcf8390-use-platform_get_irq-to-get-the-interrup.patch @@ -0,0 +1,60 @@ +From 74e98c28aedc6ecb28a18c25683f17f5c4613f41 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Mar 2022 06:43:09 +0000 +Subject: net:mcf8390: Use platform_get_irq() to get the interrupt + +From: Minghao Chi (CGEL ZTE) + +[ Upstream commit 2a760554dcba450d3ad61b32375b50ed6d59a87c ] + +It is not recommened to use platform_get_resource(pdev, IORESOURCE_IRQ) +for requesting IRQ's resources any more, as they can be not ready yet in +case of DT-booting. + +platform_get_irq() instead is a recommended way for getting IRQ even if +it was not retrieved earlier. + +It also makes code simpler because we're getting "int" value right away +and no conversion from resource to int is required. + +Reported-by: Zeal Robot +Signed-off-by: Minghao Chi (CGEL ZTE) +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/8390/mcf8390.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/8390/mcf8390.c b/drivers/net/ethernet/8390/mcf8390.c +index 4ad8031ab669..065fdbe66c42 100644 +--- a/drivers/net/ethernet/8390/mcf8390.c ++++ b/drivers/net/ethernet/8390/mcf8390.c +@@ -406,12 +406,12 @@ static int mcf8390_init(struct net_device *dev) + static int mcf8390_probe(struct platform_device *pdev) + { + struct net_device *dev; +- struct resource *mem, *irq; ++ struct resource *mem; + resource_size_t msize; +- int ret; ++ int ret, irq; + +- irq = platform_get_resource(pdev, IORESOURCE_IRQ, 0); +- if (irq == NULL) { ++ irq = platform_get_irq(pdev, 0); ++ if (irq < 0) { + dev_err(&pdev->dev, "no IRQ specified?\n"); + return -ENXIO; + } +@@ -434,7 +434,7 @@ static int mcf8390_probe(struct platform_device *pdev) + SET_NETDEV_DEV(dev, &pdev->dev); + platform_set_drvdata(pdev, dev); + +- dev->irq = irq->start; ++ dev->irq = irq; + dev->base_addr = mem->start; + + ret = mcf8390_init(dev); +-- +2.34.1 + diff --git a/queue-5.4/series b/queue-5.4/series index b3f6be98d6c..613d381b47d 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -3,3 +3,12 @@ usb-serial-pl2303-add-ibm-device-ids.patch usb-serial-simple-add-nokia-phone-driver.patch hv-utils-add-ptp_1588_clock-to-kconfig-to-fix-build.patch netdevice-add-the-case-if-dev-is-null.patch +hid-logitech-dj-add-new-lightspeed-receiver-id.patch +xfrm-fix-tunnel-model-fragmentation-behavior.patch +virtio_console-break-out-of-buf-poll-on-remove.patch +ethernet-sun-free-the-coherent-when-failing-in-probi.patch +spi-fix-invalid-sgs-value.patch +net-mcf8390-use-platform_get_irq-to-get-the-interrup.patch +spi-fix-erroneous-sgs-value-with-min_t.patch +af_key-add-__gfp_zero-flag-for-compose_sadb_supporte.patch +net-dsa-microchip-add-spi_device_id-tables.patch diff --git a/queue-5.4/spi-fix-erroneous-sgs-value-with-min_t.patch b/queue-5.4/spi-fix-erroneous-sgs-value-with-min_t.patch new file mode 100644 index 00000000000..a75f295f249 --- /dev/null +++ b/queue-5.4/spi-fix-erroneous-sgs-value-with-min_t.patch @@ -0,0 +1,59 @@ +From 64d5cf2fadd5c5e0d1ff2b8541cd8e8f68cef737 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Mar 2022 17:53:17 +0000 +Subject: spi: Fix erroneous sgs value with min_t() + +From: Biju Das + +[ Upstream commit ebc4cb43ea5ada3db46c80156fca58a54b9bbca8 ] + +While computing sgs in spi_map_buf(), the data type +used in min_t() for max_seg_size is 'unsigned int' where +as that of ctlr->max_dma_len is 'size_t'. + +min_t(unsigned int,x,y) gives wrong results if one of x/y is +'size_t' + +Consider the below examples on a 64-bit machine (ie size_t is +64-bits, and unsigned int is 32-bit). + case 1) min_t(unsigned int, 5, 0x100000001); + case 2) min_t(size_t, 5, 0x100000001); + +Case 1 returns '1', where as case 2 returns '5'. As you can see +the result from case 1 is wrong. + +This patch fixes the above issue by using the data type of the +parameters that are used in min_t with maximum data length. + +Fixes: commit 1a4e53d2fc4f68aa ("spi: Fix invalid sgs value") +Reported-by: Linus Torvalds +Suggested-by: Geert Uytterhoeven +Signed-off-by: Biju Das +Reviewed-by: Lad Prabhakar +Link: https://lore.kernel.org/r/20220316175317.465-1-biju.das.jz@bp.renesas.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c +index 837fa947dec7..b18ae50db1f5 100644 +--- a/drivers/spi/spi.c ++++ b/drivers/spi/spi.c +@@ -844,10 +844,10 @@ int spi_map_buf(struct spi_controller *ctlr, struct device *dev, + int i, ret; + + if (vmalloced_buf || kmap_buf) { +- desc_len = min_t(unsigned int, max_seg_size, PAGE_SIZE); ++ desc_len = min_t(unsigned long, max_seg_size, PAGE_SIZE); + sgs = DIV_ROUND_UP(len + offset_in_page(buf), desc_len); + } else if (virt_addr_valid(buf)) { +- desc_len = min_t(unsigned int, max_seg_size, ctlr->max_dma_len); ++ desc_len = min_t(size_t, max_seg_size, ctlr->max_dma_len); + sgs = DIV_ROUND_UP(len, desc_len); + } else { + return -EINVAL; +-- +2.34.1 + diff --git a/queue-5.4/spi-fix-invalid-sgs-value.patch b/queue-5.4/spi-fix-invalid-sgs-value.patch new file mode 100644 index 00000000000..dcc1867edb3 --- /dev/null +++ b/queue-5.4/spi-fix-invalid-sgs-value.patch @@ -0,0 +1,47 @@ +From 49a42c37ab246a17db6d6ca9aa87ba8c5442361c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Mar 2022 18:48:43 +0000 +Subject: spi: Fix invalid sgs value + +From: Biju Das + +[ Upstream commit 1a4e53d2fc4f68aa654ad96d13ad042e1a8e8a7d ] + +max_seg_size is unsigned int and it can have a value up to 2^32 +(for eg:-RZ_DMAC driver sets dma_set_max_seg_size as U32_MAX) +When this value is used in min_t() as an integer type, it becomes +-1 and the value of sgs becomes 0. + +Fix this issue by replacing the 'int' data type with 'unsigned int' +in min_t(). + +Signed-off-by: Biju Das +Reviewed-by: Lad Prabhakar +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20220307184843.9994-1-biju.das.jz@bp.renesas.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c +index ac05c9c86488..837fa947dec7 100644 +--- a/drivers/spi/spi.c ++++ b/drivers/spi/spi.c +@@ -844,10 +844,10 @@ int spi_map_buf(struct spi_controller *ctlr, struct device *dev, + int i, ret; + + if (vmalloced_buf || kmap_buf) { +- desc_len = min_t(int, max_seg_size, PAGE_SIZE); ++ desc_len = min_t(unsigned int, max_seg_size, PAGE_SIZE); + sgs = DIV_ROUND_UP(len + offset_in_page(buf), desc_len); + } else if (virt_addr_valid(buf)) { +- desc_len = min_t(int, max_seg_size, ctlr->max_dma_len); ++ desc_len = min_t(unsigned int, max_seg_size, ctlr->max_dma_len); + sgs = DIV_ROUND_UP(len, desc_len); + } else { + return -EINVAL; +-- +2.34.1 + diff --git a/queue-5.4/virtio_console-break-out-of-buf-poll-on-remove.patch b/queue-5.4/virtio_console-break-out-of-buf-poll-on-remove.patch new file mode 100644 index 00000000000..c90568d263a --- /dev/null +++ b/queue-5.4/virtio_console-break-out-of-buf-poll-on-remove.patch @@ -0,0 +1,55 @@ +From 2088b5ab8f98be2c64e7d6ac997c442c2ab6c40d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Oct 2021 03:04:10 -0400 +Subject: virtio_console: break out of buf poll on remove + +From: Michael S. Tsirkin + +[ Upstream commit 0e7174b9d5877130fec41fb4a16e0c2ee4958d44 ] + +A common pattern for device reset is currently: +vdev->config->reset(vdev); +.. cleanup .. + +reset prevents new interrupts from arriving and waits for interrupt +handlers to finish. + +However if - as is common - the handler queues a work request which is +flushed during the cleanup stage, we have code adding buffers / trying +to get buffers while device is reset. Not good. + +This was reproduced by running + modprobe virtio_console + modprobe -r virtio_console +in a loop. + +Fix this up by calling virtio_break_device + flush before reset. + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1786239 +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Sasha Levin +--- + drivers/char/virtio_console.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c +index b453029487a1..2660a0c5483a 100644 +--- a/drivers/char/virtio_console.c ++++ b/drivers/char/virtio_console.c +@@ -1961,6 +1961,13 @@ static void virtcons_remove(struct virtio_device *vdev) + list_del(&portdev->list); + spin_unlock_irq(&pdrvdata_lock); + ++ /* Device is going away, exit any polling for buffers */ ++ virtio_break_device(vdev); ++ if (use_multiport(portdev)) ++ flush_work(&portdev->control_work); ++ else ++ flush_work(&portdev->config_work); ++ + /* Disable interrupts for vqs */ + vdev->config->reset(vdev); + /* Finish up work that's lined up */ +-- +2.34.1 + diff --git a/queue-5.4/xfrm-fix-tunnel-model-fragmentation-behavior.patch b/queue-5.4/xfrm-fix-tunnel-model-fragmentation-behavior.patch new file mode 100644 index 00000000000..25de82f9262 --- /dev/null +++ b/queue-5.4/xfrm-fix-tunnel-model-fragmentation-behavior.patch @@ -0,0 +1,115 @@ +From a7d771bea3cf77f09ee53ac1c98af8892599db45 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 26 Feb 2022 15:48:01 +0800 +Subject: xfrm: fix tunnel model fragmentation behavior + +From: Lina Wang + +[ Upstream commit 4ff2980b6bd2aa6b4ded3ce3b7c0ccfab29980af ] + +in tunnel mode, if outer interface(ipv4) is less, it is easily to let +inner IPV6 mtu be less than 1280. If so, a Packet Too Big ICMPV6 message +is received. When send again, packets are fragmentized with 1280, they +are still rejected with ICMPV6(Packet Too Big) by xfrmi_xmit2(). + +According to RFC4213 Section3.2.2: +if (IPv4 path MTU - 20) is less than 1280 + if packet is larger than 1280 bytes + Send ICMPv6 "packet too big" with MTU=1280 + Drop packet + else + Encapsulate but do not set the Don't Fragment + flag in the IPv4 header. The resulting IPv4 + packet might be fragmented by the IPv4 layer + on the encapsulator or by some router along + the IPv4 path. + endif +else + if packet is larger than (IPv4 path MTU - 20) + Send ICMPv6 "packet too big" with + MTU = (IPv4 path MTU - 20). + Drop packet. + else + Encapsulate and set the Don't Fragment flag + in the IPv4 header. + endif +endif +Packets should be fragmentized with ipv4 outer interface, so change it. + +After it is fragemtized with ipv4, there will be double fragmenation. +No.48 & No.51 are ipv6 fragment packets, No.48 is double fragmentized, +then tunneled with IPv4(No.49& No.50), which obey spec. And received peer +cannot decrypt it rightly. + +48 2002::10 2002::11 1296(length) IPv6 fragment (off=0 more=y ident=0xa20da5bc nxt=50) +49 0x0000 (0) 2002::10 2002::11 1304 IPv6 fragment (off=0 more=y ident=0x7448042c nxt=44) +50 0x0000 (0) 2002::10 2002::11 200 ESP (SPI=0x00035000) +51 2002::10 2002::11 180 Echo (ping) request +52 0x56dc 2002::10 2002::11 248 IPv6 fragment (off=1232 more=n ident=0xa20da5bc nxt=50) + +xfrm6_noneed_fragment has fixed above issues. Finally, it acted like below: +1 0x6206 192.168.1.138 192.168.1.1 1316 Fragmented IP protocol (proto=Encap Security Payload 50, off=0, ID=6206) [Reassembled in #2] +2 0x6206 2002::10 2002::11 88 IPv6 fragment (off=0 more=y ident=0x1f440778 nxt=50) +3 0x0000 2002::10 2002::11 248 ICMPv6 Echo (ping) request + +Signed-off-by: Lina Wang +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/ipv6/xfrm6_output.c | 16 ++++++++++++++++ + net/xfrm/xfrm_interface.c | 5 ++++- + 2 files changed, 20 insertions(+), 1 deletion(-) + +diff --git a/net/ipv6/xfrm6_output.c b/net/ipv6/xfrm6_output.c +index 6b0ed6c593e2..a6f13fab963f 100644 +--- a/net/ipv6/xfrm6_output.c ++++ b/net/ipv6/xfrm6_output.c +@@ -140,6 +140,19 @@ static int __xfrm6_output_finish(struct net *net, struct sock *sk, struct sk_buf + return __xfrm6_output_state_finish(x, sk, skb); + } + ++static int xfrm6_noneed_fragment(struct sk_buff *skb) ++{ ++ struct frag_hdr *fh; ++ u8 prevhdr = ipv6_hdr(skb)->nexthdr; ++ ++ if (prevhdr != NEXTHDR_FRAGMENT) ++ return 0; ++ fh = (struct frag_hdr *)(skb->data + sizeof(struct ipv6hdr)); ++ if (fh->nexthdr == NEXTHDR_ESP || fh->nexthdr == NEXTHDR_AUTH) ++ return 1; ++ return 0; ++} ++ + static int __xfrm6_output(struct net *net, struct sock *sk, struct sk_buff *skb) + { + struct dst_entry *dst = skb_dst(skb); +@@ -168,6 +181,9 @@ static int __xfrm6_output(struct net *net, struct sock *sk, struct sk_buff *skb) + xfrm6_local_rxpmtu(skb, mtu); + kfree_skb(skb); + return -EMSGSIZE; ++ } else if (toobig && xfrm6_noneed_fragment(skb)) { ++ skb->ignore_df = 1; ++ goto skip_frag; + } else if (!skb->ignore_df && toobig && skb->sk) { + xfrm_local_error(skb, mtu); + kfree_skb(skb); +diff --git a/net/xfrm/xfrm_interface.c b/net/xfrm/xfrm_interface.c +index 3932d3aaff27..4cfa79e04e3d 100644 +--- a/net/xfrm/xfrm_interface.c ++++ b/net/xfrm/xfrm_interface.c +@@ -300,7 +300,10 @@ xfrmi_xmit2(struct sk_buff *skb, struct net_device *dev, struct flowi *fl) + if (mtu < IPV6_MIN_MTU) + mtu = IPV6_MIN_MTU; + +- icmpv6_ndo_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu); ++ if (skb->len > 1280) ++ icmpv6_ndo_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu); ++ else ++ goto xmit; + } else { + if (!(ip_hdr(skb)->frag_off & htons(IP_DF))) + goto xmit; +-- +2.34.1 +