From: Sasha Levin Date: Fri, 4 Oct 2024 16:20:12 +0000 (-0400) Subject: Fixes for 6.1 X-Git-Tag: v6.6.55~156 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=73a0b5cd286609cd9cce347afbd851c54805e402;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.1 Signed-off-by: Sasha Levin --- diff --git a/queue-6.1/bluetooth-btmrvl-use-irqf_no_autoen-flag-in-request_.patch b/queue-6.1/bluetooth-btmrvl-use-irqf_no_autoen-flag-in-request_.patch new file mode 100644 index 00000000000..68a67ef1c60 --- /dev/null +++ b/queue-6.1/bluetooth-btmrvl-use-irqf_no_autoen-flag-in-request_.patch @@ -0,0 +1,45 @@ +From d064f9ff18d8a5d4b77b11de6a6044784f5511f0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Sep 2024 11:12:04 +0800 +Subject: Bluetooth: btmrvl: Use IRQF_NO_AUTOEN flag in request_irq() + +From: Jinjie Ruan + +[ Upstream commit 7b1ab460592ca818e7b52f27cd3ec86af79220d1 ] + +disable_irq() after request_irq() still has a time gap in which +interrupts can come. request_irq() with IRQF_NO_AUTOEN flag will +disable IRQ auto-enable when request IRQ. 
+ +Fixes: bb7f4f0bcee6 ("btmrvl: add platform specific wakeup interrupt support") +Signed-off-by: Jinjie Ruan +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btmrvl_sdio.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/bluetooth/btmrvl_sdio.c b/drivers/bluetooth/btmrvl_sdio.c +index ba057ebfda5c2..981b43f79e4a3 100644 +--- a/drivers/bluetooth/btmrvl_sdio.c ++++ b/drivers/bluetooth/btmrvl_sdio.c +@@ -92,7 +92,7 @@ static int btmrvl_sdio_probe_of(struct device *dev, + } else { + ret = devm_request_irq(dev, cfg->irq_bt, + btmrvl_wake_irq_bt, +- 0, "bt_wake", card); ++ IRQF_NO_AUTOEN, "bt_wake", card); + if (ret) { + dev_err(dev, + "Failed to request irq_bt %d (%d)\n", +@@ -101,7 +101,6 @@ static int btmrvl_sdio_probe_of(struct device *dev, + + /* Configure wakeup (enabled by default) */ + device_init_wakeup(dev, true); +- disable_irq(cfg->irq_bt); + } + } + +-- +2.43.0 + diff --git a/queue-6.1/ceph-remove-the-incorrect-fw-reference-check-when-di.patch b/queue-6.1/ceph-remove-the-incorrect-fw-reference-check-when-di.patch new file mode 100644 index 00000000000..c8b753bc276 --- /dev/null +++ b/queue-6.1/ceph-remove-the-incorrect-fw-reference-check-when-di.patch @@ -0,0 +1,37 @@ +From ea4bd3d261fde80a3537b01fa9b7fb58bd3f3c58 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Sep 2024 06:22:18 +0800 +Subject: ceph: remove the incorrect Fw reference check when dirtying pages + +From: Xiubo Li + +[ Upstream commit c08dfb1b49492c09cf13838c71897493ea3b424e ] + +When doing direct-io reads it will also try to mark pages dirty, +but the read path won't hold the Fw caps and there is no case +in which it will get the Fw reference. 
+ +Fixes: 5dda377cf0a6 ("ceph: set i_head_snapc when getting CEPH_CAP_FILE_WR reference") +Signed-off-by: Xiubo Li +Reviewed-by: Patrick Donnelly +Signed-off-by: Ilya Dryomov +Signed-off-by: Sasha Levin +--- + fs/ceph/addr.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/fs/ceph/addr.c b/fs/ceph/addr.c +index dd2ce7fabbaee..6c325efa1c4e5 100644 +--- a/fs/ceph/addr.c ++++ b/fs/ceph/addr.c +@@ -94,7 +94,6 @@ static bool ceph_dirty_folio(struct address_space *mapping, struct folio *folio) + + /* dirty the head */ + spin_lock(&ci->i_ceph_lock); +- BUG_ON(ci->i_wr_ref == 0); // caller should hold Fw reference + if (__ceph_have_pending_cap_snap(ci)) { + struct ceph_cap_snap *capsnap = + list_last_entry(&ci->i_cap_snaps, +-- +2.43.0 + diff --git a/queue-6.1/fsdax-xfs-port-unshare-to-fsdax.patch b/queue-6.1/fsdax-xfs-port-unshare-to-fsdax.patch new file mode 100644 index 00000000000..0632a2ca72c --- /dev/null +++ b/queue-6.1/fsdax-xfs-port-unshare-to-fsdax.patch @@ -0,0 +1,126 @@ +From 9720d2239d04b6d2a2b961b35beaf1420468587d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Dec 2022 15:32:33 +0000 +Subject: fsdax,xfs: port unshare to fsdax + +From: Shiyang Ruan + +[ Upstream commit d984648e428bf88cbd94ebe346c73632cb92fffb ] + +Implement unshare in fsdax mode: copy data from srcmap to iomap. + +Link: https://lkml.kernel.org/r/1669908753-169-1-git-send-email-ruansy.fnst@fujitsu.com +Signed-off-by: Shiyang Ruan +Reviewed-by: Darrick J. 
Wong +Cc: Alistair Popple +Cc: Dan Williams +Cc: Dave Chinner +Cc: Jason Gunthorpe +Cc: John Hubbard +Signed-off-by: Andrew Morton +Stable-dep-of: a311a08a4237 ("iomap: constrain the file range passed to iomap_file_unshare") +Signed-off-by: Sasha Levin +--- + fs/dax.c | 52 ++++++++++++++++++++++++++++++++++++++++++++ + fs/xfs/xfs_reflink.c | 8 +++++-- + include/linux/dax.h | 2 ++ + 3 files changed, 60 insertions(+), 2 deletions(-) + +diff --git a/fs/dax.c b/fs/dax.c +index 1c6867810cbd6..626745bc1ad86 100644 +--- a/fs/dax.c ++++ b/fs/dax.c +@@ -1221,6 +1221,58 @@ static vm_fault_t dax_pmd_load_hole(struct xa_state *xas, struct vm_fault *vmf, + } + #endif /* CONFIG_FS_DAX_PMD */ + ++static s64 dax_unshare_iter(struct iomap_iter *iter) ++{ ++ struct iomap *iomap = &iter->iomap; ++ const struct iomap *srcmap = iomap_iter_srcmap(iter); ++ loff_t pos = iter->pos; ++ loff_t length = iomap_length(iter); ++ int id = 0; ++ s64 ret = 0; ++ void *daddr = NULL, *saddr = NULL; ++ ++ /* don't bother with blocks that are not shared to start with */ ++ if (!(iomap->flags & IOMAP_F_SHARED)) ++ return length; ++ /* don't bother with holes or unwritten extents */ ++ if (srcmap->type == IOMAP_HOLE || srcmap->type == IOMAP_UNWRITTEN) ++ return length; ++ ++ id = dax_read_lock(); ++ ret = dax_iomap_direct_access(iomap, pos, length, &daddr, NULL); ++ if (ret < 0) ++ goto out_unlock; ++ ++ ret = dax_iomap_direct_access(srcmap, pos, length, &saddr, NULL); ++ if (ret < 0) ++ goto out_unlock; ++ ++ ret = copy_mc_to_kernel(daddr, saddr, length); ++ if (ret) ++ ret = -EIO; ++ ++out_unlock: ++ dax_read_unlock(id); ++ return ret; ++} ++ ++int dax_file_unshare(struct inode *inode, loff_t pos, loff_t len, ++ const struct iomap_ops *ops) ++{ ++ struct iomap_iter iter = { ++ .inode = inode, ++ .pos = pos, ++ .len = len, ++ .flags = IOMAP_WRITE | IOMAP_UNSHARE | IOMAP_DAX, ++ }; ++ int ret; ++ ++ while ((ret = iomap_iter(&iter, ops)) > 0) ++ iter.processed = dax_unshare_iter(&iter); ++ return ret; 
++} ++EXPORT_SYMBOL_GPL(dax_file_unshare); ++ + static int dax_memzero(struct iomap_iter *iter, loff_t pos, size_t size) + { + const struct iomap *iomap = &iter->iomap; +diff --git a/fs/xfs/xfs_reflink.c b/fs/xfs/xfs_reflink.c +index 93bdd25680bc9..fe46bce8cae63 100644 +--- a/fs/xfs/xfs_reflink.c ++++ b/fs/xfs/xfs_reflink.c +@@ -1693,8 +1693,12 @@ xfs_reflink_unshare( + + inode_dio_wait(inode); + +- error = iomap_file_unshare(inode, offset, len, +- &xfs_buffered_write_iomap_ops); ++ if (IS_DAX(inode)) ++ error = dax_file_unshare(inode, offset, len, ++ &xfs_dax_write_iomap_ops); ++ else ++ error = iomap_file_unshare(inode, offset, len, ++ &xfs_buffered_write_iomap_ops); + if (error) + goto out; + +diff --git a/include/linux/dax.h b/include/linux/dax.h +index ba985333e26bf..2b5ecb5910591 100644 +--- a/include/linux/dax.h ++++ b/include/linux/dax.h +@@ -205,6 +205,8 @@ static inline void dax_unlock_mapping_entry(struct address_space *mapping, + } + #endif + ++int dax_file_unshare(struct inode *inode, loff_t pos, loff_t len, ++ const struct iomap_ops *ops); + int dax_zero_range(struct inode *inode, loff_t pos, loff_t len, bool *did_zero, + const struct iomap_ops *ops); + int dax_truncate_page(struct inode *inode, loff_t pos, bool *did_zero, +-- +2.43.0 + diff --git a/queue-6.1/ieee802154-fix-build-error.patch b/queue-6.1/ieee802154-fix-build-error.patch new file mode 100644 index 00000000000..196b1e238ea --- /dev/null +++ b/queue-6.1/ieee802154-fix-build-error.patch @@ -0,0 +1,40 @@ +From 6627efe2916ac98b4f361588b4c7c26988614f40 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Sep 2024 21:17:40 +0800 +Subject: ieee802154: Fix build error + +From: Jinjie Ruan + +[ Upstream commit addf89774e48c992316449ffab4f29c2309ebefb ] + +If REGMAP_SPI is m and IEEE802154_MCR20A is y, + + mcr20a.c:(.text+0x3ed6c5b): undefined reference to `__devm_regmap_init_spi' + ld: mcr20a.c:(.text+0x3ed6cb5): undefined reference to `__devm_regmap_init_spi' + +Select REGMAP_SPI for 
IEEE802154_MCR20A to fix it. + +Fixes: 8c6ad9cc5157 ("ieee802154: Add NXP MCR20A IEEE 802.15.4 transceiver driver") +Signed-off-by: Jinjie Ruan +Link: https://lore.kernel.org/20240909131740.1296608-1-ruanjinjie@huawei.com +Signed-off-by: Stefan Schmidt +Signed-off-by: Sasha Levin +--- + drivers/net/ieee802154/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ieee802154/Kconfig b/drivers/net/ieee802154/Kconfig +index 95da876c56138..1075e24b11def 100644 +--- a/drivers/net/ieee802154/Kconfig ++++ b/drivers/net/ieee802154/Kconfig +@@ -101,6 +101,7 @@ config IEEE802154_CA8210_DEBUGFS + + config IEEE802154_MCR20A + tristate "MCR20A transceiver driver" ++ select REGMAP_SPI + depends on IEEE802154_DRIVERS && MAC802154 + depends on SPI + help +-- +2.43.0 + diff --git a/queue-6.1/iomap-constrain-the-file-range-passed-to-iomap_file_.patch b/queue-6.1/iomap-constrain-the-file-range-passed-to-iomap_file_.patch new file mode 100644 index 00000000000..cdc32d5587e --- /dev/null +++ b/queue-6.1/iomap-constrain-the-file-range-passed-to-iomap_file_.patch @@ -0,0 +1,70 @@ +From 87c98c6602e3276c98e55cb202e7220193d87fa7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Oct 2024 08:02:13 -0700 +Subject: iomap: constrain the file range passed to iomap_file_unshare + +From: Darrick J. Wong + +[ Upstream commit a311a08a4237241fb5b9d219d3e33346de6e83e0 ] + +File contents can only be shared (i.e. reflinked) below EOF, so it makes +no sense to try to unshare ranges beyond EOF. Constrain the file range +parameters here so that we don't have to do that in the callers. + +Fixes: 5f4e5752a8a3 ("fs: add iomap_file_dirty") +Signed-off-by: Darrick J. 
Wong +Link: https://lore.kernel.org/r/20241002150213.GC21853@frogsfrogsfrogs +Reviewed-by: Christoph Hellwig +Reviewed-by: Brian Foster +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/dax.c | 6 +++++- + fs/iomap/buffered-io.c | 6 +++++- + 2 files changed, 10 insertions(+), 2 deletions(-) + +diff --git a/fs/dax.c b/fs/dax.c +index 626745bc1ad86..7ecad1a28a894 100644 +--- a/fs/dax.c ++++ b/fs/dax.c +@@ -1262,11 +1262,15 @@ int dax_file_unshare(struct inode *inode, loff_t pos, loff_t len, + struct iomap_iter iter = { + .inode = inode, + .pos = pos, +- .len = len, + .flags = IOMAP_WRITE | IOMAP_UNSHARE | IOMAP_DAX, + }; ++ loff_t size = i_size_read(inode); + int ret; + ++ if (pos < 0 || pos >= size) ++ return 0; ++ ++ iter.len = min(len, size - pos); + while ((ret = iomap_iter(&iter, ops)) > 0) + iter.processed = dax_unshare_iter(&iter); + return ret; +diff --git a/fs/iomap/buffered-io.c b/fs/iomap/buffered-io.c +index 0f7dabc6c764e..98617f00101d6 100644 +--- a/fs/iomap/buffered-io.c ++++ b/fs/iomap/buffered-io.c +@@ -1126,11 +1126,15 @@ iomap_file_unshare(struct inode *inode, loff_t pos, loff_t len, + struct iomap_iter iter = { + .inode = inode, + .pos = pos, +- .len = len, + .flags = IOMAP_WRITE | IOMAP_UNSHARE, + }; ++ loff_t size = i_size_read(inode); + int ret; + ++ if (pos < 0 || pos >= size) ++ return 0; ++ ++ iter.len = min(len, size - pos); + while ((ret = iomap_iter(&iter, ops)) > 0) + iter.processed = iomap_unshare_iter(&iter); + return ret; +-- +2.43.0 + diff --git a/queue-6.1/ipv4-ip_gre-fix-drops-of-small-packets-in-ipgre_xmit.patch b/queue-6.1/ipv4-ip_gre-fix-drops-of-small-packets-in-ipgre_xmit.patch new file mode 100644 index 00000000000..5960f808ec5 --- /dev/null +++ b/queue-6.1/ipv4-ip_gre-fix-drops-of-small-packets-in-ipgre_xmit.patch @@ -0,0 +1,89 @@ +From 9ad4317cc37981d3324111926a8a327815bda70a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Sep 2024 02:51:59 +0300 +Subject: ipv4: ip_gre: Fix drops of small 
packets in ipgre_xmit + +From: Anton Danilov + +[ Upstream commit c4a14f6d9d17ad1e41a36182dd3b8a5fd91efbd7 ] + +Regression Description: + +Depending on the options specified for the GRE tunnel device, small +packets may be dropped. This occurs because the pskb_network_may_pull +function fails due to the packet's insufficient length. + +For example, if only the okey option is specified for the tunnel device, +original (before encapsulation) packets smaller than 28 bytes (including +the IPv4 header) will be dropped. This happens because the required +length is calculated relative to the network header, not the skb->head. + +Here is how the required length is computed and checked: + +* The pull_len variable is set to 28 bytes, consisting of: + * IPv4 header: 20 bytes + * GRE header with Key field: 8 bytes + +* The pskb_network_may_pull function adds the network offset, shifting +the checkable space further to the beginning of the network header and +extending it to the beginning of the packet. As a result, the end of +the checkable space occurs beyond the actual end of the packet. + +Instead of ensuring that 28 bytes are present in skb->head, the function +is requesting these 28 bytes starting from the network header. For small +packets, this requested length exceeds the actual packet size, causing +the check to fail and the packets to be dropped. + +This issue affects both locally originated and forwarded packets in +DMVPN-like setups. + +How to reproduce (for locally originated packets): + + ip link add dev gre1 type gre ikey 1.9.8.4 okey 1.9.8.4 \ + local remote 0.0.0.0 + + ip link set mtu 1400 dev gre1 + ip link set up dev gre1 + ip address add 192.168.13.1/24 dev gre1 + ip neighbor add 192.168.13.2 lladdr dev gre1 + ping -s 1374 -c 10 192.168.13.2 + tcpdump -vni gre1 + tcpdump -vni 'ip proto 47' + ip -s -s -d link show dev gre1 + +Solution: + +Use the pskb_may_pull function instead of the pskb_network_may_pull. 
+ +Fixes: 80d875cfc9d3 ("ipv4: ip_gre: Avoid skb_pull() failure in ipgre_xmit()") +Signed-off-by: Anton Danilov +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20240924235158.106062-1-littlesmilingcloud@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv4/ip_gre.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c +index 0267fa05374aa..2c311ed84a3b3 100644 +--- a/net/ipv4/ip_gre.c ++++ b/net/ipv4/ip_gre.c +@@ -644,11 +644,11 @@ static netdev_tx_t ipgre_xmit(struct sk_buff *skb, + if (skb_cow_head(skb, 0)) + goto free_skb; + +- tnl_params = (const struct iphdr *)skb->data; +- +- if (!pskb_network_may_pull(skb, pull_len)) ++ if (!pskb_may_pull(skb, pull_len)) + goto free_skb; + ++ tnl_params = (const struct iphdr *)skb->data; ++ + /* ip_tunnel_xmit() needs skb->data pointing to gre header. */ + skb_pull(skb, pull_len); + skb_reset_mac_header(skb); +-- +2.43.0 + diff --git a/queue-6.1/jump_label-fix-static_key_slow_dec-yet-again.patch b/queue-6.1/jump_label-fix-static_key_slow_dec-yet-again.patch new file mode 100644 index 00000000000..29c3a8c38f5 --- /dev/null +++ b/queue-6.1/jump_label-fix-static_key_slow_dec-yet-again.patch @@ -0,0 +1,125 @@ +From 99a8e51915dc3e8ae7d5a651eb9f6645ba9ad829 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Sep 2024 12:50:09 +0200 +Subject: jump_label: Fix static_key_slow_dec() yet again + +From: Peter Zijlstra + +[ Upstream commit 1d7f856c2ca449f04a22d876e36b464b7a9d28b6 ] + +While commit 83ab38ef0a0b ("jump_label: Fix concurrency issues in +static_key_slow_dec()") fixed one problem, it created yet another, +notably the following is now possible: + + slow_dec + if (try_dec) // dec_not_one-ish, false + // enabled == 1 + slow_inc + if (inc_not_disabled) // inc_not_zero-ish + // enabled == 2 + return + + guard((mutex)(&jump_label_mutex); + if (atomic_cmpxchg(1,0)==1) // false, we're 2 + + slow_dec + if (try-dec) // dec_not_one, 
true + // enabled == 1 + return + else + try_dec() // dec_not_one, false + WARN + +Use dec_and_test instead of cmpxchg(), like it was prior to +83ab38ef0a0b. Add a few WARNs for the paranoid. + +Fixes: 83ab38ef0a0b ("jump_label: Fix concurrency issues in static_key_slow_dec()") +Reported-by: "Darrick J. Wong" +Tested-by: Klara Modin +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Sasha Levin +--- + kernel/jump_label.c | 34 +++++++++++++++++++++++++++------- + 1 file changed, 27 insertions(+), 7 deletions(-) + +diff --git a/kernel/jump_label.c b/kernel/jump_label.c +index 7374053bbe049..554e04b25b13a 100644 +--- a/kernel/jump_label.c ++++ b/kernel/jump_label.c +@@ -165,7 +165,7 @@ bool static_key_slow_inc_cpuslocked(struct static_key *key) + jump_label_update(key); + /* + * Ensure that when static_key_fast_inc_not_disabled() or +- * static_key_slow_try_dec() observe the positive value, ++ * static_key_dec_not_one() observe the positive value, + * they must also observe all the text changes. + */ + atomic_set_release(&key->enabled, 1); +@@ -247,7 +247,7 @@ void static_key_disable(struct static_key *key) + } + EXPORT_SYMBOL_GPL(static_key_disable); + +-static bool static_key_slow_try_dec(struct static_key *key) ++static bool static_key_dec_not_one(struct static_key *key) + { + int v; + +@@ -271,6 +271,14 @@ static bool static_key_slow_try_dec(struct static_key *key) + * enabled. This suggests an ordering problem on the user side. + */ + WARN_ON_ONCE(v < 0); ++ ++ /* ++ * Warn about underflow, and lie about success in an attempt to ++ * not make things worse. 
++ */ ++ if (WARN_ON_ONCE(v == 0)) ++ return true; ++ + if (v <= 1) + return false; + } while (!likely(atomic_try_cmpxchg(&key->enabled, &v, v - 1))); +@@ -281,15 +289,27 @@ static bool static_key_slow_try_dec(struct static_key *key) + static void __static_key_slow_dec_cpuslocked(struct static_key *key) + { + lockdep_assert_cpus_held(); ++ int val; + +- if (static_key_slow_try_dec(key)) ++ if (static_key_dec_not_one(key)) + return; + + guard(mutex)(&jump_label_mutex); +- if (atomic_cmpxchg(&key->enabled, 1, 0) == 1) ++ val = atomic_read(&key->enabled); ++ /* ++ * It should be impossible to observe -1 with jump_label_mutex held, ++ * see static_key_slow_inc_cpuslocked(). ++ */ ++ if (WARN_ON_ONCE(val == -1)) ++ return; ++ /* ++ * Cannot already be 0, something went sideways. ++ */ ++ if (WARN_ON_ONCE(val == 0)) ++ return; ++ ++ if (atomic_dec_and_test(&key->enabled)) + jump_label_update(key); +- else +- WARN_ON_ONCE(!static_key_slow_try_dec(key)); + } + + static void __static_key_slow_dec(struct static_key *key) +@@ -326,7 +346,7 @@ void __static_key_slow_dec_deferred(struct static_key *key, + { + STATIC_KEY_CHECK_USE(key); + +- if (static_key_slow_try_dec(key)) ++ if (static_key_dec_not_one(key)) + return; + + schedule_delayed_work(work, timeout); +-- +2.43.0 + diff --git a/queue-6.1/jump_label-simplify-and-clarify-static_key_fast_inc_.patch b/queue-6.1/jump_label-simplify-and-clarify-static_key_fast_inc_.patch new file mode 100644 index 00000000000..3739810fa61 --- /dev/null +++ b/queue-6.1/jump_label-simplify-and-clarify-static_key_fast_inc_.patch @@ -0,0 +1,62 @@ +From 38a2c28fef1e45582dceb06b0456d480e2668118 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Jun 2024 14:46:39 +0200 +Subject: jump_label: Simplify and clarify static_key_fast_inc_cpus_locked() + +From: Thomas Gleixner + +[ Upstream commit 9bc2ff871f00437ad2f10c1eceff51aaa72b478f ] + +Make the code more obvious and add proper comments to avoid future head +scratching. 
+ +Signed-off-by: Thomas Gleixner +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/20240610124406.548322963@linutronix.de +Stable-dep-of: 1d7f856c2ca4 ("jump_label: Fix static_key_slow_dec() yet again") +Signed-off-by: Sasha Levin +--- + kernel/jump_label.c | 20 +++++++++++--------- + 1 file changed, 11 insertions(+), 9 deletions(-) + +diff --git a/kernel/jump_label.c b/kernel/jump_label.c +index 1ed269b2c4035..7374053bbe049 100644 +--- a/kernel/jump_label.c ++++ b/kernel/jump_label.c +@@ -159,22 +159,24 @@ bool static_key_slow_inc_cpuslocked(struct static_key *key) + if (static_key_fast_inc_not_disabled(key)) + return true; + +- jump_label_lock(); +- if (atomic_read(&key->enabled) == 0) { +- atomic_set(&key->enabled, -1); ++ guard(mutex)(&jump_label_mutex); ++ /* Try to mark it as 'enabling in progress. */ ++ if (!atomic_cmpxchg(&key->enabled, 0, -1)) { + jump_label_update(key); + /* +- * Ensure that if the above cmpxchg loop observes our positive +- * value, it must also observe all the text changes. ++ * Ensure that when static_key_fast_inc_not_disabled() or ++ * static_key_slow_try_dec() observe the positive value, ++ * they must also observe all the text changes. 
+ */ + atomic_set_release(&key->enabled, 1); + } else { +- if (WARN_ON_ONCE(!static_key_fast_inc_not_disabled(key))) { +- jump_label_unlock(); ++ /* ++ * While holding the mutex this should never observe ++ * anything else than a value >= 1 and succeed ++ */ ++ if (WARN_ON_ONCE(!static_key_fast_inc_not_disabled(key))) + return false; +- } + } +- jump_label_unlock(); + return true; + } + +-- +2.43.0 + diff --git a/queue-6.1/mailbox-bcm2835-fix-timeout-during-suspend-mode.patch b/queue-6.1/mailbox-bcm2835-fix-timeout-during-suspend-mode.patch new file mode 100644 index 00000000000..08dc59ea414 --- /dev/null +++ b/queue-6.1/mailbox-bcm2835-fix-timeout-during-suspend-mode.patch @@ -0,0 +1,78 @@ +From f2db765bbffd913b4a70975147d2af2068241dc5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Aug 2024 23:40:44 +0200 +Subject: mailbox: bcm2835: Fix timeout during suspend mode + +From: Stefan Wahren + +[ Upstream commit dc09f007caed3b2f6a3b6bd7e13777557ae22bfd ] + +During the noirq suspend phase the Raspberry Pi power driver suffers from +firmware property timeouts. The reason is that the IRQ of the underlying +BCM2835 mailbox is disabled and rpi_firmware_property_list() will always +run into a timeout [1]. + +Since the VideoCore side isn't considered as a wakeup source, set the +IRQF_NO_SUSPEND flag for the mailbox IRQ in order to keep it enabled +during the suspend-resume cycle. 
+ +[1] +PM: late suspend of devices complete after 1.754 msecs +WARNING: CPU: 0 PID: 438 at drivers/firmware/raspberrypi.c:128 + rpi_firmware_property_list+0x204/0x22c +Firmware transaction 0x00028001 timeout +Modules linked in: +CPU: 0 PID: 438 Comm: bash Tainted: G C 6.9.3-dirty #17 +Hardware name: BCM2835 +Call trace: +unwind_backtrace from show_stack+0x18/0x1c +show_stack from dump_stack_lvl+0x34/0x44 +dump_stack_lvl from __warn+0x88/0xec +__warn from warn_slowpath_fmt+0x7c/0xb0 +warn_slowpath_fmt from rpi_firmware_property_list+0x204/0x22c +rpi_firmware_property_list from rpi_firmware_property+0x68/0x8c +rpi_firmware_property from rpi_firmware_set_power+0x54/0xc0 +rpi_firmware_set_power from _genpd_power_off+0xe4/0x148 +_genpd_power_off from genpd_sync_power_off+0x7c/0x11c +genpd_sync_power_off from genpd_finish_suspend+0xcc/0xe0 +genpd_finish_suspend from dpm_run_callback+0x78/0xd0 +dpm_run_callback from device_suspend_noirq+0xc0/0x238 +device_suspend_noirq from dpm_suspend_noirq+0xb0/0x168 +dpm_suspend_noirq from suspend_devices_and_enter+0x1b8/0x5ac +suspend_devices_and_enter from pm_suspend+0x254/0x2e4 +pm_suspend from state_store+0xa8/0xd4 +state_store from kernfs_fop_write_iter+0x154/0x1a0 +kernfs_fop_write_iter from vfs_write+0x12c/0x184 +vfs_write from ksys_write+0x78/0xc0 +ksys_write from ret_fast_syscall+0x0/0x54 +Exception stack(0xcc93dfa8 to 0xcc93dff0) +[...] 
+PM: noirq suspend of devices complete after 3095.584 msecs + +Link: https://github.com/raspberrypi/firmware/issues/1894 +Fixes: 0bae6af6d704 ("mailbox: Enable BCM2835 mailbox support") +Signed-off-by: Stefan Wahren +Reviewed-by: Florian Fainelli +Signed-off-by: Jassi Brar +Signed-off-by: Sasha Levin +--- + drivers/mailbox/bcm2835-mailbox.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/mailbox/bcm2835-mailbox.c b/drivers/mailbox/bcm2835-mailbox.c +index fbfd0202047c3..ea12fb8d24015 100644 +--- a/drivers/mailbox/bcm2835-mailbox.c ++++ b/drivers/mailbox/bcm2835-mailbox.c +@@ -145,7 +145,8 @@ static int bcm2835_mbox_probe(struct platform_device *pdev) + spin_lock_init(&mbox->lock); + + ret = devm_request_irq(dev, irq_of_parse_and_map(dev->of_node, 0), +- bcm2835_mbox_irq, 0, dev_name(dev), mbox); ++ bcm2835_mbox_irq, IRQF_NO_SUSPEND, dev_name(dev), ++ mbox); + if (ret) { + dev_err(dev, "Failed to register a mailbox IRQ handler: %d\n", + ret); +-- +2.43.0 + diff --git a/queue-6.1/mailbox-rockchip-fix-a-typo-in-module-autoloading.patch b/queue-6.1/mailbox-rockchip-fix-a-typo-in-module-autoloading.patch new file mode 100644 index 00000000000..0d3d43e6efe --- /dev/null +++ b/queue-6.1/mailbox-rockchip-fix-a-typo-in-module-autoloading.patch @@ -0,0 +1,39 @@ +From d9f7b2bff7c008f6a5602e616b8ce40d048c8a0f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Aug 2024 02:51:47 +0000 +Subject: mailbox: rockchip: fix a typo in module autoloading + +From: Liao Chen + +[ Upstream commit e92d87c9c5d769e4cb1dd7c90faa38dddd7e52e3 ] + +MODULE_DEVICE_TABLE(of, rockchip_mbox_of_match) lets the module be +properly autoloaded based on the alias from the of_device_id table. It +should be 'rockchip_mbox_of_match' instead of 'rockchp_mbox_of_match'; +just fix it. 
+ +Fixes: f70ed3b5dc8b ("mailbox: rockchip: Add Rockchip mailbox driver") +Signed-off-by: Liao Chen +Reviewed-by: Heiko Stuebner +Signed-off-by: Jassi Brar +Signed-off-by: Sasha Levin +--- + drivers/mailbox/rockchip-mailbox.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mailbox/rockchip-mailbox.c b/drivers/mailbox/rockchip-mailbox.c +index 979acc810f307..ca50f7f176f6a 100644 +--- a/drivers/mailbox/rockchip-mailbox.c ++++ b/drivers/mailbox/rockchip-mailbox.c +@@ -159,7 +159,7 @@ static const struct of_device_id rockchip_mbox_of_match[] = { + { .compatible = "rockchip,rk3368-mailbox", .data = &rk3368_drv_data}, + { }, + }; +-MODULE_DEVICE_TABLE(of, rockchp_mbox_of_match); ++MODULE_DEVICE_TABLE(of, rockchip_mbox_of_match); + + static int rockchip_mbox_probe(struct platform_device *pdev) + { +-- +2.43.0 + diff --git a/queue-6.1/net-add-more-sanity-checks-to-qdisc_pkt_len_init.patch b/queue-6.1/net-add-more-sanity-checks-to-qdisc_pkt_len_init.patch new file mode 100644 index 00000000000..4bf47653e7b --- /dev/null +++ b/queue-6.1/net-add-more-sanity-checks-to-qdisc_pkt_len_init.patch @@ -0,0 +1,64 @@ +From 0856f6d881ef44e4b7eabe931d10c95d8babac01 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Sep 2024 15:02:57 +0000 +Subject: net: add more sanity checks to qdisc_pkt_len_init() + +From: Eric Dumazet + +[ Upstream commit ab9a9a9e9647392a19e7a885b08000e89c86b535 ] + +One path takes care of SKB_GSO_DODGY, assuming +skb->len is bigger than hdr_len. + +virtio_net_hdr_to_skb() does not fully dissect TCP headers, +it only makes sure it is at least 20 bytes. + +It is possible for a user to provide a malicious 'GSO' packet, +with a total length of 80 bytes. + +- 20 bytes of IPv4 header +- 60 bytes TCP header +- a small gso_size like 8 + +virtio_net_hdr_to_skb() would declare this packet as a normal +GSO packet, because it would see 40 bytes of payload, +bigger than gso_size. 
+ +We need to detect this case to not underflow +qdisc_skb_cb(skb)->pkt_len. + +Fixes: 1def9238d4aa ("net_sched: more precise pkt_len computation") +Signed-off-by: Eric Dumazet +Reviewed-by: Willem de Bruijn +Reviewed-by: David Ahern +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/core/dev.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/net/core/dev.c b/net/core/dev.c +index d14b9484e2bc1..9a6c1603ef77e 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -3805,10 +3805,14 @@ static void qdisc_pkt_len_init(struct sk_buff *skb) + hdr_len += sizeof(struct udphdr); + } + +- if (shinfo->gso_type & SKB_GSO_DODGY) +- gso_segs = DIV_ROUND_UP(skb->len - hdr_len, +- shinfo->gso_size); ++ if (unlikely(shinfo->gso_type & SKB_GSO_DODGY)) { ++ int payload = skb->len - hdr_len; + ++ /* Malicious packet. */ ++ if (payload <= 0) ++ return; ++ gso_segs = DIV_ROUND_UP(payload, shinfo->gso_size); ++ } + qdisc_skb_cb(skb)->pkt_len += (gso_segs - 1) * hdr_len; + } + } +-- +2.43.0 + diff --git a/queue-6.1/net-avoid-potential-underflow-in-qdisc_pkt_len_init-.patch b/queue-6.1/net-avoid-potential-underflow-in-qdisc_pkt_len_init-.patch new file mode 100644 index 00000000000..4393ea9cfc5 --- /dev/null +++ b/queue-6.1/net-avoid-potential-underflow-in-qdisc_pkt_len_init-.patch @@ -0,0 +1,141 @@ +From e94d70434a5927869c927d6d2403020adedd64a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Sep 2024 15:02:56 +0000 +Subject: net: avoid potential underflow in qdisc_pkt_len_init() with UFO + +From: Eric Dumazet + +[ Upstream commit c20029db28399ecc50e556964eaba75c43b1e2f1 ] + +After commit 7c6d2ecbda83 ("net: be more gentle about silly gso +requests coming from user") virtio_net_hdr_to_skb() had a sanity check +to detect malicious attempts from user space to cook a bad GSO packet. 
+ +Then commit cf9acc90c80ec ("net: virtio_net_hdr_to_skb: count +transport header in UFO") while fixing one issue, allowed user space +to cook a GSO packet with the following characteristic : + +IPv4 SKB_GSO_UDP, gso_size=3, skb->len = 28. + +When this packet arrives in qdisc_pkt_len_init(), we end up +with hdr_len = 28 (IPv4 header + UDP header), matching skb->len + +Then the following sets gso_segs to 0 : + +gso_segs = DIV_ROUND_UP(skb->len - hdr_len, + shinfo->gso_size); + +Then later we set qdisc_skb_cb(skb)->pkt_len to back to zero :/ + +qdisc_skb_cb(skb)->pkt_len += (gso_segs - 1) * hdr_len; + +This leads to the following crash in fq_codel [1] + +qdisc_pkt_len_init() is best effort, we only want an estimation +of the bytes sent on the wire, not crashing the kernel. + +This patch is fixing this particular issue, a following one +adds more sanity checks for another potential bug. + +[1] +[ 70.724101] BUG: kernel NULL pointer dereference, address: 0000000000000000 +[ 70.724561] #PF: supervisor read access in kernel mode +[ 70.724561] #PF: error_code(0x0000) - not-present page +[ 70.724561] PGD 10ac61067 P4D 10ac61067 PUD 107ee2067 PMD 0 +[ 70.724561] Oops: Oops: 0000 [#1] SMP NOPTI +[ 70.724561] CPU: 11 UID: 0 PID: 2163 Comm: b358537762 Not tainted 6.11.0-virtme #991 +[ 70.724561] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +[ 70.724561] RIP: 0010:fq_codel_enqueue (net/sched/sch_fq_codel.c:120 net/sched/sch_fq_codel.c:168 net/sched/sch_fq_codel.c:230) sch_fq_codel +[ 70.724561] Code: 24 08 49 c1 e1 06 44 89 7c 24 18 45 31 ed 45 31 c0 31 ff 89 44 24 14 4c 03 8b 90 01 00 00 eb 04 39 ca 73 37 4d 8b 39 83 c7 01 <49> 8b 17 49 89 11 41 8b 57 28 45 8b 5f 34 49 c7 07 00 00 00 00 49 +All code +======== + 0: 24 08 and $0x8,%al + 2: 49 c1 e1 06 shl $0x6,%r9 + 6: 44 89 7c 24 18 mov %r15d,0x18(%rsp) + b: 45 31 ed xor %r13d,%r13d + e: 45 31 c0 xor %r8d,%r8d + 11: 31 ff xor %edi,%edi + 13: 89 44 24 14 mov %eax,0x14(%rsp) + 17: 
4c 03 8b 90 01 00 00 add 0x190(%rbx),%r9 + 1e: eb 04 jmp 0x24 + 20: 39 ca cmp %ecx,%edx + 22: 73 37 jae 0x5b + 24: 4d 8b 39 mov (%r9),%r15 + 27: 83 c7 01 add $0x1,%edi + 2a:* 49 8b 17 mov (%r15),%rdx <-- trapping instruction + 2d: 49 89 11 mov %rdx,(%r9) + 30: 41 8b 57 28 mov 0x28(%r15),%edx + 34: 45 8b 5f 34 mov 0x34(%r15),%r11d + 38: 49 c7 07 00 00 00 00 movq $0x0,(%r15) + 3f: 49 rex.WB + +Code starting with the faulting instruction +=========================================== + 0: 49 8b 17 mov (%r15),%rdx + 3: 49 89 11 mov %rdx,(%r9) + 6: 41 8b 57 28 mov 0x28(%r15),%edx + a: 45 8b 5f 34 mov 0x34(%r15),%r11d + e: 49 c7 07 00 00 00 00 movq $0x0,(%r15) + 15: 49 rex.WB +[ 70.724561] RSP: 0018:ffff95ae85e6fb90 EFLAGS: 00000202 +[ 70.724561] RAX: 0000000002000000 RBX: ffff95ae841de000 RCX: 0000000000000000 +[ 70.724561] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000001 +[ 70.724561] RBP: ffff95ae85e6fbf8 R08: 0000000000000000 R09: ffff95b710a30000 +[ 70.724561] R10: 0000000000000000 R11: bdf289445ce31881 R12: ffff95ae85e6fc58 +[ 70.724561] R13: 0000000000000000 R14: 0000000000000040 R15: 0000000000000000 +[ 70.724561] FS: 000000002c5c1380(0000) GS:ffff95bd7fcc0000(0000) knlGS:0000000000000000 +[ 70.724561] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 70.724561] CR2: 0000000000000000 CR3: 000000010c568000 CR4: 00000000000006f0 +[ 70.724561] Call Trace: +[ 70.724561] +[ 70.724561] ? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434) +[ 70.724561] ? page_fault_oops (arch/x86/mm/fault.c:715) +[ 70.724561] ? exc_page_fault (./arch/x86/include/asm/irqflags.h:26 ./arch/x86/include/asm/irqflags.h:87 ./arch/x86/include/asm/irqflags.h:147 arch/x86/mm/fault.c:1489 arch/x86/mm/fault.c:1539) +[ 70.724561] ? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:623) +[ 70.724561] ? 
fq_codel_enqueue (net/sched/sch_fq_codel.c:120 net/sched/sch_fq_codel.c:168 net/sched/sch_fq_codel.c:230) sch_fq_codel +[ 70.724561] dev_qdisc_enqueue (net/core/dev.c:3784) +[ 70.724561] __dev_queue_xmit (net/core/dev.c:3880 (discriminator 2) net/core/dev.c:4390 (discriminator 2)) +[ 70.724561] ? irqentry_enter (kernel/entry/common.c:237) +[ 70.724561] ? sysvec_apic_timer_interrupt (./arch/x86/include/asm/hardirq.h:74 (discriminator 2) arch/x86/kernel/apic/apic.c:1043 (discriminator 2) arch/x86/kernel/apic/apic.c:1043 (discriminator 2)) +[ 70.724561] ? trace_hardirqs_on (kernel/trace/trace_preemptirq.c:58 (discriminator 4)) +[ 70.724561] ? asm_sysvec_apic_timer_interrupt (./arch/x86/include/asm/idtentry.h:702) +[ 70.724561] ? virtio_net_hdr_to_skb.constprop.0 (./include/linux/virtio_net.h:129 (discriminator 1)) +[ 70.724561] packet_sendmsg (net/packet/af_packet.c:3145 (discriminator 1) net/packet/af_packet.c:3177 (discriminator 1)) +[ 70.724561] ? _raw_spin_lock_bh (./arch/x86/include/asm/atomic.h:107 (discriminator 4) ./include/linux/atomic/atomic-arch-fallback.h:2170 (discriminator 4) ./include/linux/atomic/atomic-instrumented.h:1302 (discriminator 4) ./include/asm-generic/qspinlock.h:111 (discriminator 4) ./include/linux/spinlock.h:187 (discriminator 4) ./include/linux/spinlock_api_smp.h:127 (discriminator 4) kernel/locking/spinlock.c:178 (discriminator 4)) +[ 70.724561] ? netdev_name_node_lookup_rcu (net/core/dev.c:325 (discriminator 1)) +[ 70.724561] __sys_sendto (net/socket.c:730 (discriminator 1) net/socket.c:745 (discriminator 1) net/socket.c:2210 (discriminator 1)) +[ 70.724561] ? 
__sys_setsockopt (./include/linux/file.h:34 net/socket.c:2355) +[ 70.724561] __x64_sys_sendto (net/socket.c:2222 (discriminator 1) net/socket.c:2218 (discriminator 1) net/socket.c:2218 (discriminator 1)) +[ 70.724561] do_syscall_64 (arch/x86/entry/common.c:52 (discriminator 1) arch/x86/entry/common.c:83 (discriminator 1)) +[ 70.724561] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) +[ 70.724561] RIP: 0033:0x41ae09 + +Fixes: cf9acc90c80ec ("net: virtio_net_hdr_to_skb: count transport header in UFO") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Cc: Jonathan Davies +Reviewed-by: Willem de Bruijn +Reviewed-by: Jonathan Davies +Reviewed-by: David Ahern +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/core/dev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/core/dev.c b/net/core/dev.c +index 20d8b9195ef60..d14b9484e2bc1 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -3797,7 +3797,7 @@ static void qdisc_pkt_len_init(struct sk_buff *skb) + sizeof(_tcphdr), &_tcphdr); + if (likely(th)) + hdr_len += __tcp_hdrlen(th); +- } else { ++ } else if (shinfo->gso_type & SKB_GSO_UDP_L4) { + struct udphdr _udphdr; + + if (skb_header_pointer(skb, skb_transport_offset(skb), +-- +2.43.0 + diff --git a/queue-6.1/net-ethernet-lantiq_etop-fix-memory-disclosure.patch b/queue-6.1/net-ethernet-lantiq_etop-fix-memory-disclosure.patch new file mode 100644 index 00000000000..d3b75a4bf77 --- /dev/null +++ b/queue-6.1/net-ethernet-lantiq_etop-fix-memory-disclosure.patch @@ -0,0 +1,52 @@ +From 3a5e18c37ffa1eb6da52382ebc2d1de8d93d1e3a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Sep 2024 23:49:49 +0200 +Subject: net: ethernet: lantiq_etop: fix memory disclosure + +From: Aleksander Jan Bajkowski + +[ Upstream commit 45c0de18ff2dc9af01236380404bbd6a46502c69 ] + +When applying padding, the buffer is not zeroed, which results in memory +disclosure. The mentioned data is observed on the wire. 
This patch uses +skb_put_padto() to pad Ethernet frames properly. The mentioned function +zeroes the expanded buffer. + +In case the packet cannot be padded it is silently dropped. Statistics +are also not incremented. This driver does not support statistics in the +old 32-bit format or the new 64-bit format. These will be added in the +future. In its current form, the patch should be easily backported to +stable versions. + +Ethernet MACs on Amazon-SE and Danube cannot do padding of the packets +in hardware, so software padding must be applied. + +Fixes: 504d4721ee8e ("MIPS: Lantiq: Add ethernet driver") +Signed-off-by: Aleksander Jan Bajkowski +Reviewed-by: Jacob Keller +Reviewed-by: Florian Fainelli +Link: https://patch.msgid.link/20240923214949.231511-2-olek2@wp.pl +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/lantiq_etop.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/lantiq_etop.c b/drivers/net/ethernet/lantiq_etop.c +index 61baf1da76eea..c33c31019562f 100644 +--- a/drivers/net/ethernet/lantiq_etop.c ++++ b/drivers/net/ethernet/lantiq_etop.c +@@ -482,7 +482,9 @@ ltq_etop_tx(struct sk_buff *skb, struct net_device *dev) + unsigned long flags; + u32 byte_offset; + +- len = skb->len < ETH_ZLEN ? 
ETH_ZLEN : skb->len; ++ if (skb_put_padto(skb, ETH_ZLEN)) ++ return NETDEV_TX_OK; ++ len = skb->len; + + if ((desc->ctl & (LTQ_DMA_OWN | LTQ_DMA_C)) || ch->skb[ch->dma.desc]) { + netdev_err(dev, "tx ring full\n"); +-- +2.43.0 + diff --git a/queue-6.1/net-ieee802154-mcr20a-use-irqf_no_autoen-flag-in-req.patch b/queue-6.1/net-ieee802154-mcr20a-use-irqf_no_autoen-flag-in-req.patch new file mode 100644 index 00000000000..d11a7eb1f5c --- /dev/null +++ b/queue-6.1/net-ieee802154-mcr20a-use-irqf_no_autoen-flag-in-req.patch @@ -0,0 +1,48 @@ +From b88688253feff74253d3de2f8259015386cd3300 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Sep 2024 17:42:34 +0800 +Subject: net: ieee802154: mcr20a: Use IRQF_NO_AUTOEN flag in request_irq() + +From: Jinjie Ruan + +[ Upstream commit 09573b1cc76e7ff8f056ab29ea1cdc152ec8c653 ] + +disable_irq() after request_irq() still has a time gap in which +interrupts can come. request_irq() with IRQF_NO_AUTOEN flag will +disable IRQ auto-enable when request IRQ. 
+ +Fixes: 8c6ad9cc5157 ("ieee802154: Add NXP MCR20A IEEE 802.15.4 transceiver driver") +Reviewed-by: Miquel Raynal +Signed-off-by: Jinjie Ruan +Link: https://lore.kernel.org/20240911094234.1922418-1-ruanjinjie@huawei.com +Signed-off-by: Stefan Schmidt +Signed-off-by: Sasha Levin +--- + drivers/net/ieee802154/mcr20a.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/drivers/net/ieee802154/mcr20a.c b/drivers/net/ieee802154/mcr20a.c +index 2fe0e4a0a0c4c..2a03bc22ef535 100644 +--- a/drivers/net/ieee802154/mcr20a.c ++++ b/drivers/net/ieee802154/mcr20a.c +@@ -1306,16 +1306,13 @@ mcr20a_probe(struct spi_device *spi) + irq_type = IRQF_TRIGGER_FALLING; + + ret = devm_request_irq(&spi->dev, spi->irq, mcr20a_irq_isr, +- irq_type, dev_name(&spi->dev), lp); ++ irq_type | IRQF_NO_AUTOEN, dev_name(&spi->dev), lp); + if (ret) { + dev_err(&spi->dev, "could not request_irq for mcr20a\n"); + ret = -ENODEV; + goto free_dev; + } + +- /* disable_irq by default and wait for starting hardware */ +- disable_irq(spi->irq); +- + ret = ieee802154_register_hw(hw); + if (ret) { + dev_crit(&spi->dev, "ieee802154_register_hw failed\n"); +-- +2.43.0 + diff --git a/queue-6.1/net-mlx5-added-cond_resched-to-crdump-collection.patch b/queue-6.1/net-mlx5-added-cond_resched-to-crdump-collection.patch new file mode 100644 index 00000000000..3d467f116f3 --- /dev/null +++ b/queue-6.1/net-mlx5-added-cond_resched-to-crdump-collection.patch @@ -0,0 +1,83 @@ +From 547146d4f794eea089a8b5e119bc7fb45839a72e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Sep 2024 22:02:48 -0600 +Subject: net/mlx5: Added cond_resched() to crdump collection + +From: Mohamed Khalfella + +[ Upstream commit ec793155894140df7421d25903de2e6bc12c695b ] + +Collecting crdump involves reading vsc registers from pci config space +of mlx device, which can take long time to complete. This might result +in starving other threads waiting to run on the cpu. 
+ +Numbers I got from testing ConnectX-5 Ex MCX516A-CDAT in the lab: + +- mlx5_vsc_gw_read_block_fast() was called with length = 1310716. +- mlx5_vsc_gw_read_fast() reads 4 bytes at a time. It was not used to + read the entire 1310716 bytes. It was called 53813 times because + there are jumps in read_addr. +- On average mlx5_vsc_gw_read_fast() took 35284.4ns. +- In total mlx5_vsc_wait_on_flag() called vsc_read() 54707 times. + The average time for each call was 17548.3ns. In some instances + vsc_read() was called more than one time when the flag was not set. + As expected the thread released the cpu after 16 iterations in + mlx5_vsc_wait_on_flag(). +- Total time to read crdump was 35284.4ns * 53813 ~= 1.898s. + +It was seen in the field that crdump can take more than 5 seconds to +complete. During that time mlx5_vsc_wait_on_flag() did not release the +cpu because it did not complete 16 iterations. It is believed that pci +config reads were slow. Adding cond_resched() every 128 register reads +improves the situation. In the common case, the crdump takes ~1.8989s, +the thread yields the cpu every ~4.51ms. If crdump takes ~5s, the thread +yields the cpu every ~18.0ms. + +Fixes: 8b9d8baae1de ("net/mlx5: Add Crdump support") +Reviewed-by: Yuanyuan Zhong +Signed-off-by: Mohamed Khalfella +Reviewed-by: Moshe Shemesh +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/lib/pci_vsc.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/pci_vsc.c b/drivers/net/ethernet/mellanox/mlx5/core/lib/pci_vsc.c +index d0b595ba61101..432c98f2626db 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/lib/pci_vsc.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/pci_vsc.c +@@ -24,6 +24,11 @@ + pci_write_config_dword((dev)->pdev, (dev)->vsc_addr + (offset), (val)) + #define VSC_MAX_RETRIES 2048 + ++/* Reading VSC registers can take relatively long time. 
++ * Yield the cpu every 128 registers read. ++ */ ++#define VSC_GW_READ_BLOCK_COUNT 128 ++ + enum { + VSC_CTRL_OFFSET = 0x4, + VSC_COUNTER_OFFSET = 0x8, +@@ -273,6 +278,7 @@ int mlx5_vsc_gw_read_block_fast(struct mlx5_core_dev *dev, u32 *data, + { + unsigned int next_read_addr = 0; + unsigned int read_addr = 0; ++ unsigned int count = 0; + + while (read_addr < length) { + if (mlx5_vsc_gw_read_fast(dev, read_addr, &next_read_addr, +@@ -280,6 +286,10 @@ int mlx5_vsc_gw_read_block_fast(struct mlx5_core_dev *dev, u32 *data, + return read_addr; + + read_addr = next_read_addr; ++ if (++count == VSC_GW_READ_BLOCK_COUNT) { ++ cond_resched(); ++ count = 0; ++ } + } + return length; + } +-- +2.43.0 + diff --git a/queue-6.1/net-mlx5-fix-error-path-in-multi-packet-wqe-transmit.patch b/queue-6.1/net-mlx5-fix-error-path-in-multi-packet-wqe-transmit.patch new file mode 100644 index 00000000000..6700636ae94 --- /dev/null +++ b/queue-6.1/net-mlx5-fix-error-path-in-multi-packet-wqe-transmit.patch @@ -0,0 +1,49 @@ +From 083dd2b2d34d11280570f15ed0b8ca38a6e8a94b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Sep 2024 10:53:51 +0200 +Subject: net/mlx5: Fix error path in multi-packet WQE transmit + +From: Gerd Bayer + +[ Upstream commit 2bcae12c795f32ddfbf8c80d1b5f1d3286341c32 ] + +Remove the erroneous unmap in case no DMA mapping was established + +The multi-packet WQE transmit code attempts to obtain a DMA mapping for +the skb. This could fail, e.g. under memory pressure, when the IOMMU +driver just can't allocate more memory for page tables. While the code +tries to handle this in the path below the err_unmap label it erroneously +unmaps one entry from the sq's FIFO list of active mappings. Since the +current map attempt failed this unmap is removing some random DMA mapping +that might still be required. If the PCI function now presents that IOVA, +the IOMMU may assumes a rogue DMA access and e.g. on s390 puts the PCI +function in error state. 
+ +The erroneous behavior was seen in a stress-test environment that created +memory pressure. + +Fixes: 5af75c747e2a ("net/mlx5e: Enhanced TX MPWQE for SKBs") +Signed-off-by: Gerd Bayer +Reviewed-by: Zhu Yanjun +Acked-by: Maxim Mikityanskiy +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_tx.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c +index e6e792a38a640..7aea25c09f72b 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c +@@ -633,7 +633,6 @@ mlx5e_sq_xmit_mpwqe(struct mlx5e_txqsq *sq, struct sk_buff *skb, + return; + + err_unmap: +- mlx5e_dma_unmap_wqe_err(sq, 1); + sq->stats->dropped++; + dev_kfree_skb_any(skb); + mlx5e_tx_flush(sq); +-- +2.43.0 + diff --git a/queue-6.1/net-mlx5e-fix-null-deref-in-mlx5e_tir_builder_alloc.patch b/queue-6.1/net-mlx5e-fix-null-deref-in-mlx5e_tir_builder_alloc.patch new file mode 100644 index 00000000000..d37d68a357f --- /dev/null +++ b/queue-6.1/net-mlx5e-fix-null-deref-in-mlx5e_tir_builder_alloc.patch @@ -0,0 +1,44 @@ +From 3e9c2f75f07e289fd9b8192a44c0eeb5c78addd4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Sep 2024 19:00:18 +0300 +Subject: net/mlx5e: Fix NULL deref in mlx5e_tir_builder_alloc() + +From: Elena Salomatkina + +[ Upstream commit f25389e779500cf4a59ef9804534237841bce536 ] + +In mlx5e_tir_builder_alloc() kvzalloc() may return NULL +which is dereferenced on the next line in a reference +to the modify field. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. 
+ +Fixes: a6696735d694 ("net/mlx5e: Convert TIR to a dedicated object") +Signed-off-by: Elena Salomatkina +Reviewed-by: Simon Horman +Reviewed-by: Kalesh AP +Reviewed-by: Tariq Toukan +Reviewed-by: Gal Pressman +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en/tir.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tir.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tir.c +index d4239e3b3c88e..11f724ad90dbf 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tir.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tir.c +@@ -23,6 +23,9 @@ struct mlx5e_tir_builder *mlx5e_tir_builder_alloc(bool modify) + struct mlx5e_tir_builder *builder; + + builder = kvzalloc(sizeof(*builder), GFP_KERNEL); ++ if (!builder) ++ return NULL; ++ + builder->modify = modify; + + return builder; +-- +2.43.0 + diff --git a/queue-6.1/net-sparx5-fix-invalid-timestamps.patch b/queue-6.1/net-sparx5-fix-invalid-timestamps.patch new file mode 100644 index 00000000000..06ac9f5878f --- /dev/null +++ b/queue-6.1/net-sparx5-fix-invalid-timestamps.patch @@ -0,0 +1,45 @@ +From 6fdc52be286bfa2fb8fce4abc678e6c1db9fb344 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Sep 2024 22:18:29 -0700 +Subject: net: sparx5: Fix invalid timestamps + +From: Aakash Menon + +[ Upstream commit 151ac45348afc5b56baa584c7cd4876addf461ff ] + +Bit 270-271 are occasionally unexpectedly set by the hardware. This issue +was observed with 10G SFPs causing huge time errors (> 30ms) in PTP. Only +30 bits are needed for the nanosecond part of the timestamp, clear 2 most +significant bits before extracting timestamp from the internal frame +header. + +Fixes: 70dfe25cd866 ("net: sparx5: Update extraction/injection for timestamping") +Signed-off-by: Aakash Menon +Reviewed-by: Horatiu Vultur +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/microchip/sparx5/sparx5_packet.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/microchip/sparx5/sparx5_packet.c b/drivers/net/ethernet/microchip/sparx5/sparx5_packet.c +index ac7e1cffbcecf..dcf2e342fc14a 100644 +--- a/drivers/net/ethernet/microchip/sparx5/sparx5_packet.c ++++ b/drivers/net/ethernet/microchip/sparx5/sparx5_packet.c +@@ -45,8 +45,12 @@ void sparx5_ifh_parse(u32 *ifh, struct frame_info *info) + fwd = (fwd >> 5); + info->src_port = FIELD_GET(GENMASK(7, 1), fwd); + ++ /* ++ * Bit 270-271 are occasionally unexpectedly set by the hardware, ++ * clear bits before extracting timestamp ++ */ + info->timestamp = +- ((u64)xtr_hdr[2] << 24) | ++ ((u64)(xtr_hdr[2] & GENMASK(5, 0)) << 24) | + ((u64)xtr_hdr[3] << 16) | + ((u64)xtr_hdr[4] << 8) | + ((u64)xtr_hdr[5] << 0); +-- +2.43.0 + diff --git a/queue-6.1/net-stmmac-dwmac4-extend-timeout-for-vlan-tag-regist.patch b/queue-6.1/net-stmmac-dwmac4-extend-timeout-for-vlan-tag-regist.patch new file mode 100644 index 00000000000..d62c79a9d52 --- /dev/null +++ b/queue-6.1/net-stmmac-dwmac4-extend-timeout-for-vlan-tag-regist.patch @@ -0,0 +1,79 @@ +From d4b59c9127027b33e0612e2083ecfa032fe12954 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Sep 2024 15:54:24 -0500 +Subject: net: stmmac: dwmac4: extend timeout for VLAN Tag register busy bit + check +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Shenwei Wang + +[ Upstream commit 4c1b56671b68ffcbe6b78308bfdda6bcce6491ae ] + +Increase the timeout for checking the busy bit of the VLAN Tag register +from 10µs to 500ms. This change is necessary to accommodate scenarios +where Energy Efficient Ethernet (EEE) is enabled. + +Overnight testing revealed that when EEE is active, the busy bit can +remain set for up to approximately 300ms. The new 500ms timeout provides +a safety margin. 
+ +Fixes: ed64639bc1e0 ("net: stmmac: Add support for VLAN Rx filtering") +Reviewed-by: Andrew Lunn +Signed-off-by: Shenwei Wang +Link: https://patch.msgid.link/20240924205424.573913-1-shenwei.wang@nxp.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + .../net/ethernet/stmicro/stmmac/dwmac4_core.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c +index 687eb17e41c6e..c75868f3ceae1 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c +@@ -14,6 +14,7 @@ + #include + #include + #include ++#include + #include "stmmac.h" + #include "stmmac_pcs.h" + #include "dwmac4.h" +@@ -469,7 +470,7 @@ static int dwmac4_write_vlan_filter(struct net_device *dev, + u8 index, u32 data) + { + void __iomem *ioaddr = (void __iomem *)dev->base_addr; +- int i, timeout = 10; ++ int ret; + u32 val; + + if (index >= hw->num_vlan) +@@ -485,16 +486,15 @@ static int dwmac4_write_vlan_filter(struct net_device *dev, + + writel(val, ioaddr + GMAC_VLAN_TAG); + +- for (i = 0; i < timeout; i++) { +- val = readl(ioaddr + GMAC_VLAN_TAG); +- if (!(val & GMAC_VLAN_TAG_CTRL_OB)) +- return 0; +- udelay(1); ++ ret = readl_poll_timeout(ioaddr + GMAC_VLAN_TAG, val, ++ !(val & GMAC_VLAN_TAG_CTRL_OB), ++ 1000, 500000); ++ if (ret) { ++ netdev_err(dev, "Timeout accessing MAC_VLAN_Tag_Filter\n"); ++ return -EBUSY; + } + +- netdev_err(dev, "Timeout accessing MAC_VLAN_Tag_Filter\n"); +- +- return -EBUSY; ++ return 0; + } + + static int dwmac4_add_hw_vlan_rx_fltr(struct net_device *dev, +-- +2.43.0 + diff --git a/queue-6.1/net-wwan-qcom_bam_dmux-fix-missing-pm_runtime_disabl.patch b/queue-6.1/net-wwan-qcom_bam_dmux-fix-missing-pm_runtime_disabl.patch new file mode 100644 index 00000000000..8afd92441fd --- /dev/null +++ b/queue-6.1/net-wwan-qcom_bam_dmux-fix-missing-pm_runtime_disabl.patch @@ -0,0 
+1,68 @@ +From 76edc53368a16b74c274afdcaf0db13a4c93a989 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Sep 2024 19:57:43 +0800 +Subject: net: wwan: qcom_bam_dmux: Fix missing pm_runtime_disable() + +From: Jinjie Ruan + +[ Upstream commit d505d3593b52b6c43507f119572409087416ba28 ] + +It's important to undo pm_runtime_use_autosuspend() with +pm_runtime_dont_use_autosuspend() at driver exit time. + +But the pm_runtime_disable() and pm_runtime_dont_use_autosuspend() +is missing in the error path for bam_dmux_probe(). So add it. + +Found by code review. Compile-tested only. + +Fixes: 21a0ffd9b38c ("net: wwan: Add Qualcomm BAM-DMUX WWAN network driver") +Suggested-by: Stephan Gerhold +Signed-off-by: Jinjie Ruan +Reviewed-by: Stephan Gerhold +Reviewed-by: Sergey Ryazanov +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/wwan/qcom_bam_dmux.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wwan/qcom_bam_dmux.c b/drivers/net/wwan/qcom_bam_dmux.c +index 17d46f4d29139..174a9156b3233 100644 +--- a/drivers/net/wwan/qcom_bam_dmux.c ++++ b/drivers/net/wwan/qcom_bam_dmux.c +@@ -823,17 +823,17 @@ static int bam_dmux_probe(struct platform_device *pdev) + ret = devm_request_threaded_irq(dev, pc_ack_irq, NULL, bam_dmux_pc_ack_irq, + IRQF_ONESHOT, NULL, dmux); + if (ret) +- return ret; ++ goto err_disable_pm; + + ret = devm_request_threaded_irq(dev, dmux->pc_irq, NULL, bam_dmux_pc_irq, + IRQF_ONESHOT, NULL, dmux); + if (ret) +- return ret; ++ goto err_disable_pm; + + ret = irq_get_irqchip_state(dmux->pc_irq, IRQCHIP_STATE_LINE_LEVEL, + &dmux->pc_state); + if (ret) +- return ret; ++ goto err_disable_pm; + + /* Check if remote finished initialization before us */ + if (dmux->pc_state) { +@@ -844,6 +844,11 @@ static int bam_dmux_probe(struct platform_device *pdev) + } + + return 0; ++ ++err_disable_pm: ++ pm_runtime_disable(dev); ++ pm_runtime_dont_use_autosuspend(dev); ++ return ret; + } + + static int 
bam_dmux_remove(struct platform_device *pdev) +-- +2.43.0 + diff --git a/queue-6.1/netfilter-nf_tables-prevent-nf_skb_duplicated-corrup.patch b/queue-6.1/netfilter-nf_tables-prevent-nf_skb_duplicated-corrup.patch new file mode 100644 index 00000000000..59f03a90463 --- /dev/null +++ b/queue-6.1/netfilter-nf_tables-prevent-nf_skb_duplicated-corrup.patch @@ -0,0 +1,134 @@ +From a9886557baf829ccc18b1deb8bc618f85d129fb0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Sep 2024 18:56:11 +0000 +Subject: netfilter: nf_tables: prevent nf_skb_duplicated corruption + +From: Eric Dumazet + +[ Upstream commit 92ceba94de6fb4cee2bf40b485979c342f44a492 ] + +syzbot found that nf_dup_ipv4() or nf_dup_ipv6() could write +per-cpu variable nf_skb_duplicated in an unsafe way [1]. + +Disabling preemption as hinted by the splat is not enough, +we have to disable soft interrupts as well. + +[1] +BUG: using __this_cpu_write() in preemptible [00000000] code: syz.4.282/6316 + caller is nf_dup_ipv4+0x651/0x8f0 net/ipv4/netfilter/nf_dup_ipv4.c:87 +CPU: 0 UID: 0 PID: 6316 Comm: syz.4.282 Not tainted 6.11.0-rc7-syzkaller-00104-g7052622fccb1 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 +Call Trace: + + __dump_stack lib/dump_stack.c:93 [inline] + dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119 + check_preemption_disabled+0x10e/0x120 lib/smp_processor_id.c:49 + nf_dup_ipv4+0x651/0x8f0 net/ipv4/netfilter/nf_dup_ipv4.c:87 + nft_dup_ipv4_eval+0x1db/0x300 net/ipv4/netfilter/nft_dup_ipv4.c:30 + expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline] + nft_do_chain+0x4ad/0x1da0 net/netfilter/nf_tables_core.c:288 + nft_do_chain_ipv4+0x202/0x320 net/netfilter/nft_chain_filter.c:23 + nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] + nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626 + nf_hook+0x2c4/0x450 include/linux/netfilter.h:269 + NF_HOOK_COND include/linux/netfilter.h:302 [inline] + ip_output+0x185/0x230 
net/ipv4/ip_output.c:433 + ip_local_out net/ipv4/ip_output.c:129 [inline] + ip_send_skb+0x74/0x100 net/ipv4/ip_output.c:1495 + udp_send_skb+0xacf/0x1650 net/ipv4/udp.c:981 + udp_sendmsg+0x1c21/0x2a60 net/ipv4/udp.c:1269 + sock_sendmsg_nosec net/socket.c:730 [inline] + __sock_sendmsg+0x1a6/0x270 net/socket.c:745 + ____sys_sendmsg+0x525/0x7d0 net/socket.c:2597 + ___sys_sendmsg net/socket.c:2651 [inline] + __sys_sendmmsg+0x3b2/0x740 net/socket.c:2737 + __do_sys_sendmmsg net/socket.c:2766 [inline] + __se_sys_sendmmsg net/socket.c:2763 [inline] + __x64_sys_sendmmsg+0xa0/0xb0 net/socket.c:2763 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7f4ce4f7def9 +Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f4ce5d4a038 EFLAGS: 00000246 ORIG_RAX: 0000000000000133 +RAX: ffffffffffffffda RBX: 00007f4ce5135f80 RCX: 00007f4ce4f7def9 +RDX: 0000000000000001 RSI: 0000000020005d40 RDI: 0000000000000006 +RBP: 00007f4ce4ff0b76 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 0000000000000000 R14: 00007f4ce5135f80 R15: 00007ffd4cbc6d68 + + +Fixes: d877f07112f1 ("netfilter: nf_tables: add nft_dup expression") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/ipv4/netfilter/nf_dup_ipv4.c | 7 +++++-- + net/ipv6/netfilter/nf_dup_ipv6.c | 7 +++++-- + 2 files changed, 10 insertions(+), 4 deletions(-) + +diff --git a/net/ipv4/netfilter/nf_dup_ipv4.c b/net/ipv4/netfilter/nf_dup_ipv4.c +index 6cc5743c553a0..9a21175693db5 100644 +--- a/net/ipv4/netfilter/nf_dup_ipv4.c ++++ b/net/ipv4/netfilter/nf_dup_ipv4.c +@@ -52,8 +52,9 @@ void nf_dup_ipv4(struct net *net, struct sk_buff *skb, 
unsigned int hooknum, + { + struct iphdr *iph; + ++ local_bh_disable(); + if (this_cpu_read(nf_skb_duplicated)) +- return; ++ goto out; + /* + * Copy the skb, and route the copy. Will later return %XT_CONTINUE for + * the original skb, which should continue on its way as if nothing has +@@ -61,7 +62,7 @@ void nf_dup_ipv4(struct net *net, struct sk_buff *skb, unsigned int hooknum, + */ + skb = pskb_copy(skb, GFP_ATOMIC); + if (skb == NULL) +- return; ++ goto out; + + #if IS_ENABLED(CONFIG_NF_CONNTRACK) + /* Avoid counting cloned packets towards the original connection. */ +@@ -90,6 +91,8 @@ void nf_dup_ipv4(struct net *net, struct sk_buff *skb, unsigned int hooknum, + } else { + kfree_skb(skb); + } ++out: ++ local_bh_enable(); + } + EXPORT_SYMBOL_GPL(nf_dup_ipv4); + +diff --git a/net/ipv6/netfilter/nf_dup_ipv6.c b/net/ipv6/netfilter/nf_dup_ipv6.c +index a0a2de30be3e7..0c39c77fe8a8a 100644 +--- a/net/ipv6/netfilter/nf_dup_ipv6.c ++++ b/net/ipv6/netfilter/nf_dup_ipv6.c +@@ -47,11 +47,12 @@ static bool nf_dup_ipv6_route(struct net *net, struct sk_buff *skb, + void nf_dup_ipv6(struct net *net, struct sk_buff *skb, unsigned int hooknum, + const struct in6_addr *gw, int oif) + { ++ local_bh_disable(); + if (this_cpu_read(nf_skb_duplicated)) +- return; ++ goto out; + skb = pskb_copy(skb, GFP_ATOMIC); + if (skb == NULL) +- return; ++ goto out; + + #if IS_ENABLED(CONFIG_NF_CONNTRACK) + nf_reset_ct(skb); +@@ -69,6 +70,8 @@ void nf_dup_ipv6(struct net *net, struct sk_buff *skb, unsigned int hooknum, + } else { + kfree_skb(skb); + } ++out: ++ local_bh_enable(); + } + EXPORT_SYMBOL_GPL(nf_dup_ipv6); + +-- +2.43.0 + diff --git a/queue-6.1/netfilter-uapi-nfta_flowtable_hook-is-nla_nested.patch b/queue-6.1/netfilter-uapi-nfta_flowtable_hook-is-nla_nested.patch new file mode 100644 index 00000000000..891d816a398 --- /dev/null +++ b/queue-6.1/netfilter-uapi-nfta_flowtable_hook-is-nla_nested.patch @@ -0,0 +1,35 @@ +From 0dfb891c58a22a9778d10cf4756d4d9e2ace2d1f Mon Sep 17 00:00:00 2001 
+From: Sasha Levin +Date: Wed, 25 Sep 2024 20:01:20 +0200 +Subject: netfilter: uapi: NFTA_FLOWTABLE_HOOK is NLA_NESTED + +From: Phil Sutter + +[ Upstream commit 76f1ed087b562a469f2153076f179854b749c09a ] + +Fix the comment which incorrectly defines it as NLA_U32. + +Fixes: 3b49e2e94e6e ("netfilter: nf_tables: add flow table netlink frontend") +Signed-off-by: Phil Sutter +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/uapi/linux/netfilter/nf_tables.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h +index 672b2e1b47f24..557d57671cb51 100644 +--- a/include/uapi/linux/netfilter/nf_tables.h ++++ b/include/uapi/linux/netfilter/nf_tables.h +@@ -1642,7 +1642,7 @@ enum nft_flowtable_flags { + * + * @NFTA_FLOWTABLE_TABLE: name of the table containing the expression (NLA_STRING) + * @NFTA_FLOWTABLE_NAME: name of this flow table (NLA_STRING) +- * @NFTA_FLOWTABLE_HOOK: netfilter hook configuration(NLA_U32) ++ * @NFTA_FLOWTABLE_HOOK: netfilter hook configuration (NLA_NESTED) + * @NFTA_FLOWTABLE_USE: number of references to this flow table (NLA_U32) + * @NFTA_FLOWTABLE_HANDLE: object handle (NLA_U64) + * @NFTA_FLOWTABLE_FLAGS: flags (NLA_U32) +-- +2.43.0 + diff --git a/queue-6.1/ppp-do-not-assume-bh-is-held-in-ppp_channel_bridge_i.patch b/queue-6.1/ppp-do-not-assume-bh-is-held-in-ppp_channel_bridge_i.patch new file mode 100644 index 00000000000..43ff1516d87 --- /dev/null +++ b/queue-6.1/ppp-do-not-assume-bh-is-held-in-ppp_channel_bridge_i.patch @@ -0,0 +1,142 @@ +From 09ab1bcd660e0d6fe5d81b34dcd33a93fe124949 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Sep 2024 07:45:53 +0000 +Subject: ppp: do not assume bh is held in ppp_channel_bridge_input() + +From: Eric Dumazet + +[ Upstream commit aec7291003df78cb71fd461d7b672912bde55807 ] + +Networking receive path is usually handled from BH handler. 
+However, some protocols need to acquire the socket lock, and +packets might be stored in the socket backlog if the socket was +owned by a user process. + +In this case, release_sock(), __release_sock(), and sk_backlog_rcv() +might call the sk->sk_backlog_rcv() handler in process context. + +syzbot caught ppp was not considering this case in +ppp_channel_bridge_input() : + +WARNING: inconsistent lock state +6.11.0-rc7-syzkaller-g5f5673607153 #0 Not tainted +-------------------------------- +inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage. +ksoftirqd/1/24 [HC0[0]:SC1[1]:HE1:SE0] takes: + ffff0000db7f11e0 (&pch->downl){+.?.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline] + ffff0000db7f11e0 (&pch->downl){+.?.}-{2:2}, at: ppp_channel_bridge_input drivers/net/ppp/ppp_generic.c:2272 [inline] + ffff0000db7f11e0 (&pch->downl){+.?.}-{2:2}, at: ppp_input+0x16c/0x854 drivers/net/ppp/ppp_generic.c:2304 +{SOFTIRQ-ON-W} state was registered at: + lock_acquire+0x240/0x728 kernel/locking/lockdep.c:5759 + __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline] + _raw_spin_lock+0x48/0x60 kernel/locking/spinlock.c:154 + spin_lock include/linux/spinlock.h:351 [inline] + ppp_channel_bridge_input drivers/net/ppp/ppp_generic.c:2272 [inline] + ppp_input+0x16c/0x854 drivers/net/ppp/ppp_generic.c:2304 + pppoe_rcv_core+0xfc/0x314 drivers/net/ppp/pppoe.c:379 + sk_backlog_rcv include/net/sock.h:1111 [inline] + __release_sock+0x1a8/0x3d8 net/core/sock.c:3004 + release_sock+0x68/0x1b8 net/core/sock.c:3558 + pppoe_sendmsg+0xc8/0x5d8 drivers/net/ppp/pppoe.c:903 + sock_sendmsg_nosec net/socket.c:730 [inline] + __sock_sendmsg net/socket.c:745 [inline] + __sys_sendto+0x374/0x4f4 net/socket.c:2204 + __do_sys_sendto net/socket.c:2216 [inline] + __se_sys_sendto net/socket.c:2212 [inline] + __arm64_sys_sendto+0xd8/0xf8 net/socket.c:2212 + __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] + invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 + el0_svc_common+0x130/0x23c 
arch/arm64/kernel/syscall.c:132 + do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 + el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712 + el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730 + el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598 +irq event stamp: 282914 + hardirqs last enabled at (282914): [] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline] + hardirqs last enabled at (282914): [] _raw_spin_unlock_irqrestore+0x38/0x98 kernel/locking/spinlock.c:194 + hardirqs last disabled at (282913): [] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline] + hardirqs last disabled at (282913): [] _raw_spin_lock_irqsave+0x2c/0x7c kernel/locking/spinlock.c:162 + softirqs last enabled at (282904): [] softirq_handle_end kernel/softirq.c:400 [inline] + softirqs last enabled at (282904): [] handle_softirqs+0xa3c/0xbfc kernel/softirq.c:582 + softirqs last disabled at (282909): [] run_ksoftirqd+0x70/0x158 kernel/softirq.c:928 + +other info that might help us debug this: + Possible unsafe locking scenario: + + CPU0 + ---- + lock(&pch->downl); + + lock(&pch->downl); + + *** DEADLOCK *** + +1 lock held by ksoftirqd/1/24: + #0: ffff80008f74dfa0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x10/0x4c include/linux/rcupdate.h:325 + +stack backtrace: +CPU: 1 UID: 0 PID: 24 Comm: ksoftirqd/1 Not tainted 6.11.0-rc7-syzkaller-g5f5673607153 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 +Call trace: + dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:319 + show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:326 + __dump_stack lib/dump_stack.c:93 [inline] + dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:119 + dump_stack+0x1c/0x28 lib/dump_stack.c:128 + print_usage_bug+0x698/0x9ac kernel/locking/lockdep.c:4000 + mark_lock_irq+0x980/0xd2c + mark_lock+0x258/0x360 kernel/locking/lockdep.c:4677 + __lock_acquire+0xf48/0x779c kernel/locking/lockdep.c:5096 + 
lock_acquire+0x240/0x728 kernel/locking/lockdep.c:5759 + __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline] + _raw_spin_lock+0x48/0x60 kernel/locking/spinlock.c:154 + spin_lock include/linux/spinlock.h:351 [inline] + ppp_channel_bridge_input drivers/net/ppp/ppp_generic.c:2272 [inline] + ppp_input+0x16c/0x854 drivers/net/ppp/ppp_generic.c:2304 + ppp_async_process+0x98/0x150 drivers/net/ppp/ppp_async.c:495 + tasklet_action_common+0x318/0x3f4 kernel/softirq.c:785 + tasklet_action+0x68/0x8c kernel/softirq.c:811 + handle_softirqs+0x2e4/0xbfc kernel/softirq.c:554 + run_ksoftirqd+0x70/0x158 kernel/softirq.c:928 + smpboot_thread_fn+0x4b0/0x90c kernel/smpboot.c:164 + kthread+0x288/0x310 kernel/kthread.c:389 + ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860 + +Fixes: 4cf476ced45d ("ppp: add PPPIOCBRIDGECHAN and PPPIOCUNBRIDGECHAN ioctls") +Reported-by: syzbot+bd8d55ee2acd0a71d8ce@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/66f661e2.050a0220.38ace9.000f.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Cc: Tom Parkin +Cc: James Chapman +Link: https://patch.msgid.link/20240927074553.341910-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ppp/ppp_generic.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c +index 5a6fa566e722f..de14e89619c5e 100644 +--- a/drivers/net/ppp/ppp_generic.c ++++ b/drivers/net/ppp/ppp_generic.c +@@ -2269,7 +2269,7 @@ static bool ppp_channel_bridge_input(struct channel *pch, struct sk_buff *skb) + if (!pchb) + goto out_rcu; + +- spin_lock(&pchb->downl); ++ spin_lock_bh(&pchb->downl); + if (!pchb->chan) { + /* channel got unregistered */ + kfree_skb(skb); +@@ -2281,7 +2281,7 @@ static bool ppp_channel_bridge_input(struct channel *pch, struct sk_buff *skb) + kfree_skb(skb); + + outl: +- spin_unlock(&pchb->downl); ++ spin_unlock_bh(&pchb->downl); + out_rcu: + rcu_read_unlock(); + 
+-- +2.43.0 + diff --git a/queue-6.1/scsi-pm8001-do-not-overwrite-pci-queue-mapping.patch b/queue-6.1/scsi-pm8001-do-not-overwrite-pci-queue-mapping.patch new file mode 100644 index 00000000000..f46b3b7d3e6 --- /dev/null +++ b/queue-6.1/scsi-pm8001-do-not-overwrite-pci-queue-mapping.patch @@ -0,0 +1,46 @@ +From 548d5e40077f0507cb3b4a7567e23e734e3a08d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Sep 2024 10:58:28 +0200 +Subject: scsi: pm8001: Do not overwrite PCI queue mapping + +From: Daniel Wagner + +[ Upstream commit a141c17a543332fc1238eb5cba562bfc66879126 ] + +blk_mq_pci_map_queues() maps all queues but right after this, we overwrite +these mappings by calling blk_mq_map_queues(). Just use one helper but not +both. + +Fixes: 42f22fe36d51 ("scsi: pm8001: Expose hardware queues for pm80xx") +Reviewed-by: Christoph Hellwig +Reviewed-by: John Garry +Signed-off-by: Daniel Wagner +Link: https://lore.kernel.org/r/20240912-do-not-overwrite-pci-mapping-v1-1-85724b6cec49@suse.de +Signed-off-by: Martin K. 
Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/pm8001/pm8001_init.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/pm8001/pm8001_init.c b/drivers/scsi/pm8001/pm8001_init.c +index da65234add432..18b150f27c868 100644 +--- a/drivers/scsi/pm8001/pm8001_init.c ++++ b/drivers/scsi/pm8001/pm8001_init.c +@@ -87,10 +87,12 @@ static void pm8001_map_queues(struct Scsi_Host *shost) + struct pm8001_hba_info *pm8001_ha = sha->lldd_ha; + struct blk_mq_queue_map *qmap = &shost->tag_set.map[HCTX_TYPE_DEFAULT]; + +- if (pm8001_ha->number_of_intr > 1) ++ if (pm8001_ha->number_of_intr > 1) { + blk_mq_pci_map_queues(qmap, pm8001_ha->pdev, 1); ++ return; ++ } + +- return blk_mq_map_queues(qmap); ++ blk_mq_map_queues(qmap); + } + + /* +-- +2.43.0 + diff --git a/queue-6.1/sctp-set-sk_state-back-to-closed-if-autobind-fails-i.patch b/queue-6.1/sctp-set-sk_state-back-to-closed-if-autobind-fails-i.patch new file mode 100644 index 00000000000..4b3a874f5db --- /dev/null +++ b/queue-6.1/sctp-set-sk_state-back-to-closed-if-autobind-fails-i.patch @@ -0,0 +1,56 @@ +From 8746f79046812f9b1f20600ebab53ee982eb9142 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Sep 2024 16:49:51 -0400 +Subject: sctp: set sk_state back to CLOSED if autobind fails in + sctp_listen_start + +From: Xin Long + +[ Upstream commit 8beee4d8dee76b67c75dc91fd8185d91e845c160 ] + +In sctp_listen_start() invoked by sctp_inet_listen(), it should set the +sk_state back to CLOSED if sctp_autobind() fails due to whatever reason. + +Otherwise, next time when calling sctp_inet_listen(), if sctp_sk(sk)->reuse +is already set via setsockopt(SCTP_REUSE_PORT), sctp_sk(sk)->bind_hash will +be dereferenced as sk_state is LISTENING, which causes a crash as bind_hash +is NULL. 
+ + KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] + RIP: 0010:sctp_inet_listen+0x7f0/0xa20 net/sctp/socket.c:8617 + Call Trace: + + __sys_listen_socket net/socket.c:1883 [inline] + __sys_listen+0x1b7/0x230 net/socket.c:1894 + __do_sys_listen net/socket.c:1902 [inline] + +Fixes: 5e8f3f703ae4 ("sctp: simplify sctp listening code") +Reported-by: syzbot+f4e0f821e3a3b7cee51d@syzkaller.appspotmail.com +Signed-off-by: Xin Long +Acked-by: Marcelo Ricardo Leitner +Link: https://patch.msgid.link/a93e655b3c153dc8945d7a812e6d8ab0d52b7aa0.1727729391.git.lucien.xin@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/sctp/socket.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/sctp/socket.c b/net/sctp/socket.c +index 9689d2f2d91f9..98b8eb9a21bdf 100644 +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -8546,8 +8546,10 @@ static int sctp_listen_start(struct sock *sk, int backlog) + */ + inet_sk_set_state(sk, SCTP_SS_LISTENING); + if (!ep->base.bind_addr.port) { +- if (sctp_autobind(sk)) ++ if (sctp_autobind(sk)) { ++ inet_sk_set_state(sk, SCTP_SS_CLOSED); + return -EAGAIN; ++ } + } else { + if (sctp_get_port(sk, inet_sk(sk)->inet_num)) { + inet_sk_set_state(sk, SCTP_SS_CLOSED); +-- +2.43.0 + diff --git a/queue-6.1/selftests-netfilter-fix-nft_audit.sh-for-newer-nft-b.patch b/queue-6.1/selftests-netfilter-fix-nft_audit.sh-for-newer-nft-b.patch new file mode 100644 index 00000000000..5302bd34123 --- /dev/null +++ b/queue-6.1/selftests-netfilter-fix-nft_audit.sh-for-newer-nft-b.patch @@ -0,0 +1,134 @@ +From 8aaa21c5dde59ba0d2c4f468e6d8c891c6baea80 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Sep 2024 18:56:31 +0200 +Subject: selftests: netfilter: Fix nft_audit.sh for newer nft binaries + +From: Phil Sutter + +[ Upstream commit 8a89015644513ef69193a037eb966f2d55fe385a ] + +As a side-effect of nftables' commit dbff26bfba833 ("cache: consolidate +reset command"), audit logs changed when 
more objects were reset than +fit into a single netlink message. + +Since the objects' distribution in netlink messages is not relevant, +implement a summarizing function which combines repeated audit logs into +a single one with summed up 'entries=' value. + +Fixes: 203bb9d39866 ("selftests: netfilter: Extend nft_audit.sh") +Signed-off-by: Phil Sutter +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + .../testing/selftests/netfilter/nft_audit.sh | 57 ++++++++++--------- + 1 file changed, 29 insertions(+), 28 deletions(-) + +diff --git a/tools/testing/selftests/netfilter/nft_audit.sh b/tools/testing/selftests/netfilter/nft_audit.sh +index 99ed5bd6e8402..e4717444d38e7 100755 +--- a/tools/testing/selftests/netfilter/nft_audit.sh ++++ b/tools/testing/selftests/netfilter/nft_audit.sh +@@ -25,12 +25,31 @@ logread_pid=$! + trap 'kill $logread_pid; rm -f $logfile $rulefile' EXIT + exec 3<"$logfile" + ++lsplit='s/^\(.*\) entries=\([^ ]*\) \(.*\)$/pfx="\1"\nval="\2"\nsfx="\3"/' ++summarize_logs() { ++ sum=0 ++ while read line; do ++ eval $(sed "$lsplit" <<< "$line") ++ [[ $sum -gt 0 ]] && { ++ [[ "$pfx $sfx" == "$tpfx $tsfx" ]] && { ++ let "sum += val" ++ continue ++ } ++ echo "$tpfx entries=$sum $tsfx" ++ } ++ tpfx="$pfx" ++ tsfx="$sfx" ++ sum=$val ++ done ++ echo "$tpfx entries=$sum $tsfx" ++} ++ + do_test() { # (cmd, log) + echo -n "testing for cmd: $1 ... " + cat <&3 >/dev/null + $1 >/dev/null || exit 1 + sleep 0.1 +- res=$(diff -a -u <(echo "$2") - <&3) ++ res=$(diff -a -u <(echo "$2") <(summarize_logs <&3)) + [ $? 
-eq 0 ] && { echo "OK"; return; } + echo "FAIL" + grep -v '^\(---\|+++\|@@\)' <<< "$res" +@@ -129,31 +148,17 @@ do_test 'nft reset rules t1 c2' \ + 'table=t1 family=2 entries=3 op=nft_reset_rule' + + do_test 'nft reset rules table t1' \ +-'table=t1 family=2 entries=3 op=nft_reset_rule +-table=t1 family=2 entries=3 op=nft_reset_rule +-table=t1 family=2 entries=3 op=nft_reset_rule' ++'table=t1 family=2 entries=9 op=nft_reset_rule' + + do_test 'nft reset rules t2 c3' \ +-'table=t2 family=2 entries=189 op=nft_reset_rule +-table=t2 family=2 entries=188 op=nft_reset_rule +-table=t2 family=2 entries=126 op=nft_reset_rule' ++'table=t2 family=2 entries=503 op=nft_reset_rule' + + do_test 'nft reset rules t2' \ +-'table=t2 family=2 entries=3 op=nft_reset_rule +-table=t2 family=2 entries=3 op=nft_reset_rule +-table=t2 family=2 entries=186 op=nft_reset_rule +-table=t2 family=2 entries=188 op=nft_reset_rule +-table=t2 family=2 entries=129 op=nft_reset_rule' ++'table=t2 family=2 entries=509 op=nft_reset_rule' + + do_test 'nft reset rules' \ +-'table=t1 family=2 entries=3 op=nft_reset_rule +-table=t1 family=2 entries=3 op=nft_reset_rule +-table=t1 family=2 entries=3 op=nft_reset_rule +-table=t2 family=2 entries=3 op=nft_reset_rule +-table=t2 family=2 entries=3 op=nft_reset_rule +-table=t2 family=2 entries=180 op=nft_reset_rule +-table=t2 family=2 entries=188 op=nft_reset_rule +-table=t2 family=2 entries=135 op=nft_reset_rule' ++'table=t1 family=2 entries=9 op=nft_reset_rule ++table=t2 family=2 entries=509 op=nft_reset_rule' + + # resetting sets and elements + +@@ -177,13 +182,11 @@ do_test 'nft reset counters t1' \ + 'table=t1 family=2 entries=1 op=nft_reset_obj' + + do_test 'nft reset counters t2' \ +-'table=t2 family=2 entries=342 op=nft_reset_obj +-table=t2 family=2 entries=158 op=nft_reset_obj' ++'table=t2 family=2 entries=500 op=nft_reset_obj' + + do_test 'nft reset counters' \ + 'table=t1 family=2 entries=1 op=nft_reset_obj +-table=t2 family=2 entries=341 op=nft_reset_obj 
+-table=t2 family=2 entries=159 op=nft_reset_obj' ++table=t2 family=2 entries=500 op=nft_reset_obj' + + # resetting quotas + +@@ -194,13 +197,11 @@ do_test 'nft reset quotas t1' \ + 'table=t1 family=2 entries=1 op=nft_reset_obj' + + do_test 'nft reset quotas t2' \ +-'table=t2 family=2 entries=315 op=nft_reset_obj +-table=t2 family=2 entries=185 op=nft_reset_obj' ++'table=t2 family=2 entries=500 op=nft_reset_obj' + + do_test 'nft reset quotas' \ + 'table=t1 family=2 entries=1 op=nft_reset_obj +-table=t2 family=2 entries=314 op=nft_reset_obj +-table=t2 family=2 entries=186 op=nft_reset_obj' ++table=t2 family=2 entries=500 op=nft_reset_obj' + + # deleting rules + +-- +2.43.0 + diff --git a/queue-6.1/series b/queue-6.1/series index 21a770fde35..ea90ad592d0 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -380,3 +380,31 @@ powerpc-allow-config_ppc64_big_endian_elf_abi_v2-with-ld.lld-15.patch pci-pm-mark-devices-disconnected-if-upstream-pcie-link-is-down-on-resume.patch x86-tdx-fix-in-kernel-mmio-check.patch wifi-mt76-do-not-run-mt76_unregister_device-on-unregistered-hw.patch +static_call-handle-module-init-failure-correctly-in-.patch +static_call-replace-pointless-warn_on-in-static_call.patch +jump_label-simplify-and-clarify-static_key_fast_inc_.patch +jump_label-fix-static_key_slow_dec-yet-again.patch +scsi-pm8001-do-not-overwrite-pci-queue-mapping.patch +mailbox-rockchip-fix-a-typo-in-module-autoloading.patch +mailbox-bcm2835-fix-timeout-during-suspend-mode.patch +ceph-remove-the-incorrect-fw-reference-check-when-di.patch +ieee802154-fix-build-error.patch +net-sparx5-fix-invalid-timestamps.patch +net-mlx5-fix-error-path-in-multi-packet-wqe-transmit.patch +net-mlx5-added-cond_resched-to-crdump-collection.patch +net-mlx5e-fix-null-deref-in-mlx5e_tir_builder_alloc.patch +netfilter-uapi-nfta_flowtable_hook-is-nla_nested.patch +net-ieee802154-mcr20a-use-irqf_no_autoen-flag-in-req.patch +net-wwan-qcom_bam_dmux-fix-missing-pm_runtime_disabl.patch 
+selftests-netfilter-fix-nft_audit.sh-for-newer-nft-b.patch +netfilter-nf_tables-prevent-nf_skb_duplicated-corrup.patch +bluetooth-btmrvl-use-irqf_no_autoen-flag-in-request_.patch +net-ethernet-lantiq_etop-fix-memory-disclosure.patch +net-avoid-potential-underflow-in-qdisc_pkt_len_init-.patch +net-add-more-sanity-checks-to-qdisc_pkt_len_init.patch +net-stmmac-dwmac4-extend-timeout-for-vlan-tag-regist.patch +ipv4-ip_gre-fix-drops-of-small-packets-in-ipgre_xmit.patch +ppp-do-not-assume-bh-is-held-in-ppp_channel_bridge_i.patch +fsdax-xfs-port-unshare-to-fsdax.patch +iomap-constrain-the-file-range-passed-to-iomap_file_.patch +sctp-set-sk_state-back-to-closed-if-autobind-fails-i.patch diff --git a/queue-6.1/static_call-handle-module-init-failure-correctly-in-.patch b/queue-6.1/static_call-handle-module-init-failure-correctly-in-.patch new file mode 100644 index 00000000000..5459997d0c6 --- /dev/null +++ b/queue-6.1/static_call-handle-module-init-failure-correctly-in-.patch @@ -0,0 +1,100 @@ +From 3bc919dc150efa83a095c31f1492fead4068987c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Sep 2024 11:09:07 +0200 +Subject: static_call: Handle module init failure correctly in + static_call_del_module() + +From: Thomas Gleixner + +[ Upstream commit 4b30051c4864234ec57290c3d142db7c88f10d8a ] + +Module insertion invokes static_call_add_module() to initialize the static +calls in a module. static_call_add_module() invokes __static_call_init(), +which allocates a struct static_call_mod to either encapsulate the built-in +static call sites of the associated key into it so further modules can be +added or to append the module to the module chain. + +If that allocation fails the function returns with an error code and the +module core invokes static_call_del_module() to clean up eventually added +static_call_mod entries. + +This works correctly, when all keys used by the module were converted over +to a module chain before the failure. 
If not then static_call_del_module() +causes a #GP as it blindly assumes that key::mods points to a valid struct +static_call_mod. + +The problem is that key::mods is not an individual struct member of struct +static_call_key, it's part of a union to save space: + + union { + /* bit 0: 0 = mods, 1 = sites */ + unsigned long type; + struct static_call_mod *mods; + struct static_call_site *sites; + }; + +key::sites is a pointer to the list of built-in usage sites of the static +call. The type of the pointer is differentiated by bit 0. A mods pointer +has the bit clear, the sites pointer has the bit set. + +As static_call_del_module() blindly assumes that the pointer is a valid +static_call_mod type, it fails to check for this failure case and +dereferences the pointer to the list of built-in call sites, which is +obviously bogus. + +Cure it by checking whether the key has a sites or a mods pointer. + +If it's a sites pointer then the key is not to be touched. As the sites are +walked in the same order as in __static_call_init() the site walk can be +terminated because all subsequent sites have not been touched by the init +code due to the error exit. + +If it was converted before the allocation failure, then the inner loop which +searches for a module match will find nothing. + +A failure in the second allocation in __static_call_init() is harmless and +does not require special treatment. The first allocation succeeded and +converted the key to a module chain. That first entry has mod::mod == NULL +and mod::next == NULL, so the inner loop of static_call_del_module() will +neither find a module match nor a module chain. The next site in the walk +was either already converted, but can't match the module, or it will exit +the outer loop because it has a static_call_site pointer and not a +static_call_mod pointer. 
+ +Fixes: 9183c3f9ed71 ("static_call: Add inline static call infrastructure") +Closes: https://lore.kernel.org/all/20230915082126.4187913-1-ruanjinjie@huawei.com +Reported-by: Jinjie Ruan +Signed-off-by: Thomas Gleixner +Signed-off-by: Peter Zijlstra (Intel) +Tested-by: Jinjie Ruan +Link: https://lore.kernel.org/r/87zfon6b0s.ffs@tglx +Signed-off-by: Sasha Levin +--- + kernel/static_call_inline.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/kernel/static_call_inline.c b/kernel/static_call_inline.c +index dc5665b628140..075194d9cbf5b 100644 +--- a/kernel/static_call_inline.c ++++ b/kernel/static_call_inline.c +@@ -400,6 +400,17 @@ static void static_call_del_module(struct module *mod) + + for (site = start; site < stop; site++) { + key = static_call_key(site); ++ ++ /* ++ * If the key was not updated due to a memory allocation ++ * failure in __static_call_init() then treating key::sites ++ * as key::mods in the code below would cause random memory ++ * access and #GP. In that case all subsequent sites have ++ * not been touched either, so stop iterating. ++ */ ++ if (!static_call_key_has_mods(key)) ++ break; ++ + if (key == prev_key) + continue; + +-- +2.43.0 + diff --git a/queue-6.1/static_call-replace-pointless-warn_on-in-static_call.patch b/queue-6.1/static_call-replace-pointless-warn_on-in-static_call.patch new file mode 100644 index 00000000000..483a2ed2535 --- /dev/null +++ b/queue-6.1/static_call-replace-pointless-warn_on-in-static_call.patch @@ -0,0 +1,47 @@ +From 8c66470e8713a01faca639130bc79b612c749d8d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Sep 2024 11:08:28 +0200 +Subject: static_call: Replace pointless WARN_ON() in + static_call_module_notify() + +From: Thomas Gleixner + +[ Upstream commit fe513c2ef0a172a58f158e2e70465c4317f0a9a2 ] + +static_call_module_notify() triggers a WARN_ON(), when memory allocation +fails in __static_call_add_module(). 
+ +That's not really justified, because the failure case must be correctly +handled by the well known call chain and the error code is passed +through to the initiating userspace application. + +A memory allocation fail is not a fatal problem, but the WARN_ON() takes +the machine out when panic_on_warn is set. + +Replace it with a pr_warn(). + +Fixes: 9183c3f9ed71 ("static_call: Add inline static call infrastructure") +Signed-off-by: Thomas Gleixner +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/8734mf7pmb.ffs@tglx +Signed-off-by: Sasha Levin +--- + kernel/static_call_inline.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/static_call_inline.c b/kernel/static_call_inline.c +index 075194d9cbf5b..6f566fe27ec1d 100644 +--- a/kernel/static_call_inline.c ++++ b/kernel/static_call_inline.c +@@ -442,7 +442,7 @@ static int static_call_module_notify(struct notifier_block *nb, + case MODULE_STATE_COMING: + ret = static_call_add_module(mod); + if (ret) { +- WARN(1, "Failed to allocate memory for static calls"); ++ pr_warn("Failed to allocate memory for static calls\n"); + static_call_del_module(mod); + } + break; +-- +2.43.0 +