From: Sasha Levin Date: Sun, 11 May 2025 17:52:42 +0000 (-0400) Subject: Fixes for 5.4 X-Git-Tag: v5.15.183~66 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a0669c4f7b02919e2340f741954e9aeb7919a449;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/net-dsa-b53-fix-learning-on-vlan-unaware-bridges.patch b/queue-5.4/net-dsa-b53-fix-learning-on-vlan-unaware-bridges.patch new file mode 100644 index 0000000000..f4b94fe6cc --- /dev/null +++ b/queue-5.4/net-dsa-b53-fix-learning-on-vlan-unaware-bridges.patch @@ -0,0 +1,43 @@ +From 190ac739623080f7d7fb47e86743096076f07bb0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Apr 2025 22:17:09 +0200 +Subject: net: dsa: b53: fix learning on VLAN unaware bridges + +From: Jonas Gorski + +[ Upstream commit 9f34ad89bcf0e6df6f8b01f1bdab211493fc66d1 ] + +When VLAN filtering is off, we configure the switch to forward, but not +learn on VLAN table misses. This effectively disables learning while not +filtering. + +Fix this by switching to forward and learn. Setting the learning disable +register will still control whether learning actually happens. + +Fixes: dad8d7c6452b ("net: dsa: b53: Properly account for VLAN filtering") +Signed-off-by: Jonas Gorski +Tested-by: Florian Fainelli +Reviewed-by: Florian Fainelli +Link: https://patch.msgid.link/20250429201710.330937-11-jonas.gorski@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/b53/b53_common.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c +index 9f5852657852a..d41c9006a0281 100644 +--- a/drivers/net/dsa/b53/b53_common.c ++++ b/drivers/net/dsa/b53/b53_common.c +@@ -381,7 +381,7 @@ static void b53_enable_vlan(struct b53_device *dev, bool enable, + vc4 |= VC4_ING_VID_VIO_DROP << VC4_ING_VID_CHECK_S; + vc5 |= VC5_DROP_VTABLE_MISS; + } else { +- vc4 |= VC4_ING_VID_VIO_FWD << VC4_ING_VID_CHECK_S; ++ vc4 |= VC4_NO_ING_VID_CHK << VC4_ING_VID_CHECK_S; + vc5 &= ~VC5_DROP_VTABLE_MISS; + } + +-- +2.39.5 + diff --git a/queue-5.4/netfilter-ipset-fix-region-locking-in-hash-types.patch b/queue-5.4/netfilter-ipset-fix-region-locking-in-hash-types.patch new file mode 100644 index 0000000000..b45090b5b7 --- /dev/null +++ b/queue-5.4/netfilter-ipset-fix-region-locking-in-hash-types.patch @@ -0,0 +1,42 @@ +From 5649d57a469e3923fe203f8437ada8dbf72d5a12 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 May 2025 17:01:59 +0200 +Subject: netfilter: ipset: fix region locking in hash types + +From: Jozsef Kadlecsik + +[ Upstream commit 8478a729c0462273188263136880480729e9efca ] + +Region locking introduced in v5.6-rc4 contained three macros to handle +the region locks: ahash_bucket_start(), ahash_bucket_end() which gave +back the start and end hash bucket values belonging to a given region +lock and ahash_region() which should give back the region lock belonging +to a given hash bucket. The latter was incorrect which can lead to a +race condition between the garbage collector and adding new elements +when a hash type of set is defined with timeouts. + +Fixes: f66ee0410b1c ("netfilter: ipset: Fix "INFO: rcu detected stall in hash_xxx" reports") +Reported-by: Kota Toda +Signed-off-by: Jozsef Kadlecsik +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/ipset/ip_set_hash_gen.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/netfilter/ipset/ip_set_hash_gen.h b/net/netfilter/ipset/ip_set_hash_gen.h +index 30b8b3fad1500..297631f9717bc 100644 +--- a/net/netfilter/ipset/ip_set_hash_gen.h ++++ b/net/netfilter/ipset/ip_set_hash_gen.h +@@ -88,7 +88,7 @@ struct hbucket { + #define ahash_sizeof_regions(htable_bits) \ + (ahash_numof_locks(htable_bits) * sizeof(struct ip_set_region)) + #define ahash_region(n, htable_bits) \ +- ((n) % ahash_numof_locks(htable_bits)) ++ ((n) / jhash_size(HTABLE_REGION_BITS)) + #define ahash_bucket_start(h, htable_bits) \ + ((htable_bits) < HTABLE_REGION_BITS ? 0 \ + : (h) * jhash_size(HTABLE_REGION_BITS)) +-- +2.39.5 + diff --git a/queue-5.4/sch_htb-make-htb_deactivate-idempotent.patch b/queue-5.4/sch_htb-make-htb_deactivate-idempotent.patch new file mode 100644 index 0000000000..a2b467a15d --- /dev/null +++ b/queue-5.4/sch_htb-make-htb_deactivate-idempotent.patch @@ -0,0 +1,105 @@ +From e0a936d3aa8da03ac06cb988e90de4b0e2b8ca1d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Apr 2025 16:29:54 -0700 +Subject: sch_htb: make htb_deactivate() idempotent + +From: Cong Wang + +[ Upstream commit 3769478610135e82b262640252d90f6efb05be71 ] + +Alan reported a NULL pointer dereference in htb_next_rb_node() +after we made htb_qlen_notify() idempotent. + +It turns out in the following case it introduced some regression: + +htb_dequeue_tree(): + |-> fq_codel_dequeue() + |-> qdisc_tree_reduce_backlog() + |-> htb_qlen_notify() + |-> htb_deactivate() + |-> htb_next_rb_node() + |-> htb_deactivate() + +For htb_next_rb_node(), after calling the 1st htb_deactivate(), the +clprio[prio]->ptr could be already set to NULL, which means +htb_next_rb_node() is vulnerable here. + +For htb_deactivate(), although we checked qlen before calling it, in +case of qlen==0 after qdisc_tree_reduce_backlog(), we may call it again +which triggers the warning inside. + +To fix the issues here, we need to: + +1) Make htb_deactivate() idempotent, that is, simply return if we + already call it before. +2) Make htb_next_rb_node() safe against ptr==NULL. + +Many thanks to Alan for testing and for the reproducer. + +Fixes: 5ba8b837b522 ("sch_htb: make htb_qlen_notify() idempotent") +Reported-by: Alan J. Wylie +Signed-off-by: Cong Wang +Link: https://patch.msgid.link/20250428232955.1740419-2-xiyou.wangcong@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_htb.c | 15 ++++++--------- + 1 file changed, 6 insertions(+), 9 deletions(-) + +diff --git a/net/sched/sch_htb.c b/net/sched/sch_htb.c +index 9506bf87c66bc..c618aae25b099 100644 +--- a/net/sched/sch_htb.c ++++ b/net/sched/sch_htb.c +@@ -331,7 +331,8 @@ static void htb_add_to_wait_tree(struct htb_sched *q, + */ + static inline void htb_next_rb_node(struct rb_node **n) + { +- *n = rb_next(*n); ++ if (*n) ++ *n = rb_next(*n); + } + + /** +@@ -573,8 +574,8 @@ static inline void htb_activate(struct htb_sched *q, struct htb_class *cl) + */ + static inline void htb_deactivate(struct htb_sched *q, struct htb_class *cl) + { +- WARN_ON(!cl->prio_activity); +- ++ if (!cl->prio_activity) ++ return; + htb_deactivate_prios(q, cl); + cl->prio_activity = 0; + } +@@ -1173,8 +1174,6 @@ static void htb_qlen_notify(struct Qdisc *sch, unsigned long arg) + { + struct htb_class *cl = (struct htb_class *)arg; + +- if (!cl->prio_activity) +- return; + htb_deactivate(qdisc_priv(sch), cl); + } + +@@ -1282,8 +1281,7 @@ static int htb_delete(struct Qdisc *sch, unsigned long arg) + if (cl->parent) + cl->parent->children--; + +- if (cl->prio_activity) +- htb_deactivate(q, cl); ++ htb_deactivate(q, cl); + + if (cl->cmode != HTB_CAN_SEND) + htb_safe_rb_erase(&cl->pq_node, +@@ -1408,8 +1406,7 @@ static int htb_change_class(struct Qdisc *sch, u32 classid, + /* turn parent into inner node */ + qdisc_purge_queue(parent->leaf.q); + parent_qdisc = parent->leaf.q; +- if (parent->prio_activity) +- htb_deactivate(q, parent); ++ htb_deactivate(q, parent); + + /* remove from evt list because of level change */ + if (parent->cmode != HTB_CAN_SEND) { +-- +2.39.5 + diff --git a/queue-5.4/series b/queue-5.4/series index 1ada3bb152..482515d555 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -31,3 +31,6 @@ arm64-dts-rockchip-fix-iface-clock-name-on-px30-iomm.patch iommu-amd-fix-potential-buffer-overflow-in-parse_ivr.patch dm-fix-copying-after-src-array-boundaries.patch scsi-target-fix-write_same-no-data-buffer-crash.patch +sch_htb-make-htb_deactivate-idempotent.patch +netfilter-ipset-fix-region-locking-in-hash-types.patch +net-dsa-b53-fix-learning-on-vlan-unaware-bridges.patch