From: Sasha Levin Date: Fri, 10 Jan 2025 14:26:08 +0000 (-0500) Subject: Fixes for 5.4 X-Git-Tag: v6.1.125~66 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ea5dbd7beb523a1f6fa1112e0ad59a59244aecdb;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/ieee802154-ca8210-add-missing-check-for-kfifo_alloc-.patch b/queue-5.4/ieee802154-ca8210-add-missing-check-for-kfifo_alloc-.patch new file mode 100644 index 00000000000..63af716950c --- /dev/null +++ b/queue-5.4/ieee802154-ca8210-add-missing-check-for-kfifo_alloc-.patch @@ -0,0 +1,45 @@ +From e7ecb2168b11616a753ff961ea2be8d1613e2892 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Oct 2024 19:27:12 +0100 +Subject: ieee802154: ca8210: Add missing check for kfifo_alloc() in + ca8210_probe() + +From: Keisuke Nishimura + +[ Upstream commit 2c87309ea741341c6722efdf1fb3f50dd427c823 ] + +ca8210_test_interface_init() returns the result of kfifo_alloc(), +which can be non-zero in case of an error. The caller, ca8210_probe(), +should check the return value and do error-handling if it fails. + +Fixes: ded845a781a5 ("ieee802154: Add CA8210 IEEE 802.15.4 device driver") +Signed-off-by: Keisuke Nishimura +Reviewed-by: Simon Horman +Reviewed-by: Miquel Raynal +Link: https://lore.kernel.org/20241029182712.318271-1-keisuke.nishimura@inria.fr +Signed-off-by: Stefan Schmidt +Signed-off-by: Sasha Levin +--- + drivers/net/ieee802154/ca8210.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ieee802154/ca8210.c b/drivers/net/ieee802154/ca8210.c +index fdbdc22fe4e5..d394e2b65054 100644 +--- a/drivers/net/ieee802154/ca8210.c ++++ b/drivers/net/ieee802154/ca8210.c +@@ -3124,7 +3124,11 @@ static int ca8210_probe(struct spi_device *spi_device) + spi_set_drvdata(priv->spi, priv); + if (IS_ENABLED(CONFIG_IEEE802154_CA8210_DEBUGFS)) { + cascoda_api_upstream = ca8210_test_int_driver_write; +- ca8210_test_interface_init(priv); ++ ret = ca8210_test_interface_init(priv); ++ if (ret) { ++ dev_crit(&spi_device->dev, "ca8210_test_interface_init failed\n"); ++ goto error; ++ } + } else { + cascoda_api_upstream = NULL; + } +-- +2.39.5 + diff --git a/queue-5.4/net-802-llc-snap-oid-pid-lookup-on-start-of-skb-data.patch b/queue-5.4/net-802-llc-snap-oid-pid-lookup-on-start-of-skb-data.patch new file mode 100644 index 00000000000..69b3b51e08e --- /dev/null +++ b/queue-5.4/net-802-llc-snap-oid-pid-lookup-on-start-of-skb-data.patch @@ -0,0 +1,56 @@ +From a482e201b6e5fb7ba1c37e980c7d5af28b91303e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Jan 2025 20:23:00 -0500 +Subject: net: 802: LLC+SNAP OID:PID lookup on start of skb data + +From: Antonio Pastor + +[ Upstream commit 1e9b0e1c550c42c13c111d1a31e822057232abc4 ] + +802.2+LLC+SNAP frames received by napi_complete_done() with GRO and DSA +have skb->transport_header set two bytes short, or pointing 2 bytes +before network_header & skb->data. This was an issue as snap_rcv() +expected offset to point to SNAP header (OID:PID), causing packet to +be dropped. + +A fix at llc_fixup_skb() (a024e377efed) resets transport_header for any +LLC consumers that may care about it, and stops SNAP packets from being +dropped, but doesn't fix the problem which is that LLC and SNAP should +not use transport_header offset. + +Ths patch eliminates the use of transport_header offset for SNAP lookup +of OID:PID so that SNAP does not rely on the offset at all. +The offset is reset after pull for any SNAP packet consumers that may +(but shouldn't) use it. + +Fixes: fda55eca5a33 ("net: introduce skb_transport_header_was_set()") +Signed-off-by: Antonio Pastor +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20250103012303.746521-1-antonio.pastor@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/802/psnap.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/802/psnap.c b/net/802/psnap.c +index 40ab2aea7b31..7431ec077273 100644 +--- a/net/802/psnap.c ++++ b/net/802/psnap.c +@@ -55,11 +55,11 @@ static int snap_rcv(struct sk_buff *skb, struct net_device *dev, + goto drop; + + rcu_read_lock(); +- proto = find_snap_client(skb_transport_header(skb)); ++ proto = find_snap_client(skb->data); + if (proto) { + /* Pass the frame on. */ +- skb->transport_header += 5; + skb_pull_rcsum(skb, 5); ++ skb_reset_transport_header(skb); + rc = proto->rcvfunc(skb, dev, &snap_packet_type, orig_dev); + } + rcu_read_unlock(); +-- +2.39.5 + diff --git a/queue-5.4/net_sched-cls_flow-validate-tca_flow_rshift-attribut.patch b/queue-5.4/net_sched-cls_flow-validate-tca_flow_rshift-attribut.patch new file mode 100644 index 00000000000..df85719ea3f --- /dev/null +++ b/queue-5.4/net_sched-cls_flow-validate-tca_flow_rshift-attribut.patch @@ -0,0 +1,74 @@ +From 6433d2f171d9769febf3dc6975477bcc5e66a56e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Jan 2025 10:45:46 +0000 +Subject: net_sched: cls_flow: validate TCA_FLOW_RSHIFT attribute + +From: Eric Dumazet + +[ Upstream commit a039e54397c6a75b713b9ce7894a62e06956aa92 ] + +syzbot found that TCA_FLOW_RSHIFT attribute was not validated. +Right shitfing a 32bit integer is undefined for large shift values. + +UBSAN: shift-out-of-bounds in net/sched/cls_flow.c:329:23 +shift exponent 9445 is too large for 32-bit type 'u32' (aka 'unsigned int') +CPU: 1 UID: 0 PID: 54 Comm: kworker/u8:3 Not tainted 6.13.0-rc3-syzkaller-00180-g4f619d518db9 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 +Workqueue: ipv6_addrconf addrconf_dad_work +Call Trace: + + __dump_stack lib/dump_stack.c:94 [inline] + dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 + ubsan_epilogue lib/ubsan.c:231 [inline] + __ubsan_handle_shift_out_of_bounds+0x3c8/0x420 lib/ubsan.c:468 + flow_classify+0x24d5/0x25b0 net/sched/cls_flow.c:329 + tc_classify include/net/tc_wrapper.h:197 [inline] + __tcf_classify net/sched/cls_api.c:1771 [inline] + tcf_classify+0x420/0x1160 net/sched/cls_api.c:1867 + sfb_classify net/sched/sch_sfb.c:260 [inline] + sfb_enqueue+0x3ad/0x18b0 net/sched/sch_sfb.c:318 + dev_qdisc_enqueue+0x4b/0x290 net/core/dev.c:3793 + __dev_xmit_skb net/core/dev.c:3889 [inline] + __dev_queue_xmit+0xf0e/0x3f50 net/core/dev.c:4400 + dev_queue_xmit include/linux/netdevice.h:3168 [inline] + neigh_hh_output include/net/neighbour.h:523 [inline] + neigh_output include/net/neighbour.h:537 [inline] + ip_finish_output2+0xd41/0x1390 net/ipv4/ip_output.c:236 + iptunnel_xmit+0x55d/0x9b0 net/ipv4/ip_tunnel_core.c:82 + udp_tunnel_xmit_skb+0x262/0x3b0 net/ipv4/udp_tunnel_core.c:173 + geneve_xmit_skb drivers/net/geneve.c:916 [inline] + geneve_xmit+0x21dc/0x2d00 drivers/net/geneve.c:1039 + __netdev_start_xmit include/linux/netdevice.h:5002 [inline] + netdev_start_xmit include/linux/netdevice.h:5011 [inline] + xmit_one net/core/dev.c:3590 [inline] + dev_hard_start_xmit+0x27a/0x7d0 net/core/dev.c:3606 + __dev_queue_xmit+0x1b73/0x3f50 net/core/dev.c:4434 + +Fixes: e5dfb815181f ("[NET_SCHED]: Add flow classifier") +Reported-by: syzbot+1dbb57d994e54aaa04d2@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/6777bf49.050a0220.178762.0040.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Link: https://patch.msgid.link/20250103104546.3714168-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/cls_flow.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/sched/cls_flow.c b/net/sched/cls_flow.c +index 87398af2715a..117c7b038591 100644 +--- a/net/sched/cls_flow.c ++++ b/net/sched/cls_flow.c +@@ -354,7 +354,8 @@ static const struct nla_policy flow_policy[TCA_FLOW_MAX + 1] = { + [TCA_FLOW_KEYS] = { .type = NLA_U32 }, + [TCA_FLOW_MODE] = { .type = NLA_U32 }, + [TCA_FLOW_BASECLASS] = { .type = NLA_U32 }, +- [TCA_FLOW_RSHIFT] = { .type = NLA_U32 }, ++ [TCA_FLOW_RSHIFT] = NLA_POLICY_MAX(NLA_U32, ++ 31 /* BITS_PER_U32 - 1 */), + [TCA_FLOW_ADDEND] = { .type = NLA_U32 }, + [TCA_FLOW_MASK] = { .type = NLA_U32 }, + [TCA_FLOW_XOR] = { .type = NLA_U32 }, +-- +2.39.5 + diff --git a/queue-5.4/series b/queue-5.4/series index 37a82f56b49..91e2deaafe8 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -2,3 +2,9 @@ jbd2-flush-filesystem-device-before-updating-tail-se.patch dm-array-fix-releasing-a-faulty-array-block-twice-in.patch dm-array-fix-unreleased-btree-blocks-on-closing-a-fa.patch dm-array-fix-cursor-index-when-skipping-across-block.patch +ieee802154-ca8210-add-missing-check-for-kfifo_alloc-.patch +net-802-llc-snap-oid-pid-lookup-on-start-of-skb-data.patch +tcp-dccp-complete-lockless-accesses-to-sk-sk_max_ack.patch +tcp-dccp-allow-a-connection-when-sk_max_ack_backlog-.patch +net_sched-cls_flow-validate-tca_flow_rshift-attribut.patch +tls-fix-tls_sw_sendmsg-error-handling.patch diff --git a/queue-5.4/tcp-dccp-allow-a-connection-when-sk_max_ack_backlog-.patch b/queue-5.4/tcp-dccp-allow-a-connection-when-sk_max_ack_backlog-.patch new file mode 100644 index 00000000000..7047d993337 --- /dev/null +++ b/queue-5.4/tcp-dccp-allow-a-connection-when-sk_max_ack_backlog-.patch @@ -0,0 +1,47 @@ +From 128361493b8dd84d354f0afa1fc8c9e2968b3d73 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Jan 2025 17:14:26 +0000 +Subject: tcp/dccp: allow a connection when sk_max_ack_backlog is zero + +From: Zhongqiu Duan + +[ Upstream commit 3479c7549fb1dfa7a1db4efb7347c7b8ef50de4b ] + +If the backlog of listen() is set to zero, sk_acceptq_is_full() allows +one connection to be made, but inet_csk_reqsk_queue_is_full() does not. +When the net.ipv4.tcp_syncookies is zero, inet_csk_reqsk_queue_is_full() +will cause an immediate drop before the sk_acceptq_is_full() check in +tcp_conn_request(), resulting in no connection can be made. + +This patch tries to keep consistent with 64a146513f8f ("[NET]: Revert +incorrect accept queue backlog changes."). + +Link: https://lore.kernel.org/netdev/20250102080258.53858-1-kuniyu@amazon.com/ +Fixes: ef547f2ac16b ("tcp: remove max_qlen_log") +Signed-off-by: Zhongqiu Duan +Reviewed-by: Kuniyuki Iwashima +Reviewed-by: Jason Xing +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20250102171426.915276-1-dzq.aishenghu0@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/inet_connection_sock.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/net/inet_connection_sock.h b/include/net/inet_connection_sock.h +index c81bbfc5f4df..05f07bf60c89 100644 +--- a/include/net/inet_connection_sock.h ++++ b/include/net/inet_connection_sock.h +@@ -285,7 +285,7 @@ static inline int inet_csk_reqsk_queue_len(const struct sock *sk) + + static inline int inet_csk_reqsk_queue_is_full(const struct sock *sk) + { +- return inet_csk_reqsk_queue_len(sk) >= READ_ONCE(sk->sk_max_ack_backlog); ++ return inet_csk_reqsk_queue_len(sk) > READ_ONCE(sk->sk_max_ack_backlog); + } + + bool inet_csk_reqsk_queue_drop(struct sock *sk, struct request_sock *req); +-- +2.39.5 + diff --git a/queue-5.4/tcp-dccp-complete-lockless-accesses-to-sk-sk_max_ack.patch b/queue-5.4/tcp-dccp-complete-lockless-accesses-to-sk-sk_max_ack.patch new file mode 100644 index 00000000000..c411be77ab8 --- /dev/null +++ b/queue-5.4/tcp-dccp-complete-lockless-accesses-to-sk-sk_max_ack.patch @@ -0,0 +1,40 @@ +From f7808f420a28fc5faec07f400eb308756e57f6b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 31 Mar 2024 17:05:21 +0800 +Subject: tcp/dccp: complete lockless accesses to sk->sk_max_ack_backlog + +From: Jason Xing + +[ Upstream commit 9a79c65f00e2b036e17af3a3a607d7d732b7affb ] + +Since commit 099ecf59f05b ("net: annotate lockless accesses to +sk->sk_max_ack_backlog") decided to handle the sk_max_ack_backlog +locklessly, there is one more function mostly called in TCP/DCCP +cases. So this patch completes it:) + +Signed-off-by: Jason Xing +Reviewed-by: Eric Dumazet +Link: https://lore.kernel.org/r/20240331090521.71965-1-kerneljasonxing@gmail.com +Signed-off-by: Jakub Kicinski +Stable-dep-of: 3479c7549fb1 ("tcp/dccp: allow a connection when sk_max_ack_backlog is zero") +Signed-off-by: Sasha Levin +--- + include/net/inet_connection_sock.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/net/inet_connection_sock.h b/include/net/inet_connection_sock.h +index 180ff3ca823a..c81bbfc5f4df 100644 +--- a/include/net/inet_connection_sock.h ++++ b/include/net/inet_connection_sock.h +@@ -285,7 +285,7 @@ static inline int inet_csk_reqsk_queue_len(const struct sock *sk) + + static inline int inet_csk_reqsk_queue_is_full(const struct sock *sk) + { +- return inet_csk_reqsk_queue_len(sk) >= sk->sk_max_ack_backlog; ++ return inet_csk_reqsk_queue_len(sk) >= READ_ONCE(sk->sk_max_ack_backlog); + } + + bool inet_csk_reqsk_queue_drop(struct sock *sk, struct request_sock *req); +-- +2.39.5 + diff --git a/queue-5.4/tls-fix-tls_sw_sendmsg-error-handling.patch b/queue-5.4/tls-fix-tls_sw_sendmsg-error-handling.patch new file mode 100644 index 00000000000..bb9bbe39c81 --- /dev/null +++ b/queue-5.4/tls-fix-tls_sw_sendmsg-error-handling.patch @@ -0,0 +1,46 @@ +From 216c80921f409bf887374dfe3ed3968edbe0e0c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Jan 2025 10:29:45 -0500 +Subject: tls: Fix tls_sw_sendmsg error handling + +From: Benjamin Coddington + +[ Upstream commit b341ca51d2679829d26a3f6a4aa9aee9abd94f92 ] + +We've noticed that NFS can hang when using RPC over TLS on an unstable +connection, and investigation shows that the RPC layer is stuck in a tight +loop attempting to transmit, but forever getting -EBADMSG back from the +underlying network. The loop begins when tcp_sendmsg_locked() returns +-EPIPE to tls_tx_records(), but that error is converted to -EBADMSG when +calling the socket's error reporting handler. + +Instead of converting errors from tcp_sendmsg_locked(), let's pass them +along in this path. The RPC layer handles -EPIPE by reconnecting the +transport, which prevents the endless attempts to transmit on a broken +connection. + +Signed-off-by: Benjamin Coddington +Fixes: a42055e8d2c3 ("net/tls: Add support for async encryption of records for performance") +Link: https://patch.msgid.link/9594185559881679d81f071b181a10eb07cd079f.1736004079.git.bcodding@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/tls/tls_sw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c +index 910da98d6bfb..03f608da594e 100644 +--- a/net/tls/tls_sw.c ++++ b/net/tls/tls_sw.c +@@ -425,7 +425,7 @@ int tls_tx_records(struct sock *sk, int flags) + + tx_err: + if (rc < 0 && rc != -EAGAIN) +- tls_err_abort(sk, -EBADMSG); ++ tls_err_abort(sk, rc); + + return rc; + } +-- +2.39.5 +