From: Sasha Levin Date: Sat, 22 Jun 2024 23:36:17 +0000 (-0400) Subject: Fixes for 6.9 X-Git-Tag: v6.1.96~68 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f635684a71d263652dd2f3d993fb5a281fad8350;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.9 Signed-off-by: Sasha Levin --- diff --git a/queue-6.9/alsa-hda-cs35l41-component-should-be-unbound-before-.patch b/queue-6.9/alsa-hda-cs35l41-component-should-be-unbound-before-.patch new file mode 100644 index 00000000000..60487ff9def --- /dev/null +++ b/queue-6.9/alsa-hda-cs35l41-component-should-be-unbound-before-.patch @@ -0,0 +1,46 @@ +From 9534f75e57b96b816c17c52729b1351a4d25d7c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Jun 2024 14:37:12 +0100 +Subject: ALSA: hda: cs35l41: Component should be unbound before deconstruction + +From: Simon Trimmer + +[ Upstream commit 6f9a40d61cad0f5560e8530b4dd4a05fc4d15987 ] + +The interface associated with the hda_component should be deactivated +before the driver is deconstructed during removal. + +Fixes: 7b2f3eb492da ("ALSA: hda: cs35l41: Add support for CS35L41 in HDA systems") +Signed-off-by: Simon Trimmer +Signed-off-by: Takashi Iwai +Link: https://lore.kernel.org/r/20240613133713.75550-3-simont@opensource.cirrus.com +Signed-off-by: Sasha Levin +--- + sound/pci/hda/cs35l41_hda.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sound/pci/hda/cs35l41_hda.c b/sound/pci/hda/cs35l41_hda.c +index 25cf072a2a10b..ec688c60c153b 100644 +--- a/sound/pci/hda/cs35l41_hda.c ++++ b/sound/pci/hda/cs35l41_hda.c +@@ -1857,6 +1857,8 @@ void cs35l41_hda_remove(struct device *dev) + { + struct cs35l41_hda *cs35l41 = dev_get_drvdata(dev); + ++ component_del(cs35l41->dev, &cs35l41_hda_comp_ops); ++ + pm_runtime_get_sync(cs35l41->dev); + pm_runtime_dont_use_autosuspend(cs35l41->dev); + pm_runtime_disable(cs35l41->dev); +@@ -1864,8 +1866,6 @@ void cs35l41_hda_remove(struct device *dev) + if (cs35l41->halo_initialized) + cs35l41_remove_dsp(cs35l41); + +- component_del(cs35l41->dev, &cs35l41_hda_comp_ops); +- + acpi_dev_put(cs35l41->dacpi); + + pm_runtime_put_noidle(cs35l41->dev); +-- +2.43.0 + diff --git a/queue-6.9/alsa-hda-cs35l41-possible-null-pointer-dereference-i.patch b/queue-6.9/alsa-hda-cs35l41-possible-null-pointer-dereference-i.patch new file mode 100644 index 00000000000..4b434bee15d --- /dev/null +++ b/queue-6.9/alsa-hda-cs35l41-possible-null-pointer-dereference-i.patch @@ -0,0 +1,43 @@ +From c433d2f918d2d2e52913d681123ed344c0145b99 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 May 2024 13:08:20 +0100 +Subject: ALSA: hda: cs35l41: Possible null pointer dereference in + cs35l41_hda_unbind() + +From: Simon Trimmer + +[ Upstream commit 6386682cdc8b41319c92fbbe421953e33a28840c ] + +The cs35l41_hda_unbind() function clears the hda_component entry +matching it's index and then dereferences the codec pointer held in the +first element of the hda_component array, this is an issue when the +device index was 0. + +Instead use the codec pointer stashed in the cs35l41_hda structure as it +will still be valid. + +Fixes: 7cf5ce66dfda ("ALSA: hda: cs35l41: Add device_link between HDA and cs35l41_hda") +Signed-off-by: Simon Trimmer +Link: https://lore.kernel.org/r/20240531120820.35367-1-simont@opensource.cirrus.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/cs35l41_hda.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/pci/hda/cs35l41_hda.c b/sound/pci/hda/cs35l41_hda.c +index d3fa6e136744d..25cf072a2a10b 100644 +--- a/sound/pci/hda/cs35l41_hda.c ++++ b/sound/pci/hda/cs35l41_hda.c +@@ -1362,7 +1362,7 @@ static void cs35l41_hda_unbind(struct device *dev, struct device *master, void * + if (comps[cs35l41->index].dev == dev) { + memset(&comps[cs35l41->index], 0, sizeof(*comps)); + sleep_flags = lock_system_sleep(); +- device_link_remove(&comps->codec->core.dev, cs35l41->dev); ++ device_link_remove(&cs35l41->codec->core.dev, cs35l41->dev); + unlock_system_sleep(sleep_flags); + } + } +-- +2.43.0 + diff --git a/queue-6.9/alsa-hda-cs35l56-component-should-be-unbound-before-.patch b/queue-6.9/alsa-hda-cs35l56-component-should-be-unbound-before-.patch new file mode 100644 index 00000000000..1f3b36b5d8a --- /dev/null +++ b/queue-6.9/alsa-hda-cs35l56-component-should-be-unbound-before-.patch @@ -0,0 +1,43 @@ +From 85a84b9db1ea8f2dd08da563e0cc11572bd76866 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Jun 2024 14:37:11 +0100 +Subject: ALSA: hda: cs35l56: Component should be unbound before deconstruction + +From: Simon Trimmer + +[ Upstream commit 721f2e6653f5ab0cc52b3a459c4a2158b92fcf80 ] + +The interface associated with the hda_component should be deactivated +before the driver is deconstructed during removal. + +Fixes: 73cfbfa9caea ("ALSA: hda/cs35l56: Add driver for Cirrus Logic CS35L56 amplifier") +Signed-off-by: Simon Trimmer +Signed-off-by: Takashi Iwai +Link: https://lore.kernel.org/r/20240613133713.75550-2-simont@opensource.cirrus.com +Signed-off-by: Sasha Levin +--- + sound/pci/hda/cs35l56_hda.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sound/pci/hda/cs35l56_hda.c b/sound/pci/hda/cs35l56_hda.c +index 11b0570ff56d4..6b77c38a0e155 100644 +--- a/sound/pci/hda/cs35l56_hda.c ++++ b/sound/pci/hda/cs35l56_hda.c +@@ -1072,12 +1072,12 @@ void cs35l56_hda_remove(struct device *dev) + { + struct cs35l56_hda *cs35l56 = dev_get_drvdata(dev); + ++ component_del(cs35l56->base.dev, &cs35l56_hda_comp_ops); ++ + pm_runtime_dont_use_autosuspend(cs35l56->base.dev); + pm_runtime_get_sync(cs35l56->base.dev); + pm_runtime_disable(cs35l56->base.dev); + +- component_del(cs35l56->base.dev, &cs35l56_hda_comp_ops); +- + cs_dsp_remove(&cs35l56->cs_dsp); + + kfree(cs35l56->system_name); +-- +2.43.0 + diff --git a/queue-6.9/alsa-hda-intel-dsp-config-document-avs-as-dsp_driver.patch b/queue-6.9/alsa-hda-intel-dsp-config-document-avs-as-dsp_driver.patch new file mode 100644 index 00000000000..fb919b39323 --- /dev/null +++ b/queue-6.9/alsa-hda-intel-dsp-config-document-avs-as-dsp_driver.patch @@ -0,0 +1,38 @@ +From e2805d0c8ca40775301f58fa6007b46ce7a804b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Jun 2024 09:00:21 +0300 +Subject: ALSA/hda: intel-dsp-config: Document AVS as dsp_driver option + +From: Peter Ujfalusi + +[ Upstream commit 2646b43910c0e6d7f4ad535919b44b88f98c688d ] + +dsp_driver=4 will force the AVS driver stack to be used, it is better to +docuement this. + +Fixes: 1affc44ea5dd ("ASoC: Intel: avs: PCI driver implementation") +Signed-off-by: Peter Ujfalusi +Reviewed-by: Cezary Rojewski +Link: https://lore.kernel.org/r/20240607060021.11503-1-peter.ujfalusi@linux.intel.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/hda/intel-dsp-config.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/hda/intel-dsp-config.c b/sound/hda/intel-dsp-config.c +index d1f6cdcf1866e..e7c2ef6c6b4cb 100644 +--- a/sound/hda/intel-dsp-config.c ++++ b/sound/hda/intel-dsp-config.c +@@ -16,7 +16,7 @@ + static int dsp_driver; + + module_param(dsp_driver, int, 0444); +-MODULE_PARM_DESC(dsp_driver, "Force the DSP driver for Intel DSP (0=auto, 1=legacy, 2=SST, 3=SOF)"); ++MODULE_PARM_DESC(dsp_driver, "Force the DSP driver for Intel DSP (0=auto, 1=legacy, 2=SST, 3=SOF, 4=AVS)"); + + #define FLAG_SST BIT(0) + #define FLAG_SOF BIT(1) +-- +2.43.0 + diff --git a/queue-6.9/alsa-hda-realtek-enable-headset-mic-on-ideapad-330-1.patch b/queue-6.9/alsa-hda-realtek-enable-headset-mic-on-ideapad-330-1.patch new file mode 100644 index 00000000000..2b33589aac9 --- /dev/null +++ b/queue-6.9/alsa-hda-realtek-enable-headset-mic-on-ideapad-330-1.patch @@ -0,0 +1,38 @@ +From ce566ccfbfa0480d753ff51cd5d74a6e030fb6ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 15 Jun 2024 15:54:57 +0300 +Subject: ALSA: hda/realtek: Enable headset mic on IdeaPad 330-17IKB 81DM + +From: Ajrat Makhmutov + +[ Upstream commit b1fd0d1285b1eae8b99af36fb26ed2512b809af6 ] + +Headset microphone do not work out of the box with this laptop. This +quirk fixes it. Zihao Wang specified the wrong subsystem id in his patch. + +Link: https://lore.kernel.org/all/20220424084120.74125-1-wzhd@ustc.edu/ +Fixes: 3b79954fd00d ("ALSA: hda/realtek: Add quirk for Yoga Duet 7 13ITL6 speakers") +Signed-off-by: Ajrat Makhmutov +Link: https://lore.kernel.org/r/20240615125457.167844-1-rauty@altlinux.org +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 61cb908717f27..e1f757e541410 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -10490,7 +10490,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x17aa, 0x3813, "Legion 7i 15IMHG05", ALC287_FIXUP_LEGION_15IMHG05_SPEAKERS), + SND_PCI_QUIRK(0x17aa, 0x3818, "Lenovo C940 / Yoga Duet 7", ALC298_FIXUP_LENOVO_C940_DUET7), + SND_PCI_QUIRK(0x17aa, 0x3819, "Lenovo 13s Gen2 ITL", ALC287_FIXUP_13S_GEN2_SPEAKERS), +- SND_PCI_QUIRK(0x17aa, 0x3820, "Yoga Duet 7 13ITL6", ALC287_FIXUP_YOGA7_14ITL_SPEAKERS), ++ SND_PCI_QUIRK(0x17aa, 0x3820, "IdeaPad 330-17IKB 81DM", ALC269_FIXUP_ASPIRE_HEADSET_MIC), + SND_PCI_QUIRK(0x17aa, 0x3824, "Legion Y9000X 2020", ALC285_FIXUP_LEGION_Y9000X_SPEAKERS), + SND_PCI_QUIRK(0x17aa, 0x3827, "Ideapad S740", ALC285_FIXUP_IDEAPAD_S740_COEF), + SND_PCI_QUIRK(0x17aa, 0x3834, "Lenovo IdeaPad Slim 9i 14ITL5", ALC287_FIXUP_YOGA7_14ITL_SPEAKERS), +-- +2.43.0 + diff --git a/queue-6.9/alsa-hda-realtek-remove-framework-laptop-16-from-qui.patch b/queue-6.9/alsa-hda-realtek-remove-framework-laptop-16-from-qui.patch new file mode 100644 index 00000000000..3973bb1c7b2 --- /dev/null +++ b/queue-6.9/alsa-hda-realtek-remove-framework-laptop-16-from-qui.patch @@ -0,0 +1,38 @@ +From 3b7699111ce1e11d67815467592c2c3c690ac32d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Jun 2024 12:01:32 -0500 +Subject: ALSA: hda/realtek: Remove Framework Laptop 16 from quirks + +From: Dustin L. Howett + +[ Upstream commit e799bdf51d54bebaf939fdb655aad424e624c1b1 ] + +The Framework Laptop 16 does not have a combination headphone/headset +3.5mm jack; however, applying the pincfg from the Laptop 13 (nid=0x19) +erroneously informs hda that the node is present. + +Fixes: 8804fa04a492 ("ALSA: hda/realtek: Add Framework laptop 16 to quirks") +Signed-off-by: Dustin L. Howett +Reviewed-by: Mario Limonciello +Link: https://lore.kernel.org/r/20240605-alsa-hda-realtek-remove-framework-laptop-16-from-quirks-v1-1-11d47fe8ec4d@howett.net +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 1e77bbba8de11..61cb908717f27 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -10592,7 +10592,6 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x8086, 0x2081, "Intel NUC 10", ALC256_FIXUP_INTEL_NUC10), + SND_PCI_QUIRK(0x8086, 0x3038, "Intel NUC 13", ALC295_FIXUP_CHROME_BOOK), + SND_PCI_QUIRK(0xf111, 0x0001, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE), +- SND_PCI_QUIRK(0xf111, 0x0005, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0xf111, 0x0006, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE), + + #if 0 +-- +2.43.0 + diff --git a/queue-6.9/alsa-hda-tas2781-component-should-be-unbound-before-.patch b/queue-6.9/alsa-hda-tas2781-component-should-be-unbound-before-.patch new file mode 100644 index 00000000000..9f95236e421 --- /dev/null +++ b/queue-6.9/alsa-hda-tas2781-component-should-be-unbound-before-.patch @@ -0,0 +1,42 @@ +From d0d0eb1f772b71eb4383d8fd41132be4d6e243bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Jun 2024 14:37:13 +0100 +Subject: ALSA: hda: tas2781: Component should be unbound before deconstruction + +From: Simon Trimmer + +[ Upstream commit d832b5a03e94a2a9f866dab3d04937a0f84ea116 ] + +The interface associated with the hda_component should be deactivated +before the driver is deconstructed during removal. + +Fixes: 4e7914eb1dae ("ALSA: hda/tas2781: remove sound controls in unbind") +Signed-off-by: Simon Trimmer +Signed-off-by: Takashi Iwai +Link: https://lore.kernel.org/r/20240613133713.75550-4-simont@opensource.cirrus.com +Signed-off-by: Sasha Levin +--- + sound/pci/hda/tas2781_hda_i2c.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sound/pci/hda/tas2781_hda_i2c.c b/sound/pci/hda/tas2781_hda_i2c.c +index 75f7674c66ee7..fdee6592c502d 100644 +--- a/sound/pci/hda/tas2781_hda_i2c.c ++++ b/sound/pci/hda/tas2781_hda_i2c.c +@@ -777,11 +777,11 @@ static void tas2781_hda_remove(struct device *dev) + { + struct tas2781_hda *tas_hda = dev_get_drvdata(dev); + ++ component_del(tas_hda->dev, &tas2781_hda_comp_ops); ++ + pm_runtime_get_sync(tas_hda->dev); + pm_runtime_disable(tas_hda->dev); + +- component_del(tas_hda->dev, &tas2781_hda_comp_ops); +- + pm_runtime_put_noidle(tas_hda->dev); + + tasdevice_remove(tas_hda->priv); +-- +2.43.0 + diff --git a/queue-6.9/alsa-seq-ump-fix-missing-system-reset-message-handli.patch b/queue-6.9/alsa-seq-ump-fix-missing-system-reset-message-handli.patch new file mode 100644 index 00000000000..6fba6698d63 --- /dev/null +++ b/queue-6.9/alsa-seq-ump-fix-missing-system-reset-message-handli.patch @@ -0,0 +1,36 @@ +From 1b908ca52371f597525561bd3190c1b7fa729626 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 May 2024 14:37:17 +0200 +Subject: ALSA: seq: ump: Fix missing System Reset message handling + +From: Takashi Iwai + +[ Upstream commit 55fac50ea46f46a22a92e2139b92afaa3822ad19 ] + +The conversion from System Reset event to UMP was missing. +Add the entry for a conversion to a proper UMP System message. + +Fixes: e9e02819a98a ("ALSA: seq: Automatic conversion of UMP events") +Link: https://lore.kernel.org/r/20240531123718.13420-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/seq/seq_ump_convert.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/core/seq/seq_ump_convert.c b/sound/core/seq/seq_ump_convert.c +index 171fb75267afa..d81f776a4c3dd 100644 +--- a/sound/core/seq/seq_ump_convert.c ++++ b/sound/core/seq/seq_ump_convert.c +@@ -1075,6 +1075,8 @@ static const struct seq_ev_to_ump seq_ev_ump_encoders[] = { + system_ev_to_ump_midi1, system_ev_to_ump_midi2 }, + { SNDRV_SEQ_EVENT_SENSING, UMP_SYSTEM_STATUS_ACTIVE_SENSING, + system_ev_to_ump_midi1, system_ev_to_ump_midi2 }, ++ { SNDRV_SEQ_EVENT_RESET, UMP_SYSTEM_STATUS_RESET, ++ system_ev_to_ump_midi1, system_ev_to_ump_midi2 }, + }; + + static const struct seq_ev_to_ump *find_ump_encoder(int type) +-- +2.43.0 + diff --git a/queue-6.9/bnxt_en-restore-ptp-tx_avail-count-in-case-of-skb_pa.patch b/queue-6.9/bnxt_en-restore-ptp-tx_avail-count-in-case-of-skb_pa.patch new file mode 100644 index 00000000000..4c860c55d8a --- /dev/null +++ b/queue-6.9/bnxt_en-restore-ptp-tx_avail-count-in-case-of-skb_pa.patch @@ -0,0 +1,53 @@ +From ed50f8af3ed3b732a23ee8f85af6404a5c4eb0f8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Jun 2024 14:53:13 -0700 +Subject: bnxt_en: Restore PTP tx_avail count in case of skb_pad() error + +From: Pavan Chebbi + +[ Upstream commit 1e7962114c10957fe4d10a15eb714578a394e90b ] + +The current code only restores PTP tx_avail count when we get DMA +mapping errors. Fix it so that the PTP tx_avail count will be +restored for both DMA mapping errors and skb_pad() errors. +Otherwise PTP TX timestamp will not be available after a PTP +packet hits the skb_pad() error. + +Fixes: 83bb623c968e ("bnxt_en: Transmit and retrieve packet timestamps") +Reviewed-by: Andy Gospodarek +Signed-off-by: Pavan Chebbi +Signed-off-by: Michael Chan +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20240618215313.29631-4-michael.chan@broadcom.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +index 2c2ee79c4d779..0fab62a56f3b3 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -730,9 +730,6 @@ static netdev_tx_t bnxt_start_xmit(struct sk_buff *skb, struct net_device *dev) + return NETDEV_TX_OK; + + tx_dma_error: +- if (BNXT_TX_PTP_IS_SET(lflags)) +- atomic_inc(&bp->ptp_cfg->tx_avail); +- + last_frag = i; + + /* start back at beginning and unmap skb */ +@@ -754,6 +751,8 @@ static netdev_tx_t bnxt_start_xmit(struct sk_buff *skb, struct net_device *dev) + tx_free: + dev_kfree_skb_any(skb); + tx_kick_pending: ++ if (BNXT_TX_PTP_IS_SET(lflags)) ++ atomic_inc(&bp->ptp_cfg->tx_avail); + if (txr->kick_pending) + bnxt_txr_db_kick(bp, txr, txr->tx_prod); + txr->tx_buf_ring[txr->tx_prod].skb = NULL; +-- +2.43.0 + diff --git a/queue-6.9/bpf-avoid-splat-in-pskb_pull_reason.patch b/queue-6.9/bpf-avoid-splat-in-pskb_pull_reason.patch new file mode 100644 index 00000000000..b24d67e7d46 --- /dev/null +++ b/queue-6.9/bpf-avoid-splat-in-pskb_pull_reason.patch @@ -0,0 +1,59 @@ +From b21c4322f909688d617567960b124ed86ff6b830 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Jun 2024 12:17:33 +0200 +Subject: bpf: Avoid splat in pskb_pull_reason + +From: Florian Westphal + +[ Upstream commit 2bbe3e5a2f4ef69d13be54f1cf895b4658287080 ] + +syzkaller builds (CONFIG_DEBUG_NET=y) frequently trigger a debug +hint in pskb_may_pull. + +We'd like to retain this debug check because it might hint at integer +overflows and other issues (kernel code should pull headers, not huge +value). + +In bpf case, this splat isn't interesting at all: such (nonsensical) +bpf programs are typically generated by a fuzzer anyway. + +Do what Eric suggested and suppress such warning. + +For CONFIG_DEBUG_NET=n we don't need the extra check because +pskb_may_pull will do the right thing: return an error without the +WARN() backtrace. + +Fixes: 219eee9c0d16 ("net: skbuff: add overflow debug check to pull/push helpers") +Reported-by: syzbot+0c4150bff9fff3bf023c@syzkaller.appspotmail.com +Suggested-by: Eric Dumazet +Signed-off-by: Florian Westphal +Signed-off-by: Daniel Borkmann +Reviewed-by: Eric Dumazet +Acked-by: Daniel Borkmann +Closes: https://syzkaller.appspot.com/bug?extid=0c4150bff9fff3bf023c +Link: https://lore.kernel.org/netdev/9f254c96-54f2-4457-b7ab-1d9f6187939c@gmail.com/ +Link: https://lore.kernel.org/bpf/20240614101801.9496-1-fw@strlen.de +Signed-off-by: Sasha Levin +--- + net/core/filter.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/core/filter.c b/net/core/filter.c +index a5856a8b4498b..ce255e0a2fbd9 100644 +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -1662,6 +1662,11 @@ static DEFINE_PER_CPU(struct bpf_scratchpad, bpf_sp); + static inline int __bpf_try_make_writable(struct sk_buff *skb, + unsigned int write_len) + { ++#ifdef CONFIG_DEBUG_NET ++ /* Avoid a splat in pskb_may_pull_reason() */ ++ if (write_len > INT_MAX) ++ return -EINVAL; ++#endif + return skb_ensure_writable(skb, write_len); + } + +-- +2.43.0 + diff --git a/queue-6.9/bpf-fix-reg_set_min_max-corruption-of-fake_reg.patch b/queue-6.9/bpf-fix-reg_set_min_max-corruption-of-fake_reg.patch new file mode 100644 index 00000000000..c59277151ee --- /dev/null +++ b/queue-6.9/bpf-fix-reg_set_min_max-corruption-of-fake_reg.patch @@ -0,0 +1,158 @@ +From 03480fc9983361bf8250ee025efc6c214367abeb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Jun 2024 13:53:08 +0200 +Subject: bpf: Fix reg_set_min_max corruption of fake_reg +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Daniel Borkmann + +[ Upstream commit 92424801261d1564a0bb759da3cf3ccd69fdf5a2 ] + +Juan reported that after doing some changes to buzzer [0] and implementing +a new fuzzing strategy guided by coverage, they noticed the following in +one of the probes: + + [...] + 13: (79) r6 = *(u64 *)(r0 +0) ; R0=map_value(ks=4,vs=8) R6_w=scalar() + 14: (b7) r0 = 0 ; R0_w=0 + 15: (b4) w0 = -1 ; R0_w=0xffffffff + 16: (74) w0 >>= 1 ; R0_w=0x7fffffff + 17: (5c) w6 &= w0 ; R0_w=0x7fffffff R6_w=scalar(smin=smin32=0,smax=umax=umax32=0x7fffffff,var_off=(0x0; 0x7fffffff)) + 18: (44) w6 |= 2 ; R6_w=scalar(smin=umin=smin32=umin32=2,smax=umax=umax32=0x7fffffff,var_off=(0x2; 0x7ffffffd)) + 19: (56) if w6 != 0x7ffffffd goto pc+1 + REG INVARIANTS VIOLATION (true_reg2): range bounds violation u64=[0x7fffffff, 0x7ffffffd] s64=[0x7fffffff, 0x7ffffffd] u32=[0x7fffffff, 0x7ffffffd] s32=[0x7fffffff, 0x7ffffffd] var_off=(0x7fffffff, 0x0) + REG INVARIANTS VIOLATION (false_reg1): range bounds violation u64=[0x7fffffff, 0x7ffffffd] s64=[0x7fffffff, 0x7ffffffd] u32=[0x7fffffff, 0x7ffffffd] s32=[0x7fffffff, 0x7ffffffd] var_off=(0x7fffffff, 0x0) + REG INVARIANTS VIOLATION (false_reg2): const tnum out of sync with range bounds u64=[0x0, 0xffffffffffffffff] s64=[0x8000000000000000, 0x7fffffffffffffff] u32=[0x0, 0xffffffff] s32=[0x80000000, 0x7fffffff] var_off=(0x7fffffff, 0x0) + 19: R6_w=0x7fffffff + 20: (95) exit + + from 19 to 21: R0=0x7fffffff R6=scalar(smin=umin=smin32=umin32=2,smax=umax=smax32=umax32=0x7ffffffe,var_off=(0x2; 0x7ffffffd)) R7=map_ptr(ks=4,vs=8) R9=ctx() R10=fp0 fp-24=map_ptr(ks=4,vs=8) fp-40=mmmmmmmm + 21: R0=0x7fffffff R6=scalar(smin=umin=smin32=umin32=2,smax=umax=smax32=umax32=0x7ffffffe,var_off=(0x2; 0x7ffffffd)) R7=map_ptr(ks=4,vs=8) R9=ctx() R10=fp0 fp-24=map_ptr(ks=4,vs=8) fp-40=mmmmmmmm + 21: (14) w6 -= 2147483632 ; R6_w=scalar(smin=umin=umin32=2,smax=umax=0xffffffff,smin32=0x80000012,smax32=14,var_off=(0x2; 0xfffffffd)) + 22: (76) if w6 s>= 0xe goto pc+1 ; R6_w=scalar(smin=umin=umin32=2,smax=umax=0xffffffff,smin32=0x80000012,smax32=13,var_off=(0x2; 0xfffffffd)) + 23: (95) exit + + from 22 to 24: R0=0x7fffffff R6_w=14 R7=map_ptr(ks=4,vs=8) R9=ctx() R10=fp0 fp-24=map_ptr(ks=4,vs=8) fp-40=mmmmmmmm + 24: R0=0x7fffffff R6_w=14 R7=map_ptr(ks=4,vs=8) R9=ctx() R10=fp0 fp-24=map_ptr(ks=4,vs=8) fp-40=mmmmmmmm + 24: (14) w6 -= 14 ; R6_w=0 + [...] + +What can be seen here is a register invariant violation on line 19. After +the binary-or in line 18, the verifier knows that bit 2 is set but knows +nothing about the rest of the content which was loaded from a map value, +meaning, range is [2,0x7fffffff] with var_off=(0x2; 0x7ffffffd). When in +line 19 the verifier analyzes the branch, it splits the register states +in reg_set_min_max() into the registers of the true branch (true_reg1, +true_reg2) and the registers of the false branch (false_reg1, false_reg2). + +Since the test is w6 != 0x7ffffffd, the src_reg is a known constant. +Internally, the verifier creates a "fake" register initialized as scalar +to the value of 0x7ffffffd, and then passes it onto reg_set_min_max(). Now, +for line 19, it is mathematically impossible to take the false branch of +this program, yet the verifier analyzes it. It is impossible because the +second bit of r6 will be set due to the prior or operation and the +constant in the condition has that bit unset (hex(fd) == binary(1111 1101). + +When the verifier first analyzes the false / fall-through branch, it will +compute an intersection between the var_off of r6 and of the constant. This +is because the verifier creates a "fake" register initialized to the value +of the constant. The intersection result later refines both registers in +regs_refine_cond_op(): + + [...] + t = tnum_intersect(tnum_subreg(reg1->var_off), tnum_subreg(reg2->var_off)); + reg1->var_off = tnum_with_subreg(reg1->var_off, t); + reg2->var_off = tnum_with_subreg(reg2->var_off, t); + [...] + +Since the verifier is analyzing the false branch of the conditional jump, +reg1 is equal to false_reg1 and reg2 is equal to false_reg2, i.e. the reg2 +is the "fake" register that was meant to hold a constant value. The resulting +var_off of the intersection says that both registers now hold a known value +of var_off=(0x7fffffff, 0x0) or in other words: this operation manages to +make the verifier think that the "constant" value that was passed in the +jump operation now holds a different value. + +Normally this would not be an issue since it should not influence the true +branch, however, false_reg2 and true_reg2 are pointers to the same "fake" +register. Meaning, the false branch can influence the results of the true +branch. In line 24, the verifier assumes R6_w=0, but the actual runtime +value in this case is 1. The fix is simply not passing in the same "fake" +register location as inputs to reg_set_min_max(), but instead making a +copy. Moving the fake_reg into the env also reduces stack consumption by +120 bytes. With this, the verifier successfully rejects invalid accesses +from the test program. + + [0] https://github.com/google/buzzer + +Fixes: 67420501e868 ("bpf: generalize reg_set_min_max() to handle non-const register comparisons") +Reported-by: Juan José López Jaimez +Signed-off-by: Daniel Borkmann +Reviewed-by: John Fastabend +Link: https://lore.kernel.org/r/20240613115310.25383-1-daniel@iogearbox.net +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + include/linux/bpf_verifier.h | 2 ++ + kernel/bpf/verifier.c | 14 ++++++++++---- + 2 files changed, 12 insertions(+), 4 deletions(-) + +diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h +index 7cb1b75eee381..e742db470a711 100644 +--- a/include/linux/bpf_verifier.h ++++ b/include/linux/bpf_verifier.h +@@ -737,6 +737,8 @@ struct bpf_verifier_env { + /* Same as scratched_regs but for stack slots */ + u64 scratched_stack_slots; + u64 prev_log_pos, prev_insn_print_pos; ++ /* buffer used to temporary hold constants as scalar registers */ ++ struct bpf_reg_state fake_reg[2]; + /* buffer used to generate temporary string representations, + * e.g., in reg_type_str() to generate reg_type string + */ +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index 8a29309db4245..0ef18ae40bc5a 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -14973,7 +14973,6 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env, + struct bpf_reg_state *regs = this_branch->frame[this_branch->curframe]->regs; + struct bpf_reg_state *dst_reg, *other_branch_regs, *src_reg = NULL; + struct bpf_reg_state *eq_branch_regs; +- struct bpf_reg_state fake_reg = {}; + u8 opcode = BPF_OP(insn->code); + bool is_jmp32; + int pred = -1; +@@ -15039,7 +15038,8 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env, + verbose(env, "BPF_JMP/JMP32 uses reserved fields\n"); + return -EINVAL; + } +- src_reg = &fake_reg; ++ src_reg = &env->fake_reg[0]; ++ memset(src_reg, 0, sizeof(*src_reg)); + src_reg->type = SCALAR_VALUE; + __mark_reg_known(src_reg, insn->imm); + } +@@ -15099,10 +15099,16 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env, + &other_branch_regs[insn->src_reg], + dst_reg, src_reg, opcode, is_jmp32); + } else /* BPF_SRC(insn->code) == BPF_K */ { ++ /* reg_set_min_max() can mangle the fake_reg. Make a copy ++ * so that these are two different memory locations. The ++ * src_reg is not used beyond here in context of K. ++ */ ++ memcpy(&env->fake_reg[1], &env->fake_reg[0], ++ sizeof(env->fake_reg[0])); + err = reg_set_min_max(env, + &other_branch_regs[insn->dst_reg], +- src_reg /* fake one */, +- dst_reg, src_reg /* same fake one */, ++ &env->fake_reg[0], ++ dst_reg, &env->fake_reg[1], + opcode, is_jmp32); + } + if (err) +-- +2.43.0 + diff --git a/queue-6.9/btrfs-zoned-allocate-dummy-checksums-for-zoned-nodat.patch b/queue-6.9/btrfs-zoned-allocate-dummy-checksums-for-zoned-nodat.patch new file mode 100644 index 00000000000..5ceda1cf759 --- /dev/null +++ b/queue-6.9/btrfs-zoned-allocate-dummy-checksums-for-zoned-nodat.patch @@ -0,0 +1,120 @@ +From d597542866567108912be6ca8059c6ea96e6472d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Jun 2024 13:27:48 +0200 +Subject: btrfs: zoned: allocate dummy checksums for zoned NODATASUM writes + +From: Johannes Thumshirn + +[ Upstream commit cebae292e0c32a228e8f2219c270a7237be24a6a ] + +Shin'ichiro reported that when he's running fstests' test-case +btrfs/167 on emulated zoned devices, he's seeing the following NULL +pointer dereference in 'btrfs_zone_finish_endio()': + + Oops: general protection fault, probably for non-canonical address 0xdffffc0000000011: 0000 [#1] PREEMPT SMP KASAN NOPTI + KASAN: null-ptr-deref in range [0x0000000000000088-0x000000000000008f] + CPU: 4 PID: 2332440 Comm: kworker/u80:15 Tainted: G W 6.10.0-rc2-kts+ #4 + Hardware name: Supermicro Super Server/X11SPi-TF, BIOS 3.3 02/21/2020 + Workqueue: btrfs-endio-write btrfs_work_helper [btrfs] + RIP: 0010:btrfs_zone_finish_endio.part.0+0x34/0x160 [btrfs] + + RSP: 0018:ffff88867f107a90 EFLAGS: 00010206 + RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff893e5534 + RDX: 0000000000000011 RSI: 0000000000000004 RDI: 0000000000000088 + RBP: 0000000000000002 R08: 0000000000000001 R09: ffffed1081696028 + R10: ffff88840b4b0143 R11: ffff88834dfff600 R12: ffff88840b4b0000 + R13: 0000000000020000 R14: 0000000000000000 R15: ffff888530ad5210 + FS: 0000000000000000(0000) GS:ffff888e3f800000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00007f87223fff38 CR3: 00000007a7c6a002 CR4: 00000000007706f0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + PKRU: 55555554 + Call Trace: + + ? __die_body.cold+0x19/0x27 + ? die_addr+0x46/0x70 + ? exc_general_protection+0x14f/0x250 + ? asm_exc_general_protection+0x26/0x30 + ? do_raw_read_unlock+0x44/0x70 + ? btrfs_zone_finish_endio.part.0+0x34/0x160 [btrfs] + btrfs_finish_one_ordered+0x5d9/0x19a0 [btrfs] + ? __pfx_lock_release+0x10/0x10 + ? do_raw_write_lock+0x90/0x260 + ? __pfx_do_raw_write_lock+0x10/0x10 + ? __pfx_btrfs_finish_one_ordered+0x10/0x10 [btrfs] + ? _raw_write_unlock+0x23/0x40 + ? btrfs_finish_ordered_zoned+0x5a9/0x850 [btrfs] + ? lock_acquire+0x435/0x500 + btrfs_work_helper+0x1b1/0xa70 [btrfs] + ? __schedule+0x10a8/0x60b0 + ? __pfx___might_resched+0x10/0x10 + process_one_work+0x862/0x1410 + ? __pfx_lock_acquire+0x10/0x10 + ? __pfx_process_one_work+0x10/0x10 + ? assign_work+0x16c/0x240 + worker_thread+0x5e6/0x1010 + ? __pfx_worker_thread+0x10/0x10 + kthread+0x2c3/0x3a0 + ? trace_irq_enable.constprop.0+0xce/0x110 + ? __pfx_kthread+0x10/0x10 + ret_from_fork+0x31/0x70 + ? __pfx_kthread+0x10/0x10 + ret_from_fork_asm+0x1a/0x30 + + +Enabling CONFIG_BTRFS_ASSERT revealed the following assertion to +trigger: + + assertion failed: !list_empty(&ordered->list), in fs/btrfs/zoned.c:1815 + +This indicates, that we're missing the checksums list on the +ordered_extent. As btrfs/167 is doing a NOCOW write this is to be +expected. + +Further analysis with drgn confirmed the assumption: + + >>> inode = prog.crashed_thread().stack_trace()[11]['ordered'].inode + >>> btrfs_inode = drgn.container_of(inode, "struct btrfs_inode", \ + "vfs_inode") + >>> print(btrfs_inode.flags) + (u32)1 + +As zoned emulation mode simulates conventional zones on regular devices, +we cannot use zone-append for writing. But we're only attaching dummy +checksums if we're doing a zone-append write. + +So for NOCOW zoned data writes on conventional zones, also attach a +dummy checksum. + +Reported-by: Shinichiro Kawasaki +Fixes: cbfce4c7fbde ("btrfs: optimize the logical to physical mapping for zoned writes") +CC: Naohiro Aota # 6.6+ +Tested-by: Shin'ichiro Kawasaki +Reviewed-by: Naohiro Aota +Signed-off-by: Johannes Thumshirn +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/bio.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/btrfs/bio.c b/fs/btrfs/bio.c +index 477f350a8bd09..e3a57196b0ee0 100644 +--- a/fs/btrfs/bio.c ++++ b/fs/btrfs/bio.c +@@ -741,7 +741,9 @@ static bool btrfs_submit_chunk(struct btrfs_bio *bbio, int mirror_num) + ret = btrfs_bio_csum(bbio); + if (ret) + goto fail_put_bio; +- } else if (use_append) { ++ } else if (use_append || ++ (btrfs_is_zoned(fs_info) && inode && ++ inode->flags & BTRFS_INODE_NODATASUM)) { + ret = btrfs_alloc_dummy_sum(bbio); + if (ret) + goto fail_put_bio; +-- +2.43.0 + diff --git a/queue-6.9/cipso-fix-total-option-length-computation.patch b/queue-6.9/cipso-fix-total-option-length-computation.patch new file mode 100644 index 00000000000..02d7d415ab9 --- /dev/null +++ b/queue-6.9/cipso-fix-total-option-length-computation.patch @@ -0,0 +1,52 @@ +From d8c49bd433a5dd490db0c20c9e514e62a98ea752 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Jun 2024 18:07:52 +0200 +Subject: cipso: fix total option length computation + +From: Ondrej Mosnacek + +[ Upstream commit 9f36169912331fa035d7b73a91252d7c2512eb1a ] + +As evident from the definition of ip_options_get(), the IP option +IPOPT_END is used to pad the IP option data array, not IPOPT_NOP. Yet +the loop that walks the IP options to determine the total IP options +length in cipso_v4_delopt() doesn't take IPOPT_END into account. + +Fix it by recognizing the IPOPT_END value as the end of actual options. + +Fixes: 014ab19a69c3 ("selinux: Set socket NetLabel based on connection endpoint") +Signed-off-by: Ondrej Mosnacek +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/cipso_ipv4.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c +index 8b17d83e5fde4..1eb98440c01ea 100644 +--- a/net/ipv4/cipso_ipv4.c ++++ b/net/ipv4/cipso_ipv4.c +@@ -2012,12 +2012,16 @@ static int cipso_v4_delopt(struct ip_options_rcu __rcu **opt_ptr) + * from there we can determine the new total option length */ + iter = 0; + optlen_new = 0; +- while (iter < opt->opt.optlen) +- if (opt->opt.__data[iter] != IPOPT_NOP) { ++ while (iter < opt->opt.optlen) { ++ if (opt->opt.__data[iter] == IPOPT_END) { ++ break; ++ } else if (opt->opt.__data[iter] == IPOPT_NOP) { ++ iter++; ++ } else { + iter += opt->opt.__data[iter + 1]; + optlen_new = iter; +- } else +- iter++; ++ } ++ } + hdr_delta = opt->opt.optlen; + opt->opt.optlen = (optlen_new + 3) & ~3; + hdr_delta -= opt->opt.optlen; +-- +2.43.0 + diff --git a/queue-6.9/ice-avoid-irq-collision-to-fix-init-failure-on-acpi-.patch b/queue-6.9/ice-avoid-irq-collision-to-fix-init-failure-on-acpi-.patch new file mode 100644 index 00000000000..e424746d95e --- /dev/null +++ b/queue-6.9/ice-avoid-irq-collision-to-fix-init-failure-on-acpi-.patch @@ -0,0 +1,69 @@ +From 3c61e3f34fa38434b29b7527c737ef3a4e99e57e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 May 2024 22:21:31 +0800 +Subject: ice: avoid IRQ collision to fix init failure on ACPI S3 resume + +From: En-Wei Wu + +[ Upstream commit bc69ad74867dba1377abe14356c94a946d9837a3 ] + +A bug in https://bugzilla.kernel.org/show_bug.cgi?id=218906 describes +that irdma would break and report hardware initialization failed after +suspend/resume with Intel E810 NIC (tested on 6.9.0-rc5). + +The problem is caused due to the collision between the irq numbers +requested in irdma and the irq numbers requested in other drivers +after suspend/resume. + +The irq numbers used by irdma are derived from ice's ice_pf->msix_entries +which stores mappings between MSI-X index and Linux interrupt number. +It's supposed to be cleaned up when suspend and rebuilt in resume but +it's not, causing irdma using the old irq numbers stored in the old +ice_pf->msix_entries to request_irq() when resume. And eventually +collide with other drivers. + +This patch fixes this problem. On suspend, we call ice_deinit_rdma() to +clean up the ice_pf->msix_entries (and free the MSI-X vectors used by +irdma if we've dynamically allocated them). On resume, we call +ice_init_rdma() to rebuild the ice_pf->msix_entries (and allocate the +MSI-X vectors if we would like to dynamically allocate them). + +Fixes: f9f5301e7e2d ("ice: Register auxiliary device to provide RDMA") +Tested-by: Cyrus Lien +Signed-off-by: En-Wei Wu +Reviewed-by: Wojciech Drewek +Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_main.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c +index 10fef2e726b39..f052bccb50a08 100644 +--- a/drivers/net/ethernet/intel/ice/ice_main.c ++++ b/drivers/net/ethernet/intel/ice/ice_main.c +@@ -5451,7 +5451,7 @@ static int __maybe_unused ice_suspend(struct device *dev) + */ + disabled = ice_service_task_stop(pf); + +- ice_unplug_aux_dev(pf); ++ ice_deinit_rdma(pf); + + /* Already suspended?, then there is nothing to do */ + if (test_and_set_bit(ICE_SUSPENDED, pf->state)) { +@@ -5531,6 +5531,11 @@ static int __maybe_unused ice_resume(struct device *dev) + if (ret) + dev_err(dev, "Cannot restore interrupt scheme: %d\n", ret); + ++ ret = ice_init_rdma(pf); ++ if (ret) ++ dev_err(dev, "Reinitialize RDMA during resume failed: %d\n", ++ ret); ++ + clear_bit(ICE_DOWN, pf->state); + /* Now perform PF reset and rebuild */ + reset_type = ICE_RESET_PFR; +-- +2.43.0 + diff --git a/queue-6.9/ice-fix-200g-link-speed-message-log.patch b/queue-6.9/ice-fix-200g-link-speed-message-log.patch new file mode 100644 index 00000000000..e895062f4a0 --- /dev/null +++ b/queue-6.9/ice-fix-200g-link-speed-message-log.patch @@ -0,0 +1,44 @@ +From 878964be648ff5d76ce68a704f62fcd5185051e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 May 2024 13:06:17 -0400 +Subject: ice: fix 200G link speed message log + +From: Paul Greenwalt + +[ Upstream commit aeccadb24d9dacdde673a0f68f0a9135c6be4993 ] + +Commit 24407a01e57c ("ice: Add 200G speed/phy type use") added support +for 200G PHY speeds, but did not include 200G link speed message +support. As a result the driver incorrectly reports Unknown for 200G +link speed. + +Fix this by adding 200G support to ice_print_link_msg(). + +Fixes: 24407a01e57c ("ice: Add 200G speed/phy type use") +Reviewed-by: Michal Swiatkowski +Signed-off-by: Paul Greenwalt +Reviewed-by: Jesse Brandeburg +Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_main.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c +index f052bccb50a08..61eef3259cbaa 100644 +--- a/drivers/net/ethernet/intel/ice/ice_main.c ++++ b/drivers/net/ethernet/intel/ice/ice_main.c +@@ -803,6 +803,9 @@ void ice_print_link_msg(struct ice_vsi *vsi, bool isup) + } + + switch (vsi->port_info->phy.link_info.link_speed) { ++ case ICE_AQ_LINK_SPEED_200GB: ++ speed = "200 G"; ++ break; + case ICE_AQ_LINK_SPEED_100GB: + speed = "100 G"; + break; +-- +2.43.0 + diff --git a/queue-6.9/ice-fix-vsi-list-rule-with-ice_sw_lkup_last-type.patch b/queue-6.9/ice-fix-vsi-list-rule-with-ice_sw_lkup_last-type.patch new file mode 100644 index 00000000000..d0ed028dc48 --- /dev/null +++ b/queue-6.9/ice-fix-vsi-list-rule-with-ice_sw_lkup_last-type.patch @@ -0,0 +1,65 @@ +From 8f3084caf4c85bf92780ed23779bbf81c4374d5d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Jun 2024 14:02:05 -0700 +Subject: ice: Fix VSI list rule with ICE_SW_LKUP_LAST type + +From: Marcin Szycik + +[ Upstream commit 74382aebc9035470ec4c789bdb0d09d8c14f261e ] + +Adding/updating VSI list rule, as well as allocating/freeing VSI list +resource are called several times with type ICE_SW_LKUP_LAST, which fails +because ice_update_vsi_list_rule() and ice_aq_alloc_free_vsi_list() +consider it invalid. Allow calling these functions with ICE_SW_LKUP_LAST. + +This fixes at least one issue in switchdev mode, where the same rule with +different action cannot be added, e.g.: + + tc filter add dev $PF1 ingress protocol arp prio 0 flower skip_sw \ + dst_mac ff:ff:ff:ff:ff:ff action mirred egress redirect dev $VF1_PR + tc filter add dev $PF1 ingress protocol arp prio 0 flower skip_sw \ + dst_mac ff:ff:ff:ff:ff:ff action mirred egress redirect dev $VF2_PR + +Fixes: 0f94570d0cae ("ice: allow adding advanced rules") +Suggested-by: Michal Swiatkowski +Reviewed-by: Michal Swiatkowski +Reviewed-by: Przemek Kitszel +Signed-off-by: Marcin Szycik +Reviewed-by: Jacob Keller +Reviewed-by: Simon Horman +Tested-by: Sujai Buvaneswaran +Signed-off-by: Tony Nguyen +Link: https://lore.kernel.org/r/20240618210206.981885-1-anthony.l.nguyen@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_switch.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_switch.c b/drivers/net/ethernet/intel/ice/ice_switch.c +index b4ea935e83005..1472385eb68eb 100644 +--- a/drivers/net/ethernet/intel/ice/ice_switch.c ++++ b/drivers/net/ethernet/intel/ice/ice_switch.c +@@ -1825,7 +1825,8 @@ ice_aq_alloc_free_vsi_list(struct ice_hw *hw, u16 *vsi_list_id, + lkup_type == ICE_SW_LKUP_ETHERTYPE_MAC || + lkup_type == ICE_SW_LKUP_PROMISC || + lkup_type == ICE_SW_LKUP_PROMISC_VLAN || +- lkup_type == ICE_SW_LKUP_DFLT) { ++ lkup_type == ICE_SW_LKUP_DFLT || ++ lkup_type == ICE_SW_LKUP_LAST) { + sw_buf->res_type = cpu_to_le16(ICE_AQC_RES_TYPE_VSI_LIST_REP); + } else if (lkup_type == ICE_SW_LKUP_VLAN) { + if (opc == ice_aqc_opc_alloc_res) +@@ -2759,7 +2760,8 @@ ice_update_vsi_list_rule(struct ice_hw *hw, u16 *vsi_handle_arr, u16 num_vsi, + lkup_type == ICE_SW_LKUP_ETHERTYPE_MAC || + lkup_type == ICE_SW_LKUP_PROMISC || + lkup_type == ICE_SW_LKUP_PROMISC_VLAN || +- lkup_type == ICE_SW_LKUP_DFLT) ++ lkup_type == ICE_SW_LKUP_DFLT || ++ lkup_type == ICE_SW_LKUP_LAST) + rule_type = remove ? ICE_AQC_SW_RULES_T_VSI_LIST_CLEAR : + ICE_AQC_SW_RULES_T_VSI_LIST_SET; + else if (lkup_type == ICE_SW_LKUP_VLAN) +-- +2.43.0 + diff --git a/queue-6.9/ice-implement-aq-download-pkg-retry.patch b/queue-6.9/ice-implement-aq-download-pkg-retry.patch new file mode 100644 index 00000000000..501766abfbd --- /dev/null +++ b/queue-6.9/ice-implement-aq-download-pkg-retry.patch @@ -0,0 +1,70 @@ +From e667e7d2b000cd3a4a6af9c7903910d859827f36 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Jun 2024 14:55:14 +0200 +Subject: ice: implement AQ download pkg retry + +From: Wojciech Drewek + +[ Upstream commit a27f6ac9d404ea84196639dcc456f969ef813c0f ] + +ice_aqc_opc_download_pkg (0x0C40) AQ sporadically returns error due +to FW issue. Fix this by retrying five times before moving to +Safe Mode. Sleep for 20 ms before retrying. This was tested with the +4.40 firmware. + +Fixes: c76488109616 ("ice: Implement Dynamic Device Personalization (DDP) download") +Reviewed-by: Michal Swiatkowski +Signed-off-by: Wojciech Drewek +Reviewed-by: Brett Creeley +Reviewed-by: Przemek Kitszel +Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_ddp.c | 23 +++++++++++++++++++++-- + 1 file changed, 21 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_ddp.c b/drivers/net/ethernet/intel/ice/ice_ddp.c +index 4df561d64bc38..6e7d58243c7cb 100644 +--- a/drivers/net/ethernet/intel/ice/ice_ddp.c ++++ b/drivers/net/ethernet/intel/ice/ice_ddp.c +@@ -1329,6 +1329,7 @@ ice_dwnld_cfg_bufs_no_lock(struct ice_hw *hw, struct ice_buf *bufs, u32 start, + + for (i = 0; i < count; i++) { + bool last = false; ++ int try_cnt = 0; + int status; + + bh = (struct ice_buf_hdr *)(bufs + start + i); +@@ -1336,8 +1337,26 @@ ice_dwnld_cfg_bufs_no_lock(struct ice_hw *hw, struct ice_buf *bufs, u32 start, + if (indicate_last) + last = ice_is_last_download_buffer(bh, i, count); + +- status = ice_aq_download_pkg(hw, bh, ICE_PKG_BUF_SIZE, last, +- &offset, &info, NULL); ++ while (1) { ++ status = ice_aq_download_pkg(hw, bh, ICE_PKG_BUF_SIZE, ++ last, &offset, &info, ++ NULL); ++ if (hw->adminq.sq_last_status != ICE_AQ_RC_ENOSEC && ++ hw->adminq.sq_last_status != ICE_AQ_RC_EBADSIG) ++ break; ++ ++ try_cnt++; ++ ++ if (try_cnt == 5) ++ break; ++ ++ msleep(20); ++ } ++ ++ if (try_cnt) ++ dev_dbg(ice_hw_to_dev(hw), ++ "ice_aq_download_pkg number of retries: %d\n", ++ try_cnt); + + /* Save AQ status from download package */ + if (status) { +-- +2.43.0 + diff --git a/queue-6.9/ipv6-prevent-possible-null-deref-in-fib6_nh_init.patch b/queue-6.9/ipv6-prevent-possible-null-deref-in-fib6_nh_init.patch new file mode 100644 index 00000000000..0ee6b412b2f --- /dev/null +++ b/queue-6.9/ipv6-prevent-possible-null-deref-in-fib6_nh_init.patch @@ -0,0 +1,77 @@ +From 33ce98ddc6eba45aaddfd67dc016ecc18bc90fab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Jun 2024 08:20:02 +0000 +Subject: ipv6: prevent possible NULL deref in fib6_nh_init() + +From: Eric Dumazet + +[ Upstream commit 2eab4543a2204092c3a7af81d7d6c506e59a03a6 ] + +syzbot reminds us that in6_dev_get() can return NULL. + +fib6_nh_init() + ip6_validate_gw( &idev ) + ip6_route_check_nh( idev ) + *idev = in6_dev_get(dev); // can be NULL + +Oops: general protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI +KASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7] +CPU: 0 PID: 11237 Comm: syz-executor.3 Not tainted 6.10.0-rc2-syzkaller-00249-gbe27b8965297 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024 + RIP: 0010:fib6_nh_init+0x640/0x2160 net/ipv6/route.c:3606 +Code: 00 00 fc ff df 4c 8b 64 24 58 48 8b 44 24 28 4c 8b 74 24 30 48 89 c1 48 89 44 24 28 48 8d 98 e0 05 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 0f 85 b3 17 00 00 8b 1b 31 ff 89 de e8 b8 8b +RSP: 0018:ffffc900032775a0 EFLAGS: 00010202 +RAX: 00000000000000bc RBX: 00000000000005e0 RCX: 0000000000000000 +RDX: 0000000000000010 RSI: ffffc90003277a54 RDI: ffff88802b3a08d8 +RBP: ffffc900032778b0 R08: 00000000000002fc R09: 0000000000000000 +R10: 00000000000002fc R11: 0000000000000000 R12: ffff88802b3a08b8 +R13: 1ffff9200064eec8 R14: ffffc90003277a00 R15: dffffc0000000000 +FS: 00007f940feb06c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000000000000 CR3: 00000000245e8000 CR4: 00000000003506f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + ip6_route_info_create+0x99e/0x12b0 net/ipv6/route.c:3809 + ip6_route_add+0x28/0x160 net/ipv6/route.c:3853 + ipv6_route_ioctl+0x588/0x870 net/ipv6/route.c:4483 + inet6_ioctl+0x21a/0x280 net/ipv6/af_inet6.c:579 + sock_do_ioctl+0x158/0x460 net/socket.c:1222 + sock_ioctl+0x629/0x8e0 net/socket.c:1341 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:907 [inline] + __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7f940f07cea9 + +Fixes: 428604fb118f ("ipv6: do not set routes if disable_ipv6 has been enabled") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Acked-by: Lorenzo Bianconi +Reviewed-by: David Ahern +Link: https://lore.kernel.org/r/20240614082002.26407-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/route.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv6/route.c b/net/ipv6/route.c +index 8f8c8fcfd1c21..ac867b99aa997 100644 +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -3603,7 +3603,7 @@ int fib6_nh_init(struct net *net, struct fib6_nh *fib6_nh, + if (!dev) + goto out; + +- if (idev->cnf.disable_ipv6) { ++ if (!idev || idev->cnf.disable_ipv6) { + NL_SET_ERR_MSG(extack, "IPv6 is disabled on nexthop device"); + err = -EACCES; + goto out; +-- +2.43.0 + diff --git a/queue-6.9/ipv6-prevent-possible-null-dereference-in-rt6_probe.patch b/queue-6.9/ipv6-prevent-possible-null-dereference-in-rt6_probe.patch new file mode 100644 index 00000000000..3d578ebf156 --- /dev/null +++ b/queue-6.9/ipv6-prevent-possible-null-dereference-in-rt6_probe.patch @@ -0,0 +1,86 @@ +From 4a0b6ed1337b833c799f16d38b568ce7192bb0c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 15 Jun 2024 15:14:54 +0000 +Subject: ipv6: prevent possible NULL dereference in rt6_probe() + +From: Eric Dumazet + +[ Upstream commit b86762dbe19a62e785c189f313cda5b989931f37 ] + +syzbot caught a NULL dereference in rt6_probe() [1] + +Bail out if __in6_dev_get() returns NULL. + +[1] +Oops: general protection fault, probably for non-canonical address 0xdffffc00000000cb: 0000 [#1] PREEMPT SMP KASAN PTI +KASAN: null-ptr-deref in range [0x0000000000000658-0x000000000000065f] +CPU: 1 PID: 22444 Comm: syz-executor.0 Not tainted 6.10.0-rc2-syzkaller-00383-gb8481381d4e2 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024 + RIP: 0010:rt6_probe net/ipv6/route.c:656 [inline] + RIP: 0010:find_match+0x8c4/0xf50 net/ipv6/route.c:758 +Code: 14 fd f7 48 8b 85 38 ff ff ff 48 c7 45 b0 00 00 00 00 48 8d b8 5c 06 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 19 +RSP: 0018:ffffc900034af070 EFLAGS: 00010203 +RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffc90004521000 +RDX: 00000000000000cb RSI: ffffffff8990d0cd RDI: 000000000000065c +RBP: ffffc900034af150 R08: 0000000000000005 R09: 0000000000000000 +R10: 0000000000000001 R11: 0000000000000002 R12: 000000000000000a +R13: 1ffff92000695e18 R14: ffff8880244a1d20 R15: 0000000000000000 +FS: 00007f4844a5a6c0(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000001b31b27000 CR3: 000000002d42c000 CR4: 00000000003506f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + rt6_nh_find_match+0xfa/0x1a0 net/ipv6/route.c:784 + nexthop_for_each_fib6_nh+0x26d/0x4a0 net/ipv4/nexthop.c:1496 + __find_rr_leaf+0x6e7/0xe00 net/ipv6/route.c:825 + find_rr_leaf net/ipv6/route.c:853 [inline] + rt6_select net/ipv6/route.c:897 [inline] + fib6_table_lookup+0x57e/0xa30 net/ipv6/route.c:2195 + ip6_pol_route+0x1cd/0x1150 net/ipv6/route.c:2231 + pol_lookup_func include/net/ip6_fib.h:616 [inline] + fib6_rule_lookup+0x386/0x720 net/ipv6/fib6_rules.c:121 + ip6_route_output_flags_noref net/ipv6/route.c:2639 [inline] + ip6_route_output_flags+0x1d0/0x640 net/ipv6/route.c:2651 + ip6_dst_lookup_tail.constprop.0+0x961/0x1760 net/ipv6/ip6_output.c:1147 + ip6_dst_lookup_flow+0x99/0x1d0 net/ipv6/ip6_output.c:1250 + rawv6_sendmsg+0xdab/0x4340 net/ipv6/raw.c:898 + inet_sendmsg+0x119/0x140 net/ipv4/af_inet.c:853 + sock_sendmsg_nosec net/socket.c:730 [inline] + __sock_sendmsg net/socket.c:745 [inline] + sock_write_iter+0x4b8/0x5c0 net/socket.c:1160 + new_sync_write fs/read_write.c:497 [inline] + vfs_write+0x6b6/0x1140 fs/read_write.c:590 + ksys_write+0x1f8/0x260 fs/read_write.c:643 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Fixes: 52e1635631b3 ("[IPV6]: ROUTE: Add router_probe_interval sysctl.") +Signed-off-by: Eric Dumazet +Reviewed-by: Jason Xing +Reviewed-by: David Ahern +Link: https://lore.kernel.org/r/20240615151454.166404-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/route.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/ipv6/route.c b/net/ipv6/route.c +index ac867b99aa997..d7a5ca012a8fc 100644 +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -638,6 +638,8 @@ static void rt6_probe(struct fib6_nh *fib6_nh) + rcu_read_lock(); + last_probe = READ_ONCE(fib6_nh->last_probe); + idev = __in6_dev_get(dev); ++ if (!idev) ++ goto out; + neigh = __ipv6_neigh_lookup_noref(dev, nh_gw); + if (neigh) { + if (READ_ONCE(neigh->nud_state) & NUD_VALID) +-- +2.43.0 + diff --git a/queue-6.9/mips-bmips-bcm6358-make-sure-cbr-is-correctly-set.patch b/queue-6.9/mips-bmips-bcm6358-make-sure-cbr-is-correctly-set.patch new file mode 100644 index 00000000000..fc33190598b --- /dev/null +++ b/queue-6.9/mips-bmips-bcm6358-make-sure-cbr-is-correctly-set.patch @@ -0,0 +1,45 @@ +From 064932a5526c09e607916bd170cc909896209e66 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Jun 2024 13:35:33 +0200 +Subject: mips: bmips: BCM6358: make sure CBR is correctly set + +From: Christian Marangi + +[ Upstream commit ce5cdd3b05216b704a704f466fb4c2dff3778caf ] + +It was discovered that some device have CBR address set to 0 causing +kernel panic when arch_sync_dma_for_cpu_all is called. + +This was notice in situation where the system is booted from TP1 and +BMIPS_GET_CBR() returns 0 instead of a valid address and +!!(read_c0_brcm_cmt_local() & (1 << 31)); not failing. + +The current check whether RAC flush should be disabled or not are not +enough hence lets check if CBR is a valid address or not. + +Fixes: ab327f8acdf8 ("mips: bmips: BCM6358: disable RAC flush for TP1") +Signed-off-by: Christian Marangi +Acked-by: Florian Fainelli +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/bmips/setup.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/mips/bmips/setup.c b/arch/mips/bmips/setup.c +index ec180ab92eaa8..66a8ba19c2872 100644 +--- a/arch/mips/bmips/setup.c ++++ b/arch/mips/bmips/setup.c +@@ -110,7 +110,8 @@ static void bcm6358_quirks(void) + * RAC flush causes kernel panics on BCM6358 when booting from TP1 + * because the bootloader is not initializing it properly. + */ +- bmips_rac_flush_disable = !!(read_c0_brcm_cmt_local() & (1 << 31)); ++ bmips_rac_flush_disable = !!(read_c0_brcm_cmt_local() & (1 << 31)) || ++ !!BMIPS_GET_CBR(); + } + + static void bcm6368_quirks(void) +-- +2.43.0 + diff --git a/queue-6.9/mips-routerboard-532-fix-vendor-retry-check-code.patch b/queue-6.9/mips-routerboard-532-fix-vendor-retry-check-code.patch new file mode 100644 index 00000000000..34c8b92683d --- /dev/null +++ b/queue-6.9/mips-routerboard-532-fix-vendor-retry-check-code.patch @@ -0,0 +1,46 @@ +From ba9ef74b98da1f26fa8e48fa177bb2c827969369 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 May 2024 15:07:00 +0300 +Subject: MIPS: Routerboard 532: Fix vendor retry check code +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ilpo Järvinen + +[ Upstream commit ae9daffd9028f2500c9ac1517e46d4f2b57efb80 ] + +read_config_dword() contains strange condition checking ret for a +number of values. The ret variable, however, is always zero because +config_access() never returns anything else. Thus, the retry is always +taken until number of tries is exceeded. + +The code looks like it wants to check *val instead of ret to see if the +read gave an error response. + +Fixes: 73b4390fb234 ("[MIPS] Routerboard 532: Support for base system") +Signed-off-by: Ilpo Järvinen +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/pci/ops-rc32434.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/mips/pci/ops-rc32434.c b/arch/mips/pci/ops-rc32434.c +index 874ed6df97683..34b9323bdabb0 100644 +--- a/arch/mips/pci/ops-rc32434.c ++++ b/arch/mips/pci/ops-rc32434.c +@@ -112,8 +112,8 @@ static int read_config_dword(struct pci_bus *bus, unsigned int devfn, + * gives them time to settle + */ + if (where == PCI_VENDOR_ID) { +- if (ret == 0xffffffff || ret == 0x00000000 || +- ret == 0x0000ffff || ret == 0xffff0000) { ++ if (*val == 0xffffffff || *val == 0x00000000 || ++ *val == 0x0000ffff || *val == 0xffff0000) { + if (delay > 4) + return 0; + delay *= 2; +-- +2.43.0 + diff --git a/queue-6.9/net-lan743x-disable-wol-upon-resume-to-restore-full-.patch b/queue-6.9/net-lan743x-disable-wol-upon-resume-to-restore-full-.patch new file mode 100644 index 00000000000..f56e31dd7c1 --- /dev/null +++ b/queue-6.9/net-lan743x-disable-wol-upon-resume-to-restore-full-.patch @@ -0,0 +1,146 @@ +From 4b24aa167e75eb5062927c8c961e4ac6d651e0f0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Jun 2024 22:41:55 +0530 +Subject: net: lan743x: disable WOL upon resume to restore full data path + operation + +From: Raju Lakkaraju + +[ Upstream commit 7725363936a88351b71495774c1e0e852ae4cdca ] + +When Wake-on-LAN (WoL) is active and the system is in suspend mode, triggering +a system event can wake the system from sleep, which may block the data path. +To restore normal data path functionality after waking, disable all wake-up +events. Furthermore, clear all Write 1 to Clear (W1C) status bits by writing +1's to them. + +Fixes: 4d94282afd95 ("lan743x: Add power management support") +Reviewed-by: Wojciech Drewek +Signed-off-by: Raju Lakkaraju +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/microchip/lan743x_main.c | 30 ++++++++++++++++--- + drivers/net/ethernet/microchip/lan743x_main.h | 24 +++++++++++++++ + 2 files changed, 50 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/microchip/lan743x_main.c b/drivers/net/ethernet/microchip/lan743x_main.c +index 75a988c0bd794..b88d99239a183 100644 +--- a/drivers/net/ethernet/microchip/lan743x_main.c ++++ b/drivers/net/ethernet/microchip/lan743x_main.c +@@ -3568,7 +3568,7 @@ static void lan743x_pm_set_wol(struct lan743x_adapter *adapter) + + /* clear wake settings */ + pmtctl = lan743x_csr_read(adapter, PMT_CTL); +- pmtctl |= PMT_CTL_WUPS_MASK_; ++ pmtctl |= PMT_CTL_WUPS_MASK_ | PMT_CTL_RES_CLR_WKP_MASK_; + pmtctl &= ~(PMT_CTL_GPIO_WAKEUP_EN_ | PMT_CTL_EEE_WAKEUP_EN_ | + PMT_CTL_WOL_EN_ | PMT_CTL_MAC_D3_RX_CLK_OVR_ | + PMT_CTL_RX_FCT_RFE_D3_CLK_OVR_ | PMT_CTL_ETH_PHY_WAKE_EN_); +@@ -3703,6 +3703,7 @@ static int lan743x_pm_resume(struct device *dev) + struct pci_dev *pdev = to_pci_dev(dev); + struct net_device *netdev = pci_get_drvdata(pdev); + struct lan743x_adapter *adapter = netdev_priv(netdev); ++ u32 data; + int ret; + + pci_set_power_state(pdev, PCI_D0); +@@ -3721,6 +3722,30 @@ static int lan743x_pm_resume(struct device *dev) + return ret; + } + ++ ret = lan743x_csr_read(adapter, MAC_WK_SRC); ++ netif_dbg(adapter, drv, adapter->netdev, ++ "Wakeup source : 0x%08X\n", ret); ++ ++ /* Clear the wol configuration and status bits. Note that ++ * the status bits are "Write One to Clear (W1C)" ++ */ ++ data = MAC_WUCSR_EEE_TX_WAKE_ | MAC_WUCSR_EEE_RX_WAKE_ | ++ MAC_WUCSR_RFE_WAKE_FR_ | MAC_WUCSR_PFDA_FR_ | MAC_WUCSR_WUFR_ | ++ MAC_WUCSR_MPR_ | MAC_WUCSR_BCAST_FR_; ++ lan743x_csr_write(adapter, MAC_WUCSR, data); ++ ++ data = MAC_WUCSR2_NS_RCD_ | MAC_WUCSR2_ARP_RCD_ | ++ MAC_WUCSR2_IPV6_TCPSYN_RCD_ | MAC_WUCSR2_IPV4_TCPSYN_RCD_; ++ lan743x_csr_write(adapter, MAC_WUCSR2, data); ++ ++ data = MAC_WK_SRC_ETH_PHY_WK_ | MAC_WK_SRC_IPV6_TCPSYN_RCD_WK_ | ++ MAC_WK_SRC_IPV4_TCPSYN_RCD_WK_ | MAC_WK_SRC_EEE_TX_WK_ | ++ MAC_WK_SRC_EEE_RX_WK_ | MAC_WK_SRC_RFE_FR_WK_ | ++ MAC_WK_SRC_PFDA_FR_WK_ | MAC_WK_SRC_MP_FR_WK_ | ++ MAC_WK_SRC_BCAST_FR_WK_ | MAC_WK_SRC_WU_FR_WK_ | ++ MAC_WK_SRC_WK_FR_SAVED_; ++ lan743x_csr_write(adapter, MAC_WK_SRC, data); ++ + /* open netdev when netdev is at running state while resume. + * For instance, it is true when system wakesup after pm-suspend + * However, it is false when system wakes up after suspend GUI menu +@@ -3729,9 +3754,6 @@ static int lan743x_pm_resume(struct device *dev) + lan743x_netdev_open(netdev); + + netif_device_attach(netdev); +- ret = lan743x_csr_read(adapter, MAC_WK_SRC); +- netif_info(adapter, drv, adapter->netdev, +- "Wakeup source : 0x%08X\n", ret); + + return 0; + } +diff --git a/drivers/net/ethernet/microchip/lan743x_main.h b/drivers/net/ethernet/microchip/lan743x_main.h +index 645bc048e52ef..fac0f33d10b2e 100644 +--- a/drivers/net/ethernet/microchip/lan743x_main.h ++++ b/drivers/net/ethernet/microchip/lan743x_main.h +@@ -61,6 +61,7 @@ + #define PMT_CTL_RX_FCT_RFE_D3_CLK_OVR_ BIT(18) + #define PMT_CTL_GPIO_WAKEUP_EN_ BIT(15) + #define PMT_CTL_EEE_WAKEUP_EN_ BIT(13) ++#define PMT_CTL_RES_CLR_WKP_MASK_ GENMASK(9, 8) + #define PMT_CTL_READY_ BIT(7) + #define PMT_CTL_ETH_PHY_RST_ BIT(4) + #define PMT_CTL_WOL_EN_ BIT(3) +@@ -227,12 +228,31 @@ + #define MAC_WUCSR (0x140) + #define MAC_MP_SO_EN_ BIT(21) + #define MAC_WUCSR_RFE_WAKE_EN_ BIT(14) ++#define MAC_WUCSR_EEE_TX_WAKE_ BIT(13) ++#define MAC_WUCSR_EEE_RX_WAKE_ BIT(11) ++#define MAC_WUCSR_RFE_WAKE_FR_ BIT(9) ++#define MAC_WUCSR_PFDA_FR_ BIT(7) ++#define MAC_WUCSR_WUFR_ BIT(6) ++#define MAC_WUCSR_MPR_ BIT(5) ++#define MAC_WUCSR_BCAST_FR_ BIT(4) + #define MAC_WUCSR_PFDA_EN_ BIT(3) + #define MAC_WUCSR_WAKE_EN_ BIT(2) + #define MAC_WUCSR_MPEN_ BIT(1) + #define MAC_WUCSR_BCST_EN_ BIT(0) + + #define MAC_WK_SRC (0x144) ++#define MAC_WK_SRC_ETH_PHY_WK_ BIT(17) ++#define MAC_WK_SRC_IPV6_TCPSYN_RCD_WK_ BIT(16) ++#define MAC_WK_SRC_IPV4_TCPSYN_RCD_WK_ BIT(15) ++#define MAC_WK_SRC_EEE_TX_WK_ BIT(14) ++#define MAC_WK_SRC_EEE_RX_WK_ BIT(13) ++#define MAC_WK_SRC_RFE_FR_WK_ BIT(12) ++#define MAC_WK_SRC_PFDA_FR_WK_ BIT(11) ++#define MAC_WK_SRC_MP_FR_WK_ BIT(10) ++#define MAC_WK_SRC_BCAST_FR_WK_ BIT(9) ++#define MAC_WK_SRC_WU_FR_WK_ BIT(8) ++#define MAC_WK_SRC_WK_FR_SAVED_ BIT(7) ++ + #define MAC_MP_SO_HI (0x148) + #define MAC_MP_SO_LO (0x14C) + +@@ -295,6 +315,10 @@ + #define RFE_INDX(index) (0x580 + (index << 2)) + + #define MAC_WUCSR2 (0x600) ++#define MAC_WUCSR2_NS_RCD_ BIT(7) ++#define MAC_WUCSR2_ARP_RCD_ BIT(6) ++#define MAC_WUCSR2_IPV6_TCPSYN_RCD_ BIT(5) ++#define MAC_WUCSR2_IPV4_TCPSYN_RCD_ BIT(4) + + #define SGMII_ACC (0x720) + #define SGMII_ACC_SGMII_BZY_ BIT(31) +-- +2.43.0 + diff --git a/queue-6.9/net-lan743x-support-wol-at-both-the-phy-and-mac-appr.patch b/queue-6.9/net-lan743x-support-wol-at-both-the-phy-and-mac-appr.patch new file mode 100644 index 00000000000..77ff170001e --- /dev/null +++ b/queue-6.9/net-lan743x-support-wol-at-both-the-phy-and-mac-appr.patch @@ -0,0 +1,165 @@ +From 2ae1017cc8c099d68dc732d4fede23914580f8d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Jun 2024 22:41:56 +0530 +Subject: net: lan743x: Support WOL at both the PHY and MAC appropriately + +From: Raju Lakkaraju + +[ Upstream commit 8c248cd836014339498486f14f435c0e344183a7 ] + +Prevent options not supported by the PHY from being requested to it by the MAC +Whenever a WOL option is supported by both, the PHY is given priority +since that usually leads to better power savings. + +Fixes: e9e13b6adc33 ("lan743x: fix for potential NULL pointer dereference with bare card") +Reviewed-by: Wojciech Drewek +Signed-off-by: Raju Lakkaraju +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + .../net/ethernet/microchip/lan743x_ethtool.c | 44 +++++++++++++++++-- + drivers/net/ethernet/microchip/lan743x_main.c | 18 ++++++-- + drivers/net/ethernet/microchip/lan743x_main.h | 4 ++ + 3 files changed, 58 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/ethernet/microchip/lan743x_ethtool.c b/drivers/net/ethernet/microchip/lan743x_ethtool.c +index 8a6ae171e375b..def932035cba4 100644 +--- a/drivers/net/ethernet/microchip/lan743x_ethtool.c ++++ b/drivers/net/ethernet/microchip/lan743x_ethtool.c +@@ -1148,8 +1148,12 @@ static void lan743x_ethtool_get_wol(struct net_device *netdev, + if (netdev->phydev) + phy_ethtool_get_wol(netdev->phydev, wol); + +- wol->supported |= WAKE_BCAST | WAKE_UCAST | WAKE_MCAST | +- WAKE_MAGIC | WAKE_PHY | WAKE_ARP; ++ if (wol->supported != adapter->phy_wol_supported) ++ netif_warn(adapter, drv, adapter->netdev, ++ "PHY changed its supported WOL! old=%x, new=%x\n", ++ adapter->phy_wol_supported, wol->supported); ++ ++ wol->supported |= MAC_SUPPORTED_WAKES; + + if (adapter->is_pci11x1x) + wol->supported |= WAKE_MAGICSECURE; +@@ -1164,7 +1168,39 @@ static int lan743x_ethtool_set_wol(struct net_device *netdev, + { + struct lan743x_adapter *adapter = netdev_priv(netdev); + ++ /* WAKE_MAGICSEGURE is a modifier of and only valid together with ++ * WAKE_MAGIC ++ */ ++ if ((wol->wolopts & WAKE_MAGICSECURE) && !(wol->wolopts & WAKE_MAGIC)) ++ return -EINVAL; ++ ++ if (netdev->phydev) { ++ struct ethtool_wolinfo phy_wol; ++ int ret; ++ ++ phy_wol.wolopts = wol->wolopts & adapter->phy_wol_supported; ++ ++ /* If WAKE_MAGICSECURE was requested, filter out WAKE_MAGIC ++ * for PHYs that do not support WAKE_MAGICSECURE ++ */ ++ if (wol->wolopts & WAKE_MAGICSECURE && ++ !(adapter->phy_wol_supported & WAKE_MAGICSECURE)) ++ phy_wol.wolopts &= ~WAKE_MAGIC; ++ ++ ret = phy_ethtool_set_wol(netdev->phydev, &phy_wol); ++ if (ret && (ret != -EOPNOTSUPP)) ++ return ret; ++ ++ if (ret == -EOPNOTSUPP) ++ adapter->phy_wolopts = 0; ++ else ++ adapter->phy_wolopts = phy_wol.wolopts; ++ } else { ++ adapter->phy_wolopts = 0; ++ } ++ + adapter->wolopts = 0; ++ wol->wolopts &= ~adapter->phy_wolopts; + if (wol->wolopts & WAKE_UCAST) + adapter->wolopts |= WAKE_UCAST; + if (wol->wolopts & WAKE_MCAST) +@@ -1185,10 +1221,10 @@ static int lan743x_ethtool_set_wol(struct net_device *netdev, + memset(adapter->sopass, 0, sizeof(u8) * SOPASS_MAX); + } + ++ wol->wolopts = adapter->wolopts | adapter->phy_wolopts; + device_set_wakeup_enable(&adapter->pdev->dev, (bool)wol->wolopts); + +- return netdev->phydev ? phy_ethtool_set_wol(netdev->phydev, wol) +- : -ENETDOWN; ++ return 0; + } + #endif /* CONFIG_PM */ + +diff --git a/drivers/net/ethernet/microchip/lan743x_main.c b/drivers/net/ethernet/microchip/lan743x_main.c +index b88d99239a183..ecde3582e3dee 100644 +--- a/drivers/net/ethernet/microchip/lan743x_main.c ++++ b/drivers/net/ethernet/microchip/lan743x_main.c +@@ -3111,6 +3111,17 @@ static int lan743x_netdev_open(struct net_device *netdev) + if (ret) + goto close_tx; + } ++ ++#ifdef CONFIG_PM ++ if (adapter->netdev->phydev) { ++ struct ethtool_wolinfo wol = { .cmd = ETHTOOL_GWOL }; ++ ++ phy_ethtool_get_wol(netdev->phydev, &wol); ++ adapter->phy_wol_supported = wol.supported; ++ adapter->phy_wolopts = wol.wolopts; ++ } ++#endif ++ + return 0; + + close_tx: +@@ -3580,10 +3591,9 @@ static void lan743x_pm_set_wol(struct lan743x_adapter *adapter) + + pmtctl |= PMT_CTL_ETH_PHY_D3_COLD_OVR_ | PMT_CTL_ETH_PHY_D3_OVR_; + +- if (adapter->wolopts & WAKE_PHY) { +- pmtctl |= PMT_CTL_ETH_PHY_EDPD_PLL_CTL_; ++ if (adapter->phy_wolopts) + pmtctl |= PMT_CTL_ETH_PHY_WAKE_EN_; +- } ++ + if (adapter->wolopts & WAKE_MAGIC) { + wucsr |= MAC_WUCSR_MPEN_; + macrx |= MAC_RX_RXEN_; +@@ -3679,7 +3689,7 @@ static int lan743x_pm_suspend(struct device *dev) + lan743x_csr_write(adapter, MAC_WUCSR2, 0); + lan743x_csr_write(adapter, MAC_WK_SRC, 0xFFFFFFFF); + +- if (adapter->wolopts) ++ if (adapter->wolopts || adapter->phy_wolopts) + lan743x_pm_set_wol(adapter); + + if (adapter->is_pci11x1x) { +diff --git a/drivers/net/ethernet/microchip/lan743x_main.h b/drivers/net/ethernet/microchip/lan743x_main.h +index fac0f33d10b2e..3b2585a384e2c 100644 +--- a/drivers/net/ethernet/microchip/lan743x_main.h ++++ b/drivers/net/ethernet/microchip/lan743x_main.h +@@ -1042,6 +1042,8 @@ enum lan743x_sgmii_lsd { + LINK_2500_SLAVE + }; + ++#define MAC_SUPPORTED_WAKES (WAKE_BCAST | WAKE_UCAST | WAKE_MCAST | \ ++ WAKE_MAGIC | WAKE_ARP) + struct lan743x_adapter { + struct net_device *netdev; + struct mii_bus *mdiobus; +@@ -1049,6 +1051,8 @@ struct lan743x_adapter { + #ifdef CONFIG_PM + u32 wolopts; + u8 sopass[SOPASS_MAX]; ++ u32 phy_wolopts; ++ u32 phy_wol_supported; + #endif + struct pci_dev *pdev; + struct lan743x_csr csr; +-- +2.43.0 + diff --git a/queue-6.9/net-mvpp2-use-slab_build_skb-for-oversized-frames.patch b/queue-6.9/net-mvpp2-use-slab_build_skb-for-oversized-frames.patch new file mode 100644 index 00000000000..3329e4b984f --- /dev/null +++ b/queue-6.9/net-mvpp2-use-slab_build_skb-for-oversized-frames.patch @@ -0,0 +1,41 @@ +From 40d8fdb7119c652bb4f3379a884ce8a14f26313f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Jun 2024 14:49:00 +1200 +Subject: net: mvpp2: use slab_build_skb for oversized frames + +From: Aryan Srivastava + +[ Upstream commit 4467c09bc7a66a17ffd84d6262d48279b26106ea ] + +Setting frag_size to 0 to indicate kmalloc has been deprecated, +use slab_build_skb directly. + +Fixes: ce098da1497c ("skbuff: Introduce slab_build_skb()") +Signed-off-by: Aryan Srivastava +Reviewed-by: Kees Cook +Link: https://lore.kernel.org/r/20240613024900.3842238-1-aryan.srivastava@alliedtelesis.co.nz +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c +index 23adf53c2aa1c..cebc79a710ec2 100644 +--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c ++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c +@@ -4013,7 +4013,10 @@ static int mvpp2_rx(struct mvpp2_port *port, struct napi_struct *napi, + } + } + +- skb = build_skb(data, frag_size); ++ if (frag_size) ++ skb = build_skb(data, frag_size); ++ else ++ skb = slab_build_skb(data); + if (!skb) { + netdev_warn(port->dev, "skb build failed\n"); + goto err_drop_frame; +-- +2.43.0 + diff --git a/queue-6.9/net-phy-mxl-gpy-remove-interrupt-mask-clearing-from-.patch b/queue-6.9/net-phy-mxl-gpy-remove-interrupt-mask-clearing-from-.patch new file mode 100644 index 00000000000..b16d4f9a0a1 --- /dev/null +++ b/queue-6.9/net-phy-mxl-gpy-remove-interrupt-mask-clearing-from-.patch @@ -0,0 +1,161 @@ +From 2018d0761fcc206f8bc23776d5fff557b90fadcf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Jun 2024 22:41:57 +0530 +Subject: net: phy: mxl-gpy: Remove interrupt mask clearing from config_init + +From: Raju Lakkaraju + +[ Upstream commit c44d3ffd85db03ebcc3090e55589e10d5af9f3a9 ] + +When the system resumes from sleep, the phy_init_hw() function invokes +config_init(), which clears all interrupt masks and causes wake events to be +lost in subsequent wake sequences. Remove interrupt mask clearing from +config_init() and preserve relevant masks in config_intr(). + +Fixes: 7d901a1e878a ("net: phy: add Maxlinear GPY115/21x/24x driver") +Reviewed-by: Wojciech Drewek +Signed-off-by: Raju Lakkaraju +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/phy/mxl-gpy.c | 58 +++++++++++++++++++++++++-------------- + 1 file changed, 38 insertions(+), 20 deletions(-) + +diff --git a/drivers/net/phy/mxl-gpy.c b/drivers/net/phy/mxl-gpy.c +index b2d36a3a96f1e..e5f8ac4b4604b 100644 +--- a/drivers/net/phy/mxl-gpy.c ++++ b/drivers/net/phy/mxl-gpy.c +@@ -107,6 +107,7 @@ struct gpy_priv { + + u8 fw_major; + u8 fw_minor; ++ u32 wolopts; + + /* It takes 3 seconds to fully switch out of loopback mode before + * it can safely re-enter loopback mode. Record the time when +@@ -221,6 +222,15 @@ static int gpy_hwmon_register(struct phy_device *phydev) + } + #endif + ++static int gpy_ack_interrupt(struct phy_device *phydev) ++{ ++ int ret; ++ ++ /* Clear all pending interrupts */ ++ ret = phy_read(phydev, PHY_ISTAT); ++ return ret < 0 ? ret : 0; ++} ++ + static int gpy_mbox_read(struct phy_device *phydev, u32 addr) + { + struct gpy_priv *priv = phydev->priv; +@@ -262,16 +272,8 @@ static int gpy_mbox_read(struct phy_device *phydev, u32 addr) + + static int gpy_config_init(struct phy_device *phydev) + { +- int ret; +- +- /* Mask all interrupts */ +- ret = phy_write(phydev, PHY_IMASK, 0); +- if (ret) +- return ret; +- +- /* Clear all pending interrupts */ +- ret = phy_read(phydev, PHY_ISTAT); +- return ret < 0 ? ret : 0; ++ /* Nothing to configure. Configuration Requirement Placeholder */ ++ return 0; + } + + static int gpy21x_config_init(struct phy_device *phydev) +@@ -627,11 +629,23 @@ static int gpy_read_status(struct phy_device *phydev) + + static int gpy_config_intr(struct phy_device *phydev) + { ++ struct gpy_priv *priv = phydev->priv; + u16 mask = 0; ++ int ret; ++ ++ ret = gpy_ack_interrupt(phydev); ++ if (ret) ++ return ret; + + if (phydev->interrupts == PHY_INTERRUPT_ENABLED) + mask = PHY_IMASK_MASK; + ++ if (priv->wolopts & WAKE_MAGIC) ++ mask |= PHY_IMASK_WOL; ++ ++ if (priv->wolopts & WAKE_PHY) ++ mask |= PHY_IMASK_LSTC; ++ + return phy_write(phydev, PHY_IMASK, mask); + } + +@@ -678,6 +692,7 @@ static int gpy_set_wol(struct phy_device *phydev, + struct ethtool_wolinfo *wol) + { + struct net_device *attach_dev = phydev->attached_dev; ++ struct gpy_priv *priv = phydev->priv; + int ret; + + if (wol->wolopts & WAKE_MAGIC) { +@@ -725,6 +740,8 @@ static int gpy_set_wol(struct phy_device *phydev, + ret = phy_read(phydev, PHY_ISTAT); + if (ret < 0) + return ret; ++ ++ priv->wolopts |= WAKE_MAGIC; + } else { + /* Disable magic packet matching */ + ret = phy_clear_bits_mmd(phydev, MDIO_MMD_VEND2, +@@ -732,6 +749,13 @@ static int gpy_set_wol(struct phy_device *phydev, + WOL_EN); + if (ret < 0) + return ret; ++ ++ /* Disable the WOL interrupt */ ++ ret = phy_clear_bits(phydev, PHY_IMASK, PHY_IMASK_WOL); ++ if (ret < 0) ++ return ret; ++ ++ priv->wolopts &= ~WAKE_MAGIC; + } + + if (wol->wolopts & WAKE_PHY) { +@@ -748,9 +772,11 @@ static int gpy_set_wol(struct phy_device *phydev, + if (ret & (PHY_IMASK_MASK & ~PHY_IMASK_LSTC)) + phy_trigger_machine(phydev); + ++ priv->wolopts |= WAKE_PHY; + return 0; + } + ++ priv->wolopts &= ~WAKE_PHY; + /* Disable the link state change interrupt */ + return phy_clear_bits(phydev, PHY_IMASK, PHY_IMASK_LSTC); + } +@@ -758,18 +784,10 @@ static int gpy_set_wol(struct phy_device *phydev, + static void gpy_get_wol(struct phy_device *phydev, + struct ethtool_wolinfo *wol) + { +- int ret; ++ struct gpy_priv *priv = phydev->priv; + + wol->supported = WAKE_MAGIC | WAKE_PHY; +- wol->wolopts = 0; +- +- ret = phy_read_mmd(phydev, MDIO_MMD_VEND2, VPSPEC2_WOL_CTL); +- if (ret & WOL_EN) +- wol->wolopts |= WAKE_MAGIC; +- +- ret = phy_read(phydev, PHY_IMASK); +- if (ret & PHY_IMASK_LSTC) +- wol->wolopts |= WAKE_PHY; ++ wol->wolopts = priv->wolopts; + } + + static int gpy_loopback(struct phy_device *phydev, bool enable) +-- +2.43.0 + diff --git a/queue-6.9/net-sched-act_api-fix-possible-infinite-loop-in-tcf_.patch b/queue-6.9/net-sched-act_api-fix-possible-infinite-loop-in-tcf_.patch new file mode 100644 index 00000000000..d1b875518ef --- /dev/null +++ b/queue-6.9/net-sched-act_api-fix-possible-infinite-loop-in-tcf_.patch @@ -0,0 +1,77 @@ +From b08452fe569a379468dd7c1a5d2034c55b45ea08 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Jun 2024 19:03:26 +0000 +Subject: net/sched: act_api: fix possible infinite loop in + tcf_idr_check_alloc() + +From: David Ruth + +[ Upstream commit d864319871b05fadd153e0aede4811ca7008f5d6 ] + +syzbot found hanging tasks waiting on rtnl_lock [1] + +A reproducer is available in the syzbot bug. + +When a request to add multiple actions with the same index is sent, the +second request will block forever on the first request. This holds +rtnl_lock, and causes tasks to hang. + +Return -EAGAIN to prevent infinite looping, while keeping documented +behavior. + +[1] + +INFO: task kworker/1:0:5088 blocked for more than 143 seconds. +Not tainted 6.9.0-rc4-syzkaller-00173-g3cdb45594619 #0 +"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. +task:kworker/1:0 state:D stack:23744 pid:5088 tgid:5088 ppid:2 flags:0x00004000 +Workqueue: events_power_efficient reg_check_chans_work +Call Trace: + +context_switch kernel/sched/core.c:5409 [inline] +__schedule+0xf15/0x5d00 kernel/sched/core.c:6746 +__schedule_loop kernel/sched/core.c:6823 [inline] +schedule+0xe7/0x350 kernel/sched/core.c:6838 +schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6895 +__mutex_lock_common kernel/locking/mutex.c:684 [inline] +__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752 +wiphy_lock include/net/cfg80211.h:5953 [inline] +reg_leave_invalid_chans net/wireless/reg.c:2466 [inline] +reg_check_chans_work+0x10a/0x10e0 net/wireless/reg.c:2481 + +Fixes: 0190c1d452a9 ("net: sched: atomically check-allocate action") +Reported-by: syzbot+b87c222546179f4513a7@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=b87c222546179f4513a7 +Signed-off-by: David Ruth +Reviewed-by: Jamal Hadi Salim +Link: https://lore.kernel.org/r/20240614190326.1349786-1-druth@chromium.org +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/sched/act_api.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/net/sched/act_api.c b/net/sched/act_api.c +index 9ee622fb1160f..2520708b06a12 100644 +--- a/net/sched/act_api.c ++++ b/net/sched/act_api.c +@@ -830,7 +830,6 @@ int tcf_idr_check_alloc(struct tc_action_net *tn, u32 *index, + u32 max; + + if (*index) { +-again: + rcu_read_lock(); + p = idr_find(&idrinfo->action_idr, *index); + +@@ -839,7 +838,7 @@ int tcf_idr_check_alloc(struct tc_action_net *tn, u32 *index, + * index but did not assign the pointer yet. + */ + rcu_read_unlock(); +- goto again; ++ return -EAGAIN; + } + + if (!p) { +-- +2.43.0 + diff --git a/queue-6.9/net-stmmac-no-need-to-calculate-speed-divider-when-o.patch b/queue-6.9/net-stmmac-no-need-to-calculate-speed-divider-when-o.patch new file mode 100644 index 00000000000..03573d898e0 --- /dev/null +++ b/queue-6.9/net-stmmac-no-need-to-calculate-speed-divider-when-o.patch @@ -0,0 +1,80 @@ +From 880d9ef96cbe0853dcfd147a2b6229c080683eba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jun 2024 09:39:22 +0800 +Subject: net: stmmac: No need to calculate speed divider when offload is + disabled + +From: Xiaolei Wang + +[ Upstream commit b8c43360f6e424131fa81d3ba8792ad8ff25a09e ] + +commit be27b8965297 ("net: stmmac: replace priv->speed with +the portTransmitRate from the tc-cbs parameters") introduced +a problem. When deleting, it prompts "Invalid portTransmitRate +0 (idleSlope - sendSlope)" and exits. Add judgment on cbs.enable. +Only when offload is enabled, speed divider needs to be calculated. + +Fixes: be27b8965297 ("net: stmmac: replace priv->speed with the portTransmitRate from the tc-cbs parameters") +Signed-off-by: Xiaolei Wang +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20240617013922.1035854-1-xiaolei.wang@windriver.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/stmicro/stmmac/stmmac_tc.c | 40 ++++++++++--------- + 1 file changed, 22 insertions(+), 18 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c +index b1896379dbab5..7d240a2b54a85 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c +@@ -358,24 +358,28 @@ static int tc_setup_cbs(struct stmmac_priv *priv, + + port_transmit_rate_kbps = qopt->idleslope - qopt->sendslope; + +- /* Port Transmit Rate and Speed Divider */ +- switch (div_s64(port_transmit_rate_kbps, 1000)) { +- case SPEED_10000: +- case SPEED_5000: +- ptr = 32; +- break; +- case SPEED_2500: +- case SPEED_1000: +- ptr = 8; +- break; +- case SPEED_100: +- ptr = 4; +- break; +- default: +- netdev_err(priv->dev, +- "Invalid portTransmitRate %lld (idleSlope - sendSlope)\n", +- port_transmit_rate_kbps); +- return -EINVAL; ++ if (qopt->enable) { ++ /* Port Transmit Rate and Speed Divider */ ++ switch (div_s64(port_transmit_rate_kbps, 1000)) { ++ case SPEED_10000: ++ case SPEED_5000: ++ ptr = 32; ++ break; ++ case SPEED_2500: ++ case SPEED_1000: ++ ptr = 8; ++ break; ++ case SPEED_100: ++ ptr = 4; ++ break; ++ default: ++ netdev_err(priv->dev, ++ "Invalid portTransmitRate %lld (idleSlope - sendSlope)\n", ++ port_transmit_rate_kbps); ++ return -EINVAL; ++ } ++ } else { ++ ptr = 0; + } + + mode_to_use = priv->plat->tx_queues_cfg[queue].mode_to_use; +-- +2.43.0 + diff --git a/queue-6.9/net-usb-rtl8150-fix-unintiatilzed-variables-in-rtl81.patch b/queue-6.9/net-usb-rtl8150-fix-unintiatilzed-variables-in-rtl81.patch new file mode 100644 index 00000000000..70fa404d234 --- /dev/null +++ b/queue-6.9/net-usb-rtl8150-fix-unintiatilzed-variables-in-rtl81.patch @@ -0,0 +1,41 @@ +From a951d95224df2a637c549ecda80809c420f3f3e4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jun 2024 15:28:03 +0200 +Subject: net: usb: rtl8150 fix unintiatilzed variables in + rtl8150_get_link_ksettings + +From: Oliver Neukum + +[ Upstream commit fba383985354e83474f95f36d7c65feb75dba19d ] + +This functions retrieves values by passing a pointer. As the function +that retrieves them can fail before touching the pointers, the variables +must be initialized. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzbot+5186630949e3c55f0799@syzkaller.appspotmail.com +Signed-off-by: Oliver Neukum +Link: https://lore.kernel.org/r/20240619132816.11526-1-oneukum@suse.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/usb/rtl8150.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/usb/rtl8150.c b/drivers/net/usb/rtl8150.c +index 97afd7335d868..01a3b2417a540 100644 +--- a/drivers/net/usb/rtl8150.c ++++ b/drivers/net/usb/rtl8150.c +@@ -778,7 +778,8 @@ static int rtl8150_get_link_ksettings(struct net_device *netdev, + struct ethtool_link_ksettings *ecmd) + { + rtl8150_t *dev = netdev_priv(netdev); +- short lpa, bmcr; ++ short lpa = 0; ++ short bmcr = 0; + u32 supported; + + supported = (SUPPORTED_10baseT_Half | +-- +2.43.0 + diff --git a/queue-6.9/netdev-genl-fix-error-codes-when-outputting-xdp-feat.patch b/queue-6.9/netdev-genl-fix-error-codes-when-outputting-xdp-feat.patch new file mode 100644 index 00000000000..936ed4cb88c --- /dev/null +++ b/queue-6.9/netdev-genl-fix-error-codes-when-outputting-xdp-feat.patch @@ -0,0 +1,69 @@ +From 67135431db0fd1835ea4a9614ca865813cea7658 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Jun 2024 14:30:44 -0700 +Subject: netdev-genl: fix error codes when outputting XDP features + +From: Jakub Kicinski + +[ Upstream commit 7ed352d34f1a09a7659c53de07785115587499fe ] + +-EINVAL will interrupt the dump. The correct error to return +if we have more data to dump is -EMSGSIZE. + +Discovered by doing: + + for i in `seq 80`; do ip link add type veth; done + ./cli.py --dbg-small-recv 5300 --spec netdev.yaml --dump dev-get >> /dev/null + [...] + nl_len = 64 (48) nl_flags = 0x0 nl_type = 19 + nl_len = 20 (4) nl_flags = 0x2 nl_type = 3 + error: -22 + +Fixes: d3d854fd6a1d ("netdev-genl: create a simple family for netdev stuff") +Reviewed-by: Amritha Nambiar +Reviewed-by: Eric Dumazet +Link: https://lore.kernel.org/r/20240613213044.3675745-1-kuba@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/netdev-genl.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/net/core/netdev-genl.c b/net/core/netdev-genl.c +index 7004b3399c2b0..8c2d5a0bc208e 100644 +--- a/net/core/netdev-genl.c ++++ b/net/core/netdev-genl.c +@@ -59,22 +59,22 @@ XDP_METADATA_KFUNC_xxx + nla_put_u64_64bit(rsp, NETDEV_A_DEV_XDP_RX_METADATA_FEATURES, + xdp_rx_meta, NETDEV_A_DEV_PAD) || + nla_put_u64_64bit(rsp, NETDEV_A_DEV_XSK_FEATURES, +- xsk_features, NETDEV_A_DEV_PAD)) { +- genlmsg_cancel(rsp, hdr); +- return -EINVAL; +- } ++ xsk_features, NETDEV_A_DEV_PAD)) ++ goto err_cancel_msg; + + if (netdev->xdp_features & NETDEV_XDP_ACT_XSK_ZEROCOPY) { + if (nla_put_u32(rsp, NETDEV_A_DEV_XDP_ZC_MAX_SEGS, +- netdev->xdp_zc_max_segs)) { +- genlmsg_cancel(rsp, hdr); +- return -EINVAL; +- } ++ netdev->xdp_zc_max_segs)) ++ goto err_cancel_msg; + } + + genlmsg_end(rsp, hdr); + + return 0; ++ ++err_cancel_msg: ++ genlmsg_cancel(rsp, hdr); ++ return -EMSGSIZE; + } + + static void +-- +2.43.0 + diff --git a/queue-6.9/netfilter-ipset-fix-suspicious-rcu_dereference_prote.patch b/queue-6.9/netfilter-ipset-fix-suspicious-rcu_dereference_prote.patch new file mode 100644 index 00000000000..bb438bf387a --- /dev/null +++ b/queue-6.9/netfilter-ipset-fix-suspicious-rcu_dereference_prote.patch @@ -0,0 +1,61 @@ +From 0226dfa53edc90463c1b0d50167da948c88025ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jun 2024 11:18:15 +0200 +Subject: netfilter: ipset: Fix suspicious rcu_dereference_protected() + +From: Jozsef Kadlecsik + +[ Upstream commit 8ecd06277a7664f4ef018abae3abd3451d64e7a6 ] + +When destroying all sets, we are either in pernet exit phase or +are executing a "destroy all sets command" from userspace. The latter +was taken into account in ip_set_dereference() (nfnetlink mutex is held), +but the former was not. The patch adds the required check to +rcu_dereference_protected() in ip_set_dereference(). + +Fixes: 4e7aaa6b82d6 ("netfilter: ipset: Fix race between namespace cleanup and gc in the list:set type") +Reported-by: syzbot+b62c37cdd58103293a5a@syzkaller.appspotmail.com +Reported-by: syzbot+cfbe1da5fdfc39efc293@syzkaller.appspotmail.com +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-lkp/202406141556.e0b6f17e-lkp@intel.com +Signed-off-by: Jozsef Kadlecsik +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/ipset/ip_set_core.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c +index c7ae4d9bf3d24..61431690cbd5f 100644 +--- a/net/netfilter/ipset/ip_set_core.c ++++ b/net/netfilter/ipset/ip_set_core.c +@@ -53,12 +53,13 @@ MODULE_DESCRIPTION("core IP set support"); + MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_IPSET); + + /* When the nfnl mutex or ip_set_ref_lock is held: */ +-#define ip_set_dereference(p) \ +- rcu_dereference_protected(p, \ ++#define ip_set_dereference(inst) \ ++ rcu_dereference_protected((inst)->ip_set_list, \ + lockdep_nfnl_is_held(NFNL_SUBSYS_IPSET) || \ +- lockdep_is_held(&ip_set_ref_lock)) ++ lockdep_is_held(&ip_set_ref_lock) || \ ++ (inst)->is_deleted) + #define ip_set(inst, id) \ +- ip_set_dereference((inst)->ip_set_list)[id] ++ ip_set_dereference(inst)[id] + #define ip_set_ref_netlink(inst,id) \ + rcu_dereference_raw((inst)->ip_set_list)[id] + #define ip_set_dereference_nfnl(p) \ +@@ -1133,7 +1134,7 @@ static int ip_set_create(struct sk_buff *skb, const struct nfnl_info *info, + if (!list) + goto cleanup; + /* nfnl mutex is held, both lists are valid */ +- tmp = ip_set_dereference(inst->ip_set_list); ++ tmp = ip_set_dereference(inst); + memcpy(list, tmp, sizeof(struct ip_set *) * inst->ip_set_max); + rcu_assign_pointer(inst->ip_set_list, list); + /* Make sure all current packets have passed through */ +-- +2.43.0 + diff --git a/queue-6.9/netfilter-move-the-sysctl-nf_hooks_lwtunnel-into-the.patch b/queue-6.9/netfilter-move-the-sysctl-nf_hooks_lwtunnel-into-the.patch new file mode 100644 index 00000000000..c5c02df147f --- /dev/null +++ b/queue-6.9/netfilter-move-the-sysctl-nf_hooks_lwtunnel-into-the.patch @@ -0,0 +1,213 @@ +From 7d156fafae2bba9b0407d0916461bd6721f88505 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Jun 2024 17:42:47 +0800 +Subject: netfilter: move the sysctl nf_hooks_lwtunnel into the netfilter core + +From: Jianguo Wu + +[ Upstream commit a2225e0250c5fa397dcebf6ce65a9f05a114e0cf ] + +Currently, the sysctl net.netfilter.nf_hooks_lwtunnel depends on the +nf_conntrack module, but the nf_conntrack module is not always loaded. +Therefore, accessing net.netfilter.nf_hooks_lwtunnel may have an error. + +Move sysctl nf_hooks_lwtunnel into the netfilter core. + +Fixes: 7a3f5b0de364 ("netfilter: add netfilter hooks to SRv6 data plane") +Suggested-by: Pablo Neira Ayuso +Signed-off-by: Jianguo Wu +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/net/netns/netfilter.h | 3 ++ + net/netfilter/core.c | 13 ++++- + net/netfilter/nf_conntrack_standalone.c | 15 ------ + net/netfilter/nf_hooks_lwtunnel.c | 67 +++++++++++++++++++++++++ + net/netfilter/nf_internals.h | 6 +++ + 5 files changed, 87 insertions(+), 17 deletions(-) + +diff --git a/include/net/netns/netfilter.h b/include/net/netns/netfilter.h +index 02bbdc577f8e2..a6a0bf4a247e5 100644 +--- a/include/net/netns/netfilter.h ++++ b/include/net/netns/netfilter.h +@@ -15,6 +15,9 @@ struct netns_nf { + const struct nf_logger __rcu *nf_loggers[NFPROTO_NUMPROTO]; + #ifdef CONFIG_SYSCTL + struct ctl_table_header *nf_log_dir_header; ++#ifdef CONFIG_LWTUNNEL ++ struct ctl_table_header *nf_lwtnl_dir_header; ++#endif + #endif + struct nf_hook_entries __rcu *hooks_ipv4[NF_INET_NUMHOOKS]; + struct nf_hook_entries __rcu *hooks_ipv6[NF_INET_NUMHOOKS]; +diff --git a/net/netfilter/core.c b/net/netfilter/core.c +index 3126911f50425..b00fc285b3349 100644 +--- a/net/netfilter/core.c ++++ b/net/netfilter/core.c +@@ -815,12 +815,21 @@ int __init netfilter_init(void) + if (ret < 0) + goto err; + ++#ifdef CONFIG_LWTUNNEL ++ ret = netfilter_lwtunnel_init(); ++ if (ret < 0) ++ goto err_lwtunnel_pernet; ++#endif + ret = netfilter_log_init(); + if (ret < 0) +- goto err_pernet; ++ goto err_log_pernet; + + return 0; +-err_pernet: ++err_log_pernet: ++#ifdef CONFIG_LWTUNNEL ++ netfilter_lwtunnel_fini(); ++err_lwtunnel_pernet: ++#endif + unregister_pernet_subsys(&netfilter_net_ops); + err: + return ret; +diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c +index 2f226cfb32d04..f713df823daaf 100644 +--- a/net/netfilter/nf_conntrack_standalone.c ++++ b/net/netfilter/nf_conntrack_standalone.c +@@ -22,9 +22,6 @@ + #include + #include + #include +-#ifdef CONFIG_LWTUNNEL +-#include +-#endif + #include + + static bool enable_hooks __read_mostly; +@@ -612,9 +609,6 @@ enum nf_ct_sysctl_index { + NF_SYSCTL_CT_PROTO_TIMEOUT_GRE, + NF_SYSCTL_CT_PROTO_TIMEOUT_GRE_STREAM, + #endif +-#ifdef CONFIG_LWTUNNEL +- NF_SYSCTL_CT_LWTUNNEL, +-#endif + + NF_SYSCTL_CT_LAST_SYSCTL, + }; +@@ -946,15 +940,6 @@ static struct ctl_table nf_ct_sysctl_table[] = { + .proc_handler = proc_dointvec_jiffies, + }, + #endif +-#ifdef CONFIG_LWTUNNEL +- [NF_SYSCTL_CT_LWTUNNEL] = { +- .procname = "nf_hooks_lwtunnel", +- .data = NULL, +- .maxlen = sizeof(int), +- .mode = 0644, +- .proc_handler = nf_hooks_lwtunnel_sysctl_handler, +- }, +-#endif + }; + + static struct ctl_table nf_ct_netfilter_table[] = { +diff --git a/net/netfilter/nf_hooks_lwtunnel.c b/net/netfilter/nf_hooks_lwtunnel.c +index 00e89ffd78f69..7cdb59bb4459f 100644 +--- a/net/netfilter/nf_hooks_lwtunnel.c ++++ b/net/netfilter/nf_hooks_lwtunnel.c +@@ -3,6 +3,9 @@ + #include + #include + #include ++#include ++ ++#include "nf_internals.h" + + static inline int nf_hooks_lwtunnel_get(void) + { +@@ -50,4 +53,68 @@ int nf_hooks_lwtunnel_sysctl_handler(struct ctl_table *table, int write, + return ret; + } + EXPORT_SYMBOL_GPL(nf_hooks_lwtunnel_sysctl_handler); ++ ++static struct ctl_table nf_lwtunnel_sysctl_table[] = { ++ { ++ .procname = "nf_hooks_lwtunnel", ++ .data = NULL, ++ .maxlen = sizeof(int), ++ .mode = 0644, ++ .proc_handler = nf_hooks_lwtunnel_sysctl_handler, ++ }, ++}; ++ ++static int __net_init nf_lwtunnel_net_init(struct net *net) ++{ ++ struct ctl_table_header *hdr; ++ struct ctl_table *table; ++ ++ table = nf_lwtunnel_sysctl_table; ++ if (!net_eq(net, &init_net)) { ++ table = kmemdup(nf_lwtunnel_sysctl_table, ++ sizeof(nf_lwtunnel_sysctl_table), ++ GFP_KERNEL); ++ if (!table) ++ goto err_alloc; ++ } ++ ++ hdr = register_net_sysctl_sz(net, "net/netfilter", table, ++ ARRAY_SIZE(nf_lwtunnel_sysctl_table)); ++ if (!hdr) ++ goto err_reg; ++ ++ net->nf.nf_lwtnl_dir_header = hdr; ++ ++ return 0; ++err_reg: ++ if (!net_eq(net, &init_net)) ++ kfree(table); ++err_alloc: ++ return -ENOMEM; ++} ++ ++static void __net_exit nf_lwtunnel_net_exit(struct net *net) ++{ ++ const struct ctl_table *table; ++ ++ table = net->nf.nf_lwtnl_dir_header->ctl_table_arg; ++ unregister_net_sysctl_table(net->nf.nf_lwtnl_dir_header); ++ if (!net_eq(net, &init_net)) ++ kfree(table); ++} ++ ++static struct pernet_operations nf_lwtunnel_net_ops = { ++ .init = nf_lwtunnel_net_init, ++ .exit = nf_lwtunnel_net_exit, ++}; ++ ++int __init netfilter_lwtunnel_init(void) ++{ ++ return register_pernet_subsys(&nf_lwtunnel_net_ops); ++} ++ ++void netfilter_lwtunnel_fini(void) ++{ ++ unregister_pernet_subsys(&nf_lwtunnel_net_ops); ++} + #endif /* CONFIG_SYSCTL */ +diff --git a/net/netfilter/nf_internals.h b/net/netfilter/nf_internals.h +index 832ae64179f0f..25403023060b6 100644 +--- a/net/netfilter/nf_internals.h ++++ b/net/netfilter/nf_internals.h +@@ -29,6 +29,12 @@ void nf_queue_nf_hook_drop(struct net *net); + /* nf_log.c */ + int __init netfilter_log_init(void); + ++#ifdef CONFIG_LWTUNNEL ++/* nf_hooks_lwtunnel.c */ ++int __init netfilter_lwtunnel_init(void); ++void netfilter_lwtunnel_fini(void); ++#endif ++ + /* core.c */ + void nf_hook_entries_delete_raw(struct nf_hook_entries __rcu **pp, + const struct nf_hook_ops *reg); +-- +2.43.0 + diff --git a/queue-6.9/netfilter-remove-the-now-superfluous-sentinel-elemen.patch b/queue-6.9/netfilter-remove-the-now-superfluous-sentinel-elemen.patch new file mode 100644 index 00000000000..1f09afd8e6f --- /dev/null +++ b/queue-6.9/netfilter-remove-the-now-superfluous-sentinel-elemen.patch @@ -0,0 +1,193 @@ +From abb965a84121050216b70ecc618f16f2bd3fa027 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 May 2024 11:29:30 +0200 +Subject: netfilter: Remove the now superfluous sentinel elements from + ctl_table array + +From: Joel Granados + +[ Upstream commit 635470eb0aa71ba41c47593c66f65ac1e5d59dd7 ] + +This commit comes at the tail end of a greater effort to remove the +empty elements at the end of the ctl_table arrays (sentinels) which will +reduce the overall build time size of the kernel and run time memory +bloat by ~64 bytes per sentinel (further information Link : +https://lore.kernel.org/all/ZO5Yx5JFogGi%2FcBo@bombadil.infradead.org/) + +* Remove sentinel elements from ctl_table structs +* Remove instances where an array element is zeroed out to make it look + like a sentinel. This is not longer needed and is safe after commit + c899710fe7f9 ("networking: Update to register_net_sysctl_sz") added + the array size to the ctl_table registration +* Remove the need for having __NF_SYSCTL_CT_LAST_SYSCTL as the + sysctl array size is now in NF_SYSCTL_CT_LAST_SYSCTL +* Remove extra element in ctl_table arrays declarations + +Acked-by: Kees Cook # loadpin & yama +Signed-off-by: Joel Granados +Signed-off-by: David S. Miller +Stable-dep-of: a2225e0250c5 ("netfilter: move the sysctl nf_hooks_lwtunnel into the netfilter core") +Signed-off-by: Sasha Levin +--- + net/bridge/br_netfilter_hooks.c | 1 - + net/ipv6/netfilter/nf_conntrack_reasm.c | 1 - + net/netfilter/ipvs/ip_vs_ctl.c | 5 +---- + net/netfilter/ipvs/ip_vs_lblc.c | 5 +---- + net/netfilter/ipvs/ip_vs_lblcr.c | 5 +---- + net/netfilter/nf_conntrack_standalone.c | 6 +----- + net/netfilter/nf_log.c | 3 +-- + 7 files changed, 5 insertions(+), 21 deletions(-) + +diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c +index 22e35623c148a..7c9ea1e4a829c 100644 +--- a/net/bridge/br_netfilter_hooks.c ++++ b/net/bridge/br_netfilter_hooks.c +@@ -1225,7 +1225,6 @@ static struct ctl_table brnf_table[] = { + .mode = 0644, + .proc_handler = brnf_sysctl_call_tables, + }, +- { } + }; + + static inline void br_netfilter_sysctl_default(struct brnf_net *brnf) +diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c +index d0dcbaca19943..abf6e24ae4ecf 100644 +--- a/net/ipv6/netfilter/nf_conntrack_reasm.c ++++ b/net/ipv6/netfilter/nf_conntrack_reasm.c +@@ -62,7 +62,6 @@ static struct ctl_table nf_ct_frag6_sysctl_table[] = { + .mode = 0644, + .proc_handler = proc_doulongvec_minmax, + }, +- { } + }; + + static int nf_ct_frag6_sysctl_register(struct net *net) +diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c +index 143a341bbc0a4..50b5dbe40eb85 100644 +--- a/net/netfilter/ipvs/ip_vs_ctl.c ++++ b/net/netfilter/ipvs/ip_vs_ctl.c +@@ -2263,7 +2263,6 @@ static struct ctl_table vs_vars[] = { + .proc_handler = proc_dointvec, + }, + #endif +- { } + }; + + #endif +@@ -4286,10 +4285,8 @@ static int __net_init ip_vs_control_net_init_sysctl(struct netns_ipvs *ipvs) + return -ENOMEM; + + /* Don't export sysctls to unprivileged users */ +- if (net->user_ns != &init_user_ns) { +- tbl[0].procname = NULL; ++ if (net->user_ns != &init_user_ns) + ctl_table_size = 0; +- } + } else + tbl = vs_vars; + /* Initialize sysctl defaults */ +diff --git a/net/netfilter/ipvs/ip_vs_lblc.c b/net/netfilter/ipvs/ip_vs_lblc.c +index 8ceec7a2fa8f3..2423513d701d4 100644 +--- a/net/netfilter/ipvs/ip_vs_lblc.c ++++ b/net/netfilter/ipvs/ip_vs_lblc.c +@@ -123,7 +123,6 @@ static struct ctl_table vs_vars_table[] = { + .mode = 0644, + .proc_handler = proc_dointvec_jiffies, + }, +- { } + }; + #endif + +@@ -563,10 +562,8 @@ static int __net_init __ip_vs_lblc_init(struct net *net) + return -ENOMEM; + + /* Don't export sysctls to unprivileged users */ +- if (net->user_ns != &init_user_ns) { +- ipvs->lblc_ctl_table[0].procname = NULL; ++ if (net->user_ns != &init_user_ns) + vars_table_size = 0; +- } + + } else + ipvs->lblc_ctl_table = vs_vars_table; +diff --git a/net/netfilter/ipvs/ip_vs_lblcr.c b/net/netfilter/ipvs/ip_vs_lblcr.c +index 0fb64707213f8..cdb1d4bf6761c 100644 +--- a/net/netfilter/ipvs/ip_vs_lblcr.c ++++ b/net/netfilter/ipvs/ip_vs_lblcr.c +@@ -294,7 +294,6 @@ static struct ctl_table vs_vars_table[] = { + .mode = 0644, + .proc_handler = proc_dointvec_jiffies, + }, +- { } + }; + #endif + +@@ -749,10 +748,8 @@ static int __net_init __ip_vs_lblcr_init(struct net *net) + return -ENOMEM; + + /* Don't export sysctls to unprivileged users */ +- if (net->user_ns != &init_user_ns) { +- ipvs->lblcr_ctl_table[0].procname = NULL; ++ if (net->user_ns != &init_user_ns) + vars_table_size = 0; +- } + } else + ipvs->lblcr_ctl_table = vs_vars_table; + ipvs->sysctl_lblcr_expiration = DEFAULT_EXPIRATION; +diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c +index 0ee98ce5b8165..2f226cfb32d04 100644 +--- a/net/netfilter/nf_conntrack_standalone.c ++++ b/net/netfilter/nf_conntrack_standalone.c +@@ -616,11 +616,9 @@ enum nf_ct_sysctl_index { + NF_SYSCTL_CT_LWTUNNEL, + #endif + +- __NF_SYSCTL_CT_LAST_SYSCTL, ++ NF_SYSCTL_CT_LAST_SYSCTL, + }; + +-#define NF_SYSCTL_CT_LAST_SYSCTL (__NF_SYSCTL_CT_LAST_SYSCTL + 1) +- + static struct ctl_table nf_ct_sysctl_table[] = { + [NF_SYSCTL_CT_MAX] = { + .procname = "nf_conntrack_max", +@@ -957,7 +955,6 @@ static struct ctl_table nf_ct_sysctl_table[] = { + .proc_handler = nf_hooks_lwtunnel_sysctl_handler, + }, + #endif +- {} + }; + + static struct ctl_table nf_ct_netfilter_table[] = { +@@ -968,7 +965,6 @@ static struct ctl_table nf_ct_netfilter_table[] = { + .mode = 0644, + .proc_handler = proc_dointvec, + }, +- { } + }; + + static void nf_conntrack_standalone_init_tcp_sysctl(struct net *net, +diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c +index 370f8231385ca..d42ba733496b2 100644 +--- a/net/netfilter/nf_log.c ++++ b/net/netfilter/nf_log.c +@@ -395,7 +395,7 @@ static const struct seq_operations nflog_seq_ops = { + + #ifdef CONFIG_SYSCTL + static char nf_log_sysctl_fnames[NFPROTO_NUMPROTO-NFPROTO_UNSPEC][3]; +-static struct ctl_table nf_log_sysctl_table[NFPROTO_NUMPROTO+1]; ++static struct ctl_table nf_log_sysctl_table[NFPROTO_NUMPROTO]; + static struct ctl_table_header *nf_log_sysctl_fhdr; + + static struct ctl_table nf_log_sysctl_ftable[] = { +@@ -406,7 +406,6 @@ static struct ctl_table nf_log_sysctl_ftable[] = { + .mode = 0644, + .proc_handler = proc_dointvec, + }, +- { } + }; + + static int nf_log_proc_dostring(struct ctl_table *table, int write, +-- +2.43.0 + diff --git a/queue-6.9/netns-make-get_net_ns-handle-zero-refcount-net.patch b/queue-6.9/netns-make-get_net_ns-handle-zero-refcount-net.patch new file mode 100644 index 00000000000..42d31ee6c3b --- /dev/null +++ b/queue-6.9/netns-make-get_net_ns-handle-zero-refcount-net.patch @@ -0,0 +1,113 @@ +From ff9d3a3b9ee4de9156ee500a4e9eca71beeda1d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Jun 2024 21:13:02 +0800 +Subject: netns: Make get_net_ns() handle zero refcount net + +From: Yue Haibing + +[ Upstream commit ff960f9d3edbe08a736b5a224d91a305ccc946b0 ] + +Syzkaller hit a warning: +refcount_t: addition on 0; use-after-free. +WARNING: CPU: 3 PID: 7890 at lib/refcount.c:25 refcount_warn_saturate+0xdf/0x1d0 +Modules linked in: +CPU: 3 PID: 7890 Comm: tun Not tainted 6.10.0-rc3-00100-gcaa4f9578aba-dirty #310 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 +RIP: 0010:refcount_warn_saturate+0xdf/0x1d0 +Code: 41 49 04 31 ff 89 de e8 9f 1e cd fe 84 db 75 9c e8 76 26 cd fe c6 05 b6 41 49 04 01 90 48 c7 c7 b8 8e 25 86 e8 d2 05 b5 fe 90 <0f> 0b 90 90 e9 79 ff ff ff e8 53 26 cd fe 0f b6 1 +RSP: 0018:ffff8881067b7da0 EFLAGS: 00010286 +RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff811c72ac +RDX: ffff8881026a2140 RSI: ffffffff811c72b5 RDI: 0000000000000001 +RBP: ffff8881067b7db0 R08: 0000000000000000 R09: 205b5d3730353139 +R10: 0000000000000000 R11: 205d303938375420 R12: ffff8881086500c4 +R13: ffff8881086500c4 R14: ffff8881086500b0 R15: ffff888108650040 +FS: 00007f5b2961a4c0(0000) GS:ffff88823bd00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 000055d7ed36fd18 CR3: 00000001482f6000 CR4: 00000000000006f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + ? show_regs+0xa3/0xc0 + ? __warn+0xa5/0x1c0 + ? refcount_warn_saturate+0xdf/0x1d0 + ? report_bug+0x1fc/0x2d0 + ? refcount_warn_saturate+0xdf/0x1d0 + ? handle_bug+0xa1/0x110 + ? exc_invalid_op+0x3c/0xb0 + ? asm_exc_invalid_op+0x1f/0x30 + ? __warn_printk+0xcc/0x140 + ? __warn_printk+0xd5/0x140 + ? refcount_warn_saturate+0xdf/0x1d0 + get_net_ns+0xa4/0xc0 + ? __pfx_get_net_ns+0x10/0x10 + open_related_ns+0x5a/0x130 + __tun_chr_ioctl+0x1616/0x2370 + ? __sanitizer_cov_trace_switch+0x58/0xa0 + ? __sanitizer_cov_trace_const_cmp2+0x1c/0x30 + ? __pfx_tun_chr_ioctl+0x10/0x10 + tun_chr_ioctl+0x2f/0x40 + __x64_sys_ioctl+0x11b/0x160 + x64_sys_call+0x1211/0x20d0 + do_syscall_64+0x9e/0x1d0 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7f5b28f165d7 +Code: b3 66 90 48 8b 05 b1 48 2d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 81 48 2d 00 8 +RSP: 002b:00007ffc2b59c5e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 +RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5b28f165d7 +RDX: 0000000000000000 RSI: 00000000000054e3 RDI: 0000000000000003 +RBP: 00007ffc2b59c650 R08: 00007f5b291ed8c0 R09: 00007f5b2961a4c0 +R10: 0000000029690010 R11: 0000000000000246 R12: 0000000000400730 +R13: 00007ffc2b59cf40 R14: 0000000000000000 R15: 0000000000000000 + +Kernel panic - not syncing: kernel: panic_on_warn set ... + +This is trigger as below: + ns0 ns1 +tun_set_iff() //dev is tun0 + tun->dev = dev +//ip link set tun0 netns ns1 + put_net() //ref is 0 +__tun_chr_ioctl() //TUNGETDEVNETNS + net = dev_net(tun->dev); + open_related_ns(&net->ns, get_net_ns); //ns1 + get_net_ns() + get_net() //addition on 0 + +Use maybe_get_net() in get_net_ns in case net's ref is zero to fix this + +Fixes: 0c3e0e3bb623 ("tun: Add ioctl() TUNGETDEVNETNS cmd to allow obtaining real net ns of tun device") +Signed-off-by: Yue Haibing +Link: https://lore.kernel.org/r/20240614131302.2698509-1-yuehaibing@huawei.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/core/net_namespace.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c +index 9d690d32da33a..b1dc84c4fda11 100644 +--- a/net/core/net_namespace.c ++++ b/net/core/net_namespace.c +@@ -693,11 +693,16 @@ EXPORT_SYMBOL_GPL(__put_net); + * get_net_ns - increment the refcount of the network namespace + * @ns: common namespace (net) + * +- * Returns the net's common namespace. ++ * Returns the net's common namespace or ERR_PTR() if ref is zero. + */ + struct ns_common *get_net_ns(struct ns_common *ns) + { +- return &get_net(container_of(ns, struct net, ns))->ns; ++ struct net *net; ++ ++ net = maybe_get_net(container_of(ns, struct net, ns)); ++ if (net) ++ return &net->ns; ++ return ERR_PTR(-EINVAL); + } + EXPORT_SYMBOL_GPL(get_net_ns); + +-- +2.43.0 + diff --git a/queue-6.9/netrom-fix-a-memory-leak-in-nr_heartbeat_expiry.patch b/queue-6.9/netrom-fix-a-memory-leak-in-nr_heartbeat_expiry.patch new file mode 100644 index 00000000000..8c53f97cf80 --- /dev/null +++ b/queue-6.9/netrom-fix-a-memory-leak-in-nr_heartbeat_expiry.patch @@ -0,0 +1,83 @@ +From 7185cda05fc5b6c8ed7f835c20a6a3c91a23b412 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Jun 2024 08:23:00 +0000 +Subject: netrom: Fix a memory leak in nr_heartbeat_expiry() + +From: Gavrilov Ilia + +[ Upstream commit 0b9130247f3b6a1122478471ff0e014ea96bb735 ] + +syzbot reported a memory leak in nr_create() [0]. + +Commit 409db27e3a2e ("netrom: Fix use-after-free of a listening socket.") +added sock_hold() to the nr_heartbeat_expiry() function, where +a) a socket has a SOCK_DESTROY flag or +b) a listening socket has a SOCK_DEAD flag. + +But in the case "a," when the SOCK_DESTROY flag is set, the file descriptor +has already been closed and the nr_release() function has been called. +So it makes no sense to hold the reference count because no one will +call another nr_destroy_socket() and put it as in the case "b." + +nr_connect + nr_establish_data_link + nr_start_heartbeat + +nr_release + switch (nr->state) + case NR_STATE_3 + nr->state = NR_STATE_2 + sock_set_flag(sk, SOCK_DESTROY); + + nr_rx_frame + nr_process_rx_frame + switch (nr->state) + case NR_STATE_2 + nr_state2_machine() + nr_disconnect() + nr_sk(sk)->state = NR_STATE_0 + sock_set_flag(sk, SOCK_DEAD) + + nr_heartbeat_expiry + switch (nr->state) + case NR_STATE_0 + if (sock_flag(sk, SOCK_DESTROY) || + (sk->sk_state == TCP_LISTEN + && sock_flag(sk, SOCK_DEAD))) + sock_hold() // ( !!! ) + nr_destroy_socket() + +To fix the memory leak, let's call sock_hold() only for a listening socket. + +Found by InfoTeCS on behalf of Linux Verification Center +(linuxtesting.org) with Syzkaller. + +[0]: https://syzkaller.appspot.com/bug?extid=d327a1f3b12e1e206c16 + +Reported-by: syzbot+d327a1f3b12e1e206c16@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=d327a1f3b12e1e206c16 +Fixes: 409db27e3a2e ("netrom: Fix use-after-free of a listening socket.") +Signed-off-by: Gavrilov Ilia +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/netrom/nr_timer.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/netrom/nr_timer.c b/net/netrom/nr_timer.c +index 4e7c968cde2dc..5e3ca068f04e0 100644 +--- a/net/netrom/nr_timer.c ++++ b/net/netrom/nr_timer.c +@@ -121,7 +121,8 @@ static void nr_heartbeat_expiry(struct timer_list *t) + is accepted() it isn't 'dead' so doesn't get removed. */ + if (sock_flag(sk, SOCK_DESTROY) || + (sk->sk_state == TCP_LISTEN && sock_flag(sk, SOCK_DEAD))) { +- sock_hold(sk); ++ if (sk->sk_state == TCP_LISTEN) ++ sock_hold(sk); + bh_unlock_sock(sk); + nr_destroy_socket(sk); + goto out; +-- +2.43.0 + diff --git a/queue-6.9/octeontx2-pf-add-error-handling-to-vlan-unoffload-ha.patch b/queue-6.9/octeontx2-pf-add-error-handling-to-vlan-unoffload-ha.patch new file mode 100644 index 00000000000..82ee0811038 --- /dev/null +++ b/queue-6.9/octeontx2-pf-add-error-handling-to-vlan-unoffload-ha.patch @@ -0,0 +1,50 @@ +From 3bbb3d6b24314583202883939f7b0f957b0c1c85 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jun 2024 17:50:26 +0100 +Subject: octeontx2-pf: Add error handling to VLAN unoffload handling + +From: Simon Horman + +[ Upstream commit b95a4afe2defd6f46891985f9436a568cd35a31c ] + +otx2_sq_append_skb makes used of __vlan_hwaccel_push_inside() +to unoffload VLANs - push them from skb meta data into skb data. +However, it omitts a check for __vlan_hwaccel_push_inside() +returning NULL. + +Found by inspection based on [1] and [2]. +Compile tested only. + +[1] Re: [PATCH net-next v1] net: stmmac: Enable TSO on VLANs + https://lore.kernel.org/all/ZmrN2W8Fye450TKs@shell.armlinux.org.uk/ +[2] Re: [PATCH net-next v2] net: stmmac: Enable TSO on VLANs + https://lore.kernel.org/all/CANn89i+11L5=tKsa7V7Aeyxaj6nYGRwy35PAbCRYJ73G+b25sg@mail.gmail.com/ + +Fixes: fd9d7859db6c ("octeontx2-pf: Implement ingress/egress VLAN offload") +Signed-off-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.c +index f828d32737af0..04a49b9b545f3 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.c ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.c +@@ -1171,8 +1171,11 @@ bool otx2_sq_append_skb(struct net_device *netdev, struct otx2_snd_queue *sq, + + if (skb_shinfo(skb)->gso_size && !is_hw_tso_supported(pfvf, skb)) { + /* Insert vlan tag before giving pkt to tso */ +- if (skb_vlan_tag_present(skb)) ++ if (skb_vlan_tag_present(skb)) { + skb = __vlan_hwaccel_push_inside(skb); ++ if (!skb) ++ return true; ++ } + otx2_sq_append_tso(pfvf, sq, skb, qidx); + return true; + } +-- +2.43.0 + diff --git a/queue-6.9/octeontx2-pf-fix-linking-objects-into-multiple-modul.patch b/queue-6.9/octeontx2-pf-fix-linking-objects-into-multiple-modul.patch new file mode 100644 index 00000000000..d1ac340b653 --- /dev/null +++ b/queue-6.9/octeontx2-pf-fix-linking-objects-into-multiple-modul.patch @@ -0,0 +1,123 @@ +From 2dfcb14cb233399668715b4c58630f86e9d5264b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Jun 2024 11:41:22 +0530 +Subject: octeontx2-pf: Fix linking objects into multiple modules + +From: Geetha sowjanya + +[ Upstream commit 1062d03827b78614259b3b4b992deb27ee6aa84d ] + +This patch fixes the below build warning messages that are +caused due to linking same files to multiple modules by +exporting the required symbols. + +"scripts/Makefile.build:244: drivers/net/ethernet/marvell/octeontx2/nic/Makefile: +otx2_devlink.o is added to multiple modules: rvu_nicpf rvu_nicvf + +scripts/Makefile.build:244: drivers/net/ethernet/marvell/octeontx2/nic/Makefile: +otx2_dcbnl.o is added to multiple modules: rvu_nicpf rvu_nicvf" + +Fixes: 8e67558177f8 ("octeontx2-pf: PFC config support with DCBx"). +Signed-off-by: Geetha sowjanya +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/nic/Makefile | 3 +-- + drivers/net/ethernet/marvell/octeontx2/nic/otx2_dcbnl.c | 7 +++++++ + drivers/net/ethernet/marvell/octeontx2/nic/otx2_devlink.c | 2 ++ + 3 files changed, 10 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/Makefile b/drivers/net/ethernet/marvell/octeontx2/nic/Makefile +index 5664f768cb0cd..64a97a0a10ed6 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/Makefile ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/Makefile +@@ -9,10 +9,9 @@ obj-$(CONFIG_OCTEONTX2_VF) += rvu_nicvf.o otx2_ptp.o + rvu_nicpf-y := otx2_pf.o otx2_common.o otx2_txrx.o otx2_ethtool.o \ + otx2_flows.o otx2_tc.o cn10k.o otx2_dmac_flt.o \ + otx2_devlink.o qos_sq.o qos.o +-rvu_nicvf-y := otx2_vf.o otx2_devlink.o ++rvu_nicvf-y := otx2_vf.o + + rvu_nicpf-$(CONFIG_DCB) += otx2_dcbnl.o +-rvu_nicvf-$(CONFIG_DCB) += otx2_dcbnl.o + rvu_nicpf-$(CONFIG_MACSEC) += cn10k_macsec.o + + ccflags-y += -I$(srctree)/drivers/net/ethernet/marvell/octeontx2/af +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_dcbnl.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_dcbnl.c +index 28fb643d2917f..aa01110f04a33 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_dcbnl.c ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_dcbnl.c +@@ -54,6 +54,7 @@ int otx2_pfc_txschq_config(struct otx2_nic *pfvf) + + return 0; + } ++EXPORT_SYMBOL(otx2_pfc_txschq_config); + + static int otx2_pfc_txschq_alloc_one(struct otx2_nic *pfvf, u8 prio) + { +@@ -122,6 +123,7 @@ int otx2_pfc_txschq_alloc(struct otx2_nic *pfvf) + + return 0; + } ++EXPORT_SYMBOL(otx2_pfc_txschq_alloc); + + static int otx2_pfc_txschq_stop_one(struct otx2_nic *pfvf, u8 prio) + { +@@ -260,6 +262,7 @@ int otx2_pfc_txschq_update(struct otx2_nic *pfvf) + + return 0; + } ++EXPORT_SYMBOL(otx2_pfc_txschq_update); + + int otx2_pfc_txschq_stop(struct otx2_nic *pfvf) + { +@@ -282,6 +285,7 @@ int otx2_pfc_txschq_stop(struct otx2_nic *pfvf) + + return 0; + } ++EXPORT_SYMBOL(otx2_pfc_txschq_stop); + + int otx2_config_priority_flow_ctrl(struct otx2_nic *pfvf) + { +@@ -321,6 +325,7 @@ int otx2_config_priority_flow_ctrl(struct otx2_nic *pfvf) + mutex_unlock(&pfvf->mbox.lock); + return err; + } ++EXPORT_SYMBOL(otx2_config_priority_flow_ctrl); + + void otx2_update_bpid_in_rqctx(struct otx2_nic *pfvf, int vlan_prio, int qidx, + bool pfc_enable) +@@ -385,6 +390,7 @@ void otx2_update_bpid_in_rqctx(struct otx2_nic *pfvf, int vlan_prio, int qidx, + "Updating BPIDs in CQ and Aura contexts of RQ%d failed with err %d\n", + qidx, err); + } ++EXPORT_SYMBOL(otx2_update_bpid_in_rqctx); + + static int otx2_dcbnl_ieee_getpfc(struct net_device *dev, struct ieee_pfc *pfc) + { +@@ -472,3 +478,4 @@ int otx2_dcbnl_set_ops(struct net_device *dev) + + return 0; + } ++EXPORT_SYMBOL(otx2_dcbnl_set_ops); +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_devlink.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_devlink.c +index 4e1130496573e..05956bf03c05d 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_devlink.c ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_devlink.c +@@ -112,6 +112,7 @@ int otx2_register_dl(struct otx2_nic *pfvf) + devlink_free(dl); + return err; + } ++EXPORT_SYMBOL(otx2_register_dl); + + void otx2_unregister_dl(struct otx2_nic *pfvf) + { +@@ -123,3 +124,4 @@ void otx2_unregister_dl(struct otx2_nic *pfvf) + ARRAY_SIZE(otx2_dl_params)); + devlink_free(dl); + } ++EXPORT_SYMBOL(otx2_unregister_dl); +-- +2.43.0 + diff --git a/queue-6.9/ptp-fix-integer-overflow-in-max_vclocks_store.patch b/queue-6.9/ptp-fix-integer-overflow-in-max_vclocks_store.patch new file mode 100644 index 00000000000..c7ec4e322b6 --- /dev/null +++ b/queue-6.9/ptp-fix-integer-overflow-in-max_vclocks_store.patch @@ -0,0 +1,41 @@ +From 113460d49227f58d1643400ce9b4503f388bcd0f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jun 2024 12:34:32 +0300 +Subject: ptp: fix integer overflow in max_vclocks_store + +From: Dan Carpenter + +[ Upstream commit 81d23d2a24012e448f651e007fac2cfd20a45ce0 ] + +On 32bit systems, the "4 * max" multiply can overflow. Use kcalloc() +to do the allocation to prevent this. + +Fixes: 44c494c8e30e ("ptp: track available ptp vclocks information") +Signed-off-by: Dan Carpenter +Reviewed-by: Wojciech Drewek +Reviewed-by: Jiri Pirko +Reviewed-by: Heng Qi +Link: https://lore.kernel.org/r/ee8110ed-6619-4bd7-9024-28c1f2ac24f4@moroto.mountain +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/ptp/ptp_sysfs.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/ptp/ptp_sysfs.c b/drivers/ptp/ptp_sysfs.c +index a15460aaa03b3..6b1b8f57cd951 100644 +--- a/drivers/ptp/ptp_sysfs.c ++++ b/drivers/ptp/ptp_sysfs.c +@@ -296,8 +296,7 @@ static ssize_t max_vclocks_store(struct device *dev, + if (max < ptp->n_vclocks) + goto out; + +- size = sizeof(int) * max; +- vclock_index = kzalloc(size, GFP_KERNEL); ++ vclock_index = kcalloc(max, sizeof(int), GFP_KERNEL); + if (!vclock_index) { + err = -ENOMEM; + goto out; +-- +2.43.0 + diff --git a/queue-6.9/qca_spi-make-interrupt-remembering-atomic.patch b/queue-6.9/qca_spi-make-interrupt-remembering-atomic.patch new file mode 100644 index 00000000000..8d99e6d148b --- /dev/null +++ b/queue-6.9/qca_spi-make-interrupt-remembering-atomic.patch @@ -0,0 +1,118 @@ +From 9f5e118c68dc162bdd3246b14dca9f15c287a5fe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Jun 2024 16:50:30 +0200 +Subject: qca_spi: Make interrupt remembering atomic + +From: Stefan Wahren + +[ Upstream commit 2d7198278ece01818cd95a3beffbdf8b2a353fa0 ] + +The whole mechanism to remember occurred SPI interrupts is not atomic, +which could lead to unexpected behavior. So fix this by using atomic bit +operations instead. + +Fixes: 291ab06ecf67 ("net: qualcomm: new Ethernet over SPI driver for QCA7000") +Signed-off-by: Stefan Wahren +Link: https://lore.kernel.org/r/20240614145030.7781-1-wahrenst@gmx.net +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qualcomm/qca_debug.c | 6 ++---- + drivers/net/ethernet/qualcomm/qca_spi.c | 16 ++++++++-------- + drivers/net/ethernet/qualcomm/qca_spi.h | 3 +-- + 3 files changed, 11 insertions(+), 14 deletions(-) + +diff --git a/drivers/net/ethernet/qualcomm/qca_debug.c b/drivers/net/ethernet/qualcomm/qca_debug.c +index ff3b89e9028e9..ad06da0fdaa04 100644 +--- a/drivers/net/ethernet/qualcomm/qca_debug.c ++++ b/drivers/net/ethernet/qualcomm/qca_debug.c +@@ -98,10 +98,8 @@ qcaspi_info_show(struct seq_file *s, void *what) + + seq_printf(s, "IRQ : %d\n", + qca->spi_dev->irq); +- seq_printf(s, "INTR REQ : %u\n", +- qca->intr_req); +- seq_printf(s, "INTR SVC : %u\n", +- qca->intr_svc); ++ seq_printf(s, "INTR : %lx\n", ++ qca->intr); + + seq_printf(s, "SPI max speed : %lu\n", + (unsigned long)qca->spi_dev->max_speed_hz); +diff --git a/drivers/net/ethernet/qualcomm/qca_spi.c b/drivers/net/ethernet/qualcomm/qca_spi.c +index 5799ecc88a875..8f7ce6b51a1c9 100644 +--- a/drivers/net/ethernet/qualcomm/qca_spi.c ++++ b/drivers/net/ethernet/qualcomm/qca_spi.c +@@ -35,6 +35,8 @@ + + #define MAX_DMA_BURST_LEN 5000 + ++#define SPI_INTR 0 ++ + /* Modules parameters */ + #define QCASPI_CLK_SPEED_MIN 1000000 + #define QCASPI_CLK_SPEED_MAX 16000000 +@@ -579,14 +581,14 @@ qcaspi_spi_thread(void *data) + continue; + } + +- if ((qca->intr_req == qca->intr_svc) && ++ if (!test_bit(SPI_INTR, &qca->intr) && + !qca->txr.skb[qca->txr.head]) + schedule(); + + set_current_state(TASK_RUNNING); + +- netdev_dbg(qca->net_dev, "have work to do. int: %d, tx_skb: %p\n", +- qca->intr_req - qca->intr_svc, ++ netdev_dbg(qca->net_dev, "have work to do. int: %lu, tx_skb: %p\n", ++ qca->intr, + qca->txr.skb[qca->txr.head]); + + qcaspi_qca7k_sync(qca, QCASPI_EVENT_UPDATE); +@@ -600,8 +602,7 @@ qcaspi_spi_thread(void *data) + msleep(QCASPI_QCA7K_REBOOT_TIME_MS); + } + +- if (qca->intr_svc != qca->intr_req) { +- qca->intr_svc = qca->intr_req; ++ if (test_and_clear_bit(SPI_INTR, &qca->intr)) { + start_spi_intr_handling(qca, &intr_cause); + + if (intr_cause & SPI_INT_CPU_ON) { +@@ -663,7 +664,7 @@ qcaspi_intr_handler(int irq, void *data) + { + struct qcaspi *qca = data; + +- qca->intr_req++; ++ set_bit(SPI_INTR, &qca->intr); + if (qca->spi_thread) + wake_up_process(qca->spi_thread); + +@@ -679,8 +680,7 @@ qcaspi_netdev_open(struct net_device *dev) + if (!qca) + return -EINVAL; + +- qca->intr_req = 1; +- qca->intr_svc = 0; ++ set_bit(SPI_INTR, &qca->intr); + qca->sync = QCASPI_SYNC_UNKNOWN; + qcafrm_fsm_init_spi(&qca->frm_handle); + +diff --git a/drivers/net/ethernet/qualcomm/qca_spi.h b/drivers/net/ethernet/qualcomm/qca_spi.h +index d59cb2352ceec..8f4808695e820 100644 +--- a/drivers/net/ethernet/qualcomm/qca_spi.h ++++ b/drivers/net/ethernet/qualcomm/qca_spi.h +@@ -81,8 +81,7 @@ struct qcaspi { + struct qcafrm_handle frm_handle; + struct sk_buff *rx_skb; + +- unsigned int intr_req; +- unsigned int intr_svc; ++ unsigned long intr; + u16 reset_count; + + #ifdef CONFIG_DEBUG_FS +-- +2.43.0 + diff --git a/queue-6.9/sched-act_ct-add-netns-into-the-key-of-tcf_ct_flow_t.patch b/queue-6.9/sched-act_ct-add-netns-into-the-key-of-tcf_ct_flow_t.patch new file mode 100644 index 00000000000..61f7fc5cf89 --- /dev/null +++ b/queue-6.9/sched-act_ct-add-netns-into-the-key-of-tcf_ct_flow_t.patch @@ -0,0 +1,103 @@ +From 64e96ede832be4d19f1ad6441a0ec06d3337405f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 15 Jun 2024 17:47:30 -0400 +Subject: sched: act_ct: add netns into the key of tcf_ct_flow_table + +From: Xin Long + +[ Upstream commit 88c67aeb14070bab61d3dd8be96c8b42ebcaf53a ] + +zones_ht is a global hashtable for flow_table with zone as key. However, +it does not consider netns when getting a flow_table from zones_ht in +tcf_ct_init(), and it means an act_ct action in netns A may get a +flow_table that belongs to netns B if it has the same zone value. + +In Shuang's test with the TOPO: + + tcf2_c <---> tcf2_sw1 <---> tcf2_sw2 <---> tcf2_s + +tcf2_sw1 and tcf2_sw2 saw the same flow and used the same flow table, +which caused their ct entries entering unexpected states and the +TCP connection not able to end normally. + +This patch fixes the issue simply by adding netns into the key of +tcf_ct_flow_table so that an act_ct action gets a flow_table that +belongs to its own netns in tcf_ct_init(). + +Note that for easy coding we don't use tcf_ct_flow_table.nf_ft.net, +as the ct_ft is initialized after inserting it to the hashtable in +tcf_ct_flow_table_get() and also it requires to implement several +functions in rhashtable_params including hashfn, obj_hashfn and +obj_cmpfn. + +Fixes: 64ff70b80fd4 ("net/sched: act_ct: Offload established connections to flow table") +Reported-by: Shuang Li +Signed-off-by: Xin Long +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/1db5b6cc6902c5fc6f8c6cbd85494a2008087be5.1718488050.git.lucien.xin@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/sched/act_ct.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c +index baac083fd8f10..2a96d9c1db65b 100644 +--- a/net/sched/act_ct.c ++++ b/net/sched/act_ct.c +@@ -41,21 +41,26 @@ static struct workqueue_struct *act_ct_wq; + static struct rhashtable zones_ht; + static DEFINE_MUTEX(zones_mutex); + ++struct zones_ht_key { ++ struct net *net; ++ u16 zone; ++}; ++ + struct tcf_ct_flow_table { + struct rhash_head node; /* In zones tables */ + + struct rcu_work rwork; + struct nf_flowtable nf_ft; + refcount_t ref; +- u16 zone; ++ struct zones_ht_key key; + + bool dying; + }; + + static const struct rhashtable_params zones_params = { + .head_offset = offsetof(struct tcf_ct_flow_table, node), +- .key_offset = offsetof(struct tcf_ct_flow_table, zone), +- .key_len = sizeof_field(struct tcf_ct_flow_table, zone), ++ .key_offset = offsetof(struct tcf_ct_flow_table, key), ++ .key_len = sizeof_field(struct tcf_ct_flow_table, key), + .automatic_shrinking = true, + }; + +@@ -316,11 +321,12 @@ static struct nf_flowtable_type flowtable_ct = { + + static int tcf_ct_flow_table_get(struct net *net, struct tcf_ct_params *params) + { ++ struct zones_ht_key key = { .net = net, .zone = params->zone }; + struct tcf_ct_flow_table *ct_ft; + int err = -ENOMEM; + + mutex_lock(&zones_mutex); +- ct_ft = rhashtable_lookup_fast(&zones_ht, ¶ms->zone, zones_params); ++ ct_ft = rhashtable_lookup_fast(&zones_ht, &key, zones_params); + if (ct_ft && refcount_inc_not_zero(&ct_ft->ref)) + goto out_unlock; + +@@ -329,7 +335,7 @@ static int tcf_ct_flow_table_get(struct net *net, struct tcf_ct_params *params) + goto err_alloc; + refcount_set(&ct_ft->ref, 1); + +- ct_ft->zone = params->zone; ++ ct_ft->key = key; + err = rhashtable_insert_fast(&zones_ht, &ct_ft->node, zones_params); + if (err) + goto err_insert; +-- +2.43.0 + diff --git a/queue-6.9/seg6-fix-parameter-passing-when-calling-nf_hook-in-e.patch b/queue-6.9/seg6-fix-parameter-passing-when-calling-nf_hook-in-e.patch new file mode 100644 index 00000000000..f502d534393 --- /dev/null +++ b/queue-6.9/seg6-fix-parameter-passing-when-calling-nf_hook-in-e.patch @@ -0,0 +1,98 @@ +From e3607b5c0acaff69397bf06d896d5c9dfc03b0b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Jun 2024 17:42:46 +0800 +Subject: seg6: fix parameter passing when calling NF_HOOK() in End.DX4 and + End.DX6 behaviors + +From: Jianguo Wu + +[ Upstream commit 9a3bc8d16e0aacd65c31aaf23a2bced3288a7779 ] + +input_action_end_dx4() and input_action_end_dx6() are called NF_HOOK() for +PREROUTING hook, in PREROUTING hook, we should passing a valid indev, +and a NULL outdev to NF_HOOK(), otherwise may trigger a NULL pointer +dereference, as below: + + [74830.647293] BUG: kernel NULL pointer dereference, address: 0000000000000090 + [74830.655633] #PF: supervisor read access in kernel mode + [74830.657888] #PF: error_code(0x0000) - not-present page + [74830.659500] PGD 0 P4D 0 + [74830.660450] Oops: 0000 [#1] PREEMPT SMP PTI + ... + [74830.664953] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 + [74830.666569] RIP: 0010:rpfilter_mt+0x44/0x15e [ipt_rpfilter] + ... + [74830.689725] Call Trace: + [74830.690402] + [74830.690953] ? show_trace_log_lvl+0x1c4/0x2df + [74830.692020] ? show_trace_log_lvl+0x1c4/0x2df + [74830.693095] ? ipt_do_table+0x286/0x710 [ip_tables] + [74830.694275] ? __die_body.cold+0x8/0xd + [74830.695205] ? page_fault_oops+0xac/0x140 + [74830.696244] ? exc_page_fault+0x62/0x150 + [74830.697225] ? asm_exc_page_fault+0x22/0x30 + [74830.698344] ? rpfilter_mt+0x44/0x15e [ipt_rpfilter] + [74830.699540] ipt_do_table+0x286/0x710 [ip_tables] + [74830.700758] ? ip6_route_input+0x19d/0x240 + [74830.701752] nf_hook_slow+0x3f/0xb0 + [74830.702678] input_action_end_dx4+0x19b/0x1e0 + [74830.703735] ? input_action_end_t+0xe0/0xe0 + [74830.704734] seg6_local_input_core+0x2d/0x60 + [74830.705782] lwtunnel_input+0x5b/0xb0 + [74830.706690] __netif_receive_skb_one_core+0x63/0xa0 + [74830.707825] process_backlog+0x99/0x140 + [74830.709538] __napi_poll+0x2c/0x160 + [74830.710673] net_rx_action+0x296/0x350 + [74830.711860] __do_softirq+0xcb/0x2ac + [74830.713049] do_softirq+0x63/0x90 + +input_action_end_dx4() passing a NULL indev to NF_HOOK(), and finally +trigger a NULL dereference in rpfilter_mt()->rpfilter_is_loopback(): + + static bool + rpfilter_is_loopback(const struct sk_buff *skb, + const struct net_device *in) + { + // in is NULL + return skb->pkt_type == PACKET_LOOPBACK || + in->flags & IFF_LOOPBACK; + } + +Fixes: 7a3f5b0de364 ("netfilter: add netfilter hooks to SRv6 data plane") +Signed-off-by: Jianguo Wu +Reviewed-by: Simon Horman +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/ipv6/seg6_local.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/ipv6/seg6_local.c b/net/ipv6/seg6_local.c +index 24e2b4b494cb0..c434940131b1d 100644 +--- a/net/ipv6/seg6_local.c ++++ b/net/ipv6/seg6_local.c +@@ -941,8 +941,8 @@ static int input_action_end_dx6(struct sk_buff *skb, + + if (static_branch_unlikely(&nf_hooks_lwtunnel_enabled)) + return NF_HOOK(NFPROTO_IPV6, NF_INET_PRE_ROUTING, +- dev_net(skb->dev), NULL, skb, NULL, +- skb_dst(skb)->dev, input_action_end_dx6_finish); ++ dev_net(skb->dev), NULL, skb, skb->dev, ++ NULL, input_action_end_dx6_finish); + + return input_action_end_dx6_finish(dev_net(skb->dev), NULL, skb); + drop: +@@ -991,8 +991,8 @@ static int input_action_end_dx4(struct sk_buff *skb, + + if (static_branch_unlikely(&nf_hooks_lwtunnel_enabled)) + return NF_HOOK(NFPROTO_IPV4, NF_INET_PRE_ROUTING, +- dev_net(skb->dev), NULL, skb, NULL, +- skb_dst(skb)->dev, input_action_end_dx4_finish); ++ dev_net(skb->dev), NULL, skb, skb->dev, ++ NULL, input_action_end_dx4_finish); + + return input_action_end_dx4_finish(dev_net(skb->dev), NULL, skb); + drop: +-- +2.43.0 + diff --git a/queue-6.9/selftests-openvswitch-use-bash-as-interpreter.patch b/queue-6.9/selftests-openvswitch-use-bash-as-interpreter.patch new file mode 100644 index 00000000000..012b966e67e --- /dev/null +++ b/queue-6.9/selftests-openvswitch-use-bash-as-interpreter.patch @@ -0,0 +1,60 @@ +From c68e0609451e6f18e79e9cab5144abb0fef93c7a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jun 2024 09:28:33 +0100 +Subject: selftests: openvswitch: Use bash as interpreter + +From: Simon Horman + +[ Upstream commit e2b447c9a1bba718f9c07513a1e8958209e862a1 ] + +openvswitch.sh makes use of substitutions of the form ${ns:0:1}, to +obtain the first character of $ns. Empirically, this is works with bash +but not dash. When run with dash these evaluate to an empty string and +printing an error to stdout. + + # dash -c 'ns=client; echo "${ns:0:1}"' 2>error + # cat error + dash: 1: Bad substitution + # bash -c 'ns=client; echo "${ns:0:1}"' 2>error + c + # cat error + +This leads to tests that neither pass nor fail. +F.e. + + TEST: arp_ping [START] + adding sandbox 'test_arp_ping' + Adding DP/Bridge IF: sbx:test_arp_ping dp:arpping {, , } + create namespaces + ./openvswitch.sh: 282: eval: Bad substitution + TEST: ct_connect_v4 [START] + adding sandbox 'test_ct_connect_v4' + Adding DP/Bridge IF: sbx:test_ct_connect_v4 dp:ct4 {, , } + ./openvswitch.sh: 322: eval: Bad substitution + create namespaces + +Resolve this by making openvswitch.sh a bash script. + +Fixes: 918423fda910 ("selftests: openvswitch: add an initial flow programming case") +Signed-off-by: Simon Horman +Reviewed-by: Przemek Kitszel +Link: https://lore.kernel.org/r/20240617-ovs-selftest-bash-v1-1-7ae6ccd3617b@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/openvswitch/openvswitch.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/net/openvswitch/openvswitch.sh b/tools/testing/selftests/net/openvswitch/openvswitch.sh +index 5cae535438491..15bca07087179 100755 +--- a/tools/testing/selftests/net/openvswitch/openvswitch.sh ++++ b/tools/testing/selftests/net/openvswitch/openvswitch.sh +@@ -1,4 +1,4 @@ +-#!/bin/sh ++#!/bin/bash + # SPDX-License-Identifier: GPL-2.0 + # + # OVS kernel module self tests +-- +2.43.0 + diff --git a/queue-6.9/series b/queue-6.9/series index 630f26ad86a..6346b54b8a1 100644 --- a/queue-6.9/series +++ b/queue-6.9/series @@ -93,3 +93,51 @@ cpufreq-amd-pstate-fix-memory-leak-on-cpu-epp-exit.patch acpi-ec-install-address-space-handler-at-the-namespa.patch pci-do-not-wait-for-disconnected-devices-when-resumi.patch opp-fix-required_opp_tables-for-multiple-genpds-usin.patch +alsa-hda-cs35l41-possible-null-pointer-dereference-i.patch +alsa-seq-ump-fix-missing-system-reset-message-handli.patch +mips-routerboard-532-fix-vendor-retry-check-code.patch +mips-bmips-bcm6358-make-sure-cbr-is-correctly-set.patch +tracing-build-event-generation-tests-only-as-modules.patch +wifi-iwlwifi-mvm-fix-roc-version-check.patch +wifi-mac80211-recalc-offload-when-monitor-stop.patch +alsa-hda-realtek-remove-framework-laptop-16-from-qui.patch +alsa-hda-intel-dsp-config-document-avs-as-dsp_driver.patch +ice-avoid-irq-collision-to-fix-init-failure-on-acpi-.patch +ice-fix-200g-link-speed-message-log.patch +ice-implement-aq-download-pkg-retry.patch +bpf-fix-reg_set_min_max-corruption-of-fake_reg.patch +btrfs-zoned-allocate-dummy-checksums-for-zoned-nodat.patch +net-mvpp2-use-slab_build_skb-for-oversized-frames.patch +cipso-fix-total-option-length-computation.patch +alsa-hda-cs35l56-component-should-be-unbound-before-.patch +alsa-hda-cs35l41-component-should-be-unbound-before-.patch +alsa-hda-tas2781-component-should-be-unbound-before-.patch +bpf-avoid-splat-in-pskb_pull_reason.patch +netdev-genl-fix-error-codes-when-outputting-xdp-feat.patch +alsa-hda-realtek-enable-headset-mic-on-ideapad-330-1.patch +netrom-fix-a-memory-leak-in-nr_heartbeat_expiry.patch +ipv6-prevent-possible-null-deref-in-fib6_nh_init.patch +ipv6-prevent-possible-null-dereference-in-rt6_probe.patch +xfrm6-check-ip6_dst_idev-return-value-in-xfrm6_get_s.patch +netns-make-get_net_ns-handle-zero-refcount-net.patch +qca_spi-make-interrupt-remembering-atomic.patch +net-lan743x-disable-wol-upon-resume-to-restore-full-.patch +net-lan743x-support-wol-at-both-the-phy-and-mac-appr.patch +net-phy-mxl-gpy-remove-interrupt-mask-clearing-from-.patch +net-sched-act_api-fix-possible-infinite-loop-in-tcf_.patch +tipc-force-a-dst-refcount-before-doing-decryption.patch +sched-act_ct-add-netns-into-the-key-of-tcf_ct_flow_t.patch +ptp-fix-integer-overflow-in-max_vclocks_store.patch +selftests-openvswitch-use-bash-as-interpreter.patch +net-stmmac-no-need-to-calculate-speed-divider-when-o.patch +virtio_net-checksum-offloading-handling-fix.patch +virtio_net-fixing-xdp-for-fully-checksummed-packets-.patch +octeontx2-pf-add-error-handling-to-vlan-unoffload-ha.patch +octeontx2-pf-fix-linking-objects-into-multiple-modul.patch +netfilter-ipset-fix-suspicious-rcu_dereference_prote.patch +seg6-fix-parameter-passing-when-calling-nf_hook-in-e.patch +netfilter-remove-the-now-superfluous-sentinel-elemen.patch +netfilter-move-the-sysctl-nf_hooks_lwtunnel-into-the.patch +ice-fix-vsi-list-rule-with-ice_sw_lkup_last-type.patch +bnxt_en-restore-ptp-tx_avail-count-in-case-of-skb_pa.patch +net-usb-rtl8150-fix-unintiatilzed-variables-in-rtl81.patch diff --git a/queue-6.9/tipc-force-a-dst-refcount-before-doing-decryption.patch b/queue-6.9/tipc-force-a-dst-refcount-before-doing-decryption.patch new file mode 100644 index 00000000000..ecd2dbd7935 --- /dev/null +++ b/queue-6.9/tipc-force-a-dst-refcount-before-doing-decryption.patch @@ -0,0 +1,58 @@ +From ca6ace5dca34f551e4ace782e29d7ea169dbef33 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 15 Jun 2024 14:27:20 -0400 +Subject: tipc: force a dst refcount before doing decryption + +From: Xin Long + +[ Upstream commit 2ebe8f840c7450ecbfca9d18ac92e9ce9155e269 ] + +As it says in commit 3bc07321ccc2 ("xfrm: Force a dst refcount before +entering the xfrm type handlers"): + +"Crypto requests might return asynchronous. In this case we leave the + rcu protected region, so force a refcount on the skb's destination + entry before we enter the xfrm type input/output handlers." + +On TIPC decryption path it has the same problem, and skb_dst_force() +should be called before doing decryption to avoid a possible crash. + +Shuang reported this issue when this warning is triggered: + + [] WARNING: include/net/dst.h:337 tipc_sk_rcv+0x1055/0x1ea0 [tipc] + [] Kdump: loaded Tainted: G W --------- - - 4.18.0-496.el8.x86_64+debug + [] Workqueue: crypto cryptd_queue_worker + [] RIP: 0010:tipc_sk_rcv+0x1055/0x1ea0 [tipc] + [] Call Trace: + [] tipc_sk_mcast_rcv+0x548/0xea0 [tipc] + [] tipc_rcv+0xcf5/0x1060 [tipc] + [] tipc_aead_decrypt_done+0x215/0x2e0 [tipc] + [] cryptd_aead_crypt+0xdb/0x190 + [] cryptd_queue_worker+0xed/0x190 + [] process_one_work+0x93d/0x17e0 + +Fixes: fc1b6d6de220 ("tipc: introduce TIPC encryption & authentication") +Reported-by: Shuang Li +Signed-off-by: Xin Long +Link: https://lore.kernel.org/r/fbe3195fad6997a4eec62d9bf076b2ad03ac336b.1718476040.git.lucien.xin@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/tipc/node.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/tipc/node.c b/net/tipc/node.c +index c1e890a824347..500320e5ca479 100644 +--- a/net/tipc/node.c ++++ b/net/tipc/node.c +@@ -2105,6 +2105,7 @@ void tipc_rcv(struct net *net, struct sk_buff *skb, struct tipc_bearer *b) + } else { + n = tipc_node_find_by_id(net, ehdr->id); + } ++ skb_dst_force(skb); + tipc_crypto_rcv(net, (n) ? n->crypto_rx : NULL, &skb, b); + if (!skb) + return; +-- +2.43.0 + diff --git a/queue-6.9/tracing-build-event-generation-tests-only-as-modules.patch b/queue-6.9/tracing-build-event-generation-tests-only-as-modules.patch new file mode 100644 index 00000000000..d60c0f33cdc --- /dev/null +++ b/queue-6.9/tracing-build-event-generation-tests-only-as-modules.patch @@ -0,0 +1,107 @@ +From f43f2ebba4537038a38cfd467f40212f13cc01ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Jun 2024 22:30:37 +0900 +Subject: tracing: Build event generation tests only as modules + +From: Masami Hiramatsu (Google) + +[ Upstream commit 3572bd5689b0812b161b40279e39ca5b66d73e88 ] + +The kprobes and synth event generation test modules add events and lock +(get a reference) those event file reference in module init function, +and unlock and delete it in module exit function. This is because those +are designed for playing as modules. + +If we make those modules as built-in, those events are left locked in the +kernel, and never be removed. This causes kprobe event self-test failure +as below. + +[ 97.349708] ------------[ cut here ]------------ +[ 97.353453] WARNING: CPU: 3 PID: 1 at kernel/trace/trace_kprobe.c:2133 kprobe_trace_self_tests_init+0x3f1/0x480 +[ 97.357106] Modules linked in: +[ 97.358488] CPU: 3 PID: 1 Comm: swapper/0 Not tainted 6.9.0-g699646734ab5-dirty #14 +[ 97.361556] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 +[ 97.363880] RIP: 0010:kprobe_trace_self_tests_init+0x3f1/0x480 +[ 97.365538] Code: a8 24 08 82 e9 ae fd ff ff 90 0f 0b 90 48 c7 c7 e5 aa 0b 82 e9 ee fc ff ff 90 0f 0b 90 48 c7 c7 2d 61 06 82 e9 8e fd ff ff 90 <0f> 0b 90 48 c7 c7 33 0b 0c 82 89 c6 e8 6e 03 1f ff 41 ff c7 e9 90 +[ 97.370429] RSP: 0000:ffffc90000013b50 EFLAGS: 00010286 +[ 97.371852] RAX: 00000000fffffff0 RBX: ffff888005919c00 RCX: 0000000000000000 +[ 97.373829] RDX: ffff888003f40000 RSI: ffffffff8236a598 RDI: ffff888003f40a68 +[ 97.375715] RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000 +[ 97.377675] R10: ffffffff811c9ae5 R11: ffffffff8120c4e0 R12: 0000000000000000 +[ 97.379591] R13: 0000000000000001 R14: 0000000000000015 R15: 0000000000000000 +[ 97.381536] FS: 0000000000000000(0000) GS:ffff88807dcc0000(0000) knlGS:0000000000000000 +[ 97.383813] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 97.385449] CR2: 0000000000000000 CR3: 0000000002244000 CR4: 00000000000006b0 +[ 97.387347] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 97.389277] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 97.391196] Call Trace: +[ 97.391967] +[ 97.392647] ? __warn+0xcc/0x180 +[ 97.393640] ? kprobe_trace_self_tests_init+0x3f1/0x480 +[ 97.395181] ? report_bug+0xbd/0x150 +[ 97.396234] ? handle_bug+0x3e/0x60 +[ 97.397311] ? exc_invalid_op+0x1a/0x50 +[ 97.398434] ? asm_exc_invalid_op+0x1a/0x20 +[ 97.399652] ? trace_kprobe_is_busy+0x20/0x20 +[ 97.400904] ? tracing_reset_all_online_cpus+0x15/0x90 +[ 97.402304] ? kprobe_trace_self_tests_init+0x3f1/0x480 +[ 97.403773] ? init_kprobe_trace+0x50/0x50 +[ 97.404972] do_one_initcall+0x112/0x240 +[ 97.406113] do_initcall_level+0x95/0xb0 +[ 97.407286] ? kernel_init+0x1a/0x1a0 +[ 97.408401] do_initcalls+0x3f/0x70 +[ 97.409452] kernel_init_freeable+0x16f/0x1e0 +[ 97.410662] ? rest_init+0x1f0/0x1f0 +[ 97.411738] kernel_init+0x1a/0x1a0 +[ 97.412788] ret_from_fork+0x39/0x50 +[ 97.413817] ? rest_init+0x1f0/0x1f0 +[ 97.414844] ret_from_fork_asm+0x11/0x20 +[ 97.416285] +[ 97.417134] irq event stamp: 13437323 +[ 97.418376] hardirqs last enabled at (13437337): [] console_unlock+0x11c/0x150 +[ 97.421285] hardirqs last disabled at (13437370): [] console_unlock+0x101/0x150 +[ 97.423838] softirqs last enabled at (13437366): [] handle_softirqs+0x23f/0x2a0 +[ 97.426450] softirqs last disabled at (13437393): [] __irq_exit_rcu+0x66/0xd0 +[ 97.428850] ---[ end trace 0000000000000000 ]--- + +And also, since we can not cleanup dynamic_event file, ftracetest are +failed too. + +To avoid these issues, build these tests only as modules. + +Link: https://lore.kernel.org/all/171811263754.85078.5877446624311852525.stgit@devnote2/ + +Fixes: 9fe41efaca08 ("tracing: Add synth event generation test module") +Fixes: 64836248dda2 ("tracing: Add kprobe event command generation test module") +Signed-off-by: Masami Hiramatsu (Google) +Reviewed-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/Kconfig | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/kernel/trace/Kconfig b/kernel/trace/Kconfig +index 47345bf1d4a9f..34804c7152ddf 100644 +--- a/kernel/trace/Kconfig ++++ b/kernel/trace/Kconfig +@@ -1123,7 +1123,7 @@ config PREEMPTIRQ_DELAY_TEST + + config SYNTH_EVENT_GEN_TEST + tristate "Test module for in-kernel synthetic event generation" +- depends on SYNTH_EVENTS ++ depends on SYNTH_EVENTS && m + help + This option creates a test module to check the base + functionality of in-kernel synthetic event definition and +@@ -1136,7 +1136,7 @@ config SYNTH_EVENT_GEN_TEST + + config KPROBE_EVENT_GEN_TEST + tristate "Test module for in-kernel kprobe event generation" +- depends on KPROBE_EVENTS ++ depends on KPROBE_EVENTS && m + help + This option creates a test module to check the base + functionality of in-kernel kprobe event definition. +-- +2.43.0 + diff --git a/queue-6.9/virtio_net-checksum-offloading-handling-fix.patch b/queue-6.9/virtio_net-checksum-offloading-handling-fix.patch new file mode 100644 index 00000000000..2f5ac0ded2a --- /dev/null +++ b/queue-6.9/virtio_net-checksum-offloading-handling-fix.patch @@ -0,0 +1,64 @@ +From 2cd703084e613838d4a2a30f975b91dfa9427ca2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jun 2024 21:15:23 +0800 +Subject: virtio_net: checksum offloading handling fix + +From: Heng Qi + +[ Upstream commit 604141c036e1b636e2a71cf6e1aa09d1e45f40c2 ] + +In virtio spec 0.95, VIRTIO_NET_F_GUEST_CSUM was designed to handle +partially checksummed packets, and the validation of fully checksummed +packets by the device is independent of VIRTIO_NET_F_GUEST_CSUM +negotiation. However, the specification erroneously stated: + + "If VIRTIO_NET_F_GUEST_CSUM is not negotiated, the device MUST set flags + to zero and SHOULD supply a fully checksummed packet to the driver." + +This statement is inaccurate because even without VIRTIO_NET_F_GUEST_CSUM +negotiation, the device can still set the VIRTIO_NET_HDR_F_DATA_VALID flag. +Essentially, the device can facilitate the validation of these packets' +checksums - a process known as RX checksum offloading - removing the need +for the driver to do so. + +This scenario is currently not implemented in the driver and requires +correction. The necessary specification correction[1] has been made and +approved in the virtio TC vote. +[1] https://lists.oasis-open.org/archives/virtio-comment/202401/msg00011.html + +Fixes: 4f49129be6fa ("virtio-net: Set RXCSUM feature if GUEST_CSUM is available") +Signed-off-by: Heng Qi +Reviewed-by: Jiri Pirko +Acked-by: Jason Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/virtio_net.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c +index 574b052a517d7..633de371762b6 100644 +--- a/drivers/net/virtio_net.c ++++ b/drivers/net/virtio_net.c +@@ -4698,8 +4698,16 @@ static int virtnet_probe(struct virtio_device *vdev) + dev->features |= dev->hw_features & NETIF_F_ALL_TSO; + /* (!csum && gso) case will be fixed by register_netdev() */ + } +- if (virtio_has_feature(vdev, VIRTIO_NET_F_GUEST_CSUM)) +- dev->features |= NETIF_F_RXCSUM; ++ ++ /* 1. With VIRTIO_NET_F_GUEST_CSUM negotiation, the driver doesn't ++ * need to calculate checksums for partially checksummed packets, ++ * as they're considered valid by the upper layer. ++ * 2. Without VIRTIO_NET_F_GUEST_CSUM negotiation, the driver only ++ * receives fully checksummed packets. The device may assist in ++ * validating these packets' checksums, so the driver won't have to. ++ */ ++ dev->features |= NETIF_F_RXCSUM; ++ + if (virtio_has_feature(vdev, VIRTIO_NET_F_GUEST_TSO4) || + virtio_has_feature(vdev, VIRTIO_NET_F_GUEST_TSO6)) + dev->features |= NETIF_F_GRO_HW; +-- +2.43.0 + diff --git a/queue-6.9/virtio_net-fixing-xdp-for-fully-checksummed-packets-.patch b/queue-6.9/virtio_net-fixing-xdp-for-fully-checksummed-packets-.patch new file mode 100644 index 00000000000..ce6a37a2b5f --- /dev/null +++ b/queue-6.9/virtio_net-fixing-xdp-for-fully-checksummed-packets-.patch @@ -0,0 +1,88 @@ +From 4661913f6155bc04f6821f61be5c63278ddc5b10 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jun 2024 21:15:24 +0800 +Subject: virtio_net: fixing XDP for fully checksummed packets handling + +From: Heng Qi + +[ Upstream commit 703eec1b242276f2d97d98f04790ddad319ddde4 ] + +The XDP program can't correctly handle partially checksummed +packets, but works fine with fully checksummed packets. If the +device has already validated fully checksummed packets, then +the driver doesn't need to re-validate them, saving CPU resources. + +Additionally, the driver does not drop all partially checksummed +packets when VIRTIO_NET_F_GUEST_CSUM is not negotiated. This is +not a bug, as the driver has always done this. + +Fixes: 436c9453a1ac ("virtio-net: keep vnet header zeroed after processing XDP") +Signed-off-by: Heng Qi +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/virtio_net.c | 20 +++++++++++++++++++- + 1 file changed, 19 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c +index 633de371762b6..290bec2926463 100644 +--- a/drivers/net/virtio_net.c ++++ b/drivers/net/virtio_net.c +@@ -1225,6 +1225,10 @@ static struct sk_buff *receive_small_xdp(struct net_device *dev, + if (unlikely(hdr->hdr.gso_type)) + goto err_xdp; + ++ /* Partially checksummed packets must be dropped. */ ++ if (unlikely(hdr->hdr.flags & VIRTIO_NET_HDR_F_NEEDS_CSUM)) ++ goto err_xdp; ++ + buflen = SKB_DATA_ALIGN(GOOD_PACKET_LEN + headroom) + + SKB_DATA_ALIGN(sizeof(struct skb_shared_info)); + +@@ -1542,6 +1546,10 @@ static void *mergeable_xdp_get_buf(struct virtnet_info *vi, + if (unlikely(hdr->hdr.gso_type)) + return NULL; + ++ /* Partially checksummed packets must be dropped. */ ++ if (unlikely(hdr->hdr.flags & VIRTIO_NET_HDR_F_NEEDS_CSUM)) ++ return NULL; ++ + /* Now XDP core assumes frag size is PAGE_SIZE, but buffers + * with headroom may add hole in truesize, which + * make their length exceed PAGE_SIZE. So we disabled the +@@ -1808,6 +1816,7 @@ static void receive_buf(struct virtnet_info *vi, struct receive_queue *rq, + struct net_device *dev = vi->dev; + struct sk_buff *skb; + struct virtio_net_common_hdr *hdr; ++ u8 flags; + + if (unlikely(len < vi->hdr_len + ETH_HLEN)) { + pr_debug("%s: short packet %i\n", dev->name, len); +@@ -1816,6 +1825,15 @@ static void receive_buf(struct virtnet_info *vi, struct receive_queue *rq, + return; + } + ++ /* 1. Save the flags early, as the XDP program might overwrite them. ++ * These flags ensure packets marked as VIRTIO_NET_HDR_F_DATA_VALID ++ * stay valid after XDP processing. ++ * 2. XDP doesn't work with partially checksummed packets (refer to ++ * virtnet_xdp_set()), so packets marked as ++ * VIRTIO_NET_HDR_F_NEEDS_CSUM get dropped during XDP processing. ++ */ ++ flags = ((struct virtio_net_common_hdr *)buf)->hdr.flags; ++ + if (vi->mergeable_rx_bufs) + skb = receive_mergeable(dev, vi, rq, buf, ctx, len, xdp_xmit, + stats); +@@ -1831,7 +1849,7 @@ static void receive_buf(struct virtnet_info *vi, struct receive_queue *rq, + if (dev->features & NETIF_F_RXHASH && vi->has_rss_hash_report) + virtio_skb_set_hash(&hdr->hash_v1_hdr, skb); + +- if (hdr->hdr.flags & VIRTIO_NET_HDR_F_DATA_VALID) ++ if (flags & VIRTIO_NET_HDR_F_DATA_VALID) + skb->ip_summed = CHECKSUM_UNNECESSARY; + + if (virtio_net_hdr_to_skb(skb, &hdr->hdr, +-- +2.43.0 + diff --git a/queue-6.9/wifi-iwlwifi-mvm-fix-roc-version-check.patch b/queue-6.9/wifi-iwlwifi-mvm-fix-roc-version-check.patch new file mode 100644 index 00000000000..db3c0f79353 --- /dev/null +++ b/queue-6.9/wifi-iwlwifi-mvm-fix-roc-version-check.patch @@ -0,0 +1,40 @@ +From d2a9649b498708d266e274dbde7fea8007ceb652 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Jun 2024 14:05:05 +0300 +Subject: wifi: iwlwifi: mvm: fix ROC version check + +From: Shaul Triebitz + +[ Upstream commit 4c2bed6042fb6aca1d1d4f291f85461b1d5ac08c ] + +For using the ROC command, check that the ROC version +is *greater or equal* to 3, rather than *equal* to 3. +The ROC version was added to the TLV starting from +version 3. + +Fixes: 67ac248e4db0 ("wifi: iwlwifi: mvm: implement ROC version 3") +Signed-off-by: Shaul Triebitz +Signed-off-by: Miri Korenblit +Link: https://msgid.link/20240605140327.93d86cd188ad.Iceadef5a2f3cfa4a127e94a0405eba8342ec89c1@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c +index 2403ac2fcdc3b..5f6b16d3fc8a3 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c +@@ -4643,7 +4643,7 @@ static int iwl_mvm_roc_station(struct iwl_mvm *mvm, + + if (fw_ver == IWL_FW_CMD_VER_UNKNOWN) { + ret = iwl_mvm_send_aux_roc_cmd(mvm, channel, vif, duration); +- } else if (fw_ver == 3) { ++ } else if (fw_ver >= 3) { + ret = iwl_mvm_roc_add_cmd(mvm, channel, vif, duration, + ROC_ACTIVITY_HOTSPOT); + } else { +-- +2.43.0 + diff --git a/queue-6.9/wifi-mac80211-recalc-offload-when-monitor-stop.patch b/queue-6.9/wifi-mac80211-recalc-offload-when-monitor-stop.patch new file mode 100644 index 00000000000..d777faa86ba --- /dev/null +++ b/queue-6.9/wifi-mac80211-recalc-offload-when-monitor-stop.patch @@ -0,0 +1,42 @@ +From 9adf50bb552918d1280fabe7eda09c54c3524c50 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 18 May 2024 18:07:33 +0200 +Subject: wifi: mac80211: Recalc offload when monitor stop + +From: Remi Pommarel + +[ Upstream commit 7d09e17c0415fe6d946044c7e70bce31cda952ec ] + +When a monitor interface is started, ieee80211_recalc_offload() is +called and 802.11 encapsulation offloading support get disabled so +monitor interface could get native wifi frames directly. But when +this interface is stopped there is no need to keep the 802.11 +encpasulation offloading off. + +This call ieee80211_recalc_offload() when monitor interface is stopped +so 802.11 encapsulation offloading gets re-activated if possible. + +Fixes: 6aea26ce5a4c ("mac80211: rework tx encapsulation offload API") +Signed-off-by: Remi Pommarel +Link: https://msgid.link/840baab454f83718e6e16fd836ac597d924e85b9.1716048326.git.repk@triplefau.lt +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/iface.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c +index ef6b0fc82d022..d759ef2b88c24 100644 +--- a/net/mac80211/iface.c ++++ b/net/mac80211/iface.c +@@ -686,6 +686,7 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata, bool going_do + ieee80211_del_virtual_monitor(local); + + ieee80211_recalc_idle(local); ++ ieee80211_recalc_offload(local); + + if (!(sdata->u.mntr.flags & MONITOR_FLAG_ACTIVE)) + break; +-- +2.43.0 + diff --git a/queue-6.9/xfrm6-check-ip6_dst_idev-return-value-in-xfrm6_get_s.patch b/queue-6.9/xfrm6-check-ip6_dst_idev-return-value-in-xfrm6_get_s.patch new file mode 100644 index 00000000000..a65a6e6951a --- /dev/null +++ b/queue-6.9/xfrm6-check-ip6_dst_idev-return-value-in-xfrm6_get_s.patch @@ -0,0 +1,92 @@ +From d5df95883f4ed0768b76c7344ee0a622bbddf8ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 15 Jun 2024 15:42:31 +0000 +Subject: xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr() + +From: Eric Dumazet + +[ Upstream commit d46401052c2d5614da8efea5788532f0401cb164 ] + +ip6_dst_idev() can return NULL, xfrm6_get_saddr() must act accordingly. + +syzbot reported: + +Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI +KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] +CPU: 1 PID: 12 Comm: kworker/u8:1 Not tainted 6.10.0-rc2-syzkaller-00383-gb8481381d4e2 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024 +Workqueue: wg-kex-wg1 wg_packet_handshake_send_worker + RIP: 0010:xfrm6_get_saddr+0x93/0x130 net/ipv6/xfrm6_policy.c:64 +Code: df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 97 00 00 00 4c 8b ab d8 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 <80> 3c 02 00 0f 85 86 00 00 00 4d 8b 6d 00 e8 ca 13 47 01 48 b8 00 +RSP: 0018:ffffc90000117378 EFLAGS: 00010246 +RAX: dffffc0000000000 RBX: ffff88807b079dc0 RCX: ffffffff89a0d6d7 +RDX: 0000000000000000 RSI: ffffffff89a0d6e9 RDI: ffff88807b079e98 +RBP: ffff88807ad73248 R08: 0000000000000007 R09: fffffffffffff000 +R10: ffff88807b079dc0 R11: 0000000000000007 R12: ffffc90000117480 +R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 +FS: 0000000000000000(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f4586d00440 CR3: 0000000079042000 CR4: 00000000003506f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + xfrm_get_saddr net/xfrm/xfrm_policy.c:2452 [inline] + xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:2481 [inline] + xfrm_tmpl_resolve+0xa26/0xf10 net/xfrm/xfrm_policy.c:2541 + xfrm_resolve_and_create_bundle+0x140/0x2570 net/xfrm/xfrm_policy.c:2835 + xfrm_bundle_lookup net/xfrm/xfrm_policy.c:3070 [inline] + xfrm_lookup_with_ifid+0x4d1/0x1e60 net/xfrm/xfrm_policy.c:3201 + xfrm_lookup net/xfrm/xfrm_policy.c:3298 [inline] + xfrm_lookup_route+0x3b/0x200 net/xfrm/xfrm_policy.c:3309 + ip6_dst_lookup_flow+0x15c/0x1d0 net/ipv6/ip6_output.c:1256 + send6+0x611/0xd20 drivers/net/wireguard/socket.c:139 + wg_socket_send_skb_to_peer+0xf9/0x220 drivers/net/wireguard/socket.c:178 + wg_socket_send_buffer_to_peer+0x12b/0x190 drivers/net/wireguard/socket.c:200 + wg_packet_send_handshake_initiation+0x227/0x360 drivers/net/wireguard/send.c:40 + wg_packet_handshake_send_worker+0x1c/0x30 drivers/net/wireguard/send.c:51 + process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231 + process_scheduled_works kernel/workqueue.c:3312 [inline] + worker_thread+0x6c8/0xf70 kernel/workqueue.c:3393 + kthread+0x2c1/0x3a0 kernel/kthread.c:389 + ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Reviewed-by: David Ahern +Link: https://lore.kernel.org/r/20240615154231.234442-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/xfrm6_policy.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c +index ce48173c60e56..4332d4b82b1dc 100644 +--- a/net/ipv6/xfrm6_policy.c ++++ b/net/ipv6/xfrm6_policy.c +@@ -56,12 +56,18 @@ static int xfrm6_get_saddr(struct net *net, int oif, + { + struct dst_entry *dst; + struct net_device *dev; ++ struct inet6_dev *idev; + + dst = xfrm6_dst_lookup(net, 0, oif, NULL, daddr, mark); + if (IS_ERR(dst)) + return -EHOSTUNREACH; + +- dev = ip6_dst_idev(dst)->dev; ++ idev = ip6_dst_idev(dst); ++ if (!idev) { ++ dst_release(dst); ++ return -EHOSTUNREACH; ++ } ++ dev = idev->dev; + ipv6_dev_get_saddr(dev_net(dev), dev, &daddr->in6, 0, &saddr->in6); + dst_release(dst); + return 0; +-- +2.43.0 +