From 375fa77220c1dba8f0635e3fa7af1247d8b90f5a Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Mon, 28 Mar 2022 11:10:12 -0400 Subject: [PATCH] Fixes for 5.10 Signed-off-by: Sasha Levin --- ..._zero-flag-for-compose_sadb_supporte.patch | 43 +++++ ...arm-mstar-select-have_arm_arch_timer.patch | 36 +++++ ...om-c630-disable-crypto-due-to-serror.patch | 38 +++++ ...e-the-coherent-when-failing-in-probi.patch | 47 ++++++ ...t-regression-in-sysfs-gpio-gpiolib.c.patch | 60 +++++++ ...ch-dj-add-new-lightspeed-receiver-id.patch | 43 +++++ ...zinitix-do-not-report-shadow-fingers.patch | 150 ++++++++++++++++++ ...a-microchip-add-spi_device_id-tables.patch | 80 ++++++++++ ...platform_get_irq-to-get-the-interrup.patch | 60 +++++++ ...rt-regression-in-sysfs-gpio-gpiolib..patch | 61 +++++++ queue-5.10/series | 16 ++ ...i-fix-erroneous-sgs-value-with-min_t.patch | 59 +++++++ queue-5.10/spi-fix-invalid-sgs-value.patch | 47 ++++++ ...ols-virtio-fix-virtio_test-execution.patch | 38 +++++ ...-verify-ctrl_vq-feature-exists-for-m.patch | 81 ++++++++++ ...sole-break-out-of-buf-poll-on-remove.patch | 55 +++++++ ...-tunnel-model-fragmentation-behavior.patch | 115 ++++++++++++++ 17 files changed, 1029 insertions(+) create mode 100644 queue-5.10/af_key-add-__gfp_zero-flag-for-compose_sadb_supporte.patch create mode 100644 queue-5.10/arm-mstar-select-have_arm_arch_timer.patch create mode 100644 queue-5.10/arm64-dts-qcom-c630-disable-crypto-due-to-serror.patch create mode 100644 queue-5.10/ethernet-sun-free-the-coherent-when-failing-in-probi.patch create mode 100644 queue-5.10/gpio-revert-regression-in-sysfs-gpio-gpiolib.c.patch create mode 100644 queue-5.10/hid-logitech-dj-add-new-lightspeed-receiver-id.patch create mode 100644 queue-5.10/input-zinitix-do-not-report-shadow-fingers.patch create mode 100644 queue-5.10/net-dsa-microchip-add-spi_device_id-tables.patch create mode 100644 queue-5.10/net-mcf8390-use-platform_get_irq-to-get-the-interrup.patch create mode 100644 queue-5.10/revert-gpio-revert-regression-in-sysfs-gpio-gpiolib..patch create mode 100644 queue-5.10/spi-fix-erroneous-sgs-value-with-min_t.patch create mode 100644 queue-5.10/spi-fix-invalid-sgs-value.patch create mode 100644 queue-5.10/tools-virtio-fix-virtio_test-execution.patch create mode 100644 queue-5.10/vdpa-mlx5-should-verify-ctrl_vq-feature-exists-for-m.patch create mode 100644 queue-5.10/virtio_console-break-out-of-buf-poll-on-remove.patch create mode 100644 queue-5.10/xfrm-fix-tunnel-model-fragmentation-behavior.patch diff --git a/queue-5.10/af_key-add-__gfp_zero-flag-for-compose_sadb_supporte.patch b/queue-5.10/af_key-add-__gfp_zero-flag-for-compose_sadb_supporte.patch new file mode 100644 index 00000000000..25ccbd7af66 --- /dev/null +++ b/queue-5.10/af_key-add-__gfp_zero-flag-for-compose_sadb_supporte.patch @@ -0,0 +1,43 @@ +From 156993f1b50e83e9f3f6b8b3036ef3ebe70b0a73 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Mar 2022 11:20:28 +0800 +Subject: af_key: add __GFP_ZERO flag for compose_sadb_supported in function + pfkey_register + +From: Haimin Zhang + +[ Upstream commit 9a564bccb78a76740ea9d75a259942df8143d02c ] + +Add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register +to initialize the buffer of supp_skb to fix a kernel-info-leak issue. +1) Function pfkey_register calls compose_sadb_supported to request +a sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate +a sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then +compose_sadb_supported treats the memory as a struct sadb_supported and +begins to initialize. But it just initializes the field sadb_supported_len +and field sadb_supported_exttype without field sadb_supported_reserved. + +Reported-by: TCS Robot +Signed-off-by: Haimin Zhang +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/key/af_key.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/key/af_key.c b/net/key/af_key.c +index d1364b858fdf..bd9b5c573b5a 100644 +--- a/net/key/af_key.c ++++ b/net/key/af_key.c +@@ -1703,7 +1703,7 @@ static int pfkey_register(struct sock *sk, struct sk_buff *skb, const struct sad + + xfrm_probe_algs(); + +- supp_skb = compose_sadb_supported(hdr, GFP_KERNEL); ++ supp_skb = compose_sadb_supported(hdr, GFP_KERNEL | __GFP_ZERO); + if (!supp_skb) { + if (hdr->sadb_msg_satype != SADB_SATYPE_UNSPEC) + pfk->registered &= ~(1<sadb_msg_satype); +-- +2.34.1 + diff --git a/queue-5.10/arm-mstar-select-have_arm_arch_timer.patch b/queue-5.10/arm-mstar-select-have_arm_arch_timer.patch new file mode 100644 index 00000000000..4dc84131f83 --- /dev/null +++ b/queue-5.10/arm-mstar-select-have_arm_arch_timer.patch @@ -0,0 +1,36 @@ +From 323515a6f0ddbfd6b48321e54e378b1bcb37af51 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Mar 2022 19:43:49 +0900 +Subject: ARM: mstar: Select HAVE_ARM_ARCH_TIMER + +From: Daniel Palmer + +[ Upstream commit ea49432d184a6a09f84461604b7711a4e9f5ec9c ] + +The mstar SoCs have an arch timer but HAVE_ARM_ARCH_TIMER wasn't +selected. If MSC313E_TIMER isn't selected then the kernel gets +stuck at boot because there are no timers available. + +Signed-off-by: Daniel Palmer +Link: https://lore.kernel.org/r/20220301104349.3040422-1-daniel@0x0f.com' +Signed-off-by: Arnd Bergmann +Signed-off-by: Sasha Levin +--- + arch/arm/mach-mstar/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm/mach-mstar/Kconfig b/arch/arm/mach-mstar/Kconfig +index 576d1ab293c8..30560fdf87ed 100644 +--- a/arch/arm/mach-mstar/Kconfig ++++ b/arch/arm/mach-mstar/Kconfig +@@ -3,6 +3,7 @@ menuconfig ARCH_MSTARV7 + depends on ARCH_MULTI_V7 + select ARM_GIC + select ARM_HEAVY_MB ++ select HAVE_ARM_ARCH_TIMER + select MST_IRQ + help + Support for newer MStar/Sigmastar SoC families that are +-- +2.34.1 + diff --git a/queue-5.10/arm64-dts-qcom-c630-disable-crypto-due-to-serror.patch b/queue-5.10/arm64-dts-qcom-c630-disable-crypto-due-to-serror.patch new file mode 100644 index 00000000000..c276219011b --- /dev/null +++ b/queue-5.10/arm64-dts-qcom-c630-disable-crypto-due-to-serror.patch @@ -0,0 +1,38 @@ +From 615d7ef2457e4eb3d58e677822c0dc9d61539d26 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Nov 2021 22:52:32 -0500 +Subject: arm64: dts: qcom: c630: disable crypto due to serror + +From: Steev Klimaszewski + +[ Upstream commit 382e3e0eb6a83f1cf73d4dfa3448ade1ed721f22 ] + +Disable the crypto block due to it causing an SError in qce_start() on +the C630, which happens upon every boot when cryptomanager tests are +enabled. + +Signed-off-by: Steev Klimaszewski +[bjorn: Reworked commit message] +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20211105035235.2392-1-steev@kali.org +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/sdm850-lenovo-yoga-c630.dts | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/arch/arm64/boot/dts/qcom/sdm850-lenovo-yoga-c630.dts b/arch/arm64/boot/dts/qcom/sdm850-lenovo-yoga-c630.dts +index e080c317b5e3..08d0e67751ed 100644 +--- a/arch/arm64/boot/dts/qcom/sdm850-lenovo-yoga-c630.dts ++++ b/arch/arm64/boot/dts/qcom/sdm850-lenovo-yoga-c630.dts +@@ -618,3 +618,8 @@ + + qcom,snoc-host-cap-8bit-quirk; + }; ++ ++&crypto { ++ /* FIXME: qce_start triggers an SError */ ++ status= "disable"; ++}; +-- +2.34.1 + diff --git a/queue-5.10/ethernet-sun-free-the-coherent-when-failing-in-probi.patch b/queue-5.10/ethernet-sun-free-the-coherent-when-failing-in-probi.patch new file mode 100644 index 00000000000..76b7ef737fc --- /dev/null +++ b/queue-5.10/ethernet-sun-free-the-coherent-when-failing-in-probi.patch @@ -0,0 +1,47 @@ +From 488091401dd85c81f2852234eab23aa8cd5b2822 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Mar 2022 14:55:04 +0000 +Subject: ethernet: sun: Free the coherent when failing in probing + +From: Zheyu Ma + +[ Upstream commit bb77bd31c281f70ec77c9c4f584950a779e05cf8 ] + +When the driver fails to register net device, it should free the DMA +region first, and then do other cleanup. + +Signed-off-by: Zheyu Ma +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/sun/sunhme.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/sun/sunhme.c b/drivers/net/ethernet/sun/sunhme.c +index 54b53dbdb33c..69fc47089e62 100644 +--- a/drivers/net/ethernet/sun/sunhme.c ++++ b/drivers/net/ethernet/sun/sunhme.c +@@ -3163,7 +3163,7 @@ static int happy_meal_pci_probe(struct pci_dev *pdev, + if (err) { + printk(KERN_ERR "happymeal(PCI): Cannot register net device, " + "aborting.\n"); +- goto err_out_iounmap; ++ goto err_out_free_coherent; + } + + pci_set_drvdata(pdev, hp); +@@ -3196,6 +3196,10 @@ static int happy_meal_pci_probe(struct pci_dev *pdev, + + return 0; + ++err_out_free_coherent: ++ dma_free_coherent(hp->dma_dev, PAGE_SIZE, ++ hp->happy_block, hp->hblock_dvma); ++ + err_out_iounmap: + iounmap(hp->gregs); + +-- +2.34.1 + diff --git a/queue-5.10/gpio-revert-regression-in-sysfs-gpio-gpiolib.c.patch b/queue-5.10/gpio-revert-regression-in-sysfs-gpio-gpiolib.c.patch new file mode 100644 index 00000000000..f64ffb49070 --- /dev/null +++ b/queue-5.10/gpio-revert-regression-in-sysfs-gpio-gpiolib.c.patch @@ -0,0 +1,60 @@ +From 72908756e3b4c6a44dcf6add2e12ad927890b877 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Mar 2022 10:57:24 +0100 +Subject: gpio: Revert regression in sysfs-gpio (gpiolib.c) + +From: Marcelo Roberto Jimenez + +[ Upstream commit fc328a7d1fcce263db0b046917a66f3aa6e68719 ] + +Some GPIO lines have stopped working after the patch +commit 2ab73c6d8323f ("gpio: Support GPIO controllers without pin-ranges") + +And this has supposedly been fixed in the following patches +commit 89ad556b7f96a ("gpio: Avoid using pin ranges with !PINCTRL") +commit 6dbbf84603961 ("gpiolib: Don't free if pin ranges are not defined") + +But an erratic behavior where some GPIO lines work while others do not work +has been introduced. + +This patch reverts those changes so that the sysfs-gpio interface works +properly again. + +Signed-off-by: Marcelo Roberto Jimenez +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpiolib.c | 10 ---------- + 1 file changed, 10 deletions(-) + +diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c +index 00526fdd7691..bbf34d84636d 100644 +--- a/drivers/gpio/gpiolib.c ++++ b/drivers/gpio/gpiolib.c +@@ -1804,11 +1804,6 @@ static inline void gpiochip_irqchip_free_valid_mask(struct gpio_chip *gc) + */ + int gpiochip_generic_request(struct gpio_chip *gc, unsigned offset) + { +-#ifdef CONFIG_PINCTRL +- if (list_empty(&gc->gpiodev->pin_ranges)) +- return 0; +-#endif +- + return pinctrl_gpio_request(gc->gpiodev->base + offset); + } + EXPORT_SYMBOL_GPL(gpiochip_generic_request); +@@ -1820,11 +1815,6 @@ EXPORT_SYMBOL_GPL(gpiochip_generic_request); + */ + void gpiochip_generic_free(struct gpio_chip *gc, unsigned offset) + { +-#ifdef CONFIG_PINCTRL +- if (list_empty(&gc->gpiodev->pin_ranges)) +- return; +-#endif +- + pinctrl_gpio_free(gc->gpiodev->base + offset); + } + EXPORT_SYMBOL_GPL(gpiochip_generic_free); +-- +2.34.1 + diff --git a/queue-5.10/hid-logitech-dj-add-new-lightspeed-receiver-id.patch b/queue-5.10/hid-logitech-dj-add-new-lightspeed-receiver-id.patch new file mode 100644 index 00000000000..0e39fff32bf --- /dev/null +++ b/queue-5.10/hid-logitech-dj-add-new-lightspeed-receiver-id.patch @@ -0,0 +1,43 @@ +From 85752506d240890fa83bc65d3a67b57700ae1080 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Jan 2022 11:44:00 -0300 +Subject: HID: logitech-dj: add new lightspeed receiver id + +From: Lucas Zampieri + +[ Upstream commit 25666e8ccd952627899b09b68f7c9b68cfeaf028 ] + +As of logitech lightspeed receiver fw version 04.02.B0009, +HIDPP_PARAM_DEVICE_INFO is being reported as 0x11. + +With patch "HID: logitech-dj: add support for the new lightspeed receiver +iteration", the mouse starts to error out with: + logitech-djreceiver: unusable device of type UNKNOWN (0x011) connected on + slot 1 +and becomes unusable. + +This has been noticed on a Logitech G Pro X Superlight fw MPM 25.01.B0018. + +Signed-off-by: Lucas Zampieri +Acked-by: Nestor Lopez Casado +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-logitech-dj.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/hid/hid-logitech-dj.c b/drivers/hid/hid-logitech-dj.c +index a311b0a33eba..587259b3db97 100644 +--- a/drivers/hid/hid-logitech-dj.c ++++ b/drivers/hid/hid-logitech-dj.c +@@ -1000,6 +1000,7 @@ static void logi_hidpp_recv_queue_notif(struct hid_device *hdev, + workitem.reports_supported |= STD_KEYBOARD; + break; + case 0x0f: ++ case 0x11: + device_type = "eQUAD Lightspeed 1.2"; + logi_hidpp_dev_conn_notif_equad(hdev, hidpp_report, &workitem); + workitem.reports_supported |= STD_KEYBOARD; +-- +2.34.1 + diff --git a/queue-5.10/input-zinitix-do-not-report-shadow-fingers.patch b/queue-5.10/input-zinitix-do-not-report-shadow-fingers.patch new file mode 100644 index 00000000000..493ea3dfd0f --- /dev/null +++ b/queue-5.10/input-zinitix-do-not-report-shadow-fingers.patch @@ -0,0 +1,150 @@ +From de106b8a01f85f24b686ebeb5899aeb56ee8343e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Mar 2022 13:17:33 -0800 +Subject: Input: zinitix - do not report shadow fingers + +From: Linus Walleij + +[ Upstream commit e941dc13fd3717122207d74539ab95da07ef797f ] + +I observed the following problem with the BT404 touch pad +running the Phosh UI: + +When e.g. typing on the virtual keyboard pressing "g" would +produce "ggg". + +After some analysis it turns out the firmware reports that three +fingers hit that coordinate at the same time, finger 0, 2 and +4 (of the five available 0,1,2,3,4). + +DOWN + Zinitix-TS 3-0020: finger 0 down (246, 395) + Zinitix-TS 3-0020: finger 1 up (0, 0) + Zinitix-TS 3-0020: finger 2 down (246, 395) + Zinitix-TS 3-0020: finger 3 up (0, 0) + Zinitix-TS 3-0020: finger 4 down (246, 395) +UP + Zinitix-TS 3-0020: finger 0 up (246, 395) + Zinitix-TS 3-0020: finger 2 up (246, 395) + Zinitix-TS 3-0020: finger 4 up (246, 395) + +This is one touch and release: i.e. this is all reported on +touch (down) and release. + +There is a field in the struct touch_event called finger_cnt +which is actually a bitmask of the fingers active in the +event. + +Rename this field finger_mask as this matches the use contents +better, then use for_each_set_bit() to iterate over just the +fingers that are actally active. + +Factor out a finger reporting function zinitix_report_fingers() +to handle all fingers. + +Also be more careful in reporting finger down/up: we were +reporting every event with input_mt_report_slot_state(..., true); +but this should only be reported on finger down or move, +not on finger up, so also add code to check p->sub_status +to see what is happening and report correctly. + +After this my Zinitix BT404 touchscreen report fingers +flawlessly. + +The vendor drive I have notably does not use the "finger_cnt" +and contains obviously incorrect code like this: + + if (touch_dev->touch_info.finger_cnt > MAX_SUPPORTED_FINGER_NUM) + touch_dev->touch_info.finger_cnt = MAX_SUPPORTED_FINGER_NUM; + +As MAX_SUPPORTED_FINGER_NUM is an ordinal and the field is +a bitmask this seems quite confused. + +Signed-off-by: Linus Walleij +Link: https://lore.kernel.org/r/20220228233017.2270599-1-linus.walleij@linaro.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/touchscreen/zinitix.c | 44 +++++++++++++++++++++++------ + 1 file changed, 35 insertions(+), 9 deletions(-) + +diff --git a/drivers/input/touchscreen/zinitix.c b/drivers/input/touchscreen/zinitix.c +index 6df6f07f1ac6..17b10b81c713 100644 +--- a/drivers/input/touchscreen/zinitix.c ++++ b/drivers/input/touchscreen/zinitix.c +@@ -135,7 +135,7 @@ struct point_coord { + + struct touch_event { + __le16 status; +- u8 finger_cnt; ++ u8 finger_mask; + u8 time_stamp; + struct point_coord point_coord[MAX_SUPPORTED_FINGER_NUM]; + }; +@@ -311,11 +311,32 @@ static int zinitix_send_power_on_sequence(struct bt541_ts_data *bt541) + static void zinitix_report_finger(struct bt541_ts_data *bt541, int slot, + const struct point_coord *p) + { ++ u16 x, y; ++ ++ if (unlikely(!(p->sub_status & ++ (SUB_BIT_UP | SUB_BIT_DOWN | SUB_BIT_MOVE)))) { ++ dev_dbg(&bt541->client->dev, "unknown finger event %#02x\n", ++ p->sub_status); ++ return; ++ } ++ ++ x = le16_to_cpu(p->x); ++ y = le16_to_cpu(p->y); ++ + input_mt_slot(bt541->input_dev, slot); +- input_mt_report_slot_state(bt541->input_dev, MT_TOOL_FINGER, true); +- touchscreen_report_pos(bt541->input_dev, &bt541->prop, +- le16_to_cpu(p->x), le16_to_cpu(p->y), true); +- input_report_abs(bt541->input_dev, ABS_MT_TOUCH_MAJOR, p->width); ++ if (input_mt_report_slot_state(bt541->input_dev, MT_TOOL_FINGER, ++ !(p->sub_status & SUB_BIT_UP))) { ++ touchscreen_report_pos(bt541->input_dev, ++ &bt541->prop, x, y, true); ++ input_report_abs(bt541->input_dev, ++ ABS_MT_TOUCH_MAJOR, p->width); ++ dev_dbg(&bt541->client->dev, "finger %d %s (%u, %u)\n", ++ slot, p->sub_status & SUB_BIT_DOWN ? "down" : "move", ++ x, y); ++ } else { ++ dev_dbg(&bt541->client->dev, "finger %d up (%u, %u)\n", ++ slot, x, y); ++ } + } + + static irqreturn_t zinitix_ts_irq_handler(int irq, void *bt541_handler) +@@ -323,6 +344,7 @@ static irqreturn_t zinitix_ts_irq_handler(int irq, void *bt541_handler) + struct bt541_ts_data *bt541 = bt541_handler; + struct i2c_client *client = bt541->client; + struct touch_event touch_event; ++ unsigned long finger_mask; + int error; + int i; + +@@ -335,10 +357,14 @@ static irqreturn_t zinitix_ts_irq_handler(int irq, void *bt541_handler) + goto out; + } + +- for (i = 0; i < MAX_SUPPORTED_FINGER_NUM; i++) +- if (touch_event.point_coord[i].sub_status & SUB_BIT_EXIST) +- zinitix_report_finger(bt541, i, +- &touch_event.point_coord[i]); ++ finger_mask = touch_event.finger_mask; ++ for_each_set_bit(i, &finger_mask, MAX_SUPPORTED_FINGER_NUM) { ++ const struct point_coord *p = &touch_event.point_coord[i]; ++ ++ /* Only process contacts that are actually reported */ ++ if (p->sub_status & SUB_BIT_EXIST) ++ zinitix_report_finger(bt541, i, p); ++ } + + input_mt_sync_frame(bt541->input_dev); + input_sync(bt541->input_dev); +-- +2.34.1 + diff --git a/queue-5.10/net-dsa-microchip-add-spi_device_id-tables.patch b/queue-5.10/net-dsa-microchip-add-spi_device_id-tables.patch new file mode 100644 index 00000000000..7e78c5c0927 --- /dev/null +++ b/queue-5.10/net-dsa-microchip-add-spi_device_id-tables.patch @@ -0,0 +1,80 @@ +From fb877d6b01c23e6c321388936822cc58a62d781f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Mar 2022 13:17:16 +0200 +Subject: net: dsa: microchip: add spi_device_id tables + +From: Claudiu Beznea + +[ Upstream commit e981bc74aefc6a177b50c16cfa7023599799cf74 ] + +Add spi_device_id tables to avoid logs like "SPI driver ksz9477-switch +has no spi_device_id". + +Signed-off-by: Claudiu Beznea +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/microchip/ksz8795_spi.c | 11 +++++++++++ + drivers/net/dsa/microchip/ksz9477_spi.c | 12 ++++++++++++ + 2 files changed, 23 insertions(+) + +diff --git a/drivers/net/dsa/microchip/ksz8795_spi.c b/drivers/net/dsa/microchip/ksz8795_spi.c +index 8b00f8e6c02f..5639c5c59e25 100644 +--- a/drivers/net/dsa/microchip/ksz8795_spi.c ++++ b/drivers/net/dsa/microchip/ksz8795_spi.c +@@ -86,12 +86,23 @@ static const struct of_device_id ksz8795_dt_ids[] = { + }; + MODULE_DEVICE_TABLE(of, ksz8795_dt_ids); + ++static const struct spi_device_id ksz8795_spi_ids[] = { ++ { "ksz8765" }, ++ { "ksz8794" }, ++ { "ksz8795" }, ++ { "ksz8863" }, ++ { "ksz8873" }, ++ { }, ++}; ++MODULE_DEVICE_TABLE(spi, ksz8795_spi_ids); ++ + static struct spi_driver ksz8795_spi_driver = { + .driver = { + .name = "ksz8795-switch", + .owner = THIS_MODULE, + .of_match_table = of_match_ptr(ksz8795_dt_ids), + }, ++ .id_table = ksz8795_spi_ids, + .probe = ksz8795_spi_probe, + .remove = ksz8795_spi_remove, + .shutdown = ksz8795_spi_shutdown, +diff --git a/drivers/net/dsa/microchip/ksz9477_spi.c b/drivers/net/dsa/microchip/ksz9477_spi.c +index 1142768969c2..9bda83d063e8 100644 +--- a/drivers/net/dsa/microchip/ksz9477_spi.c ++++ b/drivers/net/dsa/microchip/ksz9477_spi.c +@@ -88,12 +88,24 @@ static const struct of_device_id ksz9477_dt_ids[] = { + }; + MODULE_DEVICE_TABLE(of, ksz9477_dt_ids); + ++static const struct spi_device_id ksz9477_spi_ids[] = { ++ { "ksz9477" }, ++ { "ksz9897" }, ++ { "ksz9893" }, ++ { "ksz9563" }, ++ { "ksz8563" }, ++ { "ksz9567" }, ++ { }, ++}; ++MODULE_DEVICE_TABLE(spi, ksz9477_spi_ids); ++ + static struct spi_driver ksz9477_spi_driver = { + .driver = { + .name = "ksz9477-switch", + .owner = THIS_MODULE, + .of_match_table = of_match_ptr(ksz9477_dt_ids), + }, ++ .id_table = ksz9477_spi_ids, + .probe = ksz9477_spi_probe, + .remove = ksz9477_spi_remove, + .shutdown = ksz9477_spi_shutdown, +-- +2.34.1 + diff --git a/queue-5.10/net-mcf8390-use-platform_get_irq-to-get-the-interrup.patch b/queue-5.10/net-mcf8390-use-platform_get_irq-to-get-the-interrup.patch new file mode 100644 index 00000000000..2c7483ff062 --- /dev/null +++ b/queue-5.10/net-mcf8390-use-platform_get_irq-to-get-the-interrup.patch @@ -0,0 +1,60 @@ +From 1f4ceaee3d9cb1b262b62d7c87797208cff2d07c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Mar 2022 06:43:09 +0000 +Subject: net:mcf8390: Use platform_get_irq() to get the interrupt + +From: Minghao Chi (CGEL ZTE) + +[ Upstream commit 2a760554dcba450d3ad61b32375b50ed6d59a87c ] + +It is not recommened to use platform_get_resource(pdev, IORESOURCE_IRQ) +for requesting IRQ's resources any more, as they can be not ready yet in +case of DT-booting. + +platform_get_irq() instead is a recommended way for getting IRQ even if +it was not retrieved earlier. + +It also makes code simpler because we're getting "int" value right away +and no conversion from resource to int is required. + +Reported-by: Zeal Robot +Signed-off-by: Minghao Chi (CGEL ZTE) +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/8390/mcf8390.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/8390/mcf8390.c b/drivers/net/ethernet/8390/mcf8390.c +index 4ad8031ab669..065fdbe66c42 100644 +--- a/drivers/net/ethernet/8390/mcf8390.c ++++ b/drivers/net/ethernet/8390/mcf8390.c +@@ -406,12 +406,12 @@ static int mcf8390_init(struct net_device *dev) + static int mcf8390_probe(struct platform_device *pdev) + { + struct net_device *dev; +- struct resource *mem, *irq; ++ struct resource *mem; + resource_size_t msize; +- int ret; ++ int ret, irq; + +- irq = platform_get_resource(pdev, IORESOURCE_IRQ, 0); +- if (irq == NULL) { ++ irq = platform_get_irq(pdev, 0); ++ if (irq < 0) { + dev_err(&pdev->dev, "no IRQ specified?\n"); + return -ENXIO; + } +@@ -434,7 +434,7 @@ static int mcf8390_probe(struct platform_device *pdev) + SET_NETDEV_DEV(dev, &pdev->dev); + platform_set_drvdata(pdev, dev); + +- dev->irq = irq->start; ++ dev->irq = irq; + dev->base_addr = mem->start; + + ret = mcf8390_init(dev); +-- +2.34.1 + diff --git a/queue-5.10/revert-gpio-revert-regression-in-sysfs-gpio-gpiolib..patch b/queue-5.10/revert-gpio-revert-regression-in-sysfs-gpio-gpiolib..patch new file mode 100644 index 00000000000..dba6880cca2 --- /dev/null +++ b/queue-5.10/revert-gpio-revert-regression-in-sysfs-gpio-gpiolib..patch @@ -0,0 +1,61 @@ +From 6e697cb9d79942a57293a12f0ecbb1b6502ffe4b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Mar 2022 17:52:05 +0100 +Subject: Revert "gpio: Revert regression in sysfs-gpio (gpiolib.c)" + +From: Bartosz Golaszewski + +[ Upstream commit 56e337f2cf1326323844927a04e9dbce9a244835 ] + +This reverts commit fc328a7d1fcce263db0b046917a66f3aa6e68719. + +This commit - while attempting to fix a regression - has caused a number +of other problems. As the fallout from it is more significant than the +initial problem itself, revert it for now before we find a correct +solution. + +Link: https://lore.kernel.org/all/20220314192522.GA3031157@roeck-us.net/ +Link: https://lore.kernel.org/stable/20220314155509.552218-1-michael@walle.cc/ +Link: https://lore.kernel.org/all/20211217153555.9413-1-marcelo.jimenez@gmail.com/ +Signed-off-by: Bartosz Golaszewski +Reported-and-bisected-by: Guenter Roeck +Reported-by: Michael Walle +Cc: Thorsten Leemhuis +Cc: Marcelo Roberto Jimenez +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpiolib.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c +index bbf34d84636d..00526fdd7691 100644 +--- a/drivers/gpio/gpiolib.c ++++ b/drivers/gpio/gpiolib.c +@@ -1804,6 +1804,11 @@ static inline void gpiochip_irqchip_free_valid_mask(struct gpio_chip *gc) + */ + int gpiochip_generic_request(struct gpio_chip *gc, unsigned offset) + { ++#ifdef CONFIG_PINCTRL ++ if (list_empty(&gc->gpiodev->pin_ranges)) ++ return 0; ++#endif ++ + return pinctrl_gpio_request(gc->gpiodev->base + offset); + } + EXPORT_SYMBOL_GPL(gpiochip_generic_request); +@@ -1815,6 +1820,11 @@ EXPORT_SYMBOL_GPL(gpiochip_generic_request); + */ + void gpiochip_generic_free(struct gpio_chip *gc, unsigned offset) + { ++#ifdef CONFIG_PINCTRL ++ if (list_empty(&gc->gpiodev->pin_ranges)) ++ return; ++#endif ++ + pinctrl_gpio_free(gc->gpiodev->base + offset); + } + EXPORT_SYMBOL_GPL(gpiochip_generic_free); +-- +2.34.1 + diff --git a/queue-5.10/series b/queue-5.10/series index b3f6be98d6c..3bbae40a191 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -3,3 +3,19 @@ usb-serial-pl2303-add-ibm-device-ids.patch usb-serial-simple-add-nokia-phone-driver.patch hv-utils-add-ptp_1588_clock-to-kconfig-to-fix-build.patch netdevice-add-the-case-if-dev-is-null.patch +arm64-dts-qcom-c630-disable-crypto-due-to-serror.patch +hid-logitech-dj-add-new-lightspeed-receiver-id.patch +xfrm-fix-tunnel-model-fragmentation-behavior.patch +arm-mstar-select-have_arm_arch_timer.patch +virtio_console-break-out-of-buf-poll-on-remove.patch +vdpa-mlx5-should-verify-ctrl_vq-feature-exists-for-m.patch +tools-virtio-fix-virtio_test-execution.patch +ethernet-sun-free-the-coherent-when-failing-in-probi.patch +gpio-revert-regression-in-sysfs-gpio-gpiolib.c.patch +spi-fix-invalid-sgs-value.patch +net-mcf8390-use-platform_get_irq-to-get-the-interrup.patch +revert-gpio-revert-regression-in-sysfs-gpio-gpiolib..patch +spi-fix-erroneous-sgs-value-with-min_t.patch +input-zinitix-do-not-report-shadow-fingers.patch +af_key-add-__gfp_zero-flag-for-compose_sadb_supporte.patch +net-dsa-microchip-add-spi_device_id-tables.patch diff --git a/queue-5.10/spi-fix-erroneous-sgs-value-with-min_t.patch b/queue-5.10/spi-fix-erroneous-sgs-value-with-min_t.patch new file mode 100644 index 00000000000..db536f4c537 --- /dev/null +++ b/queue-5.10/spi-fix-erroneous-sgs-value-with-min_t.patch @@ -0,0 +1,59 @@ +From 5af6db678d65209c8f740ba30f97b5da09ddac1c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Mar 2022 17:53:17 +0000 +Subject: spi: Fix erroneous sgs value with min_t() + +From: Biju Das + +[ Upstream commit ebc4cb43ea5ada3db46c80156fca58a54b9bbca8 ] + +While computing sgs in spi_map_buf(), the data type +used in min_t() for max_seg_size is 'unsigned int' where +as that of ctlr->max_dma_len is 'size_t'. + +min_t(unsigned int,x,y) gives wrong results if one of x/y is +'size_t' + +Consider the below examples on a 64-bit machine (ie size_t is +64-bits, and unsigned int is 32-bit). + case 1) min_t(unsigned int, 5, 0x100000001); + case 2) min_t(size_t, 5, 0x100000001); + +Case 1 returns '1', where as case 2 returns '5'. As you can see +the result from case 1 is wrong. + +This patch fixes the above issue by using the data type of the +parameters that are used in min_t with maximum data length. + +Fixes: commit 1a4e53d2fc4f68aa ("spi: Fix invalid sgs value") +Reported-by: Linus Torvalds +Suggested-by: Geert Uytterhoeven +Signed-off-by: Biju Das +Reviewed-by: Lad Prabhakar +Link: https://lore.kernel.org/r/20220316175317.465-1-biju.das.jz@bp.renesas.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c +index 2396565fc91b..6ea7b286c80c 100644 +--- a/drivers/spi/spi.c ++++ b/drivers/spi/spi.c +@@ -881,10 +881,10 @@ int spi_map_buf(struct spi_controller *ctlr, struct device *dev, + int i, ret; + + if (vmalloced_buf || kmap_buf) { +- desc_len = min_t(unsigned int, max_seg_size, PAGE_SIZE); ++ desc_len = min_t(unsigned long, max_seg_size, PAGE_SIZE); + sgs = DIV_ROUND_UP(len + offset_in_page(buf), desc_len); + } else if (virt_addr_valid(buf)) { +- desc_len = min_t(unsigned int, max_seg_size, ctlr->max_dma_len); ++ desc_len = min_t(size_t, max_seg_size, ctlr->max_dma_len); + sgs = DIV_ROUND_UP(len, desc_len); + } else { + return -EINVAL; +-- +2.34.1 + diff --git a/queue-5.10/spi-fix-invalid-sgs-value.patch b/queue-5.10/spi-fix-invalid-sgs-value.patch new file mode 100644 index 00000000000..8543fb05674 --- /dev/null +++ b/queue-5.10/spi-fix-invalid-sgs-value.patch @@ -0,0 +1,47 @@ +From 961983d5c06215efaf5b249b188090a3309d7a5d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Mar 2022 18:48:43 +0000 +Subject: spi: Fix invalid sgs value + +From: Biju Das + +[ Upstream commit 1a4e53d2fc4f68aa654ad96d13ad042e1a8e8a7d ] + +max_seg_size is unsigned int and it can have a value up to 2^32 +(for eg:-RZ_DMAC driver sets dma_set_max_seg_size as U32_MAX) +When this value is used in min_t() as an integer type, it becomes +-1 and the value of sgs becomes 0. + +Fix this issue by replacing the 'int' data type with 'unsigned int' +in min_t(). + +Signed-off-by: Biju Das +Reviewed-by: Lad Prabhakar +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20220307184843.9994-1-biju.das.jz@bp.renesas.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c +index 8c261eac2cee..2396565fc91b 100644 +--- a/drivers/spi/spi.c ++++ b/drivers/spi/spi.c +@@ -881,10 +881,10 @@ int spi_map_buf(struct spi_controller *ctlr, struct device *dev, + int i, ret; + + if (vmalloced_buf || kmap_buf) { +- desc_len = min_t(int, max_seg_size, PAGE_SIZE); ++ desc_len = min_t(unsigned int, max_seg_size, PAGE_SIZE); + sgs = DIV_ROUND_UP(len + offset_in_page(buf), desc_len); + } else if (virt_addr_valid(buf)) { +- desc_len = min_t(int, max_seg_size, ctlr->max_dma_len); ++ desc_len = min_t(unsigned int, max_seg_size, ctlr->max_dma_len); + sgs = DIV_ROUND_UP(len, desc_len); + } else { + return -EINVAL; +-- +2.34.1 + diff --git a/queue-5.10/tools-virtio-fix-virtio_test-execution.patch b/queue-5.10/tools-virtio-fix-virtio_test-execution.patch new file mode 100644 index 00000000000..24f02464de5 --- /dev/null +++ b/queue-5.10/tools-virtio-fix-virtio_test-execution.patch @@ -0,0 +1,38 @@ +From 93ff2cc3e76255a20580cf6f423aaf38e9265c7b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Jan 2022 16:06:31 +0100 +Subject: tools/virtio: fix virtio_test execution + +From: Stefano Garzarella + +[ Upstream commit 32f1b53fe8f03d962423ba81f8e92af5839814da ] + +virtio_test hangs on __vring_new_virtqueue() because `vqs_list_lock` +is not initialized. + +Let's initialize it in vdev_info_init(). + +Signed-off-by: Stefano Garzarella +Link: https://lore.kernel.org/r/20220118150631.167015-1-sgarzare@redhat.com +Signed-off-by: Michael S. Tsirkin +Acked-by: Jason Wang +Signed-off-by: Sasha Levin +--- + tools/virtio/virtio_test.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/virtio/virtio_test.c b/tools/virtio/virtio_test.c +index cb3f29c09aff..23f142af544a 100644 +--- a/tools/virtio/virtio_test.c ++++ b/tools/virtio/virtio_test.c +@@ -130,6 +130,7 @@ static void vdev_info_init(struct vdev_info* dev, unsigned long long features) + memset(dev, 0, sizeof *dev); + dev->vdev.features = features; + INIT_LIST_HEAD(&dev->vdev.vqs); ++ spin_lock_init(&dev->vdev.vqs_list_lock); + dev->buf_size = 1024; + dev->buf = malloc(dev->buf_size); + assert(dev->buf); +-- +2.34.1 + diff --git a/queue-5.10/vdpa-mlx5-should-verify-ctrl_vq-feature-exists-for-m.patch b/queue-5.10/vdpa-mlx5-should-verify-ctrl_vq-feature-exists-for-m.patch new file mode 100644 index 00000000000..e6fd121217e --- /dev/null +++ b/queue-5.10/vdpa-mlx5-should-verify-ctrl_vq-feature-exists-for-m.patch @@ -0,0 +1,81 @@ +From 66ac7fad08c32ac4ddb6abbb666bd6a15286b4f0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Jan 2022 19:28:00 -0500 +Subject: vdpa/mlx5: should verify CTRL_VQ feature exists for MQ + +From: Si-Wei Liu + +[ Upstream commit 30c22f3816ffef8aa21a000e93c4ee1402a6ea65 ] + +Per VIRTIO v1.1 specification, section 5.1.3.1 Feature bit requirements: +"VIRTIO_NET_F_MQ Requires VIRTIO_NET_F_CTRL_VQ". + +There's assumption in the mlx5_vdpa multiqueue code that MQ must come +together with CTRL_VQ. However, there's nowhere in the upper layer to +guarantee this assumption would hold. Were there an untrusted driver +sending down MQ without CTRL_VQ, it would compromise various spots for +e.g. is_index_valid() and is_ctrl_vq_idx(). Although this doesn't end +up with immediate panic or security loophole as of today's code, the +chance for this to be taken advantage of due to future code change is +not zero. + +Harden the crispy assumption by failing the set_driver_features() call +when seeing (MQ && !CTRL_VQ). For that end, verify_min_features() is +renamed to verify_driver_features() to reflect the fact that it now does +more than just validate the minimum features. verify_driver_features() +is now used to accommodate various checks against the driver features +for set_driver_features(). + +Signed-off-by: Si-Wei Liu +Link: https://lore.kernel.org/r/1642206481-30721-3-git-send-email-si-wei.liu@oracle.com +Signed-off-by: Michael S. Tsirkin +Reviewed-by: Eli Cohen +Acked-by: Jason Wang +Signed-off-by: Sasha Levin +--- + drivers/vdpa/mlx5/net/mlx5_vnet.c | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +diff --git a/drivers/vdpa/mlx5/net/mlx5_vnet.c b/drivers/vdpa/mlx5/net/mlx5_vnet.c +index 65d6f8fd81e7..577ff786f11b 100644 +--- a/drivers/vdpa/mlx5/net/mlx5_vnet.c ++++ b/drivers/vdpa/mlx5/net/mlx5_vnet.c +@@ -1482,11 +1482,25 @@ static u64 mlx5_vdpa_get_features(struct vdpa_device *vdev) + return ndev->mvdev.mlx_features; + } + +-static int verify_min_features(struct mlx5_vdpa_dev *mvdev, u64 features) ++static int verify_driver_features(struct mlx5_vdpa_dev *mvdev, u64 features) + { ++ /* Minimum features to expect */ + if (!(features & BIT_ULL(VIRTIO_F_ACCESS_PLATFORM))) + return -EOPNOTSUPP; + ++ /* Double check features combination sent down by the driver. ++ * Fail invalid features due to absence of the depended feature. ++ * ++ * Per VIRTIO v1.1 specification, section 5.1.3.1 Feature bit ++ * requirements: "VIRTIO_NET_F_MQ Requires VIRTIO_NET_F_CTRL_VQ". ++ * By failing the invalid features sent down by untrusted drivers, ++ * we're assured the assumption made upon is_index_valid() and ++ * is_ctrl_vq_idx() will not be compromised. ++ */ ++ if ((features & (BIT_ULL(VIRTIO_NET_F_MQ) | BIT_ULL(VIRTIO_NET_F_CTRL_VQ))) == ++ BIT_ULL(VIRTIO_NET_F_MQ)) ++ return -EINVAL; ++ + return 0; + } + +@@ -1544,7 +1558,7 @@ static int mlx5_vdpa_set_features(struct vdpa_device *vdev, u64 features) + + print_features(mvdev, features, true); + +- err = verify_min_features(mvdev, features); ++ err = verify_driver_features(mvdev, features); + if (err) + return err; + +-- +2.34.1 + diff --git a/queue-5.10/virtio_console-break-out-of-buf-poll-on-remove.patch b/queue-5.10/virtio_console-break-out-of-buf-poll-on-remove.patch new file mode 100644 index 00000000000..5e381b722b3 --- /dev/null +++ b/queue-5.10/virtio_console-break-out-of-buf-poll-on-remove.patch @@ -0,0 +1,55 @@ +From dd1e212ea8840dc519978d248c1eec0bc9271b4f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Oct 2021 03:04:10 -0400 +Subject: virtio_console: break out of buf poll on remove + +From: Michael S. Tsirkin + +[ Upstream commit 0e7174b9d5877130fec41fb4a16e0c2ee4958d44 ] + +A common pattern for device reset is currently: +vdev->config->reset(vdev); +.. cleanup .. + +reset prevents new interrupts from arriving and waits for interrupt +handlers to finish. + +However if - as is common - the handler queues a work request which is +flushed during the cleanup stage, we have code adding buffers / trying +to get buffers while device is reset. Not good. + +This was reproduced by running + modprobe virtio_console + modprobe -r virtio_console +in a loop. + +Fix this up by calling virtio_break_device + flush before reset. + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1786239 +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Sasha Levin +--- + drivers/char/virtio_console.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c +index 673522874cec..3dd4deb60adb 100644 +--- a/drivers/char/virtio_console.c ++++ b/drivers/char/virtio_console.c +@@ -1959,6 +1959,13 @@ static void virtcons_remove(struct virtio_device *vdev) + list_del(&portdev->list); + spin_unlock_irq(&pdrvdata_lock); + ++ /* Device is going away, exit any polling for buffers */ ++ virtio_break_device(vdev); ++ if (use_multiport(portdev)) ++ flush_work(&portdev->control_work); ++ else ++ flush_work(&portdev->config_work); ++ + /* Disable interrupts for vqs */ + vdev->config->reset(vdev); + /* Finish up work that's lined up */ +-- +2.34.1 + diff --git a/queue-5.10/xfrm-fix-tunnel-model-fragmentation-behavior.patch b/queue-5.10/xfrm-fix-tunnel-model-fragmentation-behavior.patch new file mode 100644 index 00000000000..9107a747037 --- /dev/null +++ b/queue-5.10/xfrm-fix-tunnel-model-fragmentation-behavior.patch @@ -0,0 +1,115 @@ +From fad2498a99f2f6a56caa63afcaf95e1b955cba9f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 26 Feb 2022 15:48:01 +0800 +Subject: xfrm: fix tunnel model fragmentation behavior + +From: Lina Wang + +[ Upstream commit 4ff2980b6bd2aa6b4ded3ce3b7c0ccfab29980af ] + +in tunnel mode, if outer interface(ipv4) is less, it is easily to let +inner IPV6 mtu be less than 1280. If so, a Packet Too Big ICMPV6 message +is received. When send again, packets are fragmentized with 1280, they +are still rejected with ICMPV6(Packet Too Big) by xfrmi_xmit2(). + +According to RFC4213 Section3.2.2: +if (IPv4 path MTU - 20) is less than 1280 + if packet is larger than 1280 bytes + Send ICMPv6 "packet too big" with MTU=1280 + Drop packet + else + Encapsulate but do not set the Don't Fragment + flag in the IPv4 header. The resulting IPv4 + packet might be fragmented by the IPv4 layer + on the encapsulator or by some router along + the IPv4 path. + endif +else + if packet is larger than (IPv4 path MTU - 20) + Send ICMPv6 "packet too big" with + MTU = (IPv4 path MTU - 20). + Drop packet. + else + Encapsulate and set the Don't Fragment flag + in the IPv4 header. + endif +endif +Packets should be fragmentized with ipv4 outer interface, so change it. + +After it is fragemtized with ipv4, there will be double fragmenation. +No.48 & No.51 are ipv6 fragment packets, No.48 is double fragmentized, +then tunneled with IPv4(No.49& No.50), which obey spec. And received peer +cannot decrypt it rightly. + +48 2002::10 2002::11 1296(length) IPv6 fragment (off=0 more=y ident=0xa20da5bc nxt=50) +49 0x0000 (0) 2002::10 2002::11 1304 IPv6 fragment (off=0 more=y ident=0x7448042c nxt=44) +50 0x0000 (0) 2002::10 2002::11 200 ESP (SPI=0x00035000) +51 2002::10 2002::11 180 Echo (ping) request +52 0x56dc 2002::10 2002::11 248 IPv6 fragment (off=1232 more=n ident=0xa20da5bc nxt=50) + +xfrm6_noneed_fragment has fixed above issues. Finally, it acted like below: +1 0x6206 192.168.1.138 192.168.1.1 1316 Fragmented IP protocol (proto=Encap Security Payload 50, off=0, ID=6206) [Reassembled in #2] +2 0x6206 2002::10 2002::11 88 IPv6 fragment (off=0 more=y ident=0x1f440778 nxt=50) +3 0x0000 2002::10 2002::11 248 ICMPv6 Echo (ping) request + +Signed-off-by: Lina Wang +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/ipv6/xfrm6_output.c | 16 ++++++++++++++++ + net/xfrm/xfrm_interface.c | 5 ++++- + 2 files changed, 20 insertions(+), 1 deletion(-) + +diff --git a/net/ipv6/xfrm6_output.c b/net/ipv6/xfrm6_output.c +index 6abb45a67199..ee349c243878 100644 +--- a/net/ipv6/xfrm6_output.c ++++ b/net/ipv6/xfrm6_output.c +@@ -52,6 +52,19 @@ static int __xfrm6_output_finish(struct net *net, struct sock *sk, struct sk_buf + return xfrm_output(sk, skb); + } + ++static int xfrm6_noneed_fragment(struct sk_buff *skb) ++{ ++ struct frag_hdr *fh; ++ u8 prevhdr = ipv6_hdr(skb)->nexthdr; ++ ++ if (prevhdr != NEXTHDR_FRAGMENT) ++ return 0; ++ fh = (struct frag_hdr *)(skb->data + sizeof(struct ipv6hdr)); ++ if (fh->nexthdr == NEXTHDR_ESP || fh->nexthdr == NEXTHDR_AUTH) ++ return 1; ++ return 0; ++} ++ + static int __xfrm6_output(struct net *net, struct sock *sk, struct sk_buff *skb) + { + struct dst_entry *dst = skb_dst(skb); +@@ -80,6 +93,9 @@ static int __xfrm6_output(struct net *net, struct sock *sk, struct sk_buff *skb) + xfrm6_local_rxpmtu(skb, mtu); + kfree_skb(skb); + return -EMSGSIZE; ++ } else if (toobig && xfrm6_noneed_fragment(skb)) { ++ skb->ignore_df = 1; ++ goto skip_frag; + } else if (!skb->ignore_df && toobig && skb->sk) { + xfrm_local_error(skb, mtu); + kfree_skb(skb); +diff --git a/net/xfrm/xfrm_interface.c b/net/xfrm/xfrm_interface.c +index 4420c8fd318a..da518b4ca84c 100644 +--- a/net/xfrm/xfrm_interface.c ++++ b/net/xfrm/xfrm_interface.c +@@ -303,7 +303,10 @@ xfrmi_xmit2(struct sk_buff *skb, struct net_device *dev, struct flowi *fl) + if (mtu < IPV6_MIN_MTU) + mtu = IPV6_MIN_MTU; + +- icmpv6_ndo_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu); ++ if (skb->len > 1280) ++ icmpv6_ndo_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu); ++ else ++ goto xmit; + } else { + if (!(ip_hdr(skb)->frag_off & htons(IP_DF))) + goto xmit; +-- +2.34.1 + -- 2.47.3