From 5d330c0783d3ea250a606ad6f51d6f0fe7c22de3 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Mon, 12 Dec 2022 00:44:15 -0500 Subject: [PATCH] Fixes for 6.0 
Signed-off-by: Sasha Levin --- ..._ns-from-in_skb-in-unix_diag_get_exa.patch | 166 ++++++++++ ...1-fix-build-for-sama5d3-w-o-l2-cache.patch | 42 +++ ...n-add-missing-hci_dev_put-in-get_l2c.patch | 35 +++ ...x-not-cleanup-led-when-bt_init-fails.patch | 57 ++++ ...pport-for-read-local-supported-codec.patch | 112 +++++++ ...nn-add-missing-hci_dev_put-in-iso_li.patch | 35 +++ ...-codec-id-field-in-vendor-codec-defi.patch | 36 +++ .../bonding-get-correct-na-dest-address.patch | 44 +++ ...-fix-crash-by-zero-initializing-data.patch | 40 +++ ...-memory-leak-in-dpaa2_switch_acl_ent.patch | 61 ++++ ...mi-fix-preference-of-rgb-modes-over-.patch | 56 ++++ ...65dsi86-fix-output-polarity-setting-.patch | 56 ++++ ...ix-race-issue-calling-pin_user_pages.patch | 54 ++++ .../e1000e-fix-tx-dispatch-condition.patch | 67 ++++ ...x-fix-potential-skb-leak-in-greth_in.patch | 39 +++ ...-fix-pci-device-reference-count-leak.patch | 54 ++++ ...x-refcount-leak-in-rockchip_gpiolib_.patch | 36 +++ ...ix-memory-leak-in-gpiochip_setup_dev.patch | 184 +++++++++++ ...i40e-disallow-ip4-and-ip6-l4_4_bytes.patch | 59 ++++ queue-6.0/i40e-fix-for-vf-mac-address-0.patch | 49 +++ ...setting-default-xps_cpus-after-reset.patch | 72 +++++ ...0-fix-error-return-code-in-cc2520_hw.patch | 37 +++ ...b-allocate-msi-x-vector-when-testing.patch | 69 +++++ ...ist_nulls-rcu-iterator-during-lookup.patch | 80 +++++ ...port-erspan-version-on-gre-interface.patch | 104 +++++++ ...ct-route-flushing-when-source-addres.patch | 134 ++++++++ ...ct-route-flushing-when-table-id-0-is.patch | 140 +++++++++ ...avoid-use-after-free-in-ip6_fragment.patch | 289 ++++++++++++++++++ ...ssing-init_list_head-in-ieee802154_i.patch | 56 ++++ ...ing-attribute-validation-for-offload.patch | 38 +++ ...-ptp_1588_clock_optional-dependency-.patch | 54 ++++ ...net-dsa-hellcreek-check-return-value.patch | 40 +++ .../net-dsa-ksz-check-return-value.patch | 42 +++ ...x-accept-phy-mode-internal-for-inter.patch | 57 ++++ 
.../net-dsa-sja1105-check-return-value.patch | 39 +++ ...fix-memory-leak-in-sja1105_setup_dev.patch | 39 +++ ...00-add-parentheses-to-fix-precedence.patch | 50 +++ ...ix-invalid-logic-in-reading-of-mista.patch | 52 ++++ ...am65-cpsw-fix-rgmii-configuration-at.patch | 43 +++ ...x-potential-use-after-free-in-hisi_f.patch | 37 +++ ...x-potential-use-after-free-in-hix5hd.patch | 37 +++ ...alanced-fwnode-reference-count-in-md.patch | 78 +++++ ...-double-put-fwnode-in-the-error-path.patch | 53 ++++ ...de_mdiobus_register_phy-rework-error.patch | 73 +++++ ...ip-sparx5-correctly-free-skb-in-xmit.patch | 107 +++++++ ...arx5-fix-missing-destroy_workqueue-o.patch | 47 +++ ...et-mvneta-fix-an-out-of-bounds-check.patch | 55 ++++ ...nt-out-of-bounds-read-in-mvneta_conf.patch | 41 +++ ...net-phy-mxl-gpy-add-mdint-workaround.patch | 177 +++++++++++ ...all-kfree_skb-dev_kfree_skb-under-sp.patch | 46 +++ ...nps-axi-config-node-property-parsing.patch | 45 +++ ...erbolt-fix-memory-leak-in-tbnet_open.patch | 39 +++ ...-missing-destroy_workqueue-of-nicvf_.patch | 47 +++ ...iosm-fix-memory-leak-in-ipc_mux_init.patch | 37 +++ ...ack-fix-using-__this_cpu_add-in-pree.patch | 78 +++++ ...ink-fix-compilation-warning-after-da.patch | 95 ++++++ ...ble_offload-fix-using-__this_cpu_add.patch | 68 +++++ ...t_pipapo-actually-validate-intervals.patch | 53 ++++ ...ounds-check-struct-nfc_target-arrays.patch | 62 ++++ ...esc-type-when-header-dma-len-is-4096.patch | 66 ++++ ...core-quirks-before-calling-nvme_init.patch | 57 ++++ ...-potential-memory-leak-in-otx2_init_.patch | 42 +++ ...tial-use-after-free-in-ravb_rx_gbeth.patch | 38 +++ ...s390-qeth-fix-use-after-free-in-hsci.patch | 154 ++++++++++ ...ink-correct-xfrm-policy-rule-in-kci_.patch | 41 +++ queue-6.0/series | 71 +++++ ...xc_xmit-without-holding-node_read_lo.patch | 145 +++++++++ ...potential-oob-in-tipc_link_proto_rcv.patch | 39 +++ ...ectly-report-encapsulated-lro-packet.patch | 86 ++++++ ...ect-intrconf-reference-when-using-ex.patch | 63 
++++ queue-6.0/xen-netback-fix-build-warning.patch | 40 +++ ...-fix-null-sring-after-live-migration.patch | 86 ++++++ 72 files changed, 4920 insertions(+) create mode 100644 queue-6.0/af_unix-get-user_ns-from-in_skb-in-unix_diag_get_exa.patch create mode 100644 queue-6.0/arm-at91-fix-build-for-sama5d3-w-o-l2-cache.patch create mode 100644 queue-6.0/bluetooth-6lowpan-add-missing-hci_dev_put-in-get_l2c.patch create mode 100644 queue-6.0/bluetooth-fix-not-cleanup-led-when-bt_init-fails.patch create mode 100644 queue-6.0/bluetooth-fix-support-for-read-local-supported-codec.patch create mode 100644 queue-6.0/bluetooth-hci_conn-add-missing-hci_dev_put-in-iso_li.patch create mode 100644 queue-6.0/bluetooth-remove-codec-id-field-in-vendor-codec-defi.patch create mode 100644 queue-6.0/bonding-get-correct-na-dest-address.patch create mode 100644 queue-6.0/ca8210-fix-crash-by-zero-initializing-data.patch create mode 100644 queue-6.0/dpaa2-switch-fix-memory-leak-in-dpaa2_switch_acl_ent.patch create mode 100644 queue-6.0/drm-bridge-dw_hdmi-fix-preference-of-rgb-modes-over-.patch create mode 100644 queue-6.0/drm-bridge-ti-sn65dsi86-fix-output-polarity-setting-.patch create mode 100644 queue-6.0/drm-vmwgfx-fix-race-issue-calling-pin_user_pages.patch create mode 100644 queue-6.0/e1000e-fix-tx-dispatch-condition.patch create mode 100644 queue-6.0/ethernet-aeroflex-fix-potential-skb-leak-in-greth_in.patch create mode 100644 queue-6.0/gpio-amd8111-fix-pci-device-reference-count-leak.patch create mode 100644 queue-6.0/gpio-rockchip-fix-refcount-leak-in-rockchip_gpiolib_.patch create mode 100644 queue-6.0/gpiolib-fix-memory-leak-in-gpiochip_setup_dev.patch create mode 100644 queue-6.0/i40e-disallow-ip4-and-ip6-l4_4_bytes.patch create mode 100644 queue-6.0/i40e-fix-for-vf-mac-address-0.patch create mode 100644 queue-6.0/i40e-fix-not-setting-default-xps_cpus-after-reset.patch create mode 100644 queue-6.0/ieee802154-cc2520-fix-error-return-code-in-cc2520_hw.patch create mode 100644 
queue-6.0/igb-allocate-msi-x-vector-when-testing.patch create mode 100644 queue-6.0/inet-ping-use-hlist_nulls-rcu-iterator-during-lookup.patch create mode 100644 queue-6.0/ip_gre-do-not-report-erspan-version-on-gre-interface.patch create mode 100644 queue-6.0/ipv4-fix-incorrect-route-flushing-when-source-addres.patch create mode 100644 queue-6.0/ipv4-fix-incorrect-route-flushing-when-table-id-0-is.patch create mode 100644 queue-6.0/ipv6-avoid-use-after-free-in-ip6_fragment.patch create mode 100644 queue-6.0/mac802154-fix-missing-init_list_head-in-ieee802154_i.patch create mode 100644 queue-6.0/macsec-add-missing-attribute-validation-for-offload.patch create mode 100644 queue-6.0/net-broadcom-add-ptp_1588_clock_optional-dependency-.patch create mode 100644 queue-6.0/net-dsa-hellcreek-check-return-value.patch create mode 100644 queue-6.0/net-dsa-ksz-check-return-value.patch create mode 100644 queue-6.0/net-dsa-mv88e6xxx-accept-phy-mode-internal-for-inter.patch create mode 100644 queue-6.0/net-dsa-sja1105-check-return-value.patch create mode 100644 queue-6.0/net-dsa-sja1105-fix-memory-leak-in-sja1105_setup_dev.patch create mode 100644 queue-6.0/net-encx24j600-add-parentheses-to-fix-precedence.patch create mode 100644 queue-6.0/net-encx24j600-fix-invalid-logic-in-reading-of-mista.patch create mode 100644 queue-6.0/net-ethernet-ti-am65-cpsw-fix-rgmii-configuration-at.patch create mode 100644 queue-6.0/net-hisilicon-fix-potential-use-after-free-in-hisi_f.patch create mode 100644 queue-6.0/net-hisilicon-fix-potential-use-after-free-in-hix5hd.patch create mode 100644 queue-6.0/net-mdio-fix-unbalanced-fwnode-reference-count-in-md.patch create mode 100644 queue-6.0/net-mdiobus-fix-double-put-fwnode-in-the-error-path.patch create mode 100644 queue-6.0/net-mdiobus-fwnode_mdiobus_register_phy-rework-error.patch create mode 100644 queue-6.0/net-microchip-sparx5-correctly-free-skb-in-xmit.patch create mode 100644 
queue-6.0/net-microchip-sparx5-fix-missing-destroy_workqueue-o.patch create mode 100644 queue-6.0/net-mvneta-fix-an-out-of-bounds-check.patch create mode 100644 queue-6.0/net-mvneta-prevent-out-of-bounds-read-in-mvneta_conf.patch create mode 100644 queue-6.0/net-phy-mxl-gpy-add-mdint-workaround.patch create mode 100644 queue-6.0/net-plip-don-t-call-kfree_skb-dev_kfree_skb-under-sp.patch create mode 100644 queue-6.0/net-stmmac-fix-snps-axi-config-node-property-parsing.patch create mode 100644 queue-6.0/net-thunderbolt-fix-memory-leak-in-tbnet_open.patch create mode 100644 queue-6.0/net-thunderx-fix-missing-destroy_workqueue-of-nicvf_.patch create mode 100644 queue-6.0/net-wwan-iosm-fix-memory-leak-in-ipc_mux_init.patch create mode 100644 queue-6.0/netfilter-conntrack-fix-using-__this_cpu_add-in-pree.patch create mode 100644 queue-6.0/netfilter-ctnetlink-fix-compilation-warning-after-da.patch create mode 100644 queue-6.0/netfilter-flowtable_offload-fix-using-__this_cpu_add.patch create mode 100644 queue-6.0/netfilter-nft_set_pipapo-actually-validate-intervals.patch create mode 100644 queue-6.0/nfc-nci-bounds-check-struct-nfc_target-arrays.patch create mode 100644 queue-6.0/nfp-correct-desc-type-when-header-dma-len-is-4096.patch create mode 100644 queue-6.0/nvme-initialize-core-quirks-before-calling-nvme_init.patch create mode 100644 queue-6.0/octeontx2-pf-fix-potential-memory-leak-in-otx2_init_.patch create mode 100644 queue-6.0/ravb-fix-potential-use-after-free-in-ravb_rx_gbeth.patch create mode 100644 queue-6.0/s390-qeth-fix-use-after-free-in-hsci.patch create mode 100644 queue-6.0/selftests-rtnetlink-correct-xfrm-policy-rule-in-kci_.patch create mode 100644 queue-6.0/tipc-call-tipc_lxc_xmit-without-holding-node_read_lo.patch create mode 100644 queue-6.0/tipc-fix-potential-oob-in-tipc_link_proto_rcv.patch create mode 100644 queue-6.0/vmxnet3-correctly-report-encapsulated-lro-packet.patch create mode 100644 
queue-6.0/vmxnet3-use-correct-intrconf-reference-when-using-ex.patch create mode 100644 queue-6.0/xen-netback-fix-build-warning.patch create mode 100644 queue-6.0/xen-netfront-fix-null-sring-after-live-migration.patch diff --git a/queue-6.0/af_unix-get-user_ns-from-in_skb-in-unix_diag_get_exa.patch b/queue-6.0/af_unix-get-user_ns-from-in_skb-in-unix_diag_get_exa.patch new file mode 100644 index 00000000000..bc5595fcdd8 --- /dev/null +++ b/queue-6.0/af_unix-get-user_ns-from-in_skb-in-unix_diag_get_exa.patch 
@@ -0,0 +1,166 @@ +From 44e599ee2aafdbd0d0d10490b99cef90e353f4d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 27 Nov 2022 10:24:11 +0900 +Subject: af_unix: Get user_ns from in_skb in unix_diag_get_exact(). + +From: Kuniyuki Iwashima + +[ Upstream commit b3abe42e94900bdd045c472f9c9be620ba5ce553 ] + +Wei Chen reported a NULL deref in sk_user_ns() [0][1], and Paolo diagnosed +the root cause: in unix_diag_get_exact(), the newly allocated skb does not +have sk. [2] + +We must get the user_ns from the NETLINK_CB(in_skb).sk and pass it to +sk_diag_fill(). + +[0]: +BUG: kernel NULL pointer dereference, address: 0000000000000270 +#PF: supervisor read access in kernel mode +#PF: error_code(0x0000) - not-present page +PGD 12bbce067 P4D 12bbce067 PUD 12bc40067 PMD 0 +Oops: 0000 [#1] PREEMPT SMP +CPU: 0 PID: 27942 Comm: syz-executor.0 Not tainted 6.1.0-rc5-next-20221118 #2 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS +rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014 +RIP: 0010:sk_user_ns include/net/sock.h:920 [inline] +RIP: 0010:sk_diag_dump_uid net/unix/diag.c:119 [inline] +RIP: 0010:sk_diag_fill+0x77d/0x890 net/unix/diag.c:170 +Code: 89 ef e8 66 d4 2d fd c7 44 24 40 00 00 00 00 49 8d 7c 24 18 e8 +54 d7 2d fd 49 8b 5c 24 18 48 8d bb 70 02 00 00 e8 43 d7 2d fd <48> 8b +9b 70 02 00 00 48 8d 7b 10 e8 33 d7 2d fd 48 8b 5b 10 48 8d +RSP: 0018:ffffc90000d67968 EFLAGS: 00010246 +RAX: ffff88812badaa48 RBX: 0000000000000000 RCX: ffffffff840d481d +RDX: 0000000000000465 RSI: 0000000000000000 RDI: 0000000000000270 +RBP: ffffc90000d679a8 R08: 0000000000000277 R09: 0000000000000000 +R10: 0001ffffffffffff R11: 0001c90000d679a8 R12: ffff88812ac03800 +R13: ffff88812c87c400 R14: ffff88812ae42210 R15: ffff888103026940 +FS: 00007f08b4e6f700(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000000000270 CR3: 000000012c58b000 CR4: 00000000003506f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 
0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + unix_diag_get_exact net/unix/diag.c:285 [inline] + unix_diag_handler_dump+0x3f9/0x500 net/unix/diag.c:317 + __sock_diag_cmd net/core/sock_diag.c:235 [inline] + sock_diag_rcv_msg+0x237/0x250 net/core/sock_diag.c:266 + netlink_rcv_skb+0x13e/0x250 net/netlink/af_netlink.c:2564 + sock_diag_rcv+0x24/0x40 net/core/sock_diag.c:277 + netlink_unicast_kernel net/netlink/af_netlink.c:1330 [inline] + netlink_unicast+0x5e9/0x6b0 net/netlink/af_netlink.c:1356 + netlink_sendmsg+0x739/0x860 net/netlink/af_netlink.c:1932 + sock_sendmsg_nosec net/socket.c:714 [inline] + sock_sendmsg net/socket.c:734 [inline] + ____sys_sendmsg+0x38f/0x500 net/socket.c:2476 + ___sys_sendmsg net/socket.c:2530 [inline] + __sys_sendmsg+0x197/0x230 net/socket.c:2559 + __do_sys_sendmsg net/socket.c:2568 [inline] + __se_sys_sendmsg net/socket.c:2566 [inline] + __x64_sys_sendmsg+0x42/0x50 net/socket.c:2566 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +RIP: 0033:0x4697f9 +Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 +89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d +01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f08b4e6ec48 EFLAGS: 00000246 ORIG_RAX: 000000000000002e +RAX: ffffffffffffffda RBX: 000000000077bf80 RCX: 00000000004697f9 +RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003 +RBP: 00000000004d29e9 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 000000000077bf80 +R13: 0000000000000000 R14: 000000000077bf80 R15: 00007ffdb36bc6c0 + +Modules linked in: +CR2: 0000000000000270 + +[1]: https://lore.kernel.org/netdev/CAO4mrfdvyjFpokhNsiwZiP-wpdSD0AStcJwfKcKQdAALQ9_2Qw@mail.gmail.com/ +[2]: 
https://lore.kernel.org/netdev/e04315e7c90d9a75613f3993c2baf2d344eef7eb.camel@redhat.com/ + +Fixes: cae9910e7344 ("net: Add UNIX_DIAG_UID to Netlink UNIX socket diagnostics.") +Reported-by: syzbot +Reported-by: Wei Chen +Diagnosed-by: Paolo Abeni +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/unix/diag.c | 20 ++++++++++++-------- + 1 file changed, 12 insertions(+), 8 deletions(-) + +diff --git a/net/unix/diag.c b/net/unix/diag.c +index 105f522a89fe..616b55c5b890 100644 +--- a/net/unix/diag.c ++++ b/net/unix/diag.c +@@ -114,14 +114,16 @@ static int sk_diag_show_rqlen(struct sock *sk, struct sk_buff *nlskb) + return nla_put(nlskb, UNIX_DIAG_RQLEN, sizeof(rql), &rql); + } + +-static int sk_diag_dump_uid(struct sock *sk, struct sk_buff *nlskb) ++static int sk_diag_dump_uid(struct sock *sk, struct sk_buff *nlskb, ++ struct user_namespace *user_ns) + { +- uid_t uid = from_kuid_munged(sk_user_ns(nlskb->sk), sock_i_uid(sk)); ++ uid_t uid = from_kuid_munged(user_ns, sock_i_uid(sk)); + return nla_put(nlskb, UNIX_DIAG_UID, sizeof(uid_t), &uid); + } + + static int sk_diag_fill(struct sock *sk, struct sk_buff *skb, struct unix_diag_req *req, +- u32 portid, u32 seq, u32 flags, int sk_ino) ++ struct user_namespace *user_ns, ++ u32 portid, u32 seq, u32 flags, int sk_ino) + { + struct nlmsghdr *nlh; + struct unix_diag_msg *rep; +@@ -167,7 +169,7 @@ static int sk_diag_fill(struct sock *sk, struct sk_buff *skb, struct unix_diag_r + goto out_nlmsg_trim; + + if ((req->udiag_show & UDIAG_SHOW_UID) && +- sk_diag_dump_uid(sk, skb)) ++ sk_diag_dump_uid(sk, skb, user_ns)) + goto out_nlmsg_trim; + + nlmsg_end(skb, nlh); +@@ -179,7 +181,8 @@ static int sk_diag_fill(struct sock *sk, struct sk_buff *skb, struct unix_diag_r + } + + static int sk_diag_dump(struct sock *sk, struct sk_buff *skb, struct unix_diag_req *req, +- u32 portid, u32 seq, u32 flags) ++ struct user_namespace *user_ns, ++ u32 portid, u32 seq, u32 flags) + { + int sk_ino; + 
+@@ -190,7 +193,7 @@ static int sk_diag_dump(struct sock *sk, struct sk_buff *skb, struct unix_diag_r + if (!sk_ino) + return 0; + +- return sk_diag_fill(sk, skb, req, portid, seq, flags, sk_ino); ++ return sk_diag_fill(sk, skb, req, user_ns, portid, seq, flags, sk_ino); + } + + static int unix_diag_dump(struct sk_buff *skb, struct netlink_callback *cb) +@@ -214,7 +217,7 @@ static int unix_diag_dump(struct sk_buff *skb, struct netlink_callback *cb) + goto next; + if (!(req->udiag_states & (1 << sk->sk_state))) + goto next; +- if (sk_diag_dump(sk, skb, req, ++ if (sk_diag_dump(sk, skb, req, sk_user_ns(skb->sk), + NETLINK_CB(cb->skb).portid, + cb->nlh->nlmsg_seq, + NLM_F_MULTI) < 0) { +@@ -282,7 +285,8 @@ static int unix_diag_get_exact(struct sk_buff *in_skb, + if (!rep) + goto out; + +- err = sk_diag_fill(sk, rep, req, NETLINK_CB(in_skb).portid, ++ err = sk_diag_fill(sk, rep, req, sk_user_ns(NETLINK_CB(in_skb).sk), ++ NETLINK_CB(in_skb).portid, + nlh->nlmsg_seq, 0, req->udiag_ino); + if (err < 0) { + nlmsg_free(rep); +-- +2.35.1 + diff --git a/queue-6.0/arm-at91-fix-build-for-sama5d3-w-o-l2-cache.patch b/queue-6.0/arm-at91-fix-build-for-sama5d3-w-o-l2-cache.patch new file mode 100644 index 00000000000..aa2662fca5d --- /dev/null +++ b/queue-6.0/arm-at91-fix-build-for-sama5d3-w-o-l2-cache.patch 
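Review bot: In unix_diag_dump() the namespace is still taken from `skb->sk`, the same pattern that yielded a NULL socket for the reply skb in unix_diag_get_exact(). The dump path is therefore safe only if the dump skb always has an owning socket, and nothing in this hunk shows that guarantee. Passing `sk_user_ns(NETLINK_CB(cb->skb).sk)` would make both callers derive the namespace from the requesting socket. If `skb->sk` is kept, a one-line comment such as `/* dump skb is owned by the requesting netlink socket */` would record the assumption once it is confirmed. The body of unix_diag_dump() starts and ends outside the hunk.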
@@ -0,0 +1,42 @@
+From 95717f5f9b406a279681218812582c2ace59eec8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 12 Nov 2022 16:40:59 +0100
+Subject: ARM: at91: fix build for SAMA5D3 w/o L2 cache
+
+From: Peter Rosin
+
+[ Upstream commit 6a3fc8c330d1c1fa3d8773d7d38a7c55c4900dfe ]
+
+The L2 cache is present on the newer SAMA5D2 and SAMA5D4 families, but
+apparently not for the older SAMA5D3.
+
+Solves a build-time regression with the following symptom:
+
+sama5.c:(.init.text+0x48): undefined reference to `outer_cache'
+
+Fixes: 3b5a7ca7d252 ("ARM: at91: setup outer cache .write_sec() callback if needed")
+Signed-off-by: Peter Rosin
+[claudiu.beznea: delete "At least not always." from commit description]
+Signed-off-by: Claudiu Beznea
+Link: https://lore.kernel.org/r/b7f8dacc-5e1f-0eb2-188e-3ad9a9f7613d@axentia.se
+Signed-off-by: Sasha Levin
+---
+ arch/arm/mach-at91/sama5.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/mach-at91/sama5.c b/arch/arm/mach-at91/sama5.c
+index 67ed68fbe3a5..bf2b5c6a18c6 100644
+--- a/arch/arm/mach-at91/sama5.c
++++ b/arch/arm/mach-at91/sama5.c
+@@ -26,7 +26,7 @@ static void sama5_l2c310_write_sec(unsigned long val, unsigned reg)
+ static void __init sama5_secure_cache_init(void)
+ {
+ sam_secure_init();
+- if (sam_linux_is_optee_available())
++ if (IS_ENABLED(CONFIG_OUTER_CACHE) && sam_linux_is_optee_available())
+ outer_cache.write_sec = sama5_l2c310_write_sec;
+ }
+
+--
+2.35.1
+
diff --git a/queue-6.0/bluetooth-6lowpan-add-missing-hci_dev_put-in-get_l2c.patch b/queue-6.0/bluetooth-6lowpan-add-missing-hci_dev_put-in-get_l2c.patch
new file mode 100644
index 00000000000..c0de5abfad8
--- /dev/null
+++ b/queue-6.0/bluetooth-6lowpan-add-missing-hci_dev_put-in-get_l2c.patch
@@ -0,0 +1,35 @@
+From 6ebe2d753d3f74f55012faddf277a0dc4ceb405e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 9 Nov 2022 17:37:26 +0800
+Subject: Bluetooth: 6LoWPAN: add missing hci_dev_put() in get_l2cap_conn()
+
+From: Wang ShaoBo
+
+[ Upstream commit 747da1308bdd5021409974f9180f0d8ece53d142 ]
+
+hci_get_route() takes reference, we should use hci_dev_put() to release
+it when not need anymore.
+
+Fixes: 6b8d4a6a0314 ("Bluetooth: 6LoWPAN: Use connected oriented channel instead of fixed one")
+Signed-off-by: Wang ShaoBo
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Sasha Levin
+---
+ net/bluetooth/6lowpan.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/bluetooth/6lowpan.c b/net/bluetooth/6lowpan.c
+index 215af9b3b589..c57d643afb10 100644
+--- a/net/bluetooth/6lowpan.c
++++ b/net/bluetooth/6lowpan.c
+@@ -972,6 +972,7 @@ static int get_l2cap_conn(char *buf, bdaddr_t *addr, u8 *addr_type,
+ hci_dev_lock(hdev);
+ hcon = hci_conn_hash_lookup_le(hdev, addr, *addr_type);
+ hci_dev_unlock(hdev);
++ hci_dev_put(hdev);
+
+ if (!hcon)
+ return -ENOENT;
+--
+2.35.1
+
diff --git a/queue-6.0/bluetooth-fix-not-cleanup-led-when-bt_init-fails.patch b/queue-6.0/bluetooth-fix-not-cleanup-led-when-bt_init-fails.patch
new file mode 100644
index 00000000000..1216397903e
--- /dev/null
+++ b/queue-6.0/bluetooth-fix-not-cleanup-led-when-bt_init-fails.patch
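Review bot: In get_l2cap_conn(), `hcon` is looked up under `hci_dev_lock()` but is tested, and presumably used, only after the lock and now also the `hdev` reference have been released. Nothing in the hunk shows what keeps the connection object alive past `hci_dev_unlock(hdev)`. If no other reference pins it, the lookup result should be pinned while the lock is held, for example with `hci_conn_get(hcon)`, or the lock should be kept across the use. The function continues outside the hunk, so this needs checking against the full body.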
@@ -0,0 +1,57 @@
+From 8c0e3c2d5755bb18ed44d8744fbcdee96f61135a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 29 Nov 2022 17:25:56 +0800
+Subject: Bluetooth: Fix not cleanup led when bt_init fails
+
+From: Chen Zhongjin
+
+[ Upstream commit 2f3957c7eb4e07df944169a3e50a4d6790e1c744 ]
+
+bt_init() calls bt_leds_init() to register led, but if it fails later,
+bt_leds_cleanup() is not called to unregister it.
+
+This can cause panic if the argument "bluetooth-power" in text is freed
+and then another led_trigger_register() tries to access it:
+
+BUG: unable to handle page fault for address: ffffffffc06d3bc0
+RIP: 0010:strcmp+0xc/0x30
+ Call Trace:
+
+ led_trigger_register+0x10d/0x4f0
+ led_trigger_register_simple+0x7d/0x100
+ bt_init+0x39/0xf7 [bluetooth]
+ do_one_initcall+0xd0/0x4e0
+
+Fixes: e64c97b53bc6 ("Bluetooth: Add combined LED trigger for controller power")
+Signed-off-by: Chen Zhongjin
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Sasha Levin
+---
+ net/bluetooth/af_bluetooth.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c
+index dc65974f5adb..1c3c7ff5c3c6 100644
+--- a/net/bluetooth/af_bluetooth.c
++++ b/net/bluetooth/af_bluetooth.c
+@@ -737,7 +737,7 @@ static int __init bt_init(void)
+
+ err = bt_sysfs_init();
+ if (err < 0)
+- return err;
++ goto cleanup_led;
+
+ err = sock_register(&bt_sock_family_ops);
+ if (err)
+@@ -773,6 +773,8 @@ static int __init bt_init(void)
+ sock_unregister(PF_BLUETOOTH);
+ cleanup_sysfs:
+ bt_sysfs_cleanup();
++cleanup_led:
++ bt_leds_cleanup();
+ return err;
+ }
+
+--
+2.35.1
+
diff --git a/queue-6.0/bluetooth-fix-support-for-read-local-supported-codec.patch b/queue-6.0/bluetooth-fix-support-for-read-local-supported-codec.patch
new file mode 100644
index 00000000000..a52e8ca77a6
--- /dev/null
+++ b/queue-6.0/bluetooth-fix-support-for-read-local-supported-codec.patch
@@ -0,0 +1,112 @@
+From f097429ec08be534eaf2f2ca2cb77fb7da04c521 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 22 Nov 2022 14:32:57 +0530
+Subject: Bluetooth: Fix support for Read Local Supported Codecs V2
+
+From: Chethan T N
+
+[ Upstream commit 828cea2b71de501827f62d3c92d149f6052ad01e ]
+
+Handling of Read Local Supported Codecs was broken during the
+HCI serialization design change patches.
+
+Fixes: d0b137062b2d ("Bluetooth: hci_sync: Rework init stages")
+Signed-off-by: Chethan T N
+Signed-off-by: Kiran K
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Sasha Levin
+---
+ net/bluetooth/hci_codec.c | 19 ++++++++++---------
+ net/bluetooth/hci_sync.c | 10 ++++++----
+ 2 files changed, 16 insertions(+), 13 deletions(-)
+
+diff --git a/net/bluetooth/hci_codec.c b/net/bluetooth/hci_codec.c
+index 38201532f58e..3cc135bb1d30 100644
+--- a/net/bluetooth/hci_codec.c
++++ b/net/bluetooth/hci_codec.c
+@@ -72,9 +72,8 @@ static void hci_read_codec_capabilities(struct hci_dev *hdev, __u8 transport,
+ continue;
+ }
+
+- skb = __hci_cmd_sync(hdev, HCI_OP_READ_LOCAL_CODEC_CAPS,
+- sizeof(*cmd), cmd,
+- HCI_CMD_TIMEOUT);
++ skb = __hci_cmd_sync_sk(hdev, HCI_OP_READ_LOCAL_CODEC_CAPS,
++ sizeof(*cmd), cmd, 0, HCI_CMD_TIMEOUT, NULL);
+ if (IS_ERR(skb)) {
+ bt_dev_err(hdev, "Failed to read codec capabilities (%ld)",
+ PTR_ERR(skb));
+@@ -127,8 +126,8 @@ void hci_read_supported_codecs(struct hci_dev *hdev)
+ struct hci_op_read_local_codec_caps caps;
+ __u8 i;
+
+- skb = __hci_cmd_sync(hdev, HCI_OP_READ_LOCAL_CODECS, 0, NULL,
+- HCI_CMD_TIMEOUT);
++ skb = __hci_cmd_sync_sk(hdev, HCI_OP_READ_LOCAL_CODECS, 0, NULL,
++ 0, HCI_CMD_TIMEOUT, NULL);
+
+ if (IS_ERR(skb)) {
+ bt_dev_err(hdev, "Failed to read local supported codecs (%ld)",
+@@ -158,7 +157,8 @@ void hci_read_supported_codecs(struct hci_dev *hdev)
+ for (i = 0; i < std_codecs->num; i++) {
+ caps.id = std_codecs->codec[i];
+ caps.direction = 0x00;
+- hci_read_codec_capabilities(hdev, LOCAL_CODEC_ACL_MASK, &caps);
++ hci_read_codec_capabilities(hdev,
++ LOCAL_CODEC_ACL_MASK | LOCAL_CODEC_SCO_MASK, &caps);
+ }
+
+ skb_pull(skb, flex_array_size(std_codecs, codec, std_codecs->num)
+@@ -178,7 +178,8 @@ void hci_read_supported_codecs(struct hci_dev *hdev)
+ caps.cid = vnd_codecs->codec[i].cid;
+ caps.vid = vnd_codecs->codec[i].vid;
+ caps.direction = 0x00;
+- hci_read_codec_capabilities(hdev, LOCAL_CODEC_ACL_MASK, &caps);
++ hci_read_codec_capabilities(hdev,
++ LOCAL_CODEC_ACL_MASK | LOCAL_CODEC_SCO_MASK, &caps);
+ }
+
+ error:
+@@ -194,8 +195,8 @@ void hci_read_supported_codecs_v2(struct hci_dev *hdev)
+ struct hci_op_read_local_codec_caps caps;
+ __u8 i;
+
+- skb = __hci_cmd_sync(hdev, HCI_OP_READ_LOCAL_CODECS_V2, 0, NULL,
+- HCI_CMD_TIMEOUT);
++ skb = __hci_cmd_sync_sk(hdev, HCI_OP_READ_LOCAL_CODECS_V2, 0, NULL,
++ 0, HCI_CMD_TIMEOUT, NULL);
+
+ if (IS_ERR(skb)) {
+ bt_dev_err(hdev, "Failed to read local supported codecs (%ld)",
+diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
+index 831e816e1d20..a5e89e1b5452 100644
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -12,6 +12,7 @@
+ #include
+
+ #include "hci_request.h"
++#include "hci_codec.h"
+ #include "hci_debugfs.h"
+ #include "smp.h"
+ #include "eir.h"
+@@ -3918,11 +3919,12 @@ static int hci_set_event_mask_page_2_sync(struct hci_dev *hdev)
+ /* Read local codec list if the HCI command is supported */
+ static int hci_read_local_codecs_sync(struct hci_dev *hdev)
+ {
+- if (!(hdev->commands[29] & 0x20))
+- return 0;
++ if (hdev->commands[45] & 0x04)
++ hci_read_supported_codecs_v2(hdev);
++ else if (hdev->commands[29] & 0x20)
++ hci_read_supported_codecs(hdev);
+
+- return __hci_cmd_sync_status(hdev, HCI_OP_READ_LOCAL_CODECS, 0, NULL,
+- HCI_CMD_TIMEOUT);
++ return 0;
+ }
+
+ /* Read local pairing options if the HCI command is supported */
+--
+2.35.1
+
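Review bot: hci_read_local_codecs_sync() now returns 0 on every path, so a failed codec read surfaces only through the `bt_dev_err()` calls in the readers and can no longer fail this init step; the removed code returned the command status. If best-effort discovery is the intent, the comment above the function should say so, for example `/* Read local codec list if the HCI command is supported; failures are logged and do not abort init */`. The bare bit tests `hdev->commands[45] & 0x04` and `hdev->commands[29] & 0x20` would also benefit from a short trailing comment naming the command each bit advertises, since the V2-before-V1 preference is only implied by the branch order.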
diff --git a/queue-6.0/bluetooth-hci_conn-add-missing-hci_dev_put-in-iso_li.patch b/queue-6.0/bluetooth-hci_conn-add-missing-hci_dev_put-in-iso_li.patch
new file mode 100644
index 00000000000..e605e4fb1c1
--- /dev/null
+++ b/queue-6.0/bluetooth-hci_conn-add-missing-hci_dev_put-in-iso_li.patch
@@ -0,0 +1,35 @@
+From dd82068d978569c194a0792303f7a64f705b7a6f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 9 Nov 2022 10:39:06 +0800
+Subject: Bluetooth: hci_conn: add missing hci_dev_put() in iso_listen_bis()
+
+From: Wang ShaoBo
+
+[ Upstream commit 7e7df2c10c92cab7d1dde3b301e584e2e877fbda ]
+
+hci_get_route() takes reference, we should use hci_dev_put() to release
+it when not need anymore.
+
+Fixes: f764a6c2c1e4 ("Bluetooth: ISO: Add broadcast support")
+Signed-off-by: Wang ShaoBo
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Sasha Levin
+---
+ net/bluetooth/iso.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
+index f825857db6d0..26db929b97c4 100644
+--- a/net/bluetooth/iso.c
++++ b/net/bluetooth/iso.c
+@@ -879,6 +879,7 @@ static int iso_listen_bis(struct sock *sk)
+ iso_pi(sk)->bc_sid);
+
+ hci_dev_unlock(hdev);
++ hci_dev_put(hdev);
+
+ return err;
+ }
+--
+2.35.1
+
diff --git a/queue-6.0/bluetooth-remove-codec-id-field-in-vendor-codec-defi.patch b/queue-6.0/bluetooth-remove-codec-id-field-in-vendor-codec-defi.patch
new file mode 100644
index 00000000000..f8153ac1831
--- /dev/null
+++ b/queue-6.0/bluetooth-remove-codec-id-field-in-vendor-codec-defi.patch
@@ -0,0 +1,36 @@
+From ff3d477d5230b4e69efaf279a6f0dcafca7d488b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 22 Nov 2022 14:32:56 +0530
+Subject: Bluetooth: Remove codec id field in vendor codec definition
+
+From: Chethan T N
+
+[ Upstream commit 93df7d56f15e217009323c0fbb5213ab7a14520b ]
+
+As per the specfication vendor codec id is defined.
+BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 4, Part E page 2127
+
+Fixes: 9ae664028a9e ("Bluetooth: Add support for Read Local Supported Codecs V2")
+Signed-off-by: Chethan T N
+Signed-off-by: Kiran K
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Sasha Levin
+---
+ include/net/bluetooth/hci.h | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/include/net/bluetooth/hci.h b/include/net/bluetooth/hci.h
+index a3c7dcfa0a05..4518c63e9d17 100644
+--- a/include/net/bluetooth/hci.h
++++ b/include/net/bluetooth/hci.h
+@@ -1431,7 +1431,6 @@ struct hci_std_codecs_v2 {
+ } __packed;
+
+ struct hci_vnd_codec_v2 {
+- __u8 id;
+ __le16 cid;
+ __le16 vid;
+ __u8 transport;
+--
+2.35.1
+
diff --git a/queue-6.0/bonding-get-correct-na-dest-address.patch b/queue-6.0/bonding-get-correct-na-dest-address.patch
new file mode 100644
index 00000000000..84f028f89c0
--- /dev/null
+++ b/queue-6.0/bonding-get-correct-na-dest-address.patch
@@ -0,0 +1,44 @@
+From bf9779a3f402b3e510997df49cc85135d0336469 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 6 Dec 2022 11:20:55 +0800
+Subject: bonding: get correct NA dest address
+
+From: Hangbin Liu
+
+[ Upstream commit 1f154f3b56a1a172833eedf77b72745acc8d9259 ]
+
+In commit 4d633d1b468b ("bonding: fix ICMPv6 header handling when receiving
+IPv6 messages"), there is a copy/paste issue for NA daddr. I found that
+in my testing and fixed it in my local branch. But I forgot to re-format
+the patch and sent the wrong mail.
+
+Fix it by reading the correct dest address.
+
+Fixes: 4d633d1b468b ("bonding: fix ICMPv6 header handling when receiving IPv6 messages")
+Signed-off-by: Hangbin Liu
+Reviewed-by: Eric Dumazet
+Reviewed-by: Jiri Pirko
+Acked-by: Jonathan Toppins
+Link: https://lore.kernel.org/r/20221206032055.7517-1-liuhangbin@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/bonding/bond_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index 76dd5ff1d99d..c2939621b683 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -3247,7 +3247,7 @@ static int bond_na_rcv(const struct sk_buff *skb, struct bonding *bond,
+ goto out;
+
+ saddr = &combined->ip6.saddr;
+- daddr = &combined->ip6.saddr;
++ daddr = &combined->ip6.daddr;
+
+ slave_dbg(bond->dev, slave->dev, "%s: %s/%d av %d sv %d sip %pI6c tip %pI6c\n",
+ __func__, slave->dev->name, bond_slave_state(slave),
+--
+2.35.1
+
diff --git a/queue-6.0/ca8210-fix-crash-by-zero-initializing-data.patch b/queue-6.0/ca8210-fix-crash-by-zero-initializing-data.patch
new file mode 100644
index 00000000000..813a84e13a8
--- /dev/null
+++ b/queue-6.0/ca8210-fix-crash-by-zero-initializing-data.patch
@@ -0,0 +1,40 @@
+From 5731afb0e8aa7ed75f66a5190b80f9dae0120ca3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 21 Nov 2022 01:22:01 +0100
+Subject: ca8210: Fix crash by zero initializing data
+
+From: Hauke Mehrtens
+
+[ Upstream commit 1e24c54da257ab93cff5826be8a793b014a5dc9c ]
+
+The struct cas_control embeds multiple generic SPI structures and we
+have to make sure these structures are initialized to default values.
+This driver does not set all attributes. When using kmalloc before some
+attributes were not initialized and contained random data which caused
+random crashes at bootup.
+
+Fixes: ded845a781a5 ("ieee802154: Add CA8210 IEEE 802.15.4 device driver")
+Signed-off-by: Hauke Mehrtens
+Link: https://lore.kernel.org/r/20221121002201.1339636-1-hauke@hauke-m.de
+Signed-off-by: Stefan Schmidt
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ieee802154/ca8210.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ieee802154/ca8210.c b/drivers/net/ieee802154/ca8210.c
+index 450b16ad40a4..e1a569b99e4a 100644
+--- a/drivers/net/ieee802154/ca8210.c
++++ b/drivers/net/ieee802154/ca8210.c
+@@ -885,7 +885,7 @@ static int ca8210_spi_transfer(
+
+ dev_dbg(&spi->dev, "%s called\n", __func__);
+
+- cas_ctl = kmalloc(sizeof(*cas_ctl), GFP_ATOMIC);
++ cas_ctl = kzalloc(sizeof(*cas_ctl), GFP_ATOMIC);
+ if (!cas_ctl)
+ return -ENOMEM;
+
+--
+2.35.1
+
diff --git a/queue-6.0/dpaa2-switch-fix-memory-leak-in-dpaa2_switch_acl_ent.patch b/queue-6.0/dpaa2-switch-fix-memory-leak-in-dpaa2_switch_acl_ent.patch
new file mode 100644
index 00000000000..a3e133bf4b5
--- /dev/null
+++ b/queue-6.0/dpaa2-switch-fix-memory-leak-in-dpaa2_switch_acl_ent.patch
@@ -0,0 +1,61 @@ +From 7ba5dfdf59388b12cfd46a932e7202738f6b35d7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Dec 2022 06:15:15 +0000 +Subject: dpaa2-switch: Fix memory leak in dpaa2_switch_acl_entry_add() and + dpaa2_switch_acl_entry_remove() + +From: Yuan Can + +[ Upstream commit 4fad22a1281c500f15b172c9d261eff347ca634b ] + +The cmd_buff needs to be freed when error happened in +dpaa2_switch_acl_entry_add() and dpaa2_switch_acl_entry_remove(). + +Fixes: 1110318d83e8 ("dpaa2-switch: add tc flower hardware offload on ingress traffic") +Signed-off-by: Yuan Can +Link: https://lore.kernel.org/r/20221205061515.115012-1-yuancan@huawei.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/dpaa2/dpaa2-switch-flower.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch-flower.c b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch-flower.c +index cacd454ac696..c39b866e2582 100644 +--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch-flower.c ++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch-flower.c +@@ -132,6 +132,7 @@ int dpaa2_switch_acl_entry_add(struct dpaa2_switch_filter_block *filter_block, + DMA_TO_DEVICE); + if (unlikely(dma_mapping_error(dev, acl_entry_cfg->key_iova))) { + dev_err(dev, "DMA mapping failed\n"); ++ kfree(cmd_buff); + return -EFAULT; + } + +@@ -142,6 +143,7 @@ int dpaa2_switch_acl_entry_add(struct dpaa2_switch_filter_block *filter_block, + DMA_TO_DEVICE); + if (err) { + dev_err(dev, "dpsw_acl_add_entry() failed %d\n", err); ++ kfree(cmd_buff); + return err; + } + +@@ -172,6 +174,7 @@ dpaa2_switch_acl_entry_remove(struct dpaa2_switch_filter_block *block, + DMA_TO_DEVICE); + if (unlikely(dma_mapping_error(dev, acl_entry_cfg->key_iova))) { + dev_err(dev, "DMA mapping failed\n"); ++ kfree(cmd_buff); + return -EFAULT; + } + +@@ -182,6 +185,7 @@ dpaa2_switch_acl_entry_remove(struct dpaa2_switch_filter_block *block, + DMA_TO_DEVICE); + 
if (err) { + dev_err(dev, "dpsw_acl_remove_entry() failed %d\n", err); ++ kfree(cmd_buff); + return err; + } + +-- +2.35.1 + diff --git a/queue-6.0/drm-bridge-dw_hdmi-fix-preference-of-rgb-modes-over-.patch b/queue-6.0/drm-bridge-dw_hdmi-fix-preference-of-rgb-modes-over-.patch new file mode 100644 index 00000000000..c6d1e978176 --- /dev/null +++ b/queue-6.0/drm-bridge-dw_hdmi-fix-preference-of-rgb-modes-over-.patch 
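Review bot: The four added `kfree(cmd_buff);` calls repeat the same cleanup on every error return in dpaa2_switch_acl_entry_add() and dpaa2_switch_acl_entry_remove(), which is the pattern that let the leak appear in the first place. A single exit label per function would keep the release in one place: each failing branch sets `err` and does `goto free_cmd_buff;`, with `free_cmd_buff: kfree(cmd_buff); return err;` at the end. This assumes the success path frees the buffer as well, which cannot be confirmed because both function bodies start and end outside the visible hunks.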
@@ -0,0 +1,56 @@ +From 1cffc2f107eaa7863802d17cc2ee0a46097819c6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Nov 2022 15:35:23 +0100 +Subject: drm: bridge: dw_hdmi: fix preference of RGB modes over YUV420 + +From: Guillaume BRUN + +[ Upstream commit d3d6b1bf85aefe0ebc0624574b3bb62f0693914c ] + +Cheap monitors sometimes advertise YUV modes they don't really have +(HDMI specification mandates YUV support so even monitors without actual +support will often wrongfully advertise it) which results in YUV matches +and user forum complaints of a red tint to light colour display areas in +common desktop environments. + +Moving the default RGB fall-back before YUV selection results in RGB +mode matching in most cases, reducing complaints. + +Fixes: 6c3c719936da ("drm/bridge: synopsys: dw-hdmi: add bus format negociation") +Signed-off-by: Guillaume BRUN +Tested-by: Christian Hewitt +Reviewed-by: Robert Foss +Signed-off-by: Neil Armstrong +Link: https://patchwork.freedesktop.org/patch/msgid/20221116143523.2126-1-the.cheaterman@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/synopsys/dw-hdmi.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c b/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c +index 40d8ca37f5bc..aa51c61a78c7 100644 +--- a/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c ++++ b/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c +@@ -2720,6 +2720,9 @@ static u32 *dw_hdmi_bridge_atomic_get_output_bus_fmts(struct drm_bridge *bridge, + * if supported. 
In any case the default RGB888 format is added + */ + ++ /* Default 8bit RGB fallback */ ++ output_fmts[i++] = MEDIA_BUS_FMT_RGB888_1X24; ++ + if (max_bpc >= 16 && info->bpc == 16) { + if (info->color_formats & DRM_COLOR_FORMAT_YCBCR444) + output_fmts[i++] = MEDIA_BUS_FMT_YUV16_1X48; +@@ -2753,9 +2756,6 @@ static u32 *dw_hdmi_bridge_atomic_get_output_bus_fmts(struct drm_bridge *bridge, + if (info->color_formats & DRM_COLOR_FORMAT_YCBCR444) + output_fmts[i++] = MEDIA_BUS_FMT_YUV8_1X24; + +- /* Default 8bit RGB fallback */ +- output_fmts[i++] = MEDIA_BUS_FMT_RGB888_1X24; +- + *num_output_fmts = i; + + return output_fmts; +-- +2.35.1 + diff --git a/queue-6.0/drm-bridge-ti-sn65dsi86-fix-output-polarity-setting-.patch b/queue-6.0/drm-bridge-ti-sn65dsi86-fix-output-polarity-setting-.patch new file mode 100644 index 00000000000..02ef6b96e02 --- /dev/null +++ b/queue-6.0/drm-bridge-ti-sn65dsi86-fix-output-polarity-setting-.patch 
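Review bot: Moving `output_fmts[i++] = MEDIA_BUS_FMT_RGB888_1X24;` to the top places it ahead of the `max_bpc >= 16` block as well as the YUV entries, so if the array is consumed in order of preference (the commit message implies this, the hunk does not show it) 8-bit RGB would now also be chosen before any deeper-colour format. The retained comment `/* Default 8bit RGB fallback */` no longer matches its position. Something like `/* 8-bit RGB first: preferred over the YUV formats listed below */` would describe the new behaviour, and the block comment ending "In any case the default RGB888 format is added" could state the ordering too. The function body starts and ends outside the hunks.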
@@ -0,0 +1,56 @@ +From 2672b1c19c6a9afcac766043038f4e75d162b760 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Nov 2022 18:45:58 +0800 +Subject: drm/bridge: ti-sn65dsi86: Fix output polarity setting bug + +From: Qiqi Zhang + +[ Upstream commit 8c115864501fc09932cdfec53d9ec1cde82b4a28 ] + +According to the description in ti-sn65dsi86's datasheet: + +CHA_HSYNC_POLARITY: +0 = Active High Pulse. Synchronization signal is high for the sync +pulse width. (default) +1 = Active Low Pulse. Synchronization signal is low for the sync +pulse width. + +CHA_VSYNC_POLARITY: +0 = Active High Pulse. Synchronization signal is high for the sync +pulse width. (Default) +1 = Active Low Pulse. Synchronization signal is low for the sync +pulse width. + +We should only set these bits when the polarity is negative. + +Fixes: a095f15c00e2 ("drm/bridge: add support for sn65dsi86 bridge driver") +Signed-off-by: Qiqi Zhang +Reviewed-by: Douglas Anderson +Tested-by: Douglas Anderson +Reviewed-by: Tomi Valkeinen +Signed-off-by: Douglas Anderson +Link: https://patchwork.freedesktop.org/patch/msgid/20221125104558.84616-1-eddy.zhang@rock-chips.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/ti-sn65dsi86.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/bridge/ti-sn65dsi86.c b/drivers/gpu/drm/bridge/ti-sn65dsi86.c +index d6dd4d99a229..d72bd1392c84 100644 +--- a/drivers/gpu/drm/bridge/ti-sn65dsi86.c ++++ b/drivers/gpu/drm/bridge/ti-sn65dsi86.c +@@ -906,9 +906,9 @@ static void ti_sn_bridge_set_video_timings(struct ti_sn65dsi86 *pdata) + &pdata->bridge.encoder->crtc->state->adjusted_mode; + u8 hsync_polarity = 0, vsync_polarity = 0; + +- if (mode->flags & DRM_MODE_FLAG_PHSYNC) ++ if (mode->flags & DRM_MODE_FLAG_NHSYNC) + hsync_polarity = CHA_HSYNC_POLARITY; +- if (mode->flags & DRM_MODE_FLAG_PVSYNC) ++ if (mode->flags & DRM_MODE_FLAG_NVSYNC) + vsync_polarity = CHA_VSYNC_POLARITY; + + ti_sn65dsi86_write_u16(pdata, 
SN_CHA_ACTIVE_LINE_LENGTH_LOW_REG, +-- +2.35.1 + diff --git a/queue-6.0/drm-vmwgfx-fix-race-issue-calling-pin_user_pages.patch b/queue-6.0/drm-vmwgfx-fix-race-issue-calling-pin_user_pages.patch new file mode 100644 index 00000000000..8a08b43f60a --- /dev/null +++ b/queue-6.0/drm-vmwgfx-fix-race-issue-calling-pin_user_pages.patch 
@@ -0,0 +1,54 @@ +From 492fb7e6ef4614702766e000b22876e408f14856 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Nov 2022 23:37:34 +0800 +Subject: drm/vmwgfx: Fix race issue calling pin_user_pages + +From: Dawei Li + +[ Upstream commit ed14d225cc7c842f6d4d5a3009f71a44f5852d09 ] + +pin_user_pages() is unsafe without protection of mmap_lock, +fix it by calling pin_user_pages_fast(). + +Fixes: 7a7a933edd6c ("drm/vmwgfx: Introduce VMware mks-guest-stats") +Signed-off-by: Dawei Li +Reviewed-by: Martin Krastev +Signed-off-by: Zack Rusin +Link: https://patchwork.freedesktop.org/patch/msgid/TYWP286MB23193621CB443E1E1959A00BCA3E9@TYWP286MB2319.JPNP286.PROD.OUTLOOK.COM +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vmwgfx/vmwgfx_msg.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_msg.c b/drivers/gpu/drm/vmwgfx/vmwgfx_msg.c +index 089046fa21be..50fa3df0bc0c 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_msg.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_msg.c +@@ -1085,21 +1085,21 @@ int vmw_mksstat_add_ioctl(struct drm_device *dev, void *data, + reset_ppn_array(pdesc->strsPPNs, ARRAY_SIZE(pdesc->strsPPNs)); + + /* Pin mksGuestStat user pages and store those in the instance descriptor */ +- nr_pinned_stat = pin_user_pages(arg->stat, num_pages_stat, FOLL_LONGTERM, pages_stat, NULL); ++ nr_pinned_stat = pin_user_pages_fast(arg->stat, num_pages_stat, FOLL_LONGTERM, pages_stat); + if (num_pages_stat != nr_pinned_stat) + goto err_pin_stat; + + for (i = 0; i < num_pages_stat; ++i) + pdesc->statPPNs[i] = page_to_pfn(pages_stat[i]); + +- nr_pinned_info = pin_user_pages(arg->info, num_pages_info, FOLL_LONGTERM, pages_info, NULL); ++ nr_pinned_info = pin_user_pages_fast(arg->info, num_pages_info, FOLL_LONGTERM, pages_info); + if (num_pages_info != nr_pinned_info) + goto err_pin_info; + + for (i = 0; i < num_pages_info; ++i) + pdesc->infoPPNs[i] = page_to_pfn(pages_info[i]); + +- nr_pinned_strs = pin_user_pages(arg->strs, 
num_pages_strs, FOLL_LONGTERM, pages_strs, NULL); ++ nr_pinned_strs = pin_user_pages_fast(arg->strs, num_pages_strs, FOLL_LONGTERM, pages_strs); + if (num_pages_strs != nr_pinned_strs) + goto err_pin_strs; + +-- +2.35.1 + diff --git a/queue-6.0/e1000e-fix-tx-dispatch-condition.patch b/queue-6.0/e1000e-fix-tx-dispatch-condition.patch new file mode 100644 index 00000000000..1fd0abc61dd --- /dev/null +++ b/queue-6.0/e1000e-fix-tx-dispatch-condition.patch 
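Review bot: The three `pin_user_pages_fast()` calls pin memory at addresses taken from the ioctl argument (`arg->stat`, `arg->info`, `arg->strs`), and each result is only compared for equality with the requested count, so a negative errno and a partial pin both take the `err_pin_*` path. Those labels are outside the hunk, so it is worth confirming that they unpin only when the returned count is positive. Otherwise a partial pin leaves long-term pinned pages behind, or a negative count reaches the unpin call. A short comment at the first call, e.g. `/* _fast variant: mmap_lock is not held on this path */`, would record why this variant is required.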
@@ -0,0 +1,67 @@ +From 5ab6c11c2448a0a392cf404efc8913935553f7d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Oct 2022 22:00:00 +0900 +Subject: e1000e: Fix TX dispatch condition + +From: Akihiko Odaki + +[ Upstream commit eed913f6919e253f35d454b2f115f2a4db2b741a ] + +e1000_xmit_frame is expected to stop the queue and dispatch frames to +hardware if there is not sufficient space for the next frame in the +buffer, but sometimes it failed to do so because the estimated maximum +size of frame was wrong. As the consequence, the later invocation of +e1000_xmit_frame failed with NETDEV_TX_BUSY, and the frame in the buffer +remained forever, resulting in a watchdog failure. + +This change fixes the estimated size by making it match with the +condition for NETDEV_TX_BUSY. Apparently, the old estimation failed to +account for the following lines which determines the space requirement +for not causing NETDEV_TX_BUSY: + ``` + /* reserve a descriptor for the offload context */ + if ((mss) || (skb->ip_summed == CHECKSUM_PARTIAL)) + count++; + count++; + + count += DIV_ROUND_UP(len, adapter->tx_fifo_limit); + ``` + +This issue was found when running http-stress02 test included in Linux +Test Project 20220930 on QEMU with the following commandline: +``` +qemu-system-x86_64 -M q35,accel=kvm -m 8G -smp 8 + -drive if=virtio,format=raw,file=root.img,file.locking=on + -device e1000e,netdev=netdev + -netdev tap,script=ifup,downscript=no,id=netdev +``` + +Fixes: bc7f75fa9788 ("[E1000E]: New pci-express e1000 driver (currently for ICH9 devices only)") +Signed-off-by: Akihiko Odaki +Tested-by: Gurucharan G (A Contingent worker at Intel) +Tested-by: Naama Meir +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/e1000e/netdev.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/e1000e/netdev.c b/drivers/net/ethernet/intel/e1000e/netdev.c +index 321f2a95ae3a..da113f5011e9 100644 +--- 
a/drivers/net/ethernet/intel/e1000e/netdev.c ++++ b/drivers/net/ethernet/intel/e1000e/netdev.c +@@ -5936,9 +5936,9 @@ static netdev_tx_t e1000_xmit_frame(struct sk_buff *skb, + e1000_tx_queue(tx_ring, tx_flags, count); + /* Make sure there is space in the ring for the next send. */ + e1000_maybe_stop_tx(tx_ring, +- (MAX_SKB_FRAGS * ++ ((MAX_SKB_FRAGS + 1) * + DIV_ROUND_UP(PAGE_SIZE, +- adapter->tx_fifo_limit) + 2)); ++ adapter->tx_fifo_limit) + 4)); + + if (!netdev_xmit_more() || + netif_xmit_stopped(netdev_get_tx_queue(netdev, 0))) { +-- +2.35.1 + diff --git a/queue-6.0/ethernet-aeroflex-fix-potential-skb-leak-in-greth_in.patch b/queue-6.0/ethernet-aeroflex-fix-potential-skb-leak-in-greth_in.patch new file mode 100644 index 00000000000..95ccc2f0a83 --- /dev/null +++ b/queue-6.0/ethernet-aeroflex-fix-potential-skb-leak-in-greth_in.patch 
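Review bot: The new bound `((MAX_SKB_FRAGS + 1) * DIV_ROUND_UP(PAGE_SIZE, adapter->tx_fifo_limit) + 4)` carries two bare constants whose derivation exists only in the commit message. The bug was a mismatch between this estimate and the descriptor count that triggers NETDEV_TX_BUSY, so the existing comment should be extended to say so, e.g. `/* Worst case for the next frame; must stay in sync with the descriptor count checked before returning NETDEV_TX_BUSY. */`. A named macro for the expression would help if it is needed elsewhere. The body of e1000_xmit_frame() starts and ends outside the hunk.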
@@ -0,0 +1,39 @@ +From dc37a9f898e073daaf49fd62a01fc1bda5dfa407 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Dec 2022 14:09:08 +0800 +Subject: ethernet: aeroflex: fix potential skb leak in greth_init_rings() + +From: Zhang Changzhong + +[ Upstream commit 063a932b64db3317ec020c94466fe52923a15f60 ] + +The greth_init_rings() function won't free the newly allocated skb when +dma_mapping_error() returns error, so add dev_kfree_skb() to fix it. + +Compile tested only. + +Fixes: d4c41139df6e ("net: Add Aeroflex Gaisler 10/100/1G Ethernet MAC driver") +Signed-off-by: Zhang Changzhong +Reviewed-by: Leon Romanovsky +Link: https://lore.kernel.org/r/1670134149-29516-1-git-send-email-zhangchangzhong@huawei.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/aeroflex/greth.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/aeroflex/greth.c b/drivers/net/ethernet/aeroflex/greth.c +index 447dc64a17e5..4ce8367bb81c 100644 +--- a/drivers/net/ethernet/aeroflex/greth.c ++++ b/drivers/net/ethernet/aeroflex/greth.c +@@ -258,6 +258,7 @@ static int greth_init_rings(struct greth_private *greth) + if (dma_mapping_error(greth->dev, dma_addr)) { + if (netif_msg_ifup(greth)) + dev_err(greth->dev, "Could not create initial DMA mapping\n"); ++ dev_kfree_skb(skb); + goto cleanup; + } + greth->rx_skbuff[i] = skb; +-- +2.35.1 + diff --git a/queue-6.0/gpio-amd8111-fix-pci-device-reference-count-leak.patch b/queue-6.0/gpio-amd8111-fix-pci-device-reference-count-leak.patch new file mode 100644 index 00000000000..d0bd1005b73 --- /dev/null +++ b/queue-6.0/gpio-amd8111-fix-pci-device-reference-count-leak.patch 
@@ -0,0 +1,54 @@ +From 382dd9ac027cb044133d1985c548de8766eb0ec1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Nov 2022 20:35:08 +0800 +Subject: gpio: amd8111: Fix PCI device reference count leak + +From: Xiongfeng Wang + +[ Upstream commit 45fecdb9f658d9c82960c98240bc0770ade19aca ] + +for_each_pci_dev() is implemented by pci_get_device(). The comment of +pci_get_device() says that it will increase the reference count for the +returned pci_dev and also decrease the reference count for the input +pci_dev @from if it is not NULL. + +If we break for_each_pci_dev() loop with pdev not NULL, we need to call +pci_dev_put() to decrease the reference count. Add the missing +pci_dev_put() after the 'out' label. Since pci_dev_put() can handle NULL +input parameter, there is no problem for the 'Device not found' branch. +For the normal path, add pci_dev_put() in amd_gpio_exit(). + +Fixes: f942a7de047d ("gpio: add a driver for GPIO pins found on AMD-8111 south bridge chips") +Signed-off-by: Xiongfeng Wang +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-amd8111.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/gpio/gpio-amd8111.c b/drivers/gpio/gpio-amd8111.c +index 14e6b3e64add..6f3ded619c8b 100644 +--- a/drivers/gpio/gpio-amd8111.c ++++ b/drivers/gpio/gpio-amd8111.c +@@ -226,7 +226,10 @@ static int __init amd_gpio_init(void) + ioport_unmap(gp.pm); + goto out; + } ++ return 0; ++ + out: ++ pci_dev_put(pdev); + return err; + } + +@@ -234,6 +237,7 @@ static void __exit amd_gpio_exit(void) + { + gpiochip_remove(&gp.chip); + ioport_unmap(gp.pm); ++ pci_dev_put(gp.pdev); + } + + module_init(amd_gpio_init); +-- +2.35.1 + diff --git a/queue-6.0/gpio-rockchip-fix-refcount-leak-in-rockchip_gpiolib_.patch b/queue-6.0/gpio-rockchip-fix-refcount-leak-in-rockchip_gpiolib_.patch new file mode 100644 index 00000000000..1e0fced8915 --- /dev/null +++ b/queue-6.0/gpio-rockchip-fix-refcount-leak-in-rockchip_gpiolib_.patch 
@@ -0,0 +1,36 @@ +From 5270aabe9a7fd868301ee804560341d741bf27aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Dec 2022 14:19:56 +0800 +Subject: gpio/rockchip: fix refcount leak in rockchip_gpiolib_register() + +From: Wang Yufen + +[ Upstream commit 63ff545af73f759d1bd04198af8ed8577fb739fc ] + +The node returned by of_get_parent() with refcount incremented, +of_node_put() needs be called when finish using it. So add it in the +end of of_pinctrl_get(). + +Fixes: 936ee2675eee ("gpio/rockchip: add driver for rockchip gpio") +Signed-off-by: Wang Yufen +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-rockchip.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpio/gpio-rockchip.c b/drivers/gpio/gpio-rockchip.c +index 9c976ad7208e..09cfb49ed998 100644 +--- a/drivers/gpio/gpio-rockchip.c ++++ b/drivers/gpio/gpio-rockchip.c +@@ -621,6 +621,7 @@ static int rockchip_gpiolib_register(struct rockchip_pin_bank *bank) + return -ENODATA; + + pctldev = of_pinctrl_get(pctlnp); ++ of_node_put(pctlnp); + if (!pctldev) + return -ENODEV; + +-- +2.35.1 + diff --git a/queue-6.0/gpiolib-fix-memory-leak-in-gpiochip_setup_dev.patch b/queue-6.0/gpiolib-fix-memory-leak-in-gpiochip_setup_dev.patch new file mode 100644 index 00000000000..bea425c5b8a --- /dev/null +++ b/queue-6.0/gpiolib-fix-memory-leak-in-gpiochip_setup_dev.patch 
@@ -0,0 +1,184 @@ +From e81f5fdcfc5ae52800c466f7ae76cb1e619a345a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Nov 2022 22:07:57 +0100 +Subject: gpiolib: fix memory leak in gpiochip_setup_dev() + +From: Zeng Heng + +[ Upstream commit ec851b23084b3a0af8bf0f5e51d33a8d678bdc49 ] + +Here is a backtrace report about memory leak detected in +gpiochip_setup_dev(): + +unreferenced object 0xffff88810b406400 (size 512): + comm "python3", pid 1682, jiffies 4295346908 (age 24.090s) + backtrace: + kmalloc_trace + device_add device_private_init at drivers/base/core.c:3361 + (inlined by) device_add at drivers/base/core.c:3411 + cdev_device_add + gpiolib_cdev_register + gpiochip_setup_dev + gpiochip_add_data_with_key + +gcdev_register() & gcdev_unregister() would call device_add() & +device_del() (no matter CONFIG_GPIO_CDEV is enabled or not) to +register/unregister device. + +However, if device_add() succeeds, some resource (like +struct device_private allocated by device_private_init()) +is not released by device_del(). + +Therefore, after device_add() succeeds by gcdev_register(), it +needs to call put_device() to release resource in the error handle +path. + +Here we move forward the register of release function, and let it +release every piece of resource by put_device() instead of kfree(). + +While at it, fix another subtle issue, i.e. when gc->ngpio is equal +to 0, we still call kcalloc() and, in case of further error, kfree() +on the ZERO_PTR pointer, which is not NULL. It's not a bug per se, +but rather waste of the resources and potentially wrong expectation +about contents of the gdev->descs variable. 
+ +Fixes: 159f3cd92f17 ("gpiolib: Defer gpio device setup until after gpiolib initialization") +Signed-off-by: Zeng Heng +Co-developed-by: Andy Shevchenko +Signed-off-by: Andy Shevchenko +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpiolib.c | 42 ++++++++++++++++++++++++++---------------- + 1 file changed, 26 insertions(+), 16 deletions(-) + +diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c +index cc9c0a12259e..eb7d00608c7f 100644 +--- a/drivers/gpio/gpiolib.c ++++ b/drivers/gpio/gpiolib.c +@@ -526,12 +526,13 @@ static int gpiochip_setup_dev(struct gpio_device *gdev) + if (ret) + return ret; + ++ /* From this point, the .release() function cleans up gpio_device */ ++ gdev->dev.release = gpiodevice_release; ++ + ret = gpiochip_sysfs_register(gdev); + if (ret) + goto err_remove_device; + +- /* From this point, the .release() function cleans up gpio_device */ +- gdev->dev.release = gpiodevice_release; + dev_dbg(&gdev->dev, "registered GPIOs %d to %d on %s\n", gdev->base, + gdev->base + gdev->ngpio - 1, gdev->chip->label ? : "generic"); + +@@ -597,10 +598,10 @@ int gpiochip_add_data_with_key(struct gpio_chip *gc, void *data, + struct fwnode_handle *fwnode = NULL; + struct gpio_device *gdev; + unsigned long flags; +- int base = gc->base; + unsigned int i; ++ u32 ngpios = 0; ++ int base = 0; + int ret = 0; +- u32 ngpios; + + if (gc->fwnode) + fwnode = gc->fwnode; +@@ -647,17 +648,12 @@ int gpiochip_add_data_with_key(struct gpio_chip *gc, void *data, + else + gdev->owner = THIS_MODULE; + +- gdev->descs = kcalloc(gc->ngpio, sizeof(gdev->descs[0]), GFP_KERNEL); +- if (!gdev->descs) { +- ret = -ENOMEM; +- goto err_free_dev_name; +- } +- + /* + * Try the device properties if the driver didn't supply the number + * of GPIO lines. 
+ */ +- if (gc->ngpio == 0) { ++ ngpios = gc->ngpio; ++ if (ngpios == 0) { + ret = device_property_read_u32(&gdev->dev, "ngpios", &ngpios); + if (ret == -ENODATA) + /* +@@ -668,7 +664,7 @@ int gpiochip_add_data_with_key(struct gpio_chip *gc, void *data, + */ + ngpios = 0; + else if (ret) +- goto err_free_descs; ++ goto err_free_dev_name; + + gc->ngpio = ngpios; + } +@@ -676,13 +672,19 @@ int gpiochip_add_data_with_key(struct gpio_chip *gc, void *data, + if (gc->ngpio == 0) { + chip_err(gc, "tried to insert a GPIO chip with zero lines\n"); + ret = -EINVAL; +- goto err_free_descs; ++ goto err_free_dev_name; + } + + if (gc->ngpio > FASTPATH_NGPIO) + chip_warn(gc, "line cnt %u is greater than fast path cnt %u\n", + gc->ngpio, FASTPATH_NGPIO); + ++ gdev->descs = kcalloc(gc->ngpio, sizeof(*gdev->descs), GFP_KERNEL); ++ if (!gdev->descs) { ++ ret = -ENOMEM; ++ goto err_free_dev_name; ++ } ++ + gdev->label = kstrdup_const(gc->label ?: "unknown", GFP_KERNEL); + if (!gdev->label) { + ret = -ENOMEM; +@@ -701,11 +703,13 @@ int gpiochip_add_data_with_key(struct gpio_chip *gc, void *data, + * it may be a pipe dream. It will not happen before we get rid + * of the sysfs interface anyways. 
+ */ ++ base = gc->base; + if (base < 0) { + base = gpiochip_find_base(gc->ngpio); + if (base < 0) { +- ret = base; + spin_unlock_irqrestore(&gpio_lock, flags); ++ ret = base; ++ base = 0; + goto err_free_label; + } + /* +@@ -816,6 +820,11 @@ int gpiochip_add_data_with_key(struct gpio_chip *gc, void *data, + err_free_gpiochip_mask: + gpiochip_remove_pin_ranges(gc); + gpiochip_free_valid_mask(gc); ++ if (gdev->dev.release) { ++ /* release() has been registered by gpiochip_setup_dev() */ ++ put_device(&gdev->dev); ++ goto err_print_message; ++ } + err_remove_from_list: + spin_lock_irqsave(&gpio_lock, flags); + list_del(&gdev->list); +@@ -829,13 +838,14 @@ int gpiochip_add_data_with_key(struct gpio_chip *gc, void *data, + err_free_ida: + ida_free(&gpio_ida, gdev->id); + err_free_gdev: ++ kfree(gdev); ++err_print_message: + /* failures here can mean systems won't boot... */ + if (ret != -EPROBE_DEFER) { + pr_err("%s: GPIOs %d..%d (%s) failed to register, %d\n", __func__, +- gdev->base, gdev->base + gdev->ngpio - 1, ++ base, base + (int)ngpios - 1, + gc->label ? : "generic", ret); + } +- kfree(gdev); + return ret; + } + EXPORT_SYMBOL_GPL(gpiochip_add_data_with_key); +-- +2.35.1 + diff --git a/queue-6.0/i40e-disallow-ip4-and-ip6-l4_4_bytes.patch b/queue-6.0/i40e-disallow-ip4-and-ip6-l4_4_bytes.patch new file mode 100644 index 00000000000..889aecee61c --- /dev/null +++ b/queue-6.0/i40e-disallow-ip4-and-ip6-l4_4_bytes.patch 
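Review bot: After this change `gdev` may already be gone when `err_print_message` is reached, either through the `kfree(gdev)` now placed above the label or through `put_device(&gdev->dev)` (whose release callback presumably frees it). That is why the message switched to the locals `base` and `ngpios`, but nothing at the label says so. A comment such as `/* gdev may have been freed above: use only local copies here */` would stop a later edit from reintroducing `gdev->base` and with it a use-after-free. Separately, on the "zero lines" path both locals are still 0 when the message is printed, so the log reads "GPIOs 0..-1". gpiochip_add_data_with_key() starts outside the hunks.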
@@ -0,0 +1,59 @@ +From 1b98e659d48ae3d12f69f9a68f47f1ac0a53a19d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Nov 2022 09:49:25 +0100 +Subject: i40e: Disallow ip4 and ip6 l4_4_bytes + +From: Przemyslaw Patynowski + +[ Upstream commit d64aaf3f7869f915fd120763d75f11d6b116424d ] + +Return -EOPNOTSUPP, when user requests l4_4_bytes for raw IP4 or +IP6 flow director filters. Flow director does not support filtering +on l4 bytes for PCTYPEs used by IP4 and IP6 filters. +Without this patch, user could create filters with l4_4_bytes fields, +which did not do any filtering on L4, but only on L3 fields. + +Fixes: 36777d9fa24c ("i40e: check current configured input set when adding ntuple filters") +Signed-off-by: Przemyslaw Patynowski +Signed-off-by: Kamil Maziarz +Reviewed-by: Jacob Keller +Tested-by: Gurucharan G (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_ethtool.c | 12 ++---------- + 1 file changed, 2 insertions(+), 10 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c +index 6f0d4160ff82..d9368f7669aa 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c +@@ -4464,11 +4464,7 @@ static int i40e_check_fdir_input_set(struct i40e_vsi *vsi, + return -EOPNOTSUPP; + + /* First 4 bytes of L4 header */ +- if (usr_ip4_spec->l4_4_bytes == htonl(0xFFFFFFFF)) +- new_mask |= I40E_L4_SRC_MASK | I40E_L4_DST_MASK; +- else if (!usr_ip4_spec->l4_4_bytes) +- new_mask &= ~(I40E_L4_SRC_MASK | I40E_L4_DST_MASK); +- else ++ if (usr_ip4_spec->l4_4_bytes) + return -EOPNOTSUPP; + + /* Filtering on Type of Service is not supported. 
*/ +@@ -4507,11 +4503,7 @@ static int i40e_check_fdir_input_set(struct i40e_vsi *vsi, + else + return -EOPNOTSUPP; + +- if (usr_ip6_spec->l4_4_bytes == htonl(0xFFFFFFFF)) +- new_mask |= I40E_L4_SRC_MASK | I40E_L4_DST_MASK; +- else if (!usr_ip6_spec->l4_4_bytes) +- new_mask &= ~(I40E_L4_SRC_MASK | I40E_L4_DST_MASK); +- else ++ if (usr_ip6_spec->l4_4_bytes) + return -EOPNOTSUPP; + + /* Filtering on Traffic class is not supported. */ +-- +2.35.1 + diff --git a/queue-6.0/i40e-fix-for-vf-mac-address-0.patch b/queue-6.0/i40e-fix-for-vf-mac-address-0.patch new file mode 100644 index 00000000000..d05c9336a28 --- /dev/null +++ b/queue-6.0/i40e-fix-for-vf-mac-address-0.patch 
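Review bot: The comment `/* First 4 bytes of L4 header */` kept above the IPv4 check no longer says what the check does, and the equivalent IPv6 check has no comment at all. Since any non-zero `l4_4_bytes` is now rejected with -EOPNOTSUPP, both places could carry `/* Filtering on the first 4 bytes of the L4 header is not supported. */`, matching the wording of the neighbouring "Filtering on Type of Service is not supported." comment. The body of i40e_check_fdir_input_set() lies outside the hunks.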
@@ -0,0 +1,49 @@ +From 32ed7c4bff16ad76fbf9e1de6923a3befeee18e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Oct 2022 13:00:28 +0100 +Subject: i40e: Fix for VF MAC address 0 + +From: Sylwester Dziedziuch + +[ Upstream commit 08501970472077ed5de346ad89943a37d1692e9b ] + +After spawning max VFs on a PF, some VFs were not getting resources and +their MAC addresses were 0. This was caused by PF sleeping before flushing +HW registers which caused VIRTCHNL_VFR_VFACTIVE to not be set in time for +VF. + +Fix by adding a sleep after hw flush. + +Fixes: e4b433f4a741 ("i40e: reset all VFs in parallel when rebuilding PF") +Signed-off-by: Sylwester Dziedziuch +Signed-off-by: Jan Sokolowski +Tested-by: Konrad Jankowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c +index 72ddcefc45b1..635f93d60318 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c +@@ -1578,6 +1578,7 @@ bool i40e_reset_vf(struct i40e_vf *vf, bool flr) + i40e_cleanup_reset_vf(vf); + + i40e_flush(hw); ++ usleep_range(20000, 40000); + clear_bit(I40E_VF_STATE_RESETTING, &vf->vf_states); + + return true; +@@ -1701,6 +1702,7 @@ bool i40e_reset_all_vfs(struct i40e_pf *pf, bool flr) + } + + i40e_flush(hw); ++ usleep_range(20000, 40000); + clear_bit(__I40E_VF_DISABLE, pf->state); + + return true; +-- +2.35.1 + diff --git a/queue-6.0/i40e-fix-not-setting-default-xps_cpus-after-reset.patch b/queue-6.0/i40e-fix-not-setting-default-xps_cpus-after-reset.patch new file mode 100644 index 00000000000..d2c535a3c6f --- /dev/null +++ b/queue-6.0/i40e-fix-not-setting-default-xps_cpus-after-reset.patch 
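Review bot: Both added `usleep_range(20000, 40000);` calls are unexplained magic delays, duplicated in i40e_reset_vf() and i40e_reset_all_vfs(). The reason (giving the flushed state time to reach the VF before the reset flag is cleared) exists only in the commit message. A comment such as `/* let the VF observe the flushed reset state before the flag is cleared */` and a shared named constant for the range would make the intent and the coupling explicit. A fixed sleep also only narrows the window, so if the hardware exposes a status that can be polled, that would be the more robust check, though the hunk does not show whether one exists.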
@@ -0,0 +1,72 @@ +From 63b9103bc5f05f524caa1a85bf2ed425e44d3c16 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Oct 2022 10:19:42 +0200 +Subject: i40e: Fix not setting default xps_cpus after reset + +From: Michal Jaron + +[ Upstream commit 82e0572b23029b380464fa9fdc125db9c1506d0a ] + +During tx rings configuration default XPS queue config is set and +__I40E_TX_XPS_INIT_DONE is locked. __I40E_TX_XPS_INIT_DONE state is +cleared and set again with default mapping only during queues build, +it means after first setup or reset with queues rebuild. (i.e. +ethtool -L combined ) After other resets (i.e. +ethtool -t ) XPS_INIT_DONE is not cleared and those default +maps cannot be set again. It results in cleared xps_cpus mapping +until queues are not rebuild or mapping is not set by user. + +Add clearing __I40E_TX_XPS_INIT_DONE state during reset to let +the driver set xps_cpus to defaults again after it was cleared. + +Fixes: 6f853d4f8e93 ("i40e: allow XPS with QoS enabled") +Signed-off-by: Michal Jaron +Signed-off-by: Kamil Maziarz +Tested-by: Gurucharan (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_main.c | 19 ++++++++++++++++++- + 1 file changed, 18 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c +index 023685cca2c1..e53ea7ed0b1d 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c +@@ -10661,6 +10661,21 @@ static int i40e_rebuild_channels(struct i40e_vsi *vsi) + return 0; + } + ++/** ++ * i40e_clean_xps_state - clean xps state for every tx_ring ++ * @vsi: ptr to the VSI ++ **/ ++static void i40e_clean_xps_state(struct i40e_vsi *vsi) ++{ ++ int i; ++ ++ if (vsi->tx_rings) ++ for (i = 0; i < vsi->num_queue_pairs; i++) ++ if (vsi->tx_rings[i]) ++ clear_bit(__I40E_TX_XPS_INIT_DONE, ++ vsi->tx_rings[i]->state); ++} ++ + /** + * 
i40e_prep_for_reset - prep for the core to reset + * @pf: board private structure +@@ -10685,8 +10700,10 @@ static void i40e_prep_for_reset(struct i40e_pf *pf) + i40e_pf_quiesce_all_vsi(pf); + + for (v = 0; v < pf->num_alloc_vsi; v++) { +- if (pf->vsi[v]) ++ if (pf->vsi[v]) { ++ i40e_clean_xps_state(pf->vsi[v]); + pf->vsi[v]->seid = 0; ++ } + } + + i40e_shutdown_adminq(&pf->hw); +-- +2.35.1 + diff --git a/queue-6.0/ieee802154-cc2520-fix-error-return-code-in-cc2520_hw.patch b/queue-6.0/ieee802154-cc2520-fix-error-return-code-in-cc2520_hw.patch new file mode 100644 index 00000000000..c0ea1a677d9 --- /dev/null +++ b/queue-6.0/ieee802154-cc2520-fix-error-return-code-in-cc2520_hw.patch @@ -0,0 +1,37 @@ +From 93c445a9f3be5041bd09f4ecccbadb856d0ee5a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 20 Nov 2022 15:50:46 +0800 +Subject: ieee802154: cc2520: Fix error return code in cc2520_hw_init() + +From: Ziyang Xuan + +[ Upstream commit 4d002d6a2a00ac1c433899bd7625c6400a74cfba ] + +In cc2520_hw_init(), if oscillator start failed, the error code +should be returned. + +Fixes: 0da6bc8cc341 ("ieee802154: cc2520: adds driver for TI CC2520 radio") +Signed-off-by: Ziyang Xuan +Link: https://lore.kernel.org/r/20221120075046.2213633-1-william.xuanziyang@huawei.com +Signed-off-by: Stefan Schmidt +Signed-off-by: Sasha Levin +--- + drivers/net/ieee802154/cc2520.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ieee802154/cc2520.c b/drivers/net/ieee802154/cc2520.c +index c69b87d3837d..edc769daad07 100644 +--- a/drivers/net/ieee802154/cc2520.c ++++ b/drivers/net/ieee802154/cc2520.c +@@ -970,7 +970,7 @@ static int cc2520_hw_init(struct cc2520_private *priv) + + if (timeout-- <= 0) { + dev_err(&priv->spi->dev, "oscillator start failed!\n"); +- return ret; ++ return -ETIMEDOUT; + } + udelay(1); + } while (!(status & CC2520_STATUS_XOSC32M_STABLE)); +-- +2.35.1 + 
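Review bot: In the new i40e_clean_xps_state() helper the `if (vsi->tx_rings)` / `for` / `if (vsi->tx_rings[i])` chain is nested three deep without braces, although the outer bodies span several lines, which makes it easy to attach a later statement to the wrong level. A guard clause reads more clearly: `if (!vsi->tx_rings) return;` followed by a braced `for` loop around the per-ring check. The kernel-doc line could also say that clearing `__I40E_TX_XPS_INIT_DONE` is what lets the default XPS mapping be applied again after a reset, as that is the point of the helper.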
diff --git a/queue-6.0/igb-allocate-msi-x-vector-when-testing.patch b/queue-6.0/igb-allocate-msi-x-vector-when-testing.patch
new file mode 100644
index 00000000000..5856fe4324b
--- /dev/null
+++ b/queue-6.0/igb-allocate-msi-x-vector-when-testing.patch
@@ -0,0 +1,69 @@
+From b8b67e0864b71ee39270e3125d48fbb238155f3a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 25 Nov 2022 22:30:31 +0900
+Subject: igb: Allocate MSI-X vector when testing
+
+From: Akihiko Odaki
+
+[ Upstream commit 28e96556baca7056d11d9fb3cdd0aba4483e00d8 ]
+
+Without this change, the interrupt test fail with MSI-X environment:
+
+$ sudo ethtool -t enp0s2 offline
+[ 43.921783] igb 0000:00:02.0: offline testing starting
+[ 44.855824] igb 0000:00:02.0 enp0s2: igb: enp0s2 NIC Link is Down
+[ 44.961249] igb 0000:00:02.0 enp0s2: igb: enp0s2 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX/TX
+[ 51.272202] igb 0000:00:02.0: testing shared interrupt
+[ 56.996975] igb 0000:00:02.0 enp0s2: igb: enp0s2 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX/TX
+The test result is FAIL
+The test extra info:
+Register test (offline) 0
+Eeprom test (offline) 0
+Interrupt test (offline) 4
+Loopback test (offline) 0
+Link test (on/offline) 0
+
+Here, "4" means an expected interrupt was not delivered.
+
+To fix this, route IRQs correctly to the first MSI-X vector by setting
+IVAR_MISC. Also, set bit 0 of EIMS so that the vector will not be
+masked. The interrupt test now runs properly with this change:
+
+$ sudo ethtool -t enp0s2 offline
+[ 42.762985] igb 0000:00:02.0: offline testing starting
+[ 50.141967] igb 0000:00:02.0: testing shared interrupt
+[ 56.163957] igb 0000:00:02.0 enp0s2: igb: enp0s2 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX/TX
+The test result is PASS
+The test extra info:
+Register test (offline) 0
+Eeprom test (offline) 0
+Interrupt test (offline) 0
+Loopback test (offline) 0
+Link test (on/offline) 0
+
+Fixes: 4eefa8f01314 ("igb: add single vector msi-x testing to interrupt test")
+Signed-off-by: Akihiko Odaki
+Reviewed-by: Maciej Fijalkowski
+Tested-by: Gurucharan G (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/igb/igb_ethtool.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb_ethtool.c b/drivers/net/ethernet/intel/igb/igb_ethtool.c
+index c14fc871dd41..677893f891ed 100644
+--- a/drivers/net/ethernet/intel/igb/igb_ethtool.c
++++ b/drivers/net/ethernet/intel/igb/igb_ethtool.c
+@@ -1413,6 +1413,8 @@ static int igb_intr_test(struct igb_adapter *adapter, u64 *data)
+ *data = 1;
+ return -1;
+ }
++ wr32(E1000_IVAR_MISC, E1000_IVAR_VALID << 8);
++ wr32(E1000_EIMS, BIT(0));
+ } else if (adapter->flags & IGB_FLAG_HAS_MSI) {
+ shared_int = false;
+ if (request_irq(irq,
+--
+2.35.1
+
diff --git a/queue-6.0/inet-ping-use-hlist_nulls-rcu-iterator-during-lookup.patch b/queue-6.0/inet-ping-use-hlist_nulls-rcu-iterator-during-lookup.patch
new file mode 100644
index 00000000000..76da7e673f7
--- /dev/null
+++ b/queue-6.0/inet-ping-use-hlist_nulls-rcu-iterator-during-lookup.patch
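Review bot: The two register writes added to the MSI-X branch of igb_intr_test() have no comment, and the `<< 8` shift and `BIT(0)` read as magic values whose meaning is only in the commit message. A one-line comment above them, e.g. `/* Route interrupts to the first MSI-X vector and unmask it (EIMS bit 0) */`, would keep that intent next to the code. The hunk does not show whether IVAR_MISC and EIMS are put back when the test finishes; igb_intr_test() continues outside the hunk, so that should be confirmed against the rest of the function.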
@@ -0,0 +1,80 @@
+From 12efd6ec36687a927de34c8c7b5d311806742332 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 29 Nov 2022 15:06:44 +0100
+Subject: inet: ping: use hlist_nulls rcu iterator during lookup
+
+From: Florian Westphal
+
+[ Upstream commit c25b7a7a565e5eeb2459b37583eea67942057511 ]
+
+ping_lookup() does not acquire the table spinlock, so iteration should
+use hlist_nulls_for_each_entry_rcu().
+
+Spotted during code review.
+
+Fixes: dbca1596bbb0 ("ping: convert to RCU lookups, get rid of rwlock")
+Cc: Eric Dumazet
+Signed-off-by: Florian Westphal
+Link: https://lore.kernel.org/r/20221129140644.28525-1-fw@strlen.de
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ .clang-format | 1 +
+ include/net/ping.h | 3 ---
+ net/ipv4/ping.c | 7 ++++++-
+ 3 files changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/.clang-format b/.clang-format
+index 1247d54f9e49..8d01225bfcb7 100644
+--- a/.clang-format
++++ b/.clang-format
+@@ -535,6 +535,7 @@ ForEachMacros:
+ - 'perf_hpp_list__for_each_sort_list_safe'
+ - 'perf_pmu__for_each_hybrid_pmu'
+ - 'ping_portaddr_for_each_entry'
++ - 'ping_portaddr_for_each_entry_rcu'
+ - 'plist_for_each'
+ - 'plist_for_each_continue'
+ - 'plist_for_each_entry'
+diff --git a/include/net/ping.h b/include/net/ping.h
+index e4ff3911cbf5..9233ad3de0ad 100644
+--- a/include/net/ping.h
++++ b/include/net/ping.h
+@@ -16,9 +16,6 @@
+ #define PING_HTABLE_SIZE 64
+ #define PING_HTABLE_MASK (PING_HTABLE_SIZE-1)
+
+-#define ping_portaddr_for_each_entry(__sk, node, list) \
+- hlist_nulls_for_each_entry(__sk, node, list, sk_nulls_node)
+-
+ /*
+ * gid_t is either uint or ushort. We want to pass it to
+ * proc_dointvec_minmax(), so it must not be larger than MAX_INT
+diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
+index b83c2bd9d722..3b2420829c23 100644
+--- a/net/ipv4/ping.c
++++ b/net/ipv4/ping.c
+@@ -48,6 +48,11 @@
+ #include
+ #endif
+
++#define ping_portaddr_for_each_entry(__sk, node, list) \
++ hlist_nulls_for_each_entry(__sk, node, list, sk_nulls_node)
++#define ping_portaddr_for_each_entry_rcu(__sk, node, list) \
++ hlist_nulls_for_each_entry_rcu(__sk, node, list, sk_nulls_node)
++
+ struct ping_table {
+ struct hlist_nulls_head hash[PING_HTABLE_SIZE];
+ spinlock_t lock;
+@@ -191,7 +196,7 @@ static struct sock *ping_lookup(struct net *net, struct sk_buff *skb, u16 ident)
+ return NULL;
+ }
+
+- ping_portaddr_for_each_entry(sk, hnode, hslot) {
++ ping_portaddr_for_each_entry_rcu(sk, hnode, hslot) {
+ isk = inet_sk(sk);
+
+ pr_debug("iterate\n");
+--
+2.35.1
+
diff --git a/queue-6.0/ip_gre-do-not-report-erspan-version-on-gre-interface.patch b/queue-6.0/ip_gre-do-not-report-erspan-version-on-gre-interface.patch
new file mode 100644
index 00000000000..1d83e5b4eeb
--- /dev/null
+++ b/queue-6.0/ip_gre-do-not-report-erspan-version-on-gre-interface.patch
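Review bot: The two iterator macros now defined in net/ipv4/ping.c differ only in the `_rcu` suffix, and nothing at the definition says which calling context each one needs. A short comment above them would keep the next lookup from picking the wrong one, e.g. `/* _rcu variant: for readers that do not hold ping_table.lock, such as ping_lookup() */`. The hunk does not show where ping_lookup() enters its RCU read-side section, since the function body starts outside the hunk; it is worth confirming that the whole loop, including any reference taken on the socket it returns, sits inside that section.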
@@ -0,0 +1,104 @@
+From ac4d8adec383095f636edebc6f99a0b4eb258b8f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 3 Dec 2022 11:28:58 +0800
+Subject: ip_gre: do not report erspan version on GRE interface
+
+From: Hangbin Liu
+
+[ Upstream commit ee496694b9eea651ae1aa4c4667d886cdf74aa3b ]
+
+Although the type I ERSPAN is based on the barebones IP + GRE
+encapsulation and no extra ERSPAN header. Report erspan version on GRE
+interface looks unreasonable. Fix this by separating the erspan and gre
+fill info.
+
+IPv6 GRE does not have this info as IPv6 only supports erspan version
+1 and 2.
+
+Reported-by: Jianlin Shi
+Fixes: f989d546a2d5 ("erspan: Add type I version 0 support.")
+Signed-off-by: Hangbin Liu
+Acked-by: William Tu
+Link: https://lore.kernel.org/r/20221203032858.3130339-1-liuhangbin@gmail.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/ip_gre.c | 48 ++++++++++++++++++++++++++++-------------------
+ 1 file changed, 29 insertions(+), 19 deletions(-)
+
+diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
+index f866d6282b2b..cae9f1a4e059 100644
+--- a/net/ipv4/ip_gre.c
++++ b/net/ipv4/ip_gre.c
+@@ -1492,24 +1492,6 @@ static int ipgre_fill_info(struct sk_buff *skb, const struct net_device *dev)
+ struct ip_tunnel_parm *p = &t->parms;
+ __be16 o_flags = p->o_flags;
+
+- if (t->erspan_ver <= 2) {
+- if (t->erspan_ver != 0 && !t->collect_md)
+- o_flags |= TUNNEL_KEY;
+-
+- if (nla_put_u8(skb, IFLA_GRE_ERSPAN_VER, t->erspan_ver))
+- goto nla_put_failure;
+-
+- if (t->erspan_ver == 1) {
+- if (nla_put_u32(skb, IFLA_GRE_ERSPAN_INDEX, t->index))
+- goto nla_put_failure;
+- } else if (t->erspan_ver == 2) {
+- if (nla_put_u8(skb, IFLA_GRE_ERSPAN_DIR, t->dir))
+- goto nla_put_failure;
+- if (nla_put_u16(skb, IFLA_GRE_ERSPAN_HWID, t->hwid))
+- goto nla_put_failure;
+- }
+- }
+-
+ if (nla_put_u32(skb, IFLA_GRE_LINK, p->link) ||
+ nla_put_be16(skb, IFLA_GRE_IFLAGS,
+ gre_tnl_flags_to_gre_flags(p->i_flags)) ||
+@@ -1550,6 +1532,34 @@ static int ipgre_fill_info(struct sk_buff *skb, const struct net_device *dev)
+ return -EMSGSIZE;
+ }
+
++static int erspan_fill_info(struct sk_buff *skb, const struct net_device *dev)
++{
++ struct ip_tunnel *t = netdev_priv(dev);
++
++ if (t->erspan_ver <= 2) {
++ if (t->erspan_ver != 0 && !t->collect_md)
++ t->parms.o_flags |= TUNNEL_KEY;
++
++ if (nla_put_u8(skb, IFLA_GRE_ERSPAN_VER, t->erspan_ver))
++ goto nla_put_failure;
++
++ if (t->erspan_ver == 1) {
++ if (nla_put_u32(skb, IFLA_GRE_ERSPAN_INDEX, t->index))
++ goto nla_put_failure;
++ } else if (t->erspan_ver == 2) {
++ if (nla_put_u8(skb, IFLA_GRE_ERSPAN_DIR, t->dir))
++ goto nla_put_failure;
++ if (nla_put_u16(skb, IFLA_GRE_ERSPAN_HWID, t->hwid))
++ goto nla_put_failure;
++ }
++ }
++
++ return ipgre_fill_info(skb, dev);
++
++nla_put_failure:
++ return -EMSGSIZE;
++}
++
+ static void erspan_setup(struct net_device *dev)
+ {
+ struct ip_tunnel *t = netdev_priv(dev);
+@@ -1628,7 +1638,7 @@ static struct rtnl_link_ops erspan_link_ops __read_mostly = {
+ .changelink = erspan_changelink,
+ .dellink = ip_tunnel_dellink,
+ .get_size = ipgre_get_size,
+- .fill_info = ipgre_fill_info,
++ .fill_info = erspan_fill_info,
+ .get_link_net = ip_tunnel_get_link_net,
+ };
+
+--
+2.35.1
+
diff --git a/queue-6.0/ipv4-fix-incorrect-route-flushing-when-source-addres.patch b/queue-6.0/ipv4-fix-incorrect-route-flushing-when-source-addres.patch
new file mode 100644
index 00000000000..3f4f59d00d4
--- /dev/null
+++ b/queue-6.0/ipv4-fix-incorrect-route-flushing-when-source-addres.patch
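Review bot: erspan_fill_info() writes `t->parms.o_flags |= TUNNEL_KEY;` into the tunnel's stored parameters, where the code removed from ipgre_fill_info() only OR-ed the bit into its local `o_flags` copy. The callback takes a `const struct net_device *` and exists to report state, so a netlink dump now changes device state as a side effect, and a reader of `parms.o_flags` that does not hold whatever lock the dump path takes (not visible here) could see the flag change underneath it. Keeping the bit in a local, `__be16 o_flags = t->parms.o_flags;` followed by `o_flags |= TUNNEL_KEY;`, and passing that value to the shared GRE fill code rather than calling ipgre_fill_info() on the modified tunnel would keep the dump read-only. ipgre_fill_info() is only partly inside the hunk, so how it consumes `o_flags` should be checked there.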
@@ -0,0 +1,134 @@
+From 81ea9836f689e235eb5cadab64f9efe3feef9744 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 4 Dec 2022 09:50:44 +0200
+Subject: ipv4: Fix incorrect route flushing when source address is deleted
+
+From: Ido Schimmel
+
+[ Upstream commit f96a3d74554df537b6db5c99c27c80e7afadc8d1 ]
+
+Cited commit added the table ID to the FIB info structure, but did not
+prevent structures with different table IDs from being consolidated.
+This can lead to routes being flushed from a VRF when an address is
+deleted from a different VRF.
+
+Fix by taking the table ID into account when looking for a matching FIB
+info. This is already done for FIB info structures backed by a nexthop
+object in fib_find_info_nh().
+
+Add test cases that fail before the fix:
+
+ # ./fib_tests.sh -t ipv4_del_addr
+
+ IPv4 delete address route tests
+ Regular FIB info
+ TEST: Route removed from VRF when source address deleted [ OK ]
+ TEST: Route in default VRF not removed [ OK ]
+ TEST: Route removed in default VRF when source address deleted [ OK ]
+ TEST: Route in VRF is not removed by address delete [ OK ]
+ Identical FIB info with different table ID
+ TEST: Route removed from VRF when source address deleted [FAIL]
+ TEST: Route in default VRF not removed [ OK ]
+ RTNETLINK answers: File exists
+ TEST: Route removed in default VRF when source address deleted [ OK ]
+ TEST: Route in VRF is not removed by address delete [FAIL]
+
+ Tests passed: 6
+ Tests failed: 2
+
+And pass after:
+
+ # ./fib_tests.sh -t ipv4_del_addr
+
+ IPv4 delete address route tests
+ Regular FIB info
+ TEST: Route removed from VRF when source address deleted [ OK ]
+ TEST: Route in default VRF not removed [ OK ]
+ TEST: Route removed in default VRF when source address deleted [ OK ]
+ TEST: Route in VRF is not removed by address delete [ OK ]
+ Identical FIB info with different table ID
+ TEST: Route removed from VRF when source address deleted [ OK ]
+ TEST: Route in default VRF not removed [ OK ]
+ TEST: Route removed in default VRF when source address deleted [ OK ]
+ TEST: Route in VRF is not removed by address delete [ OK ]
+
+ Tests passed: 8
+ Tests failed: 0
+
+Fixes: 5a56a0b3a45d ("net: Don't delete routes in different VRFs")
+Signed-off-by: Ido Schimmel
+Reviewed-by: David Ahern
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/fib_semantics.c | 1 +
+ tools/testing/selftests/net/fib_tests.sh | 27 ++++++++++++++++++++++++
+ 2 files changed, 28 insertions(+)
+
+diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
+index cb24260692e1..7885b2f15315 100644
+--- a/net/ipv4/fib_semantics.c
++++ b/net/ipv4/fib_semantics.c
+@@ -423,6 +423,7 @@ static struct fib_info *fib_find_info(struct fib_info *nfi)
+ nfi->fib_prefsrc == fi->fib_prefsrc &&
+ nfi->fib_priority == fi->fib_priority &&
+ nfi->fib_type == fi->fib_type &&
++ nfi->fib_tb_id == fi->fib_tb_id &&
+ memcmp(nfi->fib_metrics, fi->fib_metrics,
+ sizeof(u32) * RTAX_MAX) == 0 &&
+ !((nfi->fib_flags ^ fi->fib_flags) & ~RTNH_COMPARE_MASK) &&
+diff --git a/tools/testing/selftests/net/fib_tests.sh b/tools/testing/selftests/net/fib_tests.sh
+index 2271a8727f62..11c89148b19f 100755
+--- a/tools/testing/selftests/net/fib_tests.sh
++++ b/tools/testing/selftests/net/fib_tests.sh
+@@ -1711,13 +1711,19 @@ ipv4_del_addr_test()
+
+ $IP addr add dev dummy1 172.16.104.1/24
+ $IP addr add dev dummy1 172.16.104.11/24
++ $IP addr add dev dummy1 172.16.104.12/24
+ $IP addr add dev dummy2 172.16.104.1/24
+ $IP addr add dev dummy2 172.16.104.11/24
++ $IP addr add dev dummy2 172.16.104.12/24
+ $IP route add 172.16.105.0/24 via 172.16.104.2 src 172.16.104.11
++ $IP route add 172.16.106.0/24 dev lo src 172.16.104.12
+ $IP route add vrf red 172.16.105.0/24 via 172.16.104.2 src 172.16.104.11
++ $IP route add vrf red 172.16.106.0/24 dev lo src 172.16.104.12
+ set +e
+
+ # removing address from device in vrf should only remove route from vrf table
++ echo " Regular FIB info"
++
+ $IP addr del dev dummy2 172.16.104.11/24
+ $IP ro ls vrf red | grep -q 172.16.105.0/24
+ log_test $? 1 "Route removed from VRF when source address deleted"
+@@ -1735,6 +1741,27 @@ ipv4_del_addr_test()
+ $IP ro ls vrf red | grep -q 172.16.105.0/24
+ log_test $? 0 "Route in VRF is not removed by address delete"
+
++ # removing address from device in vrf should only remove route from vrf
++ # table even when the associated fib info only differs in table ID
++ echo " Identical FIB info with different table ID"
++
++ $IP addr del dev dummy2 172.16.104.12/24
++ $IP ro ls vrf red | grep -q 172.16.106.0/24
++ log_test $? 1 "Route removed from VRF when source address deleted"
++
++ $IP ro ls | grep -q 172.16.106.0/24
++ log_test $? 0 "Route in default VRF not removed"
++
++ $IP addr add dev dummy2 172.16.104.12/24
++ $IP route add vrf red 172.16.106.0/24 dev lo src 172.16.104.12
++
++ $IP addr del dev dummy1 172.16.104.12/24
++ $IP ro ls | grep -q 172.16.106.0/24
++ log_test $? 1 "Route removed in default VRF when source address deleted"
++
++ $IP ro ls vrf red | grep -q 172.16.106.0/24
++ log_test $? 0 "Route in VRF is not removed by address delete"
++
+ $IP li del dummy1
+ $IP li del dummy2
+ cleanup
+--
+2.35.1
+
diff --git a/queue-6.0/ipv4-fix-incorrect-route-flushing-when-table-id-0-is.patch b/queue-6.0/ipv4-fix-incorrect-route-flushing-when-table-id-0-is.patch
new file mode 100644
index 00000000000..af30223d282
--- /dev/null
+++ b/queue-6.0/ipv4-fix-incorrect-route-flushing-when-table-id-0-is.patch
@@ -0,0 +1,140 @@
+From 26c24e7639ac31a2afa351e2a208b4e501469648 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 4 Dec 2022 09:50:45 +0200
+Subject: ipv4: Fix incorrect route flushing when table ID 0 is used
+
+From: Ido Schimmel
+
+[ Upstream commit c0d999348e01df03e0a7f550351f3907fabbf611 ]
+
+Cited commit added the table ID to the FIB info structure, but did not
+properly initialize it when table ID 0 is used. This can lead to a route
+in the default VRF with a preferred source address not being flushed
+when the address is deleted.
+
+Consider the following example:
+
+ # ip address add dev dummy1 192.0.2.1/28
+ # ip address add dev dummy1 192.0.2.17/28
+ # ip route add 198.51.100.0/24 via 192.0.2.2 src 192.0.2.17 metric 100
+ # ip route add table 0 198.51.100.0/24 via 192.0.2.2 src 192.0.2.17 metric 200
+ # ip route show 198.51.100.0/24
+ 198.51.100.0/24 via 192.0.2.2 dev dummy1 src 192.0.2.17 metric 100
+ 198.51.100.0/24 via 192.0.2.2 dev dummy1 src 192.0.2.17 metric 200
+
+Both routes are installed in the default VRF, but they are using two
+different FIB info structures. One with a metric of 100 and table ID of
+254 (main) and one with a metric of 200 and table ID of 0. Therefore,
+when the preferred source address is deleted from the default VRF,
+the second route is not flushed:
+
+ # ip address del dev dummy1 192.0.2.17/28
+ # ip route show 198.51.100.0/24
+ 198.51.100.0/24 via 192.0.2.2 dev dummy1 src 192.0.2.17 metric 200
+
+Fix by storing a table ID of 254 instead of 0 in the route configuration
+structure.
+
+Add a test case that fails before the fix:
+
+ # ./fib_tests.sh -t ipv4_del_addr
+
+ IPv4 delete address route tests
+ Regular FIB info
+ TEST: Route removed from VRF when source address deleted [ OK ]
+ TEST: Route in default VRF not removed [ OK ]
+ TEST: Route removed in default VRF when source address deleted [ OK ]
+ TEST: Route in VRF is not removed by address delete [ OK ]
+ Identical FIB info with different table ID
+ TEST: Route removed from VRF when source address deleted [ OK ]
+ TEST: Route in default VRF not removed [ OK ]
+ TEST: Route removed in default VRF when source address deleted [ OK ]
+ TEST: Route in VRF is not removed by address delete [ OK ]
+ Table ID 0
+ TEST: Route removed in default VRF when source address deleted [FAIL]
+
+ Tests passed: 8
+ Tests failed: 1
+
+And passes after:
+
+ # ./fib_tests.sh -t ipv4_del_addr
+
+ IPv4 delete address route tests
+ Regular FIB info
+ TEST: Route removed from VRF when source address deleted [ OK ]
+ TEST: Route in default VRF not removed [ OK ]
+ TEST: Route removed in default VRF when source address deleted [ OK ]
+ TEST: Route in VRF is not removed by address delete [ OK ]
+ Identical FIB info with different table ID
+ TEST: Route removed from VRF when source address deleted [ OK ]
+ TEST: Route in default VRF not removed [ OK ]
+ TEST: Route removed in default VRF when source address deleted [ OK ]
+ TEST: Route in VRF is not removed by address delete [ OK ]
+ Table ID 0
+ TEST: Route removed in default VRF when source address deleted [ OK ]
+
+ Tests passed: 9
+ Tests failed: 0
+
+Fixes: 5a56a0b3a45d ("net: Don't delete routes in different VRFs")
+Reported-by: Donald Sharp
+Signed-off-by: Ido Schimmel
+Reviewed-by: David Ahern
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/fib_frontend.c | 3 +++
+ tools/testing/selftests/net/fib_tests.sh | 10 ++++++++++
+ 2 files changed, 13 insertions(+)
+
+diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
+index 943edf4ad4db..3528e8befa58 100644
+--- a/net/ipv4/fib_frontend.c
++++ b/net/ipv4/fib_frontend.c
+@@ -841,6 +841,9 @@ static int rtm_to_fib_config(struct net *net, struct sk_buff *skb,
+ return -EINVAL;
+ }
+
++ if (!cfg->fc_table)
++ cfg->fc_table = RT_TABLE_MAIN;
++
+ return 0;
+ errout:
+ return err;
+diff --git a/tools/testing/selftests/net/fib_tests.sh b/tools/testing/selftests/net/fib_tests.sh
+index 11c89148b19f..5637b5dadabd 100755
+--- a/tools/testing/selftests/net/fib_tests.sh
++++ b/tools/testing/selftests/net/fib_tests.sh
+@@ -1712,11 +1712,13 @@ ipv4_del_addr_test()
+ $IP addr add dev dummy1 172.16.104.1/24
+ $IP addr add dev dummy1 172.16.104.11/24
+ $IP addr add dev dummy1 172.16.104.12/24
++ $IP addr add dev dummy1 172.16.104.13/24
+ $IP addr add dev dummy2 172.16.104.1/24
+ $IP addr add dev dummy2 172.16.104.11/24
+ $IP addr add dev dummy2 172.16.104.12/24
+ $IP route add 172.16.105.0/24 via 172.16.104.2 src 172.16.104.11
+ $IP route add 172.16.106.0/24 dev lo src 172.16.104.12
++ $IP route add table 0 172.16.107.0/24 via 172.16.104.2 src 172.16.104.13
+ $IP route add vrf red 172.16.105.0/24 via 172.16.104.2 src 172.16.104.11
+ $IP route add vrf red 172.16.106.0/24 dev lo src 172.16.104.12
+ set +e
+@@ -1762,6 +1764,14 @@ ipv4_del_addr_test()
+ $IP ro ls vrf red | grep -q 172.16.106.0/24
+ log_test $? 0 "Route in VRF is not removed by address delete"
+
++ # removing address from device in default vrf should remove route from
++ # the default vrf even when route was inserted with a table ID of 0.
++ echo " Table ID 0"
++
++ $IP addr del dev dummy1 172.16.104.13/24
++ $IP ro ls | grep -q 172.16.107.0/24
++ log_test $? 1 "Route removed in default VRF when source address deleted"
++
+ $IP li del dummy1
+ $IP li del dummy2
+ cleanup
+--
+2.35.1
+
diff --git a/queue-6.0/ipv6-avoid-use-after-free-in-ip6_fragment.patch b/queue-6.0/ipv6-avoid-use-after-free-in-ip6_fragment.patch
new file mode 100644
index 00000000000..2a7e0848661
--- /dev/null
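Review bot: The `if (!cfg->fc_table)` normalisation added to rtm_to_fib_config() has no comment, so the reason table ID 0 is rewritten lives only in the commit message. Something like `/* Table 0 means the main table; store RT_TABLE_MAIN so fib_info table IDs compare equal */` above it would carry that over. The assignment also sits immediately before `return 0`, so any earlier statement in the function that reads `cfg->fc_table` still sees 0; the function body starts outside the hunk, so this should be checked there.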
+++ b/queue-6.0/ipv6-avoid-use-after-free-in-ip6_fragment.patch 
@@ -0,0 +1,289 @@
+From 46ca68797b8e885704841f85952d8e96265cbfeb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 6 Dec 2022 10:13:51 +0000
+Subject: ipv6: avoid use-after-free in ip6_fragment()
+
+From: Eric Dumazet
+
+[ Upstream commit 803e84867de59a1e5d126666d25eb4860cfd2ebe ]
+
+Blamed commit claimed rcu_read_lock() was held by ip6_fragment() callers.
+
+It seems to not be always true, at least for UDP stack.
+
+syzbot reported:
+
+BUG: KASAN: use-after-free in ip6_dst_idev include/net/ip6_fib.h:245 [inline]
+BUG: KASAN: use-after-free in ip6_fragment+0x2724/0x2770 net/ipv6/ip6_output.c:951
+Read of size 8 at addr ffff88801d403e80 by task syz-executor.3/7618
+
+CPU: 1 PID: 7618 Comm: syz-executor.3 Not tainted 6.1.0-rc6-syzkaller-00012-g4312098baf37 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
+Call Trace:
+
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106
+ print_address_description mm/kasan/report.c:284 [inline]
+ print_report+0x15e/0x45d mm/kasan/report.c:395
+ kasan_report+0xbf/0x1f0 mm/kasan/report.c:495
+ ip6_dst_idev include/net/ip6_fib.h:245 [inline]
+ ip6_fragment+0x2724/0x2770 net/ipv6/ip6_output.c:951
+ __ip6_finish_output net/ipv6/ip6_output.c:193 [inline]
+ ip6_finish_output+0x9a3/0x1170 net/ipv6/ip6_output.c:206
+ NF_HOOK_COND include/linux/netfilter.h:291 [inline]
+ ip6_output+0x1f1/0x540 net/ipv6/ip6_output.c:227
+ dst_output include/net/dst.h:445 [inline]
+ ip6_local_out+0xb3/0x1a0 net/ipv6/output_core.c:161
+ ip6_send_skb+0xbb/0x340 net/ipv6/ip6_output.c:1966
+ udp_v6_send_skb+0x82a/0x18a0 net/ipv6/udp.c:1286
+ udp_v6_push_pending_frames+0x140/0x200 net/ipv6/udp.c:1313
+ udpv6_sendmsg+0x18da/0x2c80 net/ipv6/udp.c:1606
+ inet6_sendmsg+0x9d/0xe0 net/ipv6/af_inet6.c:665
+ sock_sendmsg_nosec net/socket.c:714 [inline]
+ sock_sendmsg+0xd3/0x120 net/socket.c:734
+ sock_write_iter+0x295/0x3d0 net/socket.c:1108
+ call_write_iter include/linux/fs.h:2191 [inline]
+ new_sync_write fs/read_write.c:491 [inline]
+ vfs_write+0x9ed/0xdd0 fs/read_write.c:584
+ ksys_write+0x1ec/0x250 fs/read_write.c:637
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+RIP: 0033:0x7fde3588c0d9
+Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007fde365b6168 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
+RAX: ffffffffffffffda RBX: 00007fde359ac050 RCX: 00007fde3588c0d9
+RDX: 000000000000ffdc RSI: 00000000200000c0 RDI: 000000000000000a
+RBP: 00007fde358e7ae9 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+R13: 00007fde35acfb1f R14: 00007fde365b6300 R15: 0000000000022000
+
+
+Allocated by task 7618:
+ kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
+ kasan_set_track+0x25/0x30 mm/kasan/common.c:52
+ __kasan_slab_alloc+0x82/0x90 mm/kasan/common.c:325
+ kasan_slab_alloc include/linux/kasan.h:201 [inline]
+ slab_post_alloc_hook mm/slab.h:737 [inline]
+ slab_alloc_node mm/slub.c:3398 [inline]
+ slab_alloc mm/slub.c:3406 [inline]
+ __kmem_cache_alloc_lru mm/slub.c:3413 [inline]
+ kmem_cache_alloc+0x2b4/0x3d0 mm/slub.c:3422
+ dst_alloc+0x14a/0x1f0 net/core/dst.c:92
+ ip6_dst_alloc+0x32/0xa0 net/ipv6/route.c:344
+ ip6_rt_pcpu_alloc net/ipv6/route.c:1369 [inline]
+ rt6_make_pcpu_route net/ipv6/route.c:1417 [inline]
+ ip6_pol_route+0x901/0x1190 net/ipv6/route.c:2254
+ pol_lookup_func include/net/ip6_fib.h:582 [inline]
+ fib6_rule_lookup+0x52e/0x6f0 net/ipv6/fib6_rules.c:121
+ ip6_route_output_flags_noref+0x2e6/0x380 net/ipv6/route.c:2625
+ ip6_route_output_flags+0x76/0x320 net/ipv6/route.c:2638
+ ip6_route_output include/net/ip6_route.h:98 [inline]
+ ip6_dst_lookup_tail+0x5ab/0x1620 net/ipv6/ip6_output.c:1092
+ ip6_dst_lookup_flow+0x90/0x1d0 net/ipv6/ip6_output.c:1222
+ ip6_sk_dst_lookup_flow+0x553/0x980 net/ipv6/ip6_output.c:1260
+ udpv6_sendmsg+0x151d/0x2c80 net/ipv6/udp.c:1554
+ inet6_sendmsg+0x9d/0xe0 net/ipv6/af_inet6.c:665
+ sock_sendmsg_nosec net/socket.c:714 [inline]
+ sock_sendmsg+0xd3/0x120 net/socket.c:734
+ __sys_sendto+0x23a/0x340 net/socket.c:2117
+ __do_sys_sendto net/socket.c:2129 [inline]
+ __se_sys_sendto net/socket.c:2125 [inline]
+ __x64_sys_sendto+0xe1/0x1b0 net/socket.c:2125
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Freed by task 7599:
+ kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
+ kasan_set_track+0x25/0x30 mm/kasan/common.c:52
+ kasan_save_free_info+0x2e/0x40 mm/kasan/generic.c:511
+ ____kasan_slab_free mm/kasan/common.c:236 [inline]
+ ____kasan_slab_free+0x160/0x1c0 mm/kasan/common.c:200
+ kasan_slab_free include/linux/kasan.h:177 [inline]
+ slab_free_hook mm/slub.c:1724 [inline]
+ slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1750
+ slab_free mm/slub.c:3661 [inline]
+ kmem_cache_free+0xee/0x5c0 mm/slub.c:3683
+ dst_destroy+0x2ea/0x400 net/core/dst.c:127
+ rcu_do_batch kernel/rcu/tree.c:2250 [inline]
+ rcu_core+0x81f/0x1980 kernel/rcu/tree.c:2510
+ __do_softirq+0x1fb/0xadc kernel/softirq.c:571
+
+Last potentially related work creation:
+ kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
+ __kasan_record_aux_stack+0xbc/0xd0 mm/kasan/generic.c:481
+ call_rcu+0x9d/0x820 kernel/rcu/tree.c:2798
+ dst_release net/core/dst.c:177 [inline]
+ dst_release+0x7d/0xe0 net/core/dst.c:167
+ refdst_drop include/net/dst.h:256 [inline]
+ skb_dst_drop include/net/dst.h:268 [inline]
+ skb_release_head_state+0x250/0x2a0 net/core/skbuff.c:838
+ skb_release_all net/core/skbuff.c:852 [inline]
+ __kfree_skb net/core/skbuff.c:868 [inline]
+ kfree_skb_reason+0x151/0x4b0 net/core/skbuff.c:891
+ kfree_skb_list_reason+0x4b/0x70 net/core/skbuff.c:901
+ kfree_skb_list include/linux/skbuff.h:1227 [inline]
+ ip6_fragment+0x2026/0x2770 net/ipv6/ip6_output.c:949
+ __ip6_finish_output net/ipv6/ip6_output.c:193 [inline]
+ ip6_finish_output+0x9a3/0x1170 net/ipv6/ip6_output.c:206
+ NF_HOOK_COND include/linux/netfilter.h:291 [inline]
+ ip6_output+0x1f1/0x540 net/ipv6/ip6_output.c:227
+ dst_output include/net/dst.h:445 [inline]
+ ip6_local_out+0xb3/0x1a0 net/ipv6/output_core.c:161
+ ip6_send_skb+0xbb/0x340 net/ipv6/ip6_output.c:1966
+ udp_v6_send_skb+0x82a/0x18a0 net/ipv6/udp.c:1286
+ udp_v6_push_pending_frames+0x140/0x200 net/ipv6/udp.c:1313
+ udpv6_sendmsg+0x18da/0x2c80 net/ipv6/udp.c:1606
+ inet6_sendmsg+0x9d/0xe0 net/ipv6/af_inet6.c:665
+ sock_sendmsg_nosec net/socket.c:714 [inline]
+ sock_sendmsg+0xd3/0x120 net/socket.c:734
+ sock_write_iter+0x295/0x3d0 net/socket.c:1108
+ call_write_iter include/linux/fs.h:2191 [inline]
+ new_sync_write fs/read_write.c:491 [inline]
+ vfs_write+0x9ed/0xdd0 fs/read_write.c:584
+ ksys_write+0x1ec/0x250 fs/read_write.c:637
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Second to last potentially related work creation:
+ kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
+ __kasan_record_aux_stack+0xbc/0xd0 mm/kasan/generic.c:481
+ call_rcu+0x9d/0x820 kernel/rcu/tree.c:2798
+ dst_release net/core/dst.c:177 [inline]
+ dst_release+0x7d/0xe0 net/core/dst.c:167
+ refdst_drop include/net/dst.h:256 [inline]
+ skb_dst_drop include/net/dst.h:268 [inline]
+ __dev_queue_xmit+0x1b9d/0x3ba0 net/core/dev.c:4211
+ dev_queue_xmit include/linux/netdevice.h:3008 [inline]
+ neigh_resolve_output net/core/neighbour.c:1552 [inline]
+ neigh_resolve_output+0x51b/0x840 net/core/neighbour.c:1532
+ neigh_output include/net/neighbour.h:546 [inline]
+ ip6_finish_output2+0x56c/0x1530 net/ipv6/ip6_output.c:134
+ __ip6_finish_output net/ipv6/ip6_output.c:195 [inline]
+ ip6_finish_output+0x694/0x1170 net/ipv6/ip6_output.c:206
+ NF_HOOK_COND include/linux/netfilter.h:291 [inline]
+ ip6_output+0x1f1/0x540 net/ipv6/ip6_output.c:227
+ dst_output include/net/dst.h:445 [inline]
+ NF_HOOK include/linux/netfilter.h:302 [inline]
+ NF_HOOK include/linux/netfilter.h:296 [inline]
+ mld_sendpack+0xa09/0xe70 net/ipv6/mcast.c:1820
+ mld_send_cr net/ipv6/mcast.c:2121 [inline]
+ mld_ifc_work+0x720/0xdc0 net/ipv6/mcast.c:2653
+ process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289
+ worker_thread+0x669/0x1090 kernel/workqueue.c:2436
+ kthread+0x2e8/0x3a0 kernel/kthread.c:376
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
+
+The buggy address belongs to the object at ffff88801d403dc0
+ which belongs to the cache ip6_dst_cache of size 240
+The buggy address is located 192 bytes inside of
+ 240-byte region [ffff88801d403dc0, ffff88801d403eb0)
+
+The buggy address belongs to the physical page:
+page:ffffea00007500c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1d403
+memcg:ffff888022f49c81
+flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
+raw: 00fff00000000200 ffffea0001ef6580 dead000000000002 ffff88814addf640
+raw: 0000000000000000 00000000800c000c 00000001ffffffff ffff888022f49c81
+page dumped because: kasan: bad access detected
+page_owner tracks the page as allocated
+page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_HARDWALL), pid 3719, tgid 3719 (kworker/0:6), ts 136223432244, free_ts 136222971441
+ prep_new_page mm/page_alloc.c:2539 [inline]
+ get_page_from_freelist+0x10b5/0x2d50 mm/page_alloc.c:4288
+ __alloc_pages+0x1cb/0x5b0 mm/page_alloc.c:5555
+ alloc_pages+0x1aa/0x270 mm/mempolicy.c:2285
+ alloc_slab_page mm/slub.c:1794 [inline]
+ allocate_slab+0x213/0x300 mm/slub.c:1939
+ new_slab mm/slub.c:1992 [inline]
+ ___slab_alloc+0xa91/0x1400 mm/slub.c:3180
+ __slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3279
+ slab_alloc_node mm/slub.c:3364 [inline]
+ slab_alloc mm/slub.c:3406 [inline]
+ __kmem_cache_alloc_lru mm/slub.c:3413 [inline]
+ kmem_cache_alloc+0x31a/0x3d0 mm/slub.c:3422
+ dst_alloc+0x14a/0x1f0 net/core/dst.c:92
+ ip6_dst_alloc+0x32/0xa0 net/ipv6/route.c:344
+ icmp6_dst_alloc+0x71/0x680 net/ipv6/route.c:3261
+ mld_sendpack+0x5de/0xe70 net/ipv6/mcast.c:1809
+ mld_send_cr net/ipv6/mcast.c:2121 [inline]
+ mld_ifc_work+0x720/0xdc0 net/ipv6/mcast.c:2653
+ process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289
+ worker_thread+0x669/0x1090 kernel/workqueue.c:2436
+ kthread+0x2e8/0x3a0 kernel/kthread.c:376
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
+page last free stack trace:
+ reset_page_owner include/linux/page_owner.h:24 [inline]
+ free_pages_prepare mm/page_alloc.c:1459 [inline]
+ free_pcp_prepare+0x65c/0xd90 mm/page_alloc.c:1509
+ free_unref_page_prepare mm/page_alloc.c:3387 [inline]
+ free_unref_page+0x1d/0x4d0 mm/page_alloc.c:3483
+ __unfreeze_partials+0x17c/0x1a0 mm/slub.c:2586
+ qlink_free mm/kasan/quarantine.c:168 [inline]
+ qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:187
+ kasan_quarantine_reduce+0x184/0x210 mm/kasan/quarantine.c:294
+ __kasan_slab_alloc+0x66/0x90 mm/kasan/common.c:302
+ kasan_slab_alloc include/linux/kasan.h:201 [inline]
+ slab_post_alloc_hook mm/slab.h:737 [inline]
+ slab_alloc_node mm/slub.c:3398 [inline]
+ kmem_cache_alloc_node+0x304/0x410 mm/slub.c:3443
+ __alloc_skb+0x214/0x300 net/core/skbuff.c:497
+ alloc_skb include/linux/skbuff.h:1267 [inline]
+ netlink_alloc_large_skb net/netlink/af_netlink.c:1191 [inline]
+ netlink_sendmsg+0x9a6/0xe10 net/netlink/af_netlink.c:1896
+ sock_sendmsg_nosec net/socket.c:714 [inline]
+ sock_sendmsg+0xd3/0x120 net/socket.c:734
+ __sys_sendto+0x23a/0x340 net/socket.c:2117
+ __do_sys_sendto net/socket.c:2129 [inline]
+ __se_sys_sendto net/socket.c:2125 [inline]
+ __x64_sys_sendto+0xe1/0x1b0 net/socket.c:2125
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Fixes: 1758fd4688eb ("ipv6: remove unnecessary dst_hold() in ip6_fragment()")
+Reported-by: syzbot+8c0ac31aa9681abb9e2d@syzkaller.appspotmail.com
+Signed-off-by: Eric Dumazet
+Cc: Wei Wang
+Cc: Martin KaFai Lau
+Link: https://lore.kernel.org/r/20221206101351.2037285-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/ipv6/ip6_output.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
+index f152e51242cb..4fb5dd35af18 100644
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -920,6 +920,9 @@ int ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb,
+ if (err < 0)
+ goto fail;
+
++ /* We prevent @rt from being freed. */
++ rcu_read_lock();
++
+ for (;;) {
+ /* Prepare header of the next frame,
+ * before previous one went down. */
+@@ -943,6 +946,7 @@ int ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb,
+ if (err == 0) {
+ IP6_INC_STATS(net, ip6_dst_idev(&rt->dst),
+ IPSTATS_MIB_FRAGOKS);
++ rcu_read_unlock();
+ return 0;
+ }
+
+@@ -950,6 +954,7 @@ int ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb,
+
+ IP6_INC_STATS(net, ip6_dst_idev(&rt->dst),
+ IPSTATS_MIB_FRAGFAILS);
++ rcu_read_unlock();
+ return err;
+
+ slow_path_clean:
+--
+2.35.1
+
diff --git a/queue-6.0/mac802154-fix-missing-init_list_head-in-ieee802154_i.patch b/queue-6.0/mac802154-fix-missing-init_list_head-in-ieee802154_i.patch
new file mode 100644
index 00000000000..54e4b890df3
--- /dev/null
+++ b/queue-6.0/mac802154-fix-missing-init_list_head-in-ieee802154_i.patch
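Review bot: The comment `/* We prevent @rt from being freed. */` above the new rcu_read_lock() in ip6_fragment() does not say what would free it, which is the part a later editor needs. Going by the KASAN report in the commit message, the dst reference is dropped when the fragment skbs are freed (kfree_skb_list at ip6_output.c:949) and the object is destroyed from an RCU callback, while `ip6_dst_idev(&rt->dst)` is still read for the statistics afterwards; a comment such as `/* Sending or freeing the skbs may drop the last dst reference; stay in an RCU read section so rt is still valid for the stats update below. */` states that. The unlock is added on the two returns visible here; the loop body lies between the hunks, so any other exit from this fast path needs the same `rcu_read_unlock()`.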
@@ -0,0 +1,56 @@ +From 9806b8d0a7839f439a705e9c45d39b7fde0c3f52 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Nov 2022 09:17:05 +0000 +Subject: mac802154: fix missing INIT_LIST_HEAD in ieee802154_if_add() + +From: Wei Yongjun + +[ Upstream commit b3d72d3135d2ef68296c1ee174436efd65386f04 ] + +Kernel fault injection test reports null-ptr-deref as follows: + +BUG: kernel NULL pointer dereference, address: 0000000000000008 +RIP: 0010:cfg802154_netdev_notifier_call+0x120/0x310 include/linux/list.h:114 +Call Trace: + + raw_notifier_call_chain+0x6d/0xa0 kernel/notifier.c:87 + call_netdevice_notifiers_info+0x6e/0xc0 net/core/dev.c:1944 + unregister_netdevice_many_notify+0x60d/0xcb0 net/core/dev.c:1982 + unregister_netdevice_queue+0x154/0x1a0 net/core/dev.c:10879 + register_netdevice+0x9a8/0xb90 net/core/dev.c:10083 + ieee802154_if_add+0x6ed/0x7e0 net/mac802154/iface.c:659 + ieee802154_register_hw+0x29c/0x330 net/mac802154/main.c:229 + mcr20a_probe+0xaaa/0xcb1 drivers/net/ieee802154/mcr20a.c:1316 + +ieee802154_if_add() allocates wpan_dev as netdev's private data, but not +init the list in struct wpan_dev. cfg802154_netdev_notifier_call() manage +the list when device register/unregister, and may lead to null-ptr-deref. + +Use INIT_LIST_HEAD() on it to initialize it correctly. 
+ +Fixes: fcf39e6e88e9 ("ieee802154: add wpan_dev_list") +Signed-off-by: Wei Yongjun +Acked-by: Alexander Aring + +Link: https://lore.kernel.org/r/20221130091705.1831140-1-weiyongjun@huaweicloud.com +Signed-off-by: Stefan Schmidt +Signed-off-by: Sasha Levin +--- + net/mac802154/iface.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/mac802154/iface.c b/net/mac802154/iface.c +index 500ed1b81250..7e2065e72915 100644 +--- a/net/mac802154/iface.c ++++ b/net/mac802154/iface.c +@@ -662,6 +662,7 @@ ieee802154_if_add(struct ieee802154_local *local, const char *name, + sdata->dev = ndev; + sdata->wpan_dev.wpan_phy = local->hw.phy; + sdata->local = local; ++ INIT_LIST_HEAD(&sdata->wpan_dev.list); + + /* setup type-dependent data */ + ret = ieee802154_setup_sdata(sdata, type); +-- +2.35.1 + diff --git a/queue-6.0/macsec-add-missing-attribute-validation-for-offload.patch b/queue-6.0/macsec-add-missing-attribute-validation-for-offload.patch new file mode 100644 index 00000000000..9fdc5f6a0f4 --- /dev/null +++ b/queue-6.0/macsec-add-missing-attribute-validation-for-offload.patch 
@@ -0,0 +1,38 @@ +From 46fb3a09d7ef8c84ae879f004fbc3bc198d66f83 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Dec 2022 12:16:18 +0200 +Subject: macsec: add missing attribute validation for offload + +From: Emeel Hakim + +[ Upstream commit 38099024e51ee37dee5f0f577ca37175c932e3f7 ] + +Add missing attribute validation for IFLA_MACSEC_OFFLOAD +to the netlink policy. + +Fixes: 791bb3fcafce ("net: macsec: add support for specifying offload upon link creation") +Signed-off-by: Emeel Hakim +Reviewed-by: Jiri Pirko +Reviewed-by: Sabrina Dubroca +Link: https://lore.kernel.org/r/20221207101618.989-1-ehakim@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/macsec.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c +index 104fc564a766..8dafc814282c 100644 +--- a/drivers/net/macsec.c ++++ b/drivers/net/macsec.c +@@ -3720,6 +3720,7 @@ static const struct nla_policy macsec_rtnl_policy[IFLA_MACSEC_MAX + 1] = { + [IFLA_MACSEC_SCB] = { .type = NLA_U8 }, + [IFLA_MACSEC_REPLAY_PROTECT] = { .type = NLA_U8 }, + [IFLA_MACSEC_VALIDATION] = { .type = NLA_U8 }, ++ [IFLA_MACSEC_OFFLOAD] = { .type = NLA_U8 }, + }; + + static void macsec_free_netdev(struct net_device *dev) +-- +2.35.1 + diff --git a/queue-6.0/net-broadcom-add-ptp_1588_clock_optional-dependency-.patch b/queue-6.0/net-broadcom-add-ptp_1588_clock_optional-dependency-.patch new file mode 100644 index 00000000000..4cb2b6aa068 --- /dev/null +++ b/queue-6.0/net-broadcom-add-ptp_1588_clock_optional-dependency-.patch 
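Review bot: The new `[IFLA_MACSEC_OFFLOAD]` entry in `macsec_rtnl_policy` fixes only the attribute's type and length, so any u8 value still passes policy validation. If the value is not range-checked elsewhere before it is used (that code is outside this hunk), the bound can be stated in the policy itself, e.g. `[IFLA_MACSEC_OFFLOAD] = NLA_POLICY_MAX(NLA_U8, MACSEC_OFFLOAD_MAX),`. The array's earlier entries lie outside the hunk, so check whether the neighbouring u8 attributes are bounded the same way before changing only this one.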
@@ -0,0 +1,54 @@ +From 02404bebc6973e1b3cc25f6919fede0008e3194d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Nov 2022 19:50:03 +0800 +Subject: net: broadcom: Add PTP_1588_CLOCK_OPTIONAL dependency for BCMGENET + under ARCH_BCM2835 + +From: YueHaibing + +[ Upstream commit 421f8663b3a775c32f724f793264097c60028f2e ] + +commit 8d820bc9d12b ("net: broadcom: Fix BCMGENET Kconfig") fixes the build +that contain 99addbe31f55 ("net: broadcom: Select BROADCOM_PHY for BCMGENET") +and enable BCMGENET=y but PTP_1588_CLOCK_OPTIONAL=m, which otherwise +leads to a link failure. However this may trigger a runtime failure. + +Fix the original issue by propagating the PTP_1588_CLOCK_OPTIONAL dependency +of BROADCOM_PHY down to BCMGENET. + +Fixes: 8d820bc9d12b ("net: broadcom: Fix BCMGENET Kconfig") +Fixes: 99addbe31f55 ("net: broadcom: Select BROADCOM_PHY for BCMGENET") +Reported-by: Naresh Kamboju +Suggested-by: Arnd Bergmann +Signed-off-by: YueHaibing +Acked-by: Arnd Bergmann +Link: https://lore.kernel.org/r/20221125115003.30308-1-yuehaibing@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/Kconfig | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/broadcom/Kconfig b/drivers/net/ethernet/broadcom/Kconfig +index 1cd3c289f49b..cd1706909044 100644 +--- a/drivers/net/ethernet/broadcom/Kconfig ++++ b/drivers/net/ethernet/broadcom/Kconfig +@@ -71,13 +71,14 @@ config BCM63XX_ENET + config BCMGENET + tristate "Broadcom GENET internal MAC support" + depends on HAS_IOMEM ++ depends on PTP_1588_CLOCK_OPTIONAL || !ARCH_BCM2835 + select MII + select PHYLIB + select FIXED_PHY + select BCM7XXX_PHY + select MDIO_BCM_UNIMAC + select DIMLIB +- select BROADCOM_PHY if (ARCH_BCM2835 && PTP_1588_CLOCK_OPTIONAL) ++ select BROADCOM_PHY if ARCH_BCM2835 + help + This driver supports the built-in Ethernet MACs found in the + Broadcom BCM7xxx Set Top Box family chipset. +-- +2.35.1 + 
diff --git a/queue-6.0/net-dsa-hellcreek-check-return-value.patch b/queue-6.0/net-dsa-hellcreek-check-return-value.patch new file mode 100644 index 00000000000..a985cf69607 --- /dev/null +++ b/queue-6.0/net-dsa-hellcreek-check-return-value.patch @@ -0,0 +1,40 @@ +From a96be8733105b177b0ae5cb3349e60b67e61c431 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Dec 2022 17:00:31 +0300 +Subject: net: dsa: hellcreek: Check return value + +From: Artem Chernyshev + +[ Upstream commit d4edb50688652eb10be270bc515da63815de428f ] + +Return NULL if we got unexpected value from skb_trim_rcsum() +in hellcreek_rcv() + +Fixes: 01ef09caad66 ("net: dsa: Add tag handling for Hirschmann Hellcreek switches") +Signed-off-by: Artem Chernyshev +Reviewed-by: Florian Fainelli +Reviewed-by: Kurt Kanzenbach +Link: https://lore.kernel.org/r/20221201140032.26746-2-artem.chernyshev@red-soft.ru +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/dsa/tag_hellcreek.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/dsa/tag_hellcreek.c b/net/dsa/tag_hellcreek.c +index 846588c0070a..53a206d11685 100644 +--- a/net/dsa/tag_hellcreek.c ++++ b/net/dsa/tag_hellcreek.c +@@ -49,7 +49,8 @@ static struct sk_buff *hellcreek_rcv(struct sk_buff *skb, + return NULL; + } + +- pskb_trim_rcsum(skb, skb->len - HELLCREEK_TAG_LEN); ++ if (pskb_trim_rcsum(skb, skb->len - HELLCREEK_TAG_LEN)) ++ return NULL; + + dsa_default_offload_fwd_mark(skb); + +-- +2.35.1 + diff --git a/queue-6.0/net-dsa-ksz-check-return-value.patch b/queue-6.0/net-dsa-ksz-check-return-value.patch new file mode 100644 index 00000000000..e667d9b8059 --- /dev/null +++ b/queue-6.0/net-dsa-ksz-check-return-value.patch 
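Review bot: The added `return NULL` in `hellcreek_rcv()` discards the error from `pskb_trim_rcsum()` without saying why a trim can fail or who frees the skb afterwards. A short comment would help, for example `/* trim may need to reallocate and can fail; drop the frame, the caller frees it on NULL */`. The caller is outside the hunk, so confirm that ownership statement before writing it down. The same applies to the identical checks added in `ksz_common_rcv()` (net/dsa/tag_ksz.c) and `sja1110_rcv_inband_control_extension()` (net/dsa/tag_sja1105.c). All three commit messages name `skb_trim_rcsum()` while the code calls `pskb_trim_rcsum()`.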
@@ -0,0 +1,42 @@ +From 4b25e5cdcf8742b8428590faec161434de2b5fd8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Dec 2022 17:00:30 +0300 +Subject: net: dsa: ksz: Check return value + +From: Artem Chernyshev + +[ Upstream commit 3d8fdcbf1f42e2bb9ae8b8c0b6f202278c788a22 ] + +Return NULL if we got unexpected value from skb_trim_rcsum() +in ksz_common_rcv() + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: bafe9ba7d908 ("net: dsa: ksz: Factor out common tag code") +Signed-off-by: Artem Chernyshev +Reviewed-by: Vladimir Oltean +Reviewed-by: Florian Fainelli +Link: https://lore.kernel.org/r/20221201140032.26746-1-artem.chernyshev@red-soft.ru +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/dsa/tag_ksz.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/dsa/tag_ksz.c b/net/dsa/tag_ksz.c +index 38fa19c1e2d5..429250298ac4 100644 +--- a/net/dsa/tag_ksz.c ++++ b/net/dsa/tag_ksz.c +@@ -21,7 +21,8 @@ static struct sk_buff *ksz_common_rcv(struct sk_buff *skb, + if (!skb->dev) + return NULL; + +- pskb_trim_rcsum(skb, skb->len - len); ++ if (pskb_trim_rcsum(skb, skb->len - len)) ++ return NULL; + + dsa_default_offload_fwd_mark(skb); + +-- +2.35.1 + diff --git a/queue-6.0/net-dsa-mv88e6xxx-accept-phy-mode-internal-for-inter.patch b/queue-6.0/net-dsa-mv88e6xxx-accept-phy-mode-internal-for-inter.patch new file mode 100644 index 00000000000..94b2a96bf17 --- /dev/null +++ b/queue-6.0/net-dsa-mv88e6xxx-accept-phy-mode-internal-for-inter.patch 
@@ -0,0 +1,57 @@ +From 381ba920210912a9b2ab6be55bb70c0ae80ef9bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Dec 2022 21:48:45 +0200 +Subject: net: dsa: mv88e6xxx: accept phy-mode = "internal" for internal PHY + ports + +From: Vladimir Oltean + +[ Upstream commit 87a39882b5ab3127700ac4b9277608075f98eda2 ] + +The ethernet-controller dt-schema, mostly pushed forward by Linux, has +the "internal" PHY mode for denoting MAC connections to an internal PHY. + +U-Boot may provide device tree blobs where this phy-mode is specified, +so make the Linux driver accept them. + +It appears that the current behavior with phy-mode = "internal" was +introduced when mv88e6xxx started reporting supported_interfaces to +phylink. Prior to that, I don't think it would have any issues accepting +this phy-mode. + +Fixes: d4ebf12bcec4 ("net: dsa: mv88e6xxx: populate supported_interfaces and mac_capabilities") +Link: https://lore.kernel.org/linux-arm-kernel/20221205172709.kglithpbhdbsakvd@skbuf/T/ +Reported-by: Tim Harvey +Signed-off-by: Vladimir Oltean +Reviewed-by: Florian Fainelli +Tested-by: Tim Harvey # imx6q-gw904.dts +Link: https://lore.kernel.org/r/20221205194845.2131161-1-vladimir.oltean@nxp.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/mv88e6xxx/chip.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c +index 07e9a4da924c..546d90dae933 100644 +--- a/drivers/net/dsa/mv88e6xxx/chip.c ++++ b/drivers/net/dsa/mv88e6xxx/chip.c +@@ -825,10 +825,13 @@ static void mv88e6xxx_get_caps(struct dsa_switch *ds, int port, + + chip->info->ops->phylink_get_caps(chip, port, config); + +- /* Internal ports need GMII for PHYLIB */ +- if (mv88e6xxx_phy_is_internal(ds, port)) ++ if (mv88e6xxx_phy_is_internal(ds, port)) { ++ __set_bit(PHY_INTERFACE_MODE_INTERNAL, ++ config->supported_interfaces); ++ /* Internal ports with no phy-mode need GMII for PHYLIB */ + 
__set_bit(PHY_INTERFACE_MODE_GMII, + config->supported_interfaces); ++ } + } + + static void mv88e6xxx_mac_config(struct dsa_switch *ds, int port, +-- +2.35.1 + diff --git a/queue-6.0/net-dsa-sja1105-check-return-value.patch b/queue-6.0/net-dsa-sja1105-check-return-value.patch new file mode 100644 index 00000000000..ff3f719e626 --- /dev/null +++ b/queue-6.0/net-dsa-sja1105-check-return-value.patch @@ -0,0 +1,39 @@ +From 6b7ef124860ae9da5bf9083e39ce43302c7b2695 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Dec 2022 17:00:32 +0300 +Subject: net: dsa: sja1105: Check return value + +From: Artem Chernyshev + +[ Upstream commit 8948876335b1752176afdff8e704099a3ea0f6e6 ] + +Return NULL if we got unexpected value from skb_trim_rcsum() in +sja1110_rcv_inband_control_extension() + +Fixes: 4913b8ebf8a9 ("net: dsa: add support for the SJA1110 native tagging protocol") +Signed-off-by: Artem Chernyshev +Reviewed-by: Florian Fainelli +Link: https://lore.kernel.org/r/20221201140032.26746-3-artem.chernyshev@red-soft.ru +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/dsa/tag_sja1105.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/dsa/tag_sja1105.c b/net/dsa/tag_sja1105.c +index 83e4136516b0..1a85125bda6d 100644 +--- a/net/dsa/tag_sja1105.c ++++ b/net/dsa/tag_sja1105.c +@@ -665,7 +665,8 @@ static struct sk_buff *sja1110_rcv_inband_control_extension(struct sk_buff *skb, + * padding and trailer we need to account for the fact that + * skb->data points to skb_mac_header(skb) + ETH_HLEN. + */ +- pskb_trim_rcsum(skb, start_of_padding - ETH_HLEN); ++ if (pskb_trim_rcsum(skb, start_of_padding - ETH_HLEN)) ++ return NULL; + /* Trap-to-host frame, no timestamp trailer */ + } else { + *source_port = SJA1110_RX_HEADER_SRC_PORT(rx_header); +-- +2.35.1 + 
diff --git a/queue-6.0/net-dsa-sja1105-fix-memory-leak-in-sja1105_setup_dev.patch b/queue-6.0/net-dsa-sja1105-fix-memory-leak-in-sja1105_setup_dev.patch new file mode 100644 index 00000000000..311fc24e661 --- /dev/null +++ b/queue-6.0/net-dsa-sja1105-fix-memory-leak-in-sja1105_setup_dev.patch @@ -0,0 +1,39 @@ +From f7e4d1958095e0e1a23c1e6ce728abb9e0128daa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Dec 2022 09:21:32 +0800 +Subject: net: dsa: sja1105: fix memory leak in sja1105_setup_devlink_regions() + +From: Zhengchao Shao + +[ Upstream commit 78a9ea43fc1a7c06a420b132d2d47cbf4344a5df ] + +When dsa_devlink_region_create failed in sja1105_setup_devlink_regions(), +priv->regions is not released. + +Fixes: bf425b82059e ("net: dsa: sja1105: expose static config as devlink region") +Signed-off-by: Zhengchao Shao +Reviewed-by: Vladimir Oltean +Reviewed-by: Florian Fainelli +Link: https://lore.kernel.org/r/20221205012132.2110979-1-shaozhengchao@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/sja1105/sja1105_devlink.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/dsa/sja1105/sja1105_devlink.c b/drivers/net/dsa/sja1105/sja1105_devlink.c +index 10c6fea1227f..bdbbff2a7909 100644 +--- a/drivers/net/dsa/sja1105/sja1105_devlink.c ++++ b/drivers/net/dsa/sja1105/sja1105_devlink.c +@@ -95,6 +95,8 @@ static int sja1105_setup_devlink_regions(struct dsa_switch *ds) + if (IS_ERR(region)) { + while (--i >= 0) + dsa_devlink_region_destroy(priv->regions[i]); ++ ++ kfree(priv->regions); + return PTR_ERR(region); + } + +-- +2.35.1 + diff --git a/queue-6.0/net-encx24j600-add-parentheses-to-fix-precedence.patch b/queue-6.0/net-encx24j600-add-parentheses-to-fix-precedence.patch new file mode 100644 index 00000000000..0ec0c9c5252 --- /dev/null +++ b/queue-6.0/net-encx24j600-add-parentheses-to-fix-precedence.patch 
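Review bot: After the added `kfree(priv->regions);` the pointer is left dangling in `priv`, so any later teardown or retry that walks or frees `priv->regions` would touch freed memory. Whether such a path runs after a failed setup is not visible in this hunk, but clearing the pointer costs nothing: follow the free with `priv->regions = NULL;`. The allocation and the loop over the regions start outside the hunk.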
@@ -0,0 +1,50 @@ +From bed70fc0630054aeae253b5852a1aa6046ed2652 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Dec 2022 20:34:07 +0300 +Subject: net: encx24j600: Add parentheses to fix precedence + +From: Valentina Goncharenko + +[ Upstream commit 167b3f2dcc62c271f3555b33df17e361bb1fa0ee ] + +In functions regmap_encx24j600_phy_reg_read() and +regmap_encx24j600_phy_reg_write() in the conditions of the waiting +cycles for filling the variable 'ret' it is necessary to add parentheses +to prevent wrong assignment due to logical operations precedence. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: d70e53262f5c ("net: Microchip encx24j600 driver") +Signed-off-by: Valentina Goncharenko +Reviewed-by: Pavan Chebbi +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/microchip/encx24j600-regmap.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/microchip/encx24j600-regmap.c b/drivers/net/ethernet/microchip/encx24j600-regmap.c +index 81a8ccca7e5e..2e337c7a5773 100644 +--- a/drivers/net/ethernet/microchip/encx24j600-regmap.c ++++ b/drivers/net/ethernet/microchip/encx24j600-regmap.c +@@ -359,7 +359,7 @@ static int regmap_encx24j600_phy_reg_read(void *context, unsigned int reg, + goto err_out; + + usleep_range(26, 100); +- while ((ret = regmap_read(ctx->regmap, MISTAT, &mistat) != 0) && ++ while (((ret = regmap_read(ctx->regmap, MISTAT, &mistat)) != 0) && + (mistat & BUSY)) + cpu_relax(); + +@@ -397,7 +397,7 @@ static int regmap_encx24j600_phy_reg_write(void *context, unsigned int reg, + goto err_out; + + usleep_range(26, 100); +- while ((ret = regmap_read(ctx->regmap, MISTAT, &mistat) != 0) && ++ while (((ret = regmap_read(ctx->regmap, MISTAT, &mistat)) != 0) && + (mistat & BUSY)) + cpu_relax(); + +-- +2.35.1 + 
diff --git a/queue-6.0/net-encx24j600-fix-invalid-logic-in-reading-of-mista.patch b/queue-6.0/net-encx24j600-fix-invalid-logic-in-reading-of-mista.patch
new file mode 100644
index 00000000000..796151a8cc7
--- /dev/null
+++ b/queue-6.0/net-encx24j600-fix-invalid-logic-in-reading-of-mista.patch
@@ -0,0 +1,52 @@ +From 4f78f9fc37b642951e31c8f28a50ec8a80ddbc30 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Dec 2022 20:34:08 +0300 +Subject: net: encx24j600: Fix invalid logic in reading of MISTAT register + +From: Valentina Goncharenko + +[ Upstream commit 25f427ac7b8d89b0259f86c0c6407b329df742b2 ] + +A loop for reading MISTAT register continues while regmap_read() fails +and (mistat & BUSY), but if regmap_read() fails a value of mistat is +undefined. + +The patch proposes to check for BUSY flag only when regmap_read() +succeed. Compile test only. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: d70e53262f5c ("net: Microchip encx24j600 driver") +Signed-off-by: Valentina Goncharenko +Reviewed-by: Pavan Chebbi +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/microchip/encx24j600-regmap.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/microchip/encx24j600-regmap.c b/drivers/net/ethernet/microchip/encx24j600-regmap.c +index 2e337c7a5773..5693784eec5b 100644 +--- a/drivers/net/ethernet/microchip/encx24j600-regmap.c ++++ b/drivers/net/ethernet/microchip/encx24j600-regmap.c +@@ -359,7 +359,7 @@ static int regmap_encx24j600_phy_reg_read(void *context, unsigned int reg, + goto err_out; + + usleep_range(26, 100); +- while (((ret = regmap_read(ctx->regmap, MISTAT, &mistat)) != 0) && ++ while (((ret = regmap_read(ctx->regmap, MISTAT, &mistat)) == 0) && + (mistat & BUSY)) + cpu_relax(); + +@@ -397,7 +397,7 @@ static int regmap_encx24j600_phy_reg_write(void *context, unsigned int reg, + goto err_out; + + usleep_range(26, 100); +- while (((ret = regmap_read(ctx->regmap, MISTAT, &mistat)) != 0) && ++ while (((ret = regmap_read(ctx->regmap, MISTAT, &mistat)) == 0) && + (mistat & BUSY)) + cpu_relax(); + +-- +2.35.1 + 
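Review bot: Both wait loops, in `regmap_encx24j600_phy_reg_read()` and `regmap_encx24j600_phy_reg_write()`, still have no upper bound. With `== 0` they now spin for as long as the read succeeds and `MISTAT` reports `BUSY`, so a device that never clears the flag stalls the caller indefinitely. A bounded poll would make this fail cleanly, e.g. `ret = regmap_read_poll_timeout(ctx->regmap, MISTAT, mistat, !(mistat & BUSY), <SLEEP_US>, <TIMEOUT_US>);` with the two values taken from the datasheet. Both functions start and end outside the hunks, so check how `ret` is handled after the loop when making that change.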
diff --git a/queue-6.0/net-ethernet-ti-am65-cpsw-fix-rgmii-configuration-at.patch b/queue-6.0/net-ethernet-ti-am65-cpsw-fix-rgmii-configuration-at.patch
new file mode 100644
index 00000000000..05691b7dde8
--- /dev/null
+++ b/queue-6.0/net-ethernet-ti-am65-cpsw-fix-rgmii-configuration-at.patch
@@ -0,0 +1,43 @@ +From a3485b048ddc8a3c4776275bad50f77df0918660 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Nov 2022 10:36:39 +0530 +Subject: net: ethernet: ti: am65-cpsw: Fix RGMII configuration at SPEED_10 + +From: Siddharth Vadapalli + +[ Upstream commit 6c681f899e0360803b924ac8c96ee21965118649 ] + +The am65-cpsw driver supports configuring all RGMII variants at interface +speed of 10 Mbps. However, in the process of shifting to the PHYLINK +framework, the support for all variants of RGMII except the +PHY_INTERFACE_MODE_RGMII variant was accidentally removed. + +Fix this by using phy_interface_mode_is_rgmii() to check for all variants +of RGMII mode. + +Fixes: e8609e69470f ("net: ethernet: ti: am65-cpsw: Convert to PHYLINK") +Reported-by: Schuyler Patton +Signed-off-by: Siddharth Vadapalli +Link: https://lore.kernel.org/r/20221129050639.111142-1-s-vadapalli@ti.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ti/am65-cpsw-nuss.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/ti/am65-cpsw-nuss.c b/drivers/net/ethernet/ti/am65-cpsw-nuss.c +index 95baacd6c761..47da11b9ac28 100644 +--- a/drivers/net/ethernet/ti/am65-cpsw-nuss.c ++++ b/drivers/net/ethernet/ti/am65-cpsw-nuss.c +@@ -1450,7 +1450,7 @@ static void am65_cpsw_nuss_mac_link_up(struct phylink_config *config, struct phy + + if (speed == SPEED_1000) + mac_control |= CPSW_SL_CTL_GIG; +- if (speed == SPEED_10 && interface == PHY_INTERFACE_MODE_RGMII) ++ if (speed == SPEED_10 && phy_interface_mode_is_rgmii(interface)) + /* Can be used with in band mode only */ + mac_control |= CPSW_SL_CTL_EXT_EN; + if (speed == SPEED_100 && interface == PHY_INTERFACE_MODE_RMII) +-- +2.35.1 + diff --git a/queue-6.0/net-hisilicon-fix-potential-use-after-free-in-hisi_f.patch b/queue-6.0/net-hisilicon-fix-potential-use-after-free-in-hisi_f.patch new file mode 100644 index 00000000000..83c57600d3b --- /dev/null 
+++ b/queue-6.0/net-hisilicon-fix-potential-use-after-free-in-hisi_f.patch @@ -0,0 +1,37 @@ +From 93f9e4a310b0c890670026b0caa9bb94f62ffd6d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 3 Dec 2022 17:42:39 +0800 +Subject: net: hisilicon: Fix potential use-after-free in hisi_femac_rx() + +From: Liu Jian + +[ Upstream commit 4640177049549de1a43e9bc49265f0cdfce08cfd ] + +The skb is delivered to napi_gro_receive() which may free it, after +calling this, dereferencing skb may trigger use-after-free. + +Fixes: 542ae60af24f ("net: hisilicon: Add Fast Ethernet MAC driver") +Signed-off-by: Liu Jian +Link: https://lore.kernel.org/r/20221203094240.1240211-1-liujian56@huawei.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hisi_femac.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/hisilicon/hisi_femac.c b/drivers/net/ethernet/hisilicon/hisi_femac.c +index 93846bace028..ce2571c16e43 100644 +--- a/drivers/net/ethernet/hisilicon/hisi_femac.c ++++ b/drivers/net/ethernet/hisilicon/hisi_femac.c +@@ -283,7 +283,7 @@ static int hisi_femac_rx(struct net_device *dev, int limit) + skb->protocol = eth_type_trans(skb, dev); + napi_gro_receive(&priv->napi, skb); + dev->stats.rx_packets++; +- dev->stats.rx_bytes += skb->len; ++ dev->stats.rx_bytes += len; + next: + pos = (pos + 1) % rxq->num; + if (rx_pkts_num >= limit) +-- +2.35.1 + diff --git a/queue-6.0/net-hisilicon-fix-potential-use-after-free-in-hix5hd.patch b/queue-6.0/net-hisilicon-fix-potential-use-after-free-in-hix5hd.patch new file mode 100644 index 00000000000..96280a1b639 --- /dev/null +++ b/queue-6.0/net-hisilicon-fix-potential-use-after-free-in-hix5hd.patch 
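Review bot: The replacement line `dev->stats.rx_bytes += len;` in `hisi_femac_rx()` depends on an ordering rule that nothing in the code states: once `napi_gro_receive()` has the skb, it must not be dereferenced. A comment above that call, such as `/* skb belongs to the stack after this call; use the cached len below */`, would keep a later edit from reintroducing the use-after-free. `len` is assigned outside the hunk; if it holds the frame length from before `eth_type_trans()` pulled the header, the counter now includes the Ethernet header, which is worth confirming as intended. The same applies to the identical change in `hix5hd2_rx()` (hix5hd2_gmac.c).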
@@ -0,0 +1,37 @@ +From 946f7f805506aca96306bdbb60178c8696ea6a58 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 3 Dec 2022 17:42:40 +0800 +Subject: net: hisilicon: Fix potential use-after-free in hix5hd2_rx() + +From: Liu Jian + +[ Upstream commit 433c07a13f59856e4585e89e86b7d4cc59348fab ] + +The skb is delivered to napi_gro_receive() which may free it, after +calling this, dereferencing skb may trigger use-after-free. + +Fixes: 57c5bc9ad7d7 ("net: hisilicon: add hix5hd2 mac driver") +Signed-off-by: Liu Jian +Link: https://lore.kernel.org/r/20221203094240.1240211-2-liujian56@huawei.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hix5hd2_gmac.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/hisilicon/hix5hd2_gmac.c b/drivers/net/ethernet/hisilicon/hix5hd2_gmac.c +index d7e62eca050f..b981b6cbe6ff 100644 +--- a/drivers/net/ethernet/hisilicon/hix5hd2_gmac.c ++++ b/drivers/net/ethernet/hisilicon/hix5hd2_gmac.c +@@ -550,7 +550,7 @@ static int hix5hd2_rx(struct net_device *dev, int limit) + skb->protocol = eth_type_trans(skb, dev); + napi_gro_receive(&priv->napi, skb); + dev->stats.rx_packets++; +- dev->stats.rx_bytes += skb->len; ++ dev->stats.rx_bytes += len; + next: + pos = dma_ring_incr(pos, RX_DESC_NUM); + } +-- +2.35.1 + diff --git a/queue-6.0/net-mdio-fix-unbalanced-fwnode-reference-count-in-md.patch b/queue-6.0/net-mdio-fix-unbalanced-fwnode-reference-count-in-md.patch new file mode 100644 index 00000000000..3a9d10885c4 --- /dev/null +++ b/queue-6.0/net-mdio-fix-unbalanced-fwnode-reference-count-in-md.patch 
@@ -0,0 +1,78 @@ +From f76018a252d3fb23946ee85556db58f77ec69ad8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 3 Dec 2022 15:34:41 +0800 +Subject: net: mdio: fix unbalanced fwnode reference count in + mdio_device_release() + +From: Zeng Heng + +[ Upstream commit cb37617687f2bfa5b675df7779f869147c9002bd ] + +There is warning report about of_node refcount leak +while probing mdio device: + +OF: ERROR: memory leak, expected refcount 1 instead of 2, +of_node_get()/of_node_put() unbalanced - destroy cset entry: +attach overlay node /spi/soc@0/mdio@710700c0/ethernet@4 + +In of_mdiobus_register_device(), we increase fwnode refcount +by fwnode_handle_get() before associating the of_node with +mdio device, but it has never been decreased in normal path. +Since that, in mdio_device_release(), it needs to call +fwnode_handle_put() in addition instead of calling kfree() +directly. + +After above, just calling mdio_device_free() in the error handle +path of of_mdiobus_register_device() is enough to keep the +refcount balanced. + +Fixes: a9049e0c513c ("mdio: Add support for mdio drivers.") +Signed-off-by: Zeng Heng +Reviewed-by: Yang Yingliang +Reviewed-by: Russell King (Oracle) +Link: https://lore.kernel.org/r/20221203073441.3885317-1-zengheng4@huawei.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/mdio/of_mdio.c | 3 ++- + drivers/net/phy/mdio_device.c | 2 ++ + 2 files changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/mdio/of_mdio.c b/drivers/net/mdio/of_mdio.c +index 796e9c7857d0..510822d6d0d9 100644 +--- a/drivers/net/mdio/of_mdio.c ++++ b/drivers/net/mdio/of_mdio.c +@@ -68,8 +68,9 @@ static int of_mdiobus_register_device(struct mii_bus *mdio, + /* All data is now stored in the mdiodev struct; register it. 
*/ + rc = mdio_device_register(mdiodev); + if (rc) { ++ device_set_node(&mdiodev->dev, NULL); ++ fwnode_handle_put(fwnode); + mdio_device_free(mdiodev); +- of_node_put(child); + return rc; + } + +diff --git a/drivers/net/phy/mdio_device.c b/drivers/net/phy/mdio_device.c +index 250742ffdfd9..044828d081d2 100644 +--- a/drivers/net/phy/mdio_device.c ++++ b/drivers/net/phy/mdio_device.c +@@ -21,6 +21,7 @@ + #include + #include + #include ++#include + + void mdio_device_free(struct mdio_device *mdiodev) + { +@@ -30,6 +31,7 @@ EXPORT_SYMBOL(mdio_device_free); + + static void mdio_device_release(struct device *dev) + { ++ fwnode_handle_put(dev->fwnode); + kfree(to_mdio_device(dev)); + } + +-- +2.35.1 + diff --git a/queue-6.0/net-mdiobus-fix-double-put-fwnode-in-the-error-path.patch b/queue-6.0/net-mdiobus-fix-double-put-fwnode-in-the-error-path.patch new file mode 100644 index 00000000000..056b1ceddf5 --- /dev/null +++ b/queue-6.0/net-mdiobus-fix-double-put-fwnode-in-the-error-path.patch 
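Review bot: `mdio_device_release()` now calls `fwnode_handle_put(dev->fwnode)` unconditionally, which makes it a rule that every path attaching a node to an mdio device holds its own reference. A path that sets the node without taking one would underflow the count at release. Only `of_mdiobus_register_device()` is shown here, so the other places that attach a node should be checked against this rule. A comment on the release function would record the contract, e.g. `/* drops the fwnode reference taken when the node was attached */`.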
@@ -0,0 +1,53 @@ +From b8bc15a7b73fd6f8af71be6c87ef8ba35710d7b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Dec 2022 13:18:33 +0800 +Subject: net: mdiobus: fix double put fwnode in the error path + +From: Yang Yingliang + +[ Upstream commit 165df24186ecea95705505627df3dacf5e7ff6bf ] + +If phy_device_register() or fwnode_mdiobus_phy_device_register() +fail, phy_device_free() is called, the device refcount is decreased +to 0, then fwnode_handle_put() will be called in phy_device_release(), +but in the error path, fwnode_handle_put() has already been called, +so set fwnode to NULL after fwnode_handle_put() in the error path to +avoid double put. + +Fixes: cdde1560118f ("net: mdiobus: fix unbalanced node reference count") +Reported-by: Zeng Heng +Tested-by: Zeng Heng +Signed-off-by: Yang Yingliang +Reviewed-by: Zeng Heng +Tested-by: Zeng Heng +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/mdio/fwnode_mdio.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/mdio/fwnode_mdio.c b/drivers/net/mdio/fwnode_mdio.c +index 403b07f8ec2c..2c47efdae73b 100644 +--- a/drivers/net/mdio/fwnode_mdio.c ++++ b/drivers/net/mdio/fwnode_mdio.c +@@ -77,6 +77,7 @@ int fwnode_mdiobus_phy_device_register(struct mii_bus *mdio, + */ + rc = phy_device_register(phy); + if (rc) { ++ device_set_node(&phy->mdio.dev, NULL); + fwnode_handle_put(child); + return rc; + } +@@ -125,7 +126,8 @@ int fwnode_mdiobus_register_phy(struct mii_bus *bus, + /* All data is now stored in the phy struct, so register it */ + rc = phy_device_register(phy); + if (rc) { +- fwnode_handle_put(phy->mdio.dev.fwnode); ++ phy->mdio.dev.fwnode = NULL; ++ fwnode_handle_put(child); + goto clean_phy; + } + } else if (is_of_node(child)) { +-- +2.35.1 + diff --git a/queue-6.0/net-mdiobus-fwnode_mdiobus_register_phy-rework-error.patch b/queue-6.0/net-mdiobus-fwnode_mdiobus_register_phy-rework-error.patch new file mode 100644 index 00000000000..8560ec490ea 
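Review bot: The two error paths clear the node in different ways: `fwnode_mdiobus_phy_device_register()` uses `device_set_node(&phy->mdio.dev, NULL)`, while `fwnode_mdiobus_register_phy()` assigns `phy->mdio.dev.fwnode = NULL` directly. Using the helper in both places, `device_set_node(&phy->mdio.dev, NULL);`, keeps the two in step and does not depend on only `fwnode` having been populated in that branch. The statements that attach the node in each function are outside the hunks, so confirm which fields were set before unifying them.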
--- /dev/null +++ b/queue-6.0/net-mdiobus-fwnode_mdiobus_register_phy-rework-error.patch 
@@ -0,0 +1,73 @@ +From a29888f7ed1b766cb7ecac7942f28ae543aef9de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Oct 2022 08:51:58 +0200 +Subject: net: mdiobus: fwnode_mdiobus_register_phy() rework error handling + +From: Oleksij Rempel + +[ Upstream commit cfaa202a73eafaf91a3d0a86b5e5df006562f5c0 ] + +Rework error handling as preparation for PSE patch. This patch should +make it easier to extend this function. + +Signed-off-by: Oleksij Rempel +Reviewed-by: Andrew Lunn +Signed-off-by: Jakub Kicinski +Stable-dep-of: 165df24186ec ("net: mdiobus: fix double put fwnode in the error path") +Signed-off-by: Sasha Levin +--- + drivers/net/mdio/fwnode_mdio.c | 21 ++++++++++++--------- + 1 file changed, 12 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/mdio/fwnode_mdio.c b/drivers/net/mdio/fwnode_mdio.c +index 40e745a1d185..403b07f8ec2c 100644 +--- a/drivers/net/mdio/fwnode_mdio.c ++++ b/drivers/net/mdio/fwnode_mdio.c +@@ -110,8 +110,8 @@ int fwnode_mdiobus_register_phy(struct mii_bus *bus, + else + phy = phy_device_create(bus, addr, phy_id, 0, NULL); + if (IS_ERR(phy)) { +- unregister_mii_timestamper(mii_ts); +- return PTR_ERR(phy); ++ rc = PTR_ERR(phy); ++ goto clean_mii_ts; + } + + if (is_acpi_node(child)) { +@@ -125,17 +125,13 @@ int fwnode_mdiobus_register_phy(struct mii_bus *bus, + /* All data is now stored in the phy struct, so register it */ + rc = phy_device_register(phy); + if (rc) { +- phy_device_free(phy); + fwnode_handle_put(phy->mdio.dev.fwnode); +- return rc; ++ goto clean_phy; + } + } else if (is_of_node(child)) { + rc = fwnode_mdiobus_phy_device_register(bus, phy, child, addr); +- if (rc) { +- unregister_mii_timestamper(mii_ts); +- phy_device_free(phy); +- return rc; +- } ++ if (rc) ++ goto clean_phy; + } + + /* phy->mii_ts may already be defined by the PHY driver. 
A +@@ -145,5 +141,12 @@ int fwnode_mdiobus_register_phy(struct mii_bus *bus, + if (mii_ts) + phy->mii_ts = mii_ts; + return 0; ++ ++clean_phy: ++ phy_device_free(phy); ++clean_mii_ts: ++ unregister_mii_timestamper(mii_ts); ++ ++ return rc; + } + EXPORT_SYMBOL(fwnode_mdiobus_register_phy); +-- +2.35.1 + diff --git a/queue-6.0/net-microchip-sparx5-correctly-free-skb-in-xmit.patch b/queue-6.0/net-microchip-sparx5-correctly-free-skb-in-xmit.patch new file mode 100644 index 00000000000..441eacbc834 --- /dev/null +++ b/queue-6.0/net-microchip-sparx5-correctly-free-skb-in-xmit.patch 
@@ -0,0 +1,107 @@
+From 3744f828968354345a400e468922483a08ccc5a7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 2 Dec 2022 09:35:44 +0100
+Subject: net: microchip: sparx5: correctly free skb in xmit
+
+From: Casper Andersson
+
+[ Upstream commit 121c6672b0191ffcebff4b88ec022c39e0a95789 ]
+
+consume_skb on transmitted, kfree_skb on dropped, do not free on
+TX_BUSY.
+
+Previously the xmit function could return -EBUSY without freeing, which
+supposedly is interpreted as a drop. And was using kfree on successfully
+transmitted packets.
+
+sparx5_fdma_xmit and sparx5_inject returns error code, where -EBUSY
+indicates TX_BUSY and any other error code indicates dropped.
+
+Fixes: f3cad2611a77 ("net: sparx5: add hostmode with phylink support")
+Signed-off-by: Casper Andersson
+Reviewed-by: Horatiu Vultur
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ .../ethernet/microchip/sparx5/sparx5_fdma.c | 2 +-
+ .../ethernet/microchip/sparx5/sparx5_packet.c | 41 +++++++++++--------
+ 2 files changed, 25 insertions(+), 18 deletions(-)
+
+diff --git a/drivers/net/ethernet/microchip/sparx5/sparx5_fdma.c b/drivers/net/ethernet/microchip/sparx5/sparx5_fdma.c
+index 66360c8c5a38..141897dfe388 100644
+--- a/drivers/net/ethernet/microchip/sparx5/sparx5_fdma.c
++++ b/drivers/net/ethernet/microchip/sparx5/sparx5_fdma.c
+@@ -317,7 +317,7 @@ int sparx5_fdma_xmit(struct sparx5 *sparx5, u32 *ifh, struct sk_buff *skb)
+ next_dcb_hw = sparx5_fdma_next_dcb(tx, tx->curr_entry);
+ db_hw = &next_dcb_hw->db[0];
+ if (!(db_hw->status & FDMA_DCB_STATUS_DONE))
+- tx->dropped++;
++ return -EINVAL;
+ db = list_first_entry(&tx->db_list, struct sparx5_db, list);
+ list_move_tail(&db->list, &tx->db_list);
+ next_dcb_hw->nextptr = FDMA_DCB_INVALID_DATA;
+diff --git a/drivers/net/ethernet/microchip/sparx5/sparx5_packet.c b/drivers/net/ethernet/microchip/sparx5/sparx5_packet.c
+index 21844beba72d..0ce0fc985222 100644
+--- a/drivers/net/ethernet/microchip/sparx5/sparx5_packet.c
++++
b/drivers/net/ethernet/microchip/sparx5/sparx5_packet.c
+@@ -234,9 +234,8 @@ int sparx5_port_xmit_impl(struct sk_buff *skb, struct net_device *dev)
+ sparx5_set_port_ifh(ifh, port->portno);
+
+ if (sparx5->ptp && skb_shinfo(skb)->tx_flags & SKBTX_HW_TSTAMP) {
+- ret = sparx5_ptp_txtstamp_request(port, skb);
+- if (ret)
+- return ret;
++ if (sparx5_ptp_txtstamp_request(port, skb) < 0)
++ return NETDEV_TX_BUSY;
+
+ sparx5_set_port_ifh_rew_op(ifh, SPARX5_SKB_CB(skb)->rew_op);
+ sparx5_set_port_ifh_pdu_type(ifh, SPARX5_SKB_CB(skb)->pdu_type);
+@@ -250,23 +249,31 @@ int sparx5_port_xmit_impl(struct sk_buff *skb, struct net_device *dev)
+ else
+ ret = sparx5_inject(sparx5, ifh, skb, dev);
+
+- if (ret == NETDEV_TX_OK) {
+- stats->tx_bytes += skb->len;
+- stats->tx_packets++;
++ if (ret == -EBUSY)
++ goto busy;
++ if (ret < 0)
++ goto drop;
+
+- if (skb_shinfo(skb)->tx_flags & SKBTX_HW_TSTAMP &&
+- SPARX5_SKB_CB(skb)->rew_op == IFH_REW_OP_TWO_STEP_PTP)
+- return ret;
++ stats->tx_bytes += skb->len;
++ stats->tx_packets++;
++ sparx5->tx.packets++;
+
+- dev_kfree_skb_any(skb);
+- } else {
+- stats->tx_dropped++;
++ if (skb_shinfo(skb)->tx_flags & SKBTX_HW_TSTAMP &&
++ SPARX5_SKB_CB(skb)->rew_op == IFH_REW_OP_TWO_STEP_PTP)
++ return NETDEV_TX_OK;
+
+- if (skb_shinfo(skb)->tx_flags & SKBTX_HW_TSTAMP &&
+- SPARX5_SKB_CB(skb)->rew_op == IFH_REW_OP_TWO_STEP_PTP)
+- sparx5_ptp_txtstamp_release(port, skb);
+- }
+- return ret;
++ dev_consume_skb_any(skb);
++ return NETDEV_TX_OK;
++drop:
++ stats->tx_dropped++;
++ sparx5->tx.dropped++;
++ dev_kfree_skb_any(skb);
++ return NETDEV_TX_OK;
++busy:
++ if (skb_shinfo(skb)->tx_flags & SKBTX_HW_TSTAMP &&
++ SPARX5_SKB_CB(skb)->rew_op == IFH_REW_OP_TWO_STEP_PTP)
++ sparx5_ptp_txtstamp_release(port, skb);
++ return NETDEV_TX_BUSY;
+ }
+
+ static enum hrtimer_restart sparx5_injection_timeout(struct hrtimer *tmr)
+--
+2.35.1
+
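Review bot: The new `drop:` label in sparx5_port_xmit_impl() frees the skb with `dev_kfree_skb_any(skb)` but no longer calls `sparx5_ptp_txtstamp_release(port, skb)`, which the removed else-branch did for every failed transmit of a two-step PTP frame; the release now happens only under `busy:`. If sparx5_ptp_txtstamp_request() keeps a pointer to the skb until it is released (its body is not in this hunk), a dropped timestamped frame would leave that pointer referring to freed memory. Repeating the two-step test ahead of the free, `if (skb_shinfo(skb)->tx_flags & SKBTX_HW_TSTAMP && SPARX5_SKB_CB(skb)->rew_op == IFH_REW_OP_TWO_STEP_PTP) sparx5_ptp_txtstamp_release(port, skb);`, would keep the old behaviour on the drop path.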
diff --git a/queue-6.0/net-microchip-sparx5-fix-missing-destroy_workqueue-o.patch b/queue-6.0/net-microchip-sparx5-fix-missing-destroy_workqueue-o.patch
new file mode 100644
index 00000000000..6ca6116f5e3
--- /dev/null
+++ b/queue-6.0/net-microchip-sparx5-fix-missing-destroy_workqueue-o.patch
@@ -0,0 +1,47 @@
+From 9a83ea6fb68cb8b6f58b451c0cac5c3ce318a5a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 3 Dec 2022 15:02:59 +0800
+Subject: net: microchip: sparx5: Fix missing destroy_workqueue of mact_queue
+
+From: Qiheng Lin
+
+[ Upstream commit 7b8232bdb1789a257de3129a9bb08c69b93a17db ]
+
+The mchp_sparx5_probe() won't destroy workqueue created by
+create_singlethread_workqueue() in sparx5_start() when later
+inits failed. Add destroy_workqueue in the cleanup_ports case,
+also add it in mchp_sparx5_remove()
+
+Fixes: b37a1bae742f ("net: sparx5: add mactable support")
+Signed-off-by: Qiheng Lin
+Link: https://lore.kernel.org/r/20221203070259.19560-1-linqiheng@huawei.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/microchip/sparx5/sparx5_main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/microchip/sparx5/sparx5_main.c b/drivers/net/ethernet/microchip/sparx5/sparx5_main.c
+index 30815c0e3f76..e58de119186a 100644
+--- a/drivers/net/ethernet/microchip/sparx5/sparx5_main.c
++++ b/drivers/net/ethernet/microchip/sparx5/sparx5_main.c
+@@ -876,6 +876,8 @@ static int mchp_sparx5_probe(struct platform_device *pdev)
+
+ cleanup_ports:
+ sparx5_cleanup_ports(sparx5);
++ if (sparx5->mact_queue)
++ destroy_workqueue(sparx5->mact_queue);
+ cleanup_config:
+ kfree(configs);
+ cleanup_pnode:
+@@ -900,6 +902,7 @@ static int mchp_sparx5_remove(struct platform_device *pdev)
+ sparx5_cleanup_ports(sparx5);
+ /* Unregister netdevs */
+ sparx5_unregister_notifier_blocks(sparx5);
++ destroy_workqueue(sparx5->mact_queue);
+
+ return 0;
+ }
+--
+2.35.1
+
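Review bot: The two added `destroy_workqueue()` calls are guarded differently and nothing in the code says why: `cleanup_ports:` tests `sparx5->mact_queue` first, while mchp_sparx5_remove() calls it unconditionally. Presumably the probe label can be reached before sparx5_start() has created the queue and remove only runs after a successful probe, but both functions start outside the hunk. A short comment at the probe site, e.g. `/* mact_queue is only set once sparx5_start() has run */`, would keep a later cleanup from dropping the NULL test.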
diff --git a/queue-6.0/net-mvneta-fix-an-out-of-bounds-check.patch b/queue-6.0/net-mvneta-fix-an-out-of-bounds-check.patch
new file mode 100644
index 00000000000..35d318e7b8e
--- /dev/null
+++ b/queue-6.0/net-mvneta-fix-an-out-of-bounds-check.patch
@@ -0,0 +1,55 @@
+From 9c1d663a25ca6388d20789959d6ab97aa2db62f9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 7 Dec 2022 10:06:31 +0300
+Subject: net: mvneta: Fix an out of bounds check
+
+From: Dan Carpenter
+
+[ Upstream commit cdd97383e19d4afe29adc3376025a15ae3bab3a3 ]
+
+In an earlier commit, I added a bounds check to prevent an out of bounds
+read and a WARN(). On further discussion and consideration that check
+was probably too aggressive. Instead of returning -EINVAL, a better fix
+would be to just prevent the out of bounds read but continue the process.
+
+Background: The value of "pp->rxq_def" is a number between 0-7 by default,
+or even higher depending on the value of "rxq_number", which is a module
+parameter. If the value is more than the number of available CPUs then
+it will trigger the WARN() in cpu_max_bits_warn().
+
+Fixes: e8b4fc13900b ("net: mvneta: Prevent out of bounds read in mvneta_config_rss()")
+Signed-off-by: Dan Carpenter
+Reviewed-by: Leon Romanovsky
+Link: https://lore.kernel.org/r/Y5A7d1E5ccwHTYPf@kadam
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/marvell/mvneta.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c
+index 3805b61b9263..85c93ba6a82b 100644
+--- a/drivers/net/ethernet/marvell/mvneta.c
++++ b/drivers/net/ethernet/marvell/mvneta.c
+@@ -4271,7 +4271,7 @@ static void mvneta_percpu_elect(struct mvneta_port *pp)
+ /* Use the cpu associated to the rxq when it is online, in all
+ * the other cases, use the cpu 0 which can't be offline.
+ */
+- if (cpu_online(pp->rxq_def))
++ if (pp->rxq_def < nr_cpu_ids && cpu_online(pp->rxq_def))
+ elected_cpu = pp->rxq_def;
+
+ max_cpu = num_present_cpus();
+@@ -4927,9 +4927,6 @@ static int mvneta_config_rss(struct mvneta_port *pp)
+ napi_disable(&pp->napi);
+ }
+
+- if (pp->indir[0] >= nr_cpu_ids)
+- return -EINVAL;
+-
+ pp->rxq_def = pp->indir[0];
+
+ /* Update unicast mapping */
+--
+2.35.1
+
diff --git a/queue-6.0/net-mvneta-prevent-out-of-bounds-read-in-mvneta_conf.patch b/queue-6.0/net-mvneta-prevent-out-of-bounds-read-in-mvneta_conf.patch
new file mode 100644
index 00000000000..9655852e2a7
--- /dev/null
+++ b/queue-6.0/net-mvneta-prevent-out-of-bounds-read-in-mvneta_conf.patch
@@ -0,0 +1,41 @@
+From addcd7a58ec22ca4fb340a6e301ba90f60394ab9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 2 Dec 2022 12:58:26 +0300
+Subject: net: mvneta: Prevent out of bounds read in mvneta_config_rss()
+
+From: Dan Carpenter
+
+[ Upstream commit e8b4fc13900b8e8be48debffd0dfd391772501f7 ]
+
+The pp->indir[0] value comes from the user. It is passed to:
+
+ if (cpu_online(pp->rxq_def))
+
+inside the mvneta_percpu_elect() function. It needs bounds checkeding
+to ensure that it is not beyond the end of the cpu bitmap.
+
+Fixes: cad5d847a093 ("net: mvneta: Fix the CPU choice in mvneta_percpu_elect")
+Signed-off-by: Dan Carpenter
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/marvell/mvneta.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c
+index 0caa2df87c04..3805b61b9263 100644
+--- a/drivers/net/ethernet/marvell/mvneta.c
++++ b/drivers/net/ethernet/marvell/mvneta.c
+@@ -4927,6 +4927,9 @@ static int mvneta_config_rss(struct mvneta_port *pp)
+ napi_disable(&pp->napi);
+ }
+
++ if (pp->indir[0] >= nr_cpu_ids)
++ return -EINVAL;
++
+ pp->rxq_def = pp->indir[0];
+
+ /* Update unicast mapping */
+--
+2.35.1
+
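Review bot: With the range test moved into mvneta_percpu_elect() by the "Fix an out of bounds check" patch, `pp->rxq_def = pp->indir[0];` in mvneta_config_rss() stores a user-supplied value that may be `>= nr_cpu_ids`, and the only guard is the one now placed in front of `cpu_online(pp->rxq_def)`. Any other code that treats `rxq_def` as a CPU number (none is visible in these hunks) would need the same test. The invariant is worth recording at the assignment, e.g. `/* may exceed nr_cpu_ids; range-check before using as a CPU index */`. Both functions continue outside the hunks.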
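Review bot: In the "Prevent out of bounds read" patch the added `return -EINVAL;` sits directly after the block that ends in `napi_disable(&pp->napi);`, so a rejected `pp->indir[0]` leaves mvneta_config_rss() with NAPI still disabled unless something later undoes it; any re-enable code is below the hunk. Validation of a user-controlled value belongs before the device is quiesced, i.e. the `if (pp->indir[0] >= nr_cpu_ids)` test should come ahead of the disable logic. The "Fix an out of bounds check" patch in this same queue removes these three lines again, so the two need to be applied as a pair.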
diff --git a/queue-6.0/net-phy-mxl-gpy-add-mdint-workaround.patch b/queue-6.0/net-phy-mxl-gpy-add-mdint-workaround.patch
new file mode 100644
index 00000000000..d9dbf453433
--- /dev/null
+++ b/queue-6.0/net-phy-mxl-gpy-add-mdint-workaround.patch
@@ -0,0 +1,177 @@
+From 6d8154490f343892299a2700ed3b6b526839094f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 5 Dec 2022 21:04:53 +0100
+Subject: net: phy: mxl-gpy: add MDINT workaround
+
+From: Michael Walle
+
+[ Upstream commit 5f4d487d01ff5349da38f7a09ca36bf6aa2e29fb ]
+
+At least the GPY215B and GPY215C has a bug where it is still driving the
+interrupt line (MDINT) even after the interrupt status register is read
+and its bits are cleared. This will cause an interrupt storm.
+
+Although the MDINT is multiplexed with a GPIO pin and theoretically we
+could switch the pinmux to GPIO input mode, this isn't possible because
+the access to this register will stall exactly as long as the interrupt
+line is asserted. We exploit this very fact and just read a random
+internal register in our interrupt handler. This way, it will be delayed
+until the external interrupt line is released and an interrupt storm is
+avoided.
+
+The internal register access via the mailbox was deduced by looking at
+the downstream PHY API because the datasheet doesn't mention any of
+this.
+
+Fixes: 7d901a1e878a ("net: phy: add Maxlinear GPY115/21x/24x driver")
+Signed-off-by: Michael Walle
+Reviewed-by: Andrew Lunn
+Link: https://lore.kernel.org/r/20221205200453.3447866-1-michael@walle.cc
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/phy/mxl-gpy.c | 85 +++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 85 insertions(+)
+
+diff --git a/drivers/net/phy/mxl-gpy.c b/drivers/net/phy/mxl-gpy.c
+index 24bae27eedef..cae24091fb6f 100644
+--- a/drivers/net/phy/mxl-gpy.c
++++ b/drivers/net/phy/mxl-gpy.c
+@@ -9,6 +9,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -70,6 +71,14 @@
+ #define VPSPEC1_TEMP_STA 0x0E
+ #define VPSPEC1_TEMP_STA_DATA GENMASK(9, 0)
+
++/* Mailbox */
++#define VSPEC1_MBOX_DATA 0x5
++#define VSPEC1_MBOX_ADDRLO 0x6
++#define VSPEC1_MBOX_CMD 0x7
++#define VSPEC1_MBOX_CMD_ADDRHI GENMASK(7, 0)
++#define VSPEC1_MBOX_CMD_RD (0 << 8)
++#define VSPEC1_MBOX_CMD_READY BIT(15)
++
+ /* WoL */
+ #define VPSPEC2_WOL_CTL 0x0E06
+ #define VPSPEC2_WOL_AD01 0x0E08
+@@ -77,7 +86,13 @@
+ #define VPSPEC2_WOL_AD45 0x0E0A
+ #define WOL_EN BIT(0)
+
++/* Internal registers, access via mbox */
++#define REG_GPIO0_OUT 0xd3ce00
++
+ struct gpy_priv {
++ /* serialize mailbox acesses */
++ struct mutex mbox_lock;
++
+ u8 fw_major;
+ u8 fw_minor;
+ };
+@@ -187,6 +202,45 @@ static int gpy_hwmon_register(struct phy_device *phydev)
+ }
+ #endif
+
++static int gpy_mbox_read(struct phy_device *phydev, u32 addr)
++{
++ struct gpy_priv *priv = phydev->priv;
++ int val, ret;
++ u16 cmd;
++
++ mutex_lock(&priv->mbox_lock);
++
++ ret = phy_write_mmd(phydev, MDIO_MMD_VEND1, VSPEC1_MBOX_ADDRLO,
++ addr);
++ if (ret)
++ goto out;
++
++ cmd = VSPEC1_MBOX_CMD_RD;
++ cmd |= FIELD_PREP(VSPEC1_MBOX_CMD_ADDRHI, addr >> 16);
++
++ ret = phy_write_mmd(phydev, MDIO_MMD_VEND1, VSPEC1_MBOX_CMD, cmd);
++ if (ret)
++ goto out;
++
++ /* The mbox read is used in the interrupt workaround.
It was observed
++ * that a read might take up to 2.5ms. This is also the time for which
++ * the interrupt line is stuck low. To be on the safe side, poll the
++ * ready bit for 10ms.
++ */
++ ret = phy_read_mmd_poll_timeout(phydev, MDIO_MMD_VEND1,
++ VSPEC1_MBOX_CMD, val,
++ (val & VSPEC1_MBOX_CMD_READY),
++ 500, 10000, false);
++ if (ret)
++ goto out;
++
++ ret = phy_read_mmd(phydev, MDIO_MMD_VEND1, VSPEC1_MBOX_DATA);
++
++out:
++ mutex_unlock(&priv->mbox_lock);
++ return ret;
++}
++
+ static int gpy_config_init(struct phy_device *phydev)
+ {
+ int ret;
+@@ -201,6 +255,13 @@ static int gpy_config_init(struct phy_device *phydev)
+ return ret < 0 ? ret : 0;
+ }
+
++static bool gpy_has_broken_mdint(struct phy_device *phydev)
++{
++ /* At least these PHYs are known to have broken interrupt handling */
++ return phydev->drv->phy_id == PHY_ID_GPY215B ||
++ phydev->drv->phy_id == PHY_ID_GPY215C;
++}
++
+ static int gpy_probe(struct phy_device *phydev)
+ {
+ struct device *dev = &phydev->mdio.dev;
+@@ -218,6 +279,7 @@ static int gpy_probe(struct phy_device *phydev)
+ if (!priv)
+ return -ENOMEM;
+ phydev->priv = priv;
++ mutex_init(&priv->mbox_lock);
+
+ fw_version = phy_read(phydev, PHY_FWV);
+ if (fw_version < 0)
+@@ -492,6 +554,29 @@ static irqreturn_t gpy_handle_interrupt(struct phy_device *phydev)
+ if (!(reg & PHY_IMASK_MASK))
+ return IRQ_NONE;
+
++ /* The PHY might leave the interrupt line asserted even after PHY_ISTAT
++ * is read. To avoid interrupt storms, delay the interrupt handling as
++ * long as the PHY drives the interrupt line. An internal bus read will
++ * stall as long as the interrupt line is asserted, thus just read a
++ * random register here.
++ * Because we cannot access the internal bus at all while the interrupt
++ * is driven by the PHY, there is no way to make the interrupt line
++ * unstuck (e.g. by changing the pinmux to GPIO input) during that time
++ * frame. Therefore, polling is the best we can do and won't do any more
++ * harm.
++ * It was observed that this bug happens on link state and link speed
++ * changes on a GPY215B and GYP215C independent of the firmware version
++ * (which doesn't mean that this list is exhaustive).
++ */
++ if (gpy_has_broken_mdint(phydev) &&
++ (reg & (PHY_IMASK_LSTC | PHY_IMASK_LSPC))) {
++ reg = gpy_mbox_read(phydev, REG_GPIO0_OUT);
++ if (reg < 0) {
++ phy_error(phydev);
++ return IRQ_NONE;
++ }
++ }
++
+ phy_trigger_machine(phydev);
+
+ return IRQ_HANDLED;
+--
+2.35.1
+
diff --git a/queue-6.0/net-plip-don-t-call-kfree_skb-dev_kfree_skb-under-sp.patch b/queue-6.0/net-plip-don-t-call-kfree_skb-dev_kfree_skb-under-sp.patch
new file mode 100644
index 00000000000..a36aed0ce4c
--- /dev/null
+++ b/queue-6.0/net-plip-don-t-call-kfree_skb-dev_kfree_skb-under-sp.patch
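Review bot: `gpy_mbox_read()` takes a `u32 addr` but only 24 bits of it reach the hardware: the `VSPEC1_MBOX_ADDRLO` write relies on `addr` being narrowed implicitly to the 16-bit value argument of `phy_write_mmd()`, and `FIELD_PREP(VSPEC1_MBOX_CMD_ADDRHI, addr >> 16)` keeps only bits 16-23 because the mask is `GENMASK(7, 0)`. With the single caller passing `REG_GPIO0_OUT` (0xd3ce00) this is fine, but a later caller with a wider address would silently read a different register. Making the contract explicit costs two lines: `if (addr > 0xffffff) return -EINVAL;` before the lock is taken, and `lower_16_bits(addr)` in the first write. The comment in struct gpy_priv also has a typo and should read `/* serialize mailbox accesses */`.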
@@ -0,0 +1,46 @@
+From 46c4c521a485c3de94088dca12bdbd7e26f9ae83 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 7 Dec 2022 09:53:10 +0800
+Subject: net: plip: don't call kfree_skb/dev_kfree_skb() under spin_lock_irq()
+
+From: Yang Yingliang
+
+[ Upstream commit 7d8c19bfc8ff3f78e5337107ca9246327fcb6b45 ]
+
+It is not allowed to call kfree_skb() or consume_skb() from
+hardware interrupt context or with interrupts being disabled.
+So replace kfree_skb/dev_kfree_skb() with dev_kfree_skb_irq()
+and dev_consume_skb_irq() under spin_lock_irq().
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Yang Yingliang
+Reviewed-by: Jiri Pirko
+Link: https://lore.kernel.org/r/20221207015310.2984909-1-yangyingliang@huawei.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/plip/plip.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/plip/plip.c b/drivers/net/plip/plip.c
+index c8791e9b451d..40ce8abe6999 100644
+--- a/drivers/net/plip/plip.c
++++ b/drivers/net/plip/plip.c
+@@ -450,12 +450,12 @@ plip_bh_timeout_error(struct net_device *dev, struct net_local *nl,
+ }
+ rcv->state = PLIP_PK_DONE;
+ if (rcv->skb) {
+- kfree_skb(rcv->skb);
++ dev_kfree_skb_irq(rcv->skb);
+ rcv->skb = NULL;
+ }
+ snd->state = PLIP_PK_DONE;
+ if (snd->skb) {
+- dev_kfree_skb(snd->skb);
++ dev_consume_skb_irq(snd->skb);
+ snd->skb = NULL;
+ }
+ spin_unlock_irq(&nl->lock);
+--
+2.35.1
+
diff --git a/queue-6.0/net-stmmac-fix-snps-axi-config-node-property-parsing.patch b/queue-6.0/net-stmmac-fix-snps-axi-config-node-property-parsing.patch
new file mode 100644
index 00000000000..a7b1f3a2f1f
--- /dev/null
+++ b/queue-6.0/net-stmmac-fix-snps-axi-config-node-property-parsing.patch
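Review bot: In plip_bh_timeout_error() the pending transmit buffer is released with `dev_consume_skb_irq(snd->skb)`, which accounts the packet as consumed rather than dropped even though this is the timeout-error path; the receive buffer next to it uses `dev_kfree_skb_irq(rcv->skb)`. If the frame was not actually sent, drop tracing will not see it, and `dev_kfree_skb_irq(snd->skb);` would record it as a drop. The function starts and ends outside the hunk, so whether `snd->skb` can already have gone out on the wire at this point is not visible.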
@@ -0,0 +1,45 @@
+From 65cff4ca9567f22dff10fe872973f5896507e852 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 3 Dec 2022 00:17:39 +0800
+Subject: net: stmmac: fix "snps,axi-config" node property parsing
+
+From: Jisheng Zhang
+
+[ Upstream commit 61d4f140943c47c1386ed89f7260e00418dfad9d ]
+
+In dt-binding snps,dwmac.yaml, some properties under "snps,axi-config"
+node are named without "axi_" prefix, but the driver expects the
+prefix. Since the dt-binding has been there for a long time, we'd
+better make driver match the binding for compatibility.
+
+Fixes: afea03656add ("stmmac: rework DMA bus setting and introduce new platform AXI structure")
+Signed-off-by: Jisheng Zhang
+Link: https://lore.kernel.org/r/20221202161739.2203-1-jszhang@kernel.org
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c
+index 9f5cac4000da..5c234a8158c7 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c
+@@ -108,10 +108,10 @@ static struct stmmac_axi *stmmac_axi_setup(struct platform_device *pdev)
+
+ axi->axi_lpi_en = of_property_read_bool(np, "snps,lpi_en");
+ axi->axi_xit_frm = of_property_read_bool(np, "snps,xit_frm");
+- axi->axi_kbbe = of_property_read_bool(np, "snps,axi_kbbe");
+- axi->axi_fb = of_property_read_bool(np, "snps,axi_fb");
+- axi->axi_mb = of_property_read_bool(np, "snps,axi_mb");
+- axi->axi_rb = of_property_read_bool(np, "snps,axi_rb");
++ axi->axi_kbbe = of_property_read_bool(np, "snps,kbbe");
++ axi->axi_fb = of_property_read_bool(np, "snps,fb");
++ axi->axi_mb = of_property_read_bool(np, "snps,mb");
++ axi->axi_rb = of_property_read_bool(np, "snps,rb");
+
+ if (of_property_read_u32(np, "snps,wr_osr_lmt", &axi->axi_wr_osr_lmt))
+ axi->axi_wr_osr_lmt = 1;
+--
+2.35.1
+
diff --git a/queue-6.0/net-thunderbolt-fix-memory-leak-in-tbnet_open.patch b/queue-6.0/net-thunderbolt-fix-memory-leak-in-tbnet_open.patch
new file mode 100644
index 00000000000..b8714b42fa6
--- /dev/null
+++ b/queue-6.0/net-thunderbolt-fix-memory-leak-in-tbnet_open.patch
@@ -0,0 +1,39 @@
+From 7b84065ee33c73cdc1af5ef3f743cdd735794f15 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 7 Dec 2022 09:50:01 +0800
+Subject: net: thunderbolt: fix memory leak in tbnet_open()
+
+From: Zhengchao Shao
+
+[ Upstream commit ed14e5903638f6eb868e3e2b4e610985e6a6c876 ]
+
+When tb_ring_alloc_rx() failed in tbnet_open(), ida that allocated in
+tb_xdomain_alloc_out_hopid() is not released. Add
+tb_xdomain_release_out_hopid() to the error path to release ida.
+
+Fixes: 180b0689425c ("thunderbolt: Allow multiple DMA tunnels over a single XDomain connection")
+Signed-off-by: Zhengchao Shao
+Acked-by: Mika Westerberg
+Reviewed-by: Jiri Pirko
+Link: https://lore.kernel.org/r/20221207015001.1755826-1-shaozhengchao@huawei.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/thunderbolt.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/thunderbolt.c b/drivers/net/thunderbolt.c
+index 8391f8303499..1f4dcadc284c 100644
+--- a/drivers/net/thunderbolt.c
++++ b/drivers/net/thunderbolt.c
+@@ -902,6 +902,7 @@ static int tbnet_open(struct net_device *dev)
+ tbnet_start_poll, net);
+ if (!ring) {
+ netdev_err(dev, "failed to allocate Rx ring\n");
++ tb_xdomain_release_out_hopid(xd, hopid);
+ tb_ring_free(net->tx_ring.ring);
+ net->tx_ring.ring = NULL;
+ return -ENOMEM;
+--
+2.35.1
+
diff --git a/queue-6.0/net-thunderx-fix-missing-destroy_workqueue-of-nicvf_.patch b/queue-6.0/net-thunderx-fix-missing-destroy_workqueue-of-nicvf_.patch
new file mode 100644
index 00000000000..6a6533e8cec
--- /dev/null
+++ b/queue-6.0/net-thunderx-fix-missing-destroy_workqueue-of-nicvf_.patch
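Review bot: In the stmmac patch, stmmac_axi_setup() now reads only the unprefixed names (`"snps,kbbe"`, `"snps,fb"`, `"snps,mb"`, `"snps,rb"`), so a device tree written against the old driver spelling silently loses these four AXI settings after the stable update, because `of_property_read_bool()` simply yields false for a property that is absent. For a backport it would be safer to accept both spellings, e.g. `axi->axi_kbbe = of_property_read_bool(np, "snps,kbbe") || of_property_read_bool(np, "snps,axi_kbbe");`, and likewise for the other three. Whether any deployed device tree uses the prefixed names cannot be told from this hunk.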
@@ -0,0 +1,47 @@
+From a4079d4d21da94191ec0df2c791f5dd6e9d3a55d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 3 Dec 2022 09:41:25 +0000
+Subject: net: thunderx: Fix missing destroy_workqueue of nicvf_rx_mode_wq
+
+From: Yongqiang Liu
+
+[ Upstream commit 42330a32933fb42180c52022804dcf09f47a2f99 ]
+
+The nicvf_probe() won't destroy workqueue when register_netdev()
+failed. Add destroy_workqueue err handle case to fix this issue.
+
+Fixes: 2ecbe4f4a027 ("net: thunderx: replace global nicvf_rx_mode_wq work queue for all VFs to private for each of them.")
+Signed-off-by: Yongqiang Liu
+Reviewed-by: Pavan Chebbi
+Link: https://lore.kernel.org/r/20221203094125.602812-1-liuyongqiang13@huawei.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/cavium/thunder/nicvf_main.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/cavium/thunder/nicvf_main.c b/drivers/net/ethernet/cavium/thunder/nicvf_main.c
+index 768ea426d49f..745bd2dfb742 100644
+--- a/drivers/net/ethernet/cavium/thunder/nicvf_main.c
++++ b/drivers/net/ethernet/cavium/thunder/nicvf_main.c
+@@ -2240,7 +2240,7 @@ static int nicvf_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+ err = register_netdev(netdev);
+ if (err) {
+ dev_err(dev, "Failed to register netdevice\n");
+- goto err_unregister_interrupts;
++ goto err_destroy_workqueue;
+ }
+
+ nic->msg_enable = debug;
+@@ -2249,6 +2249,8 @@ static int nicvf_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+
+ return 0;
+
++err_destroy_workqueue:
++ destroy_workqueue(nic->nicvf_rx_mode_wq);
+ err_unregister_interrupts:
+ nicvf_unregister_interrupts(nic);
+ err_free_netdev:
+--
+2.35.1
+
diff --git a/queue-6.0/net-wwan-iosm-fix-memory-leak-in-ipc_mux_init.patch b/queue-6.0/net-wwan-iosm-fix-memory-leak-in-ipc_mux_init.patch
new file mode 100644
index 00000000000..d07d1fc9c56
--- /dev/null
+++ b/queue-6.0/net-wwan-iosm-fix-memory-leak-in-ipc_mux_init.patch
@@ -0,0 +1,37 @@
+From d5b586cc3ab50a15c3438cade24f5c1bc11d1c53 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 3 Dec 2022 10:09:03 +0800
+Subject: net: wwan: iosm: fix memory leak in ipc_mux_init()
+
+From: Zhengchao Shao
+
+[ Upstream commit 23353efc26e98b61b925274ecbb8f0610f69a8aa ]
+
+When failed to alloc ipc_mux->ul_adb.pp_qlt in ipc_mux_init(), ipc_mux
+is not released.
+
+Fixes: 1f52d7b62285 ("net: wwan: iosm: Enable M.2 7360 WWAN card support")
+Signed-off-by: Zhengchao Shao
+Reviewed-by: M Chetan Kumar
+Link: https://lore.kernel.org/r/20221203020903.383235-1-shaozhengchao@huawei.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wwan/iosm/iosm_ipc_mux.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wwan/iosm/iosm_ipc_mux.c b/drivers/net/wwan/iosm/iosm_ipc_mux.c
+index 9c7a9a2a1f25..fc928b298a98 100644
+--- a/drivers/net/wwan/iosm/iosm_ipc_mux.c
++++ b/drivers/net/wwan/iosm/iosm_ipc_mux.c
+@@ -332,6 +332,7 @@ struct iosm_mux *ipc_mux_init(struct ipc_mux_config *mux_cfg,
+ if (!ipc_mux->ul_adb.pp_qlt[i]) {
+ for (j = i - 1; j >= 0; j--)
+ kfree(ipc_mux->ul_adb.pp_qlt[j]);
++ kfree(ipc_mux);
+ return NULL;
+ }
+ }
+--
+2.35.1
+
diff --git a/queue-6.0/netfilter-conntrack-fix-using-__this_cpu_add-in-pree.patch b/queue-6.0/netfilter-conntrack-fix-using-__this_cpu_add-in-pree.patch
new file mode 100644
index 00000000000..37cf47231a0
--- /dev/null
+++ b/queue-6.0/netfilter-conntrack-fix-using-__this_cpu_add-in-pree.patch
@@ -0,0 +1,78 @@
+From c2a1dfecd245d5d5d2e25a65af1a294d70cb3f43 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 24 Nov 2022 12:21:46 -0500
+Subject: netfilter: conntrack: fix using __this_cpu_add in preemptible
+
+From: Xin Long
+
+[ Upstream commit 9464d0b68f11a9bc768370c3260ec02b3550447b ]
+
+Currently in nf_conntrack_hash_check_insert(), when it fails in
+nf_ct_ext_valid_pre/post(), NF_CT_STAT_INC() will be called in the
+preemptible context, a call trace can be triggered:
+
+ BUG: using __this_cpu_add() in preemptible [00000000] code: conntrack/1636
+ caller is nf_conntrack_hash_check_insert+0x45/0x430 [nf_conntrack]
+ Call Trace:
+
+ dump_stack_lvl+0x33/0x46
+ check_preemption_disabled+0xc3/0xf0
+ nf_conntrack_hash_check_insert+0x45/0x430 [nf_conntrack]
+ ctnetlink_create_conntrack+0x3cd/0x4e0 [nf_conntrack_netlink]
+ ctnetlink_new_conntrack+0x1c0/0x450 [nf_conntrack_netlink]
+ nfnetlink_rcv_msg+0x277/0x2f0 [nfnetlink]
+ netlink_rcv_skb+0x50/0x100
+ nfnetlink_rcv+0x65/0x144 [nfnetlink]
+ netlink_unicast+0x1ae/0x290
+ netlink_sendmsg+0x257/0x4f0
+ sock_sendmsg+0x5f/0x70
+
+This patch is to fix it by changing to use NF_CT_STAT_INC_ATOMIC() for
+nf_ct_ext_valid_pre/post() check in nf_conntrack_hash_check_insert(),
+as well as nf_ct_ext_valid_post() in __nf_conntrack_confirm().
+
+Note that nf_ct_ext_valid_pre() check in __nf_conntrack_confirm() is
+safe to use NF_CT_STAT_INC(), as it's under local_bh_disable().
+
+Fixes: c56716c69ce1 ("netfilter: extensions: introduce extension genid count")
+Signed-off-by: Xin Long
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nf_conntrack_core.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
+index 60289c074eef..df46e9a35e47 100644
+--- a/net/netfilter/nf_conntrack_core.c
++++ b/net/netfilter/nf_conntrack_core.c
+@@ -891,7 +891,7 @@ nf_conntrack_hash_check_insert(struct nf_conn *ct)
+ zone = nf_ct_zone(ct);
+
+ if (!nf_ct_ext_valid_pre(ct->ext)) {
+- NF_CT_STAT_INC(net, insert_failed);
++ NF_CT_STAT_INC_ATOMIC(net, insert_failed);
+ return -ETIMEDOUT;
+ }
+
+@@ -938,7 +938,7 @@ nf_conntrack_hash_check_insert(struct nf_conn *ct)
+
+ if (!nf_ct_ext_valid_post(ct->ext)) {
+ nf_ct_kill(ct);
+- NF_CT_STAT_INC(net, drop);
++ NF_CT_STAT_INC_ATOMIC(net, drop);
+ return -ETIMEDOUT;
+ }
+
+@@ -1275,7 +1275,7 @@ __nf_conntrack_confirm(struct sk_buff *skb)
+ */
+ if (!nf_ct_ext_valid_post(ct->ext)) {
+ nf_ct_kill(ct);
+- NF_CT_STAT_INC(net, drop);
++ NF_CT_STAT_INC_ATOMIC(net, drop);
+ return NF_DROP;
+ }
+
+--
+2.35.1
+
diff --git a/queue-6.0/netfilter-ctnetlink-fix-compilation-warning-after-da.patch b/queue-6.0/netfilter-ctnetlink-fix-compilation-warning-after-da.patch
new file mode 100644
index 00000000000..9a683cbd7d9
--- /dev/null
+++ b/queue-6.0/netfilter-ctnetlink-fix-compilation-warning-after-da.patch
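Review bot: After this change __nf_conntrack_confirm() uses `NF_CT_STAT_INC()` for the nf_ct_ext_valid_pre() failure and `NF_CT_STAT_INC_ATOMIC()` for the nf_ct_ext_valid_post() failure, and only the commit message explains the difference. A comment at each converted site, e.g. `/* may run preemptible: per-cpu stats need the _ATOMIC helper */`, would keep a later cleanup from switching them back to the cheaper macro. The same applies to the three `NF_FLOW_TABLE_STAT_INC_ATOMIC()` calls in flow_offload_queue_work() in the flowtable_offload patch further down. All of these functions extend beyond the hunks shown.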
@@ -0,0 +1,95 @@
+From c4ad98e1e2dfe6f32063a1a2082f3c25755278c1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 28 Nov 2022 10:58:53 +0100
+Subject: netfilter: ctnetlink: fix compilation warning after data race fixes
+ in ct mark
+
+From: Pablo Neira Ayuso
+
+[ Upstream commit 1feeae071507ad65cf9f462a1bdd543a4bf89e71 ]
+
+All warnings (new ones prefixed by >>):
+
+ net/netfilter/nf_conntrack_netlink.c: In function '__ctnetlink_glue_build':
+>> net/netfilter/nf_conntrack_netlink.c:2674:13: warning: unused variable 'mark' [-Wunused-variable]
+ 2674 | u32 mark;
+ | ^~~~
+
+Fixes: 52d1aa8b8249 ("netfilter: conntrack: Fix data-races around ct mark")
+Reported-by: kernel test robot
+Tested-by: Ivan Babrou
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nf_conntrack_netlink.c | 19 ++++++++++---------
+ 1 file changed, 10 insertions(+), 9 deletions(-)
+
+diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
+index d71150a40fb0..1286ae7d4609 100644
+--- a/net/netfilter/nf_conntrack_netlink.c
++++ b/net/netfilter/nf_conntrack_netlink.c
+@@ -328,8 +328,13 @@ ctnetlink_dump_timestamp(struct sk_buff *skb, const struct nf_conn *ct)
+ }
+
+ #ifdef CONFIG_NF_CONNTRACK_MARK
+-static int ctnetlink_dump_mark(struct sk_buff *skb, u32 mark)
++static int ctnetlink_dump_mark(struct sk_buff *skb, const struct nf_conn *ct)
+ {
++ u32 mark = READ_ONCE(ct->mark);
++
++ if (!mark)
++ return 0;
++
+ if (nla_put_be32(skb, CTA_MARK, htonl(mark)))
+ goto nla_put_failure;
+ return 0;
+@@ -543,7 +548,7 @@ static int ctnetlink_dump_extinfo(struct sk_buff *skb,
+ static int ctnetlink_dump_info(struct sk_buff *skb, struct nf_conn *ct)
+ {
+ if (ctnetlink_dump_status(skb, ct) < 0 ||
+- ctnetlink_dump_mark(skb, READ_ONCE(ct->mark)) < 0 ||
++ ctnetlink_dump_mark(skb, ct) < 0 ||
+ ctnetlink_dump_secctx(skb, ct) < 0 ||
+ ctnetlink_dump_id(skb, ct) < 0 ||
+ ctnetlink_dump_use(skb, ct) < 0 ||
+@@ -722,7 +727,6 @@
ctnetlink_conntrack_event(unsigned int events, const struct nf_ct_event *item)
+ struct sk_buff *skb;
+ unsigned int type;
+ unsigned int flags = 0, group;
+- u32 mark;
+ int err;
+
+ if (events & (1 << IPCT_DESTROY)) {
+@@ -827,9 +831,8 @@ ctnetlink_conntrack_event(unsigned int events, const struct nf_ct_event *item)
+ }
+
+ #ifdef CONFIG_NF_CONNTRACK_MARK
+- mark = READ_ONCE(ct->mark);
+- if ((events & (1 << IPCT_MARK) || mark) &&
+- ctnetlink_dump_mark(skb, mark) < 0)
++ if (events & (1 << IPCT_MARK) &&
++ ctnetlink_dump_mark(skb, ct) < 0)
+ goto nla_put_failure;
+ #endif
+ nlmsg_end(skb, nlh);
+@@ -2671,7 +2674,6 @@ static int __ctnetlink_glue_build(struct sk_buff *skb, struct nf_conn *ct)
+ {
+ const struct nf_conntrack_zone *zone;
+ struct nlattr *nest_parms;
+- u32 mark;
+
+ zone = nf_ct_zone(ct);
+
+@@ -2733,8 +2735,7 @@ static int __ctnetlink_glue_build(struct sk_buff *skb, struct nf_conn *ct)
+ goto nla_put_failure;
+
+ #ifdef CONFIG_NF_CONNTRACK_MARK
+- mark = READ_ONCE(ct->mark);
+- if (mark && ctnetlink_dump_mark(skb, mark) < 0)
++ if (ctnetlink_dump_mark(skb, ct) < 0)
+ goto nla_put_failure;
+ #endif
+ if (ctnetlink_dump_labels(skb, ct) < 0)
+--
+2.35.1
+
diff --git a/queue-6.0/netfilter-flowtable_offload-fix-using-__this_cpu_add.patch b/queue-6.0/netfilter-flowtable_offload-fix-using-__this_cpu_add.patch
new file mode 100644
index 00000000000..741d91c17de
--- /dev/null
+++ b/queue-6.0/netfilter-flowtable_offload-fix-using-__this_cpu_add.patch
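Review bot: Although titled as a warning fix, this patch changes what userspace receives: ctnetlink_dump_mark() now returns early on `if (!mark) return 0;`, and ctnetlink_conntrack_event() calls it only when `events & (1 << IPCT_MARK)` is set, where the removed code tested `(events & (1 << IPCT_MARK) || mark)`. As a result, events other than a mark change no longer carry a non-zero CTA_MARK, a mark reset to 0 produces an IPCT_MARK event without the attribute, and ctnetlink_dump_info() stops reporting a zero mark that it previously passed through unconditionally. Listeners that filter or account on the mark would then see entries without it. Keeping the old semantics needs an explicit flag, e.g. `ctnetlink_dump_mark(skb, ct, bool dump)` with `if (!mark && !dump) return 0;`, passing `events & (1 << IPCT_MARK)` from the event path, `true` from ctnetlink_dump_info() and `false` from __ctnetlink_glue_build().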
@@ -0,0 +1,68 @@
+From 69ab0f92f21a9426391fc42e16eaf42b17714521 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 24 Nov 2022 12:54:10 -0500
+Subject: netfilter: flowtable_offload: fix using __this_cpu_add in preemptible
+
+From: Xin Long
+
+[ Upstream commit a81047154e7ce4eb8769d5d21adcbc9693542a79 ]
+
+flow_offload_queue_work() can be called in workqueue without
+bh disabled, like the call trace showed in my act_ct testing,
+calling NF_FLOW_TABLE_STAT_INC() there would cause a call
+trace:
+
+ BUG: using __this_cpu_add() in preemptible [00000000] code: kworker/u4:0/138560
+ caller is flow_offload_queue_work+0xec/0x1b0 [nf_flow_table]
+ Workqueue: act_ct_workqueue tcf_ct_flow_table_cleanup_work [act_ct]
+ Call Trace:
+
+ dump_stack_lvl+0x33/0x46
+ check_preemption_disabled+0xc3/0xf0
+ flow_offload_queue_work+0xec/0x1b0 [nf_flow_table]
+ nf_flow_table_iterate+0x138/0x170 [nf_flow_table]
+ nf_flow_table_free+0x140/0x1a0 [nf_flow_table]
+ tcf_ct_flow_table_cleanup_work+0x2f/0x2b0 [act_ct]
+ process_one_work+0x6a3/0x1030
+ worker_thread+0x8a/0xdf0
+
+This patch fixes it by using NF_FLOW_TABLE_STAT_INC_ATOMIC()
+instead in flow_offload_queue_work().
+
+Note that for FLOW_CLS_REPLACE branch in flow_offload_queue_work(),
+it may not be called in preemptible path, but it's good to use
+NF_FLOW_TABLE_STAT_INC_ATOMIC() for all cases in
+flow_offload_queue_work().
+
+Fixes: b038177636f8 ("netfilter: nf_flow_table: count pending offload workqueue tasks")
+Signed-off-by: Xin Long
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nf_flow_table_offload.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/netfilter/nf_flow_table_offload.c b/net/netfilter/nf_flow_table_offload.c
+index 00b522890d77..0fdcdb2c9ae4 100644
+--- a/net/netfilter/nf_flow_table_offload.c
++++ b/net/netfilter/nf_flow_table_offload.c
+@@ -997,13 +997,13 @@ static void flow_offload_queue_work(struct flow_offload_work *offload)
+ struct net *net = read_pnet(&offload->flowtable->net);
+
+ if (offload->cmd == FLOW_CLS_REPLACE) {
+- NF_FLOW_TABLE_STAT_INC(net, count_wq_add);
++ NF_FLOW_TABLE_STAT_INC_ATOMIC(net, count_wq_add);
+ queue_work(nf_flow_offload_add_wq, &offload->work);
+ } else if (offload->cmd == FLOW_CLS_DESTROY) {
+- NF_FLOW_TABLE_STAT_INC(net, count_wq_del);
++ NF_FLOW_TABLE_STAT_INC_ATOMIC(net, count_wq_del);
+ queue_work(nf_flow_offload_del_wq, &offload->work);
+ } else {
+- NF_FLOW_TABLE_STAT_INC(net, count_wq_stats);
++ NF_FLOW_TABLE_STAT_INC_ATOMIC(net, count_wq_stats);
+ queue_work(nf_flow_offload_stats_wq, &offload->work);
+ }
+ }
+--
+2.35.1
+
diff --git a/queue-6.0/netfilter-nft_set_pipapo-actually-validate-intervals.patch b/queue-6.0/netfilter-nft_set_pipapo-actually-validate-intervals.patch
new file mode 100644
index 00000000000..af9093cace3
--- /dev/null
+++ b/queue-6.0/netfilter-nft_set_pipapo-actually-validate-intervals.patch
@@ -0,0 +1,53 @@
+From 6b830477a31053eeed7adcfe24d793fb156cd0f4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 24 Nov 2022 13:04:37 +0100
+Subject: netfilter: nft_set_pipapo: Actually validate intervals in fields
+ after the first one
+
+From: Stefano Brivio
+
+[ Upstream commit 97d4d394b58777f7056ebba8ffdb4002d0563259 ]
+
+Embarrassingly, nft_pipapo_insert() checked for interval validity in
+the first field only.
+
+The start_p and end_p pointers were reset to key data from the first
+field at every iteration of the loop which was supposed to go over
+the set fields.
+
+Fixes: 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges")
+Reported-by: Pablo Neira Ayuso
+Signed-off-by: Stefano Brivio
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nft_set_pipapo.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c
+index 4f9299b9dcdd..06d46d182634 100644
+--- a/net/netfilter/nft_set_pipapo.c
++++ b/net/netfilter/nft_set_pipapo.c
+@@ -1162,6 +1162,7 @@ static int nft_pipapo_insert(const struct net *net, const struct nft_set *set,
+ struct nft_pipapo_match *m = priv->clone;
+ u8 genmask = nft_genmask_next(net);
+ struct nft_pipapo_field *f;
++ const u8 *start_p, *end_p;
+ int i, bsize_max, err = 0;
+
+ if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END))
+@@ -1202,9 +1203,9 @@ static int nft_pipapo_insert(const struct net *net, const struct nft_set *set,
+ }
+
+ /* Validate */
++ start_p = start;
++ end_p = end;
+ nft_pipapo_for_each_field(f, i, m) {
+- const u8 *start_p = start, *end_p = end;
+-
+ if (f->rules >= (unsigned long)NFT_PIPAPO_RULE0_MAX)
+ return -ENOSPC;
+
+--
+2.35.1
+
diff --git a/queue-6.0/nfc-nci-bounds-check-struct-nfc_target-arrays.patch b/queue-6.0/nfc-nci-bounds-check-struct-nfc_target-arrays.patch
new file mode 100644
index 00000000000..3817896756d
--- /dev/null
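Review bot: Nothing in the new code says why `start_p`/`end_p` must be initialised outside `nft_pipapo_for_each_field()`, which is exactly the mistake this patch corrects. Going by the commit message the pointers are meant to move from field to field of the concatenated key (the advance itself is not inside this hunk), so a later cleanup that narrows their scope back into the loop would again validate only the first field of an inserted interval. I would add a comment above the two assignments, e.g. `/* start_p/end_p advance per field; do not reset them inside the loop */`. The loop body continues past the end of the hunk.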
+++ b/queue-6.0/nfc-nci-bounds-check-struct-nfc_target-arrays.patch 
@@ -0,0 +1,62 @@
+From 5e700e41df77106e3f6cbe211af999f1bdf0a571 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 2 Dec 2022 13:44:14 -0800
+Subject: NFC: nci: Bounds check struct nfc_target arrays
+
+From: Kees Cook
+
+[ Upstream commit e329e71013c9b5a4535b099208493c7826ee4a64 ]
+
+While running under CONFIG_FORTIFY_SOURCE=y, syzkaller reported:
+
+ memcpy: detected field-spanning write (size 129) of single field "target->sensf_res" at net/nfc/nci/ntf.c:260 (size 18)
+
+This appears to be a legitimate lack of bounds checking in
+nci_add_new_protocol(). Add the missing checks.
+
+Reported-by: syzbot+210e196cef4711b65139@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/lkml/0000000000001c590f05ee7b3ff4@google.com
+Fixes: 019c4fbaa790 ("NFC: Add NCI multiple targets support")
+Signed-off-by: Kees Cook
+Reviewed-by: Krzysztof Kozlowski
+Link: https://lore.kernel.org/r/20221202214410.never.693-kees@kernel.org
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/nfc/nci/ntf.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/net/nfc/nci/ntf.c b/net/nfc/nci/ntf.c
+index 282c51051dcc..994a0a1efb58 100644
+--- a/net/nfc/nci/ntf.c
++++ b/net/nfc/nci/ntf.c
+@@ -240,6 +240,8 @@ static int nci_add_new_protocol(struct nci_dev *ndev,
+ target->sens_res = nfca_poll->sens_res;
+ target->sel_res = nfca_poll->sel_res;
+ target->nfcid1_len = nfca_poll->nfcid1_len;
++ if (target->nfcid1_len > ARRAY_SIZE(target->nfcid1))
++ return -EPROTO;
+ if (target->nfcid1_len > 0) {
+ memcpy(target->nfcid1, nfca_poll->nfcid1,
+ target->nfcid1_len);
+@@ -248,6 +250,8 @@ static int nci_add_new_protocol(struct nci_dev *ndev,
+ nfcb_poll = (struct rf_tech_specific_params_nfcb_poll *)params;
+
+ target->sensb_res_len = nfcb_poll->sensb_res_len;
++ if (target->sensb_res_len > ARRAY_SIZE(target->sensb_res))
++ return -EPROTO;
+ if (target->sensb_res_len > 0) {
+ memcpy(target->sensb_res, nfcb_poll->sensb_res,
+ target->sensb_res_len);
+@@ -256,6 +260,8 @@ static int nci_add_new_protocol(struct nci_dev *ndev,
+ nfcf_poll = (struct rf_tech_specific_params_nfcf_poll *)params;
+
+ target->sensf_res_len = nfcf_poll->sensf_res_len;
++ if (target->sensf_res_len > ARRAY_SIZE(target->sensf_res))
++ return -EPROTO;
+ if (target->sensf_res_len > 0) {
+ memcpy(target->sensf_res, nfcf_poll->sensf_res,
+ target->sensf_res_len);
+--
+2.35.1
+
diff --git a/queue-6.0/nfp-correct-desc-type-when-header-dma-len-is-4096.patch b/queue-6.0/nfp-correct-desc-type-when-header-dma-len-is-4096.patch
new file mode 100644
index 00000000000..6b9fca2188c
--- /dev/null
+++ b/queue-6.0/nfp-correct-desc-type-when-header-dma-len-is-4096.patch
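Review bot: Each of the three new checks runs after the device-supplied length has already been stored, so on the `-EPROTO` path `target->nfcid1_len` (and likewise `sensb_res_len` and `sensf_res_len`) is left larger than the array it describes. Whether `target` is read again after the error is decided by the caller, which is outside these hunks, but validating before the store removes the question: `if (nfca_poll->nfcid1_len > ARRAY_SIZE(target->nfcid1)) return -EPROTO;` placed ahead of `target->nfcid1_len = nfca_poll->nfcid1_len;`, and the same in the NFC-B and NFC-F branches. The function starts and ends outside the hunks.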
@@ -0,0 +1,66 @@
+From f55e80e6ffb12592b35649c00ee858fe00199345 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 2 Dec 2022 14:46:46 +0100
+Subject: nfp: correct desc type when header dma len is 4096
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Yinjun Zhang
+
+[ Upstream commit 5c306de8f787ab7df51f846e57ac79cd713537d5 ]
+
+When there's only one buffer to dma and its length is 4096, then
+only one data descriptor is needed to carry it according to current
+descriptor definition. So the descriptor type should be `simple`
+instead of `gather`, the latter requires more than one descriptor,
+otherwise it'll be dropped by application firmware.
+
+Fixes: c10d12e3dce8 ("nfp: add support for NFDK data path")
+Fixes: d9d950490a0a ("nfp: nfdk: implement xdp tx path for NFDK")
+Signed-off-by: Yinjun Zhang
+Reviewed-by: Richard Donkin
+Reviewed-by: Niklas Söderlund
+Signed-off-by: Simon Horman
+Reviewed-by: Leon Romanovsky
+Link: https://lore.kernel.org/r/20221202134646.311108-1-simon.horman@corigine.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/netronome/nfp/nfdk/dp.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/netronome/nfp/nfdk/dp.c b/drivers/net/ethernet/netronome/nfp/nfdk/dp.c
+index 2b427d8ccb2f..ccacb6ab6c39 100644
+--- a/drivers/net/ethernet/netronome/nfp/nfdk/dp.c
++++ b/drivers/net/ethernet/netronome/nfp/nfdk/dp.c
+@@ -282,7 +282,7 @@ netdev_tx_t nfp_nfdk_tx(struct sk_buff *skb, struct net_device *netdev)
+ dma_len = skb_headlen(skb);
+ if (skb_is_gso(skb))
+ type = NFDK_DESC_TX_TYPE_TSO;
+- else if (!nr_frags && dma_len < NFDK_TX_MAX_DATA_PER_HEAD)
++ else if (!nr_frags && dma_len <= NFDK_TX_MAX_DATA_PER_HEAD)
+ type = NFDK_DESC_TX_TYPE_SIMPLE;
+ else
+ type = NFDK_DESC_TX_TYPE_GATHER;
+@@ -927,7 +927,7 @@ nfp_nfdk_tx_xdp_buf(struct nfp_net_dp *dp, struct nfp_net_rx_ring *rx_ring,
+ dma_len = pkt_len;
+ dma_addr = rxbuf->dma_addr + dma_off;
+
+- if (dma_len < NFDK_TX_MAX_DATA_PER_HEAD)
++ if (dma_len <= NFDK_TX_MAX_DATA_PER_HEAD)
+ type = NFDK_DESC_TX_TYPE_SIMPLE;
+ else
+ type = NFDK_DESC_TX_TYPE_GATHER;
+@@ -1325,7 +1325,7 @@ nfp_nfdk_ctrl_tx_one(struct nfp_net *nn, struct nfp_net_r_vector *r_vec,
+ txbuf = &tx_ring->ktxbufs[wr_idx];
+
+ dma_len = skb_headlen(skb);
+- if (dma_len < NFDK_TX_MAX_DATA_PER_HEAD)
++ if (dma_len <= NFDK_TX_MAX_DATA_PER_HEAD)
+ type = NFDK_DESC_TX_TYPE_SIMPLE;
+ else
+ type = NFDK_DESC_TX_TYPE_GATHER;
+--
+2.35.1
+
diff --git a/queue-6.0/nvme-initialize-core-quirks-before-calling-nvme_init.patch b/queue-6.0/nvme-initialize-core-quirks-before-calling-nvme_init.patch
new file mode 100644
index 00000000000..2596ad14d67
--- /dev/null
+++ b/queue-6.0/nvme-initialize-core-quirks-before-calling-nvme_init.patch
@@ -0,0 +1,57 @@
+From c82b1bc1c9101f6150adb276da1bc079ce0ab74d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 1 Dec 2022 13:52:34 +0100
+Subject: nvme initialize core quirks before calling nvme_init_subsystem
+
+From: Pankaj Raghav
+
+[ Upstream commit 6f2d71524bcfdeb1fcbd22a4a92a5b7b161ab224 ]
+
+A device might have a core quirk for NVME_QUIRK_IGNORE_DEV_SUBNQN
+(such as Samsung X5) but it would still give a:
+
+ "missing or invalid SUBNQN field"
+
+warning as core quirks are filled after calling nvme_init_subnqn. Fill
+ctrl->quirks from struct core_quirks before calling nvme_init_subsystem
+to fix this.
+
+Tested on a Samsung X5.
+
+Fixes: ab9e00cc72fa ("nvme: track subsystems")
+Signed-off-by: Pankaj Raghav
+Signed-off-by: Christoph Hellwig
+Signed-off-by: Sasha Levin
+---
+ drivers/nvme/host/core.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index f612a0ba64d0..aca50bb93750 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -3089,10 +3089,6 @@ static int nvme_init_identify(struct nvme_ctrl *ctrl)
+ if (!ctrl->identified) {
+ unsigned int i;
+
+- ret = nvme_init_subsystem(ctrl, id);
+- if (ret)
+- goto out_free;
+-
+ /*
+ * Check for quirks. Quirk can depend on firmware version,
+ * so, in principle, the set of quirks present can change
+@@ -3105,6 +3101,10 @@ static int nvme_init_identify(struct nvme_ctrl *ctrl)
+ if (quirk_matches(id, &core_quirks[i]))
+ ctrl->quirks |= core_quirks[i].quirks;
+ }
++
++ ret = nvme_init_subsystem(ctrl, id);
++ if (ret)
++ goto out_free;
+ }
+ memcpy(ctrl->subsys->firmware_rev, id->fr,
+ sizeof(ctrl->subsys->firmware_rev));
+--
+2.35.1
+
diff --git a/queue-6.0/octeontx2-pf-fix-potential-memory-leak-in-otx2_init_.patch b/queue-6.0/octeontx2-pf-fix-potential-memory-leak-in-otx2_init_.patch
new file mode 100644
index 00000000000..1a573d7f1dc
--- /dev/null
+++ b/queue-6.0/octeontx2-pf-fix-potential-memory-leak-in-otx2_init_.patch
@@ -0,0 +1,42 @@
+From 3ec8f5e759c575c6cd2a735227c26f6bdceeaabc Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 2 Dec 2022 19:04:30 +0800
+Subject: octeontx2-pf: Fix potential memory leak in otx2_init_tc()
+
+From: Ziyang Xuan
+
+[ Upstream commit fbf33f5ac76f2cdb47ad9763f620026d5cfa57ce ]
+
+In otx2_init_tc(), if rhashtable_init() failed, it does not free
+tc->tc_entries_bitmap which is allocated in otx2_tc_alloc_ent_bitmap().
+
+Fixes: 2e2a8126ffac ("octeontx2-pf: Unify flow management variables")
+Signed-off-by: Ziyang Xuan
+Reviewed-by: Leon Romanovsky
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/marvell/octeontx2/nic/otx2_tc.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_tc.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_tc.c
+index e64318c110fd..6a01ab1a6e6f 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_tc.c
++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_tc.c
+@@ -1134,7 +1134,12 @@ int otx2_init_tc(struct otx2_nic *nic)
+ return err;
+
+ tc->flow_ht_params = tc_flow_ht_params;
+- return rhashtable_init(&tc->flow_table, &tc->flow_ht_params);
++ err = rhashtable_init(&tc->flow_table, &tc->flow_ht_params);
++ if (err) {
++ kfree(tc->tc_entries_bitmap);
++ tc->tc_entries_bitmap = NULL;
++ }
++ return err;
+ }
+ EXPORT_SYMBOL(otx2_init_tc);
+
+--
+2.35.1
+
diff --git a/queue-6.0/ravb-fix-potential-use-after-free-in-ravb_rx_gbeth.patch b/queue-6.0/ravb-fix-potential-use-after-free-in-ravb_rx_gbeth.patch
new file mode 100644
index 00000000000..cd5188ff0aa
--- /dev/null
+++ b/queue-6.0/ravb-fix-potential-use-after-free-in-ravb_rx_gbeth.patch
@@ -0,0 +1,38 @@
+From 53e9753fc123f1bb8efc1ae54d15537fd1539ee0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 3 Dec 2022 17:29:41 +0800
+Subject: ravb: Fix potential use-after-free in ravb_rx_gbeth()
+
+From: YueHaibing
+
+[ Upstream commit 5a5a3e564de6a8db987410c5c2f4748d50ea82b8 ]
+
+The skb is delivered to napi_gro_receive() which may free it, after calling this,
+dereferencing skb may trigger use-after-free.
+
+Fixes: 1c59eb678cbd ("ravb: Fillup ravb_rx_gbeth() stub")
+Signed-off-by: YueHaibing
+Reviewed-by: Geert Uytterhoeven
+Link: https://lore.kernel.org/r/20221203092941.10880-1-yuehaibing@huawei.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/renesas/ravb_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c
+index 44f9b31f8b99..77d4f3eab971 100644
+--- a/drivers/net/ethernet/renesas/ravb_main.c
++++ b/drivers/net/ethernet/renesas/ravb_main.c
+@@ -835,7 +835,7 @@ static bool ravb_rx_gbeth(struct net_device *ndev, int *quota, int q)
+ napi_gro_receive(&priv->napi[q],
+ priv->rx_1st_skb);
+ stats->rx_packets++;
+- stats->rx_bytes += priv->rx_1st_skb->len;
++ stats->rx_bytes += pkt_len;
+ break;
+ }
+ }
+--
+2.35.1
+
diff --git a/queue-6.0/s390-qeth-fix-use-after-free-in-hsci.patch b/queue-6.0/s390-qeth-fix-use-after-free-in-hsci.patch
new file mode 100644
index 00000000000..5992e9bd886
--- /dev/null
+++ b/queue-6.0/s390-qeth-fix-use-after-free-in-hsci.patch
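Review bot: `stats->rx_bytes += pkt_len;` removes the use-after-free but may count a different quantity than `priv->rx_1st_skb->len` did. `pkt_len` is assigned outside this hunk; if it holds the length of the current descriptor rather than of the whole reassembled skb, frames that span several descriptors would be under-counted. Reading the length before the hand-off keeps the old accounting: `unsigned int len = priv->rx_1st_skb->len;` ahead of `napi_gro_receive()`, then `stats->rx_bytes += len;`.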
@@ -0,0 +1,154 @@ +From 17286a9f5616ae64b3538709ca1b8f7fa0c62aa5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Dec 2022 11:53:04 +0100 +Subject: s390/qeth: fix use-after-free in hsci + +From: Alexandra Winter + +[ Upstream commit ebaaadc332cd21e9df4dcf9ce12552d9354bbbe4 ] + +KASAN found that addr was dereferenced after br2dev_event_work was freed. + +================================================================== +BUG: KASAN: use-after-free in qeth_l2_br2dev_worker+0x5ba/0x6b0 +Read of size 1 at addr 00000000fdcea440 by task kworker/u760:4/540 +CPU: 17 PID: 540 Comm: kworker/u760:4 Tainted: G E 6.1.0-20221128.rc7.git1.5aa3bed4ce83.300.fc36.s390x+kasan #1 +Hardware name: IBM 8561 T01 703 (LPAR) +Workqueue: 0.0.8000_event qeth_l2_br2dev_worker +Call Trace: + [<000000016944d4ce>] dump_stack_lvl+0xc6/0xf8 + [<000000016942cd9c>] print_address_description.constprop.0+0x34/0x2a0 + [<000000016942d118>] print_report+0x110/0x1f8 + [<0000000167a7bd04>] kasan_report+0xfc/0x128 + [<000000016938d79a>] qeth_l2_br2dev_worker+0x5ba/0x6b0 + [<00000001673edd1e>] process_one_work+0x76e/0x1128 + [<00000001673ee85c>] worker_thread+0x184/0x1098 + [<000000016740718a>] kthread+0x26a/0x310 + [<00000001672c606a>] __ret_from_fork+0x8a/0xe8 + [<00000001694711da>] ret_from_fork+0xa/0x40 +Allocated by task 108338: + kasan_save_stack+0x40/0x68 + kasan_set_track+0x36/0x48 + __kasan_kmalloc+0xa0/0xc0 + qeth_l2_switchdev_event+0x25a/0x738 + atomic_notifier_call_chain+0x9c/0xf8 + br_switchdev_fdb_notify+0xf4/0x110 + fdb_notify+0x122/0x180 + fdb_add_entry.constprop.0.isra.0+0x312/0x558 + br_fdb_add+0x59e/0x858 + rtnl_fdb_add+0x58a/0x928 + rtnetlink_rcv_msg+0x5f8/0x8d8 + netlink_rcv_skb+0x1f2/0x408 + netlink_unicast+0x570/0x790 + netlink_sendmsg+0x752/0xbe0 + sock_sendmsg+0xca/0x110 + ____sys_sendmsg+0x510/0x6a8 + ___sys_sendmsg+0x12a/0x180 + __sys_sendmsg+0xe6/0x168 + __do_sys_socketcall+0x3c8/0x468 + do_syscall+0x22c/0x328 + __do_syscall+0x94/0xf0 + system_call+0x82/0xb0 +Freed by task 
540: + kasan_save_stack+0x40/0x68 + kasan_set_track+0x36/0x48 + kasan_save_free_info+0x4c/0x68 + ____kasan_slab_free+0x14e/0x1a8 + __kasan_slab_free+0x24/0x30 + __kmem_cache_free+0x168/0x338 + qeth_l2_br2dev_worker+0x154/0x6b0 + process_one_work+0x76e/0x1128 + worker_thread+0x184/0x1098 + kthread+0x26a/0x310 + __ret_from_fork+0x8a/0xe8 + ret_from_fork+0xa/0x40 +Last potentially related work creation: + kasan_save_stack+0x40/0x68 + __kasan_record_aux_stack+0xbe/0xd0 + insert_work+0x56/0x2e8 + __queue_work+0x4ce/0xd10 + queue_work_on+0xf4/0x100 + qeth_l2_switchdev_event+0x520/0x738 + atomic_notifier_call_chain+0x9c/0xf8 + br_switchdev_fdb_notify+0xf4/0x110 + fdb_notify+0x122/0x180 + fdb_add_entry.constprop.0.isra.0+0x312/0x558 + br_fdb_add+0x59e/0x858 + rtnl_fdb_add+0x58a/0x928 + rtnetlink_rcv_msg+0x5f8/0x8d8 + netlink_rcv_skb+0x1f2/0x408 + netlink_unicast+0x570/0x790 + netlink_sendmsg+0x752/0xbe0 + sock_sendmsg+0xca/0x110 + ____sys_sendmsg+0x510/0x6a8 + ___sys_sendmsg+0x12a/0x180 + __sys_sendmsg+0xe6/0x168 + __do_sys_socketcall+0x3c8/0x468 + do_syscall+0x22c/0x328 + __do_syscall+0x94/0xf0 + system_call+0x82/0xb0 +Second to last potentially related work creation: + kasan_save_stack+0x40/0x68 + __kasan_record_aux_stack+0xbe/0xd0 + kvfree_call_rcu+0xb2/0x760 + kernfs_unlink_open_file+0x348/0x430 + kernfs_fop_release+0xc2/0x320 + __fput+0x1ae/0x768 + task_work_run+0x1bc/0x298 + exit_to_user_mode_prepare+0x1a0/0x1a8 + __do_syscall+0x94/0xf0 + system_call+0x82/0xb0 +The buggy address belongs to the object at 00000000fdcea400 + which belongs to the cache kmalloc-96 of size 96 +The buggy address is located 64 bytes inside of + 96-byte region [00000000fdcea400, 00000000fdcea460) +The buggy address belongs to the physical page: +page:000000005a9c26e8 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xfdcea +flags: 0x3ffff00000000200(slab|node=0|zone=1|lastcpupid=0x1ffff) +raw: 3ffff00000000200 0000000000000000 0000000100000122 000000008008cc00 +raw: 
0000000000000000 0020004100000000 ffffffff00000001 0000000000000000 +page dumped because: kasan: bad access detected +Memory state around the buggy address: + 00000000fdcea300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc + 00000000fdcea380: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc +>00000000fdcea400: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc + ^ + 00000000fdcea480: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc + 00000000fdcea500: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc +================================================================== + +Fixes: f7936b7b2663 ("s390/qeth: Update MACs of LEARNING_SYNC device") +Reported-by: Thorsten Winkler +Signed-off-by: Alexandra Winter +Reviewed-by: Wenjia Zhang +Reviewed-by: Thorsten Winkler +Link: https://lore.kernel.org/r/20221207105304.20494-1-wintera@linux.ibm.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/s390/net/qeth_l2_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/s390/net/qeth_l2_main.c b/drivers/s390/net/qeth_l2_main.c +index 2d4436cbcb47..b38024a79376 100644 +--- a/drivers/s390/net/qeth_l2_main.c ++++ b/drivers/s390/net/qeth_l2_main.c +@@ -758,7 +758,6 @@ static void qeth_l2_br2dev_worker(struct work_struct *work) + struct list_head *iter; + int err = 0; + +- kfree(br2dev_event_work); + QETH_CARD_TEXT_(card, 4, "b2dw%04lx", event); + QETH_CARD_TEXT_(card, 4, "ma%012llx", ether_addr_to_u64(addr)); + +@@ -815,6 +814,7 @@ static void qeth_l2_br2dev_worker(struct work_struct *work) + dev_put(brdev); + dev_put(lsyncdev); + dev_put(dstdev); ++ kfree(br2dev_event_work); + } + + static int qeth_l2_br2dev_queue_work(struct net_device *brdev, +-- +2.35.1 + diff --git a/queue-6.0/selftests-rtnetlink-correct-xfrm-policy-rule-in-kci_.patch b/queue-6.0/selftests-rtnetlink-correct-xfrm-policy-rule-in-kci_.patch new file mode 100644 index 00000000000..0659a12d773 --- /dev/null 
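Review bot: The moved `kfree(br2dev_event_work);` carries no comment saying why it has to stay last, while the commit message reports that `addr` was dereferenced after the work item had been freed. A one-line comment above it would keep the ordering from being undone, e.g. `/* free last: addr is still read from br2dev_event_work above */`. The body between the two hunks is not shown, so it is worth confirming that every exit path of `qeth_l2_br2dev_worker()` reaches this line; an early `return` in between would now leak the work item.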
+++ b/queue-6.0/selftests-rtnetlink-correct-xfrm-policy-rule-in-kci_.patch
@@ -0,0 +1,41 @@
+From 03318f795df0a835e96bd93ca0447d8c6f8df510 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 1 Dec 2022 16:22:46 +0800
+Subject: selftests: rtnetlink: correct xfrm policy rule in
+ kci_test_ipsec_offload
+
+From: Zhengchao Shao
+
+[ Upstream commit 85a0506c073332a3057f5a9635fa0d4db5a8e03b ]
+
+When testing in kci_test_ipsec_offload, srcip is configured as $dstip,
+it should add xfrm policy rule in instead of out.
+The test result of this patch is as follows:
+PASS: ipsec_offload
+
+Fixes: 2766a11161cc ("selftests: rtnetlink: add ipsec offload API test")
+Signed-off-by: Zhengchao Shao
+Acked-by: Hangbin Liu
+Link: https://lore.kernel.org/r/20221201082246.14131-1-shaozhengchao@huawei.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ tools/testing/selftests/net/rtnetlink.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/net/rtnetlink.sh b/tools/testing/selftests/net/rtnetlink.sh
+index 0900c5438fbb..275491be3da2 100755
+--- a/tools/testing/selftests/net/rtnetlink.sh
++++ b/tools/testing/selftests/net/rtnetlink.sh
+@@ -782,7 +782,7 @@ kci_test_ipsec_offload()
+ tmpl proto esp src $srcip dst $dstip spi 9 \
+ mode transport reqid 42
+ check_err $?
+- ip x p add dir out src $dstip/24 dst $srcip/24 \
++ ip x p add dir in src $dstip/24 dst $srcip/24 \
+ tmpl proto esp src $dstip dst $srcip spi 9 \
+ mode transport reqid 42
+ check_err $?
+--
+2.35.1
+
diff --git a/queue-6.0/series b/queue-6.0/series
index 7d55b81053f..7308a23abb9 100644
--- a/queue-6.0/series
+++ b/queue-6.0/series
@@ -83,3 +83,74 @@ hid-core-fix-shift-out-of-bounds-in-hid_report_raw_event.patch hid-ite-enable-quirk_touchpad_on_off_report-on-acer-aspire-switch-v-10.patch arm-9278-1-kfence-only-handle-translation-faults.patch can-af_can-fix-null-pointer-dereference-in-can_rcv_filter.patch +arm-at91-fix-build-for-sama5d3-w-o-l2-cache.patch +gpiolib-fix-memory-leak-in-gpiochip_setup_dev.patch +netfilter-nft_set_pipapo-actually-validate-intervals.patch +netfilter-flowtable_offload-fix-using-__this_cpu_add.patch +drm-vmwgfx-fix-race-issue-calling-pin_user_pages.patch +ieee802154-cc2520-fix-error-return-code-in-cc2520_hw.patch +ca8210-fix-crash-by-zero-initializing-data.patch +netfilter-conntrack-fix-using-__this_cpu_add-in-pree.patch +netfilter-ctnetlink-fix-compilation-warning-after-da.patch +drm-bridge-ti-sn65dsi86-fix-output-polarity-setting-.patch +gpio-amd8111-fix-pci-device-reference-count-leak.patch +e1000e-fix-tx-dispatch-condition.patch +igb-allocate-msi-x-vector-when-testing.patch +net-broadcom-add-ptp_1588_clock_optional-dependency-.patch +net-ethernet-ti-am65-cpsw-fix-rgmii-configuration-at.patch +drm-bridge-dw_hdmi-fix-preference-of-rgb-modes-over-.patch +af_unix-get-user_ns-from-in_skb-in-unix_diag_get_exa.patch +inet-ping-use-hlist_nulls-rcu-iterator-during-lookup.patch +vmxnet3-correctly-report-encapsulated-lro-packet.patch +vmxnet3-use-correct-intrconf-reference-when-using-ex.patch +bluetooth-6lowpan-add-missing-hci_dev_put-in-get_l2c.patch +bluetooth-hci_conn-add-missing-hci_dev_put-in-iso_li.patch +bluetooth-remove-codec-id-field-in-vendor-codec-defi.patch +bluetooth-fix-support-for-read-local-supported-codec.patch +bluetooth-fix-not-cleanup-led-when-bt_init-fails.patch +net-dsa-ksz-check-return-value.patch +net-dsa-hellcreek-check-return-value.patch +net-dsa-sja1105-check-return-value.patch +selftests-rtnetlink-correct-xfrm-policy-rule-in-kci_.patch +nfp-correct-desc-type-when-header-dma-len-is-4096.patch 
+mac802154-fix-missing-init_list_head-in-ieee802154_i.patch +net-encx24j600-add-parentheses-to-fix-precedence.patch +net-encx24j600-fix-invalid-logic-in-reading-of-mista.patch +net-mdiobus-fwnode_mdiobus_register_phy-rework-error.patch +net-mdiobus-fix-double-put-fwnode-in-the-error-path.patch +octeontx2-pf-fix-potential-memory-leak-in-otx2_init_.patch +net-microchip-sparx5-correctly-free-skb-in-xmit.patch +xen-netfront-fix-null-sring-after-live-migration.patch +net-mvneta-prevent-out-of-bounds-read-in-mvneta_conf.patch +i40e-fix-not-setting-default-xps_cpus-after-reset.patch +i40e-fix-for-vf-mac-address-0.patch +i40e-disallow-ip4-and-ip6-l4_4_bytes.patch +nfc-nci-bounds-check-struct-nfc_target-arrays.patch +nvme-initialize-core-quirks-before-calling-nvme_init.patch +gpio-rockchip-fix-refcount-leak-in-rockchip_gpiolib_.patch +net-stmmac-fix-snps-axi-config-node-property-parsing.patch +net-wwan-iosm-fix-memory-leak-in-ipc_mux_init.patch +ip_gre-do-not-report-erspan-version-on-gre-interface.patch +net-microchip-sparx5-fix-missing-destroy_workqueue-o.patch +ravb-fix-potential-use-after-free-in-ravb_rx_gbeth.patch +net-thunderx-fix-missing-destroy_workqueue-of-nicvf_.patch +net-hisilicon-fix-potential-use-after-free-in-hisi_f.patch +net-mdio-fix-unbalanced-fwnode-reference-count-in-md.patch +net-hisilicon-fix-potential-use-after-free-in-hix5hd.patch +tipc-fix-potential-oob-in-tipc_link_proto_rcv.patch +bonding-get-correct-na-dest-address.patch +ipv4-fix-incorrect-route-flushing-when-source-addres.patch +ipv4-fix-incorrect-route-flushing-when-table-id-0-is.patch +net-dsa-sja1105-fix-memory-leak-in-sja1105_setup_dev.patch +tipc-call-tipc_lxc_xmit-without-holding-node_read_lo.patch +ethernet-aeroflex-fix-potential-skb-leak-in-greth_in.patch +dpaa2-switch-fix-memory-leak-in-dpaa2_switch_acl_ent.patch +xen-netback-fix-build-warning.patch +net-dsa-mv88e6xxx-accept-phy-mode-internal-for-inter.patch +net-phy-mxl-gpy-add-mdint-workaround.patch 
+net-plip-don-t-call-kfree_skb-dev_kfree_skb-under-sp.patch +ipv6-avoid-use-after-free-in-ip6_fragment.patch +net-thunderbolt-fix-memory-leak-in-tbnet_open.patch +net-mvneta-fix-an-out-of-bounds-check.patch +macsec-add-missing-attribute-validation-for-offload.patch +s390-qeth-fix-use-after-free-in-hsci.patch diff --git a/queue-6.0/tipc-call-tipc_lxc_xmit-without-holding-node_read_lo.patch b/queue-6.0/tipc-call-tipc_lxc_xmit-without-holding-node_read_lo.patch new file mode 100644 index 00000000000..d4f3ab01d5f --- /dev/null +++ b/queue-6.0/tipc-call-tipc_lxc_xmit-without-holding-node_read_lo.patch 
@@ -0,0 +1,145 @@ +From 43847a660cee02852f277c48c25dfb9d45663056 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 3 Dec 2022 18:37:21 -0500 +Subject: tipc: call tipc_lxc_xmit without holding node_read_lock + +From: Xin Long + +[ Upstream commit 88956177db179e4eba7cd590971961857d1565b8 ] + +When sending packets between nodes in netns, it calls tipc_lxc_xmit() for +peer node to receive the packets where tipc_sk_mcast_rcv()/tipc_sk_rcv() +might be called, and it's pretty much like in tipc_rcv(). + +Currently the local 'node rw lock' is held during calling tipc_lxc_xmit() +to protect the peer_net not being freed by another thread. However, when +receiving these packets, tipc_node_add_conn() might be called where the +peer 'node rw lock' is acquired. Then a dead lock warning is triggered by +lockdep detector, although it is not a real dead lock: + + WARNING: possible recursive locking detected + -------------------------------------------- + conn_server/1086 is trying to acquire lock: + ffff8880065cb020 (&n->lock#2){++--}-{2:2}, \ + at: tipc_node_add_conn.cold.76+0xaa/0x211 [tipc] + + but task is already holding lock: + ffff8880065cd020 (&n->lock#2){++--}-{2:2}, \ + at: tipc_node_xmit+0x285/0xb30 [tipc] + + other info that might help us debug this: + Possible unsafe locking scenario: + + CPU0 + ---- + lock(&n->lock#2); + lock(&n->lock#2); + + *** DEADLOCK *** + + May be due to missing lock nesting notation + + 4 locks held by conn_server/1086: + #0: ffff8880036d1e40 (sk_lock-AF_TIPC){+.+.}-{0:0}, \ + at: tipc_accept+0x9c0/0x10b0 [tipc] + #1: ffff8880036d5f80 (sk_lock-AF_TIPC/1){+.+.}-{0:0}, \ + at: tipc_accept+0x363/0x10b0 [tipc] + #2: ffff8880065cd020 (&n->lock#2){++--}-{2:2}, \ + at: tipc_node_xmit+0x285/0xb30 [tipc] + #3: ffff888012e13370 (slock-AF_TIPC){+...}-{2:2}, \ + at: tipc_sk_rcv+0x2da/0x1b40 [tipc] + + Call Trace: + + dump_stack_lvl+0x44/0x5b + __lock_acquire.cold.77+0x1f2/0x3d7 + lock_acquire+0x1d2/0x610 + _raw_write_lock_bh+0x38/0x80 + 
tipc_node_add_conn.cold.76+0xaa/0x211 [tipc] + tipc_sk_finish_conn+0x21e/0x640 [tipc] + tipc_sk_filter_rcv+0x147b/0x3030 [tipc] + tipc_sk_rcv+0xbb4/0x1b40 [tipc] + tipc_lxc_xmit+0x225/0x26b [tipc] + tipc_node_xmit.cold.82+0x4a/0x102 [tipc] + __tipc_sendstream+0x879/0xff0 [tipc] + tipc_accept+0x966/0x10b0 [tipc] + do_accept+0x37d/0x590 + +This patch avoids this warning by not holding the 'node rw lock' before +calling tipc_lxc_xmit(). As to protect the 'peer_net', rcu_read_lock() +should be enough, as in cleanup_net() when freeing the netns, it calls +synchronize_rcu() before the free is continued. + +Also since tipc_lxc_xmit() is like the RX path in tipc_rcv(), it makes +sense to call it under rcu_read_lock(). Note that the right lock order +must be: + + rcu_read_lock(); + tipc_node_read_lock(n); + tipc_node_read_unlock(n); + tipc_lxc_xmit(); + rcu_read_unlock(); + +instead of: + + tipc_node_read_lock(n); + rcu_read_lock(); + tipc_node_read_unlock(n); + tipc_lxc_xmit(); + rcu_read_unlock(); + +and we have to call tipc_node_read_lock/unlock() twice in +tipc_node_xmit(). 
+ +Fixes: f73b12812a3d ("tipc: improve throughput between nodes in netns") +Reported-by: Shuang Li +Signed-off-by: Xin Long +Link: https://lore.kernel.org/r/5bdd1f8fee9db695cfff4528a48c9b9d0523fb00.1670110641.git.lucien.xin@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/tipc/node.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/net/tipc/node.c b/net/tipc/node.c +index b48d97cbbe29..49ddc484c4fe 100644 +--- a/net/tipc/node.c ++++ b/net/tipc/node.c +@@ -1689,6 +1689,7 @@ int tipc_node_xmit(struct net *net, struct sk_buff_head *list, + struct tipc_node *n; + struct sk_buff_head xmitq; + bool node_up = false; ++ struct net *peer_net; + int bearer_id; + int rc; + +@@ -1705,18 +1706,23 @@ int tipc_node_xmit(struct net *net, struct sk_buff_head *list, + return -EHOSTUNREACH; + } + ++ rcu_read_lock(); + tipc_node_read_lock(n); + node_up = node_is_up(n); +- if (node_up && n->peer_net && check_net(n->peer_net)) { ++ peer_net = n->peer_net; ++ tipc_node_read_unlock(n); ++ if (node_up && peer_net && check_net(peer_net)) { + /* xmit inner linux container */ +- tipc_lxc_xmit(n->peer_net, list); ++ tipc_lxc_xmit(peer_net, list); + if (likely(skb_queue_empty(list))) { +- tipc_node_read_unlock(n); ++ rcu_read_unlock(); + tipc_node_put(n); + return 0; + } + } ++ rcu_read_unlock(); + ++ tipc_node_read_lock(n); + bearer_id = n->active_links[selector & 1]; + if (unlikely(bearer_id == INVALID_BEARER_ID)) { + tipc_node_read_unlock(n); +-- +2.35.1 + diff --git a/queue-6.0/tipc-fix-potential-oob-in-tipc_link_proto_rcv.patch b/queue-6.0/tipc-fix-potential-oob-in-tipc_link_proto_rcv.patch new file mode 100644 index 00000000000..0996a6b2d39 --- /dev/null +++ b/queue-6.0/tipc-fix-potential-oob-in-tipc_link_proto_rcv.patch 
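Review bot: In the `tipc_node_xmit()` hunk `peer_net` is now used after `tipc_node_read_unlock(n)`, and the only thing keeping it valid is the surrounding `rcu_read_lock()`; that reasoning and the required lock order exist only in the commit message. I would put it next to the code, e.g. `/* peer_net stays valid under RCU: cleanup_net() does synchronize_rcu() before freeing the netns */` above `rcu_read_lock();`, together with a note that the RCU section must be entered before the node read lock is taken. `node_up` is likewise a snapshot taken before the unlock, so any use of it after the second `tipc_node_read_lock(n)`, which would be outside this hunk, works with a possibly stale value.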
@@ -0,0 +1,39 @@
+From e32882ac4959fa92e104162f28db8a1b6ab7dc85 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 3 Dec 2022 17:46:35 +0800
+Subject: tipc: Fix potential OOB in tipc_link_proto_rcv()
+
+From: YueHaibing
+
+[ Upstream commit 743117a997bbd4840e827295c07e59bcd7f7caa3 ]
+
+Fix the potential risk of OOB if skb_linearize() fails in
+tipc_link_proto_rcv().
+
+Fixes: 5cbb28a4bf65 ("tipc: linearize arriving NAME_DISTR and LINK_PROTO buffers")
+Signed-off-by: YueHaibing
+Link: https://lore.kernel.org/r/20221203094635.29024-1-yuehaibing@huawei.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ net/tipc/link.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/tipc/link.c b/net/tipc/link.c
+index e260c0d557f5..b3ce24823f50 100644
+--- a/net/tipc/link.c
++++ b/net/tipc/link.c
+@@ -2224,7 +2224,9 @@ static int tipc_link_proto_rcv(struct tipc_link *l, struct sk_buff *skb,
+ if (tipc_own_addr(l->net) > msg_prevnode(hdr))
+ l->net_plane = msg_net_plane(hdr);
+
+- skb_linearize(skb);
++ if (skb_linearize(skb))
++ goto exit;
++
+ hdr = buf_msg(skb);
+ data = msg_data(hdr);
+
+--
+2.35.1
+
diff --git a/queue-6.0/vmxnet3-correctly-report-encapsulated-lro-packet.patch b/queue-6.0/vmxnet3-correctly-report-encapsulated-lro-packet.patch
new file mode 100644
index 00000000000..10fcb5e6475
--- /dev/null
+++ b/queue-6.0/vmxnet3-correctly-report-encapsulated-lro-packet.patch
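Review bot: The new `if (skb_linearize(skb)) goto exit;` in tipc_link_proto_rcv() drops the message without saying why, and both the `exit` label and the return code in effect there lie outside the hunk, so it is worth confirming that this path frees the skb and returns what the caller expects for a dropped message. The check matters because `msg_data(hdr)` on the following lines is only meaningful for a linear buffer; continuing after a failed linearize would read header and payload from a fragmented skb. I would add a one-line comment above the check, `/* a failed linearize leaves the skb non-linear; drop it rather than parse past the head */`.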
@@ -0,0 +1,86 @@
+From f077bc52be1eb73e39a0dff01017f782fae74ff7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 30 Nov 2022 00:21:46 -0800
+Subject: vmxnet3: correctly report encapsulated LRO packet
+
+From: Ronak Doshi
+
+[ Upstream commit 40b8c2a1af03ba3e8da55a4490d646bfa845e71a ]
+
+Commit dacce2be3312 ("vmxnet3: add geneve and vxlan tunnel offload
+support") added support for encapsulation offload. However, the
+pathc did not report correctly the encapsulated packet which is
+LRO'ed by the hypervisor.
+
+This patch fixes this issue by using correct callback for the LRO'ed
+encapsulated packet.
+
+Fixes: dacce2be3312 ("vmxnet3: add geneve and vxlan tunnel offload support")
+Signed-off-by: Ronak Doshi
+Acked-by: Guolin Yang
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/vmxnet3/vmxnet3_drv.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/vmxnet3/vmxnet3_drv.c b/drivers/net/vmxnet3/vmxnet3_drv.c
+index 53b3b241e027..dd4fecbd1e2e 100644
+--- a/drivers/net/vmxnet3/vmxnet3_drv.c
++++ b/drivers/net/vmxnet3/vmxnet3_drv.c
+@@ -1396,6 +1396,7 @@ vmxnet3_rq_rx_complete(struct vmxnet3_rx_queue *rq,
+ };
+ u32 num_pkts = 0;
+ bool skip_page_frags = false;
++ bool encap_lro = false;
+ struct Vmxnet3_RxCompDesc *rcd;
+ struct vmxnet3_rx_ctx *ctx = &rq->rx_ctx;
+ u16 segCnt = 0, mss = 0;
+@@ -1556,13 +1557,18 @@ vmxnet3_rq_rx_complete(struct vmxnet3_rx_queue *rq,
+ if (VMXNET3_VERSION_GE_2(adapter) &&
+ rcd->type == VMXNET3_CDTYPE_RXCOMP_LRO) {
+ struct Vmxnet3_RxCompDescExt *rcdlro;
++ union Vmxnet3_GenericDesc *gdesc;
++
+ rcdlro = (struct Vmxnet3_RxCompDescExt *)rcd;
++ gdesc = (union Vmxnet3_GenericDesc *)rcd;
+
+ segCnt = rcdlro->segCnt;
+ WARN_ON_ONCE(segCnt == 0);
+ mss = rcdlro->mss;
+ if (unlikely(segCnt <= 1))
+ segCnt = 0;
++ encap_lro = (le32_to_cpu(gdesc->dword[0]) &
++ (1UL << VMXNET3_RCD_HDR_INNER_SHIFT));
+ } else {
+ segCnt = 0;
+ }
+@@ -1630,7 +1636,7 @@ 
vmxnet3_rq_rx_complete(struct vmxnet3_rx_queue *rq,
+ vmxnet3_rx_csum(adapter, skb,
+ (union Vmxnet3_GenericDesc *)rcd);
+ skb->protocol = eth_type_trans(skb, adapter->netdev);
+- if (!rcd->tcp ||
++ if ((!rcd->tcp && !encap_lro) ||
+ !(adapter->netdev->features & NETIF_F_LRO))
+ goto not_lro;
+
+@@ -1639,7 +1645,7 @@ vmxnet3_rq_rx_complete(struct vmxnet3_rx_queue *rq,
+ SKB_GSO_TCPV4 : SKB_GSO_TCPV6;
+ skb_shinfo(skb)->gso_size = mss;
+ skb_shinfo(skb)->gso_segs = segCnt;
+- } else if (segCnt != 0 || skb->len > mtu) {
++ } else if ((segCnt != 0 || skb->len > mtu) && !encap_lro) {
+ u32 hlen;
+
+ hlen = vmxnet3_get_hdr_len(adapter, skb,
+@@ -1668,6 +1674,7 @@ vmxnet3_rq_rx_complete(struct vmxnet3_rx_queue *rq,
+ napi_gro_receive(&rq->napi, skb);
+
+ ctx->skb = NULL;
++ encap_lro = false;
+ num_pkts++;
+ }
+
+--
+2.35.1
+
diff --git a/queue-6.0/vmxnet3-use-correct-intrconf-reference-when-using-ex.patch b/queue-6.0/vmxnet3-use-correct-intrconf-reference-when-using-ex.patch
new file mode 100644
index 00000000000..de40853910c
--- /dev/null
+++ b/queue-6.0/vmxnet3-use-correct-intrconf-reference-when-using-ex.patch
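Review bot: `encap_lro` is set only in the LRO-type branch and cleared only next to `ctx->skb = NULL;` at the end of a delivered packet, while the non-LRO `else` branch resets `segCnt` but not the new flag. If any path in vmxnet3_rq_rx_complete() abandons a packet without reaching that reset (the error paths are outside these hunks, so this is inferred), the next packet would be tested against a stale value in `(!rcd->tcp && !encap_lro)`. Clearing the flag where the descriptor type is evaluated closes that gap: `} else { segCnt = 0; encap_lro = false; }`. A short comment naming what the bit selected by `VMXNET3_RCD_HDR_INNER_SHIFT` in `gdesc->dword[0]` means would also help, since the flag changes which receive path a packet takes.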
@@ -0,0 +1,63 @@
+From f1e75d7644ea28e9a7bd1cc9b954f0cb7ceebf99 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 30 Nov 2022 00:21:47 -0800
+Subject: vmxnet3: use correct intrConf reference when using extended queues
+
+From: Ronak Doshi
+
+[ Upstream commit 409e8ec8c5825591895937b8499b54aa2476fae7 ]
+
+Commit 39f9895a00f4 ("vmxnet3: add support for 32 Tx/Rx queues")
+added support for 32Tx/Rx queues. As a part of this patch, intrConf
+structure was extended to incorporate increased queues.
+
+This patch fixes the issue where incorrect reference is being used.
+
+Fixes: 39f9895a00f4 ("vmxnet3: add support for 32 Tx/Rx queues")
+Signed-off-by: Ronak Doshi
+Acked-by: Guolin Yang
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/vmxnet3/vmxnet3_drv.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/vmxnet3/vmxnet3_drv.c b/drivers/net/vmxnet3/vmxnet3_drv.c
+index dd4fecbd1e2e..c28c4a654615 100644
+--- a/drivers/net/vmxnet3/vmxnet3_drv.c
++++ b/drivers/net/vmxnet3/vmxnet3_drv.c
+@@ -75,8 +75,14 @@ vmxnet3_enable_all_intrs(struct vmxnet3_adapter *adapter)
+
+ for (i = 0; i < adapter->intr.num_intrs; i++)
+ vmxnet3_enable_intr(adapter, i);
+- adapter->shared->devRead.intrConf.intrCtrl &=
++ if (!VMXNET3_VERSION_GE_6(adapter) ||
++ !adapter->queuesExtEnabled) {
++ adapter->shared->devRead.intrConf.intrCtrl &=
+ cpu_to_le32(~VMXNET3_IC_DISABLE_ALL);
++ } else {
++ adapter->shared->devReadExt.intrConfExt.intrCtrl &=
++ cpu_to_le32(~VMXNET3_IC_DISABLE_ALL);
++ }
+ }
+
+
+@@ -85,8 +91,14 @@ vmxnet3_disable_all_intrs(struct vmxnet3_adapter *adapter)
+ {
+ int i;
+
+- adapter->shared->devRead.intrConf.intrCtrl |=
++ if (!VMXNET3_VERSION_GE_6(adapter) ||
++ !adapter->queuesExtEnabled) {
++ adapter->shared->devRead.intrConf.intrCtrl |=
+ cpu_to_le32(VMXNET3_IC_DISABLE_ALL);
++ } else {
++ adapter->shared->devReadExt.intrConfExt.intrCtrl |=
++ cpu_to_le32(VMXNET3_IC_DISABLE_ALL);
++ }
+ for (i = 
0; i < adapter->intr.num_intrs; i++)
+ vmxnet3_disable_intr(adapter, i);
+ }
+--
+2.35.1
+
diff --git a/queue-6.0/xen-netback-fix-build-warning.patch b/queue-6.0/xen-netback-fix-build-warning.patch
new file mode 100644
index 00000000000..2436e35bfda
--- /dev/null
+++ b/queue-6.0/xen-netback-fix-build-warning.patch
@@ -0,0 +1,40 @@
+From a34e5030758816decaf30fff316268c95b1bde3a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 7 Dec 2022 08:19:38 +0100
+Subject: xen/netback: fix build warning
+
+From: Juergen Gross
+
+[ Upstream commit 7dfa764e0223a324366a2a1fc056d4d9d4e95491 ]
+
+Commit ad7f402ae4f4 ("xen/netback: Ensure protocol headers don't fall in
+the non-linear area") introduced a (valid) build warning. There have
+even been reports of this problem breaking networking of Xen guests.
+
+Fixes: ad7f402ae4f4 ("xen/netback: Ensure protocol headers don't fall in the non-linear area")
+Signed-off-by: Juergen Gross
+Reviewed-by: Jan Beulich
+Reviewed-by: Ross Lagerwall
+Tested-by: Jason Andryuk
+Signed-off-by: Juergen Gross
+Signed-off-by: Sasha Levin
+---
+ drivers/net/xen-netback/netback.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/xen-netback/netback.c b/drivers/net/xen-netback/netback.c
+index 4962ff8b1534..82d7910f7ade 100644
+--- a/drivers/net/xen-netback/netback.c
++++ b/drivers/net/xen-netback/netback.c
+@@ -530,7 +530,7 @@ static int xenvif_tx_check_gop(struct xenvif_queue *queue,
+ const bool sharedslot = nr_frags &&
+ frag_get_pending_idx(&shinfo->frags[0]) ==
+ copy_pending_idx(skb, copy_count(skb) - 1);
+- int i, err;
++ int i, err = 0;
+
+ for (i = 0; i < copy_count(skb); i++) {
+ int newerr;
+--
+2.35.1
+
diff --git a/queue-6.0/xen-netfront-fix-null-sring-after-live-migration.patch b/queue-6.0/xen-netfront-fix-null-sring-after-live-migration.patch
new file mode 100644
index 00000000000..c70852ccd21
--- /dev/null
+++ b/queue-6.0/xen-netfront-fix-null-sring-after-live-migration.patch
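Review bot: The selection `!VMXNET3_VERSION_GE_6(adapter) || !adapter->queuesExtEnabled` is now written out twice, once in vmxnet3_enable_all_intrs() and once in vmxnet3_disable_all_intrs(), each followed by two near-identical assignments. A small static helper that returns the address of the right `intrCtrl` word keeps the two functions from drifting apart and gives the layout rule one place to carry a comment. The helper name below is only a suggestion, and its `__le32 *` return type is inferred from the `cpu_to_le32()` operands rather than from a visible declaration. The fence shows the helper and the two statements that would replace the added if/else blocks.

```c
/* Pick the interrupt-control word that matches the queue layout in use. */
static __le32 *
vmxnet3_intr_ctrl(struct vmxnet3_adapter *adapter)
{
	if (VMXNET3_VERSION_GE_6(adapter) && adapter->queuesExtEnabled)
		return &adapter->shared->devReadExt.intrConfExt.intrCtrl;
	return &adapter->shared->devRead.intrConf.intrCtrl;
}

/* … unchanged: vmxnet3_enable_all_intrs() per-vector enable loop … */
	*vmxnet3_intr_ctrl(adapter) &= cpu_to_le32(~VMXNET3_IC_DISABLE_ALL);

/* … unchanged: vmxnet3_disable_all_intrs() declarations; per-vector disable loop follows … */
	*vmxnet3_intr_ctrl(adapter) |= cpu_to_le32(VMXNET3_IC_DISABLE_ALL);
```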
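Review bot: In xenvif_tx_check_gop() the added initialiser in `int i, err = 0;` is the whole fix, yet nothing records what the zero stands for or on which path `err` could previously be read unset; the loop body and the later uses of `err` are outside the hunk. A comment such as `/* 0 = no copy operation failed; also the result when the loop never assigns err */` would capture the intent, to be confirmed against the rest of the function. Splitting the declaration into `int i;` and `int err = 0;` would also make the initialised variable stand out.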
@@ -0,0 +1,86 @@
+From 5b3084d1f36ead9843ba1407d171b1195856f164 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 2 Dec 2022 08:52:48 +0000
+Subject: xen-netfront: Fix NULL sring after live migration
+
+From: Lin Liu
+
+[ Upstream commit d50b7914fae04d840ce36491d22133070b18cca9 ]
+
+A NAPI is setup for each network sring to poll data to kernel
+The sring with source host is destroyed before live migration and
+new sring with target host is setup after live migration.
+The NAPI for the old sring is not deleted until setup new sring
+with target host after migration. With busy_poll/busy_read enabled,
+the NAPI can be polled before got deleted when resume VM.
+
+BUG: unable to handle kernel NULL pointer dereference at
+0000000000000008
+IP: xennet_poll+0xae/0xd20
+PGD 0 P4D 0
+Oops: 0000 [#1] SMP PTI
+Call Trace:
+ finish_task_switch+0x71/0x230
+ timerqueue_del+0x1d/0x40
+ hrtimer_try_to_cancel+0xb5/0x110
+ xennet_alloc_rx_buffers+0x2a0/0x2a0
+ napi_busy_loop+0xdb/0x270
+ sock_poll+0x87/0x90
+ do_sys_poll+0x26f/0x580
+ tracing_map_insert+0x1d4/0x2f0
+ event_hist_trigger+0x14a/0x260
+
+ finish_task_switch+0x71/0x230
+ __schedule+0x256/0x890
+ recalc_sigpending+0x1b/0x50
+ xen_sched_clock+0x15/0x20
+ __rb_reserve_next+0x12d/0x140
+ ring_buffer_lock_reserve+0x123/0x3d0
+ event_triggers_call+0x87/0xb0
+ trace_event_buffer_commit+0x1c4/0x210
+ xen_clocksource_get_cycles+0x15/0x20
+ ktime_get_ts64+0x51/0xf0
+ SyS_ppoll+0x160/0x1a0
+ SyS_ppoll+0x160/0x1a0
+ do_syscall_64+0x73/0x130
+ entry_SYSCALL_64_after_hwframe+0x41/0xa6
+...
+RIP: xennet_poll+0xae/0xd20 RSP: ffffb4f041933900
+CR2: 0000000000000008
+---[ end trace f8601785b354351c ]---
+
+xen frontend should remove the NAPIs for the old srings before live
+migration as the bond srings are destroyed
+
+There is a tiny window between the srings are set to NULL and
+the NAPIs are disabled, It is safe as the NAPI threads are still
+frozen at that time
+
+Signed-off-by: Lin Liu
+Fixes: 4ec2411980d0 ([NET]: Do not check netif_running() and carrier state in ->poll())
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/xen-netfront.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
+index 27a11cc08c61..479e215159fc 100644
+--- a/drivers/net/xen-netfront.c
++++ b/drivers/net/xen-netfront.c
+@@ -1862,6 +1862,12 @@ static int netfront_resume(struct xenbus_device *dev)
+ netif_tx_unlock_bh(info->netdev);
+
+ xennet_disconnect_backend(info);
++
++ rtnl_lock();
++ if (info->queues)
++ xennet_destroy_queues(info);
++ rtnl_unlock();
++
+ return 0;
+ }
+
+--
+2.35.1
+
--
2.47.3
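Review bot: The block added to netfront_resume() carries no comment, although its correctness rests on two things that only the commit message states: the queues are destroyed so that no NAPI instance belonging to the old rings can be polled after resume, and the window between xennet_disconnect_backend() clearing the rings and this teardown is tolerated because the NAPI threads are still frozen. I would put that above `rtnl_lock();`, for example `/* drop the old queues and their NAPI contexts now; busy-poll must not reach a ring torn down above */`, followed by a line stating the frozen-thread assumption. The reason for holding `rtnl_lock()` around xennet_destroy_queues() is not visible in the hunk and deserves a word as well.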