From a165b2482f7dcbfc7fba1724528585c6bef81b51 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Wed, 5 Jun 2024 08:09:32 -0400 Subject: [PATCH] Fixes for 5.10 
Signed-off-by: Sasha Levin --- ...-from-sockmap-sockhash-only-if-updat.patch | 79 +++++++++++ ...l-integer-overflow-in-resolve_btfids.patch | 41 ++++++ ...don-t-enable-irq-from-sync_print_obj.patch | 55 ++++++++ ...ngth-of-nl-attributes-in-enic_set_vf.patch | 69 ++++++++++ ...hwmon-shtc1-fix-property-misspelling.patch | 36 +++++ ...skb-sk-in-ipvlan_process_v-4-6-_outb.patch | 107 +++++++++++++++ ...x-comparison-to-constant-symbols-m-n.patch | 128 ++++++++++++++++++ queue-5.10/net-fec-add-fec_enet_deinit.patch | 63 +++++++++ ..._missed_errors-instead-of-rx_dropped.patch | 46 +++++++ ...-fix-changing-led_sel-bit-value-upda.patch | 68 ++++++++++ ...ink_queue-acquire-rcu_read_lock-in-i.patch | 79 +++++++++++ ...yload-restore-vlan-q-in-q-match-supp.patch | 74 ++++++++++ ...-bail-out-if-ip-has-been-disabled-on.patch | 45 ++++++ ...-fix-ns-enable-disable-possible-hang.patch | 59 ++++++++ ...use-asm-goto-for-get_user-when-compi.patch | 102 ++++++++++++++ ...uaccess-use-yz-asm-constraint-for-ld.patch | 64 +++++++++ queue-5.10/series | 18 +++ ...essage-dma-mapped-when-no-transfer-i.patch | 48 +++++++ ...don-t-warn-about-spurious-interrupts.patch | 43 ++++++ 19 files changed, 1224 insertions(+) create mode 100644 queue-5.10/bpf-allow-delete-from-sockmap-sockhash-only-if-updat.patch create mode 100644 queue-5.10/bpf-fix-potential-integer-overflow-in-resolve_btfids.patch create mode 100644 queue-5.10/dma-buf-sw-sync-don-t-enable-irq-from-sync_print_obj.patch create mode 100644 queue-5.10/enic-validate-length-of-nl-attributes-in-enic_set_vf.patch create mode 100644 queue-5.10/hwmon-shtc1-fix-property-misspelling.patch create mode 100644 queue-5.10/ipvlan-dont-use-skb-sk-in-ipvlan_process_v-4-6-_outb.patch create mode 100644 queue-5.10/kconfig-fix-comparison-to-constant-symbols-m-n.patch create mode 100644 queue-5.10/net-fec-add-fec_enet_deinit.patch create mode 100644 queue-5.10/net-mlx5e-use-rx_missed_errors-instead-of-rx_dropped.patch create mode 100644 
queue-5.10/net-usb-smsc95xx-fix-changing-led_sel-bit-value-upda.patch create mode 100644 queue-5.10/netfilter-nfnetlink_queue-acquire-rcu_read_lock-in-i.patch create mode 100644 queue-5.10/netfilter-nft_payload-restore-vlan-q-in-q-match-supp.patch create mode 100644 queue-5.10/netfilter-tproxy-bail-out-if-ip-has-been-disabled-on.patch create mode 100644 queue-5.10/nvmet-fix-ns-enable-disable-possible-hang.patch create mode 100644 queue-5.10/powerpc-uaccess-use-asm-goto-for-get_user-when-compi.patch create mode 100644 queue-5.10/powerpc-uaccess-use-yz-asm-constraint-for-ld.patch create mode 100644 queue-5.10/spi-don-t-mark-message-dma-mapped-when-no-transfer-i.patch create mode 100644 queue-5.10/spi-stm32-don-t-warn-about-spurious-interrupts.patch diff --git a/queue-5.10/bpf-allow-delete-from-sockmap-sockhash-only-if-updat.patch b/queue-5.10/bpf-allow-delete-from-sockmap-sockhash-only-if-updat.patch new file mode 100644 index 00000000000..23d34a7e29f --- /dev/null +++ b/queue-5.10/bpf-allow-delete-from-sockmap-sockhash-only-if-updat.patch 
@@ -0,0 +1,79 @@ +From 43092c9bf3a22191509c8d211430e257273e332f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 May 2024 13:20:07 +0200 +Subject: bpf: Allow delete from sockmap/sockhash only if update is allowed + +From: Jakub Sitnicki + +[ Upstream commit 98e948fb60d41447fd8d2d0c3b8637fc6b6dc26d ] + +We have seen an influx of syzkaller reports where a BPF program attached to +a tracepoint triggers a locking rule violation by performing a map_delete +on a sockmap/sockhash. + +We don't intend to support this artificial use scenario. Extend the +existing verifier allowed-program-type check for updating sockmap/sockhash +to also cover deleting from a map. + +From now on only BPF programs which were previously allowed to update +sockmap/sockhash can delete from these map types. + +Fixes: ff9105993240 ("bpf, sockmap: Prevent lock inversion deadlock in map delete elem") +Reported-by: Tetsuo Handa +Reported-by: syzbot+ec941d6e24f633a59172@syzkaller.appspotmail.com +Signed-off-by: Jakub Sitnicki +Signed-off-by: Daniel Borkmann +Tested-by: syzbot+ec941d6e24f633a59172@syzkaller.appspotmail.com +Acked-by: John Fastabend +Closes: https://syzkaller.appspot.com/bug?extid=ec941d6e24f633a59172 +Link: https://lore.kernel.org/bpf/20240527-sockmap-verify-deletes-v1-1-944b372f2101@cloudflare.com +Signed-off-by: Sasha Levin +--- + kernel/bpf/verifier.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index 25f8a8716e88d..ad115ccc2fe0e 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -4890,7 +4890,8 @@ static bool may_update_sockmap(struct bpf_verifier_env *env, int func_id) + enum bpf_attach_type eatype = env->prog->expected_attach_type; + enum bpf_prog_type type = resolve_prog_type(env->prog); + +- if (func_id != BPF_FUNC_map_update_elem) ++ if (func_id != BPF_FUNC_map_update_elem && ++ func_id != BPF_FUNC_map_delete_elem) + return false; + + /* It's not possible to get 
access to a locked struct sock in these +@@ -4901,6 +4902,11 @@ static bool may_update_sockmap(struct bpf_verifier_env *env, int func_id) + if (eatype == BPF_TRACE_ITER) + return true; + break; ++ case BPF_PROG_TYPE_SOCK_OPS: ++ /* map_update allowed only via dedicated helpers with event type checks */ ++ if (func_id == BPF_FUNC_map_delete_elem) ++ return true; ++ break; + case BPF_PROG_TYPE_SOCKET_FILTER: + case BPF_PROG_TYPE_SCHED_CLS: + case BPF_PROG_TYPE_SCHED_ACT: +@@ -4988,7 +4994,6 @@ static int check_map_func_compatibility(struct bpf_verifier_env *env, + case BPF_MAP_TYPE_SOCKMAP: + if (func_id != BPF_FUNC_sk_redirect_map && + func_id != BPF_FUNC_sock_map_update && +- func_id != BPF_FUNC_map_delete_elem && + func_id != BPF_FUNC_msg_redirect_map && + func_id != BPF_FUNC_sk_select_reuseport && + func_id != BPF_FUNC_map_lookup_elem && +@@ -4998,7 +5003,6 @@ static int check_map_func_compatibility(struct bpf_verifier_env *env, + case BPF_MAP_TYPE_SOCKHASH: + if (func_id != BPF_FUNC_sk_redirect_hash && + func_id != BPF_FUNC_sock_hash_update && +- func_id != BPF_FUNC_map_delete_elem && + func_id != BPF_FUNC_msg_redirect_hash && + func_id != BPF_FUNC_sk_select_reuseport && + func_id != BPF_FUNC_map_lookup_elem && +-- +2.43.0 + diff --git a/queue-5.10/bpf-fix-potential-integer-overflow-in-resolve_btfids.patch b/queue-5.10/bpf-fix-potential-integer-overflow-in-resolve_btfids.patch new file mode 100644 index 00000000000..c04893f6be1 --- /dev/null +++ b/queue-5.10/bpf-fix-potential-integer-overflow-in-resolve_btfids.patch 
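Review bot: In the kernel/bpf/verifier.c part of this patch, `may_update_sockmap()` now also decides `BPF_FUNC_map_delete_elem`, but neither its name nor the visible body says so. With `func_id != BPF_FUNC_map_delete_elem` dropped from the SOCKMAP and SOCKHASH cases of `check_map_func_compatibility()`, this function presumably becomes the only gate for deletes. A comment above the func_id test would record that, for example `/* Gates both map_update_elem and map_delete_elem on sockmap/sockhash; delete is no longer accepted unconditionally by check_map_func_compatibility(). */`. The rest of both `if` chains and most of the program-type switch are outside the hunks, so on this 5.10 backport confirm that the switch lists every program type that is meant to keep delete access.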
@@ -0,0 +1,41 @@ +From 4baebfd70c899c565cd2c7196745a568b14f49d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 May 2024 09:09:31 +0200 +Subject: bpf: Fix potential integer overflow in resolve_btfids + +From: Friedrich Vock + +[ Upstream commit 44382b3ed6b2787710c8ade06c0e97f5970a47c8 ] + +err is a 32-bit integer, but elf_update returns an off_t, which is 64-bit +at least on 64-bit platforms. If symbols_patch is called on a binary between +2-4GB in size, the result will be negative when cast to a 32-bit integer, +which the code assumes means an error occurred. This can wrongly trigger +build failures when building very large kernel images. + +Fixes: fbbb68de80a4 ("bpf: Add resolve_btfids tool to resolve BTF IDs in ELF object") +Signed-off-by: Friedrich Vock +Signed-off-by: Daniel Borkmann +Acked-by: Daniel Borkmann +Link: https://lore.kernel.org/bpf/20240514070931.199694-1-friedrich.vock@gmx.de +Signed-off-by: Sasha Levin +--- + tools/bpf/resolve_btfids/main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/bpf/resolve_btfids/main.c b/tools/bpf/resolve_btfids/main.c +index f32c059fbfb4f..8b2a2576fed66 100644 +--- a/tools/bpf/resolve_btfids/main.c ++++ b/tools/bpf/resolve_btfids/main.c +@@ -637,7 +637,7 @@ static int sets_patch(struct object *obj) + + static int symbols_patch(struct object *obj) + { +- int err; ++ off_t err; + + if (__symbols_patch(obj, &obj->structs) || + __symbols_patch(obj, &obj->unions) || +-- +2.43.0 + diff --git a/queue-5.10/dma-buf-sw-sync-don-t-enable-irq-from-sync_print_obj.patch b/queue-5.10/dma-buf-sw-sync-don-t-enable-irq-from-sync_print_obj.patch new file mode 100644 index 00000000000..a32f2c2d872 --- /dev/null +++ b/queue-5.10/dma-buf-sw-sync-don-t-enable-irq-from-sync_print_obj.patch 
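Review bot: `off_t err;` in `symbols_patch()` now holds what the commit message describes as the `off_t` result of `elf_update()`, while the function still returns `int`, and the name `err` hides that this is not a plain status code. A trailing comment such as `off_t err; /* elf_update() result: off_t, negative on failure */` would keep a later cleanup from narrowing it back to `int`. The body after the `__symbols_patch()` calls is outside the hunk; if it contains a `return err;`, that should map the value to an int status rather than truncate it.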
@@ -0,0 +1,55 @@ +From 497765eb5533eb9d224a12085463d988f0ce279b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 5 May 2024 23:08:31 +0900 +Subject: dma-buf/sw-sync: don't enable IRQ from sync_print_obj() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Tetsuo Handa + +[ Upstream commit b794918961516f667b0c745aebdfebbb8a98df39 ] + +Since commit a6aa8fca4d79 ("dma-buf/sw-sync: Reduce irqsave/irqrestore from +known context") by error replaced spin_unlock_irqrestore() with +spin_unlock_irq() for both sync_debugfs_show() and sync_print_obj() despite +sync_print_obj() is called from sync_debugfs_show(), lockdep complains +inconsistent lock state warning. + +Use plain spin_{lock,unlock}() for sync_print_obj(), for +sync_debugfs_show() is already using spin_{lock,unlock}_irq(). + +Reported-by: syzbot +Closes: https://syzkaller.appspot.com/bug?extid=a225ee3df7e7f9372dbe +Fixes: a6aa8fca4d79 ("dma-buf/sw-sync: Reduce irqsave/irqrestore from known context") +Signed-off-by: Tetsuo Handa +Reviewed-by: Christian König +Link: https://patchwork.freedesktop.org/patch/msgid/c2e46020-aaa6-4e06-bf73-f05823f913f0@I-love.SAKURA.ne.jp +Signed-off-by: Christian König +Signed-off-by: Sasha Levin +--- + drivers/dma-buf/sync_debug.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/dma-buf/sync_debug.c b/drivers/dma-buf/sync_debug.c +index 101394f16930f..237bce21d1e72 100644 +--- a/drivers/dma-buf/sync_debug.c ++++ b/drivers/dma-buf/sync_debug.c +@@ -110,12 +110,12 @@ static void sync_print_obj(struct seq_file *s, struct sync_timeline *obj) + + seq_printf(s, "%s: %d\n", obj->name, obj->value); + +- spin_lock_irq(&obj->lock); ++ spin_lock(&obj->lock); /* Caller already disabled IRQ. 
*/ + list_for_each(pos, &obj->pt_list) { + struct sync_pt *pt = container_of(pos, struct sync_pt, link); + sync_print_fence(s, &pt->base, false); + } +- spin_unlock_irq(&obj->lock); ++ spin_unlock(&obj->lock); + } + + static void sync_print_sync_file(struct seq_file *s, +-- +2.43.0 + diff --git a/queue-5.10/enic-validate-length-of-nl-attributes-in-enic_set_vf.patch b/queue-5.10/enic-validate-length-of-nl-attributes-in-enic_set_vf.patch new file mode 100644 index 00000000000..ba0f38f03ea --- /dev/null +++ b/queue-5.10/enic-validate-length-of-nl-attributes-in-enic_set_vf.patch 
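Review bot: The switch to plain `spin_lock(&obj->lock)` in `sync_print_obj()` makes correctness depend on every caller having interrupts disabled, and that contract is stated only in the trailing comment. Adding `lockdep_assert_irqs_disabled();` directly before the `spin_lock()` would let lockdep check the assumption, so a future caller that reaches this function with IRQs enabled is reported rather than going unnoticed. The start of the function is outside the hunk.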
@@ -0,0 +1,69 @@ +From 1f2181bc5f29c04cf1935787f154268aa768d415 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 May 2024 10:30:44 +0300 +Subject: enic: Validate length of nl attributes in enic_set_vf_port + +From: Roded Zats + +[ Upstream commit e8021b94b0412c37bcc79027c2e382086b6ce449 ] + +enic_set_vf_port assumes that the nl attribute IFLA_PORT_PROFILE +is of length PORT_PROFILE_MAX and that the nl attributes +IFLA_PORT_INSTANCE_UUID, IFLA_PORT_HOST_UUID are of length PORT_UUID_MAX. +These attributes are validated (in the function do_setlink in rtnetlink.c) +using the nla_policy ifla_port_policy. The policy defines IFLA_PORT_PROFILE +as NLA_STRING, IFLA_PORT_INSTANCE_UUID as NLA_BINARY and +IFLA_PORT_HOST_UUID as NLA_STRING. That means that the length validation +using the policy is for the max size of the attributes and not on exact +size so the length of these attributes might be less than the sizes that +enic_set_vf_port expects. This might cause an out of bands +read access in the memcpys of the data of these +attributes in enic_set_vf_port. 
+ +Fixes: f8bd909183ac ("net: Add ndo_{set|get}_vf_port support for enic dynamic vnics") +Signed-off-by: Roded Zats +Link: https://lore.kernel.org/r/20240522073044.33519-1-rzats@paloaltonetworks.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cisco/enic/enic_main.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/drivers/net/ethernet/cisco/enic/enic_main.c b/drivers/net/ethernet/cisco/enic/enic_main.c +index 548d8095c0a79..b695f3f233286 100644 +--- a/drivers/net/ethernet/cisco/enic/enic_main.c ++++ b/drivers/net/ethernet/cisco/enic/enic_main.c +@@ -1117,18 +1117,30 @@ static int enic_set_vf_port(struct net_device *netdev, int vf, + pp->request = nla_get_u8(port[IFLA_PORT_REQUEST]); + + if (port[IFLA_PORT_PROFILE]) { ++ if (nla_len(port[IFLA_PORT_PROFILE]) != PORT_PROFILE_MAX) { ++ memcpy(pp, &prev_pp, sizeof(*pp)); ++ return -EINVAL; ++ } + pp->set |= ENIC_SET_NAME; + memcpy(pp->name, nla_data(port[IFLA_PORT_PROFILE]), + PORT_PROFILE_MAX); + } + + if (port[IFLA_PORT_INSTANCE_UUID]) { ++ if (nla_len(port[IFLA_PORT_INSTANCE_UUID]) != PORT_UUID_MAX) { ++ memcpy(pp, &prev_pp, sizeof(*pp)); ++ return -EINVAL; ++ } + pp->set |= ENIC_SET_INSTANCE; + memcpy(pp->instance_uuid, + nla_data(port[IFLA_PORT_INSTANCE_UUID]), PORT_UUID_MAX); + } + + if (port[IFLA_PORT_HOST_UUID]) { ++ if (nla_len(port[IFLA_PORT_HOST_UUID]) != PORT_UUID_MAX) { ++ memcpy(pp, &prev_pp, sizeof(*pp)); ++ return -EINVAL; ++ } + pp->set |= ENIC_SET_HOST; + memcpy(pp->host_uuid, + nla_data(port[IFLA_PORT_HOST_UUID]), PORT_UUID_MAX); +-- +2.43.0 + diff --git a/queue-5.10/hwmon-shtc1-fix-property-misspelling.patch b/queue-5.10/hwmon-shtc1-fix-property-misspelling.patch new file mode 100644 index 00000000000..45e130b9e3d --- /dev/null +++ b/queue-5.10/hwmon-shtc1-fix-property-misspelling.patch 
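Review bot: The three added length checks in `enic_set_vf_port()` each repeat the same rollback, `memcpy(pp, &prev_pp, sizeof(*pp)); return -EINVAL;`, in the middle of code that is already writing `pp`. An attribute added later would have to remember both the check and the rollback. Checking all three `nla_len()` values once, before the first `pp->set |= ...`, leaves a single rejection path; the rollback stays because `pp->request` is assigned just above in the hunk. The exact-size requirement also means a shorter `IFLA_PORT_PROFILE` string is rejected rather than copied by its own length, which the comment in the sketch below records. The function begins and continues outside the hunk.

```c
	/* … unchanged: pp->request = nla_get_u8(port[IFLA_PORT_REQUEST]); … */

	/*
	 * The copies below always read PORT_PROFILE_MAX / PORT_UUID_MAX bytes,
	 * so each attribute must have exactly that length; the netlink policy
	 * only enforces a maximum.
	 */
	if ((port[IFLA_PORT_PROFILE] &&
	     nla_len(port[IFLA_PORT_PROFILE]) != PORT_PROFILE_MAX) ||
	    (port[IFLA_PORT_INSTANCE_UUID] &&
	     nla_len(port[IFLA_PORT_INSTANCE_UUID]) != PORT_UUID_MAX) ||
	    (port[IFLA_PORT_HOST_UUID] &&
	     nla_len(port[IFLA_PORT_HOST_UUID]) != PORT_UUID_MAX)) {
		memcpy(pp, &prev_pp, sizeof(*pp));
		return -EINVAL;
	}

	/* … unchanged: the three copy blocks, without their per-attribute length checks … */
```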
@@ -0,0 +1,36 @@ +From 86e4531a88fd02ffc21f7f8ce77b8ea4ef1af502 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 May 2024 08:20:14 -0700 +Subject: hwmon: (shtc1) Fix property misspelling + +From: Guenter Roeck + +[ Upstream commit 52a2c70c3ec555e670a34dd1ab958986451d2dd2 ] + +The property name is "sensirion,low-precision", not +"sensicon,low-precision". + +Cc: Chris Ruehl +Fixes: be7373b60df5 ("hwmon: shtc1: add support for device tree bindings") +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/shtc1.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hwmon/shtc1.c b/drivers/hwmon/shtc1.c +index 18546ebc8e9f7..0365643029aee 100644 +--- a/drivers/hwmon/shtc1.c ++++ b/drivers/hwmon/shtc1.c +@@ -238,7 +238,7 @@ static int shtc1_probe(struct i2c_client *client) + + if (np) { + data->setup.blocking_io = of_property_read_bool(np, "sensirion,blocking-io"); +- data->setup.high_precision = !of_property_read_bool(np, "sensicon,low-precision"); ++ data->setup.high_precision = !of_property_read_bool(np, "sensirion,low-precision"); + } else { + if (client->dev.platform_data) + data->setup = *(struct shtc1_platform_data *)dev->platform_data; +-- +2.43.0 + diff --git a/queue-5.10/ipvlan-dont-use-skb-sk-in-ipvlan_process_v-4-6-_outb.patch b/queue-5.10/ipvlan-dont-use-skb-sk-in-ipvlan_process_v-4-6-_outb.patch new file mode 100644 index 00000000000..166b562d1c3 --- /dev/null +++ b/queue-5.10/ipvlan-dont-use-skb-sk-in-ipvlan_process_v-4-6-_outb.patch 
@@ -0,0 +1,107 @@ +From 588c66846d9c081fad33f9a543cb38b7e61b5741 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 May 2024 17:56:33 +0800 +Subject: ipvlan: Dont Use skb->sk in ipvlan_process_v{4,6}_outbound + +From: Yue Haibing + +[ Upstream commit b3dc6e8003b500861fa307e9a3400c52e78e4d3a ] + +Raw packet from PF_PACKET socket ontop of an IPv6-backed ipvlan device will +hit WARN_ON_ONCE() in sk_mc_loop() through sch_direct_xmit() path. + +WARNING: CPU: 2 PID: 0 at net/core/sock.c:775 sk_mc_loop+0x2d/0x70 +Modules linked in: sch_netem ipvlan rfkill cirrus drm_shmem_helper sg drm_kms_helper +CPU: 2 PID: 0 Comm: swapper/2 Kdump: loaded Not tainted 6.9.0+ #279 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 +RIP: 0010:sk_mc_loop+0x2d/0x70 +Code: fa 0f 1f 44 00 00 65 0f b7 15 f7 96 a3 4f 31 c0 66 85 d2 75 26 48 85 ff 74 1c +RSP: 0018:ffffa9584015cd78 EFLAGS: 00010212 +RAX: 0000000000000011 RBX: ffff91e585793e00 RCX: 0000000002c6a001 +RDX: 0000000000000000 RSI: 0000000000000040 RDI: ffff91e589c0f000 +RBP: ffff91e5855bd100 R08: 0000000000000000 R09: 3d00545216f43d00 +R10: ffff91e584fdcc50 R11: 00000060dd8616f4 R12: ffff91e58132d000 +R13: ffff91e584fdcc68 R14: ffff91e5869ce800 R15: ffff91e589c0f000 +FS: 0000000000000000(0000) GS:ffff91e898100000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f788f7c44c0 CR3: 0000000008e1a000 CR4: 00000000000006f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + ? __warn (kernel/panic.c:693) + ? sk_mc_loop (net/core/sock.c:760) + ? report_bug (lib/bug.c:201 lib/bug.c:219) + ? handle_bug (arch/x86/kernel/traps.c:239) + ? exc_invalid_op (arch/x86/kernel/traps.c:260 (discriminator 1)) + ? asm_exc_invalid_op (./arch/x86/include/asm/idtentry.h:621) + ? sk_mc_loop (net/core/sock.c:760) + ip6_finish_output2 (net/ipv6/ip6_output.c:83 (discriminator 1)) + ? 
nf_hook_slow (net/netfilter/core.c:626) + ip6_finish_output (net/ipv6/ip6_output.c:222) + ? __pfx_ip6_finish_output (net/ipv6/ip6_output.c:215) + ipvlan_xmit_mode_l3 (drivers/net/ipvlan/ipvlan_core.c:602) ipvlan + ipvlan_start_xmit (drivers/net/ipvlan/ipvlan_main.c:226) ipvlan + dev_hard_start_xmit (net/core/dev.c:3594) + sch_direct_xmit (net/sched/sch_generic.c:343) + __qdisc_run (net/sched/sch_generic.c:416) + net_tx_action (net/core/dev.c:5286) + handle_softirqs (kernel/softirq.c:555) + __irq_exit_rcu (kernel/softirq.c:589) + sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1043) + +The warning triggers as this: +packet_sendmsg + packet_snd //skb->sk is packet sk + __dev_queue_xmit + __dev_xmit_skb //q->enqueue is not NULL + __qdisc_run + sch_direct_xmit + dev_hard_start_xmit + ipvlan_start_xmit + ipvlan_xmit_mode_l3 //l3 mode + ipvlan_process_outbound //vepa flag + ipvlan_process_v6_outbound + ip6_local_out + __ip6_finish_output + ip6_finish_output2 //multicast packet + sk_mc_loop //sk->sk_family is AF_PACKET + +Call ip{6}_local_out() with NULL sk in ipvlan as other tunnels to fix this. 
+ +Fixes: 2ad7bf363841 ("ipvlan: Initial check-in of the IPVLAN driver.") +Suggested-by: Eric Dumazet +Signed-off-by: Yue Haibing +Reviewed-by: Eric Dumazet +Link: https://lore.kernel.org/r/20240529095633.613103-1-yuehaibing@huawei.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ipvlan/ipvlan_core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c +index bfea28bd45027..d04b1450875b6 100644 +--- a/drivers/net/ipvlan/ipvlan_core.c ++++ b/drivers/net/ipvlan/ipvlan_core.c +@@ -440,7 +440,7 @@ static noinline_for_stack int ipvlan_process_v4_outbound(struct sk_buff *skb) + + memset(IPCB(skb), 0, sizeof(*IPCB(skb))); + +- err = ip_local_out(net, skb->sk, skb); ++ err = ip_local_out(net, NULL, skb); + if (unlikely(net_xmit_eval(err))) + DEV_STATS_INC(dev, tx_errors); + else +@@ -495,7 +495,7 @@ static int ipvlan_process_v6_outbound(struct sk_buff *skb) + + memset(IP6CB(skb), 0, sizeof(*IP6CB(skb))); + +- err = ip6_local_out(dev_net(dev), skb->sk, skb); ++ err = ip6_local_out(dev_net(dev), NULL, skb); + if (unlikely(net_xmit_eval(err))) + DEV_STATS_INC(dev, tx_errors); + else +-- +2.43.0 + diff --git a/queue-5.10/kconfig-fix-comparison-to-constant-symbols-m-n.patch b/queue-5.10/kconfig-fix-comparison-to-constant-symbols-m-n.patch new file mode 100644 index 00000000000..74c33b3ca61 --- /dev/null +++ b/queue-5.10/kconfig-fix-comparison-to-constant-symbols-m-n.patch 
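Review bot: Both `ip_local_out(net, NULL, skb)` and `ip6_local_out(dev_net(dev), NULL, skb)` now pass a bare `NULL` where `skb->sk` used to be, with nothing at the call sites saying why. That invites a later cleanup to put the socket back. A short comment at each call, e.g. `/* skb->sk may be a PF_PACKET socket; pass no socket, as other tunnels do */`, would carry the reasoning from the commit message into the code. Both functions start and end outside their hunks.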
@@ -0,0 +1,128 @@ +From 8bef2002b9e8afd14bb6934b1cdebc58c03fe1d9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 19 May 2024 18:22:27 +0900 +Subject: kconfig: fix comparison to constant symbols, 'm', 'n' + +From: Masahiro Yamada + +[ Upstream commit aabdc960a283ba78086b0bf66ee74326f49e218e ] + +Currently, comparisons to 'm' or 'n' result in incorrect output. + +[Test Code] + + config MODULES + def_bool y + modules + + config A + def_tristate m + + config B + def_bool A > n + +CONFIG_B is unset, while CONFIG_B=y is expected. + +The reason for the issue is because Kconfig compares the tristate values +as strings. + +Currently, the .type fields in the constant symbol definitions, +symbol_{yes,mod,no} are unspecified, i.e., S_UNKNOWN. + +When expr_calc_value() evaluates 'A > n', it checks the types of 'A' and +'n' to determine how to compare them. + +The left-hand side, 'A', is a tristate symbol with a value of 'm', which +corresponds to a numeric value of 1. (Internally, 'y', 'm', and 'n' are +represented as 2, 1, and 0, respectively.) + +The right-hand side, 'n', has an unknown type, so it is treated as the +string "n" during the comparison. + +expr_calc_value() compares two values numerically only when both can +have numeric values. Otherwise, they are compared as strings. + + symbol numeric value ASCII code + ------------------------------------- + y 2 0x79 + m 1 0x6d + n 0 0x6e + +'m' is greater than 'n' if compared numerically (since 1 is greater +than 0), but smaller than 'n' if compared as strings (since the ASCII +code 0x6d is smaller than 0x6e). + +Specifying .type=S_TRISTATE for symbol_{yes,mod,no} fixes the above +test code. + +Doing so, however, would cause a regression to the following test code. + +[Test Code 2] + + config MODULES + def_bool n + modules + + config A + def_tristate n + + config B + def_bool A = m + +You would get CONFIG_B=y, while CONFIG_B should not be set. 
+ +The reason is because sym_get_string_value() turns 'm' into 'n' when the +module feature is disabled. Consequently, expr_calc_value() evaluates +'A = n' instead of 'A = m'. This oddity has been hidden because the type +of 'm' was previously S_UNKNOWN instead of S_TRISTATE. + +sym_get_string_value() should not tweak the string because the tristate +value has already been correctly calculated. There is no reason to +return the string "n" where its tristate value is mod. + +Fixes: 31847b67bec0 ("kconfig: allow use of relations other than (in)equality") +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/kconfig/symbol.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/scripts/kconfig/symbol.c b/scripts/kconfig/symbol.c +index a2056fa80de2b..ff4c5d314b4d7 100644 +--- a/scripts/kconfig/symbol.c ++++ b/scripts/kconfig/symbol.c +@@ -13,18 +13,21 @@ + + struct symbol symbol_yes = { + .name = "y", ++ .type = S_TRISTATE, + .curr = { "y", yes }, + .flags = SYMBOL_CONST|SYMBOL_VALID, + }; + + struct symbol symbol_mod = { + .name = "m", ++ .type = S_TRISTATE, + .curr = { "m", mod }, + .flags = SYMBOL_CONST|SYMBOL_VALID, + }; + + struct symbol symbol_no = { + .name = "n", ++ .type = S_TRISTATE, + .curr = { "n", no }, + .flags = SYMBOL_CONST|SYMBOL_VALID, + }; +@@ -776,8 +779,7 @@ const char *sym_get_string_value(struct symbol *sym) + case no: + return "n"; + case mod: +- sym_calc_value(modules_sym); +- return (modules_sym->curr.tri == no) ? "n" : "m"; ++ return "m"; + case yes: + return "y"; + } +-- +2.43.0 + diff --git a/queue-5.10/net-fec-add-fec_enet_deinit.patch b/queue-5.10/net-fec-add-fec_enet_deinit.patch new file mode 100644 index 00000000000..ed55bd2381a --- /dev/null +++ b/queue-5.10/net-fec-add-fec_enet_deinit.patch 
@@ -0,0 +1,63 @@ +From edd16368d552e3cb0f7237bd18bea3b3d98fe936 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 May 2024 13:05:28 +0800 +Subject: net:fec: Add fec_enet_deinit() + +From: Xiaolei Wang + +[ Upstream commit bf0497f53c8535f99b72041529d3f7708a6e2c0d ] + +When fec_probe() fails or fec_drv_remove() needs to release the +fec queue and remove a NAPI context, therefore add a function +corresponding to fec_enet_init() and call fec_enet_deinit() which +does the opposite to release memory and remove a NAPI context. + +Fixes: 59d0f7465644 ("net: fec: init multi queue date structure") +Signed-off-by: Xiaolei Wang +Reviewed-by: Wei Fang +Reviewed-by: Andrew Lunn +Link: https://lore.kernel.org/r/20240524050528.4115581-1-xiaolei.wang@windriver.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/fec_main.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c +index fe29769cb1589..adb76db66031f 100644 +--- a/drivers/net/ethernet/freescale/fec_main.c ++++ b/drivers/net/ethernet/freescale/fec_main.c +@@ -3443,6 +3443,14 @@ static int fec_enet_init(struct net_device *ndev) + return ret; + } + ++static void fec_enet_deinit(struct net_device *ndev) ++{ ++ struct fec_enet_private *fep = netdev_priv(ndev); ++ ++ netif_napi_del(&fep->napi); ++ fec_enet_free_queue(ndev); ++} ++ + #ifdef CONFIG_OF + static int fec_reset_phy(struct platform_device *pdev) + { +@@ -3813,6 +3821,7 @@ fec_probe(struct platform_device *pdev) + fec_enet_mii_remove(fep); + failed_mii_init: + failed_irq: ++ fec_enet_deinit(ndev); + failed_init: + fec_ptp_stop(pdev); + failed_reset: +@@ -3874,6 +3883,7 @@ fec_drv_remove(struct platform_device *pdev) + pm_runtime_put_noidle(&pdev->dev); + pm_runtime_disable(&pdev->dev); + ++ fec_enet_deinit(ndev); + free_netdev(ndev); + return 0; + } +-- +2.43.0 + 
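Review bot: `fec_enet_deinit()` is added without a comment tying it to `fec_enet_init()`. In `fec_probe()` the call sits under `failed_mii_init:`/`failed_irq:` and above `failed_init:`, so it is only safe if every jump to those two labels happens after `fec_enet_init()` has succeeded. A header such as `/* Undo fec_enet_init(): delete the NAPI context and free the queues; call only after fec_enet_init() succeeded. */` would state that ordering rule. The jumps themselves are outside the hunk, so confirm this against the 5.10 version of `fec_probe()`.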
diff --git a/queue-5.10/net-mlx5e-use-rx_missed_errors-instead-of-rx_dropped.patch b/queue-5.10/net-mlx5e-use-rx_missed_errors-instead-of-rx_dropped.patch new file mode 100644 index 00000000000..5d293733d43 --- /dev/null +++ b/queue-5.10/net-mlx5e-use-rx_missed_errors-instead-of-rx_dropped.patch @@ -0,0 +1,46 @@ +From 409f60f57af40bbfb56f67dbd2e715a18ebc7de1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 May 2024 22:26:58 +0300 +Subject: net/mlx5e: Use rx_missed_errors instead of rx_dropped for reporting + buffer exhaustion + +From: Carolina Jubran + +[ Upstream commit 5c74195d5dd977e97556e6fa76909b831c241230 ] + +Previously, the driver incorrectly used rx_dropped to report device +buffer exhaustion. + +According to the documentation, rx_dropped should not be used to count +packets dropped due to buffer exhaustion, which is the purpose of +rx_missed_errors. + +Use rx_missed_errors as intended for counting packets dropped due to +buffer exhaustion. + +Fixes: 269e6b3af3bf ("net/mlx5e: Report additional error statistics in get stats ndo") +Signed-off-by: Carolina Jubran +Signed-off-by: Tariq Toukan +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index 5673a4113253b..f1834853872da 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -3695,7 +3695,7 @@ mlx5e_get_stats(struct net_device *dev, struct rtnl_link_stats64 *stats) + mlx5e_fold_sw_stats64(priv, stats); + } + +- stats->rx_dropped = priv->stats.qcnt.rx_out_of_buffer; ++ stats->rx_missed_errors = priv->stats.qcnt.rx_out_of_buffer; + + stats->rx_length_errors = + PPORT_802_3_GET(pstats, a_in_range_length_errors) + +-- +2.43.0 + 
diff --git a/queue-5.10/net-usb-smsc95xx-fix-changing-led_sel-bit-value-upda.patch b/queue-5.10/net-usb-smsc95xx-fix-changing-led_sel-bit-value-upda.patch new file mode 100644 index 00000000000..6f9eae4bf12 --- /dev/null +++ b/queue-5.10/net-usb-smsc95xx-fix-changing-led_sel-bit-value-upda.patch 
@@ -0,0 +1,68 @@ +From 15d5b40525ae26101e8afea161a84247c4ec48ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 May 2024 14:23:14 +0530 +Subject: net: usb: smsc95xx: fix changing LED_SEL bit value updated from + EEPROM + +From: Parthiban Veerasooran + +[ Upstream commit 52a2f0608366a629d43dacd3191039c95fef74ba ] + +LED Select (LED_SEL) bit in the LED General Purpose IO Configuration +register is used to determine the functionality of external LED pins +(Speed Indicator, Link and Activity Indicator, Full Duplex Link +Indicator). The default value for this bit is 0 when no EEPROM is +present. If a EEPROM is present, the default value is the value of the +LED Select bit in the Configuration Flags of the EEPROM. A USB Reset or +Lite Reset (LRST) will cause this bit to be restored to the image value +last loaded from EEPROM, or to be set to 0 if no EEPROM is present. + +While configuring the dual purpose GPIO/LED pins to LED outputs in the +LED General Purpose IO Configuration register, the LED_SEL bit is changed +as 0 and resulting the configured value from the EEPROM is cleared. The +issue is fixed by using read-modify-write approach. 
+ +Fixes: f293501c61c5 ("smsc95xx: configure LED outputs") +Signed-off-by: Parthiban Veerasooran +Reviewed-by: Simon Horman +Reviewed-by: Woojung Huh +Link: https://lore.kernel.org/r/20240523085314.167650-1-Parthiban.Veerasooran@microchip.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/usb/smsc95xx.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/usb/smsc95xx.c b/drivers/net/usb/smsc95xx.c +index 2778ad6726f03..30e5f6910e6fd 100644 +--- a/drivers/net/usb/smsc95xx.c ++++ b/drivers/net/usb/smsc95xx.c +@@ -845,7 +845,7 @@ static int smsc95xx_start_rx_path(struct usbnet *dev, int in_pm) + static int smsc95xx_reset(struct usbnet *dev) + { + struct smsc95xx_priv *pdata = dev->driver_priv; +- u32 read_buf, write_buf, burst_cap; ++ u32 read_buf, burst_cap; + int ret = 0, timeout; + + netif_dbg(dev, ifup, dev->net, "entering smsc95xx_reset\n"); +@@ -987,10 +987,13 @@ static int smsc95xx_reset(struct usbnet *dev) + return ret; + netif_dbg(dev, ifup, dev->net, "ID_REV = 0x%08x\n", read_buf); + ++ ret = smsc95xx_read_reg(dev, LED_GPIO_CFG, &read_buf); ++ if (ret < 0) ++ return ret; + /* Configure GPIO pins as LED outputs */ +- write_buf = LED_GPIO_CFG_SPD_LED | LED_GPIO_CFG_LNK_LED | +- LED_GPIO_CFG_FDX_LED; +- ret = smsc95xx_write_reg(dev, LED_GPIO_CFG, write_buf); ++ read_buf |= LED_GPIO_CFG_SPD_LED | LED_GPIO_CFG_LNK_LED | ++ LED_GPIO_CFG_FDX_LED; ++ ret = smsc95xx_write_reg(dev, LED_GPIO_CFG, read_buf); + if (ret < 0) + return ret; + +-- +2.43.0 + diff --git a/queue-5.10/netfilter-nfnetlink_queue-acquire-rcu_read_lock-in-i.patch b/queue-5.10/netfilter-nfnetlink_queue-acquire-rcu_read_lock-in-i.patch new file mode 100644 index 00000000000..0579d78650d --- /dev/null +++ b/queue-5.10/netfilter-nfnetlink_queue-acquire-rcu_read_lock-in-i.patch 
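Review bot: In `smsc95xx_reset()` the new read-modify-write reuses `read_buf`, which just above held `ID_REV`, and the existing comment `/* Configure GPIO pins as LED outputs */` now sits between the read and the OR without saying what is being preserved. Moving the comment above the read and extending it, e.g. `/* Configure GPIO pins as LED outputs; read first so LED_SEL loaded from EEPROM is kept */`, would make the intent visible at the call site. Because the update only ORs bits in, any other field already set in `LED_GPIO_CFG` is carried over too, which is worth checking against the register layout. The function starts and ends outside the hunk.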
@@ -0,0 +1,79 @@
+From f07635e0da3801e5bc88c9650c15d0cc1c81b732 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 15 May 2024 13:23:39 +0000
+Subject: netfilter: nfnetlink_queue: acquire rcu_read_lock() in
+ instance_destroy_rcu()
+
+From: Eric Dumazet
+
+[ Upstream commit dc21c6cc3d6986d938efbf95de62473982c98dec ]
+
+syzbot reported that nf_reinject() could be called without rcu_read_lock() :
+
+WARNING: suspicious RCU usage
+6.9.0-rc7-syzkaller-02060-g5c1672705a1a #0 Not tainted
+
+net/netfilter/nfnetlink_queue.c:263 suspicious rcu_dereference_check() usage!
+
+other info that might help us debug this:
+
+rcu_scheduler_active = 2, debug_locks = 1
+2 locks held by syz-executor.4/13427:
+ #0: ffffffff8e334f60 (rcu_callback){....}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:329 [inline]
+ #0: ffffffff8e334f60 (rcu_callback){....}-{0:0}, at: rcu_do_batch kernel/rcu/tree.c:2190 [inline]
+ #0: ffffffff8e334f60 (rcu_callback){....}-{0:0}, at: rcu_core+0xa86/0x1830 kernel/rcu/tree.c:2471
+ #1: ffff88801ca92958 (&inst->lock){+.-.}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]
+ #1: ffff88801ca92958 (&inst->lock){+.-.}-{2:2}, at: nfqnl_flush net/netfilter/nfnetlink_queue.c:405 [inline]
+ #1: ffff88801ca92958 (&inst->lock){+.-.}-{2:2}, at: instance_destroy_rcu+0x30/0x220 net/netfilter/nfnetlink_queue.c:172
+
+stack backtrace:
+CPU: 0 PID: 13427 Comm: syz-executor.4 Not tainted 6.9.0-rc7-syzkaller-02060-g5c1672705a1a #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
+Call Trace:
+
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
+ lockdep_rcu_suspicious+0x221/0x340 kernel/locking/lockdep.c:6712
+ nf_reinject net/netfilter/nfnetlink_queue.c:323 [inline]
+ nfqnl_reinject+0x6ec/0x1120 net/netfilter/nfnetlink_queue.c:397
+ nfqnl_flush net/netfilter/nfnetlink_queue.c:410 [inline]
+ instance_destroy_rcu+0x1ae/0x220 net/netfilter/nfnetlink_queue.c:172
+ rcu_do_batch kernel/rcu/tree.c:2196 [inline]
+ rcu_core+0xafd/0x1830 kernel/rcu/tree.c:2471
+ handle_softirqs+0x2d6/0x990 kernel/softirq.c:554
+ __do_softirq kernel/softirq.c:588 [inline]
+ invoke_softirq kernel/softirq.c:428 [inline]
+ __irq_exit_rcu+0xf4/0x1c0 kernel/softirq.c:637
+ irq_exit_rcu+0x9/0x30 kernel/softirq.c:649
+ instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
+ sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043
+
+
+
+Fixes: 9872bec773c2 ("[NETFILTER]: nfnetlink: use RCU for queue instances hash")
+Reported-by: syzbot
+Signed-off-by: Eric Dumazet
+Acked-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nfnetlink_queue.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
+index 9d87606c76ff4..dc6af1919deaf 100644
+--- a/net/netfilter/nfnetlink_queue.c
++++ b/net/netfilter/nfnetlink_queue.c
+@@ -167,7 +167,9 @@ instance_destroy_rcu(struct rcu_head *head)
+ struct nfqnl_instance *inst = container_of(head, struct nfqnl_instance,
+ rcu);
+
++ rcu_read_lock();
+ nfqnl_flush(inst, NULL, 0);
++ rcu_read_unlock();
+ kfree(inst);
+ module_put(THIS_MODULE);
+ }
+--
+2.43.0
+
diff --git a/queue-5.10/netfilter-nft_payload-restore-vlan-q-in-q-match-supp.patch b/queue-5.10/netfilter-nft_payload-restore-vlan-q-in-q-match-supp.patch
new file mode 100644
index 00000000000..30257c502aa
--- /dev/null
+++ b/queue-5.10/netfilter-nft_payload-restore-vlan-q-in-q-match-supp.patch
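Review bot: The new `rcu_read_lock()`/`rcu_read_unlock()` pair in instance_destroy_rcu() carries no comment, and taking the read lock inside an RCU callback will look redundant to anyone who has not seen the lockdep report. A one-line comment above the pair would keep it from being removed in a later cleanup, e.g. `/* nfqnl_flush() can reach nf_reinject(), which uses rcu_dereference(); running as an RCU callback does not satisfy that check */`. The call chain is taken from the trace in the commit message, not from code visible in this hunk.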
@@ -0,0 +1,74 @@
+From b660f64d757e2a9b9b59bbc97e7b1835f303c62d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 9 May 2024 23:02:24 +0200
+Subject: netfilter: nft_payload: restore vlan q-in-q match support
+
+From: Pablo Neira Ayuso
+
+[ Upstream commit aff5c01fa1284d606f8e7cbdaafeef2511bb46c1 ]
+
+Revert f6ae9f120dad ("netfilter: nft_payload: add C-VLAN support").
+
+f41f72d09ee1 ("netfilter: nft_payload: simplify vlan header handling")
+already allows to match on inner vlan tags by subtract the vlan header
+size to the payload offset which has been popped and stored in skbuff
+metadata fields.
+
+Fixes: f6ae9f120dad ("netfilter: nft_payload: add C-VLAN support")
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nft_payload.c | 23 +++++++----------------
+ 1 file changed, 7 insertions(+), 16 deletions(-)
+
+diff --git a/net/netfilter/nft_payload.c b/net/netfilter/nft_payload.c
+index 56f6c05362ae8..fa64b1b8ae918 100644
+--- a/net/netfilter/nft_payload.c
++++ b/net/netfilter/nft_payload.c
+@@ -44,36 +44,27 @@ nft_payload_copy_vlan(u32 *d, const struct sk_buff *skb, u8 offset, u8 len)
+ int mac_off = skb_mac_header(skb) - skb->data;
+ u8 *vlanh, *dst_u8 = (u8 *) d;
+ struct vlan_ethhdr veth;
+- u8 vlan_hlen = 0;
+-
+- if ((skb->protocol == htons(ETH_P_8021AD) ||
+- skb->protocol == htons(ETH_P_8021Q)) &&
+- offset >= VLAN_ETH_HLEN && offset < VLAN_ETH_HLEN + VLAN_HLEN)
+- vlan_hlen += VLAN_HLEN;
+
+ vlanh = (u8 *) &veth;
+- if (offset < VLAN_ETH_HLEN + vlan_hlen) {
++ if (offset < VLAN_ETH_HLEN) {
+ u8 ethlen = len;
+
+- if (vlan_hlen &&
+- skb_copy_bits(skb, mac_off, &veth, VLAN_ETH_HLEN) < 0)
+- return false;
+- else if (!nft_payload_rebuild_vlan_hdr(skb, mac_off, &veth))
++ if (!nft_payload_rebuild_vlan_hdr(skb, mac_off, &veth))
+ return false;
+
+- if (offset + len > VLAN_ETH_HLEN + vlan_hlen)
+- ethlen -= offset + len - VLAN_ETH_HLEN - vlan_hlen;
++ if (offset + len > VLAN_ETH_HLEN)
++ ethlen -= offset + len - VLAN_ETH_HLEN;
+
+- memcpy(dst_u8, vlanh + offset - vlan_hlen, ethlen);
++ memcpy(dst_u8, vlanh + offset, ethlen);
+
+ len -= ethlen;
+ if (len == 0)
+ return true;
+
+ dst_u8 += ethlen;
+- offset = ETH_HLEN + vlan_hlen;
++ offset = ETH_HLEN;
+ } else {
+- offset -= VLAN_HLEN + vlan_hlen;
++ offset -= VLAN_HLEN;
+ }
+
+ return skb_copy_bits(skb, offset + mac_off, dst_u8, len) == 0;
+--
+2.43.0
+
diff --git a/queue-5.10/netfilter-tproxy-bail-out-if-ip-has-been-disabled-on.patch b/queue-5.10/netfilter-tproxy-bail-out-if-ip-has-been-disabled-on.patch
new file mode 100644
index 00000000000..b83274b8ddf
--- /dev/null
+++ b/queue-5.10/netfilter-tproxy-bail-out-if-ip-has-been-disabled-on.patch
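Review bot: After the revert, `memcpy(dst_u8, vlanh + offset, ethlen)` in nft_payload_copy_vlan() stays inside the on-stack `veth` only because the branch requires `offset < VLAN_ETH_HLEN` and `ethlen` is trimmed to `VLAN_ETH_HLEN - offset` just above, and nothing states that invariant. A short comment before the copy, e.g. `/* offset + ethlen <= VLAN_ETH_HLEN here, so the copy stays within veth */`, would make the bound reviewable without redoing the u8 arithmetic (this assumes sizeof(veth) equals VLAN_ETH_HLEN). The same goes for `offset -= VLAN_HLEN` in the else branch, which cannot wrap because that branch is only reached with `offset >= VLAN_ETH_HLEN`. The function starts above this hunk, so how callers validate `offset` and `len` is not visible here.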
@@ -0,0 +1,45 @@
+From 82544584d756d7c15ea73e9e6d690eb152fe0bf8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 13 May 2024 12:27:15 +0200
+Subject: netfilter: tproxy: bail out if IP has been disabled on the device
+
+From: Florian Westphal
+
+[ Upstream commit 21a673bddc8fd4873c370caf9ae70ffc6d47e8d3 ]
+
+syzbot reports:
+general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN PTI
+KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
+[..]
+RIP: 0010:nf_tproxy_laddr4+0xb7/0x340 net/ipv4/netfilter/nf_tproxy_ipv4.c:62
+Call Trace:
+ nft_tproxy_eval_v4 net/netfilter/nft_tproxy.c:56 [inline]
+ nft_tproxy_eval+0xa9a/0x1a00 net/netfilter/nft_tproxy.c:168
+
+__in_dev_get_rcu() can return NULL, so check for this.
+
+Reported-and-tested-by: syzbot+b94a6818504ea90d7661@syzkaller.appspotmail.com
+Fixes: cc6eb4338569 ("tproxy: use the interface primary IP address as a default value for --on-ip")
+Signed-off-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/netfilter/nf_tproxy_ipv4.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/ipv4/netfilter/nf_tproxy_ipv4.c b/net/ipv4/netfilter/nf_tproxy_ipv4.c
+index 61cb2341f50fe..7c1a0cd9f4359 100644
+--- a/net/ipv4/netfilter/nf_tproxy_ipv4.c
++++ b/net/ipv4/netfilter/nf_tproxy_ipv4.c
+@@ -58,6 +58,8 @@ __be32 nf_tproxy_laddr4(struct sk_buff *skb, __be32 user_laddr, __be32 daddr)
+
+ laddr = 0;
+ indev = __in_dev_get_rcu(skb->dev);
++ if (!indev)
++ return daddr;
+
+ in_dev_for_each_ifa_rcu(ifa, indev) {
+ if (ifa->ifa_flags & IFA_F_SECONDARY)
+--
+2.43.0
+
diff --git a/queue-5.10/nvmet-fix-ns-enable-disable-possible-hang.patch b/queue-5.10/nvmet-fix-ns-enable-disable-possible-hang.patch
new file mode 100644
index 00000000000..5b951f3547c
--- /dev/null
+++ b/queue-5.10/nvmet-fix-ns-enable-disable-possible-hang.patch
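Review bot: The new early return in nf_tproxy_laddr4() is undocumented, and returning `daddr` instead of signalling an error is a policy choice a reader cannot infer from `if (!indev)` alone. I would add `/* IPv4 may have been disabled on skb->dev; fall back to the packet's destination address */` above the check; the wording follows the commit subject. The rest of the function is outside the hunk, so I cannot confirm that this fallback matches what the function returns when the loop finds no primary address, and that is worth checking.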
@@ -0,0 +1,59 @@
+From 422323066755f405c090e75aad95c94821f79216 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 21 May 2024 23:20:28 +0300
+Subject: nvmet: fix ns enable/disable possible hang
+
+From: Sagi Grimberg
+
+[ Upstream commit f97914e35fd98b2b18fb8a092e0a0799f73afdfe ]
+
+When disabling an nvmet namespace, there is a period where the
+subsys->lock is released, as the ns disable waits for backend IO to
+complete, and the ns percpu ref to be properly killed. The original
+intent was to avoid taking the subsystem lock for a prolong period as
+other processes may need to acquire it (for example new incoming
+connections).
+
+However, it opens up a window where another process may come in and
+enable the ns, (re)intiailizing the ns percpu_ref, causing the disable
+sequence to hang.
+
+Solve this by taking the global nvmet_config_sem over the entire configfs
+enable/disable sequence.
+
+Fixes: a07b4970f464 ("nvmet: add a generic NVMe target")
+Signed-off-by: Sagi Grimberg
+Reviewed-by: Christoph Hellwig
+Reviewed-by: Chaitanya Kulkarni
+Signed-off-by: Keith Busch
+Signed-off-by: Sasha Levin
+---
+ drivers/nvme/target/configfs.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/nvme/target/configfs.c b/drivers/nvme/target/configfs.c
+index 9aed5cc710960..f2d11fc047524 100644
+--- a/drivers/nvme/target/configfs.c
++++ b/drivers/nvme/target/configfs.c
+@@ -532,10 +532,18 @@ static ssize_t nvmet_ns_enable_store(struct config_item *item,
+ if (strtobool(page, &enable))
+ return -EINVAL;
+
++ /*
++ * take a global nvmet_config_sem because the disable routine has a
++ * window where it releases the subsys-lock, giving a chance to
++ * a parallel enable to concurrently execute causing the disable to
++ * have a misaccounting of the ns percpu_ref.
++ */
++ down_write(&nvmet_config_sem);
+ if (enable)
+ ret = nvmet_ns_enable(ns);
+ else
+ nvmet_ns_disable(ns);
++ up_write(&nvmet_config_sem);
+
+ return ret ? ret : count;
+ }
+--
+2.43.0
+
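Review bot: Holding the global `nvmet_config_sem` for writing across `nvmet_ns_disable()` in nvmet_ns_enable_store() means every other path that takes this semaphore now waits while the disable path waits for backend I/O, which the commit message itself describes as a possibly prolonged period. The added comment explains the race but neither this cost nor the resulting lock order; I would extend it with a line such as `* Lock order: nvmet_config_sem is taken before subsys->lock.` and confirm that no existing path takes the two in the opposite order. The ordering is inferred from the commit message, since nvmet_ns_enable() and nvmet_ns_disable() are outside this hunk.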
diff --git a/queue-5.10/powerpc-uaccess-use-asm-goto-for-get_user-when-compi.patch b/queue-5.10/powerpc-uaccess-use-asm-goto-for-get_user-when-compi.patch
new file mode 100644
index 00000000000..96c47209fe6
--- /dev/null
+++ b/queue-5.10/powerpc-uaccess-use-asm-goto-for-get_user-when-compi.patch
@@ -0,0 +1,102 @@
+From 4c528bdeb18f788ffe99be5c97c543fe980a5f00 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 10 Mar 2021 17:46:54 +0000
+Subject: powerpc/uaccess: Use asm goto for get_user when compiler supports it
+
+From: Christophe Leroy
+
+[ Upstream commit 5cd29b1fd3e8f2b45fe6d011588d832417defe31 ]
+
+clang 11 and future GCC are supporting asm goto with outputs.
+
+Use it to implement get_user in order to get better generated code.
+
+Note that clang requires to set x in the default branch of
+__get_user_size_goto() otherwise is compliant about x not being
+initialised :puzzled:
+
+Signed-off-by: Christophe Leroy
+Signed-off-by: Michael Ellerman
+Link: https://lore.kernel.org/r/403745b5aaa1b315bb4e8e46c1ba949e77eecec0.1615398265.git.christophe.leroy@csgroup.eu
+Stable-dep-of: 50934945d542 ("powerpc/uaccess: Use YZ asm constraint for ld")
+Signed-off-by: Sasha Levin
+---
+ arch/powerpc/include/asm/uaccess.h | 55 ++++++++++++++++++++++++++++++
+ 1 file changed, 55 insertions(+)
+
+diff --git a/arch/powerpc/include/asm/uaccess.h b/arch/powerpc/include/asm/uaccess.h
+index 6b808bcdecd52..d4d59f57c42d9 100644
+--- a/arch/powerpc/include/asm/uaccess.h
++++ b/arch/powerpc/include/asm/uaccess.h
+@@ -243,6 +243,59 @@ extern long __get_user_bad(void);
+ : "=r" (err) \
+ : "b" (uaddr), "b" (kaddr), "i" (-EFAULT), "0" (err))
+
++#ifdef CONFIG_CC_HAS_ASM_GOTO_OUTPUT
++
++#define __get_user_asm_goto(x, addr, label, op) \
++ asm_volatile_goto( \
++ "1: "op"%U1%X1 %0, %1 # get_user\n" \
++ EX_TABLE(1b, %l2) \
++ : "=r" (x) \
++ : "m"UPD_CONSTR (*addr) \
++ : \
++ : label)
++
++#ifdef __powerpc64__
++#define __get_user_asm2_goto(x, addr, label) \
++ __get_user_asm_goto(x, addr, label, "ld")
++#else /* __powerpc64__ */
++#define __get_user_asm2_goto(x, addr, label) \
++ asm_volatile_goto( \
++ "1: lwz%X1 %0, %1\n" \
++ "2: lwz%X1 %L0, %L1\n" \
++ EX_TABLE(1b, %l2) \
++ EX_TABLE(2b, %l2) \
++ : "=r" (x) \
++ : "m" (*addr) \
++ : \
++ : label)
++#endif /* __powerpc64__ */
++
++#define __get_user_size_goto(x, ptr, size, label) \
++do { \
++ BUILD_BUG_ON(size > sizeof(x)); \
++ switch (size) { \
++ case 1: __get_user_asm_goto(x, (u8 __user *)ptr, label, "lbz"); break; \
++ case 2: __get_user_asm_goto(x, (u16 __user *)ptr, label, "lhz"); break; \
++ case 4: __get_user_asm_goto(x, (u32 __user *)ptr, label, "lwz"); break; \
++ case 8: __get_user_asm2_goto(x, (u64 __user *)ptr, label); break; \
++ default: x = 0; BUILD_BUG(); \
++ } \
++} while (0)
++
++#define __get_user_size_allowed(x, ptr, size, retval) \
++do { \
++ __label__ __gus_failed; \
++ \
++ __get_user_size_goto(x, ptr, size, __gus_failed); \
++ retval = 0; \
++ break; \
++__gus_failed: \
++ x = 0; \
++ retval = -EFAULT; \
++} while (0)
++
++#else /* CONFIG_CC_HAS_ASM_GOTO_OUTPUT */
++
+ #define __get_user_asm(x, addr, err, op) \
+ __asm__ __volatile__( \
+ "1: "op"%U2%X2 %1, %2 # get_user\n" \
+@@ -299,6 +352,8 @@ do { \
+ prevent_read_from_user(ptr, size); \
+ } while (0)
+
++#endif /* CONFIG_CC_HAS_ASM_GOTO_OUTPUT */
++
+ /*
+ * This is a type: either unsigned long, if the argument fits into
+ * that type, or otherwise unsigned long long.
+--
+2.43.0
+
diff --git a/queue-5.10/powerpc-uaccess-use-yz-asm-constraint-for-ld.patch b/queue-5.10/powerpc-uaccess-use-yz-asm-constraint-for-ld.patch
new file mode 100644
index 00000000000..a4fa64cb07d
--- /dev/null
+++ b/queue-5.10/powerpc-uaccess-use-yz-asm-constraint-for-ld.patch
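Review bot: `__get_user_size_goto()` leaves `x` unassigned when the load faults and control jumps to `label`; only the wrapper `__get_user_size_allowed()` zeroes it, at `__gus_failed`. Nothing in the hunk documents that contract, so a later direct user of the goto variant could consume an uninitialised value on the fault path. A comment above the macro would be enough, e.g. `/* On a fault control transfers to label and x is not written; callers must not read x on that path */`. The `break;` before `__gus_failed:` also deserves a short note that it leaves the `do { } while (0)` so the success path skips the failure label.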
@@ -0,0 +1,64 @@
+From aef23da48335eb44fe56060767d2bbf789ab6feb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 29 May 2024 22:30:29 +1000
+Subject: powerpc/uaccess: Use YZ asm constraint for ld
+
+From: Michael Ellerman
+
+[ Upstream commit 50934945d54238d2d6d8db4b7c1d4c90d2696c57 ]
+
+The 'ld' instruction requires a 4-byte aligned displacement because it
+is a DS-form instruction. But the "m" asm constraint doesn't enforce
+that.
+
+Add a special case of __get_user_asm2_goto() so that the "YZ" constraint
+can be used for "ld".
+
+The "Z" constraint is documented in the GCC manual PowerPC machine
+constraints, and specifies a "memory operand accessed with indexed or
+indirect addressing". "Y" is not documented in the manual but specifies
+a "memory operand for a DS-form instruction". Using both allows the
+compiler to generate a DS-form "ld" or X-form "ldx" as appropriate.
+
+The change has to be conditional on CONFIG_PPC_KERNEL_PREFIXED because
+the "Y" constraint does not guarantee 4-byte alignment when prefixed
+instructions are enabled.
+
+No build errors have been reported due to this, but the possibility is
+there depending on compiler code generation decisions.
+
+Fixes: c20beffeec3c ("powerpc/uaccess: Use flexible addressing with __put_user()/__get_user()")
+Signed-off-by: Michael Ellerman
+Link: https://msgid.link/20240529123029.146953-2-mpe@ellerman.id.au
+Signed-off-by: Sasha Levin
+---
+ arch/powerpc/include/asm/uaccess.h | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/arch/powerpc/include/asm/uaccess.h b/arch/powerpc/include/asm/uaccess.h
+index d4d59f57c42d9..24ea177879b80 100644
+--- a/arch/powerpc/include/asm/uaccess.h
++++ b/arch/powerpc/include/asm/uaccess.h
+@@ -255,8 +255,19 @@ extern long __get_user_bad(void);
+ : label)
+
+ #ifdef __powerpc64__
++#ifdef CONFIG_PPC_KERNEL_PREFIXED
+ #define __get_user_asm2_goto(x, addr, label) \
+ __get_user_asm_goto(x, addr, label, "ld")
++#else
++#define __get_user_asm2_goto(x, addr, label) \
++ asm_goto_output( \
++ "1: ld%U1%X1 %0, %1 # get_user\n" \
++ EX_TABLE(1b, %l2) \
++ : "=r" (x) \
++ : DS_FORM_CONSTRAINT (*addr) \
++ : \
++ : label)
++#endif // CONFIG_PPC_KERNEL_PREFIXED
+ #else /* __powerpc64__ */
+ #define __get_user_asm2_goto(x, addr, label) \
+ asm_volatile_goto( \
+--
+2.43.0
+
diff --git a/queue-5.10/series b/queue-5.10/series
index 25bc2a16e5b..07c4481f774 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
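Review bot: The new `#else` branch of `__get_user_asm2_goto()` uses `asm_goto_output()` and `DS_FORM_CONSTRAINT`, and neither is defined in this patch or in the dependency patch queued just before it, which uses `asm_volatile_goto()` and `"m"UPD_CONSTR` for the same job. Unless the 5.10 tree already provides both names, this branch will not build, and it is the branch taken whenever `CONFIG_PPC_KERNEL_PREFIXED` is not set. Please confirm the definitions exist in 5.10, or queue the commits that add them ahead of this one. Minor: `#endif // CONFIG_PPC_KERNEL_PREFIXED` uses a `//` comment where the surrounding preprocessor lines use `/* ... */`.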
@@ -244,3 +244,21 @@ tls-fix-missing-memory-barrier-in-tls_init.patch
 tcp-remove-64-kbyte-limit-for-initial-tp-rcv_wnd-val.patch
 nfc-nci-fix-kcov-check-in-nci_rx_work.patch
 nfc-nci-fix-handling-of-zero-length-payload-packets-.patch
+netfilter-nfnetlink_queue-acquire-rcu_read_lock-in-i.patch
+netfilter-nft_payload-restore-vlan-q-in-q-match-supp.patch
+spi-don-t-mark-message-dma-mapped-when-no-transfer-i.patch
+nvmet-fix-ns-enable-disable-possible-hang.patch
+net-mlx5e-use-rx_missed_errors-instead-of-rx_dropped.patch
+dma-buf-sw-sync-don-t-enable-irq-from-sync_print_obj.patch
+bpf-fix-potential-integer-overflow-in-resolve_btfids.patch
+enic-validate-length-of-nl-attributes-in-enic_set_vf.patch
+net-usb-smsc95xx-fix-changing-led_sel-bit-value-upda.patch
+bpf-allow-delete-from-sockmap-sockhash-only-if-updat.patch
+net-fec-add-fec_enet_deinit.patch
+netfilter-tproxy-bail-out-if-ip-has-been-disabled-on.patch
+kconfig-fix-comparison-to-constant-symbols-m-n.patch
+spi-stm32-don-t-warn-about-spurious-interrupts.patch
+ipvlan-dont-use-skb-sk-in-ipvlan_process_v-4-6-_outb.patch
+powerpc-uaccess-use-asm-goto-for-get_user-when-compi.patch
+powerpc-uaccess-use-yz-asm-constraint-for-ld.patch
+hwmon-shtc1-fix-property-misspelling.patch
diff --git a/queue-5.10/spi-don-t-mark-message-dma-mapped-when-no-transfer-i.patch b/queue-5.10/spi-don-t-mark-message-dma-mapped-when-no-transfer-i.patch
new file mode 100644
index 00000000000..1d0f2643656
--- /dev/null
+++ b/queue-5.10/spi-don-t-mark-message-dma-mapped-when-no-transfer-i.patch
@@ -0,0 +1,48 @@
+From 31f91d4aa337282c41ce9cba156b250c777bf240 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 22 May 2024 20:09:49 +0300
+Subject: spi: Don't mark message DMA mapped when no transfer in it is
+
+From: Andy Shevchenko
+
+[ Upstream commit 9f788ba457b45b0ce422943fcec9fa35c4587764 ]
+
+There is no need to set the DMA mapped flag of the message if it has
+no mapped transfers. Moreover, it may give the code a chance to take
+the wrong paths, i.e. to exercise DMA related APIs on unmapped data.
+Make __spi_map_msg() to bail earlier on the above mentioned cases.
+
+Fixes: 99adef310f68 ("spi: Provide core support for DMA mapping transfers")
+Signed-off-by: Andy Shevchenko
+Link: https://msgid.link/r/20240522171018.3362521-2-andriy.shevchenko@linux.intel.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ drivers/spi/spi.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c
+index 857a1399850c3..e84494eed1c11 100644
+--- a/drivers/spi/spi.c
++++ b/drivers/spi/spi.c
+@@ -970,6 +970,7 @@ static int __spi_map_msg(struct spi_controller *ctlr, struct spi_message *msg)
+ else
+ rx_dev = ctlr->dev.parent;
+
++ ret = -ENOMSG;
+ list_for_each_entry(xfer, &msg->transfers, transfer_list) {
+ if (!ctlr->can_dma(ctlr, msg->spi, xfer))
+ continue;
+@@ -993,6 +994,9 @@ static int __spi_map_msg(struct spi_controller *ctlr, struct spi_message *msg)
+ }
+ }
+ }
++ /* No transfer has been mapped, bail out with success */
++ if (ret)
++ return 0;
+
+ ctlr->cur_msg_mapped = true;
+
+--
+2.43.0
+
diff --git a/queue-5.10/spi-stm32-don-t-warn-about-spurious-interrupts.patch b/queue-5.10/spi-stm32-don-t-warn-about-spurious-interrupts.patch
new file mode 100644
index 00000000000..d19e1855780
--- /dev/null
+++ b/queue-5.10/spi-stm32-don-t-warn-about-spurious-interrupts.patch
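Review bot: `ret = -ENOMSG;` in __spi_map_msg() is used as a sentinel rather than as an error, and the later `if (ret) return 0;` is only correct if a successful mapping inside the loop resets `ret` to 0; that assignment is outside the hunk. The added comment explains the return but not the sentinel, so I would add one at the assignment, e.g. `/* Stays non-zero unless at least one transfer is mapped below */`. A local `bool` would state the intent more directly, though that is a larger change than a stable backport should carry.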
@@ -0,0 +1,43 @@
+From 9d91e6556710d116ec8ec17f1ac51d4860cd15e7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 21 May 2024 12:52:42 +0200
+Subject: spi: stm32: Don't warn about spurious interrupts
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König
+
+[ Upstream commit 95d7c452a26564ef0c427f2806761b857106d8c4 ]
+
+The dev_warn to notify about a spurious interrupt was introduced with
+the reasoning that these are unexpected. However spurious interrupts
+tend to trigger continously and the error message on the serial console
+prevents that the core's detection of spurious interrupts kicks in
+(which disables the irq) and just floods the console.
+
+Fixes: c64e7efe46b7 ("spi: stm32: make spurious and overrun interrupts visible")
+Signed-off-by: Uwe Kleine-König
+Link: https://msgid.link/r/20240521105241.62400-2-u.kleine-koenig@pengutronix.de
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ drivers/spi/spi-stm32.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-stm32.c b/drivers/spi/spi-stm32.c
+index 9ec37cf10c010..f97b822cca19d 100644
+--- a/drivers/spi/spi-stm32.c
++++ b/drivers/spi/spi-stm32.c
+@@ -931,7 +931,7 @@ static irqreturn_t stm32h7_spi_irq_thread(int irq, void *dev_id)
+ mask |= STM32H7_SPI_SR_TXP | STM32H7_SPI_SR_RXP;
+
+ if (!(sr & mask)) {
+- dev_warn(spi->dev, "spurious IT (sr=0x%08x, ier=0x%08x)\n",
++ dev_vdbg(spi->dev, "spurious IT (sr=0x%08x, ier=0x%08x)\n",
+ sr, ier);
+ spin_unlock_irqrestore(&spi->lock, flags);
+ return IRQ_NONE;
+--
+2.43.0
+
-- 2.47.3
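Review bot: Nothing at the `dev_vdbg()` call in stm32h7_spi_irq_thread() says why a spurious interrupt is deliberately kept out of the log, so the next person debugging this driver may well restore the warning. A comment above the call would prevent that, e.g. `/* Kept quiet on purpose: logging here floods the console and keeps the core's spurious-IRQ detection from kicking in */`; the reasoning is taken from the commit message. The handler's body starts and ends outside this hunk.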