From d9a26ea08504b157c0afcfcead48477037cd997f Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sun, 30 Jul 2023 09:27:53 -0400 Subject: [PATCH] Fixes for 4.19 Signed-off-by: Sasha Levin --- ...-value-check-in-be_lancer_xmit_worka.patch | 38 ++++ ...nd-s-flags-when-down-link-is-p2p-dev.patch | 61 +++++++ ...-fix-return-value-check-in-atl1e_tso.patch | 44 +++++ ...-vs-is_err-bug-for-debugfs_create_di.patch | 40 +++++ ...x-bug-where-deleting-a-mngtmpaddr-ca.patch | 96 ++++++++++ ...io-add-extack-to-mqprio_parse_nlattr.patch | 110 ++++++++++++ ...-add-length-check-for-tca_mqprio_-ma.patch | 63 +++++++ ...-refactor-nlattr-parsing-to-a-separa.patch | 165 ++++++++++++++++++ ...x-an-out-of-bounds-check-in-hisi_inn.patch | 44 +++++ ...-laptop-fix-rfkill-out-of-sync-on-ms.patch | 79 +++++++++ queue-4.19/series | 12 ++ ...chance-of-collisions-in-inet6_hashfn.patch | 75 ++++++++ ...s-flags-when-down-link-is-p2p-device.patch | 52 ++++++ 13 files changed, 879 insertions(+) create mode 100644 queue-4.19/benet-fix-return-value-check-in-be_lancer_xmit_worka.patch create mode 100644 queue-4.19/bonding-reset-bond-s-flags-when-down-link-is-p2p-dev.patch create mode 100644 queue-4.19/ethernet-atheros-fix-return-value-check-in-atl1e_tso.patch create mode 100644 queue-4.19/i40e-fix-an-null-vs-is_err-bug-for-debugfs_create_di.patch create mode 100644 queue-4.19/ipv6-addrconf-fix-bug-where-deleting-a-mngtmpaddr-ca.patch create mode 100644 queue-4.19/net-sched-mqprio-add-extack-to-mqprio_parse_nlattr.patch create mode 100644 queue-4.19/net-sched-mqprio-add-length-check-for-tca_mqprio_-ma.patch create mode 100644 queue-4.19/net-sched-mqprio-refactor-nlattr-parsing-to-a-separa.patch create mode 100644 queue-4.19/phy-hisilicon-fix-an-out-of-bounds-check-in-hisi_inn.patch create mode 100644 queue-4.19/platform-x86-msi-laptop-fix-rfkill-out-of-sync-on-ms.patch create mode 100644 queue-4.19/tcp-reduce-chance-of-collisions-in-inet6_hashfn.patch create mode 100644 queue-4.19/team-reset-team-s-flags-when-down-link-is-p2p-device.patch diff --git a/queue-4.19/benet-fix-return-value-check-in-be_lancer_xmit_worka.patch b/queue-4.19/benet-fix-return-value-check-in-be_lancer_xmit_worka.patch new file mode 100644 index 00000000000..d37917c1b3e --- /dev/null +++ b/queue-4.19/benet-fix-return-value-check-in-be_lancer_xmit_worka.patch @@ -0,0 +1,38 @@ +From 34c9d40d2309c97f68f5f8892aec83dd8d021e9d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Jul 2023 11:27:26 +0800 +Subject: benet: fix return value check in be_lancer_xmit_workarounds() + +From: Yuanjun Gong + +[ Upstream commit 5c85f7065718a949902b238a6abd8fc907c5d3e0 ] + +in be_lancer_xmit_workarounds(), it should go to label 'tx_drop' +if an unexpected value is returned by pskb_trim(). + +Fixes: 93040ae5cc8d ("be2net: Fix to trim skb for padded vlan packets to workaround an ASIC Bug") +Signed-off-by: Yuanjun Gong +Link: https://lore.kernel.org/r/20230725032726.15002-1-ruc_gongyuanjun@163.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/emulex/benet/be_main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/emulex/benet/be_main.c b/drivers/net/ethernet/emulex/benet/be_main.c +index 8603df2ae1736..d0d9a420f557e 100644 +--- a/drivers/net/ethernet/emulex/benet/be_main.c ++++ b/drivers/net/ethernet/emulex/benet/be_main.c +@@ -1139,7 +1139,8 @@ static struct sk_buff *be_lancer_xmit_workarounds(struct be_adapter *adapter, + (lancer_chip(adapter) || BE3_chip(adapter) || + skb_vlan_tag_present(skb)) && is_ipv4_pkt(skb)) { + ip = (struct iphdr *)ip_hdr(skb); +- pskb_trim(skb, eth_hdr_len + ntohs(ip->tot_len)); ++ if (unlikely(pskb_trim(skb, eth_hdr_len + ntohs(ip->tot_len)))) ++ goto tx_drop; + } + + /* If vlan tag is already inlined in the packet, skip HW VLAN +-- +2.39.2 + diff --git a/queue-4.19/bonding-reset-bond-s-flags-when-down-link-is-p2p-dev.patch b/queue-4.19/bonding-reset-bond-s-flags-when-down-link-is-p2p-dev.patch new file mode 100644 index 00000000000..42fe1c3d663 --- /dev/null +++ b/queue-4.19/bonding-reset-bond-s-flags-when-down-link-is-p2p-dev.patch @@ -0,0 +1,61 @@ +From 3a2fb90a3e13a984390db66458f08a7b4198705c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Jul 2023 12:03:55 +0800 +Subject: bonding: reset bond's flags when down link is P2P device + +From: Hangbin Liu + +[ Upstream commit da19a2b967cf1e2c426f50d28550d1915214a81d ] + +When adding a point to point downlink to the bond, we neglected to reset +the bond's flags, which were still using flags like BROADCAST and +MULTICAST. Consequently, this would initiate ARP/DAD for P2P downlink +interfaces, such as when adding a GRE device to the bonding. + +To address this issue, let's reset the bond's flags for P2P interfaces. + +Before fix: +7: gre0@NONE: mtu 1500 qdisc noqueue master bond0 state UNKNOWN group default qlen 1000 + link/gre6 2006:70:10::1 peer 2006:70:10::2 permaddr 167f:18:f188:: +8: bond0: mtu 1500 qdisc noqueue state UP group default qlen 1000 + link/gre6 2006:70:10::1 brd 2006:70:10::2 + inet6 fe80::200:ff:fe00:0/64 scope link + valid_lft forever preferred_lft forever + +After fix: +7: gre0@NONE: mtu 1500 qdisc noqueue master bond2 state UNKNOWN group default qlen 1000 + link/gre6 2006:70:10::1 peer 2006:70:10::2 permaddr c29e:557a:e9d9:: +8: bond0: mtu 1500 qdisc noqueue state UP group default qlen 1000 + link/gre6 2006:70:10::1 peer 2006:70:10::2 + inet6 fe80::1/64 scope link + valid_lft forever preferred_lft forever + +Reported-by: Liang Li +Closes: https://bugzilla.redhat.com/show_bug.cgi?id=2221438 +Fixes: 872254dd6b1f ("net/bonding: Enable bonding to enslave non ARPHRD_ETHER") +Signed-off-by: Hangbin Liu +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 4e4adacb5c2c1..47e02c5342b28 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -1128,6 +1128,11 @@ static void bond_setup_by_slave(struct net_device *bond_dev, + + memcpy(bond_dev->broadcast, slave_dev->broadcast, + slave_dev->addr_len); ++ ++ if (slave_dev->flags & IFF_POINTOPOINT) { ++ bond_dev->flags &= ~(IFF_BROADCAST | IFF_MULTICAST); ++ bond_dev->flags |= (IFF_POINTOPOINT | IFF_NOARP); ++ } + } + + /* On bonding slaves other than the currently active slave, suppress +-- +2.39.2 + diff --git a/queue-4.19/ethernet-atheros-fix-return-value-check-in-atl1e_tso.patch b/queue-4.19/ethernet-atheros-fix-return-value-check-in-atl1e_tso.patch new file mode 100644 index 00000000000..28604e662b1 --- /dev/null +++ b/queue-4.19/ethernet-atheros-fix-return-value-check-in-atl1e_tso.patch @@ -0,0 +1,44 @@ +From dc73bc748ffb5f1dd2113f3a022e35527ea6d8e3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Jul 2023 22:42:19 +0800 +Subject: ethernet: atheros: fix return value check in atl1e_tso_csum() + +From: Yuanjun Gong + +[ Upstream commit 69a184f7a372aac588babfb0bd681aaed9779f5b ] + +in atl1e_tso_csum, it should check the return value of pskb_trim(), +and return an error code if an unexpected value is returned +by pskb_trim(). + +Fixes: a6a5325239c2 ("atl1e: Atheros L1E Gigabit Ethernet driver") +Signed-off-by: Yuanjun Gong +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20230720144219.39285-1-ruc_gongyuanjun@163.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/atheros/atl1e/atl1e_main.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/atheros/atl1e/atl1e_main.c b/drivers/net/ethernet/atheros/atl1e/atl1e_main.c +index 3164aad29bcf8..e4d58c7aeaf82 100644 +--- a/drivers/net/ethernet/atheros/atl1e/atl1e_main.c ++++ b/drivers/net/ethernet/atheros/atl1e/atl1e_main.c +@@ -1651,8 +1651,11 @@ static int atl1e_tso_csum(struct atl1e_adapter *adapter, + real_len = (((unsigned char *)ip_hdr(skb) - skb->data) + + ntohs(ip_hdr(skb)->tot_len)); + +- if (real_len < skb->len) +- pskb_trim(skb, real_len); ++ if (real_len < skb->len) { ++ err = pskb_trim(skb, real_len); ++ if (err) ++ return err; ++ } + + hdr_len = (skb_transport_offset(skb) + tcp_hdrlen(skb)); + if (unlikely(skb->len == hdr_len)) { +-- +2.39.2 + diff --git a/queue-4.19/i40e-fix-an-null-vs-is_err-bug-for-debugfs_create_di.patch b/queue-4.19/i40e-fix-an-null-vs-is_err-bug-for-debugfs_create_di.patch new file mode 100644 index 00000000000..fc0de9e8dc4 --- /dev/null +++ b/queue-4.19/i40e-fix-an-null-vs-is_err-bug-for-debugfs_create_di.patch @@ -0,0 +1,40 @@ +From 8176cb1f4b43c8f0a5edbe6e647f381cddf77296 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Jul 2023 09:42:39 +0800 +Subject: i40e: Fix an NULL vs IS_ERR() bug for debugfs_create_dir() + +From: Wang Ming + +[ Upstream commit 043b1f185fb0f3939b7427f634787706f45411c4 ] + +The debugfs_create_dir() function returns error pointers. +It never returns NULL. Most incorrect error checks were fixed, +but the one in i40e_dbg_init() was forgotten. + +Fix the remaining error check. + +Fixes: 02e9c290814c ("i40e: debugfs interface") +Signed-off-by: Wang Ming +Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_debugfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_debugfs.c b/drivers/net/ethernet/intel/i40e/i40e_debugfs.c +index a66492b9403c4..5b82c89330e30 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_debugfs.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_debugfs.c +@@ -1798,7 +1798,7 @@ void i40e_dbg_pf_exit(struct i40e_pf *pf) + void i40e_dbg_init(void) + { + i40e_dbg_root = debugfs_create_dir(i40e_driver_name, NULL); +- if (!i40e_dbg_root) ++ if (IS_ERR(i40e_dbg_root)) + pr_info("init of debugfs failed\n"); + } + +-- +2.39.2 + diff --git a/queue-4.19/ipv6-addrconf-fix-bug-where-deleting-a-mngtmpaddr-ca.patch b/queue-4.19/ipv6-addrconf-fix-bug-where-deleting-a-mngtmpaddr-ca.patch new file mode 100644 index 00000000000..4f2daddb2fb --- /dev/null +++ b/queue-4.19/ipv6-addrconf-fix-bug-where-deleting-a-mngtmpaddr-ca.patch @@ -0,0 +1,96 @@ +From e36f7f9c38a51c0b52e99dce3d9dce0ba3a2d794 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Jul 2023 09:00:22 -0700 +Subject: ipv6 addrconf: fix bug where deleting a mngtmpaddr can create a new + temporary address +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maciej Żenczykowski + +[ Upstream commit 69172f0bcb6a09110c5d2a6d792627f5095a9018 ] + +currently on 6.4 net/main: + + # ip link add dummy1 type dummy + # echo 1 > /proc/sys/net/ipv6/conf/dummy1/use_tempaddr + # ip link set dummy1 up + # ip -6 addr add 2000::1/64 mngtmpaddr dev dummy1 + # ip -6 addr show dev dummy1 + + 11: dummy1: mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000 + inet6 2000::44f3:581c:8ca:3983/64 scope global temporary dynamic + valid_lft 604800sec preferred_lft 86172sec + inet6 2000::1/64 scope global mngtmpaddr + valid_lft forever preferred_lft forever + inet6 fe80::e8a8:a6ff:fed5:56d4/64 scope link + valid_lft forever preferred_lft forever + + # ip -6 addr del 2000::44f3:581c:8ca:3983/64 dev dummy1 + + (can wait a few seconds if you want to, the above delete isn't [directly] the problem) + + # ip -6 addr show dev dummy1 + + 11: dummy1: mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000 + inet6 2000::1/64 scope global mngtmpaddr + valid_lft forever preferred_lft forever + inet6 fe80::e8a8:a6ff:fed5:56d4/64 scope link + valid_lft forever preferred_lft forever + + # ip -6 addr del 2000::1/64 mngtmpaddr dev dummy1 + # ip -6 addr show dev dummy1 + + 11: dummy1: mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000 + inet6 2000::81c9:56b7:f51a:b98f/64 scope global temporary dynamic + valid_lft 604797sec preferred_lft 86169sec + inet6 fe80::e8a8:a6ff:fed5:56d4/64 scope link + valid_lft forever preferred_lft forever + +This patch prevents this new 'global temporary dynamic' address from being +created by the deletion of the related (same subnet prefix) 'mngtmpaddr' +(which is triggered by there already being no temporary addresses). + +Cc: Jiri Pirko +Fixes: 53bd67491537 ("ipv6 addrconf: introduce IFA_F_MANAGETEMPADDR to tell kernel to manage temporary addresses") +Reported-by: Xiao Ma +Signed-off-by: Maciej Żenczykowski +Reviewed-by: David Ahern +Link: https://lore.kernel.org/r/20230720160022.1887942-1-maze@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/addrconf.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c +index 23edc325f70be..5c5c5736f6892 100644 +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -2488,12 +2488,18 @@ static void manage_tempaddrs(struct inet6_dev *idev, + ipv6_ifa_notify(0, ift); + } + +- if ((create || list_empty(&idev->tempaddr_list)) && +- idev->cnf.use_tempaddr > 0) { ++ /* Also create a temporary address if it's enabled but no temporary ++ * address currently exists. ++ * However, we get called with valid_lft == 0, prefered_lft == 0, create == false ++ * as part of cleanup (ie. deleting the mngtmpaddr). ++ * We don't want that to result in creating a new temporary ip address. ++ */ ++ if (list_empty(&idev->tempaddr_list) && (valid_lft || prefered_lft)) ++ create = true; ++ ++ if (create && idev->cnf.use_tempaddr > 0) { + /* When a new public address is created as described + * in [ADDRCONF], also create a new temporary address. +- * Also create a temporary address if it's enabled but +- * no temporary address currently exists. + */ + read_unlock_bh(&idev->lock); + ipv6_create_tempaddr(ifp, NULL, false); +-- +2.39.2 + diff --git a/queue-4.19/net-sched-mqprio-add-extack-to-mqprio_parse_nlattr.patch b/queue-4.19/net-sched-mqprio-add-extack-to-mqprio_parse_nlattr.patch new file mode 100644 index 00000000000..2b9c9ebf60b --- /dev/null +++ b/queue-4.19/net-sched-mqprio-add-extack-to-mqprio_parse_nlattr.patch @@ -0,0 +1,110 @@ +From d96ce42e835ca09e24873f7eb4fb8a074b2e238e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Apr 2023 21:01:51 +0300 +Subject: net/sched: mqprio: add extack to mqprio_parse_nlattr() + +From: Vladimir Oltean + +[ Upstream commit 57f21bf85400abadac0cb2a4db5de1d663f8863f ] + +Netlink attribute parsing in mqprio is a minesweeper game, with many +options having the possibility of being passed incorrectly and the user +being none the wiser. + +Try to make errors less sour by giving user space some information +regarding what went wrong. + +Signed-off-by: Vladimir Oltean +Reviewed-by: Ferenc Fejes +Reviewed-by: Simon Horman +Acked-by: Jamal Hadi Salim +Signed-off-by: Jakub Kicinski +Stable-dep-of: 6c58c8816abb ("net/sched: mqprio: Add length check for TCA_MQPRIO_{MAX/MIN}_RATE64") +Signed-off-by: Sasha Levin +--- + net/sched/sch_mqprio.c | 30 +++++++++++++++++++++++------- + 1 file changed, 23 insertions(+), 7 deletions(-) + +diff --git a/net/sched/sch_mqprio.c b/net/sched/sch_mqprio.c +index 7726d8f623027..c9bdb4476a5bc 100644 +--- a/net/sched/sch_mqprio.c ++++ b/net/sched/sch_mqprio.c +@@ -133,7 +133,8 @@ static int parse_attr(struct nlattr *tb[], int maxtype, struct nlattr *nla, + } + + static int mqprio_parse_nlattr(struct Qdisc *sch, struct tc_mqprio_qopt *qopt, +- struct nlattr *opt) ++ struct nlattr *opt, ++ struct netlink_ext_ack *extack) + { + struct mqprio_sched *priv = qdisc_priv(sch); + struct nlattr *tb[TCA_MQPRIO_MAX + 1]; +@@ -145,8 +146,11 @@ static int mqprio_parse_nlattr(struct Qdisc *sch, struct tc_mqprio_qopt *qopt, + if (err < 0) + return err; + +- if (!qopt->hw) ++ if (!qopt->hw) { ++ NL_SET_ERR_MSG(extack, ++ "mqprio TCA_OPTIONS can only contain netlink attributes in hardware mode"); + return -EINVAL; ++ } + + if (tb[TCA_MQPRIO_MODE]) { + priv->flags |= TC_MQPRIO_F_MODE; +@@ -159,13 +163,19 @@ static int mqprio_parse_nlattr(struct Qdisc *sch, struct tc_mqprio_qopt *qopt, + } + + if (tb[TCA_MQPRIO_MIN_RATE64]) { +- if (priv->shaper != TC_MQPRIO_SHAPER_BW_RATE) ++ if (priv->shaper != TC_MQPRIO_SHAPER_BW_RATE) { ++ NL_SET_ERR_MSG_ATTR(extack, tb[TCA_MQPRIO_MIN_RATE64], ++ "min_rate accepted only when shaper is in bw_rlimit mode"); + return -EINVAL; ++ } + i = 0; + nla_for_each_nested(attr, tb[TCA_MQPRIO_MIN_RATE64], + rem) { +- if (nla_type(attr) != TCA_MQPRIO_MIN_RATE64) ++ if (nla_type(attr) != TCA_MQPRIO_MIN_RATE64) { ++ NL_SET_ERR_MSG_ATTR(extack, attr, ++ "Attribute type expected to be TCA_MQPRIO_MIN_RATE64"); + return -EINVAL; ++ } + if (i >= qopt->num_tc) + break; + priv->min_rate[i] = *(u64 *)nla_data(attr); +@@ -175,13 +185,19 @@ static int mqprio_parse_nlattr(struct Qdisc *sch, struct tc_mqprio_qopt *qopt, + } + + if (tb[TCA_MQPRIO_MAX_RATE64]) { +- if (priv->shaper != TC_MQPRIO_SHAPER_BW_RATE) ++ if (priv->shaper != TC_MQPRIO_SHAPER_BW_RATE) { ++ NL_SET_ERR_MSG_ATTR(extack, tb[TCA_MQPRIO_MAX_RATE64], ++ "max_rate accepted only when shaper is in bw_rlimit mode"); + return -EINVAL; ++ } + i = 0; + nla_for_each_nested(attr, tb[TCA_MQPRIO_MAX_RATE64], + rem) { +- if (nla_type(attr) != TCA_MQPRIO_MAX_RATE64) ++ if (nla_type(attr) != TCA_MQPRIO_MAX_RATE64) { ++ NL_SET_ERR_MSG_ATTR(extack, attr, ++ "Attribute type expected to be TCA_MQPRIO_MAX_RATE64"); + return -EINVAL; ++ } + if (i >= qopt->num_tc) + break; + priv->max_rate[i] = *(u64 *)nla_data(attr); +@@ -226,7 +242,7 @@ static int mqprio_init(struct Qdisc *sch, struct nlattr *opt, + + len = nla_len(opt) - NLA_ALIGN(sizeof(*qopt)); + if (len > 0) { +- err = mqprio_parse_nlattr(sch, qopt, opt); ++ err = mqprio_parse_nlattr(sch, qopt, opt, extack); + if (err) + return err; + } +-- +2.39.2 + diff --git a/queue-4.19/net-sched-mqprio-add-length-check-for-tca_mqprio_-ma.patch b/queue-4.19/net-sched-mqprio-add-length-check-for-tca_mqprio_-ma.patch new file mode 100644 index 00000000000..a81becb1d33 --- /dev/null +++ b/queue-4.19/net-sched-mqprio-add-length-check-for-tca_mqprio_-ma.patch @@ -0,0 +1,63 @@ +From 3b78acd7019c70b969b2308766587e4a4aa0880a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Jul 2023 10:42:27 +0800 +Subject: net/sched: mqprio: Add length check for TCA_MQPRIO_{MAX/MIN}_RATE64 + +From: Lin Ma + +[ Upstream commit 6c58c8816abb7b93b21fa3b1d0c1726402e5e568 ] + +The nla_for_each_nested parsing in function mqprio_parse_nlattr() does +not check the length of the nested attribute. This can lead to an +out-of-attribute read and allow a malformed nlattr (e.g., length 0) to +be viewed as 8 byte integer and passed to priv->max_rate/min_rate. + +This patch adds the check based on nla_len() when check the nla_type(), +which ensures that the length of these two attribute must equals +sizeof(u64). + +Fixes: 4e8b86c06269 ("mqprio: Introduce new hardware offload mode and shaper in mqprio") +Reviewed-by: Victor Nogueira +Signed-off-by: Lin Ma +Link: https://lore.kernel.org/r/20230725024227.426561-1-linma@zju.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_mqprio.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/net/sched/sch_mqprio.c b/net/sched/sch_mqprio.c +index c9bdb4476a5bc..c0ab1e38e80c6 100644 +--- a/net/sched/sch_mqprio.c ++++ b/net/sched/sch_mqprio.c +@@ -176,6 +176,13 @@ static int mqprio_parse_nlattr(struct Qdisc *sch, struct tc_mqprio_qopt *qopt, + "Attribute type expected to be TCA_MQPRIO_MIN_RATE64"); + return -EINVAL; + } ++ ++ if (nla_len(attr) != sizeof(u64)) { ++ NL_SET_ERR_MSG_ATTR(extack, attr, ++ "Attribute TCA_MQPRIO_MIN_RATE64 expected to have 8 bytes length"); ++ return -EINVAL; ++ } ++ + if (i >= qopt->num_tc) + break; + priv->min_rate[i] = *(u64 *)nla_data(attr); +@@ -198,6 +205,13 @@ static int mqprio_parse_nlattr(struct Qdisc *sch, struct tc_mqprio_qopt *qopt, + "Attribute type expected to be TCA_MQPRIO_MAX_RATE64"); + return -EINVAL; + } ++ ++ if (nla_len(attr) != sizeof(u64)) { ++ NL_SET_ERR_MSG_ATTR(extack, attr, ++ "Attribute TCA_MQPRIO_MAX_RATE64 expected to have 8 bytes length"); ++ return -EINVAL; ++ } ++ + if (i >= qopt->num_tc) + break; + priv->max_rate[i] = *(u64 *)nla_data(attr); +-- +2.39.2 + diff --git a/queue-4.19/net-sched-mqprio-refactor-nlattr-parsing-to-a-separa.patch b/queue-4.19/net-sched-mqprio-refactor-nlattr-parsing-to-a-separa.patch new file mode 100644 index 00000000000..d96179beff4 --- /dev/null +++ b/queue-4.19/net-sched-mqprio-refactor-nlattr-parsing-to-a-separa.patch @@ -0,0 +1,165 @@ +From 8827fa5a2171cc075116ac1d3bc7fa0dc4ac18e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Feb 2023 15:52:55 +0200 +Subject: net/sched: mqprio: refactor nlattr parsing to a separate function + +From: Vladimir Oltean + +[ Upstream commit feb2cf3dcfb930aec2ca65c66d1365543d5ba943 ] + +mqprio_init() is quite large and unwieldy to add more code to. +Split the netlink attribute parsing to a dedicated function. + +Signed-off-by: Vladimir Oltean +Reviewed-by: Jacob Keller +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Stable-dep-of: 6c58c8816abb ("net/sched: mqprio: Add length check for TCA_MQPRIO_{MAX/MIN}_RATE64") +Signed-off-by: Sasha Levin +--- + net/sched/sch_mqprio.c | 114 +++++++++++++++++++++++------------------ + 1 file changed, 63 insertions(+), 51 deletions(-) + +diff --git a/net/sched/sch_mqprio.c b/net/sched/sch_mqprio.c +index 64d7f876d7de2..7726d8f623027 100644 +--- a/net/sched/sch_mqprio.c ++++ b/net/sched/sch_mqprio.c +@@ -132,6 +132,67 @@ static int parse_attr(struct nlattr *tb[], int maxtype, struct nlattr *nla, + return 0; + } + ++static int mqprio_parse_nlattr(struct Qdisc *sch, struct tc_mqprio_qopt *qopt, ++ struct nlattr *opt) ++{ ++ struct mqprio_sched *priv = qdisc_priv(sch); ++ struct nlattr *tb[TCA_MQPRIO_MAX + 1]; ++ struct nlattr *attr; ++ int i, rem, err; ++ ++ err = parse_attr(tb, TCA_MQPRIO_MAX, opt, mqprio_policy, ++ sizeof(*qopt)); ++ if (err < 0) ++ return err; ++ ++ if (!qopt->hw) ++ return -EINVAL; ++ ++ if (tb[TCA_MQPRIO_MODE]) { ++ priv->flags |= TC_MQPRIO_F_MODE; ++ priv->mode = *(u16 *)nla_data(tb[TCA_MQPRIO_MODE]); ++ } ++ ++ if (tb[TCA_MQPRIO_SHAPER]) { ++ priv->flags |= TC_MQPRIO_F_SHAPER; ++ priv->shaper = *(u16 *)nla_data(tb[TCA_MQPRIO_SHAPER]); ++ } ++ ++ if (tb[TCA_MQPRIO_MIN_RATE64]) { ++ if (priv->shaper != TC_MQPRIO_SHAPER_BW_RATE) ++ return -EINVAL; ++ i = 0; ++ nla_for_each_nested(attr, tb[TCA_MQPRIO_MIN_RATE64], ++ rem) { ++ if (nla_type(attr) != TCA_MQPRIO_MIN_RATE64) ++ return -EINVAL; ++ if (i >= qopt->num_tc) ++ break; ++ priv->min_rate[i] = *(u64 *)nla_data(attr); ++ i++; ++ } ++ priv->flags |= TC_MQPRIO_F_MIN_RATE; ++ } ++ ++ if (tb[TCA_MQPRIO_MAX_RATE64]) { ++ if (priv->shaper != TC_MQPRIO_SHAPER_BW_RATE) ++ return -EINVAL; ++ i = 0; ++ nla_for_each_nested(attr, tb[TCA_MQPRIO_MAX_RATE64], ++ rem) { ++ if (nla_type(attr) != TCA_MQPRIO_MAX_RATE64) ++ return -EINVAL; ++ if (i >= qopt->num_tc) ++ break; ++ priv->max_rate[i] = *(u64 *)nla_data(attr); ++ i++; ++ } ++ priv->flags |= TC_MQPRIO_F_MAX_RATE; ++ } ++ ++ return 0; ++} ++ + static int mqprio_init(struct Qdisc *sch, struct nlattr *opt, + struct netlink_ext_ack *extack) + { +@@ -141,9 +202,6 @@ static int mqprio_init(struct Qdisc *sch, struct nlattr *opt, + struct Qdisc *qdisc; + int i, err = -EOPNOTSUPP; + struct tc_mqprio_qopt *qopt = NULL; +- struct nlattr *tb[TCA_MQPRIO_MAX + 1]; +- struct nlattr *attr; +- int rem; + int len; + + BUILD_BUG_ON(TC_MAX_QUEUE != TC_QOPT_MAX_QUEUE); +@@ -168,55 +226,9 @@ static int mqprio_init(struct Qdisc *sch, struct nlattr *opt, + + len = nla_len(opt) - NLA_ALIGN(sizeof(*qopt)); + if (len > 0) { +- err = parse_attr(tb, TCA_MQPRIO_MAX, opt, mqprio_policy, +- sizeof(*qopt)); +- if (err < 0) ++ err = mqprio_parse_nlattr(sch, qopt, opt); ++ if (err) + return err; +- +- if (!qopt->hw) +- return -EINVAL; +- +- if (tb[TCA_MQPRIO_MODE]) { +- priv->flags |= TC_MQPRIO_F_MODE; +- priv->mode = *(u16 *)nla_data(tb[TCA_MQPRIO_MODE]); +- } +- +- if (tb[TCA_MQPRIO_SHAPER]) { +- priv->flags |= TC_MQPRIO_F_SHAPER; +- priv->shaper = *(u16 *)nla_data(tb[TCA_MQPRIO_SHAPER]); +- } +- +- if (tb[TCA_MQPRIO_MIN_RATE64]) { +- if (priv->shaper != TC_MQPRIO_SHAPER_BW_RATE) +- return -EINVAL; +- i = 0; +- nla_for_each_nested(attr, tb[TCA_MQPRIO_MIN_RATE64], +- rem) { +- if (nla_type(attr) != TCA_MQPRIO_MIN_RATE64) +- return -EINVAL; +- if (i >= qopt->num_tc) +- break; +- priv->min_rate[i] = *(u64 *)nla_data(attr); +- i++; +- } +- priv->flags |= TC_MQPRIO_F_MIN_RATE; +- } +- +- if (tb[TCA_MQPRIO_MAX_RATE64]) { +- if (priv->shaper != TC_MQPRIO_SHAPER_BW_RATE) +- return -EINVAL; +- i = 0; +- nla_for_each_nested(attr, tb[TCA_MQPRIO_MAX_RATE64], +- rem) { +- if (nla_type(attr) != TCA_MQPRIO_MAX_RATE64) +- return -EINVAL; +- if (i >= qopt->num_tc) +- break; +- priv->max_rate[i] = *(u64 *)nla_data(attr); +- i++; +- } +- priv->flags |= TC_MQPRIO_F_MAX_RATE; +- } + } + + /* pre-allocate qdisc, attachment can't fail */ +-- +2.39.2 + diff --git a/queue-4.19/phy-hisilicon-fix-an-out-of-bounds-check-in-hisi_inn.patch b/queue-4.19/phy-hisilicon-fix-an-out-of-bounds-check-in-hisi_inn.patch new file mode 100644 index 00000000000..1b5a45d3f64 --- /dev/null +++ b/queue-4.19/phy-hisilicon-fix-an-out-of-bounds-check-in-hisi_inn.patch @@ -0,0 +1,44 @@ +From 5e0f8a4dae4b91e5e583bb28e680461b3ee2b9e3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Jul 2023 02:05:55 -0700 +Subject: phy: hisilicon: Fix an out of bounds check in hisi_inno_phy_probe() + +From: Harshit Mogalapalli + +[ Upstream commit 13c088cf3657d70893d75cf116be937f1509cc0f ] + +The size of array 'priv->ports[]' is INNO_PHY_PORT_NUM. + +In the for loop, 'i' is used as the index for array 'priv->ports[]' +with a check (i > INNO_PHY_PORT_NUM) which indicates that +INNO_PHY_PORT_NUM is allowed value for 'i' in the same loop. + +This > comparison needs to be changed to >=, otherwise it potentially leads +to an out of bounds write on the next iteration through the loop + +Fixes: ba8b0ee81fbb ("phy: add inno-usb2-phy driver for hi3798cv200 SoC") +Reported-by: Dan Carpenter +Signed-off-by: Harshit Mogalapalli +Link: https://lore.kernel.org/r/20230721090558.3588613-1-harshit.m.mogalapalli@oracle.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/phy/hisilicon/phy-hisi-inno-usb2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/phy/hisilicon/phy-hisi-inno-usb2.c b/drivers/phy/hisilicon/phy-hisi-inno-usb2.c +index 524381249a2b8..b51e19402ab0c 100644 +--- a/drivers/phy/hisilicon/phy-hisi-inno-usb2.c ++++ b/drivers/phy/hisilicon/phy-hisi-inno-usb2.c +@@ -167,7 +167,7 @@ static int hisi_inno_phy_probe(struct platform_device *pdev) + phy_set_drvdata(phy, &priv->ports[i]); + i++; + +- if (i > INNO_PHY_PORT_NUM) { ++ if (i >= INNO_PHY_PORT_NUM) { + dev_warn(dev, "Support %d ports in maximum\n", i); + break; + } +-- +2.39.2 + diff --git a/queue-4.19/platform-x86-msi-laptop-fix-rfkill-out-of-sync-on-ms.patch b/queue-4.19/platform-x86-msi-laptop-fix-rfkill-out-of-sync-on-ms.patch new file mode 100644 index 00000000000..8c16d789874 --- /dev/null +++ b/queue-4.19/platform-x86-msi-laptop-fix-rfkill-out-of-sync-on-ms.patch @@ -0,0 +1,79 @@ +From 4d5df8b6d39c7750506aec613ca918b6baa6da9c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Jul 2023 17:54:23 +0300 +Subject: platform/x86: msi-laptop: Fix rfkill out-of-sync on MSI Wind U100 + +From: Maxim Mikityanskiy + +[ Upstream commit ad084a6d99bc182bf109c190c808e2ea073ec57b ] + +Only the HW rfkill state is toggled on laptops with quirks->ec_read_only +(so far only MSI Wind U90/U100). There are, however, a few issues with +the implementation: + +1. The initial HW state is always unblocked, regardless of the actual + state on boot, because msi_init_rfkill only sets the SW state, + regardless of ec_read_only. + +2. The initial SW state corresponds to the actual state on boot, but it + can't be changed afterwards, because set_device_state returns + -EOPNOTSUPP. It confuses the userspace, making Wi-Fi and/or Bluetooth + unusable if it was blocked on boot, and breaking the airplane mode if + the rfkill was unblocked on boot. + +Address the above issues by properly initializing the HW state on +ec_read_only laptops and by allowing the userspace to toggle the SW +state. Don't set the SW state ourselves and let the userspace fully +control it. Toggling the SW state is a no-op, however, it allows the +userspace to properly toggle the airplane mode. The actual SW radio +disablement is handled by the corresponding rtl818x_pci and btusb +drivers that have their own rfkills. + +Tested on MSI Wind U100 Plus, BIOS ver 1.0G, EC ver 130. + +Fixes: 0816392b97d4 ("msi-laptop: merge quirk tables to one") +Fixes: 0de6575ad0a8 ("msi-laptop: Add MSI Wind U90/U100 support") +Signed-off-by: Maxim Mikityanskiy +Link: https://lore.kernel.org/r/20230721145423.161057-1-maxtram95@gmail.com +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/msi-laptop.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/platform/x86/msi-laptop.c b/drivers/platform/x86/msi-laptop.c +index 42b31c549db00..1781e67781a55 100644 +--- a/drivers/platform/x86/msi-laptop.c ++++ b/drivers/platform/x86/msi-laptop.c +@@ -223,7 +223,7 @@ static ssize_t set_device_state(const char *buf, size_t count, u8 mask) + return -EINVAL; + + if (quirks->ec_read_only) +- return -EOPNOTSUPP; ++ return 0; + + /* read current device state */ + result = ec_read(MSI_STANDARD_EC_COMMAND_ADDRESS, &rdata); +@@ -854,15 +854,15 @@ static bool msi_laptop_i8042_filter(unsigned char data, unsigned char str, + static void msi_init_rfkill(struct work_struct *ignored) + { + if (rfk_wlan) { +- rfkill_set_sw_state(rfk_wlan, !wlan_s); ++ msi_rfkill_set_state(rfk_wlan, !wlan_s); + rfkill_wlan_set(NULL, !wlan_s); + } + if (rfk_bluetooth) { +- rfkill_set_sw_state(rfk_bluetooth, !bluetooth_s); ++ msi_rfkill_set_state(rfk_bluetooth, !bluetooth_s); + rfkill_bluetooth_set(NULL, !bluetooth_s); + } + if (rfk_threeg) { +- rfkill_set_sw_state(rfk_threeg, !threeg_s); ++ msi_rfkill_set_state(rfk_threeg, !threeg_s); + rfkill_threeg_set(NULL, !threeg_s); + } + } +-- +2.39.2 + diff --git a/queue-4.19/series b/queue-4.19/series index 48b06df8c1a..3bb72832a35 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -235,3 +235,15 @@ ftrace-fix-possible-warning-on-checking-all-pages-us.patch scsi-qla2xxx-fix-inconsistent-format-argument-type-i.patch scsi-qla2xxx-array-index-may-go-out-of-bound.patch ext4-fix-to-check-return-value-of-freeze_bdev-in-ext.patch +i40e-fix-an-null-vs-is_err-bug-for-debugfs_create_di.patch +phy-hisilicon-fix-an-out-of-bounds-check-in-hisi_inn.patch +ethernet-atheros-fix-return-value-check-in-atl1e_tso.patch +ipv6-addrconf-fix-bug-where-deleting-a-mngtmpaddr-ca.patch +tcp-reduce-chance-of-collisions-in-inet6_hashfn.patch +bonding-reset-bond-s-flags-when-down-link-is-p2p-dev.patch +team-reset-team-s-flags-when-down-link-is-p2p-device.patch +platform-x86-msi-laptop-fix-rfkill-out-of-sync-on-ms.patch +net-sched-mqprio-refactor-nlattr-parsing-to-a-separa.patch +net-sched-mqprio-add-extack-to-mqprio_parse_nlattr.patch +net-sched-mqprio-add-length-check-for-tca_mqprio_-ma.patch +benet-fix-return-value-check-in-be_lancer_xmit_worka.patch diff --git a/queue-4.19/tcp-reduce-chance-of-collisions-in-inet6_hashfn.patch b/queue-4.19/tcp-reduce-chance-of-collisions-in-inet6_hashfn.patch new file mode 100644 index 00000000000..1cef14076da --- /dev/null +++ b/queue-4.19/tcp-reduce-chance-of-collisions-in-inet6_hashfn.patch @@ -0,0 +1,75 @@ +From d95f648ff0dd87b7b2b2a2f1ab78df433fec008f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Jul 2023 15:24:10 -0700 +Subject: tcp: Reduce chance of collisions in inet6_hashfn(). + +From: Stewart Smith + +[ Upstream commit d11b0df7ddf1831f3e170972f43186dad520bfcc ] + +For both IPv4 and IPv6 incoming TCP connections are tracked in a hash +table with a hash over the source & destination addresses and ports. +However, the IPv6 hash is insufficient and can lead to a high rate of +collisions. + +The IPv6 hash used an XOR to fit everything into the 96 bits for the +fast jenkins hash, meaning it is possible for an external entity to +ensure the hash collides, thus falling back to a linear search in the +bucket, which is slow. + +We take the approach of hash the full length of IPv6 address in +__ipv6_addr_jhash() so that all users can benefit from a more secure +version. + +While this may look like it adds overhead, the reality of modern CPUs +means that this is unmeasurable in real world scenarios. + +In simulating with llvm-mca, the increase in cycles for the hashing +code was ~16 cycles on Skylake (from a base of ~155), and an extra ~9 +on Nehalem (base of ~173). + +In commit dd6d2910c5e0 ("netfilter: conntrack: switch to siphash") +netfilter switched from a jenkins hash to a siphash, but even the faster +hsiphash is a more significant overhead (~20-30%) in some preliminary +testing. So, in this patch, we keep to the more conservative approach to +ensure we don't add much overhead per SYN. + +In testing, this results in a consistently even spread across the +connection buckets. In both testing and real-world scenarios, we have +not found any measurable performance impact. + +Fixes: 08dcdbf6a7b9 ("ipv6: use a stronger hash for tcp") +Signed-off-by: Stewart Smith +Signed-off-by: Samuel Mendoza-Jonas +Suggested-by: Eric Dumazet +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230721222410.17914-1-kuniyu@amazon.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/ipv6.h | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +diff --git a/include/net/ipv6.h b/include/net/ipv6.h +index 0c883249814cc..3a55a0931ed86 100644 +--- a/include/net/ipv6.h ++++ b/include/net/ipv6.h +@@ -602,12 +602,8 @@ static inline u32 ipv6_addr_hash(const struct in6_addr *a) + /* more secured version of ipv6_addr_hash() */ + static inline u32 __ipv6_addr_jhash(const struct in6_addr *a, const u32 initval) + { +- u32 v = (__force u32)a->s6_addr32[0] ^ (__force u32)a->s6_addr32[1]; +- +- return jhash_3words(v, +- (__force u32)a->s6_addr32[2], +- (__force u32)a->s6_addr32[3], +- initval); ++ return jhash2((__force const u32 *)a->s6_addr32, ++ ARRAY_SIZE(a->s6_addr32), initval); + } + + static inline bool ipv6_addr_loopback(const struct in6_addr *a) +-- +2.39.2 + diff --git a/queue-4.19/team-reset-team-s-flags-when-down-link-is-p2p-device.patch b/queue-4.19/team-reset-team-s-flags-when-down-link-is-p2p-device.patch new file mode 100644 index 00000000000..ebaaf561ca7 --- /dev/null +++ b/queue-4.19/team-reset-team-s-flags-when-down-link-is-p2p-device.patch @@ -0,0 +1,52 @@ +From 7c5da805034dbdac3cc7a3b55c772a16c55dba1a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Jul 2023 12:03:56 +0800 +Subject: team: reset team's flags when down link is P2P device + +From: Hangbin Liu + +[ Upstream commit fa532bee17d15acf8bba4bc8e2062b7a093ba801 ] + +When adding a point to point downlink to team device, we neglected to reset +the team's flags, which were still using flags like BROADCAST and +MULTICAST. Consequently, this would initiate ARP/DAD for P2P downlink +interfaces, such as when adding a GRE device to team device. Fix this by +remove multicast/broadcast flags and add p2p and noarp flags. + +After removing the none ethernet interface and adding an ethernet interface +to team, we need to reset team interface flags. Unlike bonding interface, +team do not need restore IFF_MASTER, IFF_SLAVE flags. + +Reported-by: Liang Li +Closes: https://bugzilla.redhat.com/show_bug.cgi?id=2221438 +Fixes: 1d76efe1577b ("team: add support for non-ethernet devices") +Signed-off-by: Hangbin Liu +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/team/team.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c +index 2410f08e2bb5c..d80bc5f59b3fc 100644 +--- a/drivers/net/team/team.c ++++ b/drivers/net/team/team.c +@@ -2103,6 +2103,15 @@ static void team_setup_by_port(struct net_device *dev, + dev->mtu = port_dev->mtu; + memcpy(dev->broadcast, port_dev->broadcast, port_dev->addr_len); + eth_hw_addr_inherit(dev, port_dev); ++ ++ if (port_dev->flags & IFF_POINTOPOINT) { ++ dev->flags &= ~(IFF_BROADCAST | IFF_MULTICAST); ++ dev->flags |= (IFF_POINTOPOINT | IFF_NOARP); ++ } else if ((port_dev->flags & (IFF_BROADCAST | IFF_MULTICAST)) == ++ (IFF_BROADCAST | IFF_MULTICAST)) { ++ dev->flags |= (IFF_BROADCAST | IFF_MULTICAST); ++ dev->flags &= ~(IFF_POINTOPOINT | IFF_NOARP); ++ } + } + + static int team_dev_type_check_change(struct net_device *dev, +-- +2.39.2 + -- 2.47.3