From f712f47893b2d580d385140dcdb4359618cb1a1f Mon Sep 17 00:00:00 2001
From: Sasha Levin
Date: Mon, 22 May 2023 07:45:38 -0400
Subject: [PATCH] Fixes for 4.19
Signed-off-by: Sasha Levin
---
...tional-tunnel-beet-mode-templates-in.patch | 71 ++++++++
...mory-leak-in-the-error-handling-path.patch | 42 +++++
...e-tsc-read-per-cpu-for-mperf-monitor.patch | 159 ++++++++++++++++++
...ovide-devm_platform_ioremap_resource.patch | 74 ++++++++
...2d_open-close-helper-function-defini.patch | 48 ++++++
...roto-with-the-md-version-for-collect.patch | 81 +++++++++
...igb-fix-bit_shift-to-be-in-1.8-range.patch | 50 ++++++
...e-fix-skb_under_panic-in-__gre6_xmit.patch | 128 ++++++++++++++
...-o_seqno-start-from-0-in-native-mode.patch | 70 ++++++++
...ix-race-condition-on-o_seqno-in-coll.patch | 152 +++++++++++++++++
...idvb-fix-use-after-free-at-del_timer.patch | 49 ++++++
...ove-phy_stop-from-bcmgenet_netif_sto.patch | 37 ++++
...tore-phy_stop-depending-upon-suspend.patch | 71 ++++++++
...andle-pm_runtime_get-failing-in-.rem.patch | 64 +++++++
...ect-mac_offset-to-unwind-gso-skb-in-.patch | 101 +++++++++++
...fix-of_iomap-leak-in-arc_serial_prob.patch | 51 ++++++
queue-4.19/series | 18 ++
...tial-uninit-value-in-vlan_dev_hard_s.patch | 93 ++++++++++
...lose-connected-socket-after-the-time.patch | 54 ++++++
19 files changed, 1413 insertions(+)
create mode 100644 queue-4.19/af_key-reject-optional-tunnel-beet-mode-templates-in.patch
create mode 100644 queue-4.19/cassini-fix-a-memory-leak-in-the-error-handling-path.patch
create mode 100644 queue-4.19/cpupower-make-tsc-read-per-cpu-for-mperf-monitor.patch
create mode 100644 queue-4.19/drivers-provide-devm_platform_ioremap_resource.patch
create mode 100644 queue-4.19/drm-exynos-fix-g2d_open-close-helper-function-defini.patch
create mode 100644 queue-4.19/erspan-get-the-proto-with-the-md-version-for-collect.patch
create mode 100644 queue-4.19/igb-fix-bit_shift-to-be-in-1.8-range.patch
create mode 100644 queue-4.19/ip6_gre-fix-skb_under_panic-in-__gre6_xmit.patch
create mode 100644 queue-4.19/ip6_gre-make-o_seqno-start-from-0-in-native-mode.patch
create mode 100644 queue-4.19/ip_gre-ip6_gre-fix-race-condition-on-o_seqno-in-coll.patch
create mode 100644 queue-4.19/media-netup_unidvb-fix-use-after-free-at-del_timer.patch
create mode 100644 queue-4.19/net-bcmgenet-remove-phy_stop-from-bcmgenet_netif_sto.patch
create mode 100644 queue-4.19/net-bcmgenet-restore-phy_stop-depending-upon-suspend.patch
create mode 100644 queue-4.19/net-fec-better-handle-pm_runtime_get-failing-in-.rem.patch
create mode 100644 queue-4.19/net-nsh-use-correct-mac_offset-to-unwind-gso-skb-in-.patch
create mode 100644 queue-4.19/serial-arc_uart-fix-of_iomap-leak-in-arc_serial_prob.patch
create mode 100644 queue-4.19/vlan-fix-a-potential-uninit-value-in-vlan_dev_hard_s.patch
create mode 100644 queue-4.19/vsock-avoid-to-close-connected-socket-after-the-time.patch
diff --git a/queue-4.19/af_key-reject-optional-tunnel-beet-mode-templates-in.patch b/queue-4.19/af_key-reject-optional-tunnel-beet-mode-templates-in.patch
new file mode 100644
index 00000000000..696f6e1ebf2
--- /dev/null
+++ b/queue-4.19/af_key-reject-optional-tunnel-beet-mode-templates-in.patch
@@ -0,0 +1,71 @@
+From e6230b2426b99f4089230379821494a2413e5dc7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 9 May 2023 11:00:06 +0200
+Subject: af_key: Reject optional tunnel/BEET mode templates in outbound
+ policies
+
+From: Tobias Brunner
+
+[ Upstream commit cf3128a7aca55b2eefb68281d44749c683bdc96f ]
+
+xfrm_state_find() uses `encap_family` of the current template with
+the passed local and remote addresses to find a matching state.
+If an optional tunnel or BEET mode template is skipped in a mixed-family
+scenario, there could be a mismatch causing an out-of-bounds read as
+the addresses were not replaced to match the family of the next template.
+
+While there are theoretical use cases for optional templates in outbound
+policies, the only practical one is to skip IPComp states in inbound
+policies if uncompressed packets are received that are handled by an
+implicitly created IPIP state instead.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Tobias Brunner
+Acked-by: Herbert Xu
+Signed-off-by: Steffen Klassert
+Signed-off-by: Sasha Levin
+---
+ net/key/af_key.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/net/key/af_key.c b/net/key/af_key.c
+index 976b67089ac15..b8456e2f11673 100644
+--- a/net/key/af_key.c
++++ b/net/key/af_key.c
+@@ -1950,7 +1950,8 @@ static u32 gen_reqid(struct net *net)
+ }
+
+ static int
+-parse_ipsecrequest(struct xfrm_policy *xp, struct sadb_x_ipsecrequest *rq)
++parse_ipsecrequest(struct xfrm_policy *xp, struct sadb_x_policy *pol,
++ struct sadb_x_ipsecrequest *rq)
+ {
+ struct net *net = xp_net(xp);
+ struct xfrm_tmpl *t = xp->xfrm_vec + xp->xfrm_nr;
+@@ -1968,9 +1969,12 @@ parse_ipsecrequest(struct xfrm_policy *xp, struct sadb_x_ipsecrequest *rq)
+ if ((mode = pfkey_mode_to_xfrm(rq->sadb_x_ipsecrequest_mode)) < 0)
+ return -EINVAL;
+ t->mode = mode;
+- if (rq->sadb_x_ipsecrequest_level == IPSEC_LEVEL_USE)
++ if (rq->sadb_x_ipsecrequest_level == IPSEC_LEVEL_USE) {
++ if ((mode == XFRM_MODE_TUNNEL || mode == XFRM_MODE_BEET) &&
++ pol->sadb_x_policy_dir == IPSEC_DIR_OUTBOUND)
++ return -EINVAL;
+ t->optional = 1;
+- else if (rq->sadb_x_ipsecrequest_level == IPSEC_LEVEL_UNIQUE) {
++ } else if (rq->sadb_x_ipsecrequest_level == IPSEC_LEVEL_UNIQUE) {
+ t->reqid = rq->sadb_x_ipsecrequest_reqid;
+ if (t->reqid > IPSEC_MANUAL_REQID_MAX)
+ t->reqid = 0;
+@@ -2012,7 +2016,7 @@ parse_ipsecrequests(struct xfrm_policy *xp, struct sadb_x_policy *pol)
+ rq->sadb_x_ipsecrequest_len < sizeof(*rq))
+ return -EINVAL;
+
+- if ((err = parse_ipsecrequest(xp, rq)) < 0)
++ if ((err = parse_ipsecrequest(xp, pol, rq)) < 0)
+ return err;
+ len -= rq->sadb_x_ipsecrequest_len;
+ rq = (void*)((u8*)rq + rq->sadb_x_ipsecrequest_len);
+--
+2.39.2
+
diff --git a/queue-4.19/cassini-fix-a-memory-leak-in-the-error-handling-path.patch b/queue-4.19/cassini-fix-a-memory-leak-in-the-error-handling-path.patch
new file mode 100644
index 00000000000..877697e15d3
--- /dev/null
+++ b/queue-4.19/cassini-fix-a-memory-leak-in-the-error-handling-path.patch
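Review bot: The new rejection in parse_ipsecrequest() (net/key/af_key.c) carries no comment, so nothing at the `IPSEC_LEVEL_USE` branch says why tunnel/BEET templates with `pol->sadb_x_policy_dir == IPSEC_DIR_OUTBOUND` now return -EINVAL. A comment above the inner `if`, such as `/* optional tunnel/BEET templates in outbound policies can leave the addresses in the wrong family for the next template */`, would keep the guard from being relaxed later. The patch touches only the PF_KEY parser, so policies installed through any other interface need the same validation; whether this tree has it is not visible here and should be confirmed. Since `pol` is only read, it could be declared `const struct sadb_x_policy *pol`.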
@@ -0,0 +1,42 @@
+From 9de602982ded302828d85b47c52009e30b2764aa Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 15 May 2023 21:09:11 +0200
+Subject: cassini: Fix a memory leak in the error handling path of
+ cas_init_one()
+
+From: Christophe JAILLET
+
+[ Upstream commit 412cd77a2c24b191c65ea53025222418db09817c ]
+
+cas_saturn_firmware_init() allocates some memory using vmalloc(). This
+memory is freed in the .remove() function but not it the error handling
+path of the probe.
+
+Add the missing vfree() to avoid a memory leak, should an error occur.
+
+Fixes: fcaa40669cd7 ("cassini: use request_firmware")
+Signed-off-by: Christophe JAILLET
+Reviewed-by: Pavan Chebbi
+Reviewed-by: Simon Horman
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/sun/cassini.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/sun/cassini.c b/drivers/net/ethernet/sun/cassini.c
+index d323dd9daccb0..a3a5edb8bc666 100644
+--- a/drivers/net/ethernet/sun/cassini.c
++++ b/drivers/net/ethernet/sun/cassini.c
+@@ -5138,6 +5138,8 @@ static int cas_init_one(struct pci_dev *pdev, const struct pci_device_id *ent)
+ cas_shutdown(cp);
+ mutex_unlock(&cp->pm_mutex);
+
++ vfree(cp->fw_data);
++
+ pci_iounmap(pdev, cp->regs);
+
+
+--
+2.39.2
+
diff --git a/queue-4.19/cpupower-make-tsc-read-per-cpu-for-mperf-monitor.patch b/queue-4.19/cpupower-make-tsc-read-per-cpu-for-mperf-monitor.patch
new file mode 100644
index 00000000000..2d2b7fb7e2d
--- /dev/null
+++ b/queue-4.19/cpupower-make-tsc-read-per-cpu-for-mperf-monitor.patch
@@ -0,0 +1,159 @@
+From 188f1cd1f5ecef090c5fb23babacacdff2895c7e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 4 May 2023 06:25:44 +0000
+Subject: cpupower: Make TSC read per CPU for Mperf monitor
+
+From: Wyes Karny
+
+[ Upstream commit c2adb1877b76fc81ae041e1db1a6ed2078c6746b ]
+
+System-wide TSC read could cause a drift in C0 percentage calculation.
+Because if first TSC is read and then one by one mperf is read for all
+cpus, this introduces drift between mperf reading of later CPUs and TSC
+reading. To lower this drift read TSC per CPU and also just after mperf
+read. This technique improves C0 percentage calculation in Mperf monitor.
+
+Before fix: (System 100% busy)
+
+ | Mperf || RAPL || Idle_Stats
+ PKG|CORE| CPU| C0 | Cx | Freq || pack | core || POLL | C1 | C2
+ 0| 0| 0| 87.15| 12.85| 2695||168659003|3970468|| 0.00| 0.00| 0.00
+ 0| 0| 256| 84.62| 15.38| 2695||168659003|3970468|| 0.00| 0.00| 0.00
+ 0| 1| 1| 87.15| 12.85| 2695||168659003|3970468|| 0.00| 0.00| 0.00
+ 0| 1| 257| 84.08| 15.92| 2695||168659003|3970468|| 0.00| 0.00| 0.00
+ 0| 2| 2| 86.61| 13.39| 2695||168659003|3970468|| 0.00| 0.00| 0.00
+ 0| 2| 258| 83.26| 16.74| 2695||168659003|3970468|| 0.00| 0.00| 0.00
+ 0| 3| 3| 86.61| 13.39| 2695||168659003|3970468|| 0.00| 0.00| 0.00
+ 0| 3| 259| 83.60| 16.40| 2695||168659003|3970468|| 0.00| 0.00| 0.00
+ 0| 4| 4| 86.33| 13.67| 2695||168659003|3970468|| 0.00| 0.00| 0.00
+ 0| 4| 260| 83.33| 16.67| 2695||168659003|3970468|| 0.00| 0.00| 0.00
+ 0| 5| 5| 86.06| 13.94| 2695||168659003|3970468|| 0.00| 0.00| 0.00
+ 0| 5| 261| 83.05| 16.95| 2695||168659003|3970468|| 0.00| 0.00| 0.00
+ 0| 6| 6| 85.51| 14.49| 2695||168659003|3970468|| 0.00| 0.00| 0.00
+
+After fix: (System 100% busy)
+
+ | Mperf || RAPL || Idle_Stats
+ PKG|CORE| CPU| C0 | Cx | Freq || pack | core || POLL | C1 | C2
+ 0| 0| 0| 98.03| 1.97| 2415||163295480|3811189|| 0.00| 0.00| 0.00
+ 0| 0| 256| 98.50| 1.50| 2394||163295480|3811189|| 0.00| 0.00| 0.00
+ 0| 1| 1| 99.99| 0.01| 2401||163295480|3811189|| 0.00| 0.00| 0.00
+ 0| 1| 257| 99.99| 0.01| 2375||163295480|3811189|| 0.00| 0.00| 0.00
+ 0| 2| 2| 99.99| 0.01| 2401||163295480|3811189|| 0.00| 0.00| 0.00
+ 0| 2| 258|100.00| 0.00| 2401||163295480|3811189|| 0.00| 0.00| 0.00
+ 0| 3| 3|100.00| 0.00| 2401||163295480|3811189|| 0.00| 0.00| 0.00
+ 0| 3| 259| 99.99| 0.01| 2435||163295480|3811189|| 0.00| 0.00| 0.00
+ 0| 4| 4|100.00| 0.00| 2401||163295480|3811189|| 0.00| 0.00| 0.00
+ 0| 4| 260|100.00| 0.00| 2435||163295480|3811189|| 0.00| 0.00| 0.00
+ 0| 5| 5| 99.99| 0.01| 2401||163295480|3811189|| 0.00| 0.00| 0.00
+ 0| 5| 261|100.00| 0.00| 2435||163295480|3811189|| 0.00| 0.00| 0.00
+ 0| 6| 6|100.00| 0.00| 2401||163295480|3811189|| 0.00| 0.00| 0.00
+ 0| 6| 262|100.00| 0.00| 2435||163295480|3811189|| 0.00| 0.00| 0.00
+
+Cc: Thomas Renninger
+Cc: Shuah Khan
+Cc: Dominik Brodowski
+
+Fixes: 7fe2f6399a84 ("cpupowerutils - cpufrequtils extended with quite some features")
+Signed-off-by: Wyes Karny
+Signed-off-by: Shuah Khan
+Signed-off-by: Sasha Levin
+---
+ .../utils/idle_monitor/mperf_monitor.c | 31 +++++++++----------
+ 1 file changed, 14 insertions(+), 17 deletions(-)
+
+diff --git a/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c b/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c
+index d7c2a6d13dea1..2221e43c63ce0 100644
+--- a/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c
++++ b/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c
+@@ -67,8 +67,8 @@ static int max_freq_mode;
+ */
+ static unsigned long max_frequency;
+
+-static unsigned long long tsc_at_measure_start;
+-static unsigned long long tsc_at_measure_end;
++static unsigned long long *tsc_at_measure_start;
++static unsigned long long *tsc_at_measure_end;
+ static unsigned long long *mperf_previous_count;
+ static unsigned long long *aperf_previous_count;
+ static unsigned long long *mperf_current_count;
+@@ -131,7 +131,7 @@ static int mperf_get_count_percent(unsigned int id, double *percent,
+ aperf_diff = aperf_current_count[cpu] - aperf_previous_count[cpu];
+
+ if (max_freq_mode == MAX_FREQ_TSC_REF) {
+- tsc_diff = tsc_at_measure_end - tsc_at_measure_start;
++ tsc_diff = tsc_at_measure_end[cpu] - tsc_at_measure_start[cpu];
+ *percent = 100.0 * mperf_diff / tsc_diff;
+ dprint("%s: TSC Ref - mperf_diff: %llu, tsc_diff: %llu\n",
+ mperf_cstates[id].name, mperf_diff, tsc_diff);
+@@ -168,7 +168,7 @@ static int mperf_get_count_freq(unsigned int id, unsigned long long *count,
+
+ if (max_freq_mode == MAX_FREQ_TSC_REF) {
+ /* Calculate max_freq from TSC count */
+- tsc_diff = tsc_at_measure_end - tsc_at_measure_start;
++ tsc_diff = tsc_at_measure_end[cpu] - tsc_at_measure_start[cpu];
+ time_diff = timespec_diff_us(time_start, time_end);
+ max_frequency = tsc_diff / time_diff;
+ }
+@@ -187,33 +187,27 @@ static int mperf_get_count_freq(unsigned int id, unsigned long long *count,
+ static int mperf_start(void)
+ {
+ int cpu;
+- unsigned long long dbg;
+
+ clock_gettime(CLOCK_REALTIME, &time_start);
+- mperf_get_tsc(&tsc_at_measure_start);
+
+- for (cpu = 0; cpu < cpu_count; cpu++)
++ for (cpu = 0; cpu < cpu_count; cpu++) {
++ mperf_get_tsc(&tsc_at_measure_start[cpu]);
+ mperf_init_stats(cpu);
++ }
+
+- mperf_get_tsc(&dbg);
+- dprint("TSC diff: %llu\n", dbg - tsc_at_measure_start);
+ return 0;
+ }
+
+ static int mperf_stop(void)
+ {
+- unsigned long long dbg;
+ int cpu;
+
+- for (cpu = 0; cpu < cpu_count; cpu++)
++ for (cpu = 0; cpu < cpu_count; cpu++) {
+ mperf_measure_stats(cpu);
++ mperf_get_tsc(&tsc_at_measure_end[cpu]);
++ }
+
+- mperf_get_tsc(&tsc_at_measure_end);
+ clock_gettime(CLOCK_REALTIME, &time_end);
+-
+- mperf_get_tsc(&dbg);
+- dprint("TSC diff: %llu\n", dbg - tsc_at_measure_end);
+-
+ return 0;
+ }
+
+@@ -311,7 +305,8 @@ struct cpuidle_monitor *mperf_register(void)
+ aperf_previous_count = calloc(cpu_count, sizeof(unsigned long long));
+ mperf_current_count = calloc(cpu_count, sizeof(unsigned long long));
+ aperf_current_count = calloc(cpu_count, sizeof(unsigned long long));
+-
++ tsc_at_measure_start = calloc(cpu_count, sizeof(unsigned long long));
++ tsc_at_measure_end = calloc(cpu_count, sizeof(unsigned long long));
+ mperf_monitor.name_len = strlen(mperf_monitor.name);
+ return &mperf_monitor;
+ }
+@@ -322,6 +317,8 @@ void mperf_unregister(void)
+ free(aperf_previous_count);
+ free(mperf_current_count);
+ free(aperf_current_count);
++ free(tsc_at_measure_start);
++ free(tsc_at_measure_end);
+ free(is_valid);
+ }
+
+--
+2.39.2
+
diff --git a/queue-4.19/drivers-provide-devm_platform_ioremap_resource.patch b/queue-4.19/drivers-provide-devm_platform_ioremap_resource.patch
new file mode 100644
index 00000000000..092f2a4882e
--- /dev/null
+++ b/queue-4.19/drivers-provide-devm_platform_ioremap_resource.patch
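Review bot: The two `calloc()` calls added to mperf_register() (mperf_monitor.c) are not checked, while mperf_start() and mperf_stop() now write through `tsc_at_measure_start[cpu]` and `tsc_at_measure_end[cpu]` on every measurement, so an allocation failure turns into a NULL dereference. The neighbouring counters visible in the same hunk are allocated the same way, so one check after the last allocation could cover them, for example `if (!tsc_at_measure_start || !tsc_at_measure_end) return NULL;` after freeing what was allocated, assuming callers of mperf_register() treat NULL as "monitor unavailable", which is not visible here. The result of `mperf_get_tsc()` is also discarded in both loops; if that call can fail, the per-CPU slot keeps a zero or stale value and the `tsc_diff` used in mperf_get_count_percent() and mperf_get_count_freq() is computed from it.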
@@ -0,0 +1,74 @@
+From 17a5bcaed6ff4fa7dd95614539ea0eebcaca5b56 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 20 Feb 2019 11:12:39 +0000
+Subject: drivers: provide devm_platform_ioremap_resource()
+
+From: Bartosz Golaszewski
+
+[ Upstream commit 7945f929f1a77a1c8887a97ca07f87626858ff42 ]
+
+There are currently 1200+ instances of using platform_get_resource()
+and devm_ioremap_resource() together in the kernel tree.
+
+This patch wraps these two calls in a single helper. Thanks to that
+we don't have to declare a local variable for struct resource * and can
+omit the redundant argument for resource type. We also have one
+function call less.
+
+Signed-off-by: Bartosz Golaszewski
+Acked-by: Greg Kroah-Hartman
+Reviewed-by: Andy Shevchenko
+Signed-off-by: Linus Walleij
+Stable-dep-of: 8ab5fc55d7f6 ("serial: arc_uart: fix of_iomap leak in `arc_serial_probe`")
+Signed-off-by: Sasha Levin
+---
+ drivers/base/platform.c | 18 ++++++++++++++++++
+ include/linux/platform_device.h | 3 +++
+ 2 files changed, 21 insertions(+)
+
+diff --git a/drivers/base/platform.c b/drivers/base/platform.c
+index 349c2754eed78..ea83c279b8a36 100644
+--- a/drivers/base/platform.c
++++ b/drivers/base/platform.c
+@@ -80,6 +80,24 @@ struct resource *platform_get_resource(struct platform_device *dev,
+ }
+ EXPORT_SYMBOL_GPL(platform_get_resource);
+
++/**
++ * devm_platform_ioremap_resource - call devm_ioremap_resource() for a platform
++ * device
++ *
++ * @pdev: platform device to use both for memory resource lookup as well as
++ * resource managemend
++ * @index: resource index
++ */
++void __iomem *devm_platform_ioremap_resource(struct platform_device *pdev,
++ unsigned int index)
++{
++ struct resource *res;
++
++ res = platform_get_resource(pdev, IORESOURCE_MEM, index);
++ return devm_ioremap_resource(&pdev->dev, res);
++}
++EXPORT_SYMBOL_GPL(devm_platform_ioremap_resource);
++
+ /**
+ * platform_get_irq - get an IRQ for a device
+ * @dev: platform device
+diff --git a/include/linux/platform_device.h b/include/linux/platform_device.h
+index 1a9f38f27f656..9e5c98fcea8c6 100644
+--- a/include/linux/platform_device.h
++++ b/include/linux/platform_device.h
+@@ -51,6 +51,9 @@ extern struct device platform_bus;
+ extern void arch_setup_pdev_archdata(struct platform_device *);
+ extern struct resource *platform_get_resource(struct platform_device *,
+ unsigned int, unsigned int);
++extern void __iomem *
++devm_platform_ioremap_resource(struct platform_device *pdev,
++ unsigned int index);
+ extern int platform_get_irq(struct platform_device *, unsigned int);
+ extern int platform_irq_count(struct platform_device *);
+ extern struct resource *platform_get_resource_byname(struct platform_device *,
+--
+2.39.2
+
diff --git a/queue-4.19/drm-exynos-fix-g2d_open-close-helper-function-defini.patch b/queue-4.19/drm-exynos-fix-g2d_open-close-helper-function-defini.patch
new file mode 100644
index 00000000000..cc250b72986
--- /dev/null
+++ b/queue-4.19/drm-exynos-fix-g2d_open-close-helper-function-defini.patch
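Review bot: The kernel-doc added for devm_platform_ioremap_resource() (drivers/base/platform.c) has no `Return:` section, and the return convention is what callers most need to know: the result of devm_ioremap_resource() is handed back unchanged, and that function reports failure as an ERR_PTR() value rather than NULL. Suggest adding ` * Return: pointer to the remapped memory, or an ERR_PTR() encoded error code on failure.` so new users test the result with IS_ERR(). `platform_get_resource()` can return NULL for a missing index and `res` is passed on unchecked, which relies on devm_ioremap_resource() rejecting a NULL resource; that dependency is worth one line in the comment as well. In the `@pdev` description, "managemend" should read "management".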
@@ -0,0 +1,48 @@
+From 1db295888bbc13bad4c23294abb3966efa6e32c1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 17 Apr 2023 23:04:11 +0200
+Subject: drm/exynos: fix g2d_open/close helper function definitions
+
+From: Arnd Bergmann
+
+[ Upstream commit 2ef0785b30bd6549ddbc124979f1b6596e065ae2 ]
+
+The empty stub functions are defined as global functions, which
+causes a warning because of missing prototypes:
+
+drivers/gpu/drm/exynos/exynos_drm_g2d.h:37:5: error: no previous prototype for 'g2d_open'
+drivers/gpu/drm/exynos/exynos_drm_g2d.h:42:5: error: no previous prototype for 'g2d_close'
+
+Mark them as 'static inline' to avoid the warning and to make
+them behave as intended.
+
+Fixes: eb4d9796fa34 ("drm/exynos: g2d: Convert to driver component API")
+Signed-off-by: Arnd Bergmann
+Reviewed-by: Andi Shyti
+Signed-off-by: Inki Dae
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/exynos/exynos_drm_g2d.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/exynos/exynos_drm_g2d.h b/drivers/gpu/drm/exynos/exynos_drm_g2d.h
+index 287b2ed8f1782..60e420cd4caaa 100644
+--- a/drivers/gpu/drm/exynos/exynos_drm_g2d.h
++++ b/drivers/gpu/drm/exynos/exynos_drm_g2d.h
+@@ -37,11 +37,11 @@ static inline int exynos_g2d_exec_ioctl(struct drm_device *dev, void *data,
+ return -ENODEV;
+ }
+
+-int g2d_open(struct drm_device *drm_dev, struct drm_file *file)
++static inline int g2d_open(struct drm_device *drm_dev, struct drm_file *file)
+ {
+ return 0;
+ }
+
+-void g2d_close(struct drm_device *drm_dev, struct drm_file *file)
++static inline void g2d_close(struct drm_device *drm_dev, struct drm_file *file)
+ { }
+ #endif
+--
+2.39.2
+
diff --git a/queue-4.19/erspan-get-the-proto-with-the-md-version-for-collect.patch b/queue-4.19/erspan-get-the-proto-with-the-md-version-for-collect.patch
new file mode 100644
index 00000000000..82870231bfc
--- /dev/null
+++ b/queue-4.19/erspan-get-the-proto-with-the-md-version-for-collect.patch
@@ -0,0 +1,81 @@
+From eb7697a5fcae3d58bd7430760f6e340eba33a7ca Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 11 May 2023 19:22:11 -0400
+Subject: erspan: get the proto with the md version for collect_md
+
+From: Xin Long
+
+[ Upstream commit d80fc101d2eb9b3188c228d61223890aeea480a4 ]
+
+In commit 20704bd1633d ("erspan: build the header with the right proto
+according to erspan_ver"), it gets the proto with t->parms.erspan_ver,
+but t->parms.erspan_ver is not used by collect_md branch, and instead
+it should get the proto with md->version for collect_md.
+
+Thanks to Kevin for pointing this out.
+
+Fixes: 20704bd1633d ("erspan: build the header with the right proto according to erspan_ver")
+Fixes: 94d7d8f29287 ("ip6_gre: add erspan v2 support")
+Reported-by: Kevin Traynor
+Signed-off-by: Xin Long
+Reviewed-by: Simon Horman
+Reviewed-by: William Tu
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/ipv6/ip6_gre.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
+index c74b4cf4b66a0..45c304b51b2b7 100644
+--- a/net/ipv6/ip6_gre.c
++++ b/net/ipv6/ip6_gre.c
+@@ -1021,12 +1021,14 @@ static netdev_tx_t ip6erspan_tunnel_xmit(struct sk_buff *skb,
+ ntohl(tun_id),
+ ntohl(md->u.index), truncate,
+ false);
++ proto = htons(ETH_P_ERSPAN);
+ } else if (md->version == 2) {
+ erspan_build_header_v2(skb,
+ ntohl(tun_id),
+ md->u.md2.dir,
+ get_hwid(&md->u.md2),
+ truncate, false);
++ proto = htons(ETH_P_ERSPAN2);
+ } else {
+ goto tx_err;
+ }
+@@ -1049,24 +1051,25 @@ static netdev_tx_t ip6erspan_tunnel_xmit(struct sk_buff *skb,
+ break;
+ }
+
+- if (t->parms.erspan_ver == 1)
++ if (t->parms.erspan_ver == 1) {
+ erspan_build_header(skb, ntohl(t->parms.o_key),
+ t->parms.index,
+ truncate, false);
+- else if (t->parms.erspan_ver == 2)
++ proto = htons(ETH_P_ERSPAN);
++ } else if (t->parms.erspan_ver == 2) {
+ erspan_build_header_v2(skb, ntohl(t->parms.o_key),
+ t->parms.dir,
+ t->parms.hwid,
+ truncate, false);
+- else
++ proto = htons(ETH_P_ERSPAN2);
++ } else {
+ goto tx_err;
++ }
+
+ fl6.daddr = t->parms.raddr;
+ }
+
+ /* Push GRE header. */
+- proto = (t->parms.erspan_ver == 1) ? htons(ETH_P_ERSPAN)
+- : htons(ETH_P_ERSPAN2);
+ gre_build_header(skb, 8, TUNNEL_SEQ, proto, 0, htonl(atomic_fetch_inc(&t->o_seqno)));
+
+ /* TooBig packet may have updated dst->dev's mtu */
+--
+2.39.2
+
diff --git a/queue-4.19/igb-fix-bit_shift-to-be-in-1.8-range.patch b/queue-4.19/igb-fix-bit_shift-to-be-in-1.8-range.patch
new file mode 100644
index 00000000000..c00593d58e7
--- /dev/null
+++ b/queue-4.19/igb-fix-bit_shift-to-be-in-1.8-range.patch
@@ -0,0 +1,50 @@
+From a87a6184863004c06df64da4f6b5cee006680ec1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 16 May 2023 10:41:46 -0700
+Subject: igb: fix bit_shift to be in [1..8] range
+
+From: Aleksandr Loktionov
+
+[ Upstream commit 60d758659f1fb49e0d5b6ac2691ede8c0958795b ]
+
+In igb_hash_mc_addr() the expression:
+ "mc_addr[4] >> 8 - bit_shift", right shifting "mc_addr[4]"
+shift by more than 7 bits always yields zero, so hash becomes not so different.
+Add initialization with bit_shift = 1 and add a loop condition to ensure
+bit_shift will be always in [1..8] range.
+
+Fixes: 9d5c824399de ("igb: PCI-Express 82575 Gigabit Ethernet driver")
+Signed-off-by: Aleksandr Loktionov
+Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/igb/e1000_mac.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igb/e1000_mac.c b/drivers/net/ethernet/intel/igb/e1000_mac.c
+index 79ee0a7472608..4e69cb2c025fd 100644
+--- a/drivers/net/ethernet/intel/igb/e1000_mac.c
++++ b/drivers/net/ethernet/intel/igb/e1000_mac.c
+@@ -425,7 +425,7 @@ void igb_mta_set(struct e1000_hw *hw, u32 hash_value)
+ static u32 igb_hash_mc_addr(struct e1000_hw *hw, u8 *mc_addr)
+ {
+ u32 hash_value, hash_mask;
+- u8 bit_shift = 0;
++ u8 bit_shift = 1;
+
+ /* Register count multiplied by bits per register */
+ hash_mask = (hw->mac.mta_reg_count * 32) - 1;
+@@ -433,7 +433,7 @@ static u32 igb_hash_mc_addr(struct e1000_hw *hw, u8 *mc_addr)
+ /* For a mc_filter_type of 0, bit_shift is the number of left-shifts
+ * where 0xFF would still fall within the hash mask.
+ */
+- while (hash_mask >> bit_shift != 0xFF)
++ while (hash_mask >> bit_shift != 0xFF && bit_shift < 4)
+ bit_shift++;
+
+ /* The portion of the address that is used for the hash table
+--
+2.39.2
+
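Review bot: The added loop bound `bit_shift < 4` in igb_hash_mc_addr() (e1000_mac.c) does not match the range given in the patch subject: starting from `u8 bit_shift = 1`, the loop can leave bit_shift only in 1..4, not 1..8. If 4 is the intended cap, the existing comment above the loop should state it and the reason, for example `/* bit_shift starts at 1 so "mc_addr[4] >> 8 - bit_shift" never shifts by 8; the loop caps it at 4 */`; if 8 was meant, the condition is wrong. The loop now also terminates when `hash_mask >> bit_shift` never equals 0xFF, and that case silently yields bit_shift == 4, which deserves a word in the same comment. The rest of the function body lies outside the hunk.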
diff --git a/queue-4.19/ip6_gre-fix-skb_under_panic-in-__gre6_xmit.patch b/queue-4.19/ip6_gre-fix-skb_under_panic-in-__gre6_xmit.patch
new file mode 100644
index 00000000000..c4154fceaf4
--- /dev/null
+++ b/queue-4.19/ip6_gre-fix-skb_under_panic-in-__gre6_xmit.patch
@@ -0,0 +1,128 @@
+From bd2b9ccddda249bdb6bfadd142b587bac1c0cf64 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 14 Apr 2022 13:35:40 -0700
+Subject: ip6_gre: Fix skb_under_panic in __gre6_xmit()
+
+From: Peilin Ye
+
+[ Upstream commit ab198e1d0dd8dc4bc7575fb50758e2cbd51e14e1 ]
+
+Feng reported an skb_under_panic BUG triggered by running
+test_ip6gretap() in tools/testing/selftests/bpf/test_tunnel.sh:
+
+[ 82.492551] skbuff: skb_under_panic: text:ffffffffb268bb8e len:403 put:12 head:ffff9997c5480000 data:ffff9997c547fff8 tail:0x18b end:0x2c0 dev:ip6gretap11
+<...>
+[ 82.607380] Call Trace:
+[ 82.609389]
+[ 82.611136] skb_push.cold.109+0x10/0x10
+[ 82.614289] __gre6_xmit+0x41e/0x590
+[ 82.617169] ip6gre_tunnel_xmit+0x344/0x3f0
+[ 82.620526] dev_hard_start_xmit+0xf1/0x330
+[ 82.623882] sch_direct_xmit+0xe4/0x250
+[ 82.626961] __dev_queue_xmit+0x720/0xfe0
+<...>
+[ 82.633431] packet_sendmsg+0x96a/0x1cb0
+[ 82.636568] sock_sendmsg+0x30/0x40
+<...>
+
+The following sequence of events caused the BUG:
+
+1. During ip6gretap device initialization, tunnel->tun_hlen (e.g. 4) is
+ calculated based on old flags (see ip6gre_calc_hlen());
+2. packet_snd() reserves header room for skb A, assuming
+ tunnel->tun_hlen is 4;
+3. Later (in clsact Qdisc), the eBPF program sets a new tunnel key for
+ skb A using bpf_skb_set_tunnel_key() (see _ip6gretap_set_tunnel());
+4. __gre6_xmit() detects the new tunnel key, and recalculates
+ "tun_hlen" (e.g. 12) based on new flags (e.g. TUNNEL_KEY and
+ TUNNEL_SEQ);
+5. gre_build_header() calls skb_push() with insufficient reserved header
+ room, triggering the BUG.
+
+As sugguested by Cong, fix it by moving the call to skb_cow_head() after
+the recalculation of tun_hlen.
+
+Reproducer:
+
+ OBJ=$LINUX/tools/testing/selftests/bpf/test_tunnel_kern.o
+
+ ip netns add at_ns0
+ ip link add veth0 type veth peer name veth1
+ ip link set veth0 netns at_ns0
+ ip netns exec at_ns0 ip addr add 172.16.1.100/24 dev veth0
+ ip netns exec at_ns0 ip link set dev veth0 up
+ ip link set dev veth1 up mtu 1500
+ ip addr add dev veth1 172.16.1.200/24
+
+ ip netns exec at_ns0 ip addr add ::11/96 dev veth0
+ ip netns exec at_ns0 ip link set dev veth0 up
+ ip addr add dev veth1 ::22/96
+ ip link set dev veth1 up
+
+ ip netns exec at_ns0 \
+ ip link add dev ip6gretap00 type ip6gretap seq flowlabel 0xbcdef key 2 \
+ local ::11 remote ::22
+
+ ip netns exec at_ns0 ip addr add dev ip6gretap00 10.1.1.100/24
+ ip netns exec at_ns0 ip addr add dev ip6gretap00 fc80::100/96
+ ip netns exec at_ns0 ip link set dev ip6gretap00 up
+
+ ip link add dev ip6gretap11 type ip6gretap external
+ ip addr add dev ip6gretap11 10.1.1.200/24
+ ip addr add dev ip6gretap11 fc80::200/24
+ ip link set dev ip6gretap11 up
+
+ tc qdisc add dev ip6gretap11 clsact
+ tc filter add dev ip6gretap11 egress bpf da obj $OBJ sec ip6gretap_set_tunnel
+ tc filter add dev ip6gretap11 ingress bpf da obj $OBJ sec ip6gretap_get_tunnel
+
+ ping6 -c 3 -w 10 -q ::11
+
+Fixes: 6712abc168eb ("ip6_gre: add ip6 gre and gretap collect_md mode")
+Reported-by: Feng Zhou
+Co-developed-by: Cong Wang
+Signed-off-by: Cong Wang
+Signed-off-by: Peilin Ye
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/ipv6/ip6_gre.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
+index 166b7544e54a4..17765865cb536 100644
+--- a/net/ipv6/ip6_gre.c
++++ b/net/ipv6/ip6_gre.c
+@@ -740,9 +740,6 @@ static netdev_tx_t __gre6_xmit(struct sk_buff *skb,
+ else
+ fl6->daddr = tunnel->parms.raddr;
+
+- if (skb_cow_head(skb, dev->needed_headroom ?: tunnel->hlen))
+- return -ENOMEM;
+-
+ /* Push GRE header. */
+ protocol = (dev->type == ARPHRD_ETHER) ? htons(ETH_P_TEB) : proto;
+
+@@ -770,6 +767,9 @@ static netdev_tx_t __gre6_xmit(struct sk_buff *skb,
+ (TUNNEL_CSUM | TUNNEL_KEY | TUNNEL_SEQ);
+ tun_hlen = gre_calc_hlen(flags);
+
++ if (skb_cow_head(skb, dev->needed_headroom ?: tun_hlen + tunnel->encap_hlen))
++ return -ENOMEM;
++
+ gre_build_header(skb, tun_hlen,
+ flags, protocol,
+ tunnel_id_to_key32(tun_info->key.tun_id),
+@@ -780,6 +780,9 @@ static netdev_tx_t __gre6_xmit(struct sk_buff *skb,
+ if (tunnel->parms.o_flags & TUNNEL_SEQ)
+ tunnel->o_seqno++;
+
++ if (skb_cow_head(skb, dev->needed_headroom ?: tunnel->hlen))
++ return -ENOMEM;
++
+ gre_build_header(skb, tunnel->tun_hlen, tunnel->parms.o_flags,
+ protocol, tunnel->parms.o_key,
+ htonl(tunnel->o_seqno));
+--
+2.39.2
+
diff --git a/queue-4.19/ip6_gre-make-o_seqno-start-from-0-in-native-mode.patch b/queue-4.19/ip6_gre-make-o_seqno-start-from-0-in-native-mode.patch
new file mode 100644
index 00000000000..1e9fa4c350a
--- /dev/null
+++ b/queue-4.19/ip6_gre-make-o_seqno-start-from-0-in-native-mode.patch
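Review bot: In the collect_md branch of __gre6_xmit() (ip6_gre-fix-skb_under_panic patch) the headroom passed to skb_cow_head() is `dev->needed_headroom ?: tun_hlen + tunnel->encap_hlen`, so the freshly recalculated `tun_hlen` is used only when needed_headroom is zero. If a non-zero needed_headroom was sized from the init-time header length, which this hunk does not show and needs confirming, gre_build_header() could still push more than was reserved, which is the skb_under_panic condition the patch sets out to remove. Consider `if (skb_cow_head(skb, max_t(int, dev->needed_headroom, tun_hlen + tunnel->encap_hlen)))`, or add a comment stating why a non-zero needed_headroom always covers the recalculated length. Both added `return -ENOMEM;` lines also return a negative errno from a function declared `netdev_tx_t`; that matches the removed line, but a comment on how callers interpret it would help, since the declared type does not describe that value.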
@@ -0,0 +1,70 @@
+From 4baf155589e720ac3302ef954de32a5959a6809a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 21 Apr 2022 15:08:38 -0700
+Subject: ip6_gre: Make o_seqno start from 0 in native mode
+
+From: Peilin Ye
+
+[ Upstream commit fde98ae91f79cab4e020f40c35ed23cbdc59661c ]
+
+For IP6GRE and IP6GRETAP devices, currently o_seqno starts from 1 in
+native mode. According to RFC 2890 2.2., "The first datagram is sent
+with a sequence number of 0." Fix it.
+
+It is worth mentioning that o_seqno already starts from 0 in collect_md
+mode, see the "if (tunnel->parms.collect_md)" clause in __gre6_xmit(),
+where tunnel->o_seqno is passed to gre_build_header() before getting
+incremented.
+
+Fixes: c12b395a4664 ("gre: Support GRE over IPv6")
+Signed-off-by: Peilin Ye
+Acked-by: William Tu
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/ipv6/ip6_gre.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
+index 17765865cb536..749b2e5adcb0a 100644
+--- a/net/ipv6/ip6_gre.c
++++ b/net/ipv6/ip6_gre.c
+@@ -731,6 +731,7 @@ static netdev_tx_t __gre6_xmit(struct sk_buff *skb,
+ {
+ struct ip6_tnl *tunnel = netdev_priv(dev);
+ __be16 protocol;
++ __be16 flags;
+
+ if (dev->type == ARPHRD_ETHER)
+ IPCB(skb)->flags = 0;
+@@ -746,7 +747,6 @@ static netdev_tx_t __gre6_xmit(struct sk_buff *skb,
+ if (tunnel->parms.collect_md) {
+ struct ip_tunnel_info *tun_info;
+ const struct ip_tunnel_key *key;
+- __be16 flags;
+ int tun_hlen;
+
+ tun_info = skb_tunnel_info(skb);
+@@ -777,15 +777,14 @@ static netdev_tx_t __gre6_xmit(struct sk_buff *skb,
+ : 0);
+
+ } else {
+- if (tunnel->parms.o_flags & TUNNEL_SEQ)
+- tunnel->o_seqno++;
+-
+ if (skb_cow_head(skb, dev->needed_headroom ?: tunnel->hlen))
+ return -ENOMEM;
+
+- gre_build_header(skb, tunnel->tun_hlen, tunnel->parms.o_flags,
++ flags = tunnel->parms.o_flags;
++
++ gre_build_header(skb, tunnel->tun_hlen, flags,
+ protocol, tunnel->parms.o_key,
+- htonl(tunnel->o_seqno));
++ (flags & TUNNEL_SEQ) ? htonl(tunnel->o_seqno++) : 0);
+ }
+
+ return ip6_tnl_xmit(skb, dev, dsfield, fl6, encap_limit, pmtu,
+--
+2.39.2
+
diff --git a/queue-4.19/ip_gre-ip6_gre-fix-race-condition-on-o_seqno-in-coll.patch b/queue-4.19/ip_gre-ip6_gre-fix-race-condition-on-o_seqno-in-coll.patch
new file mode 100644
index 00000000000..b5aa0b286d4
--- /dev/null
+++ b/queue-4.19/ip_gre-ip6_gre-fix-race-condition-on-o_seqno-in-coll.patch
@@ -0,0 +1,152 @@
+From 4a74f2e9ef2d70dca7bf21bd599127f8b1e1ff65 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 21 Apr 2022 15:09:02 -0700
+Subject: ip_gre, ip6_gre: Fix race condition on o_seqno in collect_md mode
+
+From: Peilin Ye
+
+[ Upstream commit 31c417c948d7f6909cb63f0ac3298f3c38f8ce20 ]
+
+As pointed out by Jakub Kicinski, currently using TUNNEL_SEQ in
+collect_md mode is racy for [IP6]GRE[TAP] devices. Consider the
+following sequence of events:
+
+1. An [IP6]GRE[TAP] device is created in collect_md mode using "ip link
+ add ... external". "ip" ignores "[o]seq" if "external" is specified,
+ so TUNNEL_SEQ is off, and the device is marked as NETIF_F_LLTX (i.e.
+ it uses lockless TX);
+2. Someone sets TUNNEL_SEQ on outgoing skb's, using e.g.
+ bpf_skb_set_tunnel_key() in an eBPF program attached to this device;
+3. gre_fb_xmit() or __gre6_xmit() processes these skb's:
+
+ gre_build_header(skb, tun_hlen,
+ flags, protocol,
+ tunnel_id_to_key32(tun_info->key.tun_id),
+ (flags & TUNNEL_SEQ) ? htonl(tunnel->o_seqno++)
+ : 0); ^^^^^^^^^^^^^^^^^
+
+Since we are not using the TX lock (&txq->_xmit_lock), multiple CPUs may
+try to do this tunnel->o_seqno++ in parallel, which is racy. Fix it by
+making o_seqno atomic_t.
+
+As mentioned by Eric Dumazet in commit b790e01aee74 ("ip_gre: lockless
+xmit"), making o_seqno atomic_t increases "chance for packets being out
+of order at receiver" when NETIF_F_LLTX is on.
+
+Maybe a better fix would be:
+
+1. Do not ignore "oseq" in external mode. Users MUST specify "oseq" if
+ they want the kernel to allow sequencing of outgoing packets;
+2. Reject all outgoing TUNNEL_SEQ packets if the device was not created
+ with "oseq".
+
+Unfortunately, that would break userspace.
+
+We could now make [IP6]GRE[TAP] devices always NETIF_F_LLTX, but let us
+do it in separate patches to keep this fix minimal.
+
+Suggested-by: Jakub Kicinski
+Fixes: 77a5196a804e ("gre: add sequence number for collect md mode.")
+Signed-off-by: Peilin Ye
+Acked-by: William Tu
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ include/net/ip6_tunnel.h | 2 +-
+ include/net/ip_tunnels.h | 2 +-
+ net/ipv4/ip_gre.c | 6 +++---
+ net/ipv6/ip6_gre.c | 7 ++++---
+ 4 files changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/include/net/ip6_tunnel.h b/include/net/ip6_tunnel.h
+index f594eb71c2746..c26b39a300000 100644
+--- a/include/net/ip6_tunnel.h
++++ b/include/net/ip6_tunnel.h
+@@ -57,7 +57,7 @@ struct ip6_tnl {
+
+ /* These fields used only by GRE */
+ __u32 i_seqno; /* The last seen seqno */
+- __u32 o_seqno; /* The last output seqno */
++ atomic_t o_seqno; /* The last output seqno */
+ int hlen; /* tun_hlen + encap_hlen */
+ int tun_hlen; /* Precalculated header length */
+ int encap_hlen; /* Encap header length (FOU,GUE) */
+diff --git a/include/net/ip_tunnels.h b/include/net/ip_tunnels.h
+index f8873c4eb003a..bc2ae8ce5bd45 100644
+--- a/include/net/ip_tunnels.h
++++ b/include/net/ip_tunnels.h
+@@ -113,7 +113,7 @@ struct ip_tunnel {
+
+ /* These four fields used only by GRE */
+ u32 i_seqno; /* The last seen seqno */
+- u32 o_seqno; /* The last output seqno */
++ atomic_t o_seqno; /* The last output seqno */
+ int tun_hlen; /* Precalculated header length */
+
+ /* These four fields used only by ERSPAN */
+diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
+index 898753328c171..e16373640f4c2 100644
+--- a/net/ipv4/ip_gre.c
++++ b/net/ipv4/ip_gre.c
+@@ -440,7 +440,7 @@ static void __gre_xmit(struct sk_buff *skb, struct net_device *dev,
+ /* Push GRE header. */
+ gre_build_header(skb, tunnel->tun_hlen,
+ flags, proto, tunnel->parms.o_key,
+- (flags & TUNNEL_SEQ) ? htonl(tunnel->o_seqno++) : 0);
++ (flags & TUNNEL_SEQ) ? htonl(atomic_fetch_inc(&tunnel->o_seqno)) : 0);
+
+ ip_tunnel_xmit(skb, dev, tnl_params, tnl_params->protocol);
+ }
+@@ -546,7 +546,7 @@ static void gre_fb_xmit(struct sk_buff *skb, struct net_device *dev,
+ (TUNNEL_CSUM | TUNNEL_KEY | TUNNEL_SEQ);
+ gre_build_header(skb, tunnel_hlen, flags, proto,
+ tunnel_id_to_key32(tun_info->key.tun_id),
+- (flags & TUNNEL_SEQ) ? htonl(tunnel->o_seqno++) : 0);
++ (flags & TUNNEL_SEQ) ? htonl(atomic_fetch_inc(&tunnel->o_seqno)) : 0);
+
+ df = key->tun_flags & TUNNEL_DONT_FRAGMENT ? htons(IP_DF) : 0;
+
+@@ -635,7 +635,7 @@ static void erspan_fb_xmit(struct sk_buff *skb, struct net_device *dev)
+ }
+
+ gre_build_header(skb, 8, TUNNEL_SEQ,
+- proto, 0, htonl(tunnel->o_seqno++));
++ proto, 0, htonl(atomic_fetch_inc(&tunnel->o_seqno)));
+
+ df = key->tun_flags & TUNNEL_DONT_FRAGMENT ? htons(IP_DF) : 0;
+
+diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
+index 749b2e5adcb0a..c74b4cf4b66a0 100644
+--- a/net/ipv6/ip6_gre.c
++++ b/net/ipv6/ip6_gre.c
+@@ -773,7 +773,7 @@ static netdev_tx_t __gre6_xmit(struct sk_buff *skb,
+ gre_build_header(skb, tun_hlen,
+ flags, protocol,
+ tunnel_id_to_key32(tun_info->key.tun_id),
+- (flags & TUNNEL_SEQ) ? htonl(tunnel->o_seqno++)
++ (flags & TUNNEL_SEQ) ? htonl(atomic_fetch_inc(&tunnel->o_seqno))
+ : 0);
+
+ } else {
+@@ -784,7 +784,8 @@ static netdev_tx_t __gre6_xmit(struct sk_buff *skb,
+
+ gre_build_header(skb, tunnel->tun_hlen, flags,
+ protocol, tunnel->parms.o_key,
+- (flags & TUNNEL_SEQ) ? htonl(tunnel->o_seqno++) : 0);
++ (flags & TUNNEL_SEQ) ? htonl(atomic_fetch_inc(&tunnel->o_seqno))
++ : 0);
+ }
+
+ return ip6_tnl_xmit(skb, dev, dsfield, fl6, encap_limit, pmtu,
+@@ -1066,7 +1067,7 @@ static netdev_tx_t ip6erspan_tunnel_xmit(struct sk_buff *skb,
+ /* Push GRE header. */
+ proto = (t->parms.erspan_ver == 1) ? htons(ETH_P_ERSPAN)
+ : htons(ETH_P_ERSPAN2);
+- gre_build_header(skb, 8, TUNNEL_SEQ, proto, 0, htonl(t->o_seqno++));
++ gre_build_header(skb, 8, TUNNEL_SEQ, proto, 0, htonl(atomic_fetch_inc(&t->o_seqno)));
+
+ /* TooBig packet may have updated dst->dev's mtu */
+ if (!t->parms.collect_md && dst && dst_mtu(dst) > dst->dev->mtu)
+-- 
+2.39.2
+
diff --git a/queue-4.19/media-netup_unidvb-fix-use-after-free-at-del_timer.patch b/queue-4.19/media-netup_unidvb-fix-use-after-free-at-del_timer.patch
new file mode 100644
index 00000000000..e7700548dfd
--- /dev/null
+++ b/queue-4.19/media-netup_unidvb-fix-use-after-free-at-del_timer.patch
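Review bot: In the ip_gre/ip6_gre o_seqno patch, the field comments in `struct ip6_tnl` and `struct ip_tunnel` still read `/* The last output seqno */`, but every writer in these hunks now uses `atomic_fetch_inc(&tunnel->o_seqno)`, which sends the current value and then advances it, so the field holds the next sequence number to send. I would change both comments to `/* Next output seqno; atomic because lockless (LLTX) xmit paths update it without the TX lock */`. The structs and the xmit functions continue outside the hunks; a leftover plain `o_seqno++` elsewhere in the 4.19 tree would fail to build against `atomic_t`, so building both GRE modules is a cheap check for this backport.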
@@ -0,0 +1,49 @@
+From 4b6cb554231a73ceb9597804133b01163b1b596b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 8 Mar 2023 12:55:14 +0000
+Subject: media: netup_unidvb: fix use-after-free at del_timer()
+
+From: Duoming Zhou
+
+[ Upstream commit 0f5bb36bf9b39a2a96e730bf4455095b50713f63 ]
+
+When Universal DVB card is detaching, netup_unidvb_dma_fini()
+uses del_timer() to stop dma->timeout timer. But when timer
+handler netup_unidvb_dma_timeout() is running, del_timer()
+could not stop it. As a result, the use-after-free bug could
+happen. The process is shown below:
+
+ (cleanup routine) | (timer routine)
+ | mod_timer(&dev->tx_sim_timer, ..)
+netup_unidvb_finidev() | (wait a time)
+ netup_unidvb_dma_fini() | netup_unidvb_dma_timeout()
+ del_timer(&dma->timeout); |
+ | ndev->pci_dev->dev //USE
+
+Fix by changing del_timer() to del_timer_sync().
+
+Link: https://lore.kernel.org/linux-media/20230308125514.4208-1-duoming@zju.edu.cn
+Fixes: 52b1eaf4c59a ("[media] netup_unidvb: NetUP Universal DVB-S/S2/T/T2/C PCI-E card driver")
+Signed-off-by: Duoming Zhou
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/pci/netup_unidvb/netup_unidvb_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/pci/netup_unidvb/netup_unidvb_core.c b/drivers/media/pci/netup_unidvb/netup_unidvb_core.c
+index de3fc62810e6c..0ead74c40a7b7 100644
+--- a/drivers/media/pci/netup_unidvb/netup_unidvb_core.c
++++ b/drivers/media/pci/netup_unidvb/netup_unidvb_core.c
+@@ -706,7 +706,7 @@ static void netup_unidvb_dma_fini(struct netup_unidvb_dev *ndev, int num)
+ netup_unidvb_dma_enable(dma, 0);
+ msleep(50);
+ cancel_work_sync(&dma->work);
+- del_timer(&dma->timeout);
++ del_timer_sync(&dma->timeout);
+ }
+
+ static int netup_unidvb_dma_setup(struct netup_unidvb_dev *ndev)
+-- 
+2.39.2
+
diff --git a/queue-4.19/net-bcmgenet-remove-phy_stop-from-bcmgenet_netif_sto.patch b/queue-4.19/net-bcmgenet-remove-phy_stop-from-bcmgenet_netif_sto.patch
new file mode 100644
index 00000000000..8c4a64ae4d8
--- /dev/null
+++ b/queue-4.19/net-bcmgenet-remove-phy_stop-from-bcmgenet_netif_sto.patch
@@ -0,0 +1,37 @@
+From 64edcedb81aee6a7b12ceff25b2b64592e42ca32 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 4 May 2023 16:07:27 -0700
+Subject: net: bcmgenet: Remove phy_stop() from bcmgenet_netif_stop()
+
+From: Florian Fainelli
+
+[ Upstream commit 93e0401e0fc0c54b0ac05b687cd135c2ac38187c ]
+
+The call to phy_stop() races with the later call to phy_disconnect(),
+resulting in concurrent phy_suspend() calls being run from different
+CPUs. The final call to phy_disconnect() ensures that the PHY is
+stopped and suspended, too.
+
+Fixes: c96e731c93ff ("net: bcmgenet: connect and disconnect from the PHY state machine")
+Signed-off-by: Florian Fainelli
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/broadcom/genet/bcmgenet.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+index 84bcb3ce00f73..b3dedd56a9882 100644
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+@@ -2995,7 +2995,6 @@ static void bcmgenet_netif_stop(struct net_device *dev)
+ /* Disable MAC transmit. TX DMA disabled must be done before this */
+ umac_enable_set(priv, CMD_TX_EN, false);
+
+- phy_stop(dev->phydev);
+ bcmgenet_disable_rx_napi(priv);
+ bcmgenet_intr_disable(priv);
+
+-- 
+2.39.2
+
diff --git a/queue-4.19/net-bcmgenet-restore-phy_stop-depending-upon-suspend.patch b/queue-4.19/net-bcmgenet-restore-phy_stop-depending-upon-suspend.patch
new file mode 100644
index 00000000000..ad24b3723d3
--- /dev/null
+++ b/queue-4.19/net-bcmgenet-restore-phy_stop-depending-upon-suspend.patch
@@ -0,0 +1,71 @@
+From 9fe4d29cc1cb397e78afe03a627558384f7303d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 14 May 2023 19:56:07 -0700
+Subject: net: bcmgenet: Restore phy_stop() depending upon suspend/close
+
+From: Florian Fainelli
+
+[ Upstream commit 225c657945c4a6307741cb3cc89467eadcc26e9b ]
+
+Removing the phy_stop() from bcmgenet_netif_stop() ended up causing
+warnings from the PHY library that phy_start() is called from the
+RUNNING state since we are no longer stopping the PHY state machine
+during bcmgenet_suspend().
+
+Restore the call to phy_stop() but make it conditional on being called
+from the close or suspend path.
+
+Fixes: c96e731c93ff ("net: bcmgenet: connect and disconnect from the PHY state machine")
+Fixes: 93e0401e0fc0 ("net: bcmgenet: Remove phy_stop() from bcmgenet_netif_stop()")
+Signed-off-by: Florian Fainelli
+Reviewed-by: Pavan Chebbi
+Link: https://lore.kernel.org/r/20230515025608.2587012-1-f.fainelli@gmail.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/broadcom/genet/bcmgenet.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+index b3dedd56a9882..d518577313145 100644
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+@@ -2980,7 +2980,7 @@ static int bcmgenet_open(struct net_device *dev)
+ return ret;
+ }
+
+-static void bcmgenet_netif_stop(struct net_device *dev)
++static void bcmgenet_netif_stop(struct net_device *dev, bool stop_phy)
+ {
+ struct bcmgenet_priv *priv = netdev_priv(dev);
+
+@@ -2995,6 +2995,8 @@ static void bcmgenet_netif_stop(struct net_device *dev)
+ /* Disable MAC transmit. TX DMA disabled must be done before this */
+ umac_enable_set(priv, CMD_TX_EN, false);
+
++ if (stop_phy)
++ phy_stop(dev->phydev);
+ bcmgenet_disable_rx_napi(priv);
+ bcmgenet_intr_disable(priv);
+
+@@ -3020,7 +3022,7 @@ static int bcmgenet_close(struct net_device *dev)
+
+ netif_dbg(priv, ifdown, dev, "bcmgenet_close\n");
+
+- bcmgenet_netif_stop(dev);
++ bcmgenet_netif_stop(dev, false);
+
+ /* Really kill the PHY state machine and disconnect from it */
+ phy_disconnect(dev->phydev);
+@@ -3720,7 +3722,7 @@ static int bcmgenet_suspend(struct device *d)
+
+ netif_device_detach(dev);
+
+- bcmgenet_netif_stop(dev);
++ bcmgenet_netif_stop(dev, true);
+
+ if (!device_may_wakeup(d))
+ phy_suspend(dev->phydev);
+-- 
+2.39.2
+
diff --git a/queue-4.19/net-fec-better-handle-pm_runtime_get-failing-in-.rem.patch b/queue-4.19/net-fec-better-handle-pm_runtime_get-failing-in-.rem.patch
new file mode 100644
index 00000000000..1aeb0dfca32
--- /dev/null
+++ b/queue-4.19/net-fec-better-handle-pm_runtime_get-failing-in-.rem.patch
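Review bot: In the bcmgenet "Restore phy_stop()" patch, the new `bool stop_phy` parameter of `bcmgenet_netif_stop()` is undocumented, and the call sites `bcmgenet_netif_stop(dev, false)` in `bcmgenet_close()` and `bcmgenet_netif_stop(dev, true)` in `bcmgenet_suspend()` do not say why they differ. A comment above the new conditional would keep the two PHY-stop fixes from being undone by a later cleanup, e.g. `/* close: the following phy_disconnect() stops the PHY; suspend: stop it here so phy_start() on resume is not called from RUNNING */`. The function body continues outside the hunk.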
@@ -0,0 +1,64 @@
+From 6a61b40db6a0fd090028235aee6e1811ec63a4b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 10 May 2023 22:00:20 +0200
+Subject: net: fec: Better handle pm_runtime_get() failing in .remove()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König
+
+[ Upstream commit f816b9829b19394d318e01953aa3b2721bca040d ]
+
+In the (unlikely) event that pm_runtime_get() (disguised as
+pm_runtime_resume_and_get()) fails, the remove callback returned an
+error early. The problem with this is that the driver core ignores the
+error value and continues removing the device. This results in a
+resource leak. Worse the devm allocated resources are freed and so if a
+callback of the driver is called later the register mapping is already
+gone which probably results in a crash.
+
+Fixes: a31eda65ba21 ("net: fec: fix clock count mis-match")
+Signed-off-by: Uwe Kleine-König
+Reviewed-by: Andrew Lunn
+Link: https://lore.kernel.org/r/20230510200020.1534610-1-u.kleine-koenig@pengutronix.de
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/freescale/fec_main.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c
+index e97ab9545a792..e4162c2271e3f 100644
+--- a/drivers/net/ethernet/freescale/fec_main.c
++++ b/drivers/net/ethernet/freescale/fec_main.c
+@@ -3721,7 +3721,9 @@ fec_drv_remove(struct platform_device *pdev)
+
+ ret = pm_runtime_get_sync(&pdev->dev);
+ if (ret < 0)
+- return ret;
++ dev_err(&pdev->dev,
++ "Failed to resume device in remove callback (%pe)\n",
++ ERR_PTR(ret));
+
+ cancel_work_sync(&fep->tx_timeout_work);
+ fec_ptp_stop(pdev);
+@@ -3734,8 +3736,13 @@ fec_drv_remove(struct platform_device *pdev)
+ of_phy_deregister_fixed_link(np);
+ of_node_put(fep->phy_node);
+
+- clk_disable_unprepare(fep->clk_ahb);
+- clk_disable_unprepare(fep->clk_ipg);
++ /* After pm_runtime_get_sync() failed, the clks are still off, so skip
++ * disabling them again.
++ */
++ if (ret >= 0) {
++ clk_disable_unprepare(fep->clk_ahb);
++ clk_disable_unprepare(fep->clk_ipg);
++ }
+ pm_runtime_put_noidle(&pdev->dev);
+ pm_runtime_disable(&pdev->dev);
+
+-- 
+2.39.2
+
diff --git a/queue-4.19/net-nsh-use-correct-mac_offset-to-unwind-gso-skb-in-.patch b/queue-4.19/net-nsh-use-correct-mac_offset-to-unwind-gso-skb-in-.patch
new file mode 100644
index 00000000000..105678e5b0a
--- /dev/null
+++ b/queue-4.19/net-nsh-use-correct-mac_offset-to-unwind-gso-skb-in-.patch
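Review bot: In the fec patch, the added `dev_err()` in `fec_drv_remove()` formats the error with `%pe` and `ERR_PTR(ret)`; as far as I know printk only gained `%pe` well after 4.19, so on this tree the message would likely print a hashed pointer value instead of the error code. For the 4.19 queue I would print the integer directly: `"Failed to resume device in remove callback (%d)\n", ret`. The rest of the change (continuing teardown after a failed resume and skipping `clk_disable_unprepare()` when `ret < 0`) is consistent with the commit message; the function continues outside both hunks.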
@@ -0,0 +1,101 @@
+From ef0f225a206707f33dc84bbeca5ab74ccb5e68ab Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 11 May 2023 20:54:40 +0800
+Subject: net: nsh: Use correct mac_offset to unwind gso skb in
+ nsh_gso_segment()
+
+From: Dong Chenchen
+
+[ Upstream commit c83b49383b595be50647f0c764a48c78b5f3c4f8 ]
+
+As the call trace shows, skb_panic was caused by wrong skb->mac_header
+in nsh_gso_segment():
+
+invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
+CPU: 3 PID: 2737 Comm: syz Not tainted 6.3.0-next-20230505 #1
+RIP: 0010:skb_panic+0xda/0xe0
+call Trace:
+ skb_push+0x91/0xa0
+ nsh_gso_segment+0x4f3/0x570
+ skb_mac_gso_segment+0x19e/0x270
+ __skb_gso_segment+0x1e8/0x3c0
+ validate_xmit_skb+0x452/0x890
+ validate_xmit_skb_list+0x99/0xd0
+ sch_direct_xmit+0x294/0x7c0
+ __dev_queue_xmit+0x16f0/0x1d70
+ packet_xmit+0x185/0x210
+ packet_snd+0xc15/0x1170
+ packet_sendmsg+0x7b/0xa0
+ sock_sendmsg+0x14f/0x160
+
+The root cause is:
+nsh_gso_segment() use skb->network_header - nhoff to reset mac_header
+in skb_gso_error_unwind() if inner-layer protocol gso fails.
+However, skb->network_header may be reset by inner-layer protocol
+gso function e.g. mpls_gso_segment. skb->mac_header reset by the
+inaccurate network_header will be larger than skb headroom.
+
+nsh_gso_segment
+ nhoff = skb->network_header - skb->mac_header;
+ __skb_pull(skb,nsh_len)
+ skb_mac_gso_segment
+ mpls_gso_segment
+ skb_reset_network_header(skb);//skb->network_header+=nsh_len
+ return -EINVAL;
+ skb_gso_error_unwind
+ skb_push(skb, nsh_len);
+ skb->mac_header = skb->network_header - nhoff;
+ // skb->mac_header > skb->headroom, cause skb_push panic
+
+Use correct mac_offset to restore mac_header and get rid of nhoff.
+
+Fixes: c411ed854584 ("nsh: add GSO support")
+Reported-by: syzbot+632b5d9964208bfef8c0@syzkaller.appspotmail.com
+Suggested-by: Eric Dumazet
+Signed-off-by: Dong Chenchen
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/nsh/nsh.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/net/nsh/nsh.c b/net/nsh/nsh.c
+index 1a30e165eeb4f..a5fa25555d7eb 100644
+--- a/net/nsh/nsh.c
++++ b/net/nsh/nsh.c
+@@ -80,13 +80,12 @@ static struct sk_buff *nsh_gso_segment(struct sk_buff *skb,
+ netdev_features_t features)
+ {
+ struct sk_buff *segs = ERR_PTR(-EINVAL);
++ u16 mac_offset = skb->mac_header;
+ unsigned int nsh_len, mac_len;
+ __be16 proto;
+- int nhoff;
+
+ skb_reset_network_header(skb);
+
+- nhoff = skb->network_header - skb->mac_header;
+ mac_len = skb->mac_len;
+
+ if (unlikely(!pskb_may_pull(skb, NSH_BASE_HDR_LEN)))
+@@ -111,15 +110,14 @@ static struct sk_buff *nsh_gso_segment(struct sk_buff *skb,
+ segs = skb_mac_gso_segment(skb, features);
+ if (IS_ERR_OR_NULL(segs)) {
+ skb_gso_error_unwind(skb, htons(ETH_P_NSH), nsh_len,
+- skb->network_header - nhoff,
+- mac_len);
++ mac_offset, mac_len);
+ goto out;
+ }
+
+ for (skb = segs; skb; skb = skb->next) {
+ skb->protocol = htons(ETH_P_NSH);
+ __skb_push(skb, nsh_len);
+- skb_set_mac_header(skb, -nhoff);
++ skb->mac_header = mac_offset;
+ skb->network_header = skb->mac_header + mac_len;
+ skb->mac_len = mac_len;
+ }
+-- 
+2.39.2
+
diff --git a/queue-4.19/serial-arc_uart-fix-of_iomap-leak-in-arc_serial_prob.patch b/queue-4.19/serial-arc_uart-fix-of_iomap-leak-in-arc_serial_prob.patch
new file mode 100644
index 00000000000..b0e8987fef4
--- /dev/null
+++ b/queue-4.19/serial-arc_uart-fix-of_iomap-leak-in-arc_serial_prob.patch
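Review bot: In the nsh patch, `mac_offset` in `nsh_gso_segment()` is captured before any header is touched and later written back verbatim, but nothing in the code says why the offset has to be saved rather than recomputed. A one-line comment at the declaration would protect the fix, e.g. `/* save now: inner GSO handlers may reset network_header, so mac_header cannot be derived from it afterwards */`. The same saved value is assigned to every segment in the `for (skb = segs; ...)` loop, which assumes each segment keeps the head layout of the original skb; that is not visible in these hunks and is worth confirming against the 4.19 segmentation code.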
@@ -0,0 +1,51 @@
+From a0f4b9a7b10656984bed2eb3322d550c6fb6e07e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 28 Apr 2023 11:16:36 +0800
+Subject: serial: arc_uart: fix of_iomap leak in `arc_serial_probe`
+
+From: Ke Zhang
+
+[ Upstream commit 8ab5fc55d7f65d58a3c3aeadf11bdf60267cd2bd ]
+
+Smatch reports:
+
+drivers/tty/serial/arc_uart.c:631 arc_serial_probe() warn:
+'port->membase' from of_iomap() not released on lines: 631.
+
+In arc_serial_probe(), if uart_add_one_port() fails,
+port->membase is not released, which would cause a resource leak.
+
+To fix this, I replace of_iomap with devm_platform_ioremap_resource.
+
+Fixes: 8dbe1d5e09a7 ("serial/arc: inline the probe helper")
+Signed-off-by: Ke Zhang
+Reviewed-by: Dongliang Mu
+Link: https://lore.kernel.org/r/20230428031636.44642-1-m202171830@hust.edu.cn
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/tty/serial/arc_uart.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/tty/serial/arc_uart.c b/drivers/tty/serial/arc_uart.c
+index d904a3a345e74..dd4be3c8c049c 100644
+--- a/drivers/tty/serial/arc_uart.c
++++ b/drivers/tty/serial/arc_uart.c
+@@ -613,10 +613,11 @@ static int arc_serial_probe(struct platform_device *pdev)
+ }
+ uart->baud = val;
+
+- port->membase = of_iomap(np, 0);
+- if (!port->membase)
++ port->membase = devm_platform_ioremap_resource(pdev, 0);
++ if (IS_ERR(port->membase)) {
+ /* No point of dev_err since UART itself is hosed here */
+- return -ENXIO;
++ return PTR_ERR(port->membase);
++ }
+
+ port->irq = irq_of_parse_and_map(np, 0);
+
+-- 
+2.39.2
+
diff --git a/queue-4.19/series b/queue-4.19/series
index 2f51dff63f0..0ad0aae38a2 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
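Review bot: In the arc_uart patch, switching `arc_serial_probe()` from `of_iomap()` to `devm_platform_ioremap_resource()` changes more than the leak: the devm helper normally also reserves the memory region, so probe can now fail, with a different errno than the old `-ENXIO`, if something else has already claimed the UART registers. That is probably acceptable, but it is a behaviour change for a stable tree and deserves a line in the backport notes. The helper comes from `drivers-provide-devm_platform_ioremap_resource.patch`, which the series file lists before this patch, so the ordering is right. The function continues outside the hunk.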
@@ -46,3 +46,21 @@ phy-st-miphy28lp-use-_poll_timeout-functions-for-wai.patch
 mfd-dln2-fix-memory-leak-in-dln2_probe.patch
 btrfs-replace-calls-to-btrfs_find_free_ino-with-btrf.patch
 btrfs-fix-space-cache-inconsistency-after-error-load.patch
+cpupower-make-tsc-read-per-cpu-for-mperf-monitor.patch
+af_key-reject-optional-tunnel-beet-mode-templates-in.patch
+net-fec-better-handle-pm_runtime_get-failing-in-.rem.patch
+vsock-avoid-to-close-connected-socket-after-the-time.patch
+drivers-provide-devm_platform_ioremap_resource.patch
+serial-arc_uart-fix-of_iomap-leak-in-arc_serial_prob.patch
+ip6_gre-fix-skb_under_panic-in-__gre6_xmit.patch
+ip6_gre-make-o_seqno-start-from-0-in-native-mode.patch
+ip_gre-ip6_gre-fix-race-condition-on-o_seqno-in-coll.patch
+erspan-get-the-proto-with-the-md-version-for-collect.patch
+media-netup_unidvb-fix-use-after-free-at-del_timer.patch
+drm-exynos-fix-g2d_open-close-helper-function-defini.patch
+net-nsh-use-correct-mac_offset-to-unwind-gso-skb-in-.patch
+net-bcmgenet-remove-phy_stop-from-bcmgenet_netif_sto.patch
+net-bcmgenet-restore-phy_stop-depending-upon-suspend.patch
+cassini-fix-a-memory-leak-in-the-error-handling-path.patch
+igb-fix-bit_shift-to-be-in-1.8-range.patch
+vlan-fix-a-potential-uninit-value-in-vlan_dev_hard_s.patch
diff --git a/queue-4.19/vlan-fix-a-potential-uninit-value-in-vlan_dev_hard_s.patch b/queue-4.19/vlan-fix-a-potential-uninit-value-in-vlan_dev_hard_s.patch
new file mode 100644
index 00000000000..e881cf83688
--- /dev/null
+++ b/queue-4.19/vlan-fix-a-potential-uninit-value-in-vlan_dev_hard_s.patch
@@ -0,0 +1,93 @@
+From c472b1dab7c7ae5f1d3d50cc5c8430e4e69003ea Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 16 May 2023 14:23:42 +0000
+Subject: vlan: fix a potential uninit-value in vlan_dev_hard_start_xmit()
+
+From: Eric Dumazet
+
+[ Upstream commit dacab578c7c6cd06c50c89dfa36b0e0f10decd4e ]
+
+syzbot triggered the following splat [1], sending an empty message
+through pppoe_sendmsg().
+
+When VLAN_FLAG_REORDER_HDR flag is set, vlan_dev_hard_header()
+does not push extra bytes for the VLAN header, because vlan is offloaded.
+
+Unfortunately vlan_dev_hard_start_xmit() first reads veth->h_vlan_proto
+before testing (vlan->flags & VLAN_FLAG_REORDER_HDR).
+
+We need to swap the two conditions.
+
+[1]
+BUG: KMSAN: uninit-value in vlan_dev_hard_start_xmit+0x171/0x7f0 net/8021q/vlan_dev.c:111
+vlan_dev_hard_start_xmit+0x171/0x7f0 net/8021q/vlan_dev.c:111
+__netdev_start_xmit include/linux/netdevice.h:4883 [inline]
+netdev_start_xmit include/linux/netdevice.h:4897 [inline]
+xmit_one net/core/dev.c:3580 [inline]
+dev_hard_start_xmit+0x253/0xa20 net/core/dev.c:3596
+__dev_queue_xmit+0x3c7f/0x5ac0 net/core/dev.c:4246
+dev_queue_xmit include/linux/netdevice.h:3053 [inline]
+pppoe_sendmsg+0xa93/0xb80 drivers/net/ppp/pppoe.c:900
+sock_sendmsg_nosec net/socket.c:724 [inline]
+sock_sendmsg net/socket.c:747 [inline]
+____sys_sendmsg+0xa24/0xe40 net/socket.c:2501
+___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2555
+__sys_sendmmsg+0x411/0xa50 net/socket.c:2641
+__do_sys_sendmmsg net/socket.c:2670 [inline]
+__se_sys_sendmmsg net/socket.c:2667 [inline]
+__x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2667
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Uninit was created at:
+slab_post_alloc_hook+0x12d/0xb60 mm/slab.h:774
+slab_alloc_node mm/slub.c:3452 [inline]
+kmem_cache_alloc_node+0x543/0xab0 mm/slub.c:3497
+kmalloc_reserve+0x148/0x470 net/core/skbuff.c:520
+__alloc_skb+0x3a7/0x850 net/core/skbuff.c:606
+alloc_skb include/linux/skbuff.h:1277 [inline]
+sock_wmalloc+0xfe/0x1a0 net/core/sock.c:2583
+pppoe_sendmsg+0x3af/0xb80 drivers/net/ppp/pppoe.c:867
+sock_sendmsg_nosec net/socket.c:724 [inline]
+sock_sendmsg net/socket.c:747 [inline]
+____sys_sendmsg+0xa24/0xe40 net/socket.c:2501
+___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2555
+__sys_sendmmsg+0x411/0xa50 net/socket.c:2641
+__do_sys_sendmmsg net/socket.c:2670 [inline]
+__se_sys_sendmmsg net/socket.c:2667 [inline]
+__x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2667
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+CPU: 0 PID: 29770 Comm: syz-executor.0 Not tainted 6.3.0-rc6-syzkaller-gc478e5b17829 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/30/2023
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: syzbot
+Signed-off-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/8021q/vlan_dev.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c
+index c80add6edf598..ba9b8980f100d 100644
+--- a/net/8021q/vlan_dev.c
++++ b/net/8021q/vlan_dev.c
+@@ -115,8 +115,8 @@ static netdev_tx_t vlan_dev_hard_start_xmit(struct sk_buff *skb,
+ * NOTE: THIS ASSUMES DIX ETHERNET, SPECIFICALLY NOT SUPPORTING
+ * OTHER THINGS LIKE FDDI/TokenRing/802.3 SNAPs...
+ */
+- if (veth->h_vlan_proto != vlan->vlan_proto ||
+- vlan->flags & VLAN_FLAG_REORDER_HDR) {
++ if (vlan->flags & VLAN_FLAG_REORDER_HDR ||
++ veth->h_vlan_proto != vlan->vlan_proto) {
+ u16 vlan_tci;
+ vlan_tci = vlan->vlan_id;
+ vlan_tci |= vlan_dev_get_egress_qos_mask(dev, skb->priority);
+-- 
+2.39.2
+
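Review bot: In the vlan patch, the order of the two operands in `vlan_dev_hard_start_xmit()` is now what prevents the uninitialised read of `veth->h_vlan_proto`, but the condition carries no comment and no parentheses, so a later cleanup could swap it back. I would write the first line as `if ((vlan->flags & VLAN_FLAG_REORDER_HDR) ||` and add `/* test REORDER_HDR first: with it set no VLAN header was pushed, so veth may point at uninitialised bytes */` above it. When the flag is clear the read still happens and relies on `vlan_dev_hard_header()` having pushed the header, which is outside this hunk.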
diff --git a/queue-4.19/vsock-avoid-to-close-connected-socket-after-the-time.patch b/queue-4.19/vsock-avoid-to-close-connected-socket-after-the-time.patch
new file mode 100644
index 00000000000..cf792050d2d
--- /dev/null
+++ b/queue-4.19/vsock-avoid-to-close-connected-socket-after-the-time.patch
@@ -0,0 +1,54 @@
+From e87accac7e6266a446e8d1cc2fef61a742637d7e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 11 May 2023 19:34:30 +0800
+Subject: vsock: avoid to close connected socket after the timeout
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Zhuang Shengen
+
+[ Upstream commit 6d4486efe9c69626cab423456169e250a5cd3af5 ]
+
+When client and server establish a connection through vsock,
+the client send a request to the server to initiate the connection,
+then start a timer to wait for the server's response. When the server's
+RESPONSE message arrives, the timer also times out and exits. The
+server's RESPONSE message is processed first, and the connection is
+established. However, the client's timer also times out, the original
+processing logic of the client is to directly set the state of this vsock
+to CLOSE and return ETIMEDOUT. It will not notify the server when the port
+is released, causing the server port remain.
+when client's vsock_connect timeout,it should check sk state is
+ESTABLISHED or not. if sk state is ESTABLISHED, it means the connection
+is established, the client should not set the sk state to CLOSE
+
+Note: I encountered this issue on kernel-4.18, which can be fixed by
+this patch. Then I checked the latest code in the community
+and found similar issue.
+
+Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
+Signed-off-by: Zhuang Shengen
+Reviewed-by: Stefano Garzarella
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/vmw_vsock/af_vsock.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
+index d55a47858d6d3..0dfa2dfcb4bcb 100644
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -1240,7 +1240,7 @@ static int vsock_stream_connect(struct socket *sock, struct sockaddr *addr,
+ vsock_transport_cancel_pkt(vsk);
+ vsock_remove_connected(vsk);
+ goto out_wait;
+- } else if (timeout == 0) {
++ } else if ((sk->sk_state != TCP_ESTABLISHED) && (timeout == 0)) {
+ err = -ETIMEDOUT;
+ sk->sk_state = TCP_CLOSE;
+ sock->state = SS_UNCONNECTED;
+-- 
+2.39.2
+
-- 
2.47.3
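Review bot: In the vsock patch, only the timeout branch of `vsock_stream_connect()` gains the `sk->sk_state != TCP_ESTABLISHED` check; the branch directly above it, whose tail (`vsock_transport_cancel_pkt(vsk); vsock_remove_connected(vsk); goto out_wait;`) is this hunk's context, starts outside the hunk and may have the same window if the connection completes just as that branch fires. It is worth confirming in the 4.19 source whether that branch also forces the socket closed once it is already established. A short comment on the new condition would help as well, e.g. `/* the RESPONSE may have been processed just before the timer expired; keep an established socket */`.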