]> git.ipfire.org Git - thirdparty/kernel/stable-queue.git/commitdiff
5.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 2 Feb 2021 13:19:55 +0000 (14:19 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 2 Feb 2021 13:19:55 +0000 (14:19 +0100)
added patches:
asoc-mediatek-mt8183-da7219-ignore-tdm-dai-link-by-default.patch
asoc-mediatek-mt8183-mt6358-ignore-tdm-dai-link-by-default.patch
asoc-topology-fix-memory-corruption-in-soc_tplg_denum_create_values.patch
asoc-topology-properly-unregister-dai-on-removal.patch
nfc-fix-possible-resource-leak.patch
nfc-fix-resource-leak-when-target-index-is-invalid.patch
rxrpc-fix-memory-leak-in-rxrpc_lookup_local.patch
scsi-qla2xxx-fix-description-for-parameter-ql2xenforce_iocb_limit.patch
tcp-fix-tlp-timer-not-set-when-ca_state-changes-from-disorder-to-open.patch
tcp-make-tcp_user_timeout-accurate-for-zero-window-probes.patch
team-protect-features-update-by-rcu-to-avoid-deadlock.patch

12 files changed:
queue-5.10/asoc-mediatek-mt8183-da7219-ignore-tdm-dai-link-by-default.patch [new file with mode: 0644]
queue-5.10/asoc-mediatek-mt8183-mt6358-ignore-tdm-dai-link-by-default.patch [new file with mode: 0644]
queue-5.10/asoc-topology-fix-memory-corruption-in-soc_tplg_denum_create_values.patch [new file with mode: 0644]
queue-5.10/asoc-topology-properly-unregister-dai-on-removal.patch [new file with mode: 0644]
queue-5.10/nfc-fix-possible-resource-leak.patch [new file with mode: 0644]
queue-5.10/nfc-fix-resource-leak-when-target-index-is-invalid.patch [new file with mode: 0644]
queue-5.10/rxrpc-fix-memory-leak-in-rxrpc_lookup_local.patch [new file with mode: 0644]
queue-5.10/scsi-qla2xxx-fix-description-for-parameter-ql2xenforce_iocb_limit.patch [new file with mode: 0644]
queue-5.10/series
queue-5.10/tcp-fix-tlp-timer-not-set-when-ca_state-changes-from-disorder-to-open.patch [new file with mode: 0644]
queue-5.10/tcp-make-tcp_user_timeout-accurate-for-zero-window-probes.patch [new file with mode: 0644]
queue-5.10/team-protect-features-update-by-rcu-to-avoid-deadlock.patch [new file with mode: 0644]

diff --git a/queue-5.10/asoc-mediatek-mt8183-da7219-ignore-tdm-dai-link-by-default.patch b/queue-5.10/asoc-mediatek-mt8183-da7219-ignore-tdm-dai-link-by-default.patch
new file mode 100644 (file)
index 0000000..c9b6460
--- /dev/null
@@ -0,0 +1,44 @@
+From 4d36ed8eb0f749c9e781e0d3b041a7adeedcdaa9 Mon Sep 17 00:00:00 2001
+From: Tzung-Bi Shih <tzungbi@google.com>
+Date: Wed, 20 Jan 2021 17:22:37 +0800
+Subject: ASoC: mediatek: mt8183-da7219: ignore TDM DAI link by default
+
+From: Tzung-Bi Shih <tzungbi@google.com>
+
+commit 4d36ed8eb0f749c9e781e0d3b041a7adeedcdaa9 upstream.
+
+hdmi-codec is an optional property.  Ignore to bind TDM DAI link
+if the property isn't specified.
+
+Fixes: 5bdbe9771177 ("ASoC: mediatek: mt8183-da7219: use hdmi-codec")
+Signed-off-by: Tzung-Bi Shih <tzungbi@google.com>
+Link: https://lore.kernel.org/r/20210120092237.1553938-3-tzungbi@google.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/mediatek/mt8183/mt8183-da7219-max98357.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/sound/soc/mediatek/mt8183/mt8183-da7219-max98357.c
++++ b/sound/soc/mediatek/mt8183/mt8183-da7219-max98357.c
+@@ -532,6 +532,7 @@ static struct snd_soc_dai_link mt8183_da
+               .dpcm_playback = 1,
+               .ignore_suspend = 1,
+               .be_hw_params_fixup = mt8183_i2s_hw_params_fixup,
++              .ignore = 1,
+               .init = mt8183_da7219_max98357_hdmi_init,
+               SND_SOC_DAILINK_REG(tdm),
+       },
+@@ -754,8 +755,10 @@ static int mt8183_da7219_max98357_dev_pr
+                       }
+               }
+-              if (hdmi_codec && strcmp(dai_link->name, "TDM") == 0)
++              if (hdmi_codec && strcmp(dai_link->name, "TDM") == 0) {
+                       dai_link->codecs->of_node = hdmi_codec;
++                      dai_link->ignore = 0;
++              }
+               if (!dai_link->platforms->name)
+                       dai_link->platforms->of_node = platform_node;
diff --git a/queue-5.10/asoc-mediatek-mt8183-mt6358-ignore-tdm-dai-link-by-default.patch b/queue-5.10/asoc-mediatek-mt8183-mt6358-ignore-tdm-dai-link-by-default.patch
new file mode 100644 (file)
index 0000000..1a81664
--- /dev/null
@@ -0,0 +1,44 @@
+From 5ac154443e686b06242aa49de30a12b74ea9ca98 Mon Sep 17 00:00:00 2001
+From: Tzung-Bi Shih <tzungbi@google.com>
+Date: Wed, 20 Jan 2021 17:22:36 +0800
+Subject: ASoC: mediatek: mt8183-mt6358: ignore TDM DAI link by default
+
+From: Tzung-Bi Shih <tzungbi@google.com>
+
+commit 5ac154443e686b06242aa49de30a12b74ea9ca98 upstream.
+
+hdmi-codec is an optional property.  Ignore to bind TDM DAI link
+if the property isn't specified.
+
+Fixes: f2024dc55fcb ("ASoC: mediatek: mt8183: use hdmi-codec")
+Signed-off-by: Tzung-Bi Shih <tzungbi@google.com>
+Link: https://lore.kernel.org/r/20210120092237.1553938-2-tzungbi@google.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/mediatek/mt8183/mt8183-mt6358-ts3a227-max98357.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/sound/soc/mediatek/mt8183/mt8183-mt6358-ts3a227-max98357.c
++++ b/sound/soc/mediatek/mt8183/mt8183-mt6358-ts3a227-max98357.c
+@@ -515,6 +515,7 @@ static struct snd_soc_dai_link mt8183_mt
+               .ignore_suspend = 1,
+               .be_hw_params_fixup = mt8183_i2s_hw_params_fixup,
+               .ops = &mt8183_mt6358_tdm_ops,
++              .ignore = 1,
+               .init = mt8183_mt6358_ts3a227_max98357_hdmi_init,
+               SND_SOC_DAILINK_REG(tdm),
+       },
+@@ -661,8 +662,10 @@ mt8183_mt6358_ts3a227_max98357_dev_probe
+                                                   SND_SOC_DAIFMT_CBM_CFM;
+               }
+-              if (hdmi_codec && strcmp(dai_link->name, "TDM") == 0)
++              if (hdmi_codec && strcmp(dai_link->name, "TDM") == 0) {
+                       dai_link->codecs->of_node = hdmi_codec;
++                      dai_link->ignore = 0;
++              }
+               if (!dai_link->platforms->name)
+                       dai_link->platforms->of_node = platform_node;
diff --git a/queue-5.10/asoc-topology-fix-memory-corruption-in-soc_tplg_denum_create_values.patch b/queue-5.10/asoc-topology-fix-memory-corruption-in-soc_tplg_denum_create_values.patch
new file mode 100644 (file)
index 0000000..d68ce38
--- /dev/null
@@ -0,0 +1,34 @@
+From 543466ef3571069b8eb13a8ff7c7cfc8d8a75c43 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 20 Jan 2021 12:59:13 +0300
+Subject: ASoC: topology: Fix memory corruption in soc_tplg_denum_create_values()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 543466ef3571069b8eb13a8ff7c7cfc8d8a75c43 upstream.
+
+The allocation uses sizeof(u32) when it should use sizeof(unsigned long)
+so it leads to memory corruption later in the function when the data is
+initialized.
+
+Fixes: 5aebe7c7f9c2 ("ASoC: topology: fix endianness issues")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Link: https://lore.kernel.org/r/YAf+8QZoOv+ct526@mwanda
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/soc-topology.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/soc/soc-topology.c
++++ b/sound/soc/soc-topology.c
+@@ -987,7 +987,7 @@ static int soc_tplg_denum_create_values(
+               return -EINVAL;
+       se->dobj.control.dvalues = kzalloc(le32_to_cpu(ec->items) *
+-                                         sizeof(u32),
++                                         sizeof(*se->dobj.control.dvalues),
+                                          GFP_KERNEL);
+       if (!se->dobj.control.dvalues)
+               return -ENOMEM;
diff --git a/queue-5.10/asoc-topology-properly-unregister-dai-on-removal.patch b/queue-5.10/asoc-topology-properly-unregister-dai-on-removal.patch
new file mode 100644 (file)
index 0000000..f94e105
--- /dev/null
@@ -0,0 +1,69 @@
+From fc4cb1e15f0c66f2e37314349dc4a82bd946fbb1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Amadeusz=20S=C5=82awi=C5=84ski?=
+ <amadeuszx.slawinski@linux.intel.com>
+Date: Wed, 20 Jan 2021 16:28:42 +0100
+Subject: ASoC: topology: Properly unregister DAI on removal
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
+
+commit fc4cb1e15f0c66f2e37314349dc4a82bd946fbb1 upstream.
+
+DAIs need to be removed when topology unload function is called (usually
+done when component is being removed). We can't do this when device is
+being removed, as structures we operate on when removing DAI can already
+be freed.
+
+Fixes: 6ae4902f2f34 ("ASoC: soc-topology: use devm_snd_soc_register_dai()")
+Signed-off-by: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
+Tested-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Link: https://lore.kernel.org/r/20210120152846.1703655-2-amadeuszx.slawinski@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/soc-topology.c |    9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/sound/soc/soc-topology.c
++++ b/sound/soc/soc-topology.c
+@@ -506,7 +506,7 @@ static void remove_dai(struct snd_soc_co
+ {
+       struct snd_soc_dai_driver *dai_drv =
+               container_of(dobj, struct snd_soc_dai_driver, dobj);
+-      struct snd_soc_dai *dai;
++      struct snd_soc_dai *dai, *_dai;
+       if (pass != SOC_TPLG_PASS_PCM_DAI)
+               return;
+@@ -514,9 +514,9 @@ static void remove_dai(struct snd_soc_co
+       if (dobj->ops && dobj->ops->dai_unload)
+               dobj->ops->dai_unload(comp, dobj);
+-      for_each_component_dais(comp, dai)
++      for_each_component_dais_safe(comp, dai, _dai)
+               if (dai->driver == dai_drv)
+-                      dai->driver = NULL;
++                      snd_soc_unregister_dai(dai);
+       kfree(dai_drv->playback.stream_name);
+       kfree(dai_drv->capture.stream_name);
+@@ -1876,7 +1876,7 @@ static int soc_tplg_dai_create(struct so
+       list_add(&dai_drv->dobj.list, &tplg->comp->dobj_list);
+       /* register the DAI to the component */
+-      dai = devm_snd_soc_register_dai(tplg->comp->dev, tplg->comp, dai_drv, false);
++      dai = snd_soc_register_dai(tplg->comp, dai_drv, false);
+       if (!dai)
+               return -ENOMEM;
+@@ -1884,6 +1884,7 @@ static int soc_tplg_dai_create(struct so
+       ret = snd_soc_dapm_new_dai_widgets(dapm, dai);
+       if (ret != 0) {
+               dev_err(dai->dev, "Failed to create DAI widgets %d\n", ret);
++              snd_soc_unregister_dai(dai);
+               return ret;
+       }
diff --git a/queue-5.10/nfc-fix-possible-resource-leak.patch b/queue-5.10/nfc-fix-possible-resource-leak.patch
new file mode 100644 (file)
index 0000000..efa3e6a
--- /dev/null
@@ -0,0 +1,32 @@
+From d8f923c3ab96dbbb4e3c22d1afc1dc1d3b195cd8 Mon Sep 17 00:00:00 2001
+From: Pan Bian <bianpan2016@163.com>
+Date: Thu, 21 Jan 2021 07:37:45 -0800
+Subject: NFC: fix possible resource leak
+
+From: Pan Bian <bianpan2016@163.com>
+
+commit d8f923c3ab96dbbb4e3c22d1afc1dc1d3b195cd8 upstream.
+
+Put the device to avoid resource leak on path that the polling flag is
+invalid.
+
+Fixes: a831b9132065 ("NFC: Do not return EBUSY when stopping a poll that's already stopped")
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Link: https://lore.kernel.org/r/20210121153745.122184-1-bianpan2016@163.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/nfc/netlink.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/nfc/netlink.c
++++ b/net/nfc/netlink.c
+@@ -852,6 +852,7 @@ static int nfc_genl_stop_poll(struct sk_
+       if (!dev->polling) {
+               device_unlock(&dev->dev);
++              nfc_put_device(dev);
+               return -EINVAL;
+       }
diff --git a/queue-5.10/nfc-fix-resource-leak-when-target-index-is-invalid.patch b/queue-5.10/nfc-fix-resource-leak-when-target-index-is-invalid.patch
new file mode 100644 (file)
index 0000000..9baa9fd
--- /dev/null
@@ -0,0 +1,33 @@
+From 3a30537cee233fb7da302491b28c832247d89bbe Mon Sep 17 00:00:00 2001
+From: Pan Bian <bianpan2016@163.com>
+Date: Thu, 21 Jan 2021 07:27:48 -0800
+Subject: NFC: fix resource leak when target index is invalid
+
+From: Pan Bian <bianpan2016@163.com>
+
+commit 3a30537cee233fb7da302491b28c832247d89bbe upstream.
+
+Goto to the label put_dev instead of the label error to fix potential
+resource leak on path that the target index is invalid.
+
+Fixes: c4fbb6515a4d ("NFC: The core part should generate the target index")
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Link: https://lore.kernel.org/r/20210121152748.98409-1-bianpan2016@163.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/nfc/rawsock.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/nfc/rawsock.c
++++ b/net/nfc/rawsock.c
+@@ -105,7 +105,7 @@ static int rawsock_connect(struct socket
+       if (addr->target_idx > dev->target_next_idx - 1 ||
+           addr->target_idx < dev->target_next_idx - dev->n_targets) {
+               rc = -EINVAL;
+-              goto error;
++              goto put_dev;
+       }
+       rc = nfc_activate_target(dev, addr->target_idx, addr->nfc_protocol);
diff --git a/queue-5.10/rxrpc-fix-memory-leak-in-rxrpc_lookup_local.patch b/queue-5.10/rxrpc-fix-memory-leak-in-rxrpc_lookup_local.patch
new file mode 100644 (file)
index 0000000..99ef01b
--- /dev/null
@@ -0,0 +1,67 @@
+From b8323f7288abd71794cd7b11a4c0a38b8637c8b5 Mon Sep 17 00:00:00 2001
+From: Takeshi Misawa <jeliantsurux@gmail.com>
+Date: Thu, 28 Jan 2021 10:48:36 +0000
+Subject: rxrpc: Fix memory leak in rxrpc_lookup_local
+
+From: Takeshi Misawa <jeliantsurux@gmail.com>
+
+commit b8323f7288abd71794cd7b11a4c0a38b8637c8b5 upstream.
+
+Commit 9ebeddef58c4 ("rxrpc: rxrpc_peer needs to hold a ref on the rxrpc_local record")
+Then release ref in __rxrpc_put_peer and rxrpc_put_peer_locked.
+
+       struct rxrpc_peer *rxrpc_alloc_peer(struct rxrpc_local *local, gfp_t gfp)
+       -               peer->local = local;
+       +               peer->local = rxrpc_get_local(local);
+
+rxrpc_discard_prealloc also need ref release in discarding.
+
+syzbot report:
+BUG: memory leak
+unreferenced object 0xffff8881080ddc00 (size 256):
+  comm "syz-executor339", pid 8462, jiffies 4294942238 (age 12.350s)
+  hex dump (first 32 bytes):
+    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+    00 00 00 00 0a 00 00 00 00 c0 00 08 81 88 ff ff  ................
+  backtrace:
+    [<000000002b6e495f>] kmalloc include/linux/slab.h:552 [inline]
+    [<000000002b6e495f>] kzalloc include/linux/slab.h:682 [inline]
+    [<000000002b6e495f>] rxrpc_alloc_local net/rxrpc/local_object.c:79 [inline]
+    [<000000002b6e495f>] rxrpc_lookup_local+0x1c1/0x760 net/rxrpc/local_object.c:244
+    [<000000006b43a77b>] rxrpc_bind+0x174/0x240 net/rxrpc/af_rxrpc.c:149
+    [<00000000fd447a55>] afs_open_socket+0xdb/0x200 fs/afs/rxrpc.c:64
+    [<000000007fd8867c>] afs_net_init+0x2b4/0x340 fs/afs/main.c:126
+    [<0000000063d80ec1>] ops_init+0x4e/0x190 net/core/net_namespace.c:152
+    [<00000000073c5efa>] setup_net+0xde/0x2d0 net/core/net_namespace.c:342
+    [<00000000a6744d5b>] copy_net_ns+0x19f/0x3e0 net/core/net_namespace.c:483
+    [<0000000017d3aec3>] create_new_namespaces+0x199/0x4f0 kernel/nsproxy.c:110
+    [<00000000186271ef>] unshare_nsproxy_namespaces+0x9b/0x120 kernel/nsproxy.c:226
+    [<000000002de7bac4>] ksys_unshare+0x2fe/0x5c0 kernel/fork.c:2957
+    [<00000000349b12ba>] __do_sys_unshare kernel/fork.c:3025 [inline]
+    [<00000000349b12ba>] __se_sys_unshare kernel/fork.c:3023 [inline]
+    [<00000000349b12ba>] __x64_sys_unshare+0x12/0x20 kernel/fork.c:3023
+    [<000000006d178ef7>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
+    [<00000000637076d4>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Fixes: 9ebeddef58c4 ("rxrpc: rxrpc_peer needs to hold a ref on the rxrpc_local record")
+Signed-off-by: Takeshi Misawa <jeliantsurux@gmail.com>
+Reported-and-tested-by: syzbot+305326672fed51b205f7@syzkaller.appspotmail.com
+Signed-off-by: David Howells <dhowells@redhat.com>
+Link: https://lore.kernel.org/r/161183091692.3506637.3206605651502458810.stgit@warthog.procyon.org.uk
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/rxrpc/call_accept.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/rxrpc/call_accept.c
++++ b/net/rxrpc/call_accept.c
+@@ -197,6 +197,7 @@ void rxrpc_discard_prealloc(struct rxrpc
+       tail = b->peer_backlog_tail;
+       while (CIRC_CNT(head, tail, size) > 0) {
+               struct rxrpc_peer *peer = b->peer_backlog[tail];
++              rxrpc_put_local(peer->local);
+               kfree(peer);
+               tail = (tail + 1) & (size - 1);
+       }
diff --git a/queue-5.10/scsi-qla2xxx-fix-description-for-parameter-ql2xenforce_iocb_limit.patch b/queue-5.10/scsi-qla2xxx-fix-description-for-parameter-ql2xenforce_iocb_limit.patch
new file mode 100644 (file)
index 0000000..2df63f5
--- /dev/null
@@ -0,0 +1,34 @@
+From aa2c24e7f415e9c13635cee22ff4e15a80215551 Mon Sep 17 00:00:00 2001
+From: Enzo Matsumiya <ematsumiya@suse.de>
+Date: Mon, 18 Jan 2021 15:49:22 -0300
+Subject: scsi: qla2xxx: Fix description for parameter ql2xenforce_iocb_limit
+
+From: Enzo Matsumiya <ematsumiya@suse.de>
+
+commit aa2c24e7f415e9c13635cee22ff4e15a80215551 upstream.
+
+Parameter ql2xenforce_iocb_limit is enabled by default.
+
+Link: https://lore.kernel.org/r/20210118184922.23793-1-ematsumiya@suse.de
+Fixes: 89c72f4245a8 ("scsi: qla2xxx: Add IOCB resource tracking")
+Reviewed-by: Daniel Wagner <dwagner@suse.de>
+Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
+Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/qla2xxx/qla_os.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -42,7 +42,7 @@ MODULE_PARM_DESC(ql2xfulldump_on_mpifail
+ int ql2xenforce_iocb_limit = 1;
+ module_param(ql2xenforce_iocb_limit, int, S_IRUGO | S_IWUSR);
+ MODULE_PARM_DESC(ql2xenforce_iocb_limit,
+-               "Enforce IOCB throttling, to avoid FW congestion. (default: 0)");
++               "Enforce IOCB throttling, to avoid FW congestion. (default: 1)");
+ /*
+  * CT6 CTX allocation cache
index 0b53d0ed8047d538a0ecc00441d810ca7e5d9ff1..0ccf879ed5baf10a3c0fa46a55bb6a76c911b7ba 100644 (file)
@@ -129,3 +129,14 @@ iommu-amd-use-ivhd-efr-for-early-initialization-of-i.patch
 iommu-vt-d-correctly-check-addr-alignment-in-qi_flus.patch
 nvme-multipath-early-exit-if-no-path-is-available.patch
 selftests-forwarding-specify-interface-when-invoking.patch
+rxrpc-fix-memory-leak-in-rxrpc_lookup_local.patch
+nfc-fix-resource-leak-when-target-index-is-invalid.patch
+nfc-fix-possible-resource-leak.patch
+asoc-mediatek-mt8183-da7219-ignore-tdm-dai-link-by-default.patch
+asoc-mediatek-mt8183-mt6358-ignore-tdm-dai-link-by-default.patch
+asoc-topology-properly-unregister-dai-on-removal.patch
+asoc-topology-fix-memory-corruption-in-soc_tplg_denum_create_values.patch
+scsi-qla2xxx-fix-description-for-parameter-ql2xenforce_iocb_limit.patch
+team-protect-features-update-by-rcu-to-avoid-deadlock.patch
+tcp-make-tcp_user_timeout-accurate-for-zero-window-probes.patch
+tcp-fix-tlp-timer-not-set-when-ca_state-changes-from-disorder-to-open.patch
diff --git a/queue-5.10/tcp-fix-tlp-timer-not-set-when-ca_state-changes-from-disorder-to-open.patch b/queue-5.10/tcp-fix-tlp-timer-not-set-when-ca_state-changes-from-disorder-to-open.patch
new file mode 100644 (file)
index 0000000..6ff2bb7
--- /dev/null
@@ -0,0 +1,111 @@
+From 62d9f1a6945ba69c125e548e72a36d203b30596e Mon Sep 17 00:00:00 2001
+From: Pengcheng Yang <yangpc@wangsu.com>
+Date: Sun, 24 Jan 2021 13:07:14 +0800
+Subject: tcp: fix TLP timer not set when CA_STATE changes from DISORDER to OPEN
+
+From: Pengcheng Yang <yangpc@wangsu.com>
+
+commit 62d9f1a6945ba69c125e548e72a36d203b30596e upstream.
+
+Upon receiving a cumulative ACK that changes the congestion state from
+Disorder to Open, the TLP timer is not set. If the sender is app-limited,
+it can only wait for the RTO timer to expire and retransmit.
+
+The reason for this is that the TLP timer is set before the congestion
+state changes in tcp_ack(), so we delay the time point of calling
+tcp_set_xmit_timer() until after tcp_fastretrans_alert() returns and
+remove the FLAG_SET_XMIT_TIMER from ack_flag when the RACK reorder timer
+is set.
+
+This commit has two additional benefits:
+1) Make sure to reset RTO according to RFC6298 when receiving ACK, to
+avoid spurious RTO caused by RTO timer early expires.
+2) Reduce the xmit timer reschedule once per ACK when the RACK reorder
+timer is set.
+
+Fixes: df92c8394e6e ("tcp: fix xmit timer to only be reset if data ACKed/SACKed")
+Link: https://lore.kernel.org/netdev/1611311242-6675-1-git-send-email-yangpc@wangsu.com
+Signed-off-by: Pengcheng Yang <yangpc@wangsu.com>
+Acked-by: Neal Cardwell <ncardwell@google.com>
+Acked-by: Yuchung Cheng <ycheng@google.com>
+Cc: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/r/1611464834-23030-1-git-send-email-yangpc@wangsu.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/net/tcp.h       |    2 +-
+ net/ipv4/tcp_input.c    |   10 ++++++----
+ net/ipv4/tcp_recovery.c |    5 +++--
+ 3 files changed, 10 insertions(+), 7 deletions(-)
+
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -2066,7 +2066,7 @@ void tcp_mark_skb_lost(struct sock *sk,
+ void tcp_newreno_mark_lost(struct sock *sk, bool snd_una_advanced);
+ extern s32 tcp_rack_skb_timeout(struct tcp_sock *tp, struct sk_buff *skb,
+                               u32 reo_wnd);
+-extern void tcp_rack_mark_lost(struct sock *sk);
++extern bool tcp_rack_mark_lost(struct sock *sk);
+ extern void tcp_rack_advance(struct tcp_sock *tp, u8 sacked, u32 end_seq,
+                            u64 xmit_time);
+ extern void tcp_rack_reo_timeout(struct sock *sk);
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -2845,7 +2845,8 @@ static void tcp_identify_packet_loss(str
+       } else if (tcp_is_rack(sk)) {
+               u32 prior_retrans = tp->retrans_out;
+-              tcp_rack_mark_lost(sk);
++              if (tcp_rack_mark_lost(sk))
++                      *ack_flag &= ~FLAG_SET_XMIT_TIMER;
+               if (prior_retrans > tp->retrans_out)
+                       *ack_flag |= FLAG_LOST_RETRANS;
+       }
+@@ -3802,9 +3803,6 @@ static int tcp_ack(struct sock *sk, cons
+       if (tp->tlp_high_seq)
+               tcp_process_tlp_ack(sk, ack, flag);
+-      /* If needed, reset TLP/RTO timer; RACK may later override this. */
+-      if (flag & FLAG_SET_XMIT_TIMER)
+-              tcp_set_xmit_timer(sk);
+       if (tcp_ack_is_dubious(sk, flag)) {
+               if (!(flag & (FLAG_SND_UNA_ADVANCED | FLAG_NOT_DUP))) {
+@@ -3817,6 +3815,10 @@ static int tcp_ack(struct sock *sk, cons
+                                     &rexmit);
+       }
++      /* If needed, reset TLP/RTO timer when RACK doesn't set. */
++      if (flag & FLAG_SET_XMIT_TIMER)
++              tcp_set_xmit_timer(sk);
++
+       if ((flag & FLAG_FORWARD_PROGRESS) || !(flag & FLAG_NOT_DUP))
+               sk_dst_confirm(sk);
+--- a/net/ipv4/tcp_recovery.c
++++ b/net/ipv4/tcp_recovery.c
+@@ -96,13 +96,13 @@ static void tcp_rack_detect_loss(struct
+       }
+ }
+-void tcp_rack_mark_lost(struct sock *sk)
++bool tcp_rack_mark_lost(struct sock *sk)
+ {
+       struct tcp_sock *tp = tcp_sk(sk);
+       u32 timeout;
+       if (!tp->rack.advanced)
+-              return;
++              return false;
+       /* Reset the advanced flag to avoid unnecessary queue scanning */
+       tp->rack.advanced = 0;
+@@ -112,6 +112,7 @@ void tcp_rack_mark_lost(struct sock *sk)
+               inet_csk_reset_xmit_timer(sk, ICSK_TIME_REO_TIMEOUT,
+                                         timeout, inet_csk(sk)->icsk_rto);
+       }
++      return !!timeout;
+ }
+ /* Record the most recently (re)sent time among the (s)acked packets
diff --git a/queue-5.10/tcp-make-tcp_user_timeout-accurate-for-zero-window-probes.patch b/queue-5.10/tcp-make-tcp_user_timeout-accurate-for-zero-window-probes.patch
new file mode 100644 (file)
index 0000000..ac9b614
--- /dev/null
@@ -0,0 +1,96 @@
+From 344db93ae3ee69fc137bd6ed89a8ff1bf5b0db08 Mon Sep 17 00:00:00 2001
+From: Enke Chen <enchen@paloaltonetworks.com>
+Date: Fri, 22 Jan 2021 11:13:06 -0800
+Subject: tcp: make TCP_USER_TIMEOUT accurate for zero window probes
+
+From: Enke Chen <enchen@paloaltonetworks.com>
+
+commit 344db93ae3ee69fc137bd6ed89a8ff1bf5b0db08 upstream.
+
+The TCP_USER_TIMEOUT is checked by the 0-window probe timer. As the
+timer has backoff with a max interval of about two minutes, the
+actual timeout for TCP_USER_TIMEOUT can be off by up to two minutes.
+
+In this patch the TCP_USER_TIMEOUT is made more accurate by taking it
+into account when computing the timer value for the 0-window probes.
+
+This patch is similar to and builds on top of the one that made
+TCP_USER_TIMEOUT accurate for RTOs in commit b701a99e431d ("tcp: Add
+tcp_clamp_rto_to_user_timeout() helper to improve accuracy").
+
+Fixes: 9721e709fa68 ("tcp: simplify window probe aborting on USER_TIMEOUT")
+Signed-off-by: Enke Chen <enchen@paloaltonetworks.com>
+Reviewed-by: Neal Cardwell <ncardwell@google.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/r/20210122191306.GA99540@localhost.localdomain
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/net/tcp.h     |    1 +
+ net/ipv4/tcp_input.c  |    4 ++--
+ net/ipv4/tcp_output.c |    2 ++
+ net/ipv4/tcp_timer.c  |   18 ++++++++++++++++++
+ 4 files changed, 23 insertions(+), 2 deletions(-)
+
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -625,6 +625,7 @@ static inline void tcp_clear_xmit_timers
+ unsigned int tcp_sync_mss(struct sock *sk, u32 pmtu);
+ unsigned int tcp_current_mss(struct sock *sk);
++u32 tcp_clamp_probe0_to_user_timeout(const struct sock *sk, u32 when);
+ /* Bound MSS / TSO packet size with the half of the window */
+ static inline int tcp_bound_to_half_wnd(struct tcp_sock *tp, int pktsize)
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -3378,8 +3378,8 @@ static void tcp_ack_probe(struct sock *s
+       } else {
+               unsigned long when = tcp_probe0_when(sk, TCP_RTO_MAX);
+-              tcp_reset_xmit_timer(sk, ICSK_TIME_PROBE0,
+-                                   when, TCP_RTO_MAX);
++              when = tcp_clamp_probe0_to_user_timeout(sk, when);
++              tcp_reset_xmit_timer(sk, ICSK_TIME_PROBE0, when, TCP_RTO_MAX);
+       }
+ }
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -4095,6 +4095,8 @@ void tcp_send_probe0(struct sock *sk)
+                */
+               timeout = TCP_RESOURCE_PROBE_INTERVAL;
+       }
++
++      timeout = tcp_clamp_probe0_to_user_timeout(sk, timeout);
+       tcp_reset_xmit_timer(sk, ICSK_TIME_PROBE0, timeout, TCP_RTO_MAX);
+ }
+--- a/net/ipv4/tcp_timer.c
++++ b/net/ipv4/tcp_timer.c
+@@ -40,6 +40,24 @@ static u32 tcp_clamp_rto_to_user_timeout
+       return min_t(u32, icsk->icsk_rto, msecs_to_jiffies(remaining));
+ }
++u32 tcp_clamp_probe0_to_user_timeout(const struct sock *sk, u32 when)
++{
++      struct inet_connection_sock *icsk = inet_csk(sk);
++      u32 remaining;
++      s32 elapsed;
++
++      if (!icsk->icsk_user_timeout || !icsk->icsk_probes_tstamp)
++              return when;
++
++      elapsed = tcp_jiffies32 - icsk->icsk_probes_tstamp;
++      if (unlikely(elapsed < 0))
++              elapsed = 0;
++      remaining = msecs_to_jiffies(icsk->icsk_user_timeout) - elapsed;
++      remaining = max_t(u32, remaining, TCP_TIMEOUT_MIN);
++
++      return min_t(u32, remaining, when);
++}
++
+ /**
+  *  tcp_write_err() - close socket and save error info
+  *  @sk:  The socket the error has appeared on.
diff --git a/queue-5.10/team-protect-features-update-by-rcu-to-avoid-deadlock.patch b/queue-5.10/team-protect-features-update-by-rcu-to-avoid-deadlock.patch
new file mode 100644 (file)
index 0000000..a3d4063
--- /dev/null
@@ -0,0 +1,80 @@
+From f0947d0d21b219e03940b9be6628a43445c0de7a Mon Sep 17 00:00:00 2001
+From: Ivan Vecera <ivecera@redhat.com>
+Date: Mon, 25 Jan 2021 08:44:16 +0100
+Subject: team: protect features update by RCU to avoid deadlock
+
+From: Ivan Vecera <ivecera@redhat.com>
+
+commit f0947d0d21b219e03940b9be6628a43445c0de7a upstream.
+
+Function __team_compute_features() is protected by team->lock
+mutex when it is called from team_compute_features() used when
+features of an underlying device is changed. This causes
+a deadlock when NETDEV_FEAT_CHANGE notifier for underlying device
+is fired due to change propagated from team driver (e.g. MTU
+change). It's because callbacks like team_change_mtu() or
+team_vlan_rx_{add,del}_vid() protect their port list traversal
+by team->lock mutex.
+
+Example (r8169 case where this driver disables TSO for certain MTU
+values):
+...
+[ 6391.348202]  __mutex_lock.isra.6+0x2d0/0x4a0
+[ 6391.358602]  team_device_event+0x9d/0x160 [team]
+[ 6391.363756]  notifier_call_chain+0x47/0x70
+[ 6391.368329]  netdev_update_features+0x56/0x60
+[ 6391.373207]  rtl8169_change_mtu+0x14/0x50 [r8169]
+[ 6391.378457]  dev_set_mtu_ext+0xe1/0x1d0
+[ 6391.387022]  dev_set_mtu+0x52/0x90
+[ 6391.390820]  team_change_mtu+0x64/0xf0 [team]
+[ 6391.395683]  dev_set_mtu_ext+0xe1/0x1d0
+[ 6391.399963]  do_setlink+0x231/0xf50
+...
+
+In fact team_compute_features() called from team_device_event()
+does not need to be protected by team->lock mutex and rcu_read_lock()
+is sufficient there for port list traversal.
+
+Fixes: 3d249d4ca7d0 ("net: introduce ethernet teaming device")
+Cc: Saeed Mahameed <saeed@kernel.org>
+Signed-off-by: Ivan Vecera <ivecera@redhat.com>
+Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Link: https://lore.kernel.org/r/20210125074416.4056484-1-ivecera@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/team/team.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -991,7 +991,8 @@ static void __team_compute_features(stru
+       unsigned int dst_release_flag = IFF_XMIT_DST_RELEASE |
+                                       IFF_XMIT_DST_RELEASE_PERM;
+-      list_for_each_entry(port, &team->port_list, list) {
++      rcu_read_lock();
++      list_for_each_entry_rcu(port, &team->port_list, list) {
+               vlan_features = netdev_increment_features(vlan_features,
+                                       port->dev->vlan_features,
+                                       TEAM_VLAN_FEATURES);
+@@ -1005,6 +1006,7 @@ static void __team_compute_features(stru
+               if (port->dev->hard_header_len > max_hard_header_len)
+                       max_hard_header_len = port->dev->hard_header_len;
+       }
++      rcu_read_unlock();
+       team->dev->vlan_features = vlan_features;
+       team->dev->hw_enc_features = enc_features | NETIF_F_GSO_ENCAP_ALL |
+@@ -1020,9 +1022,7 @@ static void __team_compute_features(stru
+ static void team_compute_features(struct team *team)
+ {
+-      mutex_lock(&team->lock);
+       __team_compute_features(team);
+-      mutex_unlock(&team->lock);
+       netdev_change_features(team->dev);
+ }