From: Sasha Levin Date: Sun, 12 Jun 2022 13:42:02 +0000 (-0400) Subject: Fixes for 5.17 X-Git-Tag: v4.9.318~100 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=075129d825cdee1643577a4ac13e1be18632171b;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.17 Signed-off-by: Sasha Levin --- diff --git a/queue-5.17/af_unix-fix-a-data-race-in-unix_dgram_peer_wake_me.patch b/queue-5.17/af_unix-fix-a-data-race-in-unix_dgram_peer_wake_me.patch new file mode 100644 index 00000000000..5bd00658ab4 --- /dev/null +++ b/queue-5.17/af_unix-fix-a-data-race-in-unix_dgram_peer_wake_me.patch @@ -0,0 +1,39 @@ +From 04cf0980a1e8b7b9172e9078011b50c16264b523 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 5 Jun 2022 16:23:25 -0700 +Subject: af_unix: Fix a data-race in unix_dgram_peer_wake_me(). + +From: Kuniyuki Iwashima + +[ Upstream commit 662a80946ce13633ae90a55379f1346c10f0c432 ] + +unix_dgram_poll() calls unix_dgram_peer_wake_me() without `other`'s +lock held and check if its receive queue is full. Here we need to +use unix_recvq_full_lockless() instead of unix_recvq_full(), otherwise +KCSAN will report a data-race. + +Fixes: 7d267278a9ec ("unix: avoid use-after-free in ep_remove_wait_queue") +Signed-off-by: Kuniyuki Iwashima +Link: https://lore.kernel.org/r/20220605232325.11804-1-kuniyu@amazon.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/unix/af_unix.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index 1e7ed5829ed5..99c56922abf5 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -490,7 +490,7 @@ static int unix_dgram_peer_wake_me(struct sock *sk, struct sock *other) + * -ECONNREFUSED. Otherwise, if we haven't queued any skbs + * to other and its full, we will hang waiting for POLLOUT. + */ +- if (unix_recvq_full(other) && !sock_flag(other, SOCK_DEAD)) ++ if (unix_recvq_full_lockless(other) && !sock_flag(other, SOCK_DEAD)) + return 1; + + if (connected) +-- +2.35.1 + diff --git a/queue-5.17/amt-fix-possible-null-ptr-deref-in-amt_rcv.patch b/queue-5.17/amt-fix-possible-null-ptr-deref-in-amt_rcv.patch new file mode 100644 index 00000000000..0651bd4b966 --- /dev/null +++ b/queue-5.17/amt-fix-possible-null-ptr-deref-in-amt_rcv.patch @@ -0,0 +1,44 @@ +From 5c2511b89195662ee762294f6b879daa04a68ba5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Jun 2022 14:01:07 +0000 +Subject: amt: fix possible null-ptr-deref in amt_rcv() + +From: Taehee Yoo + +[ Upstream commit d16207f92a4a823c48b4ea953ad51f4483456768 ] + +When amt interface receives amt message, it tries to obtain amt private +data from sock. +If there is no amt private data, it frees an skb immediately. +After kfree_skb(), it increases the rx_dropped stats. +But in order to use rx_dropped, amt private data is needed. +So, it makes amt_rcv() to do not increase rx_dropped stats when it can +not obtain amt private data. + +Reported-by: kernel test robot +Reported-by: Dan Carpenter +Fixes: 1a1a0e80e005 ("amt: fix possible memory leak in amt_rcv()") +Signed-off-by: Taehee Yoo +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/amt.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/amt.c b/drivers/net/amt.c +index d8c47c4e6559..e239c0262d56 100644 +--- a/drivers/net/amt.c ++++ b/drivers/net/amt.c +@@ -2698,7 +2698,8 @@ static int amt_rcv(struct sock *sk, struct sk_buff *skb) + amt = rcu_dereference_sk_user_data(sk); + if (!amt) { + err = true; +- goto drop; ++ kfree_skb(skb); ++ goto out; + } + + skb->dev = amt->dev; +-- +2.35.1 + diff --git a/queue-5.17/amt-fix-wrong-type-string-definition.patch b/queue-5.17/amt-fix-wrong-type-string-definition.patch new file mode 100644 index 00000000000..ca440d90d10 --- /dev/null +++ b/queue-5.17/amt-fix-wrong-type-string-definition.patch @@ -0,0 +1,36 @@ +From 42b64a24a3815c31ad4ecb82111ad5951e462f7e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Jun 2022 14:01:08 +0000 +Subject: amt: fix wrong type string definition + +From: Taehee Yoo + +[ Upstream commit d7970039d87c926bb648982e920cb9851c19f3e1 ] + +amt message type definition starts from 1, not 0. +But type_str[] starts from 0. +So, it prints wrong type information. + +Fixes: cbc21dc1cfe9 ("amt: add data plane of amt interface") +Signed-off-by: Taehee Yoo +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/amt.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/amt.c b/drivers/net/amt.c +index e239c0262d56..83e5fe784f5c 100644 +--- a/drivers/net/amt.c ++++ b/drivers/net/amt.c +@@ -51,6 +51,7 @@ static char *status_str[] = { + }; + + static char *type_str[] = { ++ "", /* Type 0 is not defined */ + "AMT_MSG_DISCOVERY", + "AMT_MSG_ADVERTISEMENT", + "AMT_MSG_REQUEST", +-- +2.35.1 + diff --git a/queue-5.17/amt-fix-wrong-usage-of-pskb_may_pull.patch b/queue-5.17/amt-fix-wrong-usage-of-pskb_may_pull.patch new file mode 100644 index 00000000000..ef21735e77e --- /dev/null +++ b/queue-5.17/amt-fix-wrong-usage-of-pskb_may_pull.patch @@ -0,0 +1,182 @@ +From 3f9f3cff883b83a403994bd3a920d25b84d40d9e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Jun 2022 14:01:06 +0000 +Subject: amt: fix wrong usage of pskb_may_pull() + +From: Taehee Yoo + +[ Upstream commit f55a07074fdd38cab8c097ac5bd397d68eff733c ] + +It adds missing pskb_may_pull() in amt_update_handler() and +amt_multicast_data_handler(). +And it fixes wrong parameter of pskb_may_pull() in +amt_advertisement_handler() and amt_membership_query_handler(). + +Reported-by: Jakub Kicinski +Fixes: cbc21dc1cfe9 ("amt: add data plane of amt interface") +Signed-off-by: Taehee Yoo +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/amt.c | 55 +++++++++++++++++++++++++++++++---------------- + 1 file changed, 37 insertions(+), 18 deletions(-) + +diff --git a/drivers/net/amt.c b/drivers/net/amt.c +index d23eac9ce858..d8c47c4e6559 100644 +--- a/drivers/net/amt.c ++++ b/drivers/net/amt.c +@@ -2220,8 +2220,7 @@ static bool amt_advertisement_handler(struct amt_dev *amt, struct sk_buff *skb) + struct amt_header_advertisement *amta; + int hdr_size; + +- hdr_size = sizeof(*amta) - sizeof(struct amt_header); +- ++ hdr_size = sizeof(*amta) + sizeof(struct udphdr); + if (!pskb_may_pull(skb, hdr_size)) + return true; + +@@ -2251,19 +2250,27 @@ static bool amt_multicast_data_handler(struct amt_dev *amt, struct sk_buff *skb) + struct ethhdr *eth; + struct iphdr *iph; + ++ hdr_size = sizeof(*amtmd) + sizeof(struct udphdr); ++ if (!pskb_may_pull(skb, hdr_size)) ++ return true; ++ + amtmd = (struct amt_header_mcast_data *)(udp_hdr(skb) + 1); + if (amtmd->reserved || amtmd->version) + return true; + +- hdr_size = sizeof(*amtmd) + sizeof(struct udphdr); + if (iptunnel_pull_header(skb, hdr_size, htons(ETH_P_IP), false)) + return true; ++ + skb_reset_network_header(skb); + skb_push(skb, sizeof(*eth)); + skb_reset_mac_header(skb); + skb_pull(skb, sizeof(*eth)); + eth = eth_hdr(skb); ++ ++ if (!pskb_may_pull(skb, sizeof(*iph))) ++ return true; + iph = ip_hdr(skb); ++ + if (iph->version == 4) { + if (!ipv4_is_multicast(iph->daddr)) + return true; +@@ -2274,6 +2281,9 @@ static bool amt_multicast_data_handler(struct amt_dev *amt, struct sk_buff *skb) + } else if (iph->version == 6) { + struct ipv6hdr *ip6h; + ++ if (!pskb_may_pull(skb, sizeof(*ip6h))) ++ return true; ++ + ip6h = ipv6_hdr(skb); + if (!ipv6_addr_is_multicast(&ip6h->daddr)) + return true; +@@ -2306,8 +2316,7 @@ static bool amt_membership_query_handler(struct amt_dev *amt, + struct iphdr *iph; + int hdr_size, len; + +- hdr_size = sizeof(*amtmq) - sizeof(struct amt_header); +- ++ hdr_size = sizeof(*amtmq) + sizeof(struct udphdr); + if (!pskb_may_pull(skb, hdr_size)) + return true; + +@@ -2315,22 +2324,27 @@ static bool amt_membership_query_handler(struct amt_dev *amt, + if (amtmq->reserved || amtmq->version) + return true; + +- hdr_size = sizeof(*amtmq) + sizeof(struct udphdr) - sizeof(*eth); ++ hdr_size -= sizeof(*eth); + if (iptunnel_pull_header(skb, hdr_size, htons(ETH_P_TEB), false)) + return true; ++ + oeth = eth_hdr(skb); + skb_reset_mac_header(skb); + skb_pull(skb, sizeof(*eth)); + skb_reset_network_header(skb); + eth = eth_hdr(skb); ++ if (!pskb_may_pull(skb, sizeof(*iph))) ++ return true; ++ + iph = ip_hdr(skb); + if (iph->version == 4) { +- if (!ipv4_is_multicast(iph->daddr)) +- return true; + if (!pskb_may_pull(skb, sizeof(*iph) + AMT_IPHDR_OPTS + + sizeof(*ihv3))) + return true; + ++ if (!ipv4_is_multicast(iph->daddr)) ++ return true; ++ + ihv3 = skb_pull(skb, sizeof(*iph) + AMT_IPHDR_OPTS); + skb_reset_transport_header(skb); + skb_push(skb, sizeof(*iph) + AMT_IPHDR_OPTS); +@@ -2345,15 +2359,17 @@ static bool amt_membership_query_handler(struct amt_dev *amt, + ip_eth_mc_map(iph->daddr, eth->h_dest); + #if IS_ENABLED(CONFIG_IPV6) + } else if (iph->version == 6) { +- struct ipv6hdr *ip6h = ipv6_hdr(skb); + struct mld2_query *mld2q; ++ struct ipv6hdr *ip6h; + +- if (!ipv6_addr_is_multicast(&ip6h->daddr)) +- return true; + if (!pskb_may_pull(skb, sizeof(*ip6h) + AMT_IP6HDR_OPTS + + sizeof(*mld2q))) + return true; + ++ ip6h = ipv6_hdr(skb); ++ if (!ipv6_addr_is_multicast(&ip6h->daddr)) ++ return true; ++ + mld2q = skb_pull(skb, sizeof(*ip6h) + AMT_IP6HDR_OPTS); + skb_reset_transport_header(skb); + skb_push(skb, sizeof(*ip6h) + AMT_IP6HDR_OPTS); +@@ -2389,23 +2405,23 @@ static bool amt_update_handler(struct amt_dev *amt, struct sk_buff *skb) + { + struct amt_header_membership_update *amtmu; + struct amt_tunnel_list *tunnel; +- struct udphdr *udph; + struct ethhdr *eth; + struct iphdr *iph; +- int len; ++ int len, hdr_size; + + iph = ip_hdr(skb); +- udph = udp_hdr(skb); + +- if (__iptunnel_pull_header(skb, sizeof(*udph), skb->protocol, +- false, false)) ++ hdr_size = sizeof(*amtmu) + sizeof(struct udphdr); ++ if (!pskb_may_pull(skb, hdr_size)) + return true; + +- amtmu = (struct amt_header_membership_update *)skb->data; ++ amtmu = (struct amt_header_membership_update *)(udp_hdr(skb) + 1); + if (amtmu->reserved || amtmu->version) + return true; + +- skb_pull(skb, sizeof(*amtmu)); ++ if (iptunnel_pull_header(skb, hdr_size, skb->protocol, false)) ++ return true; ++ + skb_reset_network_header(skb); + + list_for_each_entry_rcu(tunnel, &amt->tunnel_list, list) { +@@ -2426,6 +2442,9 @@ static bool amt_update_handler(struct amt_dev *amt, struct sk_buff *skb) + return true; + + report: ++ if (!pskb_may_pull(skb, sizeof(*iph))) ++ return true; ++ + iph = ip_hdr(skb); + if (iph->version == 4) { + if (ip_mc_check_igmp(skb)) { +-- +2.35.1 + diff --git a/queue-5.17/ata-pata_octeon_cf-fix-refcount-leak-in-octeon_cf_pr.patch b/queue-5.17/ata-pata_octeon_cf-fix-refcount-leak-in-octeon_cf_pr.patch new file mode 100644 index 00000000000..fa79dab76ef --- /dev/null +++ b/queue-5.17/ata-pata_octeon_cf-fix-refcount-leak-in-octeon_cf_pr.patch @@ -0,0 +1,52 @@ +From e1e91b6acafb8b02604e5996a83622e1ff8cf61a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Jun 2022 12:59:26 +0400 +Subject: ata: pata_octeon_cf: Fix refcount leak in octeon_cf_probe + +From: Miaoqian Lin + +[ Upstream commit 10d6bdf532902be1d8aa5900b3c03c5671612aa2 ] + +of_find_device_by_node() takes reference, we should use put_device() +to release it when not need anymore. +Add missing put_device() to avoid refcount leak. + +Fixes: 43f01da0f279 ("MIPS/OCTEON/ata: Convert pata_octeon_cf.c to use device tree.") +Signed-off-by: Miaoqian Lin +Reviewed-by: Sergey Shtylyov +Signed-off-by: Damien Le Moal +Signed-off-by: Sasha Levin +--- + drivers/ata/pata_octeon_cf.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/ata/pata_octeon_cf.c b/drivers/ata/pata_octeon_cf.c +index 05c2ab375756..a2abf6c9a085 100644 +--- a/drivers/ata/pata_octeon_cf.c ++++ b/drivers/ata/pata_octeon_cf.c +@@ -856,12 +856,14 @@ static int octeon_cf_probe(struct platform_device *pdev) + int i; + res_dma = platform_get_resource(dma_dev, IORESOURCE_MEM, 0); + if (!res_dma) { ++ put_device(&dma_dev->dev); + of_node_put(dma_node); + return -EINVAL; + } + cf_port->dma_base = (u64)devm_ioremap(&pdev->dev, res_dma->start, + resource_size(res_dma)); + if (!cf_port->dma_base) { ++ put_device(&dma_dev->dev); + of_node_put(dma_node); + return -EINVAL; + } +@@ -871,6 +873,7 @@ static int octeon_cf_probe(struct platform_device *pdev) + irq = i; + irq_handler = octeon_cf_interrupt; + } ++ put_device(&dma_dev->dev); + } + of_node_put(dma_node); + } +-- +2.35.1 + diff --git a/queue-5.17/bpf-arm64-clear-prog-jited_len-along-prog-jited.patch b/queue-5.17/bpf-arm64-clear-prog-jited_len-along-prog-jited.patch new file mode 100644 index 00000000000..6dece57d3d3 --- /dev/null +++ b/queue-5.17/bpf-arm64-clear-prog-jited_len-along-prog-jited.patch @@ -0,0 +1,100 @@ +From 4d9d6b74d46c18db364af8f233298bc99da22306 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 May 2022 14:51:13 -0700 +Subject: bpf, arm64: Clear prog->jited_len along prog->jited + +From: Eric Dumazet + +[ Upstream commit 10f3b29c65bb2fe0d47c2945cd0b4087be1c5218 ] + +syzbot reported an illegal copy_to_user() attempt +from bpf_prog_get_info_by_fd() [1] + +There was no repro yet on this bug, but I think +that commit 0aef499f3172 ("mm/usercopy: Detect vmalloc overruns") +is exposing a prior bug in bpf arm64. + +bpf_prog_get_info_by_fd() looks at prog->jited_len +to determine if the JIT image can be copied out to user space. + +My theory is that syzbot managed to get a prog where prog->jited_len +has been set to 43, while prog->bpf_func has ben cleared. + +It is not clear why copy_to_user(uinsns, NULL, ulen) is triggering +this particular warning. + +I thought find_vma_area(NULL) would not find a vm_struct. +As we do not hold vmap_area_lock spinlock, it might be possible +that the found vm_struct was garbage. + +[1] +usercopy: Kernel memory exposure attempt detected from vmalloc (offset 792633534417210172, size 43)! +kernel BUG at mm/usercopy.c:101! +Internal error: Oops - BUG: 0 [#1] PREEMPT SMP +Modules linked in: +CPU: 0 PID: 25002 Comm: syz-executor.1 Not tainted 5.18.0-syzkaller-10139-g8291eaafed36 #0 +Hardware name: linux,dummy-virt (DT) +pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) +pc : usercopy_abort+0x90/0x94 mm/usercopy.c:101 +lr : usercopy_abort+0x90/0x94 mm/usercopy.c:89 +sp : ffff80000b773a20 +x29: ffff80000b773a30 x28: faff80000b745000 x27: ffff80000b773b48 +x26: 0000000000000000 x25: 000000000000002b x24: 0000000000000000 +x23: 00000000000000e0 x22: ffff80000b75db67 x21: 0000000000000001 +x20: 000000000000002b x19: ffff80000b75db3c x18: 00000000fffffffd +x17: 2820636f6c6c616d x16: 76206d6f72662064 x15: 6574636574656420 +x14: 74706d6574746120 x13: 2129333420657a69 x12: 73202c3237313031 +x11: 3237313434333533 x10: 3336323937207465 x9 : 657275736f707865 +x8 : ffff80000a30c550 x7 : ffff80000b773830 x6 : ffff80000b773830 +x5 : 0000000000000000 x4 : ffff00007fbbaa10 x3 : 0000000000000000 +x2 : 0000000000000000 x1 : f7ff000028fc0000 x0 : 0000000000000064 +Call trace: + usercopy_abort+0x90/0x94 mm/usercopy.c:89 + check_heap_object mm/usercopy.c:186 [inline] + __check_object_size mm/usercopy.c:252 [inline] + __check_object_size+0x198/0x36c mm/usercopy.c:214 + check_object_size include/linux/thread_info.h:199 [inline] + check_copy_size include/linux/thread_info.h:235 [inline] + copy_to_user include/linux/uaccess.h:159 [inline] + bpf_prog_get_info_by_fd.isra.0+0xf14/0xfdc kernel/bpf/syscall.c:3993 + bpf_obj_get_info_by_fd+0x12c/0x510 kernel/bpf/syscall.c:4253 + __sys_bpf+0x900/0x2150 kernel/bpf/syscall.c:4956 + __do_sys_bpf kernel/bpf/syscall.c:5021 [inline] + __se_sys_bpf kernel/bpf/syscall.c:5019 [inline] + __arm64_sys_bpf+0x28/0x40 kernel/bpf/syscall.c:5019 + __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline] + invoke_syscall+0x48/0x114 arch/arm64/kernel/syscall.c:52 + el0_svc_common.constprop.0+0x44/0xec arch/arm64/kernel/syscall.c:142 + do_el0_svc+0xa0/0xc0 arch/arm64/kernel/syscall.c:206 + el0_svc+0x44/0xb0 arch/arm64/kernel/entry-common.c:624 + el0t_64_sync_handler+0x1ac/0x1b0 arch/arm64/kernel/entry-common.c:642 + el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:581 +Code: aa0003e3 d00038c0 91248000 97fff65f (d4210000) + +Fixes: db496944fdaa ("bpf: arm64: add JIT support for multi-function programs") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Signed-off-by: Daniel Borkmann +Acked-by: Song Liu +Link: https://lore.kernel.org/bpf/20220531215113.1100754-1-eric.dumazet@gmail.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + arch/arm64/net/bpf_jit_comp.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm64/net/bpf_jit_comp.c b/arch/arm64/net/bpf_jit_comp.c +index cbc41e261f1e..c679c57ec76e 100644 +--- a/arch/arm64/net/bpf_jit_comp.c ++++ b/arch/arm64/net/bpf_jit_comp.c +@@ -1120,6 +1120,7 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog) + bpf_jit_binary_free(header); + prog->bpf_func = NULL; + prog->jited = 0; ++ prog->jited_len = 0; + goto out_off; + } + bpf_jit_binary_lock_ro(header); +-- +2.35.1 + diff --git a/queue-5.17/drm-bridge-ti-sn65dsi83-handle-dsi_lanes-0-as-invali.patch b/queue-5.17/drm-bridge-ti-sn65dsi83-handle-dsi_lanes-0-as-invali.patch new file mode 100644 index 00000000000..4ed6f36fb01 --- /dev/null +++ b/queue-5.17/drm-bridge-ti-sn65dsi83-handle-dsi_lanes-0-as-invali.patch @@ -0,0 +1,46 @@ +From ae27bfdb812c8b48c752896f70339b4f51750ee6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 May 2022 01:38:44 +0200 +Subject: drm/bridge: ti-sn65dsi83: Handle dsi_lanes == 0 as invalid + +From: Marek Vasut + +[ Upstream commit edbc7960bef7fd71ef1e44d0df15b864784b14c8 ] + +Handle empty data-lanes = < >; property, which translates to +dsi_lanes = 0 as invalid. + +Fixes: ceb515ba29ba6 ("drm/bridge: ti-sn65dsi83: Add TI SN65DSI83 and SN65DSI84 driver") +Signed-off-by: Marek Vasut +Cc: Jonas Karlman +Cc: Laurent Pinchart +Cc: Lucas Stach +Cc: Marek Vasut +Cc: Maxime Ripard +Cc: Neil Armstrong +Cc: Robert Foss +Cc: Sam Ravnborg +Reviewed-by: Andrzej Hajda +Reviewed-by: Lucas Stach +Link: https://patchwork.freedesktop.org/patch/msgid/20220518233844.248504-1-marex@denx.de +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/ti-sn65dsi83.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/bridge/ti-sn65dsi83.c b/drivers/gpu/drm/bridge/ti-sn65dsi83.c +index 314a84ffcea3..1b7eeefe6784 100644 +--- a/drivers/gpu/drm/bridge/ti-sn65dsi83.c ++++ b/drivers/gpu/drm/bridge/ti-sn65dsi83.c +@@ -560,7 +560,7 @@ static int sn65dsi83_parse_dt(struct sn65dsi83 *ctx, enum sn65dsi83_model model) + ctx->host_node = of_graph_get_remote_port_parent(endpoint); + of_node_put(endpoint); + +- if (ctx->dsi_lanes < 0 || ctx->dsi_lanes > 4) { ++ if (ctx->dsi_lanes <= 0 || ctx->dsi_lanes > 4) { + ret = -EINVAL; + goto err_put_node; + } +-- +2.35.1 + diff --git a/queue-5.17/drm-imx-fix-compiler-warning-with-gcc-12.patch b/queue-5.17/drm-imx-fix-compiler-warning-with-gcc-12.patch new file mode 100644 index 00000000000..f727d63ce05 --- /dev/null +++ b/queue-5.17/drm-imx-fix-compiler-warning-with-gcc-12.patch @@ -0,0 +1,51 @@ +From 3d3dddc6b2e626b81eebb4222c7a32537c6655e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Jun 2022 16:59:29 -0700 +Subject: drm: imx: fix compiler warning with gcc-12 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Linus Torvalds + +[ Upstream commit 7aefd8b53815274f3ef398d370a3c9b27dd9f00c ] + +Gcc-12 correctly warned about this code using a non-NULL pointer as a +truth value: + + drivers/gpu/drm/imx/ipuv3-crtc.c: In function ‘ipu_crtc_disable_planes’: + drivers/gpu/drm/imx/ipuv3-crtc.c:72:21: error: the comparison will always evaluate as ‘true’ for the address of ‘plane’ will never be NULL [-Werror=address] + 72 | if (&ipu_crtc->plane[1] && plane == &ipu_crtc->plane[1]->base) + | ^ + +due to the extraneous '&' address-of operator. + +Philipp Zabel points out that The mistake had no adverse effect since +the following condition doesn't actually dereference the NULL pointer, +but the intent of the code was obviously to check for it, not to take +the address of the member. + +Fixes: eb8c88808c83 ("drm/imx: add deferred plane disabling") +Acked-by: Philipp Zabel +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/imx/ipuv3-crtc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/imx/ipuv3-crtc.c b/drivers/gpu/drm/imx/ipuv3-crtc.c +index 9c8829f945b2..f7863d6dea80 100644 +--- a/drivers/gpu/drm/imx/ipuv3-crtc.c ++++ b/drivers/gpu/drm/imx/ipuv3-crtc.c +@@ -69,7 +69,7 @@ static void ipu_crtc_disable_planes(struct ipu_crtc *ipu_crtc, + drm_atomic_crtc_state_for_each_plane(plane, old_crtc_state) { + if (plane == &ipu_crtc->plane[0]->base) + disable_full = true; +- if (&ipu_crtc->plane[1] && plane == &ipu_crtc->plane[1]->base) ++ if (ipu_crtc->plane[1] && plane == &ipu_crtc->plane[1]->base) + disable_partial = true; + } + +-- +2.35.1 + diff --git a/queue-5.17/drm-panfrost-job-should-reference-mmu-not-file_priv.patch b/queue-5.17/drm-panfrost-job-should-reference-mmu-not-file_priv.patch new file mode 100644 index 00000000000..071f2ceec13 --- /dev/null +++ b/queue-5.17/drm-panfrost-job-should-reference-mmu-not-file_priv.patch @@ -0,0 +1,104 @@ +From 3a9e4dca54e13cfa827bb857999d646680182d31 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 May 2022 16:20:03 +0100 +Subject: drm/panfrost: Job should reference MMU not file_priv + +From: Steven Price + +[ Upstream commit 6e516faf04317db2c46cbec4e3b78b4653a5b109 ] + +For a while now it's been allowed for a MMU context to outlive it's +corresponding panfrost_priv, however the job structure still references +panfrost_priv to get hold of the MMU context. If panfrost_priv has been +freed this is a use-after-free which I've been able to trigger resulting +in a splat. + +To fix this, drop the reference to panfrost_priv in the job structure +and add a direct reference to the MMU structure which is what's actually +needed. + +Fixes: 7fdc48cc63a3 ("drm/panfrost: Make sure MMU context lifetime is not bound to panfrost_priv") +Signed-off-by: Steven Price +Acked-by: Alyssa Rosenzweig +Link: https://patchwork.freedesktop.org/patch/msgid/20220519152003.81081-1-steven.price@arm.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panfrost/panfrost_drv.c | 5 +++-- + drivers/gpu/drm/panfrost/panfrost_job.c | 6 +++--- + drivers/gpu/drm/panfrost/panfrost_job.h | 2 +- + 3 files changed, 7 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/panfrost/panfrost_drv.c b/drivers/gpu/drm/panfrost/panfrost_drv.c +index 96bb5a465627..012af6eaaf62 100644 +--- a/drivers/gpu/drm/panfrost/panfrost_drv.c ++++ b/drivers/gpu/drm/panfrost/panfrost_drv.c +@@ -233,6 +233,7 @@ static int panfrost_ioctl_submit(struct drm_device *dev, void *data, + struct drm_file *file) + { + struct panfrost_device *pfdev = dev->dev_private; ++ struct panfrost_file_priv *file_priv = file->driver_priv; + struct drm_panfrost_submit *args = data; + struct drm_syncobj *sync_out = NULL; + struct panfrost_job *job; +@@ -262,12 +263,12 @@ static int panfrost_ioctl_submit(struct drm_device *dev, void *data, + job->jc = args->jc; + job->requirements = args->requirements; + job->flush_id = panfrost_gpu_get_latest_flush_id(pfdev); +- job->file_priv = file->driver_priv; ++ job->mmu = file_priv->mmu; + + slot = panfrost_job_get_slot(job); + + ret = drm_sched_job_init(&job->base, +- &job->file_priv->sched_entity[slot], ++ &file_priv->sched_entity[slot], + NULL); + if (ret) + goto out_put_job; +diff --git a/drivers/gpu/drm/panfrost/panfrost_job.c b/drivers/gpu/drm/panfrost/panfrost_job.c +index 908d79520853..016bec72b7ce 100644 +--- a/drivers/gpu/drm/panfrost/panfrost_job.c ++++ b/drivers/gpu/drm/panfrost/panfrost_job.c +@@ -201,7 +201,7 @@ static void panfrost_job_hw_submit(struct panfrost_job *job, int js) + return; + } + +- cfg = panfrost_mmu_as_get(pfdev, job->file_priv->mmu); ++ cfg = panfrost_mmu_as_get(pfdev, job->mmu); + + job_write(pfdev, JS_HEAD_NEXT_LO(js), lower_32_bits(jc_head)); + job_write(pfdev, JS_HEAD_NEXT_HI(js), upper_32_bits(jc_head)); +@@ -431,7 +431,7 @@ static void panfrost_job_handle_err(struct panfrost_device *pfdev, + job->jc = 0; + } + +- panfrost_mmu_as_put(pfdev, job->file_priv->mmu); ++ panfrost_mmu_as_put(pfdev, job->mmu); + panfrost_devfreq_record_idle(&pfdev->pfdevfreq); + + if (signal_fence) +@@ -452,7 +452,7 @@ static void panfrost_job_handle_done(struct panfrost_device *pfdev, + * happen when we receive the DONE interrupt while doing a GPU reset). + */ + job->jc = 0; +- panfrost_mmu_as_put(pfdev, job->file_priv->mmu); ++ panfrost_mmu_as_put(pfdev, job->mmu); + panfrost_devfreq_record_idle(&pfdev->pfdevfreq); + + dma_fence_signal_locked(job->done_fence); +diff --git a/drivers/gpu/drm/panfrost/panfrost_job.h b/drivers/gpu/drm/panfrost/panfrost_job.h +index 77e6d0e6f612..8becc1ba0eb9 100644 +--- a/drivers/gpu/drm/panfrost/panfrost_job.h ++++ b/drivers/gpu/drm/panfrost/panfrost_job.h +@@ -17,7 +17,7 @@ struct panfrost_job { + struct kref refcount; + + struct panfrost_device *pfdev; +- struct panfrost_file_priv *file_priv; ++ struct panfrost_mmu *mmu; + + /* Fence to be signaled by IRQ handler when the job is complete. */ + struct dma_fence *done_fence; +-- +2.35.1 + diff --git a/queue-5.17/i40e-xsk-move-tmp-desc-array-from-driver-to-pool.patch b/queue-5.17/i40e-xsk-move-tmp-desc-array-from-driver-to-pool.patch new file mode 100644 index 00000000000..4b92a3f7037 --- /dev/null +++ b/queue-5.17/i40e-xsk-move-tmp-desc-array-from-driver-to-pool.patch @@ -0,0 +1,250 @@ +From a369533ac0210bdd6e19a66ddaedf82f5e1d4a6f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Jan 2022 17:04:43 +0100 +Subject: i40e: xsk: Move tmp desc array from driver to pool + +From: Magnus Karlsson + +[ Upstream commit d1bc532e99becf104635ed4da6fefa306f452321 ] + +Move desc_array from the driver to the pool. The reason behind this is +that we can then reuse this array as a temporary storage for descriptors +in all zero-copy drivers that use the batched interface. This will make +it easier to add batching to more drivers. + +i40e is the only driver that has a batched Tx zero-copy +implementation, so no need to touch any other driver. + +Signed-off-by: Magnus Karlsson +Signed-off-by: Daniel Borkmann +Reviewed-by: Alexander Lobakin +Link: https://lore.kernel.org/bpf/20220125160446.78976-6-maciej.fijalkowski@intel.com +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_txrx.c | 11 ----------- + drivers/net/ethernet/intel/i40e/i40e_txrx.h | 1 - + drivers/net/ethernet/intel/i40e/i40e_xsk.c | 4 ++-- + include/net/xdp_sock_drv.h | 5 ++--- + include/net/xsk_buff_pool.h | 1 + + net/xdp/xsk.c | 13 ++++++------- + net/xdp/xsk_buff_pool.c | 7 +++++++ + net/xdp/xsk_queue.h | 12 ++++++------ + 8 files changed, 24 insertions(+), 30 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_txrx.c b/drivers/net/ethernet/intel/i40e/i40e_txrx.c +index 66cc79500c10..af9c88e71452 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_txrx.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_txrx.c +@@ -830,8 +830,6 @@ void i40e_free_tx_resources(struct i40e_ring *tx_ring) + i40e_clean_tx_ring(tx_ring); + kfree(tx_ring->tx_bi); + tx_ring->tx_bi = NULL; +- kfree(tx_ring->xsk_descs); +- tx_ring->xsk_descs = NULL; + + if (tx_ring->desc) { + dma_free_coherent(tx_ring->dev, tx_ring->size, +@@ -1433,13 +1431,6 @@ int i40e_setup_tx_descriptors(struct i40e_ring *tx_ring) + if (!tx_ring->tx_bi) + goto err; + +- if (ring_is_xdp(tx_ring)) { +- tx_ring->xsk_descs = kcalloc(I40E_MAX_NUM_DESCRIPTORS, sizeof(*tx_ring->xsk_descs), +- GFP_KERNEL); +- if (!tx_ring->xsk_descs) +- goto err; +- } +- + u64_stats_init(&tx_ring->syncp); + + /* round up to nearest 4K */ +@@ -1463,8 +1454,6 @@ int i40e_setup_tx_descriptors(struct i40e_ring *tx_ring) + return 0; + + err: +- kfree(tx_ring->xsk_descs); +- tx_ring->xsk_descs = NULL; + kfree(tx_ring->tx_bi); + tx_ring->tx_bi = NULL; + return -ENOMEM; +diff --git a/drivers/net/ethernet/intel/i40e/i40e_txrx.h b/drivers/net/ethernet/intel/i40e/i40e_txrx.h +index bfc2845c99d1..f6d91fa1562e 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_txrx.h ++++ b/drivers/net/ethernet/intel/i40e/i40e_txrx.h +@@ -390,7 +390,6 @@ struct i40e_ring { + u16 rx_offset; + struct xdp_rxq_info xdp_rxq; + struct xsk_buff_pool *xsk_pool; +- struct xdp_desc *xsk_descs; /* For storing descriptors in the AF_XDP ZC path */ + } ____cacheline_internodealigned_in_smp; + + static inline bool ring_uses_build_skb(struct i40e_ring *ring) +diff --git a/drivers/net/ethernet/intel/i40e/i40e_xsk.c b/drivers/net/ethernet/intel/i40e/i40e_xsk.c +index e5e72b5bb619..c1d25b0b0ca2 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_xsk.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_xsk.c +@@ -470,11 +470,11 @@ static void i40e_set_rs_bit(struct i40e_ring *xdp_ring) + **/ + static bool i40e_xmit_zc(struct i40e_ring *xdp_ring, unsigned int budget) + { +- struct xdp_desc *descs = xdp_ring->xsk_descs; ++ struct xdp_desc *descs = xdp_ring->xsk_pool->tx_descs; + u32 nb_pkts, nb_processed = 0; + unsigned int total_bytes = 0; + +- nb_pkts = xsk_tx_peek_release_desc_batch(xdp_ring->xsk_pool, descs, budget); ++ nb_pkts = xsk_tx_peek_release_desc_batch(xdp_ring->xsk_pool, budget); + if (!nb_pkts) + return true; + +diff --git a/include/net/xdp_sock_drv.h b/include/net/xdp_sock_drv.h +index 443d45951564..4aa031849668 100644 +--- a/include/net/xdp_sock_drv.h ++++ b/include/net/xdp_sock_drv.h +@@ -13,7 +13,7 @@ + + void xsk_tx_completed(struct xsk_buff_pool *pool, u32 nb_entries); + bool xsk_tx_peek_desc(struct xsk_buff_pool *pool, struct xdp_desc *desc); +-u32 xsk_tx_peek_release_desc_batch(struct xsk_buff_pool *pool, struct xdp_desc *desc, u32 max); ++u32 xsk_tx_peek_release_desc_batch(struct xsk_buff_pool *pool, u32 max); + void xsk_tx_release(struct xsk_buff_pool *pool); + struct xsk_buff_pool *xsk_get_pool_from_qid(struct net_device *dev, + u16 queue_id); +@@ -142,8 +142,7 @@ static inline bool xsk_tx_peek_desc(struct xsk_buff_pool *pool, + return false; + } + +-static inline u32 xsk_tx_peek_release_desc_batch(struct xsk_buff_pool *pool, struct xdp_desc *desc, +- u32 max) ++static inline u32 xsk_tx_peek_release_desc_batch(struct xsk_buff_pool *pool, u32 max) + { + return 0; + } +diff --git a/include/net/xsk_buff_pool.h b/include/net/xsk_buff_pool.h +index ddeefc4a1040..5554ee75e7da 100644 +--- a/include/net/xsk_buff_pool.h ++++ b/include/net/xsk_buff_pool.h +@@ -60,6 +60,7 @@ struct xsk_buff_pool { + */ + dma_addr_t *dma_pages; + struct xdp_buff_xsk *heads; ++ struct xdp_desc *tx_descs; + u64 chunk_mask; + u64 addrs_cnt; + u32 free_list_cnt; +diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c +index 39a82bfb5caa..7d3a00cb24ec 100644 +--- a/net/xdp/xsk.c ++++ b/net/xdp/xsk.c +@@ -343,9 +343,9 @@ bool xsk_tx_peek_desc(struct xsk_buff_pool *pool, struct xdp_desc *desc) + } + EXPORT_SYMBOL(xsk_tx_peek_desc); + +-static u32 xsk_tx_peek_release_fallback(struct xsk_buff_pool *pool, struct xdp_desc *descs, +- u32 max_entries) ++static u32 xsk_tx_peek_release_fallback(struct xsk_buff_pool *pool, u32 max_entries) + { ++ struct xdp_desc *descs = pool->tx_descs; + u32 nb_pkts = 0; + + while (nb_pkts < max_entries && xsk_tx_peek_desc(pool, &descs[nb_pkts])) +@@ -355,8 +355,7 @@ static u32 xsk_tx_peek_release_fallback(struct xsk_buff_pool *pool, struct xdp_d + return nb_pkts; + } + +-u32 xsk_tx_peek_release_desc_batch(struct xsk_buff_pool *pool, struct xdp_desc *descs, +- u32 max_entries) ++u32 xsk_tx_peek_release_desc_batch(struct xsk_buff_pool *pool, u32 max_entries) + { + struct xdp_sock *xs; + u32 nb_pkts; +@@ -365,7 +364,7 @@ u32 xsk_tx_peek_release_desc_batch(struct xsk_buff_pool *pool, struct xdp_desc * + if (!list_is_singular(&pool->xsk_tx_list)) { + /* Fallback to the non-batched version */ + rcu_read_unlock(); +- return xsk_tx_peek_release_fallback(pool, descs, max_entries); ++ return xsk_tx_peek_release_fallback(pool, max_entries); + } + + xs = list_first_or_null_rcu(&pool->xsk_tx_list, struct xdp_sock, tx_list); +@@ -374,7 +373,7 @@ u32 xsk_tx_peek_release_desc_batch(struct xsk_buff_pool *pool, struct xdp_desc * + goto out; + } + +- nb_pkts = xskq_cons_peek_desc_batch(xs->tx, descs, pool, max_entries); ++ nb_pkts = xskq_cons_peek_desc_batch(xs->tx, pool, max_entries); + if (!nb_pkts) { + xs->tx->queue_empty_descs++; + goto out; +@@ -386,7 +385,7 @@ u32 xsk_tx_peek_release_desc_batch(struct xsk_buff_pool *pool, struct xdp_desc * + * packets. This avoids having to implement any buffering in + * the Tx path. + */ +- nb_pkts = xskq_prod_reserve_addr_batch(pool->cq, descs, nb_pkts); ++ nb_pkts = xskq_prod_reserve_addr_batch(pool->cq, pool->tx_descs, nb_pkts); + if (!nb_pkts) + goto out; + +diff --git a/net/xdp/xsk_buff_pool.c b/net/xdp/xsk_buff_pool.c +index 0202a90b65e3..af040ffa14ff 100644 +--- a/net/xdp/xsk_buff_pool.c ++++ b/net/xdp/xsk_buff_pool.c +@@ -37,6 +37,7 @@ void xp_destroy(struct xsk_buff_pool *pool) + if (!pool) + return; + ++ kvfree(pool->tx_descs); + kvfree(pool->heads); + kvfree(pool); + } +@@ -58,6 +59,12 @@ struct xsk_buff_pool *xp_create_and_assign_umem(struct xdp_sock *xs, + if (!pool->heads) + goto out; + ++ if (xs->tx) { ++ pool->tx_descs = kcalloc(xs->tx->nentries, sizeof(*pool->tx_descs), GFP_KERNEL); ++ if (!pool->tx_descs) ++ goto out; ++ } ++ + pool->chunk_mask = ~((u64)umem->chunk_size - 1); + pool->addrs_cnt = umem->size; + pool->heads_cnt = umem->chunks; +diff --git a/net/xdp/xsk_queue.h b/net/xdp/xsk_queue.h +index e9aa2c236356..638138fbe475 100644 +--- a/net/xdp/xsk_queue.h ++++ b/net/xdp/xsk_queue.h +@@ -205,11 +205,11 @@ static inline bool xskq_cons_read_desc(struct xsk_queue *q, + return false; + } + +-static inline u32 xskq_cons_read_desc_batch(struct xsk_queue *q, +- struct xdp_desc *descs, +- struct xsk_buff_pool *pool, u32 max) ++static inline u32 xskq_cons_read_desc_batch(struct xsk_queue *q, struct xsk_buff_pool *pool, ++ u32 max) + { + u32 cached_cons = q->cached_cons, nb_entries = 0; ++ struct xdp_desc *descs = pool->tx_descs; + + while (cached_cons != q->cached_prod && nb_entries < max) { + struct xdp_rxtx_ring *ring = (struct xdp_rxtx_ring *)q->ring; +@@ -282,12 +282,12 @@ static inline bool xskq_cons_peek_desc(struct xsk_queue *q, + return xskq_cons_read_desc(q, desc, pool); + } + +-static inline u32 xskq_cons_peek_desc_batch(struct xsk_queue *q, struct xdp_desc *descs, +- struct xsk_buff_pool *pool, u32 max) ++static inline u32 xskq_cons_peek_desc_batch(struct xsk_queue *q, struct xsk_buff_pool *pool, ++ u32 max) + { + u32 entries = xskq_cons_nb_entries(q, max); + +- return xskq_cons_read_desc_batch(q, descs, pool, entries); ++ return xskq_cons_read_desc_batch(q, pool, entries); + } + + /* To improve performance in the xskq_cons_release functions, only update local state here. +-- +2.35.1 + diff --git a/queue-5.17/iov_iter-fix-iter_xarray_get_pages-_alloc.patch b/queue-5.17/iov_iter-fix-iter_xarray_get_pages-_alloc.patch new file mode 100644 index 00000000000..2d4b21af7e6 --- /dev/null +++ b/queue-5.17/iov_iter-fix-iter_xarray_get_pages-_alloc.patch @@ -0,0 +1,99 @@ +From 2f455ab73ea3b28fbfb3e88bdc3f64a8f9cbe62e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Jun 2022 09:07:01 +0100 +Subject: iov_iter: Fix iter_xarray_get_pages{,_alloc}() + +From: David Howells + +[ Upstream commit 6c77676645ad42993e0a8bdb8dafa517851a352a ] + +The maths at the end of iter_xarray_get_pages() to calculate the actual +size doesn't work under some circumstances, such as when it's been asked to +extract a partial single page. Various terms of the equation cancel out +and you end up with actual == offset. The same issue exists in +iter_xarray_get_pages_alloc(). + +Fix these to just use min() to select the lesser amount from between the +amount of page content transcribed into the buffer, minus the offset, and +the size limit specified. + +This doesn't appear to have caused a problem yet upstream because network +filesystems aren't getting the pages from an xarray iterator, but rather +passing it directly to the socket, which just iterates over it. Cachefiles +*does* do DIO from one to/from ext4/xfs/btrfs/etc. but it always asks for +whole pages to be written or read. + +Fixes: 7ff5062079ef ("iov_iter: Add ITER_XARRAY") +Reported-by: Jeff Layton +Signed-off-by: David Howells +cc: Alexander Viro +cc: Dominique Martinet +cc: Mike Marshall +cc: Gao Xiang +cc: linux-afs@lists.infradead.org +cc: v9fs-developer@lists.sourceforge.net +cc: devel@lists.orangefs.org +cc: linux-erofs@lists.ozlabs.org +cc: linux-cachefs@redhat.com +cc: linux-fsdevel@vger.kernel.org +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + lib/iov_iter.c | 20 ++++---------------- + 1 file changed, 4 insertions(+), 16 deletions(-) + +diff --git a/lib/iov_iter.c b/lib/iov_iter.c +index 6dd5330f7a99..dda6d5f481c1 100644 +--- a/lib/iov_iter.c ++++ b/lib/iov_iter.c +@@ -1434,7 +1434,7 @@ static ssize_t iter_xarray_get_pages(struct iov_iter *i, + { + unsigned nr, offset; + pgoff_t index, count; +- size_t size = maxsize, actual; ++ size_t size = maxsize; + loff_t pos; + + if (!size || !maxpages) +@@ -1461,13 +1461,7 @@ static ssize_t iter_xarray_get_pages(struct iov_iter *i, + if (nr == 0) + return 0; + +- actual = PAGE_SIZE * nr; +- actual -= offset; +- if (nr == count && size > 0) { +- unsigned last_offset = (nr > 1) ? 0 : offset; +- actual -= PAGE_SIZE - (last_offset + size); +- } +- return actual; ++ return min(nr * PAGE_SIZE - offset, maxsize); + } + + /* must be done on non-empty ITER_IOVEC one */ +@@ -1602,7 +1596,7 @@ static ssize_t iter_xarray_get_pages_alloc(struct iov_iter *i, + struct page **p; + unsigned nr, offset; + pgoff_t index, count; +- size_t size = maxsize, actual; ++ size_t size = maxsize; + loff_t pos; + + if (!size) +@@ -1631,13 +1625,7 @@ static ssize_t iter_xarray_get_pages_alloc(struct iov_iter *i, + if (nr == 0) + return 0; + +- actual = PAGE_SIZE * nr; +- actual -= offset; +- if (nr == count && size > 0) { +- unsigned last_offset = (nr > 1) ? 0 : offset; +- actual -= PAGE_SIZE - (last_offset + size); +- } +- return actual; ++ return min(nr * PAGE_SIZE - offset, maxsize); + } + + ssize_t iov_iter_get_pages_alloc(struct iov_iter *i, +-- +2.35.1 + diff --git a/queue-5.17/ip_gre-test-csum_start-instead-of-transport-header.patch b/queue-5.17/ip_gre-test-csum_start-instead-of-transport-header.patch new file mode 100644 index 00000000000..28e08e2f3dc --- /dev/null +++ b/queue-5.17/ip_gre-test-csum_start-instead-of-transport-header.patch @@ -0,0 +1,87 @@ +From 8af9ccc2548f4f2a6f3eb0c7246ede40d98e8e8a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Jun 2022 09:21:07 -0400 +Subject: ip_gre: test csum_start instead of transport header + +From: Willem de Bruijn + +[ Upstream commit 8d21e9963bec1aad2280cdd034c8993033ef2948 ] + +GRE with TUNNEL_CSUM will apply local checksum offload on +CHECKSUM_PARTIAL packets. + +ipgre_xmit must validate csum_start after an optional skb_pull, +else lco_csum may trigger an overflow. The original check was + + if (csum && skb_checksum_start(skb) < skb->data) + return -EINVAL; + +This had false positives when skb_checksum_start is undefined: +when ip_summed is not CHECKSUM_PARTIAL. A discussed refinement +was straightforward + + if (csum && skb->ip_summed == CHECKSUM_PARTIAL && + skb_checksum_start(skb) < skb->data) + return -EINVAL; + +But was eventually revised more thoroughly: +- restrict the check to the only branch where needed, in an + uncommon GRE path that uses header_ops and calls skb_pull. +- test skb_transport_header, which is set along with csum_start + in skb_partial_csum_set in the normal header_ops datapath. + +Turns out skbs can arrive in this branch without the transport +header set, e.g., through BPF redirection. + +Revise the check back to check csum_start directly, and only if +CHECKSUM_PARTIAL. Do leave the check in the updated location. +Check field regardless of whether TUNNEL_CSUM is configured. + +Link: https://lore.kernel.org/netdev/YS+h%2FtqCJJiQei+W@shredder/ +Link: https://lore.kernel.org/all/20210902193447.94039-2-willemdebruijn.kernel@gmail.com/T/#u +Fixes: 8a0ed250f911 ("ip_gre: validate csum_start only on pull") +Reported-by: syzbot +Signed-off-by: Willem de Bruijn +Reviewed-by: Eric Dumazet +Reviewed-by: Alexander Duyck +Link: https://lore.kernel.org/r/20220606132107.3582565-1-willemdebruijn.kernel@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/ip_gre.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c +index 8cf86e42c1d1..65b6d4c1698e 100644 +--- a/net/ipv4/ip_gre.c ++++ b/net/ipv4/ip_gre.c +@@ -629,21 +629,20 @@ static netdev_tx_t ipgre_xmit(struct sk_buff *skb, + } + + if (dev->header_ops) { +- const int pull_len = tunnel->hlen + sizeof(struct iphdr); +- + if (skb_cow_head(skb, 0)) + goto free_skb; + + tnl_params = (const struct iphdr *)skb->data; + +- if (pull_len > skb_transport_offset(skb)) +- goto free_skb; +- + /* Pull skb since ip_tunnel_xmit() needs skb->data pointing + * to gre header. + */ +- skb_pull(skb, pull_len); ++ skb_pull(skb, tunnel->hlen + sizeof(struct iphdr)); + skb_reset_mac_header(skb); ++ ++ if (skb->ip_summed == CHECKSUM_PARTIAL && ++ skb_checksum_start(skb) < skb->data) ++ goto free_skb; + } else { + if (skb_cow_head(skb, dev->needed_headroom)) + goto free_skb; +-- +2.35.1 + diff --git a/queue-5.17/net-altera-fix-refcount-leak-in-altera_tse_mdio_crea.patch b/queue-5.17/net-altera-fix-refcount-leak-in-altera_tse_mdio_crea.patch new file mode 100644 index 00000000000..dd8625c5872 --- /dev/null +++ b/queue-5.17/net-altera-fix-refcount-leak-in-altera_tse_mdio_crea.patch @@ -0,0 +1,59 @@ +From c9963bf52e00f8c57646985943b8aa022d842bbe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Jun 2022 08:11:43 +0400 +Subject: net: altera: Fix refcount leak in altera_tse_mdio_create + +From: Miaoqian Lin + +[ Upstream commit 11ec18b1d8d92b9df307d31950dcba0b3dd7283c ] + +Every iteration of for_each_child_of_node() decrements +the reference count of the previous node. +When break from a for_each_child_of_node() loop, +we need to explicitly call of_node_put() on the child node when +not need anymore. +Add missing of_node_put() to avoid refcount leak. + +Fixes: bbd2190ce96d ("Altera TSE: Add main and header file for Altera Ethernet Driver") +Signed-off-by: Miaoqian Lin +Link: https://lore.kernel.org/r/20220607041144.7553-1-linmq006@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/altera/altera_tse_main.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/altera/altera_tse_main.c b/drivers/net/ethernet/altera/altera_tse_main.c +index 993b2fb42961..36bf3ce545c9 100644 +--- a/drivers/net/ethernet/altera/altera_tse_main.c ++++ b/drivers/net/ethernet/altera/altera_tse_main.c +@@ -163,7 +163,8 @@ static int altera_tse_mdio_create(struct net_device *dev, unsigned int id) + mdio = mdiobus_alloc(); + if (mdio == NULL) { + netdev_err(dev, "Error allocating MDIO bus\n"); +- return -ENOMEM; ++ ret = -ENOMEM; ++ goto put_node; + } + + mdio->name = ALTERA_TSE_RESOURCE_NAME; +@@ -180,6 +181,7 @@ static int altera_tse_mdio_create(struct net_device *dev, unsigned int id) + mdio->id); + goto out_free_mdio; + } ++ of_node_put(mdio_node); + + if (netif_msg_drv(priv)) + netdev_info(dev, "MDIO bus %s: created\n", mdio->id); +@@ -189,6 +191,8 @@ static int altera_tse_mdio_create(struct net_device *dev, unsigned int id) + out_free_mdio: + mdiobus_free(mdio); + mdio = NULL; ++put_node: ++ of_node_put(mdio_node); + return ret; + } + +-- +2.35.1 + diff --git a/queue-5.17/net-dsa-lantiq_gswip-fix-refcount-leak-in-gswip_gphy.patch b/queue-5.17/net-dsa-lantiq_gswip-fix-refcount-leak-in-gswip_gphy.patch new file mode 100644 index 00000000000..0f880c235eb --- /dev/null +++ b/queue-5.17/net-dsa-lantiq_gswip-fix-refcount-leak-in-gswip_gphy.patch @@ -0,0 +1,43 @@ +From adcd1f0c6d799e22b593462499bcec08f685a785 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 5 Jun 2022 11:23:34 +0400 +Subject: net: dsa: lantiq_gswip: Fix refcount leak in gswip_gphy_fw_list + +From: Miaoqian Lin + +[ Upstream commit 0737e018a05e2aa352828c52bdeed3b02cff2930 ] + +Every iteration of for_each_available_child_of_node() decrements +the reference count of the previous node. +when breaking early from a for_each_available_child_of_node() loop, +we need to explicitly call of_node_put() on the gphy_fw_np. +Add missing of_node_put() to avoid refcount leak. + +Fixes: 14fceff4771e ("net: dsa: Add Lantiq / Intel DSA driver for vrx200") +Signed-off-by: Miaoqian Lin +Link: https://lore.kernel.org/r/20220605072335.11257-1-linmq006@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/lantiq_gswip.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/dsa/lantiq_gswip.c b/drivers/net/dsa/lantiq_gswip.c +index 8acec33a4702..9d8db457599c 100644 +--- a/drivers/net/dsa/lantiq_gswip.c ++++ b/drivers/net/dsa/lantiq_gswip.c +@@ -2021,8 +2021,10 @@ static int gswip_gphy_fw_list(struct gswip_priv *priv, + for_each_available_child_of_node(gphy_fw_list_np, gphy_fw_np) { + err = gswip_gphy_fw_probe(priv, &priv->gphy_fw[i], + gphy_fw_np, i); +- if (err) ++ if (err) { ++ of_node_put(gphy_fw_np); + goto remove_gphy; ++ } + i++; + } + +-- +2.35.1 + diff --git a/queue-5.17/net-dsa-mv88e6xxx-use-bmsr_anegcomplete-bit-for-fill.patch b/queue-5.17/net-dsa-mv88e6xxx-use-bmsr_anegcomplete-bit-for-fill.patch new file mode 100644 index 00000000000..4229fd3f8c7 --- /dev/null +++ b/queue-5.17/net-dsa-mv88e6xxx-use-bmsr_anegcomplete-bit-for-fill.patch @@ -0,0 +1,117 @@ +From 1511465a4c6c7c2c2a92efeb4633c988a12f2e4d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Jun 2022 12:28:42 +0100 +Subject: net: dsa: mv88e6xxx: use BMSR_ANEGCOMPLETE bit for filling + an_complete +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Marek Behún + +[ Upstream commit 47e96930d6e6106d5252e85b868d3c7e29296de0 ] + +Commit ede359d8843a ("net: dsa: mv88e6xxx: Link in pcs_get_state() if AN +is bypassed") added the ability to link if AN was bypassed, and added +filling of state->an_complete field, but set it to true if AN was +enabled in BMCR, not when AN was reported complete in BMSR. + +This was done because for some reason, when I wanted to use BMSR value +to infer an_complete, I was looking at BMSR_ANEGCAPABLE bit (which was +always 1), instead of BMSR_ANEGCOMPLETE bit. + +Use BMSR_ANEGCOMPLETE for filling state->an_complete. + +Fixes: ede359d8843a ("net: dsa: mv88e6xxx: Link in pcs_get_state() if AN is bypassed") +Signed-off-by: Marek Behún +Signed-off-by: Russell King (Oracle) +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/mv88e6xxx/serdes.c | 27 +++++++++++---------------- + 1 file changed, 11 insertions(+), 16 deletions(-) + +diff --git a/drivers/net/dsa/mv88e6xxx/serdes.c b/drivers/net/dsa/mv88e6xxx/serdes.c +index 2b05ead515cd..6ae7a0ed9e0b 100644 +--- a/drivers/net/dsa/mv88e6xxx/serdes.c ++++ b/drivers/net/dsa/mv88e6xxx/serdes.c +@@ -50,22 +50,17 @@ static int mv88e6390_serdes_write(struct mv88e6xxx_chip *chip, + } + + static int mv88e6xxx_serdes_pcs_get_state(struct mv88e6xxx_chip *chip, +- u16 ctrl, u16 status, u16 lpa, ++ u16 bmsr, u16 lpa, u16 status, + struct phylink_link_state *state) + { + state->link = !!(status & MV88E6390_SGMII_PHY_STATUS_LINK); ++ state->an_complete = !!(bmsr & BMSR_ANEGCOMPLETE); + + if (status & MV88E6390_SGMII_PHY_STATUS_SPD_DPL_VALID) { + /* The Spped and Duplex Resolved register is 1 if AN is enabled + * and complete, or if AN is disabled. So with disabled AN we +- * still get here on link up. But we want to set an_complete +- * only if AN was enabled, thus we look at BMCR_ANENABLE. +- * (According to 802.3-2008 section 22.2.4.2.10, we should be +- * able to get this same value from BMSR_ANEGCAPABLE, but tests +- * show that these Marvell PHYs don't conform to this part of +- * the specificaion - BMSR_ANEGCAPABLE is simply always 1.) ++ * still get here on link up. + */ +- state->an_complete = !!(ctrl & BMCR_ANENABLE); + state->duplex = status & + MV88E6390_SGMII_PHY_STATUS_DUPLEX_FULL ? + DUPLEX_FULL : DUPLEX_HALF; +@@ -191,12 +186,12 @@ int mv88e6352_serdes_pcs_config(struct mv88e6xxx_chip *chip, int port, + int mv88e6352_serdes_pcs_get_state(struct mv88e6xxx_chip *chip, int port, + int lane, struct phylink_link_state *state) + { +- u16 lpa, status, ctrl; ++ u16 bmsr, lpa, status; + int err; + +- err = mv88e6352_serdes_read(chip, MII_BMCR, &ctrl); ++ err = mv88e6352_serdes_read(chip, MII_BMSR, &bmsr); + if (err) { +- dev_err(chip->dev, "can't read Serdes PHY control: %d\n", err); ++ dev_err(chip->dev, "can't read Serdes BMSR: %d\n", err); + return err; + } + +@@ -212,7 +207,7 @@ int mv88e6352_serdes_pcs_get_state(struct mv88e6xxx_chip *chip, int port, + return err; + } + +- return mv88e6xxx_serdes_pcs_get_state(chip, ctrl, status, lpa, state); ++ return mv88e6xxx_serdes_pcs_get_state(chip, bmsr, lpa, status, state); + } + + int mv88e6352_serdes_pcs_an_restart(struct mv88e6xxx_chip *chip, int port, +@@ -915,13 +910,13 @@ int mv88e6390_serdes_pcs_config(struct mv88e6xxx_chip *chip, int port, + static int mv88e6390_serdes_pcs_get_state_sgmii(struct mv88e6xxx_chip *chip, + int port, int lane, struct phylink_link_state *state) + { +- u16 lpa, status, ctrl; ++ u16 bmsr, lpa, status; + int err; + + err = mv88e6390_serdes_read(chip, lane, MDIO_MMD_PHYXS, +- MV88E6390_SGMII_BMCR, &ctrl); ++ MV88E6390_SGMII_BMSR, &bmsr); + if (err) { +- dev_err(chip->dev, "can't read Serdes PHY control: %d\n", err); ++ dev_err(chip->dev, "can't read Serdes PHY BMSR: %d\n", err); + return err; + } + +@@ -939,7 +934,7 @@ static int mv88e6390_serdes_pcs_get_state_sgmii(struct mv88e6xxx_chip *chip, + return err; + } + +- return mv88e6xxx_serdes_pcs_get_state(chip, ctrl, status, lpa, state); ++ return mv88e6xxx_serdes_pcs_get_state(chip, bmsr, lpa, status, state); + } + + static int mv88e6390_serdes_pcs_get_state_10g(struct mv88e6xxx_chip *chip, +-- +2.35.1 + diff --git a/queue-5.17/net-ethernet-bgmac-fix-refcount-leak-in-bcma_mdio_mi.patch b/queue-5.17/net-ethernet-bgmac-fix-refcount-leak-in-bcma_mdio_mi.patch new file mode 100644 index 00000000000..735f0d6fb16 --- /dev/null +++ b/queue-5.17/net-ethernet-bgmac-fix-refcount-leak-in-bcma_mdio_mi.patch @@ -0,0 +1,38 @@ +From ca6cc881de796cc1ecb60f8657b35fce9b58a595 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Jun 2022 17:32:38 +0400 +Subject: net: ethernet: bgmac: Fix refcount leak in bcma_mdio_mii_register + +From: Miaoqian Lin + +[ Upstream commit b8d91399775c55162073bb2aca061ec42e3d4bc1 ] + +of_get_child_by_name() returns a node pointer with refcount +incremented, we should use of_node_put() on it when not need anymore. +Add missing of_node_put() to avoid refcount leak. + +Fixes: 55954f3bfdac ("net: ethernet: bgmac: move BCMA MDIO Phy code into a separate file") +Signed-off-by: Miaoqian Lin +Reviewed-by: Andrew Lunn +Link: https://lore.kernel.org/r/20220603133238.44114-1-linmq006@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bgmac-bcma-mdio.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/broadcom/bgmac-bcma-mdio.c b/drivers/net/ethernet/broadcom/bgmac-bcma-mdio.c +index 086739e4f40a..9b83d5361699 100644 +--- a/drivers/net/ethernet/broadcom/bgmac-bcma-mdio.c ++++ b/drivers/net/ethernet/broadcom/bgmac-bcma-mdio.c +@@ -234,6 +234,7 @@ struct mii_bus *bcma_mdio_mii_register(struct bgmac *bgmac) + np = of_get_child_by_name(core->dev.of_node, "mdio"); + + err = of_mdiobus_register(mii_bus, np); ++ of_node_put(np); + if (err) { + dev_err(&core->dev, "Registration of mii bus failed\n"); + goto err_free_bus; +-- +2.35.1 + diff --git a/queue-5.17/net-ipv6-unexport-__init-annotated-seg6_hmac_init.patch b/queue-5.17/net-ipv6-unexport-__init-annotated-seg6_hmac_init.patch new file mode 100644 index 00000000000..1e2fc58328f --- /dev/null +++ b/queue-5.17/net-ipv6-unexport-__init-annotated-seg6_hmac_init.patch @@ -0,0 +1,52 @@ +From f3fa8a2577e0a4fbff409ac9915e908e252b4533 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Jun 2022 13:53:55 +0900 +Subject: net: ipv6: unexport __init-annotated seg6_hmac_init() + +From: Masahiro Yamada + +[ Upstream commit 5801f064e35181c71857a80ff18af4dbec3c5f5c ] + +EXPORT_SYMBOL and __init is a bad combination because the .init.text +section is freed up after the initialization. Hence, modules cannot +use symbols annotated __init. The access to a freed symbol may end up +with kernel panic. + +modpost used to detect it, but it has been broken for a decade. + +Recently, I fixed modpost so it started to warn it again, then this +showed up in linux-next builds. + +There are two ways to fix it: + + - Remove __init + - Remove EXPORT_SYMBOL + +I chose the latter for this case because the caller (net/ipv6/seg6.c) +and the callee (net/ipv6/seg6_hmac.c) belong to the same module. +It seems an internal function call in ipv6.ko. + +Fixes: bf355b8d2c30 ("ipv6: sr: add core files for SR HMAC support") +Reported-by: Stephen Rothwell +Signed-off-by: Masahiro Yamada +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/seg6_hmac.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/net/ipv6/seg6_hmac.c b/net/ipv6/seg6_hmac.c +index 29bc4e7c3046..6de01185cc68 100644 +--- a/net/ipv6/seg6_hmac.c ++++ b/net/ipv6/seg6_hmac.c +@@ -399,7 +399,6 @@ int __init seg6_hmac_init(void) + { + return seg6_hmac_init_algo(); + } +-EXPORT_SYMBOL(seg6_hmac_init); + + int __net_init seg6_hmac_net_init(struct net *net) + { +-- +2.35.1 + diff --git a/queue-5.17/net-mdio-unexport-__init-annotated-mdio_bus_init.patch b/queue-5.17/net-mdio-unexport-__init-annotated-mdio_bus_init.patch new file mode 100644 index 00000000000..094a67444b7 --- /dev/null +++ b/queue-5.17/net-mdio-unexport-__init-annotated-mdio_bus_init.patch @@ -0,0 +1,54 @@ +From 04792734540b0887692b4a37ba59314b65b7899e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Jun 2022 13:53:53 +0900 +Subject: net: mdio: unexport __init-annotated mdio_bus_init() + +From: Masahiro Yamada + +[ Upstream commit 35b42dce619701f1300fb8498dae82c9bb1f0263 ] + +EXPORT_SYMBOL and __init is a bad combination because the .init.text +section is freed up after the initialization. Hence, modules cannot +use symbols annotated __init. The access to a freed symbol may end up +with kernel panic. + +modpost used to detect it, but it has been broken for a decade. + +Recently, I fixed modpost so it started to warn it again, then this +showed up in linux-next builds. + +There are two ways to fix it: + + - Remove __init + - Remove EXPORT_SYMBOL + +I chose the latter for this case because the only in-tree call-site, +drivers/net/phy/phy_device.c is never compiled as modular. +(CONFIG_PHYLIB is boolean) + +Fixes: 90eff9096c01 ("net: phy: Allow splitting MDIO bus/device support from PHYs") +Reported-by: Stephen Rothwell +Signed-off-by: Masahiro Yamada +Reviewed-by: Florian Fainelli +Reviewed-by: Russell King (Oracle) +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/mdio_bus.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/net/phy/mdio_bus.c b/drivers/net/phy/mdio_bus.c +index 58d602985877..8a2dbe849866 100644 +--- a/drivers/net/phy/mdio_bus.c ++++ b/drivers/net/phy/mdio_bus.c +@@ -1046,7 +1046,6 @@ int __init mdio_bus_init(void) + + return ret; + } +-EXPORT_SYMBOL_GPL(mdio_bus_init); + + #if IS_ENABLED(CONFIG_PHYLIB) + void mdio_bus_exit(void) +-- +2.35.1 + diff --git a/queue-5.17/net-mlx4_en-fix-wrong-return-value-on-ioctl-eeprom-q.patch b/queue-5.17/net-mlx4_en-fix-wrong-return-value-on-ioctl-eeprom-q.patch new file mode 100644 index 00000000000..922c2a7c118 --- /dev/null +++ b/queue-5.17/net-mlx4_en-fix-wrong-return-value-on-ioctl-eeprom-q.patch @@ -0,0 +1,38 @@ +From a6e44509fe7b41474e2b1f6eb2fc8639568344bc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Jun 2022 14:57:18 +0300 +Subject: net/mlx4_en: Fix wrong return value on ioctl EEPROM query failure + +From: Gal Pressman + +[ Upstream commit f5826c8c9d57210a17031af5527056eefdc2b7eb ] + +The ioctl EEPROM query wrongly returns success on read failures, fix +that by returning the appropriate error code. + +Fixes: 7202da8b7f71 ("ethtool, net/mlx4_en: Cable info, get_module_info/eeprom ethtool support") +Signed-off-by: Gal Pressman +Signed-off-by: Tariq Toukan +Link: https://lore.kernel.org/r/20220606115718.14233-1-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx4/en_ethtool.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c b/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c +index ed5038d98ef6..6400a827173c 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c ++++ b/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c +@@ -2110,7 +2110,7 @@ static int mlx4_en_get_module_eeprom(struct net_device *dev, + en_err(priv, + "mlx4_get_module_info i(%d) offset(%d) bytes_to_read(%d) - FAILED (0x%x)\n", + i, offset, ee->len - i, ret); +- return 0; ++ return ret; + } + + i += ret; +-- +2.35.1 + diff --git a/queue-5.17/net-mlx5-fix-mlx5_get_next_dev-peer-device-matching.patch b/queue-5.17/net-mlx5-fix-mlx5_get_next_dev-peer-device-matching.patch new file mode 100644 index 00000000000..577b39e292d --- /dev/null +++ b/queue-5.17/net-mlx5-fix-mlx5_get_next_dev-peer-device-matching.patch @@ -0,0 +1,122 @@ +From 1c7f34db72f2cd466abed7a0c78da32464e0f056 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Feb 2021 23:10:47 -0800 +Subject: net/mlx5: Fix mlx5_get_next_dev() peer device matching + +From: Saeed Mahameed + +[ Upstream commit 1c5de097bea31760c3f0467ac0c84ba0dc3525d5 ] + +In some use-cases, mlx5 instances will need to search for their peer +device (the other port on the same HCA). For that, mlx5 device matching +mechanism relied on auxiliary_find_device() to search, and used a bad matching +callback function. + +This approach has two issues: + +1) next_phys_dev() the matching function, assumed all devices are + of the type mlx5_adev (mlx5 auxiliary device) which is wrong and + could lead to crashes, this worked for a while, since only lately + other drivers started registering auxiliary devices. + +2) using the auxiliary class bus (auxiliary_find_device) to search for + mlx5_core_dev devices, who are actually PCIe device instances, is wrong. + This works since mlx5_core always has at least one mlx5_adev instance + hanging around in the aux bus. + +As suggested by others we can fix 1. by comparing device names prefixes +if they have the string "mlx5_core" in them, which is not a best practice ! +but even with that fixed, still 2. needs fixing, we are trying to +match pcie device peers so we should look in the right bus (pci bus), +hence this fix. + +The fix: +1) search the pci bus for mlx5 peer devices, instead of the aux bus +2) to validated devices are the same type "mlx5_core_dev" compare if + they have the same driver, which is bulletproof. + + This wouldn't have worked with the aux bus since the various mlx5 aux + device types don't share the same driver, even if they share the same device + wrapper struct (mlx5_adev) "which helped to find the parent device" + +Fixes: a925b5e309c9 ("net/mlx5: Register mlx5 devices to auxiliary virtual bus") +Reported-by: Alexander Lobakin +Reported-by: Maher Sanalla +Signed-off-by: Saeed Mahameed +Reviewed-by: Leon Romanovsky +Reviewed-by: Mark Bloch +Reviewed-by: Maher Sanalla +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/dev.c | 34 +++++++++++++------ + 1 file changed, 23 insertions(+), 11 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/dev.c b/drivers/net/ethernet/mellanox/mlx5/core/dev.c +index 3e750b827a19..c5d7bf662784 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/dev.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/dev.c +@@ -571,18 +571,32 @@ static int _next_phys_dev(struct mlx5_core_dev *mdev, + return 1; + } + ++static void *pci_get_other_drvdata(struct device *this, struct device *other) ++{ ++ if (this->driver != other->driver) ++ return NULL; ++ ++ return pci_get_drvdata(to_pci_dev(other)); ++} ++ + static int next_phys_dev(struct device *dev, const void *data) + { +- struct mlx5_adev *madev = container_of(dev, struct mlx5_adev, adev.dev); +- struct mlx5_core_dev *mdev = madev->mdev; ++ struct mlx5_core_dev *mdev, *this = (struct mlx5_core_dev *)data; ++ ++ mdev = pci_get_other_drvdata(this->device, dev); ++ if (!mdev) ++ return 0; + + return _next_phys_dev(mdev, data); + } + + static int next_phys_dev_lag(struct device *dev, const void *data) + { +- struct mlx5_adev *madev = container_of(dev, struct mlx5_adev, adev.dev); +- struct mlx5_core_dev *mdev = madev->mdev; ++ struct mlx5_core_dev *mdev, *this = (struct mlx5_core_dev *)data; ++ ++ mdev = pci_get_other_drvdata(this->device, dev); ++ if (!mdev) ++ return 0; + + if (!MLX5_CAP_GEN(mdev, vport_group_manager) || + !MLX5_CAP_GEN(mdev, lag_master) || +@@ -595,19 +609,17 @@ static int next_phys_dev_lag(struct device *dev, const void *data) + static struct mlx5_core_dev *mlx5_get_next_dev(struct mlx5_core_dev *dev, + int (*match)(struct device *dev, const void *data)) + { +- struct auxiliary_device *adev; +- struct mlx5_adev *madev; ++ struct device *next; + + if (!mlx5_core_is_pf(dev)) + return NULL; + +- adev = auxiliary_find_device(NULL, dev, match); +- if (!adev) ++ next = bus_find_device(&pci_bus_type, NULL, dev, match); ++ if (!next) + return NULL; + +- madev = container_of(adev, struct mlx5_adev, adev); +- put_device(&adev->dev); +- return madev->mdev; ++ put_device(next); ++ return pci_get_drvdata(to_pci_dev(next)); + } + + /* Must be called with intf_mutex held */ +-- +2.35.1 + diff --git a/queue-5.17/net-mlx5-fs-fail-conflicting-actions.patch b/queue-5.17/net-mlx5-fs-fail-conflicting-actions.patch new file mode 100644 index 00000000000..d90919afdd8 --- /dev/null +++ b/queue-5.17/net-mlx5-fs-fail-conflicting-actions.patch @@ -0,0 +1,91 @@ +From 703963ad8e8d06e4bb0daf380119c47d70933f12 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 May 2022 10:46:59 +0300 +Subject: net/mlx5: fs, fail conflicting actions + +From: Mark Bloch + +[ Upstream commit 8fa5e7b20e01042b14f8cd684d2da9b638460c74 ] + +When combining two steering rules into one check +not only do they share the same actions but those +actions are also the same. This resolves an issue where +when creating two different rules with the same match +the actions are overwritten and one of the rules is deleted +a FW syndrome can be seen in dmesg. + +mlx5_core 0000:03:00.0: mlx5_cmd_check:819:(pid 2105): DEALLOC_MODIFY_HEADER_CONTEXT(0x941) op_mod(0x0) failed, status bad resource state(0x9), syndrome (0x1ab444) + +Fixes: 0d235c3fabb7 ("net/mlx5: Add hash table to search FTEs in a flow-group") +Signed-off-by: Mark Bloch +Reviewed-by: Maor Gottlieb +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + .../net/ethernet/mellanox/mlx5/core/fs_core.c | 35 +++++++++++++++++-- + 1 file changed, 32 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c +index bd52b0b4eefa..add55195335c 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c +@@ -1560,9 +1560,22 @@ static struct mlx5_flow_rule *find_flow_rule(struct fs_fte *fte, + return NULL; + } + +-static bool check_conflicting_actions(u32 action1, u32 action2) ++static bool check_conflicting_actions_vlan(const struct mlx5_fs_vlan *vlan0, ++ const struct mlx5_fs_vlan *vlan1) + { +- u32 xored_actions = action1 ^ action2; ++ return vlan0->ethtype != vlan1->ethtype || ++ vlan0->vid != vlan1->vid || ++ vlan0->prio != vlan1->prio; ++} ++ ++static bool check_conflicting_actions(const struct mlx5_flow_act *act1, ++ const struct mlx5_flow_act *act2) ++{ ++ u32 action1 = act1->action; ++ u32 action2 = act2->action; ++ u32 xored_actions; ++ ++ xored_actions = action1 ^ action2; + + /* if one rule only wants to count, it's ok */ + if (action1 == MLX5_FLOW_CONTEXT_ACTION_COUNT || +@@ -1579,6 +1592,22 @@ static bool check_conflicting_actions(u32 action1, u32 action2) + MLX5_FLOW_CONTEXT_ACTION_VLAN_PUSH_2)) + return true; + ++ if (action1 & MLX5_FLOW_CONTEXT_ACTION_PACKET_REFORMAT && ++ act1->pkt_reformat != act2->pkt_reformat) ++ return true; ++ ++ if (action1 & MLX5_FLOW_CONTEXT_ACTION_MOD_HDR && ++ act1->modify_hdr != act2->modify_hdr) ++ return true; ++ ++ if (action1 & MLX5_FLOW_CONTEXT_ACTION_VLAN_PUSH && ++ check_conflicting_actions_vlan(&act1->vlan[0], &act2->vlan[0])) ++ return true; ++ ++ if (action1 & MLX5_FLOW_CONTEXT_ACTION_VLAN_PUSH_2 && ++ check_conflicting_actions_vlan(&act1->vlan[1], &act2->vlan[1])) ++ return true; ++ + return false; + } + +@@ -1586,7 +1615,7 @@ static int check_conflicting_ftes(struct fs_fte *fte, + const struct mlx5_flow_context *flow_context, + const struct mlx5_flow_act *flow_act) + { +- if (check_conflicting_actions(flow_act->action, fte->action.action)) { ++ if (check_conflicting_actions(flow_act, &fte->action)) { + mlx5_core_warn(get_dev(&fte->node), + "Found two FTEs with conflicting actions\n"); + return -EEXIST; +-- +2.35.1 + diff --git a/queue-5.17/net-mlx5-lag-filter-non-compatible-devices.patch b/queue-5.17/net-mlx5-lag-filter-non-compatible-devices.patch new file mode 100644 index 00000000000..f1c218e7ec3 --- /dev/null +++ b/queue-5.17/net-mlx5-lag-filter-non-compatible-devices.patch @@ -0,0 +1,152 @@ +From 669f8b4963b878107735cd1b657db81f2dcd0e48 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 27 Feb 2022 12:40:39 +0000 +Subject: net/mlx5: Lag, filter non compatible devices + +From: Mark Bloch + +[ Upstream commit bc4c2f2e017949646b43fdcad005a03462d437c6 ] + +When search for a peer lag device we can filter based on that +device's capabilities. + +Downstream patch will be less strict when filtering compatible devices +and remove the limitation where we require exact MLX5_MAX_PORTS and +change it to a range. + +Signed-off-by: Mark Bloch +Reviewed-by: Maor Gottlieb +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/dev.c | 48 +++++++++++++++---- + .../net/ethernet/mellanox/mlx5/core/lag/lag.c | 12 ++--- + .../ethernet/mellanox/mlx5/core/mlx5_core.h | 1 + + 3 files changed, 47 insertions(+), 14 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/dev.c b/drivers/net/ethernet/mellanox/mlx5/core/dev.c +index ba6dad97e308..3e750b827a19 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/dev.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/dev.c +@@ -555,12 +555,9 @@ static u32 mlx5_gen_pci_id(const struct mlx5_core_dev *dev) + PCI_SLOT(dev->pdev->devfn)); + } + +-static int next_phys_dev(struct device *dev, const void *data) ++static int _next_phys_dev(struct mlx5_core_dev *mdev, ++ const struct mlx5_core_dev *curr) + { +- struct mlx5_adev *madev = container_of(dev, struct mlx5_adev, adev.dev); +- struct mlx5_core_dev *mdev = madev->mdev; +- const struct mlx5_core_dev *curr = data; +- + if (!mlx5_core_is_pf(mdev)) + return 0; + +@@ -574,8 +571,29 @@ static int next_phys_dev(struct device *dev, const void *data) + return 1; + } + +-/* Must be called with intf_mutex held */ +-struct mlx5_core_dev *mlx5_get_next_phys_dev(struct mlx5_core_dev *dev) ++static int next_phys_dev(struct device *dev, const void *data) ++{ ++ struct mlx5_adev *madev = container_of(dev, struct mlx5_adev, adev.dev); ++ struct mlx5_core_dev *mdev = madev->mdev; ++ ++ return _next_phys_dev(mdev, data); ++} ++ ++static int next_phys_dev_lag(struct device *dev, const void *data) ++{ ++ struct mlx5_adev *madev = container_of(dev, struct mlx5_adev, adev.dev); ++ struct mlx5_core_dev *mdev = madev->mdev; ++ ++ if (!MLX5_CAP_GEN(mdev, vport_group_manager) || ++ !MLX5_CAP_GEN(mdev, lag_master) || ++ MLX5_CAP_GEN(mdev, num_lag_ports) != MLX5_MAX_PORTS) ++ return 0; ++ ++ return _next_phys_dev(mdev, data); ++} ++ ++static struct mlx5_core_dev *mlx5_get_next_dev(struct mlx5_core_dev *dev, ++ int (*match)(struct device *dev, const void *data)) + { + struct auxiliary_device *adev; + struct mlx5_adev *madev; +@@ -583,7 +601,7 @@ struct mlx5_core_dev *mlx5_get_next_phys_dev(struct mlx5_core_dev *dev) + if (!mlx5_core_is_pf(dev)) + return NULL; + +- adev = auxiliary_find_device(NULL, dev, &next_phys_dev); ++ adev = auxiliary_find_device(NULL, dev, match); + if (!adev) + return NULL; + +@@ -592,6 +610,20 @@ struct mlx5_core_dev *mlx5_get_next_phys_dev(struct mlx5_core_dev *dev) + return madev->mdev; + } + ++/* Must be called with intf_mutex held */ ++struct mlx5_core_dev *mlx5_get_next_phys_dev(struct mlx5_core_dev *dev) ++{ ++ lockdep_assert_held(&mlx5_intf_mutex); ++ return mlx5_get_next_dev(dev, &next_phys_dev); ++} ++ ++/* Must be called with intf_mutex held */ ++struct mlx5_core_dev *mlx5_get_next_phys_dev_lag(struct mlx5_core_dev *dev) ++{ ++ lockdep_assert_held(&mlx5_intf_mutex); ++ return mlx5_get_next_dev(dev, &next_phys_dev_lag); ++} ++ + void mlx5_dev_list_lock(void) + { + mutex_lock(&mlx5_intf_mutex); +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c b/drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c +index 4ddf6b330a44..d4629f9bdab1 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c +@@ -804,12 +804,7 @@ static int __mlx5_lag_dev_add_mdev(struct mlx5_core_dev *dev) + struct mlx5_lag *ldev = NULL; + struct mlx5_core_dev *tmp_dev; + +- if (!MLX5_CAP_GEN(dev, vport_group_manager) || +- !MLX5_CAP_GEN(dev, lag_master) || +- MLX5_CAP_GEN(dev, num_lag_ports) != MLX5_MAX_PORTS) +- return 0; +- +- tmp_dev = mlx5_get_next_phys_dev(dev); ++ tmp_dev = mlx5_get_next_phys_dev_lag(dev); + if (tmp_dev) + ldev = tmp_dev->priv.lag; + +@@ -854,6 +849,11 @@ void mlx5_lag_add_mdev(struct mlx5_core_dev *dev) + { + int err; + ++ if (!MLX5_CAP_GEN(dev, vport_group_manager) || ++ !MLX5_CAP_GEN(dev, lag_master) || ++ MLX5_CAP_GEN(dev, num_lag_ports) != MLX5_MAX_PORTS) ++ return; ++ + recheck: + mlx5_dev_list_lock(); + err = __mlx5_lag_dev_add_mdev(dev); +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/mlx5_core.h b/drivers/net/ethernet/mellanox/mlx5/core/mlx5_core.h +index 2d2150fc7a0f..49c94acd75de 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/mlx5_core.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/mlx5_core.h +@@ -210,6 +210,7 @@ void mlx5_detach_device(struct mlx5_core_dev *dev); + int mlx5_register_device(struct mlx5_core_dev *dev); + void mlx5_unregister_device(struct mlx5_core_dev *dev); + struct mlx5_core_dev *mlx5_get_next_phys_dev(struct mlx5_core_dev *dev); ++struct mlx5_core_dev *mlx5_get_next_phys_dev_lag(struct mlx5_core_dev *dev); + void mlx5_dev_list_lock(void); + void mlx5_dev_list_unlock(void); + int mlx5_dev_list_trylock(void); +-- +2.35.1 + diff --git a/queue-5.17/net-mlx5-rearm-the-fw-tracer-after-each-tracer-event.patch b/queue-5.17/net-mlx5-rearm-the-fw-tracer-after-each-tracer-event.patch new file mode 100644 index 00000000000..c653d3149e0 --- /dev/null +++ b/queue-5.17/net-mlx5-rearm-the-fw-tracer-after-each-tracer-event.patch @@ -0,0 +1,59 @@ +From a5a1af540dc6115449b6baa7ba74635f693ecd9d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Mar 2022 21:47:48 +0200 +Subject: net/mlx5: Rearm the FW tracer after each tracer event + +From: Feras Daoud + +[ Upstream commit 8bf94e6414c9481bfa28269022688ab445d0081d ] + +The current design does not arm the tracer if traces are available before +the tracer string database is fully loaded, leading to an unfunctional tracer. +This fix will rearm the tracer every time the FW triggers tracer event +regardless of the tracer strings database status. + +Fixes: c71ad41ccb0c ("net/mlx5: FW tracer, events handling") +Signed-off-by: Feras Daoud +Signed-off-by: Roy Novich +Reviewed-by: Moshe Shemesh +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c +index eae9aa9c0811..978a2bb8e122 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c +@@ -675,6 +675,9 @@ static void mlx5_fw_tracer_handle_traces(struct work_struct *work) + if (!tracer->owner) + return; + ++ if (unlikely(!tracer->str_db.loaded)) ++ goto arm; ++ + block_count = tracer->buff.size / TRACER_BLOCK_SIZE_BYTE; + start_offset = tracer->buff.consumer_index * TRACER_BLOCK_SIZE_BYTE; + +@@ -732,6 +735,7 @@ static void mlx5_fw_tracer_handle_traces(struct work_struct *work) + &tmp_trace_block[TRACES_PER_BLOCK - 1]); + } + ++arm: + mlx5_fw_tracer_arm(dev); + } + +@@ -1136,8 +1140,7 @@ static int fw_tracer_event(struct notifier_block *nb, unsigned long action, void + queue_work(tracer->work_queue, &tracer->ownership_change_work); + break; + case MLX5_TRACER_SUBTYPE_TRACES_AVAILABLE: +- if (likely(tracer->str_db.loaded)) +- queue_work(tracer->work_queue, &tracer->handle_traces_work); ++ queue_work(tracer->work_queue, &tracer->handle_traces_work); + break; + default: + mlx5_core_dbg(dev, "FWTracer: Event with unrecognized subtype: sub_type %d\n", +-- +2.35.1 + diff --git a/queue-5.17/net-xfrm-unexport-__init-annotated-xfrm4_protocol_in.patch b/queue-5.17/net-xfrm-unexport-__init-annotated-xfrm4_protocol_in.patch new file mode 100644 index 00000000000..abe74b593ed --- /dev/null +++ b/queue-5.17/net-xfrm-unexport-__init-annotated-xfrm4_protocol_in.patch @@ -0,0 +1,50 @@ +From b954dbbf322f5e730e5f371851050138491e684c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Jun 2022 13:53:54 +0900 +Subject: net: xfrm: unexport __init-annotated xfrm4_protocol_init() + +From: Masahiro Yamada + +[ Upstream commit 4a388f08d8784af48f352193d2b72aaf167a57a1 ] + +EXPORT_SYMBOL and __init is a bad combination because the .init.text +section is freed up after the initialization. Hence, modules cannot +use symbols annotated __init. The access to a freed symbol may end up +with kernel panic. + +modpost used to detect it, but it has been broken for a decade. + +Recently, I fixed modpost so it started to warn it again, then this +showed up in linux-next builds. + +There are two ways to fix it: + + - Remove __init + - Remove EXPORT_SYMBOL + +I chose the latter for this case because the only in-tree call-site, +net/ipv4/xfrm4_policy.c is never compiled as modular. +(CONFIG_XFRM is boolean) + +Fixes: 2f32b51b609f ("xfrm: Introduce xfrm_input_afinfo to access the the callbacks properly") +Reported-by: Stephen Rothwell +Signed-off-by: Masahiro Yamada +Acked-by: Steffen Klassert +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/xfrm4_protocol.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/net/ipv4/xfrm4_protocol.c b/net/ipv4/xfrm4_protocol.c +index 2fe5860c21d6..b146ce88c5d0 100644 +--- a/net/ipv4/xfrm4_protocol.c ++++ b/net/ipv4/xfrm4_protocol.c +@@ -304,4 +304,3 @@ void __init xfrm4_protocol_init(void) + { + xfrm_input_register_afinfo(&xfrm4_input_afinfo); + } +-EXPORT_SYMBOL(xfrm4_protocol_init); +-- +2.35.1 + diff --git a/queue-5.17/netfilter-nat-really-support-inet-nat-without-l3-add.patch b/queue-5.17/netfilter-nat-really-support-inet-nat-without-l3-add.patch new file mode 100644 index 00000000000..b3c70dca605 --- /dev/null +++ b/queue-5.17/netfilter-nat-really-support-inet-nat-without-l3-add.patch @@ -0,0 +1,103 @@ +From a2875cdc83a310fd64448b6e02a4d05162ca033e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Jun 2022 10:47:35 +0200 +Subject: netfilter: nat: really support inet nat without l3 address + +From: Florian Westphal + +[ Upstream commit 282e5f8fe907dc3f2fbf9f2103b0e62ffc3a68a5 ] + +When no l3 address is given, priv->family is set to NFPROTO_INET and +the evaluation function isn't called. + +Call it too so l4-only rewrite can work. +Also add a test case for this. + +Fixes: a33f387ecd5aa ("netfilter: nft_nat: allow to specify layer 4 protocol NAT only") +Reported-by: Yi Chen +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_nat.c | 3 +- + tools/testing/selftests/netfilter/nft_nat.sh | 43 ++++++++++++++++++++ + 2 files changed, 45 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nft_nat.c b/net/netfilter/nft_nat.c +index be1595d6979d..db8f9116eeb4 100644 +--- a/net/netfilter/nft_nat.c ++++ b/net/netfilter/nft_nat.c +@@ -334,7 +334,8 @@ static void nft_nat_inet_eval(const struct nft_expr *expr, + { + const struct nft_nat *priv = nft_expr_priv(expr); + +- if (priv->family == nft_pf(pkt)) ++ if (priv->family == nft_pf(pkt) || ++ priv->family == NFPROTO_INET) + nft_nat_eval(expr, regs, pkt); + } + +diff --git a/tools/testing/selftests/netfilter/nft_nat.sh b/tools/testing/selftests/netfilter/nft_nat.sh +index eb8543b9a5c4..924ecb3f1f73 100755 +--- a/tools/testing/selftests/netfilter/nft_nat.sh ++++ b/tools/testing/selftests/netfilter/nft_nat.sh +@@ -374,6 +374,45 @@ EOF + return $lret + } + ++test_local_dnat_portonly() ++{ ++ local family=$1 ++ local daddr=$2 ++ local lret=0 ++ local sr_s ++ local sr_r ++ ++ip netns exec "$ns0" nft -f /dev/stdin < +Date: Wed, 1 Jun 2022 17:49:36 +0200 +Subject: netfilter: nf_tables: always initialize flowtable hook list in + transaction + +From: Pablo Neira Ayuso + +[ Upstream commit 2c9e4559773c261900c674a86b8e455911675d71 ] + +The hook list is used if nft_trans_flowtable_update(trans) == true. However, +initialize this list for other cases for safety reasons. + +Fixes: 78d9f48f7f44 ("netfilter: nf_tables: add devices to existing flowtable") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index a7ed8fe46af1..ee7adb42a97d 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -544,6 +544,7 @@ static int nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type, + if (msg_type == NFT_MSG_NEWFLOWTABLE) + nft_activate_next(ctx->net, flowtable); + ++ INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans)); + nft_trans_flowtable(trans) = flowtable; + nft_trans_commit_list_add_tail(ctx->net, trans); + +-- +2.35.1 + diff --git a/queue-5.17/netfilter-nf_tables-bail-out-early-if-hardware-offlo.patch b/queue-5.17/netfilter-nf_tables-bail-out-early-if-hardware-offlo.patch new file mode 100644 index 00000000000..86128bb9544 --- /dev/null +++ b/queue-5.17/netfilter-nf_tables-bail-out-early-if-hardware-offlo.patch @@ -0,0 +1,122 @@ +From 027eec7d8dce54a288ab61877d3fdda3c204d82b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Jun 2022 17:31:29 +0200 +Subject: netfilter: nf_tables: bail out early if hardware offload is not + supported + +From: Pablo Neira Ayuso + +[ Upstream commit 3a41c64d9c1185a2f3a184015e2a9b78bfc99c71 ] + +If user requests for NFT_CHAIN_HW_OFFLOAD, then check if either device +provides the .ndo_setup_tc interface or there is an indirect flow block +that has been registered. Otherwise, bail out early from the preparation +phase. Moreover, validate that family == NFPROTO_NETDEV and hook is +NF_NETDEV_INGRESS. + +Fixes: c9626a2cbdb2 ("netfilter: nf_tables: add hardware offload support") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/net/flow_offload.h | 1 + + include/net/netfilter/nf_tables_offload.h | 2 +- + net/core/flow_offload.c | 6 ++++++ + net/netfilter/nf_tables_api.c | 2 +- + net/netfilter/nf_tables_offload.c | 23 ++++++++++++++++++++++- + 5 files changed, 31 insertions(+), 3 deletions(-) + +diff --git a/include/net/flow_offload.h b/include/net/flow_offload.h +index 5b8c54eb7a6b..7a10e4ed5540 100644 +--- a/include/net/flow_offload.h ++++ b/include/net/flow_offload.h +@@ -591,5 +591,6 @@ int flow_indr_dev_setup_offload(struct net_device *dev, struct Qdisc *sch, + enum tc_setup_type type, void *data, + struct flow_block_offload *bo, + void (*cleanup)(struct flow_block_cb *block_cb)); ++bool flow_indr_dev_exists(void); + + #endif /* _NET_FLOW_OFFLOAD_H */ +diff --git a/include/net/netfilter/nf_tables_offload.h b/include/net/netfilter/nf_tables_offload.h +index 797147843958..3568b6a2f5f0 100644 +--- a/include/net/netfilter/nf_tables_offload.h ++++ b/include/net/netfilter/nf_tables_offload.h +@@ -92,7 +92,7 @@ int nft_flow_rule_offload_commit(struct net *net); + NFT_OFFLOAD_MATCH(__key, __base, __field, __len, __reg) \ + memset(&(__reg)->mask, 0xff, (__reg)->len); + +-int nft_chain_offload_priority(struct nft_base_chain *basechain); ++bool nft_chain_offload_support(const struct nft_base_chain *basechain); + + int nft_offload_init(void); + void nft_offload_exit(void); +diff --git a/net/core/flow_offload.c b/net/core/flow_offload.c +index 73f68d4625f3..929f6379a279 100644 +--- a/net/core/flow_offload.c ++++ b/net/core/flow_offload.c +@@ -595,3 +595,9 @@ int flow_indr_dev_setup_offload(struct net_device *dev, struct Qdisc *sch, + return (bo && list_empty(&bo->cb_list)) ? -EOPNOTSUPP : count; + } + EXPORT_SYMBOL(flow_indr_dev_setup_offload); ++ ++bool flow_indr_dev_exists(void) ++{ ++ return !list_empty(&flow_block_indr_dev_list); ++} ++EXPORT_SYMBOL(flow_indr_dev_exists); +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 5a2d585e180c..8eac1915ec73 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -2087,7 +2087,7 @@ static int nft_basechain_init(struct nft_base_chain *basechain, u8 family, + chain->flags |= NFT_CHAIN_BASE | flags; + basechain->policy = NF_ACCEPT; + if (chain->flags & NFT_CHAIN_HW_OFFLOAD && +- nft_chain_offload_priority(basechain) < 0) ++ !nft_chain_offload_support(basechain)) + return -EOPNOTSUPP; + + flow_block_init(&basechain->flow_block); +diff --git a/net/netfilter/nf_tables_offload.c b/net/netfilter/nf_tables_offload.c +index 2d36952b1392..910ef881c3b8 100644 +--- a/net/netfilter/nf_tables_offload.c ++++ b/net/netfilter/nf_tables_offload.c +@@ -208,7 +208,7 @@ static int nft_setup_cb_call(enum tc_setup_type type, void *type_data, + return 0; + } + +-int nft_chain_offload_priority(struct nft_base_chain *basechain) ++static int nft_chain_offload_priority(const struct nft_base_chain *basechain) + { + if (basechain->ops.priority <= 0 || + basechain->ops.priority > USHRT_MAX) +@@ -217,6 +217,27 @@ int nft_chain_offload_priority(struct nft_base_chain *basechain) + return 0; + } + ++bool nft_chain_offload_support(const struct nft_base_chain *basechain) ++{ ++ struct net_device *dev; ++ struct nft_hook *hook; ++ ++ if (nft_chain_offload_priority(basechain) < 0) ++ return false; ++ ++ list_for_each_entry(hook, &basechain->hook_list, list) { ++ if (hook->ops.pf != NFPROTO_NETDEV || ++ hook->ops.hooknum != NF_NETDEV_INGRESS) ++ return false; ++ ++ dev = hook->ops.dev; ++ if (!dev->netdev_ops->ndo_setup_tc && !flow_indr_dev_exists()) ++ return false; ++ } ++ ++ return true; ++} ++ + static void nft_flow_cls_offload_setup(struct flow_cls_offload *cls_flow, + const struct nft_base_chain *basechain, + const struct nft_rule *rule, +-- +2.35.1 + diff --git a/queue-5.17/netfilter-nf_tables-delete-flowtable-hooks-via-trans.patch b/queue-5.17/netfilter-nf_tables-delete-flowtable-hooks-via-trans.patch new file mode 100644 index 00000000000..cd18b7edc97 --- /dev/null +++ b/queue-5.17/netfilter-nf_tables-delete-flowtable-hooks-via-trans.patch @@ -0,0 +1,136 @@ +From 4feeab10bbea50ae467b7168621a931f0fd63b31 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 May 2022 18:40:06 +0200 +Subject: netfilter: nf_tables: delete flowtable hooks via transaction list + +From: Pablo Neira Ayuso + +[ Upstream commit b6d9014a3335194590abdd2a2471ef5147a67645 ] + +Remove inactive bool field in nft_hook object that was introduced in +abadb2f865d7 ("netfilter: nf_tables: delete devices from flowtable"). +Move stale flowtable hooks to transaction list instead. + +Deleting twice the same device does not result in ENOENT. + +Fixes: abadb2f865d7 ("netfilter: nf_tables: delete devices from flowtable") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/net/netfilter/nf_tables.h | 1 - + net/netfilter/nf_tables_api.c | 31 ++++++------------------------- + 2 files changed, 6 insertions(+), 26 deletions(-) + +diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h +index c4c0861deac1..c3fdd9f71c05 100644 +--- a/include/net/netfilter/nf_tables.h ++++ b/include/net/netfilter/nf_tables.h +@@ -1089,7 +1089,6 @@ struct nft_stats { + + struct nft_hook { + struct list_head list; +- bool inactive; + struct nf_hook_ops ops; + struct rcu_head rcu; + }; +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 07c842b65f6d..a7ed8fe46af1 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -1835,7 +1835,6 @@ static struct nft_hook *nft_netdev_hook_alloc(struct net *net, + goto err_hook_dev; + } + hook->ops.dev = dev; +- hook->inactive = false; + + return hook; + +@@ -7533,6 +7532,7 @@ static int nft_delflowtable_hook(struct nft_ctx *ctx, + { + const struct nlattr * const *nla = ctx->nla; + struct nft_flowtable_hook flowtable_hook; ++ LIST_HEAD(flowtable_del_list); + struct nft_hook *this, *hook; + struct nft_trans *trans; + int err; +@@ -7548,7 +7548,7 @@ static int nft_delflowtable_hook(struct nft_ctx *ctx, + err = -ENOENT; + goto err_flowtable_del_hook; + } +- hook->inactive = true; ++ list_move(&hook->list, &flowtable_del_list); + } + + trans = nft_trans_alloc(ctx, NFT_MSG_DELFLOWTABLE, +@@ -7561,6 +7561,7 @@ static int nft_delflowtable_hook(struct nft_ctx *ctx, + nft_trans_flowtable(trans) = flowtable; + nft_trans_flowtable_update(trans) = true; + INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans)); ++ list_splice(&flowtable_del_list, &nft_trans_flowtable_hooks(trans)); + nft_flowtable_hook_release(&flowtable_hook); + + nft_trans_commit_list_add_tail(ctx->net, trans); +@@ -7568,13 +7569,7 @@ static int nft_delflowtable_hook(struct nft_ctx *ctx, + return 0; + + err_flowtable_del_hook: +- list_for_each_entry(this, &flowtable_hook.list, list) { +- hook = nft_hook_list_find(&flowtable->hook_list, this); +- if (!hook) +- break; +- +- hook->inactive = false; +- } ++ list_splice(&flowtable_del_list, &flowtable->hook_list); + nft_flowtable_hook_release(&flowtable_hook); + + return err; +@@ -8480,17 +8475,6 @@ void nft_chain_del(struct nft_chain *chain) + list_del_rcu(&chain->list); + } + +-static void nft_flowtable_hooks_del(struct nft_flowtable *flowtable, +- struct list_head *hook_list) +-{ +- struct nft_hook *hook, *next; +- +- list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) { +- if (hook->inactive) +- list_move(&hook->list, hook_list); +- } +-} +- + static void nf_tables_module_autoload_cleanup(struct net *net) + { + struct nftables_pernet *nft_net = nft_pernet(net); +@@ -8835,8 +8819,6 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb) + break; + case NFT_MSG_DELFLOWTABLE: + if (nft_trans_flowtable_update(trans)) { +- nft_flowtable_hooks_del(nft_trans_flowtable(trans), +- &nft_trans_flowtable_hooks(trans)); + nf_tables_flowtable_notify(&trans->ctx, + nft_trans_flowtable(trans), + &nft_trans_flowtable_hooks(trans), +@@ -8917,7 +8899,6 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action) + struct nftables_pernet *nft_net = nft_pernet(net); + struct nft_trans *trans, *next; + struct nft_trans_elem *te; +- struct nft_hook *hook; + + if (action == NFNL_ABORT_VALIDATE && + nf_tables_validate(net) < 0) +@@ -9048,8 +9029,8 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action) + break; + case NFT_MSG_DELFLOWTABLE: + if (nft_trans_flowtable_update(trans)) { +- list_for_each_entry(hook, &nft_trans_flowtable(trans)->hook_list, list) +- hook->inactive = false; ++ list_splice(&nft_trans_flowtable_hooks(trans), ++ &nft_trans_flowtable(trans)->hook_list); + } else { + trans->ctx.table->use++; + nft_clear(trans->ctx.net, nft_trans_flowtable(trans)); +-- +2.35.1 + diff --git a/queue-5.17/netfilter-nf_tables-memleak-flow-rule-from-commit-pa.patch b/queue-5.17/netfilter-nf_tables-memleak-flow-rule-from-commit-pa.patch new file mode 100644 index 00000000000..ad589c01979 --- /dev/null +++ b/queue-5.17/netfilter-nf_tables-memleak-flow-rule-from-commit-pa.patch @@ -0,0 +1,46 @@ +From 2a8d9fc898f22fe0bc9353a26889da292274ddaf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Jun 2022 17:15:57 +0200 +Subject: netfilter: nf_tables: memleak flow rule from commit path + +From: Pablo Neira Ayuso + +[ Upstream commit 9dd732e0bdf538b1b76dc7c157e2b5e560ff30d3 ] + +Abort path release flow rule object, however, commit path does not. +Update code to destroy these objects before releasing the transaction. + +Fixes: c9626a2cbdb2 ("netfilter: nf_tables: add hardware offload support") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 2abad256f0aa..5a2d585e180c 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -8244,6 +8244,9 @@ static void nft_commit_release(struct nft_trans *trans) + nf_tables_chain_destroy(&trans->ctx); + break; + case NFT_MSG_DELRULE: ++ if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD) ++ nft_flow_rule_destroy(nft_trans_flow_rule(trans)); ++ + nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans)); + break; + case NFT_MSG_DELSET: +@@ -8734,6 +8737,9 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb) + nf_tables_rule_notify(&trans->ctx, + nft_trans_rule(trans), + NFT_MSG_NEWRULE); ++ if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD) ++ nft_flow_rule_destroy(nft_trans_flow_rule(trans)); ++ + nft_trans_destroy(trans); + break; + case NFT_MSG_DELRULE: +-- +2.35.1 + diff --git a/queue-5.17/netfilter-nf_tables-release-new-hooks-on-unsupported.patch b/queue-5.17/netfilter-nf_tables-release-new-hooks-on-unsupported.patch new file mode 100644 index 00000000000..f5192bd788c --- /dev/null +++ b/queue-5.17/netfilter-nf_tables-release-new-hooks-on-unsupported.patch @@ -0,0 +1,47 @@ +From 12dd8ec624c5515dfb8a68e45b32554f579c09da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 5 Jun 2022 13:40:06 +0200 +Subject: netfilter: nf_tables: release new hooks on unsupported flowtable + flags + +From: Pablo Neira Ayuso + +[ Upstream commit c271cc9febaaa1bcbc0842d1ee30466aa6148ea8 ] + +Release the list of new hooks that are pending to be registered in case +that unsupported flowtable flags are provided. + +Fixes: 78d9f48f7f44 ("netfilter: nf_tables: add devices to existing flowtable") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index ee7adb42a97d..2abad256f0aa 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -7348,11 +7348,15 @@ static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh, + + if (nla[NFTA_FLOWTABLE_FLAGS]) { + flags = ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS])); +- if (flags & ~NFT_FLOWTABLE_MASK) +- return -EOPNOTSUPP; ++ if (flags & ~NFT_FLOWTABLE_MASK) { ++ err = -EOPNOTSUPP; ++ goto err_flowtable_update_hook; ++ } + if ((flowtable->data.flags & NFT_FLOWTABLE_HW_OFFLOAD) ^ +- (flags & NFT_FLOWTABLE_HW_OFFLOAD)) +- return -EOPNOTSUPP; ++ (flags & NFT_FLOWTABLE_HW_OFFLOAD)) { ++ err = -EOPNOTSUPP; ++ goto err_flowtable_update_hook; ++ } + } else { + flags = flowtable->data.flags; + } +-- +2.35.1 + diff --git a/queue-5.17/netfilter-nf_tables-use-kfree_rcu-ptr-rcu-to-release.patch b/queue-5.17/netfilter-nf_tables-use-kfree_rcu-ptr-rcu-to-release.patch new file mode 100644 index 00000000000..b0ca0dd47fd --- /dev/null +++ b/queue-5.17/netfilter-nf_tables-use-kfree_rcu-ptr-rcu-to-release.patch @@ -0,0 +1,36 @@ +From 6357ee8acaf5c7b7cfddf0a4f31b65106b5d2089 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Jun 2022 16:00:00 +0200 +Subject: netfilter: nf_tables: use kfree_rcu(ptr, rcu) to release hooks in + clean_net path + +From: Pablo Neira Ayuso + +[ Upstream commit ab5e5c062f67c5ae8cd07f0632ffa62dc0e7d169 ] + +Use kfree_rcu(ptr, rcu) variant instead as described by ae089831ff28 +("netfilter: nf_tables: prefer kfree_rcu(ptr, rcu) variant"). + +Fixes: f9a43007d3f7 ("netfilter: nf_tables: double hook unregistration in netns path") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 42cc703a68e5..07c842b65f6d 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -7247,7 +7247,7 @@ static void __nft_unregister_flowtable_net_hooks(struct net *net, + nf_unregister_net_hook(net, &hook->ops); + if (release_netdev) { + list_del(&hook->list); +- kfree_rcu(hook); ++ kfree_rcu(hook, rcu); + } + } + } +-- +2.35.1 + diff --git a/queue-5.17/nfp-flower-restructure-flow-key-for-gre-vlan-combina.patch b/queue-5.17/nfp-flower-restructure-flow-key-for-gre-vlan-combina.patch new file mode 100644 index 00000000000..529416264ea --- /dev/null +++ b/queue-5.17/nfp-flower-restructure-flow-key-for-gre-vlan-combina.patch @@ -0,0 +1,129 @@ +From 6c16e65dcf0a0086d4a741c8422f16796122d6fd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Jun 2022 11:29:01 +0200 +Subject: nfp: flower: restructure flow-key for gre+vlan combination + +From: Etienne van der Linde + +[ Upstream commit a0b843340dae704e17c1ddfad0f85c583c36757f ] + +Swap around the GRE and VLAN parts in the flow-key offloaded by +the driver to fit in with other tunnel types and the firmware. +Without this change used cases with GRE+VLAN on the outer header +does not get offloaded as the flow-key mismatches what the +firmware expect. + +Fixes: 0d630f58989a ("nfp: flower: add support to offload QinQ match") +Fixes: 5a2b93041646 ("nfp: flower-ct: compile match sections of flow_payload") +Signed-off-by: Etienne van der Linde +Signed-off-by: Louis Peens +Signed-off-by: Yinjun Zhang +Signed-off-by: Simon Horman +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../ethernet/netronome/nfp/flower/conntrack.c | 32 +++++++++---------- + .../net/ethernet/netronome/nfp/flower/match.c | 16 +++++----- + 2 files changed, 24 insertions(+), 24 deletions(-) + +diff --git a/drivers/net/ethernet/netronome/nfp/flower/conntrack.c b/drivers/net/ethernet/netronome/nfp/flower/conntrack.c +index bfd7d1c35076..7e9fcc16286e 100644 +--- a/drivers/net/ethernet/netronome/nfp/flower/conntrack.c ++++ b/drivers/net/ethernet/netronome/nfp/flower/conntrack.c +@@ -442,6 +442,11 @@ nfp_fl_calc_key_layers_sz(struct nfp_fl_key_ls in_key_ls, uint16_t *map) + key_size += sizeof(struct nfp_flower_ipv6); + } + ++ if (in_key_ls.key_layer_two & NFP_FLOWER_LAYER2_QINQ) { ++ map[FLOW_PAY_QINQ] = key_size; ++ key_size += sizeof(struct nfp_flower_vlan); ++ } ++ + if (in_key_ls.key_layer_two & NFP_FLOWER_LAYER2_GRE) { + map[FLOW_PAY_GRE] = key_size; + if (in_key_ls.key_layer_two & NFP_FLOWER_LAYER2_TUN_IPV6) +@@ -450,11 +455,6 @@ nfp_fl_calc_key_layers_sz(struct nfp_fl_key_ls in_key_ls, uint16_t *map) + key_size += sizeof(struct nfp_flower_ipv4_gre_tun); + } + +- if (in_key_ls.key_layer_two & NFP_FLOWER_LAYER2_QINQ) { +- map[FLOW_PAY_QINQ] = key_size; +- key_size += sizeof(struct nfp_flower_vlan); +- } +- + if ((in_key_ls.key_layer & NFP_FLOWER_LAYER_VXLAN) || + (in_key_ls.key_layer_two & NFP_FLOWER_LAYER2_GENEVE)) { + map[FLOW_PAY_UDP_TUN] = key_size; +@@ -693,6 +693,17 @@ static int nfp_fl_ct_add_offload(struct nfp_fl_nft_tc_merge *m_entry) + } + } + ++ if (NFP_FLOWER_LAYER2_QINQ & key_layer.key_layer_two) { ++ offset = key_map[FLOW_PAY_QINQ]; ++ key = kdata + offset; ++ msk = mdata + offset; ++ for (i = 0; i < _CT_TYPE_MAX; i++) { ++ nfp_flower_compile_vlan((struct nfp_flower_vlan *)key, ++ (struct nfp_flower_vlan *)msk, ++ rules[i]); ++ } ++ } ++ + if (key_layer.key_layer_two & NFP_FLOWER_LAYER2_GRE) { + offset = key_map[FLOW_PAY_GRE]; + key = kdata + offset; +@@ -733,17 +744,6 @@ static int nfp_fl_ct_add_offload(struct nfp_fl_nft_tc_merge *m_entry) + } + } + +- if (NFP_FLOWER_LAYER2_QINQ & key_layer.key_layer_two) { +- offset = key_map[FLOW_PAY_QINQ]; +- key = kdata + offset; +- msk = mdata + offset; +- for (i = 0; i < _CT_TYPE_MAX; i++) { +- nfp_flower_compile_vlan((struct nfp_flower_vlan *)key, +- (struct nfp_flower_vlan *)msk, +- rules[i]); +- } +- } +- + if (key_layer.key_layer & NFP_FLOWER_LAYER_VXLAN || + key_layer.key_layer_two & NFP_FLOWER_LAYER2_GENEVE) { + offset = key_map[FLOW_PAY_UDP_TUN]; +diff --git a/drivers/net/ethernet/netronome/nfp/flower/match.c b/drivers/net/ethernet/netronome/nfp/flower/match.c +index 9d86eea4dc16..fb8bd2135c63 100644 +--- a/drivers/net/ethernet/netronome/nfp/flower/match.c ++++ b/drivers/net/ethernet/netronome/nfp/flower/match.c +@@ -602,6 +602,14 @@ int nfp_flower_compile_flow_match(struct nfp_app *app, + msk += sizeof(struct nfp_flower_ipv6); + } + ++ if (NFP_FLOWER_LAYER2_QINQ & key_ls->key_layer_two) { ++ nfp_flower_compile_vlan((struct nfp_flower_vlan *)ext, ++ (struct nfp_flower_vlan *)msk, ++ rule); ++ ext += sizeof(struct nfp_flower_vlan); ++ msk += sizeof(struct nfp_flower_vlan); ++ } ++ + if (key_ls->key_layer_two & NFP_FLOWER_LAYER2_GRE) { + if (key_ls->key_layer_two & NFP_FLOWER_LAYER2_TUN_IPV6) { + struct nfp_flower_ipv6_gre_tun *gre_match; +@@ -637,14 +645,6 @@ int nfp_flower_compile_flow_match(struct nfp_app *app, + } + } + +- if (NFP_FLOWER_LAYER2_QINQ & key_ls->key_layer_two) { +- nfp_flower_compile_vlan((struct nfp_flower_vlan *)ext, +- (struct nfp_flower_vlan *)msk, +- rule); +- ext += sizeof(struct nfp_flower_vlan); +- msk += sizeof(struct nfp_flower_vlan); +- } +- + if (key_ls->key_layer & NFP_FLOWER_LAYER_VXLAN || + key_ls->key_layer_two & NFP_FLOWER_LAYER2_GENEVE) { + if (key_ls->key_layer_two & NFP_FLOWER_LAYER2_TUN_IPV6) { +-- +2.35.1 + diff --git a/queue-5.17/powerpc-kasan-force-thread-size-increase-with-kasan.patch b/queue-5.17/powerpc-kasan-force-thread-size-increase-with-kasan.patch new file mode 100644 index 00000000000..e22aced0461 --- /dev/null +++ b/queue-5.17/powerpc-kasan-force-thread-size-increase-with-kasan.patch @@ -0,0 +1,71 @@ +From 389a0b5a9e43a8f89c64177b21107d0176ecfd8e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Jun 2022 00:31:14 +1000 +Subject: powerpc/kasan: Force thread size increase with KASAN + +From: Michael Ellerman + +[ Upstream commit 3e8635fb2e072672cbc650989ffedf8300ad67fb ] + +KASAN causes increased stack usage, which can lead to stack overflows. + +The logic in Kconfig to suggest a larger default doesn't work if a user +has CONFIG_EXPERT enabled and has an existing .config with a smaller +value. + +Follow the lead of x86 and arm64, and force the thread size to be +increased when KASAN is enabled. + +That also has the effect of enlarging the stack for 64-bit KASAN builds, +which is also desirable. + +Fixes: edbadaf06710 ("powerpc/kasan: Fix stack overflow by increasing THREAD_SHIFT") +Reported-by: Erhard Furtner +Reported-by: Christophe Leroy +[mpe: Use MIN_THREAD_SHIFT as suggested by Christophe] +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20220601143114.133524-1-mpe@ellerman.id.au +Signed-off-by: Sasha Levin +--- + arch/powerpc/Kconfig | 1 - + arch/powerpc/include/asm/thread_info.h | 10 ++++++++-- + 2 files changed, 8 insertions(+), 3 deletions(-) + +diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig +index b779603978e1..574e4ba13959 100644 +--- a/arch/powerpc/Kconfig ++++ b/arch/powerpc/Kconfig +@@ -764,7 +764,6 @@ config THREAD_SHIFT + range 13 15 + default "15" if PPC_256K_PAGES + default "14" if PPC64 +- default "14" if KASAN + default "13" + help + Used to define the stack size. The default is almost always what you +diff --git a/arch/powerpc/include/asm/thread_info.h b/arch/powerpc/include/asm/thread_info.h +index d6e649b3c70b..bc3e1de9d08b 100644 +--- a/arch/powerpc/include/asm/thread_info.h ++++ b/arch/powerpc/include/asm/thread_info.h +@@ -14,10 +14,16 @@ + + #ifdef __KERNEL__ + +-#if defined(CONFIG_VMAP_STACK) && CONFIG_THREAD_SHIFT < PAGE_SHIFT ++#ifdef CONFIG_KASAN ++#define MIN_THREAD_SHIFT (CONFIG_THREAD_SHIFT + 1) ++#else ++#define MIN_THREAD_SHIFT CONFIG_THREAD_SHIFT ++#endif ++ ++#if defined(CONFIG_VMAP_STACK) && MIN_THREAD_SHIFT < PAGE_SHIFT + #define THREAD_SHIFT PAGE_SHIFT + #else +-#define THREAD_SHIFT CONFIG_THREAD_SHIFT ++#define THREAD_SHIFT MIN_THREAD_SHIFT + #endif + + #define THREAD_SIZE (1 << THREAD_SHIFT) +-- +2.35.1 + diff --git a/queue-5.17/series b/queue-5.17/series index a2fcaacafa8..71f8d642528 100644 --- a/queue-5.17/series +++ b/queue-5.17/series @@ -154,3 +154,43 @@ m68knommu-fix-undefined-reference-to-mach_get_rtc_pl.patch rtla-makefile-properly-handle-dependencies.patch f2fs-fix-to-tag-gcing-flag-on-page-during-file-defra.patch xprtrdma-treat-all-calls-not-a-bcall-when-bc_serv-is.patch +drm-bridge-ti-sn65dsi83-handle-dsi_lanes-0-as-invali.patch +drm-panfrost-job-should-reference-mmu-not-file_priv.patch +netfilter-nat-really-support-inet-nat-without-l3-add.patch +netfilter-nf_tables-use-kfree_rcu-ptr-rcu-to-release.patch +netfilter-nf_tables-delete-flowtable-hooks-via-trans.patch +powerpc-kasan-force-thread-size-increase-with-kasan.patch +sunrpc-trap-rdma-segment-overflows.patch +netfilter-nf_tables-always-initialize-flowtable-hook.patch +ata-pata_octeon_cf-fix-refcount-leak-in-octeon_cf_pr.patch +netfilter-nf_tables-release-new-hooks-on-unsupported.patch +netfilter-nf_tables-memleak-flow-rule-from-commit-pa.patch +netfilter-nf_tables-bail-out-early-if-hardware-offlo.patch +amt-fix-wrong-usage-of-pskb_may_pull.patch +amt-fix-possible-null-ptr-deref-in-amt_rcv.patch +amt-fix-wrong-type-string-definition.patch +net-ethernet-bgmac-fix-refcount-leak-in-bcma_mdio_mi.patch +xen-unexport-__init-annotated-xen_xlate_map_balloone.patch +stmmac-intel-fix-an-error-handling-path-in-intel_eth.patch +af_unix-fix-a-data-race-in-unix_dgram_peer_wake_me.patch +x86-drop-bogus-cc-clobber-from-__try_cmpxchg_user_as.patch +bpf-arm64-clear-prog-jited_len-along-prog-jited.patch +net-dsa-lantiq_gswip-fix-refcount-leak-in-gswip_gphy.patch +net-mlx4_en-fix-wrong-return-value-on-ioctl-eeprom-q.patch +i40e-xsk-move-tmp-desc-array-from-driver-to-pool.patch +xsk-fix-handling-of-invalid-descriptors-in-xsk-tx-ba.patch +sunrpc-fix-the-calculation-of-xdr-end-in-xdr_get_nex.patch +net-mdio-unexport-__init-annotated-mdio_bus_init.patch +net-xfrm-unexport-__init-annotated-xfrm4_protocol_in.patch +net-ipv6-unexport-__init-annotated-seg6_hmac_init.patch +net-mlx5-lag-filter-non-compatible-devices.patch +net-mlx5-fix-mlx5_get_next_dev-peer-device-matching.patch +net-mlx5-rearm-the-fw-tracer-after-each-tracer-event.patch +net-mlx5-fs-fail-conflicting-actions.patch +ip_gre-test-csum_start-instead-of-transport-header.patch +net-altera-fix-refcount-leak-in-altera_tse_mdio_crea.patch +net-dsa-mv88e6xxx-use-bmsr_anegcomplete-bit-for-fill.patch +tcp-use-alloc_large_system_hash-to-allocate-table_pe.patch +drm-imx-fix-compiler-warning-with-gcc-12.patch +nfp-flower-restructure-flow-key-for-gre-vlan-combina.patch +iov_iter-fix-iter_xarray_get_pages-_alloc.patch diff --git a/queue-5.17/stmmac-intel-fix-an-error-handling-path-in-intel_eth.patch b/queue-5.17/stmmac-intel-fix-an-error-handling-path-in-intel_eth.patch new file mode 100644 index 00000000000..590a2dc1dda --- /dev/null +++ b/queue-5.17/stmmac-intel-fix-an-error-handling-path-in-intel_eth.patch @@ -0,0 +1,49 @@ +From f02bac5ef9ef90288997dbbf182e6f0362bf1ba0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 5 Jun 2022 22:50:48 +0200 +Subject: stmmac: intel: Fix an error handling path in intel_eth_pci_probe() + +From: Christophe JAILLET + +[ Upstream commit 5e74a4b3ec1816e3bbfd715d46ae29d2508079cb ] + +When the managed API is used, there is no need to explicitly call +pci_free_irq_vectors(). + +This looks to be a left-over from the commit in the Fixes tag. Only the +.remove() function had been updated. + +So remove this unused function call and update goto label accordingly. + +Fixes: 8accc467758e ("stmmac: intel: use managed PCI function on probe and resume") +Signed-off-by: Christophe JAILLET +Reviewed-by: Wong Vee Khee +Link: https://lore.kernel.org/r/1ac9b6787b0db83b0095711882c55c77c8ea8da0.1654462241.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/dwmac-intel.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-intel.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-intel.c +index 6f87e296a410..502fbbc082fb 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-intel.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-intel.c +@@ -1073,13 +1073,11 @@ static int intel_eth_pci_probe(struct pci_dev *pdev, + + ret = stmmac_dvr_probe(&pdev->dev, plat, &res); + if (ret) { +- goto err_dvr_probe; ++ goto err_alloc_irq; + } + + return 0; + +-err_dvr_probe: +- pci_free_irq_vectors(pdev); + err_alloc_irq: + clk_disable_unprepare(plat->stmmac_clk); + clk_unregister_fixed_rate(plat->stmmac_clk); +-- +2.35.1 + diff --git a/queue-5.17/sunrpc-fix-the-calculation-of-xdr-end-in-xdr_get_nex.patch b/queue-5.17/sunrpc-fix-the-calculation-of-xdr-end-in-xdr_get_nex.patch new file mode 100644 index 00000000000..14d5c35e97b --- /dev/null +++ b/queue-5.17/sunrpc-fix-the-calculation-of-xdr-end-in-xdr_get_nex.patch @@ -0,0 +1,49 @@ +From fa01b3d6341cab3a88e16d599201743846c2bb30 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Jun 2022 16:47:52 -0400 +Subject: SUNRPC: Fix the calculation of xdr->end in + xdr_get_next_encode_buffer() + +From: Chuck Lever + +[ Upstream commit 6c254bf3b637dd4ef4f78eb78c7447419c0161d7 ] + +I found that NFSD's new NFSv3 READDIRPLUS XDR encoder was screwing up +right at the end of the page array. xdr_get_next_encode_buffer() does +not compute the value of xdr->end correctly: + + * The check to see if we're on the final available page in xdr->buf + needs to account for the space consumed by @nbytes. + + * The new xdr->end value needs to account for the portion of @nbytes + that is to be encoded into the previous buffer. + +Fixes: 2825a7f90753 ("nfsd4: allow encoding across page boundaries") +Signed-off-by: Chuck Lever +Reviewed-by: NeilBrown +Reviewed-by: J. Bruce Fields +Signed-off-by: Sasha Levin +--- + net/sunrpc/xdr.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/net/sunrpc/xdr.c b/net/sunrpc/xdr.c +index df194cc07035..b57cf9df4de8 100644 +--- a/net/sunrpc/xdr.c ++++ b/net/sunrpc/xdr.c +@@ -979,7 +979,11 @@ static __be32 *xdr_get_next_encode_buffer(struct xdr_stream *xdr, + */ + xdr->p = (void *)p + frag2bytes; + space_left = xdr->buf->buflen - xdr->buf->len; +- xdr->end = (void *)p + min_t(int, space_left, PAGE_SIZE); ++ if (space_left - nbytes >= PAGE_SIZE) ++ xdr->end = (void *)p + PAGE_SIZE; ++ else ++ xdr->end = (void *)p + space_left - frag1bytes; ++ + xdr->buf->page_len += frag2bytes; + xdr->buf->len += nbytes; + return p; +-- +2.35.1 + diff --git a/queue-5.17/sunrpc-trap-rdma-segment-overflows.patch b/queue-5.17/sunrpc-trap-rdma-segment-overflows.patch new file mode 100644 index 00000000000..65ce7ae3bbb --- /dev/null +++ b/queue-5.17/sunrpc-trap-rdma-segment-overflows.patch @@ -0,0 +1,42 @@ +From b892898e033d532d6459a6f2bfb68c5167c9807f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Jun 2022 12:46:52 -0400 +Subject: SUNRPC: Trap RDMA segment overflows + +From: Chuck Lever + +[ Upstream commit f012e95b377c73c0283f009823c633104dedb337 ] + +Prevent svc_rdma_build_writes() from walking off the end of a Write +chunk's segment array. Caught with KASAN. + +The test that this fix replaces is invalid, and might have been left +over from an earlier prototype of the PCL work. + +Fixes: 7a1cbfa18059 ("svcrdma: Use parsed chunk lists to construct RDMA Writes") +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + net/sunrpc/xprtrdma/svc_rdma_rw.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/sunrpc/xprtrdma/svc_rdma_rw.c b/net/sunrpc/xprtrdma/svc_rdma_rw.c +index 5f0155fdefc7..11cf7c646644 100644 +--- a/net/sunrpc/xprtrdma/svc_rdma_rw.c ++++ b/net/sunrpc/xprtrdma/svc_rdma_rw.c +@@ -478,10 +478,10 @@ svc_rdma_build_writes(struct svc_rdma_write_info *info, + unsigned int write_len; + u64 offset; + +- seg = &info->wi_chunk->ch_segments[info->wi_seg_no]; +- if (!seg) ++ if (info->wi_seg_no >= info->wi_chunk->ch_segcount) + goto out_overflow; + ++ seg = &info->wi_chunk->ch_segments[info->wi_seg_no]; + write_len = min(remaining, seg->rs_length - info->wi_seg_off); + if (!write_len) + goto out_overflow; +-- +2.35.1 + diff --git a/queue-5.17/tcp-use-alloc_large_system_hash-to-allocate-table_pe.patch b/queue-5.17/tcp-use-alloc_large_system_hash-to-allocate-table_pe.patch new file mode 100644 index 00000000000..283e07956aa --- /dev/null +++ b/queue-5.17/tcp-use-alloc_large_system_hash-to-allocate-table_pe.patch @@ -0,0 +1,47 @@ +From 7531dbffce20763b36880a39cd66e86883489536 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Jun 2022 15:02:14 +0800 +Subject: tcp: use alloc_large_system_hash() to allocate table_perturb + +From: Muchun Song + +[ Upstream commit e67b72b90b7e19a4be4d9c29f3feea6f58ab43f8 ] + +In our server, there may be no high order (>= 6) memory since we reserve +lots of HugeTLB pages when booting. Then the system panic. So use +alloc_large_system_hash() to allocate table_perturb. + +Fixes: e9261476184b ("tcp: dynamically allocate the perturb table used by source ports") +Signed-off-by: Muchun Song +Reviewed-by: Eric Dumazet +Link: https://lore.kernel.org/r/20220607070214.94443-1-songmuchun@bytedance.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/inet_hashtables.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c +index a5d57fa679ca..55654e335d43 100644 +--- a/net/ipv4/inet_hashtables.c ++++ b/net/ipv4/inet_hashtables.c +@@ -917,10 +917,12 @@ void __init inet_hashinfo2_init(struct inet_hashinfo *h, const char *name, + init_hashinfo_lhash2(h); + + /* this one is used for source ports of outgoing connections */ +- table_perturb = kmalloc_array(INET_TABLE_PERTURB_SIZE, +- sizeof(*table_perturb), GFP_KERNEL); +- if (!table_perturb) +- panic("TCP: failed to alloc table_perturb"); ++ table_perturb = alloc_large_system_hash("Table-perturb", ++ sizeof(*table_perturb), ++ INET_TABLE_PERTURB_SIZE, ++ 0, 0, NULL, NULL, ++ INET_TABLE_PERTURB_SIZE, ++ INET_TABLE_PERTURB_SIZE); + } + + int inet_hashinfo2_init_mod(struct inet_hashinfo *h) +-- +2.35.1 + diff --git a/queue-5.17/x86-drop-bogus-cc-clobber-from-__try_cmpxchg_user_as.patch b/queue-5.17/x86-drop-bogus-cc-clobber-from-__try_cmpxchg_user_as.patch new file mode 100644 index 00000000000..d6fdf12522b --- /dev/null +++ b/queue-5.17/x86-drop-bogus-cc-clobber-from-__try_cmpxchg_user_as.patch @@ -0,0 +1,41 @@ +From 2f82258da76ad0ca4d1dbae4df53fc7c3e662fa3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Jun 2022 17:00:53 +0200 +Subject: x86: drop bogus "cc" clobber from __try_cmpxchg_user_asm() + +From: Jan Beulich + +[ Upstream commit 1df931d95f4dc1c11db1123e85d4e08156e46ef9 ] + +As noted (and fixed) a couple of times in the past, "=@cc" outputs +and clobbering of "cc" don't work well together. The compiler appears to +mean to reject such, but doesn't - in its upstream form - quite manage +to yet for "cc". Furthermore two similar macros don't clobber "cc", and +clobbering "cc" is pointless in asm()-s for x86 anyway - the compiler +always assumes status flags to be clobbered there. + +Fixes: 989b5db215a2 ("x86/uaccess: Implement macros for CMPXCHG on user addresses") +Signed-off-by: Jan Beulich +Message-Id: <485c0c0b-a3a7-0b7c-5264-7d00c01de032@suse.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/uaccess.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h +index 1c14bcce88f2..729ecf1e546c 100644 +--- a/arch/x86/include/asm/uaccess.h ++++ b/arch/x86/include/asm/uaccess.h +@@ -466,7 +466,7 @@ do { \ + [ptr] "+m" (*_ptr), \ + [old] "+a" (__old) \ + : [new] ltype (__new) \ +- : "memory", "cc"); \ ++ : "memory"); \ + if (unlikely(__err)) \ + goto label; \ + if (unlikely(!success)) \ +-- +2.35.1 + diff --git a/queue-5.17/xen-unexport-__init-annotated-xen_xlate_map_balloone.patch b/queue-5.17/xen-unexport-__init-annotated-xen_xlate_map_balloone.patch new file mode 100644 index 00000000000..8c31f95980a --- /dev/null +++ b/queue-5.17/xen-unexport-__init-annotated-xen_xlate_map_balloone.patch @@ -0,0 +1,55 @@ +From 43bb2e768f6240f9a0639c88a13d8792c0c80797 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Jun 2022 13:59:20 +0900 +Subject: xen: unexport __init-annotated xen_xlate_map_ballooned_pages() + +From: Masahiro Yamada + +[ Upstream commit dbac14a5a05ff8e1ce7c0da0e1f520ce39ec62ea ] + +EXPORT_SYMBOL and __init is a bad combination because the .init.text +section is freed up after the initialization. Hence, modules cannot +use symbols annotated __init. The access to a freed symbol may end up +with kernel panic. + +modpost used to detect it, but it has been broken for a decade. + +Recently, I fixed modpost so it started to warn it again, then this +showed up in linux-next builds. + +There are two ways to fix it: + + - Remove __init + - Remove EXPORT_SYMBOL + +I chose the latter for this case because none of the in-tree call-sites +(arch/arm/xen/enlighten.c, arch/x86/xen/grant-table.c) is compiled as +modular. + +Fixes: 243848fc018c ("xen/grant-table: Move xlated_setup_gnttab_pages to common place") +Reported-by: Stephen Rothwell +Signed-off-by: Masahiro Yamada +Reviewed-by: Oleksandr Tyshchenko +Acked-by: Stefano Stabellini +Link: https://lore.kernel.org/r/20220606045920.4161881-1-masahiroy@kernel.org +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +--- + drivers/xen/xlate_mmu.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/xen/xlate_mmu.c b/drivers/xen/xlate_mmu.c +index 34742c6e189e..f17c4c03db30 100644 +--- a/drivers/xen/xlate_mmu.c ++++ b/drivers/xen/xlate_mmu.c +@@ -261,7 +261,6 @@ int __init xen_xlate_map_ballooned_pages(xen_pfn_t **gfns, void **virt, + + return 0; + } +-EXPORT_SYMBOL_GPL(xen_xlate_map_ballooned_pages); + + struct remap_pfn { + struct mm_struct *mm; +-- +2.35.1 + diff --git a/queue-5.17/xsk-fix-handling-of-invalid-descriptors-in-xsk-tx-ba.patch b/queue-5.17/xsk-fix-handling-of-invalid-descriptors-in-xsk-tx-ba.patch new file mode 100644 index 00000000000..40ef64ed8cf --- /dev/null +++ b/queue-5.17/xsk-fix-handling-of-invalid-descriptors-in-xsk-tx-ba.patch @@ -0,0 +1,85 @@ +From 6f154eef9f9da034be855154cd29a58770c35bea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Jun 2022 16:22:00 +0200 +Subject: xsk: Fix handling of invalid descriptors in XSK TX batching API + +From: Maciej Fijalkowski + +[ Upstream commit d678cbd2f867a564a3c5b276c454e873f43f02f8 ] + +xdpxceiver run on a AF_XDP ZC enabled driver revealed a problem with XSK +Tx batching API. There is a test that checks how invalid Tx descriptors +are handled by AF_XDP. Each valid descriptor is followed by invalid one +on Tx side whereas the Rx side expects only to receive a set of valid +descriptors. + +In current xsk_tx_peek_release_desc_batch() function, the amount of +available descriptors is hidden inside xskq_cons_peek_desc_batch(). This +can be problematic in cases where invalid descriptors are present due to +the fact that xskq_cons_peek_desc_batch() returns only a count of valid +descriptors. This means that it is impossible to properly update XSK +ring state when calling xskq_cons_release_n(). + +To address this issue, pull out the contents of +xskq_cons_peek_desc_batch() so that callers (currently only +xsk_tx_peek_release_desc_batch()) will always be able to update the +state of ring properly, as total count of entries is now available and +use this value as an argument in xskq_cons_release_n(). By +doing so, xskq_cons_peek_desc_batch() can be dropped altogether. + +Fixes: 9349eb3a9d2a ("xsk: Introduce batched Tx descriptor interfaces") +Signed-off-by: Maciej Fijalkowski +Signed-off-by: Daniel Borkmann +Acked-by: Magnus Karlsson +Link: https://lore.kernel.org/bpf/20220607142200.576735-1-maciej.fijalkowski@intel.com +Signed-off-by: Sasha Levin +--- + net/xdp/xsk.c | 5 +++-- + net/xdp/xsk_queue.h | 8 -------- + 2 files changed, 3 insertions(+), 10 deletions(-) + +diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c +index 7d3a00cb24ec..4806fe35c657 100644 +--- a/net/xdp/xsk.c ++++ b/net/xdp/xsk.c +@@ -373,7 +373,8 @@ u32 xsk_tx_peek_release_desc_batch(struct xsk_buff_pool *pool, u32 max_entries) + goto out; + } + +- nb_pkts = xskq_cons_peek_desc_batch(xs->tx, pool, max_entries); ++ max_entries = xskq_cons_nb_entries(xs->tx, max_entries); ++ nb_pkts = xskq_cons_read_desc_batch(xs->tx, pool, max_entries); + if (!nb_pkts) { + xs->tx->queue_empty_descs++; + goto out; +@@ -389,7 +390,7 @@ u32 xsk_tx_peek_release_desc_batch(struct xsk_buff_pool *pool, u32 max_entries) + if (!nb_pkts) + goto out; + +- xskq_cons_release_n(xs->tx, nb_pkts); ++ xskq_cons_release_n(xs->tx, max_entries); + __xskq_cons_release(xs->tx); + xs->sk.sk_write_space(&xs->sk); + +diff --git a/net/xdp/xsk_queue.h b/net/xdp/xsk_queue.h +index 638138fbe475..4d092e7a33d1 100644 +--- a/net/xdp/xsk_queue.h ++++ b/net/xdp/xsk_queue.h +@@ -282,14 +282,6 @@ static inline bool xskq_cons_peek_desc(struct xsk_queue *q, + return xskq_cons_read_desc(q, desc, pool); + } + +-static inline u32 xskq_cons_peek_desc_batch(struct xsk_queue *q, struct xsk_buff_pool *pool, +- u32 max) +-{ +- u32 entries = xskq_cons_nb_entries(q, max); +- +- return xskq_cons_read_desc_batch(q, pool, entries); +-} +- + /* To improve performance in the xskq_cons_release functions, only update local state here. + * Reflect this to global state when we get new entries from the ring in + * xskq_cons_get_entries() and whenever Rx or Tx processing are completed in the NAPI loop. +-- +2.35.1 +