From: Sasha Levin Date: Sun, 28 Mar 2021 03:51:20 +0000 (-0400) Subject: Fixes for 5.11 X-Git-Tag: v5.11.11~58 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1050cbe9ac41592e7a4bf4f9f29d4443bcf2d2f5;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.11 Signed-off-by: Sasha Levin --- diff --git a/queue-5.11/arm-dts-imx6ull-fix-ubi-filesystem-mount-failed.patch b/queue-5.11/arm-dts-imx6ull-fix-ubi-filesystem-mount-failed.patch new file mode 100644 index 00000000000..eb6c9d283cf --- /dev/null +++ b/queue-5.11/arm-dts-imx6ull-fix-ubi-filesystem-mount-failed.patch @@ -0,0 +1,49 @@ +From 2852b9d9e02ae17bf68d7bbeebb1baa5d5e31098 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Mar 2021 23:45:09 +0800 +Subject: ARM: dts: imx6ull: fix ubi filesystem mount failed + +From: dillon min + +[ Upstream commit e4817a1b6b77db538bc0141c3b138f2df803ce87 ] + +For NAND Ecc layout, there is a dependency from old kernel's nand driver +setting and current. if old kernel use 4 bit ecc , we should use 4 bit +in new kernel either. else will run into following error at filesystem +mounting. + +So, enable fsl,use-minimum-ecc from device tree, to fix this mismatch + +[ 9.449265] ubi0: scanning is finished +[ 9.463968] ubi0 warning: ubi_io_read: error -74 (ECC error) while reading +22528 bytes from PEB 513:4096, read only 22528 bytes, retry +[ 9.486940] ubi0 warning: ubi_io_read: error -74 (ECC error) while reading +22528 bytes from PEB 513:4096, read only 22528 bytes, retry +[ 9.509906] ubi0 warning: ubi_io_read: error -74 (ECC error) while reading +22528 bytes from PEB 513:4096, read only 22528 bytes, retry +[ 9.532845] ubi0 error: ubi_io_read: error -74 (ECC error) while reading +22528 bytes from PEB 513:4096, read 22528 bytes + +Fixes: f9ecf10cb88c ("ARM: dts: imx6ull: add MYiR MYS-6ULX SBC") +Signed-off-by: dillon min +Reviewed-by: Fabio Estevam +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx6ull-myir-mys-6ulx-eval.dts | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm/boot/dts/imx6ull-myir-mys-6ulx-eval.dts b/arch/arm/boot/dts/imx6ull-myir-mys-6ulx-eval.dts +index ecbb2cc5b9ab..79cc45728cd2 100644 +--- a/arch/arm/boot/dts/imx6ull-myir-mys-6ulx-eval.dts ++++ b/arch/arm/boot/dts/imx6ull-myir-mys-6ulx-eval.dts +@@ -14,5 +14,6 @@ + }; + + &gpmi { ++ fsl,use-minimum-ecc; + status = "okay"; + }; +-- +2.30.1 + diff --git a/queue-5.11/arm-omap2-fix-smartreflex-init-regression-after-drop.patch b/queue-5.11/arm-omap2-fix-smartreflex-init-regression-after-drop.patch new file mode 100644 index 00000000000..130f9fd2f58 --- /dev/null +++ b/queue-5.11/arm-omap2-fix-smartreflex-init-regression-after-drop.patch @@ -0,0 +1,162 @@ +From 4db96048f249f7215711c451294d9499578f8e57 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Feb 2021 10:53:48 +0200 +Subject: ARM: OMAP2+: Fix smartreflex init regression after dropping legacy + data + +From: Tony Lindgren + +[ Upstream commit fbfa463be8dc7957ee4f81556e9e1ea2a951807d ] + +When I dropped legacy data for omap4 and dra7 smartreflex in favor of +device tree based data, it seems I only testd for the "SmartReflex Class3 +initialized" line in dmesg. I missed the fact that there is also +omap_devinit_smartreflex() that happens later, and now it produces an +error on boot for "No Voltage table for the corresponding vdd. Cannot +create debugfs entries for n-values". + +This happens as we no longer have the smartreflex instance legacy data, +and have not yet moved completely to device tree based booting for the +driver. Let's fix the issue by changing the smartreflex init to use names. +This should all eventually go away in favor of doing the init in the +driver based on devicetree compatible value. + +Note that dra7xx_init_early() is not calling any voltage domain init like +omap54xx_voltagedomains_init(), or a dra7 specific voltagedomains init. +This means that on dra7 smartreflex is still not fully initialized, and +also seems to be missing the related devicetree nodes. + +Fixes: a6b1e717e942 ("ARM: OMAP2+: Drop legacy platform data for omap4 smartreflex") +Fixes: e54740b4afe8 ("ARM: OMAP2+: Drop legacy platform data for dra7 smartreflex") +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/mach-omap2/sr_device.c | 75 +++++++++++++++++++++++++-------- + 1 file changed, 58 insertions(+), 17 deletions(-) + +diff --git a/arch/arm/mach-omap2/sr_device.c b/arch/arm/mach-omap2/sr_device.c +index 62df666c2bd0..17b66f0d0dee 100644 +--- a/arch/arm/mach-omap2/sr_device.c ++++ b/arch/arm/mach-omap2/sr_device.c +@@ -88,34 +88,26 @@ static void __init sr_set_nvalues(struct omap_volt_data *volt_data, + + extern struct omap_sr_data omap_sr_pdata[]; + +-static int __init sr_dev_init(struct omap_hwmod *oh, void *user) ++static int __init sr_init_by_name(const char *name, const char *voltdm) + { + struct omap_sr_data *sr_data = NULL; + struct omap_volt_data *volt_data; +- struct omap_smartreflex_dev_attr *sr_dev_attr; + static int i; + +- if (!strncmp(oh->name, "smartreflex_mpu_iva", 20) || +- !strncmp(oh->name, "smartreflex_mpu", 16)) ++ if (!strncmp(name, "smartreflex_mpu_iva", 20) || ++ !strncmp(name, "smartreflex_mpu", 16)) + sr_data = &omap_sr_pdata[OMAP_SR_MPU]; +- else if (!strncmp(oh->name, "smartreflex_core", 17)) ++ else if (!strncmp(name, "smartreflex_core", 17)) + sr_data = &omap_sr_pdata[OMAP_SR_CORE]; +- else if (!strncmp(oh->name, "smartreflex_iva", 16)) ++ else if (!strncmp(name, "smartreflex_iva", 16)) + sr_data = &omap_sr_pdata[OMAP_SR_IVA]; + + if (!sr_data) { +- pr_err("%s: Unknown instance %s\n", __func__, oh->name); ++ pr_err("%s: Unknown instance %s\n", __func__, name); + return -EINVAL; + } + +- sr_dev_attr = (struct omap_smartreflex_dev_attr *)oh->dev_attr; +- if (!sr_dev_attr || !sr_dev_attr->sensor_voltdm_name) { +- pr_err("%s: No voltage domain specified for %s. Cannot initialize\n", +- __func__, oh->name); +- goto exit; +- } +- +- sr_data->name = oh->name; ++ sr_data->name = name; + if (cpu_is_omap343x()) + sr_data->ip_type = 1; + else +@@ -136,10 +128,10 @@ static int __init sr_dev_init(struct omap_hwmod *oh, void *user) + } + } + +- sr_data->voltdm = voltdm_lookup(sr_dev_attr->sensor_voltdm_name); ++ sr_data->voltdm = voltdm_lookup(voltdm); + if (!sr_data->voltdm) { + pr_err("%s: Unable to get voltage domain pointer for VDD %s\n", +- __func__, sr_dev_attr->sensor_voltdm_name); ++ __func__, voltdm); + goto exit; + } + +@@ -160,6 +152,20 @@ exit: + return 0; + } + ++static int __init sr_dev_init(struct omap_hwmod *oh, void *user) ++{ ++ struct omap_smartreflex_dev_attr *sr_dev_attr; ++ ++ sr_dev_attr = (struct omap_smartreflex_dev_attr *)oh->dev_attr; ++ if (!sr_dev_attr || !sr_dev_attr->sensor_voltdm_name) { ++ pr_err("%s: No voltage domain specified for %s. Cannot initialize\n", ++ __func__, oh->name); ++ return 0; ++ } ++ ++ return sr_init_by_name(oh->name, sr_dev_attr->sensor_voltdm_name); ++} ++ + /* + * API to be called from board files to enable smartreflex + * autocompensation at init. +@@ -169,7 +175,42 @@ void __init omap_enable_smartreflex_on_init(void) + sr_enable_on_init = true; + } + ++static const char * const omap4_sr_instances[] = { ++ "mpu", ++ "iva", ++ "core", ++}; ++ ++static const char * const dra7_sr_instances[] = { ++ "mpu", ++ "core", ++}; ++ + int __init omap_devinit_smartreflex(void) + { ++ const char * const *sr_inst; ++ int i, nr_sr = 0; ++ ++ if (soc_is_omap44xx()) { ++ sr_inst = omap4_sr_instances; ++ nr_sr = ARRAY_SIZE(omap4_sr_instances); ++ ++ } else if (soc_is_dra7xx()) { ++ sr_inst = dra7_sr_instances; ++ nr_sr = ARRAY_SIZE(dra7_sr_instances); ++ } ++ ++ if (nr_sr) { ++ const char *name, *voltdm; ++ ++ for (i = 0; i < nr_sr; i++) { ++ name = kasprintf(GFP_KERNEL, "smartreflex_%s", sr_inst[i]); ++ voltdm = sr_inst[i]; ++ sr_init_by_name(name, voltdm); ++ } ++ ++ return 0; ++ } ++ + return omap_hwmod_for_each_by_class("smartreflex", sr_dev_init, NULL); + } +-- +2.30.1 + diff --git a/queue-5.11/arm64-kdump-update-ppos-when-reading-elfcorehdr.patch b/queue-5.11/arm64-kdump-update-ppos-when-reading-elfcorehdr.patch new file mode 100644 index 00000000000..809436014c7 --- /dev/null +++ b/queue-5.11/arm64-kdump-update-ppos-when-reading-elfcorehdr.patch @@ -0,0 +1,40 @@ +From 463c5d0a1ae2df4cdbef27a783f63327df1e2eab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Mar 2021 16:50:54 -0400 +Subject: arm64: kdump: update ppos when reading elfcorehdr + +From: Pavel Tatashin + +[ Upstream commit 141f8202cfa4192c3af79b6cbd68e7760bb01b5a ] + +The ppos points to a position in the old kernel memory (and in case of +arm64 in the crash kernel since elfcorehdr is passed as a segment). The +function should update the ppos by the amount that was read. This bug is +not exposed by accident, but other platforms update this value properly. +So, fix it in ARM64 version of elfcorehdr_read() as well. + +Signed-off-by: Pavel Tatashin +Fixes: e62aaeac426a ("arm64: kdump: provide /proc/vmcore file") +Reviewed-by: Tyler Hicks +Link: https://lore.kernel.org/r/20210319205054.743368-1-pasha.tatashin@soleen.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/crash_dump.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/arm64/kernel/crash_dump.c b/arch/arm64/kernel/crash_dump.c +index e6e284265f19..58303a9ec32c 100644 +--- a/arch/arm64/kernel/crash_dump.c ++++ b/arch/arm64/kernel/crash_dump.c +@@ -64,5 +64,7 @@ ssize_t copy_oldmem_page(unsigned long pfn, char *buf, + ssize_t elfcorehdr_read(char *buf, size_t count, u64 *ppos) + { + memcpy(buf, phys_to_virt((phys_addr_t)*ppos), count); ++ *ppos += count; ++ + return count; + } +-- +2.30.1 + diff --git a/queue-5.11/arm64-mm-correct-the-inside-linear-map-range-during-.patch b/queue-5.11/arm64-mm-correct-the-inside-linear-map-range-during-.patch new file mode 100644 index 00000000000..66773dc48a8 --- /dev/null +++ b/queue-5.11/arm64-mm-correct-the-inside-linear-map-range-during-.patch @@ -0,0 +1,75 @@ +From 72b31a72819ae4245de59ab28613830148308de0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Feb 2021 10:03:51 -0500 +Subject: arm64: mm: correct the inside linear map range during hotplug check + +From: Pavel Tatashin + +[ Upstream commit ee7febce051945be28ad86d16a15886f878204de ] + +Memory hotplug may fail on systems with CONFIG_RANDOMIZE_BASE because the +linear map range is not checked correctly. + +The start physical address that linear map covers can be actually at the +end of the range because of randomization. Check that and if so reduce it +to 0. + +This can be verified on QEMU with setting kaslr-seed to ~0ul: + +memstart_offset_seed = 0xffff +START: __pa(_PAGE_OFFSET(vabits_actual)) = ffff9000c0000000 +END: __pa(PAGE_END - 1) = 1000bfffffff + +Signed-off-by: Pavel Tatashin +Fixes: 58284a901b42 ("arm64/mm: Validate hotplug range before creating linear mapping") +Tested-by: Tyler Hicks +Reviewed-by: Anshuman Khandual +Link: https://lore.kernel.org/r/20210216150351.129018-2-pasha.tatashin@soleen.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/mm/mmu.c | 21 +++++++++++++++++++-- + 1 file changed, 19 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c +index 92b3be127796..3ca02e917598 100644 +--- a/arch/arm64/mm/mmu.c ++++ b/arch/arm64/mm/mmu.c +@@ -1446,6 +1446,22 @@ static void __remove_pgd_mapping(pgd_t *pgdir, unsigned long start, u64 size) + struct range arch_get_mappable_range(void) + { + struct range mhp_range; ++ u64 start_linear_pa = __pa(_PAGE_OFFSET(vabits_actual)); ++ u64 end_linear_pa = __pa(PAGE_END - 1); ++ ++ if (IS_ENABLED(CONFIG_RANDOMIZE_BASE)) { ++ /* ++ * Check for a wrap, it is possible because of randomized linear ++ * mapping the start physical address is actually bigger than ++ * the end physical address. In this case set start to zero ++ * because [0, end_linear_pa] range must still be able to cover ++ * all addressable physical addresses. ++ */ ++ if (start_linear_pa > end_linear_pa) ++ start_linear_pa = 0; ++ } ++ ++ WARN_ON(start_linear_pa > end_linear_pa); + + /* + * Linear mapping region is the range [PAGE_OFFSET..(PAGE_END - 1)] +@@ -1453,8 +1469,9 @@ struct range arch_get_mappable_range(void) + * range which can be mapped inside this linear mapping range, must + * also be derived from its end points. + */ +- mhp_range.start = __pa(_PAGE_OFFSET(vabits_actual)); +- mhp_range.end = __pa(PAGE_END - 1); ++ mhp_range.start = start_linear_pa; ++ mhp_range.end = end_linear_pa; ++ + return mhp_range; + } + +-- +2.30.1 + diff --git a/queue-5.11/arm64-mm-define-arch_get_mappable_range.patch b/queue-5.11/arm64-mm-define-arch_get_mappable_range.patch new file mode 100644 index 00000000000..cbdf1add7df --- /dev/null +++ b/queue-5.11/arm64-mm-define-arch_get_mappable_range.patch @@ -0,0 +1,83 @@ +From c3a48fcf450b7769b5ee743f9eda4329f883b7e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Feb 2021 17:17:37 -0800 +Subject: arm64/mm: define arch_get_mappable_range() + +From: Anshuman Khandual + +[ Upstream commit 03aaf83fba6e5af08b5dd174c72edee9b7d9ed9b ] + +This overrides arch_get_mappable_range() on arm64 platform which will be +used with recently added generic framework. It drops +inside_linear_region() and subsequent check in arch_add_memory() which are +no longer required. It also adds a VM_BUG_ON() check that would ensure +that mhp_range_allowed() has already been called. + +Link: https://lkml.kernel.org/r/1612149902-7867-3-git-send-email-anshuman.khandual@arm.com +Signed-off-by: Anshuman Khandual +Reviewed-by: David Hildenbrand +Reviewed-by: Catalin Marinas +Cc: Will Deacon +Cc: Ard Biesheuvel +Cc: Mark Rutland +Cc: Heiko Carstens +Cc: Jason Wang +Cc: Jonathan Cameron +Cc: "Michael S. Tsirkin" +Cc: Michal Hocko +Cc: Oscar Salvador +Cc: Pankaj Gupta +Cc: Pankaj Gupta +Cc: teawater +Cc: Vasily Gorbik +Cc: Wei Yang +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + arch/arm64/mm/mmu.c | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c +index 6f0648777d34..92b3be127796 100644 +--- a/arch/arm64/mm/mmu.c ++++ b/arch/arm64/mm/mmu.c +@@ -1443,16 +1443,19 @@ static void __remove_pgd_mapping(pgd_t *pgdir, unsigned long start, u64 size) + free_empty_tables(start, end, PAGE_OFFSET, PAGE_END); + } + +-static bool inside_linear_region(u64 start, u64 size) ++struct range arch_get_mappable_range(void) + { ++ struct range mhp_range; ++ + /* + * Linear mapping region is the range [PAGE_OFFSET..(PAGE_END - 1)] + * accommodating both its ends but excluding PAGE_END. Max physical + * range which can be mapped inside this linear mapping range, must + * also be derived from its end points. + */ +- return start >= __pa(_PAGE_OFFSET(vabits_actual)) && +- (start + size - 1) <= __pa(PAGE_END - 1); ++ mhp_range.start = __pa(_PAGE_OFFSET(vabits_actual)); ++ mhp_range.end = __pa(PAGE_END - 1); ++ return mhp_range; + } + + int arch_add_memory(int nid, u64 start, u64 size, +@@ -1460,11 +1463,7 @@ int arch_add_memory(int nid, u64 start, u64 size, + { + int ret, flags = 0; + +- if (!inside_linear_region(start, size)) { +- pr_err("[%llx %llx] is outside linear mapping region\n", start, start + size); +- return -EINVAL; +- } +- ++ VM_BUG_ON(!mhp_range_allowed(start, size, true)); + if (rodata_full || debug_pagealloc_enabled()) + flags = NO_BLOCK_MAPPINGS | NO_CONT_MAPPINGS; + +-- +2.30.1 + diff --git a/queue-5.11/bpf-change-inode_storage-s-lookup_elem-return-value-.patch b/queue-5.11/bpf-change-inode_storage-s-lookup_elem-return-value-.patch new file mode 100644 index 00000000000..73f742a2949 --- /dev/null +++ b/queue-5.11/bpf-change-inode_storage-s-lookup_elem-return-value-.patch @@ -0,0 +1,43 @@ +From 0643adc3be0f132ed85f576db272a70dda24b09a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 7 Mar 2021 14:09:48 +0200 +Subject: bpf: Change inode_storage's lookup_elem return value from NULL to + -EBADF + +From: Tal Lossos + +[ Upstream commit 769c18b254ca191b45047e1fcb3b2ce56fada0b6 ] + +bpf_fd_inode_storage_lookup_elem() returned NULL when getting a bad FD, +which caused -ENOENT in bpf_map_copy_value. -EBADF error is better than +-ENOENT for a bad FD behaviour. + +The patch was partially contributed by CyberArk Software, Inc. + +Fixes: 8ea636848aca ("bpf: Implement bpf_local_storage for inodes") +Signed-off-by: Tal Lossos +Signed-off-by: Daniel Borkmann +Acked-by: Yonghong Song +Acked-by: KP Singh +Link: https://lore.kernel.org/bpf/20210307120948.61414-1-tallossos@gmail.com +Signed-off-by: Sasha Levin +--- + kernel/bpf/bpf_inode_storage.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/bpf/bpf_inode_storage.c b/kernel/bpf/bpf_inode_storage.c +index 6639640523c0..b58b2efb9b43 100644 +--- a/kernel/bpf/bpf_inode_storage.c ++++ b/kernel/bpf/bpf_inode_storage.c +@@ -109,7 +109,7 @@ static void *bpf_fd_inode_storage_lookup_elem(struct bpf_map *map, void *key) + fd = *(int *)key; + f = fget_raw(fd); + if (!f) +- return NULL; ++ return ERR_PTR(-EBADF); + + sdata = inode_storage_lookup(f->f_inode, map, true); + fput(f); +-- +2.30.1 + diff --git a/queue-5.11/bpf-don-t-do-bpf_cgroup_storage_set-for-kuprobe-tp-p.patch b/queue-5.11/bpf-don-t-do-bpf_cgroup_storage_set-for-kuprobe-tp-p.patch new file mode 100644 index 00000000000..992fe0b9522 --- /dev/null +++ b/queue-5.11/bpf-don-t-do-bpf_cgroup_storage_set-for-kuprobe-tp-p.patch @@ -0,0 +1,87 @@ +From 02409671bb05fe171f9376cf6104483a7facbf2e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 27 Mar 2021 18:27:53 -0400 +Subject: bpf: Don't do bpf_cgroup_storage_set() for kuprobe/tp programs + +[ Upstream commit 05a68ce5fa51a83c360381630f823545c5757aa2 ] + +For kuprobe and tracepoint bpf programs, kernel calls +trace_call_bpf() which calls BPF_PROG_RUN_ARRAY_CHECK() +to run the program array. Currently, BPF_PROG_RUN_ARRAY_CHECK() +also calls bpf_cgroup_storage_set() to set percpu +cgroup local storage with NULL value. This is +due to Commit 394e40a29788 ("bpf: extend bpf_prog_array to store +pointers to the cgroup storage") which modified +__BPF_PROG_RUN_ARRAY() to call bpf_cgroup_storage_set() +and this macro is also used by BPF_PROG_RUN_ARRAY_CHECK(). + +kuprobe and tracepoint programs are not allowed to call +bpf_get_local_storage() helper hence does not +access percpu cgroup local storage. Let us +change BPF_PROG_RUN_ARRAY_CHECK() not to +modify percpu cgroup local storage. + +The issue is observed when I tried to debug [1] where +percpu data is overwritten due to + preempt_disable -> migration_disable +change. This patch does not completely fix the above issue, +which will be addressed separately, e.g., multiple cgroup +prog runs may preempt each other. But it does fix +any potential issue caused by tracing program +overwriting percpu cgroup storage: + - in a busy system, a tracing program is to run between + bpf_cgroup_storage_set() and the cgroup prog run. + - a kprobe program is triggered by a helper in cgroup prog + before bpf_get_local_storage() is called. + + [1] https://lore.kernel.org/bpf/CAKH8qBuXCfUz=w8L+Fj74OaUpbosO29niYwTki7e3Ag044_aww@mail.gmail.com/T + +Fixes: 394e40a29788 ("bpf: extend bpf_prog_array to store pointers to the cgroup storage") +Signed-off-by: Yonghong Song +Signed-off-by: Alexei Starovoitov +Acked-by: Roman Gushchin +Link: https://lore.kernel.org/bpf/20210309185028.3763817-1-yhs@fb.com +Signed-off-by: Sasha Levin +--- + include/linux/bpf.h | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/include/linux/bpf.h b/include/linux/bpf.h +index 6e585dbc10df..f4242865cc86 100644 +--- a/include/linux/bpf.h ++++ b/include/linux/bpf.h +@@ -1066,7 +1066,7 @@ int bpf_prog_array_copy(struct bpf_prog_array *old_array, + struct bpf_prog *include_prog, + struct bpf_prog_array **new_array); + +-#define __BPF_PROG_RUN_ARRAY(array, ctx, func, check_non_null) \ ++#define __BPF_PROG_RUN_ARRAY(array, ctx, func, check_non_null, set_cg_storage) \ + ({ \ + struct bpf_prog_array_item *_item; \ + struct bpf_prog *_prog; \ +@@ -1079,7 +1079,8 @@ int bpf_prog_array_copy(struct bpf_prog_array *old_array, + goto _out; \ + _item = &_array->items[0]; \ + while ((_prog = READ_ONCE(_item->prog))) { \ +- bpf_cgroup_storage_set(_item->cgroup_storage); \ ++ if (set_cg_storage) \ ++ bpf_cgroup_storage_set(_item->cgroup_storage); \ + _ret &= func(_prog, ctx); \ + _item++; \ + } \ +@@ -1140,10 +1141,10 @@ _out: \ + }) + + #define BPF_PROG_RUN_ARRAY(array, ctx, func) \ +- __BPF_PROG_RUN_ARRAY(array, ctx, func, false) ++ __BPF_PROG_RUN_ARRAY(array, ctx, func, false, true) + + #define BPF_PROG_RUN_ARRAY_CHECK(array, ctx, func) \ +- __BPF_PROG_RUN_ARRAY(array, ctx, func, true) ++ __BPF_PROG_RUN_ARRAY(array, ctx, func, true, false) + + #ifdef CONFIG_BPF_SYSCALL + DECLARE_PER_CPU(int, bpf_prog_active); +-- +2.30.1 + diff --git a/queue-5.11/bpf-dont-allow-vmlinux-btf-to-be-used-in-map_create-.patch b/queue-5.11/bpf-dont-allow-vmlinux-btf-to-be-used-in-map_create-.patch new file mode 100644 index 00000000000..e5ef60ee219 --- /dev/null +++ b/queue-5.11/bpf-dont-allow-vmlinux-btf-to-be-used-in-map_create-.patch @@ -0,0 +1,61 @@ +From 7e4882d8610db9dbb3de4271fbfbf75596cb2681 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 7 Mar 2021 14:52:48 -0800 +Subject: bpf: Dont allow vmlinux BTF to be used in map_create and prog_load. + +From: Alexei Starovoitov + +[ Upstream commit 350a5c4dd2452ea999cc5e1d4a8dbf12de2f97ef ] + +The syzbot got FD of vmlinux BTF and passed it into map_create which caused +crash in btf_type_id_size() when it tried to access resolved_ids. The vmlinux +BTF doesn't have 'resolved_ids' and 'resolved_sizes' initialized to save +memory. To avoid such issues disallow using vmlinux BTF in prog_load and +map_create commands. + +Fixes: 5329722057d4 ("bpf: Assign ID to vmlinux BTF and return extra info for BTF in GET_OBJ_INFO") +Reported-by: syzbot+8bab8ed346746e7540e8@syzkaller.appspotmail.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Daniel Borkmann +Acked-by: Yonghong Song +Link: https://lore.kernel.org/bpf/20210307225248.79031-1-alexei.starovoitov@gmail.com +Signed-off-by: Sasha Levin +--- + kernel/bpf/syscall.c | 5 +++++ + kernel/bpf/verifier.c | 4 ++++ + 2 files changed, 9 insertions(+) + +diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c +index e5999d86c76e..32ca33539052 100644 +--- a/kernel/bpf/syscall.c ++++ b/kernel/bpf/syscall.c +@@ -854,6 +854,11 @@ static int map_create(union bpf_attr *attr) + err = PTR_ERR(btf); + goto free_map; + } ++ if (btf_is_kernel(btf)) { ++ btf_put(btf); ++ err = -EACCES; ++ goto free_map; ++ } + map->btf = btf; + + if (attr->btf_value_type_id) { +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index ab23dfb9df1b..5b233e911c2c 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -8580,6 +8580,10 @@ static int check_btf_info(struct bpf_verifier_env *env, + btf = btf_get_by_fd(attr->prog_btf_fd); + if (IS_ERR(btf)) + return PTR_ERR(btf); ++ if (btf_is_kernel(btf)) { ++ btf_put(btf); ++ return -EACCES; ++ } + env->prog->aux->btf = btf; + + err = check_btf_func(env, attr, uattr); +-- +2.30.1 + diff --git a/queue-5.11/bpf-fix-fexit-trampoline.patch b/queue-5.11/bpf-fix-fexit-trampoline.patch new file mode 100644 index 00000000000..c73d1c9d5c9 --- /dev/null +++ b/queue-5.11/bpf-fix-fexit-trampoline.patch @@ -0,0 +1,520 @@ +From 41bcace13519b62f264eb6e59faddc860df24b59 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Mar 2021 14:00:07 -0700 +Subject: bpf: Fix fexit trampoline. + +From: Alexei Starovoitov + +[ Upstream commit e21aa341785c679dd409c8cb71f864c00fe6c463 ] + +The fexit/fmod_ret programs can be attached to kernel functions that can sleep. +The synchronize_rcu_tasks() will not wait for such tasks to complete. +In such case the trampoline image will be freed and when the task +wakes up the return IP will point to freed memory causing the crash. +Solve this by adding percpu_ref_get/put for the duration of trampoline +and separate trampoline vs its image life times. +The "half page" optimization has to be removed, since +first_half->second_half->first_half transition cannot be guaranteed to +complete in deterministic time. Every trampoline update becomes a new image. +The image with fmod_ret or fexit progs will be freed via percpu_ref_kill and +call_rcu_tasks. Together they will wait for the original function and +trampoline asm to complete. The trampoline is patched from nop to jmp to skip +fexit progs. They are freed independently from the trampoline. The image with +fentry progs only will be freed via call_rcu_tasks_trace+call_rcu_tasks which +will wait for both sleepable and non-sleepable progs to complete. + +Fixes: fec56f5890d9 ("bpf: Introduce BPF trampoline") +Reported-by: Andrii Nakryiko +Signed-off-by: Alexei Starovoitov +Signed-off-by: Daniel Borkmann +Acked-by: Paul E. McKenney # for RCU +Link: https://lore.kernel.org/bpf/20210316210007.38949-1-alexei.starovoitov@gmail.com +Signed-off-by: Sasha Levin +--- + arch/x86/net/bpf_jit_comp.c | 26 ++++- + include/linux/bpf.h | 24 +++- + kernel/bpf/bpf_struct_ops.c | 2 +- + kernel/bpf/core.c | 4 +- + kernel/bpf/trampoline.c | 218 +++++++++++++++++++++++++++--------- + 5 files changed, 213 insertions(+), 61 deletions(-) + +diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c +index 796506dcfc42..652bd64e422d 100644 +--- a/arch/x86/net/bpf_jit_comp.c ++++ b/arch/x86/net/bpf_jit_comp.c +@@ -1735,7 +1735,7 @@ static int invoke_bpf_mod_ret(const struct btf_func_model *m, u8 **pprog, + * add rsp, 8 // skip eth_type_trans's frame + * ret // return to its caller + */ +-int arch_prepare_bpf_trampoline(void *image, void *image_end, ++int arch_prepare_bpf_trampoline(struct bpf_tramp_image *im, void *image, void *image_end, + const struct btf_func_model *m, u32 flags, + struct bpf_tramp_progs *tprogs, + void *orig_call) +@@ -1774,6 +1774,15 @@ int arch_prepare_bpf_trampoline(void *image, void *image_end, + + save_regs(m, &prog, nr_args, stack_size); + ++ if (flags & BPF_TRAMP_F_CALL_ORIG) { ++ /* arg1: mov rdi, im */ ++ emit_mov_imm64(&prog, BPF_REG_1, (long) im >> 32, (u32) (long) im); ++ if (emit_call(&prog, __bpf_tramp_enter, prog)) { ++ ret = -EINVAL; ++ goto cleanup; ++ } ++ } ++ + if (fentry->nr_progs) + if (invoke_bpf(m, &prog, fentry, stack_size)) + return -EINVAL; +@@ -1792,8 +1801,7 @@ int arch_prepare_bpf_trampoline(void *image, void *image_end, + } + + if (flags & BPF_TRAMP_F_CALL_ORIG) { +- if (fentry->nr_progs || fmod_ret->nr_progs) +- restore_regs(m, &prog, nr_args, stack_size); ++ restore_regs(m, &prog, nr_args, stack_size); + + /* call original function */ + if (emit_call(&prog, orig_call, prog)) { +@@ -1802,6 +1810,8 @@ int arch_prepare_bpf_trampoline(void *image, void *image_end, + } + /* remember return value in a stack for bpf prog to access */ + emit_stx(&prog, BPF_DW, BPF_REG_FP, BPF_REG_0, -8); ++ im->ip_after_call = prog; ++ emit_nops(&prog, 5); + } + + if (fmod_ret->nr_progs) { +@@ -1832,9 +1842,17 @@ int arch_prepare_bpf_trampoline(void *image, void *image_end, + * the return value is only updated on the stack and still needs to be + * restored to R0. + */ +- if (flags & BPF_TRAMP_F_CALL_ORIG) ++ if (flags & BPF_TRAMP_F_CALL_ORIG) { ++ im->ip_epilogue = prog; ++ /* arg1: mov rdi, im */ ++ emit_mov_imm64(&prog, BPF_REG_1, (long) im >> 32, (u32) (long) im); ++ if (emit_call(&prog, __bpf_tramp_exit, prog)) { ++ ret = -EINVAL; ++ goto cleanup; ++ } + /* restore original return value back into RAX */ + emit_ldx(&prog, BPF_DW, BPF_REG_0, BPF_REG_FP, -8); ++ } + + EMIT1(0x5B); /* pop rbx */ + EMIT1(0xC9); /* leave */ +diff --git a/include/linux/bpf.h b/include/linux/bpf.h +index f4242865cc86..564ebf91793e 100644 +--- a/include/linux/bpf.h ++++ b/include/linux/bpf.h +@@ -22,6 +22,7 @@ + #include + #include + #include ++#include + + struct bpf_verifier_env; + struct bpf_verifier_log; +@@ -563,7 +564,8 @@ struct bpf_tramp_progs { + * fentry = a set of program to run before calling original function + * fexit = a set of program to run after original function + */ +-int arch_prepare_bpf_trampoline(void *image, void *image_end, ++struct bpf_tramp_image; ++int arch_prepare_bpf_trampoline(struct bpf_tramp_image *tr, void *image, void *image_end, + const struct btf_func_model *m, u32 flags, + struct bpf_tramp_progs *tprogs, + void *orig_call); +@@ -572,6 +574,8 @@ u64 notrace __bpf_prog_enter(void); + void notrace __bpf_prog_exit(struct bpf_prog *prog, u64 start); + void notrace __bpf_prog_enter_sleepable(void); + void notrace __bpf_prog_exit_sleepable(void); ++void notrace __bpf_tramp_enter(struct bpf_tramp_image *tr); ++void notrace __bpf_tramp_exit(struct bpf_tramp_image *tr); + + struct bpf_ksym { + unsigned long start; +@@ -590,6 +594,18 @@ enum bpf_tramp_prog_type { + BPF_TRAMP_REPLACE, /* more than MAX */ + }; + ++struct bpf_tramp_image { ++ void *image; ++ struct bpf_ksym ksym; ++ struct percpu_ref pcref; ++ void *ip_after_call; ++ void *ip_epilogue; ++ union { ++ struct rcu_head rcu; ++ struct work_struct work; ++ }; ++}; ++ + struct bpf_trampoline { + /* hlist for trampoline_table */ + struct hlist_node hlist; +@@ -612,9 +628,8 @@ struct bpf_trampoline { + /* Number of attached programs. A counter per kind. */ + int progs_cnt[BPF_TRAMP_MAX]; + /* Executable image of trampoline */ +- void *image; ++ struct bpf_tramp_image *cur_image; + u64 selector; +- struct bpf_ksym ksym; + }; + + struct bpf_attach_target_info { +@@ -698,6 +713,8 @@ void bpf_image_ksym_add(void *data, struct bpf_ksym *ksym); + void bpf_image_ksym_del(struct bpf_ksym *ksym); + void bpf_ksym_add(struct bpf_ksym *ksym); + void bpf_ksym_del(struct bpf_ksym *ksym); ++int bpf_jit_charge_modmem(u32 pages); ++void bpf_jit_uncharge_modmem(u32 pages); + #else + static inline int bpf_trampoline_link_prog(struct bpf_prog *prog, + struct bpf_trampoline *tr) +@@ -788,7 +805,6 @@ struct bpf_prog_aux { + bool func_proto_unreliable; + bool sleepable; + bool tail_call_reachable; +- enum bpf_tramp_prog_type trampoline_prog_type; + struct hlist_node tramp_hlist; + /* BTF_KIND_FUNC_PROTO for valid attach_btf_id */ + const struct btf_type *attach_func_proto; +diff --git a/kernel/bpf/bpf_struct_ops.c b/kernel/bpf/bpf_struct_ops.c +index 1a666a975416..70f6fd4fa305 100644 +--- a/kernel/bpf/bpf_struct_ops.c ++++ b/kernel/bpf/bpf_struct_ops.c +@@ -430,7 +430,7 @@ static int bpf_struct_ops_map_update_elem(struct bpf_map *map, void *key, + + tprogs[BPF_TRAMP_FENTRY].progs[0] = prog; + tprogs[BPF_TRAMP_FENTRY].nr_progs = 1; +- err = arch_prepare_bpf_trampoline(image, ++ err = arch_prepare_bpf_trampoline(NULL, image, + st_map->image + PAGE_SIZE, + &st_ops->func_models[i], 0, + tprogs, NULL); +diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c +index 261f8692d0d2..1de87fcaeabd 100644 +--- a/kernel/bpf/core.c ++++ b/kernel/bpf/core.c +@@ -817,7 +817,7 @@ static int __init bpf_jit_charge_init(void) + } + pure_initcall(bpf_jit_charge_init); + +-static int bpf_jit_charge_modmem(u32 pages) ++int bpf_jit_charge_modmem(u32 pages) + { + if (atomic_long_add_return(pages, &bpf_jit_current) > + (bpf_jit_limit >> PAGE_SHIFT)) { +@@ -830,7 +830,7 @@ static int bpf_jit_charge_modmem(u32 pages) + return 0; + } + +-static void bpf_jit_uncharge_modmem(u32 pages) ++void bpf_jit_uncharge_modmem(u32 pages) + { + atomic_long_sub(pages, &bpf_jit_current); + } +diff --git a/kernel/bpf/trampoline.c b/kernel/bpf/trampoline.c +index 35c5887d82ff..986dabc3d11f 100644 +--- a/kernel/bpf/trampoline.c ++++ b/kernel/bpf/trampoline.c +@@ -57,19 +57,10 @@ void bpf_image_ksym_del(struct bpf_ksym *ksym) + PAGE_SIZE, true, ksym->name); + } + +-static void bpf_trampoline_ksym_add(struct bpf_trampoline *tr) +-{ +- struct bpf_ksym *ksym = &tr->ksym; +- +- snprintf(ksym->name, KSYM_NAME_LEN, "bpf_trampoline_%llu", tr->key); +- bpf_image_ksym_add(tr->image, ksym); +-} +- + static struct bpf_trampoline *bpf_trampoline_lookup(u64 key) + { + struct bpf_trampoline *tr; + struct hlist_head *head; +- void *image; + int i; + + mutex_lock(&trampoline_mutex); +@@ -84,14 +75,6 @@ static struct bpf_trampoline *bpf_trampoline_lookup(u64 key) + if (!tr) + goto out; + +- /* is_root was checked earlier. No need for bpf_jit_charge_modmem() */ +- image = bpf_jit_alloc_exec_page(); +- if (!image) { +- kfree(tr); +- tr = NULL; +- goto out; +- } +- + tr->key = key; + INIT_HLIST_NODE(&tr->hlist); + hlist_add_head(&tr->hlist, head); +@@ -99,9 +82,6 @@ static struct bpf_trampoline *bpf_trampoline_lookup(u64 key) + mutex_init(&tr->mutex); + for (i = 0; i < BPF_TRAMP_MAX; i++) + INIT_HLIST_HEAD(&tr->progs_hlist[i]); +- tr->image = image; +- INIT_LIST_HEAD_RCU(&tr->ksym.lnode); +- bpf_trampoline_ksym_add(tr); + out: + mutex_unlock(&trampoline_mutex); + return tr; +@@ -185,10 +165,142 @@ bpf_trampoline_get_progs(const struct bpf_trampoline *tr, int *total) + return tprogs; + } + ++static void __bpf_tramp_image_put_deferred(struct work_struct *work) ++{ ++ struct bpf_tramp_image *im; ++ ++ im = container_of(work, struct bpf_tramp_image, work); ++ bpf_image_ksym_del(&im->ksym); ++ bpf_jit_free_exec(im->image); ++ bpf_jit_uncharge_modmem(1); ++ percpu_ref_exit(&im->pcref); ++ kfree_rcu(im, rcu); ++} ++ ++/* callback, fexit step 3 or fentry step 2 */ ++static void __bpf_tramp_image_put_rcu(struct rcu_head *rcu) ++{ ++ struct bpf_tramp_image *im; ++ ++ im = container_of(rcu, struct bpf_tramp_image, rcu); ++ INIT_WORK(&im->work, __bpf_tramp_image_put_deferred); ++ schedule_work(&im->work); ++} ++ ++/* callback, fexit step 2. Called after percpu_ref_kill confirms. */ ++static void __bpf_tramp_image_release(struct percpu_ref *pcref) ++{ ++ struct bpf_tramp_image *im; ++ ++ im = container_of(pcref, struct bpf_tramp_image, pcref); ++ call_rcu_tasks(&im->rcu, __bpf_tramp_image_put_rcu); ++} ++ ++/* callback, fexit or fentry step 1 */ ++static void __bpf_tramp_image_put_rcu_tasks(struct rcu_head *rcu) ++{ ++ struct bpf_tramp_image *im; ++ ++ im = container_of(rcu, struct bpf_tramp_image, rcu); ++ if (im->ip_after_call) ++ /* the case of fmod_ret/fexit trampoline and CONFIG_PREEMPTION=y */ ++ percpu_ref_kill(&im->pcref); ++ else ++ /* the case of fentry trampoline */ ++ call_rcu_tasks(&im->rcu, __bpf_tramp_image_put_rcu); ++} ++ ++static void bpf_tramp_image_put(struct bpf_tramp_image *im) ++{ ++ /* The trampoline image that calls original function is using: ++ * rcu_read_lock_trace to protect sleepable bpf progs ++ * rcu_read_lock to protect normal bpf progs ++ * percpu_ref to protect trampoline itself ++ * rcu tasks to protect trampoline asm not covered by percpu_ref ++ * (which are few asm insns before __bpf_tramp_enter and ++ * after __bpf_tramp_exit) ++ * ++ * The trampoline is unreachable before bpf_tramp_image_put(). ++ * ++ * First, patch the trampoline to avoid calling into fexit progs. ++ * The progs will be freed even if the original function is still ++ * executing or sleeping. ++ * In case of CONFIG_PREEMPT=y use call_rcu_tasks() to wait on ++ * first few asm instructions to execute and call into ++ * __bpf_tramp_enter->percpu_ref_get. ++ * Then use percpu_ref_kill to wait for the trampoline and the original ++ * function to finish. ++ * Then use call_rcu_tasks() to make sure few asm insns in ++ * the trampoline epilogue are done as well. ++ * ++ * In !PREEMPT case the task that got interrupted in the first asm ++ * insns won't go through an RCU quiescent state which the ++ * percpu_ref_kill will be waiting for. Hence the first ++ * call_rcu_tasks() is not necessary. ++ */ ++ if (im->ip_after_call) { ++ int err = bpf_arch_text_poke(im->ip_after_call, BPF_MOD_JUMP, ++ NULL, im->ip_epilogue); ++ WARN_ON(err); ++ if (IS_ENABLED(CONFIG_PREEMPTION)) ++ call_rcu_tasks(&im->rcu, __bpf_tramp_image_put_rcu_tasks); ++ else ++ percpu_ref_kill(&im->pcref); ++ return; ++ } ++ ++ /* The trampoline without fexit and fmod_ret progs doesn't call original ++ * function and doesn't use percpu_ref. ++ * Use call_rcu_tasks_trace() to wait for sleepable progs to finish. ++ * Then use call_rcu_tasks() to wait for the rest of trampoline asm ++ * and normal progs. ++ */ ++ call_rcu_tasks_trace(&im->rcu, __bpf_tramp_image_put_rcu_tasks); ++} ++ ++static struct bpf_tramp_image *bpf_tramp_image_alloc(u64 key, u32 idx) ++{ ++ struct bpf_tramp_image *im; ++ struct bpf_ksym *ksym; ++ void *image; ++ int err = -ENOMEM; ++ ++ im = kzalloc(sizeof(*im), GFP_KERNEL); ++ if (!im) ++ goto out; ++ ++ err = bpf_jit_charge_modmem(1); ++ if (err) ++ goto out_free_im; ++ ++ err = -ENOMEM; ++ im->image = image = bpf_jit_alloc_exec_page(); ++ if (!image) ++ goto out_uncharge; ++ ++ err = percpu_ref_init(&im->pcref, __bpf_tramp_image_release, 0, GFP_KERNEL); ++ if (err) ++ goto out_free_image; ++ ++ ksym = &im->ksym; ++ INIT_LIST_HEAD_RCU(&ksym->lnode); ++ snprintf(ksym->name, KSYM_NAME_LEN, "bpf_trampoline_%llu_%u", key, idx); ++ bpf_image_ksym_add(image, ksym); ++ return im; ++ ++out_free_image: ++ bpf_jit_free_exec(im->image); ++out_uncharge: ++ bpf_jit_uncharge_modmem(1); ++out_free_im: ++ kfree(im); ++out: ++ return ERR_PTR(err); ++} ++ + static int bpf_trampoline_update(struct bpf_trampoline *tr) + { +- void *old_image = tr->image + ((tr->selector + 1) & 1) * PAGE_SIZE/2; +- void *new_image = tr->image + (tr->selector & 1) * PAGE_SIZE/2; ++ struct bpf_tramp_image *im; + struct bpf_tramp_progs *tprogs; + u32 flags = BPF_TRAMP_F_RESTORE_REGS; + int err, total; +@@ -198,41 +310,42 @@ static int bpf_trampoline_update(struct bpf_trampoline *tr) + return PTR_ERR(tprogs); + + if (total == 0) { +- err = unregister_fentry(tr, old_image); ++ err = unregister_fentry(tr, tr->cur_image->image); ++ bpf_tramp_image_put(tr->cur_image); ++ tr->cur_image = NULL; + tr->selector = 0; + goto out; + } + ++ im = bpf_tramp_image_alloc(tr->key, tr->selector); ++ if (IS_ERR(im)) { ++ err = PTR_ERR(im); ++ goto out; ++ } ++ + if (tprogs[BPF_TRAMP_FEXIT].nr_progs || + tprogs[BPF_TRAMP_MODIFY_RETURN].nr_progs) + flags = BPF_TRAMP_F_CALL_ORIG | BPF_TRAMP_F_SKIP_FRAME; + +- /* Though the second half of trampoline page is unused a task could be +- * preempted in the middle of the first half of trampoline and two +- * updates to trampoline would change the code from underneath the +- * preempted task. Hence wait for tasks to voluntarily schedule or go +- * to userspace. +- * The same trampoline can hold both sleepable and non-sleepable progs. +- * synchronize_rcu_tasks_trace() is needed to make sure all sleepable +- * programs finish executing. +- * Wait for these two grace periods together. +- */ +- synchronize_rcu_mult(call_rcu_tasks, call_rcu_tasks_trace); +- +- err = arch_prepare_bpf_trampoline(new_image, new_image + PAGE_SIZE / 2, ++ err = arch_prepare_bpf_trampoline(im, im->image, im->image + PAGE_SIZE, + &tr->func.model, flags, tprogs, + tr->func.addr); + if (err < 0) + goto out; + +- if (tr->selector) ++ WARN_ON(tr->cur_image && tr->selector == 0); ++ WARN_ON(!tr->cur_image && tr->selector); ++ if (tr->cur_image) + /* progs already running at this address */ +- err = modify_fentry(tr, old_image, new_image); ++ err = modify_fentry(tr, tr->cur_image->image, im->image); + else + /* first time registering */ +- err = register_fentry(tr, new_image); ++ err = register_fentry(tr, im->image); + if (err) + goto out; ++ if (tr->cur_image) ++ bpf_tramp_image_put(tr->cur_image); ++ tr->cur_image = im; + tr->selector++; + out: + kfree(tprogs); +@@ -364,17 +477,12 @@ void bpf_trampoline_put(struct bpf_trampoline *tr) + goto out; + if (WARN_ON_ONCE(!hlist_empty(&tr->progs_hlist[BPF_TRAMP_FEXIT]))) + goto out; +- bpf_image_ksym_del(&tr->ksym); +- /* This code will be executed when all bpf progs (both sleepable and +- * non-sleepable) went through +- * bpf_prog_put()->call_rcu[_tasks_trace]()->bpf_prog_free_deferred(). +- * Hence no need for another synchronize_rcu_tasks_trace() here, +- * but synchronize_rcu_tasks() is still needed, since trampoline +- * may not have had any sleepable programs and we need to wait +- * for tasks to get out of trampoline code before freeing it. ++ /* This code will be executed even when the last bpf_tramp_image ++ * is alive. All progs are detached from the trampoline and the ++ * trampoline image is patched with jmp into epilogue to skip ++ * fexit progs. The fentry-only trampoline will be freed via ++ * multiple rcu callbacks. + */ +- synchronize_rcu_tasks(); +- bpf_jit_free_exec(tr->image); + hlist_del(&tr->hlist); + kfree(tr); + out: +@@ -433,8 +541,18 @@ void notrace __bpf_prog_exit_sleepable(void) + rcu_read_unlock_trace(); + } + ++void notrace __bpf_tramp_enter(struct bpf_tramp_image *tr) ++{ ++ percpu_ref_get(&tr->pcref); ++} ++ ++void notrace __bpf_tramp_exit(struct bpf_tramp_image *tr) ++{ ++ percpu_ref_put(&tr->pcref); ++} ++ + int __weak +-arch_prepare_bpf_trampoline(void *image, void *image_end, ++arch_prepare_bpf_trampoline(struct bpf_tramp_image *tr, void *image, void *image_end, + const struct btf_func_model *m, u32 flags, + struct bpf_tramp_progs *tprogs, + void *orig_call) +-- +2.30.1 + diff --git a/queue-5.11/bpf-fix-umd-memory-leak-in-copy_process.patch b/queue-5.11/bpf-fix-umd-memory-leak-in-copy_process.patch new file mode 100644 index 00000000000..09041da7b79 --- /dev/null +++ b/queue-5.11/bpf-fix-umd-memory-leak-in-copy_process.patch @@ -0,0 +1,141 @@ +From aecbc4c4f3fb271b960ef25d0cb854fc27fef5b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Mar 2021 11:09:15 +0800 +Subject: bpf: Fix umd memory leak in copy_process() + +From: Zqiang + +[ Upstream commit f60a85cad677c4f9bb4cadd764f1d106c38c7cf8 ] + +The syzbot reported a memleak as follows: + +BUG: memory leak +unreferenced object 0xffff888101b41d00 (size 120): + comm "kworker/u4:0", pid 8, jiffies 4294944270 (age 12.780s) + backtrace: + [] alloc_pid+0x66/0x560 + [] copy_process+0x1465/0x25e0 + [] kernel_clone+0xf3/0x670 + [] kernel_thread+0x61/0x80 + [] call_usermodehelper_exec_work + [] call_usermodehelper_exec_work+0xc4/0x120 + [] process_one_work+0x2c9/0x600 + [] worker_thread+0x59/0x5d0 + [] kthread+0x178/0x1b0 + [] ret_from_fork+0x1f/0x30 + +unreferenced object 0xffff888110ef5c00 (size 232): + comm "kworker/u4:0", pid 8414, jiffies 4294944270 (age 12.780s) + backtrace: + [] kmem_cache_zalloc + [] __alloc_file+0x1f/0xf0 + [] alloc_empty_file+0x69/0x120 + [] alloc_file+0x33/0x1b0 + [] alloc_file_pseudo+0xb2/0x140 + [] create_pipe_files+0x138/0x2e0 + [] umd_setup+0x33/0x220 + [] call_usermodehelper_exec_async+0xb4/0x1b0 + [] ret_from_fork+0x1f/0x30 + +After the UMD process exits, the pipe_to_umh/pipe_from_umh and +tgid need to be released. + +Fixes: d71fa5c9763c ("bpf: Add kernel module with user mode driver that populates bpffs.") +Reported-by: syzbot+44908bb56d2bfe56b28e@syzkaller.appspotmail.com +Signed-off-by: Zqiang +Signed-off-by: Daniel Borkmann +Link: https://lore.kernel.org/bpf/20210317030915.2865-1-qiang.zhang@windriver.com +Signed-off-by: Sasha Levin +--- + include/linux/usermode_driver.h | 1 + + kernel/bpf/preload/bpf_preload_kern.c | 19 +++++++++++++++---- + kernel/usermode_driver.c | 21 +++++++++++++++------ + 3 files changed, 31 insertions(+), 10 deletions(-) + +diff --git a/include/linux/usermode_driver.h b/include/linux/usermode_driver.h +index 073a9e0ec07d..ad970416260d 100644 +--- a/include/linux/usermode_driver.h ++++ b/include/linux/usermode_driver.h +@@ -14,5 +14,6 @@ struct umd_info { + int umd_load_blob(struct umd_info *info, const void *data, size_t len); + int umd_unload_blob(struct umd_info *info); + int fork_usermode_driver(struct umd_info *info); ++void umd_cleanup_helper(struct umd_info *info); + + #endif /* __LINUX_USERMODE_DRIVER_H__ */ +diff --git a/kernel/bpf/preload/bpf_preload_kern.c b/kernel/bpf/preload/bpf_preload_kern.c +index 79c5772465f1..53736e52c1df 100644 +--- a/kernel/bpf/preload/bpf_preload_kern.c ++++ b/kernel/bpf/preload/bpf_preload_kern.c +@@ -60,9 +60,12 @@ static int finish(void) + &magic, sizeof(magic), &pos); + if (n != sizeof(magic)) + return -EPIPE; ++ + tgid = umd_ops.info.tgid; +- wait_event(tgid->wait_pidfd, thread_group_exited(tgid)); +- umd_ops.info.tgid = NULL; ++ if (tgid) { ++ wait_event(tgid->wait_pidfd, thread_group_exited(tgid)); ++ umd_cleanup_helper(&umd_ops.info); ++ } + return 0; + } + +@@ -80,10 +83,18 @@ static int __init load_umd(void) + + static void __exit fini_umd(void) + { ++ struct pid *tgid; ++ + bpf_preload_ops = NULL; ++ + /* kill UMD in case it's still there due to earlier error */ +- kill_pid(umd_ops.info.tgid, SIGKILL, 1); +- umd_ops.info.tgid = NULL; ++ tgid = umd_ops.info.tgid; ++ if (tgid) { ++ kill_pid(tgid, SIGKILL, 1); ++ ++ wait_event(tgid->wait_pidfd, thread_group_exited(tgid)); ++ umd_cleanup_helper(&umd_ops.info); ++ } + umd_unload_blob(&umd_ops.info); + } + late_initcall(load_umd); +diff --git a/kernel/usermode_driver.c b/kernel/usermode_driver.c +index 0b35212ffc3d..bb7bb3b478ab 100644 +--- a/kernel/usermode_driver.c ++++ b/kernel/usermode_driver.c +@@ -139,13 +139,22 @@ static void umd_cleanup(struct subprocess_info *info) + struct umd_info *umd_info = info->data; + + /* cleanup if umh_setup() was successful but exec failed */ +- if (info->retval) { +- fput(umd_info->pipe_to_umh); +- fput(umd_info->pipe_from_umh); +- put_pid(umd_info->tgid); +- umd_info->tgid = NULL; +- } ++ if (info->retval) ++ umd_cleanup_helper(umd_info); ++} ++ ++/** ++ * umd_cleanup_helper - release the resources which were allocated in umd_setup ++ * @info: information about usermode driver ++ */ ++void umd_cleanup_helper(struct umd_info *info) ++{ ++ fput(info->pipe_to_umh); ++ fput(info->pipe_from_umh); ++ put_pid(info->tgid); ++ info->tgid = NULL; + } ++EXPORT_SYMBOL_GPL(umd_cleanup_helper); + + /** + * fork_usermode_driver - fork a usermode driver +-- +2.30.1 + diff --git a/queue-5.11/bpf-use-nop_atomic5-instead-of-emit_nops-prog-5-for-.patch b/queue-5.11/bpf-use-nop_atomic5-instead-of-emit_nops-prog-5-for-.patch new file mode 100644 index 00000000000..309b2ceaa3d --- /dev/null +++ b/queue-5.11/bpf-use-nop_atomic5-instead-of-emit_nops-prog-5-for-.patch @@ -0,0 +1,45 @@ +From d5489575ee6bf9f1f5fcd486f5e209b474238e1f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Mar 2021 17:00:01 -0700 +Subject: bpf: Use NOP_ATOMIC5 instead of emit_nops(&prog, 5) for + BPF_TRAMP_F_CALL_ORIG + +From: Stanislav Fomichev + +[ Upstream commit b9082970478009b778aa9b22d5561eef35b53b63 ] + +__bpf_arch_text_poke does rewrite only for atomic nop5, emit_nops(xxx, 5) +emits non-atomic one which breaks fentry/fexit with k8 atomics: + +P6_NOP5 == P6_NOP5_ATOMIC (0f1f440000 == 0f1f440000) +K8_NOP5 != K8_NOP5_ATOMIC (6666906690 != 6666666690) + +Can be reproduced by doing "ideal_nops = k8_nops" in "arch_init_ideal_nops() +and running fexit_bpf2bpf selftest. + +Fixes: e21aa341785c ("bpf: Fix fexit trampoline.") +Signed-off-by: Stanislav Fomichev +Signed-off-by: Alexei Starovoitov +Link: https://lore.kernel.org/bpf/20210320000001.915366-1-sdf@google.com +Signed-off-by: Sasha Levin +--- + arch/x86/net/bpf_jit_comp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c +index 652bd64e422d..023ac12f54a2 100644 +--- a/arch/x86/net/bpf_jit_comp.c ++++ b/arch/x86/net/bpf_jit_comp.c +@@ -1811,7 +1811,8 @@ int arch_prepare_bpf_trampoline(struct bpf_tramp_image *im, void *image, void *i + /* remember return value in a stack for bpf prog to access */ + emit_stx(&prog, BPF_DW, BPF_REG_FP, BPF_REG_0, -8); + im->ip_after_call = prog; +- emit_nops(&prog, 5); ++ memcpy(prog, ideal_nops[NOP_ATOMIC5], X86_PATCH_SIZE); ++ prog += X86_PATCH_SIZE; + } + + if (fmod_ret->nr_progs) { +-- +2.30.1 + diff --git a/queue-5.11/bus-omap_l3_noc-mark-l3-irqs-as-irqf_no_thread.patch b/queue-5.11/bus-omap_l3_noc-mark-l3-irqs-as-irqf_no_thread.patch new file mode 100644 index 00000000000..58278a6ff54 --- /dev/null +++ b/queue-5.11/bus-omap_l3_noc-mark-l3-irqs-as-irqf_no_thread.patch @@ -0,0 +1,51 @@ +From 0ec09a2205fe465d1a3f4292bc552c558fba31d9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Jan 2021 21:15:48 +0200 +Subject: bus: omap_l3_noc: mark l3 irqs as IRQF_NO_THREAD + +From: Grygorii Strashko + +[ Upstream commit 7d7275b3e866cf8092bd12553ec53ba26864f7bb ] + +The main purpose of l3 IRQs is to catch OCP bus access errors and identify +corresponding code places by showing call stack, so it's important to +handle L3 interconnect errors as fast as possible. On RT these IRQs will +became threaded and will be scheduled much more late from the moment actual +error occurred so showing completely useless information. + +Hence, mark l3 IRQs as IRQF_NO_THREAD so they will not be forced threaded +on RT or if force_irqthreads = true. + +Fixes: 0ee7261c9212 ("drivers: bus: Move the OMAP interconnect driver to drivers/bus/") +Signed-off-by: Grygorii Strashko +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + drivers/bus/omap_l3_noc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/bus/omap_l3_noc.c b/drivers/bus/omap_l3_noc.c +index b040447575ad..dcfb32ee5cb6 100644 +--- a/drivers/bus/omap_l3_noc.c ++++ b/drivers/bus/omap_l3_noc.c +@@ -285,7 +285,7 @@ static int omap_l3_probe(struct platform_device *pdev) + */ + l3->debug_irq = platform_get_irq(pdev, 0); + ret = devm_request_irq(l3->dev, l3->debug_irq, l3_interrupt_handler, +- 0x0, "l3-dbg-irq", l3); ++ IRQF_NO_THREAD, "l3-dbg-irq", l3); + if (ret) { + dev_err(l3->dev, "request_irq failed for %d\n", + l3->debug_irq); +@@ -294,7 +294,7 @@ static int omap_l3_probe(struct platform_device *pdev) + + l3->app_irq = platform_get_irq(pdev, 1); + ret = devm_request_irq(l3->dev, l3->app_irq, l3_interrupt_handler, +- 0x0, "l3-app-irq", l3); ++ IRQF_NO_THREAD, "l3-app-irq", l3); + if (ret) + dev_err(l3->dev, "request_irq failed for %d\n", l3->app_irq); + +-- +2.30.1 + diff --git a/queue-5.11/can-c_can-move-runtime-pm-enable-disable-to-c_can_pl.patch b/queue-5.11/can-c_can-move-runtime-pm-enable-disable-to-c_can_pl.patch new file mode 100644 index 00000000000..0bc99c777b9 --- /dev/null +++ b/queue-5.11/can-c_can-move-runtime-pm-enable-disable-to-c_can_pl.patch @@ -0,0 +1,136 @@ +From 9c34cec8cc40999fa7d6b054c4e33e15f513f506 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Mar 2021 21:55:40 -0500 +Subject: can: c_can: move runtime PM enable/disable to c_can_platform +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Tong Zhang + +[ Upstream commit 6e2fe01dd6f98da6cae8b07cd5cfa67abc70d97d ] + +Currently doing modprobe c_can_pci will make the kernel complain: + + Unbalanced pm_runtime_enable! + +this is caused by pm_runtime_enable() called before pm is initialized. + +This fix is similar to 227619c3ff7c, move those pm_enable/disable code +to c_can_platform. + +Fixes: 4cdd34b26826 ("can: c_can: Add runtime PM support to Bosch C_CAN/D_CAN controller") +Link: http://lore.kernel.org/r/20210302025542.987600-1-ztong0001@gmail.com +Signed-off-by: Tong Zhang +Tested-by: Uwe Kleine-König +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/c_can/c_can.c | 24 +----------------------- + drivers/net/can/c_can/c_can_platform.c | 6 +++++- + 2 files changed, 6 insertions(+), 24 deletions(-) + +diff --git a/drivers/net/can/c_can/c_can.c b/drivers/net/can/c_can/c_can.c +index 63f48b016ecd..716d1a5bf17b 100644 +--- a/drivers/net/can/c_can/c_can.c ++++ b/drivers/net/can/c_can/c_can.c +@@ -212,18 +212,6 @@ static const struct can_bittiming_const c_can_bittiming_const = { + .brp_inc = 1, + }; + +-static inline void c_can_pm_runtime_enable(const struct c_can_priv *priv) +-{ +- if (priv->device) +- pm_runtime_enable(priv->device); +-} +- +-static inline void c_can_pm_runtime_disable(const struct c_can_priv *priv) +-{ +- if (priv->device) +- pm_runtime_disable(priv->device); +-} +- + static inline void c_can_pm_runtime_get_sync(const struct c_can_priv *priv) + { + if (priv->device) +@@ -1335,7 +1323,6 @@ static const struct net_device_ops c_can_netdev_ops = { + + int register_c_can_dev(struct net_device *dev) + { +- struct c_can_priv *priv = netdev_priv(dev); + int err; + + /* Deactivate pins to prevent DRA7 DCAN IP from being +@@ -1345,28 +1332,19 @@ int register_c_can_dev(struct net_device *dev) + */ + pinctrl_pm_select_sleep_state(dev->dev.parent); + +- c_can_pm_runtime_enable(priv); +- + dev->flags |= IFF_ECHO; /* we support local echo */ + dev->netdev_ops = &c_can_netdev_ops; + + err = register_candev(dev); +- if (err) +- c_can_pm_runtime_disable(priv); +- else ++ if (!err) + devm_can_led_init(dev); +- + return err; + } + EXPORT_SYMBOL_GPL(register_c_can_dev); + + void unregister_c_can_dev(struct net_device *dev) + { +- struct c_can_priv *priv = netdev_priv(dev); +- + unregister_candev(dev); +- +- c_can_pm_runtime_disable(priv); + } + EXPORT_SYMBOL_GPL(unregister_c_can_dev); + +diff --git a/drivers/net/can/c_can/c_can_platform.c b/drivers/net/can/c_can/c_can_platform.c +index 05f425ceb53a..47b251b1607c 100644 +--- a/drivers/net/can/c_can/c_can_platform.c ++++ b/drivers/net/can/c_can/c_can_platform.c +@@ -29,6 +29,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -386,6 +387,7 @@ static int c_can_plat_probe(struct platform_device *pdev) + platform_set_drvdata(pdev, dev); + SET_NETDEV_DEV(dev, &pdev->dev); + ++ pm_runtime_enable(priv->device); + ret = register_c_can_dev(dev); + if (ret) { + dev_err(&pdev->dev, "registering %s failed (err=%d)\n", +@@ -398,6 +400,7 @@ static int c_can_plat_probe(struct platform_device *pdev) + return 0; + + exit_free_device: ++ pm_runtime_disable(priv->device); + free_c_can_dev(dev); + exit: + dev_err(&pdev->dev, "probe failed\n"); +@@ -408,9 +411,10 @@ exit: + static int c_can_plat_remove(struct platform_device *pdev) + { + struct net_device *dev = platform_get_drvdata(pdev); ++ struct c_can_priv *priv = netdev_priv(dev); + + unregister_c_can_dev(dev); +- ++ pm_runtime_disable(priv->device); + free_c_can_dev(dev); + + return 0; +-- +2.30.1 + diff --git a/queue-5.11/can-c_can_pci-c_can_pci_remove-fix-use-after-free.patch b/queue-5.11/can-c_can_pci-c_can_pci_remove-fix-use-after-free.patch new file mode 100644 index 00000000000..a6ee7061515 --- /dev/null +++ b/queue-5.11/can-c_can_pci-c_can_pci_remove-fix-use-after-free.patch @@ -0,0 +1,44 @@ +From ad6d84d02980c406849ee18177f5e3f2165b94b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 Feb 2021 21:45:11 -0500 +Subject: can: c_can_pci: c_can_pci_remove(): fix use-after-free + +From: Tong Zhang + +[ Upstream commit 0429d6d89f97ebff4f17f13f5b5069c66bde8138 ] + +There is a UAF in c_can_pci_remove(). dev is released by +free_c_can_dev() and is used by pci_iounmap(pdev, priv->base) later. +To fix this issue, save the mmio address before releasing dev. + +Fixes: 5b92da0443c2 ("c_can_pci: generic module for C_CAN/D_CAN on PCI") +Link: https://lore.kernel.org/r/20210301024512.539039-1-ztong0001@gmail.com +Signed-off-by: Tong Zhang +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/c_can/c_can_pci.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/can/c_can/c_can_pci.c b/drivers/net/can/c_can/c_can_pci.c +index 406b4847e5dc..7efb60b50876 100644 +--- a/drivers/net/can/c_can/c_can_pci.c ++++ b/drivers/net/can/c_can/c_can_pci.c +@@ -239,12 +239,13 @@ static void c_can_pci_remove(struct pci_dev *pdev) + { + struct net_device *dev = pci_get_drvdata(pdev); + struct c_can_priv *priv = netdev_priv(dev); ++ void __iomem *addr = priv->base; + + unregister_c_can_dev(dev); + + free_c_can_dev(dev); + +- pci_iounmap(pdev, priv->base); ++ pci_iounmap(pdev, addr); + pci_disable_msi(pdev); + pci_clear_master(pdev); + pci_release_regions(pdev); +-- +2.30.1 + diff --git a/queue-5.11/can-flexcan-flexcan_chip_freeze-fix-chip-freeze-for-.patch b/queue-5.11/can-flexcan-flexcan_chip_freeze-fix-chip-freeze-for-.patch new file mode 100644 index 00000000000..2133b10fab4 --- /dev/null +++ b/queue-5.11/can-flexcan-flexcan_chip_freeze-fix-chip-freeze-for-.patch @@ -0,0 +1,55 @@ +From d59bdd42ef335bd965eb4e287ec26a1bfa362a89 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Mar 2021 00:15:10 +0100 +Subject: can: flexcan: flexcan_chip_freeze(): fix chip freeze for missing + bitrate + +From: Angelo Dureghello + +[ Upstream commit 47c5e474bc1e1061fb037d13b5000b38967eb070 ] + +For cases when flexcan is built-in, bitrate is still not set at +registering. So flexcan_chip_freeze() generates: + +[ 1.860000] *** ZERO DIVIDE *** FORMAT=4 +[ 1.860000] Current process id is 1 +[ 1.860000] BAD KERNEL TRAP: 00000000 +[ 1.860000] PC: [<402e70c8>] flexcan_chip_freeze+0x1a/0xa8 + +To allow chip freeze, using an hardcoded timeout when bitrate is still +not set. + +Fixes: ec15e27cc890 ("can: flexcan: enable RX FIFO after FRZ/HALT valid") +Link: https://lore.kernel.org/r/20210315231510.650593-1-angelo@kernel-space.org +Signed-off-by: Angelo Dureghello +[mkl: use if instead of ? operator] +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/flexcan.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/can/flexcan.c b/drivers/net/can/flexcan.c +index 2893297555eb..a9502fbc6dd6 100644 +--- a/drivers/net/can/flexcan.c ++++ b/drivers/net/can/flexcan.c +@@ -697,9 +697,15 @@ static int flexcan_chip_disable(struct flexcan_priv *priv) + static int flexcan_chip_freeze(struct flexcan_priv *priv) + { + struct flexcan_regs __iomem *regs = priv->regs; +- unsigned int timeout = 1000 * 1000 * 10 / priv->can.bittiming.bitrate; ++ unsigned int timeout; ++ u32 bitrate = priv->can.bittiming.bitrate; + u32 reg; + ++ if (bitrate) ++ timeout = 1000 * 1000 * 10 / bitrate; ++ else ++ timeout = FLEXCAN_TIMEOUT_US / 10; ++ + reg = priv->read(®s->mcr); + reg |= FLEXCAN_MCR_FRZ | FLEXCAN_MCR_HALT; + priv->write(reg, ®s->mcr); +-- +2.30.1 + diff --git a/queue-5.11/can-isotp-isotp_setsockopt-only-allow-to-set-low-lev.patch b/queue-5.11/can-isotp-isotp_setsockopt-only-allow-to-set-low-lev.patch new file mode 100644 index 00000000000..22b6dd12c0a --- /dev/null +++ b/queue-5.11/can-isotp-isotp_setsockopt-only-allow-to-set-low-lev.patch @@ -0,0 +1,42 @@ +From 212be7dd93f82bcd53bac805a044e091404b6e7f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Feb 2021 21:58:36 +0100 +Subject: can: isotp: isotp_setsockopt(): only allow to set low level TX flags + for CAN-FD + +From: Marc Kleine-Budde + +[ Upstream commit e4912459bd5edd493b61bc7c3a5d9b2eb17f5a89 ] + +CAN-FD frames have struct canfd_frame::flags, while classic CAN frames +don't. + +This patch refuses to set TX flags (struct +can_isotp_ll_options::tx_flags) on non CAN-FD isotp sockets. + +Fixes: e057dd3fc20f ("can: add ISO 15765-2:2016 transport protocol") +Link: https://lore.kernel.org/r/20210218215434.1708249-2-mkl@pengutronix.de +Cc: Oliver Hartkopp +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + net/can/isotp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/can/isotp.c b/net/can/isotp.c +index 3ef7f78e553b..e32d446c121e 100644 +--- a/net/can/isotp.c ++++ b/net/can/isotp.c +@@ -1228,7 +1228,8 @@ static int isotp_setsockopt(struct socket *sock, int level, int optname, + if (ll.mtu != CAN_MTU && ll.mtu != CANFD_MTU) + return -EINVAL; + +- if (ll.mtu == CAN_MTU && ll.tx_dl > CAN_MAX_DLEN) ++ if (ll.mtu == CAN_MTU && ++ (ll.tx_dl > CAN_MAX_DLEN || ll.tx_flags != 0)) + return -EINVAL; + + memcpy(&so->ll, &ll, sizeof(ll)); +-- +2.30.1 + diff --git a/queue-5.11/can-isotp-tx-path-ensure-that-can-frame-flags-are-in.patch b/queue-5.11/can-isotp-tx-path-ensure-that-can-frame-flags-are-in.patch new file mode 100644 index 00000000000..93f6a358c69 --- /dev/null +++ b/queue-5.11/can-isotp-tx-path-ensure-that-can-frame-flags-are-in.patch @@ -0,0 +1,71 @@ +From f462406337e7caf2566a8f63b6eb8a0593bfd6d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Feb 2021 21:24:20 +0100 +Subject: can: isotp: TX-path: ensure that CAN frame flags are initialized + +From: Marc Kleine-Budde + +[ Upstream commit d4eb538e1f48b3cf7bb6cb9eb39fe3e9e8a701f7 ] + +The previous patch ensures that the TX flags (struct +can_isotp_ll_options::tx_flags) are 0 for classic CAN frames or a user +configured value for CAN-FD frames. + +This patch sets the CAN frames flags unconditionally to the ISO-TP TX +flags, so that they are initialized to a proper value. Otherwise when +running "candump -x" on a classical CAN ISO-TP stream shows wrongly +set "B" and "E" flags. + +| $ candump any,0:0,#FFFFFFFF -extA +| [...] +| can0 TX B E 713 [8] 2B 0A 0B 0C 0D 0E 0F 00 +| can0 TX B E 713 [8] 2C 01 02 03 04 05 06 07 +| can0 TX B E 713 [8] 2D 08 09 0A 0B 0C 0D 0E +| can0 TX B E 713 [8] 2E 0F 00 01 02 03 04 05 + +Fixes: e057dd3fc20f ("can: add ISO 15765-2:2016 transport protocol") +Link: https://lore.kernel.org/r/20210218215434.1708249-2-mkl@pengutronix.de +Cc: Oliver Hartkopp +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + net/can/isotp.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +diff --git a/net/can/isotp.c b/net/can/isotp.c +index e32d446c121e..430976485d95 100644 +--- a/net/can/isotp.c ++++ b/net/can/isotp.c +@@ -215,8 +215,7 @@ static int isotp_send_fc(struct sock *sk, int ae, u8 flowstatus) + if (ae) + ncf->data[0] = so->opt.ext_address; + +- if (so->ll.mtu == CANFD_MTU) +- ncf->flags = so->ll.tx_flags; ++ ncf->flags = so->ll.tx_flags; + + can_send_ret = can_send(nskb, 1); + if (can_send_ret) +@@ -790,8 +789,7 @@ isotp_tx_burst: + so->tx.sn %= 16; + so->tx.bs++; + +- if (so->ll.mtu == CANFD_MTU) +- cf->flags = so->ll.tx_flags; ++ cf->flags = so->ll.tx_flags; + + skb->dev = dev; + can_skb_set_owner(skb, sk); +@@ -939,8 +937,7 @@ static int isotp_sendmsg(struct socket *sock, struct msghdr *msg, size_t size) + } + + /* send the first or only CAN frame */ +- if (so->ll.mtu == CANFD_MTU) +- cf->flags = so->ll.tx_flags; ++ cf->flags = so->ll.tx_flags; + + skb->dev = dev; + skb->sk = sk; +-- +2.30.1 + diff --git a/queue-5.11/can-isotp-tx-path-zero-initialize-outgoing-can-frame.patch b/queue-5.11/can-isotp-tx-path-zero-initialize-outgoing-can-frame.patch new file mode 100644 index 00000000000..949cdf9c815 --- /dev/null +++ b/queue-5.11/can-isotp-tx-path-zero-initialize-outgoing-can-frame.patch @@ -0,0 +1,64 @@ +From fba5b9f911327b6c1594d7f8492817012b34b27f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Mar 2021 11:06:19 +0100 +Subject: can: isotp: tx-path: zero initialize outgoing CAN frames + +From: Oliver Hartkopp + +[ Upstream commit b5f020f82a8e41201c6ede20fa00389d6980b223 ] + +Commit d4eb538e1f48 ("can: isotp: TX-path: ensure that CAN frame flags are +initialized") ensured the TX flags to be properly set for outgoing CAN +frames. + +In fact the root cause of the issue results from a missing initialization +of outgoing CAN frames created by isotp. This is no problem on the CAN bus +as the CAN driver only picks the correctly defined content from the struct +can(fd)_frame. But when the outgoing frames are monitored (e.g. with +candump) we potentially leak some bytes in the unused content of +struct can(fd)_frame. + +Fixes: e057dd3fc20f ("can: add ISO 15765-2:2016 transport protocol") +Cc: Marc Kleine-Budde +Link: https://lore.kernel.org/r/20210319100619.10858-1-socketcan@hartkopp.net +Signed-off-by: Oliver Hartkopp +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + net/can/isotp.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/can/isotp.c b/net/can/isotp.c +index 430976485d95..15ea1234d457 100644 +--- a/net/can/isotp.c ++++ b/net/can/isotp.c +@@ -196,7 +196,7 @@ static int isotp_send_fc(struct sock *sk, int ae, u8 flowstatus) + nskb->dev = dev; + can_skb_set_owner(nskb, sk); + ncf = (struct canfd_frame *)nskb->data; +- skb_put(nskb, so->ll.mtu); ++ skb_put_zero(nskb, so->ll.mtu); + + /* create & send flow control reply */ + ncf->can_id = so->txid; +@@ -779,7 +779,7 @@ isotp_tx_burst: + can_skb_prv(skb)->skbcnt = 0; + + cf = (struct canfd_frame *)skb->data; +- skb_put(skb, so->ll.mtu); ++ skb_put_zero(skb, so->ll.mtu); + + /* create consecutive frame */ + isotp_fill_dataframe(cf, so, ae, 0); +@@ -895,7 +895,7 @@ static int isotp_sendmsg(struct socket *sock, struct msghdr *msg, size_t size) + so->tx.idx = 0; + + cf = (struct canfd_frame *)skb->data; +- skb_put(skb, so->ll.mtu); ++ skb_put_zero(skb, so->ll.mtu); + + /* check for single frame transmission depending on TX_DL */ + if (size <= so->tx.ll_dl - SF_PCI_SZ4 - ae - off) { +-- +2.30.1 + diff --git a/queue-5.11/can-kvaser_pciefd-always-disable-bus-load-reporting.patch b/queue-5.11/can-kvaser_pciefd-always-disable-bus-load-reporting.patch new file mode 100644 index 00000000000..a39422e8e5e --- /dev/null +++ b/queue-5.11/can-kvaser_pciefd-always-disable-bus-load-reporting.patch @@ -0,0 +1,56 @@ +From fb48325137c3a2df9578273f458f4df64f4fcf95 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Mar 2021 10:17:23 +0100 +Subject: can: kvaser_pciefd: Always disable bus load reporting + +From: Jimmy Assarsson + +[ Upstream commit 7c6e6bce08f918b64459415f58061d4d6df44994 ] + +Under certain circumstances, when switching from Kvaser's linuxcan driver +(kvpciefd) to the SocketCAN driver (kvaser_pciefd), the bus load reporting +is not disabled. +This is flooding the kernel log with prints like: +[3485.574677] kvaser_pciefd 0000:02:00.0: Received unexpected packet type 0x00000009 + +Always put the controller in the expected state, instead of assuming that +bus load reporting is inactive. + +Note: If bus load reporting is enabled when the driver is loaded, you will + still get a number of bus load packages (and printouts), before it is + disabled. + +Fixes: 26ad340e582d ("can: kvaser_pciefd: Add driver for Kvaser PCIEcan devices") +Link: https://lore.kernel.org/r/20210309091724.31262-1-jimmyassarsson@gmail.com +Signed-off-by: Jimmy Assarsson +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/kvaser_pciefd.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/can/kvaser_pciefd.c b/drivers/net/can/kvaser_pciefd.c +index 969cedb9b0b6..0d77c60f775e 100644 +--- a/drivers/net/can/kvaser_pciefd.c ++++ b/drivers/net/can/kvaser_pciefd.c +@@ -57,6 +57,7 @@ MODULE_DESCRIPTION("CAN driver for Kvaser CAN/PCIe devices"); + #define KVASER_PCIEFD_KCAN_STAT_REG 0x418 + #define KVASER_PCIEFD_KCAN_MODE_REG 0x41c + #define KVASER_PCIEFD_KCAN_BTRN_REG 0x420 ++#define KVASER_PCIEFD_KCAN_BUS_LOAD_REG 0x424 + #define KVASER_PCIEFD_KCAN_BTRD_REG 0x428 + #define KVASER_PCIEFD_KCAN_PWM_REG 0x430 + /* Loopback control register */ +@@ -949,6 +950,9 @@ static int kvaser_pciefd_setup_can_ctrls(struct kvaser_pciefd *pcie) + timer_setup(&can->bec_poll_timer, kvaser_pciefd_bec_poll_timer, + 0); + ++ /* Disable Bus load reporting */ ++ iowrite32(0, can->reg_base + KVASER_PCIEFD_KCAN_BUS_LOAD_REG); ++ + tx_npackets = ioread32(can->reg_base + + KVASER_PCIEFD_KCAN_TX_NPACKETS_REG); + if (((tx_npackets >> KVASER_PCIEFD_KCAN_TX_NPACKETS_MAX_SHIFT) & +-- +2.30.1 + diff --git a/queue-5.11/can-m_can-m_can_do_rx_poll-fix-extraneous-msg-loss-w.patch b/queue-5.11/can-m_can-m_can_do_rx_poll-fix-extraneous-msg-loss-w.patch new file mode 100644 index 00000000000..4c752e8a819 --- /dev/null +++ b/queue-5.11/can-m_can-m_can_do_rx_poll-fix-extraneous-msg-loss-w.patch @@ -0,0 +1,44 @@ +From c6d9ab03f7787b551ac84888c2d3a74d8907a7b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Mar 2021 10:31:52 +0000 +Subject: can: m_can: m_can_do_rx_poll(): fix extraneous msg loss warning + +From: Torin Cooper-Bennun + +[ Upstream commit c0e399f3baf42279f48991554240af8c457535d1 ] + +Message loss from RX FIFO 0 is already handled in +m_can_handle_lost_msg(), with netdev output included. + +Removing this warning also improves driver performance under heavy +load, where m_can_do_rx_poll() may be called many times before this +interrupt is cleared, causing this message to be output many +times (thanks Mariusz Madej for this report). + +Fixes: e0d1f4816f2a ("can: m_can: add Bosch M_CAN controller support") +Link: https://lore.kernel.org/r/20210303103151.3760532-1-torin@maxiluxsystems.com +Reported-by: Mariusz Madej +Signed-off-by: Torin Cooper-Bennun +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/m_can/m_can.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/drivers/net/can/m_can/m_can.c b/drivers/net/can/m_can/m_can.c +index da551fd0f502..678679a8c907 100644 +--- a/drivers/net/can/m_can/m_can.c ++++ b/drivers/net/can/m_can/m_can.c +@@ -501,9 +501,6 @@ static int m_can_do_rx_poll(struct net_device *dev, int quota) + } + + while ((rxfs & RXFS_FFL_MASK) && (quota > 0)) { +- if (rxfs & RXFS_RFL) +- netdev_warn(dev, "Rx FIFO 0 Message Lost\n"); +- + m_can_read_fifo(dev, rxfs); + + quota--; +-- +2.30.1 + diff --git a/queue-5.11/can-m_can-m_can_rx_peripheral-fix-rx-being-blocked-b.patch b/queue-5.11/can-m_can-m_can_rx_peripheral-fix-rx-being-blocked-b.patch new file mode 100644 index 00000000000..d2ed9b3ff39 --- /dev/null +++ b/queue-5.11/can-m_can-m_can_rx_peripheral-fix-rx-being-blocked-b.patch @@ -0,0 +1,42 @@ +From db0818383c08a6368fb082d85a542dd252c9e33f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Mar 2021 14:43:51 +0000 +Subject: can: m_can: m_can_rx_peripheral(): fix RX being blocked by errors + +From: Torin Cooper-Bennun + +[ Upstream commit e98d9ee64ee2cc9b1d1a8e26610ec4d0392ebe50 ] + +For M_CAN peripherals, m_can_rx_handler() was called with quota = 1, +which caused any error handling to block RX from taking place until +the next time the IRQ handler is called. This had been observed to +cause RX to be blocked indefinitely in some cases. + +This is fixed by calling m_can_rx_handler with a sensibly high quota. + +Fixes: f524f829b75a ("can: m_can: Create a m_can platform framework") +Link: https://lore.kernel.org/r/20210303144350.4093750-1-torin@maxiluxsystems.com +Suggested-by: Marc Kleine-Budde +Signed-off-by: Torin Cooper-Bennun +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/m_can/m_can.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/can/m_can/m_can.c b/drivers/net/can/m_can/m_can.c +index 678679a8c907..44b3f4b3aea5 100644 +--- a/drivers/net/can/m_can/m_can.c ++++ b/drivers/net/can/m_can/m_can.c +@@ -873,7 +873,7 @@ static int m_can_rx_peripheral(struct net_device *dev) + { + struct m_can_classdev *cdev = netdev_priv(dev); + +- m_can_rx_handler(dev, 1); ++ m_can_rx_handler(dev, M_CAN_NAPI_WEIGHT); + + m_can_enable_all_interrupts(cdev); + +-- +2.30.1 + diff --git a/queue-5.11/can-peak_usb-add-forgotten-supported-devices.patch b/queue-5.11/can-peak_usb-add-forgotten-supported-devices.patch new file mode 100644 index 00000000000..61ac1d85dc2 --- /dev/null +++ b/queue-5.11/can-peak_usb-add-forgotten-supported-devices.patch @@ -0,0 +1,39 @@ +From 3bc6ecf85ee2d1c48a14676364af0450830223af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Mar 2021 09:21:27 +0100 +Subject: can: peak_usb: add forgotten supported devices + +From: Stephane Grosjean + +[ Upstream commit 59ec7b89ed3e921cd0625a8c83f31a30d485fdf8 ] + +Since the peak_usb driver also supports the CAN-USB interfaces +"PCAN-USB X6" and "PCAN-Chip USB" from PEAK-System GmbH, this patch adds +their names to the list of explicitly supported devices. + +Fixes: ea8b65b596d7 ("can: usb: Add support of PCAN-Chip USB stamp module") +Fixes: f00b534ded60 ("can: peak: Add support for PCAN-USB X6 USB interface") +Link: https://lore.kernel.org/r/20210309082128.23125-3-s.grosjean@peak-system.com +Signed-off-by: Stephane Grosjean +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/usb/peak_usb/pcan_usb_fd.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/can/usb/peak_usb/pcan_usb_fd.c b/drivers/net/can/usb/peak_usb/pcan_usb_fd.c +index f347ecc79aef..f1d018218c93 100644 +--- a/drivers/net/can/usb/peak_usb/pcan_usb_fd.c ++++ b/drivers/net/can/usb/peak_usb/pcan_usb_fd.c +@@ -18,6 +18,8 @@ + + MODULE_SUPPORTED_DEVICE("PEAK-System PCAN-USB FD adapter"); + MODULE_SUPPORTED_DEVICE("PEAK-System PCAN-USB Pro FD adapter"); ++MODULE_SUPPORTED_DEVICE("PEAK-System PCAN-Chip USB"); ++MODULE_SUPPORTED_DEVICE("PEAK-System PCAN-USB X6 adapter"); + + #define PCAN_USBPROFD_CHANNEL_COUNT 2 + #define PCAN_USBFD_CHANNEL_COUNT 1 +-- +2.30.1 + diff --git a/queue-5.11/clk-qcom-gcc-sc7180-use-floor-ops-for-the-correct-sd.patch b/queue-5.11/clk-qcom-gcc-sc7180-use-floor-ops-for-the-correct-sd.patch new file mode 100644 index 00000000000..81baf427894 --- /dev/null +++ b/queue-5.11/clk-qcom-gcc-sc7180-use-floor-ops-for-the-correct-sd.patch @@ -0,0 +1,63 @@ +From 60a43fae8bb15abfc2305fc45b7b85676ad22226 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Feb 2021 09:50:25 -0800 +Subject: clk: qcom: gcc-sc7180: Use floor ops for the correct sdcc1 clk + +From: Douglas Anderson + +[ Upstream commit 148ddaa89d4a0a927c4353398096cc33687755c1 ] + +While picking commit a8cd989e1a57 ("mmc: sdhci-msm: Warn about +overclocking SD/MMC") back to my tree I was surprised that it was +reporting warnings. I thought I fixed those! Looking closer at the +fix, I see that I totally bungled it (or at least I halfway bungled +it). The SD card clock got fixed (and that was the one I was really +focused on fixing), but I totally adjusted the wrong clock for eMMC. +Sigh. Let's fix my dumb mistake. + +Now both SD and eMMC have floor for the "apps" clock. + +This doesn't matter a lot for the final clock rate for HS400 eMMC but +could matter if someone happens to put some slower eMMC on a sc7180. +We also transition through some of these lower rates sometimes and +having them wrong could cause problems during these transitions. +These were the messages I was seeing at boot: + mmc1: Card appears overclocked; req 52000000 Hz, actual 100000000 Hz + mmc1: Card appears overclocked; req 52000000 Hz, actual 100000000 Hz + mmc1: Card appears overclocked; req 104000000 Hz, actual 192000000 Hz + +Fixes: 6d37a8d19283 ("clk: qcom: gcc-sc7180: Use floor ops for sdcc clks") +Signed-off-by: Douglas Anderson +Link: https://lore.kernel.org/r/20210224095013.1.I2e2ba4978cfca06520dfb5d757768f9c42140f7c@changeid +Reviewed-by: Taniya Das +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/gcc-sc7180.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/clk/qcom/gcc-sc7180.c b/drivers/clk/qcom/gcc-sc7180.c +index 88e896abb663..da8b627ca156 100644 +--- a/drivers/clk/qcom/gcc-sc7180.c ++++ b/drivers/clk/qcom/gcc-sc7180.c +@@ -620,7 +620,7 @@ static struct clk_rcg2 gcc_sdcc1_apps_clk_src = { + .name = "gcc_sdcc1_apps_clk_src", + .parent_data = gcc_parent_data_1, + .num_parents = 5, +- .ops = &clk_rcg2_ops, ++ .ops = &clk_rcg2_floor_ops, + }, + }; + +@@ -642,7 +642,7 @@ static struct clk_rcg2 gcc_sdcc1_ice_core_clk_src = { + .name = "gcc_sdcc1_ice_core_clk_src", + .parent_data = gcc_parent_data_0, + .num_parents = 4, +- .ops = &clk_rcg2_floor_ops, ++ .ops = &clk_rcg2_ops, + }, + }; + +-- +2.30.1 + diff --git a/queue-5.11/dm-table-fix-zoned-model-check-and-zone-sectors-chec.patch b/queue-5.11/dm-table-fix-zoned-model-check-and-zone-sectors-chec.patch new file mode 100644 index 00000000000..0893ebe1182 --- /dev/null +++ b/queue-5.11/dm-table-fix-zoned-model-check-and-zone-sectors-chec.patch @@ -0,0 +1,163 @@ +From 7575ca7c4242f5b81b9e26855bd3a26b74b85b64 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Mar 2021 13:36:02 +0900 +Subject: dm table: Fix zoned model check and zone sectors check + +From: Shin'ichiro Kawasaki + +[ Upstream commit 2d669ceb69c276f7637cf760287ca4187add082e ] + +Commit 24f6b6036c9e ("dm table: fix zoned iterate_devices based device +capability checks") triggered dm table load failure when dm-zoned device +is set up for zoned block devices and a regular device for cache. + +The commit inverted logic of two callback functions for iterate_devices: +device_is_zoned_model() and device_matches_zone_sectors(). The logic of +device_is_zoned_model() was inverted then all destination devices of all +targets in dm table are required to have the expected zoned model. This +is fine for dm-linear, dm-flakey and dm-crypt on zoned block devices +since each target has only one destination device. However, this results +in failure for dm-zoned with regular cache device since that target has +both regular block device and zoned block devices. + +As for device_matches_zone_sectors(), the commit inverted the logic to +require all zoned block devices in each target have the specified +zone_sectors. This check also fails for regular block device which does +not have zones. + +To avoid the check failures, fix the zone model check and the zone +sectors check. For zone model check, introduce the new feature flag +DM_TARGET_MIXED_ZONED_MODEL, and set it to dm-zoned target. When the +target has this flag, allow it to have destination devices with any +zoned model. For zone sectors check, skip the check if the destination +device is not a zoned block device. Also add comments and improve an +error message to clarify expectations to the two checks. + +Fixes: 24f6b6036c9e ("dm table: fix zoned iterate_devices based device capability checks") +Signed-off-by: Shin'ichiro Kawasaki +Signed-off-by: Damien Le Moal +Signed-off-by: Mike Snitzer +Signed-off-by: Sasha Levin +--- + drivers/md/dm-table.c | 33 +++++++++++++++++++++++++-------- + drivers/md/dm-zoned-target.c | 2 +- + include/linux/device-mapper.h | 15 ++++++++++++++- + 3 files changed, 40 insertions(+), 10 deletions(-) + +diff --git a/drivers/md/dm-table.c b/drivers/md/dm-table.c +index 77086db8b920..7291fd3106ff 100644 +--- a/drivers/md/dm-table.c ++++ b/drivers/md/dm-table.c +@@ -1380,6 +1380,13 @@ static int device_not_zoned_model(struct dm_target *ti, struct dm_dev *dev, + return !q || blk_queue_zoned_model(q) != *zoned_model; + } + ++/* ++ * Check the device zoned model based on the target feature flag. If the target ++ * has the DM_TARGET_ZONED_HM feature flag set, host-managed zoned devices are ++ * also accepted but all devices must have the same zoned model. If the target ++ * has the DM_TARGET_MIXED_ZONED_MODEL feature set, the devices can have any ++ * zoned model with all zoned devices having the same zone size. ++ */ + static bool dm_table_supports_zoned_model(struct dm_table *t, + enum blk_zoned_model zoned_model) + { +@@ -1389,13 +1396,15 @@ static bool dm_table_supports_zoned_model(struct dm_table *t, + for (i = 0; i < dm_table_get_num_targets(t); i++) { + ti = dm_table_get_target(t, i); + +- if (zoned_model == BLK_ZONED_HM && +- !dm_target_supports_zoned_hm(ti->type)) +- return false; +- +- if (!ti->type->iterate_devices || +- ti->type->iterate_devices(ti, device_not_zoned_model, &zoned_model)) +- return false; ++ if (dm_target_supports_zoned_hm(ti->type)) { ++ if (!ti->type->iterate_devices || ++ ti->type->iterate_devices(ti, device_not_zoned_model, ++ &zoned_model)) ++ return false; ++ } else if (!dm_target_supports_mixed_zoned_model(ti->type)) { ++ if (zoned_model == BLK_ZONED_HM) ++ return false; ++ } + } + + return true; +@@ -1407,9 +1416,17 @@ static int device_not_matches_zone_sectors(struct dm_target *ti, struct dm_dev * + struct request_queue *q = bdev_get_queue(dev->bdev); + unsigned int *zone_sectors = data; + ++ if (!blk_queue_is_zoned(q)) ++ return 0; ++ + return !q || blk_queue_zone_sectors(q) != *zone_sectors; + } + ++/* ++ * Check consistency of zoned model and zone sectors across all targets. For ++ * zone sectors, if the destination device is a zoned block device, it shall ++ * have the specified zone_sectors. ++ */ + static int validate_hardware_zoned_model(struct dm_table *table, + enum blk_zoned_model zoned_model, + unsigned int zone_sectors) +@@ -1428,7 +1445,7 @@ static int validate_hardware_zoned_model(struct dm_table *table, + return -EINVAL; + + if (dm_table_any_dev_attr(table, device_not_matches_zone_sectors, &zone_sectors)) { +- DMERR("%s: zone sectors is not consistent across all devices", ++ DMERR("%s: zone sectors is not consistent across all zoned devices", + dm_device_name(table->md)); + return -EINVAL; + } +diff --git a/drivers/md/dm-zoned-target.c b/drivers/md/dm-zoned-target.c +index 697f9de37355..7e88df64d197 100644 +--- a/drivers/md/dm-zoned-target.c ++++ b/drivers/md/dm-zoned-target.c +@@ -1143,7 +1143,7 @@ static int dmz_message(struct dm_target *ti, unsigned int argc, char **argv, + static struct target_type dmz_type = { + .name = "zoned", + .version = {2, 0, 0}, +- .features = DM_TARGET_SINGLETON | DM_TARGET_ZONED_HM, ++ .features = DM_TARGET_SINGLETON | DM_TARGET_MIXED_ZONED_MODEL, + .module = THIS_MODULE, + .ctr = dmz_ctr, + .dtr = dmz_dtr, +diff --git a/include/linux/device-mapper.h b/include/linux/device-mapper.h +index d2d7f9b6a276..50cc070cb1f7 100644 +--- a/include/linux/device-mapper.h ++++ b/include/linux/device-mapper.h +@@ -246,7 +246,11 @@ struct target_type { + #define dm_target_passes_integrity(type) ((type)->features & DM_TARGET_PASSES_INTEGRITY) + + /* +- * Indicates that a target supports host-managed zoned block devices. ++ * Indicates support for zoned block devices: ++ * - DM_TARGET_ZONED_HM: the target also supports host-managed zoned ++ * block devices but does not support combining different zoned models. ++ * - DM_TARGET_MIXED_ZONED_MODEL: the target supports combining multiple ++ * devices with different zoned models. + */ + #define DM_TARGET_ZONED_HM 0x00000040 + #define dm_target_supports_zoned_hm(type) ((type)->features & DM_TARGET_ZONED_HM) +@@ -257,6 +261,15 @@ struct target_type { + #define DM_TARGET_NOWAIT 0x00000080 + #define dm_target_supports_nowait(type) ((type)->features & DM_TARGET_NOWAIT) + ++#ifdef CONFIG_BLK_DEV_ZONED ++#define DM_TARGET_MIXED_ZONED_MODEL 0x00000200 ++#define dm_target_supports_mixed_zoned_model(type) \ ++ ((type)->features & DM_TARGET_MIXED_ZONED_MODEL) ++#else ++#define DM_TARGET_MIXED_ZONED_MODEL 0x00000000 ++#define dm_target_supports_mixed_zoned_model(type) (false) ++#endif ++ + struct dm_target { + struct dm_table *table; + struct target_type *type; +-- +2.30.1 + diff --git a/queue-5.11/drm-msm-dsi-fix-check-before-set-in-the-7nm-dsi_pll-.patch b/queue-5.11/drm-msm-dsi-fix-check-before-set-in-the-7nm-dsi_pll-.patch new file mode 100644 index 00000000000..6c9c708e936 --- /dev/null +++ b/queue-5.11/drm-msm-dsi-fix-check-before-set-in-the-7nm-dsi_pll-.patch @@ -0,0 +1,82 @@ +From a3e476b3ec9a8053b82115749458512af69c20fd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Feb 2021 01:47:51 +0300 +Subject: drm/msm/dsi: fix check-before-set in the 7nm dsi_pll code + +From: Dmitry Baryshkov + +[ Upstream commit 3b24cdfc721a5f1098da22f9f68ff5f4a5efccc9 ] + +Fix setting min/max DSI PLL rate for the V4.1 7nm DSI PLL (used on +sm8250). Current code checks for pll->type before it is set (as it is +set in the msm_dsi_pll_init() after calling device-specific functions. + +Cc: Jonathan Marek +Fixes: 1ef7c99d145c ("drm/msm/dsi: add support for 7nm DSI PHY/PLL") +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dsi/pll/dsi_pll.c | 2 +- + drivers/gpu/drm/msm/dsi/pll/dsi_pll.h | 6 ++++-- + drivers/gpu/drm/msm/dsi/pll/dsi_pll_7nm.c | 5 +++-- + 3 files changed, 8 insertions(+), 5 deletions(-) + +diff --git a/drivers/gpu/drm/msm/dsi/pll/dsi_pll.c b/drivers/gpu/drm/msm/dsi/pll/dsi_pll.c +index a45fe95aff49..3dc65877fa10 100644 +--- a/drivers/gpu/drm/msm/dsi/pll/dsi_pll.c ++++ b/drivers/gpu/drm/msm/dsi/pll/dsi_pll.c +@@ -163,7 +163,7 @@ struct msm_dsi_pll *msm_dsi_pll_init(struct platform_device *pdev, + break; + case MSM_DSI_PHY_7NM: + case MSM_DSI_PHY_7NM_V4_1: +- pll = msm_dsi_pll_7nm_init(pdev, id); ++ pll = msm_dsi_pll_7nm_init(pdev, type, id); + break; + default: + pll = ERR_PTR(-ENXIO); +diff --git a/drivers/gpu/drm/msm/dsi/pll/dsi_pll.h b/drivers/gpu/drm/msm/dsi/pll/dsi_pll.h +index 3405982a092c..bbecb1de5678 100644 +--- a/drivers/gpu/drm/msm/dsi/pll/dsi_pll.h ++++ b/drivers/gpu/drm/msm/dsi/pll/dsi_pll.h +@@ -117,10 +117,12 @@ msm_dsi_pll_10nm_init(struct platform_device *pdev, int id) + } + #endif + #ifdef CONFIG_DRM_MSM_DSI_7NM_PHY +-struct msm_dsi_pll *msm_dsi_pll_7nm_init(struct platform_device *pdev, int id); ++struct msm_dsi_pll *msm_dsi_pll_7nm_init(struct platform_device *pdev, ++ enum msm_dsi_phy_type type, int id); + #else + static inline struct msm_dsi_pll * +-msm_dsi_pll_7nm_init(struct platform_device *pdev, int id) ++msm_dsi_pll_7nm_init(struct platform_device *pdev, ++ enum msm_dsi_phy_type type, int id) + { + return ERR_PTR(-ENODEV); + } +diff --git a/drivers/gpu/drm/msm/dsi/pll/dsi_pll_7nm.c b/drivers/gpu/drm/msm/dsi/pll/dsi_pll_7nm.c +index 93bf142e4a4e..c1f6708367ae 100644 +--- a/drivers/gpu/drm/msm/dsi/pll/dsi_pll_7nm.c ++++ b/drivers/gpu/drm/msm/dsi/pll/dsi_pll_7nm.c +@@ -852,7 +852,8 @@ err_base_clk_hw: + return ret; + } + +-struct msm_dsi_pll *msm_dsi_pll_7nm_init(struct platform_device *pdev, int id) ++struct msm_dsi_pll *msm_dsi_pll_7nm_init(struct platform_device *pdev, ++ enum msm_dsi_phy_type type, int id) + { + struct dsi_pll_7nm *pll_7nm; + struct msm_dsi_pll *pll; +@@ -885,7 +886,7 @@ struct msm_dsi_pll *msm_dsi_pll_7nm_init(struct platform_device *pdev, int id) + pll = &pll_7nm->base; + pll->min_rate = 1000000000UL; + pll->max_rate = 3500000000UL; +- if (pll->type == MSM_DSI_PHY_7NM_V4_1) { ++ if (type == MSM_DSI_PHY_7NM_V4_1) { + pll->min_rate = 600000000UL; + pll->max_rate = (unsigned long)5000000000ULL; + /* workaround for max rate overflowing on 32-bit builds: */ +-- +2.30.1 + diff --git a/queue-5.11/drm-msm-fix-shutdown-hook-in-case-gpu-components-fai.patch b/queue-5.11/drm-msm-fix-shutdown-hook-in-case-gpu-components-fai.patch new file mode 100644 index 00000000000..4c8fbc39460 --- /dev/null +++ b/queue-5.11/drm-msm-fix-shutdown-hook-in-case-gpu-components-fai.patch @@ -0,0 +1,95 @@ +From 94052f50607ab1f526f8601b237d53d5e08249f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 20 Mar 2021 08:56:02 -0300 +Subject: drm/msm: fix shutdown hook in case GPU components failed to bind + +From: Dmitry Baryshkov + +[ Upstream commit 623f279c77811475ac8fd5635cc4e4451aa71291 ] + +If GPU components have failed to bind, shutdown callback would fail with +the following backtrace. Add safeguard check to stop that oops from +happening and allow the board to reboot. + +[ 66.617046] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 +[ 66.626066] Mem abort info: +[ 66.628939] ESR = 0x96000006 +[ 66.632088] EC = 0x25: DABT (current EL), IL = 32 bits +[ 66.637542] SET = 0, FnV = 0 +[ 66.640688] EA = 0, S1PTW = 0 +[ 66.643924] Data abort info: +[ 66.646889] ISV = 0, ISS = 0x00000006 +[ 66.650832] CM = 0, WnR = 0 +[ 66.653890] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000107f81000 +[ 66.660505] [0000000000000000] pgd=0000000100bb2003, p4d=0000000100bb2003, pud=0000000100897003, pmd=0000000000000000 +[ 66.671398] Internal error: Oops: 96000006 [#1] PREEMPT SMP +[ 66.677115] Modules linked in: +[ 66.680261] CPU: 6 PID: 352 Comm: reboot Not tainted 5.11.0-rc2-00309-g79e3faa756b2 #38 +[ 66.688473] Hardware name: Qualcomm Technologies, Inc. Robotics RB5 (DT) +[ 66.695347] pstate: 60400005 (nZCv daif +PAN -UAO -TCO BTYPE=--) +[ 66.701507] pc : msm_atomic_commit_tail+0x78/0x4e0 +[ 66.706437] lr : commit_tail+0xa4/0x184 +[ 66.710381] sp : ffff8000108f3af0 +[ 66.713791] x29: ffff8000108f3af0 x28: ffff418c44337000 +[ 66.719242] x27: 0000000000000000 x26: ffff418c40a24490 +[ 66.724693] x25: ffffd3a842a4f1a0 x24: 0000000000000008 +[ 66.730146] x23: ffffd3a84313f030 x22: ffff418c444ce000 +[ 66.735598] x21: ffff418c408a4980 x20: 0000000000000000 +[ 66.741049] x19: 0000000000000000 x18: ffff800010710fbc +[ 66.746500] x17: 000000000000000c x16: 0000000000000001 +[ 66.751954] x15: 0000000000010008 x14: 0000000000000068 +[ 66.757405] x13: 0000000000000001 x12: 0000000000000000 +[ 66.762855] x11: 0000000000000001 x10: 00000000000009b0 +[ 66.768306] x9 : ffffd3a843192000 x8 : ffff418c44337000 +[ 66.773757] x7 : 0000000000000000 x6 : 00000000a401b34e +[ 66.779210] x5 : 00ffffffffffffff x4 : 0000000000000000 +[ 66.784660] x3 : 0000000000000000 x2 : ffff418c444ce000 +[ 66.790111] x1 : ffffd3a841dce530 x0 : ffff418c444cf000 +[ 66.795563] Call trace: +[ 66.798075] msm_atomic_commit_tail+0x78/0x4e0 +[ 66.802633] commit_tail+0xa4/0x184 +[ 66.806217] drm_atomic_helper_commit+0x160/0x390 +[ 66.811051] drm_atomic_commit+0x4c/0x60 +[ 66.815082] drm_atomic_helper_disable_all+0x1f4/0x210 +[ 66.820355] drm_atomic_helper_shutdown+0x80/0x130 +[ 66.825276] msm_pdev_shutdown+0x14/0x20 +[ 66.829303] platform_shutdown+0x28/0x40 +[ 66.833330] device_shutdown+0x158/0x330 +[ 66.837357] kernel_restart+0x40/0xa0 +[ 66.841122] __do_sys_reboot+0x228/0x250 +[ 66.845148] __arm64_sys_reboot+0x28/0x34 +[ 66.849264] el0_svc_common.constprop.0+0x74/0x190 +[ 66.854187] do_el0_svc+0x24/0x90 +[ 66.857595] el0_svc+0x14/0x20 +[ 66.860739] el0_sync_handler+0x1a4/0x1b0 +[ 66.864858] el0_sync+0x174/0x180 +[ 66.868269] Code: 1ac020a0 2a000273 eb02007f 54ffff01 (f9400285) +[ 66.874525] ---[ end trace 20dedb2a3229fec8 ]--- + +Fixes: 9d5cbf5fe46e ("drm/msm: add shutdown support for display platform_driver") +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Fabio Estevam +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/msm_drv.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/gpu/drm/msm/msm_drv.c b/drivers/gpu/drm/msm/msm_drv.c +index 94525ac76d4e..fd2ac54caf9f 100644 +--- a/drivers/gpu/drm/msm/msm_drv.c ++++ b/drivers/gpu/drm/msm/msm_drv.c +@@ -1311,6 +1311,10 @@ static int msm_pdev_remove(struct platform_device *pdev) + static void msm_pdev_shutdown(struct platform_device *pdev) + { + struct drm_device *drm = platform_get_drvdata(pdev); ++ struct msm_drm_private *priv = drm ? drm->dev_private : NULL; ++ ++ if (!priv || !priv->kms) ++ return; + + drm_atomic_helper_shutdown(drm); + } +-- +2.30.1 + diff --git a/queue-5.11/drm-msm-fix-suspend-resume-on-i.mx5.patch b/queue-5.11/drm-msm-fix-suspend-resume-on-i.mx5.patch new file mode 100644 index 00000000000..ecb86bf3fa1 --- /dev/null +++ b/queue-5.11/drm-msm-fix-suspend-resume-on-i.mx5.patch @@ -0,0 +1,79 @@ +From f218618d397071dfba9e2ea0509d3efe721e055b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 20 Mar 2021 08:56:03 -0300 +Subject: drm/msm: Fix suspend/resume on i.MX5 + +From: Fabio Estevam + +[ Upstream commit a9748134ea4aad989e52a6a91479e0acfd306e5b ] + +When putting iMX5 into suspend, the following flow is +observed: + +[ 70.023427] [] (msm_atomic_commit_tail) from [] +(commit_tail+0x9c/0x18c) +[ 70.031890] [] (commit_tail) from [] +(drm_atomic_helper_commit+0x1a0/0x1d4) +[ 70.040627] [] (drm_atomic_helper_commit) from +[] (drm_atomic_helper_disable_all+0x1c4/0x1d4) +[ 70.050913] [] (drm_atomic_helper_disable_all) from +[] (drm_atomic_helper_suspend+0xb8/0x170) +[ 70.061198] [] (drm_atomic_helper_suspend) from +[] (drm_mode_config_helper_suspend+0x24/0x58) + +In the i.MX5 case, priv->kms is not populated (as i.MX5 does not use any +of the Qualcomm display controllers), causing a NULL pointer +dereference in msm_atomic_commit_tail(): + +[ 24.268964] 8<--- cut here --- +[ 24.274602] Unable to handle kernel NULL pointer dereference at +virtual address 00000000 +[ 24.283434] pgd = (ptrval) +[ 24.286387] [00000000] *pgd=ca212831 +[ 24.290788] Internal error: Oops: 17 [#1] SMP ARM +[ 24.295609] Modules linked in: +[ 24.298777] CPU: 0 PID: 197 Comm: init Not tainted 5.11.0-rc2-next-20210111 #333 +[ 24.306276] Hardware name: Freescale i.MX53 (Device Tree Support) +[ 24.312442] PC is at msm_atomic_commit_tail+0x54/0xb9c +[ 24.317743] LR is at commit_tail+0xa4/0x1b0 + +Fix the problem by calling drm_mode_config_helper_suspend/resume() +only when priv->kms is available. + +Fixes: ca8199f13498 ("drm/msm/dpu: ensure device suspend happens during PM sleep") +Signed-off-by: Fabio Estevam +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/msm_drv.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/gpu/drm/msm/msm_drv.c b/drivers/gpu/drm/msm/msm_drv.c +index fd2ac54caf9f..a5c6b8c23336 100644 +--- a/drivers/gpu/drm/msm/msm_drv.c ++++ b/drivers/gpu/drm/msm/msm_drv.c +@@ -1072,6 +1072,10 @@ static int __maybe_unused msm_pm_resume(struct device *dev) + static int __maybe_unused msm_pm_prepare(struct device *dev) + { + struct drm_device *ddev = dev_get_drvdata(dev); ++ struct msm_drm_private *priv = ddev ? ddev->dev_private : NULL; ++ ++ if (!priv || !priv->kms) ++ return 0; + + return drm_mode_config_helper_suspend(ddev); + } +@@ -1079,6 +1083,10 @@ static int __maybe_unused msm_pm_prepare(struct device *dev) + static void __maybe_unused msm_pm_complete(struct device *dev) + { + struct drm_device *ddev = dev_get_drvdata(dev); ++ struct msm_drm_private *priv = ddev ? ddev->dev_private : NULL; ++ ++ if (!priv || !priv->kms) ++ return; + + drm_mode_config_helper_resume(ddev); + } +-- +2.30.1 + diff --git a/queue-5.11/drop_monitor-perform-cleanup-upon-probe-registration.patch b/queue-5.11/drop_monitor-perform-cleanup-upon-probe-registration.patch new file mode 100644 index 00000000000..68cd6406420 --- /dev/null +++ b/queue-5.11/drop_monitor-perform-cleanup-upon-probe-registration.patch @@ -0,0 +1,135 @@ +From 8061c9fdfc1662d2ee5da3ac737f0bf9241bc0fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Mar 2021 12:28:01 +0200 +Subject: drop_monitor: Perform cleanup upon probe registration failure + +From: Ido Schimmel + +[ Upstream commit 9398e9c0b1d44eeb700e9e766c02bcc765c82570 ] + +In the rare case that drop_monitor fails to register its probe on the +'napi_poll' tracepoint, it will not deactivate its hysteresis timer as +part of the error path. If the hysteresis timer was armed by the shortly +lived 'kfree_skb' probe and user space retries to initiate tracing, a +warning will be emitted for trying to initialize an active object [1]. + +Fix this by properly undoing all the operations that were done prior to +probe registration, in both software and hardware code paths. + +Note that syzkaller managed to fail probe registration by injecting a +slab allocation failure [2]. + +[1] +ODEBUG: init active (active state 0) object type: timer_list hint: sched_send_work+0x0/0x60 include/linux/list.h:135 +WARNING: CPU: 1 PID: 8649 at lib/debugobjects.c:505 debug_print_object+0x16e/0x250 lib/debugobjects.c:505 +Modules linked in: +CPU: 1 PID: 8649 Comm: syz-executor.0 Not tainted 5.11.0-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +RIP: 0010:debug_print_object+0x16e/0x250 lib/debugobjects.c:505 +[...] +Call Trace: + __debug_object_init+0x524/0xd10 lib/debugobjects.c:588 + debug_timer_init kernel/time/timer.c:722 [inline] + debug_init kernel/time/timer.c:770 [inline] + init_timer_key+0x2d/0x340 kernel/time/timer.c:814 + net_dm_trace_on_set net/core/drop_monitor.c:1111 [inline] + set_all_monitor_traces net/core/drop_monitor.c:1188 [inline] + net_dm_monitor_start net/core/drop_monitor.c:1295 [inline] + net_dm_cmd_trace+0x720/0x1220 net/core/drop_monitor.c:1339 + genl_family_rcv_msg_doit+0x228/0x320 net/netlink/genetlink.c:739 + genl_family_rcv_msg net/netlink/genetlink.c:783 [inline] + genl_rcv_msg+0x328/0x580 net/netlink/genetlink.c:800 + netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2502 + genl_rcv+0x24/0x40 net/netlink/genetlink.c:811 + netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline] + netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338 + netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927 + sock_sendmsg_nosec net/socket.c:652 [inline] + sock_sendmsg+0xcf/0x120 net/socket.c:672 + ____sys_sendmsg+0x6e8/0x810 net/socket.c:2348 + ___sys_sendmsg+0xf3/0x170 net/socket.c:2402 + __sys_sendmsg+0xe5/0x1b0 net/socket.c:2435 + do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +[2] + FAULT_INJECTION: forcing a failure. + name failslab, interval 1, probability 0, space 0, times 1 + CPU: 1 PID: 8645 Comm: syz-executor.0 Not tainted 5.11.0-syzkaller #0 + Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 + Call Trace: + dump_stack+0xfa/0x151 + should_fail.cold+0x5/0xa + should_failslab+0x5/0x10 + __kmalloc+0x72/0x3f0 + tracepoint_add_func+0x378/0x990 + tracepoint_probe_register+0x9c/0xe0 + net_dm_cmd_trace+0x7fc/0x1220 + genl_family_rcv_msg_doit+0x228/0x320 + genl_rcv_msg+0x328/0x580 + netlink_rcv_skb+0x153/0x420 + genl_rcv+0x24/0x40 + netlink_unicast+0x533/0x7d0 + netlink_sendmsg+0x856/0xd90 + sock_sendmsg+0xcf/0x120 + ____sys_sendmsg+0x6e8/0x810 + ___sys_sendmsg+0xf3/0x170 + __sys_sendmsg+0xe5/0x1b0 + do_syscall_64+0x2d/0x70 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +Fixes: 70c69274f354 ("drop_monitor: Initialize timer and work item upon tracing enable") +Fixes: 8ee2267ad33e ("drop_monitor: Convert to using devlink tracepoint") +Reported-by: syzbot+779559d6503f3a56213d@syzkaller.appspotmail.com +Signed-off-by: Ido Schimmel +Reviewed-by: Jiri Pirko +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/drop_monitor.c | 23 +++++++++++++++++++++++ + 1 file changed, 23 insertions(+) + +diff --git a/net/core/drop_monitor.c b/net/core/drop_monitor.c +index 571f191c06d9..db65ce62b625 100644 +--- a/net/core/drop_monitor.c ++++ b/net/core/drop_monitor.c +@@ -1053,6 +1053,20 @@ static int net_dm_hw_monitor_start(struct netlink_ext_ack *extack) + return 0; + + err_module_put: ++ for_each_possible_cpu(cpu) { ++ struct per_cpu_dm_data *hw_data = &per_cpu(dm_hw_cpu_data, cpu); ++ struct sk_buff *skb; ++ ++ del_timer_sync(&hw_data->send_timer); ++ cancel_work_sync(&hw_data->dm_alert_work); ++ while ((skb = __skb_dequeue(&hw_data->drop_queue))) { ++ struct devlink_trap_metadata *hw_metadata; ++ ++ hw_metadata = NET_DM_SKB_CB(skb)->hw_metadata; ++ net_dm_hw_metadata_free(hw_metadata); ++ consume_skb(skb); ++ } ++ } + module_put(THIS_MODULE); + return rc; + } +@@ -1134,6 +1148,15 @@ static int net_dm_trace_on_set(struct netlink_ext_ack *extack) + err_unregister_trace: + unregister_trace_kfree_skb(ops->kfree_skb_probe, NULL); + err_module_put: ++ for_each_possible_cpu(cpu) { ++ struct per_cpu_dm_data *data = &per_cpu(dm_cpu_data, cpu); ++ struct sk_buff *skb; ++ ++ del_timer_sync(&data->send_timer); ++ cancel_work_sync(&data->dm_alert_work); ++ while ((skb = __skb_dequeue(&data->drop_queue))) ++ consume_skb(skb); ++ } + module_put(THIS_MODULE); + return rc; + } +-- +2.30.1 + diff --git a/queue-5.11/e1000e-add-rtnl_lock-to-e1000_reset_task.patch b/queue-5.11/e1000e-add-rtnl_lock-to-e1000_reset_task.patch new file mode 100644 index 00000000000..175f24e3e3b --- /dev/null +++ b/queue-5.11/e1000e-add-rtnl_lock-to-e1000_reset_task.patch @@ -0,0 +1,54 @@ +From b2c722a40d139be95942402fd7d94101a1cf6b04 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Oct 2020 14:59:37 +0300 +Subject: e1000e: add rtnl_lock() to e1000_reset_task + +From: Vitaly Lifshits + +[ Upstream commit 21f857f0321d0d0ea9b1a758bd55dc63d1cb2437 ] + +A possible race condition was found in e1000_reset_task, +after discovering a similar issue in igb driver via +commit 024a8168b749 ("igb: reinit_locked() should be called +with rtnl_lock"). + +Added rtnl_lock() and rtnl_unlock() to avoid this. + +Fixes: bc7f75fa9788 ("[E1000E]: New pci-express e1000 driver (currently for ICH9 devices only)") +Suggested-by: Jakub Kicinski +Signed-off-by: Vitaly Lifshits +Tested-by: Dvora Fuxbrumer +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/e1000e/netdev.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/e1000e/netdev.c b/drivers/net/ethernet/intel/e1000e/netdev.c +index e9b82c209c2d..a0948002ddf8 100644 +--- a/drivers/net/ethernet/intel/e1000e/netdev.c ++++ b/drivers/net/ethernet/intel/e1000e/netdev.c +@@ -5974,15 +5974,19 @@ static void e1000_reset_task(struct work_struct *work) + struct e1000_adapter *adapter; + adapter = container_of(work, struct e1000_adapter, reset_task); + ++ rtnl_lock(); + /* don't run the task if already down */ +- if (test_bit(__E1000_DOWN, &adapter->state)) ++ if (test_bit(__E1000_DOWN, &adapter->state)) { ++ rtnl_unlock(); + return; ++ } + + if (!(adapter->flags & FLAG_RESTART_NOW)) { + e1000e_dump(adapter); + e_err("Reset adapter unexpectedly\n"); + } + e1000e_reinit_locked(adapter); ++ rtnl_unlock(); + } + + /** +-- +2.30.1 + diff --git a/queue-5.11/e1000e-fix-error-handling-in-e1000_set_d0_lplu_state.patch b/queue-5.11/e1000e-fix-error-handling-in-e1000_set_d0_lplu_state.patch new file mode 100644 index 00000000000..3c63c7ad756 --- /dev/null +++ b/queue-5.11/e1000e-fix-error-handling-in-e1000_set_d0_lplu_state.patch @@ -0,0 +1,40 @@ +From c88d28d3bdfbc98ea0593f1484afa9c115b84fb1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 Feb 2021 17:44:23 +0800 +Subject: e1000e: Fix error handling in e1000_set_d0_lplu_state_82571 + +From: Dinghao Liu + +[ Upstream commit b52912b8293f2c496f42583e65599aee606a0c18 ] + +There is one e1e_wphy() call in e1000_set_d0_lplu_state_82571 +that we have caught its return value but lack further handling. +Check and terminate the execution flow just like other e1e_wphy() +in this function. + +Fixes: bc7f75fa9788 ("[E1000E]: New pci-express e1000 driver (currently for ICH9 devices only)") +Signed-off-by: Dinghao Liu +Acked-by: Sasha Neftin +Tested-by: Dvora Fuxbrumer +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/e1000e/82571.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/intel/e1000e/82571.c b/drivers/net/ethernet/intel/e1000e/82571.c +index 88faf05e23ba..0b1e890dd583 100644 +--- a/drivers/net/ethernet/intel/e1000e/82571.c ++++ b/drivers/net/ethernet/intel/e1000e/82571.c +@@ -899,6 +899,8 @@ static s32 e1000_set_d0_lplu_state_82571(struct e1000_hw *hw, bool active) + } else { + data &= ~IGP02E1000_PM_D0_LPLU; + ret_val = e1e_wphy(hw, IGP02E1000_PHY_POWER_MGMT, data); ++ if (ret_val) ++ return ret_val; + /* LPLU and SmartSpeed are mutually exclusive. LPLU is used + * during Dx states where the power conservation is most + * important. During driver activity we should enable +-- +2.30.1 + diff --git a/queue-5.11/flow_dissector-fix-byteorder-of-dissected-icmp-id.patch b/queue-5.11/flow_dissector-fix-byteorder-of-dissected-icmp-id.patch new file mode 100644 index 00000000000..f5cc6fa2126 --- /dev/null +++ b/queue-5.11/flow_dissector-fix-byteorder-of-dissected-icmp-id.patch @@ -0,0 +1,42 @@ +From 6e02a78b61c85941f42670d64cbc0bd685319b37 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Mar 2021 20:08:57 +0000 +Subject: flow_dissector: fix byteorder of dissected ICMP ID + +From: Alexander Lobakin + +[ Upstream commit a25f822285420486f5da434efc8d940d42a83bce ] + +flow_dissector_key_icmp::id is of type u16 (CPU byteorder), +ICMP header has its ID field in network byteorder obviously. +Sparse says: + +net/core/flow_dissector.c:178:43: warning: restricted __be16 degrades to integer + +Convert ID value to CPU byteorder when storing it into +flow_dissector_key_icmp. + +Fixes: 5dec597e5cd0 ("flow_dissector: extract more ICMP information") +Signed-off-by: Alexander Lobakin +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/flow_dissector.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c +index 6f1adba6695f..7a06d4301617 100644 +--- a/net/core/flow_dissector.c ++++ b/net/core/flow_dissector.c +@@ -175,7 +175,7 @@ void skb_flow_get_icmp_tci(const struct sk_buff *skb, + * avoid confusion with packets without such field + */ + if (icmp_has_id(ih->type)) +- key_icmp->id = ih->un.echo.id ? : 1; ++ key_icmp->id = ih->un.echo.id ? ntohs(ih->un.echo.id) : 1; + else + key_icmp->id = 0; + } +-- +2.30.1 + diff --git a/queue-5.11/ftgmac100-restart-mac-hw-once.patch b/queue-5.11/ftgmac100-restart-mac-hw-once.patch new file mode 100644 index 00000000000..b3ed72a9bfe --- /dev/null +++ b/queue-5.11/ftgmac100-restart-mac-hw-once.patch @@ -0,0 +1,38 @@ +From 336fd5bec8ebfc39508049026090b87daca0315d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Mar 2021 11:04:05 +1030 +Subject: ftgmac100: Restart MAC HW once + +From: Dylan Hung + +[ Upstream commit 6897087323a2fde46df32917462750c069668b2f ] + +The interrupt handler may set the flag to reset the mac in the future, +but that flag is not cleared once the reset has occurred. + +Fixes: 10cbd6407609 ("ftgmac100: Rework NAPI & interrupts handling") +Signed-off-by: Dylan Hung +Acked-by: Benjamin Herrenschmidt +Reviewed-by: Joel Stanley +Signed-off-by: Joel Stanley +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/faraday/ftgmac100.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/faraday/ftgmac100.c b/drivers/net/ethernet/faraday/ftgmac100.c +index 88bfe2107938..04421aec2dfd 100644 +--- a/drivers/net/ethernet/faraday/ftgmac100.c ++++ b/drivers/net/ethernet/faraday/ftgmac100.c +@@ -1337,6 +1337,7 @@ static int ftgmac100_poll(struct napi_struct *napi, int budget) + */ + if (unlikely(priv->need_mac_restart)) { + ftgmac100_start_hw(priv); ++ priv->need_mac_restart = false; + + /* Re-enable "bad" interrupts */ + iowrite32(FTGMAC100_INT_BAD, +-- +2.30.1 + diff --git a/queue-5.11/ftrace-fix-modify_ftrace_direct.patch b/queue-5.11/ftrace-fix-modify_ftrace_direct.patch new file mode 100644 index 00000000000..c474551d363 --- /dev/null +++ b/queue-5.11/ftrace-fix-modify_ftrace_direct.patch @@ -0,0 +1,121 @@ +From bb0a5298c02cc51107cfdb28962faf80690b7272 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Mar 2021 12:58:15 -0700 +Subject: ftrace: Fix modify_ftrace_direct. + +From: Alexei Starovoitov + +[ Upstream commit 8a141dd7f7060d1e64c14a5257e0babae20ac99b ] + +The following sequence of commands: + register_ftrace_direct(ip, addr1); + modify_ftrace_direct(ip, addr1, addr2); + unregister_ftrace_direct(ip, addr2); +will cause the kernel to warn: +[ 30.179191] WARNING: CPU: 2 PID: 1961 at kernel/trace/ftrace.c:5223 unregister_ftrace_direct+0x130/0x150 +[ 30.180556] CPU: 2 PID: 1961 Comm: test_progs W O 5.12.0-rc2-00378-g86bc10a0a711-dirty #3246 +[ 30.182453] RIP: 0010:unregister_ftrace_direct+0x130/0x150 + +When modify_ftrace_direct() changes the addr from old to new it should update +the addr stored in ftrace_direct_funcs. Otherwise the final +unregister_ftrace_direct() won't find the address and will cause the splat. + +Fixes: 0567d6809182 ("ftrace: Add modify_ftrace_direct()") +Signed-off-by: Alexei Starovoitov +Signed-off-by: Daniel Borkmann +Reviewed-by: Steven Rostedt (VMware) +Link: https://lore.kernel.org/bpf/20210316195815.34714-1-alexei.starovoitov@gmail.com +Signed-off-by: Sasha Levin +--- + kernel/trace/ftrace.c | 43 ++++++++++++++++++++++++++++++++++++++----- + 1 file changed, 38 insertions(+), 5 deletions(-) + +diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c +index 4d8e35575549..b7e29db127fa 100644 +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -5045,6 +5045,20 @@ struct ftrace_direct_func *ftrace_find_direct_func(unsigned long addr) + return NULL; + } + ++static struct ftrace_direct_func *ftrace_alloc_direct_func(unsigned long addr) ++{ ++ struct ftrace_direct_func *direct; ++ ++ direct = kmalloc(sizeof(*direct), GFP_KERNEL); ++ if (!direct) ++ return NULL; ++ direct->addr = addr; ++ direct->count = 0; ++ list_add_rcu(&direct->next, &ftrace_direct_funcs); ++ ftrace_direct_func_count++; ++ return direct; ++} ++ + /** + * register_ftrace_direct - Call a custom trampoline directly + * @ip: The address of the nop at the beginning of a function +@@ -5120,15 +5134,11 @@ int register_ftrace_direct(unsigned long ip, unsigned long addr) + + direct = ftrace_find_direct_func(addr); + if (!direct) { +- direct = kmalloc(sizeof(*direct), GFP_KERNEL); ++ direct = ftrace_alloc_direct_func(addr); + if (!direct) { + kfree(entry); + goto out_unlock; + } +- direct->addr = addr; +- direct->count = 0; +- list_add_rcu(&direct->next, &ftrace_direct_funcs); +- ftrace_direct_func_count++; + } + + entry->ip = ip; +@@ -5329,6 +5339,7 @@ int __weak ftrace_modify_direct_caller(struct ftrace_func_entry *entry, + int modify_ftrace_direct(unsigned long ip, + unsigned long old_addr, unsigned long new_addr) + { ++ struct ftrace_direct_func *direct, *new_direct = NULL; + struct ftrace_func_entry *entry; + struct dyn_ftrace *rec; + int ret = -ENODEV; +@@ -5344,6 +5355,20 @@ int modify_ftrace_direct(unsigned long ip, + if (entry->direct != old_addr) + goto out_unlock; + ++ direct = ftrace_find_direct_func(old_addr); ++ if (WARN_ON(!direct)) ++ goto out_unlock; ++ if (direct->count > 1) { ++ ret = -ENOMEM; ++ new_direct = ftrace_alloc_direct_func(new_addr); ++ if (!new_direct) ++ goto out_unlock; ++ direct->count--; ++ new_direct->count++; ++ } else { ++ direct->addr = new_addr; ++ } ++ + /* + * If there's no other ftrace callback on the rec->ip location, + * then it can be changed directly by the architecture. +@@ -5357,6 +5382,14 @@ int modify_ftrace_direct(unsigned long ip, + ret = 0; + } + ++ if (unlikely(ret && new_direct)) { ++ direct->count++; ++ list_del_rcu(&new_direct->next); ++ synchronize_rcu_tasks(); ++ kfree(new_direct); ++ ftrace_direct_func_count--; ++ } ++ + out_unlock: + mutex_unlock(&ftrace_lock); + mutex_unlock(&direct_mutex); +-- +2.30.1 + diff --git a/queue-5.11/ice-fix-napi-work-done-reporting-in-xsk-path.patch b/queue-5.11/ice-fix-napi-work-done-reporting-in-xsk-path.patch new file mode 100644 index 00000000000..bee540da255 --- /dev/null +++ b/queue-5.11/ice-fix-napi-work-done-reporting-in-xsk-path.patch @@ -0,0 +1,105 @@ +From 8495b21e40f81a9d5a90d3ef0d66b1343cc5928e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Feb 2021 10:09:04 +0100 +Subject: ice: fix napi work done reporting in xsk path + +From: Magnus Karlsson + +[ Upstream commit ed0907e3bdcfc7fe1c1756a480451e757b207a69 ] + +Fix the wrong napi work done reporting in the xsk path of the ice +driver. The code in the main Rx processing loop was written to assume +that the buffer allocation code returns true if all allocations where +successful and false if not. In contrast with all other Intel NIC xsk +drivers, the ice_alloc_rx_bufs_zc() has the inverted logic messing up +the work done reporting in the napi loop. + +This can be fixed either by inverting the return value from +ice_alloc_rx_bufs_zc() in the function that uses this in an incorrect +way, or by changing the return value of ice_alloc_rx_bufs_zc(). We +chose the latter as it makes all the xsk allocation functions for +Intel NICs behave in the same way. My guess is that it was this +unexpected discrepancy that gave rise to this bug in the first place. + +Fixes: 5bb0c4b5eb61 ("ice, xsk: Move Rx allocation out of while-loop") +Reported-by: Maciej Fijalkowski +Signed-off-by: Magnus Karlsson +Tested-by: Kiran Bhandare +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_base.c | 6 ++++-- + drivers/net/ethernet/intel/ice/ice_xsk.c | 10 +++++----- + 2 files changed, 9 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_base.c b/drivers/net/ethernet/intel/ice/ice_base.c +index 3124a3bf519a..952e41a1e001 100644 +--- a/drivers/net/ethernet/intel/ice/ice_base.c ++++ b/drivers/net/ethernet/intel/ice/ice_base.c +@@ -418,6 +418,8 @@ int ice_setup_rx_ctx(struct ice_ring *ring) + writel(0, ring->tail); + + if (ring->xsk_pool) { ++ bool ok; ++ + if (!xsk_buff_can_alloc(ring->xsk_pool, num_bufs)) { + dev_warn(dev, "XSK buffer pool does not provide enough addresses to fill %d buffers on Rx ring %d\n", + num_bufs, ring->q_index); +@@ -426,8 +428,8 @@ int ice_setup_rx_ctx(struct ice_ring *ring) + return 0; + } + +- err = ice_alloc_rx_bufs_zc(ring, num_bufs); +- if (err) ++ ok = ice_alloc_rx_bufs_zc(ring, num_bufs); ++ if (!ok) + dev_info(dev, "Failed to allocate some buffers on XSK buffer pool enabled Rx ring %d (pf_q %d)\n", + ring->q_index, pf_q); + return 0; +diff --git a/drivers/net/ethernet/intel/ice/ice_xsk.c b/drivers/net/ethernet/intel/ice/ice_xsk.c +index 1782146db644..69ee1a8e87ab 100644 +--- a/drivers/net/ethernet/intel/ice/ice_xsk.c ++++ b/drivers/net/ethernet/intel/ice/ice_xsk.c +@@ -408,18 +408,18 @@ xsk_pool_if_up: + * This function allocates a number of Rx buffers from the fill ring + * or the internal recycle mechanism and places them on the Rx ring. + * +- * Returns false if all allocations were successful, true if any fail. ++ * Returns true if all allocations were successful, false if any fail. + */ + bool ice_alloc_rx_bufs_zc(struct ice_ring *rx_ring, u16 count) + { + union ice_32b_rx_flex_desc *rx_desc; + u16 ntu = rx_ring->next_to_use; + struct ice_rx_buf *rx_buf; +- bool ret = false; ++ bool ok = true; + dma_addr_t dma; + + if (!count) +- return false; ++ return true; + + rx_desc = ICE_RX_DESC(rx_ring, ntu); + rx_buf = &rx_ring->rx_buf[ntu]; +@@ -427,7 +427,7 @@ bool ice_alloc_rx_bufs_zc(struct ice_ring *rx_ring, u16 count) + do { + rx_buf->xdp = xsk_buff_alloc(rx_ring->xsk_pool); + if (!rx_buf->xdp) { +- ret = true; ++ ok = false; + break; + } + +@@ -452,7 +452,7 @@ bool ice_alloc_rx_bufs_zc(struct ice_ring *rx_ring, u16 count) + ice_release_rx_desc(rx_ring, ntu); + } + +- return ret; ++ return ok; + } + + /** +-- +2.30.1 + diff --git a/queue-5.11/igb-avoid-premature-rx-buffer-reuse.patch b/queue-5.11/igb-avoid-premature-rx-buffer-reuse.patch new file mode 100644 index 00000000000..3d9f2e23cb8 --- /dev/null +++ b/queue-5.11/igb-avoid-premature-rx-buffer-reuse.patch @@ -0,0 +1,161 @@ +From 8037798cefed8b32d5b6a036ce89c4747067a9a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Jan 2021 13:54:23 -0800 +Subject: igb: avoid premature Rx buffer reuse + +From: Li RongQing + +[ Upstream commit 98dfb02aa22280bd8833836d1b00ab0488fa951f ] + +Igb needs a similar fix as commit 75aab4e10ae6a ("i40e: avoid +premature Rx buffer reuse") + +The page recycle code, incorrectly, relied on that a page fragment +could not be freed inside xdp_do_redirect(). This assumption leads to +that page fragments that are used by the stack/XDP redirect can be +reused and overwritten. + +To avoid this, store the page count prior invoking xdp_do_redirect(). + +Longer explanation: + +Intel NICs have a recycle mechanism. The main idea is that a page is +split into two parts. One part is owned by the driver, one part might +be owned by someone else, such as the stack. + +t0: Page is allocated, and put on the Rx ring + +--------------- +used by NIC ->| upper buffer +(rx_buffer) +--------------- + | lower buffer + +--------------- + page count == USHRT_MAX + rx_buffer->pagecnt_bias == USHRT_MAX + +t1: Buffer is received, and passed to the stack (e.g.) + +--------------- + | upper buff (skb) + +--------------- +used by NIC ->| lower buffer +(rx_buffer) +--------------- + page count == USHRT_MAX + rx_buffer->pagecnt_bias == USHRT_MAX - 1 + +t2: Buffer is received, and redirected + +--------------- + | upper buff (skb) + +--------------- +used by NIC ->| lower buffer +(rx_buffer) +--------------- + +Now, prior calling xdp_do_redirect(): + page count == USHRT_MAX + rx_buffer->pagecnt_bias == USHRT_MAX - 2 + +This means that buffer *cannot* be flipped/reused, because the skb is +still using it. + +The problem arises when xdp_do_redirect() actually frees the +segment. Then we get: + page count == USHRT_MAX - 1 + rx_buffer->pagecnt_bias == USHRT_MAX - 2 + +From a recycle perspective, the buffer can be flipped and reused, +which means that the skb data area is passed to the Rx HW ring! + +To work around this, the page count is stored prior calling +xdp_do_redirect(). + +Fixes: 9cbc948b5a20 ("igb: add XDP support") +Signed-off-by: Li RongQing +Reviewed-by: Alexander Duyck +Tested-by: Vishakha Jambekar +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/igb_main.c | 22 +++++++++++++++------- + 1 file changed, 15 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index de0fab0e7ce2..0e8c17f7af28 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -8232,7 +8232,8 @@ static inline bool igb_page_is_reserved(struct page *page) + return (page_to_nid(page) != numa_mem_id()) || page_is_pfmemalloc(page); + } + +-static bool igb_can_reuse_rx_page(struct igb_rx_buffer *rx_buffer) ++static bool igb_can_reuse_rx_page(struct igb_rx_buffer *rx_buffer, ++ int rx_buf_pgcnt) + { + unsigned int pagecnt_bias = rx_buffer->pagecnt_bias; + struct page *page = rx_buffer->page; +@@ -8243,7 +8244,7 @@ static bool igb_can_reuse_rx_page(struct igb_rx_buffer *rx_buffer) + + #if (PAGE_SIZE < 8192) + /* if we are only owner of page we can reuse it */ +- if (unlikely((page_ref_count(page) - pagecnt_bias) > 1)) ++ if (unlikely((rx_buf_pgcnt - pagecnt_bias) > 1)) + return false; + #else + #define IGB_LAST_OFFSET \ +@@ -8633,11 +8634,17 @@ static unsigned int igb_rx_offset(struct igb_ring *rx_ring) + } + + static struct igb_rx_buffer *igb_get_rx_buffer(struct igb_ring *rx_ring, +- const unsigned int size) ++ const unsigned int size, int *rx_buf_pgcnt) + { + struct igb_rx_buffer *rx_buffer; + + rx_buffer = &rx_ring->rx_buffer_info[rx_ring->next_to_clean]; ++ *rx_buf_pgcnt = ++#if (PAGE_SIZE < 8192) ++ page_count(rx_buffer->page); ++#else ++ 0; ++#endif + prefetchw(rx_buffer->page); + + /* we are reusing so sync this buffer for CPU use */ +@@ -8653,9 +8660,9 @@ static struct igb_rx_buffer *igb_get_rx_buffer(struct igb_ring *rx_ring, + } + + static void igb_put_rx_buffer(struct igb_ring *rx_ring, +- struct igb_rx_buffer *rx_buffer) ++ struct igb_rx_buffer *rx_buffer, int rx_buf_pgcnt) + { +- if (igb_can_reuse_rx_page(rx_buffer)) { ++ if (igb_can_reuse_rx_page(rx_buffer, rx_buf_pgcnt)) { + /* hand second half of page back to the ring */ + igb_reuse_rx_page(rx_ring, rx_buffer); + } else { +@@ -8682,6 +8689,7 @@ static int igb_clean_rx_irq(struct igb_q_vector *q_vector, const int budget) + u16 cleaned_count = igb_desc_unused(rx_ring); + unsigned int xdp_xmit = 0; + struct xdp_buff xdp; ++ int rx_buf_pgcnt; + + xdp.rxq = &rx_ring->xdp_rxq; + +@@ -8712,7 +8720,7 @@ static int igb_clean_rx_irq(struct igb_q_vector *q_vector, const int budget) + */ + dma_rmb(); + +- rx_buffer = igb_get_rx_buffer(rx_ring, size); ++ rx_buffer = igb_get_rx_buffer(rx_ring, size, &rx_buf_pgcnt); + + /* retrieve a buffer from the ring */ + if (!skb) { +@@ -8755,7 +8763,7 @@ static int igb_clean_rx_irq(struct igb_q_vector *q_vector, const int budget) + break; + } + +- igb_put_rx_buffer(rx_ring, rx_buffer); ++ igb_put_rx_buffer(rx_ring, rx_buffer, rx_buf_pgcnt); + cleaned_count++; + + /* fetch next buffer in frame if non-eop */ +-- +2.30.1 + diff --git a/queue-5.11/igb-check-timestamp-validity.patch b/queue-5.11/igb-check-timestamp-validity.patch new file mode 100644 index 00000000000..49eebf64ed7 --- /dev/null +++ b/queue-5.11/igb-check-timestamp-validity.patch @@ -0,0 +1,154 @@ +From c11286650203e79264ae76dac1713da32d4762ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Mar 2021 12:51:03 -0800 +Subject: igb: check timestamp validity + +From: Jesse Brandeburg + +[ Upstream commit f0a03a026857d6c7766eb7d5835edbf5523ca15c ] + +Add a couple of checks to make sure timestamping is on and that the +timestamp value from DMA is valid. This avoids any functional issues +that could come from a misinterpreted time stamp. + +One of the functions changed doesn't need a return value added because +there was no value in checking from the calling locations. + +While here, fix a couple of reverse christmas tree issues next to +the code being changed. + +Fixes: f56e7bba22fa ("igb: Pull timestamp from fragment before adding it to skb") +Fixes: 9cbc948b5a20 ("igb: add XDP support") +Signed-off-by: Jesse Brandeburg +Tested-by: Dave Switzer +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/igb.h | 4 +-- + drivers/net/ethernet/intel/igb/igb_main.c | 11 ++++---- + drivers/net/ethernet/intel/igb/igb_ptp.c | 31 ++++++++++++++++++----- + 3 files changed, 32 insertions(+), 14 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igb/igb.h b/drivers/net/ethernet/intel/igb/igb.h +index aaa954aae574..7bda8c5edea5 100644 +--- a/drivers/net/ethernet/intel/igb/igb.h ++++ b/drivers/net/ethernet/intel/igb/igb.h +@@ -748,8 +748,8 @@ void igb_ptp_suspend(struct igb_adapter *adapter); + void igb_ptp_rx_hang(struct igb_adapter *adapter); + void igb_ptp_tx_hang(struct igb_adapter *adapter); + void igb_ptp_rx_rgtstamp(struct igb_q_vector *q_vector, struct sk_buff *skb); +-void igb_ptp_rx_pktstamp(struct igb_q_vector *q_vector, void *va, +- struct sk_buff *skb); ++int igb_ptp_rx_pktstamp(struct igb_q_vector *q_vector, void *va, ++ struct sk_buff *skb); + int igb_ptp_set_ts_config(struct net_device *netdev, struct ifreq *ifr); + int igb_ptp_get_ts_config(struct net_device *netdev, struct ifreq *ifr); + void igb_set_flag_queue_pairs(struct igb_adapter *, const u32); +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index 03f78fdb0dcd..de0fab0e7ce2 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -8319,9 +8319,10 @@ static struct sk_buff *igb_construct_skb(struct igb_ring *rx_ring, + return NULL; + + if (unlikely(igb_test_staterr(rx_desc, E1000_RXDADV_STAT_TSIP))) { +- igb_ptp_rx_pktstamp(rx_ring->q_vector, xdp->data, skb); +- xdp->data += IGB_TS_HDR_LEN; +- size -= IGB_TS_HDR_LEN; ++ if (!igb_ptp_rx_pktstamp(rx_ring->q_vector, xdp->data, skb)) { ++ xdp->data += IGB_TS_HDR_LEN; ++ size -= IGB_TS_HDR_LEN; ++ } + } + + /* Determine available headroom for copy */ +@@ -8382,8 +8383,8 @@ static struct sk_buff *igb_build_skb(struct igb_ring *rx_ring, + + /* pull timestamp out of packet data */ + if (igb_test_staterr(rx_desc, E1000_RXDADV_STAT_TSIP)) { +- igb_ptp_rx_pktstamp(rx_ring->q_vector, skb->data, skb); +- __skb_pull(skb, IGB_TS_HDR_LEN); ++ if (!igb_ptp_rx_pktstamp(rx_ring->q_vector, skb->data, skb)) ++ __skb_pull(skb, IGB_TS_HDR_LEN); + } + + /* update buffer offset */ +diff --git a/drivers/net/ethernet/intel/igb/igb_ptp.c b/drivers/net/ethernet/intel/igb/igb_ptp.c +index 7cc5428c3b3d..86a576201f5f 100644 +--- a/drivers/net/ethernet/intel/igb/igb_ptp.c ++++ b/drivers/net/ethernet/intel/igb/igb_ptp.c +@@ -856,6 +856,9 @@ static void igb_ptp_tx_hwtstamp(struct igb_adapter *adapter) + dev_kfree_skb_any(skb); + } + ++#define IGB_RET_PTP_DISABLED 1 ++#define IGB_RET_PTP_INVALID 2 ++ + /** + * igb_ptp_rx_pktstamp - retrieve Rx per packet timestamp + * @q_vector: Pointer to interrupt specific structure +@@ -864,19 +867,29 @@ static void igb_ptp_tx_hwtstamp(struct igb_adapter *adapter) + * + * This function is meant to retrieve a timestamp from the first buffer of an + * incoming frame. The value is stored in little endian format starting on +- * byte 8. ++ * byte 8 ++ * ++ * Returns: 0 if success, nonzero if failure + **/ +-void igb_ptp_rx_pktstamp(struct igb_q_vector *q_vector, void *va, +- struct sk_buff *skb) ++int igb_ptp_rx_pktstamp(struct igb_q_vector *q_vector, void *va, ++ struct sk_buff *skb) + { +- __le64 *regval = (__le64 *)va; + struct igb_adapter *adapter = q_vector->adapter; ++ __le64 *regval = (__le64 *)va; + int adjust = 0; + ++ if (!(adapter->ptp_flags & IGB_PTP_ENABLED)) ++ return IGB_RET_PTP_DISABLED; ++ + /* The timestamp is recorded in little endian format. + * DWORD: 0 1 2 3 + * Field: Reserved Reserved SYSTIML SYSTIMH + */ ++ ++ /* check reserved dwords are zero, be/le doesn't matter for zero */ ++ if (regval[0]) ++ return IGB_RET_PTP_INVALID; ++ + igb_ptp_systim_to_hwtstamp(adapter, skb_hwtstamps(skb), + le64_to_cpu(regval[1])); + +@@ -896,6 +909,8 @@ void igb_ptp_rx_pktstamp(struct igb_q_vector *q_vector, void *va, + } + skb_hwtstamps(skb)->hwtstamp = + ktime_sub_ns(skb_hwtstamps(skb)->hwtstamp, adjust); ++ ++ return 0; + } + + /** +@@ -906,13 +921,15 @@ void igb_ptp_rx_pktstamp(struct igb_q_vector *q_vector, void *va, + * This function is meant to retrieve a timestamp from the internal registers + * of the adapter and store it in the skb. + **/ +-void igb_ptp_rx_rgtstamp(struct igb_q_vector *q_vector, +- struct sk_buff *skb) ++void igb_ptp_rx_rgtstamp(struct igb_q_vector *q_vector, struct sk_buff *skb) + { + struct igb_adapter *adapter = q_vector->adapter; + struct e1000_hw *hw = &adapter->hw; +- u64 regval; + int adjust = 0; ++ u64 regval; ++ ++ if (!(adapter->ptp_flags & IGB_PTP_ENABLED)) ++ return; + + /* If this bit is set, then the RX registers contain the time stamp. No + * other packet will be time stamped until we read these registers, so +-- +2.30.1 + diff --git a/queue-5.11/igc-fix-igc_ptp_rx_pktstamp.patch b/queue-5.11/igc-fix-igc_ptp_rx_pktstamp.patch new file mode 100644 index 00000000000..89eab10fe30 --- /dev/null +++ b/queue-5.11/igc-fix-igc_ptp_rx_pktstamp.patch @@ -0,0 +1,140 @@ +From 0cd407f2764b11714c3efb1d68f07f7925a0a00b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Mar 2021 22:42:56 -0800 +Subject: igc: Fix igc_ptp_rx_pktstamp() + +From: Andre Guedes + +[ Upstream commit fc9e5020971d57d7d0b3fef9e2ab2108fcb5588b ] + +The comment describing the timestamps layout in the packet buffer is +wrong and the code is actually retrieving the timestamp in Timer 1 +reference instead of Timer 0. This hasn't been a big issue so far +because hardware is configured to report both timestamps using Timer 0 +(see IGC_SRRCTL register configuration in igc_ptp_enable_rx_timestamp() +helper). This patch fixes the comment and the code so we retrieve the +timestamp in Timer 0 reference as expected. + +This patch also takes the opportunity to get rid of the hw.mac.type check +since it is not required. + +Fixes: 81b055205e8ba ("igc: Add support for RX timestamping") +Signed-off-by: Andre Guedes +Signed-off-by: Vedang Patel +Signed-off-by: Jithu Joseph +Reviewed-by: Maciej Fijalkowski +Tested-by: Dvora Fuxbrumer +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc.h | 2 +- + drivers/net/ethernet/intel/igc/igc_ptp.c | 72 +++++++++++++----------- + 2 files changed, 41 insertions(+), 33 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igc/igc.h b/drivers/net/ethernet/intel/igc/igc.h +index 35baae900c1f..6dca67d9c25d 100644 +--- a/drivers/net/ethernet/intel/igc/igc.h ++++ b/drivers/net/ethernet/intel/igc/igc.h +@@ -545,7 +545,7 @@ void igc_ptp_init(struct igc_adapter *adapter); + void igc_ptp_reset(struct igc_adapter *adapter); + void igc_ptp_suspend(struct igc_adapter *adapter); + void igc_ptp_stop(struct igc_adapter *adapter); +-void igc_ptp_rx_pktstamp(struct igc_q_vector *q_vector, void *va, ++void igc_ptp_rx_pktstamp(struct igc_q_vector *q_vector, __le32 *va, + struct sk_buff *skb); + int igc_ptp_set_ts_config(struct net_device *netdev, struct ifreq *ifr); + int igc_ptp_get_ts_config(struct net_device *netdev, struct ifreq *ifr); +diff --git a/drivers/net/ethernet/intel/igc/igc_ptp.c b/drivers/net/ethernet/intel/igc/igc_ptp.c +index ac0b9c85da7c..545f4d0e67cf 100644 +--- a/drivers/net/ethernet/intel/igc/igc_ptp.c ++++ b/drivers/net/ethernet/intel/igc/igc_ptp.c +@@ -152,46 +152,54 @@ static void igc_ptp_systim_to_hwtstamp(struct igc_adapter *adapter, + } + + /** +- * igc_ptp_rx_pktstamp - retrieve Rx per packet timestamp ++ * igc_ptp_rx_pktstamp - Retrieve timestamp from Rx packet buffer + * @q_vector: Pointer to interrupt specific structure + * @va: Pointer to address containing Rx buffer + * @skb: Buffer containing timestamp and packet + * +- * This function is meant to retrieve the first timestamp from the +- * first buffer of an incoming frame. The value is stored in little +- * endian format starting on byte 0. There's a second timestamp +- * starting on byte 8. +- **/ +-void igc_ptp_rx_pktstamp(struct igc_q_vector *q_vector, void *va, ++ * This function retrieves the timestamp saved in the beginning of packet ++ * buffer. While two timestamps are available, one in timer0 reference and the ++ * other in timer1 reference, this function considers only the timestamp in ++ * timer0 reference. ++ */ ++void igc_ptp_rx_pktstamp(struct igc_q_vector *q_vector, __le32 *va, + struct sk_buff *skb) + { + struct igc_adapter *adapter = q_vector->adapter; +- __le64 *regval = (__le64 *)va; +- int adjust = 0; +- +- /* The timestamp is recorded in little endian format. +- * DWORD: | 0 | 1 | 2 | 3 +- * Field: | Timer0 Low | Timer0 High | Timer1 Low | Timer1 High ++ u64 regval; ++ int adjust; ++ ++ /* Timestamps are saved in little endian at the beginning of the packet ++ * buffer following the layout: ++ * ++ * DWORD: | 0 | 1 | 2 | 3 | ++ * Field: | Timer1 SYSTIML | Timer1 SYSTIMH | Timer0 SYSTIML | Timer0 SYSTIMH | ++ * ++ * SYSTIML holds the nanoseconds part while SYSTIMH holds the seconds ++ * part of the timestamp. + */ +- igc_ptp_systim_to_hwtstamp(adapter, skb_hwtstamps(skb), +- le64_to_cpu(regval[0])); +- +- /* adjust timestamp for the RX latency based on link speed */ +- if (adapter->hw.mac.type == igc_i225) { +- switch (adapter->link_speed) { +- case SPEED_10: +- adjust = IGC_I225_RX_LATENCY_10; +- break; +- case SPEED_100: +- adjust = IGC_I225_RX_LATENCY_100; +- break; +- case SPEED_1000: +- adjust = IGC_I225_RX_LATENCY_1000; +- break; +- case SPEED_2500: +- adjust = IGC_I225_RX_LATENCY_2500; +- break; +- } ++ regval = le32_to_cpu(va[2]); ++ regval |= (u64)le32_to_cpu(va[3]) << 32; ++ igc_ptp_systim_to_hwtstamp(adapter, skb_hwtstamps(skb), regval); ++ ++ /* Adjust timestamp for the RX latency based on link speed */ ++ switch (adapter->link_speed) { ++ case SPEED_10: ++ adjust = IGC_I225_RX_LATENCY_10; ++ break; ++ case SPEED_100: ++ adjust = IGC_I225_RX_LATENCY_100; ++ break; ++ case SPEED_1000: ++ adjust = IGC_I225_RX_LATENCY_1000; ++ break; ++ case SPEED_2500: ++ adjust = IGC_I225_RX_LATENCY_2500; ++ break; ++ default: ++ adjust = 0; ++ netdev_warn_once(adapter->netdev, "Imprecise timestamp\n"); ++ break; + } + skb_hwtstamps(skb)->hwtstamp = + ktime_sub_ns(skb_hwtstamps(skb)->hwtstamp, adjust); +-- +2.30.1 + diff --git a/queue-5.11/igc-fix-pause-frame-advertising.patch b/queue-5.11/igc-fix-pause-frame-advertising.patch new file mode 100644 index 00000000000..36ce3a9c423 --- /dev/null +++ b/queue-5.11/igc-fix-pause-frame-advertising.patch @@ -0,0 +1,48 @@ +From 50c9681739dc0e64a4fc29abe89fcc475ddfc21d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 20 Feb 2021 00:36:47 +0800 +Subject: igc: Fix Pause Frame Advertising + +From: Muhammad Husaini Zulkifli + +[ Upstream commit 8876529465c368beafd51a70f79d7a738f2aadf4 ] + +Fix Pause Frame Advertising when getting the advertisement via ethtool. +Remove setting the "advertising" bit in link_ksettings during default +case when Tx and Rx are in off state with Auto Negotiate off. + +Below is the original output of advertisement link during Tx and Rx off: +Advertised pause frame use: Symmetric Receive-only + +Expected output: +Advertised pause frame use: No + +Fixes: 8c5ad0dae93c ("igc: Add ethtool support") +Signed-off-by: Muhammad Husaini Zulkifli +Reviewed-by: Malli C +Acked-by: Sasha Neftin +Tested-by: Dvora Fuxbrumer +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc_ethtool.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igc/igc_ethtool.c b/drivers/net/ethernet/intel/igc/igc_ethtool.c +index ec8cd69d4992..35c104a02bed 100644 +--- a/drivers/net/ethernet/intel/igc/igc_ethtool.c ++++ b/drivers/net/ethernet/intel/igc/igc_ethtool.c +@@ -1709,9 +1709,7 @@ static int igc_ethtool_get_link_ksettings(struct net_device *netdev, + Asym_Pause); + break; + default: +- ethtool_link_ksettings_add_link_mode(cmd, advertising, Pause); +- ethtool_link_ksettings_add_link_mode(cmd, advertising, +- Asym_Pause); ++ break; + } + + status = pm_runtime_suspended(&adapter->pdev->dev) ? +-- +2.30.1 + diff --git a/queue-5.11/igc-fix-supported-pause-frame-link-setting.patch b/queue-5.11/igc-fix-supported-pause-frame-link-setting.patch new file mode 100644 index 00000000000..be759fef57f --- /dev/null +++ b/queue-5.11/igc-fix-supported-pause-frame-link-setting.patch @@ -0,0 +1,47 @@ +From e26f503ea3d7e2f92bbee445e7bacf5d4e59dc53 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 20 Feb 2021 00:36:48 +0800 +Subject: igc: Fix Supported Pause Frame Link Setting + +From: Muhammad Husaini Zulkifli + +[ Upstream commit 9a4a1cdc5ab52118c1f2b216f4240830b6528d32 ] + +The Supported Pause Frame always display "No" even though the Advertised +pause frame showing the correct setting based on the pause parameters via +ethtool. Set bit in link_ksettings to "Supported" for Pause Frame. + +Before output: +Supported pause frame use: No + +Expected output: +Supported pause frame use: Symmetric + +Fixes: 8c5ad0dae93c ("igc: Add ethtool support") +Signed-off-by: Muhammad Husaini Zulkifli +Reviewed-by: Malli C +Tested-by: Dvora Fuxbrumer +Acked-by: Sasha Neftin +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc_ethtool.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/intel/igc/igc_ethtool.c b/drivers/net/ethernet/intel/igc/igc_ethtool.c +index 35c104a02bed..da259cd59add 100644 +--- a/drivers/net/ethernet/intel/igc/igc_ethtool.c ++++ b/drivers/net/ethernet/intel/igc/igc_ethtool.c +@@ -1695,6 +1695,9 @@ static int igc_ethtool_get_link_ksettings(struct net_device *netdev, + Autoneg); + } + ++ /* Set pause flow control settings */ ++ ethtool_link_ksettings_add_link_mode(cmd, supported, Pause); ++ + switch (hw->fc.requested_mode) { + case igc_fc_full: + ethtool_link_ksettings_add_link_mode(cmd, advertising, Pause); +-- +2.30.1 + diff --git a/queue-5.11/igc-reinit_locked-should-be-called-with-rtnl_lock.patch b/queue-5.11/igc-reinit_locked-should-be-called-with-rtnl_lock.patch new file mode 100644 index 00000000000..8b97da89b9a --- /dev/null +++ b/queue-5.11/igc-reinit_locked-should-be-called-with-rtnl_lock.patch @@ -0,0 +1,51 @@ +From 540f29d30ff188c03157f22f81aba07a67cf48f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Oct 2020 16:34:00 +0300 +Subject: igc: reinit_locked() should be called with rtnl_lock + +From: Sasha Neftin + +[ Upstream commit 6da262378c99b17b1a1ac2e42aa65acc1bd471c7 ] + +This commit applies to the igc_reset_task the same changes that +were applied to the igb driver in commit 024a8168b749 ("igb: +reinit_locked() should be called with rtnl_lock") +and fix possible race in reset subtask. + +Fixes: 0507ef8a0372 ("igc: Add transmit and receive fastpath and interrupt handlers") +Suggested-by: Jakub Kicinski +Signed-off-by: Sasha Neftin +Tested-by: Dvora Fuxbrumer +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc_main.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c +index afd6a62da29d..93874e930abf 100644 +--- a/drivers/net/ethernet/intel/igc/igc_main.c ++++ b/drivers/net/ethernet/intel/igc/igc_main.c +@@ -3847,10 +3847,19 @@ static void igc_reset_task(struct work_struct *work) + + adapter = container_of(work, struct igc_adapter, reset_task); + ++ rtnl_lock(); ++ /* If we're already down or resetting, just bail */ ++ if (test_bit(__IGC_DOWN, &adapter->state) || ++ test_bit(__IGC_RESETTING, &adapter->state)) { ++ rtnl_unlock(); ++ return; ++ } ++ + igc_rings_dump(adapter); + igc_regs_dump(adapter); + netdev_err(adapter->netdev, "Reset adapter\n"); + igc_reinit_locked(adapter); ++ rtnl_unlock(); + } + + /** +-- +2.30.1 + diff --git a/queue-5.11/ionic-linearize-tso-skb-with-too-many-frags.patch b/queue-5.11/ionic-linearize-tso-skb-with-too-many-frags.patch new file mode 100644 index 00000000000..7cb0552a473 --- /dev/null +++ b/queue-5.11/ionic-linearize-tso-skb-with-too-many-frags.patch @@ -0,0 +1,64 @@ +From cc46718cd92f8e4336d43043933698dcfb4c83ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Mar 2021 17:07:47 -0700 +Subject: ionic: linearize tso skb with too many frags + +From: Shannon Nelson + +[ Upstream commit d2c21422323b06938b3c070361dc544f047489d7 ] + +We were linearizing non-TSO skbs that had too many frags, but +we weren't checking number of frags on TSO skbs. This could +lead to a bad page reference when we received a TSO skb with +more frags than the Tx descriptor could support. + +v2: use gso_segs rather than yet another division + don't rework the check on the nr_frags + +Fixes: 0f3154e6bcb3 ("ionic: Add Tx and Rx handling") +Signed-off-by: Shannon Nelson +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/pensando/ionic/ionic_txrx.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/ethernet/pensando/ionic/ionic_txrx.c b/drivers/net/ethernet/pensando/ionic/ionic_txrx.c +index ac4cd5d82e69..b7601cadcb8c 100644 +--- a/drivers/net/ethernet/pensando/ionic/ionic_txrx.c ++++ b/drivers/net/ethernet/pensando/ionic/ionic_txrx.c +@@ -1079,15 +1079,17 @@ static int ionic_tx_descs_needed(struct ionic_queue *q, struct sk_buff *skb) + { + int sg_elems = q->lif->qtype_info[IONIC_QTYPE_TXQ].max_sg_elems; + struct ionic_tx_stats *stats = q_to_tx_stats(q); ++ int ndescs; + int err; + +- /* If TSO, need roundup(skb->len/mss) descs */ ++ /* Each desc is mss long max, so a descriptor for each gso_seg */ + if (skb_is_gso(skb)) +- return (skb->len / skb_shinfo(skb)->gso_size) + 1; ++ ndescs = skb_shinfo(skb)->gso_segs; ++ else ++ ndescs = 1; + +- /* If non-TSO, just need 1 desc and nr_frags sg elems */ + if (skb_shinfo(skb)->nr_frags <= sg_elems) +- return 1; ++ return ndescs; + + /* Too many frags, so linearize */ + err = skb_linearize(skb); +@@ -1096,8 +1098,7 @@ static int ionic_tx_descs_needed(struct ionic_queue *q, struct sk_buff *skb) + + stats->linearize++; + +- /* Need 1 desc and zero sg elems */ +- return 1; ++ return ndescs; + } + + static int ionic_maybe_stop_tx(struct ionic_queue *q, int ndescs) +-- +2.30.1 + diff --git a/queue-5.11/ipv6-fix-suspecious-rcu-usage-warning.patch b/queue-5.11/ipv6-fix-suspecious-rcu-usage-warning.patch new file mode 100644 index 00000000000..15975d09a03 --- /dev/null +++ b/queue-5.11/ipv6-fix-suspecious-rcu-usage-warning.patch @@ -0,0 +1,127 @@ +From ab120d8ba55285c31e1b4158464639d122f11f16 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Mar 2021 18:20:35 -0800 +Subject: ipv6: fix suspecious RCU usage warning + +From: Wei Wang + +[ Upstream commit 28259bac7f1dde06d8ba324e222bbec9d4e92f2b ] + +Syzbot reported the suspecious RCU usage in nexthop_fib6_nh() when +called from ipv6_route_seq_show(). The reason is ipv6_route_seq_start() +calls rcu_read_lock_bh(), while nexthop_fib6_nh() calls +rcu_dereference_rtnl(). +The fix proposed is to add a variant of nexthop_fib6_nh() to use +rcu_dereference_bh_rtnl() for ipv6_route_seq_show(). + +The reported trace is as follows: +./include/net/nexthop.h:416 suspicious rcu_dereference_check() usage! + +other info that might help us debug this: + +rcu_scheduler_active = 2, debug_locks = 1 +2 locks held by syz-executor.0/17895: + at: seq_read+0x71/0x12a0 fs/seq_file.c:169 + at: seq_file_net include/linux/seq_file_net.h:19 [inline] + at: ipv6_route_seq_start+0xaf/0x300 net/ipv6/ip6_fib.c:2616 + +stack backtrace: +CPU: 1 PID: 17895 Comm: syz-executor.0 Not tainted 4.15.0-syzkaller #0 +Call Trace: + [] __dump_stack lib/dump_stack.c:17 [inline] + [] dump_stack+0xd8/0x147 lib/dump_stack.c:53 + [] lockdep_rcu_suspicious+0x153/0x15d kernel/locking/lockdep.c:5745 + [] nexthop_fib6_nh include/net/nexthop.h:416 [inline] + [] ipv6_route_native_seq_show net/ipv6/ip6_fib.c:2488 [inline] + [] ipv6_route_seq_show+0x436/0x7a0 net/ipv6/ip6_fib.c:2673 + [] seq_read+0xccf/0x12a0 fs/seq_file.c:276 + [] proc_reg_read+0x10c/0x1d0 fs/proc/inode.c:231 + [] do_loop_readv_writev fs/read_write.c:714 [inline] + [] do_loop_readv_writev fs/read_write.c:701 [inline] + [] do_iter_read+0x49e/0x660 fs/read_write.c:935 + [] vfs_readv+0xfb/0x170 fs/read_write.c:997 + [] kernel_readv fs/splice.c:361 [inline] + [] default_file_splice_read+0x487/0x9c0 fs/splice.c:416 + [] do_splice_to+0x129/0x190 fs/splice.c:879 + [] splice_direct_to_actor+0x256/0x890 fs/splice.c:951 + [] do_splice_direct+0x1dd/0x2b0 fs/splice.c:1060 + [] do_sendfile+0x597/0xce0 fs/read_write.c:1459 + [] SYSC_sendfile64 fs/read_write.c:1520 [inline] + [] SyS_sendfile64+0x155/0x170 fs/read_write.c:1506 + [] do_syscall_64+0x1ff/0x310 arch/x86/entry/common.c:305 + [] entry_SYSCALL_64_after_hwframe+0x42/0xb7 + +Fixes: f88d8ea67fbdb ("ipv6: Plumb support for nexthop object in a fib6_info") +Reported-by: syzbot +Signed-off-by: Wei Wang +Cc: David Ahern +Cc: Ido Schimmel +Cc: Petr Machata +Cc: Eric Dumazet +Reviewed-by: Ido Schimmel +Reviewed-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/net/nexthop.h | 24 ++++++++++++++++++++++++ + net/ipv6/ip6_fib.c | 2 +- + 2 files changed, 25 insertions(+), 1 deletion(-) + +diff --git a/include/net/nexthop.h b/include/net/nexthop.h +index 226930d66b63..abd620103cec 100644 +--- a/include/net/nexthop.h ++++ b/include/net/nexthop.h +@@ -400,6 +400,7 @@ static inline struct fib_nh *fib_info_nh(struct fib_info *fi, int nhsel) + int fib6_check_nexthop(struct nexthop *nh, struct fib6_config *cfg, + struct netlink_ext_ack *extack); + ++/* Caller should either hold rcu_read_lock(), or RTNL. */ + static inline struct fib6_nh *nexthop_fib6_nh(struct nexthop *nh) + { + struct nh_info *nhi; +@@ -420,6 +421,29 @@ static inline struct fib6_nh *nexthop_fib6_nh(struct nexthop *nh) + return NULL; + } + ++/* Variant of nexthop_fib6_nh(). ++ * Caller should either hold rcu_read_lock_bh(), or RTNL. ++ */ ++static inline struct fib6_nh *nexthop_fib6_nh_bh(struct nexthop *nh) ++{ ++ struct nh_info *nhi; ++ ++ if (nh->is_group) { ++ struct nh_group *nh_grp; ++ ++ nh_grp = rcu_dereference_bh_rtnl(nh->nh_grp); ++ nh = nexthop_mpath_select(nh_grp, 0); ++ if (!nh) ++ return NULL; ++ } ++ ++ nhi = rcu_dereference_bh_rtnl(nh->nh_info); ++ if (nhi->family == AF_INET6) ++ return &nhi->fib6_nh; ++ ++ return NULL; ++} ++ + static inline struct net_device *fib6_info_nh_dev(struct fib6_info *f6i) + { + struct fib6_nh *fib6_nh; +diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c +index f43e27555725..1fb79dbde0cb 100644 +--- a/net/ipv6/ip6_fib.c ++++ b/net/ipv6/ip6_fib.c +@@ -2485,7 +2485,7 @@ static int ipv6_route_native_seq_show(struct seq_file *seq, void *v) + const struct net_device *dev; + + if (rt->nh) +- fib6_nh = nexthop_fib6_nh(rt->nh); ++ fib6_nh = nexthop_fib6_nh_bh(rt->nh); + + seq_printf(seq, "%pi6 %02x ", &rt->fib6_dst.addr, rt->fib6_dst.plen); + +-- +2.30.1 + diff --git a/queue-5.11/ipv6-weaken-the-v4mapped-source-check.patch b/queue-5.11/ipv6-weaken-the-v4mapped-source-check.patch new file mode 100644 index 00000000000..9ec162ec97f --- /dev/null +++ b/queue-5.11/ipv6-weaken-the-v4mapped-source-check.patch @@ -0,0 +1,119 @@ +From 0fca1c6044870aeca6a2a412d560fe780383f866 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Mar 2021 09:55:15 -0700 +Subject: ipv6: weaken the v4mapped source check + +From: Jakub Kicinski + +[ Upstream commit dcc32f4f183ab8479041b23a1525d48233df1d43 ] + +This reverts commit 6af1799aaf3f1bc8defedddfa00df3192445bbf3. + +Commit 6af1799aaf3f ("ipv6: drop incoming packets having a v4mapped +source address") introduced an input check against v4mapped addresses. +Use of such addresses on the wire is indeed questionable and not +allowed on public Internet. As the commit pointed out + + https://tools.ietf.org/html/draft-itojun-v6ops-v4mapped-harmful-02 + +lists potential issues. + +Unfortunately there are applications which use v4mapped addresses, +and breaking them is a clear regression. For example v4mapped +addresses (or any semi-valid addresses, really) may be used +for uni-direction event streams or packet export. + +Since the issue which sparked the addition of the check was with +TCP and request_socks in particular push the check down to TCPv6 +and DCCP. This restores the ability to receive UDPv6 packets with +v4mapped address as the source. + +Keep using the IPSTATS_MIB_INHDRERRORS statistic to minimize the +user-visible changes. + +Fixes: 6af1799aaf3f ("ipv6: drop incoming packets having a v4mapped source address") +Reported-by: Sunyi Shao +Signed-off-by: Jakub Kicinski +Acked-by: Mat Martineau +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/dccp/ipv6.c | 5 +++++ + net/ipv6/ip6_input.c | 10 ---------- + net/ipv6/tcp_ipv6.c | 5 +++++ + net/mptcp/subflow.c | 5 +++++ + 4 files changed, 15 insertions(+), 10 deletions(-) + +diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c +index 1f73603913f5..2be5c69824f9 100644 +--- a/net/dccp/ipv6.c ++++ b/net/dccp/ipv6.c +@@ -319,6 +319,11 @@ static int dccp_v6_conn_request(struct sock *sk, struct sk_buff *skb) + if (!ipv6_unicast_destination(skb)) + return 0; /* discard, don't send a reset here */ + ++ if (ipv6_addr_v4mapped(&ipv6_hdr(skb)->saddr)) { ++ __IP6_INC_STATS(sock_net(sk), NULL, IPSTATS_MIB_INHDRERRORS); ++ return 0; ++ } ++ + if (dccp_bad_service_code(sk, service)) { + dcb->dccpd_reset_code = DCCP_RESET_CODE_BAD_SERVICE_CODE; + goto drop; +diff --git a/net/ipv6/ip6_input.c b/net/ipv6/ip6_input.c +index e96304d8a4a7..06d60662717d 100644 +--- a/net/ipv6/ip6_input.c ++++ b/net/ipv6/ip6_input.c +@@ -245,16 +245,6 @@ static struct sk_buff *ip6_rcv_core(struct sk_buff *skb, struct net_device *dev, + if (ipv6_addr_is_multicast(&hdr->saddr)) + goto err; + +- /* While RFC4291 is not explicit about v4mapped addresses +- * in IPv6 headers, it seems clear linux dual-stack +- * model can not deal properly with these. +- * Security models could be fooled by ::ffff:127.0.0.1 for example. +- * +- * https://tools.ietf.org/html/draft-itojun-v6ops-v4mapped-harmful-02 +- */ +- if (ipv6_addr_v4mapped(&hdr->saddr)) +- goto err; +- + skb->transport_header = skb->network_header + sizeof(*hdr); + IP6CB(skb)->nhoff = offsetof(struct ipv6hdr, nexthdr); + +diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c +index 0e1509b02cb3..c07e5e8d557b 100644 +--- a/net/ipv6/tcp_ipv6.c ++++ b/net/ipv6/tcp_ipv6.c +@@ -1175,6 +1175,11 @@ static int tcp_v6_conn_request(struct sock *sk, struct sk_buff *skb) + if (!ipv6_unicast_destination(skb)) + goto drop; + ++ if (ipv6_addr_v4mapped(&ipv6_hdr(skb)->saddr)) { ++ __IP6_INC_STATS(sock_net(sk), NULL, IPSTATS_MIB_INHDRERRORS); ++ return 0; ++ } ++ + return tcp_conn_request(&tcp6_request_sock_ops, + &tcp_request_sock_ipv6_ops, sk, skb); + +diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c +index c3090003a17b..96e040951cd4 100644 +--- a/net/mptcp/subflow.c ++++ b/net/mptcp/subflow.c +@@ -440,6 +440,11 @@ static int subflow_v6_conn_request(struct sock *sk, struct sk_buff *skb) + if (!ipv6_unicast_destination(skb)) + goto drop; + ++ if (ipv6_addr_v4mapped(&ipv6_hdr(skb)->saddr)) { ++ __IP6_INC_STATS(sock_net(sk), NULL, IPSTATS_MIB_INHDRERRORS); ++ return 0; ++ } ++ + return tcp_conn_request(&mptcp_subflow_request_sock_ops, + &subflow_request_sock_ipv6_ops, sk, skb); + +-- +2.30.1 + diff --git a/queue-5.11/kunit-tool-disable-page_poisoning-under-alltests.patch b/queue-5.11/kunit-tool-disable-page_poisoning-under-alltests.patch new file mode 100644 index 00000000000..04546d5a563 --- /dev/null +++ b/queue-5.11/kunit-tool-disable-page_poisoning-under-alltests.patch @@ -0,0 +1,53 @@ +From b0256cc57d342428db93096d223a716174a7e68d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Feb 2021 23:10:34 -0800 +Subject: kunit: tool: Disable PAGE_POISONING under --alltests + +From: David Gow + +[ Upstream commit 7fd53f41f771d250eb08db08650940f017e37c26 ] + +kunit_tool maintains a list of config options which are broken under +UML, which we exclude from an otherwise 'make ARCH=um allyesconfig' +build used to run all tests with the --alltests option. + +Something in UML allyesconfig is causing segfaults when page poisining +is enabled (and is poisoning with a non-zero value). Previously, this +didn't occur, as allyesconfig enabled the CONFIG_PAGE_POISONING_ZERO +option, which worked around the problem by zeroing memory. This option +has since been removed, and memory is now poisoned with 0xAA, which +triggers segfaults in many different codepaths, preventing UML from +booting. + +Note that we have to disable both CONFIG_PAGE_POISONING and +CONFIG_DEBUG_PAGEALLOC, as the latter will 'select' the former on +architectures (such as UML) which don't implement __kernel_map_pages(). + +Ideally, we'd fix this properly by tracking down the real root cause, +but since this is breaking KUnit's --alltests feature, it's worth +disabling there in the meantime so the kernel can boot to the point +where tests can actually run. + +Fixes: f289041ed4cf ("mm, page_poison: remove CONFIG_PAGE_POISONING_ZERO") +Signed-off-by: David Gow +Acked-by: Vlastimil Babka +Reviewed-by: Brendan Higgins +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + tools/testing/kunit/configs/broken_on_uml.config | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tools/testing/kunit/configs/broken_on_uml.config b/tools/testing/kunit/configs/broken_on_uml.config +index a7f0603d33f6..690870043ac0 100644 +--- a/tools/testing/kunit/configs/broken_on_uml.config ++++ b/tools/testing/kunit/configs/broken_on_uml.config +@@ -40,3 +40,5 @@ + # CONFIG_RESET_BRCMSTB_RESCAL is not set + # CONFIG_RESET_INTEL_GW is not set + # CONFIG_ADI_AXI_ADC is not set ++# CONFIG_DEBUG_PAGEALLOC is not set ++# CONFIG_PAGE_POISONING is not set +-- +2.30.1 + diff --git a/queue-5.11/libbpf-fix-btf-dump-of-pointer-to-array-of-struct.patch b/queue-5.11/libbpf-fix-btf-dump-of-pointer-to-array-of-struct.patch new file mode 100644 index 00000000000..8260e0ec0e5 --- /dev/null +++ b/queue-5.11/libbpf-fix-btf-dump-of-pointer-to-array-of-struct.patch @@ -0,0 +1,90 @@ +From 58486292c7009722888e6b2982c61e626cc5f2c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Mar 2021 12:25:54 +0100 +Subject: libbpf: Fix BTF dump of pointer-to-array-of-struct +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jean-Philippe Brucker + +[ Upstream commit 901ee1d750f29a335423eeb9463c3ca461ca18c2 ] + +The vmlinux.h generated from BTF is invalid when building +drivers/phy/ti/phy-gmii-sel.c with clang: + +vmlinux.h:61702:27: error: array type has incomplete element type ‘struct reg_field’ +61702 | const struct reg_field (*regfields)[3]; + | ^~~~~~~~~ + +bpftool generates a forward declaration for this struct regfield, which +compilers aren't happy about. Here's a simplified reproducer: + + struct inner { + int val; + }; + struct outer { + struct inner (*ptr_to_array)[2]; + } A; + +After build with clang -> bpftool btf dump c -> clang/gcc: +./def-clang.h:11:23: error: array has incomplete element type 'struct inner' + struct inner (*ptr_to_array)[2]; + +Member ptr_to_array of struct outer is a pointer to an array of struct +inner. In the DWARF generated by clang, struct outer appears before +struct inner, so when converting BTF of struct outer into C, bpftool +issues a forward declaration to struct inner. With GCC the DWARF info is +reversed so struct inner gets fully defined. + +That forward declaration is not sufficient when compilers handle an +array of the struct, even when it's only used through a pointer. Note +that we can trigger the same issue with an intermediate typedef: + + struct inner { + int val; + }; + typedef struct inner inner2_t[2]; + struct outer { + inner2_t *ptr_to_array; + } A; + +Becomes: + + struct inner; + typedef struct inner inner2_t[2]; + +And causes: + +./def-clang.h:10:30: error: array has incomplete element type 'struct inner' + typedef struct inner inner2_t[2]; + +To fix this, clear through_ptr whenever we encounter an intermediate +array, to make the inner struct part of a strong link and force full +declaration. + +Fixes: 351131b51c7a ("libbpf: add btf_dump API for BTF-to-C conversion") +Signed-off-by: Jean-Philippe Brucker +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20210319112554.794552-2-jean-philippe@linaro.org +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/btf_dump.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/lib/bpf/btf_dump.c b/tools/lib/bpf/btf_dump.c +index 2f9d685bd522..0911aea4cdbe 100644 +--- a/tools/lib/bpf/btf_dump.c ++++ b/tools/lib/bpf/btf_dump.c +@@ -462,7 +462,7 @@ static int btf_dump_order_type(struct btf_dump *d, __u32 id, bool through_ptr) + return err; + + case BTF_KIND_ARRAY: +- return btf_dump_order_type(d, btf_array(t)->type, through_ptr); ++ return btf_dump_order_type(d, btf_array(t)->type, false); + + case BTF_KIND_STRUCT: + case BTF_KIND_UNION: { +-- +2.30.1 + diff --git a/queue-5.11/libbpf-fix-error-path-in-bpf_object__elf_init.patch b/queue-5.11/libbpf-fix-error-path-in-bpf_object__elf_init.patch new file mode 100644 index 00000000000..afa6aef2cfd --- /dev/null +++ b/queue-5.11/libbpf-fix-error-path-in-bpf_object__elf_init.patch @@ -0,0 +1,38 @@ +From c99ee9ee9b352920a25504c9c05aa562c05e9373 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Mar 2021 23:54:14 +0900 +Subject: libbpf: Fix error path in bpf_object__elf_init() + +From: Namhyung Kim + +[ Upstream commit 8f3f5792f2940c16ab63c614b26494c8689c9c1e ] + +When it failed to get section names, it should call into +bpf_object__elf_finish() like others. + +Fixes: 88a82120282b ("libbpf: Factor out common ELF operations and improve logging") +Signed-off-by: Namhyung Kim +Signed-off-by: Daniel Borkmann +Link: https://lore.kernel.org/bpf/20210317145414.884817-1-namhyung@kernel.org +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/libbpf.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c +index a0d4fc4de402..8913e5e7bedb 100644 +--- a/tools/lib/bpf/libbpf.c ++++ b/tools/lib/bpf/libbpf.c +@@ -1180,7 +1180,8 @@ static int bpf_object__elf_init(struct bpf_object *obj) + if (!elf_rawdata(elf_getscn(obj->efile.elf, obj->efile.shstrndx), NULL)) { + pr_warn("elf: failed to get section names strings from %s: %s\n", + obj->path, elf_errmsg(-1)); +- return -LIBBPF_ERRNO__FORMAT; ++ err = -LIBBPF_ERRNO__FORMAT; ++ goto errout; + } + + /* Old LLVM set e_machine to EM_NONE */ +-- +2.30.1 + diff --git a/queue-5.11/libbpf-fix-install-flag-order.patch b/queue-5.11/libbpf-fix-install-flag-order.patch new file mode 100644 index 00000000000..5ab7292c28e --- /dev/null +++ b/queue-5.11/libbpf-fix-install-flag-order.patch @@ -0,0 +1,41 @@ +From 17c11a19fa073055861b817e399e8434c831cd2f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Mar 2021 10:30:38 -0800 +Subject: libbpf: Fix INSTALL flag order + +From: Georgi Valkov + +[ Upstream commit e7fb6465d4c8e767e39cbee72464e0060ab3d20c ] + +It was reported ([0]) that having optional -m flag between source and +destination arguments in install command breaks bpftools cross-build +on MacOS. Move -m to the front to fix this issue. + + [0] https://github.com/openwrt/openwrt/pull/3959 + +Fixes: 7110d80d53f4 ("libbpf: Makefile set specified permission mode") +Signed-off-by: Georgi Valkov +Signed-off-by: Andrii Nakryiko +Signed-off-by: Daniel Borkmann +Link: https://lore.kernel.org/bpf/20210308183038.613432-1-andrii@kernel.org +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/lib/bpf/Makefile b/tools/lib/bpf/Makefile +index 55bd78b3496f..310f647c2d5b 100644 +--- a/tools/lib/bpf/Makefile ++++ b/tools/lib/bpf/Makefile +@@ -236,7 +236,7 @@ define do_install + if [ ! -d '$(DESTDIR_SQ)$2' ]; then \ + $(INSTALL) -d -m 755 '$(DESTDIR_SQ)$2'; \ + fi; \ +- $(INSTALL) $1 $(if $3,-m $3,) '$(DESTDIR_SQ)$2' ++ $(INSTALL) $(if $3,-m $3,) $1 '$(DESTDIR_SQ)$2' + endef + + install_lib: all_cmd +-- +2.30.1 + diff --git a/queue-5.11/libbpf-use-sock_cloexec-when-opening-the-netlink-soc.patch b/queue-5.11/libbpf-use-sock_cloexec-when-opening-the-netlink-soc.patch new file mode 100644 index 00000000000..db456762595 --- /dev/null +++ b/queue-5.11/libbpf-use-sock_cloexec-when-opening-the-netlink-soc.patch @@ -0,0 +1,42 @@ +From fbaf6af31612a303614d2165144cde38a028fae0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Mar 2021 17:28:58 +0530 +Subject: libbpf: Use SOCK_CLOEXEC when opening the netlink socket +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kumar Kartikeya Dwivedi + +[ Upstream commit 58bfd95b554f1a23d01228672f86bb489bdbf4ba ] + +Otherwise, there exists a small window between the opening and closing +of the socket fd where it may leak into processes launched by some other +thread. + +Fixes: 949abbe88436 ("libbpf: add function to setup XDP") +Signed-off-by: Kumar Kartikeya Dwivedi +Signed-off-by: Daniel Borkmann +Acked-by: Toke Høiland-Jørgensen +Link: https://lore.kernel.org/bpf/20210317115857.6536-1-memxor@gmail.com +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/netlink.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/lib/bpf/netlink.c b/tools/lib/bpf/netlink.c +index 4dd73de00b6f..d2cb28e9ef52 100644 +--- a/tools/lib/bpf/netlink.c ++++ b/tools/lib/bpf/netlink.c +@@ -40,7 +40,7 @@ static int libbpf_netlink_open(__u32 *nl_pid) + memset(&sa, 0, sizeof(sa)); + sa.nl_family = AF_NETLINK; + +- sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); ++ sock = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_ROUTE); + if (sock < 0) + return -errno; + +-- +2.30.1 + diff --git a/queue-5.11/mac80211-allow-he-operation-to-be-longer-than-expect.patch b/queue-5.11/mac80211-allow-he-operation-to-be-longer-than-expect.patch new file mode 100644 index 00000000000..f512d1465e2 --- /dev/null +++ b/queue-5.11/mac80211-allow-he-operation-to-be-longer-than-expect.patch @@ -0,0 +1,65 @@ +From 5d062b08398545cfd8b931e169b331e270616b76 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Feb 2021 13:19:26 +0800 +Subject: mac80211: Allow HE operation to be longer than expected. + +From: Brian Norris + +[ Upstream commit 0f7e90faddeef53a3568f449a0c3992d77510b66 ] + +We observed some Cisco APs sending the following HE Operation IE in +associate response: + + ff 0a 24 f4 3f 00 01 fc ff 00 00 00 + +Its HE operation parameter is 0x003ff4, so the expected total length is +7 which does not match the actual length = 10. This causes association +failing with "HE AP is missing HE Capability/operation." + +According to P802.11ax_D4 Table9-94, HE operation is extensible, and +according to 802.11-2016 10.27.8, STA should discard the part beyond +the maximum length and parse the truncated element. + +Allow HE operation element to be longer than expected to handle this +case and future extensions. + +Fixes: e4d005b80dee ("mac80211: refactor extended element parsing") +Signed-off-by: Brian Norris +Signed-off-by: Yen-lin Lai +Link: https://lore.kernel.org/r/20210223051926.2653301-1-yenlinlai@chromium.org +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/mlme.c | 2 +- + net/mac80211/util.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c +index 0e4d950cf907..9db648a91a4f 100644 +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -5071,7 +5071,7 @@ static int ieee80211_prep_channel(struct ieee80211_sub_if_data *sdata, + he_oper_ie = cfg80211_find_ext_ie(WLAN_EID_EXT_HE_OPERATION, + ies->data, ies->len); + if (he_oper_ie && +- he_oper_ie[1] == ieee80211_he_oper_size(&he_oper_ie[3])) ++ he_oper_ie[1] >= ieee80211_he_oper_size(&he_oper_ie[3])) + he_oper = (void *)(he_oper_ie + 3); + else + he_oper = NULL; +diff --git a/net/mac80211/util.c b/net/mac80211/util.c +index 8d3ae6b2f95f..f4507a708965 100644 +--- a/net/mac80211/util.c ++++ b/net/mac80211/util.c +@@ -968,7 +968,7 @@ static void ieee80211_parse_extension_element(u32 *crc, + break; + case WLAN_EID_EXT_HE_OPERATION: + if (len >= sizeof(*elems->he_operation) && +- len == ieee80211_he_oper_size(data) - 1) { ++ len >= ieee80211_he_oper_size(data) - 1) { + if (crc) + *crc = crc32_be(*crc, (void *)elem, + elem->datalen + 2); +-- +2.30.1 + diff --git a/queue-5.11/mac80211-fix-rate-mask-reset.patch b/queue-5.11/mac80211-fix-rate-mask-reset.patch new file mode 100644 index 00000000000..f7fd2588aa9 --- /dev/null +++ b/queue-5.11/mac80211-fix-rate-mask-reset.patch @@ -0,0 +1,57 @@ +From 6b41de6b2c2e000ad7d7713650fb615fb9f39019 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Feb 2021 11:22:14 +0100 +Subject: mac80211: fix rate mask reset + +From: Johannes Berg + +[ Upstream commit 1944015fe9c1d9fa5e9eb7ffbbb5ef8954d6753b ] + +Coverity reported the strange "if (~...)" condition that's +always true. It suggested that ! was intended instead of ~, +but upon further analysis I'm convinced that what really was +intended was a comparison to 0xff/0xffff (in HT/VHT cases +respectively), since this indicates that all of the rates +are enabled. + +Change the comparison accordingly. + +I'm guessing this never really mattered because a reset to +not having a rate mask is basically equivalent to having a +mask that enables all rates. + +Reported-by: Colin Ian King +Fixes: 2ffbe6d33366 ("mac80211: fix and optimize MCS mask handling") +Fixes: b119ad6e726c ("mac80211: add rate mask logic for vht rates") +Reviewed-by: Colin Ian King +Link: https://lore.kernel.org/r/20210212112213.36b38078f569.I8546a20c80bc1669058eb453e213630b846e107b@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/cfg.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c +index c4c70e30ad7f..68a0de02b561 100644 +--- a/net/mac80211/cfg.c ++++ b/net/mac80211/cfg.c +@@ -2950,14 +2950,14 @@ static int ieee80211_set_bitrate_mask(struct wiphy *wiphy, + continue; + + for (j = 0; j < IEEE80211_HT_MCS_MASK_LEN; j++) { +- if (~sdata->rc_rateidx_mcs_mask[i][j]) { ++ if (sdata->rc_rateidx_mcs_mask[i][j] != 0xff) { + sdata->rc_has_mcs_mask[i] = true; + break; + } + } + + for (j = 0; j < NL80211_VHT_NSS_MAX; j++) { +- if (~sdata->rc_rateidx_vht_mcs_mask[i][j]) { ++ if (sdata->rc_rateidx_vht_mcs_mask[i][j] != 0xffff) { + sdata->rc_has_vht_mcs_mask[i] = true; + break; + } +-- +2.30.1 + diff --git a/queue-5.11/macvlan-macvlan_count_rx-needs-to-be-aware-of-preemp.patch b/queue-5.11/macvlan-macvlan_count_rx-needs-to-be-aware-of-preemp.patch new file mode 100644 index 00000000000..d991ab5082c --- /dev/null +++ b/queue-5.11/macvlan-macvlan_count_rx-needs-to-be-aware-of-preemp.patch @@ -0,0 +1,89 @@ +From ea206881138fb795daa41fcb777568274a358930 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Mar 2021 01:56:36 -0800 +Subject: macvlan: macvlan_count_rx() needs to be aware of preemption + +From: Eric Dumazet + +[ Upstream commit dd4fa1dae9f4847cc1fd78ca468ad69e16e5db3e ] + +macvlan_count_rx() can be called from process context, it is thus +necessary to disable preemption before calling u64_stats_update_begin() + +syzbot was able to spot this on 32bit arch: + +WARNING: CPU: 1 PID: 4632 at include/linux/seqlock.h:271 __seqprop_assert include/linux/seqlock.h:271 [inline] +WARNING: CPU: 1 PID: 4632 at include/linux/seqlock.h:271 __seqprop_assert.constprop.0+0xf0/0x11c include/linux/seqlock.h:269 +Modules linked in: +Kernel panic - not syncing: panic_on_warn set ... +CPU: 1 PID: 4632 Comm: kworker/1:3 Not tainted 5.12.0-rc2-syzkaller #0 +Hardware name: ARM-Versatile Express +Workqueue: events macvlan_process_broadcast +Backtrace: +[<82740468>] (dump_backtrace) from [<827406dc>] (show_stack+0x18/0x1c arch/arm/kernel/traps.c:252) + r7:00000080 r6:60000093 r5:00000000 r4:8422a3c4 +[<827406c4>] (show_stack) from [<82751b58>] (__dump_stack lib/dump_stack.c:79 [inline]) +[<827406c4>] (show_stack) from [<82751b58>] (dump_stack+0xb8/0xe8 lib/dump_stack.c:120) +[<82751aa0>] (dump_stack) from [<82741270>] (panic+0x130/0x378 kernel/panic.c:231) + r7:830209b4 r6:84069ea4 r5:00000000 r4:844350d0 +[<82741140>] (panic) from [<80244924>] (__warn+0xb0/0x164 kernel/panic.c:605) + r3:8404ec8c r2:00000000 r1:00000000 r0:830209b4 + r7:0000010f +[<80244874>] (__warn) from [<82741520>] (warn_slowpath_fmt+0x68/0xd4 kernel/panic.c:628) + r7:81363f70 r6:0000010f r5:83018e50 r4:00000000 +[<827414bc>] (warn_slowpath_fmt) from [<81363f70>] (__seqprop_assert include/linux/seqlock.h:271 [inline]) +[<827414bc>] (warn_slowpath_fmt) from [<81363f70>] (__seqprop_assert.constprop.0+0xf0/0x11c include/linux/seqlock.h:269) + r8:5a109000 r7:0000000f r6:a568dac0 r5:89802300 r4:00000001 +[<81363e80>] (__seqprop_assert.constprop.0) from [<81364af0>] (u64_stats_update_begin include/linux/u64_stats_sync.h:128 [inline]) +[<81363e80>] (__seqprop_assert.constprop.0) from [<81364af0>] (macvlan_count_rx include/linux/if_macvlan.h:47 [inline]) +[<81363e80>] (__seqprop_assert.constprop.0) from [<81364af0>] (macvlan_broadcast+0x154/0x26c drivers/net/macvlan.c:291) + r5:89802300 r4:8a927740 +[<8136499c>] (macvlan_broadcast) from [<81365020>] (macvlan_process_broadcast+0x258/0x2d0 drivers/net/macvlan.c:317) + r10:81364f78 r9:8a86d000 r8:8a9c7e7c r7:8413aa5c r6:00000000 r5:00000000 + r4:89802840 +[<81364dc8>] (macvlan_process_broadcast) from [<802696a4>] (process_one_work+0x2d4/0x998 kernel/workqueue.c:2275) + r10:00000008 r9:8404ec98 r8:84367a02 r7:ddfe6400 r6:ddfe2d40 r5:898dac80 + r4:8a86d43c +[<802693d0>] (process_one_work) from [<80269dcc>] (worker_thread+0x64/0x54c kernel/workqueue.c:2421) + r10:00000008 r9:8a9c6000 r8:84006d00 r7:ddfe2d78 r6:898dac94 r5:ddfe2d40 + r4:898dac80 +[<80269d68>] (worker_thread) from [<80271f40>] (kthread+0x184/0x1a4 kernel/kthread.c:292) + r10:85247e64 r9:898dac80 r8:80269d68 r7:00000000 r6:8a9c6000 r5:89a2ee40 + r4:8a97bd00 +[<80271dbc>] (kthread) from [<80200114>] (ret_from_fork+0x14/0x20 arch/arm/kernel/entry-common.S:158) +Exception stack(0x8a9c7fb0 to 0x8a9c7ff8) + +Fixes: 412ca1550cbe ("macvlan: Move broadcasts into a work queue") +Signed-off-by: Eric Dumazet +Cc: Herbert Xu +Reported-by: syzbot +Acked-by: Herbert Xu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/linux/if_macvlan.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/include/linux/if_macvlan.h b/include/linux/if_macvlan.h +index 96556c64c95d..10c94a3936ca 100644 +--- a/include/linux/if_macvlan.h ++++ b/include/linux/if_macvlan.h +@@ -43,13 +43,14 @@ static inline void macvlan_count_rx(const struct macvlan_dev *vlan, + if (likely(success)) { + struct vlan_pcpu_stats *pcpu_stats; + +- pcpu_stats = this_cpu_ptr(vlan->pcpu_stats); ++ pcpu_stats = get_cpu_ptr(vlan->pcpu_stats); + u64_stats_update_begin(&pcpu_stats->syncp); + pcpu_stats->rx_packets++; + pcpu_stats->rx_bytes += len; + if (multicast) + pcpu_stats->rx_multicast++; + u64_stats_update_end(&pcpu_stats->syncp); ++ put_cpu_ptr(vlan->pcpu_stats); + } else { + this_cpu_inc(vlan->pcpu_stats->rx_errors); + } +-- +2.30.1 + diff --git a/queue-5.11/mfd-intel_quark_i2c_gpio-revert-constify-static-stru.patch b/queue-5.11/mfd-intel_quark_i2c_gpio-revert-constify-static-stru.patch new file mode 100644 index 00000000000..9c3b2cfaa5a --- /dev/null +++ b/queue-5.11/mfd-intel_quark_i2c_gpio-revert-constify-static-stru.patch @@ -0,0 +1,59 @@ +From cea215c14ab0b94565ba042e7e7636c58a44618e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Mar 2021 15:56:16 +0200 +Subject: mfd: intel_quark_i2c_gpio: Revert "Constify static struct resources" + +From: Andy Shevchenko + +[ Upstream commit a61f4661fba404418a7c77e86586dc52a58a93c6 ] + +The structures are used as place holders, so they are modified at run-time. +Obviously they may not be constants. + + BUG: unable to handle page fault for address: d0643220 + ... + CPU: 0 PID: 110 Comm: modprobe Not tainted 5.11.0+ #1 + Hardware name: Intel Corp. QUARK/GalileoGen2, BIOS 0x01000200 01/01/2014 + EIP: intel_quark_mfd_probe+0x93/0x1c0 [intel_quark_i2c_gpio] + +This partially reverts the commit c4a164f41554d2899bed94bdcc499263f41787b4. + +While at it, add a comment to avoid similar changes in the future. + +Fixes: c4a164f41554 ("mfd: Constify static struct resources") +Signed-off-by: Andy Shevchenko +Reviewed-by: Rikard Falkeborn +Tested-by: Tong Zhang +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/mfd/intel_quark_i2c_gpio.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/mfd/intel_quark_i2c_gpio.c b/drivers/mfd/intel_quark_i2c_gpio.c +index fe8ca945f367..b67cb0a3ab05 100644 +--- a/drivers/mfd/intel_quark_i2c_gpio.c ++++ b/drivers/mfd/intel_quark_i2c_gpio.c +@@ -72,7 +72,8 @@ static const struct dmi_system_id dmi_platform_info[] = { + {} + }; + +-static const struct resource intel_quark_i2c_res[] = { ++/* This is used as a place holder and will be modified at run-time */ ++static struct resource intel_quark_i2c_res[] = { + [INTEL_QUARK_IORES_MEM] = { + .flags = IORESOURCE_MEM, + }, +@@ -85,7 +86,8 @@ static struct mfd_cell_acpi_match intel_quark_acpi_match_i2c = { + .adr = MFD_ACPI_MATCH_I2C, + }; + +-static const struct resource intel_quark_gpio_res[] = { ++/* This is used as a place holder and will be modified at run-time */ ++static struct resource intel_quark_gpio_res[] = { + [INTEL_QUARK_IORES_MEM] = { + .flags = IORESOURCE_MEM, + }, +-- +2.30.1 + diff --git a/queue-5.11/mm-memblock-fix-section-mismatch-warning-again.patch b/queue-5.11/mm-memblock-fix-section-mismatch-warning-again.patch new file mode 100644 index 00000000000..fcdac30e4d1 --- /dev/null +++ b/queue-5.11/mm-memblock-fix-section-mismatch-warning-again.patch @@ -0,0 +1,65 @@ +From 6f0aa0146e08ccfeaa83af1ee20f03cbce5a2488 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Mar 2021 21:37:50 -0700 +Subject: mm: memblock: fix section mismatch warning again + +From: Mike Rapoport + +[ Upstream commit a024b7c2850dddd01e65b8270f0971deaf272f27 ] + +Commit 34dc2efb39a2 ("memblock: fix section mismatch warning") marked +memblock_bottom_up() and memblock_set_bottom_up() as __init, but they +could be referenced from non-init functions like +memblock_find_in_range_node() on architectures that enable +CONFIG_ARCH_KEEP_MEMBLOCK. + +For such builds kernel test robot reports: + + WARNING: modpost: vmlinux.o(.text+0x74fea4): Section mismatch in reference from the function memblock_find_in_range_node() to the function .init.text:memblock_bottom_up() + The function memblock_find_in_range_node() references the function __init memblock_bottom_up(). + This is often because memblock_find_in_range_node lacks a __init annotation or the annotation of memblock_bottom_up is wrong. + +Replace __init annotations with __init_memblock annotations so that the +appropriate section will be selected depending on +CONFIG_ARCH_KEEP_MEMBLOCK. + +Link: https://lore.kernel.org/lkml/202103160133.UzhgY0wt-lkp@intel.com +Link: https://lkml.kernel.org/r/20210316171347.14084-1-rppt@kernel.org +Fixes: 34dc2efb39a2 ("memblock: fix section mismatch warning") +Signed-off-by: Mike Rapoport +Reviewed-by: Arnd Bergmann +Reported-by: kernel test robot +Reviewed-by: David Hildenbrand +Acked-by: Nick Desaulniers +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + include/linux/memblock.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/include/linux/memblock.h b/include/linux/memblock.h +index 7643d2dfa959..4ce9c8f9e684 100644 +--- a/include/linux/memblock.h ++++ b/include/linux/memblock.h +@@ -460,7 +460,7 @@ static inline void memblock_free_late(phys_addr_t base, phys_addr_t size) + /* + * Set the allocation direction to bottom-up or top-down. + */ +-static inline __init void memblock_set_bottom_up(bool enable) ++static inline __init_memblock void memblock_set_bottom_up(bool enable) + { + memblock.bottom_up = enable; + } +@@ -470,7 +470,7 @@ static inline __init void memblock_set_bottom_up(bool enable) + * if this is true, that said, memblock will allocate memory + * in bottom-up direction. + */ +-static inline __init bool memblock_bottom_up(void) ++static inline __init_memblock bool memblock_bottom_up(void) + { + return memblock.bottom_up; + } +-- +2.30.1 + diff --git a/queue-5.11/mm-mmu_notifiers-ensure-range_end-is-paired-with-ran.patch b/queue-5.11/mm-mmu_notifiers-ensure-range_end-is-paired-with-ran.patch new file mode 100644 index 00000000000..23e3da04928 --- /dev/null +++ b/queue-5.11/mm-mmu_notifiers-ensure-range_end-is-paired-with-ran.patch @@ -0,0 +1,126 @@ +From 6f6bdbf1c62aa0d9f169be06d909f61721104260 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Mar 2021 21:37:23 -0700 +Subject: mm/mmu_notifiers: ensure range_end() is paired with range_start() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Sean Christopherson + +[ Upstream commit c2655835fd8cabdfe7dab737253de3ffb88da126 ] + +If one or more notifiers fails .invalidate_range_start(), invoke +.invalidate_range_end() for "all" notifiers. If there are multiple +notifiers, those that did not fail are expecting _start() and _end() to +be paired, e.g. KVM's mmu_notifier_count would become imbalanced. +Disallow notifiers that can fail _start() from implementing _end() so +that it's unnecessary to either track which notifiers rejected _start(), +or had already succeeded prior to a failed _start(). + +Note, the existing behavior of calling _start() on all notifiers even +after a previous notifier failed _start() was an unintented "feature". +Make it canon now that the behavior is depended on for correctness. + +As of today, the bug is likely benign: + + 1. The only caller of the non-blocking notifier is OOM kill. + 2. The only notifiers that can fail _start() are the i915 and Nouveau + drivers. + 3. The only notifiers that utilize _end() are the SGI UV GRU driver + and KVM. + 4. The GRU driver will never coincide with the i195/Nouveau drivers. + 5. An imbalanced kvm->mmu_notifier_count only causes soft lockup in the + _guest_, and the guest is already doomed due to being an OOM victim. + +Fix the bug now to play nice with future usage, e.g. KVM has a +potential use case for blocking memslot updates in KVM while an +invalidation is in-progress, and failure to unblock would result in said +updates being blocked indefinitely and hanging. + +Found by inspection. Verified by adding a second notifier in KVM that +periodically returns -EAGAIN on non-blockable ranges, triggering OOM, +and observing that KVM exits with an elevated notifier count. + +Link: https://lkml.kernel.org/r/20210311180057.1582638-1-seanjc@google.com +Fixes: 93065ac753e4 ("mm, oom: distinguish blockable mode for mmu notifiers") +Signed-off-by: Sean Christopherson +Suggested-by: Jason Gunthorpe +Reviewed-by: Jason Gunthorpe +Cc: David Rientjes +Cc: Ben Gardon +Cc: Michal Hocko +Cc: "Jérôme Glisse" +Cc: Andrea Arcangeli +Cc: Johannes Weiner +Cc: Dimitri Sivanich +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + include/linux/mmu_notifier.h | 10 +++++----- + mm/mmu_notifier.c | 23 +++++++++++++++++++++++ + 2 files changed, 28 insertions(+), 5 deletions(-) + +diff --git a/include/linux/mmu_notifier.h b/include/linux/mmu_notifier.h +index b8200782dede..1a6a9eb6d3fa 100644 +--- a/include/linux/mmu_notifier.h ++++ b/include/linux/mmu_notifier.h +@@ -169,11 +169,11 @@ struct mmu_notifier_ops { + * the last refcount is dropped. + * + * If blockable argument is set to false then the callback cannot +- * sleep and has to return with -EAGAIN. 0 should be returned +- * otherwise. Please note that if invalidate_range_start approves +- * a non-blocking behavior then the same applies to +- * invalidate_range_end. +- * ++ * sleep and has to return with -EAGAIN if sleeping would be required. ++ * 0 should be returned otherwise. Please note that notifiers that can ++ * fail invalidate_range_start are not allowed to implement ++ * invalidate_range_end, as there is no mechanism for informing the ++ * notifier that its start failed. + */ + int (*invalidate_range_start)(struct mmu_notifier *subscription, + const struct mmu_notifier_range *range); +diff --git a/mm/mmu_notifier.c b/mm/mmu_notifier.c +index 61ee40ed804e..459d195d2ff6 100644 +--- a/mm/mmu_notifier.c ++++ b/mm/mmu_notifier.c +@@ -501,10 +501,33 @@ static int mn_hlist_invalidate_range_start( + ""); + WARN_ON(mmu_notifier_range_blockable(range) || + _ret != -EAGAIN); ++ /* ++ * We call all the notifiers on any EAGAIN, ++ * there is no way for a notifier to know if ++ * its start method failed, thus a start that ++ * does EAGAIN can't also do end. ++ */ ++ WARN_ON(ops->invalidate_range_end); + ret = _ret; + } + } + } ++ ++ if (ret) { ++ /* ++ * Must be non-blocking to get here. If there are multiple ++ * notifiers and one or more failed start, any that succeeded ++ * start are expecting their end to be called. Do so now. ++ */ ++ hlist_for_each_entry_rcu(subscription, &subscriptions->list, ++ hlist, srcu_read_lock_held(&srcu)) { ++ if (!subscription->ops->invalidate_range_end) ++ continue; ++ ++ subscription->ops->invalidate_range_end(subscription, ++ range); ++ } ++ } + srcu_read_unlock(&srcu, id); + + return ret; +-- +2.30.1 + diff --git a/queue-5.11/mptcp-fix-add_addr-hmac-in-case-port-is-specified.patch b/queue-5.11/mptcp-fix-add_addr-hmac-in-case-port-is-specified.patch new file mode 100644 index 00000000000..d70113a098f --- /dev/null +++ b/queue-5.11/mptcp-fix-add_addr-hmac-in-case-port-is-specified.patch @@ -0,0 +1,109 @@ +From 655b99e8e9ed95c550ad88726ab4c477fc560339 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Mar 2021 11:41:16 +0100 +Subject: mptcp: fix ADD_ADDR HMAC in case port is specified +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Davide Caratti + +[ Upstream commit 13832ae2755395b2585500c85b64f5109a44227e ] + +Currently, Linux computes the HMAC contained in ADD_ADDR sub-option using +the Address Id and the IP Address, and hardcodes a destination port equal +to zero. This is not ok for ADD_ADDR with port: ensure to account for the +endpoint port when computing the HMAC, in compliance with RFC8684 §3.4.1. + +Fixes: 22fb85ffaefb ("mptcp: add port support for ADD_ADDR suboption writing") +Reviewed-by: Mat Martineau +Acked-by: Geliang Tang +Signed-off-by: Davide Caratti +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/mptcp/options.c | 24 ++++++++++++++---------- + 1 file changed, 14 insertions(+), 10 deletions(-) + +diff --git a/net/mptcp/options.c b/net/mptcp/options.c +index 2e26e39169b8..37ef0bf098f6 100644 +--- a/net/mptcp/options.c ++++ b/net/mptcp/options.c +@@ -555,15 +555,15 @@ static bool mptcp_established_options_dss(struct sock *sk, struct sk_buff *skb, + } + + static u64 add_addr_generate_hmac(u64 key1, u64 key2, u8 addr_id, +- struct in_addr *addr) ++ struct in_addr *addr, u16 port) + { + u8 hmac[SHA256_DIGEST_SIZE]; + u8 msg[7]; + + msg[0] = addr_id; + memcpy(&msg[1], &addr->s_addr, 4); +- msg[5] = 0; +- msg[6] = 0; ++ msg[5] = port >> 8; ++ msg[6] = port & 0xFF; + + mptcp_crypto_hmac_sha(key1, key2, msg, 7, hmac); + +@@ -572,15 +572,15 @@ static u64 add_addr_generate_hmac(u64 key1, u64 key2, u8 addr_id, + + #if IS_ENABLED(CONFIG_MPTCP_IPV6) + static u64 add_addr6_generate_hmac(u64 key1, u64 key2, u8 addr_id, +- struct in6_addr *addr) ++ struct in6_addr *addr, u16 port) + { + u8 hmac[SHA256_DIGEST_SIZE]; + u8 msg[19]; + + msg[0] = addr_id; + memcpy(&msg[1], &addr->s6_addr, 16); +- msg[17] = 0; +- msg[18] = 0; ++ msg[17] = port >> 8; ++ msg[18] = port & 0xFF; + + mptcp_crypto_hmac_sha(key1, key2, msg, 19, hmac); + +@@ -634,7 +634,8 @@ static bool mptcp_established_options_add_addr(struct sock *sk, struct sk_buff * + opts->ahmac = add_addr_generate_hmac(msk->local_key, + msk->remote_key, + opts->addr_id, +- &opts->addr); ++ &opts->addr, ++ opts->port); + } + } + #if IS_ENABLED(CONFIG_MPTCP_IPV6) +@@ -645,7 +646,8 @@ static bool mptcp_established_options_add_addr(struct sock *sk, struct sk_buff * + opts->ahmac = add_addr6_generate_hmac(msk->local_key, + msk->remote_key, + opts->addr_id, +- &opts->addr6); ++ &opts->addr6, ++ opts->port); + } + } + #endif +@@ -922,12 +924,14 @@ static bool add_addr_hmac_valid(struct mptcp_sock *msk, + if (mp_opt->family == MPTCP_ADDR_IPVERSION_4) + hmac = add_addr_generate_hmac(msk->remote_key, + msk->local_key, +- mp_opt->addr_id, &mp_opt->addr); ++ mp_opt->addr_id, &mp_opt->addr, ++ mp_opt->port); + #if IS_ENABLED(CONFIG_MPTCP_IPV6) + else + hmac = add_addr6_generate_hmac(msk->remote_key, + msk->local_key, +- mp_opt->addr_id, &mp_opt->addr6); ++ mp_opt->addr_id, &mp_opt->addr6, ++ mp_opt->port); + #endif + + pr_debug("msk=%p, ahmac=%llu, mp_opt->ahmac=%llu\n", +-- +2.30.1 + diff --git a/queue-5.11/net-axienet-fix-probe-error-cleanup.patch b/queue-5.11/net-axienet-fix-probe-error-cleanup.patch new file mode 100644 index 00000000000..bc90890b562 --- /dev/null +++ b/queue-5.11/net-axienet-fix-probe-error-cleanup.patch @@ -0,0 +1,133 @@ +From 8ed8f591d725a6c7ad39d3e9e537639c6f345155 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Mar 2021 14:05:18 -0600 +Subject: net: axienet: Fix probe error cleanup + +From: Robert Hancock + +[ Upstream commit 59cd4f19267a0aab87a8c07e4426eb7187ee548d ] + +The driver did not always clean up all allocated resources when probe +failed. Fix the probe cleanup path to clean up everything that was +allocated. + +Fixes: 57baf8cc70ea ("net: axienet: Handle deferred probe on clock properly") +Signed-off-by: Robert Hancock +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../net/ethernet/xilinx/xilinx_axienet_main.c | 35 +++++++++++++------ + 1 file changed, 24 insertions(+), 11 deletions(-) + +diff --git a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c +index b4a0bfce5b76..4cd701a9277d 100644 +--- a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c ++++ b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c +@@ -1835,7 +1835,7 @@ static int axienet_probe(struct platform_device *pdev) + if (IS_ERR(lp->regs)) { + dev_err(&pdev->dev, "could not map Axi Ethernet regs.\n"); + ret = PTR_ERR(lp->regs); +- goto free_netdev; ++ goto cleanup_clk; + } + lp->regs_start = ethres->start; + +@@ -1910,12 +1910,12 @@ static int axienet_probe(struct platform_device *pdev) + break; + default: + ret = -EINVAL; +- goto free_netdev; ++ goto cleanup_clk; + } + } else { + ret = of_get_phy_mode(pdev->dev.of_node, &lp->phy_mode); + if (ret) +- goto free_netdev; ++ goto cleanup_clk; + } + + /* Find the DMA node, map the DMA registers, and decode the DMA IRQs */ +@@ -1928,7 +1928,7 @@ static int axienet_probe(struct platform_device *pdev) + dev_err(&pdev->dev, + "unable to get DMA resource\n"); + of_node_put(np); +- goto free_netdev; ++ goto cleanup_clk; + } + lp->dma_regs = devm_ioremap_resource(&pdev->dev, + &dmares); +@@ -1948,12 +1948,12 @@ static int axienet_probe(struct platform_device *pdev) + if (IS_ERR(lp->dma_regs)) { + dev_err(&pdev->dev, "could not map DMA regs\n"); + ret = PTR_ERR(lp->dma_regs); +- goto free_netdev; ++ goto cleanup_clk; + } + if ((lp->rx_irq <= 0) || (lp->tx_irq <= 0)) { + dev_err(&pdev->dev, "could not determine irqs\n"); + ret = -ENOMEM; +- goto free_netdev; ++ goto cleanup_clk; + } + + /* Autodetect the need for 64-bit DMA pointers. +@@ -1983,7 +1983,7 @@ static int axienet_probe(struct platform_device *pdev) + ret = dma_set_mask_and_coherent(&pdev->dev, DMA_BIT_MASK(addr_width)); + if (ret) { + dev_err(&pdev->dev, "No suitable DMA available\n"); +- goto free_netdev; ++ goto cleanup_clk; + } + + /* Check for Ethernet core IRQ (optional) */ +@@ -2014,12 +2014,12 @@ static int axienet_probe(struct platform_device *pdev) + if (!lp->phy_node) { + dev_err(&pdev->dev, "phy-handle required for 1000BaseX/SGMII\n"); + ret = -EINVAL; +- goto free_netdev; ++ goto cleanup_mdio; + } + lp->pcs_phy = of_mdio_find_device(lp->phy_node); + if (!lp->pcs_phy) { + ret = -EPROBE_DEFER; +- goto free_netdev; ++ goto cleanup_mdio; + } + lp->phylink_config.pcs_poll = true; + } +@@ -2033,17 +2033,30 @@ static int axienet_probe(struct platform_device *pdev) + if (IS_ERR(lp->phylink)) { + ret = PTR_ERR(lp->phylink); + dev_err(&pdev->dev, "phylink_create error (%i)\n", ret); +- goto free_netdev; ++ goto cleanup_mdio; + } + + ret = register_netdev(lp->ndev); + if (ret) { + dev_err(lp->dev, "register_netdev() error (%i)\n", ret); +- goto free_netdev; ++ goto cleanup_phylink; + } + + return 0; + ++cleanup_phylink: ++ phylink_destroy(lp->phylink); ++ ++cleanup_mdio: ++ if (lp->pcs_phy) ++ put_device(&lp->pcs_phy->dev); ++ if (lp->mii_bus) ++ axienet_mdio_teardown(lp); ++ of_node_put(lp->phy_node); ++ ++cleanup_clk: ++ clk_disable_unprepare(lp->clk); ++ + free_netdev: + free_netdev(ndev); + +-- +2.30.1 + diff --git a/queue-5.11/net-bpf-fix-ip6ip6-crash-with-collect_md-populated-s.patch b/queue-5.11/net-bpf-fix-ip6ip6-crash-with-collect_md-populated-s.patch new file mode 100644 index 00000000000..26ee980d81c --- /dev/null +++ b/queue-5.11/net-bpf-fix-ip6ip6-crash-with-collect_md-populated-s.patch @@ -0,0 +1,90 @@ +From 84c0068ca83ee33f07fe9a1b2d4f0f648dff9c8d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Mar 2021 01:38:10 +0100 +Subject: net, bpf: Fix ip6ip6 crash with collect_md populated skbs + +From: Daniel Borkmann + +[ Upstream commit a188bb5638d41aa99090ebf2f85d3505ab13fba5 ] + +I ran into a crash where setting up a ip6ip6 tunnel device which was /not/ +set to collect_md mode was receiving collect_md populated skbs for xmit. + +The BPF prog was populating the skb via bpf_skb_set_tunnel_key() which is +assigning special metadata dst entry and then redirecting the skb to the +device, taking ip6_tnl_start_xmit() -> ipxip6_tnl_xmit() -> ip6_tnl_xmit() +and in the latter it performs a neigh lookup based on skb_dst(skb) where +we trigger a NULL pointer dereference on dst->ops->neigh_lookup() since +the md_dst_ops do not populate neigh_lookup callback with a fake handler. + +Transform the md_dst_ops into generic dst_blackhole_ops that can also be +reused elsewhere when needed, and use them for the metadata dst entries as +callback ops. + +Also, remove the dst_md_discard{,_out}() ops and rely on dst_discard{,_out}() +from dst_init() which free the skb the same way modulo the splat. Given we +will be able to recover just fine from there, avoid any potential splats +iff this gets ever triggered in future (or worse, panic on warns when set). + +Fixes: f38a9eb1f77b ("dst: Metadata destinations") +Signed-off-by: Daniel Borkmann +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/dst.c | 31 +++++++++---------------------- + 1 file changed, 9 insertions(+), 22 deletions(-) + +diff --git a/net/core/dst.c b/net/core/dst.c +index 5f6315601776..fb3bcba87744 100644 +--- a/net/core/dst.c ++++ b/net/core/dst.c +@@ -275,37 +275,24 @@ unsigned int dst_blackhole_mtu(const struct dst_entry *dst) + } + EXPORT_SYMBOL_GPL(dst_blackhole_mtu); + +-static struct dst_ops md_dst_ops = { +- .family = AF_UNSPEC, ++static struct dst_ops dst_blackhole_ops = { ++ .family = AF_UNSPEC, ++ .neigh_lookup = dst_blackhole_neigh_lookup, ++ .check = dst_blackhole_check, ++ .cow_metrics = dst_blackhole_cow_metrics, ++ .update_pmtu = dst_blackhole_update_pmtu, ++ .redirect = dst_blackhole_redirect, ++ .mtu = dst_blackhole_mtu, + }; + +-static int dst_md_discard_out(struct net *net, struct sock *sk, struct sk_buff *skb) +-{ +- WARN_ONCE(1, "Attempting to call output on metadata dst\n"); +- kfree_skb(skb); +- return 0; +-} +- +-static int dst_md_discard(struct sk_buff *skb) +-{ +- WARN_ONCE(1, "Attempting to call input on metadata dst\n"); +- kfree_skb(skb); +- return 0; +-} +- + static void __metadata_dst_init(struct metadata_dst *md_dst, + enum metadata_type type, u8 optslen) +- + { + struct dst_entry *dst; + + dst = &md_dst->dst; +- dst_init(dst, &md_dst_ops, NULL, 1, DST_OBSOLETE_NONE, ++ dst_init(dst, &dst_blackhole_ops, NULL, 1, DST_OBSOLETE_NONE, + DST_METADATA | DST_NOCOUNT); +- +- dst->input = dst_md_discard; +- dst->output = dst_md_discard_out; +- + memset(dst + 1, 0, sizeof(*md_dst) + optslen - sizeof(*dst)); + md_dst->type = type; + } +-- +2.30.1 + diff --git a/queue-5.11/net-bridge-don-t-notify-switchdev-for-local-fdb-addr.patch b/queue-5.11/net-bridge-don-t-notify-switchdev-for-local-fdb-addr.patch new file mode 100644 index 00000000000..5c3488c8ad2 --- /dev/null +++ b/queue-5.11/net-bridge-don-t-notify-switchdev-for-local-fdb-addr.patch @@ -0,0 +1,75 @@ +From 8eedbd1b9fc2482678d97ddbe0275f6e0f9afdc5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Mar 2021 20:21:08 +0200 +Subject: net: bridge: don't notify switchdev for local FDB addresses + +From: Vladimir Oltean + +[ Upstream commit 6ab4c3117aec4e08007d9e971fa4133e1de1082d ] + +As explained in this discussion: +https://lore.kernel.org/netdev/20210117193009.io3nungdwuzmo5f7@skbuf/ + +the switchdev notifiers for FDB entries managed to have a zero-day bug. +The bridge would not say that this entry is local: + +ip link add br0 type bridge +ip link set swp0 master br0 +bridge fdb add dev swp0 00:01:02:03:04:05 master local + +and the switchdev driver would be more than happy to offload it as a +normal static FDB entry. This is despite the fact that 'local' and +non-'local' entries have completely opposite directions: a local entry +is locally terminated and not forwarded, whereas a static entry is +forwarded and not locally terminated. So, for example, DSA would install +this entry on swp0 instead of installing it on the CPU port as it should. + +There is an even sadder part, which is that the 'local' flag is implicit +if 'static' is not specified, meaning that this command produces the +same result of adding a 'local' entry: + +bridge fdb add dev swp0 00:01:02:03:04:05 master + +I've updated the man pages for 'bridge', and after reading it now, it +should be pretty clear to any user that the commands above were broken +and should have never resulted in the 00:01:02:03:04:05 address being +forwarded (this behavior is coherent with non-switchdev interfaces): +https://patchwork.kernel.org/project/netdevbpf/cover/20210211104502.2081443-1-olteanv@gmail.com/ +If you're a user reading this and this is what you want, just use: + +bridge fdb add dev swp0 00:01:02:03:04:05 master static + +Because switchdev should have given drivers the means from day one to +classify FDB entries as local/non-local, but didn't, it means that all +drivers are currently broken. So we can just as well omit the switchdev +notifications for local FDB entries, which is exactly what this patch +does to close the bug in stable trees. For further development work +where drivers might want to trap the local FDB entries to the host, we +can add a 'bool is_local' to br_switchdev_fdb_call_notifiers(), and +selectively make drivers act upon that bit, while all the others ignore +those entries if the 'is_local' bit is set. + +Fixes: 6b26b51b1d13 ("net: bridge: Add support for notifying devices about FDB add/del") +Signed-off-by: Vladimir Oltean +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/bridge/br_switchdev.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/bridge/br_switchdev.c b/net/bridge/br_switchdev.c +index 015209bf44aa..3c42095fa75f 100644 +--- a/net/bridge/br_switchdev.c ++++ b/net/bridge/br_switchdev.c +@@ -123,6 +123,8 @@ br_switchdev_fdb_notify(const struct net_bridge_fdb_entry *fdb, int type) + { + if (!fdb->dst) + return; ++ if (test_bit(BR_FDB_LOCAL, &fdb->flags)) ++ return; + + switch (type) { + case RTM_DELNEIGH: +-- +2.30.1 + diff --git a/queue-5.11/net-cdc-phonet-fix-data-interface-release-on-probe-f.patch b/queue-5.11/net-cdc-phonet-fix-data-interface-release-on-probe-f.patch new file mode 100644 index 00000000000..0c6042d7cc3 --- /dev/null +++ b/queue-5.11/net-cdc-phonet-fix-data-interface-release-on-probe-f.patch @@ -0,0 +1,37 @@ +From f290632dc2d2e40639082f235be1c59810e87657 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Mar 2021 16:57:49 +0100 +Subject: net: cdc-phonet: fix data-interface release on probe failure + +From: Johan Hovold + +[ Upstream commit c79a707072fe3fea0e3c92edee6ca85c1e53c29f ] + +Set the disconnected flag before releasing the data interface in case +netdev registration fails to avoid having the disconnect callback try to +deregister the never registered netdev (and trigger a WARN_ON()). + +Fixes: 87cf65601e17 ("USB host CDC Phonet network interface driver") +Signed-off-by: Johan Hovold +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/cdc-phonet.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/usb/cdc-phonet.c b/drivers/net/usb/cdc-phonet.c +index 02e6bbb17b15..8d1f69dad603 100644 +--- a/drivers/net/usb/cdc-phonet.c ++++ b/drivers/net/usb/cdc-phonet.c +@@ -387,6 +387,8 @@ static int usbpn_probe(struct usb_interface *intf, const struct usb_device_id *i + + err = register_netdev(dev); + if (err) { ++ /* Set disconnected flag so that disconnect() returns early. */ ++ pnd->disconnected = 1; + usb_driver_release_interface(&usbpn_driver, data_intf); + goto out; + } +-- +2.30.1 + diff --git a/queue-5.11/net-check-all-name-nodes-in-__dev_alloc_name.patch b/queue-5.11/net-check-all-name-nodes-in-__dev_alloc_name.patch new file mode 100644 index 00000000000..2ae58180114 --- /dev/null +++ b/queue-5.11/net-check-all-name-nodes-in-__dev_alloc_name.patch @@ -0,0 +1,65 @@ +From 7e00f839331938225189e042877d6eaf94f31d84 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Mar 2021 04:42:53 +0100 +Subject: net: check all name nodes in __dev_alloc_name + +From: Jiri Bohac + +[ Upstream commit 6c015a2256801597fadcbc11d287774c9c512fa5 ] + +__dev_alloc_name(), when supplied with a name containing '%d', +will search for the first available device number to generate a +unique device name. + +Since commit ff92741270bf8b6e78aa885f166b68c7a67ab13a ("net: +introduce name_node struct to be used in hashlist") network +devices may have alternate names. __dev_alloc_name() does take +these alternate names into account, possibly generating a name +that is already taken and failing with -ENFILE as a result. + +This demonstrates the bug: + + # rmmod dummy 2>/dev/null + # ip link property add dev lo altname dummy0 + # modprobe dummy numdummies=1 + modprobe: ERROR: could not insert 'dummy': Too many open files in system + +Instead of creating a device named dummy1, modprobe fails. + +Fix this by checking all the names in the d->name_node list, not just d->name. + +Signed-off-by: Jiri Bohac +Fixes: ff92741270bf ("net: introduce name_node struct to be used in hashlist") +Reviewed-by: Jiri Pirko +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/dev.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/net/core/dev.c b/net/core/dev.c +index a5a1dbe66b76..541ee3bc467b 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -1182,6 +1182,18 @@ static int __dev_alloc_name(struct net *net, const char *name, char *buf) + return -ENOMEM; + + for_each_netdev(net, d) { ++ struct netdev_name_node *name_node; ++ list_for_each_entry(name_node, &d->name_node->list, list) { ++ if (!sscanf(name_node->name, name, &i)) ++ continue; ++ if (i < 0 || i >= max_netdevices) ++ continue; ++ ++ /* avoid cases where sscanf is not exact inverse of printf */ ++ snprintf(buf, IFNAMSIZ, name, i); ++ if (!strncmp(buf, name_node->name, IFNAMSIZ)) ++ set_bit(i, inuse); ++ } + if (!sscanf(d->name, name, &i)) + continue; + if (i < 0 || i >= max_netdevices) +-- +2.30.1 + diff --git a/queue-5.11/net-consolidate-common-blackhole-dst-ops.patch b/queue-5.11/net-consolidate-common-blackhole-dst-ops.patch new file mode 100644 index 00000000000..493fd44616f --- /dev/null +++ b/queue-5.11/net-consolidate-common-blackhole-dst-ops.patch @@ -0,0 +1,201 @@ +From 5abe5a1c5ff9fd26cd06d4cd7499619a35c0bdeb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Mar 2021 01:38:09 +0100 +Subject: net: Consolidate common blackhole dst ops + +From: Daniel Borkmann + +[ Upstream commit c4c877b2732466b4c63217baad05c96f775912c7 ] + +Move generic blackhole dst ops to the core and use them from both +ipv4_dst_blackhole_ops and ip6_dst_blackhole_ops where possible. No +functional change otherwise. We need these also in other locations +and having to define them over and over again is not great. + +Signed-off-by: Daniel Borkmann +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/net/dst.h | 11 +++++++++++ + net/core/dst.c | 38 ++++++++++++++++++++++++++++++++++++++ + net/ipv4/route.c | 45 ++++++++------------------------------------- + net/ipv6/route.c | 36 +++++++++--------------------------- + 4 files changed, 66 insertions(+), 64 deletions(-) + +diff --git a/include/net/dst.h b/include/net/dst.h +index 10f0a8399867..8d7cf51766c4 100644 +--- a/include/net/dst.h ++++ b/include/net/dst.h +@@ -533,4 +533,15 @@ static inline void skb_dst_update_pmtu_no_confirm(struct sk_buff *skb, u32 mtu) + dst->ops->update_pmtu(dst, NULL, skb, mtu, false); + } + ++struct dst_entry *dst_blackhole_check(struct dst_entry *dst, u32 cookie); ++void dst_blackhole_update_pmtu(struct dst_entry *dst, struct sock *sk, ++ struct sk_buff *skb, u32 mtu, bool confirm_neigh); ++void dst_blackhole_redirect(struct dst_entry *dst, struct sock *sk, ++ struct sk_buff *skb); ++u32 *dst_blackhole_cow_metrics(struct dst_entry *dst, unsigned long old); ++struct neighbour *dst_blackhole_neigh_lookup(const struct dst_entry *dst, ++ struct sk_buff *skb, ++ const void *daddr); ++unsigned int dst_blackhole_mtu(const struct dst_entry *dst); ++ + #endif /* _NET_DST_H */ +diff --git a/net/core/dst.c b/net/core/dst.c +index 0c01bd8d9d81..5f6315601776 100644 +--- a/net/core/dst.c ++++ b/net/core/dst.c +@@ -237,6 +237,44 @@ void __dst_destroy_metrics_generic(struct dst_entry *dst, unsigned long old) + } + EXPORT_SYMBOL(__dst_destroy_metrics_generic); + ++struct dst_entry *dst_blackhole_check(struct dst_entry *dst, u32 cookie) ++{ ++ return NULL; ++} ++ ++u32 *dst_blackhole_cow_metrics(struct dst_entry *dst, unsigned long old) ++{ ++ return NULL; ++} ++ ++struct neighbour *dst_blackhole_neigh_lookup(const struct dst_entry *dst, ++ struct sk_buff *skb, ++ const void *daddr) ++{ ++ return NULL; ++} ++ ++void dst_blackhole_update_pmtu(struct dst_entry *dst, struct sock *sk, ++ struct sk_buff *skb, u32 mtu, ++ bool confirm_neigh) ++{ ++} ++EXPORT_SYMBOL_GPL(dst_blackhole_update_pmtu); ++ ++void dst_blackhole_redirect(struct dst_entry *dst, struct sock *sk, ++ struct sk_buff *skb) ++{ ++} ++EXPORT_SYMBOL_GPL(dst_blackhole_redirect); ++ ++unsigned int dst_blackhole_mtu(const struct dst_entry *dst) ++{ ++ unsigned int mtu = dst_metric_raw(dst, RTAX_MTU); ++ ++ return mtu ? : dst->dev->mtu; ++} ++EXPORT_SYMBOL_GPL(dst_blackhole_mtu); ++ + static struct dst_ops md_dst_ops = { + .family = AF_UNSPEC, + }; +diff --git a/net/ipv4/route.c b/net/ipv4/route.c +index e26652ff7059..983b4db1868f 100644 +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -2682,44 +2682,15 @@ out: + return rth; + } + +-static struct dst_entry *ipv4_blackhole_dst_check(struct dst_entry *dst, u32 cookie) +-{ +- return NULL; +-} +- +-static unsigned int ipv4_blackhole_mtu(const struct dst_entry *dst) +-{ +- unsigned int mtu = dst_metric_raw(dst, RTAX_MTU); +- +- return mtu ? : dst->dev->mtu; +-} +- +-static void ipv4_rt_blackhole_update_pmtu(struct dst_entry *dst, struct sock *sk, +- struct sk_buff *skb, u32 mtu, +- bool confirm_neigh) +-{ +-} +- +-static void ipv4_rt_blackhole_redirect(struct dst_entry *dst, struct sock *sk, +- struct sk_buff *skb) +-{ +-} +- +-static u32 *ipv4_rt_blackhole_cow_metrics(struct dst_entry *dst, +- unsigned long old) +-{ +- return NULL; +-} +- + static struct dst_ops ipv4_dst_blackhole_ops = { +- .family = AF_INET, +- .check = ipv4_blackhole_dst_check, +- .mtu = ipv4_blackhole_mtu, +- .default_advmss = ipv4_default_advmss, +- .update_pmtu = ipv4_rt_blackhole_update_pmtu, +- .redirect = ipv4_rt_blackhole_redirect, +- .cow_metrics = ipv4_rt_blackhole_cow_metrics, +- .neigh_lookup = ipv4_neigh_lookup, ++ .family = AF_INET, ++ .default_advmss = ipv4_default_advmss, ++ .neigh_lookup = ipv4_neigh_lookup, ++ .check = dst_blackhole_check, ++ .cow_metrics = dst_blackhole_cow_metrics, ++ .update_pmtu = dst_blackhole_update_pmtu, ++ .redirect = dst_blackhole_redirect, ++ .mtu = dst_blackhole_mtu, + }; + + struct dst_entry *ipv4_blackhole_route(struct net *net, struct dst_entry *dst_orig) +diff --git a/net/ipv6/route.c b/net/ipv6/route.c +index 188e114b29b4..0bbfaa55e3c8 100644 +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -258,34 +258,16 @@ static struct dst_ops ip6_dst_ops_template = { + .confirm_neigh = ip6_confirm_neigh, + }; + +-static unsigned int ip6_blackhole_mtu(const struct dst_entry *dst) +-{ +- unsigned int mtu = dst_metric_raw(dst, RTAX_MTU); +- +- return mtu ? : dst->dev->mtu; +-} +- +-static void ip6_rt_blackhole_update_pmtu(struct dst_entry *dst, struct sock *sk, +- struct sk_buff *skb, u32 mtu, +- bool confirm_neigh) +-{ +-} +- +-static void ip6_rt_blackhole_redirect(struct dst_entry *dst, struct sock *sk, +- struct sk_buff *skb) +-{ +-} +- + static struct dst_ops ip6_dst_blackhole_ops = { +- .family = AF_INET6, +- .destroy = ip6_dst_destroy, +- .check = ip6_dst_check, +- .mtu = ip6_blackhole_mtu, +- .default_advmss = ip6_default_advmss, +- .update_pmtu = ip6_rt_blackhole_update_pmtu, +- .redirect = ip6_rt_blackhole_redirect, +- .cow_metrics = dst_cow_metrics_generic, +- .neigh_lookup = ip6_dst_neigh_lookup, ++ .family = AF_INET6, ++ .default_advmss = ip6_default_advmss, ++ .neigh_lookup = ip6_dst_neigh_lookup, ++ .check = ip6_dst_check, ++ .destroy = ip6_dst_destroy, ++ .cow_metrics = dst_cow_metrics_generic, ++ .update_pmtu = dst_blackhole_update_pmtu, ++ .redirect = dst_blackhole_redirect, ++ .mtu = dst_blackhole_mtu, + }; + + static const u32 ip6_template_metrics[RTAX_MAX] = { +-- +2.30.1 + diff --git a/queue-5.11/net-dsa-bcm_sf2-qualify-phydev-dev_flags-based-on-po.patch b/queue-5.11/net-dsa-bcm_sf2-qualify-phydev-dev_flags-based-on-po.patch new file mode 100644 index 00000000000..f62c7d39528 --- /dev/null +++ b/queue-5.11/net-dsa-bcm_sf2-qualify-phydev-dev_flags-based-on-po.patch @@ -0,0 +1,43 @@ +From e70171d87028b2b07eff99003f43be26c747dea7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Mar 2021 14:17:58 -0800 +Subject: net: dsa: bcm_sf2: Qualify phydev->dev_flags based on port + +From: Florian Fainelli + +[ Upstream commit 47142ed6c34d544ae9f0463e58d482289cbe0d46 ] + +Similar to commit 92696286f3bb37ba50e4bd8d1beb24afb759a799 ("net: +bcmgenet: Set phydev->dev_flags only for internal PHYs") we need to +qualify the phydev->dev_flags based on whether the port is connected to +an internal or external PHY otherwise we risk having a flags collision +with a completely different interpretation depending on the driver. + +Fixes: aa9aef77c761 ("net: dsa: bcm_sf2: communicate integrated PHY revision to PHY driver") +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/bcm_sf2.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/dsa/bcm_sf2.c b/drivers/net/dsa/bcm_sf2.c +index edb0a1027b38..510324916e91 100644 +--- a/drivers/net/dsa/bcm_sf2.c ++++ b/drivers/net/dsa/bcm_sf2.c +@@ -584,8 +584,10 @@ static u32 bcm_sf2_sw_get_phy_flags(struct dsa_switch *ds, int port) + * in bits 15:8 and the patch level in bits 7:0 which is exactly what + * the REG_PHY_REVISION register layout is. + */ +- +- return priv->hw_params.gphy_rev; ++ if (priv->int_phy_mask & BIT(port)) ++ return priv->hw_params.gphy_rev; ++ else ++ return 0; + } + + static void bcm_sf2_sw_validate(struct dsa_switch *ds, int port, +-- +2.30.1 + diff --git a/queue-5.11/net-hdlc_x25-prevent-racing-between-x25_close-and-x2.patch b/queue-5.11/net-hdlc_x25-prevent-racing-between-x25_close-and-x2.patch new file mode 100644 index 00000000000..099c4714a12 --- /dev/null +++ b/queue-5.11/net-hdlc_x25-prevent-racing-between-x25_close-and-x2.patch @@ -0,0 +1,166 @@ +From c37129861d2add9659759b72e6bc3878ffb67683 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Mar 2021 04:21:01 -0700 +Subject: net: hdlc_x25: Prevent racing between "x25_close" and + "x25_xmit"/"x25_rx" + +From: Xie He + +[ Upstream commit bf0ffea336b493c0a8c8bc27b46683ecf1e8f294 ] + +"x25_close" is called by "hdlc_close" in "hdlc.c", which is called by +hardware drivers' "ndo_stop" function. +"x25_xmit" is called by "hdlc_start_xmit" in "hdlc.c", which is hardware +drivers' "ndo_start_xmit" function. +"x25_rx" is called by "hdlc_rcv" in "hdlc.c", which receives HDLC frames +from "net/core/dev.c". + +"x25_close" races with "x25_xmit" and "x25_rx" because their callers race. + +However, we need to ensure that the LAPB APIs called in "x25_xmit" and +"x25_rx" are called before "lapb_unregister" is called in "x25_close". + +This patch adds locking to ensure when "x25_xmit" and "x25_rx" are doing +their work, "lapb_unregister" is not yet called in "x25_close". + +Reasons for not solving the racing between "x25_close" and "x25_xmit" by +calling "netif_tx_disable" in "x25_close": +1. We still need to solve the racing between "x25_close" and "x25_rx"; +2. The design of the HDLC subsystem assumes the HDLC hardware drivers +have full control over the TX queue, and the HDLC protocol drivers (like +this driver) have no control. Controlling the queue here in the protocol +driver may interfere with hardware drivers' control of the queue. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Xie He +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/wan/hdlc_x25.c | 42 +++++++++++++++++++++++++++++++++++++- + 1 file changed, 41 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wan/hdlc_x25.c b/drivers/net/wan/hdlc_x25.c +index 4aaa6388b9ee..5a6a945f6c81 100644 +--- a/drivers/net/wan/hdlc_x25.c ++++ b/drivers/net/wan/hdlc_x25.c +@@ -23,6 +23,8 @@ + + struct x25_state { + x25_hdlc_proto settings; ++ bool up; ++ spinlock_t up_lock; /* Protects "up" */ + }; + + static int x25_ioctl(struct net_device *dev, struct ifreq *ifr); +@@ -104,6 +106,8 @@ static void x25_data_transmit(struct net_device *dev, struct sk_buff *skb) + + static netdev_tx_t x25_xmit(struct sk_buff *skb, struct net_device *dev) + { ++ hdlc_device *hdlc = dev_to_hdlc(dev); ++ struct x25_state *x25st = state(hdlc); + int result; + + /* There should be a pseudo header of 1 byte added by upper layers. +@@ -114,11 +118,19 @@ static netdev_tx_t x25_xmit(struct sk_buff *skb, struct net_device *dev) + return NETDEV_TX_OK; + } + ++ spin_lock_bh(&x25st->up_lock); ++ if (!x25st->up) { ++ spin_unlock_bh(&x25st->up_lock); ++ kfree_skb(skb); ++ return NETDEV_TX_OK; ++ } ++ + switch (skb->data[0]) { + case X25_IFACE_DATA: /* Data to be transmitted */ + skb_pull(skb, 1); + if ((result = lapb_data_request(dev, skb)) != LAPB_OK) + dev_kfree_skb(skb); ++ spin_unlock_bh(&x25st->up_lock); + return NETDEV_TX_OK; + + case X25_IFACE_CONNECT: +@@ -147,6 +159,7 @@ static netdev_tx_t x25_xmit(struct sk_buff *skb, struct net_device *dev) + break; + } + ++ spin_unlock_bh(&x25st->up_lock); + dev_kfree_skb(skb); + return NETDEV_TX_OK; + } +@@ -164,6 +177,7 @@ static int x25_open(struct net_device *dev) + .data_transmit = x25_data_transmit, + }; + hdlc_device *hdlc = dev_to_hdlc(dev); ++ struct x25_state *x25st = state(hdlc); + struct lapb_parms_struct params; + int result; + +@@ -190,6 +204,10 @@ static int x25_open(struct net_device *dev) + if (result != LAPB_OK) + return -EINVAL; + ++ spin_lock_bh(&x25st->up_lock); ++ x25st->up = true; ++ spin_unlock_bh(&x25st->up_lock); ++ + return 0; + } + +@@ -197,6 +215,13 @@ static int x25_open(struct net_device *dev) + + static void x25_close(struct net_device *dev) + { ++ hdlc_device *hdlc = dev_to_hdlc(dev); ++ struct x25_state *x25st = state(hdlc); ++ ++ spin_lock_bh(&x25st->up_lock); ++ x25st->up = false; ++ spin_unlock_bh(&x25st->up_lock); ++ + lapb_unregister(dev); + } + +@@ -205,15 +230,28 @@ static void x25_close(struct net_device *dev) + static int x25_rx(struct sk_buff *skb) + { + struct net_device *dev = skb->dev; ++ hdlc_device *hdlc = dev_to_hdlc(dev); ++ struct x25_state *x25st = state(hdlc); + + if ((skb = skb_share_check(skb, GFP_ATOMIC)) == NULL) { + dev->stats.rx_dropped++; + return NET_RX_DROP; + } + +- if (lapb_data_received(dev, skb) == LAPB_OK) ++ spin_lock_bh(&x25st->up_lock); ++ if (!x25st->up) { ++ spin_unlock_bh(&x25st->up_lock); ++ kfree_skb(skb); ++ dev->stats.rx_dropped++; ++ return NET_RX_DROP; ++ } ++ ++ if (lapb_data_received(dev, skb) == LAPB_OK) { ++ spin_unlock_bh(&x25st->up_lock); + return NET_RX_SUCCESS; ++ } + ++ spin_unlock_bh(&x25st->up_lock); + dev->stats.rx_errors++; + dev_kfree_skb_any(skb); + return NET_RX_DROP; +@@ -298,6 +336,8 @@ static int x25_ioctl(struct net_device *dev, struct ifreq *ifr) + return result; + + memcpy(&state(hdlc)->settings, &new_settings, size); ++ state(hdlc)->up = false; ++ spin_lock_init(&state(hdlc)->up_lock); + + /* There's no header_ops so hard_header_len should be 0. */ + dev->hard_header_len = 0; +-- +2.30.1 + diff --git a/queue-5.11/net-ipa-terminate-message-handler-arrays.patch b/queue-5.11/net-ipa-terminate-message-handler-arrays.patch new file mode 100644 index 00000000000..5a9f15d3ba4 --- /dev/null +++ b/queue-5.11/net-ipa-terminate-message-handler-arrays.patch @@ -0,0 +1,55 @@ +From 52a787263111e2b413ad74d999566f4463f86a71 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Mar 2021 09:12:48 -0600 +Subject: net: ipa: terminate message handler arrays + +From: Alex Elder + +[ Upstream commit 3a9ef3e11c5d33e5cb355b4aad1a4caad2407541 ] + +When a QMI handle is initialized, an array of message handler +structures is provided, defining how any received message should +be handled based on its type and message ID. The QMI core code +traverses this array when a message arrives and calls the function +associated with the (type, msg_id) found in the array. + +The array is supposed to be terminated with an empty (all zero) +entry though. Without it, an unsupported message will cause +the QMI core code to go past the end of the array. + +Fix this bug, by properly terminating the message handler arrays +provided when QMI handles are set up by the IPA driver. + +Fixes: 530f9216a9537 ("soc: qcom: ipa: AP/modem communications") +Reported-by: Sujit Kautkar +Signed-off-by: Alex Elder +Reviewed-by: Bjorn Andersson +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ipa/ipa_qmi.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ipa/ipa_qmi.c b/drivers/net/ipa/ipa_qmi.c +index 2fc64483f275..e594bf3b600f 100644 +--- a/drivers/net/ipa/ipa_qmi.c ++++ b/drivers/net/ipa/ipa_qmi.c +@@ -249,6 +249,7 @@ static const struct qmi_msg_handler ipa_server_msg_handlers[] = { + .decoded_size = IPA_QMI_DRIVER_INIT_COMPLETE_REQ_SZ, + .fn = ipa_server_driver_init_complete, + }, ++ { }, + }; + + /* Handle an INIT_DRIVER response message from the modem. */ +@@ -269,6 +270,7 @@ static const struct qmi_msg_handler ipa_client_msg_handlers[] = { + .decoded_size = IPA_QMI_INIT_DRIVER_RSP_SZ, + .fn = ipa_client_init_driver, + }, ++ { }, + }; + + /* Return a pointer to an init modem driver request structure, which contains +-- +2.30.1 + diff --git a/queue-5.11/net-mlx5-add-back-multicast-stats-for-uplink-represe.patch b/queue-5.11/net-mlx5-add-back-multicast-stats-for-uplink-represe.patch new file mode 100644 index 00000000000..4294b2d2ad5 --- /dev/null +++ b/queue-5.11/net-mlx5-add-back-multicast-stats-for-uplink-represe.patch @@ -0,0 +1,46 @@ +From 17aac2597dbdf7c2ef7a51d1d0c157126e2aaea4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Mar 2021 20:33:19 -0500 +Subject: net/mlx5: Add back multicast stats for uplink representor + +From: Huy Nguyen + +[ Upstream commit a07231084da2207629b42244380ae2f1e10bd9b4 ] + +The multicast counter got removed from uplink representor due to the +cited patch. + +Fixes: 47c97e6b10a1 ("net/mlx5e: Fix multicast counter not up-to-date in "ip -s"") +Signed-off-by: Huy Nguyen +Reviewed-by: Daniel Jurgens +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index 1386212ad3f0..aaa5a56b44c7 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -3703,10 +3703,17 @@ mlx5e_get_stats(struct net_device *dev, struct rtnl_link_stats64 *stats) + } + + if (mlx5e_is_uplink_rep(priv)) { ++ struct mlx5e_vport_stats *vstats = &priv->stats.vport; ++ + stats->rx_packets = PPORT_802_3_GET(pstats, a_frames_received_ok); + stats->rx_bytes = PPORT_802_3_GET(pstats, a_octets_received_ok); + stats->tx_packets = PPORT_802_3_GET(pstats, a_frames_transmitted_ok); + stats->tx_bytes = PPORT_802_3_GET(pstats, a_octets_transmitted_ok); ++ ++ /* vport multicast also counts packets that are dropped due to steering ++ * or rx out of buffer ++ */ ++ stats->multicast = VPORT_COUNTER_GET(vstats, received_eth_multicast.packets); + } else { + mlx5e_fold_sw_stats64(priv, stats); + } +-- +2.30.1 + diff --git a/queue-5.11/net-mlx5e-allow-to-match-on-mpls-parameters-only-for.patch b/queue-5.11/net-mlx5e-allow-to-match-on-mpls-parameters-only-for.patch new file mode 100644 index 00000000000..2257e2ffa2b --- /dev/null +++ b/queue-5.11/net-mlx5e-allow-to-match-on-mpls-parameters-only-for.patch @@ -0,0 +1,48 @@ +From 3287b19c80edd52ba2b888b99f74749c593ff291 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Mar 2021 17:01:46 +0200 +Subject: net/mlx5e: Allow to match on MPLS parameters only for MPLS over UDP + +From: Alaa Hleihel + +[ Upstream commit 7d6c86e3ccb5ceea767df5c7a9a17cdfccd3df9a ] + +Currently, we support hardware offload only for MPLS over UDP. +However, rules matching on MPLS parameters are now wrongly offloaded +for regular MPLS, without actually taking the parameters into +consideration when doing the offload. +Fix it by rejecting such unsupported rules. + +Fixes: 72046a91d134 ("net/mlx5e: Allow to match on mpls parameters") +Signed-off-by: Alaa Hleihel +Reviewed-by: Roi Dayan +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c +index e9b7da05f14a..95cbefed1b32 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c +@@ -2595,6 +2595,16 @@ static int __parse_cls_flower(struct mlx5e_priv *priv, + *match_level = MLX5_MATCH_L4; + } + ++ /* Currenlty supported only for MPLS over UDP */ ++ if (flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_MPLS) && ++ !netif_is_bareudp(filter_dev)) { ++ NL_SET_ERR_MSG_MOD(extack, ++ "Matching on MPLS is supported only for MPLS over UDP"); ++ netdev_err(priv->netdev, ++ "Matching on MPLS is supported only for MPLS over UDP\n"); ++ return -EOPNOTSUPP; ++ } ++ + return 0; + } + +-- +2.30.1 + diff --git a/queue-5.11/net-mlx5e-don-t-match-on-geneve-options-in-case-opti.patch b/queue-5.11/net-mlx5e-don-t-match-on-geneve-options-in-case-opti.patch new file mode 100644 index 00000000000..5721612a132 --- /dev/null +++ b/queue-5.11/net-mlx5e-don-t-match-on-geneve-options-in-case-opti.patch @@ -0,0 +1,46 @@ +From 63f99b7d11f38859b22cf999c00ad0435ed79e43 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Feb 2021 13:39:18 +0200 +Subject: net/mlx5e: Don't match on Geneve options in case option masks are all + zero + +From: Maor Dickman + +[ Upstream commit 385d40b042e60aa0b677d7b400a0fefb44bcbaf4 ] + +The cited change added offload support for Geneve options without verifying +the validity of the options masks, this caused offload of rules with match +on Geneve options with class,type and data masks which are zero to fail. + +Fix by ignoring the match on Geneve options in case option masks are +all zero. + +Fixes: 9272e3df3023 ("net/mlx5e: Geneve, Add support for encap/decap flows offload") +Signed-off-by: Maor Dickman +Reviewed-by: Roi Dayan +Reviewed-by: Oz Shlomo +Reviewed-by: Yevgeny Kliteynik +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_geneve.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_geneve.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_geneve.c +index e472ed0eacfb..7ed3f9f79f11 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_geneve.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_geneve.c +@@ -227,6 +227,10 @@ static int mlx5e_tc_tun_parse_geneve_options(struct mlx5e_priv *priv, + option_key = (struct geneve_opt *)&enc_opts.key->data[0]; + option_mask = (struct geneve_opt *)&enc_opts.mask->data[0]; + ++ if (option_mask->opt_class == 0 && option_mask->type == 0 && ++ !memchr_inv(option_mask->opt_data, 0, option_mask->length * 4)) ++ return 0; ++ + if (option_key->length > max_tlv_option_data_len) { + NL_SET_ERR_MSG_MOD(extack, + "Matching on GENEVE options: unsupported option len"); +-- +2.30.1 + diff --git a/queue-5.11/net-mlx5e-e-switch-fix-rate-calculation-division.patch b/queue-5.11/net-mlx5e-e-switch-fix-rate-calculation-division.patch new file mode 100644 index 00000000000..72387560d54 --- /dev/null +++ b/queue-5.11/net-mlx5e-e-switch-fix-rate-calculation-division.patch @@ -0,0 +1,39 @@ +From 69358750006c1a8c7decfdbb22db190012d85b38 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Feb 2021 08:23:29 +0200 +Subject: net/mlx5e: E-switch, Fix rate calculation division + +From: Parav Pandit + +[ Upstream commit 8b90d897823b28a51811931f3bdc79f8df79407e ] + +do_div() returns reminder, while cited patch wanted to use +quotient. +Fix it by using quotient. + +Fixes: 0e22bfb7c046 ("net/mlx5e: E-switch, Fix rate calculation for overflow") +Signed-off-by: Parav Pandit +Signed-off-by: Maor Dickman +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c +index 717fbaa6ce73..e9b7da05f14a 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c +@@ -5040,7 +5040,8 @@ static int apply_police_params(struct mlx5e_priv *priv, u64 rate, + */ + if (rate) { + rate = (rate * BITS_PER_BYTE) + 500000; +- rate_mbps = max_t(u64, do_div(rate, 1000000), 1); ++ do_div(rate, 1000000); ++ rate_mbps = max_t(u32, rate, 1); + } + + err = mlx5_esw_modify_vport_rate(esw, vport_num, rate_mbps); +-- +2.30.1 + diff --git a/queue-5.11/net-mlx5e-fix-error-path-for-ethtool-set-priv-flag.patch b/queue-5.11/net-mlx5e-fix-error-path-for-ethtool-set-priv-flag.patch new file mode 100644 index 00000000000..70689d315a8 --- /dev/null +++ b/queue-5.11/net-mlx5e-fix-error-path-for-ethtool-set-priv-flag.patch @@ -0,0 +1,48 @@ +From 4777148cb05a373aab17a66152b6ccfb6fe8c1f2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Mar 2021 17:46:35 +0200 +Subject: net/mlx5e: Fix error path for ethtool set-priv-flag + +From: Aya Levin + +[ Upstream commit 4eacfe72e3e037e3fc019113df32c39a705148c2 ] + +Expose error value when failing to comply to command: +$ ethtool --set-priv-flags eth2 rx_cqe_compress [on/off] + +Fixes: be7e87f92b58 ("net/mlx5e: Fail safe cqe compressing/moderation mode setting") +Signed-off-by: Aya Levin +Reviewed-by: Tariq Toukan +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c +index fdf5afc8b058..c9d01e705ab2 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c +@@ -1876,6 +1876,7 @@ static int set_pflag_rx_cqe_compress(struct net_device *netdev, + { + struct mlx5e_priv *priv = netdev_priv(netdev); + struct mlx5_core_dev *mdev = priv->mdev; ++ int err; + + if (!MLX5_CAP_GEN(mdev, cqe_compression)) + return -EOPNOTSUPP; +@@ -1885,7 +1886,10 @@ static int set_pflag_rx_cqe_compress(struct net_device *netdev, + return -EINVAL; + } + +- mlx5e_modify_rx_cqe_compression_locked(priv, enable); ++ err = mlx5e_modify_rx_cqe_compression_locked(priv, enable); ++ if (err) ++ return err; ++ + priv->channels.params.rx_cqe_compress_def = enable; + + return 0; +-- +2.30.1 + diff --git a/queue-5.11/net-mlx5e-offload-tuple-rewrite-for-non-ct-flows.patch b/queue-5.11/net-mlx5e-offload-tuple-rewrite-for-non-ct-flows.patch new file mode 100644 index 00000000000..4041559bd87 --- /dev/null +++ b/queue-5.11/net-mlx5e-offload-tuple-rewrite-for-non-ct-flows.patch @@ -0,0 +1,108 @@ +From 705cbcc2d4de9d00f6413239826182887cc44b50 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Mar 2021 21:28:11 +0200 +Subject: net/mlx5e: Offload tuple rewrite for non-CT flows + +From: Dima Chumak + +[ Upstream commit 96b5b4585843e3c83fb1930e5dfbefd0fb889c55 ] + +Setting connection tracking OVS flows and then setting non-CT flows that +use tuple rewrite action (e.g. mod_tp_dst), causes the latter flows not +being offloaded. + +Fix by using a stricter condition in modify_header_match_supported() to +check tuple rewrite support only for flows with CT action. The check is +factored out into standalone modify_tuple_supported() function to aid +readability. + +Fixes: 7e36feeb0467 ("net/mlx5e: CT: Don't offload tuple rewrites for established tuples") +Signed-off-by: Dima Chumak +Reviewed-by: Paul Blakey +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + .../ethernet/mellanox/mlx5/core/en/tc_ct.c | 3 +- + .../net/ethernet/mellanox/mlx5/core/en_tc.c | 44 ++++++++++++++----- + 2 files changed, 35 insertions(+), 12 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c +index 24e2c0d955b9..b42396df3111 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c +@@ -1182,7 +1182,8 @@ int mlx5_tc_ct_add_no_trk_match(struct mlx5_flow_spec *spec) + + mlx5e_tc_match_to_reg_get_match(spec, CTSTATE_TO_REG, + &ctstate, &ctstate_mask); +- if (ctstate_mask) ++ ++ if ((ctstate & ctstate_mask) == MLX5_CT_STATE_TRK_BIT) + return -EOPNOTSUPP; + + ctstate_mask |= MLX5_CT_STATE_TRK_BIT; +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c +index 95cbefed1b32..24fa399b1577 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c +@@ -3208,6 +3208,37 @@ static int is_action_keys_supported(const struct flow_action_entry *act, + return 0; + } + ++static bool modify_tuple_supported(bool modify_tuple, bool ct_clear, ++ bool ct_flow, struct netlink_ext_ack *extack, ++ struct mlx5e_priv *priv, ++ struct mlx5_flow_spec *spec) ++{ ++ if (!modify_tuple || ct_clear) ++ return true; ++ ++ if (ct_flow) { ++ NL_SET_ERR_MSG_MOD(extack, ++ "can't offload tuple modification with non-clear ct()"); ++ netdev_info(priv->netdev, ++ "can't offload tuple modification with non-clear ct()"); ++ return false; ++ } ++ ++ /* Add ct_state=-trk match so it will be offloaded for non ct flows ++ * (or after clear action), as otherwise, since the tuple is changed, ++ * we can't restore ct state ++ */ ++ if (mlx5_tc_ct_add_no_trk_match(spec)) { ++ NL_SET_ERR_MSG_MOD(extack, ++ "can't offload tuple modification with ct matches and no ct(clear) action"); ++ netdev_info(priv->netdev, ++ "can't offload tuple modification with ct matches and no ct(clear) action"); ++ return false; ++ } ++ ++ return true; ++} ++ + static bool modify_header_match_supported(struct mlx5e_priv *priv, + struct mlx5_flow_spec *spec, + struct flow_action *flow_action, +@@ -3246,18 +3277,9 @@ static bool modify_header_match_supported(struct mlx5e_priv *priv, + return err; + } + +- /* Add ct_state=-trk match so it will be offloaded for non ct flows +- * (or after clear action), as otherwise, since the tuple is changed, +- * we can't restore ct state +- */ +- if (!ct_clear && modify_tuple && +- mlx5_tc_ct_add_no_trk_match(spec)) { +- NL_SET_ERR_MSG_MOD(extack, +- "can't offload tuple modify header with ct matches"); +- netdev_info(priv->netdev, +- "can't offload tuple modify header with ct matches"); ++ if (!modify_tuple_supported(modify_tuple, ct_clear, ct_flow, extack, ++ priv, spec)) + return false; +- } + + ip_proto = MLX5_GET(fte_match_set_lyr_2_4, headers_v, ip_protocol); + if (modify_ip_header && ip_proto != IPPROTO_TCP && +-- +2.30.1 + diff --git a/queue-5.11/net-mlx5e-revert-parameters-on-errors-when-changing-.patch b/queue-5.11/net-mlx5e-revert-parameters-on-errors-when-changing-.patch new file mode 100644 index 00000000000..18b8afa55b6 --- /dev/null +++ b/queue-5.11/net-mlx5e-revert-parameters-on-errors-when-changing-.patch @@ -0,0 +1,46 @@ +From aa10bac7bd66fb6741096dd30c3e1e107fb079a7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Jan 2021 14:04:34 +0200 +Subject: net/mlx5e: Revert parameters on errors when changing PTP state + without reset + +From: Maxim Mikityanskiy + +[ Upstream commit 74640f09735f935437bd8df9fe61a66f03eabb34 ] + +Port timestamping for PTP can be enabled/disabled while the channels are +closed. In that case mlx5e_safe_switch_channels is skipped, and the +preactivate hook is called directly. However, if that hook returns an +error, the channel parameters must be reverted back to their old values. +This commit adds missing handling on this case. + +Fixes: 145e5637d941 ("net/mlx5e: Add TX PTP port object support") +Signed-off-by: Maxim Mikityanskiy +Reviewed-by: Tariq Toukan +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c +index 8612c388db7d..fdf5afc8b058 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c +@@ -1993,8 +1993,13 @@ static int set_pflag_tx_port_ts(struct net_device *netdev, bool enable) + */ + + if (!test_bit(MLX5E_STATE_OPENED, &priv->state)) { ++ struct mlx5e_params old_params; ++ ++ old_params = priv->channels.params; + priv->channels.params = new_channels.params; + err = mlx5e_num_channels_changed(priv); ++ if (err) ++ priv->channels.params = old_params; + goto out; + } + +-- +2.30.1 + diff --git a/queue-5.11/net-mlx5e-rx-mind-the-mpwqe-gaps-when-calculating-of.patch b/queue-5.11/net-mlx5e-rx-mind-the-mpwqe-gaps-when-calculating-of.patch new file mode 100644 index 00000000000..b97a1900b08 --- /dev/null +++ b/queue-5.11/net-mlx5e-rx-mind-the-mpwqe-gaps-when-calculating-of.patch @@ -0,0 +1,102 @@ +From 486e7d65fb32e2743f41472b56e3bc950efff470 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Jan 2021 13:21:17 +0200 +Subject: net/mlx5e: RX, Mind the MPWQE gaps when calculating offsets + +From: Tariq Toukan + +[ Upstream commit d5dd03b26ba49c4ffe67ee1937add82293c19794 ] + +Since cited patch, MLX5E_REQUIRED_WQE_MTTS is not a power of two. +Hence, usage of MLX5E_LOG_ALIGNED_MPWQE_PPW should be replaced, +as it lost some accuracy. Use the designated macro to calculate +the number of required MTTs. + +This makes sure the solution in cited patch works properly. + +While here, un-inline mlx5e_get_mpwqe_offset(), and remove the +unused RQ parameter. + +Fixes: c3c9402373fe ("net/mlx5e: Add resiliency in Striding RQ mode for packets larger than MTU") +Signed-off-by: Tariq Toukan +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en.h | 7 ++++--- + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 6 +++--- + drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 4 ++-- + 3 files changed, 9 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en.h b/drivers/net/ethernet/mellanox/mlx5/core/en.h +index 055baf3b6cb1..f258f2f9b8cf 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en.h +@@ -90,14 +90,15 @@ struct page_pool; + MLX5_MPWRQ_LOG_WQE_SZ - PAGE_SHIFT : 0) + #define MLX5_MPWRQ_PAGES_PER_WQE BIT(MLX5_MPWRQ_WQE_PAGE_ORDER) + +-#define MLX5_MTT_OCTW(npages) (ALIGN(npages, 8) / 2) ++#define MLX5_ALIGN_MTTS(mtts) (ALIGN(mtts, 8)) ++#define MLX5_ALIGNED_MTTS_OCTW(mtts) ((mtts) / 2) ++#define MLX5_MTT_OCTW(mtts) (MLX5_ALIGNED_MTTS_OCTW(MLX5_ALIGN_MTTS(mtts))) + /* Add another page to MLX5E_REQUIRED_WQE_MTTS as a buffer between + * WQEs, This page will absorb write overflow by the hardware, when + * receiving packets larger than MTU. These oversize packets are + * dropped by the driver at a later stage. + */ +-#define MLX5E_REQUIRED_WQE_MTTS (ALIGN(MLX5_MPWRQ_PAGES_PER_WQE + 1, 8)) +-#define MLX5E_LOG_ALIGNED_MPWQE_PPW (ilog2(MLX5E_REQUIRED_WQE_MTTS)) ++#define MLX5E_REQUIRED_WQE_MTTS (MLX5_ALIGN_MTTS(MLX5_MPWRQ_PAGES_PER_WQE + 1)) + #define MLX5E_REQUIRED_MTTS(wqes) (wqes * MLX5E_REQUIRED_WQE_MTTS) + #define MLX5E_MAX_RQ_NUM_MTTS \ + ((1 << 16) * 2) /* So that MLX5_MTT_OCTW(num_mtts) fits into u16 */ +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index a2e0b548bf57..e479cce3e2b1 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -305,9 +305,9 @@ static int mlx5e_create_rq_umr_mkey(struct mlx5_core_dev *mdev, struct mlx5e_rq + rq->wqe_overflow.addr); + } + +-static inline u64 mlx5e_get_mpwqe_offset(struct mlx5e_rq *rq, u16 wqe_ix) ++static u64 mlx5e_get_mpwqe_offset(u16 wqe_ix) + { +- return (wqe_ix << MLX5E_LOG_ALIGNED_MPWQE_PPW) << PAGE_SHIFT; ++ return MLX5E_REQUIRED_MTTS(wqe_ix) << PAGE_SHIFT; + } + + static void mlx5e_init_frags_partition(struct mlx5e_rq *rq) +@@ -547,7 +547,7 @@ static int mlx5e_alloc_rq(struct mlx5e_channel *c, + mlx5_wq_ll_get_wqe(&rq->mpwqe.wq, i); + u32 byte_count = + rq->mpwqe.num_strides << rq->mpwqe.log_stride_sz; +- u64 dma_offset = mlx5e_get_mpwqe_offset(rq, i); ++ u64 dma_offset = mlx5e_get_mpwqe_offset(i); + + wqe->data[0].addr = cpu_to_be64(dma_offset + rq->buff.headroom); + wqe->data[0].byte_count = cpu_to_be32(byte_count); +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c +index 4864deed9dc9..b2e71a045df0 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c +@@ -505,7 +505,6 @@ static int mlx5e_alloc_rx_mpwqe(struct mlx5e_rq *rq, u16 ix) + struct mlx5e_icosq *sq = rq->icosq; + struct mlx5_wq_cyc *wq = &sq->wq; + struct mlx5e_umr_wqe *umr_wqe; +- u16 xlt_offset = ix << (MLX5E_LOG_ALIGNED_MPWQE_PPW - 1); + u16 pi; + int err; + int i; +@@ -536,7 +535,8 @@ static int mlx5e_alloc_rx_mpwqe(struct mlx5e_rq *rq, u16 ix) + umr_wqe->ctrl.opmod_idx_opcode = + cpu_to_be32((sq->pc << MLX5_WQE_CTRL_WQE_INDEX_SHIFT) | + MLX5_OPCODE_UMR); +- umr_wqe->uctrl.xlt_offset = cpu_to_be16(xlt_offset); ++ umr_wqe->uctrl.xlt_offset = ++ cpu_to_be16(MLX5_ALIGNED_MTTS_OCTW(MLX5E_REQUIRED_MTTS(ix))); + + sq->db.wqe_info[pi] = (struct mlx5e_icosq_wqe_info) { + .wqe_type = MLX5E_ICOSQ_WQE_UMR_RX, +-- +2.30.1 + diff --git a/queue-5.11/net-mlx5e-set-ptp-channel-pointer-explicitly-to-null.patch b/queue-5.11/net-mlx5e-set-ptp-channel-pointer-explicitly-to-null.patch new file mode 100644 index 00000000000..d10a9fb7163 --- /dev/null +++ b/queue-5.11/net-mlx5e-set-ptp-channel-pointer-explicitly-to-null.patch @@ -0,0 +1,42 @@ +From ae33137eca2cda342a7f9ee57151b1b6063c0744 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Jan 2021 13:34:29 +0200 +Subject: net/mlx5e: Set PTP channel pointer explicitly to NULL + +From: Aya Levin + +[ Upstream commit 1c2cdf0b603a3b0c763288ad92e9f3f1555925cf ] + +When closing the PTP channel, set its pointer explicitly to NULL. PTP +channel is opened on demand, the code verify the pointer validity before +access. Nullify it when closing the PTP channel to avoid unexpected +behavior. + +Fixes: 145e5637d941 ("net/mlx5e: Add TX PTP port object support") +Signed-off-by: Aya Levin +Reviewed-by: Tariq Toukan +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index e479cce3e2b1..3248741af440 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -2443,8 +2443,10 @@ void mlx5e_close_channels(struct mlx5e_channels *chs) + { + int i; + +- if (chs->port_ptp) ++ if (chs->port_ptp) { + mlx5e_port_ptp_close(chs->port_ptp); ++ chs->port_ptp = NULL; ++ } + + for (i = 0; i < chs->num; i++) + mlx5e_close_channel(chs->c[i]); +-- +2.30.1 + diff --git a/queue-5.11/net-mlx5e-when-changing-xdp-program-without-reset-ta.patch b/queue-5.11/net-mlx5e-when-changing-xdp-program-without-reset-ta.patch new file mode 100644 index 00000000000..0ee5d919b1f --- /dev/null +++ b/queue-5.11/net-mlx5e-when-changing-xdp-program-without-reset-ta.patch @@ -0,0 +1,46 @@ +From 12ed2fc4440ef660b7ff8d24ccf40d689d99e84a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Feb 2021 15:51:11 +0200 +Subject: net/mlx5e: When changing XDP program without reset, take refs for XSK + RQs + +From: Maxim Mikityanskiy + +[ Upstream commit e5eb01344e9b09bb9d255b9727449186f7168df8 ] + +Each RQ (including XSK RQs) takes a reference to the XDP program. When +an XDP program is attached or detached, the channels and queues are +recreated, however, there is a special flow for changing an active XDP +program to another one. In that flow, channels and queues stay alive, +but the refcounts of the old and new XDP programs are adjusted. This +flow didn't increment refcount by the number of active XSK RQs, and this +commit fixes it. + +Fixes: db05815b36cb ("net/mlx5e: Add XSK zero-copy support") +Signed-off-by: Maxim Mikityanskiy +Reviewed-by: Tariq Toukan +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index 3248741af440..1386212ad3f0 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -4550,8 +4550,10 @@ static int mlx5e_xdp_set(struct net_device *netdev, struct bpf_prog *prog) + struct mlx5e_channel *c = priv->channels.c[i]; + + mlx5e_rq_replace_xdp_prog(&c->rq, prog); +- if (test_bit(MLX5E_CHANNEL_STATE_XSK, c->state)) ++ if (test_bit(MLX5E_CHANNEL_STATE_XSK, c->state)) { ++ bpf_prog_inc(prog); + mlx5e_rq_replace_xdp_prog(&c->xskrq, prog); ++ } + } + + unlock: +-- +2.30.1 + diff --git a/queue-5.11/net-phy-broadcom-add-power-down-exit-reset-state-del.patch b/queue-5.11/net-phy-broadcom-add-power-down-exit-reset-state-del.patch new file mode 100644 index 00000000000..83904efde4c --- /dev/null +++ b/queue-5.11/net-phy-broadcom-add-power-down-exit-reset-state-del.patch @@ -0,0 +1,41 @@ +From ba22ed21bf305694bdd89e2f9ab45a2b1ad51889 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Mar 2021 20:53:42 -0800 +Subject: net: phy: broadcom: Add power down exit reset state delay + +From: Florian Fainelli + +[ Upstream commit 7a1468ba0e02eee24ae1353e8933793a27198e20 ] + +Per the datasheet, when we clear the power down bit, the PHY remains in +an internal reset state for 40us and then resume normal operation. +Account for that delay to avoid any issues in the future if +genphy_resume() changes. + +Fixes: fe26821fa614 ("net: phy: broadcom: Wire suspend/resume for BCM54810") +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/phy/broadcom.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/phy/broadcom.c b/drivers/net/phy/broadcom.c +index 8a4ec3222168..ec45a1608309 100644 +--- a/drivers/net/phy/broadcom.c ++++ b/drivers/net/phy/broadcom.c +@@ -332,6 +332,11 @@ static int bcm54xx_resume(struct phy_device *phydev) + if (ret < 0) + return ret; + ++ /* Upon exiting power down, the PHY remains in an internal reset state ++ * for 40us ++ */ ++ fsleep(40); ++ + return bcm54xx_config_init(phydev); + } + +-- +2.30.1 + diff --git a/queue-5.11/net-phy-broadcom-avoid-forward-for-bcm54xx_config_cl.patch b/queue-5.11/net-phy-broadcom-avoid-forward-for-bcm54xx_config_cl.patch new file mode 100644 index 00000000000..0ab60136b54 --- /dev/null +++ b/queue-5.11/net-phy-broadcom-avoid-forward-for-bcm54xx_config_cl.patch @@ -0,0 +1,115 @@ +From 579c1bff84bde0b8d28f423f19e8cd948cb64964 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Feb 2021 19:46:30 -0800 +Subject: net: phy: broadcom: Avoid forward for bcm54xx_config_clock_delay() + +From: Florian Fainelli + +[ Upstream commit 133bf7b4fbbe58cff5492e37e95e75c88161f1b8 ] + +Avoid a forward declaration by moving the callers of +bcm54xx_config_clock_delay() below its body. + +Signed-off-by: Florian Fainelli +Reviewed-by: Vladimir Oltean +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/phy/broadcom.c | 74 +++++++++++++++++++------------------- + 1 file changed, 36 insertions(+), 38 deletions(-) + +diff --git a/drivers/net/phy/broadcom.c b/drivers/net/phy/broadcom.c +index 48024ac85980..407626ddcae7 100644 +--- a/drivers/net/phy/broadcom.c ++++ b/drivers/net/phy/broadcom.c +@@ -26,44 +26,6 @@ MODULE_DESCRIPTION("Broadcom PHY driver"); + MODULE_AUTHOR("Maciej W. Rozycki"); + MODULE_LICENSE("GPL"); + +-static int bcm54xx_config_clock_delay(struct phy_device *phydev); +- +-static int bcm54210e_config_init(struct phy_device *phydev) +-{ +- int val; +- +- bcm54xx_config_clock_delay(phydev); +- +- if (phydev->dev_flags & PHY_BRCM_EN_MASTER_MODE) { +- val = phy_read(phydev, MII_CTRL1000); +- val |= CTL1000_AS_MASTER | CTL1000_ENABLE_MASTER; +- phy_write(phydev, MII_CTRL1000, val); +- } +- +- return 0; +-} +- +-static int bcm54612e_config_init(struct phy_device *phydev) +-{ +- int reg; +- +- bcm54xx_config_clock_delay(phydev); +- +- /* Enable CLK125 MUX on LED4 if ref clock is enabled. */ +- if (!(phydev->dev_flags & PHY_BRCM_RX_REFCLK_UNUSED)) { +- int err; +- +- reg = bcm_phy_read_exp(phydev, BCM54612E_EXP_SPARE0); +- err = bcm_phy_write_exp(phydev, BCM54612E_EXP_SPARE0, +- BCM54612E_LED4_CLK125OUT_EN | reg); +- +- if (err < 0) +- return err; +- } +- +- return 0; +-} +- + static int bcm54xx_config_clock_delay(struct phy_device *phydev) + { + int rc, val; +@@ -105,6 +67,42 @@ static int bcm54xx_config_clock_delay(struct phy_device *phydev) + return 0; + } + ++static int bcm54210e_config_init(struct phy_device *phydev) ++{ ++ int val; ++ ++ bcm54xx_config_clock_delay(phydev); ++ ++ if (phydev->dev_flags & PHY_BRCM_EN_MASTER_MODE) { ++ val = phy_read(phydev, MII_CTRL1000); ++ val |= CTL1000_AS_MASTER | CTL1000_ENABLE_MASTER; ++ phy_write(phydev, MII_CTRL1000, val); ++ } ++ ++ return 0; ++} ++ ++static int bcm54612e_config_init(struct phy_device *phydev) ++{ ++ int reg; ++ ++ bcm54xx_config_clock_delay(phydev); ++ ++ /* Enable CLK125 MUX on LED4 if ref clock is enabled. */ ++ if (!(phydev->dev_flags & PHY_BRCM_RX_REFCLK_UNUSED)) { ++ int err; ++ ++ reg = bcm_phy_read_exp(phydev, BCM54612E_EXP_SPARE0); ++ err = bcm_phy_write_exp(phydev, BCM54612E_EXP_SPARE0, ++ BCM54612E_LED4_CLK125OUT_EN | reg); ++ ++ if (err < 0) ++ return err; ++ } ++ ++ return 0; ++} ++ + /* Needs SMDSP clock enabled via bcm54xx_phydsp_config() */ + static int bcm50610_a0_workaround(struct phy_device *phydev) + { +-- +2.30.1 + diff --git a/queue-5.11/net-phy-broadcom-fix-rgmii-delays-for-bcm50160-and-b.patch b/queue-5.11/net-phy-broadcom-fix-rgmii-delays-for-bcm50160-and-b.patch new file mode 100644 index 00000000000..fb4d3deac53 --- /dev/null +++ b/queue-5.11/net-phy-broadcom-fix-rgmii-delays-for-bcm50160-and-b.patch @@ -0,0 +1,39 @@ +From 95db9ea7cc03fe125f6ec312447f98632d65589a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Mar 2021 16:52:50 -0800 +Subject: net: phy: broadcom: Fix RGMII delays for BCM50160 and BCM50610M + +From: Florian Fainelli + +[ Upstream commit b1dd9bf688b0dcc5a34dca660de46c7570bd9243 ] + +The PHY driver entry for BCM50160 and BCM50610M calls +bcm54xx_config_init() but does not call bcm54xx_config_clock_delay() in +order to configuration appropriate clock delays on the PHY, fix that. + +Fixes: 733336262b28 ("net: phy: Allow BCM5481x PHYs to setup internal TX/RX clock delay") +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/phy/broadcom.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/phy/broadcom.c b/drivers/net/phy/broadcom.c +index b160186dc766..07a98c324942 100644 +--- a/drivers/net/phy/broadcom.c ++++ b/drivers/net/phy/broadcom.c +@@ -340,6 +340,10 @@ static int bcm54xx_config_init(struct phy_device *phydev) + bcm54xx_adjust_rxrefclk(phydev); + + switch (BRCM_PHY_MODEL(phydev)) { ++ case PHY_ID_BCM50610: ++ case PHY_ID_BCM50610M: ++ err = bcm54xx_config_clock_delay(phydev); ++ break; + case PHY_ID_BCM54210E: + err = bcm54210e_config_init(phydev); + break; +-- +2.30.1 + diff --git a/queue-5.11/net-phy-broadcom-set-proper-1000basex-sgmii-interfac.patch b/queue-5.11/net-phy-broadcom-set-proper-1000basex-sgmii-interfac.patch new file mode 100644 index 00000000000..b64524046b0 --- /dev/null +++ b/queue-5.11/net-phy-broadcom-set-proper-1000basex-sgmii-interfac.patch @@ -0,0 +1,178 @@ +From 16f2d57bf08c4b6af68fc818a9be7097c00fe141 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Feb 2021 16:54:52 -0600 +Subject: net: phy: broadcom: Set proper 1000BaseX/SGMII interface mode for + BCM54616S + +From: Robert Hancock + +[ Upstream commit 3afd0218992a8d1398e9791d6c2edd4c948ae7ee ] + +The default configuration for the BCM54616S PHY may not match the desired +mode when using 1000BaseX or SGMII interface modes, such as when it is on +an SFP module. Add code to explicitly set the correct mode using +programming sequences provided by Bel-Fuse: + +https://www.belfuse.com/resources/datasheets/powersolutions/ds-bps-sfp-1gbt-05-series.pdf +https://www.belfuse.com/resources/datasheets/powersolutions/ds-bps-sfp-1gbt-06-series.pdf + +Signed-off-by: Robert Hancock +Acked-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/phy/broadcom.c | 84 ++++++++++++++++++++++++++++++++------ + include/linux/brcmphy.h | 4 ++ + 2 files changed, 76 insertions(+), 12 deletions(-) + +diff --git a/drivers/net/phy/broadcom.c b/drivers/net/phy/broadcom.c +index 407626ddcae7..b160186dc766 100644 +--- a/drivers/net/phy/broadcom.c ++++ b/drivers/net/phy/broadcom.c +@@ -103,6 +103,64 @@ static int bcm54612e_config_init(struct phy_device *phydev) + return 0; + } + ++static int bcm54616s_config_init(struct phy_device *phydev) ++{ ++ int rc, val; ++ ++ if (phydev->interface != PHY_INTERFACE_MODE_SGMII && ++ phydev->interface != PHY_INTERFACE_MODE_1000BASEX) ++ return 0; ++ ++ /* Ensure proper interface mode is selected. */ ++ /* Disable RGMII mode */ ++ val = bcm54xx_auxctl_read(phydev, MII_BCM54XX_AUXCTL_SHDWSEL_MISC); ++ if (val < 0) ++ return val; ++ val &= ~MII_BCM54XX_AUXCTL_SHDWSEL_MISC_RGMII_EN; ++ val |= MII_BCM54XX_AUXCTL_MISC_WREN; ++ rc = bcm54xx_auxctl_write(phydev, MII_BCM54XX_AUXCTL_SHDWSEL_MISC, ++ val); ++ if (rc < 0) ++ return rc; ++ ++ /* Select 1000BASE-X register set (primary SerDes) */ ++ val = bcm_phy_read_shadow(phydev, BCM54XX_SHD_MODE); ++ if (val < 0) ++ return val; ++ val |= BCM54XX_SHD_MODE_1000BX; ++ rc = bcm_phy_write_shadow(phydev, BCM54XX_SHD_MODE, val); ++ if (rc < 0) ++ return rc; ++ ++ /* Power down SerDes interface */ ++ rc = phy_set_bits(phydev, MII_BMCR, BMCR_PDOWN); ++ if (rc < 0) ++ return rc; ++ ++ /* Select proper interface mode */ ++ val &= ~BCM54XX_SHD_INTF_SEL_MASK; ++ val |= phydev->interface == PHY_INTERFACE_MODE_SGMII ? ++ BCM54XX_SHD_INTF_SEL_SGMII : ++ BCM54XX_SHD_INTF_SEL_GBIC; ++ rc = bcm_phy_write_shadow(phydev, BCM54XX_SHD_MODE, val); ++ if (rc < 0) ++ return rc; ++ ++ /* Power up SerDes interface */ ++ rc = phy_clear_bits(phydev, MII_BMCR, BMCR_PDOWN); ++ if (rc < 0) ++ return rc; ++ ++ /* Select copper register set */ ++ val &= ~BCM54XX_SHD_MODE_1000BX; ++ rc = bcm_phy_write_shadow(phydev, BCM54XX_SHD_MODE, val); ++ if (rc < 0) ++ return rc; ++ ++ /* Power up copper interface */ ++ return phy_clear_bits(phydev, MII_BMCR, BMCR_PDOWN); ++} ++ + /* Needs SMDSP clock enabled via bcm54xx_phydsp_config() */ + static int bcm50610_a0_workaround(struct phy_device *phydev) + { +@@ -281,15 +339,17 @@ static int bcm54xx_config_init(struct phy_device *phydev) + + bcm54xx_adjust_rxrefclk(phydev); + +- if (BRCM_PHY_MODEL(phydev) == PHY_ID_BCM54210E) { ++ switch (BRCM_PHY_MODEL(phydev)) { ++ case PHY_ID_BCM54210E: + err = bcm54210e_config_init(phydev); +- if (err) +- return err; +- } else if (BRCM_PHY_MODEL(phydev) == PHY_ID_BCM54612E) { ++ break; ++ case PHY_ID_BCM54612E: + err = bcm54612e_config_init(phydev); +- if (err) +- return err; +- } else if (BRCM_PHY_MODEL(phydev) == PHY_ID_BCM54810) { ++ break; ++ case PHY_ID_BCM54616S: ++ err = bcm54616s_config_init(phydev); ++ break; ++ case PHY_ID_BCM54810: + /* For BCM54810, we need to disable BroadR-Reach function */ + val = bcm_phy_read_exp(phydev, + BCM54810_EXP_BROADREACH_LRE_MISC_CTL); +@@ -297,9 +357,10 @@ static int bcm54xx_config_init(struct phy_device *phydev) + err = bcm_phy_write_exp(phydev, + BCM54810_EXP_BROADREACH_LRE_MISC_CTL, + val); +- if (err < 0) +- return err; ++ break; + } ++ if (err) ++ return err; + + bcm54xx_phydsp_config(phydev); + +@@ -478,7 +539,7 @@ static int bcm5481_config_aneg(struct phy_device *phydev) + + static int bcm54616s_probe(struct phy_device *phydev) + { +- int val, intf_sel; ++ int val; + + val = bcm_phy_read_shadow(phydev, BCM54XX_SHD_MODE); + if (val < 0) +@@ -490,8 +551,7 @@ static int bcm54616s_probe(struct phy_device *phydev) + * RGMII-1000Base-X is properly supported, but RGMII-100Base-FX + * support is still missing as of now. + */ +- intf_sel = (val & BCM54XX_SHD_INTF_SEL_MASK) >> 1; +- if (intf_sel == 1) { ++ if ((val & BCM54XX_SHD_INTF_SEL_MASK) == BCM54XX_SHD_INTF_SEL_RGMII) { + val = bcm_phy_read_shadow(phydev, BCM54616S_SHD_100FX_CTRL); + if (val < 0) + return val; +diff --git a/include/linux/brcmphy.h b/include/linux/brcmphy.h +index d0bd226d6bd9..54665952d6ad 100644 +--- a/include/linux/brcmphy.h ++++ b/include/linux/brcmphy.h +@@ -136,6 +136,7 @@ + + #define MII_BCM54XX_AUXCTL_SHDWSEL_MISC 0x07 + #define MII_BCM54XX_AUXCTL_SHDWSEL_MISC_WIRESPEED_EN 0x0010 ++#define MII_BCM54XX_AUXCTL_SHDWSEL_MISC_RGMII_EN 0x0080 + #define MII_BCM54XX_AUXCTL_SHDWSEL_MISC_RGMII_SKEW_EN 0x0100 + #define MII_BCM54XX_AUXCTL_MISC_FORCE_AMDIX 0x0200 + #define MII_BCM54XX_AUXCTL_MISC_WREN 0x8000 +@@ -222,6 +223,9 @@ + /* 11111: Mode Control Register */ + #define BCM54XX_SHD_MODE 0x1f + #define BCM54XX_SHD_INTF_SEL_MASK GENMASK(2, 1) /* INTERF_SEL[1:0] */ ++#define BCM54XX_SHD_INTF_SEL_RGMII 0x02 ++#define BCM54XX_SHD_INTF_SEL_SGMII 0x04 ++#define BCM54XX_SHD_INTF_SEL_GBIC 0x06 + #define BCM54XX_SHD_MODE_1000BX BIT(0) /* Enable 1000-X registers */ + + /* +-- +2.30.1 + diff --git a/queue-5.11/net-phy-introduce-phydev-port.patch b/queue-5.11/net-phy-introduce-phydev-port.patch new file mode 100644 index 00000000000..d1588d99faa --- /dev/null +++ b/queue-5.11/net-phy-introduce-phydev-port.patch @@ -0,0 +1,227 @@ +From c2d29de216b09659991cd533d560375a652c8328 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Feb 2021 17:38:52 +0100 +Subject: net: phy: introduce phydev->port + +From: Michael Walle + +[ Upstream commit 4217a64e18a1647a0dbc68cb3169a5a06f054ec8 ] + +At the moment, PORT_MII is reported in the ethtool ops. This is odd +because it is an interface between the MAC and the PHY and no external +port. Some network card drivers will overwrite the port to twisted pair +or fiber, though. Even worse, the MDI/MDIX setting is only used by +ethtool if the port is twisted pair. + +Set the port to PORT_TP by default because most PHY drivers are copper +ones. If there is fibre support and it is enabled, the PHY driver will +set it to PORT_FIBRE. + +This will change reporting PORT_MII to either PORT_TP or PORT_FIBRE; +except for the genphy fallback driver. + +Suggested-by: Andrew Lunn +Signed-off-by: Michael Walle +Reviewed-by: Florian Fainelli +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/phy/broadcom.c | 2 ++ + drivers/net/phy/dp83822.c | 3 +++ + drivers/net/phy/dp83869.c | 4 ++++ + drivers/net/phy/lxt.c | 1 + + drivers/net/phy/marvell.c | 1 + + drivers/net/phy/marvell10g.c | 2 ++ + drivers/net/phy/micrel.c | 14 +++++++++++--- + drivers/net/phy/phy.c | 2 +- + drivers/net/phy/phy_device.c | 9 +++++++++ + include/linux/phy.h | 2 ++ + 10 files changed, 36 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/phy/broadcom.c b/drivers/net/phy/broadcom.c +index ec45a1608309..48024ac85980 100644 +--- a/drivers/net/phy/broadcom.c ++++ b/drivers/net/phy/broadcom.c +@@ -505,6 +505,8 @@ static int bcm54616s_probe(struct phy_device *phydev) + */ + if (!(val & BCM54616S_100FX_MODE)) + phydev->dev_flags |= PHY_BCM_FLAGS_MODE_1000BX; ++ ++ phydev->port = PORT_FIBRE; + } + + return 0; +diff --git a/drivers/net/phy/dp83822.c b/drivers/net/phy/dp83822.c +index 423952cb9e1c..f7a2ec150e54 100644 +--- a/drivers/net/phy/dp83822.c ++++ b/drivers/net/phy/dp83822.c +@@ -555,6 +555,9 @@ static int dp83822_probe(struct phy_device *phydev) + + dp83822_of_init(phydev); + ++ if (dp83822->fx_enabled) ++ phydev->port = PORT_FIBRE; ++ + return 0; + } + +diff --git a/drivers/net/phy/dp83869.c b/drivers/net/phy/dp83869.c +index b30bc142d82e..755220c6451f 100644 +--- a/drivers/net/phy/dp83869.c ++++ b/drivers/net/phy/dp83869.c +@@ -855,6 +855,10 @@ static int dp83869_probe(struct phy_device *phydev) + if (ret) + return ret; + ++ if (dp83869->mode == DP83869_RGMII_100_BASE || ++ dp83869->mode == DP83869_RGMII_1000_BASE) ++ phydev->port = PORT_FIBRE; ++ + return dp83869_config_init(phydev); + } + +diff --git a/drivers/net/phy/lxt.c b/drivers/net/phy/lxt.c +index 0ee23d29c0d4..bde3356a2f86 100644 +--- a/drivers/net/phy/lxt.c ++++ b/drivers/net/phy/lxt.c +@@ -292,6 +292,7 @@ static int lxt973_probe(struct phy_device *phydev) + phy_write(phydev, MII_BMCR, val); + /* Remember that the port is in fiber mode. */ + phydev->priv = lxt973_probe; ++ phydev->port = PORT_FIBRE; + } else { + phydev->priv = NULL; + } +diff --git a/drivers/net/phy/marvell.c b/drivers/net/phy/marvell.c +index 620052c023a5..2afef45d15b1 100644 +--- a/drivers/net/phy/marvell.c ++++ b/drivers/net/phy/marvell.c +@@ -1552,6 +1552,7 @@ static int marvell_read_status_page(struct phy_device *phydev, int page) + phydev->asym_pause = 0; + phydev->speed = SPEED_UNKNOWN; + phydev->duplex = DUPLEX_UNKNOWN; ++ phydev->port = fiber ? PORT_FIBRE : PORT_TP; + + if (phydev->autoneg == AUTONEG_ENABLE) + err = marvell_read_status_page_an(phydev, fiber, status); +diff --git a/drivers/net/phy/marvell10g.c b/drivers/net/phy/marvell10g.c +index 1901ba277413..b1bb9b8e1e4e 100644 +--- a/drivers/net/phy/marvell10g.c ++++ b/drivers/net/phy/marvell10g.c +@@ -631,6 +631,7 @@ static int mv3310_read_status_10gbaser(struct phy_device *phydev) + phydev->link = 1; + phydev->speed = SPEED_10000; + phydev->duplex = DUPLEX_FULL; ++ phydev->port = PORT_FIBRE; + + return 0; + } +@@ -690,6 +691,7 @@ static int mv3310_read_status_copper(struct phy_device *phydev) + + phydev->duplex = cssr1 & MV_PCS_CSSR1_DUPLEX_FULL ? + DUPLEX_FULL : DUPLEX_HALF; ++ phydev->port = PORT_TP; + phydev->mdix = cssr1 & MV_PCS_CSSR1_MDIX ? + ETH_TP_MDI_X : ETH_TP_MDI; + +diff --git a/drivers/net/phy/micrel.c b/drivers/net/phy/micrel.c +index 57f8021b70af..a6c691938f94 100644 +--- a/drivers/net/phy/micrel.c ++++ b/drivers/net/phy/micrel.c +@@ -341,14 +341,19 @@ static int kszphy_config_init(struct phy_device *phydev) + return kszphy_config_reset(phydev); + } + ++static int ksz8041_fiber_mode(struct phy_device *phydev) ++{ ++ struct device_node *of_node = phydev->mdio.dev.of_node; ++ ++ return of_property_read_bool(of_node, "micrel,fiber-mode"); ++} ++ + static int ksz8041_config_init(struct phy_device *phydev) + { + __ETHTOOL_DECLARE_LINK_MODE_MASK(mask) = { 0, }; + +- struct device_node *of_node = phydev->mdio.dev.of_node; +- + /* Limit supported and advertised modes in fiber mode */ +- if (of_property_read_bool(of_node, "micrel,fiber-mode")) { ++ if (ksz8041_fiber_mode(phydev)) { + phydev->dev_flags |= MICREL_PHY_FXEN; + linkmode_set_bit(ETHTOOL_LINK_MODE_100baseT_Full_BIT, mask); + linkmode_set_bit(ETHTOOL_LINK_MODE_100baseT_Half_BIT, mask); +@@ -1176,6 +1181,9 @@ static int kszphy_probe(struct phy_device *phydev) + } + } + ++ if (ksz8041_fiber_mode(phydev)) ++ phydev->port = PORT_FIBRE; ++ + /* Support legacy board-file configuration */ + if (phydev->dev_flags & MICREL_PHY_50MHZ_CLK) { + priv->rmii_ref_clk_sel = true; +diff --git a/drivers/net/phy/phy.c b/drivers/net/phy/phy.c +index b79c4068ee61..c93c295db3dc 100644 +--- a/drivers/net/phy/phy.c ++++ b/drivers/net/phy/phy.c +@@ -310,7 +310,7 @@ void phy_ethtool_ksettings_get(struct phy_device *phydev, + if (phydev->interface == PHY_INTERFACE_MODE_MOCA) + cmd->base.port = PORT_BNC; + else +- cmd->base.port = PORT_MII; ++ cmd->base.port = phydev->port; + cmd->base.transceiver = phy_is_internal(phydev) ? + XCVR_INTERNAL : XCVR_EXTERNAL; + cmd->base.phy_address = phydev->mdio.addr; +diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c +index 1c6ae845e03f..d2fd54e4c612 100644 +--- a/drivers/net/phy/phy_device.c ++++ b/drivers/net/phy/phy_device.c +@@ -576,6 +576,7 @@ struct phy_device *phy_device_create(struct mii_bus *bus, int addr, u32 phy_id, + dev->pause = 0; + dev->asym_pause = 0; + dev->link = 0; ++ dev->port = PORT_TP; + dev->interface = PHY_INTERFACE_MODE_GMII; + + dev->autoneg = AUTONEG_ENABLE; +@@ -1382,6 +1383,14 @@ int phy_attach_direct(struct net_device *dev, struct phy_device *phydev, + + phydev->state = PHY_READY; + ++ /* Port is set to PORT_TP by default and the actual PHY driver will set ++ * it to different value depending on the PHY configuration. If we have ++ * the generic PHY driver we can't figure it out, thus set the old ++ * legacy PORT_MII value. ++ */ ++ if (using_genphy) ++ phydev->port = PORT_MII; ++ + /* Initial carrier state is off as the phy is about to be + * (re)initialized. + */ +diff --git a/include/linux/phy.h b/include/linux/phy.h +index 9effb511acde..d0e64f3b53b9 100644 +--- a/include/linux/phy.h ++++ b/include/linux/phy.h +@@ -499,6 +499,7 @@ struct macsec_ops; + * + * @speed: Current link speed + * @duplex: Current duplex ++ * @port: Current port + * @pause: Current pause + * @asym_pause: Current asymmetric pause + * @supported: Combined MAC/PHY supported linkmodes +@@ -577,6 +578,7 @@ struct phy_device { + */ + int speed; + int duplex; ++ int port; + int pause; + int asym_pause; + u8 master_slave_get; +-- +2.30.1 + diff --git a/queue-5.11/net-phylink-fix-phylink_err-function-name-error-in-p.patch b/queue-5.11/net-phylink-fix-phylink_err-function-name-error-in-p.patch new file mode 100644 index 00000000000..39df0c5e973 --- /dev/null +++ b/queue-5.11/net-phylink-fix-phylink_err-function-name-error-in-p.patch @@ -0,0 +1,37 @@ +From 94fbb93448f0bdacaa186d1fe832ab312a384684 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Mar 2021 12:33:42 +0800 +Subject: net: phylink: Fix phylink_err() function name error in + phylink_major_config + +From: Ong Boon Leong + +[ Upstream commit d82c6c1aaccd2877b6082cebcb1746a13648a16d ] + +if pl->mac_ops->mac_finish() failed, phylink_err should use +"mac_finish" instead of "mac_prepare". + +Fixes: b7ad14c2fe2d4 ("net: phylink: re-implement interface configuration with PCS") +Signed-off-by: Ong Boon Leong +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/phy/phylink.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/phy/phylink.c b/drivers/net/phy/phylink.c +index 84f6e197f965..add9156601af 100644 +--- a/drivers/net/phy/phylink.c ++++ b/drivers/net/phy/phylink.c +@@ -472,7 +472,7 @@ static void phylink_major_config(struct phylink *pl, bool restart, + err = pl->mac_ops->mac_finish(pl->config, pl->cur_link_an_mode, + state->interface); + if (err < 0) +- phylink_err(pl, "mac_prepare failed: %pe\n", ++ phylink_err(pl, "mac_finish failed: %pe\n", + ERR_PTR(err)); + } + } +-- +2.30.1 + diff --git a/queue-5.11/net-qlcnic-fix-a-use-after-free-in-qlcnic_83xx_get_m.patch b/queue-5.11/net-qlcnic-fix-a-use-after-free-in-qlcnic_83xx_get_m.patch new file mode 100644 index 00000000000..6471ef0343f --- /dev/null +++ b/queue-5.11/net-qlcnic-fix-a-use-after-free-in-qlcnic_83xx_get_m.patch @@ -0,0 +1,44 @@ +From 2781a56e60446224a695d25d26d5d2a3ab8d644f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Mar 2021 20:01:40 -0800 +Subject: net/qlcnic: Fix a use after free in qlcnic_83xx_get_minidump_template + +From: Lv Yunlong + +[ Upstream commit db74623a3850db99cb9692fda9e836a56b74198d ] + +In qlcnic_83xx_get_minidump_template, fw_dump->tmpl_hdr was freed by +vfree(). But unfortunately, it is used when extended is true. + +Fixes: 7061b2bdd620e ("qlogic: Deletion of unnecessary checks before two function calls") +Signed-off-by: Lv Yunlong +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qlcnic/qlcnic_minidump.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_minidump.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_minidump.c +index 7760a3394e93..7ecb3dfe30bd 100644 +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_minidump.c ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_minidump.c +@@ -1425,6 +1425,7 @@ void qlcnic_83xx_get_minidump_template(struct qlcnic_adapter *adapter) + + if (fw_dump->tmpl_hdr == NULL || current_version > prev_version) { + vfree(fw_dump->tmpl_hdr); ++ fw_dump->tmpl_hdr = NULL; + + if (qlcnic_83xx_md_check_extended_dump_capability(adapter)) + extended = !qlcnic_83xx_extend_md_capab(adapter); +@@ -1443,6 +1444,8 @@ void qlcnic_83xx_get_minidump_template(struct qlcnic_adapter *adapter) + struct qlcnic_83xx_dump_template_hdr *hdr; + + hdr = fw_dump->tmpl_hdr; ++ if (!hdr) ++ return; + hdr->drv_cap_mask = 0x1f; + fw_dump->cap_mask = 0x1f; + dev_info(&pdev->dev, +-- +2.30.1 + diff --git a/queue-5.11/net-qrtr-fix-a-kernel-infoleak-in-qrtr_recvmsg.patch b/queue-5.11/net-qrtr-fix-a-kernel-infoleak-in-qrtr_recvmsg.patch new file mode 100644 index 00000000000..7cbae43176a --- /dev/null +++ b/queue-5.11/net-qrtr-fix-a-kernel-infoleak-in-qrtr_recvmsg.patch @@ -0,0 +1,82 @@ +From 65736bbc55a5b97c0aaff70b5f2d11b320180500 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Mar 2021 08:59:48 -0800 +Subject: net: qrtr: fix a kernel-infoleak in qrtr_recvmsg() + +From: Eric Dumazet + +[ Upstream commit 50535249f624d0072cd885bcdce4e4b6fb770160 ] + +struct sockaddr_qrtr has a 2-byte hole, and qrtr_recvmsg() currently +does not clear it before copying kernel data to user space. + +It might be too late to name the hole since sockaddr_qrtr structure is uapi. + +BUG: KMSAN: kernel-infoleak in kmsan_copy_to_user+0x9c/0xb0 mm/kmsan/kmsan_hooks.c:249 +CPU: 0 PID: 29705 Comm: syz-executor.3 Not tainted 5.11.0-rc7-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:79 [inline] + dump_stack+0x21c/0x280 lib/dump_stack.c:120 + kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118 + kmsan_internal_check_memory+0x202/0x520 mm/kmsan/kmsan.c:402 + kmsan_copy_to_user+0x9c/0xb0 mm/kmsan/kmsan_hooks.c:249 + instrument_copy_to_user include/linux/instrumented.h:121 [inline] + _copy_to_user+0x1ac/0x270 lib/usercopy.c:33 + copy_to_user include/linux/uaccess.h:209 [inline] + move_addr_to_user+0x3a2/0x640 net/socket.c:237 + ____sys_recvmsg+0x696/0xd50 net/socket.c:2575 + ___sys_recvmsg net/socket.c:2610 [inline] + do_recvmmsg+0xa97/0x22d0 net/socket.c:2710 + __sys_recvmmsg net/socket.c:2789 [inline] + __do_sys_recvmmsg net/socket.c:2812 [inline] + __se_sys_recvmmsg+0x24a/0x410 net/socket.c:2805 + __x64_sys_recvmmsg+0x62/0x80 net/socket.c:2805 + do_syscall_64+0x9f/0x140 arch/x86/entry/common.c:48 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 +RIP: 0033:0x465f69 +Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f43659d6188 EFLAGS: 00000246 ORIG_RAX: 000000000000012b +RAX: ffffffffffffffda RBX: 000000000056bf60 RCX: 0000000000465f69 +RDX: 0000000000000008 RSI: 0000000020003e40 RDI: 0000000000000003 +RBP: 00000000004bfa8f R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000010060 R11: 0000000000000246 R12: 000000000056bf60 +R13: 0000000000a9fb1f R14: 00007f43659d6300 R15: 0000000000022000 + +Local variable ----addr@____sys_recvmsg created at: + ____sys_recvmsg+0x168/0xd50 net/socket.c:2550 + ____sys_recvmsg+0x168/0xd50 net/socket.c:2550 + +Bytes 2-3 of 12 are uninitialized +Memory access of size 12 starts at ffff88817c627b40 +Data copied to user address 0000000020000140 + +Fixes: bdabad3e363d ("net: Add Qualcomm IPC router") +Signed-off-by: Eric Dumazet +Cc: Courtney Cavin +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/qrtr/qrtr.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/qrtr/qrtr.c b/net/qrtr/qrtr.c +index edb6ac17ceca..dfc820ee553a 100644 +--- a/net/qrtr/qrtr.c ++++ b/net/qrtr/qrtr.c +@@ -1058,6 +1058,11 @@ static int qrtr_recvmsg(struct socket *sock, struct msghdr *msg, + rc = copied; + + if (addr) { ++ /* There is an anonymous 2-byte hole after sq_family, ++ * make sure to clear it. ++ */ ++ memset(addr, 0, sizeof(*addr)); ++ + addr->sq_family = AF_QIPCRTR; + addr->sq_node = cb->src_node; + addr->sq_port = cb->src_port; +-- +2.30.1 + diff --git a/queue-5.11/net-sched-cls_flower-fix-only-mask-bit-check-in-the-.patch b/queue-5.11/net-sched-cls_flower-fix-only-mask-bit-check-in-the-.patch new file mode 100644 index 00000000000..bf28e767b44 --- /dev/null +++ b/queue-5.11/net-sched-cls_flower-fix-only-mask-bit-check-in-the-.patch @@ -0,0 +1,49 @@ +From 98135f7d58f43bb2154f28e2c3e8d2d248c8e2d2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Mar 2021 12:02:43 +0800 +Subject: net/sched: cls_flower: fix only mask bit check in the + validate_ct_state + +From: wenxu + +[ Upstream commit afa536d8405a9ca36e45ba035554afbb8da27b82 ] + +The ct_state validate should not only check the mask bit and also +check mask_bit & key_bit.. +For the +new+est case example, The 'new' and 'est' bits should be +set in both state_mask and state flags. Or the -new-est case also +will be reject by kernel. +When Openvswitch with two flows +ct_state=+trk+new,action=commit,forward +ct_state=+trk+est,action=forward + +A packet go through the kernel and the contrack state is invalid, +The ct_state will be +trk-inv. Upcall to the ovs-vswitchd, the +finally dp action will be drop with -new-est+trk. + +Fixes: 1bcc51ac0731 ("net/sched: cls_flower: Reject invalid ct_state flags rules") +Fixes: 3aed8b63336c ("net/sched: cls_flower: validate ct_state for invalid and reply flags") +Signed-off-by: wenxu +Reviewed-by: Marcelo Ricardo Leitner +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sched/cls_flower.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c +index 46c1b3e9f66a..14316ba9b3b3 100644 +--- a/net/sched/cls_flower.c ++++ b/net/sched/cls_flower.c +@@ -1432,7 +1432,7 @@ static int fl_set_key_ct(struct nlattr **tb, + &mask->ct_state, TCA_FLOWER_KEY_CT_STATE_MASK, + sizeof(key->ct_state)); + +- err = fl_validate_ct_state(mask->ct_state, ++ err = fl_validate_ct_state(key->ct_state & mask->ct_state, + tb[TCA_FLOWER_KEY_CT_STATE_MASK], + extack); + if (err) +-- +2.30.1 + diff --git a/queue-5.11/net-sched-validate-stab-values.patch b/queue-5.11/net-sched-validate-stab-values.patch new file mode 100644 index 00000000000..efd6cb3421f --- /dev/null +++ b/queue-5.11/net-sched-validate-stab-values.patch @@ -0,0 +1,191 @@ +From 345174bf67756fdc469ebb05edd08234cdeba455 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Mar 2021 08:26:41 -0800 +Subject: net: sched: validate stab values + +From: Eric Dumazet + +[ Upstream commit e323d865b36134e8c5c82c834df89109a5c60dab ] + +iproute2 package is well behaved, but malicious user space can +provide illegal shift values and trigger UBSAN reports. + +Add stab parameter to red_check_params() to validate user input. + +syzbot reported: + +UBSAN: shift-out-of-bounds in ./include/net/red.h:312:18 +shift exponent 111 is too large for 64-bit type 'long unsigned int' +CPU: 1 PID: 14662 Comm: syz-executor.3 Not tainted 5.12.0-rc2-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:79 [inline] + dump_stack+0x141/0x1d7 lib/dump_stack.c:120 + ubsan_epilogue+0xb/0x5a lib/ubsan.c:148 + __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:327 + red_calc_qavg_from_idle_time include/net/red.h:312 [inline] + red_calc_qavg include/net/red.h:353 [inline] + choke_enqueue.cold+0x18/0x3dd net/sched/sch_choke.c:221 + __dev_xmit_skb net/core/dev.c:3837 [inline] + __dev_queue_xmit+0x1943/0x2e00 net/core/dev.c:4150 + neigh_hh_output include/net/neighbour.h:499 [inline] + neigh_output include/net/neighbour.h:508 [inline] + ip6_finish_output2+0x911/0x1700 net/ipv6/ip6_output.c:117 + __ip6_finish_output net/ipv6/ip6_output.c:182 [inline] + __ip6_finish_output+0x4c1/0xe10 net/ipv6/ip6_output.c:161 + ip6_finish_output+0x35/0x200 net/ipv6/ip6_output.c:192 + NF_HOOK_COND include/linux/netfilter.h:290 [inline] + ip6_output+0x1e4/0x530 net/ipv6/ip6_output.c:215 + dst_output include/net/dst.h:448 [inline] + NF_HOOK include/linux/netfilter.h:301 [inline] + NF_HOOK include/linux/netfilter.h:295 [inline] + ip6_xmit+0x127e/0x1eb0 net/ipv6/ip6_output.c:320 + inet6_csk_xmit+0x358/0x630 net/ipv6/inet6_connection_sock.c:135 + dccp_transmit_skb+0x973/0x12c0 net/dccp/output.c:138 + dccp_send_reset+0x21b/0x2b0 net/dccp/output.c:535 + dccp_finish_passive_close net/dccp/proto.c:123 [inline] + dccp_finish_passive_close+0xed/0x140 net/dccp/proto.c:118 + dccp_terminate_connection net/dccp/proto.c:958 [inline] + dccp_close+0xb3c/0xe60 net/dccp/proto.c:1028 + inet_release+0x12e/0x280 net/ipv4/af_inet.c:431 + inet6_release+0x4c/0x70 net/ipv6/af_inet6.c:478 + __sock_release+0xcd/0x280 net/socket.c:599 + sock_close+0x18/0x20 net/socket.c:1258 + __fput+0x288/0x920 fs/file_table.c:280 + task_work_run+0xdd/0x1a0 kernel/task_work.c:140 + tracehook_notify_resume include/linux/tracehook.h:189 [inline] + +Fixes: 8afa10cbe281 ("net_sched: red: Avoid illegal values") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/net/red.h | 10 +++++++++- + net/sched/sch_choke.c | 7 ++++--- + net/sched/sch_gred.c | 2 +- + net/sched/sch_red.c | 7 +++++-- + net/sched/sch_sfq.c | 2 +- + 5 files changed, 20 insertions(+), 8 deletions(-) + +diff --git a/include/net/red.h b/include/net/red.h +index 932f0d79d60c..9e6647c4ccd1 100644 +--- a/include/net/red.h ++++ b/include/net/red.h +@@ -168,7 +168,8 @@ static inline void red_set_vars(struct red_vars *v) + v->qcount = -1; + } + +-static inline bool red_check_params(u32 qth_min, u32 qth_max, u8 Wlog, u8 Scell_log) ++static inline bool red_check_params(u32 qth_min, u32 qth_max, u8 Wlog, ++ u8 Scell_log, u8 *stab) + { + if (fls(qth_min) + Wlog > 32) + return false; +@@ -178,6 +179,13 @@ static inline bool red_check_params(u32 qth_min, u32 qth_max, u8 Wlog, u8 Scell_ + return false; + if (qth_max < qth_min) + return false; ++ if (stab) { ++ int i; ++ ++ for (i = 0; i < RED_STAB_SIZE; i++) ++ if (stab[i] >= 32) ++ return false; ++ } + return true; + } + +diff --git a/net/sched/sch_choke.c b/net/sched/sch_choke.c +index 50f680f03a54..2adbd945bf15 100644 +--- a/net/sched/sch_choke.c ++++ b/net/sched/sch_choke.c +@@ -345,6 +345,7 @@ static int choke_change(struct Qdisc *sch, struct nlattr *opt, + struct sk_buff **old = NULL; + unsigned int mask; + u32 max_P; ++ u8 *stab; + + if (opt == NULL) + return -EINVAL; +@@ -361,8 +362,8 @@ static int choke_change(struct Qdisc *sch, struct nlattr *opt, + max_P = tb[TCA_CHOKE_MAX_P] ? nla_get_u32(tb[TCA_CHOKE_MAX_P]) : 0; + + ctl = nla_data(tb[TCA_CHOKE_PARMS]); +- +- if (!red_check_params(ctl->qth_min, ctl->qth_max, ctl->Wlog, ctl->Scell_log)) ++ stab = nla_data(tb[TCA_CHOKE_STAB]); ++ if (!red_check_params(ctl->qth_min, ctl->qth_max, ctl->Wlog, ctl->Scell_log, stab)) + return -EINVAL; + + if (ctl->limit > CHOKE_MAX_QUEUE) +@@ -412,7 +413,7 @@ static int choke_change(struct Qdisc *sch, struct nlattr *opt, + + red_set_parms(&q->parms, ctl->qth_min, ctl->qth_max, ctl->Wlog, + ctl->Plog, ctl->Scell_log, +- nla_data(tb[TCA_CHOKE_STAB]), ++ stab, + max_P); + red_set_vars(&q->vars); + +diff --git a/net/sched/sch_gred.c b/net/sched/sch_gred.c +index e0bc77533acc..f4132dc25ac0 100644 +--- a/net/sched/sch_gred.c ++++ b/net/sched/sch_gred.c +@@ -480,7 +480,7 @@ static inline int gred_change_vq(struct Qdisc *sch, int dp, + struct gred_sched *table = qdisc_priv(sch); + struct gred_sched_data *q = table->tab[dp]; + +- if (!red_check_params(ctl->qth_min, ctl->qth_max, ctl->Wlog, ctl->Scell_log)) { ++ if (!red_check_params(ctl->qth_min, ctl->qth_max, ctl->Wlog, ctl->Scell_log, stab)) { + NL_SET_ERR_MSG_MOD(extack, "invalid RED parameters"); + return -EINVAL; + } +diff --git a/net/sched/sch_red.c b/net/sched/sch_red.c +index b4ae34d7aa96..40adf1f07a82 100644 +--- a/net/sched/sch_red.c ++++ b/net/sched/sch_red.c +@@ -242,6 +242,7 @@ static int __red_change(struct Qdisc *sch, struct nlattr **tb, + unsigned char flags; + int err; + u32 max_P; ++ u8 *stab; + + if (tb[TCA_RED_PARMS] == NULL || + tb[TCA_RED_STAB] == NULL) +@@ -250,7 +251,9 @@ static int __red_change(struct Qdisc *sch, struct nlattr **tb, + max_P = tb[TCA_RED_MAX_P] ? nla_get_u32(tb[TCA_RED_MAX_P]) : 0; + + ctl = nla_data(tb[TCA_RED_PARMS]); +- if (!red_check_params(ctl->qth_min, ctl->qth_max, ctl->Wlog, ctl->Scell_log)) ++ stab = nla_data(tb[TCA_RED_STAB]); ++ if (!red_check_params(ctl->qth_min, ctl->qth_max, ctl->Wlog, ++ ctl->Scell_log, stab)) + return -EINVAL; + + err = red_get_flags(ctl->flags, TC_RED_HISTORIC_FLAGS, +@@ -288,7 +291,7 @@ static int __red_change(struct Qdisc *sch, struct nlattr **tb, + red_set_parms(&q->parms, + ctl->qth_min, ctl->qth_max, ctl->Wlog, + ctl->Plog, ctl->Scell_log, +- nla_data(tb[TCA_RED_STAB]), ++ stab, + max_P); + red_set_vars(&q->vars); + +diff --git a/net/sched/sch_sfq.c b/net/sched/sch_sfq.c +index b25e51440623..066754a18569 100644 +--- a/net/sched/sch_sfq.c ++++ b/net/sched/sch_sfq.c +@@ -647,7 +647,7 @@ static int sfq_change(struct Qdisc *sch, struct nlattr *opt) + } + + if (ctl_v1 && !red_check_params(ctl_v1->qth_min, ctl_v1->qth_max, +- ctl_v1->Wlog, ctl_v1->Scell_log)) ++ ctl_v1->Wlog, ctl_v1->Scell_log, NULL)) + return -EINVAL; + if (ctl_v1 && ctl_v1->qth_min) { + p = kmalloc(sizeof(*p), GFP_KERNEL); +-- +2.30.1 + diff --git a/queue-5.11/net-stmmac-dwmac-sun8i-provide-tx-and-rx-fifo-sizes.patch b/queue-5.11/net-stmmac-dwmac-sun8i-provide-tx-and-rx-fifo-sizes.patch new file mode 100644 index 00000000000..f307fb695ae --- /dev/null +++ b/queue-5.11/net-stmmac-dwmac-sun8i-provide-tx-and-rx-fifo-sizes.patch @@ -0,0 +1,47 @@ +From 6a8b09f98122cd3820bc45a9fd2d3ce245423873 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Mar 2021 13:44:22 +0000 +Subject: net: stmmac: dwmac-sun8i: Provide TX and RX fifo sizes + +From: Corentin Labbe + +[ Upstream commit 014dfa26ce1c647af09bf506285ef67e0e3f0a6b ] + +MTU cannot be changed on dwmac-sun8i. (ip link set eth0 mtu xxx returning EINVAL) +This is due to tx_fifo_size being 0, since this value is used to compute valid +MTU range. +Like dwmac-sunxi (with commit 806fd188ce2a ("net: stmmac: dwmac-sunxi: Provide TX and RX fifo sizes")) +dwmac-sun8i need to have tx and rx fifo sizes set. +I have used values from datasheets. +After this patch, setting a non-default MTU (like 1000) value works and network is still useable. + +Tested-on: sun8i-h3-orangepi-pc +Tested-on: sun8i-r40-bananapi-m2-ultra +Tested-on: sun50i-a64-bananapi-m64 +Tested-on: sun50i-h5-nanopi-neo-plus2 +Tested-on: sun50i-h6-pine-h64 +Fixes: 9f93ac8d408 ("net-next: stmmac: Add dwmac-sun8i") +Reported-by: Belisko Marek +Signed-off-by: Corentin Labbe +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c +index a5e0eff4a387..9f5ccf1a0a54 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c +@@ -1217,6 +1217,8 @@ static int sun8i_dwmac_probe(struct platform_device *pdev) + plat_dat->init = sun8i_dwmac_init; + plat_dat->exit = sun8i_dwmac_exit; + plat_dat->setup = sun8i_dwmac_setup; ++ plat_dat->tx_fifo_size = 4096; ++ plat_dat->rx_fifo_size = 16384; + + ret = sun8i_dwmac_set_syscon(&pdev->dev, plat_dat); + if (ret) +-- +2.30.1 + diff --git a/queue-5.11/netfilter-ctnetlink-fix-dump-of-the-expect-mask-attr.patch b/queue-5.11/netfilter-ctnetlink-fix-dump-of-the-expect-mask-attr.patch new file mode 100644 index 00000000000..4c1bb19cb36 --- /dev/null +++ b/queue-5.11/netfilter-ctnetlink-fix-dump-of-the-expect-mask-attr.patch @@ -0,0 +1,41 @@ +From ee9deb50ffd0d503f433bafce281d203bffd46e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Mar 2021 11:31:09 +0100 +Subject: netfilter: ctnetlink: fix dump of the expect mask attribute + +From: Florian Westphal + +[ Upstream commit b58f33d49e426dc66e98ed73afb5d97b15a25f2d ] + +Before this change, the mask is never included in the netlink message, so +"conntrack -E expect" always prints 0.0.0.0. + +In older kernels the l3num callback struct was passed as argument, based +on tuple->src.l3num. After the l3num indirection got removed, the call +chain is based on m.src.l3num, but this value is 0xffff. + +Init l3num to the correct value. + +Fixes: f957be9d349a3 ("netfilter: conntrack: remove ctnetlink callbacks from l3 protocol trackers") +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_netlink.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c +index 84caf3316946..e0c566b3df90 100644 +--- a/net/netfilter/nf_conntrack_netlink.c ++++ b/net/netfilter/nf_conntrack_netlink.c +@@ -2969,6 +2969,7 @@ static int ctnetlink_exp_dump_mask(struct sk_buff *skb, + memset(&m, 0xFF, sizeof(m)); + memcpy(&m.src.u3, &mask->src.u3, sizeof(m.src.u3)); + m.src.u.all = mask->src.u.all; ++ m.src.l3num = tuple->src.l3num; + m.dst.protonum = tuple->dst.protonum; + + nest_parms = nla_nest_start(skb, CTA_EXPECT_MASK); +-- +2.30.1 + diff --git a/queue-5.11/netfilter-flowtable-make-sure-gc-works-periodically-.patch b/queue-5.11/netfilter-flowtable-make-sure-gc-works-periodically-.patch new file mode 100644 index 00000000000..fbdcc7dd37b --- /dev/null +++ b/queue-5.11/netfilter-flowtable-make-sure-gc-works-periodically-.patch @@ -0,0 +1,43 @@ +From 11e6d6235d844db738e08208d90a8d984c1a1bef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Mar 2021 13:42:24 +0100 +Subject: netfilter: flowtable: Make sure GC works periodically in idle system + +From: Yinjun Zhang + +[ Upstream commit 740b486a8d1f966e68ac0666f1fd57441a7cda94 ] + +Currently flowtable's GC work is initialized as deferrable, which +means GC cannot work on time when system is idle. So the hardware +offloaded flow may be deleted for timeout, since its used time is +not timely updated. + +Resolve it by initializing the GC work as delayed work instead of +deferrable. + +Fixes: c29f74e0df7a ("netfilter: nf_flow_table: hardware offload support") +Signed-off-by: Yinjun Zhang +Signed-off-by: Louis Peens +Signed-off-by: Simon Horman +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_flow_table_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c +index 4a4acbba78ff..b03feb6e1226 100644 +--- a/net/netfilter/nf_flow_table_core.c ++++ b/net/netfilter/nf_flow_table_core.c +@@ -506,7 +506,7 @@ int nf_flow_table_init(struct nf_flowtable *flowtable) + { + int err; + +- INIT_DEFERRABLE_WORK(&flowtable->gc_work, nf_flow_offload_work_gc); ++ INIT_DELAYED_WORK(&flowtable->gc_work, nf_flow_offload_work_gc); + flow_block_init(&flowtable->flow_block); + init_rwsem(&flowtable->flow_block_lock); + +-- +2.30.1 + diff --git a/queue-5.11/netfilter-nftables-allow-to-update-flowtable-flags.patch b/queue-5.11/netfilter-nftables-allow-to-update-flowtable-flags.patch new file mode 100644 index 00000000000..10b913d2d27 --- /dev/null +++ b/queue-5.11/netfilter-nftables-allow-to-update-flowtable-flags.patch @@ -0,0 +1,91 @@ +From e8af242926f0aeac0cd41477055c492e1e656635 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Mar 2021 12:54:57 +0100 +Subject: netfilter: nftables: allow to update flowtable flags + +From: Pablo Neira Ayuso + +[ Upstream commit 7b35582cd04ace2fd1807c1b624934e465cc939d ] + +Honor flowtable flags from the control update path. Disallow disabling +to toggle hardware offload support though. + +Fixes: 8bb69f3b2918 ("netfilter: nf_tables: add flowtable offload control plane") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/net/netfilter/nf_tables.h | 3 +++ + net/netfilter/nf_tables_api.c | 15 +++++++++++++++ + 2 files changed, 18 insertions(+) + +diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h +index 4b6ecf532623..6799f95eea65 100644 +--- a/include/net/netfilter/nf_tables.h ++++ b/include/net/netfilter/nf_tables.h +@@ -1531,6 +1531,7 @@ struct nft_trans_flowtable { + struct nft_flowtable *flowtable; + bool update; + struct list_head hook_list; ++ u32 flags; + }; + + #define nft_trans_flowtable(trans) \ +@@ -1539,6 +1540,8 @@ struct nft_trans_flowtable { + (((struct nft_trans_flowtable *)trans->data)->update) + #define nft_trans_flowtable_hooks(trans) \ + (((struct nft_trans_flowtable *)trans->data)->hook_list) ++#define nft_trans_flowtable_flags(trans) \ ++ (((struct nft_trans_flowtable *)trans->data)->flags) + + int __init nft_chain_filter_init(void); + void nft_chain_filter_fini(void); +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 2aae0df0d70d..24a7a6b17268 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -6808,6 +6808,7 @@ static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh, + struct nft_hook *hook, *next; + struct nft_trans *trans; + bool unregister = false; ++ u32 flags; + int err; + + err = nft_flowtable_parse_hook(ctx, nla[NFTA_FLOWTABLE_HOOK], +@@ -6822,6 +6823,17 @@ static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh, + } + } + ++ if (nla[NFTA_FLOWTABLE_FLAGS]) { ++ flags = ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS])); ++ if (flags & ~NFT_FLOWTABLE_MASK) ++ return -EOPNOTSUPP; ++ if ((flowtable->data.flags & NFT_FLOWTABLE_HW_OFFLOAD) ^ ++ (flags & NFT_FLOWTABLE_HW_OFFLOAD)) ++ return -EOPNOTSUPP; ++ } else { ++ flags = flowtable->data.flags; ++ } ++ + err = nft_register_flowtable_net_hooks(ctx->net, ctx->table, + &flowtable_hook.list, flowtable); + if (err < 0) +@@ -6835,6 +6847,7 @@ static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh, + goto err_flowtable_update_hook; + } + ++ nft_trans_flowtable_flags(trans) = flags; + nft_trans_flowtable(trans) = flowtable; + nft_trans_flowtable_update(trans) = true; + INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans)); +@@ -8144,6 +8157,8 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb) + break; + case NFT_MSG_NEWFLOWTABLE: + if (nft_trans_flowtable_update(trans)) { ++ nft_trans_flowtable(trans)->data.flags = ++ nft_trans_flowtable_flags(trans); + nf_tables_flowtable_notify(&trans->ctx, + nft_trans_flowtable(trans), + &nft_trans_flowtable_hooks(trans), +-- +2.30.1 + diff --git a/queue-5.11/netfilter-nftables-report-eopnotsupp-on-unsupported-.patch b/queue-5.11/netfilter-nftables-report-eopnotsupp-on-unsupported-.patch new file mode 100644 index 00000000000..97b05320638 --- /dev/null +++ b/queue-5.11/netfilter-nftables-report-eopnotsupp-on-unsupported-.patch @@ -0,0 +1,37 @@ +From e84a09cf913377aa04cd568ea5e20f24c5f5e109 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Mar 2021 11:31:55 +0100 +Subject: netfilter: nftables: report EOPNOTSUPP on unsupported flowtable flags + +From: Pablo Neira Ayuso + +[ Upstream commit 7e6136f1b7272b2202817cff37ada355eb5e6784 ] + +Error was not set accordingly. + +Fixes: 8bb69f3b2918 ("netfilter: nf_tables: add flowtable offload control plane") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 8ee9f40cc0ea..2aae0df0d70d 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -6929,8 +6929,10 @@ static int nf_tables_newflowtable(struct net *net, struct sock *nlsk, + if (nla[NFTA_FLOWTABLE_FLAGS]) { + flowtable->data.flags = + ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS])); +- if (flowtable->data.flags & ~NFT_FLOWTABLE_MASK) ++ if (flowtable->data.flags & ~NFT_FLOWTABLE_MASK) { ++ err = -EOPNOTSUPP; + goto err3; ++ } + } + + write_pnet(&flowtable->data.net, net); +-- +2.30.1 + diff --git a/queue-5.11/netfilter-x_tables-use-correct-memory-barriers.patch b/queue-5.11/netfilter-x_tables-use-correct-memory-barriers.patch new file mode 100644 index 00000000000..c4e9c850c55 --- /dev/null +++ b/queue-5.11/netfilter-x_tables-use-correct-memory-barriers.patch @@ -0,0 +1,63 @@ +From 7b2cb3fd4fe0e8e851782ef1449b82338621e485 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Mar 2021 14:24:13 +1300 +Subject: netfilter: x_tables: Use correct memory barriers. + +From: Mark Tomlinson + +[ Upstream commit 175e476b8cdf2a4de7432583b49c871345e4f8a1 ] + +When a new table value was assigned, it was followed by a write memory +barrier. This ensured that all writes before this point would complete +before any writes after this point. However, to determine whether the +rules are unused, the sequence counter is read. To ensure that all +writes have been done before these reads, a full memory barrier is +needed, not just a write memory barrier. The same argument applies when +incrementing the counter, before the rules are read. + +Changing to using smp_mb() instead of smp_wmb() fixes the kernel panic +reported in cc00bcaa5899 (which is still present), while still +maintaining the same speed of replacing tables. + +The smb_mb() barriers potentially slow the packet path, however testing +has shown no measurable change in performance on a 4-core MIPS64 +platform. + +Fixes: 7f5c6d4f665b ("netfilter: get rid of atomic ops in fast path") +Signed-off-by: Mark Tomlinson +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/linux/netfilter/x_tables.h | 2 +- + net/netfilter/x_tables.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h +index 5deb099d156d..8ec48466410a 100644 +--- a/include/linux/netfilter/x_tables.h ++++ b/include/linux/netfilter/x_tables.h +@@ -376,7 +376,7 @@ static inline unsigned int xt_write_recseq_begin(void) + * since addend is most likely 1 + */ + __this_cpu_add(xt_recseq.sequence, addend); +- smp_wmb(); ++ smp_mb(); + + return addend; + } +diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c +index 7df3aef39c5c..6bd31a7a27fc 100644 +--- a/net/netfilter/x_tables.c ++++ b/net/netfilter/x_tables.c +@@ -1389,7 +1389,7 @@ xt_replace_table(struct xt_table *table, + table->private = newinfo; + + /* make sure all cpus see new ->private value */ +- smp_wmb(); ++ smp_mb(); + + /* + * Even though table entries have now been swapped, other CPU's +-- +2.30.1 + diff --git a/queue-5.11/nfp-flower-add-ipv6-bit-to-pre_tunnel-control-messag.patch b/queue-5.11/nfp-flower-add-ipv6-bit-to-pre_tunnel-control-messag.patch new file mode 100644 index 00000000000..450905e2d05 --- /dev/null +++ b/queue-5.11/nfp-flower-add-ipv6-bit-to-pre_tunnel-control-messag.patch @@ -0,0 +1,64 @@ +From f4e6634422b00634433333a96f4fce7db2d26fd2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Mar 2021 19:13:09 +0100 +Subject: nfp: flower: add ipv6 bit to pre_tunnel control message + +From: Louis Peens + +[ Upstream commit 5c4f5e19d6a8e159127b9d653bb67e0dc7a28047 ] + +Differentiate between ipv4 and ipv6 flows when configuring the pre_tunnel +table to prevent them trampling each other in the table. + +Fixes: 783461604f7e ("nfp: flower: update flow merge code to support IPv6 tunnels") +Signed-off-by: Louis Peens +Signed-off-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../ethernet/netronome/nfp/flower/tunnel_conf.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/netronome/nfp/flower/tunnel_conf.c b/drivers/net/ethernet/netronome/nfp/flower/tunnel_conf.c +index 7248d248f604..d19c02e99114 100644 +--- a/drivers/net/ethernet/netronome/nfp/flower/tunnel_conf.c ++++ b/drivers/net/ethernet/netronome/nfp/flower/tunnel_conf.c +@@ -16,8 +16,9 @@ + #define NFP_FL_MAX_ROUTES 32 + + #define NFP_TUN_PRE_TUN_RULE_LIMIT 32 +-#define NFP_TUN_PRE_TUN_RULE_DEL 0x1 +-#define NFP_TUN_PRE_TUN_IDX_BIT 0x8 ++#define NFP_TUN_PRE_TUN_RULE_DEL BIT(0) ++#define NFP_TUN_PRE_TUN_IDX_BIT BIT(3) ++#define NFP_TUN_PRE_TUN_IPV6_BIT BIT(7) + + /** + * struct nfp_tun_pre_run_rule - rule matched before decap +@@ -1268,6 +1269,7 @@ int nfp_flower_xmit_pre_tun_flow(struct nfp_app *app, + { + struct nfp_flower_priv *app_priv = app->priv; + struct nfp_tun_offloaded_mac *mac_entry; ++ struct nfp_flower_meta_tci *key_meta; + struct nfp_tun_pre_tun_rule payload; + struct net_device *internal_dev; + int err; +@@ -1290,6 +1292,15 @@ int nfp_flower_xmit_pre_tun_flow(struct nfp_app *app, + if (!mac_entry) + return -ENOENT; + ++ /* Set/clear IPV6 bit. cpu_to_be16() swap will lead to MSB being ++ * set/clear for port_idx. ++ */ ++ key_meta = (struct nfp_flower_meta_tci *)flow->unmasked_data; ++ if (key_meta->nfp_flow_key_layer & NFP_FLOWER_LAYER_IPV6) ++ mac_entry->index |= NFP_TUN_PRE_TUN_IPV6_BIT; ++ else ++ mac_entry->index &= ~NFP_TUN_PRE_TUN_IPV6_BIT; ++ + payload.port_idx = cpu_to_be16(mac_entry->index); + + /* Copy mac id and vlan to flow - dev may not exist at delete time. */ +-- +2.30.1 + diff --git a/queue-5.11/nfp-flower-fix-pre_tun-mask-id-allocation.patch b/queue-5.11/nfp-flower-fix-pre_tun-mask-id-allocation.patch new file mode 100644 index 00000000000..716e472ec8b --- /dev/null +++ b/queue-5.11/nfp-flower-fix-pre_tun-mask-id-allocation.patch @@ -0,0 +1,85 @@ +From 81cb67c376271754abc74acbae41a9995804c0dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Mar 2021 19:13:10 +0100 +Subject: nfp: flower: fix pre_tun mask id allocation + +From: Louis Peens + +[ Upstream commit d8ce0275e45ec809a33f98fc080fe7921b720dfb ] + +pre_tun_rule flows does not follow the usual add-flow path, instead +they are used to update the pre_tun table on the firmware. This means +that if the mask-id gets allocated here the firmware will never see the +"NFP_FL_META_FLAG_MANAGE_MASK" flag for the specific mask id, which +triggers the allocation on the firmware side. This leads to the firmware +mask being corrupted and causing all sorts of strange behaviour. + +Fixes: f12725d98cbe ("nfp: flower: offload pre-tunnel rules") +Signed-off-by: Louis Peens +Signed-off-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../ethernet/netronome/nfp/flower/metadata.c | 24 +++++++++++++------ + 1 file changed, 17 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/netronome/nfp/flower/metadata.c b/drivers/net/ethernet/netronome/nfp/flower/metadata.c +index 5defd31d481c..aa06fcb38f8b 100644 +--- a/drivers/net/ethernet/netronome/nfp/flower/metadata.c ++++ b/drivers/net/ethernet/netronome/nfp/flower/metadata.c +@@ -327,8 +327,14 @@ int nfp_compile_flow_metadata(struct nfp_app *app, + goto err_free_ctx_entry; + } + ++ /* Do net allocate a mask-id for pre_tun_rules. These flows are used to ++ * configure the pre_tun table and are never actually send to the ++ * firmware as an add-flow message. This causes the mask-id allocation ++ * on the firmware to get out of sync if allocated here. ++ */ + new_mask_id = 0; +- if (!nfp_check_mask_add(app, nfp_flow->mask_data, ++ if (!nfp_flow->pre_tun_rule.dev && ++ !nfp_check_mask_add(app, nfp_flow->mask_data, + nfp_flow->meta.mask_len, + &nfp_flow->meta.flags, &new_mask_id)) { + NL_SET_ERR_MSG_MOD(extack, "invalid entry: cannot allocate a new mask id"); +@@ -359,7 +365,8 @@ int nfp_compile_flow_metadata(struct nfp_app *app, + goto err_remove_mask; + } + +- if (!nfp_check_mask_remove(app, nfp_flow->mask_data, ++ if (!nfp_flow->pre_tun_rule.dev && ++ !nfp_check_mask_remove(app, nfp_flow->mask_data, + nfp_flow->meta.mask_len, + NULL, &new_mask_id)) { + NL_SET_ERR_MSG_MOD(extack, "invalid entry: cannot release mask id"); +@@ -374,8 +381,10 @@ int nfp_compile_flow_metadata(struct nfp_app *app, + return 0; + + err_remove_mask: +- nfp_check_mask_remove(app, nfp_flow->mask_data, nfp_flow->meta.mask_len, +- NULL, &new_mask_id); ++ if (!nfp_flow->pre_tun_rule.dev) ++ nfp_check_mask_remove(app, nfp_flow->mask_data, ++ nfp_flow->meta.mask_len, ++ NULL, &new_mask_id); + err_remove_rhash: + WARN_ON_ONCE(rhashtable_remove_fast(&priv->stats_ctx_table, + &ctx_entry->ht_node, +@@ -406,9 +415,10 @@ int nfp_modify_flow_metadata(struct nfp_app *app, + + __nfp_modify_flow_metadata(priv, nfp_flow); + +- nfp_check_mask_remove(app, nfp_flow->mask_data, +- nfp_flow->meta.mask_len, &nfp_flow->meta.flags, +- &new_mask_id); ++ if (!nfp_flow->pre_tun_rule.dev) ++ nfp_check_mask_remove(app, nfp_flow->mask_data, ++ nfp_flow->meta.mask_len, &nfp_flow->meta.flags, ++ &new_mask_id); + + /* Update flow payload with mask ids. */ + nfp_flow->unmasked_data[NFP_FL_MASK_ID_LOCATION] = new_mask_id; +-- +2.30.1 + diff --git a/queue-5.11/nfp-flower-fix-unsupported-pre_tunnel-flows.patch b/queue-5.11/nfp-flower-fix-unsupported-pre_tunnel-flows.patch new file mode 100644 index 00000000000..f527ea3114b --- /dev/null +++ b/queue-5.11/nfp-flower-fix-unsupported-pre_tunnel-flows.patch @@ -0,0 +1,71 @@ +From e4fc5934726c601183b27db378ce864768052a8d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Mar 2021 19:13:08 +0100 +Subject: nfp: flower: fix unsupported pre_tunnel flows + +From: Louis Peens + +[ Upstream commit 982e5ee23d764fe6158f67a7813d416335e978b0 ] + +There are some pre_tunnel flows combinations which are incorrectly being +offloaded without proper support, fix these. + +- Matching on MPLS is not supported for pre_tun. +- Match on IPv4/IPv6 layer must be present. +- Destination MAC address must match pre_tun.dev MAC + +Fixes: 120ffd84a9ec ("nfp: flower: verify pre-tunnel rules") +Signed-off-by: Louis Peens +Signed-off-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../ethernet/netronome/nfp/flower/offload.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/drivers/net/ethernet/netronome/nfp/flower/offload.c b/drivers/net/ethernet/netronome/nfp/flower/offload.c +index 1c59aff2163c..d72225d64a75 100644 +--- a/drivers/net/ethernet/netronome/nfp/flower/offload.c ++++ b/drivers/net/ethernet/netronome/nfp/flower/offload.c +@@ -1142,6 +1142,12 @@ nfp_flower_validate_pre_tun_rule(struct nfp_app *app, + return -EOPNOTSUPP; + } + ++ if (!(key_layer & NFP_FLOWER_LAYER_IPV4) && ++ !(key_layer & NFP_FLOWER_LAYER_IPV6)) { ++ NL_SET_ERR_MSG_MOD(extack, "unsupported pre-tunnel rule: match on ipv4/ipv6 eth_type must be present"); ++ return -EOPNOTSUPP; ++ } ++ + /* Skip fields known to exist. */ + mask += sizeof(struct nfp_flower_meta_tci); + ext += sizeof(struct nfp_flower_meta_tci); +@@ -1152,6 +1158,13 @@ nfp_flower_validate_pre_tun_rule(struct nfp_app *app, + mask += sizeof(struct nfp_flower_in_port); + ext += sizeof(struct nfp_flower_in_port); + ++ /* Ensure destination MAC address matches pre_tun_dev. */ ++ mac = (struct nfp_flower_mac_mpls *)ext; ++ if (memcmp(&mac->mac_dst[0], flow->pre_tun_rule.dev->dev_addr, 6)) { ++ NL_SET_ERR_MSG_MOD(extack, "unsupported pre-tunnel rule: dest MAC must match output dev MAC"); ++ return -EOPNOTSUPP; ++ } ++ + /* Ensure destination MAC address is fully matched. */ + mac = (struct nfp_flower_mac_mpls *)mask; + if (!is_broadcast_ether_addr(&mac->mac_dst[0])) { +@@ -1159,6 +1172,11 @@ nfp_flower_validate_pre_tun_rule(struct nfp_app *app, + return -EOPNOTSUPP; + } + ++ if (mac->mpls_lse) { ++ NL_SET_ERR_MSG_MOD(extack, "unsupported pre-tunnel rule: MPLS not supported"); ++ return -EOPNOTSUPP; ++ } ++ + mask += sizeof(struct nfp_flower_mac_mpls); + ext += sizeof(struct nfp_flower_mac_mpls); + if (key_layer & NFP_FLOWER_LAYER_IPV4 || +-- +2.30.1 + diff --git a/queue-5.11/octeontx2-af-fix-infinite-loop-in-unmapping-npc-coun.patch b/queue-5.11/octeontx2-af-fix-infinite-loop-in-unmapping-npc-coun.patch new file mode 100644 index 00000000000..3933b1c6311 --- /dev/null +++ b/queue-5.11/octeontx2-af-fix-infinite-loop-in-unmapping-npc-coun.patch @@ -0,0 +1,47 @@ +From 3bef52fc12d8a9efb0195133ffbaa7f763fc7807 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Mar 2021 19:45:48 +0530 +Subject: octeontx2-af: fix infinite loop in unmapping NPC counter + +From: Hariprasad Kelam + +[ Upstream commit 64451b98306bf1334a62bcd020ec92bdb4cb68db ] + +unmapping npc counter works in a way by traversing all mcam +entries to find which mcam rule is associated with counter. +But loop cursor variable 'entry' is not incremented before +checking next mcam entry which resulting in infinite loop. + +This in turn hogs the kworker thread forever and no other +mbox message is processed by AF driver after that. +Fix this by updating entry value before checking next +mcam entry. + +Fixes: a958dd59f9ce ("octeontx2-af: Map or unmap NPC MCAM entry and counter") +Signed-off-by: Hariprasad Kelam +Signed-off-by: Sunil Kovvuri Goutham +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c +index 5cf9b7a907ae..b81539f3b2ac 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c +@@ -2490,10 +2490,10 @@ int rvu_mbox_handler_npc_mcam_free_counter(struct rvu *rvu, + index = find_next_bit(mcam->bmap, mcam->bmap_entries, entry); + if (index >= mcam->bmap_entries) + break; ++ entry = index + 1; + if (mcam->entry2cntr_map[index] != req->cntr) + continue; + +- entry = index + 1; + npc_unmap_mcam_entry_and_cntr(rvu, mcam, blkaddr, + index, req->cntr); + } +-- +2.30.1 + diff --git a/queue-5.11/octeontx2-af-fix-irq-free-in-rvu-teardown.patch b/queue-5.11/octeontx2-af-fix-irq-free-in-rvu-teardown.patch new file mode 100644 index 00000000000..341bcf8b41a --- /dev/null +++ b/queue-5.11/octeontx2-af-fix-irq-free-in-rvu-teardown.patch @@ -0,0 +1,53 @@ +From 79c9dcf6e6d21ff3c7a7a777bb8e2575b196e948 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Mar 2021 19:45:46 +0530 +Subject: octeontx2-af: Fix irq free in rvu teardown + +From: Geetha sowjanya + +[ Upstream commit ae2619dd4fccdad9876aa5f900bd85484179c50f ] + +Current devlink code try to free already freed irqs as the +irq_allocate flag is not cleared after free leading to kernel +crash while removing rvu driver. The patch fixes the irq free +sequence and clears the irq_allocate flag on free. + +Fixes: 7304ac4567bc ("octeontx2-af: Add mailbox IRQ and msg handlers") +Signed-off-by: Geetha sowjanya +Signed-off-by: Hariprasad Kelam +Signed-off-by: Sunil Kovvuri Goutham +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/af/rvu.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c +index e8fd712860a1..e3fc6d1c0ec3 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c +@@ -2358,8 +2358,10 @@ static void rvu_unregister_interrupts(struct rvu *rvu) + INTR_MASK(rvu->hw->total_pfs) & ~1ULL); + + for (irq = 0; irq < rvu->num_vec; irq++) { +- if (rvu->irq_allocated[irq]) ++ if (rvu->irq_allocated[irq]) { + free_irq(pci_irq_vector(rvu->pdev, irq), rvu); ++ rvu->irq_allocated[irq] = false; ++ } + } + + pci_free_irq_vectors(rvu->pdev); +@@ -2873,8 +2875,8 @@ static void rvu_remove(struct pci_dev *pdev) + struct rvu *rvu = pci_get_drvdata(pdev); + + rvu_dbg_exit(rvu); +- rvu_unregister_interrupts(rvu); + rvu_unregister_dl(rvu); ++ rvu_unregister_interrupts(rvu); + rvu_flr_wq_destroy(rvu); + rvu_cgx_exit(rvu); + rvu_fwdata_exit(rvu); +-- +2.30.1 + diff --git a/queue-5.11/octeontx2-af-fix-memory-leak-of-object-buf.patch b/queue-5.11/octeontx2-af-fix-memory-leak-of-object-buf.patch new file mode 100644 index 00000000000..a2412351c29 --- /dev/null +++ b/queue-5.11/octeontx2-af-fix-memory-leak-of-object-buf.patch @@ -0,0 +1,41 @@ +From 3056c233ccc217231f46ff37428bdcddddcce392 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Mar 2021 12:32:45 +0000 +Subject: octeontx2-af: Fix memory leak of object buf + +From: Colin Ian King + +[ Upstream commit 9e0a537d06fc36861e4f78d0a7df1fe2b3592714 ] + +Currently the error return path when lfs fails to allocate is not free'ing +the memory allocated to buf. Fix this by adding the missing kfree. + +Addresses-Coverity: ("Resource leak") +Fixes: f7884097141b ("octeontx2-af: Formatting debugfs entry rsrc_alloc.") +Signed-off-by: Colin Ian King +Acked-by: Sunil Goutham +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c +index ea1e520b6552..0488651a68d0 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c +@@ -169,8 +169,10 @@ static ssize_t rvu_dbg_rsrc_attach_status(struct file *filp, + return -ENOSPC; + + lfs = kzalloc(lf_str_size, GFP_KERNEL); +- if (!lfs) ++ if (!lfs) { ++ kfree(buf); + return -ENOMEM; ++ } + off += scnprintf(&buf[off], buf_size - 1 - off, "%-*s", lf_str_size, + "pcifunc"); + for (index = 0; index < BLK_COUNT; index++) +-- +2.30.1 + diff --git a/queue-5.11/octeontx2-af-formatting-debugfs-entry-rsrc_alloc.patch b/queue-5.11/octeontx2-af-formatting-debugfs-entry-rsrc_alloc.patch new file mode 100644 index 00000000000..6692c7d7213 --- /dev/null +++ b/queue-5.11/octeontx2-af-formatting-debugfs-entry-rsrc_alloc.patch @@ -0,0 +1,140 @@ +From e8379ce8b073adc56d6319245d2519985495f63a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Mar 2021 19:45:43 +0530 +Subject: octeontx2-af: Formatting debugfs entry rsrc_alloc. + +From: Rakesh Babu + +[ Upstream commit f7884097141b615b6ce89c16f456a53902b4eec3 ] + +With the existing rsrc_alloc's format, there is misalignment for the +pcifunc entries whose VF's index is a double digit. This patch fixes +this. + + pcifunc NPA NIX0 NIX1 SSO GROUP SSOWS + TIM CPT0 CPT1 REE0 REE1 + PF0:VF0 8 5 + PF0:VF1 9 3 + PF0:VF10 18 10 + PF0:VF11 19 8 + PF0:VF12 20 11 + PF0:VF13 21 9 + PF0:VF14 22 12 + PF0:VF15 23 10 + PF1 0 0 + +Fixes: 23205e6d06d4 ("octeontx2-af: Dump current resource provisioning status") +Signed-off-by: Rakesh Babu +Signed-off-by: Hariprasad Kelam +Signed-off-by: Sunil Kovvuri Goutham +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../marvell/octeontx2/af/rvu_debugfs.c | 46 ++++++++++++------- + 1 file changed, 29 insertions(+), 17 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c +index bb3fdaf33751..ea1e520b6552 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c +@@ -150,12 +150,14 @@ static ssize_t rvu_dbg_rsrc_attach_status(struct file *filp, + char __user *buffer, + size_t count, loff_t *ppos) + { +- int index, off = 0, flag = 0, go_back = 0, off_prev; ++ int index, off = 0, flag = 0, go_back = 0, len = 0; + struct rvu *rvu = filp->private_data; + int lf, pf, vf, pcifunc; + struct rvu_block block; + int bytes_not_copied; ++ int lf_str_size = 12; + int buf_size = 2048; ++ char *lfs; + char *buf; + + /* don't allow partial reads */ +@@ -165,12 +167,18 @@ static ssize_t rvu_dbg_rsrc_attach_status(struct file *filp, + buf = kzalloc(buf_size, GFP_KERNEL); + if (!buf) + return -ENOSPC; +- off += scnprintf(&buf[off], buf_size - 1 - off, "\npcifunc\t\t"); ++ ++ lfs = kzalloc(lf_str_size, GFP_KERNEL); ++ if (!lfs) ++ return -ENOMEM; ++ off += scnprintf(&buf[off], buf_size - 1 - off, "%-*s", lf_str_size, ++ "pcifunc"); + for (index = 0; index < BLK_COUNT; index++) +- if (strlen(rvu->hw->block[index].name)) +- off += scnprintf(&buf[off], buf_size - 1 - off, +- "%*s\t", (index - 1) * 2, +- rvu->hw->block[index].name); ++ if (strlen(rvu->hw->block[index].name)) { ++ off += scnprintf(&buf[off], buf_size - 1 - off, ++ "%-*s", lf_str_size, ++ rvu->hw->block[index].name); ++ } + off += scnprintf(&buf[off], buf_size - 1 - off, "\n"); + for (pf = 0; pf < rvu->hw->total_pfs; pf++) { + for (vf = 0; vf <= rvu->hw->total_vfs; vf++) { +@@ -179,14 +187,15 @@ static ssize_t rvu_dbg_rsrc_attach_status(struct file *filp, + continue; + + if (vf) { ++ sprintf(lfs, "PF%d:VF%d", pf, vf - 1); + go_back = scnprintf(&buf[off], + buf_size - 1 - off, +- "PF%d:VF%d\t\t", pf, +- vf - 1); ++ "%-*s", lf_str_size, lfs); + } else { ++ sprintf(lfs, "PF%d", pf); + go_back = scnprintf(&buf[off], + buf_size - 1 - off, +- "PF%d\t\t", pf); ++ "%-*s", lf_str_size, lfs); + } + + off += go_back; +@@ -194,20 +203,22 @@ static ssize_t rvu_dbg_rsrc_attach_status(struct file *filp, + block = rvu->hw->block[index]; + if (!strlen(block.name)) + continue; +- off_prev = off; ++ len = 0; ++ lfs[len] = '\0'; + for (lf = 0; lf < block.lf.max; lf++) { + if (block.fn_map[lf] != pcifunc) + continue; + flag = 1; +- off += scnprintf(&buf[off], buf_size - 1 +- - off, "%3d,", lf); ++ len += sprintf(&lfs[len], "%d,", lf); + } +- if (flag && off_prev != off) +- off--; +- else +- go_back++; ++ ++ if (flag) ++ len--; ++ lfs[len] = '\0'; + off += scnprintf(&buf[off], buf_size - 1 - off, +- "\t"); ++ "%-*s", lf_str_size, lfs); ++ if (!strlen(lfs)) ++ go_back += lf_str_size; + } + if (!flag) + off -= go_back; +@@ -219,6 +230,7 @@ static ssize_t rvu_dbg_rsrc_attach_status(struct file *filp, + } + + bytes_not_copied = copy_to_user(buffer, buf, off); ++ kfree(lfs); + kfree(buf); + + if (bytes_not_copied) +-- +2.30.1 + diff --git a/queue-5.11/octeontx2-af-remove-tos-field-from-mkex-tx.patch b/queue-5.11/octeontx2-af-remove-tos-field-from-mkex-tx.patch new file mode 100644 index 00000000000..78792cb8bc0 --- /dev/null +++ b/queue-5.11/octeontx2-af-remove-tos-field-from-mkex-tx.patch @@ -0,0 +1,49 @@ +From 769240b1a5f42f3843add155b53da94b989dc302 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Mar 2021 19:45:44 +0530 +Subject: octeontx2-af: Remove TOS field from MKEX TX + +From: Subbaraya Sundeep + +[ Upstream commit ce86c2a531e2f2995ee55ea527c1f39ba1d95f73 ] + +The MKEX profile describes what packet fields need to be extracted from +the input packet and how to place those packet fields in the output key +for MCAM matching. The MKEX profile can be in a way where higher layer +packet fields can overwrite lower layer packet fields in output MCAM +Key. +Hence MKEX profile is always ensured that there are no overlaps between +any of the layers. But the commit 42006910b5ea +("octeontx2-af: cleanup KPU config data") introduced TX TOS field which +overlaps with DMAC in MCAM key. +This led to AF driver returning error when TX rule is installed with +DMAC as match criteria since DMAC gets overwritten and cannot be +supported. This patch fixes the issue by removing TOS field from MKEX TX +profile. + +Fixes: 42006910b5ea ("octeontx2-af: cleanup KPU config data") +Signed-off-by: Subbaraya Sundeep +Signed-off-by: Hariprasad Kelam +Signed-off-by: Sunil Kovvuri Goutham +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/af/npc_profile.h | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/npc_profile.h b/drivers/net/ethernet/marvell/octeontx2/af/npc_profile.h +index b192692b4fc4..5c372d2c24a1 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/npc_profile.h ++++ b/drivers/net/ethernet/marvell/octeontx2/af/npc_profile.h +@@ -13499,8 +13499,6 @@ static struct npc_mcam_kex npc_mkex_default = { + [NPC_LT_LC_IP] = { + /* SIP+DIP: 8 bytes, KW2[63:0] */ + KEX_LD_CFG(0x07, 0xc, 0x1, 0x0, 0x10), +- /* TOS: 1 byte, KW1[63:56] */ +- KEX_LD_CFG(0x0, 0x1, 0x1, 0x0, 0xf), + }, + /* Layer C: IPv6 */ + [NPC_LT_LC_IP6] = { +-- +2.30.1 + diff --git a/queue-5.11/octeontx2-pf-clear-rss-enable-flag-on-interace-down.patch b/queue-5.11/octeontx2-pf-clear-rss-enable-flag-on-interace-down.patch new file mode 100644 index 00000000000..e2f05507dfb --- /dev/null +++ b/queue-5.11/octeontx2-pf-clear-rss-enable-flag-on-interace-down.patch @@ -0,0 +1,51 @@ +From 3e65b0f2c6e4793ea6c31a869643c7e9093c0c6b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Mar 2021 19:45:47 +0530 +Subject: octeontx2-pf: Clear RSS enable flag on interace down + +From: Geetha sowjanya + +[ Upstream commit f12098ce9b43e1a6fcaa524acbd90f9118a74c0a ] + +RSS configuration can not be get/set when interface is in down state +as they required mbox communication. RSS enable flag status +is used for set/get configuration. Current code do not clear the +RSS enable flag on interface down which lead to mbox error while +trying to set/get RSS configuration. + +Fixes: 85069e95e531 ("octeontx2-pf: Receive side scaling support") +Signed-off-by: Geetha sowjanya +Signed-off-by: Hariprasad Kelam +Signed-off-by: Sunil Kovvuri Goutham +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c +index 634d60655a74..07e841df5678 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c +@@ -1625,6 +1625,7 @@ int otx2_stop(struct net_device *netdev) + struct otx2_nic *pf = netdev_priv(netdev); + struct otx2_cq_poll *cq_poll = NULL; + struct otx2_qset *qset = &pf->qset; ++ struct otx2_rss_info *rss; + int qidx, vec, wrk; + + netif_carrier_off(netdev); +@@ -1637,6 +1638,10 @@ int otx2_stop(struct net_device *netdev) + /* First stop packet Rx/Tx */ + otx2_rxtx_enable(pf, false); + ++ /* Clear RSS enable flag */ ++ rss = &pf->hw.rss_info; ++ rss->enable = false; ++ + /* Cleanup Queue IRQ */ + vec = pci_irq_vector(pf->pdev, + pf->hw.nix_msixoff + NIX_LF_QINT_VEC_START); +-- +2.30.1 + diff --git a/queue-5.11/platform-x86-dell-wmi-sysman-cleanup-create_attribut.patch b/queue-5.11/platform-x86-dell-wmi-sysman-cleanup-create_attribut.patch new file mode 100644 index 00000000000..e0c2d10065e --- /dev/null +++ b/queue-5.11/platform-x86-dell-wmi-sysman-cleanup-create_attribut.patch @@ -0,0 +1,64 @@ +From bb2394f4db520c85cc40cbf14f51a5a7d9b9efcf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 21 Mar 2021 12:59:01 +0100 +Subject: platform/x86: dell-wmi-sysman: Cleanup + create_attributes_level_sysfs_files() + +From: Hans de Goede + +[ Upstream commit 35471138a9f7193482a2019e39643f575f8098dc ] + +Cleanup create_attributes_level_sysfs_files(): + +1. There is no need to call sysfs_remove_file() on error, sysman_init() +will already call release_attributes_data() on failure which already does +this. + +2. There is no need for the pr_debug() calls sysfs_create_file() should +never fail and if it does it will already complain about the problem +itself. + +Fixes: e8a60aa7404b ("platform/x86: Introduce support for Systems Management Driver over WMI for Dell Systems") +Cc: Divya Bharathi +Cc: Mario Limonciello +Signed-off-by: Hans de Goede +Link: https://lore.kernel.org/r/20210321115901.35072-8-hdegoede@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/dell-wmi-sysman/sysman.c | 16 +++++++--------- + 1 file changed, 7 insertions(+), 9 deletions(-) + +diff --git a/drivers/platform/x86/dell-wmi-sysman/sysman.c b/drivers/platform/x86/dell-wmi-sysman/sysman.c +index 5dd9b29d939c..7410ccae650c 100644 +--- a/drivers/platform/x86/dell-wmi-sysman/sysman.c ++++ b/drivers/platform/x86/dell-wmi-sysman/sysman.c +@@ -210,19 +210,17 @@ static struct kobj_attribute pending_reboot = __ATTR_RO(pending_reboot); + */ + static int create_attributes_level_sysfs_files(void) + { +- int ret = sysfs_create_file(&wmi_priv.main_dir_kset->kobj, &reset_bios.attr); ++ int ret; + +- if (ret) { +- pr_debug("could not create reset_bios file\n"); ++ ret = sysfs_create_file(&wmi_priv.main_dir_kset->kobj, &reset_bios.attr); ++ if (ret) + return ret; +- } + + ret = sysfs_create_file(&wmi_priv.main_dir_kset->kobj, &pending_reboot.attr); +- if (ret) { +- pr_debug("could not create changing_pending_reboot file\n"); +- sysfs_remove_file(&wmi_priv.main_dir_kset->kobj, &reset_bios.attr); +- } +- return ret; ++ if (ret) ++ return ret; ++ ++ return 0; + } + + static ssize_t wmi_sysman_attr_show(struct kobject *kobj, struct attribute *attr, +-- +2.30.1 + diff --git a/queue-5.11/platform-x86-dell-wmi-sysman-cleanup-sysman_init-err.patch b/queue-5.11/platform-x86-dell-wmi-sysman-cleanup-sysman_init-err.patch new file mode 100644 index 00000000000..4e93ac5da60 --- /dev/null +++ b/queue-5.11/platform-x86-dell-wmi-sysman-cleanup-sysman_init-err.patch @@ -0,0 +1,153 @@ +From 9517ec3c41c4a8ab5d7f3eceed329fe1fde01739 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 21 Mar 2021 12:58:59 +0100 +Subject: platform/x86: dell-wmi-sysman: Cleanup sysman_init() error-exit + handling + +From: Hans de Goede + +[ Upstream commit 9c90cd869747e3492a9306dcd8123c17502ff1fc ] + +Cleanup sysman_init() error-exit handling: + +1. There is no need for the fail_reset_bios and fail_authentication_kset + eror-exit cases, these can be handled by release_attributes_data() + +2. Rename all the labels from fail_what_failed, to err_what_to_cleanup + this is the usual way to name these and avoids the need to rename + them when extra steps are added. + +Fixes: e8a60aa7404b ("platform/x86: Introduce support for Systems Management Driver over WMI for Dell Systems") +Cc: Divya Bharathi +Cc: Mario Limonciello +Signed-off-by: Hans de Goede +Link: https://lore.kernel.org/r/20210321115901.35072-6-hdegoede@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/dell-wmi-sysman/sysman.c | 45 +++++++------------ + 1 file changed, 16 insertions(+), 29 deletions(-) + +diff --git a/drivers/platform/x86/dell-wmi-sysman/sysman.c b/drivers/platform/x86/dell-wmi-sysman/sysman.c +index 58dc4571f987..99dc2f3bdf49 100644 +--- a/drivers/platform/x86/dell-wmi-sysman/sysman.c ++++ b/drivers/platform/x86/dell-wmi-sysman/sysman.c +@@ -508,100 +508,87 @@ static int __init sysman_init(void) + ret = init_bios_attr_set_interface(); + if (ret || !wmi_priv.bios_attr_wdev) { + pr_debug("failed to initialize set interface\n"); +- goto fail_set_interface; ++ return ret; + } + + ret = init_bios_attr_pass_interface(); + if (ret || !wmi_priv.password_attr_wdev) { + pr_debug("failed to initialize pass interface\n"); +- goto fail_pass_interface; ++ goto err_exit_bios_attr_set_interface; + } + + ret = class_register(&firmware_attributes_class); + if (ret) +- goto fail_class; ++ goto err_exit_bios_attr_pass_interface; + + wmi_priv.class_dev = device_create(&firmware_attributes_class, NULL, MKDEV(0, 0), + NULL, "%s", DRIVER_NAME); + if (IS_ERR(wmi_priv.class_dev)) { + ret = PTR_ERR(wmi_priv.class_dev); +- goto fail_classdev; ++ goto err_unregister_class; + } + + wmi_priv.main_dir_kset = kset_create_and_add("attributes", NULL, + &wmi_priv.class_dev->kobj); + if (!wmi_priv.main_dir_kset) { + ret = -ENOMEM; +- goto fail_main_kset; ++ goto err_destroy_classdev; + } + + wmi_priv.authentication_dir_kset = kset_create_and_add("authentication", NULL, + &wmi_priv.class_dev->kobj); + if (!wmi_priv.authentication_dir_kset) { + ret = -ENOMEM; +- goto fail_authentication_kset; ++ goto err_release_attributes_data; + } + + ret = create_attributes_level_sysfs_files(); + if (ret) { + pr_debug("could not create reset BIOS attribute\n"); +- goto fail_reset_bios; ++ goto err_release_attributes_data; + } + + ret = init_bios_attributes(ENUM, DELL_WMI_BIOS_ENUMERATION_ATTRIBUTE_GUID); + if (ret) { + pr_debug("failed to populate enumeration type attributes\n"); +- goto fail_create_group; ++ goto err_release_attributes_data; + } + + ret = init_bios_attributes(INT, DELL_WMI_BIOS_INTEGER_ATTRIBUTE_GUID); + if (ret) { + pr_debug("failed to populate integer type attributes\n"); +- goto fail_create_group; ++ goto err_release_attributes_data; + } + + ret = init_bios_attributes(STR, DELL_WMI_BIOS_STRING_ATTRIBUTE_GUID); + if (ret) { + pr_debug("failed to populate string type attributes\n"); +- goto fail_create_group; ++ goto err_release_attributes_data; + } + + ret = init_bios_attributes(PO, DELL_WMI_BIOS_PASSOBJ_ATTRIBUTE_GUID); + if (ret) { + pr_debug("failed to populate pass object type attributes\n"); +- goto fail_create_group; ++ goto err_release_attributes_data; + } + + return 0; + +-fail_create_group: ++err_release_attributes_data: + release_attributes_data(); + +-fail_reset_bios: +- if (wmi_priv.authentication_dir_kset) { +- kset_unregister(wmi_priv.authentication_dir_kset); +- wmi_priv.authentication_dir_kset = NULL; +- } +- +-fail_authentication_kset: +- if (wmi_priv.main_dir_kset) { +- kset_unregister(wmi_priv.main_dir_kset); +- wmi_priv.main_dir_kset = NULL; +- } +- +-fail_main_kset: ++err_destroy_classdev: + device_destroy(&firmware_attributes_class, MKDEV(0, 0)); + +-fail_classdev: ++err_unregister_class: + class_unregister(&firmware_attributes_class); + +-fail_class: ++err_exit_bios_attr_pass_interface: + exit_bios_attr_pass_interface(); + +-fail_pass_interface: ++err_exit_bios_attr_set_interface: + exit_bios_attr_set_interface(); + +-fail_set_interface: + return ret; + } + +-- +2.30.1 + diff --git a/queue-5.11/platform-x86-dell-wmi-sysman-fix-crash-caused-by-cal.patch b/queue-5.11/platform-x86-dell-wmi-sysman-fix-crash-caused-by-cal.patch new file mode 100644 index 00000000000..d29ffec7f4a --- /dev/null +++ b/queue-5.11/platform-x86-dell-wmi-sysman-fix-crash-caused-by-cal.patch @@ -0,0 +1,56 @@ +From 3ebf30cff473c347db169374502cb6938f3b22c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 21 Mar 2021 12:58:55 +0100 +Subject: platform/x86: dell-wmi-sysman: Fix crash caused by calling + kset_unregister twice + +From: Hans de Goede + +[ Upstream commit d939cd96b9df6dcde1605fab23bbd6307e11f930 ] + +On some system the WMI GUIDs used by dell-wmi-sysman are present but there +are no enum type attributes, this causes init_bios_attributes() to return +-ENODEV, after which sysman_init() does a "goto fail_create_group" and then +calls release_attributes_data(). + +release_attributes_data() calls kset_unregister(wmi_priv.main_dir_kset); +but before this commit it was missing a "wmi_priv.main_dir_kset = NULL;" +statement; and after calling release_attributes_data() the sysman_init() +error handling does this: + + if (wmi_priv.main_dir_kset) { + kset_unregister(wmi_priv.main_dir_kset); + wmi_priv.main_dir_kset = NULL; + } + +Which causes a second kset_unregister(wmi_priv.main_dir_kset), leading to +a double-free, which causes a crash. + +Add the missing "wmi_priv.main_dir_kset = NULL;" statement to +release_attributes_data() to fix this double-free crash. + +Fixes: e8a60aa7404b ("platform/x86: Introduce support for Systems Management Driver over WMI for Dell Systems") +Cc: Divya Bharathi +Cc: Mario Limonciello +Signed-off-by: Hans de Goede +Link: https://lore.kernel.org/r/20210321115901.35072-2-hdegoede@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/dell-wmi-sysman/sysman.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/platform/x86/dell-wmi-sysman/sysman.c b/drivers/platform/x86/dell-wmi-sysman/sysman.c +index cb81010ba1a2..c1997db74cca 100644 +--- a/drivers/platform/x86/dell-wmi-sysman/sysman.c ++++ b/drivers/platform/x86/dell-wmi-sysman/sysman.c +@@ -388,6 +388,7 @@ static void release_attributes_data(void) + if (wmi_priv.main_dir_kset) { + destroy_attribute_objs(wmi_priv.main_dir_kset); + kset_unregister(wmi_priv.main_dir_kset); ++ wmi_priv.main_dir_kset = NULL; + } + mutex_unlock(&wmi_priv.mutex); + +-- +2.30.1 + diff --git a/queue-5.11/platform-x86-dell-wmi-sysman-fix-possible-null-point.patch b/queue-5.11/platform-x86-dell-wmi-sysman-fix-possible-null-point.patch new file mode 100644 index 00000000000..eaead3f8a0c --- /dev/null +++ b/queue-5.11/platform-x86-dell-wmi-sysman-fix-possible-null-point.patch @@ -0,0 +1,70 @@ +From 20c9545eb3fea8a6a8b89e5eeeda5d3bda514818 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 21 Mar 2021 12:58:56 +0100 +Subject: platform/x86: dell-wmi-sysman: Fix possible NULL pointer deref on + exit + +From: Hans de Goede + +[ Upstream commit c59ab4cedab70a1a117a2dba3c48bb78e66c55ca ] + +It is possible for release_attributes_data() to get called when the +main_dir_kset has not been created yet, move the removal of the bios-reset +sysfs attr to under a if (main_dir_kset) check to avoid a NULL pointer +deref. + +Fixes: e8a60aa7404b ("platform/x86: Introduce support for Systems Management Driver over WMI for Dell Systems") +Cc: Divya Bharathi +Cc: Mario Limonciello +Reported-by: Alexander Naumann +Signed-off-by: Hans de Goede +Link: https://lore.kernel.org/r/20210321115901.35072-3-hdegoede@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/dell-wmi-sysman/sysman.c | 11 ++--------- + 1 file changed, 2 insertions(+), 9 deletions(-) + +diff --git a/drivers/platform/x86/dell-wmi-sysman/sysman.c b/drivers/platform/x86/dell-wmi-sysman/sysman.c +index c1997db74cca..8b251b2c37a2 100644 +--- a/drivers/platform/x86/dell-wmi-sysman/sysman.c ++++ b/drivers/platform/x86/dell-wmi-sysman/sysman.c +@@ -225,12 +225,6 @@ static int create_attributes_level_sysfs_files(void) + return ret; + } + +-static void release_reset_bios_data(void) +-{ +- sysfs_remove_file(&wmi_priv.main_dir_kset->kobj, &reset_bios.attr); +- sysfs_remove_file(&wmi_priv.main_dir_kset->kobj, &pending_reboot.attr); +-} +- + static ssize_t wmi_sysman_attr_show(struct kobject *kobj, struct attribute *attr, + char *buf) + { +@@ -373,8 +367,6 @@ static void destroy_attribute_objs(struct kset *kset) + */ + static void release_attributes_data(void) + { +- release_reset_bios_data(); +- + mutex_lock(&wmi_priv.mutex); + exit_enum_attributes(); + exit_int_attributes(); +@@ -386,12 +378,13 @@ static void release_attributes_data(void) + wmi_priv.authentication_dir_kset = NULL; + } + if (wmi_priv.main_dir_kset) { ++ sysfs_remove_file(&wmi_priv.main_dir_kset->kobj, &reset_bios.attr); ++ sysfs_remove_file(&wmi_priv.main_dir_kset->kobj, &pending_reboot.attr); + destroy_attribute_objs(wmi_priv.main_dir_kset); + kset_unregister(wmi_priv.main_dir_kset); + wmi_priv.main_dir_kset = NULL; + } + mutex_unlock(&wmi_priv.mutex); +- + } + + /** +-- +2.30.1 + diff --git a/queue-5.11/platform-x86-dell-wmi-sysman-fix-release_attributes_.patch b/queue-5.11/platform-x86-dell-wmi-sysman-fix-release_attributes_.patch new file mode 100644 index 00000000000..e32e586f5f3 --- /dev/null +++ b/queue-5.11/platform-x86-dell-wmi-sysman-fix-release_attributes_.patch @@ -0,0 +1,42 @@ +From ac38042c0e6166995b4e76f6d1c340b37131063c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 21 Mar 2021 12:58:58 +0100 +Subject: platform/x86: dell-wmi-sysman: Fix release_attributes_data() getting + called twice on init_bios_attributes() failure + +From: Hans de Goede + +[ Upstream commit 59bbbeb9c22cc7c55965cd5ea8c16af7f16e61eb ] + +All calls of init_bios_attributes() will result in a +goto fail_create_group if they fail, which calls +release_attributes_data(). + +So there is no need to call release_attributes_data() from +init_bios_attributes() on failure itself. + +Fixes: e8a60aa7404b ("platform/x86: Introduce support for Systems Management Driver over WMI for Dell Systems") +Cc: Divya Bharathi +Cc: Mario Limonciello +Signed-off-by: Hans de Goede +Link: https://lore.kernel.org/r/20210321115901.35072-5-hdegoede@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/dell-wmi-sysman/sysman.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/platform/x86/dell-wmi-sysman/sysman.c b/drivers/platform/x86/dell-wmi-sysman/sysman.c +index 8b251b2c37a2..58dc4571f987 100644 +--- a/drivers/platform/x86/dell-wmi-sysman/sysman.c ++++ b/drivers/platform/x86/dell-wmi-sysman/sysman.c +@@ -491,7 +491,6 @@ nextobj: + + err_attr_init: + mutex_unlock(&wmi_priv.mutex); +- release_attributes_data(); + kfree(obj); + return retval; + } +-- +2.30.1 + diff --git a/queue-5.11/platform-x86-dell-wmi-sysman-make-it-safe-to-call-ex.patch b/queue-5.11/platform-x86-dell-wmi-sysman-make-it-safe-to-call-ex.patch new file mode 100644 index 00000000000..731012ac774 --- /dev/null +++ b/queue-5.11/platform-x86-dell-wmi-sysman-make-it-safe-to-call-ex.patch @@ -0,0 +1,91 @@ +From 765dada34cba61d6c61dc9ef9637c578849959c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 21 Mar 2021 12:58:57 +0100 +Subject: platform/x86: dell-wmi-sysman: Make it safe to call + exit_foo_attributes() multiple times + +From: Hans de Goede + +[ Upstream commit 2d0c418c91d8c86a1b9fb254dda842ada9919513 ] + +During some of the error-exit paths it is possible that +release_attributes_data() will get called multiple times, +which results in exit_foo_attributes() getting called multiple +times. + +Make it safe to call exit_foo_attributes() multiple times, +avoiding double-free()s in this case. + +Note that release_attributes_data() really should only be called +once during error-exit paths. This will be fixed in a separate patch +and it is good to have the exit_foo_attributes() functions modified +this way regardless. + +Fixes: e8a60aa7404b ("platform/x86: Introduce support for Systems Management Driver over WMI for Dell Systems") +Cc: Divya Bharathi +Cc: Mario Limonciello +Signed-off-by: Hans de Goede +Link: https://lore.kernel.org/r/20210321115901.35072-4-hdegoede@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/dell-wmi-sysman/enum-attributes.c | 3 +++ + drivers/platform/x86/dell-wmi-sysman/int-attributes.c | 3 +++ + drivers/platform/x86/dell-wmi-sysman/passobj-attributes.c | 3 +++ + drivers/platform/x86/dell-wmi-sysman/string-attributes.c | 3 +++ + 4 files changed, 12 insertions(+) + +diff --git a/drivers/platform/x86/dell-wmi-sysman/enum-attributes.c b/drivers/platform/x86/dell-wmi-sysman/enum-attributes.c +index 80f4b7785c6c..091e48c217ed 100644 +--- a/drivers/platform/x86/dell-wmi-sysman/enum-attributes.c ++++ b/drivers/platform/x86/dell-wmi-sysman/enum-attributes.c +@@ -185,5 +185,8 @@ void exit_enum_attributes(void) + sysfs_remove_group(wmi_priv.enumeration_data[instance_id].attr_name_kobj, + &enumeration_attr_group); + } ++ wmi_priv.enumeration_instances_count = 0; ++ + kfree(wmi_priv.enumeration_data); ++ wmi_priv.enumeration_data = NULL; + } +diff --git a/drivers/platform/x86/dell-wmi-sysman/int-attributes.c b/drivers/platform/x86/dell-wmi-sysman/int-attributes.c +index 75aedbb733be..8a49ba6e44f9 100644 +--- a/drivers/platform/x86/dell-wmi-sysman/int-attributes.c ++++ b/drivers/platform/x86/dell-wmi-sysman/int-attributes.c +@@ -175,5 +175,8 @@ void exit_int_attributes(void) + sysfs_remove_group(wmi_priv.integer_data[instance_id].attr_name_kobj, + &integer_attr_group); + } ++ wmi_priv.integer_instances_count = 0; ++ + kfree(wmi_priv.integer_data); ++ wmi_priv.integer_data = NULL; + } +diff --git a/drivers/platform/x86/dell-wmi-sysman/passobj-attributes.c b/drivers/platform/x86/dell-wmi-sysman/passobj-attributes.c +index 3abcd95477c0..834b3e82ad9f 100644 +--- a/drivers/platform/x86/dell-wmi-sysman/passobj-attributes.c ++++ b/drivers/platform/x86/dell-wmi-sysman/passobj-attributes.c +@@ -183,5 +183,8 @@ void exit_po_attributes(void) + sysfs_remove_group(wmi_priv.po_data[instance_id].attr_name_kobj, + &po_attr_group); + } ++ wmi_priv.po_instances_count = 0; ++ + kfree(wmi_priv.po_data); ++ wmi_priv.po_data = NULL; + } +diff --git a/drivers/platform/x86/dell-wmi-sysman/string-attributes.c b/drivers/platform/x86/dell-wmi-sysman/string-attributes.c +index ac75dce88a4c..552537852459 100644 +--- a/drivers/platform/x86/dell-wmi-sysman/string-attributes.c ++++ b/drivers/platform/x86/dell-wmi-sysman/string-attributes.c +@@ -155,5 +155,8 @@ void exit_str_attributes(void) + sysfs_remove_group(wmi_priv.str_data[instance_id].attr_name_kobj, + &str_attr_group); + } ++ wmi_priv.str_instances_count = 0; ++ + kfree(wmi_priv.str_data); ++ wmi_priv.str_data = NULL; + } +-- +2.30.1 + diff --git a/queue-5.11/platform-x86-dell-wmi-sysman-make-sysman_init-return.patch b/queue-5.11/platform-x86-dell-wmi-sysman-make-sysman_init-return.patch new file mode 100644 index 00000000000..7d24f1a995e --- /dev/null +++ b/queue-5.11/platform-x86-dell-wmi-sysman-make-sysman_init-return.patch @@ -0,0 +1,54 @@ +From 0eaf860fa0bf4ef1656333288f00211c99220ea9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 21 Mar 2021 12:59:00 +0100 +Subject: platform/x86: dell-wmi-sysman: Make sysman_init() return -ENODEV of + the interfaces are not found + +From: Hans de Goede + +[ Upstream commit 32418dd58c957f8fef25b97450d00275967604f1 ] + +When either the attributes or the password interface is not found, then +unregister the 2 wmi drivers again and return -ENODEV from sysman_init(). + +Fixes: e8a60aa7404b ("platform/x86: Introduce support for Systems Management Driver over WMI for Dell Systems") +Cc: Divya Bharathi +Cc: Mario Limonciello +Reported-by: Alexander Naumann +Signed-off-by: Hans de Goede +Link: https://lore.kernel.org/r/20210321115901.35072-7-hdegoede@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/dell-wmi-sysman/sysman.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/drivers/platform/x86/dell-wmi-sysman/sysman.c b/drivers/platform/x86/dell-wmi-sysman/sysman.c +index 99dc2f3bdf49..5dd9b29d939c 100644 +--- a/drivers/platform/x86/dell-wmi-sysman/sysman.c ++++ b/drivers/platform/x86/dell-wmi-sysman/sysman.c +@@ -506,15 +506,17 @@ static int __init sysman_init(void) + } + + ret = init_bios_attr_set_interface(); +- if (ret || !wmi_priv.bios_attr_wdev) { +- pr_debug("failed to initialize set interface\n"); ++ if (ret) + return ret; +- } + + ret = init_bios_attr_pass_interface(); +- if (ret || !wmi_priv.password_attr_wdev) { +- pr_debug("failed to initialize pass interface\n"); ++ if (ret) + goto err_exit_bios_attr_set_interface; ++ ++ if (!wmi_priv.bios_attr_wdev || !wmi_priv.password_attr_wdev) { ++ pr_debug("failed to find set or pass interface\n"); ++ ret = -ENODEV; ++ goto err_exit_bios_attr_pass_interface; + } + + ret = class_register(&firmware_attributes_class); +-- +2.30.1 + diff --git a/queue-5.11/platform-x86-intel_pmt_crashlog-fix-incorrect-macros.patch b/queue-5.11/platform-x86-intel_pmt_crashlog-fix-incorrect-macros.patch new file mode 100644 index 00000000000..2d167d17713 --- /dev/null +++ b/queue-5.11/platform-x86-intel_pmt_crashlog-fix-incorrect-macros.patch @@ -0,0 +1,54 @@ +From 422cf8bd9e32f42530027f16df2eaf75ac73f060 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Mar 2021 19:44:55 -0700 +Subject: platform/x86: intel_pmt_crashlog: Fix incorrect macros + +From: David E. Box + +[ Upstream commit 10c931cdfe64ebc38a15a485dd794915044f2111 ] + +Fixes off-by-one bugs in the macro assignments for the crashlog control +bits. Was initially tested on emulation but bug revealed after testing on +silicon. + +Fixes: 5ef9998c96b0 ("platform/x86: Intel PMT Crashlog capability driver") +Signed-off-by: David E. Box +Link: https://lore.kernel.org/r/20210317024455.3071477-2-david.e.box@linux.intel.com +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/intel_pmt_crashlog.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +diff --git a/drivers/platform/x86/intel_pmt_crashlog.c b/drivers/platform/x86/intel_pmt_crashlog.c +index 97dd749c8290..92d315a16cfd 100644 +--- a/drivers/platform/x86/intel_pmt_crashlog.c ++++ b/drivers/platform/x86/intel_pmt_crashlog.c +@@ -23,18 +23,17 @@ + #define CRASH_TYPE_OOBMSM 1 + + /* Control Flags */ +-#define CRASHLOG_FLAG_DISABLE BIT(27) ++#define CRASHLOG_FLAG_DISABLE BIT(28) + + /* +- * Bits 28 and 29 control the state of bit 31. ++ * Bits 29 and 30 control the state of bit 31. + * +- * Bit 28 will clear bit 31, if set, allowing a new crashlog to be captured. +- * Bit 29 will immediately trigger a crashlog to be generated, setting bit 31. +- * Bit 30 is read-only and reserved as 0. ++ * Bit 29 will clear bit 31, if set, allowing a new crashlog to be captured. ++ * Bit 30 will immediately trigger a crashlog to be generated, setting bit 31. + * Bit 31 is the read-only status with a 1 indicating log is complete. + */ +-#define CRASHLOG_FLAG_TRIGGER_CLEAR BIT(28) +-#define CRASHLOG_FLAG_TRIGGER_EXECUTE BIT(29) ++#define CRASHLOG_FLAG_TRIGGER_CLEAR BIT(29) ++#define CRASHLOG_FLAG_TRIGGER_EXECUTE BIT(30) + #define CRASHLOG_FLAG_TRIGGER_COMPLETE BIT(31) + #define CRASHLOG_FLAG_TRIGGER_MASK GENMASK(31, 28) + +-- +2.30.1 + diff --git a/queue-5.11/pm-em-postpone-creating-the-debugfs-dir-till-fs_init.patch b/queue-5.11/pm-em-postpone-creating-the-debugfs-dir-till-fs_init.patch new file mode 100644 index 00000000000..9a9b5548a01 --- /dev/null +++ b/queue-5.11/pm-em-postpone-creating-the-debugfs-dir-till-fs_init.patch @@ -0,0 +1,52 @@ +From 4e9fa02984df4030ca96a4e762d553e98e638332 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Mar 2021 14:56:08 +0000 +Subject: PM: EM: postpone creating the debugfs dir till fs_initcall + +From: Lukasz Luba + +[ Upstream commit fb9d62b27ab1e07d625591549c314b7d406d21df ] + +The debugfs directory '/sys/kernel/debug/energy_model' is needed before +the Energy Model registration can happen. With the recent change in +debugfs subsystem it's not allowed to create this directory at early +stage (core_initcall). Thus creating this directory would fail. + +Postpone the creation of the EM debug dir to later stage: fs_initcall. + +It should be safe since all clients: CPUFreq drivers, Devfreq drivers +will be initialized in later stages. + +The custom debug log below prints the time of creation the EM debug dir +at fs_initcall and successful registration of EMs at later stages. + +[ 1.505717] energy_model: creating rootdir +[ 3.698307] cpu cpu0: EM: created perf domain +[ 3.709022] cpu cpu1: EM: created perf domain + +Fixes: 56348560d495 ("debugfs: do not attempt to create a new file before the filesystem is initalized") +Reported-by: Ionela Voinescu +Signed-off-by: Lukasz Luba +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + kernel/power/energy_model.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/power/energy_model.c b/kernel/power/energy_model.c +index 1358fa4abfa8..0f4530b3a8cd 100644 +--- a/kernel/power/energy_model.c ++++ b/kernel/power/energy_model.c +@@ -98,7 +98,7 @@ static int __init em_debug_init(void) + + return 0; + } +-core_initcall(em_debug_init); ++fs_initcall(em_debug_init); + #else /* CONFIG_DEBUG_FS */ + static void em_debug_create_pd(struct device *dev) {} + static void em_debug_remove_pd(struct device *dev) {} +-- +2.30.1 + diff --git a/queue-5.11/pm-runtime-defer-suspending-suppliers.patch b/queue-5.11/pm-runtime-defer-suspending-suppliers.patch new file mode 100644 index 00000000000..f5810c2f21e --- /dev/null +++ b/queue-5.11/pm-runtime-defer-suspending-suppliers.patch @@ -0,0 +1,131 @@ +From fe09e3ae0ccc27a3696f026d25cee99ae5763128 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Mar 2021 15:47:31 +0100 +Subject: PM: runtime: Defer suspending suppliers + +From: Rafael J. Wysocki + +[ Upstream commit 5244f5e2d801259af877ee759e8c22364c607072 ] + +Because the PM-runtime status of the device is not updated in +__rpm_callback(), attempts to suspend the suppliers of the given +device triggered by the rpm_put_suppliers() call in there may +cause a supplier to be suspended completely before the status of +the consumer is updated to RPM_SUSPENDED, which is confusing. + +To avoid that (1) modify __rpm_callback() to only decrease the +PM-runtime usage counter of each supplier and (2) make rpm_suspend() +try to suspend the suppliers after changing the consumer's status to +RPM_SUSPENDED, in analogy with the device's parent. + +Link: https://lore.kernel.org/linux-pm/CAPDyKFqm06KDw_p8WXsM4dijDbho4bb6T4k50UqqvR1_COsp8g@mail.gmail.com/ +Fixes: 21d5c57b3726 ("PM / runtime: Use device links") +Reported-by: elaine.zhang +Diagnosed-by: Ulf Hansson +Reviewed-by: Ulf Hansson +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/base/power/runtime.c | 45 +++++++++++++++++++++++++++++++----- + 1 file changed, 39 insertions(+), 6 deletions(-) + +diff --git a/drivers/base/power/runtime.c b/drivers/base/power/runtime.c +index bfda153b1a41..5ef67bacb585 100644 +--- a/drivers/base/power/runtime.c ++++ b/drivers/base/power/runtime.c +@@ -305,7 +305,7 @@ static int rpm_get_suppliers(struct device *dev) + return 0; + } + +-static void rpm_put_suppliers(struct device *dev) ++static void __rpm_put_suppliers(struct device *dev, bool try_to_suspend) + { + struct device_link *link; + +@@ -313,10 +313,30 @@ static void rpm_put_suppliers(struct device *dev) + device_links_read_lock_held()) { + + while (refcount_dec_not_one(&link->rpm_active)) +- pm_runtime_put(link->supplier); ++ pm_runtime_put_noidle(link->supplier); ++ ++ if (try_to_suspend) ++ pm_request_idle(link->supplier); + } + } + ++static void rpm_put_suppliers(struct device *dev) ++{ ++ __rpm_put_suppliers(dev, true); ++} ++ ++static void rpm_suspend_suppliers(struct device *dev) ++{ ++ struct device_link *link; ++ int idx = device_links_read_lock(); ++ ++ list_for_each_entry_rcu(link, &dev->links.suppliers, c_node, ++ device_links_read_lock_held()) ++ pm_request_idle(link->supplier); ++ ++ device_links_read_unlock(idx); ++} ++ + /** + * __rpm_callback - Run a given runtime PM callback for a given device. + * @cb: Runtime PM callback to run. +@@ -344,8 +364,10 @@ static int __rpm_callback(int (*cb)(struct device *), struct device *dev) + idx = device_links_read_lock(); + + retval = rpm_get_suppliers(dev); +- if (retval) ++ if (retval) { ++ rpm_put_suppliers(dev); + goto fail; ++ } + + device_links_read_unlock(idx); + } +@@ -368,9 +390,9 @@ static int __rpm_callback(int (*cb)(struct device *), struct device *dev) + || (dev->power.runtime_status == RPM_RESUMING && retval))) { + idx = device_links_read_lock(); + +- fail: +- rpm_put_suppliers(dev); ++ __rpm_put_suppliers(dev, false); + ++fail: + device_links_read_unlock(idx); + } + +@@ -642,8 +664,11 @@ static int rpm_suspend(struct device *dev, int rpmflags) + goto out; + } + ++ if (dev->power.irq_safe) ++ goto out; ++ + /* Maybe the parent is now able to suspend. */ +- if (parent && !parent->power.ignore_children && !dev->power.irq_safe) { ++ if (parent && !parent->power.ignore_children) { + spin_unlock(&dev->power.lock); + + spin_lock(&parent->power.lock); +@@ -652,6 +677,14 @@ static int rpm_suspend(struct device *dev, int rpmflags) + + spin_lock(&dev->power.lock); + } ++ /* Maybe the suppliers are now able to suspend. */ ++ if (dev->power.links_count > 0) { ++ spin_unlock_irq(&dev->power.lock); ++ ++ rpm_suspend_suppliers(dev); ++ ++ spin_lock_irq(&dev->power.lock); ++ } + + out: + trace_rpm_return_int_rcuidle(dev, _THIS_IP_, retval); +-- +2.30.1 + diff --git a/queue-5.11/r8152-limit-the-rx-buffer-size-of-rtl8153a-for-usb-2.patch b/queue-5.11/r8152-limit-the-rx-buffer-size-of-rtl8153a-for-usb-2.patch new file mode 100644 index 00000000000..82f55d85757 --- /dev/null +++ b/queue-5.11/r8152-limit-the-rx-buffer-size-of-rtl8153a-for-usb-2.patch @@ -0,0 +1,50 @@ +From a22cb48b754aa4c54ec137794363fc0e7c051de1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Mar 2021 15:37:21 +0800 +Subject: r8152: limit the RX buffer size of RTL8153A for USB 2.0 + +From: Hayes Wang + +[ Upstream commit f91a50d8b51b5c8ef1cfb08115a005bba4250507 ] + +If the USB host controller is EHCI, the throughput is reduced from +300Mb/s to 60Mb/s, when the rx buffer size is modified from 16K to +32K. + +According to the EHCI spec, the maximum size of the qTD is 20K. +Therefore, when the driver uses more than 20K buffer, the latency +time of EHCI would be increased. And, it let the RTL8153A get worse +throughput. + +However, the driver uses alloc_pages() for rx buffer, so I limit +the rx buffer to 16K rather than 20K. + +BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=205923 +Fixes: ec5791c202ac ("r8152: separate the rx buffer size") +Reported-by: Robert Davies +Signed-off-by: Hayes Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/r8152.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c +index fd5ca11c4cbb..390d9e1fa7fe 100644 +--- a/drivers/net/usb/r8152.c ++++ b/drivers/net/usb/r8152.c +@@ -6502,7 +6502,10 @@ static int rtl_ops_init(struct r8152 *tp) + ops->in_nway = rtl8153_in_nway; + ops->hw_phy_cfg = r8153_hw_phy_cfg; + ops->autosuspend_en = rtl8153_runtime_enable; +- tp->rx_buf_sz = 32 * 1024; ++ if (tp->udev->speed < USB_SPEED_SUPER) ++ tp->rx_buf_sz = 16 * 1024; ++ else ++ tp->rx_buf_sz = 32 * 1024; + tp->eee_en = true; + tp->eee_adv = MDIO_EEE_1000T | MDIO_EEE_100TX; + break; +-- +2.30.1 + diff --git a/queue-5.11/rdma-cxgb4-fix-adapter-le-hash-errors-while-destroyi.patch b/queue-5.11/rdma-cxgb4-fix-adapter-le-hash-errors-while-destroyi.patch new file mode 100644 index 00000000000..f177d76fe06 --- /dev/null +++ b/queue-5.11/rdma-cxgb4-fix-adapter-le-hash-errors-while-destroyi.patch @@ -0,0 +1,48 @@ +From 4893fb7032b9d55cf5b7c420fa7e14e0ed3cd586 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Mar 2021 00:34:53 +0530 +Subject: RDMA/cxgb4: Fix adapter LE hash errors while destroying ipv6 + listening server + +From: Potnuri Bharat Teja + +[ Upstream commit 3408be145a5d6418ff955fe5badde652be90e700 ] + +Not setting the ipv6 bit while destroying ipv6 listening servers may +result in potential fatal adapter errors due to lookup engine memory hash +errors. Therefore always set ipv6 field while destroying ipv6 listening +servers. + +Fixes: 830662f6f032 ("RDMA/cxgb4: Add support for active and passive open connection with IPv6 address") +Link: https://lore.kernel.org/r/20210324190453.8171-1-bharat@chelsio.com +Signed-off-by: Potnuri Bharat Teja +Reviewed-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/cxgb4/cm.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/hw/cxgb4/cm.c b/drivers/infiniband/hw/cxgb4/cm.c +index 8769e7aa097f..81903749d241 100644 +--- a/drivers/infiniband/hw/cxgb4/cm.c ++++ b/drivers/infiniband/hw/cxgb4/cm.c +@@ -3610,13 +3610,13 @@ int c4iw_destroy_listen(struct iw_cm_id *cm_id) + ep->com.local_addr.ss_family == AF_INET) { + err = cxgb4_remove_server_filter( + ep->com.dev->rdev.lldi.ports[0], ep->stid, +- ep->com.dev->rdev.lldi.rxq_ids[0], 0); ++ ep->com.dev->rdev.lldi.rxq_ids[0], false); + } else { + struct sockaddr_in6 *sin6; + c4iw_init_wr_wait(ep->com.wr_waitp); + err = cxgb4_remove_server( + ep->com.dev->rdev.lldi.ports[0], ep->stid, +- ep->com.dev->rdev.lldi.rxq_ids[0], 0); ++ ep->com.dev->rdev.lldi.rxq_ids[0], true); + if (err) + goto done; + err = c4iw_wait_for_reply(&ep->com.dev->rdev, ep->com.wr_waitp, +-- +2.30.1 + diff --git a/queue-5.11/revert-netfilter-x_tables-switch-synchronization-to-.patch b/queue-5.11/revert-netfilter-x_tables-switch-synchronization-to-.patch new file mode 100644 index 00000000000..5c4a7d7becd --- /dev/null +++ b/queue-5.11/revert-netfilter-x_tables-switch-synchronization-to-.patch @@ -0,0 +1,363 @@ +From 61add682022f20bb0836b126583f80874692109a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Mar 2021 14:24:12 +1300 +Subject: Revert "netfilter: x_tables: Switch synchronization to RCU" + +From: Mark Tomlinson + +[ Upstream commit d3d40f237480abf3268956daf18cdc56edd32834 ] + +This reverts commit cc00bcaa589914096edef7fb87ca5cee4a166b5c. + +This (and the preceding) patch basically re-implemented the RCU +mechanisms of patch 784544739a25. That patch was replaced because of the +performance problems that it created when replacing tables. Now, we have +the same issue: the call to synchronize_rcu() makes replacing tables +slower by as much as an order of magnitude. + +Prior to using RCU a script calling "iptables" approx. 200 times was +taking 1.16s. With RCU this increased to 11.59s. + +Revert these patches and fix the issue in a different way. + +Signed-off-by: Mark Tomlinson +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/linux/netfilter/x_tables.h | 5 +-- + net/ipv4/netfilter/arp_tables.c | 14 ++++----- + net/ipv4/netfilter/ip_tables.c | 14 ++++----- + net/ipv6/netfilter/ip6_tables.c | 14 ++++----- + net/netfilter/x_tables.c | 49 +++++++++++++++++++++--------- + 5 files changed, 56 insertions(+), 40 deletions(-) + +diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h +index 8ebb64193757..5deb099d156d 100644 +--- a/include/linux/netfilter/x_tables.h ++++ b/include/linux/netfilter/x_tables.h +@@ -227,7 +227,7 @@ struct xt_table { + unsigned int valid_hooks; + + /* Man behind the curtain... */ +- struct xt_table_info __rcu *private; ++ struct xt_table_info *private; + + /* Set this to THIS_MODULE if you are a module, otherwise NULL */ + struct module *me; +@@ -448,9 +448,6 @@ xt_get_per_cpu_counter(struct xt_counters *cnt, unsigned int cpu) + + struct nf_hook_ops *xt_hook_ops_alloc(const struct xt_table *, nf_hookfn *); + +-struct xt_table_info +-*xt_table_get_private_protected(const struct xt_table *table); +- + #ifdef CONFIG_COMPAT + #include + +diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c +index c576a63d09db..04a2010755a6 100644 +--- a/net/ipv4/netfilter/arp_tables.c ++++ b/net/ipv4/netfilter/arp_tables.c +@@ -203,7 +203,7 @@ unsigned int arpt_do_table(struct sk_buff *skb, + + local_bh_disable(); + addend = xt_write_recseq_begin(); +- private = rcu_access_pointer(table->private); ++ private = READ_ONCE(table->private); /* Address dependency. */ + cpu = smp_processor_id(); + table_base = private->entries; + jumpstack = (struct arpt_entry **)private->jumpstack[cpu]; +@@ -649,7 +649,7 @@ static struct xt_counters *alloc_counters(const struct xt_table *table) + { + unsigned int countersize; + struct xt_counters *counters; +- const struct xt_table_info *private = xt_table_get_private_protected(table); ++ const struct xt_table_info *private = table->private; + + /* We need atomic snapshot of counters: rest doesn't change + * (other than comefrom, which userspace doesn't care +@@ -673,7 +673,7 @@ static int copy_entries_to_user(unsigned int total_size, + unsigned int off, num; + const struct arpt_entry *e; + struct xt_counters *counters; +- struct xt_table_info *private = xt_table_get_private_protected(table); ++ struct xt_table_info *private = table->private; + int ret = 0; + void *loc_cpu_entry; + +@@ -807,7 +807,7 @@ static int get_info(struct net *net, void __user *user, const int *len) + t = xt_request_find_table_lock(net, NFPROTO_ARP, name); + if (!IS_ERR(t)) { + struct arpt_getinfo info; +- const struct xt_table_info *private = xt_table_get_private_protected(t); ++ const struct xt_table_info *private = t->private; + #ifdef CONFIG_COMPAT + struct xt_table_info tmp; + +@@ -860,7 +860,7 @@ static int get_entries(struct net *net, struct arpt_get_entries __user *uptr, + + t = xt_find_table_lock(net, NFPROTO_ARP, get.name); + if (!IS_ERR(t)) { +- const struct xt_table_info *private = xt_table_get_private_protected(t); ++ const struct xt_table_info *private = t->private; + + if (get.size == private->size) + ret = copy_entries_to_user(private->size, +@@ -1017,7 +1017,7 @@ static int do_add_counters(struct net *net, sockptr_t arg, unsigned int len) + } + + local_bh_disable(); +- private = xt_table_get_private_protected(t); ++ private = t->private; + if (private->number != tmp.num_counters) { + ret = -EINVAL; + goto unlock_up_free; +@@ -1330,7 +1330,7 @@ static int compat_copy_entries_to_user(unsigned int total_size, + void __user *userptr) + { + struct xt_counters *counters; +- const struct xt_table_info *private = xt_table_get_private_protected(table); ++ const struct xt_table_info *private = table->private; + void __user *pos; + unsigned int size; + int ret = 0; +diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c +index e8f6f9d86237..a5b63f92b7f3 100644 +--- a/net/ipv4/netfilter/ip_tables.c ++++ b/net/ipv4/netfilter/ip_tables.c +@@ -258,7 +258,7 @@ ipt_do_table(struct sk_buff *skb, + WARN_ON(!(table->valid_hooks & (1 << hook))); + local_bh_disable(); + addend = xt_write_recseq_begin(); +- private = rcu_access_pointer(table->private); ++ private = READ_ONCE(table->private); /* Address dependency. */ + cpu = smp_processor_id(); + table_base = private->entries; + jumpstack = (struct ipt_entry **)private->jumpstack[cpu]; +@@ -791,7 +791,7 @@ static struct xt_counters *alloc_counters(const struct xt_table *table) + { + unsigned int countersize; + struct xt_counters *counters; +- const struct xt_table_info *private = xt_table_get_private_protected(table); ++ const struct xt_table_info *private = table->private; + + /* We need atomic snapshot of counters: rest doesn't change + (other than comefrom, which userspace doesn't care +@@ -815,7 +815,7 @@ copy_entries_to_user(unsigned int total_size, + unsigned int off, num; + const struct ipt_entry *e; + struct xt_counters *counters; +- const struct xt_table_info *private = xt_table_get_private_protected(table); ++ const struct xt_table_info *private = table->private; + int ret = 0; + const void *loc_cpu_entry; + +@@ -964,7 +964,7 @@ static int get_info(struct net *net, void __user *user, const int *len) + t = xt_request_find_table_lock(net, AF_INET, name); + if (!IS_ERR(t)) { + struct ipt_getinfo info; +- const struct xt_table_info *private = xt_table_get_private_protected(t); ++ const struct xt_table_info *private = t->private; + #ifdef CONFIG_COMPAT + struct xt_table_info tmp; + +@@ -1018,7 +1018,7 @@ get_entries(struct net *net, struct ipt_get_entries __user *uptr, + + t = xt_find_table_lock(net, AF_INET, get.name); + if (!IS_ERR(t)) { +- const struct xt_table_info *private = xt_table_get_private_protected(t); ++ const struct xt_table_info *private = t->private; + if (get.size == private->size) + ret = copy_entries_to_user(private->size, + t, uptr->entrytable); +@@ -1173,7 +1173,7 @@ do_add_counters(struct net *net, sockptr_t arg, unsigned int len) + } + + local_bh_disable(); +- private = xt_table_get_private_protected(t); ++ private = t->private; + if (private->number != tmp.num_counters) { + ret = -EINVAL; + goto unlock_up_free; +@@ -1543,7 +1543,7 @@ compat_copy_entries_to_user(unsigned int total_size, struct xt_table *table, + void __user *userptr) + { + struct xt_counters *counters; +- const struct xt_table_info *private = xt_table_get_private_protected(table); ++ const struct xt_table_info *private = table->private; + void __user *pos; + unsigned int size; + int ret = 0; +diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c +index 0d453fa9e327..81c042940b21 100644 +--- a/net/ipv6/netfilter/ip6_tables.c ++++ b/net/ipv6/netfilter/ip6_tables.c +@@ -280,7 +280,7 @@ ip6t_do_table(struct sk_buff *skb, + + local_bh_disable(); + addend = xt_write_recseq_begin(); +- private = rcu_access_pointer(table->private); ++ private = READ_ONCE(table->private); /* Address dependency. */ + cpu = smp_processor_id(); + table_base = private->entries; + jumpstack = (struct ip6t_entry **)private->jumpstack[cpu]; +@@ -807,7 +807,7 @@ static struct xt_counters *alloc_counters(const struct xt_table *table) + { + unsigned int countersize; + struct xt_counters *counters; +- const struct xt_table_info *private = xt_table_get_private_protected(table); ++ const struct xt_table_info *private = table->private; + + /* We need atomic snapshot of counters: rest doesn't change + (other than comefrom, which userspace doesn't care +@@ -831,7 +831,7 @@ copy_entries_to_user(unsigned int total_size, + unsigned int off, num; + const struct ip6t_entry *e; + struct xt_counters *counters; +- const struct xt_table_info *private = xt_table_get_private_protected(table); ++ const struct xt_table_info *private = table->private; + int ret = 0; + const void *loc_cpu_entry; + +@@ -980,7 +980,7 @@ static int get_info(struct net *net, void __user *user, const int *len) + t = xt_request_find_table_lock(net, AF_INET6, name); + if (!IS_ERR(t)) { + struct ip6t_getinfo info; +- const struct xt_table_info *private = xt_table_get_private_protected(t); ++ const struct xt_table_info *private = t->private; + #ifdef CONFIG_COMPAT + struct xt_table_info tmp; + +@@ -1035,7 +1035,7 @@ get_entries(struct net *net, struct ip6t_get_entries __user *uptr, + + t = xt_find_table_lock(net, AF_INET6, get.name); + if (!IS_ERR(t)) { +- struct xt_table_info *private = xt_table_get_private_protected(t); ++ struct xt_table_info *private = t->private; + if (get.size == private->size) + ret = copy_entries_to_user(private->size, + t, uptr->entrytable); +@@ -1189,7 +1189,7 @@ do_add_counters(struct net *net, sockptr_t arg, unsigned int len) + } + + local_bh_disable(); +- private = xt_table_get_private_protected(t); ++ private = t->private; + if (private->number != tmp.num_counters) { + ret = -EINVAL; + goto unlock_up_free; +@@ -1552,7 +1552,7 @@ compat_copy_entries_to_user(unsigned int total_size, struct xt_table *table, + void __user *userptr) + { + struct xt_counters *counters; +- const struct xt_table_info *private = xt_table_get_private_protected(table); ++ const struct xt_table_info *private = table->private; + void __user *pos; + unsigned int size; + int ret = 0; +diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c +index bce6ca203d46..7df3aef39c5c 100644 +--- a/net/netfilter/x_tables.c ++++ b/net/netfilter/x_tables.c +@@ -1351,14 +1351,6 @@ struct xt_counters *xt_counters_alloc(unsigned int counters) + } + EXPORT_SYMBOL(xt_counters_alloc); + +-struct xt_table_info +-*xt_table_get_private_protected(const struct xt_table *table) +-{ +- return rcu_dereference_protected(table->private, +- mutex_is_locked(&xt[table->af].mutex)); +-} +-EXPORT_SYMBOL(xt_table_get_private_protected); +- + struct xt_table_info * + xt_replace_table(struct xt_table *table, + unsigned int num_counters, +@@ -1366,6 +1358,7 @@ xt_replace_table(struct xt_table *table, + int *error) + { + struct xt_table_info *private; ++ unsigned int cpu; + int ret; + + ret = xt_jumpstack_alloc(newinfo); +@@ -1375,20 +1368,47 @@ xt_replace_table(struct xt_table *table, + } + + /* Do the substitution. */ +- private = xt_table_get_private_protected(table); ++ local_bh_disable(); ++ private = table->private; + + /* Check inside lock: is the old number correct? */ + if (num_counters != private->number) { + pr_debug("num_counters != table->private->number (%u/%u)\n", + num_counters, private->number); ++ local_bh_enable(); + *error = -EAGAIN; + return NULL; + } + + newinfo->initial_entries = private->initial_entries; ++ /* ++ * Ensure contents of newinfo are visible before assigning to ++ * private. ++ */ ++ smp_wmb(); ++ table->private = newinfo; ++ ++ /* make sure all cpus see new ->private value */ ++ smp_wmb(); + +- rcu_assign_pointer(table->private, newinfo); +- synchronize_rcu(); ++ /* ++ * Even though table entries have now been swapped, other CPU's ++ * may still be using the old entries... ++ */ ++ local_bh_enable(); ++ ++ /* ... so wait for even xt_recseq on all cpus */ ++ for_each_possible_cpu(cpu) { ++ seqcount_t *s = &per_cpu(xt_recseq, cpu); ++ u32 seq = raw_read_seqcount(s); ++ ++ if (seq & 1) { ++ do { ++ cond_resched(); ++ cpu_relax(); ++ } while (seq == raw_read_seqcount(s)); ++ } ++ } + + audit_log_nfcfg(table->name, table->af, private->number, + !private->number ? AUDIT_XT_OP_REGISTER : +@@ -1424,12 +1444,12 @@ struct xt_table *xt_register_table(struct net *net, + } + + /* Simplifies replace_table code. */ +- rcu_assign_pointer(table->private, bootstrap); ++ table->private = bootstrap; + + if (!xt_replace_table(table, 0, newinfo, &ret)) + goto unlock; + +- private = xt_table_get_private_protected(table); ++ private = table->private; + pr_debug("table->private->number = %u\n", private->number); + + /* save number of initial entries */ +@@ -1452,8 +1472,7 @@ void *xt_unregister_table(struct xt_table *table) + struct xt_table_info *private; + + mutex_lock(&xt[table->af].mutex); +- private = xt_table_get_private_protected(table); +- RCU_INIT_POINTER(table->private, NULL); ++ private = table->private; + list_del(&table->list); + mutex_unlock(&xt[table->af].mutex); + audit_log_nfcfg(table->name, table->af, private->number, +-- +2.30.1 + diff --git a/queue-5.11/revert-netfilter-x_tables-update-remaining-dereferen.patch b/queue-5.11/revert-netfilter-x_tables-update-remaining-dereferen.patch new file mode 100644 index 00000000000..8e1f0cd2c6d --- /dev/null +++ b/queue-5.11/revert-netfilter-x_tables-update-remaining-dereferen.patch @@ -0,0 +1,70 @@ +From 64eed52080fe893f5be70fe68b96aec7d970ed0a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Mar 2021 14:24:11 +1300 +Subject: Revert "netfilter: x_tables: Update remaining dereference to RCU" + +From: Mark Tomlinson + +[ Upstream commit abe7034b9a8d57737e80cc16d60ed3666990bdbf ] + +This reverts commit 443d6e86f821a165fae3fc3fc13086d27ac140b1. + +This (and the following) patch basically re-implemented the RCU +mechanisms of patch 784544739a25. That patch was replaced because of the +performance problems that it created when replacing tables. Now, we have +the same issue: the call to synchronize_rcu() makes replacing tables +slower by as much as an order of magnitude. + +Revert these patches and fix the issue in a different way. + +Signed-off-by: Mark Tomlinson +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/ipv4/netfilter/arp_tables.c | 2 +- + net/ipv4/netfilter/ip_tables.c | 2 +- + net/ipv6/netfilter/ip6_tables.c | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c +index 04a2010755a6..d1e04d2b5170 100644 +--- a/net/ipv4/netfilter/arp_tables.c ++++ b/net/ipv4/netfilter/arp_tables.c +@@ -1379,7 +1379,7 @@ static int compat_get_entries(struct net *net, + xt_compat_lock(NFPROTO_ARP); + t = xt_find_table_lock(net, NFPROTO_ARP, get.name); + if (!IS_ERR(t)) { +- const struct xt_table_info *private = xt_table_get_private_protected(t); ++ const struct xt_table_info *private = t->private; + struct xt_table_info info; + + ret = compat_table_info(private, &info); +diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c +index a5b63f92b7f3..f15bc21d7301 100644 +--- a/net/ipv4/netfilter/ip_tables.c ++++ b/net/ipv4/netfilter/ip_tables.c +@@ -1589,7 +1589,7 @@ compat_get_entries(struct net *net, struct compat_ipt_get_entries __user *uptr, + xt_compat_lock(AF_INET); + t = xt_find_table_lock(net, AF_INET, get.name); + if (!IS_ERR(t)) { +- const struct xt_table_info *private = xt_table_get_private_protected(t); ++ const struct xt_table_info *private = t->private; + struct xt_table_info info; + ret = compat_table_info(private, &info); + if (!ret && get.size == info.size) +diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c +index 81c042940b21..2e2119bfcf13 100644 +--- a/net/ipv6/netfilter/ip6_tables.c ++++ b/net/ipv6/netfilter/ip6_tables.c +@@ -1598,7 +1598,7 @@ compat_get_entries(struct net *net, struct compat_ip6t_get_entries __user *uptr, + xt_compat_lock(AF_INET6); + t = xt_find_table_lock(net, AF_INET6, get.name); + if (!IS_ERR(t)) { +- const struct xt_table_info *private = xt_table_get_private_protected(t); ++ const struct xt_table_info *private = t->private; + struct xt_table_info info; + ret = compat_table_info(private, &info); + if (!ret && get.size == info.size) +-- +2.30.1 + diff --git a/queue-5.11/sctp-move-sk_route_caps-check-and-set-into-sctp_outq.patch b/queue-5.11/sctp-move-sk_route_caps-check-and-set-into-sctp_outq.patch new file mode 100644 index 00000000000..c31ee1c8ea6 --- /dev/null +++ b/queue-5.11/sctp-move-sk_route_caps-check-and-set-into-sctp_outq.patch @@ -0,0 +1,83 @@ +From 92b6b55150c190502653237730e1feaa00358630 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Mar 2021 11:52:41 +0800 +Subject: sctp: move sk_route_caps check and set into + sctp_outq_flush_transports + +From: Xin Long + +[ Upstream commit 8ff0b1f08ea73e5c08f5addd23481e76a60e741c ] + +The sk's sk_route_caps is set in sctp_packet_config, and later it +only needs to change when traversing the transport_list in a loop, +as the dst might be changed in the tx path. + +So move sk_route_caps check and set into sctp_outq_flush_transports +from sctp_packet_transmit. This also fixes a dst leak reported by +Chen Yi: + + https://bugzilla.kernel.org/show_bug.cgi?id=212227 + +As calling sk_setup_caps() in sctp_packet_transmit may also set the +sk_route_caps for the ctrl sock in a netns. When the netns is being +deleted, the ctrl sock's releasing is later than dst dev's deleting, +which will cause this dev's deleting to hang and dmesg error occurs: + + unregister_netdevice: waiting for xxx to become free. Usage count = 1 + +Reported-by: Chen Yi +Fixes: bcd623d8e9fa ("sctp: call sk_setup_caps in sctp_packet_transmit instead") +Signed-off-by: Xin Long +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sctp/output.c | 7 ------- + net/sctp/outqueue.c | 7 +++++++ + 2 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/net/sctp/output.c b/net/sctp/output.c +index 6614c9fdc51e..a6aa17df09ef 100644 +--- a/net/sctp/output.c ++++ b/net/sctp/output.c +@@ -584,13 +584,6 @@ int sctp_packet_transmit(struct sctp_packet *packet, gfp_t gfp) + goto out; + } + +- rcu_read_lock(); +- if (__sk_dst_get(sk) != tp->dst) { +- dst_hold(tp->dst); +- sk_setup_caps(sk, tp->dst); +- } +- rcu_read_unlock(); +- + /* pack up chunks */ + pkt_count = sctp_packet_pack(packet, head, gso, gfp); + if (!pkt_count) { +diff --git a/net/sctp/outqueue.c b/net/sctp/outqueue.c +index 3fd06a27105d..5cb1aa5f067b 100644 +--- a/net/sctp/outqueue.c ++++ b/net/sctp/outqueue.c +@@ -1135,6 +1135,7 @@ static void sctp_outq_flush_data(struct sctp_flush_ctx *ctx, + + static void sctp_outq_flush_transports(struct sctp_flush_ctx *ctx) + { ++ struct sock *sk = ctx->asoc->base.sk; + struct list_head *ltransport; + struct sctp_packet *packet; + struct sctp_transport *t; +@@ -1144,6 +1145,12 @@ static void sctp_outq_flush_transports(struct sctp_flush_ctx *ctx) + t = list_entry(ltransport, struct sctp_transport, send_ready); + packet = &t->packet; + if (!sctp_packet_empty(packet)) { ++ rcu_read_lock(); ++ if (t->dst && __sk_dst_get(sk) != t->dst) { ++ dst_hold(t->dst); ++ sk_setup_caps(sk, t->dst); ++ } ++ rcu_read_unlock(); + error = sctp_packet_transmit(packet, ctx->gfp); + if (error < 0) + ctx->q->asoc->base.sk->sk_err = -error; +-- +2.30.1 + diff --git a/queue-5.11/selftests-bpf-set-gopt-opt_class-to-0-if-get-tunnel-.patch b/queue-5.11/selftests-bpf-set-gopt-opt_class-to-0-if-get-tunnel-.patch new file mode 100644 index 00000000000..750203df65c --- /dev/null +++ b/queue-5.11/selftests-bpf-set-gopt-opt_class-to-0-if-get-tunnel-.patch @@ -0,0 +1,47 @@ +From 19e5566a025970f86429ef3e6efe756bc36dd16b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Mar 2021 11:22:14 +0800 +Subject: selftests/bpf: Set gopt opt_class to 0 if get tunnel opt failed + +From: Hangbin Liu + +[ Upstream commit 31254dc9566221429d2cfb45fd5737985d70f2b6 ] + +When fixing the bpf test_tunnel.sh geneve failure. I only fixed the IPv4 +part but forgot the IPv6 issue. Similar with the IPv4 fixes 557c223b643a +("selftests/bpf: No need to drop the packet when there is no geneve opt"), +when there is no tunnel option and bpf_skb_get_tunnel_opt() returns error, +there is no need to drop the packets and break all geneve rx traffic. +Just set opt_class to 0 and keep returning TC_ACT_OK at the end. + +Fixes: 557c223b643a ("selftests/bpf: No need to drop the packet when there is no geneve opt") +Fixes: 933a741e3b82 ("selftests/bpf: bpf tunnel test.") +Signed-off-by: Hangbin Liu +Signed-off-by: Daniel Borkmann +Acked-by: William Tu +Link: https://lore.kernel.org/bpf/20210309032214.2112438-1-liuhangbin@gmail.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/progs/test_tunnel_kern.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/tools/testing/selftests/bpf/progs/test_tunnel_kern.c b/tools/testing/selftests/bpf/progs/test_tunnel_kern.c +index 9afe947cfae9..ba6eadfec565 100644 +--- a/tools/testing/selftests/bpf/progs/test_tunnel_kern.c ++++ b/tools/testing/selftests/bpf/progs/test_tunnel_kern.c +@@ -508,10 +508,8 @@ int _ip6geneve_get_tunnel(struct __sk_buff *skb) + } + + ret = bpf_skb_get_tunnel_opt(skb, &gopt, sizeof(gopt)); +- if (ret < 0) { +- ERROR(ret); +- return TC_ACT_SHOT; +- } ++ if (ret < 0) ++ gopt.opt_class = 0; + + bpf_trace_printk(fmt, sizeof(fmt), + key.tunnel_id, key.remote_ipv4, gopt.opt_class); +-- +2.30.1 + diff --git a/queue-5.11/selftests-forwarding-vxlan_bridge_1d-fix-vxlan-ecn-d.patch b/queue-5.11/selftests-forwarding-vxlan_bridge_1d-fix-vxlan-ecn-d.patch new file mode 100644 index 00000000000..dded1612fbb --- /dev/null +++ b/queue-5.11/selftests-forwarding-vxlan_bridge_1d-fix-vxlan-ecn-d.patch @@ -0,0 +1,46 @@ +From cc6f1a40381a6cde8028ddb9e1f6e64045ffbcc2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Mar 2021 22:33:14 +0800 +Subject: selftests: forwarding: vxlan_bridge_1d: Fix vxlan ecn decapsulate + value + +From: Hangbin Liu + +[ Upstream commit 5aa3c334a449bab24519c4967f5ac2b3304c8dcf ] + +The ECN bit defines ECT(1) = 1, ECT(0) = 2. So inner 0x02 + outer 0x01 +should be inner ECT(0) + outer ECT(1). Based on the description of +__INET_ECN_decapsulate, the final decapsulate value should be +ECT(1). So fix the test expect value to 0x01. + +Before the fix: +TEST: VXLAN: ECN decap: 01/02->0x02 [FAIL] + Expected to capture 10 packets, got 0. + +After the fix: +TEST: VXLAN: ECN decap: 01/02->0x01 [ OK ] + +Fixes: a0b61f3d8ebf ("selftests: forwarding: vxlan_bridge_1d: Add an ECN decap test") +Signed-off-by: Hangbin Liu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/forwarding/vxlan_bridge_1d.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/net/forwarding/vxlan_bridge_1d.sh b/tools/testing/selftests/net/forwarding/vxlan_bridge_1d.sh +index ce6bea9675c0..0ccb1dda099a 100755 +--- a/tools/testing/selftests/net/forwarding/vxlan_bridge_1d.sh ++++ b/tools/testing/selftests/net/forwarding/vxlan_bridge_1d.sh +@@ -658,7 +658,7 @@ test_ecn_decap() + # In accordance with INET_ECN_decapsulate() + __test_ecn_decap 00 00 0x00 + __test_ecn_decap 01 01 0x01 +- __test_ecn_decap 02 01 0x02 ++ __test_ecn_decap 02 01 0x01 + __test_ecn_decap 01 03 0x03 + __test_ecn_decap 02 03 0x03 + test_ecn_decap_error +-- +2.30.1 + diff --git a/queue-5.11/selftests-net-fix-warnings-on-reuseaddr_ports_exhaus.patch b/queue-5.11/selftests-net-fix-warnings-on-reuseaddr_ports_exhaus.patch new file mode 100644 index 00000000000..aee6349a7ff --- /dev/null +++ b/queue-5.11/selftests-net-fix-warnings-on-reuseaddr_ports_exhaus.patch @@ -0,0 +1,73 @@ +From 4ab6e984922c2b45b8111346ae48175d69970ae1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Mar 2021 01:04:29 +0000 +Subject: selftests/net: fix warnings on reuseaddr_ports_exhausted + +From: Carlos Llamas + +[ Upstream commit 81f711d67a973bf8a6db9556faf299b4074d536e ] + +Fix multiple warnings seen with gcc 10.2.1: +reuseaddr_ports_exhausted.c:32:41: warning: missing braces around initializer [-Wmissing-braces] + 32 | struct reuse_opts unreusable_opts[12] = { + | ^ + 33 | {0, 0, 0, 0}, + | { } { } + +Fixes: 7f204a7de8b0 ("selftests: net: Add SO_REUSEADDR test to check if 4-tuples are fully utilized.") +Signed-off-by: Carlos Llamas +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../selftests/net/reuseaddr_ports_exhausted.c | 32 +++++++++---------- + 1 file changed, 16 insertions(+), 16 deletions(-) + +diff --git a/tools/testing/selftests/net/reuseaddr_ports_exhausted.c b/tools/testing/selftests/net/reuseaddr_ports_exhausted.c +index 7b01b7c2ec10..066efd30e294 100644 +--- a/tools/testing/selftests/net/reuseaddr_ports_exhausted.c ++++ b/tools/testing/selftests/net/reuseaddr_ports_exhausted.c +@@ -30,25 +30,25 @@ struct reuse_opts { + }; + + struct reuse_opts unreusable_opts[12] = { +- {0, 0, 0, 0}, +- {0, 0, 0, 1}, +- {0, 0, 1, 0}, +- {0, 0, 1, 1}, +- {0, 1, 0, 0}, +- {0, 1, 0, 1}, +- {0, 1, 1, 0}, +- {0, 1, 1, 1}, +- {1, 0, 0, 0}, +- {1, 0, 0, 1}, +- {1, 0, 1, 0}, +- {1, 0, 1, 1}, ++ {{0, 0}, {0, 0}}, ++ {{0, 0}, {0, 1}}, ++ {{0, 0}, {1, 0}}, ++ {{0, 0}, {1, 1}}, ++ {{0, 1}, {0, 0}}, ++ {{0, 1}, {0, 1}}, ++ {{0, 1}, {1, 0}}, ++ {{0, 1}, {1, 1}}, ++ {{1, 0}, {0, 0}}, ++ {{1, 0}, {0, 1}}, ++ {{1, 0}, {1, 0}}, ++ {{1, 0}, {1, 1}}, + }; + + struct reuse_opts reusable_opts[4] = { +- {1, 1, 0, 0}, +- {1, 1, 0, 1}, +- {1, 1, 1, 0}, +- {1, 1, 1, 1}, ++ {{1, 1}, {0, 0}}, ++ {{1, 1}, {0, 1}}, ++ {{1, 1}, {1, 0}}, ++ {{1, 1}, {1, 1}}, + }; + + int bind_port(struct __test_metadata *_metadata, int reuseaddr, int reuseport) +-- +2.30.1 + diff --git a/queue-5.11/selinux-vsock-set-sid-for-socket-returned-by-accept.patch b/queue-5.11/selinux-vsock-set-sid-for-socket-returned-by-accept.patch new file mode 100644 index 00000000000..e19c96b1116 --- /dev/null +++ b/queue-5.11/selinux-vsock-set-sid-for-socket-returned-by-accept.patch @@ -0,0 +1,41 @@ +From 340eae4632206208d0b0f64fddd7e4664d5d8826 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Mar 2021 13:05:41 +0000 +Subject: selinux: vsock: Set SID for socket returned by accept() + +From: David Brazdil + +[ Upstream commit 1f935e8e72ec28dddb2dc0650b3b6626a293d94b ] + +For AF_VSOCK, accept() currently returns sockets that are unlabelled. +Other socket families derive the child's SID from the SID of the parent +and the SID of the incoming packet. This is typically done as the +connected socket is placed in the queue that accept() removes from. + +Reuse the existing 'security_sk_clone' hook to copy the SID from the +parent (server) socket to the child. There is no packet SID in this +case. + +Fixes: d021c344051a ("VSOCK: Introduce VM Sockets") +Signed-off-by: David Brazdil +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/vmw_vsock/af_vsock.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c +index 5546710d8ac1..bc7fb9bf3351 100644 +--- a/net/vmw_vsock/af_vsock.c ++++ b/net/vmw_vsock/af_vsock.c +@@ -755,6 +755,7 @@ static struct sock *__vsock_create(struct net *net, + vsk->buffer_size = psk->buffer_size; + vsk->buffer_min_size = psk->buffer_min_size; + vsk->buffer_max_size = psk->buffer_max_size; ++ security_sk_clone(parent, sk); + } else { + vsk->trusted = ns_capable_noaudit(&init_user_ns, CAP_NET_ADMIN); + vsk->owner = get_current_cred(); +-- +2.30.1 + diff --git a/queue-5.11/series b/queue-5.11/series index 5915feef6cf..1638accde8b 100644 --- a/queue-5.11/series +++ b/queue-5.11/series @@ -103,3 +103,127 @@ drm-i915-fix-the-gt-fence-revocation-runtime-pm-logic.patch dm-verity-fix-dm_verity_opts_max-value.patch dm-don-t-report-detected-capacity-change-on-device-creation.patch dm-ioctl-fix-out-of-bounds-array-access-when-no-devices.patch +bus-omap_l3_noc-mark-l3-irqs-as-irqf_no_thread.patch +soc-ti-omap-prm-fix-reboot-issue-with-invalid-pcie-r.patch +arm-omap2-fix-smartreflex-init-regression-after-drop.patch +soc-ti-omap-prm-fix-occasional-abort-on-reset-deasse.patch +veth-store-queue_mapping-independently-of-xdp-prog-p.patch +bpf-dont-allow-vmlinux-btf-to-be-used-in-map_create-.patch +bpf-change-inode_storage-s-lookup_elem-return-value-.patch +libbpf-fix-install-flag-order.patch +net-mlx5e-rx-mind-the-mpwqe-gaps-when-calculating-of.patch +net-mlx5e-set-ptp-channel-pointer-explicitly-to-null.patch +net-mlx5e-when-changing-xdp-program-without-reset-ta.patch +net-mlx5e-revert-parameters-on-errors-when-changing-.patch +net-mlx5e-don-t-match-on-geneve-options-in-case-opti.patch +net-mlx5e-e-switch-fix-rate-calculation-division.patch +ipv6-fix-suspecious-rcu-usage-warning.patch +drop_monitor-perform-cleanup-upon-probe-registration.patch +macvlan-macvlan_count_rx-needs-to-be-aware-of-preemp.patch +net-sched-validate-stab-values.patch +net-dsa-bcm_sf2-qualify-phydev-dev_flags-based-on-po.patch +igc-reinit_locked-should-be-called-with-rtnl_lock.patch +igc-fix-pause-frame-advertising.patch +igc-fix-supported-pause-frame-link-setting.patch +igc-fix-igc_ptp_rx_pktstamp.patch +e1000e-add-rtnl_lock-to-e1000_reset_task.patch +e1000e-fix-error-handling-in-e1000_set_d0_lplu_state.patch +kunit-tool-disable-page_poisoning-under-alltests.patch +net-qlcnic-fix-a-use-after-free-in-qlcnic_83xx_get_m.patch +net-phy-broadcom-add-power-down-exit-reset-state-del.patch +ice-fix-napi-work-done-reporting-in-xsk-path.patch +ftgmac100-restart-mac-hw-once.patch +clk-qcom-gcc-sc7180-use-floor-ops-for-the-correct-sd.patch +net-ipa-terminate-message-handler-arrays.patch +net-qrtr-fix-a-kernel-infoleak-in-qrtr_recvmsg.patch +flow_dissector-fix-byteorder-of-dissected-icmp-id.patch +selftests-bpf-set-gopt-opt_class-to-0-if-get-tunnel-.patch +netfilter-ctnetlink-fix-dump-of-the-expect-mask-attr.patch +net-hdlc_x25-prevent-racing-between-x25_close-and-x2.patch +net-phylink-fix-phylink_err-function-name-error-in-p.patch +tipc-better-validate-user-input-in-tipc_nl_retrieve_.patch +tcp-relookup-sock-for-rst-ack-packets-handled-by-obs.patch +mptcp-fix-add_addr-hmac-in-case-port-is-specified.patch +can-isotp-isotp_setsockopt-only-allow-to-set-low-lev.patch +can-isotp-tx-path-ensure-that-can-frame-flags-are-in.patch +can-peak_usb-add-forgotten-supported-devices.patch +can-flexcan-flexcan_chip_freeze-fix-chip-freeze-for-.patch +can-kvaser_pciefd-always-disable-bus-load-reporting.patch +can-c_can_pci-c_can_pci_remove-fix-use-after-free.patch +can-c_can-move-runtime-pm-enable-disable-to-c_can_pl.patch +can-m_can-m_can_do_rx_poll-fix-extraneous-msg-loss-w.patch +can-m_can-m_can_rx_peripheral-fix-rx-being-blocked-b.patch +mac80211-fix-rate-mask-reset.patch +mac80211-allow-he-operation-to-be-longer-than-expect.patch +selftests-net-fix-warnings-on-reuseaddr_ports_exhaus.patch +nfp-flower-fix-unsupported-pre_tunnel-flows.patch +nfp-flower-add-ipv6-bit-to-pre_tunnel-control-messag.patch +nfp-flower-fix-pre_tun-mask-id-allocation.patch +ftrace-fix-modify_ftrace_direct.patch +drm-msm-dsi-fix-check-before-set-in-the-7nm-dsi_pll-.patch +ionic-linearize-tso-skb-with-too-many-frags.patch +net-sched-cls_flower-fix-only-mask-bit-check-in-the-.patch +netfilter-nftables-report-eopnotsupp-on-unsupported-.patch +netfilter-nftables-allow-to-update-flowtable-flags.patch +netfilter-flowtable-make-sure-gc-works-periodically-.patch +libbpf-fix-error-path-in-bpf_object__elf_init.patch +libbpf-use-sock_cloexec-when-opening-the-netlink-soc.patch +arm-dts-imx6ull-fix-ubi-filesystem-mount-failed.patch +ipv6-weaken-the-v4mapped-source-check.patch +octeontx2-af-formatting-debugfs-entry-rsrc_alloc.patch +octeontx2-af-remove-tos-field-from-mkex-tx.patch +octeontx2-af-fix-irq-free-in-rvu-teardown.patch +octeontx2-pf-clear-rss-enable-flag-on-interace-down.patch +octeontx2-af-fix-infinite-loop-in-unmapping-npc-coun.patch +net-check-all-name-nodes-in-__dev_alloc_name.patch +net-cdc-phonet-fix-data-interface-release-on-probe-f.patch +igb-check-timestamp-validity.patch +sctp-move-sk_route_caps-check-and-set-into-sctp_outq.patch +r8152-limit-the-rx-buffer-size-of-rtl8153a-for-usb-2.patch +net-stmmac-dwmac-sun8i-provide-tx-and-rx-fifo-sizes.patch +selinux-vsock-set-sid-for-socket-returned-by-accept.patch +selftests-forwarding-vxlan_bridge_1d-fix-vxlan-ecn-d.patch +libbpf-fix-btf-dump-of-pointer-to-array-of-struct.patch +bpf-fix-umd-memory-leak-in-copy_process.patch +can-isotp-tx-path-zero-initialize-outgoing-can-frame.patch +platform-x86-dell-wmi-sysman-fix-crash-caused-by-cal.patch +platform-x86-dell-wmi-sysman-fix-possible-null-point.patch +platform-x86-dell-wmi-sysman-make-it-safe-to-call-ex.patch +platform-x86-dell-wmi-sysman-fix-release_attributes_.patch +platform-x86-dell-wmi-sysman-cleanup-sysman_init-err.patch +platform-x86-dell-wmi-sysman-make-sysman_init-return.patch +drm-msm-fix-shutdown-hook-in-case-gpu-components-fai.patch +drm-msm-fix-suspend-resume-on-i.mx5.patch +arm64-kdump-update-ppos-when-reading-elfcorehdr.patch +pm-runtime-defer-suspending-suppliers.patch +net-mlx5-add-back-multicast-stats-for-uplink-represe.patch +net-mlx5e-allow-to-match-on-mpls-parameters-only-for.patch +net-mlx5e-offload-tuple-rewrite-for-non-ct-flows.patch +net-mlx5e-fix-error-path-for-ethtool-set-priv-flag.patch +mfd-intel_quark_i2c_gpio-revert-constify-static-stru.patch +pm-em-postpone-creating-the-debugfs-dir-till-fs_init.patch +platform-x86-intel_pmt_crashlog-fix-incorrect-macros.patch +net-bridge-don-t-notify-switchdev-for-local-fdb-addr.patch +octeontx2-af-fix-memory-leak-of-object-buf.patch +xen-x86-make-xen_balloon_memory_hotplug_limit-depend.patch +rdma-cxgb4-fix-adapter-le-hash-errors-while-destroyi.patch +mm-memblock-fix-section-mismatch-warning-again.patch +bpf-don-t-do-bpf_cgroup_storage_set-for-kuprobe-tp-p.patch +net-consolidate-common-blackhole-dst-ops.patch +net-bpf-fix-ip6ip6-crash-with-collect_md-populated-s.patch +igb-avoid-premature-rx-buffer-reuse.patch +net-axienet-fix-probe-error-cleanup.patch +net-phy-introduce-phydev-port.patch +net-phy-broadcom-avoid-forward-for-bcm54xx_config_cl.patch +net-phy-broadcom-set-proper-1000basex-sgmii-interfac.patch +net-phy-broadcom-fix-rgmii-delays-for-bcm50160-and-b.patch +revert-netfilter-x_tables-switch-synchronization-to-.patch +netfilter-x_tables-use-correct-memory-barriers.patch +bpf-fix-fexit-trampoline.patch +bpf-use-nop_atomic5-instead-of-emit_nops-prog-5-for-.patch +platform-x86-dell-wmi-sysman-cleanup-create_attribut.patch +arm64-mm-define-arch_get_mappable_range.patch +arm64-mm-correct-the-inside-linear-map-range-during-.patch +dm-table-fix-zoned-model-check-and-zone-sectors-chec.patch +mm-mmu_notifiers-ensure-range_end-is-paired-with-ran.patch +revert-netfilter-x_tables-update-remaining-dereferen.patch diff --git a/queue-5.11/soc-ti-omap-prm-fix-occasional-abort-on-reset-deasse.patch b/queue-5.11/soc-ti-omap-prm-fix-occasional-abort-on-reset-deasse.patch new file mode 100644 index 00000000000..cbbb6fd9750 --- /dev/null +++ b/queue-5.11/soc-ti-omap-prm-fix-occasional-abort-on-reset-deasse.patch @@ -0,0 +1,58 @@ +From f03ceadbd961ef76400d4e54da1fd61ad857199a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Feb 2021 13:46:33 +0200 +Subject: soc: ti: omap-prm: Fix occasional abort on reset deassert for dra7 + iva + +From: Tony Lindgren + +[ Upstream commit effe89e40037038db7711bdab5d3401fe297d72c ] + +On reset deassert, we must wait a bit after the rstst bit change before +we allow clockdomain autoidle again. Otherwise we get the following oops +sometimes on dra7 with iva: + +Unhandled fault: imprecise external abort (0x1406) at 0x00000000 +44000000.ocp:L3 Standard Error: MASTER MPU TARGET IVA_CONFIG (Read Link): +At Address: 0x0005A410 : Data Access in User mode during Functional access +Internal error: : 1406 [#1] SMP ARM +... +(sysc_write_sysconfig) from [] (sysc_enable_module+0xcc/0x260) +(sysc_enable_module) from [] (sysc_runtime_resume+0xc8/0x174) +(sysc_runtime_resume) from [] (genpd_runtime_resume+0x94/0x224) +(genpd_runtime_resume) from [] (__rpm_callback+0xd8/0x180) + +It is unclear what all devices this might affect, but presumably other +devices with the rstst bit too can be affected. So let's just enable the +delay for all the devices with rstst bit for now. Later on we may want to +limit the list to the know affected devices if needed. + +Fixes: d30cd83f6853 ("soc: ti: omap-prm: add support for denying idle for reset clockdomain") +Reported-by: Yongqin Liu +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + drivers/soc/ti/omap_prm.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/soc/ti/omap_prm.c b/drivers/soc/ti/omap_prm.c +index 17ea6a74a988..51143a68a889 100644 +--- a/drivers/soc/ti/omap_prm.c ++++ b/drivers/soc/ti/omap_prm.c +@@ -830,8 +830,12 @@ static int omap_reset_deassert(struct reset_controller_dev *rcdev, + reset->prm->data->name, id); + + exit: +- if (reset->clkdm) ++ if (reset->clkdm) { ++ /* At least dra7 iva needs a delay before clkdm idle */ ++ if (has_rstst) ++ udelay(1); + pdata->clkdm_allow_idle(reset->clkdm); ++ } + + return ret; + } +-- +2.30.1 + diff --git a/queue-5.11/soc-ti-omap-prm-fix-reboot-issue-with-invalid-pcie-r.patch b/queue-5.11/soc-ti-omap-prm-fix-reboot-issue-with-invalid-pcie-r.patch new file mode 100644 index 00000000000..679ee2a1b09 --- /dev/null +++ b/queue-5.11/soc-ti-omap-prm-fix-reboot-issue-with-invalid-pcie-r.patch @@ -0,0 +1,49 @@ +From 5a682ee8bfe415feeceb52a98e4135450614ee37 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Feb 2021 10:37:51 +0200 +Subject: soc: ti: omap-prm: Fix reboot issue with invalid pcie reset map for + dra7 + +From: Tony Lindgren + +[ Upstream commit a249ca66d15fa4b54dc6deaff4155df3db1308e1 ] + +Yongqin Liu reported an issue where reboot hangs +on beagleboard-x15. This started happening after commit 7078a5ba7a58 +("soc: ti: omap-prm: Fix boot time errors for rst_map_012 bits 0 and 1"). + +We now assert any 012 type resets on init to prevent unconfigured +accelerator MMUs getting enabled on init depending on the bootloader or +kexec configured state. + +Turns out that we now also wrongly assert dra7 l3init domain PCIe reset +bits causing a hang during reboot. Let's fix the l3init reset bits to +use a 01 map instead of 012 map. There are only two rstctrl bits and not +three. This is documented in TRM "Table 3-1647. RM_PCIESS_RSTCTRL". + +Fixes: 5a68c87afde0 ("soc: ti: omap-prm: dra7: add genpd support for remaining PRM instances") +Fixes: 7078a5ba7a58 ("soc: ti: omap-prm: Fix boot time errors for rst_map_012 bits 0 and 1") +Cc: Kishon Vijay Abraham I +Reported-by: Yongqin Liu +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + drivers/soc/ti/omap_prm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/soc/ti/omap_prm.c b/drivers/soc/ti/omap_prm.c +index bf1468e5bccb..17ea6a74a988 100644 +--- a/drivers/soc/ti/omap_prm.c ++++ b/drivers/soc/ti/omap_prm.c +@@ -332,7 +332,7 @@ static const struct omap_prm_data dra7_prm_data[] = { + { + .name = "l3init", .base = 0x4ae07300, + .pwrstctrl = 0x0, .pwrstst = 0x4, .dmap = &omap_prm_alwon, +- .rstctrl = 0x10, .rstst = 0x14, .rstmap = rst_map_012, ++ .rstctrl = 0x10, .rstst = 0x14, .rstmap = rst_map_01, + .clkdm_name = "pcie" + }, + { +-- +2.30.1 + diff --git a/queue-5.11/tcp-relookup-sock-for-rst-ack-packets-handled-by-obs.patch b/queue-5.11/tcp-relookup-sock-for-rst-ack-packets-handled-by-obs.patch new file mode 100644 index 00000000000..0ef9fd79690 --- /dev/null +++ b/queue-5.11/tcp-relookup-sock-for-rst-ack-packets-handled-by-obs.patch @@ -0,0 +1,88 @@ +From c3332785fc8f7cc97f2cef1d41713f04200284b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Mar 2021 14:05:45 +0300 +Subject: tcp: relookup sock for RST+ACK packets handled by obsolete req sock + +From: Alexander Ovechkin + +[ Upstream commit 7233da86697efef41288f8b713c10c2499cffe85 ] + +Currently tcp_check_req can be called with obsolete req socket for which big +socket have been already created (because of CPU race or early demux +assigning req socket to multiple packets in gro batch). + +Commit e0f9759f530bf789e984 ("tcp: try to keep packet if SYN_RCV race +is lost") added retry in case when tcp_check_req is called for PSH|ACK packet. +But if client sends RST+ACK immediatly after connection being +established (it is performing healthcheck, for example) retry does not +occur. In that case tcp_check_req tries to close req socket, +leaving big socket active. + +Fixes: e0f9759f530 ("tcp: try to keep packet if SYN_RCV race is lost") +Signed-off-by: Alexander Ovechkin +Reported-by: Oleg Senin +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/net/inet_connection_sock.h | 2 +- + net/ipv4/inet_connection_sock.c | 7 +++++-- + net/ipv4/tcp_minisocks.c | 7 +++++-- + 3 files changed, 11 insertions(+), 5 deletions(-) + +diff --git a/include/net/inet_connection_sock.h b/include/net/inet_connection_sock.h +index 111d7771b208..aa92af3dd444 100644 +--- a/include/net/inet_connection_sock.h ++++ b/include/net/inet_connection_sock.h +@@ -284,7 +284,7 @@ static inline int inet_csk_reqsk_queue_is_full(const struct sock *sk) + return inet_csk_reqsk_queue_len(sk) >= sk->sk_max_ack_backlog; + } + +-void inet_csk_reqsk_queue_drop(struct sock *sk, struct request_sock *req); ++bool inet_csk_reqsk_queue_drop(struct sock *sk, struct request_sock *req); + void inet_csk_reqsk_queue_drop_and_put(struct sock *sk, struct request_sock *req); + + static inline void inet_csk_prepare_for_destroy_sock(struct sock *sk) +diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c +index 6bd7ca09af03..fd472eae4f5c 100644 +--- a/net/ipv4/inet_connection_sock.c ++++ b/net/ipv4/inet_connection_sock.c +@@ -705,12 +705,15 @@ static bool reqsk_queue_unlink(struct request_sock *req) + return found; + } + +-void inet_csk_reqsk_queue_drop(struct sock *sk, struct request_sock *req) ++bool inet_csk_reqsk_queue_drop(struct sock *sk, struct request_sock *req) + { +- if (reqsk_queue_unlink(req)) { ++ bool unlinked = reqsk_queue_unlink(req); ++ ++ if (unlinked) { + reqsk_queue_removed(&inet_csk(sk)->icsk_accept_queue, req); + reqsk_put(req); + } ++ return unlinked; + } + EXPORT_SYMBOL(inet_csk_reqsk_queue_drop); + +diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c +index 0055ae0a3bf8..7513ba45553d 100644 +--- a/net/ipv4/tcp_minisocks.c ++++ b/net/ipv4/tcp_minisocks.c +@@ -804,8 +804,11 @@ embryonic_reset: + tcp_reset(sk, skb); + } + if (!fastopen) { +- inet_csk_reqsk_queue_drop(sk, req); +- __NET_INC_STATS(sock_net(sk), LINUX_MIB_EMBRYONICRSTS); ++ bool unlinked = inet_csk_reqsk_queue_drop(sk, req); ++ ++ if (unlinked) ++ __NET_INC_STATS(sock_net(sk), LINUX_MIB_EMBRYONICRSTS); ++ *req_stolen = !unlinked; + } + return NULL; + } +-- +2.30.1 + diff --git a/queue-5.11/tipc-better-validate-user-input-in-tipc_nl_retrieve_.patch b/queue-5.11/tipc-better-validate-user-input-in-tipc_nl_retrieve_.patch new file mode 100644 index 00000000000..e4e7336487a --- /dev/null +++ b/queue-5.11/tipc-better-validate-user-input-in-tipc_nl_retrieve_.patch @@ -0,0 +1,130 @@ +From 0a3ee56b65d233acef17453a239fcbd5c8015757 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Mar 2021 03:06:58 -0700 +Subject: tipc: better validate user input in tipc_nl_retrieve_key() + +From: Eric Dumazet + +[ Upstream commit 0217ed2848e8538bcf9172d97ed2eeb4a26041bb ] + +Before calling tipc_aead_key_size(ptr), we need to ensure +we have enough data to dereference ptr->keylen. + +We probably also want to make sure tipc_aead_key_size() +wont overflow with malicious ptr->keylen values. + +Syzbot reported: + +BUG: KMSAN: uninit-value in __tipc_nl_node_set_key net/tipc/node.c:2971 [inline] +BUG: KMSAN: uninit-value in tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023 +CPU: 0 PID: 21060 Comm: syz-executor.5 Not tainted 5.11.0-rc7-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:79 [inline] + dump_stack+0x21c/0x280 lib/dump_stack.c:120 + kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118 + __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197 + __tipc_nl_node_set_key net/tipc/node.c:2971 [inline] + tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023 + genl_family_rcv_msg_doit net/netlink/genetlink.c:739 [inline] + genl_family_rcv_msg net/netlink/genetlink.c:783 [inline] + genl_rcv_msg+0x1319/0x1610 net/netlink/genetlink.c:800 + netlink_rcv_skb+0x6fa/0x810 net/netlink/af_netlink.c:2494 + genl_rcv+0x63/0x80 net/netlink/genetlink.c:811 + netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline] + netlink_unicast+0x11d6/0x14a0 net/netlink/af_netlink.c:1330 + netlink_sendmsg+0x1740/0x1840 net/netlink/af_netlink.c:1919 + sock_sendmsg_nosec net/socket.c:652 [inline] + sock_sendmsg net/socket.c:672 [inline] + ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345 + ___sys_sendmsg net/socket.c:2399 [inline] + __sys_sendmsg+0x714/0x830 net/socket.c:2432 + __compat_sys_sendmsg net/compat.c:347 [inline] + __do_compat_sys_sendmsg net/compat.c:354 [inline] + __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351 + __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351 + do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline] + __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141 + do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166 + do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209 + entry_SYSENTER_compat_after_hwframe+0x4d/0x5c +RIP: 0023:0xf7f60549 +Code: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00 +RSP: 002b:00000000f555a5fc EFLAGS: 00000296 ORIG_RAX: 0000000000000172 +RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000200 +RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 +RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 +R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 + +Uninit was created at: + kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline] + kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104 + kmsan_slab_alloc+0x8d/0xe0 mm/kmsan/kmsan_hooks.c:76 + slab_alloc_node mm/slub.c:2907 [inline] + __kmalloc_node_track_caller+0xa37/0x1430 mm/slub.c:4527 + __kmalloc_reserve net/core/skbuff.c:142 [inline] + __alloc_skb+0x2f8/0xb30 net/core/skbuff.c:210 + alloc_skb include/linux/skbuff.h:1099 [inline] + netlink_alloc_large_skb net/netlink/af_netlink.c:1176 [inline] + netlink_sendmsg+0xdbc/0x1840 net/netlink/af_netlink.c:1894 + sock_sendmsg_nosec net/socket.c:652 [inline] + sock_sendmsg net/socket.c:672 [inline] + ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345 + ___sys_sendmsg net/socket.c:2399 [inline] + __sys_sendmsg+0x714/0x830 net/socket.c:2432 + __compat_sys_sendmsg net/compat.c:347 [inline] + __do_compat_sys_sendmsg net/compat.c:354 [inline] + __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351 + __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351 + do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline] + __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141 + do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166 + do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209 + entry_SYSENTER_compat_after_hwframe+0x4d/0x5c + +Fixes: e1f32190cf7d ("tipc: add support for AEAD key setting via netlink") +Signed-off-by: Eric Dumazet +Cc: Tuong Lien +Cc: Jon Maloy +Cc: Ying Xue +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/tipc/node.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/net/tipc/node.c b/net/tipc/node.c +index 008670d1f43e..136338b85504 100644 +--- a/net/tipc/node.c ++++ b/net/tipc/node.c +@@ -2895,17 +2895,22 @@ int tipc_nl_node_dump_monitor_peer(struct sk_buff *skb, + + #ifdef CONFIG_TIPC_CRYPTO + static int tipc_nl_retrieve_key(struct nlattr **attrs, +- struct tipc_aead_key **key) ++ struct tipc_aead_key **pkey) + { + struct nlattr *attr = attrs[TIPC_NLA_NODE_KEY]; ++ struct tipc_aead_key *key; + + if (!attr) + return -ENODATA; + +- *key = (struct tipc_aead_key *)nla_data(attr); +- if (nla_len(attr) < tipc_aead_key_size(*key)) ++ if (nla_len(attr) < sizeof(*key)) ++ return -EINVAL; ++ key = (struct tipc_aead_key *)nla_data(attr); ++ if (key->keylen > TIPC_AEAD_KEYLEN_MAX || ++ nla_len(attr) < tipc_aead_key_size(key)) + return -EINVAL; + ++ *pkey = key; + return 0; + } + +-- +2.30.1 + diff --git a/queue-5.11/veth-store-queue_mapping-independently-of-xdp-prog-p.patch b/queue-5.11/veth-store-queue_mapping-independently-of-xdp-prog-p.patch new file mode 100644 index 00000000000..36eaa122be9 --- /dev/null +++ b/queue-5.11/veth-store-queue_mapping-independently-of-xdp-prog-p.patch @@ -0,0 +1,46 @@ +From 57005483c0cfbed8d271d8fa0c8f6bb635f66492 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Mar 2021 16:29:03 +0100 +Subject: veth: Store queue_mapping independently of XDP prog presence + +From: Maciej Fijalkowski + +[ Upstream commit edbea922025169c0e5cdca5ebf7bf5374cc5566c ] + +Currently, veth_xmit() would call the skb_record_rx_queue() only when +there is XDP program loaded on peer interface in native mode. + +If peer has XDP prog in generic mode, then netif_receive_generic_xdp() +has a call to netif_get_rxqueue(skb), so for multi-queue veth it will +not be possible to grab a correct rxq. + +To fix that, store queue_mapping independently of XDP prog presence on +peer interface. + +Fixes: 638264dc9022 ("veth: Support per queue XDP ring") +Signed-off-by: Maciej Fijalkowski +Signed-off-by: Daniel Borkmann +Acked-by: Toshiaki Makita +Link: https://lore.kernel.org/bpf/20210303152903.11172-1-maciej.fijalkowski@intel.com +Signed-off-by: Sasha Levin +--- + drivers/net/veth.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/net/veth.c b/drivers/net/veth.c +index 02bfcdf50a7a..36abe756282e 100644 +--- a/drivers/net/veth.c ++++ b/drivers/net/veth.c +@@ -301,8 +301,7 @@ static netdev_tx_t veth_xmit(struct sk_buff *skb, struct net_device *dev) + if (rxq < rcv->real_num_rx_queues) { + rq = &rcv_priv->rq[rxq]; + rcv_xdp = rcu_access_pointer(rq->xdp_prog); +- if (rcv_xdp) +- skb_record_rx_queue(skb, rxq); ++ skb_record_rx_queue(skb, rxq); + } + + skb_tx_timestamp(skb); +-- +2.30.1 + diff --git a/queue-5.11/xen-x86-make-xen_balloon_memory_hotplug_limit-depend.patch b/queue-5.11/xen-x86-make-xen_balloon_memory_hotplug_limit-depend.patch new file mode 100644 index 00000000000..cd7d8896a6c --- /dev/null +++ b/queue-5.11/xen-x86-make-xen_balloon_memory_hotplug_limit-depend.patch @@ -0,0 +1,69 @@ +From 9ea37f748ddab87393e04ebf9ee148f9aa55255f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Mar 2021 13:24:23 +0100 +Subject: xen/x86: make XEN_BALLOON_MEMORY_HOTPLUG_LIMIT depend on + MEMORY_HOTPLUG +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Roger Pau Monne + +[ Upstream commit 2b514ec72706a31bea0c3b97e622b81535b5323a ] + +The Xen memory hotplug limit should depend on the memory hotplug +generic option, rather than the Xen balloon configuration. It's +possible to have a kernel with generic memory hotplug enabled, but +without Xen balloon enabled, at which point memory hotplug won't work +correctly due to the size limitation of the p2m. + +Rename the option to XEN_MEMORY_HOTPLUG_LIMIT since it's no longer +tied to ballooning. + +Fixes: 9e2369c06c8a18 ("xen: add helpers to allocate unpopulated memory") +Signed-off-by: Roger Pau Monné +Reviewed-by: Boris Ostrovsky +Link: https://lore.kernel.org/r/20210324122424.58685-2-roger.pau@citrix.com +Signed-off-by: Boris Ostrovsky +Signed-off-by: Sasha Levin +--- + arch/x86/xen/p2m.c | 4 ++-- + drivers/xen/Kconfig | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/arch/x86/xen/p2m.c b/arch/x86/xen/p2m.c +index a3cc33091f46..bee51ac92a18 100644 +--- a/arch/x86/xen/p2m.c ++++ b/arch/x86/xen/p2m.c +@@ -98,8 +98,8 @@ EXPORT_SYMBOL_GPL(xen_p2m_size); + unsigned long xen_max_p2m_pfn __read_mostly; + EXPORT_SYMBOL_GPL(xen_max_p2m_pfn); + +-#ifdef CONFIG_XEN_BALLOON_MEMORY_HOTPLUG_LIMIT +-#define P2M_LIMIT CONFIG_XEN_BALLOON_MEMORY_HOTPLUG_LIMIT ++#ifdef CONFIG_XEN_MEMORY_HOTPLUG_LIMIT ++#define P2M_LIMIT CONFIG_XEN_MEMORY_HOTPLUG_LIMIT + #else + #define P2M_LIMIT 0 + #endif +diff --git a/drivers/xen/Kconfig b/drivers/xen/Kconfig +index 41645fe6ad48..ea0efd290c37 100644 +--- a/drivers/xen/Kconfig ++++ b/drivers/xen/Kconfig +@@ -50,11 +50,11 @@ config XEN_BALLOON_MEMORY_HOTPLUG + + SUBSYSTEM=="memory", ACTION=="add", RUN+="/bin/sh -c '[ -f /sys$devpath/state ] && echo online > /sys$devpath/state'" + +-config XEN_BALLOON_MEMORY_HOTPLUG_LIMIT ++config XEN_MEMORY_HOTPLUG_LIMIT + int "Hotplugged memory limit (in GiB) for a PV guest" + default 512 + depends on XEN_HAVE_PVMMU +- depends on XEN_BALLOON_MEMORY_HOTPLUG ++ depends on MEMORY_HOTPLUG + help + Maxmium amount of memory (in GiB) that a PV guest can be + expanded to when using memory hotplug. +-- +2.30.1 +