From: Greg Kroah-Hartman Date: Mon, 9 May 2022 10:36:28 +0000 (+0200) Subject: 5.17-stable patches X-Git-Tag: v4.9.313~75 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2be4a0c9345dab0b354e7e3f2daf3d231ccbe023;p=thirdparty%2Fkernel%2Fstable-queue.git 5.17-stable patches added patches: alsa-hda-realtek-fix-mute-led-issue-on-thinkpad-with-cs35l41-s-codec.patch asoc-dmaengine-restore-null-prepare_slave_config-callback.patch asoc-meson-axg-card-fix-nonatomic-links.patch asoc-meson-axg-tdm-interface-fix-formatters-in-trigger.patch asoc-soc-ops-fix-error-handling.patch fbdev-make-fb_release-return-enodev-if-fbdev-was-unregistered.patch gpio-mvebu-drop-pwm-base-assignment.patch gpio-pca953x-fix-irq_stat-not-updated-when-irq-is-disabled-irq_mask-not-set.patch gpio-visconti-fix-fwnode-of-gpio-irq.patch hwmon-adt7470-fix-warning-on-module-removal.patch hwmon-pmbus-disable-pec-if-not-enabled.patch iommu-dart-check-return-value-after-calling-platform_get_resource.patch iommu-vt-d-drop-stop-marker-messages.patch net-mlx5-avoid-double-clear-or-set-of-sync-reset-requested.patch net-mlx5-fix-deadlock-in-sync-reset-flow.patch net-mlx5-fix-matching-on-inner-ttc.patch net-mlx5-fix-slab-out-of-bounds-while-reading-resource-dump-menu.patch net-mlx5e-ct-fix-queued-up-restore-put-executing-after-relevant-ft-release.patch net-mlx5e-don-t-match-double-vlan-packets-if-cvlan-is-not-set.patch net-mlx5e-fix-the-calling-of-update_buffer_lossy-api.patch net-mlx5e-fix-trust-state-reset-in-reload.patch net-mlx5e-fix-wrong-source-vport-matching-on-tunnel-rule.patch net-mlx5e-lag-don-t-skip-fib-events-on-current-dst.patch net-mlx5e-lag-fix-fib_info-pointer-assignment.patch net-mlx5e-lag-fix-use-after-free-in-fib-event-handler.patch net-mlx5e-tc-fix-decap-fallback-to-uplink-when-int-port-not-supported.patch nfc-netlink-fix-sleep-in-atomic-bug-when-firmware-download-timeout.patch nfc-nfcmrvl-main-reorder-destructive-operations-in-nfcmrvl_nci_unregister_dev-to-avoid-bugs.patch 
nfc-replace-improper-check-device_is_registered-in-netlink-related-functions.patch nfsv4-don-t-invalidate-inode-attributes-on-delegation-return.patch rdma-irdma-fix-possible-crash-due-to-null-netdev-in-notifier.patch rdma-irdma-flush-iwarp-qp-if-modified-to-err-from-rtr-state.patch rdma-irdma-reduce-iwarp-qp-destroy-time.patch rdma-siw-fix-a-condition-race-issue-in-mpa-request-processing.patch selftests-seccomp-don-t-call-read-on-tty-from-background-pgrp.patch sunrpc-release-the-transport-of-a-relocated-task-with-an-assigned-transport.patch --- diff --git a/queue-5.17/alsa-hda-realtek-fix-mute-led-issue-on-thinkpad-with-cs35l41-s-codec.patch b/queue-5.17/alsa-hda-realtek-fix-mute-led-issue-on-thinkpad-with-cs35l41-s-codec.patch new file mode 100644 index 00000000000..4be7cc5acfa --- /dev/null +++ b/queue-5.17/alsa-hda-realtek-fix-mute-led-issue-on-thinkpad-with-cs35l41-s-codec.patch 
@@ -0,0 +1,36 @@
+From a6ac60b36dade525c13c5bb0838589619533efb7 Mon Sep 17 00:00:00 2001
+From: Hui Wang
+Date: Fri, 22 Apr 2022 15:39:37 +0800
+Subject: ALSA: hda/realtek: Fix mute led issue on thinkpad with cs35l41 s-codec
+
+From: Hui Wang
+
+commit a6ac60b36dade525c13c5bb0838589619533efb7 upstream.
+
+The quirk ALC287_FIXUP_CS35L41_I2C_2 needs to chain the quirk
+ALC269_FIXUP_THINKPAD_ACPI, otherwise the mute led will not work if a
+thinkpad machine applies that quirk.
+
+And it will be safe if non-thinkpad machines apply that quirk since
+hda_fixup_thinkpad_acpi() will check and return in this case.
+
+Fixes: ae7abe36e352e ("ALSA: hda/realtek: Add CS35L41 support for Thinkpad laptops")
+Signed-off-by: Hui Wang
+Link: https://lore.kernel.org/r/20220422073937.10073-1-hui.wang@canonical.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/hda/patch_realtek.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -8759,6 +8759,8 @@ static const struct hda_fixup alc269_fix
+ [ALC287_FIXUP_CS35L41_I2C_2] = {
+ .type = HDA_FIXUP_FUNC,
+ .v.func = cs35l41_fixup_i2c_two,
++ .chained = true,
++ .chain_id = ALC269_FIXUP_THINKPAD_ACPI,
+ },
+ [ALC285_FIXUP_HP_SPEAKERS_MICMUTE_LED] = {
+ .type = HDA_FIXUP_VERBS,
diff --git a/queue-5.17/asoc-dmaengine-restore-null-prepare_slave_config-callback.patch b/queue-5.17/asoc-dmaengine-restore-null-prepare_slave_config-callback.patch
new file mode 100644
index 00000000000..29d002a1965
--- /dev/null
+++ b/queue-5.17/asoc-dmaengine-restore-null-prepare_slave_config-callback.patch
@@ -0,0 +1,49 @@
+From 660564fc9a92a893a14f255be434f7ea0b967901 Mon Sep 17 00:00:00 2001
+From: Codrin Ciubotariu
+Date: Thu, 21 Apr 2022 15:54:02 +0300
+Subject: ASoC: dmaengine: Restore NULL prepare_slave_config() callback
+
+From: Codrin Ciubotariu
+
+commit 660564fc9a92a893a14f255be434f7ea0b967901 upstream.
+
+As pointed out by Sascha Hauer, this patch changes:
+if (pmc->config && !pcm->config->prepare_slave_config)
+
+to:
+if (pmc->config && !pcm->config->prepare_slave_config)
+ snd_dmaengine_pcm_prepare_slave_config()
+
+This breaks the drivers that do not need a call to
+dmaengine_slave_config(). Drivers that still need to call
+snd_dmaengine_pcm_prepare_slave_config(), but have a NULL
+pcm->config->prepare_slave_config should use
+snd_dmaengine_pcm_prepare_slave_config() as their prepare_slave_config
+callback.
+
+Fixes: 9a1e13440a4f ("ASoC: dmaengine: do not use a NULL prepare_slave_config() callback")
+Reported-by: Sascha Hauer
+Signed-off-by: Codrin Ciubotariu
+Link: https://lore.kernel.org/r/20220421125403.2180824-1-codrin.ciubotariu@microchip.com
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/soc/soc-generic-dmaengine-pcm.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/sound/soc/soc-generic-dmaengine-pcm.c
++++ b/sound/soc/soc-generic-dmaengine-pcm.c
+@@ -86,10 +86,10 @@ static int dmaengine_pcm_hw_params(struc
+
+ memset(&slave_config, 0, sizeof(slave_config));
+
+- if (pcm->config && pcm->config->prepare_slave_config)
+- prepare_slave_config = pcm->config->prepare_slave_config;
+- else
++ if (!pcm->config)
+ prepare_slave_config = snd_dmaengine_pcm_prepare_slave_config;
++ else
++ prepare_slave_config = pcm->config->prepare_slave_config;
+
+ if (prepare_slave_config) {
+ int ret = prepare_slave_config(substream, params, &slave_config);
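Review bot: The new `else` branch in dmaengine_pcm_hw_params() deliberately leaves `prepare_slave_config` NULL when a config exists without the callback, but nothing in the code says that a NULL callback is a supported way to skip the slave configuration. That unstated contract may be how the regression named in the Fixes tag was introduced. A short comment above the branch would make it explicit, for example `/* a config without prepare_slave_config means no dmaengine_slave_config() call is needed */`. The function body starts and ends outside the hunk.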
diff --git a/queue-5.17/asoc-meson-axg-card-fix-nonatomic-links.patch b/queue-5.17/asoc-meson-axg-card-fix-nonatomic-links.patch
new file mode 100644
index 00000000000..1a4ba4d5b92
--- /dev/null
+++ b/queue-5.17/asoc-meson-axg-card-fix-nonatomic-links.patch
@@ -0,0 +1,57 @@
+From 0c9b152c72e53016e96593bdbb8cffe2176694b9 Mon Sep 17 00:00:00 2001
+From: Neil Armstrong
+Date: Thu, 21 Apr 2022 17:57:25 +0200
+Subject: ASoC: meson: axg-card: Fix nonatomic links
+
+From: Neil Armstrong
+
+commit 0c9b152c72e53016e96593bdbb8cffe2176694b9 upstream.
+
+This commit e138233e56e9829e65b6293887063a1a3ccb2d68 causes the
+following system crash when using audio on G12A/G12B & SM1 systems:
+
+ BUG: sleeping function called from invalid context at kernel/locking/mutex.c:282
+ in_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 0, name: swapper/0
+ preempt_count: 10001, expected: 0
+ RCU nest depth: 0, expected: 0
+ Preemption disabled at:
+ schedule_preempt_disabled+0x20/0x2c
+
+ mutex_lock+0x24/0x60
+ _snd_pcm_stream_lock_irqsave+0x20/0x3c
+ snd_pcm_period_elapsed+0x24/0xa4
+ axg_fifo_pcm_irq_block+0x64/0xdc
+ __handle_irq_event_percpu+0x104/0x264
+ handle_irq_event+0x48/0xb4
+ ...
+ start_kernel+0x3f0/0x484
+ __primary_switched+0xc0/0xc8
+
+Revert this commit until the crash is fixed.
+
+Fixes: e138233e56e9829e65b6 ("ASoC: meson: axg-card: make links nonatomic")
+Reported-by: Dmitry Shmidt
+Signed-off-by: Neil Armstrong
+Acked-by: Jerome Brunet
+Link: https://lore.kernel.org/r/20220421155725.2589089-2-narmstrong@baylibre.com
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/soc/meson/axg-card.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/sound/soc/meson/axg-card.c b/sound/soc/meson/axg-card.c
+index cbbaa55d92a6..2b77010c2c5c 100644
+--- a/sound/soc/meson/axg-card.c
++++ b/sound/soc/meson/axg-card.c
+@@ -320,7 +320,6 @@ static int axg_card_add_link(struct snd_soc_card *card, struct device_node *np,
+
+ dai_link->cpus = cpu;
+ dai_link->num_cpus = 1;
+- dai_link->nonatomic = true;
+
+ ret = meson_card_parse_dai(card, np, &dai_link->cpus->of_node,
+ &dai_link->cpus->dai_name);
+--
+2.36.1
+
diff --git a/queue-5.17/asoc-meson-axg-tdm-interface-fix-formatters-in-trigger.patch b/queue-5.17/asoc-meson-axg-tdm-interface-fix-formatters-in-trigger.patch
new file mode 100644
index 00000000000..69a91751723
--- /dev/null
+++ b/queue-5.17/asoc-meson-axg-tdm-interface-fix-formatters-in-trigger.patch
@@ -0,0 +1,76 @@ +From c26830b6c5c534d273ce007eb33d5a2d2ad4e969 Mon Sep 17 00:00:00 2001 +From: Neil Armstrong +Date: Thu, 21 Apr 2022 17:57:24 +0200 +Subject: ASoC: meson: axg-tdm-interface: Fix formatters in trigger" + +From: Neil Armstrong + +commit c26830b6c5c534d273ce007eb33d5a2d2ad4e969 upstream. + +This reverts commit bf5e4887eeddb48480568466536aa08ec7f179a5 because +the following and required commit e138233e56e9829e65b6293887063a1a3ccb2d68 +causes the following system crash when using audio: + BUG: sleeping function called from invalid context at kernel/locking/mutex.c:282 + +Fixes: bf5e4887eeddb4848056846 ("ASoC: meson: axg-tdm-interface: manage formatters in trigger") +Reported-by: Dmitry Shmidt +Signed-off-by: Neil Armstrong +Acked-by: Jerome Brunet +Link: https://lore.kernel.org/r/20220421155725.2589089-1-narmstrong@baylibre.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/meson/axg-tdm-interface.c | 26 +++++--------------------- + 1 file changed, 5 insertions(+), 21 deletions(-) + +diff --git a/sound/soc/meson/axg-tdm-interface.c b/sound/soc/meson/axg-tdm-interface.c +index 0c31934a9630..e076ced30025 100644 +--- a/sound/soc/meson/axg-tdm-interface.c ++++ b/sound/soc/meson/axg-tdm-interface.c +@@ -351,29 +351,13 @@ static int axg_tdm_iface_hw_free(struct snd_pcm_substream *substream, + return 0; + } + +-static int axg_tdm_iface_trigger(struct snd_pcm_substream *substream, +- int cmd, ++static int axg_tdm_iface_prepare(struct snd_pcm_substream *substream, + struct snd_soc_dai *dai) + { +- struct axg_tdm_stream *ts = +- snd_soc_dai_get_dma_data(dai, substream); +- +- switch (cmd) { +- case SNDRV_PCM_TRIGGER_START: +- case SNDRV_PCM_TRIGGER_RESUME: +- case SNDRV_PCM_TRIGGER_PAUSE_RELEASE: +- axg_tdm_stream_start(ts); +- break; +- case SNDRV_PCM_TRIGGER_SUSPEND: +- case SNDRV_PCM_TRIGGER_PAUSE_PUSH: +- case SNDRV_PCM_TRIGGER_STOP: +- axg_tdm_stream_stop(ts); +- break; +- default: +- return -EINVAL; +- } ++ struct 
axg_tdm_stream *ts = snd_soc_dai_get_dma_data(dai, substream); + +- return 0; ++ /* Force all attached formatters to update */ ++ return axg_tdm_stream_reset(ts); + } + + static int axg_tdm_iface_remove_dai(struct snd_soc_dai *dai) +@@ -413,8 +397,8 @@ static const struct snd_soc_dai_ops axg_tdm_iface_ops = { + .set_fmt = axg_tdm_iface_set_fmt, + .startup = axg_tdm_iface_startup, + .hw_params = axg_tdm_iface_hw_params, ++ .prepare = axg_tdm_iface_prepare, + .hw_free = axg_tdm_iface_hw_free, +- .trigger = axg_tdm_iface_trigger, + }; + + /* TDM Backend DAIs */ +-- +2.36.1 + diff --git a/queue-5.17/asoc-soc-ops-fix-error-handling.patch b/queue-5.17/asoc-soc-ops-fix-error-handling.patch new file mode 100644 index 00000000000..01d67be03d2 --- /dev/null +++ b/queue-5.17/asoc-soc-ops-fix-error-handling.patch 
@@ -0,0 +1,44 @@
+From eb5773201b1c5d603424bd21f161c8c2d1075b42 Mon Sep 17 00:00:00 2001
+From: Pierre-Louis Bossart
+Date: Thu, 21 Apr 2022 11:23:28 -0500
+Subject: ASoC: soc-ops: fix error handling
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pierre-Louis Bossart
+
+commit eb5773201b1c5d603424bd21f161c8c2d1075b42 upstream.
+
+cppcheck throws the following warning:
+
+sound/soc/soc-ops.c:461:8: style: Variable 'ret' is assigned a value
+that is never used. [unreadVariable]
+ ret = err;
+ ^
+
+This seems to be a missing change in the return value.
+
+Fixes: 7f3d90a351968 ("ASoC: ops: Fix stereo change notifications in snd_soc_put_volsw_sx()")
+Signed-off-by: Pierre-Louis Bossart
+Reviewed-by: Bard Liao
+Reviewed-by: Rander Wang
+Reviewed-by: Péter Ujfalusi
+Link: https://lore.kernel.org/r/20220421162328.302017-1-pierre-louis.bossart@linux.intel.com
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/soc/soc-ops.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/soc/soc-ops.c
++++ b/sound/soc/soc-ops.c
+@@ -461,7 +461,7 @@ int snd_soc_put_volsw_sx(struct snd_kcon
+ ret = err;
+ }
+ }
+- return err;
++ return ret;
+ }
+ EXPORT_SYMBOL_GPL(snd_soc_put_volsw_sx);
+
diff --git a/queue-5.17/fbdev-make-fb_release-return-enodev-if-fbdev-was-unregistered.patch b/queue-5.17/fbdev-make-fb_release-return-enodev-if-fbdev-was-unregistered.patch
new file mode 100644
index 00000000000..59b646a91c5
--- /dev/null
+++ b/queue-5.17/fbdev-make-fb_release-return-enodev-if-fbdev-was-unregistered.patch
@@ -0,0 +1,48 @@
+From aafa025c76dcc7d1a8c8f0bdefcbe4eb480b2f6a Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas
+Date: Mon, 2 May 2022 15:50:14 +0200
+Subject: fbdev: Make fb_release() return -ENODEV if fbdev was unregistered
+
+From: Javier Martinez Canillas
+
+commit aafa025c76dcc7d1a8c8f0bdefcbe4eb480b2f6a upstream.
+
+A reference to the framebuffer device struct fb_info is stored in the file
+private data, but this reference could no longer be valid and must not be
+accessed directly. Instead, the file_fb_info() accessor function must be
+used since it does sanity checking to make sure that the fb_info is valid.
+
+This can happen for example if the registered framebuffer device is for a
+driver that just uses a framebuffer provided by the system firmware. In
+that case, the fbdev core would unregister the framebuffer device when a
+real video driver is probed and ask to remove conflicting framebuffers.
+
+The bug has been present for a long time but commit 27599aacbaef ("fbdev:
+Hot-unplug firmware fb devices on forced removal") unmasked it since the
+fbdev core started unregistering the framebuffers' devices associated.
+
+Fixes: 27599aacbaef ("fbdev: Hot-unplug firmware fb devices on forced removal")
+Reported-by: Maxime Ripard
+Reported-by: Junxiao Chang
+Signed-off-by: Javier Martinez Canillas
+Reviewed-by: Thomas Zimmermann
+Link: https://patchwork.freedesktop.org/patch/msgid/20220502135014.377945-1-javierm@redhat.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/video/fbdev/core/fbmem.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/video/fbdev/core/fbmem.c
++++ b/drivers/video/fbdev/core/fbmem.c
+@@ -1438,7 +1438,10 @@ fb_release(struct inode *inode, struct f
+ __acquires(&info->lock)
+ __releases(&info->lock)
+ {
+- struct fb_info * const info = file->private_data;
++ struct fb_info * const info = file_fb_info(file);
++
++ if (!info)
++ return -ENODEV;
+
+ lock_fb_info(info);
+ if (info->fbops->fb_release)
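Review bot: The early `return -ENODEV;` in fb_release() exits before `lock_fb_info(info)` and before the driver's `fb_release` callback, so any teardown done later in the function is skipped for a file whose framebuffer was unregistered while it was open. The rest of fb_release() is outside the hunk, so it should be confirmed that every reference or module count taken at open time is still dropped on this path. If they are not, the object is either leaked or torn down elsewhere while a driver still expects its release call. A comment on the new branch naming who releases those open-time resources after unregistration would settle the question for the next reader.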
diff --git a/queue-5.17/gpio-mvebu-drop-pwm-base-assignment.patch b/queue-5.17/gpio-mvebu-drop-pwm-base-assignment.patch
new file mode 100644
index 00000000000..5daeecf8df4
--- /dev/null
+++ b/queue-5.17/gpio-mvebu-drop-pwm-base-assignment.patch
@@ -0,0 +1,43 @@
+From e5f6e5d554ac274f9c8ba60078103d0425b93c19 Mon Sep 17 00:00:00 2001
+From: Baruch Siach
+Date: Mon, 11 Apr 2022 09:23:40 +0300
+Subject: gpio: mvebu: drop pwm base assignment
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Baruch Siach
+
+commit e5f6e5d554ac274f9c8ba60078103d0425b93c19 upstream.
+
+pwmchip_add() unconditionally assigns the base ID dynamically. Commit
+f9a8ee8c8bcd1 ("pwm: Always allocate PWM chip base ID dynamically")
+dropped all base assignment from drivers under drivers/pwm/. It missed
+this driver. Fix that.
+
+Fixes: f9a8ee8c8bcd1 ("pwm: Always allocate PWM chip base ID dynamically")
+Signed-off-by: Baruch Siach
+Reviewed-by: Uwe Kleine-König
+Acked-by: Linus Walleij
+Signed-off-by: Bartosz Golaszewski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpio/gpio-mvebu.c | 7 -------
+ 1 file changed, 7 deletions(-)
+
+--- a/drivers/gpio/gpio-mvebu.c
++++ b/drivers/gpio/gpio-mvebu.c
+@@ -871,13 +871,6 @@ static int mvebu_pwm_probe(struct platfo
+ mvpwm->chip.dev = dev;
+ mvpwm->chip.ops = &mvebu_pwm_ops;
+ mvpwm->chip.npwm = mvchip->chip.ngpio;
+- /*
+- * There may already be some PWM allocated, so we can't force
+- * mvpwm->chip.base to a fixed point like mvchip->chip.base.
+- * So, we let pwmchip_add() do the numbering and take the next free
+- * region.
+- */
+- mvpwm->chip.base = -1;
+
+ spin_lock_init(&mvpwm->lock);
+
diff --git a/queue-5.17/gpio-pca953x-fix-irq_stat-not-updated-when-irq-is-disabled-irq_mask-not-set.patch b/queue-5.17/gpio-pca953x-fix-irq_stat-not-updated-when-irq-is-disabled-irq_mask-not-set.patch
new file mode 100644
index 00000000000..e6f3f16cc37
--- /dev/null
+++ b/queue-5.17/gpio-pca953x-fix-irq_stat-not-updated-when-irq-is-disabled-irq_mask-not-set.patch
@@ -0,0 +1,39 @@
+From dba785798526a3282cc4d0f0ea751883715dbbb4 Mon Sep 17 00:00:00 2001
+From: Puyou Lu
+Date: Fri, 6 May 2022 16:06:30 +0800
+Subject: gpio: pca953x: fix irq_stat not updated when irq is disabled (irq_mask not set)
+
+From: Puyou Lu
+
+commit dba785798526a3282cc4d0f0ea751883715dbbb4 upstream.
+
+When one port's input state get inverted (eg. from low to hight) after
+pca953x_irq_setup but before setting irq_mask (by some other driver such as
+"gpio-keys"), the next inversion of this port (eg. from hight to low) will not
+be triggered any more (because irq_stat is not updated at the first time). Issue
+should be fixed after this commit.
+
+Fixes: 89ea8bbe9c3e ("gpio: pca953x.c: add interrupt handling capability")
+Signed-off-by: Puyou Lu
+Signed-off-by: Bartosz Golaszewski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpio/gpio-pca953x.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpio/gpio-pca953x.c
++++ b/drivers/gpio/gpio-pca953x.c
+@@ -762,11 +762,11 @@ static bool pca953x_irq_pending(struct p
+ bitmap_xor(cur_stat, new_stat, old_stat, gc->ngpio);
+ bitmap_and(trigger, cur_stat, chip->irq_mask, gc->ngpio);
+
++ bitmap_copy(chip->irq_stat, new_stat, gc->ngpio);
++
+ if (bitmap_empty(trigger, gc->ngpio))
+ return false;
+
+- bitmap_copy(chip->irq_stat, new_stat, gc->ngpio);
+-
+ bitmap_and(cur_stat, chip->irq_trig_fall, old_stat, gc->ngpio);
+ bitmap_and(old_stat, chip->irq_trig_raise, new_stat, gc->ngpio);
+ bitmap_or(new_stat, old_stat, cur_stat, gc->ngpio);
diff --git a/queue-5.17/gpio-visconti-fix-fwnode-of-gpio-irq.patch b/queue-5.17/gpio-visconti-fix-fwnode-of-gpio-irq.patch
new file mode 100644
index 00000000000..d3b76435878
--- /dev/null
+++ b/queue-5.17/gpio-visconti-fix-fwnode-of-gpio-irq.patch
@@ -0,0 +1,57 @@
+From 171865dab096da1ab980a32eeea5d1b88cd7bc50 Mon Sep 17 00:00:00 2001
+From: Nobuhiro Iwamatsu
+Date: Thu, 21 Apr 2022 18:42:28 +0900
+Subject: gpio: visconti: Fix fwnode of GPIO IRQ
+
+From: Nobuhiro Iwamatsu
+
+commit 171865dab096da1ab980a32eeea5d1b88cd7bc50 upstream.
+
+The fwnode of GPIO IRQ must be set to its own fwnode, not the fwnode of the
+parent IRQ. Therefore, this sets own fwnode instead of the parent IRQ fwnode to
+GPIO IRQ's.
+
+Fixes: 2ad74f40dacc ("gpio: visconti: Add Toshiba Visconti GPIO support")
+Signed-off-by: Nobuhiro Iwamatsu
+Reviewed-by: Linus Walleij
+Signed-off-by: Bartosz Golaszewski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpio/gpio-visconti.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+--- a/drivers/gpio/gpio-visconti.c
++++ b/drivers/gpio/gpio-visconti.c
+@@ -130,7 +130,6 @@ static int visconti_gpio_probe(struct pl
+ struct gpio_irq_chip *girq;
+ struct irq_domain *parent;
+ struct device_node *irq_parent;
+- struct fwnode_handle *fwnode;
+ int ret;
+
+ priv = devm_kzalloc(dev, sizeof(*priv), GFP_KERNEL);
+@@ -150,14 +149,12 @@ static int visconti_gpio_probe(struct pl
+ }
+
+ parent = irq_find_host(irq_parent);
++ of_node_put(irq_parent);
+ if (!parent) {
+ dev_err(dev, "No IRQ parent domain\n");
+ return -ENODEV;
+ }
+
+- fwnode = of_node_to_fwnode(irq_parent);
+- of_node_put(irq_parent);
+-
+ ret = bgpio_init(&priv->gpio_chip, dev, 4,
+ priv->base + GPIO_IDATA,
+ priv->base + GPIO_OSET,
+@@ -180,7 +177,7 @@ static int visconti_gpio_probe(struct pl
+
+ girq = &priv->gpio_chip.irq;
+ girq->chip = irq_chip;
+- girq->fwnode = fwnode;
++ girq->fwnode = of_node_to_fwnode(dev->of_node);
+ girq->parent_domain = parent;
+ girq->child_to_parent_hwirq = visconti_gpio_child_to_parent_hwirq;
+ girq->populate_parent_alloc_arg = visconti_gpio_populate_parent_fwspec;
diff --git a/queue-5.17/hwmon-adt7470-fix-warning-on-module-removal.patch b/queue-5.17/hwmon-adt7470-fix-warning-on-module-removal.patch
new file mode 100644
index 00000000000..9eb8e4b7357
--- /dev/null
+++ b/queue-5.17/hwmon-adt7470-fix-warning-on-module-removal.patch
@@ -0,0 +1,57 @@
+From 7b2666ce445c700b8dcee994da44ddcf050a0842 Mon Sep 17 00:00:00 2001
+From: Armin Wolf
+Date: Thu, 7 Apr 2022 12:13:12 +0200
+Subject: hwmon: (adt7470) Fix warning on module removal
+
+From: Armin Wolf
+
+commit 7b2666ce445c700b8dcee994da44ddcf050a0842 upstream.
+
+When removing the adt7470 module, a warning might be printed:
+
+do not call blocking ops when !TASK_RUNNING; state=1
+set at [] adt7470_update_thread+0x7b/0x130 [adt7470]
+
+This happens because adt7470_update_thread() can leave the kthread in
+TASK_INTERRUPTIBLE state when the kthread is being stopped before
+the call of set_current_state(). Since kthread_exit() might sleep in
+exit_signals(), the warning is printed.
+Fix that by using schedule_timeout_interruptible() and removing
+the call of set_current_state().
+This causes TASK_INTERRUPTIBLE to be set after kthread_should_stop()
+which might cause the kthread to exit.
+
+Reported-by: Zheyu Ma
+Fixes: 93cacfd41f82 (hwmon: (adt7470) Allow faster removal)
+Signed-off-by: Armin Wolf
+Tested-by: Zheyu Ma
+Link: https://lore.kernel.org/r/20220407101312.13331-1-W_Armin@gmx.de
+Signed-off-by: Guenter Roeck
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/hwmon/adt7470.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/hwmon/adt7470.c
++++ b/drivers/hwmon/adt7470.c
+@@ -19,6 +19,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+
+@@ -294,11 +295,10 @@ static int adt7470_update_thread(void *p
+ adt7470_read_temperatures(data);
+ mutex_unlock(&data->lock);
+
+- set_current_state(TASK_INTERRUPTIBLE);
+ if (kthread_should_stop())
+ break;
+
+- schedule_timeout(msecs_to_jiffies(data->auto_update_interval));
++ schedule_timeout_interruptible(msecs_to_jiffies(data->auto_update_interval));
+ }
+
+ return 0;
diff --git a/queue-5.17/hwmon-pmbus-disable-pec-if-not-enabled.patch b/queue-5.17/hwmon-pmbus-disable-pec-if-not-enabled.patch
new file mode 100644
index 00000000000..8dd774daf4e
--- /dev/null
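Review bot: With `set_current_state(TASK_INTERRUPTIBLE)` removed, a kthread_stop() that lands between the `kthread_should_stop()` check and `schedule_timeout_interruptible()` finds the thread still runnable, so its wake-up has no effect and the thread then sleeps for the full `auto_update_interval` before it sees the stop request. The commit message accepts this, but it presumably gives back the faster removal that the commit named in the Fixes tag was written for. Keeping the original ordering and resetting the state on the exit path avoids both the warning and the delay: `if (kthread_should_stop()) { __set_current_state(TASK_RUNNING); break; }`. The loop and the rest of adt7470_update_thread() lie outside the hunk.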
+++ b/queue-5.17/hwmon-pmbus-disable-pec-if-not-enabled.patch
@@ -0,0 +1,43 @@
+From 75d2b2b06bd8407d03a3f126bc8b95eb356906c7 Mon Sep 17 00:00:00 2001
+From: Adam Wujek
+Date: Wed, 20 Apr 2022 14:51:25 +0000
+Subject: hwmon: (pmbus) disable PEC if not enabled
+
+From: Adam Wujek
+
+commit 75d2b2b06bd8407d03a3f126bc8b95eb356906c7 upstream.
+
+Explicitly disable PEC when the client does not support it.
+The problematic scenario is the following. A device with enabled PEC
+support is up and running and a kernel driver is loaded.
+Then the driver is unloaded (or device unbound), the HW device
+is reconfigured externally (e.g. by i2cset) to advertise itself as not
+supporting PEC. Without a new code, at the second load of the driver
+(or bind) the "flags" variable is not updated to avoid PEC usage. As a
+consequence the further communication with the device is done with
+the PEC enabled, which is wrong and may fail.
+
+The implementation first disable the I2C_CLIENT_PEC flag, then the old
+code enable it if needed.
+
+Fixes: 4e5418f787ec ("hwmon: (pmbus_core) Check adapter PEC support")
+Signed-off-by: Adam Wujek
+Link: https://lore.kernel.org/r/20220420145059.431061-1-dev_public@wujek.eu
+Signed-off-by: Guenter Roeck
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/hwmon/pmbus/pmbus_core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/hwmon/pmbus/pmbus_core.c
++++ b/drivers/hwmon/pmbus/pmbus_core.c
+@@ -2326,6 +2326,9 @@ static int pmbus_init_common(struct i2c_
+ data->has_status_word = true;
+ }
+
++ /* Make sure PEC is disabled, will be enabled later if needed */
++ client->flags &= ~I2C_CLIENT_PEC;
++
+ /* Enable PEC if the controller and bus supports it */
+ if (!(data->flags & PMBUS_NO_CAPABILITY)) {
+ ret = i2c_smbus_read_byte_data(client, PMBUS_CAPABILITY);
diff --git a/queue-5.17/iommu-dart-check-return-value-after-calling-platform_get_resource.patch b/queue-5.17/iommu-dart-check-return-value-after-calling-platform_get_resource.patch
new file mode 100644
index 00000000000..13fbeff43b8
--- /dev/null
+++ b/queue-5.17/iommu-dart-check-return-value-after-calling-platform_get_resource.patch
@@ -0,0 +1,47 @@
+From a15932f4377062364d22096afe25bc579134a1c3 Mon Sep 17 00:00:00 2001
+From: Yang Yingliang
+Date: Mon, 25 Apr 2022 17:08:26 +0800
+Subject: iommu/dart: check return value after calling platform_get_resource()
+
+From: Yang Yingliang
+
+commit a15932f4377062364d22096afe25bc579134a1c3 upstream.
+
+It will cause null-ptr-deref in resource_size(), if platform_get_resource()
+returns NULL, move calling resource_size() after devm_ioremap_resource() that
+will check 'res' to avoid null-ptr-deref.
+And use devm_platform_get_and_ioremap_resource() to simplify code.
+
+Fixes: 46d1fb072e76 ("iommu/dart: Add DART iommu driver")
+Signed-off-by: Yang Yingliang
+Reviewed-by: Sven Peter
+Link: https://lore.kernel.org/r/20220425090826.2532165-1-yangyingliang@huawei.com
+Signed-off-by: Joerg Roedel
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iommu/apple-dart.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+--- a/drivers/iommu/apple-dart.c
++++ b/drivers/iommu/apple-dart.c
+@@ -857,16 +857,15 @@ static int apple_dart_probe(struct platf
+ dart->dev = dev;
+ spin_lock_init(&dart->lock);
+
+- res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
++ dart->regs = devm_platform_get_and_ioremap_resource(pdev, 0, &res);
++ if (IS_ERR(dart->regs))
++ return PTR_ERR(dart->regs);
++
+ if (resource_size(res) < 0x4000) {
+ dev_err(dev, "MMIO region too small (%pr)\n", res);
+ return -EINVAL;
+ }
+
+- dart->regs = devm_ioremap_resource(dev, res);
+- if (IS_ERR(dart->regs))
+- return PTR_ERR(dart->regs);
+-
+ dart->irq = platform_get_irq(pdev, 0);
+ if (dart->irq < 0)
+ return -ENODEV;
diff --git a/queue-5.17/iommu-vt-d-drop-stop-marker-messages.patch b/queue-5.17/iommu-vt-d-drop-stop-marker-messages.patch
new file mode 100644
index 00000000000..240b242d80a
--- /dev/null
+++ b/queue-5.17/iommu-vt-d-drop-stop-marker-messages.patch
@@ -0,0 +1,45 @@
+From da8669ff41fa31573375c9a4180f5c080677204b Mon Sep 17 00:00:00 2001
+From: Lu Baolu
+Date: Sat, 23 Apr 2022 16:23:30 +0800
+Subject: iommu/vt-d: Drop stop marker messages
+
+From: Lu Baolu
+
+commit da8669ff41fa31573375c9a4180f5c080677204b upstream.
+
+The page fault handling framework in the IOMMU core explicitly states
+that it doesn't handle PCI PASID Stop Marker and the IOMMU drivers must
+discard them before reporting faults. This handles Stop Marker messages
+in prq_event_thread() before reporting events to the core.
+
+The VT-d driver explicitly drains the pending page requests when a CPU
+page table (represented by a mm struct) is unbound from a PASID according
+to the procedures defined in the VT-d spec. The Stop Marker messages do
+not need a response. Hence, it is safe to drop the Stop Marker messages
+silently if any of them is found in the page request queue.
+
+Fixes: d5b9e4bfe0d88 ("iommu/vt-d: Report prq to io-pgfault framework")
+Signed-off-by: Lu Baolu
+Reviewed-by: Jacob Pan
+Reviewed-by: Kevin Tian
+Link: https://lore.kernel.org/r/20220421113558.3504874-1-baolu.lu@linux.intel.com
+Link: https://lore.kernel.org/r/20220423082330.3897867-2-baolu.lu@linux.intel.com
+Signed-off-by: Joerg Roedel
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iommu/intel/svm.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/iommu/intel/svm.c
++++ b/drivers/iommu/intel/svm.c
+@@ -956,6 +956,10 @@ bad_req:
+ goto bad_req;
+ }
+
++ /* Drop Stop Marker message. No need for a response. */
++ if (unlikely(req->lpig && !req->rd_req && !req->wr_req))
++ goto prq_advance;
++
+ if (!svm || svm->pasid != req->pasid) {
+ /*
+ * It can't go away, because the driver is not permitted
diff --git a/queue-5.17/net-mlx5-avoid-double-clear-or-set-of-sync-reset-requested.patch b/queue-5.17/net-mlx5-avoid-double-clear-or-set-of-sync-reset-requested.patch
new file mode 100644
index 00000000000..e09a4389818
--- /dev/null
+++ b/queue-5.17/net-mlx5-avoid-double-clear-or-set-of-sync-reset-requested.patch
@@ -0,0 +1,103 @@ +From fc3d3db07b35885f238e1fa06b9f04a8fa7a62d0 Mon Sep 17 00:00:00 2001 +From: Moshe Shemesh +Date: Mon, 11 Apr 2022 20:38:44 +0300 +Subject: net/mlx5: Avoid double clear or set of sync reset requested + +From: Moshe Shemesh + +commit fc3d3db07b35885f238e1fa06b9f04a8fa7a62d0 upstream. + +Double clear of reset requested state can lead to NULL pointer as it +will try to delete the timer twice. This can happen for example on a +race between abort from FW and pci error or reset. Avoid such case using +test_and_clear_bit() to verify only one time reset requested state clear +flow. Similarly use test_and_set_bit() to verify only one time reset +requested state set flow. + +Fixes: 7dd6df329d4c ("net/mlx5: Handle sync reset abort event") +Signed-off-by: Moshe Shemesh +Reviewed-by: Maher Sanalla +Reviewed-by: Shay Drory +Signed-off-by: Saeed Mahameed +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c | 28 ++++++++++++++------- + 1 file changed, 19 insertions(+), 9 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c +@@ -135,14 +135,19 @@ static void mlx5_stop_sync_reset_poll(st + del_timer_sync(&fw_reset->timer); + } + +-static void mlx5_sync_reset_clear_reset_requested(struct mlx5_core_dev *dev, bool poll_health) ++static int mlx5_sync_reset_clear_reset_requested(struct mlx5_core_dev *dev, bool poll_health) + { + struct mlx5_fw_reset *fw_reset = dev->priv.fw_reset; + ++ if (!test_and_clear_bit(MLX5_FW_RESET_FLAGS_RESET_REQUESTED, &fw_reset->reset_flags)) { ++ mlx5_core_warn(dev, "Reset request was already cleared\n"); ++ return -EALREADY; ++ } ++ + mlx5_stop_sync_reset_poll(dev); +- clear_bit(MLX5_FW_RESET_FLAGS_RESET_REQUESTED, &fw_reset->reset_flags); + if (poll_health) + mlx5_start_health_poll(dev); ++ return 0; + } + + #define MLX5_RESET_POLL_INTERVAL (HZ / 10) +@@ -186,13 +191,17 @@ static int mlx5_fw_reset_set_reset_sync_ + return 
mlx5_reg_mfrl_set(dev, MLX5_MFRL_REG_RESET_LEVEL3, 0, 2, false); + } + +-static void mlx5_sync_reset_set_reset_requested(struct mlx5_core_dev *dev) ++static int mlx5_sync_reset_set_reset_requested(struct mlx5_core_dev *dev) + { + struct mlx5_fw_reset *fw_reset = dev->priv.fw_reset; + ++ if (test_and_set_bit(MLX5_FW_RESET_FLAGS_RESET_REQUESTED, &fw_reset->reset_flags)) { ++ mlx5_core_warn(dev, "Reset request was already set\n"); ++ return -EALREADY; ++ } + mlx5_stop_health_poll(dev, true); +- set_bit(MLX5_FW_RESET_FLAGS_RESET_REQUESTED, &fw_reset->reset_flags); + mlx5_start_sync_reset_poll(dev); ++ return 0; + } + + static void mlx5_fw_live_patch_event(struct work_struct *work) +@@ -221,7 +230,9 @@ static void mlx5_sync_reset_request_even + err ? "Failed" : "Sent"); + return; + } +- mlx5_sync_reset_set_reset_requested(dev); ++ if (mlx5_sync_reset_set_reset_requested(dev)) ++ return; ++ + err = mlx5_fw_reset_set_reset_sync_ack(dev); + if (err) + mlx5_core_warn(dev, "PCI Sync FW Update Reset Ack Failed. Error code: %d\n", err); +@@ -319,7 +330,8 @@ static void mlx5_sync_reset_now_event(st + struct mlx5_core_dev *dev = fw_reset->dev; + int err; + +- mlx5_sync_reset_clear_reset_requested(dev, false); ++ if (mlx5_sync_reset_clear_reset_requested(dev, false)) ++ return; + + mlx5_core_warn(dev, "Sync Reset now. Device is going to reset.\n"); + +@@ -348,10 +360,8 @@ static void mlx5_sync_reset_abort_event( + reset_abort_work); + struct mlx5_core_dev *dev = fw_reset->dev; + +- if (!test_bit(MLX5_FW_RESET_FLAGS_RESET_REQUESTED, &fw_reset->reset_flags)) ++ if (mlx5_sync_reset_clear_reset_requested(dev, true)) + return; +- +- mlx5_sync_reset_clear_reset_requested(dev, true); + mlx5_core_warn(dev, "PCI Sync FW Update Reset Aborted.\n"); + } + diff --git a/queue-5.17/net-mlx5-fix-deadlock-in-sync-reset-flow.patch b/queue-5.17/net-mlx5-fix-deadlock-in-sync-reset-flow.patch new file mode 100644 index 00000000000..0fc6a495109 --- /dev/null 
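Review bot: mlx5_sync_reset_abort_event() used to return silently when MLX5_FW_RESET_FLAGS_RESET_REQUESTED was not set, and now goes through mlx5_sync_reset_clear_reset_requested(), which logs `Reset request was already cleared` at warning level on that same path. An abort that arrives with no request pending, or after the reset-now handler already cleared the flag, looks like an expected outcome of the race this patch guards against, so the warning may mislead someone reading the log during an incident; `mlx5_core_dbg(dev, "Reset request was already cleared\n");` would keep the trace without the alarm. Separately, mlx5_sync_reset_request_event() now returns without calling mlx5_fw_reset_set_reset_sync_ack() when the flag was already set. Whether firmware expects an ack for a repeated request is not visible in these hunks and deserves a comment at that `return`.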
+++ b/queue-5.17/net-mlx5-fix-deadlock-in-sync-reset-flow.patch 
@@ -0,0 +1,100 @@ +From cb7786a76ea39f394f0a059787fe24fa8e340fb6 Mon Sep 17 00:00:00 2001 +From: Moshe Shemesh +Date: Mon, 11 Apr 2022 21:31:06 +0300 +Subject: net/mlx5: Fix deadlock in sync reset flow + +From: Moshe Shemesh + +commit cb7786a76ea39f394f0a059787fe24fa8e340fb6 upstream. + +The sync reset flow can lead to the following deadlock when +poll_sync_reset() is called by timer softirq and waiting on +del_timer_sync() for the same timer. Fix that by moving the part of the +flow that waits for the timer to reset_reload_work. + +It fixes the following kernel Trace: +RIP: 0010:del_timer_sync+0x32/0x40 +... +Call Trace: + + mlx5_sync_reset_clear_reset_requested+0x26/0x50 [mlx5_core] + poll_sync_reset.cold+0x36/0x52 [mlx5_core] + call_timer_fn+0x32/0x130 + __run_timers.part.0+0x180/0x280 + ? tick_sched_handle+0x33/0x60 + ? tick_sched_timer+0x3d/0x80 + ? ktime_get+0x3e/0xa0 + run_timer_softirq+0x2a/0x50 + __do_softirq+0xe1/0x2d6 + ? hrtimer_interrupt+0x136/0x220 + irq_exit+0xae/0xb0 + smp_apic_timer_interrupt+0x7b/0x140 + apic_timer_interrupt+0xf/0x20 + + +Fixes: 3c5193a87b0f ("net/mlx5: Use del_timer_sync in fw reset flow of halting poll") +Signed-off-by: Moshe Shemesh +Reviewed-by: Maher Sanalla +Signed-off-by: Saeed Mahameed +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c | 34 ++++++++++----------- + 1 file changed, 17 insertions(+), 17 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c +@@ -112,22 +112,6 @@ static void mlx5_fw_reset_complete_reloa + } + } + +-static void mlx5_sync_reset_reload_work(struct work_struct *work) +-{ +- struct mlx5_fw_reset *fw_reset = container_of(work, struct mlx5_fw_reset, +- reset_reload_work); +- struct mlx5_core_dev *dev = fw_reset->dev; +- int err; +- +- mlx5_enter_error_state(dev, true); +- mlx5_unload_one(dev); +- err = mlx5_health_wait_pci_up(dev); +- if (err) +- mlx5_core_err(dev, "reset reload flow 
aborted, PCI reads still not working\n"); +- fw_reset->ret = err; +- mlx5_fw_reset_complete_reload(dev); +-} +- + static void mlx5_stop_sync_reset_poll(struct mlx5_core_dev *dev) + { + struct mlx5_fw_reset *fw_reset = dev->priv.fw_reset; +@@ -150,6 +134,23 @@ static int mlx5_sync_reset_clear_reset_r + return 0; + } + ++static void mlx5_sync_reset_reload_work(struct work_struct *work) ++{ ++ struct mlx5_fw_reset *fw_reset = container_of(work, struct mlx5_fw_reset, ++ reset_reload_work); ++ struct mlx5_core_dev *dev = fw_reset->dev; ++ int err; ++ ++ mlx5_sync_reset_clear_reset_requested(dev, false); ++ mlx5_enter_error_state(dev, true); ++ mlx5_unload_one(dev); ++ err = mlx5_health_wait_pci_up(dev); ++ if (err) ++ mlx5_core_err(dev, "reset reload flow aborted, PCI reads still not working\n"); ++ fw_reset->ret = err; ++ mlx5_fw_reset_complete_reload(dev); ++} ++ + #define MLX5_RESET_POLL_INTERVAL (HZ / 10) + static void poll_sync_reset(struct timer_list *t) + { +@@ -164,7 +165,6 @@ static void poll_sync_reset(struct timer + + if (fatal_error) { + mlx5_core_warn(dev, "Got Device Reset\n"); +- mlx5_sync_reset_clear_reset_requested(dev, false); + queue_work(fw_reset->wq, &fw_reset->reset_reload_work); + return; + } diff --git a/queue-5.17/net-mlx5-fix-matching-on-inner-ttc.patch b/queue-5.17/net-mlx5-fix-matching-on-inner-ttc.patch new file mode 100644 index 00000000000..efcea7c2137 --- /dev/null +++ b/queue-5.17/net-mlx5-fix-matching-on-inner-ttc.patch 
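Review bot: In the re-added mlx5_sync_reset_reload_work() the result of `mlx5_sync_reset_clear_reset_requested(dev, false)` is discarded, although the context at `@@ -150,6 +134,23 @@` shows that helper is `static int` and ends in `return 0;`. If a non-zero return means the request flag was already cleared, the work would still go on to mlx5_enter_error_state() and mlx5_unload_one(); the helper's body is outside this hunk, so that needs confirming. Either bail out with `if (mlx5_sync_reset_clear_reset_requested(dev, false)) return;` or state why the result is ignored. A comment such as `/* process context: stop the poll timer here, del_timer_sync() must not run from the timer callback */` would also record why the call moved out of poll_sync_reset().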
@@ -0,0 +1,53 @@ +From a042d7f5bb68c47f6e0e546ca367d14e1e4b25ba Mon Sep 17 00:00:00 2001 +From: Mark Bloch +Date: Sun, 10 Apr 2022 11:58:05 +0000 +Subject: net/mlx5: Fix matching on inner TTC + +From: Mark Bloch + +commit a042d7f5bb68c47f6e0e546ca367d14e1e4b25ba upstream. + +The cited commits didn't use proper matching on inner TTC +as a result distribution of encapsulated packets wasn't symmetric +between the physical ports. + +Fixes: 4c71ce50d2fe ("net/mlx5: Support partial TTC rules") +Fixes: 8e25a2bc6687 ("net/mlx5: Lag, add support to create TTC tables for LAG port selection") +Signed-off-by: Mark Bloch +Reviewed-by: Maor Gottlieb +Signed-off-by: Saeed Mahameed +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/lag/port_sel.c | 2 +- + drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c | 2 ++ + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lag/port_sel.c b/drivers/net/ethernet/mellanox/mlx5/core/lag/port_sel.c +index a6592f9c3c05..5be322528279 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/lag/port_sel.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/lag/port_sel.c +@@ -505,7 +505,7 @@ static int mlx5_lag_create_inner_ttc_table(struct mlx5_lag *ldev) + struct ttc_params ttc_params = {}; + + mlx5_lag_set_inner_ttc_params(ldev, &ttc_params); +- port_sel->inner.ttc = mlx5_create_ttc_table(dev, &ttc_params); ++ port_sel->inner.ttc = mlx5_create_inner_ttc_table(dev, &ttc_params); + if (IS_ERR(port_sel->inner.ttc)) + return PTR_ERR(port_sel->inner.ttc); + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c b/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c +index b63dec24747a..b78f2ba25c19 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c +@@ -408,6 +408,8 @@ static int mlx5_generate_inner_ttc_table_rules(struct mlx5_core_dev *dev, + for (tt = 0; tt < MLX5_NUM_TT; tt++) { + 
struct mlx5_ttc_rule *rule = &rules[tt]; + ++ if (test_bit(tt, params->ignore_dests)) ++ continue; + rule->rule = mlx5_generate_inner_ttc_rule(dev, ft, + ¶ms->dests[tt], + ttc_rules[tt].etype, +-- +2.36.1 + diff --git a/queue-5.17/net-mlx5-fix-slab-out-of-bounds-while-reading-resource-dump-menu.patch b/queue-5.17/net-mlx5-fix-slab-out-of-bounds-while-reading-resource-dump-menu.patch new file mode 100644 index 00000000000..a5ba585ede6 --- /dev/null +++ b/queue-5.17/net-mlx5-fix-slab-out-of-bounds-while-reading-resource-dump-menu.patch 
@@ -0,0 +1,146 @@ +From 7ba2d9d8de96696c1451fee1b01da11f45bdc2b9 Mon Sep 17 00:00:00 2001 +From: Aya Levin +Date: Thu, 3 Mar 2022 19:02:03 +0200 +Subject: net/mlx5: Fix slab-out-of-bounds while reading resource dump menu + +From: Aya Levin + +commit 7ba2d9d8de96696c1451fee1b01da11f45bdc2b9 upstream. + +Resource dump menu may span over more than a single page, support it. +Otherwise, menu read may result in a memory access violation: reading +outside of the allocated page. +Note that page format of the first menu page contains menu headers while +the proceeding menu pages contain only records. + +The KASAN logs are as follows: +BUG: KASAN: slab-out-of-bounds in strcmp+0x9b/0xb0 +Read of size 1 at addr ffff88812b2e1fd0 by task systemd-udevd/496 + +CPU: 5 PID: 496 Comm: systemd-udevd Tainted: G B 5.16.0_for_upstream_debug_2022_01_10_23_12 #1 +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 +Call Trace: + + dump_stack_lvl+0x57/0x7d + print_address_description.constprop.0+0x1f/0x140 + ? strcmp+0x9b/0xb0 + ? strcmp+0x9b/0xb0 + kasan_report.cold+0x83/0xdf + ? strcmp+0x9b/0xb0 + strcmp+0x9b/0xb0 + mlx5_rsc_dump_init+0x4ab/0x780 [mlx5_core] + ? mlx5_rsc_dump_destroy+0x80/0x80 [mlx5_core] + ? lockdep_hardirqs_on_prepare+0x286/0x400 + ? raw_spin_unlock_irqrestore+0x47/0x50 + ? aomic_notifier_chain_register+0x32/0x40 + mlx5_load+0x104/0x2e0 [mlx5_core] + mlx5_init_one+0x41b/0x610 [mlx5_core] + .... 
+The buggy address belongs to the object at ffff88812b2e0000 + which belongs to the cache kmalloc-4k of size 4096 +The buggy address is located 4048 bytes to the right of + 4096-byte region [ffff88812b2e0000, ffff88812b2e1000) +The buggy address belongs to the page: +page:000000009d69807a refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88812b2e6000 pfn:0x12b2e0 +head:000000009d69807a order:3 compound_mapcount:0 compound_pincount:0 +flags: 0x8000000000010200(slab|head|zone=2) +raw: 8000000000010200 0000000000000000 dead000000000001 ffff888100043040 +raw: ffff88812b2e6000 0000000080040000 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff88812b2e1e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffff88812b2e1f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +>ffff88812b2e1f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ^ + ffff88812b2e2000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff88812b2e2080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +================================================================== + +Fixes: 12206b17235a ("net/mlx5: Add support for resource dump") +Signed-off-by: Aya Levin +Reviewed-by: Moshe Shemesh +Signed-off-by: Saeed Mahameed +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/diag/rsc_dump.c | 31 ++++++++++++---- + 1 file changed, 25 insertions(+), 6 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/diag/rsc_dump.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/diag/rsc_dump.c +@@ -31,6 +31,7 @@ static const char *const mlx5_rsc_sgmt_n + struct mlx5_rsc_dump { + u32 pdn; + u32 mkey; ++ u32 number_of_menu_items; + u16 fw_segment_type[MLX5_SGMT_TYPE_NUM]; + }; + +@@ -50,21 +51,37 @@ static int mlx5_rsc_dump_sgmt_get_by_nam + return -EINVAL; + } + +-static void mlx5_rsc_dump_read_menu_sgmt(struct mlx5_rsc_dump *rsc_dump, struct page *page) ++#define 
MLX5_RSC_DUMP_MENU_HEADER_SIZE (MLX5_ST_SZ_BYTES(resource_dump_info_segment) + \ ++ MLX5_ST_SZ_BYTES(resource_dump_command_segment) + \ ++ MLX5_ST_SZ_BYTES(resource_dump_menu_segment)) ++ ++static int mlx5_rsc_dump_read_menu_sgmt(struct mlx5_rsc_dump *rsc_dump, struct page *page, ++ int read_size, int start_idx) + { + void *data = page_address(page); + enum mlx5_sgmt_type sgmt_idx; + int num_of_items; + char *sgmt_name; + void *member; ++ int size = 0; + void *menu; + int i; + +- menu = MLX5_ADDR_OF(menu_resource_dump_response, data, menu); +- num_of_items = MLX5_GET(resource_dump_menu_segment, menu, num_of_records); ++ if (!start_idx) { ++ menu = MLX5_ADDR_OF(menu_resource_dump_response, data, menu); ++ rsc_dump->number_of_menu_items = MLX5_GET(resource_dump_menu_segment, menu, ++ num_of_records); ++ size = MLX5_RSC_DUMP_MENU_HEADER_SIZE; ++ data += size; ++ } ++ num_of_items = rsc_dump->number_of_menu_items; ++ ++ for (i = 0; start_idx + i < num_of_items; i++) { ++ size += MLX5_ST_SZ_BYTES(resource_dump_menu_record); ++ if (size >= read_size) ++ return start_idx + i; + +- for (i = 0; i < num_of_items; i++) { +- member = MLX5_ADDR_OF(resource_dump_menu_segment, menu, record[i]); ++ member = data + MLX5_ST_SZ_BYTES(resource_dump_menu_record) * i; + sgmt_name = MLX5_ADDR_OF(resource_dump_menu_record, member, segment_name); + sgmt_idx = mlx5_rsc_dump_sgmt_get_by_name(sgmt_name); + if (sgmt_idx == -EINVAL) +@@ -72,6 +89,7 @@ static void mlx5_rsc_dump_read_menu_sgmt + rsc_dump->fw_segment_type[sgmt_idx] = MLX5_GET(resource_dump_menu_record, + member, segment_type); + } ++ return 0; + } + + static int mlx5_rsc_dump_trigger(struct mlx5_core_dev *dev, struct mlx5_rsc_dump_cmd *cmd, +@@ -168,6 +186,7 @@ static int mlx5_rsc_dump_menu(struct mlx + struct mlx5_rsc_dump_cmd *cmd = NULL; + struct mlx5_rsc_key key = {}; + struct page *page; ++ int start_idx = 0; + int size; + int err; + +@@ -189,7 +208,7 @@ static int mlx5_rsc_dump_menu(struct mlx + if (err < 0) + goto 
destroy_cmd; + +- mlx5_rsc_dump_read_menu_sgmt(dev->rsc_dump, page); ++ start_idx = mlx5_rsc_dump_read_menu_sgmt(dev->rsc_dump, page, size, start_idx); + + } while (err > 0); + diff --git a/queue-5.17/net-mlx5e-ct-fix-queued-up-restore-put-executing-after-relevant-ft-release.patch b/queue-5.17/net-mlx5e-ct-fix-queued-up-restore-put-executing-after-relevant-ft-release.patch new file mode 100644 index 00000000000..6ea3c2e58c9 --- /dev/null +++ b/queue-5.17/net-mlx5e-ct-fix-queued-up-restore-put-executing-after-relevant-ft-release.patch 
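Review bot: In mlx5_rsc_dump_read_menu_sgmt() the bound `if (size >= read_size)` is evaluated after `size` has been advanced past record i, so a record that ends exactly at `read_size` is treated as unread and its index is returned for the next page. If `read_size` is the count of valid bytes in the page (it is the `size` local of mlx5_rsc_dump_menu(), filled outside this hunk), the test would be `if (size > read_size)`; if `>=` is intended, a one-line comment saying why would help. The return contract is undocumented as well: a non-zero value is the record index to resume from and `return 0;` means the menu was consumed, which the caller feeds straight back as `start_idx`. Since `number_of_menu_items` is taken from the device response, this size check is the only visible guard against walking past the data that was read.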
@@ -0,0 +1,44 @@
+From b069e14fff46c8da9fcc79957f8acaa3e2dfdb6b Mon Sep 17 00:00:00 2001
+From: Paul Blakey
+Date: Tue, 29 Mar 2022 17:42:46 +0300
+Subject: net/mlx5e: CT: Fix queued up restore put() executing after relevant ft release
+
+From: Paul Blakey
+
+commit b069e14fff46c8da9fcc79957f8acaa3e2dfdb6b upstream.
+
+__mlx5_tc_ct_entry_put() queues release of tuple related to some ct FT,
+if that is the last reference to that tuple, the actual deletion of
+the tuple can happen after the FT is already destroyed and freed.
+
+Flush the used workqueue before destroying the ct FT.
+
+Fixes: a2173131526d ("net/mlx5e: CT: manage the lifetime of the ct entry object")
+Reviewed-by: Oz Shlomo
+Signed-off-by: Paul Blakey
+Signed-off-by: Saeed Mahameed
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c
+@@ -1739,6 +1739,8 @@ mlx5_tc_ct_flush_ft_entry(void *ptr, voi
+ static void
+ mlx5_tc_ct_del_ft_cb(struct mlx5_tc_ct_priv *ct_priv, struct mlx5_ct_ft *ft)
+ {
++ struct mlx5e_priv *priv;
++
+ if (!refcount_dec_and_test(&ft->refcount))
+ return;
+
+@@ -1748,6 +1750,8 @@ mlx5_tc_ct_del_ft_cb(struct mlx5_tc_ct_p
+ rhashtable_free_and_destroy(&ft->ct_entries_ht,
+ mlx5_tc_ct_flush_ft_entry,
+ ct_priv);
++ priv = netdev_priv(ct_priv->netdev);
++ flush_workqueue(priv->wq);
+ mlx5_tc_ct_free_pre_ct_tables(ft);
+ mapping_remove(ct_priv->zone_mapping, ft->zone_restore_id);
+ kfree(ft);
diff --git a/queue-5.17/net-mlx5e-don-t-match-double-vlan-packets-if-cvlan-is-not-set.patch b/queue-5.17/net-mlx5e-don-t-match-double-vlan-packets-if-cvlan-is-not-set.patch
new file mode 100644
index 00000000000..c5a564d8d0d
--- /dev/null
+++ b/queue-5.17/net-mlx5e-don-t-match-double-vlan-packets-if-cvlan-is-not-set.patch
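Review bot: The added `flush_workqueue(priv->wq)` in mlx5_tc_ct_del_ft_cb() carries no comment, and nothing in the hunk says which work items it waits for or why it must sit between rhashtable_free_and_destroy() and mlx5_tc_ct_free_pre_ct_tables(). A comment above it such as `/* wait for queued ct entry releases that may still reference ft */` would keep the ordering requirement from the commit message next to the code. `priv->wq` looks like a driver-wide workqueue, so the flush also waits for unrelated work. Whether mlx5_tc_ct_del_ft_cb() can itself be reached from a work item running on that queue is not visible here and is worth confirming, since flushing a workqueue from one of its own work items would not return.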
@@ -0,0 +1,44 @@
+From ada09af92e621ab500dd80a16d1d0299a18a1180 Mon Sep 17 00:00:00 2001
+From: Vlad Buslov
+Date: Mon, 28 Mar 2022 15:54:52 +0300
+Subject: net/mlx5e: Don't match double-vlan packets if cvlan is not set
+
+From: Vlad Buslov
+
+commit ada09af92e621ab500dd80a16d1d0299a18a1180 upstream.
+
+Currently, match VLAN rule also matches packets that have multiple VLAN
+headers. This behavior is similar to buggy flower classifier behavior that
+has recently been fixed. Fix the issue by matching on
+outer_second_cvlan_tag with value 0 which will cause the HW to verify the
+packet doesn't contain second vlan header.
+
+Fixes: 699e96ddf47f ("net/mlx5e: Support offloading tc double vlan headers match")
+Signed-off-by: Vlad Buslov
+Reviewed-by: Maor Dickman
+Signed-off-by: Saeed Mahameed
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
+@@ -2355,6 +2355,17 @@ static int __parse_cls_flower(struct mlx
+ match.key->vlan_priority);
+
+ *match_level = MLX5_MATCH_L2;
++
++ if (!flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_CVLAN) &&
++ match.mask->vlan_eth_type &&
++ MLX5_CAP_FLOWTABLE_TYPE(priv->mdev,
++ ft_field_support.outer_second_vid,
++ fs_type)) {
++ MLX5_SET(fte_match_set_misc, misc_c,
++ outer_second_cvlan_tag, 1);
++ spec->match_criteria_enable |=
++ MLX5_MATCH_MISC_PARAMETERS;
++ }
+ }
+ } else if (*match_level != MLX5_MATCH_NONE) {
+ /* cvlan_tag enabled in match criteria and
diff --git a/queue-5.17/net-mlx5e-fix-the-calling-of-update_buffer_lossy-api.patch b/queue-5.17/net-mlx5e-fix-the-calling-of-update_buffer_lossy-api.patch
new file mode 100644
index 00000000000..ea2707068d9
--- /dev/null
+++ b/queue-5.17/net-mlx5e-fix-the-calling-of-update_buffer_lossy-api.patch
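Review bot: The new block sets `outer_second_cvlan_tag` only in `misc_c`, so the match on value 0 that the commit message describes depends on the corresponding value field being left at zero, and no comment says so. A line such as `/* mask only: value stays 0, i.e. no second VLAN header */` above the MLX5_SET would make that explicit. The capability tested is `ft_field_support.outer_second_vid` while the field programmed is `outer_second_cvlan_tag`; whether that capability bit covers the tag field cannot be told from the hunk. __parse_cls_flower() starts and ends outside the hunk.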
@@ -0,0 +1,33 @@
+From c4d963a588a6e7c4ef31160e80697ae8e5a47746 Mon Sep 17 00:00:00 2001
+From: Mark Zhang
+Date: Wed, 6 Apr 2022 10:30:21 +0300
+Subject: net/mlx5e: Fix the calling of update_buffer_lossy() API
+
+From: Mark Zhang
+
+commit c4d963a588a6e7c4ef31160e80697ae8e5a47746 upstream.
+
+The arguments of update_buffer_lossy() is in a wrong order. Fix it.
+
+Fixes: 88b3d5c90e96 ("net/mlx5e: Fix port buffers cell size value")
+Signed-off-by: Mark Zhang
+Reviewed-by: Maor Gottlieb
+Signed-off-by: Saeed Mahameed
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en/port_buffer.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en/port_buffer.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/port_buffer.c
+@@ -309,8 +309,8 @@ int mlx5e_port_manual_buffer_config(stru
+ if (err)
+ return err;
+
+- err = update_buffer_lossy(max_mtu, curr_pfc_en, prio2buffer, port_buff_cell_sz,
+- xoff, &port_buffer, &update_buffer);
++ err = update_buffer_lossy(max_mtu, curr_pfc_en, prio2buffer, xoff,
++ port_buff_cell_sz, &port_buffer, &update_buffer);
+ if (err)
+ return err;
+ }
diff --git a/queue-5.17/net-mlx5e-fix-trust-state-reset-in-reload.patch b/queue-5.17/net-mlx5e-fix-trust-state-reset-in-reload.patch
new file mode 100644
index 00000000000..bd736c6cced
--- /dev/null
+++ b/queue-5.17/net-mlx5e-fix-trust-state-reset-in-reload.patch
@@ -0,0 +1,44 @@
+From b781bff882d16175277ca129c382886cb4c74a2c Mon Sep 17 00:00:00 2001
+From: Moshe Tal
+Date: Wed, 9 Feb 2022 19:23:56 +0200
+Subject: net/mlx5e: Fix trust state reset in reload
+
+From: Moshe Tal
+
+commit b781bff882d16175277ca129c382886cb4c74a2c upstream.
+
+Setting dscp2prio during the driver reload can cause dcb ieee app list to
+be not empty after the reload finish and as a result to a conflict between
+the priority trust state reported by the app and the state in the device
+register.
+
+Reset the dcb ieee app list on initialization in case this is
+conflicting with the register status.
+
+Fixes: 2a5e7a1344f4 ("net/mlx5e: Add dcbnl dscp to priority support")
+Signed-off-by: Moshe Tal
+Signed-off-by: Saeed Mahameed
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c
+@@ -1198,6 +1198,16 @@ static int mlx5e_trust_initialize(struct
+ if (err)
+ return err;
+
++ if (priv->dcbx_dp.trust_state == MLX5_QPTS_TRUST_PCP && priv->dcbx.dscp_app_cnt) {
++ /*
++ * Align the driver state with the register state.
++ * Temporary state change is required to enable the app list reset.
++ */
++ priv->dcbx_dp.trust_state = MLX5_QPTS_TRUST_DSCP;
++ mlx5e_dcbnl_delete_app(priv);
++ priv->dcbx_dp.trust_state = MLX5_QPTS_TRUST_PCP;
++ }
++
+ mlx5e_params_calc_trust_tx_min_inline_mode(priv->mdev, &priv->channels.params,
+ priv->dcbx_dp.trust_state);
+
diff --git a/queue-5.17/net-mlx5e-fix-wrong-source-vport-matching-on-tunnel-rule.patch b/queue-5.17/net-mlx5e-fix-wrong-source-vport-matching-on-tunnel-rule.patch
new file mode 100644
index 00000000000..165d4a10cc8
--- /dev/null
+++ b/queue-5.17/net-mlx5e-fix-wrong-source-vport-matching-on-tunnel-rule.patch
@@ -0,0 +1,46 @@
+From cb0d54cbf94866b48a73e10a73a55655f808cc7c Mon Sep 17 00:00:00 2001
+From: Ariel Levkovich
+Date: Tue, 15 Mar 2022 18:20:48 +0200
+Subject: net/mlx5e: Fix wrong source vport matching on tunnel rule
+
+From: Ariel Levkovich
+
+commit cb0d54cbf94866b48a73e10a73a55655f808cc7c upstream.
+
+When OVS internal port is the vtep device, the first decap
+rule is matching on the internal port's vport metadata value
+and then changes the metadata to be the uplink's value.
+
+Therefore, following rules on the tunnel, in chain > 0, should
+avoid matching on internal port metadata and use the uplink
+vport metadata instead.
+
+Select the uplink's metadata value for the source vport match
+in case the rule is in chain greater than zero, even if the tunnel
+route device is internal port.
+
+Fixes: 166f431ec6be ("net/mlx5e: Add indirect tc offload of ovs internal port")
+Signed-off-by: Ariel Levkovich
+Reviewed-by: Maor Dickman
+Signed-off-by: Saeed Mahameed
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
+index 3f63df127091..3b151332e2f8 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
+@@ -139,7 +139,7 @@ mlx5_eswitch_set_rule_source_port(struct mlx5_eswitch *esw,
+ if (mlx5_esw_indir_table_decap_vport(attr))
+ vport = mlx5_esw_indir_table_decap_vport(attr);
+
+- if (esw_attr->int_port)
++ if (attr && !attr->chain && esw_attr->int_port)
+ metadata =
+ mlx5e_tc_int_port_get_metadata_for_match(esw_attr->int_port);
+ else
+--
+2.36.1
+
diff --git a/queue-5.17/net-mlx5e-lag-don-t-skip-fib-events-on-current-dst.patch b/queue-5.17/net-mlx5e-lag-don-t-skip-fib-events-on-current-dst.patch
new file mode 100644
index 00000000000..ea67c500e0a
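Review bot: The new condition `attr && !attr->chain && esw_attr->int_port` tests `attr` for NULL, yet two context lines earlier `attr` is already handed to mlx5_esw_indir_table_decap_vport() and `esw_attr` is initialised before the hunk begins. If `esw_attr` is derived from `attr` there, the NULL test is either redundant or comes too late, and `if (!attr->chain && esw_attr->int_port)` would say the same thing. If `attr` can legitimately be NULL on some path, a short comment naming that caller would help the next reader. The function body starts and ends outside the hunk, so the initialisation of `esw_attr` could not be checked.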
--- /dev/null
+++ b/queue-5.17/net-mlx5e-lag-don-t-skip-fib-events-on-current-dst.patch
@@ -0,0 +1,107 @@ +From 4a2a664ed87962c4ddb806a84b5c9634820bcf55 Mon Sep 17 00:00:00 2001 +From: Vlad Buslov +Date: Mon, 18 Apr 2022 17:40:37 +0300 +Subject: net/mlx5e: Lag, Don't skip fib events on current dst + +From: Vlad Buslov + +commit 4a2a664ed87962c4ddb806a84b5c9634820bcf55 upstream. + +Referenced change added check to skip updating fib when new fib instance +has same or lower priority. However, new fib instance can be an update on +same dst address as existing one even though the structure is another +instance that has different address. Ignoring events on such instances +causes multipath LAG state to not be correctly updated. + +Track 'dst' and 'dst_len' fields of fib event fib_entry_notifier_info +structure and don't skip events that have the same value of that fields. + +Fixes: ad11c4f1d8fd ("net/mlx5e: Lag, Only handle events from highest priority multipath entry") +Signed-off-by: Vlad Buslov +Reviewed-by: Maor Dickman +Signed-off-by: Saeed Mahameed +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/lag/mp.c | 20 ++++++++++++-------- + drivers/net/ethernet/mellanox/mlx5/core/lag/mp.h | 2 ++ + 2 files changed, 14 insertions(+), 8 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/lag/mp.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/lag/mp.c +@@ -100,10 +100,12 @@ static void mlx5_lag_fib_event_flush(str + flush_workqueue(mp->wq); + } + +-static void mlx5_lag_fib_set(struct lag_mp *mp, struct fib_info *fi) ++static void mlx5_lag_fib_set(struct lag_mp *mp, struct fib_info *fi, u32 dst, int dst_len) + { + mp->fib.mfi = fi; + mp->fib.priority = fi->fib_priority; ++ mp->fib.dst = dst; ++ mp->fib.dst_len = dst_len; + } + + struct mlx5_fib_event_work { +@@ -116,10 +118,10 @@ struct mlx5_fib_event_work { + }; + }; + +-static void mlx5_lag_fib_route_event(struct mlx5_lag *ldev, +- unsigned long event, +- struct fib_info *fi) ++static void mlx5_lag_fib_route_event(struct mlx5_lag *ldev, unsigned long event, ++ struct 
fib_entry_notifier_info *fen_info) + { ++ struct fib_info *fi = fen_info->fi; + struct lag_mp *mp = &ldev->lag_mp; + struct fib_nh *fib_nh0, *fib_nh1; + unsigned int nhs; +@@ -133,7 +135,9 @@ static void mlx5_lag_fib_route_event(str + } + + /* Handle multipath entry with lower priority value */ +- if (mp->fib.mfi && mp->fib.mfi != fi && fi->fib_priority >= mp->fib.priority) ++ if (mp->fib.mfi && mp->fib.mfi != fi && ++ (mp->fib.dst != fen_info->dst || mp->fib.dst_len != fen_info->dst_len) && ++ fi->fib_priority >= mp->fib.priority) + return; + + /* Handle add/replace event */ +@@ -149,7 +153,7 @@ static void mlx5_lag_fib_route_event(str + + i++; + mlx5_lag_set_port_affinity(ldev, i); +- mlx5_lag_fib_set(mp, fi); ++ mlx5_lag_fib_set(mp, fi, fen_info->dst, fen_info->dst_len); + } + + return; +@@ -179,7 +183,7 @@ static void mlx5_lag_fib_route_event(str + } + + mlx5_lag_set_port_affinity(ldev, MLX5_LAG_NORMAL_AFFINITY); +- mlx5_lag_fib_set(mp, fi); ++ mlx5_lag_fib_set(mp, fi, fen_info->dst, fen_info->dst_len); + } + + static void mlx5_lag_fib_nexthop_event(struct mlx5_lag *ldev, +@@ -220,7 +224,7 @@ static void mlx5_lag_fib_update(struct w + case FIB_EVENT_ENTRY_REPLACE: + case FIB_EVENT_ENTRY_DEL: + mlx5_lag_fib_route_event(ldev, fib_work->event, +- fib_work->fen_info.fi); ++ &fib_work->fen_info); + fib_info_put(fib_work->fen_info.fi); + break; + case FIB_EVENT_NH_ADD: +--- a/drivers/net/ethernet/mellanox/mlx5/core/lag/mp.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/lag/mp.h +@@ -18,6 +18,8 @@ struct lag_mp { + struct { + const void *mfi; /* used in tracking fib events */ + u32 priority; ++ u32 dst; ++ int dst_len; + } fib; + struct workqueue_struct *wq; + }; diff --git a/queue-5.17/net-mlx5e-lag-fix-fib_info-pointer-assignment.patch b/queue-5.17/net-mlx5e-lag-fix-fib_info-pointer-assignment.patch new file mode 100644 index 00000000000..c2413fdd998 --- /dev/null +++ b/queue-5.17/net-mlx5e-lag-fix-fib_info-pointer-assignment.patch 
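Review bot: The comment `/* Handle multipath entry with lower priority value */` in mlx5_lag_fib_route_event() no longer describes the test below it, which now also lets through any event whose `dst` and `dst_len` equal the cached ones regardless of priority. Suggested wording: `/* Ignore entries with an equal or higher priority value, unless they are for the tracked dst */`. The new `dst` and `dst_len` members in mp.h have no comment either; something like `/* valid only while mfi is set */` would document that the condition reads them only behind the `mp->fib.mfi` check. The function continues outside the hunks shown.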
@@ -0,0 +1,35 @@
+From a6589155ec9847918e00e7279b8aa6d4c272bea7 Mon Sep 17 00:00:00 2001
+From: Vlad Buslov
+Date: Mon, 18 Apr 2022 17:32:54 +0300
+Subject: net/mlx5e: Lag, Fix fib_info pointer assignment
+
+From: Vlad Buslov
+
+commit a6589155ec9847918e00e7279b8aa6d4c272bea7 upstream.
+
+Referenced change incorrectly sets single path fib_info even when LAG is
+not active. Fix it by moving call to mlx5_lag_fib_set() into conditional
+that verifies LAG state.
+
+Fixes: ad11c4f1d8fd ("net/mlx5e: Lag, Only handle events from highest priority multipath entry")
+Signed-off-by: Vlad Buslov
+Reviewed-by: Maor Dickman
+Signed-off-by: Saeed Mahameed
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/mellanox/mlx5/core/lag/mp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/lag/mp.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/lag/mp.c
+@@ -149,9 +149,9 @@ static void mlx5_lag_fib_route_event(str
+
+ i++;
+ mlx5_lag_set_port_affinity(ldev, i);
++ mlx5_lag_fib_set(mp, fi);
+ }
+
+- mlx5_lag_fib_set(mp, fi);
+ return;
+ }
+
diff --git a/queue-5.17/net-mlx5e-lag-fix-use-after-free-in-fib-event-handler.patch b/queue-5.17/net-mlx5e-lag-fix-use-after-free-in-fib-event-handler.patch
new file mode 100644
index 00000000000..091685a3bb8
--- /dev/null
+++ b/queue-5.17/net-mlx5e-lag-fix-use-after-free-in-fib-event-handler.patch
@@ -0,0 +1,240 @@ +From 27b0420fd959e38e3500e60b637d39dfab065645 Mon Sep 17 00:00:00 2001 +From: Vlad Buslov +Date: Mon, 18 Apr 2022 17:32:19 +0300 +Subject: net/mlx5e: Lag, Fix use-after-free in fib event handler + +From: Vlad Buslov + +commit 27b0420fd959e38e3500e60b637d39dfab065645 upstream. + +Recent commit that modified fib route event handler to handle events +according to their priority introduced use-after-free[0] in mp->mfi pointer +usage. The pointer now is not just cached in order to be compared to +following fib_info instances, but is also dereferenced to obtain +fib_priority. However, since mlx5 lag code doesn't hold the reference to +fin_info during whole mp->mfi lifetime, it could be used after fib_info +instance has already been freed be kernel infrastructure code. + +Don't ever dereference mp->mfi pointer. Refactor it to be 'const void*' +type and cache fib_info priority in dedicated integer. Group +fib_info-related data into dedicated 'fib' structure that will be further +extended by following patches in the series. + +[0]: + +[ 203.588029] ================================================================== +[ 203.590161] BUG: KASAN: use-after-free in mlx5_lag_fib_update+0xabd/0xd60 [mlx5_core] +[ 203.592386] Read of size 4 at addr ffff888144df2050 by task kworker/u20:4/138 + +[ 203.594766] CPU: 3 PID: 138 Comm: kworker/u20:4 Tainted: G B 5.17.0-rc7+ #6 +[ 203.596751] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 +[ 203.598813] Workqueue: mlx5_lag_mp mlx5_lag_fib_update [mlx5_core] +[ 203.600053] Call Trace: +[ 203.600608] +[ 203.601110] dump_stack_lvl+0x48/0x5e +[ 203.601860] print_address_description.constprop.0+0x1f/0x160 +[ 203.602950] ? mlx5_lag_fib_update+0xabd/0xd60 [mlx5_core] +[ 203.604073] ? mlx5_lag_fib_update+0xabd/0xd60 [mlx5_core] +[ 203.605177] kasan_report.cold+0x83/0xdf +[ 203.605969] ? 
mlx5_lag_fib_update+0xabd/0xd60 [mlx5_core] +[ 203.607102] mlx5_lag_fib_update+0xabd/0xd60 [mlx5_core] +[ 203.608199] ? mlx5_lag_init_fib_work+0x1c0/0x1c0 [mlx5_core] +[ 203.609382] ? read_word_at_a_time+0xe/0x20 +[ 203.610463] ? strscpy+0xa0/0x2a0 +[ 203.611463] process_one_work+0x722/0x1270 +[ 203.612344] worker_thread+0x540/0x11e0 +[ 203.613136] ? rescuer_thread+0xd50/0xd50 +[ 203.613949] kthread+0x26e/0x300 +[ 203.614627] ? kthread_complete_and_exit+0x20/0x20 +[ 203.615542] ret_from_fork+0x1f/0x30 +[ 203.616273] + +[ 203.617174] Allocated by task 3746: +[ 203.617874] kasan_save_stack+0x1e/0x40 +[ 203.618644] __kasan_kmalloc+0x81/0xa0 +[ 203.619394] fib_create_info+0xb41/0x3c50 +[ 203.620213] fib_table_insert+0x190/0x1ff0 +[ 203.621020] fib_magic.isra.0+0x246/0x2e0 +[ 203.621803] fib_add_ifaddr+0x19f/0x670 +[ 203.622563] fib_inetaddr_event+0x13f/0x270 +[ 203.623377] blocking_notifier_call_chain+0xd4/0x130 +[ 203.624355] __inet_insert_ifa+0x641/0xb20 +[ 203.625185] inet_rtm_newaddr+0xc3d/0x16a0 +[ 203.626009] rtnetlink_rcv_msg+0x309/0x880 +[ 203.626826] netlink_rcv_skb+0x11d/0x340 +[ 203.627626] netlink_unicast+0x4cc/0x790 +[ 203.628430] netlink_sendmsg+0x762/0xc00 +[ 203.629230] sock_sendmsg+0xb2/0xe0 +[ 203.629955] ____sys_sendmsg+0x58a/0x770 +[ 203.630756] ___sys_sendmsg+0xd8/0x160 +[ 203.631523] __sys_sendmsg+0xb7/0x140 +[ 203.632294] do_syscall_64+0x35/0x80 +[ 203.633045] entry_SYSCALL_64_after_hwframe+0x44/0xae + +[ 203.634427] Freed by task 0: +[ 203.635063] kasan_save_stack+0x1e/0x40 +[ 203.635844] kasan_set_track+0x21/0x30 +[ 203.636618] kasan_set_free_info+0x20/0x30 +[ 203.637450] __kasan_slab_free+0xfc/0x140 +[ 203.638271] kfree+0x94/0x3b0 +[ 203.638903] rcu_core+0x5e4/0x1990 +[ 203.639640] __do_softirq+0x1ba/0x5d3 + +[ 203.640828] Last potentially related work creation: +[ 203.641785] kasan_save_stack+0x1e/0x40 +[ 203.642571] __kasan_record_aux_stack+0x9f/0xb0 +[ 203.643478] call_rcu+0x88/0x9c0 +[ 203.644178] fib_release_info+0x539/0x750 +[ 
203.644997] fib_table_delete+0x659/0xb80 +[ 203.645809] fib_magic.isra.0+0x1a3/0x2e0 +[ 203.646617] fib_del_ifaddr+0x93f/0x1300 +[ 203.647415] fib_inetaddr_event+0x9f/0x270 +[ 203.648251] blocking_notifier_call_chain+0xd4/0x130 +[ 203.649225] __inet_del_ifa+0x474/0xc10 +[ 203.650016] devinet_ioctl+0x781/0x17f0 +[ 203.650788] inet_ioctl+0x1ad/0x290 +[ 203.651533] sock_do_ioctl+0xce/0x1c0 +[ 203.652315] sock_ioctl+0x27b/0x4f0 +[ 203.653058] __x64_sys_ioctl+0x124/0x190 +[ 203.653850] do_syscall_64+0x35/0x80 +[ 203.654608] entry_SYSCALL_64_after_hwframe+0x44/0xae + +[ 203.666952] The buggy address belongs to the object at ffff888144df2000 + which belongs to the cache kmalloc-256 of size 256 +[ 203.669250] The buggy address is located 80 bytes inside of + 256-byte region [ffff888144df2000, ffff888144df2100) +[ 203.671332] The buggy address belongs to the page: +[ 203.672273] page:00000000bf6c9314 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x144df0 +[ 203.674009] head:00000000bf6c9314 order:2 compound_mapcount:0 compound_pincount:0 +[ 203.675422] flags: 0x2ffff800010200(slab|head|node=0|zone=2|lastcpupid=0x1ffff) +[ 203.676819] raw: 002ffff800010200 0000000000000000 dead000000000122 ffff888100042b40 +[ 203.678384] raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000 +[ 203.679928] page dumped because: kasan: bad access detected + +[ 203.681455] Memory state around the buggy address: +[ 203.682421] ffff888144df1f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 203.683863] ffff888144df1f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 203.685310] >ffff888144df2000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 203.686701] ^ +[ 203.687820] ffff888144df2080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 203.689226] ffff888144df2100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 203.690620] ================================================================== + +Fixes: ad11c4f1d8fd ("net/mlx5e: Lag, Only handle 
events from highest priority multipath entry") +Signed-off-by: Vlad Buslov +Reviewed-by: Maor Dickman +Reviewed-by: Leon Romanovsky +Signed-off-by: Saeed Mahameed +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/lag/mp.c | 26 ++++++++++++++--------- + drivers/net/ethernet/mellanox/mlx5/core/lag/mp.h | 5 +++- + 2 files changed, 20 insertions(+), 11 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/lag/mp.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/lag/mp.c +@@ -100,6 +100,12 @@ static void mlx5_lag_fib_event_flush(str + flush_workqueue(mp->wq); + } + ++static void mlx5_lag_fib_set(struct lag_mp *mp, struct fib_info *fi) ++{ ++ mp->fib.mfi = fi; ++ mp->fib.priority = fi->fib_priority; ++} ++ + struct mlx5_fib_event_work { + struct work_struct work; + struct mlx5_lag *ldev; +@@ -121,13 +127,13 @@ static void mlx5_lag_fib_route_event(str + /* Handle delete event */ + if (event == FIB_EVENT_ENTRY_DEL) { + /* stop track */ +- if (mp->mfi == fi) +- mp->mfi = NULL; ++ if (mp->fib.mfi == fi) ++ mp->fib.mfi = NULL; + return; + } + + /* Handle multipath entry with lower priority value */ +- if (mp->mfi && mp->mfi != fi && fi->fib_priority >= mp->mfi->fib_priority) ++ if (mp->fib.mfi && mp->fib.mfi != fi && fi->fib_priority >= mp->fib.priority) + return; + + /* Handle add/replace event */ +@@ -145,7 +151,7 @@ static void mlx5_lag_fib_route_event(str + mlx5_lag_set_port_affinity(ldev, i); + } + +- mp->mfi = fi; ++ mlx5_lag_fib_set(mp, fi); + return; + } + +@@ -165,7 +171,7 @@ static void mlx5_lag_fib_route_event(str + } + + /* First time we see multipath route */ +- if (!mp->mfi && !__mlx5_lag_is_active(ldev)) { ++ if (!mp->fib.mfi && !__mlx5_lag_is_active(ldev)) { + struct lag_tracker tracker; + + tracker = ldev->tracker; +@@ -173,7 +179,7 @@ static void mlx5_lag_fib_route_event(str + } + + mlx5_lag_set_port_affinity(ldev, MLX5_LAG_NORMAL_AFFINITY); +- mp->mfi = fi; ++ mlx5_lag_fib_set(mp, fi); + } + + static void 
mlx5_lag_fib_nexthop_event(struct mlx5_lag *ldev, +@@ -184,7 +190,7 @@ static void mlx5_lag_fib_nexthop_event(s + struct lag_mp *mp = &ldev->lag_mp; + + /* Check the nh event is related to the route */ +- if (!mp->mfi || mp->mfi != fi) ++ if (!mp->fib.mfi || mp->fib.mfi != fi) + return; + + /* nh added/removed */ +@@ -313,7 +319,7 @@ void mlx5_lag_mp_reset(struct mlx5_lag * + /* Clear mfi, as it might become stale when a route delete event + * has been missed, see mlx5_lag_fib_route_event(). + */ +- ldev->lag_mp.mfi = NULL; ++ ldev->lag_mp.fib.mfi = NULL; + } + + int mlx5_lag_mp_init(struct mlx5_lag *ldev) +@@ -324,7 +330,7 @@ int mlx5_lag_mp_init(struct mlx5_lag *ld + /* always clear mfi, as it might become stale when a route delete event + * has been missed + */ +- mp->mfi = NULL; ++ mp->fib.mfi = NULL; + + if (mp->fib_nb.notifier_call) + return 0; +@@ -354,5 +360,5 @@ void mlx5_lag_mp_cleanup(struct mlx5_lag + unregister_fib_notifier(&init_net, &mp->fib_nb); + destroy_workqueue(mp->wq); + mp->fib_nb.notifier_call = NULL; +- mp->mfi = NULL; ++ mp->fib.mfi = NULL; + } +--- a/drivers/net/ethernet/mellanox/mlx5/core/lag/mp.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/lag/mp.h +@@ -15,7 +15,10 @@ enum mlx5_lag_port_affinity { + + struct lag_mp { + struct notifier_block fib_nb; +- struct fib_info *mfi; /* used in tracking fib events */ ++ struct { ++ const void *mfi; /* used in tracking fib events */ ++ u32 priority; ++ } fib; + struct workqueue_struct *wq; + }; + diff --git a/queue-5.17/net-mlx5e-tc-fix-decap-fallback-to-uplink-when-int-port-not-supported.patch b/queue-5.17/net-mlx5e-tc-fix-decap-fallback-to-uplink-when-int-port-not-supported.patch new file mode 100644 index 00000000000..1c9ab4247d5 --- /dev/null +++ b/queue-5.17/net-mlx5e-tc-fix-decap-fallback-to-uplink-when-int-port-not-supported.patch 
@@ -0,0 +1,51 @@
+From e3fdc71bcb6ffe1d4870a89252ba296a9558e294 Mon Sep 17 00:00:00 2001
+From: Ariel Levkovich
+Date: Mon, 25 Apr 2022 17:12:12 +0300
+Subject: net/mlx5e: TC, fix decap fallback to uplink when int port not supported
+
+From: Ariel Levkovich
+
+commit e3fdc71bcb6ffe1d4870a89252ba296a9558e294 upstream.
+
+When resolving the decap route device for a tunnel decap rule,
+the result may be an OVS internal port device.
+
+Prior to adding the support for internal port offload, such case
+would result in using the uplink as the default decap route device
+which allowed devices that can't support internal port offload
+to offload this decap rule.
+
+This behavior got broken by adding the internal port offload which
+will fail in case the device can't support internal port offload.
+
+To restore the old behavior, use the uplink device as the decap
+route as before when internal port offload is not supported.
+
+Fixes: b16eb3c81fe2 ("net/mlx5: Support internal port as decap route device")
+Signed-off-by: Ariel Levkovich
+Reviewed-by: Maor Dickman
+Signed-off-by: Saeed Mahameed
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c
+@@ -713,6 +713,7 @@ int mlx5e_tc_tun_route_lookup(struct mlx
+ struct net_device *filter_dev)
+ {
+ struct mlx5_esw_flow_attr *esw_attr = flow_attr->esw_attr;
++ struct mlx5_eswitch *esw = priv->mdev->priv.eswitch;
+ struct mlx5e_tc_int_port *int_port;
+ TC_TUN_ROUTE_ATTR_INIT(attr);
+ u16 vport_num;
+@@ -747,7 +748,7 @@ int mlx5e_tc_tun_route_lookup(struct mlx
+ esw_attr->rx_tun_attr->vni = MLX5_GET(fte_match_param, spec->match_value,
+ misc_parameters.vxlan_vni);
+ esw_attr->rx_tun_attr->decap_vport = vport_num;
+- } else if (netif_is_ovs_master(attr.route_dev)) {
++ } else if (netif_is_ovs_master(attr.route_dev) && mlx5e_tc_int_port_supported(esw)) {
+ int_port = mlx5e_tc_int_port_get(mlx5e_get_int_port_priv(priv),
+ attr.route_dev->ifindex,
+ MLX5E_TC_INT_PORT_INGRESS);
diff --git a/queue-5.17/nfc-netlink-fix-sleep-in-atomic-bug-when-firmware-download-timeout.patch b/queue-5.17/nfc-netlink-fix-sleep-in-atomic-bug-when-firmware-download-timeout.patch
new file mode 100644
index 00000000000..111e09ecafc
--- /dev/null
+++ b/queue-5.17/nfc-netlink-fix-sleep-in-atomic-bug-when-firmware-download-timeout.patch
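Review bot: The new `&& mlx5e_tc_int_port_supported(esw)` test on the `else if` in mlx5e_tc_tun_route_lookup() makes an OVS master route device skip the internal-port branch silently when the offload is unsupported, and nothing in the code records that this is the intended uplink fallback described in the commit message. A one-line comment above the branch would keep a later cleanup from dropping the check, e.g. `/* no int-port offload: keep the uplink as decap route device, as before int-port support */`. The function body continues outside the hunk, so what the fall-through path actually does cannot be confirmed from here.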
@@ -0,0 +1,65 @@
+From 4071bf121d59944d5cd2238de0642f3d7995a997 Mon Sep 17 00:00:00 2001
+From: Duoming Zhou
+Date: Wed, 4 May 2022 13:58:47 +0800
+Subject: NFC: netlink: fix sleep in atomic bug when firmware download timeout
+
+From: Duoming Zhou
+
+commit 4071bf121d59944d5cd2238de0642f3d7995a997 upstream.
+
+There are sleep in atomic bug that could cause kernel panic during
+firmware download process. The root cause is that nlmsg_new with
+GFP_KERNEL parameter is called in fw_dnld_timeout which is a timer
+handler. The call trace is shown below:
+
+BUG: sleeping function called from invalid context at include/linux/sched/mm.h:265
+Call Trace:
+kmem_cache_alloc_node
+__alloc_skb
+nfc_genl_fw_download_done
+call_timer_fn
+__run_timers.part.0
+run_timer_softirq
+__do_softirq
+...
+
+The nlmsg_new with GFP_KERNEL parameter may sleep during memory
+allocation process, and the timer handler is run as the result of
+a "software interrupt" that should not call any other function
+that could sleep.
+
+This patch changes allocation mode of netlink message from GFP_KERNEL
+to GFP_ATOMIC in order to prevent sleep in atomic bug. The GFP_ATOMIC
+flag makes memory allocation operation could be used in atomic context.
+
+Fixes: 9674da8759df ("NFC: Add firmware upload netlink command")
+Fixes: 9ea7187c53f6 ("NFC: netlink: Rename CMD_FW_UPLOAD to CMD_FW_DOWNLOAD")
+Signed-off-by: Duoming Zhou
+Reviewed-by: Krzysztof Kozlowski
+Link: https://lore.kernel.org/r/20220504055847.38026-1-duoming@zju.edu.cn
+Signed-off-by: Paolo Abeni
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/nfc/netlink.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/nfc/netlink.c
++++ b/net/nfc/netlink.c
+@@ -1244,7 +1244,7 @@ int nfc_genl_fw_download_done(struct nfc
+ struct sk_buff *msg;
+ void *hdr;
+
+- msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
++ msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
+ if (!msg)
+ return -ENOMEM;
+
+@@ -1260,7 +1260,7 @@ int nfc_genl_fw_download_done(struct nfc
+
+ genlmsg_end(msg, hdr);
+
+- genlmsg_multicast(&nfc_genl_family, msg, 0, 0, GFP_KERNEL);
++ genlmsg_multicast(&nfc_genl_family, msg, 0, 0, GFP_ATOMIC);
+
+ return 0;
+
diff --git a/queue-5.17/nfc-nfcmrvl-main-reorder-destructive-operations-in-nfcmrvl_nci_unregister_dev-to-avoid-bugs.patch b/queue-5.17/nfc-nfcmrvl-main-reorder-destructive-operations-in-nfcmrvl_nci_unregister_dev-to-avoid-bugs.patch
new file mode 100644
index 00000000000..53c7e59da33
--- /dev/null
+++ b/queue-5.17/nfc-nfcmrvl-main-reorder-destructive-operations-in-nfcmrvl_nci_unregister_dev-to-avoid-bugs.patch
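Review bot: `genlmsg_multicast(&nfc_genl_family, msg, 0, 0, GFP_ATOMIC);` still discards its return value and nfc_genl_fw_download_done() returns 0 right after it, so an undelivered firmware-download-done event is invisible to the caller, and with GFP_ATOMIC an allocation failure on this path is more likely than it was with GFP_KERNEL. If dropping the event is deliberate, record it next to the call, e.g. `/* best effort: an undelivered event does not fail the download */`. The switch to GFP_ATOMIC is also unconditional, while the commit message names only fw_dnld_timeout as an atomic caller, so any process-context callers lose the sleeping allocation as well; a comment on the `nlmsg_new()` line naming the timer caller would explain why. The function body is only partly visible in the two inner hunks.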
@@ -0,0 +1,113 @@
+From d270453a0d9ec10bb8a802a142fb1b3601a83098 Mon Sep 17 00:00:00 2001
+From: Duoming Zhou
+Date: Fri, 29 Apr 2022 20:45:51 +0800
+Subject: nfc: nfcmrvl: main: reorder destructive operations in nfcmrvl_nci_unregister_dev to avoid bugs
+
+From: Duoming Zhou
+
+commit d270453a0d9ec10bb8a802a142fb1b3601a83098 upstream.
+
+There are destructive operations such as nfcmrvl_fw_dnld_abort and
+gpio_free in nfcmrvl_nci_unregister_dev. The resources such as firmware,
+gpio and so on could be destructed while the upper layer functions such as
+nfcmrvl_fw_dnld_start and nfcmrvl_nci_recv_frame is executing, which leads
+to double-free, use-after-free and null-ptr-deref bugs.
+
+There are three situations that could lead to double-free bugs.
+
+The first situation is shown below:
+
+ (Thread 1) | (Thread 2)
+nfcmrvl_fw_dnld_start |
+ ... | nfcmrvl_nci_unregister_dev
+ release_firmware() | nfcmrvl_fw_dnld_abort
+ kfree(fw) //(1) | fw_dnld_over
+ | release_firmware
+ ... | kfree(fw) //(2)
+ | ...
+
+The second situation is shown below:
+
+ (Thread 1) | (Thread 2)
+nfcmrvl_fw_dnld_start |
+ ... |
+ mod_timer |
+ (wait a time) |
+ fw_dnld_timeout | nfcmrvl_nci_unregister_dev
+ fw_dnld_over | nfcmrvl_fw_dnld_abort
+ release_firmware | fw_dnld_over
+ kfree(fw) //(1) | release_firmware
+ ... | kfree(fw) //(2)
+
+The third situation is shown below:
+
+ (Thread 1) | (Thread 2)
+nfcmrvl_nci_recv_frame |
+ if(..->fw_download_in_progress)|
+ nfcmrvl_fw_dnld_recv_frame |
+ queue_work |
+ |
+fw_dnld_rx_work | nfcmrvl_nci_unregister_dev
+ fw_dnld_over | nfcmrvl_fw_dnld_abort
+ release_firmware | fw_dnld_over
+ kfree(fw) //(1) | release_firmware
+ | kfree(fw) //(2)
+
+The firmware struct is deallocated in position (1) and deallocated
+in position (2) again.
+
+The crash trace triggered by POC is like below:
+
+BUG: KASAN: double-free or invalid-free in fw_dnld_over
+Call Trace:
+ kfree
+ fw_dnld_over
+ nfcmrvl_nci_unregister_dev
+ nci_uart_tty_close
+ tty_ldisc_kill
+ tty_ldisc_hangup
+ __tty_hangup.part.0
+ tty_release
+ ...
+
+What's more, there are also use-after-free and null-ptr-deref bugs
+in nfcmrvl_fw_dnld_start. If we deallocate firmware struct, gpio or
+set null to the members of priv->fw_dnld in nfcmrvl_nci_unregister_dev,
+then, we dereference firmware, gpio or the members of priv->fw_dnld in
+nfcmrvl_fw_dnld_start, the UAF or NPD bugs will happen.
+
+This patch reorders destructive operations after nci_unregister_device
+in order to synchronize between cleanup routine and firmware download
+routine.
+
+The nci_unregister_device is well synchronized. If the device is
+detaching, the firmware download routine will goto error. If firmware
+download routine is executing, nci_unregister_device will wait until
+firmware download routine is finished.
+
+Fixes: 3194c6870158 ("NFC: nfcmrvl: add firmware download support")
+Signed-off-by: Duoming Zhou
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/nfc/nfcmrvl/main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/nfc/nfcmrvl/main.c
++++ b/drivers/nfc/nfcmrvl/main.c
+@@ -183,6 +183,7 @@ void nfcmrvl_nci_unregister_dev(struct n
+ {
+ struct nci_dev *ndev = priv->ndev;
+
++ nci_unregister_device(ndev);
+ if (priv->ndev->nfc_dev->fw_download_in_progress)
+ nfcmrvl_fw_dnld_abort(priv);
+
+@@ -191,7 +192,6 @@ void nfcmrvl_nci_unregister_dev(struct n
+ if (gpio_is_valid(priv->config.reset_n_io))
+ gpio_free(priv->config.reset_n_io);
+
+- nci_unregister_device(ndev);
+ nci_free_device(ndev);
+ kfree(priv);
+ }
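Review bot: After the reorder, `if (priv->ndev->nfc_dev->fw_download_in_progress)` is tested after `nci_unregister_device(ndev)` with no lock visible in the hunk, while two of the three double-free scenarios in the commit message run from a timer (fw_dnld_timeout) and a work item (fw_dnld_rx_work) rather than from the netlink download path. Whether nci_unregister_device() also waits for that timer and work item cannot be seen from here; if it does not, the flag can still change between the test and nfcmrvl_fw_dnld_abort(), so it is worth confirming that both are quiesced before the firmware is released and saying so in a comment above the check. As a style point the test can use the local already declared: `if (ndev->nfc_dev->fw_download_in_progress)`.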
diff --git a/queue-5.17/nfc-replace-improper-check-device_is_registered-in-netlink-related-functions.patch b/queue-5.17/nfc-replace-improper-check-device_is_registered-in-netlink-related-functions.patch
new file mode 100644
index 00000000000..5fd0b0e2851
--- /dev/null
+++ b/queue-5.17/nfc-replace-improper-check-device_is_registered-in-netlink-related-functions.patch
@@ -0,0 +1,172 @@
+From da5c0f119203ad9728920456a0f52a6d850c01cd Mon Sep 17 00:00:00 2001
+From: Duoming Zhou
+Date: Fri, 29 Apr 2022 20:45:50 +0800
+Subject: nfc: replace improper check device_is_registered() in netlink related functions
+
+From: Duoming Zhou
+
+commit da5c0f119203ad9728920456a0f52a6d850c01cd upstream.
+
+The device_is_registered() in nfc core is used to check whether
+nfc device is registered in netlink related functions such as
+nfc_fw_download(), nfc_dev_up() and so on. Although device_is_registered()
+is protected by device_lock, there is still a race condition between
+device_del() and device_is_registered(). The root cause is that
+kobject_del() in device_del() is not protected by device_lock.
+
+ (cleanup task) | (netlink task)
+ |
+nfc_unregister_device | nfc_fw_download
+ device_del | device_lock
+ ... | if (!device_is_registered)//(1)
+ kobject_del//(2) | ...
+ ... | device_unlock
+
+The device_is_registered() returns the value of state_in_sysfs and
+the state_in_sysfs is set to zero in kobject_del(). If we pass check in
+position (1), then set zero in position (2). As a result, the check
+in position (1) is useless.
+
+This patch uses bool variable instead of device_is_registered() to judge
+whether the nfc device is registered, which is well synchronized.
+
+Fixes: 3e256b8f8dfa ("NFC: add nfc subsystem core")
+Signed-off-by: Duoming Zhou
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/nfc/core.c | 29 ++++++++++++++---------------
+ 1 file changed, 14 insertions(+), 15 deletions(-)
+
+--- a/net/nfc/core.c
++++ b/net/nfc/core.c
+@@ -38,7 +38,7 @@ int nfc_fw_download(struct nfc_dev *dev,
+
+ device_lock(&dev->dev);
+
+- if (!device_is_registered(&dev->dev)) {
++ if (dev->shutting_down) {
+ rc = -ENODEV;
+ goto error;
+ }
+@@ -94,7 +94,7 @@ int nfc_dev_up(struct nfc_dev *dev)
+
+ device_lock(&dev->dev);
+
+- if (!device_is_registered(&dev->dev)) {
++ if (dev->shutting_down) {
+ rc = -ENODEV;
+ goto error;
+ }
+@@ -142,7 +142,7 @@ int nfc_dev_down(struct nfc_dev *dev)
+
+ device_lock(&dev->dev);
+
+- if (!device_is_registered(&dev->dev)) {
++ if (dev->shutting_down) {
+ rc = -ENODEV;
+ goto error;
+ }
+@@ -207,7 +207,7 @@ int nfc_start_poll(struct nfc_dev *dev,
+
+ device_lock(&dev->dev);
+
+- if (!device_is_registered(&dev->dev)) {
++ if (dev->shutting_down) {
+ rc = -ENODEV;
+ goto error;
+ }
+@@ -246,7 +246,7 @@ int nfc_stop_poll(struct nfc_dev *dev)
+
+ device_lock(&dev->dev);
+
+- if (!device_is_registered(&dev->dev)) {
++ if (dev->shutting_down) {
+ rc = -ENODEV;
+ goto error;
+ }
+@@ -291,7 +291,7 @@ int nfc_dep_link_up(struct nfc_dev *dev,
+
+ device_lock(&dev->dev);
+
+- if (!device_is_registered(&dev->dev)) {
++ if (dev->shutting_down) {
+ rc = -ENODEV;
+ goto error;
+ }
+@@ -335,7 +335,7 @@ int nfc_dep_link_down(struct nfc_dev *de
+
+ device_lock(&dev->dev);
+
+- if (!device_is_registered(&dev->dev)) {
++ if (dev->shutting_down) {
+ rc = -ENODEV;
+ goto error;
+ }
+@@ -401,7 +401,7 @@ int nfc_activate_target(struct nfc_dev *
+
+ device_lock(&dev->dev);
+
+- if (!device_is_registered(&dev->dev)) {
++ if (dev->shutting_down) {
+ rc = -ENODEV;
+ goto error;
+ }
+@@ -448,7 +448,7 @@ int nfc_deactivate_target(struct nfc_dev
+
+ device_lock(&dev->dev);
+
+- if (!device_is_registered(&dev->dev)) {
++ if (dev->shutting_down) {
+ rc = -ENODEV;
+ goto error;
+ }
+@@ -495,7 +495,7 @@ int nfc_data_exchange(struct nfc_dev *de
+
+ device_lock(&dev->dev);
+
+- if (!device_is_registered(&dev->dev)) {
++ if (dev->shutting_down) {
+ rc = -ENODEV;
+ kfree_skb(skb);
+ goto error;
+@@ -552,7 +552,7 @@ int nfc_enable_se(struct nfc_dev *dev, u
+
+ device_lock(&dev->dev);
+
+- if (!device_is_registered(&dev->dev)) {
++ if (dev->shutting_down) {
+ rc = -ENODEV;
+ goto error;
+ }
+@@ -601,7 +601,7 @@ int nfc_disable_se(struct nfc_dev *dev,
+
+ device_lock(&dev->dev);
+
+- if (!device_is_registered(&dev->dev)) {
++ if (dev->shutting_down) {
+ rc = -ENODEV;
+ goto error;
+ }
+@@ -1134,6 +1134,7 @@ int nfc_register_device(struct nfc_dev *
+ dev->rfkill = NULL;
+ }
+ }
++ dev->shutting_down = false;
+ device_unlock(&dev->dev);
+
+ rc = nfc_genl_device_added(dev);
+@@ -1166,12 +1167,10 @@ void nfc_unregister_device(struct nfc_de
+ rfkill_unregister(dev->rfkill);
+ rfkill_destroy(dev->rfkill);
+ }
++ dev->shutting_down = true;
+ device_unlock(&dev->dev);
+
+ if (dev->ops->check_presence) {
+- device_lock(&dev->dev);
+- dev->shutting_down = true;
+- device_unlock(&dev->dev);
+ del_timer_sync(&dev->check_pres_timer);
+ cancel_work_sync(&dev->check_pres_work);
+ }
diff --git a/queue-5.17/nfsv4-don-t-invalidate-inode-attributes-on-delegation-return.patch b/queue-5.17/nfsv4-don-t-invalidate-inode-attributes-on-delegation-return.patch
new file mode 100644
index 00000000000..d1d3e021be7
--- /dev/null
+++ b/queue-5.17/nfsv4-don-t-invalidate-inode-attributes-on-delegation-return.patch
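Review bot: `dev->shutting_down` now carries two meanings, "stop the check-presence machinery" and "device is no longer registered" for all twelve entry points changed here, yet nothing at either assignment says so, and the field's declaration lies outside this diff. The check is sound only because every visible read and both writes happen between `device_lock(&dev->dev)` and `device_unlock(&dev->dev)`; a comment at the assignment in nfc_unregister_device() would record that invariant, e.g. `/* set under device_lock: every nfc_* entry point tests this flag with the lock held */`. Any caller outside net/nfc/core.c that still uses device_is_registered() for the same purpose keeps the race described in the commit message; none is visible in this hunk, so that needs a separate check.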
@@ -0,0 +1,51 @@
+From 00c94ebec5925593c0377b941289224469e72ac7 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust
+Date: Mon, 25 Apr 2022 18:04:27 -0400
+Subject: NFSv4: Don't invalidate inode attributes on delegation return
+
+From: Trond Myklebust
+
+commit 00c94ebec5925593c0377b941289224469e72ac7 upstream.
+
+There is no need to declare attributes such as the ctime, mtime and
+block size invalid when we're just returning a delegation, so it is
+inappropriate to call nfs_post_op_update_inode_force_wcc().
+Instead, just call nfs_refresh_inode() after faking up the change
+attribute. We know that the GETATTR op occurs before the DELEGRETURN, so
+we are safe when doing this.
+
+Fixes: 0bc2c9b4dca9 ("NFSv4: Don't discard the attributes returned by asynchronous DELEGRETURN")
+Signed-off-by: Trond Myklebust
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nfs/nfs4proc.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -363,6 +363,14 @@ static void nfs4_setup_readdir(u64 cooki
+ kunmap_atomic(start);
+ }
+
++static void nfs4_fattr_set_prechange(struct nfs_fattr *fattr, u64 version)
++{
++ if (!(fattr->valid & NFS_ATTR_FATTR_PRECHANGE)) {
++ fattr->pre_change_attr = version;
++ fattr->valid |= NFS_ATTR_FATTR_PRECHANGE;
++ }
++}
++
+ static void nfs4_test_and_free_stateid(struct nfs_server *server,
+ nfs4_stateid *stateid,
+ const struct cred *cred)
+@@ -6556,7 +6564,9 @@ static void nfs4_delegreturn_release(voi
+ pnfs_roc_release(&data->lr.arg, &data->lr.res,
+ data->res.lr_ret);
+ if (inode) {
+- nfs_post_op_update_inode_force_wcc(inode, &data->fattr);
++ nfs4_fattr_set_prechange(&data->fattr,
++ inode_peek_iversion_raw(inode));
++ nfs_refresh_inode(inode, &data->fattr);
+ nfs_iput_and_deactive(inode);
+ }
+ kfree(calldata);
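Review bot: nfs4_fattr_set_prechange() is added without any comment, although its only call site passes `inode_peek_iversion_raw(inode)`, so the "pre-change" value is the client's own current version and not something the server returned. The commit message calls this "faking up the change attribute"; the code should say the same, for example `/* fill in pre_change_attr only when the reply did not carry one */` above the helper and a line at the call in nfs4_delegreturn_release() explaining why the local iversion is an acceptable stand-in. The return value of `nfs_refresh_inode(inode, &data->fattr);` is discarded; if a failed refresh is harmless on this release path, a short comment would make that explicit. nfs4_delegreturn_release() is only partly visible in the hunk.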
diff --git a/queue-5.17/rdma-irdma-fix-possible-crash-due-to-null-netdev-in-notifier.patch b/queue-5.17/rdma-irdma-fix-possible-crash-due-to-null-netdev-in-notifier.patch
new file mode 100644
index 00000000000..79d1a0c7639
--- /dev/null
+++ b/queue-5.17/rdma-irdma-fix-possible-crash-due-to-null-netdev-in-notifier.patch
@@ -0,0 +1,68 @@
+From 1c9043ae0667a43bd87beeebbdd4bed674713629 Mon Sep 17 00:00:00 2001
+From: Mustafa Ismail
+Date: Mon, 25 Apr 2022 13:17:03 -0500
+Subject: RDMA/irdma: Fix possible crash due to NULL netdev in notifier
+
+From: Mustafa Ismail
+
+commit 1c9043ae0667a43bd87beeebbdd4bed674713629 upstream.
+
+For some net events in irdma_net_event notifier, the netdev can be NULL
+which will cause a crash in rdma_vlan_dev_real_dev. Fix this by moving
+all processing to the NETEVENT_NEIGH_UPDATE case where the netdev is
+guaranteed to not be NULL.
+
+Fixes: 6702bc147448 ("RDMA/irdma: Fix netdev notifications for vlan's")
+Link: https://lore.kernel.org/r/20220425181703.1634-4-shiraz.saleem@intel.com
+Signed-off-by: Mustafa Ismail
+Signed-off-by: Shiraz Saleem
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/infiniband/hw/irdma/utils.c | 21 +++++++++------------
+ 1 file changed, 9 insertions(+), 12 deletions(-)
+
+--- a/drivers/infiniband/hw/irdma/utils.c
++++ b/drivers/infiniband/hw/irdma/utils.c
+@@ -258,18 +258,16 @@ int irdma_net_event(struct notifier_bloc
+ u32 local_ipaddr[4] = {};
+ bool ipv4 = true;
+
+- real_dev = rdma_vlan_dev_real_dev(netdev);
+- if (!real_dev)
+- real_dev = netdev;
+-
+- ibdev = ib_device_get_by_netdev(real_dev, RDMA_DRIVER_IRDMA);
+- if (!ibdev)
+- return NOTIFY_DONE;
+-
+- iwdev = to_iwdev(ibdev);
+-
+ switch (event) {
+ case NETEVENT_NEIGH_UPDATE:
++ real_dev = rdma_vlan_dev_real_dev(netdev);
++ if (!real_dev)
++ real_dev = netdev;
++ ibdev = ib_device_get_by_netdev(real_dev, RDMA_DRIVER_IRDMA);
++ if (!ibdev)
++ return NOTIFY_DONE;
++
++ iwdev = to_iwdev(ibdev);
+ p = (__be32 *)neigh->primary_key;
+ if (neigh->tbl->family == AF_INET6) {
+ ipv4 = false;
+@@ -290,13 +288,12 @@ int irdma_net_event(struct notifier_bloc
+ irdma_manage_arp_cache(iwdev->rf, neigh->ha,
+ local_ipaddr, ipv4,
+ IRDMA_ARP_DELETE);
++ ib_device_put(ibdev);
+ break;
+ default:
+ break;
+ }
+
+- ib_device_put(ibdev);
+-
+ return NOTIFY_DONE;
+ }
+
diff --git a/queue-5.17/rdma-irdma-flush-iwarp-qp-if-modified-to-err-from-rtr-state.patch b/queue-5.17/rdma-irdma-flush-iwarp-qp-if-modified-to-err-from-rtr-state.patch
new file mode 100644
index 00000000000..d2921101422
--- /dev/null
+++ b/queue-5.17/rdma-irdma-flush-iwarp-qp-if-modified-to-err-from-rtr-state.patch
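Review bot: The reference taken by `ib_device_get_by_netdev()` inside `case NETEVENT_NEIGH_UPDATE:` is now released only by the `ib_device_put(ibdev);` placed just before that case's `break`, so any exit from the case between the two would leak the device reference. The lines between the two inner hunks are not shown, so this cannot be confirmed from here; it is worth checking that no `return` or `goto` sits in that stretch. A comment next to the lookup would make the pairing explicit for later edits, e.g. `/* reference dropped by ib_device_put() at the end of this case */`. The commit message's guarantee that netdev is non-NULL for this event is likewise not verifiable from the hunk, since its assignment is outside it.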
@@ -0,0 +1,79 @@
+From 7b8943b821bafab492f43aafbd006b57c6b65845 Mon Sep 17 00:00:00 2001
+From: Tatyana Nikolova
+Date: Mon, 25 Apr 2022 13:17:01 -0500
+Subject: RDMA/irdma: Flush iWARP QP if modified to ERR from RTR state
+
+From: Tatyana Nikolova
+
+commit 7b8943b821bafab492f43aafbd006b57c6b65845 upstream.
+
+When connection establishment fails in iWARP mode, an app can drain the
+QPs and hang because flush isn't issued when the QP is modified from RTR
+state to error. Issue a flush in this case using function
+irdma_cm_disconn().
+
+Update irdma_cm_disconn() to do flush when cm_id is NULL, which is the
+case when the QP is in RTR state and there is an error in the connection
+establishment.
+
+Fixes: b48c24c2d710 ("RDMA/irdma: Implement device supported verb APIs")
+Link: https://lore.kernel.org/r/20220425181703.1634-2-shiraz.saleem@intel.com
+Signed-off-by: Tatyana Nikolova
+Signed-off-by: Shiraz Saleem
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/infiniband/hw/irdma/cm.c | 16 +++++-----------
+ drivers/infiniband/hw/irdma/verbs.c | 4 ++--
+ 2 files changed, 7 insertions(+), 13 deletions(-)
+
+--- a/drivers/infiniband/hw/irdma/cm.c
++++ b/drivers/infiniband/hw/irdma/cm.c
+@@ -3465,12 +3465,6 @@ static void irdma_cm_disconn_true(struct
+ }
+
+ cm_id = iwqp->cm_id;
+- /* make sure we havent already closed this connection */
+- if (!cm_id) {
+- spin_unlock_irqrestore(&iwqp->lock, flags);
+- return;
+- }
+-
+ original_hw_tcp_state = iwqp->hw_tcp_state;
+ original_ibqp_state = iwqp->ibqp_state;
+ last_ae = iwqp->last_aeq;
+@@ -3492,11 +3486,11 @@ static void irdma_cm_disconn_true(struct
+ disconn_status = -ECONNRESET;
+ }
+
+- if ((original_hw_tcp_state == IRDMA_TCP_STATE_CLOSED ||
+- original_hw_tcp_state == IRDMA_TCP_STATE_TIME_WAIT ||
+- last_ae == IRDMA_AE_RDMAP_ROE_BAD_LLP_CLOSE ||
+- last_ae == IRDMA_AE_BAD_CLOSE ||
+- last_ae == IRDMA_AE_LLP_CONNECTION_RESET || iwdev->rf->reset)) {
++ if (original_hw_tcp_state == IRDMA_TCP_STATE_CLOSED ||
++ original_hw_tcp_state == IRDMA_TCP_STATE_TIME_WAIT ||
++ last_ae == IRDMA_AE_RDMAP_ROE_BAD_LLP_CLOSE ||
++ last_ae == IRDMA_AE_BAD_CLOSE ||
++ last_ae == IRDMA_AE_LLP_CONNECTION_RESET || iwdev->rf->reset || !cm_id) {
+ issue_close = 1;
+ iwqp->cm_id = NULL;
+ qp->term_flags = 0;
+--- a/drivers/infiniband/hw/irdma/verbs.c
++++ b/drivers/infiniband/hw/irdma/verbs.c
+@@ -1620,13 +1620,13 @@ int irdma_modify_qp(struct ib_qp *ibqp,
+
+ if (issue_modify_qp && iwqp->ibqp_state > IB_QPS_RTS) {
+ if (dont_wait) {
+- if (iwqp->cm_id && iwqp->hw_tcp_state) {
++ if (iwqp->hw_tcp_state) {
+ spin_lock_irqsave(&iwqp->lock, flags);
+ iwqp->hw_tcp_state = IRDMA_TCP_STATE_CLOSED;
+ iwqp->last_aeq = IRDMA_AE_RESET_SENT;
+ spin_unlock_irqrestore(&iwqp->lock, flags);
+- irdma_cm_disconn(iwqp);
+ }
++ irdma_cm_disconn(iwqp);
+ } else {
+ int close_timer_started;
+
diff --git a/queue-5.17/rdma-irdma-reduce-iwarp-qp-destroy-time.patch b/queue-5.17/rdma-irdma-reduce-iwarp-qp-destroy-time.patch
new file mode 100644
index 00000000000..0fc8aa942f8
--- /dev/null
+++ b/queue-5.17/rdma-irdma-reduce-iwarp-qp-destroy-time.patch
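Review bot: With the `if (!cm_id) { ... return; }` guard removed from irdma_cm_disconn_true(), `cm_id` may be NULL for the rest of the function, and the only place in the hunk that accounts for it is the new `|| !cm_id` term in the `issue_close` condition. Every later use of `cm_id` needs its own NULL test before it is dereferenced or handed on; the body continues past the hunk, so that cannot be confirmed from here. The removed comment `/* make sure we havent already closed this connection */` also documented a double-close guard, and it is not visible what now prevents a second call on an already closed QP from reaching the close path again. A replacement comment at the assignment would help, e.g. `/* cm_id may be NULL (QP still in RTR): flush and close only, no CM events */`.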
@@ -0,0 +1,70 @@
+From 2df6d895907b2f5dfbc558cbff7801bba82cb3cc Mon Sep 17 00:00:00 2001
+From: Shiraz Saleem
+Date: Mon, 25 Apr 2022 13:17:02 -0500
+Subject: RDMA/irdma: Reduce iWARP QP destroy time
+
+From: Shiraz Saleem
+
+commit 2df6d895907b2f5dfbc558cbff7801bba82cb3cc upstream.
+
+QP destroy is synchronous and waits for its refcnt to be decremented in
+irdma_cm_node_free_cb (for iWARP) which fires after the RCU grace period
+elapses.
+
+Applications running a large number of connections are exposed to high
+wait times on destroy QP for events like SIGABORT.
+
+The long pole for this wait time is the firing of the call_rcu callback
+during a CM node destroy which can be slow. It holds the QP reference
+count and blocks the destroy QP from completing.
+
+call_rcu only needs to make sure that list walkers have a reference to the
+cm_node object before freeing it and thus need to wait for grace period
+elapse. The rest of the connection teardown in irdma_cm_node_free_cb is
+moved out of the grace period wait in irdma_destroy_connection. Also,
+replace call_rcu with a simple kfree_rcu as it just needs to do a kfree on
+the cm_node
+
+Fixes: 146b9756f14c ("RDMA/irdma: Add connection manager")
+Link: https://lore.kernel.org/r/20220425181703.1634-3-shiraz.saleem@intel.com
+Signed-off-by: Shiraz Saleem
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/infiniband/hw/irdma/cm.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+--- a/drivers/infiniband/hw/irdma/cm.c
++++ b/drivers/infiniband/hw/irdma/cm.c
+@@ -2305,10 +2305,8 @@ err:
+ return NULL;
+ }
+
+-static void irdma_cm_node_free_cb(struct rcu_head *rcu_head)
++static void irdma_destroy_connection(struct irdma_cm_node *cm_node)
+ {
+- struct irdma_cm_node *cm_node =
+- container_of(rcu_head, struct irdma_cm_node, rcu_head);
+ struct irdma_cm_core *cm_core = cm_node->cm_core;
+ struct irdma_qp *iwqp;
+ struct irdma_cm_info nfo;
+@@ -2356,7 +2354,6 @@ static void irdma_cm_node_free_cb(struct
+ }
+
+ cm_core->cm_free_ah(cm_node);
+- kfree(cm_node);
+ }
+
+ /**
+@@ -2384,8 +2381,9 @@ void irdma_rem_ref_cm_node(struct irdma_
+
+ spin_unlock_irqrestore(&cm_core->ht_lock, flags);
+
+- /* wait for all list walkers to exit their grace period */
+- call_rcu(&cm_node->rcu_head, irdma_cm_node_free_cb);
++ irdma_destroy_connection(cm_node);
++
++ kfree_rcu(cm_node, rcu_head);
+ }
+
+ /**
diff --git a/queue-5.17/rdma-siw-fix-a-condition-race-issue-in-mpa-request-processing.patch b/queue-5.17/rdma-siw-fix-a-condition-race-issue-in-mpa-request-processing.patch
new file mode 100644
index 00000000000..913b3d77e74
--- /dev/null
+++ b/queue-5.17/rdma-siw-fix-a-condition-race-issue-in-mpa-request-processing.patch
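Review bot: irdma_destroy_connection() now runs synchronously in irdma_rem_ref_cm_node(), before the grace period, so an RCU list walker that already holds the pointer can observe a cm_node whose teardown has run (`cm_core->cm_free_ah(cm_node)` and the steps before it, which lie outside the hunk); only the memory itself is still protected, by `kfree_rcu(cm_node, rcu_head)`. That is safe only if every walker takes its reference with a not-zero check before using the node, which cannot be verified from this hunk. The removed comment `/* wait for all list walkers to exit their grace period */` was the only note on this and should be replaced rather than dropped, e.g. `/* teardown runs now; kfree_rcu defers only the free for walkers still inside a grace period */`. irdma_destroy_connection() also appears to sit among functions that carry `/**` headers and has none of its own.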
@@ -0,0 +1,66 @@
+From ef91271c65c12d36e4c2b61c61d4849fb6d11aa0 Mon Sep 17 00:00:00 2001
+From: Cheng Xu
+Date: Sun, 24 Apr 2022 16:01:03 +0800
+Subject: RDMA/siw: Fix a condition race issue in MPA request processing
+
+From: Cheng Xu
+
+commit ef91271c65c12d36e4c2b61c61d4849fb6d11aa0 upstream.
+
+The calling of siw_cm_upcall and detaching new_cep with its listen_cep
+should be atomistic semantics. Otherwise siw_reject may be called in a
+temporary state, e,g, siw_cm_upcall is called but the new_cep->listen_cep
+has not being cleared.
+
+This fixes a WARN:
+
+ WARNING: CPU: 7 PID: 201 at drivers/infiniband/sw/siw/siw_cm.c:255 siw_cep_put+0x125/0x130 [siw]
+ CPU: 2 PID: 201 Comm: kworker/u16:22 Kdump: loaded Tainted: G E 5.17.0-rc7 #1
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
+ Workqueue: iw_cm_wq cm_work_handler [iw_cm]
+ RIP: 0010:siw_cep_put+0x125/0x130 [siw]
+ Call Trace:
+
+ siw_reject+0xac/0x180 [siw]
+ iw_cm_reject+0x68/0xc0 [iw_cm]
+ cm_work_handler+0x59d/0xe20 [iw_cm]
+ process_one_work+0x1e2/0x3b0
+ worker_thread+0x50/0x3a0
+ ? rescuer_thread+0x390/0x390
+ kthread+0xe5/0x110
+ ? kthread_complete_and_exit+0x20/0x20
+ ret_from_fork+0x1f/0x30
+
+
+Fixes: 6c52fdc244b5 ("rdma/siw: connection management")
+Link: https://lore.kernel.org/r/d528d83466c44687f3872eadcb8c184528b2e2d4.1650526554.git.chengyou@linux.alibaba.com
+Reported-by: Luis Chamberlain
+Reviewed-by: Bernard Metzler
+Signed-off-by: Cheng Xu
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/infiniband/sw/siw/siw_cm.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/infiniband/sw/siw/siw_cm.c
++++ b/drivers/infiniband/sw/siw/siw_cm.c
+@@ -968,14 +968,15 @@ static void siw_accept_newconn(struct si
+
+ siw_cep_set_inuse(new_cep);
+ rv = siw_proc_mpareq(new_cep);
+- siw_cep_set_free(new_cep);
+-
+ if (rv != -EAGAIN) {
+ siw_cep_put(cep);
+ new_cep->listen_cep = NULL;
+- if (rv)
++ if (rv) {
++ siw_cep_set_free(new_cep);
+ goto error;
++ }
+ }
++ siw_cep_set_free(new_cep);
+ }
+ return;
+
diff --git a/queue-5.17/selftests-seccomp-don-t-call-read-on-tty-from-background-pgrp.patch b/queue-5.17/selftests-seccomp-don-t-call-read-on-tty-from-background-pgrp.patch
new file mode 100644
index 00000000000..24a74d3a8dd
--- /dev/null
+++ b/queue-5.17/selftests-seccomp-don-t-call-read-on-tty-from-background-pgrp.patch
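Review bot: The `inuse` window in siw_accept_newconn() now has two release points, `siw_cep_set_free(new_cep)` before `goto error` and again after the `if (rv != -EAGAIN)` block, and nothing in the code says why the release had to move below `new_cep->listen_cep = NULL`. A comment at the `siw_cep_set_inuse(new_cep)` call would keep the ordering from being simplified back later, e.g. `/* hold inuse until listen_cep is detached, so siw_reject() never sees the half-detached cep */`. Whether the `error` label expects new_cep to be free on entry cannot be seen from the hunk, so the early `siw_cep_set_free()` on the error path is worth confirming against the rest of the function.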
@@ -0,0 +1,73 @@
+From 2bfed7d2ffa5d86c462d3e2067f2832eaf8c04c7 Mon Sep 17 00:00:00 2001
+From: Jann Horn
+Date: Sat, 19 Mar 2022 02:00:11 +0100
+Subject: selftests/seccomp: Don't call read() on TTY from background pgrp
+
+From: Jann Horn
+
+commit 2bfed7d2ffa5d86c462d3e2067f2832eaf8c04c7 upstream.
+
+Since commit 92d25637a3a4 ("kselftest: signal all child processes"), tests
+are executed in background process groups. This means that trying to read
+from stdin now throws SIGTTIN when stdin is a TTY, which breaks some
+seccomp selftests that try to use read(0, NULL, 0) as a dummy syscall.
+
+The simplest way to fix that is probably to just use -1 instead of 0 as
+the dummy read()'s FD.
+
+Fixes: 92d25637a3a4 ("kselftest: signal all child processes")
+Signed-off-by: Jann Horn
+Signed-off-by: Kees Cook
+Link: https://lore.kernel.org/r/20220319010011.1374622-1-jannh@google.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/testing/selftests/seccomp/seccomp_bpf.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/tools/testing/selftests/seccomp/seccomp_bpf.c
++++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
+@@ -955,7 +955,7 @@ TEST(ERRNO_valid)
+ ASSERT_EQ(0, ret);
+
+ EXPECT_EQ(parent, syscall(__NR_getppid));
+- EXPECT_EQ(-1, read(0, NULL, 0));
++ EXPECT_EQ(-1, read(-1, NULL, 0));
+ EXPECT_EQ(E2BIG, errno);
+ }
+
+@@ -974,7 +974,7 @@ TEST(ERRNO_zero)
+
+ EXPECT_EQ(parent, syscall(__NR_getppid));
+ /* "errno" of 0 is ok. */
+- EXPECT_EQ(0, read(0, NULL, 0));
++ EXPECT_EQ(0, read(-1, NULL, 0));
+ }
+
+ /*
+@@ -995,7 +995,7 @@ TEST(ERRNO_capped)
+ ASSERT_EQ(0, ret);
+
+ EXPECT_EQ(parent, syscall(__NR_getppid));
+- EXPECT_EQ(-1, read(0, NULL, 0));
++ EXPECT_EQ(-1, read(-1, NULL, 0));
+ EXPECT_EQ(4095, errno);
+ }
+
+@@ -1026,7 +1026,7 @@ TEST(ERRNO_order)
+ ASSERT_EQ(0, ret);
+
+ EXPECT_EQ(parent, syscall(__NR_getppid));
+- EXPECT_EQ(-1, read(0, NULL, 0));
++ EXPECT_EQ(-1, read(-1, NULL, 0));
+ EXPECT_EQ(12, errno);
+ }
+
+@@ -2623,7 +2623,7 @@ void *tsync_sibling(void *data)
+ ret = prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
+ if (!ret)
+ return (void *)SIBLING_EXIT_NEWPRIVS;
+- read(0, NULL, 0);
++ read(-1, NULL, 0);
+ return (void *)SIBLING_EXIT_UNKILLED;
+ }
+
diff --git a/queue-5.17/series b/queue-5.17/series
index ba6c6d5d667..27c7a4f0668 100644
--- a/queue-5.17/series
+++ b/queue-5.17/series
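Review bot: None of the five `read(-1, NULL, 0)` calls carries a comment, so the reason for the invalid descriptor lives only in the commit message and a later reader may "fix" it back to 0. One line at the first use in TEST(ERRNO_valid), referenced from ERRNO_zero, ERRNO_capped, ERRNO_order and tsync_sibling(), would do, e.g. `/* fd -1: dummy syscall for the filter; never touches the TTY, so no SIGTTIN in a background pgrp */`. It is also worth noting in TEST(ERRNO_zero) that the assertion became stricter: without the filter, read() on fd -1 fails rather than returning 0, so `EXPECT_EQ(0, read(-1, NULL, 0))` passes only when the seccomp filter actually answered the call.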
@@ -48,3 +48,39 @@ can-isotp-remove-re-binding-of-bound-socket.patch
 can-grcan-use-ofdev-dev-when-allocating-dma-memory.patch
 can-grcan-grcan_probe-fix-broken-system-id-check-for-errata-workaround-needs.patch
 can-grcan-only-use-the-napi-poll-budget-for-rx.patch
+nfc-replace-improper-check-device_is_registered-in-netlink-related-functions.patch
+nfc-nfcmrvl-main-reorder-destructive-operations-in-nfcmrvl_nci_unregister_dev-to-avoid-bugs.patch
+nfc-netlink-fix-sleep-in-atomic-bug-when-firmware-download-timeout.patch
+gpio-mvebu-drop-pwm-base-assignment.patch
+gpio-visconti-fix-fwnode-of-gpio-irq.patch
+gpio-pca953x-fix-irq_stat-not-updated-when-irq-is-disabled-irq_mask-not-set.patch
+hwmon-adt7470-fix-warning-on-module-removal.patch
+hwmon-pmbus-disable-pec-if-not-enabled.patch
+asoc-dmaengine-restore-null-prepare_slave_config-callback.patch
+asoc-meson-axg-tdm-interface-fix-formatters-in-trigger.patch
+asoc-meson-axg-card-fix-nonatomic-links.patch
+asoc-soc-ops-fix-error-handling.patch
+iommu-vt-d-drop-stop-marker-messages.patch
+iommu-dart-check-return-value-after-calling-platform_get_resource.patch
+fbdev-make-fb_release-return-enodev-if-fbdev-was-unregistered.patch
+net-mlx5e-fix-trust-state-reset-in-reload.patch
+net-mlx5-fix-slab-out-of-bounds-while-reading-resource-dump-menu.patch
+net-mlx5e-fix-wrong-source-vport-matching-on-tunnel-rule.patch
+net-mlx5e-don-t-match-double-vlan-packets-if-cvlan-is-not-set.patch
+net-mlx5e-ct-fix-queued-up-restore-put-executing-after-relevant-ft-release.patch
+net-mlx5e-fix-the-calling-of-update_buffer_lossy-api.patch
+net-mlx5-fix-matching-on-inner-ttc.patch
+net-mlx5-avoid-double-clear-or-set-of-sync-reset-requested.patch
+net-mlx5-fix-deadlock-in-sync-reset-flow.patch
+net-mlx5e-lag-fix-use-after-free-in-fib-event-handler.patch
+net-mlx5e-lag-fix-fib_info-pointer-assignment.patch
+net-mlx5e-lag-don-t-skip-fib-events-on-current-dst.patch
+net-mlx5e-tc-fix-decap-fallback-to-uplink-when-int-port-not-supported.patch
+selftests-seccomp-don-t-call-read-on-tty-from-background-pgrp.patch
+alsa-hda-realtek-fix-mute-led-issue-on-thinkpad-with-cs35l41-s-codec.patch
+sunrpc-release-the-transport-of-a-relocated-task-with-an-assigned-transport.patch
+rdma-siw-fix-a-condition-race-issue-in-mpa-request-processing.patch
+rdma-irdma-flush-iwarp-qp-if-modified-to-err-from-rtr-state.patch
+rdma-irdma-reduce-iwarp-qp-destroy-time.patch
+rdma-irdma-fix-possible-crash-due-to-null-netdev-in-notifier.patch
+nfsv4-don-t-invalidate-inode-attributes-on-delegation-return.patch
diff --git a/queue-5.17/sunrpc-release-the-transport-of-a-relocated-task-with-an-assigned-transport.patch b/queue-5.17/sunrpc-release-the-transport-of-a-relocated-task-with-an-assigned-transport.patch
new file mode 100644
index 00000000000..274247b13a6
--- /dev/null
+++ b/queue-5.17/sunrpc-release-the-transport-of-a-relocated-task-with-an-assigned-transport.patch
@@ -0,0 +1,39 @@
+From e13433b4416fa31a24e621cbbbb39227a3d651dd Mon Sep 17 00:00:00 2001
+From: Olga Kornievskaia
+Date: Thu, 21 Apr 2022 10:32:34 -0400
+Subject: SUNRPC release the transport of a relocated task with an assigned transport
+
+From: Olga Kornievskaia
+
+commit e13433b4416fa31a24e621cbbbb39227a3d651dd upstream.
+
+A relocated task must release its previous transport.
+
+Fixes: 82ee41b85cef1 ("SUNRPC don't resend a task on an offlined transport")
+Signed-off-by: Olga Kornievskaia
+Signed-off-by: Trond Myklebust
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sunrpc/clnt.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/net/sunrpc/clnt.c
++++ b/net/sunrpc/clnt.c
+@@ -1065,10 +1065,13 @@ rpc_task_get_next_xprt(struct rpc_clnt *
+ static
+ void rpc_task_set_transport(struct rpc_task *task, struct rpc_clnt *clnt)
+ {
+- if (task->tk_xprt &&
+- !(test_bit(XPRT_OFFLINE, &task->tk_xprt->state) &&
+- (task->tk_flags & RPC_TASK_MOVEABLE)))
+- return;
++ if (task->tk_xprt) {
++ if (!(test_bit(XPRT_OFFLINE, &task->tk_xprt->state) &&
++ (task->tk_flags & RPC_TASK_MOVEABLE)))
++ return;
++ xprt_release(task);
++ xprt_put(task->tk_xprt);
++ }
+ if (task->tk_flags & RPC_TASK_NO_ROUND_ROBIN)
+ task->tk_xprt = rpc_task_get_first_xprt(clnt);
+ else
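Review bot: The new branch in rpc_task_set_transport() calls `xprt_release(task)` and then `xprt_put(task->tk_xprt)` with no comment on why both are needed or why they come in that order; this is reference-count code, and if the release still needs the old transport (as it presumably does), a later reordering would have it run after the reference is gone. A comment before the pair would help, for example `/* offline transport, moveable task: release the request first, then drop our xprt reference */`. After the put, `task->tk_xprt` still holds the old pointer until it is reassigned. The hunk ends at `else` and the function continues outside it, so it is worth confirming that every following path overwrites the field, or adding `task->tk_xprt = NULL;` right after the put.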