From: Sasha Levin Date: Sun, 15 May 2022 18:30:33 +0000 (-0400) Subject: Fixes for 5.10 X-Git-Tag: v4.9.315~50 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2fb4a4ed5ad5bb6d8acd61186044b546b4078f56;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.10 Signed-off-by: Sasha Levin --- diff --git a/queue-5.10/asoc-max98090-generate-notifications-on-changes-for-.patch b/queue-5.10/asoc-max98090-generate-notifications-on-changes-for-.patch new file mode 100644 index 00000000000..af260550d38 --- /dev/null +++ b/queue-5.10/asoc-max98090-generate-notifications-on-changes-for-.patch @@ -0,0 +1,37 @@ +From 2d1df1e4f911736acb80d2faa5d3877541954256 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Apr 2022 20:34:54 +0100 +Subject: ASoC: max98090: Generate notifications on changes for custom control + +From: Mark Brown + +[ Upstream commit 13fcf676d9e102594effc686d98521ff5c90b925 ] + +The max98090 driver has some custom controls which share a put() function +which returns 0 unconditionally, meaning that events are not generated +when the value changes. Fix that. + +Signed-off-by: Mark Brown +Link: https://lore.kernel.org/r/20220420193454.2647908-2-broonie@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/max98090.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/codecs/max98090.c b/sound/soc/codecs/max98090.c +index 779845e3a9e3..5b6405392f08 100644 +--- a/sound/soc/codecs/max98090.c ++++ b/sound/soc/codecs/max98090.c +@@ -430,7 +430,7 @@ static int max98090_put_enab_tlv(struct snd_kcontrol *kcontrol, + mask << mc->shift, + sel << mc->shift); + +- return 0; ++ return *select != val; + } + + static const char *max98090_perf_pwr_text[] = +-- +2.35.1 + diff --git a/queue-5.10/asoc-max98090-reject-invalid-values-in-custom-contro.patch b/queue-5.10/asoc-max98090-reject-invalid-values-in-custom-contro.patch new file mode 100644 index 00000000000..d73f2772ed1 --- /dev/null +++ b/queue-5.10/asoc-max98090-reject-invalid-values-in-custom-contro.patch @@ -0,0 +1,40 @@ +From 9edeafe25287dce8a9b803f7e674aef837c54aff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Apr 2022 20:34:53 +0100 +Subject: ASoC: max98090: Reject invalid values in custom control put() + +From: Mark Brown + +[ Upstream commit 2fbe467bcbfc760a08f08475eea6bbd4c2874319 ] + +The max98090 driver has a custom put function for some controls which can +only be updated in certain circumstances which makes no effort to validate +that input is suitable for the control, allowing out of spec values to be +written to the hardware and presented to userspace. Fix this by returning +an error when invalid values are written. + +Signed-off-by: Mark Brown +Link: https://lore.kernel.org/r/20220420193454.2647908-1-broonie@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/max98090.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/sound/soc/codecs/max98090.c b/sound/soc/codecs/max98090.c +index 945a79e4f3eb..779845e3a9e3 100644 +--- a/sound/soc/codecs/max98090.c ++++ b/sound/soc/codecs/max98090.c +@@ -413,6 +413,9 @@ static int max98090_put_enab_tlv(struct snd_kcontrol *kcontrol, + + val = (val >> mc->shift) & mask; + ++ if (sel < 0 || sel > mc->max) ++ return -EINVAL; ++ + *select = sel; + + /* Setting a volume is only valid if it is already On */ +-- +2.35.1 + diff --git a/queue-5.10/asoc-ops-validate-input-values-in-snd_soc_put_volsw_.patch b/queue-5.10/asoc-ops-validate-input-values-in-snd_soc_put_volsw_.patch new file mode 100644 index 00000000000..ed603dd0ee6 --- /dev/null +++ b/queue-5.10/asoc-ops-validate-input-values-in-snd_soc_put_volsw_.patch @@ -0,0 +1,60 @@ +From a2e0275ac3fad9cabd079938ac4933c77f143db0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 23 Apr 2022 14:12:39 +0100 +Subject: ASoC: ops: Validate input values in snd_soc_put_volsw_range() + +From: Mark Brown + +[ Upstream commit aa22125c57f9e577f0a667e4fa07fc3fa8ca1e60 ] + +Check that values written via snd_soc_put_volsw_range() are +within the range advertised by the control, ensuring that we +don't write out of spec values to the hardware. + +Signed-off-by: Mark Brown +Link: https://lore.kernel.org/r/20220423131239.3375261-1-broonie@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/soc-ops.c | 18 +++++++++++++++++- + 1 file changed, 17 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/soc-ops.c b/sound/soc/soc-ops.c +index 2bc9fa6a34b8..15bfcdbdfaa4 100644 +--- a/sound/soc/soc-ops.c ++++ b/sound/soc/soc-ops.c +@@ -510,7 +510,15 @@ int snd_soc_put_volsw_range(struct snd_kcontrol *kcontrol, + unsigned int mask = (1 << fls(max)) - 1; + unsigned int invert = mc->invert; + unsigned int val, val_mask; +- int err, ret; ++ int err, ret, tmp; ++ ++ tmp = ucontrol->value.integer.value[0]; ++ if (tmp < 0) ++ return -EINVAL; ++ if (mc->platform_max && tmp > mc->platform_max) ++ return -EINVAL; ++ if (tmp > mc->max - mc->min + 1) ++ return -EINVAL; + + if (invert) + val = (max - ucontrol->value.integer.value[0]) & mask; +@@ -525,6 +533,14 @@ int snd_soc_put_volsw_range(struct snd_kcontrol *kcontrol, + ret = err; + + if (snd_soc_volsw_is_stereo(mc)) { ++ tmp = ucontrol->value.integer.value[1]; ++ if (tmp < 0) ++ return -EINVAL; ++ if (mc->platform_max && tmp > mc->platform_max) ++ return -EINVAL; ++ if (tmp > mc->max - mc->min + 1) ++ return -EINVAL; ++ + if (invert) + val = (max - ucontrol->value.integer.value[1]) & mask; + else +-- +2.35.1 + diff --git a/queue-5.10/batman-adv-don-t-skb_split-skbuffs-with-frag_list.patch b/queue-5.10/batman-adv-don-t-skb_split-skbuffs-with-frag_list.patch new file mode 100644 index 00000000000..8ea465a1053 --- /dev/null +++ b/queue-5.10/batman-adv-don-t-skb_split-skbuffs-with-frag_list.patch @@ -0,0 +1,60 @@ +From 69e20c736d1b21161ddfc8e10f7eb084194412e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 16 Apr 2022 13:51:10 +0200 +Subject: batman-adv: Don't skb_split skbuffs with frag_list + +From: Sven Eckelmann + +[ Upstream commit a063f2fba3fa633a599253b62561051ac185fa99 ] + +The receiving interface might have used GRO to receive more fragments than +MAX_SKB_FRAGS fragments. In this case, these will not be stored in +skb_shinfo(skb)->frags but merged into the frag list. + +batman-adv relies on the function skb_split to split packets up into +multiple smaller packets which are not larger than the MTU on the outgoing +interface. But this function cannot handle frag_list entries and is only +operating on skb_shinfo(skb)->frags. If it is still trying to split such an +skb and xmit'ing it on an interface without support for NETIF_F_FRAGLIST, +then validate_xmit_skb() will try to linearize it. But this fails due to +inconsistent information. And __pskb_pull_tail will trigger a BUG_ON after +skb_copy_bits() returns an error. + +In case of entries in frag_list, just linearize the skb before operating on +it with skb_split(). + +Reported-by: Felix Kaechele +Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol") +Signed-off-by: Sven Eckelmann +Tested-by: Felix Kaechele +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +--- + net/batman-adv/fragmentation.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/net/batman-adv/fragmentation.c b/net/batman-adv/fragmentation.c +index 1f1f5b0873b2..895d834d479d 100644 +--- a/net/batman-adv/fragmentation.c ++++ b/net/batman-adv/fragmentation.c +@@ -478,6 +478,17 @@ int batadv_frag_send_packet(struct sk_buff *skb, + goto free_skb; + } + ++ /* GRO might have added fragments to the fragment list instead of ++ * frags[]. But this is not handled by skb_split and must be ++ * linearized to avoid incorrect length information after all ++ * batman-adv fragments were created and submitted to the ++ * hard-interface ++ */ ++ if (skb_has_frag_list(skb) && __skb_linearize(skb)) { ++ ret = -ENOMEM; ++ goto free_skb; ++ } ++ + /* Create one header to be copied to all fragments */ + frag_header.packet_type = BATADV_UNICAST_FRAG; + frag_header.version = BATADV_COMPAT_VERSION; +-- +2.35.1 + diff --git a/queue-5.10/dim-initialize-all-struct-fields.patch b/queue-5.10/dim-initialize-all-struct-fields.patch new file mode 100644 index 00000000000..f93e200e929 --- /dev/null +++ b/queue-5.10/dim-initialize-all-struct-fields.patch @@ -0,0 +1,119 @@ +From 4fd5f6e2b87593c15824040c85700080e19edc83 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 May 2022 18:10:38 -0700 +Subject: dim: initialize all struct fields +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jesse Brandeburg + +[ Upstream commit ee1444b5e1df4155b591d0d9b1e72853a99ea861 ] + +The W=2 build pointed out that the code wasn't initializing all the +variables in the dim_cq_moder declarations with the struct initializers. +The net change here is zero since these structs were already static +const globals and were initialized with zeros by the compiler, but +removing compiler warnings has value in and of itself. + +lib/dim/net_dim.c: At top level: +lib/dim/net_dim.c:54:9: warning: missing initializer for field ‘comps’ of ‘const struct dim_cq_moder’ [-Wmissing-field-initializers] + 54 | NET_DIM_RX_EQE_PROFILES, + | ^~~~~~~~~~~~~~~~~~~~~~~ +In file included from lib/dim/net_dim.c:6: +./include/linux/dim.h:45:13: note: ‘comps’ declared here + 45 | u16 comps; + | ^~~~~ + +and repeats for the tx struct, and once you fix the comps entry then +the cq_period_mode field needs the same treatment. + +Use the commonly accepted style to indicate to the compiler that we +know what we're doing, and add a comma at the end of each struct +initializer to clean up the issue, and use explicit initializers +for the fields we are initializing which makes the compiler happy. + +While here and fixing these lines, clean up the code slightly with +a fix for the super long lines by removing the word "_MODERATION" from a +couple defines only used in this file. + +Fixes: f8be17b81d44 ("lib/dim: Fix -Wunused-const-variable warnings") +Signed-off-by: Jesse Brandeburg +Link: https://lore.kernel.org/r/20220507011038.14568-1-jesse.brandeburg@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + lib/dim/net_dim.c | 44 ++++++++++++++++++++++---------------------- + 1 file changed, 22 insertions(+), 22 deletions(-) + +diff --git a/lib/dim/net_dim.c b/lib/dim/net_dim.c +index a4db51c21266..dae3b51ac3d9 100644 +--- a/lib/dim/net_dim.c ++++ b/lib/dim/net_dim.c +@@ -12,41 +12,41 @@ + * Each profile size must be of NET_DIM_PARAMS_NUM_PROFILES + */ + #define NET_DIM_PARAMS_NUM_PROFILES 5 +-#define NET_DIM_DEFAULT_RX_CQ_MODERATION_PKTS_FROM_EQE 256 +-#define NET_DIM_DEFAULT_TX_CQ_MODERATION_PKTS_FROM_EQE 128 ++#define NET_DIM_DEFAULT_RX_CQ_PKTS_FROM_EQE 256 ++#define NET_DIM_DEFAULT_TX_CQ_PKTS_FROM_EQE 128 + #define NET_DIM_DEF_PROFILE_CQE 1 + #define NET_DIM_DEF_PROFILE_EQE 1 + + #define NET_DIM_RX_EQE_PROFILES { \ +- {1, NET_DIM_DEFAULT_RX_CQ_MODERATION_PKTS_FROM_EQE}, \ +- {8, NET_DIM_DEFAULT_RX_CQ_MODERATION_PKTS_FROM_EQE}, \ +- {64, NET_DIM_DEFAULT_RX_CQ_MODERATION_PKTS_FROM_EQE}, \ +- {128, NET_DIM_DEFAULT_RX_CQ_MODERATION_PKTS_FROM_EQE}, \ +- {256, NET_DIM_DEFAULT_RX_CQ_MODERATION_PKTS_FROM_EQE}, \ ++ {.usec = 1, .pkts = NET_DIM_DEFAULT_RX_CQ_PKTS_FROM_EQE,}, \ ++ {.usec = 8, .pkts = NET_DIM_DEFAULT_RX_CQ_PKTS_FROM_EQE,}, \ ++ {.usec = 64, .pkts = NET_DIM_DEFAULT_RX_CQ_PKTS_FROM_EQE,}, \ ++ {.usec = 128, .pkts = NET_DIM_DEFAULT_RX_CQ_PKTS_FROM_EQE,}, \ ++ {.usec = 256, .pkts = NET_DIM_DEFAULT_RX_CQ_PKTS_FROM_EQE,} \ + } + + #define NET_DIM_RX_CQE_PROFILES { \ +- {2, 256}, \ +- {8, 128}, \ +- {16, 64}, \ +- {32, 64}, \ +- {64, 64} \ ++ {.usec = 2, .pkts = 256,}, \ ++ {.usec = 8, .pkts = 128,}, \ ++ {.usec = 16, .pkts = 64,}, \ ++ {.usec = 32, .pkts = 64,}, \ ++ {.usec = 64, .pkts = 64,} \ + } + + #define NET_DIM_TX_EQE_PROFILES { \ +- {1, NET_DIM_DEFAULT_TX_CQ_MODERATION_PKTS_FROM_EQE}, \ +- {8, NET_DIM_DEFAULT_TX_CQ_MODERATION_PKTS_FROM_EQE}, \ +- {32, NET_DIM_DEFAULT_TX_CQ_MODERATION_PKTS_FROM_EQE}, \ +- {64, NET_DIM_DEFAULT_TX_CQ_MODERATION_PKTS_FROM_EQE}, \ +- {128, NET_DIM_DEFAULT_TX_CQ_MODERATION_PKTS_FROM_EQE} \ ++ {.usec = 1, .pkts = NET_DIM_DEFAULT_TX_CQ_PKTS_FROM_EQE,}, \ ++ {.usec = 8, .pkts = NET_DIM_DEFAULT_TX_CQ_PKTS_FROM_EQE,}, \ ++ {.usec = 32, .pkts = NET_DIM_DEFAULT_TX_CQ_PKTS_FROM_EQE,}, \ ++ {.usec = 64, .pkts = NET_DIM_DEFAULT_TX_CQ_PKTS_FROM_EQE,}, \ ++ {.usec = 128, .pkts = NET_DIM_DEFAULT_TX_CQ_PKTS_FROM_EQE,} \ + } + + #define NET_DIM_TX_CQE_PROFILES { \ +- {5, 128}, \ +- {8, 64}, \ +- {16, 32}, \ +- {32, 32}, \ +- {64, 32} \ ++ {.usec = 5, .pkts = 128,}, \ ++ {.usec = 8, .pkts = 64,}, \ ++ {.usec = 16, .pkts = 32,}, \ ++ {.usec = 32, .pkts = 32,}, \ ++ {.usec = 64, .pkts = 32,} \ + } + + static const struct dim_cq_moder +-- +2.35.1 + diff --git a/queue-5.10/drm-nouveau-fix-a-potential-theorical-leak-in-nouvea.patch b/queue-5.10/drm-nouveau-fix-a-potential-theorical-leak-in-nouvea.patch new file mode 100644 index 00000000000..94b63621e8d --- /dev/null +++ b/queue-5.10/drm-nouveau-fix-a-potential-theorical-leak-in-nouvea.patch @@ -0,0 +1,72 @@ +From 7a4804417eab783c08c8e4f6dcebf231049b62a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Feb 2022 07:03:11 +0100 +Subject: drm/nouveau: Fix a potential theorical leak in + nouveau_get_backlight_name() + +From: Christophe JAILLET + +[ Upstream commit ab244be47a8f111bc82496a8a20c907236e37f95 ] + +If successful ida_simple_get() calls are not undone when needed, some +additional memory may be allocated and wasted. + +Here, an ID between 0 and MAX_INT is required. If this ID is >=100, it is +not taken into account and is wasted. It should be released. + +Instead of calling ida_simple_remove(), take advantage of the 'max' +parameter to require the ID not to be too big. Should it be too big, it +is not allocated and don't need to be freed. + +While at it, use ida_alloc_xxx()/ida_free() instead to +ida_simple_get()/ida_simple_remove(). +The latter is deprecated and more verbose. + +Fixes: db1a0ae21461 ("drm/nouveau/bl: Assign different names to interfaces") +Signed-off-by: Christophe JAILLET +Reviewed-by: Lyude Paul +[Fixed formatting warning from checkpatch] +Signed-off-by: Lyude Paul +Link: https://patchwork.freedesktop.org/patch/msgid/9ba85bca59df6813dc029e743a836451d5173221.1644386541.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/nouveau/nouveau_backlight.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/nouveau/nouveau_backlight.c b/drivers/gpu/drm/nouveau/nouveau_backlight.c +index c7a94c94dbf3..f2f3280c3a50 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_backlight.c ++++ b/drivers/gpu/drm/nouveau/nouveau_backlight.c +@@ -51,8 +51,9 @@ static bool + nouveau_get_backlight_name(char backlight_name[BL_NAME_SIZE], + struct nouveau_backlight *bl) + { +- const int nb = ida_simple_get(&bl_ida, 0, 0, GFP_KERNEL); +- if (nb < 0 || nb >= 100) ++ const int nb = ida_alloc_max(&bl_ida, 99, GFP_KERNEL); ++ ++ if (nb < 0) + return false; + if (nb > 0) + snprintf(backlight_name, BL_NAME_SIZE, "nv_backlight%d", nb); +@@ -280,7 +281,7 @@ nouveau_backlight_init(struct drm_connector *connector) + nv_encoder, ops, &props); + if (IS_ERR(bl->dev)) { + if (bl->id >= 0) +- ida_simple_remove(&bl_ida, bl->id); ++ ida_free(&bl_ida, bl->id); + ret = PTR_ERR(bl->dev); + goto fail_alloc; + } +@@ -306,7 +307,7 @@ nouveau_backlight_fini(struct drm_connector *connector) + return; + + if (bl->id >= 0) +- ida_simple_remove(&bl_ida, bl->id); ++ ida_free(&bl_ida, bl->id); + + backlight_device_unregister(bl->dev); + nv_conn->backlight = NULL; +-- +2.35.1 + diff --git a/queue-5.10/gfs2-fix-filesystem-block-deallocation-for-short-wri.patch b/queue-5.10/gfs2-fix-filesystem-block-deallocation-for-short-wri.patch new file mode 100644 index 00000000000..8b628158cde --- /dev/null +++ b/queue-5.10/gfs2-fix-filesystem-block-deallocation-for-short-wri.patch @@ -0,0 +1,53 @@ +From 4dd8f06450541de07ddd8c8d74a11f9cd0eefc94 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Apr 2022 17:52:39 +0200 +Subject: gfs2: Fix filesystem block deallocation for short writes + +From: Andreas Gruenbacher + +[ Upstream commit d031a8866e709c9d1ee5537a321b6192b4d2dc5b ] + +When a write cannot be carried out in full, gfs2_iomap_end() releases +blocks that have been allocated for this write but haven't been used. + +To compute the end of the allocation, gfs2_iomap_end() incorrectly +rounded the end of the attempted write down to the next block boundary +to arrive at the end of the allocation. It would have to round up, but +the end of the allocation is also available as iomap->offset + +iomap->length, so just use that instead. + +In addition, use round_up() for computing the start of the unused range. + +Fixes: 64bc06bb32ee ("gfs2: iomap buffered write support") +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Sasha Levin +--- + fs/gfs2/bmap.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/fs/gfs2/bmap.c b/fs/gfs2/bmap.c +index 6c047570d6a9..b4fde3a8eeb4 100644 +--- a/fs/gfs2/bmap.c ++++ b/fs/gfs2/bmap.c +@@ -1235,13 +1235,12 @@ static int gfs2_iomap_end(struct inode *inode, loff_t pos, loff_t length, + + if (length != written && (iomap->flags & IOMAP_F_NEW)) { + /* Deallocate blocks that were just allocated. */ +- loff_t blockmask = i_blocksize(inode) - 1; +- loff_t end = (pos + length) & ~blockmask; ++ loff_t hstart = round_up(pos + written, i_blocksize(inode)); ++ loff_t hend = iomap->offset + iomap->length; + +- pos = (pos + written + blockmask) & ~blockmask; +- if (pos < end) { +- truncate_pagecache_range(inode, pos, end - 1); +- punch_hole(ip, pos, end - pos); ++ if (hstart < hend) { ++ truncate_pagecache_range(inode, hstart, hend - 1); ++ punch_hole(ip, hstart, hend - hstart); + } + } + +-- +2.35.1 + diff --git a/queue-5.10/hwmon-f71882fg-fix-negative-temperature.patch b/queue-5.10/hwmon-f71882fg-fix-negative-temperature.patch new file mode 100644 index 00000000000..027476a562a --- /dev/null +++ b/queue-5.10/hwmon-f71882fg-fix-negative-temperature.patch @@ -0,0 +1,46 @@ +From fad311feab8af47fcc403d145e5f60a0157620d9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Apr 2022 17:07:06 +0800 +Subject: hwmon: (f71882fg) Fix negative temperature + +From: Ji-Ze Hong (Peter Hong) + +[ Upstream commit 4aaaaf0f279836f06d3b9d0ffeec7a1e1a04ceef ] + +All temperature of Fintek superio hwmonitor that using 1-byte reg will use +2's complement. + +In show_temp() + temp = data->temp[nr] * 1000; + +When data->temp[nr] read as 255, it indicate -1C, but this code will report +255C to userspace. It'll be ok when change to: + temp = ((s8)data->temp[nr]) * 1000; + +Signed-off-by: Ji-Ze Hong (Peter Hong) +Link: https://lore.kernel.org/r/20220418090706.6339-1-hpeter+linux_kernel@gmail.com +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/f71882fg.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/hwmon/f71882fg.c b/drivers/hwmon/f71882fg.c +index 4dec793fd07d..94b35723ee7a 100644 +--- a/drivers/hwmon/f71882fg.c ++++ b/drivers/hwmon/f71882fg.c +@@ -1577,8 +1577,9 @@ static ssize_t show_temp(struct device *dev, struct device_attribute *devattr, + temp *= 125; + if (sign) + temp -= 128000; +- } else +- temp = data->temp[nr] * 1000; ++ } else { ++ temp = ((s8)data->temp[nr]) * 1000; ++ } + + return sprintf(buf, "%d\n", temp); + } +-- +2.35.1 + diff --git a/queue-5.10/hwmon-ltq-cputemp-restrict-it-to-soc_xway.patch b/queue-5.10/hwmon-ltq-cputemp-restrict-it-to-soc_xway.patch new file mode 100644 index 00000000000..1f36c38a14f --- /dev/null +++ b/queue-5.10/hwmon-ltq-cputemp-restrict-it-to-soc_xway.patch @@ -0,0 +1,56 @@ +From 8629587b856601f6aa435a3046dc1c1bc667841f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 May 2022 16:47:40 -0700 +Subject: hwmon: (ltq-cputemp) restrict it to SOC_XWAY + +From: Randy Dunlap + +[ Upstream commit 151d6dcbed836270c6c240932da66f147950cbdb ] + +Building with SENSORS_LTQ_CPUTEMP=y with SOC_FALCON=y causes build +errors since FALCON does not support the same features as XWAY. + +Change this symbol to depend on SOC_XWAY since that provides the +necessary interfaces. + +Repairs these build errors: + +../drivers/hwmon/ltq-cputemp.c: In function 'ltq_cputemp_enable': +../drivers/hwmon/ltq-cputemp.c:23:9: error: implicit declaration of function 'ltq_cgu_w32'; did you mean 'ltq_ebu_w32'? [-Werror=implicit-function-declaration] + 23 | ltq_cgu_w32(ltq_cgu_r32(CGU_GPHY1_CR) | CGU_TEMP_PD, CGU_GPHY1_CR); +../drivers/hwmon/ltq-cputemp.c:23:21: error: implicit declaration of function 'ltq_cgu_r32'; did you mean 'ltq_ebu_r32'? [-Werror=implicit-function-declaration] + 23 | ltq_cgu_w32(ltq_cgu_r32(CGU_GPHY1_CR) | CGU_TEMP_PD, CGU_GPHY1_CR); +../drivers/hwmon/ltq-cputemp.c: In function 'ltq_cputemp_probe': +../drivers/hwmon/ltq-cputemp.c:92:31: error: 'SOC_TYPE_VR9_2' undeclared (first use in this function) + 92 | if (ltq_soc_type() != SOC_TYPE_VR9_2) + +Fixes: 7074d0a92758 ("hwmon: (ltq-cputemp) add cpu temp sensor driver") +Signed-off-by: Randy Dunlap +Reported-by: kernel test robot +Cc: Florian Eckert +Cc: Guenter Roeck +Cc: Jean Delvare +Cc: linux-hwmon@vger.kernel.org +Link: https://lore.kernel.org/r/20220509234740.26841-1-rdunlap@infradead.org +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hwmon/Kconfig b/drivers/hwmon/Kconfig +index 0c2b032ee617..f741c7492ee4 100644 +--- a/drivers/hwmon/Kconfig ++++ b/drivers/hwmon/Kconfig +@@ -922,7 +922,7 @@ config SENSORS_LTC4261 + + config SENSORS_LTQ_CPUTEMP + bool "Lantiq cpu temperature sensor driver" +- depends on LANTIQ ++ depends on SOC_XWAY + help + If you say yes here you get support for the temperature + sensor inside your CPU. +-- +2.35.1 + diff --git a/queue-5.10/hwmon-tmp401-add-of-device-id-table.patch b/queue-5.10/hwmon-tmp401-add-of-device-id-table.patch new file mode 100644 index 00000000000..29354778fe2 --- /dev/null +++ b/queue-5.10/hwmon-tmp401-add-of-device-id-table.patch @@ -0,0 +1,70 @@ +From bac5432684c011b31c494438d1fd66487678cc91 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 May 2022 13:43:33 +0200 +Subject: hwmon: (tmp401) Add OF device ID table + +From: Camel Guo + +[ Upstream commit 3481551f035725fdc46885425eac3ef9b58ae7b7 ] + +This driver doesn't have of_match_table. This makes the kernel module +tmp401.ko lack alias patterns (e.g: of:N*T*Cti,tmp411) to match DT node +of the supported devices hence this kernel module will not be +automatically loaded. + +After adding of_match_table to this driver, the folllowing alias will be +added into tmp401.ko. +$ modinfo drivers/hwmon/tmp401.ko +filename: drivers/hwmon/tmp401.ko +...... +author: Hans de Goede +alias: of:N*T*Cti,tmp435C* +alias: of:N*T*Cti,tmp435 +alias: of:N*T*Cti,tmp432C* +alias: of:N*T*Cti,tmp432 +alias: of:N*T*Cti,tmp431C* +alias: of:N*T*Cti,tmp431 +alias: of:N*T*Cti,tmp411C* +alias: of:N*T*Cti,tmp411 +alias: of:N*T*Cti,tmp401C* +alias: of:N*T*Cti,tmp401 +...... + +Fixes: af503716ac14 ("i2c: core: report OF style module alias for devices registered via OF") +Signed-off-by: Camel Guo +Link: https://lore.kernel.org/r/20220503114333.456476-1-camel.guo@axis.com +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/tmp401.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/drivers/hwmon/tmp401.c b/drivers/hwmon/tmp401.c +index 9dc210b55e69..48466b0a4bb0 100644 +--- a/drivers/hwmon/tmp401.c ++++ b/drivers/hwmon/tmp401.c +@@ -730,10 +730,21 @@ static int tmp401_probe(struct i2c_client *client) + return 0; + } + ++static const struct of_device_id __maybe_unused tmp4xx_of_match[] = { ++ { .compatible = "ti,tmp401", }, ++ { .compatible = "ti,tmp411", }, ++ { .compatible = "ti,tmp431", }, ++ { .compatible = "ti,tmp432", }, ++ { .compatible = "ti,tmp435", }, ++ { }, ++}; ++MODULE_DEVICE_TABLE(of, tmp4xx_of_match); ++ + static struct i2c_driver tmp401_driver = { + .class = I2C_CLASS_HWMON, + .driver = { + .name = "tmp401", ++ .of_match_table = of_match_ptr(tmp4xx_of_match), + }, + .probe_new = tmp401_probe, + .id_table = tmp401_id, +-- +2.35.1 + diff --git a/queue-5.10/ionic-fix-missing-pci_release_regions-on-error-in-io.patch b/queue-5.10/ionic-fix-missing-pci_release_regions-on-error-in-io.patch new file mode 100644 index 00000000000..d775c62de84 --- /dev/null +++ b/queue-5.10/ionic-fix-missing-pci_release_regions-on-error-in-io.patch @@ -0,0 +1,44 @@ +From 5c4dd69ac0a565ca74a19ec1ac08a690a0107d9a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 May 2022 11:40:40 +0800 +Subject: ionic: fix missing pci_release_regions() on error in ionic_probe() + +From: Yang Yingliang + +[ Upstream commit e4b1045bf9cfec6f70ac6d3783be06c3a88dcb25 ] + +If ionic_map_bars() fails, pci_release_regions() need be called. + +Fixes: fbfb8031533c ("ionic: Add hardware init and device commands") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20220506034040.2614129-1-yangyingliang@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/pensando/ionic/ionic_bus_pci.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/pensando/ionic/ionic_bus_pci.c b/drivers/net/ethernet/pensando/ionic/ionic_bus_pci.c +index b0d8499d373b..31fbe8904222 100644 +--- a/drivers/net/ethernet/pensando/ionic/ionic_bus_pci.c ++++ b/drivers/net/ethernet/pensando/ionic/ionic_bus_pci.c +@@ -251,7 +251,7 @@ static int ionic_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + + err = ionic_map_bars(ionic); + if (err) +- goto err_out_pci_disable_device; ++ goto err_out_pci_release_regions; + + /* Configure the device */ + err = ionic_setup(ionic); +@@ -353,6 +353,7 @@ static int ionic_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + + err_out_unmap_bars: + ionic_unmap_bars(ionic); ++err_out_pci_release_regions: + pci_release_regions(pdev); + err_out_pci_disable_device: + pci_disable_device(pdev); +-- +2.35.1 + diff --git a/queue-5.10/ipv4-drop-dst-in-multicast-routing-path.patch b/queue-5.10/ipv4-drop-dst-in-multicast-routing-path.patch new file mode 100644 index 00000000000..e7ab4db0765 --- /dev/null +++ b/queue-5.10/ipv4-drop-dst-in-multicast-routing-path.patch @@ -0,0 +1,67 @@ +From 417bf2da0b27c472c6c7f63d3d4927a09962cb39 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 May 2022 14:00:17 +1200 +Subject: ipv4: drop dst in multicast routing path + +From: Lokesh Dhoundiyal + +[ Upstream commit 9e6c6d17d1d6a3f1515ce399f9a011629ec79aa0 ] + +kmemleak reports the following when routing multicast traffic over an +ipsec tunnel. + +Kmemleak output: +unreferenced object 0x8000000044bebb00 (size 256): + comm "softirq", pid 0, jiffies 4294985356 (age 126.810s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 80 00 00 00 05 13 74 80 ..............t. + 80 00 00 00 04 9b bf f9 00 00 00 00 00 00 00 00 ................ + backtrace: + [<00000000f83947e0>] __kmalloc+0x1e8/0x300 + [<00000000b7ed8dca>] metadata_dst_alloc+0x24/0x58 + [<0000000081d32c20>] __ipgre_rcv+0x100/0x2b8 + [<00000000824f6cf1>] gre_rcv+0x178/0x540 + [<00000000ccd4e162>] gre_rcv+0x7c/0xd8 + [<00000000c024b148>] ip_protocol_deliver_rcu+0x124/0x350 + [<000000006a483377>] ip_local_deliver_finish+0x54/0x68 + [<00000000d9271b3a>] ip_local_deliver+0x128/0x168 + [<00000000bd4968ae>] xfrm_trans_reinject+0xb8/0xf8 + [<0000000071672a19>] tasklet_action_common.isra.16+0xc4/0x1b0 + [<0000000062e9c336>] __do_softirq+0x1fc/0x3e0 + [<00000000013d7914>] irq_exit+0xc4/0xe0 + [<00000000a4d73e90>] plat_irq_dispatch+0x7c/0x108 + [<000000000751eb8e>] handle_int+0x16c/0x178 + [<000000001668023b>] _raw_spin_unlock_irqrestore+0x1c/0x28 + +The metadata dst is leaked when ip_route_input_mc() updates the dst for +the skb. Commit f38a9eb1f77b ("dst: Metadata destinations") correctly +handled dropping the dst in ip_route_input_slow() but missed the +multicast case which is handled by ip_route_input_mc(). Drop the dst in +ip_route_input_mc() avoiding the leak. + +Fixes: f38a9eb1f77b ("dst: Metadata destinations") +Signed-off-by: Lokesh Dhoundiyal +Signed-off-by: Chris Packham +Reviewed-by: David Ahern +Link: https://lore.kernel.org/r/20220505020017.3111846-1-chris.packham@alliedtelesis.co.nz +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/route.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/ipv4/route.c b/net/ipv4/route.c +index c72d0de8bf71..4080e3c6c50d 100644 +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -1792,6 +1792,7 @@ static int ip_route_input_mc(struct sk_buff *skb, __be32 daddr, __be32 saddr, + #endif + RT_CACHE_STAT_INC(in_slow_mc); + ++ skb_dst_drop(skb); + skb_dst_set(skb, &rth->dst); + return 0; + } +-- +2.35.1 + diff --git a/queue-5.10/iwlwifi-iwl-dbg-use-del_timer_sync-before-freeing.patch b/queue-5.10/iwlwifi-iwl-dbg-use-del_timer_sync-before-freeing.patch new file mode 100644 index 00000000000..35bbb67131f --- /dev/null +++ b/queue-5.10/iwlwifi-iwl-dbg-use-del_timer_sync-before-freeing.patch @@ -0,0 +1,49 @@ +From 8e30d38051a604838485e76219b8b697a21263b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Apr 2022 08:42:10 -0700 +Subject: iwlwifi: iwl-dbg: Use del_timer_sync() before freeing + +From: Guenter Roeck + +[ Upstream commit 7635a1ad8d92dcc8247b53f949e37795154b5b6f ] + +In Chrome OS, a large number of crashes is observed due to corrupted timer +lists. Steven Rostedt pointed out that this usually happens when a timer +is freed while still active, and that the problem is often triggered +by code calling del_timer() instead of del_timer_sync() just before +freeing. + +Steven also identified the iwlwifi driver as one of the possible culprits +since it does exactly that. + +Reported-by: Steven Rostedt +Cc: Steven Rostedt +Cc: Johannes Berg +Cc: Gregory Greenman +Fixes: 60e8abd9d3e91 ("iwlwifi: dbg_ini: add periodic trigger new API support") +Signed-off-by: Guenter Roeck +Acked-by: Gregory Greenman +Tested-by: Sedat Dilek # Linux v5.17.3-rc1 and Debian LLVM-14 +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20220411154210.1870008-1-linux@roeck-us.net +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c b/drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c +index fcad5cdcabfa..3c931b1b2a0b 100644 +--- a/drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c ++++ b/drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c +@@ -367,7 +367,7 @@ void iwl_dbg_tlv_del_timers(struct iwl_trans *trans) + struct iwl_dbg_tlv_timer_node *node, *tmp; + + list_for_each_entry_safe(node, tmp, timer_list, list) { +- del_timer(&node->timer); ++ del_timer_sync(&node->timer); + list_del(&node->list); + kfree(node); + } +-- +2.35.1 + diff --git a/queue-5.10/mac80211-reset-mbssid-parameters-upon-connection.patch b/queue-5.10/mac80211-reset-mbssid-parameters-upon-connection.patch new file mode 100644 index 00000000000..e1b95f1991e --- /dev/null +++ b/queue-5.10/mac80211-reset-mbssid-parameters-upon-connection.patch @@ -0,0 +1,60 @@ +From 177179f7f3ee5b3b19ecfb1090f21e1151714e98 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Apr 2022 10:57:44 +0530 +Subject: mac80211: Reset MBSSID parameters upon connection + +From: Manikanta Pubbisetty + +[ Upstream commit 86af062f40a73bf63321694e6bf637144f0383fe ] + +Currently MBSSID parameters in struct ieee80211_bss_conf +are not reset upon connection. This could be problematic +with some drivers in a scenario where the device first +connects to a non-transmit BSS and then connects to a +transmit BSS of a Multi BSS AP. The MBSSID parameters +which are set after connecting to a non-transmit BSS will +not be reset and the same parameters will be passed on to +the driver during the subsequent connection to a transmit +BSS of a Multi BSS AP. + +For example, firmware running on the ath11k device uses the +Multi BSS data for tracking the beacon of a non-transmit BSS +and reports the driver when there is a beacon miss. If we do +not reset the MBSSID parameters during the subsequent +connection to a transmit BSS, then the driver would have +wrong MBSSID data and FW would be looking for an incorrect +BSSID in the MBSSID beacon of a Multi BSS AP and reports +beacon loss leading to an unstable connection. + +Reset the MBSSID parameters upon every connection to solve this +problem. + +Fixes: 78ac51f81532 ("mac80211: support multi-bssid") +Signed-off-by: Manikanta Pubbisetty +Link: https://lore.kernel.org/r/20220428052744.27040-1-quic_mpubbise@quicinc.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/mlme.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c +index 0dba353d3f8f..3988403064ab 100644 +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -3528,6 +3528,12 @@ static bool ieee80211_assoc_success(struct ieee80211_sub_if_data *sdata, + cbss->transmitted_bss->bssid); + bss_conf->bssid_indicator = cbss->max_bssid_indicator; + bss_conf->bssid_index = cbss->bssid_index; ++ } else { ++ bss_conf->nontransmitted = false; ++ memset(bss_conf->transmitter_bssid, 0, ++ sizeof(bss_conf->transmitter_bssid)); ++ bss_conf->bssid_indicator = 0; ++ bss_conf->bssid_index = 0; + } + + /* +-- +2.35.1 + diff --git a/queue-5.10/mac80211_hwsim-call-ieee80211_tx_prepare_skb-under-r.patch b/queue-5.10/mac80211_hwsim-call-ieee80211_tx_prepare_skb-under-r.patch new file mode 100644 index 00000000000..aa4ea475a92 --- /dev/null +++ b/queue-5.10/mac80211_hwsim-call-ieee80211_tx_prepare_skb-under-r.patch @@ -0,0 +1,52 @@ +From 05e9c338c16fa429ff3c72c5d128b520e9cb331a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 May 2022 23:04:22 +0200 +Subject: mac80211_hwsim: call ieee80211_tx_prepare_skb under RCU protection + +From: Johannes Berg + +[ Upstream commit 9e2db50f1ef2238fc2f71c5de1c0418b7a5b0ea2 ] + +This is needed since it might use (and pass out) pointers to +e.g. keys protected by RCU. Can't really happen here as the +frames aren't encrypted, but we need to still adhere to the +rules. + +Fixes: cacfddf82baf ("mac80211_hwsim: initialize ieee80211_tx_info at hw_scan_work") +Signed-off-by: Johannes Berg +Link: https://lore.kernel.org/r/20220505230421.5f139f9de173.I77ae111a28f7c0e9fd1ebcee7f39dbec5c606770@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mac80211_hwsim.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c +index cc550ba0c9df..afd2d5add04b 100644 +--- a/drivers/net/wireless/mac80211_hwsim.c ++++ b/drivers/net/wireless/mac80211_hwsim.c +@@ -2264,11 +2264,13 @@ static void hw_scan_work(struct work_struct *work) + if (req->ie_len) + skb_put_data(probe, req->ie, req->ie_len); + ++ rcu_read_lock(); + if (!ieee80211_tx_prepare_skb(hwsim->hw, + hwsim->hw_scan_vif, + probe, + hwsim->tmp_chan->band, + NULL)) { ++ rcu_read_unlock(); + kfree_skb(probe); + continue; + } +@@ -2276,6 +2278,7 @@ static void hw_scan_work(struct work_struct *work) + local_bh_disable(); + mac80211_hwsim_tx_frame(hwsim->hw, probe, + hwsim->tmp_chan); ++ rcu_read_unlock(); + local_bh_enable(); + } + } +-- +2.35.1 + diff --git a/queue-5.10/net-bcmgenet-check-for-wake-on-lan-interrupt-probe-d.patch b/queue-5.10/net-bcmgenet-check-for-wake-on-lan-interrupt-probe-d.patch new file mode 100644 index 00000000000..3865ef6de13 --- /dev/null +++ b/queue-5.10/net-bcmgenet-check-for-wake-on-lan-interrupt-probe-d.patch @@ -0,0 +1,44 @@ +From c4f7b03cabe6321123de0de216296043af8e66dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 May 2022 20:17:51 -0700 +Subject: net: bcmgenet: Check for Wake-on-LAN interrupt probe deferral + +From: Florian Fainelli + +[ Upstream commit 6b77c06655b8a749c1a3d9ebc51e9717003f7e5a ] + +The interrupt controller supplying the Wake-on-LAN interrupt line maybe +modular on some platforms (irq-bcm7038-l1.c) and might be probed at a +later time than the GENET driver. We need to specifically check for +-EPROBE_DEFER and propagate that error to ensure that we eventually +fetch the interrupt descriptor. + +Fixes: 9deb48b53e7f ("bcmgenet: add WOL IRQ check") +Fixes: 5b1f0e62941b ("net: bcmgenet: Avoid touching non-existent interrupt") +Signed-off-by: Florian Fainelli +Reviewed-by: Stefan Wahren +Link: https://lore.kernel.org/r/20220511031752.2245566-1-f.fainelli@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/genet/bcmgenet.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c +index 9ffdaa84ba12..e0a6a2e62d23 100644 +--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c ++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c +@@ -3946,6 +3946,10 @@ static int bcmgenet_probe(struct platform_device *pdev) + goto err; + } + priv->wol_irq = platform_get_irq_optional(pdev, 2); ++ if (priv->wol_irq == -EPROBE_DEFER) { ++ err = priv->wol_irq; ++ goto err; ++ } + + priv->base = devm_platform_ioremap_resource(pdev, 0); + if (IS_ERR(priv->base)) { +-- +2.35.1 + diff --git a/queue-5.10/net-dsa-bcm_sf2-fix-wake-on-lan-with-mac_link_down.patch b/queue-5.10/net-dsa-bcm_sf2-fix-wake-on-lan-with-mac_link_down.patch new file mode 100644 index 00000000000..24d703fddea --- /dev/null +++ b/queue-5.10/net-dsa-bcm_sf2-fix-wake-on-lan-with-mac_link_down.patch @@ -0,0 +1,43 @@ +From df3485846c86d6caee72274d38310933bdeb30f2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 May 2022 19:17:31 -0700 +Subject: net: dsa: bcm_sf2: Fix Wake-on-LAN with mac_link_down() + +From: Florian Fainelli + +[ Upstream commit b7be130c5d52e5224ac7d89568737b37b4c4b785 ] + +After commit 2d1f90f9ba83 ("net: dsa/bcm_sf2: fix incorrect usage of +state->link") the interface suspend path would call our mac_link_down() +call back which would forcibly set the link down, thus preventing +Wake-on-LAN packets from reaching our management port. + +Fix this by looking at whether the port is enabled for Wake-on-LAN and +not clearing the link status in that case to let packets go through. + +Fixes: 2d1f90f9ba83 ("net: dsa/bcm_sf2: fix incorrect usage of state->link") +Signed-off-by: Florian Fainelli +Link: https://lore.kernel.org/r/20220512021731.2494261-1-f.fainelli@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/bcm_sf2.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/dsa/bcm_sf2.c b/drivers/net/dsa/bcm_sf2.c +index 08a675a5328d..b712b4f27efd 100644 +--- a/drivers/net/dsa/bcm_sf2.c ++++ b/drivers/net/dsa/bcm_sf2.c +@@ -710,6 +710,9 @@ static void bcm_sf2_sw_mac_link_down(struct dsa_switch *ds, int port, + struct bcm_sf2_priv *priv = bcm_sf2_to_priv(ds); + u32 reg, offset; + ++ if (priv->wol_ports_mask & BIT(port)) ++ return; ++ + if (port != core_readl(priv, CORE_IMP0_PRT_ID)) { + if (priv->type == BCM7445_DEVICE_ID) + offset = CORE_STS_OVERRIDE_GMIIP_PORT(port); +-- +2.35.1 + diff --git a/queue-5.10/net-emaclite-don-t-advertise-1000base-t-and-do-auto-.patch b/queue-5.10/net-emaclite-don-t-advertise-1000base-t-and-do-auto-.patch new file mode 100644 index 00000000000..0909770ab03 --- /dev/null +++ b/queue-5.10/net-emaclite-don-t-advertise-1000base-t-and-do-auto-.patch @@ -0,0 +1,62 @@ +From fa37de2ed38212e026f907942b283b0acc201bca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 May 2022 12:57:49 +0530 +Subject: net: emaclite: Don't advertise 1000BASE-T and do auto negotiation + +From: Shravya Kumbham + +[ Upstream commit b800528b97d0adc3a5ba42d78a8b0d3f07a31f44 ] + +In xemaclite_open() function we are setting the max speed of +emaclite to 100Mb using phy_set_max_speed() function so, +there is no need to write the advertising registers to stop +giga-bit speed and the phy_start() function starts the +auto-negotiation so, there is no need to handle it separately +using advertising registers. Remove the phy_read and phy_write +of advertising registers in xemaclite_open() function. + +Signed-off-by: Shravya Kumbham +Signed-off-by: Radhey Shyam Pandey +Reviewed-by: Andrew Lunn +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/xilinx/xilinx_emaclite.c | 15 --------------- + 1 file changed, 15 deletions(-) + +diff --git a/drivers/net/ethernet/xilinx/xilinx_emaclite.c b/drivers/net/ethernet/xilinx/xilinx_emaclite.c +index e29b5523b19b..f6ea4a0ad5df 100644 +--- a/drivers/net/ethernet/xilinx/xilinx_emaclite.c ++++ b/drivers/net/ethernet/xilinx/xilinx_emaclite.c +@@ -932,8 +932,6 @@ static int xemaclite_open(struct net_device *dev) + xemaclite_disable_interrupts(lp); + + if (lp->phy_node) { +- u32 bmcr; +- + lp->phy_dev = of_phy_connect(lp->ndev, lp->phy_node, + xemaclite_adjust_link, 0, + PHY_INTERFACE_MODE_MII); +@@ -944,19 +942,6 @@ static int xemaclite_open(struct net_device *dev) + + /* EmacLite doesn't support giga-bit speeds */ + phy_set_max_speed(lp->phy_dev, SPEED_100); +- +- /* Don't advertise 1000BASE-T Full/Half duplex speeds */ +- phy_write(lp->phy_dev, MII_CTRL1000, 0); +- +- /* Advertise only 10 and 100mbps full/half duplex speeds */ +- phy_write(lp->phy_dev, MII_ADVERTISE, ADVERTISE_ALL | +- ADVERTISE_CSMA); +- +- /* Restart auto negotiation */ +- bmcr = phy_read(lp->phy_dev, MII_BMCR); +- bmcr |= (BMCR_ANENABLE | BMCR_ANRESTART); +- phy_write(lp->phy_dev, MII_BMCR, bmcr); +- + phy_start(lp->phy_dev); + } + +-- +2.35.1 + diff --git a/queue-5.10/net-fix-features-skip-in-for_each_netdev_feature.patch b/queue-5.10/net-fix-features-skip-in-for_each_netdev_feature.patch new file mode 100644 index 00000000000..3ebcd6855b1 --- /dev/null +++ b/queue-5.10/net-fix-features-skip-in-for_each_netdev_feature.patch @@ -0,0 +1,49 @@ +From aaf1c483308bcae9c3f8ba6dc84aea686d385e69 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 May 2022 11:09:14 +0300 +Subject: net: Fix features skip in for_each_netdev_feature() + +From: Tariq Toukan + +[ Upstream commit 85db6352fc8a158a893151baa1716463d34a20d0 ] + +The find_next_netdev_feature() macro gets the "remaining length", +not bit index. +Passing "bit - 1" for the following iteration is wrong as it skips +the adjacent bit. Pass "bit" instead. + +Fixes: 3b89ea9c5902 ("net: Fix for_each_netdev_feature on Big endian") +Signed-off-by: Tariq Toukan +Reviewed-by: Gal Pressman +Link: https://lore.kernel.org/r/20220504080914.1918-1-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/linux/netdev_features.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/include/linux/netdev_features.h b/include/linux/netdev_features.h +index f96b7f8d82e5..e2a92697a663 100644 +--- a/include/linux/netdev_features.h ++++ b/include/linux/netdev_features.h +@@ -158,7 +158,7 @@ enum { + #define NETIF_F_GSO_FRAGLIST __NETIF_F(GSO_FRAGLIST) + #define NETIF_F_HW_MACSEC __NETIF_F(HW_MACSEC) + +-/* Finds the next feature with the highest number of the range of start till 0. ++/* Finds the next feature with the highest number of the range of start-1 till 0. + */ + static inline int find_next_netdev_feature(u64 feature, unsigned long start) + { +@@ -177,7 +177,7 @@ static inline int find_next_netdev_feature(u64 feature, unsigned long start) + for ((bit) = find_next_netdev_feature((mask_addr), \ + NETDEV_FEATURE_COUNT); \ + (bit) >= 0; \ +- (bit) = find_next_netdev_feature((mask_addr), (bit) - 1)) ++ (bit) = find_next_netdev_feature((mask_addr), (bit))) + + /* Features valid for ethtool to change */ + /* = all defined minus driver/device-class-related */ +-- +2.35.1 + diff --git a/queue-5.10/net-mscc-ocelot-avoid-corrupting-hardware-counters-w.patch b/queue-5.10/net-mscc-ocelot-avoid-corrupting-hardware-counters-w.patch new file mode 100644 index 00000000000..26a10bbf72e --- /dev/null +++ b/queue-5.10/net-mscc-ocelot-avoid-corrupting-hardware-counters-w.patch @@ -0,0 +1,115 @@ +From 958325585cc89af8e3775af5a3cf322816bed87f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 May 2022 02:55:03 +0300 +Subject: net: mscc: ocelot: avoid corrupting hardware counters when moving + VCAP filters + +From: Vladimir Oltean + +[ Upstream commit 93a8417088ea570b5721d2b526337a2d3aed9fa3 ] + +Given the following order of operations: + +(1) we add filter A using tc-flower +(2) we send a packet that matches it +(3) we read the filter's statistics to find a hit count of 1 +(4) we add a second filter B with a higher preference than A, and A + moves one position to the right to make room in the TCAM for it +(5) we send another packet, and this matches the second filter B +(6) we read the filter statistics again. + +When this happens, the hit count of filter A is 2 and of filter B is 1, +despite a single packet having matched each filter. + +Furthermore, in an alternate history, reading the filter stats a second +time between steps (3) and (4) makes the hit count of filter A remain at +1 after step (6), as expected. + +The reason why this happens has to do with the filter->stats.pkts field, +which is written to hardware through the call path below: + + vcap_entry_set + / | \ + / | \ + / | \ + / | \ +es0_entry_set is1_entry_set is2_entry_set + \ | / + \ | / + \ | / + vcap_data_set(data.counter, ...) + +The primary role of filter->stats.pkts is to transport the filter hit +counters from the last readout all the way from vcap_entry_get() -> +ocelot_vcap_filter_stats_update() -> ocelot_cls_flower_stats(). +The reason why vcap_entry_set() writes it to hardware is so that the +counters (saturating and having a limited bit width) are cleared +after each user space readout. + +The writing of filter->stats.pkts to hardware during the TCAM entry +movement procedure is an unintentional consequence of the code design, +because the hit count isn't up to date at this point. + +So at step (4), when filter A is moved by ocelot_vcap_filter_add() to +make room for filter B, the hardware hit count is 0 (no packet matched +on it in the meantime), but filter->stats.pkts is 1, because the last +readout saw the earlier packet. The movement procedure programs the old +hit count back to hardware, so this creates the impression to user space +that more packets have been matched than they really were. + +The bug can be seen when running the gact_drop_and_ok_test() from the +tc_actions.sh selftest. + +Fix the issue by reading back the hit count to tmp->stats.pkts before +migrating the VCAP filter. Sure, this is a best-effort technique, since +the packets that hit the rule between vcap_entry_get() and +vcap_entry_set() won't be counted, but at least it allows the counters +to be reliably used for selftests where the traffic is under control. + +The vcap_entry_get() name is a bit unintuitive, but it only reads back +the counter portion of the TCAM entry, not the entire entry. + +The index from which we retrieve the counter is also a bit unintuitive +(i - 1 during add, i + 1 during del), but this is the way in which TCAM +entry movement works. The "entry index" isn't a stored integer for a +TCAM filter, instead it is dynamically computed by +ocelot_vcap_block_get_filter_index() based on the entry's position in +the &block->rules list. That position (as well as block->count) is +automatically updated by ocelot_vcap_filter_add_to_block() on add, and +by ocelot_vcap_block_remove_filter() on del. So "i" is the new filter +index, and "i - 1" or "i + 1" respectively are the old addresses of that +TCAM entry (we only support installing/deleting one filter at a time). + +Fixes: b596229448dd ("net: mscc: ocelot: Add support for tcam") +Signed-off-by: Vladimir Oltean +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mscc/ocelot_vcap.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/ethernet/mscc/ocelot_vcap.c b/drivers/net/ethernet/mscc/ocelot_vcap.c +index 709b304fde67..118572590607 100644 +--- a/drivers/net/ethernet/mscc/ocelot_vcap.c ++++ b/drivers/net/ethernet/mscc/ocelot_vcap.c +@@ -1142,6 +1142,8 @@ int ocelot_vcap_filter_add(struct ocelot *ocelot, + struct ocelot_vcap_filter *tmp; + + tmp = ocelot_vcap_block_find_filter_by_index(block, i); ++ /* Read back the filter's counters before moving it */ ++ vcap_entry_get(ocelot, i - 1, tmp); + vcap_entry_set(ocelot, i, tmp); + } + +@@ -1199,6 +1201,8 @@ int ocelot_vcap_filter_del(struct ocelot *ocelot, + struct ocelot_vcap_filter *tmp; + + tmp = ocelot_vcap_block_find_filter_by_index(block, i); ++ /* Read back the filter's counters before moving it */ ++ vcap_entry_get(ocelot, i + 1, tmp); + vcap_entry_set(ocelot, i, tmp); + } + +-- +2.35.1 + diff --git a/queue-5.10/net-mscc-ocelot-fix-last-vcap-is1-is2-filter-persist.patch b/queue-5.10/net-mscc-ocelot-fix-last-vcap-is1-is2-filter-persist.patch new file mode 100644 index 00000000000..fd7d4ba19f2 --- /dev/null +++ b/queue-5.10/net-mscc-ocelot-fix-last-vcap-is1-is2-filter-persist.patch @@ -0,0 +1,56 @@ +From f4c3a20224d65dabb7a42b74db1c33c16d04bcfb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 May 2022 02:55:00 +0300 +Subject: net: mscc: ocelot: fix last VCAP IS1/IS2 filter persisting in + hardware when deleted + +From: Vladimir Oltean + +[ Upstream commit 16bbebd35629c93a8c68c6d8d28557e100bcee73 ] + +ocelot_vcap_filter_del() works by moving the next filters over the +current one, and then deleting the last filter by calling vcap_entry_set() +with a del_filter which was specially created by memsetting its memory +to zeroes. vcap_entry_set() then programs this to the TCAM and action +RAM via the cache registers. + +The problem is that vcap_entry_set() is a dispatch function which looks +at del_filter->block_id. But since del_filter is zeroized memory, the +block_id is 0, or otherwise said, VCAP_ES0. So practically, what we do +is delete the entry at the same TCAM index from VCAP ES0 instead of IS1 +or IS2. + +The code was not always like this. vcap_entry_set() used to simply be +is2_entry_set(), and then, the logic used to work. + +Restore the functionality by populating the block_id of the del_filter +based on the VCAP block of the filter that we're deleting. This makes +vcap_entry_set() know what to do. + +Fixes: 1397a2eb52e2 ("net: mscc: ocelot: create TCAM skeleton from tc filter chains") +Signed-off-by: Vladimir Oltean +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mscc/ocelot_vcap.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/ethernet/mscc/ocelot_vcap.c b/drivers/net/ethernet/mscc/ocelot_vcap.c +index d8c778ee6f1b..e47098900a69 100644 +--- a/drivers/net/ethernet/mscc/ocelot_vcap.c ++++ b/drivers/net/ethernet/mscc/ocelot_vcap.c +@@ -1181,7 +1181,11 @@ int ocelot_vcap_filter_del(struct ocelot *ocelot, + struct ocelot_vcap_filter del_filter; + int i, index; + ++ /* Need to inherit the block_id so that vcap_entry_set() ++ * does not get confused and knows where to install it. ++ */ + memset(&del_filter, 0, sizeof(del_filter)); ++ del_filter.block_id = filter->block_id; + + /* Gets index of the filter */ + index = ocelot_vcap_block_get_filter_index(block, filter); +-- +2.35.1 + diff --git a/queue-5.10/net-mscc-ocelot-fix-vcap-is2-filters-matching-on-bot.patch b/queue-5.10/net-mscc-ocelot-fix-vcap-is2-filters-matching-on-bot.patch new file mode 100644 index 00000000000..c59949ae8b4 --- /dev/null +++ b/queue-5.10/net-mscc-ocelot-fix-vcap-is2-filters-matching-on-bot.patch @@ -0,0 +1,69 @@ +From 60d1ef444c83fede5614762f7e82a4bda73471dd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 May 2022 02:55:01 +0300 +Subject: net: mscc: ocelot: fix VCAP IS2 filters matching on both lookups + +From: Vladimir Oltean + +[ Upstream commit 6741e11880003e35802d78cc58035057934f4dab ] + +The VCAP IS2 TCAM is looked up twice per packet, and each filter can be +configured to only match during the first, second lookup, or both, or +none. + +The blamed commit wrote the code for making VCAP IS2 filters match only +on the given lookup. But right below that code, there was another line +that explicitly made the lookup a "don't care", and this is overwriting +the lookup we've selected. So the code had no effect. + +Some of the more noticeable effects of having filters match on both +lookups: + +- in "tc -s filter show dev swp0 ingress", we see each packet matching a + VCAP IS2 filter counted twice. This throws off scripts such as + tools/testing/selftests/net/forwarding/tc_actions.sh and makes them + fail. + +- a "tc-drop" action offloaded to VCAP IS2 needs a policer as well, + because once the CPU port becomes a member of the destination port + mask of a packet, nothing removes it, not even a PERMIT/DENY mask mode + with a port mask of 0. But VCAP IS2 rules with the POLICE_ENA bit in + the action vector can only appear in the first lookup. What happens + when a filter matches both lookups is that the action vector is + combined, and this makes the POLICE_ENA bit ineffective, since the + last lookup in which it has appeared is the second one. In other + words, "tc-drop" actions do not drop packets for the CPU port, dropped + packets are still seen by software unless there was an FDB entry that + directed those packets to some other place different from the CPU. + +The last bit used to work, because in the initial commit b596229448dd +("net: mscc: ocelot: Add support for tcam"), we were writing the FIRST +field of the VCAP IS2 half key with a 1, not with a "don't care". +The change to "don't care" was made inadvertently by me in commit +c1c3993edb7c ("net: mscc: ocelot: generalize existing code for VCAP"), +which I just realized, and which needs a separate fix from this one, +for "stable" kernels that lack the commit blamed below. + +Fixes: 226e9cd82a96 ("net: mscc: ocelot: only install TCAM entries into a specific lookup and PAG") +Signed-off-by: Vladimir Oltean +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mscc/ocelot_vcap.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/net/ethernet/mscc/ocelot_vcap.c b/drivers/net/ethernet/mscc/ocelot_vcap.c +index e47098900a69..709b304fde67 100644 +--- a/drivers/net/ethernet/mscc/ocelot_vcap.c ++++ b/drivers/net/ethernet/mscc/ocelot_vcap.c +@@ -373,7 +373,6 @@ static void is2_entry_set(struct ocelot *ocelot, int ix, + OCELOT_VCAP_BIT_0); + vcap_key_set(vcap, &data, VCAP_IS2_HK_IGR_PORT_MASK, 0, + ~filter->ingress_port_mask); +- vcap_key_bit_set(vcap, &data, VCAP_IS2_HK_FIRST, OCELOT_VCAP_BIT_ANY); + vcap_key_bit_set(vcap, &data, VCAP_IS2_HK_HOST_MATCH, + OCELOT_VCAP_BIT_ANY); + vcap_key_bit_set(vcap, &data, VCAP_IS2_HK_L2_MC, filter->dmac_mc); +-- +2.35.1 + diff --git a/queue-5.10/net-mscc-ocelot-restrict-tc-trap-actions-to-vcap-is2.patch b/queue-5.10/net-mscc-ocelot-restrict-tc-trap-actions-to-vcap-is2.patch new file mode 100644 index 00000000000..b7f6e75bf35 --- /dev/null +++ b/queue-5.10/net-mscc-ocelot-restrict-tc-trap-actions-to-vcap-is2.patch @@ -0,0 +1,52 @@ +From 4ebed4e05e1a995a94771277c57cc9245fdaf9b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 May 2022 02:55:02 +0300 +Subject: net: mscc: ocelot: restrict tc-trap actions to VCAP IS2 lookup 0 + +From: Vladimir Oltean + +[ Upstream commit 477d2b91623e682e9a8126ea92acb8f684969cc7 ] + +Once the CPU port was added to the destination port mask of a packet, it +can never be cleared, so even packets marked as dropped by the MASK_MODE +of a VCAP IS2 filter will still reach it. This is why we need the +OCELOT_POLICER_DISCARD to "kill dropped packets dead" and make software +stop seeing them. + +We disallow policer rules from being put on any other chain than the one +for the first lookup, but we don't do this for "drop" rules, although we +should. This change is merely ascertaining that the rules dont't +(completely) work and letting the user know. + +The blamed commit is the one that introduced the multi-chain architecture +in ocelot. Prior to that, we should have always offloaded the filters to +VCAP IS2 lookup 0, where they did work. + +Fixes: 1397a2eb52e2 ("net: mscc: ocelot: create TCAM skeleton from tc filter chains") +Signed-off-by: Vladimir Oltean +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mscc/ocelot_flower.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mscc/ocelot_flower.c b/drivers/net/ethernet/mscc/ocelot_flower.c +index c4c4649b2088..b221b83ec5a6 100644 +--- a/drivers/net/ethernet/mscc/ocelot_flower.c ++++ b/drivers/net/ethernet/mscc/ocelot_flower.c +@@ -206,9 +206,10 @@ static int ocelot_flower_parse_action(struct ocelot *ocelot, int port, + filter->type = OCELOT_VCAP_FILTER_OFFLOAD; + break; + case FLOW_ACTION_TRAP: +- if (filter->block_id != VCAP_IS2) { ++ if (filter->block_id != VCAP_IS2 || ++ filter->lookup != 0) { + NL_SET_ERR_MSG_MOD(extack, +- "Trap action can only be offloaded to VCAP IS2"); ++ "Trap action can only be offloaded to VCAP IS2 lookup 0"); + return -EOPNOTSUPP; + } + if (filter->goto_target != -1) { +-- +2.35.1 + diff --git a/queue-5.10/net-sched-act_pedit-really-ensure-the-skb-is-writabl.patch b/queue-5.10/net-sched-act_pedit-really-ensure-the-skb-is-writabl.patch new file mode 100644 index 00000000000..c03f9c090f9 --- /dev/null +++ b/queue-5.10/net-sched-act_pedit-really-ensure-the-skb-is-writabl.patch @@ -0,0 +1,123 @@ +From d97035ca0d8130ef71e73c0718358b2530f428ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 May 2022 16:57:34 +0200 +Subject: net/sched: act_pedit: really ensure the skb is writable + +From: Paolo Abeni + +[ Upstream commit 8b796475fd7882663a870456466a4fb315cc1bd6 ] + +Currently pedit tries to ensure that the accessed skb offset +is writable via skb_unclone(). The action potentially allows +touching any skb bytes, so it may end-up modifying shared data. + +The above causes some sporadic MPTCP self-test failures, due to +this code: + + tc -n $ns2 filter add dev ns2eth$i egress \ + protocol ip prio 1000 \ + handle 42 fw \ + action pedit munge offset 148 u8 invert \ + pipe csum tcp \ + index 100 + +The above modifies a data byte outside the skb head and the skb is +a cloned one, carrying a TCP output packet. + +This change addresses the issue by keeping track of a rough +over-estimate highest skb offset accessed by the action and ensuring +such offset is really writable. + +Note that this may cause performance regressions in some scenarios, +but hopefully pedit is not in the critical path. + +Fixes: db2c24175d14 ("act_pedit: access skb->data safely") +Acked-by: Mat Martineau +Tested-by: Geliang Tang +Signed-off-by: Paolo Abeni +Acked-by: Jamal Hadi Salim +Link: https://lore.kernel.org/r/1fcf78e6679d0a287dd61bb0f04730ce33b3255d.1652194627.git.pabeni@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/tc_act/tc_pedit.h | 1 + + net/sched/act_pedit.c | 26 ++++++++++++++++++++++---- + 2 files changed, 23 insertions(+), 4 deletions(-) + +diff --git a/include/net/tc_act/tc_pedit.h b/include/net/tc_act/tc_pedit.h +index 748cf87a4d7e..3e02709a1df6 100644 +--- a/include/net/tc_act/tc_pedit.h ++++ b/include/net/tc_act/tc_pedit.h +@@ -14,6 +14,7 @@ struct tcf_pedit { + struct tc_action common; + unsigned char tcfp_nkeys; + unsigned char tcfp_flags; ++ u32 tcfp_off_max_hint; + struct tc_pedit_key *tcfp_keys; + struct tcf_pedit_key_ex *tcfp_keys_ex; + }; +diff --git a/net/sched/act_pedit.c b/net/sched/act_pedit.c +index b45304446e13..90510298b32a 100644 +--- a/net/sched/act_pedit.c ++++ b/net/sched/act_pedit.c +@@ -149,7 +149,7 @@ static int tcf_pedit_init(struct net *net, struct nlattr *nla, + struct nlattr *pattr; + struct tcf_pedit *p; + int ret = 0, err; +- int ksize; ++ int i, ksize; + u32 index; + + if (!nla) { +@@ -228,6 +228,18 @@ static int tcf_pedit_init(struct net *net, struct nlattr *nla, + p->tcfp_nkeys = parm->nkeys; + } + memcpy(p->tcfp_keys, parm->keys, ksize); ++ p->tcfp_off_max_hint = 0; ++ for (i = 0; i < p->tcfp_nkeys; ++i) { ++ u32 cur = p->tcfp_keys[i].off; ++ ++ /* The AT option can read a single byte, we can bound the actual ++ * value with uchar max. ++ */ ++ cur += (0xff & p->tcfp_keys[i].offmask) >> p->tcfp_keys[i].shift; ++ ++ /* Each key touches 4 bytes starting from the computed offset */ ++ p->tcfp_off_max_hint = max(p->tcfp_off_max_hint, cur + 4); ++ } + + p->tcfp_flags = parm->flags; + goto_ch = tcf_action_set_ctrlact(*a, parm->action, goto_ch); +@@ -308,13 +320,18 @@ static int tcf_pedit_act(struct sk_buff *skb, const struct tc_action *a, + struct tcf_result *res) + { + struct tcf_pedit *p = to_pedit(a); ++ u32 max_offset; + int i; + +- if (skb_unclone(skb, GFP_ATOMIC)) +- return p->tcf_action; +- + spin_lock(&p->tcf_lock); + ++ max_offset = (skb_transport_header_was_set(skb) ? ++ skb_transport_offset(skb) : ++ skb_network_offset(skb)) + ++ p->tcfp_off_max_hint; ++ if (skb_ensure_writable(skb, min(skb->len, max_offset))) ++ goto unlock; ++ + tcf_lastuse_update(&p->tcf_tm); + + if (p->tcfp_nkeys > 0) { +@@ -403,6 +420,7 @@ static int tcf_pedit_act(struct sk_buff *skb, const struct tc_action *a, + p->tcf_qstats.overlimits++; + done: + bstats_update(&p->tcf_bstats, skb); ++unlock: + spin_unlock(&p->tcf_lock); + return p->tcf_action; + } +-- +2.35.1 + diff --git a/queue-5.10/net-sfc-ef10-fix-memory-leak-in-efx_ef10_mtd_probe.patch b/queue-5.10/net-sfc-ef10-fix-memory-leak-in-efx_ef10_mtd_probe.patch new file mode 100644 index 00000000000..94796596805 --- /dev/null +++ b/queue-5.10/net-sfc-ef10-fix-memory-leak-in-efx_ef10_mtd_probe.patch @@ -0,0 +1,72 @@ +From de89601363a1d32bb3dddf4f9a5610f199eb4aa6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 May 2022 05:47:09 +0000 +Subject: net: sfc: ef10: fix memory leak in efx_ef10_mtd_probe() + +From: Taehee Yoo + +[ Upstream commit 1fa89ffbc04545b7582518e57f4b63e2a062870f ] + +In the NIC ->probe() callback, ->mtd_probe() callback is called. +If NIC has 2 ports, ->probe() is called twice and ->mtd_probe() too. +In the ->mtd_probe(), which is efx_ef10_mtd_probe() it allocates and +initializes mtd partiion. +But mtd partition for sfc is shared data. +So that allocated mtd partition data from last called +efx_ef10_mtd_probe() will not be used. +Therefore it must be freed. +But it doesn't free a not used mtd partition data in efx_ef10_mtd_probe(). + +kmemleak reports: +unreferenced object 0xffff88811ddb0000 (size 63168): + comm "systemd-udevd", pid 265, jiffies 4294681048 (age 348.586s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [] kmalloc_order_trace+0x19/0x120 + [] __kmalloc+0x20e/0x250 + [] efx_ef10_mtd_probe+0x11f/0x270 [sfc] + [] efx_pci_probe.cold.17+0x3df/0x53d [sfc] + [] local_pci_probe+0xdc/0x170 + [] pci_device_probe+0x235/0x680 + [] really_probe+0x1c2/0x8f0 + [] __driver_probe_device+0x2ab/0x460 + [] driver_probe_device+0x4a/0x120 + [] __driver_attach+0x16e/0x320 + [] bus_for_each_dev+0x110/0x190 + [] bus_add_driver+0x39e/0x560 + [] driver_register+0x18e/0x310 + [] 0xffffffffc02e2055 + [] do_one_initcall+0xc3/0x450 + [] do_init_module+0x1b4/0x700 + +Acked-by: Martin Habets +Fixes: 8127d661e77f ("sfc: Add support for Solarflare SFC9100 family") +Signed-off-by: Taehee Yoo +Link: https://lore.kernel.org/r/20220512054709.12513-1-ap420073@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/sfc/ef10.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/ethernet/sfc/ef10.c b/drivers/net/ethernet/sfc/ef10.c +index 4fa72b573c17..6f950979d25e 100644 +--- a/drivers/net/ethernet/sfc/ef10.c ++++ b/drivers/net/ethernet/sfc/ef10.c +@@ -3563,6 +3563,11 @@ static int efx_ef10_mtd_probe(struct efx_nic *efx) + n_parts++; + } + ++ if (!n_parts) { ++ kfree(parts); ++ return 0; ++ } ++ + rc = efx_mtd_add(efx, &parts[0].common, n_parts, sizeof(*parts)); + fail: + if (rc) +-- +2.35.1 + diff --git a/queue-5.10/net-sfc-fix-memory-leak-due-to-ptp-channel.patch b/queue-5.10/net-sfc-fix-memory-leak-due-to-ptp-channel.patch new file mode 100644 index 00000000000..84f3686f853 --- /dev/null +++ b/queue-5.10/net-sfc-fix-memory-leak-due-to-ptp-channel.patch @@ -0,0 +1,183 @@ +From 44bb01562d79a56cc127d37c3d5b0cb65f0b0f53 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 May 2022 12:32:27 +0000 +Subject: net: sfc: fix memory leak due to ptp channel + +From: Taehee Yoo + +[ Upstream commit 49e6123c65dac6393b04f39ceabf79c44f66b8be ] + +It fixes memory leak in ring buffer change logic. + +When ring buffer size is changed(ethtool -G eth0 rx 4096), sfc driver +works like below. +1. stop all channels and remove ring buffers. +2. allocates new buffer array. +3. allocates rx buffers. +4. start channels. + +While the above steps are working, it skips some steps if the channel +doesn't have a ->copy callback function. +Due to ptp channel doesn't have ->copy callback, these above steps are +skipped for ptp channel. +It eventually makes some problems. +a. ptp channel's ring buffer size is not changed, it works only + 1024(default). +b. memory leak. + +The reason for memory leak is to use the wrong ring buffer values. +There are some values, which is related to ring buffer size. +a. efx->rxq_entries + - This is global value of rx queue size. +b. rx_queue->ptr_mask + - used for access ring buffer as circular ring. + - roundup_pow_of_two(efx->rxq_entries) - 1 +c. rx_queue->max_fill + - efx->rxq_entries - EFX_RXD_HEAD_ROOM + +These all values should be based on ring buffer size consistently. +But ptp channel's values are not. +a. efx->rxq_entries + - This is global(for sfc) value, always new ring buffer size. +b. rx_queue->ptr_mask + - This is always 1023(default). +c. rx_queue->max_fill + - This is new ring buffer size - EFX_RXD_HEAD_ROOM. + +Let's assume we set 4096 for rx ring buffer, + + normal channel ptp channel +efx->rxq_entries 4096 4096 +rx_queue->ptr_mask 4095 1023 +rx_queue->max_fill 4086 4086 + +sfc driver allocates rx ring buffers based on these values. +When it allocates ptp channel's ring buffer, 4086 ring buffers are +allocated then, these buffers are attached to the allocated array. +But ptp channel's ring buffer array size is still 1024(default) +and ptr_mask is still 1023 too. +So, 3062 ring buffers will be overwritten to the array. +This is the reason for memory leak. + +Test commands: + ethtool -G rx 4096 + while : + do + ip link set up + ip link set down + done + +In order to avoid this problem, it adds ->copy callback to ptp channel +type. +So that rx_queue->ptr_mask value will be updated correctly. + +Fixes: 7c236c43b838 ("sfc: Add support for IEEE-1588 PTP") +Signed-off-by: Taehee Yoo +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/sfc/efx_channels.c | 7 ++++++- + drivers/net/ethernet/sfc/ptp.c | 14 +++++++++++++- + drivers/net/ethernet/sfc/ptp.h | 1 + + 3 files changed, 20 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/sfc/efx_channels.c b/drivers/net/ethernet/sfc/efx_channels.c +index fe1ad682e3d5..2ab8571ef1cc 100644 +--- a/drivers/net/ethernet/sfc/efx_channels.c ++++ b/drivers/net/ethernet/sfc/efx_channels.c +@@ -744,7 +744,9 @@ void efx_remove_channels(struct efx_nic *efx) + + int efx_realloc_channels(struct efx_nic *efx, u32 rxq_entries, u32 txq_entries) + { +- struct efx_channel *other_channel[EFX_MAX_CHANNELS], *channel; ++ struct efx_channel *other_channel[EFX_MAX_CHANNELS], *channel, ++ *ptp_channel = efx_ptp_channel(efx); ++ struct efx_ptp_data *ptp_data = efx->ptp_data; + unsigned int i, next_buffer_table = 0; + u32 old_rxq_entries, old_txq_entries; + int rc, rc2; +@@ -814,6 +816,7 @@ int efx_realloc_channels(struct efx_nic *efx, u32 rxq_entries, u32 txq_entries) + } + + out: ++ efx->ptp_data = NULL; + /* Destroy unused channel structures */ + for (i = 0; i < efx->n_channels; i++) { + channel = other_channel[i]; +@@ -824,6 +827,7 @@ int efx_realloc_channels(struct efx_nic *efx, u32 rxq_entries, u32 txq_entries) + } + } + ++ efx->ptp_data = ptp_data; + rc2 = efx_soft_enable_interrupts(efx); + if (rc2) { + rc = rc ? rc : rc2; +@@ -842,6 +846,7 @@ int efx_realloc_channels(struct efx_nic *efx, u32 rxq_entries, u32 txq_entries) + efx->txq_entries = old_txq_entries; + for (i = 0; i < efx->n_channels; i++) + swap(efx->channel[i], other_channel[i]); ++ efx_ptp_update_channel(efx, ptp_channel); + goto out; + } + +diff --git a/drivers/net/ethernet/sfc/ptp.c b/drivers/net/ethernet/sfc/ptp.c +index 797e51802ccb..725b0f38813a 100644 +--- a/drivers/net/ethernet/sfc/ptp.c ++++ b/drivers/net/ethernet/sfc/ptp.c +@@ -45,6 +45,7 @@ + #include "farch_regs.h" + #include "tx.h" + #include "nic.h" /* indirectly includes ptp.h */ ++#include "efx_channels.h" + + /* Maximum number of events expected to make up a PTP event */ + #define MAX_EVENT_FRAGS 3 +@@ -541,6 +542,12 @@ struct efx_channel *efx_ptp_channel(struct efx_nic *efx) + return efx->ptp_data ? efx->ptp_data->channel : NULL; + } + ++void efx_ptp_update_channel(struct efx_nic *efx, struct efx_channel *channel) ++{ ++ if (efx->ptp_data) ++ efx->ptp_data->channel = channel; ++} ++ + static u32 last_sync_timestamp_major(struct efx_nic *efx) + { + struct efx_channel *channel = efx_ptp_channel(efx); +@@ -1443,6 +1450,11 @@ int efx_ptp_probe(struct efx_nic *efx, struct efx_channel *channel) + int rc = 0; + unsigned int pos; + ++ if (efx->ptp_data) { ++ efx->ptp_data->channel = channel; ++ return 0; ++ } ++ + ptp = kzalloc(sizeof(struct efx_ptp_data), GFP_KERNEL); + efx->ptp_data = ptp; + if (!efx->ptp_data) +@@ -2179,7 +2191,7 @@ static const struct efx_channel_type efx_ptp_channel_type = { + .pre_probe = efx_ptp_probe_channel, + .post_remove = efx_ptp_remove_channel, + .get_name = efx_ptp_get_channel_name, +- /* no copy operation; there is no need to reallocate this channel */ ++ .copy = efx_copy_channel, + .receive_skb = efx_ptp_rx, + .want_txqs = efx_ptp_want_txqs, + .keep_eventq = false, +diff --git a/drivers/net/ethernet/sfc/ptp.h b/drivers/net/ethernet/sfc/ptp.h +index 9855e8c9e544..7b1ef7002b3f 100644 +--- a/drivers/net/ethernet/sfc/ptp.h ++++ b/drivers/net/ethernet/sfc/ptp.h +@@ -16,6 +16,7 @@ struct ethtool_ts_info; + int efx_ptp_probe(struct efx_nic *efx, struct efx_channel *channel); + void efx_ptp_defer_probe_with_channel(struct efx_nic *efx); + struct efx_channel *efx_ptp_channel(struct efx_nic *efx); ++void efx_ptp_update_channel(struct efx_nic *efx, struct efx_channel *channel); + void efx_ptp_remove(struct efx_nic *efx); + int efx_ptp_set_ts_config(struct efx_nic *efx, struct ifreq *ifr); + int efx_ptp_get_ts_config(struct efx_nic *efx, struct ifreq *ifr); +-- +2.35.1 + diff --git a/queue-5.10/net-sfp-add-tx-fault-workaround-for-huawei-ma5671a-s.patch b/queue-5.10/net-sfp-add-tx-fault-workaround-for-huawei-ma5671a-s.patch new file mode 100644 index 00000000000..28e128da8a6 --- /dev/null +++ b/queue-5.10/net-sfp-add-tx-fault-workaround-for-huawei-ma5671a-s.patch @@ -0,0 +1,68 @@ +From 364bb5767dbd0eaa97ef817b54eacd677836602a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 May 2022 23:33:15 +0100 +Subject: net: sfp: Add tx-fault workaround for Huawei MA5671A SFP ONT + +From: Matthew Hagan + +[ Upstream commit 2069624dac19d62c558bb6468fe03678553ab01d ] + +As noted elsewhere, various GPON SFP modules exhibit non-standard +TX-fault behaviour. In the tested case, the Huawei MA5671A, when used +in combination with a Marvell mv88e6085 switch, was found to +persistently assert TX-fault, resulting in the module being disabled. + +This patch adds a quirk to ignore the SFP_F_TX_FAULT state, allowing the +module to function. + +Change from v1: removal of erroneous return statment (Andrew Lunn) + +Signed-off-by: Matthew Hagan +Reviewed-by: Andrew Lunn +Link: https://lore.kernel.org/r/20220502223315.1973376-1-mnhagan88@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/sfp.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/phy/sfp.c b/drivers/net/phy/sfp.c +index efffa65f8214..96068e0d841a 100644 +--- a/drivers/net/phy/sfp.c ++++ b/drivers/net/phy/sfp.c +@@ -249,6 +249,7 @@ struct sfp { + struct sfp_eeprom_id id; + unsigned int module_power_mW; + unsigned int module_t_start_up; ++ bool tx_fault_ignore; + + #if IS_ENABLED(CONFIG_HWMON) + struct sfp_diag diag; +@@ -1893,6 +1894,12 @@ static int sfp_sm_mod_probe(struct sfp *sfp, bool report) + else + sfp->module_t_start_up = T_START_UP; + ++ if (!memcmp(id.base.vendor_name, "HUAWEI ", 16) && ++ !memcmp(id.base.vendor_pn, "MA5671A ", 16)) ++ sfp->tx_fault_ignore = true; ++ else ++ sfp->tx_fault_ignore = false; ++ + return 0; + } + +@@ -2320,7 +2327,10 @@ static void sfp_check_state(struct sfp *sfp) + mutex_lock(&sfp->st_mutex); + state = sfp_get_state(sfp); + changed = state ^ sfp->state; +- changed &= SFP_F_PRESENT | SFP_F_LOS | SFP_F_TX_FAULT; ++ if (sfp->tx_fault_ignore) ++ changed &= SFP_F_PRESENT | SFP_F_LOS; ++ else ++ changed &= SFP_F_PRESENT | SFP_F_LOS | SFP_F_TX_FAULT; + + for (i = 0; i < GPIO_MAX; i++) + if (changed & BIT(i)) +-- +2.35.1 + diff --git a/queue-5.10/net-smc-non-blocking-recvmsg-return-eagain-when-no-d.patch b/queue-5.10/net-smc-non-blocking-recvmsg-return-eagain-when-no-d.patch new file mode 100644 index 00000000000..898d2fa9d9d --- /dev/null +++ b/queue-5.10/net-smc-non-blocking-recvmsg-return-eagain-when-no-d.patch @@ -0,0 +1,49 @@ +From a50048ebe810bf44eb6842f73c55a03bcaae2a69 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 May 2022 11:08:20 +0800 +Subject: net/smc: non blocking recvmsg() return -EAGAIN when no data and + signal_pending + +From: Guangguan Wang + +[ Upstream commit f3c46e41b32b6266cf60b0985c61748f53bf1c61 ] + +Non blocking sendmsg will return -EAGAIN when any signal pending +and no send space left, while non blocking recvmsg return -EINTR +when signal pending and no data received. This may makes confused. +As TCP returns -EAGAIN in the conditions described above. Align the +behavior of smc with TCP. + +Fixes: 846e344eb722 ("net/smc: add receive timeout check") +Signed-off-by: Guangguan Wang +Reviewed-by: Tony Lu +Acked-by: Karsten Graul +Link: https://lore.kernel.org/r/20220512030820.73848-1-guangguan.wang@linux.alibaba.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/smc/smc_rx.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/smc/smc_rx.c b/net/smc/smc_rx.c +index fcfac59f8b72..7f7e983e42b1 100644 +--- a/net/smc/smc_rx.c ++++ b/net/smc/smc_rx.c +@@ -346,12 +346,12 @@ int smc_rx_recvmsg(struct smc_sock *smc, struct msghdr *msg, + } + break; + } ++ if (!timeo) ++ return -EAGAIN; + if (signal_pending(current)) { + read_done = sock_intr_errno(timeo); + break; + } +- if (!timeo) +- return -EAGAIN; + } + + if (!smc_rx_data_available(conn)) { +-- +2.35.1 + diff --git a/queue-5.10/netlink-do-not-reset-transport-header-in-netlink_rec.patch b/queue-5.10/netlink-do-not-reset-transport-header-in-netlink_rec.patch new file mode 100644 index 00000000000..e4a410383c8 --- /dev/null +++ b/queue-5.10/netlink-do-not-reset-transport-header-in-netlink_rec.patch @@ -0,0 +1,76 @@ +From 5d9fd6fafe23659e140e1fc381f1a1077e2c1690 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 May 2022 09:19:46 -0700 +Subject: netlink: do not reset transport header in netlink_recvmsg() + +From: Eric Dumazet + +[ Upstream commit d5076fe4049cadef1f040eda4aaa001bb5424225 ] + +netlink_recvmsg() does not need to change transport header. + +If transport header was needed, it should have been reset +by the producer (netlink_dump()), not the consumer(s). + +The following trace probably happened when multiple threads +were using MSG_PEEK. + +BUG: KCSAN: data-race in netlink_recvmsg / netlink_recvmsg + +write to 0xffff88811e9f15b2 of 2 bytes by task 32012 on cpu 1: + skb_reset_transport_header include/linux/skbuff.h:2760 [inline] + netlink_recvmsg+0x1de/0x790 net/netlink/af_netlink.c:1978 + sock_recvmsg_nosec net/socket.c:948 [inline] + sock_recvmsg net/socket.c:966 [inline] + __sys_recvfrom+0x204/0x2c0 net/socket.c:2097 + __do_sys_recvfrom net/socket.c:2115 [inline] + __se_sys_recvfrom net/socket.c:2111 [inline] + __x64_sys_recvfrom+0x74/0x90 net/socket.c:2111 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +write to 0xffff88811e9f15b2 of 2 bytes by task 32005 on cpu 0: + skb_reset_transport_header include/linux/skbuff.h:2760 [inline] + netlink_recvmsg+0x1de/0x790 net/netlink/af_netlink.c:1978 + ____sys_recvmsg+0x162/0x2f0 + ___sys_recvmsg net/socket.c:2674 [inline] + __sys_recvmsg+0x209/0x3f0 net/socket.c:2704 + __do_sys_recvmsg net/socket.c:2714 [inline] + __se_sys_recvmsg net/socket.c:2711 [inline] + __x64_sys_recvmsg+0x42/0x50 net/socket.c:2711 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +value changed: 0xffff -> 0x0000 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 0 PID: 32005 Comm: syz-executor.4 Not tainted 5.18.0-rc1-syzkaller-00328-ge1f700ebd6be-dirty #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Link: https://lore.kernel.org/r/20220505161946.2867638-1-eric.dumazet@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/netlink/af_netlink.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c +index cbfb601c4ee9..d96a610929d9 100644 +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -1988,7 +1988,6 @@ static int netlink_recvmsg(struct socket *sock, struct msghdr *msg, size_t len, + copied = len; + } + +- skb_reset_transport_header(data_skb); + err = skb_copy_datagram_msg(data_skb, 0, msg, copied); + + if (msg->msg_name) { +-- +2.35.1 + diff --git a/queue-5.10/nfs-fix-broken-handling-of-the-softreval-mount-optio.patch b/queue-5.10/nfs-fix-broken-handling-of-the-softreval-mount-optio.patch new file mode 100644 index 00000000000..4ca42346ea7 --- /dev/null +++ b/queue-5.10/nfs-fix-broken-handling-of-the-softreval-mount-optio.patch @@ -0,0 +1,37 @@ +From 2bfa4d71acd280e9a3fbd59b415294de732c3a7d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 8 May 2022 15:54:50 +0300 +Subject: nfs: fix broken handling of the softreval mount option + +From: Dan Aloni + +[ Upstream commit 085d16d5f949b64713d5e960d6c9bbf51bc1d511 ] + +Turns out that ever since this mount option was added, passing +`softreval` in NFS mount options cancelled all other flags while not +affecting the underlying flag `NFS_MOUNT_SOFTREVAL`. + +Fixes: c74dfe97c104 ("NFS: Add mount option 'softreval'") +Signed-off-by: Dan Aloni +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/fs_context.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/nfs/fs_context.c b/fs/nfs/fs_context.c +index 05b39e8f97b9..d60c086c6e9c 100644 +--- a/fs/nfs/fs_context.c ++++ b/fs/nfs/fs_context.c +@@ -476,7 +476,7 @@ static int nfs_fs_context_parse_param(struct fs_context *fc, + if (result.negated) + ctx->flags &= ~NFS_MOUNT_SOFTREVAL; + else +- ctx->flags &= NFS_MOUNT_SOFTREVAL; ++ ctx->flags |= NFS_MOUNT_SOFTREVAL; + break; + case Opt_posix: + if (result.negated) +-- +2.35.1 + diff --git a/queue-5.10/s390-ctcm-fix-potential-memory-leak.patch b/queue-5.10/s390-ctcm-fix-potential-memory-leak.patch new file mode 100644 index 00000000000..a6992a43b47 --- /dev/null +++ b/queue-5.10/s390-ctcm-fix-potential-memory-leak.patch @@ -0,0 +1,67 @@ +From 74a417571d5c3350730ca1dca0a9c7e36b33c037 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 May 2022 09:05:07 +0200 +Subject: s390/ctcm: fix potential memory leak + +From: Alexandra Winter + +[ Upstream commit 0c0b20587b9f25a2ad14db7f80ebe49bdf29920a ] + +smatch complains about +drivers/s390/net/ctcm_mpc.c:1210 ctcmpc_unpack_skb() warn: possible memory leak of 'mpcginfo' + +mpc_action_discontact() did not free mpcginfo. Consolidate the freeing in +ctcmpc_unpack_skb(). + +Fixes: 293d984f0e36 ("ctcm: infrastructure for replaced ctc driver") +Signed-off-by: Alexandra Winter +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/s390/net/ctcm_mpc.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +diff --git a/drivers/s390/net/ctcm_mpc.c b/drivers/s390/net/ctcm_mpc.c +index 85a1a4533cbe..20a6097e1b20 100644 +--- a/drivers/s390/net/ctcm_mpc.c ++++ b/drivers/s390/net/ctcm_mpc.c +@@ -626,8 +626,6 @@ static void mpc_rcvd_sweep_resp(struct mpcg_info *mpcginfo) + ctcm_clear_busy_do(dev); + } + +- kfree(mpcginfo); +- + return; + + } +@@ -1206,10 +1204,10 @@ static void ctcmpc_unpack_skb(struct channel *ch, struct sk_buff *pskb) + CTCM_FUNTAIL, dev->name); + priv->stats.rx_dropped++; + /* mpcginfo only used for non-data transfers */ +- kfree(mpcginfo); + if (do_debug_data) + ctcmpc_dump_skb(pskb, -8); + } ++ kfree(mpcginfo); + } + done: + +@@ -1991,7 +1989,6 @@ static void mpc_action_rcvd_xid0(fsm_instance *fsm, int event, void *arg) + } + break; + } +- kfree(mpcginfo); + + CTCM_PR_DEBUG("ctcmpc:%s() %s xid2:%i xid7:%i xidt_p2:%i \n", + __func__, ch->id, grp->outstanding_xid2, +@@ -2052,7 +2049,6 @@ static void mpc_action_rcvd_xid7(fsm_instance *fsm, int event, void *arg) + mpc_validate_xid(mpcginfo); + break; + } +- kfree(mpcginfo); + return; + } + +-- +2.35.1 + diff --git a/queue-5.10/s390-ctcm-fix-variable-dereferenced-before-check.patch b/queue-5.10/s390-ctcm-fix-variable-dereferenced-before-check.patch new file mode 100644 index 00000000000..e3366d78185 --- /dev/null +++ b/queue-5.10/s390-ctcm-fix-variable-dereferenced-before-check.patch @@ -0,0 +1,44 @@ +From c934ff09b4fe0e8d97c8a158f03937b5341bb5c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 May 2022 09:05:06 +0200 +Subject: s390/ctcm: fix variable dereferenced before check + +From: Alexandra Winter + +[ Upstream commit 2c50c6867c85afee6f2b3bcbc50fc9d0083d1343 ] + +Found by cppcheck and smatch. +smatch complains about +drivers/s390/net/ctcm_sysfs.c:43 ctcm_buffer_write() warn: variable dereferenced before check 'priv' (see line 42) + +Fixes: 3c09e2647b5e ("ctcm: rename READ/WRITE defines to avoid redefinitions") +Reported-by: Colin Ian King +Signed-off-by: Alexandra Winter +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/s390/net/ctcm_sysfs.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/s390/net/ctcm_sysfs.c b/drivers/s390/net/ctcm_sysfs.c +index ded1930a00b2..e3813a7aa5e6 100644 +--- a/drivers/s390/net/ctcm_sysfs.c ++++ b/drivers/s390/net/ctcm_sysfs.c +@@ -39,11 +39,12 @@ static ssize_t ctcm_buffer_write(struct device *dev, + struct ctcm_priv *priv = dev_get_drvdata(dev); + int rc; + +- ndev = priv->channel[CTCM_READ]->netdev; +- if (!(priv && priv->channel[CTCM_READ] && ndev)) { ++ if (!(priv && priv->channel[CTCM_READ] && ++ priv->channel[CTCM_READ]->netdev)) { + CTCM_DBF_TEXT(SETUP, CTC_DBF_ERROR, "bfnondev"); + return -ENODEV; + } ++ ndev = priv->channel[CTCM_READ]->netdev; + + rc = kstrtouint(buf, 0, &bs1); + if (rc) +-- +2.35.1 + diff --git a/queue-5.10/s390-disable-warray-bounds.patch b/queue-5.10/s390-disable-warray-bounds.patch new file mode 100644 index 00000000000..e9ba93214e0 --- /dev/null +++ b/queue-5.10/s390-disable-warray-bounds.patch @@ -0,0 +1,54 @@ +From aaa52ef93c743abace41cfb33073c048975691c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Apr 2022 14:17:42 +0200 +Subject: s390: disable -Warray-bounds + +From: Sven Schnelle + +[ Upstream commit 8b202ee218395319aec1ef44f72043e1fbaccdd6 ] + +gcc-12 shows a lot of array bound warnings on s390. This is caused +by the S390_lowcore macro which uses a hardcoded address of 0. + +Wrapping that with absolute_pointer() works, but gcc no longer knows +that a 12 bit displacement is sufficient to access lowcore. So it +emits instructions like 'lghi %r1,0; l %rx,xxx(%r1)' instead of a +single load/store instruction. As s390 stores variables often +read/written in lowcore, this is considered problematic. Therefore +disable -Warray-bounds on s390 for gcc-12 for the time being, until +there is a better solution. + +Signed-off-by: Sven Schnelle +Link: https://lore.kernel.org/r/yt9dzgkelelc.fsf@linux.ibm.com +Link: https://lore.kernel.org/r/20220422134308.1613610-1-svens@linux.ibm.com +Link: https://lore.kernel.org/r/20220425121742.3222133-1-svens@linux.ibm.com +Signed-off-by: Heiko Carstens +Signed-off-by: Sasha Levin +--- + arch/s390/Makefile | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/arch/s390/Makefile b/arch/s390/Makefile +index 92506918da63..a8cb00f30a7c 100644 +--- a/arch/s390/Makefile ++++ b/arch/s390/Makefile +@@ -32,6 +32,16 @@ KBUILD_CFLAGS_DECOMPRESSOR += -fno-stack-protector + KBUILD_CFLAGS_DECOMPRESSOR += $(call cc-disable-warning, address-of-packed-member) + KBUILD_CFLAGS_DECOMPRESSOR += $(if $(CONFIG_DEBUG_INFO),-g) + KBUILD_CFLAGS_DECOMPRESSOR += $(if $(CONFIG_DEBUG_INFO_DWARF4), $(call cc-option, -gdwarf-4,)) ++ ++ifdef CONFIG_CC_IS_GCC ++ ifeq ($(call cc-ifversion, -ge, 1200, y), y) ++ ifeq ($(call cc-ifversion, -lt, 1300, y), y) ++ KBUILD_CFLAGS += $(call cc-disable-warning, array-bounds) ++ KBUILD_CFLAGS_DECOMPRESSOR += $(call cc-disable-warning, array-bounds) ++ endif ++ endif ++endif ++ + UTS_MACHINE := s390x + STACK_SIZE := $(if $(CONFIG_KASAN),65536,16384) + CHECKFLAGS += -D__s390__ -D__s390x__ +-- +2.35.1 + diff --git a/queue-5.10/s390-lcs-fix-variable-dereferenced-before-check.patch b/queue-5.10/s390-lcs-fix-variable-dereferenced-before-check.patch new file mode 100644 index 00000000000..19f1fb17e3a --- /dev/null +++ b/queue-5.10/s390-lcs-fix-variable-dereferenced-before-check.patch @@ -0,0 +1,42 @@ +From 0d5c08a8e90fbdc7d6798494f3e1036eee02f1ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 May 2022 09:05:08 +0200 +Subject: s390/lcs: fix variable dereferenced before check + +From: Alexandra Winter + +[ Upstream commit 671bb35c8e746439f0ed70815968f9a4f20a8deb ] + +smatch complains about +drivers/s390/net/lcs.c:1741 lcs_get_control() warn: variable dereferenced before check 'card->dev' (see line 1739) + +Fixes: 27eb5ac8f015 ("[PATCH] s390: lcs driver bug fixes and improvements [1/2]") +Signed-off-by: Alexandra Winter +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/s390/net/lcs.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/s390/net/lcs.c b/drivers/s390/net/lcs.c +index 440219bcaa2b..06a322bdced6 100644 +--- a/drivers/s390/net/lcs.c ++++ b/drivers/s390/net/lcs.c +@@ -1735,10 +1735,11 @@ lcs_get_control(struct lcs_card *card, struct lcs_cmd *cmd) + lcs_schedule_recovery(card); + break; + case LCS_CMD_STOPLAN: +- pr_warn("Stoplan for %s initiated by LGW\n", +- card->dev->name); +- if (card->dev) ++ if (card->dev) { ++ pr_warn("Stoplan for %s initiated by LGW\n", ++ card->dev->name); + netif_carrier_off(card->dev); ++ } + break; + default: + LCS_DBF_TEXT(5, trace, "noLGWcmd"); +-- +2.35.1 + diff --git a/queue-5.10/selftests-vm-makefile-rename-targets-to-vmtargets.patch b/queue-5.10/selftests-vm-makefile-rename-targets-to-vmtargets.patch new file mode 100644 index 00000000000..be6c849f643 --- /dev/null +++ b/queue-5.10/selftests-vm-makefile-rename-targets-to-vmtargets.patch @@ -0,0 +1,84 @@ +From 0b47d1a1ce50cd487ddce13d418b67db90437c93 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 May 2022 17:34:29 -0700 +Subject: selftests: vm: Makefile: rename TARGETS to VMTARGETS + +From: Joel Savitz + +[ Upstream commit 41c240099fe09377b6b9f8272e45d2267c843d3e ] + +The tools/testing/selftests/vm/Makefile uses the variable TARGETS +internally to generate a list of platform-specific binary build targets +suffixed with _{32,64}. When building the selftests using its own +Makefile directly, such as via the following command run in a kernel tree: + +One receives an error such as the following: + +make: Entering directory '/root/linux/tools/testing/selftests' +make --no-builtin-rules ARCH=x86 -C ../../.. headers_install +make[1]: Entering directory '/root/linux' + INSTALL ./usr/include +make[1]: Leaving directory '/root/linux' +make[1]: Entering directory '/root/linux/tools/testing/selftests/vm' +make[1]: *** No rule to make target 'vm.c', needed by '/root/linux/tools/testing/selftests/vm/vm_64'. Stop. +make[1]: Leaving directory '/root/linux/tools/testing/selftests/vm' +make: *** [Makefile:175: all] Error 2 +make: Leaving directory '/root/linux/tools/testing/selftests' + +The TARGETS variable passed to tools/testing/selftests/Makefile collides +with the TARGETS used in tools/testing/selftests/vm/Makefile, so rename +the latter to VMTARGETS, eliminating the collision with no functional +change. + +Link: https://lkml.kernel.org/r/20220504213454.1282532-1-jsavitz@redhat.com +Fixes: f21fda8f6453 ("selftests: vm: pkeys: fix multilib builds for x86") +Signed-off-by: Joel Savitz +Acked-by: Nico Pache +Cc: Joel Savitz +Cc: Shuah Khan +Cc: Sandipan Das +Cc: Dave Hansen +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/vm/Makefile | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/tools/testing/selftests/vm/Makefile b/tools/testing/selftests/vm/Makefile +index 01ec6876e8f5..d8479552e222 100644 +--- a/tools/testing/selftests/vm/Makefile ++++ b/tools/testing/selftests/vm/Makefile +@@ -44,9 +44,9 @@ CAN_BUILD_I386 := $(shell ./../x86/check_cc.sh "$(CC)" ../x86/trivial_32bit_prog + CAN_BUILD_X86_64 := $(shell ./../x86/check_cc.sh "$(CC)" ../x86/trivial_64bit_program.c) + CAN_BUILD_WITH_NOPIE := $(shell ./../x86/check_cc.sh "$(CC)" ../x86/trivial_program.c -no-pie) + +-TARGETS := protection_keys +-BINARIES_32 := $(TARGETS:%=%_32) +-BINARIES_64 := $(TARGETS:%=%_64) ++VMTARGETS := protection_keys ++BINARIES_32 := $(VMTARGETS:%=%_32) ++BINARIES_64 := $(VMTARGETS:%=%_64) + + ifeq ($(CAN_BUILD_WITH_NOPIE),1) + CFLAGS += -no-pie +@@ -101,7 +101,7 @@ $(BINARIES_32): CFLAGS += -m32 + $(BINARIES_32): LDLIBS += -lrt -ldl -lm + $(BINARIES_32): $(OUTPUT)/%_32: %.c + $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(notdir $^) $(LDLIBS) -o $@ +-$(foreach t,$(TARGETS),$(eval $(call gen-target-rule-32,$(t)))) ++$(foreach t,$(VMTARGETS),$(eval $(call gen-target-rule-32,$(t)))) + endif + + ifeq ($(CAN_BUILD_X86_64),1) +@@ -109,7 +109,7 @@ $(BINARIES_64): CFLAGS += -m64 + $(BINARIES_64): LDLIBS += -lrt -ldl + $(BINARIES_64): $(OUTPUT)/%_64: %.c + $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(notdir $^) $(LDLIBS) -o $@ +-$(foreach t,$(TARGETS),$(eval $(call gen-target-rule-64,$(t)))) ++$(foreach t,$(VMTARGETS),$(eval $(call gen-target-rule-64,$(t)))) + endif + + # x86_64 users should be encouraged to install 32-bit libraries +-- +2.35.1 + diff --git a/queue-5.10/series b/queue-5.10/series new file mode 100644 index 00000000000..5e805f7da20 --- /dev/null +++ b/queue-5.10/series @@ -0,0 +1,38 @@ +batman-adv-don-t-skb_split-skbuffs-with-frag_list.patch +iwlwifi-iwl-dbg-use-del_timer_sync-before-freeing.patch +hwmon-tmp401-add-of-device-id-table.patch +mac80211-reset-mbssid-parameters-upon-connection.patch +net-fix-features-skip-in-for_each_netdev_feature.patch +net-mscc-ocelot-fix-last-vcap-is1-is2-filter-persist.patch +net-mscc-ocelot-fix-vcap-is2-filters-matching-on-bot.patch +net-mscc-ocelot-restrict-tc-trap-actions-to-vcap-is2.patch +net-mscc-ocelot-avoid-corrupting-hardware-counters-w.patch +ipv4-drop-dst-in-multicast-routing-path.patch +drm-nouveau-fix-a-potential-theorical-leak-in-nouvea.patch +netlink-do-not-reset-transport-header-in-netlink_rec.patch +sfc-use-swap-instead-of-open-coding-it.patch +net-sfc-fix-memory-leak-due-to-ptp-channel.patch +mac80211_hwsim-call-ieee80211_tx_prepare_skb-under-r.patch +nfs-fix-broken-handling-of-the-softreval-mount-optio.patch +ionic-fix-missing-pci_release_regions-on-error-in-io.patch +dim-initialize-all-struct-fields.patch +hwmon-ltq-cputemp-restrict-it-to-soc_xway.patch +selftests-vm-makefile-rename-targets-to-vmtargets.patch +s390-ctcm-fix-variable-dereferenced-before-check.patch +s390-ctcm-fix-potential-memory-leak.patch +s390-lcs-fix-variable-dereferenced-before-check.patch +net-sched-act_pedit-really-ensure-the-skb-is-writabl.patch +net-bcmgenet-check-for-wake-on-lan-interrupt-probe-d.patch +net-dsa-bcm_sf2-fix-wake-on-lan-with-mac_link_down.patch +net-smc-non-blocking-recvmsg-return-eagain-when-no-d.patch +net-sfc-ef10-fix-memory-leak-in-efx_ef10_mtd_probe.patch +tls-fix-context-leak-on-tls_device_down.patch +gfs2-fix-filesystem-block-deallocation-for-short-wri.patch +hwmon-f71882fg-fix-negative-temperature.patch +asoc-max98090-reject-invalid-values-in-custom-contro.patch +asoc-max98090-generate-notifications-on-changes-for-.patch +asoc-ops-validate-input-values-in-snd_soc_put_volsw_.patch +s390-disable-warray-bounds.patch +net-emaclite-don-t-advertise-1000base-t-and-do-auto-.patch +net-sfp-add-tx-fault-workaround-for-huawei-ma5671a-s.patch +tcp-resalt-the-secret-every-10-seconds.patch diff --git a/queue-5.10/sfc-use-swap-instead-of-open-coding-it.patch b/queue-5.10/sfc-use-swap-instead-of-open-coding-it.patch new file mode 100644 index 00000000000..34fd58fe8b1 --- /dev/null +++ b/queue-5.10/sfc-use-swap-instead-of-open-coding-it.patch @@ -0,0 +1,61 @@ +From 04d5d424558476f472a9918ae08d288850f51b49 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Jan 2022 23:22:37 +0800 +Subject: sfc: Use swap() instead of open coding it + +From: Jiapeng Chong + +[ Upstream commit 0cf765fb00ce083c017f2571ac449cf7912cdb06 ] + +Clean the following coccicheck warning: + +./drivers/net/ethernet/sfc/efx_channels.c:870:36-37: WARNING opportunity +for swap(). + +./drivers/net/ethernet/sfc/efx_channels.c:824:36-37: WARNING opportunity +for swap(). + +Reported-by: Abaci Robot +Signed-off-by: Jiapeng Chong +Acked-by: Martin Habets +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/sfc/efx_channels.c | 14 ++++---------- + 1 file changed, 4 insertions(+), 10 deletions(-) + +diff --git a/drivers/net/ethernet/sfc/efx_channels.c b/drivers/net/ethernet/sfc/efx_channels.c +index 0a8799a208cf..fe1ad682e3d5 100644 +--- a/drivers/net/ethernet/sfc/efx_channels.c ++++ b/drivers/net/ethernet/sfc/efx_channels.c +@@ -797,11 +797,8 @@ int efx_realloc_channels(struct efx_nic *efx, u32 rxq_entries, u32 txq_entries) + old_txq_entries = efx->txq_entries; + efx->rxq_entries = rxq_entries; + efx->txq_entries = txq_entries; +- for (i = 0; i < efx->n_channels; i++) { +- channel = efx->channel[i]; +- efx->channel[i] = other_channel[i]; +- other_channel[i] = channel; +- } ++ for (i = 0; i < efx->n_channels; i++) ++ swap(efx->channel[i], other_channel[i]); + + /* Restart buffer table allocation */ + efx->next_buffer_table = next_buffer_table; +@@ -843,11 +840,8 @@ int efx_realloc_channels(struct efx_nic *efx, u32 rxq_entries, u32 txq_entries) + /* Swap back */ + efx->rxq_entries = old_rxq_entries; + efx->txq_entries = old_txq_entries; +- for (i = 0; i < efx->n_channels; i++) { +- channel = efx->channel[i]; +- efx->channel[i] = other_channel[i]; +- other_channel[i] = channel; +- } ++ for (i = 0; i < efx->n_channels; i++) ++ swap(efx->channel[i], other_channel[i]); + goto out; + } + +-- +2.35.1 + diff --git a/queue-5.10/tcp-resalt-the-secret-every-10-seconds.patch b/queue-5.10/tcp-resalt-the-secret-every-10-seconds.patch new file mode 100644 index 00000000000..21881fd0e2d --- /dev/null +++ b/queue-5.10/tcp-resalt-the-secret-every-10-seconds.patch @@ -0,0 +1,70 @@ +From e4c53cfd9274fd5c1adb93d4d39c096ce784ee0d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 May 2022 10:46:10 +0200 +Subject: tcp: resalt the secret every 10 seconds + +From: Eric Dumazet + +[ Upstream commit 4dfa9b438ee34caca4e6a4e5e961641807367f6f ] + +In order to limit the ability for an observer to recognize the source +ports sequence used to contact a set of destinations, we should +periodically shuffle the secret. 10 seconds looks effective enough +without causing particular issues. + +Cc: Moshe Kol +Cc: Yossi Gilad +Cc: Amit Klein +Cc: Jason A. Donenfeld +Tested-by: Willy Tarreau +Signed-off-by: Eric Dumazet +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/secure_seq.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/net/core/secure_seq.c b/net/core/secure_seq.c +index b5bc680d4755..b8a33c841846 100644 +--- a/net/core/secure_seq.c ++++ b/net/core/secure_seq.c +@@ -22,6 +22,8 @@ + static siphash_key_t net_secret __read_mostly; + static siphash_key_t ts_secret __read_mostly; + ++#define EPHEMERAL_PORT_SHUFFLE_PERIOD (10 * HZ) ++ + static __always_inline void net_secret_init(void) + { + net_get_random_once(&net_secret, sizeof(net_secret)); +@@ -100,11 +102,13 @@ u32 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr, + const struct { + struct in6_addr saddr; + struct in6_addr daddr; ++ unsigned int timeseed; + __be16 dport; + } __aligned(SIPHASH_ALIGNMENT) combined = { + .saddr = *(struct in6_addr *)saddr, + .daddr = *(struct in6_addr *)daddr, +- .dport = dport ++ .timeseed = jiffies / EPHEMERAL_PORT_SHUFFLE_PERIOD, ++ .dport = dport, + }; + net_secret_init(); + return siphash(&combined, offsetofend(typeof(combined), dport), +@@ -145,8 +149,10 @@ EXPORT_SYMBOL_GPL(secure_tcp_seq); + u32 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport) + { + net_secret_init(); +- return siphash_3u32((__force u32)saddr, (__force u32)daddr, +- (__force u16)dport, &net_secret); ++ return siphash_4u32((__force u32)saddr, (__force u32)daddr, ++ (__force u16)dport, ++ jiffies / EPHEMERAL_PORT_SHUFFLE_PERIOD, ++ &net_secret); + } + EXPORT_SYMBOL_GPL(secure_ipv4_port_ephemeral); + #endif +-- +2.35.1 + diff --git a/queue-5.10/tls-fix-context-leak-on-tls_device_down.patch b/queue-5.10/tls-fix-context-leak-on-tls_device_down.patch new file mode 100644 index 00000000000..c8807c7e495 --- /dev/null +++ b/queue-5.10/tls-fix-context-leak-on-tls_device_down.patch @@ -0,0 +1,53 @@ +From 60940d5b23ff81862ee82226b1871c77c3d8b52f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 May 2022 12:18:30 +0300 +Subject: tls: Fix context leak on tls_device_down + +From: Maxim Mikityanskiy + +[ Upstream commit 3740651bf7e200109dd42d5b2fb22226b26f960a ] + +The commit cited below claims to fix a use-after-free condition after +tls_device_down. Apparently, the description wasn't fully accurate. The +context stayed alive, but ctx->netdev became NULL, and the offload was +torn down without a proper fallback, so a bug was present, but a +different kind of bug. + +Due to misunderstanding of the issue, the original patch dropped the +refcount_dec_and_test line for the context to avoid the alleged +premature deallocation. That line has to be restored, because it matches +the refcount_inc_not_zero from the same function, otherwise the contexts +that survived tls_device_down are leaked. + +This patch fixes the described issue by restoring refcount_dec_and_test. +After this change, there is no leak anymore, and the fallback to +software kTLS still works. + +Fixes: c55dcdd435aa ("net/tls: Fix use-after-free after the TLS device goes down and up") +Signed-off-by: Maxim Mikityanskiy +Reviewed-by: Tariq Toukan +Link: https://lore.kernel.org/r/20220512091830.678684-1-maximmi@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/tls/tls_device.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/tls/tls_device.c b/net/tls/tls_device.c +index 1f56225a10e3..3c82286e5bcc 100644 +--- a/net/tls/tls_device.c ++++ b/net/tls/tls_device.c +@@ -1345,7 +1345,10 @@ static int tls_device_down(struct net_device *netdev) + + /* Device contexts for RX and TX will be freed in on sk_destruct + * by tls_device_free_ctx. rx_conf and tx_conf stay in TLS_HW. ++ * Now release the ref taken above. + */ ++ if (refcount_dec_and_test(&ctx->refcount)) ++ tls_device_free_ctx(ctx); + } + + up_write(&device_offload_lock); +-- +2.35.1 +