From: Greg Kroah-Hartman
Date: Mon, 20 Sep 2021 09:11:11 +0000 (+0200)
Subject: 5.10-stable patches
X-Git-Tag: v4.4.284~33
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=31358e9bfb8981f2aa7e42e6f1739b9b8b6b7e50;p=thirdparty%2Fkernel%2Fstable-queue.git

5.10-stable patches

added patches:
        bnxt_en-make-bnxt_free_skbs-safe-to-call-after-bnxt_free_mem.patch
        dccp-don-t-duplicate-ccid-when-cloning-dccp-sock.patch
        drm-rockchip-cdn-dp-core-make-cdn_dp_core_resume-__maybe_unused.patch
        dt-bindings-arm-fix-toradex-compatible-typo.patch
        events-reuse-value-read-using-read_once-instead-of-re-reading-it.patch
        gen_compile_commands-fix-missing-sys-package.patch
        ibmvnic-check-failover_pending-in-login-response.patch
        kvm-ppc-book3s-hv-tolerate-treclaim.-in-fake-suspend-mode-changing-registers.patch
        net-af_unix-fix-a-data-race-in-unix_dgram_poll.patch
        net-caif-avoid-user-triggerable-warn_on-1.patch
        net-dsa-destroy-the-phylink-instance-on-any-error-in-dsa_slave_phy_setup.patch
        net-hns3-change-affinity_mask-to-numa-node-range.patch
        net-hns3-disable-mac-in-flr-process.patch
        net-hns3-fix-the-timing-issue-of-vf-clearing-interrupt-sources.patch
        net-hns3-pad-the-short-tunnel-frame-before-sending-to-hardware.patch
        net-ipa-initialize-all-filter-table-slots.patch
        net-l2tp-fix-reference-count-leak-in-l2tp_udp_recv_core.patch
        net-mlx5-fix-potential-sleeping-in-atomic-context.patch
        net-mlx5-fwtrace-cancel-work-on-alloc-pd-error-flow.patch
        nvme-tcp-fix-io_work-priority-inversion.patch
        perf-machine-initialize-srcline-string-member-in-add_location-struct.patch
        ptp-dp83640-don-t-define-page0.patch
        qed-handle-management-fw-error.patch
        r6040-restore-mdio-clock-frequency-after-mac-reset.patch
        revert-ipv4-fix-memory-leaks-in-ip_cmsg_send-callers.patch
        selftest-net-fix-typo-in-altname-test.patch
        tcp-fix-tp-undo_retrans-accounting-in-tcp_sacktag_one.patch
        tipc-increase-timeout-in-tipc_sk_enqueue.patch
        udp_tunnel-fix-udp_tunnel_nic-work-queue-type.patch
        vhost_net-fix-oob-on-sendmsg-failure.patch
x86-uaccess-fix-32-bit-__get_user_asm_u64-when-cc_has_asm_goto_output-y.patch --- diff --git a/queue-5.10/bnxt_en-make-bnxt_free_skbs-safe-to-call-after-bnxt_free_mem.patch b/queue-5.10/bnxt_en-make-bnxt_free_skbs-safe-to-call-after-bnxt_free_mem.patch new file mode 100644 index 00000000000..f23bcf6f7b4 --- /dev/null +++ b/queue-5.10/bnxt_en-make-bnxt_free_skbs-safe-to-call-after-bnxt_free_mem.patch 
@@ -0,0 +1,75 @@ +From 1affc01fdc6035189a5ab2a24948c9419ee0ecf2 Mon Sep 17 00:00:00 2001 +From: Edwin Peer +Date: Sun, 12 Sep 2021 12:34:48 -0400 +Subject: bnxt_en: make bnxt_free_skbs() safe to call after bnxt_free_mem() + +From: Edwin Peer + +commit 1affc01fdc6035189a5ab2a24948c9419ee0ecf2 upstream. + +The call to bnxt_free_mem(..., false) in the bnxt_half_open_nic() error +path will deallocate ring descriptor memory via bnxt_free_?x_rings(), +but because irq_re_init is false, the ring info itself is not freed. + +To simplify error paths, deallocation functions have generally been +written to be safe when called on unallocated memory. It should always +be safe to call dev_close(), which calls bnxt_free_skbs() a second time, +even in this semi- allocated ring state. + +Calling bnxt_free_skbs() a second time with the rings already freed will +cause NULL pointer dereference. Fix it by checking the rings are valid +before proceeding in bnxt_free_tx_skbs() and +bnxt_free_one_rx_ring_skbs(). + +Fixes: 975bc99a4a39 ("bnxt_en: Refactor bnxt_free_rx_skbs().") +Signed-off-by: Edwin Peer +Signed-off-by: Michael Chan +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -2591,6 +2591,9 @@ static void bnxt_free_tx_skbs(struct bnx + struct bnxt_tx_ring_info *txr = &bp->tx_ring[i]; + int j; + ++ if (!txr->tx_buf_ring) ++ continue; ++ + for (j = 0; j < max_idx;) { + struct bnxt_sw_tx_bd *tx_buf = &txr->tx_buf_ring[j]; + struct sk_buff *skb; +@@ -2675,6 +2678,9 @@ static void bnxt_free_one_rx_ring_skbs(s + } + + skip_rx_tpa_free: ++ if (!rxr->rx_buf_ring) ++ goto skip_rx_buf_free; ++ + for (i = 0; i < max_idx; i++) { + struct bnxt_sw_rx_bd *rx_buf = &rxr->rx_buf_ring[i]; + dma_addr_t mapping = rx_buf->mapping; +@@ -2697,6 +2703,11 @@ skip_rx_tpa_free: + kfree(data); + } + } ++ ++skip_rx_buf_free: ++ if (!rxr->rx_agg_ring) ++ goto skip_rx_agg_free; ++ + for (i = 0; i < max_agg_idx; i++) { + struct bnxt_sw_rx_agg_bd *rx_agg_buf = &rxr->rx_agg_ring[i]; + struct page *page = rx_agg_buf->page; +@@ -2713,6 +2724,8 @@ skip_rx_tpa_free: + + __free_page(page); + } ++ ++skip_rx_agg_free: + if (rxr->rx_page) { + __free_page(rxr->rx_page); + rxr->rx_page = NULL; diff --git a/queue-5.10/dccp-don-t-duplicate-ccid-when-cloning-dccp-sock.patch b/queue-5.10/dccp-don-t-duplicate-ccid-when-cloning-dccp-sock.patch new file mode 100644 index 00000000000..fea77eca8f5 --- /dev/null +++ b/queue-5.10/dccp-don-t-duplicate-ccid-when-cloning-dccp-sock.patch 
@@ -0,0 +1,41 @@ +From d9ea761fdd197351890418acd462c51f241014a7 Mon Sep 17 00:00:00 2001 +From: "Lin, Zhenpeng" +Date: Wed, 8 Sep 2021 03:40:59 +0000 +Subject: dccp: don't duplicate ccid when cloning dccp sock + +From: Lin, Zhenpeng + +commit d9ea761fdd197351890418acd462c51f241014a7 upstream. + +Commit 2677d2067731 ("dccp: don't free ccid2_hc_tx_sock ...") fixed +a UAF but reintroduced CVE-2017-6074. + +When the sock is cloned, two dccps_hc_tx_ccid will reference to the +same ccid. So one can free the ccid object twice from two socks after +cloning. + +This issue was found by "Hadar Manor" as well and assigned with +CVE-2020-16119, which was fixed in Ubuntu's kernel. So here I port +the patch from Ubuntu to fix it. + +The patch prevents cloned socks from referencing the same ccid. + +Fixes: 2677d2067731410 ("dccp: don't free ccid2_hc_tx_sock ...") +Signed-off-by: Zhenpeng Lin +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/dccp/minisocks.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/dccp/minisocks.c ++++ b/net/dccp/minisocks.c +@@ -94,6 +94,8 @@ struct sock *dccp_create_openreq_child(c + newdp->dccps_role = DCCP_ROLE_SERVER; + newdp->dccps_hc_rx_ackvec = NULL; + newdp->dccps_service_list = NULL; ++ newdp->dccps_hc_rx_ccid = NULL; ++ newdp->dccps_hc_tx_ccid = NULL; + newdp->dccps_service = dreq->dreq_service; + newdp->dccps_timestamp_echo = dreq->dreq_timestamp_echo; + newdp->dccps_timestamp_time = dreq->dreq_timestamp_time; diff --git a/queue-5.10/drm-rockchip-cdn-dp-core-make-cdn_dp_core_resume-__maybe_unused.patch b/queue-5.10/drm-rockchip-cdn-dp-core-make-cdn_dp_core_resume-__maybe_unused.patch new file mode 100644 index 00000000000..44d99050a02 --- /dev/null +++ b/queue-5.10/drm-rockchip-cdn-dp-core-make-cdn_dp_core_resume-__maybe_unused.patch 
@@ -0,0 +1,45 @@ +From 040b8907ccf1c78d020aca29800036565d761d73 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Tue, 28 Apr 2020 23:31:24 +0200 +Subject: drm/rockchip: cdn-dp-core: Make cdn_dp_core_resume __maybe_unused + +From: Arnd Bergmann + +commit 040b8907ccf1c78d020aca29800036565d761d73 upstream. + +With the new static annotation, the compiler warns when the functions +are actually unused: + + drivers/gpu/drm/rockchip/cdn-dp-core.c:1123:12: error: 'cdn_dp_resume' defined but not used [-Werror=unused-function] + 1123 | static int cdn_dp_resume(struct device *dev) + | ^~~~~~~~~~~~~ + +Mark them __maybe_unused to suppress that warning as well. + +[ Not so 'new' static annotations any more, and I removed the part of + the patch that added __maybe_unused to cdn_dp_suspend(), because it's + used by the shutdown/remove code. + + So only the resume function ends up possibly unused if CONFIG_PM isn't + set - Linus ] + +Fixes: 7c49abb4c2f8 ("drm/rockchip: cdn-dp-core: Make cdn_dp_core_suspend/resume static") +Signed-off-by: Arnd Bergmann +Reviewed-by: Enric Balletbo i Serra +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/rockchip/cdn-dp-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/rockchip/cdn-dp-core.c ++++ b/drivers/gpu/drm/rockchip/cdn-dp-core.c +@@ -1122,7 +1122,7 @@ static int cdn_dp_suspend(struct device + return ret; + } + +-static int cdn_dp_resume(struct device *dev) ++static __maybe_unused int cdn_dp_resume(struct device *dev) + { + struct cdn_dp_device *dp = dev_get_drvdata(dev); + diff --git a/queue-5.10/dt-bindings-arm-fix-toradex-compatible-typo.patch b/queue-5.10/dt-bindings-arm-fix-toradex-compatible-typo.patch new file mode 100644 index 00000000000..03a57bb7fa0 --- /dev/null +++ b/queue-5.10/dt-bindings-arm-fix-toradex-compatible-typo.patch 
@@ -0,0 +1,31 @@ +From 55c21d57eafb7b379bb7b3e93baf9ca2695895b0 Mon Sep 17 00:00:00 2001 +From: David Heidelberg +Date: Sun, 12 Sep 2021 18:51:20 +0200 +Subject: dt-bindings: arm: Fix Toradex compatible typo + +From: David Heidelberg + +commit 55c21d57eafb7b379bb7b3e93baf9ca2695895b0 upstream. + +Fix board compatible typo reported by dtbs_check. + +Fixes: f4d1577e9bc6 ("dt-bindings: arm: Convert Tegra board/soc bindings to json-schema") +Signed-off-by: David Heidelberg +Link: https://lore.kernel.org/r/20210912165120.188490-1-david@ixit.cz +Signed-off-by: Rob Herring +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/devicetree/bindings/arm/tegra.yaml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/Documentation/devicetree/bindings/arm/tegra.yaml ++++ b/Documentation/devicetree/bindings/arm/tegra.yaml +@@ -54,7 +54,7 @@ properties: + - const: toradex,apalis_t30 + - const: nvidia,tegra30 + - items: +- - const: toradex,apalis_t30-eval-v1.1 ++ - const: toradex,apalis_t30-v1.1-eval + - const: toradex,apalis_t30-eval + - const: toradex,apalis_t30-v1.1 + - const: toradex,apalis_t30 diff --git a/queue-5.10/events-reuse-value-read-using-read_once-instead-of-re-reading-it.patch b/queue-5.10/events-reuse-value-read-using-read_once-instead-of-re-reading-it.patch new file mode 100644 index 00000000000..3dbb3853ea7 --- /dev/null +++ b/queue-5.10/events-reuse-value-read-using-read_once-instead-of-re-reading-it.patch 
@@ -0,0 +1,36 @@ +From b89a05b21f46150ac10a962aa50109250b56b03b Mon Sep 17 00:00:00 2001 +From: Baptiste Lepers +Date: Mon, 6 Sep 2021 11:53:10 +1000 +Subject: events: Reuse value read using READ_ONCE instead of re-reading it + +From: Baptiste Lepers + +commit b89a05b21f46150ac10a962aa50109250b56b03b upstream. + +In perf_event_addr_filters_apply, the task associated with +the event (event->ctx->task) is read using READ_ONCE at the beginning +of the function, checked, and then re-read from event->ctx->task, +voiding all guarantees of the checks. Reuse the value that was read by +READ_ONCE to ensure the consistency of the task struct throughout the +function. + +Fixes: 375637bc52495 ("perf/core: Introduce address range filtering") +Signed-off-by: Baptiste Lepers +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/20210906015310.12802-1-baptiste.lepers@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + kernel/events/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -9973,7 +9973,7 @@ static void perf_event_addr_filters_appl + return; + + if (ifh->nr_file_filters) { +- mm = get_task_mm(event->ctx->task); ++ mm = get_task_mm(task); + if (!mm) + goto restart; + diff --git a/queue-5.10/gen_compile_commands-fix-missing-sys-package.patch b/queue-5.10/gen_compile_commands-fix-missing-sys-package.patch new file mode 100644 index 00000000000..4ad7ec686e7 --- /dev/null +++ b/queue-5.10/gen_compile_commands-fix-missing-sys-package.patch 
@@ -0,0 +1,31 @@ +From ec783c7cb2495c5a3b8ca10db8056d43c528f940 Mon Sep 17 00:00:00 2001 +From: Kortan +Date: Wed, 8 Sep 2021 11:28:48 +0800 +Subject: gen_compile_commands: fix missing 'sys' package + +From: Kortan + +commit ec783c7cb2495c5a3b8ca10db8056d43c528f940 upstream. + +We need to import the 'sys' package since the script has called +sys.exit() method. + +Fixes: 6ad7cbc01527 ("Makefile: Add clang-tidy and static analyzer support to makefile") +Signed-off-by: Kortan +Reviewed-by: Nathan Chancellor +Signed-off-by: Masahiro Yamada +Signed-off-by: Greg Kroah-Hartman +--- + scripts/clang-tools/gen_compile_commands.py | 1 + + 1 file changed, 1 insertion(+) + +--- a/scripts/clang-tools/gen_compile_commands.py ++++ b/scripts/clang-tools/gen_compile_commands.py +@@ -13,6 +13,7 @@ import logging + import os + import re + import subprocess ++import sys + + _DEFAULT_OUTPUT = 'compile_commands.json' + _DEFAULT_LOG_LEVEL = 'WARNING' diff --git a/queue-5.10/ibmvnic-check-failover_pending-in-login-response.patch b/queue-5.10/ibmvnic-check-failover_pending-in-login-response.patch new file mode 100644 index 00000000000..54dfd4fd9cb --- /dev/null +++ b/queue-5.10/ibmvnic-check-failover_pending-in-login-response.patch 
@@ -0,0 +1,38 @@ +From 273c29e944bda9a20a30c26cfc34c9a3f363280b Mon Sep 17 00:00:00 2001 +From: Sukadev Bhattiprolu +Date: Wed, 8 Sep 2021 09:58:20 -0700 +Subject: ibmvnic: check failover_pending in login response + +From: Sukadev Bhattiprolu + +commit 273c29e944bda9a20a30c26cfc34c9a3f363280b upstream. + +If a failover occurs before a login response is received, the login +response buffer maybe undefined. Check that there was no failover +before accessing the login response buffer. + +Fixes: 032c5e82847a ("Driver for IBM System i/p VNIC protocol") +Signed-off-by: Sukadev Bhattiprolu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/ibm/ibmvnic.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/net/ethernet/ibm/ibmvnic.c ++++ b/drivers/net/ethernet/ibm/ibmvnic.c +@@ -4478,6 +4478,14 @@ static int handle_login_rsp(union ibmvni + return 0; + } + ++ if (adapter->failover_pending) { ++ adapter->init_done_rc = -EAGAIN; ++ netdev_dbg(netdev, "Failover pending, ignoring login response\n"); ++ complete(&adapter->init_done); ++ /* login response buffer will be released on reset */ ++ return 0; ++ } ++ + netdev->mtu = adapter->req_mtu - ETH_HLEN; + + netdev_dbg(adapter->netdev, "Login Response Buffer:\n"); diff --git a/queue-5.10/kvm-ppc-book3s-hv-tolerate-treclaim.-in-fake-suspend-mode-changing-registers.patch b/queue-5.10/kvm-ppc-book3s-hv-tolerate-treclaim.-in-fake-suspend-mode-changing-registers.patch new file mode 100644 index 00000000000..2b149ef10b7 --- /dev/null +++ b/queue-5.10/kvm-ppc-book3s-hv-tolerate-treclaim.-in-fake-suspend-mode-changing-registers.patch 
@@ -0,0 +1,96 @@ +From 267cdfa21385d78c794768233678756e32b39ead Mon Sep 17 00:00:00 2001 +From: Nicholas Piggin +Date: Wed, 8 Sep 2021 20:17:18 +1000 +Subject: KVM: PPC: Book3S HV: Tolerate treclaim. in fake-suspend mode changing registers + +From: Nicholas Piggin + +commit 267cdfa21385d78c794768233678756e32b39ead upstream. + +POWER9 DD2.2 and 2.3 hardware implements a "fake-suspend" mode where +certain TM instructions executed in HV=0 mode cause softpatch interrupts +so the hypervisor can emulate them and prevent problematic processor +conditions. In this fake-suspend mode, the treclaim. instruction does +not modify registers. + +Unfortunately the rfscv instruction executed by the guest do not +generate softpatch interrupts, which can cause the hypervisor to lose +track of the fake-suspend mode, and it can execute this treclaim. while +not in fake-suspend mode. This modifies GPRs and crashes the hypervisor. + +It's not trivial to disable scv in the guest with HFSCR now, because +they assume a POWER9 has scv available. So this fix saves and restores +checkpointed registers across the treclaim. + +Fixes: 7854f7545bff ("KVM: PPC: Book3S: Rework TM save/restore code and make it C-callable") +Signed-off-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20210908101718.118522-2-npiggin@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/kvm/book3s_hv_rmhandlers.S | 36 ++++++++++++++++++++++++++++++-- + 1 file changed, 34 insertions(+), 2 deletions(-) + +--- a/arch/powerpc/kvm/book3s_hv_rmhandlers.S ++++ b/arch/powerpc/kvm/book3s_hv_rmhandlers.S +@@ -3146,7 +3146,7 @@ END_FTR_SECTION_IFCLR(CPU_FTR_P9_TM_HV_A + /* The following code handles the fake_suspend = 1 case */ + mflr r0 + std r0, PPC_LR_STKOFF(r1) +- stdu r1, -PPC_MIN_STKFRM(r1) ++ stdu r1, -TM_FRAME_SIZE(r1) + + /* Turn on TM. 
*/ + mfmsr r8 +@@ -3161,10 +3161,42 @@ BEGIN_FTR_SECTION + END_FTR_SECTION_IFSET(CPU_FTR_P9_TM_XER_SO_BUG) + nop + ++ /* ++ * It's possible that treclaim. may modify registers, if we have lost ++ * track of fake-suspend state in the guest due to it using rfscv. ++ * Save and restore registers in case this occurs. ++ */ ++ mfspr r3, SPRN_DSCR ++ mfspr r4, SPRN_XER ++ mfspr r5, SPRN_AMR ++ /* SPRN_TAR would need to be saved here if the kernel ever used it */ ++ mfcr r12 ++ SAVE_NVGPRS(r1) ++ SAVE_GPR(2, r1) ++ SAVE_GPR(3, r1) ++ SAVE_GPR(4, r1) ++ SAVE_GPR(5, r1) ++ stw r12, 8(r1) ++ std r1, HSTATE_HOST_R1(r13) ++ + /* We have to treclaim here because that's the only way to do S->N */ + li r3, TM_CAUSE_KVM_RESCHED + TRECLAIM(R3) + ++ GET_PACA(r13) ++ ld r1, HSTATE_HOST_R1(r13) ++ REST_GPR(2, r1) ++ REST_GPR(3, r1) ++ REST_GPR(4, r1) ++ REST_GPR(5, r1) ++ lwz r12, 8(r1) ++ REST_NVGPRS(r1) ++ mtspr SPRN_DSCR, r3 ++ mtspr SPRN_XER, r4 ++ mtspr SPRN_AMR, r5 ++ mtcr r12 ++ HMT_MEDIUM ++ + /* + * We were in fake suspend, so we are not going to save the + * register state as the guest checkpointed state (since +@@ -3192,7 +3224,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_P9_TM_XER_ + std r5, VCPU_TFHAR(r9) + std r6, VCPU_TFIAR(r9) + +- addi r1, r1, PPC_MIN_STKFRM ++ addi r1, r1, TM_FRAME_SIZE + ld r0, PPC_LR_STKOFF(r1) + mtlr r0 + blr diff --git a/queue-5.10/net-af_unix-fix-a-data-race-in-unix_dgram_poll.patch b/queue-5.10/net-af_unix-fix-a-data-race-in-unix_dgram_poll.patch new file mode 100644 index 00000000000..b06798df2d1 --- /dev/null +++ b/queue-5.10/net-af_unix-fix-a-data-race-in-unix_dgram_poll.patch 
@@ -0,0 +1,97 @@ +From 04f08eb44b5011493d77b602fdec29ff0f5c6cd5 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Wed, 8 Sep 2021 17:00:29 -0700 +Subject: net/af_unix: fix a data-race in unix_dgram_poll + +From: Eric Dumazet + +commit 04f08eb44b5011493d77b602fdec29ff0f5c6cd5 upstream. + +syzbot reported another data-race in af_unix [1] + +Lets change __skb_insert() to use WRITE_ONCE() when changing +skb head qlen. + +Also, change unix_dgram_poll() to use lockless version +of unix_recvq_full() + +It is verry possible we can switch all/most unix_recvq_full() +to the lockless version, this will be done in a future kernel version. + +[1] HEAD commit: 8596e589b787732c8346f0482919e83cc9362db1 + +BUG: KCSAN: data-race in skb_queue_tail / unix_dgram_poll + +write to 0xffff88814eeb24e0 of 4 bytes by task 25815 on cpu 0: + __skb_insert include/linux/skbuff.h:1938 [inline] + __skb_queue_before include/linux/skbuff.h:2043 [inline] + __skb_queue_tail include/linux/skbuff.h:2076 [inline] + skb_queue_tail+0x80/0xa0 net/core/skbuff.c:3264 + unix_dgram_sendmsg+0xff2/0x1600 net/unix/af_unix.c:1850 + sock_sendmsg_nosec net/socket.c:703 [inline] + sock_sendmsg net/socket.c:723 [inline] + ____sys_sendmsg+0x360/0x4d0 net/socket.c:2392 + ___sys_sendmsg net/socket.c:2446 [inline] + __sys_sendmmsg+0x315/0x4b0 net/socket.c:2532 + __do_sys_sendmmsg net/socket.c:2561 [inline] + __se_sys_sendmmsg net/socket.c:2558 [inline] + __x64_sys_sendmmsg+0x53/0x60 net/socket.c:2558 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3d/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +read to 0xffff88814eeb24e0 of 4 bytes by task 25834 on cpu 1: + skb_queue_len include/linux/skbuff.h:1869 [inline] + unix_recvq_full net/unix/af_unix.c:194 [inline] + unix_dgram_poll+0x2bc/0x3e0 net/unix/af_unix.c:2777 + sock_poll+0x23e/0x260 net/socket.c:1288 + vfs_poll include/linux/poll.h:90 [inline] + ep_item_poll fs/eventpoll.c:846 [inline] + ep_send_events 
fs/eventpoll.c:1683 [inline] + ep_poll fs/eventpoll.c:1798 [inline] + do_epoll_wait+0x6ad/0xf00 fs/eventpoll.c:2226 + __do_sys_epoll_wait fs/eventpoll.c:2238 [inline] + __se_sys_epoll_wait fs/eventpoll.c:2233 [inline] + __x64_sys_epoll_wait+0xf6/0x120 fs/eventpoll.c:2233 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3d/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +value changed: 0x0000001b -> 0x00000001 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 1 PID: 25834 Comm: syz-executor.1 Tainted: G W 5.14.0-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 + +Fixes: 86b18aaa2b5b ("skbuff: fix a data race in skb_queue_len()") +Cc: Qian Cai +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/skbuff.h | 2 +- + net/unix/af_unix.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/include/linux/skbuff.h ++++ b/include/linux/skbuff.h +@@ -1908,7 +1908,7 @@ static inline void __skb_insert(struct s + WRITE_ONCE(newsk->prev, prev); + WRITE_ONCE(next->prev, newsk); + WRITE_ONCE(prev->next, newsk); +- list->qlen++; ++ WRITE_ONCE(list->qlen, list->qlen + 1); + } + + static inline void __skb_queue_splice(const struct sk_buff_head *list, +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -2769,7 +2769,7 @@ static __poll_t unix_dgram_poll(struct f + + other = unix_peer(sk); + if (other && unix_peer(other) != sk && +- unix_recvq_full(other) && ++ unix_recvq_full_lockless(other) && + unix_dgram_peer_wake_me(sk, other)) + writable = 0; + diff --git a/queue-5.10/net-caif-avoid-user-triggerable-warn_on-1.patch b/queue-5.10/net-caif-avoid-user-triggerable-warn_on-1.patch new file mode 100644 index 00000000000..f2126c095e3 --- /dev/null +++ b/queue-5.10/net-caif-avoid-user-triggerable-warn_on-1.patch 
@@ -0,0 +1,112 @@ +From 550ac9c1aaaaf51fd42e20d461f0b1cdbd55b3d2 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Mon, 13 Sep 2021 11:08:36 -0700 +Subject: net-caif: avoid user-triggerable WARN_ON(1) + +From: Eric Dumazet + +commit 550ac9c1aaaaf51fd42e20d461f0b1cdbd55b3d2 upstream. + +syszbot triggers this warning, which looks something +we can easily prevent. + +If we initialize priv->list_field in chnl_net_init(), +then always use list_del_init(), we can remove robust_list_del() +completely. + +WARNING: CPU: 0 PID: 3233 at net/caif/chnl_net.c:67 robust_list_del net/caif/chnl_net.c:67 [inline] +WARNING: CPU: 0 PID: 3233 at net/caif/chnl_net.c:67 chnl_net_uninit+0xc9/0x2e0 net/caif/chnl_net.c:375 +Modules linked in: +CPU: 0 PID: 3233 Comm: syz-executor.3 Not tainted 5.14.0-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +RIP: 0010:robust_list_del net/caif/chnl_net.c:67 [inline] +RIP: 0010:chnl_net_uninit+0xc9/0x2e0 net/caif/chnl_net.c:375 +Code: 89 eb e8 3a a3 ba f8 48 89 d8 48 c1 e8 03 42 80 3c 28 00 0f 85 bf 01 00 00 48 81 fb 00 14 4e 8d 48 8b 2b 75 d0 e8 17 a3 ba f8 <0f> 0b 5b 5d 41 5c 41 5d e9 0a a3 ba f8 4c 89 e3 e8 02 a3 ba f8 4c +RSP: 0018:ffffc90009067248 EFLAGS: 00010202 +RAX: 0000000000008780 RBX: ffffffff8d4e1400 RCX: ffffc9000fd34000 +RDX: 0000000000040000 RSI: ffffffff88bb6e49 RDI: 0000000000000003 +RBP: ffff88802cd9ee08 R08: 0000000000000000 R09: ffffffff8d0e6647 +R10: ffffffff88bb6dc2 R11: 0000000000000000 R12: ffff88803791ae08 +R13: dffffc0000000000 R14: 00000000e600ffce R15: ffff888073ed3480 +FS: 00007fed10fa0700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000001b2c322000 CR3: 00000000164a6000 CR4: 00000000001506e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + register_netdevice+0xadf/0x1500 net/core/dev.c:10347 + 
ipcaif_newlink+0x4c/0x260 net/caif/chnl_net.c:468 + __rtnl_newlink+0x106d/0x1750 net/core/rtnetlink.c:3458 + rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3506 + rtnetlink_rcv_msg+0x413/0xb80 net/core/rtnetlink.c:5572 + netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2504 + netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline] + netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1340 + netlink_sendmsg+0x86d/0xdb0 net/netlink/af_netlink.c:1929 + sock_sendmsg_nosec net/socket.c:704 [inline] + sock_sendmsg+0xcf/0x120 net/socket.c:724 + __sys_sendto+0x21c/0x320 net/socket.c:2036 + __do_sys_sendto net/socket.c:2048 [inline] + __se_sys_sendto net/socket.c:2044 [inline] + __x64_sys_sendto+0xdd/0x1b0 net/socket.c:2044 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +Fixes: cc36a070b590 ("net-caif: add CAIF netdevice") +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/caif/chnl_net.c | 19 +++---------------- + 1 file changed, 3 insertions(+), 16 deletions(-) + +--- a/net/caif/chnl_net.c ++++ b/net/caif/chnl_net.c +@@ -53,20 +53,6 @@ struct chnl_net { + enum caif_states state; + }; + +-static void robust_list_del(struct list_head *delete_node) +-{ +- struct list_head *list_node; +- struct list_head *n; +- ASSERT_RTNL(); +- list_for_each_safe(list_node, n, &chnl_net_list) { +- if (list_node == delete_node) { +- list_del(list_node); +- return; +- } +- } +- WARN_ON(1); +-} +- + static int chnl_recv_cb(struct cflayer *layr, struct cfpkt *pkt) + { + struct sk_buff *skb; +@@ -369,6 +355,7 @@ static int chnl_net_init(struct net_devi + ASSERT_RTNL(); + priv = netdev_priv(dev); + strncpy(priv->name, dev->name, sizeof(priv->name)); ++ INIT_LIST_HEAD(&priv->list_field); + return 0; + } + +@@ -377,7 +364,7 @@ static void chnl_net_uninit(struct net_d + struct chnl_net *priv; + ASSERT_RTNL(); + priv = netdev_priv(dev); 
+- robust_list_del(&priv->list_field); ++ list_del_init(&priv->list_field); + } + + static const struct net_device_ops netdev_ops = { +@@ -542,7 +529,7 @@ static void __exit chnl_exit_module(void + rtnl_lock(); + list_for_each_safe(list_node, _tmp, &chnl_net_list) { + dev = list_entry(list_node, struct chnl_net, list_field); +- list_del(list_node); ++ list_del_init(list_node); + delete_device(dev); + } + rtnl_unlock(); diff --git a/queue-5.10/net-dsa-destroy-the-phylink-instance-on-any-error-in-dsa_slave_phy_setup.patch b/queue-5.10/net-dsa-destroy-the-phylink-instance-on-any-error-in-dsa_slave_phy_setup.patch new file mode 100644 index 00000000000..caefba48e35 --- /dev/null +++ b/queue-5.10/net-dsa-destroy-the-phylink-instance-on-any-error-in-dsa_slave_phy_setup.patch 
@@ -0,0 +1,57 @@ +From 6a52e73368038f47f6618623d75061dc263b26ae Mon Sep 17 00:00:00 2001 +From: Vladimir Oltean +Date: Tue, 14 Sep 2021 16:43:31 +0300 +Subject: net: dsa: destroy the phylink instance on any error in dsa_slave_phy_setup + +From: Vladimir Oltean + +commit 6a52e73368038f47f6618623d75061dc263b26ae upstream. + +DSA supports connecting to a phy-handle, and has a fallback to a non-OF +based method of connecting to an internal PHY on the switch's own MDIO +bus, if no phy-handle and no fixed-link nodes were present. + +The -ENODEV error code from the first attempt (phylink_of_phy_connect) +is what triggers the second attempt (phylink_connect_phy). + +However, when the first attempt returns a different error code than +-ENODEV, this results in an unbalance of calls to phylink_create and +phylink_destroy by the time we exit the function. The phylink instance +has leaked. + +There are many other error codes that can be returned by +phylink_of_phy_connect. For example, phylink_validate returns -EINVAL. +So this is a practical issue too. + +Fixes: aab9c4067d23 ("net: dsa: Plug in PHYLINK support") +Signed-off-by: Vladimir Oltean +Reviewed-by: Florian Fainelli +Reviewed-by: Russell King (Oracle) +Link: https://lore.kernel.org/r/20210914134331.2303380-1-vladimir.oltean@nxp.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/dsa/slave.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +--- a/net/dsa/slave.c ++++ b/net/dsa/slave.c +@@ -1728,13 +1728,11 @@ static int dsa_slave_phy_setup(struct ne + * use the switch internal MDIO bus instead + */ + ret = dsa_slave_phy_connect(slave_dev, dp->index); +- if (ret) { +- netdev_err(slave_dev, +- "failed to connect to port %d: %d\n", +- dp->index, ret); +- phylink_destroy(dp->pl); +- return ret; +- } ++ } ++ if (ret) { ++ netdev_err(slave_dev, "failed to connect to PHY: %pe\n", ++ ERR_PTR(ret)); ++ phylink_destroy(dp->pl); + } + + return ret; 
diff --git a/queue-5.10/net-hns3-change-affinity_mask-to-numa-node-range.patch b/queue-5.10/net-hns3-change-affinity_mask-to-numa-node-range.patch new file mode 100644 index 00000000000..485d1ec535d --- /dev/null +++ b/queue-5.10/net-hns3-change-affinity_mask-to-numa-node-range.patch 
@@ -0,0 +1,55 @@ +From 1dc839ec09d3ab2a4156dc98328b8bc3586f2b70 Mon Sep 17 00:00:00 2001 +From: Yufeng Mo +Date: Mon, 13 Sep 2021 21:08:22 +0800 +Subject: net: hns3: change affinity_mask to numa node range + +From: Yufeng Mo + +commit 1dc839ec09d3ab2a4156dc98328b8bc3586f2b70 upstream. + +Currently, affinity_mask is set to a single cpu. As a result, +irqbalance becomes invalid in SUBSET or EXACT mode. To solve +this problem, change affinity_mask to numa node range. In this +way, irqbalance can be performed on the cpu of the numa node. + +Fixes: 0812545487ec ("net: hns3: add interrupt affinity support for misc interrupt") +Signed-off-by: Yufeng Mo +Signed-off-by: Guangbin Huang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c +@@ -1463,9 +1463,10 @@ static void hclge_init_kdump_kernel_conf + + static int hclge_configure(struct hclge_dev *hdev) + { ++ const struct cpumask *cpumask = cpu_online_mask; + struct hclge_cfg cfg; + unsigned int i; +- int ret; ++ int node, ret; + + ret = hclge_get_cfg(hdev, &cfg); + if (ret) +@@ -1526,11 +1527,12 @@ static int hclge_configure(struct hclge_ + + hclge_init_kdump_kernel_config(hdev); + +- /* Set the init affinity based on pci func number */ +- i = cpumask_weight(cpumask_of_node(dev_to_node(&hdev->pdev->dev))); +- i = i ? PCI_FUNC(hdev->pdev->devfn) % i : 0; +- cpumask_set_cpu(cpumask_local_spread(i, dev_to_node(&hdev->pdev->dev)), +- &hdev->affinity_mask); ++ /* Set the affinity based on numa node */ ++ node = dev_to_node(&hdev->pdev->dev); ++ if (node != NUMA_NO_NODE) ++ cpumask = cpumask_of_node(node); ++ ++ cpumask_copy(&hdev->affinity_mask, cpumask); + + return ret; + } 
diff --git a/queue-5.10/net-hns3-disable-mac-in-flr-process.patch b/queue-5.10/net-hns3-disable-mac-in-flr-process.patch new file mode 100644 index 00000000000..23dbbadf247 --- /dev/null +++ b/queue-5.10/net-hns3-disable-mac-in-flr-process.patch @@ -0,0 +1,39 @@ +From b81d8948746520f989e86d66292ff72b5056114a Mon Sep 17 00:00:00 2001 +From: Yufeng Mo +Date: Mon, 13 Sep 2021 21:08:23 +0800 +Subject: net: hns3: disable mac in flr process + +From: Yufeng Mo + +commit b81d8948746520f989e86d66292ff72b5056114a upstream. + +The firmware will not disable mac in flr process. Therefore, the driver +needs to proactively disable mac during flr, which is the same as the +function reset. + +Fixes: 35d93a30040c ("net: hns3: adjust the process of PF reset") +Signed-off-by: Yufeng Mo +Signed-off-by: Guangbin Huang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c +@@ -7005,11 +7005,12 @@ static void hclge_ae_stop(struct hnae3_h + hclge_clear_arfs_rules(handle); + spin_unlock_bh(&hdev->fd_rule_lock); + +- /* If it is not PF reset, the firmware will disable the MAC, ++ /* If it is not PF reset or FLR, the firmware will disable the MAC, + * so it only need to stop phy here. + */ + if (test_bit(HCLGE_STATE_RST_HANDLING, &hdev->state) && +- hdev->reset_type != HNAE3_FUNC_RESET) { ++ hdev->reset_type != HNAE3_FUNC_RESET && ++ hdev->reset_type != HNAE3_FLR_RESET) { + hclge_mac_stop_phy(hdev); + hclge_update_link_status(hdev); + return; diff --git a/queue-5.10/net-hns3-fix-the-timing-issue-of-vf-clearing-interrupt-sources.patch b/queue-5.10/net-hns3-fix-the-timing-issue-of-vf-clearing-interrupt-sources.patch new file mode 100644 index 00000000000..d4513236256 --- /dev/null 
+++ b/queue-5.10/net-hns3-fix-the-timing-issue-of-vf-clearing-interrupt-sources.patch 
@@ -0,0 +1,56 @@ +From 427900d27d86b820c559037a984bd403f910860f Mon Sep 17 00:00:00 2001 +From: Jiaran Zhang +Date: Mon, 13 Sep 2021 21:08:25 +0800 +Subject: net: hns3: fix the timing issue of VF clearing interrupt sources + +From: Jiaran Zhang + +commit 427900d27d86b820c559037a984bd403f910860f upstream. + +Currently, the VF does not clear the interrupt source immediately after +receiving the interrupt. As a result, if the second interrupt task is +triggered when processing the first interrupt task, clearing the +interrupt source before exiting will clear the interrupt sources of the +two tasks at the same time. As a result, no interrupt is triggered for +the second task. The VF detects the missed message only when the next +interrupt is generated. + +Clearing it immediately after executing check_evt_cause ensures that: +1. Even if two interrupt tasks are triggered at the same time, they can +be processed. +2. If the second task is triggered during the processing of the first +task and the interrupt source is not cleared, the interrupt is reported +after vector0 is enabled. + +Fixes: b90fcc5bd904 ("net: hns3: add reset handling for VF when doing Core/Global/IMP reset") +Signed-off-by: Jiaran Zhang +Signed-off-by: Guangbin Huang +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c +@@ -2352,6 +2352,8 @@ static irqreturn_t hclgevf_misc_irq_hand + + hclgevf_enable_vector(&hdev->misc_vector, false); + event_cause = hclgevf_check_evt_cause(hdev, &clearval); ++ if (event_cause != HCLGEVF_VECTOR0_EVENT_OTHER) ++ hclgevf_clear_event_cause(hdev, clearval); + + switch (event_cause) { + case HCLGEVF_VECTOR0_EVENT_RST: +@@ -2364,10 +2366,8 @@ static irqreturn_t hclgevf_misc_irq_hand + break; + } + +- if (event_cause != HCLGEVF_VECTOR0_EVENT_OTHER) { +- hclgevf_clear_event_cause(hdev, clearval); ++ if (event_cause != HCLGEVF_VECTOR0_EVENT_OTHER) + hclgevf_enable_vector(&hdev->misc_vector, true); +- } + + return IRQ_HANDLED; + } diff --git a/queue-5.10/net-hns3-pad-the-short-tunnel-frame-before-sending-to-hardware.patch b/queue-5.10/net-hns3-pad-the-short-tunnel-frame-before-sending-to-hardware.patch new file mode 100644 index 00000000000..e3c30b91c4c --- /dev/null +++ b/queue-5.10/net-hns3-pad-the-short-tunnel-frame-before-sending-to-hardware.patch 
@@ -0,0 +1,46 @@ +From d18e81183b1cb9c309266cbbce9acd3e0c528d04 Mon Sep 17 00:00:00 2001 +From: Yufeng Mo +Date: Mon, 13 Sep 2021 21:08:21 +0800 +Subject: net: hns3: pad the short tunnel frame before sending to hardware + +From: Yufeng Mo + +commit d18e81183b1cb9c309266cbbce9acd3e0c528d04 upstream. + +The hardware cannot handle short tunnel frames below 65 bytes, +and will cause vlan tag missing problem. So pads packet size to +65 bytes for tunnel frames to fix this bug. + +Fixes: 3db084d28dc0("net: hns3: Fix for vxlan tx checksum bug") +Signed-off-by: Yufeng Mo +Signed-off-by: Guangbin Huang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c +@@ -60,6 +60,7 @@ MODULE_PARM_DESC(debug, " Network interf + #define HNS3_OUTER_VLAN_TAG 2 + + #define HNS3_MIN_TX_LEN 33U ++#define HNS3_MIN_TUN_PKT_LEN 65U + + /* hns3_pci_tbl - PCI Device ID Table + * +@@ -913,8 +914,11 @@ static int hns3_set_l2l3l4(struct sk_buf + l4.tcp->doff); + break; + case IPPROTO_UDP: +- if (hns3_tunnel_csum_bug(skb)) +- return skb_checksum_help(skb); ++ if (hns3_tunnel_csum_bug(skb)) { ++ int ret = skb_put_padto(skb, HNS3_MIN_TUN_PKT_LEN); ++ ++ return ret ? ret : skb_checksum_help(skb); ++ } + + hns3_set_field(*type_cs_vlan_tso, HNS3_TXD_L4CS_B, 1); + hns3_set_field(*type_cs_vlan_tso, HNS3_TXD_L4T_S, diff --git a/queue-5.10/net-ipa-initialize-all-filter-table-slots.patch b/queue-5.10/net-ipa-initialize-all-filter-table-slots.patch new file mode 100644 index 00000000000..fb86c268731 --- /dev/null +++ b/queue-5.10/net-ipa-initialize-all-filter-table-slots.patch 
@@ -0,0 +1,47 @@ +From b5c102238cea985d8126b173d06b9e1de88037ee Mon Sep 17 00:00:00 2001 +From: Alex Elder +Date: Tue, 7 Sep 2021 12:05:54 -0500 +Subject: net: ipa: initialize all filter table slots + +From: Alex Elder + +commit b5c102238cea985d8126b173d06b9e1de88037ee upstream. + +There is an off-by-one problem in ipa_table_init_add(), when +initializing filter tables. + +In that function, the number of filter table entries is determined +based on the number of set bits in the filter map. However that +count does *not* include the extra "slot" in the filter table that +holds the filter map itself. Meanwhile, ipa_table_addr() *does* +include the filter map in the memory it returns, but because the +count it's provided doesn't include it, it includes one too few +table entries. + +Fix this by including the extra slot for the filter map in the count +computed in ipa_table_init_add(). + +Note: ipa_filter_reset_table() does not have this problem; it resets +filter table entries one by one, but does not overwrite the filter +bitmap. + +Fixes: 2b9feef2b6c2 ("soc: qcom: ipa: filter and routing tables") +Signed-off-by: Alex Elder +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ipa/ipa_table.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/ipa/ipa_table.c ++++ b/drivers/net/ipa/ipa_table.c +@@ -451,7 +451,8 @@ static void ipa_table_init_add(struct gs + * table region determines the number of entries it has. + */ + if (filter) { +- count = hweight32(ipa->filter_map); ++ /* Include one extra "slot" to hold the filter map itself */ ++ count = 1 + hweight32(ipa->filter_map); + hash_count = hash_mem->size ? count : 0; + } else { + count = mem->size / IPA_TABLE_ENTRY_SIZE; diff --git a/queue-5.10/net-l2tp-fix-reference-count-leak-in-l2tp_udp_recv_core.patch b/queue-5.10/net-l2tp-fix-reference-count-leak-in-l2tp_udp_recv_core.patch new file mode 100644 index 00000000000..02cd21cabfe --- /dev/null 
+++ b/queue-5.10/net-l2tp-fix-reference-count-leak-in-l2tp_udp_recv_core.patch @@ -0,0 +1,43 @@ +From 9b6ff7eb666415e1558f1ba8a742f5db6a9954de Mon Sep 17 00:00:00 2001 +From: Xiyu Yang +Date: Thu, 9 Sep 2021 12:32:00 +0800 +Subject: net/l2tp: Fix reference count leak in l2tp_udp_recv_core + +From: Xiyu Yang + +commit 9b6ff7eb666415e1558f1ba8a742f5db6a9954de upstream. + +The reference count leak issue may take place in an error handling +path. If both conditions of tunnel->version == L2TP_HDR_VER_3 and the +return value of l2tp_v3_ensure_opt_in_linear is nonzero, the function +would directly jump to label invalid, without decrementing the reference +count of the l2tp_session object session increased earlier by +l2tp_tunnel_get_session(). This may result in refcount leaks. + +Fix this issue by decrease the reference count before jumping to the +label invalid. + +Fixes: 4522a70db7aa ("l2tp: fix reading optional fields of L2TPv3") +Signed-off-by: Xiyu Yang +Signed-off-by: Xin Xiong +Signed-off-by: Xin Tan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/l2tp/l2tp_core.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/l2tp/l2tp_core.c ++++ b/net/l2tp/l2tp_core.c +@@ -869,8 +869,10 @@ static int l2tp_udp_recv_core(struct l2t + } + + if (tunnel->version == L2TP_HDR_VER_3 && +- l2tp_v3_ensure_opt_in_linear(session, skb, &ptr, &optr)) ++ l2tp_v3_ensure_opt_in_linear(session, skb, &ptr, &optr)) { ++ l2tp_session_dec_refcount(session); + goto invalid; ++ } + + l2tp_recv_common(session, skb, ptr, optr, hdrflags, length); + l2tp_session_dec_refcount(session); diff --git a/queue-5.10/net-mlx5-fix-potential-sleeping-in-atomic-context.patch b/queue-5.10/net-mlx5-fix-potential-sleeping-in-atomic-context.patch new file mode 100644 index 00000000000..ca3603143f9 --- /dev/null +++ b/queue-5.10/net-mlx5-fix-potential-sleeping-in-atomic-context.patch 
@@ -0,0 +1,45 @@ +From ee27e330a953595903979ffdb84926843595a9fe Mon Sep 17 00:00:00 2001 +From: Maor Gottlieb +Date: Wed, 1 Sep 2021 11:48:13 +0300 +Subject: net/mlx5: Fix potential sleeping in atomic context + +From: Maor Gottlieb + +commit ee27e330a953595903979ffdb84926843595a9fe upstream. + +Fixes the below flow of sleeping in atomic context by releasing +the RCU lock before calling to free_match_list. + +build_match_list() <- disables preempt +-> free_match_list() + -> tree_put_node() + -> down_write_ref_node() <- take write lock + +Fixes: 693c6883bbc4 ("net/mlx5: Add hash table for flow groups in flow table") +Reported-by: Dan Carpenter +Signed-off-by: Maor Gottlieb +Signed-off-by: Saeed Mahameed +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c +@@ -1675,14 +1675,13 @@ static int build_match_list(struct match + + curr_match = kmalloc(sizeof(*curr_match), GFP_ATOMIC); + if (!curr_match) { ++ rcu_read_unlock(); + free_match_list(match_head, ft_locked); +- err = -ENOMEM; +- goto out; ++ return -ENOMEM; + } + curr_match->g = g; + list_add_tail(&curr_match->list, &match_head->list); + } +-out: + rcu_read_unlock(); + return err; + } diff --git a/queue-5.10/net-mlx5-fwtrace-cancel-work-on-alloc-pd-error-flow.patch b/queue-5.10/net-mlx5-fwtrace-cancel-work-on-alloc-pd-error-flow.patch new file mode 100644 index 00000000000..c48e2d538f7 --- /dev/null +++ b/queue-5.10/net-mlx5-fwtrace-cancel-work-on-alloc-pd-error-flow.patch 
@@ -0,0 +1,41 @@ +From dfe6fd72b5f1878b16aa2c8603e031bbcd66b96d Mon Sep 17 00:00:00 2001 +From: Saeed Mahameed +Date: Wed, 18 Aug 2021 13:09:26 -0700 +Subject: net/mlx5: FWTrace, cancel work on alloc pd error flow + +From: Saeed Mahameed + +commit dfe6fd72b5f1878b16aa2c8603e031bbcd66b96d upstream. + +Handle error flow on mlx5_core_alloc_pd() failure, +read_fw_strings_work must be canceled. + +Fixes: c71ad41ccb0c ("net/mlx5: FW tracer, events handling") +Reported-by: Pavel Machek (CIP) +Suggested-by: Pavel Machek (CIP) +Signed-off-by: Saeed Mahameed +Reviewed-by: Aya Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c +@@ -1007,7 +1007,7 @@ int mlx5_fw_tracer_init(struct mlx5_fw_t + err = mlx5_core_alloc_pd(dev, &tracer->buff.pdn); + if (err) { + mlx5_core_warn(dev, "FWTracer: Failed to allocate PD %d\n", err); +- return err; ++ goto err_cancel_work; + } + + err = mlx5_fw_tracer_create_mkey(tracer); +@@ -1031,6 +1031,7 @@ err_notifier_unregister: + mlx5_core_destroy_mkey(dev, &tracer->buff.mkey); + err_dealloc_pd: + mlx5_core_dealloc_pd(dev, tracer->buff.pdn); ++err_cancel_work: + cancel_work_sync(&tracer->read_fw_strings_work); + return err; + } diff --git a/queue-5.10/nvme-tcp-fix-io_work-priority-inversion.patch b/queue-5.10/nvme-tcp-fix-io_work-priority-inversion.patch new file mode 100644 index 00000000000..26f17f6fbae --- /dev/null +++ b/queue-5.10/nvme-tcp-fix-io_work-priority-inversion.patch 
@@ -0,0 +1,81 @@ +From 70f437fb4395ad4d1d16fab9a1ad9fbc9fc0579b Mon Sep 17 00:00:00 2001 +From: Keith Busch +Date: Thu, 9 Sep 2021 08:54:52 -0700 +Subject: nvme-tcp: fix io_work priority inversion + +From: Keith Busch + +commit 70f437fb4395ad4d1d16fab9a1ad9fbc9fc0579b upstream. + +Dispatching requests inline with the .queue_rq() call may block while +holding the send_mutex. If the tcp io_work also happens to schedule, it +may see the req_list is non-empty, leaving "pending" true and remaining +in TASK_RUNNING. Since io_work is of higher scheduling priority, the +.queue_rq task may not get a chance to run, blocking forward progress +and leading to io timeouts. + +Instead of checking for pending requests within io_work, let the queueing +restart io_work outside the send_mutex lock if there is more work to be +done. + +Fixes: a0fdd1418007f ("nvme-tcp: rerun io_work if req_list is not empty") +Reported-by: Samuel Jones +Signed-off-by: Keith Busch +Reviewed-by: Sagi Grimberg +Signed-off-by: Christoph Hellwig +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/host/tcp.c | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +--- a/drivers/nvme/host/tcp.c ++++ b/drivers/nvme/host/tcp.c +@@ -273,6 +273,12 @@ static inline void nvme_tcp_send_all(str + } while (ret > 0); + } + ++static inline bool nvme_tcp_queue_more(struct nvme_tcp_queue *queue) ++{ ++ return !list_empty(&queue->send_list) || ++ !llist_empty(&queue->req_list) || queue->more_requests; ++} ++ + static inline void nvme_tcp_queue_request(struct nvme_tcp_request *req, + bool sync, bool last) + { +@@ -293,9 +299,10 @@ static inline void nvme_tcp_queue_reques + nvme_tcp_send_all(queue); + queue->more_requests = false; + mutex_unlock(&queue->send_mutex); +- } else if (last) { +- queue_work_on(queue->io_cpu, nvme_tcp_wq, &queue->io_work); + } ++ ++ if (last && nvme_tcp_queue_more(queue)) ++ queue_work_on(queue->io_cpu, nvme_tcp_wq, &queue->io_work); + } + + static void 
nvme_tcp_process_req_list(struct nvme_tcp_queue *queue) +@@ -890,12 +897,6 @@ done: + read_unlock_bh(&sk->sk_callback_lock); + } + +-static inline bool nvme_tcp_queue_more(struct nvme_tcp_queue *queue) +-{ +- return !list_empty(&queue->send_list) || +- !llist_empty(&queue->req_list) || queue->more_requests; +-} +- + static inline void nvme_tcp_done_send_req(struct nvme_tcp_queue *queue) + { + queue->request = NULL; +@@ -1132,8 +1133,7 @@ static void nvme_tcp_io_work(struct work + pending = true; + else if (unlikely(result < 0)) + break; +- } else +- pending = !llist_empty(&queue->req_list); ++ } + + result = nvme_tcp_try_recv(queue); + if (result > 0) diff --git a/queue-5.10/perf-machine-initialize-srcline-string-member-in-add_location-struct.patch b/queue-5.10/perf-machine-initialize-srcline-string-member-in-add_location-struct.patch new file mode 100644 index 00000000000..e58265fbfa6 --- /dev/null +++ b/queue-5.10/perf-machine-initialize-srcline-string-member-in-add_location-struct.patch 
@@ -0,0 +1,132 @@ +From 57f0ff059e3daa4e70a811cb1d31a49968262d20 Mon Sep 17 00:00:00 2001 +From: Michael Petlan +Date: Mon, 19 Jul 2021 16:53:32 +0200 +Subject: perf machine: Initialize srcline string member in add_location struct + +From: Michael Petlan + +commit 57f0ff059e3daa4e70a811cb1d31a49968262d20 upstream. + +It's later supposed to be either a correct address or NULL. Without the +initialization, it may contain an undefined value which results in the +following segmentation fault: + + # perf top --sort comm -g --ignore-callees=do_idle + +terminates with: + + #0 0x00007ffff56b7685 in __strlen_avx2 () from /lib64/libc.so.6 + #1 0x00007ffff55e3802 in strdup () from /lib64/libc.so.6 + #2 0x00005555558cb139 in hist_entry__init (callchain_size=, sample_self=true, template=0x7fffde7fb110, he=0x7fffd801c250) at util/hist.c:489 + #3 hist_entry__new (template=template@entry=0x7fffde7fb110, sample_self=sample_self@entry=true) at util/hist.c:564 + #4 0x00005555558cb4ba in hists__findnew_entry (hists=hists@entry=0x5555561d9e38, entry=entry@entry=0x7fffde7fb110, al=al@entry=0x7fffde7fb420, + sample_self=sample_self@entry=true) at util/hist.c:657 + #5 0x00005555558cba1b in __hists__add_entry (hists=hists@entry=0x5555561d9e38, al=0x7fffde7fb420, sym_parent=, bi=bi@entry=0x0, mi=mi@entry=0x0, + sample=sample@entry=0x7fffde7fb4b0, sample_self=true, ops=0x0, block_info=0x0) at util/hist.c:288 + #6 0x00005555558cbb70 in hists__add_entry (sample_self=true, sample=0x7fffde7fb4b0, mi=0x0, bi=0x0, sym_parent=, al=, hists=0x5555561d9e38) + at util/hist.c:1056 + #7 iter_add_single_cumulative_entry (iter=0x7fffde7fb460, al=) at util/hist.c:1056 + #8 0x00005555558cc8a4 in hist_entry_iter__add (iter=iter@entry=0x7fffde7fb460, al=al@entry=0x7fffde7fb420, max_stack_depth=, arg=arg@entry=0x7fffffff7db0) + at util/hist.c:1231 + #9 0x00005555557cdc9a in perf_event__process_sample (machine=, sample=0x7fffde7fb4b0, evsel=, event=, tool=0x7fffffff7db0) + at builtin-top.c:842 + #10 
deliver_event (qe=, qevent=) at builtin-top.c:1202 + #11 0x00005555558a9318 in do_flush (show_progress=false, oe=0x7fffffff80e0) at util/ordered-events.c:244 + #12 __ordered_events__flush (oe=oe@entry=0x7fffffff80e0, how=how@entry=OE_FLUSH__TOP, timestamp=timestamp@entry=0) at util/ordered-events.c:323 + #13 0x00005555558a9789 in __ordered_events__flush (timestamp=, how=, oe=) at util/ordered-events.c:339 + #14 ordered_events__flush (how=OE_FLUSH__TOP, oe=0x7fffffff80e0) at util/ordered-events.c:341 + #15 ordered_events__flush (oe=oe@entry=0x7fffffff80e0, how=how@entry=OE_FLUSH__TOP) at util/ordered-events.c:339 + #16 0x00005555557cd631 in process_thread (arg=0x7fffffff7db0) at builtin-top.c:1114 + #17 0x00007ffff7bb817a in start_thread () from /lib64/libpthread.so.0 + #18 0x00007ffff5656dc3 in clone () from /lib64/libc.so.6 + +If you look at the frame #2, the code is: + +488 if (he->srcline) { +489 he->srcline = strdup(he->srcline); +490 if (he->srcline == NULL) +491 goto err_rawdata; +492 } + +If he->srcline is not NULL (it is not NULL if it is uninitialized rubbish), +it gets strdupped and strdupping a rubbish random string causes the problem. + +Also, if you look at the commit 1fb7d06a509e, it adds the srcline property +into the struct, but not initializing it everywhere needed. + +Committer notes: + +Now I see, when using --ignore-callees=do_idle we end up here at line +2189 in add_callchain_ip(): + +2181 if (al.sym != NULL) { +2182 if (perf_hpp_list.parent && !*parent && +2183 symbol__match_regex(al.sym, &parent_regex)) +2184 *parent = al.sym; +2185 else if (have_ignore_callees && root_al && +2186 symbol__match_regex(al.sym, &ignore_callees_regex)) { +2187 /* Treat this symbol as the root, +2188 forgetting its callees. 
*/ +2189 *root_al = al; +2190 callchain_cursor_reset(cursor); +2191 } +2192 } + +And the al that doesn't have the ->srcline field initialized will be +copied to the root_al, so then, back to: + +1211 int hist_entry_iter__add(struct hist_entry_iter *iter, struct addr_location *al, +1212 int max_stack_depth, void *arg) +1213 { +1214 int err, err2; +1215 struct map *alm = NULL; +1216 +1217 if (al) +1218 alm = map__get(al->map); +1219 +1220 err = sample__resolve_callchain(iter->sample, &callchain_cursor, &iter->parent, +1221 iter->evsel, al, max_stack_depth); +1222 if (err) { +1223 map__put(alm); +1224 return err; +1225 } +1226 +1227 err = iter->ops->prepare_entry(iter, al); +1228 if (err) +1229 goto out; +1230 +1231 err = iter->ops->add_single_entry(iter, al); +1232 if (err) +1233 goto out; +1234 + +That al at line 1221 is what hist_entry_iter__add() (called from +sample__resolve_callchain()) saw as 'root_al', and then: + + iter->ops->add_single_entry(iter, al); + +will go on with al->srcline with a bogus value, I'll add the above +sequence to the cset and apply, thanks! + +Signed-off-by: Michael Petlan +CC: Milian Wolff +Cc: Jiri Olsa +Fixes: 1fb7d06a509e ("perf report Use srcline from callchain for hist entries") +Link: https //lore.kernel.org/r/20210719145332.29747-1-mpetlan@redhat.com +Reported-by: Juri Lelli +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/util/machine.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/tools/perf/util/machine.c ++++ b/tools/perf/util/machine.c +@@ -2100,6 +2100,7 @@ static int add_callchain_ip(struct threa + + al.filtered = 0; + al.sym = NULL; ++ al.srcline = NULL; + if (!cpumode) { + thread__find_cpumode_addr_location(thread, ip, &al); + } else { diff --git a/queue-5.10/ptp-dp83640-don-t-define-page0.patch b/queue-5.10/ptp-dp83640-don-t-define-page0.patch new file mode 100644 index 00000000000..6f7797f82b4 --- /dev/null +++ b/queue-5.10/ptp-dp83640-don-t-define-page0.patch 
@@ -0,0 +1,46 @@ +From 7366c23ff492ad260776a3ee1aaabba9fc773a8b Mon Sep 17 00:00:00 2001 +From: Randy Dunlap +Date: Mon, 13 Sep 2021 15:06:05 -0700 +Subject: ptp: dp83640: don't define PAGE0 + +From: Randy Dunlap + +commit 7366c23ff492ad260776a3ee1aaabba9fc773a8b upstream. + +Building dp83640.c on arch/parisc/ produces a build warning for +PAGE0 being redefined. Since the macro is not used in the dp83640 +driver, just make it a comment for documentation purposes. + +In file included from ../drivers/net/phy/dp83640.c:23: +../drivers/net/phy/dp83640_reg.h:8: warning: "PAGE0" redefined + 8 | #define PAGE0 0x0000 + from ../drivers/net/phy/dp83640.c:11: +../arch/parisc/include/asm/page.h:187: note: this is the location of the previous definition + 187 | #define PAGE0 ((struct zeropage *)__PAGE_OFFSET) + +Fixes: cb646e2b02b2 ("ptp: Added a clock driver for the National Semiconductor PHYTER.") +Signed-off-by: Randy Dunlap +Reported-by: Geert Uytterhoeven +Cc: Richard Cochran +Cc: John Stultz +Cc: Heiner Kallweit +Cc: Russell King +Reviewed-by: Andrew Lunn +Link: https://lore.kernel.org/r/20210913220605.19682-1-rdunlap@infradead.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/dp83640_reg.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/phy/dp83640_reg.h ++++ b/drivers/net/phy/dp83640_reg.h +@@ -5,7 +5,7 @@ + #ifndef HAVE_DP83640_REGISTERS + #define HAVE_DP83640_REGISTERS + +-#define PAGE0 0x0000 ++/* #define PAGE0 0x0000 */ + #define PHYCR2 0x001c /* PHY Control Register 2 */ + + #define PAGE4 0x0004 diff --git a/queue-5.10/qed-handle-management-fw-error.patch b/queue-5.10/qed-handle-management-fw-error.patch new file mode 100644 index 00000000000..383bbc02b57 --- /dev/null +++ b/queue-5.10/qed-handle-management-fw-error.patch 
@@ -0,0 +1,46 @@ +From 20e100f52730cd0db609e559799c1712b5f27582 Mon Sep 17 00:00:00 2001 +From: Shai Malin +Date: Fri, 10 Sep 2021 11:33:56 +0300 +Subject: qed: Handle management FW error + +From: Shai Malin + +commit 20e100f52730cd0db609e559799c1712b5f27582 upstream. + +Handle MFW (management FW) error response in order to avoid a crash +during recovery flows. + +Changes from v1: +- Add "Fixes tag". + +Fixes: tag 5e7ba042fd05 ("qed: Fix reading stale configuration information") +Signed-off-by: Ariel Elior +Signed-off-by: Shai Malin +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/qlogic/qed/qed_mcp.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/qlogic/qed/qed_mcp.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_mcp.c +@@ -3376,6 +3376,7 @@ qed_mcp_get_nvm_image_att(struct qed_hwf + struct qed_nvm_image_att *p_image_att) + { + enum nvm_image_type type; ++ int rc; + u32 i; + + /* Translate image_id into MFW definitions */ +@@ -3404,7 +3405,10 @@ qed_mcp_get_nvm_image_att(struct qed_hwf + return -EINVAL; + } + +- qed_mcp_nvm_info_populate(p_hwfn); ++ rc = qed_mcp_nvm_info_populate(p_hwfn); ++ if (rc) ++ return rc; ++ + for (i = 0; i < p_hwfn->nvm_info.num_images; i++) + if (type == p_hwfn->nvm_info.image_att[i].image_type) + break; diff --git a/queue-5.10/r6040-restore-mdio-clock-frequency-after-mac-reset.patch b/queue-5.10/r6040-restore-mdio-clock-frequency-after-mac-reset.patch new file mode 100644 index 00000000000..c8f5d3b52a8 --- /dev/null +++ b/queue-5.10/r6040-restore-mdio-clock-frequency-after-mac-reset.patch 
@@ -0,0 +1,73 @@ +From e3f0cc1a945fcefec0c7c9d9dfd028a51daa1846 Mon Sep 17 00:00:00 2001 +From: Florian Fainelli +Date: Thu, 9 Sep 2021 10:33:28 -0700 +Subject: r6040: Restore MDIO clock frequency after MAC reset + +From: Florian Fainelli + +commit e3f0cc1a945fcefec0c7c9d9dfd028a51daa1846 upstream. + +A number of users have reported that they were not able to get the PHY +to successfully link up, especially after commit c36757eb9dee ("net: +phy: consider AN_RESTART status when reading link status") where we +stopped reading just BMSR, but we also read BMCR to determine the link +status. + +Andrius at NetBSD did a wonderful job at debugging the problem +and found out that the MDIO bus clock frequency would be incorrectly set +back to its default value which would prevent the MDIO bus controller +from reading PHY registers properly. Back when we only read BMSR, if we +read all 1s, we could falsely indicate a link status, though in general +there is a cable plugged in, so this went unnoticed. After a second read +of BMCR was added, a wrong read will lead to the inability to determine +a link UP condition which is when it started to be visibly broken, even +if it was long before that. + +The fix consists in restoring the value of the MD_CSR register that was +set prior to the MAC reset. + +Link: http://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=53494 +Fixes: 90f750a81a29 ("r6040: consolidate MAC reset to its own function") +Reported-by: Andrius V +Reported-by: Darek Strugacz +Tested-by: Darek Strugacz +Signed-off-by: Florian Fainelli +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/rdc/r6040.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/rdc/r6040.c ++++ b/drivers/net/ethernet/rdc/r6040.c +@@ -119,6 +119,8 @@ + #define PHY_ST 0x8A /* PHY status register */ + #define MAC_SM 0xAC /* MAC status machine */ + #define MAC_SM_RST 0x0002 /* MAC status machine reset */ ++#define MD_CSC 0xb6 /* MDC speed control register */ ++#define MD_CSC_DEFAULT 0x0030 + #define MAC_ID 0xBE /* Identifier register */ + + #define TX_DCNT 0x80 /* TX descriptor count */ +@@ -355,8 +357,9 @@ static void r6040_reset_mac(struct r6040 + { + void __iomem *ioaddr = lp->base; + int limit = MAC_DEF_TIMEOUT; +- u16 cmd; ++ u16 cmd, md_csc; + ++ md_csc = ioread16(ioaddr + MD_CSC); + iowrite16(MAC_RST, ioaddr + MCR1); + while (limit--) { + cmd = ioread16(ioaddr + MCR1); +@@ -368,6 +371,10 @@ static void r6040_reset_mac(struct r6040 + iowrite16(MAC_SM_RST, ioaddr + MAC_SM); + iowrite16(0, ioaddr + MAC_SM); + mdelay(5); ++ ++ /* Restore MDIO clock frequency */ ++ if (md_csc != MD_CSC_DEFAULT) ++ iowrite16(md_csc, ioaddr + MD_CSC); + } + + static void r6040_init_mac_regs(struct net_device *dev) diff --git a/queue-5.10/revert-ipv4-fix-memory-leaks-in-ip_cmsg_send-callers.patch b/queue-5.10/revert-ipv4-fix-memory-leaks-in-ip_cmsg_send-callers.patch new file mode 100644 index 00000000000..1e88c0be8ff --- /dev/null +++ b/queue-5.10/revert-ipv4-fix-memory-leaks-in-ip_cmsg_send-callers.patch 
@@ -0,0 +1,81 @@ +From d7807a9adf4856171f8441f13078c33941df48ab Mon Sep 17 00:00:00 2001 +From: Yajun Deng +Date: Mon, 13 Sep 2021 12:04:42 +0800 +Subject: Revert "ipv4: fix memory leaks in ip_cmsg_send() callers" + +From: Yajun Deng + +commit d7807a9adf4856171f8441f13078c33941df48ab upstream. + +This reverts commit 919483096bfe75dda338e98d56da91a263746a0a. + +There is only when ip_options_get() return zero need to free. +It already called kfree() when return error. + +Fixes: 919483096bfe ("ipv4: fix memory leaks in ip_cmsg_send() callers") +Signed-off-by: Yajun Deng +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/ip_sockglue.c | 2 +- + net/ipv4/ping.c | 5 ++--- + net/ipv4/raw.c | 5 ++--- + net/ipv4/udp.c | 5 ++--- + 4 files changed, 7 insertions(+), 10 deletions(-) + +--- a/net/ipv4/ip_sockglue.c ++++ b/net/ipv4/ip_sockglue.c +@@ -279,7 +279,7 @@ int ip_cmsg_send(struct sock *sk, struct + case IP_RETOPTS: + err = cmsg->cmsg_len - sizeof(struct cmsghdr); + +- /* Our caller is responsible for freeing ipc->opt */ ++ /* Our caller is responsible for freeing ipc->opt when err = 0 */ + err = ip_options_get(net, &ipc->opt, + KERNEL_SOCKPTR(CMSG_DATA(cmsg)), + err < 40 ? 
err : 40); +--- a/net/ipv4/ping.c ++++ b/net/ipv4/ping.c +@@ -725,10 +725,9 @@ static int ping_v4_sendmsg(struct sock * + + if (msg->msg_controllen) { + err = ip_cmsg_send(sk, msg, &ipc, false); +- if (unlikely(err)) { +- kfree(ipc.opt); ++ if (unlikely(err)) + return err; +- } ++ + if (ipc.opt) + free = 1; + } +--- a/net/ipv4/raw.c ++++ b/net/ipv4/raw.c +@@ -562,10 +562,9 @@ static int raw_sendmsg(struct sock *sk, + + if (msg->msg_controllen) { + err = ip_cmsg_send(sk, msg, &ipc, false); +- if (unlikely(err)) { +- kfree(ipc.opt); ++ if (unlikely(err)) + goto out; +- } ++ + if (ipc.opt) + free = 1; + } +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -1104,10 +1104,9 @@ int udp_sendmsg(struct sock *sk, struct + if (err > 0) + err = ip_cmsg_send(sk, msg, &ipc, + sk->sk_family == AF_INET6); +- if (unlikely(err < 0)) { +- kfree(ipc.opt); ++ if (unlikely(err < 0)) + return err; +- } ++ + if (ipc.opt) + free = 1; + connected = 0; diff --git a/queue-5.10/selftest-net-fix-typo-in-altname-test.patch b/queue-5.10/selftest-net-fix-typo-in-altname-test.patch new file mode 100644 index 00000000000..bcfc165394f --- /dev/null +++ b/queue-5.10/selftest-net-fix-typo-in-altname-test.patch 
@@ -0,0 +1,34 @@ +From 1b704b27beb11ce147d64b21c914e57afbfb5656 Mon Sep 17 00:00:00 2001 +From: Andrea Claudi +Date: Sat, 11 Sep 2021 16:14:18 +0200 +Subject: selftest: net: fix typo in altname test + +From: Andrea Claudi + +commit 1b704b27beb11ce147d64b21c914e57afbfb5656 upstream. + +If altname deletion of the short alternative name fails, the error +message printed is: "Failed to add short alternative name". +This is obviously a typo, as we are testing altname deletion. + +Fix this using a proper error message. + +Fixes: f95e6c9c4617 ("selftest: net: add alternative names test") +Signed-off-by: Andrea Claudi +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/altnames.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/testing/selftests/net/altnames.sh ++++ b/tools/testing/selftests/net/altnames.sh +@@ -45,7 +45,7 @@ altnames_test() + check_err $? "Got unexpected long alternative name from link show JSON" + + ip link property del $DUMMY_DEV altname $SHORT_NAME +- check_err $? "Failed to add short alternative name" ++ check_err $? "Failed to delete short alternative name" + + ip -j -p link show $SHORT_NAME &>/dev/null + check_fail $? "Unexpected success while trying to do link show with deleted short alternative name" diff --git a/queue-5.10/series b/queue-5.10/series index 468bc3668b9..c39d304febd 100644 --- a/queue-5.10/series +++ b/queue-5.10/series 
@@ -21,3 +21,34 @@ x86-mm-fix-kern_addr_valid-to-cope-with-existing-but-not-present-entries.patch tipc-fix-an-use-after-free-issue-in-tipc_recvmsg.patch ethtool-fix-rxnfc-copy-to-user-buffer-overflow.patch net-mlx5-nfp-bnxt-remove-unnecessary-rtnl-lock-assert.patch +net-caif-avoid-user-triggerable-warn_on-1.patch +ptp-dp83640-don-t-define-page0.patch +dccp-don-t-duplicate-ccid-when-cloning-dccp-sock.patch +net-l2tp-fix-reference-count-leak-in-l2tp_udp_recv_core.patch +r6040-restore-mdio-clock-frequency-after-mac-reset.patch +tipc-increase-timeout-in-tipc_sk_enqueue.patch +drm-rockchip-cdn-dp-core-make-cdn_dp_core_resume-__maybe_unused.patch +perf-machine-initialize-srcline-string-member-in-add_location-struct.patch +net-mlx5-fwtrace-cancel-work-on-alloc-pd-error-flow.patch +net-mlx5-fix-potential-sleeping-in-atomic-context.patch +nvme-tcp-fix-io_work-priority-inversion.patch +events-reuse-value-read-using-read_once-instead-of-re-reading-it.patch +net-ipa-initialize-all-filter-table-slots.patch +gen_compile_commands-fix-missing-sys-package.patch +vhost_net-fix-oob-on-sendmsg-failure.patch +net-af_unix-fix-a-data-race-in-unix_dgram_poll.patch +net-dsa-destroy-the-phylink-instance-on-any-error-in-dsa_slave_phy_setup.patch +revert-ipv4-fix-memory-leaks-in-ip_cmsg_send-callers.patch +x86-uaccess-fix-32-bit-__get_user_asm_u64-when-cc_has_asm_goto_output-y.patch +tcp-fix-tp-undo_retrans-accounting-in-tcp_sacktag_one.patch +selftest-net-fix-typo-in-altname-test.patch +qed-handle-management-fw-error.patch +udp_tunnel-fix-udp_tunnel_nic-work-queue-type.patch +dt-bindings-arm-fix-toradex-compatible-typo.patch +ibmvnic-check-failover_pending-in-login-response.patch +kvm-ppc-book3s-hv-tolerate-treclaim.-in-fake-suspend-mode-changing-registers.patch +bnxt_en-make-bnxt_free_skbs-safe-to-call-after-bnxt_free_mem.patch +net-hns3-pad-the-short-tunnel-frame-before-sending-to-hardware.patch +net-hns3-change-affinity_mask-to-numa-node-range.patch 
+net-hns3-disable-mac-in-flr-process.patch +net-hns3-fix-the-timing-issue-of-vf-clearing-interrupt-sources.patch diff --git a/queue-5.10/tcp-fix-tp-undo_retrans-accounting-in-tcp_sacktag_one.patch b/queue-5.10/tcp-fix-tp-undo_retrans-accounting-in-tcp_sacktag_one.patch new file mode 100644 index 00000000000..bc5899fd92e --- /dev/null +++ b/queue-5.10/tcp-fix-tp-undo_retrans-accounting-in-tcp_sacktag_one.patch @@ -0,0 +1,42 @@ +From 4f884f3962767877d7aabbc1ec124d2c307a4257 Mon Sep 17 00:00:00 2001 +From: zhenggy +Date: Tue, 14 Sep 2021 09:51:15 +0800 +Subject: tcp: fix tp->undo_retrans accounting in tcp_sacktag_one() + +From: zhenggy + +commit 4f884f3962767877d7aabbc1ec124d2c307a4257 upstream. + +Commit 10d3be569243 ("tcp-tso: do not split TSO packets at retransmit +time") may directly retrans a multiple segments TSO/GSO packet without +split, Since this commit, we can no longer assume that a retransmitted +packet is a single segment. + +This patch fixes the tp->undo_retrans accounting in tcp_sacktag_one() +that use the actual segments(pcount) of the retransmitted packet. + +Before that commit (10d3be569243), the assumption underlying the +tp->undo_retrans-- seems correct. + +Fixes: 10d3be569243 ("tcp-tso: do not split TSO packets at retransmit time") +Signed-off-by: zhenggy +Reviewed-by: Eric Dumazet +Acked-by: Yuchung Cheng +Acked-by: Neal Cardwell +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_input.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -1314,7 +1314,7 @@ static u8 tcp_sacktag_one(struct sock *s + if (dup_sack && (sacked & TCPCB_RETRANS)) { + if (tp->undo_marker && tp->undo_retrans > 0 && + after(end_seq, tp->undo_marker)) +- tp->undo_retrans--; ++ tp->undo_retrans = max_t(int, 0, tp->undo_retrans - pcount); + if ((sacked & TCPCB_SACKED_ACKED) && + before(start_seq, state->reord)) + state->reord = start_seq; 
diff --git a/queue-5.10/tipc-increase-timeout-in-tipc_sk_enqueue.patch b/queue-5.10/tipc-increase-timeout-in-tipc_sk_enqueue.patch new file mode 100644 index 00000000000..935c1d75bb3 --- /dev/null +++ b/queue-5.10/tipc-increase-timeout-in-tipc_sk_enqueue.patch @@ -0,0 +1,39 @@ +From f4bb62e64c88c93060c051195d3bbba804e56945 Mon Sep 17 00:00:00 2001 +From: Hoang Le +Date: Mon, 13 Sep 2021 16:28:52 +0700 +Subject: tipc: increase timeout in tipc_sk_enqueue() + +From: Hoang Le + +commit f4bb62e64c88c93060c051195d3bbba804e56945 upstream. + +In tipc_sk_enqueue() we use hardcoded 2 jiffies to extract +socket buffer from generic queue to particular socket. +The 2 jiffies is too short in case there are other high priority +tasks get CPU cycles for multiple jiffies update. As result, no +buffer could be enqueued to particular socket. + +To solve this, we switch to use constant timeout 20msecs. +Then, the function will be expired between 2 jiffies (CONFIG_100HZ) +and 20 jiffies (CONFIG_1000HZ). + +Fixes: c637c1035534 ("tipc: resolve race problem at unicast message reception") +Acked-by: Jon Maloy +Signed-off-by: Hoang Le +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/tipc/socket.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/tipc/socket.c ++++ b/net/tipc/socket.c +@@ -2422,7 +2422,7 @@ static int tipc_sk_backlog_rcv(struct so + static void tipc_sk_enqueue(struct sk_buff_head *inputq, struct sock *sk, + u32 dport, struct sk_buff_head *xmitq) + { +- unsigned long time_limit = jiffies + 2; ++ unsigned long time_limit = jiffies + usecs_to_jiffies(20000); + struct sk_buff *skb; + unsigned int lim; + atomic_t *dcnt; diff --git a/queue-5.10/udp_tunnel-fix-udp_tunnel_nic-work-queue-type.patch b/queue-5.10/udp_tunnel-fix-udp_tunnel_nic-work-queue-type.patch new file mode 100644 index 00000000000..03abc114121 --- /dev/null +++ b/queue-5.10/udp_tunnel-fix-udp_tunnel_nic-work-queue-type.patch 
@@ -0,0 +1,64 @@ +From e50e711351bdc656a8e6ca1022b4293cae8dcd59 Mon Sep 17 00:00:00 2001 +From: Aya Levin +Date: Mon, 13 Sep 2021 10:53:49 +0300 +Subject: udp_tunnel: Fix udp_tunnel_nic work-queue type + +From: Aya Levin + +commit e50e711351bdc656a8e6ca1022b4293cae8dcd59 upstream. + +Turn udp_tunnel_nic work-queue to an ordered work-queue. This queue +holds the UDP-tunnel configuration commands of the different netdevs. +When the netdevs are functions of the same NIC the order of +execution may be crucial. + +Problem example: +NIC with 2 PFs, both PFs declare offload quota of up to 3 UDP-ports. + $ifconfig eth2 1.1.1.1/16 up + + $ip link add eth2_19503 type vxlan id 5049 remote 1.1.1.2 dev eth2 dstport 19053 + $ip link set dev eth2_19503 up + + $ip link add eth2_19504 type vxlan id 5049 remote 1.1.1.3 dev eth2 dstport 19054 + $ip link set dev eth2_19504 up + + $ip link add eth2_19505 type vxlan id 5049 remote 1.1.1.4 dev eth2 dstport 19055 + $ip link set dev eth2_19505 up + + $ip link add eth2_19506 type vxlan id 5049 remote 1.1.1.5 dev eth2 dstport 19056 + $ip link set dev eth2_19506 up + +NIC RX port offload infrastructure offloads the first 3 UDP-ports (on +all devices which sets NETIF_F_RX_UDP_TUNNEL_PORT feature) and not +UDP-port 19056. So both PFs gets this offload configuration. + + $ip link set dev eth2_19504 down + +This triggers udp-tunnel-core to remove the UDP-port 19504 from +offload-ports-list and offload UDP-port 19056 instead. + +In this scenario it is important that the UDP-port of 19504 will be +removed from both PFs before trying to add UDP-port 19056. The NIC can +stop offloading a UDP-port only when all references are removed. +Otherwise the NIC may report exceeding of the offload quota. + +Fixes: cc4e3835eff4 ("udp_tunnel: add central NIC RX port offload infrastructure") +Signed-off-by: Aya Levin +Reviewed-by: Tariq Toukan +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/udp_tunnel_nic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv4/udp_tunnel_nic.c ++++ b/net/ipv4/udp_tunnel_nic.c +@@ -935,7 +935,7 @@ static int __init udp_tunnel_nic_init_mo + { + int err; + +- udp_tunnel_nic_workqueue = alloc_workqueue("udp_tunnel_nic", 0, 0); ++ udp_tunnel_nic_workqueue = alloc_ordered_workqueue("udp_tunnel_nic", 0); + if (!udp_tunnel_nic_workqueue) + return -ENOMEM; + diff --git a/queue-5.10/vhost_net-fix-oob-on-sendmsg-failure.patch b/queue-5.10/vhost_net-fix-oob-on-sendmsg-failure.patch new file mode 100644 index 00000000000..a820b7a29f5 --- /dev/null +++ b/queue-5.10/vhost_net-fix-oob-on-sendmsg-failure.patch 
@@ -0,0 +1,55 @@ +From 3c4cea8fa7f71f00c5279547043a84bc2a4d8b8c Mon Sep 17 00:00:00 2001 +From: Paolo Abeni +Date: Wed, 8 Sep 2021 13:42:09 +0200 +Subject: vhost_net: fix OoB on sendmsg() failure. + +From: Paolo Abeni + +commit 3c4cea8fa7f71f00c5279547043a84bc2a4d8b8c upstream. + +If the sendmsg() call in vhost_tx_batch() fails, both the 'batched_xdp' +and 'done_idx' indexes are left unchanged. If such failure happens +when batched_xdp == VHOST_NET_BATCH, the next call to +vhost_net_build_xdp() will access and write memory outside the xdp +buffers area. + +Since sendmsg() can only error with EBADFD, this change addresses the +issue explicitly freeing the XDP buffers batch on error. + +Fixes: 0a0be13b8fe2 ("vhost_net: batch submitting XDP buffers to underlayer sockets") +Suggested-by: Jason Wang +Signed-off-by: Paolo Abeni +Acked-by: Jason Wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/vhost/net.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/drivers/vhost/net.c ++++ b/drivers/vhost/net.c +@@ -466,7 +466,7 @@ static void vhost_tx_batch(struct vhost_ + .num = nvq->batched_xdp, + .ptr = nvq->xdp, + }; +- int err; ++ int i, err; + + if (nvq->batched_xdp == 0) + goto signal_used; +@@ -475,6 +475,15 @@ static void vhost_tx_batch(struct vhost_ + err = sock->ops->sendmsg(sock, msghdr, 0); + if (unlikely(err < 0)) { + vq_err(&nvq->vq, "Fail to batch sending packets\n"); ++ ++ /* free pages owned by XDP; since this is an unlikely error path, ++ * keep it simple and avoid more complex bulk update for the ++ * used pages ++ */ ++ for (i = 0; i < nvq->batched_xdp; ++i) ++ put_page(virt_to_head_page(nvq->xdp[i].data)); ++ nvq->batched_xdp = 0; ++ nvq->done_idx = 0; + return; + } + 
diff --git a/queue-5.10/x86-uaccess-fix-32-bit-__get_user_asm_u64-when-cc_has_asm_goto_output-y.patch b/queue-5.10/x86-uaccess-fix-32-bit-__get_user_asm_u64-when-cc_has_asm_goto_output-y.patch new file mode 100644 index 00000000000..f188d74d0f9 --- /dev/null +++ b/queue-5.10/x86-uaccess-fix-32-bit-__get_user_asm_u64-when-cc_has_asm_goto_output-y.patch 
@@ -0,0 +1,59 @@ +From a69ae291e1cc2d08ae77c2029579c59c9bde5061 Mon Sep 17 00:00:00 2001 +From: Will Deacon +Date: Mon, 13 Sep 2021 17:35:47 +0100 +Subject: x86/uaccess: Fix 32-bit __get_user_asm_u64() when CC_HAS_ASM_GOTO_OUTPUT=y + +From: Will Deacon + +commit a69ae291e1cc2d08ae77c2029579c59c9bde5061 upstream. + +Commit 865c50e1d279 ("x86/uaccess: utilize CONFIG_CC_HAS_ASM_GOTO_OUTPUT") +added an optimised version of __get_user_asm() for x86 using 'asm goto'. + +Like the non-optimised code, the 32-bit implementation of 64-bit +get_user() expands to a pair of 32-bit accesses. Unlike the +non-optimised code, the _original_ pointer is incremented to copy the +high word instead of loading through a new pointer explicitly +constructed to point at a 32-bit type. Consequently, if the pointer +points at a 64-bit type then we end up loading the wrong data for the +upper 32-bits. + +This was observed as a mount() failure in Android targeting i686 after +b0cfcdd9b967 ("d_path: make 'prepend()' fill up the buffer exactly on +overflow") because the call to copy_from_kernel_nofault() from +prepend_copy() ends up in __get_kernel_nofault() and casts the source +pointer to a 'u64 __user *'. An attempt to mount at "/debug_ramdisk" +therefore ends up failing trying to mount "/debumdismdisk". + +Use the existing '__gu_ptr' source pointer to unsigned int for 32-bit +__get_user_asm_u64() instead of the original pointer. 
+ +Cc: Bill Wendling +Cc: Thomas Gleixner +Cc: Ingo Molnar +Cc: Borislav Petkov +Cc: Peter Zijlstra +Reported-by: Greg Kroah-Hartman +Fixes: 865c50e1d279 ("x86/uaccess: utilize CONFIG_CC_HAS_ASM_GOTO_OUTPUT") +Signed-off-by: Will Deacon +Reviewed-by: Nick Desaulniers +Tested-by: Greg Kroah-Hartman +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/uaccess.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/x86/include/asm/uaccess.h ++++ b/arch/x86/include/asm/uaccess.h +@@ -301,8 +301,8 @@ do { \ + unsigned int __gu_low, __gu_high; \ + const unsigned int __user *__gu_ptr; \ + __gu_ptr = (const void __user *)(ptr); \ +- __get_user_asm(__gu_low, ptr, "l", "=r", label); \ +- __get_user_asm(__gu_high, ptr+1, "l", "=r", label); \ ++ __get_user_asm(__gu_low, __gu_ptr, "l", "=r", label); \ ++ __get_user_asm(__gu_high, __gu_ptr+1, "l", "=r", label); \ + (x) = ((unsigned long long)__gu_high << 32) | __gu_low; \ + } while (0) + #else
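Review bot: in net/ipv4/tcp_input.c, the new assignment `tp->undo_retrans = max_t(int, 0, tp->undo_retrans - pcount);` in tcp_sacktag_one() has no comment explaining the clamp. The reason for it (a retransmitted skb can now span several segments, so pcount may exceed what is left in undo_retrans) is recorded only in the commit message. A one-line comment above the assignment would stop a later cleanup from reducing it back to a plain decrement. The hunk does not show the declarations of undo_retrans and pcount, so confirm both are signed before relying on the max_t(int, ...) cast to catch the underflow.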
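Review bot: in net/tipc/socket.c, `unsigned long time_limit = jiffies + usecs_to_jiffies(20000);` in tipc_sk_enqueue() swaps one bare number for another, and the unit no longer matches the commit message, which describes the budget as 20 msecs. Writing it as msecs_to_jiffies(20), or giving the value a named constant with a short comment on why 2 jiffies was too tight, would make the intent readable at the call site. The loop that consumes time_limit is outside the hunk, so it is also worth checking that the comparison there is wraparound-safe now that the limit can be up to 20 jiffies out.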
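Review bot: in net/ipv4/udp_tunnel_nic.c, the switch to `alloc_ordered_workqueue("udp_tunnel_nic", 0)` in udp_tunnel_nic_init_module() leaves no trace in the code of why ordering matters. The requirement (a port must be removed from every function of the NIC before a replacement port is added, or the device may report the offload quota as exceeded) is stated only in the commit message, so a short comment at the allocation would keep someone from converting it back to alloc_workqueue() for throughput. Separately, the reproduction steps in the message mix up device-name suffixes and port numbers (eth2_19504 is created with dstport 19054, yet the text speaks of removing UDP-port 19504 and adding 19056), which makes the scenario harder to follow when reproducing it.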
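Review bot: in drivers/vhost/net.c, the new error path in vhost_tx_batch() calls put_page() on every entry up to nvq->batched_xdp on the assumption that the socket consumed none of them, but that assumption appears only in the commit message ("sendmsg() can only error with EBADFD") and not in the code. If a backend ever returns an error after taking ownership of part of the batch, this loop would drop references the driver no longer holds. The in-code comment should state the all-or-nothing assumption next to the loop, so that anyone adding a new error return to the underlying sendmsg() sees the dependency. The resets of batched_xdp and done_idx look right for the out-of-bounds write described, since they stop the next vhost_net_build_xdp() call from indexing past the batch.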
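Review bot: in arch/x86/include/asm/uaccess.h, the two corrected lines `__get_user_asm(__gu_low, __gu_ptr, ...)` and `__get_user_asm(__gu_high, __gu_ptr+1, ...)` fix the stride, but nothing in the macro says why the arithmetic has to go through __gu_ptr rather than ptr. The original bug was invisible whenever callers passed a pointer to a 32-bit type and only showed up once a caller cast to 'u64 __user *', so a brief comment noting that `+1` must advance by 4 bytes regardless of the caller's pointer type would guard against the same slip. A regression test that reads a known 64-bit value through a u64 pointer on a 32-bit build would catch this class of error earlier than a failing mount did.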