From: Sasha Levin Date: Sat, 25 Dec 2021 21:31:50 +0000 (-0500) Subject: Fixes for 4.19 X-Git-Tag: v4.4.297~48 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4371ba9612929bea85b2b83c631acfacc74944aa;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.19 Signed-off-by: Sasha Levin --- diff --git a/queue-4.19/arm64-dts-allwinner-orangepi-zero-plus-fix-phy-mode.patch b/queue-4.19/arm64-dts-allwinner-orangepi-zero-plus-fix-phy-mode.patch new file mode 100644 index 00000000000..c781649b137 --- /dev/null +++ b/queue-4.19/arm64-dts-allwinner-orangepi-zero-plus-fix-phy-mode.patch 
@@ -0,0 +1,44 @@ +From cc14ea382815a7bb5163361b5d35bf409a309d60 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Nov 2021 15:02:22 +0100 +Subject: arm64: dts: allwinner: orangepi-zero-plus: fix PHY mode + +From: Robert Marko + +[ Upstream commit 08d2061ff9c5319a07bf9ca6bbf11fdec68f704a ] + +Orange Pi Zero Plus uses a Realtek RTL8211E RGMII Gigabit PHY, but its +currently set to plain RGMII mode meaning that it doesn't introduce +delays. + +With this setup, TX packets are completely lost and changing the mode to +RGMII-ID so the PHY will add delays internally fixes the issue. + +Fixes: a7affb13b271 ("arm64: allwinner: H5: Add Xunlong Orange Pi Zero Plus") +Acked-by: Chen-Yu Tsai +Tested-by: Ron Goossens +Tested-by: Samuel Holland +Signed-off-by: Robert Marko +Signed-off-by: Maxime Ripard +Link: https://lore.kernel.org/r/20211117140222.43692-1-robert.marko@sartura.hr +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/allwinner/sun50i-h5-orangepi-zero-plus.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/allwinner/sun50i-h5-orangepi-zero-plus.dts b/arch/arm64/boot/dts/allwinner/sun50i-h5-orangepi-zero-plus.dts +index 1238de25a9691..9b1789504f7a0 100644 +--- a/arch/arm64/boot/dts/allwinner/sun50i-h5-orangepi-zero-plus.dts ++++ b/arch/arm64/boot/dts/allwinner/sun50i-h5-orangepi-zero-plus.dts +@@ -72,7 +72,7 @@ + pinctrl-0 = <&emac_rgmii_pins>; + phy-supply = <®_gmac_3v3>; + phy-handle = <&ext_rgmii_phy>; +- phy-mode = "rgmii"; ++ phy-mode = "rgmii-id"; + status = "okay"; + }; + +-- +2.34.1 + diff --git a/queue-4.19/bonding-fix-ad_actor_system-option-setting-to-defaul.patch b/queue-4.19/bonding-fix-ad_actor_system-option-setting-to-defaul.patch new file mode 100644 index 00000000000..cbd4cb59707 --- /dev/null +++ b/queue-4.19/bonding-fix-ad_actor_system-option-setting-to-defaul.patch 
@@ -0,0 +1,65 @@ +From fa92127a0f7a4fd2e1c2f41eb394aee0479bbb09 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Dec 2021 12:13:45 +0100 +Subject: bonding: fix ad_actor_system option setting to default + +From: Fernando Fernandez Mancera + +[ Upstream commit 1c15b05baea71a5ff98235783e3e4ad227760876 ] + +When 802.3ad bond mode is configured the ad_actor_system option is set to +"00:00:00:00:00:00". But when trying to set the all-zeroes MAC as actors' +system address it was failing with EINVAL. + +An all-zeroes ethernet address is valid, only multicast addresses are not +valid values. + +Fixes: 171a42c38c6e ("bonding: add netlink support for sys prio, actor sys mac, and port key") +Signed-off-by: Fernando Fernandez Mancera +Acked-by: Jay Vosburgh +Link: https://lore.kernel.org/r/20211221111345.2462-1-ffmancera@riseup.net +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + Documentation/networking/bonding.txt | 11 ++++++----- + drivers/net/bonding/bond_options.c | 2 +- + 2 files changed, 7 insertions(+), 6 deletions(-) + +diff --git a/Documentation/networking/bonding.txt b/Documentation/networking/bonding.txt +index d3e5dd26db12d..4035a495c0606 100644 +--- a/Documentation/networking/bonding.txt ++++ b/Documentation/networking/bonding.txt +@@ -191,11 +191,12 @@ ad_actor_sys_prio + ad_actor_system + + In an AD system, this specifies the mac-address for the actor in +- protocol packet exchanges (LACPDUs). The value cannot be NULL or +- multicast. It is preferred to have the local-admin bit set for this +- mac but driver does not enforce it. If the value is not given then +- system defaults to using the masters' mac address as actors' system +- address. ++ protocol packet exchanges (LACPDUs). The value cannot be a multicast ++ address. If the all-zeroes MAC is specified, bonding will internally ++ use the MAC of the bond itself. It is preferred to have the ++ local-admin bit set for this mac but driver does not enforce it. 
If ++ the value is not given then system defaults to using the masters' ++ mac address as actors' system address. + + This parameter has effect only in 802.3ad mode and is available through + SysFs interface. +diff --git a/drivers/net/bonding/bond_options.c b/drivers/net/bonding/bond_options.c +index 80867bd8f44c3..c9aa28eee191d 100644 +--- a/drivers/net/bonding/bond_options.c ++++ b/drivers/net/bonding/bond_options.c +@@ -1439,7 +1439,7 @@ static int bond_option_ad_actor_system_set(struct bonding *bond, + mac = (u8 *)&newval->value; + } + +- if (!is_valid_ether_addr(mac)) ++ if (is_multicast_ether_addr(mac)) + goto err; + + netdev_dbg(bond->dev, "Setting ad_actor_system to %pM\n", mac); +-- +2.34.1 + diff --git a/queue-4.19/drivers-net-smc911x-check-for-error-irq.patch b/queue-4.19/drivers-net-smc911x-check-for-error-irq.patch new file mode 100644 index 00000000000..8f32ac51e95 --- /dev/null +++ b/queue-4.19/drivers-net-smc911x-check-for-error-irq.patch 
@@ -0,0 +1,40 @@ +From 375600a149f57bb9b5d88ec5758b611de1821eab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Dec 2021 15:41:12 +0800 +Subject: drivers: net: smc911x: Check for error irq + +From: Jiasheng Jiang + +[ Upstream commit cb93b3e11d405f20a405a07482d01147ef4934a3 ] + +Because platform_get_irq() could fail and return error irq. +Therefore, it might be better to check it if order to avoid the use of +error irq. + +Fixes: ae150435b59e ("smsc: Move the SMC (SMSC) drivers") +Signed-off-by: Jiasheng Jiang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/smsc/smc911x.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/ethernet/smsc/smc911x.c b/drivers/net/ethernet/smsc/smc911x.c +index f97b35430c840..ac1ad00e2fc55 100644 +--- a/drivers/net/ethernet/smsc/smc911x.c ++++ b/drivers/net/ethernet/smsc/smc911x.c +@@ -2080,6 +2080,11 @@ static int smc911x_drv_probe(struct platform_device *pdev) + + ndev->dma = (unsigned char)-1; + ndev->irq = platform_get_irq(pdev, 0); ++ if (ndev->irq < 0) { ++ ret = ndev->irq; ++ goto release_both; ++ } ++ + lp = netdev_priv(ndev); + lp->netdev = ndev; + #ifdef SMC_DYNAMIC_BUS_CONFIG +-- +2.34.1 + diff --git a/queue-4.19/fjes-check-for-error-irq.patch b/queue-4.19/fjes-check-for-error-irq.patch new file mode 100644 index 00000000000..ee68b76869b --- /dev/null +++ b/queue-4.19/fjes-check-for-error-irq.patch 
@@ -0,0 +1,41 @@ +From fd98ac9cb1c02f406941df9ae10698022f2fdb93 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Dec 2021 15:12:07 +0800 +Subject: fjes: Check for error irq + +From: Jiasheng Jiang + +[ Upstream commit db6d6afe382de5a65d6ccf51253ab48b8e8336c3 ] + +I find that platform_get_irq() will not always succeed. +It will return error irq in case of the failure. +Therefore, it might be better to check it if order to avoid the use of +error irq. + +Fixes: 658d439b2292 ("fjes: Introduce FUJITSU Extended Socket Network Device driver") +Signed-off-by: Jiasheng Jiang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/fjes/fjes_main.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/fjes/fjes_main.c b/drivers/net/fjes/fjes_main.c +index 778d3729f460a..89b3bc389f469 100644 +--- a/drivers/net/fjes/fjes_main.c ++++ b/drivers/net/fjes/fjes_main.c +@@ -1284,6 +1284,11 @@ static int fjes_probe(struct platform_device *plat_dev) + hw->hw_res.start = res->start; + hw->hw_res.size = resource_size(res); + hw->hw_res.irq = platform_get_irq(plat_dev, 0); ++ if (hw->hw_res.irq < 0) { ++ err = hw->hw_res.irq; ++ goto err_free_control_wq; ++ } ++ + err = fjes_hw_init(&adapter->hw); + if (err) + goto err_free_control_wq; +-- +2.34.1 + diff --git a/queue-4.19/ib-qib-fix-memory-leak-in-qib_user_sdma_queue_pkts.patch b/queue-4.19/ib-qib-fix-memory-leak-in-qib_user_sdma_queue_pkts.patch new file mode 100644 index 00000000000..bddda12d7c4 --- /dev/null +++ b/queue-4.19/ib-qib-fix-memory-leak-in-qib_user_sdma_queue_pkts.patch 
@@ -0,0 +1,42 @@ +From 2fc132f8d23d194bcb8131a975e7c3190d3245e4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Dec 2021 18:52:38 +0100 +Subject: IB/qib: Fix memory leak in qib_user_sdma_queue_pkts() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: José Expósito + +[ Upstream commit bee90911e0138c76ee67458ac0d58b38a3190f65 ] + +The wrong goto label was used for the error case and missed cleanup of the +pkt allocation. + +Fixes: d39bf40e55e6 ("IB/qib: Protect from buffer overflow in struct qib_user_sdma_pkt fields") +Link: https://lore.kernel.org/r/20211208175238.29983-1-jose.exposito89@gmail.com +Addresses-Coverity-ID: 1493352 ("Resource leak") +Signed-off-by: José Expósito +Acked-by: Mike Marciniszyn +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/qib/qib_user_sdma.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/qib/qib_user_sdma.c b/drivers/infiniband/hw/qib/qib_user_sdma.c +index 47ed3ab25dc95..6e6730f036b03 100644 +--- a/drivers/infiniband/hw/qib/qib_user_sdma.c ++++ b/drivers/infiniband/hw/qib/qib_user_sdma.c +@@ -945,7 +945,7 @@ static int qib_user_sdma_queue_pkts(const struct qib_devdata *dd, + &addrlimit) || + addrlimit > type_max(typeof(pkt->addrlimit))) { + ret = -EINVAL; +- goto free_pbc; ++ goto free_pkt; + } + pkt->addrlimit = addrlimit; + +-- +2.34.1 + diff --git a/queue-4.19/ipmi-fix-uaf-when-uninstall-ipmi_si-and-ipmi_msghand.patch b/queue-4.19/ipmi-fix-uaf-when-uninstall-ipmi_si-and-ipmi_msghand.patch new file mode 100644 index 00000000000..a982683fea0 --- /dev/null +++ b/queue-4.19/ipmi-fix-uaf-when-uninstall-ipmi_si-and-ipmi_msghand.patch 
@@ -0,0 +1,143 @@ +From b4d71784323318b7d684870aa0843270f618ba4a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Dec 2021 15:00:34 +0800 +Subject: ipmi: Fix UAF when uninstall ipmi_si and ipmi_msghandler module + +From: Wu Bo + +[ Upstream commit ffb76a86f8096a8206be03b14adda6092e18e275 ] + +Hi, + +When testing install and uninstall of ipmi_si.ko and ipmi_msghandler.ko, +the system crashed. + +The log as follows: +[ 141.087026] BUG: unable to handle kernel paging request at ffffffffc09b3a5a +[ 141.087241] PGD 8fe4c0d067 P4D 8fe4c0d067 PUD 8fe4c0f067 PMD 103ad89067 PTE 0 +[ 141.087464] Oops: 0010 [#1] SMP NOPTI +[ 141.087580] CPU: 67 PID: 668 Comm: kworker/67:1 Kdump: loaded Not tainted 4.18.0.x86_64 #47 +[ 141.088009] Workqueue: events 0xffffffffc09b3a40 +[ 141.088009] RIP: 0010:0xffffffffc09b3a5a +[ 141.088009] Code: Bad RIP value. +[ 141.088009] RSP: 0018:ffffb9094e2c3e88 EFLAGS: 00010246 +[ 141.088009] RAX: 0000000000000000 RBX: ffff9abfdb1f04a0 RCX: 0000000000000000 +[ 141.088009] RDX: 0000000000000000 RSI: 0000000000000246 RDI: 0000000000000246 +[ 141.088009] RBP: 0000000000000000 R08: ffff9abfffee3cb8 R09: 00000000000002e1 +[ 141.088009] R10: ffffb9094cb73d90 R11: 00000000000f4240 R12: ffff9abfffee8700 +[ 141.088009] R13: 0000000000000000 R14: ffff9abfdb1f04a0 R15: ffff9abfdb1f04a8 +[ 141.088009] FS: 0000000000000000(0000) GS:ffff9abfffec0000(0000) knlGS:0000000000000000 +[ 141.088009] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 141.088009] CR2: ffffffffc09b3a30 CR3: 0000008fe4c0a001 CR4: 00000000007606e0 +[ 141.088009] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 141.088009] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 141.088009] PKRU: 55555554 +[ 141.088009] Call Trace: +[ 141.088009] ? process_one_work+0x195/0x390 +[ 141.088009] ? worker_thread+0x30/0x390 +[ 141.088009] ? process_one_work+0x390/0x390 +[ 141.088009] ? kthread+0x10d/0x130 +[ 141.088009] ? 
kthread_flush_work_fn+0x10/0x10 +[ 141.088009] ? ret_from_fork+0x35/0x40] BUG: unable to handle kernel paging request at ffffffffc0b28a5a +[ 200.223240] PGD 97fe00d067 P4D 97fe00d067 PUD 97fe00f067 PMD a580cbf067 PTE 0 +[ 200.223464] Oops: 0010 [#1] SMP NOPTI +[ 200.223579] CPU: 63 PID: 664 Comm: kworker/63:1 Kdump: loaded Not tainted 4.18.0.x86_64 #46 +[ 200.224008] Workqueue: events 0xffffffffc0b28a40 +[ 200.224008] RIP: 0010:0xffffffffc0b28a5a +[ 200.224008] Code: Bad RIP value. +[ 200.224008] RSP: 0018:ffffbf3c8e2a3e88 EFLAGS: 00010246 +[ 200.224008] RAX: 0000000000000000 RBX: ffffa0799ad6bca0 RCX: 0000000000000000 +[ 200.224008] RDX: 0000000000000000 RSI: 0000000000000246 RDI: 0000000000000246 +[ 200.224008] RBP: 0000000000000000 R08: ffff9fe43fde3cb8 R09: 00000000000000d5 +[ 200.224008] R10: ffffbf3c8cb53d90 R11: 00000000000f4240 R12: ffff9fe43fde8700 +[ 200.224008] R13: 0000000000000000 R14: ffffa0799ad6bca0 R15: ffffa0799ad6bca8 +[ 200.224008] FS: 0000000000000000(0000) GS:ffff9fe43fdc0000(0000) knlGS:0000000000000000 +[ 200.224008] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 200.224008] CR2: ffffffffc0b28a30 CR3: 00000097fe00a002 CR4: 00000000007606e0 +[ 200.224008] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 200.224008] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 200.224008] PKRU: 55555554 +[ 200.224008] Call Trace: +[ 200.224008] ? process_one_work+0x195/0x390 +[ 200.224008] ? worker_thread+0x30/0x390 +[ 200.224008] ? process_one_work+0x390/0x390 +[ 200.224008] ? kthread+0x10d/0x130 +[ 200.224008] ? kthread_flush_work_fn+0x10/0x10 +[ 200.224008] ? ret_from_fork+0x35/0x40 +[ 200.224008] kernel fault(0x1) notification starting on CPU 63 +[ 200.224008] kernel fault(0x1) notification finished on CPU 63 +[ 200.224008] CR2: ffffffffc0b28a5a +[ 200.224008] ---[ end trace c82a412d93f57412 ]--- + +The reason is as follows: +T1: rmmod ipmi_si. 
+ ->ipmi_unregister_smi() + -> ipmi_bmc_unregister() + -> __ipmi_bmc_unregister() + -> kref_put(&bmc->usecount, cleanup_bmc_device); + -> schedule_work(&bmc->remove_work); + +T2: rmmod ipmi_msghandler. + ipmi_msghander module uninstalled, and the module space + will be freed. + +T3: bmc->remove_work doing cleanup the bmc resource. + -> cleanup_bmc_work() + -> platform_device_unregister(&bmc->pdev); + -> platform_device_del(pdev); + -> device_del(&pdev->dev); + -> kobject_uevent(&dev->kobj, KOBJ_REMOVE); + -> kobject_uevent_env() + -> dev_uevent() + -> if (dev->type && dev->type->name) + + 'dev->type'(bmc_device_type) pointer space has freed when uninstall + ipmi_msghander module, 'dev->type->name' cause the system crash. + +drivers/char/ipmi/ipmi_msghandler.c: +2820 static const struct device_type bmc_device_type = { +2821 .groups = bmc_dev_attr_groups, +2822 }; + +Steps to reproduce: +Add a time delay in cleanup_bmc_work() function, +and uninstall ipmi_si and ipmi_msghandler module. + +2910 static void cleanup_bmc_work(struct work_struct *work) +2911 { +2912 struct bmc_device *bmc = container_of(work, struct bmc_device, +2913 remove_work); +2914 int id = bmc->pdev.id; /* Unregister overwrites id */ +2915 +2916 msleep(3000); <--- +2917 platform_device_unregister(&bmc->pdev); +2918 ida_simple_remove(&ipmi_bmc_ida, id); +2919 } + +Use 'remove_work_wq' instead of 'system_wq' to solve this issues. 
+ +Fixes: b2cfd8ab4add ("ipmi: Rework device id and guid handling to catch changing BMCs") +Signed-off-by: Wu Bo +Message-Id: <1640070034-56671-1-git-send-email-wubo40@huawei.com> +Signed-off-by: Corey Minyard +Signed-off-by: Sasha Levin +--- + drivers/char/ipmi/ipmi_msghandler.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c +index 48929df7673b1..6db709e2c34b1 100644 +--- a/drivers/char/ipmi/ipmi_msghandler.c ++++ b/drivers/char/ipmi/ipmi_msghandler.c +@@ -2863,7 +2863,7 @@ cleanup_bmc_device(struct kref *ref) + * with removing the device attributes while reading a device + * attribute. + */ +- schedule_work(&bmc->remove_work); ++ queue_work(remove_work_wq, &bmc->remove_work); + } + + /* +-- +2.34.1 + diff --git a/queue-4.19/net-accept-ufov6-packages-in-virtio_net_hdr_to_skb.patch b/queue-4.19/net-accept-ufov6-packages-in-virtio_net_hdr_to_skb.patch new file mode 100644 index 00000000000..da67ef6614d --- /dev/null +++ b/queue-4.19/net-accept-ufov6-packages-in-virtio_net_hdr_to_skb.patch 
@@ -0,0 +1,75 @@ +From ecbf3c24be303c82e6f4bdbc637971bc5df2b478 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Dec 2021 09:49:01 -0500 +Subject: net: accept UFOv6 packages in virtio_net_hdr_to_skb + +From: Willem de Bruijn + +[ Upstream commit 7e5cced9ca84df52d874aca6b632f930b3dc5bc6 ] + +Skb with skb->protocol 0 at the time of virtio_net_hdr_to_skb may have +a protocol inferred from virtio_net_hdr with virtio_net_hdr_set_proto. + +Unlike TCP, UDP does not have separate types for IPv4 and IPv6. Type +VIRTIO_NET_HDR_GSO_UDP is guessed to be IPv4/UDP. As of the below +commit, UFOv6 packets are dropped due to not matching the protocol as +obtained from dev_parse_header_protocol. + +Invert the test to take that L2 protocol field as starting point and +pass both UFOv4 and UFOv6 for VIRTIO_NET_HDR_GSO_UDP. + +Fixes: 924a9bc362a5 ("net: check if protocol extracted by virtio_net_hdr_set_proto is correct") +Link: https://lore.kernel.org/netdev/CABcq3pG9GRCYqFDBAJ48H1vpnnX=41u+MhQnayF1ztLH4WX0Fw@mail.gmail.com/ +Reported-by: Andrew Melnichenko +Signed-off-by: Willem de Bruijn +Link: https://lore.kernel.org/r/20211220144901.2784030-1-willemdebruijn.kernel@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/linux/virtio_net.h | 22 ++++++++++++++++++++-- + 1 file changed, 20 insertions(+), 2 deletions(-) + +diff --git a/include/linux/virtio_net.h b/include/linux/virtio_net.h +index e7330a9a7d7dc..8874b278cd34a 100644 +--- a/include/linux/virtio_net.h ++++ b/include/linux/virtio_net.h +@@ -7,6 +7,21 @@ + #include + #include + ++static inline bool virtio_net_hdr_match_proto(__be16 protocol, __u8 gso_type) ++{ ++ switch (gso_type & ~VIRTIO_NET_HDR_GSO_ECN) { ++ case VIRTIO_NET_HDR_GSO_TCPV4: ++ return protocol == cpu_to_be16(ETH_P_IP); ++ case VIRTIO_NET_HDR_GSO_TCPV6: ++ return protocol == cpu_to_be16(ETH_P_IPV6); ++ case VIRTIO_NET_HDR_GSO_UDP: ++ return protocol == cpu_to_be16(ETH_P_IP) || ++ protocol == cpu_to_be16(ETH_P_IPV6); ++ 
default: ++ return false; ++ } ++} ++ + static inline int virtio_net_hdr_set_proto(struct sk_buff *skb, + const struct virtio_net_hdr *hdr) + { +@@ -88,9 +103,12 @@ static inline int virtio_net_hdr_to_skb(struct sk_buff *skb, + if (!skb->protocol) { + __be16 protocol = dev_parse_header_protocol(skb); + +- virtio_net_hdr_set_proto(skb, hdr); +- if (protocol && protocol != skb->protocol) ++ if (!protocol) ++ virtio_net_hdr_set_proto(skb, hdr); ++ else if (!virtio_net_hdr_match_proto(protocol, hdr->gso_type)) + return -EINVAL; ++ else ++ skb->protocol = protocol; + } + retry: + if (!skb_flow_dissect_flow_keys_basic(skb, &keys, +-- +2.34.1 + diff --git a/queue-4.19/net-skip-virtio_net_hdr_set_proto-if-protocol-alread.patch b/queue-4.19/net-skip-virtio_net_hdr_set_proto-if-protocol-alread.patch new file mode 100644 index 00000000000..4c859f42eb0 --- /dev/null +++ b/queue-4.19/net-skip-virtio_net_hdr_set_proto-if-protocol-alread.patch 
@@ -0,0 +1,46 @@ +From f3ff66a34c83e355ab4f79a552333a23ea16206f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Dec 2021 09:50:27 -0500 +Subject: net: skip virtio_net_hdr_set_proto if protocol already set + +From: Willem de Bruijn + +[ Upstream commit 1ed1d592113959f00cc552c3b9f47ca2d157768f ] + +virtio_net_hdr_set_proto infers skb->protocol from the virtio_net_hdr +gso_type, to avoid packets getting dropped for lack of a proto type. + +Its protocol choice is a guess, especially in the case of UFO, where +the single VIRTIO_NET_HDR_GSO_UDP label covers both UFOv4 and UFOv6. + +Skip this best effort if the field is already initialized. Whether +explicitly from userspace, or implicitly based on an earlier call to +dev_parse_header_protocol (which is more robust, but was introduced +after this patch). + +Fixes: 9d2f67e43b73 ("net/packet: fix packet drop as of virtio gso") +Signed-off-by: Willem de Bruijn +Link: https://lore.kernel.org/r/20211220145027.2784293-1-willemdebruijn.kernel@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/linux/virtio_net.h | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/include/linux/virtio_net.h b/include/linux/virtio_net.h +index 8874b278cd34a..faee73c084d49 100644 +--- a/include/linux/virtio_net.h ++++ b/include/linux/virtio_net.h +@@ -25,6 +25,9 @@ static inline bool virtio_net_hdr_match_proto(__be16 protocol, __u8 gso_type) + static inline int virtio_net_hdr_set_proto(struct sk_buff *skb, + const struct virtio_net_hdr *hdr) + { ++ if (skb->protocol) ++ return 0; ++ + switch (hdr->gso_type & ~VIRTIO_NET_HDR_GSO_ECN) { + case VIRTIO_NET_HDR_GSO_TCPV4: + case VIRTIO_NET_HDR_GSO_UDP: +-- +2.34.1 + diff --git a/queue-4.19/netfilter-fix-regression-in-looped-broad-multi-cast-.patch b/queue-4.19/netfilter-fix-regression-in-looped-broad-multi-cast-.patch new file mode 100644 index 00000000000..0719b5123f5 --- /dev/null 
+++ b/queue-4.19/netfilter-fix-regression-in-looped-broad-multi-cast-.patch 
@@ -0,0 +1,69 @@ +From bcee5f70b86204d3e449aaed23d2c6cd5781b960 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Dec 2021 16:31:27 +0100 +Subject: netfilter: fix regression in looped (broad|multi)cast's MAC handling +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ignacy Gawędzki + +[ Upstream commit ebb966d3bdfed581ecccbb4a7432341baf7619b4 ] + +In commit 5648b5e1169f ("netfilter: nfnetlink_queue: fix OOB when mac +header was cleared"), the test for non-empty MAC header introduced in +commit 2c38de4c1f8da7 ("netfilter: fix looped (broad|multi)cast's MAC +handling") has been replaced with a test for a set MAC header. + +This breaks the case when the MAC header has been reset (using +skb_reset_mac_header), as is the case with looped-back multicast +packets. As a result, the packets ending up in NFQUEUE get a bogus +hwaddr interpreted from the first bytes of the IP header. + +This patch adds a test for a non-empty MAC header in addition to the +test for a set MAC header. The same two tests are also implemented in +nfnetlink_log.c, where the initial code of commit 2c38de4c1f8da7 +("netfilter: fix looped (broad|multi)cast's MAC handling") has not been +touched, but where supposedly the same situation may happen. 
+ +Fixes: 5648b5e1169f ("netfilter: nfnetlink_queue: fix OOB when mac header was cleared") +Signed-off-by: Ignacy Gawędzki +Reviewed-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nfnetlink_log.c | 3 ++- + net/netfilter/nfnetlink_queue.c | 3 ++- + 2 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c +index 25298b3eb8546..17ca9a681d47b 100644 +--- a/net/netfilter/nfnetlink_log.c ++++ b/net/netfilter/nfnetlink_log.c +@@ -509,7 +509,8 @@ __build_packet_message(struct nfnl_log_net *log, + goto nla_put_failure; + + if (indev && skb->dev && +- skb->mac_header != skb->network_header) { ++ skb_mac_header_was_set(skb) && ++ skb_mac_header_len(skb) != 0) { + struct nfulnl_msg_packet_hw phw; + int len; + +diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c +index eb5a052d3b252..8955431f2ab26 100644 +--- a/net/netfilter/nfnetlink_queue.c ++++ b/net/netfilter/nfnetlink_queue.c +@@ -566,7 +566,8 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, + goto nla_put_failure; + + if (indev && entskb->dev && +- skb_mac_header_was_set(entskb)) { ++ skb_mac_header_was_set(entskb) && ++ skb_mac_header_len(entskb) != 0) { + struct nfqnl_msg_packet_hw phw; + int len; + +-- +2.34.1 + diff --git a/queue-4.19/qlcnic-potential-dereference-null-pointer-of-rx_queu.patch b/queue-4.19/qlcnic-potential-dereference-null-pointer-of-rx_queu.patch new file mode 100644 index 00000000000..59acdbcf54e --- /dev/null +++ b/queue-4.19/qlcnic-potential-dereference-null-pointer-of-rx_queu.patch 
@@ -0,0 +1,103 @@ +From 766634292b9584385b1a142fb4ebce8a42c26210 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Dec 2021 17:39:11 +0800 +Subject: qlcnic: potential dereference null pointer of rx_queue->page_ring + +From: Jiasheng Jiang + +[ Upstream commit 60ec7fcfe76892a1479afab51ff17a4281923156 ] + +The return value of kcalloc() needs to be checked. +To avoid dereference of null pointer in case of the failure of alloc. +Therefore, it might be better to change the return type of +qlcnic_sriov_alloc_vlans() and return -ENOMEM when alloc fails and +return 0 the others. +Also, qlcnic_sriov_set_guest_vlan_mode() and __qlcnic_pci_sriov_enable() +should deal with the return value of qlcnic_sriov_alloc_vlans(). + +Fixes: 154d0c810c53 ("qlcnic: VLAN enhancement for 84XX adapters") +Signed-off-by: Jiasheng Jiang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov.h | 2 +- + .../net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c | 12 +++++++++--- + drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c | 4 +++- + 3 files changed, 13 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov.h b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov.h +index 5f327659efa7a..85b688f60b876 100644 +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov.h ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov.h +@@ -202,7 +202,7 @@ int qlcnic_sriov_get_vf_vport_info(struct qlcnic_adapter *, + struct qlcnic_info *, u16); + int qlcnic_sriov_cfg_vf_guest_vlan(struct qlcnic_adapter *, u16, u8); + void qlcnic_sriov_free_vlans(struct qlcnic_adapter *); +-void qlcnic_sriov_alloc_vlans(struct qlcnic_adapter *); ++int qlcnic_sriov_alloc_vlans(struct qlcnic_adapter *); + bool qlcnic_sriov_check_any_vlan(struct qlcnic_vf_info *); + void qlcnic_sriov_del_vlan_id(struct qlcnic_sriov *, + struct qlcnic_vf_info *, u16); +diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c 
b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c +index 77e386ebff09c..98275f18a87b0 100644 +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c +@@ -433,7 +433,7 @@ static int qlcnic_sriov_set_guest_vlan_mode(struct qlcnic_adapter *adapter, + struct qlcnic_cmd_args *cmd) + { + struct qlcnic_sriov *sriov = adapter->ahw->sriov; +- int i, num_vlans; ++ int i, num_vlans, ret; + u16 *vlans; + + if (sriov->allowed_vlans) +@@ -444,7 +444,9 @@ static int qlcnic_sriov_set_guest_vlan_mode(struct qlcnic_adapter *adapter, + dev_info(&adapter->pdev->dev, "Number of allowed Guest VLANs = %d\n", + sriov->num_allowed_vlans); + +- qlcnic_sriov_alloc_vlans(adapter); ++ ret = qlcnic_sriov_alloc_vlans(adapter); ++ if (ret) ++ return ret; + + if (!sriov->any_vlan) + return 0; +@@ -2164,7 +2166,7 @@ static int qlcnic_sriov_vf_resume(struct qlcnic_adapter *adapter) + return err; + } + +-void qlcnic_sriov_alloc_vlans(struct qlcnic_adapter *adapter) ++int qlcnic_sriov_alloc_vlans(struct qlcnic_adapter *adapter) + { + struct qlcnic_sriov *sriov = adapter->ahw->sriov; + struct qlcnic_vf_info *vf; +@@ -2174,7 +2176,11 @@ void qlcnic_sriov_alloc_vlans(struct qlcnic_adapter *adapter) + vf = &sriov->vf_info[i]; + vf->sriov_vlans = kcalloc(sriov->num_allowed_vlans, + sizeof(*vf->sriov_vlans), GFP_KERNEL); ++ if (!vf->sriov_vlans) ++ return -ENOMEM; + } ++ ++ return 0; + } + + void qlcnic_sriov_free_vlans(struct qlcnic_adapter *adapter) +diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c +index 50eaafa3eaba3..c9f2cd2462230 100644 +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c +@@ -598,7 +598,9 @@ static int __qlcnic_pci_sriov_enable(struct qlcnic_adapter *adapter, + if (err) + goto del_flr_queue; + +- qlcnic_sriov_alloc_vlans(adapter); ++ err = 
qlcnic_sriov_alloc_vlans(adapter); ++ if (err) ++ goto del_flr_queue; + + return err; + +-- +2.34.1 + diff --git a/queue-4.19/series b/queue-4.19/series index c48f4f11361..fdd64f66723 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -5,3 +5,15 @@ block-bfq-fix-decrement-of-num_active_groups.patch block-bfq-fix-queue-removal-from-weights-tree.patch block-bfq-fix-use-after-free-in-bfq_bfqq_expire.patch hid-holtek-fix-mouse-probing.patch +arm64-dts-allwinner-orangepi-zero-plus-fix-phy-mode.patch +spi-change-clk_disable_unprepare-to-clk_unprepare.patch +ib-qib-fix-memory-leak-in-qib_user_sdma_queue_pkts.patch +netfilter-fix-regression-in-looped-broad-multi-cast-.patch +qlcnic-potential-dereference-null-pointer-of-rx_queu.patch +net-accept-ufov6-packages-in-virtio_net_hdr_to_skb.patch +net-skip-virtio_net_hdr_set_proto-if-protocol-alread.patch +ipmi-fix-uaf-when-uninstall-ipmi_si-and-ipmi_msghand.patch +bonding-fix-ad_actor_system-option-setting-to-defaul.patch +fjes-check-for-error-irq.patch +drivers-net-smc911x-check-for-error-irq.patch +sfc-falcon-check-null-pointer-of-rx_queue-page_ring.patch diff --git a/queue-4.19/sfc-falcon-check-null-pointer-of-rx_queue-page_ring.patch b/queue-4.19/sfc-falcon-check-null-pointer-of-rx_queue-page_ring.patch new file mode 100644 index 00000000000..0555828a1db --- /dev/null +++ b/queue-4.19/sfc-falcon-check-null-pointer-of-rx_queue-page_ring.patch 
@@ -0,0 +1,42 @@ +From 14896a660935633e62ddd5e824c13f088ef84ce1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Dec 2021 22:03:44 +0800 +Subject: sfc: falcon: Check null pointer of rx_queue->page_ring + +From: Jiasheng Jiang + +[ Upstream commit 9b8bdd1eb5890aeeab7391dddcf8bd51f7b07216 ] + +Because of the possible failure of the kcalloc, it should be better to +set rx_queue->page_ptr_mask to 0 when it happens in order to maintain +the consistency. + +Fixes: 5a6681e22c14 ("sfc: separate out SFC4000 ("Falcon") support into new sfc-falcon driver") +Signed-off-by: Jiasheng Jiang +Acked-by: Martin Habets +Link: https://lore.kernel.org/r/20211220140344.978408-1-jiasheng@iscas.ac.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/sfc/falcon/rx.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/sfc/falcon/rx.c b/drivers/net/ethernet/sfc/falcon/rx.c +index 02456ed13a7d4..5b93a3af4575d 100644 +--- a/drivers/net/ethernet/sfc/falcon/rx.c ++++ b/drivers/net/ethernet/sfc/falcon/rx.c +@@ -732,7 +732,10 @@ static void ef4_init_rx_recycle_ring(struct ef4_nic *efx, + efx->rx_bufs_per_page); + rx_queue->page_ring = kcalloc(page_ring_size, + sizeof(*rx_queue->page_ring), GFP_KERNEL); +- rx_queue->page_ptr_mask = page_ring_size - 1; ++ if (!rx_queue->page_ring) ++ rx_queue->page_ptr_mask = 0; ++ else ++ rx_queue->page_ptr_mask = page_ring_size - 1; + } + + void ef4_init_rx_queue(struct ef4_rx_queue *rx_queue) +-- +2.34.1 + diff --git a/queue-4.19/spi-change-clk_disable_unprepare-to-clk_unprepare.patch b/queue-4.19/spi-change-clk_disable_unprepare-to-clk_unprepare.patch new file mode 100644 index 00000000000..dc3ef7e8ebb --- /dev/null +++ b/queue-4.19/spi-change-clk_disable_unprepare-to-clk_unprepare.patch 
@@ -0,0 +1,39 @@ +From f55c1a3e802ff1009e3f480ce88c3f81ad2e1317 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Dec 2021 18:19:31 +0800 +Subject: spi: change clk_disable_unprepare to clk_unprepare + +From: Dongliang Mu + +[ Upstream commit db6689b643d8653092f5853751ea2cdbc299f8d3 ] + +The corresponding API for clk_prepare is clk_unprepare, other than +clk_disable_unprepare. + +Fix this by changing clk_disable_unprepare to clk_unprepare. + +Fixes: 5762ab71eb24 ("spi: Add support for Armada 3700 SPI Controller") +Signed-off-by: Dongliang Mu +Link: https://lore.kernel.org/r/20211206101931.2816597-1-mudongliangabcd@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-armada-3700.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-armada-3700.c b/drivers/spi/spi-armada-3700.c +index 7dcb14d303eb4..d8715954f4e08 100644 +--- a/drivers/spi/spi-armada-3700.c ++++ b/drivers/spi/spi-armada-3700.c +@@ -912,7 +912,7 @@ static int a3700_spi_probe(struct platform_device *pdev) + return 0; + + error_clk: +- clk_disable_unprepare(spi->clk); ++ clk_unprepare(spi->clk); + error: + spi_master_put(master); + out: +-- +2.34.1 +
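
Review bot: in the ipmi_msghandler.c hunk (cleanup_bmc_device), `queue_work(remove_work_wq, &bmc->remove_work);` uses remove_work_wq, but the patch changes only that one line (1 insertion, 1 deletion) and nothing in it declares, allocates or destroys that workqueue. Please confirm that the 4.19 tree already carries the change that introduces remove_work_wq and tears it down on module exit. Without it the backport either does not build or does not close the T1/T2/T3 window described in the commit message. Judging by their names, none of the other entries added to queue-4.19/series in this commit supplies it.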
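
Review bot: in the qlcnic_sriov_common.c hunk for qlcnic_sriov_alloc_vlans(), the new `return -ENOMEM;` leaves the loop at the first failed kcalloc() without releasing the vf->sriov_vlans arrays already allocated for earlier VFs. The visible callers either `return ret;` directly (qlcnic_sriov_set_guest_vlan_mode) or `goto del_flr_queue;` (__qlcnic_pci_sriov_enable), and neither is shown calling qlcnic_sriov_free_vlans(). Either free the partial allocations before returning or state in the commit message which unwind path does it. Separately, the subject line names rx_queue->page_ring, which this patch does not touch; it should refer to vf->sriov_vlans.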
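
Review bot: in the sfc/falcon/rx.c hunk (ef4_init_rx_recycle_ring), the failed kcalloc() is handled only by setting `rx_queue->page_ptr_mask = 0;`, and the function still returns void, so the caller never learns that the recycle ring is missing. A mask of 0 still yields index 0, so every user of rx_queue->page_ring has to test the pointer itself before indexing; the hunk does not show that they do. Please add a comment here stating that a NULL page_ring means recycling is disabled and name the checks that rely on it, or propagate the error instead.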
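
Review bot: in the fjes_main.c hunk (fjes_probe), the check `if (hw->hw_res.irq < 0)` only works if hw_res.irq is a signed type, and the field's declaration is not part of this patch. Please confirm the type, or read the result into a local int first (`err = platform_get_irq(plat_dev, 0);`), test that, and assign hw->hw_res.irq only on success, so a negative errno is never stored in the resource struct.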
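
Review bot: in the smc911x.c hunk (smc911x_drv_probe), the error value is written into ndev->irq before it is checked, and the new `goto release_both;` is taken with that negative value still stored in the net_device. Prefer a local variable for the platform_get_irq() result and assign ndev->irq only on success. The release_both label is outside the hunk, so please also confirm that it releases exactly what probe has acquired by this point and nothing that is set up later.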
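
Review bot: in the first virtio_net.h hunk, the `default: return false;` branch of virtio_net_hdr_match_proto() makes virtio_net_hdr_to_skb() return -EINVAL for every gso_type other than TCPV4, TCPV6 and UDP whenever dev_parse_header_protocol() yields a non-zero protocol. That is only correct if the call site in the second hunk is reached for GSO packets alone; the surrounding condition is not visible in the context lines, so please confirm it. A short comment on the helper explaining why VIRTIO_NET_HDR_GSO_UDP accepts both ETH_P_IP and ETH_P_IPV6 (the header has no separate UFOv6 type) would also save the next reader a trip to the commit log.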
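
Review bot: in the Documentation/networking/bonding.txt hunk, the new ad_actor_system text now describes the fallback twice in different terms: "bonding will internally use the MAC of the bond itself" for the all-zeroes value, and "system defaults to using the masters' mac address" when no value is given. These appear to be the same behaviour, since the commit message says the option defaults to 00:00:00:00:00:00. Suggest folding them into one sentence with one term for the bond device, and stating explicitly that the broadcast address is rejected as well, because the code check is now `is_multicast_ether_addr(mac)` alone.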
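
Review bot: in the qib_user_sdma.c hunk (qib_user_sdma_queue_pkts), switching the addrlimit error path from `goto free_pbc;` to `goto free_pkt;` fixes the pkt leak only if free_pkt falls through into the free_pbc cleanup; otherwise the pbc buffer that the old label released is now leaked instead. The labels are outside the hunk, so please confirm their order, and consider noting it in the commit message since the change is a single label swap.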
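
Review bot: in the netfilter hunks, the same two-part condition, `skb_mac_header_was_set(skb) && skb_mac_header_len(skb) != 0`, is now open-coded in both __build_packet_message() (nfnetlink_log.c) and nfqnl_build_packet_message() (nfnetlink_queue.c). The history in the commit message shows these two sites already drifting apart once, which is what caused the regression, so a small shared inline helper would keep them in step. The message also says the nfnetlink_log.c case "supposedly" hits the same situation; it would help to say whether that path was actually exercised with looped-back multicast.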