From: Sasha Levin Date: Sun, 30 Jan 2022 15:28:01 +0000 (-0500) Subject: Fixes for 5.4 X-Git-Tag: v5.4.176~20^2~4 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5091e9be78e33b5c8e409aed7883e00458aacc6a;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/arm-9170-1-fix-panic-when-kasan-and-kprobe-are-enabl.patch b/queue-5.4/arm-9170-1-fix-panic-when-kasan-and-kprobe-are-enabl.patch new file mode 100644 index 00000000000..5dce0b690b9 --- /dev/null +++ b/queue-5.4/arm-9170-1-fix-panic-when-kasan-and-kprobe-are-enabl.patch 
@@ -0,0 +1,119 @@ +From cddf7cf8863ae791d77a8a247b569344c888877f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Dec 2021 10:08:23 +0100 +Subject: ARM: 9170/1: fix panic when kasan and kprobe are enabled + +From: sparkhuang + +[ Upstream commit 8b59b0a53c840921b625378f137e88adfa87647e ] + +arm32 uses software to simulate the instruction replaced +by kprobe. some instructions may be simulated by constructing +assembly functions. therefore, before executing instruction +simulation, it is necessary to construct assembly function +execution environment in C language through binding registers. +after kasan is enabled, the register binding relationship will +be destroyed, resulting in instruction simulation errors and +causing kernel panic. + +the kprobe emulate instruction function is distributed in three +files: actions-common.c actions-arm.c actions-thumb.c, so disable +KASAN when compiling these files. + +for example, use kprobe insert on cap_capable+20 after kasan +enabled, the cap_capable assembly code is as follows: +: +e92d47f0 push {r4, r5, r6, r7, r8, r9, sl, lr} +e1a05000 mov r5, r0 +e280006c add r0, r0, #108 ; 0x6c +e1a04001 mov r4, r1 +e1a06002 mov r6, r2 +e59fa090 ldr sl, [pc, #144] ; +ebfc7bf8 bl c03aa4b4 <__asan_load4> +e595706c ldr r7, [r5, #108] ; 0x6c +e2859014 add r9, r5, #20 +...... 
+The emulate_ldr assembly code after enabling kasan is as follows: +c06f1384 : +e92d47f0 push {r4, r5, r6, r7, r8, r9, sl, lr} +e282803c add r8, r2, #60 ; 0x3c +e1a05000 mov r5, r0 +e7e37855 ubfx r7, r5, #16, #4 +e1a00008 mov r0, r8 +e1a09001 mov r9, r1 +e1a04002 mov r4, r2 +ebf35462 bl c03c6530 <__asan_load4> +e357000f cmp r7, #15 +e7e36655 ubfx r6, r5, #12, #4 +e205a00f and sl, r5, #15 +0a000001 beq c06f13bc +e0840107 add r0, r4, r7, lsl #2 +ebf3545c bl c03c6530 <__asan_load4> +e084010a add r0, r4, sl, lsl #2 +ebf3545a bl c03c6530 <__asan_load4> +e2890010 add r0, r9, #16 +ebf35458 bl c03c6530 <__asan_load4> +e5990010 ldr r0, [r9, #16] +e12fff30 blx r0 +e356000f cm r6, #15 +1a000014 bne c06f1430 +e1a06000 mov r6, r0 +e2840040 add r0, r4, #64 ; 0x40 +...... + +when running in emulate_ldr to simulate the ldr instruction, panic +occurred, and the log is as follows: +Unable to handle kernel NULL pointer dereference at virtual address +00000090 +pgd = ecb46400 +[00000090] *pgd=2e0fa003, *pmd=00000000 +Internal error: Oops: 206 [#1] SMP ARM +PC is at cap_capable+0x14/0xb0 +LR is at emulate_ldr+0x50/0xc0 +psr: 600d0293 sp : ecd63af8 ip : 00000004 fp : c0a7c30c +r10: 00000000 r9 : c30897f4 r8 : ecd63cd4 +r7 : 0000000f r6 : 0000000a r5 : e59fa090 r4 : ecd63c98 +r3 : c06ae294 r2 : 00000000 r1 : b7611300 r0 : bf4ec008 +Flags: nZCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment user +Control: 32c5387d Table: 2d546400 DAC: 55555555 +Process bash (pid: 1643, stack limit = 0xecd60190) +(cap_capable) from (kprobe_handler+0x218/0x340) +(kprobe_handler) from (kprobe_trap_handler+0x24/0x48) +(kprobe_trap_handler) from (do_undefinstr+0x13c/0x364) +(do_undefinstr) from (__und_svc_finish+0x0/0x30) +(__und_svc_finish) from (cap_capable+0x18/0xb0) +(cap_capable) from (cap_vm_enough_memory+0x38/0x48) +(cap_vm_enough_memory) from +(security_vm_enough_memory_mm+0x48/0x6c) +(security_vm_enough_memory_mm) from +(copy_process.constprop.5+0x16b4/0x25c8) +(copy_process.constprop.5) from 
(_do_fork+0xe8/0x55c) +(_do_fork) from (SyS_clone+0x1c/0x24) +(SyS_clone) from (__sys_trace_return+0x0/0x10) +Code: 0050a0e1 6c0080e2 0140a0e1 0260a0e1 (f801f0e7) + +Fixes: 35aa1df43283 ("ARM kprobes: instruction single-stepping support") +Fixes: 421015713b30 ("ARM: 9017/2: Enable KASan for ARM") +Signed-off-by: huangshaobo +Acked-by: Ard Biesheuvel +Signed-off-by: Russell King (Oracle) +Signed-off-by: Sasha Levin +--- + arch/arm/probes/kprobes/Makefile | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/arm/probes/kprobes/Makefile b/arch/arm/probes/kprobes/Makefile +index 14db56f49f0a3..6159010dac4a6 100644 +--- a/arch/arm/probes/kprobes/Makefile ++++ b/arch/arm/probes/kprobes/Makefile +@@ -1,4 +1,7 @@ + # SPDX-License-Identifier: GPL-2.0 ++KASAN_SANITIZE_actions-common.o := n ++KASAN_SANITIZE_actions-arm.o := n ++KASAN_SANITIZE_actions-thumb.o := n + obj-$(CONFIG_KPROBES) += core.o actions-common.o checkers-common.o + obj-$(CONFIG_ARM_KPROBES_TEST) += test-kprobes.o + test-kprobes-objs := test-core.o +-- +2.34.1 + diff --git a/queue-5.4/drm-msm-dsi-fix-missing-put_device-call-in-dsi_get_p.patch b/queue-5.4/drm-msm-dsi-fix-missing-put_device-call-in-dsi_get_p.patch new file mode 100644 index 00000000000..b5f8cb8a901 --- /dev/null +++ b/queue-5.4/drm-msm-dsi-fix-missing-put_device-call-in-dsi_get_p.patch 
@@ -0,0 +1,44 @@ +From eb2ae255ae077d3b38ad38c01326871a9575a720 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Dec 2021 07:09:40 +0000 +Subject: drm/msm/dsi: Fix missing put_device() call in dsi_get_phy + +From: Miaoqian Lin + +[ Upstream commit c04c3148ca12227d92f91b355b4538cc333c9922 ] + +If of_find_device_by_node() succeeds, dsi_get_phy() doesn't +a corresponding put_device(). Thus add put_device() to fix the exception +handling. + +Fixes: ec31abf ("drm/msm/dsi: Separate PHY to another platform device") +Signed-off-by: Miaoqian Lin +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20211230070943.18116-1-linmq006@gmail.com +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dsi/dsi.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/dsi/dsi.c b/drivers/gpu/drm/msm/dsi/dsi.c +index a11b98e990019..16194971a99f9 100644 +--- a/drivers/gpu/drm/msm/dsi/dsi.c ++++ b/drivers/gpu/drm/msm/dsi/dsi.c +@@ -33,7 +33,12 @@ static int dsi_get_phy(struct msm_dsi *msm_dsi) + + of_node_put(phy_node); + +- if (!phy_pdev || !msm_dsi->phy) { ++ if (!phy_pdev) { ++ DRM_DEV_ERROR(&pdev->dev, "%s: phy driver is not ready\n", __func__); ++ return -EPROBE_DEFER; ++ } ++ if (!msm_dsi->phy) { ++ put_device(&phy_pdev->dev); + DRM_DEV_ERROR(&pdev->dev, "%s: phy driver is not ready\n", __func__); + return -EPROBE_DEFER; + } +-- +2.34.1 + diff --git a/queue-5.4/drm-msm-dsi-invalid-parameter-check-in-msm_dsi_phy_e.patch b/queue-5.4/drm-msm-dsi-invalid-parameter-check-in-msm_dsi_phy_e.patch new file mode 100644 index 00000000000..532aa638eba --- /dev/null +++ b/queue-5.4/drm-msm-dsi-invalid-parameter-check-in-msm_dsi_phy_e.patch 
@@ -0,0 +1,52 @@ +From 4f017c1c8f5bda120f6b4c1407253ffe0b804cc1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 16 Jan 2022 19:18:44 +0100 +Subject: drm/msm/dsi: invalid parameter check in msm_dsi_phy_enable +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: José Expósito + +[ Upstream commit 5e761a2287234bc402ba7ef07129f5103bcd775c ] + +The function performs a check on the "phy" input parameter, however, it +is used before the check. + +Initialize the "dev" variable after the sanity check to avoid a possible +NULL pointer dereference. + +Fixes: 5c8290284402b ("drm/msm/dsi: Split PHY drivers to separate files") +Addresses-Coverity-ID: 1493860 ("Null pointer dereference") +Signed-off-by: José Expósito +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20220116181844.7400-1-jose.exposito89@gmail.com +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dsi/phy/dsi_phy.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/dsi/phy/dsi_phy.c b/drivers/gpu/drm/msm/dsi/phy/dsi_phy.c +index 21519229fe73a..60d50643d0b5c 100644 +--- a/drivers/gpu/drm/msm/dsi/phy/dsi_phy.c ++++ b/drivers/gpu/drm/msm/dsi/phy/dsi_phy.c +@@ -665,12 +665,14 @@ void __exit msm_dsi_phy_driver_unregister(void) + int msm_dsi_phy_enable(struct msm_dsi_phy *phy, int src_pll_id, + struct msm_dsi_phy_clk_request *clk_req) + { +- struct device *dev = &phy->pdev->dev; ++ struct device *dev; + int ret; + + if (!phy || !phy->cfg->ops.enable) + return -EINVAL; + ++ dev = &phy->pdev->dev; ++ + ret = dsi_phy_enable_resource(phy); + if (ret) { + DRM_DEV_ERROR(dev, "%s: resource enable failed, %d\n", +-- +2.34.1 + diff --git a/queue-5.4/drm-msm-fix-wrong-size-calculation.patch b/queue-5.4/drm-msm-fix-wrong-size-calculation.patch new file mode 100644 index 00000000000..7580681d81d --- /dev/null +++ b/queue-5.4/drm-msm-fix-wrong-size-calculation.patch 
@@ -0,0 +1,46 @@ +From a12b145243dec28a9681f2e7b506d2a9d93f9e2d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Jan 2022 20:33:34 +0800 +Subject: drm/msm: Fix wrong size calculation + +From: Xianting Tian + +[ Upstream commit 0a727b459ee39bd4c5ced19d6024258ac87b6b2e ] + +For example, memory-region in .dts as below, + reg = <0x0 0x50000000 0x0 0x20000000> + +We can get below values, +struct resource r; +r.start = 0x50000000; +r.end = 0x6fffffff; + +So the size should be: +size = r.end - r.start + 1 = 0x20000000 + +Signed-off-by: Xianting Tian +Fixes: 072f1f9168ed ("drm/msm: add support for "stolen" mem") +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20220112123334.749776-1-xianting.tian@linux.alibaba.com +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/msm_drv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/msm_drv.c b/drivers/gpu/drm/msm/msm_drv.c +index 7443df77cadb5..407b51cf67909 100644 +--- a/drivers/gpu/drm/msm/msm_drv.c ++++ b/drivers/gpu/drm/msm/msm_drv.c +@@ -337,7 +337,7 @@ static int msm_init_vram(struct drm_device *dev) + of_node_put(node); + if (ret) + return ret; +- size = r.end - r.start; ++ size = r.end - r.start + 1; + DRM_INFO("using VRAM carveout: %lx@%pa\n", size, &r.start); + + /* if we have no IOMMU, then we need to use carveout allocator. +-- +2.34.1 + diff --git a/queue-5.4/drm-msm-hdmi-fix-missing-put_device-call-in-msm_hdmi.patch b/queue-5.4/drm-msm-hdmi-fix-missing-put_device-call-in-msm_hdmi.patch new file mode 100644 index 00000000000..42d49578530 --- /dev/null +++ b/queue-5.4/drm-msm-hdmi-fix-missing-put_device-call-in-msm_hdmi.patch 
@@ -0,0 +1,47 @@ +From 460e60dd42dfd47289537e1e4b130df4a3e62c88 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Jan 2022 08:50:22 +0000 +Subject: drm/msm/hdmi: Fix missing put_device() call in msm_hdmi_get_phy + +From: Miaoqian Lin + +[ Upstream commit 774fe0cd838d1b1419d41ab4ea0613c80d4ecbd7 ] + +The reference taken by 'of_find_device_by_node()' must be released when +not needed anymore. +Add the corresponding 'put_device()' in the error handling path. + +Fixes: e00012b256d4 ("drm/msm/hdmi: Make HDMI core get its PHY") +Signed-off-by: Miaoqian Lin +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20220107085026.23831-1-linmq006@gmail.com +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/hdmi/hdmi.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/hdmi/hdmi.c b/drivers/gpu/drm/msm/hdmi/hdmi.c +index 355afb936401a..1a7e77373407f 100644 +--- a/drivers/gpu/drm/msm/hdmi/hdmi.c ++++ b/drivers/gpu/drm/msm/hdmi/hdmi.c +@@ -97,10 +97,15 @@ static int msm_hdmi_get_phy(struct hdmi *hdmi) + + of_node_put(phy_node); + +- if (!phy_pdev || !hdmi->phy) { ++ if (!phy_pdev) { + DRM_DEV_ERROR(&pdev->dev, "phy driver is not ready\n"); + return -EPROBE_DEFER; + } ++ if (!hdmi->phy) { ++ DRM_DEV_ERROR(&pdev->dev, "phy driver is not ready\n"); ++ put_device(&phy_pdev->dev); ++ return -EPROBE_DEFER; ++ } + + hdmi->phy_dev = get_device(&phy_pdev->dev); + +-- +2.34.1 + diff --git a/queue-5.4/hwmon-lm90-mark-alert-as-broken-for-max6646-6647-664.patch b/queue-5.4/hwmon-lm90-mark-alert-as-broken-for-max6646-6647-664.patch new file mode 100644 index 00000000000..664b006f933 --- /dev/null +++ b/queue-5.4/hwmon-lm90-mark-alert-as-broken-for-max6646-6647-664.patch 
@@ -0,0 +1,36 @@ +From 5a6ca25432f3eba61b494075143e617c88dcee2b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Jan 2022 12:36:41 -0800 +Subject: hwmon: (lm90) Mark alert as broken for MAX6646/6647/6649 + +From: Guenter Roeck + +[ Upstream commit f614629f9c1080dcc844a8430e3fb4c37ebbf05d ] + +Experiments with MAX6646 and MAX6648 show that the alert function of those +chips is broken, similar to other chips supported by the lm90 driver. +Mark it accordingly. + +Fixes: 4667bcb8d8fc ("hwmon: (lm90) Introduce chip parameter structure") +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/lm90.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hwmon/lm90.c b/drivers/hwmon/lm90.c +index 53364e8d1dbff..b62763a85d6e4 100644 +--- a/drivers/hwmon/lm90.c ++++ b/drivers/hwmon/lm90.c +@@ -394,7 +394,7 @@ static const struct lm90_params lm90_params[] = { + .max_convrate = 9, + }, + [max6646] = { +- .flags = LM90_HAVE_CRIT, ++ .flags = LM90_HAVE_CRIT | LM90_HAVE_BROKEN_ALERT, + .alert_alarms = 0x7c, + .max_convrate = 6, + .reg_local_ext = MAX6657_REG_R_LOCAL_TEMPL, +-- +2.34.1 + diff --git a/queue-5.4/hwmon-lm90-mark-alert-as-broken-for-max6654.patch b/queue-5.4/hwmon-lm90-mark-alert-as-broken-for-max6654.patch new file mode 100644 index 00000000000..3d19cd52e94 --- /dev/null +++ b/queue-5.4/hwmon-lm90-mark-alert-as-broken-for-max6654.patch 
@@ -0,0 +1,35 @@ +From 0ea5a17b399fb25d3a3a4fa96dada9162422159b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Jan 2022 11:05:23 -0800 +Subject: hwmon: (lm90) Mark alert as broken for MAX6654 + +From: Guenter Roeck + +[ Upstream commit a53fff96f35763d132a36c620b183fdf11022d7a ] + +Experiments with MAX6654 show that its alert function is broken, +similar to other chips supported by the lm90 driver. Mark it accordingly. + +Fixes: 229d495d8189 ("hwmon: (lm90) Add max6654 support to lm90 driver") +Cc: Josh Lehan +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/lm90.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/hwmon/lm90.c b/drivers/hwmon/lm90.c +index 0e3304d1c3f28..28b408728282d 100644 +--- a/drivers/hwmon/lm90.c ++++ b/drivers/hwmon/lm90.c +@@ -400,6 +400,7 @@ static const struct lm90_params lm90_params[] = { + .reg_local_ext = MAX6657_REG_R_LOCAL_TEMPL, + }, + [max6654] = { ++ .flags = LM90_HAVE_BROKEN_ALERT, + .alert_alarms = 0x7c, + .max_convrate = 7, + .reg_local_ext = MAX6657_REG_R_LOCAL_TEMPL, +-- +2.34.1 + diff --git a/queue-5.4/hwmon-lm90-mark-alert-as-broken-for-max6680.patch b/queue-5.4/hwmon-lm90-mark-alert-as-broken-for-max6680.patch new file mode 100644 index 00000000000..07729eeebcf --- /dev/null +++ b/queue-5.4/hwmon-lm90-mark-alert-as-broken-for-max6680.patch 
@@ -0,0 +1,36 @@ +From 795617baa42aa9f6ecde5f450020217222aee351 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Jan 2022 11:11:00 -0800 +Subject: hwmon: (lm90) Mark alert as broken for MAX6680 + +From: Guenter Roeck + +[ Upstream commit 94746b0ba479743355e0d3cc1cb9cfe3011fb8be ] + +Experiments with MAX6680 and MAX6681 show that the alert function of those +chips is broken, similar to other chips supported by the lm90 driver. +Mark it accordingly. + +Fixes: 4667bcb8d8fc ("hwmon: (lm90) Introduce chip parameter structure") +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/lm90.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hwmon/lm90.c b/drivers/hwmon/lm90.c +index 28b408728282d..53364e8d1dbff 100644 +--- a/drivers/hwmon/lm90.c ++++ b/drivers/hwmon/lm90.c +@@ -419,7 +419,7 @@ static const struct lm90_params lm90_params[] = { + }, + [max6680] = { + .flags = LM90_HAVE_OFFSET | LM90_HAVE_CRIT +- | LM90_HAVE_CRIT_ALRM_SWP, ++ | LM90_HAVE_CRIT_ALRM_SWP | LM90_HAVE_BROKEN_ALERT, + .alert_alarms = 0x7c, + .max_convrate = 7, + }, +-- +2.34.1 + diff --git a/queue-5.4/hwmon-lm90-reduce-maximum-conversion-rate-for-g781.patch b/queue-5.4/hwmon-lm90-reduce-maximum-conversion-rate-for-g781.patch new file mode 100644 index 00000000000..6d921c12fb8 --- /dev/null +++ b/queue-5.4/hwmon-lm90-reduce-maximum-conversion-rate-for-g781.patch 
@@ -0,0 +1,44 @@ +From 3f92e9e1ed431a073d4c0b1f16179d27b0dab624 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Jan 2022 11:48:52 -0800 +Subject: hwmon: (lm90) Reduce maximum conversion rate for G781 + +From: Guenter Roeck + +[ Upstream commit a66c5ed539277b9f2363bbace0dba88b85b36c26 ] + +According to its datasheet, G781 supports a maximum conversion rate value +of 8 (62.5 ms). However, chips labeled G781 and G780 were found to only +support a maximum conversion rate value of 7 (125 ms). On the other side, +chips labeled G781-1 and G784 were found to support a conversion rate value +of 8. There is no known means to distinguish G780 from G781 or G784; all +chips report the same manufacturer ID and chip revision. +Setting the conversion rate register value to 8 on chips not supporting +it causes unexpected behavior since the real conversion rate is set to 0 +(16 seconds) if a value of 8 is written into the conversion rate register. +Limit the conversion rate register value to 7 for all G78x chips to avoid +the problem. + +Fixes: ae544f64cc7b ("hwmon: (lm90) Add support for GMT G781") +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/lm90.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hwmon/lm90.c b/drivers/hwmon/lm90.c +index 9abb4507f572b..0e3304d1c3f28 100644 +--- a/drivers/hwmon/lm90.c ++++ b/drivers/hwmon/lm90.c +@@ -373,7 +373,7 @@ static const struct lm90_params lm90_params[] = { + .flags = LM90_HAVE_OFFSET | LM90_HAVE_REM_LIMIT_EXT + | LM90_HAVE_BROKEN_ALERT | LM90_HAVE_CRIT, + .alert_alarms = 0x7c, +- .max_convrate = 8, ++ .max_convrate = 7, + }, + [lm86] = { + .flags = LM90_HAVE_OFFSET | LM90_HAVE_REM_LIMIT_EXT +-- +2.34.1 + diff --git a/queue-5.4/ibmvnic-don-t-spin-in-tasklet.patch b/queue-5.4/ibmvnic-don-t-spin-in-tasklet.patch new file mode 100644 index 00000000000..671af809845 --- /dev/null +++ b/queue-5.4/ibmvnic-don-t-spin-in-tasklet.patch 
@@ -0,0 +1,47 @@ +From acc30d4db640544dd49af176c5238799cf49a396 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Jan 2022 18:59:20 -0800 +Subject: ibmvnic: don't spin in tasklet + +From: Sukadev Bhattiprolu + +[ Upstream commit 48079e7fdd0269d66b1d7d66ae88bd03162464ad ] + +ibmvnic_tasklet() continuously spins waiting for responses to all +capability requests. It does this to avoid encountering an error +during initialization of the vnic. However if there is a bug in the +VIOS and we do not receive a response to one or more queries the +tasklet ends up spinning continuously leading to hard lock ups. + +If we fail to receive a message from the VIOS it is reasonable to +timeout the login attempt rather than spin indefinitely in the tasklet. + +Fixes: 249168ad07cd ("ibmvnic: Make CRQ interrupt tasklet wait for all capabilities crqs") +Signed-off-by: Sukadev Bhattiprolu +Reviewed-by: Dany Madden +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ibm/ibmvnic.c | 6 ------ + 1 file changed, 6 deletions(-) + +diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c +index 6ecbe70614378..26d49dcdbeb3e 100644 +--- a/drivers/net/ethernet/ibm/ibmvnic.c ++++ b/drivers/net/ethernet/ibm/ibmvnic.c +@@ -4823,12 +4823,6 @@ static void ibmvnic_tasklet(void *data) + ibmvnic_handle_crq(crq, adapter); + crq->generic.first = 0; + } +- +- /* remain in tasklet until all +- * capabilities responses are received +- */ +- if (!adapter->wait_capability) +- done = true; + } + /* if capabilities CRQ's were sent in this tasklet, the following + * tasklet must wait until all responses are received +-- +2.34.1 + diff --git a/queue-5.4/ibmvnic-init-running_cap_crqs-early.patch b/queue-5.4/ibmvnic-init-running_cap_crqs-early.patch new file mode 100644 index 00000000000..84d548cc7ba --- /dev/null +++ b/queue-5.4/ibmvnic-init-running_cap_crqs-early.patch 
@@ -0,0 +1,327 @@ +From 5d77f8bd205577fbf6bc77881778532a19ba0cf6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Jan 2022 18:59:19 -0800 +Subject: ibmvnic: init ->running_cap_crqs early + +From: Sukadev Bhattiprolu + +[ Upstream commit 151b6a5c06b678687f64f2d9a99fd04d5cd32b72 ] + +We use ->running_cap_crqs to determine when the ibmvnic_tasklet() should +send out the next protocol message type. i.e when we get back responses +to all our QUERY_CAPABILITY CRQs we send out REQUEST_CAPABILITY crqs. +Similiary, when we get responses to all the REQUEST_CAPABILITY crqs, we +send out the QUERY_IP_OFFLOAD CRQ. + +We currently increment ->running_cap_crqs as we send out each CRQ and +have the ibmvnic_tasklet() send out the next message type, when this +running_cap_crqs count drops to 0. + +This assumes that all the CRQs of the current type were sent out before +the count drops to 0. However it is possible that we send out say 6 CRQs, +get preempted and receive all the 6 responses before we send out the +remaining CRQs. This can result in ->running_cap_crqs count dropping to +zero before all messages of the current type were sent and we end up +sending the next protocol message too early. + +Instead initialize the ->running_cap_crqs upfront so the tasklet will +only send the next protocol message after all responses are received. + +Use the cap_reqs local variable to also detect any discrepancy (either +now or in future) in the number of capability requests we actually send. + +Currently only send_query_cap() is affected by this behavior (of sending +next message early) since it is called from the worker thread (during +reset) and from application thread (during ->ndo_open()) and they can be +preempted. send_request_cap() is only called from the tasklet which +processes CRQ responses sequentially, is not be affected. But to +maintain the existing symmtery with send_query_capability() we update +send_request_capability() also. 
+ +Fixes: 249168ad07cd ("ibmvnic: Make CRQ interrupt tasklet wait for all capabilities crqs") +Signed-off-by: Sukadev Bhattiprolu +Reviewed-by: Dany Madden +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ibm/ibmvnic.c | 106 +++++++++++++++++++---------- + 1 file changed, 71 insertions(+), 35 deletions(-) + +diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c +index 9adfc0a7ab823..6ecbe70614378 100644 +--- a/drivers/net/ethernet/ibm/ibmvnic.c ++++ b/drivers/net/ethernet/ibm/ibmvnic.c +@@ -3258,11 +3258,25 @@ static void ibmvnic_send_req_caps(struct ibmvnic_adapter *adapter, int retry) + struct device *dev = &adapter->vdev->dev; + union ibmvnic_crq crq; + int max_entries; ++ int cap_reqs; ++ ++ /* We send out 6 or 7 REQUEST_CAPABILITY CRQs below (depending on ++ * the PROMISC flag). Initialize this count upfront. When the tasklet ++ * receives a response to all of these, it will send the next protocol ++ * message (QUERY_IP_OFFLOAD). 
++ */ ++ if (!(adapter->netdev->flags & IFF_PROMISC) || ++ adapter->promisc_supported) ++ cap_reqs = 7; ++ else ++ cap_reqs = 6; + + if (!retry) { + /* Sub-CRQ entries are 32 byte long */ + int entries_page = 4 * PAGE_SIZE / (sizeof(u64) * 4); + ++ atomic_set(&adapter->running_cap_crqs, cap_reqs); ++ + if (adapter->min_tx_entries_per_subcrq > entries_page || + adapter->min_rx_add_entries_per_subcrq > entries_page) { + dev_err(dev, "Fatal, invalid entries per sub-crq\n"); +@@ -3323,44 +3337,45 @@ static void ibmvnic_send_req_caps(struct ibmvnic_adapter *adapter, int retry) + adapter->opt_rx_comp_queues; + + adapter->req_rx_add_queues = adapter->max_rx_add_queues; ++ } else { ++ atomic_add(cap_reqs, &adapter->running_cap_crqs); + } +- + memset(&crq, 0, sizeof(crq)); + crq.request_capability.first = IBMVNIC_CRQ_CMD; + crq.request_capability.cmd = REQUEST_CAPABILITY; + + crq.request_capability.capability = cpu_to_be16(REQ_TX_QUEUES); + crq.request_capability.number = cpu_to_be64(adapter->req_tx_queues); +- atomic_inc(&adapter->running_cap_crqs); ++ cap_reqs--; + ibmvnic_send_crq(adapter, &crq); + + crq.request_capability.capability = cpu_to_be16(REQ_RX_QUEUES); + crq.request_capability.number = cpu_to_be64(adapter->req_rx_queues); +- atomic_inc(&adapter->running_cap_crqs); ++ cap_reqs--; + ibmvnic_send_crq(adapter, &crq); + + crq.request_capability.capability = cpu_to_be16(REQ_RX_ADD_QUEUES); + crq.request_capability.number = cpu_to_be64(adapter->req_rx_add_queues); +- atomic_inc(&adapter->running_cap_crqs); ++ cap_reqs--; + ibmvnic_send_crq(adapter, &crq); + + crq.request_capability.capability = + cpu_to_be16(REQ_TX_ENTRIES_PER_SUBCRQ); + crq.request_capability.number = + cpu_to_be64(adapter->req_tx_entries_per_subcrq); +- atomic_inc(&adapter->running_cap_crqs); ++ cap_reqs--; + ibmvnic_send_crq(adapter, &crq); + + crq.request_capability.capability = + cpu_to_be16(REQ_RX_ADD_ENTRIES_PER_SUBCRQ); + crq.request_capability.number = + 
cpu_to_be64(adapter->req_rx_add_entries_per_subcrq); +- atomic_inc(&adapter->running_cap_crqs); ++ cap_reqs--; + ibmvnic_send_crq(adapter, &crq); + + crq.request_capability.capability = cpu_to_be16(REQ_MTU); + crq.request_capability.number = cpu_to_be64(adapter->req_mtu); +- atomic_inc(&adapter->running_cap_crqs); ++ cap_reqs--; + ibmvnic_send_crq(adapter, &crq); + + if (adapter->netdev->flags & IFF_PROMISC) { +@@ -3368,16 +3383,21 @@ static void ibmvnic_send_req_caps(struct ibmvnic_adapter *adapter, int retry) + crq.request_capability.capability = + cpu_to_be16(PROMISC_REQUESTED); + crq.request_capability.number = cpu_to_be64(1); +- atomic_inc(&adapter->running_cap_crqs); ++ cap_reqs--; + ibmvnic_send_crq(adapter, &crq); + } + } else { + crq.request_capability.capability = + cpu_to_be16(PROMISC_REQUESTED); + crq.request_capability.number = cpu_to_be64(0); +- atomic_inc(&adapter->running_cap_crqs); ++ cap_reqs--; + ibmvnic_send_crq(adapter, &crq); + } ++ ++ /* Keep at end to catch any discrepancy between expected and actual ++ * CRQs sent. ++ */ ++ WARN_ON(cap_reqs != 0); + } + + static int pending_scrq(struct ibmvnic_adapter *adapter, +@@ -3782,118 +3802,132 @@ static void send_map_query(struct ibmvnic_adapter *adapter) + static void send_cap_queries(struct ibmvnic_adapter *adapter) + { + union ibmvnic_crq crq; ++ int cap_reqs; ++ ++ /* We send out 25 QUERY_CAPABILITY CRQs below. Initialize this count ++ * upfront. When the tasklet receives a response to all of these, it ++ * can send out the next protocol messaage (REQUEST_CAPABILITY). 
++ */ ++ cap_reqs = 25; ++ ++ atomic_set(&adapter->running_cap_crqs, cap_reqs); + +- atomic_set(&adapter->running_cap_crqs, 0); + memset(&crq, 0, sizeof(crq)); + crq.query_capability.first = IBMVNIC_CRQ_CMD; + crq.query_capability.cmd = QUERY_CAPABILITY; + + crq.query_capability.capability = cpu_to_be16(MIN_TX_QUEUES); +- atomic_inc(&adapter->running_cap_crqs); + ibmvnic_send_crq(adapter, &crq); ++ cap_reqs--; + + crq.query_capability.capability = cpu_to_be16(MIN_RX_QUEUES); +- atomic_inc(&adapter->running_cap_crqs); + ibmvnic_send_crq(adapter, &crq); ++ cap_reqs--; + + crq.query_capability.capability = cpu_to_be16(MIN_RX_ADD_QUEUES); +- atomic_inc(&adapter->running_cap_crqs); + ibmvnic_send_crq(adapter, &crq); ++ cap_reqs--; + + crq.query_capability.capability = cpu_to_be16(MAX_TX_QUEUES); +- atomic_inc(&adapter->running_cap_crqs); + ibmvnic_send_crq(adapter, &crq); ++ cap_reqs--; + + crq.query_capability.capability = cpu_to_be16(MAX_RX_QUEUES); +- atomic_inc(&adapter->running_cap_crqs); + ibmvnic_send_crq(adapter, &crq); ++ cap_reqs--; + + crq.query_capability.capability = cpu_to_be16(MAX_RX_ADD_QUEUES); +- atomic_inc(&adapter->running_cap_crqs); + ibmvnic_send_crq(adapter, &crq); ++ cap_reqs--; + + crq.query_capability.capability = + cpu_to_be16(MIN_TX_ENTRIES_PER_SUBCRQ); +- atomic_inc(&adapter->running_cap_crqs); + ibmvnic_send_crq(adapter, &crq); ++ cap_reqs--; + + crq.query_capability.capability = + cpu_to_be16(MIN_RX_ADD_ENTRIES_PER_SUBCRQ); +- atomic_inc(&adapter->running_cap_crqs); + ibmvnic_send_crq(adapter, &crq); ++ cap_reqs--; + + crq.query_capability.capability = + cpu_to_be16(MAX_TX_ENTRIES_PER_SUBCRQ); +- atomic_inc(&adapter->running_cap_crqs); + ibmvnic_send_crq(adapter, &crq); ++ cap_reqs--; + + crq.query_capability.capability = + cpu_to_be16(MAX_RX_ADD_ENTRIES_PER_SUBCRQ); +- atomic_inc(&adapter->running_cap_crqs); + ibmvnic_send_crq(adapter, &crq); ++ cap_reqs--; + + crq.query_capability.capability = cpu_to_be16(TCP_IP_OFFLOAD); +- 
atomic_inc(&adapter->running_cap_crqs); + ibmvnic_send_crq(adapter, &crq); ++ cap_reqs--; + + crq.query_capability.capability = cpu_to_be16(PROMISC_SUPPORTED); +- atomic_inc(&adapter->running_cap_crqs); + ibmvnic_send_crq(adapter, &crq); ++ cap_reqs--; + + crq.query_capability.capability = cpu_to_be16(MIN_MTU); +- atomic_inc(&adapter->running_cap_crqs); + ibmvnic_send_crq(adapter, &crq); ++ cap_reqs--; + + crq.query_capability.capability = cpu_to_be16(MAX_MTU); +- atomic_inc(&adapter->running_cap_crqs); + ibmvnic_send_crq(adapter, &crq); ++ cap_reqs--; + + crq.query_capability.capability = cpu_to_be16(MAX_MULTICAST_FILTERS); +- atomic_inc(&adapter->running_cap_crqs); + ibmvnic_send_crq(adapter, &crq); ++ cap_reqs--; + + crq.query_capability.capability = cpu_to_be16(VLAN_HEADER_INSERTION); +- atomic_inc(&adapter->running_cap_crqs); + ibmvnic_send_crq(adapter, &crq); ++ cap_reqs--; + + crq.query_capability.capability = cpu_to_be16(RX_VLAN_HEADER_INSERTION); +- atomic_inc(&adapter->running_cap_crqs); + ibmvnic_send_crq(adapter, &crq); ++ cap_reqs--; + + crq.query_capability.capability = cpu_to_be16(MAX_TX_SG_ENTRIES); +- atomic_inc(&adapter->running_cap_crqs); + ibmvnic_send_crq(adapter, &crq); ++ cap_reqs--; + + crq.query_capability.capability = cpu_to_be16(RX_SG_SUPPORTED); +- atomic_inc(&adapter->running_cap_crqs); + ibmvnic_send_crq(adapter, &crq); ++ cap_reqs--; + + crq.query_capability.capability = cpu_to_be16(OPT_TX_COMP_SUB_QUEUES); +- atomic_inc(&adapter->running_cap_crqs); + ibmvnic_send_crq(adapter, &crq); ++ cap_reqs--; + + crq.query_capability.capability = cpu_to_be16(OPT_RX_COMP_QUEUES); +- atomic_inc(&adapter->running_cap_crqs); + ibmvnic_send_crq(adapter, &crq); ++ cap_reqs--; + + crq.query_capability.capability = + cpu_to_be16(OPT_RX_BUFADD_Q_PER_RX_COMP_Q); +- atomic_inc(&adapter->running_cap_crqs); + ibmvnic_send_crq(adapter, &crq); ++ cap_reqs--; + + crq.query_capability.capability = + cpu_to_be16(OPT_TX_ENTRIES_PER_SUBCRQ); +- 
atomic_inc(&adapter->running_cap_crqs); + ibmvnic_send_crq(adapter, &crq); ++ cap_reqs--; + + crq.query_capability.capability = + cpu_to_be16(OPT_RXBA_ENTRIES_PER_SUBCRQ); +- atomic_inc(&adapter->running_cap_crqs); + ibmvnic_send_crq(adapter, &crq); ++ cap_reqs--; + + crq.query_capability.capability = cpu_to_be16(TX_RX_DESC_REQ); +- atomic_inc(&adapter->running_cap_crqs); ++ + ibmvnic_send_crq(adapter, &crq); ++ cap_reqs--; ++ ++ /* Keep at end to catch any discrepancy between expected and actual ++ * CRQs sent. ++ */ ++ WARN_ON(cap_reqs != 0); + } + + static void handle_vpd_size_rsp(union ibmvnic_crq *crq, +@@ -4160,6 +4194,8 @@ static void handle_request_cap_rsp(union ibmvnic_crq *crq, + char *name; + + atomic_dec(&adapter->running_cap_crqs); ++ netdev_dbg(adapter->netdev, "Outstanding request-caps: %d\n", ++ atomic_read(&adapter->running_cap_crqs)); + switch (be16_to_cpu(crq->request_capability_rsp.capability)) { + case REQ_TX_QUEUES: + req_value = &adapter->req_tx_queues; +-- +2.34.1 + diff --git a/queue-5.4/ipv4-avoid-using-shared-ip-generator-for-connected-s.patch b/queue-5.4/ipv4-avoid-using-shared-ip-generator-for-connected-s.patch new file mode 100644 index 00000000000..96230b36af0 --- /dev/null +++ b/queue-5.4/ipv4-avoid-using-shared-ip-generator-for-connected-s.patch 
@@ -0,0 +1,70 @@ +From 1ca0d2999022beddeded8918ab6471448c0adad5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Jan 2022 17:10:22 -0800 +Subject: ipv4: avoid using shared IP generator for connected sockets + +From: Eric Dumazet + +[ Upstream commit 23f57406b82de51809d5812afd96f210f8b627f3 ] + +ip_select_ident_segs() has been very conservative about using +the connected socket private generator only for packets with IP_DF +set, claiming it was needed for some VJ compression implementations. + +As mentioned in this referenced document, this can be abused. +(Ref: Off-Path TCP Exploits of the Mixed IPID Assignment) + +Before switching to pure random IPID generation and possibly hurt +some workloads, lets use the private inet socket generator. + +Not only this will remove one vulnerability, this will also +improve performance of TCP flows using pmtudisc==IP_PMTUDISC_DONT + +Fixes: 73f156a6e8c1 ("inetpeer: get rid of ip_id_count") +Signed-off-by: Eric Dumazet +Reviewed-by: David Ahern +Reported-by: Ray Che +Cc: Willy Tarreau +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/ip.h | 21 ++++++++++----------- + 1 file changed, 10 insertions(+), 11 deletions(-) + +diff --git a/include/net/ip.h b/include/net/ip.h +index 52abfc00b5e3d..3f3ea86b2173c 100644 +--- a/include/net/ip.h ++++ b/include/net/ip.h +@@ -509,19 +509,18 @@ static inline void ip_select_ident_segs(struct net *net, struct sk_buff *skb, + { + struct iphdr *iph = ip_hdr(skb); + ++ /* We had many attacks based on IPID, use the private ++ * generator as much as we can. ++ */ ++ if (sk && inet_sk(sk)->inet_daddr) { ++ iph->id = htons(inet_sk(sk)->inet_id); ++ inet_sk(sk)->inet_id += segs; ++ return; ++ } + if ((iph->frag_off & htons(IP_DF)) && !skb->ignore_df) { +- /* This is only to work around buggy Windows95/2000 +- * VJ compression implementations. If the ID field +- * does not change, they drop every other packet in +- * a TCP stream using header compression. 
+- */ +- if (sk && inet_sk(sk)->inet_daddr) { +- iph->id = htons(inet_sk(sk)->inet_id); +- inet_sk(sk)->inet_id += segs; +- } else { +- iph->id = 0; +- } ++ iph->id = 0; + } else { ++ /* Unfortunately we need the big hammer to get a suitable IPID */ + __ip_select_ident(net, iph, segs); + } + } +-- +2.34.1 + diff --git a/queue-5.4/ipv4-raw-lock-the-socket-in-raw_bind.patch b/queue-5.4/ipv4-raw-lock-the-socket-in-raw_bind.patch new file mode 100644 index 00000000000..f23fd5e3d52 --- /dev/null +++ b/queue-5.4/ipv4-raw-lock-the-socket-in-raw_bind.patch 
@@ -0,0 +1,78 @@ +From c013e26800e1c439513697a36b7130b0ec2c911b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Jan 2022 16:51:16 -0800 +Subject: ipv4: raw: lock the socket in raw_bind() + +From: Eric Dumazet + +[ Upstream commit 153a0d187e767c68733b8e9f46218eb1f41ab902 ] + +For some reason, raw_bind() forgot to lock the socket. + +BUG: KCSAN: data-race in __ip4_datagram_connect / raw_bind + +write to 0xffff8881170d4308 of 4 bytes by task 5466 on cpu 0: + raw_bind+0x1b0/0x250 net/ipv4/raw.c:739 + inet_bind+0x56/0xa0 net/ipv4/af_inet.c:443 + __sys_bind+0x14b/0x1b0 net/socket.c:1697 + __do_sys_bind net/socket.c:1708 [inline] + __se_sys_bind net/socket.c:1706 [inline] + __x64_sys_bind+0x3d/0x50 net/socket.c:1706 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +read to 0xffff8881170d4308 of 4 bytes by task 5468 on cpu 1: + __ip4_datagram_connect+0xb7/0x7b0 net/ipv4/datagram.c:39 + ip4_datagram_connect+0x2a/0x40 net/ipv4/datagram.c:89 + inet_dgram_connect+0x107/0x190 net/ipv4/af_inet.c:576 + __sys_connect_file net/socket.c:1900 [inline] + __sys_connect+0x197/0x1b0 net/socket.c:1917 + __do_sys_connect net/socket.c:1927 [inline] + __se_sys_connect net/socket.c:1924 [inline] + __x64_sys_connect+0x3d/0x50 net/socket.c:1924 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +value changed: 0x00000000 -> 0x0003007f + +Reported by Kernel Concurrency Sanitizer on: +CPU: 1 PID: 5468 Comm: syz-executor.5 Not tainted 5.17.0-rc1-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/raw.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c +index 3183413ebc6c2..ddc24e57dc555 100644 +--- a/net/ipv4/raw.c ++++ b/net/ipv4/raw.c +@@ -720,6 +720,7 @@ static int raw_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len) + int ret = -EINVAL; + int chk_addr_ret; + ++ lock_sock(sk); + if (sk->sk_state != TCP_CLOSE || addr_len < sizeof(struct sockaddr_in)) + goto out; + +@@ -739,7 +740,9 @@ static int raw_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len) + inet->inet_saddr = 0; /* Use device */ + sk_dst_reset(sk); + ret = 0; +-out: return ret; ++out: ++ release_sock(sk); ++ return ret; + } + + /* +-- +2.34.1 + diff --git a/queue-5.4/ipv4-remove-sparse-error-in-ip_neigh_gw4.patch b/queue-5.4/ipv4-remove-sparse-error-in-ip_neigh_gw4.patch new file mode 100644 index 00000000000..987ce033701 --- /dev/null +++ b/queue-5.4/ipv4-remove-sparse-error-in-ip_neigh_gw4.patch 
@@ -0,0 +1,39 @@ +From acf518445baf78f28bb1b276feb5e2a55d78f249 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Jan 2022 17:34:04 -0800 +Subject: ipv4: remove sparse error in ip_neigh_gw4() + +From: Eric Dumazet + +[ Upstream commit 3c42b2019863b327caa233072c50739d4144dd16 ] + +./include/net/route.h:373:48: warning: incorrect type in argument 2 (different base types) +./include/net/route.h:373:48: expected unsigned int [usertype] key +./include/net/route.h:373:48: got restricted __be32 [usertype] daddr + +Fixes: 5c9f7c1dfc2e ("ipv4: Add helpers for neigh lookup for nexthop") +Signed-off-by: Eric Dumazet +Reviewed-by: David Ahern +Link: https://lore.kernel.org/r/20220127013404.1279313-1-eric.dumazet@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/route.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/net/route.h b/include/net/route.h +index 6c516840380db..b85d1912d84fd 100644 +--- a/include/net/route.h ++++ b/include/net/route.h +@@ -359,7 +359,7 @@ static inline struct neighbour *ip_neigh_gw4(struct net_device *dev, + { + struct neighbour *neigh; + +- neigh = __ipv4_neigh_lookup_noref(dev, daddr); ++ neigh = __ipv4_neigh_lookup_noref(dev, (__force u32)daddr); + if (unlikely(!neigh)) + neigh = __neigh_create(&arp_tbl, &daddr, dev, false); + +-- +2.34.1 + diff --git a/queue-5.4/ipv4-tcp-send-zero-ipid-in-synack-messages.patch b/queue-5.4/ipv4-tcp-send-zero-ipid-in-synack-messages.patch new file mode 100644 index 00000000000..b5d5b9e192f --- /dev/null +++ b/queue-5.4/ipv4-tcp-send-zero-ipid-in-synack-messages.patch 
@@ -0,0 +1,77 @@ +From bdd209b7d4dd78c6b5d31ac7f5f0968118c9ac13 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Jan 2022 17:10:21 -0800 +Subject: ipv4: tcp: send zero IPID in SYNACK messages + +From: Eric Dumazet + +[ Upstream commit 970a5a3ea86da637471d3cd04d513a0755aba4bf ] + +In commit 431280eebed9 ("ipv4: tcp: send zero IPID for RST and +ACK sent in SYN-RECV and TIME-WAIT state") we took care of some +ctl packets sent by TCP. + +It turns out we need to use a similar strategy for SYNACK packets. + +By default, they carry IP_DF and IPID==0, but there are ways +to ask them to use the hashed IP ident generator and thus +be used to build off-path attacks. +(Ref: Off-Path TCP Exploits of the Mixed IPID Assignment) + +One of this way is to force (before listener is started) +echo 1 >/proc/sys/net/ipv4/ip_no_pmtu_disc + +Another way is using forged ICMP ICMP_FRAG_NEEDED +with a very small MTU (like 68) to force a false return from +ip_dont_fragment() + +In this patch, ip_build_and_send_pkt() uses the following +heuristics. + +1) Most SYNACK packets are smaller than IPV4_MIN_MTU and therefore +can use IP_DF regardless of the listener or route pmtu setting. + +2) In case the SYNACK packet is bigger than IPV4_MIN_MTU, +we use prandom_u32() generator instead of the IPv4 hashed ident one. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Reported-by: Ray Che +Reviewed-by: David Ahern +Cc: Geoff Alexander +Cc: Willy Tarreau +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/ip_output.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c +index 0ec529d77a56e..418e939878004 100644 +--- a/net/ipv4/ip_output.c ++++ b/net/ipv4/ip_output.c +@@ -161,12 +161,19 @@ int ip_build_and_send_pkt(struct sk_buff *skb, const struct sock *sk, + iph->daddr = (opt && opt->opt.srr ? 
opt->opt.faddr : daddr); + iph->saddr = saddr; + iph->protocol = sk->sk_protocol; +- if (ip_dont_fragment(sk, &rt->dst)) { ++ /* Do not bother generating IPID for small packets (eg SYNACK) */ ++ if (skb->len <= IPV4_MIN_MTU || ip_dont_fragment(sk, &rt->dst)) { + iph->frag_off = htons(IP_DF); + iph->id = 0; + } else { + iph->frag_off = 0; +- __ip_select_ident(net, iph, 1); ++ /* TCP packets here are SYNACK with fat IPv4/TCP options. ++ * Avoid using the hashed IP ident generator. ++ */ ++ if (sk->sk_protocol == IPPROTO_TCP) ++ iph->id = (__force __be16)prandom_u32(); ++ else ++ __ip_select_ident(net, iph, 1); + } + + if (opt && opt->opt.optlen) { +-- +2.34.1 + diff --git a/queue-5.4/ipv6_tunnel-rate-limit-warning-messages.patch b/queue-5.4/ipv6_tunnel-rate-limit-warning-messages.patch new file mode 100644 index 00000000000..6706a086482 --- /dev/null +++ b/queue-5.4/ipv6_tunnel-rate-limit-warning-messages.patch 
@@ -0,0 +1,51 @@ +From 5fb291a3ed8fd094b105206b055b07606d98e780 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Jan 2022 10:05:46 +0200 +Subject: ipv6_tunnel: Rate limit warning messages + +From: Ido Schimmel + +[ Upstream commit 6cee105e7f2ced596373951d9ea08dacc3883c68 ] + +The warning messages can be invoked from the data path for every packet +transmitted through an ip6gre netdev, leading to high CPU utilization. + +Fix that by rate limiting the messages. + +Fixes: 09c6bbf090ec ("[IPV6]: Do mandatory IPv6 tunnel endpoint checks in realtime") +Reported-by: Maksym Yaremchuk +Tested-by: Maksym Yaremchuk +Signed-off-by: Ido Schimmel +Reviewed-by: Amit Cohen +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/ip6_tunnel.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c +index fd0d1cee2d3f5..878a08c40fffd 100644 +--- a/net/ipv6/ip6_tunnel.c ++++ b/net/ipv6/ip6_tunnel.c +@@ -1000,14 +1000,14 @@ int ip6_tnl_xmit_ctl(struct ip6_tnl *t, + + if (unlikely(!ipv6_chk_addr_and_flags(net, laddr, ldev, false, + 0, IFA_F_TENTATIVE))) +- pr_warn("%s xmit: Local address not yet configured!\n", +- p->name); ++ pr_warn_ratelimited("%s xmit: Local address not yet configured!\n", ++ p->name); + else if (!(p->flags & IP6_TNL_F_ALLOW_LOCAL_REMOTE) && + !ipv6_addr_is_multicast(raddr) && + unlikely(ipv6_chk_addr_and_flags(net, raddr, ldev, + true, 0, IFA_F_TENTATIVE))) +- pr_warn("%s xmit: Routing loop! Remote address found on this node!\n", +- p->name); ++ pr_warn_ratelimited("%s xmit: Routing loop! Remote address found on this node!\n", ++ p->name); + else + ret = 1; + rcu_read_unlock(); +-- +2.34.1 + diff --git a/queue-5.4/net-fix-information-leakage-in-proc-net-ptype.patch b/queue-5.4/net-fix-information-leakage-in-proc-net-ptype.patch new file mode 100644 index 00000000000..f321febd391 --- /dev/null +++ b/queue-5.4/net-fix-information-leakage-in-proc-net-ptype.patch 
@@ -0,0 +1,78 @@ +From b8d07de8672fd144aaea1dbae09faa26db1c8677 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Jan 2022 14:20:13 -0500 +Subject: net: fix information leakage in /proc/net/ptype + +From: Congyu Liu + +[ Upstream commit 47934e06b65637c88a762d9c98329ae6e3238888 ] + +In one net namespace, after creating a packet socket without binding +it to a device, users in other net namespaces can observe the new +`packet_type` added by this packet socket by reading `/proc/net/ptype` +file. This is minor information leakage as packet socket is +namespace aware. + +Add a net pointer in `packet_type` to keep the net namespace of +of corresponding packet socket. In `ptype_seq_show`, this net pointer +must be checked when it is not NULL. + +Fixes: 2feb27dbe00c ("[NETNS]: Minor information leak via /proc/net/ptype file.") +Signed-off-by: Congyu Liu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/linux/netdevice.h | 1 + + net/core/net-procfs.c | 3 ++- + net/packet/af_packet.c | 2 ++ + 3 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h +index 4860944e936db..288a586782563 100644 +--- a/include/linux/netdevice.h ++++ b/include/linux/netdevice.h +@@ -2397,6 +2397,7 @@ struct packet_type { + struct net_device *); + bool (*id_match)(struct packet_type *ptype, + struct sock *sk); ++ struct net *af_packet_net; + void *af_packet_priv; + struct list_head list; + }; +diff --git a/net/core/net-procfs.c b/net/core/net-procfs.c +index 36347933ec3af..f1e005c8a54f9 100644 +--- a/net/core/net-procfs.c ++++ b/net/core/net-procfs.c +@@ -252,7 +252,8 @@ static int ptype_seq_show(struct seq_file *seq, void *v) + + if (v == SEQ_START_TOKEN) + seq_puts(seq, "Type Device Function\n"); +- else if (pt->dev == NULL || dev_net(pt->dev) == seq_file_net(seq)) { ++ else if ((!pt->af_packet_net || net_eq(pt->af_packet_net, seq_file_net(seq))) && ++ (!pt->dev || net_eq(dev_net(pt->dev), 
seq_file_net(seq)))) { + if (pt->type == htons(ETH_P_ALL)) + seq_puts(seq, "ALL "); + else +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index 6062bd5bf132b..839e1caa57a59 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -1715,6 +1715,7 @@ static int fanout_add(struct sock *sk, u16 id, u16 type_flags) + match->prot_hook.dev = po->prot_hook.dev; + match->prot_hook.func = packet_rcv_fanout; + match->prot_hook.af_packet_priv = match; ++ match->prot_hook.af_packet_net = read_pnet(&match->net); + match->prot_hook.id_match = match_fanout_group; + list_add(&match->list, &fanout_list); + } +@@ -3294,6 +3295,7 @@ static int packet_create(struct net *net, struct socket *sock, int protocol, + po->prot_hook.func = packet_rcv_spkt; + + po->prot_hook.af_packet_priv = sk; ++ po->prot_hook.af_packet_net = sock_net(sk); + + if (proto) { + po->prot_hook.type = proto; +-- +2.34.1 + diff --git a/queue-5.4/net-hns3-handle-empty-unknown-interrupt-for-vf.patch b/queue-5.4/net-hns3-handle-empty-unknown-interrupt-for-vf.patch new file mode 100644 index 00000000000..0975bc5e5f5 --- /dev/null +++ b/queue-5.4/net-hns3-handle-empty-unknown-interrupt-for-vf.patch 
@@ -0,0 +1,41 @@ +From 1824c134a944137bfcafaede70dc666a28139b2e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Jan 2022 15:03:12 +0800 +Subject: net: hns3: handle empty unknown interrupt for VF + +From: Yufeng Mo + +[ Upstream commit 2f61353cd2f789a4229b6f5c1c24a40a613357bb ] + +Since some interrupt states may be cleared by hardware, the driver +may receive an empty interrupt. Currently, the VF driver directly +disables the vector0 interrupt in this case. As a result, the VF +is unavailable. Therefore, the vector0 interrupt should be enabled +in this case. + +Fixes: b90fcc5bd904 ("net: hns3: add reset handling for VF when doing Core/Global/IMP reset") +Signed-off-by: Yufeng Mo +Signed-off-by: Guangbin Huang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c +index ce6a4e1965e1d..403c1b9cf6ab8 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c +@@ -1970,8 +1970,7 @@ static irqreturn_t hclgevf_misc_irq_handle(int irq, void *data) + break; + } + +- if (event_cause != HCLGEVF_VECTOR0_EVENT_OTHER) +- hclgevf_enable_vector(&hdev->misc_vector, true); ++ hclgevf_enable_vector(&hdev->misc_vector, true); + + return IRQ_HANDLED; + } +-- +2.34.1 + diff --git a/queue-5.4/net-phy-broadcom-hook-up-soft_reset-for-bcm54616s.patch b/queue-5.4/net-phy-broadcom-hook-up-soft_reset-for-bcm54616s.patch new file mode 100644 index 00000000000..2d71a7b41c8 --- /dev/null +++ b/queue-5.4/net-phy-broadcom-hook-up-soft_reset-for-bcm54616s.patch 
@@ -0,0 +1,61 @@ +From 568f376bea0ccdccfa137dbf6cb5c3ebd90ceec9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Jan 2022 15:52:43 -0600 +Subject: net: phy: broadcom: hook up soft_reset for BCM54616S + +From: Robert Hancock + +[ Upstream commit d15c7e875d44367005370e6a82e8f3a382a04f9b ] + +A problem was encountered with the Bel-Fuse 1GBT-SFP05 SFP module (which +is a 1 Gbps copper module operating in SGMII mode with an internal +BCM54616S PHY device) using the Xilinx AXI Ethernet MAC core, where the +module would work properly on the initial insertion or boot of the +device, but after the device was rebooted, the link would either only +come up at 100 Mbps speeds or go up and down erratically. + +I found no meaningful changes in the PHY configuration registers between +the working and non-working boots, but the status registers seemed to +have a lot of error indications set on the SERDES side of the device on +the non-working boot. I suspect the problem is that whatever happens on +the SGMII link when the device is rebooted and the FPGA logic gets +reloaded ends up putting the module's onboard PHY into a bad state. + +Since commit 6e2d85ec0559 ("net: phy: Stop with excessive soft reset") +the genphy_soft_reset call is not made automatically by the PHY core +unless the callback is explicitly specified in the driver structure. For +most of these Broadcom devices, there is probably a hardware reset that +gets asserted to reset the PHY during boot, however for SFP modules +(where the BCM54616S is commonly found) no such reset line exists, so if +the board keeps the SFP cage powered up across a reboot, it will end up +with no reset occurring during reboots. + +Hook up the genphy_soft_reset callback for BCM54616S to ensure that a +PHY reset is performed before the device is initialized. This appears to +fix the issue with erratic operation after a reboot with this SFP +module. 
+ +Fixes: 6e2d85ec0559 ("net: phy: Stop with excessive soft reset") +Signed-off-by: Robert Hancock +Reviewed-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/phy/broadcom.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/phy/broadcom.c b/drivers/net/phy/broadcom.c +index 5e956089bf525..c23fec34b50e9 100644 +--- a/drivers/net/phy/broadcom.c ++++ b/drivers/net/phy/broadcom.c +@@ -646,6 +646,7 @@ static struct phy_driver broadcom_drivers[] = { + .phy_id_mask = 0xfffffff0, + .name = "Broadcom BCM54616S", + /* PHY_GBIT_FEATURES */ ++ .soft_reset = genphy_soft_reset, + .config_init = bcm54xx_config_init, + .config_aneg = bcm54616s_config_aneg, + .ack_interrupt = bcm_phy_ack_intr, +-- +2.34.1 + diff --git a/queue-5.4/net-procfs-show-net-devices-bound-packet-types.patch b/queue-5.4/net-procfs-show-net-devices-bound-packet-types.patch new file mode 100644 index 00000000000..e936116f295 --- /dev/null +++ b/queue-5.4/net-procfs-show-net-devices-bound-packet-types.patch 
@@ -0,0 +1,117 @@ +From e3c7418168203c9fd8514c5fdf7754302d8cf4e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Jan 2022 17:15:31 +0800 +Subject: net-procfs: show net devices bound packet types + +From: Jianguo Wu + +[ Upstream commit 1d10f8a1f40b965d449e8f2d5ed7b96a7c138b77 ] + +After commit:7866a621043f ("dev: add per net_device packet type chains"), +we can not get packet types that are bound to a specified net device by +/proc/net/ptype, this patch fix the regression. + +Run "tcpdump -i ens192 udp -nns0" Before and after apply this patch: + +Before: + [root@localhost ~]# cat /proc/net/ptype + Type Device Function + 0800 ip_rcv + 0806 arp_rcv + 86dd ipv6_rcv + +After: + [root@localhost ~]# cat /proc/net/ptype + Type Device Function + ALL ens192 tpacket_rcv + 0800 ip_rcv + 0806 arp_rcv + 86dd ipv6_rcv + +v1 -> v2: + - fix the regression rather than adding new /proc API as + suggested by Stephen Hemminger. + +Fixes: 7866a621043f ("dev: add per net_device packet type chains") +Signed-off-by: Jianguo Wu +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + net/core/net-procfs.c | 35 ++++++++++++++++++++++++++++++++--- + 1 file changed, 32 insertions(+), 3 deletions(-) + +diff --git a/net/core/net-procfs.c b/net/core/net-procfs.c +index f1e005c8a54f9..61f5570645e38 100644 +--- a/net/core/net-procfs.c ++++ b/net/core/net-procfs.c +@@ -182,12 +182,23 @@ static const struct seq_operations softnet_seq_ops = { + .show = softnet_seq_show, + }; + +-static void *ptype_get_idx(loff_t pos) ++static void *ptype_get_idx(struct seq_file *seq, loff_t pos) + { ++ struct list_head *ptype_list = NULL; + struct packet_type *pt = NULL; ++ struct net_device *dev; + loff_t i = 0; + int t; + ++ for_each_netdev_rcu(seq_file_net(seq), dev) { ++ ptype_list = &dev->ptype_all; ++ list_for_each_entry_rcu(pt, ptype_list, list) { ++ if (i == pos) ++ return pt; ++ ++i; ++ } ++ } ++ + list_for_each_entry_rcu(pt, &ptype_all, list) { + if (i == pos) + return pt; +@@ -208,22 +219,40 @@ static void *ptype_seq_start(struct seq_file *seq, loff_t *pos) + __acquires(RCU) + { + rcu_read_lock(); +- return *pos ? ptype_get_idx(*pos - 1) : SEQ_START_TOKEN; ++ return *pos ? ptype_get_idx(seq, *pos - 1) : SEQ_START_TOKEN; + } + + static void *ptype_seq_next(struct seq_file *seq, void *v, loff_t *pos) + { ++ struct net_device *dev; + struct packet_type *pt; + struct list_head *nxt; + int hash; + + ++*pos; + if (v == SEQ_START_TOKEN) +- return ptype_get_idx(0); ++ return ptype_get_idx(seq, 0); + + pt = v; + nxt = pt->list.next; ++ if (pt->dev) { ++ if (nxt != &pt->dev->ptype_all) ++ goto found; ++ ++ dev = pt->dev; ++ for_each_netdev_continue_rcu(seq_file_net(seq), dev) { ++ if (!list_empty(&dev->ptype_all)) { ++ nxt = dev->ptype_all.next; ++ goto found; ++ } ++ } ++ ++ nxt = ptype_all.next; ++ goto ptype_all; ++ } ++ + if (pt->type == htons(ETH_P_ALL)) { ++ptype_all: + if (nxt != &ptype_all) + goto found; + hash = 0; +-- +2.34.1 + 
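Review bot: in the ibmvnic capability-query stanzas that end with WARN_ON(cap_reqs != 0), cap_reqs is decremented after every ibmvnic_send_crq() call without looking at what the call returned, so the check only confirms that the expected number of stanzas ran, not that the CRQs were actually sent as the comment "expected and actual CRQs sent" suggests. Either decrement only on a successful send or reword the comment to say it guards against a stanza being added or removed without updating the initial count. The TX_RX_DESC_REQ stanza also picks up a stray added blank line between the capability assignment and ibmvnic_send_crq() that none of the other stanzas have.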
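Review bot: in handle_request_cap_rsp() (hunk @@ -4160,6 +4194,8 @@), the new netdev_dbg() re-reads running_cap_crqs with atomic_read() after a separate atomic_dec(), so if another response or request touches the counter in between, the logged value is not the one this decrement produced. Using atomic_dec_return(&adapter->running_cap_crqs) once and logging its result keeps the debug line consistent with the counter update it reports.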
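Review bot: in ip_select_ident_segs() (include/net/ip.h, hunk @@ -509,19 +509,18 @@), the plain read-modify-write "inet_sk(sk)->inet_id += segs" is now reached for every packet of a connected socket rather than only for IP_DF packets, and nothing in the hunk says what serializes it. Please state the locking expectation in the new comment (for example that callers hold the socket lock), or explain why a lost update on inet_id is acceptable here. The comment would also be clearer if it named the condition, a socket with inet_daddr set, instead of "as much as we can".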
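Review bot: in ip_build_and_send_pkt() (net/ipv4/ip_output.c, hunk @@ -161,12 +161,19 @@), the new "skb->len <= IPV4_MIN_MTU" test is not restricted to TCP, so any small packet built through this function now gets IP_DF and id 0 regardless of what ip_dont_fragment() would have returned, while the comment only mentions "(eg SYNACK)". The commit message explains that this is intended to override the listener and route pmtu settings; that reasoning belongs in the code comment as well, since the TCP-only restriction exists solely in the else branch around prandom_u32().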
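Review bot: in struct packet_type (include/linux/netdevice.h, hunk @@ -2397,6 +2397,7 @@), the new af_packet_net pointer is added without any comment, yet ptype_seq_show() depends on the convention that NULL means "not tied to a namespace" and only skips the net_eq() check in that case. A one-line comment on the field saying that only af_packet sets it (in packet_create() and fanout_add()) and that other users leave it NULL would keep a future packet_type user from bypassing the /proc/net/ptype filter by accident.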
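Review bot: in ptype_seq_next() (net/core/net-procfs.c, hunk @@ -208,22 +219,40 @@), the new label "ptype_all:" has the same name as the global list used on the adjacent lines ("nxt = ptype_all.next;", "if (nxt != &ptype_all)"), and "goto ptype_all;" jumps into the body of the "if (pt->type == htons(ETH_P_ALL))" block from outside it. It compiles because labels live in their own namespace, but it is hard to follow; consider renaming the label (for example scan_global_all, a suggested name) and adding a short comment that per-device ptype_all lists are walked first and then fall through to the global list.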
diff --git a/queue-5.4/netfilter-conntrack-don-t-increment-invalid-counter-.patch b/queue-5.4/netfilter-conntrack-don-t-increment-invalid-counter-.patch new file mode 100644 index 00000000000..9861cbe3bb6 --- /dev/null +++ b/queue-5.4/netfilter-conntrack-don-t-increment-invalid-counter-.patch @@ -0,0 +1,51 @@ +From 196efa99030644060cc72a68911af186503fc6f8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Jan 2022 21:37:58 +0100 +Subject: netfilter: conntrack: don't increment invalid counter on NF_REPEAT + +From: Florian Westphal + +[ Upstream commit 830af2eba40327abec64325a5b08b1e85c37a2e0 ] + +The packet isn't invalid, REPEAT means we're trying again after cleaning +out a stale connection, e.g. via tcp tracker. + +This caused increases of invalid stat counter in a test case involving +frequent connection reuse, even though no packet is actually invalid. + +Fixes: 56a62e2218f5 ("netfilter: conntrack: fix NF_REPEAT handling") +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_core.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c +index 4bcc36e4b2ef0..d9b6f2001d006 100644 +--- a/net/netfilter/nf_conntrack_core.c ++++ b/net/netfilter/nf_conntrack_core.c +@@ -1709,15 +1709,17 @@ repeat: + pr_debug("nf_conntrack_in: Can't track with proto module\n"); + nf_conntrack_put(&ct->ct_general); + skb->_nfct = 0; +- NF_CT_STAT_INC_ATOMIC(state->net, invalid); +- if (ret == -NF_DROP) +- NF_CT_STAT_INC_ATOMIC(state->net, drop); + /* Special case: TCP tracker reports an attempt to reopen a + * closed/aborted connection. We have to go back and create a + * fresh conntrack. + */ + if (ret == -NF_REPEAT) + goto repeat; ++ ++ NF_CT_STAT_INC_ATOMIC(state->net, invalid); ++ if (ret == -NF_DROP) ++ NF_CT_STAT_INC_ATOMIC(state->net, drop); ++ + ret = -ret; + goto out; + } +-- +2.34.1 + 
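Review bot: in nf_conntrack_in() (net/netfilter/nf_conntrack_core.c, hunk @@ -1709,15 +1709,17 @@), the ordering of "goto repeat" ahead of the two NF_CT_STAT_INC_ATOMIC() calls is now what keeps a retried packet out of the invalid and drop counters, but the existing "Special case" comment does not mention statistics. Add a sentence there saying that the -NF_REPEAT path must not be counted, so a later cleanup does not move the increments back above the check.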
diff --git a/queue-5.4/nfs-ensure-the-server-has-an-up-to-date-ctime-before.patch b/queue-5.4/nfs-ensure-the-server-has-an-up-to-date-ctime-before.patch new file mode 100644 index 00000000000..c1070b07071 --- /dev/null +++ b/queue-5.4/nfs-ensure-the-server-has-an-up-to-date-ctime-before.patch @@ -0,0 +1,37 @@ +From 07fdad97e93af9394000b9aba75d318f8692de8e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Dec 2021 16:38:15 -0500 +Subject: NFS: Ensure the server has an up to date ctime before hardlinking + +From: Trond Myklebust + +[ Upstream commit 204975036b34f55237bc44c8a302a88468ef21b5 ] + +Creating a hard link is required by POSIX to update the file ctime, so +ensure that the file data is synced to disk so that we don't clobber the +updated ctime by writing back after creating the hard link. + +Fixes: 9f7682728728 ("NFS: Move the delegation return down into nfs4_proc_link()") +Signed-off-by: Trond Myklebust +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/dir.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c +index e7c0790308fe0..c02bd12019c89 100644 +--- a/fs/nfs/dir.c ++++ b/fs/nfs/dir.c +@@ -2035,6 +2035,8 @@ nfs_link(struct dentry *old_dentry, struct inode *dir, struct dentry *dentry) + + trace_nfs_link_enter(inode, dir, dentry); + d_drop(dentry); ++ if (S_ISREG(inode->i_mode)) ++ nfs_sync_inode(inode); + error = NFS_PROTO(dir)->link(inode, dir, &dentry->d_name); + if (error == 0) { + ihold(inode); +-- +2.34.1 + diff --git a/queue-5.4/nfs-ensure-the-server-has-an-up-to-date-ctime-before.patch-20580 b/queue-5.4/nfs-ensure-the-server-has-an-up-to-date-ctime-before.patch-20580 new file mode 100644 index 00000000000..e7dd250b151 --- /dev/null +++ b/queue-5.4/nfs-ensure-the-server-has-an-up-to-date-ctime-before.patch-20580 
@@ -0,0 +1,37 @@ +From e98ffb09229939fed472d24a36e5f355353f48d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Dec 2021 16:38:16 -0500 +Subject: NFS: Ensure the server has an up to date ctime before renaming + +From: Trond Myklebust + +[ Upstream commit 6ff9d99bb88faebf134ca668842349d9718e5464 ] + +Renaming a file is required by POSIX to update the file ctime, so +ensure that the file data is synced to disk so that we don't clobber the +updated ctime by writing back after creating the hard link. + +Fixes: f2c2c552f119 ("NFS: Move delegation recall into the NFSv4 callback for rename_setup()") +Signed-off-by: Trond Myklebust +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/dir.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c +index c02bd12019c89..1cbc2e50cc6c4 100644 +--- a/fs/nfs/dir.c ++++ b/fs/nfs/dir.c +@@ -2125,6 +2125,8 @@ int nfs_rename(struct inode *old_dir, struct dentry *old_dentry, + } + } + ++ if (S_ISREG(old_inode->i_mode)) ++ nfs_sync_inode(old_inode); + task = nfs_async_rename(old_dir, new_dir, old_dentry, new_dentry, NULL); + if (IS_ERR(task)) { + error = PTR_ERR(task); +-- +2.34.1 + diff --git a/queue-5.4/nfsv4-handle-case-where-the-lookup-of-a-directory-fa.patch b/queue-5.4/nfsv4-handle-case-where-the-lookup-of-a-directory-fa.patch new file mode 100644 index 00000000000..8969e908592 --- /dev/null +++ b/queue-5.4/nfsv4-handle-case-where-the-lookup-of-a-directory-fa.patch 
@@ -0,0 +1,52 @@ +From 189f0e48d013b40ca7cae5062dc58585bc80e2fa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Jan 2022 18:24:02 -0500 +Subject: NFSv4: Handle case where the lookup of a directory fails + +From: Trond Myklebust + +[ Upstream commit ac795161c93699d600db16c1a8cc23a65a1eceaf ] + +If the application sets the O_DIRECTORY flag, and tries to open a +regular file, nfs_atomic_open() will punt to doing a regular lookup. +If the server then returns a regular file, we will happily return a +file descriptor with uninitialised open state. + +The fix is to return the expected ENOTDIR error in these cases. + +Reported-by: Lyu Tao +Fixes: 0dd2b474d0b6 ("nfs: implement i_op->atomic_open()") +Signed-off-by: Trond Myklebust +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/dir.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c +index 1cbc2e50cc6c4..87d3b49a4c9f4 100644 +--- a/fs/nfs/dir.c ++++ b/fs/nfs/dir.c +@@ -1638,6 +1638,19 @@ out: + + no_open: + res = nfs_lookup(dir, dentry, lookup_flags); ++ if (!res) { ++ inode = d_inode(dentry); ++ if ((lookup_flags & LOOKUP_DIRECTORY) && inode && ++ !S_ISDIR(inode->i_mode)) ++ res = ERR_PTR(-ENOTDIR); ++ } else if (!IS_ERR(res)) { ++ inode = d_inode(res); ++ if ((lookup_flags & LOOKUP_DIRECTORY) && inode && ++ !S_ISDIR(inode->i_mode)) { ++ dput(res); ++ res = ERR_PTR(-ENOTDIR); ++ } ++ } + if (switched) { + d_lookup_done(dentry); + if (!res) +-- +2.34.1 + diff --git a/queue-5.4/nfsv4-nfs_atomic_open-can-race-when-looking-up-a-non.patch b/queue-5.4/nfsv4-nfs_atomic_open-can-race-when-looking-up-a-non.patch new file mode 100644 index 00000000000..487597a2857 --- /dev/null +++ b/queue-5.4/nfsv4-nfs_atomic_open-can-race-when-looking-up-a-non.patch 
@@ -0,0 +1,45 @@ +From 142e3c9bd150de1f5ec94eb951d32381ea815e07 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Jan 2022 18:24:03 -0500 +Subject: NFSv4: nfs_atomic_open() can race when looking up a non-regular file + +From: Trond Myklebust + +[ Upstream commit 1751fc1db36f6f411709e143d5393f92d12137a9 ] + +If the file type changes back to being a regular file on the server +between the failed OPEN and our LOOKUP, then we need to re-run the OPEN. + +Fixes: 0dd2b474d0b6 ("nfs: implement i_op->atomic_open()") +Signed-off-by: Trond Myklebust +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/dir.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c +index 87d3b49a4c9f4..f1c99fe486c4d 100644 +--- a/fs/nfs/dir.c ++++ b/fs/nfs/dir.c +@@ -1643,12 +1643,17 @@ no_open: + if ((lookup_flags & LOOKUP_DIRECTORY) && inode && + !S_ISDIR(inode->i_mode)) + res = ERR_PTR(-ENOTDIR); ++ else if (inode && S_ISREG(inode->i_mode)) ++ res = ERR_PTR(-EOPENSTALE); + } else if (!IS_ERR(res)) { + inode = d_inode(res); + if ((lookup_flags & LOOKUP_DIRECTORY) && inode && + !S_ISDIR(inode->i_mode)) { + dput(res); + res = ERR_PTR(-ENOTDIR); ++ } else if (inode && S_ISREG(inode->i_mode)) { ++ dput(res); ++ res = ERR_PTR(-EOPENSTALE); + } + } + if (switched) { +-- +2.34.1 + diff --git a/queue-5.4/phylib-fix-potential-use-after-free.patch b/queue-5.4/phylib-fix-potential-use-after-free.patch new file mode 100644 index 00000000000..26f938702c6 --- /dev/null +++ b/queue-5.4/phylib-fix-potential-use-after-free.patch 
@@ -0,0 +1,58 @@ +From b55f67eeac67eadf1fc98c0384de6ec1622b3f7c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jan 2022 17:27:48 +0100 +Subject: phylib: fix potential use-after-free +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Marek Behún + +[ Upstream commit cbda1b16687580d5beee38273f6241ae3725960c ] + +Commit bafbdd527d56 ("phylib: Add device reset GPIO support") added call +to phy_device_reset(phydev) after the put_device() call in phy_detach(). + +The comment before the put_device() call says that the phydev might go +away with put_device(). + +Fix potential use-after-free by calling phy_device_reset() before +put_device(). + +Fixes: bafbdd527d56 ("phylib: Add device reset GPIO support") +Signed-off-by: Marek Behún +Reviewed-by: Andrew Lunn +Link: https://lore.kernel.org/r/20220119162748.32418-1-kabel@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/phy_device.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c +index 35ade5d21de51..78b918dcd5472 100644 +--- a/drivers/net/phy/phy_device.c ++++ b/drivers/net/phy/phy_device.c +@@ -1433,6 +1433,9 @@ void phy_detach(struct phy_device *phydev) + phy_driver_is_genphy_10g(phydev)) + device_release_driver(&phydev->mdio.dev); + ++ /* Assert the reset signal */ ++ phy_device_reset(phydev, 1); ++ + /* + * The phydev might go away on the put_device() below, so avoid + * a use-after-free bug by reading the underlying bus first. +@@ -1444,9 +1447,6 @@ void phy_detach(struct phy_device *phydev) + ndev_owner = dev->dev.parent->driver->owner; + if (ndev_owner != bus->owner) + module_put(bus->owner); +- +- /* Assert the reset signal */ +- phy_device_reset(phydev, 1); + } + EXPORT_SYMBOL(phy_detach); + +-- +2.34.1 + 
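Review bot: in nfs_link() (fs/nfs/dir.c, hunk @@ -2035,6 +2035,8 @@), whatever nfs_sync_inode(inode) returns is discarded, so a failed writeback still proceeds to NFS_PROTO(dir)->link() and the ctime can be clobbered in exactly the way the commit message describes. Either propagate the error before issuing the link, or add a comment that the sync is deliberately best effort.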
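Review bot: the description for the nfs_rename() change (fs/nfs/dir.c, hunk @@ -2125,6 +2125,8 @@) still ends with "after creating the hard link", carried over from the nfs_link() patch; it should say "after the rename". As in nfs_link(), the result of nfs_sync_inode(old_inode) is ignored before nfs_async_rename() is started, and the same choice between propagating the error and documenting best-effort behaviour applies.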
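Review bot: in the no_open path of nfs_atomic_open() (fs/nfs/dir.c, hunk @@ -1643,12 +1643,17 @@), the "!res" and "!IS_ERR(res)" branches now repeat the same two-step type check (LOOKUP_DIRECTORY with a non-directory gives -ENOTDIR, a regular file gives -EOPENSTALE) and differ only in the dput(res). A small helper that takes the inode and lookup_flags and returns 0, -ENOTDIR or -EOPENSTALE would remove the duplication and make it harder for the two branches to drift apart. A comment on the -EOPENSTALE case saying that it makes the caller re-run the OPEN would also help, since that is only stated in the commit message.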
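Review bot: in phy_detach() (drivers/net/phy/phy_device.c, hunk @@ -1433,6 +1433,9 @@), the moved phy_device_reset(phydev, 1) keeps its old comment "Assert the reset signal", which says nothing about the ordering constraint that is the whole point of the fix. Extend it to say that the call must stay ahead of put_device() because phydev may be freed there, matching the use-after-free comment that follows it.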
diff --git a/queue-5.4/ping-fix-the-sk_bound_dev_if-match-in-ping_lookup.patch b/queue-5.4/ping-fix-the-sk_bound_dev_if-match-in-ping_lookup.patch new file mode 100644 index 00000000000..c61ec180a17 --- /dev/null +++ b/queue-5.4/ping-fix-the-sk_bound_dev_if-match-in-ping_lookup.patch @@ -0,0 +1,51 @@ +From dc318d26380953936c4b120d341c0332cdca4664 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 22 Jan 2022 06:40:56 -0500 +Subject: ping: fix the sk_bound_dev_if match in ping_lookup + +From: Xin Long + +[ Upstream commit 2afc3b5a31f9edf3ef0f374f5d70610c79c93a42 ] + +When 'ping' changes to use PING socket instead of RAW socket by: + + # sysctl -w net.ipv4.ping_group_range="0 100" + +the selftests 'router_broadcast.sh' will fail, as such command + + # ip vrf exec vrf-h1 ping -I veth0 198.51.100.255 -b + +can't receive the response skb by the PING socket. It's caused by mismatch +of sk_bound_dev_if and dif in ping_rcv() when looking up the PING socket, +as dif is vrf-h1 if dif's master was set to vrf-h1. + +This patch is to fix this regression by also checking the sk_bound_dev_if +against sdif so that the packets can stil be received even if the socket +is not bound to the vrf device but to the real iif. + +Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind") +Reported-by: Hangbin Liu +Signed-off-by: Xin Long +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/ping.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c +index 1c3d5d3702a10..b0f51c7cc0d90 100644 +--- a/net/ipv4/ping.c ++++ b/net/ipv4/ping.c +@@ -220,7 +220,8 @@ static struct sock *ping_lookup(struct net *net, struct sk_buff *skb, u16 ident) + continue; + } + +- if (sk->sk_bound_dev_if && sk->sk_bound_dev_if != dif) ++ if (sk->sk_bound_dev_if && sk->sk_bound_dev_if != dif && ++ sk->sk_bound_dev_if != inet_sdif(skb)) + continue; + + sock_hold(sk); +-- +2.34.1 + 
diff --git a/queue-5.4/rxrpc-adjust-retransmission-backoff.patch b/queue-5.4/rxrpc-adjust-retransmission-backoff.patch new file mode 100644 index 00000000000..3b1df1c74e5 --- /dev/null +++ b/queue-5.4/rxrpc-adjust-retransmission-backoff.patch 
@@ -0,0 +1,93 @@ +From 29aee0be3d80b743ae4a7f62b7114c46e51f1f80 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Jan 2022 23:12:58 +0000 +Subject: rxrpc: Adjust retransmission backoff + +From: David Howells + +[ Upstream commit 2c13c05c5ff4b9fc907b07f7311821910ebaaf8a ] + +Improve retransmission backoff by only backing off when we retransmit data +packets rather than when we set the lost ack timer. + +To this end: + + (1) In rxrpc_resend(), use rxrpc_get_rto_backoff() when setting the + retransmission timer and only tell it that we are retransmitting if we + actually have things to retransmit. + + Note that it's possible for the retransmission algorithm to race with + the processing of a received ACK, so we may see no packets needing + retransmission. + + (2) In rxrpc_send_data_packet(), don't bump the backoff when setting the + ack_lost_at timer, as it may then get bumped twice. + +With this, when looking at one particular packet, the retransmission +intervals were seen to be 1.5ms, 2ms, 3ms, 5ms, 9ms, 17ms, 33ms, 71ms, +136ms, 264ms, 544ms, 1.088s, 2.1s, 4.2s and 8.3s. + +Fixes: c410bf01933e ("rxrpc: Fix the excessive initial retransmission timeout") +Suggested-by: Marc Dionne +Signed-off-by: David Howells +Reviewed-by: Marc Dionne +Tested-by: Marc Dionne +cc: linux-afs@lists.infradead.org +Link: https://lore.kernel.org/r/164138117069.2023386.17446904856843997127.stgit@warthog.procyon.org.uk/ +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + net/rxrpc/call_event.c | 8 +++----- + net/rxrpc/output.c | 2 +- + 2 files changed, 4 insertions(+), 6 deletions(-) + +diff --git a/net/rxrpc/call_event.c b/net/rxrpc/call_event.c +index 9ff85ee8337cd..80e15310f1b29 100644 +--- a/net/rxrpc/call_event.c ++++ b/net/rxrpc/call_event.c +@@ -157,7 +157,7 @@ static void rxrpc_congestion_timeout(struct rxrpc_call *call) + static void rxrpc_resend(struct rxrpc_call *call, unsigned long now_j) + { + struct sk_buff *skb; +- unsigned long resend_at, rto_j; ++ unsigned long resend_at; + rxrpc_seq_t cursor, seq, top; + ktime_t now, max_age, oldest, ack_ts; + int ix; +@@ -165,10 +165,8 @@ static void rxrpc_resend(struct rxrpc_call *call, unsigned long now_j) + + _enter("{%d,%d}", call->tx_hard_ack, call->tx_top); + +- rto_j = call->peer->rto_j; +- + now = ktime_get_real(); +- max_age = ktime_sub(now, jiffies_to_usecs(rto_j)); ++ max_age = ktime_sub(now, jiffies_to_usecs(call->peer->rto_j)); + + spin_lock_bh(&call->lock); + +@@ -213,7 +211,7 @@ static void rxrpc_resend(struct rxrpc_call *call, unsigned long now_j) + } + + resend_at = nsecs_to_jiffies(ktime_to_ns(ktime_sub(now, oldest))); +- resend_at += jiffies + rto_j; ++ resend_at += jiffies + rxrpc_get_rto_backoff(call->peer, retrans); + WRITE_ONCE(call->resend_at, resend_at); + + if (unacked) +diff --git a/net/rxrpc/output.c b/net/rxrpc/output.c +index f8b632a5c6197..a4a6f8ee07201 100644 +--- a/net/rxrpc/output.c ++++ b/net/rxrpc/output.c +@@ -426,7 +426,7 @@ done: + if (call->peer->rtt_count > 1) { + unsigned long nowj = jiffies, ack_lost_at; + +- ack_lost_at = rxrpc_get_rto_backoff(call->peer, retrans); ++ ack_lost_at = rxrpc_get_rto_backoff(call->peer, false); + ack_lost_at += nowj; + WRITE_ONCE(call->ack_lost_at, ack_lost_at); + rxrpc_reduce_call_timer(call, ack_lost_at, nowj, +-- +2.34.1 + diff --git a/queue-5.4/series b/queue-5.4/series index 2114a482090..7245d7e18c9 100644 --- a/queue-5.4/series +++ b/queue-5.4/series 
@@ -29,3 +29,32 @@ i40e-fix-unsigned-stat-widths.patch rpmsg-char-fix-race-between-the-release-of-rpmsg_ctrldev-and-cdev.patch rpmsg-char-fix-race-between-the-release-of-rpmsg_eptdev-and-cdev.patch scsi-bnx2fc-flush-destroy_work-queue-before-calling-bnx2fc_interface_put.patch +nfs-ensure-the-server-has-an-up-to-date-ctime-before.patch +nfs-ensure-the-server-has-an-up-to-date-ctime-before.patch-20580 +nfsv4-handle-case-where-the-lookup-of-a-directory-fa.patch +nfsv4-nfs_atomic_open-can-race-when-looking-up-a-non.patch +netfilter-conntrack-don-t-increment-invalid-counter-.patch +arm-9170-1-fix-panic-when-kasan-and-kprobe-are-enabl.patch +net-fix-information-leakage-in-proc-net-ptype.patch +net-phy-broadcom-hook-up-soft_reset-for-bcm54616s.patch +ipv6_tunnel-rate-limit-warning-messages.patch +phylib-fix-potential-use-after-free.patch +rxrpc-adjust-retransmission-backoff.patch +hwmon-lm90-reduce-maximum-conversion-rate-for-g781.patch +hwmon-lm90-mark-alert-as-broken-for-max6654.patch +hwmon-lm90-mark-alert-as-broken-for-max6680.patch +hwmon-lm90-mark-alert-as-broken-for-max6646-6647-664.patch +net-procfs-show-net-devices-bound-packet-types.patch +ibmvnic-init-running_cap_crqs-early.patch +ibmvnic-don-t-spin-in-tasklet.patch +ping-fix-the-sk_bound_dev_if-match-in-ping_lookup.patch +drm-msm-dsi-fix-missing-put_device-call-in-dsi_get_p.patch +drm-msm-hdmi-fix-missing-put_device-call-in-msm_hdmi.patch +drm-msm-fix-wrong-size-calculation.patch +drm-msm-dsi-invalid-parameter-check-in-msm_dsi_phy_e.patch +yam-fix-a-memory-leak-in-yam_siocdevprivate.patch +net-hns3-handle-empty-unknown-interrupt-for-vf.patch +ipv4-raw-lock-the-socket-in-raw_bind.patch +ipv4-tcp-send-zero-ipid-in-synack-messages.patch +ipv4-avoid-using-shared-ip-generator-for-connected-s.patch +ipv4-remove-sparse-error-in-ip_neigh_gw4.patch 
diff --git a/queue-5.4/yam-fix-a-memory-leak-in-yam_siocdevprivate.patch b/queue-5.4/yam-fix-a-memory-leak-in-yam_siocdevprivate.patch new file mode 100644 index 00000000000..b6e3f2c7a96 --- /dev/null +++ b/queue-5.4/yam-fix-a-memory-leak-in-yam_siocdevprivate.patch @@ -0,0 +1,37 @@ +From bbb21108ed264f167847efb26febbb524a4b5a32 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Jan 2022 11:29:54 +0800 +Subject: yam: fix a memory leak in yam_siocdevprivate() + +From: Hangyu Hua + +[ Upstream commit 29eb31542787e1019208a2e1047bb7c76c069536 ] + +ym needs to be free when ym->cmd != SIOCYAMSMCS. + +Fixes: 0781168e23a2 ("yam: fix a missing-check bug") +Signed-off-by: Hangyu Hua +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/hamradio/yam.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/net/hamradio/yam.c b/drivers/net/hamradio/yam.c +index 5ab53e9942f30..5d30b3e1806ab 100644 +--- a/drivers/net/hamradio/yam.c ++++ b/drivers/net/hamradio/yam.c +@@ -951,9 +951,7 @@ static int yam_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd) + sizeof(struct yamdrv_ioctl_mcs)); + if (IS_ERR(ym)) + return PTR_ERR(ym); +- if (ym->cmd != SIOCYAMSMCS) +- return -EINVAL; +- if (ym->bitrate > YAM_MAXBITRATE) { ++ if (ym->cmd != SIOCYAMSMCS || ym->bitrate > YAM_MAXBITRATE) { + kfree(ym); + return -EINVAL; + } +-- +2.34.1 +
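Review bot: in the fs/nfs/dir.c hunk at `no_open:`, both new `S_ISREG(inode->i_mode)` branches return `-EOPENSTALE` with no comment saying why finding a regular file is an error on this path. The commit message gives the reason (the file type changed back to a regular file on the server between the failed OPEN and the LOOKUP, so the OPEN has to be re-run); a one-line comment above each branch would keep that reasoning next to the code. It is also worth confirming that the caller bounds how often it retries on `-EOPENSTALE`, since a server that keeps changing the file type would otherwise reach this branch repeatedly.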
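Review bot: in the first phy_detach() hunk of drivers/net/phy/phy_device.c, the existing comment below the moved call still only explains reading the bus before put_device(), so nothing tells the next editor that `phy_device_reset(phydev, 1)` must also stay above it. Suggest extending that comment to say that no access to phydev, the reset included, may follow put_device(). The commit message shows the original bug came from adding a phydev call after put_device(), and the same mistake is easy to repeat.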
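Review bot: in the ping_lookup() hunk of net/ipv4/ping.c, the new `sk->sk_bound_dev_if != inet_sdif(skb)` test sits in front of a `continue`, so inet_sdif(skb) is re-evaluated for every socket the loop visits although its result does not depend on the socket. Suggest computing it once into a local (for example `int sdif = inet_sdif(skb);`) before the loop and comparing against that. If this lookup can also be reached with IPv6 skbs, the local should be filled per address family, because inet_sdif() reads the IPv4 control block of the skb.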
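Review bot: in the rxrpc_resend() hunk at `resend_at += jiffies + rxrpc_get_rto_backoff(call->peer, retrans);`, `retrans` is neither declared nor assigned in any line this patch shows. For a stable backport, confirm that the 5.4 rxrpc_resend() already has this variable and that it is non-zero only when packets were actually picked for retransmission, as the commit message requires. If it is always zero the backoff never applies, and if it is set unconditionally the backoff grows on every pass, including the ACK race the message mentions.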
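Review bot: in the net/rxrpc/output.c hunk, the literal `false` now passed to rxrpc_get_rto_backoff() when computing `ack_lost_at` has no comment explaining it. A short comment stating that the backoff is bumped only in rxrpc_resend() would keep a later cleanup from restoring `retrans` here and reintroducing the double bump the commit message describes.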
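Review bot: in the queue-5.4/series hunk, the second added entry, `nfs-ensure-the-server-has-an-up-to-date-ctime-before.patch-20580`, differs from the entry above it only by a `-20580` suffix placed after `.patch`. Confirm that both files exist in queue-5.4/ and hold different upstream commits rather than the same patch queued twice. Also check that any tooling that matches on a `.patch` ending still picks up the second file.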
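Review bot: the hunk in drivers/net/hamradio/yam.c applies inside `yam_ioctl()`, while the subject line names yam_siocdevprivate(), so someone searching the 5.4 tree for the function in the subject will not find it. A bracketed backport note in the commit message saying that the fix lands in yam_ioctl() on this branch would make the mapping explicit. The merged condition itself routes both failure cases through the existing `kfree(ym)` and keeps the `-EINVAL` return value.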