From: Greg Kroah-Hartman Date: Fri, 10 Dec 2021 12:06:39 +0000 (+0100) Subject: 5.10-stable patches X-Git-Tag: v4.4.295~64 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=588b508da566e73d7fab07ad8541f253f507038d;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: can-kvaser_pciefd-kvaser_pciefd_rx_error_frame-increase-correct-stats-rx-tx-_errors-counter.patch can-kvaser_usb-get-can-clock-frequency-from-device.patch can-sja1000-fix-use-after-free-in-ems_pcmcia_add_card.patch ib-hfi1-fix-early-init-panic.patch ib-hfi1-fix-leak-of-rcvhdrtail_dummy_kvaddr.patch ib-hfi1-insure-use-of-smp_processor_id-is-preempt-disabled.patch net-dsa-mv88e6xxx-allow-use-of-phys-on-cpu-and-dsa-ports.patch nft_set_pipapo-fix-bucket-load-in-avx2-lookup-routine-for-six-8-bit-groups.patch x86-sme-explicitly-map-new-efi-memmap-table-as-encrypted.patch --- diff --git a/queue-5.10/can-kvaser_pciefd-kvaser_pciefd_rx_error_frame-increase-correct-stats-rx-tx-_errors-counter.patch b/queue-5.10/can-kvaser_pciefd-kvaser_pciefd_rx_error_frame-increase-correct-stats-rx-tx-_errors-counter.patch new file mode 100644 index 00000000000..091df3ad313 --- /dev/null +++ b/queue-5.10/can-kvaser_pciefd-kvaser_pciefd_rx_error_frame-increase-correct-stats-rx-tx-_errors-counter.patch @@ -0,0 +1,46 @@ +From 36aea60fc892ce73f96d45dc7eb239c7c4c1fa69 Mon Sep 17 00:00:00 2001 +From: Jimmy Assarsson +Date: Wed, 8 Dec 2021 16:21:21 +0100 +Subject: can: kvaser_pciefd: kvaser_pciefd_rx_error_frame(): increase correct stats->{rx,tx}_errors counter + +From: Jimmy Assarsson + +commit 36aea60fc892ce73f96d45dc7eb239c7c4c1fa69 upstream. + +Check the direction bit in the error frame packet (EPACK) to determine +which net_device_stats {rx,tx}_errors counter to increase. + +Fixes: 26ad340e582d ("can: kvaser_pciefd: Add driver for Kvaser PCIEcan devices") +Link: https://lore.kernel.org/all/20211208152122.250852-1-extja@kvaser.com +Cc: stable@vger.kernel.org +Signed-off-by: Jimmy Assarsson +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/kvaser_pciefd.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/net/can/kvaser_pciefd.c ++++ b/drivers/net/can/kvaser_pciefd.c +@@ -248,6 +248,9 @@ MODULE_DESCRIPTION("CAN driver for Kvase + #define KVASER_PCIEFD_SPACK_EWLR BIT(23) + #define KVASER_PCIEFD_SPACK_EPLR BIT(24) + ++/* Kvaser KCAN_EPACK second word */ ++#define KVASER_PCIEFD_EPACK_DIR_TX BIT(0) ++ + struct kvaser_pciefd; + + struct kvaser_pciefd_can { +@@ -1285,7 +1288,10 @@ static int kvaser_pciefd_rx_error_frame( + + can->err_rep_cnt++; + can->can.can_stats.bus_error++; +- stats->rx_errors++; ++ if (p->header[1] & KVASER_PCIEFD_EPACK_DIR_TX) ++ stats->tx_errors++; ++ else ++ stats->rx_errors++; + + can->bec.txerr = bec.txerr; + can->bec.rxerr = bec.rxerr; diff --git a/queue-5.10/can-kvaser_usb-get-can-clock-frequency-from-device.patch b/queue-5.10/can-kvaser_usb-get-can-clock-frequency-from-device.patch new file mode 100644 index 00000000000..05b0fd2e798 --- /dev/null +++ b/queue-5.10/can-kvaser_usb-get-can-clock-frequency-from-device.patch @@ -0,0 +1,186 @@ +From fb12797ab1fef480ad8a32a30984844444eeb00d Mon Sep 17 00:00:00 2001 +From: Jimmy Assarsson +Date: Wed, 8 Dec 2021 16:21:22 +0100 +Subject: can: kvaser_usb: get CAN clock frequency from device + +From: Jimmy Assarsson + +commit fb12797ab1fef480ad8a32a30984844444eeb00d upstream. + +The CAN clock frequency is used when calculating the CAN bittiming +parameters. When wrong clock frequency is used, the device may end up +with wrong bittiming parameters, depending on user requested bittiming +parameters. + +To avoid this, get the CAN clock frequency from the device. Various +existing Kvaser Leaf products use different CAN clocks. + +Fixes: 080f40a6fa28 ("can: kvaser_usb: Add support for Kvaser CAN/USB devices") +Link: https://lore.kernel.org/all/20211208152122.250852-2-extja@kvaser.com +Cc: stable@vger.kernel.org +Signed-off-by: Jimmy Assarsson +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c | 101 ++++++++++++++++------- + 1 file changed, 73 insertions(+), 28 deletions(-) + +--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c ++++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c +@@ -28,10 +28,6 @@ + + #include "kvaser_usb.h" + +-/* Forward declaration */ +-static const struct kvaser_usb_dev_cfg kvaser_usb_leaf_dev_cfg; +- +-#define CAN_USB_CLOCK 8000000 + #define MAX_USBCAN_NET_DEVICES 2 + + /* Command header size */ +@@ -80,6 +76,12 @@ static const struct kvaser_usb_dev_cfg k + + #define CMD_LEAF_LOG_MESSAGE 106 + ++/* Leaf frequency options */ ++#define KVASER_USB_LEAF_SWOPTION_FREQ_MASK 0x60 ++#define KVASER_USB_LEAF_SWOPTION_FREQ_16_MHZ_CLK 0 ++#define KVASER_USB_LEAF_SWOPTION_FREQ_32_MHZ_CLK BIT(5) ++#define KVASER_USB_LEAF_SWOPTION_FREQ_24_MHZ_CLK BIT(6) ++ + /* error factors */ + #define M16C_EF_ACKE BIT(0) + #define M16C_EF_CRCE BIT(1) +@@ -340,6 +342,50 @@ struct kvaser_usb_err_summary { + }; + }; + ++static const struct can_bittiming_const kvaser_usb_leaf_bittiming_const = { ++ .name = "kvaser_usb", ++ .tseg1_min = KVASER_USB_TSEG1_MIN, ++ .tseg1_max = KVASER_USB_TSEG1_MAX, ++ .tseg2_min = KVASER_USB_TSEG2_MIN, ++ .tseg2_max = KVASER_USB_TSEG2_MAX, ++ .sjw_max = KVASER_USB_SJW_MAX, ++ .brp_min = KVASER_USB_BRP_MIN, ++ .brp_max = KVASER_USB_BRP_MAX, ++ .brp_inc = KVASER_USB_BRP_INC, ++}; ++ ++static const struct kvaser_usb_dev_cfg kvaser_usb_leaf_dev_cfg_8mhz = { ++ .clock = { ++ .freq = 8000000, ++ }, ++ .timestamp_freq = 1, ++ .bittiming_const = &kvaser_usb_leaf_bittiming_const, ++}; ++ ++static const struct kvaser_usb_dev_cfg kvaser_usb_leaf_dev_cfg_16mhz = { ++ .clock = { ++ .freq = 16000000, ++ }, ++ .timestamp_freq = 1, ++ .bittiming_const = &kvaser_usb_leaf_bittiming_const, ++}; ++ ++static const struct kvaser_usb_dev_cfg kvaser_usb_leaf_dev_cfg_24mhz = { ++ .clock = { ++ .freq = 24000000, ++ }, ++ .timestamp_freq = 1, ++ .bittiming_const = &kvaser_usb_leaf_bittiming_const, ++}; ++ ++static const struct kvaser_usb_dev_cfg kvaser_usb_leaf_dev_cfg_32mhz = { ++ .clock = { ++ .freq = 32000000, ++ }, ++ .timestamp_freq = 1, ++ .bittiming_const = &kvaser_usb_leaf_bittiming_const, ++}; ++ + static void * + kvaser_usb_leaf_frame_to_cmd(const struct kvaser_usb_net_priv *priv, + const struct sk_buff *skb, int *frame_len, +@@ -471,6 +517,27 @@ static int kvaser_usb_leaf_send_simple_c + return rc; + } + ++static void kvaser_usb_leaf_get_software_info_leaf(struct kvaser_usb *dev, ++ const struct leaf_cmd_softinfo *softinfo) ++{ ++ u32 sw_options = le32_to_cpu(softinfo->sw_options); ++ ++ dev->fw_version = le32_to_cpu(softinfo->fw_version); ++ dev->max_tx_urbs = le16_to_cpu(softinfo->max_outstanding_tx); ++ ++ switch (sw_options & KVASER_USB_LEAF_SWOPTION_FREQ_MASK) { ++ case KVASER_USB_LEAF_SWOPTION_FREQ_16_MHZ_CLK: ++ dev->cfg = &kvaser_usb_leaf_dev_cfg_16mhz; ++ break; ++ case KVASER_USB_LEAF_SWOPTION_FREQ_24_MHZ_CLK: ++ dev->cfg = &kvaser_usb_leaf_dev_cfg_24mhz; ++ break; ++ case KVASER_USB_LEAF_SWOPTION_FREQ_32_MHZ_CLK: ++ dev->cfg = &kvaser_usb_leaf_dev_cfg_32mhz; ++ break; ++ } ++} ++ + static int kvaser_usb_leaf_get_software_info_inner(struct kvaser_usb *dev) + { + struct kvaser_cmd cmd; +@@ -486,14 +553,13 @@ static int kvaser_usb_leaf_get_software_ + + switch (dev->card_data.leaf.family) { + case KVASER_LEAF: +- dev->fw_version = le32_to_cpu(cmd.u.leaf.softinfo.fw_version); +- dev->max_tx_urbs = +- le16_to_cpu(cmd.u.leaf.softinfo.max_outstanding_tx); ++ kvaser_usb_leaf_get_software_info_leaf(dev, &cmd.u.leaf.softinfo); + break; + case KVASER_USBCAN: + dev->fw_version = le32_to_cpu(cmd.u.usbcan.softinfo.fw_version); + dev->max_tx_urbs = + le16_to_cpu(cmd.u.usbcan.softinfo.max_outstanding_tx); ++ dev->cfg = &kvaser_usb_leaf_dev_cfg_8mhz; + break; + } + +@@ -1225,24 +1291,11 @@ static int kvaser_usb_leaf_init_card(str + { + struct kvaser_usb_dev_card_data *card_data = &dev->card_data; + +- dev->cfg = &kvaser_usb_leaf_dev_cfg; + card_data->ctrlmode_supported |= CAN_CTRLMODE_3_SAMPLES; + + return 0; + } + +-static const struct can_bittiming_const kvaser_usb_leaf_bittiming_const = { +- .name = "kvaser_usb", +- .tseg1_min = KVASER_USB_TSEG1_MIN, +- .tseg1_max = KVASER_USB_TSEG1_MAX, +- .tseg2_min = KVASER_USB_TSEG2_MIN, +- .tseg2_max = KVASER_USB_TSEG2_MAX, +- .sjw_max = KVASER_USB_SJW_MAX, +- .brp_min = KVASER_USB_BRP_MIN, +- .brp_max = KVASER_USB_BRP_MAX, +- .brp_inc = KVASER_USB_BRP_INC, +-}; +- + static int kvaser_usb_leaf_set_bittiming(struct net_device *netdev) + { + struct kvaser_usb_net_priv *priv = netdev_priv(netdev); +@@ -1348,11 +1401,3 @@ const struct kvaser_usb_dev_ops kvaser_u + .dev_read_bulk_callback = kvaser_usb_leaf_read_bulk_callback, + .dev_frame_to_cmd = kvaser_usb_leaf_frame_to_cmd, + }; +- +-static const struct kvaser_usb_dev_cfg kvaser_usb_leaf_dev_cfg = { +- .clock = { +- .freq = CAN_USB_CLOCK, +- }, +- .timestamp_freq = 1, +- .bittiming_const = &kvaser_usb_leaf_bittiming_const, +-}; diff --git a/queue-5.10/can-sja1000-fix-use-after-free-in-ems_pcmcia_add_card.patch b/queue-5.10/can-sja1000-fix-use-after-free-in-ems_pcmcia_add_card.patch new file mode 100644 index 00000000000..688b37ac92b --- /dev/null +++ b/queue-5.10/can-sja1000-fix-use-after-free-in-ems_pcmcia_add_card.patch @@ -0,0 +1,42 @@ +From 3ec6ca6b1a8e64389f0212b5a1b0f6fed1909e45 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Wed, 24 Nov 2021 17:50:41 +0300 +Subject: can: sja1000: fix use after free in ems_pcmcia_add_card() + +From: Dan Carpenter + +commit 3ec6ca6b1a8e64389f0212b5a1b0f6fed1909e45 upstream. + +If the last channel is not available then "dev" is freed. Fortunately, +we can just use "pdev->irq" instead. + +Also we should check if at least one channel was set up. + +Fixes: fd734c6f25ae ("can/sja1000: add driver for EMS PCMCIA card") +Link: https://lore.kernel.org/all/20211124145041.GB13656@kili +Cc: stable@vger.kernel.org +Signed-off-by: Dan Carpenter +Acked-by: Oliver Hartkopp +Tested-by: Oliver Hartkopp +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/sja1000/ems_pcmcia.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/net/can/sja1000/ems_pcmcia.c ++++ b/drivers/net/can/sja1000/ems_pcmcia.c +@@ -235,7 +235,12 @@ static int ems_pcmcia_add_card(struct pc + free_sja1000dev(dev); + } + +- err = request_irq(dev->irq, &ems_pcmcia_interrupt, IRQF_SHARED, ++ if (!card->channels) { ++ err = -ENODEV; ++ goto failure_cleanup; ++ } ++ ++ err = request_irq(pdev->irq, &ems_pcmcia_interrupt, IRQF_SHARED, + DRV_NAME, card); + if (!err) + return 0; diff --git a/queue-5.10/ib-hfi1-fix-early-init-panic.patch b/queue-5.10/ib-hfi1-fix-early-init-panic.patch new file mode 100644 index 00000000000..5abaee0d6a5 --- /dev/null +++ b/queue-5.10/ib-hfi1-fix-early-init-panic.patch @@ -0,0 +1,117 @@ +From f6a3cfec3c01f9983e961c3327cef0db129a3c43 Mon Sep 17 00:00:00 2001 +From: Mike Marciniszyn +Date: Mon, 29 Nov 2021 14:20:03 -0500 +Subject: IB/hfi1: Fix early init panic + +From: Mike Marciniszyn + +commit f6a3cfec3c01f9983e961c3327cef0db129a3c43 upstream. + +The following trace can be observed with an init failure such as firmware +load failures: + + BUG: unable to handle kernel NULL pointer dereference at 0000000000000000 + PGD 0 P4D 0 + Oops: 0010 [#1] SMP PTI + CPU: 0 PID: 537 Comm: kworker/0:3 Tainted: G OE --------- - - 4.18.0-240.el8.x86_64 #1 + Workqueue: events work_for_cpu_fn + RIP: 0010:0x0 + Code: Bad RIP value. + RSP: 0000:ffffae5f878a3c98 EFLAGS: 00010046 + RAX: 0000000000000000 RBX: ffff95e48e025c00 RCX: 0000000000000000 + RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff95e48e025c00 + RBP: ffff95e4bf3660a4 R08: 0000000000000000 R09: ffffffff86d5e100 + R10: ffff95e49e1de600 R11: 0000000000000001 R12: ffff95e4bf366180 + R13: ffff95e48e025c00 R14: ffff95e4bf366028 R15: ffff95e4bf366000 + FS: 0000000000000000(0000) GS:ffff95e4df200000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: ffffffffffffffd6 CR3: 0000000f86a0a003 CR4: 00000000001606f0 + Call Trace: + receive_context_interrupt+0x1f/0x40 [hfi1] + __free_irq+0x201/0x300 + free_irq+0x2e/0x60 + pci_free_irq+0x18/0x30 + msix_free_irq.part.2+0x46/0x80 [hfi1] + msix_clean_up_interrupts+0x2b/0x70 [hfi1] + hfi1_init_dd+0x640/0x1a90 [hfi1] + do_init_one.isra.19+0x34d/0x680 [hfi1] + local_pci_probe+0x41/0x90 + work_for_cpu_fn+0x16/0x20 + process_one_work+0x1a7/0x360 + worker_thread+0x1cf/0x390 + ? create_worker+0x1a0/0x1a0 + kthread+0x112/0x130 + ? kthread_flush_work_fn+0x10/0x10 + ret_from_fork+0x35/0x40 + +The free_irq() results in a callback to the registered interrupt handler, +and rcd->do_interrupt is NULL because the receive context data structures +are not fully initialized. + +Fix by ensuring that the do_interrupt is always assigned and adding a +guards in the slow path handler to detect and handle a partially +initialized receive context and noop the receive. + +Link: https://lore.kernel.org/r/20211129192003.101968.33612.stgit@awfm-01.cornelisnetworks.com +Cc: stable@vger.kernel.org +Fixes: b0ba3c18d6bf ("IB/hfi1: Move normal functions from hfi1_devdata to const array") +Signed-off-by: Mike Marciniszyn +Signed-off-by: Dennis Dalessandro +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/hfi1/chip.c | 2 ++ + drivers/infiniband/hw/hfi1/driver.c | 2 ++ + drivers/infiniband/hw/hfi1/init.c | 5 ++--- + 3 files changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/infiniband/hw/hfi1/chip.c ++++ b/drivers/infiniband/hw/hfi1/chip.c +@@ -8456,6 +8456,8 @@ static void receive_interrupt_common(str + */ + static void __hfi1_rcd_eoi_intr(struct hfi1_ctxtdata *rcd) + { ++ if (!rcd->rcvhdrq) ++ return; + clear_recv_intr(rcd); + if (check_packet_present(rcd)) + force_recv_intr(rcd); +--- a/drivers/infiniband/hw/hfi1/driver.c ++++ b/drivers/infiniband/hw/hfi1/driver.c +@@ -1053,6 +1053,8 @@ int handle_receive_interrupt(struct hfi1 + struct hfi1_packet packet; + int skip_pkt = 0; + ++ if (!rcd->rcvhdrq) ++ return RCV_PKT_OK; + /* Control context will always use the slow path interrupt handler */ + needset = (rcd->ctxt == HFI1_CTRL_CTXT) ? 0 : 1; + +--- a/drivers/infiniband/hw/hfi1/init.c ++++ b/drivers/infiniband/hw/hfi1/init.c +@@ -154,7 +154,6 @@ static int hfi1_create_kctxt(struct hfi1 + rcd->fast_handler = get_dma_rtail_setting(rcd) ? + handle_receive_interrupt_dma_rtail : + handle_receive_interrupt_nodma_rtail; +- rcd->slow_handler = handle_receive_interrupt; + + hfi1_set_seq_cnt(rcd, 1); + +@@ -375,6 +374,8 @@ int hfi1_create_ctxtdata(struct hfi1_ppo + rcd->numa_id = numa; + rcd->rcv_array_groups = dd->rcv_entries.ngroups; + rcd->rhf_rcv_function_map = normal_rhf_rcv_functions; ++ rcd->slow_handler = handle_receive_interrupt; ++ rcd->do_interrupt = rcd->slow_handler; + rcd->msix_intr = CCE_NUM_MSIX_VECTORS; + + mutex_init(&rcd->exp_mutex); +@@ -939,8 +940,6 @@ int hfi1_init(struct hfi1_devdata *dd, i + if (!rcd) + continue; + +- rcd->do_interrupt = &handle_receive_interrupt; +- + lastfail = hfi1_create_rcvhdrq(dd, rcd); + if (!lastfail) + lastfail = hfi1_setup_eagerbufs(rcd); diff --git a/queue-5.10/ib-hfi1-fix-leak-of-rcvhdrtail_dummy_kvaddr.patch b/queue-5.10/ib-hfi1-fix-leak-of-rcvhdrtail_dummy_kvaddr.patch new file mode 100644 index 00000000000..d05ac4a8cc6 --- /dev/null +++ b/queue-5.10/ib-hfi1-fix-leak-of-rcvhdrtail_dummy_kvaddr.patch @@ -0,0 +1,109 @@ +From 60a8b5a1611b4a26de4839ab9c1fc2a9cf3e17c1 Mon Sep 17 00:00:00 2001 +From: Mike Marciniszyn +Date: Mon, 29 Nov 2021 14:20:08 -0500 +Subject: IB/hfi1: Fix leak of rcvhdrtail_dummy_kvaddr + +From: Mike Marciniszyn + +commit 60a8b5a1611b4a26de4839ab9c1fc2a9cf3e17c1 upstream. + +This buffer is currently allocated in hfi1_init(): + + if (reinit) + ret = init_after_reset(dd); + else + ret = loadtime_init(dd); + if (ret) + goto done; + + /* allocate dummy tail memory for all receive contexts */ + dd->rcvhdrtail_dummy_kvaddr = dma_alloc_coherent(&dd->pcidev->dev, + sizeof(u64), + &dd->rcvhdrtail_dummy_dma, + GFP_KERNEL); + + if (!dd->rcvhdrtail_dummy_kvaddr) { + dd_dev_err(dd, "cannot allocate dummy tail memory\n"); + ret = -ENOMEM; + goto done; + } + +The reinit triggered path will overwrite the old allocation and leak it. + +Fix by moving the allocation to hfi1_alloc_devdata() and the deallocation +to hfi1_free_devdata(). + +Link: https://lore.kernel.org/r/20211129192008.101968.91302.stgit@awfm-01.cornelisnetworks.com +Cc: stable@vger.kernel.org +Fixes: 46b010d3eeb8 ("staging/rdma/hfi1: Workaround to prevent corruption during packet delivery") +Signed-off-by: Mike Marciniszyn +Signed-off-by: Dennis Dalessandro +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/hfi1/init.c | 33 ++++++++++++++------------------- + 1 file changed, 14 insertions(+), 19 deletions(-) + +--- a/drivers/infiniband/hw/hfi1/init.c ++++ b/drivers/infiniband/hw/hfi1/init.c +@@ -916,18 +916,6 @@ int hfi1_init(struct hfi1_devdata *dd, i + if (ret) + goto done; + +- /* allocate dummy tail memory for all receive contexts */ +- dd->rcvhdrtail_dummy_kvaddr = dma_alloc_coherent(&dd->pcidev->dev, +- sizeof(u64), +- &dd->rcvhdrtail_dummy_dma, +- GFP_KERNEL); +- +- if (!dd->rcvhdrtail_dummy_kvaddr) { +- dd_dev_err(dd, "cannot allocate dummy tail memory\n"); +- ret = -ENOMEM; +- goto done; +- } +- + /* dd->rcd can be NULL if early initialization failed */ + for (i = 0; dd->rcd && i < dd->first_dyn_alloc_ctxt; ++i) { + /* +@@ -1241,6 +1229,11 @@ void hfi1_free_devdata(struct hfi1_devda + dd->tx_opstats = NULL; + kfree(dd->comp_vect); + dd->comp_vect = NULL; ++ if (dd->rcvhdrtail_dummy_kvaddr) ++ dma_free_coherent(&dd->pcidev->dev, sizeof(u64), ++ (void *)dd->rcvhdrtail_dummy_kvaddr, ++ dd->rcvhdrtail_dummy_dma); ++ dd->rcvhdrtail_dummy_kvaddr = NULL; + sdma_clean(dd, dd->num_sdma); + rvt_dealloc_device(&dd->verbs_dev.rdi); + } +@@ -1338,6 +1331,15 @@ static struct hfi1_devdata *hfi1_alloc_d + goto bail; + } + ++ /* allocate dummy tail memory for all receive contexts */ ++ dd->rcvhdrtail_dummy_kvaddr = ++ dma_alloc_coherent(&dd->pcidev->dev, sizeof(u64), ++ &dd->rcvhdrtail_dummy_dma, GFP_KERNEL); ++ if (!dd->rcvhdrtail_dummy_kvaddr) { ++ ret = -ENOMEM; ++ goto bail; ++ } ++ + atomic_set(&dd->ipoib_rsm_usr_num, 0); + return dd; + +@@ -1545,13 +1547,6 @@ static void cleanup_device_data(struct h + + free_credit_return(dd); + +- if (dd->rcvhdrtail_dummy_kvaddr) { +- dma_free_coherent(&dd->pcidev->dev, sizeof(u64), +- (void *)dd->rcvhdrtail_dummy_kvaddr, +- dd->rcvhdrtail_dummy_dma); +- dd->rcvhdrtail_dummy_kvaddr = NULL; +- } +- + /* + * Free any resources still in use (usually just kernel contexts) + * at unload; we do for ctxtcnt, because that's what we allocate. diff --git a/queue-5.10/ib-hfi1-insure-use-of-smp_processor_id-is-preempt-disabled.patch b/queue-5.10/ib-hfi1-insure-use-of-smp_processor_id-is-preempt-disabled.patch new file mode 100644 index 00000000000..1c2e1c67ff8 --- /dev/null +++ b/queue-5.10/ib-hfi1-insure-use-of-smp_processor_id-is-preempt-disabled.patch @@ -0,0 +1,62 @@ +From b6d57e24ce6cc3df8a8845e1b193e88a65d501b1 Mon Sep 17 00:00:00 2001 +From: Mike Marciniszyn +Date: Mon, 29 Nov 2021 14:19:58 -0500 +Subject: IB/hfi1: Insure use of smp_processor_id() is preempt disabled + +From: Mike Marciniszyn + +commit b6d57e24ce6cc3df8a8845e1b193e88a65d501b1 upstream. + +The following BUG has just surfaced with our 5.16 testing: + + BUG: using smp_processor_id() in preemptible [00000000] code: mpicheck/1581081 + caller is sdma_select_user_engine+0x72/0x210 [hfi1] + CPU: 0 PID: 1581081 Comm: mpicheck Tainted: G S 5.16.0-rc1+ #1 + Hardware name: Intel Corporation S2600WT2R/S2600WT2R, BIOS SE5C610.86B.01.01.0016.033120161139 03/31/2016 + Call Trace: + + dump_stack_lvl+0x33/0x42 + check_preemption_disabled+0xbf/0xe0 + sdma_select_user_engine+0x72/0x210 [hfi1] + ? _raw_spin_unlock_irqrestore+0x1f/0x31 + ? hfi1_mmu_rb_insert+0x6b/0x200 [hfi1] + hfi1_user_sdma_process_request+0xa02/0x1120 [hfi1] + ? hfi1_write_iter+0xb8/0x200 [hfi1] + hfi1_write_iter+0xb8/0x200 [hfi1] + do_iter_readv_writev+0x163/0x1c0 + do_iter_write+0x80/0x1c0 + vfs_writev+0x88/0x1a0 + ? recalibrate_cpu_khz+0x10/0x10 + ? ktime_get+0x3e/0xa0 + ? __fget_files+0x66/0xa0 + do_writev+0x65/0x100 + do_syscall_64+0x3a/0x80 + +Fix this long standing bug by moving the smp_processor_id() to after the +rcu_read_lock(). + +The rcu_read_lock() implicitly disables preemption. + +Link: https://lore.kernel.org/r/20211129191958.101968.87329.stgit@awfm-01.cornelisnetworks.com +Cc: stable@vger.kernel.org +Fixes: 0cb2aa690c7e ("IB/hfi1: Add sysfs interface for affinity setup") +Signed-off-by: Mike Marciniszyn +Signed-off-by: Dennis Dalessandro +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/hfi1/sdma.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/infiniband/hw/hfi1/sdma.c ++++ b/drivers/infiniband/hw/hfi1/sdma.c +@@ -880,8 +880,8 @@ struct sdma_engine *sdma_select_user_eng + if (current->nr_cpus_allowed != 1) + goto out; + +- cpu_id = smp_processor_id(); + rcu_read_lock(); ++ cpu_id = smp_processor_id(); + rht_node = rhashtable_lookup(dd->sdma_rht, &cpu_id, + sdma_rht_params); + diff --git a/queue-5.10/net-dsa-mv88e6xxx-allow-use-of-phys-on-cpu-and-dsa-ports.patch b/queue-5.10/net-dsa-mv88e6xxx-allow-use-of-phys-on-cpu-and-dsa-ports.patch new file mode 100644 index 00000000000..cc3a461eb12 --- /dev/null +++ b/queue-5.10/net-dsa-mv88e6xxx-allow-use-of-phys-on-cpu-and-dsa-ports.patch @@ -0,0 +1,117 @@ +From 04ec4e6250e5f58b525b08f3dca45c7d7427620e Mon Sep 17 00:00:00 2001 +From: "Russell King (Oracle)" +Date: Thu, 9 Dec 2021 09:26:47 +0000 +Subject: net: dsa: mv88e6xxx: allow use of PHYs on CPU and DSA ports + +From: Russell King (Oracle) + +commit 04ec4e6250e5f58b525b08f3dca45c7d7427620e upstream. + +Martyn Welch reports that his CPU port is unable to link where it has +been necessary to use one of the switch ports with an internal PHY for +the CPU port. The reason behind this is the port control register is +left forcing the link down, preventing traffic flow. + +This occurs because during initialisation, phylink expects the link to +be down, and DSA forces the link down by synthesising a call to the +DSA drivers phylink_mac_link_down() method, but we don't touch the +forced-link state when we later reconfigure the port. + +Resolve this by also unforcing the link state when we are operating in +PHY mode and the PPU is set to poll the PHY to retrieve link status +information. + +Reported-by: Martyn Welch +Tested-by: Martyn Welch +Fixes: 3be98b2d5fbc ("net: dsa: Down cpu/dsa ports phylink will control") +Cc: # 5.7: 2b29cb9e3f7f: net: dsa: mv88e6xxx: fix "don't use PHY_DETECT on internal PHY's" +Signed-off-by: Russell King (Oracle) +Link: https://lore.kernel.org/r/E1mvFhP-00F8Zb-Ul@rmk-PC.armlinux.org.uk +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/mv88e6xxx/chip.c | 66 ++++++++++++++++++++------------------- + 1 file changed, 35 insertions(+), 31 deletions(-) + +--- a/drivers/net/dsa/mv88e6xxx/chip.c ++++ b/drivers/net/dsa/mv88e6xxx/chip.c +@@ -666,44 +666,48 @@ static void mv88e6xxx_mac_config(struct + { + struct mv88e6xxx_chip *chip = ds->priv; + struct mv88e6xxx_port *p; +- int err; ++ int err = 0; + + p = &chip->ports[port]; + +- /* FIXME: is this the correct test? If we're in fixed mode on an +- * internal port, why should we process this any different from +- * PHY mode? On the other hand, the port may be automedia between +- * an internal PHY and the serdes... +- */ +- if ((mode == MLO_AN_PHY) && mv88e6xxx_phy_is_internal(ds, port)) +- return; +- + mv88e6xxx_reg_lock(chip); +- /* In inband mode, the link may come up at any time while the link +- * is not forced down. Force the link down while we reconfigure the +- * interface mode. +- */ +- if (mode == MLO_AN_INBAND && p->interface != state->interface && +- chip->info->ops->port_set_link) +- chip->info->ops->port_set_link(chip, port, LINK_FORCED_DOWN); +- +- err = mv88e6xxx_port_config_interface(chip, port, state->interface); +- if (err && err != -EOPNOTSUPP) +- goto err_unlock; +- +- err = mv88e6xxx_serdes_pcs_config(chip, port, mode, state->interface, +- state->advertising); +- /* FIXME: we should restart negotiation if something changed - which +- * is something we get if we convert to using phylinks PCS operations. +- */ +- if (err > 0) +- err = 0; ++ ++ if (mode != MLO_AN_PHY || !mv88e6xxx_phy_is_internal(ds, port)) { ++ /* In inband mode, the link may come up at any time while the ++ * link is not forced down. Force the link down while we ++ * reconfigure the interface mode. ++ */ ++ if (mode == MLO_AN_INBAND && ++ p->interface != state->interface && ++ chip->info->ops->port_set_link) ++ chip->info->ops->port_set_link(chip, port, ++ LINK_FORCED_DOWN); ++ ++ err = mv88e6xxx_port_config_interface(chip, port, ++ state->interface); ++ if (err && err != -EOPNOTSUPP) ++ goto err_unlock; ++ ++ err = mv88e6xxx_serdes_pcs_config(chip, port, mode, ++ state->interface, ++ state->advertising); ++ /* FIXME: we should restart negotiation if something changed - ++ * which is something we get if we convert to using phylinks ++ * PCS operations. ++ */ ++ if (err > 0) ++ err = 0; ++ } + + /* Undo the forced down state above after completing configuration +- * irrespective of its state on entry, which allows the link to come up. ++ * irrespective of its state on entry, which allows the link to come ++ * up in the in-band case where there is no separate SERDES. Also ++ * ensure that the link can come up if the PPU is in use and we are ++ * in PHY mode (we treat the PPU as an effective in-band mechanism.) + */ +- if (mode == MLO_AN_INBAND && p->interface != state->interface && +- chip->info->ops->port_set_link) ++ if (chip->info->ops->port_set_link && ++ ((mode == MLO_AN_INBAND && p->interface != state->interface) || ++ (mode == MLO_AN_PHY && mv88e6xxx_port_ppu_updates(chip, port)))) + chip->info->ops->port_set_link(chip, port, LINK_UNFORCED); + + p->interface = state->interface; diff --git a/queue-5.10/nft_set_pipapo-fix-bucket-load-in-avx2-lookup-routine-for-six-8-bit-groups.patch b/queue-5.10/nft_set_pipapo-fix-bucket-load-in-avx2-lookup-routine-for-six-8-bit-groups.patch new file mode 100644 index 00000000000..ee4577add58 --- /dev/null +++ b/queue-5.10/nft_set_pipapo-fix-bucket-load-in-avx2-lookup-routine-for-six-8-bit-groups.patch @@ -0,0 +1,39 @@ +From b7e945e228d7df1b1473ef6fd2cdec67433065fb Mon Sep 17 00:00:00 2001 +From: Stefano Brivio +Date: Sat, 27 Nov 2021 11:33:37 +0100 +Subject: nft_set_pipapo: Fix bucket load in AVX2 lookup routine for six 8-bit groups + +From: Stefano Brivio + +commit b7e945e228d7df1b1473ef6fd2cdec67433065fb upstream. + +The sixth byte of packet data has to be looked up in the sixth group, +not in the seventh one, even if we load the bucket data into ymm6 +(and not ymm5, for convenience of tracking stalls). + +Without this fix, matching on a MAC address as first field of a set, +if 8-bit groups are selected (due to a small set size) would fail, +that is, the given MAC address would never match. + +Reported-by: Nikita Yushchenko +Cc: # 5.6.x +Fixes: 7400b063969b ("nft_set_pipapo: Introduce AVX2-based lookup implementation") +Signed-off-by: Stefano Brivio +Tested-By: Nikita Yushchenko +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/nft_set_pipapo_avx2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/netfilter/nft_set_pipapo_avx2.c ++++ b/net/netfilter/nft_set_pipapo_avx2.c +@@ -887,7 +887,7 @@ static int nft_pipapo_avx2_lookup_8b_6(u + NFT_PIPAPO_AVX2_BUCKET_LOAD8(4, lt, 4, pkt[4], bsize); + + NFT_PIPAPO_AVX2_AND(5, 0, 1); +- NFT_PIPAPO_AVX2_BUCKET_LOAD8(6, lt, 6, pkt[5], bsize); ++ NFT_PIPAPO_AVX2_BUCKET_LOAD8(6, lt, 5, pkt[5], bsize); + NFT_PIPAPO_AVX2_AND(7, 2, 3); + + /* Stall */ diff --git a/queue-5.10/series b/queue-5.10/series index d8cb040659c..92814176d70 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -10,3 +10,12 @@ hid-add-usb_hid-dependancy-on-some-usb-hid-drivers.patch hid-bigbenff-prevent-null-pointer-dereference.patch hid-wacom-fix-problems-when-device-is-not-a-valid-usb-device.patch hid-check-for-valid-usb-device-for-many-hid-drivers.patch +nft_set_pipapo-fix-bucket-load-in-avx2-lookup-routine-for-six-8-bit-groups.patch +ib-hfi1-insure-use-of-smp_processor_id-is-preempt-disabled.patch +ib-hfi1-fix-early-init-panic.patch +ib-hfi1-fix-leak-of-rcvhdrtail_dummy_kvaddr.patch +can-kvaser_usb-get-can-clock-frequency-from-device.patch +can-kvaser_pciefd-kvaser_pciefd_rx_error_frame-increase-correct-stats-rx-tx-_errors-counter.patch +can-sja1000-fix-use-after-free-in-ems_pcmcia_add_card.patch +net-dsa-mv88e6xxx-allow-use-of-phys-on-cpu-and-dsa-ports.patch +x86-sme-explicitly-map-new-efi-memmap-table-as-encrypted.patch diff --git a/queue-5.10/x86-sme-explicitly-map-new-efi-memmap-table-as-encrypted.patch b/queue-5.10/x86-sme-explicitly-map-new-efi-memmap-table-as-encrypted.patch new file mode 100644 index 00000000000..22fe76d6dcf --- /dev/null +++ b/queue-5.10/x86-sme-explicitly-map-new-efi-memmap-table-as-encrypted.patch @@ -0,0 +1,60 @@ +From 1ff2fc02862d52e18fd3daabcfe840ec27e920a8 Mon Sep 17 00:00:00 2001 +From: Tom Lendacky +Date: Wed, 20 Oct 2021 13:02:11 -0500 +Subject: x86/sme: Explicitly map new EFI memmap table as encrypted + +From: Tom Lendacky + +commit 1ff2fc02862d52e18fd3daabcfe840ec27e920a8 upstream. + +Reserving memory using efi_mem_reserve() calls into the x86 +efi_arch_mem_reserve() function. This function will insert a new EFI +memory descriptor into the EFI memory map representing the area of +memory to be reserved and marking it as EFI runtime memory. As part +of adding this new entry, a new EFI memory map is allocated and mapped. +The mapping is where a problem can occur. This new memory map is mapped +using early_memremap() and generally mapped encrypted, unless the new +memory for the mapping happens to come from an area of memory that is +marked as EFI_BOOT_SERVICES_DATA memory. In this case, the new memory will +be mapped unencrypted. However, during replacement of the old memory map, +efi_mem_type() is disabled, so the new memory map will now be long-term +mapped encrypted (in efi.memmap), resulting in the map containing invalid +data and causing the kernel boot to crash. + +Since it is known that the area will be mapped encrypted going forward, +explicitly map the new memory map as encrypted using early_memremap_prot(). + +Cc: # 4.14.x +Fixes: 8f716c9b5feb ("x86/mm: Add support to access boot related data in the clear") +Link: https://lore.kernel.org/all/ebf1eb2940405438a09d51d121ec0d02c8755558.1634752931.git.thomas.lendacky@amd.com/ +Signed-off-by: Tom Lendacky +[ardb: incorporate Kconfig fix by Arnd] +Signed-off-by: Ard Biesheuvel +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/Kconfig | 1 + + arch/x86/platform/efi/quirks.c | 3 ++- + 2 files changed, 3 insertions(+), 1 deletion(-) + +--- a/arch/x86/Kconfig ++++ b/arch/x86/Kconfig +@@ -1939,6 +1939,7 @@ config EFI + depends on ACPI + select UCS2_STRING + select EFI_RUNTIME_WRAPPERS ++ select ARCH_USE_MEMREMAP_PROT + help + This enables the kernel to use EFI runtime services that are + available (such as the EFI variable services). +--- a/arch/x86/platform/efi/quirks.c ++++ b/arch/x86/platform/efi/quirks.c +@@ -277,7 +277,8 @@ void __init efi_arch_mem_reserve(phys_ad + return; + } + +- new = early_memremap(data.phys_map, data.size); ++ new = early_memremap_prot(data.phys_map, data.size, ++ pgprot_val(pgprot_encrypted(FIXMAP_PAGE_NORMAL))); + if (!new) { + pr_err("Failed to map new boot services memmap\n"); + return;