From: Sasha Levin
Date: Sun, 19 Dec 2021 03:02:44 +0000 (-0500)
Subject: Fixes for 5.15
X-Git-Tag: v4.4.296~57
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5965a831e89a767c13e1e42cee53598e73cfed64;p=thirdparty%2Fkernel%2Fstable-queue.git
Fixes for 5.15
Signed-off-by: Sasha Levin
---
diff --git a/queue-5.15/afs-fix-mmap.patch b/queue-5.15/afs-fix-mmap.patch
new file mode 100644
index 00000000000..dc372fd53aa
--- /dev/null
+++ b/queue-5.15/afs-fix-mmap.patch
@@ -0,0 +1,61 @@
+From c2019975611f5beb89f05001afd9fd0edcccd2ed Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 14 Dec 2021 09:22:12 +0000
+Subject: afs: Fix mmap
+
+From: David Howells
+
+[ Upstream commit 1744a22ae948799da7927b53ec97ccc877ff9d61 ]
+
+Fix afs_add_open_map() to check that the vnode isn't already on the list
+when it adds it. It's possible that afs_drop_open_mmap() decremented
+the cb_nr_mmap counter, but hadn't yet got into the locked section to
+remove it.
+
+Also vnode->cb_mmap_link should be initialised, so fix that too.
+
+Fixes: 6e0e99d58a65 ("afs: Fix mmap coherency vs 3rd-party changes")
+Reported-by: kafs-testing+fedora34_64checkkafs-build-300@auristor.com
+Suggested-by: Marc Dionne
+Signed-off-by: David Howells
+Tested-by: kafs-testing+fedora34_64checkkafs-build-300@auristor.com
+cc: linux-afs@lists.infradead.org
+Link: https://lore.kernel.org/r/686465.1639435380@warthog.procyon.org.uk/ # v1
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ fs/afs/file.c | 5 +++--
+ fs/afs/super.c | 1 +
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/fs/afs/file.c b/fs/afs/file.c
+index e6c447ae91f38..b165377179c3c 100644
+--- a/fs/afs/file.c
++++ b/fs/afs/file.c
+@@ -502,8 +502,9 @@ static void afs_add_open_mmap(struct afs_vnode *vnode)
+ if (atomic_inc_return(&vnode->cb_nr_mmap) == 1) {
+ down_write(&vnode->volume->cell->fs_open_mmaps_lock);
+
+- list_add_tail(&vnode->cb_mmap_link,
+- &vnode->volume->cell->fs_open_mmaps);
++ if (list_empty(&vnode->cb_mmap_link))
++ list_add_tail(&vnode->cb_mmap_link,
++ &vnode->volume->cell->fs_open_mmaps);
+
+ up_write(&vnode->volume->cell->fs_open_mmaps_lock);
+ }
+diff --git a/fs/afs/super.c b/fs/afs/super.c
+index d110def8aa8eb..34c68724c98be 100644
+--- a/fs/afs/super.c
++++ b/fs/afs/super.c
+@@ -667,6 +667,7 @@ static void afs_i_init_once(void *_vnode)
+ INIT_LIST_HEAD(&vnode->pending_locks);
+ INIT_LIST_HEAD(&vnode->granted_locks);
+ INIT_DELAYED_WORK(&vnode->lock_work, afs_lock_work);
++ INIT_LIST_HEAD(&vnode->cb_mmap_link);
+ seqlock_init(&vnode->cb_lock);
+ }
+
+--
+2.33.0
+
diff --git a/queue-5.15/arm-socfpga-dts-fix-qspi-node-compatible.patch b/queue-5.15/arm-socfpga-dts-fix-qspi-node-compatible.patch
new file mode 100644
index 00000000000..f48f768fb6a
--- /dev/null
+++ b/queue-5.15/arm-socfpga-dts-fix-qspi-node-compatible.patch
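Review bot: The new `list_empty(&vnode->cb_mmap_link)` test in afs_add_open_mmap() is only reliable if every path that unlinks the vnode leaves the node re-initialised (`list_del_init()` rather than `list_del()`); the drop side is not part of this patch, so that should be confirmed. The check also deserves a comment, because the reason for it is only in the commit message: `/* afs_drop_open_mmap() may have dropped cb_nr_mmap to 0 but not yet unlinked us */`. The body of afs_add_open_mmap() starts outside the hunk.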
@@ -0,0 +1,128 @@
+From a9e082b4c0aa3b7045347e8a7142380ddfa1300a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 1 Nov 2021 19:36:30 -0500
+Subject: ARM: socfpga: dts: fix qspi node compatible
+
+From: Dinh Nguyen
+
+[ Upstream commit cb25b11943cbcc5a34531129952870420f8be858 ]
+
+The QSPI flash node needs to have the required "jedec,spi-nor" in the
+compatible string.
+
+Fixes: 1df99da8953 ("ARM: dts: socfpga: Enable QSPI in Arria10 devkit")
+Signed-off-by: Dinh Nguyen
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/socfpga_arria10_socdk_qspi.dts | 2 +-
+ arch/arm/boot/dts/socfpga_arria5_socdk.dts | 2 +-
+ arch/arm/boot/dts/socfpga_cyclone5_socdk.dts | 2 +-
+ arch/arm/boot/dts/socfpga_cyclone5_sockit.dts | 2 +-
+ arch/arm/boot/dts/socfpga_cyclone5_socrates.dts | 2 +-
+ arch/arm/boot/dts/socfpga_cyclone5_sodia.dts | 2 +-
+ arch/arm/boot/dts/socfpga_cyclone5_vining_fpga.dts | 4 ++--
+ 7 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/arch/arm/boot/dts/socfpga_arria10_socdk_qspi.dts b/arch/arm/boot/dts/socfpga_arria10_socdk_qspi.dts
+index 2b645642b9352..2a745522404d6 100644
+--- a/arch/arm/boot/dts/socfpga_arria10_socdk_qspi.dts
++++ b/arch/arm/boot/dts/socfpga_arria10_socdk_qspi.dts
+@@ -12,7 +12,7 @@ &qspi {
+ flash0: n25q00@0 {
+ #address-cells = <1>;
+ #size-cells = <1>;
+- compatible = "n25q00aa";
++ compatible = "micron,mt25qu02g", "jedec,spi-nor";
+ reg = <0>;
+ spi-max-frequency = <100000000>;
+
+diff --git a/arch/arm/boot/dts/socfpga_arria5_socdk.dts b/arch/arm/boot/dts/socfpga_arria5_socdk.dts
+index 90e676e7019f2..1b02d46496a85 100644
+--- a/arch/arm/boot/dts/socfpga_arria5_socdk.dts
++++ b/arch/arm/boot/dts/socfpga_arria5_socdk.dts
+@@ -119,7 +119,7 @@ &qspi {
+ flash: flash@0 {
+ #address-cells = <1>;
+ #size-cells = <1>;
+- compatible = "n25q256a";
++ compatible = "micron,n25q256a", "jedec,spi-nor";
+ reg = <0>;
+ spi-max-frequency = <100000000>;
+
+diff --git a/arch/arm/boot/dts/socfpga_cyclone5_socdk.dts b/arch/arm/boot/dts/socfpga_cyclone5_socdk.dts
+index 6f138b2b26163..51bb436784e24 100644
+--- a/arch/arm/boot/dts/socfpga_cyclone5_socdk.dts
++++ b/arch/arm/boot/dts/socfpga_cyclone5_socdk.dts
+@@ -124,7 +124,7 @@ &qspi {
+ flash0: n25q00@0 {
+ #address-cells = <1>;
+ #size-cells = <1>;
+- compatible = "n25q00";
++ compatible = "micron,mt25qu02g", "jedec,spi-nor";
+ reg = <0>; /* chip select */
+ spi-max-frequency = <100000000>;
+
+diff --git a/arch/arm/boot/dts/socfpga_cyclone5_sockit.dts b/arch/arm/boot/dts/socfpga_cyclone5_sockit.dts
+index c155ff02eb6e0..cae9ddd5ed38b 100644
+--- a/arch/arm/boot/dts/socfpga_cyclone5_sockit.dts
++++ b/arch/arm/boot/dts/socfpga_cyclone5_sockit.dts
+@@ -169,7 +169,7 @@ &qspi {
+ flash: flash@0 {
+ #address-cells = <1>;
+ #size-cells = <1>;
+- compatible = "n25q00";
++ compatible = "micron,mt25qu02g", "jedec,spi-nor";
+ reg = <0>;
+ spi-max-frequency = <100000000>;
+
+diff --git a/arch/arm/boot/dts/socfpga_cyclone5_socrates.dts b/arch/arm/boot/dts/socfpga_cyclone5_socrates.dts
+index 8d5d3996f6f27..ca18b959e6559 100644
+--- a/arch/arm/boot/dts/socfpga_cyclone5_socrates.dts
++++ b/arch/arm/boot/dts/socfpga_cyclone5_socrates.dts
+@@ -80,7 +80,7 @@ &qspi {
+ flash: flash@0 {
+ #address-cells = <1>;
+ #size-cells = <1>;
+- compatible = "n25q256a";
++ compatible = "micron,n25q256a", "jedec,spi-nor";
+ reg = <0>;
+ spi-max-frequency = <100000000>;
+ m25p,fast-read;
+diff --git a/arch/arm/boot/dts/socfpga_cyclone5_sodia.dts b/arch/arm/boot/dts/socfpga_cyclone5_sodia.dts
+index 99a71757cdf46..3f7aa7bf0863a 100644
+--- a/arch/arm/boot/dts/socfpga_cyclone5_sodia.dts
++++ b/arch/arm/boot/dts/socfpga_cyclone5_sodia.dts
+@@ -116,7 +116,7 @@ &qspi {
+ flash0: n25q512a@0 {
+ #address-cells = <1>;
+ #size-cells = <1>;
+- compatible = "n25q512a";
++ compatible = "micron,n25q512a", "jedec,spi-nor";
+ reg = <0>;
+ spi-max-frequency = <100000000>;
+
+diff --git a/arch/arm/boot/dts/socfpga_cyclone5_vining_fpga.dts b/arch/arm/boot/dts/socfpga_cyclone5_vining_fpga.dts
+index a060718758b67..25874e1b9c829 100644
+--- a/arch/arm/boot/dts/socfpga_cyclone5_vining_fpga.dts
++++ b/arch/arm/boot/dts/socfpga_cyclone5_vining_fpga.dts
+@@ -224,7 +224,7 @@ &qspi {
+ n25q128@0 {
+ #address-cells = <1>;
+ #size-cells = <1>;
+- compatible = "n25q128";
++ compatible = "micron,n25q128", "jedec,spi-nor";
+ reg = <0>; /* chip select */
+ spi-max-frequency = <100000000>;
+ m25p,fast-read;
+@@ -241,7 +241,7 @@ n25q128@0 {
+ n25q00@1 {
+ #address-cells = <1>;
+ #size-cells = <1>;
+- compatible = "n25q00";
++ compatible = "micron,mt25qu02g", "jedec,spi-nor";
+ reg = <1>; /* chip select */
+ spi-max-frequency = <100000000>;
+ m25p,fast-read;
+--
+2.33.0
+
diff --git a/queue-5.15/arm64-dts-imx8mq-remove-interconnect-property-from-l.patch b/queue-5.15/arm64-dts-imx8mq-remove-interconnect-property-from-l.patch
new file mode 100644
index 00000000000..69a9315b358
--- /dev/null
+++ b/queue-5.15/arm64-dts-imx8mq-remove-interconnect-property-from-l.patch
@@ -0,0 +1,39 @@
+From 988ca265d9eadef7a771f6355af61eaad610ee71 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 24 Nov 2021 09:37:03 +0100
+Subject: arm64: dts: imx8mq: remove interconnect property from lcdif
+
+From: Martin Kepplinger
+
+[ Upstream commit e5e6268f77badf18bd6ab435364cfe21c7396c31 ]
+
+The mxsfb driver handling imx8mq lcdif doesn't yet request the
+interconnect bandwidth that's needed at runtime when the description is
+present in the DT node.
+
+So remove that description and bring it back when it's supported.
+
+Fixes: ad1abc8a03fd ("arm64: dts: imx8mq: Add interconnect for lcdif")
+Signed-off-by: Martin Kepplinger
+Signed-off-by: Shawn Guo
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/boot/dts/freescale/imx8mq.dtsi | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/freescale/imx8mq.dtsi b/arch/arm64/boot/dts/freescale/imx8mq.dtsi
+index 4066b16126552..2bc57d8f29c7f 100644
+--- a/arch/arm64/boot/dts/freescale/imx8mq.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8mq.dtsi
+@@ -524,8 +524,6 @@ lcdif: lcd-controller@30320000 {
+ <&clk IMX8MQ_VIDEO_PLL1>,
+ <&clk IMX8MQ_VIDEO_PLL1_OUT>;
+ assigned-clock-rates = <0>, <0>, <0>, <594000000>;
+- interconnects = <&noc IMX8MQ_ICM_LCDIF &noc IMX8MQ_ICS_DRAM>;
+- interconnect-names = "dram";
+ status = "disabled";
+
+ port@0 {
+--
+2.33.0
+
diff --git a/queue-5.15/arm64-dts-rockchip-fix-audio-supply-for-rock-pi-4.patch b/queue-5.15/arm64-dts-rockchip-fix-audio-supply-for-rock-pi-4.patch
new file mode 100644
index 00000000000..70e3dc05208
--- /dev/null
+++ b/queue-5.15/arm64-dts-rockchip-fix-audio-supply-for-rock-pi-4.patch
@@ -0,0 +1,46 @@
+From 7723fb0f41657d82c10e635dc71cdab4b1656c58 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 27 Oct 2021 16:37:25 +0200
+Subject: arm64: dts: rockchip: fix audio-supply for Rock Pi 4
+
+From: Alex Bee
+
+[ Upstream commit 8240e87f16d17a9592c9d67857a3dcdbcb98f10d ]
+
+As stated in the schematics [1] and [2] P5 the APIO5 domain is supplied
+by RK808-D Buck4, which in our case vcc1v8_codec - i.e. a 1.8 V regulator.
+
+Currently only white noise comes from the ES8316's output, which - for
+whatever reason - came up only after the the correct switch from i2s0_8ch_bus
+to i2s0_2ch_bus for i2s0's pinctrl was done.
+
+Fix this by setting the correct regulator for audio-supply.
+
+[1] https://dl.radxa.com/rockpi4/docs/hw/rockpi4/rockpi4_v13_sch_20181112.pdf
+[2] https://dl.radxa.com/rockpi4/docs/hw/rockpi4/rockpi_4c_v12_sch_20200620.pdf
+
+Fixes: 1b5715c602fd ("arm64: dts: rockchip: add ROCK Pi 4 DTS support")
+Signed-off-by: Alex Bee
+Link: https://lore.kernel.org/r/20211027143726.165809-1-knaerzche@gmail.com
+Signed-off-by: Heiko Stuebner
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/boot/dts/rockchip/rk3399-rock-pi-4.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/rockchip/rk3399-rock-pi-4.dtsi b/arch/arm64/boot/dts/rockchip/rk3399-rock-pi-4.dtsi
+index b28888ea9262e..100a769165ef9 100644
+--- a/arch/arm64/boot/dts/rockchip/rk3399-rock-pi-4.dtsi
++++ b/arch/arm64/boot/dts/rockchip/rk3399-rock-pi-4.dtsi
+@@ -457,7 +457,7 @@ &io_domains {
+ status = "okay";
+
+ bt656-supply = <&vcc_3v0>;
+- audio-supply = <&vcc_3v0>;
++ audio-supply = <&vcc1v8_codec>;
+ sdmmc-supply = <&vcc_sdio>;
+ gpio1830-supply = <&vcc_3v0>;
+ };
+--
+2.33.0
+
diff --git a/queue-5.15/arm64-dts-rockchip-fix-poweroff-on-helios64.patch b/queue-5.15/arm64-dts-rockchip-fix-poweroff-on-helios64.patch
new file mode 100644
index 00000000000..316b35f0270
--- /dev/null
+++ b/queue-5.15/arm64-dts-rockchip-fix-poweroff-on-helios64.patch
@@ -0,0 +1,37 @@
+From 62203660580a721a314c8a220bf969050c7d36c8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 20 Oct 2021 11:59:23 +0200
+Subject: arm64: dts: rockchip: fix poweroff on helios64
+
+From: Florian Klink
+
+[ Upstream commit aef4b9a89a376a9cabe5e744729914e7766c59bb ]
+
+Adding the rockchip,system-power-controller property here will use the
+rk808 to power off the system.
+
+Fixes: 09e006cfb43e ("arm64: dts: rockchip: Add basic support for Kobol's Helios64")
+Signed-off-by: Florian Klink
+Tested-by: Dennis Gilmore
+Link: https://lore.kernel.org/r/20211020095926.735938-2-flokli@flokli.de
+Signed-off-by: Heiko Stuebner
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/boot/dts/rockchip/rk3399-kobol-helios64.dts | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm64/boot/dts/rockchip/rk3399-kobol-helios64.dts b/arch/arm64/boot/dts/rockchip/rk3399-kobol-helios64.dts
+index 738cfd21df3ef..354f54767bad8 100644
+--- a/arch/arm64/boot/dts/rockchip/rk3399-kobol-helios64.dts
++++ b/arch/arm64/boot/dts/rockchip/rk3399-kobol-helios64.dts
+@@ -269,6 +269,7 @@ rk808: pmic@1b {
+ clock-output-names = "xin32k", "rk808-clkout2";
+ pinctrl-names = "default";
+ pinctrl-0 = <&pmic_int_l>;
++ rockchip,system-power-controller;
+ vcc1-supply = <&vcc5v0_sys>;
+ vcc2-supply = <&vcc5v0_sys>;
+ vcc3-supply = <&vcc5v0_sys>;
+--
+2.33.0
+
diff --git a/queue-5.15/arm64-dts-rockchip-fix-rk3308-roc-cc-vcc-sd-supply.patch b/queue-5.15/arm64-dts-rockchip-fix-rk3308-roc-cc-vcc-sd-supply.patch
new file mode 100644
index 00000000000..aee02d7c21b
--- /dev/null
+++ b/queue-5.15/arm64-dts-rockchip-fix-rk3308-roc-cc-vcc-sd-supply.patch
@@ -0,0 +1,38 @@
+From cb0bd3799d7bc1c157f711eb790523592d04c17e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 2 Nov 2021 18:29:07 +0000
+Subject: arm64: dts: rockchip: fix rk3308-roc-cc vcc-sd supply
+
+From: John Keeping
+
+[ Upstream commit 772fb46109f635dd75db20c86b7eaf48efa46cef ]
+
+Correct a typo in the vin-supply property. The input supply is
+always-on, so this mistake doesn't affect whether the supply is actually
+enabled correctly.
+
+Fixes: 4403e1237be3 ("arm64: dts: rockchip: Add devicetree for board roc-rk3308-cc")
+Signed-off-by: John Keeping
+Link: https://lore.kernel.org/r/20211102182908.3409670-2-john@metanate.com
+Signed-off-by: Heiko Stuebner
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/boot/dts/rockchip/rk3308-roc-cc.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/rockchip/rk3308-roc-cc.dts b/arch/arm64/boot/dts/rockchip/rk3308-roc-cc.dts
+index 665b2e69455dd..ea6820902ede0 100644
+--- a/arch/arm64/boot/dts/rockchip/rk3308-roc-cc.dts
++++ b/arch/arm64/boot/dts/rockchip/rk3308-roc-cc.dts
+@@ -97,7 +97,7 @@ vcc_sd: vcc-sd {
+ regulator-max-microvolt = <3300000>;
+ regulator-always-on;
+ regulator-boot-on;
+- vim-supply = <&vcc_io>;
++ vin-supply = <&vcc_io>;
+ };
+
+ vdd_core: vdd-core {
+--
+2.33.0
+
diff --git a/queue-5.15/arm64-dts-rockchip-fix-rk3399-leez-p710-vcc3v3-lan-s.patch b/queue-5.15/arm64-dts-rockchip-fix-rk3399-leez-p710-vcc3v3-lan-s.patch
new file mode 100644
index 00000000000..6de93fda428
--- /dev/null
+++ b/queue-5.15/arm64-dts-rockchip-fix-rk3399-leez-p710-vcc3v3-lan-s.patch
@@ -0,0 +1,38 @@
+From 73a3deacab51c8f902b6fb7ed6c06e37cc417750 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 2 Nov 2021 18:29:08 +0000
+Subject: arm64: dts: rockchip: fix rk3399-leez-p710 vcc3v3-lan supply
+
+From: John Keeping
+
+[ Upstream commit 2b454a90e2ccdd6e03f88f930036da4df577be76 ]
+
+Correct a typo in the vin-supply property. The input supply is
+always-on, so this mistake doesn't affect whether the supply is actually
+enabled correctly.
+
+Fixes: fc702ed49a86 ("arm64: dts: rockchip: Add dts for Leez RK3399 P710 SBC")
+Signed-off-by: John Keeping
+Link: https://lore.kernel.org/r/20211102182908.3409670-3-john@metanate.com
+Signed-off-by: Heiko Stuebner
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/boot/dts/rockchip/rk3399-leez-p710.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/rockchip/rk3399-leez-p710.dts b/arch/arm64/boot/dts/rockchip/rk3399-leez-p710.dts
+index 7c93f840bc64f..e890166e7fd43 100644
+--- a/arch/arm64/boot/dts/rockchip/rk3399-leez-p710.dts
++++ b/arch/arm64/boot/dts/rockchip/rk3399-leez-p710.dts
+@@ -55,7 +55,7 @@ vcc3v3_lan: vcc3v3-lan {
+ regulator-boot-on;
+ regulator-min-microvolt = <3300000>;
+ regulator-max-microvolt = <3300000>;
+- vim-supply = <&vcc3v3_sys>;
++ vin-supply = <&vcc3v3_sys>;
+ };
+
+ vcc3v3_sys: vcc3v3-sys {
+--
+2.33.0
+
diff --git a/queue-5.15/arm64-dts-rockchip-remove-mmc-hs400-enhanced-strobe-.patch b/queue-5.15/arm64-dts-rockchip-remove-mmc-hs400-enhanced-strobe-.patch
new file mode 100644
index 00000000000..51343156ca7
--- /dev/null
+++ b/queue-5.15/arm64-dts-rockchip-remove-mmc-hs400-enhanced-strobe-.patch
@@ -0,0 +1,62 @@
+From 7bc96fc83bceec3f147fd3694b14dd7b4f0f526e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 15 Nov 2021 16:33:21 +0800
+Subject: arm64: dts: rockchip: remove mmc-hs400-enhanced-strobe from
+ rk3399-khadas-edge
+
+From: Artem Lapkin
+
+[ Upstream commit 6dd0053683804427529ef3523f7872f473440a19 ]
+
+Remove mmc-hs400-enhanced-strobe from the rk3399-khadas-edge dts to
+improve compatibility with a wider range of eMMC chips.
+
+Before (BJTD4R 29.1 GiB):
+
+[ 7.001493] mmc2: CQHCI version 5.10
+[ 7.027971] mmc2: SDHCI controller on fe330000.mmc [fe330000.mmc] using ADMA
+.......
+[ 7.207086] mmc2: mmc_select_hs400es failed, error -110
+[ 7.207129] mmc2: error -110 whilst initialising MMC card
+[ 7.308893] mmc2: mmc_select_hs400es failed, error -110
+[ 7.308921] mmc2: error -110 whilst initialising MMC card
+[ 7.427524] mmc2: mmc_select_hs400es failed, error -110
+[ 7.427546] mmc2: error -110 whilst initialising MMC card
+[ 7.590993] mmc2: mmc_select_hs400es failed, error -110
+[ 7.591012] mmc2: error -110 whilst initialising MMC card
+
+After:
+
+[ 6.960785] mmc2: CQHCI version 5.10
+[ 6.984672] mmc2: SDHCI controller on fe330000.mmc [fe330000.mmc] using ADMA
+[ 7.175021] mmc2: Command Queue Engine enabled
+[ 7.175053] mmc2: new HS400 MMC card at address 0001
+[ 7.175808] mmcblk2: mmc2:0001 BJTD4R 29.1 GiB
+[ 7.176033] mmcblk2boot0: mmc2:0001 BJTD4R 4.00 MiB
+[ 7.176245] mmcblk2boot1: mmc2:0001 BJTD4R 4.00 MiB
+[ 7.176495] mmcblk2rpmb: mmc2:0001 BJTD4R 4.00 MiB, chardev (242:0)
+
+Fixes: c2aacceedc86 ("arm64: dts: rockchip: Add support for Khadas Edge/Edge-V/Captain boards")
+Signed-off-by: Artem Lapkin
+Link: https://lore.kernel.org/r/20211115083321.2627461-1-art@khadas.com
+Signed-off-by: Heiko Stuebner
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/boot/dts/rockchip/rk3399-khadas-edge.dtsi | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/rockchip/rk3399-khadas-edge.dtsi b/arch/arm64/boot/dts/rockchip/rk3399-khadas-edge.dtsi
+index d5c7648c841dc..f1fcc6b5b402c 100644
+--- a/arch/arm64/boot/dts/rockchip/rk3399-khadas-edge.dtsi
++++ b/arch/arm64/boot/dts/rockchip/rk3399-khadas-edge.dtsi
+@@ -705,7 +705,6 @@ &sdmmc {
+ &sdhci {
+ bus-width = <8>;
+ mmc-hs400-1_8v;
+- mmc-hs400-enhanced-strobe;
+ non-removable;
+ status = "okay";
+ };
+--
+2.33.0
+
diff --git a/queue-5.15/arm64-kexec-fix-missing-error-code-ret-warning-in-lo.patch b/queue-5.15/arm64-kexec-fix-missing-error-code-ret-warning-in-lo.patch
new file mode 100644
index 00000000000..90300995023
--- /dev/null
+++ b/queue-5.15/arm64-kexec-fix-missing-error-code-ret-warning-in-lo.patch
@@ -0,0 +1,51 @@
+From 198d369ae466a2c60e5c275010262be353f5fd53 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 9 Dec 2021 17:01:21 -0800
+Subject: arm64: kexec: Fix missing error code 'ret' warning in
+ load_other_segments()
+
+From: Lakshmi Ramasubramanian
+
+[ Upstream commit 9c5d89bc10551f1aecd768b00fca3339a7b8c8ee ]
+
+Since commit ac10be5cdbfa ("arm64: Use common
+of_kexec_alloc_and_setup_fdt()"), smatch reports the following warning:
+
+ arch/arm64/kernel/machine_kexec_file.c:152 load_other_segments()
+ warn: missing error code 'ret'
+
+Return code is not set to an error code in load_other_segments() when
+of_kexec_alloc_and_setup_fdt() call returns a NULL dtb. This results
+in status success (return code set to 0) being returned from
+load_other_segments().
+
+Set return code to -EINVAL if of_kexec_alloc_and_setup_fdt() returns
+NULL dtb.
+
+Signed-off-by: Lakshmi Ramasubramanian
+Reported-by: kernel test robot
+Reported-by: Dan Carpenter
+Fixes: ac10be5cdbfa ("arm64: Use common of_kexec_alloc_and_setup_fdt()")
+Link: https://lore.kernel.org/r/20211210010121.101823-1-nramas@linux.microsoft.com
+Signed-off-by: Will Deacon
+Signed-off-by: Catalin Marinas
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/kernel/machine_kexec_file.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm64/kernel/machine_kexec_file.c b/arch/arm64/kernel/machine_kexec_file.c
+index 63634b4d72c15..59c648d518488 100644
+--- a/arch/arm64/kernel/machine_kexec_file.c
++++ b/arch/arm64/kernel/machine_kexec_file.c
+@@ -149,6 +149,7 @@ int load_other_segments(struct kimage *image,
+ initrd_len, cmdline, 0);
+ if (!dtb) {
+ pr_err("Preparing for new dtb failed\n");
++ ret = -EINVAL;
+ goto out_err;
+ }
+
+--
+2.33.0
+
diff --git a/queue-5.15/bpf-fix-extable-fixup-offset.patch b/queue-5.15/bpf-fix-extable-fixup-offset.patch
new file mode 100644
index 00000000000..c878b277ba2
--- /dev/null
+++ b/queue-5.15/bpf-fix-extable-fixup-offset.patch
@@ -0,0 +1,39 @@
+From d9abd0eb941ae411b92c3e8a42d90402a09ff249 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 15 Dec 2021 18:38:30 -0800
+Subject: bpf: Fix extable fixup offset.
+
+From: Alexei Starovoitov
+
+[ Upstream commit 433956e91200734d09958673a56df02d00a917c2 ]
+
+The prog - start_of_ldx is the offset before the faulting ldx to the location
+after it, so this will be used to adjust pt_regs->ip for jumping over it and
+continuing, and with old temp it would have been fixed up to the wrong offset,
+causing crash.
+
+Fixes: 4c5de127598e ("bpf: Emit explicit NULL pointer checks for PROBE_LDX instructions.")
+Signed-off-by: Alexei Starovoitov
+Reviewed-by: Daniel Borkmann
+Signed-off-by: Daniel Borkmann
+Signed-off-by: Sasha Levin
+---
+ arch/x86/net/bpf_jit_comp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
+index 9ea57389c554b..462d8e68b3f43 100644
+--- a/arch/x86/net/bpf_jit_comp.c
++++ b/arch/x86/net/bpf_jit_comp.c
+@@ -1332,7 +1332,7 @@ st: if (is_imm8(insn->off))
+ * End result: x86 insn "mov rbx, qword ptr [rax+0x14]"
+ * of 4 bytes will be ignored and rbx will be zero inited.
+ */
+- ex->fixup = (prog - temp) | (reg2pt_regs[dst_reg] << 8);
++ ex->fixup = (prog - start_of_ldx) | (reg2pt_regs[dst_reg] << 8);
+ }
+ break;
+
+--
+2.33.0
+
diff --git a/queue-5.15/bpf-selftests-fix-racing-issue-in-btf_skc_cls_ingres.patch b/queue-5.15/bpf-selftests-fix-racing-issue-in-btf_skc_cls_ingres.patch
new file mode 100644
index 00000000000..ec8f246b75c
--- /dev/null
+++ b/queue-5.15/bpf-selftests-fix-racing-issue-in-btf_skc_cls_ingres.patch
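Review bot: Nothing visible in this hunk bounds `prog - start_of_ldx` before it is OR-ed into `ex->fixup` next to `reg2pt_regs[dst_reg] << 8`; a length above 0xff would spill into the register field, and the fault handler would then skip the wrong number of bytes or zero the wrong register. The value is presumably the size of one emitted load and therefore small, but a guard that fails the JIT when the length does not fit in 8 bits would turn a silent mis-fixup into a rejected program. The comment above the assignment starts outside the hunk; it would help if it named `start_of_ldx` as the start of the faulting instruction, so the comment and the expression cannot drift apart again.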
@@ -0,0 +1,98 @@
+From e6c8a341eb22d375fcd057f5b5cdc98fdf0d2e8f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 16 Dec 2021 11:16:30 -0800
+Subject: bpf, selftests: Fix racing issue in btf_skc_cls_ingress test
+
+From: Martin KaFai Lau
+
+[ Upstream commit c2fcbf81c332b42382a0c439bfe2414a241e4f5b ]
+
+The libbpf CI reported occasional failure in btf_skc_cls_ingress:
+
+ test_syncookie:FAIL:Unexpected syncookie states gen_cookie:80326634 recv_cookie:0
+ bpf prog error at line 97
+
+"error at line 97" means the bpf prog cannot find the listening socket
+when the final ack is received. It then skipped processing
+the syncookie in the final ack which then led to "recv_cookie:0".
+
+The problem is the userspace program did not do accept() and went
+ahead to close(listen_fd) before the kernel (and the bpf prog) had
+a chance to process the final ack.
+
+The fix is to add accept() call so that the userspace will wait for
+the kernel to finish processing the final ack first before close()-ing
+everything.
+
+Fixes: 9a856cae2217 ("bpf: selftest: Add test_btf_skc_cls_ingress")
+Reported-by: Andrii Nakryiko
+Signed-off-by: Martin KaFai Lau
+Signed-off-by: Daniel Borkmann
+Link: https://lore.kernel.org/bpf/20211216191630.466151-1-kafai@fb.com
+Signed-off-by: Sasha Levin
+---
+ .../bpf/prog_tests/btf_skc_cls_ingress.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/btf_skc_cls_ingress.c b/tools/testing/selftests/bpf/prog_tests/btf_skc_cls_ingress.c
+index 762f6a9da8b5e..664ffc0364f4f 100644
+--- a/tools/testing/selftests/bpf/prog_tests/btf_skc_cls_ingress.c
++++ b/tools/testing/selftests/bpf/prog_tests/btf_skc_cls_ingress.c
+@@ -90,7 +90,7 @@ static void print_err_line(void)
+
+ static void test_conn(void)
+ {
+- int listen_fd = -1, cli_fd = -1, err;
++ int listen_fd = -1, cli_fd = -1, srv_fd = -1, err;
+ socklen_t addrlen = sizeof(srv_sa6);
+ int srv_port;
+
+@@ -112,6 +112,10 @@ static void test_conn(void)
+ if (CHECK_FAIL(cli_fd == -1))
+ goto done;
+
++ srv_fd = accept(listen_fd, NULL, NULL);
++ if (CHECK_FAIL(srv_fd == -1))
++ goto done;
++
+ if (CHECK(skel->bss->listen_tp_sport != srv_port ||
+ skel->bss->req_sk_sport != srv_port,
+ "Unexpected sk src port",
+@@ -134,11 +138,13 @@ static void test_conn(void)
+ close(listen_fd);
+ if (cli_fd != -1)
+ close(cli_fd);
++ if (srv_fd != -1)
++ close(srv_fd);
+ }
+
+ static void test_syncookie(void)
+ {
+- int listen_fd = -1, cli_fd = -1, err;
++ int listen_fd = -1, cli_fd = -1, srv_fd = -1, err;
+ socklen_t addrlen = sizeof(srv_sa6);
+ int srv_port;
+
+@@ -161,6 +167,10 @@ static void test_syncookie(void)
+ if (CHECK_FAIL(cli_fd == -1))
+ goto done;
+
++ srv_fd = accept(listen_fd, NULL, NULL);
++ if (CHECK_FAIL(srv_fd == -1))
++ goto done;
++
+ if (CHECK(skel->bss->listen_tp_sport != srv_port,
+ "Unexpected tp src port",
+ "listen_tp_sport:%u expected:%u\n",
+@@ -188,6 +198,8 @@ static void test_syncookie(void)
+ close(listen_fd);
+ if (cli_fd != -1)
+ close(cli_fd);
++ if (srv_fd != -1)
++ close(srv_fd);
+ }
+
+ struct test {
+--
+2.33.0
+
diff --git a/queue-5.15/ceph-fix-duplicate-increment-of-opened_inodes-metric.patch b/queue-5.15/ceph-fix-duplicate-increment-of-opened_inodes-metric.patch
new file mode 100644
index 00000000000..ec52cb74639
--- /dev/null
+++ b/queue-5.15/ceph-fix-duplicate-increment-of-opened_inodes-metric.patch
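Review bot: The added `accept(listen_fd, NULL, NULL)` in test_conn() and test_syncookie() blocks until a connection is queued; unless listen_fd was created non-blocking or with a receive timeout (not visible in these hunks), a handshake that never completes would hang the test run instead of failing it. Setting a timeout on the listening socket before the call would make the `CHECK_FAIL(srv_fd == -1)` path reachable in that case. The same four added lines appear in both functions and could live in one small shared helper. Both function bodies extend outside the hunks.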
@@ -0,0 +1,73 @@
+From 4c091ce39b6fef7827cc20bba06d3f222003de76 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 22 Nov 2021 22:22:12 +0800
+Subject: ceph: fix duplicate increment of opened_inodes metric
+
+From: Hu Weiwen
+
+[ Upstream commit 973e5245637accc4002843f6b888495a6a7762bc ]
+
+opened_inodes is incremented twice when the same inode is opened twice
+with O_RDONLY and O_WRONLY respectively.
+
+To reproduce, run this python script, then check the metrics:
+
+import os
+for _ in range(10000):
+ fd_r = os.open('a', os.O_RDONLY)
+ fd_w = os.open('a', os.O_WRONLY)
+ os.close(fd_r)
+ os.close(fd_w)
+
+Fixes: 1dd8d4708136 ("ceph: metrics for opened files, pinned caps and opened inodes")
+Signed-off-by: Hu Weiwen
+Reviewed-by: Xiubo Li
+Signed-off-by: Ilya Dryomov
+Signed-off-by: Sasha Levin
+---
+ fs/ceph/caps.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/fs/ceph/caps.c b/fs/ceph/caps.c
+index 8f537f1d9d1d3..8be4da2e2b826 100644
+--- a/fs/ceph/caps.c
++++ b/fs/ceph/caps.c
+@@ -4349,7 +4349,7 @@ void ceph_get_fmode(struct ceph_inode_info *ci, int fmode, int count)
+ {
+ struct ceph_mds_client *mdsc = ceph_sb_to_mdsc(ci->vfs_inode.i_sb);
+ int bits = (fmode << 1) | 1;
+- bool is_opened = false;
++ bool already_opened = false;
+ int i;
+
+ if (count == 1)
+@@ -4357,19 +4357,19 @@ void ceph_get_fmode(struct ceph_inode_info *ci, int fmode, int count)
+
+ spin_lock(&ci->i_ceph_lock);
+ for (i = 0; i < CEPH_FILE_MODE_BITS; i++) {
+- if (bits & (1 << i))
+- ci->i_nr_by_mode[i] += count;
+-
+ /*
+- * If any of the mode ref is larger than 1,
++ * If any of the mode ref is larger than 0,
+ * that means it has been already opened by
+ * others. Just skip checking the PIN ref.
+ */
+- if (i && ci->i_nr_by_mode[i] > 1)
+- is_opened = true;
++ if (i && ci->i_nr_by_mode[i])
++ already_opened = true;
++
++ if (bits & (1 << i))
++ ci->i_nr_by_mode[i] += count;
+ }
+
+- if (!is_opened)
++ if (!already_opened)
+ percpu_counter_inc(&mdsc->metric.opened_inodes);
+ spin_unlock(&ci->i_ceph_lock);
+ }
+--
+2.33.0
+
diff --git a/queue-5.15/ceph-initialize-pathlen-variable-in-reconnect_caps_c.patch b/queue-5.15/ceph-initialize-pathlen-variable-in-reconnect_caps_c.patch
new file mode 100644
index 00000000000..ac27ccb1734
--- /dev/null
+++ b/queue-5.15/ceph-initialize-pathlen-variable-in-reconnect_caps_c.patch
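Review bot: In ceph_get_fmode() the fix depends on testing `ci->i_nr_by_mode[i]` before `+= count` runs for the same index, but the reworded comment only says "larger than 0" and does not say why the order matters. A line above the check such as `/* test before adding this call's refs, so our own open is not seen as "already opened" */` would keep a later cleanup from moving the increment back up. The patch does not touch the matching put path, so it is worth confirming that the decrement of opened_inodes uses the same "no non-PIN refs" condition. A few lines between the two hunks are not shown.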
@@ -0,0 +1,50 @@
+From e0d0178b3211493ca1a1754e803c86214d076b36 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 30 Nov 2021 19:20:34 +0800
+Subject: ceph: initialize pathlen variable in reconnect_caps_cb
+
+From: Xiubo Li
+
+[ Upstream commit ee2a095d3b24f300a5e11944d208801e928f108c ]
+
+The smatch static checker warned about an uninitialized symbol usage in
+this function, in the case where ceph_mdsc_build_path returns an error.
+
+It turns out that that case is harmless, but it just looks sketchy.
+Initialize the variable at declaration time, and remove the unneeded
+setting of it later.
+
+Fixes: a33f6432b3a6 ("ceph: encode inodes' parent/d_name in cap reconnect message")
+Reported-by: Dan Carpenter
+Signed-off-by: Xiubo Li
+Reviewed-by: Jeff Layton
+Signed-off-by: Ilya Dryomov
+Signed-off-by: Sasha Levin
+---
+ fs/ceph/mds_client.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
+index d64413adc0fd2..e9409c460acd0 100644
+--- a/fs/ceph/mds_client.c
++++ b/fs/ceph/mds_client.c
+@@ -3772,7 +3772,7 @@ static int reconnect_caps_cb(struct inode *inode, struct ceph_cap *cap,
+ struct ceph_pagelist *pagelist = recon_state->pagelist;
+ struct dentry *dentry;
+ char *path;
+- int pathlen, err;
++ int pathlen = 0, err;
+ u64 pathbase;
+ u64 snap_follows;
+
+@@ -3792,7 +3792,6 @@ static int reconnect_caps_cb(struct inode *inode, struct ceph_cap *cap,
+ }
+ } else {
+ path = NULL;
+- pathlen = 0;
+ pathbase = 0;
+ }
+
+--
+2.33.0
+
diff --git a/queue-5.15/cfg80211-acquire-wiphy-mutex-on-regulatory-work.patch b/queue-5.15/cfg80211-acquire-wiphy-mutex-on-regulatory-work.patch
new file mode 100644
index 00000000000..e3435f30567
--- /dev/null
+++ b/queue-5.15/cfg80211-acquire-wiphy-mutex-on-regulatory-work.patch
@@ -0,0 +1,52 @@ +From d1f578bca2bb2ca96560b6f33bf4e57cbbec599d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Dec 2021 15:28:54 +0200 +Subject: cfg80211: Acquire wiphy mutex on regulatory work + +From: Ilan Peer + +[ Upstream commit e08ebd6d7b90ae81f21425ca39136f5b2272580f ] + +The function cfg80211_reg_can_beacon_relax() expects wiphy +mutex to be held when it is being called. However, when +reg_leave_invalid_chans() is called the mutex is not held. +Fix it by acquiring the lock before calling the function. + +Fixes: a05829a7222e ("cfg80211: avoid holding the RTNL when calling the driver") +Signed-off-by: Ilan Peer +Signed-off-by: Luca Coelho +Link: https://lore.kernel.org/r/iwlwifi.20211202152831.527686cda037.I40ad9372a47cbad53b4aae7b5a6ccc0dc3fddf8b@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/reg.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/net/wireless/reg.c b/net/wireless/reg.c +index df87c7f3a0492..795e86b371bba 100644 +--- a/net/wireless/reg.c ++++ b/net/wireless/reg.c +@@ -2338,6 +2338,7 @@ static bool reg_wdev_chan_valid(struct wiphy *wiphy, struct wireless_dev *wdev) + struct cfg80211_chan_def chandef = {}; + struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); + enum nl80211_iftype iftype; ++ bool ret; + + wdev_lock(wdev); + iftype = wdev->iftype; +@@ -2387,7 +2388,11 @@ static bool reg_wdev_chan_valid(struct wiphy *wiphy, struct wireless_dev *wdev) + case NL80211_IFTYPE_AP: + case NL80211_IFTYPE_P2P_GO: + case NL80211_IFTYPE_ADHOC: +- return cfg80211_reg_can_beacon_relax(wiphy, &chandef, iftype); ++ wiphy_lock(wiphy); ++ ret = cfg80211_reg_can_beacon_relax(wiphy, &chandef, iftype); ++ wiphy_unlock(wiphy); ++ ++ return ret; + case NL80211_IFTYPE_STATION: + case NL80211_IFTYPE_P2P_CLIENT: + return cfg80211_chandef_usable(wiphy, &chandef, +-- +2.33.0 + 
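Review bot: The new `wiphy_lock(wiphy)` in reg_wdev_chan_valid() is taken in a function that also takes `wdev_lock(wdev)` near its top, and the lines between the two inner hunks are not shown, so the resulting lock order cannot be confirmed from this patch. If the wdev lock has already been dropped when the second switch runs, a comment above the new lock such as `/* wdev lock already released; cfg80211_reg_can_beacon_relax() requires the wiphy mutex */` would keep a later edit from nesting the two the wrong way round. The neighbouring `cfg80211_chandef_usable()` return stays outside the mutex, and the same comment should say whether that call needs it.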
diff --git a/queue-5.15/clk-don-t-parent-clks-until-the-parent-is-fully-regi.patch b/queue-5.15/clk-don-t-parent-clks-until-the-parent-is-fully-regi.patch new file mode 100644 index 00000000000..a86fce4ede3 --- /dev/null +++ b/queue-5.15/clk-don-t-parent-clks-until-the-parent-is-fully-regi.patch 
@@ -0,0 +1,126 @@ +From b0cdd5543afe5c39d29abe4563f864e41a1d0c16 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Nov 2021 20:34:38 -0800 +Subject: clk: Don't parent clks until the parent is fully registered + +From: Mike Tipton + +[ Upstream commit 54baf56eaa40aa5cdcd02b3c20d593e4e1211220 ] + +Before commit fc0c209c147f ("clk: Allow parents to be specified without +string names") child clks couldn't find their parent until the parent +clk was added to a list in __clk_core_init(). After that commit, child +clks can reference their parent clks directly via a clk_hw pointer, or +they can lookup that clk_hw pointer via DT if the parent clk is +registered with an OF clk provider. + +The common clk framework treats hw->core being non-NULL as "the clk is +registered" per the logic within clk_core_fill_parent_index(): + + parent = entry->hw->core; + /* + * We have a direct reference but it isn't registered yet? + * Orphan it and let clk_reparent() update the orphan status + * when the parent is registered. + */ + if (!parent) + +Therefore we need to be extra careful to not set hw->core until the clk +is fully registered with the clk framework. Otherwise we can get into a +situation where a child finds a parent clk and we move the child clk off +the orphan list when the parent isn't actually registered, wrecking our +enable accounting and breaking critical clks. + +Consider the following scenario: + + CPU0 CPU1 + ---- ---- + struct clk_hw clkBad; + struct clk_hw clkA; + + clkA.init.parent_hws = { &clkBad }; + + clk_hw_register(&clkA) clk_hw_register(&clkBad) + ... __clk_register() + hw->core = core + ... + __clk_register() + __clk_core_init() + clk_prepare_lock() + __clk_init_parent() + clk_core_get_parent_by_index() + clk_core_fill_parent_index() + if (entry->hw) { + parent = entry->hw->core; + +At this point, 'parent' points to clkBad even though clkBad hasn't been +fully registered yet. Ouch! 
A similar problem can happen if a clk +controller registers orphan clks that are referenced in the DT node of +another clk controller. + +Let's fix all this by only setting the hw->core pointer underneath the +clk prepare lock in __clk_core_init(). This way we know that +clk_core_fill_parent_index() can't see hw->core be non-NULL until the +clk is fully registered. + +Fixes: fc0c209c147f ("clk: Allow parents to be specified without string names") +Signed-off-by: Mike Tipton +Link: https://lore.kernel.org/r/20211109043438.4639-1-quic_mdtipton@quicinc.com +[sboyd@kernel.org: Reword commit text, update comment] +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/clk.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +diff --git a/drivers/clk/clk.c b/drivers/clk/clk.c +index 65508eb89ec99..a277fd4f2f0a6 100644 +--- a/drivers/clk/clk.c ++++ b/drivers/clk/clk.c +@@ -3415,6 +3415,14 @@ static int __clk_core_init(struct clk_core *core) + + clk_prepare_lock(); + ++ /* ++ * Set hw->core after grabbing the prepare_lock to synchronize with ++ * callers of clk_core_fill_parent_index() where we treat hw->core ++ * being NULL as the clk not being registered yet. This is crucial so ++ * that clks aren't parented until their parent is fully registered. 
++ */ ++ core->hw->core = core; ++ + ret = clk_pm_runtime_get(core); + if (ret) + goto unlock; +@@ -3579,8 +3587,10 @@ static int __clk_core_init(struct clk_core *core) + out: + clk_pm_runtime_put(core); + unlock: +- if (ret) ++ if (ret) { + hlist_del_init(&core->child_node); ++ core->hw->core = NULL; ++ } + + clk_prepare_unlock(); + +@@ -3844,7 +3854,6 @@ __clk_register(struct device *dev, struct device_node *np, struct clk_hw *hw) + core->num_parents = init->num_parents; + core->min_rate = 0; + core->max_rate = ULONG_MAX; +- hw->core = core; + + ret = clk_core_populate_parent_map(core, init); + if (ret) +@@ -3862,7 +3871,7 @@ __clk_register(struct device *dev, struct device_node *np, struct clk_hw *hw) + goto fail_create_clk; + } + +- clk_core_link_consumer(hw->core, hw->clk); ++ clk_core_link_consumer(core, hw->clk); + + ret = __clk_core_init(core); + if (!ret) +-- +2.33.0 + diff --git a/queue-5.15/dmaengine-idxd-add-halt-interrupt-support.patch b/queue-5.15/dmaengine-idxd-add-halt-interrupt-support.patch new file mode 100644 index 00000000000..15d3742f446 --- /dev/null +++ b/queue-5.15/dmaengine-idxd-add-halt-interrupt-support.patch 
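Review bot: The guarantee described in the new comment in __clk_core_init() only holds for readers of `hw->core` that themselves run under the prepare lock, and the comment does not state that as a rule. It names clk_core_fill_parent_index(), but any other code that dereferences `hw->core` between the start of __clk_register() and __clk_core_init() now sees NULL where it used to see the core; whether such a path exists is not visible in these hunks. Adding `Readers of hw->core must hold the prepare_lock.` to the comment would document the contract. Both functions continue outside the hunks.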
@@ -0,0 +1,67 @@ +From 06bce7001bdd1f9e721e1ba9c21e53f2942fc5dd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Sep 2021 16:04:03 -0700 +Subject: dmaengine: idxd: add halt interrupt support + +From: Dave Jiang + +[ Upstream commit 88d97ea82cbe352851a8654ee952d3a694c8c2c6 ] + +Add halt interrupt support. Given that the misc interrupt handler already +check halt state, the driver just need to run the halt handling code when +receiving the halt interrupt. + +Signed-off-by: Dave Jiang +Link: https://lore.kernel.org/r/163114224352.846654.14334468363464318828.stgit@djiang5-desk3.ch.intel.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/idxd/irq.c | 5 +++++ + drivers/dma/idxd/registers.h | 1 + + 2 files changed, 6 insertions(+) + +diff --git a/drivers/dma/idxd/irq.c b/drivers/dma/idxd/irq.c +index ca88fa7a328e7..3261ea247e832 100644 +--- a/drivers/dma/idxd/irq.c ++++ b/drivers/dma/idxd/irq.c +@@ -63,6 +63,9 @@ static int process_misc_interrupts(struct idxd_device *idxd, u32 cause) + int i; + bool err = false; + ++ if (cause & IDXD_INTC_HALT_STATE) ++ goto halt; ++ + if (cause & IDXD_INTC_ERR) { + spin_lock(&idxd->dev_lock); + for (i = 0; i < 4; i++) +@@ -121,6 +124,7 @@ static int process_misc_interrupts(struct idxd_device *idxd, u32 cause) + if (!err) + return 0; + ++halt: + gensts.bits = ioread32(idxd->reg_base + IDXD_GENSTATS_OFFSET); + if (gensts.state == IDXD_DEVICE_STATE_HALT) { + idxd->state = IDXD_DEV_HALTED; +@@ -134,6 +138,7 @@ static int process_misc_interrupts(struct idxd_device *idxd, u32 cause) + queue_work(idxd->wq, &idxd->work); + } else { + spin_lock(&idxd->dev_lock); ++ idxd->state = IDXD_DEV_HALTED; + idxd_wqs_quiesce(idxd); + idxd_wqs_unmap_portal(idxd); + idxd_device_clear_state(idxd); +diff --git a/drivers/dma/idxd/registers.h b/drivers/dma/idxd/registers.h +index ffc7550a77eeb..97ffb06de9b0d 100644 +--- a/drivers/dma/idxd/registers.h ++++ b/drivers/dma/idxd/registers.h +@@ -158,6 +158,7 @@ enum 
idxd_device_reset_type { + #define IDXD_INTC_CMD 0x02 + #define IDXD_INTC_OCCUPY 0x04 + #define IDXD_INTC_PERFMON_OVFL 0x08 ++#define IDXD_INTC_HALT_STATE 0x10 + + #define IDXD_CMD_OFFSET 0xa0 + union idxd_command_reg { +-- +2.33.0 + diff --git a/queue-5.15/dmaengine-idxd-fix-calling-wq-quiesce-inside-spinloc.patch b/queue-5.15/dmaengine-idxd-fix-calling-wq-quiesce-inside-spinloc.patch new file mode 100644 index 00000000000..b25e5444084 --- /dev/null +++ b/queue-5.15/dmaengine-idxd-fix-calling-wq-quiesce-inside-spinloc.patch 
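Review bot: In process_misc_interrupts() the new `if (cause & IDXD_INTC_HALT_STATE) goto halt;` sits above the `if (cause & IDXD_INTC_ERR)` block, so when both bits are set in `cause` the error handling under `dev_lock` is skipped for that interrupt. If the hardware can report an error together with the halt, that is the record an operator needs to diagnose the halt, so testing the halt bit after the error block would preserve it. The lines between the first and second inner hunk are not shown, so this assumes the skipped code does nothing else that the halt path depends on.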
@@ -0,0 +1,43 @@ +From a6601352bfb191b4c69cedbca4db53b12abcb252 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Nov 2021 10:03:51 -0700 +Subject: dmaengine: idxd: fix calling wq quiesce inside spinlock + +From: Dave Jiang + +[ Upstream commit fa51b16d05583c7aebbc06330afb50276243d198 ] + +Dan reports that smatch has found idxd_wq_quiesce() is being called inside +the idxd->dev_lock. idxd_wq_quiesce() calls wait_for_completion() and +therefore it can sleep. Move the call outside of the spinlock as it does +not need device lock. + +Fixes: 5b0c68c473a1 ("dmaengine: idxd: support reporting of halt interrupt") +Reported-by: Dan Carpenter +Signed-off-by: Dave Jiang +Link: https://lore.kernel.org/r/163716858508.1721911.15051495873516709923.stgit@djiang5-desk3.ch.intel.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/idxd/irq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/dma/idxd/irq.c b/drivers/dma/idxd/irq.c +index 3261ea247e832..6d6af0dc3c0ec 100644 +--- a/drivers/dma/idxd/irq.c ++++ b/drivers/dma/idxd/irq.c +@@ -137,10 +137,10 @@ static int process_misc_interrupts(struct idxd_device *idxd, u32 cause) + INIT_WORK(&idxd->work, idxd_device_reinit); + queue_work(idxd->wq, &idxd->work); + } else { +- spin_lock(&idxd->dev_lock); + idxd->state = IDXD_DEV_HALTED; + idxd_wqs_quiesce(idxd); + idxd_wqs_unmap_portal(idxd); ++ spin_lock(&idxd->dev_lock); + idxd_device_clear_state(idxd); + dev_err(&idxd->pdev->dev, + "idxd halted, need %s.\n", +-- +2.33.0 + diff --git a/queue-5.15/dmaengine-idxd-fix-missed-completion-on-abort-path.patch b/queue-5.15/dmaengine-idxd-fix-missed-completion-on-abort-path.patch new file mode 100644 index 00000000000..d9fc5796846 --- /dev/null +++ b/queue-5.15/dmaengine-idxd-fix-missed-completion-on-abort-path.patch 
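Review bot: Moving `spin_lock(&idxd->dev_lock)` below `idxd_wqs_unmap_portal(idxd)` also leaves the `idxd->state = IDXD_DEV_HALTED;` store outside the lock, which the commit message does not mention; it only argues that the quiesce call needs no device lock. If other paths read or write `idxd->state` under `dev_lock`, the store should stay protected, for example `spin_lock(&idxd->dev_lock); idxd->state = IDXD_DEV_HALTED; spin_unlock(&idxd->dev_lock);` ahead of `idxd_wqs_quiesce(idxd);`. The matching unlock and the rest of process_misc_interrupts() are outside the hunk, so this needs checking against the full function.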
@@ -0,0 +1,84 @@ +From e1d11e16425fd96b8327ccdac2e206ec4af3f79d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Dec 2021 10:01:27 -0700 +Subject: dmaengine: idxd: fix missed completion on abort path + +From: Dave Jiang + +[ Upstream commit 8affd8a4b5ce356c8900cfb037674f3a4a11fbdb ] + +Ming reported that with the abort path of the descriptor submission, there +can be a window where a completed descriptor can be missed to be completed +by the irq completion thread: + +CPU A CPU B +Submit (successful) + +Submit (fail) + irq_process_work_list() // empty + +llist_abort_desc() +// remove all descs from pending list + + irq_process_pending_llist() // empty + exit idxd_wq_thread() with no processing + +Add opportunistic descriptor completion in the abort path in order to +remove the missed completion. + +Fixes: 6b4b87f2c31a ("dmaengine: idxd: fix submission race window") +Reported-by: Ming Li +Signed-off-by: Dave Jiang +Link: https://lore.kernel.org/r/163898288714.443911.16084982766671976640.stgit@djiang5-desk3.ch.intel.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/idxd/submit.c | 18 +++++++++++++++++- + 1 file changed, 17 insertions(+), 1 deletion(-) + +diff --git a/drivers/dma/idxd/submit.c b/drivers/dma/idxd/submit.c +index de76fb4abac24..83452fbbb168b 100644 +--- a/drivers/dma/idxd/submit.c ++++ b/drivers/dma/idxd/submit.c +@@ -106,6 +106,7 @@ static void llist_abort_desc(struct idxd_wq *wq, struct idxd_irq_entry *ie, + { + struct idxd_desc *d, *t, *found = NULL; + struct llist_node *head; ++ LIST_HEAD(flist); + + desc->completion->status = IDXD_COMP_DESC_ABORT; + /* +@@ -120,7 +121,11 @@ static void llist_abort_desc(struct idxd_wq *wq, struct idxd_irq_entry *ie, + found = desc; + continue; + } +- list_add_tail(&desc->list, &ie->work_list); ++ ++ if (d->completion->status) ++ list_add_tail(&d->list, &flist); ++ else ++ list_add_tail(&d->list, &ie->work_list); + } + } + +@@ -130,6 +135,17 @@ static void llist_abort_desc(struct 
idxd_wq *wq, struct idxd_irq_entry *ie, + + if (found) + complete_desc(found, IDXD_COMPLETE_ABORT); ++ ++ /* ++ * complete_desc() will return desc to allocator and the desc can be ++ * acquired by a different process and the desc->list can be modified. ++ * Delete desc from list so the list trasversing does not get corrupted ++ * by the other process. ++ */ ++ list_for_each_entry_safe(d, t, &flist, list) { ++ list_del_init(&d->list); ++ complete_desc(d, IDXD_COMPLETE_NORMAL); ++ } + } + + int idxd_submit_desc(struct idxd_wq *wq, struct idxd_desc *desc) +-- +2.33.0 + diff --git a/queue-5.15/dmaengine-st_fdma-fix-module_alias.patch b/queue-5.15/dmaengine-st_fdma-fix-module_alias.patch new file mode 100644 index 00000000000..ece976d101f --- /dev/null +++ b/queue-5.15/dmaengine-st_fdma-fix-module_alias.patch @@ -0,0 +1,33 @@ +From 5c4c5d5e5171419653d853b27fb15f664a54f649 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Nov 2021 15:44:38 +0000 +Subject: dmaengine: st_fdma: fix MODULE_ALIAS + +From: Alyssa Ross + +[ Upstream commit 822c9f2b833c53fc67e8adf6f63ecc3ea24d502c ] + +modprobe can't handle spaces in aliases. + +Fixes: 6b4cd727eaf1 ("dmaengine: st_fdma: Add STMicroelectronics FDMA engine driver support") +Signed-off-by: Alyssa Ross +Link: https://lore.kernel.org/r/20211125154441.2626214-1-hi@alyssa.is +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/st_fdma.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/dma/st_fdma.c b/drivers/dma/st_fdma.c +index 962b6e05287b5..d95c421877fb7 100644 +--- a/drivers/dma/st_fdma.c ++++ b/drivers/dma/st_fdma.c +@@ -874,4 +874,4 @@ MODULE_LICENSE("GPL v2"); + MODULE_DESCRIPTION("STMicroelectronics FDMA engine driver"); + MODULE_AUTHOR("Ludovic.barre "); + MODULE_AUTHOR("Peter Griffin "); +-MODULE_ALIAS("platform: " DRIVER_NAME); ++MODULE_ALIAS("platform:" DRIVER_NAME); +-- +2.33.0 + 
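Review bot: The `if (d->completion->status)` branch in llist_abort_desc() decides between completing a descriptor and requeueing it on `ie->work_list`, but nothing in the code says why a non-zero status means the descriptor is finished. A comment above it, for example `/* non-zero status: already completed, finish it here instead of leaving it for the irq thread */`, would tie the branch to the race described in the commit message. The block comment above the `flist` loop spells "traversing" as "trasversing". The function begins outside the hunk.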
diff --git a/queue-5.15/drm-amd-display-set-exit_optimized_pwr_state-for-dcn.patch b/queue-5.15/drm-amd-display-set-exit_optimized_pwr_state-for-dcn.patch new file mode 100644 index 00000000000..50442302a8e --- /dev/null +++ b/queue-5.15/drm-amd-display-set-exit_optimized_pwr_state-for-dcn.patch @@ -0,0 +1,49 @@ +From 7f0f82e66ce9881c0c36db43142018562635a42c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Dec 2021 15:03:59 -0800 +Subject: drm/amd/display: Set exit_optimized_pwr_state for DCN31 + +From: Nicholas Kazlauskas + +[ Upstream commit 7e4d2f30df3fb48f75ce9e96867d42bdddab83ac ] + +[Why] +SMU now respects the PHY refclk disable request from driver. + +This causes a hang during hotplug when PHY refclk was disabled +because it's not being re-enabled and the transmitter control +starts on dc_link_detect. + +[How] +We normally would re-enable the clk with exit_optimized_pwr_state +but this is only set on DCN21 and DCN301. Set it for dcn31 as well. + +This fixes DMCUB timeouts in the PHY. + +Fixes: 64b1d0e8d500 ("drm/amd/display: Add DCN3.1 HWSEQ") + +Reviewed-by: Eric Yang +Acked-by: Pavle Kotarac +Tested-by: Daniel Wheeler +Signed-off-by: Nicholas Kazlauskas +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/dcn31/dcn31_init.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_init.c b/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_init.c +index 40011cd3c8ef0..ac8fb202fd5ee 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_init.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_init.c +@@ -100,6 +100,7 @@ static const struct hw_sequencer_funcs dcn31_funcs = { + .z10_save_init = dcn31_z10_save_init, + .is_abm_supported = dcn31_is_abm_supported, + .set_disp_pattern_generator = dcn30_set_disp_pattern_generator, ++ .exit_optimized_pwr_state = dcn21_exit_optimized_pwr_state, + .update_visual_confirm_color = dcn20_update_visual_confirm_color, + }; + +-- +2.33.0 + 
diff --git a/queue-5.15/drm-amd-pm-fix-a-potential-gpu_metrics_table-memory-.patch b/queue-5.15/drm-amd-pm-fix-a-potential-gpu_metrics_table-memory-.patch new file mode 100644 index 00000000000..1097b80cfaa --- /dev/null +++ b/queue-5.15/drm-amd-pm-fix-a-potential-gpu_metrics_table-memory-.patch @@ -0,0 +1,39 @@ +From b5886cdc7152f9b2a63854ac9782cc13af4e0de9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Dec 2021 15:25:54 +0800 +Subject: drm/amd/pm: fix a potential gpu_metrics_table memory leak + +From: Lang Yu + +[ Upstream commit aa464957f7e660abd554f2546a588f6533720e21 ] + +Memory is allocated for gpu_metrics_table in renoir_init_smc_tables(), +but not freed in int smu_v12_0_fini_smc_tables(). Free it! + +Fixes: 95868b85764a ("drm/amd/powerplay: add Renoir support for gpu metrics export") + +Signed-off-by: Lang Yu +Reviewed-by: Lijo Lazar +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/pm/swsmu/smu12/smu_v12_0.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu12/smu_v12_0.c b/drivers/gpu/drm/amd/pm/swsmu/smu12/smu_v12_0.c +index d60b8c5e87157..43028f2cd28b5 100644 +--- a/drivers/gpu/drm/amd/pm/swsmu/smu12/smu_v12_0.c ++++ b/drivers/gpu/drm/amd/pm/swsmu/smu12/smu_v12_0.c +@@ -191,6 +191,9 @@ int smu_v12_0_fini_smc_tables(struct smu_context *smu) + kfree(smu_table->watermarks_table); + smu_table->watermarks_table = NULL; + ++ kfree(smu_table->gpu_metrics_table); ++ smu_table->gpu_metrics_table = NULL; ++ + return 0; + } + +-- +2.33.0 + diff --git a/queue-5.15/drm-ast-potential-dereference-of-null-pointer.patch b/queue-5.15/drm-ast-potential-dereference-of-null-pointer.patch new file mode 100644 index 00000000000..d2e12d8e7ce --- /dev/null +++ b/queue-5.15/drm-ast-potential-dereference-of-null-pointer.patch 
@@ -0,0 +1,41 @@ +From 6d0e110c2166f896b41364ddf2ff689f916b641f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Dec 2021 09:41:26 +0800 +Subject: drm/ast: potential dereference of null pointer + +From: Jiasheng Jiang + +[ Upstream commit fea3fdf975dd9f3e5248afaab8fe023db313f005 ] + +The return value of kzalloc() needs to be checked. +To avoid use of null pointer '&ast_state->base' in case of the +failure of alloc. + +Fixes: f0adbc382b8b ("drm/ast: Allocate initial CRTC state of the correct size") +Signed-off-by: Jiasheng Jiang +Signed-off-by: Thomas Zimmermann +Link: https://patchwork.freedesktop.org/patch/msgid/20211214014126.2211535-1-jiasheng@iscas.ac.cn +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/ast/ast_mode.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/ast/ast_mode.c b/drivers/gpu/drm/ast/ast_mode.c +index 1e30eaeb0e1b3..d5c98f79d58d3 100644 +--- a/drivers/gpu/drm/ast/ast_mode.c ++++ b/drivers/gpu/drm/ast/ast_mode.c +@@ -1121,7 +1121,10 @@ static void ast_crtc_reset(struct drm_crtc *crtc) + if (crtc->state) + crtc->funcs->atomic_destroy_state(crtc, crtc->state); + +- __drm_atomic_helper_crtc_reset(crtc, &ast_state->base); ++ if (ast_state) ++ __drm_atomic_helper_crtc_reset(crtc, &ast_state->base); ++ else ++ __drm_atomic_helper_crtc_reset(crtc, NULL); + } + + static struct drm_crtc_state * +-- +2.33.0 + diff --git a/queue-5.15/drm-i915-display-fix-an-unsigned-subtraction-which-c.patch b/queue-5.15/drm-i915-display-fix-an-unsigned-subtraction-which-c.patch new file mode 100644 index 00000000000..70ae6c5ad61 --- /dev/null +++ b/queue-5.15/drm-i915-display-fix-an-unsigned-subtraction-which-c.patch 
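Review bot: When the allocation fails in ast_crtc_reset(), the previous state has already been destroyed by the `atomic_destroy_state()` call just above, and the new `else` branch then passes NULL to `__drm_atomic_helper_crtc_reset()`, so the CRTC appears to be left without any state and the caller is not told, since the function returns void. That removes the NULL dereference here but moves the question to whatever next dereferences `crtc->state`. A comment on the else branch such as `/* allocation failed: crtc->state stays NULL, users must check */` would at least record the contract. The allocation itself is outside the hunk.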
@@ -0,0 +1,45 @@ +From 3c4da8b02fdc672492ce796a91cd35ee20bed487 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Dec 2021 20:41:24 -0800 +Subject: drm/i915/display: Fix an unsigned subtraction which can never be + negative. + +From: Harshit Mogalapalli + +[ Upstream commit 53b3495273282aa844c4613d19c3b30558c70c84 ] + +smatch warning: +drivers/gpu/drm/i915/display/intel_dmc.c:601 parse_dmc_fw() warn: +unsigned 'fw->size - offset' is never less than zero + +Firmware size is size_t and offset is u32. So the subtraction is +unsigned which can never be less than zero. + +Fixes: 3d5928a168a9 ("drm/i915/xelpd: Pipe A DMC plugging") +Signed-off-by: Harshit Mogalapalli +Reviewed-by: Lucas De Marchi +Signed-off-by: Lucas De Marchi +Link: https://patchwork.freedesktop.org/patch/msgid/20211210044129.12422-1-harshit.m.mogalapalli@oracle.com +(cherry picked from commit 87bb2a410dcfb617b88e4695edf4beb6336dc314) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/display/intel_dmc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/i915/display/intel_dmc.c b/drivers/gpu/drm/i915/display/intel_dmc.c +index b3c8e1c450efb..73076737add75 100644 +--- a/drivers/gpu/drm/i915/display/intel_dmc.c ++++ b/drivers/gpu/drm/i915/display/intel_dmc.c +@@ -606,7 +606,7 @@ static void parse_dmc_fw(struct drm_i915_private *dev_priv, + continue; + + offset = readcount + dmc->dmc_info[id].dmc_offset * 4; +- if (fw->size - offset < 0) { ++ if (offset > fw->size) { + drm_err(&dev_priv->drm, "Reading beyond the fw_size\n"); + continue; + } +-- +2.33.0 + diff --git a/queue-5.15/drm-simpledrm-fix-wrong-unit-with-pixel-clock.patch b/queue-5.15/drm-simpledrm-fix-wrong-unit-with-pixel-clock.patch new file mode 100644 index 00000000000..edcb72fec51 --- /dev/null +++ b/queue-5.15/drm-simpledrm-fix-wrong-unit-with-pixel-clock.patch 
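Review bot: The replacement check `if (offset > fw->size)` in parse_dmc_fw() still accepts `offset == fw->size`, where no bytes of the firmware blob remain for the data read next; `if (offset >= fw->size)` rejects that case. Separately, `offset` is a u32 according to the commit message and is computed as `readcount + dmc->dmc_info[id].dmc_offset * 4`, so a large `dmc_offset` taken from the firmware file may wrap before the comparison is made. Whether that value is range-checked earlier, and whether the later header parse verifies the remaining size, is outside the hunk.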
@@ -0,0 +1,36 @@ +From bf92850745f3f6f1826ac0a940bded44aac536ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 12 Dec 2021 16:06:02 +0000 +Subject: drm: simpledrm: fix wrong unit with pixel clock + +From: Alejandro Concepcion-Rodriguez + +[ Upstream commit 5cf06065bd1f7b94fbb80e7eeb033899f77ab5ba ] + +Pixel clock has to be set in kHz. + +Signed-off-by: Alejandro Concepcion-Rodriguez +Fixes: 11e8f5fd223b ("drm: Add simpledrm driver") +Signed-off-by: Thomas Zimmermann +Link: https://patchwork.freedesktop.org/patch/msgid/6f8554ef-1305-0dda-821c-f7d2e5644a48@acoro.eu +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/tiny/simpledrm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/tiny/simpledrm.c b/drivers/gpu/drm/tiny/simpledrm.c +index 481b48bde0473..5a6e89825bc2f 100644 +--- a/drivers/gpu/drm/tiny/simpledrm.c ++++ b/drivers/gpu/drm/tiny/simpledrm.c +@@ -458,7 +458,7 @@ static struct drm_display_mode simpledrm_mode(unsigned int width, + { + struct drm_display_mode mode = { SIMPLEDRM_MODE(width, height) }; + +- mode.clock = 60 /* Hz */ * mode.hdisplay * mode.vdisplay; ++ mode.clock = mode.hdisplay * mode.vdisplay * 60 / 1000 /* kHz */; + drm_mode_set_name(&mode); + + return mode; +-- +2.33.0 + diff --git a/queue-5.15/dsa-mv88e6xxx-fix-debug-print-for-speed_unforced.patch b/queue-5.15/dsa-mv88e6xxx-fix-debug-print-for-speed_unforced.patch new file mode 100644 index 00000000000..a53727592da --- /dev/null +++ b/queue-5.15/dsa-mv88e6xxx-fix-debug-print-for-speed_unforced.patch 
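Review bot: In simpledrm_mode() the product `mode.hdisplay * mode.vdisplay * 60` is evaluated before the division by 1000, so the intermediate value can exceed the range of a 32-bit int for large framebuffer sizes even when the final kHz value would fit. Doing the multiplication in 64 bits avoids that: `mode.clock = div_u64((u64)mode.hdisplay * mode.vdisplay * 60, 1000); /* kHz */`. The field types are not shown in the hunk, so this assumes the operands are promoted to int.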
@@ -0,0 +1,48 @@ +From 0d9bd9d03ef432bd5b7d73c81786a87d45bbee4f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Dec 2021 20:30:32 +0300 +Subject: dsa: mv88e6xxx: fix debug print for SPEED_UNFORCED + +From: Andrey Eremeev + +[ Upstream commit e08cdf63049b711099efff0811273449083bb958 ] + +Debug print uses invalid check to detect if speed is unforced: +(speed != SPEED_UNFORCED) should be used instead of (!speed). + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Signed-off-by: Andrey Eremeev +Fixes: 96a2b40c7bd3 ("net: dsa: mv88e6xxx: add port's MAC speed setter") +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/mv88e6xxx/port.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/dsa/mv88e6xxx/port.c b/drivers/net/dsa/mv88e6xxx/port.c +index d9817b20ea641..ab41619a809b3 100644 +--- a/drivers/net/dsa/mv88e6xxx/port.c ++++ b/drivers/net/dsa/mv88e6xxx/port.c +@@ -283,7 +283,7 @@ static int mv88e6xxx_port_set_speed_duplex(struct mv88e6xxx_chip *chip, + if (err) + return err; + +- if (speed) ++ if (speed != SPEED_UNFORCED) + dev_dbg(chip->dev, "p%d: Speed set to %d Mbps\n", port, speed); + else + dev_dbg(chip->dev, "p%d: Speed unforced\n", port); +@@ -516,7 +516,7 @@ int mv88e6393x_port_set_speed_duplex(struct mv88e6xxx_chip *chip, int port, + if (err) + return err; + +- if (speed) ++ if (speed != SPEED_UNFORCED) + dev_dbg(chip->dev, "p%d: Speed set to %d Mbps\n", port, speed); + else + dev_dbg(chip->dev, "p%d: Speed unforced\n", port); +-- +2.33.0 + diff --git a/queue-5.15/flow_offload-return-eopnotsupp-for-the-unsupported-m.patch b/queue-5.15/flow_offload-return-eopnotsupp-for-the-unsupported-m.patch new file mode 100644 index 00000000000..1edcac21fda --- /dev/null +++ b/queue-5.15/flow_offload-return-eopnotsupp-for-the-unsupported-m.patch 
@@ -0,0 +1,41 @@ +From cbfcee505704b9e4023fc27dded0e58220f09bee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Dec 2021 15:46:04 +0100 +Subject: flow_offload: return EOPNOTSUPP for the unsupported mpls action type + +From: Baowen Zheng + +[ Upstream commit 166b6a46b78bf8b9559a6620c3032f9fe492e082 ] + +We need to return EOPNOTSUPP for the unsupported mpls action type when +setup the flow action. + +In the original implement, we will return 0 for the unsupported mpls +action type, actually we do not setup it and the following actions +to the flow action entry. + +Fixes: 9838b20a7fb2 ("net: sched: take rtnl lock in tc_setup_flow_action()") +Signed-off-by: Baowen Zheng +Signed-off-by: Simon Horman +Acked-by: Jamal Hadi Salim +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sched/cls_api.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c +index 2ef8f5a6205a9..e54f0a42270c1 100644 +--- a/net/sched/cls_api.c ++++ b/net/sched/cls_api.c +@@ -3687,6 +3687,7 @@ int tc_setup_flow_action(struct flow_action *flow_action, + entry->mpls_mangle.ttl = tcf_mpls_ttl(act); + break; + default: ++ err = -EOPNOTSUPP; + goto err_out_locked; + } + } else if (is_tcf_skbedit_ptype(act)) { +-- +2.33.0 + diff --git a/queue-5.15/hv-utils-add-ptp_1588_clock-to-kconfig-to-fix-build.patch b/queue-5.15/hv-utils-add-ptp_1588_clock-to-kconfig-to-fix-build.patch new file mode 100644 index 00000000000..fc1f48661c7 --- /dev/null +++ b/queue-5.15/hv-utils-add-ptp_1588_clock-to-kconfig-to-fix-build.patch 
@@ -0,0 +1,54 @@ +From 9354a3f51e6e222dbdbe38f4e006d8b986185b1b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Nov 2021 18:33:16 -0800 +Subject: hv: utils: add PTP_1588_CLOCK to Kconfig to fix build + +From: Randy Dunlap + +[ Upstream commit 1dc2f2b81a6a9895da59f3915760f6c0c3074492 ] + +The hyperv utilities use PTP clock interfaces and should depend a +a kconfig symbol such that they will be built as a loadable module or +builtin so that linker errors do not happen. + +Prevents these build errors: + +ld: drivers/hv/hv_util.o: in function `hv_timesync_deinit': +hv_util.c:(.text+0x37d): undefined reference to `ptp_clock_unregister' +ld: drivers/hv/hv_util.o: in function `hv_timesync_init': +hv_util.c:(.text+0x738): undefined reference to `ptp_clock_register' + +Fixes: 3716a49a81ba ("hv_utils: implement Hyper-V PTP source") +Signed-off-by: Randy Dunlap +Reported-by: kernel test robot +Cc: Arnd Bergmann +Cc: "K. Y. Srinivasan" +Cc: Haiyang Zhang +Cc: Stephen Hemminger +Cc: Wei Liu +Cc: Dexuan Cui +Cc: linux-hyperv@vger.kernel.org +Cc: Greg Kroah-Hartman +Reviewed-by: Michael Kelley +Link: https://lore.kernel.org/r/20211126023316.25184-1-rdunlap@infradead.org +Signed-off-by: Wei Liu +Signed-off-by: Sasha Levin +--- + drivers/hv/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/hv/Kconfig b/drivers/hv/Kconfig +index d1123ceb38f3f..9a074cbdef78c 100644 +--- a/drivers/hv/Kconfig ++++ b/drivers/hv/Kconfig +@@ -18,6 +18,7 @@ config HYPERV_TIMER + config HYPERV_UTILS + tristate "Microsoft Hyper-V Utilities driver" + depends on HYPERV && CONNECTOR && NLS ++ depends on PTP_1588_CLOCK_OPTIONAL + help + Select this option to enable the Hyper-V Utilities. + +-- +2.33.0 + diff --git a/queue-5.15/ice-don-t-put-stale-timestamps-in-the-skb.patch b/queue-5.15/ice-don-t-put-stale-timestamps-in-the-skb.patch new file mode 100644 index 00000000000..7644cc8c92a --- /dev/null +++ b/queue-5.15/ice-don-t-put-stale-timestamps-in-the-skb.patch 
@@ -0,0 +1,84 @@ +From b1c06dc1ccbb684d1adc71b784409192ee5246d6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Nov 2021 13:07:14 +0100 +Subject: ice: Don't put stale timestamps in the skb + +From: Karol Kolacinski + +[ Upstream commit 37e738b6fdb14529534dca441e0222313688fde3 ] + +The driver has to check if it does not accidentally put the timestamp in +the SKB before previous timestamp gets overwritten. +Timestamp values in the PHY are read only and do not get cleared except +at hardware reset or when a new timestamp value is captured. +The cached_tstamp field is used to detect the case where a new timestamp +has not yet been captured, ensuring that we avoid sending stale +timestamp data to the stack. + +Fixes: ea9b847cda64 ("ice: enable transmit timestamps for E810 devices") +Signed-off-by: Karol Kolacinski +Tested-by: Gurucharan G +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_ptp.c | 11 ++++------- + drivers/net/ethernet/intel/ice/ice_ptp.h | 6 ++++++ + 2 files changed, 10 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_ptp.c b/drivers/net/ethernet/intel/ice/ice_ptp.c +index 9df546984de25..ac27a4fe8b94c 100644 +--- a/drivers/net/ethernet/intel/ice/ice_ptp.c ++++ b/drivers/net/ethernet/intel/ice/ice_ptp.c +@@ -1182,19 +1182,16 @@ static void ice_ptp_tx_tstamp_work(struct kthread_work *work) + if (err) + continue; + +- /* Check if the timestamp is valid */ +- if (!(raw_tstamp & ICE_PTP_TS_VALID)) ++ /* Check if the timestamp is invalid or stale */ ++ if (!(raw_tstamp & ICE_PTP_TS_VALID) || ++ raw_tstamp == tx->tstamps[idx].cached_tstamp) + continue; + +- /* clear the timestamp register, so that it won't show valid +- * again when re-used. +- */ +- ice_clear_phy_tstamp(hw, tx->quad, phy_idx); +- + /* The timestamp is valid, so we'll go ahead and clear this + * index and then send the timestamp up to the stack. 
+ */ + spin_lock(&tx->lock); ++ tx->tstamps[idx].cached_tstamp = raw_tstamp; + clear_bit(idx, tx->in_use); + skb = tx->tstamps[idx].skb; + tx->tstamps[idx].skb = NULL; +diff --git a/drivers/net/ethernet/intel/ice/ice_ptp.h b/drivers/net/ethernet/intel/ice/ice_ptp.h +index e1c787bd5b967..8cdd6f7046b73 100644 +--- a/drivers/net/ethernet/intel/ice/ice_ptp.h ++++ b/drivers/net/ethernet/intel/ice/ice_ptp.h +@@ -46,15 +46,21 @@ struct ice_perout_channel { + * struct ice_tx_tstamp - Tracking for a single Tx timestamp + * @skb: pointer to the SKB for this timestamp request + * @start: jiffies when the timestamp was first requested ++ * @cached_tstamp: last read timestamp + * + * This structure tracks a single timestamp request. The SKB pointer is + * provided when initiating a request. The start time is used to ensure that + * we discard old requests that were not fulfilled within a 2 second time + * window. ++ * Timestamp values in the PHY are read only and do not get cleared except at ++ * hardware reset or when a new timestamp value is captured. The cached_tstamp ++ * field is used to detect the case where a new timestamp has not yet been ++ * captured, ensuring that we avoid sending stale timestamp data to the stack. + */ + struct ice_tx_tstamp { + struct sk_buff *skb; + unsigned long start; ++ u64 cached_tstamp; + }; + + /** +-- +2.33.0 + diff --git a/queue-5.15/ice-use-div64_u64-instead-of-div_u64-in-adjfine.patch b/queue-5.15/ice-use-div64_u64-instead-of-div_u64-in-adjfine.patch new file mode 100644 index 00000000000..c2b79554e62 --- /dev/null +++ b/queue-5.15/ice-use-div64_u64-instead-of-div_u64-in-adjfine.patch 
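Review bot: The staleness test `raw_tstamp == tx->tstamps[idx].cached_tstamp` in ice_ptp_tx_tstamp_work() reads `cached_tstamp` before `spin_lock(&tx->lock)`, while the store `tx->tstamps[idx].cached_tstamp = raw_tstamp;` is made under that lock. If this work item is the only writer the read is harmless, but that is not visible here, and a u64 read can tear on 32-bit builds; either move the comparison under the lock or add a comment such as `/* cached_tstamp is only written by this work item */`. The kernel-doc added in ice_ptp.h also does not say where `cached_tstamp` is reset, for instance after a hardware reset, which decides whether a fresh timestamp can be mistaken for a stale one.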
@@ -0,0 +1,38 @@
+From ba27ab5da18954fa15184cf141da6d79b3a28417 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 4 Nov 2021 14:52:11 +0100
+Subject: ice: Use div64_u64 instead of div_u64 in adjfine
+
+From: Karol Kolacinski
+
+[ Upstream commit 0013881c1145d36bf26165bb70fdd7560a5507a3 ]
+
+Change the division in ice_ptp_adjfine from div_u64 to div64_u64.
+div_u64 is used when the divisor is 32 bit but in this case incval is
+64 bit and it caused incorrect calculations and incval adjustments.
+
+Fixes: 06c16d89d2cb ("ice: register 1588 PTP clock device object for E810 devices")
+Signed-off-by: Karol Kolacinski
+Tested-by: Gurucharan G
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/ice/ice_ptp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_ptp.c b/drivers/net/ethernet/intel/ice/ice_ptp.c
+index d1ef3d48a4b03..9df546984de25 100644
+--- a/drivers/net/ethernet/intel/ice/ice_ptp.c
++++ b/drivers/net/ethernet/intel/ice/ice_ptp.c
+@@ -459,7 +459,7 @@ static int ice_ptp_adjfine(struct ptp_clock_info *info, long scaled_ppm)
+ scaled_ppm = -scaled_ppm;
+ }
+
+- while ((u64)scaled_ppm > div_u64(U64_MAX, incval)) {
++ while ((u64)scaled_ppm > div64_u64(U64_MAX, incval)) {
+ /* handle overflow by scaling down the scaled_ppm and
+ * the divisor, losing some precision
+ */
+--
+2.33.0
+
diff --git a/queue-5.15/igb-fix-removal-of-unicast-mac-filters-of-vfs.patch b/queue-5.15/igb-fix-removal-of-unicast-mac-filters-of-vfs.patch
new file mode 100644
index 00000000000..5b67453aed1
--- /dev/null
+++ b/queue-5.15/igb-fix-removal-of-unicast-mac-filters-of-vfs.patch
@@ -0,0 +1,71 @@
+From 4d63adef9d915d5acfe86672d7a011eb206bf074 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 31 Aug 2021 13:16:35 +0200
+Subject: igb: Fix removal of unicast MAC filters of VFs
+
+From: Karen Sornek
+
+[ Upstream commit 584af82154f56e6b2740160fcc84a2966d969e15 ]
+
+Move checking condition of VF MAC filter before clearing
+or adding MAC filter to VF to prevent potential blackout caused
+by removal of necessary and working VF's MAC filter.
+
+Fixes: 1b8b062a99dc ("igb: add VF trust infrastructure")
+Signed-off-by: Karen Sornek
+Tested-by: Konrad Jankowski
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 28 +++++++++++------------
+ 1 file changed, 14 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
+index 8f30577386b6f..533199d819501 100644
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -7641,6 +7641,20 @@ static int igb_set_vf_mac_filter(struct igb_adapter *adapter, const int vf,
+ struct vf_mac_filter *entry = NULL;
+ int ret = 0;
+
++ if ((vf_data->flags & IGB_VF_FLAG_PF_SET_MAC) &&
++ !vf_data->trusted) {
++ dev_warn(&pdev->dev,
++ "VF %d requested MAC filter but is administratively denied\n",
++ vf);
++ return -EINVAL;
++ }
++ if (!is_valid_ether_addr(addr)) {
++ dev_warn(&pdev->dev,
++ "VF %d attempted to set invalid MAC filter\n",
++ vf);
++ return -EINVAL;
++ }
++
+ switch (info) {
+ case E1000_VF_MAC_FILTER_CLR:
+ /* remove all unicast MAC filters related to the current VF */
+@@ -7654,20 +7668,6 @@ static int igb_set_vf_mac_filter(struct igb_adapter *adapter, const int vf,
+ }
+ break;
+ case E1000_VF_MAC_FILTER_ADD:
+- if ((vf_data->flags & IGB_VF_FLAG_PF_SET_MAC) &&
+- !vf_data->trusted) {
+- dev_warn(&pdev->dev,
+- "VF %d requested MAC filter but is administratively denied\n",
+- vf);
+- return -EINVAL;
+- }
+- if (!is_valid_ether_addr(addr)) {
+- dev_warn(&pdev->dev,
+- "VF %d attempted to set invalid MAC filter\n",
+- vf);
+- return -EINVAL;
+- }
+-
+ /* try to find empty slot in the list */
+ list_for_each(pos, &adapter->vf_macs.l) {
+ entry = list_entry(pos, struct vf_mac_filter, l);
+--
+2.33.0
+
diff --git a/queue-5.15/igbvf-fix-double-free-in-igbvf_probe.patch b/queue-5.15/igbvf-fix-double-free-in-igbvf_probe.patch
new file mode 100644
index 00000000000..89806f4a156
--- /dev/null
+++ b/queue-5.15/igbvf-fix-double-free-in-igbvf_probe.patch
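Review bot: Hoisting both checks above `switch (info)` in igb_set_vf_mac_filter() also puts `is_valid_ether_addr(addr)` in front of `E1000_VF_MAC_FILTER_CLR`, a case whose own comment says it removes all unicast filters of the VF and which does not obviously need an address. If a VF sends the clear request with an empty address field (the sender is not visible here), the request is now rejected with -EINVAL and the VF's old filters stay programmed. The trust check belongs before the switch as the commit intends, but the address check would be safer limited to the add path, e.g. `if (info == E1000_VF_MAC_FILTER_ADD && !is_valid_ether_addr(addr)) {`. The function starts and ends outside the hunk.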
@@ -0,0 +1,80 @@
+From e292fb71c1667a0a25cab8175e8a5662e2b8c0bc Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 13 Nov 2021 11:42:34 +0800
+Subject: igbvf: fix double free in `igbvf_probe`
+
+From: Letu Ren
+
+[ Upstream commit b6d335a60dc624c0d279333b22c737faa765b028 ]
+
+In `igbvf_probe`, if register_netdev() fails, the program will go to
+label err_hw_init, and then to label err_ioremap. In free_netdev() which
+is just below label err_ioremap, there is `list_for_each_entry_safe` and
+`netif_napi_del` which aims to delete all entries in `dev->napi_list`.
+The program has added an entry `adapter->rx_ring->napi` which is added by
+`netif_napi_add` in igbvf_alloc_queues(). However, adapter->rx_ring has
+been freed below label err_hw_init. So this a UAF.
+
+In terms of how to patch the problem, we can refer to igbvf_remove() and
+delete the entry before `adapter->rx_ring`.
+
+The KASAN logs are as follows:
+
+[ 35.126075] BUG: KASAN: use-after-free in free_netdev+0x1fd/0x450
+[ 35.127170] Read of size 8 at addr ffff88810126d990 by task modprobe/366
+[ 35.128360]
+[ 35.128643] CPU: 1 PID: 366 Comm: modprobe Not tainted 5.15.0-rc2+ #14
+[ 35.129789] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
+[ 35.131749] Call Trace:
+[ 35.132199] dump_stack_lvl+0x59/0x7b
+[ 35.132865] print_address_description+0x7c/0x3b0
+[ 35.133707] ? free_netdev+0x1fd/0x450
+[ 35.134378] __kasan_report+0x160/0x1c0
+[ 35.135063] ? free_netdev+0x1fd/0x450
+[ 35.135738] kasan_report+0x4b/0x70
+[ 35.136367] free_netdev+0x1fd/0x450
+[ 35.137006] igbvf_probe+0x121d/0x1a10 [igbvf]
+[ 35.137808] ? igbvf_vlan_rx_add_vid+0x100/0x100 [igbvf]
+[ 35.138751] local_pci_probe+0x13c/0x1f0
+[ 35.139461] pci_device_probe+0x37e/0x6c0
+[ 35.165526]
+[ 35.165806] Allocated by task 366:
+[ 35.166414] ____kasan_kmalloc+0xc4/0xf0
+[ 35.167117] foo_kmem_cache_alloc_trace+0x3c/0x50 [igbvf]
+[ 35.168078] igbvf_probe+0x9c5/0x1a10 [igbvf]
+[ 35.168866] local_pci_probe+0x13c/0x1f0
+[ 35.169565] pci_device_probe+0x37e/0x6c0
+[ 35.179713]
+[ 35.179993] Freed by task 366:
+[ 35.180539] kasan_set_track+0x4c/0x80
+[ 35.181211] kasan_set_free_info+0x1f/0x40
+[ 35.181942] ____kasan_slab_free+0x103/0x140
+[ 35.182703] kfree+0xe3/0x250
+[ 35.183239] igbvf_probe+0x1173/0x1a10 [igbvf]
+[ 35.184040] local_pci_probe+0x13c/0x1f0
+
+Fixes: d4e0fe01a38a0 (igbvf: add new driver to support 82576 virtual functions)
+Reported-by: Zheyu Ma
+Signed-off-by: Letu Ren
+Tested-by: Konrad Jankowski
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/igbvf/netdev.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/intel/igbvf/netdev.c b/drivers/net/ethernet/intel/igbvf/netdev.c
+index d32e72d953c8d..d051918dfdff9 100644
+--- a/drivers/net/ethernet/intel/igbvf/netdev.c
++++ b/drivers/net/ethernet/intel/igbvf/netdev.c
+@@ -2861,6 +2861,7 @@ static int igbvf_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+ return 0;
+
+ err_hw_init:
++ netif_napi_del(&adapter->rx_ring->napi);
+ kfree(adapter->tx_ring);
+ kfree(adapter->rx_ring);
+ err_sw_init:
+--
+2.33.0
+
diff --git a/queue-5.15/igc-fix-typo-in-i225-ltr-functions.patch b/queue-5.15/igc-fix-typo-in-i225-ltr-functions.patch
new file mode 100644
index 00000000000..4911f7472ff
--- /dev/null
+++ b/queue-5.15/igc-fix-typo-in-i225-ltr-functions.patch
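Review bot: The new `netif_napi_del()` at err_hw_init carries no comment saying why it has to come before the two kfree() calls, and that ordering is the whole fix. A line such as `/* napi is embedded in rx_ring: unlink it before the ring is freed, free_netdev() walks napi_list */` above it would stop a later cleanup from reordering the label. The call dereferences adapter->rx_ring, so it also relies on every jump to err_hw_init happening after the rings were allocated; those jumps are outside the hunk and should be checked against the full igbvf_probe().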
@@ -0,0 +1,39 @@
+From 05693cd8178945ed60cd51adfa51435cdb6cf8f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 2 Nov 2021 09:20:06 +0200
+Subject: igc: Fix typo in i225 LTR functions
+
+From: Sasha Neftin
+
+[ Upstream commit 0182d1f3fa640888a2ed7e3f6df2fdb10adee7c8 ]
+
+The LTR maximum value was incorrectly written using the scale from
+the LTR minimum value. This would cause incorrect values to be sent,
+in cases where the initial calculation lead to different min/max scales.
+
+Fixes: 707abf069548 ("igc: Add initial LTR support")
+Suggested-by: Dima Ruinskiy
+Signed-off-by: Sasha Neftin
+Tested-by: Nechama Kraus
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/igc/igc_i225.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_i225.c b/drivers/net/ethernet/intel/igc/igc_i225.c
+index b2ef9fde97b38..b6807e16eea93 100644
+--- a/drivers/net/ethernet/intel/igc/igc_i225.c
++++ b/drivers/net/ethernet/intel/igc/igc_i225.c
+@@ -636,7 +636,7 @@ s32 igc_set_ltr_i225(struct igc_hw *hw, bool link)
+ ltrv = rd32(IGC_LTRMAXV);
+ if (ltr_max != (ltrv & IGC_LTRMAXV_LTRV_MASK)) {
+ ltrv = IGC_LTRMAXV_LSNP_REQ | ltr_max |
+- (scale_min << IGC_LTRMAXV_SCALE_SHIFT);
++ (scale_max << IGC_LTRMAXV_SCALE_SHIFT);
+ wr32(IGC_LTRMAXV, ltrv);
+ }
+ }
+--
+2.33.0
+
diff --git a/queue-5.15/inet_diag-fix-kernel-infoleak-for-udp-sockets.patch b/queue-5.15/inet_diag-fix-kernel-infoleak-for-udp-sockets.patch
new file mode 100644
index 00000000000..a08ee0057fe
--- /dev/null
+++ b/queue-5.15/inet_diag-fix-kernel-infoleak-for-udp-sockets.patch
@@ -0,0 +1,117 @@
+From b0a0c1fd4d2e6094fab8ac957666f92ab94a7db4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 9 Dec 2021 10:50:58 -0800
+Subject: inet_diag: fix kernel-infoleak for UDP sockets
+
+From: Eric Dumazet
+
+[ Upstream commit 71ddeac8cd1d217744a0e060ff520e147c9328d1 ]
+
+KMSAN reported a kernel-infoleak [1], that can exploited
+by unpriv users.
+
+After analysis it turned out UDP was not initializing
+r->idiag_expires. Other users of inet_sk_diag_fill()
+might make the same mistake in the future, so fix this
+in inet_sk_diag_fill().
+
+[1]
+BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:121 [inline]
+BUG: KMSAN: kernel-infoleak in copyout lib/iov_iter.c:156 [inline]
+BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x69d/0x25c0 lib/iov_iter.c:670
+ instrument_copy_to_user include/linux/instrumented.h:121 [inline]
+ copyout lib/iov_iter.c:156 [inline]
+ _copy_to_iter+0x69d/0x25c0 lib/iov_iter.c:670
+ copy_to_iter include/linux/uio.h:155 [inline]
+ simple_copy_to_iter+0xf3/0x140 net/core/datagram.c:519
+ __skb_datagram_iter+0x2cb/0x1280 net/core/datagram.c:425
+ skb_copy_datagram_iter+0xdc/0x270 net/core/datagram.c:533
+ skb_copy_datagram_msg include/linux/skbuff.h:3657 [inline]
+ netlink_recvmsg+0x660/0x1c60 net/netlink/af_netlink.c:1974
+ sock_recvmsg_nosec net/socket.c:944 [inline]
+ sock_recvmsg net/socket.c:962 [inline]
+ sock_read_iter+0x5a9/0x630 net/socket.c:1035
+ call_read_iter include/linux/fs.h:2156 [inline]
+ new_sync_read fs/read_write.c:400 [inline]
+ vfs_read+0x1631/0x1980 fs/read_write.c:481
+ ksys_read+0x28c/0x520 fs/read_write.c:619
+ __do_sys_read fs/read_write.c:629 [inline]
+ __se_sys_read fs/read_write.c:627 [inline]
+ __x64_sys_read+0xdb/0x120 fs/read_write.c:627
+ do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+ do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Uninit was created at:
+ slab_post_alloc_hook mm/slab.h:524 [inline]
+ slab_alloc_node mm/slub.c:3251 [inline]
+ __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974
+ kmalloc_reserve net/core/skbuff.c:354 [inline]
+ __alloc_skb+0x545/0xf90 net/core/skbuff.c:426
+ alloc_skb include/linux/skbuff.h:1126 [inline]
+ netlink_dump+0x3d5/0x16a0 net/netlink/af_netlink.c:2245
+ __netlink_dump_start+0xd1c/0xee0 net/netlink/af_netlink.c:2370
+ netlink_dump_start include/linux/netlink.h:254 [inline]
+ inet_diag_handler_cmd+0x2e7/0x400 net/ipv4/inet_diag.c:1343
+ sock_diag_rcv_msg+0x24a/0x620
+ netlink_rcv_skb+0x447/0x800 net/netlink/af_netlink.c:2491
+ sock_diag_rcv+0x63/0x80 net/core/sock_diag.c:276
+ netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
+ netlink_unicast+0x1095/0x1360 net/netlink/af_netlink.c:1345
+ netlink_sendmsg+0x16f3/0x1870 net/netlink/af_netlink.c:1916
+ sock_sendmsg_nosec net/socket.c:704 [inline]
+ sock_sendmsg net/socket.c:724 [inline]
+ sock_write_iter+0x594/0x690 net/socket.c:1057
+ do_iter_readv_writev+0xa7f/0xc70
+ do_iter_write+0x52c/0x1500 fs/read_write.c:851
+ vfs_writev fs/read_write.c:924 [inline]
+ do_writev+0x63f/0xe30 fs/read_write.c:967
+ __do_sys_writev fs/read_write.c:1040 [inline]
+ __se_sys_writev fs/read_write.c:1037 [inline]
+ __x64_sys_writev+0xe5/0x120 fs/read_write.c:1037
+ do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+ do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Bytes 68-71 of 312 are uninitialized
+Memory access of size 312 starts at ffff88812ab54000
+Data copied to user address 0000000020001440
+
+CPU: 1 PID: 6365 Comm: syz-executor801 Not tainted 5.16.0-rc3-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+
+Fixes: 3c4d05c80567 ("inet_diag: Introduce the inet socket dumping routine")
+Signed-off-by: Eric Dumazet
+Reported-by: syzbot
+Link: https://lore.kernel.org/r/20211209185058.53917-1-eric.dumazet@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/inet_diag.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c
+index ef7897226f08e..ae70e07c52445 100644
+--- a/net/ipv4/inet_diag.c
++++ b/net/ipv4/inet_diag.c
+@@ -261,6 +261,7 @@ int inet_sk_diag_fill(struct sock *sk, struct inet_connection_sock *icsk,
+ r->idiag_state = sk->sk_state;
+ r->idiag_timer = 0;
+ r->idiag_retrans = 0;
++ r->idiag_expires = 0;
+
+ if (inet_diag_msg_attrs_fill(sk, skb, r, ext,
+ sk_user_ns(NETLINK_CB(cb->skb).sk),
+@@ -314,9 +315,6 @@ int inet_sk_diag_fill(struct sock *sk, struct inet_connection_sock *icsk,
+ r->idiag_retrans = icsk->icsk_probes_out;
+ r->idiag_expires =
+ jiffies_delta_to_msecs(sk->sk_timer.expires - jiffies);
+- } else {
+- r->idiag_timer = 0;
+- r->idiag_expires = 0;
+ }
+
+ if ((ext & (1 << (INET_DIAG_INFO - 1))) && handler->idiag_info_size) {
+--
+2.33.0
+
diff --git a/queue-5.15/iwlwifi-mvm-don-t-crash-on-invalid-rate-w-o-sta.patch b/queue-5.15/iwlwifi-mvm-don-t-crash-on-invalid-rate-w-o-sta.patch
new file mode 100644
index 00000000000..93966b4c50a
--- /dev/null
+++ b/queue-5.15/iwlwifi-mvm-don-t-crash-on-invalid-rate-w-o-sta.patch
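Review bot: Initialising `r->idiag_expires` next to idiag_timer and idiag_retrans closes the reported leak, but inet_sk_diag_fill() still depends on every member of the reply being assigned by hand before the buffer is copied to user space. The place where `r` is obtained is outside the hunk; if the header is not zeroed there, clearing it once right after it is obtained, for example `memset(r, 0, sizeof(*r));`, would also cover fields added later and any padding, which is the failure mode the commit message itself anticipates. If the per-field stores are kept, a comment on this group of assignments saying that each field is visible to the requesting user would help the next editor.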
@@ -0,0 +1,52 @@
+From d5894ad30fee1c70afffcd4d5a33ff55d24b80aa Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 3 Dec 2021 14:04:24 +0200
+Subject: iwlwifi: mvm: don't crash on invalid rate w/o STA
+
+From: Johannes Berg
+
+[ Upstream commit d599f714b73e4177dfdfe64fce09175568288ee9 ]
+
+If we get to the WARN_ONCE(..., "Got a HT rate (...)", ...)
+here with a NULL sta, then we crash because mvmsta is bad
+and we try to dereference it. Fix that by printing -1 as the
+state if no station was given.
+
+Signed-off-by: Johannes Berg
+Fixes: 6761a718263a ("iwlwifi: mvm: add explicit check for non-data frames in get Tx rate")
+Signed-off-by: Luca Coelho
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/iwlwifi.20211203140410.1a1541d7dcb5.I606c746e11447fe168cf046376b70b04e278c3b4@changeid
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/tx.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
+index 0a13c2bda2eed..06fbd9ab37dfe 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
+@@ -268,17 +268,18 @@ static u32 iwl_mvm_get_tx_rate(struct iwl_mvm *mvm,
+ int rate_idx = -1;
+ u8 rate_plcp;
+ u32 rate_flags = 0;
+- struct iwl_mvm_sta *mvmsta = iwl_mvm_sta_from_mac80211(sta);
+
+ /* info->control is only relevant for non HW rate control */
+ if (!ieee80211_hw_check(mvm->hw, HAS_RATE_CONTROL)) {
++ struct iwl_mvm_sta *mvmsta = iwl_mvm_sta_from_mac80211(sta);
++
+ /* HT rate doesn't make sense for a non data frame */
+ WARN_ONCE(info->control.rates[0].flags & IEEE80211_TX_RC_MCS &&
+ !ieee80211_is_data(fc),
+ "Got a HT rate (flags:0x%x/mcs:%d/fc:0x%x/state:%d) for a non data frame\n",
+ info->control.rates[0].flags,
+ info->control.rates[0].idx,
+- le16_to_cpu(fc), mvmsta->sta_state);
++ le16_to_cpu(fc), sta ? mvmsta->sta_state : -1);
+
+ rate_idx = info->control.rates[0].idx;
+ }
+--
+2.33.0
+
diff --git a/queue-5.15/ixgbe-document-how-to-enable-nbase-t-support.patch b/queue-5.15/ixgbe-document-how-to-enable-nbase-t-support.patch
new file mode 100644
index 00000000000..25f72cf1883
--- /dev/null
+++ b/queue-5.15/ixgbe-document-how-to-enable-nbase-t-support.patch
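Review bot: Inside the `!ieee80211_hw_check(...)` block, `iwl_mvm_sta_from_mac80211(sta)` is still called when sta is NULL; only the later dereference is guarded by `sta ? mvmsta->sta_state : -1`. The helper's body is not visible here, but deriving a pointer from a NULL station is fragile and leaves an invalid mvmsta in scope for any later edit of this block. Guarding the initialiser, `struct iwl_mvm_sta *mvmsta = sta ? iwl_mvm_sta_from_mac80211(sta) : NULL;`, and testing `mvmsta` in the WARN_ONCE argument keeps the NULL case explicit. The function continues outside the hunk.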
@@ -0,0 +1,78 @@
+From 97ba926d6457565d4745d75f8d31448ed78dca7a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 26 Oct 2021 02:24:48 +0200
+Subject: ixgbe: Document how to enable NBASE-T support
+
+From: Robert Schlabbach
+
+[ Upstream commit 271225fd57c2f1e0b3f8826df51be6c634affefe ]
+
+Commit a296d665eae1 ("ixgbe: Add ethtool support to enable 2.5 and 5.0
+Gbps support") introduced suppression of the advertisement of NBASE-T
+speeds by default, according to Todd Fujinaka to accommodate customers
+with network switches which could not cope with advertised NBASE-T
+speeds, as posted in the E1000-devel mailing list:
+
+https://sourceforge.net/p/e1000/mailman/message/37106269/
+
+However, the suppression was not documented at all, nor was how to
+enable NBASE-T support.
+
+Properly document the NBASE-T suppression and how to enable NBASE-T
+support.
+
+Fixes: a296d665eae1 ("ixgbe: Add ethtool support to enable 2.5 and 5.0 Gbps support")
+Reported-by: Robert Schlabbach
+Signed-off-by: Robert Schlabbach
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ .../device_drivers/ethernet/intel/ixgbe.rst | 16 ++++++++++++++++
+ drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 4 ++++
+ 2 files changed, 20 insertions(+)
+
+diff --git a/Documentation/networking/device_drivers/ethernet/intel/ixgbe.rst b/Documentation/networking/device_drivers/ethernet/intel/ixgbe.rst
+index f1d5233e5e510..0a233b17c664e 100644
+--- a/Documentation/networking/device_drivers/ethernet/intel/ixgbe.rst
++++ b/Documentation/networking/device_drivers/ethernet/intel/ixgbe.rst
+@@ -440,6 +440,22 @@ NOTE: For 82599-based network connections, if you are enabling jumbo frames in
+ a virtual function (VF), jumbo frames must first be enabled in the physical
+ function (PF). The VF MTU setting cannot be larger than the PF MTU.
+
++NBASE-T Support
++---------------
++The ixgbe driver supports NBASE-T on some devices. However, the advertisement
++of NBASE-T speeds is suppressed by default, to accommodate broken network
++switches which cannot cope with advertised NBASE-T speeds. Use the ethtool
++command to enable advertising NBASE-T speeds on devices which support it::
++
++ ethtool -s eth? advertise 0x1800000001028
++
++On Linux systems with INTERFACES(5), this can be specified as a pre-up command
++in /etc/network/interfaces so that the interface is always brought up with
++NBASE-T support, e.g.::
++
++ iface eth? inet dhcp
++ pre-up ethtool -s eth? advertise 0x1800000001028 || true
++
+ Generic Receive Offload, aka GRO
+ --------------------------------
+ The driver supports the in-kernel software implementation of GRO. GRO has
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+index 13c4782b920a7..750b02bb2fdc2 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+@@ -5526,6 +5526,10 @@ static int ixgbe_non_sfp_link_config(struct ixgbe_hw *hw)
+ if (!speed && hw->mac.ops.get_link_capabilities) {
+ ret = hw->mac.ops.get_link_capabilities(hw, &speed,
+ &autoneg);
++ /* remove NBASE-T speeds from default autonegotiation
++ * to accommodate broken network switches in the field
++ * which cannot cope with advertised NBASE-T speeds
++ */
+ speed &= ~(IXGBE_LINK_SPEED_5GB_FULL |
+ IXGBE_LINK_SPEED_2_5GB_FULL);
+ }
+--
+2.33.0
+
diff --git a/queue-5.15/ixgbe-set-x550-mdio-speed-before-talking-to-phy.patch b/queue-5.15/ixgbe-set-x550-mdio-speed-before-talking-to-phy.patch
new file mode 100644
index 00000000000..c34fbf3470e
--- /dev/null
+++ b/queue-5.15/ixgbe-set-x550-mdio-speed-before-talking-to-phy.patch
@@ -0,0 +1,56 @@
+From a1832074a95013aa02705f8889245f6762da5a45 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 1 Nov 2021 18:39:36 -0700
+Subject: ixgbe: set X550 MDIO speed before talking to PHY
+
+From: Cyril Novikov
+
+[ Upstream commit bf0a375055bd1afbbf02a0ef45f7655da7b71317 ]
+
+The MDIO bus speed must be initialized before talking to the PHY the first
+time in order to avoid talking to it using a speed that the PHY doesn't
+support.
+
+This fixes HW initialization error -17 (IXGBE_ERR_PHY_ADDR_INVALID) on
+Denverton CPUs (a.k.a. the Atom C3000 family) on ports with a 10Gb network
+plugged in. On those devices, HLREG0[MDCSPD] resets to 1, which combined
+with the 10Gb network results in a 24MHz MDIO speed, which is apparently
+too fast for the connected PHY. PHY register reads over MDIO bus return
+garbage, leading to initialization failure.
+
+Reproduced with Linux kernel 4.19 and 5.15-rc7. Can be reproduced using
+the following setup:
+
+* Use an Atom C3000 family system with at least one X552 LAN on the SoC
+* Disable PXE or other BIOS network initialization if possible
+ (the interface must not be initialized before Linux boots)
+* Connect a live 10Gb Ethernet cable to an X550 port
+* Power cycle (not reset, doesn't always work) the system and boot Linux
+* Observe: ixgbe interfaces w/ 10GbE cables plugged in fail with error -17
+
+Fixes: e84db7272798 ("ixgbe: Introduce function to control MDIO speed")
+Signed-off-by: Cyril Novikov
+Reviewed-by: Andrew Lunn
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c
+index 9724ffb165189..e4b50c7781ffa 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c
+@@ -3405,6 +3405,9 @@ static s32 ixgbe_reset_hw_X550em(struct ixgbe_hw *hw)
+ /* flush pending Tx transactions */
+ ixgbe_clear_tx_pending(hw);
+
++ /* set MDIO speed before talking to the PHY in case it's the 1st time */
++ ixgbe_set_mdio_speed(hw);
++
+ /* PHY ops must be identified and initialized prior to reset */
+ status = hw->phy.ops.init(hw);
+ if (status == IXGBE_ERR_SFP_NOT_SUPPORTED ||
+--
+2.33.0
+
diff --git a/queue-5.15/mac80211-agg-tx-don-t-schedule_and_wake_txq-under-st.patch b/queue-5.15/mac80211-agg-tx-don-t-schedule_and_wake_txq-under-st.patch
new file mode 100644
index 00000000000..50136211f4b
--- /dev/null
+++ b/queue-5.15/mac80211-agg-tx-don-t-schedule_and_wake_txq-under-st.patch
@@ -0,0 +1,94 @@
+From f949a9e1132fc40f05611af42dc4aaa201061c8e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 2 Dec 2021 15:26:25 +0200
+Subject: mac80211: agg-tx: don't schedule_and_wake_txq() under sta->lock
+
+From: Johannes Berg
+
+[ Upstream commit 06c41bda0ea14aa7fba932a9613c4ee239682cf0 ]
+
+When we call ieee80211_agg_start_txq(), that will in turn call
+schedule_and_wake_txq(). Called from ieee80211_stop_tx_ba_cb()
+this is done under sta->lock, which leads to certain circular
+lock dependencies, as reported by Chris Murphy:
+https://lore.kernel.org/r/CAJCQCtSXJ5qA4bqSPY=oLRMbv-irihVvP7A2uGutEbXQVkoNaw@mail.gmail.com
+
+In general, ieee80211_agg_start_txq() is usually not called
+with sta->lock held, only in this one place. But it's always
+called with sta->ampdu_mlme.mtx held, and that's therefore
+clearly sufficient.
+
+Change ieee80211_stop_tx_ba_cb() to also call it without the
+sta->lock held, by factoring it out of ieee80211_remove_tid_tx()
+(which is only called in this one place).
+
+This breaks the locking chain and makes it less likely that
+we'll have similar locking chain problems in the future.
+
+Fixes: ba8c3d6f16a1 ("mac80211: add an intermediate software queue implementation")
+Reported-by: Chris Murphy
+Signed-off-by: Johannes Berg
+Signed-off-by: Luca Coelho
+Link: https://lore.kernel.org/r/iwlwifi.20211202152554.f519884c8784.I555fef8e67d93fff3d9a304886c4a9f8b322e591@changeid
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ net/mac80211/agg-tx.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/net/mac80211/agg-tx.c b/net/mac80211/agg-tx.c
+index 58761ca7da3c5..74a878f213d3e 100644
+--- a/net/mac80211/agg-tx.c
++++ b/net/mac80211/agg-tx.c
+@@ -9,7 +9,7 @@
+ * Copyright 2007, Michael Wu
+ * Copyright 2007-2010, Intel Corporation
+ * Copyright(c) 2015-2017 Intel Deutschland GmbH
+- * Copyright (C) 2018 - 2020 Intel Corporation
++ * Copyright (C) 2018 - 2021 Intel Corporation
+ */
+
+ #include
+@@ -213,6 +213,8 @@ ieee80211_agg_start_txq(struct sta_info *sta, int tid, bool enable)
+ struct ieee80211_txq *txq = sta->sta.txq[tid];
+ struct txq_info *txqi;
+
++ lockdep_assert_held(&sta->ampdu_mlme.mtx);
++
+ if (!txq)
+ return;
+
+@@ -290,7 +292,6 @@ static void ieee80211_remove_tid_tx(struct sta_info *sta, int tid)
+ ieee80211_assign_tid_tx(sta, tid, NULL);
+
+ ieee80211_agg_splice_finish(sta->sdata, tid);
+- ieee80211_agg_start_txq(sta, tid, false);
+
+ kfree_rcu(tid_tx, rcu_head);
+ }
+@@ -889,6 +890,7 @@ void ieee80211_stop_tx_ba_cb(struct sta_info *sta, int tid,
+ {
+ struct ieee80211_sub_if_data *sdata = sta->sdata;
+ bool send_delba = false;
++ bool start_txq = false;
+
+ ht_dbg(sdata, "Stopping Tx BA session for %pM tid %d\n",
+ sta->sta.addr, tid);
+@@ -906,10 +908,14 @@ void ieee80211_stop_tx_ba_cb(struct sta_info *sta, int tid,
+ send_delba = true;
+
+ ieee80211_remove_tid_tx(sta, tid);
++ start_txq = true;
+
+ unlock_sta:
+ spin_unlock_bh(&sta->lock);
+
++ if (start_txq)
++ ieee80211_agg_start_txq(sta, tid, false);
++
+ if (send_delba)
+ ieee80211_send_delba(sdata, sta->sta.addr, tid,
+ WLAN_BACK_INITIATOR, WLAN_REASON_QSTA_NOT_USE);
+--
+2.33.0
+
diff --git a/queue-5.15/mac80211-fix-lookup-when-adding-addba-extension-elem.patch b/queue-5.15/mac80211-fix-lookup-when-adding-addba-extension-elem.patch
new file mode 100644
index 00000000000..49168b9e4a6
--- /dev/null
+++ b/queue-5.15/mac80211-fix-lookup-when-adding-addba-extension-elem.patch
@@ -0,0 +1,49 @@
+From ab12c37a550b20033dc16927667d9c5d11ef0a1c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 29 Nov 2021 15:32:46 +0200
+Subject: mac80211: fix lookup when adding AddBA extension element
+
+From: Johannes Berg
+
+[ Upstream commit 511ab0c1dfb260a6b17b8771109e8d63474473a7 ]
+
+We should be doing the HE capabilities lookup based on the full
+interface type so if P2P doesn't have HE but client has it doesn't
+get confused. Fix that.
+
+Fixes: 2ab45876756f ("mac80211: add support for the ADDBA extension element")
+Signed-off-by: Johannes Berg
+Signed-off-by: Luca Coelho
+Link: https://lore.kernel.org/r/iwlwifi.20211129152938.010fc1d61137.If3a468145f29d670cb00a693bed559d8290ba693@changeid
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ net/mac80211/agg-rx.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/net/mac80211/agg-rx.c b/net/mac80211/agg-rx.c
+index cce28e3b22323..ef729b1e39ea3 100644
+--- a/net/mac80211/agg-rx.c
++++ b/net/mac80211/agg-rx.c
+@@ -9,7 +9,7 @@
+ * Copyright 2007, Michael Wu
+ * Copyright 2007-2010, Intel Corporation
+ * Copyright(c) 2015-2017 Intel Deutschland GmbH
+- * Copyright (C) 2018-2020 Intel Corporation
++ * Copyright (C) 2018-2021 Intel Corporation
+ */
+
+ /**
+@@ -191,7 +191,8 @@ static void ieee80211_add_addbaext(struct ieee80211_sub_if_data *sdata,
+ sband = ieee80211_get_sband(sdata);
+ if (!sband)
+ return;
+- he_cap = ieee80211_get_he_iftype_cap(sband, sdata->vif.type);
++ he_cap = ieee80211_get_he_iftype_cap(sband,
++ ieee80211_vif_type_p2p(&sdata->vif));
+ if (!he_cap)
+ return;
+
+--
+2.33.0
+
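Review bot: The deferred `ieee80211_agg_start_txq(sta, tid, false)` placed after `spin_unlock_bh(&sta->lock)` in ieee80211_stop_tx_ba_cb() (agg-tx.c) has no comment, and the reason it sits outside the spinlock is recorded only in the commit message. A short comment such as `/* must run without sta->lock (schedule_and_wake_txq); ampdu_mlme.mtx is still held */` would keep the call from being folded back into ieee80211_remove_tid_tx(). The new lockdep_assert_held() in ieee80211_agg_start_txq() checks the mutex, but the hunk does not show where ieee80211_stop_tx_ba_cb() takes it, so that should be confirmed against the full function.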
diff --git a/queue-5.15/mac80211-track-only-qos-data-frames-for-admission-co.patch b/queue-5.15/mac80211-track-only-qos-data-frames-for-admission-co.patch
new file mode 100644
index 00000000000..1d83a2583f0
--- /dev/null
+++ b/queue-5.15/mac80211-track-only-qos-data-frames-for-admission-co.patch
@@ -0,0 +1,57 @@
+From c58efd6aeaab0e44ac55bc79f8313eb3873ded44 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 22 Nov 2021 12:47:40 +0100
+Subject: mac80211: track only QoS data frames for admission control
+
+From: Johannes Berg
+
+[ Upstream commit d5e568c3a4ec2ddd23e7dc5ad5b0c64e4f22981a ]
+
+For admission control, obviously all of that only works for
+QoS data frames, otherwise we cannot even access the QoS
+field in the header.
+
+Syzbot reported (see below) an uninitialized value here due
+to a status of a non-QoS nullfunc packet, which isn't even
+long enough to contain the QoS header.
+
+Fix this to only do anything for QoS data packets.
+
+Reported-by: syzbot+614e82b88a1a4973e534@syzkaller.appspotmail.com
+Fixes: 02219b3abca5 ("mac80211: add WMM admission control support")
+Link: https://lore.kernel.org/r/20211122124737.dad29e65902a.Ieb04587afacb27c14e0de93ec1bfbefb238cc2a0@changeid
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ net/mac80211/mlme.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
+index c0ea3b1aa9e1c..dd42d83dbe33e 100644
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -2446,11 +2446,18 @@ static void ieee80211_sta_tx_wmm_ac_notify(struct ieee80211_sub_if_data *sdata,
+ u16 tx_time)
+ {
+ struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
+- u16 tid = ieee80211_get_tid(hdr);
+- int ac = ieee80211_ac_from_tid(tid);
+- struct ieee80211_sta_tx_tspec *tx_tspec = &ifmgd->tx_tspec[ac];
++ u16 tid;
++ int ac;
++ struct ieee80211_sta_tx_tspec *tx_tspec;
+ unsigned long now = jiffies;
+
++ if (!ieee80211_is_data_qos(hdr->frame_control))
++ return;
++
++ tid = ieee80211_get_tid(hdr);
++ ac = ieee80211_ac_from_tid(tid);
++ tx_tspec = &ifmgd->tx_tspec[ac];
++
+ if (likely(!tx_tspec->admitted_time))
+ return;
+
+--
+2.33.0
+
diff --git a/queue-5.15/mptcp-clear-kern-flag-from-fallback-sockets.patch b/queue-5.15/mptcp-clear-kern-flag-from-fallback-sockets.patch
new file mode 100644
index 00000000000..05abba118e0
--- /dev/null
+++ b/queue-5.15/mptcp-clear-kern-flag-from-fallback-sockets.patch
@@ -0,0 +1,58 @@
+From b1d8ed7848973f251d83ded94c1af4dadb7a51dd Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 14 Dec 2021 15:16:02 -0800
+Subject: mptcp: clear 'kern' flag from fallback sockets
+
+From: Florian Westphal
+
+[ Upstream commit d6692b3b97bdc165d150f4c1505751a323a80717 ]
+
+The mptcp ULP extension relies on sk->sk_sock_kern being set correctly:
+It prevents setsockopt(fd, IPPROTO_TCP, TCP_ULP, "mptcp", 6); from
+working for plain tcp sockets (any userspace-exposed socket).
+
+But in case of fallback, accept() can return a plain tcp sk.
+In such case, sk is still tagged as 'kernel' and setsockopt will work.
+
+This will crash the kernel, The subflow extension has a NULL ctx->conn
+mptcp socket:
+
+BUG: KASAN: null-ptr-deref in subflow_data_ready+0x181/0x2b0
+Call Trace:
+ tcp_data_ready+0xf8/0x370
+ [..]
+
+Fixes: cf7da0d66cc1 ("mptcp: Create SUBFLOW socket for incoming connections")
+Signed-off-by: Florian Westphal
+Signed-off-by: Mat Martineau
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/mptcp/protocol.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c
+index 421fa62ce5cdf..fdff811c9a0da 100644
+--- a/net/mptcp/protocol.c
++++ b/net/mptcp/protocol.c
+@@ -2901,7 +2901,7 @@ static struct sock *mptcp_accept(struct sock *sk, int flags, int *err,
+ */
+ if (WARN_ON_ONCE(!new_mptcp_sock)) {
+ tcp_sk(newsk)->is_mptcp = 0;
+- return newsk;
++ goto out;
+ }
+
+ /* acquire the 2nd reference for the owning socket */
+@@ -2913,6 +2913,8 @@ static struct sock *mptcp_accept(struct sock *sk, int flags, int *err,
+ MPTCP_MIB_MPCAPABLEPASSIVEFALLBACK);
+ }
+
++out:
++ newsk->sk_kern_sock = kern;
+ return newsk;
+ }
+
+-- 
+2.33.0
+
diff --git a/queue-5.15/mptcp-fix-deadlock-in-__mptcp_push_pending.patch b/queue-5.15/mptcp-fix-deadlock-in-__mptcp_push_pending.patch
new file mode 100644
index 00000000000..069a31db40b
--- /dev/null
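Review bot: The `newsk->sk_kern_sock = kern;` assignment at the new `out:` label carries the whole fix but has no comment, and nothing at that site says why an accepted socket must not keep the kernel tag. I would add `/* accepted sockets are exposed to userspace: do not leave them tagged as kernel sockets, the "mptcp" ULP check relies on this flag */` above it. The label is also reached from the `WARN_ON_ONCE(!new_mptcp_sock)` branch and dereferences `newsk` unconditionally; the check that `newsk` is non-NULL must come from the part of `mptcp_accept()` outside these hunks.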
+++ b/queue-5.15/mptcp-fix-deadlock-in-__mptcp_push_pending.patch 
@@ -0,0 +1,77 @@ +From a68a2fae83720bf2376cbd99391d7b48bd77d072 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Dec 2021 15:16:03 -0800 +Subject: mptcp: fix deadlock in __mptcp_push_pending() + +From: Maxim Galaganov + +[ Upstream commit 3d79e3756ca90f7a6087b77b62c1d9c0801e0820 ] + +__mptcp_push_pending() may call mptcp_flush_join_list() with subflow +socket lock held. If such call hits mptcp_sockopt_sync_all() then +subsequently __mptcp_sockopt_sync() could try to lock the subflow +socket for itself, causing a deadlock. + +sysrq: Show Blocked State +task:ss-server state:D stack: 0 pid: 938 ppid: 1 flags:0x00000000 +Call Trace: + + __schedule+0x2d6/0x10c0 + ? __mod_memcg_state+0x4d/0x70 + ? csum_partial+0xd/0x20 + ? _raw_spin_lock_irqsave+0x26/0x50 + schedule+0x4e/0xc0 + __lock_sock+0x69/0x90 + ? do_wait_intr_irq+0xa0/0xa0 + __lock_sock_fast+0x35/0x50 + mptcp_sockopt_sync_all+0x38/0xc0 + __mptcp_push_pending+0x105/0x200 + mptcp_sendmsg+0x466/0x490 + sock_sendmsg+0x57/0x60 + __sys_sendto+0xf0/0x160 + ? do_wait_intr_irq+0xa0/0xa0 + ? fpregs_restore_userregs+0x12/0xd0 + __x64_sys_sendto+0x20/0x30 + do_syscall_64+0x38/0x90 + entry_SYSCALL_64_after_hwframe+0x44/0xae +RIP: 0033:0x7f9ba546c2d0 +RSP: 002b:00007ffdc3b762d8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c +RAX: ffffffffffffffda RBX: 00007f9ba56c8060 RCX: 00007f9ba546c2d0 +RDX: 000000000000077a RSI: 0000000000e5e180 RDI: 0000000000000234 +RBP: 0000000000cc57f0 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 00007f9ba56c8060 +R13: 0000000000b6ba60 R14: 0000000000cc7840 R15: 41d8685b1d7901b8 + + +Fix the issue by using __mptcp_flush_join_list() instead of plain +mptcp_flush_join_list() inside __mptcp_push_pending(), as suggested by +Florian. The sockopt sync will be deferred to the workqueue. 
+ +Fixes: 1b3e7ede1365 ("mptcp: setsockopt: handle SO_KEEPALIVE and SO_PRIORITY") +Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/244 +Suggested-by: Florian Westphal +Reviewed-by: Florian Westphal +Signed-off-by: Maxim Galaganov +Signed-off-by: Mat Martineau +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/mptcp/protocol.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c +index fdff811c9a0da..4c889552cde77 100644 +--- a/net/mptcp/protocol.c ++++ b/net/mptcp/protocol.c +@@ -1549,7 +1549,7 @@ void __mptcp_push_pending(struct sock *sk, unsigned int flags) + int ret = 0; + + prev_ssk = ssk; +- mptcp_flush_join_list(msk); ++ __mptcp_flush_join_list(msk); + ssk = mptcp_subflow_get_send(msk); + + /* First check. If the ssk has changed since +-- +2.33.0 + diff --git a/queue-5.15/mptcp-never-allow-the-pm-to-close-a-listener-subflow.patch b/queue-5.15/mptcp-never-allow-the-pm-to-close-a-listener-subflow.patch new file mode 100644 index 00000000000..7aea4d160a0 --- /dev/null +++ b/queue-5.15/mptcp-never-allow-the-pm-to-close-a-listener-subflow.patch 
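Review bot: The switch to `__mptcp_flush_join_list(msk)` in `__mptcp_push_pending()` encodes a locking rule that is only recorded in the commit message, namely that this call site can run with a subflow socket lock held. A one-line comment above the call, such as `/* may hold the ssk lock: must not sync sockopts here, the worker does it */`, would stop a later cleanup from restoring the plain helper and the deadlock with it. The loop this line sits in starts and ends outside the hunk.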
@@ -0,0 +1,96 @@ +From 49c896c9c7d30fa84a5e3b4bdfd0620d8164661e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 11 Dec 2021 17:11:12 +0100 +Subject: mptcp: never allow the PM to close a listener subflow + +From: Paolo Abeni + +[ Upstream commit b0cdc5dbcf2ba0d99785da5aabf1b17943805b8a ] + +Currently, when deleting an endpoint the netlink PM treverses +all the local MPTCP sockets, regardless of their status. + +If an MPTCP listener socket is bound to the IP matching the +delete endpoint, the listener TCP socket will be closed. +That is unexpected, the PM should only affect data subflows. + +Additionally, syzbot was able to trigger a NULL ptr dereference +due to the above: + +general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN +KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f] +CPU: 1 PID: 6550 Comm: syz-executor122 Not tainted 5.16.0-rc4-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +RIP: 0010:__lock_acquire+0xd7d/0x54a0 kernel/locking/lockdep.c:4897 +Code: 0f 0e 41 be 01 00 00 00 0f 86 c8 00 00 00 89 05 69 cc 0f 0e e9 bd 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 <80> 3c 02 00 0f 85 f3 2f 00 00 48 81 3b 20 75 17 8f 0f 84 52 f3 ff +RSP: 0018:ffffc90001f2f818 EFLAGS: 00010016 +RAX: dffffc0000000000 RBX: 0000000000000018 RCX: 0000000000000000 +RDX: 0000000000000003 RSI: 0000000000000000 RDI: 0000000000000001 +RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001 +R10: 0000000000000000 R11: 000000000000000a R12: 0000000000000000 +R13: ffff88801b98d700 R14: 0000000000000000 R15: 0000000000000001 +FS: 00007f177cd3d700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f177cd1b268 CR3: 000000001dd55000 CR4: 0000000000350ee0 +Call Trace: + + lock_acquire kernel/locking/lockdep.c:5637 [inline] + lock_acquire+0x1ab/0x510 
kernel/locking/lockdep.c:5602 + __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] + _raw_spin_lock_irqsave+0x39/0x50 kernel/locking/spinlock.c:162 + finish_wait+0xc0/0x270 kernel/sched/wait.c:400 + inet_csk_wait_for_connect net/ipv4/inet_connection_sock.c:464 [inline] + inet_csk_accept+0x7de/0x9d0 net/ipv4/inet_connection_sock.c:497 + mptcp_accept+0xe5/0x500 net/mptcp/protocol.c:2865 + inet_accept+0xe4/0x7b0 net/ipv4/af_inet.c:739 + mptcp_stream_accept+0x2e7/0x10e0 net/mptcp/protocol.c:3345 + do_accept+0x382/0x510 net/socket.c:1773 + __sys_accept4_file+0x7e/0xe0 net/socket.c:1816 + __sys_accept4+0xb0/0x100 net/socket.c:1846 + __do_sys_accept net/socket.c:1864 [inline] + __se_sys_accept net/socket.c:1861 [inline] + __x64_sys_accept+0x71/0xb0 net/socket.c:1861 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae +RIP: 0033:0x7f177cd8b8e9 +Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f177cd3d308 EFLAGS: 00000246 ORIG_RAX: 000000000000002b +RAX: ffffffffffffffda RBX: 00007f177ce13408 RCX: 00007f177cd8b8e9 +RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 +RBP: 00007f177ce13400 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 00007f177ce1340c +R13: 00007f177cde1004 R14: 6d705f706374706d R15: 0000000000022000 + + +Fix the issue explicitly skipping MPTCP socket in TCP_LISTEN +status. 
+ +Reported-and-tested-by: syzbot+e4d843bb96a9431e6331@syzkaller.appspotmail.com +Reviewed-by: Mat Martineau +Fixes: 740d798e8767 ("mptcp: remove id 0 address") +Signed-off-by: Paolo Abeni +Link: https://lore.kernel.org/r/ebc7594cdd420d241fb2172ddb8542ba64717657.1639238695.git.pabeni@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/mptcp/pm_netlink.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/mptcp/pm_netlink.c b/net/mptcp/pm_netlink.c +index 050eea231528b..b79251a36dcbc 100644 +--- a/net/mptcp/pm_netlink.c ++++ b/net/mptcp/pm_netlink.c +@@ -700,6 +700,9 @@ static void mptcp_pm_nl_rm_addr_or_subflow(struct mptcp_sock *msk, + + msk_owned_by_me(msk); + ++ if (sk->sk_state == TCP_LISTEN) ++ return; ++ + if (!rm_list->nr) + return; + +-- +2.33.0 + diff --git a/queue-5.15/mptcp-remove-tcp-ulp-setsockopt-support.patch b/queue-5.15/mptcp-remove-tcp-ulp-setsockopt-support.patch new file mode 100644 index 00000000000..60f2d235da9 --- /dev/null +++ b/queue-5.15/mptcp-remove-tcp-ulp-setsockopt-support.patch 
@@ -0,0 +1,51 @@
+From c76a95ca76c5b679ea865f163c52a6d1efda9181 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 14 Dec 2021 15:16:01 -0800
+Subject: mptcp: remove tcp ulp setsockopt support
+
+From: Florian Westphal
+
+[ Upstream commit 404cd9a22150f24acf23a8df2ad0c094ba379f57 ]
+
+TCP_ULP setsockopt cannot be used for mptcp because its already
+used internally to plumb subflow (tcp) sockets to the mptcp layer.
+
+syzbot managed to trigger a crash for mptcp connections that are
+in fallback mode:
+
+KASAN: null-ptr-deref in range [0x0000000000000020-0x0000000000000027]
+CPU: 1 PID: 1083 Comm: syz-executor.3 Not tainted 5.16.0-rc2-syzkaller #0
+RIP: 0010:tls_build_proto net/tls/tls_main.c:776 [inline]
+[..]
+ __tcp_set_ulp net/ipv4/tcp_ulp.c:139 [inline]
+ tcp_set_ulp+0x428/0x4c0 net/ipv4/tcp_ulp.c:160
+ do_tcp_setsockopt+0x455/0x37c0 net/ipv4/tcp.c:3391
+ mptcp_setsockopt+0x1b47/0x2400 net/mptcp/sockopt.c:638
+
+Remove support for TCP_ULP setsockopt.
+
+Fixes: d9e4c1291810 ("mptcp: only admit explicitly supported sockopt")
+Reported-by: syzbot+1fd9b69cde42967d1add@syzkaller.appspotmail.com
+Signed-off-by: Florian Westphal
+Signed-off-by: Mat Martineau
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/mptcp/sockopt.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/net/mptcp/sockopt.c b/net/mptcp/sockopt.c
+index 8c03afac5ca03..4bb305342fcc7 100644
+--- a/net/mptcp/sockopt.c
++++ b/net/mptcp/sockopt.c
+@@ -523,7 +523,6 @@ static bool mptcp_supported_sockopt(int level, int optname)
+ case TCP_NODELAY:
+ case TCP_THIN_LINEAR_TIMEOUTS:
+ case TCP_CONGESTION:
+- case TCP_ULP:
+ case TCP_CORK:
+ case TCP_KEEPIDLE:
+ case TCP_KEEPINTVL:
+-- 
+2.33.0
+
diff --git a/queue-5.15/net-dsa-mv88e6xxx-unforce-speed-duplex-in-mac_link_d.patch b/queue-5.15/net-dsa-mv88e6xxx-unforce-speed-duplex-in-mac_link_d.patch
new file mode 100644
index 00000000000..f83fc991e8f
--- /dev/null
+++ b/queue-5.15/net-dsa-mv88e6xxx-unforce-speed-duplex-in-mac_link_d.patch
@@ -0,0 +1,51 @@
+From 8b105520c0ce92864b4d1d4b547db87ef1a52d58 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 11 Dec 2021 23:51:41 +0100
+Subject: net: dsa: mv88e6xxx: Unforce speed & duplex in mac_link_down()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Marek Behún
+
+[ Upstream commit 9d591fc028b6bddb38c6585874f331267cbdadae ]
+
+Commit 64d47d50be7a ("net: dsa: mv88e6xxx: configure interface settings
+in mac_config") removed forcing of speed and duplex from
+mv88e6xxx_mac_config(), where the link is forced down, and left it only
+in mv88e6xxx_mac_link_up(), by which time link is unforced.
+
+It seems that (at least on 88E6190) when changing cmode to 2500base-x,
+if the link is not forced down, but the speed or duplex are still
+forced, the forcing of new settings for speed & duplex doesn't take in
+mv88e6xxx_mac_link_up().
+
+Fix this by unforcing speed & duplex in mv88e6xxx_mac_link_down().
+
+Fixes: 64d47d50be7a ("net: dsa: mv88e6xxx: configure interface settings in mac_config")
+Signed-off-by: Marek Behún
+Reviewed-by: Russell King (Oracle)
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/dsa/mv88e6xxx/chip.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c
+index a31cc0ab7c625..43d126628610b 100644
+--- a/drivers/net/dsa/mv88e6xxx/chip.c
++++ b/drivers/net/dsa/mv88e6xxx/chip.c
+@@ -769,6 +769,10 @@ static void mv88e6xxx_mac_link_down(struct dsa_switch *ds, int port,
+ if ((!mv88e6xxx_port_ppu_updates(chip, port) ||
+ mode == MLO_AN_FIXED) && ops->port_sync_link)
+ err = ops->port_sync_link(chip, port, mode, false);
++
++ if (!err && ops->port_set_speed_duplex)
++ err = ops->port_set_speed_duplex(chip, port, SPEED_UNFORCED,
++ DUPLEX_UNFORCED);
+ mv88e6xxx_reg_unlock(chip);
+
+ if (err)
+-- 
+2.33.0
+
diff --git a/queue-5.15/net-fix-double-0x-prefix-print-in-skb-dump.patch b/queue-5.15/net-fix-double-0x-prefix-print-in-skb-dump.patch
new file mode 100644
index 00000000000..2986eebe0b1
--- /dev/null
+++ b/queue-5.15/net-fix-double-0x-prefix-print-in-skb-dump.patch
@@ -0,0 +1,36 @@
+From b8d5fbecb0cbb6ffb62a9c565e7099f4ee901ba2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 16 Dec 2021 11:28:25 +0200
+Subject: net: Fix double 0x prefix print in SKB dump
+
+From: Gal Pressman
+
+[ Upstream commit 8a03ef676ade55182f9b05115763aeda6dc08159 ]
+
+When printing netdev features %pNF already takes care of the 0x prefix,
+remove the explicit one.
+
+Fixes: 6413139dfc64 ("skbuff: increase verbosity when dumping skb data")
+Signed-off-by: Gal Pressman
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/core/skbuff.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/core/skbuff.c b/net/core/skbuff.c
+index 38d7dee4bbe9e..f7e003571a356 100644
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -832,7 +832,7 @@ void skb_dump(const char *level, const struct sk_buff *skb, bool full_pkt)
+ ntohs(skb->protocol), skb->pkt_type, skb->skb_iif);
+
+ if (dev)
+- printk("%sdev name=%s feat=0x%pNF\n",
++ printk("%sdev name=%s feat=%pNF\n",
+ level, dev->name, &dev->features);
+ if (sk)
+ printk("%ssk family=%hu type=%u proto=%u\n",
+-- 
+2.33.0
+
diff --git a/queue-5.15/net-hns3-fix-race-condition-in-debugfs.patch b/queue-5.15/net-hns3-fix-race-condition-in-debugfs.patch
new file mode 100644
index 00000000000..04ac9ad5d24
--- /dev/null
+++ b/queue-5.15/net-hns3-fix-race-condition-in-debugfs.patch
@@ -0,0 +1,117 @@ +From d5235c55cf1584f16ad517c71ab1ac12fc88a462 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Dec 2021 21:09:34 +0800 +Subject: net: hns3: fix race condition in debugfs + +From: Yufeng Mo + +[ Upstream commit 6dde452bceca3f2ed2b33bc46a16ff5682a03a2e ] + +When multiple threads concurrently access the debugfs content, data +and pointer exceptions may occur. Therefore, mutex lock protection is +added for debugfs. + +Fixes: 5e69ea7ee2a6 ("net: hns3: refactor the debugfs process") +Signed-off-by: Yufeng Mo +Signed-off-by: Guangbin Huang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hnae3.h | 2 ++ + .../ethernet/hisilicon/hns3/hns3_debugfs.c | 20 +++++++++++++------ + 2 files changed, 16 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hnae3.h b/drivers/net/ethernet/hisilicon/hns3/hnae3.h +index d701451596c82..47bba4c62f040 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hnae3.h ++++ b/drivers/net/ethernet/hisilicon/hns3/hnae3.h +@@ -830,6 +830,8 @@ struct hnae3_handle { + + u8 netdev_flags; + struct dentry *hnae3_dbgfs; ++ /* protects concurrent contention between debugfs commands */ ++ struct mutex dbgfs_lock; + + /* Network interface message level enabled bits */ + u32 msg_enable; +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c +index e54f96251fea9..3205849bdb95b 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c +@@ -1021,6 +1021,7 @@ static ssize_t hns3_dbg_read(struct file *filp, char __user *buffer, + if (ret) + return ret; + ++ mutex_lock(&handle->dbgfs_lock); + save_buf = &hns3_dbg_cmd[index].buf; + + if (!test_bit(HNS3_NIC_STATE_INITED, &priv->state) || +@@ -1033,15 +1034,15 @@ static ssize_t hns3_dbg_read(struct file *filp, char __user *buffer, + read_buf = *save_buf; + } else { + read_buf = 
kvzalloc(hns3_dbg_cmd[index].buf_len, GFP_KERNEL); +- if (!read_buf) +- return -ENOMEM; ++ if (!read_buf) { ++ ret = -ENOMEM; ++ goto out; ++ } + + /* save the buffer addr until the last read operation */ + *save_buf = read_buf; +- } + +- /* get data ready for the first time to read */ +- if (!*ppos) { ++ /* get data ready for the first time to read */ + ret = hns3_dbg_read_cmd(dbg_data, hns3_dbg_cmd[index].cmd, + read_buf, hns3_dbg_cmd[index].buf_len); + if (ret) +@@ -1050,8 +1051,10 @@ static ssize_t hns3_dbg_read(struct file *filp, char __user *buffer, + + size = simple_read_from_buffer(buffer, count, ppos, read_buf, + strlen(read_buf)); +- if (size > 0) ++ if (size > 0) { ++ mutex_unlock(&handle->dbgfs_lock); + return size; ++ } + + out: + /* free the buffer for the last read operation */ +@@ -1060,6 +1063,7 @@ static ssize_t hns3_dbg_read(struct file *filp, char __user *buffer, + *save_buf = NULL; + } + ++ mutex_unlock(&handle->dbgfs_lock); + return ret; + } + +@@ -1132,6 +1136,8 @@ int hns3_dbg_init(struct hnae3_handle *handle) + debugfs_create_dir(hns3_dbg_dentry[i].name, + handle->hnae3_dbgfs); + ++ mutex_init(&handle->dbgfs_lock); ++ + for (i = 0; i < ARRAY_SIZE(hns3_dbg_cmd); i++) { + if ((hns3_dbg_cmd[i].cmd == HNAE3_DBG_CMD_TM_NODES && + ae_dev->dev_version <= HNAE3_DEVICE_VERSION_V2) || +@@ -1158,6 +1164,7 @@ int hns3_dbg_init(struct hnae3_handle *handle) + return 0; + + out: ++ mutex_destroy(&handle->dbgfs_lock); + debugfs_remove_recursive(handle->hnae3_dbgfs); + handle->hnae3_dbgfs = NULL; + return ret; +@@ -1173,6 +1180,7 @@ void hns3_dbg_uninit(struct hnae3_handle *handle) + hns3_dbg_cmd[i].buf = NULL; + } + ++ mutex_destroy(&handle->dbgfs_lock); + debugfs_remove_recursive(handle->hnae3_dbgfs); + handle->hnae3_dbgfs = NULL; + } +-- +2.33.0 + diff --git a/queue-5.15/net-hns3-fix-use-after-free-bug-in-hclgevf_send_mbx_.patch b/queue-5.15/net-hns3-fix-use-after-free-bug-in-hclgevf_send_mbx_.patch new file mode 100644 index 00000000000..f0fa57d0b8b 
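Review bot: The new `handle->dbgfs_lock` is per handle, but the buffer it guards is reached through `hns3_dbg_cmd[index].buf`, which is indexed only by command and looks like a table shared by every handle, so reads on two devices can still race on the same `*save_buf`; keeping the buffers per handle, or using one file-scope mutex, would close that. Separately, in `hns3_dbg_uninit()` and on the `out:` path of `hns3_dbg_init()` the mutex is destroyed before `debugfs_remove_recursive(handle->hnae3_dbgfs);`, while the files can still be opened and read. Moving `mutex_destroy(&handle->dbgfs_lock);` after the removal avoids a reader taking a destroyed mutex. The definition of `hns3_dbg_cmd` and the buffer-freeing loop in `hns3_dbg_uninit()` are outside the hunks, so both points should be confirmed against the full file.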
--- /dev/null
+++ b/queue-5.15/net-hns3-fix-use-after-free-bug-in-hclgevf_send_mbx_.patch
@@ -0,0 +1,43 @@
+From bd5b1e48bdd2fe7ab7ee311b52a9ccfa9dadc12a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 10 Dec 2021 21:09:33 +0800
+Subject: net: hns3: fix use-after-free bug in hclgevf_send_mbx_msg
+
+From: Jie Wang
+
+[ Upstream commit 27cbf64a766e86f068ce6214f04c00ceb4db1af4 ]
+
+Currently, the hns3_remove function firstly uninstall client instance,
+and then uninstall acceletion engine device. The netdevice is freed in
+client instance uninstall process, but acceletion engine device uninstall
+process still use it to trace runtime information. This causes a use after
+free problem.
+
+So fixes it by check the instance register state to avoid use after free.
+
+Fixes: d8355240cf8f ("net: hns3: add trace event support for PF/VF mailbox")
+Signed-off-by: Jie Wang
+Signed-off-by: Guangbin Huang
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_mbx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_mbx.c b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_mbx.c
+index fdc66fae09601..c5ac6ecf36e10 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_mbx.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_mbx.c
+@@ -114,7 +114,8 @@ int hclgevf_send_mbx_msg(struct hclgevf_dev *hdev,
+
+ memcpy(&req->msg, send_msg, sizeof(struct hclge_vf_to_pf_msg));
+
+- trace_hclge_vf_mbx_send(hdev, req);
++ if (test_bit(HCLGEVF_STATE_NIC_REGISTERED, &hdev->state))
++ trace_hclge_vf_mbx_send(hdev, req);
+
+ /* synchronous send */
+ if (need_resp) {
+-- 
+2.33.0
+
diff --git a/queue-5.15/net-packet-rx_owner_map-depends-on-pg_vec.patch b/queue-5.15/net-packet-rx_owner_map-depends-on-pg_vec.patch
new file mode 100644
index 00000000000..46fd6c3f0a3
--- /dev/null
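Review bot: The `test_bit(HCLGEVF_STATE_NIC_REGISTERED, &hdev->state)` guard in front of `trace_hclge_vf_mbx_send(hdev, req)` is a check-then-use with nothing visible that keeps the bit set across the call, so an uninstall that clears the bit and frees the netdev between the two lines would still reach the freed object. Whether the removal path is serialized against mailbox sends cannot be seen from this hunk. If it is, a comment saying so would record the assumption, e.g. `/* netdev is freed on client uninstall; only trace while the NIC client is registered */`. The rest of `hclgevf_send_mbx_msg()` is outside the hunk.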
+++ b/queue-5.15/net-packet-rx_owner_map-depends-on-pg_vec.patch
@@ -0,0 +1,46 @@
+From 0b057ccfaa19d2bcf7cd2de44ebfed33a00c07ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 15 Dec 2021 09:39:37 -0500
+Subject: net/packet: rx_owner_map depends on pg_vec
+
+From: Willem de Bruijn
+
+[ Upstream commit ec6af094ea28f0f2dda1a6a33b14cd57e36a9755 ]
+
+Packet sockets may switch ring versions. Avoid misinterpreting state
+between versions, whose fields share a union. rx_owner_map is only
+allocated with a packet ring (pg_vec) and both are swapped together.
+If pg_vec is NULL, meaning no packet ring was allocated, then neither
+was rx_owner_map. And the field may be old state from a tpacket_v3.
+
+Fixes: 61fad6816fc1 ("net/packet: tpacket_rcv: avoid a producer race condition")
+Reported-by: Syzbot
+Signed-off-by: Willem de Bruijn
+Reviewed-by: Eric Dumazet
+Link: https://lore.kernel.org/r/20211215143937.106178-1-willemdebruijn.kernel@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/packet/af_packet.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index 2a2bc64f75cfd..1bc7ef49e1487 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -4457,9 +4457,10 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
+ }
+
+ out_free_pg_vec:
+- bitmap_free(rx_owner_map);
+- if (pg_vec)
++ if (pg_vec) {
++ bitmap_free(rx_owner_map);
+ free_pg_vec(pg_vec, order, req->tp_block_nr);
++ }
+ out:
+ return err;
+ }
+-- 
+2.33.0
+
diff --git a/queue-5.15/net-sched-sch_ets-don-t-remove-idle-classes-from-the.patch b/queue-5.15/net-sched-sch_ets-don-t-remove-idle-classes-from-the.patch
new file mode 100644
index 00000000000..3beb63b1945
--- /dev/null
+++ b/queue-5.15/net-sched-sch_ets-don-t-remove-idle-classes-from-the.patch
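Review bot: The cleanup at `out_free_pg_vec:` now depends on an invariant that is stated only in the commit message: `rx_owner_map` is meaningful only when `pg_vec` is non-NULL, because the field shares a union with tpacket_v3 state. A comment at the label would keep a later edit from hoisting `bitmap_free(rx_owner_map);` back out of the `if (pg_vec)` block and freeing a stale pointer, for example `/* rx_owner_map is only valid alongside pg_vec; otherwise it may alias old v3 ring state */`. `packet_set_ring()` starts outside the hunk, so where the two values are swapped in cannot be checked from here.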
@@ -0,0 +1,109 @@ +From dc0e81fea2b81a734525bda1bc5afb3ed38767e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Dec 2021 17:42:47 +0100 +Subject: net/sched: sch_ets: don't remove idle classes from the round-robin + list + +From: Davide Caratti + +[ Upstream commit c062f2a0b04d86c5b8c9d973bea43493eaca3d32 ] + +Shuang reported that the following script: + + 1) tc qdisc add dev ddd0 handle 10: parent 1: ets bands 8 strict 4 priomap 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 + 2) mausezahn ddd0 -A 10.10.10.1 -B 10.10.10.2 -c 0 -a own -b 00:c1:a0:c1:a0:00 -t udp & + 3) tc qdisc change dev ddd0 handle 10: ets bands 4 strict 2 quanta 2500 2500 priomap 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 + +crashes systematically when line 2) is commented: + + list_del corruption, ffff8e028404bd30->next is LIST_POISON1 (dead000000000100) + ------------[ cut here ]------------ + kernel BUG at lib/list_debug.c:47! + invalid opcode: 0000 [#1] PREEMPT SMP NOPTI + CPU: 0 PID: 954 Comm: tc Not tainted 5.16.0-rc4+ #478 + Hardware name: Red Hat KVM, BIOS 1.11.1-4.module+el8.1.0+4066+0f1aadab 04/01/2014 + RIP: 0010:__list_del_entry_valid.cold.1+0x12/0x47 + Code: fe ff 0f 0b 48 89 c1 4c 89 c6 48 c7 c7 08 42 1b 87 e8 1d c5 fe ff 0f 0b 48 89 fe 48 89 c2 48 c7 c7 98 42 1b 87 e8 09 c5 fe ff <0f> 0b 48 c7 c7 48 43 1b 87 e8 fb c4 fe ff 0f 0b 48 89 f2 48 89 fe + RSP: 0018:ffffae46807a3888 EFLAGS: 00010246 + RAX: 000000000000004e RBX: 0000000000000007 RCX: 0000000000000202 + RDX: 0000000000000000 RSI: ffffffff871ac536 RDI: 00000000ffffffff + RBP: ffffae46807a3a10 R08: 0000000000000000 R09: c0000000ffff7fff + R10: 0000000000000001 R11: ffffae46807a36a8 R12: ffff8e028404b800 + R13: ffff8e028404bd30 R14: dead000000000100 R15: ffff8e02fafa2400 + FS: 00007efdc92e4480(0000) GS:ffff8e02fb600000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000000682f48 CR3: 00000001058be000 CR4: 0000000000350ef0 + Call Trace: + + ets_qdisc_change+0x58b/0xa70 [sch_ets] + 
tc_modify_qdisc+0x323/0x880 + rtnetlink_rcv_msg+0x169/0x4a0 + netlink_rcv_skb+0x50/0x100 + netlink_unicast+0x1a5/0x280 + netlink_sendmsg+0x257/0x4d0 + sock_sendmsg+0x5b/0x60 + ____sys_sendmsg+0x1f2/0x260 + ___sys_sendmsg+0x7c/0xc0 + __sys_sendmsg+0x57/0xa0 + do_syscall_64+0x3a/0x80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + RIP: 0033:0x7efdc8031338 + Code: 89 02 48 c7 c0 ff ff ff ff eb b5 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 8d 05 25 43 2c 00 8b 00 85 c0 75 17 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 41 54 41 89 d4 55 + RSP: 002b:00007ffdf1ce9828 EFLAGS: 00000246 ORIG_RAX: 000000000000002e + RAX: ffffffffffffffda RBX: 0000000061b37a97 RCX: 00007efdc8031338 + RDX: 0000000000000000 RSI: 00007ffdf1ce9890 RDI: 0000000000000003 + RBP: 0000000000000000 R08: 0000000000000001 R09: 000000000078a940 + R10: 000000000000000c R11: 0000000000000246 R12: 0000000000000001 + R13: 0000000000688880 R14: 0000000000000000 R15: 0000000000000000 + + Modules linked in: sch_ets sch_tbf dummy rfkill iTCO_wdt iTCO_vendor_support intel_rapl_msr intel_rapl_common joydev pcspkr i2c_i801 virtio_balloon i2c_smbus lpc_ich ip_tables xfs libcrc32c crct10dif_pclmul crc32_pclmul crc32c_intel serio_raw ghash_clmulni_intel ahci libahci libata virtio_blk virtio_console virtio_net net_failover failover sunrpc dm_mirror dm_region_hash dm_log dm_mod [last unloaded: sch_ets] + ---[ end trace f35878d1912655c2 ]--- + RIP: 0010:__list_del_entry_valid.cold.1+0x12/0x47 + Code: fe ff 0f 0b 48 89 c1 4c 89 c6 48 c7 c7 08 42 1b 87 e8 1d c5 fe ff 0f 0b 48 89 fe 48 89 c2 48 c7 c7 98 42 1b 87 e8 09 c5 fe ff <0f> 0b 48 c7 c7 48 43 1b 87 e8 fb c4 fe ff 0f 0b 48 89 f2 48 89 fe + RSP: 0018:ffffae46807a3888 EFLAGS: 00010246 + RAX: 000000000000004e RBX: 0000000000000007 RCX: 0000000000000202 + RDX: 0000000000000000 RSI: ffffffff871ac536 RDI: 00000000ffffffff + RBP: ffffae46807a3a10 R08: 0000000000000000 R09: c0000000ffff7fff + R10: 0000000000000001 R11: ffffae46807a36a8 R12: ffff8e028404b800 + 
R13: ffff8e028404bd30 R14: dead000000000100 R15: ffff8e02fafa2400 + FS: 00007efdc92e4480(0000) GS:ffff8e02fb600000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000000682f48 CR3: 00000001058be000 CR4: 0000000000350ef0 + Kernel panic - not syncing: Fatal exception in interrupt + Kernel Offset: 0x4e00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) + ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]--- + +we can remove 'q->classes[i].alist' only if DRR class 'i' was part of the +active list. In the ETS scheduler DRR classes belong to that list only if +the queue length is greater than zero: we need to test for non-zero value +of 'q->classes[i].qdisc->q.qlen' before removing from the list, similarly +to what has been done elsewhere in the ETS code. + +Fixes: de6d25924c2a ("net/sched: sch_ets: don't peek at classes beyond 'nbands'") +Reported-by: Shuang Li +Signed-off-by: Davide Caratti +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sched/sch_ets.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/sched/sch_ets.c b/net/sched/sch_ets.c +index 92a686807971b..44fa2532a87c0 100644 +--- a/net/sched/sch_ets.c ++++ b/net/sched/sch_ets.c +@@ -668,9 +668,9 @@ static int ets_qdisc_change(struct Qdisc *sch, struct nlattr *opt, + } + } + for (i = q->nbands; i < oldbands; i++) { +- qdisc_tree_flush_backlog(q->classes[i].qdisc); +- if (i >= q->nstrict) ++ if (i >= q->nstrict && q->classes[i].qdisc->q.qlen) + list_del(&q->classes[i].alist); ++ qdisc_tree_flush_backlog(q->classes[i].qdisc); + } + q->nstrict = nstrict; + memcpy(q->prio2band, priomap, sizeof(priomap)); +-- +2.33.0 + diff --git a/queue-5.15/net-smc-prevent-smc_release-from-long-blocking.patch b/queue-5.15/net-smc-prevent-smc_release-from-long-blocking.patch new file mode 100644 index 00000000000..272c4d967a2 --- /dev/null 
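Review bot: The `list_del(&q->classes[i].alist)` in `ets_qdisc_change()` is now gated on `q->classes[i].qdisc->q.qlen`, so list membership is inferred from the queue length rather than from the list node, and `list_del()` leaves the node poisoned; any path where the two disagree brings back the list corruption shown in the report. A more robust form, assuming every class's `alist` is set up with `INIT_LIST_HEAD()` (not visible here), is to test `!list_empty(&q->classes[i].alist)` and remove with `list_del_init()`. The loop also compares against `q->nstrict` before the `q->nstrict = nstrict;` assignment that follows it, which deserves a short comment saying the old value is intended. The function starts and ends outside the hunk.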
+++ b/queue-5.15/net-smc-prevent-smc_release-from-long-blocking.patch 
@@ -0,0 +1,84 @@ +From 3d2b66853724fc7306cad991cfd9091a2983badb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Dec 2021 20:29:21 +0800 +Subject: net/smc: Prevent smc_release() from long blocking +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: D. Wythe + +[ Upstream commit 5c15b3123f65f8fbb1b445d9a7e8812e0e435df2 ] + +In nginx/wrk benchmark, there's a hung problem with high probability +on case likes that: (client will last several minutes to exit) + +server: smc_run nginx + +client: smc_run wrk -c 10000 -t 1 http://server + +Client hangs with the following backtrace: + +0 [ffffa7ce8Of3bbf8] __schedule at ffffffff9f9eOd5f +1 [ffffa7ce8Of3bc88] schedule at ffffffff9f9eløe6 +2 [ffffa7ce8Of3bcaO] schedule_timeout at ffffffff9f9e3f3c +3 [ffffa7ce8Of3bd2O] wait_for_common at ffffffff9f9el9de +4 [ffffa7ce8Of3bd8O] __flush_work at ffffffff9fOfeOl3 +5 [ffffa7ce8øf3bdfO] smc_release at ffffffffcO697d24 [smc] +6 [ffffa7ce8Of3be2O] __sock_release at ffffffff9f8O2e2d +7 [ffffa7ce8Of3be4ø] sock_close at ffffffff9f8ø2ebl +8 [ffffa7ce8øf3be48] __fput at ffffffff9f334f93 +9 [ffffa7ce8Of3be78] task_work_run at ffffffff9flOlff5 +10 [ffffa7ce8Of3beaO] do_exit at ffffffff9fOe5Ol2 +11 [ffffa7ce8Of3bflO] do_group_exit at ffffffff9fOe592a +12 [ffffa7ce8Of3bf38] __x64_sys_exit_group at ffffffff9fOe5994 +13 [ffffa7ce8Of3bf4O] do_syscall_64 at ffffffff9f9d4373 +14 [ffffa7ce8Of3bfsO] entry_SYSCALL_64_after_hwframe at ffffffff9fa0007c + +This issue dues to flush_work(), which is used to wait for +smc_connect_work() to finish in smc_release(). Once lots of +smc_connect_work() was pending or all executing work dangling, +smc_release() has to block until one worker comes to free, which +is equivalent to wait another smc_connnect_work() to finish. + +In order to fix this, There are two changes: + +1. For those idle smc_connect_work(), cancel it from the workqueue; for + executing smc_connect_work(), waiting for it to finish. 
For that + purpose, replace flush_work() with cancel_work_sync(). + +2. Since smc_connect() hold a reference for passive closing, if + smc_connect_work() has been cancelled, release the reference. + +Fixes: 24ac3a08e658 ("net/smc: rebuild nonblocking connect") +Reported-by: Tony Lu +Tested-by: Dust Li +Reviewed-by: Dust Li +Reviewed-by: Tony Lu +Signed-off-by: D. Wythe +Acked-by: Karsten Graul +Link: https://lore.kernel.org/r/1639571361-101128-1-git-send-email-alibuda@linux.alibaba.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/smc/af_smc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c +index 06e4a07bdcdc1..eea6d4a854e90 100644 +--- a/net/smc/af_smc.c ++++ b/net/smc/af_smc.c +@@ -193,7 +193,9 @@ static int smc_release(struct socket *sock) + /* cleanup for a dangling non-blocking connect */ + if (smc->connect_nonblock && sk->sk_state == SMC_INIT) + tcp_abort(smc->clcsock->sk, ECONNABORTED); +- flush_work(&smc->connect_work); ++ ++ if (cancel_work_sync(&smc->connect_work)) ++ sock_put(&smc->sk); /* sock_hold in smc_connect for passive closing */ + + if (sk->sk_state == SMC_LISTEN) + /* smc_close_non_accepted() is called and acquires +-- +2.33.0 + diff --git a/queue-5.15/net-stmmac-dwmac-rk-fix-oob-read-in-rk_gmac_setup.patch b/queue-5.15/net-stmmac-dwmac-rk-fix-oob-read-in-rk_gmac_setup.patch new file mode 100644 index 00000000000..8adb1ed2063 --- /dev/null +++ b/queue-5.15/net-stmmac-dwmac-rk-fix-oob-read-in-rk_gmac_setup.patch 
@@ -0,0 +1,62 @@ +From f0d6775ee75665c31683842302d3035ac3762183 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Dec 2021 19:10:09 +0000 +Subject: net: stmmac: dwmac-rk: fix oob read in rk_gmac_setup + +From: John Keeping + +[ Upstream commit 0546b224cc7717cc8a2db076b0bb069a9c430794 ] + +KASAN reports an out-of-bounds read in rk_gmac_setup on the line: + + while (ops->regs[i]) { + +This happens for most platforms since the regs flexible array member is +empty, so the memory after the ops structure is being read here. It +seems that mostly this happens to contain zero anyway, so we get lucky +and everything still works. + +To avoid adding redundant data to nearly all the ops structures, add a +new flag to indicate whether the regs field is valid and avoid this loop +when it is not. + +Fixes: 3bb3d6b1c195 ("net: stmmac: Add RK3566/RK3568 SoC support") +Signed-off-by: John Keeping +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/dwmac-rk.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-rk.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-rk.c +index 6924a6aacbd53..c469abc91fa1b 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-rk.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-rk.c +@@ -33,6 +33,7 @@ struct rk_gmac_ops { + void (*set_rgmii_speed)(struct rk_priv_data *bsp_priv, int speed); + void (*set_rmii_speed)(struct rk_priv_data *bsp_priv, int speed); + void (*integrated_phy_powerup)(struct rk_priv_data *bsp_priv); ++ bool regs_valid; + u32 regs[]; + }; + +@@ -1092,6 +1093,7 @@ static const struct rk_gmac_ops rk3568_ops = { + .set_to_rmii = rk3568_set_to_rmii, + .set_rgmii_speed = rk3568_set_gmac_speed, + .set_rmii_speed = rk3568_set_gmac_speed, ++ .regs_valid = true, + .regs = { + 0xfe2a0000, /* gmac0 */ + 0xfe010000, /* gmac1 */ +@@ -1383,7 +1385,7 @@ static struct rk_priv_data *rk_gmac_setup(struct platform_device *pdev, + * 
to be distinguished. + */ + res = platform_get_resource(pdev, IORESOURCE_MEM, 0); +- if (res) { ++ if (res && ops->regs_valid) { + int i = 0; + + while (ops->regs[i]) { +-- +2.33.0 + diff --git a/queue-5.15/net-stmmac-fix-tc-flower-deletion-for-vlan-priority-.patch b/queue-5.15/net-stmmac-fix-tc-flower-deletion-for-vlan-priority-.patch new file mode 100644 index 00000000000..bfffdd376d0 --- /dev/null +++ b/queue-5.15/net-stmmac-fix-tc-flower-deletion-for-vlan-priority-.patch 
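Review bot: The `while (ops->regs[i])` loop in rk_gmac_setup() is still bounded only by a zero entry in the flexible array, so the new `regs_valid` flag narrows the out-of-bounds read to any ops structure that sets the flag without a terminator rather than removing it. The rk3568_ops initializer is cut off after the gmac1 entry, so whether it ends in a 0 sentinel cannot be checked from this hunk. I would state the contract on the field, e.g. `bool regs_valid; /* regs[] is populated and 0-terminated */`, so that a future SoC entry does not bring the KASAN report back. rk_gmac_setup() continues outside the hunk.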
@@ -0,0 +1,259 @@ +From b3c06c0d9f832017e57042ac35e330a29d0f5ac4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 11 Dec 2021 22:51:34 +0800 +Subject: net: stmmac: fix tc flower deletion for VLAN priority Rx steering + +From: Ong Boon Leong + +[ Upstream commit aeb7c75cb77478fdbf821628e9c95c4baa9adc63 ] + +To replicate the issue:- + +1) Add 1 flower filter for VLAN Priority based frame steering:- +$ IFDEVNAME=eth0 +$ tc qdisc add dev $IFDEVNAME ingress +$ tc qdisc add dev $IFDEVNAME root mqprio num_tc 8 \ + map 0 1 2 3 4 5 6 7 0 0 0 0 0 0 0 0 \ + queues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 hw 0 +$ tc filter add dev $IFDEVNAME parent ffff: protocol 802.1Q \ + flower vlan_prio 0 hw_tc 0 + +2) Get the 'pref' id +$ tc filter show dev $IFDEVNAME ingress + +3) Delete a specific tc flower record (say pref 49151) +$ tc filter del dev $IFDEVNAME parent ffff: pref 49151 + +From dmesg, we will observe kernel NULL pointer ooops + +[ 197.170464] BUG: kernel NULL pointer dereference, address: 0000000000000000 +[ 197.171367] #PF: supervisor read access in kernel mode +[ 197.171367] #PF: error_code(0x0000) - not-present page +[ 197.171367] PGD 0 P4D 0 +[ 197.171367] Oops: 0000 [#1] PREEMPT SMP NOPTI + + + +[ 197.171367] RIP: 0010:tc_setup_cls+0x20b/0x4a0 [stmmac] + + + +[ 197.171367] Call Trace: +[ 197.171367] +[ 197.171367] ? __stmmac_disable_all_queues+0xa8/0xe0 [stmmac] +[ 197.171367] stmmac_setup_tc_block_cb+0x70/0x110 [stmmac] +[ 197.171367] tc_setup_cb_destroy+0xb3/0x180 +[ 197.171367] fl_hw_destroy_filter+0x94/0xc0 [cls_flower] + +The above issue is due to previous incorrect implementation of +tc_del_vlan_flow(), shown below, that uses flow_cls_offload_flow_rule() +to get struct flow_rule *rule which is no longer valid for tc filter +delete operation. 
+ + struct flow_rule *rule = flow_cls_offload_flow_rule(cls); + struct flow_dissector *dissector = rule->match.dissector; + +So, to ensure tc_del_vlan_flow() deletes the right VLAN cls record for +earlier configured RX queue (configured by hw_tc) in tc_add_vlan_flow(), +this patch introduces stmmac_rfs_entry as driver-side flow_cls_offload +record for 'RX frame steering' tc flower, currently used for VLAN +priority. The implementation has taken consideration for future extension +to include other type RX frame steering such as EtherType based. + +v2: + - Clean up overly extensive backtrace and rewrite git message to better + explain the kernel NULL pointer issue. + +Fixes: 0e039f5cf86c ("net: stmmac: add RX frame steering based on VLAN priority in tc flower") +Tested-by: Kurt Kanzenbach +Signed-off-by: Ong Boon Leong +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/stmmac.h | 17 ++++ + .../net/ethernet/stmicro/stmmac/stmmac_tc.c | 86 ++++++++++++++++--- + 2 files changed, 90 insertions(+), 13 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac.h b/drivers/net/ethernet/stmicro/stmmac/stmmac.h +index 5f129733aabd2..873b9e3e5da25 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac.h ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac.h +@@ -172,6 +172,19 @@ struct stmmac_flow_entry { + int is_l4; + }; + ++/* Rx Frame Steering */ ++enum stmmac_rfs_type { ++ STMMAC_RFS_T_VLAN, ++ STMMAC_RFS_T_MAX, ++}; ++ ++struct stmmac_rfs_entry { ++ unsigned long cookie; ++ int in_use; ++ int type; ++ int tc; ++}; ++ + struct stmmac_priv { + /* Frequently used values are kept adjacent for cache effect */ + u32 tx_coal_frames[MTL_MAX_TX_QUEUES]; +@@ -289,6 +302,10 @@ struct stmmac_priv { + struct stmmac_tc_entry *tc_entries; + unsigned int flow_entries_max; + struct stmmac_flow_entry *flow_entries; ++ unsigned int rfs_entries_max[STMMAC_RFS_T_MAX]; ++ unsigned int rfs_entries_cnt[STMMAC_RFS_T_MAX]; ++ 
unsigned int rfs_entries_total; ++ struct stmmac_rfs_entry *rfs_entries; + + /* Pulse Per Second output */ + struct stmmac_pps_cfg pps[STMMAC_PPS_MAX]; +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c +index 1c4ea0b1b845b..d0a2b289f4603 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c +@@ -232,11 +232,33 @@ static int tc_setup_cls_u32(struct stmmac_priv *priv, + } + } + ++static int tc_rfs_init(struct stmmac_priv *priv) ++{ ++ int i; ++ ++ priv->rfs_entries_max[STMMAC_RFS_T_VLAN] = 8; ++ ++ for (i = 0; i < STMMAC_RFS_T_MAX; i++) ++ priv->rfs_entries_total += priv->rfs_entries_max[i]; ++ ++ priv->rfs_entries = devm_kcalloc(priv->device, ++ priv->rfs_entries_total, ++ sizeof(*priv->rfs_entries), ++ GFP_KERNEL); ++ if (!priv->rfs_entries) ++ return -ENOMEM; ++ ++ dev_info(priv->device, "Enabled RFS Flow TC (entries=%d)\n", ++ priv->rfs_entries_total); ++ ++ return 0; ++} ++ + static int tc_init(struct stmmac_priv *priv) + { + struct dma_features *dma_cap = &priv->dma_cap; + unsigned int count; +- int i; ++ int ret, i; + + if (dma_cap->l3l4fnum) { + priv->flow_entries_max = dma_cap->l3l4fnum; +@@ -250,10 +272,14 @@ static int tc_init(struct stmmac_priv *priv) + for (i = 0; i < priv->flow_entries_max; i++) + priv->flow_entries[i].idx = i; + +- dev_info(priv->device, "Enabled Flow TC (entries=%d)\n", ++ dev_info(priv->device, "Enabled L3L4 Flow TC (entries=%d)\n", + priv->flow_entries_max); + } + ++ ret = tc_rfs_init(priv); ++ if (ret) ++ return -ENOMEM; ++ + if (!priv->plat->fpe_cfg) { + priv->plat->fpe_cfg = devm_kzalloc(priv->device, + sizeof(*priv->plat->fpe_cfg), +@@ -607,16 +633,45 @@ static int tc_del_flow(struct stmmac_priv *priv, + return ret; + } + ++static struct stmmac_rfs_entry *tc_find_rfs(struct stmmac_priv *priv, ++ struct flow_cls_offload *cls, ++ bool get_free) ++{ ++ int i; ++ ++ for (i = 0; i < priv->rfs_entries_total; 
i++) { ++ struct stmmac_rfs_entry *entry = &priv->rfs_entries[i]; ++ ++ if (entry->cookie == cls->cookie) ++ return entry; ++ if (get_free && entry->in_use == false) ++ return entry; ++ } ++ ++ return NULL; ++} ++ + #define VLAN_PRIO_FULL_MASK (0x07) + + static int tc_add_vlan_flow(struct stmmac_priv *priv, + struct flow_cls_offload *cls) + { ++ struct stmmac_rfs_entry *entry = tc_find_rfs(priv, cls, false); + struct flow_rule *rule = flow_cls_offload_flow_rule(cls); + struct flow_dissector *dissector = rule->match.dissector; + int tc = tc_classid_to_hwtc(priv->dev, cls->classid); + struct flow_match_vlan match; + ++ if (!entry) { ++ entry = tc_find_rfs(priv, cls, true); ++ if (!entry) ++ return -ENOENT; ++ } ++ ++ if (priv->rfs_entries_cnt[STMMAC_RFS_T_VLAN] >= ++ priv->rfs_entries_max[STMMAC_RFS_T_VLAN]) ++ return -ENOENT; ++ + /* Nothing to do here */ + if (!dissector_uses_key(dissector, FLOW_DISSECTOR_KEY_VLAN)) + return -EINVAL; +@@ -638,6 +693,12 @@ static int tc_add_vlan_flow(struct stmmac_priv *priv, + + prio = BIT(match.key->vlan_priority); + stmmac_rx_queue_prio(priv, priv->hw, prio, tc); ++ ++ entry->in_use = true; ++ entry->cookie = cls->cookie; ++ entry->tc = tc; ++ entry->type = STMMAC_RFS_T_VLAN; ++ priv->rfs_entries_cnt[STMMAC_RFS_T_VLAN]++; + } + + return 0; +@@ -646,20 +707,19 @@ static int tc_add_vlan_flow(struct stmmac_priv *priv, + static int tc_del_vlan_flow(struct stmmac_priv *priv, + struct flow_cls_offload *cls) + { +- struct flow_rule *rule = flow_cls_offload_flow_rule(cls); +- struct flow_dissector *dissector = rule->match.dissector; +- int tc = tc_classid_to_hwtc(priv->dev, cls->classid); ++ struct stmmac_rfs_entry *entry = tc_find_rfs(priv, cls, false); + +- /* Nothing to do here */ +- if (!dissector_uses_key(dissector, FLOW_DISSECTOR_KEY_VLAN)) +- return -EINVAL; ++ if (!entry || !entry->in_use || entry->type != STMMAC_RFS_T_VLAN) ++ return -ENOENT; + +- if (tc < 0) { +- netdev_err(priv->dev, "Invalid traffic class\n"); +- return 
-EINVAL; +- } ++ stmmac_rx_queue_prio(priv, priv->hw, 0, entry->tc); ++ ++ entry->in_use = false; ++ entry->cookie = 0; ++ entry->tc = 0; ++ entry->type = 0; + +- stmmac_rx_queue_prio(priv, priv->hw, 0, tc); ++ priv->rfs_entries_cnt[STMMAC_RFS_T_VLAN]--; + + return 0; + } +-- +2.33.0 + diff --git a/queue-5.15/net-systemport-add-global-locking-for-descriptor-lif.patch b/queue-5.15/net-systemport-add-global-locking-for-descriptor-lif.patch new file mode 100644 index 00000000000..64bb4c37c85 --- /dev/null +++ b/queue-5.15/net-systemport-add-global-locking-for-descriptor-lif.patch 
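Review bot: In tc_add_vlan_flow() the final `priv->rfs_entries_cnt[STMMAC_RFS_T_VLAN]++` runs even when the first tc_find_rfs(priv, cls, false) returned an entry that is already in use for the same cookie, so a repeated add would push the counter above the number of occupied slots and the capacity check would later return -ENOENT while slots are free. Whether the flower core can replay an add with an existing cookie is not visible here, but the guard is one line placed before `entry->in_use = true;`: `if (!entry->in_use) priv->rfs_entries_cnt[STMMAC_RFS_T_VLAN]++;`. tc_find_rfs() also matches on cookie alone, so a zeroed free slot matches a zero `cls->cookie`; tc_del_vlan_flow() rejects that through its `in_use` test, and a short comment on the helper saying callers must check `in_use` would make the dependency explicit. Separately, tc_init() throws away the helper's result with `return -ENOMEM;` where `return ret;` would propagate it.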
@@ -0,0 +1,94 @@ +From 81f0b4faac4b0ba192f9cfa15c689a63d9ebb676 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Dec 2021 12:24:49 -0800 +Subject: net: systemport: Add global locking for descriptor lifecycle + +From: Florian Fainelli + +[ Upstream commit 8b8e6e782456f1ce02a7ae914bbd5b1053f0b034 ] + +The descriptor list is a shared resource across all of the transmit queues, and +the locking mechanism used today only protects concurrency across a given +transmit queue between the transmit and reclaiming. This creates an opportunity +for the SYSTEMPORT hardware to work on corrupted descriptors if we have +multiple producers at once which is the case when using multiple transmit +queues. + +This was particularly noticeable when using multiple flows/transmit queues and +it showed up in interesting ways in that UDP packets would get a correct UDP +header checksum being calculated over an incorrect packet length. Similarly TCP +packets would get an equally correct checksum computed by the hardware over an +incorrect packet length. + +The SYSTEMPORT hardware maintains an internal descriptor list that it re-arranges +when the driver produces a new descriptor anytime it writes to the +WRITE_PORT_{HI,LO} registers, there is however some delay in the hardware to +re-organize its descriptors and it is possible that concurrent TX queues +eventually break this internal allocation scheme to the point where the +length/status part of the descriptor gets used for an incorrect data buffer. + +The fix is to impose a global serialization for all TX queues in the short +section where we are writing to the WRITE_PORT_{HI,LO} registers which solves +the corruption even with multiple concurrent TX queues being used. 
+ +Fixes: 80105befdb4b ("net: systemport: add Broadcom SYSTEMPORT Ethernet MAC driver") +Signed-off-by: Florian Fainelli +Link: https://lore.kernel.org/r/20211215202450.4086240-1-f.fainelli@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bcmsysport.c | 5 ++++- + drivers/net/ethernet/broadcom/bcmsysport.h | 1 + + 2 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/broadcom/bcmsysport.c b/drivers/net/ethernet/broadcom/bcmsysport.c +index 7fa1b695400d7..0877b3d7f88c5 100644 +--- a/drivers/net/ethernet/broadcom/bcmsysport.c ++++ b/drivers/net/ethernet/broadcom/bcmsysport.c +@@ -1309,11 +1309,11 @@ static netdev_tx_t bcm_sysport_xmit(struct sk_buff *skb, + struct bcm_sysport_priv *priv = netdev_priv(dev); + struct device *kdev = &priv->pdev->dev; + struct bcm_sysport_tx_ring *ring; ++ unsigned long flags, desc_flags; + struct bcm_sysport_cb *cb; + struct netdev_queue *txq; + u32 len_status, addr_lo; + unsigned int skb_len; +- unsigned long flags; + dma_addr_t mapping; + u16 queue; + int ret; +@@ -1373,8 +1373,10 @@ static netdev_tx_t bcm_sysport_xmit(struct sk_buff *skb, + ring->desc_count--; + + /* Ports are latched, so write upper address first */ ++ spin_lock_irqsave(&priv->desc_lock, desc_flags); + tdma_writel(priv, len_status, TDMA_WRITE_PORT_HI(ring->index)); + tdma_writel(priv, addr_lo, TDMA_WRITE_PORT_LO(ring->index)); ++ spin_unlock_irqrestore(&priv->desc_lock, desc_flags); + + /* Check ring space and update SW control flow */ + if (ring->desc_count == 0) +@@ -2013,6 +2015,7 @@ static int bcm_sysport_open(struct net_device *dev) + } + + /* Initialize both hardware and software ring */ ++ spin_lock_init(&priv->desc_lock); + for (i = 0; i < dev->num_tx_queues; i++) { + ret = bcm_sysport_init_tx_ring(priv, i); + if (ret) { +diff --git a/drivers/net/ethernet/broadcom/bcmsysport.h b/drivers/net/ethernet/broadcom/bcmsysport.h +index 984f76e74b43e..16b73bb9acc78 100644 +--- 
a/drivers/net/ethernet/broadcom/bcmsysport.h ++++ b/drivers/net/ethernet/broadcom/bcmsysport.h +@@ -711,6 +711,7 @@ struct bcm_sysport_priv { + int wol_irq; + + /* Transmit rings */ ++ spinlock_t desc_lock; + struct bcm_sysport_tx_ring *tx_rings; + + /* Receive queue */ +-- +2.33.0 + diff --git a/queue-5.15/netdevsim-don-t-overwrite-read-only-ethtool-parms.patch b/queue-5.15/netdevsim-don-t-overwrite-read-only-ethtool-parms.patch new file mode 100644 index 00000000000..c6e6f4b2208 --- /dev/null +++ b/queue-5.15/netdevsim-don-t-overwrite-read-only-ethtool-parms.patch 
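Review bot: The new `spinlock_t desc_lock;` in struct bcm_sysport_priv sits under the existing `/* Transmit rings */` comment with nothing saying what it guards, although per the commit message it is a device-wide lock rather than a per-ring one. A field comment such as `/* serialises TDMA_WRITE_PORT_{HI,LO} writes across all TX rings */` would make that scope explicit. In bcm_sysport_xmit() the separate `desc_flags` word next to the existing `flags` suggests the section already runs under another irqsave lock; if so, the nesting order is worth recording in the same comment. Both functions extend outside the quoted hunks.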
@@ -0,0 +1,45 @@ +From 3b3e5815da2d6b526c6bbaf0d7172002fa78d27f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Dec 2021 18:50:32 +0100 +Subject: netdevsim: don't overwrite read only ethtool parms + +From: Filip Pokryvka + +[ Upstream commit ee60e626d536da4c710b3634afe68fe7c6d69b59 ] + +Ethtool ring feature has _max_pending attributes read-only. +Set only read-write attributes in nsim_set_ringparam. + +This patch is useful, if netdevsim device is set-up using NetworkManager, +because NetworkManager sends 0 as MAX values, as it is pointless to +retrieve them in extra call, because they should be read-only. Then, +the device is left in incosistent state (value > MAX). + +Fixes: a7fc6db099b5 ("netdevsim: support ethtool ring and coalesce settings") +Signed-off-by: Filip Pokryvka +Link: https://lore.kernel.org/r/20211210175032.411872-1-fpokryvk@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/netdevsim/ethtool.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/netdevsim/ethtool.c b/drivers/net/netdevsim/ethtool.c +index b03a0513eb7e7..2e7c1cc16cb93 100644 +--- a/drivers/net/netdevsim/ethtool.c ++++ b/drivers/net/netdevsim/ethtool.c +@@ -77,7 +77,10 @@ static int nsim_set_ringparam(struct net_device *dev, + { + struct netdevsim *ns = netdev_priv(dev); + +- memcpy(&ns->ethtool.ring, ring, sizeof(ns->ethtool.ring)); ++ ns->ethtool.ring.rx_pending = ring->rx_pending; ++ ns->ethtool.ring.rx_jumbo_pending = ring->rx_jumbo_pending; ++ ns->ethtool.ring.rx_mini_pending = ring->rx_mini_pending; ++ ns->ethtool.ring.tx_pending = ring->tx_pending; + return 0; + } + +-- +2.33.0 + diff --git a/queue-5.15/netdevsim-zero-initialize-memory-for-new-map-s-value.patch b/queue-5.15/netdevsim-zero-initialize-memory-for-new-map-s-value.patch new file mode 100644 index 00000000000..032a793d2e7 --- /dev/null +++ b/queue-5.15/netdevsim-zero-initialize-memory-for-new-map-s-value.patch 
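Review bot: nsim_set_ringparam() now copies four fields by hand with no comment saying why, so an obvious later cleanup back to a single memcpy() would reintroduce the bug. A one-line comment above the assignments, e.g. `/* copy only the writable fields; the *_max_pending values are read-only */`, records the intent. The assignments also accept the caller's values without comparing them to the stored maxima; that check is presumably done before this callback runs, which is worth confirming since the commit message describes "value > MAX" as the inconsistent state.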
@@ -0,0 +1,49 @@ +From 23f4f623a2edcce7908253aa5c4072708a49fdfb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Dec 2021 19:15:30 +0800 +Subject: netdevsim: Zero-initialize memory for new map's value in function + nsim_bpf_map_alloc + +From: Haimin Zhang + +[ Upstream commit 481221775d53d6215a6e5e9ce1cce6d2b4ab9a46 ] + +Zero-initialize memory for new map's value in function nsim_bpf_map_alloc +since it may cause a potential kernel information leak issue, as follows: +1. nsim_bpf_map_alloc calls nsim_map_alloc_elem to allocate elements for +a new map. +2. nsim_map_alloc_elem uses kmalloc to allocate map's value, but doesn't +zero it. +3. A user application can use IOCTL BPF_MAP_LOOKUP_ELEM to get specific +element's information in the map. +4. The kernel function map_lookup_elem will call bpf_map_copy_value to get +the information allocated at step-2, then use copy_to_user to copy to the +user buffer. +This can only leak information for an array map. + +Fixes: 395cacb5f1a0 ("netdevsim: bpf: support fake map offload") +Suggested-by: Jakub Kicinski +Acked-by: Jakub Kicinski +Signed-off-by: Haimin Zhang +Link: https://lore.kernel.org/r/20211215111530.72103-1-tcs.kernel@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/netdevsim/bpf.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/netdevsim/bpf.c b/drivers/net/netdevsim/bpf.c +index 90aafb56f1409..a438202129323 100644 +--- a/drivers/net/netdevsim/bpf.c ++++ b/drivers/net/netdevsim/bpf.c +@@ -514,6 +514,7 @@ nsim_bpf_map_alloc(struct netdevsim *ns, struct bpf_offloaded_map *offmap) + goto err_free; + key = nmap->entry[i].key; + *key = i; ++ memset(nmap->entry[i].value, 0, offmap->map.value_size); + } + } + +-- +2.33.0 + diff --git a/queue-5.15/rds-memory-leak-in-__rds_conn_create.patch b/queue-5.15/rds-memory-leak-in-__rds_conn_create.patch new file mode 100644 index 00000000000..1b64d4aad61 --- /dev/null 
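Review bot: The added `memset(nmap->entry[i].value, 0, offmap->map.value_size)` clears the value only on this one path in nsim_bpf_map_alloc(), while the commit message places the uninitialised kmalloc() in nsim_map_alloc_elem(). Any other caller of that helper (not visible here) would still hand out stale heap contents that a later lookup can copy to user space, unless it overwrites the whole value first. Zeroing at the allocation site, for example by allocating the value with `kzalloc()` inside nsim_map_alloc_elem(), would cover every caller and make this memset unnecessary. nsim_bpf_map_alloc() starts and ends outside the quoted hunk.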
+++ b/queue-5.15/rds-memory-leak-in-__rds_conn_create.patch @@ -0,0 +1,36 @@ +From e35a9d8d8574caa252ac982b363573552b1089b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Dec 2021 18:46:59 +0800 +Subject: rds: memory leak in __rds_conn_create() + +From: Hangyu Hua + +[ Upstream commit 5f9562ebe710c307adc5f666bf1a2162ee7977c0 ] + +__rds_conn_create() did not release conn->c_path when loop_trans != 0 and +trans->t_prefer_loopback != 0 and is_outgoing == 0. + +Fixes: aced3ce57cd3 ("RDS tcp loopback connection can hang") +Signed-off-by: Hangyu Hua +Reviewed-by: Sharath Srinivasan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/rds/connection.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/rds/connection.c b/net/rds/connection.c +index a3bc4b54d4910..b4cc699c5fad3 100644 +--- a/net/rds/connection.c ++++ b/net/rds/connection.c +@@ -253,6 +253,7 @@ static struct rds_connection *__rds_conn_create(struct net *net, + * should end up here, but if it + * does, reset/destroy the connection. + */ ++ kfree(conn->c_path); + kmem_cache_free(rds_conn_slab, conn); + conn = ERR_PTR(-EOPNOTSUPP); + goto out; +-- +2.33.0 + diff --git a/queue-5.15/revert-drm-fb-helper-improve-drm-fbdev-emulation-dev.patch b/queue-5.15/revert-drm-fb-helper-improve-drm-fbdev-emulation-dev.patch new file mode 100644 index 00000000000..8812053eefe --- /dev/null +++ b/queue-5.15/revert-drm-fb-helper-improve-drm-fbdev-emulation-dev.patch 
@@ -0,0 +1,56 @@ +From 9dd5c04d5d18339044fc4475fa87fbd71a99ebc2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Oct 2021 18:57:40 +0200 +Subject: Revert "drm/fb-helper: improve DRM fbdev emulation device names" +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Javier Martinez Canillas + +[ Upstream commit 842470c4e211f284a224842849b1fa81b130c154 ] + +This reverts commit b3484d2b03e4c940a9598aa841a52d69729c582a. + +That change attempted to improve the DRM drivers fbdev emulation device +names to avoid having confusing names like "simpledrmdrmfb" in /proc/fb. + +But unfortunately, there are user-space programs such as pm-utils that +match against the fbdev names and so broke after the mentioned commit. + +Since the names in /proc/fb are used by tools that consider it an uAPI, +let's restore the old names even when this lead to silly names like the +one mentioned above. + +Fixes: b3484d2b03e4 ("drm/fb-helper: improve DRM fbdev emulation device names") +Reported-by: Johannes Stezenbach +Signed-off-by: Javier Martinez Canillas +Reviewed-by: Ville Syrjälä +Link: https://patchwork.freedesktop.org/patch/msgid/20211020165740.3011927-1-javierm@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_fb_helper.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/drm_fb_helper.c b/drivers/gpu/drm/drm_fb_helper.c +index 8e7a124d6c5a3..22bf690910b25 100644 +--- a/drivers/gpu/drm/drm_fb_helper.c ++++ b/drivers/gpu/drm/drm_fb_helper.c +@@ -1743,7 +1743,13 @@ void drm_fb_helper_fill_info(struct fb_info *info, + sizes->fb_width, sizes->fb_height); + + info->par = fb_helper; +- snprintf(info->fix.id, sizeof(info->fix.id), "%s", ++ /* ++ * The DRM drivers fbdev emulation device name can be confusing if the ++ * driver name also has a "drm" suffix on it. Leading to names such as ++ * "simpledrmdrmfb" in /proc/fb. 
Unfortunately, it's an uAPI and can't ++ * be changed due user-space tools (e.g: pm-utils) matching against it. ++ */ ++ snprintf(info->fix.id, sizeof(info->fix.id), "%sdrmfb", + fb_helper->dev->driver->name); + + } +-- +2.33.0 + diff --git a/queue-5.15/s390-kexec_file-fix-error-handling-when-applying-rel.patch b/queue-5.15/s390-kexec_file-fix-error-handling-when-applying-rel.patch new file mode 100644 index 00000000000..1c602080e17 --- /dev/null +++ b/queue-5.15/s390-kexec_file-fix-error-handling-when-applying-rel.patch 
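Review bot: The restored `snprintf(info->fix.id, sizeof(info->fix.id), "%sdrmfb", ...)` in drm_fb_helper_fill_info() ignores the return value, so a driver name too long for the fixed-size id is cut silently, and the cut lands on the "drmfb" suffix that user-space tools are said to match on. The format cannot change because it is treated as uAPI, but the new comment could record the limitation, e.g. by adding `Long driver names are silently truncated.` The comment's last sentence also reads more clearly as `... can't be changed due to user-space tools (e.g. pm-utils) matching against it.`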
@@ -0,0 +1,63 @@ +From b41ab6dd653caef4abe650cc50b0470f01e86bff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Dec 2021 14:07:41 +0100 +Subject: s390/kexec_file: fix error handling when applying relocations + +From: Philipp Rudo + +[ Upstream commit 41967a37b8eedfee15b81406a9f3015be90d3980 ] + +arch_kexec_apply_relocations_add currently ignores all errors returned +by arch_kexec_do_relocs. This means that every unknown relocation is +silently skipped causing unpredictable behavior while the relocated code +runs. Fix this by checking for errors and fail kexec_file_load if an +unknown relocation type is encountered. + +The problem was found after gcc changed its behavior and used +R_390_PLT32DBL relocations for brasl instruction and relied on ld to +resolve the relocations in the final link in case direct calls are +possible. As the purgatory code is only linked partially (option -r) +ld didn't resolve the relocations leaving them for arch_kexec_do_relocs. +But arch_kexec_do_relocs doesn't know how to handle R_390_PLT32DBL +relocations so they were silently skipped. This ultimately caused an +endless loop in the purgatory as the brasl instructions kept branching +to itself. 
+ +Fixes: 71406883fd35 ("s390/kexec_file: Add kexec_file_load system call") +Reported-by: Tao Liu +Signed-off-by: Philipp Rudo +Link: https://lore.kernel.org/r/20211208130741.5821-3-prudo@redhat.com +Signed-off-by: Heiko Carstens +Signed-off-by: Sasha Levin +--- + arch/s390/kernel/machine_kexec_file.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/arch/s390/kernel/machine_kexec_file.c b/arch/s390/kernel/machine_kexec_file.c +index e7435f3a3d2d2..76cd09879eaf4 100644 +--- a/arch/s390/kernel/machine_kexec_file.c ++++ b/arch/s390/kernel/machine_kexec_file.c +@@ -277,6 +277,7 @@ int arch_kexec_apply_relocations_add(struct purgatory_info *pi, + { + Elf_Rela *relas; + int i, r_type; ++ int ret; + + relas = (void *)pi->ehdr + relsec->sh_offset; + +@@ -311,7 +312,11 @@ int arch_kexec_apply_relocations_add(struct purgatory_info *pi, + addr = section->sh_addr + relas[i].r_offset; + + r_type = ELF64_R_TYPE(relas[i].r_info); +- arch_kexec_do_relocs(r_type, loc, val, addr); ++ ret = arch_kexec_do_relocs(r_type, loc, val, addr); ++ if (ret) { ++ pr_err("Unknown rela relocation: %d\n", r_type); ++ return -ENOEXEC; ++ } + } + return 0; + } +-- +2.33.0 + diff --git a/queue-5.15/sch_cake-do-not-call-cake_destroy-from-cake_init.patch b/queue-5.15/sch_cake-do-not-call-cake_destroy-from-cake_init.patch new file mode 100644 index 00000000000..96e53fe1f1f --- /dev/null +++ b/queue-5.15/sch_cake-do-not-call-cake_destroy-from-cake_init.patch 
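Review bot: The new error path in arch_kexec_apply_relocations_add() reports every non-zero return of arch_kexec_do_relocs() as `Unknown rela relocation` and drops `ret`, so if the helper ever fails for a different reason the log will name the wrong cause. Printing the code is a small change: `pr_err("Unknown rela relocation: %d (err %d)\n", r_type, ret);`. The separate `int ret;` line could also join the existing declaration as `int i, r_type, ret;`. The helper's possible return values are not visible in this hunk.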
@@ -0,0 +1,105 @@ +From ac7aff6e716902a946fc38e7146e453d180460d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Dec 2021 06:20:46 -0800 +Subject: sch_cake: do not call cake_destroy() from cake_init() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Eric Dumazet + +[ Upstream commit ab443c53916730862cec202078d36fd4008bea79 ] + +qdiscs are not supposed to call their own destroy() method +from init(), because core stack already does that. + +syzbot was able to trigger use after free: + +DEBUG_LOCKS_WARN_ON(lock->magic != lock) +WARNING: CPU: 0 PID: 21902 at kernel/locking/mutex.c:586 __mutex_lock_common kernel/locking/mutex.c:586 [inline] +WARNING: CPU: 0 PID: 21902 at kernel/locking/mutex.c:586 __mutex_lock+0x9ec/0x12f0 kernel/locking/mutex.c:740 +Modules linked in: +CPU: 0 PID: 21902 Comm: syz-executor189 Not tainted 5.16.0-rc4-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +RIP: 0010:__mutex_lock_common kernel/locking/mutex.c:586 [inline] +RIP: 0010:__mutex_lock+0x9ec/0x12f0 kernel/locking/mutex.c:740 +Code: 08 84 d2 0f 85 19 08 00 00 8b 05 97 38 4b 04 85 c0 0f 85 27 f7 ff ff 48 c7 c6 20 00 ac 89 48 c7 c7 a0 fe ab 89 e8 bf 76 ba ff <0f> 0b e9 0d f7 ff ff 48 8b 44 24 40 48 8d b8 c8 08 00 00 48 89 f8 +RSP: 0018:ffffc9000627f290 EFLAGS: 00010282 +RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 +RDX: ffff88802315d700 RSI: ffffffff815f1db8 RDI: fffff52000c4fe44 +RBP: ffff88818f28e000 R08: 0000000000000000 R09: 0000000000000000 +R10: ffffffff815ebb5e R11: 0000000000000000 R12: 0000000000000000 +R13: dffffc0000000000 R14: ffffc9000627f458 R15: 0000000093c30000 +FS: 0000555556abc400(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007fda689c3303 CR3: 000000001cfbb000 CR4: 0000000000350ef0 +Call Trace: + + tcf_chain0_head_change_cb_del+0x2e/0x3d0 net/sched/cls_api.c:810 + 
tcf_block_put_ext net/sched/cls_api.c:1381 [inline] + tcf_block_put_ext net/sched/cls_api.c:1376 [inline] + tcf_block_put+0xbc/0x130 net/sched/cls_api.c:1394 + cake_destroy+0x3f/0x80 net/sched/sch_cake.c:2695 + qdisc_create.constprop.0+0x9da/0x10f0 net/sched/sch_api.c:1293 + tc_modify_qdisc+0x4c5/0x1980 net/sched/sch_api.c:1660 + rtnetlink_rcv_msg+0x413/0xb80 net/core/rtnetlink.c:5571 + netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2496 + netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] + netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1345 + netlink_sendmsg+0x904/0xdf0 net/netlink/af_netlink.c:1921 + sock_sendmsg_nosec net/socket.c:704 [inline] + sock_sendmsg+0xcf/0x120 net/socket.c:724 + ____sys_sendmsg+0x6e8/0x810 net/socket.c:2409 + ___sys_sendmsg+0xf3/0x170 net/socket.c:2463 + __sys_sendmsg+0xe5/0x1b0 net/socket.c:2492 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae +RIP: 0033:0x7f1bb06badb9 +Code: Unable to access opcode bytes at RIP 0x7f1bb06bad8f. 
+RSP: 002b:00007fff3012a658 EFLAGS: 00000246 ORIG_RAX: 000000000000002e +RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f1bb06badb9 +RDX: 0000000000000000 RSI: 00000000200007c0 RDI: 0000000000000003 +RBP: 0000000000000000 R08: 0000000000000003 R09: 0000000000000003 +R10: 0000000000000003 R11: 0000000000000246 R12: 00007fff3012a688 +R13: 00007fff3012a6a0 R14: 00007fff3012a6e0 R15: 00000000000013c2 + + +Fixes: 046f6fd5daef ("sched: Add Common Applications Kept Enhanced (cake) qdisc") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Acked-by: Toke Høiland-Jørgensen +Link: https://lore.kernel.org/r/20211210142046.698336-1-eric.dumazet@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_cake.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +diff --git a/net/sched/sch_cake.c b/net/sched/sch_cake.c +index 3c2300d144681..857aaebd49f43 100644 +--- a/net/sched/sch_cake.c ++++ b/net/sched/sch_cake.c +@@ -2736,7 +2736,7 @@ static int cake_init(struct Qdisc *sch, struct nlattr *opt, + q->tins = kvcalloc(CAKE_MAX_TINS, sizeof(struct cake_tin_data), + GFP_KERNEL); + if (!q->tins) +- goto nomem; ++ return -ENOMEM; + + for (i = 0; i < CAKE_MAX_TINS; i++) { + struct cake_tin_data *b = q->tins + i; +@@ -2766,10 +2766,6 @@ static int cake_init(struct Qdisc *sch, struct nlattr *opt, + q->min_netlen = ~0; + q->min_adjlen = ~0; + return 0; +- +-nomem: +- cake_destroy(sch); +- return -ENOMEM; + } + + static int cake_dump(struct Qdisc *sch, struct sk_buff *skb) +-- +2.33.0 + diff --git a/queue-5.15/selftest-net-forwarding-declare-netifs-p9-p10.patch b/queue-5.15/selftest-net-forwarding-declare-netifs-p9-p10.patch new file mode 100644 index 00000000000..23152a07775 --- /dev/null +++ b/queue-5.15/selftest-net-forwarding-declare-netifs-p9-p10.patch 
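Review bot: With `goto nomem` replaced by `return -ENOMEM` in cake_init(), cleanup after a failed allocation depends entirely on the caller invoking cake_destroy() (the trace shows qdisc_create() doing so), which means cake_destroy() has to cope with a half-initialised qdisc, including `q->tins == NULL`. That contract is not written down in the hunk; a comment at the return, e.g. `/* no cleanup here: the core calls ->destroy() when ->init() fails */`, would keep someone from re-adding a local unwind and the double teardown with it. cake_destroy() is not shown, so its handling of partial state should be checked against each early return in cake_init().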
@@ -0,0 +1,41 @@ +From 4a960b2c3beae7e688a35827b870465f1f91d75d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Dec 2021 16:36:00 +0800 +Subject: selftest/net/forwarding: declare NETIFS p9 p10 + +From: Hangbin Liu + +[ Upstream commit 71da1aec215290e249d09c44c768df859f3a3bba ] + +The recent GRE selftests defined NUM_NETIFS=10. If the users copy +forwarding.config.sample to forwarding.config directly, they will get +error "Command line is not complete" when run the GRE tests, because +create_netif_veth() failed with no interface name defined. + +Fix it by extending the NETIFS with p9 and p10. + +Fixes: 2800f2485417 ("selftests: forwarding: Test multipath hashing on inner IP pkts for GRE tunnel") +Signed-off-by: Hangbin Liu +Reviewed-by: Ido Schimmel +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/forwarding/forwarding.config.sample | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tools/testing/selftests/net/forwarding/forwarding.config.sample b/tools/testing/selftests/net/forwarding/forwarding.config.sample +index e5e2fbeca22ec..e51def39fd801 100644 +--- a/tools/testing/selftests/net/forwarding/forwarding.config.sample ++++ b/tools/testing/selftests/net/forwarding/forwarding.config.sample +@@ -13,6 +13,8 @@ NETIFS[p5]=veth4 + NETIFS[p6]=veth5 + NETIFS[p7]=veth6 + NETIFS[p8]=veth7 ++NETIFS[p9]=veth8 ++NETIFS[p10]=veth9 + + # Port that does not have a cable connected. + NETIF_NO_CABLE=eth8 +-- +2.33.0 + diff --git a/queue-5.15/selftests-add-duplicate-config-only-for-md5-vrf-test.patch b/queue-5.15/selftests-add-duplicate-config-only-for-md5-vrf-test.patch new file mode 100644 index 00000000000..87813e5f754 --- /dev/null +++ b/queue-5.15/selftests-add-duplicate-config-only-for-md5-vrf-test.patch 
@@ -0,0 +1,88 @@ +From 56945710f71fada09f3a00487a6be69393db0480 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 11 Dec 2021 10:11:30 -0700 +Subject: selftests: Add duplicate config only for MD5 VRF tests + +From: David Ahern + +[ Upstream commit 7e0147592b5c4f9e2eb8c54a7857a56d4863f74e ] + +Commit referenced below added configuration in the default VRF that +duplicates a VRF to check MD5 passwords are properly used and fail +when expected. That config should not be added all the time as it +can cause tests to pass that should not (by matching on default VRF +setup when it should not). Move the duplicate setup to a function +that is only called for the MD5 tests and add a cleanup function +to remove it after the MD5 tests. + +Fixes: 5cad8bce26e0 ("fcnal-test: Add TCP MD5 tests for VRF") +Signed-off-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/fcnal-test.sh | 26 +++++++++++++++++------ + 1 file changed, 20 insertions(+), 6 deletions(-) + +diff --git a/tools/testing/selftests/net/fcnal-test.sh b/tools/testing/selftests/net/fcnal-test.sh +index 966787c2f9f0f..8bcbb72f74c1f 100755 +--- a/tools/testing/selftests/net/fcnal-test.sh ++++ b/tools/testing/selftests/net/fcnal-test.sh +@@ -455,6 +455,22 @@ cleanup() + ip netns del ${NSC} >/dev/null 2>&1 + } + ++cleanup_vrf_dup() ++{ ++ ip link del ${NSA_DEV2} >/dev/null 2>&1 ++ ip netns pids ${NSC} | xargs kill 2>/dev/null ++ ip netns del ${NSC} >/dev/null 2>&1 ++} ++ ++setup_vrf_dup() ++{ ++ # some VRF tests use ns-C which has the same config as ++ # ns-B but for a device NOT in the VRF ++ create_ns ${NSC} "-" "-" ++ connect_ns ${NSA} ${NSA_DEV2} ${NSA_IP}/24 ${NSA_IP6}/64 \ ++ ${NSC} ${NSC_DEV} ${NSB_IP}/24 ${NSB_IP6}/64 ++} ++ + setup() + { + local with_vrf=${1} +@@ -484,12 +500,6 @@ setup() + + ip -netns ${NSB} ro add ${VRF_IP}/32 via ${NSA_IP} dev ${NSB_DEV} + ip -netns ${NSB} -6 ro add ${VRF_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV} +- +- # some VRF 
tests use ns-C which has the same config as +- # ns-B but for a device NOT in the VRF +- create_ns ${NSC} "-" "-" +- connect_ns ${NSA} ${NSA_DEV2} ${NSA_IP}/24 ${NSA_IP6}/64 \ +- ${NSC} ${NSC_DEV} ${NSB_IP}/24 ${NSB_IP6}/64 + else + ip -netns ${NSA} ro add ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV} + ip -netns ${NSA} ro add ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV} +@@ -1240,7 +1250,9 @@ ipv4_tcp_vrf() + log_test_addr ${a} $? 1 "Global server, local connection" + + # run MD5 tests ++ setup_vrf_dup + ipv4_tcp_md5 ++ cleanup_vrf_dup + + # + # enable VRF global server +@@ -2719,7 +2731,9 @@ ipv6_tcp_vrf() + log_test_addr ${a} $? 1 "Global server, local connection" + + # run MD5 tests ++ setup_vrf_dup + ipv6_tcp_md5 ++ cleanup_vrf_dup + + # + # enable VRF global server +-- +2.33.0 + diff --git a/queue-5.15/selftests-fix-ipv6-address-bind-tests.patch b/queue-5.15/selftests-fix-ipv6-address-bind-tests.patch new file mode 100644 index 00000000000..dfca44b1545 --- /dev/null +++ b/queue-5.15/selftests-fix-ipv6-address-bind-tests.patch 
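Review bot: In the new `cleanup_vrf_dup()`, `ip netns pids ${NSC} | xargs kill 2>/dev/null` runs `kill` with no arguments when ns-C has no processes left, and the redirect hides that usage error together with any genuine failure to stop a process. With GNU or busybox xargs, `ip netns pids ${NSC} | xargs -r kill 2>/dev/null` avoids the empty invocation. The function also repeats at least part of the ns-C teardown in `cleanup()` (its `ip netns del ${NSC}` line is visible as context just above), so `cleanup()` could call `cleanup_vrf_dup` rather than keep two copies; the rest of `cleanup()` is outside the hunk.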
@@ -0,0 +1,63 @@ +From 2e58b108047692c1dd9be835011200bb715e30c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 11 Dec 2021 11:26:16 -0700 +Subject: selftests: Fix IPv6 address bind tests + +From: David Ahern + +[ Upstream commit 28a2686c185e84b6aa6a4d9c9a972360eb7ca266 ] + +IPv6 allows binding a socket to a device then binding to an address +not on the device (__inet6_bind -> ipv6_chk_addr with strict flag +not set). Update the bind tests to reflect legacy behavior. + +Fixes: 34d0302ab861 ("selftests: Add ipv6 address bind tests to fcnal-test") +Reported-by: Li Zhijian +Signed-off-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/fcnal-test.sh | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/tools/testing/selftests/net/fcnal-test.sh b/tools/testing/selftests/net/fcnal-test.sh +index 9d2e8db8827e2..aec9e784d0b46 100755 +--- a/tools/testing/selftests/net/fcnal-test.sh ++++ b/tools/testing/selftests/net/fcnal-test.sh +@@ -3429,11 +3429,14 @@ ipv6_addr_bind_novrf() + run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b + log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind" + ++ # Sadly, the kernel allows binding a socket to a device and then ++ # binding to an address not on the device. So this test passes ++ # when it really should not + a=${NSA_LO_IP6} + log_start +- show_hint "Should fail with 'Cannot assign requested address'" ++ show_hint "Tecnically should fail since address is not on device but kernel allows" + run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b +- log_test_addr ${a} $? 1 "TCP socket bind to out of scope local address" ++ log_test_addr ${a} $? 0 "TCP socket bind to out of scope local address" + } + + ipv6_addr_bind_vrf() +@@ -3474,10 +3477,15 @@ ipv6_addr_bind_vrf() + run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b + log_test_addr ${a} $? 
0 "TCP socket bind to local address with device bind" + ++ # Sadly, the kernel allows binding a socket to a device and then ++ # binding to an address not on the device. The only restriction ++ # is that the address is valid in the L3 domain. So this test ++ # passes when it really should not + a=${VRF_IP6} + log_start ++ show_hint "Tecnically should fail since address is not on device but kernel allows" + run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b +- log_test_addr ${a} $? 1 "TCP socket bind to VRF address with device bind" ++ log_test_addr ${a} $? 0 "TCP socket bind to VRF address with device bind" + + a=${NSA_LO_IP6} + log_start +-- +2.33.0 + diff --git a/queue-5.15/selftests-fix-raw-socket-bind-tests-with-vrf.patch b/queue-5.15/selftests-fix-raw-socket-bind-tests-with-vrf.patch new file mode 100644 index 00000000000..b6cc333b5e4 --- /dev/null +++ b/queue-5.15/selftests-fix-raw-socket-bind-tests-with-vrf.patch 
@@ -0,0 +1,43 @@
+From 841e8c665896406ee79d2287bfab2cbad36f0778 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 11 Dec 2021 10:21:08 -0700
+Subject: selftests: Fix raw socket bind tests with VRF
+
+From: David Ahern
+
+[ Upstream commit 0f108ae4452025fef529671998f6c7f1c4526790 ]
+
+Commit referenced below added negative socket bind tests for VRF. The
+socket binds should fail since the address to bind to is in a VRF yet
+the socket is not bound to the VRF or a device within it. Update the
+expected return code to check for 1 (bind failure) so the test passes
+when the bind fails as expected. Add a 'show_hint' comment to explain
+why the bind is expected to fail.
+
+Fixes: 75b2b2b3db4c ("selftests: Add ipv4 address bind tests to fcnal-test")
+Reported-by: Li Zhijian
+Signed-off-by: David Ahern
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ tools/testing/selftests/net/fcnal-test.sh | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/net/fcnal-test.sh b/tools/testing/selftests/net/fcnal-test.sh
+index 8bcbb72f74c1f..9d2e8db8827e2 100755
+--- a/tools/testing/selftests/net/fcnal-test.sh
++++ b/tools/testing/selftests/net/fcnal-test.sh
+@@ -1810,8 +1810,9 @@ ipv4_addr_bind_vrf()
+ for a in ${NSA_IP} ${VRF_IP}
+ do
+ log_start
++ show_hint "Socket not bound to VRF, but address is in VRF"
+ run_cmd nettest -s -R -P icmp -l ${a} -b
+- log_test_addr ${a} $? 0 "Raw socket bind to local address"
++ log_test_addr ${a} $? 1 "Raw socket bind to local address"
+
+ log_start
+ run_cmd nettest -s -R -P icmp -l ${a} -I ${NSA_DEV} -b
+--
+2.33.0
+
diff --git a/queue-5.15/selftests-icmp_redirect-pass-xfail-0-to-log_test.patch b/queue-5.15/selftests-icmp_redirect-pass-xfail-0-to-log_test.patch
new file mode 100644
index 00000000000..d16b5eed15f
--- /dev/null
+++ b/queue-5.15/selftests-icmp_redirect-pass-xfail-0-to-log_test.patch
@@ -0,0 +1,44 @@
+From 239f1391e4b0107ae3a6e208f142d24a7fb97566 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 10 Dec 2021 15:25:23 +0800
+Subject: selftests: icmp_redirect: pass xfail=0 to log_test()
+
+From: Po-Hsu Lin
+
+[ Upstream commit 3748939bce3fc7a15ef07161826507fbe410bb7a ]
+
+If any sub-test in this icmp_redirect.sh is failing but not expected
+to fail. The script will complain:
+ ./icmp_redirect.sh: line 72: [: 1: unary operator expected
+
+This is because when the sub-test is not expected to fail, we won't
+pass any value for the xfail local variable in log_test() and thus
+it's empty. Fix this by passing 0 as the 4th variable to log_test()
+for non-xfail cases.
+
+v2: added fixes tag
+
+Fixes: 0a36a75c6818 ("selftests: icmp_redirect: support expected failures")
+Signed-off-by: Po-Hsu Lin
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ tools/testing/selftests/net/icmp_redirect.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/net/icmp_redirect.sh b/tools/testing/selftests/net/icmp_redirect.sh
+index ecbf57f264ed9..7b9d6e31b8e7d 100755
+--- a/tools/testing/selftests/net/icmp_redirect.sh
++++ b/tools/testing/selftests/net/icmp_redirect.sh
+@@ -311,7 +311,7 @@ check_exception()
+ ip -netns h1 ro get ${H1_VRF_ARG} ${H2_N2_IP} | \
+ grep -E -v 'mtu|redirected' | grep -q "cache"
+ fi
+- log_test $? 0 "IPv4: ${desc}"
++ log_test $? 0 "IPv4: ${desc}" 0
+
+ # No PMTU info for test "redirect" and "mtu exception plus redirect"
+ if [ "$with_redirect" = "yes" ] && [ "$desc" != "redirect exception plus mtu" ]; then
+--
+2.33.0
+
diff --git a/queue-5.15/selftests-net-correct-ping6-expected-rc-from-2-to-1.patch b/queue-5.15/selftests-net-correct-ping6-expected-rc-from-2-to-1.patch
new file mode 100644
index 00000000000..f2812eeb3c2
--- /dev/null
+++ b/queue-5.15/selftests-net-correct-ping6-expected-rc-from-2-to-1.patch
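Review bot: Passing a literal `0` at this one `log_test` call leaves `log_test()` itself fragile, because any other caller that omits the fourth argument will trigger the same `unary operator expected` error quoted in the commit message. `log_test()` is defined outside this hunk, so this is inferred from the description rather than seen, but defaulting the value where it is read, for example `local xfail=${4:-0}`, would cover every caller at once. The explicit `0` here can stay for readability.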
@@ -0,0 +1,45 @@
+From f3155c39a21ca9b67e1379d35a57979fb7a31126 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 9 Dec 2021 10:02:30 +0800
+Subject: selftests: net: Correct ping6 expected rc from 2 to 1
+
+From: Jie2x Zhou
+
+[ Upstream commit 92816e2629808726af015c7f5b14adc8e4f8b147 ]
+
+./fcnal-test.sh -v -t ipv6_ping
+TEST: ping out, VRF bind - ns-B IPv6 LLA [FAIL]
+TEST: ping out, VRF bind - multicast IP [FAIL]
+
+ping6 is failing as it should.
+COMMAND: ip netns exec ns-A /bin/ping6 -c1 -w1 fe80::7c4c:bcff:fe66:a63a%red
+strace of ping6 shows it is failing with '1',
+so change the expected rc from 2 to 1.
+
+Fixes: c0644e71df33 ("selftests: Add ipv6 ping tests to fcnal-test")
+Reported-by: kernel test robot
+Suggested-by: David Ahern
+Signed-off-by: Jie2x Zhou
+Link: https://lore.kernel.org/r/20211209020230.37270-1-jie2x.zhou@intel.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ tools/testing/selftests/net/fcnal-test.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/net/fcnal-test.sh b/tools/testing/selftests/net/fcnal-test.sh
+index 7f5b265fcb905..966787c2f9f0f 100755
+--- a/tools/testing/selftests/net/fcnal-test.sh
++++ b/tools/testing/selftests/net/fcnal-test.sh
+@@ -2191,7 +2191,7 @@ ipv6_ping_vrf()
+ log_start
+ show_hint "Fails since VRF device does not support linklocal or multicast"
+ run_cmd ${ping6} -c1 -w1 ${a}
+- log_test_addr ${a} $? 2 "ping out, VRF bind"
++ log_test_addr ${a} $? 1 "ping out, VRF bind"
+ done
+
+ for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
+--
+2.33.0
+
diff --git a/queue-5.15/selftests-net-toeplitz-fix-udp-option.patch b/queue-5.15/selftests-net-toeplitz-fix-udp-option.patch
new file mode 100644
index 00000000000..f87f951fc58
--- /dev/null
+++ b/queue-5.15/selftests-net-toeplitz-fix-udp-option.patch
@@ -0,0 +1,37 @@
+From eea19d0445c2a80c6000a614c8c711c0f0c52eba Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 11 Dec 2021 14:30:31 -0500
+Subject: selftests/net: toeplitz: fix udp option
+
+From: Willem de Bruijn
+
+[ Upstream commit a8d13611b4a7b1b20d17bf2b9a89a3efcabde56c ]
+
+Tiny fix. Option -u ("use udp") does not take an argument.
+
+It can cause the next argument to silently be ignored.
+
+Fixes: 5ebfb4cc3048 ("selftests/net: toeplitz test")
+Signed-off-by: Willem de Bruijn
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ tools/testing/selftests/net/toeplitz.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/net/toeplitz.c b/tools/testing/selftests/net/toeplitz.c
+index 710ac956bdb33..c5489341cfb80 100644
+--- a/tools/testing/selftests/net/toeplitz.c
++++ b/tools/testing/selftests/net/toeplitz.c
+@@ -498,7 +498,7 @@ static void parse_opts(int argc, char **argv)
+ bool have_toeplitz = false;
+ int index, c;
+
+- while ((c = getopt_long(argc, argv, "46C:d:i:k:r:stT:u:v", long_options, &index)) != -1) {
++ while ((c = getopt_long(argc, argv, "46C:d:i:k:r:stT:uv", long_options, &index)) != -1) {
+ switch (c) {
+ case '4':
+ cfg_family = AF_INET;
+--
+2.33.0
+
diff --git a/queue-5.15/series b/queue-5.15/series
index 9e4646df080..388cfb92641 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
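Review bot: The short-option string now treats `-u` as a flag, but the `long_options` table passed to the same `getopt_long()` call is declared outside this hunk and has to agree with it. If that table has an entry mapping to `'u'` that still uses `required_argument`, the long form would keep swallowing the following argument. A short comment above the call, such as `/* keep the optstring and long_options[] argument requirements in sync */`, would make the coupling visible; parse_opts() continues past the end of the hunk.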
@@ -35,3 +35,78 @@ scsi-ufs-core-retry-start_stop-on-unit_attention.patch drm-i915-hdmi-convert-intel_hdmi_to_dev-to-intel_hdmi_to_i915.patch drm-i915-hdmi-turn-dp-tmds-output-buffers-back-on-in-encoder-shutdown.patch pinctrl-amd-fix-wakeups-when-irq-is-shared-with-sci.patch +arm64-dts-rockchip-remove-mmc-hs400-enhanced-strobe-.patch +arm64-dts-rockchip-fix-rk3308-roc-cc-vcc-sd-supply.patch +arm64-dts-rockchip-fix-rk3399-leez-p710-vcc3v3-lan-s.patch +arm64-dts-rockchip-fix-audio-supply-for-rock-pi-4.patch +arm64-dts-rockchip-fix-poweroff-on-helios64.patch +dmaengine-idxd-add-halt-interrupt-support.patch +dmaengine-idxd-fix-calling-wq-quiesce-inside-spinloc.patch +mac80211-track-only-qos-data-frames-for-admission-co.patch +hv-utils-add-ptp_1588_clock-to-kconfig-to-fix-build.patch +tee-amdtee-fix-an-is_err-vs-null-bug.patch +ceph-fix-duplicate-increment-of-opened_inodes-metric.patch +ceph-initialize-pathlen-variable-in-reconnect_caps_c.patch +arm-socfpga-dts-fix-qspi-node-compatible.patch +arm64-dts-imx8mq-remove-interconnect-property-from-l.patch +clk-don-t-parent-clks-until-the-parent-is-fully-regi.patch +soc-imx-register-soc-device-only-on-i.mx-boards.patch +iwlwifi-mvm-don-t-crash-on-invalid-rate-w-o-sta.patch +virtio-always-enter-drivers-virtio.patch +virtio-vsock-fix-the-transport-to-work-with-vmaddr_c.patch +vdpa-consider-device-id-larger-than-31.patch +revert-drm-fb-helper-improve-drm-fbdev-emulation-dev.patch +selftests-net-correct-ping6-expected-rc-from-2-to-1.patch +s390-kexec_file-fix-error-handling-when-applying-rel.patch +sch_cake-do-not-call-cake_destroy-from-cake_init.patch +inet_diag-fix-kernel-infoleak-for-udp-sockets.patch +netdevsim-don-t-overwrite-read-only-ethtool-parms.patch +selftests-icmp_redirect-pass-xfail-0-to-log_test.patch +net-hns3-fix-use-after-free-bug-in-hclgevf_send_mbx_.patch +net-hns3-fix-race-condition-in-debugfs.patch +selftests-add-duplicate-config-only-for-md5-vrf-test.patch +selftests-fix-raw-socket-bind-tests-with-vrf.patch 
+selftests-fix-ipv6-address-bind-tests.patch +dmaengine-idxd-fix-missed-completion-on-abort-path.patch +dmaengine-st_fdma-fix-module_alias.patch +drm-simpledrm-fix-wrong-unit-with-pixel-clock.patch +net-sched-sch_ets-don-t-remove-idle-classes-from-the.patch +selftests-net-toeplitz-fix-udp-option.patch +net-dsa-mv88e6xxx-unforce-speed-duplex-in-mac_link_d.patch +selftest-net-forwarding-declare-netifs-p9-p10.patch +mptcp-never-allow-the-pm-to-close-a-listener-subflow.patch +drm-ast-potential-dereference-of-null-pointer.patch +drm-i915-display-fix-an-unsigned-subtraction-which-c.patch +mac80211-agg-tx-don-t-schedule_and_wake_txq-under-st.patch +cfg80211-acquire-wiphy-mutex-on-regulatory-work.patch +mac80211-fix-lookup-when-adding-addba-extension-elem.patch +net-stmmac-fix-tc-flower-deletion-for-vlan-priority-.patch +flow_offload-return-eopnotsupp-for-the-unsupported-m.patch +rds-memory-leak-in-__rds_conn_create.patch +xsk-do-not-sleep-in-poll-when-need_wakeup-set.patch +ice-use-div64_u64-instead-of-div_u64-in-adjfine.patch +ice-don-t-put-stale-timestamps-in-the-skb.patch +drm-amd-display-set-exit_optimized_pwr_state-for-dcn.patch +drm-amd-pm-fix-a-potential-gpu_metrics_table-memory-.patch +mptcp-remove-tcp-ulp-setsockopt-support.patch +mptcp-clear-kern-flag-from-fallback-sockets.patch +mptcp-fix-deadlock-in-__mptcp_push_pending.patch +soc-tegra-fuse-fix-bitwise-vs.-logical-or-warning.patch +igb-fix-removal-of-unicast-mac-filters-of-vfs.patch +igbvf-fix-double-free-in-igbvf_probe.patch +igc-fix-typo-in-i225-ltr-functions.patch +ixgbe-document-how-to-enable-nbase-t-support.patch +ixgbe-set-x550-mdio-speed-before-talking-to-phy.patch +netdevsim-zero-initialize-memory-for-new-map-s-value.patch +net-packet-rx_owner_map-depends-on-pg_vec.patch +net-stmmac-dwmac-rk-fix-oob-read-in-rk_gmac_setup.patch +sfc_ef100-potential-dereference-of-null-pointer.patch +dsa-mv88e6xxx-fix-debug-print-for-speed_unforced.patch +net-fix-double-0x-prefix-print-in-skb-dump.patch 
+net-smc-prevent-smc_release-from-long-blocking.patch +net-systemport-add-global-locking-for-descriptor-lif.patch +sit-do-not-call-ipip6_dev_free-from-sit_init_net.patch +afs-fix-mmap.patch +arm64-kexec-fix-missing-error-code-ret-warning-in-lo.patch +bpf-fix-extable-fixup-offset.patch +bpf-selftests-fix-racing-issue-in-btf_skc_cls_ingres.patch diff --git a/queue-5.15/sfc_ef100-potential-dereference-of-null-pointer.patch b/queue-5.15/sfc_ef100-potential-dereference-of-null-pointer.patch new file mode 100644 index 00000000000..e9ebd2ce25a --- /dev/null +++ b/queue-5.15/sfc_ef100-potential-dereference-of-null-pointer.patch @@ -0,0 +1,38 @@ +From 919579154d0ef21f863c91fc4f2fb175afb03286 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Dec 2021 22:37:31 +0800 +Subject: sfc_ef100: potential dereference of null pointer + +From: Jiasheng Jiang + +[ Upstream commit 407ecd1bd726f240123f704620d46e285ff30dd9 ] + +The return value of kmalloc() needs to be checked. +To avoid use in efx_nic_update_stats() in case of the failure of alloc. + +Fixes: b593b6f1b492 ("sfc_ef100: statistics gathering") +Signed-off-by: Jiasheng Jiang +Reported-by: kernel test robot +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/sfc/ef100_nic.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/sfc/ef100_nic.c b/drivers/net/ethernet/sfc/ef100_nic.c +index 518268ce20644..d35cafd422b1c 100644 +--- a/drivers/net/ethernet/sfc/ef100_nic.c ++++ b/drivers/net/ethernet/sfc/ef100_nic.c +@@ -609,6 +609,9 @@ static size_t ef100_update_stats(struct efx_nic *efx, + ef100_common_stat_mask(mask); + ef100_ethtool_stat_mask(mask); + ++ if (!mc_stats) ++ return 0; ++ + efx_nic_copy_stats(efx, mc_stats); + efx_nic_update_stats(ef100_stat_desc, EF100_STAT_COUNT, mask, + stats, mc_stats, false); +-- +2.33.0 + 
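Review bot: The added `if (!mc_stats) return 0;` in `ef100_update_stats()` makes an allocation failure look like an ordinary return to the caller, and nothing records that the statistics were not refreshed. The allocation and the function's normal return value are outside the hunk, so whether 0 is also the success value cannot be confirmed from here. The check would read better directly after the allocation instead of after the two mask calls, with a comment such as `/* allocation failed: leave stats at their previous values */`.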
diff --git a/queue-5.15/sit-do-not-call-ipip6_dev_free-from-sit_init_net.patch b/queue-5.15/sit-do-not-call-ipip6_dev_free-from-sit_init_net.patch
new file mode 100644
index 00000000000..a29b09bab60
--- /dev/null
+++ b/queue-5.15/sit-do-not-call-ipip6_dev_free-from-sit_init_net.patch
@@ -0,0 +1,88 @@ +From 35da819b34ff73bb2a1bf629a11a1d15feb19190 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Dec 2021 03:17:41 -0800 +Subject: sit: do not call ipip6_dev_free() from sit_init_net() + +From: Eric Dumazet + +[ Upstream commit e28587cc491ef0f3c51258fdc87fbc386b1d4c59 ] + +ipip6_dev_free is sit dev->priv_destructor, already called +by register_netdevice() if something goes wrong. + +Alternative would be to make ipip6_dev_free() robust against +multiple invocations, but other drivers do not implement this +strategy. + +syzbot reported: + +dst_release underflow +WARNING: CPU: 0 PID: 5059 at net/core/dst.c:173 dst_release+0xd8/0xe0 net/core/dst.c:173 +Modules linked in: +CPU: 1 PID: 5059 Comm: syz-executor.4 Not tainted 5.16.0-rc5-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +RIP: 0010:dst_release+0xd8/0xe0 net/core/dst.c:173 +Code: 4c 89 f2 89 d9 31 c0 5b 41 5e 5d e9 da d5 44 f9 e8 1d 90 5f f9 c6 05 87 48 c6 05 01 48 c7 c7 80 44 99 8b 31 c0 e8 e8 67 29 f9 <0f> 0b eb 85 0f 1f 40 00 53 48 89 fb e8 f7 8f 5f f9 48 83 c3 a8 48 +RSP: 0018:ffffc9000aa5faa0 EFLAGS: 00010246 +RAX: d6894a925dd15a00 RBX: 00000000ffffffff RCX: 0000000000040000 +RDX: ffffc90005e19000 RSI: 000000000003ffff RDI: 0000000000040000 +RBP: 0000000000000000 R08: ffffffff816a1f42 R09: ffffed1017344f2c +R10: ffffed1017344f2c R11: 0000000000000000 R12: 0000607f462b1358 +R13: 1ffffffff1bfd305 R14: ffffe8ffffcb1358 R15: dffffc0000000000 +FS: 00007f66c71a2700(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f88aaed5058 CR3: 0000000023e0f000 CR4: 00000000003506f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + dst_cache_destroy+0x107/0x1e0 net/core/dst_cache.c:160 + ipip6_dev_free net/ipv6/sit.c:1414 [inline] + sit_init_net+0x229/0x550 net/ipv6/sit.c:1936 + 
ops_init+0x313/0x430 net/core/net_namespace.c:140 + setup_net+0x35b/0x9d0 net/core/net_namespace.c:326 + copy_net_ns+0x359/0x5c0 net/core/net_namespace.c:470 + create_new_namespaces+0x4ce/0xa00 kernel/nsproxy.c:110 + unshare_nsproxy_namespaces+0x11e/0x180 kernel/nsproxy.c:226 + ksys_unshare+0x57d/0xb50 kernel/fork.c:3075 + __do_sys_unshare kernel/fork.c:3146 [inline] + __se_sys_unshare kernel/fork.c:3144 [inline] + __x64_sys_unshare+0x34/0x40 kernel/fork.c:3144 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae +RIP: 0033:0x7f66c882ce99 +Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f66c71a2168 EFLAGS: 00000246 ORIG_RAX: 0000000000000110 +RAX: ffffffffffffffda RBX: 00007f66c893ff60 RCX: 00007f66c882ce99 +RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000048040200 +RBP: 00007f66c8886ff1 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 00007fff6634832f R14: 00007f66c71a2300 R15: 0000000000022000 + + +Fixes: cf124db566e6 ("net: Fix inconsistent teardown and release of private netdev state.") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Link: https://lore.kernel.org/r/20211216111741.1387540-1-eric.dumazet@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/sit.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c +index ef0c7a7c18e23..626cb53aa57ab 100644 +--- a/net/ipv6/sit.c ++++ b/net/ipv6/sit.c +@@ -1933,7 +1933,6 @@ static int __net_init sit_init_net(struct net *net) + return 0; + + err_reg_dev: +- ipip6_dev_free(sitn->fb_tunnel_dev); + free_netdev(sitn->fb_tunnel_dev); + err_alloc_dev: + return err; +-- +2.33.0 + 
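Review bot: After this removal the `err_reg_dev` path releases the device with `free_netdev()` alone, which is only correct because, as the commit message explains, `register_netdevice()` has already run `dev->priv_destructor` (`ipip6_dev_free`) on failure; nothing in the code records that. A comment on the label, such as `/* register failure already ran ipip6_dev_free() via priv_destructor */`, would guard against the second call being reintroduced and the dst refcount underflow returning. If any `goto err_reg_dev` is reached before registration is attempted it would now skip the destructor; sit_init_net() begins outside the hunk, so that cannot be checked here.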
diff --git a/queue-5.15/soc-imx-register-soc-device-only-on-i.mx-boards.patch b/queue-5.15/soc-imx-register-soc-device-only-on-i.mx-boards.patch
new file mode 100644
index 00000000000..fad4336273f
--- /dev/null
+++ b/queue-5.15/soc-imx-register-soc-device-only-on-i.mx-boards.patch
@@ -0,0 +1,65 @@ +From 985a7cb3a5dded254e89b1594fe53153cddcde1b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Dec 2021 12:38:28 +0100 +Subject: soc: imx: Register SoC device only on i.MX boards + +From: Stephan Gerhold + +[ Upstream commit 4ebd29f91629e69da7d57390cdc953772eee03ab ] + +At the moment, using the ARM32 multi_v7_defconfig always results in two +SoCs being exposed in sysfs. This is wrong, as far as I'm aware the +Qualcomm DragonBoard 410c does not actually make use of a i.MX SoC. :) + + qcom-db410c:/sys/devices/soc0$ grep . * + family:Freescale i.MX + machine:Qualcomm Technologies, Inc. APQ 8016 SBC + revision:0.0 + serial_number:0000000000000000 + soc_id:Unknown + + qcom-db410c:/sys/devices/soc1$ grep . * + family:Snapdragon + machine:APQ8016 + ... + +This happens because imx_soc_device_init() registers the soc device +unconditionally, even when running on devices that do not make use of i.MX. +Arnd already reported this more than a year ago and even suggested a fix +similar to this commit, but for some reason it was never submitted. + +Fix it by checking if the "__mxc_cpu_type" variable was actually +initialized by earlier platform code. On devices without i.MX it will +simply stay 0. 
+ +Cc: Peng Fan +Fixes: d2199b34871b ("ARM: imx: use device_initcall for imx_soc_device_init") +Reported-by: Arnd Bergmann +Link: https://lore.kernel.org/r/CAK8P3a0hxO1TmK6oOMQ70AHSWJnP_CAq57YMOutrxkSYNjFeuw@mail.gmail.com/ +Signed-off-by: Stephan Gerhold +Reviewed-by: Fabio Estevam +Reviewed-by: Peng Fan +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + drivers/soc/imx/soc-imx.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/soc/imx/soc-imx.c b/drivers/soc/imx/soc-imx.c +index ac6d856ba228d..77bc12039c3d4 100644 +--- a/drivers/soc/imx/soc-imx.c ++++ b/drivers/soc/imx/soc-imx.c +@@ -36,6 +36,10 @@ static int __init imx_soc_device_init(void) + int ret; + int i; + ++ /* Return early if this is running on devices with different SoCs */ ++ if (!__mxc_cpu_type) ++ return 0; ++ + if (of_machine_is_compatible("fsl,ls1021a")) + return 0; + +-- +2.33.0 + diff --git a/queue-5.15/soc-tegra-fuse-fix-bitwise-vs.-logical-or-warning.patch b/queue-5.15/soc-tegra-fuse-fix-bitwise-vs.-logical-or-warning.patch new file mode 100644 index 00000000000..ff6c337fbb9 --- /dev/null +++ b/queue-5.15/soc-tegra-fuse-fix-bitwise-vs.-logical-or-warning.patch 
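Review bot: The new early return in `imx_soc_device_init()` relies on `__mxc_cpu_type` having been set by platform code before this initcall runs, an ordering the added comment does not mention. A more precise wording would be `/* __mxc_cpu_type is set by i.MX platform init; 0 means this is not an i.MX SoC */`. With this guard in place the `of_machine_is_compatible("fsl,ls1021a")` check just below may have become redundant, but that depends on whether LS1021A platform code sets the variable, which the hunk does not show.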
@@ -0,0 +1,76 @@ +From 5e77a18ac83fe917875b6317d6265ad26eed46ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Dec 2021 09:55:29 -0700 +Subject: soc/tegra: fuse: Fix bitwise vs. logical OR warning +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nathan Chancellor + +[ Upstream commit a7083763619f7485ccdade160deb81737cf2732f ] + +A new warning in clang points out two instances where boolean +expressions are being used with a bitwise OR instead of logical OR: + +drivers/soc/tegra/fuse/speedo-tegra20.c:72:9: warning: use of bitwise '|' with boolean operands [-Wbitwise-instead-of-logical] + reg = tegra_fuse_read_spare(i) | + ^~~~~~~~~~~~~~~~~~~~~~~~~~ + || +drivers/soc/tegra/fuse/speedo-tegra20.c:72:9: note: cast one or both operands to int to silence this warning +drivers/soc/tegra/fuse/speedo-tegra20.c:87:9: warning: use of bitwise '|' with boolean operands [-Wbitwise-instead-of-logical] + reg = tegra_fuse_read_spare(i) | + ^~~~~~~~~~~~~~~~~~~~~~~~~~ + || +drivers/soc/tegra/fuse/speedo-tegra20.c:87:9: note: cast one or both operands to int to silence this warning +2 warnings generated. + +The motivation for the warning is that logical operations short circuit +while bitwise operations do not. + +In this instance, tegra_fuse_read_spare() is not semantically returning +a boolean, it is returning a bit value. Use u32 for its return type so +that it can be used with either bitwise or boolean operators without any +warnings. 
+ +Fixes: 25cd5a391478 ("ARM: tegra: Add speedo-based process identification") +Link: https://github.com/ClangBuiltLinux/linux/issues/1488 +Suggested-by: Michał Mirosław +Signed-off-by: Nathan Chancellor +Reviewed-by: Nick Desaulniers +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/soc/tegra/fuse/fuse-tegra.c | 2 +- + drivers/soc/tegra/fuse/fuse.h | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/soc/tegra/fuse/fuse-tegra.c b/drivers/soc/tegra/fuse/fuse-tegra.c +index f2151815db585..e714ed3b61bc3 100644 +--- a/drivers/soc/tegra/fuse/fuse-tegra.c ++++ b/drivers/soc/tegra/fuse/fuse-tegra.c +@@ -320,7 +320,7 @@ static struct platform_driver tegra_fuse_driver = { + }; + builtin_platform_driver(tegra_fuse_driver); + +-bool __init tegra_fuse_read_spare(unsigned int spare) ++u32 __init tegra_fuse_read_spare(unsigned int spare) + { + unsigned int offset = fuse->soc->info->spare + spare * 4; + +diff --git a/drivers/soc/tegra/fuse/fuse.h b/drivers/soc/tegra/fuse/fuse.h +index de58feba04350..ecff0c08e9595 100644 +--- a/drivers/soc/tegra/fuse/fuse.h ++++ b/drivers/soc/tegra/fuse/fuse.h +@@ -65,7 +65,7 @@ struct tegra_fuse { + void tegra_init_revision(void); + void tegra_init_apbmisc(void); + +-bool __init tegra_fuse_read_spare(unsigned int spare); ++u32 __init tegra_fuse_read_spare(unsigned int spare); + u32 __init tegra_fuse_read_early(unsigned int offset); + + u8 tegra_get_major_rev(void); +-- +2.33.0 + diff --git a/queue-5.15/tee-amdtee-fix-an-is_err-vs-null-bug.patch b/queue-5.15/tee-amdtee-fix-an-is_err-vs-null-bug.patch new file mode 100644 index 00000000000..7390dc2b338 --- /dev/null +++ b/queue-5.15/tee-amdtee-fix-an-is_err-vs-null-bug.patch 
@@ -0,0 +1,40 @@
+From 34e7341d6fc4351d9d96ae81f1a6dc34fa60452f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 24 Nov 2021 17:54:04 +0300
+Subject: tee: amdtee: fix an IS_ERR() vs NULL bug
+
+From: Dan Carpenter
+
+[ Upstream commit 9d7482771fac8d8e38e763263f2ca0ca12dd22c6 ]
+
+The __get_free_pages() function does not return error pointers it returns
+NULL so fix this condition to avoid a NULL dereference.
+
+Fixes: 757cc3e9ff1d ("tee: add AMD-TEE driver")
+Signed-off-by: Dan Carpenter
+Acked-by: Rijo Thomas
+Signed-off-by: Jens Wiklander
+Signed-off-by: Sasha Levin
+---
+ drivers/tee/amdtee/core.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/tee/amdtee/core.c b/drivers/tee/amdtee/core.c
+index da6b88e80dc07..297dc62bca298 100644
+--- a/drivers/tee/amdtee/core.c
++++ b/drivers/tee/amdtee/core.c
+@@ -203,9 +203,8 @@ static int copy_ta_binary(struct tee_context *ctx, void *ptr, void **ta,
+
+ *ta_size = roundup(fw->size, PAGE_SIZE);
+ *ta = (void *)__get_free_pages(GFP_KERNEL, get_order(*ta_size));
+- if (IS_ERR(*ta)) {
+- pr_err("%s: get_free_pages failed 0x%llx\n", __func__,
+- (u64)*ta);
++ if (!*ta) {
++ pr_err("%s: get_free_pages failed\n", __func__);
+ rc = -ENOMEM;
+ goto rel_fw;
+ }
+--
+2.33.0
+
diff --git a/queue-5.15/vdpa-consider-device-id-larger-than-31.patch b/queue-5.15/vdpa-consider-device-id-larger-than-31.patch
new file mode 100644
index 00000000000..e85082dc431
--- /dev/null
+++ b/queue-5.15/vdpa-consider-device-id-larger-than-31.patch
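Review bot: The retained `pr_err("%s: get_free_pages failed\n", __func__);` is an out-of-memory message after an allocator call, which kernel style and checkpatch treat as unnecessary because the page allocator already warns on failure unless `__GFP_NOWARN` is passed. With the pointer value removed the message carries nothing beyond the function name, so the branch could shrink to `if (!*ta) {`, `rc = -ENOMEM;`, `goto rel_fw;`. copy_ta_binary() starts and ends outside the hunk.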
@@ -0,0 +1,41 @@
+From 53e50ac8c9028f5e34971169cca1d01aeeba4d3f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 30 Nov 2021 06:29:49 +0200
+Subject: vdpa: Consider device id larger than 31
+
+From: Parav Pandit
+
+[ Upstream commit bb47620be322c5e9e372536cb6b54e17b3a00258 ]
+
+virtio device id value can be more than 31. Hence, use BIT_ULL in
+assignment.
+
+Fixes: 33b347503f01 ("vdpa: Define vdpa mgmt device, ops and a netlink interface")
+Reported-by: kernel test robot
+Reported-by: Dan Carpenter
+Signed-off-by: Parav Pandit
+Acked-by: Jason Wang
+Link: https://lore.kernel.org/r/20211130042949.88958-1-parav@nvidia.com
+Signed-off-by: Michael S. Tsirkin
+Signed-off-by: Sasha Levin
+---
+ drivers/vdpa/vdpa.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/vdpa/vdpa.c b/drivers/vdpa/vdpa.c
+index 1dc121a07a934..12bf3d16a40ff 100644
+--- a/drivers/vdpa/vdpa.c
++++ b/drivers/vdpa/vdpa.c
+@@ -353,7 +353,8 @@ static int vdpa_mgmtdev_fill(const struct vdpa_mgmt_dev *mdev, struct sk_buff *m
+ goto msg_err;
+
+ while (mdev->id_table[i].device) {
+- supported_classes |= BIT(mdev->id_table[i].device);
++ if (mdev->id_table[i].device <= 63)
++ supported_classes |= BIT_ULL(mdev->id_table[i].device);
+ i++;
+ }
+
+--
+2.33.0
+
diff --git a/queue-5.15/virtio-always-enter-drivers-virtio.patch b/queue-5.15/virtio-always-enter-drivers-virtio.patch
new file mode 100644
index 00000000000..682df85f3ab
--- /dev/null
+++ b/queue-5.15/virtio-always-enter-drivers-virtio.patch
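Review bot: The bound `<= 63` in the new guard is a bare constant tied to the width of `supported_classes`, whose declaration is outside this hunk; if that variable is narrower than 64 bits the `BIT_ULL()` result is truncated on assignment. Deriving the limit from the type, for example `if (mdev->id_table[i].device < BITS_PER_TYPE(u64))`, keeps the shift in range without a magic number. Device ids above the limit are now silently left out of the reported classes, which deserves a one-line comment such as `/* ids that do not fit the 64-bit class mask are not reported */`.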
@@ -0,0 +1,60 @@
+From 402ebeefb6703809f6d5c3502036aa7071655bb2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 6 Dec 2021 09:50:18 +0100
+Subject: virtio: always enter drivers/virtio/
+
+From: Arnd Bergmann
+
+[ Upstream commit 27d9839f17940e8edc475df616bbd9cf7ede8d05 ]
+
+When neither VIRTIO_PCI_LIB nor VIRTIO are enabled, but the alibaba
+vdpa driver is, the kernel runs into a link error because the legacy
+virtio module never gets built:
+
+x86_64-linux-ld: drivers/vdpa/alibaba/eni_vdpa.o: in function `eni_vdpa_set_features':
+eni_vdpa.c:(.text+0x23f): undefined reference to `vp_legacy_set_features'
+x86_64-linux-ld: drivers/vdpa/alibaba/eni_vdpa.o: in function `eni_vdpa_set_vq_state':
+eni_vdpa.c:(.text+0x2fe): undefined reference to `vp_legacy_get_queue_enable'
+x86_64-linux-ld: drivers/vdpa/alibaba/eni_vdpa.o: in function `eni_vdpa_set_vq_address':
+eni_vdpa.c:(.text+0x376): undefined reference to `vp_legacy_set_queue_address'
+x86_64-linux-ld: drivers/vdpa/alibaba/eni_vdpa.o: in function `eni_vdpa_set_vq_ready':
+eni_vdpa.c:(.text+0x3b4): undefined reference to `vp_legacy_set_queue_address'
+x86_64-linux-ld: drivers/vdpa/alibaba/eni_vdpa.o: in function `eni_vdpa_free_irq':
+eni_vdpa.c:(.text+0x460): undefined reference to `vp_legacy_queue_vector'
+x86_64-linux-ld: eni_vdpa.c:(.text+0x4b7): undefined reference to `vp_legacy_config_vector'
+x86_64-linux-ld: drivers/vdpa/alibaba/eni_vdpa.o: in function `eni_vdpa_reset':
+
+When VIRTIO_PCI_LIB was added, it was correctly added to drivers/Makefile
+as well, but for the legacy module, this is missing. Solve this by always
+entering drivers/virtio during the build and letting its Makefile take
+care of the individual options, rather than having a separate line for
+each sub-option.
+
+Fixes: 64b9f64f80a6 ("vdpa: introduce virtio pci driver")
+Fixes: e85087beedca ("eni_vdpa: add vDPA driver for Alibaba ENI")
+Fixes: d89c8169bd70 ("virtio-pci: introduce legacy device module")
+Signed-off-by: Arnd Bergmann
+Link: https://lore.kernel.org/r/20211206085034.2836099-1-arnd@kernel.org
+Signed-off-by: Michael S. Tsirkin
+Signed-off-by: Sasha Levin
+---
+ drivers/Makefile | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/Makefile b/drivers/Makefile
+index be5d40ae14882..a110338c860c7 100644
+--- a/drivers/Makefile
++++ b/drivers/Makefile
+@@ -41,8 +41,7 @@ obj-$(CONFIG_DMADEVICES) += dma/
+ # SOC specific infrastructure drivers.
+ obj-y += soc/
+
+-obj-$(CONFIG_VIRTIO) += virtio/
+-obj-$(CONFIG_VIRTIO_PCI_LIB) += virtio/
++obj-y += virtio/
+ obj-$(CONFIG_VDPA) += vdpa/
+ obj-$(CONFIG_XEN) += xen/
+
+--
+2.33.0
+
diff --git a/queue-5.15/virtio-vsock-fix-the-transport-to-work-with-vmaddr_c.patch b/queue-5.15/virtio-vsock-fix-the-transport-to-work-with-vmaddr_c.patch
new file mode 100644
index 00000000000..03118addfc3
--- /dev/null
+++ b/queue-5.15/virtio-vsock-fix-the-transport-to-work-with-vmaddr_c.patch
@@ -0,0 +1,62 @@
+From b4a58f46aa93caf177bdf88082a89c4ead20472d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 25 Nov 2021 20:18:23 -0500
+Subject: virtio/vsock: fix the transport to work with VMADDR_CID_ANY
+
+From: Wei Wang
+
+[ Upstream commit 1db8f5fc2e5c66a5c51e1f6488e0ba7d45c29ae4 ]
+
+The VMADDR_CID_ANY flag used by a socket means that the socket isn't bound
+to any specific CID. For example, a host vsock server may want to be bound
+with VMADDR_CID_ANY, so that a guest vsock client can connect to the host
+server with CID=VMADDR_CID_HOST (i.e. 2), and meanwhile, a host vsock
+client can connect to the same local server with CID=VMADDR_CID_LOCAL
+(i.e. 1).
+
+The current implementation sets the destination socket's svm_cid to a
+fixed CID value after the first client's connection, which isn't an
+expected operation. For example, if the guest client first connects to the
+host server, the server's svm_cid gets set to VMADDR_CID_HOST, then other
+host clients won't be able to connect to the server anymore.
+
+Reproduce steps:
+1. Run the host server:
+ socat VSOCK-LISTEN:1234,fork -
+2. Run a guest client to connect to the host server:
+ socat - VSOCK-CONNECT:2:1234
+3. Run a host client to connect to the host server:
+ socat - VSOCK-CONNECT:1:1234
+
+Without this patch, step 3. above fails to connect, and socat complains
+"socat[1720] E connect(5, AF=40 cid:1 port:1234, 16): Connection
+reset by peer".
+With this patch, the above works well.
+
+Fixes: c0cfa2d8a788 ("vsock: add multi-transports support")
+Signed-off-by: Wei Wang
+Link: https://lore.kernel.org/r/20211126011823.1760-1-wei.w.wang@intel.com
+Signed-off-by: Michael S. Tsirkin
+Reviewed-by: Stefano Garzarella
+Signed-off-by: Sasha Levin
+---
+ net/vmw_vsock/virtio_transport_common.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c
+index 59ee1be5a6dd3..ec2c2afbf0d06 100644
+--- a/net/vmw_vsock/virtio_transport_common.c
++++ b/net/vmw_vsock/virtio_transport_common.c
+@@ -1299,7 +1299,8 @@ void virtio_transport_recv_pkt(struct virtio_transport *t,
+ space_available = virtio_transport_space_update(sk, pkt);
+
+ /* Update CID in case it has changed after a transport reset event */
+- vsk->local_addr.svm_cid = dst.svm_cid;
++ if (vsk->local_addr.svm_cid != VMADDR_CID_ANY)
++ vsk->local_addr.svm_cid = dst.svm_cid;
+
+ if (space_available)
+ sk->sk_write_space(sk);
+--
+2.33.0
+
diff --git a/queue-5.15/xsk-do-not-sleep-in-poll-when-need_wakeup-set.patch b/queue-5.15/xsk-do-not-sleep-in-poll-when-need_wakeup-set.patch
new file mode 100644
index 00000000000..6901af3c9a2
--- /dev/null
+++ b/queue-5.15/xsk-do-not-sleep-in-poll-when-need_wakeup-set.patch
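Review bot: The comment above the new check in virtio_transport_recv_pkt() still reads `/* Update CID in case it has changed after a transport reset event */` and does not explain why the update is now conditional. I would extend it to `/* Update CID in case it has changed after a transport reset event; a socket bound to VMADDR_CID_ANY keeps the wildcard so peers using other local CIDs can still reach it */`. `dst` is filled in outside this hunk, presumably from the received packet header, so it is also worth confirming that the value copied into `vsk->local_addr.svm_cid` has been checked against the transport's own CID before this point.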
@@ -0,0 +1,57 @@
+From c294ad4dbcde52cdc3e99b336e1369697074a768 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 14 Dec 2021 11:26:07 +0100
+Subject: xsk: Do not sleep in poll() when need_wakeup set
+
+From: Magnus Karlsson
+
+[ Upstream commit bd0687c18e635b63233dc87f38058cd728802ab4 ]
+
+Do not sleep in poll() when the need_wakeup flag is set. When this
+flag is set, the application needs to explicitly wake up the driver
+with a syscall (poll, recvmsg, sendmsg, etc.) to guarantee that Rx
+and/or Tx processing will be processed promptly. But the current code
+in poll(), sleeps first then wakes up the driver. This means that no
+driver processing will occur (baring any interrupts) until the timeout
+has expired.
+
+Fix this by checking the need_wakeup flag first and if set, wake the
+driver and return to the application. Only if need_wakeup is not set
+should the process sleep if there is a timeout set in the poll() call.
+
+Fixes: 77cd0d7b3f25 ("xsk: add support for need_wakeup flag in AF_XDP rings")
+Reported-by: Keith Wiles
+Signed-off-by: Magnus Karlsson
+Signed-off-by: Daniel Borkmann
+Acked-by: Maciej Fijalkowski
+Link: https://lore.kernel.org/bpf/20211214102607.7677-1-magnus.karlsson@gmail.com
+Signed-off-by: Sasha Levin
+---
+ net/xdp/xsk.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c
+index d6b500dc42084..d942e1bf443d9 100644
+--- a/net/xdp/xsk.c
++++ b/net/xdp/xsk.c
+@@ -692,8 +692,6 @@ static __poll_t xsk_poll(struct file *file, struct socket *sock,
+ struct xdp_sock *xs = xdp_sk(sk);
+ struct xsk_buff_pool *pool;
+
+- sock_poll_wait(file, sock, wait);
+-
+ if (unlikely(!xsk_is_bound(xs)))
+ return mask;
+
+@@ -705,6 +703,8 @@ static __poll_t xsk_poll(struct file *file, struct socket *sock,
+ else
+ /* Poll needs to drive Tx also in copy mode */
+ __xsk_sendmsg(sk);
++ } else {
++ sock_poll_wait(file, sock, wait);
+ }
+
+ if (xs->rx && !xskq_prod_is_empty(xs->rx))
+--
+2.33.0
+
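Review bot: With `sock_poll_wait(file, sock, wait)` moved into the new `else` branch of xsk_poll(), a call that takes the wakeup branch, or returns early at `if (unlikely(!xsk_is_bound(xs)))`, no longer registers the caller on the socket's wait queue. sock_poll_wait() only registers the waiter and does not block by itself, so when such a call finds no ready ring and returns an empty mask, the poll core can sleep for the whole timeout without being woken by a later Rx or Tx completion. The `if` that pairs with the new `else` sits between the two hunks and is not visible, so this is inferred from the shown lines. Keeping the registration unconditional at the top, with a comment like `/* registers the waiter only; does not sleep */`, would avoid the missed wakeup while still kicking the driver first.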