From: Sasha Levin Date: Sun, 28 Aug 2022 14:31:00 +0000 (-0400) Subject: Fixes for 5.15 X-Git-Tag: v5.10.140~35 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7c6bd27f31dcabaa105b6d7fafecd96287c9836a;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.15 Signed-off-by: Sasha Levin --- diff --git a/queue-5.15/af_key-do-not-call-xfrm_probe_algs-in-parallel.patch b/queue-5.15/af_key-do-not-call-xfrm_probe_algs-in-parallel.patch new file mode 100644 index 00000000000..5dad4ee0185 --- /dev/null +++ b/queue-5.15/af_key-do-not-call-xfrm_probe_algs-in-parallel.patch @@ -0,0 +1,42 @@ +From bf07d4b20775f64eb594f6dfa85edd15065936a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Aug 2022 18:03:46 +0800 +Subject: af_key: Do not call xfrm_probe_algs in parallel + +From: Herbert Xu + +[ Upstream commit ba953a9d89a00c078b85f4b190bc1dde66fe16b5 ] + +When namespace support was added to xfrm/afkey, it caused the +previously single-threaded call to xfrm_probe_algs to become +multi-threaded. This is buggy and needs to be fixed with a mutex. + +Reported-by: Abhishek Shah +Fixes: 283bc9f35bbb ("xfrm: Namespacify xfrm state/policy locks") +Signed-off-by: Herbert Xu +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/key/af_key.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/key/af_key.c b/net/key/af_key.c +index d93bde6573593..53cca90191586 100644 +--- a/net/key/af_key.c ++++ b/net/key/af_key.c +@@ -1697,9 +1697,12 @@ static int pfkey_register(struct sock *sk, struct sk_buff *skb, const struct sad + pfk->registered |= (1<sadb_msg_satype); + } + ++ mutex_lock(&pfkey_mutex); + xfrm_probe_algs(); + + supp_skb = compose_sadb_supported(hdr, GFP_KERNEL | __GFP_ZERO); ++ mutex_unlock(&pfkey_mutex); ++ + if (!supp_skb) { + if (hdr->sadb_msg_satype != SADB_SATYPE_UNSPEC) + pfk->registered &= ~(1<sadb_msg_satype); +-- +2.35.1 + diff --git a/queue-5.15/bnxt_en-fix-nq-resource-accounting-during-vf-creatio.patch b/queue-5.15/bnxt_en-fix-nq-resource-accounting-during-vf-creatio.patch new file mode 100644 index 00000000000..e6e0ec1bc4e --- /dev/null +++ b/queue-5.15/bnxt_en-fix-nq-resource-accounting-during-vf-creatio.patch @@ -0,0 +1,44 @@ +From eba0b38ebfad187629d14e68f63f0ad9f70992b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Aug 2022 11:06:53 -0400 +Subject: bnxt_en: fix NQ resource accounting during vf creation on 57500 chips + +From: Vikas Gupta + +[ Upstream commit 09a89cc59ad67794a11e1d3dd13c5b3172adcc51 ] + +There are 2 issues: + +1. We should decrement hw_resc->max_nqs instead of hw_resc->max_irqs + with the number of NQs assigned to the VFs. The IRQs are fixed + on each function and cannot be re-assigned. Only the NQs are being + assigned to the VFs. + +2. vf_msix is the total number of NQs to be assigned to the VFs. So + we should decrement vf_msix from hw_resc->max_nqs. + +Fixes: b16b68918674 ("bnxt_en: Add SR-IOV support for 57500 chips.") +Signed-off-by: Vikas Gupta +Signed-off-by: Michael Chan +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c +index 70d8ca3039dcb..78763f5027d10 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c +@@ -623,7 +623,7 @@ static int bnxt_hwrm_func_vf_resc_cfg(struct bnxt *bp, int num_vfs, bool reset) + hw_resc->max_stat_ctxs -= le16_to_cpu(req->min_stat_ctx) * n; + hw_resc->max_vnics -= le16_to_cpu(req->min_vnics) * n; + if (bp->flags & BNXT_FLAG_CHIP_P5) +- hw_resc->max_irqs -= vf_msix * n; ++ hw_resc->max_nqs -= vf_msix; + + rc = pf->active_vfs; + } +-- +2.35.1 + diff --git a/queue-5.15/bonding-802.3ad-fix-no-transmission-of-lacpdus.patch b/queue-5.15/bonding-802.3ad-fix-no-transmission-of-lacpdus.patch new file mode 100644 index 00000000000..051e7eed67e --- /dev/null +++ b/queue-5.15/bonding-802.3ad-fix-no-transmission-of-lacpdus.patch @@ -0,0 +1,137 @@ +From 5e3325abd3c554a05c2e78d530c728ed8934e630 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Aug 2022 11:15:13 -0400 +Subject: bonding: 802.3ad: fix no transmission of LACPDUs + +From: Jonathan Toppins + +[ Upstream commit d745b5062ad2b5da90a5e728d7ca884fc07315fd ] + +This is caused by the global variable ad_ticks_per_sec being zero as +demonstrated by the reproducer script discussed below. This causes +all timer values in __ad_timer_to_ticks to be zero, resulting +in the periodic timer to never fire. + +To reproduce: +Run the script in +`tools/testing/selftests/drivers/net/bonding/bond-break-lacpdu-tx.sh` which +puts bonding into a state where it never transmits LACPDUs. + +line 44: ip link add fbond type bond mode 4 miimon 200 \ + xmit_hash_policy 1 ad_actor_sys_prio 65535 lacp_rate fast +setting bond param: ad_actor_sys_prio +given: + params.ad_actor_system = 0 +call stack: + bond_option_ad_actor_sys_prio() + -> bond_3ad_update_ad_actor_settings() + -> set ad.system.sys_priority = bond->params.ad_actor_sys_prio + -> ad.system.sys_mac_addr = bond->dev->dev_addr; because + params.ad_actor_system == 0 +results: + ad.system.sys_mac_addr = bond->dev->dev_addr + +line 48: ip link set fbond address 52:54:00:3B:7C:A6 +setting bond MAC addr +call stack: + bond->dev->dev_addr = new_mac + +line 52: ip link set fbond type bond ad_actor_sys_prio 65535 +setting bond param: ad_actor_sys_prio +given: + params.ad_actor_system = 0 +call stack: + bond_option_ad_actor_sys_prio() + -> bond_3ad_update_ad_actor_settings() + -> set ad.system.sys_priority = bond->params.ad_actor_sys_prio + -> ad.system.sys_mac_addr = bond->dev->dev_addr; because + params.ad_actor_system == 0 +results: + ad.system.sys_mac_addr = bond->dev->dev_addr + +line 60: ip link set veth1-bond down master fbond +given: + params.ad_actor_system = 0 + params.mode = BOND_MODE_8023AD + ad.system.sys_mac_addr == bond->dev->dev_addr +call stack: + bond_enslave + -> bond_3ad_initialize(); because first slave + -> if ad.system.sys_mac_addr != bond->dev->dev_addr + return +results: + Nothing is run in bond_3ad_initialize() because dev_addr equals + sys_mac_addr leaving the global ad_ticks_per_sec zero as it is + never initialized anywhere else. + +The if check around the contents of bond_3ad_initialize() is no longer +needed due to commit 5ee14e6d336f ("bonding: 3ad: apply ad_actor settings +changes immediately") which sets ad.system.sys_mac_addr if any one of +the bonding parameters whos set function calls +bond_3ad_update_ad_actor_settings(). This is because if +ad.system.sys_mac_addr is zero it will be set to the current bond mac +address, this causes the if check to never be true. + +Fixes: 5ee14e6d336f ("bonding: 3ad: apply ad_actor settings changes immediately") +Signed-off-by: Jonathan Toppins +Acked-by: Jay Vosburgh +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_3ad.c | 38 ++++++++++++++-------------------- + 1 file changed, 16 insertions(+), 22 deletions(-) + +diff --git a/drivers/net/bonding/bond_3ad.c b/drivers/net/bonding/bond_3ad.c +index d7fb33c078e81..1f0120cbe9e80 100644 +--- a/drivers/net/bonding/bond_3ad.c ++++ b/drivers/net/bonding/bond_3ad.c +@@ -2007,30 +2007,24 @@ void bond_3ad_initiate_agg_selection(struct bonding *bond, int timeout) + */ + void bond_3ad_initialize(struct bonding *bond, u16 tick_resolution) + { +- /* check that the bond is not initialized yet */ +- if (!MAC_ADDRESS_EQUAL(&(BOND_AD_INFO(bond).system.sys_mac_addr), +- bond->dev->dev_addr)) { +- +- BOND_AD_INFO(bond).aggregator_identifier = 0; +- +- BOND_AD_INFO(bond).system.sys_priority = +- bond->params.ad_actor_sys_prio; +- if (is_zero_ether_addr(bond->params.ad_actor_system)) +- BOND_AD_INFO(bond).system.sys_mac_addr = +- *((struct mac_addr *)bond->dev->dev_addr); +- else +- BOND_AD_INFO(bond).system.sys_mac_addr = +- *((struct mac_addr *)bond->params.ad_actor_system); ++ BOND_AD_INFO(bond).aggregator_identifier = 0; ++ BOND_AD_INFO(bond).system.sys_priority = ++ bond->params.ad_actor_sys_prio; ++ if (is_zero_ether_addr(bond->params.ad_actor_system)) ++ BOND_AD_INFO(bond).system.sys_mac_addr = ++ *((struct mac_addr *)bond->dev->dev_addr); ++ else ++ BOND_AD_INFO(bond).system.sys_mac_addr = ++ *((struct mac_addr *)bond->params.ad_actor_system); + +- /* initialize how many times this module is called in one +- * second (should be about every 100ms) +- */ +- ad_ticks_per_sec = tick_resolution; ++ /* initialize how many times this module is called in one ++ * second (should be about every 100ms) ++ */ ++ ad_ticks_per_sec = tick_resolution; + +- bond_3ad_initiate_agg_selection(bond, +- AD_AGGREGATOR_SELECTION_TIMER * +- ad_ticks_per_sec); +- } ++ bond_3ad_initiate_agg_selection(bond, ++ AD_AGGREGATOR_SELECTION_TIMER * ++ ad_ticks_per_sec); + } + + /** +-- +2.35.1 + diff --git a/queue-5.15/btrfs-pass-the-dentry-to-btrfs_log_new_name-instead-.patch b/queue-5.15/btrfs-pass-the-dentry-to-btrfs_log_new_name-instead-.patch new file mode 100644 index 00000000000..bcc6d7db95c --- /dev/null +++ b/queue-5.15/btrfs-pass-the-dentry-to-btrfs_log_new_name-instead-.patch @@ -0,0 +1,116 @@ +From a4654f060ca3aaa50af16b3fd785ac98e99d4f17 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Jan 2022 11:00:07 +0000 +Subject: btrfs: pass the dentry to btrfs_log_new_name() instead of the inode + +From: Filipe Manana + +[ Upstream commit d5f5bd546552a94eefd68c42f40f778c40a89d2c ] + +In the next patch in the series, there will be the need to access the old +name, and its length, of an inode when logging the inode during a rename. +So instead of passing the inode to btrfs_log_new_name() pass the dentry, +because from the dentry we can get the inode, the name and its length. + +This will avoid passing 3 new parameters to btrfs_log_new_name() in the +next patch - the name, its length and an index number. This way we end +up passing only 1 new parameter, the index number. + +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/inode.c | 8 ++++---- + fs/btrfs/tree-log.c | 19 +++++++++++++++---- + fs/btrfs/tree-log.h | 2 +- + 3 files changed, 20 insertions(+), 9 deletions(-) + +diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c +index 26a4acb856a38..428a56f248bba 100644 +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -6952,7 +6952,7 @@ static int btrfs_link(struct dentry *old_dentry, struct inode *dir, + goto fail; + } + d_instantiate(dentry, inode); +- btrfs_log_new_name(trans, BTRFS_I(inode), NULL, parent); ++ btrfs_log_new_name(trans, old_dentry, NULL, parent); + } + + fail: +@@ -9621,13 +9621,13 @@ static int btrfs_rename_exchange(struct inode *old_dir, + BTRFS_I(new_inode)->dir_index = new_idx; + + if (root_log_pinned) { +- btrfs_log_new_name(trans, BTRFS_I(old_inode), BTRFS_I(old_dir), ++ btrfs_log_new_name(trans, old_dentry, BTRFS_I(old_dir), + new_dentry->d_parent); + btrfs_end_log_trans(root); + root_log_pinned = false; + } + if (dest_log_pinned) { +- btrfs_log_new_name(trans, BTRFS_I(new_inode), BTRFS_I(new_dir), ++ btrfs_log_new_name(trans, new_dentry, BTRFS_I(new_dir), + old_dentry->d_parent); + btrfs_end_log_trans(dest); + dest_log_pinned = false; +@@ -9908,7 +9908,7 @@ static int btrfs_rename(struct user_namespace *mnt_userns, + BTRFS_I(old_inode)->dir_index = index; + + if (log_pinned) { +- btrfs_log_new_name(trans, BTRFS_I(old_inode), BTRFS_I(old_dir), ++ btrfs_log_new_name(trans, old_dentry, BTRFS_I(old_dir), + new_dentry->d_parent); + btrfs_end_log_trans(root); + log_pinned = false; +diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c +index e9e1aae89030a..1d7e9812f55e1 100644 +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -6628,14 +6628,25 @@ void btrfs_record_snapshot_destroy(struct btrfs_trans_handle *trans, + mutex_unlock(&dir->log_mutex); + } + +-/* +- * Call this after adding a new name for a file and it will properly +- * update the log to reflect the new name. ++/** ++ * Update the log after adding a new name for an inode. ++ * ++ * @trans: Transaction handle. ++ * @old_dentry: The dentry associated with the old name and the old ++ * parent directory. ++ * @old_dir: The inode of the previous parent directory for the case ++ * of a rename. For a link operation, it must be NULL. ++ * @parent: The dentry associated with the directory under which the ++ * new name is located. ++ * ++ * Call this after adding a new name for an inode, as a result of a link or ++ * rename operation, and it will properly update the log to reflect the new name. + */ + void btrfs_log_new_name(struct btrfs_trans_handle *trans, +- struct btrfs_inode *inode, struct btrfs_inode *old_dir, ++ struct dentry *old_dentry, struct btrfs_inode *old_dir, + struct dentry *parent) + { ++ struct btrfs_inode *inode = BTRFS_I(d_inode(old_dentry)); + struct btrfs_log_ctx ctx; + + /* +diff --git a/fs/btrfs/tree-log.h b/fs/btrfs/tree-log.h +index 731bd9c029f55..7ffcac8a89905 100644 +--- a/fs/btrfs/tree-log.h ++++ b/fs/btrfs/tree-log.h +@@ -84,7 +84,7 @@ void btrfs_record_unlink_dir(struct btrfs_trans_handle *trans, + void btrfs_record_snapshot_destroy(struct btrfs_trans_handle *trans, + struct btrfs_inode *dir); + void btrfs_log_new_name(struct btrfs_trans_handle *trans, +- struct btrfs_inode *inode, struct btrfs_inode *old_dir, ++ struct dentry *old_dentry, struct btrfs_inode *old_dir, + struct dentry *parent); + + #endif +-- +2.35.1 + diff --git a/queue-5.15/btrfs-put-initial-index-value-of-a-directory-in-a-co.patch b/queue-5.15/btrfs-put-initial-index-value-of-a-directory-in-a-co.patch new file mode 100644 index 00000000000..86903ccc296 --- /dev/null +++ b/queue-5.15/btrfs-put-initial-index-value-of-a-directory-in-a-co.patch @@ -0,0 +1,86 @@ +From b98bf60ba7f3f2a51fd3ffa649259d93fdf58fc1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Dec 2021 12:19:59 +0000 +Subject: btrfs: put initial index value of a directory in a constant + +From: Filipe Manana + +[ Upstream commit 528ee697126fddaff448897c2d649bd756153c79 ] + +At btrfs_set_inode_index_count() we refer twice to the number 2 as the +initial index value for a directory (when it's empty), with a proper +comment explaining the reason for that value. In the next patch I'll +have to use that magic value in the directory logging code, so put +the value in a #define at btrfs_inode.h, to avoid hardcoding the +magic value again at tree-log.c. + +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/btrfs_inode.h | 12 ++++++++++-- + fs/btrfs/inode.c | 10 ++-------- + 2 files changed, 12 insertions(+), 10 deletions(-) + +diff --git a/fs/btrfs/btrfs_inode.h b/fs/btrfs/btrfs_inode.h +index 76ee1452c57ba..37ceea85b871c 100644 +--- a/fs/btrfs/btrfs_inode.h ++++ b/fs/btrfs/btrfs_inode.h +@@ -13,6 +13,13 @@ + #include "ordered-data.h" + #include "delayed-inode.h" + ++/* ++ * Since we search a directory based on f_pos (struct dir_context::pos) we have ++ * to start at 2 since '.' and '..' have f_pos of 0 and 1 respectively, so ++ * everybody else has to start at 2 (see btrfs_real_readdir() and dir_emit_dots()). ++ */ ++#define BTRFS_DIR_START_INDEX 2 ++ + /* + * ordered_data_close is set by truncate when a file that used + * to have good data has been truncated to zero. When it is set +@@ -164,8 +171,9 @@ struct btrfs_inode { + u64 disk_i_size; + + /* +- * if this is a directory then index_cnt is the counter for the index +- * number for new files that are created ++ * If this is a directory then index_cnt is the counter for the index ++ * number for new files that are created. For an empty directory, this ++ * must be initialized to BTRFS_DIR_START_INDEX. + */ + u64 index_cnt; + +diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c +index ac6ba984973c0..26a4acb856a38 100644 +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -6396,14 +6396,8 @@ static int btrfs_set_inode_index_count(struct btrfs_inode *inode) + goto out; + ret = 0; + +- /* +- * MAGIC NUMBER EXPLANATION: +- * since we search a directory based on f_pos we have to start at 2 +- * since '.' and '..' have f_pos of 0 and 1 respectively, so everybody +- * else has to start at 2 +- */ + if (path->slots[0] == 0) { +- inode->index_cnt = 2; ++ inode->index_cnt = BTRFS_DIR_START_INDEX; + goto out; + } + +@@ -6414,7 +6408,7 @@ static int btrfs_set_inode_index_count(struct btrfs_inode *inode) + + if (found_key.objectid != btrfs_ino(inode) || + found_key.type != BTRFS_DIR_INDEX_KEY) { +- inode->index_cnt = 2; ++ inode->index_cnt = BTRFS_DIR_START_INDEX; + goto out; + } + +-- +2.35.1 + diff --git a/queue-5.15/btrfs-remove-unnecessary-parameter-delalloc_start-fo.patch b/queue-5.15/btrfs-remove-unnecessary-parameter-delalloc_start-fo.patch new file mode 100644 index 00000000000..4c18cdeb139 --- /dev/null +++ b/queue-5.15/btrfs-remove-unnecessary-parameter-delalloc_start-fo.patch @@ -0,0 +1,77 @@ +From 94387fc302212882a1e1528e9416e80d2ed23b89 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Sep 2021 15:21:44 +0800 +Subject: btrfs: remove unnecessary parameter delalloc_start for + writepage_delalloc() + +From: Qu Wenruo + +[ Upstream commit cf3075fb36c6a98ea890f4a50b4419ff2fff9a2f ] + +In function __extent_writepage() we always pass page start to +@delalloc_start for writepage_delalloc(). + +Thus we don't really need @delalloc_start parameter as we can extract it +from @page. + +Remove @delalloc_start parameter and make __extent_writepage() to +declare @page_start and @page_end as const. + +Signed-off-by: Qu Wenruo +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/extent_io.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c +index 41862045b3de3..a72a8d4d4a72e 100644 +--- a/fs/btrfs/extent_io.c ++++ b/fs/btrfs/extent_io.c +@@ -3780,10 +3780,11 @@ static void update_nr_written(struct writeback_control *wbc, + */ + static noinline_for_stack int writepage_delalloc(struct btrfs_inode *inode, + struct page *page, struct writeback_control *wbc, +- u64 delalloc_start, unsigned long *nr_written) ++ unsigned long *nr_written) + { +- u64 page_end = delalloc_start + PAGE_SIZE - 1; ++ u64 page_end = page_offset(page) + PAGE_SIZE - 1; + bool found; ++ u64 delalloc_start = page_offset(page); + u64 delalloc_to_write = 0; + u64 delalloc_end = 0; + int ret; +@@ -4068,8 +4069,8 @@ static int __extent_writepage(struct page *page, struct writeback_control *wbc, + struct extent_page_data *epd) + { + struct inode *inode = page->mapping->host; +- u64 start = page_offset(page); +- u64 page_end = start + PAGE_SIZE - 1; ++ const u64 page_start = page_offset(page); ++ const u64 page_end = page_start + PAGE_SIZE - 1; + int ret; + int nr = 0; + size_t pg_offset; +@@ -4104,8 +4105,7 @@ static int __extent_writepage(struct page *page, struct writeback_control *wbc, + } + + if (!epd->extent_locked) { +- ret = writepage_delalloc(BTRFS_I(inode), page, wbc, start, +- &nr_written); ++ ret = writepage_delalloc(BTRFS_I(inode), page, wbc, &nr_written); + if (ret == 1) + return 0; + if (ret) +@@ -4155,7 +4155,7 @@ static int __extent_writepage(struct page *page, struct writeback_control *wbc, + * capable of that. + */ + if (PageError(page)) +- end_extent_writepage(page, ret, start, page_end); ++ end_extent_writepage(page, ret, page_start, page_end); + unlock_page(page); + ASSERT(ret <= 0); + return ret; +-- +2.35.1 + diff --git a/queue-5.15/drivers-base-fix-userspace-break-from-using-bin_attr.patch b/queue-5.15/drivers-base-fix-userspace-break-from-using-bin_attr.patch new file mode 100644 index 00000000000..d7bca126ddb --- /dev/null +++ b/queue-5.15/drivers-base-fix-userspace-break-from-using-bin_attr.patch @@ -0,0 +1,178 @@ +From a2f20888fba3056136dd0272c2ff2596b683cb29 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Jul 2022 09:49:24 -0400 +Subject: drivers/base: fix userspace break from using bin_attributes for + cpumap and cpulist + +From: Phil Auld + +[ Upstream commit 7ee951acd31a88f941fd6535fbdee3a1567f1d63 ] + +Using bin_attributes with a 0 size causes fstat and friends to return that +0 size. This breaks userspace code that retrieves the size before reading +the file. Rather than reverting 75bd50fa841 ("drivers/base/node.c: use +bin_attribute to break the size limitation of cpumap ABI") let's put in a +size value at compile time. + +For cpulist the maximum size is on the order of + NR_CPUS * (ceil(log10(NR_CPUS)) + 1)/2 + +which for 8192 is 20480 (8192 * 5)/2. In order to get near that you'd need +a system with every other CPU on one node. For example: (0,2,4,8, ... ). +To simplify the math and support larger NR_CPUS in the future we are using +(NR_CPUS * 7)/2. We also set it to a min of PAGE_SIZE to retain the older +behavior for smaller NR_CPUS. + +The cpumap file the size works out to be NR_CPUS/4 + NR_CPUS/32 - 1 +(or NR_CPUS * 9/32 - 1) including the ","s. + +Add a set of macros for these values to cpumask.h so they can be used in +multiple places. Apply these to the handful of such files in +drivers/base/topology.c as well as node.c. + +As an example, on an 80 cpu 4-node system (NR_CPUS == 8192): + +before: + +-r--r--r--. 1 root root 0 Jul 12 14:08 system/node/node0/cpulist +-r--r--r--. 1 root root 0 Jul 11 17:25 system/node/node0/cpumap + +after: + +-r--r--r--. 1 root root 28672 Jul 13 11:32 system/node/node0/cpulist +-r--r--r--. 1 root root 4096 Jul 13 11:31 system/node/node0/cpumap + +CONFIG_NR_CPUS = 16384 +-r--r--r--. 1 root root 57344 Jul 13 14:03 system/node/node0/cpulist +-r--r--r--. 1 root root 4607 Jul 13 14:02 system/node/node0/cpumap + +The actual number of cpus doesn't matter for the reported size since they +are based on NR_CPUS. + +Fixes: 75bd50fa841d ("drivers/base/node.c: use bin_attribute to break the size limitation of cpumap ABI") +Fixes: bb9ec13d156e ("topology: use bin_attribute to break the size limitation of cpumap ABI") +Cc: Greg Kroah-Hartman +Cc: "Rafael J. Wysocki" +Cc: Yury Norov +Cc: stable@vger.kernel.org +Acked-by: Yury Norov (for include/linux/cpumask.h) +Signed-off-by: Phil Auld +Link: https://lore.kernel.org/r/20220715134924.3466194-1-pauld@redhat.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/base/node.c | 4 ++-- + drivers/base/topology.c | 28 ++++++++++++++-------------- + include/linux/cpumask.h | 18 ++++++++++++++++++ + 3 files changed, 34 insertions(+), 16 deletions(-) + +diff --git a/drivers/base/node.c b/drivers/base/node.c +index 0f5319b79fadc..5366d1b5359c8 100644 +--- a/drivers/base/node.c ++++ b/drivers/base/node.c +@@ -45,7 +45,7 @@ static inline ssize_t cpumap_read(struct file *file, struct kobject *kobj, + return n; + } + +-static BIN_ATTR_RO(cpumap, 0); ++static BIN_ATTR_RO(cpumap, CPUMAP_FILE_MAX_BYTES); + + static inline ssize_t cpulist_read(struct file *file, struct kobject *kobj, + struct bin_attribute *attr, char *buf, +@@ -66,7 +66,7 @@ static inline ssize_t cpulist_read(struct file *file, struct kobject *kobj, + return n; + } + +-static BIN_ATTR_RO(cpulist, 0); ++static BIN_ATTR_RO(cpulist, CPULIST_FILE_MAX_BYTES); + + /** + * struct node_access_nodes - Access class device to hold user visible +diff --git a/drivers/base/topology.c b/drivers/base/topology.c +index 43c0940643f5d..5df6d861bc21b 100644 +--- a/drivers/base/topology.c ++++ b/drivers/base/topology.c +@@ -52,39 +52,39 @@ define_id_show_func(core_id); + static DEVICE_ATTR_RO(core_id); + + define_siblings_read_func(thread_siblings, sibling_cpumask); +-static BIN_ATTR_RO(thread_siblings, 0); +-static BIN_ATTR_RO(thread_siblings_list, 0); ++static BIN_ATTR_RO(thread_siblings, CPUMAP_FILE_MAX_BYTES); ++static BIN_ATTR_RO(thread_siblings_list, CPULIST_FILE_MAX_BYTES); + + define_siblings_read_func(core_cpus, sibling_cpumask); +-static BIN_ATTR_RO(core_cpus, 0); +-static BIN_ATTR_RO(core_cpus_list, 0); ++static BIN_ATTR_RO(core_cpus, CPUMAP_FILE_MAX_BYTES); ++static BIN_ATTR_RO(core_cpus_list, CPULIST_FILE_MAX_BYTES); + + define_siblings_read_func(core_siblings, core_cpumask); +-static BIN_ATTR_RO(core_siblings, 0); +-static BIN_ATTR_RO(core_siblings_list, 0); ++static BIN_ATTR_RO(core_siblings, CPUMAP_FILE_MAX_BYTES); ++static BIN_ATTR_RO(core_siblings_list, CPULIST_FILE_MAX_BYTES); + + define_siblings_read_func(die_cpus, die_cpumask); +-static BIN_ATTR_RO(die_cpus, 0); +-static BIN_ATTR_RO(die_cpus_list, 0); ++static BIN_ATTR_RO(die_cpus, CPUMAP_FILE_MAX_BYTES); ++static BIN_ATTR_RO(die_cpus_list, CPULIST_FILE_MAX_BYTES); + + define_siblings_read_func(package_cpus, core_cpumask); +-static BIN_ATTR_RO(package_cpus, 0); +-static BIN_ATTR_RO(package_cpus_list, 0); ++static BIN_ATTR_RO(package_cpus, CPUMAP_FILE_MAX_BYTES); ++static BIN_ATTR_RO(package_cpus_list, CPULIST_FILE_MAX_BYTES); + + #ifdef CONFIG_SCHED_BOOK + define_id_show_func(book_id); + static DEVICE_ATTR_RO(book_id); + define_siblings_read_func(book_siblings, book_cpumask); +-static BIN_ATTR_RO(book_siblings, 0); +-static BIN_ATTR_RO(book_siblings_list, 0); ++static BIN_ATTR_RO(book_siblings, CPUMAP_FILE_MAX_BYTES); ++static BIN_ATTR_RO(book_siblings_list, CPULIST_FILE_MAX_BYTES); + #endif + + #ifdef CONFIG_SCHED_DRAWER + define_id_show_func(drawer_id); + static DEVICE_ATTR_RO(drawer_id); + define_siblings_read_func(drawer_siblings, drawer_cpumask); +-static BIN_ATTR_RO(drawer_siblings, 0); +-static BIN_ATTR_RO(drawer_siblings_list, 0); ++static BIN_ATTR_RO(drawer_siblings, CPUMAP_FILE_MAX_BYTES); ++static BIN_ATTR_RO(drawer_siblings_list, CPULIST_FILE_MAX_BYTES); + #endif + + static struct bin_attribute *bin_attrs[] = { +diff --git a/include/linux/cpumask.h b/include/linux/cpumask.h +index 1e7399fc69c0a..054e654f06def 100644 +--- a/include/linux/cpumask.h ++++ b/include/linux/cpumask.h +@@ -1045,4 +1045,22 @@ cpumap_print_list_to_buf(char *buf, const struct cpumask *mask, + [0] = 1UL \ + } } + ++/* ++ * Provide a valid theoretical max size for cpumap and cpulist sysfs files ++ * to avoid breaking userspace which may allocate a buffer based on the size ++ * reported by e.g. fstat. ++ * ++ * for cpumap NR_CPUS * 9/32 - 1 should be an exact length. ++ * ++ * For cpulist 7 is (ceil(log10(NR_CPUS)) + 1) allowing for NR_CPUS to be up ++ * to 2 orders of magnitude larger than 8192. And then we divide by 2 to ++ * cover a worst-case of every other cpu being on one of two nodes for a ++ * very large NR_CPUS. ++ * ++ * Use PAGE_SIZE as a minimum for smaller configurations. ++ */ ++#define CPUMAP_FILE_MAX_BYTES ((((NR_CPUS * 9)/32 - 1) > PAGE_SIZE) \ ++ ? (NR_CPUS * 9)/32 - 1 : PAGE_SIZE) ++#define CPULIST_FILE_MAX_BYTES (((NR_CPUS * 7)/2 > PAGE_SIZE) ? (NR_CPUS * 7)/2 : PAGE_SIZE) ++ + #endif /* __LINUX_CPUMASK_H */ +-- +2.35.1 + diff --git a/queue-5.15/fs-require-cap_sys_admin-in-target-namespace-for-idm.patch b/queue-5.15/fs-require-cap_sys_admin-in-target-namespace-for-idm.patch new file mode 100644 index 00000000000..e9d4cfa761a --- /dev/null +++ b/queue-5.15/fs-require-cap_sys_admin-in-target-namespace-for-idm.patch @@ -0,0 +1,51 @@ +From ded2989c0c35503df1b976c03ecc2ff7e9ec2eae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Aug 2022 11:47:52 -0500 +Subject: fs: require CAP_SYS_ADMIN in target namespace for idmapped mounts + +From: Seth Forshee + +[ Upstream commit bf1ac16edf6770a92bc75cf2373f1f9feea398a4 ] + +Idmapped mounts should not allow a user to map file ownsership into a +range of ids which is not under the control of that user. However, we +currently don't check whether the mounter is privileged wrt to the +target user namespace. + +Currently no FS_USERNS_MOUNT filesystems support idmapped mounts, thus +this is not a problem as only CAP_SYS_ADMIN in init_user_ns is allowed +to set up idmapped mounts. But this could change in the future, so add a +check to refuse to create idmapped mounts when the mounter does not have +CAP_SYS_ADMIN in the target user namespace. + +Fixes: bd303368b776 ("fs: support mapped mounts of mapped filesystems") +Signed-off-by: Seth Forshee +Reviewed-by: Christian Brauner (Microsoft) +Link: https://lore.kernel.org/r/20220816164752.2595240-1-sforshee@digitalocean.com +Signed-off-by: Christian Brauner (Microsoft) +Signed-off-by: Sasha Levin +--- + fs/namespace.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/fs/namespace.c b/fs/namespace.c +index dc31ad6b370f3..d946298691ed4 100644 +--- a/fs/namespace.c ++++ b/fs/namespace.c +@@ -4168,6 +4168,13 @@ static int build_mount_idmapped(const struct mount_attr *attr, size_t usize, + err = -EPERM; + goto out_fput; + } ++ ++ /* We're not controlling the target namespace. */ ++ if (!ns_capable(mnt_userns, CAP_SYS_ADMIN)) { ++ err = -EPERM; ++ goto out_fput; ++ } ++ + kattr->mnt_userns = get_user_ns(mnt_userns); + + out_fput: +-- +2.35.1 + diff --git a/queue-5.15/i40e-fix-incorrect-address-type-for-ipv6-flow-rules.patch b/queue-5.15/i40e-fix-incorrect-address-type-for-ipv6-flow-rules.patch new file mode 100644 index 00000000000..b410554179a --- /dev/null +++ b/queue-5.15/i40e-fix-incorrect-address-type-for-ipv6-flow-rules.patch @@ -0,0 +1,42 @@ +From b9f858f2e1684cc548ed2aff5db341170f0d7df8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Aug 2022 12:45:52 +0200 +Subject: i40e: Fix incorrect address type for IPv6 flow rules + +From: Sylwester Dziedziuch + +[ Upstream commit bcf3a156429306070afbfda5544f2b492d25e75b ] + +It was not possible to create 1-tuple flow director +rule for IPv6 flow type. It was caused by incorrectly +checking for source IP address when validating user provided +destination IP address. + +Fix this by changing ip6src to correct ip6dst address +in destination IP address validation for IPv6 flow type. + +Fixes: efca91e89b67 ("i40e: Add flow director support for IPv6") +Signed-off-by: Sylwester Dziedziuch +Tested-by: Gurucharan (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_ethtool.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c +index 0e13ce9b4d009..669ae53f4c728 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c +@@ -4385,7 +4385,7 @@ static int i40e_check_fdir_input_set(struct i40e_vsi *vsi, + (struct in6_addr *)&ipv6_full_mask)) + new_mask |= I40E_L3_V6_DST_MASK; + else if (ipv6_addr_any((struct in6_addr *) +- &usr_ip6_spec->ip6src)) ++ &usr_ip6_spec->ip6dst)) + new_mask &= ~I40E_L3_V6_DST_MASK; + else + return -EOPNOTSUPP; +-- +2.35.1 + diff --git a/queue-5.15/ice-xsk-force-rings-to-be-sized-to-power-of-2.patch b/queue-5.15/ice-xsk-force-rings-to-be-sized-to-power-of-2.patch new file mode 100644 index 00000000000..31f68d82dd3 --- /dev/null +++ b/queue-5.15/ice-xsk-force-rings-to-be-sized-to-power-of-2.patch @@ -0,0 +1,59 @@ +From d9f7972c00005c0f0ed38d8f41b27c2e01c907d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Jan 2022 17:04:40 +0100 +Subject: ice: xsk: Force rings to be sized to power of 2 + +From: Maciej Fijalkowski + +[ Upstream commit 296f13ff3854535009a185aaf8e3603266d39d94 ] + +With the upcoming introduction of batching to XSK data path, +performance wise it will be the best to have the ring descriptor count +to be aligned to power of 2. + +Check if ring sizes that user is going to attach the XSK socket fulfill +the condition above. For Tx side, although check is being done against +the Tx queue and in the end the socket will be attached to the XDP +queue, it is fine since XDP queues get the ring->count setting from Tx +queues. + +Suggested-by: Alexander Lobakin +Signed-off-by: Maciej Fijalkowski +Signed-off-by: Daniel Borkmann +Reviewed-by: Alexander Lobakin +Acked-by: Magnus Karlsson +Link: https://lore.kernel.org/bpf/20220125160446.78976-3-maciej.fijalkowski@intel.com +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_xsk.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/net/ethernet/intel/ice/ice_xsk.c b/drivers/net/ethernet/intel/ice/ice_xsk.c +index 5581747947e57..0348cc4265034 100644 +--- a/drivers/net/ethernet/intel/ice/ice_xsk.c ++++ b/drivers/net/ethernet/intel/ice/ice_xsk.c +@@ -321,6 +321,13 @@ int ice_xsk_pool_setup(struct ice_vsi *vsi, struct xsk_buff_pool *pool, u16 qid) + bool if_running, pool_present = !!pool; + int ret = 0, pool_failure = 0; + ++ if (!is_power_of_2(vsi->rx_rings[qid]->count) || ++ !is_power_of_2(vsi->tx_rings[qid]->count)) { ++ netdev_err(vsi->netdev, "Please align ring sizes to power of 2\n"); ++ pool_failure = -EINVAL; ++ goto failure; ++ } ++ + if_running = netif_running(vsi->netdev) && ice_is_xdp_ena_vsi(vsi); + + if (if_running) { +@@ -343,6 +350,7 @@ int ice_xsk_pool_setup(struct ice_vsi *vsi, struct xsk_buff_pool *pool, u16 qid) + netdev_err(vsi->netdev, "ice_qp_ena error = %d\n", ret); + } + ++failure: + if (pool_failure) { + netdev_err(vsi->netdev, "Could not %sable buffer pool, error = %d\n", + pool_present ? "en" : "dis", pool_failure); +-- +2.35.1 + diff --git a/queue-5.15/ice-xsk-prohibit-usage-of-non-balanced-queue-id.patch b/queue-5.15/ice-xsk-prohibit-usage-of-non-balanced-queue-id.patch new file mode 100644 index 00000000000..cf4537f82ac --- /dev/null +++ b/queue-5.15/ice-xsk-prohibit-usage-of-non-balanced-queue-id.patch @@ -0,0 +1,115 @@ +From 8380a3963630e53a4367e8ff0f6fecada01a7572 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Aug 2022 20:21:48 +0200 +Subject: ice: xsk: prohibit usage of non-balanced queue id + +From: Maciej Fijalkowski + +[ Upstream commit 5a42f112d367bb4700a8a41f5c12724fde6bfbb9 ] + +Fix the following scenario: +1. ethtool -L $IFACE rx 8 tx 96 +2. xdpsock -q 10 -t -z + +Above refers to a case where user would like to attach XSK socket in +txonly mode at a queue id that does not have a corresponding Rx queue. +At this moment ice's XSK logic is tightly bound to act on a "queue pair", +e.g. both Tx and Rx queues at a given queue id are disabled/enabled and +both of them will get XSK pool assigned, which is broken for the presented +queue configuration. This results in the splat included at the bottom, +which is basically an OOB access to Rx ring array. + +To fix this, allow using the ids only in scope of "combined" queues +reported by ethtool. However, logic should be rewritten to allow such +configurations later on, which would end up as a complete rewrite of the +control path, so let us go with this temporary fix. + +[420160.558008] BUG: kernel NULL pointer dereference, address: 0000000000000082 +[420160.566359] #PF: supervisor read access in kernel mode +[420160.572657] #PF: error_code(0x0000) - not-present page +[420160.579002] PGD 0 P4D 0 +[420160.582756] Oops: 0000 [#1] PREEMPT SMP NOPTI +[420160.588396] CPU: 10 PID: 21232 Comm: xdpsock Tainted: G OE 5.19.0-rc7+ #10 +[420160.597893] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0008.031920191559 03/19/2019 +[420160.609894] RIP: 0010:ice_xsk_pool_setup+0x44/0x7d0 [ice] +[420160.616968] Code: f3 48 83 ec 40 48 8b 4f 20 48 8b 3f 65 48 8b 04 25 28 00 00 00 48 89 44 24 38 31 c0 48 8d 04 ed 00 00 00 00 48 01 c1 48 8b 11 <0f> b7 92 82 00 00 00 48 85 d2 0f 84 2d 75 00 00 48 8d 72 ff 48 85 +[420160.639421] RSP: 0018:ffffc9002d2afd48 EFLAGS: 00010282 +[420160.646650] RAX: 0000000000000050 RBX: ffff88811d8bdd00 RCX: ffff888112c14ff8 +[420160.655893] RDX: 0000000000000000 RSI: ffff88811d8bdd00 RDI: ffff888109861000 +[420160.665166] RBP: 000000000000000a R08: 000000000000000a R09: 0000000000000000 +[420160.674493] R10: 000000000000889f R11: 0000000000000000 R12: 000000000000000a +[420160.683833] R13: 000000000000000a R14: 0000000000000000 R15: ffff888117611828 +[420160.693211] FS: 00007fa869fc1f80(0000) GS:ffff8897e0880000(0000) knlGS:0000000000000000 +[420160.703645] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[420160.711783] CR2: 0000000000000082 CR3: 00000001d076c001 CR4: 00000000007706e0 +[420160.721399] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[420160.731045] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[420160.740707] PKRU: 55555554 +[420160.745960] Call Trace: +[420160.750962] +[420160.755597] ? kmalloc_large_node+0x79/0x90 +[420160.762703] ? __kmalloc_node+0x3f5/0x4b0 +[420160.769341] xp_assign_dev+0xfd/0x210 +[420160.775661] ? shmem_file_read_iter+0x29a/0x420 +[420160.782896] xsk_bind+0x152/0x490 +[420160.788943] __sys_bind+0xd0/0x100 +[420160.795097] ? exit_to_user_mode_prepare+0x20/0x120 +[420160.802801] __x64_sys_bind+0x16/0x20 +[420160.809298] do_syscall_64+0x38/0x90 +[420160.815741] entry_SYSCALL_64_after_hwframe+0x63/0xcd +[420160.823731] RIP: 0033:0x7fa86a0dd2fb +[420160.830264] Code: c3 66 0f 1f 44 00 00 48 8b 15 69 8b 0c 00 f7 d8 64 89 02 b8 ff ff ff ff eb bc 0f 1f 44 00 00 f3 0f 1e fa b8 31 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 3d 8b 0c 00 f7 d8 64 89 01 48 +[420160.855410] RSP: 002b:00007ffc1146f618 EFLAGS: 00000246 ORIG_RAX: 0000000000000031 +[420160.866366] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa86a0dd2fb +[420160.876957] RDX: 0000000000000010 RSI: 00007ffc1146f680 RDI: 0000000000000003 +[420160.887604] RBP: 000055d7113a0520 R08: 00007fa868fb8000 R09: 0000000080000000 +[420160.898293] R10: 0000000000008001 R11: 0000000000000246 R12: 000055d7113a04e0 +[420160.909038] R13: 000055d7113a0320 R14: 000000000000000a R15: 0000000000000000 +[420160.919817] +[420160.925659] Modules linked in: ice(OE) af_packet binfmt_misc nls_iso8859_1 ipmi_ssif intel_rapl_msr intel_rapl_common x86_pkg_temp_thermal intel_powerclamp mei_me coretemp ioatdma mei ipmi_si wmi ipmi_msghandler acpi_pad acpi_power_meter ip_tables x_tables autofs4 ixgbe i40e crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel crypto_simd cryptd ahci mdio dca libahci lpc_ich [last unloaded: ice] +[420160.977576] CR2: 0000000000000082 +[420160.985037] ---[ end trace 0000000000000000 ]--- +[420161.097724] RIP: 0010:ice_xsk_pool_setup+0x44/0x7d0 [ice] +[420161.107341] Code: f3 48 83 ec 40 48 8b 4f 20 48 8b 3f 65 48 8b 04 25 28 00 00 00 48 89 44 24 38 31 c0 48 8d 04 ed 00 00 00 00 48 01 c1 48 8b 11 <0f> b7 92 82 00 00 00 48 85 d2 0f 84 2d 75 00 00 48 8d 72 ff 48 85 +[420161.134741] RSP: 0018:ffffc9002d2afd48 EFLAGS: 00010282 +[420161.144274] RAX: 0000000000000050 RBX: ffff88811d8bdd00 RCX: ffff888112c14ff8 +[420161.155690] RDX: 0000000000000000 RSI: ffff88811d8bdd00 RDI: ffff888109861000 +[420161.168088] RBP: 000000000000000a R08: 000000000000000a R09: 0000000000000000 +[420161.179295] R10: 000000000000889f R11: 0000000000000000 R12: 000000000000000a +[420161.190420] R13: 000000000000000a R14: 0000000000000000 R15: ffff888117611828 +[420161.201505] FS: 00007fa869fc1f80(0000) GS:ffff8897e0880000(0000) knlGS:0000000000000000 +[420161.213628] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[420161.223413] CR2: 0000000000000082 CR3: 00000001d076c001 CR4: 00000000007706e0 +[420161.234653] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[420161.245893] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[420161.257052] PKRU: 55555554 + +Fixes: 2d4238f55697 ("ice: Add support for AF_XDP") +Signed-off-by: Maciej Fijalkowski +Tested-by: George Kuruvinakunnel +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_xsk.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/ethernet/intel/ice/ice_xsk.c b/drivers/net/ethernet/intel/ice/ice_xsk.c +index 0348cc4265034..60d8ef0c88595 100644 +--- a/drivers/net/ethernet/intel/ice/ice_xsk.c ++++ b/drivers/net/ethernet/intel/ice/ice_xsk.c +@@ -321,6 +321,12 @@ int ice_xsk_pool_setup(struct ice_vsi *vsi, struct xsk_buff_pool *pool, u16 qid) + bool if_running, pool_present = !!pool; + int ret = 0, pool_failure = 0; + ++ if (qid >= vsi->num_rxq || qid >= vsi->num_txq) { ++ netdev_err(vsi->netdev, "Please use queue id in scope of combined queues count\n"); ++ pool_failure = -EINVAL; ++ goto failure; ++ } ++ + if (!is_power_of_2(vsi->rx_rings[qid]->count) || + !is_power_of_2(vsi->tx_rings[qid]->count)) { + netdev_err(vsi->netdev, "Please align ring sizes to power of 2\n"); +-- +2.35.1 + diff --git a/queue-5.15/input-i8042-add-additional-tuxedo-devices-to-i8042-q.patch b/queue-5.15/input-i8042-add-additional-tuxedo-devices-to-i8042-q.patch new file mode 100644 index 00000000000..5b9a940f199 --- /dev/null +++ b/queue-5.15/input-i8042-add-additional-tuxedo-devices-to-i8042-q.patch @@ -0,0 +1,124 @@ +From 91afacd973ba17563fd488dfb0aa402cda7be675 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Jul 2022 13:17:38 -0700 +Subject: Input: i8042 - add additional TUXEDO devices to i8042 quirk tables + +From: Werner Sembach + +[ Upstream commit 436d219069628f0f0ed27f606224d4ee02a0ca17 ] + +A lot of modern Clevo barebones have touchpad and/or keyboard issues after +suspend fixable with nomux + reset + noloop + nopnp. Luckily, none of them +have an external PS/2 port so this can safely be set for all of them. + +I'm not entirely sure if every device listed really needs all four quirks, +but after testing and production use. No negative effects could be +observed when setting all four. + +Signed-off-by: Werner Sembach +Reviewed-by: Hans de Goede +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20220708161005.1251929-2-wse@tuxedocomputers.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/serio/i8042-x86ia64io.h | 76 ++++++++++++++++++++++++--- + 1 file changed, 68 insertions(+), 8 deletions(-) + +diff --git a/drivers/input/serio/i8042-x86ia64io.h b/drivers/input/serio/i8042-x86ia64io.h +index 184d7c30f732f..4b0201cf71f5e 100644 +--- a/drivers/input/serio/i8042-x86ia64io.h ++++ b/drivers/input/serio/i8042-x86ia64io.h +@@ -900,14 +900,6 @@ static const struct dmi_system_id i8042_dmi_quirk_table[] __initconst = { + }, + .driver_data = (void *)(SERIO_QUIRK_NOMUX) + }, +- { +- /* Clevo P650RS, 650RP6, Sager NP8152-S, and others */ +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Notebook"), +- DMI_MATCH(DMI_PRODUCT_NAME, "P65xRP"), +- }, +- .driver_data = (void *)(SERIO_QUIRK_RESET_ALWAYS) +- }, + { + /* OQO Model 01 */ + .matches = { +@@ -1162,6 +1154,74 @@ static const struct dmi_system_id i8042_dmi_quirk_table[] __initconst = { + .driver_data = (void *)(SERIO_QUIRK_NOMUX | SERIO_QUIRK_RESET_ALWAYS | + SERIO_QUIRK_NOLOOP | SERIO_QUIRK_NOPNP) + }, ++ { ++ /* ++ * This is only a partial board_name and might be followed by ++ * another letter or number. DMI_MATCH however does do partial ++ * matching. ++ */ ++ .matches = { ++ DMI_MATCH(DMI_PRODUCT_NAME, "P65xH"), ++ }, ++ .driver_data = (void *)(SERIO_QUIRK_NOMUX | SERIO_QUIRK_RESET_ALWAYS | ++ SERIO_QUIRK_NOLOOP | SERIO_QUIRK_NOPNP) ++ }, ++ { ++ /* Clevo P650RS, 650RP6, Sager NP8152-S, and others */ ++ .matches = { ++ DMI_MATCH(DMI_PRODUCT_NAME, "P65xRP"), ++ }, ++ .driver_data = (void *)(SERIO_QUIRK_NOMUX | SERIO_QUIRK_RESET_ALWAYS | ++ SERIO_QUIRK_NOLOOP | SERIO_QUIRK_NOPNP) ++ }, ++ { ++ /* ++ * This is only a partial board_name and might be followed by ++ * another letter or number. DMI_MATCH however does do partial ++ * matching. ++ */ ++ .matches = { ++ DMI_MATCH(DMI_PRODUCT_NAME, "P65_P67H"), ++ }, ++ .driver_data = (void *)(SERIO_QUIRK_NOMUX | SERIO_QUIRK_RESET_ALWAYS | ++ SERIO_QUIRK_NOLOOP | SERIO_QUIRK_NOPNP) ++ }, ++ { ++ /* ++ * This is only a partial board_name and might be followed by ++ * another letter or number. DMI_MATCH however does do partial ++ * matching. ++ */ ++ .matches = { ++ DMI_MATCH(DMI_PRODUCT_NAME, "P65_67RP"), ++ }, ++ .driver_data = (void *)(SERIO_QUIRK_NOMUX | SERIO_QUIRK_RESET_ALWAYS | ++ SERIO_QUIRK_NOLOOP | SERIO_QUIRK_NOPNP) ++ }, ++ { ++ /* ++ * This is only a partial board_name and might be followed by ++ * another letter or number. DMI_MATCH however does do partial ++ * matching. ++ */ ++ .matches = { ++ DMI_MATCH(DMI_PRODUCT_NAME, "P65_67RS"), ++ }, ++ .driver_data = (void *)(SERIO_QUIRK_NOMUX | SERIO_QUIRK_RESET_ALWAYS | ++ SERIO_QUIRK_NOLOOP | SERIO_QUIRK_NOPNP) ++ }, ++ { ++ /* ++ * This is only a partial board_name and might be followed by ++ * another letter or number. DMI_MATCH however does do partial ++ * matching. ++ */ ++ .matches = { ++ DMI_MATCH(DMI_PRODUCT_NAME, "P67xRP"), ++ }, ++ .driver_data = (void *)(SERIO_QUIRK_NOMUX | SERIO_QUIRK_RESET_ALWAYS | ++ SERIO_QUIRK_NOLOOP | SERIO_QUIRK_NOPNP) ++ }, + { + .matches = { + DMI_MATCH(DMI_BOARD_NAME, "PB50_70DFx,DDx"), +-- +2.35.1 + diff --git a/queue-5.15/input-i8042-add-tuxedo-devices-to-i8042-quirk-tables.patch b/queue-5.15/input-i8042-add-tuxedo-devices-to-i8042-quirk-tables.patch new file mode 100644 index 00000000000..cb1ddd2f79c --- /dev/null +++ b/queue-5.15/input-i8042-add-tuxedo-devices-to-i8042-quirk-tables.patch @@ -0,0 +1,186 @@ +From 9280bfe8f855751d435780b4f7e8379518e431a0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Jun 2022 17:38:52 -0700 +Subject: Input: i8042 - add TUXEDO devices to i8042 quirk tables + +From: Werner Sembach + +[ Upstream commit a6a87c36165e6791eeaed88025cde270536c3198 ] + +A lot of modern Clevo barebones have touchpad and/or keyboard issues after +suspend fixable with nomux + reset + noloop + nopnp. Luckily, none of them +have an external PS/2 port so this can safely be set for all of them. + +I'm not entirely sure if every device listed really needs all four quirks, +but after testing and production use. No negative effects could be +observed when setting all four. + +The list is quite massive as neither the TUXEDO nor the Clevo dmi strings +have been very consistent historically. I tried to keep the list as short +as possible without risking on missing an affected device. + +This is revision 3. The Clevo N150CU barebone is still removed as it might +have problems with the fix and needs further investigations. The +SchenkerTechnologiesGmbH System-/Board-Vendor string variations are +added. This is now based in the quirk table refactor. This now also +includes the additional noaux flag for the NS7xMU. + +Signed-off-by: Werner Sembach +Reviewed-by: Hans de Goede +Link: https://lore.kernel.org/r/20220629112725.12922-5-wse@tuxedocomputers.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/serio/i8042-x86ia64io.h | 129 ++++++++++++++++++++++++++ + 1 file changed, 129 insertions(+) + +diff --git a/drivers/input/serio/i8042-x86ia64io.h b/drivers/input/serio/i8042-x86ia64io.h +index 1d2b34aac0c7f..184d7c30f732f 100644 +--- a/drivers/input/serio/i8042-x86ia64io.h ++++ b/drivers/input/serio/i8042-x86ia64io.h +@@ -1025,6 +1025,29 @@ static const struct dmi_system_id i8042_dmi_quirk_table[] __initconst = { + }, + .driver_data = (void *)(SERIO_QUIRK_NOMUX) + }, ++ /* ++ * A lot of modern Clevo barebones have touchpad and/or keyboard issues ++ * after suspend fixable with nomux + reset + noloop + nopnp. Luckily, ++ * none of them have an external PS/2 port so this can safely be set for ++ * all of them. These two are based on a Clevo design, but have the ++ * board_name changed. ++ */ ++ { ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "TUXEDO"), ++ DMI_MATCH(DMI_BOARD_NAME, "AURA1501"), ++ }, ++ .driver_data = (void *)(SERIO_QUIRK_NOMUX | SERIO_QUIRK_RESET_ALWAYS | ++ SERIO_QUIRK_NOLOOP | SERIO_QUIRK_NOPNP) ++ }, ++ { ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "TUXEDO"), ++ DMI_MATCH(DMI_BOARD_NAME, "EDUBOOK1502"), ++ }, ++ .driver_data = (void *)(SERIO_QUIRK_NOMUX | SERIO_QUIRK_RESET_ALWAYS | ++ SERIO_QUIRK_NOLOOP | SERIO_QUIRK_NOPNP) ++ }, + { + /* Mivvy M310 */ + .matches = { +@@ -1054,6 +1077,112 @@ static const struct dmi_system_id i8042_dmi_quirk_table[] __initconst = { + }, + .driver_data = (void *)(SERIO_QUIRK_NOLOOP) + }, ++ /* ++ * A lot of modern Clevo barebones have touchpad and/or keyboard issues ++ * after suspend fixable with nomux + reset + noloop + nopnp. Luckily, ++ * none of them have an external PS/2 port so this can safely be set for ++ * all of them. ++ * Clevo barebones come with board_vendor and/or system_vendor set to ++ * either the very generic string "Notebook" and/or a different value ++ * for each individual reseller. The only somewhat universal way to ++ * identify them is by board_name. ++ */ ++ { ++ .matches = { ++ DMI_MATCH(DMI_BOARD_NAME, "LAPQC71A"), ++ }, ++ .driver_data = (void *)(SERIO_QUIRK_NOMUX | SERIO_QUIRK_RESET_ALWAYS | ++ SERIO_QUIRK_NOLOOP | SERIO_QUIRK_NOPNP) ++ }, ++ { ++ .matches = { ++ DMI_MATCH(DMI_BOARD_NAME, "LAPQC71B"), ++ }, ++ .driver_data = (void *)(SERIO_QUIRK_NOMUX | SERIO_QUIRK_RESET_ALWAYS | ++ SERIO_QUIRK_NOLOOP | SERIO_QUIRK_NOPNP) ++ }, ++ { ++ .matches = { ++ DMI_MATCH(DMI_BOARD_NAME, "N140CU"), ++ }, ++ .driver_data = (void *)(SERIO_QUIRK_NOMUX | SERIO_QUIRK_RESET_ALWAYS | ++ SERIO_QUIRK_NOLOOP | SERIO_QUIRK_NOPNP) ++ }, ++ { ++ .matches = { ++ DMI_MATCH(DMI_BOARD_NAME, "N141CU"), ++ }, ++ .driver_data = (void *)(SERIO_QUIRK_NOMUX | SERIO_QUIRK_RESET_ALWAYS | ++ SERIO_QUIRK_NOLOOP | SERIO_QUIRK_NOPNP) ++ }, ++ { ++ .matches = { ++ DMI_MATCH(DMI_BOARD_NAME, "NH5xAx"), ++ }, ++ .driver_data = (void *)(SERIO_QUIRK_NOMUX | SERIO_QUIRK_RESET_ALWAYS | ++ SERIO_QUIRK_NOLOOP | SERIO_QUIRK_NOPNP) ++ }, ++ { ++ .matches = { ++ DMI_MATCH(DMI_BOARD_NAME, "NL5xRU"), ++ }, ++ .driver_data = (void *)(SERIO_QUIRK_NOMUX | SERIO_QUIRK_RESET_ALWAYS | ++ SERIO_QUIRK_NOLOOP | SERIO_QUIRK_NOPNP) ++ }, ++ /* ++ * At least one modern Clevo barebone has the touchpad connected both ++ * via PS/2 and i2c interface. This causes a race condition between the ++ * psmouse and i2c-hid driver. Since the full capability of the touchpad ++ * is available via the i2c interface and the device has no external ++ * PS/2 port, it is safe to just ignore all ps2 mouses here to avoid ++ * this issue. The known affected device is the ++ * TUXEDO InfinityBook S17 Gen6 / Clevo NS70MU which comes with one of ++ * the two different dmi strings below. NS50MU is not a typo! ++ */ ++ { ++ .matches = { ++ DMI_MATCH(DMI_BOARD_NAME, "NS50MU"), ++ }, ++ .driver_data = (void *)(SERIO_QUIRK_NOAUX | SERIO_QUIRK_NOMUX | ++ SERIO_QUIRK_RESET_ALWAYS | SERIO_QUIRK_NOLOOP | ++ SERIO_QUIRK_NOPNP) ++ }, ++ { ++ .matches = { ++ DMI_MATCH(DMI_BOARD_NAME, "NS50_70MU"), ++ }, ++ .driver_data = (void *)(SERIO_QUIRK_NOAUX | SERIO_QUIRK_NOMUX | ++ SERIO_QUIRK_RESET_ALWAYS | SERIO_QUIRK_NOLOOP | ++ SERIO_QUIRK_NOPNP) ++ }, ++ { ++ .matches = { ++ DMI_MATCH(DMI_BOARD_NAME, "NJ50_70CU"), ++ }, ++ .driver_data = (void *)(SERIO_QUIRK_NOMUX | SERIO_QUIRK_RESET_ALWAYS | ++ SERIO_QUIRK_NOLOOP | SERIO_QUIRK_NOPNP) ++ }, ++ { ++ .matches = { ++ DMI_MATCH(DMI_BOARD_NAME, "PB50_70DFx,DDx"), ++ }, ++ .driver_data = (void *)(SERIO_QUIRK_NOMUX | SERIO_QUIRK_RESET_ALWAYS | ++ SERIO_QUIRK_NOLOOP | SERIO_QUIRK_NOPNP) ++ }, ++ { ++ .matches = { ++ DMI_MATCH(DMI_BOARD_NAME, "X170SM"), ++ }, ++ .driver_data = (void *)(SERIO_QUIRK_NOMUX | SERIO_QUIRK_RESET_ALWAYS | ++ SERIO_QUIRK_NOLOOP | SERIO_QUIRK_NOPNP) ++ }, ++ { ++ .matches = { ++ DMI_MATCH(DMI_BOARD_NAME, "X170KM-G"), ++ }, ++ .driver_data = (void *)(SERIO_QUIRK_NOMUX | SERIO_QUIRK_RESET_ALWAYS | ++ SERIO_QUIRK_NOLOOP | SERIO_QUIRK_NOPNP) ++ }, + { } + }; + +-- +2.35.1 + diff --git a/queue-5.15/input-i8042-merge-quirk-tables.patch b/queue-5.15/input-i8042-merge-quirk-tables.patch new file mode 100644 index 00000000000..8a5ffb6076e --- /dev/null +++ b/queue-5.15/input-i8042-merge-quirk-tables.patch @@ -0,0 +1,1652 @@ +From a884e02e6f931a28b105dfdd8b3b0ac95e43f617 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Jun 2022 17:38:07 -0700 +Subject: Input: i8042 - merge quirk tables + +From: Werner Sembach + +[ Upstream commit ff946268a0813c35b790dfbe07c3bfaa7bfb869c ] + +Merge i8042 quirk tables to reduce code duplication for devices that need +more than one quirk. Before every quirk had its own table with devices +needing that quirk. If a new quirk needed to be added a new table had to +be created. When a device needed multiple quirks, it appeared in multiple +tables. Now only one table called i8042_dmi_quirk_table exists. In it every +device has one entry and required quirks are coded in the .driver_data +field of the struct dmi_system_id used by this table. Multiple quirks for +one device can be applied by bitwise-or of the new SERIO_QUIRK_* defines. + +Also align quirkable options with command line parameters and make vendor +wide quirks per device overwriteable on a per device basis. The first match +is honored while following matches are ignored. So when a vendor wide quirk +is defined in the table, a device can inserted before and therefore +ignoring the vendor wide define. + +Signed-off-by: Werner Sembach +Reviewed-by: Hans de Goede +Link: https://lore.kernel.org/r/20220629112725.12922-3-wse@tuxedocomputers.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/serio/i8042-x86ia64io.h | 1100 +++++++++++++------------ + 1 file changed, 595 insertions(+), 505 deletions(-) + +diff --git a/drivers/input/serio/i8042-x86ia64io.h b/drivers/input/serio/i8042-x86ia64io.h +index 91c6f24b48375..1d2b34aac0c7f 100644 +--- a/drivers/input/serio/i8042-x86ia64io.h ++++ b/drivers/input/serio/i8042-x86ia64io.h +@@ -67,654 +67,735 @@ static inline void i8042_write_command(int val) + + #include + +-static const struct dmi_system_id __initconst i8042_dmi_noloop_table[] = { ++#define SERIO_QUIRK_NOKBD BIT(0) ++#define SERIO_QUIRK_NOAUX BIT(1) ++#define SERIO_QUIRK_NOMUX BIT(2) ++#define SERIO_QUIRK_FORCEMUX BIT(3) ++#define SERIO_QUIRK_UNLOCK BIT(4) ++#define SERIO_QUIRK_PROBE_DEFER BIT(5) ++#define SERIO_QUIRK_RESET_ALWAYS BIT(6) ++#define SERIO_QUIRK_RESET_NEVER BIT(7) ++#define SERIO_QUIRK_DIECT BIT(8) ++#define SERIO_QUIRK_DUMBKBD BIT(9) ++#define SERIO_QUIRK_NOLOOP BIT(10) ++#define SERIO_QUIRK_NOTIMEOUT BIT(11) ++#define SERIO_QUIRK_KBDRESET BIT(12) ++#define SERIO_QUIRK_DRITEK BIT(13) ++#define SERIO_QUIRK_NOPNP BIT(14) ++ ++/* Quirk table for different mainboards. Options similar or identical to i8042 ++ * module parameters. ++ * ORDERING IS IMPORTANT! The first match will be apllied and the rest ignored. ++ * This allows entries to overwrite vendor wide quirks on a per device basis. ++ * Where this is irrelevant, entries are sorted case sensitive by DMI_SYS_VENDOR ++ * and/or DMI_BOARD_VENDOR to make it easier to avoid dublicate entries. ++ */ ++static const struct dmi_system_id i8042_dmi_quirk_table[] __initconst = { + { +- /* +- * Arima-Rioworks HDAMB - +- * AUX LOOP command does not raise AUX IRQ +- */ + .matches = { +- DMI_MATCH(DMI_BOARD_VENDOR, "RIOWORKS"), +- DMI_MATCH(DMI_BOARD_NAME, "HDAMB"), +- DMI_MATCH(DMI_BOARD_VERSION, "Rev E"), ++ DMI_MATCH(DMI_SYS_VENDOR, "ALIENWARE"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Sentia"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOMUX) + }, + { +- /* ASUS G1S */ + .matches = { +- DMI_MATCH(DMI_BOARD_VENDOR, "ASUSTeK Computer Inc."), +- DMI_MATCH(DMI_BOARD_NAME, "G1S"), +- DMI_MATCH(DMI_BOARD_VERSION, "1.0"), ++ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "X750LN"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOLOOP) + }, + { +- /* ASUS P65UP5 - AUX LOOP command does not raise AUX IRQ */ ++ /* Asus X450LCP */ + .matches = { +- DMI_MATCH(DMI_BOARD_VENDOR, "ASUSTeK Computer INC."), +- DMI_MATCH(DMI_BOARD_NAME, "P/I-P65UP5"), +- DMI_MATCH(DMI_BOARD_VERSION, "REV 2.X"), ++ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "X450LCP"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOMUX | SERIO_QUIRK_RESET_NEVER) + }, + { ++ /* ASUS ZenBook UX425UA */ + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), +- DMI_MATCH(DMI_PRODUCT_NAME, "X750LN"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "ZenBook UX425UA"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_PROBE_DEFER | SERIO_QUIRK_RESET_NEVER) + }, + { ++ /* ASUS ZenBook UM325UA */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Compaq"), +- DMI_MATCH(DMI_PRODUCT_NAME , "ProLiant"), +- DMI_MATCH(DMI_PRODUCT_VERSION, "8500"), ++ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "ZenBook UX325UA_UM325UA"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_PROBE_DEFER | SERIO_QUIRK_RESET_NEVER) + }, ++ /* ++ * On some Asus laptops, just running self tests cause problems. ++ */ + { + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Compaq"), +- DMI_MATCH(DMI_PRODUCT_NAME , "ProLiant"), +- DMI_MATCH(DMI_PRODUCT_VERSION, "DL760"), ++ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), ++ DMI_MATCH(DMI_CHASSIS_TYPE, "10"), /* Notebook */ + }, ++ .driver_data = (void *)(SERIO_QUIRK_RESET_NEVER) + }, + { +- /* Dell Embedded Box PC 3000 */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), +- DMI_MATCH(DMI_PRODUCT_NAME, "Embedded Box PC 3000"), ++ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), ++ DMI_MATCH(DMI_CHASSIS_TYPE, "31"), /* Convertible Notebook */ + }, ++ .driver_data = (void *)(SERIO_QUIRK_RESET_NEVER) + }, + { +- /* OQO Model 01 */ ++ /* ASUS P65UP5 - AUX LOOP command does not raise AUX IRQ */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "OQO"), +- DMI_MATCH(DMI_PRODUCT_NAME, "ZEPTO"), +- DMI_MATCH(DMI_PRODUCT_VERSION, "00"), ++ DMI_MATCH(DMI_BOARD_VENDOR, "ASUSTeK Computer INC."), ++ DMI_MATCH(DMI_BOARD_NAME, "P/I-P65UP5"), ++ DMI_MATCH(DMI_BOARD_VERSION, "REV 2.X"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOLOOP) + }, + { +- /* ULI EV4873 - AUX LOOP does not work properly */ ++ /* ASUS G1S */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "ULI"), +- DMI_MATCH(DMI_PRODUCT_NAME, "EV4873"), +- DMI_MATCH(DMI_PRODUCT_VERSION, "5a"), ++ DMI_MATCH(DMI_BOARD_VENDOR, "ASUSTeK Computer Inc."), ++ DMI_MATCH(DMI_BOARD_NAME, "G1S"), ++ DMI_MATCH(DMI_BOARD_VERSION, "1.0"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOLOOP) + }, + { +- /* Microsoft Virtual Machine */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Microsoft Corporation"), +- DMI_MATCH(DMI_PRODUCT_NAME, "Virtual Machine"), +- DMI_MATCH(DMI_PRODUCT_VERSION, "VS2005R2"), ++ DMI_MATCH(DMI_SYS_VENDOR, "Acer"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Aspire 1360"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOMUX) + }, + { +- /* Medion MAM 2070 */ ++ /* Acer Aspire 5710 */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Notebook"), +- DMI_MATCH(DMI_PRODUCT_NAME, "MAM 2070"), +- DMI_MATCH(DMI_PRODUCT_VERSION, "5a"), ++ DMI_MATCH(DMI_SYS_VENDOR, "Acer"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Aspire 5710"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOMUX) + }, + { +- /* Medion Akoya E7225 */ ++ /* Acer Aspire 7738 */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Medion"), +- DMI_MATCH(DMI_PRODUCT_NAME, "Akoya E7225"), +- DMI_MATCH(DMI_PRODUCT_VERSION, "1.0"), ++ DMI_MATCH(DMI_SYS_VENDOR, "Acer"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Aspire 7738"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOMUX) + }, + { +- /* Blue FB5601 */ ++ /* Acer Aspire 5536 */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "blue"), +- DMI_MATCH(DMI_PRODUCT_NAME, "FB5601"), +- DMI_MATCH(DMI_PRODUCT_VERSION, "M606"), ++ DMI_MATCH(DMI_SYS_VENDOR, "Acer"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Aspire 5536"), ++ DMI_MATCH(DMI_PRODUCT_VERSION, "0100"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOMUX) + }, + { +- /* Gigabyte M912 */ ++ /* ++ * Acer Aspire 5738z ++ * Touchpad stops working in mux mode when dis- + re-enabled ++ * with the touchpad enable/disable toggle hotkey ++ */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "GIGABYTE"), +- DMI_MATCH(DMI_PRODUCT_NAME, "M912"), +- DMI_MATCH(DMI_PRODUCT_VERSION, "01"), ++ DMI_MATCH(DMI_SYS_VENDOR, "Acer"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Aspire 5738"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOMUX) + }, + { +- /* Gigabyte M1022M netbook */ ++ /* Acer Aspire One 150 */ + .matches = { +- DMI_MATCH(DMI_BOARD_VENDOR, "Gigabyte Technology Co.,Ltd."), +- DMI_MATCH(DMI_BOARD_NAME, "M1022E"), +- DMI_MATCH(DMI_BOARD_VERSION, "1.02"), ++ DMI_MATCH(DMI_SYS_VENDOR, "Acer"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "AOA150"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_RESET_ALWAYS) + }, + { +- /* Gigabyte Spring Peak - defines wrong chassis type */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "GIGABYTE"), +- DMI_MATCH(DMI_PRODUCT_NAME, "Spring Peak"), ++ DMI_MATCH(DMI_SYS_VENDOR, "Acer"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Aspire A114-31"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_RESET_ALWAYS) + }, + { +- /* Gigabyte T1005 - defines wrong chassis type ("Other") */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "GIGABYTE"), +- DMI_MATCH(DMI_PRODUCT_NAME, "T1005"), ++ DMI_MATCH(DMI_SYS_VENDOR, "Acer"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Aspire A314-31"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_RESET_ALWAYS) + }, + { +- /* Gigabyte T1005M/P - defines wrong chassis type ("Other") */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "GIGABYTE"), +- DMI_MATCH(DMI_PRODUCT_NAME, "T1005M/P"), ++ DMI_MATCH(DMI_SYS_VENDOR, "Acer"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Aspire A315-31"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_RESET_ALWAYS) + }, + { + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Hewlett-Packard"), +- DMI_MATCH(DMI_PRODUCT_NAME, "HP Pavilion dv9700"), +- DMI_MATCH(DMI_PRODUCT_VERSION, "Rev 1"), ++ DMI_MATCH(DMI_SYS_VENDOR, "Acer"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Aspire ES1-132"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_RESET_ALWAYS) + }, + { + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "PEGATRON CORPORATION"), +- DMI_MATCH(DMI_PRODUCT_NAME, "C15B"), ++ DMI_MATCH(DMI_SYS_VENDOR, "Acer"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Aspire ES1-332"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_RESET_ALWAYS) + }, + { + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "ByteSpeed LLC"), +- DMI_MATCH(DMI_PRODUCT_NAME, "ByteSpeed Laptop C15B"), ++ DMI_MATCH(DMI_SYS_VENDOR, "Acer"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Aspire ES1-432"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_RESET_ALWAYS) + }, +- { } +-}; +- +-/* +- * Some Fujitsu notebooks are having trouble with touchpads if +- * active multiplexing mode is activated. Luckily they don't have +- * external PS/2 ports so we can safely disable it. +- * ... apparently some Toshibas don't like MUX mode either and +- * die horrible death on reboot. +- */ +-static const struct dmi_system_id __initconst i8042_dmi_nomux_table[] = { + { +- /* Fujitsu Lifebook P7010/P7010D */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"), +- DMI_MATCH(DMI_PRODUCT_NAME, "P7010"), ++ DMI_MATCH(DMI_SYS_VENDOR, "Acer"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate Spin B118-RN"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_RESET_ALWAYS) + }, ++ /* ++ * Some Wistron based laptops need us to explicitly enable the 'Dritek ++ * keyboard extension' to make their extra keys start generating scancodes. ++ * Originally, this was just confined to older laptops, but a few Acer laptops ++ * have turned up in 2007 that also need this again. ++ */ + { +- /* Fujitsu Lifebook P7010 */ ++ /* Acer Aspire 5100 */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU SIEMENS"), +- DMI_MATCH(DMI_PRODUCT_NAME, "0000000000"), ++ DMI_MATCH(DMI_SYS_VENDOR, "Acer"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Aspire 5100"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_DRITEK) + }, + { +- /* Fujitsu Lifebook P5020D */ ++ /* Acer Aspire 5610 */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"), +- DMI_MATCH(DMI_PRODUCT_NAME, "LifeBook P Series"), ++ DMI_MATCH(DMI_SYS_VENDOR, "Acer"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Aspire 5610"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_DRITEK) + }, + { +- /* Fujitsu Lifebook S2000 */ ++ /* Acer Aspire 5630 */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"), +- DMI_MATCH(DMI_PRODUCT_NAME, "LifeBook S Series"), ++ DMI_MATCH(DMI_SYS_VENDOR, "Acer"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Aspire 5630"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_DRITEK) + }, + { +- /* Fujitsu Lifebook S6230 */ ++ /* Acer Aspire 5650 */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"), +- DMI_MATCH(DMI_PRODUCT_NAME, "LifeBook S6230"), ++ DMI_MATCH(DMI_SYS_VENDOR, "Acer"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Aspire 5650"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_DRITEK) + }, + { +- /* Fujitsu Lifebook T725 laptop */ ++ /* Acer Aspire 5680 */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"), +- DMI_MATCH(DMI_PRODUCT_NAME, "LIFEBOOK T725"), ++ DMI_MATCH(DMI_SYS_VENDOR, "Acer"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Aspire 5680"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_DRITEK) + }, + { +- /* Fujitsu Lifebook U745 */ ++ /* Acer Aspire 5720 */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"), +- DMI_MATCH(DMI_PRODUCT_NAME, "LIFEBOOK U745"), ++ DMI_MATCH(DMI_SYS_VENDOR, "Acer"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Aspire 5720"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_DRITEK) + }, + { +- /* Fujitsu T70H */ ++ /* Acer Aspire 9110 */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"), +- DMI_MATCH(DMI_PRODUCT_NAME, "FMVLT70H"), ++ DMI_MATCH(DMI_SYS_VENDOR, "Acer"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Aspire 9110"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_DRITEK) + }, + { +- /* Fujitsu-Siemens Lifebook T3010 */ ++ /* Acer TravelMate 660 */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU SIEMENS"), +- DMI_MATCH(DMI_PRODUCT_NAME, "LIFEBOOK T3010"), ++ DMI_MATCH(DMI_SYS_VENDOR, "Acer"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate 660"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_DRITEK) + }, + { +- /* Fujitsu-Siemens Lifebook E4010 */ ++ /* Acer TravelMate 2490 */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU SIEMENS"), +- DMI_MATCH(DMI_PRODUCT_NAME, "LIFEBOOK E4010"), ++ DMI_MATCH(DMI_SYS_VENDOR, "Acer"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate 2490"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_DRITEK) + }, + { +- /* Fujitsu-Siemens Amilo Pro 2010 */ ++ /* Acer TravelMate 4280 */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU SIEMENS"), +- DMI_MATCH(DMI_PRODUCT_NAME, "AMILO Pro V2010"), ++ DMI_MATCH(DMI_SYS_VENDOR, "Acer"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate 4280"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_DRITEK) + }, + { +- /* Fujitsu-Siemens Amilo Pro 2030 */ ++ /* Amoi M636/A737 */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU SIEMENS"), +- DMI_MATCH(DMI_PRODUCT_NAME, "AMILO PRO V2030"), ++ DMI_MATCH(DMI_SYS_VENDOR, "Amoi Electronics CO.,LTD."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "M636/A737 platform"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOMUX) + }, + { +- /* +- * No data is coming from the touchscreen unless KBC +- * is in legacy mode. +- */ +- /* Panasonic CF-29 */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Matsushita"), +- DMI_MATCH(DMI_PRODUCT_NAME, "CF-29"), ++ DMI_MATCH(DMI_SYS_VENDOR, "ByteSpeed LLC"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "ByteSpeed Laptop C15B"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOLOOP) + }, + { +- /* +- * HP Pavilion DV4017EA - +- * errors on MUX ports are reported without raising AUXDATA +- * causing "spurious NAK" messages. +- */ ++ /* Compal HEL80I */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Hewlett-Packard"), +- DMI_MATCH(DMI_PRODUCT_NAME, "Pavilion dv4000 (EA032EA#ABF)"), ++ DMI_MATCH(DMI_SYS_VENDOR, "COMPAL"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "HEL80I"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOMUX) + }, + { +- /* +- * HP Pavilion ZT1000 - +- * like DV4017EA does not raise AUXERR for errors on MUX ports. +- */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Hewlett-Packard"), +- DMI_MATCH(DMI_PRODUCT_NAME, "HP Pavilion Notebook PC"), +- DMI_MATCH(DMI_PRODUCT_VERSION, "HP Pavilion Notebook ZT1000"), ++ DMI_MATCH(DMI_SYS_VENDOR, "Compaq"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "ProLiant"), ++ DMI_MATCH(DMI_PRODUCT_VERSION, "8500"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOLOOP) + }, + { +- /* +- * HP Pavilion DV4270ca - +- * like DV4017EA does not raise AUXERR for errors on MUX ports. +- */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Hewlett-Packard"), +- DMI_MATCH(DMI_PRODUCT_NAME, "Pavilion dv4000 (EH476UA#ABL)"), ++ DMI_MATCH(DMI_SYS_VENDOR, "Compaq"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "ProLiant"), ++ DMI_MATCH(DMI_PRODUCT_VERSION, "DL760"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOLOOP) + }, + { ++ /* Advent 4211 */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "TOSHIBA"), +- DMI_MATCH(DMI_PRODUCT_NAME, "Satellite P10"), ++ DMI_MATCH(DMI_SYS_VENDOR, "DIXONSXP"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Advent 4211"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_RESET_ALWAYS) + }, + { ++ /* Dell Embedded Box PC 3000 */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "TOSHIBA"), +- DMI_MATCH(DMI_PRODUCT_NAME, "EQUIUM A110"), ++ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Embedded Box PC 3000"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOLOOP) + }, + { ++ /* Dell XPS M1530 */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "TOSHIBA"), +- DMI_MATCH(DMI_PRODUCT_NAME, "SATELLITE C850D"), ++ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "XPS M1530"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOMUX) + }, + { ++ /* Dell Vostro 1510 */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "ALIENWARE"), +- DMI_MATCH(DMI_PRODUCT_NAME, "Sentia"), ++ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Vostro1510"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOMUX) + }, + { +- /* Sharp Actius MM20 */ ++ /* Dell Vostro V13 */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "SHARP"), +- DMI_MATCH(DMI_PRODUCT_NAME, "PC-MM20 Series"), ++ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Vostro V13"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOMUX | SERIO_QUIRK_NOTIMEOUT) + }, + { +- /* Sony Vaio FS-115b */ ++ /* Dell Vostro 1320 */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Sony Corporation"), +- DMI_MATCH(DMI_PRODUCT_NAME, "VGN-FS115B"), ++ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Vostro 1320"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_RESET_ALWAYS) + }, + { +- /* +- * Sony Vaio FZ-240E - +- * reset and GET ID commands issued via KBD port are +- * sometimes being delivered to AUX3. +- */ ++ /* Dell Vostro 1520 */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Sony Corporation"), +- DMI_MATCH(DMI_PRODUCT_NAME, "VGN-FZ240E"), ++ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Vostro 1520"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_RESET_ALWAYS) + }, + { +- /* +- * Most (all?) VAIOs do not have external PS/2 ports nor +- * they implement active multiplexing properly, and +- * MUX discovery usually messes up keyboard/touchpad. +- */ ++ /* Dell Vostro 1720 */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Sony Corporation"), +- DMI_MATCH(DMI_BOARD_NAME, "VAIO"), ++ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Vostro 1720"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_RESET_ALWAYS) + }, + { +- /* Amoi M636/A737 */ ++ /* Entroware Proteus */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Amoi Electronics CO.,LTD."), +- DMI_MATCH(DMI_PRODUCT_NAME, "M636/A737 platform"), ++ DMI_MATCH(DMI_SYS_VENDOR, "Entroware"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Proteus"), ++ DMI_MATCH(DMI_PRODUCT_VERSION, "EL07R4"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOMUX | SERIO_QUIRK_RESET_ALWAYS) + }, ++ /* ++ * Some Fujitsu notebooks are having trouble with touchpads if ++ * active multiplexing mode is activated. Luckily they don't have ++ * external PS/2 ports so we can safely disable it. ++ * ... apparently some Toshibas don't like MUX mode either and ++ * die horrible death on reboot. ++ */ + { +- /* Lenovo 3000 n100 */ ++ /* Fujitsu Lifebook P7010/P7010D */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), +- DMI_MATCH(DMI_PRODUCT_NAME, "076804U"), ++ DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "P7010"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOMUX) + }, + { +- /* Lenovo XiaoXin Air 12 */ ++ /* Fujitsu Lifebook P5020D */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), +- DMI_MATCH(DMI_PRODUCT_NAME, "80UN"), ++ DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "LifeBook P Series"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOMUX) + }, + { ++ /* Fujitsu Lifebook S2000 */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Acer"), +- DMI_MATCH(DMI_PRODUCT_NAME, "Aspire 1360"), ++ DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "LifeBook S Series"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOMUX) + }, + { +- /* Acer Aspire 5710 */ ++ /* Fujitsu Lifebook S6230 */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Acer"), +- DMI_MATCH(DMI_PRODUCT_NAME, "Aspire 5710"), ++ DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "LifeBook S6230"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOMUX) + }, + { +- /* Acer Aspire 7738 */ ++ /* Fujitsu Lifebook T725 laptop */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Acer"), +- DMI_MATCH(DMI_PRODUCT_NAME, "Aspire 7738"), ++ DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "LIFEBOOK T725"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOMUX | SERIO_QUIRK_NOTIMEOUT) + }, + { +- /* Gericom Bellagio */ ++ /* Fujitsu Lifebook U745 */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Gericom"), +- DMI_MATCH(DMI_PRODUCT_NAME, "N34AS6"), ++ DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "LIFEBOOK U745"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOMUX) + }, + { +- /* IBM 2656 */ ++ /* Fujitsu T70H */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "IBM"), +- DMI_MATCH(DMI_PRODUCT_NAME, "2656"), ++ DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "FMVLT70H"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOMUX) + }, + { +- /* Dell XPS M1530 */ ++ /* Fujitsu A544 laptop */ ++ /* https://bugzilla.redhat.com/show_bug.cgi?id=1111138 */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), +- DMI_MATCH(DMI_PRODUCT_NAME, "XPS M1530"), ++ DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "LIFEBOOK A544"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOTIMEOUT) + }, + { +- /* Compal HEL80I */ ++ /* Fujitsu AH544 laptop */ ++ /* https://bugzilla.kernel.org/show_bug.cgi?id=69731 */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "COMPAL"), +- DMI_MATCH(DMI_PRODUCT_NAME, "HEL80I"), ++ DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "LIFEBOOK AH544"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOTIMEOUT) + }, + { +- /* Dell Vostro 1510 */ ++ /* Fujitsu U574 laptop */ ++ /* https://bugzilla.kernel.org/show_bug.cgi?id=69731 */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), +- DMI_MATCH(DMI_PRODUCT_NAME, "Vostro1510"), ++ DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "LIFEBOOK U574"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOTIMEOUT) + }, + { +- /* Acer Aspire 5536 */ ++ /* Fujitsu UH554 laptop */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Acer"), +- DMI_MATCH(DMI_PRODUCT_NAME, "Aspire 5536"), +- DMI_MATCH(DMI_PRODUCT_VERSION, "0100"), ++ DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "LIFEBOOK UH544"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOTIMEOUT) + }, + { +- /* Dell Vostro V13 */ ++ /* Fujitsu Lifebook P7010 */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), +- DMI_MATCH(DMI_PRODUCT_NAME, "Vostro V13"), ++ DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU SIEMENS"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "0000000000"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOMUX) + }, + { +- /* Newer HP Pavilion dv4 models */ ++ /* Fujitsu-Siemens Lifebook T3010 */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Hewlett-Packard"), +- DMI_MATCH(DMI_PRODUCT_NAME, "HP Pavilion dv4 Notebook PC"), ++ DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU SIEMENS"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "LIFEBOOK T3010"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOMUX) + }, + { +- /* Asus X450LCP */ ++ /* Fujitsu-Siemens Lifebook E4010 */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), +- DMI_MATCH(DMI_PRODUCT_NAME, "X450LCP"), ++ DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU SIEMENS"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "LIFEBOOK E4010"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOMUX) + }, + { +- /* Avatar AVIU-145A6 */ ++ /* Fujitsu-Siemens Amilo Pro 2010 */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Intel"), +- DMI_MATCH(DMI_PRODUCT_NAME, "IC4I"), ++ DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU SIEMENS"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "AMILO Pro V2010"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOMUX) + }, + { +- /* TUXEDO BU1406 */ ++ /* Fujitsu-Siemens Amilo Pro 2030 */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Notebook"), +- DMI_MATCH(DMI_PRODUCT_NAME, "N24_25BU"), ++ DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU SIEMENS"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "AMILO PRO V2030"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOMUX) + }, + { +- /* Lenovo LaVie Z */ ++ /* Gigabyte M912 */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), +- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo LaVie Z"), ++ DMI_MATCH(DMI_SYS_VENDOR, "GIGABYTE"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "M912"), ++ DMI_MATCH(DMI_PRODUCT_VERSION, "01"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOLOOP) + }, + { +- /* +- * Acer Aspire 5738z +- * Touchpad stops working in mux mode when dis- + re-enabled +- * with the touchpad enable/disable toggle hotkey +- */ ++ /* Gigabyte Spring Peak - defines wrong chassis type */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Acer"), +- DMI_MATCH(DMI_PRODUCT_NAME, "Aspire 5738"), ++ DMI_MATCH(DMI_SYS_VENDOR, "GIGABYTE"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Spring Peak"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOLOOP) + }, + { +- /* Entroware Proteus */ ++ /* Gigabyte T1005 - defines wrong chassis type ("Other") */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Entroware"), +- DMI_MATCH(DMI_PRODUCT_NAME, "Proteus"), +- DMI_MATCH(DMI_PRODUCT_VERSION, "EL07R4"), ++ DMI_MATCH(DMI_SYS_VENDOR, "GIGABYTE"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "T1005"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOLOOP) + }, +- { } +-}; +- +-static const struct dmi_system_id i8042_dmi_forcemux_table[] __initconst = { + { +- /* +- * Sony Vaio VGN-CS series require MUX or the touch sensor +- * buttons will disturb touchpad operation +- */ ++ /* Gigabyte T1005M/P - defines wrong chassis type ("Other") */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Sony Corporation"), +- DMI_MATCH(DMI_PRODUCT_NAME, "VGN-CS"), ++ DMI_MATCH(DMI_SYS_VENDOR, "GIGABYTE"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "T1005M/P"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOLOOP) + }, +- { } +-}; +- +-/* +- * On some Asus laptops, just running self tests cause problems. +- */ +-static const struct dmi_system_id i8042_dmi_noselftest_table[] = { ++ /* ++ * Some laptops need keyboard reset before probing for the trackpad to get ++ * it detected, initialised & finally work. ++ */ + { ++ /* Gigabyte P35 v2 - Elantech touchpad */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), +- DMI_MATCH(DMI_CHASSIS_TYPE, "10"), /* Notebook */ +- }, +- }, { +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), +- DMI_MATCH(DMI_CHASSIS_TYPE, "31"), /* Convertible Notebook */ ++ DMI_MATCH(DMI_SYS_VENDOR, "GIGABYTE"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "P35V2"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_KBDRESET) + }, +- { } +-}; +-static const struct dmi_system_id __initconst i8042_dmi_reset_table[] = { +- { +- /* MSI Wind U-100 */ ++ { ++ /* Aorus branded Gigabyte X3 Plus - Elantech touchpad */ + .matches = { +- DMI_MATCH(DMI_BOARD_NAME, "U-100"), +- DMI_MATCH(DMI_BOARD_VENDOR, "MICRO-STAR INTERNATIONAL CO., LTD"), ++ DMI_MATCH(DMI_SYS_VENDOR, "GIGABYTE"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "X3"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_KBDRESET) + }, + { +- /* LG Electronics X110 */ ++ /* Gigabyte P34 - Elantech touchpad */ + .matches = { +- DMI_MATCH(DMI_BOARD_NAME, "X110"), +- DMI_MATCH(DMI_BOARD_VENDOR, "LG Electronics Inc."), ++ DMI_MATCH(DMI_SYS_VENDOR, "GIGABYTE"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "P34"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_KBDRESET) + }, + { +- /* Acer Aspire One 150 */ ++ /* Gigabyte P57 - Elantech touchpad */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Acer"), +- DMI_MATCH(DMI_PRODUCT_NAME, "AOA150"), ++ DMI_MATCH(DMI_SYS_VENDOR, "GIGABYTE"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "P57"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_KBDRESET) + }, + { ++ /* Gericom Bellagio */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Acer"), +- DMI_MATCH(DMI_PRODUCT_NAME, "Aspire A114-31"), ++ DMI_MATCH(DMI_SYS_VENDOR, "Gericom"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "N34AS6"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOMUX) + }, + { ++ /* Gigabyte M1022M netbook */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Acer"), +- DMI_MATCH(DMI_PRODUCT_NAME, "Aspire A314-31"), ++ DMI_MATCH(DMI_BOARD_VENDOR, "Gigabyte Technology Co.,Ltd."), ++ DMI_MATCH(DMI_BOARD_NAME, "M1022E"), ++ DMI_MATCH(DMI_BOARD_VERSION, "1.02"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOLOOP) + }, + { + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Acer"), +- DMI_MATCH(DMI_PRODUCT_NAME, "Aspire A315-31"), ++ DMI_MATCH(DMI_SYS_VENDOR, "Hewlett-Packard"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "HP Pavilion dv9700"), ++ DMI_MATCH(DMI_PRODUCT_VERSION, "Rev 1"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOLOOP) + }, + { ++ /* ++ * HP Pavilion DV4017EA - ++ * errors on MUX ports are reported without raising AUXDATA ++ * causing "spurious NAK" messages. ++ */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Acer"), +- DMI_MATCH(DMI_PRODUCT_NAME, "Aspire ES1-132"), ++ DMI_MATCH(DMI_SYS_VENDOR, "Hewlett-Packard"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Pavilion dv4000 (EA032EA#ABF)"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOMUX) + }, + { ++ /* ++ * HP Pavilion ZT1000 - ++ * like DV4017EA does not raise AUXERR for errors on MUX ports. ++ */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Acer"), +- DMI_MATCH(DMI_PRODUCT_NAME, "Aspire ES1-332"), ++ DMI_MATCH(DMI_SYS_VENDOR, "Hewlett-Packard"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "HP Pavilion Notebook PC"), ++ DMI_MATCH(DMI_PRODUCT_VERSION, "HP Pavilion Notebook ZT1000"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOMUX) + }, + { ++ /* ++ * HP Pavilion DV4270ca - ++ * like DV4017EA does not raise AUXERR for errors on MUX ports. ++ */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Acer"), +- DMI_MATCH(DMI_PRODUCT_NAME, "Aspire ES1-432"), ++ DMI_MATCH(DMI_SYS_VENDOR, "Hewlett-Packard"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Pavilion dv4000 (EH476UA#ABL)"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOMUX) + }, + { ++ /* Newer HP Pavilion dv4 models */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Acer"), +- DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate Spin B118-RN"), ++ DMI_MATCH(DMI_SYS_VENDOR, "Hewlett-Packard"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "HP Pavilion dv4 Notebook PC"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOMUX | SERIO_QUIRK_NOTIMEOUT) + }, + { +- /* Advent 4211 */ ++ /* IBM 2656 */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "DIXONSXP"), +- DMI_MATCH(DMI_PRODUCT_NAME, "Advent 4211"), ++ DMI_MATCH(DMI_SYS_VENDOR, "IBM"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "2656"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOMUX) + }, + { +- /* Medion Akoya Mini E1210 */ ++ /* Avatar AVIU-145A6 */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "MEDION"), +- DMI_MATCH(DMI_PRODUCT_NAME, "E1210"), ++ DMI_MATCH(DMI_SYS_VENDOR, "Intel"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "IC4I"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOMUX) + }, + { +- /* Medion Akoya E1222 */ ++ /* Intel MBO Desktop D845PESV */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "MEDION"), +- DMI_MATCH(DMI_PRODUCT_NAME, "E122X"), ++ DMI_MATCH(DMI_BOARD_VENDOR, "Intel Corporation"), ++ DMI_MATCH(DMI_BOARD_NAME, "D845PESV"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOPNP) + }, + { +- /* Mivvy M310 */ ++ /* ++ * Intel NUC D54250WYK - does not have i8042 controller but ++ * declares PS/2 devices in DSDT. ++ */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "VIOOO"), +- DMI_MATCH(DMI_PRODUCT_NAME, "N10"), ++ DMI_MATCH(DMI_BOARD_VENDOR, "Intel Corporation"), ++ DMI_MATCH(DMI_BOARD_NAME, "D54250WYK"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOPNP) + }, + { +- /* Dell Vostro 1320 */ ++ /* Lenovo 3000 n100 */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), +- DMI_MATCH(DMI_PRODUCT_NAME, "Vostro 1320"), ++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "076804U"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOMUX) + }, + { +- /* Dell Vostro 1520 */ ++ /* Lenovo XiaoXin Air 12 */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), +- DMI_MATCH(DMI_PRODUCT_NAME, "Vostro 1520"), ++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "80UN"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOMUX) + }, + { +- /* Dell Vostro 1720 */ ++ /* Lenovo LaVie Z */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), +- DMI_MATCH(DMI_PRODUCT_NAME, "Vostro 1720"), ++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo LaVie Z"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOMUX) + }, + { + /* Lenovo Ideapad U455 */ +@@ -722,6 +803,7 @@ static const struct dmi_system_id __initconst i8042_dmi_reset_table[] = { + DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), + DMI_MATCH(DMI_PRODUCT_NAME, "20046"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_RESET_ALWAYS) + }, + { + /* Lenovo ThinkPad L460 */ +@@ -729,13 +811,7 @@ static const struct dmi_system_id __initconst i8042_dmi_reset_table[] = { + DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), + DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad L460"), + }, +- }, +- { +- /* Clevo P650RS, 650RP6, Sager NP8152-S, and others */ +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Notebook"), +- DMI_MATCH(DMI_PRODUCT_NAME, "P65xRP"), +- }, ++ .driver_data = (void *)(SERIO_QUIRK_RESET_ALWAYS) + }, + { + /* Lenovo ThinkPad Twist S230u */ +@@ -743,275 +819,269 @@ static const struct dmi_system_id __initconst i8042_dmi_reset_table[] = { + DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), + DMI_MATCH(DMI_PRODUCT_NAME, "33474HU"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_RESET_ALWAYS) + }, + { +- /* Entroware Proteus */ ++ /* LG Electronics X110 */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Entroware"), +- DMI_MATCH(DMI_PRODUCT_NAME, "Proteus"), +- DMI_MATCH(DMI_PRODUCT_VERSION, "EL07R4"), ++ DMI_MATCH(DMI_BOARD_VENDOR, "LG Electronics Inc."), ++ DMI_MATCH(DMI_BOARD_NAME, "X110"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_RESET_ALWAYS) + }, +- { } +-}; +- +-#ifdef CONFIG_PNP +-static const struct dmi_system_id __initconst i8042_dmi_nopnp_table[] = { + { +- /* Intel MBO Desktop D845PESV */ ++ /* Medion Akoya Mini E1210 */ + .matches = { +- DMI_MATCH(DMI_BOARD_NAME, "D845PESV"), +- DMI_MATCH(DMI_BOARD_VENDOR, "Intel Corporation"), ++ DMI_MATCH(DMI_SYS_VENDOR, "MEDION"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "E1210"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_RESET_ALWAYS) + }, + { +- /* +- * Intel NUC D54250WYK - does not have i8042 controller but +- * declares PS/2 devices in DSDT. +- */ ++ /* Medion Akoya E1222 */ + .matches = { +- DMI_MATCH(DMI_BOARD_NAME, "D54250WYK"), +- DMI_MATCH(DMI_BOARD_VENDOR, "Intel Corporation"), ++ DMI_MATCH(DMI_SYS_VENDOR, "MEDION"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "E122X"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_RESET_ALWAYS) + }, + { + /* MSI Wind U-100 */ + .matches = { +- DMI_MATCH(DMI_BOARD_NAME, "U-100"), +- DMI_MATCH(DMI_BOARD_VENDOR, "MICRO-STAR INTERNATIONAL CO., LTD"), +- }, +- }, +- { +- /* Acer Aspire 5 A515 */ +- .matches = { +- DMI_MATCH(DMI_BOARD_NAME, "Grumpy_PK"), +- DMI_MATCH(DMI_BOARD_VENDOR, "PK"), +- }, +- }, +- { } +-}; +- +-static const struct dmi_system_id i8042_dmi_laptop_table[] __initconst = { +- { +- .matches = { +- DMI_MATCH(DMI_CHASSIS_TYPE, "8"), /* Portable */ +- }, +- }, +- { +- .matches = { +- DMI_MATCH(DMI_CHASSIS_TYPE, "9"), /* Laptop */ ++ DMI_MATCH(DMI_BOARD_VENDOR, "MICRO-STAR INTERNATIONAL CO., LTD"), ++ DMI_MATCH(DMI_BOARD_NAME, "U-100"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_RESET_ALWAYS | SERIO_QUIRK_NOPNP) + }, + { ++ /* ++ * No data is coming from the touchscreen unless KBC ++ * is in legacy mode. ++ */ ++ /* Panasonic CF-29 */ + .matches = { +- DMI_MATCH(DMI_CHASSIS_TYPE, "10"), /* Notebook */ ++ DMI_MATCH(DMI_SYS_VENDOR, "Matsushita"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "CF-29"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOMUX) + }, + { ++ /* Medion Akoya E7225 */ + .matches = { +- DMI_MATCH(DMI_CHASSIS_TYPE, "14"), /* Sub-Notebook */ ++ DMI_MATCH(DMI_SYS_VENDOR, "Medion"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Akoya E7225"), ++ DMI_MATCH(DMI_PRODUCT_VERSION, "1.0"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOLOOP) + }, +- { } +-}; +-#endif +- +-static const struct dmi_system_id __initconst i8042_dmi_notimeout_table[] = { + { +- /* Dell Vostro V13 */ ++ /* Microsoft Virtual Machine */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), +- DMI_MATCH(DMI_PRODUCT_NAME, "Vostro V13"), ++ DMI_MATCH(DMI_SYS_VENDOR, "Microsoft Corporation"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Virtual Machine"), ++ DMI_MATCH(DMI_PRODUCT_VERSION, "VS2005R2"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOLOOP) + }, + { +- /* Newer HP Pavilion dv4 models */ ++ /* Medion MAM 2070 */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Hewlett-Packard"), +- DMI_MATCH(DMI_PRODUCT_NAME, "HP Pavilion dv4 Notebook PC"), ++ DMI_MATCH(DMI_SYS_VENDOR, "Notebook"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "MAM 2070"), ++ DMI_MATCH(DMI_PRODUCT_VERSION, "5a"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOLOOP) + }, + { +- /* Fujitsu A544 laptop */ +- /* https://bugzilla.redhat.com/show_bug.cgi?id=1111138 */ ++ /* TUXEDO BU1406 */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"), +- DMI_MATCH(DMI_PRODUCT_NAME, "LIFEBOOK A544"), ++ DMI_MATCH(DMI_SYS_VENDOR, "Notebook"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "N24_25BU"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOMUX) + }, + { +- /* Fujitsu AH544 laptop */ +- /* https://bugzilla.kernel.org/show_bug.cgi?id=69731 */ ++ /* Clevo P650RS, 650RP6, Sager NP8152-S, and others */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"), +- DMI_MATCH(DMI_PRODUCT_NAME, "LIFEBOOK AH544"), ++ DMI_MATCH(DMI_SYS_VENDOR, "Notebook"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "P65xRP"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_RESET_ALWAYS) + }, + { +- /* Fujitsu Lifebook T725 laptop */ ++ /* OQO Model 01 */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"), +- DMI_MATCH(DMI_PRODUCT_NAME, "LIFEBOOK T725"), ++ DMI_MATCH(DMI_SYS_VENDOR, "OQO"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "ZEPTO"), ++ DMI_MATCH(DMI_PRODUCT_VERSION, "00"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOLOOP) + }, + { +- /* Fujitsu U574 laptop */ +- /* https://bugzilla.kernel.org/show_bug.cgi?id=69731 */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"), +- DMI_MATCH(DMI_PRODUCT_NAME, "LIFEBOOK U574"), ++ DMI_MATCH(DMI_SYS_VENDOR, "PEGATRON CORPORATION"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "C15B"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOLOOP) + }, + { +- /* Fujitsu UH554 laptop */ ++ /* Acer Aspire 5 A515 */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"), +- DMI_MATCH(DMI_PRODUCT_NAME, "LIFEBOOK UH544"), ++ DMI_MATCH(DMI_BOARD_VENDOR, "PK"), ++ DMI_MATCH(DMI_BOARD_NAME, "Grumpy_PK"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOPNP) + }, +- { } +-}; +- +-/* +- * Some Wistron based laptops need us to explicitly enable the 'Dritek +- * keyboard extension' to make their extra keys start generating scancodes. +- * Originally, this was just confined to older laptops, but a few Acer laptops +- * have turned up in 2007 that also need this again. +- */ +-static const struct dmi_system_id __initconst i8042_dmi_dritek_table[] = { + { +- /* Acer Aspire 5100 */ ++ /* ULI EV4873 - AUX LOOP does not work properly */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Acer"), +- DMI_MATCH(DMI_PRODUCT_NAME, "Aspire 5100"), ++ DMI_MATCH(DMI_SYS_VENDOR, "ULI"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "EV4873"), ++ DMI_MATCH(DMI_PRODUCT_VERSION, "5a"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOLOOP) + }, + { +- /* Acer Aspire 5610 */ ++ /* ++ * Arima-Rioworks HDAMB - ++ * AUX LOOP command does not raise AUX IRQ ++ */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Acer"), +- DMI_MATCH(DMI_PRODUCT_NAME, "Aspire 5610"), ++ DMI_MATCH(DMI_BOARD_VENDOR, "RIOWORKS"), ++ DMI_MATCH(DMI_BOARD_NAME, "HDAMB"), ++ DMI_MATCH(DMI_BOARD_VERSION, "Rev E"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOLOOP) + }, + { +- /* Acer Aspire 5630 */ ++ /* Sharp Actius MM20 */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Acer"), +- DMI_MATCH(DMI_PRODUCT_NAME, "Aspire 5630"), ++ DMI_MATCH(DMI_SYS_VENDOR, "SHARP"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "PC-MM20 Series"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOMUX) + }, + { +- /* Acer Aspire 5650 */ ++ /* ++ * Sony Vaio FZ-240E - ++ * reset and GET ID commands issued via KBD port are ++ * sometimes being delivered to AUX3. ++ */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Acer"), +- DMI_MATCH(DMI_PRODUCT_NAME, "Aspire 5650"), ++ DMI_MATCH(DMI_SYS_VENDOR, "Sony Corporation"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "VGN-FZ240E"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOMUX) + }, + { +- /* Acer Aspire 5680 */ ++ /* ++ * Most (all?) VAIOs do not have external PS/2 ports nor ++ * they implement active multiplexing properly, and ++ * MUX discovery usually messes up keyboard/touchpad. ++ */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Acer"), +- DMI_MATCH(DMI_PRODUCT_NAME, "Aspire 5680"), ++ DMI_MATCH(DMI_SYS_VENDOR, "Sony Corporation"), ++ DMI_MATCH(DMI_BOARD_NAME, "VAIO"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOMUX) + }, + { +- /* Acer Aspire 5720 */ ++ /* Sony Vaio FS-115b */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Acer"), +- DMI_MATCH(DMI_PRODUCT_NAME, "Aspire 5720"), ++ DMI_MATCH(DMI_SYS_VENDOR, "Sony Corporation"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "VGN-FS115B"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOMUX) + }, + { +- /* Acer Aspire 9110 */ ++ /* ++ * Sony Vaio VGN-CS series require MUX or the touch sensor ++ * buttons will disturb touchpad operation ++ */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Acer"), +- DMI_MATCH(DMI_PRODUCT_NAME, "Aspire 9110"), ++ DMI_MATCH(DMI_SYS_VENDOR, "Sony Corporation"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "VGN-CS"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_FORCEMUX) + }, + { +- /* Acer TravelMate 660 */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Acer"), +- DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate 660"), ++ DMI_MATCH(DMI_SYS_VENDOR, "TOSHIBA"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Satellite P10"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOMUX) + }, + { +- /* Acer TravelMate 2490 */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Acer"), +- DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate 2490"), ++ DMI_MATCH(DMI_SYS_VENDOR, "TOSHIBA"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "EQUIUM A110"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOMUX) + }, + { +- /* Acer TravelMate 4280 */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Acer"), +- DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate 4280"), ++ DMI_MATCH(DMI_SYS_VENDOR, "TOSHIBA"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "SATELLITE C850D"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOMUX) + }, +- { } +-}; +- +-/* +- * Some laptops need keyboard reset before probing for the trackpad to get +- * it detected, initialised & finally work. +- */ +-static const struct dmi_system_id __initconst i8042_dmi_kbdreset_table[] = { + { +- /* Gigabyte P35 v2 - Elantech touchpad */ ++ /* Mivvy M310 */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "GIGABYTE"), +- DMI_MATCH(DMI_PRODUCT_NAME, "P35V2"), ++ DMI_MATCH(DMI_SYS_VENDOR, "VIOOO"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "N10"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_RESET_ALWAYS) + }, +- { +- /* Aorus branded Gigabyte X3 Plus - Elantech touchpad */ ++ /* ++ * Some laptops need keyboard reset before probing for the trackpad to get ++ * it detected, initialised & finally work. ++ */ ++ { ++ /* Schenker XMG C504 - Elantech touchpad */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "GIGABYTE"), +- DMI_MATCH(DMI_PRODUCT_NAME, "X3"), ++ DMI_MATCH(DMI_SYS_VENDOR, "XMG"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "C504"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_KBDRESET) + }, + { +- /* Gigabyte P34 - Elantech touchpad */ ++ /* Blue FB5601 */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "GIGABYTE"), +- DMI_MATCH(DMI_PRODUCT_NAME, "P34"), ++ DMI_MATCH(DMI_SYS_VENDOR, "blue"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "FB5601"), ++ DMI_MATCH(DMI_PRODUCT_VERSION, "M606"), + }, ++ .driver_data = (void *)(SERIO_QUIRK_NOLOOP) + }, ++ { } ++}; ++ ++#ifdef CONFIG_PNP ++static const struct dmi_system_id i8042_dmi_laptop_table[] __initconst = { + { +- /* Gigabyte P57 - Elantech touchpad */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "GIGABYTE"), +- DMI_MATCH(DMI_PRODUCT_NAME, "P57"), ++ DMI_MATCH(DMI_CHASSIS_TYPE, "8"), /* Portable */ + }, + }, + { +- /* Schenker XMG C504 - Elantech touchpad */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "XMG"), +- DMI_MATCH(DMI_PRODUCT_NAME, "C504"), ++ DMI_MATCH(DMI_CHASSIS_TYPE, "9"), /* Laptop */ + }, + }, +- { } +-}; +- +-static const struct dmi_system_id i8042_dmi_probe_defer_table[] __initconst = { + { +- /* ASUS ZenBook UX425UA */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), +- DMI_MATCH(DMI_PRODUCT_NAME, "ZenBook UX425UA"), ++ DMI_MATCH(DMI_CHASSIS_TYPE, "10"), /* Notebook */ + }, + }, + { +- /* ASUS ZenBook UM325UA */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), +- DMI_MATCH(DMI_PRODUCT_NAME, "ZenBook UX325UA_UM325UA"), ++ DMI_MATCH(DMI_CHASSIS_TYPE, "14"), /* Sub-Notebook */ + }, + }, + { } + }; ++#endif + + #endif /* CONFIG_X86 */ + +@@ -1167,11 +1237,6 @@ static int __init i8042_pnp_init(void) + bool pnp_data_busted = false; + int err; + +-#ifdef CONFIG_X86 +- if (dmi_check_system(i8042_dmi_nopnp_table)) +- i8042_nopnp = true; +-#endif +- + if (i8042_nopnp) { + pr_info("PNP detection disabled\n"); + return 0; +@@ -1275,6 +1340,59 @@ static inline int i8042_pnp_init(void) { return 0; } + static inline void i8042_pnp_exit(void) { } + #endif /* CONFIG_PNP */ + ++ ++#ifdef CONFIG_X86 ++static void __init i8042_check_quirks(void) ++{ ++ const struct dmi_system_id *device_quirk_info; ++ uintptr_t quirks; ++ ++ device_quirk_info = dmi_first_match(i8042_dmi_quirk_table); ++ if (!device_quirk_info) ++ return; ++ ++ quirks = (uintptr_t)device_quirk_info->driver_data; ++ ++ if (quirks & SERIO_QUIRK_NOKBD) ++ i8042_nokbd = true; ++ if (quirks & SERIO_QUIRK_NOAUX) ++ i8042_noaux = true; ++ if (quirks & SERIO_QUIRK_NOMUX) ++ i8042_nomux = true; ++ if (quirks & SERIO_QUIRK_FORCEMUX) ++ i8042_nomux = false; ++ if (quirks & SERIO_QUIRK_UNLOCK) ++ i8042_unlock = true; ++ if (quirks & SERIO_QUIRK_PROBE_DEFER) ++ i8042_probe_defer = true; ++ /* Honor module parameter when value is not default */ ++ if (i8042_reset == I8042_RESET_DEFAULT) { ++ if (quirks & SERIO_QUIRK_RESET_ALWAYS) ++ i8042_reset = I8042_RESET_ALWAYS; ++ if (quirks & SERIO_QUIRK_RESET_NEVER) ++ i8042_reset = I8042_RESET_NEVER; ++ } ++ if (quirks & SERIO_QUIRK_DIECT) ++ i8042_direct = true; ++ if (quirks & SERIO_QUIRK_DUMBKBD) ++ i8042_dumbkbd = true; ++ if (quirks & SERIO_QUIRK_NOLOOP) ++ i8042_noloop = true; ++ if (quirks & SERIO_QUIRK_NOTIMEOUT) ++ i8042_notimeout = true; ++ if (quirks & SERIO_QUIRK_KBDRESET) ++ i8042_kbdreset = true; ++ if (quirks & SERIO_QUIRK_DRITEK) ++ i8042_dritek = true; ++#ifdef CONFIG_PNP ++ if (quirks & SERIO_QUIRK_NOPNP) ++ i8042_nopnp = true; ++#endif ++} ++#else ++static inline void i8042_check_quirks(void) {} ++#endif ++ + static int __init i8042_platform_init(void) + { + int retval; +@@ -1297,45 +1415,17 @@ static int __init i8042_platform_init(void) + i8042_kbd_irq = I8042_MAP_IRQ(1); + i8042_aux_irq = I8042_MAP_IRQ(12); + +- retval = i8042_pnp_init(); +- if (retval) +- return retval; +- + #if defined(__ia64__) +- i8042_reset = I8042_RESET_ALWAYS; ++ i8042_reset = I8042_RESET_ALWAYS; + #endif + +-#ifdef CONFIG_X86 +- /* Honor module parameter when value is not default */ +- if (i8042_reset == I8042_RESET_DEFAULT) { +- if (dmi_check_system(i8042_dmi_reset_table)) +- i8042_reset = I8042_RESET_ALWAYS; +- +- if (dmi_check_system(i8042_dmi_noselftest_table)) +- i8042_reset = I8042_RESET_NEVER; +- } +- +- if (dmi_check_system(i8042_dmi_noloop_table)) +- i8042_noloop = true; +- +- if (dmi_check_system(i8042_dmi_nomux_table)) +- i8042_nomux = true; +- +- if (dmi_check_system(i8042_dmi_forcemux_table)) +- i8042_nomux = false; +- +- if (dmi_check_system(i8042_dmi_notimeout_table)) +- i8042_notimeout = true; +- +- if (dmi_check_system(i8042_dmi_dritek_table)) +- i8042_dritek = true; +- +- if (dmi_check_system(i8042_dmi_kbdreset_table)) +- i8042_kbdreset = true; ++ i8042_check_quirks(); + +- if (dmi_check_system(i8042_dmi_probe_defer_table)) +- i8042_probe_defer = true; ++ retval = i8042_pnp_init(); ++ if (retval) ++ return retval; + ++#ifdef CONFIG_X86 + /* + * A20 was already enabled during early kernel init. But some buggy + * BIOSes (in MSI Laptops) require A20 to be enabled using 8042 to +-- +2.35.1 + diff --git a/queue-5.15/input-i8042-move-__initconst-to-fix-code-styling-war.patch b/queue-5.15/input-i8042-move-__initconst-to-fix-code-styling-war.patch new file mode 100644 index 00000000000..6433e563bd3 --- /dev/null +++ b/queue-5.15/input-i8042-move-__initconst-to-fix-code-styling-war.patch @@ -0,0 +1,37 @@ +From ff49f04b1be80a800e145d25fb7be750c3400fc8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Jun 2022 17:34:42 -0700 +Subject: Input: i8042 - move __initconst to fix code styling warning + +From: Werner Sembach + +[ Upstream commit 95a9916c909f0b1d95e24b4232b4bc38ff755415 ] + +Move __intconst from before i8042_dmi_laptop_table[] to after it for +consistent code styling. + +Signed-off-by: Werner Sembach +Reviewed-by: Hans de Goede +Link: https://lore.kernel.org/r/20220629112725.12922-2-wse@tuxedocomputers.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/serio/i8042-x86ia64io.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/input/serio/i8042-x86ia64io.h b/drivers/input/serio/i8042-x86ia64io.h +index 148a7c5fd0e22..91c6f24b48375 100644 +--- a/drivers/input/serio/i8042-x86ia64io.h ++++ b/drivers/input/serio/i8042-x86ia64io.h +@@ -791,7 +791,7 @@ static const struct dmi_system_id __initconst i8042_dmi_nopnp_table[] = { + { } + }; + +-static const struct dmi_system_id __initconst i8042_dmi_laptop_table[] = { ++static const struct dmi_system_id i8042_dmi_laptop_table[] __initconst = { + { + .matches = { + DMI_MATCH(DMI_CHASSIS_TYPE, "8"), /* Portable */ +-- +2.35.1 + diff --git a/queue-5.15/ionic-clear-broken-state-on-generation-change.patch b/queue-5.15/ionic-clear-broken-state-on-generation-change.patch new file mode 100644 index 00000000000..223c30205d1 --- /dev/null +++ b/queue-5.15/ionic-clear-broken-state-on-generation-change.patch @@ -0,0 +1,43 @@ +From 477446582faa2ce170a38593767f43c5a27391de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Aug 2022 09:50:49 -0700 +Subject: ionic: clear broken state on generation change + +From: Shannon Nelson + +[ Upstream commit 9cb9dadb8f45c67e4310e002c2f221b70312b293 ] + +There is a case found in heavy testing where a link flap happens just +before a firmware Recovery event and the driver gets stuck in the +BROKEN state. This comes from the driver getting interrupted by a FW +generation change when coming back up from the link flap, and the call +to ionic_start_queues() in ionic_link_status_check() fails. This can be +addressed by having the fw_up code clear the BROKEN bit if seen, rather +than waiting for a user to manually force the interface down and then +back up. + +Fixes: 9e8eaf8427b6 ("ionic: stop watchdog when in broken state") +Signed-off-by: Shannon Nelson +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/pensando/ionic/ionic_lif.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/pensando/ionic/ionic_lif.c b/drivers/net/ethernet/pensando/ionic/ionic_lif.c +index abfb5efc52b86..226867e65625e 100644 +--- a/drivers/net/ethernet/pensando/ionic/ionic_lif.c ++++ b/drivers/net/ethernet/pensando/ionic/ionic_lif.c +@@ -3016,6 +3016,9 @@ static void ionic_lif_handle_fw_up(struct ionic_lif *lif) + + mutex_lock(&lif->queue_lock); + ++ if (test_and_clear_bit(IONIC_LIF_F_BROKEN, lif->state)) ++ dev_info(ionic->dev, "FW Up: clearing broken state\n"); ++ + err = ionic_qcqs_alloc(lif); + if (err) + goto err_unlock; +-- +2.35.1 + diff --git a/queue-5.15/ionic-fix-up-issues-with-handling-eagain-on-fw-cmds.patch b/queue-5.15/ionic-fix-up-issues-with-handling-eagain-on-fw-cmds.patch new file mode 100644 index 00000000000..c8f1949c866 --- /dev/null +++ b/queue-5.15/ionic-fix-up-issues-with-handling-eagain-on-fw-cmds.patch @@ -0,0 +1,53 @@ +From edd6eeb4a23dd0dd11f164865d8d8ddfeea6105a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Aug 2022 09:50:50 -0700 +Subject: ionic: fix up issues with handling EAGAIN on FW cmds + +From: Shannon Nelson + +[ Upstream commit 0fc4dd452d6c14828eed6369155c75c0ac15bab3 ] + +In looping on FW update tests we occasionally see the +FW_ACTIVATE_STATUS command fail while it is in its EAGAIN loop +waiting for the FW activate step to finsh inside the FW. The +firmware is complaining that the done bit is set when a new +dev_cmd is going to be processed. + +Doing a clean on the cmd registers and doorbell before exiting +the wait-for-done and cleaning the done bit before the sleep +prevents this from occurring. + +Fixes: fbfb8031533c ("ionic: Add hardware init and device commands") +Signed-off-by: Shannon Nelson +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/pensando/ionic/ionic_main.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/pensando/ionic/ionic_main.c b/drivers/net/ethernet/pensando/ionic/ionic_main.c +index 480f85bc17f99..9ede66842118f 100644 +--- a/drivers/net/ethernet/pensando/ionic/ionic_main.c ++++ b/drivers/net/ethernet/pensando/ionic/ionic_main.c +@@ -395,8 +395,8 @@ int ionic_dev_cmd_wait(struct ionic *ionic, unsigned long max_seconds) + ionic_opcode_to_str(opcode), opcode, + ionic_error_to_str(err), err); + +- msleep(1000); + iowrite32(0, &idev->dev_cmd_regs->done); ++ msleep(1000); + iowrite32(1, &idev->dev_cmd_regs->doorbell); + goto try_again; + } +@@ -409,6 +409,8 @@ int ionic_dev_cmd_wait(struct ionic *ionic, unsigned long max_seconds) + return ionic_error_to_errno(err); + } + ++ ionic_dev_cmd_clean(ionic); ++ + return 0; + } + +-- +2.35.1 + diff --git a/queue-5.15/ionic-vf-initial-random-mac-address-if-no-assigned-m.patch b/queue-5.15/ionic-vf-initial-random-mac-address-if-no-assigned-m.patch new file mode 100644 index 00000000000..16ce8ffc28c --- /dev/null +++ b/queue-5.15/ionic-vf-initial-random-mac-address-if-no-assigned-m.patch @@ -0,0 +1,167 @@ +From 9af5234acf714d1f374b5d90a64306e260132326 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Aug 2022 09:50:51 -0700 +Subject: ionic: VF initial random MAC address if no assigned mac + +From: R Mohamed Shah + +[ Upstream commit 19058be7c48ceb3e60fa3948e24da1059bd68ee4 ] + +Assign a random mac address to the VF interface station +address if it boots with a zero mac address in order to match +similar behavior seen in other VF drivers. Handle the errors +where the older firmware does not allow the VF to set its own +station address. + +Newer firmware will allow the VF to set the station mac address +if it hasn't already been set administratively through the PF. +Setting it will also be allowed if the VF has trust. + +Fixes: fbb39807e9ae ("ionic: support sr-iov operations") +Signed-off-by: R Mohamed Shah +Signed-off-by: Shannon Nelson +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/pensando/ionic/ionic_lif.c | 92 ++++++++++++++++++- + 1 file changed, 87 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/pensando/ionic/ionic_lif.c b/drivers/net/ethernet/pensando/ionic/ionic_lif.c +index 226867e65625e..c713a3ee6571b 100644 +--- a/drivers/net/ethernet/pensando/ionic/ionic_lif.c ++++ b/drivers/net/ethernet/pensando/ionic/ionic_lif.c +@@ -1692,8 +1692,67 @@ static int ionic_set_features(struct net_device *netdev, + return err; + } + ++static int ionic_set_attr_mac(struct ionic_lif *lif, u8 *mac) ++{ ++ struct ionic_admin_ctx ctx = { ++ .work = COMPLETION_INITIALIZER_ONSTACK(ctx.work), ++ .cmd.lif_setattr = { ++ .opcode = IONIC_CMD_LIF_SETATTR, ++ .index = cpu_to_le16(lif->index), ++ .attr = IONIC_LIF_ATTR_MAC, ++ }, ++ }; ++ ++ ether_addr_copy(ctx.cmd.lif_setattr.mac, mac); ++ return ionic_adminq_post_wait(lif, &ctx); ++} ++ ++static int ionic_get_attr_mac(struct ionic_lif *lif, u8 *mac_addr) ++{ ++ struct ionic_admin_ctx ctx = { ++ .work = COMPLETION_INITIALIZER_ONSTACK(ctx.work), ++ .cmd.lif_getattr = { ++ .opcode = IONIC_CMD_LIF_GETATTR, ++ .index = cpu_to_le16(lif->index), ++ .attr = IONIC_LIF_ATTR_MAC, ++ }, ++ }; ++ int err; ++ ++ err = ionic_adminq_post_wait(lif, &ctx); ++ if (err) ++ return err; ++ ++ ether_addr_copy(mac_addr, ctx.comp.lif_getattr.mac); ++ return 0; ++} ++ ++static int ionic_program_mac(struct ionic_lif *lif, u8 *mac) ++{ ++ u8 get_mac[ETH_ALEN]; ++ int err; ++ ++ err = ionic_set_attr_mac(lif, mac); ++ if (err) ++ return err; ++ ++ err = ionic_get_attr_mac(lif, get_mac); ++ if (err) ++ return err; ++ ++ /* To deal with older firmware that silently ignores the set attr mac: ++ * doesn't actually change the mac and doesn't return an error, so we ++ * do the get attr to verify whether or not the set actually happened ++ */ ++ if (!ether_addr_equal(get_mac, mac)) ++ return 1; ++ ++ return 0; ++} ++ + static int ionic_set_mac_address(struct net_device *netdev, void *sa) + { ++ struct ionic_lif *lif = netdev_priv(netdev); + struct sockaddr *addr = sa; + u8 *mac; + int err; +@@ -1702,6 +1761,14 @@ static int ionic_set_mac_address(struct net_device *netdev, void *sa) + if (ether_addr_equal(netdev->dev_addr, mac)) + return 0; + ++ err = ionic_program_mac(lif, mac); ++ if (err < 0) ++ return err; ++ ++ if (err > 0) ++ netdev_dbg(netdev, "%s: SET and GET ATTR Mac are not equal-due to old FW running\n", ++ __func__); ++ + err = eth_prepare_mac_addr_change(netdev, addr); + if (err) + return err; +@@ -3226,6 +3293,7 @@ static int ionic_station_set(struct ionic_lif *lif) + .attr = IONIC_LIF_ATTR_MAC, + }, + }; ++ u8 mac_address[ETH_ALEN]; + struct sockaddr addr; + int err; + +@@ -3234,8 +3302,23 @@ static int ionic_station_set(struct ionic_lif *lif) + return err; + netdev_dbg(lif->netdev, "found initial MAC addr %pM\n", + ctx.comp.lif_getattr.mac); +- if (is_zero_ether_addr(ctx.comp.lif_getattr.mac)) +- return 0; ++ ether_addr_copy(mac_address, ctx.comp.lif_getattr.mac); ++ ++ if (is_zero_ether_addr(mac_address)) { ++ eth_hw_addr_random(netdev); ++ netdev_dbg(netdev, "Random Mac generated: %pM\n", netdev->dev_addr); ++ ether_addr_copy(mac_address, netdev->dev_addr); ++ ++ err = ionic_program_mac(lif, mac_address); ++ if (err < 0) ++ return err; ++ ++ if (err > 0) { ++ netdev_dbg(netdev, "%s:SET/GET ATTR Mac are not same-due to old FW running\n", ++ __func__); ++ return 0; ++ } ++ } + + if (!is_zero_ether_addr(netdev->dev_addr)) { + /* If the netdev mac is non-zero and doesn't match the default +@@ -3243,12 +3326,11 @@ static int ionic_station_set(struct ionic_lif *lif) + * likely here again after a fw-upgrade reset. We need to be + * sure the netdev mac is in our filter list. + */ +- if (!ether_addr_equal(ctx.comp.lif_getattr.mac, +- netdev->dev_addr)) ++ if (!ether_addr_equal(mac_address, netdev->dev_addr)) + ionic_lif_addr_add(lif, netdev->dev_addr); + } else { + /* Update the netdev mac with the device's mac */ +- memcpy(addr.sa_data, ctx.comp.lif_getattr.mac, netdev->addr_len); ++ ether_addr_copy(addr.sa_data, mac_address); + addr.sa_family = AF_INET; + err = eth_prepare_mac_addr_change(netdev, &addr); + if (err) { +-- +2.35.1 + diff --git a/queue-5.15/ionic-widen-queue_lock-use-around-lif-init-and-deini.patch b/queue-5.15/ionic-widen-queue_lock-use-around-lif-init-and-deini.patch new file mode 100644 index 00000000000..aac6ee244c3 --- /dev/null +++ b/queue-5.15/ionic-widen-queue_lock-use-around-lif-init-and-deini.patch @@ -0,0 +1,82 @@ +From 4cda68b3a58208e7d1b51fa6dcda362ada58e001 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Oct 2021 11:05:54 -0700 +Subject: ionic: widen queue_lock use around lif init and deinit + +From: Shannon Nelson + +[ Upstream commit 2624d95972dbebe5f226361bfc51a83bdb68c93b ] + +Widen the coverage of the queue_lock to be sure the lif init +and lif deinit actions are protected. This addresses a hang +seen when a Tx Timeout action was attempted at the same time +as a FW Reset was started. + +Signed-off-by: Shannon Nelson +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/pensando/ionic/ionic_lif.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/pensando/ionic/ionic_lif.c b/drivers/net/ethernet/pensando/ionic/ionic_lif.c +index 781313dbd04f2..abfb5efc52b86 100644 +--- a/drivers/net/ethernet/pensando/ionic/ionic_lif.c ++++ b/drivers/net/ethernet/pensando/ionic/ionic_lif.c +@@ -2974,11 +2974,10 @@ static void ionic_lif_handle_fw_down(struct ionic_lif *lif) + + netif_device_detach(lif->netdev); + ++ mutex_lock(&lif->queue_lock); + if (test_bit(IONIC_LIF_F_UP, lif->state)) { + dev_info(ionic->dev, "Surprise FW stop, stopping queues\n"); +- mutex_lock(&lif->queue_lock); + ionic_stop_queues(lif); +- mutex_unlock(&lif->queue_lock); + } + + if (netif_running(lif->netdev)) { +@@ -2989,6 +2988,8 @@ static void ionic_lif_handle_fw_down(struct ionic_lif *lif) + ionic_reset(ionic); + ionic_qcqs_free(lif); + ++ mutex_unlock(&lif->queue_lock); ++ + dev_info(ionic->dev, "FW Down: LIFs stopped\n"); + } + +@@ -3012,9 +3013,12 @@ static void ionic_lif_handle_fw_up(struct ionic_lif *lif) + err = ionic_port_init(ionic); + if (err) + goto err_out; ++ ++ mutex_lock(&lif->queue_lock); ++ + err = ionic_qcqs_alloc(lif); + if (err) +- goto err_out; ++ goto err_unlock; + + err = ionic_lif_init(lif); + if (err) +@@ -3035,6 +3039,8 @@ static void ionic_lif_handle_fw_up(struct ionic_lif *lif) + goto err_txrx_free; + } + ++ mutex_unlock(&lif->queue_lock); ++ + clear_bit(IONIC_LIF_F_FW_RESET, lif->state); + ionic_link_status_check_request(lif, CAN_SLEEP); + netif_device_attach(lif->netdev); +@@ -3051,6 +3057,8 @@ static void ionic_lif_handle_fw_up(struct ionic_lif *lif) + ionic_lif_deinit(lif); + err_qcqs_free: + ionic_qcqs_free(lif); ++err_unlock: ++ mutex_unlock(&lif->queue_lock); + err_out: + dev_err(ionic->dev, "FW Up: LIFs restart failed - err %d\n", err); + } +-- +2.35.1 + diff --git a/queue-5.15/ixgbe-stop-resetting-systime-in-ixgbe_ptp_start_cycl.patch b/queue-5.15/ixgbe-stop-resetting-systime-in-ixgbe_ptp_start_cycl.patch new file mode 100644 index 00000000000..05c1602accd --- /dev/null +++ b/queue-5.15/ixgbe-stop-resetting-systime-in-ixgbe_ptp_start_cycl.patch @@ -0,0 +1,137 @@ +From fab74463f4e80fac506ddd97b103dbe12cc09c43 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Aug 2022 17:24:19 -0700 +Subject: ixgbe: stop resetting SYSTIME in ixgbe_ptp_start_cyclecounter + +From: Jacob Keller + +[ Upstream commit 25d7a5f5a6bb15a2dae0a3f39ea5dda215024726 ] + +The ixgbe_ptp_start_cyclecounter is intended to be called whenever the +cyclecounter parameters need to be changed. + +Since commit a9763f3cb54c ("ixgbe: Update PTP to support X550EM_x +devices"), this function has cleared the SYSTIME registers and reset the +TSAUXC DISABLE_SYSTIME bit. + +While these need to be cleared during ixgbe_ptp_reset, it is wrong to clear +them during ixgbe_ptp_start_cyclecounter. This function may be called +during both reset and link status change. When link changes, the SYSTIME +counter is still operating normally, but the cyclecounter should be updated +to account for the possibly changed parameters. + +Clearing SYSTIME when link changes causes the timecounter to jump because +the cycle counter now reads zero. + +Extract the SYSTIME initialization out to a new function and call this +during ixgbe_ptp_reset. This prevents the timecounter adjustment and avoids +an unnecessary reset of the current time. + +This also restores the original SYSTIME clearing that occurred during +ixgbe_ptp_reset before the commit above. + +Reported-by: Steve Payne +Reported-by: Ilya Evenbach +Fixes: a9763f3cb54c ("ixgbe: Update PTP to support X550EM_x devices") +Signed-off-by: Jacob Keller +Tested-by: Gurucharan (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 59 +++++++++++++++----- + 1 file changed, 46 insertions(+), 13 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c +index 23ddfd79fc8b6..29be1d6eca436 100644 +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c +@@ -1212,7 +1212,6 @@ void ixgbe_ptp_start_cyclecounter(struct ixgbe_adapter *adapter) + struct cyclecounter cc; + unsigned long flags; + u32 incval = 0; +- u32 tsauxc = 0; + u32 fuse0 = 0; + + /* For some of the boards below this mask is technically incorrect. +@@ -1247,18 +1246,6 @@ void ixgbe_ptp_start_cyclecounter(struct ixgbe_adapter *adapter) + case ixgbe_mac_x550em_a: + case ixgbe_mac_X550: + cc.read = ixgbe_ptp_read_X550; +- +- /* enable SYSTIME counter */ +- IXGBE_WRITE_REG(hw, IXGBE_SYSTIMR, 0); +- IXGBE_WRITE_REG(hw, IXGBE_SYSTIML, 0); +- IXGBE_WRITE_REG(hw, IXGBE_SYSTIMH, 0); +- tsauxc = IXGBE_READ_REG(hw, IXGBE_TSAUXC); +- IXGBE_WRITE_REG(hw, IXGBE_TSAUXC, +- tsauxc & ~IXGBE_TSAUXC_DISABLE_SYSTIME); +- IXGBE_WRITE_REG(hw, IXGBE_TSIM, IXGBE_TSIM_TXTS); +- IXGBE_WRITE_REG(hw, IXGBE_EIMS, IXGBE_EIMS_TIMESYNC); +- +- IXGBE_WRITE_FLUSH(hw); + break; + case ixgbe_mac_X540: + cc.read = ixgbe_ptp_read_82599; +@@ -1290,6 +1277,50 @@ void ixgbe_ptp_start_cyclecounter(struct ixgbe_adapter *adapter) + spin_unlock_irqrestore(&adapter->tmreg_lock, flags); + } + ++/** ++ * ixgbe_ptp_init_systime - Initialize SYSTIME registers ++ * @adapter: the ixgbe private board structure ++ * ++ * Initialize and start the SYSTIME registers. ++ */ ++static void ixgbe_ptp_init_systime(struct ixgbe_adapter *adapter) ++{ ++ struct ixgbe_hw *hw = &adapter->hw; ++ u32 tsauxc; ++ ++ switch (hw->mac.type) { ++ case ixgbe_mac_X550EM_x: ++ case ixgbe_mac_x550em_a: ++ case ixgbe_mac_X550: ++ tsauxc = IXGBE_READ_REG(hw, IXGBE_TSAUXC); ++ ++ /* Reset SYSTIME registers to 0 */ ++ IXGBE_WRITE_REG(hw, IXGBE_SYSTIMR, 0); ++ IXGBE_WRITE_REG(hw, IXGBE_SYSTIML, 0); ++ IXGBE_WRITE_REG(hw, IXGBE_SYSTIMH, 0); ++ ++ /* Reset interrupt settings */ ++ IXGBE_WRITE_REG(hw, IXGBE_TSIM, IXGBE_TSIM_TXTS); ++ IXGBE_WRITE_REG(hw, IXGBE_EIMS, IXGBE_EIMS_TIMESYNC); ++ ++ /* Activate the SYSTIME counter */ ++ IXGBE_WRITE_REG(hw, IXGBE_TSAUXC, ++ tsauxc & ~IXGBE_TSAUXC_DISABLE_SYSTIME); ++ break; ++ case ixgbe_mac_X540: ++ case ixgbe_mac_82599EB: ++ /* Reset SYSTIME registers to 0 */ ++ IXGBE_WRITE_REG(hw, IXGBE_SYSTIML, 0); ++ IXGBE_WRITE_REG(hw, IXGBE_SYSTIMH, 0); ++ break; ++ default: ++ /* Other devices aren't supported */ ++ return; ++ }; ++ ++ IXGBE_WRITE_FLUSH(hw); ++} ++ + /** + * ixgbe_ptp_reset + * @adapter: the ixgbe private board structure +@@ -1316,6 +1347,8 @@ void ixgbe_ptp_reset(struct ixgbe_adapter *adapter) + + ixgbe_ptp_start_cyclecounter(adapter); + ++ ixgbe_ptp_init_systime(adapter); ++ + spin_lock_irqsave(&adapter->tmreg_lock, flags); + timecounter_init(&adapter->hw_tc, &adapter->hw_cc, + ktime_to_ns(ktime_get_real())); +-- +2.35.1 + diff --git a/queue-5.15/mm-smaps-don-t-access-young-dirty-bit-if-pte-unprese.patch b/queue-5.15/mm-smaps-don-t-access-young-dirty-bit-if-pte-unprese.patch new file mode 100644 index 00000000000..e3f3fc43354 --- /dev/null +++ b/queue-5.15/mm-smaps-don-t-access-young-dirty-bit-if-pte-unprese.patch @@ -0,0 +1,67 @@ +From 780b7ee0bfa93fdc2062d66c143a2f642f636dd3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Aug 2022 12:00:03 -0400 +Subject: mm/smaps: don't access young/dirty bit if pte unpresent + +From: Peter Xu + +[ Upstream commit efd4149342db2df41b1bbe68972ead853b30e444 ] + +These bits should only be valid when the ptes are present. Introducing +two booleans for it and set it to false when !pte_present() for both pte +and pmd accountings. + +The bug is found during code reading and no real world issue reported, but +logically such an error can cause incorrect readings for either smaps or +smaps_rollup output on quite a few fields. + +For example, it could cause over-estimate on values like Shared_Dirty, +Private_Dirty, Referenced. Or it could also cause under-estimate on +values like LazyFree, Shared_Clean, Private_Clean. + +Link: https://lkml.kernel.org/r/20220805160003.58929-1-peterx@redhat.com +Fixes: b1d4d9e0cbd0 ("proc/smaps: carefully handle migration entries") +Fixes: c94b6923fa0a ("/proc/PID/smaps: Add PMD migration entry parsing") +Signed-off-by: Peter Xu +Reviewed-by: Vlastimil Babka +Reviewed-by: David Hildenbrand +Reviewed-by: Yang Shi +Cc: Konstantin Khlebnikov +Cc: Huang Ying +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + fs/proc/task_mmu.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c +index 79ca4d69dfd6b..d9c07eecd7872 100644 +--- a/fs/proc/task_mmu.c ++++ b/fs/proc/task_mmu.c +@@ -503,10 +503,12 @@ static void smaps_pte_entry(pte_t *pte, unsigned long addr, + struct vm_area_struct *vma = walk->vma; + bool locked = !!(vma->vm_flags & VM_LOCKED); + struct page *page = NULL; +- bool migration = false; ++ bool migration = false, young = false, dirty = false; + + if (pte_present(*pte)) { + page = vm_normal_page(vma, addr, *pte); ++ young = pte_young(*pte); ++ dirty = pte_dirty(*pte); + } else if (is_swap_pte(*pte)) { + swp_entry_t swpent = pte_to_swp_entry(*pte); + +@@ -540,8 +542,7 @@ static void smaps_pte_entry(pte_t *pte, unsigned long addr, + if (!page) + return; + +- smaps_account(mss, page, false, pte_young(*pte), pte_dirty(*pte), +- locked, migration); ++ smaps_account(mss, page, false, young, dirty, locked, migration); + } + + #ifdef CONFIG_TRANSPARENT_HUGEPAGE +-- +2.35.1 + diff --git a/queue-5.15/mptcp-stop-relying-on-tcp_tx_skb_cache.patch b/queue-5.15/mptcp-stop-relying-on-tcp_tx_skb_cache.patch new file mode 100644 index 00000000000..8b070e42e42 --- /dev/null +++ b/queue-5.15/mptcp-stop-relying-on-tcp_tx_skb_cache.patch @@ -0,0 +1,254 @@ +From a254284a82477e59d5bbe7b83bea513a802e1793 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Sep 2021 19:26:41 +0200 +Subject: mptcp: stop relying on tcp_tx_skb_cache + +From: Paolo Abeni + +[ Upstream commit f70cad1085d1e01d3ec73c1078405f906237feee ] + +We want to revert the skb TX cache, but MPTCP is currently +using it unconditionally. + +Rework the MPTCP tx code, so that tcp_tx_skb_cache is not +needed anymore: do the whole coalescing check, skb allocation +skb initialization/update inside mptcp_sendmsg_frag(), quite +alike the current TCP code. + +Reviewed-by: Mat Martineau +Signed-off-by: Paolo Abeni +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/mptcp/protocol.c | 137 ++++++++++++++++++++++++------------------- + 1 file changed, 77 insertions(+), 60 deletions(-) + +diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c +index 7f96e0c42a090..a089791414bfb 100644 +--- a/net/mptcp/protocol.c ++++ b/net/mptcp/protocol.c +@@ -1224,6 +1224,7 @@ static struct sk_buff *__mptcp_do_alloc_tx_skb(struct sock *sk, gfp_t gfp) + if (likely(__mptcp_add_ext(skb, gfp))) { + skb_reserve(skb, MAX_TCP_HEADER); + skb->reserved_tailroom = skb->end - skb->tail; ++ INIT_LIST_HEAD(&skb->tcp_tsorted_anchor); + return skb; + } + __kfree_skb(skb); +@@ -1233,31 +1234,23 @@ static struct sk_buff *__mptcp_do_alloc_tx_skb(struct sock *sk, gfp_t gfp) + return NULL; + } + +-static bool __mptcp_alloc_tx_skb(struct sock *sk, struct sock *ssk, gfp_t gfp) ++static struct sk_buff *__mptcp_alloc_tx_skb(struct sock *sk, struct sock *ssk, gfp_t gfp) + { + struct sk_buff *skb; + +- if (ssk->sk_tx_skb_cache) { +- skb = ssk->sk_tx_skb_cache; +- if (unlikely(!skb_ext_find(skb, SKB_EXT_MPTCP) && +- !__mptcp_add_ext(skb, gfp))) +- return false; +- return true; +- } +- + skb = __mptcp_do_alloc_tx_skb(sk, gfp); + if (!skb) +- return false; ++ return NULL; + + if (likely(sk_wmem_schedule(ssk, skb->truesize))) { +- ssk->sk_tx_skb_cache = skb; +- return true; ++ tcp_skb_entail(ssk, skb); ++ return skb; + } + kfree_skb(skb); +- return false; ++ return NULL; + } + +-static bool mptcp_alloc_tx_skb(struct sock *sk, struct sock *ssk, bool data_lock_held) ++static struct sk_buff *mptcp_alloc_tx_skb(struct sock *sk, struct sock *ssk, bool data_lock_held) + { + gfp_t gfp = data_lock_held ? GFP_ATOMIC : sk->sk_allocation; + +@@ -1287,23 +1280,29 @@ static int mptcp_sendmsg_frag(struct sock *sk, struct sock *ssk, + struct mptcp_sendmsg_info *info) + { + u64 data_seq = dfrag->data_seq + info->sent; ++ int offset = dfrag->offset + info->sent; + struct mptcp_sock *msk = mptcp_sk(sk); + bool zero_window_probe = false; + struct mptcp_ext *mpext = NULL; +- struct sk_buff *skb, *tail; +- bool must_collapse = false; +- int size_bias = 0; +- int avail_size; +- size_t ret = 0; ++ bool can_coalesce = false; ++ bool reuse_skb = true; ++ struct sk_buff *skb; ++ size_t copy; ++ int i; + + pr_debug("msk=%p ssk=%p sending dfrag at seq=%llu len=%u already sent=%u", + msk, ssk, dfrag->data_seq, dfrag->data_len, info->sent); + ++ if (WARN_ON_ONCE(info->sent > info->limit || ++ info->limit > dfrag->data_len)) ++ return 0; ++ + /* compute send limit */ + info->mss_now = tcp_send_mss(ssk, &info->size_goal, info->flags); +- avail_size = info->size_goal; ++ copy = info->size_goal; ++ + skb = tcp_write_queue_tail(ssk); +- if (skb) { ++ if (skb && copy > skb->len) { + /* Limit the write to the size available in the + * current skb, if any, so that we create at most a new skb. + * Explicitly tells TCP internals to avoid collapsing on later +@@ -1316,62 +1315,80 @@ static int mptcp_sendmsg_frag(struct sock *sk, struct sock *ssk, + goto alloc_skb; + } + +- must_collapse = (info->size_goal > skb->len) && +- (skb_shinfo(skb)->nr_frags < sysctl_max_skb_frags); +- if (must_collapse) { +- size_bias = skb->len; +- avail_size = info->size_goal - skb->len; ++ i = skb_shinfo(skb)->nr_frags; ++ can_coalesce = skb_can_coalesce(skb, i, dfrag->page, offset); ++ if (!can_coalesce && i >= sysctl_max_skb_frags) { ++ tcp_mark_push(tcp_sk(ssk), skb); ++ goto alloc_skb; + } +- } + ++ copy -= skb->len; ++ } else { + alloc_skb: +- if (!must_collapse && +- !mptcp_alloc_tx_skb(sk, ssk, info->data_lock_held)) +- return 0; ++ skb = mptcp_alloc_tx_skb(sk, ssk, info->data_lock_held); ++ if (!skb) ++ return -ENOMEM; ++ ++ i = skb_shinfo(skb)->nr_frags; ++ reuse_skb = false; ++ mpext = skb_ext_find(skb, SKB_EXT_MPTCP); ++ } + + /* Zero window and all data acked? Probe. */ +- avail_size = mptcp_check_allowed_size(msk, data_seq, avail_size); +- if (avail_size == 0) { ++ copy = mptcp_check_allowed_size(msk, data_seq, copy); ++ if (copy == 0) { + u64 snd_una = READ_ONCE(msk->snd_una); + +- if (skb || snd_una != msk->snd_nxt) ++ if (snd_una != msk->snd_nxt) { ++ tcp_remove_empty_skb(ssk, tcp_write_queue_tail(ssk)); + return 0; ++ } ++ + zero_window_probe = true; + data_seq = snd_una - 1; +- avail_size = 1; +- } ++ copy = 1; + +- if (WARN_ON_ONCE(info->sent > info->limit || +- info->limit > dfrag->data_len)) +- return 0; ++ /* all mptcp-level data is acked, no skbs should be present into the ++ * ssk write queue ++ */ ++ WARN_ON_ONCE(reuse_skb); ++ } + +- ret = info->limit - info->sent; +- tail = tcp_build_frag(ssk, avail_size + size_bias, info->flags, +- dfrag->page, dfrag->offset + info->sent, &ret); +- if (!tail) { +- tcp_remove_empty_skb(sk, tcp_write_queue_tail(ssk)); ++ copy = min_t(size_t, copy, info->limit - info->sent); ++ if (!sk_wmem_schedule(ssk, copy)) { ++ tcp_remove_empty_skb(ssk, tcp_write_queue_tail(ssk)); + return -ENOMEM; + } + +- /* if the tail skb is still the cached one, collapsing really happened. +- */ +- if (skb == tail) { +- TCP_SKB_CB(tail)->tcp_flags &= ~TCPHDR_PSH; +- mpext->data_len += ret; ++ if (can_coalesce) { ++ skb_frag_size_add(&skb_shinfo(skb)->frags[i - 1], copy); ++ } else { ++ get_page(dfrag->page); ++ skb_fill_page_desc(skb, i, dfrag->page, offset, copy); ++ } ++ ++ skb->len += copy; ++ skb->data_len += copy; ++ skb->truesize += copy; ++ sk_wmem_queued_add(ssk, copy); ++ sk_mem_charge(ssk, copy); ++ skb->ip_summed = CHECKSUM_PARTIAL; ++ WRITE_ONCE(tcp_sk(ssk)->write_seq, tcp_sk(ssk)->write_seq + copy); ++ TCP_SKB_CB(skb)->end_seq += copy; ++ tcp_skb_pcount_set(skb, 0); ++ ++ /* on skb reuse we just need to update the DSS len */ ++ if (reuse_skb) { ++ TCP_SKB_CB(skb)->tcp_flags &= ~TCPHDR_PSH; ++ mpext->data_len += copy; + WARN_ON_ONCE(zero_window_probe); + goto out; + } + +- mpext = skb_ext_find(tail, SKB_EXT_MPTCP); +- if (WARN_ON_ONCE(!mpext)) { +- /* should never reach here, stream corrupted */ +- return -EINVAL; +- } +- + memset(mpext, 0, sizeof(*mpext)); + mpext->data_seq = data_seq; + mpext->subflow_seq = mptcp_subflow_ctx(ssk)->rel_write_seq; +- mpext->data_len = ret; ++ mpext->data_len = copy; + mpext->use_map = 1; + mpext->dsn64 = 1; + +@@ -1380,18 +1397,18 @@ static int mptcp_sendmsg_frag(struct sock *sk, struct sock *ssk, + mpext->dsn64); + + if (zero_window_probe) { +- mptcp_subflow_ctx(ssk)->rel_write_seq += ret; ++ mptcp_subflow_ctx(ssk)->rel_write_seq += copy; + mpext->frozen = 1; + if (READ_ONCE(msk->csum_enabled)) +- mptcp_update_data_checksum(tail, ret); ++ mptcp_update_data_checksum(skb, copy); + tcp_push_pending_frames(ssk); + return 0; + } + out: + if (READ_ONCE(msk->csum_enabled)) +- mptcp_update_data_checksum(tail, ret); +- mptcp_subflow_ctx(ssk)->rel_write_seq += ret; +- return ret; ++ mptcp_update_data_checksum(skb, copy); ++ mptcp_subflow_ctx(ssk)->rel_write_seq += copy; ++ return copy; + } + + #define MPTCP_SEND_BURST_SIZE ((1 << 16) - \ +-- +2.35.1 + diff --git a/queue-5.15/net-fix-a-data-race-around-netdev_budget.patch b/queue-5.15/net-fix-a-data-race-around-netdev_budget.patch new file mode 100644 index 00000000000..131a3ad7ea6 --- /dev/null +++ b/queue-5.15/net-fix-a-data-race-around-netdev_budget.patch @@ -0,0 +1,36 @@ +From caefda1c5a4cedde53419e679ac8ec11d955eccf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Aug 2022 10:46:53 -0700 +Subject: net: Fix a data-race around netdev_budget. + +From: Kuniyuki Iwashima + +[ Upstream commit 2e0c42374ee32e72948559d2ae2f7ba3dc6b977c ] + +While reading netdev_budget, it can be changed concurrently. +Thus, we need to add READ_ONCE() to its reader. + +Fixes: 51b0bdedb8e7 ("[NET]: Separate two usages of netdev_max_backlog.") +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/dev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/core/dev.c b/net/core/dev.c +index 28f623628876c..fefe8ddd282fd 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -7138,7 +7138,7 @@ static __latent_entropy void net_rx_action(struct softirq_action *h) + struct softnet_data *sd = this_cpu_ptr(&softnet_data); + unsigned long time_limit = jiffies + + usecs_to_jiffies(netdev_budget_usecs); +- int budget = netdev_budget; ++ int budget = READ_ONCE(netdev_budget); + LIST_HEAD(list); + LIST_HEAD(repoll); + +-- +2.35.1 + diff --git a/queue-5.15/net-fix-a-data-race-around-netdev_budget_usecs.patch b/queue-5.15/net-fix-a-data-race-around-netdev_budget_usecs.patch new file mode 100644 index 00000000000..ae702a3436a --- /dev/null +++ b/queue-5.15/net-fix-a-data-race-around-netdev_budget_usecs.patch @@ -0,0 +1,36 @@ +From 601bf4829aa09491e50f982d85f6ce0ca9f79a68 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Aug 2022 10:46:55 -0700 +Subject: net: Fix a data-race around netdev_budget_usecs. + +From: Kuniyuki Iwashima + +[ Upstream commit fa45d484c52c73f79db2c23b0cdfc6c6455093ad ] + +While reading netdev_budget_usecs, it can be changed concurrently. +Thus, we need to add READ_ONCE() to its reader. + +Fixes: 7acf8a1e8a28 ("Replace 2 jiffies with sysctl netdev_budget_usecs to enable softirq tuning") +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/dev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/core/dev.c b/net/core/dev.c +index fefe8ddd282fd..276cca563325e 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -7137,7 +7137,7 @@ static __latent_entropy void net_rx_action(struct softirq_action *h) + { + struct softnet_data *sd = this_cpu_ptr(&softnet_data); + unsigned long time_limit = jiffies + +- usecs_to_jiffies(netdev_budget_usecs); ++ usecs_to_jiffies(READ_ONCE(netdev_budget_usecs)); + int budget = READ_ONCE(netdev_budget); + LIST_HEAD(list); + LIST_HEAD(repoll); +-- +2.35.1 + diff --git a/queue-5.15/net-fix-a-data-race-around-sysctl_net_busy_poll.patch b/queue-5.15/net-fix-a-data-race-around-sysctl_net_busy_poll.patch new file mode 100644 index 00000000000..e41e98dbdf6 --- /dev/null +++ b/queue-5.15/net-fix-a-data-race-around-sysctl_net_busy_poll.patch @@ -0,0 +1,36 @@ +From 323d16ec073d7a8ae901c469b066c2b28b1ae688 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Aug 2022 10:46:51 -0700 +Subject: net: Fix a data-race around sysctl_net_busy_poll. + +From: Kuniyuki Iwashima + +[ Upstream commit c42b7cddea47503411bfb5f2f93a4154aaffa2d9 ] + +While reading sysctl_net_busy_poll, it can be changed concurrently. +Thus, we need to add READ_ONCE() to its reader. + +Fixes: 060212928670 ("net: add low latency socket poll") +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/net/busy_poll.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/net/busy_poll.h b/include/net/busy_poll.h +index 40296ed976a97..3459a04a3d61c 100644 +--- a/include/net/busy_poll.h ++++ b/include/net/busy_poll.h +@@ -33,7 +33,7 @@ extern unsigned int sysctl_net_busy_poll __read_mostly; + + static inline bool net_busy_loop_on(void) + { +- return sysctl_net_busy_poll; ++ return READ_ONCE(sysctl_net_busy_poll); + } + + static inline bool sk_can_busy_loop(const struct sock *sk) +-- +2.35.1 + diff --git a/queue-5.15/net-fix-a-data-race-around-sysctl_net_busy_read.patch b/queue-5.15/net-fix-a-data-race-around-sysctl_net_busy_read.patch new file mode 100644 index 00000000000..ed0d7a3ca2b --- /dev/null +++ b/queue-5.15/net-fix-a-data-race-around-sysctl_net_busy_read.patch @@ -0,0 +1,36 @@ +From 4d52c3a8b6799cd483e5ec1e39578c2493a1952e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Aug 2022 10:46:52 -0700 +Subject: net: Fix a data-race around sysctl_net_busy_read. + +From: Kuniyuki Iwashima + +[ Upstream commit e59ef36f0795696ab229569c153936bfd068d21c ] + +While reading sysctl_net_busy_read, it can be changed concurrently. +Thus, we need to add READ_ONCE() to its reader. + +Fixes: 2d48d67fa8cd ("net: poll/select low latency socket support") +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/sock.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/core/sock.c b/net/core/sock.c +index 5ab7b59cdab83..9bcffe1d5332a 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -3182,7 +3182,7 @@ void sock_init_data(struct socket *sock, struct sock *sk) + + #ifdef CONFIG_NET_RX_BUSY_POLL + sk->sk_napi_id = 0; +- sk->sk_ll_usec = sysctl_net_busy_read; ++ sk->sk_ll_usec = READ_ONCE(sysctl_net_busy_read); + #endif + + sk->sk_max_pacing_rate = ~0UL; +-- +2.35.1 + diff --git a/queue-5.15/net-fix-a-data-race-around-sysctl_somaxconn.patch b/queue-5.15/net-fix-a-data-race-around-sysctl_somaxconn.patch new file mode 100644 index 00000000000..65ee222eaec --- /dev/null +++ b/queue-5.15/net-fix-a-data-race-around-sysctl_somaxconn.patch @@ -0,0 +1,36 @@ +From 9a397864a9a24a37d29c8cf8f580b23f6f0c7a50 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Aug 2022 10:47:00 -0700 +Subject: net: Fix a data-race around sysctl_somaxconn. + +From: Kuniyuki Iwashima + +[ Upstream commit 3c9ba81d72047f2e81bb535d42856517b613aba7 ] + +While reading sysctl_somaxconn, it can be changed concurrently. +Thus, we need to add READ_ONCE() to its reader. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/socket.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/socket.c b/net/socket.c +index 5053eb0100e48..73666b878f2ce 100644 +--- a/net/socket.c ++++ b/net/socket.c +@@ -1721,7 +1721,7 @@ int __sys_listen(int fd, int backlog) + + sock = sockfd_lookup_light(fd, &err, &fput_needed); + if (sock) { +- somaxconn = sock_net(sock->sk)->core.sysctl_somaxconn; ++ somaxconn = READ_ONCE(sock_net(sock->sk)->core.sysctl_somaxconn); + if ((unsigned int)backlog > somaxconn) + backlog = somaxconn; + +-- +2.35.1 + diff --git a/queue-5.15/net-fix-a-data-race-around-sysctl_tstamp_allow_data.patch b/queue-5.15/net-fix-a-data-race-around-sysctl_tstamp_allow_data.patch new file mode 100644 index 00000000000..1800a79b61f --- /dev/null +++ b/queue-5.15/net-fix-a-data-race-around-sysctl_tstamp_allow_data.patch @@ -0,0 +1,36 @@ +From f5669b8326b2cbc1d490583451d870b168aca256 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Aug 2022 10:46:50 -0700 +Subject: net: Fix a data-race around sysctl_tstamp_allow_data. + +From: Kuniyuki Iwashima + +[ Upstream commit d2154b0afa73c0159b2856f875c6b4fe7cf6a95e ] + +While reading sysctl_tstamp_allow_data, it can be changed +concurrently. Thus, we need to add READ_ONCE() to its reader. + +Fixes: b245be1f4db1 ("net-timestamp: no-payload only sysctl") +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/skbuff.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/core/skbuff.c b/net/core/skbuff.c +index 5ebef94e14dc6..563848242ad33 100644 +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -4892,7 +4892,7 @@ static bool skb_may_tx_timestamp(struct sock *sk, bool tsonly) + { + bool ret; + +- if (likely(sysctl_tstamp_allow_data || tsonly)) ++ if (likely(READ_ONCE(sysctl_tstamp_allow_data) || tsonly)) + return true; + + read_lock_bh(&sk->sk_callback_lock); +-- +2.35.1 + diff --git a/queue-5.15/net-fix-data-races-around-netdev_max_backlog.patch b/queue-5.15/net-fix-data-races-around-netdev_max_backlog.patch new file mode 100644 index 00000000000..cac3e1b64f2 --- /dev/null +++ b/queue-5.15/net-fix-data-races-around-netdev_max_backlog.patch @@ -0,0 +1,103 @@ +From 1fb30558960b93f0d48e7e43a3cc000139ce2f87 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Aug 2022 10:46:46 -0700 +Subject: net: Fix data-races around netdev_max_backlog. + +From: Kuniyuki Iwashima + +[ Upstream commit 5dcd08cd19912892586c6082d56718333e2d19db ] + +While reading netdev_max_backlog, it can be changed concurrently. +Thus, we need to add READ_ONCE() to its readers. + +While at it, we remove the unnecessary spaces in the doc. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + Documentation/admin-guide/sysctl/net.rst | 2 +- + net/core/dev.c | 4 ++-- + net/core/gro_cells.c | 2 +- + net/xfrm/espintcp.c | 2 +- + net/xfrm/xfrm_input.c | 2 +- + 5 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/Documentation/admin-guide/sysctl/net.rst b/Documentation/admin-guide/sysctl/net.rst +index 4150f74c521a8..5310f398794c1 100644 +--- a/Documentation/admin-guide/sysctl/net.rst ++++ b/Documentation/admin-guide/sysctl/net.rst +@@ -271,7 +271,7 @@ poll cycle or the number of packets processed reaches netdev_budget. + netdev_max_backlog + ------------------ + +-Maximum number of packets, queued on the INPUT side, when the interface ++Maximum number of packets, queued on the INPUT side, when the interface + receives packets faster than kernel can process them. + + netdev_rss_key +diff --git a/net/core/dev.c b/net/core/dev.c +index 1a0de071fcf45..87cf2e0d8f6f1 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -4589,7 +4589,7 @@ static bool skb_flow_limit(struct sk_buff *skb, unsigned int qlen) + struct softnet_data *sd; + unsigned int old_flow, new_flow; + +- if (qlen < (netdev_max_backlog >> 1)) ++ if (qlen < (READ_ONCE(netdev_max_backlog) >> 1)) + return false; + + sd = this_cpu_ptr(&softnet_data); +@@ -4637,7 +4637,7 @@ static int enqueue_to_backlog(struct sk_buff *skb, int cpu, + if (!netif_running(skb->dev)) + goto drop; + qlen = skb_queue_len(&sd->input_pkt_queue); +- if (qlen <= netdev_max_backlog && !skb_flow_limit(skb, qlen)) { ++ if (qlen <= READ_ONCE(netdev_max_backlog) && !skb_flow_limit(skb, qlen)) { + if (qlen) { + enqueue: + __skb_queue_tail(&sd->input_pkt_queue, skb); +diff --git a/net/core/gro_cells.c b/net/core/gro_cells.c +index 6eb2e5ec2c506..2f66f3f295630 100644 +--- a/net/core/gro_cells.c ++++ b/net/core/gro_cells.c +@@ -26,7 +26,7 @@ int gro_cells_receive(struct gro_cells *gcells, struct sk_buff *skb) + + cell = this_cpu_ptr(gcells->cells); + +- if (skb_queue_len(&cell->napi_skbs) > netdev_max_backlog) { ++ if (skb_queue_len(&cell->napi_skbs) > READ_ONCE(netdev_max_backlog)) { + drop: + atomic_long_inc(&dev->rx_dropped); + kfree_skb(skb); +diff --git a/net/xfrm/espintcp.c b/net/xfrm/espintcp.c +index 1f08ebf7d80c5..24ca49ecebea3 100644 +--- a/net/xfrm/espintcp.c ++++ b/net/xfrm/espintcp.c +@@ -170,7 +170,7 @@ int espintcp_queue_out(struct sock *sk, struct sk_buff *skb) + { + struct espintcp_ctx *ctx = espintcp_getctx(sk); + +- if (skb_queue_len(&ctx->out_queue) >= netdev_max_backlog) ++ if (skb_queue_len(&ctx->out_queue) >= READ_ONCE(netdev_max_backlog)) + return -ENOBUFS; + + __skb_queue_tail(&ctx->out_queue, skb); +diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c +index 3df0861d4390f..5f34bc378fdcf 100644 +--- a/net/xfrm/xfrm_input.c ++++ b/net/xfrm/xfrm_input.c +@@ -782,7 +782,7 @@ int xfrm_trans_queue_net(struct net *net, struct sk_buff *skb, + + trans = this_cpu_ptr(&xfrm_trans_tasklet); + +- if (skb_queue_len(&trans->queue) >= netdev_max_backlog) ++ if (skb_queue_len(&trans->queue) >= READ_ONCE(netdev_max_backlog)) + return -ENOBUFS; + + BUILD_BUG_ON(sizeof(struct xfrm_trans_cb) > sizeof(skb->cb)); +-- +2.35.1 + diff --git a/queue-5.15/net-fix-data-races-around-netdev_tstamp_prequeue.patch b/queue-5.15/net-fix-data-races-around-netdev_tstamp_prequeue.patch new file mode 100644 index 00000000000..a88ea4e0f60 --- /dev/null +++ b/queue-5.15/net-fix-data-races-around-netdev_tstamp_prequeue.patch @@ -0,0 +1,63 @@ +From baace2fe0e41706ab3dad3cb2443301a91722d19 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Aug 2022 10:46:47 -0700 +Subject: net: Fix data-races around netdev_tstamp_prequeue. + +From: Kuniyuki Iwashima + +[ Upstream commit 61adf447e38664447526698872e21c04623afb8e ] + +While reading netdev_tstamp_prequeue, it can be changed concurrently. +Thus, we need to add READ_ONCE() to its readers. + +Fixes: 3b098e2d7c69 ("net: Consistent skb timestamping") +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/dev.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/core/dev.c b/net/core/dev.c +index 87cf2e0d8f6f1..28f623628876c 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -4893,7 +4893,7 @@ static int netif_rx_internal(struct sk_buff *skb) + { + int ret; + +- net_timestamp_check(netdev_tstamp_prequeue, skb); ++ net_timestamp_check(READ_ONCE(netdev_tstamp_prequeue), skb); + + trace_netif_rx(skb); + +@@ -5253,7 +5253,7 @@ static int __netif_receive_skb_core(struct sk_buff **pskb, bool pfmemalloc, + int ret = NET_RX_DROP; + __be16 type; + +- net_timestamp_check(!netdev_tstamp_prequeue, skb); ++ net_timestamp_check(!READ_ONCE(netdev_tstamp_prequeue), skb); + + trace_netif_receive_skb(skb); + +@@ -5634,7 +5634,7 @@ static int netif_receive_skb_internal(struct sk_buff *skb) + { + int ret; + +- net_timestamp_check(netdev_tstamp_prequeue, skb); ++ net_timestamp_check(READ_ONCE(netdev_tstamp_prequeue), skb); + + if (skb_defer_rx_timestamp(skb)) + return NET_RX_SUCCESS; +@@ -5664,7 +5664,7 @@ static void netif_receive_skb_list_internal(struct list_head *head) + + INIT_LIST_HEAD(&sublist); + list_for_each_entry_safe(skb, next, head, list) { +- net_timestamp_check(netdev_tstamp_prequeue, skb); ++ net_timestamp_check(READ_ONCE(netdev_tstamp_prequeue), skb); + skb_list_del_init(skb); + if (!skb_defer_rx_timestamp(skb)) + list_add_tail(&skb->list, &sublist); +-- +2.35.1 + diff --git a/queue-5.15/net-fix-data-races-around-sysctl_-rw-mem_-max-defaul.patch b/queue-5.15/net-fix-data-races-around-sysctl_-rw-mem_-max-defaul.patch new file mode 100644 index 00000000000..275d885f055 --- /dev/null +++ b/queue-5.15/net-fix-data-races-around-sysctl_-rw-mem_-max-defaul.patch @@ -0,0 +1,126 @@ +From 949991c56f82dbf940010cfabfb610d7cfd89bc7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Aug 2022 10:46:44 -0700 +Subject: net: Fix data-races around sysctl_[rw]mem_(max|default). + +From: Kuniyuki Iwashima + +[ Upstream commit 1227c1771dd2ad44318aa3ab9e3a293b3f34ff2a ] + +While reading sysctl_[rw]mem_(max|default), they can be changed +concurrently. Thus, we need to add READ_ONCE() to its readers. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/filter.c | 4 ++-- + net/core/sock.c | 8 ++++---- + net/ipv4/ip_output.c | 2 +- + net/ipv4/tcp_output.c | 2 +- + net/netfilter/ipvs/ip_vs_sync.c | 4 ++-- + 5 files changed, 10 insertions(+), 10 deletions(-) + +diff --git a/net/core/filter.c b/net/core/filter.c +index ac64395611ae3..2da00f6329e83 100644 +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -4744,14 +4744,14 @@ static int _bpf_setsockopt(struct sock *sk, int level, int optname, + /* Only some socketops are supported */ + switch (optname) { + case SO_RCVBUF: +- val = min_t(u32, val, sysctl_rmem_max); ++ val = min_t(u32, val, READ_ONCE(sysctl_rmem_max)); + val = min_t(int, val, INT_MAX / 2); + sk->sk_userlocks |= SOCK_RCVBUF_LOCK; + WRITE_ONCE(sk->sk_rcvbuf, + max_t(int, val * 2, SOCK_MIN_RCVBUF)); + break; + case SO_SNDBUF: +- val = min_t(u32, val, sysctl_wmem_max); ++ val = min_t(u32, val, READ_ONCE(sysctl_wmem_max)); + val = min_t(int, val, INT_MAX / 2); + sk->sk_userlocks |= SOCK_SNDBUF_LOCK; + WRITE_ONCE(sk->sk_sndbuf, +diff --git a/net/core/sock.c b/net/core/sock.c +index deaed1b206823..62fd486213d2b 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -1014,7 +1014,7 @@ int sock_setsockopt(struct socket *sock, int level, int optname, + * play 'guess the biggest size' games. RCVBUF/SNDBUF + * are treated in BSD as hints + */ +- val = min_t(u32, val, sysctl_wmem_max); ++ val = min_t(u32, val, READ_ONCE(sysctl_wmem_max)); + set_sndbuf: + /* Ensure val * 2 fits into an int, to prevent max_t() + * from treating it as a negative value. +@@ -1046,7 +1046,7 @@ int sock_setsockopt(struct socket *sock, int level, int optname, + * play 'guess the biggest size' games. RCVBUF/SNDBUF + * are treated in BSD as hints + */ +- __sock_set_rcvbuf(sk, min_t(u32, val, sysctl_rmem_max)); ++ __sock_set_rcvbuf(sk, min_t(u32, val, READ_ONCE(sysctl_rmem_max))); + break; + + case SO_RCVBUFFORCE: +@@ -3124,8 +3124,8 @@ void sock_init_data(struct socket *sock, struct sock *sk) + timer_setup(&sk->sk_timer, NULL, 0); + + sk->sk_allocation = GFP_KERNEL; +- sk->sk_rcvbuf = sysctl_rmem_default; +- sk->sk_sndbuf = sysctl_wmem_default; ++ sk->sk_rcvbuf = READ_ONCE(sysctl_rmem_default); ++ sk->sk_sndbuf = READ_ONCE(sysctl_wmem_default); + sk->sk_state = TCP_CLOSE; + sk_set_socket(sk, sock); + +diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c +index 131066d0319a2..7aff0179b3c2d 100644 +--- a/net/ipv4/ip_output.c ++++ b/net/ipv4/ip_output.c +@@ -1712,7 +1712,7 @@ void ip_send_unicast_reply(struct sock *sk, struct sk_buff *skb, + + sk->sk_protocol = ip_hdr(skb)->protocol; + sk->sk_bound_dev_if = arg->bound_dev_if; +- sk->sk_sndbuf = sysctl_wmem_default; ++ sk->sk_sndbuf = READ_ONCE(sysctl_wmem_default); + ipc.sockc.mark = fl4.flowi4_mark; + err = ip_append_data(sk, &fl4, ip_reply_glue_bits, arg->iov->iov_base, + len, 0, &ipc, &rt, MSG_DONTWAIT); +diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c +index 40c9da4bd03e4..ed2e1836c0c05 100644 +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -239,7 +239,7 @@ void tcp_select_initial_window(const struct sock *sk, int __space, __u32 mss, + if (wscale_ok) { + /* Set window scaling on max possible window */ + space = max_t(u32, space, READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_rmem[2])); +- space = max_t(u32, space, sysctl_rmem_max); ++ space = max_t(u32, space, READ_ONCE(sysctl_rmem_max)); + space = min_t(u32, space, *window_clamp); + *rcv_wscale = clamp_t(int, ilog2(space) - 15, + 0, TCP_MAX_WSCALE); +diff --git a/net/netfilter/ipvs/ip_vs_sync.c b/net/netfilter/ipvs/ip_vs_sync.c +index 9d43277b8b4fe..a56fd0b5a430a 100644 +--- a/net/netfilter/ipvs/ip_vs_sync.c ++++ b/net/netfilter/ipvs/ip_vs_sync.c +@@ -1280,12 +1280,12 @@ static void set_sock_size(struct sock *sk, int mode, int val) + lock_sock(sk); + if (mode) { + val = clamp_t(int, val, (SOCK_MIN_SNDBUF + 1) / 2, +- sysctl_wmem_max); ++ READ_ONCE(sysctl_wmem_max)); + sk->sk_sndbuf = val * 2; + sk->sk_userlocks |= SOCK_SNDBUF_LOCK; + } else { + val = clamp_t(int, val, (SOCK_MIN_RCVBUF + 1) / 2, +- sysctl_rmem_max); ++ READ_ONCE(sysctl_rmem_max)); + sk->sk_rcvbuf = val * 2; + sk->sk_userlocks |= SOCK_RCVBUF_LOCK; + } +-- +2.35.1 + diff --git a/queue-5.15/net-fix-data-races-around-sysctl_devconf_inherit_ini.patch b/queue-5.15/net-fix-data-races-around-sysctl_devconf_inherit_ini.patch new file mode 100644 index 00000000000..8c18ba485b7 --- /dev/null +++ b/queue-5.15/net-fix-data-races-around-sysctl_devconf_inherit_ini.patch @@ -0,0 +1,99 @@ +From 8869d29426a4533dbecf1fbc670aae5601c2ab58 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Aug 2022 10:46:57 -0700 +Subject: net: Fix data-races around sysctl_devconf_inherit_init_net. + +From: Kuniyuki Iwashima + +[ Upstream commit a5612ca10d1aa05624ebe72633e0c8c792970833 ] + +While reading sysctl_devconf_inherit_init_net, it can be changed +concurrently. Thus, we need to add READ_ONCE() to its readers. + +Fixes: 856c395cfa63 ("net: introduce a knob to control whether to inherit devconf config") +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/linux/netdevice.h | 9 +++++++++ + net/ipv4/devinet.c | 16 ++++++++++------ + net/ipv6/addrconf.c | 5 ++--- + 3 files changed, 21 insertions(+), 9 deletions(-) + +diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h +index f9ed41ca7ac6d..3b97438afe3e2 100644 +--- a/include/linux/netdevice.h ++++ b/include/linux/netdevice.h +@@ -636,6 +636,15 @@ static inline bool net_has_fallback_tunnels(const struct net *net) + #endif + } + ++static inline int net_inherit_devconf(void) ++{ ++#if IS_ENABLED(CONFIG_SYSCTL) ++ return READ_ONCE(sysctl_devconf_inherit_init_net); ++#else ++ return 0; ++#endif ++} ++ + static inline int netdev_queue_numa_node_read(const struct netdev_queue *q) + { + #if defined(CONFIG_XPS) && defined(CONFIG_NUMA) +diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c +index 4744c7839de53..9ac41ffdc6344 100644 +--- a/net/ipv4/devinet.c ++++ b/net/ipv4/devinet.c +@@ -2673,23 +2673,27 @@ static __net_init int devinet_init_net(struct net *net) + #endif + + if (!net_eq(net, &init_net)) { +- if (IS_ENABLED(CONFIG_SYSCTL) && +- sysctl_devconf_inherit_init_net == 3) { ++ switch (net_inherit_devconf()) { ++ case 3: + /* copy from the current netns */ + memcpy(all, current->nsproxy->net_ns->ipv4.devconf_all, + sizeof(ipv4_devconf)); + memcpy(dflt, + current->nsproxy->net_ns->ipv4.devconf_dflt, + sizeof(ipv4_devconf_dflt)); +- } else if (!IS_ENABLED(CONFIG_SYSCTL) || +- sysctl_devconf_inherit_init_net != 2) { +- /* inherit == 0 or 1: copy from init_net */ ++ break; ++ case 0: ++ case 1: ++ /* copy from init_net */ + memcpy(all, init_net.ipv4.devconf_all, + sizeof(ipv4_devconf)); + memcpy(dflt, init_net.ipv4.devconf_dflt, + sizeof(ipv4_devconf_dflt)); ++ break; ++ case 2: ++ /* use compiled values */ ++ break; + } +- /* else inherit == 2: use compiled values */ + } + + #ifdef CONFIG_SYSCTL +diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c +index 6dcf034835ecd..8800987fdb402 100644 +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -7128,9 +7128,8 @@ static int __net_init addrconf_init_net(struct net *net) + if (!dflt) + goto err_alloc_dflt; + +- if (IS_ENABLED(CONFIG_SYSCTL) && +- !net_eq(net, &init_net)) { +- switch (sysctl_devconf_inherit_init_net) { ++ if (!net_eq(net, &init_net)) { ++ switch (net_inherit_devconf()) { + case 1: /* copy from init_net */ + memcpy(all, init_net.ipv6.devconf_all, + sizeof(ipv6_devconf)); +-- +2.35.1 + diff --git a/queue-5.15/net-fix-data-races-around-sysctl_fb_tunnels_only_for.patch b/queue-5.15/net-fix-data-races-around-sysctl_fb_tunnels_only_for.patch new file mode 100644 index 00000000000..19c469c9aa6 --- /dev/null +++ b/queue-5.15/net-fix-data-races-around-sysctl_fb_tunnels_only_for.patch @@ -0,0 +1,45 @@ +From ca58edd34ccbf06e44e38d9195329a00ecd761a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Aug 2022 10:46:56 -0700 +Subject: net: Fix data-races around sysctl_fb_tunnels_only_for_init_net. + +From: Kuniyuki Iwashima + +[ Upstream commit af67508ea6cbf0e4ea27f8120056fa2efce127dd ] + +While reading sysctl_fb_tunnels_only_for_init_net, it can be changed +concurrently. Thus, we need to add READ_ONCE() to its readers. + +Fixes: 79134e6ce2c9 ("net: do not create fallback tunnels for non-default namespaces") +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/linux/netdevice.h | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h +index f8d46dc62d658..f9ed41ca7ac6d 100644 +--- a/include/linux/netdevice.h ++++ b/include/linux/netdevice.h +@@ -626,9 +626,14 @@ extern int sysctl_devconf_inherit_init_net; + */ + static inline bool net_has_fallback_tunnels(const struct net *net) + { +- return !IS_ENABLED(CONFIG_SYSCTL) || +- !sysctl_fb_tunnels_only_for_init_net || +- (net == &init_net && sysctl_fb_tunnels_only_for_init_net == 1); ++#if IS_ENABLED(CONFIG_SYSCTL) ++ int fb_tunnels_only_for_init_net = READ_ONCE(sysctl_fb_tunnels_only_for_init_net); ++ ++ return !fb_tunnels_only_for_init_net || ++ (net_eq(net, &init_net) && fb_tunnels_only_for_init_net == 1); ++#else ++ return true; ++#endif + } + + static inline int netdev_queue_numa_node_read(const struct netdev_queue *q) +-- +2.35.1 + diff --git a/queue-5.15/net-fix-data-races-around-sysctl_max_skb_frags.patch b/queue-5.15/net-fix-data-races-around-sysctl_max_skb_frags.patch new file mode 100644 index 00000000000..1cec28f542c --- /dev/null +++ b/queue-5.15/net-fix-data-races-around-sysctl_max_skb_frags.patch @@ -0,0 +1,59 @@ +From b5d6159813c34a4e0fc2b00195c6f768bc78bb27 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Aug 2022 10:46:54 -0700 +Subject: net: Fix data-races around sysctl_max_skb_frags. + +From: Kuniyuki Iwashima + +[ Upstream commit 657b991afb89d25fe6c4783b1b75a8ad4563670d ] + +While reading sysctl_max_skb_frags, it can be changed concurrently. +Thus, we need to add READ_ONCE() to its readers. + +Fixes: 5f74f82ea34c ("net:Add sysctl_max_skb_frags") +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp.c | 4 ++-- + net/mptcp/protocol.c | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index 52f51717f02f3..0ebef2a5950cd 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -991,7 +991,7 @@ struct sk_buff *tcp_build_frag(struct sock *sk, int size_goal, int flags, + + i = skb_shinfo(skb)->nr_frags; + can_coalesce = skb_can_coalesce(skb, i, page, offset); +- if (!can_coalesce && i >= sysctl_max_skb_frags) { ++ if (!can_coalesce && i >= READ_ONCE(sysctl_max_skb_frags)) { + tcp_mark_push(tp, skb); + goto new_segment; + } +@@ -1344,7 +1344,7 @@ int tcp_sendmsg_locked(struct sock *sk, struct msghdr *msg, size_t size) + + if (!skb_can_coalesce(skb, i, pfrag->page, + pfrag->offset)) { +- if (i >= sysctl_max_skb_frags) { ++ if (i >= READ_ONCE(sysctl_max_skb_frags)) { + tcp_mark_push(tp, skb); + goto new_segment; + } +diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c +index a089791414bfb..5df60a4b09304 100644 +--- a/net/mptcp/protocol.c ++++ b/net/mptcp/protocol.c +@@ -1317,7 +1317,7 @@ static int mptcp_sendmsg_frag(struct sock *sk, struct sock *ssk, + + i = skb_shinfo(skb)->nr_frags; + can_coalesce = skb_can_coalesce(skb, i, dfrag->page, offset); +- if (!can_coalesce && i >= sysctl_max_skb_frags) { ++ if (!can_coalesce && i >= READ_ONCE(sysctl_max_skb_frags)) { + tcp_mark_push(tcp_sk(ssk), skb); + goto alloc_skb; + } +-- +2.35.1 + diff --git a/queue-5.15/net-fix-data-races-around-sysctl_optmem_max.patch b/queue-5.15/net-fix-data-races-around-sysctl_optmem_max.patch new file mode 100644 index 00000000000..45e0f053000 --- /dev/null +++ b/queue-5.15/net-fix-data-races-around-sysctl_optmem_max.patch @@ -0,0 +1,161 @@ +From c9ef99c7b2b689f447f5d922e6e96fcb947f8b4c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Aug 2022 10:46:49 -0700 +Subject: net: Fix data-races around sysctl_optmem_max. + +From: Kuniyuki Iwashima + +[ Upstream commit 7de6d09f51917c829af2b835aba8bb5040f8e86a ] + +While reading sysctl_optmem_max, it can be changed concurrently. +Thus, we need to add READ_ONCE() to its readers. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/bpf_sk_storage.c | 5 +++-- + net/core/filter.c | 9 +++++---- + net/core/sock.c | 8 +++++--- + net/ipv4/ip_sockglue.c | 6 +++--- + net/ipv6/ipv6_sockglue.c | 4 ++-- + 5 files changed, 18 insertions(+), 14 deletions(-) + +diff --git a/net/core/bpf_sk_storage.c b/net/core/bpf_sk_storage.c +index d2745c54737e3..910ca41cb9e67 100644 +--- a/net/core/bpf_sk_storage.c ++++ b/net/core/bpf_sk_storage.c +@@ -305,11 +305,12 @@ BPF_CALL_2(bpf_sk_storage_delete, struct bpf_map *, map, struct sock *, sk) + static int bpf_sk_storage_charge(struct bpf_local_storage_map *smap, + void *owner, u32 size) + { ++ int optmem_max = READ_ONCE(sysctl_optmem_max); + struct sock *sk = (struct sock *)owner; + + /* same check as in sock_kmalloc() */ +- if (size <= sysctl_optmem_max && +- atomic_read(&sk->sk_omem_alloc) + size < sysctl_optmem_max) { ++ if (size <= optmem_max && ++ atomic_read(&sk->sk_omem_alloc) + size < optmem_max) { + atomic_add(size, &sk->sk_omem_alloc); + return 0; + } +diff --git a/net/core/filter.c b/net/core/filter.c +index 2da00f6329e83..fb5b9dbf3bc08 100644 +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -1213,10 +1213,11 @@ void sk_filter_uncharge(struct sock *sk, struct sk_filter *fp) + static bool __sk_filter_charge(struct sock *sk, struct sk_filter *fp) + { + u32 filter_size = bpf_prog_size(fp->prog->len); ++ int optmem_max = READ_ONCE(sysctl_optmem_max); + + /* same check as in sock_kmalloc() */ +- if (filter_size <= sysctl_optmem_max && +- atomic_read(&sk->sk_omem_alloc) + filter_size < sysctl_optmem_max) { ++ if (filter_size <= optmem_max && ++ atomic_read(&sk->sk_omem_alloc) + filter_size < optmem_max) { + atomic_add(filter_size, &sk->sk_omem_alloc); + return true; + } +@@ -1548,7 +1549,7 @@ int sk_reuseport_attach_filter(struct sock_fprog *fprog, struct sock *sk) + if (IS_ERR(prog)) + return PTR_ERR(prog); + +- if (bpf_prog_size(prog->len) > sysctl_optmem_max) ++ if (bpf_prog_size(prog->len) > READ_ONCE(sysctl_optmem_max)) + err = -ENOMEM; + else + err = reuseport_attach_prog(sk, prog); +@@ -1615,7 +1616,7 @@ int sk_reuseport_attach_bpf(u32 ufd, struct sock *sk) + } + } else { + /* BPF_PROG_TYPE_SOCKET_FILTER */ +- if (bpf_prog_size(prog->len) > sysctl_optmem_max) { ++ if (bpf_prog_size(prog->len) > READ_ONCE(sysctl_optmem_max)) { + err = -ENOMEM; + goto err_prog_put; + } +diff --git a/net/core/sock.c b/net/core/sock.c +index 62fd486213d2b..5ab7b59cdab83 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -2368,7 +2368,7 @@ struct sk_buff *sock_omalloc(struct sock *sk, unsigned long size, + + /* small safe race: SKB_TRUESIZE may differ from final skb->truesize */ + if (atomic_read(&sk->sk_omem_alloc) + SKB_TRUESIZE(size) > +- sysctl_optmem_max) ++ READ_ONCE(sysctl_optmem_max)) + return NULL; + + skb = alloc_skb(size, priority); +@@ -2386,8 +2386,10 @@ struct sk_buff *sock_omalloc(struct sock *sk, unsigned long size, + */ + void *sock_kmalloc(struct sock *sk, int size, gfp_t priority) + { +- if ((unsigned int)size <= sysctl_optmem_max && +- atomic_read(&sk->sk_omem_alloc) + size < sysctl_optmem_max) { ++ int optmem_max = READ_ONCE(sysctl_optmem_max); ++ ++ if ((unsigned int)size <= optmem_max && ++ atomic_read(&sk->sk_omem_alloc) + size < optmem_max) { + void *mem; + /* First do the add, to avoid the race if kmalloc + * might sleep. +diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c +index 38f296afb663d..1e2af5f8822df 100644 +--- a/net/ipv4/ip_sockglue.c ++++ b/net/ipv4/ip_sockglue.c +@@ -772,7 +772,7 @@ static int ip_set_mcast_msfilter(struct sock *sk, sockptr_t optval, int optlen) + + if (optlen < GROUP_FILTER_SIZE(0)) + return -EINVAL; +- if (optlen > sysctl_optmem_max) ++ if (optlen > READ_ONCE(sysctl_optmem_max)) + return -ENOBUFS; + + gsf = memdup_sockptr(optval, optlen); +@@ -808,7 +808,7 @@ static int compat_ip_set_mcast_msfilter(struct sock *sk, sockptr_t optval, + + if (optlen < size0) + return -EINVAL; +- if (optlen > sysctl_optmem_max - 4) ++ if (optlen > READ_ONCE(sysctl_optmem_max) - 4) + return -ENOBUFS; + + p = kmalloc(optlen + 4, GFP_KERNEL); +@@ -1231,7 +1231,7 @@ static int do_ip_setsockopt(struct sock *sk, int level, int optname, + + if (optlen < IP_MSFILTER_SIZE(0)) + goto e_inval; +- if (optlen > sysctl_optmem_max) { ++ if (optlen > READ_ONCE(sysctl_optmem_max)) { + err = -ENOBUFS; + break; + } +diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c +index e4bdb09c55867..8a1c78f385084 100644 +--- a/net/ipv6/ipv6_sockglue.c ++++ b/net/ipv6/ipv6_sockglue.c +@@ -208,7 +208,7 @@ static int ipv6_set_mcast_msfilter(struct sock *sk, sockptr_t optval, + + if (optlen < GROUP_FILTER_SIZE(0)) + return -EINVAL; +- if (optlen > sysctl_optmem_max) ++ if (optlen > READ_ONCE(sysctl_optmem_max)) + return -ENOBUFS; + + gsf = memdup_sockptr(optval, optlen); +@@ -242,7 +242,7 @@ static int compat_ipv6_set_mcast_msfilter(struct sock *sk, sockptr_t optval, + + if (optlen < size0) + return -EINVAL; +- if (optlen > sysctl_optmem_max - 4) ++ if (optlen > READ_ONCE(sysctl_optmem_max) - 4) + return -ENOBUFS; + + p = kmalloc(optlen + 4, GFP_KERNEL); +-- +2.35.1 + diff --git a/queue-5.15/net-fix-data-races-around-weight_p-and-dev_weight_-r.patch b/queue-5.15/net-fix-data-races-around-weight_p-and-dev_weight_-r.patch new file mode 100644 index 00000000000..ffd49c2a21c --- /dev/null +++ b/queue-5.15/net-fix-data-races-around-weight_p-and-dev_weight_-r.patch @@ -0,0 +1,85 @@ +From 2e47adaba901bfff382837d4d6376103eed48311 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Aug 2022 10:46:45 -0700 +Subject: net: Fix data-races around weight_p and dev_weight_[rt]x_bias. + +From: Kuniyuki Iwashima + +[ Upstream commit bf955b5ab8f6f7b0632cdef8e36b14e4f6e77829 ] + +While reading weight_p, it can be changed concurrently. Thus, we need +to add READ_ONCE() to its reader. + +Also, dev_[rt]x_weight can be read/written at the same time. So, we +need to use READ_ONCE() and WRITE_ONCE() for its access. Moreover, to +use the same weight_p while changing dev_[rt]x_weight, we add a mutex +in proc_do_dev_weight(). + +Fixes: 3d48b53fb2ae ("net: dev_weight: TX/RX orthogonality") +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/dev.c | 2 +- + net/core/sysctl_net_core.c | 15 +++++++++------ + net/sched/sch_generic.c | 2 +- + 3 files changed, 11 insertions(+), 8 deletions(-) + +diff --git a/net/core/dev.c b/net/core/dev.c +index 12b1811cb488b..1a0de071fcf45 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -6437,7 +6437,7 @@ static int process_backlog(struct napi_struct *napi, int quota) + net_rps_action_and_irq_enable(sd); + } + +- napi->weight = dev_rx_weight; ++ napi->weight = READ_ONCE(dev_rx_weight); + while (again) { + struct sk_buff *skb; + +diff --git a/net/core/sysctl_net_core.c b/net/core/sysctl_net_core.c +index 5f88526ad61cc..ed20cbdd19315 100644 +--- a/net/core/sysctl_net_core.c ++++ b/net/core/sysctl_net_core.c +@@ -236,14 +236,17 @@ static int set_default_qdisc(struct ctl_table *table, int write, + static int proc_do_dev_weight(struct ctl_table *table, int write, + void *buffer, size_t *lenp, loff_t *ppos) + { +- int ret; ++ static DEFINE_MUTEX(dev_weight_mutex); ++ int ret, weight; + ++ mutex_lock(&dev_weight_mutex); + ret = proc_dointvec(table, write, buffer, lenp, ppos); +- if (ret != 0) +- return ret; +- +- dev_rx_weight = weight_p * dev_weight_rx_bias; +- dev_tx_weight = weight_p * dev_weight_tx_bias; ++ if (!ret && write) { ++ weight = READ_ONCE(weight_p); ++ WRITE_ONCE(dev_rx_weight, weight * dev_weight_rx_bias); ++ WRITE_ONCE(dev_tx_weight, weight * dev_weight_tx_bias); ++ } ++ mutex_unlock(&dev_weight_mutex); + + return ret; + } +diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c +index 30c29a9a2efd2..250d87d993cb7 100644 +--- a/net/sched/sch_generic.c ++++ b/net/sched/sch_generic.c +@@ -409,7 +409,7 @@ static inline bool qdisc_restart(struct Qdisc *q, int *packets) + + void __qdisc_run(struct Qdisc *q) + { +- int quota = dev_tx_weight; ++ int quota = READ_ONCE(dev_tx_weight); + int packets; + + while (qdisc_restart(q, &packets)) { +-- +2.35.1 + diff --git a/queue-5.15/net-ipa-don-t-assume-smem-is-page-aligned.patch b/queue-5.15/net-ipa-don-t-assume-smem-is-page-aligned.patch new file mode 100644 index 00000000000..8b1a33c8d62 --- /dev/null +++ b/queue-5.15/net-ipa-don-t-assume-smem-is-page-aligned.patch @@ -0,0 +1,48 @@ +From 71ba25e6004993025c084b7702f33e5a2e108ec8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Aug 2022 08:42:05 -0500 +Subject: net: ipa: don't assume SMEM is page-aligned + +From: Alex Elder + +[ Upstream commit b8d4380365c515d8e0351f2f46d371738dd19be1 ] + +In ipa_smem_init(), a Qualcomm SMEM region is allocated (if needed) +and then its virtual address is fetched using qcom_smem_get(). The +physical address associated with that region is also fetched. + +The physical address is adjusted so that it is page-aligned, and an +attempt is made to update the size of the region to compensate for +any non-zero adjustment. + +But that adjustment isn't done properly. The physical address is +aligned twice, and as a result the size is never actually adjusted. + +Fix this by *not* aligning the "addr" local variable, and instead +making the "phys" local variable be the adjusted "addr" value. + +Fixes: a0036bb413d5b ("net: ipa: define SMEM memory region for IPA") +Signed-off-by: Alex Elder +Link: https://lore.kernel.org/r/20220818134206.567618-1-elder@linaro.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ipa/ipa_mem.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ipa/ipa_mem.c b/drivers/net/ipa/ipa_mem.c +index 4337b0920d3d7..cad0798985a13 100644 +--- a/drivers/net/ipa/ipa_mem.c ++++ b/drivers/net/ipa/ipa_mem.c +@@ -570,7 +570,7 @@ static int ipa_smem_init(struct ipa *ipa, u32 item, size_t size) + } + + /* Align the address down and the size up to a page boundary */ +- addr = qcom_smem_virt_to_phys(virt) & PAGE_MASK; ++ addr = qcom_smem_virt_to_phys(virt); + phys = addr & PAGE_MASK; + size = PAGE_ALIGN(size + addr - phys); + iova = phys; /* We just want a direct mapping */ +-- +2.35.1 + diff --git a/queue-5.15/net-ipvtap-add-__init-__exit-annotations-to-module-i.patch b/queue-5.15/net-ipvtap-add-__init-__exit-annotations-to-module-i.patch new file mode 100644 index 00000000000..1ef5a9f9b2e --- /dev/null +++ b/queue-5.15/net-ipvtap-add-__init-__exit-annotations-to-module-i.patch @@ -0,0 +1,50 @@ +From 9676d78b699b16cba4b14a595856c04e9f30ad70 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 21 Aug 2022 06:08:08 -0700 +Subject: net: ipvtap - add __init/__exit annotations to module init/exit funcs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maciej Å»enczykowski + +[ Upstream commit 4b2e3a17e9f279325712b79fb01d1493f9e3e005 ] + +Looks to have been left out in an oversight. + +Cc: Mahesh Bandewar +Cc: Sainath Grandhi +Fixes: 235a9d89da97 ('ipvtap: IP-VLAN based tap driver') +Signed-off-by: Maciej Å»enczykowski +Link: https://lore.kernel.org/r/20220821130808.12143-1-zenczykowski@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ipvlan/ipvtap.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ipvlan/ipvtap.c b/drivers/net/ipvlan/ipvtap.c +index 1cedb634f4f7b..f01078b2581ce 100644 +--- a/drivers/net/ipvlan/ipvtap.c ++++ b/drivers/net/ipvlan/ipvtap.c +@@ -194,7 +194,7 @@ static struct notifier_block ipvtap_notifier_block __read_mostly = { + .notifier_call = ipvtap_device_event, + }; + +-static int ipvtap_init(void) ++static int __init ipvtap_init(void) + { + int err; + +@@ -228,7 +228,7 @@ static int ipvtap_init(void) + } + module_init(ipvtap_init); + +-static void ipvtap_exit(void) ++static void __exit ipvtap_exit(void) + { + rtnl_link_unregister(&ipvtap_link_ops); + unregister_netdevice_notifier(&ipvtap_notifier_block); +-- +2.35.1 + diff --git a/queue-5.15/net-mlx5-avoid-false-positive-lockdep-warning-by-add.patch b/queue-5.15/net-mlx5-avoid-false-positive-lockdep-warning-by-add.patch new file mode 100644 index 00000000000..7e8b8b5ec76 --- /dev/null +++ b/queue-5.15/net-mlx5-avoid-false-positive-lockdep-warning-by-add.patch @@ -0,0 +1,207 @@ +From ce73d5cf82047e9cbbdd72a4e049fd093f0c808c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Aug 2022 10:49:23 +0300 +Subject: net/mlx5: Avoid false positive lockdep warning by adding + lock_class_key + +From: Moshe Shemesh + +[ Upstream commit d59b73a66e5e0682442b6d7b4965364e57078b80 ] + +Add a lock_class_key per mlx5 device to avoid a false positive +"possible circular locking dependency" warning by lockdep, on flows +which lock more than one mlx5 device, such as adding SF. + +kernel log: + ====================================================== + WARNING: possible circular locking dependency detected + 5.19.0-rc8+ #2 Not tainted + ------------------------------------------------------ + kworker/u20:0/8 is trying to acquire lock: + ffff88812dfe0d98 (&dev->intf_state_mutex){+.+.}-{3:3}, at: mlx5_init_one+0x2e/0x490 [mlx5_core] + + but task is already holding lock: + ffff888101aa7898 (&(¬ifier->n_head)->rwsem){++++}-{3:3}, at: blocking_notifier_call_chain+0x5a/0x130 + + which lock already depends on the new lock. + + the existing dependency chain (in reverse order) is: + + -> #1 (&(¬ifier->n_head)->rwsem){++++}-{3:3}: + down_write+0x90/0x150 + blocking_notifier_chain_register+0x53/0xa0 + mlx5_sf_table_init+0x369/0x4a0 [mlx5_core] + mlx5_init_one+0x261/0x490 [mlx5_core] + probe_one+0x430/0x680 [mlx5_core] + local_pci_probe+0xd6/0x170 + work_for_cpu_fn+0x4e/0xa0 + process_one_work+0x7c2/0x1340 + worker_thread+0x6f6/0xec0 + kthread+0x28f/0x330 + ret_from_fork+0x1f/0x30 + + -> #0 (&dev->intf_state_mutex){+.+.}-{3:3}: + __lock_acquire+0x2fc7/0x6720 + lock_acquire+0x1c1/0x550 + __mutex_lock+0x12c/0x14b0 + mlx5_init_one+0x2e/0x490 [mlx5_core] + mlx5_sf_dev_probe+0x29c/0x370 [mlx5_core] + auxiliary_bus_probe+0x9d/0xe0 + really_probe+0x1e0/0xaa0 + __driver_probe_device+0x219/0x480 + driver_probe_device+0x49/0x130 + __device_attach_driver+0x1b8/0x280 + bus_for_each_drv+0x123/0x1a0 + __device_attach+0x1a3/0x460 + bus_probe_device+0x1a2/0x260 + device_add+0x9b1/0x1b40 + __auxiliary_device_add+0x88/0xc0 + mlx5_sf_dev_state_change_handler+0x67e/0x9d0 [mlx5_core] + blocking_notifier_call_chain+0xd5/0x130 + mlx5_vhca_state_work_handler+0x2b0/0x3f0 [mlx5_core] + process_one_work+0x7c2/0x1340 + worker_thread+0x59d/0xec0 + kthread+0x28f/0x330 + ret_from_fork+0x1f/0x30 + + other info that might help us debug this: + + Possible unsafe locking scenario: + + CPU0 CPU1 + ---- ---- + lock(&(¬ifier->n_head)->rwsem); + lock(&dev->intf_state_mutex); + lock(&(¬ifier->n_head)->rwsem); + lock(&dev->intf_state_mutex); + + *** DEADLOCK *** + + 4 locks held by kworker/u20:0/8: + #0: ffff888150612938 ((wq_completion)mlx5_events){+.+.}-{0:0}, at: process_one_work+0x6e2/0x1340 + #1: ffff888100cafdb8 ((work_completion)(&work->work)#3){+.+.}-{0:0}, at: process_one_work+0x70f/0x1340 + #2: ffff888101aa7898 (&(¬ifier->n_head)->rwsem){++++}-{3:3}, at: blocking_notifier_call_chain+0x5a/0x130 + #3: ffff88813682d0e8 (&dev->mutex){....}-{3:3}, at:__device_attach+0x76/0x460 + + stack backtrace: + CPU: 6 PID: 8 Comm: kworker/u20:0 Not tainted 5.19.0-rc8+ + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 + Workqueue: mlx5_events mlx5_vhca_state_work_handler [mlx5_core] + Call Trace: + + dump_stack_lvl+0x57/0x7d + check_noncircular+0x278/0x300 + ? print_circular_bug+0x460/0x460 + ? lock_chain_count+0x20/0x20 + ? register_lock_class+0x1880/0x1880 + __lock_acquire+0x2fc7/0x6720 + ? register_lock_class+0x1880/0x1880 + ? register_lock_class+0x1880/0x1880 + lock_acquire+0x1c1/0x550 + ? mlx5_init_one+0x2e/0x490 [mlx5_core] + ? lockdep_hardirqs_on_prepare+0x400/0x400 + __mutex_lock+0x12c/0x14b0 + ? mlx5_init_one+0x2e/0x490 [mlx5_core] + ? mlx5_init_one+0x2e/0x490 [mlx5_core] + ? _raw_read_unlock+0x1f/0x30 + ? mutex_lock_io_nested+0x1320/0x1320 + ? __ioremap_caller.constprop.0+0x306/0x490 + ? mlx5_sf_dev_probe+0x269/0x370 [mlx5_core] + ? iounmap+0x160/0x160 + mlx5_init_one+0x2e/0x490 [mlx5_core] + mlx5_sf_dev_probe+0x29c/0x370 [mlx5_core] + ? mlx5_sf_dev_remove+0x130/0x130 [mlx5_core] + auxiliary_bus_probe+0x9d/0xe0 + really_probe+0x1e0/0xaa0 + __driver_probe_device+0x219/0x480 + ? auxiliary_match_id+0xe9/0x140 + driver_probe_device+0x49/0x130 + __device_attach_driver+0x1b8/0x280 + ? driver_allows_async_probing+0x140/0x140 + bus_for_each_drv+0x123/0x1a0 + ? bus_for_each_dev+0x1a0/0x1a0 + ? lockdep_hardirqs_on_prepare+0x286/0x400 + ? trace_hardirqs_on+0x2d/0x100 + __device_attach+0x1a3/0x460 + ? device_driver_attach+0x1e0/0x1e0 + ? kobject_uevent_env+0x22d/0xf10 + bus_probe_device+0x1a2/0x260 + device_add+0x9b1/0x1b40 + ? dev_set_name+0xab/0xe0 + ? __fw_devlink_link_to_suppliers+0x260/0x260 + ? memset+0x20/0x40 + ? lockdep_init_map_type+0x21a/0x7d0 + __auxiliary_device_add+0x88/0xc0 + ? auxiliary_device_init+0x86/0xa0 + mlx5_sf_dev_state_change_handler+0x67e/0x9d0 [mlx5_core] + blocking_notifier_call_chain+0xd5/0x130 + mlx5_vhca_state_work_handler+0x2b0/0x3f0 [mlx5_core] + ? mlx5_vhca_event_arm+0x100/0x100 [mlx5_core] + ? lock_downgrade+0x6e0/0x6e0 + ? lockdep_hardirqs_on_prepare+0x286/0x400 + process_one_work+0x7c2/0x1340 + ? lockdep_hardirqs_on_prepare+0x400/0x400 + ? pwq_dec_nr_in_flight+0x230/0x230 + ? rwlock_bug.part.0+0x90/0x90 + worker_thread+0x59d/0xec0 + ? process_one_work+0x1340/0x1340 + kthread+0x28f/0x330 + ? kthread_complete_and_exit+0x20/0x20 + ret_from_fork+0x1f/0x30 + + +Fixes: 6a3273217469 ("net/mlx5: SF, Port function state change support") +Signed-off-by: Moshe Shemesh +Reviewed-by: Shay Drory +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/main.c | 4 ++++ + include/linux/mlx5/driver.h | 1 + + 2 files changed, 5 insertions(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/main.c b/drivers/net/ethernet/mellanox/mlx5/core/main.c +index 5a6606c843edf..740065e21181d 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c +@@ -1427,7 +1427,9 @@ int mlx5_mdev_init(struct mlx5_core_dev *dev, int profile_idx) + memcpy(&dev->profile, &profile[profile_idx], sizeof(dev->profile)); + INIT_LIST_HEAD(&priv->ctx_list); + spin_lock_init(&priv->ctx_lock); ++ lockdep_register_key(&dev->lock_key); + mutex_init(&dev->intf_state_mutex); ++ lockdep_set_class(&dev->intf_state_mutex, &dev->lock_key); + + mutex_init(&priv->bfregs.reg_head.lock); + mutex_init(&priv->bfregs.wc_head.lock); +@@ -1474,6 +1476,7 @@ int mlx5_mdev_init(struct mlx5_core_dev *dev, int profile_idx) + mutex_destroy(&priv->bfregs.wc_head.lock); + mutex_destroy(&priv->bfregs.reg_head.lock); + mutex_destroy(&dev->intf_state_mutex); ++ lockdep_unregister_key(&dev->lock_key); + return err; + } + +@@ -1491,6 +1494,7 @@ void mlx5_mdev_uninit(struct mlx5_core_dev *dev) + mutex_destroy(&priv->bfregs.wc_head.lock); + mutex_destroy(&priv->bfregs.reg_head.lock); + mutex_destroy(&dev->intf_state_mutex); ++ lockdep_unregister_key(&dev->lock_key); + } + + static int probe_one(struct pci_dev *pdev, const struct pci_device_id *id) +diff --git a/include/linux/mlx5/driver.h b/include/linux/mlx5/driver.h +index f17d2101af7a0..4c678de4608dd 100644 +--- a/include/linux/mlx5/driver.h ++++ b/include/linux/mlx5/driver.h +@@ -759,6 +759,7 @@ struct mlx5_core_dev { + enum mlx5_device_state state; + /* sync interface state */ + struct mutex intf_state_mutex; ++ struct lock_class_key lock_key; + unsigned long intf_state; + struct mlx5_priv priv; + struct mlx5_profile profile; +-- +2.35.1 + diff --git a/queue-5.15/net-mlx5e-fix-wrong-application-of-the-lro-state.patch b/queue-5.15/net-mlx5e-fix-wrong-application-of-the-lro-state.patch new file mode 100644 index 00000000000..5f2357f5fdf --- /dev/null +++ b/queue-5.15/net-mlx5e-fix-wrong-application-of-the-lro-state.patch @@ -0,0 +1,54 @@ +From 1ddd1a47d24ddd14eccbdbdd2926c02af41213eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Jun 2022 18:38:37 +0300 +Subject: net/mlx5e: Fix wrong application of the LRO state + +From: Aya Levin + +[ Upstream commit 7b3707fc79044871ab8f3d5fa5e9603155bb5577 ] + +Driver caches packet merge type in mlx5e_params instance which must be +in perfect sync with the netdev_feature's bit. +Prior to this patch, in certain conditions (*) LRO state was set in +mlx5e_params, while netdev_feature's bit was off. Causing the LRO to +be applied on the RQs (HW level). + +(*) This can happen only on profile init (mlx5e_build_nic_params()), +when RQ expect non-linear SKB and PCI is fast enough in comparison to +link width. + +Solution: remove setting of packet merge type from +mlx5e_build_nic_params() as netdev features are not updated. + +Fixes: 619a8f2a42f1 ("net/mlx5e: Use linear SKB in Striding RQ") +Signed-off-by: Aya Levin +Reviewed-by: Tariq Toukan +Reviewed-by: Maxim Mikityanskiy +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 8 -------- + 1 file changed, 8 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index e00648094fc2a..fdf8d9866042c 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -4350,14 +4350,6 @@ void mlx5e_build_nic_params(struct mlx5e_priv *priv, struct mlx5e_xsk *xsk, u16 + /* RQ */ + mlx5e_build_rq_params(mdev, params); + +- /* HW LRO */ +- if (MLX5_CAP_ETH(mdev, lro_cap) && +- params->rq_wq_type == MLX5_WQ_TYPE_LINKED_LIST_STRIDING_RQ) { +- /* No XSK params: checking the availability of striding RQ in general. */ +- if (!mlx5e_rx_mpwqe_is_linear_skb(mdev, params, NULL)) +- params->packet_merge.type = slow_pci_heuristic(mdev) ? +- MLX5E_PACKET_MERGE_NONE : MLX5E_PACKET_MERGE_LRO; +- } + params->packet_merge.timeout = mlx5e_choose_lro_timeout(mdev, MLX5E_DEFAULT_LRO_TIMEOUT); + + /* CQ moderation params */ +-- +2.35.1 + diff --git a/queue-5.15/net-mlx5e-fix-wrong-tc-flag-used-when-set-hw-tc-offl.patch b/queue-5.15/net-mlx5e-fix-wrong-tc-flag-used-when-set-hw-tc-offl.patch new file mode 100644 index 00000000000..b98016b7d0a --- /dev/null +++ b/queue-5.15/net-mlx5e-fix-wrong-tc-flag-used-when-set-hw-tc-offl.patch @@ -0,0 +1,43 @@ +From a9531c2a21e7d4a373109ae1c389370840a8d360 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Aug 2022 15:28:42 +0300 +Subject: net/mlx5e: Fix wrong tc flag used when set hw-tc-offload off + +From: Maor Dickman + +[ Upstream commit 550f96432e6f6770efdaee0e65239d61431062a1 ] + +The cited commit reintroduced the ability to set hw-tc-offload +in switchdev mode by reusing NIC mode calls without modifying it +to support both modes, this can cause an illegal memory access +when trying to turn hw-tc-offload off. + +Fix this by using the right TC_FLAG when checking if tc rules +are installed while disabling hw-tc-offload. + +Fixes: d3cbd4254df8 ("net/mlx5e: Add ndo_set_feature for uplink representor") +Signed-off-by: Maor Dickman +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index fdf8d9866042c..c1c4f380803a1 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -3325,7 +3325,9 @@ static int set_feature_hw_tc(struct net_device *netdev, bool enable) + struct mlx5e_priv *priv = netdev_priv(netdev); + + #if IS_ENABLED(CONFIG_MLX5_CLS_ACT) +- if (!enable && mlx5e_tc_num_filters(priv, MLX5_TC_FLAG(NIC_OFFLOAD))) { ++ int tc_flag = mlx5e_is_uplink_rep(priv) ? MLX5_TC_FLAG(ESW_OFFLOAD) : ++ MLX5_TC_FLAG(NIC_OFFLOAD); ++ if (!enable && mlx5e_tc_num_filters(priv, tc_flag)) { + netdev_err(netdev, + "Active offloaded tc filters, can't turn hw_tc_offload off\n"); + return -EINVAL; +-- +2.35.1 + diff --git a/queue-5.15/net-mlx5e-properly-disable-vlan-strip-on-non-ul-reps.patch b/queue-5.15/net-mlx5e-properly-disable-vlan-strip-on-non-ul-reps.patch new file mode 100644 index 00000000000..003495bb125 --- /dev/null +++ b/queue-5.15/net-mlx5e-properly-disable-vlan-strip-on-non-ul-reps.patch @@ -0,0 +1,40 @@ +From 2a8247a8c9763df8016faa5c0cac2445ac5800b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Jul 2022 21:41:48 +0200 +Subject: net/mlx5e: Properly disable vlan strip on non-UL reps + +From: Vlad Buslov + +[ Upstream commit f37044fd759b6bc40b6398a978e0b1acdf717372 ] + +When querying mlx5 non-uplink representors capabilities with ethtool +rx-vlan-offload is marked as "off [fixed]". However, it is actually always +enabled because mlx5e_params->vlan_strip_disable is 0 by default when +initializing struct mlx5e_params instance. Fix the issue by explicitly +setting the vlan_strip_disable to 'true' for non-uplink representors. + +Fixes: cb67b832921c ("net/mlx5e: Introduce SRIOV VF representors") +Signed-off-by: Vlad Buslov +Reviewed-by: Roi Dayan +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_rep.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c +index 161b60e1139b3..3d614bf5cff9e 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c +@@ -618,6 +618,8 @@ static void mlx5e_build_rep_params(struct net_device *netdev) + + params->mqprio.num_tc = 1; + params->tunneled_offload_en = false; ++ if (rep->vport != MLX5_VPORT_UPLINK) ++ params->vlan_strip_disable = true; + + /* Set an initial non-zero value, so that mlx5e_select_queue won't + * divide by zero if called before first activating channels. +-- +2.35.1 + diff --git a/queue-5.15/net-moxa-get-rid-of-asymmetry-in-dma-mapping-unmappi.patch b/queue-5.15/net-moxa-get-rid-of-asymmetry-in-dma-mapping-unmappi.patch new file mode 100644 index 00000000000..e31e7b899c8 --- /dev/null +++ b/queue-5.15/net-moxa-get-rid-of-asymmetry-in-dma-mapping-unmappi.patch @@ -0,0 +1,104 @@ +From e41d99b7e2e80393083f61b20eab76b8294a6b62 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Aug 2022 14:05:19 +0300 +Subject: net: moxa: get rid of asymmetry in DMA mapping/unmapping + +From: Sergei Antonov + +[ Upstream commit 0ee7828dfc56e97d71e51e6374dc7b4eb2b6e081 ] + +Since priv->rx_mapping[i] is maped in moxart_mac_open(), we +should unmap it from moxart_mac_stop(). Fixes 2 warnings. + +1. During error unwinding in moxart_mac_probe(): "goto init_fail;", +then moxart_mac_free_memory() calls dma_unmap_single() with +priv->rx_mapping[i] pointers zeroed. + +WARNING: CPU: 0 PID: 1 at kernel/dma/debug.c:963 check_unmap+0x704/0x980 +DMA-API: moxart-ethernet 92000000.mac: device driver tries to free DMA memory it has not allocated [device address=0x0000000000000000] [size=1600 bytes] +CPU: 0 PID: 1 Comm: swapper Not tainted 5.19.0+ #60 +Hardware name: Generic DT based system + unwind_backtrace from show_stack+0x10/0x14 + show_stack from dump_stack_lvl+0x34/0x44 + dump_stack_lvl from __warn+0xbc/0x1f0 + __warn from warn_slowpath_fmt+0x94/0xc8 + warn_slowpath_fmt from check_unmap+0x704/0x980 + check_unmap from debug_dma_unmap_page+0x8c/0x9c + debug_dma_unmap_page from moxart_mac_free_memory+0x3c/0xa8 + moxart_mac_free_memory from moxart_mac_probe+0x190/0x218 + moxart_mac_probe from platform_probe+0x48/0x88 + platform_probe from really_probe+0xc0/0x2e4 + +2. After commands: + ip link set dev eth0 down + ip link set dev eth0 up + +WARNING: CPU: 0 PID: 55 at kernel/dma/debug.c:570 add_dma_entry+0x204/0x2ec +DMA-API: moxart-ethernet 92000000.mac: cacheline tracking EEXIST, overlapping mappings aren't supported +CPU: 0 PID: 55 Comm: ip Not tainted 5.19.0+ #57 +Hardware name: Generic DT based system + unwind_backtrace from show_stack+0x10/0x14 + show_stack from dump_stack_lvl+0x34/0x44 + dump_stack_lvl from __warn+0xbc/0x1f0 + __warn from warn_slowpath_fmt+0x94/0xc8 + warn_slowpath_fmt from add_dma_entry+0x204/0x2ec + add_dma_entry from dma_map_page_attrs+0x110/0x328 + dma_map_page_attrs from moxart_mac_open+0x134/0x320 + moxart_mac_open from __dev_open+0x11c/0x1ec + __dev_open from __dev_change_flags+0x194/0x22c + __dev_change_flags from dev_change_flags+0x14/0x44 + dev_change_flags from devinet_ioctl+0x6d4/0x93c + devinet_ioctl from inet_ioctl+0x1ac/0x25c + +v1 -> v2: +Extraneous change removed. + +Fixes: 6c821bd9edc9 ("net: Add MOXA ART SoCs ethernet driver") +Signed-off-by: Sergei Antonov +Reviewed-by: Andrew Lunn +Link: https://lore.kernel.org/r/20220819110519.1230877-1-saproj@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/moxa/moxart_ether.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/moxa/moxart_ether.c b/drivers/net/ethernet/moxa/moxart_ether.c +index 54a91d2b33b53..fa4c596e6ec6f 100644 +--- a/drivers/net/ethernet/moxa/moxart_ether.c ++++ b/drivers/net/ethernet/moxa/moxart_ether.c +@@ -74,11 +74,6 @@ static int moxart_set_mac_address(struct net_device *ndev, void *addr) + static void moxart_mac_free_memory(struct net_device *ndev) + { + struct moxart_mac_priv_t *priv = netdev_priv(ndev); +- int i; +- +- for (i = 0; i < RX_DESC_NUM; i++) +- dma_unmap_single(&priv->pdev->dev, priv->rx_mapping[i], +- priv->rx_buf_size, DMA_FROM_DEVICE); + + if (priv->tx_desc_base) + dma_free_coherent(&priv->pdev->dev, +@@ -193,6 +188,7 @@ static int moxart_mac_open(struct net_device *ndev) + static int moxart_mac_stop(struct net_device *ndev) + { + struct moxart_mac_priv_t *priv = netdev_priv(ndev); ++ int i; + + napi_disable(&priv->napi); + +@@ -204,6 +200,11 @@ static int moxart_mac_stop(struct net_device *ndev) + /* disable all functions */ + writel(0, priv->base + REG_MAC_CTRL); + ++ /* unmap areas mapped in moxart_mac_setup_desc_ring() */ ++ for (i = 0; i < RX_DESC_NUM; i++) ++ dma_unmap_single(&priv->pdev->dev, priv->rx_mapping[i], ++ priv->rx_buf_size, DMA_FROM_DEVICE); ++ + return 0; + } + +-- +2.35.1 + diff --git a/queue-5.15/net-phy-don-t-warn-for-phy_ready-state-in-mdio_bus_p.patch b/queue-5.15/net-phy-don-t-warn-for-phy_ready-state-in-mdio_bus_p.patch new file mode 100644 index 00000000000..1e5fd753c26 --- /dev/null +++ b/queue-5.15/net-phy-don-t-warn-for-phy_ready-state-in-mdio_bus_p.patch @@ -0,0 +1,50 @@ +From 9cf64e37ca942aff05e008867830125f6ef13105 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Aug 2022 16:24:51 +0800 +Subject: net: phy: Don't WARN for PHY_READY state in mdio_bus_phy_resume() + +From: Xiaolei Wang + +[ Upstream commit 6dbe852c379ff032a70a6b13a91914918c82cb07 ] + +For some MAC drivers, they set the mac_managed_pm to true in its +->ndo_open() callback. So before the mac_managed_pm is set to true, +we still want to leverage the mdio_bus_phy_suspend()/resume() for +the phy device suspend and resume. In this case, the phy device is +in PHY_READY, and we shouldn't warn about this. It also seems that +the check of mac_managed_pm in WARN_ON is redundant since we already +check this in the entry of mdio_bus_phy_resume(), so drop it. + +Fixes: 744d23c71af3 ("net: phy: Warn about incorrect mdio_bus_phy_resume() state") +Signed-off-by: Xiaolei Wang +Acked-by: Florian Fainelli +Link: https://lore.kernel.org/r/20220819082451.1992102-1-xiaolei.wang@windriver.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/phy_device.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c +index 834a68d758327..b616f55ea222a 100644 +--- a/drivers/net/phy/phy_device.c ++++ b/drivers/net/phy/phy_device.c +@@ -315,11 +315,11 @@ static __maybe_unused int mdio_bus_phy_resume(struct device *dev) + + phydev->suspended_by_mdio_bus = 0; + +- /* If we managed to get here with the PHY state machine in a state other +- * than PHY_HALTED this is an indication that something went wrong and +- * we should most likely be using MAC managed PM and we are not. ++ /* If we manged to get here with the PHY state machine in a state neither ++ * PHY_HALTED nor PHY_READY this is an indication that something went wrong ++ * and we should most likely be using MAC managed PM and we are not. + */ +- WARN_ON(phydev->state != PHY_HALTED && !phydev->mac_managed_pm); ++ WARN_ON(phydev->state != PHY_HALTED && phydev->state != PHY_READY); + + ret = phy_init_hw(phydev); + if (ret < 0) +-- +2.35.1 + diff --git a/queue-5.15/net-stmmac-work-around-sporadic-tx-issue-on-link-up.patch b/queue-5.15/net-stmmac-work-around-sporadic-tx-issue-on-link-up.patch new file mode 100644 index 00000000000..db81c3bfbba --- /dev/null +++ b/queue-5.15/net-stmmac-work-around-sporadic-tx-issue-on-link-up.patch @@ -0,0 +1,89 @@ +From eed68bd6d857b94a063455cf7ddc443cc61ab8a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Aug 2022 22:34:49 +0200 +Subject: net: stmmac: work around sporadic tx issue on link-up + +From: Heiner Kallweit + +[ Upstream commit a3a57bf07de23fe1ff779e0fdf710aa581c3ff73 ] + +This is a follow-up to the discussion in [0]. It seems to me that +at least the IP version used on Amlogic SoC's sometimes has a problem +if register MAC_CTRL_REG is written whilst the chip is still processing +a previous write. But that's just a guess. +Adding a delay between two writes to this register helps, but we can +also simply omit the offending second write. This patch uses the second +approach and is based on a suggestion from Qi Duan. +Benefit of this approach is that we can save few register writes, also +on not affected chip versions. + +[0] https://www.spinics.net/lists/netdev/msg831526.html + +Fixes: bfab27a146ed ("stmmac: add the experimental PCI support") +Suggested-by: Qi Duan +Suggested-by: Jerome Brunet +Signed-off-by: Heiner Kallweit +Link: https://lore.kernel.org/r/e99857ce-bd90-5093-ca8c-8cd480b5a0a2@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/dwmac_lib.c | 8 ++++++-- + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 9 +++++---- + 2 files changed, 11 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac_lib.c b/drivers/net/ethernet/stmicro/stmmac/dwmac_lib.c +index d1c31200bb911..01d0a14f67520 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac_lib.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac_lib.c +@@ -258,14 +258,18 @@ EXPORT_SYMBOL_GPL(stmmac_set_mac_addr); + /* Enable disable MAC RX/TX */ + void stmmac_set_mac(void __iomem *ioaddr, bool enable) + { +- u32 value = readl(ioaddr + MAC_CTRL_REG); ++ u32 old_val, value; ++ ++ old_val = readl(ioaddr + MAC_CTRL_REG); ++ value = old_val; + + if (enable) + value |= MAC_ENABLE_RX | MAC_ENABLE_TX; + else + value &= ~(MAC_ENABLE_TX | MAC_ENABLE_RX); + +- writel(value, ioaddr + MAC_CTRL_REG); ++ if (value != old_val) ++ writel(value, ioaddr + MAC_CTRL_REG); + } + + void stmmac_get_mac_addr(void __iomem *ioaddr, unsigned char *addr, +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +index b4f83c8655684..2569673559df3 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -1083,10 +1083,10 @@ static void stmmac_mac_link_up(struct phylink_config *config, + bool tx_pause, bool rx_pause) + { + struct stmmac_priv *priv = netdev_priv(to_net_dev(config->dev)); +- u32 ctrl; ++ u32 old_ctrl, ctrl; + +- ctrl = readl(priv->ioaddr + MAC_CTRL_REG); +- ctrl &= ~priv->hw->link.speed_mask; ++ old_ctrl = readl(priv->ioaddr + MAC_CTRL_REG); ++ ctrl = old_ctrl & ~priv->hw->link.speed_mask; + + if (interface == PHY_INTERFACE_MODE_USXGMII) { + switch (speed) { +@@ -1161,7 +1161,8 @@ static void stmmac_mac_link_up(struct phylink_config *config, + if (tx_pause && rx_pause) + stmmac_mac_flow_ctrl(priv, duplex); + +- writel(ctrl, priv->ioaddr + MAC_CTRL_REG); ++ if (ctrl != old_ctrl) ++ writel(ctrl, priv->ioaddr + MAC_CTRL_REG); + + stmmac_mac_set(priv, priv->ioaddr, true); + if (phy && priv->dma_cap.eee) { +-- +2.35.1 + diff --git a/queue-5.15/net-use-eth_hw_addr_set-instead-of-ether_addr_copy.patch b/queue-5.15/net-use-eth_hw_addr_set-instead-of-ether_addr_copy.patch new file mode 100644 index 00000000000..d39bed8c406 --- /dev/null +++ b/queue-5.15/net-use-eth_hw_addr_set-instead-of-ether_addr_copy.patch @@ -0,0 +1,151 @@ +From e7083965b44b46115f9c46bf9bb79c932834236c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Oct 2021 14:32:22 -0700 +Subject: net: use eth_hw_addr_set() instead of ether_addr_copy() + +From: Jakub Kicinski + +[ Upstream commit e35b8d7dbb094c79daf920797c372911edc2d525 ] + +Convert from ether_addr_copy() to eth_hw_addr_set(): + + @@ + expression dev, np; + @@ + - ether_addr_copy(dev->dev_addr, np) + + eth_hw_addr_set(dev, np) + +Signed-off-by: Jakub Kicinski +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ipvlan/ipvlan_main.c | 2 +- + drivers/net/macsec.c | 2 +- + drivers/net/macvlan.c | 2 +- + net/8021q/vlan_dev.c | 6 +++--- + net/dsa/slave.c | 4 ++-- + net/hsr/hsr_device.c | 2 +- + net/hsr/hsr_main.c | 2 +- + 7 files changed, 10 insertions(+), 10 deletions(-) + +diff --git a/drivers/net/ipvlan/ipvlan_main.c b/drivers/net/ipvlan/ipvlan_main.c +index c0b21a5580d52..3f43c253adaca 100644 +--- a/drivers/net/ipvlan/ipvlan_main.c ++++ b/drivers/net/ipvlan/ipvlan_main.c +@@ -787,7 +787,7 @@ static int ipvlan_device_event(struct notifier_block *unused, + + case NETDEV_CHANGEADDR: + list_for_each_entry(ipvlan, &port->ipvlans, pnode) { +- ether_addr_copy(ipvlan->dev->dev_addr, dev->dev_addr); ++ eth_hw_addr_set(ipvlan->dev, dev->dev_addr); + call_netdevice_notifiers(NETDEV_CHANGEADDR, ipvlan->dev); + } + break; +diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c +index 354890948f8a1..0a860cbe03e76 100644 +--- a/drivers/net/macsec.c ++++ b/drivers/net/macsec.c +@@ -3616,7 +3616,7 @@ static int macsec_set_mac_address(struct net_device *dev, void *p) + dev_uc_del(real_dev, dev->dev_addr); + + out: +- ether_addr_copy(dev->dev_addr, addr->sa_data); ++ eth_hw_addr_set(dev, addr->sa_data); + macsec->secy.sci = dev_to_sci(dev, MACSEC_PORT_ES); + + /* If h/w offloading is available, propagate to the device */ +diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c +index a9a515cf5a460..6363459ba1d05 100644 +--- a/drivers/net/macvlan.c ++++ b/drivers/net/macvlan.c +@@ -711,7 +711,7 @@ static int macvlan_sync_address(struct net_device *dev, unsigned char *addr) + + if (!(dev->flags & IFF_UP)) { + /* Just copy in the new address */ +- ether_addr_copy(dev->dev_addr, addr); ++ eth_hw_addr_set(dev, addr); + } else { + /* Rehash and update the device filters */ + if (macvlan_addr_busy(vlan->port, addr)) +diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c +index 8602885c8a8e0..a54535cbcf4cf 100644 +--- a/net/8021q/vlan_dev.c ++++ b/net/8021q/vlan_dev.c +@@ -250,7 +250,7 @@ bool vlan_dev_inherit_address(struct net_device *dev, + if (dev->addr_assign_type != NET_ADDR_STOLEN) + return false; + +- ether_addr_copy(dev->dev_addr, real_dev->dev_addr); ++ eth_hw_addr_set(dev, real_dev->dev_addr); + call_netdevice_notifiers(NETDEV_CHANGEADDR, dev); + return true; + } +@@ -349,7 +349,7 @@ static int vlan_dev_set_mac_address(struct net_device *dev, void *p) + dev_uc_del(real_dev, dev->dev_addr); + + out: +- ether_addr_copy(dev->dev_addr, addr->sa_data); ++ eth_hw_addr_set(dev, addr->sa_data); + return 0; + } + +@@ -586,7 +586,7 @@ static int vlan_dev_init(struct net_device *dev) + dev->dev_id = real_dev->dev_id; + + if (is_zero_ether_addr(dev->dev_addr)) { +- ether_addr_copy(dev->dev_addr, real_dev->dev_addr); ++ eth_hw_addr_set(dev, real_dev->dev_addr); + dev->addr_assign_type = NET_ADDR_STOLEN; + } + if (is_zero_ether_addr(dev->broadcast)) +diff --git a/net/dsa/slave.c b/net/dsa/slave.c +index a2bf2d8ac65b7..11ec9e689589b 100644 +--- a/net/dsa/slave.c ++++ b/net/dsa/slave.c +@@ -174,7 +174,7 @@ static int dsa_slave_set_mac_address(struct net_device *dev, void *a) + dev_uc_del(master, dev->dev_addr); + + out: +- ether_addr_copy(dev->dev_addr, addr->sa_data); ++ eth_hw_addr_set(dev, addr->sa_data); + + return 0; + } +@@ -1954,7 +1954,7 @@ int dsa_slave_create(struct dsa_port *port) + + slave_dev->ethtool_ops = &dsa_slave_ethtool_ops; + if (!is_zero_ether_addr(port->mac)) +- ether_addr_copy(slave_dev->dev_addr, port->mac); ++ eth_hw_addr_set(slave_dev, port->mac); + else + eth_hw_addr_inherit(slave_dev, master); + slave_dev->priv_flags |= IFF_NO_QUEUE; +diff --git a/net/hsr/hsr_device.c b/net/hsr/hsr_device.c +index ea7b96e296ef0..a1045c3d71b4f 100644 +--- a/net/hsr/hsr_device.c ++++ b/net/hsr/hsr_device.c +@@ -493,7 +493,7 @@ int hsr_dev_finalize(struct net_device *hsr_dev, struct net_device *slave[2], + INIT_LIST_HEAD(&hsr->self_node_db); + spin_lock_init(&hsr->list_lock); + +- ether_addr_copy(hsr_dev->dev_addr, slave[0]->dev_addr); ++ eth_hw_addr_set(hsr_dev, slave[0]->dev_addr); + + /* initialize protocol specific functions */ + if (protocol_version == PRP_V1) { +diff --git a/net/hsr/hsr_main.c b/net/hsr/hsr_main.c +index f7e284f23b1f3..b099c31501509 100644 +--- a/net/hsr/hsr_main.c ++++ b/net/hsr/hsr_main.c +@@ -75,7 +75,7 @@ static int hsr_netdev_notify(struct notifier_block *nb, unsigned long event, + master = hsr_port_get_hsr(hsr, HSR_PT_MASTER); + + if (port->type == HSR_PT_SLAVE_A) { +- ether_addr_copy(master->dev->dev_addr, dev->dev_addr); ++ eth_hw_addr_set(master->dev, dev->dev_addr); + call_netdevice_notifiers(NETDEV_CHANGEADDR, + master->dev); + } +-- +2.35.1 + diff --git a/queue-5.15/netfilter-bitwise-improve-error-goto-labels.patch b/queue-5.15/netfilter-bitwise-improve-error-goto-labels.patch new file mode 100644 index 00000000000..41bfc9dde6c --- /dev/null +++ b/queue-5.15/netfilter-bitwise-improve-error-goto-labels.patch @@ -0,0 +1,54 @@ +From 66de0afd1cb0b81aacf5282289626ca856c9002c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Apr 2022 13:04:15 +0100 +Subject: netfilter: bitwise: improve error goto labels + +From: Jeremy Sowden + +[ Upstream commit 00bd435208e5201eb935d273052930bd3b272b6f ] + +Replace two labels (`err1` and `err2`) with more informative ones. + +Signed-off-by: Jeremy Sowden +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_bitwise.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/net/netfilter/nft_bitwise.c b/net/netfilter/nft_bitwise.c +index 47b0dba95054f..d0c648b64cd40 100644 +--- a/net/netfilter/nft_bitwise.c ++++ b/net/netfilter/nft_bitwise.c +@@ -109,22 +109,23 @@ static int nft_bitwise_init_bool(struct nft_bitwise *priv, + return err; + if (mask.type != NFT_DATA_VALUE || mask.len != priv->len) { + err = -EINVAL; +- goto err1; ++ goto err_mask_release; + } + + err = nft_data_init(NULL, &priv->xor, sizeof(priv->xor), &xor, + tb[NFTA_BITWISE_XOR]); + if (err < 0) +- goto err1; ++ goto err_mask_release; + if (xor.type != NFT_DATA_VALUE || xor.len != priv->len) { + err = -EINVAL; +- goto err2; ++ goto err_xor_release; + } + + return 0; +-err2: ++ ++err_xor_release: + nft_data_release(&priv->xor, xor.type); +-err1: ++err_mask_release: + nft_data_release(&priv->mask, mask.type); + return err; + } +-- +2.35.1 + diff --git a/queue-5.15/netfilter-ebtables-reject-blobs-that-don-t-provide-a.patch b/queue-5.15/netfilter-ebtables-reject-blobs-that-don-t-provide-a.patch new file mode 100644 index 00000000000..987a88304c7 --- /dev/null +++ b/queue-5.15/netfilter-ebtables-reject-blobs-that-don-t-provide-a.patch @@ -0,0 +1,165 @@ +From 49bf6eb2ad3494c2d108c75870fbfc3f63a3db67 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 20 Aug 2022 17:38:37 +0200 +Subject: netfilter: ebtables: reject blobs that don't provide all entry points + +From: Florian Westphal + +[ Upstream commit 7997eff82828304b780dc0a39707e1946d6f1ebf ] + +Harshit Mogalapalli says: + In ebt_do_table() function dereferencing 'private->hook_entry[hook]' + can lead to NULL pointer dereference. [..] Kernel panic: + +general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN +KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f] +[..] +RIP: 0010:ebt_do_table+0x1dc/0x1ce0 +Code: 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 5c 16 00 00 48 b8 00 00 00 00 00 fc ff df 49 8b 6c df 08 48 8d 7d 2c 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 88 +[..] +Call Trace: + nf_hook_slow+0xb1/0x170 + __br_forward+0x289/0x730 + maybe_deliver+0x24b/0x380 + br_flood+0xc6/0x390 + br_dev_xmit+0xa2e/0x12c0 + +For some reason ebtables rejects blobs that provide entry points that are +not supported by the table, but what it should instead reject is the +opposite: blobs that DO NOT provide an entry point supported by the table. + +t->valid_hooks is the bitmask of hooks (input, forward ...) that will see +packets. Providing an entry point that is not support is harmless +(never called/used), but the inverse isn't: it results in a crash +because the ebtables traverser doesn't expect a NULL blob for a location +its receiving packets for. + +Instead of fixing all the individual checks, do what iptables is doing and +reject all blobs that differ from the expected hooks. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: Harshit Mogalapalli +Reported-by: syzkaller +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + include/linux/netfilter_bridge/ebtables.h | 4 ---- + net/bridge/netfilter/ebtable_broute.c | 8 -------- + net/bridge/netfilter/ebtable_filter.c | 8 -------- + net/bridge/netfilter/ebtable_nat.c | 8 -------- + net/bridge/netfilter/ebtables.c | 8 +------- + 5 files changed, 1 insertion(+), 35 deletions(-) + +diff --git a/include/linux/netfilter_bridge/ebtables.h b/include/linux/netfilter_bridge/ebtables.h +index 10a01978bc0d3..bde9db771ae41 100644 +--- a/include/linux/netfilter_bridge/ebtables.h ++++ b/include/linux/netfilter_bridge/ebtables.h +@@ -94,10 +94,6 @@ struct ebt_table { + struct ebt_replace_kernel *table; + unsigned int valid_hooks; + rwlock_t lock; +- /* e.g. could be the table explicitly only allows certain +- * matches, targets, ... 0 == let it in */ +- int (*check)(const struct ebt_table_info *info, +- unsigned int valid_hooks); + /* the data used by the kernel */ + struct ebt_table_info *private; + struct nf_hook_ops *ops; +diff --git a/net/bridge/netfilter/ebtable_broute.c b/net/bridge/netfilter/ebtable_broute.c +index a7af4eaff17d3..3d4ea774d7e8f 100644 +--- a/net/bridge/netfilter/ebtable_broute.c ++++ b/net/bridge/netfilter/ebtable_broute.c +@@ -36,18 +36,10 @@ static struct ebt_replace_kernel initial_table = { + .entries = (char *)&initial_chain, + }; + +-static int check(const struct ebt_table_info *info, unsigned int valid_hooks) +-{ +- if (valid_hooks & ~(1 << NF_BR_BROUTING)) +- return -EINVAL; +- return 0; +-} +- + static const struct ebt_table broute_table = { + .name = "broute", + .table = &initial_table, + .valid_hooks = 1 << NF_BR_BROUTING, +- .check = check, + .me = THIS_MODULE, + }; + +diff --git a/net/bridge/netfilter/ebtable_filter.c b/net/bridge/netfilter/ebtable_filter.c +index c0b121df4a9af..257d63b5dec16 100644 +--- a/net/bridge/netfilter/ebtable_filter.c ++++ b/net/bridge/netfilter/ebtable_filter.c +@@ -43,18 +43,10 @@ static struct ebt_replace_kernel initial_table = { + .entries = (char *)initial_chains, + }; + +-static int check(const struct ebt_table_info *info, unsigned int valid_hooks) +-{ +- if (valid_hooks & ~FILTER_VALID_HOOKS) +- return -EINVAL; +- return 0; +-} +- + static const struct ebt_table frame_filter = { + .name = "filter", + .table = &initial_table, + .valid_hooks = FILTER_VALID_HOOKS, +- .check = check, + .me = THIS_MODULE, + }; + +diff --git a/net/bridge/netfilter/ebtable_nat.c b/net/bridge/netfilter/ebtable_nat.c +index 4078151c224fb..39179c2cf87d2 100644 +--- a/net/bridge/netfilter/ebtable_nat.c ++++ b/net/bridge/netfilter/ebtable_nat.c +@@ -43,18 +43,10 @@ static struct ebt_replace_kernel initial_table = { + .entries = (char *)initial_chains, + }; + +-static int check(const struct ebt_table_info *info, unsigned int valid_hooks) +-{ +- if (valid_hooks & ~NAT_VALID_HOOKS) +- return -EINVAL; +- return 0; +-} +- + static const struct ebt_table frame_nat = { + .name = "nat", + .table = &initial_table, + .valid_hooks = NAT_VALID_HOOKS, +- .check = check, + .me = THIS_MODULE, + }; + +diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c +index ba045f35114dd..8905fe2fe023d 100644 +--- a/net/bridge/netfilter/ebtables.c ++++ b/net/bridge/netfilter/ebtables.c +@@ -1040,8 +1040,7 @@ static int do_replace_finish(struct net *net, struct ebt_replace *repl, + goto free_iterate; + } + +- /* the table doesn't like it */ +- if (t->check && (ret = t->check(newinfo, repl->valid_hooks))) ++ if (repl->valid_hooks != t->valid_hooks) + goto free_unlock; + + if (repl->num_counters && repl->num_counters != t->private->nentries) { +@@ -1231,11 +1230,6 @@ int ebt_register_table(struct net *net, const struct ebt_table *input_table, + if (ret != 0) + goto free_chainstack; + +- if (table->check && table->check(newinfo, table->valid_hooks)) { +- ret = -EINVAL; +- goto free_chainstack; +- } +- + table->private = newinfo; + rwlock_init(&table->lock); + mutex_lock(&ebt_mutex); +-- +2.35.1 + diff --git a/queue-5.15/netfilter-flowtable-add-function-to-invoke-garbage-c.patch b/queue-5.15/netfilter-flowtable-add-function-to-invoke-garbage-c.patch new file mode 100644 index 00000000000..d1648d0dc58 --- /dev/null +++ b/queue-5.15/netfilter-flowtable-add-function-to-invoke-garbage-c.patch @@ -0,0 +1,72 @@ +From 30079cb6733fce521dd4c54c8b73d9844782b5fd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Aug 2022 23:13:00 +0200 +Subject: netfilter: flowtable: add function to invoke garbage collection + immediately + +From: Pablo Neira Ayuso + +[ Upstream commit 759eebbcfafcefa23b59e912396306543764bd3c ] + +Expose nf_flow_table_gc_run() to force a garbage collector run from the +offload infrastructure. + +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/net/netfilter/nf_flow_table.h | 1 + + net/netfilter/nf_flow_table_core.c | 12 +++++++++--- + 2 files changed, 10 insertions(+), 3 deletions(-) + +diff --git a/include/net/netfilter/nf_flow_table.h b/include/net/netfilter/nf_flow_table.h +index 9f927c44087de..f337041dcc352 100644 +--- a/include/net/netfilter/nf_flow_table.h ++++ b/include/net/netfilter/nf_flow_table.h +@@ -266,6 +266,7 @@ void flow_offload_refresh(struct nf_flowtable *flow_table, + + struct flow_offload_tuple_rhash *flow_offload_lookup(struct nf_flowtable *flow_table, + struct flow_offload_tuple *tuple); ++void nf_flow_table_gc_run(struct nf_flowtable *flow_table); + void nf_flow_table_gc_cleanup(struct nf_flowtable *flowtable, + struct net_device *dev); + void nf_flow_table_cleanup(struct net_device *dev); +diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c +index 9fb407084c506..95ff1284d3d89 100644 +--- a/net/netfilter/nf_flow_table_core.c ++++ b/net/netfilter/nf_flow_table_core.c +@@ -436,12 +436,17 @@ static void nf_flow_offload_gc_step(struct nf_flowtable *flow_table, + } + } + ++void nf_flow_table_gc_run(struct nf_flowtable *flow_table) ++{ ++ nf_flow_table_iterate(flow_table, nf_flow_offload_gc_step, NULL); ++} ++ + static void nf_flow_offload_work_gc(struct work_struct *work) + { + struct nf_flowtable *flow_table; + + flow_table = container_of(work, struct nf_flowtable, gc_work.work); +- nf_flow_table_iterate(flow_table, nf_flow_offload_gc_step, NULL); ++ nf_flow_table_gc_run(flow_table); + queue_delayed_work(system_power_efficient_wq, &flow_table->gc_work, HZ); + } + +@@ -600,10 +605,11 @@ void nf_flow_table_free(struct nf_flowtable *flow_table) + + cancel_delayed_work_sync(&flow_table->gc_work); + nf_flow_table_iterate(flow_table, nf_flow_table_do_cleanup, NULL); +- nf_flow_table_iterate(flow_table, nf_flow_offload_gc_step, NULL); ++ nf_flow_table_gc_run(flow_table); + nf_flow_table_offload_flush(flow_table); + if (nf_flowtable_hw_offload(flow_table)) +- nf_flow_table_iterate(flow_table, nf_flow_offload_gc_step, NULL); ++ nf_flow_table_gc_run(flow_table); ++ + rhashtable_destroy(&flow_table->rhashtable); + } + EXPORT_SYMBOL_GPL(nf_flow_table_free); +-- +2.35.1 + diff --git a/queue-5.15/netfilter-flowtable-fix-stuck-flows-on-cleanup-due-t.patch b/queue-5.15/netfilter-flowtable-fix-stuck-flows-on-cleanup-due-t.patch new file mode 100644 index 00000000000..bb9207d86cb --- /dev/null +++ b/queue-5.15/netfilter-flowtable-fix-stuck-flows-on-cleanup-due-t.patch @@ -0,0 +1,134 @@ +From c32803d95c6eae931c2e8a9594b51f4516b262e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Nov 2021 22:24:15 +0100 +Subject: netfilter: flowtable: fix stuck flows on cleanup due to pending work + +From: Pablo Neira Ayuso + +[ Upstream commit 9afb4b27349a499483ae0134282cefd0c90f480f ] + +To clear the flow table on flow table free, the following sequence +normally happens in order: + + 1) gc_step work is stopped to disable any further stats/del requests. + 2) All flow table entries are set to teardown state. + 3) Run gc_step which will queue HW del work for each flow table entry. + 4) Waiting for the above del work to finish (flush). + 5) Run gc_step again, deleting all entries from the flow table. + 6) Flow table is freed. + +But if a flow table entry already has pending HW stats or HW add work +step 3 will not queue HW del work (it will be skipped), step 4 will wait +for the pending add/stats to finish, and step 5 will queue HW del work +which might execute after freeing of the flow table. + +To fix the above, this patch flushes the pending work, then it sets the +teardown flag to all flows in the flowtable and it forces a garbage +collector run to queue work to remove the flows from hardware, then it +flushes this new pending work and (finally) it forces another garbage +collector run to remove the entry from the software flowtable. + +Stack trace: +[47773.882335] BUG: KASAN: use-after-free in down_read+0x99/0x460 +[47773.883634] Write of size 8 at addr ffff888103b45aa8 by task kworker/u20:6/543704 +[47773.885634] CPU: 3 PID: 543704 Comm: kworker/u20:6 Not tainted 5.12.0-rc7+ #2 +[47773.886745] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009) +[47773.888438] Workqueue: nf_ft_offload_del flow_offload_work_handler [nf_flow_table] +[47773.889727] Call Trace: +[47773.890214] dump_stack+0xbb/0x107 +[47773.890818] print_address_description.constprop.0+0x18/0x140 +[47773.892990] kasan_report.cold+0x7c/0xd8 +[47773.894459] kasan_check_range+0x145/0x1a0 +[47773.895174] down_read+0x99/0x460 +[47773.899706] nf_flow_offload_tuple+0x24f/0x3c0 [nf_flow_table] +[47773.907137] flow_offload_work_handler+0x72d/0xbe0 [nf_flow_table] +[47773.913372] process_one_work+0x8ac/0x14e0 +[47773.921325] +[47773.921325] Allocated by task 592159: +[47773.922031] kasan_save_stack+0x1b/0x40 +[47773.922730] __kasan_kmalloc+0x7a/0x90 +[47773.923411] tcf_ct_flow_table_get+0x3cb/0x1230 [act_ct] +[47773.924363] tcf_ct_init+0x71c/0x1156 [act_ct] +[47773.925207] tcf_action_init_1+0x45b/0x700 +[47773.925987] tcf_action_init+0x453/0x6b0 +[47773.926692] tcf_exts_validate+0x3d0/0x600 +[47773.927419] fl_change+0x757/0x4a51 [cls_flower] +[47773.928227] tc_new_tfilter+0x89a/0x2070 +[47773.936652] +[47773.936652] Freed by task 543704: +[47773.937303] kasan_save_stack+0x1b/0x40 +[47773.938039] kasan_set_track+0x1c/0x30 +[47773.938731] kasan_set_free_info+0x20/0x30 +[47773.939467] __kasan_slab_free+0xe7/0x120 +[47773.940194] slab_free_freelist_hook+0x86/0x190 +[47773.941038] kfree+0xce/0x3a0 +[47773.941644] tcf_ct_flow_table_cleanup_work + +Original patch description and stack trace by Paul Blakey. + +Fixes: c29f74e0df7a ("netfilter: nf_flow_table: hardware offload support") +Reported-by: Paul Blakey +Tested-by: Paul Blakey +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/net/netfilter/nf_flow_table.h | 2 ++ + net/netfilter/nf_flow_table_core.c | 7 +++---- + net/netfilter/nf_flow_table_offload.c | 8 ++++++++ + 3 files changed, 13 insertions(+), 4 deletions(-) + +diff --git a/include/net/netfilter/nf_flow_table.h b/include/net/netfilter/nf_flow_table.h +index f337041dcc352..aaa518e777e9e 100644 +--- a/include/net/netfilter/nf_flow_table.h ++++ b/include/net/netfilter/nf_flow_table.h +@@ -303,6 +303,8 @@ void nf_flow_offload_stats(struct nf_flowtable *flowtable, + struct flow_offload *flow); + + void nf_flow_table_offload_flush(struct nf_flowtable *flowtable); ++void nf_flow_table_offload_flush_cleanup(struct nf_flowtable *flowtable); ++ + int nf_flow_table_offload_setup(struct nf_flowtable *flowtable, + struct net_device *dev, + enum flow_block_command cmd); +diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c +index 95ff1284d3d89..4f61eb1282834 100644 +--- a/net/netfilter/nf_flow_table_core.c ++++ b/net/netfilter/nf_flow_table_core.c +@@ -604,12 +604,11 @@ void nf_flow_table_free(struct nf_flowtable *flow_table) + mutex_unlock(&flowtable_lock); + + cancel_delayed_work_sync(&flow_table->gc_work); ++ nf_flow_table_offload_flush(flow_table); ++ /* ... no more pending work after this stage ... */ + nf_flow_table_iterate(flow_table, nf_flow_table_do_cleanup, NULL); + nf_flow_table_gc_run(flow_table); +- nf_flow_table_offload_flush(flow_table); +- if (nf_flowtable_hw_offload(flow_table)) +- nf_flow_table_gc_run(flow_table); +- ++ nf_flow_table_offload_flush_cleanup(flow_table); + rhashtable_destroy(&flow_table->rhashtable); + } + EXPORT_SYMBOL_GPL(nf_flow_table_free); +diff --git a/net/netfilter/nf_flow_table_offload.c b/net/netfilter/nf_flow_table_offload.c +index b561e0a44a45f..c4559fae8acd5 100644 +--- a/net/netfilter/nf_flow_table_offload.c ++++ b/net/netfilter/nf_flow_table_offload.c +@@ -1050,6 +1050,14 @@ void nf_flow_offload_stats(struct nf_flowtable *flowtable, + flow_offload_queue_work(offload); + } + ++void nf_flow_table_offload_flush_cleanup(struct nf_flowtable *flowtable) ++{ ++ if (nf_flowtable_hw_offload(flowtable)) { ++ flush_workqueue(nf_flow_offload_del_wq); ++ nf_flow_table_gc_run(flowtable); ++ } ++} ++ + void nf_flow_table_offload_flush(struct nf_flowtable *flowtable) + { + if (nf_flowtable_hw_offload(flowtable)) { +-- +2.35.1 + diff --git a/queue-5.15/netfilter-nf_tables-consolidate-rule-verdict-trace-c.patch b/queue-5.15/netfilter-nf_tables-consolidate-rule-verdict-trace-c.patch new file mode 100644 index 00000000000..04f19dfa3ef --- /dev/null +++ b/queue-5.15/netfilter-nf_tables-consolidate-rule-verdict-trace-c.patch @@ -0,0 +1,93 @@ +From 3a54d46856b0515740bbc90afa3392b53a7c517f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Dec 2021 00:10:12 +0100 +Subject: netfilter: nf_tables: consolidate rule verdict trace call + +From: Pablo Neira Ayuso + +[ Upstream commit 4765473fefd4403b5eeca371637065b561522c50 ] + +Add function to consolidate verdict tracing. + +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_core.c | 39 ++++++++++++++++++++++++++++------ + 1 file changed, 32 insertions(+), 7 deletions(-) + +diff --git a/net/netfilter/nf_tables_core.c b/net/netfilter/nf_tables_core.c +index d4d8f613af512..7defe5a92e47f 100644 +--- a/net/netfilter/nf_tables_core.c ++++ b/net/netfilter/nf_tables_core.c +@@ -67,6 +67,36 @@ static void nft_cmp_fast_eval(const struct nft_expr *expr, + regs->verdict.code = NFT_BREAK; + } + ++static noinline void __nft_trace_verdict(struct nft_traceinfo *info, ++ const struct nft_chain *chain, ++ const struct nft_regs *regs) ++{ ++ enum nft_trace_types type; ++ ++ switch (regs->verdict.code) { ++ case NFT_CONTINUE: ++ case NFT_RETURN: ++ type = NFT_TRACETYPE_RETURN; ++ break; ++ default: ++ type = NFT_TRACETYPE_RULE; ++ break; ++ } ++ ++ __nft_trace_packet(info, chain, type); ++} ++ ++static inline void nft_trace_verdict(struct nft_traceinfo *info, ++ const struct nft_chain *chain, ++ const struct nft_rule *rule, ++ const struct nft_regs *regs) ++{ ++ if (static_branch_unlikely(&nft_trace_enabled)) { ++ info->rule = rule; ++ __nft_trace_verdict(info, chain, regs); ++ } ++} ++ + static bool nft_payload_fast_eval(const struct nft_expr *expr, + struct nft_regs *regs, + const struct nft_pktinfo *pkt) +@@ -207,13 +237,13 @@ nft_do_chain(struct nft_pktinfo *pkt, void *priv) + break; + } + ++ nft_trace_verdict(&info, chain, rule, ®s); ++ + switch (regs.verdict.code & NF_VERDICT_MASK) { + case NF_ACCEPT: + case NF_DROP: + case NF_QUEUE: + case NF_STOLEN: +- nft_trace_packet(&info, chain, rule, +- NFT_TRACETYPE_RULE); + return regs.verdict.code; + } + +@@ -226,15 +256,10 @@ nft_do_chain(struct nft_pktinfo *pkt, void *priv) + stackptr++; + fallthrough; + case NFT_GOTO: +- nft_trace_packet(&info, chain, rule, +- NFT_TRACETYPE_RULE); +- + chain = regs.verdict.chain; + goto do_chain; + case NFT_CONTINUE: + case NFT_RETURN: +- nft_trace_packet(&info, chain, rule, +- NFT_TRACETYPE_RETURN); + break; + default: + WARN_ON(1); +-- +2.35.1 + diff --git a/queue-5.15/netfilter-nf_tables-disallow-binding-to-already-boun.patch b/queue-5.15/netfilter-nf_tables-disallow-binding-to-already-boun.patch new file mode 100644 index 00000000000..8e3e25a309c --- /dev/null +++ b/queue-5.15/netfilter-nf_tables-disallow-binding-to-already-boun.patch @@ -0,0 +1,35 @@ +From 6108e026195c0e56f21a24c50a640cb16224620f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Aug 2022 11:06:39 +0200 +Subject: netfilter: nf_tables: disallow binding to already bound chain + +From: Pablo Neira Ayuso + +[ Upstream commit e02f0d3970404bfea385b6edb86f2d936db0ea2b ] + +Update nft_data_init() to report EINVAL if chain is already bound. + +Fixes: d0e2c7de92c7 ("netfilter: nf_tables: add NFT_CHAIN_BINDING") +Reported-by: Gwangun Jung +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 8bc4460b627ae..d8ca55d6be409 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -9505,6 +9505,8 @@ static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data, + return PTR_ERR(chain); + if (nft_is_base_chain(chain)) + return -EOPNOTSUPP; ++ if (nft_chain_is_bound(chain)) ++ return -EINVAL; + if (desc->flags & NFT_DATA_DESC_SETELEM && + chain->flags & NFT_CHAIN_BINDING) + return -EINVAL; +-- +2.35.1 + diff --git a/queue-5.15/netfilter-nf_tables-disallow-jump-to-implicit-chain-.patch b/queue-5.15/netfilter-nf_tables-disallow-jump-to-implicit-chain-.patch new file mode 100644 index 00000000000..6b800744ab3 --- /dev/null +++ b/queue-5.15/netfilter-nf_tables-disallow-jump-to-implicit-chain-.patch @@ -0,0 +1,69 @@ +From 448d27894995a7c52f381f8db62d2ec61fea9bb3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Aug 2022 19:30:07 +0200 +Subject: netfilter: nf_tables: disallow jump to implicit chain from set + element + +From: Pablo Neira Ayuso + +[ Upstream commit f323ef3a0d49e147365284bc1f02212e617b7f09 ] + +Extend struct nft_data_desc to add a flag field that specifies +nft_data_init() is being called for set element data. + +Use it to disallow jump to implicit chain from set element, only jump +to chain via immediate expression is allowed. + +Fixes: d0e2c7de92c7 ("netfilter: nf_tables: add NFT_CHAIN_BINDING") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/net/netfilter/nf_tables.h | 5 +++++ + net/netfilter/nf_tables_api.c | 4 ++++ + 2 files changed, 9 insertions(+) + +diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h +index 6a38bf8538f1e..53746494eb846 100644 +--- a/include/net/netfilter/nf_tables.h ++++ b/include/net/netfilter/nf_tables.h +@@ -193,10 +193,15 @@ struct nft_ctx { + bool report; + }; + ++enum nft_data_desc_flags { ++ NFT_DATA_DESC_SETELEM = (1 << 0), ++}; ++ + struct nft_data_desc { + enum nft_data_types type; + unsigned int size; + unsigned int len; ++ unsigned int flags; + }; + + int nft_data_init(const struct nft_ctx *ctx, struct nft_data *data, +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index b19f4255b9018..8bc4460b627ae 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -5144,6 +5144,7 @@ static int nft_setelem_parse_data(struct nft_ctx *ctx, struct nft_set *set, + desc->type = dtype; + desc->size = NFT_DATA_VALUE_MAXLEN; + desc->len = set->dlen; ++ desc->flags = NFT_DATA_DESC_SETELEM; + + return nft_data_init(ctx, data, desc, attr); + } +@@ -9504,6 +9505,9 @@ static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data, + return PTR_ERR(chain); + if (nft_is_base_chain(chain)) + return -EOPNOTSUPP; ++ if (desc->flags & NFT_DATA_DESC_SETELEM && ++ chain->flags & NFT_CHAIN_BINDING) ++ return -EINVAL; + + chain->use++; + data->verdict.chain = chain; +-- +2.35.1 + diff --git a/queue-5.15/netfilter-nf_tables-disallow-updates-of-implicit-cha.patch b/queue-5.15/netfilter-nf_tables-disallow-updates-of-implicit-cha.patch new file mode 100644 index 00000000000..f60e375fe54 --- /dev/null +++ b/queue-5.15/netfilter-nf_tables-disallow-updates-of-implicit-cha.patch @@ -0,0 +1,35 @@ +From beeb4d5d94e94c631581a8c53dc711d6c62f8352 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 21 Aug 2022 10:28:25 +0200 +Subject: netfilter: nf_tables: disallow updates of implicit chain + +From: Pablo Neira Ayuso + +[ Upstream commit 5dc52d83baac30decf5f3b371d5eb41dfa1d1412 ] + +Updates on existing implicit chain make no sense, disallow this. + +Fixes: d0e2c7de92c7 ("netfilter: nf_tables: add NFT_CHAIN_BINDING") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 2f22a172a27e1..58f9513bd1419 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -2479,6 +2479,9 @@ static int nf_tables_newchain(struct sk_buff *skb, const struct nfnl_info *info, + nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla); + + if (chain != NULL) { ++ if (chain->flags & NFT_CHAIN_BINDING) ++ return -EINVAL; ++ + if (info->nlh->nlmsg_flags & NLM_F_EXCL) { + NL_SET_BAD_ATTR(extack, attr); + return -EEXIST; +-- +2.35.1 + diff --git a/queue-5.15/netfilter-nf_tables-do-not-leave-chain-stats-enabled.patch b/queue-5.15/netfilter-nf_tables-do-not-leave-chain-stats-enabled.patch new file mode 100644 index 00000000000..3d60b9591dd --- /dev/null +++ b/queue-5.15/netfilter-nf_tables-do-not-leave-chain-stats-enabled.patch @@ -0,0 +1,55 @@ +From 61551c2667b174b656a843391578aeb12409d0c6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 21 Aug 2022 12:41:33 +0200 +Subject: netfilter: nf_tables: do not leave chain stats enabled on error + +From: Pablo Neira Ayuso + +[ Upstream commit 43eb8949cfdffa764b92bc6c54b87cbe5b0003fe ] + +Error might occur later in the nf_tables_addchain() codepath, enable +static key only after transaction has been created. + +Fixes: 9f08ea848117 ("netfilter: nf_tables: keep chain counters away from hot path") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 96903c72ebb45..b4d38656d98fa 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -2101,9 +2101,9 @@ static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask, + struct netlink_ext_ack *extack) + { + const struct nlattr * const *nla = ctx->nla; ++ struct nft_stats __percpu *stats = NULL; + struct nft_table *table = ctx->table; + struct nft_base_chain *basechain; +- struct nft_stats __percpu *stats; + struct net *net = ctx->net; + char name[NFT_NAME_MAXLEN]; + struct nft_trans *trans; +@@ -2140,7 +2140,6 @@ static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask, + return PTR_ERR(stats); + } + rcu_assign_pointer(basechain->stats, stats); +- static_branch_inc(&nft_counters_enabled); + } + + err = nft_basechain_init(basechain, family, &hook, flags); +@@ -2223,6 +2222,9 @@ static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask, + goto err_unregister_hook; + } + ++ if (stats) ++ static_branch_inc(&nft_counters_enabled); ++ + table->use++; + + return 0; +-- +2.35.1 + diff --git a/queue-5.15/netfilter-nf_tables-make-table-handle-allocation-per.patch b/queue-5.15/netfilter-nf_tables-make-table-handle-allocation-per.patch new file mode 100644 index 00000000000..d153d861a21 --- /dev/null +++ b/queue-5.15/netfilter-nf_tables-make-table-handle-allocation-per.patch @@ -0,0 +1,66 @@ +From b834dfb02b3a3bf218cac9e652f081fb07f8f78f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 21 Aug 2022 10:52:48 +0200 +Subject: netfilter: nf_tables: make table handle allocation per-netns friendly + +From: Pablo Neira Ayuso + +[ Upstream commit ab482c6b66a4a8c0a8c0b0f577a785cf9ff1c2e2 ] + +mutex is per-netns, move table_netns to the pernet area. + +*read-write* to 0xffffffff883a01e8 of 8 bytes by task 6542 on cpu 0: + nf_tables_newtable+0x6dc/0xc00 net/netfilter/nf_tables_api.c:1221 + nfnetlink_rcv_batch net/netfilter/nfnetlink.c:513 [inline] + nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:634 [inline] + nfnetlink_rcv+0xa6a/0x13a0 net/netfilter/nfnetlink.c:652 + netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] + netlink_unicast+0x652/0x730 net/netlink/af_netlink.c:1345 + netlink_sendmsg+0x643/0x740 net/netlink/af_netlink.c:1921 + +Fixes: f102d66b335a ("netfilter: nf_tables: use dedicated mutex to guard transactions") +Reported-by: Abhishek Shah +Reviewed-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/net/netfilter/nf_tables.h | 1 + + net/netfilter/nf_tables_api.c | 3 +-- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h +index f56a1071c0052..af4d9f1049528 100644 +--- a/include/net/netfilter/nf_tables.h ++++ b/include/net/netfilter/nf_tables.h +@@ -1595,6 +1595,7 @@ struct nftables_pernet { + struct list_head module_list; + struct list_head notify_list; + struct mutex commit_mutex; ++ u64 table_handle; + unsigned int base_seq; + u8 validate_state; + }; +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 58f9513bd1419..96903c72ebb45 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -32,7 +32,6 @@ static LIST_HEAD(nf_tables_objects); + static LIST_HEAD(nf_tables_flowtables); + static LIST_HEAD(nf_tables_destroy_list); + static DEFINE_SPINLOCK(nf_tables_destroy_list_lock); +-static u64 table_handle; + + enum { + NFT_VALIDATE_SKIP = 0, +@@ -1156,7 +1155,7 @@ static int nf_tables_newtable(struct sk_buff *skb, const struct nfnl_info *info, + INIT_LIST_HEAD(&table->flowtables); + table->family = family; + table->flags = flags; +- table->handle = ++table_handle; ++ table->handle = ++nft_net->table_handle; + if (table->flags & NFT_TABLE_F_OWNER) + table->nlpid = NETLINK_CB(skb).portid; + +-- +2.35.1 + diff --git a/queue-5.15/netfilter-nf_tables-upfront-validation-of-data-via-n.patch b/queue-5.15/netfilter-nf_tables-upfront-validation-of-data-via-n.patch new file mode 100644 index 00000000000..6d62f383ff5 --- /dev/null +++ b/queue-5.15/netfilter-nf_tables-upfront-validation-of-data-via-n.patch @@ -0,0 +1,528 @@ +From 46e69fabae333341fe5b953d78d540f100309929 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Aug 2022 19:30:06 +0200 +Subject: netfilter: nf_tables: upfront validation of data via nft_data_init() + +From: Pablo Neira Ayuso + +[ Upstream commit 341b6941608762d8235f3fd1e45e4d7114ed8c2c ] + +Instead of parsing the data and then validate that type and length are +correct, pass a description of the expected data so it can be validated +upfront before parsing it to bail out earlier. + +This patch adds a new .size field to specify the maximum size of the +data area. The .len field is optional and it is used as an input/output +field, it provides the specific length of the expected data in the input +path. If then .len field is not specified, then obtained length from the +netlink attribute is stored. This is required by cmp, bitwise, range and +immediate, which provide no netlink attribute that describes the data +length. The immediate expression uses the destination register type to +infer the expected data type. + +Relying on opencoded validation of the expected data might lead to +subtle bugs as described in 7e6bc1f6cabc ("netfilter: nf_tables: +stricter validation of element data"). + +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/net/netfilter/nf_tables.h | 4 +- + net/netfilter/nf_tables_api.c | 78 ++++++++++++++++--------------- + net/netfilter/nft_bitwise.c | 66 +++++++++++++------------- + net/netfilter/nft_cmp.c | 44 ++++++++--------- + net/netfilter/nft_immediate.c | 22 +++++++-- + net/netfilter/nft_range.c | 27 +++++------ + 6 files changed, 126 insertions(+), 115 deletions(-) + +diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h +index af4d9f1049528..6a38bf8538f1e 100644 +--- a/include/net/netfilter/nf_tables.h ++++ b/include/net/netfilter/nf_tables.h +@@ -195,11 +195,11 @@ struct nft_ctx { + + struct nft_data_desc { + enum nft_data_types type; ++ unsigned int size; + unsigned int len; + }; + +-int nft_data_init(const struct nft_ctx *ctx, +- struct nft_data *data, unsigned int size, ++int nft_data_init(const struct nft_ctx *ctx, struct nft_data *data, + struct nft_data_desc *desc, const struct nlattr *nla); + void nft_data_hold(const struct nft_data *data, enum nft_data_types type); + void nft_data_release(const struct nft_data *data, enum nft_data_types type); +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index b4d38656d98fa..b19f4255b9018 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -5120,19 +5120,13 @@ static int nft_setelem_parse_flags(const struct nft_set *set, + static int nft_setelem_parse_key(struct nft_ctx *ctx, struct nft_set *set, + struct nft_data *key, struct nlattr *attr) + { +- struct nft_data_desc desc; +- int err; +- +- err = nft_data_init(ctx, key, NFT_DATA_VALUE_MAXLEN, &desc, attr); +- if (err < 0) +- return err; +- +- if (desc.type != NFT_DATA_VALUE || desc.len != set->klen) { +- nft_data_release(key, desc.type); +- return -EINVAL; +- } ++ struct nft_data_desc desc = { ++ .type = NFT_DATA_VALUE, ++ .size = NFT_DATA_VALUE_MAXLEN, ++ .len = set->klen, ++ }; + +- return 0; ++ return nft_data_init(ctx, key, &desc, attr); + } + + static int nft_setelem_parse_data(struct nft_ctx *ctx, struct nft_set *set, +@@ -5141,24 +5135,17 @@ static int nft_setelem_parse_data(struct nft_ctx *ctx, struct nft_set *set, + struct nlattr *attr) + { + u32 dtype; +- int err; +- +- err = nft_data_init(ctx, data, NFT_DATA_VALUE_MAXLEN, desc, attr); +- if (err < 0) +- return err; + + if (set->dtype == NFT_DATA_VERDICT) + dtype = NFT_DATA_VERDICT; + else + dtype = NFT_DATA_VALUE; + +- if (dtype != desc->type || +- set->dlen != desc->len) { +- nft_data_release(data, desc->type); +- return -EINVAL; +- } ++ desc->type = dtype; ++ desc->size = NFT_DATA_VALUE_MAXLEN; ++ desc->len = set->dlen; + +- return 0; ++ return nft_data_init(ctx, data, desc, attr); + } + + static void *nft_setelem_catchall_get(const struct net *net, +@@ -9524,7 +9511,7 @@ static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data, + } + + desc->len = sizeof(data->verdict); +- desc->type = NFT_DATA_VERDICT; ++ + return 0; + } + +@@ -9577,20 +9564,25 @@ int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v) + } + + static int nft_value_init(const struct nft_ctx *ctx, +- struct nft_data *data, unsigned int size, +- struct nft_data_desc *desc, const struct nlattr *nla) ++ struct nft_data *data, struct nft_data_desc *desc, ++ const struct nlattr *nla) + { + unsigned int len; + + len = nla_len(nla); + if (len == 0) + return -EINVAL; +- if (len > size) ++ if (len > desc->size) + return -EOVERFLOW; ++ if (desc->len) { ++ if (len != desc->len) ++ return -EINVAL; ++ } else { ++ desc->len = len; ++ } + + nla_memcpy(data->data, nla, len); +- desc->type = NFT_DATA_VALUE; +- desc->len = len; ++ + return 0; + } + +@@ -9610,7 +9602,6 @@ static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = { + * + * @ctx: context of the expression using the data + * @data: destination struct nft_data +- * @size: maximum data length + * @desc: data description + * @nla: netlink attribute containing data + * +@@ -9620,24 +9611,35 @@ static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = { + * The caller can indicate that it only wants to accept data of type + * NFT_DATA_VALUE by passing NULL for the ctx argument. + */ +-int nft_data_init(const struct nft_ctx *ctx, +- struct nft_data *data, unsigned int size, ++int nft_data_init(const struct nft_ctx *ctx, struct nft_data *data, + struct nft_data_desc *desc, const struct nlattr *nla) + { + struct nlattr *tb[NFTA_DATA_MAX + 1]; + int err; + ++ if (WARN_ON_ONCE(!desc->size)) ++ return -EINVAL; ++ + err = nla_parse_nested_deprecated(tb, NFTA_DATA_MAX, nla, + nft_data_policy, NULL); + if (err < 0) + return err; + +- if (tb[NFTA_DATA_VALUE]) +- return nft_value_init(ctx, data, size, desc, +- tb[NFTA_DATA_VALUE]); +- if (tb[NFTA_DATA_VERDICT] && ctx != NULL) +- return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]); +- return -EINVAL; ++ if (tb[NFTA_DATA_VALUE]) { ++ if (desc->type != NFT_DATA_VALUE) ++ return -EINVAL; ++ ++ err = nft_value_init(ctx, data, desc, tb[NFTA_DATA_VALUE]); ++ } else if (tb[NFTA_DATA_VERDICT] && ctx != NULL) { ++ if (desc->type != NFT_DATA_VERDICT) ++ return -EINVAL; ++ ++ err = nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]); ++ } else { ++ err = -EINVAL; ++ } ++ ++ return err; + } + EXPORT_SYMBOL_GPL(nft_data_init); + +diff --git a/net/netfilter/nft_bitwise.c b/net/netfilter/nft_bitwise.c +index d0c648b64cd40..d6ab7aa14adc2 100644 +--- a/net/netfilter/nft_bitwise.c ++++ b/net/netfilter/nft_bitwise.c +@@ -93,7 +93,16 @@ static const struct nla_policy nft_bitwise_policy[NFTA_BITWISE_MAX + 1] = { + static int nft_bitwise_init_bool(struct nft_bitwise *priv, + const struct nlattr *const tb[]) + { +- struct nft_data_desc mask, xor; ++ struct nft_data_desc mask = { ++ .type = NFT_DATA_VALUE, ++ .size = sizeof(priv->mask), ++ .len = priv->len, ++ }; ++ struct nft_data_desc xor = { ++ .type = NFT_DATA_VALUE, ++ .size = sizeof(priv->xor), ++ .len = priv->len, ++ }; + int err; + + if (tb[NFTA_BITWISE_DATA]) +@@ -103,37 +112,30 @@ static int nft_bitwise_init_bool(struct nft_bitwise *priv, + !tb[NFTA_BITWISE_XOR]) + return -EINVAL; + +- err = nft_data_init(NULL, &priv->mask, sizeof(priv->mask), &mask, +- tb[NFTA_BITWISE_MASK]); ++ err = nft_data_init(NULL, &priv->mask, &mask, tb[NFTA_BITWISE_MASK]); + if (err < 0) + return err; +- if (mask.type != NFT_DATA_VALUE || mask.len != priv->len) { +- err = -EINVAL; +- goto err_mask_release; +- } + +- err = nft_data_init(NULL, &priv->xor, sizeof(priv->xor), &xor, +- tb[NFTA_BITWISE_XOR]); ++ err = nft_data_init(NULL, &priv->xor, &xor, tb[NFTA_BITWISE_XOR]); + if (err < 0) +- goto err_mask_release; +- if (xor.type != NFT_DATA_VALUE || xor.len != priv->len) { +- err = -EINVAL; +- goto err_xor_release; +- } ++ goto err_xor_err; + + return 0; + +-err_xor_release: +- nft_data_release(&priv->xor, xor.type); +-err_mask_release: ++err_xor_err: + nft_data_release(&priv->mask, mask.type); ++ + return err; + } + + static int nft_bitwise_init_shift(struct nft_bitwise *priv, + const struct nlattr *const tb[]) + { +- struct nft_data_desc d; ++ struct nft_data_desc desc = { ++ .type = NFT_DATA_VALUE, ++ .size = sizeof(priv->data), ++ .len = sizeof(u32), ++ }; + int err; + + if (tb[NFTA_BITWISE_MASK] || +@@ -143,13 +145,12 @@ static int nft_bitwise_init_shift(struct nft_bitwise *priv, + if (!tb[NFTA_BITWISE_DATA]) + return -EINVAL; + +- err = nft_data_init(NULL, &priv->data, sizeof(priv->data), &d, +- tb[NFTA_BITWISE_DATA]); ++ err = nft_data_init(NULL, &priv->data, &desc, tb[NFTA_BITWISE_DATA]); + if (err < 0) + return err; +- if (d.type != NFT_DATA_VALUE || d.len != sizeof(u32) || +- priv->data.data[0] >= BITS_PER_TYPE(u32)) { +- nft_data_release(&priv->data, d.type); ++ ++ if (priv->data.data[0] >= BITS_PER_TYPE(u32)) { ++ nft_data_release(&priv->data, desc.type); + return -EINVAL; + } + +@@ -291,22 +292,21 @@ static const struct nft_expr_ops nft_bitwise_ops = { + static int + nft_bitwise_extract_u32_data(const struct nlattr * const tb, u32 *out) + { +- struct nft_data_desc desc; + struct nft_data data; +- int err = 0; ++ struct nft_data_desc desc = { ++ .type = NFT_DATA_VALUE, ++ .size = sizeof(data), ++ .len = sizeof(u32), ++ }; ++ int err; + +- err = nft_data_init(NULL, &data, sizeof(data), &desc, tb); ++ err = nft_data_init(NULL, &data, &desc, tb); + if (err < 0) + return err; + +- if (desc.type != NFT_DATA_VALUE || desc.len != sizeof(u32)) { +- err = -EINVAL; +- goto err; +- } + *out = data.data[0]; +-err: +- nft_data_release(&data, desc.type); +- return err; ++ ++ return 0; + } + + static int nft_bitwise_fast_init(const struct nft_ctx *ctx, +diff --git a/net/netfilter/nft_cmp.c b/net/netfilter/nft_cmp.c +index 917072af09df9..461763a571f20 100644 +--- a/net/netfilter/nft_cmp.c ++++ b/net/netfilter/nft_cmp.c +@@ -73,20 +73,16 @@ static int nft_cmp_init(const struct nft_ctx *ctx, const struct nft_expr *expr, + const struct nlattr * const tb[]) + { + struct nft_cmp_expr *priv = nft_expr_priv(expr); +- struct nft_data_desc desc; ++ struct nft_data_desc desc = { ++ .type = NFT_DATA_VALUE, ++ .size = sizeof(priv->data), ++ }; + int err; + +- err = nft_data_init(NULL, &priv->data, sizeof(priv->data), &desc, +- tb[NFTA_CMP_DATA]); ++ err = nft_data_init(NULL, &priv->data, &desc, tb[NFTA_CMP_DATA]); + if (err < 0) + return err; + +- if (desc.type != NFT_DATA_VALUE) { +- err = -EINVAL; +- nft_data_release(&priv->data, desc.type); +- return err; +- } +- + err = nft_parse_register_load(tb[NFTA_CMP_SREG], &priv->sreg, desc.len); + if (err < 0) + return err; +@@ -201,12 +197,14 @@ static int nft_cmp_fast_init(const struct nft_ctx *ctx, + const struct nlattr * const tb[]) + { + struct nft_cmp_fast_expr *priv = nft_expr_priv(expr); +- struct nft_data_desc desc; + struct nft_data data; ++ struct nft_data_desc desc = { ++ .type = NFT_DATA_VALUE, ++ .size = sizeof(data), ++ }; + int err; + +- err = nft_data_init(NULL, &data, sizeof(data), &desc, +- tb[NFTA_CMP_DATA]); ++ err = nft_data_init(NULL, &data, &desc, tb[NFTA_CMP_DATA]); + if (err < 0) + return err; + +@@ -299,11 +297,13 @@ static int nft_cmp16_fast_init(const struct nft_ctx *ctx, + const struct nlattr * const tb[]) + { + struct nft_cmp16_fast_expr *priv = nft_expr_priv(expr); +- struct nft_data_desc desc; ++ struct nft_data_desc desc = { ++ .type = NFT_DATA_VALUE, ++ .size = sizeof(priv->data), ++ }; + int err; + +- err = nft_data_init(NULL, &priv->data, sizeof(priv->data), &desc, +- tb[NFTA_CMP_DATA]); ++ err = nft_data_init(NULL, &priv->data, &desc, tb[NFTA_CMP_DATA]); + if (err < 0) + return err; + +@@ -365,8 +365,11 @@ const struct nft_expr_ops nft_cmp16_fast_ops = { + static const struct nft_expr_ops * + nft_cmp_select_ops(const struct nft_ctx *ctx, const struct nlattr * const tb[]) + { +- struct nft_data_desc desc; + struct nft_data data; ++ struct nft_data_desc desc = { ++ .type = NFT_DATA_VALUE, ++ .size = sizeof(data), ++ }; + enum nft_cmp_ops op; + u8 sreg; + int err; +@@ -389,14 +392,10 @@ nft_cmp_select_ops(const struct nft_ctx *ctx, const struct nlattr * const tb[]) + return ERR_PTR(-EINVAL); + } + +- err = nft_data_init(NULL, &data, sizeof(data), &desc, +- tb[NFTA_CMP_DATA]); ++ err = nft_data_init(NULL, &data, &desc, tb[NFTA_CMP_DATA]); + if (err < 0) + return ERR_PTR(err); + +- if (desc.type != NFT_DATA_VALUE) +- goto err1; +- + sreg = ntohl(nla_get_be32(tb[NFTA_CMP_SREG])); + + if (op == NFT_CMP_EQ || op == NFT_CMP_NEQ) { +@@ -408,9 +407,6 @@ nft_cmp_select_ops(const struct nft_ctx *ctx, const struct nlattr * const tb[]) + return &nft_cmp16_fast_ops; + } + return &nft_cmp_ops; +-err1: +- nft_data_release(&data, desc.type); +- return ERR_PTR(-EINVAL); + } + + struct nft_expr_type nft_cmp_type __read_mostly = { +diff --git a/net/netfilter/nft_immediate.c b/net/netfilter/nft_immediate.c +index d0f67d325bdfd..fcdbc5ed3f367 100644 +--- a/net/netfilter/nft_immediate.c ++++ b/net/netfilter/nft_immediate.c +@@ -29,20 +29,36 @@ static const struct nla_policy nft_immediate_policy[NFTA_IMMEDIATE_MAX + 1] = { + [NFTA_IMMEDIATE_DATA] = { .type = NLA_NESTED }, + }; + ++static enum nft_data_types nft_reg_to_type(const struct nlattr *nla) ++{ ++ enum nft_data_types type; ++ u8 reg; ++ ++ reg = ntohl(nla_get_be32(nla)); ++ if (reg == NFT_REG_VERDICT) ++ type = NFT_DATA_VERDICT; ++ else ++ type = NFT_DATA_VALUE; ++ ++ return type; ++} ++ + static int nft_immediate_init(const struct nft_ctx *ctx, + const struct nft_expr *expr, + const struct nlattr * const tb[]) + { + struct nft_immediate_expr *priv = nft_expr_priv(expr); +- struct nft_data_desc desc; ++ struct nft_data_desc desc = { ++ .size = sizeof(priv->data), ++ }; + int err; + + if (tb[NFTA_IMMEDIATE_DREG] == NULL || + tb[NFTA_IMMEDIATE_DATA] == NULL) + return -EINVAL; + +- err = nft_data_init(ctx, &priv->data, sizeof(priv->data), &desc, +- tb[NFTA_IMMEDIATE_DATA]); ++ desc.type = nft_reg_to_type(tb[NFTA_IMMEDIATE_DREG]); ++ err = nft_data_init(ctx, &priv->data, &desc, tb[NFTA_IMMEDIATE_DATA]); + if (err < 0) + return err; + +diff --git a/net/netfilter/nft_range.c b/net/netfilter/nft_range.c +index e4a1c44d7f513..e6bbe32c323df 100644 +--- a/net/netfilter/nft_range.c ++++ b/net/netfilter/nft_range.c +@@ -51,7 +51,14 @@ static int nft_range_init(const struct nft_ctx *ctx, const struct nft_expr *expr + const struct nlattr * const tb[]) + { + struct nft_range_expr *priv = nft_expr_priv(expr); +- struct nft_data_desc desc_from, desc_to; ++ struct nft_data_desc desc_from = { ++ .type = NFT_DATA_VALUE, ++ .size = sizeof(priv->data_from), ++ }; ++ struct nft_data_desc desc_to = { ++ .type = NFT_DATA_VALUE, ++ .size = sizeof(priv->data_to), ++ }; + int err; + u32 op; + +@@ -61,26 +68,16 @@ static int nft_range_init(const struct nft_ctx *ctx, const struct nft_expr *expr + !tb[NFTA_RANGE_TO_DATA]) + return -EINVAL; + +- err = nft_data_init(NULL, &priv->data_from, sizeof(priv->data_from), +- &desc_from, tb[NFTA_RANGE_FROM_DATA]); ++ err = nft_data_init(NULL, &priv->data_from, &desc_from, ++ tb[NFTA_RANGE_FROM_DATA]); + if (err < 0) + return err; + +- if (desc_from.type != NFT_DATA_VALUE) { +- err = -EINVAL; +- goto err1; +- } +- +- err = nft_data_init(NULL, &priv->data_to, sizeof(priv->data_to), +- &desc_to, tb[NFTA_RANGE_TO_DATA]); ++ err = nft_data_init(NULL, &priv->data_to, &desc_to, ++ tb[NFTA_RANGE_TO_DATA]); + if (err < 0) + goto err1; + +- if (desc_to.type != NFT_DATA_VALUE) { +- err = -EINVAL; +- goto err2; +- } +- + if (desc_from.len != desc_to.len) { + err = -EINVAL; + goto err2; +-- +2.35.1 + diff --git a/queue-5.15/netfilter-nft_cmp-optimize-comparison-for-16-bytes.patch b/queue-5.15/netfilter-nft_cmp-optimize-comparison-for-16-bytes.patch new file mode 100644 index 00000000000..0350bf0965d --- /dev/null +++ b/queue-5.15/netfilter-nft_cmp-optimize-comparison-for-16-bytes.patch @@ -0,0 +1,213 @@ +From 1efc3b2ac7c2d97c8912938f422553914353c771 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Feb 2022 19:25:08 +0100 +Subject: netfilter: nft_cmp: optimize comparison for 16-bytes + +From: Pablo Neira Ayuso + +[ Upstream commit 23f68d462984bfda47c7bf663dca347e8e3df549 ] + +Allow up to 16-byte comparisons with a new cmp fast version. Use two +64-bit words and calculate the mask representing the bits to be +compared. Make sure the comparison is 64-bit aligned and avoid +out-of-bound memory access on registers. + +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/net/netfilter/nf_tables_core.h | 9 +++ + net/netfilter/nf_tables_core.c | 16 ++++ + net/netfilter/nft_cmp.c | 102 ++++++++++++++++++++++++- + 3 files changed, 125 insertions(+), 2 deletions(-) + +diff --git a/include/net/netfilter/nf_tables_core.h b/include/net/netfilter/nf_tables_core.h +index 0fa5a6d98a00b..9dfa11d4224d2 100644 +--- a/include/net/netfilter/nf_tables_core.h ++++ b/include/net/netfilter/nf_tables_core.h +@@ -40,6 +40,14 @@ struct nft_cmp_fast_expr { + bool inv; + }; + ++struct nft_cmp16_fast_expr { ++ struct nft_data data; ++ struct nft_data mask; ++ u8 sreg; ++ u8 len; ++ bool inv; ++}; ++ + struct nft_immediate_expr { + struct nft_data data; + u8 dreg; +@@ -57,6 +65,7 @@ static inline u32 nft_cmp_fast_mask(unsigned int len) + } + + extern const struct nft_expr_ops nft_cmp_fast_ops; ++extern const struct nft_expr_ops nft_cmp16_fast_ops; + + struct nft_payload { + enum nft_payload_bases base:8; +diff --git a/net/netfilter/nf_tables_core.c b/net/netfilter/nf_tables_core.c +index 7defe5a92e47f..2ab4216d2a903 100644 +--- a/net/netfilter/nf_tables_core.c ++++ b/net/netfilter/nf_tables_core.c +@@ -67,6 +67,20 @@ static void nft_cmp_fast_eval(const struct nft_expr *expr, + regs->verdict.code = NFT_BREAK; + } + ++static void nft_cmp16_fast_eval(const struct nft_expr *expr, ++ struct nft_regs *regs) ++{ ++ const struct nft_cmp16_fast_expr *priv = nft_expr_priv(expr); ++ const u64 *reg_data = (const u64 *)®s->data[priv->sreg]; ++ const u64 *mask = (const u64 *)&priv->mask; ++ const u64 *data = (const u64 *)&priv->data; ++ ++ if (((reg_data[0] & mask[0]) == data[0] && ++ ((reg_data[1] & mask[1]) == data[1])) ^ priv->inv) ++ return; ++ regs->verdict.code = NFT_BREAK; ++} ++ + static noinline void __nft_trace_verdict(struct nft_traceinfo *info, + const struct nft_chain *chain, + const struct nft_regs *regs) +@@ -215,6 +229,8 @@ nft_do_chain(struct nft_pktinfo *pkt, void *priv) + nft_rule_for_each_expr(expr, last, rule) { + if (expr->ops == &nft_cmp_fast_ops) + nft_cmp_fast_eval(expr, ®s); ++ else if (expr->ops == &nft_cmp16_fast_ops) ++ nft_cmp16_fast_eval(expr, ®s); + else if (expr->ops == &nft_bitwise_fast_ops) + nft_bitwise_fast_eval(expr, ®s); + else if (expr->ops != &nft_payload_fast_ops || +diff --git a/net/netfilter/nft_cmp.c b/net/netfilter/nft_cmp.c +index 47b6d05f1ae69..917072af09df9 100644 +--- a/net/netfilter/nft_cmp.c ++++ b/net/netfilter/nft_cmp.c +@@ -272,12 +272,103 @@ const struct nft_expr_ops nft_cmp_fast_ops = { + .offload = nft_cmp_fast_offload, + }; + ++static u32 nft_cmp_mask(u32 bitlen) ++{ ++ return (__force u32)cpu_to_le32(~0U >> (sizeof(u32) * BITS_PER_BYTE - bitlen)); ++} ++ ++static void nft_cmp16_fast_mask(struct nft_data *data, unsigned int bitlen) ++{ ++ int len = bitlen / BITS_PER_BYTE; ++ int i, words = len / sizeof(u32); ++ ++ for (i = 0; i < words; i++) { ++ data->data[i] = 0xffffffff; ++ bitlen -= sizeof(u32) * BITS_PER_BYTE; ++ } ++ ++ if (len % sizeof(u32)) ++ data->data[i++] = nft_cmp_mask(bitlen); ++ ++ for (; i < 4; i++) ++ data->data[i] = 0; ++} ++ ++static int nft_cmp16_fast_init(const struct nft_ctx *ctx, ++ const struct nft_expr *expr, ++ const struct nlattr * const tb[]) ++{ ++ struct nft_cmp16_fast_expr *priv = nft_expr_priv(expr); ++ struct nft_data_desc desc; ++ int err; ++ ++ err = nft_data_init(NULL, &priv->data, sizeof(priv->data), &desc, ++ tb[NFTA_CMP_DATA]); ++ if (err < 0) ++ return err; ++ ++ err = nft_parse_register_load(tb[NFTA_CMP_SREG], &priv->sreg, desc.len); ++ if (err < 0) ++ return err; ++ ++ nft_cmp16_fast_mask(&priv->mask, desc.len * BITS_PER_BYTE); ++ priv->inv = ntohl(nla_get_be32(tb[NFTA_CMP_OP])) != NFT_CMP_EQ; ++ priv->len = desc.len; ++ ++ return 0; ++} ++ ++static int nft_cmp16_fast_offload(struct nft_offload_ctx *ctx, ++ struct nft_flow_rule *flow, ++ const struct nft_expr *expr) ++{ ++ const struct nft_cmp16_fast_expr *priv = nft_expr_priv(expr); ++ struct nft_cmp_expr cmp = { ++ .data = priv->data, ++ .sreg = priv->sreg, ++ .len = priv->len, ++ .op = priv->inv ? NFT_CMP_NEQ : NFT_CMP_EQ, ++ }; ++ ++ return __nft_cmp_offload(ctx, flow, &cmp); ++} ++ ++static int nft_cmp16_fast_dump(struct sk_buff *skb, const struct nft_expr *expr) ++{ ++ const struct nft_cmp16_fast_expr *priv = nft_expr_priv(expr); ++ enum nft_cmp_ops op = priv->inv ? NFT_CMP_NEQ : NFT_CMP_EQ; ++ ++ if (nft_dump_register(skb, NFTA_CMP_SREG, priv->sreg)) ++ goto nla_put_failure; ++ if (nla_put_be32(skb, NFTA_CMP_OP, htonl(op))) ++ goto nla_put_failure; ++ ++ if (nft_data_dump(skb, NFTA_CMP_DATA, &priv->data, ++ NFT_DATA_VALUE, priv->len) < 0) ++ goto nla_put_failure; ++ return 0; ++ ++nla_put_failure: ++ return -1; ++} ++ ++ ++const struct nft_expr_ops nft_cmp16_fast_ops = { ++ .type = &nft_cmp_type, ++ .size = NFT_EXPR_SIZE(sizeof(struct nft_cmp16_fast_expr)), ++ .eval = NULL, /* inlined */ ++ .init = nft_cmp16_fast_init, ++ .dump = nft_cmp16_fast_dump, ++ .offload = nft_cmp16_fast_offload, ++}; ++ + static const struct nft_expr_ops * + nft_cmp_select_ops(const struct nft_ctx *ctx, const struct nlattr * const tb[]) + { + struct nft_data_desc desc; + struct nft_data data; + enum nft_cmp_ops op; ++ u8 sreg; + int err; + + if (tb[NFTA_CMP_SREG] == NULL || +@@ -306,9 +397,16 @@ nft_cmp_select_ops(const struct nft_ctx *ctx, const struct nlattr * const tb[]) + if (desc.type != NFT_DATA_VALUE) + goto err1; + +- if (desc.len <= sizeof(u32) && (op == NFT_CMP_EQ || op == NFT_CMP_NEQ)) +- return &nft_cmp_fast_ops; ++ sreg = ntohl(nla_get_be32(tb[NFTA_CMP_SREG])); + ++ if (op == NFT_CMP_EQ || op == NFT_CMP_NEQ) { ++ if (desc.len <= sizeof(u32)) ++ return &nft_cmp_fast_ops; ++ else if (desc.len <= sizeof(data) && ++ ((sreg >= NFT_REG_1 && sreg <= NFT_REG_4) || ++ (sreg >= NFT_REG32_00 && sreg <= NFT_REG32_12 && sreg % 2 == 0))) ++ return &nft_cmp16_fast_ops; ++ } + return &nft_cmp_ops; + err1: + nft_data_release(&data, desc.type); +-- +2.35.1 + diff --git a/queue-5.15/netfilter-nft_osf-restrict-osf-to-ipv4-ipv6-and-inet.patch b/queue-5.15/netfilter-nft_osf-restrict-osf-to-ipv4-ipv6-and-inet.patch new file mode 100644 index 00000000000..6704badabfd --- /dev/null +++ b/queue-5.15/netfilter-nft_osf-restrict-osf-to-ipv4-ipv6-and-inet.patch @@ -0,0 +1,50 @@ +From c06eca3e43c5d7516b98127a172726d4a59c571c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 21 Aug 2022 16:25:07 +0200 +Subject: netfilter: nft_osf: restrict osf to ipv4, ipv6 and inet families + +From: Pablo Neira Ayuso + +[ Upstream commit 5f3b7aae14a706d0d7da9f9e39def52ff5fc3d39 ] + +As it was originally intended, restrict extension to supported families. + +Fixes: b96af92d6eaf ("netfilter: nf_tables: implement Passive OS fingerprint module in nft_osf") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_osf.c | 18 +++++++++++++++--- + 1 file changed, 15 insertions(+), 3 deletions(-) + +diff --git a/net/netfilter/nft_osf.c b/net/netfilter/nft_osf.c +index d82677e83400b..720dc9fba6d4f 100644 +--- a/net/netfilter/nft_osf.c ++++ b/net/netfilter/nft_osf.c +@@ -115,9 +115,21 @@ static int nft_osf_validate(const struct nft_ctx *ctx, + const struct nft_expr *expr, + const struct nft_data **data) + { +- return nft_chain_validate_hooks(ctx->chain, (1 << NF_INET_LOCAL_IN) | +- (1 << NF_INET_PRE_ROUTING) | +- (1 << NF_INET_FORWARD)); ++ unsigned int hooks; ++ ++ switch (ctx->family) { ++ case NFPROTO_IPV4: ++ case NFPROTO_IPV6: ++ case NFPROTO_INET: ++ hooks = (1 << NF_INET_LOCAL_IN) | ++ (1 << NF_INET_PRE_ROUTING) | ++ (1 << NF_INET_FORWARD); ++ break; ++ default: ++ return -EOPNOTSUPP; ++ } ++ ++ return nft_chain_validate_hooks(ctx->chain, hooks); + } + + static struct nft_expr_type nft_osf_type; +-- +2.35.1 + diff --git a/queue-5.15/netfilter-nft_payload-do-not-truncate-csum_offset-an.patch b/queue-5.15/netfilter-nft_payload-do-not-truncate-csum_offset-an.patch new file mode 100644 index 00000000000..5a4e687984e --- /dev/null +++ b/queue-5.15/netfilter-nft_payload-do-not-truncate-csum_offset-an.patch @@ -0,0 +1,72 @@ +From 6ae1b306e52657983a2b12fba831901d92b63f43 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 21 Aug 2022 11:55:19 +0200 +Subject: netfilter: nft_payload: do not truncate csum_offset and csum_type + +From: Pablo Neira Ayuso + +[ Upstream commit 7044ab281febae9e2fa9b0b247693d6026166293 ] + +Instead report ERANGE if csum_offset is too long, and EOPNOTSUPP if type +is not support. + +Fixes: 7ec3f7b47b8d ("netfilter: nft_payload: add packet mangling support") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_payload.c | 19 +++++++++++++------ + 1 file changed, 13 insertions(+), 6 deletions(-) + +diff --git a/net/netfilter/nft_payload.c b/net/netfilter/nft_payload.c +index da0ed3430bb9d..da652c21368e1 100644 +--- a/net/netfilter/nft_payload.c ++++ b/net/netfilter/nft_payload.c +@@ -712,17 +712,23 @@ static int nft_payload_set_init(const struct nft_ctx *ctx, + const struct nlattr * const tb[]) + { + struct nft_payload_set *priv = nft_expr_priv(expr); ++ u32 csum_offset, csum_type = NFT_PAYLOAD_CSUM_NONE; ++ int err; + + priv->base = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_BASE])); + priv->offset = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_OFFSET])); + priv->len = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_LEN])); + + if (tb[NFTA_PAYLOAD_CSUM_TYPE]) +- priv->csum_type = +- ntohl(nla_get_be32(tb[NFTA_PAYLOAD_CSUM_TYPE])); +- if (tb[NFTA_PAYLOAD_CSUM_OFFSET]) +- priv->csum_offset = +- ntohl(nla_get_be32(tb[NFTA_PAYLOAD_CSUM_OFFSET])); ++ csum_type = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_CSUM_TYPE])); ++ if (tb[NFTA_PAYLOAD_CSUM_OFFSET]) { ++ err = nft_parse_u32_check(tb[NFTA_PAYLOAD_CSUM_OFFSET], U8_MAX, ++ &csum_offset); ++ if (err < 0) ++ return err; ++ ++ priv->csum_offset = csum_offset; ++ } + if (tb[NFTA_PAYLOAD_CSUM_FLAGS]) { + u32 flags; + +@@ -733,7 +739,7 @@ static int nft_payload_set_init(const struct nft_ctx *ctx, + priv->csum_flags = flags; + } + +- switch (priv->csum_type) { ++ switch (csum_type) { + case NFT_PAYLOAD_CSUM_NONE: + case NFT_PAYLOAD_CSUM_INET: + break; +@@ -747,6 +753,7 @@ static int nft_payload_set_init(const struct nft_ctx *ctx, + default: + return -EOPNOTSUPP; + } ++ priv->csum_type = csum_type; + + return nft_parse_register_load(tb[NFTA_PAYLOAD_SREG], &priv->sreg, + priv->len); +-- +2.35.1 + diff --git a/queue-5.15/netfilter-nft_payload-report-erange-for-too-long-off.patch b/queue-5.15/netfilter-nft_payload-report-erange-for-too-long-off.patch new file mode 100644 index 00000000000..8891de18759 --- /dev/null +++ b/queue-5.15/netfilter-nft_payload-report-erange-for-too-long-off.patch @@ -0,0 +1,49 @@ +From 449c92834e16b2aa921646d767411ef49af10e97 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 21 Aug 2022 11:47:04 +0200 +Subject: netfilter: nft_payload: report ERANGE for too long offset and length + +From: Pablo Neira Ayuso + +[ Upstream commit 94254f990c07e9ddf1634e0b727fab821c3b5bf9 ] + +Instead of offset and length are truncation to u8, report ERANGE. + +Fixes: 96518518cc41 ("netfilter: add nftables") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_payload.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/net/netfilter/nft_payload.c b/net/netfilter/nft_payload.c +index b46e01365bd96..da0ed3430bb9d 100644 +--- a/net/netfilter/nft_payload.c ++++ b/net/netfilter/nft_payload.c +@@ -785,6 +785,7 @@ nft_payload_select_ops(const struct nft_ctx *ctx, + { + enum nft_payload_bases base; + unsigned int offset, len; ++ int err; + + if (tb[NFTA_PAYLOAD_BASE] == NULL || + tb[NFTA_PAYLOAD_OFFSET] == NULL || +@@ -811,8 +812,13 @@ nft_payload_select_ops(const struct nft_ctx *ctx, + if (tb[NFTA_PAYLOAD_DREG] == NULL) + return ERR_PTR(-EINVAL); + +- offset = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_OFFSET])); +- len = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_LEN])); ++ err = nft_parse_u32_check(tb[NFTA_PAYLOAD_OFFSET], U8_MAX, &offset); ++ if (err < 0) ++ return ERR_PTR(err); ++ ++ err = nft_parse_u32_check(tb[NFTA_PAYLOAD_LEN], U8_MAX, &len); ++ if (err < 0) ++ return ERR_PTR(err); + + if (len <= 4 && is_power_of_2(len) && IS_ALIGNED(offset, len) && + base != NFT_PAYLOAD_LL_HEADER && base != NFT_PAYLOAD_INNER_HEADER) +-- +2.35.1 + diff --git a/queue-5.15/netfilter-nft_tunnel-restrict-it-to-netdev-family.patch b/queue-5.15/netfilter-nft_tunnel-restrict-it-to-netdev-family.patch new file mode 100644 index 00000000000..8ad57d15683 --- /dev/null +++ b/queue-5.15/netfilter-nft_tunnel-restrict-it-to-netdev-family.patch @@ -0,0 +1,33 @@ +From fb8a55d9ee84bf6adf9e8bd51edb02609c0f1bd2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 21 Aug 2022 16:32:44 +0200 +Subject: netfilter: nft_tunnel: restrict it to netdev family + +From: Pablo Neira Ayuso + +[ Upstream commit 01e4092d53bc4fe122a6e4b6d664adbd57528ca3 ] + +Only allow to use this expression from NFPROTO_NETDEV family. + +Fixes: af308b94a2a4 ("netfilter: nf_tables: add tunnel support") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_tunnel.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c +index 3b27926d5382c..2ee50996da8cc 100644 +--- a/net/netfilter/nft_tunnel.c ++++ b/net/netfilter/nft_tunnel.c +@@ -133,6 +133,7 @@ static const struct nft_expr_ops nft_tunnel_get_ops = { + + static struct nft_expr_type nft_tunnel_type __read_mostly = { + .name = "tunnel", ++ .family = NFPROTO_NETDEV, + .ops = &nft_tunnel_get_ops, + .policy = nft_tunnel_policy, + .maxattr = NFTA_TUNNEL_MAX, +-- +2.35.1 + diff --git a/queue-5.15/nfc-pn533-fix-use-after-free-bugs-caused-by-pn532_cm.patch b/queue-5.15/nfc-pn533-fix-use-after-free-bugs-caused-by-pn532_cm.patch new file mode 100644 index 00000000000..7fbad260e9e --- /dev/null +++ b/queue-5.15/nfc-pn533-fix-use-after-free-bugs-caused-by-pn532_cm.patch @@ -0,0 +1,50 @@ +From 026159b03374fedf1fa7ee16d9b6016057a90e41 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Aug 2022 17:06:21 +0800 +Subject: nfc: pn533: Fix use-after-free bugs caused by pn532_cmd_timeout + +From: Duoming Zhou + +[ Upstream commit f1e941dbf80a9b8bab0bffbc4cbe41cc7f4c6fb6 ] + +When the pn532 uart device is detaching, the pn532_uart_remove() +is called. But there are no functions in pn532_uart_remove() that +could delete the cmd_timeout timer, which will cause use-after-free +bugs. The process is shown below: + + (thread 1) | (thread 2) + | pn532_uart_send_frame +pn532_uart_remove | mod_timer(&pn532->cmd_timeout,...) + ... | (wait a time) + kfree(pn532) //FREE | pn532_cmd_timeout + | pn532_uart_send_frame + | pn532->... //USE + +This patch adds del_timer_sync() in pn532_uart_remove() in order to +prevent the use-after-free bugs. What's more, the pn53x_unregister_nfc() +is well synchronized, it sets nfc_dev->shutting_down to true and there +are no syscalls could restart the cmd_timeout timer. + +Fixes: c656aa4c27b1 ("nfc: pn533: add UART phy driver") +Signed-off-by: Duoming Zhou +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/nfc/pn533/uart.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/nfc/pn533/uart.c b/drivers/nfc/pn533/uart.c +index 7bdaf82630706..7ad98973648cc 100644 +--- a/drivers/nfc/pn533/uart.c ++++ b/drivers/nfc/pn533/uart.c +@@ -310,6 +310,7 @@ static void pn532_uart_remove(struct serdev_device *serdev) + pn53x_unregister_nfc(pn532->priv); + serdev_device_close(serdev); + pn53x_common_clean(pn532->priv); ++ del_timer_sync(&pn532->cmd_timeout); + kfree_skb(pn532->recv_skb); + kfree(pn532); + } +-- +2.35.1 + diff --git a/queue-5.15/nfs-don-t-allocate-nfs_fattr-on-the-stack-in-__nfs42.patch b/queue-5.15/nfs-don-t-allocate-nfs_fattr-on-the-stack-in-__nfs42.patch new file mode 100644 index 00000000000..78983fca17c --- /dev/null +++ b/queue-5.15/nfs-don-t-allocate-nfs_fattr-on-the-stack-in-__nfs42.patch @@ -0,0 +1,64 @@ +From 45d4fdbae41223e8fa9e84989d462142b5b70889 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Nov 2021 14:23:30 -0400 +Subject: NFS: Don't allocate nfs_fattr on the stack in __nfs42_ssc_open() + +From: Trond Myklebust + +[ Upstream commit 156cd28562a4e8ca454d11b234d9f634a45d6390 ] + +The preferred behaviour is always to allocate struct nfs_fattr from the +slab. + +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs4file.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/fs/nfs/nfs4file.c b/fs/nfs/nfs4file.c +index 4120e1cb3feef..61ee03c8bcd2d 100644 +--- a/fs/nfs/nfs4file.c ++++ b/fs/nfs/nfs4file.c +@@ -319,7 +319,7 @@ static int read_name_gen = 1; + static struct file *__nfs42_ssc_open(struct vfsmount *ss_mnt, + struct nfs_fh *src_fh, nfs4_stateid *stateid) + { +- struct nfs_fattr fattr; ++ struct nfs_fattr *fattr = nfs_alloc_fattr(); + struct file *filep, *res; + struct nfs_server *server; + struct inode *r_ino = NULL; +@@ -330,9 +330,10 @@ static struct file *__nfs42_ssc_open(struct vfsmount *ss_mnt, + + server = NFS_SERVER(ss_mnt->mnt_root->d_inode); + +- nfs_fattr_init(&fattr); ++ if (!fattr) ++ return ERR_PTR(-ENOMEM); + +- status = nfs4_proc_getattr(server, src_fh, &fattr, NULL, NULL); ++ status = nfs4_proc_getattr(server, src_fh, fattr, NULL, NULL); + if (status < 0) { + res = ERR_PTR(status); + goto out; +@@ -345,7 +346,7 @@ static struct file *__nfs42_ssc_open(struct vfsmount *ss_mnt, + goto out; + snprintf(read_name, len, SSC_READ_NAME_BODY, read_name_gen++); + +- r_ino = nfs_fhget(ss_mnt->mnt_root->d_inode->i_sb, src_fh, &fattr, ++ r_ino = nfs_fhget(ss_mnt->mnt_root->d_inode->i_sb, src_fh, fattr, + NULL); + if (IS_ERR(r_ino)) { + res = ERR_CAST(r_ino); +@@ -390,6 +391,7 @@ static struct file *__nfs42_ssc_open(struct vfsmount *ss_mnt, + out_free_name: + kfree(read_name); + out: ++ nfs_free_fattr(fattr); + return res; + out_stateowner: + nfs4_put_state_owner(sp); +-- +2.35.1 + diff --git a/queue-5.15/nfsv4.2-fix-problems-with-__nfs42_ssc_open.patch b/queue-5.15/nfsv4.2-fix-problems-with-__nfs42_ssc_open.patch new file mode 100644 index 00000000000..2d45785c6c8 --- /dev/null +++ b/queue-5.15/nfsv4.2-fix-problems-with-__nfs42_ssc_open.patch @@ -0,0 +1,51 @@ +From 0780e4e360ab25b6574c2d5934821d7805b3f2e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Aug 2022 15:07:05 -0400 +Subject: NFSv4.2 fix problems with __nfs42_ssc_open + +From: Olga Kornievskaia + +[ Upstream commit fcfc8be1e9cf2f12b50dce8b579b3ae54443a014 ] + +A destination server while doing a COPY shouldn't accept using the +passed in filehandle if its not a regular filehandle. + +If alloc_file_pseudo() has failed, we need to decrement a reference +on the newly created inode, otherwise it leaks. + +Reported-by: Al Viro +Fixes: ec4b092508982 ("NFS: inter ssc open") +Signed-off-by: Olga Kornievskaia +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs4file.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/fs/nfs/nfs4file.c b/fs/nfs/nfs4file.c +index 61ee03c8bcd2d..14f2efdecc2f8 100644 +--- a/fs/nfs/nfs4file.c ++++ b/fs/nfs/nfs4file.c +@@ -339,6 +339,11 @@ static struct file *__nfs42_ssc_open(struct vfsmount *ss_mnt, + goto out; + } + ++ if (!S_ISREG(fattr->mode)) { ++ res = ERR_PTR(-EBADF); ++ goto out; ++ } ++ + res = ERR_PTR(-ENOMEM); + len = strlen(SSC_READ_NAME_BODY) + 16; + read_name = kzalloc(len, GFP_NOFS); +@@ -357,6 +362,7 @@ static struct file *__nfs42_ssc_open(struct vfsmount *ss_mnt, + r_ino->i_fop); + if (IS_ERR(filep)) { + res = ERR_CAST(filep); ++ iput(r_ino); + goto out_free_name; + } + filep->f_mode |= FMODE_READ; +-- +2.35.1 + diff --git a/queue-5.15/ntfs-fix-acl-handling.patch b/queue-5.15/ntfs-fix-acl-handling.patch new file mode 100644 index 00000000000..cd4ce76609b --- /dev/null +++ b/queue-5.15/ntfs-fix-acl-handling.patch @@ -0,0 +1,109 @@ +From 0aafb2bfb4529a2c1def1bf048238a803b3a335b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Jul 2022 14:32:52 +0200 +Subject: ntfs: fix acl handling + +From: Christian Brauner + +[ Upstream commit 0c3bc7899e6dfb52df1c46118a5a670ae619645f ] + +While looking at our current POSIX ACL handling in the context of some +overlayfs work I went through a range of other filesystems checking how they +handle them currently and encountered ntfs3. + +The posic_acl_{from,to}_xattr() helpers always need to operate on the +filesystem idmapping. Since ntfs3 can only be mounted in the initial user +namespace the relevant idmapping is init_user_ns. + +The posix_acl_{from,to}_xattr() helpers are concerned with translating between +the kernel internal struct posix_acl{_entry} and the uapi struct +posix_acl_xattr_{header,entry} and the kernel internal data structure is cached +filesystem wide. + +Additional idmappings such as the caller's idmapping or the mount's idmapping +are handled higher up in the VFS. Individual filesystems usually do not need to +concern themselves with these. + +The posix_acl_valid() helper is concerned with checking whether the values in +the kernel internal struct posix_acl can be represented in the filesystem's +idmapping. IOW, if they can be written to disk. So this helper too needs to +take the filesystem's idmapping. + +Fixes: be71b5cba2e6 ("fs/ntfs3: Add attrib operations") +Cc: Konstantin Komarov +Cc: ntfs3@lists.linux.dev +Signed-off-by: Christian Brauner (Microsoft) +Signed-off-by: Sasha Levin +--- + fs/ntfs3/xattr.c | 16 +++++++--------- + 1 file changed, 7 insertions(+), 9 deletions(-) + +diff --git a/fs/ntfs3/xattr.c b/fs/ntfs3/xattr.c +index 872eb56bb1706..e8bfa709270d1 100644 +--- a/fs/ntfs3/xattr.c ++++ b/fs/ntfs3/xattr.c +@@ -476,8 +476,7 @@ static noinline int ntfs_set_ea(struct inode *inode, const char *name, + } + + #ifdef CONFIG_NTFS3_FS_POSIX_ACL +-static struct posix_acl *ntfs_get_acl_ex(struct user_namespace *mnt_userns, +- struct inode *inode, int type, ++static struct posix_acl *ntfs_get_acl_ex(struct inode *inode, int type, + int locked) + { + struct ntfs_inode *ni = ntfs_i(inode); +@@ -512,7 +511,7 @@ static struct posix_acl *ntfs_get_acl_ex(struct user_namespace *mnt_userns, + + /* Translate extended attribute to acl. */ + if (err >= 0) { +- acl = posix_acl_from_xattr(mnt_userns, buf, err); ++ acl = posix_acl_from_xattr(&init_user_ns, buf, err); + } else if (err == -ENODATA) { + acl = NULL; + } else { +@@ -535,8 +534,7 @@ struct posix_acl *ntfs_get_acl(struct inode *inode, int type, bool rcu) + if (rcu) + return ERR_PTR(-ECHILD); + +- /* TODO: init_user_ns? */ +- return ntfs_get_acl_ex(&init_user_ns, inode, type, 0); ++ return ntfs_get_acl_ex(inode, type, 0); + } + + static noinline int ntfs_set_acl_ex(struct user_namespace *mnt_userns, +@@ -588,7 +586,7 @@ static noinline int ntfs_set_acl_ex(struct user_namespace *mnt_userns, + value = kmalloc(size, GFP_NOFS); + if (!value) + return -ENOMEM; +- err = posix_acl_to_xattr(mnt_userns, acl, value, size); ++ err = posix_acl_to_xattr(&init_user_ns, acl, value, size); + if (err < 0) + goto out; + flags = 0; +@@ -639,7 +637,7 @@ static int ntfs_xattr_get_acl(struct user_namespace *mnt_userns, + if (!acl) + return -ENODATA; + +- err = posix_acl_to_xattr(mnt_userns, acl, buffer, size); ++ err = posix_acl_to_xattr(&init_user_ns, acl, buffer, size); + posix_acl_release(acl); + + return err; +@@ -663,12 +661,12 @@ static int ntfs_xattr_set_acl(struct user_namespace *mnt_userns, + if (!value) { + acl = NULL; + } else { +- acl = posix_acl_from_xattr(mnt_userns, value, size); ++ acl = posix_acl_from_xattr(&init_user_ns, value, size); + if (IS_ERR(acl)) + return PTR_ERR(acl); + + if (acl) { +- err = posix_acl_valid(mnt_userns, acl); ++ err = posix_acl_valid(&init_user_ns, acl); + if (err) + goto release_and_out; + } +-- +2.35.1 + diff --git a/queue-5.15/r8152-fix-the-rx-fifo-settings-when-suspending.patch b/queue-5.15/r8152-fix-the-rx-fifo-settings-when-suspending.patch new file mode 100644 index 00000000000..11448ff115e --- /dev/null +++ b/queue-5.15/r8152-fix-the-rx-fifo-settings-when-suspending.patch @@ -0,0 +1,54 @@ +From 2d28e013c861c1da9a7ca0a753336c9c87b0d607 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Aug 2022 16:06:20 +0800 +Subject: r8152: fix the RX FIFO settings when suspending + +From: Hayes Wang + +[ Upstream commit b75d612014447e04abdf0e37ffb8f2fd8b0b49d6 ] + +The RX FIFO would be changed when suspending, so the related settings +have to be modified, too. Otherwise, the flow control would work +abnormally. + +BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=216333 +Reported-by: Mark Blakeney +Fixes: cdf0b86b250f ("r8152: fix a WOL issue") +Signed-off-by: Hayes Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/r8152.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c +index d18627a8539a4..7e821bed91ce5 100644 +--- a/drivers/net/usb/r8152.c ++++ b/drivers/net/usb/r8152.c +@@ -5904,6 +5904,11 @@ static void r8153_enter_oob(struct r8152 *tp) + ocp_data &= ~NOW_IS_OOB; + ocp_write_byte(tp, MCU_TYPE_PLA, PLA_OOB_CTRL, ocp_data); + ++ /* RX FIFO settings for OOB */ ++ ocp_write_dword(tp, MCU_TYPE_PLA, PLA_RXFIFO_CTRL0, RXFIFO_THR1_OOB); ++ ocp_write_word(tp, MCU_TYPE_PLA, PLA_RXFIFO_CTRL1, RXFIFO_THR2_OOB); ++ ocp_write_word(tp, MCU_TYPE_PLA, PLA_RXFIFO_CTRL2, RXFIFO_THR3_OOB); ++ + rtl_disable(tp); + rtl_reset_bmu(tp); + +@@ -6542,6 +6547,11 @@ static void rtl8156_down(struct r8152 *tp) + ocp_data &= ~NOW_IS_OOB; + ocp_write_byte(tp, MCU_TYPE_PLA, PLA_OOB_CTRL, ocp_data); + ++ /* RX FIFO settings for OOB */ ++ ocp_write_word(tp, MCU_TYPE_PLA, PLA_RXFIFO_FULL, 64 / 16); ++ ocp_write_word(tp, MCU_TYPE_PLA, PLA_RX_FIFO_FULL, 1024 / 16); ++ ocp_write_word(tp, MCU_TYPE_PLA, PLA_RX_FIFO_EMPTY, 4096 / 16); ++ + rtl_disable(tp); + rtl_reset_bmu(tp); + +-- +2.35.1 + diff --git a/queue-5.15/r8152-fix-the-units-of-some-registers-for-rtl8156a.patch b/queue-5.15/r8152-fix-the-units-of-some-registers-for-rtl8156a.patch new file mode 100644 index 00000000000..d96bb78914e --- /dev/null +++ b/queue-5.15/r8152-fix-the-units-of-some-registers-for-rtl8156a.patch @@ -0,0 +1,50 @@ +From 08ec97165b8d63137a96b69baf3cac58e5aa4372 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Aug 2022 16:06:19 +0800 +Subject: r8152: fix the units of some registers for RTL8156A + +From: Hayes Wang + +[ Upstream commit 6dc4df12d741c0fe8f885778a43039e0619b9cd9 ] + +The units of PLA_RX_FIFO_FULL and PLA_RX_FIFO_EMPTY are 16 bytes. + +Fixes: 195aae321c82 ("r8152: support new chips") +Signed-off-by: Hayes Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/r8152.c | 17 ++--------------- + 1 file changed, 2 insertions(+), 15 deletions(-) + +diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c +index 0d1d92ef79099..d18627a8539a4 100644 +--- a/drivers/net/usb/r8152.c ++++ b/drivers/net/usb/r8152.c +@@ -6429,21 +6429,8 @@ static void r8156_fc_parameter(struct r8152 *tp) + u32 pause_on = tp->fc_pause_on ? tp->fc_pause_on : fc_pause_on_auto(tp); + u32 pause_off = tp->fc_pause_off ? tp->fc_pause_off : fc_pause_off_auto(tp); + +- switch (tp->version) { +- case RTL_VER_10: +- case RTL_VER_11: +- ocp_write_word(tp, MCU_TYPE_PLA, PLA_RX_FIFO_FULL, pause_on / 8); +- ocp_write_word(tp, MCU_TYPE_PLA, PLA_RX_FIFO_EMPTY, pause_off / 8); +- break; +- case RTL_VER_12: +- case RTL_VER_13: +- case RTL_VER_15: +- ocp_write_word(tp, MCU_TYPE_PLA, PLA_RX_FIFO_FULL, pause_on / 16); +- ocp_write_word(tp, MCU_TYPE_PLA, PLA_RX_FIFO_EMPTY, pause_off / 16); +- break; +- default: +- break; +- } ++ ocp_write_word(tp, MCU_TYPE_PLA, PLA_RX_FIFO_FULL, pause_on / 16); ++ ocp_write_word(tp, MCU_TYPE_PLA, PLA_RX_FIFO_EMPTY, pause_off / 16); + } + + static void rtl8156_change_mtu(struct r8152 *tp) +-- +2.35.1 + diff --git a/queue-5.15/ratelimit-fix-data-races-in-___ratelimit.patch b/queue-5.15/ratelimit-fix-data-races-in-___ratelimit.patch new file mode 100644 index 00000000000..b53eb736b75 --- /dev/null +++ b/queue-5.15/ratelimit-fix-data-races-in-___ratelimit.patch @@ -0,0 +1,64 @@ +From 11b713037533e97a35e5a57e97134005ab4bad58 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Aug 2022 10:46:48 -0700 +Subject: ratelimit: Fix data-races in ___ratelimit(). + +From: Kuniyuki Iwashima + +[ Upstream commit 6bae8ceb90ba76cdba39496db936164fa672b9be ] + +While reading rs->interval and rs->burst, they can be changed +concurrently via sysctl (e.g. net_ratelimit_state). Thus, we +need to add READ_ONCE() to their readers. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + lib/ratelimit.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/lib/ratelimit.c b/lib/ratelimit.c +index e01a93f46f833..ce945c17980b9 100644 +--- a/lib/ratelimit.c ++++ b/lib/ratelimit.c +@@ -26,10 +26,16 @@ + */ + int ___ratelimit(struct ratelimit_state *rs, const char *func) + { ++ /* Paired with WRITE_ONCE() in .proc_handler(). ++ * Changing two values seperately could be inconsistent ++ * and some message could be lost. (See: net_ratelimit_state). ++ */ ++ int interval = READ_ONCE(rs->interval); ++ int burst = READ_ONCE(rs->burst); + unsigned long flags; + int ret; + +- if (!rs->interval) ++ if (!interval) + return 1; + + /* +@@ -44,7 +50,7 @@ int ___ratelimit(struct ratelimit_state *rs, const char *func) + if (!rs->begin) + rs->begin = jiffies; + +- if (time_is_before_jiffies(rs->begin + rs->interval)) { ++ if (time_is_before_jiffies(rs->begin + interval)) { + if (rs->missed) { + if (!(rs->flags & RATELIMIT_MSG_ON_RELEASE)) { + printk_deferred(KERN_WARNING +@@ -56,7 +62,7 @@ int ___ratelimit(struct ratelimit_state *rs, const char *func) + rs->begin = jiffies; + rs->printed = 0; + } +- if (rs->burst && rs->burst > rs->printed) { ++ if (burst && burst > rs->printed) { + rs->printed++; + ret = 1; + } else { +-- +2.35.1 + diff --git a/queue-5.15/revert-net-macsec-update-sci-upon-mac-address-change.patch b/queue-5.15/revert-net-macsec-update-sci-upon-mac-address-change.patch new file mode 100644 index 00000000000..0dae5eab52a --- /dev/null +++ b/queue-5.15/revert-net-macsec-update-sci-upon-mac-address-change.patch @@ -0,0 +1,78 @@ +From aa2ece72643bd1181f27a8285a7774022c53f8b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Aug 2022 14:54:36 +0200 +Subject: Revert "net: macsec: update SCI upon MAC address change." + +From: Sabrina Dubroca + +[ Upstream commit e82c649e851c9c25367fb7a2a6cf3479187de467 ] + +This reverts commit 6fc498bc82929ee23aa2f35a828c6178dfd3f823. + +Commit 6fc498bc8292 states: + + SCI should be updated, because it contains MAC in its first 6 + octets. + +That's not entirely correct. The SCI can be based on the MAC address, +but doesn't have to be. We can also use any 64-bit number as the +SCI. When the SCI based on the MAC address, it uses a 16-bit "port +number" provided by userspace, which commit 6fc498bc8292 overwrites +with 1. + +In addition, changing the SCI after macsec has been setup can just +confuse the receiver. If we configure the RXSC on the peer based on +the original SCI, we should keep the same SCI on TX. + +When the macsec device is being managed by a userspace key negotiation +daemon such as wpa_supplicant, commit 6fc498bc8292 would also +overwrite the SCI defined by userspace. + +Fixes: 6fc498bc8292 ("net: macsec: update SCI upon MAC address change.") +Signed-off-by: Sabrina Dubroca +Link: https://lore.kernel.org/r/9b1a9d28327e7eb54550a92eebda45d25e54dd0d.1660667033.git.sd@queasysnail.net +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/macsec.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c +index 0a860cbe03e76..71700f2792786 100644 +--- a/drivers/net/macsec.c ++++ b/drivers/net/macsec.c +@@ -447,11 +447,6 @@ static struct macsec_eth_header *macsec_ethhdr(struct sk_buff *skb) + return (struct macsec_eth_header *)skb_mac_header(skb); + } + +-static sci_t dev_to_sci(struct net_device *dev, __be16 port) +-{ +- return make_sci(dev->dev_addr, port); +-} +- + static void __macsec_pn_wrapped(struct macsec_secy *secy, + struct macsec_tx_sa *tx_sa) + { +@@ -3617,7 +3612,6 @@ static int macsec_set_mac_address(struct net_device *dev, void *p) + + out: + eth_hw_addr_set(dev, addr->sa_data); +- macsec->secy.sci = dev_to_sci(dev, MACSEC_PORT_ES); + + /* If h/w offloading is available, propagate to the device */ + if (macsec_is_offloaded(macsec)) { +@@ -3953,6 +3947,11 @@ static bool sci_exists(struct net_device *dev, sci_t sci) + return false; + } + ++static sci_t dev_to_sci(struct net_device *dev, __be16 port) ++{ ++ return make_sci(dev->dev_addr, port); ++} ++ + static int macsec_add_dev(struct net_device *dev, sci_t sci, u8 icv_len) + { + struct macsec_dev *macsec = macsec_priv(dev); +-- +2.35.1 + diff --git a/queue-5.15/riscv-lib-uaccess-fix-csr_status-sr_sum-bit.patch b/queue-5.15/riscv-lib-uaccess-fix-csr_status-sr_sum-bit.patch new file mode 100644 index 00000000000..ba9dcf752c4 --- /dev/null +++ b/queue-5.15/riscv-lib-uaccess-fix-csr_status-sr_sum-bit.patch @@ -0,0 +1,53 @@ +From 97b9f91c607da3d629b11b17cc919c85ebea865a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Jun 2022 09:47:14 +0800 +Subject: riscv: lib: uaccess: fix CSR_STATUS SR_SUM bit + +From: Chen Lifu + +[ Upstream commit c08b4848f596fd95543197463b5162bd7bab2442 ] + +Since commit 5d8544e2d007 ("RISC-V: Generic library routines and assembly") +and commit ebcbd75e3962 ("riscv: Fix the bug in memory access fixup code"), +if __clear_user and __copy_user return from an fixup branch, +CSR_STATUS SR_SUM bit will be set, it is a vulnerability, so that +S-mode memory accesses to pages that are accessible by U-mode will success. +Disable S-mode access to U-mode memory should clear SR_SUM bit. + +Fixes: 5d8544e2d007 ("RISC-V: Generic library routines and assembly") +Fixes: ebcbd75e3962 ("riscv: Fix the bug in memory access fixup code") +Signed-off-by: Chen Lifu +Reviewed-by: Ben Dooks +Link: https://lore.kernel.org/r/20220615014714.1650349-1-chenlifu@huawei.com +Cc: stable@vger.kernel.org +Signed-off-by: Palmer Dabbelt +Signed-off-by: Sasha Levin +--- + arch/riscv/lib/uaccess.S | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/riscv/lib/uaccess.S b/arch/riscv/lib/uaccess.S +index ac34f0026adcd..2c7c1c5026af3 100644 +--- a/arch/riscv/lib/uaccess.S ++++ b/arch/riscv/lib/uaccess.S +@@ -177,7 +177,7 @@ ENTRY(__asm_copy_from_user) + /* Exception fixup code */ + 10: + /* Disable access to user memory */ +- csrs CSR_STATUS, t6 ++ csrc CSR_STATUS, t6 + mv a0, t5 + ret + ENDPROC(__asm_copy_to_user) +@@ -229,7 +229,7 @@ ENTRY(__clear_user) + /* Exception fixup code */ + 11: + /* Disable access to user memory */ +- csrs CSR_STATUS, t6 ++ csrc CSR_STATUS, t6 + mv a0, a1 + ret + ENDPROC(__clear_user) +-- +2.35.1 + diff --git a/queue-5.15/riscv-lib-uaccess-fold-fixups-into-body.patch b/queue-5.15/riscv-lib-uaccess-fold-fixups-into-body.patch new file mode 100644 index 00000000000..3728cc1862c --- /dev/null +++ b/queue-5.15/riscv-lib-uaccess-fold-fixups-into-body.patch @@ -0,0 +1,70 @@ +From 150edc0ef3a113ef100bb0b4d3ffb7a5b759273d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Nov 2021 19:25:14 +0800 +Subject: riscv: lib: uaccess: fold fixups into body + +From: Jisheng Zhang + +[ Upstream commit 9d504f9aa5c1b76673018da9503e76b351a24b8c ] + +uaccess functions such __asm_copy_to_user(), __arch_copy_from_user() +and __clear_user() place their exception fixups in the `.fixup` section +without any clear association with themselves. If we backtrace the +fixup code, it will be symbolized as an offset from the nearest prior +symbol. + +Similar as arm64 does, we must move fixups into the body of the +functions themselves, after the usual fast-path returns. + +Signed-off-by: Jisheng Zhang +Signed-off-by: Palmer Dabbelt +Signed-off-by: Sasha Levin +--- + arch/riscv/lib/uaccess.S | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +diff --git a/arch/riscv/lib/uaccess.S b/arch/riscv/lib/uaccess.S +index 63bc691cff91b..ac34f0026adcd 100644 +--- a/arch/riscv/lib/uaccess.S ++++ b/arch/riscv/lib/uaccess.S +@@ -173,6 +173,13 @@ ENTRY(__asm_copy_from_user) + csrc CSR_STATUS, t6 + li a0, 0 + ret ++ ++ /* Exception fixup code */ ++10: ++ /* Disable access to user memory */ ++ csrs CSR_STATUS, t6 ++ mv a0, t5 ++ ret + ENDPROC(__asm_copy_to_user) + ENDPROC(__asm_copy_from_user) + EXPORT_SYMBOL(__asm_copy_to_user) +@@ -218,19 +225,12 @@ ENTRY(__clear_user) + addi a0, a0, 1 + bltu a0, a3, 5b + j 3b +-ENDPROC(__clear_user) +-EXPORT_SYMBOL(__clear_user) + +- .section .fixup,"ax" +- .balign 4 +- /* Fixup code for __copy_user(10) and __clear_user(11) */ +-10: +- /* Disable access to user memory */ +- csrs CSR_STATUS, t6 +- mv a0, t5 +- ret ++ /* Exception fixup code */ + 11: ++ /* Disable access to user memory */ + csrs CSR_STATUS, t6 + mv a0, a1 + ret +- .previous ++ENDPROC(__clear_user) ++EXPORT_SYMBOL(__clear_user) +-- +2.35.1 + diff --git a/queue-5.15/rose-check-null-rose_loopback_neigh-loopback.patch b/queue-5.15/rose-check-null-rose_loopback_neigh-loopback.patch new file mode 100644 index 00000000000..d8562b35c5e --- /dev/null +++ b/queue-5.15/rose-check-null-rose_loopback_neigh-loopback.patch @@ -0,0 +1,69 @@ +From 824e139333031c6c991817f8884ea2cbb1ba5cfb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Aug 2022 02:02:13 +0200 +Subject: rose: check NULL rose_loopback_neigh->loopback + +From: Bernard Pidoux + +[ Upstream commit 3c53cd65dece47dd1f9d3a809f32e59d1d87b2b8 ] + +Commit 3b3fd068c56e3fbea30090859216a368398e39bf added NULL check for +`rose_loopback_neigh->dev` in rose_loopback_timer() but omitted to +check rose_loopback_neigh->loopback. + +It thus prevents *all* rose connect. + +The reason is that a special rose_neigh loopback has a NULL device. + +/proc/net/rose_neigh illustrates it via rose_neigh_show() function : +[...] +seq_printf(seq, "%05d %-9s %-4s %3d %3d %3s %3s %3lu %3lu", + rose_neigh->number, + (rose_neigh->loopback) ? "RSLOOP-0" : ax2asc(buf, &rose_neigh->callsign), + rose_neigh->dev ? rose_neigh->dev->name : "???", + rose_neigh->count, + +/proc/net/rose_neigh displays special rose_loopback_neigh->loopback as +callsign RSLOOP-0: + +addr callsign dev count use mode restart t0 tf digipeaters +00001 RSLOOP-0 ??? 1 2 DCE yes 0 0 + +By checking rose_loopback_neigh->loopback, rose_rx_call_request() is called +even in case rose_loopback_neigh->dev is NULL. This repairs rose connections. + +Verification with rose client application FPAC: + +FPAC-Node v 4.1.3 (built Aug 5 2022) for LINUX (help = h) +F6BVP-4 (Commands = ?) : u +Users - AX.25 Level 2 sessions : +Port Callsign Callsign AX.25 state ROSE state NetRom status +axudp F6BVP-5 -> F6BVP-9 Connected Connected --------- + +Fixes: 3b3fd068c56e ("rose: Fix Null pointer dereference in rose_send_frame()") +Signed-off-by: Bernard Pidoux +Suggested-by: Francois Romieu +Cc: Thomas DL9SAU Osterried +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/rose/rose_loopback.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/rose/rose_loopback.c b/net/rose/rose_loopback.c +index 11c45c8c6c164..036d92c0ad794 100644 +--- a/net/rose/rose_loopback.c ++++ b/net/rose/rose_loopback.c +@@ -96,7 +96,8 @@ static void rose_loopback_timer(struct timer_list *unused) + } + + if (frametype == ROSE_CALL_REQUEST) { +- if (!rose_loopback_neigh->dev) { ++ if (!rose_loopback_neigh->dev && ++ !rose_loopback_neigh->loopback) { + kfree_skb(skb); + continue; + } +-- +2.35.1 + diff --git a/queue-5.15/rxrpc-fix-locking-in-rxrpc-s-sendmsg.patch b/queue-5.15/rxrpc-fix-locking-in-rxrpc-s-sendmsg.patch new file mode 100644 index 00000000000..ab4c649e888 --- /dev/null +++ b/queue-5.15/rxrpc-fix-locking-in-rxrpc-s-sendmsg.patch @@ -0,0 +1,287 @@ +From c5292ef4a5a248ddcc58c216de77a63d73f3f972 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Aug 2022 17:35:45 +0100 +Subject: rxrpc: Fix locking in rxrpc's sendmsg + +From: David Howells + +[ Upstream commit b0f571ecd7943423c25947439045f0d352ca3dbf ] + +Fix three bugs in the rxrpc's sendmsg implementation: + + (1) rxrpc_new_client_call() should release the socket lock when returning + an error from rxrpc_get_call_slot(). + + (2) rxrpc_wait_for_tx_window_intr() will return without the call mutex + held in the event that we're interrupted by a signal whilst waiting + for tx space on the socket or relocking the call mutex afterwards. + + Fix this by: (a) moving the unlock/lock of the call mutex up to + rxrpc_send_data() such that the lock is not held around all of + rxrpc_wait_for_tx_window*() and (b) indicating to higher callers + whether we're return with the lock dropped. Note that this means + recvmsg() will not block on this call whilst we're waiting. + + (3) After dropping and regaining the call mutex, rxrpc_send_data() needs + to go and recheck the state of the tx_pending buffer and the + tx_total_len check in case we raced with another sendmsg() on the same + call. + +Thinking on this some more, it might make sense to have different locks for +sendmsg() and recvmsg(). There's probably no need to make recvmsg() wait +for sendmsg(). It does mean that recvmsg() can return MSG_EOR indicating +that a call is dead before a sendmsg() to that call returns - but that can +currently happen anyway. + +Without fix (2), something like the following can be induced: + + WARNING: bad unlock balance detected! + 5.16.0-rc6-syzkaller #0 Not tainted + ------------------------------------- + syz-executor011/3597 is trying to release lock (&call->user_mutex) at: + [] rxrpc_do_sendmsg+0xc13/0x1350 net/rxrpc/sendmsg.c:748 + but there are no more locks to release! + + other info that might help us debug this: + no locks held by syz-executor011/3597. + ... + Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 + print_unlock_imbalance_bug include/trace/events/lock.h:58 [inline] + __lock_release kernel/locking/lockdep.c:5306 [inline] + lock_release.cold+0x49/0x4e kernel/locking/lockdep.c:5657 + __mutex_unlock_slowpath+0x99/0x5e0 kernel/locking/mutex.c:900 + rxrpc_do_sendmsg+0xc13/0x1350 net/rxrpc/sendmsg.c:748 + rxrpc_sendmsg+0x420/0x630 net/rxrpc/af_rxrpc.c:561 + sock_sendmsg_nosec net/socket.c:704 [inline] + sock_sendmsg+0xcf/0x120 net/socket.c:724 + ____sys_sendmsg+0x6e8/0x810 net/socket.c:2409 + ___sys_sendmsg+0xf3/0x170 net/socket.c:2463 + __sys_sendmsg+0xe5/0x1b0 net/socket.c:2492 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +[Thanks to Hawkins Jiawei and Khalid Masum for their attempts to fix this] + +Fixes: bc5e3a546d55 ("rxrpc: Use MSG_WAITALL to tell sendmsg() to temporarily ignore signals") +Reported-by: syzbot+7f0483225d0c94cb3441@syzkaller.appspotmail.com +Signed-off-by: David Howells +Reviewed-by: Marc Dionne +Tested-by: syzbot+7f0483225d0c94cb3441@syzkaller.appspotmail.com +cc: Hawkins Jiawei +cc: Khalid Masum +cc: Dan Carpenter +cc: linux-afs@lists.infradead.org +Link: https://lore.kernel.org/r/166135894583.600315.7170979436768124075.stgit@warthog.procyon.org.uk +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/rxrpc/call_object.c | 4 +- + net/rxrpc/sendmsg.c | 92 ++++++++++++++++++++++++----------------- + 2 files changed, 57 insertions(+), 39 deletions(-) + +diff --git a/net/rxrpc/call_object.c b/net/rxrpc/call_object.c +index 25c9a2cbf048c..d674d90e70313 100644 +--- a/net/rxrpc/call_object.c ++++ b/net/rxrpc/call_object.c +@@ -285,8 +285,10 @@ struct rxrpc_call *rxrpc_new_client_call(struct rxrpc_sock *rx, + _enter("%p,%lx", rx, p->user_call_ID); + + limiter = rxrpc_get_call_slot(p, gfp); +- if (!limiter) ++ if (!limiter) { ++ release_sock(&rx->sk); + return ERR_PTR(-ERESTARTSYS); ++ } + + call = rxrpc_alloc_client_call(rx, srx, gfp, debug_id); + if (IS_ERR(call)) { +diff --git a/net/rxrpc/sendmsg.c b/net/rxrpc/sendmsg.c +index 1d38e279e2efa..3c3a626459deb 100644 +--- a/net/rxrpc/sendmsg.c ++++ b/net/rxrpc/sendmsg.c +@@ -51,10 +51,7 @@ static int rxrpc_wait_for_tx_window_intr(struct rxrpc_sock *rx, + return sock_intr_errno(*timeo); + + trace_rxrpc_transmit(call, rxrpc_transmit_wait); +- mutex_unlock(&call->user_mutex); + *timeo = schedule_timeout(*timeo); +- if (mutex_lock_interruptible(&call->user_mutex) < 0) +- return sock_intr_errno(*timeo); + } + } + +@@ -290,37 +287,48 @@ static int rxrpc_queue_packet(struct rxrpc_sock *rx, struct rxrpc_call *call, + static int rxrpc_send_data(struct rxrpc_sock *rx, + struct rxrpc_call *call, + struct msghdr *msg, size_t len, +- rxrpc_notify_end_tx_t notify_end_tx) ++ rxrpc_notify_end_tx_t notify_end_tx, ++ bool *_dropped_lock) + { + struct rxrpc_skb_priv *sp; + struct sk_buff *skb; + struct sock *sk = &rx->sk; ++ enum rxrpc_call_state state; + long timeo; +- bool more; +- int ret, copied; ++ bool more = msg->msg_flags & MSG_MORE; ++ int ret, copied = 0; + + timeo = sock_sndtimeo(sk, msg->msg_flags & MSG_DONTWAIT); + + /* this should be in poll */ + sk_clear_bit(SOCKWQ_ASYNC_NOSPACE, sk); + ++reload: ++ ret = -EPIPE; + if (sk->sk_shutdown & SEND_SHUTDOWN) +- return -EPIPE; +- +- more = msg->msg_flags & MSG_MORE; +- ++ goto maybe_error; ++ state = READ_ONCE(call->state); ++ ret = -ESHUTDOWN; ++ if (state >= RXRPC_CALL_COMPLETE) ++ goto maybe_error; ++ ret = -EPROTO; ++ if (state != RXRPC_CALL_CLIENT_SEND_REQUEST && ++ state != RXRPC_CALL_SERVER_ACK_REQUEST && ++ state != RXRPC_CALL_SERVER_SEND_REPLY) ++ goto maybe_error; ++ ++ ret = -EMSGSIZE; + if (call->tx_total_len != -1) { +- if (len > call->tx_total_len) +- return -EMSGSIZE; +- if (!more && len != call->tx_total_len) +- return -EMSGSIZE; ++ if (len - copied > call->tx_total_len) ++ goto maybe_error; ++ if (!more && len - copied != call->tx_total_len) ++ goto maybe_error; + } + + skb = call->tx_pending; + call->tx_pending = NULL; + rxrpc_see_skb(skb, rxrpc_skb_seen); + +- copied = 0; + do { + /* Check to see if there's a ping ACK to reply to. */ + if (call->ackr_reason == RXRPC_ACK_PING_RESPONSE) +@@ -331,16 +339,8 @@ static int rxrpc_send_data(struct rxrpc_sock *rx, + + _debug("alloc"); + +- if (!rxrpc_check_tx_space(call, NULL)) { +- ret = -EAGAIN; +- if (msg->msg_flags & MSG_DONTWAIT) +- goto maybe_error; +- ret = rxrpc_wait_for_tx_window(rx, call, +- &timeo, +- msg->msg_flags & MSG_WAITALL); +- if (ret < 0) +- goto maybe_error; +- } ++ if (!rxrpc_check_tx_space(call, NULL)) ++ goto wait_for_space; + + /* Work out the maximum size of a packet. Assume that + * the security header is going to be in the padded +@@ -468,6 +468,27 @@ static int rxrpc_send_data(struct rxrpc_sock *rx, + efault: + ret = -EFAULT; + goto out; ++ ++wait_for_space: ++ ret = -EAGAIN; ++ if (msg->msg_flags & MSG_DONTWAIT) ++ goto maybe_error; ++ mutex_unlock(&call->user_mutex); ++ *_dropped_lock = true; ++ ret = rxrpc_wait_for_tx_window(rx, call, &timeo, ++ msg->msg_flags & MSG_WAITALL); ++ if (ret < 0) ++ goto maybe_error; ++ if (call->interruptibility == RXRPC_INTERRUPTIBLE) { ++ if (mutex_lock_interruptible(&call->user_mutex) < 0) { ++ ret = sock_intr_errno(timeo); ++ goto maybe_error; ++ } ++ } else { ++ mutex_lock(&call->user_mutex); ++ } ++ *_dropped_lock = false; ++ goto reload; + } + + /* +@@ -629,6 +650,7 @@ int rxrpc_do_sendmsg(struct rxrpc_sock *rx, struct msghdr *msg, size_t len) + enum rxrpc_call_state state; + struct rxrpc_call *call; + unsigned long now, j; ++ bool dropped_lock = false; + int ret; + + struct rxrpc_send_params p = { +@@ -737,21 +759,13 @@ int rxrpc_do_sendmsg(struct rxrpc_sock *rx, struct msghdr *msg, size_t len) + ret = rxrpc_send_abort_packet(call); + } else if (p.command != RXRPC_CMD_SEND_DATA) { + ret = -EINVAL; +- } else if (rxrpc_is_client_call(call) && +- state != RXRPC_CALL_CLIENT_SEND_REQUEST) { +- /* request phase complete for this client call */ +- ret = -EPROTO; +- } else if (rxrpc_is_service_call(call) && +- state != RXRPC_CALL_SERVER_ACK_REQUEST && +- state != RXRPC_CALL_SERVER_SEND_REPLY) { +- /* Reply phase not begun or not complete for service call. */ +- ret = -EPROTO; + } else { +- ret = rxrpc_send_data(rx, call, msg, len, NULL); ++ ret = rxrpc_send_data(rx, call, msg, len, NULL, &dropped_lock); + } + + out_put_unlock: +- mutex_unlock(&call->user_mutex); ++ if (!dropped_lock) ++ mutex_unlock(&call->user_mutex); + error_put: + rxrpc_put_call(call, rxrpc_call_put); + _leave(" = %d", ret); +@@ -779,6 +793,7 @@ int rxrpc_kernel_send_data(struct socket *sock, struct rxrpc_call *call, + struct msghdr *msg, size_t len, + rxrpc_notify_end_tx_t notify_end_tx) + { ++ bool dropped_lock = false; + int ret; + + _enter("{%d,%s},", call->debug_id, rxrpc_call_states[call->state]); +@@ -796,7 +811,7 @@ int rxrpc_kernel_send_data(struct socket *sock, struct rxrpc_call *call, + case RXRPC_CALL_SERVER_ACK_REQUEST: + case RXRPC_CALL_SERVER_SEND_REPLY: + ret = rxrpc_send_data(rxrpc_sk(sock->sk), call, msg, len, +- notify_end_tx); ++ notify_end_tx, &dropped_lock); + break; + case RXRPC_CALL_COMPLETE: + read_lock_bh(&call->state_lock); +@@ -810,7 +825,8 @@ int rxrpc_kernel_send_data(struct socket *sock, struct rxrpc_call *call, + break; + } + +- mutex_unlock(&call->user_mutex); ++ if (!dropped_lock) ++ mutex_unlock(&call->user_mutex); + _leave(" = %d", ret); + return ret; + } +-- +2.35.1 + diff --git a/queue-5.15/scsi-qla2xxx-edif-fix-dropped-ike-message.patch b/queue-5.15/scsi-qla2xxx-edif-fix-dropped-ike-message.patch new file mode 100644 index 00000000000..3262808544c --- /dev/null +++ b/queue-5.15/scsi-qla2xxx-edif-fix-dropped-ike-message.patch @@ -0,0 +1,126 @@ +From 53497851f10798a2f603718bafd5fc1b60169106 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Jul 2022 22:20:40 -0700 +Subject: scsi: qla2xxx: edif: Fix dropped IKE message + +From: Quinn Tran + +[ Upstream commit c019cd656e717349ff22d0c41d6fbfc773f48c52 ] + +This patch fixes IKE message being dropped due to error in processing Purex +IOCB and Continuation IOCBs. + +Link: https://lore.kernel.org/r/20220713052045.10683-6-njavali@marvell.com +Fixes: fac2807946c1 ("scsi: qla2xxx: edif: Add extraction of auth_els from the wire") +Cc: stable@vger.kernel.org +Reviewed-by: Himanshu Madhani +Signed-off-by: Quinn Tran +Signed-off-by: Nilesh Javali +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_isr.c | 54 +++++++++++++++------------------- + 1 file changed, 24 insertions(+), 30 deletions(-) + +diff --git a/drivers/scsi/qla2xxx/qla_isr.c b/drivers/scsi/qla2xxx/qla_isr.c +index ecbc0a5ffb3f5..59f5918dca95f 100644 +--- a/drivers/scsi/qla2xxx/qla_isr.c ++++ b/drivers/scsi/qla2xxx/qla_isr.c +@@ -3707,12 +3707,11 @@ void qla24xx_nvme_ls4_iocb(struct scsi_qla_host *vha, + * Return: 0 all iocbs has arrived, xx- all iocbs have not arrived. + */ + static int qla_chk_cont_iocb_avail(struct scsi_qla_host *vha, +- struct rsp_que *rsp, response_t *pkt) ++ struct rsp_que *rsp, response_t *pkt, u32 rsp_q_in) + { +- int start_pkt_ring_index, end_pkt_ring_index, n_ring_index; +- response_t *end_pkt; ++ int start_pkt_ring_index; ++ u32 iocb_cnt = 0; + int rc = 0; +- u32 rsp_q_in; + + if (pkt->entry_count == 1) + return rc; +@@ -3723,34 +3722,18 @@ static int qla_chk_cont_iocb_avail(struct scsi_qla_host *vha, + else + start_pkt_ring_index = rsp->ring_index - 1; + +- if ((start_pkt_ring_index + pkt->entry_count) >= rsp->length) +- end_pkt_ring_index = start_pkt_ring_index + pkt->entry_count - +- rsp->length - 1; ++ if (rsp_q_in < start_pkt_ring_index) ++ /* q in ptr is wrapped */ ++ iocb_cnt = rsp->length - start_pkt_ring_index + rsp_q_in; + else +- end_pkt_ring_index = start_pkt_ring_index + pkt->entry_count - 1; ++ iocb_cnt = rsp_q_in - start_pkt_ring_index; + +- end_pkt = rsp->ring + end_pkt_ring_index; +- +- /* next pkt = end_pkt + 1 */ +- n_ring_index = end_pkt_ring_index + 1; +- if (n_ring_index >= rsp->length) +- n_ring_index = 0; +- +- rsp_q_in = rsp->qpair->use_shadow_reg ? *rsp->in_ptr : +- rd_reg_dword(rsp->rsp_q_in); +- +- /* rsp_q_in is either wrapped or pointing beyond endpkt */ +- if ((rsp_q_in < start_pkt_ring_index && rsp_q_in < n_ring_index) || +- rsp_q_in >= n_ring_index) +- /* all IOCBs arrived. */ +- rc = 0; +- else ++ if (iocb_cnt < pkt->entry_count) + rc = -EIO; + +- ql_dbg(ql_dbg_init + ql_dbg_verbose, vha, 0x5091, +- "%s - ring %p pkt %p end pkt %p entry count %#x rsp_q_in %d rc %d\n", +- __func__, rsp->ring, pkt, end_pkt, pkt->entry_count, +- rsp_q_in, rc); ++ ql_dbg(ql_dbg_init, vha, 0x5091, ++ "%s - ring %p pkt %p entry count %d iocb_cnt %d rsp_q_in %d rc %d\n", ++ __func__, rsp->ring, pkt, pkt->entry_count, iocb_cnt, rsp_q_in, rc); + + return rc; + } +@@ -3767,7 +3750,7 @@ void qla24xx_process_response_queue(struct scsi_qla_host *vha, + struct qla_hw_data *ha = vha->hw; + struct purex_entry_24xx *purex_entry; + struct purex_item *pure_item; +- u16 rsp_in = 0; ++ u16 rsp_in = 0, cur_ring_index; + int follow_inptr, is_shadow_hba; + + if (!ha->flags.fw_started) +@@ -3798,6 +3781,7 @@ void qla24xx_process_response_queue(struct scsi_qla_host *vha, + (!follow_inptr && + rsp->ring_ptr->signature != RESPONSE_PROCESSED)) { + pkt = (struct sts_entry_24xx *)rsp->ring_ptr; ++ cur_ring_index = rsp->ring_index; + + rsp->ring_index++; + if (rsp->ring_index == rsp->length) { +@@ -3918,7 +3902,17 @@ void qla24xx_process_response_queue(struct scsi_qla_host *vha, + break; + + case ELS_AUTH_ELS: +- if (qla_chk_cont_iocb_avail(vha, rsp, (response_t *)pkt)) { ++ if (qla_chk_cont_iocb_avail(vha, rsp, (response_t *)pkt, rsp_in)) { ++ /* ++ * ring_ptr and ring_index were ++ * pre-incremented above. Reset them ++ * back to current. Wait for next ++ * interrupt with all IOCBs to arrive ++ * and re-process. ++ */ ++ rsp->ring_ptr = (response_t *)pkt; ++ rsp->ring_index = cur_ring_index; ++ + ql_dbg(ql_dbg_init, vha, 0x5091, + "Defer processing ELS opcode %#x...\n", + purex_entry->els_frame_payload[3]); +-- +2.35.1 + diff --git a/queue-5.15/scsi-qla2xxx-fix-response-queue-handler-reading-stal.patch b/queue-5.15/scsi-qla2xxx-fix-response-queue-handler-reading-stal.patch new file mode 100644 index 00000000000..ce2120fc493 --- /dev/null +++ b/queue-5.15/scsi-qla2xxx-fix-response-queue-handler-reading-stal.patch @@ -0,0 +1,128 @@ +From df64c8882f207a43fa5286f21aed8f77110a3d8d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Jul 2022 22:20:39 -0700 +Subject: scsi: qla2xxx: Fix response queue handler reading stale packets + +From: Arun Easi + +[ Upstream commit b1f707146923335849fb70237eec27d4d1ae7d62 ] + +On some platforms, the current logic of relying on finding new packet +solely based on signature pattern can lead to driver reading stale +packets. Though this is a bug in those platforms, reduce such exposures by +limiting reading packets until the IN pointer. + +Two module parameters are introduced: + + ql2xrspq_follow_inptr: + + When set, on newer adapters that has queue pointer shadowing, look for + response packets only until response queue in pointer. + + When reset, response packets are read based on a signature pattern + logic (old way). + + ql2xrspq_follow_inptr_legacy: + + Like ql2xrspq_follow_inptr, but for those adapters where there is no + queue pointer shadowing. + +Link: https://lore.kernel.org/r/20220713052045.10683-5-njavali@marvell.com +Cc: stable@vger.kernel.org +Reviewed-by: Himanshu Madhani +Signed-off-by: Arun Easi +Signed-off-by: Nilesh Javali +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_gbl.h | 2 ++ + drivers/scsi/qla2xxx/qla_isr.c | 24 +++++++++++++++++++++++- + drivers/scsi/qla2xxx/qla_os.c | 10 ++++++++++ + 3 files changed, 35 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/qla2xxx/qla_gbl.h b/drivers/scsi/qla2xxx/qla_gbl.h +index 2a6d613a76cf3..f82e4a348330a 100644 +--- a/drivers/scsi/qla2xxx/qla_gbl.h ++++ b/drivers/scsi/qla2xxx/qla_gbl.h +@@ -192,6 +192,8 @@ extern int ql2xfulldump_on_mpifail; + extern int ql2xsecenable; + extern int ql2xenforce_iocb_limit; + extern int ql2xabts_wait_nvme; ++extern int ql2xrspq_follow_inptr; ++extern int ql2xrspq_follow_inptr_legacy; + + extern int qla2x00_loop_reset(scsi_qla_host_t *); + extern void qla2x00_abort_all_cmds(scsi_qla_host_t *, int); +diff --git a/drivers/scsi/qla2xxx/qla_isr.c b/drivers/scsi/qla2xxx/qla_isr.c +index b218f97396195..ecbc0a5ffb3f5 100644 +--- a/drivers/scsi/qla2xxx/qla_isr.c ++++ b/drivers/scsi/qla2xxx/qla_isr.c +@@ -3767,6 +3767,8 @@ void qla24xx_process_response_queue(struct scsi_qla_host *vha, + struct qla_hw_data *ha = vha->hw; + struct purex_entry_24xx *purex_entry; + struct purex_item *pure_item; ++ u16 rsp_in = 0; ++ int follow_inptr, is_shadow_hba; + + if (!ha->flags.fw_started) + return; +@@ -3776,7 +3778,25 @@ void qla24xx_process_response_queue(struct scsi_qla_host *vha, + qla_cpu_update(rsp->qpair, smp_processor_id()); + } + +- while (rsp->ring_ptr->signature != RESPONSE_PROCESSED) { ++#define __update_rsp_in(_update, _is_shadow_hba, _rsp, _rsp_in) \ ++ do { \ ++ if (_update) { \ ++ _rsp_in = _is_shadow_hba ? *(_rsp)->in_ptr : \ ++ rd_reg_dword_relaxed((_rsp)->rsp_q_in); \ ++ } \ ++ } while (0) ++ ++ is_shadow_hba = IS_SHADOW_REG_CAPABLE(ha); ++ follow_inptr = is_shadow_hba ? ql2xrspq_follow_inptr : ++ ql2xrspq_follow_inptr_legacy; ++ ++ __update_rsp_in(follow_inptr, is_shadow_hba, rsp, rsp_in); ++ ++ while ((likely(follow_inptr && ++ rsp->ring_index != rsp_in && ++ rsp->ring_ptr->signature != RESPONSE_PROCESSED)) || ++ (!follow_inptr && ++ rsp->ring_ptr->signature != RESPONSE_PROCESSED)) { + pkt = (struct sts_entry_24xx *)rsp->ring_ptr; + + rsp->ring_index++; +@@ -3889,6 +3909,8 @@ void qla24xx_process_response_queue(struct scsi_qla_host *vha, + } + pure_item = qla27xx_copy_fpin_pkt(vha, + (void **)&pkt, &rsp); ++ __update_rsp_in(follow_inptr, is_shadow_hba, ++ rsp, rsp_in); + if (!pure_item) + break; + qla24xx_queue_purex_item(vha, pure_item, +diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c +index 6542a258cb751..00e97f0a07ebe 100644 +--- a/drivers/scsi/qla2xxx/qla_os.c ++++ b/drivers/scsi/qla2xxx/qla_os.c +@@ -338,6 +338,16 @@ module_param(ql2xdelay_before_pci_error_handling, uint, 0644); + MODULE_PARM_DESC(ql2xdelay_before_pci_error_handling, + "Number of seconds delayed before qla begin PCI error self-handling (default: 5).\n"); + ++int ql2xrspq_follow_inptr = 1; ++module_param(ql2xrspq_follow_inptr, int, 0644); ++MODULE_PARM_DESC(ql2xrspq_follow_inptr, ++ "Follow RSP IN pointer for RSP updates for HBAs 27xx and newer (default: 1)."); ++ ++int ql2xrspq_follow_inptr_legacy = 1; ++module_param(ql2xrspq_follow_inptr_legacy, int, 0644); ++MODULE_PARM_DESC(ql2xrspq_follow_inptr_legacy, ++ "Follow RSP IN pointer for RSP updates for HBAs older than 27XX. (default: 1)."); ++ + static void qla2x00_clear_drv_active(struct qla_hw_data *); + static void qla2x00_free_device(scsi_qla_host_t *); + static int qla2xxx_map_queues(struct Scsi_Host *shost); +-- +2.35.1 + diff --git a/queue-5.15/series b/queue-5.15/series index 469c0f6cc1e..48cbf58a5e5 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -11,3 +11,84 @@ block-add-bdev_max_segments-helper.patch btrfs-zoned-revive-max_zone_append_bytes.patch btrfs-replace-btrfs_max_extent_size-with-fs_info-max_extent_size.patch btrfs-convert-count_max_extents-to-use-fs_info-max_extent_size.patch +input-i8042-move-__initconst-to-fix-code-styling-war.patch +input-i8042-merge-quirk-tables.patch +input-i8042-add-tuxedo-devices-to-i8042-quirk-tables.patch +input-i8042-add-additional-tuxedo-devices-to-i8042-q.patch +drivers-base-fix-userspace-break-from-using-bin_attr.patch +scsi-qla2xxx-fix-response-queue-handler-reading-stal.patch +scsi-qla2xxx-edif-fix-dropped-ike-message.patch +btrfs-put-initial-index-value-of-a-directory-in-a-co.patch +btrfs-pass-the-dentry-to-btrfs_log_new_name-instead-.patch +btrfs-remove-unnecessary-parameter-delalloc_start-fo.patch +riscv-lib-uaccess-fold-fixups-into-body.patch +riscv-lib-uaccess-fix-csr_status-sr_sum-bit.patch +xfrm-fix-refcount-leak-in-__xfrm_policy_check.patch +xfrm-clone-missing-x-lastused-in-xfrm_do_migrate.patch +af_key-do-not-call-xfrm_probe_algs-in-parallel.patch +xfrm-policy-fix-metadata-dst-dev-xmit-null-pointer-d.patch +fs-require-cap_sys_admin-in-target-namespace-for-idm.patch +net-use-eth_hw_addr_set-instead-of-ether_addr_copy.patch +revert-net-macsec-update-sci-upon-mac-address-change.patch +nfs-don-t-allocate-nfs_fattr-on-the-stack-in-__nfs42.patch +nfsv4.2-fix-problems-with-__nfs42_ssc_open.patch +sunrpc-rpc-level-errors-should-set-task-tk_rpc_statu.patch +mm-smaps-don-t-access-young-dirty-bit-if-pte-unprese.patch +ntfs-fix-acl-handling.patch +rose-check-null-rose_loopback_neigh-loopback.patch +r8152-fix-the-units-of-some-registers-for-rtl8156a.patch +r8152-fix-the-rx-fifo-settings-when-suspending.patch +nfc-pn533-fix-use-after-free-bugs-caused-by-pn532_cm.patch +ice-xsk-force-rings-to-be-sized-to-power-of-2.patch +ice-xsk-prohibit-usage-of-non-balanced-queue-id.patch +net-mlx5e-properly-disable-vlan-strip-on-non-ul-reps.patch +net-mlx5-avoid-false-positive-lockdep-warning-by-add.patch +net-mlx5e-fix-wrong-application-of-the-lro-state.patch +net-mlx5e-fix-wrong-tc-flag-used-when-set-hw-tc-offl.patch +net-ipa-don-t-assume-smem-is-page-aligned.patch +net-phy-don-t-warn-for-phy_ready-state-in-mdio_bus_p.patch +net-moxa-get-rid-of-asymmetry-in-dma-mapping-unmappi.patch +bonding-802.3ad-fix-no-transmission-of-lacpdus.patch +net-ipvtap-add-__init-__exit-annotations-to-module-i.patch +netfilter-ebtables-reject-blobs-that-don-t-provide-a.patch +bnxt_en-fix-nq-resource-accounting-during-vf-creatio.patch +netfilter-nf_tables-disallow-updates-of-implicit-cha.patch +netfilter-nf_tables-make-table-handle-allocation-per.patch +netfilter-nft_payload-report-erange-for-too-long-off.patch +netfilter-nft_payload-do-not-truncate-csum_offset-an.patch +netfilter-nf_tables-do-not-leave-chain-stats-enabled.patch +netfilter-nft_osf-restrict-osf-to-ipv4-ipv6-and-inet.patch +netfilter-nft_tunnel-restrict-it-to-netdev-family.patch +netfilter-nf_tables-consolidate-rule-verdict-trace-c.patch +netfilter-nft_cmp-optimize-comparison-for-16-bytes.patch +netfilter-bitwise-improve-error-goto-labels.patch +netfilter-nf_tables-upfront-validation-of-data-via-n.patch +netfilter-nf_tables-disallow-jump-to-implicit-chain-.patch +netfilter-nf_tables-disallow-binding-to-already-boun.patch +netfilter-flowtable-add-function-to-invoke-garbage-c.patch +netfilter-flowtable-fix-stuck-flows-on-cleanup-due-t.patch +net-fix-data-races-around-sysctl_-rw-mem_-max-defaul.patch +net-fix-data-races-around-weight_p-and-dev_weight_-r.patch +net-fix-data-races-around-netdev_max_backlog.patch +net-fix-data-races-around-netdev_tstamp_prequeue.patch +ratelimit-fix-data-races-in-___ratelimit.patch +net-fix-data-races-around-sysctl_optmem_max.patch +net-fix-a-data-race-around-sysctl_tstamp_allow_data.patch +net-fix-a-data-race-around-sysctl_net_busy_poll.patch +net-fix-a-data-race-around-sysctl_net_busy_read.patch +net-fix-a-data-race-around-netdev_budget.patch +tcp-expose-the-tcp_mark_push-and-tcp_skb_entail-help.patch +mptcp-stop-relying-on-tcp_tx_skb_cache.patch +net-fix-data-races-around-sysctl_max_skb_frags.patch +net-fix-a-data-race-around-netdev_budget_usecs.patch +net-fix-data-races-around-sysctl_fb_tunnels_only_for.patch +net-fix-data-races-around-sysctl_devconf_inherit_ini.patch +net-fix-a-data-race-around-sysctl_somaxconn.patch +ixgbe-stop-resetting-systime-in-ixgbe_ptp_start_cycl.patch +i40e-fix-incorrect-address-type-for-ipv6-flow-rules.patch +rxrpc-fix-locking-in-rxrpc-s-sendmsg.patch +ionic-widen-queue_lock-use-around-lif-init-and-deini.patch +ionic-clear-broken-state-on-generation-change.patch +ionic-fix-up-issues-with-handling-eagain-on-fw-cmds.patch +ionic-vf-initial-random-mac-address-if-no-assigned-m.patch +net-stmmac-work-around-sporadic-tx-issue-on-link-up.patch diff --git a/queue-5.15/sunrpc-rpc-level-errors-should-set-task-tk_rpc_statu.patch b/queue-5.15/sunrpc-rpc-level-errors-should-set-task-tk_rpc_statu.patch new file mode 100644 index 00000000000..30d0baf86bb --- /dev/null +++ b/queue-5.15/sunrpc-rpc-level-errors-should-set-task-tk_rpc_statu.patch @@ -0,0 +1,35 @@ +From 26810c1672b37cb1c320ca90dee5d8eba3c9d0d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Aug 2022 14:55:03 -0400 +Subject: SUNRPC: RPC level errors should set task->tk_rpc_status + +From: Trond Myklebust + +[ Upstream commit ed06fce0b034b2e25bd93430f5c4cbb28036cc1a ] + +Fix up a case in call_encode() where we're failing to set +task->tk_rpc_status when an RPC level error occurred. + +Fixes: 9c5948c24869 ("SUNRPC: task should be exit if encode return EKEYEXPIRED more times") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + net/sunrpc/clnt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c +index 6a035e9339d20..ca2a494d727b2 100644 +--- a/net/sunrpc/clnt.c ++++ b/net/sunrpc/clnt.c +@@ -1881,7 +1881,7 @@ call_encode(struct rpc_task *task) + break; + case -EKEYEXPIRED: + if (!task->tk_cred_retry) { +- rpc_exit(task, task->tk_status); ++ rpc_call_rpcerror(task, task->tk_status); + } else { + task->tk_action = call_refresh; + task->tk_cred_retry--; +-- +2.35.1 + diff --git a/queue-5.15/tcp-expose-the-tcp_mark_push-and-tcp_skb_entail-help.patch b/queue-5.15/tcp-expose-the-tcp_mark_push-and-tcp_skb_entail-help.patch new file mode 100644 index 00000000000..423bd99ddd4 --- /dev/null +++ b/queue-5.15/tcp-expose-the-tcp_mark_push-and-tcp_skb_entail-help.patch @@ -0,0 +1,83 @@ +From 9c6964453808bf5fb89592b83e04e1df6b9a7dfd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Sep 2021 19:26:40 +0200 +Subject: tcp: expose the tcp_mark_push() and tcp_skb_entail() helpers + +From: Paolo Abeni + +[ Upstream commit 04d8825c30b718781197c8f07b1915a11bfb8685 ] + +the tcp_skb_entail() helper is actually skb_entail(), renamed +to provide proper scope. + + The two helper will be used by the next patch. + +RFC -> v1: + - rename skb_entail to tcp_skb_entail (Eric) + +Acked-by: Mat Martineau +Signed-off-by: Paolo Abeni +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/net/tcp.h | 2 ++ + net/ipv4/tcp.c | 8 ++++---- + 2 files changed, 6 insertions(+), 4 deletions(-) + +diff --git a/include/net/tcp.h b/include/net/tcp.h +index 76b0d7f2b967f..d3646645cb9ec 100644 +--- a/include/net/tcp.h ++++ b/include/net/tcp.h +@@ -571,6 +571,8 @@ __u32 cookie_v6_init_sequence(const struct sk_buff *skb, __u16 *mss); + #endif + /* tcp_output.c */ + ++void tcp_skb_entail(struct sock *sk, struct sk_buff *skb); ++void tcp_mark_push(struct tcp_sock *tp, struct sk_buff *skb); + void __tcp_push_pending_frames(struct sock *sk, unsigned int cur_mss, + int nonagle); + int __tcp_retransmit_skb(struct sock *sk, struct sk_buff *skb, int segs); +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index 2097eeaf30a67..52f51717f02f3 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -644,7 +644,7 @@ int tcp_ioctl(struct sock *sk, int cmd, unsigned long arg) + } + EXPORT_SYMBOL(tcp_ioctl); + +-static inline void tcp_mark_push(struct tcp_sock *tp, struct sk_buff *skb) ++void tcp_mark_push(struct tcp_sock *tp, struct sk_buff *skb) + { + TCP_SKB_CB(skb)->tcp_flags |= TCPHDR_PSH; + tp->pushed_seq = tp->write_seq; +@@ -655,7 +655,7 @@ static inline bool forced_push(const struct tcp_sock *tp) + return after(tp->write_seq, tp->pushed_seq + (tp->max_window >> 1)); + } + +-static void skb_entail(struct sock *sk, struct sk_buff *skb) ++void tcp_skb_entail(struct sock *sk, struct sk_buff *skb) + { + struct tcp_sock *tp = tcp_sk(sk); + struct tcp_skb_cb *tcb = TCP_SKB_CB(skb); +@@ -982,7 +982,7 @@ struct sk_buff *tcp_build_frag(struct sock *sk, int size_goal, int flags, + #ifdef CONFIG_TLS_DEVICE + skb->decrypted = !!(flags & MSG_SENDPAGE_DECRYPTED); + #endif +- skb_entail(sk, skb); ++ tcp_skb_entail(sk, skb); + copy = size_goal; + } + +@@ -1312,7 +1312,7 @@ int tcp_sendmsg_locked(struct sock *sk, struct msghdr *msg, size_t size) + process_backlog++; + skb->ip_summed = CHECKSUM_PARTIAL; + +- skb_entail(sk, skb); ++ tcp_skb_entail(sk, skb); + copy = size_goal; + + /* All packets are restored as if they have +-- +2.35.1 + diff --git a/queue-5.15/xfrm-clone-missing-x-lastused-in-xfrm_do_migrate.patch b/queue-5.15/xfrm-clone-missing-x-lastused-in-xfrm_do_migrate.patch new file mode 100644 index 00000000000..aa6648584dd --- /dev/null +++ b/queue-5.15/xfrm-clone-missing-x-lastused-in-xfrm_do_migrate.patch @@ -0,0 +1,35 @@ +From 308017a16b75dbd560c91bfc349023dcd60275ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Jul 2022 17:41:22 +0200 +Subject: xfrm: clone missing x->lastused in xfrm_do_migrate + +From: Antony Antony + +[ Upstream commit 6aa811acdb76facca0b705f4e4c1d948ccb6af8b ] + +x->lastused was not cloned in xfrm_do_migrate. Add it to clone during +migrate. + +Fixes: 80c9abaabf42 ("[XFRM]: Extension for dynamic update of endpoint address(es)") +Signed-off-by: Antony Antony +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_state.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c +index b1a04a22166f7..15132b080614c 100644 +--- a/net/xfrm/xfrm_state.c ++++ b/net/xfrm/xfrm_state.c +@@ -1591,6 +1591,7 @@ static struct xfrm_state *xfrm_state_clone(struct xfrm_state *orig, + x->replay = orig->replay; + x->preplay = orig->preplay; + x->mapping_maxage = orig->mapping_maxage; ++ x->lastused = orig->lastused; + x->new_mapping = 0; + x->new_mapping_sport = 0; + +-- +2.35.1 + diff --git a/queue-5.15/xfrm-fix-refcount-leak-in-__xfrm_policy_check.patch b/queue-5.15/xfrm-fix-refcount-leak-in-__xfrm_policy_check.patch new file mode 100644 index 00000000000..a335386ffc5 --- /dev/null +++ b/queue-5.15/xfrm-fix-refcount-leak-in-__xfrm_policy_check.patch @@ -0,0 +1,41 @@ +From 0c350794832836d9aba2181e3f6a20e3129aa78a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 24 Jul 2022 17:55:58 +0800 +Subject: xfrm: fix refcount leak in __xfrm_policy_check() + +From: Xin Xiong + +[ Upstream commit 9c9cb23e00ddf45679b21b4dacc11d1ae7961ebe ] + +The issue happens on an error path in __xfrm_policy_check(). When the +fetching process of the object `pols[1]` fails, the function simply +returns 0, forgetting to decrement the reference count of `pols[0]`, +which is incremented earlier by either xfrm_sk_policy_lookup() or +xfrm_policy_lookup(). This may result in memory leaks. + +Fix it by decreasing the reference count of `pols[0]` in that path. + +Fixes: 134b0fc544ba ("IPsec: propagate security module errors up from flow_cache_lookup") +Signed-off-by: Xin Xiong +Signed-off-by: Xin Tan +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_policy.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c +index fb198f9490a0f..036d7de164914 100644 +--- a/net/xfrm/xfrm_policy.c ++++ b/net/xfrm/xfrm_policy.c +@@ -3600,6 +3600,7 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, + if (pols[1]) { + if (IS_ERR(pols[1])) { + XFRM_INC_STATS(net, LINUX_MIB_XFRMINPOLERROR); ++ xfrm_pol_put(pols[0]); + return 0; + } + pols[1]->curlft.use_time = ktime_get_real_seconds(); +-- +2.35.1 + diff --git a/queue-5.15/xfrm-policy-fix-metadata-dst-dev-xmit-null-pointer-d.patch b/queue-5.15/xfrm-policy-fix-metadata-dst-dev-xmit-null-pointer-d.patch new file mode 100644 index 00000000000..00f9e68a950 --- /dev/null +++ b/queue-5.15/xfrm-policy-fix-metadata-dst-dev-xmit-null-pointer-d.patch @@ -0,0 +1,95 @@ +From 6f199e322f6aaf0909b08d8197899d34b79ffdfc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Aug 2022 18:30:50 +0300 +Subject: xfrm: policy: fix metadata dst->dev xmit null pointer dereference + +From: Nikolay Aleksandrov + +[ Upstream commit 17ecd4a4db4783392edd4944f5e8268205083f70 ] + +When we try to transmit an skb with metadata_dst attached (i.e. dst->dev +== NULL) through xfrm interface we can hit a null pointer dereference[1] +in xfrmi_xmit2() -> xfrm_lookup_with_ifid() due to the check for a +loopback skb device when there's no policy which dereferences dst->dev +unconditionally. Not having dst->dev can be interepreted as it not being +a loopback device, so just add a check for a null dst_orig->dev. + +With this fix xfrm interface's Tx error counters go up as usual. + +[1] net-next calltrace captured via netconsole: + BUG: kernel NULL pointer dereference, address: 00000000000000c0 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + PGD 0 P4D 0 + Oops: 0000 [#1] PREEMPT SMP + CPU: 1 PID: 7231 Comm: ping Kdump: loaded Not tainted 5.19.0+ #24 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-1.fc36 04/01/2014 + RIP: 0010:xfrm_lookup_with_ifid+0x5eb/0xa60 + Code: 8d 74 24 38 e8 26 a4 37 00 48 89 c1 e9 12 fc ff ff 49 63 ed 41 83 fd be 0f 85 be 01 00 00 41 be ff ff ff ff 45 31 ed 48 8b 03 80 c0 00 00 00 08 75 0f 41 80 bc 24 19 0d 00 00 01 0f 84 1e 02 + RSP: 0018:ffffb0db82c679f0 EFLAGS: 00010246 + RAX: 0000000000000000 RBX: ffffd0db7fcad430 RCX: ffffb0db82c67a10 + RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffb0db82c67a80 + RBP: ffffb0db82c67a80 R08: ffffb0db82c67a14 R09: 0000000000000000 + R10: 0000000000000000 R11: ffff8fa449667dc8 R12: ffffffff966db880 + R13: 0000000000000000 R14: 00000000ffffffff R15: 0000000000000000 + FS: 00007ff35c83f000(0000) GS:ffff8fa478480000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00000000000000c0 CR3: 000000001ebb7000 CR4: 0000000000350ee0 + Call Trace: + + xfrmi_xmit+0xde/0x460 + ? tcf_bpf_act+0x13d/0x2a0 + dev_hard_start_xmit+0x72/0x1e0 + __dev_queue_xmit+0x251/0xd30 + ip_finish_output2+0x140/0x550 + ip_push_pending_frames+0x56/0x80 + raw_sendmsg+0x663/0x10a0 + ? try_charge_memcg+0x3fd/0x7a0 + ? __mod_memcg_lruvec_state+0x93/0x110 + ? sock_sendmsg+0x30/0x40 + sock_sendmsg+0x30/0x40 + __sys_sendto+0xeb/0x130 + ? handle_mm_fault+0xae/0x280 + ? do_user_addr_fault+0x1e7/0x680 + ? kvm_read_and_reset_apf_flags+0x3b/0x50 + __x64_sys_sendto+0x20/0x30 + do_syscall_64+0x34/0x80 + entry_SYSCALL_64_after_hwframe+0x46/0xb0 + RIP: 0033:0x7ff35cac1366 + Code: eb 0b 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 11 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 72 c3 90 55 48 83 ec 30 44 89 4c 24 2c 4c 89 + RSP: 002b:00007fff738e4028 EFLAGS: 00000246 ORIG_RAX: 000000000000002c + RAX: ffffffffffffffda RBX: 00007fff738e57b0 RCX: 00007ff35cac1366 + RDX: 0000000000000040 RSI: 0000557164e4b450 RDI: 0000000000000003 + RBP: 0000557164e4b450 R08: 00007fff738e7a2c R09: 0000000000000010 + R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000040 + R13: 00007fff738e5770 R14: 00007fff738e4030 R15: 0000001d00000001 + + Modules linked in: netconsole veth br_netfilter bridge bonding virtio_net [last unloaded: netconsole] + CR2: 00000000000000c0 + +CC: Steffen Klassert +CC: Daniel Borkmann +Fixes: 2d151d39073a ("xfrm: Add possibility to set the default to block if we have no policy") +Signed-off-by: Nikolay Aleksandrov +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_policy.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c +index 036d7de164914..ba58b963f4827 100644 +--- a/net/xfrm/xfrm_policy.c ++++ b/net/xfrm/xfrm_policy.c +@@ -3162,7 +3162,7 @@ struct dst_entry *xfrm_lookup_with_ifid(struct net *net, + return dst; + + nopol: +- if (!(dst_orig->dev->flags & IFF_LOOPBACK) && ++ if ((!dst_orig->dev || !(dst_orig->dev->flags & IFF_LOOPBACK)) && + net->xfrm.policy_default[dir] == XFRM_USERPOLICY_BLOCK) { + err = -EPERM; + goto error; +-- +2.35.1 +