From: Sasha Levin Date: Sun, 12 Jun 2022 13:42:02 +0000 (-0400) Subject: Fixes for 5.15 X-Git-Tag: v4.9.318~99 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7fd1a31d0c895b9ea2acfe40de21eb777a3e95d4;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.15 Signed-off-by: Sasha Levin --- diff --git a/queue-5.15/af_unix-fix-a-data-race-in-unix_dgram_peer_wake_me.patch b/queue-5.15/af_unix-fix-a-data-race-in-unix_dgram_peer_wake_me.patch new file mode 100644 index 00000000000..fea9270ab43 --- /dev/null +++ b/queue-5.15/af_unix-fix-a-data-race-in-unix_dgram_peer_wake_me.patch @@ -0,0 +1,39 @@ +From 82f41f525b78d53db6774197dbb7486ab1151849 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 5 Jun 2022 16:23:25 -0700 +Subject: af_unix: Fix a data-race in unix_dgram_peer_wake_me(). + +From: Kuniyuki Iwashima + +[ Upstream commit 662a80946ce13633ae90a55379f1346c10f0c432 ] + +unix_dgram_poll() calls unix_dgram_peer_wake_me() without `other`'s +lock held and check if its receive queue is full. Here we need to +use unix_recvq_full_lockless() instead of unix_recvq_full(), otherwise +KCSAN will report a data-race. + +Fixes: 7d267278a9ec ("unix: avoid use-after-free in ep_remove_wait_queue") +Signed-off-by: Kuniyuki Iwashima +Link: https://lore.kernel.org/r/20220605232325.11804-1-kuniyu@amazon.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/unix/af_unix.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index 62f47821d783..b7be8d066753 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -446,7 +446,7 @@ static int unix_dgram_peer_wake_me(struct sock *sk, struct sock *other) + * -ECONNREFUSED. Otherwise, if we haven't queued any skbs + * to other and its full, we will hang waiting for POLLOUT. + */ +- if (unix_recvq_full(other) && !sock_flag(other, SOCK_DEAD)) ++ if (unix_recvq_full_lockless(other) && !sock_flag(other, SOCK_DEAD)) + return 1; + + if (connected) +-- +2.35.1 + diff --git a/queue-5.15/ata-pata_octeon_cf-fix-refcount-leak-in-octeon_cf_pr.patch b/queue-5.15/ata-pata_octeon_cf-fix-refcount-leak-in-octeon_cf_pr.patch new file mode 100644 index 00000000000..a42370d6c9f --- /dev/null +++ b/queue-5.15/ata-pata_octeon_cf-fix-refcount-leak-in-octeon_cf_pr.patch @@ -0,0 +1,52 @@ +From b83c98c2927a5dddff7c7329fdc797eb5bbe0386 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Jun 2022 12:59:26 +0400 +Subject: ata: pata_octeon_cf: Fix refcount leak in octeon_cf_probe + +From: Miaoqian Lin + +[ Upstream commit 10d6bdf532902be1d8aa5900b3c03c5671612aa2 ] + +of_find_device_by_node() takes reference, we should use put_device() +to release it when not need anymore. +Add missing put_device() to avoid refcount leak. + +Fixes: 43f01da0f279 ("MIPS/OCTEON/ata: Convert pata_octeon_cf.c to use device tree.") +Signed-off-by: Miaoqian Lin +Reviewed-by: Sergey Shtylyov +Signed-off-by: Damien Le Moal +Signed-off-by: Sasha Levin +--- + drivers/ata/pata_octeon_cf.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/ata/pata_octeon_cf.c b/drivers/ata/pata_octeon_cf.c +index b5a3f710d76d..4cc8a1027888 100644 +--- a/drivers/ata/pata_octeon_cf.c ++++ b/drivers/ata/pata_octeon_cf.c +@@ -888,12 +888,14 @@ static int octeon_cf_probe(struct platform_device *pdev) + int i; + res_dma = platform_get_resource(dma_dev, IORESOURCE_MEM, 0); + if (!res_dma) { ++ put_device(&dma_dev->dev); + of_node_put(dma_node); + return -EINVAL; + } + cf_port->dma_base = (u64)devm_ioremap(&pdev->dev, res_dma->start, + resource_size(res_dma)); + if (!cf_port->dma_base) { ++ put_device(&dma_dev->dev); + of_node_put(dma_node); + return -EINVAL; + } +@@ -903,6 +905,7 @@ static int octeon_cf_probe(struct platform_device *pdev) + irq = i; + irq_handler = octeon_cf_interrupt; + } ++ put_device(&dma_dev->dev); + } + of_node_put(dma_node); + } +-- +2.35.1 + diff --git a/queue-5.15/bpf-arm64-clear-prog-jited_len-along-prog-jited.patch b/queue-5.15/bpf-arm64-clear-prog-jited_len-along-prog-jited.patch new file mode 100644 index 00000000000..28a6a2475b1 --- /dev/null +++ b/queue-5.15/bpf-arm64-clear-prog-jited_len-along-prog-jited.patch @@ -0,0 +1,100 @@ +From 43bf4aed53864f493ac7f6b151b7cacaca2cf849 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 May 2022 14:51:13 -0700 +Subject: bpf, arm64: Clear prog->jited_len along prog->jited + +From: Eric Dumazet + +[ Upstream commit 10f3b29c65bb2fe0d47c2945cd0b4087be1c5218 ] + +syzbot reported an illegal copy_to_user() attempt +from bpf_prog_get_info_by_fd() [1] + +There was no repro yet on this bug, but I think +that commit 0aef499f3172 ("mm/usercopy: Detect vmalloc overruns") +is exposing a prior bug in bpf arm64. + +bpf_prog_get_info_by_fd() looks at prog->jited_len +to determine if the JIT image can be copied out to user space. + +My theory is that syzbot managed to get a prog where prog->jited_len +has been set to 43, while prog->bpf_func has ben cleared. + +It is not clear why copy_to_user(uinsns, NULL, ulen) is triggering +this particular warning. + +I thought find_vma_area(NULL) would not find a vm_struct. +As we do not hold vmap_area_lock spinlock, it might be possible +that the found vm_struct was garbage. + +[1] +usercopy: Kernel memory exposure attempt detected from vmalloc (offset 792633534417210172, size 43)! +kernel BUG at mm/usercopy.c:101! +Internal error: Oops - BUG: 0 [#1] PREEMPT SMP +Modules linked in: +CPU: 0 PID: 25002 Comm: syz-executor.1 Not tainted 5.18.0-syzkaller-10139-g8291eaafed36 #0 +Hardware name: linux,dummy-virt (DT) +pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) +pc : usercopy_abort+0x90/0x94 mm/usercopy.c:101 +lr : usercopy_abort+0x90/0x94 mm/usercopy.c:89 +sp : ffff80000b773a20 +x29: ffff80000b773a30 x28: faff80000b745000 x27: ffff80000b773b48 +x26: 0000000000000000 x25: 000000000000002b x24: 0000000000000000 +x23: 00000000000000e0 x22: ffff80000b75db67 x21: 0000000000000001 +x20: 000000000000002b x19: ffff80000b75db3c x18: 00000000fffffffd +x17: 2820636f6c6c616d x16: 76206d6f72662064 x15: 6574636574656420 +x14: 74706d6574746120 x13: 2129333420657a69 x12: 73202c3237313031 +x11: 3237313434333533 x10: 3336323937207465 x9 : 657275736f707865 +x8 : ffff80000a30c550 x7 : ffff80000b773830 x6 : ffff80000b773830 +x5 : 0000000000000000 x4 : ffff00007fbbaa10 x3 : 0000000000000000 +x2 : 0000000000000000 x1 : f7ff000028fc0000 x0 : 0000000000000064 +Call trace: + usercopy_abort+0x90/0x94 mm/usercopy.c:89 + check_heap_object mm/usercopy.c:186 [inline] + __check_object_size mm/usercopy.c:252 [inline] + __check_object_size+0x198/0x36c mm/usercopy.c:214 + check_object_size include/linux/thread_info.h:199 [inline] + check_copy_size include/linux/thread_info.h:235 [inline] + copy_to_user include/linux/uaccess.h:159 [inline] + bpf_prog_get_info_by_fd.isra.0+0xf14/0xfdc kernel/bpf/syscall.c:3993 + bpf_obj_get_info_by_fd+0x12c/0x510 kernel/bpf/syscall.c:4253 + __sys_bpf+0x900/0x2150 kernel/bpf/syscall.c:4956 + __do_sys_bpf kernel/bpf/syscall.c:5021 [inline] + __se_sys_bpf kernel/bpf/syscall.c:5019 [inline] + __arm64_sys_bpf+0x28/0x40 kernel/bpf/syscall.c:5019 + __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline] + invoke_syscall+0x48/0x114 arch/arm64/kernel/syscall.c:52 + el0_svc_common.constprop.0+0x44/0xec arch/arm64/kernel/syscall.c:142 + do_el0_svc+0xa0/0xc0 arch/arm64/kernel/syscall.c:206 + el0_svc+0x44/0xb0 arch/arm64/kernel/entry-common.c:624 + el0t_64_sync_handler+0x1ac/0x1b0 arch/arm64/kernel/entry-common.c:642 + el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:581 +Code: aa0003e3 d00038c0 91248000 97fff65f (d4210000) + +Fixes: db496944fdaa ("bpf: arm64: add JIT support for multi-function programs") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Signed-off-by: Daniel Borkmann +Acked-by: Song Liu +Link: https://lore.kernel.org/bpf/20220531215113.1100754-1-eric.dumazet@gmail.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + arch/arm64/net/bpf_jit_comp.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm64/net/bpf_jit_comp.c b/arch/arm64/net/bpf_jit_comp.c +index b56e7bd96594..95439bbe5df8 100644 +--- a/arch/arm64/net/bpf_jit_comp.c ++++ b/arch/arm64/net/bpf_jit_comp.c +@@ -1113,6 +1113,7 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog) + bpf_jit_binary_free(header); + prog->bpf_func = NULL; + prog->jited = 0; ++ prog->jited_len = 0; + goto out_off; + } + bpf_jit_binary_lock_ro(header); +-- +2.35.1 + diff --git a/queue-5.15/drm-bridge-sn65dsi83-fix-an-error-handling-path-in-s.patch b/queue-5.15/drm-bridge-sn65dsi83-fix-an-error-handling-path-in-s.patch new file mode 100644 index 00000000000..ee5810eed3c --- /dev/null +++ b/queue-5.15/drm-bridge-sn65dsi83-fix-an-error-handling-path-in-s.patch @@ -0,0 +1,100 @@ +From 5a01d63372511c76a83cbaee9fc66d3fadfbc2f8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Dec 2021 09:58:44 +0100 +Subject: drm/bridge: sn65dsi83: Fix an error handling path in + sn65dsi83_probe() + +From: Christophe JAILLET + +[ Upstream commit 6edf615618b8259f16eeb1df98f0ba0d2312c22e ] + +sn65dsi83_parse_dt() takes a reference on 'ctx->host_node' that must be +released in the error handling path of this function and of the probe. +This is only done in the remove function up to now. + +Fixes: ceb515ba29ba ("drm/bridge: ti-sn65dsi83: Add TI SN65DSI83 and SN65DSI84 driver") +Signed-off-by: Christophe JAILLET +Reviewed-by: Laurent Pinchart +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/4bc21aed4b60d3d5ac4b28d8b07a6fdd8da6a536.1640768126.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/ti-sn65dsi83.c | 34 ++++++++++++++++++++------- + 1 file changed, 25 insertions(+), 9 deletions(-) + +diff --git a/drivers/gpu/drm/bridge/ti-sn65dsi83.c b/drivers/gpu/drm/bridge/ti-sn65dsi83.c +index a32f70bc68ea..bf469e8ac563 100644 +--- a/drivers/gpu/drm/bridge/ti-sn65dsi83.c ++++ b/drivers/gpu/drm/bridge/ti-sn65dsi83.c +@@ -608,10 +608,14 @@ static int sn65dsi83_parse_dt(struct sn65dsi83 *ctx, enum sn65dsi83_model model) + ctx->host_node = of_graph_get_remote_port_parent(endpoint); + of_node_put(endpoint); + +- if (ctx->dsi_lanes < 0 || ctx->dsi_lanes > 4) +- return -EINVAL; +- if (!ctx->host_node) +- return -ENODEV; ++ if (ctx->dsi_lanes < 0 || ctx->dsi_lanes > 4) { ++ ret = -EINVAL; ++ goto err_put_node; ++ } ++ if (!ctx->host_node) { ++ ret = -ENODEV; ++ goto err_put_node; ++ } + + ctx->lvds_dual_link = false; + ctx->lvds_dual_link_even_odd_swap = false; +@@ -638,16 +642,22 @@ static int sn65dsi83_parse_dt(struct sn65dsi83 *ctx, enum sn65dsi83_model model) + + ret = drm_of_find_panel_or_bridge(dev->of_node, 2, 0, &panel, &panel_bridge); + if (ret < 0) +- return ret; ++ goto err_put_node; + if (panel) { + panel_bridge = devm_drm_panel_bridge_add(dev, panel); +- if (IS_ERR(panel_bridge)) +- return PTR_ERR(panel_bridge); ++ if (IS_ERR(panel_bridge)) { ++ ret = PTR_ERR(panel_bridge); ++ goto err_put_node; ++ } + } + + ctx->panel_bridge = panel_bridge; + + return 0; ++ ++err_put_node: ++ of_node_put(ctx->host_node); ++ return ret; + } + + static int sn65dsi83_probe(struct i2c_client *client, +@@ -680,8 +690,10 @@ static int sn65dsi83_probe(struct i2c_client *client, + return ret; + + ctx->regmap = devm_regmap_init_i2c(client, &sn65dsi83_regmap_config); +- if (IS_ERR(ctx->regmap)) +- return PTR_ERR(ctx->regmap); ++ if (IS_ERR(ctx->regmap)) { ++ ret = PTR_ERR(ctx->regmap); ++ goto err_put_node; ++ } + + dev_set_drvdata(dev, ctx); + i2c_set_clientdata(client, ctx); +@@ -691,6 +703,10 @@ static int sn65dsi83_probe(struct i2c_client *client, + drm_bridge_add(&ctx->bridge); + + return 0; ++ ++err_put_node: ++ of_node_put(ctx->host_node); ++ return ret; + } + + static int sn65dsi83_remove(struct i2c_client *client) +-- +2.35.1 + diff --git a/queue-5.15/drm-bridge-ti-sn65dsi83-handle-dsi_lanes-0-as-invali.patch b/queue-5.15/drm-bridge-ti-sn65dsi83-handle-dsi_lanes-0-as-invali.patch new file mode 100644 index 00000000000..9fba711c031 --- /dev/null +++ b/queue-5.15/drm-bridge-ti-sn65dsi83-handle-dsi_lanes-0-as-invali.patch @@ -0,0 +1,46 @@ +From b21d444815041e98979bb9f7dfb2096bd0fdf676 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 May 2022 01:38:44 +0200 +Subject: drm/bridge: ti-sn65dsi83: Handle dsi_lanes == 0 as invalid + +From: Marek Vasut + +[ Upstream commit edbc7960bef7fd71ef1e44d0df15b864784b14c8 ] + +Handle empty data-lanes = < >; property, which translates to +dsi_lanes = 0 as invalid. + +Fixes: ceb515ba29ba6 ("drm/bridge: ti-sn65dsi83: Add TI SN65DSI83 and SN65DSI84 driver") +Signed-off-by: Marek Vasut +Cc: Jonas Karlman +Cc: Laurent Pinchart +Cc: Lucas Stach +Cc: Marek Vasut +Cc: Maxime Ripard +Cc: Neil Armstrong +Cc: Robert Foss +Cc: Sam Ravnborg +Reviewed-by: Andrzej Hajda +Reviewed-by: Lucas Stach +Link: https://patchwork.freedesktop.org/patch/msgid/20220518233844.248504-1-marex@denx.de +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/ti-sn65dsi83.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/bridge/ti-sn65dsi83.c b/drivers/gpu/drm/bridge/ti-sn65dsi83.c +index bf469e8ac563..c901c0e1a3b0 100644 +--- a/drivers/gpu/drm/bridge/ti-sn65dsi83.c ++++ b/drivers/gpu/drm/bridge/ti-sn65dsi83.c +@@ -608,7 +608,7 @@ static int sn65dsi83_parse_dt(struct sn65dsi83 *ctx, enum sn65dsi83_model model) + ctx->host_node = of_graph_get_remote_port_parent(endpoint); + of_node_put(endpoint); + +- if (ctx->dsi_lanes < 0 || ctx->dsi_lanes > 4) { ++ if (ctx->dsi_lanes <= 0 || ctx->dsi_lanes > 4) { + ret = -EINVAL; + goto err_put_node; + } +-- +2.35.1 + diff --git a/queue-5.15/drm-imx-fix-compiler-warning-with-gcc-12.patch b/queue-5.15/drm-imx-fix-compiler-warning-with-gcc-12.patch new file mode 100644 index 00000000000..aaa20c42f47 --- /dev/null +++ b/queue-5.15/drm-imx-fix-compiler-warning-with-gcc-12.patch @@ -0,0 +1,51 @@ +From 744427d82dd6c91e0f97ab155fcd801424929a21 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Jun 2022 16:59:29 -0700 +Subject: drm: imx: fix compiler warning with gcc-12 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Linus Torvalds + +[ Upstream commit 7aefd8b53815274f3ef398d370a3c9b27dd9f00c ] + +Gcc-12 correctly warned about this code using a non-NULL pointer as a +truth value: + + drivers/gpu/drm/imx/ipuv3-crtc.c: In function ‘ipu_crtc_disable_planes’: + drivers/gpu/drm/imx/ipuv3-crtc.c:72:21: error: the comparison will always evaluate as ‘true’ for the address of ‘plane’ will never be NULL [-Werror=address] + 72 | if (&ipu_crtc->plane[1] && plane == &ipu_crtc->plane[1]->base) + | ^ + +due to the extraneous '&' address-of operator. + +Philipp Zabel points out that The mistake had no adverse effect since +the following condition doesn't actually dereference the NULL pointer, +but the intent of the code was obviously to check for it, not to take +the address of the member. + +Fixes: eb8c88808c83 ("drm/imx: add deferred plane disabling") +Acked-by: Philipp Zabel +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/imx/ipuv3-crtc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/imx/ipuv3-crtc.c b/drivers/gpu/drm/imx/ipuv3-crtc.c +index 9c8829f945b2..f7863d6dea80 100644 +--- a/drivers/gpu/drm/imx/ipuv3-crtc.c ++++ b/drivers/gpu/drm/imx/ipuv3-crtc.c +@@ -69,7 +69,7 @@ static void ipu_crtc_disable_planes(struct ipu_crtc *ipu_crtc, + drm_atomic_crtc_state_for_each_plane(plane, old_crtc_state) { + if (plane == &ipu_crtc->plane[0]->base) + disable_full = true; +- if (&ipu_crtc->plane[1] && plane == &ipu_crtc->plane[1]->base) ++ if (ipu_crtc->plane[1] && plane == &ipu_crtc->plane[1]->base) + disable_partial = true; + } + +-- +2.35.1 + diff --git a/queue-5.15/i40e-xsk-move-tmp-desc-array-from-driver-to-pool.patch b/queue-5.15/i40e-xsk-move-tmp-desc-array-from-driver-to-pool.patch new file mode 100644 index 00000000000..a0b45065bef --- /dev/null +++ b/queue-5.15/i40e-xsk-move-tmp-desc-array-from-driver-to-pool.patch @@ -0,0 +1,250 @@ +From 73c0d498d71fed62e76ce0f4d362194dfb8a0575 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Jan 2022 17:04:43 +0100 +Subject: i40e: xsk: Move tmp desc array from driver to pool + +From: Magnus Karlsson + +[ Upstream commit d1bc532e99becf104635ed4da6fefa306f452321 ] + +Move desc_array from the driver to the pool. The reason behind this is +that we can then reuse this array as a temporary storage for descriptors +in all zero-copy drivers that use the batched interface. This will make +it easier to add batching to more drivers. + +i40e is the only driver that has a batched Tx zero-copy +implementation, so no need to touch any other driver. + +Signed-off-by: Magnus Karlsson +Signed-off-by: Daniel Borkmann +Reviewed-by: Alexander Lobakin +Link: https://lore.kernel.org/bpf/20220125160446.78976-6-maciej.fijalkowski@intel.com +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_txrx.c | 11 ----------- + drivers/net/ethernet/intel/i40e/i40e_txrx.h | 1 - + drivers/net/ethernet/intel/i40e/i40e_xsk.c | 4 ++-- + include/net/xdp_sock_drv.h | 5 ++--- + include/net/xsk_buff_pool.h | 1 + + net/xdp/xsk.c | 13 ++++++------- + net/xdp/xsk_buff_pool.c | 7 +++++++ + net/xdp/xsk_queue.h | 12 ++++++------ + 8 files changed, 24 insertions(+), 30 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_txrx.c b/drivers/net/ethernet/intel/i40e/i40e_txrx.c +index 10a83e5385c7..d3a4a33977ee 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_txrx.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_txrx.c +@@ -830,8 +830,6 @@ void i40e_free_tx_resources(struct i40e_ring *tx_ring) + i40e_clean_tx_ring(tx_ring); + kfree(tx_ring->tx_bi); + tx_ring->tx_bi = NULL; +- kfree(tx_ring->xsk_descs); +- tx_ring->xsk_descs = NULL; + + if (tx_ring->desc) { + dma_free_coherent(tx_ring->dev, tx_ring->size, +@@ -1433,13 +1431,6 @@ int i40e_setup_tx_descriptors(struct i40e_ring *tx_ring) + if (!tx_ring->tx_bi) + goto err; + +- if (ring_is_xdp(tx_ring)) { +- tx_ring->xsk_descs = kcalloc(I40E_MAX_NUM_DESCRIPTORS, sizeof(*tx_ring->xsk_descs), +- GFP_KERNEL); +- if (!tx_ring->xsk_descs) +- goto err; +- } +- + u64_stats_init(&tx_ring->syncp); + + /* round up to nearest 4K */ +@@ -1463,8 +1454,6 @@ int i40e_setup_tx_descriptors(struct i40e_ring *tx_ring) + return 0; + + err: +- kfree(tx_ring->xsk_descs); +- tx_ring->xsk_descs = NULL; + kfree(tx_ring->tx_bi); + tx_ring->tx_bi = NULL; + return -ENOMEM; +diff --git a/drivers/net/ethernet/intel/i40e/i40e_txrx.h b/drivers/net/ethernet/intel/i40e/i40e_txrx.h +index bfc2845c99d1..f6d91fa1562e 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_txrx.h ++++ b/drivers/net/ethernet/intel/i40e/i40e_txrx.h +@@ -390,7 +390,6 @@ struct i40e_ring { + u16 rx_offset; + struct xdp_rxq_info xdp_rxq; + struct xsk_buff_pool *xsk_pool; +- struct xdp_desc *xsk_descs; /* For storing descriptors in the AF_XDP ZC path */ + } ____cacheline_internodealigned_in_smp; + + static inline bool ring_uses_build_skb(struct i40e_ring *ring) +diff --git a/drivers/net/ethernet/intel/i40e/i40e_xsk.c b/drivers/net/ethernet/intel/i40e/i40e_xsk.c +index 3f27a8ebe2ec..54c91dc459dd 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_xsk.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_xsk.c +@@ -473,11 +473,11 @@ static void i40e_set_rs_bit(struct i40e_ring *xdp_ring) + **/ + static bool i40e_xmit_zc(struct i40e_ring *xdp_ring, unsigned int budget) + { +- struct xdp_desc *descs = xdp_ring->xsk_descs; ++ struct xdp_desc *descs = xdp_ring->xsk_pool->tx_descs; + u32 nb_pkts, nb_processed = 0; + unsigned int total_bytes = 0; + +- nb_pkts = xsk_tx_peek_release_desc_batch(xdp_ring->xsk_pool, descs, budget); ++ nb_pkts = xsk_tx_peek_release_desc_batch(xdp_ring->xsk_pool, budget); + if (!nb_pkts) + return true; + +diff --git a/include/net/xdp_sock_drv.h b/include/net/xdp_sock_drv.h +index 4e295541e396..ffe13a10bc96 100644 +--- a/include/net/xdp_sock_drv.h ++++ b/include/net/xdp_sock_drv.h +@@ -13,7 +13,7 @@ + + void xsk_tx_completed(struct xsk_buff_pool *pool, u32 nb_entries); + bool xsk_tx_peek_desc(struct xsk_buff_pool *pool, struct xdp_desc *desc); +-u32 xsk_tx_peek_release_desc_batch(struct xsk_buff_pool *pool, struct xdp_desc *desc, u32 max); ++u32 xsk_tx_peek_release_desc_batch(struct xsk_buff_pool *pool, u32 max); + void xsk_tx_release(struct xsk_buff_pool *pool); + struct xsk_buff_pool *xsk_get_pool_from_qid(struct net_device *dev, + u16 queue_id); +@@ -129,8 +129,7 @@ static inline bool xsk_tx_peek_desc(struct xsk_buff_pool *pool, + return false; + } + +-static inline u32 xsk_tx_peek_release_desc_batch(struct xsk_buff_pool *pool, struct xdp_desc *desc, +- u32 max) ++static inline u32 xsk_tx_peek_release_desc_batch(struct xsk_buff_pool *pool, u32 max) + { + return 0; + } +diff --git a/include/net/xsk_buff_pool.h b/include/net/xsk_buff_pool.h +index 7a9a23e7a604..ee152f031d0c 100644 +--- a/include/net/xsk_buff_pool.h ++++ b/include/net/xsk_buff_pool.h +@@ -60,6 +60,7 @@ struct xsk_buff_pool { + */ + dma_addr_t *dma_pages; + struct xdp_buff_xsk *heads; ++ struct xdp_desc *tx_descs; + u64 chunk_mask; + u64 addrs_cnt; + u32 free_list_cnt; +diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c +index 444ad0bc0908..404cbfde2f84 100644 +--- a/net/xdp/xsk.c ++++ b/net/xdp/xsk.c +@@ -358,9 +358,9 @@ bool xsk_tx_peek_desc(struct xsk_buff_pool *pool, struct xdp_desc *desc) + } + EXPORT_SYMBOL(xsk_tx_peek_desc); + +-static u32 xsk_tx_peek_release_fallback(struct xsk_buff_pool *pool, struct xdp_desc *descs, +- u32 max_entries) ++static u32 xsk_tx_peek_release_fallback(struct xsk_buff_pool *pool, u32 max_entries) + { ++ struct xdp_desc *descs = pool->tx_descs; + u32 nb_pkts = 0; + + while (nb_pkts < max_entries && xsk_tx_peek_desc(pool, &descs[nb_pkts])) +@@ -370,8 +370,7 @@ static u32 xsk_tx_peek_release_fallback(struct xsk_buff_pool *pool, struct xdp_d + return nb_pkts; + } + +-u32 xsk_tx_peek_release_desc_batch(struct xsk_buff_pool *pool, struct xdp_desc *descs, +- u32 max_entries) ++u32 xsk_tx_peek_release_desc_batch(struct xsk_buff_pool *pool, u32 max_entries) + { + struct xdp_sock *xs; + u32 nb_pkts; +@@ -380,7 +379,7 @@ u32 xsk_tx_peek_release_desc_batch(struct xsk_buff_pool *pool, struct xdp_desc * + if (!list_is_singular(&pool->xsk_tx_list)) { + /* Fallback to the non-batched version */ + rcu_read_unlock(); +- return xsk_tx_peek_release_fallback(pool, descs, max_entries); ++ return xsk_tx_peek_release_fallback(pool, max_entries); + } + + xs = list_first_or_null_rcu(&pool->xsk_tx_list, struct xdp_sock, tx_list); +@@ -389,7 +388,7 @@ u32 xsk_tx_peek_release_desc_batch(struct xsk_buff_pool *pool, struct xdp_desc * + goto out; + } + +- nb_pkts = xskq_cons_peek_desc_batch(xs->tx, descs, pool, max_entries); ++ nb_pkts = xskq_cons_peek_desc_batch(xs->tx, pool, max_entries); + if (!nb_pkts) { + xs->tx->queue_empty_descs++; + goto out; +@@ -401,7 +400,7 @@ u32 xsk_tx_peek_release_desc_batch(struct xsk_buff_pool *pool, struct xdp_desc * + * packets. This avoids having to implement any buffering in + * the Tx path. + */ +- nb_pkts = xskq_prod_reserve_addr_batch(pool->cq, descs, nb_pkts); ++ nb_pkts = xskq_prod_reserve_addr_batch(pool->cq, pool->tx_descs, nb_pkts); + if (!nb_pkts) + goto out; + +diff --git a/net/xdp/xsk_buff_pool.c b/net/xdp/xsk_buff_pool.c +index 8de01aaac4a0..23fbef4aef74 100644 +--- a/net/xdp/xsk_buff_pool.c ++++ b/net/xdp/xsk_buff_pool.c +@@ -37,6 +37,7 @@ void xp_destroy(struct xsk_buff_pool *pool) + if (!pool) + return; + ++ kvfree(pool->tx_descs); + kvfree(pool->heads); + kvfree(pool); + } +@@ -57,6 +58,12 @@ struct xsk_buff_pool *xp_create_and_assign_umem(struct xdp_sock *xs, + if (!pool->heads) + goto out; + ++ if (xs->tx) { ++ pool->tx_descs = kcalloc(xs->tx->nentries, sizeof(*pool->tx_descs), GFP_KERNEL); ++ if (!pool->tx_descs) ++ goto out; ++ } ++ + pool->chunk_mask = ~((u64)umem->chunk_size - 1); + pool->addrs_cnt = umem->size; + pool->heads_cnt = umem->chunks; +diff --git a/net/xdp/xsk_queue.h b/net/xdp/xsk_queue.h +index 9ae13cccfb28..b721795fe50c 100644 +--- a/net/xdp/xsk_queue.h ++++ b/net/xdp/xsk_queue.h +@@ -201,11 +201,11 @@ static inline bool xskq_cons_read_desc(struct xsk_queue *q, + return false; + } + +-static inline u32 xskq_cons_read_desc_batch(struct xsk_queue *q, +- struct xdp_desc *descs, +- struct xsk_buff_pool *pool, u32 max) ++static inline u32 xskq_cons_read_desc_batch(struct xsk_queue *q, struct xsk_buff_pool *pool, ++ u32 max) + { + u32 cached_cons = q->cached_cons, nb_entries = 0; ++ struct xdp_desc *descs = pool->tx_descs; + + while (cached_cons != q->cached_prod && nb_entries < max) { + struct xdp_rxtx_ring *ring = (struct xdp_rxtx_ring *)q->ring; +@@ -278,12 +278,12 @@ static inline bool xskq_cons_peek_desc(struct xsk_queue *q, + return xskq_cons_read_desc(q, desc, pool); + } + +-static inline u32 xskq_cons_peek_desc_batch(struct xsk_queue *q, struct xdp_desc *descs, +- struct xsk_buff_pool *pool, u32 max) ++static inline u32 xskq_cons_peek_desc_batch(struct xsk_queue *q, struct xsk_buff_pool *pool, ++ u32 max) + { + u32 entries = xskq_cons_nb_entries(q, max); + +- return xskq_cons_read_desc_batch(q, descs, pool, entries); ++ return xskq_cons_read_desc_batch(q, pool, entries); + } + + /* To improve performance in the xskq_cons_release functions, only update local state here. +-- +2.35.1 + diff --git a/queue-5.15/iov_iter-fix-iter_xarray_get_pages-_alloc.patch b/queue-5.15/iov_iter-fix-iter_xarray_get_pages-_alloc.patch new file mode 100644 index 00000000000..c5995695c99 --- /dev/null +++ b/queue-5.15/iov_iter-fix-iter_xarray_get_pages-_alloc.patch @@ -0,0 +1,99 @@ +From 4e8740f11c8d3d533dc2efc9031c1b370b416299 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Jun 2022 09:07:01 +0100 +Subject: iov_iter: Fix iter_xarray_get_pages{,_alloc}() + +From: David Howells + +[ Upstream commit 6c77676645ad42993e0a8bdb8dafa517851a352a ] + +The maths at the end of iter_xarray_get_pages() to calculate the actual +size doesn't work under some circumstances, such as when it's been asked to +extract a partial single page. Various terms of the equation cancel out +and you end up with actual == offset. The same issue exists in +iter_xarray_get_pages_alloc(). + +Fix these to just use min() to select the lesser amount from between the +amount of page content transcribed into the buffer, minus the offset, and +the size limit specified. + +This doesn't appear to have caused a problem yet upstream because network +filesystems aren't getting the pages from an xarray iterator, but rather +passing it directly to the socket, which just iterates over it. Cachefiles +*does* do DIO from one to/from ext4/xfs/btrfs/etc. but it always asks for +whole pages to be written or read. + +Fixes: 7ff5062079ef ("iov_iter: Add ITER_XARRAY") +Reported-by: Jeff Layton +Signed-off-by: David Howells +cc: Alexander Viro +cc: Dominique Martinet +cc: Mike Marshall +cc: Gao Xiang +cc: linux-afs@lists.infradead.org +cc: v9fs-developer@lists.sourceforge.net +cc: devel@lists.orangefs.org +cc: linux-erofs@lists.ozlabs.org +cc: linux-cachefs@redhat.com +cc: linux-fsdevel@vger.kernel.org +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + lib/iov_iter.c | 20 ++++---------------- + 1 file changed, 4 insertions(+), 16 deletions(-) + +diff --git a/lib/iov_iter.c b/lib/iov_iter.c +index 6d146f77601d..be07eb24ab2f 100644 +--- a/lib/iov_iter.c ++++ b/lib/iov_iter.c +@@ -1436,7 +1436,7 @@ static ssize_t iter_xarray_get_pages(struct iov_iter *i, + { + unsigned nr, offset; + pgoff_t index, count; +- size_t size = maxsize, actual; ++ size_t size = maxsize; + loff_t pos; + + if (!size || !maxpages) +@@ -1463,13 +1463,7 @@ static ssize_t iter_xarray_get_pages(struct iov_iter *i, + if (nr == 0) + return 0; + +- actual = PAGE_SIZE * nr; +- actual -= offset; +- if (nr == count && size > 0) { +- unsigned last_offset = (nr > 1) ? 0 : offset; +- actual -= PAGE_SIZE - (last_offset + size); +- } +- return actual; ++ return min(nr * PAGE_SIZE - offset, maxsize); + } + + /* must be done on non-empty ITER_IOVEC one */ +@@ -1604,7 +1598,7 @@ static ssize_t iter_xarray_get_pages_alloc(struct iov_iter *i, + struct page **p; + unsigned nr, offset; + pgoff_t index, count; +- size_t size = maxsize, actual; ++ size_t size = maxsize; + loff_t pos; + + if (!size) +@@ -1633,13 +1627,7 @@ static ssize_t iter_xarray_get_pages_alloc(struct iov_iter *i, + if (nr == 0) + return 0; + +- actual = PAGE_SIZE * nr; +- actual -= offset; +- if (nr == count && size > 0) { +- unsigned last_offset = (nr > 1) ? 0 : offset; +- actual -= PAGE_SIZE - (last_offset + size); +- } +- return actual; ++ return min(nr * PAGE_SIZE - offset, maxsize); + } + + ssize_t iov_iter_get_pages_alloc(struct iov_iter *i, +-- +2.35.1 + diff --git a/queue-5.15/ip_gre-test-csum_start-instead-of-transport-header.patch b/queue-5.15/ip_gre-test-csum_start-instead-of-transport-header.patch new file mode 100644 index 00000000000..15c97b74c87 --- /dev/null +++ b/queue-5.15/ip_gre-test-csum_start-instead-of-transport-header.patch @@ -0,0 +1,87 @@ +From 098aeb4431039392ad2450787b5c4b8b0f642152 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Jun 2022 09:21:07 -0400 +Subject: ip_gre: test csum_start instead of transport header + +From: Willem de Bruijn + +[ Upstream commit 8d21e9963bec1aad2280cdd034c8993033ef2948 ] + +GRE with TUNNEL_CSUM will apply local checksum offload on +CHECKSUM_PARTIAL packets. + +ipgre_xmit must validate csum_start after an optional skb_pull, +else lco_csum may trigger an overflow. The original check was + + if (csum && skb_checksum_start(skb) < skb->data) + return -EINVAL; + +This had false positives when skb_checksum_start is undefined: +when ip_summed is not CHECKSUM_PARTIAL. A discussed refinement +was straightforward + + if (csum && skb->ip_summed == CHECKSUM_PARTIAL && + skb_checksum_start(skb) < skb->data) + return -EINVAL; + +But was eventually revised more thoroughly: +- restrict the check to the only branch where needed, in an + uncommon GRE path that uses header_ops and calls skb_pull. +- test skb_transport_header, which is set along with csum_start + in skb_partial_csum_set in the normal header_ops datapath. + +Turns out skbs can arrive in this branch without the transport +header set, e.g., through BPF redirection. + +Revise the check back to check csum_start directly, and only if +CHECKSUM_PARTIAL. Do leave the check in the updated location. +Check field regardless of whether TUNNEL_CSUM is configured. + +Link: https://lore.kernel.org/netdev/YS+h%2FtqCJJiQei+W@shredder/ +Link: https://lore.kernel.org/all/20210902193447.94039-2-willemdebruijn.kernel@gmail.com/T/#u +Fixes: 8a0ed250f911 ("ip_gre: validate csum_start only on pull") +Reported-by: syzbot +Signed-off-by: Willem de Bruijn +Reviewed-by: Eric Dumazet +Reviewed-by: Alexander Duyck +Link: https://lore.kernel.org/r/20220606132107.3582565-1-willemdebruijn.kernel@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/ip_gre.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c +index 276a3b7b0e9c..f23528c77539 100644 +--- a/net/ipv4/ip_gre.c ++++ b/net/ipv4/ip_gre.c +@@ -629,21 +629,20 @@ static netdev_tx_t ipgre_xmit(struct sk_buff *skb, + } + + if (dev->header_ops) { +- const int pull_len = tunnel->hlen + sizeof(struct iphdr); +- + if (skb_cow_head(skb, 0)) + goto free_skb; + + tnl_params = (const struct iphdr *)skb->data; + +- if (pull_len > skb_transport_offset(skb)) +- goto free_skb; +- + /* Pull skb since ip_tunnel_xmit() needs skb->data pointing + * to gre header. + */ +- skb_pull(skb, pull_len); ++ skb_pull(skb, tunnel->hlen + sizeof(struct iphdr)); + skb_reset_mac_header(skb); ++ ++ if (skb->ip_summed == CHECKSUM_PARTIAL && ++ skb_checksum_start(skb) < skb->data) ++ goto free_skb; + } else { + if (skb_cow_head(skb, dev->needed_headroom)) + goto free_skb; +-- +2.35.1 + diff --git a/queue-5.15/net-altera-fix-refcount-leak-in-altera_tse_mdio_crea.patch b/queue-5.15/net-altera-fix-refcount-leak-in-altera_tse_mdio_crea.patch new file mode 100644 index 00000000000..d2517ef3ad0 --- /dev/null +++ b/queue-5.15/net-altera-fix-refcount-leak-in-altera_tse_mdio_crea.patch @@ -0,0 +1,59 @@ +From 9fbb5acd95eae42e5673605157f7108516fdf41a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Jun 2022 08:11:43 +0400 +Subject: net: altera: Fix refcount leak in altera_tse_mdio_create + +From: Miaoqian Lin + +[ Upstream commit 11ec18b1d8d92b9df307d31950dcba0b3dd7283c ] + +Every iteration of for_each_child_of_node() decrements +the reference count of the previous node. +When break from a for_each_child_of_node() loop, +we need to explicitly call of_node_put() on the child node when +not need anymore. +Add missing of_node_put() to avoid refcount leak. + +Fixes: bbd2190ce96d ("Altera TSE: Add main and header file for Altera Ethernet Driver") +Signed-off-by: Miaoqian Lin +Link: https://lore.kernel.org/r/20220607041144.7553-1-linmq006@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/altera/altera_tse_main.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/altera/altera_tse_main.c b/drivers/net/ethernet/altera/altera_tse_main.c +index 804b37c76b1e..b51f5b9577e0 100644 +--- a/drivers/net/ethernet/altera/altera_tse_main.c ++++ b/drivers/net/ethernet/altera/altera_tse_main.c +@@ -163,7 +163,8 @@ static int altera_tse_mdio_create(struct net_device *dev, unsigned int id) + mdio = mdiobus_alloc(); + if (mdio == NULL) { + netdev_err(dev, "Error allocating MDIO bus\n"); +- return -ENOMEM; ++ ret = -ENOMEM; ++ goto put_node; + } + + mdio->name = ALTERA_TSE_RESOURCE_NAME; +@@ -180,6 +181,7 @@ static int altera_tse_mdio_create(struct net_device *dev, unsigned int id) + mdio->id); + goto out_free_mdio; + } ++ of_node_put(mdio_node); + + if (netif_msg_drv(priv)) + netdev_info(dev, "MDIO bus %s: created\n", mdio->id); +@@ -189,6 +191,8 @@ static int altera_tse_mdio_create(struct net_device *dev, unsigned int id) + out_free_mdio: + mdiobus_free(mdio); + mdio = NULL; ++put_node: ++ of_node_put(mdio_node); + return ret; + } + +-- +2.35.1 + diff --git a/queue-5.15/net-dsa-lantiq_gswip-fix-refcount-leak-in-gswip_gphy.patch b/queue-5.15/net-dsa-lantiq_gswip-fix-refcount-leak-in-gswip_gphy.patch new file mode 100644 index 00000000000..454ceebd815 --- /dev/null +++ b/queue-5.15/net-dsa-lantiq_gswip-fix-refcount-leak-in-gswip_gphy.patch @@ -0,0 +1,43 @@ +From 7f37806ea2b1b0797acc1fb5aff45a483b21483a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 5 Jun 2022 11:23:34 +0400 +Subject: net: dsa: lantiq_gswip: Fix refcount leak in gswip_gphy_fw_list + +From: Miaoqian Lin + +[ Upstream commit 0737e018a05e2aa352828c52bdeed3b02cff2930 ] + +Every iteration of for_each_available_child_of_node() decrements +the reference count of the previous node. +when breaking early from a for_each_available_child_of_node() loop, +we need to explicitly call of_node_put() on the gphy_fw_np. +Add missing of_node_put() to avoid refcount leak. + +Fixes: 14fceff4771e ("net: dsa: Add Lantiq / Intel DSA driver for vrx200") +Signed-off-by: Miaoqian Lin +Link: https://lore.kernel.org/r/20220605072335.11257-1-linmq006@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/lantiq_gswip.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/dsa/lantiq_gswip.c b/drivers/net/dsa/lantiq_gswip.c +index 8a8f392813d8..2240a3d35122 100644 +--- a/drivers/net/dsa/lantiq_gswip.c ++++ b/drivers/net/dsa/lantiq_gswip.c +@@ -2047,8 +2047,10 @@ static int gswip_gphy_fw_list(struct gswip_priv *priv, + for_each_available_child_of_node(gphy_fw_list_np, gphy_fw_np) { + err = gswip_gphy_fw_probe(priv, &priv->gphy_fw[i], + gphy_fw_np, i); +- if (err) ++ if (err) { ++ of_node_put(gphy_fw_np); + goto remove_gphy; ++ } + i++; + } + +-- +2.35.1 + diff --git a/queue-5.15/net-dsa-mv88e6xxx-use-bmsr_anegcomplete-bit-for-fill.patch b/queue-5.15/net-dsa-mv88e6xxx-use-bmsr_anegcomplete-bit-for-fill.patch new file mode 100644 index 00000000000..3d79f563b87 --- /dev/null +++ b/queue-5.15/net-dsa-mv88e6xxx-use-bmsr_anegcomplete-bit-for-fill.patch @@ -0,0 +1,117 @@ +From 3e62d28f6265d36b8267efacdad1c625187a3c91 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Jun 2022 12:28:42 +0100 +Subject: net: dsa: mv88e6xxx: use BMSR_ANEGCOMPLETE bit for filling + an_complete +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Marek Behún + +[ Upstream commit 47e96930d6e6106d5252e85b868d3c7e29296de0 ] + +Commit ede359d8843a ("net: dsa: mv88e6xxx: Link in pcs_get_state() if AN +is bypassed") added the ability to link if AN was bypassed, and added +filling of state->an_complete field, but set it to true if AN was +enabled in BMCR, not when AN was reported complete in BMSR. + +This was done because for some reason, when I wanted to use BMSR value +to infer an_complete, I was looking at BMSR_ANEGCAPABLE bit (which was +always 1), instead of BMSR_ANEGCOMPLETE bit. + +Use BMSR_ANEGCOMPLETE for filling state->an_complete. + +Fixes: ede359d8843a ("net: dsa: mv88e6xxx: Link in pcs_get_state() if AN is bypassed") +Signed-off-by: Marek Behún +Signed-off-by: Russell King (Oracle) +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/mv88e6xxx/serdes.c | 27 +++++++++++---------------- + 1 file changed, 11 insertions(+), 16 deletions(-) + +diff --git a/drivers/net/dsa/mv88e6xxx/serdes.c b/drivers/net/dsa/mv88e6xxx/serdes.c +index 2b05ead515cd..6ae7a0ed9e0b 100644 +--- a/drivers/net/dsa/mv88e6xxx/serdes.c ++++ b/drivers/net/dsa/mv88e6xxx/serdes.c +@@ -50,22 +50,17 @@ static int mv88e6390_serdes_write(struct mv88e6xxx_chip *chip, + } + + static int mv88e6xxx_serdes_pcs_get_state(struct mv88e6xxx_chip *chip, +- u16 ctrl, u16 status, u16 lpa, ++ u16 bmsr, u16 lpa, u16 status, + struct phylink_link_state *state) + { + state->link = !!(status & MV88E6390_SGMII_PHY_STATUS_LINK); ++ state->an_complete = !!(bmsr & BMSR_ANEGCOMPLETE); + + if (status & MV88E6390_SGMII_PHY_STATUS_SPD_DPL_VALID) { + /* The Spped and Duplex Resolved register is 1 if AN is enabled + * and complete, or if AN is disabled. So with disabled AN we +- * still get here on link up. But we want to set an_complete +- * only if AN was enabled, thus we look at BMCR_ANENABLE. +- * (According to 802.3-2008 section 22.2.4.2.10, we should be +- * able to get this same value from BMSR_ANEGCAPABLE, but tests +- * show that these Marvell PHYs don't conform to this part of +- * the specificaion - BMSR_ANEGCAPABLE is simply always 1.) ++ * still get here on link up. + */ +- state->an_complete = !!(ctrl & BMCR_ANENABLE); + state->duplex = status & + MV88E6390_SGMII_PHY_STATUS_DUPLEX_FULL ? + DUPLEX_FULL : DUPLEX_HALF; +@@ -191,12 +186,12 @@ int mv88e6352_serdes_pcs_config(struct mv88e6xxx_chip *chip, int port, + int mv88e6352_serdes_pcs_get_state(struct mv88e6xxx_chip *chip, int port, + int lane, struct phylink_link_state *state) + { +- u16 lpa, status, ctrl; ++ u16 bmsr, lpa, status; + int err; + +- err = mv88e6352_serdes_read(chip, MII_BMCR, &ctrl); ++ err = mv88e6352_serdes_read(chip, MII_BMSR, &bmsr); + if (err) { +- dev_err(chip->dev, "can't read Serdes PHY control: %d\n", err); ++ dev_err(chip->dev, "can't read Serdes BMSR: %d\n", err); + return err; + } + +@@ -212,7 +207,7 @@ int mv88e6352_serdes_pcs_get_state(struct mv88e6xxx_chip *chip, int port, + return err; + } + +- return mv88e6xxx_serdes_pcs_get_state(chip, ctrl, status, lpa, state); ++ return mv88e6xxx_serdes_pcs_get_state(chip, bmsr, lpa, status, state); + } + + int mv88e6352_serdes_pcs_an_restart(struct mv88e6xxx_chip *chip, int port, +@@ -915,13 +910,13 @@ int mv88e6390_serdes_pcs_config(struct mv88e6xxx_chip *chip, int port, + static int mv88e6390_serdes_pcs_get_state_sgmii(struct mv88e6xxx_chip *chip, + int port, int lane, struct phylink_link_state *state) + { +- u16 lpa, status, ctrl; ++ u16 bmsr, lpa, status; + int err; + + err = mv88e6390_serdes_read(chip, lane, MDIO_MMD_PHYXS, +- MV88E6390_SGMII_BMCR, &ctrl); ++ MV88E6390_SGMII_BMSR, &bmsr); + if (err) { +- dev_err(chip->dev, "can't read Serdes PHY control: %d\n", err); ++ dev_err(chip->dev, "can't read Serdes PHY BMSR: %d\n", err); + return err; + } + +@@ -939,7 +934,7 @@ static int mv88e6390_serdes_pcs_get_state_sgmii(struct mv88e6xxx_chip *chip, + return err; + } + +- return mv88e6xxx_serdes_pcs_get_state(chip, ctrl, status, lpa, state); ++ return mv88e6xxx_serdes_pcs_get_state(chip, bmsr, lpa, status, state); + } + + static int mv88e6390_serdes_pcs_get_state_10g(struct mv88e6xxx_chip *chip, +-- +2.35.1 + diff --git a/queue-5.15/net-ipv6-unexport-__init-annotated-seg6_hmac_init.patch b/queue-5.15/net-ipv6-unexport-__init-annotated-seg6_hmac_init.patch new file mode 100644 index 00000000000..dd80b03164c --- /dev/null +++ b/queue-5.15/net-ipv6-unexport-__init-annotated-seg6_hmac_init.patch @@ -0,0 +1,52 @@ +From 4981db2245fd8b1b4bd9280d2caba1d2001f7e20 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Jun 2022 13:53:55 +0900 +Subject: net: ipv6: unexport __init-annotated seg6_hmac_init() + +From: Masahiro Yamada + +[ Upstream commit 5801f064e35181c71857a80ff18af4dbec3c5f5c ] + +EXPORT_SYMBOL and __init is a bad combination because the .init.text +section is freed up after the initialization. Hence, modules cannot +use symbols annotated __init. The access to a freed symbol may end up +with kernel panic. + +modpost used to detect it, but it has been broken for a decade. + +Recently, I fixed modpost so it started to warn it again, then this +showed up in linux-next builds. + +There are two ways to fix it: + + - Remove __init + - Remove EXPORT_SYMBOL + +I chose the latter for this case because the caller (net/ipv6/seg6.c) +and the callee (net/ipv6/seg6_hmac.c) belong to the same module. +It seems an internal function call in ipv6.ko. + +Fixes: bf355b8d2c30 ("ipv6: sr: add core files for SR HMAC support") +Reported-by: Stephen Rothwell +Signed-off-by: Masahiro Yamada +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/seg6_hmac.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/net/ipv6/seg6_hmac.c b/net/ipv6/seg6_hmac.c +index 687d95dce085..5b2c9ce53395 100644 +--- a/net/ipv6/seg6_hmac.c ++++ b/net/ipv6/seg6_hmac.c +@@ -399,7 +399,6 @@ int __init seg6_hmac_init(void) + { + return seg6_hmac_init_algo(); + } +-EXPORT_SYMBOL(seg6_hmac_init); + + int __net_init seg6_hmac_net_init(struct net *net) + { +-- +2.35.1 + diff --git a/queue-5.15/net-mdio-unexport-__init-annotated-mdio_bus_init.patch b/queue-5.15/net-mdio-unexport-__init-annotated-mdio_bus_init.patch new file mode 100644 index 00000000000..079f5be73c5 --- /dev/null +++ b/queue-5.15/net-mdio-unexport-__init-annotated-mdio_bus_init.patch @@ -0,0 +1,54 @@ +From f756c9b7ba1459b0a6a81ae1187e10cad360be09 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Jun 2022 13:53:53 +0900 +Subject: net: mdio: unexport __init-annotated mdio_bus_init() + +From: Masahiro Yamada + +[ Upstream commit 35b42dce619701f1300fb8498dae82c9bb1f0263 ] + +EXPORT_SYMBOL and __init is a bad combination because the .init.text +section is freed up after the initialization. Hence, modules cannot +use symbols annotated __init. The access to a freed symbol may end up +with kernel panic. + +modpost used to detect it, but it has been broken for a decade. + +Recently, I fixed modpost so it started to warn it again, then this +showed up in linux-next builds. + +There are two ways to fix it: + + - Remove __init + - Remove EXPORT_SYMBOL + +I chose the latter for this case because the only in-tree call-site, +drivers/net/phy/phy_device.c is never compiled as modular. +(CONFIG_PHYLIB is boolean) + +Fixes: 90eff9096c01 ("net: phy: Allow splitting MDIO bus/device support from PHYs") +Reported-by: Stephen Rothwell +Signed-off-by: Masahiro Yamada +Reviewed-by: Florian Fainelli +Reviewed-by: Russell King (Oracle) +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/mdio_bus.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/net/phy/mdio_bus.c b/drivers/net/phy/mdio_bus.c +index 8dc6e6269c65..2c0216fe58de 100644 +--- a/drivers/net/phy/mdio_bus.c ++++ b/drivers/net/phy/mdio_bus.c +@@ -1011,7 +1011,6 @@ int __init mdio_bus_init(void) + + return ret; + } +-EXPORT_SYMBOL_GPL(mdio_bus_init); + + #if IS_ENABLED(CONFIG_PHYLIB) + void mdio_bus_exit(void) +-- +2.35.1 + diff --git a/queue-5.15/net-mlx4_en-fix-wrong-return-value-on-ioctl-eeprom-q.patch b/queue-5.15/net-mlx4_en-fix-wrong-return-value-on-ioctl-eeprom-q.patch new file mode 100644 index 00000000000..9a316d661fa --- /dev/null +++ b/queue-5.15/net-mlx4_en-fix-wrong-return-value-on-ioctl-eeprom-q.patch @@ -0,0 +1,38 @@ +From 74a002a504b3709b14f173072c1dff36375e62cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Jun 2022 14:57:18 +0300 +Subject: net/mlx4_en: Fix wrong return value on ioctl EEPROM query failure + +From: Gal Pressman + +[ Upstream commit f5826c8c9d57210a17031af5527056eefdc2b7eb ] + +The ioctl EEPROM query wrongly returns success on read failures, fix +that by returning the appropriate error code. + +Fixes: 7202da8b7f71 ("ethtool, net/mlx4_en: Cable info, get_module_info/eeprom ethtool support") +Signed-off-by: Gal Pressman +Signed-off-by: Tariq Toukan +Link: https://lore.kernel.org/r/20220606115718.14233-1-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx4/en_ethtool.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c b/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c +index fde521b1eeca..c3cffb32fb06 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c ++++ b/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c +@@ -2103,7 +2103,7 @@ static int mlx4_en_get_module_eeprom(struct net_device *dev, + en_err(priv, + "mlx4_get_module_info i(%d) offset(%d) bytes_to_read(%d) - FAILED (0x%x)\n", + i, offset, ee->len - i, ret); +- return 0; ++ return ret; + } + + i += ret; +-- +2.35.1 + diff --git a/queue-5.15/net-mlx5-fix-mlx5_get_next_dev-peer-device-matching.patch b/queue-5.15/net-mlx5-fix-mlx5_get_next_dev-peer-device-matching.patch new file mode 100644 index 00000000000..a52cab1c666 --- /dev/null +++ b/queue-5.15/net-mlx5-fix-mlx5_get_next_dev-peer-device-matching.patch @@ -0,0 +1,122 @@ +From 6c6b1e05942bf4499ccc46b128a5ddd1fdca3e22 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Feb 2021 23:10:47 -0800 +Subject: net/mlx5: Fix mlx5_get_next_dev() peer device matching + +From: Saeed Mahameed + +[ Upstream commit 1c5de097bea31760c3f0467ac0c84ba0dc3525d5 ] + +In some use-cases, mlx5 instances will need to search for their peer +device (the other port on the same HCA). For that, mlx5 device matching +mechanism relied on auxiliary_find_device() to search, and used a bad matching +callback function. + +This approach has two issues: + +1) next_phys_dev() the matching function, assumed all devices are + of the type mlx5_adev (mlx5 auxiliary device) which is wrong and + could lead to crashes, this worked for a while, since only lately + other drivers started registering auxiliary devices. + +2) using the auxiliary class bus (auxiliary_find_device) to search for + mlx5_core_dev devices, who are actually PCIe device instances, is wrong. + This works since mlx5_core always has at least one mlx5_adev instance + hanging around in the aux bus. + +As suggested by others we can fix 1. by comparing device names prefixes +if they have the string "mlx5_core" in them, which is not a best practice ! +but even with that fixed, still 2. needs fixing, we are trying to +match pcie device peers so we should look in the right bus (pci bus), +hence this fix. + +The fix: +1) search the pci bus for mlx5 peer devices, instead of the aux bus +2) to validated devices are the same type "mlx5_core_dev" compare if + they have the same driver, which is bulletproof. + + This wouldn't have worked with the aux bus since the various mlx5 aux + device types don't share the same driver, even if they share the same device + wrapper struct (mlx5_adev) "which helped to find the parent device" + +Fixes: a925b5e309c9 ("net/mlx5: Register mlx5 devices to auxiliary virtual bus") +Reported-by: Alexander Lobakin +Reported-by: Maher Sanalla +Signed-off-by: Saeed Mahameed +Reviewed-by: Leon Romanovsky +Reviewed-by: Mark Bloch +Reviewed-by: Maher Sanalla +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/dev.c | 34 +++++++++++++------ + 1 file changed, 23 insertions(+), 11 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/dev.c b/drivers/net/ethernet/mellanox/mlx5/core/dev.c +index 94411b34799e..949f12ede3d2 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/dev.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/dev.c +@@ -559,18 +559,32 @@ static int _next_phys_dev(struct mlx5_core_dev *mdev, + return 1; + } + ++static void *pci_get_other_drvdata(struct device *this, struct device *other) ++{ ++ if (this->driver != other->driver) ++ return NULL; ++ ++ return pci_get_drvdata(to_pci_dev(other)); ++} ++ + static int next_phys_dev(struct device *dev, const void *data) + { +- struct mlx5_adev *madev = container_of(dev, struct mlx5_adev, adev.dev); +- struct mlx5_core_dev *mdev = madev->mdev; ++ struct mlx5_core_dev *mdev, *this = (struct mlx5_core_dev *)data; ++ ++ mdev = pci_get_other_drvdata(this->device, dev); ++ if (!mdev) ++ return 0; + + return _next_phys_dev(mdev, data); + } + + static int next_phys_dev_lag(struct device *dev, const void *data) + { +- struct mlx5_adev *madev = container_of(dev, struct mlx5_adev, adev.dev); +- struct mlx5_core_dev *mdev = madev->mdev; ++ struct mlx5_core_dev *mdev, *this = (struct mlx5_core_dev *)data; ++ ++ mdev = pci_get_other_drvdata(this->device, dev); ++ if (!mdev) ++ return 0; + + if (!MLX5_CAP_GEN(mdev, vport_group_manager) || + !MLX5_CAP_GEN(mdev, lag_master) || +@@ -583,19 +597,17 @@ static int next_phys_dev_lag(struct device *dev, const void *data) + static struct mlx5_core_dev *mlx5_get_next_dev(struct mlx5_core_dev *dev, + int (*match)(struct device *dev, const void *data)) + { +- struct auxiliary_device *adev; +- struct mlx5_adev *madev; ++ struct device *next; + + if (!mlx5_core_is_pf(dev)) + return NULL; + +- adev = auxiliary_find_device(NULL, dev, match); +- if (!adev) ++ next = bus_find_device(&pci_bus_type, NULL, dev, match); ++ if (!next) + return NULL; + +- madev = container_of(adev, struct mlx5_adev, adev); +- put_device(&adev->dev); +- return madev->mdev; ++ put_device(next); ++ return pci_get_drvdata(to_pci_dev(next)); + } + + /* Must be called with intf_mutex held */ +-- +2.35.1 + diff --git a/queue-5.15/net-mlx5-fs-fail-conflicting-actions.patch b/queue-5.15/net-mlx5-fs-fail-conflicting-actions.patch new file mode 100644 index 00000000000..5cb1af6ce86 --- /dev/null +++ b/queue-5.15/net-mlx5-fs-fail-conflicting-actions.patch @@ -0,0 +1,91 @@ +From 54f9c3bff5eb17edf0adb7c6d24028e08c0d0288 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 May 2022 10:46:59 +0300 +Subject: net/mlx5: fs, fail conflicting actions + +From: Mark Bloch + +[ Upstream commit 8fa5e7b20e01042b14f8cd684d2da9b638460c74 ] + +When combining two steering rules into one check +not only do they share the same actions but those +actions are also the same. This resolves an issue where +when creating two different rules with the same match +the actions are overwritten and one of the rules is deleted +a FW syndrome can be seen in dmesg. + +mlx5_core 0000:03:00.0: mlx5_cmd_check:819:(pid 2105): DEALLOC_MODIFY_HEADER_CONTEXT(0x941) op_mod(0x0) failed, status bad resource state(0x9), syndrome (0x1ab444) + +Fixes: 0d235c3fabb7 ("net/mlx5: Add hash table to search FTEs in a flow-group") +Signed-off-by: Mark Bloch +Reviewed-by: Maor Gottlieb +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + .../net/ethernet/mellanox/mlx5/core/fs_core.c | 35 +++++++++++++++++-- + 1 file changed, 32 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c +index 379130ed300c..cb3f9de3d00b 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c +@@ -1527,9 +1527,22 @@ static struct mlx5_flow_rule *find_flow_rule(struct fs_fte *fte, + return NULL; + } + +-static bool check_conflicting_actions(u32 action1, u32 action2) ++static bool check_conflicting_actions_vlan(const struct mlx5_fs_vlan *vlan0, ++ const struct mlx5_fs_vlan *vlan1) + { +- u32 xored_actions = action1 ^ action2; ++ return vlan0->ethtype != vlan1->ethtype || ++ vlan0->vid != vlan1->vid || ++ vlan0->prio != vlan1->prio; ++} ++ ++static bool check_conflicting_actions(const struct mlx5_flow_act *act1, ++ const struct mlx5_flow_act *act2) ++{ ++ u32 action1 = act1->action; ++ u32 action2 = act2->action; ++ u32 xored_actions; ++ ++ xored_actions = action1 ^ action2; + + /* if one rule only wants to count, it's ok */ + if (action1 == MLX5_FLOW_CONTEXT_ACTION_COUNT || +@@ -1546,6 +1559,22 @@ static bool check_conflicting_actions(u32 action1, u32 action2) + MLX5_FLOW_CONTEXT_ACTION_VLAN_PUSH_2)) + return true; + ++ if (action1 & MLX5_FLOW_CONTEXT_ACTION_PACKET_REFORMAT && ++ act1->pkt_reformat != act2->pkt_reformat) ++ return true; ++ ++ if (action1 & MLX5_FLOW_CONTEXT_ACTION_MOD_HDR && ++ act1->modify_hdr != act2->modify_hdr) ++ return true; ++ ++ if (action1 & MLX5_FLOW_CONTEXT_ACTION_VLAN_PUSH && ++ check_conflicting_actions_vlan(&act1->vlan[0], &act2->vlan[0])) ++ return true; ++ ++ if (action1 & MLX5_FLOW_CONTEXT_ACTION_VLAN_PUSH_2 && ++ check_conflicting_actions_vlan(&act1->vlan[1], &act2->vlan[1])) ++ return true; ++ + return false; + } + +@@ -1553,7 +1582,7 @@ static int check_conflicting_ftes(struct fs_fte *fte, + const struct mlx5_flow_context *flow_context, + const struct mlx5_flow_act *flow_act) + { +- if (check_conflicting_actions(flow_act->action, fte->action.action)) { ++ if (check_conflicting_actions(flow_act, &fte->action)) { + mlx5_core_warn(get_dev(&fte->node), + "Found two FTEs with conflicting actions\n"); + return -EEXIST; +-- +2.35.1 + diff --git a/queue-5.15/net-mlx5-lag-filter-non-compatible-devices.patch b/queue-5.15/net-mlx5-lag-filter-non-compatible-devices.patch new file mode 100644 index 00000000000..b584727059e --- /dev/null +++ b/queue-5.15/net-mlx5-lag-filter-non-compatible-devices.patch @@ -0,0 +1,152 @@ +From 36178c2f16b7e4fc888b3f651778b53e5bbe72ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 27 Feb 2022 12:40:39 +0000 +Subject: net/mlx5: Lag, filter non compatible devices + +From: Mark Bloch + +[ Upstream commit bc4c2f2e017949646b43fdcad005a03462d437c6 ] + +When search for a peer lag device we can filter based on that +device's capabilities. + +Downstream patch will be less strict when filtering compatible devices +and remove the limitation where we require exact MLX5_MAX_PORTS and +change it to a range. + +Signed-off-by: Mark Bloch +Reviewed-by: Maor Gottlieb +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/dev.c | 48 +++++++++++++++---- + drivers/net/ethernet/mellanox/mlx5/core/lag.c | 12 ++--- + .../ethernet/mellanox/mlx5/core/mlx5_core.h | 1 + + 3 files changed, 47 insertions(+), 14 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/dev.c b/drivers/net/ethernet/mellanox/mlx5/core/dev.c +index e8093c4e09d4..94411b34799e 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/dev.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/dev.c +@@ -544,12 +544,9 @@ static u32 mlx5_gen_pci_id(const struct mlx5_core_dev *dev) + PCI_SLOT(dev->pdev->devfn)); + } + +-static int next_phys_dev(struct device *dev, const void *data) ++static int _next_phys_dev(struct mlx5_core_dev *mdev, ++ const struct mlx5_core_dev *curr) + { +- struct mlx5_adev *madev = container_of(dev, struct mlx5_adev, adev.dev); +- struct mlx5_core_dev *mdev = madev->mdev; +- const struct mlx5_core_dev *curr = data; +- + if (!mlx5_core_is_pf(mdev)) + return 0; + +@@ -562,8 +559,29 @@ static int next_phys_dev(struct device *dev, const void *data) + return 1; + } + +-/* Must be called with intf_mutex held */ +-struct mlx5_core_dev *mlx5_get_next_phys_dev(struct mlx5_core_dev *dev) ++static int next_phys_dev(struct device *dev, const void *data) ++{ ++ struct mlx5_adev *madev = container_of(dev, struct mlx5_adev, adev.dev); ++ struct mlx5_core_dev *mdev = madev->mdev; ++ ++ return _next_phys_dev(mdev, data); ++} ++ ++static int next_phys_dev_lag(struct device *dev, const void *data) ++{ ++ struct mlx5_adev *madev = container_of(dev, struct mlx5_adev, adev.dev); ++ struct mlx5_core_dev *mdev = madev->mdev; ++ ++ if (!MLX5_CAP_GEN(mdev, vport_group_manager) || ++ !MLX5_CAP_GEN(mdev, lag_master) || ++ MLX5_CAP_GEN(mdev, num_lag_ports) != MLX5_MAX_PORTS) ++ return 0; ++ ++ return _next_phys_dev(mdev, data); ++} ++ ++static struct mlx5_core_dev *mlx5_get_next_dev(struct mlx5_core_dev *dev, ++ int (*match)(struct device *dev, const void *data)) + { + struct auxiliary_device *adev; + struct mlx5_adev *madev; +@@ -571,7 +589,7 @@ struct mlx5_core_dev *mlx5_get_next_phys_dev(struct mlx5_core_dev *dev) + if (!mlx5_core_is_pf(dev)) + return NULL; + +- adev = auxiliary_find_device(NULL, dev, &next_phys_dev); ++ adev = auxiliary_find_device(NULL, dev, match); + if (!adev) + return NULL; + +@@ -580,6 +598,20 @@ struct mlx5_core_dev *mlx5_get_next_phys_dev(struct mlx5_core_dev *dev) + return madev->mdev; + } + ++/* Must be called with intf_mutex held */ ++struct mlx5_core_dev *mlx5_get_next_phys_dev(struct mlx5_core_dev *dev) ++{ ++ lockdep_assert_held(&mlx5_intf_mutex); ++ return mlx5_get_next_dev(dev, &next_phys_dev); ++} ++ ++/* Must be called with intf_mutex held */ ++struct mlx5_core_dev *mlx5_get_next_phys_dev_lag(struct mlx5_core_dev *dev) ++{ ++ lockdep_assert_held(&mlx5_intf_mutex); ++ return mlx5_get_next_dev(dev, &next_phys_dev_lag); ++} ++ + void mlx5_dev_list_lock(void) + { + mutex_lock(&mlx5_intf_mutex); +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lag.c b/drivers/net/ethernet/mellanox/mlx5/core/lag.c +index c19d9327095b..57d86d47ec2a 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/lag.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/lag.c +@@ -752,12 +752,7 @@ static int __mlx5_lag_dev_add_mdev(struct mlx5_core_dev *dev) + struct mlx5_lag *ldev = NULL; + struct mlx5_core_dev *tmp_dev; + +- if (!MLX5_CAP_GEN(dev, vport_group_manager) || +- !MLX5_CAP_GEN(dev, lag_master) || +- MLX5_CAP_GEN(dev, num_lag_ports) != MLX5_MAX_PORTS) +- return 0; +- +- tmp_dev = mlx5_get_next_phys_dev(dev); ++ tmp_dev = mlx5_get_next_phys_dev_lag(dev); + if (tmp_dev) + ldev = tmp_dev->priv.lag; + +@@ -802,6 +797,11 @@ void mlx5_lag_add_mdev(struct mlx5_core_dev *dev) + { + int err; + ++ if (!MLX5_CAP_GEN(dev, vport_group_manager) || ++ !MLX5_CAP_GEN(dev, lag_master) || ++ MLX5_CAP_GEN(dev, num_lag_ports) != MLX5_MAX_PORTS) ++ return; ++ + recheck: + mlx5_dev_list_lock(); + err = __mlx5_lag_dev_add_mdev(dev); +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/mlx5_core.h b/drivers/net/ethernet/mellanox/mlx5/core/mlx5_core.h +index 230eab7e3bc9..3f3ea8d268ce 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/mlx5_core.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/mlx5_core.h +@@ -186,6 +186,7 @@ void mlx5_detach_device(struct mlx5_core_dev *dev); + int mlx5_register_device(struct mlx5_core_dev *dev); + void mlx5_unregister_device(struct mlx5_core_dev *dev); + struct mlx5_core_dev *mlx5_get_next_phys_dev(struct mlx5_core_dev *dev); ++struct mlx5_core_dev *mlx5_get_next_phys_dev_lag(struct mlx5_core_dev *dev); + void mlx5_dev_list_lock(void); + void mlx5_dev_list_unlock(void); + int mlx5_dev_list_trylock(void); +-- +2.35.1 + diff --git a/queue-5.15/net-mlx5-rearm-the-fw-tracer-after-each-tracer-event.patch b/queue-5.15/net-mlx5-rearm-the-fw-tracer-after-each-tracer-event.patch new file mode 100644 index 00000000000..f0680d5fa66 --- /dev/null +++ b/queue-5.15/net-mlx5-rearm-the-fw-tracer-after-each-tracer-event.patch @@ -0,0 +1,59 @@ +From 767787815a18d198d4d6574566ad88170f772094 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Mar 2022 21:47:48 +0200 +Subject: net/mlx5: Rearm the FW tracer after each tracer event + +From: Feras Daoud + +[ Upstream commit 8bf94e6414c9481bfa28269022688ab445d0081d ] + +The current design does not arm the tracer if traces are available before +the tracer string database is fully loaded, leading to an unfunctional tracer. +This fix will rearm the tracer every time the FW triggers tracer event +regardless of the tracer strings database status. + +Fixes: c71ad41ccb0c ("net/mlx5: FW tracer, events handling") +Signed-off-by: Feras Daoud +Signed-off-by: Roy Novich +Reviewed-by: Moshe Shemesh +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c +index f9cf9fb31547..ea46152816f9 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c +@@ -675,6 +675,9 @@ static void mlx5_fw_tracer_handle_traces(struct work_struct *work) + if (!tracer->owner) + return; + ++ if (unlikely(!tracer->str_db.loaded)) ++ goto arm; ++ + block_count = tracer->buff.size / TRACER_BLOCK_SIZE_BYTE; + start_offset = tracer->buff.consumer_index * TRACER_BLOCK_SIZE_BYTE; + +@@ -732,6 +735,7 @@ static void mlx5_fw_tracer_handle_traces(struct work_struct *work) + &tmp_trace_block[TRACES_PER_BLOCK - 1]); + } + ++arm: + mlx5_fw_tracer_arm(dev); + } + +@@ -1137,8 +1141,7 @@ static int fw_tracer_event(struct notifier_block *nb, unsigned long action, void + queue_work(tracer->work_queue, &tracer->ownership_change_work); + break; + case MLX5_TRACER_SUBTYPE_TRACES_AVAILABLE: +- if (likely(tracer->str_db.loaded)) +- queue_work(tracer->work_queue, &tracer->handle_traces_work); ++ queue_work(tracer->work_queue, &tracer->handle_traces_work); + break; + default: + mlx5_core_dbg(dev, "FWTracer: Event with unrecognized subtype: sub_type %d\n", +-- +2.35.1 + diff --git a/queue-5.15/net-xfrm-unexport-__init-annotated-xfrm4_protocol_in.patch b/queue-5.15/net-xfrm-unexport-__init-annotated-xfrm4_protocol_in.patch new file mode 100644 index 00000000000..0cc4aa1153d --- /dev/null +++ b/queue-5.15/net-xfrm-unexport-__init-annotated-xfrm4_protocol_in.patch @@ -0,0 +1,50 @@ +From d26ae4ee3b96b09f00805ebad182e5a0cf71a42f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Jun 2022 13:53:54 +0900 +Subject: net: xfrm: unexport __init-annotated xfrm4_protocol_init() + +From: Masahiro Yamada + +[ Upstream commit 4a388f08d8784af48f352193d2b72aaf167a57a1 ] + +EXPORT_SYMBOL and __init is a bad combination because the .init.text +section is freed up after the initialization. Hence, modules cannot +use symbols annotated __init. The access to a freed symbol may end up +with kernel panic. + +modpost used to detect it, but it has been broken for a decade. + +Recently, I fixed modpost so it started to warn it again, then this +showed up in linux-next builds. + +There are two ways to fix it: + + - Remove __init + - Remove EXPORT_SYMBOL + +I chose the latter for this case because the only in-tree call-site, +net/ipv4/xfrm4_policy.c is never compiled as modular. +(CONFIG_XFRM is boolean) + +Fixes: 2f32b51b609f ("xfrm: Introduce xfrm_input_afinfo to access the the callbacks properly") +Reported-by: Stephen Rothwell +Signed-off-by: Masahiro Yamada +Acked-by: Steffen Klassert +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/xfrm4_protocol.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/net/ipv4/xfrm4_protocol.c b/net/ipv4/xfrm4_protocol.c +index 2fe5860c21d6..b146ce88c5d0 100644 +--- a/net/ipv4/xfrm4_protocol.c ++++ b/net/ipv4/xfrm4_protocol.c +@@ -304,4 +304,3 @@ void __init xfrm4_protocol_init(void) + { + xfrm_input_register_afinfo(&xfrm4_input_afinfo); + } +-EXPORT_SYMBOL(xfrm4_protocol_init); +-- +2.35.1 + diff --git a/queue-5.15/netfilter-nat-really-support-inet-nat-without-l3-add.patch b/queue-5.15/netfilter-nat-really-support-inet-nat-without-l3-add.patch new file mode 100644 index 00000000000..739dd817d27 --- /dev/null +++ b/queue-5.15/netfilter-nat-really-support-inet-nat-without-l3-add.patch @@ -0,0 +1,103 @@ +From 4897ce2a6fe4adc37945fbdd4f369f3123a9ce76 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Jun 2022 10:47:35 +0200 +Subject: netfilter: nat: really support inet nat without l3 address + +From: Florian Westphal + +[ Upstream commit 282e5f8fe907dc3f2fbf9f2103b0e62ffc3a68a5 ] + +When no l3 address is given, priv->family is set to NFPROTO_INET and +the evaluation function isn't called. + +Call it too so l4-only rewrite can work. +Also add a test case for this. + +Fixes: a33f387ecd5aa ("netfilter: nft_nat: allow to specify layer 4 protocol NAT only") +Reported-by: Yi Chen +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_nat.c | 3 +- + tools/testing/selftests/netfilter/nft_nat.sh | 43 ++++++++++++++++++++ + 2 files changed, 45 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nft_nat.c b/net/netfilter/nft_nat.c +index be1595d6979d..db8f9116eeb4 100644 +--- a/net/netfilter/nft_nat.c ++++ b/net/netfilter/nft_nat.c +@@ -334,7 +334,8 @@ static void nft_nat_inet_eval(const struct nft_expr *expr, + { + const struct nft_nat *priv = nft_expr_priv(expr); + +- if (priv->family == nft_pf(pkt)) ++ if (priv->family == nft_pf(pkt) || ++ priv->family == NFPROTO_INET) + nft_nat_eval(expr, regs, pkt); + } + +diff --git a/tools/testing/selftests/netfilter/nft_nat.sh b/tools/testing/selftests/netfilter/nft_nat.sh +index 781fa2d9ea9d..032f2de6e14e 100755 +--- a/tools/testing/selftests/netfilter/nft_nat.sh ++++ b/tools/testing/selftests/netfilter/nft_nat.sh +@@ -374,6 +374,45 @@ EOF + return $lret + } + ++test_local_dnat_portonly() ++{ ++ local family=$1 ++ local daddr=$2 ++ local lret=0 ++ local sr_s ++ local sr_r ++ ++ip netns exec "$ns0" nft -f /dev/stdin < +Date: Wed, 1 Jun 2022 17:49:36 +0200 +Subject: netfilter: nf_tables: always initialize flowtable hook list in + transaction + +From: Pablo Neira Ayuso + +[ Upstream commit 2c9e4559773c261900c674a86b8e455911675d71 ] + +The hook list is used if nft_trans_flowtable_update(trans) == true. However, +initialize this list for other cases for safety reasons. + +Fixes: 78d9f48f7f44 ("netfilter: nf_tables: add devices to existing flowtable") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index b19974073156..5c0379394b4a 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -544,6 +544,7 @@ static int nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type, + if (msg_type == NFT_MSG_NEWFLOWTABLE) + nft_activate_next(ctx->net, flowtable); + ++ INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans)); + nft_trans_flowtable(trans) = flowtable; + nft_trans_commit_list_add_tail(ctx->net, trans); + +-- +2.35.1 + diff --git a/queue-5.15/netfilter-nf_tables-bail-out-early-if-hardware-offlo.patch b/queue-5.15/netfilter-nf_tables-bail-out-early-if-hardware-offlo.patch new file mode 100644 index 00000000000..d1fe0d85e0b --- /dev/null +++ b/queue-5.15/netfilter-nf_tables-bail-out-early-if-hardware-offlo.patch @@ -0,0 +1,122 @@ +From d1aa2e469f7785e86d396d0b1f8facdd15100dda Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Jun 2022 17:31:29 +0200 +Subject: netfilter: nf_tables: bail out early if hardware offload is not + supported + +From: Pablo Neira Ayuso + +[ Upstream commit 3a41c64d9c1185a2f3a184015e2a9b78bfc99c71 ] + +If user requests for NFT_CHAIN_HW_OFFLOAD, then check if either device +provides the .ndo_setup_tc interface or there is an indirect flow block +that has been registered. Otherwise, bail out early from the preparation +phase. Moreover, validate that family == NFPROTO_NETDEV and hook is +NF_NETDEV_INGRESS. + +Fixes: c9626a2cbdb2 ("netfilter: nf_tables: add hardware offload support") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/net/flow_offload.h | 1 + + include/net/netfilter/nf_tables_offload.h | 2 +- + net/core/flow_offload.c | 6 ++++++ + net/netfilter/nf_tables_api.c | 2 +- + net/netfilter/nf_tables_offload.c | 23 ++++++++++++++++++++++- + 5 files changed, 31 insertions(+), 3 deletions(-) + +diff --git a/include/net/flow_offload.h b/include/net/flow_offload.h +index 3961461d9c8b..7a2b0223a02c 100644 +--- a/include/net/flow_offload.h ++++ b/include/net/flow_offload.h +@@ -575,5 +575,6 @@ int flow_indr_dev_setup_offload(struct net_device *dev, struct Qdisc *sch, + enum tc_setup_type type, void *data, + struct flow_block_offload *bo, + void (*cleanup)(struct flow_block_cb *block_cb)); ++bool flow_indr_dev_exists(void); + + #endif /* _NET_FLOW_OFFLOAD_H */ +diff --git a/include/net/netfilter/nf_tables_offload.h b/include/net/netfilter/nf_tables_offload.h +index 797147843958..3568b6a2f5f0 100644 +--- a/include/net/netfilter/nf_tables_offload.h ++++ b/include/net/netfilter/nf_tables_offload.h +@@ -92,7 +92,7 @@ int nft_flow_rule_offload_commit(struct net *net); + NFT_OFFLOAD_MATCH(__key, __base, __field, __len, __reg) \ + memset(&(__reg)->mask, 0xff, (__reg)->len); + +-int nft_chain_offload_priority(struct nft_base_chain *basechain); ++bool nft_chain_offload_support(const struct nft_base_chain *basechain); + + int nft_offload_init(void); + void nft_offload_exit(void); +diff --git a/net/core/flow_offload.c b/net/core/flow_offload.c +index 6beaea13564a..fb11103fa8af 100644 +--- a/net/core/flow_offload.c ++++ b/net/core/flow_offload.c +@@ -565,3 +565,9 @@ int flow_indr_dev_setup_offload(struct net_device *dev, struct Qdisc *sch, + return list_empty(&bo->cb_list) ? -EOPNOTSUPP : 0; + } + EXPORT_SYMBOL(flow_indr_dev_setup_offload); ++ ++bool flow_indr_dev_exists(void) ++{ ++ return !list_empty(&flow_block_indr_dev_list); ++} ++EXPORT_SYMBOL(flow_indr_dev_exists); +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 1528620df34c..1b4bc588f8d6 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -2072,7 +2072,7 @@ static int nft_basechain_init(struct nft_base_chain *basechain, u8 family, + chain->flags |= NFT_CHAIN_BASE | flags; + basechain->policy = NF_ACCEPT; + if (chain->flags & NFT_CHAIN_HW_OFFLOAD && +- nft_chain_offload_priority(basechain) < 0) ++ !nft_chain_offload_support(basechain)) + return -EOPNOTSUPP; + + flow_block_init(&basechain->flow_block); +diff --git a/net/netfilter/nf_tables_offload.c b/net/netfilter/nf_tables_offload.c +index 2d36952b1392..910ef881c3b8 100644 +--- a/net/netfilter/nf_tables_offload.c ++++ b/net/netfilter/nf_tables_offload.c +@@ -208,7 +208,7 @@ static int nft_setup_cb_call(enum tc_setup_type type, void *type_data, + return 0; + } + +-int nft_chain_offload_priority(struct nft_base_chain *basechain) ++static int nft_chain_offload_priority(const struct nft_base_chain *basechain) + { + if (basechain->ops.priority <= 0 || + basechain->ops.priority > USHRT_MAX) +@@ -217,6 +217,27 @@ int nft_chain_offload_priority(struct nft_base_chain *basechain) + return 0; + } + ++bool nft_chain_offload_support(const struct nft_base_chain *basechain) ++{ ++ struct net_device *dev; ++ struct nft_hook *hook; ++ ++ if (nft_chain_offload_priority(basechain) < 0) ++ return false; ++ ++ list_for_each_entry(hook, &basechain->hook_list, list) { ++ if (hook->ops.pf != NFPROTO_NETDEV || ++ hook->ops.hooknum != NF_NETDEV_INGRESS) ++ return false; ++ ++ dev = hook->ops.dev; ++ if (!dev->netdev_ops->ndo_setup_tc && !flow_indr_dev_exists()) ++ return false; ++ } ++ ++ return true; ++} ++ + static void nft_flow_cls_offload_setup(struct flow_cls_offload *cls_flow, + const struct nft_base_chain *basechain, + const struct nft_rule *rule, +-- +2.35.1 + diff --git a/queue-5.15/netfilter-nf_tables-delete-flowtable-hooks-via-trans.patch b/queue-5.15/netfilter-nf_tables-delete-flowtable-hooks-via-trans.patch new file mode 100644 index 00000000000..ebe8e6208b5 --- /dev/null +++ b/queue-5.15/netfilter-nf_tables-delete-flowtable-hooks-via-trans.patch @@ -0,0 +1,136 @@ +From 4b67aff8a20653a3d9d95de37b37f643dab0cdc9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 May 2022 18:40:06 +0200 +Subject: netfilter: nf_tables: delete flowtable hooks via transaction list + +From: Pablo Neira Ayuso + +[ Upstream commit b6d9014a3335194590abdd2a2471ef5147a67645 ] + +Remove inactive bool field in nft_hook object that was introduced in +abadb2f865d7 ("netfilter: nf_tables: delete devices from flowtable"). +Move stale flowtable hooks to transaction list instead. + +Deleting twice the same device does not result in ENOENT. + +Fixes: abadb2f865d7 ("netfilter: nf_tables: delete devices from flowtable") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/net/netfilter/nf_tables.h | 1 - + net/netfilter/nf_tables_api.c | 31 ++++++------------------------- + 2 files changed, 6 insertions(+), 26 deletions(-) + +diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h +index d52a5d776e76..2af1c2c64128 100644 +--- a/include/net/netfilter/nf_tables.h ++++ b/include/net/netfilter/nf_tables.h +@@ -1053,7 +1053,6 @@ struct nft_stats { + + struct nft_hook { + struct list_head list; +- bool inactive; + struct nf_hook_ops ops; + struct rcu_head rcu; + }; +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 5833fe17be43..b19974073156 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -1835,7 +1835,6 @@ static struct nft_hook *nft_netdev_hook_alloc(struct net *net, + goto err_hook_dev; + } + hook->ops.dev = dev; +- hook->inactive = false; + + return hook; + +@@ -7517,6 +7516,7 @@ static int nft_delflowtable_hook(struct nft_ctx *ctx, + { + const struct nlattr * const *nla = ctx->nla; + struct nft_flowtable_hook flowtable_hook; ++ LIST_HEAD(flowtable_del_list); + struct nft_hook *this, *hook; + struct nft_trans *trans; + int err; +@@ -7532,7 +7532,7 @@ static int nft_delflowtable_hook(struct nft_ctx *ctx, + err = -ENOENT; + goto err_flowtable_del_hook; + } +- hook->inactive = true; ++ list_move(&hook->list, &flowtable_del_list); + } + + trans = nft_trans_alloc(ctx, NFT_MSG_DELFLOWTABLE, +@@ -7545,6 +7545,7 @@ static int nft_delflowtable_hook(struct nft_ctx *ctx, + nft_trans_flowtable(trans) = flowtable; + nft_trans_flowtable_update(trans) = true; + INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans)); ++ list_splice(&flowtable_del_list, &nft_trans_flowtable_hooks(trans)); + nft_flowtable_hook_release(&flowtable_hook); + + nft_trans_commit_list_add_tail(ctx->net, trans); +@@ -7552,13 +7553,7 @@ static int nft_delflowtable_hook(struct nft_ctx *ctx, + return 0; + + err_flowtable_del_hook: +- list_for_each_entry(this, &flowtable_hook.list, list) { +- hook = nft_hook_list_find(&flowtable->hook_list, this); +- if (!hook) +- break; +- +- hook->inactive = false; +- } ++ list_splice(&flowtable_del_list, &flowtable->hook_list); + nft_flowtable_hook_release(&flowtable_hook); + + return err; +@@ -8413,17 +8408,6 @@ void nft_chain_del(struct nft_chain *chain) + list_del_rcu(&chain->list); + } + +-static void nft_flowtable_hooks_del(struct nft_flowtable *flowtable, +- struct list_head *hook_list) +-{ +- struct nft_hook *hook, *next; +- +- list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) { +- if (hook->inactive) +- list_move(&hook->list, hook_list); +- } +-} +- + static void nf_tables_module_autoload_cleanup(struct net *net) + { + struct nftables_pernet *nft_net = nft_pernet(net); +@@ -8768,8 +8752,6 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb) + break; + case NFT_MSG_DELFLOWTABLE: + if (nft_trans_flowtable_update(trans)) { +- nft_flowtable_hooks_del(nft_trans_flowtable(trans), +- &nft_trans_flowtable_hooks(trans)); + nf_tables_flowtable_notify(&trans->ctx, + nft_trans_flowtable(trans), + &nft_trans_flowtable_hooks(trans), +@@ -8850,7 +8832,6 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action) + struct nftables_pernet *nft_net = nft_pernet(net); + struct nft_trans *trans, *next; + struct nft_trans_elem *te; +- struct nft_hook *hook; + + if (action == NFNL_ABORT_VALIDATE && + nf_tables_validate(net) < 0) +@@ -8981,8 +8962,8 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action) + break; + case NFT_MSG_DELFLOWTABLE: + if (nft_trans_flowtable_update(trans)) { +- list_for_each_entry(hook, &nft_trans_flowtable(trans)->hook_list, list) +- hook->inactive = false; ++ list_splice(&nft_trans_flowtable_hooks(trans), ++ &nft_trans_flowtable(trans)->hook_list); + } else { + trans->ctx.table->use++; + nft_clear(trans->ctx.net, nft_trans_flowtable(trans)); +-- +2.35.1 + diff --git a/queue-5.15/netfilter-nf_tables-memleak-flow-rule-from-commit-pa.patch b/queue-5.15/netfilter-nf_tables-memleak-flow-rule-from-commit-pa.patch new file mode 100644 index 00000000000..2346e969d67 --- /dev/null +++ b/queue-5.15/netfilter-nf_tables-memleak-flow-rule-from-commit-pa.patch @@ -0,0 +1,46 @@ +From 6337db5e6f11411b1d67600f8f7307c3298b8b45 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Jun 2022 17:15:57 +0200 +Subject: netfilter: nf_tables: memleak flow rule from commit path + +From: Pablo Neira Ayuso + +[ Upstream commit 9dd732e0bdf538b1b76dc7c157e2b5e560ff30d3 ] + +Abort path release flow rule object, however, commit path does not. +Update code to destroy these objects before releasing the transaction. + +Fixes: c9626a2cbdb2 ("netfilter: nf_tables: add hardware offload support") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index af2ae42cc5c7..1528620df34c 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -8228,6 +8228,9 @@ static void nft_commit_release(struct nft_trans *trans) + nf_tables_chain_destroy(&trans->ctx); + break; + case NFT_MSG_DELRULE: ++ if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD) ++ nft_flow_rule_destroy(nft_trans_flow_rule(trans)); ++ + nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans)); + break; + case NFT_MSG_DELSET: +@@ -8667,6 +8670,9 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb) + nf_tables_rule_notify(&trans->ctx, + nft_trans_rule(trans), + NFT_MSG_NEWRULE); ++ if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD) ++ nft_flow_rule_destroy(nft_trans_flow_rule(trans)); ++ + nft_trans_destroy(trans); + break; + case NFT_MSG_DELRULE: +-- +2.35.1 + diff --git a/queue-5.15/netfilter-nf_tables-release-new-hooks-on-unsupported.patch b/queue-5.15/netfilter-nf_tables-release-new-hooks-on-unsupported.patch new file mode 100644 index 00000000000..218993e7d48 --- /dev/null +++ b/queue-5.15/netfilter-nf_tables-release-new-hooks-on-unsupported.patch @@ -0,0 +1,47 @@ +From 0bb2a0f4882462004cbd2603fab6ecc4200d9069 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 5 Jun 2022 13:40:06 +0200 +Subject: netfilter: nf_tables: release new hooks on unsupported flowtable + flags + +From: Pablo Neira Ayuso + +[ Upstream commit c271cc9febaaa1bcbc0842d1ee30466aa6148ea8 ] + +Release the list of new hooks that are pending to be registered in case +that unsupported flowtable flags are provided. + +Fixes: 78d9f48f7f44 ("netfilter: nf_tables: add devices to existing flowtable") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 5c0379394b4a..af2ae42cc5c7 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -7332,11 +7332,15 @@ static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh, + + if (nla[NFTA_FLOWTABLE_FLAGS]) { + flags = ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS])); +- if (flags & ~NFT_FLOWTABLE_MASK) +- return -EOPNOTSUPP; ++ if (flags & ~NFT_FLOWTABLE_MASK) { ++ err = -EOPNOTSUPP; ++ goto err_flowtable_update_hook; ++ } + if ((flowtable->data.flags & NFT_FLOWTABLE_HW_OFFLOAD) ^ +- (flags & NFT_FLOWTABLE_HW_OFFLOAD)) +- return -EOPNOTSUPP; ++ (flags & NFT_FLOWTABLE_HW_OFFLOAD)) { ++ err = -EOPNOTSUPP; ++ goto err_flowtable_update_hook; ++ } + } else { + flags = flowtable->data.flags; + } +-- +2.35.1 + diff --git a/queue-5.15/netfilter-nf_tables-use-kfree_rcu-ptr-rcu-to-release.patch b/queue-5.15/netfilter-nf_tables-use-kfree_rcu-ptr-rcu-to-release.patch new file mode 100644 index 00000000000..35aff4a39db --- /dev/null +++ b/queue-5.15/netfilter-nf_tables-use-kfree_rcu-ptr-rcu-to-release.patch @@ -0,0 +1,36 @@ +From c8b0f900cc2fd66e869e0470494d655e3e9dcc49 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Jun 2022 16:00:00 +0200 +Subject: netfilter: nf_tables: use kfree_rcu(ptr, rcu) to release hooks in + clean_net path + +From: Pablo Neira Ayuso + +[ Upstream commit ab5e5c062f67c5ae8cd07f0632ffa62dc0e7d169 ] + +Use kfree_rcu(ptr, rcu) variant instead as described by ae089831ff28 +("netfilter: nf_tables: prefer kfree_rcu(ptr, rcu) variant"). + +Fixes: f9a43007d3f7 ("netfilter: nf_tables: double hook unregistration in netns path") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 79e8fc687fdd..5833fe17be43 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -7231,7 +7231,7 @@ static void __nft_unregister_flowtable_net_hooks(struct net *net, + nf_unregister_net_hook(net, &hook->ops); + if (release_netdev) { + list_del(&hook->list); +- kfree_rcu(hook); ++ kfree_rcu(hook, rcu); + } + } + } +-- +2.35.1 + diff --git a/queue-5.15/nfp-flower-restructure-flow-key-for-gre-vlan-combina.patch b/queue-5.15/nfp-flower-restructure-flow-key-for-gre-vlan-combina.patch new file mode 100644 index 00000000000..3771ca4cd61 --- /dev/null +++ b/queue-5.15/nfp-flower-restructure-flow-key-for-gre-vlan-combina.patch @@ -0,0 +1,129 @@ +From eb013e1184b0a2bdb56d8d825f2aea1ed45146f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Jun 2022 11:29:01 +0200 +Subject: nfp: flower: restructure flow-key for gre+vlan combination + +From: Etienne van der Linde + +[ Upstream commit a0b843340dae704e17c1ddfad0f85c583c36757f ] + +Swap around the GRE and VLAN parts in the flow-key offloaded by +the driver to fit in with other tunnel types and the firmware. +Without this change used cases with GRE+VLAN on the outer header +does not get offloaded as the flow-key mismatches what the +firmware expect. + +Fixes: 0d630f58989a ("nfp: flower: add support to offload QinQ match") +Fixes: 5a2b93041646 ("nfp: flower-ct: compile match sections of flow_payload") +Signed-off-by: Etienne van der Linde +Signed-off-by: Louis Peens +Signed-off-by: Yinjun Zhang +Signed-off-by: Simon Horman +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../ethernet/netronome/nfp/flower/conntrack.c | 32 +++++++++---------- + .../net/ethernet/netronome/nfp/flower/match.c | 16 +++++----- + 2 files changed, 24 insertions(+), 24 deletions(-) + +diff --git a/drivers/net/ethernet/netronome/nfp/flower/conntrack.c b/drivers/net/ethernet/netronome/nfp/flower/conntrack.c +index bfd7d1c35076..7e9fcc16286e 100644 +--- a/drivers/net/ethernet/netronome/nfp/flower/conntrack.c ++++ b/drivers/net/ethernet/netronome/nfp/flower/conntrack.c +@@ -442,6 +442,11 @@ nfp_fl_calc_key_layers_sz(struct nfp_fl_key_ls in_key_ls, uint16_t *map) + key_size += sizeof(struct nfp_flower_ipv6); + } + ++ if (in_key_ls.key_layer_two & NFP_FLOWER_LAYER2_QINQ) { ++ map[FLOW_PAY_QINQ] = key_size; ++ key_size += sizeof(struct nfp_flower_vlan); ++ } ++ + if (in_key_ls.key_layer_two & NFP_FLOWER_LAYER2_GRE) { + map[FLOW_PAY_GRE] = key_size; + if (in_key_ls.key_layer_two & NFP_FLOWER_LAYER2_TUN_IPV6) +@@ -450,11 +455,6 @@ nfp_fl_calc_key_layers_sz(struct nfp_fl_key_ls in_key_ls, uint16_t *map) + key_size += sizeof(struct nfp_flower_ipv4_gre_tun); + } + +- if (in_key_ls.key_layer_two & NFP_FLOWER_LAYER2_QINQ) { +- map[FLOW_PAY_QINQ] = key_size; +- key_size += sizeof(struct nfp_flower_vlan); +- } +- + if ((in_key_ls.key_layer & NFP_FLOWER_LAYER_VXLAN) || + (in_key_ls.key_layer_two & NFP_FLOWER_LAYER2_GENEVE)) { + map[FLOW_PAY_UDP_TUN] = key_size; +@@ -693,6 +693,17 @@ static int nfp_fl_ct_add_offload(struct nfp_fl_nft_tc_merge *m_entry) + } + } + ++ if (NFP_FLOWER_LAYER2_QINQ & key_layer.key_layer_two) { ++ offset = key_map[FLOW_PAY_QINQ]; ++ key = kdata + offset; ++ msk = mdata + offset; ++ for (i = 0; i < _CT_TYPE_MAX; i++) { ++ nfp_flower_compile_vlan((struct nfp_flower_vlan *)key, ++ (struct nfp_flower_vlan *)msk, ++ rules[i]); ++ } ++ } ++ + if (key_layer.key_layer_two & NFP_FLOWER_LAYER2_GRE) { + offset = key_map[FLOW_PAY_GRE]; + key = kdata + offset; +@@ -733,17 +744,6 @@ static int nfp_fl_ct_add_offload(struct nfp_fl_nft_tc_merge *m_entry) + } + } + +- if (NFP_FLOWER_LAYER2_QINQ & key_layer.key_layer_two) { +- offset = key_map[FLOW_PAY_QINQ]; +- key = kdata + offset; +- msk = mdata + offset; +- for (i = 0; i < _CT_TYPE_MAX; i++) { +- nfp_flower_compile_vlan((struct nfp_flower_vlan *)key, +- (struct nfp_flower_vlan *)msk, +- rules[i]); +- } +- } +- + if (key_layer.key_layer & NFP_FLOWER_LAYER_VXLAN || + key_layer.key_layer_two & NFP_FLOWER_LAYER2_GENEVE) { + offset = key_map[FLOW_PAY_UDP_TUN]; +diff --git a/drivers/net/ethernet/netronome/nfp/flower/match.c b/drivers/net/ethernet/netronome/nfp/flower/match.c +index 9d86eea4dc16..fb8bd2135c63 100644 +--- a/drivers/net/ethernet/netronome/nfp/flower/match.c ++++ b/drivers/net/ethernet/netronome/nfp/flower/match.c +@@ -602,6 +602,14 @@ int nfp_flower_compile_flow_match(struct nfp_app *app, + msk += sizeof(struct nfp_flower_ipv6); + } + ++ if (NFP_FLOWER_LAYER2_QINQ & key_ls->key_layer_two) { ++ nfp_flower_compile_vlan((struct nfp_flower_vlan *)ext, ++ (struct nfp_flower_vlan *)msk, ++ rule); ++ ext += sizeof(struct nfp_flower_vlan); ++ msk += sizeof(struct nfp_flower_vlan); ++ } ++ + if (key_ls->key_layer_two & NFP_FLOWER_LAYER2_GRE) { + if (key_ls->key_layer_two & NFP_FLOWER_LAYER2_TUN_IPV6) { + struct nfp_flower_ipv6_gre_tun *gre_match; +@@ -637,14 +645,6 @@ int nfp_flower_compile_flow_match(struct nfp_app *app, + } + } + +- if (NFP_FLOWER_LAYER2_QINQ & key_ls->key_layer_two) { +- nfp_flower_compile_vlan((struct nfp_flower_vlan *)ext, +- (struct nfp_flower_vlan *)msk, +- rule); +- ext += sizeof(struct nfp_flower_vlan); +- msk += sizeof(struct nfp_flower_vlan); +- } +- + if (key_ls->key_layer & NFP_FLOWER_LAYER_VXLAN || + key_ls->key_layer_two & NFP_FLOWER_LAYER2_GENEVE) { + if (key_ls->key_layer_two & NFP_FLOWER_LAYER2_TUN_IPV6) { +-- +2.35.1 + diff --git a/queue-5.15/powerpc-kasan-force-thread-size-increase-with-kasan.patch b/queue-5.15/powerpc-kasan-force-thread-size-increase-with-kasan.patch new file mode 100644 index 00000000000..37eafab9078 --- /dev/null +++ b/queue-5.15/powerpc-kasan-force-thread-size-increase-with-kasan.patch @@ -0,0 +1,71 @@ +From cc4399557e1fe72669a442a3fe9e299ce0daed6d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Jun 2022 00:31:14 +1000 +Subject: powerpc/kasan: Force thread size increase with KASAN + +From: Michael Ellerman + +[ Upstream commit 3e8635fb2e072672cbc650989ffedf8300ad67fb ] + +KASAN causes increased stack usage, which can lead to stack overflows. + +The logic in Kconfig to suggest a larger default doesn't work if a user +has CONFIG_EXPERT enabled and has an existing .config with a smaller +value. + +Follow the lead of x86 and arm64, and force the thread size to be +increased when KASAN is enabled. + +That also has the effect of enlarging the stack for 64-bit KASAN builds, +which is also desirable. + +Fixes: edbadaf06710 ("powerpc/kasan: Fix stack overflow by increasing THREAD_SHIFT") +Reported-by: Erhard Furtner +Reported-by: Christophe Leroy +[mpe: Use MIN_THREAD_SHIFT as suggested by Christophe] +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20220601143114.133524-1-mpe@ellerman.id.au +Signed-off-by: Sasha Levin +--- + arch/powerpc/Kconfig | 1 - + arch/powerpc/include/asm/thread_info.h | 10 ++++++++-- + 2 files changed, 8 insertions(+), 3 deletions(-) + +diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig +index 6b9f523882c5..3bd3a3f16648 100644 +--- a/arch/powerpc/Kconfig ++++ b/arch/powerpc/Kconfig +@@ -768,7 +768,6 @@ config THREAD_SHIFT + range 13 15 + default "15" if PPC_256K_PAGES + default "14" if PPC64 +- default "14" if KASAN + default "13" + help + Used to define the stack size. The default is almost always what you +diff --git a/arch/powerpc/include/asm/thread_info.h b/arch/powerpc/include/asm/thread_info.h +index 2a4ea0e213a9..87013ac2a640 100644 +--- a/arch/powerpc/include/asm/thread_info.h ++++ b/arch/powerpc/include/asm/thread_info.h +@@ -14,10 +14,16 @@ + + #ifdef __KERNEL__ + +-#if defined(CONFIG_VMAP_STACK) && CONFIG_THREAD_SHIFT < PAGE_SHIFT ++#ifdef CONFIG_KASAN ++#define MIN_THREAD_SHIFT (CONFIG_THREAD_SHIFT + 1) ++#else ++#define MIN_THREAD_SHIFT CONFIG_THREAD_SHIFT ++#endif ++ ++#if defined(CONFIG_VMAP_STACK) && MIN_THREAD_SHIFT < PAGE_SHIFT + #define THREAD_SHIFT PAGE_SHIFT + #else +-#define THREAD_SHIFT CONFIG_THREAD_SHIFT ++#define THREAD_SHIFT MIN_THREAD_SHIFT + #endif + + #define THREAD_SIZE (1 << THREAD_SHIFT) +-- +2.35.1 + diff --git a/queue-5.15/series b/queue-5.15/series index 8bea7c63270..8a3942a4fff 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -128,3 +128,38 @@ risc-v-use-memcpy-for-kexec_file-mode.patch m68knommu-fix-undefined-reference-to-mach_get_rtc_pl.patch f2fs-fix-to-tag-gcing-flag-on-page-during-file-defra.patch xprtrdma-treat-all-calls-not-a-bcall-when-bc_serv-is.patch +drm-bridge-sn65dsi83-fix-an-error-handling-path-in-s.patch +drm-bridge-ti-sn65dsi83-handle-dsi_lanes-0-as-invali.patch +netfilter-nat-really-support-inet-nat-without-l3-add.patch +netfilter-nf_tables-use-kfree_rcu-ptr-rcu-to-release.patch +netfilter-nf_tables-delete-flowtable-hooks-via-trans.patch +powerpc-kasan-force-thread-size-increase-with-kasan.patch +sunrpc-trap-rdma-segment-overflows.patch +netfilter-nf_tables-always-initialize-flowtable-hook.patch +ata-pata_octeon_cf-fix-refcount-leak-in-octeon_cf_pr.patch +netfilter-nf_tables-release-new-hooks-on-unsupported.patch +netfilter-nf_tables-memleak-flow-rule-from-commit-pa.patch +netfilter-nf_tables-bail-out-early-if-hardware-offlo.patch +xen-unexport-__init-annotated-xen_xlate_map_balloone.patch +stmmac-intel-fix-an-error-handling-path-in-intel_eth.patch +af_unix-fix-a-data-race-in-unix_dgram_peer_wake_me.patch +bpf-arm64-clear-prog-jited_len-along-prog-jited.patch +net-dsa-lantiq_gswip-fix-refcount-leak-in-gswip_gphy.patch +net-mlx4_en-fix-wrong-return-value-on-ioctl-eeprom-q.patch +i40e-xsk-move-tmp-desc-array-from-driver-to-pool.patch +xsk-fix-handling-of-invalid-descriptors-in-xsk-tx-ba.patch +sunrpc-fix-the-calculation-of-xdr-end-in-xdr_get_nex.patch +net-mdio-unexport-__init-annotated-mdio_bus_init.patch +net-xfrm-unexport-__init-annotated-xfrm4_protocol_in.patch +net-ipv6-unexport-__init-annotated-seg6_hmac_init.patch +net-mlx5-lag-filter-non-compatible-devices.patch +net-mlx5-fix-mlx5_get_next_dev-peer-device-matching.patch +net-mlx5-rearm-the-fw-tracer-after-each-tracer-event.patch +net-mlx5-fs-fail-conflicting-actions.patch +ip_gre-test-csum_start-instead-of-transport-header.patch +net-altera-fix-refcount-leak-in-altera_tse_mdio_crea.patch +net-dsa-mv88e6xxx-use-bmsr_anegcomplete-bit-for-fill.patch +tcp-use-alloc_large_system_hash-to-allocate-table_pe.patch +drm-imx-fix-compiler-warning-with-gcc-12.patch +nfp-flower-restructure-flow-key-for-gre-vlan-combina.patch +iov_iter-fix-iter_xarray_get_pages-_alloc.patch diff --git a/queue-5.15/stmmac-intel-fix-an-error-handling-path-in-intel_eth.patch b/queue-5.15/stmmac-intel-fix-an-error-handling-path-in-intel_eth.patch new file mode 100644 index 00000000000..3b288260c30 --- /dev/null +++ b/queue-5.15/stmmac-intel-fix-an-error-handling-path-in-intel_eth.patch @@ -0,0 +1,49 @@ +From b9f87bfbd2d96d720c5778ee9592a0a25ef2ce26 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 5 Jun 2022 22:50:48 +0200 +Subject: stmmac: intel: Fix an error handling path in intel_eth_pci_probe() + +From: Christophe JAILLET + +[ Upstream commit 5e74a4b3ec1816e3bbfd715d46ae29d2508079cb ] + +When the managed API is used, there is no need to explicitly call +pci_free_irq_vectors(). + +This looks to be a left-over from the commit in the Fixes tag. Only the +.remove() function had been updated. + +So remove this unused function call and update goto label accordingly. + +Fixes: 8accc467758e ("stmmac: intel: use managed PCI function on probe and resume") +Signed-off-by: Christophe JAILLET +Reviewed-by: Wong Vee Khee +Link: https://lore.kernel.org/r/1ac9b6787b0db83b0095711882c55c77c8ea8da0.1654462241.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/dwmac-intel.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-intel.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-intel.c +index 6f87e296a410..502fbbc082fb 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-intel.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-intel.c +@@ -1073,13 +1073,11 @@ static int intel_eth_pci_probe(struct pci_dev *pdev, + + ret = stmmac_dvr_probe(&pdev->dev, plat, &res); + if (ret) { +- goto err_dvr_probe; ++ goto err_alloc_irq; + } + + return 0; + +-err_dvr_probe: +- pci_free_irq_vectors(pdev); + err_alloc_irq: + clk_disable_unprepare(plat->stmmac_clk); + clk_unregister_fixed_rate(plat->stmmac_clk); +-- +2.35.1 + diff --git a/queue-5.15/sunrpc-fix-the-calculation-of-xdr-end-in-xdr_get_nex.patch b/queue-5.15/sunrpc-fix-the-calculation-of-xdr-end-in-xdr_get_nex.patch new file mode 100644 index 00000000000..1191626a9dc --- /dev/null +++ b/queue-5.15/sunrpc-fix-the-calculation-of-xdr-end-in-xdr_get_nex.patch @@ -0,0 +1,49 @@ +From 5f50715b570e4b519114e5780b11b9e31d6099d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Jun 2022 16:47:52 -0400 +Subject: SUNRPC: Fix the calculation of xdr->end in + xdr_get_next_encode_buffer() + +From: Chuck Lever + +[ Upstream commit 6c254bf3b637dd4ef4f78eb78c7447419c0161d7 ] + +I found that NFSD's new NFSv3 READDIRPLUS XDR encoder was screwing up +right at the end of the page array. xdr_get_next_encode_buffer() does +not compute the value of xdr->end correctly: + + * The check to see if we're on the final available page in xdr->buf + needs to account for the space consumed by @nbytes. + + * The new xdr->end value needs to account for the portion of @nbytes + that is to be encoded into the previous buffer. + +Fixes: 2825a7f90753 ("nfsd4: allow encoding across page boundaries") +Signed-off-by: Chuck Lever +Reviewed-by: NeilBrown +Reviewed-by: J. Bruce Fields +Signed-off-by: Sasha Levin +--- + net/sunrpc/xdr.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/net/sunrpc/xdr.c b/net/sunrpc/xdr.c +index ca10ba2626f2..85473264cccf 100644 +--- a/net/sunrpc/xdr.c ++++ b/net/sunrpc/xdr.c +@@ -979,7 +979,11 @@ static __be32 *xdr_get_next_encode_buffer(struct xdr_stream *xdr, + */ + xdr->p = (void *)p + frag2bytes; + space_left = xdr->buf->buflen - xdr->buf->len; +- xdr->end = (void *)p + min_t(int, space_left, PAGE_SIZE); ++ if (space_left - nbytes >= PAGE_SIZE) ++ xdr->end = (void *)p + PAGE_SIZE; ++ else ++ xdr->end = (void *)p + space_left - frag1bytes; ++ + xdr->buf->page_len += frag2bytes; + xdr->buf->len += nbytes; + return p; +-- +2.35.1 + diff --git a/queue-5.15/sunrpc-trap-rdma-segment-overflows.patch b/queue-5.15/sunrpc-trap-rdma-segment-overflows.patch new file mode 100644 index 00000000000..82276345203 --- /dev/null +++ b/queue-5.15/sunrpc-trap-rdma-segment-overflows.patch @@ -0,0 +1,42 @@ +From f2d898c0dea92ae833f643f5fa2176edfcff9577 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Jun 2022 12:46:52 -0400 +Subject: SUNRPC: Trap RDMA segment overflows + +From: Chuck Lever + +[ Upstream commit f012e95b377c73c0283f009823c633104dedb337 ] + +Prevent svc_rdma_build_writes() from walking off the end of a Write +chunk's segment array. Caught with KASAN. + +The test that this fix replaces is invalid, and might have been left +over from an earlier prototype of the PCL work. + +Fixes: 7a1cbfa18059 ("svcrdma: Use parsed chunk lists to construct RDMA Writes") +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + net/sunrpc/xprtrdma/svc_rdma_rw.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/sunrpc/xprtrdma/svc_rdma_rw.c b/net/sunrpc/xprtrdma/svc_rdma_rw.c +index e27433f08ca7..50bf62f85166 100644 +--- a/net/sunrpc/xprtrdma/svc_rdma_rw.c ++++ b/net/sunrpc/xprtrdma/svc_rdma_rw.c +@@ -456,10 +456,10 @@ svc_rdma_build_writes(struct svc_rdma_write_info *info, + unsigned int write_len; + u64 offset; + +- seg = &info->wi_chunk->ch_segments[info->wi_seg_no]; +- if (!seg) ++ if (info->wi_seg_no >= info->wi_chunk->ch_segcount) + goto out_overflow; + ++ seg = &info->wi_chunk->ch_segments[info->wi_seg_no]; + write_len = min(remaining, seg->rs_length - info->wi_seg_off); + if (!write_len) + goto out_overflow; +-- +2.35.1 + diff --git a/queue-5.15/tcp-use-alloc_large_system_hash-to-allocate-table_pe.patch b/queue-5.15/tcp-use-alloc_large_system_hash-to-allocate-table_pe.patch new file mode 100644 index 00000000000..596b2ef2023 --- /dev/null +++ b/queue-5.15/tcp-use-alloc_large_system_hash-to-allocate-table_pe.patch @@ -0,0 +1,47 @@ +From 4d08ef33381bd72b77481281a56bb03a1c54d95e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Jun 2022 15:02:14 +0800 +Subject: tcp: use alloc_large_system_hash() to allocate table_perturb + +From: Muchun Song + +[ Upstream commit e67b72b90b7e19a4be4d9c29f3feea6f58ab43f8 ] + +In our server, there may be no high order (>= 6) memory since we reserve +lots of HugeTLB pages when booting. Then the system panic. So use +alloc_large_system_hash() to allocate table_perturb. + +Fixes: e9261476184b ("tcp: dynamically allocate the perturb table used by source ports") +Signed-off-by: Muchun Song +Reviewed-by: Eric Dumazet +Link: https://lore.kernel.org/r/20220607070214.94443-1-songmuchun@bytedance.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/inet_hashtables.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c +index ee9c587031b4..342f3df77835 100644 +--- a/net/ipv4/inet_hashtables.c ++++ b/net/ipv4/inet_hashtables.c +@@ -917,10 +917,12 @@ void __init inet_hashinfo2_init(struct inet_hashinfo *h, const char *name, + init_hashinfo_lhash2(h); + + /* this one is used for source ports of outgoing connections */ +- table_perturb = kmalloc_array(INET_TABLE_PERTURB_SIZE, +- sizeof(*table_perturb), GFP_KERNEL); +- if (!table_perturb) +- panic("TCP: failed to alloc table_perturb"); ++ table_perturb = alloc_large_system_hash("Table-perturb", ++ sizeof(*table_perturb), ++ INET_TABLE_PERTURB_SIZE, ++ 0, 0, NULL, NULL, ++ INET_TABLE_PERTURB_SIZE, ++ INET_TABLE_PERTURB_SIZE); + } + + int inet_hashinfo2_init_mod(struct inet_hashinfo *h) +-- +2.35.1 + diff --git a/queue-5.15/xen-unexport-__init-annotated-xen_xlate_map_balloone.patch b/queue-5.15/xen-unexport-__init-annotated-xen_xlate_map_balloone.patch new file mode 100644 index 00000000000..67dee83ffe2 --- /dev/null +++ b/queue-5.15/xen-unexport-__init-annotated-xen_xlate_map_balloone.patch @@ -0,0 +1,55 @@ +From 76fbe83a6a11683c8a965a90f03444ccd98dc87d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Jun 2022 13:59:20 +0900 +Subject: xen: unexport __init-annotated xen_xlate_map_ballooned_pages() + +From: Masahiro Yamada + +[ Upstream commit dbac14a5a05ff8e1ce7c0da0e1f520ce39ec62ea ] + +EXPORT_SYMBOL and __init is a bad combination because the .init.text +section is freed up after the initialization. Hence, modules cannot +use symbols annotated __init. The access to a freed symbol may end up +with kernel panic. + +modpost used to detect it, but it has been broken for a decade. + +Recently, I fixed modpost so it started to warn it again, then this +showed up in linux-next builds. + +There are two ways to fix it: + + - Remove __init + - Remove EXPORT_SYMBOL + +I chose the latter for this case because none of the in-tree call-sites +(arch/arm/xen/enlighten.c, arch/x86/xen/grant-table.c) is compiled as +modular. + +Fixes: 243848fc018c ("xen/grant-table: Move xlated_setup_gnttab_pages to common place") +Reported-by: Stephen Rothwell +Signed-off-by: Masahiro Yamada +Reviewed-by: Oleksandr Tyshchenko +Acked-by: Stefano Stabellini +Link: https://lore.kernel.org/r/20220606045920.4161881-1-masahiroy@kernel.org +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +--- + drivers/xen/xlate_mmu.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/xen/xlate_mmu.c b/drivers/xen/xlate_mmu.c +index 34742c6e189e..f17c4c03db30 100644 +--- a/drivers/xen/xlate_mmu.c ++++ b/drivers/xen/xlate_mmu.c +@@ -261,7 +261,6 @@ int __init xen_xlate_map_ballooned_pages(xen_pfn_t **gfns, void **virt, + + return 0; + } +-EXPORT_SYMBOL_GPL(xen_xlate_map_ballooned_pages); + + struct remap_pfn { + struct mm_struct *mm; +-- +2.35.1 + diff --git a/queue-5.15/xsk-fix-handling-of-invalid-descriptors-in-xsk-tx-ba.patch b/queue-5.15/xsk-fix-handling-of-invalid-descriptors-in-xsk-tx-ba.patch new file mode 100644 index 00000000000..1e4e1ee3f31 --- /dev/null +++ b/queue-5.15/xsk-fix-handling-of-invalid-descriptors-in-xsk-tx-ba.patch @@ -0,0 +1,85 @@ +From 9a29ae0b21e9c8c5d715c9a83f1c9060bd25b6f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Jun 2022 16:22:00 +0200 +Subject: xsk: Fix handling of invalid descriptors in XSK TX batching API + +From: Maciej Fijalkowski + +[ Upstream commit d678cbd2f867a564a3c5b276c454e873f43f02f8 ] + +xdpxceiver run on a AF_XDP ZC enabled driver revealed a problem with XSK +Tx batching API. There is a test that checks how invalid Tx descriptors +are handled by AF_XDP. Each valid descriptor is followed by invalid one +on Tx side whereas the Rx side expects only to receive a set of valid +descriptors. + +In current xsk_tx_peek_release_desc_batch() function, the amount of +available descriptors is hidden inside xskq_cons_peek_desc_batch(). This +can be problematic in cases where invalid descriptors are present due to +the fact that xskq_cons_peek_desc_batch() returns only a count of valid +descriptors. This means that it is impossible to properly update XSK +ring state when calling xskq_cons_release_n(). + +To address this issue, pull out the contents of +xskq_cons_peek_desc_batch() so that callers (currently only +xsk_tx_peek_release_desc_batch()) will always be able to update the +state of ring properly, as total count of entries is now available and +use this value as an argument in xskq_cons_release_n(). By +doing so, xskq_cons_peek_desc_batch() can be dropped altogether. + +Fixes: 9349eb3a9d2a ("xsk: Introduce batched Tx descriptor interfaces") +Signed-off-by: Maciej Fijalkowski +Signed-off-by: Daniel Borkmann +Acked-by: Magnus Karlsson +Link: https://lore.kernel.org/bpf/20220607142200.576735-1-maciej.fijalkowski@intel.com +Signed-off-by: Sasha Levin +--- + net/xdp/xsk.c | 5 +++-- + net/xdp/xsk_queue.h | 8 -------- + 2 files changed, 3 insertions(+), 10 deletions(-) + +diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c +index 404cbfde2f84..b9e70931c794 100644 +--- a/net/xdp/xsk.c ++++ b/net/xdp/xsk.c +@@ -388,7 +388,8 @@ u32 xsk_tx_peek_release_desc_batch(struct xsk_buff_pool *pool, u32 max_entries) + goto out; + } + +- nb_pkts = xskq_cons_peek_desc_batch(xs->tx, pool, max_entries); ++ max_entries = xskq_cons_nb_entries(xs->tx, max_entries); ++ nb_pkts = xskq_cons_read_desc_batch(xs->tx, pool, max_entries); + if (!nb_pkts) { + xs->tx->queue_empty_descs++; + goto out; +@@ -404,7 +405,7 @@ u32 xsk_tx_peek_release_desc_batch(struct xsk_buff_pool *pool, u32 max_entries) + if (!nb_pkts) + goto out; + +- xskq_cons_release_n(xs->tx, nb_pkts); ++ xskq_cons_release_n(xs->tx, max_entries); + __xskq_cons_release(xs->tx); + xs->sk.sk_write_space(&xs->sk); + +diff --git a/net/xdp/xsk_queue.h b/net/xdp/xsk_queue.h +index b721795fe50c..491a18c1f786 100644 +--- a/net/xdp/xsk_queue.h ++++ b/net/xdp/xsk_queue.h +@@ -278,14 +278,6 @@ static inline bool xskq_cons_peek_desc(struct xsk_queue *q, + return xskq_cons_read_desc(q, desc, pool); + } + +-static inline u32 xskq_cons_peek_desc_batch(struct xsk_queue *q, struct xsk_buff_pool *pool, +- u32 max) +-{ +- u32 entries = xskq_cons_nb_entries(q, max); +- +- return xskq_cons_read_desc_batch(q, pool, entries); +-} +- + /* To improve performance in the xskq_cons_release functions, only update local state here. + * Reflect this to global state when we get new entries from the ring in + * xskq_cons_get_entries() and whenever Rx or Tx processing are completed in the NAPI loop. +-- +2.35.1 +