From: Sasha Levin Date: Mon, 3 Aug 2020 01:29:25 +0000 (-0400) Subject: Fixes for 4.19 X-Git-Tag: v5.7.13~17^2~3 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=81fa1d03628f34644b1bf3306569c35fd82109f7;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.19 Signed-off-by: Sasha Levin --- diff --git a/queue-4.19/arm64-alternatives-move-length-validation-inside-the.patch b/queue-4.19/arm64-alternatives-move-length-validation-inside-the.patch new file mode 100644 index 00000000000..d2b0c57d89a --- /dev/null +++ b/queue-4.19/arm64-alternatives-move-length-validation-inside-the.patch 
@@ -0,0 +1,45 @@ +From 0282a2b989deb4a6f680d47143c6dadaea36e6a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Jul 2020 08:37:01 -0700 +Subject: arm64/alternatives: move length validation inside the subsection + +From: Sami Tolvanen + +[ Upstream commit 966a0acce2fca776391823381dba95c40e03c339 ] + +Commit f7b93d42945c ("arm64/alternatives: use subsections for replacement +sequences") breaks LLVM's integrated assembler, because due to its +one-pass design, it cannot compute instruction sequence lengths before the +layout for the subsection has been finalized. This change fixes the build +by moving the .org directives inside the subsection, so they are processed +after the subsection layout is known. + +Fixes: f7b93d42945c ("arm64/alternatives: use subsections for replacement sequences") +Signed-off-by: Sami Tolvanen +Link: https://github.com/ClangBuiltLinux/linux/issues/1078 +Link: https://lore.kernel.org/r/20200730153701.3892953-1-samitolvanen@google.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/include/asm/alternative.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/include/asm/alternative.h b/arch/arm64/include/asm/alternative.h +index 849d891c60a81..844f05b23115a 100644 +--- a/arch/arm64/include/asm/alternative.h ++++ b/arch/arm64/include/asm/alternative.h +@@ -77,9 +77,9 @@ static inline void apply_alternatives_module(void *start, size_t length) { } + "663:\n\t" \ + newinstr "\n" \ + "664:\n\t" \ +- ".previous\n\t" \ + ".org . - (664b-663b) + (662b-661b)\n\t" \ +- ".org . - (662b-661b) + (664b-663b)\n" \ ++ ".org . - (662b-661b) + (664b-663b)\n\t" \ ++ ".previous\n" \ + ".endif\n" + + #define __ALTERNATIVE_CFG_CB(oldinstr, feature, cfg_enabled, cb) \ +-- +2.25.1 + diff --git a/queue-4.19/arm64-csum-fix-handling-of-bad-packets.patch b/queue-4.19/arm64-csum-fix-handling-of-bad-packets.patch new file mode 100644 index 00000000000..c3300622f2f --- /dev/null 
+++ b/queue-4.19/arm64-csum-fix-handling-of-bad-packets.patch @@ -0,0 +1,50 @@ +From eeef023785dd857cdef367f9283899eb324cb535 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Jul 2020 10:56:49 +0100 +Subject: arm64: csum: Fix handling of bad packets + +From: Robin Murphy + +[ Upstream commit 05fb3dbda187bbd9cc1cd0e97e5d6595af570ac6 ] + +Although iph is expected to point to at least 20 bytes of valid memory, +ihl may be bogus, for example on reception of a corrupt packet. If it +happens to be less than 5, we really don't want to run away and +dereference 16GB worth of memory until it wraps back to exactly zero... + +Fixes: 0e455d8e80aa ("arm64: Implement optimised IP checksum helpers") +Reported-by: guodeqing +Signed-off-by: Robin Murphy +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/include/asm/checksum.h | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/include/asm/checksum.h b/arch/arm64/include/asm/checksum.h +index 0b6f5a7d4027c..fd11e0d70e446 100644 +--- a/arch/arm64/include/asm/checksum.h ++++ b/arch/arm64/include/asm/checksum.h +@@ -30,16 +30,17 @@ static inline __sum16 ip_fast_csum(const void *iph, unsigned int ihl) + { + __uint128_t tmp; + u64 sum; ++ int n = ihl; /* we want it signed */ + + tmp = *(const __uint128_t *)iph; + iph += 16; +- ihl -= 4; ++ n -= 4; + tmp += ((tmp >> 64) | (tmp << 64)); + sum = tmp >> 64; + do { + sum += *(const u32 *)iph; + iph += 4; +- } while (--ihl); ++ } while (--n > 0); + + sum += ((sum >> 32) | (sum << 32)); + return csum_fold((__force u32)(sum >> 32)); +-- +2.25.1 + diff --git a/queue-4.19/bluetooth-fix-kernel-oops-in-store_pending_adv_repor.patch b/queue-4.19/bluetooth-fix-kernel-oops-in-store_pending_adv_repor.patch new file mode 100644 index 00000000000..f24d8739c8e --- /dev/null +++ b/queue-4.19/bluetooth-fix-kernel-oops-in-store_pending_adv_repor.patch 
@@ -0,0 +1,155 @@ +From 83ba71a531fa2bf86a28f6dfdfdb358b0fc83471 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Jul 2020 20:48:55 +0000 +Subject: Bluetooth: fix kernel oops in store_pending_adv_report + +From: Alain Michaud + +[ Upstream commit a2ec905d1e160a33b2e210e45ad30445ef26ce0e ] + +Fix kernel oops observed when an ext adv data is larger than 31 bytes. + +This can be reproduced by setting up an advertiser with advertisement +larger than 31 bytes. The issue is not sensitive to the advertisement +content. In particular, this was reproduced with an advertisement of +229 bytes filled with 'A'. See stack trace below. + +This is fixed by not catching ext_adv as legacy adv are only cached to +be able to concatenate a scanable adv with its scan response before +sending it up through mgmt. + +With ext_adv, this is no longer necessary. + + general protection fault: 0000 [#1] SMP PTI + CPU: 6 PID: 205 Comm: kworker/u17:0 Not tainted 5.4.0-37-generic #41-Ubuntu + Hardware name: Dell Inc. 
XPS 15 7590/0CF6RR, BIOS 1.7.0 05/11/2020 + Workqueue: hci0 hci_rx_work [bluetooth] + RIP: 0010:hci_bdaddr_list_lookup+0x1e/0x40 [bluetooth] + Code: ff ff e9 26 ff ff ff 0f 1f 44 00 00 0f 1f 44 00 00 55 48 8b 07 48 89 e5 48 39 c7 75 0a eb 24 48 8b 00 48 39 f8 74 1c 44 8b 06 <44> 39 40 10 75 ef 44 0f b7 4e 04 66 44 39 48 14 75 e3 38 50 16 75 + RSP: 0018:ffffbc6a40493c70 EFLAGS: 00010286 + RAX: 4141414141414141 RBX: 000000000000001b RCX: 0000000000000000 + RDX: 0000000000000000 RSI: ffff9903e76c100f RDI: ffff9904289d4b28 + RBP: ffffbc6a40493c70 R08: 0000000093570362 R09: 0000000000000000 + R10: 0000000000000000 R11: ffff9904344eae38 R12: ffff9904289d4000 + R13: 0000000000000000 R14: 00000000ffffffa3 R15: ffff9903e76c100f + FS: 0000000000000000(0000) GS:ffff990434580000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00007feed125a000 CR3: 00000001b860a003 CR4: 00000000003606e0 + Call Trace: + process_adv_report+0x12e/0x560 [bluetooth] + hci_le_meta_evt+0x7b2/0xba0 [bluetooth] + hci_event_packet+0x1c29/0x2a90 [bluetooth] + hci_rx_work+0x19b/0x360 [bluetooth] + process_one_work+0x1eb/0x3b0 + worker_thread+0x4d/0x400 + kthread+0x104/0x140 + +Fixes: c215e9397b00 ("Bluetooth: Process extended ADV report event") +Reported-by: Andy Nguyen +Reported-by: Linus Torvalds +Reported-by: Balakrishna Godavarthi +Signed-off-by: Alain Michaud +Tested-by: Sonny Sasaka +Acked-by: Marcel Holtmann +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_event.c | 26 +++++++++++++++++++------- + 1 file changed, 19 insertions(+), 7 deletions(-) + +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c +index a044e6bb12b84..cdb92b129906f 100644 +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -1229,6 +1229,9 @@ static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr, + { + struct discovery_state *d = &hdev->discovery; + ++ if (len > HCI_MAX_AD_LENGTH) ++ return; ++ + 
bacpy(&d->last_adv_addr, bdaddr); + d->last_adv_addr_type = bdaddr_type; + d->last_adv_rssi = rssi; +@@ -5116,7 +5119,8 @@ static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev, + + static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr, + u8 bdaddr_type, bdaddr_t *direct_addr, +- u8 direct_addr_type, s8 rssi, u8 *data, u8 len) ++ u8 direct_addr_type, s8 rssi, u8 *data, u8 len, ++ bool ext_adv) + { + struct discovery_state *d = &hdev->discovery; + struct smp_irk *irk; +@@ -5138,6 +5142,11 @@ static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr, + return; + } + ++ if (!ext_adv && len > HCI_MAX_AD_LENGTH) { ++ bt_dev_err_ratelimited(hdev, "legacy adv larger than 31 bytes"); ++ return; ++ } ++ + /* Find the end of the data in case the report contains padded zero + * bytes at the end causing an invalid length value. + * +@@ -5197,7 +5206,7 @@ static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr, + */ + conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, type, + direct_addr); +- if (conn && type == LE_ADV_IND) { ++ if (!ext_adv && conn && type == LE_ADV_IND && len <= HCI_MAX_AD_LENGTH) { + /* Store report for later inclusion by + * mgmt_device_connected + */ +@@ -5251,7 +5260,7 @@ static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr, + * event or send an immediate device found event if the data + * should not be stored for later. + */ +- if (!has_pending_adv_report(hdev)) { ++ if (!ext_adv && !has_pending_adv_report(hdev)) { + /* If the report will trigger a SCAN_REQ store it for + * later merging. + */ +@@ -5286,7 +5295,8 @@ static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr, + /* If the new report will trigger a SCAN_REQ store it for + * later merging. 
+ */ +- if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) { ++ if (!ext_adv && (type == LE_ADV_IND || ++ type == LE_ADV_SCAN_IND)) { + store_pending_adv_report(hdev, bdaddr, bdaddr_type, + rssi, flags, data, len); + return; +@@ -5326,7 +5336,7 @@ static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb) + rssi = ev->data[ev->length]; + process_adv_report(hdev, ev->evt_type, &ev->bdaddr, + ev->bdaddr_type, NULL, 0, rssi, +- ev->data, ev->length); ++ ev->data, ev->length, false); + } else { + bt_dev_err(hdev, "Dropping invalid advertising data"); + } +@@ -5400,7 +5410,8 @@ static void hci_le_ext_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb) + if (legacy_evt_type != LE_ADV_INVALID) { + process_adv_report(hdev, legacy_evt_type, &ev->bdaddr, + ev->bdaddr_type, NULL, 0, ev->rssi, +- ev->data, ev->length); ++ ev->data, ev->length, ++ !(evt_type & LE_EXT_ADV_LEGACY_PDU)); + } + + ptr += sizeof(*ev) + ev->length + 1; +@@ -5598,7 +5609,8 @@ static void hci_le_direct_adv_report_evt(struct hci_dev *hdev, + + process_adv_report(hdev, ev->evt_type, &ev->bdaddr, + ev->bdaddr_type, &ev->direct_addr, +- ev->direct_addr_type, ev->rssi, NULL, 0); ++ ev->direct_addr_type, ev->rssi, NULL, 0, ++ false); + + ptr += sizeof(*ev); + } +-- +2.25.1 + diff --git a/queue-4.19/bpf-fix-map-leak-in-hash_of_maps-map.patch b/queue-4.19/bpf-fix-map-leak-in-hash_of_maps-map.patch new file mode 100644 index 00000000000..1bad0fc382f --- /dev/null +++ b/queue-4.19/bpf-fix-map-leak-in-hash_of_maps-map.patch 
@@ -0,0 +1,63 @@ +From 2f4163dfd99468d89d44c899b70c9de4c482eb71 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Jul 2020 21:09:12 -0700 +Subject: bpf: Fix map leak in HASH_OF_MAPS map + +From: Andrii Nakryiko + +[ Upstream commit 1d4e1eab456e1ee92a94987499b211db05f900ea ] + +Fix HASH_OF_MAPS bug of not putting inner map pointer on bpf_map_elem_update() +operation. This is due to per-cpu extra_elems optimization, which bypassed +free_htab_elem() logic doing proper clean ups. Make sure that inner map is put +properly in optimized case as well. + +Fixes: 8c290e60fa2a ("bpf: fix hashmap extra_elems logic") +Signed-off-by: Andrii Nakryiko +Signed-off-by: Daniel Borkmann +Acked-by: Song Liu +Link: https://lore.kernel.org/bpf/20200729040913.2815687-1-andriin@fb.com +Signed-off-by: Sasha Levin +--- + kernel/bpf/hashtab.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c +index 6fe72792312d8..1b28fb006763a 100644 +--- a/kernel/bpf/hashtab.c ++++ b/kernel/bpf/hashtab.c +@@ -678,15 +678,20 @@ static void htab_elem_free_rcu(struct rcu_head *head) + preempt_enable(); + } + +-static void free_htab_elem(struct bpf_htab *htab, struct htab_elem *l) ++static void htab_put_fd_value(struct bpf_htab *htab, struct htab_elem *l) + { + struct bpf_map *map = &htab->map; ++ void *ptr; + + if (map->ops->map_fd_put_ptr) { +- void *ptr = fd_htab_map_get_ptr(map, l); +- ++ ptr = fd_htab_map_get_ptr(map, l); + map->ops->map_fd_put_ptr(ptr); + } ++} ++ ++static void free_htab_elem(struct bpf_htab *htab, struct htab_elem *l) ++{ ++ htab_put_fd_value(htab, l); + + if (htab_is_prealloc(htab)) { + __pcpu_freelist_push(&htab->freelist, &l->fnode); +@@ -747,6 +752,7 @@ static struct htab_elem *alloc_htab_elem(struct bpf_htab *htab, void *key, + */ + pl_new = this_cpu_ptr(htab->extra_elems); + l_new = *pl_new; ++ htab_put_fd_value(htab, old_elem); + *pl_new = old_elem; + } else { + struct pcpu_freelist_node *l; +-- 
+2.25.1 + diff --git a/queue-4.19/cxgb4-add-missing-release-on-skb-in-uld_send.patch b/queue-4.19/cxgb4-add-missing-release-on-skb-in-uld_send.patch new file mode 100644 index 00000000000..ac965474adc --- /dev/null +++ b/queue-4.19/cxgb4-add-missing-release-on-skb-in-uld_send.patch @@ -0,0 +1,34 @@ +From 9582e6daa11f178ccc3e36dcf3f9ba43c8612981 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Jul 2020 21:58:39 -0500 +Subject: cxgb4: add missing release on skb in uld_send() + +From: Navid Emamdoost + +[ Upstream commit e6827d1abdc9b061a57d7b7d3019c4e99fabea2f ] + +In the implementation of uld_send(), the skb is consumed on all +execution paths except one. Release skb when returning NET_XMIT_DROP. + +Signed-off-by: Navid Emamdoost +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/chelsio/cxgb4/sge.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/chelsio/cxgb4/sge.c b/drivers/net/ethernet/chelsio/cxgb4/sge.c +index 3d4a765e9e61d..7801f2aeeb30e 100644 +--- a/drivers/net/ethernet/chelsio/cxgb4/sge.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/sge.c +@@ -2367,6 +2367,7 @@ static inline int uld_send(struct adapter *adap, struct sk_buff *skb, + txq_info = adap->sge.uld_txq_info[tx_uld_type]; + if (unlikely(!txq_info)) { + WARN_ON(true); ++ kfree_skb(skb); + return NET_XMIT_DROP; + } + +-- +2.25.1 + diff --git a/queue-4.19/ibmvnic-fix-irq-mapping-disposal-in-error-path.patch b/queue-4.19/ibmvnic-fix-irq-mapping-disposal-in-error-path.patch new file mode 100644 index 00000000000..44d5165f2c9 --- /dev/null +++ b/queue-4.19/ibmvnic-fix-irq-mapping-disposal-in-error-path.patch 
@@ -0,0 +1,37 @@ +From b79125da58853ef4af0d88f0a9d5301a7fdb4abe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Jul 2020 16:36:32 -0500 +Subject: ibmvnic: Fix IRQ mapping disposal in error path + +From: Thomas Falcon + +[ Upstream commit 27a2145d6f826d1fad9de06ac541b1016ced3427 ] + +RX queue IRQ mappings are disposed in both the TX IRQ and RX IRQ +error paths. Fix this and dispose of TX IRQ mappings correctly in +case of an error. + +Fixes: ea22d51a7831 ("ibmvnic: simplify and improve driver probe function") +Signed-off-by: Thomas Falcon +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ibm/ibmvnic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c +index 5e9e45befc875..d8115a9333e05 100644 +--- a/drivers/net/ethernet/ibm/ibmvnic.c ++++ b/drivers/net/ethernet/ibm/ibmvnic.c +@@ -2926,7 +2926,7 @@ req_rx_irq_failed: + req_tx_irq_failed: + for (j = 0; j < i; j++) { + free_irq(adapter->tx_scrq[j]->irq, adapter->tx_scrq[j]); +- irq_dispose_mapping(adapter->rx_scrq[j]->irq); ++ irq_dispose_mapping(adapter->tx_scrq[j]->irq); + } + release_sub_crqs(adapter, 1); + return rc; +-- +2.25.1 + diff --git a/queue-4.19/mac80211-mesh-free-ie-data-when-leaving-mesh.patch b/queue-4.19/mac80211-mesh-free-ie-data-when-leaving-mesh.patch new file mode 100644 index 00000000000..15eb5ee293c --- /dev/null +++ b/queue-4.19/mac80211-mesh-free-ie-data-when-leaving-mesh.patch 
@@ -0,0 +1,61 @@ +From bcb289b7b8c4b274f79f68f474405f61b852408c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Jul 2020 15:50:07 +0200 +Subject: mac80211: mesh: Free ie data when leaving mesh + +From: Remi Pommarel + +[ Upstream commit 6a01afcf8468d3ca2bd8bbb27503f60dcf643b20 ] + +At ieee80211_join_mesh() some ie data could have been allocated (see +copy_mesh_setup()) and need to be cleaned up when leaving the mesh. + +This fixes the following kmemleak report: + +unreferenced object 0xffff0000116bc600 (size 128): + comm "wpa_supplicant", pid 608, jiffies 4294898983 (age 293.484s) + hex dump (first 32 bytes): + 30 14 01 00 00 0f ac 04 01 00 00 0f ac 04 01 00 0............... + 00 0f ac 08 00 00 00 00 c4 65 40 00 00 00 00 00 .........e@..... + backtrace: + [<00000000bebe439d>] __kmalloc_track_caller+0x1c0/0x330 + [<00000000a349dbe1>] kmemdup+0x28/0x50 + [<0000000075d69baa>] ieee80211_join_mesh+0x6c/0x3b8 [mac80211] + [<00000000683bb98b>] __cfg80211_join_mesh+0x1e8/0x4f0 [cfg80211] + [<0000000072cb507f>] nl80211_join_mesh+0x520/0x6b8 [cfg80211] + [<0000000077e9bcf9>] genl_family_rcv_msg+0x374/0x680 + [<00000000b1bd936d>] genl_rcv_msg+0x78/0x108 + [<0000000022c53788>] netlink_rcv_skb+0xb0/0x1c0 + [<0000000011af8ec9>] genl_rcv+0x34/0x48 + [<0000000069e41f53>] netlink_unicast+0x268/0x2e8 + [<00000000a7517316>] netlink_sendmsg+0x320/0x4c0 + [<0000000069cba205>] ____sys_sendmsg+0x354/0x3a0 + [<00000000e06bab0f>] ___sys_sendmsg+0xd8/0x120 + [<0000000037340728>] __sys_sendmsg+0xa4/0xf8 + [<000000004fed9776>] __arm64_sys_sendmsg+0x44/0x58 + [<000000001c1e5647>] el0_svc_handler+0xd0/0x1a0 + +Fixes: c80d545da3f7 (mac80211: Let userspace enable and configure vendor specific path selection.) 
+Signed-off-by: Remi Pommarel +Link: https://lore.kernel.org/r/20200704135007.27292-1-repk@triplefau.lt +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/cfg.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c +index cb7076d9a7698..b6670e74aeb7b 100644 +--- a/net/mac80211/cfg.c ++++ b/net/mac80211/cfg.c +@@ -2011,6 +2011,7 @@ static int ieee80211_leave_mesh(struct wiphy *wiphy, struct net_device *dev) + ieee80211_stop_mesh(sdata); + mutex_lock(&sdata->local->mtx); + ieee80211_vif_release_channel(sdata); ++ kfree(sdata->u.mesh.ie); + mutex_unlock(&sdata->local->mtx); + + return 0; +-- +2.25.1 + diff --git a/queue-4.19/mac80211-mesh-free-pending-skb-when-destroying-a-mpa.patch b/queue-4.19/mac80211-mesh-free-pending-skb-when-destroying-a-mpa.patch new file mode 100644 index 00000000000..a83a57ad070 --- /dev/null +++ b/queue-4.19/mac80211-mesh-free-pending-skb-when-destroying-a-mpa.patch 
@@ -0,0 +1,74 @@ +From 74563714d2df05f693d2b123388e1c7328208afe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Jul 2020 15:54:19 +0200 +Subject: mac80211: mesh: Free pending skb when destroying a mpath + +From: Remi Pommarel + +[ Upstream commit 5e43540c2af0a0c0a18e39579b1ad49541f87506 ] + +A mpath object can hold reference on a list of skb that are waiting for +mpath resolution to be sent. When destroying a mpath this skb list +should be cleaned up in order to not leak memory. + +Fixing that kind of leak: + +unreferenced object 0xffff0000181c9300 (size 1088): + comm "openvpn", pid 1782, jiffies 4295071698 (age 80.416s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 f9 80 36 00 00 00 00 00 ..........6..... + 02 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00 ...@............ + backtrace: + [<000000004bc6a443>] kmem_cache_alloc+0x1a4/0x2f0 + [<000000002caaef13>] sk_prot_alloc.isra.39+0x34/0x178 + [<00000000ceeaa916>] sk_alloc+0x34/0x228 + [<00000000ca1f1d04>] inet_create+0x198/0x518 + [<0000000035626b1c>] __sock_create+0x134/0x328 + [<00000000a12b3a87>] __sys_socket+0xb0/0x158 + [<00000000ff859f23>] __arm64_sys_socket+0x40/0x58 + [<00000000263486ec>] el0_svc_handler+0xd0/0x1a0 + [<0000000005b5157d>] el0_svc+0x8/0xc +unreferenced object 0xffff000012973a40 (size 216): + comm "openvpn", pid 1782, jiffies 4295082137 (age 38.660s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 c0 06 16 00 00 ff ff 00 93 1c 18 00 00 ff ff ................ 
+ backtrace: + [<000000004bc6a443>] kmem_cache_alloc+0x1a4/0x2f0 + [<0000000023c8c8f9>] __alloc_skb+0xc0/0x2b8 + [<000000007ad950bb>] alloc_skb_with_frags+0x60/0x320 + [<00000000ef90023a>] sock_alloc_send_pskb+0x388/0x3c0 + [<00000000104fb1a3>] sock_alloc_send_skb+0x1c/0x28 + [<000000006919d2dd>] __ip_append_data+0xba4/0x11f0 + [<0000000083477587>] ip_make_skb+0x14c/0x1a8 + [<0000000024f3d592>] udp_sendmsg+0xaf0/0xcf0 + [<000000005aabe255>] inet_sendmsg+0x5c/0x80 + [<000000008651ea08>] __sys_sendto+0x15c/0x218 + [<000000003505c99b>] __arm64_sys_sendto+0x74/0x90 + [<00000000263486ec>] el0_svc_handler+0xd0/0x1a0 + [<0000000005b5157d>] el0_svc+0x8/0xc + +Fixes: 2bdaf386f99c (mac80211: mesh: move path tables into if_mesh) +Signed-off-by: Remi Pommarel +Link: https://lore.kernel.org/r/20200704135419.27703-1-repk@triplefau.lt +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/mesh_pathtbl.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/mac80211/mesh_pathtbl.c b/net/mac80211/mesh_pathtbl.c +index ac1f5db529945..4fc720c77e37e 100644 +--- a/net/mac80211/mesh_pathtbl.c ++++ b/net/mac80211/mesh_pathtbl.c +@@ -532,6 +532,7 @@ static void mesh_path_free_rcu(struct mesh_table *tbl, + del_timer_sync(&mpath->timer); + atomic_dec(&sdata->u.mesh.mpaths); + atomic_dec(&tbl->entries); ++ mesh_path_flush_pending(mpath); + kfree_rcu(mpath, rcu); + } + +-- +2.25.1 + diff --git a/queue-4.19/mlx4-disable-device-on-shutdown.patch b/queue-4.19/mlx4-disable-device-on-shutdown.patch new file mode 100644 index 00000000000..0c20fb035bc --- /dev/null +++ b/queue-4.19/mlx4-disable-device-on-shutdown.patch 
@@ -0,0 +1,74 @@ +From 4df41ee5a3e73d98c8a235e1f0cec0d78900903b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Jul 2020 16:15:43 -0700 +Subject: mlx4: disable device on shutdown + +From: Jakub Kicinski + +[ Upstream commit 3cab8c65525920f00d8f4997b3e9bb73aecb3a8e ] + +It appears that not disabling a PCI device on .shutdown may lead to +a Hardware Error with particular (perhaps buggy) BIOS versions: + + mlx4_en: eth0: Close port called + mlx4_en 0000:04:00.0: removed PHC + reboot: Restarting system + {1}[Hardware Error]: Hardware error from APEI Generic Hardware Error Source: 1 + {1}[Hardware Error]: event severity: fatal + {1}[Hardware Error]: Error 0, type: fatal + {1}[Hardware Error]: section_type: PCIe error + {1}[Hardware Error]: port_type: 4, root port + {1}[Hardware Error]: version: 1.16 + {1}[Hardware Error]: command: 0x4010, status: 0x0143 + {1}[Hardware Error]: device_id: 0000:00:02.2 + {1}[Hardware Error]: slot: 0 + {1}[Hardware Error]: secondary_bus: 0x04 + {1}[Hardware Error]: vendor_id: 0x8086, device_id: 0x2f06 + {1}[Hardware Error]: class_code: 000604 + {1}[Hardware Error]: bridge: secondary_status: 0x2000, control: 0x0003 + {1}[Hardware Error]: aer_uncor_status: 0x00100000, aer_uncor_mask: 0x00000000 + {1}[Hardware Error]: aer_uncor_severity: 0x00062030 + {1}[Hardware Error]: TLP Header: 40000018 040000ff 791f4080 00000000 +[hw error repeats] + Kernel panic - not syncing: Fatal hardware error! + CPU: 0 PID: 2189 Comm: reboot Kdump: loaded Not tainted 5.6.x-blabla #1 + Hardware name: HP ProLiant DL380 Gen9/ProLiant DL380 Gen9, BIOS P89 05/05/2017 + +Fix the mlx4 driver. + +This is a very similar problem to what had been fixed in: +commit 0d98ba8d70b0 ("scsi: hpsa: disable device during shutdown") +to address https://bugzilla.kernel.org/show_bug.cgi?id=199779. + +Fixes: 2ba5fbd62b25 ("net/mlx4_core: Handle AER flow properly") +Reported-by: Jake Lawrence +Signed-off-by: Jakub Kicinski +Reviewed-by: Saeed Mahameed +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx4/main.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx4/main.c b/drivers/net/ethernet/mellanox/mlx4/main.c +index f7825c7b92fe3..8d7bb9a889677 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/main.c ++++ b/drivers/net/ethernet/mellanox/mlx4/main.c +@@ -4311,12 +4311,14 @@ end: + static void mlx4_shutdown(struct pci_dev *pdev) + { + struct mlx4_dev_persistent *persist = pci_get_drvdata(pdev); ++ struct mlx4_dev *dev = persist->dev; + + mlx4_info(persist->dev, "mlx4_shutdown was called\n"); + mutex_lock(&persist->interface_state_mutex); + if (persist->interface_state & MLX4_INTERFACE_STATE_UP) + mlx4_unload_one(pdev); + mutex_unlock(&persist->interface_state_mutex); ++ mlx4_pci_disable_device(dev); + } + + static const struct pci_error_handlers mlx4_err_handler = { +-- +2.25.1 + diff --git a/queue-4.19/mlxsw-core-free-emad-transactions-using-kfree_rcu.patch b/queue-4.19/mlxsw-core-free-emad-transactions-using-kfree_rcu.patch new file mode 100644 index 00000000000..3011600771c --- /dev/null +++ b/queue-4.19/mlxsw-core-free-emad-transactions-using-kfree_rcu.patch 
@@ -0,0 +1,152 @@ +From 4210d7741e1c5a19006c6f10be81d34c5d2c3d3a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Jul 2020 12:26:46 +0300 +Subject: mlxsw: core: Free EMAD transactions using kfree_rcu() + +From: Ido Schimmel + +[ Upstream commit 3c8ce24b037648a5a15b85888b259a74b05ff97d ] + +The lifetime of EMAD transactions (i.e., 'struct mlxsw_reg_trans') is +managed using RCU. They are freed using kfree_rcu() once the transaction +ends. + +However, in case the transaction failed it is freed immediately after being +removed from the active transactions list. This is problematic because it is +still possible for a different CPU to dereference the transaction from an RCU +read-side critical section while traversing the active transaction list in +mlxsw_emad_rx_listener_func(). In which case, a use-after-free is triggered +[1]. + +Fix this by freeing the transaction after a grace period by calling +kfree_rcu(). + +[1] +BUG: KASAN: use-after-free in mlxsw_emad_rx_listener_func+0x969/0xac0 drivers/net/ethernet/mellanox/mlxsw/core.c:671 +Read of size 8 at addr ffff88800b7964e8 by task syz-executor.2/2881 + +CPU: 0 PID: 2881 Comm: syz-executor.2 Not tainted 5.8.0-rc4+ #44 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 +Call Trace: + + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0xf6/0x16e lib/dump_stack.c:118 + print_address_description.constprop.0+0x1c/0x250 mm/kasan/report.c:383 + __kasan_report mm/kasan/report.c:513 [inline] + kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530 + mlxsw_emad_rx_listener_func+0x969/0xac0 drivers/net/ethernet/mellanox/mlxsw/core.c:671 + mlxsw_core_skb_receive+0x571/0x700 drivers/net/ethernet/mellanox/mlxsw/core.c:2061 + mlxsw_pci_cqe_rdq_handle drivers/net/ethernet/mellanox/mlxsw/pci.c:595 [inline] + mlxsw_pci_cq_tasklet+0x12a6/0x2520 drivers/net/ethernet/mellanox/mlxsw/pci.c:651 + tasklet_action_common.isra.0+0x13f/0x3e0 kernel/softirq.c:550 + 
__do_softirq+0x223/0x964 kernel/softirq.c:292 + asm_call_on_stack+0x12/0x20 arch/x86/entry/entry_64.S:711 + + __run_on_irqstack arch/x86/include/asm/irq_stack.h:22 [inline] + run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:48 [inline] + do_softirq_own_stack+0x109/0x140 arch/x86/kernel/irq_64.c:77 + invoke_softirq kernel/softirq.c:387 [inline] + __irq_exit_rcu kernel/softirq.c:417 [inline] + irq_exit_rcu+0x16f/0x1a0 kernel/softirq.c:429 + sysvec_apic_timer_interrupt+0x4e/0xd0 arch/x86/kernel/apic/apic.c:1091 + asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:587 +RIP: 0010:arch_local_irq_restore arch/x86/include/asm/irqflags.h:85 [inline] +RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline] +RIP: 0010:_raw_spin_unlock_irqrestore+0x3b/0x40 kernel/locking/spinlock.c:191 +Code: e8 2a c3 f4 fc 48 89 ef e8 12 96 f5 fc f6 c7 02 75 11 53 9d e8 d6 db 11 fd 65 ff 0d 1f 21 b3 56 5b 5d c3 e8 a7 d7 11 fd 53 9d ed 0f 1f 00 55 48 89 fd 65 ff 05 05 21 b3 56 ff 74 24 08 48 8d +RSP: 0018:ffff8880446ffd80 EFLAGS: 00000286 +RAX: 0000000000000006 RBX: 0000000000000286 RCX: 0000000000000006 +RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffffa94ecea9 +RBP: ffff888012934408 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000001 R11: fffffbfff57be301 R12: 1ffff110088dffc1 +R13: ffff888037b817c0 R14: ffff88802442415a R15: ffff888024424000 + __do_sys_perf_event_open+0x1b5d/0x2bd0 kernel/events/core.c:11874 + do_syscall_64+0x56/0xa0 arch/x86/entry/common.c:384 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 +RIP: 0033:0x473dbd +Code: Bad RIP value. 
+RSP: 002b:00007f21e5e9cc28 EFLAGS: 00000246 ORIG_RAX: 000000000000012a +RAX: ffffffffffffffda RBX: 000000000057bf00 RCX: 0000000000473dbd +RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000040 +RBP: 000000000057bf00 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000003 R11: 0000000000000246 R12: 000000000057bf0c +R13: 00007ffd0493503f R14: 00000000004d0f46 R15: 00007f21e5e9cd80 + +Allocated by task 871: + save_stack+0x1b/0x40 mm/kasan/common.c:48 + set_track mm/kasan/common.c:56 [inline] + __kasan_kmalloc mm/kasan/common.c:494 [inline] + __kasan_kmalloc.constprop.0+0xc2/0xd0 mm/kasan/common.c:467 + kmalloc include/linux/slab.h:555 [inline] + kzalloc include/linux/slab.h:669 [inline] + mlxsw_core_reg_access_emad+0x70/0x1410 drivers/net/ethernet/mellanox/mlxsw/core.c:1812 + mlxsw_core_reg_access+0xeb/0x540 drivers/net/ethernet/mellanox/mlxsw/core.c:1991 + mlxsw_sp_port_get_hw_xstats+0x335/0x7e0 drivers/net/ethernet/mellanox/mlxsw/spectrum.c:1130 + update_stats_cache+0xf4/0x140 drivers/net/ethernet/mellanox/mlxsw/spectrum.c:1173 + process_one_work+0xa3e/0x17a0 kernel/workqueue.c:2269 + worker_thread+0x9e/0x1050 kernel/workqueue.c:2415 + kthread+0x355/0x470 kernel/kthread.c:291 + ret_from_fork+0x22/0x30 arch/x86/entry/entry_64.S:293 + +Freed by task 871: + save_stack+0x1b/0x40 mm/kasan/common.c:48 + set_track mm/kasan/common.c:56 [inline] + kasan_set_free_info mm/kasan/common.c:316 [inline] + __kasan_slab_free+0x12c/0x170 mm/kasan/common.c:455 + slab_free_hook mm/slub.c:1474 [inline] + slab_free_freelist_hook mm/slub.c:1507 [inline] + slab_free mm/slub.c:3072 [inline] + kfree+0xe6/0x320 mm/slub.c:4052 + mlxsw_core_reg_access_emad+0xd45/0x1410 drivers/net/ethernet/mellanox/mlxsw/core.c:1819 + mlxsw_core_reg_access+0xeb/0x540 drivers/net/ethernet/mellanox/mlxsw/core.c:1991 + mlxsw_sp_port_get_hw_xstats+0x335/0x7e0 drivers/net/ethernet/mellanox/mlxsw/spectrum.c:1130 + update_stats_cache+0xf4/0x140 
drivers/net/ethernet/mellanox/mlxsw/spectrum.c:1173 + process_one_work+0xa3e/0x17a0 kernel/workqueue.c:2269 + worker_thread+0x9e/0x1050 kernel/workqueue.c:2415 + kthread+0x355/0x470 kernel/kthread.c:291 + ret_from_fork+0x22/0x30 arch/x86/entry/entry_64.S:293 + +The buggy address belongs to the object at ffff88800b796400 + which belongs to the cache kmalloc-512 of size 512 +The buggy address is located 232 bytes inside of + 512-byte region [ffff88800b796400, ffff88800b796600) +The buggy address belongs to the page: +page:ffffea00002de500 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 head:ffffea00002de500 order:2 compound_mapcount:0 compound_pincount:0 +flags: 0x100000000010200(slab|head) +raw: 0100000000010200 dead000000000100 dead000000000122 ffff88806c402500 +raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff88800b796380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffff88800b796400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +>ffff88800b796480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff88800b796500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff88800b796580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + +Fixes: caf7297e7ab5 ("mlxsw: core: Introduce support for asynchronous EMAD register access") +Signed-off-by: Ido Schimmel +Reviewed-by: Jiri Pirko +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlxsw/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlxsw/core.c b/drivers/net/ethernet/mellanox/mlxsw/core.c +index 3cebea6f3e6ad..d8e7ca48753fb 100644 +--- a/drivers/net/ethernet/mellanox/mlxsw/core.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/core.c +@@ -1384,7 +1384,7 @@ static int mlxsw_core_reg_access_emad(struct mlxsw_core *mlxsw_core, + err = mlxsw_emad_reg_access(mlxsw_core, reg, payload, type, trans, + bulk_list, cb, cb_priv, tid); + if (err) { +- kfree(trans); ++ kfree_rcu(trans, rcu); + return err; + } + return 0; +-- +2.25.1 + diff --git a/queue-4.19/mlxsw-core-increase-scope-of-rcu-read-side-critical-.patch b/queue-4.19/mlxsw-core-increase-scope-of-rcu-read-side-critical-.patch new file mode 100644 index 00000000000..27a0c6494ab --- /dev/null +++ b/queue-4.19/mlxsw-core-increase-scope-of-rcu-read-side-critical-.patch 
@@ -0,0 +1,47 @@ +From c66d511754f9e63ee5d4d5821c643bea47c6afa9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Jul 2020 12:26:45 +0300 +Subject: mlxsw: core: Increase scope of RCU read-side critical section + +From: Ido Schimmel + +[ Upstream commit 7d8e8f3433dc8d1dc87c1aabe73a154978fb4c4d ] + +The lifetime of the Rx listener item ('rxl_item') is managed using RCU, +but is dereferenced outside of RCU read-side critical section, which can +lead to a use-after-free. + +Fix this by increasing the scope of the RCU read-side critical section. + +Fixes: 93c1edb27f9e ("mlxsw: Introduce Mellanox switch driver core") +Signed-off-by: Ido Schimmel +Reviewed-by: Jiri Pirko +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlxsw/core.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlxsw/core.c b/drivers/net/ethernet/mellanox/mlxsw/core.c +index e180ec4f1a248..3cebea6f3e6ad 100644 +--- a/drivers/net/ethernet/mellanox/mlxsw/core.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/core.c +@@ -1605,11 +1605,13 @@ void mlxsw_core_skb_receive(struct mlxsw_core *mlxsw_core, struct sk_buff *skb, + break; + } + } +- rcu_read_unlock(); +- if (!found) ++ if (!found) { ++ rcu_read_unlock(); + goto drop; ++ } + + rxl->func(skb, local_port, rxl_item->priv); ++ rcu_read_unlock(); + return; + + drop: +-- +2.25.1 + diff --git a/queue-4.19/net-ethernet-ravb-exit-if-re-initialization-fails-in.patch b/queue-4.19/net-ethernet-ravb-exit-if-re-initialization-fails-in.patch new file mode 100644 index 00000000000..80bd127dd60 --- /dev/null +++ b/queue-4.19/net-ethernet-ravb-exit-if-re-initialization-fails-in.patch 
@@ -0,0 +1,91 @@ +From 1844ba03930381d4dfd0b3fdd656f11a282c7d8d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Jul 2020 15:23:12 +0900 +Subject: net: ethernet: ravb: exit if re-initialization fails in tx timeout + +From: Yoshihiro Shimoda + +[ Upstream commit 015c5d5e6aa3523c758a70eb87b291cece2dbbb4 ] + +According to the report of [1], this driver is possible to cause +the following error in ravb_tx_timeout_work(). + +ravb e6800000.ethernet ethernet: failed to switch device to config mode + +This error means that the hardware could not change the state +from "Operation" to "Configuration" while some tx and/or rx queue +are operating. After that, ravb_config() in ravb_dmac_init() will fail, +and then any descriptors will be not allocaled anymore so that NULL +pointer dereference happens after that on ravb_start_xmit(). + +To fix the issue, the ravb_tx_timeout_work() should check +the return values of ravb_stop_dma() and ravb_dmac_init(). +If ravb_stop_dma() fails, ravb_tx_timeout_work() re-enables TX and RX +and just exits. If ravb_dmac_init() fails, just exits. + +[1] +https://lore.kernel.org/linux-renesas-soc/20200518045452.2390-1-dirk.behme@de.bosch.com/ + +Reported-by: Dirk Behme +Signed-off-by: Yoshihiro Shimoda +Reviewed-by: Sergei Shtylyov +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/renesas/ravb_main.c | 26 ++++++++++++++++++++++-- + 1 file changed, 24 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c +index faaf74073a120..569e698b5c807 100644 +--- a/drivers/net/ethernet/renesas/ravb_main.c ++++ b/drivers/net/ethernet/renesas/ravb_main.c +@@ -1445,6 +1445,7 @@ static void ravb_tx_timeout_work(struct work_struct *work) + struct ravb_private *priv = container_of(work, struct ravb_private, + work); + struct net_device *ndev = priv->ndev; ++ int error; + + netif_tx_stop_all_queues(ndev); + +@@ -1453,15 +1454,36 @@ static void ravb_tx_timeout_work(struct work_struct *work) + ravb_ptp_stop(ndev); + + /* Wait for DMA stopping */ +- ravb_stop_dma(ndev); ++ if (ravb_stop_dma(ndev)) { ++ /* If ravb_stop_dma() fails, the hardware is still operating ++ * for TX and/or RX. So, this should not call the following ++ * functions because ravb_dmac_init() is possible to fail too. ++ * Also, this should not retry ravb_stop_dma() again and again ++ * here because it's possible to wait forever. So, this just ++ * re-enables the TX and RX and skip the following ++ * re-initialization procedure. ++ */ ++ ravb_rcv_snd_enable(ndev); ++ goto out; ++ } + + ravb_ring_free(ndev, RAVB_BE); + ravb_ring_free(ndev, RAVB_NC); + + /* Device init */ +- ravb_dmac_init(ndev); ++ error = ravb_dmac_init(ndev); ++ if (error) { ++ /* If ravb_dmac_init() fails, descriptors are freed. So, this ++ * should return here to avoid re-enabling the TX and RX in ++ * ravb_emac_init(). ++ */ ++ netdev_err(ndev, "%s: ravb_dmac_init() failed, error %d\n", ++ __func__, error); ++ return; ++ } + ravb_emac_init(ndev); + ++out: + /* Initialise PTP Clock driver */ + if (priv->chip_id == RCAR_GEN2) + ravb_ptp_init(ndev, priv->pdev); +-- +2.25.1 + 
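Review bot: in ravb_tx_timeout_work(), the new ravb_stop_dma() failure branch jumps to out without logging anything, while the ravb_dmac_init() failure branch reports through netdev_err(); add a matching netdev_err() before ravb_rcv_snd_enable(ndev) so a DMA engine that refuses to stop is visible in the log. The ravb_dmac_init() branch also returns after the earlier netif_tx_stop_all_queues(ndev) call and skips everything from the out: label onward, so its comment should say that the interface is intentionally left stopped in that case and how it is expected to recover.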
diff --git a/queue-4.19/net-gemini-fix-missing-clk_disable_unprepare-in-erro.patch b/queue-4.19/net-gemini-fix-missing-clk_disable_unprepare-in-erro.patch new file mode 100644 index 00000000000..329122b768d --- /dev/null +++ b/queue-4.19/net-gemini-fix-missing-clk_disable_unprepare-in-erro.patch @@ -0,0 +1,49 @@ +From 7b53f434172eb488a1fc84fe93af65df261e9287 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Jul 2020 15:30:00 +0800 +Subject: net: gemini: Fix missing clk_disable_unprepare() in error path of + gemini_ethernet_port_probe() + +From: Wang Hai + +[ Upstream commit 85496a29224188051b6135eb38da8afd4c584765 ] + +Fix the missing clk_disable_unprepare() before return +from gemini_ethernet_port_probe() in the error handling case. + +Fixes: 4d5ae32f5e1e ("net: ethernet: Add a driver for Gemini gigabit ethernet") +Reported-by: Hulk Robot +Signed-off-by: Wang Hai +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cortina/gemini.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/cortina/gemini.c b/drivers/net/ethernet/cortina/gemini.c +index 01a2120978360..f402af39da42a 100644 +--- a/drivers/net/ethernet/cortina/gemini.c ++++ b/drivers/net/ethernet/cortina/gemini.c +@@ -2451,6 +2451,7 @@ static int gemini_ethernet_port_probe(struct platform_device *pdev) + port->reset = devm_reset_control_get_exclusive(dev, NULL); + if (IS_ERR(port->reset)) { + dev_err(dev, "no reset\n"); ++ clk_disable_unprepare(port->pclk); + return PTR_ERR(port->reset); + } + reset_control_reset(port->reset); +@@ -2506,8 +2507,10 @@ static int gemini_ethernet_port_probe(struct platform_device *pdev) + IRQF_SHARED, + port_names[port->id], + port); +- if (ret) ++ if (ret) { ++ clk_disable_unprepare(port->pclk); + return ret; ++ } + + ret = register_netdev(netdev); + if (!ret) { +-- +2.25.1 + 
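Review bot: both error paths touched in gemini_ethernet_port_probe() now repeat clk_disable_unprepare(port->pclk) inline; a single unwind label reached with goto would keep the cleanup in one place and make it harder for the next added failure path to miss it. The second hunk ends at register_netdev(), whose failure handling is not visible here, so confirm that path also releases port->pclk.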
diff --git a/queue-4.19/net-lan78xx-add-missing-endpoint-sanity-check.patch b/queue-4.19/net-lan78xx-add-missing-endpoint-sanity-check.patch new file mode 100644 index 00000000000..1dafd10bb67 --- /dev/null +++ b/queue-4.19/net-lan78xx-add-missing-endpoint-sanity-check.patch @@ -0,0 +1,45 @@ +From 1ca9d969652cc898db5e0825b7e93c642e64c3f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Jul 2020 14:10:29 +0200 +Subject: net: lan78xx: add missing endpoint sanity check + +From: Johan Hovold + +[ Upstream commit 8d8e95fd6d69d774013f51e5f2ee10c6e6d1fc14 ] + +Add the missing endpoint sanity check to prevent a NULL-pointer +dereference should a malicious device lack the expected endpoints. + +Note that the driver has a broken endpoint-lookup helper, +lan78xx_get_endpoints(), which can end up accepting interfaces in an +altsetting without endpoints as long as *some* altsetting has a bulk-in +and a bulk-out endpoint. + +Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver") +Cc: Woojung.Huh@microchip.com +Signed-off-by: Johan Hovold +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/lan78xx.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c +index 92548887df2fe..2dff233814ea5 100644 +--- a/drivers/net/usb/lan78xx.c ++++ b/drivers/net/usb/lan78xx.c +@@ -3786,6 +3786,11 @@ static int lan78xx_probe(struct usb_interface *intf, + netdev->max_mtu = MAX_SINGLE_PACKET_SIZE; + netif_set_gso_max_size(netdev, MAX_SINGLE_PACKET_SIZE - MAX_HEADER); + ++ if (intf->cur_altsetting->desc.bNumEndpoints < 3) { ++ ret = -ENODEV; ++ goto out3; ++ } ++ + dev->ep_blkin = (intf->cur_altsetting)->endpoint + 0; + dev->ep_blkout = (intf->cur_altsetting)->endpoint + 1; + dev->ep_intr = (intf->cur_altsetting)->endpoint + 2; +-- +2.25.1 + 
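Review bot: in lan78xx_probe(), the new bNumEndpoints < 3 check only guarantees that three endpoint slots exist; the assignments that follow still take endpoint + 0, + 1 and + 2 by position as ep_blkin, ep_blkout and ep_intr without checking type or direction. Since the commit message already says lan78xx_get_endpoints() is broken, consider validating each descriptor with usb_endpoint_is_bulk_in(), usb_endpoint_is_bulk_out() and usb_endpoint_is_int_in() before the pointers are stored, and give the constant 3 a name so its link to the three assignments is explicit.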
diff --git a/queue-4.19/net-lan78xx-fix-transfer-buffer-memory-leak.patch b/queue-4.19/net-lan78xx-fix-transfer-buffer-memory-leak.patch new file mode 100644 index 00000000000..2a28c07efc5 --- /dev/null +++ b/queue-4.19/net-lan78xx-fix-transfer-buffer-memory-leak.patch @@ -0,0 +1,36 @@ +From c81578f38ddf12afccb584cc29493c1151dfdc0b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Jul 2020 14:10:30 +0200 +Subject: net: lan78xx: fix transfer-buffer memory leak + +From: Johan Hovold + +[ Upstream commit 63634aa679ba8b5e306ad0727120309ae6ba8a8e ] + +The interrupt URB transfer-buffer was never freed on disconnect or after +probe errors. + +Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver") +Cc: Woojung.Huh@microchip.com +Signed-off-by: Johan Hovold +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/lan78xx.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c +index 2dff233814ea5..d198f36785a46 100644 +--- a/drivers/net/usb/lan78xx.c ++++ b/drivers/net/usb/lan78xx.c +@@ -3815,6 +3815,7 @@ static int lan78xx_probe(struct usb_interface *intf, + usb_fill_int_urb(dev->urb_intr, dev->udev, + dev->pipe_intr, buf, maxp, + intr_complete, dev, period); ++ dev->urb_intr->transfer_flags |= URB_FREE_BUFFER; + } + } + +-- +2.25.1 + diff --git a/queue-4.19/net-mlx5-verify-hardware-supports-requested-ptp-func.patch b/queue-4.19/net-mlx5-verify-hardware-supports-requested-ptp-func.patch new file mode 100644 index 00000000000..48f4cc01fad --- /dev/null +++ b/queue-4.19/net-mlx5-verify-hardware-supports-requested-ptp-func.patch 
@@ -0,0 +1,62 @@ +From 46dd550f3da031813e848b57e536cc23c61e144d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Jul 2020 11:10:01 +0300 +Subject: net/mlx5: Verify Hardware supports requested ptp function on a given + pin + +From: Eran Ben Elisha + +[ Upstream commit 071995c877a8646209d55ff8edddd2b054e7424c ] + +Fix a bug where driver did not verify Hardware pin capabilities for +PTP functions. + +Fixes: ee7f12205abc ("net/mlx5e: Implement 1PPS support") +Signed-off-by: Eran Ben Elisha +Reviewed-by: Ariel Levkovich +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + .../ethernet/mellanox/mlx5/core/lib/clock.c | 23 ++++++++++++++++++- + 1 file changed, 22 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/clock.c b/drivers/net/ethernet/mellanox/mlx5/core/lib/clock.c +index 54f1a40a68edd..d359e850dbf07 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/lib/clock.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/clock.c +@@ -366,10 +366,31 @@ static int mlx5_ptp_enable(struct ptp_clock_info *ptp, + return 0; + } + ++enum { ++ MLX5_MTPPS_REG_CAP_PIN_X_MODE_SUPPORT_PPS_IN = BIT(0), ++ MLX5_MTPPS_REG_CAP_PIN_X_MODE_SUPPORT_PPS_OUT = BIT(1), ++}; ++ + static int mlx5_ptp_verify(struct ptp_clock_info *ptp, unsigned int pin, + enum ptp_pin_function func, unsigned int chan) + { +- return (func == PTP_PF_PHYSYNC) ? -EOPNOTSUPP : 0; ++ struct mlx5_clock *clock = container_of(ptp, struct mlx5_clock, ++ ptp_info); ++ ++ switch (func) { ++ case PTP_PF_NONE: ++ return 0; ++ case PTP_PF_EXTTS: ++ return !(clock->pps_info.pin_caps[pin] & ++ MLX5_MTPPS_REG_CAP_PIN_X_MODE_SUPPORT_PPS_IN); ++ case PTP_PF_PEROUT: ++ return !(clock->pps_info.pin_caps[pin] & ++ MLX5_MTPPS_REG_CAP_PIN_X_MODE_SUPPORT_PPS_OUT); ++ default: ++ return -EOPNOTSUPP; ++ } ++ ++ return -EOPNOTSUPP; + } + + static const struct ptp_clock_info mlx5_ptp_clock_info = { +-- +2.25.1 + 
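Review bot: in mlx5_ptp_verify(), the PTP_PF_EXTTS and PTP_PF_PEROUT cases return !(clock->pps_info.pin_caps[pin] & ...), which is 1 when the capability bit is missing, whereas every other failure in the function returns -EOPNOTSUPP; return -EOPNOTSUPP explicitly for an unsupported pin so callers see one error convention. The return -EOPNOTSUPP after the switch is unreachable because every case, including default, already returns, and pin indexes pin_caps[] with no range check in this function, so either check it here or note which caller guarantees the bound.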
diff --git a/queue-4.19/net-mlx5e-fix-bpf_prog-reference-count-leaks-in-mlx5.patch b/queue-4.19/net-mlx5e-fix-bpf_prog-reference-count-leaks-in-mlx5.patch new file mode 100644 index 00000000000..acc064f61f8 --- /dev/null +++ b/queue-4.19/net-mlx5e-fix-bpf_prog-reference-count-leaks-in-mlx5.patch 
@@ -0,0 +1,55 @@ +From 224dcc81ef9b5044dbabc698ec63437d3413e41c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Jul 2020 18:29:41 +0800 +Subject: net/mlx5e: fix bpf_prog reference count leaks in mlx5e_alloc_rq + +From: Xin Xiong + +[ Upstream commit e692139e6af339a1495ef401b2d95f7f9d1c7a44 ] + +The function invokes bpf_prog_inc(), which increases the reference +count of a bpf_prog object "rq->xdp_prog" if the object isn't NULL. + +The refcount leak issues take place in two error handling paths. When +either mlx5_wq_ll_create() or mlx5_wq_cyc_create() fails, the function +simply returns the error code and forgets to drop the reference count +increased earlier, causing a reference count leak of "rq->xdp_prog". + +Fix this issue by jumping to the error handling path err_rq_wq_destroy +while either function fails. + +Fixes: 422d4c401edd ("net/mlx5e: RX, Split WQ objects for different RQ types") +Signed-off-by: Xin Xiong +Signed-off-by: Xiyu Yang +Signed-off-by: Xin Tan +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index 7e6706333fa8d..51edc507b7b5d 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -519,7 +519,7 @@ static int mlx5e_alloc_rq(struct mlx5e_channel *c, + err = mlx5_wq_ll_create(mdev, &rqp->wq, rqc_wq, &rq->mpwqe.wq, + &rq->wq_ctrl); + if (err) +- return err; ++ goto err_rq_wq_destroy; + + rq->mpwqe.wq.db = &rq->mpwqe.wq.db[MLX5_RCV_DBR]; + +@@ -564,7 +564,7 @@ static int mlx5e_alloc_rq(struct mlx5e_channel *c, + err = mlx5_wq_cyc_create(mdev, &rqp->wq, rqc_wq, &rq->wqe.wq, + &rq->wq_ctrl); + if (err) +- return err; ++ goto err_rq_wq_destroy; + + rq->wqe.wq.db = &rq->wqe.wq.db[MLX5_RCV_DBR]; + +-- +2.25.1 + 
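Review bot: both hunks in mlx5e_alloc_rq() now jump to err_rq_wq_destroy when mlx5_wq_ll_create() or mlx5_wq_cyc_create() itself failed, so the cleanup under that label runs against an rq->wq_ctrl that was never successfully created. The label body is not part of this diff; confirm that the destroy step is safe on that state, or add a separate label that only drops the rq->xdp_prog reference taken by bpf_prog_inc().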
diff --git a/queue-4.19/nfc-s3fwrn5-add-missing-release-on-skb-in-s3fwrn5_re.patch b/queue-4.19/nfc-s3fwrn5-add-missing-release-on-skb-in-s3fwrn5_re.patch new file mode 100644 index 00000000000..434decad401 --- /dev/null +++ b/queue-4.19/nfc-s3fwrn5-add-missing-release-on-skb-in-s3fwrn5_re.patch @@ -0,0 +1,34 @@ +From 980c194d0a2c5aeb67872d8d8feaed38c795cad8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 18 Jul 2020 00:31:49 -0500 +Subject: nfc: s3fwrn5: add missing release on skb in s3fwrn5_recv_frame + +From: Navid Emamdoost + +[ Upstream commit 1e8fd3a97f2d83a7197876ceb4f37b4c2b00a0f3 ] + +The implementation of s3fwrn5_recv_frame() is supposed to consume skb on +all execution paths. Release skb before returning -ENODEV. + +Signed-off-by: Navid Emamdoost +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/nfc/s3fwrn5/core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/nfc/s3fwrn5/core.c b/drivers/nfc/s3fwrn5/core.c +index 9d9c8d57a042d..64b58455e620b 100644 +--- a/drivers/nfc/s3fwrn5/core.c ++++ b/drivers/nfc/s3fwrn5/core.c +@@ -209,6 +209,7 @@ int s3fwrn5_recv_frame(struct nci_dev *ndev, struct sk_buff *skb, + case S3FWRN5_MODE_FW: + return s3fwrn5_fw_recv_frame(ndev, skb); + default: ++ kfree_skb(skb); + return -ENODEV; + } + } +-- +2.25.1 + diff --git a/queue-4.19/parisc-add-support-for-cmpxchg-on-u8-pointers.patch b/queue-4.19/parisc-add-support-for-cmpxchg-on-u8-pointers.patch new file mode 100644 index 00000000000..8454d05b3c4 --- /dev/null +++ b/queue-4.19/parisc-add-support-for-cmpxchg-on-u8-pointers.patch 
@@ -0,0 +1,74 @@ +From 87d7bd4e301df54adae65f98ed712b740f7abc00 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 18 Jul 2020 16:10:21 -0400 +Subject: parisc: add support for cmpxchg on u8 pointers + +From: Liam Beguin + +[ Upstream commit b344d6a83d01c52fddbefa6b3b4764da5b1022a0 ] + +The kernel test bot reported[1] that using set_mask_bits on a u8 causes +the following issue on parisc: + + hppa-linux-ld: drivers/phy/ti/phy-tusb1210.o: in function `tusb1210_probe': + >> (.text+0x2f4): undefined reference to `__cmpxchg_called_with_bad_pointer' + >> hppa-linux-ld: (.text+0x324): undefined reference to `__cmpxchg_called_with_bad_pointer' + hppa-linux-ld: (.text+0x354): undefined reference to `__cmpxchg_called_with_bad_pointer' + +Add support for cmpxchg on u8 pointers. + +[1] https://lore.kernel.org/patchwork/patch/1272617/#1468946 + +Reported-by: kernel test robot +Signed-off-by: Liam Beguin +Tested-by: Dave Anglin +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + arch/parisc/include/asm/cmpxchg.h | 2 ++ + arch/parisc/lib/bitops.c | 12 ++++++++++++ + 2 files changed, 14 insertions(+) + +diff --git a/arch/parisc/include/asm/cmpxchg.h b/arch/parisc/include/asm/cmpxchg.h +index ab5c215cf46c3..0689585758717 100644 +--- a/arch/parisc/include/asm/cmpxchg.h ++++ b/arch/parisc/include/asm/cmpxchg.h +@@ -60,6 +60,7 @@ extern void __cmpxchg_called_with_bad_pointer(void); + extern unsigned long __cmpxchg_u32(volatile unsigned int *m, unsigned int old, + unsigned int new_); + extern u64 __cmpxchg_u64(volatile u64 *ptr, u64 old, u64 new_); ++extern u8 __cmpxchg_u8(volatile u8 *ptr, u8 old, u8 new_); + + /* don't worry...optimizer will get rid of most of this */ + static inline unsigned long +@@ -71,6 +72,7 @@ __cmpxchg(volatile void *ptr, unsigned long old, unsigned long new_, int size) + #endif + case 4: return __cmpxchg_u32((unsigned int *)ptr, + (unsigned int)old, (unsigned int)new_); ++ case 1: return __cmpxchg_u8((u8 *)ptr, (u8)old, (u8)new_); + } + 
__cmpxchg_called_with_bad_pointer(); + return old; +diff --git a/arch/parisc/lib/bitops.c b/arch/parisc/lib/bitops.c +index 70ffbcf889b8e..2e4d1f05a9264 100644 +--- a/arch/parisc/lib/bitops.c ++++ b/arch/parisc/lib/bitops.c +@@ -79,3 +79,15 @@ unsigned long __cmpxchg_u32(volatile unsigned int *ptr, unsigned int old, unsign + _atomic_spin_unlock_irqrestore(ptr, flags); + return (unsigned long)prev; + } ++ ++u8 __cmpxchg_u8(volatile u8 *ptr, u8 old, u8 new) ++{ ++ unsigned long flags; ++ u8 prev; ++ ++ _atomic_spin_lock_irqsave(ptr, flags); ++ if ((prev = *ptr) == old) ++ *ptr = new; ++ _atomic_spin_unlock_irqrestore(ptr, flags); ++ return prev; ++} +-- +2.25.1 + diff --git a/queue-4.19/qed-disable-mfw-indication-via-attention-spam-every-.patch b/queue-4.19/qed-disable-mfw-indication-via-attention-spam-every-.patch new file mode 100644 index 00000000000..50d6336dbba --- /dev/null +++ b/queue-4.19/qed-disable-mfw-indication-via-attention-spam-every-.patch 
@@ -0,0 +1,38 @@ +From d6040543a66789febfbfdc12c47088d30da7a2cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Jul 2020 18:08:05 -0400 +Subject: qed: Disable "MFW indication via attention" SPAM every 5 minutes + +From: Laurence Oberman + +[ Upstream commit 1d61e21852d3161f234b9656797669fe185c251b ] + +This is likely firmware causing this but its starting to annoy customers. +Change the message level to verbose to prevent the spam. +Note that this seems to only show up with ISCSI enabled on the HBA via the +qedi driver. + +Signed-off-by: Laurence Oberman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qed/qed_int.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/qlogic/qed/qed_int.c b/drivers/net/ethernet/qlogic/qed/qed_int.c +index f9e475075d3ea..61d5d76545687 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_int.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_int.c +@@ -1015,7 +1015,8 @@ static int qed_int_attentions(struct qed_hwfn *p_hwfn) + index, attn_bits, attn_acks, asserted_bits, + deasserted_bits, p_sb_attn_sw->known_attn); + } else if (asserted_bits == 0x100) { +- DP_INFO(p_hwfn, "MFW indication via attention\n"); ++ DP_VERBOSE(p_hwfn, NETIF_MSG_INTR, ++ "MFW indication via attention\n"); + } else { + DP_VERBOSE(p_hwfn, NETIF_MSG_INTR, + "MFW indication [deassertion]\n"); +-- +2.25.1 + diff --git a/queue-4.19/revert-i2c-cadence-fix-the-hold-bit-setting.patch b/queue-4.19/revert-i2c-cadence-fix-the-hold-bit-setting.patch new file mode 100644 index 00000000000..ffd5ee71ae8 --- /dev/null +++ b/queue-4.19/revert-i2c-cadence-fix-the-hold-bit-setting.patch 
@@ -0,0 +1,74 @@ +From 293fb05a2ce068b49bf594ea62f91dd4e16a5c74 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Jul 2020 19:25:49 +0530 +Subject: Revert "i2c: cadence: Fix the hold bit setting" + +From: Raviteja Narayanam + +[ Upstream commit 0db9254d6b896b587759e2c844c277fb1a6da5b9 ] + +This reverts commit d358def706880defa4c9e87381c5bf086a97d5f9. + +There are two issues with "i2c: cadence: Fix the hold bit setting" commit. + +1. In case of combined message request from user space, when the HOLD +bit is cleared in cdns_i2c_mrecv function, a STOP condition is sent +on the bus even before the last message is started. This is because when +the HOLD bit is cleared, the FIFOS are empty and there is no pending +transfer. The STOP condition should occur only after the last message +is completed. + +2. The code added by the commit is redundant. Driver is handling the +setting/clearing of HOLD bit in right way before the commit. + +The setting of HOLD bit based on 'bus_hold_flag' is taken care in +cdns_i2c_master_xfer function even before cdns_i2c_msend/cdns_i2c_recv +functions. + +The clearing of HOLD bit is taken care at the end of cdns_i2c_msend and +cdns_i2c_recv functions based on bus_hold_flag and byte count. +Since clearing of HOLD bit is done after the slave address is written to +the register (writing to address register triggers the message transfer), +it is ensured that STOP condition occurs at the right time after +completion of the pending transfer (last message). 
+ +Signed-off-by: Raviteja Narayanam +Acked-by: Michal Simek +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-cadence.c | 9 ++------- + 1 file changed, 2 insertions(+), 7 deletions(-) + +diff --git a/drivers/i2c/busses/i2c-cadence.c b/drivers/i2c/busses/i2c-cadence.c +index d917cefc5a19c..b136057182916 100644 +--- a/drivers/i2c/busses/i2c-cadence.c ++++ b/drivers/i2c/busses/i2c-cadence.c +@@ -382,10 +382,8 @@ static void cdns_i2c_mrecv(struct cdns_i2c *id) + * Check for the message size against FIFO depth and set the + * 'hold bus' bit if it is greater than FIFO depth. + */ +- if ((id->recv_count > CDNS_I2C_FIFO_DEPTH) || id->bus_hold_flag) ++ if (id->recv_count > CDNS_I2C_FIFO_DEPTH) + ctrl_reg |= CDNS_I2C_CR_HOLD; +- else +- ctrl_reg = ctrl_reg & ~CDNS_I2C_CR_HOLD; + + cdns_i2c_writereg(ctrl_reg, CDNS_I2C_CR_OFFSET); + +@@ -442,11 +440,8 @@ static void cdns_i2c_msend(struct cdns_i2c *id) + * Check for the message size against FIFO depth and set the + * 'hold bus' bit if it is greater than FIFO depth. + */ +- if ((id->send_count > CDNS_I2C_FIFO_DEPTH) || id->bus_hold_flag) ++ if (id->send_count > CDNS_I2C_FIFO_DEPTH) + ctrl_reg |= CDNS_I2C_CR_HOLD; +- else +- ctrl_reg = ctrl_reg & ~CDNS_I2C_CR_HOLD; +- + cdns_i2c_writereg(ctrl_reg, CDNS_I2C_CR_OFFSET); + + /* Clear the interrupts in interrupt status register. */ +-- +2.25.1 + diff --git a/queue-4.19/selftests-net-psock_fanout-fix-clang-issues-for-targ.patch b/queue-4.19/selftests-net-psock_fanout-fix-clang-issues-for-targ.patch new file mode 100644 index 00000000000..51d0c552b99 --- /dev/null +++ b/queue-4.19/selftests-net-psock_fanout-fix-clang-issues-for-targ.patch 
@@ -0,0 +1,42 @@ +From b59f1c355717b9730a7f41e8bc47cf7180016147 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Jul 2020 12:25:29 -0400 +Subject: selftests/net: psock_fanout: fix clang issues for target arch PowerPC + +From: Tanner Love + +[ Upstream commit 64f9ede2274980076423583683d44480909b7a40 ] + +Clang 9 threw: +warning: format specifies type 'unsigned short' but the argument has \ +type 'int' [-Wformat] + typeflags, PORT_BASE, PORT_BASE + port_off); + +Tested: make -C tools/testing/selftests TARGETS="net" run_tests + +Fixes: 77f65ebdca50 ("packet: packet fanout rollover during socket overload") +Signed-off-by: Tanner Love +Acked-by: Willem de Bruijn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/psock_fanout.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/net/psock_fanout.c b/tools/testing/selftests/net/psock_fanout.c +index bd9b9632c72b0..f496ba3b1cd37 100644 +--- a/tools/testing/selftests/net/psock_fanout.c ++++ b/tools/testing/selftests/net/psock_fanout.c +@@ -364,7 +364,8 @@ static int test_datapath(uint16_t typeflags, int port_off, + int fds[2], fds_udp[2][2], ret; + + fprintf(stderr, "\ntest: datapath 0x%hx ports %hu,%hu\n", +- typeflags, PORT_BASE, PORT_BASE + port_off); ++ typeflags, (uint16_t)PORT_BASE, ++ (uint16_t)(PORT_BASE + port_off)); + + fds[0] = sock_fanout_open(typeflags, 0); + fds[1] = sock_fanout_open(typeflags, 0); +-- +2.25.1 + diff --git a/queue-4.19/selftests-net-rxtimestamp-fix-clang-issues-for-targe.patch b/queue-4.19/selftests-net-rxtimestamp-fix-clang-issues-for-targe.patch new file mode 100644 index 00000000000..778079fd9eb --- /dev/null +++ b/queue-4.19/selftests-net-rxtimestamp-fix-clang-issues-for-targe.patch 
@@ -0,0 +1,43 @@ +From d68b1ad051fbf138a6636e1ad66952690875ad31 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Jul 2020 12:25:28 -0400 +Subject: selftests/net: rxtimestamp: fix clang issues for target arch PowerPC + +From: Tanner Love + +[ Upstream commit 955cbe91bcf782c09afe369c95a20f0a4b6dcc3c ] + +The signedness of char is implementation-dependent. Some systems +(including PowerPC and ARM) use unsigned char. Clang 9 threw: +warning: result of comparison of constant -1 with expression of type \ +'char' is always true [-Wtautological-constant-out-of-range-compare] + &arg_index)) != -1) { + +Tested: make -C tools/testing/selftests TARGETS="net" run_tests + +Fixes: 16e781224198 ("selftests/net: Add a test to validate behavior of rx timestamps") +Signed-off-by: Tanner Love +Acked-by: Willem de Bruijn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/networking/timestamping/rxtimestamp.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/networking/timestamping/rxtimestamp.c b/tools/testing/selftests/networking/timestamping/rxtimestamp.c +index 7a573fb4c1c4e..c6428f1ac22fb 100644 +--- a/tools/testing/selftests/networking/timestamping/rxtimestamp.c ++++ b/tools/testing/selftests/networking/timestamping/rxtimestamp.c +@@ -328,8 +328,7 @@ int main(int argc, char **argv) + bool all_tests = true; + int arg_index = 0; + int failures = 0; +- int s, t; +- char opt; ++ int s, t, opt; + + while ((opt = getopt_long(argc, argv, "", long_options, + &arg_index)) != -1) { +-- +2.25.1 + diff --git a/queue-4.19/series b/queue-4.19/series index 074c19294b9..428039e1700 100644 --- a/queue-4.19/series +++ b/queue-4.19/series 
@@ -22,3 +22,31 @@ random-fix-circular-include-dependency-on-arm64-after-addition-of-percpu.h.patch random32-remove-net_rand_state-from-the-latent-entropy-gcc-plugin.patch rds-prevent-kernel-infoleak-in-rds_notify_queue_get.patch xfs-fix-missed-wakeup-on-l_flush_wait.patch +xfrm-fix-crash-when-the-hold-queue-is-used.patch +selftests-net-rxtimestamp-fix-clang-issues-for-targe.patch +selftests-net-psock_fanout-fix-clang-issues-for-targ.patch +sh-fix-validation-of-system-call-number.patch +net-mlx5-verify-hardware-supports-requested-ptp-func.patch +net-lan78xx-add-missing-endpoint-sanity-check.patch +net-lan78xx-fix-transfer-buffer-memory-leak.patch +mlx4-disable-device-on-shutdown.patch +mlxsw-core-increase-scope-of-rcu-read-side-critical-.patch +mlxsw-core-free-emad-transactions-using-kfree_rcu.patch +ibmvnic-fix-irq-mapping-disposal-in-error-path.patch +bpf-fix-map-leak-in-hash_of_maps-map.patch +mac80211-mesh-free-ie-data-when-leaving-mesh.patch +mac80211-mesh-free-pending-skb-when-destroying-a-mpa.patch +arm64-alternatives-move-length-validation-inside-the.patch +arm64-csum-fix-handling-of-bad-packets.patch +bluetooth-fix-kernel-oops-in-store_pending_adv_repor.patch +net-gemini-fix-missing-clk_disable_unprepare-in-erro.patch +net-mlx5e-fix-bpf_prog-reference-count-leaks-in-mlx5.patch +usb-hso-fix-debug-compile-warning-on-sparc32.patch +qed-disable-mfw-indication-via-attention-spam-every-.patch +nfc-s3fwrn5-add-missing-release-on-skb-in-s3fwrn5_re.patch +parisc-add-support-for-cmpxchg-on-u8-pointers.patch +net-ethernet-ravb-exit-if-re-initialization-fails-in.patch +revert-i2c-cadence-fix-the-hold-bit-setting.patch +x86-unwind-orc-fix-orc-for-newly-forked-tasks.patch +cxgb4-add-missing-release-on-skb-in-uld_send.patch +xen-netfront-fix-potential-deadlock-in-xennet_remove.patch diff --git a/queue-4.19/sh-fix-validation-of-system-call-number.patch b/queue-4.19/sh-fix-validation-of-system-call-number.patch new file mode 100644 index 00000000000..d00f5ff9b59 
--- /dev/null +++ b/queue-4.19/sh-fix-validation-of-system-call-number.patch @@ -0,0 +1,57 @@ +From 64ee8ca747e14737793e33d69b742b4cec106039 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Jul 2020 01:13:19 +0200 +Subject: sh: Fix validation of system call number + +From: Michael Karcher + +[ Upstream commit 04a8a3d0a73f51c7c2da84f494db7ec1df230e69 ] + +The slow path for traced system call entries accessed a wrong memory +location to get the number of the maximum allowed system call number. +Renumber the numbered "local" label for the correct location to avoid +collisions with actual local labels. + +Signed-off-by: Michael Karcher +Tested-by: John Paul Adrian Glaubitz +Fixes: f3a8308864f920d2 ("sh: Add a few missing irqflags tracing markers.") +Signed-off-by: Rich Felker +Signed-off-by: Sasha Levin +--- + arch/sh/kernel/entry-common.S | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/sh/kernel/entry-common.S b/arch/sh/kernel/entry-common.S +index 28cc61216b649..ed5b758c650d7 100644 +--- a/arch/sh/kernel/entry-common.S ++++ b/arch/sh/kernel/entry-common.S +@@ -203,7 +203,7 @@ syscall_trace_entry: + mov.l @(OFF_R7,r15), r7 ! arg3 + mov.l @(OFF_R3,r15), r3 ! syscall_nr + ! +- mov.l 2f, r10 ! Number of syscalls ++ mov.l 6f, r10 ! Number of syscalls + cmp/hs r10, r3 + bf syscall_call + mov #-ENOSYS, r0 +@@ -357,7 +357,7 @@ ENTRY(system_call) + tst r9, r8 + bf syscall_trace_entry + ! +- mov.l 2f, r8 ! Number of syscalls ++ mov.l 6f, r8 ! Number of syscalls + cmp/hs r8, r3 + bt syscall_badsys + ! +@@ -396,7 +396,7 @@ syscall_exit: + #if !defined(CONFIG_CPU_SH2) + 1: .long TRA + #endif +-2: .long NR_syscalls ++6: .long NR_syscalls + 3: .long sys_call_table + 7: .long do_syscall_trace_enter + 8: .long do_syscall_trace_leave +-- +2.25.1 + diff --git a/queue-4.19/usb-hso-fix-debug-compile-warning-on-sparc32.patch b/queue-4.19/usb-hso-fix-debug-compile-warning-on-sparc32.patch new file mode 100644 index 00000000000..fc762ab8136 
--- /dev/null +++ b/queue-4.19/usb-hso-fix-debug-compile-warning-on-sparc32.patch 
@@ -0,0 +1,55 @@ +From 422ed34bb78a87ffe55b4dbea1a55f7a295eb9f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Jul 2020 13:05:13 +0200 +Subject: usb: hso: Fix debug compile warning on sparc32 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Geert Uytterhoeven + +[ Upstream commit e0484010ec05191a8edf980413fc92f28050c1cc ] + +On sparc32, tcflag_t is "unsigned long", unlike on all other +architectures, where it is "unsigned int": + + drivers/net/usb/hso.c: In function ‘hso_serial_set_termios’: + include/linux/kern_levels.h:5:18: warning: format ‘%d’ expects argument of type ‘unsigned int’, but argument 4 has type ‘tcflag_t {aka long unsigned int}’ [-Wformat=] + drivers/net/usb/hso.c:1393:3: note: in expansion of macro ‘hso_dbg’ + hso_dbg(0x16, "Termios called with: cflags new[%d] - old[%d]\n", + ^~~~~~~ + include/linux/kern_levels.h:5:18: warning: format ‘%d’ expects argument of type ‘unsigned int’, but argument 5 has type ‘tcflag_t {aka long unsigned int}’ [-Wformat=] + drivers/net/usb/hso.c:1393:3: note: in expansion of macro ‘hso_dbg’ + hso_dbg(0x16, "Termios called with: cflags new[%d] - old[%d]\n", + ^~~~~~~ + +As "unsigned long" is 32-bit on sparc32, fix this by casting all tcflag_t +parameters to "unsigned int". +While at it, use "%u" to format unsigned numbers. + +Signed-off-by: Geert Uytterhoeven +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/hso.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c +index 5251c5f6f96ed..61b9d33681484 100644 +--- a/drivers/net/usb/hso.c ++++ b/drivers/net/usb/hso.c +@@ -1403,8 +1403,9 @@ static void hso_serial_set_termios(struct tty_struct *tty, struct ktermios *old) + unsigned long flags; + + if (old) +- hso_dbg(0x16, "Termios called with: cflags new[%d] - old[%d]\n", +- tty->termios.c_cflag, old->c_cflag); ++ hso_dbg(0x16, "Termios called with: cflags new[%u] - old[%u]\n", ++ (unsigned int)tty->termios.c_cflag, ++ (unsigned int)old->c_cflag); + + /* the actual setup */ + spin_lock_irqsave(&serial->serial_lock, flags); +-- +2.25.1 + diff --git a/queue-4.19/x86-unwind-orc-fix-orc-for-newly-forked-tasks.patch b/queue-4.19/x86-unwind-orc-fix-orc-for-newly-forked-tasks.patch new file mode 100644 index 00000000000..910853ccdb9 --- /dev/null +++ b/queue-4.19/x86-unwind-orc-fix-orc-for-newly-forked-tasks.patch 
@@ -0,0 +1,57 @@ +From 32aaa8b3b9e3b4dee0f23e52acfd9f2570310be3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Jul 2020 09:04:25 -0500 +Subject: x86/unwind/orc: Fix ORC for newly forked tasks + +From: Josh Poimboeuf + +[ Upstream commit 372a8eaa05998cd45b3417d0e0ffd3a70978211a ] + +The ORC unwinder fails to unwind newly forked tasks which haven't yet +run on the CPU. It correctly reads the 'ret_from_fork' instruction +pointer from the stack, but it incorrectly interprets that value as a +call stack address rather than a "signal" one, so the address gets +incorrectly decremented in the call to orc_find(), resulting in bad ORC +data. + +Fix it by forcing 'ret_from_fork' frames to be signal frames. + +Reported-by: Wang ShaoBo +Signed-off-by: Josh Poimboeuf +Signed-off-by: Thomas Gleixner +Tested-by: Wang ShaoBo +Link: https://lkml.kernel.org/r/f91a8778dde8aae7f71884b5df2b16d552040441.1594994374.git.jpoimboe@redhat.com +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/unwind_orc.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/kernel/unwind_orc.c b/arch/x86/kernel/unwind_orc.c +index 2701b370e58fe..1d264ba1e56d1 100644 +--- a/arch/x86/kernel/unwind_orc.c ++++ b/arch/x86/kernel/unwind_orc.c +@@ -420,8 +420,11 @@ bool unwind_next_frame(struct unwind_state *state) + /* + * Find the orc_entry associated with the text address. + * +- * Decrement call return addresses by one so they work for sibling +- * calls and calls to noreturn functions. ++ * For a call frame (as opposed to a signal frame), state->ip points to ++ * the instruction after the call. That instruction's stack layout ++ * could be different from the call instruction's layout, for example ++ * if the call was to a noreturn function. So get the ORC data for the ++ * call instruction itself. + */ + orc = orc_find(state->signal ? 
state->ip : state->ip - 1); + if (!orc) +@@ -634,6 +637,7 @@ void __unwind_start(struct unwind_state *state, struct task_struct *task, + state->sp = task->thread.sp; + state->bp = READ_ONCE_NOCHECK(frame->bp); + state->ip = READ_ONCE_NOCHECK(frame->ret_addr); ++ state->signal = (void *)state->ip == ret_from_fork; + } + + if (get_stack_info((unsigned long *)state->sp, state->task, +-- +2.25.1 + diff --git a/queue-4.19/xen-netfront-fix-potential-deadlock-in-xennet_remove.patch b/queue-4.19/xen-netfront-fix-potential-deadlock-in-xennet_remove.patch new file mode 100644 index 00000000000..d4afa4cced4 --- /dev/null +++ b/queue-4.19/xen-netfront-fix-potential-deadlock-in-xennet_remove.patch 
@@ -0,0 +1,134 @@ +From fac19a5bcbb6afa63667c37576ce0f086ec7413f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Jul 2020 10:59:10 +0200 +Subject: xen-netfront: fix potential deadlock in xennet_remove() + +From: Andrea Righi + +[ Upstream commit c2c633106453611be07821f53dff9e93a9d1c3f0 ] + +There's a potential race in xennet_remove(); this is what the driver is +doing upon unregistering a network device: + + 1. state = read bus state + 2. if state is not "Closed": + 3. request to set state to "Closing" + 4. wait for state to be set to "Closing" + 5. request to set state to "Closed" + 6. wait for state to be set to "Closed" + +If the state changes to "Closed" immediately after step 1 we are stuck +forever in step 4, because the state will never go back from "Closed" to +"Closing". + +Make sure to check also for state == "Closed" in step 4 to prevent the +deadlock. + +Also add a 5 sec timeout any time we wait for the bus state to change, +to avoid getting stuck forever in wait_event(). + +Signed-off-by: Andrea Righi +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/xen-netfront.c | 64 +++++++++++++++++++++++++------------- + 1 file changed, 42 insertions(+), 22 deletions(-) + +diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c +index 6b4675a9494b2..c8e84276e6397 100644 +--- a/drivers/net/xen-netfront.c ++++ b/drivers/net/xen-netfront.c +@@ -63,6 +63,8 @@ module_param_named(max_queues, xennet_max_queues, uint, 0644); + MODULE_PARM_DESC(max_queues, + "Maximum number of queues per virtual interface"); + ++#define XENNET_TIMEOUT (5 * HZ) ++ + static const struct ethtool_ops xennet_ethtool_ops; + + struct netfront_cb { +@@ -1337,12 +1339,15 @@ static struct net_device *xennet_create_dev(struct xenbus_device *dev) + + netif_carrier_off(netdev); + +- xenbus_switch_state(dev, XenbusStateInitialising); +- wait_event(module_wq, +- xenbus_read_driver_state(dev->otherend) != +- XenbusStateClosed && +- xenbus_read_driver_state(dev->otherend) != +- XenbusStateUnknown); ++ do { ++ xenbus_switch_state(dev, XenbusStateInitialising); ++ err = wait_event_timeout(module_wq, ++ xenbus_read_driver_state(dev->otherend) != ++ XenbusStateClosed && ++ xenbus_read_driver_state(dev->otherend) != ++ XenbusStateUnknown, XENNET_TIMEOUT); ++ } while (!err); ++ + return netdev; + + exit: +@@ -2142,28 +2147,43 @@ static const struct attribute_group xennet_dev_group = { + }; + #endif /* CONFIG_SYSFS */ + +-static int xennet_remove(struct xenbus_device *dev) ++static void xennet_bus_close(struct xenbus_device *dev) + { +- struct netfront_info *info = dev_get_drvdata(&dev->dev); +- +- dev_dbg(&dev->dev, "%s\n", dev->nodename); ++ int ret; + +- if (xenbus_read_driver_state(dev->otherend) != XenbusStateClosed) { ++ if (xenbus_read_driver_state(dev->otherend) == XenbusStateClosed) ++ return; ++ do { + xenbus_switch_state(dev, XenbusStateClosing); +- wait_event(module_wq, +- xenbus_read_driver_state(dev->otherend) == +- XenbusStateClosing || +- xenbus_read_driver_state(dev->otherend) == +- 
XenbusStateUnknown); ++ ret = wait_event_timeout(module_wq, ++ xenbus_read_driver_state(dev->otherend) == ++ XenbusStateClosing || ++ xenbus_read_driver_state(dev->otherend) == ++ XenbusStateClosed || ++ xenbus_read_driver_state(dev->otherend) == ++ XenbusStateUnknown, ++ XENNET_TIMEOUT); ++ } while (!ret); ++ ++ if (xenbus_read_driver_state(dev->otherend) == XenbusStateClosed) ++ return; + ++ do { + xenbus_switch_state(dev, XenbusStateClosed); +- wait_event(module_wq, +- xenbus_read_driver_state(dev->otherend) == +- XenbusStateClosed || +- xenbus_read_driver_state(dev->otherend) == +- XenbusStateUnknown); +- } ++ ret = wait_event_timeout(module_wq, ++ xenbus_read_driver_state(dev->otherend) == ++ XenbusStateClosed || ++ xenbus_read_driver_state(dev->otherend) == ++ XenbusStateUnknown, ++ XENNET_TIMEOUT); ++ } while (!ret); ++} ++ ++static int xennet_remove(struct xenbus_device *dev) ++{ ++ struct netfront_info *info = dev_get_drvdata(&dev->dev); + ++ xennet_bus_close(dev); + xennet_disconnect_backend(info); + + if (info->netdev->reg_state == NETREG_REGISTERED) +-- +2.25.1 + diff --git a/queue-4.19/xfrm-fix-crash-when-the-hold-queue-is-used.patch b/queue-4.19/xfrm-fix-crash-when-the-hold-queue-is-used.patch new file mode 100644 index 00000000000..5acc9420ef0 --- /dev/null +++ b/queue-4.19/xfrm-fix-crash-when-the-hold-queue-is-used.patch 
@@ -0,0 +1,54 @@ +From 83ac19abce18534e415eedded32e614a532ef2cc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Jul 2020 10:34:27 +0200 +Subject: xfrm: Fix crash when the hold queue is used. + +From: Steffen Klassert + +[ Upstream commit 101dde4207f1daa1fda57d714814a03835dccc3f ] + +The commits "xfrm: Move dst->path into struct xfrm_dst" +and "net: Create and use new helper xfrm_dst_child()." +changed xfrm bundle handling under the assumption +that xdst->path and dst->child are not a NULL pointer +only if dst->xfrm is not a NULL pointer. That is true +with one exception. If the xfrm hold queue is used +to wait until a SA is installed by the key manager, +we create a dummy bundle without a valid dst->xfrm +pointer. The current xfrm bundle handling crashes +in that case. Fix this by extending the NULL check +of dst->xfrm with a test of the DST_XFRM_QUEUE flag. + +Fixes: 0f6c480f23f4 ("xfrm: Move dst->path into struct xfrm_dst") +Fixes: b92cf4aab8e6 ("net: Create and use new helper xfrm_dst_child().") +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + include/net/xfrm.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/include/net/xfrm.h b/include/net/xfrm.h +index f087c8d125b8f..3a0b5de742e9b 100644 +--- a/include/net/xfrm.h ++++ b/include/net/xfrm.h +@@ -1016,7 +1016,7 @@ struct xfrm_dst { + static inline struct dst_entry *xfrm_dst_path(const struct dst_entry *dst) + { + #ifdef CONFIG_XFRM +- if (dst->xfrm) { ++ if (dst->xfrm || (dst->flags & DST_XFRM_QUEUE)) { + const struct xfrm_dst *xdst = (const struct xfrm_dst *) dst; + + return xdst->path; +@@ -1028,7 +1028,7 @@ static inline struct dst_entry *xfrm_dst_path(const struct dst_entry *dst) + static inline struct dst_entry *xfrm_dst_child(const struct dst_entry *dst) + { + #ifdef CONFIG_XFRM +- if (dst->xfrm) { ++ if (dst->xfrm || (dst->flags & DST_XFRM_QUEUE)) { + struct xfrm_dst *xdst = (struct xfrm_dst *) dst; + return xdst->child; + } +-- +2.25.1 +
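Review bot: In the literal pool at the end of the syscall_exit hunk of arch/sh/kernel/entry-common.S, the renumbered `6: .long NR_syscalls` sits between `1:` and `3:` with nothing recording that both `syscall_trace_entry` and `system_call` load it through `6f`. A numeric local label binds `Nf` to the nearest following definition, which is how the traced path ended up comparing the syscall number in `cmp/hs` against the wrong word. A comment on the pool entry naming its two users, or a named label, would make a future collision visible in review.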
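Review bot: In the `hso_dbg()` call in hso_serial_set_termios() (drivers/net/usb/hso.c), `c_cflag` is a bit mask, so printing it with `%u` gives a decimal value that is hard to map back to individual termios flags. Since the format string is being touched anyway, `%#x` with the same `(unsigned int)` casts would fix the sparc32 warning and make the debug line readable.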
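Review bot: The added `state->signal = (void *)state->ip == ret_from_fork;` in __unwind_start() (arch/x86/kernel/unwind_orc.c) carries no comment, so the reason for it lives only in the commit message. The rewritten comment in unwind_next_frame() explains why call frames use `state->ip - 1`, but not that a task which has not yet run has `ret_from_fork` as its saved return address and must be looked up undecremented. One line above the assignment saying so would keep the two hunks readable together.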
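Review bot: In the xennet_create_dev() hunk of drivers/net/xen-netfront.c, `err` is reused to hold the return value of wait_event_timeout(), which is the remaining jiffies and therefore positive once the loop exits. The function returns `netdev` right after, so nothing misreads it today, but `err` is the variable the `exit:` path is built around, and any check added between the loop and the return would see a non-zero value. A separate `ret`, as xennet_bus_close() uses in the same patch, avoids that.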
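Review bot: Both `do { ... } while (!ret);` loops in xennet_bus_close() retry without limit, so if the other end never reaches the awaited state, removal still blocks indefinitely. The timeout only converts one endless sleep into a `xenbus_switch_state()` call every XENNET_TIMEOUT, which does not match the commit message's "avoid getting stuck forever". Consider a bounded retry count, or at least a warning on each timeout so a stuck removal shows up in the log. The hunk also drops `dev_dbg(&dev->dev, "%s\n", dev->nodename);` from xennet_remove() without the commit message mentioning it; keep it or note the removal.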
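Review bot: The condition `dst->xfrm || (dst->flags & DST_XFRM_QUEUE)` is now duplicated in xfrm_dst_path() and xfrm_dst_child() (include/net/xfrm.h) with no comment, and the cast to `struct xfrm_dst` that follows depends on it being right in both places. A small shared predicate, or a comment in each helper stating that hold-queue dummy bundles are xfrm_dst entries without a valid `dst->xfrm`, would keep the two checks from drifting apart.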