From: Sasha Levin Date: Sun, 1 Aug 2021 02:52:09 +0000 (-0400) Subject: Fixes for 5.10 X-Git-Tag: v4.4.278~40 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=accca32723694473870ad0c647234daddc81a7fa;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.10 Signed-off-by: Sasha Levin --- diff --git a/queue-5.10/bpf-fix-oob-read-when-printing-xdp-link-fdinfo.patch b/queue-5.10/bpf-fix-oob-read-when-printing-xdp-link-fdinfo.patch new file mode 100644 index 00000000000..731cb7ca266 --- /dev/null +++ b/queue-5.10/bpf-fix-oob-read-when-printing-xdp-link-fdinfo.patch @@ -0,0 +1,77 @@ +From 3ccfb3d50b5bec53dc73a378e504e92dd598d1bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jul 2021 09:51:34 +0100 +Subject: bpf: Fix OOB read when printing XDP link fdinfo + +From: Lorenz Bauer + +[ Upstream commit d6371c76e20d7d3f61b05fd67b596af4d14a8886 ] + +We got the following UBSAN report on one of our testing machines: + + ================================================================================ + UBSAN: array-index-out-of-bounds in kernel/bpf/syscall.c:2389:24 + index 6 is out of range for type 'char *[6]' + CPU: 43 PID: 930921 Comm: systemd-coredum Tainted: G O 5.10.48-cloudflare-kasan-2021.7.0 #1 + Hardware name: + Call Trace: + dump_stack+0x7d/0xa3 + ubsan_epilogue+0x5/0x40 + __ubsan_handle_out_of_bounds.cold+0x43/0x48 + ? seq_printf+0x17d/0x250 + bpf_link_show_fdinfo+0x329/0x380 + ? bpf_map_value_size+0xe0/0xe0 + ? put_files_struct+0x20/0x2d0 + ? __kasan_kmalloc.constprop.0+0xc2/0xd0 + seq_show+0x3f7/0x540 + seq_read_iter+0x3f8/0x1040 + seq_read+0x329/0x500 + ? seq_read_iter+0x1040/0x1040 + ? __fsnotify_parent+0x80/0x820 + ? __fsnotify_update_child_dentry_flags+0x380/0x380 + vfs_read+0x123/0x460 + ksys_read+0xed/0x1c0 + ? __x64_sys_pwrite64+0x1f0/0x1f0 + do_syscall_64+0x33/0x40 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + + ================================================================================ + ================================================================================ + UBSAN: object-size-mismatch in kernel/bpf/syscall.c:2384:2 + +From the report, we can infer that some array access in bpf_link_show_fdinfo at index 6 +is out of bounds. The obvious candidate is bpf_link_type_strs[BPF_LINK_TYPE_XDP] with +BPF_LINK_TYPE_XDP == 6. It turns out that BPF_LINK_TYPE_XDP is missing from bpf_types.h +and therefore doesn't have an entry in bpf_link_type_strs: + + pos: 0 + flags: 02000000 + mnt_id: 13 + link_type: (null) + link_id: 4 + prog_tag: bcf7977d3b93787c + prog_id: 4 + ifindex: 1 + +Fixes: aa8d3a716b59 ("bpf, xdp: Add bpf_link-based XDP attachment API") +Signed-off-by: Lorenz Bauer +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20210719085134.43325-2-lmb@cloudflare.com +Signed-off-by: Sasha Levin +--- + include/linux/bpf_types.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/include/linux/bpf_types.h b/include/linux/bpf_types.h +index 2e6f568377f1..a8137bb6dd3c 100644 +--- a/include/linux/bpf_types.h ++++ b/include/linux/bpf_types.h +@@ -133,4 +133,5 @@ BPF_LINK_TYPE(BPF_LINK_TYPE_CGROUP, cgroup) + BPF_LINK_TYPE(BPF_LINK_TYPE_ITER, iter) + #ifdef CONFIG_NET + BPF_LINK_TYPE(BPF_LINK_TYPE_NETNS, netns) ++BPF_LINK_TYPE(BPF_LINK_TYPE_XDP, xdp) + #endif +-- +2.30.2 + diff --git a/queue-5.10/can-hi311x-fix-a-signedness-bug-in-hi3110_cmd.patch b/queue-5.10/can-hi311x-fix-a-signedness-bug-in-hi3110_cmd.patch new file mode 100644 index 00000000000..97f97f86285 --- /dev/null +++ b/queue-5.10/can-hi311x-fix-a-signedness-bug-in-hi3110_cmd.patch @@ -0,0 +1,38 @@ +From 9a3bc639f96b98b7787e5a495a0be61bcb046b1b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Jul 2021 17:12:46 +0300 +Subject: can: hi311x: fix a signedness bug in hi3110_cmd() + +From: Dan Carpenter + +[ Upstream commit f6b3c7848e66e9046c8a79a5b88fd03461cc252b ] + +The hi3110_cmd() is supposed to return zero on success and negative +error codes on failure, but it was accidentally declared as a u8 when +it needs to be an int type. + +Fixes: 57e83fb9b746 ("can: hi311x: Add Holt HI-311x CAN driver") +Link: https://lore.kernel.org/r/20210729141246.GA1267@kili +Signed-off-by: Dan Carpenter +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/spi/hi311x.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/can/spi/hi311x.c b/drivers/net/can/spi/hi311x.c +index 73d48c3b8ded..7d2315c8cacb 100644 +--- a/drivers/net/can/spi/hi311x.c ++++ b/drivers/net/can/spi/hi311x.c +@@ -218,7 +218,7 @@ static int hi3110_spi_trans(struct spi_device *spi, int len) + return ret; + } + +-static u8 hi3110_cmd(struct spi_device *spi, u8 command) ++static int hi3110_cmd(struct spi_device *spi, u8 command) + { + struct hi3110_priv *priv = spi_get_drvdata(spi); + +-- +2.30.2 + diff --git a/queue-5.10/drm-msm-dp-initialize-the-intf_config-register.patch b/queue-5.10/drm-msm-dp-initialize-the-intf_config-register.patch new file mode 100644 index 00000000000..77894600601 --- /dev/null +++ b/queue-5.10/drm-msm-dp-initialize-the-intf_config-register.patch @@ -0,0 +1,38 @@ +From 3243fe42fe87da66708c71559a91641af70c1e63 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jul 2021 19:44:34 -0700 +Subject: drm/msm/dp: Initialize the INTF_CONFIG register + +From: Bjorn Andersson + +[ Upstream commit f9a39932fa54b6421e751ada7a285da809146421 ] + +Some bootloaders set the widebus enable bit in the INTF_CONFIG register, +but configuration of widebus isn't yet supported ensure that the +register has a known value, with widebus disabled. + +Fixes: c943b4948b58 ("drm/msm/dp: add displayPort driver support") +Signed-off-by: Bjorn Andersson +Reviewed-by: Stephen Boyd +Link: https://lore.kernel.org/r/20210722024434.3313167-1-bjorn.andersson@linaro.org +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dp/dp_catalog.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/msm/dp/dp_catalog.c b/drivers/gpu/drm/msm/dp/dp_catalog.c +index 4963bfe6a472..aeca8b2ac5c6 100644 +--- a/drivers/gpu/drm/msm/dp/dp_catalog.c ++++ b/drivers/gpu/drm/msm/dp/dp_catalog.c +@@ -740,6 +740,7 @@ int dp_catalog_panel_timing_cfg(struct dp_catalog *dp_catalog) + dp_write_link(catalog, REG_DP_HSYNC_VSYNC_WIDTH_POLARITY, + dp_catalog->width_blanking); + dp_write_link(catalog, REG_DP_ACTIVE_HOR_VER, dp_catalog->dp_active); ++ dp_write_p0(catalog, MMSS_DP_INTF_CONFIG, 0); + return 0; + } + +-- +2.30.2 + diff --git a/queue-5.10/drm-msm-dpu-fix-sm8250_mdp-register-length.patch b/queue-5.10/drm-msm-dpu-fix-sm8250_mdp-register-length.patch new file mode 100644 index 00000000000..627c2055848 --- /dev/null +++ b/queue-5.10/drm-msm-dpu-fix-sm8250_mdp-register-length.patch @@ -0,0 +1,39 @@ +From e135157775e8382283c8ebe8f7ece5bdcfa4d621 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Jun 2021 10:50:33 +0200 +Subject: drm/msm/dpu: Fix sm8250_mdp register length + +From: Robert Foss + +[ Upstream commit b910a0206b59eb90ea8ff76d146f4c3156da61e9 ] + +The downstream dts lists this value as 0x494, and not +0x45c. + +Fixes: af776a3e1c30 ("drm/msm/dpu: add SM8250 to hw catalog") +Signed-off-by: Robert Foss +Reviewed-by: Dmitry Baryshkov +Reviewed-by: AngeloGioacchino Del Regno +Link: https://lore.kernel.org/r/20210628085033.9905-1-robert.foss@linaro.org +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c +index 60b304b72b7c..b39980b9db1d 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c +@@ -168,7 +168,7 @@ static const struct dpu_mdp_cfg sc7180_mdp[] = { + static const struct dpu_mdp_cfg sm8250_mdp[] = { + { + .name = "top_0", .id = MDP_TOP, +- .base = 0x0, .len = 0x45C, ++ .base = 0x0, .len = 0x494, + .features = 0, + .highest_bank_bit = 0x3, /* TODO: 2 for LP_DDR4 */ + .clk_ctrls[DPU_CLK_CTRL_VIG0] = { +-- +2.30.2 + diff --git a/queue-5.10/i40e-fix-firmware-lldp-agent-related-warning.patch b/queue-5.10/i40e-fix-firmware-lldp-agent-related-warning.patch new file mode 100644 index 00000000000..1ca9b0976b1 --- /dev/null +++ b/queue-5.10/i40e-fix-firmware-lldp-agent-related-warning.patch @@ -0,0 +1,49 @@ +From f8216f0663d566cde91b3b05c654f2a6f040fe85 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 May 2021 18:41:26 +0200 +Subject: i40e: Fix firmware LLDP agent related warning + +From: Arkadiusz Kubalewski + +[ Upstream commit 71d6fdba4b2d82fdd883fec31dee77fbcf59773a ] + +Make warning meaningful for the user. + +Previously the trace: +"Starting FW LLDP agent failed: error: I40E_ERR_ADMIN_QUEUE_ERROR, I40E_AQ_RC_EAGAIN" +was produced when user tried to start Firmware LLDP agent, +just after it was stopped with sequence: +ethtool --set-priv-flags disable-fw-lldp on +ethtool --set-priv-flags disable-fw-lldp off +(without any delay between the commands) +At that point the firmware is still processing stop command, the behavior +is expected. + +Fixes: c1041d070437 ("i40e: Missing response checks in driver when starting/stopping FW LLDP") +Signed-off-by: Aleksandr Loktionov +Signed-off-by: Arkadiusz Kubalewski +Tested-by: Imam Hassan Reza Biswas +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_ethtool.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c +index 874073f7f024..a952ae07d253 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c +@@ -5106,6 +5106,10 @@ flags_complete: + dev_warn(&pf->pdev->dev, + "Device configuration forbids SW from starting the LLDP agent.\n"); + return -EINVAL; ++ case I40E_AQ_RC_EAGAIN: ++ dev_warn(&pf->pdev->dev, ++ "Stop FW LLDP agent command is still being processed, please try again in a second.\n"); ++ return -EBUSY; + default: + dev_warn(&pf->pdev->dev, + "Starting FW LLDP agent failed: error: %s, %s\n", +-- +2.30.2 + diff --git a/queue-5.10/i40e-fix-log-tc-creation-failure-when-max-num-of-que.patch b/queue-5.10/i40e-fix-log-tc-creation-failure-when-max-num-of-que.patch new file mode 100644 index 00000000000..354a9a393eb --- /dev/null +++ b/queue-5.10/i40e-fix-log-tc-creation-failure-when-max-num-of-que.patch @@ -0,0 +1,38 @@ +From 955a21b4fc4e6e41093568d35e97545bff481aac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Jun 2021 08:49:49 +0000 +Subject: i40e: Fix log TC creation failure when max num of queues is exceeded + +From: Jedrzej Jagielski + +[ Upstream commit ea52faae1d17cd3048681d86d2e8641f44de484d ] + +Fix missing failed message if driver does not have enough queues to +complete TC command. Without this fix no message is displayed in dmesg. + +Fixes: a9ce82f744dc ("i40e: Enable 'channel' mode in mqprio for TC configs") +Signed-off-by: Grzegorz Szczurek +Signed-off-by: Jedrzej Jagielski +Tested-by: Imam Hassan Reza Biswas +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_main.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c +index b3a9dec414a5..bc648ce0743c 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c +@@ -6933,6 +6933,8 @@ static int i40e_validate_mqprio_qopt(struct i40e_vsi *vsi, + } + if (vsi->num_queue_pairs < + (mqprio_qopt->qopt.offset[i] + mqprio_qopt->qopt.count[i])) { ++ dev_err(&vsi->back->pdev->dev, ++ "Failed to create traffic channel, insufficient number of queues.\n"); + return -EINVAL; + } + if (sum_max_rate > i40e_get_link_speed(vsi)) { +-- +2.30.2 + diff --git a/queue-5.10/i40e-fix-logic-of-disabling-queues.patch b/queue-5.10/i40e-fix-logic-of-disabling-queues.patch new file mode 100644 index 00000000000..4c09b838419 --- /dev/null +++ b/queue-5.10/i40e-fix-logic-of-disabling-queues.patch @@ -0,0 +1,159 @@ +From 1952ef82b04313dd812cca7514047a23338077c6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Apr 2021 19:49:47 +0200 +Subject: i40e: Fix logic of disabling queues + +From: Arkadiusz Kubalewski + +[ Upstream commit 65662a8dcdd01342b71ee44234bcfd0162e195af ] + +Correct the message flow between driver and firmware when disabling +queues. + +Previously in case of PF reset (due to required reinit after reconfig), +the error like: "VSI seid 397 Tx ring 60 disable timeout" could show up +occasionally. The error was not a real issue of hardware or firmware, +it was caused by wrong sequence of messages invoked by the driver. + +Fixes: 41c445ff0f48 ("i40e: main driver core") +Signed-off-by: Aleksandr Loktionov +Signed-off-by: Arkadiusz Kubalewski +Tested-by: Tony Brelinski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_main.c | 58 ++++++++++++--------- + 1 file changed, 34 insertions(+), 24 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c +index 52e31f712a54..112a18dd13c4 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c +@@ -4425,11 +4425,10 @@ int i40e_control_wait_tx_q(int seid, struct i40e_pf *pf, int pf_q, + } + + /** +- * i40e_vsi_control_tx - Start or stop a VSI's rings ++ * i40e_vsi_enable_tx - Start a VSI's rings + * @vsi: the VSI being configured +- * @enable: start or stop the rings + **/ +-static int i40e_vsi_control_tx(struct i40e_vsi *vsi, bool enable) ++static int i40e_vsi_enable_tx(struct i40e_vsi *vsi) + { + struct i40e_pf *pf = vsi->back; + int i, pf_q, ret = 0; +@@ -4438,7 +4437,7 @@ static int i40e_vsi_control_tx(struct i40e_vsi *vsi, bool enable) + for (i = 0; i < vsi->num_queue_pairs; i++, pf_q++) { + ret = i40e_control_wait_tx_q(vsi->seid, pf, + pf_q, +- false /*is xdp*/, enable); ++ false /*is xdp*/, true); + if (ret) + break; + +@@ -4447,7 +4446,7 @@ static int i40e_vsi_control_tx(struct i40e_vsi *vsi, bool enable) + + ret = i40e_control_wait_tx_q(vsi->seid, pf, + pf_q + vsi->alloc_queue_pairs, +- true /*is xdp*/, enable); ++ true /*is xdp*/, true); + if (ret) + break; + } +@@ -4545,32 +4544,25 @@ int i40e_control_wait_rx_q(struct i40e_pf *pf, int pf_q, bool enable) + } + + /** +- * i40e_vsi_control_rx - Start or stop a VSI's rings ++ * i40e_vsi_enable_rx - Start a VSI's rings + * @vsi: the VSI being configured +- * @enable: start or stop the rings + **/ +-static int i40e_vsi_control_rx(struct i40e_vsi *vsi, bool enable) ++static int i40e_vsi_enable_rx(struct i40e_vsi *vsi) + { + struct i40e_pf *pf = vsi->back; + int i, pf_q, ret = 0; + + pf_q = vsi->base_queue; + for (i = 0; i < vsi->num_queue_pairs; i++, pf_q++) { +- ret = i40e_control_wait_rx_q(pf, pf_q, enable); ++ ret = i40e_control_wait_rx_q(pf, pf_q, true); + if (ret) { + dev_info(&pf->pdev->dev, +- "VSI seid %d Rx ring %d %sable timeout\n", +- vsi->seid, pf_q, (enable ? "en" : "dis")); ++ "VSI seid %d Rx ring %d enable timeout\n", ++ vsi->seid, pf_q); + break; + } + } + +- /* Due to HW errata, on Rx disable only, the register can indicate done +- * before it really is. Needs 50ms to be sure +- */ +- if (!enable) +- mdelay(50); +- + return ret; + } + +@@ -4583,29 +4575,47 @@ int i40e_vsi_start_rings(struct i40e_vsi *vsi) + int ret = 0; + + /* do rx first for enable and last for disable */ +- ret = i40e_vsi_control_rx(vsi, true); ++ ret = i40e_vsi_enable_rx(vsi); + if (ret) + return ret; +- ret = i40e_vsi_control_tx(vsi, true); ++ ret = i40e_vsi_enable_tx(vsi); + + return ret; + } + ++#define I40E_DISABLE_TX_GAP_MSEC 50 ++ + /** + * i40e_vsi_stop_rings - Stop a VSI's rings + * @vsi: the VSI being configured + **/ + void i40e_vsi_stop_rings(struct i40e_vsi *vsi) + { ++ struct i40e_pf *pf = vsi->back; ++ int pf_q, err, q_end; ++ + /* When port TX is suspended, don't wait */ + if (test_bit(__I40E_PORT_SUSPENDED, vsi->back->state)) + return i40e_vsi_stop_rings_no_wait(vsi); + +- /* do rx first for enable and last for disable +- * Ignore return value, we need to shutdown whatever we can +- */ +- i40e_vsi_control_tx(vsi, false); +- i40e_vsi_control_rx(vsi, false); ++ q_end = vsi->base_queue + vsi->num_queue_pairs; ++ for (pf_q = vsi->base_queue; pf_q < q_end; pf_q++) ++ i40e_pre_tx_queue_cfg(&pf->hw, (u32)pf_q, false); ++ ++ for (pf_q = vsi->base_queue; pf_q < q_end; pf_q++) { ++ err = i40e_control_wait_rx_q(pf, pf_q, false); ++ if (err) ++ dev_info(&pf->pdev->dev, ++ "VSI seid %d Rx ring %d dissable timeout\n", ++ vsi->seid, pf_q); ++ } ++ ++ msleep(I40E_DISABLE_TX_GAP_MSEC); ++ pf_q = vsi->base_queue; ++ for (pf_q = vsi->base_queue; pf_q < q_end; pf_q++) ++ wr32(&pf->hw, I40E_QTX_ENA(pf_q), 0); ++ ++ i40e_vsi_wait_queues_disabled(vsi); + } + + /** +-- +2.30.2 + diff --git a/queue-5.10/i40e-fix-queue-to-tc-mapping-on-tx.patch b/queue-5.10/i40e-fix-queue-to-tc-mapping-on-tx.patch new file mode 100644 index 00000000000..f93a58ac5e8 --- /dev/null +++ b/queue-5.10/i40e-fix-queue-to-tc-mapping-on-tx.patch @@ -0,0 +1,118 @@ +From 54925b281319b53e825ddeb4c52d6cba91ed65e3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Jun 2021 00:47:03 +0000 +Subject: i40e: Fix queue-to-TC mapping on Tx + +From: Jedrzej Jagielski + +[ Upstream commit 89ec1f0886c127c7e41ac61a6b6d539f4fb2510b ] + +In SW DCB mode the packets sent receive incorrect UP tags. They are +constructed correctly and put into tx_ring, but UP is later remapped by +HW on the basis of TCTUPR register contents according to Tx queue +selected, and BW used is consistent with the new UP values. This is +caused by Tx queue selection in kernel not taking into account DCB +configuration. This patch fixes the issue by implementing the +ndo_select_queue NDO callback. + +Fixes: fd0a05ce74ef ("i40e: transmit, receive, and NAPI") +Signed-off-by: Arkadiusz Kubalewski +Signed-off-by: Jedrzej Jagielski +Tested-by: Imam Hassan Reza Biswas +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_main.c | 1 + + drivers/net/ethernet/intel/i40e/i40e_txrx.c | 50 +++++++++++++++++++++ + drivers/net/ethernet/intel/i40e/i40e_txrx.h | 2 + + 3 files changed, 53 insertions(+) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c +index 112a18dd13c4..b3a9dec414a5 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c +@@ -12809,6 +12809,7 @@ static const struct net_device_ops i40e_netdev_ops = { + .ndo_poll_controller = i40e_netpoll, + #endif + .ndo_setup_tc = __i40e_setup_tc, ++ .ndo_select_queue = i40e_lan_select_queue, + .ndo_set_features = i40e_set_features, + .ndo_set_vf_mac = i40e_ndo_set_vf_mac, + .ndo_set_vf_vlan = i40e_ndo_set_vf_port_vlan, +diff --git a/drivers/net/ethernet/intel/i40e/i40e_txrx.c b/drivers/net/ethernet/intel/i40e/i40e_txrx.c +index c40ac82db863..615802b07521 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_txrx.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_txrx.c +@@ -3524,6 +3524,56 @@ dma_error: + return -1; + } + ++static u16 i40e_swdcb_skb_tx_hash(struct net_device *dev, ++ const struct sk_buff *skb, ++ u16 num_tx_queues) ++{ ++ u32 jhash_initval_salt = 0xd631614b; ++ u32 hash; ++ ++ if (skb->sk && skb->sk->sk_hash) ++ hash = skb->sk->sk_hash; ++ else ++ hash = (__force u16)skb->protocol ^ skb->hash; ++ ++ hash = jhash_1word(hash, jhash_initval_salt); ++ ++ return (u16)(((u64)hash * num_tx_queues) >> 32); ++} ++ ++u16 i40e_lan_select_queue(struct net_device *netdev, ++ struct sk_buff *skb, ++ struct net_device __always_unused *sb_dev) ++{ ++ struct i40e_netdev_priv *np = netdev_priv(netdev); ++ struct i40e_vsi *vsi = np->vsi; ++ struct i40e_hw *hw; ++ u16 qoffset; ++ u16 qcount; ++ u8 tclass; ++ u16 hash; ++ u8 prio; ++ ++ /* is DCB enabled at all? */ ++ if (vsi->tc_config.numtc == 1) ++ return i40e_swdcb_skb_tx_hash(netdev, skb, ++ netdev->real_num_tx_queues); ++ ++ prio = skb->priority; ++ hw = &vsi->back->hw; ++ tclass = hw->local_dcbx_config.etscfg.prioritytable[prio]; ++ /* sanity check */ ++ if (unlikely(!(vsi->tc_config.enabled_tc & BIT(tclass)))) ++ tclass = 0; ++ ++ /* select a queue assigned for the given TC */ ++ qcount = vsi->tc_config.tc_info[tclass].qcount; ++ hash = i40e_swdcb_skb_tx_hash(netdev, skb, qcount); ++ ++ qoffset = vsi->tc_config.tc_info[tclass].qoffset; ++ return qoffset + hash; ++} ++ + /** + * i40e_xmit_xdp_ring - transmits an XDP buffer to an XDP Tx ring + * @xdpf: data to transmit +diff --git a/drivers/net/ethernet/intel/i40e/i40e_txrx.h b/drivers/net/ethernet/intel/i40e/i40e_txrx.h +index 2feed920ef8a..93ac201f68b8 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_txrx.h ++++ b/drivers/net/ethernet/intel/i40e/i40e_txrx.h +@@ -449,6 +449,8 @@ static inline unsigned int i40e_rx_pg_order(struct i40e_ring *ring) + + bool i40e_alloc_rx_buffers(struct i40e_ring *rxr, u16 cleaned_count); + netdev_tx_t i40e_lan_xmit_frame(struct sk_buff *skb, struct net_device *netdev); ++u16 i40e_lan_select_queue(struct net_device *netdev, struct sk_buff *skb, ++ struct net_device *sb_dev); + void i40e_clean_tx_ring(struct i40e_ring *tx_ring); + void i40e_clean_rx_ring(struct i40e_ring *rx_ring); + int i40e_setup_tx_descriptors(struct i40e_ring *tx_ring); +-- +2.30.2 + diff --git a/queue-5.10/ionic-count-csum_none-when-offload-enabled.patch b/queue-5.10/ionic-count-csum_none-when-offload-enabled.patch new file mode 100644 index 00000000000..f6e10c389c9 --- /dev/null +++ b/queue-5.10/ionic-count-csum_none-when-offload-enabled.patch @@ -0,0 +1,45 @@ +From 0e304fceb36b8b5d61e86428b98d0c0796ad0680 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Jul 2021 11:02:49 -0700 +Subject: ionic: count csum_none when offload enabled + +From: Shannon Nelson + +[ Upstream commit f07f9815b7046e25cc32bf8542c9c0bbc5eb6e0e ] + +Be sure to count the csum_none cases when csum offload is +enabled. + +Fixes: 0f3154e6bcb3 ("ionic: Add Tx and Rx handling") +Signed-off-by: Shannon Nelson +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/pensando/ionic/ionic_txrx.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/ethernet/pensando/ionic/ionic_txrx.c b/drivers/net/ethernet/pensando/ionic/ionic_txrx.c +index 52213fee054d..46dbb49f837c 100644 +--- a/drivers/net/ethernet/pensando/ionic/ionic_txrx.c ++++ b/drivers/net/ethernet/pensando/ionic/ionic_txrx.c +@@ -197,12 +197,11 @@ static void ionic_rx_clean(struct ionic_queue *q, + } + } + +- if (likely(netdev->features & NETIF_F_RXCSUM)) { +- if (comp->csum_flags & IONIC_RXQ_COMP_CSUM_F_CALC) { +- skb->ip_summed = CHECKSUM_COMPLETE; +- skb->csum = (__force __wsum)le16_to_cpu(comp->csum); +- stats->csum_complete++; +- } ++ if (likely(netdev->features & NETIF_F_RXCSUM) && ++ (comp->csum_flags & IONIC_RXQ_COMP_CSUM_F_CALC)) { ++ skb->ip_summed = CHECKSUM_COMPLETE; ++ skb->csum = (__force __wsum)le16_to_cpu(comp->csum); ++ stats->csum_complete++; + } else { + stats->csum_none++; + } +-- +2.30.2 + diff --git a/queue-5.10/ionic-fix-up-dim-accounting-for-tx-and-rx.patch b/queue-5.10/ionic-fix-up-dim-accounting-for-tx-and-rx.patch new file mode 100644 index 00000000000..d48109a0ec1 --- /dev/null +++ b/queue-5.10/ionic-fix-up-dim-accounting-for-tx-and-rx.patch @@ -0,0 +1,96 @@ +From 2accb06fc228cc427be58f69bb49b9f6b5a8eb5f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Jul 2021 11:02:48 -0700 +Subject: ionic: fix up dim accounting for tx and rx + +From: Shannon Nelson + +[ Upstream commit 76ed8a4a00b484dcccef819ef2618bcf8e46f560 ] + +We need to count the correct Tx and/or Rx packets for dynamic +interrupt moderation, depending on which we're processing on +the queue interrupt. + +Fixes: 04a834592bf5 ("ionic: dynamic interrupt moderation") +Signed-off-by: Shannon Nelson +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../net/ethernet/pensando/ionic/ionic_txrx.c | 28 ++++++++++++++----- + 1 file changed, 21 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/pensando/ionic/ionic_txrx.c b/drivers/net/ethernet/pensando/ionic/ionic_txrx.c +index ec064327c998..52213fee054d 100644 +--- a/drivers/net/ethernet/pensando/ionic/ionic_txrx.c ++++ b/drivers/net/ethernet/pensando/ionic/ionic_txrx.c +@@ -417,11 +417,12 @@ void ionic_rx_empty(struct ionic_queue *q) + } + } + +-static void ionic_dim_update(struct ionic_qcq *qcq) ++static void ionic_dim_update(struct ionic_qcq *qcq, int napi_mode) + { + struct dim_sample dim_sample; + struct ionic_lif *lif; + unsigned int qi; ++ u64 pkts, bytes; + + if (!qcq->intr.dim_coal_hw) + return; +@@ -429,10 +430,23 @@ static void ionic_dim_update(struct ionic_qcq *qcq) + lif = qcq->q.lif; + qi = qcq->cq.bound_q->index; + ++ switch (napi_mode) { ++ case IONIC_LIF_F_TX_DIM_INTR: ++ pkts = lif->txqstats[qi].pkts; ++ bytes = lif->txqstats[qi].bytes; ++ break; ++ case IONIC_LIF_F_RX_DIM_INTR: ++ pkts = lif->rxqstats[qi].pkts; ++ bytes = lif->rxqstats[qi].bytes; ++ break; ++ default: ++ pkts = lif->txqstats[qi].pkts + lif->rxqstats[qi].pkts; ++ bytes = lif->txqstats[qi].bytes + lif->rxqstats[qi].bytes; ++ break; ++ } ++ + dim_update_sample(qcq->cq.bound_intr->rearm_count, +- lif->txqstats[qi].pkts, +- lif->txqstats[qi].bytes, +- &dim_sample); ++ pkts, bytes, &dim_sample); + + net_dim(&qcq->dim, dim_sample); + } +@@ -453,7 +467,7 @@ int ionic_tx_napi(struct napi_struct *napi, int budget) + ionic_tx_service, NULL, NULL); + + if (work_done < budget && napi_complete_done(napi, work_done)) { +- ionic_dim_update(qcq); ++ ionic_dim_update(qcq, IONIC_LIF_F_TX_DIM_INTR); + flags |= IONIC_INTR_CRED_UNMASK; + cq->bound_intr->rearm_count++; + } +@@ -489,7 +503,7 @@ int ionic_rx_napi(struct napi_struct *napi, int budget) + ionic_rx_fill(cq->bound_q); + + if (work_done < budget && napi_complete_done(napi, work_done)) { +- ionic_dim_update(qcq); ++ ionic_dim_update(qcq, IONIC_LIF_F_RX_DIM_INTR); + flags |= IONIC_INTR_CRED_UNMASK; + cq->bound_intr->rearm_count++; + } +@@ -531,7 +545,7 @@ int ionic_txrx_napi(struct napi_struct *napi, int budget) + ionic_rx_fill_cb(rxcq->bound_q); + + if (rx_work_done < budget && napi_complete_done(napi, rx_work_done)) { +- ionic_dim_update(qcq); ++ ionic_dim_update(qcq, 0); + flags |= IONIC_INTR_CRED_UNMASK; + rxcq->bound_intr->rearm_count++; + } +-- +2.30.2 + diff --git a/queue-5.10/ionic-remove-intr-coalesce-update-from-napi.patch b/queue-5.10/ionic-remove-intr-coalesce-update-from-napi.patch new file mode 100644 index 00000000000..7b8bdbe81b2 --- /dev/null +++ b/queue-5.10/ionic-remove-intr-coalesce-update-from-napi.patch @@ -0,0 +1,65 @@ +From ca9cc8937b7ff02d5cabf48df05f9a8f687d0b76 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Jul 2021 11:02:47 -0700 +Subject: ionic: remove intr coalesce update from napi + +From: Shannon Nelson + +[ Upstream commit a6ff85e0a2d9d074a4b4c291ba9ec1e5b0aba22b ] + +Move the interrupt coalesce value update out of the napi +thread and into the dim_work thread and set it only when it +has actually changed. + +Fixes: 04a834592bf5 ("ionic: dynamic interrupt moderation") +Signed-off-by: Shannon Nelson +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/pensando/ionic/ionic_lif.c | 14 +++++++++++++- + drivers/net/ethernet/pensando/ionic/ionic_txrx.c | 4 ---- + 2 files changed, 13 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/pensando/ionic/ionic_lif.c b/drivers/net/ethernet/pensando/ionic/ionic_lif.c +index d0ae1cf43592..6dc7ce649448 100644 +--- a/drivers/net/ethernet/pensando/ionic/ionic_lif.c ++++ b/drivers/net/ethernet/pensando/ionic/ionic_lif.c +@@ -52,7 +52,19 @@ static void ionic_dim_work(struct work_struct *work) + cur_moder = net_dim_get_rx_moderation(dim->mode, dim->profile_ix); + qcq = container_of(dim, struct ionic_qcq, dim); + new_coal = ionic_coal_usec_to_hw(qcq->q.lif->ionic, cur_moder.usec); +- qcq->intr.dim_coal_hw = new_coal ? new_coal : 1; ++ new_coal = new_coal ? new_coal : 1; ++ ++ if (qcq->intr.dim_coal_hw != new_coal) { ++ unsigned int qi = qcq->cq.bound_q->index; ++ struct ionic_lif *lif = qcq->q.lif; ++ ++ qcq->intr.dim_coal_hw = new_coal; ++ ++ ionic_intr_coal_init(lif->ionic->idev.intr_ctrl, ++ lif->rxqcqs[qi]->intr.index, ++ qcq->intr.dim_coal_hw); ++ } ++ + dim->state = DIM_START_MEASURE; + } + +diff --git a/drivers/net/ethernet/pensando/ionic/ionic_txrx.c b/drivers/net/ethernet/pensando/ionic/ionic_txrx.c +index 909eca14f647..ec064327c998 100644 +--- a/drivers/net/ethernet/pensando/ionic/ionic_txrx.c ++++ b/drivers/net/ethernet/pensando/ionic/ionic_txrx.c +@@ -429,10 +429,6 @@ static void ionic_dim_update(struct ionic_qcq *qcq) + lif = qcq->q.lif; + qi = qcq->cq.bound_q->index; + +- ionic_intr_coal_init(lif->ionic->idev.intr_ctrl, +- lif->rxqcqs[qi]->intr.index, +- qcq->intr.dim_coal_hw); +- + dim_update_sample(qcq->cq.bound_intr->rearm_count, + lif->txqstats[qi].pkts, + lif->txqstats[qi].bytes, +-- +2.30.2 + diff --git a/queue-5.10/kvm-x86-check-the-right-feature-bit-for-msr_kvm_asyn.patch b/queue-5.10/kvm-x86-check-the-right-feature-bit-for-msr_kvm_asyn.patch new file mode 100644 index 00000000000..0ef398d7f4e --- /dev/null +++ b/queue-5.10/kvm-x86-check-the-right-feature-bit-for-msr_kvm_asyn.patch @@ -0,0 +1,49 @@ +From 63b73d649fe0f9fc9d9b3caaf39976a4c433ae4e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Jul 2021 14:30:18 +0200 +Subject: KVM: x86: Check the right feature bit for MSR_KVM_ASYNC_PF_ACK access + +From: Vitaly Kuznetsov + +[ Upstream commit 0a31df6823232516f61f174907e444f710941dfe ] + +MSR_KVM_ASYNC_PF_ACK MSR is part of interrupt based asynchronous page fault +interface and not the original (deprecated) KVM_FEATURE_ASYNC_PF. This is +stated in Documentation/virt/kvm/msr.rst. + +Fixes: 66570e966dd9 ("kvm: x86: only provide PV features if enabled in guest's CPUID") +Signed-off-by: Vitaly Kuznetsov +Reviewed-by: Maxim Levitsky +Reviewed-by: Oliver Upton +Message-Id: <20210722123018.260035-1-vkuznets@redhat.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/x86.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c +index 3ad6f77ea1c4..27faa00fff71 100644 +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -3205,7 +3205,7 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info) + return 1; + break; + case MSR_KVM_ASYNC_PF_ACK: +- if (!guest_pv_has(vcpu, KVM_FEATURE_ASYNC_PF)) ++ if (!guest_pv_has(vcpu, KVM_FEATURE_ASYNC_PF_INT)) + return 1; + if (data & 0x1) { + vcpu->arch.apf.pageready_pending = false; +@@ -3534,7 +3534,7 @@ int kvm_get_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info) + msr_info->data = vcpu->arch.apf.msr_int_val; + break; + case MSR_KVM_ASYNC_PF_ACK: +- if (!guest_pv_has(vcpu, KVM_FEATURE_ASYNC_PF)) ++ if (!guest_pv_has(vcpu, KVM_FEATURE_ASYNC_PF_INT)) + return 1; + + msr_info->data = 0; +-- +2.30.2 + diff --git a/queue-5.10/mac80211-fix-enabling-4-address-mode-on-a-sta-vif-af.patch b/queue-5.10/mac80211-fix-enabling-4-address-mode-on-a-sta-vif-af.patch new file mode 100644 index 00000000000..25ca319835b --- /dev/null +++ b/queue-5.10/mac80211-fix-enabling-4-address-mode-on-a-sta-vif-af.patch @@ -0,0 +1,92 @@ +From 7154b7330b6982cd980567b84e20272ba3b4ca5c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Jul 2021 07:01:11 +0200 +Subject: mac80211: fix enabling 4-address mode on a sta vif after assoc + +From: Felix Fietkau + +[ Upstream commit a5d3cbdb09ff1f52cbe040932e06c8b9915c6dad ] + +Notify the driver about the 4-address mode change and also send a nulldata +packet to the AP to notify it about the change + +Fixes: 1ff4e8f2dec8 ("mac80211: notify the driver when a sta uses 4-address mode") +Signed-off-by: Felix Fietkau +Link: https://lore.kernel.org/r/20210702050111.47546-1-nbd@nbd.name +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/cfg.c | 19 +++++++++++++++++++ + net/mac80211/ieee80211_i.h | 2 ++ + net/mac80211/mlme.c | 4 ++-- + 3 files changed, 23 insertions(+), 2 deletions(-) + +diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c +index 6a96deded763..e429dbb10df7 100644 +--- a/net/mac80211/cfg.c ++++ b/net/mac80211/cfg.c +@@ -152,6 +152,8 @@ static int ieee80211_change_iface(struct wiphy *wiphy, + struct vif_params *params) + { + struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev); ++ struct ieee80211_local *local = sdata->local; ++ struct sta_info *sta; + int ret; + + ret = ieee80211_if_change_type(sdata, type); +@@ -162,7 +164,24 @@ static int ieee80211_change_iface(struct wiphy *wiphy, + RCU_INIT_POINTER(sdata->u.vlan.sta, NULL); + ieee80211_check_fast_rx_iface(sdata); + } else if (type == NL80211_IFTYPE_STATION && params->use_4addr >= 0) { ++ struct ieee80211_if_managed *ifmgd = &sdata->u.mgd; ++ ++ if (params->use_4addr == ifmgd->use_4addr) ++ return 0; ++ + sdata->u.mgd.use_4addr = params->use_4addr; ++ if (!ifmgd->associated) ++ return 0; ++ ++ mutex_lock(&local->sta_mtx); ++ sta = sta_info_get(sdata, ifmgd->bssid); ++ if (sta) ++ drv_sta_set_4addr(local, sdata, &sta->sta, ++ params->use_4addr); ++ mutex_unlock(&local->sta_mtx); ++ ++ if (params->use_4addr) ++ ieee80211_send_4addr_nullfunc(local, sdata); + } + + if (sdata->vif.type == NL80211_IFTYPE_MONITOR) { +diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h +index a83f0c2fcdf7..7f2be08b72a5 100644 +--- a/net/mac80211/ieee80211_i.h ++++ b/net/mac80211/ieee80211_i.h +@@ -2051,6 +2051,8 @@ void ieee80211_dynamic_ps_timer(struct timer_list *t); + void ieee80211_send_nullfunc(struct ieee80211_local *local, + struct ieee80211_sub_if_data *sdata, + bool powersave); ++void ieee80211_send_4addr_nullfunc(struct ieee80211_local *local, ++ struct ieee80211_sub_if_data *sdata); + void ieee80211_sta_tx_notify(struct ieee80211_sub_if_data *sdata, + struct ieee80211_hdr *hdr, bool ack, u16 tx_time); + +diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c +index 142bb28199c4..32bc30ec50ec 100644 +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -1115,8 +1115,8 @@ void ieee80211_send_nullfunc(struct ieee80211_local *local, + ieee80211_tx_skb(sdata, skb); + } + +-static void ieee80211_send_4addr_nullfunc(struct ieee80211_local *local, +- struct ieee80211_sub_if_data *sdata) ++void ieee80211_send_4addr_nullfunc(struct ieee80211_local *local, ++ struct ieee80211_sub_if_data *sdata) + { + struct sk_buff *skb; + struct ieee80211_hdr *nullfunc; +-- +2.30.2 + diff --git a/queue-5.10/mlx4-fix-missing-error-code-in-mlx4_load_one.patch b/queue-5.10/mlx4-fix-missing-error-code-in-mlx4_load_one.patch new file mode 100644 index 00000000000..4f2c3a0ef65 --- /dev/null +++ b/queue-5.10/mlx4-fix-missing-error-code-in-mlx4_load_one.patch @@ -0,0 +1,42 @@ +From c5f2b99234e91052591656fb8823b0234eb53245 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Jul 2021 18:36:09 +0800 +Subject: mlx4: Fix missing error code in mlx4_load_one() + +From: Jiapeng Chong + +[ Upstream commit 7e4960b3d66d7248b23de3251118147812b42da2 ] + +The error code is missing in this code scenario, add the error code +'-EINVAL' to the return value 'err'. + +Eliminate the follow smatch warning: + +drivers/net/ethernet/mellanox/mlx4/main.c:3538 mlx4_load_one() warn: +missing error code 'err'. + +Reported-by: Abaci Robot +Fixes: 7ae0e400cd93 ("net/mlx4_core: Flexible (asymmetric) allocation of EQs and MSI-X vectors for PF/VFs") +Signed-off-by: Jiapeng Chong +Reviewed-by: Tariq Toukan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx4/main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx4/main.c b/drivers/net/ethernet/mellanox/mlx4/main.c +index 00c84656b2e7..28ac4693da3c 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/main.c ++++ b/drivers/net/ethernet/mellanox/mlx4/main.c +@@ -3535,6 +3535,7 @@ slave_start: + + if (!SRIOV_VALID_STATE(dev->flags)) { + mlx4_err(dev, "Invalid SRIOV state\n"); ++ err = -EINVAL; + goto err_close; + } + } +-- +2.30.2 + diff --git a/queue-5.10/net-llc-fix-skb_over_panic.patch b/queue-5.10/net-llc-fix-skb_over_panic.patch new file mode 100644 index 00000000000..54cec2625c4 --- /dev/null +++ b/queue-5.10/net-llc-fix-skb_over_panic.patch @@ -0,0 +1,161 @@ +From ab507b0ca15ceff9d1438e04754c8b10724e6624 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 25 Jul 2021 00:11:59 +0300 +Subject: net: llc: fix skb_over_panic + +From: Pavel Skripkin + +[ Upstream commit c7c9d2102c9c098916ab9e0ab248006107d00d6c ] + +Syzbot reported skb_over_panic() in llc_pdu_init_as_xid_cmd(). The +problem was in wrong LCC header manipulations. + +Syzbot's reproducer tries to send XID packet. llc_ui_sendmsg() is +doing following steps: + + 1. skb allocation with size = len + header size + len is passed from userpace and header size + is 3 since addr->sllc_xid is set. + + 2. skb_reserve() for header_len = 3 + 3. filling all other space with memcpy_from_msg() + +Ok, at this moment we have fully loaded skb, only headers needs to be +filled. + +Then code comes to llc_sap_action_send_xid_c(). This function pushes 3 +bytes for LLC PDU header and initializes it. Then comes +llc_pdu_init_as_xid_cmd(). It initalizes next 3 bytes *AFTER* LLC PDU +header and call skb_push(skb, 3). This looks wrong for 2 reasons: + + 1. Bytes rigth after LLC header are user data, so this function + was overwriting payload. + + 2. skb_push(skb, 3) call can cause skb_over_panic() since + all free space was filled in llc_ui_sendmsg(). (This can + happen is user passed 686 len: 686 + 14 (eth header) + 3 (LLC + header) = 703. SKB_DATA_ALIGN(703) = 704) + +So, in this patch I added 2 new private constansts: LLC_PDU_TYPE_U_XID +and LLC_PDU_LEN_U_XID. LLC_PDU_LEN_U_XID is used to correctly reserve +header size to handle LLC + XID case. LLC_PDU_TYPE_U_XID is used by +llc_pdu_header_init() function to push 6 bytes instead of 3. And finally +I removed skb_push() call from llc_pdu_init_as_xid_cmd(). + +This changes should not affect other parts of LLC, since after +all steps we just transmit buffer. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-and-tested-by: syzbot+5e5a981ad7cc54c4b2b4@syzkaller.appspotmail.com +Signed-off-by: Pavel Skripkin +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/net/llc_pdu.h | 31 +++++++++++++++++++++++-------- + net/llc/af_llc.c | 10 +++++++++- + net/llc/llc_s_ac.c | 2 +- + 3 files changed, 33 insertions(+), 10 deletions(-) + +diff --git a/include/net/llc_pdu.h b/include/net/llc_pdu.h +index c0f0a13ed818..49aa79c7b278 100644 +--- a/include/net/llc_pdu.h ++++ b/include/net/llc_pdu.h +@@ -15,9 +15,11 @@ + #include + + /* Lengths of frame formats */ +-#define LLC_PDU_LEN_I 4 /* header and 2 control bytes */ +-#define LLC_PDU_LEN_S 4 +-#define LLC_PDU_LEN_U 3 /* header and 1 control byte */ ++#define LLC_PDU_LEN_I 4 /* header and 2 control bytes */ ++#define LLC_PDU_LEN_S 4 ++#define LLC_PDU_LEN_U 3 /* header and 1 control byte */ ++/* header and 1 control byte and XID info */ ++#define LLC_PDU_LEN_U_XID (LLC_PDU_LEN_U + sizeof(struct llc_xid_info)) + /* Known SAP addresses */ + #define LLC_GLOBAL_SAP 0xFF + #define LLC_NULL_SAP 0x00 /* not network-layer visible */ +@@ -50,9 +52,10 @@ + #define LLC_PDU_TYPE_U_MASK 0x03 /* 8-bit control field */ + #define LLC_PDU_TYPE_MASK 0x03 + +-#define LLC_PDU_TYPE_I 0 /* first bit */ +-#define LLC_PDU_TYPE_S 1 /* first two bits */ +-#define LLC_PDU_TYPE_U 3 /* first two bits */ ++#define LLC_PDU_TYPE_I 0 /* first bit */ ++#define LLC_PDU_TYPE_S 1 /* first two bits */ ++#define LLC_PDU_TYPE_U 3 /* first two bits */ ++#define LLC_PDU_TYPE_U_XID 4 /* private type for detecting XID commands */ + + #define LLC_PDU_TYPE_IS_I(pdu) \ + ((!(pdu->ctrl_1 & LLC_PDU_TYPE_I_MASK)) ? 1 : 0) +@@ -230,9 +233,18 @@ static inline struct llc_pdu_un *llc_pdu_un_hdr(struct sk_buff *skb) + static inline void llc_pdu_header_init(struct sk_buff *skb, u8 type, + u8 ssap, u8 dsap, u8 cr) + { +- const int hlen = type == LLC_PDU_TYPE_U ? 3 : 4; ++ int hlen = 4; /* default value for I and S types */ + struct llc_pdu_un *pdu; + ++ switch (type) { ++ case LLC_PDU_TYPE_U: ++ hlen = 3; ++ break; ++ case LLC_PDU_TYPE_U_XID: ++ hlen = 6; ++ break; ++ } ++ + skb_push(skb, hlen); + skb_reset_network_header(skb); + pdu = llc_pdu_un_hdr(skb); +@@ -374,7 +386,10 @@ static inline void llc_pdu_init_as_xid_cmd(struct sk_buff *skb, + xid_info->fmt_id = LLC_XID_FMT_ID; /* 0x81 */ + xid_info->type = svcs_supported; + xid_info->rw = rx_window << 1; /* size of receive window */ +- skb_put(skb, sizeof(struct llc_xid_info)); ++ ++ /* no need to push/put since llc_pdu_header_init() has already ++ * pushed 3 + 3 bytes ++ */ + } + + /** +diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c +index 7180979114e4..ac5cadd02cfa 100644 +--- a/net/llc/af_llc.c ++++ b/net/llc/af_llc.c +@@ -98,8 +98,16 @@ static inline u8 llc_ui_header_len(struct sock *sk, struct sockaddr_llc *addr) + { + u8 rc = LLC_PDU_LEN_U; + +- if (addr->sllc_test || addr->sllc_xid) ++ if (addr->sllc_test) + rc = LLC_PDU_LEN_U; ++ else if (addr->sllc_xid) ++ /* We need to expand header to sizeof(struct llc_xid_info) ++ * since llc_pdu_init_as_xid_cmd() sets 4,5,6 bytes of LLC header ++ * as XID PDU. In llc_ui_sendmsg() we reserved header size and then ++ * filled all other space with user data. If we won't reserve this ++ * bytes, llc_pdu_init_as_xid_cmd() will overwrite user data ++ */ ++ rc = LLC_PDU_LEN_U_XID; + else if (sk->sk_type == SOCK_STREAM) + rc = LLC_PDU_LEN_I; + return rc; +diff --git a/net/llc/llc_s_ac.c b/net/llc/llc_s_ac.c +index 7ae4cc684d3a..9fa3342c7a82 100644 +--- a/net/llc/llc_s_ac.c ++++ b/net/llc/llc_s_ac.c +@@ -79,7 +79,7 @@ int llc_sap_action_send_xid_c(struct llc_sap *sap, struct sk_buff *skb) + struct llc_sap_state_ev *ev = llc_sap_ev(skb); + int rc; + +- llc_pdu_header_init(skb, LLC_PDU_TYPE_U, ev->saddr.lsap, ++ llc_pdu_header_init(skb, LLC_PDU_TYPE_U_XID, ev->saddr.lsap, + ev->daddr.lsap, LLC_PDU_CMD); + llc_pdu_init_as_xid_cmd(skb, LLC_XID_NULL_CLASS_2, 0); + rc = llc_mac_hdr_init(skb, ev->saddr.mac, ev->daddr.mac); +-- +2.30.2 + diff --git a/queue-5.10/net-mlx5-fix-flow-table-chaining.patch b/queue-5.10/net-mlx5-fix-flow-table-chaining.patch new file mode 100644 index 00000000000..4248068fdde --- /dev/null +++ b/queue-5.10/net-mlx5-fix-flow-table-chaining.patch @@ -0,0 +1,88 @@ +From dd163d8a8cf4935aaffd7cac49d55379daf56cca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Jul 2021 09:20:14 +0300 +Subject: net/mlx5: Fix flow table chaining + +From: Maor Gottlieb + +[ Upstream commit 8b54874ef1617185048029a3083d510569e93751 ] + +Fix a bug when flow table is created in priority that already +has other flow tables as shown in the below diagram. +If the new flow table (FT-B) has the lowest level in the priority, +we need to connect the flow tables from the previous priority (p0) +to this new table. In addition when this flow table is destroyed +(FT-B), we need to connect the flow tables from the previous +priority (p0) to the next level flow table (FT-C) in the same +priority of the destroyed table (if exists). + + --------- + |root_ns| + --------- + | + -------------------------------- + | | | + ---------- ---------- --------- + |p(prio)-x| | p-y | | p-n | + ---------- ---------- --------- + | | + ---------------- ------------------ + |ns(e.g bypass)| |ns(e.g. kernel) | + ---------------- ------------------ + | | | + ------- ------ ---- + | p0 | | p1 | |p2| + ------- ------ ---- + | | \ + -------- ------- ------ + | FT-A | |FT-B | |FT-C| + -------- ------- ------ + +Fixes: f90edfd279f3 ("net/mlx5_core: Connect flow tables") +Signed-off-by: Maor Gottlieb +Reviewed-by: Mark Bloch +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c +index 79fc5755735f..1d4b4e6f6fb4 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c +@@ -1024,17 +1024,19 @@ static int connect_fwd_rules(struct mlx5_core_dev *dev, + static int connect_flow_table(struct mlx5_core_dev *dev, struct mlx5_flow_table *ft, + struct fs_prio *prio) + { +- struct mlx5_flow_table *next_ft; ++ struct mlx5_flow_table *next_ft, *first_ft; + int err = 0; + + /* Connect_prev_fts and update_root_ft_create are mutually exclusive */ + +- if (list_empty(&prio->node.children)) { ++ first_ft = list_first_entry_or_null(&prio->node.children, ++ struct mlx5_flow_table, node.list); ++ if (!first_ft || first_ft->level > ft->level) { + err = connect_prev_fts(dev, ft, prio); + if (err) + return err; + +- next_ft = find_next_chained_ft(prio); ++ next_ft = first_ft ? first_ft : find_next_chained_ft(prio); + err = connect_fwd_rules(dev, ft, next_ft); + if (err) + return err; +@@ -2113,7 +2115,7 @@ static int disconnect_flow_table(struct mlx5_flow_table *ft) + node.list) == ft)) + return 0; + +- next_ft = find_next_chained_ft(prio); ++ next_ft = find_next_ft(ft); + err = connect_fwd_rules(dev, next_ft, ft); + if (err) + return err; +-- +2.30.2 + diff --git a/queue-5.10/net-mlx5e-fix-nullptr-in-mlx5e_hairpin_get_mdev.patch b/queue-5.10/net-mlx5e-fix-nullptr-in-mlx5e_hairpin_get_mdev.patch new file mode 100644 index 00000000000..c2834b46beb --- /dev/null +++ b/queue-5.10/net-mlx5e-fix-nullptr-in-mlx5e_hairpin_get_mdev.patch @@ -0,0 +1,97 @@ +From 941b1a55997b0264195f4be6389934fe3bce10e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Apr 2021 15:16:26 +0300 +Subject: net/mlx5e: Fix nullptr in mlx5e_hairpin_get_mdev() + +From: Dima Chumak + +[ Upstream commit b1c2f6312c5005c928a72e668bf305a589d828d4 ] + +The result of __dev_get_by_index() is not checked for NULL and then gets +dereferenced immediately. + +Also, __dev_get_by_index() must be called while holding either RTNL lock +or @dev_base_lock, which isn't satisfied by mlx5e_hairpin_get_mdev() or +its callers. This makes the underlying hlist_for_each_entry() loop not +safe, and can have adverse effects in itself. + +Fix by using dev_get_by_index() and handling nullptr return value when +ifindex device is not found. Update mlx5e_hairpin_get_mdev() callers to +check for possible PTR_ERR() result. + +Fixes: 77ab67b7f0f9 ("net/mlx5e: Basic setup of hairpin object") +Addresses-Coverity: ("Dereference null return value") +Signed-off-by: Dima Chumak +Reviewed-by: Vlad Buslov +Reviewed-by: Roi Dayan +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + .../net/ethernet/mellanox/mlx5/core/en_tc.c | 33 +++++++++++++++++-- + 1 file changed, 31 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c +index 59837af959d0..1ad1692a5b2d 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c +@@ -481,12 +481,32 @@ static void mlx5e_detach_mod_hdr(struct mlx5e_priv *priv, + static + struct mlx5_core_dev *mlx5e_hairpin_get_mdev(struct net *net, int ifindex) + { ++ struct mlx5_core_dev *mdev; + struct net_device *netdev; + struct mlx5e_priv *priv; + +- netdev = __dev_get_by_index(net, ifindex); ++ netdev = dev_get_by_index(net, ifindex); ++ if (!netdev) ++ return ERR_PTR(-ENODEV); ++ + priv = netdev_priv(netdev); +- return priv->mdev; ++ mdev = priv->mdev; ++ dev_put(netdev); ++ ++ /* Mirred tc action holds a refcount on the ifindex net_device (see ++ * net/sched/act_mirred.c:tcf_mirred_get_dev). So, it's okay to continue using mdev ++ * after dev_put(netdev), while we're in the context of adding a tc flow. ++ * ++ * The mdev pointer corresponds to the peer/out net_device of a hairpin. It is then ++ * stored in a hairpin object, which exists until all flows, that refer to it, get ++ * removed. ++ * ++ * On the other hand, after a hairpin object has been created, the peer net_device may ++ * be removed/unbound while there are still some hairpin flows that are using it. This ++ * case is handled by mlx5e_tc_hairpin_update_dead_peer, which is hooked to ++ * NETDEV_UNREGISTER event of the peer net_device. ++ */ ++ return mdev; + } + + static int mlx5e_hairpin_create_transport(struct mlx5e_hairpin *hp) +@@ -685,6 +705,10 @@ mlx5e_hairpin_create(struct mlx5e_priv *priv, struct mlx5_hairpin_params *params + + func_mdev = priv->mdev; + peer_mdev = mlx5e_hairpin_get_mdev(dev_net(priv->netdev), peer_ifindex); ++ if (IS_ERR(peer_mdev)) { ++ err = PTR_ERR(peer_mdev); ++ goto create_pair_err; ++ } + + pair = mlx5_core_hairpin_create(func_mdev, peer_mdev, params); + if (IS_ERR(pair)) { +@@ -823,6 +847,11 @@ static int mlx5e_hairpin_flow_add(struct mlx5e_priv *priv, + int err; + + peer_mdev = mlx5e_hairpin_get_mdev(dev_net(priv->netdev), peer_ifindex); ++ if (IS_ERR(peer_mdev)) { ++ NL_SET_ERR_MSG_MOD(extack, "invalid ifindex of mirred device"); ++ return PTR_ERR(peer_mdev); ++ } ++ + if (!MLX5_CAP_GEN(priv->mdev, hairpin) || !MLX5_CAP_GEN(peer_mdev, hairpin)) { + NL_SET_ERR_MSG_MOD(extack, "hairpin is not supported"); + return -EOPNOTSUPP; +-- +2.30.2 + diff --git a/queue-5.10/net-qrtr-fix-memory-leaks.patch b/queue-5.10/net-qrtr-fix-memory-leaks.patch new file mode 100644 index 00000000000..45fd32b3523 --- /dev/null +++ b/queue-5.10/net-qrtr-fix-memory-leaks.patch @@ -0,0 +1,66 @@ +From 027bb2a05d06ac57b4ab1df636568121a83b62b6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Jul 2021 18:31:32 +0300 +Subject: net: qrtr: fix memory leaks + +From: Pavel Skripkin + +[ Upstream commit 52f3456a96c06760b9bfae460e39596fec7af22e ] + +Syzbot reported memory leak in qrtr. The problem was in unputted +struct sock. qrtr_local_enqueue() function calls qrtr_port_lookup() +which takes sock reference if port was found. Then there is the following +check: + +if (!ipc || &ipc->sk == skb->sk) { + ... + return -ENODEV; +} + +Since we should drop the reference before returning from this function and +ipc can be non-NULL inside this if, we should add qrtr_port_put() inside +this if. + +The similar corner case is in qrtr_endpoint_post() as Manivannan +reported. In case of sock_queue_rcv_skb() failure we need to put +port reference to avoid leaking struct sock pointer. + +Fixes: e04df98adf7d ("net: qrtr: Remove receive worker") +Fixes: bdabad3e363d ("net: Add Qualcomm IPC router") +Reported-and-tested-by: syzbot+35a511c72ea7356cdcf3@syzkaller.appspotmail.com +Signed-off-by: Pavel Skripkin +Reviewed-by: Manivannan Sadhasivam +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/qrtr/qrtr.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/net/qrtr/qrtr.c b/net/qrtr/qrtr.c +index 0d9baddb9cd4..6826558483f9 100644 +--- a/net/qrtr/qrtr.c ++++ b/net/qrtr/qrtr.c +@@ -504,8 +504,10 @@ int qrtr_endpoint_post(struct qrtr_endpoint *ep, const void *data, size_t len) + if (!ipc) + goto err; + +- if (sock_queue_rcv_skb(&ipc->sk, skb)) ++ if (sock_queue_rcv_skb(&ipc->sk, skb)) { ++ qrtr_port_put(ipc); + goto err; ++ } + + qrtr_port_put(ipc); + } +@@ -830,6 +832,8 @@ static int qrtr_local_enqueue(struct qrtr_node *node, struct sk_buff *skb, + + ipc = qrtr_port_lookup(to->sq_port); + if (!ipc || &ipc->sk == skb->sk) { /* do not send to self */ ++ if (ipc) ++ qrtr_port_put(ipc); + kfree_skb(skb); + return -ENODEV; + } +-- +2.30.2 + diff --git a/queue-5.10/net-set-true-network-header-for-ecn-decapsulation.patch b/queue-5.10/net-set-true-network-header-for-ecn-decapsulation.patch new file mode 100644 index 00000000000..fe284e341ea --- /dev/null +++ b/queue-5.10/net-set-true-network-header-for-ecn-decapsulation.patch @@ -0,0 +1,97 @@ +From 5153f2fc5039e5ee4be6e07389639a457d4f2a8b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Jul 2021 20:01:28 +0300 +Subject: net: Set true network header for ECN decapsulation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Gilad Naaman + +[ Upstream commit 227adfb2b1dfbc53dfc53b9dd7a93a6298ff7c56 ] + +In cases where the header straight after the tunnel header was +another ethernet header (TEB), instead of the network header, +the ECN decapsulation code would treat the ethernet header as if +it was an IP header, resulting in mishandling and possible +wrong drops or corruption of the IP header. + +In this case, ECT(1) is sent, so IP_ECN_decapsulate tries to copy it to the +inner IPv4 header, and correct its checksum. + +The offset of the ECT bits in an IPv4 header corresponds to the +lower 2 bits of the second octet of the destination MAC address +in the ethernet header. +The IPv4 checksum corresponds to end of the source address. + +In order to reproduce: + + $ ip netns add A + $ ip netns add B + $ ip -n A link add _v0 type veth peer name _v1 netns B + $ ip -n A link set _v0 up + $ ip -n A addr add dev _v0 10.254.3.1/24 + $ ip -n A route add default dev _v0 scope global + $ ip -n B link set _v1 up + $ ip -n B addr add dev _v1 10.254.1.6/24 + $ ip -n B route add default dev _v1 scope global + $ ip -n B link add gre1 type gretap local 10.254.1.6 remote 10.254.3.1 key 0x49000000 + $ ip -n B link set gre1 up + + # Now send an IPv4/GRE/Eth/IPv4 frame where the outer header has ECT(1), + # and the inner header has no ECT bits set: + + $ cat send_pkt.py + #!/usr/bin/env python3 + from scapy.all import * + + pkt = IP(b'E\x01\x00\xa7\x00\x00\x00\x00@/`%\n\xfe\x03\x01\n\xfe\x01\x06 \x00eXI\x00' + b'\x00\x00\x18\xbe\x92\xa0\xee&\x18\xb0\x92\xa0l&\x08\x00E\x00\x00}\x8b\x85' + b'@\x00\x01\x01\xe4\xf2\x82\x82\x82\x01\x82\x82\x82\x02\x08\x00d\x11\xa6\xeb' + b'3\x1e\x1e\\xf3\\xf7`\x00\x00\x00\x00ZN\x00\x00\x00\x00\x00\x00\x10\x11\x12' + b'\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !"#$%&\'()*+,-./01234' + b'56789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ') + + send(pkt) + $ sudo ip netns exec B tcpdump -neqlllvi gre1 icmp & ; sleep 1 + $ sudo ip netns exec A python3 send_pkt.py + +In the original packet, the source/destinatio MAC addresses are +dst=18:be:92:a0:ee:26 src=18:b0:92:a0:6c:26 + +In the received packet, they are +dst=18:bd:92:a0:ee:26 src=18:b0:92:a0:6c:27 + +Thanks to Lahav Schlesinger and Isaac Garzon +for helping me pinpoint the origin. + +Fixes: b723748750ec ("tunnel: Propagate ECT(1) when decapsulating as recommended by RFC6040") +Cc: David S. Miller +Cc: Hideaki YOSHIFUJI +Cc: David Ahern +Cc: Jakub Kicinski +Cc: Toke Høiland-Jørgensen +Signed-off-by: Gilad Naaman +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/ip_tunnel.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c +index 0dca00745ac3..be75b409445c 100644 +--- a/net/ipv4/ip_tunnel.c ++++ b/net/ipv4/ip_tunnel.c +@@ -390,7 +390,7 @@ int ip_tunnel_rcv(struct ip_tunnel *tunnel, struct sk_buff *skb, + tunnel->i_seqno = ntohl(tpi->seq) + 1; + } + +- skb_reset_network_header(skb); ++ skb_set_network_header(skb, (tunnel->dev->type == ARPHRD_ETHER) ? ETH_HLEN : 0); + + err = IP_ECN_decapsulate(iph, skb); + if (unlikely(err)) { +-- +2.30.2 + diff --git a/queue-5.10/netfilter-conntrack-adjust-stop-timestamp-to-real-ex.patch b/queue-5.10/netfilter-conntrack-adjust-stop-timestamp-to-real-ex.patch new file mode 100644 index 00000000000..4c90687e37c --- /dev/null +++ b/queue-5.10/netfilter-conntrack-adjust-stop-timestamp-to-real-ex.patch @@ -0,0 +1,44 @@ +From 8685bd1e19781d36ec6b234e1fba3f07e0d78866 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Jul 2021 18:36:00 +0200 +Subject: netfilter: conntrack: adjust stop timestamp to real expiry value + +From: Florian Westphal + +[ Upstream commit 30a56a2b881821625f79837d4d968c679852444e ] + +In case the entry is evicted via garbage collection there is +delay between the timeout value and the eviction event. + +This adjusts the stop value based on how much time has passed. + +Fixes: b87a2f9199ea82 ("netfilter: conntrack: add gc worker to remove timed-out entries") +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_core.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c +index ff0168736f6e..f9f2af26ccb3 100644 +--- a/net/netfilter/nf_conntrack_core.c ++++ b/net/netfilter/nf_conntrack_core.c +@@ -661,8 +661,13 @@ bool nf_ct_delete(struct nf_conn *ct, u32 portid, int report) + return false; + + tstamp = nf_conn_tstamp_find(ct); +- if (tstamp && tstamp->stop == 0) ++ if (tstamp) { ++ s32 timeout = ct->timeout - nfct_time_stamp; ++ + tstamp->stop = ktime_get_real_ns(); ++ if (timeout < 0) ++ tstamp->stop -= jiffies_to_nsecs(-timeout); ++ } + + if (nf_conntrack_event_report(IPCT_DESTROY, ct, + portid, report) < 0) { +-- +2.30.2 + diff --git a/queue-5.10/netfilter-nft_nat-allow-to-specify-layer-4-protocol-.patch b/queue-5.10/netfilter-nft_nat-allow-to-specify-layer-4-protocol-.patch new file mode 100644 index 00000000000..5cdfa3a540c --- /dev/null +++ b/queue-5.10/netfilter-nft_nat-allow-to-specify-layer-4-protocol-.patch @@ -0,0 +1,36 @@ +From cca5838a3c9ae1249b20deb1d724abe1193b0b21 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jul 2021 18:22:50 +0200 +Subject: netfilter: nft_nat: allow to specify layer 4 protocol NAT only + +From: Pablo Neira Ayuso + +[ Upstream commit a33f387ecd5aafae514095c2c4a8c24f7aea7e8b ] + +nft_nat reports a bogus EAFNOSUPPORT if no layer 3 information is specified. + +Fixes: d07db9884a5f ("netfilter: nf_tables: introduce nft_validate_register_load()") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_nat.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nft_nat.c b/net/netfilter/nft_nat.c +index 4bcf33b049c4..ea53fd999f46 100644 +--- a/net/netfilter/nft_nat.c ++++ b/net/netfilter/nft_nat.c +@@ -201,7 +201,9 @@ static int nft_nat_init(const struct nft_ctx *ctx, const struct nft_expr *expr, + alen = sizeof_field(struct nf_nat_range, min_addr.ip6); + break; + default: +- return -EAFNOSUPPORT; ++ if (tb[NFTA_NAT_REG_ADDR_MIN]) ++ return -EAFNOSUPPORT; ++ break; + } + priv->family = family; + +-- +2.30.2 + diff --git a/queue-5.10/octeontx2-pf-fix-interface-down-flag-on-error.patch b/queue-5.10/octeontx2-pf-fix-interface-down-flag-on-error.patch new file mode 100644 index 00000000000..05d08059056 --- /dev/null +++ b/queue-5.10/octeontx2-pf-fix-interface-down-flag-on-error.patch @@ -0,0 +1,89 @@ +From aead170e18f1a3cf686d9fd6482d287ed9869187 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 25 Jul 2021 13:29:03 +0530 +Subject: octeontx2-pf: Fix interface down flag on error + +From: Geetha sowjanya + +[ Upstream commit 69f0aeb13bb548e2d5710a350116e03f0273302e ] + +In the existing code while changing the number of TX/RX +queues using ethtool the PF/VF interface resources are +freed and reallocated (otx2_stop and otx2_open is called) +if the device is in running state. If any resource allocation +fails in otx2_open, driver free already allocated resources +and return. But again, when the number of queues changes +as the device state still running oxt2_stop is called. +In which we try to free already freed resources leading +to driver crash. +This patch fixes the issue by setting the INTF_DOWN flag on +error and free the resources in otx2_stop only if the flag is +not set. + +Fixes: 50fe6c02e5ad ("octeontx2-pf: Register and handle link notifications") +Signed-off-by: Geetha sowjanya +Signed-off-by: Sunil Kovvuri Goutham +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c | 7 +++---- + drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c | 5 +++++ + 2 files changed, 8 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c +index 662fb80dbb9d..c6d408de0605 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c +@@ -230,15 +230,14 @@ static int otx2_set_channels(struct net_device *dev, + err = otx2_set_real_num_queues(dev, channel->tx_count, + channel->rx_count); + if (err) +- goto fail; ++ return err; + + pfvf->hw.rx_queues = channel->rx_count; + pfvf->hw.tx_queues = channel->tx_count; + pfvf->qset.cq_cnt = pfvf->hw.tx_queues + pfvf->hw.rx_queues; + +-fail: + if (if_up) +- dev->netdev_ops->ndo_open(dev); ++ err = dev->netdev_ops->ndo_open(dev); + + netdev_info(dev, "Setting num Tx rings to %d, Rx rings to %d success\n", + pfvf->hw.tx_queues, pfvf->hw.rx_queues); +@@ -342,7 +341,7 @@ static int otx2_set_ringparam(struct net_device *netdev, + qs->rqe_cnt = rx_count; + + if (if_up) +- netdev->netdev_ops->ndo_open(netdev); ++ return netdev->netdev_ops->ndo_open(netdev); + + return 0; + } +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c +index 9fef9be015e5..044a5b1196ac 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c +@@ -1592,6 +1592,7 @@ int otx2_open(struct net_device *netdev) + err_tx_stop_queues: + netif_tx_stop_all_queues(netdev); + netif_carrier_off(netdev); ++ pf->flags |= OTX2_FLAG_INTF_DOWN; + err_free_cints: + otx2_free_cints(pf, qidx); + vec = pci_irq_vector(pf->pdev, +@@ -1619,6 +1620,10 @@ int otx2_stop(struct net_device *netdev) + struct otx2_rss_info *rss; + int qidx, vec, wrk; + ++ /* If the DOWN flag is set resources are already freed */ ++ if (pf->flags & OTX2_FLAG_INTF_DOWN) ++ return 0; ++ + netif_carrier_off(netdev); + netif_tx_stop_all_queues(netdev); + +-- +2.30.2 + diff --git a/queue-5.10/rdma-bnxt_re-fix-stats-counters.patch b/queue-5.10/rdma-bnxt_re-fix-stats-counters.patch new file mode 100644 index 00000000000..0c8416748ce --- /dev/null +++ b/queue-5.10/rdma-bnxt_re-fix-stats-counters.patch @@ -0,0 +1,110 @@ +From 182ef70324f44d55a36744050a1088698af4eab1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 11 Jul 2021 06:31:36 -0700 +Subject: RDMA/bnxt_re: Fix stats counters + +From: Naresh Kumar PBS + +[ Upstream commit 0c23af52ccd1605926480b5dfd1dd857ef604611 ] + +Statistical counters are not incrementing in some adapter versions with +newer FW. This is due to the stats context length mismatch between FW and +driver. Since the L2 driver updates the length correctly, use the stats +length from L2 driver while allocating the DMA'able memory and creating +the stats context. + +Fixes: 9d6b648c3112 ("bnxt_en: Update firmware interface spec to 1.10.1.65.") +Link: https://lore.kernel.org/r/1626010296-6076-1-git-send-email-selvin.xavier@broadcom.com +Signed-off-by: Naresh Kumar PBS +Signed-off-by: Selvin Xavier +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/main.c | 4 +++- + drivers/infiniband/hw/bnxt_re/qplib_res.c | 10 ++++------ + drivers/infiniband/hw/bnxt_re/qplib_res.h | 1 + + 3 files changed, 8 insertions(+), 7 deletions(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/main.c b/drivers/infiniband/hw/bnxt_re/main.c +index 04621ba8fa76..1fadca8af71a 100644 +--- a/drivers/infiniband/hw/bnxt_re/main.c ++++ b/drivers/infiniband/hw/bnxt_re/main.c +@@ -119,6 +119,7 @@ static int bnxt_re_setup_chip_ctx(struct bnxt_re_dev *rdev, u8 wqe_mode) + if (!chip_ctx) + return -ENOMEM; + chip_ctx->chip_num = bp->chip_num; ++ chip_ctx->hw_stats_size = bp->hw_ring_stats_size; + + rdev->chip_ctx = chip_ctx; + /* rest members to follow eventually */ +@@ -507,6 +508,7 @@ static int bnxt_re_net_stats_ctx_alloc(struct bnxt_re_dev *rdev, + dma_addr_t dma_map, + u32 *fw_stats_ctx_id) + { ++ struct bnxt_qplib_chip_ctx *chip_ctx = rdev->chip_ctx; + struct hwrm_stat_ctx_alloc_output resp = {0}; + struct hwrm_stat_ctx_alloc_input req = {0}; + struct bnxt_en_dev *en_dev = rdev->en_dev; +@@ -523,7 +525,7 @@ static int bnxt_re_net_stats_ctx_alloc(struct bnxt_re_dev *rdev, + bnxt_re_init_hwrm_hdr(rdev, (void *)&req, HWRM_STAT_CTX_ALLOC, -1, -1); + req.update_period_ms = cpu_to_le32(1000); + req.stats_dma_addr = cpu_to_le64(dma_map); +- req.stats_dma_length = cpu_to_le16(sizeof(struct ctx_hw_stats_ext)); ++ req.stats_dma_length = cpu_to_le16(chip_ctx->hw_stats_size); + req.stat_ctx_flags = STAT_CTX_ALLOC_REQ_STAT_CTX_FLAGS_ROCE; + bnxt_re_fill_fw_msg(&fw_msg, (void *)&req, sizeof(req), (void *)&resp, + sizeof(resp), DFLT_HWRM_CMD_TIMEOUT); +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_res.c b/drivers/infiniband/hw/bnxt_re/qplib_res.c +index 3ca47004b752..754dcebeb4ca 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_res.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_res.c +@@ -56,6 +56,7 @@ + static void bnxt_qplib_free_stats_ctx(struct pci_dev *pdev, + struct bnxt_qplib_stats *stats); + static int bnxt_qplib_alloc_stats_ctx(struct pci_dev *pdev, ++ struct bnxt_qplib_chip_ctx *cctx, + struct bnxt_qplib_stats *stats); + + /* PBL */ +@@ -559,7 +560,7 @@ int bnxt_qplib_alloc_ctx(struct bnxt_qplib_res *res, + goto fail; + stats_alloc: + /* Stats */ +- rc = bnxt_qplib_alloc_stats_ctx(res->pdev, &ctx->stats); ++ rc = bnxt_qplib_alloc_stats_ctx(res->pdev, res->cctx, &ctx->stats); + if (rc) + goto fail; + +@@ -889,15 +890,12 @@ static void bnxt_qplib_free_stats_ctx(struct pci_dev *pdev, + } + + static int bnxt_qplib_alloc_stats_ctx(struct pci_dev *pdev, ++ struct bnxt_qplib_chip_ctx *cctx, + struct bnxt_qplib_stats *stats) + { + memset(stats, 0, sizeof(*stats)); + stats->fw_id = -1; +- /* 128 byte aligned context memory is required only for 57500. +- * However making this unconditional, it does not harm previous +- * generation. +- */ +- stats->size = ALIGN(sizeof(struct ctx_hw_stats), 128); ++ stats->size = cctx->hw_stats_size; + stats->dma = dma_alloc_coherent(&pdev->dev, stats->size, + &stats->dma_map, GFP_KERNEL); + if (!stats->dma) { +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_res.h b/drivers/infiniband/hw/bnxt_re/qplib_res.h +index 7a1ab38b95da..58bad6f78456 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_res.h ++++ b/drivers/infiniband/hw/bnxt_re/qplib_res.h +@@ -60,6 +60,7 @@ struct bnxt_qplib_chip_ctx { + u16 chip_num; + u8 chip_rev; + u8 chip_metal; ++ u16 hw_stats_size; + struct bnxt_qplib_drv_modes modes; + }; + +-- +2.30.2 + diff --git a/queue-5.10/sctp-fix-return-value-check-in-__sctp_rcv_asconf_loo.patch b/queue-5.10/sctp-fix-return-value-check-in-__sctp_rcv_asconf_loo.patch new file mode 100644 index 00000000000..d729693d4a7 --- /dev/null +++ b/queue-5.10/sctp-fix-return-value-check-in-__sctp_rcv_asconf_loo.patch @@ -0,0 +1,38 @@ +From 64b50ed5db670ccfd3422e71ee00868ec3da8e06 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Jul 2021 23:40:54 -0300 +Subject: sctp: fix return value check in __sctp_rcv_asconf_lookup + +From: Marcelo Ricardo Leitner + +[ Upstream commit 557fb5862c9272ad9b21407afe1da8acfd9b53eb ] + +As Ben Hutchings noticed, this check should have been inverted: the call +returns true in case of success. + +Reported-by: Ben Hutchings +Fixes: 0c5dc070ff3d ("sctp: validate from_addr_param return") +Signed-off-by: Marcelo Ricardo Leitner +Reviewed-by: Xin Long +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sctp/input.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/sctp/input.c b/net/sctp/input.c +index f72bff93745c..ddb5b5c2550e 100644 +--- a/net/sctp/input.c ++++ b/net/sctp/input.c +@@ -1175,7 +1175,7 @@ static struct sctp_association *__sctp_rcv_asconf_lookup( + if (unlikely(!af)) + return NULL; + +- if (af->from_addr_param(&paddr, param, peer_port, 0)) ++ if (!af->from_addr_param(&paddr, param, peer_port, 0)) + return NULL; + + return __sctp_lookup_association(net, laddr, &paddr, transportp); +-- +2.30.2 + diff --git a/queue-5.10/series b/queue-5.10/series index fe10e918ec2..cbef3a7661b 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -25,3 +25,33 @@ drm-amdgpu-fix-resource-leak-on-probe-error-path.patch blk-iocost-fix-operation-ordering-in-iocg_wake_fn.patch nfc-nfcsim-fix-use-after-free-during-module-unload.patch cfg80211-fix-possible-memory-leak-in-function-cfg80211_bss_update.patch +rdma-bnxt_re-fix-stats-counters.patch +bpf-fix-oob-read-when-printing-xdp-link-fdinfo.patch +mac80211-fix-enabling-4-address-mode-on-a-sta-vif-af.patch +netfilter-conntrack-adjust-stop-timestamp-to-real-ex.patch +netfilter-nft_nat-allow-to-specify-layer-4-protocol-.patch +i40e-fix-logic-of-disabling-queues.patch +i40e-fix-firmware-lldp-agent-related-warning.patch +i40e-fix-queue-to-tc-mapping-on-tx.patch +i40e-fix-log-tc-creation-failure-when-max-num-of-que.patch +tipc-fix-implicit-connect-for-syn.patch +tipc-fix-sleeping-in-tipc-accept-routine.patch +net-set-true-network-header-for-ecn-decapsulation.patch +net-qrtr-fix-memory-leaks.patch +ionic-remove-intr-coalesce-update-from-napi.patch +ionic-fix-up-dim-accounting-for-tx-and-rx.patch +ionic-count-csum_none-when-offload-enabled.patch +tipc-do-not-write-skb_shinfo-frags-when-doing-decryt.patch +octeontx2-pf-fix-interface-down-flag-on-error.patch +mlx4-fix-missing-error-code-in-mlx4_load_one.patch +kvm-x86-check-the-right-feature-bit-for-msr_kvm_asyn.patch +net-llc-fix-skb_over_panic.patch +drm-msm-dpu-fix-sm8250_mdp-register-length.patch +drm-msm-dp-initialize-the-intf_config-register.patch +skmsg-make-sk_psock_destroy-static.patch +net-mlx5-fix-flow-table-chaining.patch +net-mlx5e-fix-nullptr-in-mlx5e_hairpin_get_mdev.patch +sctp-fix-return-value-check-in-__sctp_rcv_asconf_loo.patch +tulip-windbond-840-fix-missing-pci_disable_device-in.patch +sis900-fix-missing-pci_disable_device-in-probe-and-r.patch +can-hi311x-fix-a-signedness-bug-in-hi3110_cmd.patch diff --git a/queue-5.10/sis900-fix-missing-pci_disable_device-in-probe-and-r.patch b/queue-5.10/sis900-fix-missing-pci_disable_device-in-probe-and-r.patch new file mode 100644 index 00000000000..231c8b55fa1 --- /dev/null +++ b/queue-5.10/sis900-fix-missing-pci_disable_device-in-probe-and-r.patch @@ -0,0 +1,64 @@ +From 1973cecf16580a2ae9079aacd691c89968e205c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jul 2021 20:11:07 +0800 +Subject: sis900: Fix missing pci_disable_device() in probe and remove + +From: Wang Hai + +[ Upstream commit 89fb62fde3b226f99b7015280cf132e2a7438edf ] + +Replace pci_enable_device() with pcim_enable_device(), +pci_disable_device() and pci_release_regions() will be +called in release automatically. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: Hulk Robot +Signed-off-by: Wang Hai +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/sis/sis900.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/sis/sis900.c b/drivers/net/ethernet/sis/sis900.c +index 620c26f71be8..e267b7ce3a45 100644 +--- a/drivers/net/ethernet/sis/sis900.c ++++ b/drivers/net/ethernet/sis/sis900.c +@@ -443,7 +443,7 @@ static int sis900_probe(struct pci_dev *pci_dev, + #endif + + /* setup various bits in PCI command register */ +- ret = pci_enable_device(pci_dev); ++ ret = pcim_enable_device(pci_dev); + if(ret) return ret; + + i = dma_set_mask(&pci_dev->dev, DMA_BIT_MASK(32)); +@@ -469,7 +469,7 @@ static int sis900_probe(struct pci_dev *pci_dev, + ioaddr = pci_iomap(pci_dev, 0, 0); + if (!ioaddr) { + ret = -ENOMEM; +- goto err_out_cleardev; ++ goto err_out; + } + + sis_priv = netdev_priv(net_dev); +@@ -581,8 +581,6 @@ err_unmap_tx: + sis_priv->tx_ring_dma); + err_out_unmap: + pci_iounmap(pci_dev, ioaddr); +-err_out_cleardev: +- pci_release_regions(pci_dev); + err_out: + free_netdev(net_dev); + return ret; +@@ -2499,7 +2497,6 @@ static void sis900_remove(struct pci_dev *pci_dev) + sis_priv->tx_ring_dma); + pci_iounmap(pci_dev, sis_priv->ioaddr); + free_netdev(net_dev); +- pci_release_regions(pci_dev); + } + + static int __maybe_unused sis900_suspend(struct device *dev) +-- +2.30.2 + diff --git a/queue-5.10/skmsg-make-sk_psock_destroy-static.patch b/queue-5.10/skmsg-make-sk_psock_destroy-static.patch new file mode 100644 index 00000000000..2dbb34fc368 --- /dev/null +++ b/queue-5.10/skmsg-make-sk_psock_destroy-static.patch @@ -0,0 +1,59 @@ +From 83cff927615e38180967710de974e540a8d0ab44 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Jan 2021 14:15:01 -0800 +Subject: skmsg: Make sk_psock_destroy() static + +From: Cong Wang + +[ Upstream commit 8063e184e49011f6f3f34f6c358dc8a83890bb5b ] + +sk_psock_destroy() is a RCU callback, I can't see any reason why +it could be used outside. + +Signed-off-by: Cong Wang +Signed-off-by: Daniel Borkmann +Cc: John Fastabend +Cc: Jakub Sitnicki +Cc: Lorenz Bauer +Link: https://lore.kernel.org/bpf/20210127221501.46866-1-xiyou.wangcong@gmail.com +Signed-off-by: Sasha Levin +--- + include/linux/skmsg.h | 1 - + net/core/skmsg.c | 3 +-- + 2 files changed, 1 insertion(+), 3 deletions(-) + +diff --git a/include/linux/skmsg.h b/include/linux/skmsg.h +index 82126d529798..822c048934e3 100644 +--- a/include/linux/skmsg.h ++++ b/include/linux/skmsg.h +@@ -395,7 +395,6 @@ static inline struct sk_psock *sk_psock_get(struct sock *sk) + } + + void sk_psock_stop(struct sock *sk, struct sk_psock *psock); +-void sk_psock_destroy(struct rcu_head *rcu); + void sk_psock_drop(struct sock *sk, struct sk_psock *psock); + + static inline void sk_psock_put(struct sock *sk, struct sk_psock *psock) +diff --git a/net/core/skmsg.c b/net/core/skmsg.c +index c4c224a5b9de..5dd5569f89bf 100644 +--- a/net/core/skmsg.c ++++ b/net/core/skmsg.c +@@ -676,14 +676,13 @@ static void sk_psock_destroy_deferred(struct work_struct *gc) + kfree(psock); + } + +-void sk_psock_destroy(struct rcu_head *rcu) ++static void sk_psock_destroy(struct rcu_head *rcu) + { + struct sk_psock *psock = container_of(rcu, struct sk_psock, rcu); + + INIT_WORK(&psock->gc, sk_psock_destroy_deferred); + schedule_work(&psock->gc); + } +-EXPORT_SYMBOL_GPL(sk_psock_destroy); + + void sk_psock_drop(struct sock *sk, struct sk_psock *psock) + { +-- +2.30.2 + diff --git a/queue-5.10/tipc-do-not-write-skb_shinfo-frags-when-doing-decryt.patch b/queue-5.10/tipc-do-not-write-skb_shinfo-frags-when-doing-decryt.patch new file mode 100644 index 00000000000..2561e359679 --- /dev/null +++ b/queue-5.10/tipc-do-not-write-skb_shinfo-frags-when-doing-decryt.patch @@ -0,0 +1,60 @@ +From de8602f4b6801bf45ee7a61f20a14429e4684355 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Jul 2021 18:46:01 -0400 +Subject: tipc: do not write skb_shinfo frags when doing decrytion + +From: Xin Long + +[ Upstream commit 3cf4375a090473d240281a0d2b04a3a5aaeac34b ] + +One skb's skb_shinfo frags are not writable, and they can be shared with +other skbs' like by pskb_copy(). To write the frags may cause other skb's +data crash. + +So before doing en/decryption, skb_cow_data() should always be called for +a cloned or nonlinear skb if req dst is using the same sg as req src. +While at it, the likely branch can be removed, as it will be covered +by skb_cow_data(). + +Note that esp_input() has the same issue, and I will fix it in another +patch. tipc_aead_encrypt() doesn't have this issue, as it only processes +linear data in the unlikely branch. + +Fixes: fc1b6d6de220 ("tipc: introduce TIPC encryption & authentication") +Reported-by: Shuang Li +Signed-off-by: Xin Long +Acked-by: Jon Maloy +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/tipc/crypto.c | 14 ++++---------- + 1 file changed, 4 insertions(+), 10 deletions(-) + +diff --git a/net/tipc/crypto.c b/net/tipc/crypto.c +index 2301b66280de..f8e73c4a0093 100644 +--- a/net/tipc/crypto.c ++++ b/net/tipc/crypto.c +@@ -891,16 +891,10 @@ static int tipc_aead_decrypt(struct net *net, struct tipc_aead *aead, + if (unlikely(!aead)) + return -ENOKEY; + +- /* Cow skb data if needed */ +- if (likely(!skb_cloned(skb) && +- (!skb_is_nonlinear(skb) || !skb_has_frag_list(skb)))) { +- nsg = 1 + skb_shinfo(skb)->nr_frags; +- } else { +- nsg = skb_cow_data(skb, 0, &unused); +- if (unlikely(nsg < 0)) { +- pr_err("RX: skb_cow_data() returned %d\n", nsg); +- return nsg; +- } ++ nsg = skb_cow_data(skb, 0, &unused); ++ if (unlikely(nsg < 0)) { ++ pr_err("RX: skb_cow_data() returned %d\n", nsg); ++ return nsg; + } + + /* Allocate memory for the AEAD operation */ +-- +2.30.2 + diff --git a/queue-5.10/tipc-fix-implicit-connect-for-syn.patch b/queue-5.10/tipc-fix-implicit-connect-for-syn.patch new file mode 100644 index 00000000000..1ff63dd8bac --- /dev/null +++ b/queue-5.10/tipc-fix-implicit-connect-for-syn.patch @@ -0,0 +1,109 @@ +From 34c0e3f43720e810af35a8e5a1b2dfd74e74726b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Jul 2021 12:05:41 -0400 +Subject: tipc: fix implicit-connect for SYN+ + +From: Xin Long + +[ Upstream commit f8dd60de194817c86bf812700980762bb5a8d9a4 ] + +For implicit-connect, when it's either SYN- or SYN+, an ACK should +be sent back to the client immediately. It's not appropriate for +the client to enter established state only after receiving data +from the server. + +On client side, after the SYN is sent out, tipc_wait_for_connect() +should be called to wait for the ACK if timeout is set. + +This patch also restricts __tipc_sendstream() to call __sendmsg() +only when it's in TIPC_OPEN state, so that the client can program +in a single loop doing both connecting and data sending like: + + for (...) + sendmsg(dest, buf); + +This makes the implicit-connect more implicit. + +Fixes: b97bf3fd8f6a ("[TIPC] Initial merge") +Signed-off-by: Xin Long +Acked-by: Jon Maloy +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/tipc/socket.c | 21 +++++++++++++-------- + 1 file changed, 13 insertions(+), 8 deletions(-) + +diff --git a/net/tipc/socket.c b/net/tipc/socket.c +index 9f7cc9e1e4ef..694c432b9710 100644 +--- a/net/tipc/socket.c ++++ b/net/tipc/socket.c +@@ -148,6 +148,7 @@ static void tipc_sk_remove(struct tipc_sock *tsk); + static int __tipc_sendstream(struct socket *sock, struct msghdr *m, size_t dsz); + static int __tipc_sendmsg(struct socket *sock, struct msghdr *m, size_t dsz); + static void tipc_sk_push_backlog(struct tipc_sock *tsk, bool nagle_ack); ++static int tipc_wait_for_connect(struct socket *sock, long *timeo_p); + + static const struct proto_ops packet_ops; + static const struct proto_ops stream_ops; +@@ -1508,8 +1509,13 @@ static int __tipc_sendmsg(struct socket *sock, struct msghdr *m, size_t dlen) + rc = 0; + } + +- if (unlikely(syn && !rc)) ++ if (unlikely(syn && !rc)) { + tipc_set_sk_state(sk, TIPC_CONNECTING); ++ if (timeout) { ++ timeout = msecs_to_jiffies(timeout); ++ tipc_wait_for_connect(sock, &timeout); ++ } ++ } + + return rc ? rc : dlen; + } +@@ -1557,7 +1563,7 @@ static int __tipc_sendstream(struct socket *sock, struct msghdr *m, size_t dlen) + return -EMSGSIZE; + + /* Handle implicit connection setup */ +- if (unlikely(dest)) { ++ if (unlikely(dest && sk->sk_state == TIPC_OPEN)) { + rc = __tipc_sendmsg(sock, m, dlen); + if (dlen && dlen == rc) { + tsk->peer_caps = tipc_node_get_capabilities(net, dnode); +@@ -2686,9 +2692,10 @@ static int tipc_accept(struct socket *sock, struct socket *new_sock, int flags, + bool kern) + { + struct sock *new_sk, *sk = sock->sk; +- struct sk_buff *buf; + struct tipc_sock *new_tsock; ++ struct msghdr m = {NULL,}; + struct tipc_msg *msg; ++ struct sk_buff *buf; + long timeo; + int res; + +@@ -2733,19 +2740,17 @@ static int tipc_accept(struct socket *sock, struct socket *new_sock, int flags, + } + + /* +- * Respond to 'SYN-' by discarding it & returning 'ACK'-. +- * Respond to 'SYN+' by queuing it on new socket. ++ * Respond to 'SYN-' by discarding it & returning 'ACK'. ++ * Respond to 'SYN+' by queuing it on new socket & returning 'ACK'. + */ + if (!msg_data_sz(msg)) { +- struct msghdr m = {NULL,}; +- + tsk_advance_rx_queue(sk); +- __tipc_sendstream(new_sock, &m, 0); + } else { + __skb_dequeue(&sk->sk_receive_queue); + __skb_queue_head(&new_sk->sk_receive_queue, buf); + skb_set_owner_r(buf, new_sk); + } ++ __tipc_sendstream(new_sock, &m, 0); + release_sock(new_sk); + exit: + release_sock(sk); +-- +2.30.2 + diff --git a/queue-5.10/tipc-fix-sleeping-in-tipc-accept-routine.patch b/queue-5.10/tipc-fix-sleeping-in-tipc-accept-routine.patch new file mode 100644 index 00000000000..6003fe60a30 --- /dev/null +++ b/queue-5.10/tipc-fix-sleeping-in-tipc-accept-routine.patch @@ -0,0 +1,62 @@ +From 7042669301766ade7e932f24a5656c4ef0a13376 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Jul 2021 09:25:34 +0700 +Subject: tipc: fix sleeping in tipc accept routine + +From: Hoang Le + +[ Upstream commit d237a7f11719ff9320721be5818352e48071aab6 ] + +The release_sock() is blocking function, it would change the state +after sleeping. In order to evaluate the stated condition outside +the socket lock context, switch to use wait_woken() instead. + +Fixes: 6398e23cdb1d8 ("tipc: standardize accept routine") +Acked-by: Jon Maloy +Signed-off-by: Hoang Le +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/tipc/socket.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/net/tipc/socket.c b/net/tipc/socket.c +index 694c432b9710..4f9bd95b4eee 100644 +--- a/net/tipc/socket.c ++++ b/net/tipc/socket.c +@@ -2650,7 +2650,7 @@ static int tipc_listen(struct socket *sock, int len) + static int tipc_wait_for_accept(struct socket *sock, long timeo) + { + struct sock *sk = sock->sk; +- DEFINE_WAIT(wait); ++ DEFINE_WAIT_FUNC(wait, woken_wake_function); + int err; + + /* True wake-one mechanism for incoming connections: only +@@ -2659,12 +2659,12 @@ static int tipc_wait_for_accept(struct socket *sock, long timeo) + * anymore, the common case will execute the loop only once. + */ + for (;;) { +- prepare_to_wait_exclusive(sk_sleep(sk), &wait, +- TASK_INTERRUPTIBLE); + if (timeo && skb_queue_empty(&sk->sk_receive_queue)) { ++ add_wait_queue(sk_sleep(sk), &wait); + release_sock(sk); +- timeo = schedule_timeout(timeo); ++ timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo); + lock_sock(sk); ++ remove_wait_queue(sk_sleep(sk), &wait); + } + err = 0; + if (!skb_queue_empty(&sk->sk_receive_queue)) +@@ -2676,7 +2676,6 @@ static int tipc_wait_for_accept(struct socket *sock, long timeo) + if (signal_pending(current)) + break; + } +- finish_wait(sk_sleep(sk), &wait); + return err; + } + +-- +2.30.2 + diff --git a/queue-5.10/tulip-windbond-840-fix-missing-pci_disable_device-in.patch b/queue-5.10/tulip-windbond-840-fix-missing-pci_disable_device-in.patch new file mode 100644 index 00000000000..d7c8fc235e5 --- /dev/null +++ b/queue-5.10/tulip-windbond-840-fix-missing-pci_disable_device-in.patch @@ -0,0 +1,65 @@ +From 61a224ec24e5ccb11255dfd917cceb125957e1b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jul 2021 15:43:13 +0800 +Subject: tulip: windbond-840: Fix missing pci_disable_device() in probe and + remove + +From: Wang Hai + +[ Upstream commit 76a16be07b209a3f507c72abe823bd3af1c8661a ] + +Replace pci_enable_device() with pcim_enable_device(), +pci_disable_device() and pci_release_regions() will be +called in release automatically. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: Hulk Robot +Signed-off-by: Wang Hai +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/dec/tulip/winbond-840.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/dec/tulip/winbond-840.c b/drivers/net/ethernet/dec/tulip/winbond-840.c +index 89cbdc1f4857..6161e1c604c0 100644 +--- a/drivers/net/ethernet/dec/tulip/winbond-840.c ++++ b/drivers/net/ethernet/dec/tulip/winbond-840.c +@@ -357,7 +357,7 @@ static int w840_probe1(struct pci_dev *pdev, const struct pci_device_id *ent) + int i, option = find_cnt < MAX_UNITS ? options[find_cnt] : 0; + void __iomem *ioaddr; + +- i = pci_enable_device(pdev); ++ i = pcim_enable_device(pdev); + if (i) return i; + + pci_set_master(pdev); +@@ -379,7 +379,7 @@ static int w840_probe1(struct pci_dev *pdev, const struct pci_device_id *ent) + + ioaddr = pci_iomap(pdev, TULIP_BAR, netdev_res_size); + if (!ioaddr) +- goto err_out_free_res; ++ goto err_out_netdev; + + for (i = 0; i < 3; i++) + ((__le16 *)dev->dev_addr)[i] = cpu_to_le16(eeprom_read(ioaddr, i)); +@@ -458,8 +458,6 @@ static int w840_probe1(struct pci_dev *pdev, const struct pci_device_id *ent) + + err_out_cleardev: + pci_iounmap(pdev, ioaddr); +-err_out_free_res: +- pci_release_regions(pdev); + err_out_netdev: + free_netdev (dev); + return -ENODEV; +@@ -1526,7 +1524,6 @@ static void w840_remove1(struct pci_dev *pdev) + if (dev) { + struct netdev_private *np = netdev_priv(dev); + unregister_netdev(dev); +- pci_release_regions(pdev); + pci_iounmap(pdev, np->base_addr); + free_netdev(dev); + } +-- +2.30.2 +