From: Sasha Levin Date: Sat, 25 Dec 2021 21:31:49 +0000 (-0500) Subject: Fixes for 5.10 X-Git-Tag: v4.4.297~50 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c053523094b43b8b1f1b8d28cc0a97a9bfabf0a2;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.10 Signed-off-by: Sasha Levin --- diff --git a/queue-5.10/arm-dts-imx6qdl-wandboard-fix-ethernet-support.patch b/queue-5.10/arm-dts-imx6qdl-wandboard-fix-ethernet-support.patch new file mode 100644 index 00000000000..f46cc4bcb99 --- /dev/null +++ b/queue-5.10/arm-dts-imx6qdl-wandboard-fix-ethernet-support.patch @@ -0,0 +1,46 @@ +From b8bb10e4ae6ed246d55517c8bf4dfb39ac4a7606 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 12 Dec 2021 09:30:30 -0300 +Subject: ARM: dts: imx6qdl-wandboard: Fix Ethernet support +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Martin Haaß + +[ Upstream commit 39e660687ac0c57499134765abbecf71cfd11eae ] + +Currently, the imx6q-wandboard Ethernet does not transmit any +data. + +This issue has been exposed by commit f5d9aa79dfdf ("ARM: imx6q: +remove clk-out fixup for the Atheros AR8031 and AR8035 PHYs"). + +Fix it by describing the qca,clk-out-frequency property as suggested +by the commit above. + +Fixes: 77591e42458d ("ARM: dts: imx6qdl-wandboard: add ethernet PHY description") +Signed-off-by: Martin Haaß +Tested-by: Fabio Estevam +Signed-off-by: Fabio Estevam +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx6qdl-wandboard.dtsi | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm/boot/dts/imx6qdl-wandboard.dtsi b/arch/arm/boot/dts/imx6qdl-wandboard.dtsi +index c070893c509ee..5bad982bc5a05 100644 +--- a/arch/arm/boot/dts/imx6qdl-wandboard.dtsi ++++ b/arch/arm/boot/dts/imx6qdl-wandboard.dtsi +@@ -289,6 +289,7 @@ + + ethphy: ethernet-phy@1 { + reg = <1>; ++ qca,clk-out-frequency = <125000000>; + }; + }; + }; +-- +2.34.1 + diff --git a/queue-5.10/arm64-dts-allwinner-orangepi-zero-plus-fix-phy-mode.patch b/queue-5.10/arm64-dts-allwinner-orangepi-zero-plus-fix-phy-mode.patch new file mode 100644 index 00000000000..9a49b7932a2 --- /dev/null +++ b/queue-5.10/arm64-dts-allwinner-orangepi-zero-plus-fix-phy-mode.patch @@ -0,0 +1,44 @@ +From 7b3551efc4d5a242ae198c1532f6206271da1808 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Nov 2021 15:02:22 +0100 +Subject: arm64: dts: allwinner: orangepi-zero-plus: fix PHY mode + +From: Robert Marko + +[ Upstream commit 08d2061ff9c5319a07bf9ca6bbf11fdec68f704a ] + +Orange Pi Zero Plus uses a Realtek RTL8211E RGMII Gigabit PHY, but its +currently set to plain RGMII mode meaning that it doesn't introduce +delays. + +With this setup, TX packets are completely lost and changing the mode to +RGMII-ID so the PHY will add delays internally fixes the issue. + +Fixes: a7affb13b271 ("arm64: allwinner: H5: Add Xunlong Orange Pi Zero Plus") +Acked-by: Chen-Yu Tsai +Tested-by: Ron Goossens +Tested-by: Samuel Holland +Signed-off-by: Robert Marko +Signed-off-by: Maxime Ripard +Link: https://lore.kernel.org/r/20211117140222.43692-1-robert.marko@sartura.hr +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/allwinner/sun50i-h5-orangepi-zero-plus.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/allwinner/sun50i-h5-orangepi-zero-plus.dts b/arch/arm64/boot/dts/allwinner/sun50i-h5-orangepi-zero-plus.dts +index ef5ca64442203..de448ca51e216 100644 +--- a/arch/arm64/boot/dts/allwinner/sun50i-h5-orangepi-zero-plus.dts ++++ b/arch/arm64/boot/dts/allwinner/sun50i-h5-orangepi-zero-plus.dts +@@ -69,7 +69,7 @@ + pinctrl-0 = <&emac_rgmii_pins>; + phy-supply = <®_gmac_3v3>; + phy-handle = <&ext_rgmii_phy>; +- phy-mode = "rgmii"; ++ phy-mode = "rgmii-id"; + status = "okay"; + }; + +-- +2.34.1 + diff --git a/queue-5.10/asoc-meson-aiu-fifo-add-missing-dma_coerce_mask_and_.patch b/queue-5.10/asoc-meson-aiu-fifo-add-missing-dma_coerce_mask_and_.patch new file mode 100644 index 00000000000..60ca7d805d0 --- /dev/null +++ b/queue-5.10/asoc-meson-aiu-fifo-add-missing-dma_coerce_mask_and_.patch @@ -0,0 +1,49 @@ +From e90e00c582c09059b77fdd4dc41c9eb9c70d928d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Dec 2021 22:08:03 +0100 +Subject: ASoC: meson: aiu: fifo: Add missing dma_coerce_mask_and_coherent() + +From: Martin Blumenstingl + +[ Upstream commit 1bcd326631dc4faa3322d60b4fc45e8b3747993e ] + +The FIFO registers which take an DMA-able address are only 32-bit wide +on AIU. Add dma_coerce_mask_and_coherent() to make the DMA core aware of +this limitation. + +Fixes: 6ae9ca9ce986bf ("ASoC: meson: aiu: add i2s and spdif support") +Signed-off-by: Martin Blumenstingl +Link: https://lore.kernel.org/r/20211206210804.2512999-2-martin.blumenstingl@googlemail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/meson/aiu-fifo.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/sound/soc/meson/aiu-fifo.c b/sound/soc/meson/aiu-fifo.c +index aa88aae8e517d..3efc3cad0b4ec 100644 +--- a/sound/soc/meson/aiu-fifo.c ++++ b/sound/soc/meson/aiu-fifo.c +@@ -5,6 +5,7 @@ + + #include + #include ++#include + #include + #include + #include +@@ -192,6 +193,11 @@ int aiu_fifo_pcm_new(struct snd_soc_pcm_runtime *rtd, + struct snd_card *card = rtd->card->snd_card; + struct aiu_fifo *fifo = dai->playback_dma_data; + size_t size = fifo->pcm->buffer_bytes_max; ++ int ret; ++ ++ ret = dma_coerce_mask_and_coherent(card->dev, DMA_BIT_MASK(32)); ++ if (ret) ++ return ret; + + snd_pcm_lib_preallocate_pages(substream, + SNDRV_DMA_TYPE_DEV, +-- +2.34.1 + diff --git a/queue-5.10/bonding-fix-ad_actor_system-option-setting-to-defaul.patch b/queue-5.10/bonding-fix-ad_actor_system-option-setting-to-defaul.patch new file mode 100644 index 00000000000..48b390b0088 --- /dev/null +++ b/queue-5.10/bonding-fix-ad_actor_system-option-setting-to-defaul.patch @@ -0,0 +1,65 @@ +From 4eeb083ce1c3f696733a2dc444c527ca6dc74512 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Dec 2021 12:13:45 +0100 +Subject: bonding: fix ad_actor_system option setting to default + +From: Fernando Fernandez Mancera + +[ Upstream commit 1c15b05baea71a5ff98235783e3e4ad227760876 ] + +When 802.3ad bond mode is configured the ad_actor_system option is set to +"00:00:00:00:00:00". But when trying to set the all-zeroes MAC as actors' +system address it was failing with EINVAL. + +An all-zeroes ethernet address is valid, only multicast addresses are not +valid values. + +Fixes: 171a42c38c6e ("bonding: add netlink support for sys prio, actor sys mac, and port key") +Signed-off-by: Fernando Fernandez Mancera +Acked-by: Jay Vosburgh +Link: https://lore.kernel.org/r/20211221111345.2462-1-ffmancera@riseup.net +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + Documentation/networking/bonding.rst | 11 ++++++----- + drivers/net/bonding/bond_options.c | 2 +- + 2 files changed, 7 insertions(+), 6 deletions(-) + +diff --git a/Documentation/networking/bonding.rst b/Documentation/networking/bonding.rst +index adc314639085b..413dca513e1db 100644 +--- a/Documentation/networking/bonding.rst ++++ b/Documentation/networking/bonding.rst +@@ -196,11 +196,12 @@ ad_actor_sys_prio + ad_actor_system + + In an AD system, this specifies the mac-address for the actor in +- protocol packet exchanges (LACPDUs). The value cannot be NULL or +- multicast. It is preferred to have the local-admin bit set for this +- mac but driver does not enforce it. If the value is not given then +- system defaults to using the masters' mac address as actors' system +- address. ++ protocol packet exchanges (LACPDUs). The value cannot be a multicast ++ address. If the all-zeroes MAC is specified, bonding will internally ++ use the MAC of the bond itself. It is preferred to have the ++ local-admin bit set for this mac but driver does not enforce it. If ++ the value is not given then system defaults to using the masters' ++ mac address as actors' system address. + + This parameter has effect only in 802.3ad mode and is available through + SysFs interface. +diff --git a/drivers/net/bonding/bond_options.c b/drivers/net/bonding/bond_options.c +index a4e4e15f574df..fe55c81608daa 100644 +--- a/drivers/net/bonding/bond_options.c ++++ b/drivers/net/bonding/bond_options.c +@@ -1466,7 +1466,7 @@ static int bond_option_ad_actor_system_set(struct bonding *bond, + mac = (u8 *)&newval->value; + } + +- if (!is_valid_ether_addr(mac)) ++ if (is_multicast_ether_addr(mac)) + goto err; + + netdev_dbg(bond->dev, "Setting ad_actor_system to %pM\n", mac); +-- +2.34.1 + diff --git a/queue-5.10/drivers-net-smc911x-check-for-error-irq.patch b/queue-5.10/drivers-net-smc911x-check-for-error-irq.patch new file mode 100644 index 00000000000..40d2413b626 --- /dev/null +++ b/queue-5.10/drivers-net-smc911x-check-for-error-irq.patch @@ -0,0 +1,40 @@ +From dc59f7ee710bd9f606af64fb32b5ae19b9c9f1c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Dec 2021 15:41:12 +0800 +Subject: drivers: net: smc911x: Check for error irq + +From: Jiasheng Jiang + +[ Upstream commit cb93b3e11d405f20a405a07482d01147ef4934a3 ] + +Because platform_get_irq() could fail and return error irq. +Therefore, it might be better to check it if order to avoid the use of +error irq. + +Fixes: ae150435b59e ("smsc: Move the SMC (SMSC) drivers") +Signed-off-by: Jiasheng Jiang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/smsc/smc911x.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/ethernet/smsc/smc911x.c b/drivers/net/ethernet/smsc/smc911x.c +index 01069dfaf75c9..288b420f88d42 100644 +--- a/drivers/net/ethernet/smsc/smc911x.c ++++ b/drivers/net/ethernet/smsc/smc911x.c +@@ -2069,6 +2069,11 @@ static int smc911x_drv_probe(struct platform_device *pdev) + + ndev->dma = (unsigned char)-1; + ndev->irq = platform_get_irq(pdev, 0); ++ if (ndev->irq < 0) { ++ ret = ndev->irq; ++ goto release_both; ++ } ++ + lp = netdev_priv(ndev); + lp->netdev = ndev; + #ifdef SMC_DYNAMIC_BUS_CONFIG +-- +2.34.1 + diff --git a/queue-5.10/fjes-check-for-error-irq.patch b/queue-5.10/fjes-check-for-error-irq.patch new file mode 100644 index 00000000000..27c3d8a289b --- /dev/null +++ b/queue-5.10/fjes-check-for-error-irq.patch @@ -0,0 +1,41 @@ +From 1680495eae52ba50641a2e56094f96d0ddb5d365 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Dec 2021 15:12:07 +0800 +Subject: fjes: Check for error irq + +From: Jiasheng Jiang + +[ Upstream commit db6d6afe382de5a65d6ccf51253ab48b8e8336c3 ] + +I find that platform_get_irq() will not always succeed. +It will return error irq in case of the failure. +Therefore, it might be better to check it if order to avoid the use of +error irq. + +Fixes: 658d439b2292 ("fjes: Introduce FUJITSU Extended Socket Network Device driver") +Signed-off-by: Jiasheng Jiang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/fjes/fjes_main.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/fjes/fjes_main.c b/drivers/net/fjes/fjes_main.c +index e449d94661225..2a569eea4ee8f 100644 +--- a/drivers/net/fjes/fjes_main.c ++++ b/drivers/net/fjes/fjes_main.c +@@ -1269,6 +1269,11 @@ static int fjes_probe(struct platform_device *plat_dev) + hw->hw_res.start = res->start; + hw->hw_res.size = resource_size(res); + hw->hw_res.irq = platform_get_irq(plat_dev, 0); ++ if (hw->hw_res.irq < 0) { ++ err = hw->hw_res.irq; ++ goto err_free_control_wq; ++ } ++ + err = fjes_hw_init(&adapter->hw); + if (err) + goto err_free_control_wq; +-- +2.34.1 + diff --git a/queue-5.10/ib-qib-fix-memory-leak-in-qib_user_sdma_queue_pkts.patch b/queue-5.10/ib-qib-fix-memory-leak-in-qib_user_sdma_queue_pkts.patch new file mode 100644 index 00000000000..9b10214ce5a --- /dev/null +++ b/queue-5.10/ib-qib-fix-memory-leak-in-qib_user_sdma_queue_pkts.patch @@ -0,0 +1,42 @@ +From 4c238335ae6a0cf10ea0d6898f60102c38ca9f2c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Dec 2021 18:52:38 +0100 +Subject: IB/qib: Fix memory leak in qib_user_sdma_queue_pkts() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: José Expósito + +[ Upstream commit bee90911e0138c76ee67458ac0d58b38a3190f65 ] + +The wrong goto label was used for the error case and missed cleanup of the +pkt allocation. + +Fixes: d39bf40e55e6 ("IB/qib: Protect from buffer overflow in struct qib_user_sdma_pkt fields") +Link: https://lore.kernel.org/r/20211208175238.29983-1-jose.exposito89@gmail.com +Addresses-Coverity-ID: 1493352 ("Resource leak") +Signed-off-by: José Expósito +Acked-by: Mike Marciniszyn +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/qib/qib_user_sdma.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/qib/qib_user_sdma.c b/drivers/infiniband/hw/qib/qib_user_sdma.c +index ac11943a5ddb0..bf2f30d67949d 100644 +--- a/drivers/infiniband/hw/qib/qib_user_sdma.c ++++ b/drivers/infiniband/hw/qib/qib_user_sdma.c +@@ -941,7 +941,7 @@ static int qib_user_sdma_queue_pkts(const struct qib_devdata *dd, + &addrlimit) || + addrlimit > type_max(typeof(pkt->addrlimit))) { + ret = -EINVAL; +- goto free_pbc; ++ goto free_pkt; + } + pkt->addrlimit = addrlimit; + +-- +2.34.1 + diff --git a/queue-5.10/igb-fix-deadlock-caused-by-taking-rtnl-in-rpm-resume.patch b/queue-5.10/igb-fix-deadlock-caused-by-taking-rtnl-in-rpm-resume.patch new file mode 100644 index 00000000000..9bc5c29bc85 --- /dev/null +++ b/queue-5.10/igb-fix-deadlock-caused-by-taking-rtnl-in-rpm-resume.patch @@ -0,0 +1,102 @@ +From e72a03eebb5add5cbfaf22db5f5aa6fde20118b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Dec 2021 12:18:44 -0800 +Subject: igb: fix deadlock caused by taking RTNL in RPM resume path + +From: Heiner Kallweit + +[ Upstream commit ac8c58f5b535d6272324e2b8b4a0454781c9147e ] + +Recent net core changes caused an issue with few Intel drivers +(reportedly igb), where taking RTNL in RPM resume path results in a +deadlock. See [0] for a bug report. I don't think the core changes +are wrong, but taking RTNL in RPM resume path isn't needed. +The Intel drivers are the only ones doing this. See [1] for a +discussion on the issue. Following patch changes the RPM resume path +to not take RTNL. + +[0] https://bugzilla.kernel.org/show_bug.cgi?id=215129 +[1] https://lore.kernel.org/netdev/20211125074949.5f897431@kicinski-fedora-pc1c0hjn.dhcp.thefacebook.com/t/ + +Fixes: bd869245a3dc ("net: core: try to runtime-resume detached device in __dev_open") +Fixes: f32a21376573 ("ethtool: runtime-resume netdev parent before ethtool ioctl ops") +Tested-by: Martin Stolpe +Signed-off-by: Heiner Kallweit +Signed-off-by: Tony Nguyen +Link: https://lore.kernel.org/r/20211220201844.2714498-1-anthony.l.nguyen@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/igb_main.c | 19 +++++++++++++------ + 1 file changed, 13 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index 1662c0985eca4..f854d41c6c94d 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -9260,7 +9260,7 @@ static int __maybe_unused igb_suspend(struct device *dev) + return __igb_shutdown(to_pci_dev(dev), NULL, 0); + } + +-static int __maybe_unused igb_resume(struct device *dev) ++static int __maybe_unused __igb_resume(struct device *dev, bool rpm) + { + struct pci_dev *pdev = to_pci_dev(dev); + struct net_device *netdev = pci_get_drvdata(pdev); +@@ -9303,17 +9303,24 @@ static int __maybe_unused igb_resume(struct device *dev) + + wr32(E1000_WUS, ~0); + +- rtnl_lock(); ++ if (!rpm) ++ rtnl_lock(); + if (!err && netif_running(netdev)) + err = __igb_open(netdev, true); + + if (!err) + netif_device_attach(netdev); +- rtnl_unlock(); ++ if (!rpm) ++ rtnl_unlock(); + + return err; + } + ++static int __maybe_unused igb_resume(struct device *dev) ++{ ++ return __igb_resume(dev, false); ++} ++ + static int __maybe_unused igb_runtime_idle(struct device *dev) + { + struct net_device *netdev = dev_get_drvdata(dev); +@@ -9332,7 +9339,7 @@ static int __maybe_unused igb_runtime_suspend(struct device *dev) + + static int __maybe_unused igb_runtime_resume(struct device *dev) + { +- return igb_resume(dev); ++ return __igb_resume(dev, true); + } + + static void igb_shutdown(struct pci_dev *pdev) +@@ -9448,7 +9455,7 @@ static pci_ers_result_t igb_io_error_detected(struct pci_dev *pdev, + * @pdev: Pointer to PCI device + * + * Restart the card from scratch, as if from a cold-boot. Implementation +- * resembles the first-half of the igb_resume routine. ++ * resembles the first-half of the __igb_resume routine. + **/ + static pci_ers_result_t igb_io_slot_reset(struct pci_dev *pdev) + { +@@ -9488,7 +9495,7 @@ static pci_ers_result_t igb_io_slot_reset(struct pci_dev *pdev) + * + * This callback is called when the error recovery driver tells us that + * its OK to resume normal operation. Implementation resembles the +- * second-half of the igb_resume routine. ++ * second-half of the __igb_resume routine. + */ + static void igb_io_resume(struct pci_dev *pdev) + { +-- +2.34.1 + diff --git a/queue-5.10/ipmi-fix-uaf-when-uninstall-ipmi_si-and-ipmi_msghand.patch b/queue-5.10/ipmi-fix-uaf-when-uninstall-ipmi_si-and-ipmi_msghand.patch new file mode 100644 index 00000000000..6621460be04 --- /dev/null +++ b/queue-5.10/ipmi-fix-uaf-when-uninstall-ipmi_si-and-ipmi_msghand.patch @@ -0,0 +1,143 @@ +From f31599a7ef8bd3342b722ce1eac9264a4dfc2dce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Dec 2021 15:00:34 +0800 +Subject: ipmi: Fix UAF when uninstall ipmi_si and ipmi_msghandler module + +From: Wu Bo + +[ Upstream commit ffb76a86f8096a8206be03b14adda6092e18e275 ] + +Hi, + +When testing install and uninstall of ipmi_si.ko and ipmi_msghandler.ko, +the system crashed. + +The log as follows: +[ 141.087026] BUG: unable to handle kernel paging request at ffffffffc09b3a5a +[ 141.087241] PGD 8fe4c0d067 P4D 8fe4c0d067 PUD 8fe4c0f067 PMD 103ad89067 PTE 0 +[ 141.087464] Oops: 0010 [#1] SMP NOPTI +[ 141.087580] CPU: 67 PID: 668 Comm: kworker/67:1 Kdump: loaded Not tainted 4.18.0.x86_64 #47 +[ 141.088009] Workqueue: events 0xffffffffc09b3a40 +[ 141.088009] RIP: 0010:0xffffffffc09b3a5a +[ 141.088009] Code: Bad RIP value. +[ 141.088009] RSP: 0018:ffffb9094e2c3e88 EFLAGS: 00010246 +[ 141.088009] RAX: 0000000000000000 RBX: ffff9abfdb1f04a0 RCX: 0000000000000000 +[ 141.088009] RDX: 0000000000000000 RSI: 0000000000000246 RDI: 0000000000000246 +[ 141.088009] RBP: 0000000000000000 R08: ffff9abfffee3cb8 R09: 00000000000002e1 +[ 141.088009] R10: ffffb9094cb73d90 R11: 00000000000f4240 R12: ffff9abfffee8700 +[ 141.088009] R13: 0000000000000000 R14: ffff9abfdb1f04a0 R15: ffff9abfdb1f04a8 +[ 141.088009] FS: 0000000000000000(0000) GS:ffff9abfffec0000(0000) knlGS:0000000000000000 +[ 141.088009] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 141.088009] CR2: ffffffffc09b3a30 CR3: 0000008fe4c0a001 CR4: 00000000007606e0 +[ 141.088009] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 141.088009] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 141.088009] PKRU: 55555554 +[ 141.088009] Call Trace: +[ 141.088009] ? process_one_work+0x195/0x390 +[ 141.088009] ? worker_thread+0x30/0x390 +[ 141.088009] ? process_one_work+0x390/0x390 +[ 141.088009] ? kthread+0x10d/0x130 +[ 141.088009] ? kthread_flush_work_fn+0x10/0x10 +[ 141.088009] ? ret_from_fork+0x35/0x40] BUG: unable to handle kernel paging request at ffffffffc0b28a5a +[ 200.223240] PGD 97fe00d067 P4D 97fe00d067 PUD 97fe00f067 PMD a580cbf067 PTE 0 +[ 200.223464] Oops: 0010 [#1] SMP NOPTI +[ 200.223579] CPU: 63 PID: 664 Comm: kworker/63:1 Kdump: loaded Not tainted 4.18.0.x86_64 #46 +[ 200.224008] Workqueue: events 0xffffffffc0b28a40 +[ 200.224008] RIP: 0010:0xffffffffc0b28a5a +[ 200.224008] Code: Bad RIP value. +[ 200.224008] RSP: 0018:ffffbf3c8e2a3e88 EFLAGS: 00010246 +[ 200.224008] RAX: 0000000000000000 RBX: ffffa0799ad6bca0 RCX: 0000000000000000 +[ 200.224008] RDX: 0000000000000000 RSI: 0000000000000246 RDI: 0000000000000246 +[ 200.224008] RBP: 0000000000000000 R08: ffff9fe43fde3cb8 R09: 00000000000000d5 +[ 200.224008] R10: ffffbf3c8cb53d90 R11: 00000000000f4240 R12: ffff9fe43fde8700 +[ 200.224008] R13: 0000000000000000 R14: ffffa0799ad6bca0 R15: ffffa0799ad6bca8 +[ 200.224008] FS: 0000000000000000(0000) GS:ffff9fe43fdc0000(0000) knlGS:0000000000000000 +[ 200.224008] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 200.224008] CR2: ffffffffc0b28a30 CR3: 00000097fe00a002 CR4: 00000000007606e0 +[ 200.224008] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 200.224008] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 200.224008] PKRU: 55555554 +[ 200.224008] Call Trace: +[ 200.224008] ? process_one_work+0x195/0x390 +[ 200.224008] ? worker_thread+0x30/0x390 +[ 200.224008] ? process_one_work+0x390/0x390 +[ 200.224008] ? kthread+0x10d/0x130 +[ 200.224008] ? kthread_flush_work_fn+0x10/0x10 +[ 200.224008] ? ret_from_fork+0x35/0x40 +[ 200.224008] kernel fault(0x1) notification starting on CPU 63 +[ 200.224008] kernel fault(0x1) notification finished on CPU 63 +[ 200.224008] CR2: ffffffffc0b28a5a +[ 200.224008] ---[ end trace c82a412d93f57412 ]--- + +The reason is as follows: +T1: rmmod ipmi_si. + ->ipmi_unregister_smi() + -> ipmi_bmc_unregister() + -> __ipmi_bmc_unregister() + -> kref_put(&bmc->usecount, cleanup_bmc_device); + -> schedule_work(&bmc->remove_work); + +T2: rmmod ipmi_msghandler. + ipmi_msghander module uninstalled, and the module space + will be freed. + +T3: bmc->remove_work doing cleanup the bmc resource. + -> cleanup_bmc_work() + -> platform_device_unregister(&bmc->pdev); + -> platform_device_del(pdev); + -> device_del(&pdev->dev); + -> kobject_uevent(&dev->kobj, KOBJ_REMOVE); + -> kobject_uevent_env() + -> dev_uevent() + -> if (dev->type && dev->type->name) + + 'dev->type'(bmc_device_type) pointer space has freed when uninstall + ipmi_msghander module, 'dev->type->name' cause the system crash. + +drivers/char/ipmi/ipmi_msghandler.c: +2820 static const struct device_type bmc_device_type = { +2821 .groups = bmc_dev_attr_groups, +2822 }; + +Steps to reproduce: +Add a time delay in cleanup_bmc_work() function, +and uninstall ipmi_si and ipmi_msghandler module. + +2910 static void cleanup_bmc_work(struct work_struct *work) +2911 { +2912 struct bmc_device *bmc = container_of(work, struct bmc_device, +2913 remove_work); +2914 int id = bmc->pdev.id; /* Unregister overwrites id */ +2915 +2916 msleep(3000); <--- +2917 platform_device_unregister(&bmc->pdev); +2918 ida_simple_remove(&ipmi_bmc_ida, id); +2919 } + +Use 'remove_work_wq' instead of 'system_wq' to solve this issues. + +Fixes: b2cfd8ab4add ("ipmi: Rework device id and guid handling to catch changing BMCs") +Signed-off-by: Wu Bo +Message-Id: <1640070034-56671-1-git-send-email-wubo40@huawei.com> +Signed-off-by: Corey Minyard +Signed-off-by: Sasha Levin +--- + drivers/char/ipmi/ipmi_msghandler.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c +index 38b545bef05a3..fc6445ed7c377 100644 +--- a/drivers/char/ipmi/ipmi_msghandler.c ++++ b/drivers/char/ipmi/ipmi_msghandler.c +@@ -2945,7 +2945,7 @@ cleanup_bmc_device(struct kref *ref) + * with removing the device attributes while reading a device + * attribute. + */ +- schedule_work(&bmc->remove_work); ++ queue_work(remove_work_wq, &bmc->remove_work); + } + + /* +-- +2.34.1 + diff --git a/queue-5.10/net-accept-ufov6-packages-in-virtio_net_hdr_to_skb.patch b/queue-5.10/net-accept-ufov6-packages-in-virtio_net_hdr_to_skb.patch new file mode 100644 index 00000000000..958fc82da96 --- /dev/null +++ b/queue-5.10/net-accept-ufov6-packages-in-virtio_net_hdr_to_skb.patch @@ -0,0 +1,75 @@ +From ef8e88cc1911cad131621f850f936dbc7622361a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Dec 2021 09:49:01 -0500 +Subject: net: accept UFOv6 packages in virtio_net_hdr_to_skb + +From: Willem de Bruijn + +[ Upstream commit 7e5cced9ca84df52d874aca6b632f930b3dc5bc6 ] + +Skb with skb->protocol 0 at the time of virtio_net_hdr_to_skb may have +a protocol inferred from virtio_net_hdr with virtio_net_hdr_set_proto. + +Unlike TCP, UDP does not have separate types for IPv4 and IPv6. Type +VIRTIO_NET_HDR_GSO_UDP is guessed to be IPv4/UDP. As of the below +commit, UFOv6 packets are dropped due to not matching the protocol as +obtained from dev_parse_header_protocol. + +Invert the test to take that L2 protocol field as starting point and +pass both UFOv4 and UFOv6 for VIRTIO_NET_HDR_GSO_UDP. + +Fixes: 924a9bc362a5 ("net: check if protocol extracted by virtio_net_hdr_set_proto is correct") +Link: https://lore.kernel.org/netdev/CABcq3pG9GRCYqFDBAJ48H1vpnnX=41u+MhQnayF1ztLH4WX0Fw@mail.gmail.com/ +Reported-by: Andrew Melnichenko +Signed-off-by: Willem de Bruijn +Link: https://lore.kernel.org/r/20211220144901.2784030-1-willemdebruijn.kernel@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/linux/virtio_net.h | 22 ++++++++++++++++++++-- + 1 file changed, 20 insertions(+), 2 deletions(-) + +diff --git a/include/linux/virtio_net.h b/include/linux/virtio_net.h +index 04e87f4b9417c..22dd48c825600 100644 +--- a/include/linux/virtio_net.h ++++ b/include/linux/virtio_net.h +@@ -7,6 +7,21 @@ + #include + #include + ++static inline bool virtio_net_hdr_match_proto(__be16 protocol, __u8 gso_type) ++{ ++ switch (gso_type & ~VIRTIO_NET_HDR_GSO_ECN) { ++ case VIRTIO_NET_HDR_GSO_TCPV4: ++ return protocol == cpu_to_be16(ETH_P_IP); ++ case VIRTIO_NET_HDR_GSO_TCPV6: ++ return protocol == cpu_to_be16(ETH_P_IPV6); ++ case VIRTIO_NET_HDR_GSO_UDP: ++ return protocol == cpu_to_be16(ETH_P_IP) || ++ protocol == cpu_to_be16(ETH_P_IPV6); ++ default: ++ return false; ++ } ++} ++ + static inline int virtio_net_hdr_set_proto(struct sk_buff *skb, + const struct virtio_net_hdr *hdr) + { +@@ -88,9 +103,12 @@ static inline int virtio_net_hdr_to_skb(struct sk_buff *skb, + if (!skb->protocol) { + __be16 protocol = dev_parse_header_protocol(skb); + +- virtio_net_hdr_set_proto(skb, hdr); +- if (protocol && protocol != skb->protocol) ++ if (!protocol) ++ virtio_net_hdr_set_proto(skb, hdr); ++ else if (!virtio_net_hdr_match_proto(protocol, hdr->gso_type)) + return -EINVAL; ++ else ++ skb->protocol = protocol; + } + retry: + if (!skb_flow_dissect_flow_keys_basic(NULL, skb, &keys, +-- +2.34.1 + diff --git a/queue-5.10/net-ks8851-check-for-error-irq.patch b/queue-5.10/net-ks8851-check-for-error-irq.patch new file mode 100644 index 00000000000..6f37f8bd311 --- /dev/null +++ b/queue-5.10/net-ks8851-check-for-error-irq.patch @@ -0,0 +1,37 @@ +From a9fa947b8ab93e57a97f856af00d444a0c218139 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Dec 2021 15:59:44 +0800 +Subject: net: ks8851: Check for error irq + +From: Jiasheng Jiang + +[ Upstream commit 99d7fbb5cedf598f67e8be106d6c7b8d91366aef ] + +Because platform_get_irq() could fail and return error irq. +Therefore, it might be better to check it if order to avoid the use of +error irq. + +Fixes: 797047f875b5 ("net: ks8851: Implement Parallel bus operations") +Signed-off-by: Jiasheng Jiang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/micrel/ks8851_par.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/micrel/ks8851_par.c b/drivers/net/ethernet/micrel/ks8851_par.c +index 3bab0cb2b1a56..c7c99cc54ca11 100644 +--- a/drivers/net/ethernet/micrel/ks8851_par.c ++++ b/drivers/net/ethernet/micrel/ks8851_par.c +@@ -323,6 +323,8 @@ static int ks8851_probe_par(struct platform_device *pdev) + return ret; + + netdev->irq = platform_get_irq(pdev, 0); ++ if (netdev->irq < 0) ++ return netdev->irq; + + return ks8851_probe_common(netdev, dev, msg_enable); + } +-- +2.34.1 + diff --git a/queue-5.10/net-marvell-prestera-fix-incorrect-return-of-port_fi.patch b/queue-5.10/net-marvell-prestera-fix-incorrect-return-of-port_fi.patch new file mode 100644 index 00000000000..9ec746775ac --- /dev/null +++ b/queue-5.10/net-marvell-prestera-fix-incorrect-return-of-port_fi.patch @@ -0,0 +1,64 @@ +From 3814cbc51c9dc61a24fa02966c0b938c22934e5e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Dec 2021 19:07:36 +0200 +Subject: net: marvell: prestera: fix incorrect return of port_find + +From: Yevhen Orlov + +[ Upstream commit 8b681bd7c301c423fbe97a6b23388a2180ff04ca ] + +In case, when some ports is in list and we don't find requested - we +return last iterator state and not return NULL as expected. + +Fixes: 501ef3066c89 ("net: marvell: prestera: Add driver for Prestera family ASIC devices") +Signed-off-by: Yevhen Orlov +Link: https://lore.kernel.org/r/20211216170736.8851-1-yevhen.orlov@plvision.eu +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../ethernet/marvell/prestera/prestera_main.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/prestera/prestera_main.c b/drivers/net/ethernet/marvell/prestera/prestera_main.c +index feb69fcd908e3..f406f5b517b02 100644 +--- a/drivers/net/ethernet/marvell/prestera/prestera_main.c ++++ b/drivers/net/ethernet/marvell/prestera/prestera_main.c +@@ -50,12 +50,14 @@ int prestera_port_pvid_set(struct prestera_port *port, u16 vid) + struct prestera_port *prestera_port_find_by_hwid(struct prestera_switch *sw, + u32 dev_id, u32 hw_id) + { +- struct prestera_port *port = NULL; ++ struct prestera_port *port = NULL, *tmp; + + read_lock(&sw->port_list_lock); +- list_for_each_entry(port, &sw->port_list, list) { +- if (port->dev_id == dev_id && port->hw_id == hw_id) ++ list_for_each_entry(tmp, &sw->port_list, list) { ++ if (tmp->dev_id == dev_id && tmp->hw_id == hw_id) { ++ port = tmp; + break; ++ } + } + read_unlock(&sw->port_list_lock); + +@@ -64,12 +66,14 @@ struct prestera_port *prestera_port_find_by_hwid(struct prestera_switch *sw, + + struct prestera_port *prestera_find_port(struct prestera_switch *sw, u32 id) + { +- struct prestera_port *port = NULL; ++ struct prestera_port *port = NULL, *tmp; + + read_lock(&sw->port_list_lock); +- list_for_each_entry(port, &sw->port_list, list) { +- if (port->id == id) ++ list_for_each_entry(tmp, &sw->port_list, list) { ++ if (tmp->id == id) { ++ port = tmp; + break; ++ } + } + read_unlock(&sw->port_list_lock); + +-- +2.34.1 + diff --git a/queue-5.10/net-skip-virtio_net_hdr_set_proto-if-protocol-alread.patch b/queue-5.10/net-skip-virtio_net_hdr_set_proto-if-protocol-alread.patch new file mode 100644 index 00000000000..d290428f890 --- /dev/null +++ b/queue-5.10/net-skip-virtio_net_hdr_set_proto-if-protocol-alread.patch @@ -0,0 +1,46 @@ +From 682515a40efec010623f3276bca914805a6a8069 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Dec 2021 09:50:27 -0500 +Subject: net: skip virtio_net_hdr_set_proto if protocol already set + +From: Willem de Bruijn + +[ Upstream commit 1ed1d592113959f00cc552c3b9f47ca2d157768f ] + +virtio_net_hdr_set_proto infers skb->protocol from the virtio_net_hdr +gso_type, to avoid packets getting dropped for lack of a proto type. + +Its protocol choice is a guess, especially in the case of UFO, where +the single VIRTIO_NET_HDR_GSO_UDP label covers both UFOv4 and UFOv6. + +Skip this best effort if the field is already initialized. Whether +explicitly from userspace, or implicitly based on an earlier call to +dev_parse_header_protocol (which is more robust, but was introduced +after this patch). + +Fixes: 9d2f67e43b73 ("net/packet: fix packet drop as of virtio gso") +Signed-off-by: Willem de Bruijn +Link: https://lore.kernel.org/r/20211220145027.2784293-1-willemdebruijn.kernel@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/linux/virtio_net.h | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/include/linux/virtio_net.h b/include/linux/virtio_net.h +index 22dd48c825600..a960de68ac69e 100644 +--- a/include/linux/virtio_net.h ++++ b/include/linux/virtio_net.h +@@ -25,6 +25,9 @@ static inline bool virtio_net_hdr_match_proto(__be16 protocol, __u8 gso_type) + static inline int virtio_net_hdr_set_proto(struct sk_buff *skb, + const struct virtio_net_hdr *hdr) + { ++ if (skb->protocol) ++ return 0; ++ + switch (hdr->gso_type & ~VIRTIO_NET_HDR_GSO_ECN) { + case VIRTIO_NET_HDR_GSO_TCPV4: + case VIRTIO_NET_HDR_GSO_UDP: +-- +2.34.1 + diff --git a/queue-5.10/netfilter-fix-regression-in-looped-broad-multi-cast-.patch b/queue-5.10/netfilter-fix-regression-in-looped-broad-multi-cast-.patch new file mode 100644 index 00000000000..be754ba5c65 --- /dev/null +++ b/queue-5.10/netfilter-fix-regression-in-looped-broad-multi-cast-.patch @@ -0,0 +1,69 @@ +From 6aab226d6a9aedf1418355356dfb4822261cfef2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Dec 2021 16:31:27 +0100 +Subject: netfilter: fix regression in looped (broad|multi)cast's MAC handling +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ignacy Gawędzki + +[ Upstream commit ebb966d3bdfed581ecccbb4a7432341baf7619b4 ] + +In commit 5648b5e1169f ("netfilter: nfnetlink_queue: fix OOB when mac +header was cleared"), the test for non-empty MAC header introduced in +commit 2c38de4c1f8da7 ("netfilter: fix looped (broad|multi)cast's MAC +handling") has been replaced with a test for a set MAC header. + +This breaks the case when the MAC header has been reset (using +skb_reset_mac_header), as is the case with looped-back multicast +packets. As a result, the packets ending up in NFQUEUE get a bogus +hwaddr interpreted from the first bytes of the IP header. + +This patch adds a test for a non-empty MAC header in addition to the +test for a set MAC header. The same two tests are also implemented in +nfnetlink_log.c, where the initial code of commit 2c38de4c1f8da7 +("netfilter: fix looped (broad|multi)cast's MAC handling") has not been +touched, but where supposedly the same situation may happen. + +Fixes: 5648b5e1169f ("netfilter: nfnetlink_queue: fix OOB when mac header was cleared") +Signed-off-by: Ignacy Gawędzki +Reviewed-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nfnetlink_log.c | 3 ++- + net/netfilter/nfnetlink_queue.c | 3 ++- + 2 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c +index b35e8d9a5b37e..33c13edbca4bb 100644 +--- a/net/netfilter/nfnetlink_log.c ++++ b/net/netfilter/nfnetlink_log.c +@@ -557,7 +557,8 @@ __build_packet_message(struct nfnl_log_net *log, + goto nla_put_failure; + + if (indev && skb->dev && +- skb->mac_header != skb->network_header) { ++ skb_mac_header_was_set(skb) && ++ skb_mac_header_len(skb) != 0) { + struct nfulnl_msg_packet_hw phw; + int len; + +diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c +index 98994fe677fe9..b0358f30947ea 100644 +--- a/net/netfilter/nfnetlink_queue.c ++++ b/net/netfilter/nfnetlink_queue.c +@@ -562,7 +562,8 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, + goto nla_put_failure; + + if (indev && entskb->dev && +- skb_mac_header_was_set(entskb)) { ++ skb_mac_header_was_set(entskb) && ++ skb_mac_header_len(entskb) != 0) { + struct nfqnl_msg_packet_hw phw; + int len; + +-- +2.34.1 + diff --git a/queue-5.10/qlcnic-potential-dereference-null-pointer-of-rx_queu.patch b/queue-5.10/qlcnic-potential-dereference-null-pointer-of-rx_queu.patch new file mode 100644 index 00000000000..0fc89da8cff --- /dev/null +++ b/queue-5.10/qlcnic-potential-dereference-null-pointer-of-rx_queu.patch @@ -0,0 +1,103 @@ +From 4b2c5f2bc8dcea1a54469b340142d4d5cc122873 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Dec 2021 17:39:11 +0800 +Subject: qlcnic: potential dereference null pointer of rx_queue->page_ring + +From: Jiasheng Jiang + +[ Upstream commit 60ec7fcfe76892a1479afab51ff17a4281923156 ] + +The return value of kcalloc() needs to be checked. +To avoid dereference of null pointer in case of the failure of alloc. +Therefore, it might be better to change the return type of +qlcnic_sriov_alloc_vlans() and return -ENOMEM when alloc fails and +return 0 the others. +Also, qlcnic_sriov_set_guest_vlan_mode() and __qlcnic_pci_sriov_enable() +should deal with the return value of qlcnic_sriov_alloc_vlans(). + +Fixes: 154d0c810c53 ("qlcnic: VLAN enhancement for 84XX adapters") +Signed-off-by: Jiasheng Jiang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov.h | 2 +- + .../net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c | 12 +++++++++--- + drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c | 4 +++- + 3 files changed, 13 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov.h b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov.h +index 7160b42f51ddd..d0111cb3b40e1 100644 +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov.h ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov.h +@@ -201,7 +201,7 @@ int qlcnic_sriov_get_vf_vport_info(struct qlcnic_adapter *, + struct qlcnic_info *, u16); + int qlcnic_sriov_cfg_vf_guest_vlan(struct qlcnic_adapter *, u16, u8); + void qlcnic_sriov_free_vlans(struct qlcnic_adapter *); +-void qlcnic_sriov_alloc_vlans(struct qlcnic_adapter *); ++int qlcnic_sriov_alloc_vlans(struct qlcnic_adapter *); + bool qlcnic_sriov_check_any_vlan(struct qlcnic_vf_info *); + void qlcnic_sriov_del_vlan_id(struct qlcnic_sriov *, + struct qlcnic_vf_info *, u16); +diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c +index 30e52f9697593..8367891bfb139 100644 +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c +@@ -432,7 +432,7 @@ static int qlcnic_sriov_set_guest_vlan_mode(struct qlcnic_adapter *adapter, + struct qlcnic_cmd_args *cmd) + { + struct qlcnic_sriov *sriov = adapter->ahw->sriov; +- int i, num_vlans; ++ int i, num_vlans, ret; + u16 *vlans; + + if (sriov->allowed_vlans) +@@ -443,7 +443,9 @@ static int qlcnic_sriov_set_guest_vlan_mode(struct qlcnic_adapter *adapter, + dev_info(&adapter->pdev->dev, "Number of allowed Guest VLANs = %d\n", + sriov->num_allowed_vlans); + +- qlcnic_sriov_alloc_vlans(adapter); ++ ret = qlcnic_sriov_alloc_vlans(adapter); ++ if (ret) ++ return ret; + + if (!sriov->any_vlan) + return 0; +@@ -2159,7 +2161,7 @@ static int qlcnic_sriov_vf_resume(struct qlcnic_adapter *adapter) + return err; + } + +-void qlcnic_sriov_alloc_vlans(struct qlcnic_adapter *adapter) ++int qlcnic_sriov_alloc_vlans(struct qlcnic_adapter *adapter) + { + struct qlcnic_sriov *sriov = adapter->ahw->sriov; + struct qlcnic_vf_info *vf; +@@ -2169,7 +2171,11 @@ void qlcnic_sriov_alloc_vlans(struct qlcnic_adapter *adapter) + vf = &sriov->vf_info[i]; + vf->sriov_vlans = kcalloc(sriov->num_allowed_vlans, + sizeof(*vf->sriov_vlans), GFP_KERNEL); ++ if (!vf->sriov_vlans) ++ return -ENOMEM; + } ++ ++ return 0; + } + + void qlcnic_sriov_free_vlans(struct qlcnic_adapter *adapter) +diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c +index 447720b93e5ab..e90fa97c0ae6c 100644 +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c +@@ -597,7 +597,9 @@ static int __qlcnic_pci_sriov_enable(struct qlcnic_adapter *adapter, + if (err) + goto del_flr_queue; + +- qlcnic_sriov_alloc_vlans(adapter); ++ err = qlcnic_sriov_alloc_vlans(adapter); ++ if (err) ++ goto del_flr_queue; + + return err; + +-- +2.34.1 + diff --git a/queue-5.10/rdma-hns-replace-kfree-with-kvfree.patch b/queue-5.10/rdma-hns-replace-kfree-with-kvfree.patch new file mode 100644 index 00000000000..081c7ace678 --- /dev/null +++ b/queue-5.10/rdma-hns-replace-kfree-with-kvfree.patch @@ -0,0 +1,39 @@ +From 29f032803d6ad630cd01d0779e6c48bc68786ad3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Dec 2021 01:42:34 -0800 +Subject: RDMA/hns: Replace kfree() with kvfree() + +From: Jiacheng Shi + +[ Upstream commit 12d3bbdd6bd2780b71cc466f3fbc6eb7d43bbc2a ] + +Variables allocated by kvmalloc_array() should not be freed by kfree. +Because they may be allocated by vmalloc. So we replace kfree() with +kvfree() here. + +Fixes: 6fd610c5733d ("RDMA/hns: Support 0 hop addressing for SRQ buffer") +Link: https://lore.kernel.org/r/20211210094234.5829-1-billsjc@sjtu.edu.cn +Signed-off-by: Jiacheng Shi +Acked-by: Wenpeng Liang +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_srq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_srq.c b/drivers/infiniband/hw/hns/hns_roce_srq.c +index f27523e1a12d7..08df97e0a6654 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_srq.c ++++ b/drivers/infiniband/hw/hns/hns_roce_srq.c +@@ -277,7 +277,7 @@ static int alloc_srq_wrid(struct hns_roce_dev *hr_dev, struct hns_roce_srq *srq) + + static void free_srq_wrid(struct hns_roce_srq *srq) + { +- kfree(srq->wrid); ++ kvfree(srq->wrid); + srq->wrid = NULL; + } + +-- +2.34.1 + diff --git a/queue-5.10/series b/queue-5.10/series index 4f5f16c23e3..82acf6b31bc 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -6,3 +6,22 @@ ext4-check-for-out-of-order-index-extents-in-ext4_valid_extent_entries.patch ext4-check-for-inconsistent-extents-between-index-and-leaf-block.patch hid-holtek-fix-mouse-probing.patch hid-potential-dereference-of-null-pointer.patch +arm64-dts-allwinner-orangepi-zero-plus-fix-phy-mode.patch +spi-change-clk_disable_unprepare-to-clk_unprepare.patch +asoc-meson-aiu-fifo-add-missing-dma_coerce_mask_and_.patch +ib-qib-fix-memory-leak-in-qib_user_sdma_queue_pkts.patch +rdma-hns-replace-kfree-with-kvfree.patch +netfilter-fix-regression-in-looped-broad-multi-cast-.patch +arm-dts-imx6qdl-wandboard-fix-ethernet-support.patch +net-marvell-prestera-fix-incorrect-return-of-port_fi.patch +qlcnic-potential-dereference-null-pointer-of-rx_queu.patch +net-accept-ufov6-packages-in-virtio_net_hdr_to_skb.patch +net-skip-virtio_net_hdr_set_proto-if-protocol-alread.patch +igb-fix-deadlock-caused-by-taking-rtnl-in-rpm-resume.patch +ipmi-fix-uaf-when-uninstall-ipmi_si-and-ipmi_msghand.patch +bonding-fix-ad_actor_system-option-setting-to-defaul.patch +fjes-check-for-error-irq.patch +drivers-net-smc911x-check-for-error-irq.patch +net-ks8851-check-for-error-irq.patch +sfc-check-null-pointer-of-rx_queue-page_ring.patch +sfc-falcon-check-null-pointer-of-rx_queue-page_ring.patch diff --git a/queue-5.10/sfc-check-null-pointer-of-rx_queue-page_ring.patch b/queue-5.10/sfc-check-null-pointer-of-rx_queue-page_ring.patch new file mode 100644 index 00000000000..fc7d2068b12 --- /dev/null +++ b/queue-5.10/sfc-check-null-pointer-of-rx_queue-page_ring.patch @@ -0,0 +1,42 @@ +From 55ae962a24fdbf94bee6fa3f0736255c5bcb3388 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Dec 2021 21:56:03 +0800 +Subject: sfc: Check null pointer of rx_queue->page_ring + +From: Jiasheng Jiang + +[ Upstream commit bdf1b5c3884f6a0dc91b0dbdb8c3b7d205f449e0 ] + +Because of the possible failure of the kcalloc, it should be better to +set rx_queue->page_ptr_mask to 0 when it happens in order to maintain +the consistency. + +Fixes: 5a6681e22c14 ("sfc: separate out SFC4000 ("Falcon") support into new sfc-falcon driver") +Signed-off-by: Jiasheng Jiang +Acked-by: Martin Habets +Link: https://lore.kernel.org/r/20211220135603.954944-1-jiasheng@iscas.ac.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/sfc/rx_common.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/sfc/rx_common.c b/drivers/net/ethernet/sfc/rx_common.c +index 19cf7cac1e6e9..8834bcb12fa97 100644 +--- a/drivers/net/ethernet/sfc/rx_common.c ++++ b/drivers/net/ethernet/sfc/rx_common.c +@@ -150,7 +150,10 @@ static void efx_init_rx_recycle_ring(struct efx_rx_queue *rx_queue) + efx->rx_bufs_per_page); + rx_queue->page_ring = kcalloc(page_ring_size, + sizeof(*rx_queue->page_ring), GFP_KERNEL); +- rx_queue->page_ptr_mask = page_ring_size - 1; ++ if (!rx_queue->page_ring) ++ rx_queue->page_ptr_mask = 0; ++ else ++ rx_queue->page_ptr_mask = page_ring_size - 1; + } + + static void efx_fini_rx_recycle_ring(struct efx_rx_queue *rx_queue) +-- +2.34.1 + diff --git a/queue-5.10/sfc-falcon-check-null-pointer-of-rx_queue-page_ring.patch b/queue-5.10/sfc-falcon-check-null-pointer-of-rx_queue-page_ring.patch new file mode 100644 index 00000000000..1e549826fcd --- /dev/null +++ b/queue-5.10/sfc-falcon-check-null-pointer-of-rx_queue-page_ring.patch @@ -0,0 +1,42 @@ +From 79a2bb772690719ae5b5b59b965e526288f7c743 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Dec 2021 22:03:44 +0800 +Subject: sfc: falcon: Check null pointer of rx_queue->page_ring + +From: Jiasheng Jiang + +[ Upstream commit 9b8bdd1eb5890aeeab7391dddcf8bd51f7b07216 ] + +Because of the possible failure of the kcalloc, it should be better to +set rx_queue->page_ptr_mask to 0 when it happens in order to maintain +the consistency. + +Fixes: 5a6681e22c14 ("sfc: separate out SFC4000 ("Falcon") support into new sfc-falcon driver") +Signed-off-by: Jiasheng Jiang +Acked-by: Martin Habets +Link: https://lore.kernel.org/r/20211220140344.978408-1-jiasheng@iscas.ac.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/sfc/falcon/rx.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/sfc/falcon/rx.c b/drivers/net/ethernet/sfc/falcon/rx.c +index 966f13e7475dd..11a6aee852e92 100644 +--- a/drivers/net/ethernet/sfc/falcon/rx.c ++++ b/drivers/net/ethernet/sfc/falcon/rx.c +@@ -728,7 +728,10 @@ static void ef4_init_rx_recycle_ring(struct ef4_nic *efx, + efx->rx_bufs_per_page); + rx_queue->page_ring = kcalloc(page_ring_size, + sizeof(*rx_queue->page_ring), GFP_KERNEL); +- rx_queue->page_ptr_mask = page_ring_size - 1; ++ if (!rx_queue->page_ring) ++ rx_queue->page_ptr_mask = 0; ++ else ++ rx_queue->page_ptr_mask = page_ring_size - 1; + } + + void ef4_init_rx_queue(struct ef4_rx_queue *rx_queue) +-- +2.34.1 + diff --git a/queue-5.10/spi-change-clk_disable_unprepare-to-clk_unprepare.patch b/queue-5.10/spi-change-clk_disable_unprepare-to-clk_unprepare.patch new file mode 100644 index 00000000000..4e83750becc --- /dev/null +++ b/queue-5.10/spi-change-clk_disable_unprepare-to-clk_unprepare.patch @@ -0,0 +1,39 @@ +From 3b3948c6ccb3a1f1a6b30b776d7ff9b68042ad8e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Dec 2021 18:19:31 +0800 +Subject: spi: change clk_disable_unprepare to clk_unprepare + +From: Dongliang Mu + +[ Upstream commit db6689b643d8653092f5853751ea2cdbc299f8d3 ] + +The corresponding API for clk_prepare is clk_unprepare, other than +clk_disable_unprepare. + +Fix this by changing clk_disable_unprepare to clk_unprepare. + +Fixes: 5762ab71eb24 ("spi: Add support for Armada 3700 SPI Controller") +Signed-off-by: Dongliang Mu +Link: https://lore.kernel.org/r/20211206101931.2816597-1-mudongliangabcd@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-armada-3700.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-armada-3700.c b/drivers/spi/spi-armada-3700.c +index 46feafe4e201c..d8cc4b270644a 100644 +--- a/drivers/spi/spi-armada-3700.c ++++ b/drivers/spi/spi-armada-3700.c +@@ -901,7 +901,7 @@ static int a3700_spi_probe(struct platform_device *pdev) + return 0; + + error_clk: +- clk_disable_unprepare(spi->clk); ++ clk_unprepare(spi->clk); + error: + spi_master_put(master); + out: +-- +2.34.1 +