From: Sasha Levin
Date: Sun, 28 Mar 2021 03:51:23 +0000 (-0400)
Subject: Fixes for 4.9
X-Git-Tag: v5.11.11~53
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c7b12eeb71b1fdbcf2fdbdf7fee99f62cee27850;p=thirdparty%2Fkernel%2Fstable-queue.git

Fixes for 4.9

Signed-off-by: Sasha Levin
---
diff --git a/queue-4.9/bus-omap_l3_noc-mark-l3-irqs-as-irqf_no_thread.patch b/queue-4.9/bus-omap_l3_noc-mark-l3-irqs-as-irqf_no_thread.patch
new file mode 100644
index 00000000000..5d699116af3
--- /dev/null
+++ b/queue-4.9/bus-omap_l3_noc-mark-l3-irqs-as-irqf_no_thread.patch
@@ -0,0 +1,51 @@
+From 2370dbb092ff1d9f364541e55590bc7a0c3ad1d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 28 Jan 2021 21:15:48 +0200
+Subject: bus: omap_l3_noc: mark l3 irqs as IRQF_NO_THREAD
+
+From: Grygorii Strashko
+
+[ Upstream commit 7d7275b3e866cf8092bd12553ec53ba26864f7bb ]
+
+The main purpose of l3 IRQs is to catch OCP bus access errors and identify
+corresponding code places by showing call stack, so it's important to
+handle L3 interconnect errors as fast as possible. On RT these IRQs will
+became threaded and will be scheduled much more late from the moment actual
+error occurred so showing completely useless information.
+
+Hence, mark l3 IRQs as IRQF_NO_THREAD so they will not be forced threaded
+on RT or if force_irqthreads = true.
+
+Fixes: 0ee7261c9212 ("drivers: bus: Move the OMAP interconnect driver to drivers/bus/")
+Signed-off-by: Grygorii Strashko
+Signed-off-by: Tony Lindgren
+Signed-off-by: Sasha Levin
+---
+ drivers/bus/omap_l3_noc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/bus/omap_l3_noc.c b/drivers/bus/omap_l3_noc.c
+index 5012e3ad1225..624f74d03a83 100644
+--- a/drivers/bus/omap_l3_noc.c
++++ b/drivers/bus/omap_l3_noc.c
+@@ -285,7 +285,7 @@ static int omap_l3_probe(struct platform_device *pdev)
+ */
+ l3->debug_irq = platform_get_irq(pdev, 0);
+ ret = devm_request_irq(l3->dev, l3->debug_irq, l3_interrupt_handler,
+- 0x0, "l3-dbg-irq", l3);
++ IRQF_NO_THREAD, "l3-dbg-irq", l3);
+ if (ret) {
+ dev_err(l3->dev, "request_irq failed for %d\n",
+ l3->debug_irq);
+@@ -294,7 +294,7 @@ static int omap_l3_probe(struct platform_device *pdev)
+
+ l3->app_irq = platform_get_irq(pdev, 1);
+ ret = devm_request_irq(l3->dev, l3->app_irq, l3_interrupt_handler,
+- 0x0, "l3-app-irq", l3);
++ IRQF_NO_THREAD, "l3-app-irq", l3);
+ if (ret)
+ dev_err(l3->dev, "request_irq failed for %d\n", l3->app_irq);
+
+--
+2.30.1
+
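Review bot: Both `devm_request_irq()` calls in omap_l3_probe now pass `IRQF_NO_THREAD` with no comment explaining why, and the flag changes what the handler is allowed to do. With it, `l3_interrupt_handler` stays in hard-IRQ context even on PREEMPT_RT or with forced IRQ threading, so it must not take sleeping locks; the handler body is outside this hunk, so that is worth confirming. I would add above the first request something like `/* IRQF_NO_THREAD: report the bus error from hard-IRQ context so the call stack still points at the faulting access */`. Separately, the visible context lines pass the `platform_get_irq()` results straight to `devm_request_irq()` without a `< 0` check.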
diff --git a/queue-4.9/can-c_can-move-runtime-pm-enable-disable-to-c_can_pl.patch b/queue-4.9/can-c_can-move-runtime-pm-enable-disable-to-c_can_pl.patch
new file mode 100644
index 00000000000..7fc19296f02
--- /dev/null
+++ b/queue-4.9/can-c_can-move-runtime-pm-enable-disable-to-c_can_pl.patch
@@ -0,0 +1,136 @@
+From 573b262428386f468eb6d5fcdcdf4acabad33502 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 1 Mar 2021 21:55:40 -0500
+Subject: can: c_can: move runtime PM enable/disable to c_can_platform
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Tong Zhang
+
+[ Upstream commit 6e2fe01dd6f98da6cae8b07cd5cfa67abc70d97d ]
+
+Currently doing modprobe c_can_pci will make the kernel complain:
+
+ Unbalanced pm_runtime_enable!
+
+this is caused by pm_runtime_enable() called before pm is initialized.
+
+This fix is similar to 227619c3ff7c, move those pm_enable/disable code
+to c_can_platform.
+
+Fixes: 4cdd34b26826 ("can: c_can: Add runtime PM support to Bosch C_CAN/D_CAN controller")
+Link: http://lore.kernel.org/r/20210302025542.987600-1-ztong0001@gmail.com
+Signed-off-by: Tong Zhang
+Tested-by: Uwe Kleine-König
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Sasha Levin
+---
+ drivers/net/can/c_can/c_can.c | 24 +-----------------------
+ drivers/net/can/c_can/c_can_platform.c | 6 +++++-
+ 2 files changed, 6 insertions(+), 24 deletions(-)
+
+diff --git a/drivers/net/can/c_can/c_can.c b/drivers/net/can/c_can/c_can.c
+index 4ead5a18b794..c41ab2cb272e 100644
+--- a/drivers/net/can/c_can/c_can.c
++++ b/drivers/net/can/c_can/c_can.c
+@@ -212,18 +212,6 @@ static const struct can_bittiming_const c_can_bittiming_const = {
+ .brp_inc = 1,
+ };
+
+-static inline void c_can_pm_runtime_enable(const struct c_can_priv *priv)
+-{
+- if (priv->device)
+- pm_runtime_enable(priv->device);
+-}
+-
+-static inline void c_can_pm_runtime_disable(const struct c_can_priv *priv)
+-{
+- if (priv->device)
+- pm_runtime_disable(priv->device);
+-}
+-
+ static inline void c_can_pm_runtime_get_sync(const struct c_can_priv *priv)
+ {
+ if (priv->device)
+@@ -1318,7 +1306,6 @@ static const struct net_device_ops c_can_netdev_ops = {
+
+ int register_c_can_dev(struct net_device *dev)
+ {
+- struct c_can_priv *priv = netdev_priv(dev);
+ int err;
+
+ /* Deactivate pins to prevent DRA7 DCAN IP from being
+@@ -1328,28 +1315,19 @@ int register_c_can_dev(struct net_device *dev)
+ */
+ pinctrl_pm_select_sleep_state(dev->dev.parent);
+
+- c_can_pm_runtime_enable(priv);
+-
+ dev->flags |= IFF_ECHO; /* we support local echo */
+ dev->netdev_ops = &c_can_netdev_ops;
+
+ err = register_candev(dev);
+- if (err)
+- c_can_pm_runtime_disable(priv);
+- else
++ if (!err)
+ devm_can_led_init(dev);
+-
+ return err;
+ }
+ EXPORT_SYMBOL_GPL(register_c_can_dev);
+
+ void unregister_c_can_dev(struct net_device *dev)
+ {
+- struct c_can_priv *priv = netdev_priv(dev);
+-
+ unregister_candev(dev);
+-
+- c_can_pm_runtime_disable(priv);
+ }
+ EXPORT_SYMBOL_GPL(unregister_c_can_dev);
+
+diff --git a/drivers/net/can/c_can/c_can_platform.c b/drivers/net/can/c_can/c_can_platform.c
+index 717530eac70c..c6a03f565e3f 100644
+--- a/drivers/net/can/c_can/c_can_platform.c
++++ b/drivers/net/can/c_can/c_can_platform.c
+@@ -29,6 +29,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -385,6 +386,7 @@ static int c_can_plat_probe(struct platform_device *pdev)
+ platform_set_drvdata(pdev, dev);
+ SET_NETDEV_DEV(dev, &pdev->dev);
+
++ pm_runtime_enable(priv->device);
+ ret = register_c_can_dev(dev);
+ if (ret) {
+ dev_err(&pdev->dev, "registering %s failed (err=%d)\n",
+@@ -397,6 +399,7 @@ static int c_can_plat_probe(struct platform_device *pdev)
+ return 0;
+
+ exit_free_device:
++ pm_runtime_disable(priv->device);
+ free_c_can_dev(dev);
+ exit:
+ dev_err(&pdev->dev, "probe failed\n");
+@@ -407,9 +410,10 @@ exit:
+ static int c_can_plat_remove(struct platform_device *pdev)
+ {
+ struct net_device *dev = platform_get_drvdata(pdev);
++ struct c_can_priv *priv = netdev_priv(dev);
+
+ unregister_c_can_dev(dev);
+-
++ pm_runtime_disable(priv->device);
+ free_c_can_dev(dev);
+
+ return 0;
+--
+2.30.1
+
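Review bot: In c_can_plat_probe the new `pm_runtime_disable(priv->device);` sits directly under the shared `exit_free_device:` label, so every `goto exit_free_device` runs it, not only the `register_c_can_dev()` failure that follows the new `pm_runtime_enable()`. The earlier part of the probe function is outside the hunk, but if any failure path before `pm_runtime_enable()` jumps to that label, runtime PM is disabled without a matching enable and `priv->device` may not be assigned yet. A dedicated label keeps the pairing exact: make the registration failure `goto exit_pm_runtime;` and put `exit_pm_runtime:` with `pm_runtime_disable(priv->device);` just above `exit_free_device:`. The removed helpers also tested `if (priv->device)` before calling into runtime PM; the platform path now relies on that pointer always being set.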
diff --git a/queue-4.9/can-c_can_pci-c_can_pci_remove-fix-use-after-free.patch b/queue-4.9/can-c_can_pci-c_can_pci_remove-fix-use-after-free.patch
new file mode 100644
index 00000000000..74192ec0cd0
--- /dev/null
+++ b/queue-4.9/can-c_can_pci-c_can_pci_remove-fix-use-after-free.patch
@@ -0,0 +1,44 @@
+From cd3dc8da49b8808a209d422478c096e9125ca999 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 28 Feb 2021 21:45:11 -0500
+Subject: can: c_can_pci: c_can_pci_remove(): fix use-after-free
+
+From: Tong Zhang
+
+[ Upstream commit 0429d6d89f97ebff4f17f13f5b5069c66bde8138 ]
+
+There is a UAF in c_can_pci_remove(). dev is released by
+free_c_can_dev() and is used by pci_iounmap(pdev, priv->base) later.
+To fix this issue, save the mmio address before releasing dev.
+
+Fixes: 5b92da0443c2 ("c_can_pci: generic module for C_CAN/D_CAN on PCI")
+Link: https://lore.kernel.org/r/20210301024512.539039-1-ztong0001@gmail.com
+Signed-off-by: Tong Zhang
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Sasha Levin
+---
+ drivers/net/can/c_can/c_can_pci.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/can/c_can/c_can_pci.c b/drivers/net/can/c_can/c_can_pci.c
+index d065c0e2d18e..f3e0b2124a37 100644
+--- a/drivers/net/can/c_can/c_can_pci.c
++++ b/drivers/net/can/c_can/c_can_pci.c
+@@ -239,12 +239,13 @@ static void c_can_pci_remove(struct pci_dev *pdev)
+ {
+ struct net_device *dev = pci_get_drvdata(pdev);
+ struct c_can_priv *priv = netdev_priv(dev);
++ void __iomem *addr = priv->base;
+
+ unregister_c_can_dev(dev);
+
+ free_c_can_dev(dev);
+
+- pci_iounmap(pdev, priv->base);
++ pci_iounmap(pdev, addr);
+ pci_disable_msi(pdev);
+ pci_clear_master(pdev);
+ pci_release_regions(pdev);
+--
+2.30.1
+
diff --git a/queue-4.9/can-m_can-m_can_do_rx_poll-fix-extraneous-msg-loss-w.patch b/queue-4.9/can-m_can-m_can_do_rx_poll-fix-extraneous-msg-loss-w.patch
new file mode 100644
index 00000000000..ec607e94360
--- /dev/null
+++ b/queue-4.9/can-m_can-m_can_do_rx_poll-fix-extraneous-msg-loss-w.patch
@@ -0,0 +1,44 @@
+From db3a52fd934f5b11ff8941cde1c962460ae1a632 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 3 Mar 2021 10:31:52 +0000
+Subject: can: m_can: m_can_do_rx_poll(): fix extraneous msg loss warning
+
+From: Torin Cooper-Bennun
+
+[ Upstream commit c0e399f3baf42279f48991554240af8c457535d1 ]
+
+Message loss from RX FIFO 0 is already handled in
+m_can_handle_lost_msg(), with netdev output included.
+
+Removing this warning also improves driver performance under heavy
+load, where m_can_do_rx_poll() may be called many times before this
+interrupt is cleared, causing this message to be output many
+times (thanks Mariusz Madej for this report).
+
+Fixes: e0d1f4816f2a ("can: m_can: add Bosch M_CAN controller support")
+Link: https://lore.kernel.org/r/20210303103151.3760532-1-torin@maxiluxsystems.com
+Reported-by: Mariusz Madej
+Signed-off-by: Torin Cooper-Bennun
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Sasha Levin
+---
+ drivers/net/can/m_can/m_can.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/drivers/net/can/m_can/m_can.c b/drivers/net/can/m_can/m_can.c
+index 0bd7e7164796..197c27d8f584 100644
+--- a/drivers/net/can/m_can/m_can.c
++++ b/drivers/net/can/m_can/m_can.c
+@@ -428,9 +428,6 @@ static int m_can_do_rx_poll(struct net_device *dev, int quota)
+ }
+
+ while ((rxfs & RXFS_FFL_MASK) && (quota > 0)) {
+- if (rxfs & RXFS_RFL)
+- netdev_warn(dev, "Rx FIFO 0 Message Lost\n");
+-
+ m_can_read_fifo(dev, rxfs);
+
+ quota--;
+--
+2.30.1
+
diff --git a/queue-4.9/e1000e-add-rtnl_lock-to-e1000_reset_task.patch b/queue-4.9/e1000e-add-rtnl_lock-to-e1000_reset_task.patch
new file mode 100644
index 00000000000..954740eebd6
--- /dev/null
+++ b/queue-4.9/e1000e-add-rtnl_lock-to-e1000_reset_task.patch
@@ -0,0 +1,54 @@
+From 958876a97d421590186f1366d9d4f56f489d65d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 21 Oct 2020 14:59:37 +0300
+Subject: e1000e: add rtnl_lock() to e1000_reset_task
+
+From: Vitaly Lifshits
+
+[ Upstream commit 21f857f0321d0d0ea9b1a758bd55dc63d1cb2437 ]
+
+A possible race condition was found in e1000_reset_task,
+after discovering a similar issue in igb driver via
+commit 024a8168b749 ("igb: reinit_locked() should be called
+with rtnl_lock").
+
+Added rtnl_lock() and rtnl_unlock() to avoid this.
+
+Fixes: bc7f75fa9788 ("[E1000E]: New pci-express e1000 driver (currently for ICH9 devices only)")
+Suggested-by: Jakub Kicinski
+Signed-off-by: Vitaly Lifshits
+Tested-by: Dvora Fuxbrumer
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/e1000e/netdev.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/e1000e/netdev.c b/drivers/net/ethernet/intel/e1000e/netdev.c
+index 3c01bc43889a..46323019aa63 100644
+--- a/drivers/net/ethernet/intel/e1000e/netdev.c
++++ b/drivers/net/ethernet/intel/e1000e/netdev.c
+@@ -5920,15 +5920,19 @@ static void e1000_reset_task(struct work_struct *work)
+ struct e1000_adapter *adapter;
+ adapter = container_of(work, struct e1000_adapter, reset_task);
+
++ rtnl_lock();
+ /* don't run the task if already down */
+- if (test_bit(__E1000_DOWN, &adapter->state))
++ if (test_bit(__E1000_DOWN, &adapter->state)) {
++ rtnl_unlock();
+ return;
++ }
+
+ if (!(adapter->flags & FLAG_RESTART_NOW)) {
+ e1000e_dump(adapter);
+ e_err("Reset adapter unexpectedly\n");
+ }
+ e1000e_reinit_locked(adapter);
++ rtnl_unlock();
+ }
+
+ /**
+--
+2.30.1
+
diff --git a/queue-4.9/e1000e-fix-error-handling-in-e1000_set_d0_lplu_state.patch b/queue-4.9/e1000e-fix-error-handling-in-e1000_set_d0_lplu_state.patch
new file mode 100644
index 00000000000..560e693d1db
--- /dev/null
+++ b/queue-4.9/e1000e-fix-error-handling-in-e1000_set_d0_lplu_state.patch
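Review bot: In e1000_reset_task the early-return branch now has to repeat `rtnl_unlock();`, which makes it easy for a later edit to add another return that leaves rtnl held. A single exit keeps the pairing in one place: `if (test_bit(__E1000_DOWN, &adapter->state)) goto out;` with `out: rtnl_unlock();` at the end of the function. Because `e1000e_reinit_locked()` is now called with rtnl held, neither it nor anything that waits on this work item (for example a `cancel_work_sync()` issued under rtnl) may need the lock again; those callers are not visible in this hunk and are worth checking for deadlock.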
@@ -0,0 +1,40 @@
+From b16e7c8a149f0dfafc9ffe6bfce6d337c58ee568 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 28 Feb 2021 17:44:23 +0800
+Subject: e1000e: Fix error handling in e1000_set_d0_lplu_state_82571
+
+From: Dinghao Liu
+
+[ Upstream commit b52912b8293f2c496f42583e65599aee606a0c18 ]
+
+There is one e1e_wphy() call in e1000_set_d0_lplu_state_82571
+that we have caught its return value but lack further handling.
+Check and terminate the execution flow just like other e1e_wphy()
+in this function.
+
+Fixes: bc7f75fa9788 ("[E1000E]: New pci-express e1000 driver (currently for ICH9 devices only)")
+Signed-off-by: Dinghao Liu
+Acked-by: Sasha Neftin
+Tested-by: Dvora Fuxbrumer
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/e1000e/82571.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/e1000e/82571.c b/drivers/net/ethernet/intel/e1000e/82571.c
+index 6b03c8553e59..65deaf8f3004 100644
+--- a/drivers/net/ethernet/intel/e1000e/82571.c
++++ b/drivers/net/ethernet/intel/e1000e/82571.c
+@@ -917,6 +917,8 @@ static s32 e1000_set_d0_lplu_state_82571(struct e1000_hw *hw, bool active)
+ } else {
+ data &= ~IGP02E1000_PM_D0_LPLU;
+ ret_val = e1e_wphy(hw, IGP02E1000_PHY_POWER_MGMT, data);
++ if (ret_val)
++ return ret_val;
+ /* LPLU and SmartSpeed are mutually exclusive. LPLU is used
+ * during Dx states where the power conservation is most
+ * important. During driver activity we should enable
+--
+2.30.1
+
diff --git a/queue-4.9/mac80211-fix-rate-mask-reset.patch b/queue-4.9/mac80211-fix-rate-mask-reset.patch
new file mode 100644
index 00000000000..4b1b833ec8a
--- /dev/null
+++ b/queue-4.9/mac80211-fix-rate-mask-reset.patch
@@ -0,0 +1,57 @@
+From e29681610329397029e50d3dc8ed11d75ecae65f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 12 Feb 2021 11:22:14 +0100
+Subject: mac80211: fix rate mask reset
+
+From: Johannes Berg
+
+[ Upstream commit 1944015fe9c1d9fa5e9eb7ffbbb5ef8954d6753b ]
+
+Coverity reported the strange "if (~...)" condition that's
+always true. It suggested that ! was intended instead of ~,
+but upon further analysis I'm convinced that what really was
+intended was a comparison to 0xff/0xffff (in HT/VHT cases
+respectively), since this indicates that all of the rates
+are enabled.
+
+Change the comparison accordingly.
+
+I'm guessing this never really mattered because a reset to
+not having a rate mask is basically equivalent to having a
+mask that enables all rates.
+
+Reported-by: Colin Ian King
+Fixes: 2ffbe6d33366 ("mac80211: fix and optimize MCS mask handling")
+Fixes: b119ad6e726c ("mac80211: add rate mask logic for vht rates")
+Reviewed-by: Colin Ian King
+Link: https://lore.kernel.org/r/20210212112213.36b38078f569.I8546a20c80bc1669058eb453e213630b846e107b@changeid
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ net/mac80211/cfg.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
+index 1a13715b9a59..f37fbc71fc1d 100644
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -2681,14 +2681,14 @@ static int ieee80211_set_bitrate_mask(struct wiphy *wiphy,
+ continue;
+
+ for (j = 0; j < IEEE80211_HT_MCS_MASK_LEN; j++) {
+- if (~sdata->rc_rateidx_mcs_mask[i][j]) {
++ if (sdata->rc_rateidx_mcs_mask[i][j] != 0xff) {
+ sdata->rc_has_mcs_mask[i] = true;
+ break;
+ }
+ }
+
+ for (j = 0; j < NL80211_VHT_NSS_MAX; j++) {
+- if (~sdata->rc_rateidx_vht_mcs_mask[i][j]) {
++ if (sdata->rc_rateidx_vht_mcs_mask[i][j] != 0xffff) {
+ sdata->rc_has_vht_mcs_mask[i] = true;
+ break;
+ }
+--
+2.30.1
+
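Review bot: The new comparisons in ieee80211_set_bitrate_mask, `!= 0xff` and `!= 0xffff`, are only correct while the HT mask elements are 8 bits wide and the VHT ones 16 bits, and the array declarations are outside this hunk. The original bug was itself a width problem (integer promotion made `~x` non-zero for every stored value), so I would tie the constants to the element types, e.g. `!= U8_MAX` and `!= U16_MAX`, or add a comment such as `/* all-ones: every MCS rate enabled, i.e. no mask */` above each test. The enclosing loop starts before the hunk.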
diff --git a/queue-4.9/macvlan-macvlan_count_rx-needs-to-be-aware-of-preemp.patch b/queue-4.9/macvlan-macvlan_count_rx-needs-to-be-aware-of-preemp.patch
new file mode 100644
index 00000000000..b4799217b14
--- /dev/null
+++ b/queue-4.9/macvlan-macvlan_count_rx-needs-to-be-aware-of-preemp.patch
@@ -0,0 +1,89 @@
+From 108b924d56c5b48122fe37c3d51f6538384e8614 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 10 Mar 2021 01:56:36 -0800
+Subject: macvlan: macvlan_count_rx() needs to be aware of preemption
+
+From: Eric Dumazet
+
+[ Upstream commit dd4fa1dae9f4847cc1fd78ca468ad69e16e5db3e ]
+
+macvlan_count_rx() can be called from process context, it is thus
+necessary to disable preemption before calling u64_stats_update_begin()
+
+syzbot was able to spot this on 32bit arch:
+
+WARNING: CPU: 1 PID: 4632 at include/linux/seqlock.h:271 __seqprop_assert include/linux/seqlock.h:271 [inline]
+WARNING: CPU: 1 PID: 4632 at include/linux/seqlock.h:271 __seqprop_assert.constprop.0+0xf0/0x11c include/linux/seqlock.h:269
+Modules linked in:
+Kernel panic - not syncing: panic_on_warn set ...
+CPU: 1 PID: 4632 Comm: kworker/1:3 Not tainted 5.12.0-rc2-syzkaller #0
+Hardware name: ARM-Versatile Express
+Workqueue: events macvlan_process_broadcast
+Backtrace:
+[<82740468>] (dump_backtrace) from [<827406dc>] (show_stack+0x18/0x1c arch/arm/kernel/traps.c:252)
+ r7:00000080 r6:60000093 r5:00000000 r4:8422a3c4
+[<827406c4>] (show_stack) from [<82751b58>] (__dump_stack lib/dump_stack.c:79 [inline])
+[<827406c4>] (show_stack) from [<82751b58>] (dump_stack+0xb8/0xe8 lib/dump_stack.c:120)
+[<82751aa0>] (dump_stack) from [<82741270>] (panic+0x130/0x378 kernel/panic.c:231)
+ r7:830209b4 r6:84069ea4 r5:00000000 r4:844350d0
+[<82741140>] (panic) from [<80244924>] (__warn+0xb0/0x164 kernel/panic.c:605)
+ r3:8404ec8c r2:00000000 r1:00000000 r0:830209b4
+ r7:0000010f
+[<80244874>] (__warn) from [<82741520>] (warn_slowpath_fmt+0x68/0xd4 kernel/panic.c:628)
+ r7:81363f70 r6:0000010f r5:83018e50 r4:00000000
+[<827414bc>] (warn_slowpath_fmt) from [<81363f70>] (__seqprop_assert include/linux/seqlock.h:271 [inline])
+[<827414bc>] (warn_slowpath_fmt) from [<81363f70>] (__seqprop_assert.constprop.0+0xf0/0x11c include/linux/seqlock.h:269)
+ r8:5a109000 r7:0000000f r6:a568dac0 r5:89802300 r4:00000001
+[<81363e80>] (__seqprop_assert.constprop.0) from [<81364af0>] (u64_stats_update_begin include/linux/u64_stats_sync.h:128 [inline])
+[<81363e80>] (__seqprop_assert.constprop.0) from [<81364af0>] (macvlan_count_rx include/linux/if_macvlan.h:47 [inline])
+[<81363e80>] (__seqprop_assert.constprop.0) from [<81364af0>] (macvlan_broadcast+0x154/0x26c drivers/net/macvlan.c:291)
+ r5:89802300 r4:8a927740
+[<8136499c>] (macvlan_broadcast) from [<81365020>] (macvlan_process_broadcast+0x258/0x2d0 drivers/net/macvlan.c:317)
+ r10:81364f78 r9:8a86d000 r8:8a9c7e7c r7:8413aa5c r6:00000000 r5:00000000
+ r4:89802840
+[<81364dc8>] (macvlan_process_broadcast) from [<802696a4>] (process_one_work+0x2d4/0x998 kernel/workqueue.c:2275)
+ r10:00000008 r9:8404ec98 r8:84367a02 r7:ddfe6400 r6:ddfe2d40 r5:898dac80
+ r4:8a86d43c
+[<802693d0>] (process_one_work) from [<80269dcc>] (worker_thread+0x64/0x54c kernel/workqueue.c:2421)
+ r10:00000008 r9:8a9c6000 r8:84006d00 r7:ddfe2d78 r6:898dac94 r5:ddfe2d40
+ r4:898dac80
+[<80269d68>] (worker_thread) from [<80271f40>] (kthread+0x184/0x1a4 kernel/kthread.c:292)
+ r10:85247e64 r9:898dac80 r8:80269d68 r7:00000000 r6:8a9c6000 r5:89a2ee40
+ r4:8a97bd00
+[<80271dbc>] (kthread) from [<80200114>] (ret_from_fork+0x14/0x20 arch/arm/kernel/entry-common.S:158)
+Exception stack(0x8a9c7fb0 to 0x8a9c7ff8)
+
+Fixes: 412ca1550cbe ("macvlan: Move broadcasts into a work queue")
+Signed-off-by: Eric Dumazet
+Cc: Herbert Xu
+Reported-by: syzbot
+Acked-by: Herbert Xu
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ include/linux/if_macvlan.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/include/linux/if_macvlan.h b/include/linux/if_macvlan.h
+index a4ccc3122f93..cfcbc49f4ddf 100644
+--- a/include/linux/if_macvlan.h
++++ b/include/linux/if_macvlan.h
+@@ -70,13 +70,14 @@ static inline void macvlan_count_rx(const struct macvlan_dev *vlan,
+ if (likely(success)) {
+ struct vlan_pcpu_stats *pcpu_stats;
+
+- pcpu_stats = this_cpu_ptr(vlan->pcpu_stats);
++ pcpu_stats = get_cpu_ptr(vlan->pcpu_stats);
+ u64_stats_update_begin(&pcpu_stats->syncp);
+ pcpu_stats->rx_packets++;
+ pcpu_stats->rx_bytes += len;
+ if (multicast)
+ pcpu_stats->rx_multicast++;
+ u64_stats_update_end(&pcpu_stats->syncp);
++ put_cpu_ptr(vlan->pcpu_stats);
+ } else {
+ this_cpu_inc(vlan->pcpu_stats->rx_errors);
+ }
+--
+2.30.1
+
diff --git a/queue-4.9/net-cdc-phonet-fix-data-interface-release-on-probe-f.patch b/queue-4.9/net-cdc-phonet-fix-data-interface-release-on-probe-f.patch
new file mode 100644
index 00000000000..35fd439e2da
--- /dev/null
+++ b/queue-4.9/net-cdc-phonet-fix-data-interface-release-on-probe-f.patch
@@ -0,0 +1,37 @@
+From 77a82383600eadfc18186e35b9b8ff879c176683 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 18 Mar 2021 16:57:49 +0100
+Subject: net: cdc-phonet: fix data-interface release on probe failure
+
+From: Johan Hovold
+
+[ Upstream commit c79a707072fe3fea0e3c92edee6ca85c1e53c29f ]
+
+Set the disconnected flag before releasing the data interface in case
+netdev registration fails to avoid having the disconnect callback try to
+deregister the never registered netdev (and trigger a WARN_ON()).
+
+Fixes: 87cf65601e17 ("USB host CDC Phonet network interface driver")
+Signed-off-by: Johan Hovold
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/usb/cdc-phonet.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/usb/cdc-phonet.c b/drivers/net/usb/cdc-phonet.c
+index ff2270ead2e6..84e0e7f78029 100644
+--- a/drivers/net/usb/cdc-phonet.c
++++ b/drivers/net/usb/cdc-phonet.c
+@@ -406,6 +406,8 @@ static int usbpn_probe(struct usb_interface *intf, const struct usb_device_id *i
+
+ err = register_netdev(dev);
+ if (err) {
++ /* Set disconnected flag so that disconnect() returns early. */
++ pnd->disconnected = 1;
+ usb_driver_release_interface(&usbpn_driver, data_intf);
+ goto out;
+ }
+--
+2.30.1
+
diff --git a/queue-4.9/net-dsa-bcm_sf2-qualify-phydev-dev_flags-based-on-po.patch b/queue-4.9/net-dsa-bcm_sf2-qualify-phydev-dev_flags-based-on-po.patch
new file mode 100644
index 00000000000..5bd7162a547
--- /dev/null
+++ b/queue-4.9/net-dsa-bcm_sf2-qualify-phydev-dev_flags-based-on-po.patch
@@ -0,0 +1,43 @@
+From 4701caa939dffea7c65c17194be503d42cbc1ca4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 10 Mar 2021 14:17:58 -0800
+Subject: net: dsa: bcm_sf2: Qualify phydev->dev_flags based on port
+
+From: Florian Fainelli
+
+[ Upstream commit 47142ed6c34d544ae9f0463e58d482289cbe0d46 ]
+
+Similar to commit 92696286f3bb37ba50e4bd8d1beb24afb759a799 ("net:
+bcmgenet: Set phydev->dev_flags only for internal PHYs") we need to
+qualify the phydev->dev_flags based on whether the port is connected to
+an internal or external PHY otherwise we risk having a flags collision
+with a completely different interpretation depending on the driver.
+
+Fixes: aa9aef77c761 ("net: dsa: bcm_sf2: communicate integrated PHY revision to PHY driver")
+Signed-off-by: Florian Fainelli
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/dsa/bcm_sf2.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/dsa/bcm_sf2.c b/drivers/net/dsa/bcm_sf2.c
+index 0c69d5858558..40b3adf7ad99 100644
+--- a/drivers/net/dsa/bcm_sf2.c
++++ b/drivers/net/dsa/bcm_sf2.c
+@@ -588,8 +588,10 @@ static u32 bcm_sf2_sw_get_phy_flags(struct dsa_switch *ds, int port)
+ * in bits 15:8 and the patch level in bits 7:0 which is exactly what
+ * the REG_PHY_REVISION register layout is.
+ */
+-
+- return priv->hw_params.gphy_rev;
++ if (priv->int_phy_mask & BIT(port))
++ return priv->hw_params.gphy_rev;
++ else
++ return 0;
+ }
+
+ static void bcm_sf2_sw_adjust_link(struct dsa_switch *ds, int port,
+--
+2.30.1
+
diff --git a/queue-4.9/net-qlcnic-fix-a-use-after-free-in-qlcnic_83xx_get_m.patch b/queue-4.9/net-qlcnic-fix-a-use-after-free-in-qlcnic_83xx_get_m.patch
new file mode 100644
index 00000000000..9c8254adb6e
--- /dev/null
+++ b/queue-4.9/net-qlcnic-fix-a-use-after-free-in-qlcnic_83xx_get_m.patch
@@ -0,0 +1,44 @@
+From 5a9c07fe1469afd31428b04995d1a4c8a020af26 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 10 Mar 2021 20:01:40 -0800
+Subject: net/qlcnic: Fix a use after free in qlcnic_83xx_get_minidump_template
+
+From: Lv Yunlong
+
+[ Upstream commit db74623a3850db99cb9692fda9e836a56b74198d ]
+
+In qlcnic_83xx_get_minidump_template, fw_dump->tmpl_hdr was freed by
+vfree(). But unfortunately, it is used when extended is true.
+
+Fixes: 7061b2bdd620e ("qlogic: Deletion of unnecessary checks before two function calls")
+Signed-off-by: Lv Yunlong
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/qlogic/qlcnic/qlcnic_minidump.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_minidump.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_minidump.c
+index 5174e0bd75d1..625336264a44 100644
+--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_minidump.c
++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_minidump.c
+@@ -1426,6 +1426,7 @@ void qlcnic_83xx_get_minidump_template(struct qlcnic_adapter *adapter)
+
+ if (fw_dump->tmpl_hdr == NULL || current_version > prev_version) {
+ vfree(fw_dump->tmpl_hdr);
++ fw_dump->tmpl_hdr = NULL;
+
+ if (qlcnic_83xx_md_check_extended_dump_capability(adapter))
+ extended = !qlcnic_83xx_extend_md_capab(adapter);
+@@ -1444,6 +1445,8 @@ void qlcnic_83xx_get_minidump_template(struct qlcnic_adapter *adapter)
+ struct qlcnic_83xx_dump_template_hdr *hdr;
+
+ hdr = fw_dump->tmpl_hdr;
++ if (!hdr)
++ return;
+ hdr->drv_cap_mask = 0x1f;
+ fw_dump->cap_mask = 0x1f;
+ dev_info(&pdev->dev,
+--
+2.30.1
+
diff --git a/queue-4.9/rdma-cxgb4-fix-adapter-le-hash-errors-while-destroyi.patch b/queue-4.9/rdma-cxgb4-fix-adapter-le-hash-errors-while-destroyi.patch
new file mode 100644
index 00000000000..deaf50459a9
--- /dev/null
+++ b/queue-4.9/rdma-cxgb4-fix-adapter-le-hash-errors-while-destroyi.patch
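Review bot: In qlcnic_83xx_get_minidump_template the new `if (!hdr) return;` exits silently, so when the template is not available again after the `vfree()` nothing is logged and the function leaves with `fw_dump->tmpl_hdr == NULL`. Clearing the pointer removes the dangling reference, but it also means every other reader of `fw_dump->tmpl_hdr` has to tolerate NULL; those readers, and the code between the two hunks that presumably re-fetches the template, are not visible here and should be checked. I would at least log the case, e.g. `dev_err(&pdev->dev, "minidump template unavailable\n");` before the return, and add a one-line comment at the `= NULL` assignment saying the pointer stays NULL until the template is fetched again.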
@@ -0,0 +1,48 @@
+From 0473928db5a497d0d31b5614176e6816c41831a1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 25 Mar 2021 00:34:53 +0530
+Subject: RDMA/cxgb4: Fix adapter LE hash errors while destroying ipv6
+ listening server
+
+From: Potnuri Bharat Teja
+
+[ Upstream commit 3408be145a5d6418ff955fe5badde652be90e700 ]
+
+Not setting the ipv6 bit while destroying ipv6 listening servers may
+result in potential fatal adapter errors due to lookup engine memory hash
+errors. Therefore always set ipv6 field while destroying ipv6 listening
+servers.
+
+Fixes: 830662f6f032 ("RDMA/cxgb4: Add support for active and passive open connection with IPv6 address")
+Link: https://lore.kernel.org/r/20210324190453.8171-1-bharat@chelsio.com
+Signed-off-by: Potnuri Bharat Teja
+Reviewed-by: Leon Romanovsky
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Sasha Levin
+---
+ drivers/infiniband/hw/cxgb4/cm.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/hw/cxgb4/cm.c b/drivers/infiniband/hw/cxgb4/cm.c
+index a60e1c1b4b5e..8bd062635399 100644
+--- a/drivers/infiniband/hw/cxgb4/cm.c
++++ b/drivers/infiniband/hw/cxgb4/cm.c
+@@ -3472,13 +3472,13 @@ int c4iw_destroy_listen(struct iw_cm_id *cm_id)
+ ep->com.local_addr.ss_family == AF_INET) {
+ err = cxgb4_remove_server_filter(
+ ep->com.dev->rdev.lldi.ports[0], ep->stid,
+- ep->com.dev->rdev.lldi.rxq_ids[0], 0);
++ ep->com.dev->rdev.lldi.rxq_ids[0], false);
+ } else {
+ struct sockaddr_in6 *sin6;
+ c4iw_init_wr_wait(&ep->com.wr_wait);
+ err = cxgb4_remove_server(
+ ep->com.dev->rdev.lldi.ports[0], ep->stid,
+- ep->com.dev->rdev.lldi.rxq_ids[0], 0);
++ ep->com.dev->rdev.lldi.rxq_ids[0], true);
+ if (err)
+ goto done;
+ err = c4iw_wait_for_reply(&ep->com.dev->rdev, &ep->com.wr_wait,
+--
+2.30.1
+
diff --git a/queue-4.9/series b/queue-4.9/series
index 9554d9cdff4..4d916dfd365 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
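Review bot: In c4iw_destroy_listen the `else` branch now passes a hard-coded `true` as the ipv6 argument of `cxgb4_remove_server()`, but that branch is not necessarily IPv6-only. The visible condition line `ep->com.local_addr.ss_family == AF_INET) {` is the tail of a longer `if` that starts outside the hunk; if its first operand is false, an AF_INET listener also lands in the `else` and would be removed with the ipv6 bit set, the mirror image of the lookup-engine error this patch is fixing. Deriving the flag from the address family avoids that: `ep->com.dev->rdev.lldi.rxq_ids[0], ep->com.local_addr.ss_family == AF_INET6);`.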
@@ -18,3 +18,15 @@ x86-tlb-flush-global-mappings-when-kaiser-is-disable.patch
 squashfs-fix-inode-lookup-sanity-checks.patch
 squashfs-fix-xattr-id-and-id-lookup-sanity-checks.patch
 arm64-dts-ls1043a-mark-crypto-engine-dma-coherent.patch
+bus-omap_l3_noc-mark-l3-irqs-as-irqf_no_thread.patch
+macvlan-macvlan_count_rx-needs-to-be-aware-of-preemp.patch
+net-dsa-bcm_sf2-qualify-phydev-dev_flags-based-on-po.patch
+e1000e-add-rtnl_lock-to-e1000_reset_task.patch
+e1000e-fix-error-handling-in-e1000_set_d0_lplu_state.patch
+net-qlcnic-fix-a-use-after-free-in-qlcnic_83xx_get_m.patch
+can-c_can_pci-c_can_pci_remove-fix-use-after-free.patch
+can-c_can-move-runtime-pm-enable-disable-to-c_can_pl.patch
+can-m_can-m_can_do_rx_poll-fix-extraneous-msg-loss-w.patch
+mac80211-fix-rate-mask-reset.patch
+net-cdc-phonet-fix-data-interface-release-on-probe-f.patch
+rdma-cxgb4-fix-adapter-le-hash-errors-while-destroyi.patch