From: Sasha Levin Date: Mon, 23 May 2022 03:03:30 +0000 (-0400) Subject: Fixes for 5.4 X-Git-Tag: v4.9.316~26 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=cb8150224b4e5593dca94a999eb45ab2ce25001d;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/arm-9196-1-spectre-bhb-enable-for-cortex-a15.patch b/queue-5.4/arm-9196-1-spectre-bhb-enable-for-cortex-a15.patch new file mode 100644 index 00000000000..9aa187de1ba --- /dev/null +++ b/queue-5.4/arm-9196-1-spectre-bhb-enable-for-cortex-a15.patch @@ -0,0 +1,36 @@ +From 5ccb7a3bf6279bc3b49f4e9b421480553df33963 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Apr 2022 09:44:51 +0100 +Subject: ARM: 9196/1: spectre-bhb: enable for Cortex-A15 + +From: Ard Biesheuvel + +[ Upstream commit 0dc14aa94ccd8ba35eb17a0f9b123d1566efd39e ] + +The Spectre-BHB mitigations were inadvertently left disabled for +Cortex-A15, due to the fact that cpu_v7_bugs_init() is not called in +that case. So fix that. + +Fixes: b9baf5c8c5c3 ("ARM: Spectre-BHB workaround") +Signed-off-by: Ard Biesheuvel +Signed-off-by: Russell King (Oracle) +Signed-off-by: Sasha Levin +--- + arch/arm/mm/proc-v7-bugs.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm/mm/proc-v7-bugs.c b/arch/arm/mm/proc-v7-bugs.c +index 097ef85bb7f2..bcb9181601d9 100644 +--- a/arch/arm/mm/proc-v7-bugs.c ++++ b/arch/arm/mm/proc-v7-bugs.c +@@ -301,6 +301,7 @@ void cpu_v7_ca15_ibe(void) + { + if (check_spectre_auxcr(this_cpu_ptr(&spectre_warned), BIT(0))) + cpu_v7_spectre_v2_init(); ++ cpu_v7_spectre_bhb_init(); + } + + void cpu_v7_bugs_init(void) +-- +2.35.1 + diff --git a/queue-5.4/arm-9197-1-spectre-bhb-fix-loop8-sequence-for-thumb2.patch b/queue-5.4/arm-9197-1-spectre-bhb-fix-loop8-sequence-for-thumb2.patch new file mode 100644 index 00000000000..c42e8f27364 --- /dev/null +++ b/queue-5.4/arm-9197-1-spectre-bhb-fix-loop8-sequence-for-thumb2.patch @@ -0,0 +1,37 @@ +From c74e2c8672a1030896b4e66d77f1cce506fd09e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Apr 2022 09:46:17 +0100 +Subject: ARM: 9197/1: spectre-bhb: fix loop8 sequence for Thumb2 + +From: Ard Biesheuvel + +[ Upstream commit 3cfb3019979666bdf33a1010147363cf05e0f17b ] + +In Thumb2, 'b . + 4' produces a branch instruction that uses a narrow +encoding, and so it does not jump to the following instruction as +expected. So use W(b) instead. + +Fixes: 6c7cb60bff7a ("ARM: fix Thumb2 regression with Spectre BHB") +Signed-off-by: Ard Biesheuvel +Signed-off-by: Russell King (Oracle) +Signed-off-by: Sasha Levin +--- + arch/arm/kernel/entry-armv.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/kernel/entry-armv.S b/arch/arm/kernel/entry-armv.S +index 3d65fa56a0e5..8e8efe28d799 100644 +--- a/arch/arm/kernel/entry-armv.S ++++ b/arch/arm/kernel/entry-armv.S +@@ -1043,7 +1043,7 @@ vector_bhb_loop8_\name: + + @ bhb workaround + mov r0, #8 +-3: b . + 4 ++3: W(b) . + 4 + subs r0, r0, #1 + bne 3b + dsb +-- +2.35.1 + diff --git a/queue-5.4/arm-dts-aspeed-g6-fix-spi1-spi2-quad-pin-group.patch b/queue-5.4/arm-dts-aspeed-g6-fix-spi1-spi2-quad-pin-group.patch new file mode 100644 index 00000000000..6663b237236 --- /dev/null +++ b/queue-5.4/arm-dts-aspeed-g6-fix-spi1-spi2-quad-pin-group.patch @@ -0,0 +1,45 @@ +From 52480e665f311d57de1aa1f1db662435730c4f48 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Mar 2022 10:39:32 -0700 +Subject: ARM: dts: aspeed-g6: fix SPI1/SPI2 quad pin group + +From: Jae Hyun Yoo + +[ Upstream commit 890362d41b244536ab63591f813393f5fdf59ed7 ] + +Fix incorrect function mappings in pinctrl_qspi1_default and +pinctrl_qspi2_default since their function should be SPI1 and +SPI2 respectively. + +Fixes: f510f04c8c83 ("ARM: dts: aspeed: Add AST2600 pinmux nodes") +Signed-off-by: Jae Hyun Yoo +Reviewed-by: Andrew Jeffery +Link: https://lore.kernel.org/r/20220329173932.2588289-8-quic_jaehyoo@quicinc.com +Signed-off-by: Joel Stanley +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/aspeed-g6-pinctrl.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm/boot/dts/aspeed-g6-pinctrl.dtsi b/arch/arm/boot/dts/aspeed-g6-pinctrl.dtsi +index 4792b3d9459d..ac723fe898c7 100644 +--- a/arch/arm/boot/dts/aspeed-g6-pinctrl.dtsi ++++ b/arch/arm/boot/dts/aspeed-g6-pinctrl.dtsi +@@ -648,12 +648,12 @@ pinctrl_pwm9g1_default: pwm9g1_default { + }; + + pinctrl_qspi1_default: qspi1_default { +- function = "QSPI1"; ++ function = "SPI1"; + groups = "QSPI1"; + }; + + pinctrl_qspi2_default: qspi2_default { +- function = "QSPI2"; ++ function = "SPI2"; + groups = "QSPI2"; + }; + +-- +2.35.1 + diff --git a/queue-5.4/arm-dts-aspeed-g6-remove-fwqspid-group-in-pinctrl-dt.patch b/queue-5.4/arm-dts-aspeed-g6-remove-fwqspid-group-in-pinctrl-dt.patch new file mode 100644 index 00000000000..819c94f0687 --- /dev/null +++ b/queue-5.4/arm-dts-aspeed-g6-remove-fwqspid-group-in-pinctrl-dt.patch @@ -0,0 +1,43 @@ +From 4571e7a71fed42845dd4505a600fcf0a7b66287e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Mar 2022 10:39:26 -0700 +Subject: ARM: dts: aspeed-g6: remove FWQSPID group in pinctrl dtsi + +From: Jae Hyun Yoo + +[ Upstream commit efddaa397cceefb61476e383c26fafd1f8ab6356 ] + +FWSPIDQ2 and FWSPIDQ3 are not part of FWSPI18 interface so remove +FWQSPID group in pinctrl dtsi. These pins must be used with the +FWSPI pins that are dedicated for boot SPI interface which provides +same 3.3v logic level. + +Fixes: 2f6edb6bcb2f ("ARM: dts: aspeed: Fix AST2600 quad spi group") +Signed-off-by: Jae Hyun Yoo +Reviewed-by: Andrew Jeffery +Link: https://lore.kernel.org/r/20220329173932.2588289-2-quic_jaehyoo@quicinc.com +Signed-off-by: Joel Stanley +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/aspeed-g6-pinctrl.dtsi | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/arch/arm/boot/dts/aspeed-g6-pinctrl.dtsi b/arch/arm/boot/dts/aspeed-g6-pinctrl.dtsi +index f310f4d3bcc7..4792b3d9459d 100644 +--- a/arch/arm/boot/dts/aspeed-g6-pinctrl.dtsi ++++ b/arch/arm/boot/dts/aspeed-g6-pinctrl.dtsi +@@ -117,11 +117,6 @@ pinctrl_fwspid_default: fwspid_default { + groups = "FWSPID"; + }; + +- pinctrl_fwqspid_default: fwqspid_default { +- function = "FWSPID"; +- groups = "FWQSPID"; +- }; +- + pinctrl_fwspiwp_default: fwspiwp_default { + function = "FWSPIWP"; + groups = "FWSPIWP"; +-- +2.35.1 + diff --git a/queue-5.4/clk-at91-generated-consider-range-when-calculating-b.patch b/queue-5.4/clk-at91-generated-consider-range-when-calculating-b.patch new file mode 100644 index 00000000000..93eef8f0b44 --- /dev/null +++ b/queue-5.4/clk-at91-generated-consider-range-when-calculating-b.patch @@ -0,0 +1,42 @@ +From c70543a4aaaafcaa1796af850005753f4bf99ed5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Apr 2022 10:13:18 +0300 +Subject: clk: at91: generated: consider range when calculating best rate + +From: Codrin Ciubotariu + +[ Upstream commit d0031e6fbed955ff8d5f5bbc8fe7382482559cec ] + +clk_generated_best_diff() helps in finding the parent and the divisor to +compute a rate closest to the required one. However, it doesn't take into +account the request's range for the new rate. Make sure the new rate +is within the required range. + +Fixes: 8a8f4bf0c480 ("clk: at91: clk-generated: create function to find best_diff") +Signed-off-by: Codrin Ciubotariu +Link: https://lore.kernel.org/r/20220413071318.244912-1-codrin.ciubotariu@microchip.com +Reviewed-by: Claudiu Beznea +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/at91/clk-generated.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/clk/at91/clk-generated.c b/drivers/clk/at91/clk-generated.c +index d7fe1303f79d..0e7ec5075689 100644 +--- a/drivers/clk/at91/clk-generated.c ++++ b/drivers/clk/at91/clk-generated.c +@@ -105,6 +105,10 @@ static void clk_generated_best_diff(struct clk_rate_request *req, + tmp_rate = parent_rate; + else + tmp_rate = parent_rate / div; ++ ++ if (tmp_rate < req->min_rate || tmp_rate > req->max_rate) ++ return; ++ + tmp_diff = abs(req->rate - tmp_rate); + + if (*best_diff < 0 || *best_diff >= tmp_diff) { +-- +2.35.1 + diff --git a/queue-5.4/ethernet-tulip-fix-missing-pci_disable_device-on-err.patch b/queue-5.4/ethernet-tulip-fix-missing-pci_disable_device-on-err.patch new file mode 100644 index 00000000000..4482fcbe2c9 --- /dev/null +++ b/queue-5.4/ethernet-tulip-fix-missing-pci_disable_device-on-err.patch @@ -0,0 +1,49 @@ +From 65ed4e3a18e4c1ff5bf20126f449dfe974a49b03 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 May 2022 17:42:50 +0800 +Subject: ethernet: tulip: fix missing pci_disable_device() on error in + tulip_init_one() + +From: Yang Yingliang + +[ Upstream commit 51ca86b4c9c7c75f5630fa0dbe5f8f0bd98e3c3e ] + +Fix the missing pci_disable_device() before return +from tulip_init_one() in the error handling case. + +Reported-by: Hulk Robot +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20220506094250.3630615-1-yangyingliang@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/dec/tulip/tulip_core.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/dec/tulip/tulip_core.c b/drivers/net/ethernet/dec/tulip/tulip_core.c +index 3e3e08698876..fea4223ad6f1 100644 +--- a/drivers/net/ethernet/dec/tulip/tulip_core.c ++++ b/drivers/net/ethernet/dec/tulip/tulip_core.c +@@ -1410,8 +1410,10 @@ static int tulip_init_one(struct pci_dev *pdev, const struct pci_device_id *ent) + + /* alloc_etherdev ensures aligned and zeroed private structures */ + dev = alloc_etherdev (sizeof (*tp)); +- if (!dev) ++ if (!dev) { ++ pci_disable_device(pdev); + return -ENOMEM; ++ } + + SET_NETDEV_DEV(dev, &pdev->dev); + if (pci_resource_len (pdev, 0) < tulip_tbl[chip_idx].io_size) { +@@ -1788,6 +1790,7 @@ static int tulip_init_one(struct pci_dev *pdev, const struct pci_device_id *ent) + + err_out_free_netdev: + free_netdev (dev); ++ pci_disable_device(pdev); + return -ENODEV; + } + +-- +2.35.1 + diff --git a/queue-5.4/gpio-gpio-vf610-do-not-touch-other-bits-when-set-the.patch b/queue-5.4/gpio-gpio-vf610-do-not-touch-other-bits-when-set-the.patch new file mode 100644 index 00000000000..6f44b75eaa5 --- /dev/null +++ b/queue-5.4/gpio-gpio-vf610-do-not-touch-other-bits-when-set-the.patch @@ -0,0 +1,45 @@ +From 3ff72a1b599a6b4634eeb1d42ceb97de098ad005 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 May 2022 10:15:04 +0800 +Subject: gpio: gpio-vf610: do not touch other bits when set the target bit + +From: Haibo Chen + +[ Upstream commit 9bf3ac466faa83d51a8fe9212131701e58fdef74 ] + +For gpio controller contain register PDDR, when set one target bit, +current logic will clear all other bits, this is wrong. Use operator +'|=' to fix it. + +Fixes: 659d8a62311f ("gpio: vf610: add imx7ulp support") +Reviewed-by: Peng Fan +Signed-off-by: Haibo Chen +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-vf610.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpio/gpio-vf610.c b/drivers/gpio/gpio-vf610.c +index 58776f2d69ff..1ae612c796ee 100644 +--- a/drivers/gpio/gpio-vf610.c ++++ b/drivers/gpio/gpio-vf610.c +@@ -125,9 +125,13 @@ static int vf610_gpio_direction_output(struct gpio_chip *chip, unsigned gpio, + { + struct vf610_gpio_port *port = gpiochip_get_data(chip); + unsigned long mask = BIT(gpio); ++ u32 val; + +- if (port->sdata && port->sdata->have_paddr) +- vf610_gpio_writel(mask, port->gpio_base + GPIO_PDDR); ++ if (port->sdata && port->sdata->have_paddr) { ++ val = vf610_gpio_readl(port->gpio_base + GPIO_PDDR); ++ val |= mask; ++ vf610_gpio_writel(val, port->gpio_base + GPIO_PDDR); ++ } + + vf610_gpio_set(chip, gpio, value); + +-- +2.35.1 + diff --git a/queue-5.4/gpio-mvebu-pwm-refuse-requests-with-inverted-polarit.patch b/queue-5.4/gpio-mvebu-pwm-refuse-requests-with-inverted-polarit.patch new file mode 100644 index 00000000000..36d79a6c259 --- /dev/null +++ b/queue-5.4/gpio-mvebu-pwm-refuse-requests-with-inverted-polarit.patch @@ -0,0 +1,40 @@ +From 4adcbf0fb1c9018cf36654909e7f8baf5bdc67ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 May 2022 09:58:56 +0200 +Subject: gpio: mvebu/pwm: Refuse requests with inverted polarity +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit 3ecb10175b1f776f076553c24e2689e42953fef5 ] + +The driver doesn't take struct pwm_state::polarity into account when +configuring the hardware, so refuse requests for inverted polarity. + +Fixes: 757642f9a584 ("gpio: mvebu: Add limited PWM support") +Signed-off-by: Uwe Kleine-König +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-mvebu.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpio/gpio-mvebu.c b/drivers/gpio/gpio-mvebu.c +index 89a053b1d279..b5ae28fce9a8 100644 +--- a/drivers/gpio/gpio-mvebu.c ++++ b/drivers/gpio/gpio-mvebu.c +@@ -697,6 +697,9 @@ static int mvebu_pwm_apply(struct pwm_chip *chip, struct pwm_device *pwm, + unsigned long flags; + unsigned int on, off; + ++ if (state->polarity != PWM_POLARITY_NORMAL) ++ return -EINVAL; ++ + val = (unsigned long long) mvpwm->clk_rate * state->duty_cycle; + do_div(val, NSEC_PER_SEC); + if (val > UINT_MAX) +-- +2.35.1 + diff --git a/queue-5.4/ice-fix-possible-under-reporting-of-ethtool-tx-and-r.patch b/queue-5.4/ice-fix-possible-under-reporting-of-ethtool-tx-and-r.patch new file mode 100644 index 00000000000..921da5abf67 --- /dev/null +++ b/queue-5.4/ice-fix-possible-under-reporting-of-ethtool-tx-and-r.patch @@ -0,0 +1,51 @@ +From b89632c2f6e973f99ed3060a11adef77b8c12ce0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Apr 2022 14:11:42 -0700 +Subject: ice: fix possible under reporting of ethtool Tx and Rx statistics + +From: Paul Greenwalt + +[ Upstream commit 31b6298fd8e29effe9ed6b77351ac5969be56ce0 ] + +The hardware statistics counters are not cleared during resets so the +drivers first access is to initialize the baseline and then subsequent +reads are for reporting the counters. The statistics counters are read +during the watchdog subtask when the interface is up. If the baseline +is not initialized before the interface is up, then there can be a brief +window in which some traffic can be transmitted/received before the +initial baseline reading takes place. + +Directly initialize ethtool statistics in driver open so the baseline will +be initialized when the interface is up, and any dropped packets +incremented before the interface is up won't be reported. + +Fixes: 28dc1b86f8ea9 ("ice: ignore dropped packets during init") +Signed-off-by: Paul Greenwalt +Tested-by: Gurucharan (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_main.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c +index 3eea68f3a526..88750a96cb3f 100644 +--- a/drivers/net/ethernet/intel/ice/ice_main.c ++++ b/drivers/net/ethernet/intel/ice/ice_main.c +@@ -3561,9 +3561,10 @@ static int ice_up_complete(struct ice_vsi *vsi) + netif_carrier_on(vsi->netdev); + } + +- /* clear this now, and the first stats read will be used as baseline */ +- vsi->stat_offsets_loaded = false; +- ++ /* Perform an initial read of the statistics registers now to ++ * set the baseline so counters are ready when interface is up ++ */ ++ ice_update_eth_stats(vsi); + ice_service_task_schedule(pf); + + return 0; +-- +2.35.1 + diff --git a/queue-5.4/igb-skip-phy-status-check-where-unavailable.patch b/queue-5.4/igb-skip-phy-status-check-where-unavailable.patch new file mode 100644 index 00000000000..bdc0224ae56 --- /dev/null +++ b/queue-5.4/igb-skip-phy-status-check-where-unavailable.patch @@ -0,0 +1,46 @@ +From 8dcda4c66e634bdca02b39c4167b57b18cb47707 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 May 2022 11:01:05 -0700 +Subject: igb: skip phy status check where unavailable + +From: Kevin Mitchell + +[ Upstream commit 942d2ad5d2e0df758a645ddfadffde2795322728 ] + +igb_read_phy_reg() will silently return, leaving phy_data untouched, if +hw->ops.read_reg isn't set. Depending on the uninitialized value of +phy_data, this led to the phy status check either succeeding immediately +or looping continuously for 2 seconds before emitting a noisy err-level +timeout. This message went out to the console even though there was no +actual problem. + +Instead, first check if there is read_reg function pointer. If not, +proceed without trying to check the phy status register. + +Fixes: b72f3f72005d ("igb: When GbE link up, wait for Remote receiver status condition") +Signed-off-by: Kevin Mitchell +Tested-by: Gurucharan (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/igb_main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index 3df25b231ab5..26c8d09ad4dd 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -5318,7 +5318,8 @@ static void igb_watchdog_task(struct work_struct *work) + break; + } + +- if (adapter->link_speed != SPEED_1000) ++ if (adapter->link_speed != SPEED_1000 || ++ !hw->phy.ops.read_reg) + goto no_wait; + + /* wait for Remote receiver status OK */ +-- +2.35.1 + diff --git a/queue-5.4/mac80211-fix-rx-reordering-with-non-explicit-psmp-ac.patch b/queue-5.4/mac80211-fix-rx-reordering-with-non-explicit-psmp-ac.patch new file mode 100644 index 00000000000..22c4b18c384 --- /dev/null +++ b/queue-5.4/mac80211-fix-rx-reordering-with-non-explicit-psmp-ac.patch @@ -0,0 +1,38 @@ +From ffe0b341a3932cd407f872617c3f90a141f8bfd1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Apr 2022 12:50:38 +0200 +Subject: mac80211: fix rx reordering with non explicit / psmp ack policy + +From: Felix Fietkau + +[ Upstream commit 5e469ed9764d4722c59562da13120bd2dc6834c5 ] + +When the QoS ack policy was set to non explicit / psmp ack, frames are treated +as not being part of a BA session, which causes extra latency on reordering. +Fix this by only bypassing reordering for packets with no-ack policy + +Signed-off-by: Felix Fietkau +Link: https://lore.kernel.org/r/20220420105038.36443-1-nbd@nbd.name +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/rx.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c +index ab91683d9459..99d5f8b58e92 100644 +--- a/net/mac80211/rx.c ++++ b/net/mac80211/rx.c +@@ -1400,8 +1400,7 @@ static void ieee80211_rx_reorder_ampdu(struct ieee80211_rx_data *rx, + goto dont_reorder; + + /* not part of a BA session */ +- if (ack_policy != IEEE80211_QOS_CTL_ACK_POLICY_BLOCKACK && +- ack_policy != IEEE80211_QOS_CTL_ACK_POLICY_NORMAL) ++ if (ack_policy == IEEE80211_QOS_CTL_ACK_POLICY_NOACK) + goto dont_reorder; + + /* new, potentially un-ordered, ampdu frame - process it */ +-- +2.35.1 + diff --git a/queue-5.4/net-af_key-add-check-for-pfkey_broadcast-in-function.patch b/queue-5.4/net-af_key-add-check-for-pfkey_broadcast-in-function.patch new file mode 100644 index 00000000000..e54edba179a --- /dev/null +++ b/queue-5.4/net-af_key-add-check-for-pfkey_broadcast-in-function.patch @@ -0,0 +1,42 @@ +From 07194e1d8fb64d4930745781c13a946c0742c044 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 May 2022 17:42:31 +0800 +Subject: net: af_key: add check for pfkey_broadcast in function pfkey_process + +From: Jiasheng Jiang + +[ Upstream commit 4dc2a5a8f6754492180741facf2a8787f2c415d7 ] + +If skb_clone() returns null pointer, pfkey_broadcast() will +return error. +Therefore, it should be better to check the return value of +pfkey_broadcast() and return error if fails. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Jiasheng Jiang +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/key/af_key.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/net/key/af_key.c b/net/key/af_key.c +index 2ac9560020f9..f67d3ba72c49 100644 +--- a/net/key/af_key.c ++++ b/net/key/af_key.c +@@ -2830,8 +2830,10 @@ static int pfkey_process(struct sock *sk, struct sk_buff *skb, const struct sadb + void *ext_hdrs[SADB_EXT_MAX]; + int err; + +- pfkey_broadcast(skb_clone(skb, GFP_KERNEL), GFP_KERNEL, +- BROADCAST_PROMISC_ONLY, NULL, sock_net(sk)); ++ err = pfkey_broadcast(skb_clone(skb, GFP_KERNEL), GFP_KERNEL, ++ BROADCAST_PROMISC_ONLY, NULL, sock_net(sk)); ++ if (err) ++ return err; + + memset(ext_hdrs, 0, sizeof(ext_hdrs)); + err = parse_exthdrs(skb, hdr, ext_hdrs); +-- +2.35.1 + diff --git a/queue-5.4/net-atlantic-verify-hw_head_-lies-within-tx-buffer-r.patch b/queue-5.4/net-atlantic-verify-hw_head_-lies-within-tx-buffer-r.patch new file mode 100644 index 00000000000..53a4d6077a1 --- /dev/null +++ b/queue-5.4/net-atlantic-verify-hw_head_-lies-within-tx-buffer-r.patch @@ -0,0 +1,43 @@ +From 06f8665f60fcbdb36611d343c1736f2097b23a61 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 May 2022 19:28:26 -0700 +Subject: net: atlantic: verify hw_head_ lies within TX buffer ring + +From: Grant Grundler + +[ Upstream commit 2120b7f4d128433ad8c5f503a9584deba0684901 ] + +Bounds check hw_head index provided by NIC to verify it lies +within the TX buffer ring. + +Reported-by: Aashay Shringarpure +Reported-by: Yi Chou +Reported-by: Shervin Oloumi +Signed-off-by: Grant Grundler +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c +index 2ad3fa6316ce..cb5954eeb409 100644 +--- a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c ++++ b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c +@@ -674,6 +674,13 @@ static int hw_atl_b0_hw_ring_tx_head_update(struct aq_hw_s *self, + err = -ENXIO; + goto err_exit; + } ++ ++ /* Validate that the new hw_head_ is reasonable. */ ++ if (hw_head_ >= ring->size) { ++ err = -ENXIO; ++ goto err_exit; ++ } ++ + ring->hw_head = hw_head_; + err = aq_hw_err_from_flags(self); + +-- +2.35.1 + diff --git a/queue-5.4/net-bridge-clear-offload_fwd_mark-when-passing-frame.patch b/queue-5.4/net-bridge-clear-offload_fwd_mark-when-passing-frame.patch new file mode 100644 index 00000000000..0adce12ad24 --- /dev/null +++ b/queue-5.4/net-bridge-clear-offload_fwd_mark-when-passing-frame.patch @@ -0,0 +1,72 @@ +From 123ca2460c7aa475fe7ce5255b16837da89db58a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 May 2022 02:58:40 +0200 +Subject: net: bridge: Clear offload_fwd_mark when passing frame up bridge + interface. + +From: Andrew Lunn + +[ Upstream commit fbb3abdf2223cd0dfc07de85fe5a43ba7f435bdf ] + +It is possible to stack bridges on top of each other. Consider the +following which makes use of an Ethernet switch: + + br1 + / \ + / \ + / \ + br0.11 wlan0 + | + br0 + / | \ +p1 p2 p3 + +br0 is offloaded to the switch. Above br0 is a vlan interface, for +vlan 11. This vlan interface is then a slave of br1. br1 also has a +wireless interface as a slave. This setup trunks wireless lan traffic +over the copper network inside a VLAN. + +A frame received on p1 which is passed up to the bridge has the +skb->offload_fwd_mark flag set to true, indicating that the switch has +dealt with forwarding the frame out ports p2 and p3 as needed. This +flag instructs the software bridge it does not need to pass the frame +back down again. However, the flag is not getting reset when the frame +is passed upwards. As a result br1 sees the flag, wrongly interprets +it, and fails to forward the frame to wlan0. + +When passing a frame upwards, clear the flag. This is the Rx +equivalent of br_switchdev_frame_unmark() in br_dev_xmit(). + +Fixes: f1c2eddf4cb6 ("bridge: switchdev: Use an helper to clear forward mark") +Signed-off-by: Andrew Lunn +Reviewed-by: Ido Schimmel +Tested-by: Ido Schimmel +Acked-by: Nikolay Aleksandrov +Link: https://lore.kernel.org/r/20220518005840.771575-1-andrew@lunn.ch +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/bridge/br_input.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c +index 09b1dd8cd853..464f6a619444 100644 +--- a/net/bridge/br_input.c ++++ b/net/bridge/br_input.c +@@ -42,6 +42,13 @@ static int br_pass_frame_up(struct sk_buff *skb) + u64_stats_update_end(&brstats->syncp); + + vg = br_vlan_group_rcu(br); ++ ++ /* Reset the offload_fwd_mark because there could be a stacked ++ * bridge above, and it should not think this bridge it doing ++ * that bridge's work forwarding out its ports. ++ */ ++ br_switchdev_frame_unmark(skb); ++ + /* Bridge is just like any other port. Make sure the + * packet is allowed except in promisc modue when someone + * may be running packet capture. +-- +2.35.1 + diff --git a/queue-5.4/net-macb-increment-rx-bd-head-after-allocating-skb-a.patch b/queue-5.4/net-macb-increment-rx-bd-head-after-allocating-skb-a.patch new file mode 100644 index 00000000000..7402608a906 --- /dev/null +++ b/queue-5.4/net-macb-increment-rx-bd-head-after-allocating-skb-a.patch @@ -0,0 +1,53 @@ +From 13d433ee99d619d5c6ee57405e1e582346bad488 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 May 2022 22:49:00 +0530 +Subject: net: macb: Increment rx bd head after allocating skb and buffer + +From: Harini Katakam + +[ Upstream commit 9500acc631dbb8b73166e25700e656b11f6007b6 ] + +In gem_rx_refill rx_prepared_head is incremented at the beginning of +the while loop preparing the skb and data buffers. If the skb or data +buffer allocation fails, this BD will be unusable BDs until the head +loops back to the same BD (and obviously buffer allocation succeeds). +In the unlikely event that there's a string of allocation failures, +there will be an equal number of unusable BDs and an inconsistent RX +BD chain. Hence increment the head at the end of the while loop to be +clean. + +Fixes: 4df95131ea80 ("net/macb: change RX path for GEM") +Signed-off-by: Harini Katakam +Signed-off-by: Michal Simek +Signed-off-by: Radhey Shyam Pandey +Reviewed-by: Claudiu Beznea +Link: https://lore.kernel.org/r/20220512171900.32593-1-harini.katakam@xilinx.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cadence/macb_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c +index 002a374f197b..78219a9943a7 100644 +--- a/drivers/net/ethernet/cadence/macb_main.c ++++ b/drivers/net/ethernet/cadence/macb_main.c +@@ -927,7 +927,6 @@ static void gem_rx_refill(struct macb_queue *queue) + /* Make hw descriptor updates visible to CPU */ + rmb(); + +- queue->rx_prepared_head++; + desc = macb_rx_desc(queue, entry); + + if (!queue->rx_skbuff[entry]) { +@@ -966,6 +965,7 @@ static void gem_rx_refill(struct macb_queue *queue) + dma_wmb(); + desc->addr &= ~MACB_BIT(RX_USED); + } ++ queue->rx_prepared_head++; + } + + /* Make descriptor updates visible to hardware */ +-- +2.35.1 + diff --git a/queue-5.4/net-mlx5e-properly-block-lro-when-xdp-is-enabled.patch b/queue-5.4/net-mlx5e-properly-block-lro-when-xdp-is-enabled.patch new file mode 100644 index 00000000000..c6f8cd9c875 --- /dev/null +++ b/queue-5.4/net-mlx5e-properly-block-lro-when-xdp-is-enabled.patch @@ -0,0 +1,47 @@ +From 04208115fed9da15950053dac141246ff117d363 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Apr 2022 18:37:03 +0300 +Subject: net/mlx5e: Properly block LRO when XDP is enabled + +From: Maxim Mikityanskiy + +[ Upstream commit cf6e34c8c22fba66bd21244b95ea47e235f68974 ] + +LRO is incompatible and mutually exclusive with XDP. However, the needed +checks are only made when enabling XDP. If LRO is enabled when XDP is +already active, the command will succeed, and XDP will be skipped in the +data path, although still enabled. + +This commit fixes the bug by checking the XDP status in +mlx5e_fix_features and disabling LRO if XDP is enabled. + +Fixes: 86994156c736 ("net/mlx5e: XDP fast RX drop bpf programs support") +Signed-off-by: Maxim Mikityanskiy +Reviewed-by: Tariq Toukan +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index 2465165cbea7..73291051808f 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -3980,6 +3980,13 @@ static netdev_features_t mlx5e_fix_features(struct net_device *netdev, + } + } + ++ if (params->xdp_prog) { ++ if (features & NETIF_F_LRO) { ++ netdev_warn(netdev, "LRO is incompatible with XDP\n"); ++ features &= ~NETIF_F_LRO; ++ } ++ } ++ + if (MLX5E_GET_PFLAG(params, MLX5E_PFLAG_RX_CQE_COMPRESS)) { + features &= ~NETIF_F_RXHASH; + if (netdev->features & NETIF_F_RXHASH) +-- +2.35.1 + diff --git a/queue-5.4/net-qla3xxx-fix-a-test-in-ql_reset_work.patch b/queue-5.4/net-qla3xxx-fix-a-test-in-ql_reset_work.patch new file mode 100644 index 00000000000..673e175f497 --- /dev/null +++ b/queue-5.4/net-qla3xxx-fix-a-test-in-ql_reset_work.patch @@ -0,0 +1,48 @@ +From fb93c66ad7955eccfefa5c2c05b18fbefbd9f556 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 15 May 2022 20:07:02 +0200 +Subject: net/qla3xxx: Fix a test in ql_reset_work() + +From: Christophe JAILLET + +[ Upstream commit 5361448e45fac6fb96738df748229432a62d78b6 ] + +test_bit() tests if one bit is set or not. +Here the logic seems to check of bit QL_RESET_PER_SCSI (i.e. 4) OR bit +QL_RESET_START (i.e. 3) is set. + +In fact, it checks if bit 7 (4 | 3 = 7) is set, that is to say +QL_ADAPTER_UP. + +This looks harmless, because this bit is likely be set, and when the +ql_reset_work() delayed work is scheduled in ql3xxx_isr() (the only place +that schedule this work), QL_RESET_START or QL_RESET_PER_SCSI is set. + +This has been spotted by smatch. + +Fixes: 5a4faa873782 ("[PATCH] qla3xxx NIC driver") +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/80e73e33f390001d9c0140ffa9baddf6466a41a2.1652637337.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qla3xxx.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/qlogic/qla3xxx.c b/drivers/net/ethernet/qlogic/qla3xxx.c +index da2862d59681..5e81cd317a32 100644 +--- a/drivers/net/ethernet/qlogic/qla3xxx.c ++++ b/drivers/net/ethernet/qlogic/qla3xxx.c +@@ -3629,7 +3629,8 @@ static void ql_reset_work(struct work_struct *work) + qdev->mem_map_registers; + unsigned long hw_flags; + +- if (test_bit((QL_RESET_PER_SCSI | QL_RESET_START), &qdev->flags)) { ++ if (test_bit(QL_RESET_PER_SCSI, &qdev->flags) || ++ test_bit(QL_RESET_START, &qdev->flags)) { + clear_bit(QL_LINK_MASTER, &qdev->flags); + + /* +-- +2.35.1 + diff --git a/queue-5.4/net-sched-act_pedit-sanitize-shift-argument-before-u.patch b/queue-5.4/net-sched-act_pedit-sanitize-shift-argument-before-u.patch new file mode 100644 index 00000000000..be1cb8fccfa --- /dev/null +++ b/queue-5.4/net-sched-act_pedit-sanitize-shift-argument-before-u.patch @@ -0,0 +1,84 @@ +From 5039fb6cb6f9f77c7698e02386e189c2a021a5b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 May 2022 11:27:06 +0200 +Subject: net/sched: act_pedit: sanitize shift argument before usage + +From: Paolo Abeni + +[ Upstream commit 4d42d54a7d6aa6d29221d3fd4f2ae9503e94f011 ] + +syzbot was able to trigger an Out-of-Bound on the pedit action: + +UBSAN: shift-out-of-bounds in net/sched/act_pedit.c:238:43 +shift exponent 1400735974 is too large for 32-bit type 'unsigned int' +CPU: 0 PID: 3606 Comm: syz-executor151 Not tainted 5.18.0-rc5-syzkaller-00165-g810c2f0a3f86 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 + ubsan_epilogue+0xb/0x50 lib/ubsan.c:151 + __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x187 lib/ubsan.c:322 + tcf_pedit_init.cold+0x1a/0x1f net/sched/act_pedit.c:238 + tcf_action_init_1+0x414/0x690 net/sched/act_api.c:1367 + tcf_action_init+0x530/0x8d0 net/sched/act_api.c:1432 + tcf_action_add+0xf9/0x480 net/sched/act_api.c:1956 + tc_ctl_action+0x346/0x470 net/sched/act_api.c:2015 + rtnetlink_rcv_msg+0x413/0xb80 net/core/rtnetlink.c:5993 + netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2502 + netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] + netlink_unicast+0x543/0x7f0 net/netlink/af_netlink.c:1345 + netlink_sendmsg+0x904/0xe00 net/netlink/af_netlink.c:1921 + sock_sendmsg_nosec net/socket.c:705 [inline] + sock_sendmsg+0xcf/0x120 net/socket.c:725 + ____sys_sendmsg+0x6e2/0x800 net/socket.c:2413 + ___sys_sendmsg+0xf3/0x170 net/socket.c:2467 + __sys_sendmsg+0xe5/0x1b0 net/socket.c:2496 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae +RIP: 0033:0x7fe36e9e1b59 +Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007ffef796fe88 EFLAGS: 00000246 ORIG_RAX: 000000000000002e +RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe36e9e1b59 +RDX: 0000000000000000 RSI: 0000000020000300 RDI: 0000000000000003 +RBP: 00007fe36e9a5d00 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe36e9a5d90 +R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 + + +The 'shift' field is not validated, and any value above 31 will +trigger out-of-bounds. The issue predates the git history, but +syzbot was able to trigger it only after the commit mentioned in +the fixes tag, and this change only applies on top of such commit. + +Address the issue bounding the 'shift' value to the maximum allowed +by the relevant operator. + +Reported-and-tested-by: syzbot+8ed8fc4c57e9dcf23ca6@syzkaller.appspotmail.com +Fixes: 8b796475fd78 ("net/sched: act_pedit: really ensure the skb is writable") +Signed-off-by: Paolo Abeni +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sched/act_pedit.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/sched/act_pedit.c b/net/sched/act_pedit.c +index 305cb190e997..f095a0fb75c6 100644 +--- a/net/sched/act_pedit.c ++++ b/net/sched/act_pedit.c +@@ -231,6 +231,10 @@ static int tcf_pedit_init(struct net *net, struct nlattr *nla, + for (i = 0; i < p->tcfp_nkeys; ++i) { + u32 cur = p->tcfp_keys[i].off; + ++ /* sanitize the shift value for any later use */ ++ p->tcfp_keys[i].shift = min_t(size_t, BITS_PER_TYPE(int) - 1, ++ p->tcfp_keys[i].shift); ++ + /* The AT option can read a single byte, we can bound the actual + * value with uchar max. + */ +-- +2.35.1 + diff --git a/queue-5.4/net-stmmac-fix-missing-pci_disable_device-on-error-i.patch b/queue-5.4/net-stmmac-fix-missing-pci_disable_device-on-error-i.patch new file mode 100644 index 00000000000..61edc48ff67 --- /dev/null +++ b/queue-5.4/net-stmmac-fix-missing-pci_disable_device-on-error-i.patch @@ -0,0 +1,46 @@ +From 28446adc03ca400f3f5ac1a0e4b8b09eb73820d9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 May 2022 11:13:16 +0800 +Subject: net: stmmac: fix missing pci_disable_device() on error in + stmmac_pci_probe() + +From: Yang Yingliang + +[ Upstream commit 0807ce0b010418a191e0e4009803b2d74c3245d5 ] + +Switch to using pcim_enable_device() to avoid missing pci_disable_device(). + +Reported-by: Hulk Robot +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20220510031316.1780409-1-yangyingliang@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c +index 292045f4581f..fceb0f9e797f 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c +@@ -481,7 +481,7 @@ static int stmmac_pci_probe(struct pci_dev *pdev, + return -ENOMEM; + + /* Enable pci device */ +- ret = pci_enable_device(pdev); ++ ret = pcim_enable_device(pdev); + if (ret) { + dev_err(&pdev->dev, "%s: ERROR: failed to enable device\n", + __func__); +@@ -538,8 +538,6 @@ static void stmmac_pci_remove(struct pci_dev *pdev) + pcim_iounmap_regions(pdev, BIT(i)); + break; + } +- +- pci_disable_device(pdev); + } + + static int __maybe_unused stmmac_pci_suspend(struct device *dev) +-- +2.35.1 + diff --git a/queue-5.4/net-vmxnet3-fix-possible-null-pointer-dereference-in.patch b/queue-5.4/net-vmxnet3-fix-possible-null-pointer-dereference-in.patch new file mode 100644 index 00000000000..84720f62af4 --- /dev/null +++ b/queue-5.4/net-vmxnet3-fix-possible-null-pointer-dereference-in.patch @@ -0,0 +1,68 @@ +From 9999be05d6c55abb617332102a9803ed85875117 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 14 May 2022 13:07:11 +0800 +Subject: net: vmxnet3: fix possible NULL pointer dereference in + vmxnet3_rq_cleanup() + +From: Zixuan Fu + +[ Upstream commit edf410cb74dc612fd47ef5be319c5a0bcd6e6ccd ] + +In vmxnet3_rq_create(), when dma_alloc_coherent() fails, +vmxnet3_rq_destroy() is called. It sets rq->rx_ring[i].base to NULL. Then +vmxnet3_rq_create() returns an error to its callers mxnet3_rq_create_all() +-> vmxnet3_change_mtu(). Then vmxnet3_change_mtu() calls +vmxnet3_force_close() -> dev_close() in error handling code. And the driver +calls vmxnet3_close() -> vmxnet3_quiesce_dev() -> vmxnet3_rq_cleanup_all() +-> vmxnet3_rq_cleanup(). In vmxnet3_rq_cleanup(), +rq->rx_ring[ring_idx].base is accessed, but this variable is NULL, causing +a NULL pointer dereference. + +To fix this possible bug, an if statement is added to check whether +rq->rx_ring[0].base is NULL in vmxnet3_rq_cleanup() and exit early if so. + +The error log in our fault-injection testing is shown as follows: + +[ 65.220135] BUG: kernel NULL pointer dereference, address: 0000000000000008 +... +[ 65.222633] RIP: 0010:vmxnet3_rq_cleanup_all+0x396/0x4e0 [vmxnet3] +... +[ 65.227977] Call Trace: +... +[ 65.228262] vmxnet3_quiesce_dev+0x80f/0x8a0 [vmxnet3] +[ 65.228580] vmxnet3_close+0x2c4/0x3f0 [vmxnet3] +[ 65.228866] __dev_close_many+0x288/0x350 +[ 65.229607] dev_close_many+0xa4/0x480 +[ 65.231124] dev_close+0x138/0x230 +[ 65.231933] vmxnet3_force_close+0x1f0/0x240 [vmxnet3] +[ 65.232248] vmxnet3_change_mtu+0x75d/0x920 [vmxnet3] +... + +Fixes: d1a890fa37f27 ("net: VMware virtual Ethernet NIC driver: vmxnet3") +Reported-by: TOTE Robot +Signed-off-by: Zixuan Fu +Link: https://lore.kernel.org/r/20220514050711.2636709-1-r33s3n6@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/vmxnet3/vmxnet3_drv.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/vmxnet3/vmxnet3_drv.c b/drivers/net/vmxnet3/vmxnet3_drv.c +index b71a019e9867..609f65530b9b 100644 +--- a/drivers/net/vmxnet3/vmxnet3_drv.c ++++ b/drivers/net/vmxnet3/vmxnet3_drv.c +@@ -1586,6 +1586,10 @@ vmxnet3_rq_cleanup(struct vmxnet3_rx_queue *rq, + u32 i, ring_idx; + struct Vmxnet3_RxDesc *rxd; + ++ /* ring has already been cleaned up */ ++ if (!rq->rx_ring[0].base) ++ return; ++ + for (ring_idx = 0; ring_idx < 2; ring_idx++) { + for (i = 0; i < rq->rx_ring[ring_idx].size; i++) { + #ifdef __BIG_ENDIAN_BITFIELD +-- +2.35.1 + diff --git a/queue-5.4/net-vmxnet3-fix-possible-use-after-free-bugs-in-vmxn.patch b/queue-5.4/net-vmxnet3-fix-possible-use-after-free-bugs-in-vmxn.patch new file mode 100644 index 00000000000..35c60507c4b --- /dev/null +++ b/queue-5.4/net-vmxnet3-fix-possible-use-after-free-bugs-in-vmxn.patch @@ -0,0 +1,94 @@ +From 2fe96feae0bf25b8639f42a684fa38be20d5df41 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 14 May 2022 13:06:56 +0800 +Subject: net: vmxnet3: fix possible use-after-free bugs in + vmxnet3_rq_alloc_rx_buf() + +From: Zixuan Fu + +[ Upstream commit 9e7fef9521e73ca8afd7da9e58c14654b02dfad8 ] + +In vmxnet3_rq_alloc_rx_buf(), when dma_map_single() fails, rbi->skb is +freed immediately. Similarly, in another branch, when dma_map_page() fails, +rbi->page is also freed. In the two cases, vmxnet3_rq_alloc_rx_buf() +returns an error to its callers vmxnet3_rq_init() -> vmxnet3_rq_init_all() +-> vmxnet3_activate_dev(). Then vmxnet3_activate_dev() calls +vmxnet3_rq_cleanup_all() in error handling code, and rbi->skb or rbi->page +are freed again in vmxnet3_rq_cleanup_all(), causing use-after-free bugs. + +To fix these possible bugs, rbi->skb and rbi->page should be cleared after +they are freed. + +The error log in our fault-injection testing is shown as follows: + +[ 14.319016] BUG: KASAN: use-after-free in consume_skb+0x2f/0x150 +... +[ 14.321586] Call Trace: +... +[ 14.325357] consume_skb+0x2f/0x150 +[ 14.325671] vmxnet3_rq_cleanup_all+0x33a/0x4e0 [vmxnet3] +[ 14.326150] vmxnet3_activate_dev+0xb9d/0x2ca0 [vmxnet3] +[ 14.326616] vmxnet3_open+0x387/0x470 [vmxnet3] +... +[ 14.361675] Allocated by task 351: +... +[ 14.362688] __netdev_alloc_skb+0x1b3/0x6f0 +[ 14.362960] vmxnet3_rq_alloc_rx_buf+0x1b0/0x8d0 [vmxnet3] +[ 14.363317] vmxnet3_activate_dev+0x3e3/0x2ca0 [vmxnet3] +[ 14.363661] vmxnet3_open+0x387/0x470 [vmxnet3] +... +[ 14.367309] +[ 14.367412] Freed by task 351: +... +[ 14.368932] __dev_kfree_skb_any+0xd2/0xe0 +[ 14.369193] vmxnet3_rq_alloc_rx_buf+0x71e/0x8d0 [vmxnet3] +[ 14.369544] vmxnet3_activate_dev+0x3e3/0x2ca0 [vmxnet3] +[ 14.369883] vmxnet3_open+0x387/0x470 [vmxnet3] +[ 14.370174] __dev_open+0x28a/0x420 +[ 14.370399] __dev_change_flags+0x192/0x590 +[ 14.370667] dev_change_flags+0x7a/0x180 +[ 14.370919] do_setlink+0xb28/0x3570 +[ 14.371150] rtnl_newlink+0x1160/0x1740 +[ 14.371399] rtnetlink_rcv_msg+0x5bf/0xa50 +[ 14.371661] netlink_rcv_skb+0x1cd/0x3e0 +[ 14.371913] netlink_unicast+0x5dc/0x840 +[ 14.372169] netlink_sendmsg+0x856/0xc40 +[ 14.372420] ____sys_sendmsg+0x8a7/0x8d0 +[ 14.372673] __sys_sendmsg+0x1c2/0x270 +[ 14.372914] do_syscall_64+0x41/0x90 +[ 14.373145] entry_SYSCALL_64_after_hwframe+0x44/0xae +... + +Fixes: 5738a09d58d5a ("vmxnet3: fix checks for dma mapping errors") +Reported-by: TOTE Robot +Signed-off-by: Zixuan Fu +Link: https://lore.kernel.org/r/20220514050656.2636588-1-r33s3n6@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/vmxnet3/vmxnet3_drv.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/vmxnet3/vmxnet3_drv.c b/drivers/net/vmxnet3/vmxnet3_drv.c +index cf090f88dac0..b71a019e9867 100644 +--- a/drivers/net/vmxnet3/vmxnet3_drv.c ++++ b/drivers/net/vmxnet3/vmxnet3_drv.c +@@ -595,6 +595,7 @@ vmxnet3_rq_alloc_rx_buf(struct vmxnet3_rx_queue *rq, u32 ring_idx, + if (dma_mapping_error(&adapter->pdev->dev, + rbi->dma_addr)) { + dev_kfree_skb_any(rbi->skb); ++ rbi->skb = NULL; + rq->stats.rx_buf_alloc_failure++; + break; + } +@@ -619,6 +620,7 @@ vmxnet3_rq_alloc_rx_buf(struct vmxnet3_rx_queue *rq, u32 ring_idx, + if (dma_mapping_error(&adapter->pdev->dev, + rbi->dma_addr)) { + put_page(rbi->page); ++ rbi->page = NULL; + rq->stats.rx_buf_alloc_failure++; + break; + } +-- +2.35.1 + diff --git a/queue-5.4/nfc-nci-fix-sleep-in-atomic-context-bugs-caused-by-n.patch b/queue-5.4/nfc-nci-fix-sleep-in-atomic-context-bugs-caused-by-n.patch new file mode 100644 index 00000000000..34c719ec40c --- /dev/null +++ b/queue-5.4/nfc-nci-fix-sleep-in-atomic-context-bugs-caused-by-n.patch @@ -0,0 +1,81 @@ +From 2cd9818b71f38d40485e5af60b0c8709123e2a82 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 May 2022 09:25:30 +0800 +Subject: NFC: nci: fix sleep in atomic context bugs caused by nci_skb_alloc + +From: Duoming Zhou + +[ Upstream commit 23dd4581350d4ffa23d58976ec46408f8f4c1e16 ] + +There are sleep in atomic context bugs when the request to secure +element of st-nci is timeout. The root cause is that nci_skb_alloc +with GFP_KERNEL parameter is called in st_nci_se_wt_timeout which is +a timer handler. The call paths that could trigger bugs are shown below: + + (interrupt context 1) +st_nci_se_wt_timeout + nci_hci_send_event + nci_hci_send_data + nci_skb_alloc(..., GFP_KERNEL) //may sleep + + (interrupt context 2) +st_nci_se_wt_timeout + nci_hci_send_event + nci_hci_send_data + nci_send_data + nci_queue_tx_data_frags + nci_skb_alloc(..., GFP_KERNEL) //may sleep + +This patch changes allocation mode of nci_skb_alloc from GFP_KERNEL to +GFP_ATOMIC in order to prevent atomic context sleeping. The GFP_ATOMIC +flag makes memory allocation operation could be used in atomic context. + +Fixes: ed06aeefdac3 ("nfc: st-nci: Rename st21nfcb to st-nci") +Signed-off-by: Duoming Zhou +Reviewed-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20220517012530.75714-1-duoming@zju.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/nfc/nci/data.c | 2 +- + net/nfc/nci/hci.c | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/nfc/nci/data.c b/net/nfc/nci/data.c +index ce3382be937f..b002e18f38c8 100644 +--- a/net/nfc/nci/data.c ++++ b/net/nfc/nci/data.c +@@ -118,7 +118,7 @@ static int nci_queue_tx_data_frags(struct nci_dev *ndev, + + skb_frag = nci_skb_alloc(ndev, + (NCI_DATA_HDR_SIZE + frag_len), +- GFP_KERNEL); ++ GFP_ATOMIC); + if (skb_frag == NULL) { + rc = -ENOMEM; + goto free_exit; +diff --git a/net/nfc/nci/hci.c b/net/nfc/nci/hci.c +index 04e55ccb3383..4fe336ff2bfa 100644 +--- a/net/nfc/nci/hci.c ++++ b/net/nfc/nci/hci.c +@@ -153,7 +153,7 @@ static int nci_hci_send_data(struct nci_dev *ndev, u8 pipe, + + i = 0; + skb = nci_skb_alloc(ndev, conn_info->max_pkt_payload_len + +- NCI_DATA_HDR_SIZE, GFP_KERNEL); ++ NCI_DATA_HDR_SIZE, GFP_ATOMIC); + if (!skb) + return -ENOMEM; + +@@ -186,7 +186,7 @@ static int nci_hci_send_data(struct nci_dev *ndev, u8 pipe, + if (i < data_len) { + skb = nci_skb_alloc(ndev, + conn_info->max_pkt_payload_len + +- NCI_DATA_HDR_SIZE, GFP_KERNEL); ++ NCI_DATA_HDR_SIZE, GFP_ATOMIC); + if (!skb) + return -ENOMEM; + +-- +2.35.1 + diff --git a/queue-5.4/perf-bench-numa-address-compiler-error-on-s390.patch b/queue-5.4/perf-bench-numa-address-compiler-error-on-s390.patch new file mode 100644 index 00000000000..8d3285e0e5b --- /dev/null +++ b/queue-5.4/perf-bench-numa-address-compiler-error-on-s390.patch @@ -0,0 +1,67 @@ +From 45e0bcbad6a103618957bfa3e7c84393e83682a4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 May 2022 10:11:58 +0200 +Subject: perf bench numa: Address compiler error on s390 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Richter + +[ Upstream commit f8ac1c478424a9a14669b8cef7389b1e14e5229d ] + +The compilation on s390 results in this error: + + # make DEBUG=y bench/numa.o + ... + bench/numa.c: In function ‘__bench_numa’: + bench/numa.c:1749:81: error: ‘%d’ directive output may be truncated + writing between 1 and 11 bytes into a region of size between + 10 and 20 [-Werror=format-truncation=] + 1749 | snprintf(tname, sizeof(tname), "process%d:thread%d", p, t); + ^~ + ... + bench/numa.c:1749:64: note: directive argument in the range + [-2147483647, 2147483646] + ... + # + +The maximum length of the %d replacement is 11 characters because of the +negative sign. Therefore extend the array by two more characters. + +Output after: + + # make DEBUG=y bench/numa.o > /dev/null 2>&1; ll bench/numa.o + -rw-r--r-- 1 root root 418320 May 19 09:11 bench/numa.o + # + +Fixes: 3aff8ba0a4c9c919 ("perf bench numa: Avoid possible truncation when using snprintf()") +Suggested-by: Namhyung Kim +Signed-off-by: Thomas Richter +Cc: Heiko Carstens +Cc: Sumanth Korikkar +Cc: Sven Schnelle +Cc: Vasily Gorbik +Link: https://lore.kernel.org/r/20220520081158.2990006-1-tmricht@linux.ibm.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/bench/numa.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/bench/numa.c b/tools/perf/bench/numa.c +index 5797253b9700..69d62e57a0c3 100644 +--- a/tools/perf/bench/numa.c ++++ b/tools/perf/bench/numa.c +@@ -1630,7 +1630,7 @@ static int __bench_numa(const char *name) + "GB/sec,", "total-speed", "GB/sec total speed"); + + if (g->p.show_details >= 2) { +- char tname[14 + 2 * 10 + 1]; ++ char tname[14 + 2 * 11 + 1]; + struct thread_data *td; + for (p = 0; p < g->p.nr_proc; p++) { + for (t = 0; t < g->p.nr_threads; t++) { +-- +2.35.1 + diff --git a/queue-5.4/scsi-qla2xxx-fix-missed-dma-unmap-for-aborted-comman.patch b/queue-5.4/scsi-qla2xxx-fix-missed-dma-unmap-for-aborted-comman.patch new file mode 100644 index 00000000000..5d0481d1b6d --- /dev/null +++ b/queue-5.4/scsi-qla2xxx-fix-missed-dma-unmap-for-aborted-comman.patch @@ -0,0 +1,51 @@ +From 69dd7453c6b17f37195869548eca5d2f1d7deb4c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Apr 2022 12:42:29 +0000 +Subject: scsi: qla2xxx: Fix missed DMA unmap for aborted commands + +From: Gleb Chesnokov + +[ Upstream commit 26f9ce53817a8fd84b69a73473a7de852a24c897 ] + +Aborting commands that have already been sent to the firmware can +cause BUG in qlt_free_cmd(): BUG_ON(cmd->sg_mapped) + +For instance: + + - Command passes rdx_to_xfer state, maps sgl, sends to the firmware + + - Reset occurs, qla2xxx performs ISP error recovery, aborts the command + + - Target stack calls qlt_abort_cmd() and then qlt_free_cmd() + + - BUG_ON(cmd->sg_mapped) in qlt_free_cmd() occurs because sgl was not + unmapped + +Thus, unmap sgl in qlt_abort_cmd() for commands with the aborted flag set. + +Link: https://lore.kernel.org/r/AS8PR10MB4952D545F84B6B1DFD39EC1E9DEE9@AS8PR10MB4952.EURPRD10.PROD.OUTLOOK.COM +Reviewed-by: Himanshu Madhani +Signed-off-by: Gleb Chesnokov +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_target.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/scsi/qla2xxx/qla_target.c b/drivers/scsi/qla2xxx/qla_target.c +index df598c377161..cb97565b6a33 100644 +--- a/drivers/scsi/qla2xxx/qla_target.c ++++ b/drivers/scsi/qla2xxx/qla_target.c +@@ -3768,6 +3768,9 @@ int qlt_abort_cmd(struct qla_tgt_cmd *cmd) + + spin_lock_irqsave(&cmd->cmd_lock, flags); + if (cmd->aborted) { ++ if (cmd->sg_mapped) ++ qlt_unmap_sg(vha, cmd); ++ + spin_unlock_irqrestore(&cmd->cmd_lock, flags); + /* + * It's normal to see 2 calls in this path: +-- +2.35.1 + diff --git a/queue-5.4/selftests-add-ping-test-with-ping_group_range-tuned.patch b/queue-5.4/selftests-add-ping-test-with-ping_group_range-tuned.patch new file mode 100644 index 00000000000..ca63bf00300 --- /dev/null +++ b/queue-5.4/selftests-add-ping-test-with-ping_group_range-tuned.patch @@ -0,0 +1,67 @@ +From 4b9ab559610b3cb5b080e77f4847078eb066ea2f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 May 2022 11:07:39 +0200 +Subject: selftests: add ping test with ping_group_range tuned + +From: Nicolas Dichtel + +[ Upstream commit e71b7f1f44d3d88c677769c85ef0171caf9fc89f ] + +The 'ping' utility is able to manage two kind of sockets (raw or icmp), +depending on the sysctl ping_group_range. By default, ping_group_range is +set to '1 0', which forces ping to use an ip raw socket. + +Let's replay the ping tests by allowing 'ping' to use the ip icmp socket. +After the previous patch, ipv4 tests results are the same with both kinds +of socket. For ipv6, there are a lot a new failures (the previous patch +fixes only two cases). + +Signed-off-by: Nicolas Dichtel +Reviewed-by: David Ahern +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/fcnal-test.sh | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/tools/testing/selftests/net/fcnal-test.sh b/tools/testing/selftests/net/fcnal-test.sh +index 157822331954..d2ac09b35dcf 100755 +--- a/tools/testing/selftests/net/fcnal-test.sh ++++ b/tools/testing/selftests/net/fcnal-test.sh +@@ -757,10 +757,16 @@ ipv4_ping() + setup + set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null + ipv4_ping_novrf ++ setup ++ set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null ++ ipv4_ping_novrf + + log_subsection "With VRF" + setup "yes" + ipv4_ping_vrf ++ setup "yes" ++ set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null ++ ipv4_ping_vrf + } + + ################################################################################ +@@ -2005,10 +2011,16 @@ ipv6_ping() + log_subsection "No VRF" + setup + ipv6_ping_novrf ++ setup ++ set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null ++ ipv6_ping_novrf + + log_subsection "With VRF" + setup "yes" + ipv6_ping_vrf ++ setup "yes" ++ set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null ++ ipv6_ping_vrf + } + + ################################################################################ +-- +2.35.1 + diff --git a/queue-5.4/series b/queue-5.4/series index 64dbde6b7fa..ff634f31ad3 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -31,3 +31,28 @@ kvm-x86-mmu-update-number-of-zapped-pages-even-if-page-list-is-stable.patch crypto-qcom-rng-fix-infinite-loop-on-requests-not-multiple-of-word_sz.patch drm-dp-mst-fix-a-possible-memory-leak-in-fetch_monitor_name.patch dma-buf-fix-use-of-dma_buf_set_name_-a-b-in-userspace.patch +arm-dts-aspeed-g6-remove-fwqspid-group-in-pinctrl-dt.patch +arm-dts-aspeed-g6-fix-spi1-spi2-quad-pin-group.patch +net-macb-increment-rx-bd-head-after-allocating-skb-a.patch +net-sched-act_pedit-sanitize-shift-argument-before-u.patch +net-vmxnet3-fix-possible-use-after-free-bugs-in-vmxn.patch +net-vmxnet3-fix-possible-null-pointer-dereference-in.patch +ice-fix-possible-under-reporting-of-ethtool-tx-and-r.patch +clk-at91-generated-consider-range-when-calculating-b.patch +net-qla3xxx-fix-a-test-in-ql_reset_work.patch +nfc-nci-fix-sleep-in-atomic-context-bugs-caused-by-n.patch +net-mlx5e-properly-block-lro-when-xdp-is-enabled.patch +net-af_key-add-check-for-pfkey_broadcast-in-function.patch +arm-9196-1-spectre-bhb-enable-for-cortex-a15.patch +arm-9197-1-spectre-bhb-fix-loop8-sequence-for-thumb2.patch +igb-skip-phy-status-check-where-unavailable.patch +net-bridge-clear-offload_fwd_mark-when-passing-frame.patch +gpio-gpio-vf610-do-not-touch-other-bits-when-set-the.patch +gpio-mvebu-pwm-refuse-requests-with-inverted-polarit.patch +perf-bench-numa-address-compiler-error-on-s390.patch +scsi-qla2xxx-fix-missed-dma-unmap-for-aborted-comman.patch +mac80211-fix-rx-reordering-with-non-explicit-psmp-ac.patch +selftests-add-ping-test-with-ping_group_range-tuned.patch +ethernet-tulip-fix-missing-pci_disable_device-on-err.patch +net-stmmac-fix-missing-pci_disable_device-on-error-i.patch +net-atlantic-verify-hw_head_-lies-within-tx-buffer-r.patch