From: Greg Kroah-Hartman Date: Fri, 7 Jan 2022 13:27:18 +0000 (+0100) Subject: 5.15-stable patches X-Git-Tag: v4.4.299~29 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ec12650c7230621313f965fbbdaa13cf07569a3c;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: i40e-fix-to-not-show-opcode-msg-on-unsuccessful-vf-mac-change.patch iavf-fix-limit-of-total-number-of-queues-to-active-queues-of-vf.patch mac80211-initialize-variable-have_higher_than_11mbit.patch mac80211-mesh-embedd-mesh_paths-and-mpp_paths-into-ieee80211_if_mesh.patch netrom-fix-copying-in-user-data-in-nr_setsockopt.patch rdma-core-don-t-infoleak-grh-fields.patch rdma-uverbs-check-for-null-return-of-kmalloc_array.patch revert-net-usb-r8152-add-mac-passthrough-support-for-more-lenovo-docks.patch --- diff --git a/queue-5.15/i40e-fix-to-not-show-opcode-msg-on-unsuccessful-vf-mac-change.patch b/queue-5.15/i40e-fix-to-not-show-opcode-msg-on-unsuccessful-vf-mac-change.patch new file mode 100644 index 00000000000..0c0ac140fcb --- /dev/null +++ b/queue-5.15/i40e-fix-to-not-show-opcode-msg-on-unsuccessful-vf-mac-change.patch @@ -0,0 +1,150 @@ +From 01cbf50877e602e2376af89e4a51c30bc574c618 Mon Sep 17 00:00:00 2001 +From: Mateusz Palczewski +Date: Wed, 3 Mar 2021 11:45:33 +0000 +Subject: i40e: Fix to not show opcode msg on unsuccessful VF MAC change + +From: Mateusz Palczewski + +commit 01cbf50877e602e2376af89e4a51c30bc574c618 upstream. + +Hide i40e opcode information sent during response to VF in case when +untrusted VF tried to change MAC on the VF interface. + +This is implemented by adding an additional parameter 'hide' to the +response sent to VF function that hides the display of error +information, but forwards the error code to VF. + +Previously it was not possible to send response with some error code +to VF without displaying opcode information. + +Fixes: 5c3c48ac6bf5 ("i40e: implement virtual device interface") +Signed-off-by: Grzegorz Szczurek +Signed-off-by: Mateusz Palczewski +Reviewed-by: Paul M Stillwell Jr +Reviewed-by: Aleksandr Loktionov +Tested-by: Tony Brelinski +Signed-off-by: Tony Nguyen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 40 ++++++++++++++++----- + 1 file changed, 32 insertions(+), 8 deletions(-) + +--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c +@@ -1877,17 +1877,19 @@ sriov_configure_out: + /***********************virtual channel routines******************/ + + /** +- * i40e_vc_send_msg_to_vf ++ * i40e_vc_send_msg_to_vf_ex + * @vf: pointer to the VF info + * @v_opcode: virtual channel opcode + * @v_retval: virtual channel return value + * @msg: pointer to the msg buffer + * @msglen: msg length ++ * @is_quiet: true for not printing unsuccessful return values, false otherwise + * + * send msg to VF + **/ +-static int i40e_vc_send_msg_to_vf(struct i40e_vf *vf, u32 v_opcode, +- u32 v_retval, u8 *msg, u16 msglen) ++static int i40e_vc_send_msg_to_vf_ex(struct i40e_vf *vf, u32 v_opcode, ++ u32 v_retval, u8 *msg, u16 msglen, ++ bool is_quiet) + { + struct i40e_pf *pf; + struct i40e_hw *hw; +@@ -1903,7 +1905,7 @@ static int i40e_vc_send_msg_to_vf(struct + abs_vf_id = vf->vf_id + hw->func_caps.vf_base_id; + + /* single place to detect unsuccessful return values */ +- if (v_retval) { ++ if (v_retval && !is_quiet) { + vf->num_invalid_msgs++; + dev_info(&pf->pdev->dev, "VF %d failed opcode %d, retval: %d\n", + vf->vf_id, v_opcode, v_retval); +@@ -1934,6 +1936,23 @@ static int i40e_vc_send_msg_to_vf(struct + } + + /** ++ * i40e_vc_send_msg_to_vf ++ * @vf: pointer to the VF info ++ * @v_opcode: virtual channel opcode ++ * @v_retval: virtual channel return value ++ * @msg: pointer to the msg buffer ++ * @msglen: msg length ++ * ++ * send msg to VF ++ **/ ++static int i40e_vc_send_msg_to_vf(struct i40e_vf *vf, u32 v_opcode, ++ u32 v_retval, u8 *msg, u16 msglen) ++{ ++ return i40e_vc_send_msg_to_vf_ex(vf, v_opcode, v_retval, ++ msg, msglen, false); ++} ++ ++/** + * i40e_vc_send_resp_to_vf + * @vf: pointer to the VF info + * @opcode: operation code +@@ -2695,6 +2714,7 @@ error_param: + * i40e_check_vf_permission + * @vf: pointer to the VF info + * @al: MAC address list from virtchnl ++ * @is_quiet: set true for printing msg without opcode info, false otherwise + * + * Check that the given list of MAC addresses is allowed. Will return -EPERM + * if any address in the list is not valid. Checks the following conditions: +@@ -2709,13 +2729,15 @@ error_param: + * addresses might not be accurate. + **/ + static inline int i40e_check_vf_permission(struct i40e_vf *vf, +- struct virtchnl_ether_addr_list *al) ++ struct virtchnl_ether_addr_list *al, ++ bool *is_quiet) + { + struct i40e_pf *pf = vf->pf; + struct i40e_vsi *vsi = pf->vsi[vf->lan_vsi_idx]; + int mac2add_cnt = 0; + int i; + ++ *is_quiet = false; + for (i = 0; i < al->num_elements; i++) { + struct i40e_mac_filter *f; + u8 *addr = al->list[i].addr; +@@ -2739,6 +2761,7 @@ static inline int i40e_check_vf_permissi + !ether_addr_equal(addr, vf->default_lan_addr.addr)) { + dev_err(&pf->pdev->dev, + "VF attempting to override administratively set MAC address, bring down and up the VF interface to resume normal operation\n"); ++ *is_quiet = true; + return -EPERM; + } + +@@ -2775,6 +2798,7 @@ static int i40e_vc_add_mac_addr_msg(stru + (struct virtchnl_ether_addr_list *)msg; + struct i40e_pf *pf = vf->pf; + struct i40e_vsi *vsi = NULL; ++ bool is_quiet = false; + i40e_status ret = 0; + int i; + +@@ -2791,7 +2815,7 @@ static int i40e_vc_add_mac_addr_msg(stru + */ + spin_lock_bh(&vsi->mac_filter_hash_lock); + +- ret = i40e_check_vf_permission(vf, al); ++ ret = i40e_check_vf_permission(vf, al, &is_quiet); + if (ret) { + spin_unlock_bh(&vsi->mac_filter_hash_lock); + goto error_param; +@@ -2829,8 +2853,8 @@ static int i40e_vc_add_mac_addr_msg(stru + + error_param: + /* send the response to the VF */ +- return i40e_vc_send_resp_to_vf(vf, VIRTCHNL_OP_ADD_ETH_ADDR, +- ret); ++ return i40e_vc_send_msg_to_vf_ex(vf, VIRTCHNL_OP_ADD_ETH_ADDR, ++ ret, NULL, 0, is_quiet); + } + + /** diff --git a/queue-5.15/iavf-fix-limit-of-total-number-of-queues-to-active-queues-of-vf.patch b/queue-5.15/iavf-fix-limit-of-total-number-of-queues-to-active-queues-of-vf.patch new file mode 100644 index 00000000000..fc2ee90b05c --- /dev/null +++ b/queue-5.15/iavf-fix-limit-of-total-number-of-queues-to-active-queues-of-vf.patch @@ -0,0 +1,43 @@ +From b712941c8085e638bb92456e866ed3de4404e3d5 Mon Sep 17 00:00:00 2001 +From: Karen Sornek +Date: Wed, 1 Sep 2021 09:21:46 +0200 +Subject: iavf: Fix limit of total number of queues to active queues of VF + +From: Karen Sornek + +commit b712941c8085e638bb92456e866ed3de4404e3d5 upstream. + +In the absence of this validation, if the user requests to +configure queues more than the enabled queues, it results in +sending the requested number of queues to the kernel stack +(due to the asynchronous nature of VF response), in which +case the stack might pick a queue to transmit that is not +enabled and result in Tx hang. Fix this bug by +limiting the total number of queues allocated for VF to +active queues of VF. + +Fixes: d5b33d024496 ("i40evf: add ndo_setup_tc callback to i40evf") +Signed-off-by: Ashwin Vijayavel +Signed-off-by: Karen Sornek +Tested-by: Konrad Jankowski +Signed-off-by: Tony Nguyen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/iavf/iavf_main.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/intel/iavf/iavf_main.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c +@@ -2652,8 +2652,11 @@ static int iavf_validate_ch_config(struc + total_max_rate += tx_rate; + num_qps += mqprio_qopt->qopt.count[i]; + } +- if (num_qps > IAVF_MAX_REQ_QUEUES) ++ if (num_qps > adapter->num_active_queues) { ++ dev_err(&adapter->pdev->dev, ++ "Cannot support requested number of queues\n"); + return -EINVAL; ++ } + + ret = iavf_validate_tx_bandwidth(adapter, total_max_rate); + return ret; diff --git a/queue-5.15/mac80211-initialize-variable-have_higher_than_11mbit.patch b/queue-5.15/mac80211-initialize-variable-have_higher_than_11mbit.patch new file mode 100644 index 00000000000..ef121e589dd --- /dev/null +++ b/queue-5.15/mac80211-initialize-variable-have_higher_than_11mbit.patch @@ -0,0 +1,41 @@ +From 68a18ad71378a56858141c4449e02a30c829763e Mon Sep 17 00:00:00 2001 +From: Tom Rix +Date: Thu, 23 Dec 2021 08:28:48 -0800 +Subject: mac80211: initialize variable have_higher_than_11mbit + +From: Tom Rix + +commit 68a18ad71378a56858141c4449e02a30c829763e upstream. + +Clang static analysis reports this warnings + +mlme.c:5332:7: warning: Branch condition evaluates to a + garbage value + have_higher_than_11mbit) + ^~~~~~~~~~~~~~~~~~~~~~~ + +have_higher_than_11mbit is only set to true some of the time in +ieee80211_get_rates() but is checked all of the time. So +have_higher_than_11mbit needs to be initialized to false. + +Fixes: 5d6a1b069b7f ("mac80211: set basic rates earlier") +Signed-off-by: Tom Rix +Reviewed-by: Nick Desaulniers +Link: https://lore.kernel.org/r/20211223162848.3243702-1-trix@redhat.com +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/mlme.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -5216,7 +5216,7 @@ static int ieee80211_prep_connection(str + */ + if (new_sta) { + u32 rates = 0, basic_rates = 0; +- bool have_higher_than_11mbit; ++ bool have_higher_than_11mbit = false; + int min_rate = INT_MAX, min_rate_index = -1; + const struct cfg80211_bss_ies *ies; + int shift = ieee80211_vif_get_shift(&sdata->vif); diff --git a/queue-5.15/mac80211-mesh-embedd-mesh_paths-and-mpp_paths-into-ieee80211_if_mesh.patch b/queue-5.15/mac80211-mesh-embedd-mesh_paths-and-mpp_paths-into-ieee80211_if_mesh.patch new file mode 100644 index 00000000000..9b18aa89e52 --- /dev/null +++ b/queue-5.15/mac80211-mesh-embedd-mesh_paths-and-mpp_paths-into-ieee80211_if_mesh.patch @@ -0,0 +1,326 @@ +From 8b5cb7e41d9d77ffca036b0239177de123394a55 Mon Sep 17 00:00:00 2001 +From: Pavel Skripkin +Date: Thu, 30 Dec 2021 22:55:47 +0300 +Subject: mac80211: mesh: embedd mesh_paths and mpp_paths into ieee80211_if_mesh + +From: Pavel Skripkin + +commit 8b5cb7e41d9d77ffca036b0239177de123394a55 upstream. + +Syzbot hit NULL deref in rhashtable_free_and_destroy(). The problem was +in mesh_paths and mpp_paths being NULL. + +mesh_pathtbl_init() could fail in case of memory allocation failure, but +nobody cared, since ieee80211_mesh_init_sdata() returns void. It led to +leaving 2 pointers as NULL. Syzbot has found null deref on exit path, +but it could happen anywhere else, because code assumes these pointers are +valid. + +Since all ieee80211_*_setup_sdata functions are void and do not fail, +let's embedd mesh_paths and mpp_paths into parent struct to avoid +adding error handling on higher levels and follow the pattern of others +setup_sdata functions + +Fixes: 60854fd94573 ("mac80211: mesh: convert path table to rhashtable") +Reported-and-tested-by: syzbot+860268315ba86ea6b96b@syzkaller.appspotmail.com +Signed-off-by: Pavel Skripkin +Link: https://lore.kernel.org/r/20211230195547.23977-1-paskripkin@gmail.com +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/ieee80211_i.h | 24 ++++++++++- + net/mac80211/mesh.h | 22 ---------- + net/mac80211/mesh_pathtbl.c | 91 +++++++++++++++----------------------------- + 3 files changed, 55 insertions(+), 82 deletions(-) + +--- a/net/mac80211/ieee80211_i.h ++++ b/net/mac80211/ieee80211_i.h +@@ -648,6 +648,26 @@ struct mesh_csa_settings { + struct cfg80211_csa_settings settings; + }; + ++/** ++ * struct mesh_table ++ * ++ * @known_gates: list of known mesh gates and their mpaths by the station. The ++ * gate's mpath may or may not be resolved and active. ++ * @gates_lock: protects updates to known_gates ++ * @rhead: the rhashtable containing struct mesh_paths, keyed by dest addr ++ * @walk_head: linked list containing all mesh_path objects ++ * @walk_lock: lock protecting walk_head ++ * @entries: number of entries in the table ++ */ ++struct mesh_table { ++ struct hlist_head known_gates; ++ spinlock_t gates_lock; ++ struct rhashtable rhead; ++ struct hlist_head walk_head; ++ spinlock_t walk_lock; ++ atomic_t entries; /* Up to MAX_MESH_NEIGHBOURS */ ++}; ++ + struct ieee80211_if_mesh { + struct timer_list housekeeping_timer; + struct timer_list mesh_path_timer; +@@ -722,8 +742,8 @@ struct ieee80211_if_mesh { + /* offset from skb->data while building IE */ + int meshconf_offset; + +- struct mesh_table *mesh_paths; +- struct mesh_table *mpp_paths; /* Store paths for MPP&MAP */ ++ struct mesh_table mesh_paths; ++ struct mesh_table mpp_paths; /* Store paths for MPP&MAP */ + int mesh_paths_generation; + int mpp_paths_generation; + }; +--- a/net/mac80211/mesh.h ++++ b/net/mac80211/mesh.h +@@ -127,26 +127,6 @@ struct mesh_path { + u32 path_change_count; + }; + +-/** +- * struct mesh_table +- * +- * @known_gates: list of known mesh gates and their mpaths by the station. The +- * gate's mpath may or may not be resolved and active. +- * @gates_lock: protects updates to known_gates +- * @rhead: the rhashtable containing struct mesh_paths, keyed by dest addr +- * @walk_head: linked list containing all mesh_path objects +- * @walk_lock: lock protecting walk_head +- * @entries: number of entries in the table +- */ +-struct mesh_table { +- struct hlist_head known_gates; +- spinlock_t gates_lock; +- struct rhashtable rhead; +- struct hlist_head walk_head; +- spinlock_t walk_lock; +- atomic_t entries; /* Up to MAX_MESH_NEIGHBOURS */ +-}; +- + /* Recent multicast cache */ + /* RMC_BUCKETS must be a power of 2, maximum 256 */ + #define RMC_BUCKETS 256 +@@ -308,7 +288,7 @@ int mesh_path_error_tx(struct ieee80211_ + void mesh_path_assign_nexthop(struct mesh_path *mpath, struct sta_info *sta); + void mesh_path_flush_pending(struct mesh_path *mpath); + void mesh_path_tx_pending(struct mesh_path *mpath); +-int mesh_pathtbl_init(struct ieee80211_sub_if_data *sdata); ++void mesh_pathtbl_init(struct ieee80211_sub_if_data *sdata); + void mesh_pathtbl_unregister(struct ieee80211_sub_if_data *sdata); + int mesh_path_del(struct ieee80211_sub_if_data *sdata, const u8 *addr); + void mesh_path_timer(struct timer_list *t); +--- a/net/mac80211/mesh_pathtbl.c ++++ b/net/mac80211/mesh_pathtbl.c +@@ -47,32 +47,24 @@ static void mesh_path_rht_free(void *ptr + mesh_path_free_rcu(tbl, mpath); + } + +-static struct mesh_table *mesh_table_alloc(void) ++static void mesh_table_init(struct mesh_table *tbl) + { +- struct mesh_table *newtbl; +- +- newtbl = kmalloc(sizeof(struct mesh_table), GFP_ATOMIC); +- if (!newtbl) +- return NULL; +- +- INIT_HLIST_HEAD(&newtbl->known_gates); +- INIT_HLIST_HEAD(&newtbl->walk_head); +- atomic_set(&newtbl->entries, 0); +- spin_lock_init(&newtbl->gates_lock); +- spin_lock_init(&newtbl->walk_lock); +- if (rhashtable_init(&newtbl->rhead, &mesh_rht_params)) { +- kfree(newtbl); +- return NULL; +- } +- +- return newtbl; ++ INIT_HLIST_HEAD(&tbl->known_gates); ++ INIT_HLIST_HEAD(&tbl->walk_head); ++ atomic_set(&tbl->entries, 0); ++ spin_lock_init(&tbl->gates_lock); ++ spin_lock_init(&tbl->walk_lock); ++ ++ /* rhashtable_init() may fail only in case of wrong ++ * mesh_rht_params ++ */ ++ WARN_ON(rhashtable_init(&tbl->rhead, &mesh_rht_params)); + } + + static void mesh_table_free(struct mesh_table *tbl) + { + rhashtable_free_and_destroy(&tbl->rhead, + mesh_path_rht_free, tbl); +- kfree(tbl); + } + + /** +@@ -238,13 +230,13 @@ static struct mesh_path *mpath_lookup(st + struct mesh_path * + mesh_path_lookup(struct ieee80211_sub_if_data *sdata, const u8 *dst) + { +- return mpath_lookup(sdata->u.mesh.mesh_paths, dst, sdata); ++ return mpath_lookup(&sdata->u.mesh.mesh_paths, dst, sdata); + } + + struct mesh_path * + mpp_path_lookup(struct ieee80211_sub_if_data *sdata, const u8 *dst) + { +- return mpath_lookup(sdata->u.mesh.mpp_paths, dst, sdata); ++ return mpath_lookup(&sdata->u.mesh.mpp_paths, dst, sdata); + } + + static struct mesh_path * +@@ -281,7 +273,7 @@ __mesh_path_lookup_by_idx(struct mesh_ta + struct mesh_path * + mesh_path_lookup_by_idx(struct ieee80211_sub_if_data *sdata, int idx) + { +- return __mesh_path_lookup_by_idx(sdata->u.mesh.mesh_paths, idx); ++ return __mesh_path_lookup_by_idx(&sdata->u.mesh.mesh_paths, idx); + } + + /** +@@ -296,7 +288,7 @@ mesh_path_lookup_by_idx(struct ieee80211 + struct mesh_path * + mpp_path_lookup_by_idx(struct ieee80211_sub_if_data *sdata, int idx) + { +- return __mesh_path_lookup_by_idx(sdata->u.mesh.mpp_paths, idx); ++ return __mesh_path_lookup_by_idx(&sdata->u.mesh.mpp_paths, idx); + } + + /** +@@ -309,7 +301,7 @@ int mesh_path_add_gate(struct mesh_path + int err; + + rcu_read_lock(); +- tbl = mpath->sdata->u.mesh.mesh_paths; ++ tbl = &mpath->sdata->u.mesh.mesh_paths; + + spin_lock_bh(&mpath->state_lock); + if (mpath->is_gate) { +@@ -418,7 +410,7 @@ struct mesh_path *mesh_path_add(struct i + if (!new_mpath) + return ERR_PTR(-ENOMEM); + +- tbl = sdata->u.mesh.mesh_paths; ++ tbl = &sdata->u.mesh.mesh_paths; + spin_lock_bh(&tbl->walk_lock); + mpath = rhashtable_lookup_get_insert_fast(&tbl->rhead, + &new_mpath->rhash, +@@ -460,7 +452,7 @@ int mpp_path_add(struct ieee80211_sub_if + return -ENOMEM; + + memcpy(new_mpath->mpp, mpp, ETH_ALEN); +- tbl = sdata->u.mesh.mpp_paths; ++ tbl = &sdata->u.mesh.mpp_paths; + + spin_lock_bh(&tbl->walk_lock); + ret = rhashtable_lookup_insert_fast(&tbl->rhead, +@@ -489,7 +481,7 @@ int mpp_path_add(struct ieee80211_sub_if + void mesh_plink_broken(struct sta_info *sta) + { + struct ieee80211_sub_if_data *sdata = sta->sdata; +- struct mesh_table *tbl = sdata->u.mesh.mesh_paths; ++ struct mesh_table *tbl = &sdata->u.mesh.mesh_paths; + static const u8 bcast[ETH_ALEN] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff}; + struct mesh_path *mpath; + +@@ -548,7 +540,7 @@ static void __mesh_path_del(struct mesh_ + void mesh_path_flush_by_nexthop(struct sta_info *sta) + { + struct ieee80211_sub_if_data *sdata = sta->sdata; +- struct mesh_table *tbl = sdata->u.mesh.mesh_paths; ++ struct mesh_table *tbl = &sdata->u.mesh.mesh_paths; + struct mesh_path *mpath; + struct hlist_node *n; + +@@ -563,7 +555,7 @@ void mesh_path_flush_by_nexthop(struct s + static void mpp_flush_by_proxy(struct ieee80211_sub_if_data *sdata, + const u8 *proxy) + { +- struct mesh_table *tbl = sdata->u.mesh.mpp_paths; ++ struct mesh_table *tbl = &sdata->u.mesh.mpp_paths; + struct mesh_path *mpath; + struct hlist_node *n; + +@@ -597,8 +589,8 @@ static void table_flush_by_iface(struct + */ + void mesh_path_flush_by_iface(struct ieee80211_sub_if_data *sdata) + { +- table_flush_by_iface(sdata->u.mesh.mesh_paths); +- table_flush_by_iface(sdata->u.mesh.mpp_paths); ++ table_flush_by_iface(&sdata->u.mesh.mesh_paths); ++ table_flush_by_iface(&sdata->u.mesh.mpp_paths); + } + + /** +@@ -644,7 +636,7 @@ int mesh_path_del(struct ieee80211_sub_i + /* flush relevant mpp entries first */ + mpp_flush_by_proxy(sdata, addr); + +- err = table_path_del(sdata->u.mesh.mesh_paths, sdata, addr); ++ err = table_path_del(&sdata->u.mesh.mesh_paths, sdata, addr); + sdata->u.mesh.mesh_paths_generation++; + return err; + } +@@ -682,7 +674,7 @@ int mesh_path_send_to_gates(struct mesh_ + struct mesh_path *gate; + bool copy = false; + +- tbl = sdata->u.mesh.mesh_paths; ++ tbl = &sdata->u.mesh.mesh_paths; + + rcu_read_lock(); + hlist_for_each_entry_rcu(gate, &tbl->known_gates, gate_list) { +@@ -762,29 +754,10 @@ void mesh_path_fix_nexthop(struct mesh_p + mesh_path_tx_pending(mpath); + } + +-int mesh_pathtbl_init(struct ieee80211_sub_if_data *sdata) ++void mesh_pathtbl_init(struct ieee80211_sub_if_data *sdata) + { +- struct mesh_table *tbl_path, *tbl_mpp; +- int ret; +- +- tbl_path = mesh_table_alloc(); +- if (!tbl_path) +- return -ENOMEM; +- +- tbl_mpp = mesh_table_alloc(); +- if (!tbl_mpp) { +- ret = -ENOMEM; +- goto free_path; +- } +- +- sdata->u.mesh.mesh_paths = tbl_path; +- sdata->u.mesh.mpp_paths = tbl_mpp; +- +- return 0; +- +-free_path: +- mesh_table_free(tbl_path); +- return ret; ++ mesh_table_init(&sdata->u.mesh.mesh_paths); ++ mesh_table_init(&sdata->u.mesh.mpp_paths); + } + + static +@@ -806,12 +779,12 @@ void mesh_path_tbl_expire(struct ieee802 + + void mesh_path_expire(struct ieee80211_sub_if_data *sdata) + { +- mesh_path_tbl_expire(sdata, sdata->u.mesh.mesh_paths); +- mesh_path_tbl_expire(sdata, sdata->u.mesh.mpp_paths); ++ mesh_path_tbl_expire(sdata, &sdata->u.mesh.mesh_paths); ++ mesh_path_tbl_expire(sdata, &sdata->u.mesh.mpp_paths); + } + + void mesh_pathtbl_unregister(struct ieee80211_sub_if_data *sdata) + { +- mesh_table_free(sdata->u.mesh.mesh_paths); +- mesh_table_free(sdata->u.mesh.mpp_paths); ++ mesh_table_free(&sdata->u.mesh.mesh_paths); ++ mesh_table_free(&sdata->u.mesh.mpp_paths); + } diff --git a/queue-5.15/netrom-fix-copying-in-user-data-in-nr_setsockopt.patch b/queue-5.15/netrom-fix-copying-in-user-data-in-nr_setsockopt.patch new file mode 100644 index 00000000000..a081320c5ee --- /dev/null +++ b/queue-5.15/netrom-fix-copying-in-user-data-in-nr_setsockopt.patch @@ -0,0 +1,32 @@ +From 3087a6f36ee028ec095c04a8531d7d33899b7fed Mon Sep 17 00:00:00 2001 +From: Christoph Hellwig +Date: Tue, 4 Jan 2022 10:21:26 +0100 +Subject: netrom: fix copying in user data in nr_setsockopt + +From: Christoph Hellwig + +commit 3087a6f36ee028ec095c04a8531d7d33899b7fed upstream. + +This code used to copy in an unsigned long worth of data before +the sockptr_t conversion, so restore that. + +Fixes: a7b75c5a8c41 ("net: pass a sockptr_t into ->setsockopt") +Reported-by: Dan Carpenter +Signed-off-by: Christoph Hellwig +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/netrom/af_netrom.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/netrom/af_netrom.c ++++ b/net/netrom/af_netrom.c +@@ -306,7 +306,7 @@ static int nr_setsockopt(struct socket * + if (optlen < sizeof(unsigned int)) + return -EINVAL; + +- if (copy_from_sockptr(&opt, optval, sizeof(unsigned int))) ++ if (copy_from_sockptr(&opt, optval, sizeof(unsigned long))) + return -EFAULT; + + switch (optname) { diff --git a/queue-5.15/rdma-core-don-t-infoleak-grh-fields.patch b/queue-5.15/rdma-core-don-t-infoleak-grh-fields.patch new file mode 100644 index 00000000000..4492fb60b21 --- /dev/null +++ b/queue-5.15/rdma-core-don-t-infoleak-grh-fields.patch @@ -0,0 +1,64 @@ +From b35a0f4dd544eaa6162b6d2f13a2557a121ae5fd Mon Sep 17 00:00:00 2001 +From: Leon Romanovsky +Date: Tue, 4 Jan 2022 14:21:52 +0200 +Subject: RDMA/core: Don't infoleak GRH fields + +From: Leon Romanovsky + +commit b35a0f4dd544eaa6162b6d2f13a2557a121ae5fd upstream. + +If dst->is_global field is not set, the GRH fields are not cleared +and the following infoleak is reported. + +===================================================== +BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:121 [inline] +BUG: KMSAN: kernel-infoleak in _copy_to_user+0x1c9/0x270 lib/usercopy.c:33 + instrument_copy_to_user include/linux/instrumented.h:121 [inline] + _copy_to_user+0x1c9/0x270 lib/usercopy.c:33 + copy_to_user include/linux/uaccess.h:209 [inline] + ucma_init_qp_attr+0x8c7/0xb10 drivers/infiniband/core/ucma.c:1242 + ucma_write+0x637/0x6c0 drivers/infiniband/core/ucma.c:1732 + vfs_write+0x8ce/0x2030 fs/read_write.c:588 + ksys_write+0x28b/0x510 fs/read_write.c:643 + __do_sys_write fs/read_write.c:655 [inline] + __se_sys_write fs/read_write.c:652 [inline] + __ia32_sys_write+0xdb/0x120 fs/read_write.c:652 + do_syscall_32_irqs_on arch/x86/entry/common.c:114 [inline] + __do_fast_syscall_32+0x96/0xf0 arch/x86/entry/common.c:180 + do_fast_syscall_32+0x34/0x70 arch/x86/entry/common.c:205 + do_SYSENTER_32+0x1b/0x20 arch/x86/entry/common.c:248 + entry_SYSENTER_compat_after_hwframe+0x4d/0x5c + +Local variable resp created at: + ucma_init_qp_attr+0xa4/0xb10 drivers/infiniband/core/ucma.c:1214 + ucma_write+0x637/0x6c0 drivers/infiniband/core/ucma.c:1732 + +Bytes 40-59 of 144 are uninitialized +Memory access of size 144 starts at ffff888167523b00 +Data copied to user address 0000000020000100 + +CPU: 1 PID: 25910 Comm: syz-executor.1 Not tainted 5.16.0-rc5-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +===================================================== + +Fixes: 4ba66093bdc6 ("IB/core: Check for global flag when using ah_attr") +Link: https://lore.kernel.org/r/0e9dd51f93410b7b2f4f5562f52befc878b71afa.1641298868.git.leonro@nvidia.com +Reported-by: syzbot+6d532fa8f9463da290bc@syzkaller.appspotmail.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/core/uverbs_marshall.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/infiniband/core/uverbs_marshall.c ++++ b/drivers/infiniband/core/uverbs_marshall.c +@@ -66,7 +66,7 @@ void ib_copy_ah_attr_to_user(struct ib_d + struct rdma_ah_attr *src = ah_attr; + struct rdma_ah_attr conv_ah; + +- memset(&dst->grh.reserved, 0, sizeof(dst->grh.reserved)); ++ memset(&dst->grh, 0, sizeof(dst->grh)); + + if ((ah_attr->type == RDMA_AH_ATTR_TYPE_OPA) && + (rdma_ah_get_dlid(ah_attr) > be16_to_cpu(IB_LID_PERMISSIVE)) && diff --git a/queue-5.15/rdma-uverbs-check-for-null-return-of-kmalloc_array.patch b/queue-5.15/rdma-uverbs-check-for-null-return-of-kmalloc_array.patch new file mode 100644 index 00000000000..8d134b04bed --- /dev/null +++ b/queue-5.15/rdma-uverbs-check-for-null-return-of-kmalloc_array.patch @@ -0,0 +1,35 @@ +From 7694a7de22c53a312ea98960fcafc6ec62046531 Mon Sep 17 00:00:00 2001 +From: Jiasheng Jiang +Date: Fri, 31 Dec 2021 17:33:15 +0800 +Subject: RDMA/uverbs: Check for null return of kmalloc_array + +From: Jiasheng Jiang + +commit 7694a7de22c53a312ea98960fcafc6ec62046531 upstream. + +Because of the possible failure of the allocation, data might be NULL +pointer and will cause the dereference of the NULL pointer later. +Therefore, it might be better to check it and return -ENOMEM. + +Fixes: 6884c6c4bd09 ("RDMA/verbs: Store the write/write_ex uapi entry points in the uverbs_api") +Link: https://lore.kernel.org/r/20211231093315.1917667-1-jiasheng@iscas.ac.cn +Signed-off-by: Jiasheng Jiang +Reviewed-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/core/uverbs_uapi.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/infiniband/core/uverbs_uapi.c ++++ b/drivers/infiniband/core/uverbs_uapi.c +@@ -447,6 +447,9 @@ static int uapi_finalize(struct uverbs_a + uapi->num_write_ex = max_write_ex + 1; + data = kmalloc_array(uapi->num_write + uapi->num_write_ex, + sizeof(*uapi->write_methods), GFP_KERNEL); ++ if (!data) ++ return -ENOMEM; ++ + for (i = 0; i != uapi->num_write + uapi->num_write_ex; i++) + data[i] = &uapi->notsupp_method; + uapi->write_methods = data; diff --git a/queue-5.15/revert-net-usb-r8152-add-mac-passthrough-support-for-more-lenovo-docks.patch b/queue-5.15/revert-net-usb-r8152-add-mac-passthrough-support-for-more-lenovo-docks.patch new file mode 100644 index 00000000000..6a9ee710048 --- /dev/null +++ b/queue-5.15/revert-net-usb-r8152-add-mac-passthrough-support-for-more-lenovo-docks.patch @@ -0,0 +1,41 @@ +From 00fcf8c7dd564c44448ff6a39728d2ca0c8efbd8 Mon Sep 17 00:00:00 2001 +From: Aaron Ma +Date: Wed, 5 Jan 2022 23:51:02 +0800 +Subject: Revert "net: usb: r8152: Add MAC passthrough support for more Lenovo Docks" + +From: Aaron Ma + +commit 00fcf8c7dd564c44448ff6a39728d2ca0c8efbd8 upstream. + +This reverts commit f77b83b5bbab53d2be339184838b19ed2c62c0a5. + +This change breaks multiple usb to ethernet dongles attached on Lenovo +USB hub. + +Fixes: f77b83b5bbab ("net: usb: r8152: Add MAC passthrough support for more Lenovo Docks") +Signed-off-by: Aaron Ma +Link: https://lore.kernel.org/r/20220105155102.8557-1-aaron.ma@canonical.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/r8152.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/net/usb/r8152.c ++++ b/drivers/net/usb/r8152.c +@@ -9638,9 +9638,12 @@ static int rtl8152_probe(struct usb_inte + netdev->hw_features &= ~NETIF_F_RXCSUM; + } + +- if (udev->parent && +- le16_to_cpu(udev->parent->descriptor.idVendor) == VENDOR_ID_LENOVO) { +- tp->lenovo_macpassthru = 1; ++ if (le16_to_cpu(udev->descriptor.idVendor) == VENDOR_ID_LENOVO) { ++ switch (le16_to_cpu(udev->descriptor.idProduct)) { ++ case DEVICE_ID_THINKPAD_THUNDERBOLT3_DOCK_GEN2: ++ case DEVICE_ID_THINKPAD_USB_C_DOCK_GEN2: ++ tp->lenovo_macpassthru = 1; ++ } + } + + if (le16_to_cpu(udev->descriptor.bcdDevice) == 0x3011 && udev->serial && diff --git a/queue-5.15/series b/queue-5.15/series index 2b84a064da9..74f96d40ae8 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -4,3 +4,11 @@ tracing-fix-check-for-trace_percpu_buffer-validity-in-get_trace_buf.patch tracing-tag-trace_percpu_buffer-as-a-percpu-pointer.patch revert-rdma-mlx5-fix-releasing-unallocated-memory-in-dereg-mr-flow.patch ieee802154-atusb-fix-uninit-value-in-atusb_set_extended_addr.patch +i40e-fix-to-not-show-opcode-msg-on-unsuccessful-vf-mac-change.patch +iavf-fix-limit-of-total-number-of-queues-to-active-queues-of-vf.patch +rdma-core-don-t-infoleak-grh-fields.patch +revert-net-usb-r8152-add-mac-passthrough-support-for-more-lenovo-docks.patch +netrom-fix-copying-in-user-data-in-nr_setsockopt.patch +rdma-uverbs-check-for-null-return-of-kmalloc_array.patch +mac80211-initialize-variable-have_higher_than_11mbit.patch +mac80211-mesh-embedd-mesh_paths-and-mpp_paths-into-ieee80211_if_mesh.patch