From: Sasha Levin Date: Mon, 12 Oct 2020 02:46:07 +0000 (-0400) Subject: Fixes for 5.4 X-Git-Tag: v4.4.239~21 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f40bba84e21d1164c354ceda1de054a06dc30178;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/bonding-set-dev-needed_headroom-in-bond_setup_by_sla.patch b/queue-5.4/bonding-set-dev-needed_headroom-in-bond_setup_by_sla.patch new file mode 100644 index 00000000000..9f68d62d993 --- /dev/null +++ b/queue-5.4/bonding-set-dev-needed_headroom-in-bond_setup_by_sla.patch @@ -0,0 +1,71 @@ +From d0344cab11a2b5ee82ae6737d064f0c12a8d22af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Sep 2020 06:38:07 -0700 +Subject: bonding: set dev->needed_headroom in bond_setup_by_slave() + +From: Eric Dumazet + +[ Upstream commit f32f19339596b214c208c0dba716f4b6cc4f6958 ] + +syzbot managed to crash a host by creating a bond +with a GRE device. + +For non Ethernet device, bonding calls bond_setup_by_slave() +instead of ether_setup(), and unfortunately dev->needed_headroom +was not copied from the new added member. + +[ 171.243095] skbuff: skb_under_panic: text:ffffffffa184b9ea len:116 put:20 head:ffff883f84012dc0 data:ffff883f84012dbc tail:0x70 end:0xd00 dev:bond0 +[ 171.243111] ------------[ cut here ]------------ +[ 171.243112] kernel BUG at net/core/skbuff.c:112! +[ 171.243117] invalid opcode: 0000 [#1] SMP KASAN PTI +[ 171.243469] gsmi: Log Shutdown Reason 0x03 +[ 171.243505] Call Trace: +[ 171.243506] +[ 171.243512] [] skb_push+0x49/0x50 +[ 171.243516] [] ipgre_header+0x2a/0xf0 +[ 171.243520] [] neigh_connected_output+0xb7/0x100 +[ 171.243524] [] ip6_finish_output2+0x383/0x490 +[ 171.243528] [] __ip6_finish_output+0xa2/0x110 +[ 171.243531] [] ip6_finish_output+0x2c/0xa0 +[ 171.243534] [] ip6_output+0x69/0x110 +[ 171.243537] [] ? ip6_output+0x110/0x110 +[ 171.243541] [] mld_sendpack+0x1b2/0x2d0 +[ 171.243544] [] ? mld_send_report+0xf0/0xf0 +[ 171.243548] [] mld_ifc_timer_expire+0x2d7/0x3b0 +[ 171.243551] [] ? mld_gq_timer_expire+0x50/0x50 +[ 171.243556] [] call_timer_fn+0x30/0x130 +[ 171.243559] [] expire_timers+0x4c/0x110 +[ 171.243563] [] __run_timers+0x213/0x260 +[ 171.243566] [] ? ktime_get+0x3d/0xa0 +[ 171.243570] [] ? clockevents_program_event+0x7e/0xe0 +[ 171.243574] [] ? sched_clock_cpu+0x15/0x190 +[ 171.243577] [] run_timer_softirq+0x1d/0x40 +[ 171.243581] [] __do_softirq+0x152/0x2f0 +[ 171.243585] [] irq_exit+0x9f/0xb0 +[ 171.243588] [] smp_apic_timer_interrupt+0xfd/0x1a0 +[ 171.243591] [] apic_timer_interrupt+0x86/0x90 + +Fixes: f5184d267c1a ("net: Allow netdevices to specify needed head/tailroom") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 0d7a173f8e61c..6862c2ef24424 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -1148,6 +1148,7 @@ static void bond_setup_by_slave(struct net_device *bond_dev, + + bond_dev->type = slave_dev->type; + bond_dev->hard_header_len = slave_dev->hard_header_len; ++ bond_dev->needed_headroom = slave_dev->needed_headroom; + bond_dev->addr_len = slave_dev->addr_len; + + memcpy(bond_dev->broadcast, slave_dev->broadcast, +-- +2.25.1 + diff --git a/queue-5.4/iavf-fix-incorrect-adapter-get-in-iavf_resume.patch b/queue-5.4/iavf-fix-incorrect-adapter-get-in-iavf_resume.patch new file mode 100644 index 00000000000..eb487955dcf --- /dev/null +++ b/queue-5.4/iavf-fix-incorrect-adapter-get-in-iavf_resume.patch @@ -0,0 +1,42 @@ +From cc3a81f9e8cf3715aee1a9417fff87d8a0c1623d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Sep 2020 12:54:59 +0000 +Subject: iavf: Fix incorrect adapter get in iavf_resume + +From: Sylwester Dziedziuch + +[ Upstream commit 75598a8fc0e0dff2aa5d46c62531b36a595f1d4f ] + +When calling iavf_resume there was a crash because wrong +function was used to get iavf_adapter and net_device pointers. +Changed how iavf_resume is getting iavf_adapter and net_device +pointers from pci_dev. + +Fixes: 5eae00c57f5e ("i40evf: main driver core") +Signed-off-by: Sylwester Dziedziuch +Reviewed-by: Aleksandr Loktionov +Tested-by: Aaron Brown +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf_main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c +index bcb95b2ea792f..cd95d6af8fc1b 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_main.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c +@@ -3813,8 +3813,8 @@ static int __maybe_unused iavf_suspend(struct device *dev_d) + static int __maybe_unused iavf_resume(struct device *dev_d) + { + struct pci_dev *pdev = to_pci_dev(dev_d); +- struct iavf_adapter *adapter = pci_get_drvdata(pdev); +- struct net_device *netdev = adapter->netdev; ++ struct net_device *netdev = pci_get_drvdata(pdev); ++ struct iavf_adapter *adapter = netdev_priv(netdev); + u32 err; + + pci_set_master(pdev); +-- +2.25.1 + diff --git a/queue-5.4/iavf-use-generic-power-management.patch b/queue-5.4/iavf-use-generic-power-management.patch new file mode 100644 index 00000000000..934f988df67 --- /dev/null +++ b/queue-5.4/iavf-use-generic-power-management.patch @@ -0,0 +1,130 @@ +From 7063761771cfe18d4fa83817475f2e62904c29f7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Jun 2020 14:59:39 +0530 +Subject: iavf: use generic power management + +From: Vaibhav Gupta + +[ Upstream commit bc5cbd73eb493944b8665dc517f684c40eb18a4a ] + +With the support of generic PM callbacks, drivers no longer need to use +legacy .suspend() and .resume() in which they had to maintain PCI states +changes and device's power state themselves. The required operations are +done by PCI core. + +PCI drivers are not expected to invoke PCI helper functions like +pci_save/restore_state(), pci_enable/disable_device(), +pci_set_power_state(), etc. Their tasks are completed by PCI core itself. + +Compile-tested only. + +Signed-off-by: Vaibhav Gupta +Tested-by: Andrew Bowers +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf_main.c | 45 ++++++--------------- + 1 file changed, 12 insertions(+), 33 deletions(-) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c +index 222ae76809aa1..bcb95b2ea792f 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_main.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c +@@ -3773,7 +3773,6 @@ err_dma: + return err; + } + +-#ifdef CONFIG_PM + /** + * iavf_suspend - Power management suspend routine + * @pdev: PCI device information struct +@@ -3781,11 +3780,10 @@ err_dma: + * + * Called when the system (VM) is entering sleep/suspend. + **/ +-static int iavf_suspend(struct pci_dev *pdev, pm_message_t state) ++static int __maybe_unused iavf_suspend(struct device *dev_d) + { +- struct net_device *netdev = pci_get_drvdata(pdev); ++ struct net_device *netdev = dev_get_drvdata(dev_d); + struct iavf_adapter *adapter = netdev_priv(netdev); +- int retval = 0; + + netif_device_detach(netdev); + +@@ -3803,12 +3801,6 @@ static int iavf_suspend(struct pci_dev *pdev, pm_message_t state) + + clear_bit(__IAVF_IN_CRITICAL_TASK, &adapter->crit_section); + +- retval = pci_save_state(pdev); +- if (retval) +- return retval; +- +- pci_disable_device(pdev); +- + return 0; + } + +@@ -3818,24 +3810,13 @@ static int iavf_suspend(struct pci_dev *pdev, pm_message_t state) + * + * Called when the system (VM) is resumed from sleep/suspend. + **/ +-static int iavf_resume(struct pci_dev *pdev) ++static int __maybe_unused iavf_resume(struct device *dev_d) + { ++ struct pci_dev *pdev = to_pci_dev(dev_d); + struct iavf_adapter *adapter = pci_get_drvdata(pdev); + struct net_device *netdev = adapter->netdev; + u32 err; + +- pci_set_power_state(pdev, PCI_D0); +- pci_restore_state(pdev); +- /* pci_restore_state clears dev->state_saved so call +- * pci_save_state to restore it. +- */ +- pci_save_state(pdev); +- +- err = pci_enable_device_mem(pdev); +- if (err) { +- dev_err(&pdev->dev, "Cannot enable PCI device from suspend.\n"); +- return err; +- } + pci_set_master(pdev); + + rtnl_lock(); +@@ -3859,7 +3840,6 @@ static int iavf_resume(struct pci_dev *pdev) + return err; + } + +-#endif /* CONFIG_PM */ + /** + * iavf_remove - Device Removal Routine + * @pdev: PCI device information struct +@@ -3961,16 +3941,15 @@ static void iavf_remove(struct pci_dev *pdev) + pci_disable_device(pdev); + } + ++static SIMPLE_DEV_PM_OPS(iavf_pm_ops, iavf_suspend, iavf_resume); ++ + static struct pci_driver iavf_driver = { +- .name = iavf_driver_name, +- .id_table = iavf_pci_tbl, +- .probe = iavf_probe, +- .remove = iavf_remove, +-#ifdef CONFIG_PM +- .suspend = iavf_suspend, +- .resume = iavf_resume, +-#endif +- .shutdown = iavf_shutdown, ++ .name = iavf_driver_name, ++ .id_table = iavf_pci_tbl, ++ .probe = iavf_probe, ++ .remove = iavf_remove, ++ .driver.pm = &iavf_pm_ops, ++ .shutdown = iavf_shutdown, + }; + + /** +-- +2.25.1 + diff --git a/queue-5.4/mdio-fix-mdio-thunder.c-dependency-build-error.patch b/queue-5.4/mdio-fix-mdio-thunder.c-dependency-build-error.patch new file mode 100644 index 00000000000..029c7cd4ec3 --- /dev/null +++ b/queue-5.4/mdio-fix-mdio-thunder.c-dependency-build-error.patch @@ -0,0 +1,45 @@ +From d902934e24c4ed4d307e242274e822215266d866 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 26 Sep 2020 21:33:43 -0700 +Subject: mdio: fix mdio-thunder.c dependency & build error + +From: Randy Dunlap + +[ Upstream commit 7dbbcf496f2a4b6d82cfc7810a0746e160b79762 ] + +Fix build error by selecting MDIO_DEVRES for MDIO_THUNDER. +Fixes this build error: + +ld: drivers/net/phy/mdio-thunder.o: in function `thunder_mdiobus_pci_probe': +drivers/net/phy/mdio-thunder.c:78: undefined reference to `devm_mdiobus_alloc_size' + +Fixes: 379d7ac7ca31 ("phy: mdio-thunder: Add driver for Cavium Thunder SoC MDIO buses.") +Reported-by: kernel test robot +Signed-off-by: Randy Dunlap +Cc: Bartosz Golaszewski +Cc: Andrew Lunn +Cc: Heiner Kallweit +Cc: netdev@vger.kernel.org +Cc: David Daney +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/phy/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/phy/Kconfig b/drivers/net/phy/Kconfig +index fe602648b99f5..dcf2051ef2c04 100644 +--- a/drivers/net/phy/Kconfig ++++ b/drivers/net/phy/Kconfig +@@ -193,6 +193,7 @@ config MDIO_THUNDER + depends on 64BIT + depends on PCI + select MDIO_CAVIUM ++ select MDIO_DEVRES + help + This driver supports the MDIO interfaces found on Cavium + ThunderX SoCs when the MDIO bus device appears as a PCI +-- +2.25.1 + diff --git a/queue-5.4/mlxsw-spectrum_acl-fix-mlxsw_sp_acl_tcam_group_add-s.patch b/queue-5.4/mlxsw-spectrum_acl-fix-mlxsw_sp_acl_tcam_group_add-s.patch new file mode 100644 index 00000000000..6d0397eaceb --- /dev/null +++ b/queue-5.4/mlxsw-spectrum_acl-fix-mlxsw_sp_acl_tcam_group_add-s.patch @@ -0,0 +1,47 @@ +From 5340445dddba8017547c048acd4da032ff270ddb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 27 Sep 2020 09:42:11 +0300 +Subject: mlxsw: spectrum_acl: Fix mlxsw_sp_acl_tcam_group_add()'s error path + +From: Ido Schimmel + +[ Upstream commit 72865028582a678be1e05240e55d452e5c258eca ] + +If mlxsw_sp_acl_tcam_group_id_get() fails, the mutex initialized earlier +is not destroyed. + +Fix this by initializing the mutex after calling the function. This is +symmetric to mlxsw_sp_acl_tcam_group_del(). + +Fixes: 5ec2ee28d27b ("mlxsw: spectrum_acl: Introduce a mutex to guard region list updates") +Signed-off-by: Ido Schimmel +Reviewed-by: Jiri Pirko +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c +index 295b27112d367..ec0d5a4a60a98 100644 +--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c +@@ -290,13 +290,14 @@ mlxsw_sp_acl_tcam_group_add(struct mlxsw_sp_acl_tcam *tcam, + int err; + + group->tcam = tcam; +- mutex_init(&group->lock); + INIT_LIST_HEAD(&group->region_list); + + err = mlxsw_sp_acl_tcam_group_id_get(tcam, &group->id); + if (err) + return err; + ++ mutex_init(&group->lock); ++ + return 0; + } + +-- +2.25.1 + diff --git a/queue-5.4/mmc-core-don-t-set-limits.discard_granularity-as-0.patch b/queue-5.4/mmc-core-don-t-set-limits.discard_granularity-as-0.patch new file mode 100644 index 00000000000..d23d2357f82 --- /dev/null +++ b/queue-5.4/mmc-core-don-t-set-limits.discard_granularity-as-0.patch @@ -0,0 +1,70 @@ +From b639a8e20348dd68435035d6fff9c7bdc6d424bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Oct 2020 09:38:52 +0800 +Subject: mmc: core: don't set limits.discard_granularity as 0 + +From: Coly Li + +[ Upstream commit 4243219141b67d7c2fdb2d8073c17c539b9263eb ] + +In mmc_queue_setup_discard() the mmc driver queue's discard_granularity +might be set as 0 (when card->pref_erase > max_discard) while the mmc +device still declares to support discard operation. This is buggy and +triggered the following kernel warning message, + +WARNING: CPU: 0 PID: 135 at __blkdev_issue_discard+0x200/0x294 +CPU: 0 PID: 135 Comm: f2fs_discard-17 Not tainted 5.9.0-rc6 #1 +Hardware name: Google Kevin (DT) +pstate: 00000005 (nzcv daif -PAN -UAO BTYPE=--) +pc : __blkdev_issue_discard+0x200/0x294 +lr : __blkdev_issue_discard+0x54/0x294 +sp : ffff800011dd3b10 +x29: ffff800011dd3b10 x28: 0000000000000000 x27: ffff800011dd3cc4 x26: ffff800011dd3e18 x25: 000000000004e69b x24: 0000000000000c40 x23: ffff0000f1deaaf0 x22: ffff0000f2849200 x21: 00000000002734d8 x20: 0000000000000008 x19: 0000000000000000 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 0000000000000394 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: 00000000000008b0 x9 : ffff800011dd3cb0 x8 : 000000000004e69b x7 : 0000000000000000 x6 : ffff0000f1926400 x5 : ffff0000f1940800 x4 : 0000000000000000 x3 : 0000000000000c40 x2 : 0000000000000008 x1 : 00000000002734d8 x0 : 0000000000000000 Call trace: +__blkdev_issue_discard+0x200/0x294 +__submit_discard_cmd+0x128/0x374 +__issue_discard_cmd_orderly+0x188/0x244 +__issue_discard_cmd+0x2e8/0x33c +issue_discard_thread+0xe8/0x2f0 +kthread+0x11c/0x120 +ret_from_fork+0x10/0x1c +---[ end trace e4c8023d33dfe77a ]--- + +This patch fixes the issue by setting discard_granularity as SECTOR_SIZE +instead of 0 when (card->pref_erase > max_discard) is true. Now no more +complain from __blkdev_issue_discard() for the improper value of discard +granularity. + +This issue is exposed after commit b35fd7422c2f ("block: check queue's +limits.discard_granularity in __blkdev_issue_discard()"), a "Fixes:" tag +is also added for the commit to make sure people won't miss this patch +after applying the change of __blkdev_issue_discard(). + +Fixes: e056a1b5b67b ("mmc: queue: let host controllers specify maximum discard timeout") +Fixes: b35fd7422c2f ("block: check queue's limits.discard_granularity in __blkdev_issue_discard()"). +Reported-and-tested-by: Vicente Bergas +Signed-off-by: Coly Li +Acked-by: Adrian Hunter +Cc: Ulf Hansson +Link: https://lore.kernel.org/r/20201002013852.51968-1-colyli@suse.de +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/core/queue.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mmc/core/queue.c b/drivers/mmc/core/queue.c +index 9c0ccb3744c28..81b8d5ede484e 100644 +--- a/drivers/mmc/core/queue.c ++++ b/drivers/mmc/core/queue.c +@@ -184,7 +184,7 @@ static void mmc_queue_setup_discard(struct request_queue *q, + q->limits.discard_granularity = card->pref_erase << 9; + /* granularity must not be greater than max. discard */ + if (card->pref_erase > max_discard) +- q->limits.discard_granularity = 0; ++ q->limits.discard_granularity = SECTOR_SIZE; + if (mmc_can_secure_erase_trim(card)) + blk_queue_flag_set(QUEUE_FLAG_SECERASE, q); + } +-- +2.25.1 + diff --git a/queue-5.4/net-ethernet-cavium-octeon_mgmt-use-phy_start-and-ph.patch b/queue-5.4/net-ethernet-cavium-octeon_mgmt-use-phy_start-and-ph.patch new file mode 100644 index 00000000000..25d50cd401e --- /dev/null +++ b/queue-5.4/net-ethernet-cavium-octeon_mgmt-use-phy_start-and-ph.patch @@ -0,0 +1,54 @@ +From cd1098b34cadf6c739fd24c88e18cb95e7a6838d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Sep 2020 15:44:39 +0300 +Subject: net: ethernet: cavium: octeon_mgmt: use phy_start and phy_stop + +From: Ivan Khoronzhuk + +[ Upstream commit 4663ff60257aec4ee1e2e969a7c046f0aff35ab8 ] + +To start also "phy state machine", with UP state as it should be, +the phy_start() has to be used, in another case machine even is not +triggered. After this change negotiation is supposed to be triggered +by SM workqueue. + +It's not correct usage, but it appears after the following patch, +so add it as a fix. + +Fixes: 74a992b3598a ("net: phy: add phy_check_link_status") +Signed-off-by: Ivan Khoronzhuk +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cavium/octeon/octeon_mgmt.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/cavium/octeon/octeon_mgmt.c b/drivers/net/ethernet/cavium/octeon/octeon_mgmt.c +index d375e438d8054..4fa9d485e2096 100644 +--- a/drivers/net/ethernet/cavium/octeon/octeon_mgmt.c ++++ b/drivers/net/ethernet/cavium/octeon/octeon_mgmt.c +@@ -1222,7 +1222,7 @@ static int octeon_mgmt_open(struct net_device *netdev) + */ + if (netdev->phydev) { + netif_carrier_off(netdev); +- phy_start_aneg(netdev->phydev); ++ phy_start(netdev->phydev); + } + + netif_wake_queue(netdev); +@@ -1250,8 +1250,10 @@ static int octeon_mgmt_stop(struct net_device *netdev) + napi_disable(&p->napi); + netif_stop_queue(netdev); + +- if (netdev->phydev) ++ if (netdev->phydev) { ++ phy_stop(netdev->phydev); + phy_disconnect(netdev->phydev); ++ } + + netif_carrier_off(netdev); + +-- +2.25.1 + diff --git a/queue-5.4/net-mlx5-avoid-possible-free-of-command-entry-while-.patch b/queue-5.4/net-mlx5-avoid-possible-free-of-command-entry-while-.patch new file mode 100644 index 00000000000..40c410a13a2 --- /dev/null +++ b/queue-5.4/net-mlx5-avoid-possible-free-of-command-entry-while-.patch @@ -0,0 +1,337 @@ +From a6d6ca10c490986fad330be9cdd4bf6910463137 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Aug 2020 10:40:21 +0300 +Subject: net/mlx5: Avoid possible free of command entry while timeout comp + handler + +From: Eran Ben Elisha + +[ Upstream commit 50b2412b7e7862c5af0cbf4b10d93bc5c712d021 ] + +Upon command completion timeout, driver simulates a forced command +completion. In a rare case where real interrupt for that command arrives +simultaneously, it might release the command entry while the forced +handler might still access it. + +Fix that by adding an entry refcount, to track current amount of allowed +handlers. Command entry to be released only when this refcount is +decremented to zero. + +Command refcount is always initialized to one. For callback commands, +command completion handler is the symmetric flow to decrement it. For +non-callback commands, it is wait_func(). + +Before ringing the doorbell, increment the refcount for the real completion +handler. Once the real completion handler is called, it will decrement it. + +For callback commands, once the delayed work is scheduled, increment the +refcount. Upon callback command completion handler, we will try to cancel +the timeout callback. In case of success, we need to decrement the callback +refcount as it will never run. + +In addition, gather the entry index free and the entry free into a one +flow for all command types release. + +Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters") +Signed-off-by: Eran Ben Elisha +Reviewed-by: Moshe Shemesh +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 109 ++++++++++++------ + include/linux/mlx5/driver.h | 2 + + 2 files changed, 73 insertions(+), 38 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +index b6a3370068f1c..7089ffcc4e512 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +@@ -69,12 +69,10 @@ enum { + MLX5_CMD_DELIVERY_STAT_CMD_DESCR_ERR = 0x10, + }; + +-static struct mlx5_cmd_work_ent *alloc_cmd(struct mlx5_cmd *cmd, +- struct mlx5_cmd_msg *in, +- struct mlx5_cmd_msg *out, +- void *uout, int uout_size, +- mlx5_cmd_cbk_t cbk, +- void *context, int page_queue) ++static struct mlx5_cmd_work_ent * ++cmd_alloc_ent(struct mlx5_cmd *cmd, struct mlx5_cmd_msg *in, ++ struct mlx5_cmd_msg *out, void *uout, int uout_size, ++ mlx5_cmd_cbk_t cbk, void *context, int page_queue) + { + gfp_t alloc_flags = cbk ? GFP_ATOMIC : GFP_KERNEL; + struct mlx5_cmd_work_ent *ent; +@@ -83,6 +81,7 @@ static struct mlx5_cmd_work_ent *alloc_cmd(struct mlx5_cmd *cmd, + if (!ent) + return ERR_PTR(-ENOMEM); + ++ ent->idx = -EINVAL; + ent->in = in; + ent->out = out; + ent->uout = uout; +@@ -91,10 +90,16 @@ static struct mlx5_cmd_work_ent *alloc_cmd(struct mlx5_cmd *cmd, + ent->context = context; + ent->cmd = cmd; + ent->page_queue = page_queue; ++ refcount_set(&ent->refcnt, 1); + + return ent; + } + ++static void cmd_free_ent(struct mlx5_cmd_work_ent *ent) ++{ ++ kfree(ent); ++} ++ + static u8 alloc_token(struct mlx5_cmd *cmd) + { + u8 token; +@@ -109,7 +114,7 @@ static u8 alloc_token(struct mlx5_cmd *cmd) + return token; + } + +-static int alloc_ent(struct mlx5_cmd *cmd) ++static int cmd_alloc_index(struct mlx5_cmd *cmd) + { + unsigned long flags; + int ret; +@@ -123,7 +128,7 @@ static int alloc_ent(struct mlx5_cmd *cmd) + return ret < cmd->max_reg_cmds ? ret : -ENOMEM; + } + +-static void free_ent(struct mlx5_cmd *cmd, int idx) ++static void cmd_free_index(struct mlx5_cmd *cmd, int idx) + { + unsigned long flags; + +@@ -132,6 +137,22 @@ static void free_ent(struct mlx5_cmd *cmd, int idx) + spin_unlock_irqrestore(&cmd->alloc_lock, flags); + } + ++static void cmd_ent_get(struct mlx5_cmd_work_ent *ent) ++{ ++ refcount_inc(&ent->refcnt); ++} ++ ++static void cmd_ent_put(struct mlx5_cmd_work_ent *ent) ++{ ++ if (!refcount_dec_and_test(&ent->refcnt)) ++ return; ++ ++ if (ent->idx >= 0) ++ cmd_free_index(ent->cmd, ent->idx); ++ ++ cmd_free_ent(ent); ++} ++ + static struct mlx5_cmd_layout *get_inst(struct mlx5_cmd *cmd, int idx) + { + return cmd->cmd_buf + (idx << cmd->log_stride); +@@ -219,11 +240,6 @@ static void poll_timeout(struct mlx5_cmd_work_ent *ent) + ent->ret = -ETIMEDOUT; + } + +-static void free_cmd(struct mlx5_cmd_work_ent *ent) +-{ +- kfree(ent); +-} +- + static int verify_signature(struct mlx5_cmd_work_ent *ent) + { + struct mlx5_cmd_mailbox *next = ent->out->next; +@@ -842,6 +858,7 @@ static void cb_timeout_handler(struct work_struct *work) + mlx5_command_str(msg_to_opcode(ent->in)), + msg_to_opcode(ent->in)); + mlx5_cmd_comp_handler(dev, 1UL << ent->idx, true); ++ cmd_ent_put(ent); /* for the cmd_ent_get() took on schedule delayed work */ + } + + static void free_msg(struct mlx5_core_dev *dev, struct mlx5_cmd_msg *msg); +@@ -865,14 +882,14 @@ static void cmd_work_handler(struct work_struct *work) + sem = ent->page_queue ? &cmd->pages_sem : &cmd->sem; + down(sem); + if (!ent->page_queue) { +- alloc_ret = alloc_ent(cmd); ++ alloc_ret = cmd_alloc_index(cmd); + if (alloc_ret < 0) { + mlx5_core_err(dev, "failed to allocate command entry\n"); + if (ent->callback) { + ent->callback(-EAGAIN, ent->context); + mlx5_free_cmd_msg(dev, ent->out); + free_msg(dev, ent->in); +- free_cmd(ent); ++ cmd_ent_put(ent); + } else { + ent->ret = -EAGAIN; + complete(&ent->done); +@@ -908,8 +925,8 @@ static void cmd_work_handler(struct work_struct *work) + ent->ts1 = ktime_get_ns(); + cmd_mode = cmd->mode; + +- if (ent->callback) +- schedule_delayed_work(&ent->cb_timeout_work, cb_timeout); ++ if (ent->callback && schedule_delayed_work(&ent->cb_timeout_work, cb_timeout)) ++ cmd_ent_get(ent); + set_bit(MLX5_CMD_ENT_STATE_PENDING_COMP, &ent->state); + + /* Skip sending command to fw if internal error */ +@@ -923,13 +940,10 @@ static void cmd_work_handler(struct work_struct *work) + MLX5_SET(mbox_out, ent->out, syndrome, drv_synd); + + mlx5_cmd_comp_handler(dev, 1UL << ent->idx, true); +- /* no doorbell, no need to keep the entry */ +- free_ent(cmd, ent->idx); +- if (ent->callback) +- free_cmd(ent); + return; + } + ++ cmd_ent_get(ent); /* for the _real_ FW event on completion */ + /* ring doorbell after the descriptor is valid */ + mlx5_core_dbg(dev, "writing 0x%x to command doorbell\n", 1 << ent->idx); + wmb(); +@@ -1029,11 +1043,16 @@ static int mlx5_cmd_invoke(struct mlx5_core_dev *dev, struct mlx5_cmd_msg *in, + if (callback && page_queue) + return -EINVAL; + +- ent = alloc_cmd(cmd, in, out, uout, uout_size, callback, context, +- page_queue); ++ ent = cmd_alloc_ent(cmd, in, out, uout, uout_size, ++ callback, context, page_queue); + if (IS_ERR(ent)) + return PTR_ERR(ent); + ++ /* put for this ent is when consumed, depending on the use case ++ * 1) (!callback) blocking flow: by caller after wait_func completes ++ * 2) (callback) flow: by mlx5_cmd_comp_handler() when ent is handled ++ */ ++ + ent->token = token; + ent->polling = force_polling; + +@@ -1052,12 +1071,10 @@ static int mlx5_cmd_invoke(struct mlx5_core_dev *dev, struct mlx5_cmd_msg *in, + } + + if (callback) +- goto out; ++ goto out; /* mlx5_cmd_comp_handler() will put(ent) */ + + err = wait_func(dev, ent); +- if (err == -ETIMEDOUT) +- goto out; +- if (err == -ECANCELED) ++ if (err == -ETIMEDOUT || err == -ECANCELED) + goto out_free; + + ds = ent->ts2 - ent->ts1; +@@ -1075,7 +1092,7 @@ static int mlx5_cmd_invoke(struct mlx5_core_dev *dev, struct mlx5_cmd_msg *in, + *status = ent->status; + + out_free: +- free_cmd(ent); ++ cmd_ent_put(ent); + out: + return err; + } +@@ -1490,14 +1507,19 @@ static void mlx5_cmd_comp_handler(struct mlx5_core_dev *dev, u64 vec, bool force + if (!forced) { + mlx5_core_err(dev, "Command completion arrived after timeout (entry idx = %d).\n", + ent->idx); +- free_ent(cmd, ent->idx); +- free_cmd(ent); ++ cmd_ent_put(ent); + } + continue; + } + +- if (ent->callback) +- cancel_delayed_work(&ent->cb_timeout_work); ++ if (ent->callback && cancel_delayed_work(&ent->cb_timeout_work)) ++ cmd_ent_put(ent); /* timeout work was canceled */ ++ ++ if (!forced || /* Real FW completion */ ++ pci_channel_offline(dev->pdev) || /* FW is inaccessible */ ++ dev->state == MLX5_DEVICE_STATE_INTERNAL_ERROR) ++ cmd_ent_put(ent); ++ + if (ent->page_queue) + sem = &cmd->pages_sem; + else +@@ -1519,10 +1541,6 @@ static void mlx5_cmd_comp_handler(struct mlx5_core_dev *dev, u64 vec, bool force + ent->ret, deliv_status_to_str(ent->status), ent->status); + } + +- /* only real completion will free the entry slot */ +- if (!forced) +- free_ent(cmd, ent->idx); +- + if (ent->callback) { + ds = ent->ts2 - ent->ts1; + if (ent->op < ARRAY_SIZE(cmd->stats)) { +@@ -1550,10 +1568,13 @@ static void mlx5_cmd_comp_handler(struct mlx5_core_dev *dev, u64 vec, bool force + free_msg(dev, ent->in); + + err = err ? err : ent->status; +- if (!forced) +- free_cmd(ent); ++ /* final consumer is done, release ent */ ++ cmd_ent_put(ent); + callback(err, context); + } else { ++ /* release wait_func() so mlx5_cmd_invoke() ++ * can make the final ent_put() ++ */ + complete(&ent->done); + } + up(sem); +@@ -1563,8 +1584,11 @@ static void mlx5_cmd_comp_handler(struct mlx5_core_dev *dev, u64 vec, bool force + + void mlx5_cmd_trigger_completions(struct mlx5_core_dev *dev) + { ++ struct mlx5_cmd *cmd = &dev->cmd; ++ unsigned long bitmask; + unsigned long flags; + u64 vector; ++ int i; + + /* wait for pending handlers to complete */ + mlx5_eq_synchronize_cmd_irq(dev); +@@ -1573,11 +1597,20 @@ void mlx5_cmd_trigger_completions(struct mlx5_core_dev *dev) + if (!vector) + goto no_trig; + ++ bitmask = vector; ++ /* we must increment the allocated entries refcount before triggering the completions ++ * to guarantee pending commands will not get freed in the meanwhile. ++ * For that reason, it also has to be done inside the alloc_lock. ++ */ ++ for_each_set_bit(i, &bitmask, (1 << cmd->log_sz)) ++ cmd_ent_get(cmd->ent_arr[i]); + vector |= MLX5_TRIGGERED_CMD_COMP; + spin_unlock_irqrestore(&dev->cmd.alloc_lock, flags); + + mlx5_core_dbg(dev, "vector 0x%llx\n", vector); + mlx5_cmd_comp_handler(dev, vector, true); ++ for_each_set_bit(i, &bitmask, (1 << cmd->log_sz)) ++ cmd_ent_put(cmd->ent_arr[i]); + return; + + no_trig: +diff --git a/include/linux/mlx5/driver.h b/include/linux/mlx5/driver.h +index 897829651204b..6b4f86dfca382 100644 +--- a/include/linux/mlx5/driver.h ++++ b/include/linux/mlx5/driver.h +@@ -769,6 +769,8 @@ struct mlx5_cmd_work_ent { + u64 ts2; + u16 op; + bool polling; ++ /* Track the max comp handlers */ ++ refcount_t refcnt; + }; + + struct mlx5_pas { +-- +2.25.1 + diff --git a/queue-5.4/net-mlx5-fix-request_irqs-error-flow.patch b/queue-5.4/net-mlx5-fix-request_irqs-error-flow.patch new file mode 100644 index 00000000000..36c90fad3a1 --- /dev/null +++ b/queue-5.4/net-mlx5-fix-request_irqs-error-flow.patch @@ -0,0 +1,80 @@ +From 6fe832bede36e40431d79c0ba29ae8712b76b88e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Aug 2020 21:37:31 +0300 +Subject: net/mlx5: Fix request_irqs error flow + +From: Maor Gottlieb + +[ Upstream commit 732ebfab7fe96b7ac9a3df3208f14752a4bb6db3 ] + +Fix error flow handling in request_irqs which try to free irq +that we failed to request. +It fixes the below trace. + +WARNING: CPU: 1 PID: 7587 at kernel/irq/manage.c:1684 free_irq+0x4d/0x60 +CPU: 1 PID: 7587 Comm: bash Tainted: G W OE 4.15.15-1.el7MELLANOXsmp-x86_64 #1 +Hardware name: Advantech SKY-6200/SKY-6200, BIOS F2.00 08/06/2020 +RIP: 0010:free_irq+0x4d/0x60 +RSP: 0018:ffffc9000ef47af0 EFLAGS: 00010282 +RAX: ffff88001476ae00 RBX: 0000000000000655 RCX: 0000000000000000 +RDX: ffff88001476ae00 RSI: ffffc9000ef47ab8 RDI: ffff8800398bb478 +RBP: ffff88001476a838 R08: ffff88001476ae00 R09: 000000000000156d +R10: 0000000000000000 R11: 0000000000000004 R12: ffff88001476a838 +R13: 0000000000000006 R14: ffff88001476a888 R15: 00000000ffffffe4 +FS: 00007efeadd32740(0000) GS:ffff88047fc40000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007fc9cc010008 CR3: 00000001a2380004 CR4: 00000000007606e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +PKRU: 55555554 +Call Trace: + mlx5_irq_table_create+0x38d/0x400 [mlx5_core] + ? atomic_notifier_chain_register+0x50/0x60 + mlx5_load_one+0x7ee/0x1130 [mlx5_core] + init_one+0x4c9/0x650 [mlx5_core] + pci_device_probe+0xb8/0x120 + driver_probe_device+0x2a1/0x470 + ? driver_allows_async_probing+0x30/0x30 + bus_for_each_drv+0x54/0x80 + __device_attach+0xa3/0x100 + pci_bus_add_device+0x4a/0x90 + pci_iov_add_virtfn+0x2dc/0x2f0 + pci_enable_sriov+0x32e/0x420 + mlx5_core_sriov_configure+0x61/0x1b0 [mlx5_core] + ? kstrtoll+0x22/0x70 + num_vf_store+0x4b/0x70 [mlx5_core] + kernfs_fop_write+0x102/0x180 + __vfs_write+0x26/0x140 + ? rcu_all_qs+0x5/0x80 + ? _cond_resched+0x15/0x30 + ? __sb_start_write+0x41/0x80 + vfs_write+0xad/0x1a0 + SyS_write+0x42/0x90 + do_syscall_64+0x60/0x110 + entry_SYSCALL_64_after_hwframe+0x3d/0xa2 + +Fixes: 24163189da48 ("net/mlx5: Separate IRQ request/free from EQ life cycle") +Signed-off-by: Maor Gottlieb +Reviewed-by: Eran Ben Elisha +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/pci_irq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/pci_irq.c b/drivers/net/ethernet/mellanox/mlx5/core/pci_irq.c +index 373981a659c7c..6fd9749203944 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/pci_irq.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/pci_irq.c +@@ -115,7 +115,7 @@ static int request_irqs(struct mlx5_core_dev *dev, int nvec) + return 0; + + err_request_irq: +- for (; i >= 0; i--) { ++ while (i--) { + struct mlx5_irq *irq = mlx5_irq_get(dev, i); + int irqn = pci_irq_vector(dev->pdev, i); + +-- +2.25.1 + diff --git a/queue-5.4/net-mlx5e-add-resiliency-in-striding-rq-mode-for-pac.patch b/queue-5.4/net-mlx5e-add-resiliency-in-striding-rq-mode-for-pac.patch new file mode 100644 index 00000000000..3a55946e9c7 --- /dev/null +++ b/queue-5.4/net-mlx5e-add-resiliency-in-striding-rq-mode-for-pac.patch @@ -0,0 +1,199 @@ +From 18cc0f9662d871b469c0e7ea6605bb62ec2097fd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Jul 2020 16:53:18 +0300 +Subject: net/mlx5e: Add resiliency in Striding RQ mode for packets larger than + MTU + +From: Aya Levin + +[ Upstream commit c3c9402373fe20e2d08c04f437ce4dcd252cffb2 ] + +Prior to this fix, in Striding RQ mode the driver was vulnerable when +receiving packets in the range (stride size - headroom, stride size]. +Where stride size is calculated by mtu+headroom+tailroom aligned to the +closest power of 2. +Usually, this filtering is performed by the HW, except for a few cases: +- Between 2 VFs over the same PF with different MTUs +- On bluefield, when the host physical function sets a larger MTU than + the ARM has configured on its representor and uplink representor. + +When the HW filtering is not present, packets that are larger than MTU +might be harmful for the RQ's integrity, in the following impacts: +1) Overflow from one WQE to the next, causing a memory corruption that +in most cases is unharmful: as the write happens to the headroom of next +packet, which will be overwritten by build_skb(). In very rare cases, +high stress/load, this is harmful. When the next WQE is not yet reposted +and points to existing SKB head. +2) Each oversize packet overflows to the headroom of the next WQE. On +the last WQE of the WQ, where addresses wrap-around, the address of the +remainder headroom does not belong to the next WQE, but it is out of the +memory region range. This results in a HW CQE error that moves the RQ +into an error state. + +Solution: +Add a page buffer at the end of each WQE to absorb the leak. Actually +the maximal overflow size is headroom but since all memory units must be +of the same size, we use page size to comply with UMR WQEs. The increase +in memory consumption is of a single page per RQ. Initialize the mkey +with all MTTs pointing to a default page. When the channels are +activated, UMR WQEs will redirect the RX WQEs to the actual memory from +the RQ's pool, while the overflow MTTs remain mapped to the default page. + +Fixes: 73281b78a37a ("net/mlx5e: Derive Striding RQ size from MTU") +Signed-off-by: Aya Levin +Reviewed-by: Tariq Toukan +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en.h | 8 ++- + .../net/ethernet/mellanox/mlx5/core/en_main.c | 55 +++++++++++++++++-- + 2 files changed, 58 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en.h b/drivers/net/ethernet/mellanox/mlx5/core/en.h +index 98304c42e4952..b5c8afe8cd10d 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en.h +@@ -92,7 +92,12 @@ struct page_pool; + #define MLX5_MPWRQ_PAGES_PER_WQE BIT(MLX5_MPWRQ_WQE_PAGE_ORDER) + + #define MLX5_MTT_OCTW(npages) (ALIGN(npages, 8) / 2) +-#define MLX5E_REQUIRED_WQE_MTTS (ALIGN(MLX5_MPWRQ_PAGES_PER_WQE, 8)) ++/* Add another page to MLX5E_REQUIRED_WQE_MTTS as a buffer between ++ * WQEs, This page will absorb write overflow by the hardware, when ++ * receiving packets larger than MTU. These oversize packets are ++ * dropped by the driver at a later stage. ++ */ ++#define MLX5E_REQUIRED_WQE_MTTS (ALIGN(MLX5_MPWRQ_PAGES_PER_WQE + 1, 8)) + #define MLX5E_LOG_ALIGNED_MPWQE_PPW (ilog2(MLX5E_REQUIRED_WQE_MTTS)) + #define MLX5E_REQUIRED_MTTS(wqes) (wqes * MLX5E_REQUIRED_WQE_MTTS) + #define MLX5E_MAX_RQ_NUM_MTTS \ +@@ -694,6 +699,7 @@ struct mlx5e_rq { + u32 rqn; + struct mlx5_core_dev *mdev; + struct mlx5_core_mkey umr_mkey; ++ struct mlx5e_dma_info wqe_overflow; + + /* XDP read-mostly */ + struct xdp_rxq_info xdp_rxq; +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index ee0d78f801af5..fc710648d2ef3 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -266,12 +266,17 @@ static int mlx5e_rq_alloc_mpwqe_info(struct mlx5e_rq *rq, + + static int mlx5e_create_umr_mkey(struct mlx5_core_dev *mdev, + u64 npages, u8 page_shift, +- struct mlx5_core_mkey *umr_mkey) ++ struct mlx5_core_mkey *umr_mkey, ++ dma_addr_t filler_addr) + { +- int inlen = MLX5_ST_SZ_BYTES(create_mkey_in); ++ struct mlx5_mtt *mtt; ++ int inlen; + void *mkc; + u32 *in; + int err; ++ int i; ++ ++ inlen = MLX5_ST_SZ_BYTES(create_mkey_in) + sizeof(*mtt) * npages; + + in = kvzalloc(inlen, GFP_KERNEL); + if (!in) +@@ -291,6 +296,18 @@ static int mlx5e_create_umr_mkey(struct mlx5_core_dev *mdev, + MLX5_SET(mkc, mkc, translations_octword_size, + MLX5_MTT_OCTW(npages)); + MLX5_SET(mkc, mkc, log_page_size, page_shift); ++ MLX5_SET(create_mkey_in, in, translations_octword_actual_size, ++ MLX5_MTT_OCTW(npages)); ++ ++ /* Initialize the mkey with all MTTs pointing to a default ++ * page (filler_addr). When the channels are activated, UMR ++ * WQEs will redirect the RX WQEs to the actual memory from ++ * the RQ's pool, while the gaps (wqe_overflow) remain mapped ++ * to the default page. ++ */ ++ mtt = MLX5_ADDR_OF(create_mkey_in, in, klm_pas_mtt); ++ for (i = 0 ; i < npages ; i++) ++ mtt[i].ptag = cpu_to_be64(filler_addr); + + err = mlx5_core_create_mkey(mdev, umr_mkey, in, inlen); + +@@ -302,7 +319,8 @@ static int mlx5e_create_rq_umr_mkey(struct mlx5_core_dev *mdev, struct mlx5e_rq + { + u64 num_mtts = MLX5E_REQUIRED_MTTS(mlx5_wq_ll_get_size(&rq->mpwqe.wq)); + +- return mlx5e_create_umr_mkey(mdev, num_mtts, PAGE_SHIFT, &rq->umr_mkey); ++ return mlx5e_create_umr_mkey(mdev, num_mtts, PAGE_SHIFT, &rq->umr_mkey, ++ rq->wqe_overflow.addr); + } + + static inline u64 mlx5e_get_mpwqe_offset(struct mlx5e_rq *rq, u16 wqe_ix) +@@ -370,6 +388,28 @@ static void mlx5e_rq_err_cqe_work(struct work_struct *recover_work) + mlx5e_reporter_rq_cqe_err(rq); + } + ++static int mlx5e_alloc_mpwqe_rq_drop_page(struct mlx5e_rq *rq) ++{ ++ rq->wqe_overflow.page = alloc_page(GFP_KERNEL); ++ if (!rq->wqe_overflow.page) ++ return -ENOMEM; ++ ++ rq->wqe_overflow.addr = dma_map_page(rq->pdev, rq->wqe_overflow.page, 0, ++ PAGE_SIZE, rq->buff.map_dir); ++ if (dma_mapping_error(rq->pdev, rq->wqe_overflow.addr)) { ++ __free_page(rq->wqe_overflow.page); ++ return -ENOMEM; ++ } ++ return 0; ++} ++ ++static void mlx5e_free_mpwqe_rq_drop_page(struct mlx5e_rq *rq) ++{ ++ dma_unmap_page(rq->pdev, rq->wqe_overflow.addr, PAGE_SIZE, ++ rq->buff.map_dir); ++ __free_page(rq->wqe_overflow.page); ++} ++ + static int mlx5e_alloc_rq(struct mlx5e_channel *c, + struct mlx5e_params *params, + struct mlx5e_xsk_param *xsk, +@@ -434,6 +474,10 @@ static int mlx5e_alloc_rq(struct mlx5e_channel *c, + if (err) + goto err_rq_wq_destroy; + ++ err = mlx5e_alloc_mpwqe_rq_drop_page(rq); ++ if (err) ++ goto err_rq_wq_destroy; ++ + rq->mpwqe.wq.db = &rq->mpwqe.wq.db[MLX5_RCV_DBR]; + + wq_sz = mlx5_wq_ll_get_size(&rq->mpwqe.wq); +@@ -474,7 +518,7 @@ static int mlx5e_alloc_rq(struct mlx5e_channel *c, + + err = mlx5e_create_rq_umr_mkey(mdev, rq); + if (err) +- goto err_rq_wq_destroy; ++ goto err_rq_drop_page; + rq->mkey_be = cpu_to_be32(rq->umr_mkey.key); + + err = mlx5e_rq_alloc_mpwqe_info(rq, c); +@@ -622,6 +666,8 @@ err_free: + case MLX5_WQ_TYPE_LINKED_LIST_STRIDING_RQ: + kvfree(rq->mpwqe.info); + mlx5_core_destroy_mkey(mdev, &rq->umr_mkey); ++err_rq_drop_page: ++ mlx5e_free_mpwqe_rq_drop_page(rq); + break; + default: /* MLX5_WQ_TYPE_CYCLIC */ + kvfree(rq->wqe.frags); +@@ -649,6 +695,7 @@ static void mlx5e_free_rq(struct mlx5e_rq *rq) + case MLX5_WQ_TYPE_LINKED_LIST_STRIDING_RQ: + kvfree(rq->mpwqe.info); + mlx5_core_destroy_mkey(rq->mdev, &rq->umr_mkey); ++ mlx5e_free_mpwqe_rq_drop_page(rq); + break; + default: /* MLX5_WQ_TYPE_CYCLIC */ + kvfree(rq->wqe.frags); +-- +2.25.1 + diff --git a/queue-5.4/net-mlx5e-fix-vlan-cleanup-flow.patch b/queue-5.4/net-mlx5e-fix-vlan-cleanup-flow.patch new file mode 100644 index 00000000000..e3265c9263f --- /dev/null +++ b/queue-5.4/net-mlx5e-fix-vlan-cleanup-flow.patch @@ -0,0 +1,82 @@ +From 9c165c4d9a1dd1371666faa3ced60140d9b0a899 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 13 Sep 2020 17:57:23 +0300 +Subject: net/mlx5e: Fix VLAN cleanup flow + +From: Aya Levin + +[ Upstream commit 8c7353b6f716436ad0bfda2b5c5524ab2dde5894 ] + +Prior to this patch unloading an interface in promiscuous mode with RX +VLAN filtering feature turned off - resulted in a warning. This is due +to a wrong condition in the VLAN rules cleanup flow, which left the +any-vid rules in the VLAN steering table. These rules prevented +destroying the flow group and the flow table. + +The any-vid rules are removed in 2 flows, but none of them remove it in +case both promiscuous is set and VLAN filtering is off. Fix the issue by +changing the condition of the VLAN table cleanup flow to clean also in +case of promiscuous mode. + +mlx5_core 0000:00:08.0: mlx5_destroy_flow_group:2123:(pid 28729): Flow group 20 wasn't destroyed, refcount > 1 +mlx5_core 0000:00:08.0: mlx5_destroy_flow_group:2123:(pid 28729): Flow group 19 wasn't destroyed, refcount > 1 +mlx5_core 0000:00:08.0: mlx5_destroy_flow_table:2112:(pid 28729): Flow table 262149 wasn't destroyed, refcount > 1 +... +... +------------[ cut here ]------------ +FW pages counter is 11560 after reclaiming all pages +WARNING: CPU: 1 PID: 28729 at +drivers/net/ethernet/mellanox/mlx5/core/pagealloc.c:660 +mlx5_reclaim_startup_pages+0x178/0x230 [mlx5_core] +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS +rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 +Call Trace: + mlx5_function_teardown+0x2f/0x90 [mlx5_core] + mlx5_unload_one+0x71/0x110 [mlx5_core] + remove_one+0x44/0x80 [mlx5_core] + pci_device_remove+0x3e/0xc0 + device_release_driver_internal+0xfb/0x1c0 + device_release_driver+0x12/0x20 + pci_stop_bus_device+0x68/0x90 + pci_stop_and_remove_bus_device+0x12/0x20 + hv_eject_device_work+0x6f/0x170 [pci_hyperv] + ? __schedule+0x349/0x790 + process_one_work+0x206/0x400 + worker_thread+0x34/0x3f0 + ? process_one_work+0x400/0x400 + kthread+0x126/0x140 + ? kthread_park+0x90/0x90 + ret_from_fork+0x22/0x30 + ---[ end trace 6283bde8d26170dc ]--- + +Fixes: 9df30601c843 ("net/mlx5e: Restore vlan filter after seamless reset") +Signed-off-by: Aya Levin +Reviewed-by: Moshe Shemesh +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_fs.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_fs.c b/drivers/net/ethernet/mellanox/mlx5/core/en_fs.c +index 73d3dc07331f1..c5be0cdfaf0fa 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_fs.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_fs.c +@@ -415,8 +415,12 @@ static void mlx5e_del_vlan_rules(struct mlx5e_priv *priv) + for_each_set_bit(i, priv->fs.vlan.active_svlans, VLAN_N_VID) + mlx5e_del_vlan_rule(priv, MLX5E_VLAN_RULE_TYPE_MATCH_STAG_VID, i); + +- if (priv->fs.vlan.cvlan_filter_disabled && +- !(priv->netdev->flags & IFF_PROMISC)) ++ WARN_ON_ONCE(!(test_bit(MLX5E_STATE_DESTROYING, &priv->state))); ++ ++ /* must be called after DESTROY bit is set and ++ * set_rx_mode is called and flushed ++ */ ++ if (priv->fs.vlan.cvlan_filter_disabled) + mlx5e_del_any_vid_rules(priv); + } + +-- +2.25.1 + diff --git a/queue-5.4/net-mlx5e-fix-vlan-create-flow.patch b/queue-5.4/net-mlx5e-fix-vlan-create-flow.patch new file mode 100644 index 00000000000..e3a1e713a2f --- /dev/null +++ b/queue-5.4/net-mlx5e-fix-vlan-create-flow.patch @@ -0,0 +1,55 @@ +From 49d4353e393b9158195c8d270fd814be57e9c3a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 13 Sep 2020 18:05:40 +0300 +Subject: net/mlx5e: Fix VLAN create flow + +From: Aya Levin + +[ Upstream commit d4a16052bccdd695982f89d815ca075825115821 ] + +When interface is attached while in promiscuous mode and with VLAN +filtering turned off, both configurations are not respected and VLAN +filtering is performed. +There are 2 flows which add the any-vid rules during interface attach: +VLAN creation table and set rx mode. Each is relaying on the other to +add any-vid rules, eventually non of them does. + +Fix this by adding any-vid rules on VLAN creation regardless of +promiscuous mode. + +Fixes: 9df30601c843 ("net/mlx5e: Restore vlan filter after seamless reset") +Signed-off-by: Aya Levin +Reviewed-by: Moshe Shemesh +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_fs.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_fs.c b/drivers/net/ethernet/mellanox/mlx5/core/en_fs.c +index c5be0cdfaf0fa..713dc210f710c 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_fs.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_fs.c +@@ -217,6 +217,9 @@ static int __mlx5e_add_vlan_rule(struct mlx5e_priv *priv, + break; + } + ++ if (WARN_ONCE(*rule_p, "VLAN rule already exists type %d", rule_type)) ++ return 0; ++ + *rule_p = mlx5_add_flow_rules(ft, spec, &flow_act, &dest, 1); + + if (IS_ERR(*rule_p)) { +@@ -397,8 +400,7 @@ static void mlx5e_add_vlan_rules(struct mlx5e_priv *priv) + for_each_set_bit(i, priv->fs.vlan.active_svlans, VLAN_N_VID) + mlx5e_add_vlan_rule(priv, MLX5E_VLAN_RULE_TYPE_MATCH_STAG_VID, i); + +- if (priv->fs.vlan.cvlan_filter_disabled && +- !(priv->netdev->flags & IFF_PROMISC)) ++ if (priv->fs.vlan.cvlan_filter_disabled) + mlx5e_add_any_vid_rules(priv); + } + +-- +2.25.1 + diff --git a/queue-5.4/net-stmmac-removed-enabling-eee-in-eee-set-callback.patch b/queue-5.4/net-stmmac-removed-enabling-eee-in-eee-set-callback.patch new file mode 100644 index 00000000000..eff84677f13 --- /dev/null +++ b/queue-5.4/net-stmmac-removed-enabling-eee-in-eee-set-callback.patch @@ -0,0 +1,66 @@ +From 9b6fb670f840e832e3f7df42a03c20fc887e8e96 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Sep 2020 16:56:14 +0800 +Subject: net: stmmac: removed enabling eee in EEE set callback + +From: Voon Weifeng + +[ Upstream commit 7241c5a697479c7d0c5a96595822cdab750d41ae ] + +EEE should be only be enabled during stmmac_mac_link_up() when the +link are up and being set up properly. set_eee should only do settings +configuration and disabling the eee. + +Without this fix, turning on EEE using ethtool will return +"Operation not supported". This is due to the driver is in a dead loop +waiting for eee to be advertised in the for eee to be activated but the +driver will only configure the EEE advertisement after the eee is +activated. + +Ethtool should only return "Operation not supported" if there is no EEE +capbility in the MAC controller. + +Fixes: 8a7493e58ad6 ("net: stmmac: Fix a race in EEE enable callback") +Signed-off-by: Voon Weifeng +Acked-by: Mark Gross +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../net/ethernet/stmicro/stmmac/stmmac_ethtool.c | 15 ++++----------- + 1 file changed, 4 insertions(+), 11 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c +index 1a768837ca728..ce1346c14b05a 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c +@@ -662,23 +662,16 @@ static int stmmac_ethtool_op_set_eee(struct net_device *dev, + struct stmmac_priv *priv = netdev_priv(dev); + int ret; + +- if (!edata->eee_enabled) { ++ if (!priv->dma_cap.eee) ++ return -EOPNOTSUPP; ++ ++ if (!edata->eee_enabled) + stmmac_disable_eee_mode(priv); +- } else { +- /* We are asking for enabling the EEE but it is safe +- * to verify all by invoking the eee_init function. +- * In case of failure it will return an error. +- */ +- edata->eee_enabled = stmmac_eee_init(priv); +- if (!edata->eee_enabled) +- return -EOPNOTSUPP; +- } + + ret = phylink_ethtool_set_eee(priv->phylink, edata); + if (ret) + return ret; + +- priv->eee_enabled = edata->eee_enabled; + priv->tx_lpi_timer = edata->tx_lpi_timer; + return 0; + } +-- +2.25.1 + diff --git a/queue-5.4/net-usb-ax88179_178a-fix-missing-stop-entry-in-drive.patch b/queue-5.4/net-usb-ax88179_178a-fix-missing-stop-entry-in-drive.patch new file mode 100644 index 00000000000..9edc4e99843 --- /dev/null +++ b/queue-5.4/net-usb-ax88179_178a-fix-missing-stop-entry-in-drive.patch @@ -0,0 +1,34 @@ +From cf2ff975222d9d98611bf59d39b301ea8cf9b69a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Sep 2020 11:01:04 +0200 +Subject: net: usb: ax88179_178a: fix missing stop entry in driver_info + +From: Wilken Gottwalt + +[ Upstream commit 9666ea66a74adfe295cb3a8760c76e1ef70f9caf ] + +Adds the missing .stop entry in the Belkin driver_info structure. + +Fixes: e20bd60bf62a ("net: usb: asix88179_178a: Add support for the Belkin B2B128") +Signed-off-by: Wilken Gottwalt +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/ax88179_178a.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/usb/ax88179_178a.c b/drivers/net/usb/ax88179_178a.c +index df2f7cc6dc03a..8e37e1f58c4b9 100644 +--- a/drivers/net/usb/ax88179_178a.c ++++ b/drivers/net/usb/ax88179_178a.c +@@ -1719,6 +1719,7 @@ static const struct driver_info belkin_info = { + .status = ax88179_status, + .link_reset = ax88179_link_reset, + .reset = ax88179_reset, ++ .stop = ax88179_stop, + .flags = FLAG_ETHER | FLAG_FRAMING_AX, + .rx_fixup = ax88179_rx_fixup, + .tx_fixup = ax88179_tx_fixup, +-- +2.25.1 + diff --git a/queue-5.4/perf-fix-task_function_call-error-handling.patch b/queue-5.4/perf-fix-task_function_call-error-handling.patch new file mode 100644 index 00000000000..6d2f9b5957c --- /dev/null +++ b/queue-5.4/perf-fix-task_function_call-error-handling.patch @@ -0,0 +1,57 @@ +From 57ff29b6f941afda4aeb55ee95b0bf1273cc1fe8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Aug 2020 12:17:32 +0530 +Subject: perf: Fix task_function_call() error handling + +From: Kajol Jain + +[ Upstream commit 6d6b8b9f4fceab7266ca03d194f60ec72bd4b654 ] + +The error handling introduced by commit: + + 2ed6edd33a21 ("perf: Add cond_resched() to task_function_call()") + +looses any return value from smp_call_function_single() that is not +{0, -EINVAL}. This is a problem because it will return -EXNIO when the +target CPU is offline. Worse, in that case it'll turn into an infinite +loop. + +Fixes: 2ed6edd33a21 ("perf: Add cond_resched() to task_function_call()") +Reported-by: Srikar Dronamraju +Signed-off-by: Kajol Jain +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Ingo Molnar +Reviewed-by: Barret Rhoden +Tested-by: Srikar Dronamraju +Link: https://lkml.kernel.org/r/20200827064732.20860-1-kjain@linux.ibm.com +Signed-off-by: Sasha Levin +--- + kernel/events/core.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/kernel/events/core.c b/kernel/events/core.c +index 47646050efa0c..09e1cc22221fe 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -97,7 +97,7 @@ static void remote_function(void *data) + * retry due to any failures in smp_call_function_single(), such as if the + * task_cpu() goes offline concurrently. + * +- * returns @func return value or -ESRCH when the process isn't running ++ * returns @func return value or -ESRCH or -ENXIO when the process isn't running + */ + static int + task_function_call(struct task_struct *p, remote_function_f func, void *info) +@@ -113,7 +113,8 @@ task_function_call(struct task_struct *p, remote_function_f func, void *info) + for (;;) { + ret = smp_call_function_single(task_cpu(p), remote_function, + &data, 1); +- ret = !ret ? data.ret : -EAGAIN; ++ if (!ret) ++ ret = data.ret; + + if (ret != -EAGAIN) + break; +-- +2.25.1 + diff --git a/queue-5.4/platform-x86-fix-kconfig-dependency-warning-for-fuji.patch b/queue-5.4/platform-x86-fix-kconfig-dependency-warning-for-fuji.patch new file mode 100644 index 00000000000..5cac8b91883 --- /dev/null +++ b/queue-5.4/platform-x86-fix-kconfig-dependency-warning-for-fuji.patch @@ -0,0 +1,46 @@ +From 599f63e279fd37af9c6b13ef20fb7a672fb65c41 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Sep 2020 19:16:53 +0300 +Subject: platform/x86: fix kconfig dependency warning for FUJITSU_LAPTOP + +From: Necip Fazil Yildiran + +[ Upstream commit afdd1ebb72051e8b6b83c4d7dc542a9be0e1352d ] + +When FUJITSU_LAPTOP is enabled and NEW_LEDS is disabled, it results in the +following Kbuild warning: + +WARNING: unmet direct dependencies detected for LEDS_CLASS + Depends on [n]: NEW_LEDS [=n] + Selected by [y]: + - FUJITSU_LAPTOP [=y] && X86 [=y] && X86_PLATFORM_DEVICES [=y] && ACPI [=y] && INPUT [=y] && BACKLIGHT_CLASS_DEVICE [=y] && (ACPI_VIDEO [=n] || ACPI_VIDEO [=n]=n) + +The reason is that FUJITSU_LAPTOP selects LEDS_CLASS without depending on +or selecting NEW_LEDS while LEDS_CLASS is subordinate to NEW_LEDS. + +Honor the kconfig menu hierarchy to remove kconfig dependency warnings. + +Reported-by: Hans de Goede +Fixes: d89bcc83e709 ("platform/x86: fujitsu-laptop: select LEDS_CLASS") +Signed-off-by: Necip Fazil Yildiran +Signed-off-by: Andy Shevchenko +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/platform/x86/Kconfig b/drivers/platform/x86/Kconfig +index 1cab993205142..000d5693fae74 100644 +--- a/drivers/platform/x86/Kconfig ++++ b/drivers/platform/x86/Kconfig +@@ -269,6 +269,7 @@ config FUJITSU_LAPTOP + depends on BACKLIGHT_CLASS_DEVICE + depends on ACPI_VIDEO || ACPI_VIDEO = n + select INPUT_SPARSEKMAP ++ select NEW_LEDS + select LEDS_CLASS + ---help--- + This is a driver for laptops built by Fujitsu: +-- +2.25.1 + diff --git a/queue-5.4/r8169-fix-rtl8168f-rtl8411-ephy-config.patch b/queue-5.4/r8169-fix-rtl8168f-rtl8411-ephy-config.patch new file mode 100644 index 00000000000..8c6a701bd9c --- /dev/null +++ b/queue-5.4/r8169-fix-rtl8168f-rtl8411-ephy-config.patch @@ -0,0 +1,44 @@ +From f010fdb11c6ed4fe0a5dde8b90ac778887e07629 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 27 Sep 2020 19:44:29 +0200 +Subject: r8169: fix RTL8168f/RTL8411 EPHY config + +From: Heiner Kallweit + +[ Upstream commit 709a16be0593c08190982cfbdca6df95e6d5823b ] + +Mistakenly bit 2 was set instead of bit 3 as in the vendor driver. + +Fixes: a7a92cf81589 ("r8169: sync PCIe PHY init with vendor driver 8.047.01") +Signed-off-by: Heiner Kallweit +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/realtek/r8169_main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c +index 903212ad9bb2f..66c97049f52b7 100644 +--- a/drivers/net/ethernet/realtek/r8169_main.c ++++ b/drivers/net/ethernet/realtek/r8169_main.c +@@ -4701,7 +4701,7 @@ static void rtl_hw_start_8168f_1(struct rtl8169_private *tp) + { 0x08, 0x0001, 0x0002 }, + { 0x09, 0x0000, 0x0080 }, + { 0x19, 0x0000, 0x0224 }, +- { 0x00, 0x0000, 0x0004 }, ++ { 0x00, 0x0000, 0x0008 }, + { 0x0c, 0x3df0, 0x0200 }, + }; + +@@ -4718,7 +4718,7 @@ static void rtl_hw_start_8411(struct rtl8169_private *tp) + { 0x06, 0x00c0, 0x0020 }, + { 0x0f, 0xffff, 0x5200 }, + { 0x19, 0x0000, 0x0224 }, +- { 0x00, 0x0000, 0x0004 }, ++ { 0x00, 0x0000, 0x0008 }, + { 0x0c, 0x3df0, 0x0200 }, + }; + +-- +2.25.1 + diff --git a/queue-5.4/rxrpc-downgrade-the-bug-for-unsupported-token-type-i.patch b/queue-5.4/rxrpc-downgrade-the-bug-for-unsupported-token-type-i.patch new file mode 100644 index 00000000000..7db66f5b1bb --- /dev/null +++ b/queue-5.4/rxrpc-downgrade-the-bug-for-unsupported-token-type-i.patch @@ -0,0 +1,47 @@ +From e69359a0e7af35cdcaf94984a7e29967da149e0e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Sep 2020 22:09:04 +0100 +Subject: rxrpc: Downgrade the BUG() for unsupported token type in rxrpc_read() + +From: David Howells + +[ Upstream commit 9a059cd5ca7d9c5c4ca5a6e755cf72f230176b6a ] + +If rxrpc_read() (which allows KEYCTL_READ to read a key), sees a token of a +type it doesn't recognise, it can BUG in a couple of places, which is +unnecessary as it can easily get back to userspace. + +Fix this to print an error message instead. + +Fixes: 99455153d067 ("RxRPC: Parse security index 5 keys (Kerberos 5)") +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +--- + net/rxrpc/key.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/rxrpc/key.c b/net/rxrpc/key.c +index d77e89766406a..32f46edcf7c67 100644 +--- a/net/rxrpc/key.c ++++ b/net/rxrpc/key.c +@@ -1108,7 +1108,8 @@ static long rxrpc_read(const struct key *key, + break; + + default: /* we have a ticket we can't encode */ +- BUG(); ++ pr_err("Unsupported key token type (%u)\n", ++ token->security_index); + continue; + } + +@@ -1224,7 +1225,6 @@ static long rxrpc_read(const struct key *key, + break; + + default: +- BUG(); + break; + } + +-- +2.25.1 + diff --git a/queue-5.4/rxrpc-fix-rxkad-token-xdr-encoding.patch b/queue-5.4/rxrpc-fix-rxkad-token-xdr-encoding.patch new file mode 100644 index 00000000000..bb12dce3dd4 --- /dev/null +++ b/queue-5.4/rxrpc-fix-rxkad-token-xdr-encoding.patch @@ -0,0 +1,68 @@ +From 8ada0b56a41a542a864dc87fb456d393684bce07 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Sep 2020 14:01:24 -0300 +Subject: rxrpc: Fix rxkad token xdr encoding + +From: Marc Dionne + +[ Upstream commit 56305118e05b2db8d0395bba640ac9a3aee92624 ] + +The session key should be encoded with just the 8 data bytes and +no length; ENCODE_DATA precedes it with a 4 byte length, which +confuses some existing tools that try to parse this format. + +Add an ENCODE_BYTES macro that does not include a length, and use +it for the key. Also adjust the expected length. + +Note that commit 774521f353e1d ("rxrpc: Fix an assertion in +rxrpc_read()") had fixed a BUG by changing the length rather than +fixing the encoding. The original length was correct. + +Fixes: 99455153d067 ("RxRPC: Parse security index 5 keys (Kerberos 5)") +Signed-off-by: Marc Dionne +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +--- + net/rxrpc/key.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/net/rxrpc/key.c b/net/rxrpc/key.c +index 0c98313dd7a8c..d77e89766406a 100644 +--- a/net/rxrpc/key.c ++++ b/net/rxrpc/key.c +@@ -1073,7 +1073,7 @@ static long rxrpc_read(const struct key *key, + + switch (token->security_index) { + case RXRPC_SECURITY_RXKAD: +- toksize += 9 * 4; /* viceid, kvno, key*2 + len, begin, ++ toksize += 8 * 4; /* viceid, kvno, key*2, begin, + * end, primary, tktlen */ + toksize += RND(token->kad->ticket_len); + break; +@@ -1139,6 +1139,14 @@ static long rxrpc_read(const struct key *key, + memcpy((u8 *)xdr + _l, &zero, 4 - (_l & 3)); \ + xdr += (_l + 3) >> 2; \ + } while(0) ++#define ENCODE_BYTES(l, s) \ ++ do { \ ++ u32 _l = (l); \ ++ memcpy(xdr, (s), _l); \ ++ if (_l & 3) \ ++ memcpy((u8 *)xdr + _l, &zero, 4 - (_l & 3)); \ ++ xdr += (_l + 3) >> 2; \ ++ } while(0) + #define ENCODE64(x) \ + do { \ + __be64 y = cpu_to_be64(x); \ +@@ -1166,7 +1174,7 @@ static long rxrpc_read(const struct key *key, + case RXRPC_SECURITY_RXKAD: + ENCODE(token->kad->vice_id); + ENCODE(token->kad->kvno); +- ENCODE_DATA(8, token->kad->session_key); ++ ENCODE_BYTES(8, token->kad->session_key); + ENCODE(token->kad->start); + ENCODE(token->kad->expiry); + ENCODE(token->kad->primary_flag); +-- +2.25.1 + diff --git a/queue-5.4/rxrpc-fix-server-keyring-leak.patch b/queue-5.4/rxrpc-fix-server-keyring-leak.patch new file mode 100644 index 00000000000..0b87205268a --- /dev/null +++ b/queue-5.4/rxrpc-fix-server-keyring-leak.patch @@ -0,0 +1,37 @@ +From 4ccac4fb1ced957ffbb6e8191d66179994d7701f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Oct 2020 14:04:51 +0100 +Subject: rxrpc: Fix server keyring leak + +From: David Howells + +[ Upstream commit 38b1dc47a35ba14c3f4472138ea56d014c2d609b ] + +If someone calls setsockopt() twice to set a server key keyring, the first +keyring is leaked. + +Fix it to return an error instead if the server key keyring is already set. + +Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both") +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +--- + net/rxrpc/key.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/rxrpc/key.c b/net/rxrpc/key.c +index 64cbbd2f16944..85a9ff8cd236a 100644 +--- a/net/rxrpc/key.c ++++ b/net/rxrpc/key.c +@@ -903,7 +903,7 @@ int rxrpc_request_key(struct rxrpc_sock *rx, char __user *optval, int optlen) + + _enter(""); + +- if (optlen <= 0 || optlen > PAGE_SIZE - 1) ++ if (optlen <= 0 || optlen > PAGE_SIZE - 1 || rx->securities) + return -EINVAL; + + description = memdup_user_nul(optval, optlen); +-- +2.25.1 + diff --git a/queue-5.4/rxrpc-fix-some-missing-_bh-annotations-on-locking-co.patch b/queue-5.4/rxrpc-fix-some-missing-_bh-annotations-on-locking-co.patch new file mode 100644 index 00000000000..d8e4e609033 --- /dev/null +++ b/queue-5.4/rxrpc-fix-some-missing-_bh-annotations-on-locking-co.patch @@ -0,0 +1,51 @@ +From 72e7806cb9459eb2a4d7b374d62d153f0db40d2a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Oct 2020 11:57:40 +0100 +Subject: rxrpc: Fix some missing _bh annotations on locking conn->state_lock + +From: David Howells + +[ Upstream commit fa1d113a0f96f9ab7e4fe4f8825753ba1e34a9d3 ] + +conn->state_lock may be taken in softirq mode, but a previous patch +replaced an outer lock in the response-packet event handling code, and lost +the _bh from that when doing so. + +Fix this by applying the _bh annotation to the state_lock locking. + +Fixes: a1399f8bb033 ("rxrpc: Call channels should have separate call number spaces") +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +--- + net/rxrpc/conn_event.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/rxrpc/conn_event.c b/net/rxrpc/conn_event.c +index 06fcff2ebbba1..b5864683f200d 100644 +--- a/net/rxrpc/conn_event.c ++++ b/net/rxrpc/conn_event.c +@@ -341,18 +341,18 @@ static int rxrpc_process_event(struct rxrpc_connection *conn, + return ret; + + spin_lock(&conn->channel_lock); +- spin_lock(&conn->state_lock); ++ spin_lock_bh(&conn->state_lock); + + if (conn->state == RXRPC_CONN_SERVICE_CHALLENGING) { + conn->state = RXRPC_CONN_SERVICE; +- spin_unlock(&conn->state_lock); ++ spin_unlock_bh(&conn->state_lock); + for (loop = 0; loop < RXRPC_MAXCALLS; loop++) + rxrpc_call_is_secure( + rcu_dereference_protected( + conn->channels[loop].call, + lockdep_is_held(&conn->channel_lock))); + } else { +- spin_unlock(&conn->state_lock); ++ spin_unlock_bh(&conn->state_lock); + } + + spin_unlock(&conn->channel_lock); +-- +2.25.1 + diff --git a/queue-5.4/rxrpc-the-server-keyring-isn-t-network-namespaced.patch b/queue-5.4/rxrpc-the-server-keyring-isn-t-network-namespaced.patch new file mode 100644 index 00000000000..aa13e4d21fd --- /dev/null +++ b/queue-5.4/rxrpc-the-server-keyring-isn-t-network-namespaced.patch @@ -0,0 +1,36 @@ +From 095b25533f5e7fc776bcbcf057b57b6a3d46dc1a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Sep 2020 19:52:08 +0100 +Subject: rxrpc: The server keyring isn't network-namespaced + +From: David Howells + +[ Upstream commit fea99111244bae44e7d82a973744d27ea1567814 ] + +The keyring containing the server's tokens isn't network-namespaced, so it +shouldn't be looked up with a network namespace. It is expected to be +owned specifically by the server, so namespacing is unnecessary. + +Fixes: a58946c158a0 ("keys: Pass the network namespace into request_key mechanism") +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +--- + net/rxrpc/key.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/rxrpc/key.c b/net/rxrpc/key.c +index 32f46edcf7c67..64cbbd2f16944 100644 +--- a/net/rxrpc/key.c ++++ b/net/rxrpc/key.c +@@ -941,7 +941,7 @@ int rxrpc_server_keyring(struct rxrpc_sock *rx, char __user *optval, + if (IS_ERR(description)) + return PTR_ERR(description); + +- key = request_key_net(&key_type_keyring, description, sock_net(&rx->sk), NULL); ++ key = request_key(&key_type_keyring, description, NULL); + if (IS_ERR(key)) { + kfree(description); + _leave(" = %ld", PTR_ERR(key)); +-- +2.25.1 + diff --git a/queue-5.4/series b/queue-5.4/series index 5427ff56fb0..8fb00556729 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -46,3 +46,31 @@ net-team-fix-memory-leak-in-__team_options_register.patch openvswitch-handle-dnat-tuple-collision.patch drm-amdgpu-prevent-double-kfree-ttm-sg.patch iommu-vt-d-fix-lockdep-splat-in-iommu_flush_dev_iotl.patch +xfrm-clone-xfrma_set_mark-in-xfrm_do_migrate.patch +xfrm-clone-xfrma_replay_esn_val-in-xfrm_do_migrate.patch +xfrm-clone-xfrma_sec_ctx-in-xfrm_do_migrate.patch +xfrm-clone-whole-liftime_cur-structure-in-xfrm_do_mi.patch +net-stmmac-removed-enabling-eee-in-eee-set-callback.patch +platform-x86-fix-kconfig-dependency-warning-for-fuji.patch +xfrm-use-correct-address-family-in-xfrm_state_find.patch +iavf-use-generic-power-management.patch +iavf-fix-incorrect-adapter-get-in-iavf_resume.patch +net-ethernet-cavium-octeon_mgmt-use-phy_start-and-ph.patch +bonding-set-dev-needed_headroom-in-bond_setup_by_sla.patch +mdio-fix-mdio-thunder.c-dependency-build-error.patch +mlxsw-spectrum_acl-fix-mlxsw_sp_acl_tcam_group_add-s.patch +r8169-fix-rtl8168f-rtl8411-ephy-config.patch +net-usb-ax88179_178a-fix-missing-stop-entry-in-drive.patch +virtio-net-don-t-disable-guest-csum-when-disable-lro.patch +net-mlx5-avoid-possible-free-of-command-entry-while-.patch +net-mlx5-fix-request_irqs-error-flow.patch +net-mlx5e-add-resiliency-in-striding-rq-mode-for-pac.patch +net-mlx5e-fix-vlan-cleanup-flow.patch +net-mlx5e-fix-vlan-create-flow.patch +rxrpc-fix-rxkad-token-xdr-encoding.patch +rxrpc-downgrade-the-bug-for-unsupported-token-type-i.patch +rxrpc-fix-some-missing-_bh-annotations-on-locking-co.patch +rxrpc-the-server-keyring-isn-t-network-namespaced.patch +rxrpc-fix-server-keyring-leak.patch +perf-fix-task_function_call-error-handling.patch +mmc-core-don-t-set-limits.discard_granularity-as-0.patch diff --git a/queue-5.4/virtio-net-don-t-disable-guest-csum-when-disable-lro.patch b/queue-5.4/virtio-net-don-t-disable-guest-csum-when-disable-lro.patch new file mode 100644 index 00000000000..e53f9d7dea5 --- /dev/null +++ b/queue-5.4/virtio-net-don-t-disable-guest-csum-when-disable-lro.patch @@ -0,0 +1,54 @@ +From 2551e13ad0573461640c5d346089312bb8eb9295 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Sep 2020 09:58:06 +0800 +Subject: virtio-net: don't disable guest csum when disable LRO + +From: Tonghao Zhang + +[ Upstream commit 1a03b8a35a957f9f38ecb8a97443b7380bbf6a8b ] + +Open vSwitch and Linux bridge will disable LRO of the interface +when this interface added to them. Now when disable the LRO, the +virtio-net csum is disable too. That drops the forwarding performance. + +Fixes: a02e8964eaf9 ("virtio-net: ethtool configurable LRO") +Cc: Michael S. Tsirkin +Cc: Jason Wang +Cc: Willem de Bruijn +Signed-off-by: Tonghao Zhang +Acked-by: Willem de Bruijn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/virtio_net.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c +index 030d30603c295..99e1a7bc06886 100644 +--- a/drivers/net/virtio_net.c ++++ b/drivers/net/virtio_net.c +@@ -63,6 +63,11 @@ static const unsigned long guest_offloads[] = { + VIRTIO_NET_F_GUEST_CSUM + }; + ++#define GUEST_OFFLOAD_LRO_MASK ((1ULL << VIRTIO_NET_F_GUEST_TSO4) | \ ++ (1ULL << VIRTIO_NET_F_GUEST_TSO6) | \ ++ (1ULL << VIRTIO_NET_F_GUEST_ECN) | \ ++ (1ULL << VIRTIO_NET_F_GUEST_UFO)) ++ + struct virtnet_stat_desc { + char desc[ETH_GSTRING_LEN]; + size_t offset; +@@ -2572,7 +2577,8 @@ static int virtnet_set_features(struct net_device *dev, + if (features & NETIF_F_LRO) + offloads = vi->guest_offloads_capable; + else +- offloads = 0; ++ offloads = vi->guest_offloads_capable & ++ ~GUEST_OFFLOAD_LRO_MASK; + + err = virtnet_set_guest_offloads(vi, offloads); + if (err) +-- +2.25.1 + diff --git a/queue-5.4/xfrm-clone-whole-liftime_cur-structure-in-xfrm_do_mi.patch b/queue-5.4/xfrm-clone-whole-liftime_cur-structure-in-xfrm_do_mi.patch new file mode 100644 index 00000000000..b7e95e4ff13 --- /dev/null +++ b/queue-5.4/xfrm-clone-whole-liftime_cur-structure-in-xfrm_do_mi.patch @@ -0,0 +1,39 @@ +From 183f4b7479af357e339d44ec4685f5d809c68376 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Sep 2020 08:50:29 +0200 +Subject: xfrm: clone whole liftime_cur structure in xfrm_do_migrate + +From: Antony Antony + +[ Upstream commit 8366685b2883e523f91e9816d7be371eb1144749 ] + +When we clone state only add_time was cloned. It missed values like +bytes, packets. Now clone the all members of the structure. + +v1->v3: + - use memcpy to copy the entire structure + +Fixes: 80c9abaabf42 ("[XFRM]: Extension for dynamic update of endpoint address(es)") +Signed-off-by: Antony Antony +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_state.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c +index fc1b391ba1554..8df460eaac275 100644 +--- a/net/xfrm/xfrm_state.c ++++ b/net/xfrm/xfrm_state.c +@@ -1547,7 +1547,7 @@ static struct xfrm_state *xfrm_state_clone(struct xfrm_state *orig, + x->tfcpad = orig->tfcpad; + x->replay_maxdiff = orig->replay_maxdiff; + x->replay_maxage = orig->replay_maxage; +- x->curlft.add_time = orig->curlft.add_time; ++ memcpy(&x->curlft, &orig->curlft, sizeof(x->curlft)); + x->km.state = orig->km.state; + x->km.seq = orig->km.seq; + x->replay = orig->replay; +-- +2.25.1 + diff --git a/queue-5.4/xfrm-clone-xfrma_replay_esn_val-in-xfrm_do_migrate.patch b/queue-5.4/xfrm-clone-xfrma_replay_esn_val-in-xfrm_do_migrate.patch new file mode 100644 index 00000000000..f953cc8442d --- /dev/null +++ b/queue-5.4/xfrm-clone-xfrma_replay_esn_val-in-xfrm_do_migrate.patch @@ -0,0 +1,58 @@ +From 324db4382c9cc627ed46fc5a9703cb18dac6abb8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Sep 2020 08:49:55 +0200 +Subject: xfrm: clone XFRMA_REPLAY_ESN_VAL in xfrm_do_migrate + +From: Antony Antony + +[ Upstream commit 91a46c6d1b4fcbfa4773df9421b8ad3e58088101 ] + +XFRMA_REPLAY_ESN_VAL was not cloned completely from the old to the new. +Migrate this attribute during XFRMA_MSG_MIGRATE + +v1->v2: + - move curleft cloning to a separate patch + +Fixes: af2f464e326e ("xfrm: Assign esn pointers when cloning a state") +Signed-off-by: Antony Antony +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + include/net/xfrm.h | 16 ++++++---------- + 1 file changed, 6 insertions(+), 10 deletions(-) + +diff --git a/include/net/xfrm.h b/include/net/xfrm.h +index 12aa6e15e43f6..c00b9ae71ae40 100644 +--- a/include/net/xfrm.h ++++ b/include/net/xfrm.h +@@ -1773,21 +1773,17 @@ static inline unsigned int xfrm_replay_state_esn_len(struct xfrm_replay_state_es + static inline int xfrm_replay_clone(struct xfrm_state *x, + struct xfrm_state *orig) + { +- x->replay_esn = kzalloc(xfrm_replay_state_esn_len(orig->replay_esn), ++ ++ x->replay_esn = kmemdup(orig->replay_esn, ++ xfrm_replay_state_esn_len(orig->replay_esn), + GFP_KERNEL); + if (!x->replay_esn) + return -ENOMEM; +- +- x->replay_esn->bmp_len = orig->replay_esn->bmp_len; +- x->replay_esn->replay_window = orig->replay_esn->replay_window; +- +- x->preplay_esn = kmemdup(x->replay_esn, +- xfrm_replay_state_esn_len(x->replay_esn), ++ x->preplay_esn = kmemdup(orig->preplay_esn, ++ xfrm_replay_state_esn_len(orig->preplay_esn), + GFP_KERNEL); +- if (!x->preplay_esn) { +- kfree(x->replay_esn); ++ if (!x->preplay_esn) + return -ENOMEM; +- } + + return 0; + } +-- +2.25.1 + diff --git a/queue-5.4/xfrm-clone-xfrma_sec_ctx-in-xfrm_do_migrate.patch b/queue-5.4/xfrm-clone-xfrma_sec_ctx-in-xfrm_do_migrate.patch new file mode 100644 index 00000000000..aa7484c097b --- /dev/null +++ b/queue-5.4/xfrm-clone-xfrma_sec_ctx-in-xfrm_do_migrate.patch @@ -0,0 +1,74 @@ +From 41bbccbb622dbc3c2764aa4ef84521f3bdc8bcab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Sep 2020 08:50:11 +0200 +Subject: xfrm: clone XFRMA_SEC_CTX in xfrm_do_migrate + +From: Antony Antony + +[ Upstream commit 7aa05d304785204703a67a6aa7f1db402889a172 ] + +XFRMA_SEC_CTX was not cloned from the old to the new. +Migrate this attribute during XFRMA_MSG_MIGRATE + +v1->v2: + - return -ENOMEM on error +v2->v3: + - fix return type to int + +Fixes: 80c9abaabf42 ("[XFRM]: Extension for dynamic update of endpoint address(es)") +Signed-off-by: Antony Antony +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_state.c | 28 ++++++++++++++++++++++++++++ + 1 file changed, 28 insertions(+) + +diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c +index 10d30f0338d72..fc1b391ba1554 100644 +--- a/net/xfrm/xfrm_state.c ++++ b/net/xfrm/xfrm_state.c +@@ -1438,6 +1438,30 @@ out: + EXPORT_SYMBOL(xfrm_state_add); + + #ifdef CONFIG_XFRM_MIGRATE ++static inline int clone_security(struct xfrm_state *x, struct xfrm_sec_ctx *security) ++{ ++ struct xfrm_user_sec_ctx *uctx; ++ int size = sizeof(*uctx) + security->ctx_len; ++ int err; ++ ++ uctx = kmalloc(size, GFP_KERNEL); ++ if (!uctx) ++ return -ENOMEM; ++ ++ uctx->exttype = XFRMA_SEC_CTX; ++ uctx->len = size; ++ uctx->ctx_doi = security->ctx_doi; ++ uctx->ctx_alg = security->ctx_alg; ++ uctx->ctx_len = security->ctx_len; ++ memcpy(uctx + 1, security->ctx_str, security->ctx_len); ++ err = security_xfrm_state_alloc(x, uctx); ++ kfree(uctx); ++ if (err) ++ return err; ++ ++ return 0; ++} ++ + static struct xfrm_state *xfrm_state_clone(struct xfrm_state *orig, + struct xfrm_encap_tmpl *encap) + { +@@ -1494,6 +1518,10 @@ static struct xfrm_state *xfrm_state_clone(struct xfrm_state *orig, + goto error; + } + ++ if (orig->security) ++ if (clone_security(x, orig->security)) ++ goto error; ++ + if (orig->coaddr) { + x->coaddr = kmemdup(orig->coaddr, sizeof(*x->coaddr), + GFP_KERNEL); +-- +2.25.1 + diff --git a/queue-5.4/xfrm-clone-xfrma_set_mark-in-xfrm_do_migrate.patch b/queue-5.4/xfrm-clone-xfrma_set_mark-in-xfrm_do_migrate.patch new file mode 100644 index 00000000000..a52fc25859b --- /dev/null +++ b/queue-5.4/xfrm-clone-xfrma_set_mark-in-xfrm_do_migrate.patch @@ -0,0 +1,35 @@ +From 68b9e644eab0891de58787d1f67d37178ea7d7e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Sep 2020 08:49:38 +0200 +Subject: xfrm: clone XFRMA_SET_MARK in xfrm_do_migrate + +From: Antony Antony + +[ Upstream commit 545e5c571662b1cd79d9588f9d3b6e36985b8007 ] + +XFRMA_SET_MARK and XFRMA_SET_MARK_MASK was not cloned from the old +to the new. Migrate these two attributes during XFRMA_MSG_MIGRATE + +Fixes: 9b42c1f179a6 ("xfrm: Extend the output_mark to support input direction and masking.") +Signed-off-by: Antony Antony +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_state.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c +index f3423562d9336..10d30f0338d72 100644 +--- a/net/xfrm/xfrm_state.c ++++ b/net/xfrm/xfrm_state.c +@@ -1507,6 +1507,7 @@ static struct xfrm_state *xfrm_state_clone(struct xfrm_state *orig, + } + + memcpy(&x->mark, &orig->mark, sizeof(x->mark)); ++ memcpy(&x->props.smark, &orig->props.smark, sizeof(x->props.smark)); + + if (xfrm_init_state(x) < 0) + goto error; +-- +2.25.1 + diff --git a/queue-5.4/xfrm-use-correct-address-family-in-xfrm_state_find.patch b/queue-5.4/xfrm-use-correct-address-family-in-xfrm_state_find.patch new file mode 100644 index 00000000000..80dbe2ca797 --- /dev/null +++ b/queue-5.4/xfrm-use-correct-address-family-in-xfrm_state_find.patch @@ -0,0 +1,82 @@ +From 0e6a6e460eddd116adf83eb7340541b27224b603 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Sep 2020 14:42:56 +1000 +Subject: xfrm: Use correct address family in xfrm_state_find + +From: Herbert Xu + +[ Upstream commit e94ee171349db84c7cfdc5fefbebe414054d0924 ] + +The struct flowi must never be interpreted by itself as its size +depends on the address family. Therefore it must always be grouped +with its original family value. + +In this particular instance, the original family value is lost in +the function xfrm_state_find. Therefore we get a bogus read when +it's coupled with the wrong family which would occur with inter- +family xfrm states. + +This patch fixes it by keeping the original family value. + +Note that the same bug could potentially occur in LSM through +the xfrm_state_pol_flow_match hook. I checked the current code +there and it seems to be safe for now as only secid is used which +is part of struct flowi_common. But that API should be changed +so that so that we don't get new bugs in the future. We could +do that by replacing fl with just secid or adding a family field. + +Reported-by: syzbot+577fbac3145a6eb2e7a5@syzkaller.appspotmail.com +Fixes: 48b8d78315bf ("[XFRM]: State selection update to use inner...") +Signed-off-by: Herbert Xu +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_state.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c +index 8df460eaac275..aaea8cb7459d8 100644 +--- a/net/xfrm/xfrm_state.c ++++ b/net/xfrm/xfrm_state.c +@@ -1016,7 +1016,8 @@ static void xfrm_state_look_at(struct xfrm_policy *pol, struct xfrm_state *x, + */ + if (x->km.state == XFRM_STATE_VALID) { + if ((x->sel.family && +- !xfrm_selector_match(&x->sel, fl, x->sel.family)) || ++ (x->sel.family != family || ++ !xfrm_selector_match(&x->sel, fl, family))) || + !security_xfrm_state_pol_flow_match(x, pol, fl)) + return; + +@@ -1029,7 +1030,9 @@ static void xfrm_state_look_at(struct xfrm_policy *pol, struct xfrm_state *x, + *acq_in_progress = 1; + } else if (x->km.state == XFRM_STATE_ERROR || + x->km.state == XFRM_STATE_EXPIRED) { +- if (xfrm_selector_match(&x->sel, fl, x->sel.family) && ++ if ((!x->sel.family || ++ (x->sel.family == family && ++ xfrm_selector_match(&x->sel, fl, family))) && + security_xfrm_state_pol_flow_match(x, pol, fl)) + *error = -ESRCH; + } +@@ -1069,7 +1072,7 @@ xfrm_state_find(const xfrm_address_t *daddr, const xfrm_address_t *saddr, + tmpl->mode == x->props.mode && + tmpl->id.proto == x->id.proto && + (tmpl->id.spi == x->id.spi || !tmpl->id.spi)) +- xfrm_state_look_at(pol, x, fl, encap_family, ++ xfrm_state_look_at(pol, x, fl, family, + &best, &acquire_in_progress, &error); + } + if (best || acquire_in_progress) +@@ -1086,7 +1089,7 @@ xfrm_state_find(const xfrm_address_t *daddr, const xfrm_address_t *saddr, + tmpl->mode == x->props.mode && + tmpl->id.proto == x->id.proto && + (tmpl->id.spi == x->id.spi || !tmpl->id.spi)) +- xfrm_state_look_at(pol, x, fl, encap_family, ++ xfrm_state_look_at(pol, x, fl, family, + &best, &acquire_in_progress, &error); + } + +-- +2.25.1 +