From: Sasha Levin Date: Sun, 25 Sep 2022 01:52:31 +0000 (-0400) Subject: Fixes for 5.4 X-Git-Tag: v4.9.330~64 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f6db4fc7e33d1a8ab9dc590e151c8d05ea698472;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/arm64-dts-rockchip-pull-up-wlan-wake-on-gru-bob.patch b/queue-5.4/arm64-dts-rockchip-pull-up-wlan-wake-on-gru-bob.patch new file mode 100644 index 00000000000..308745c8668 --- /dev/null +++ b/queue-5.4/arm64-dts-rockchip-pull-up-wlan-wake-on-gru-bob.patch @@ -0,0 +1,62 @@ +From 40e32a33f4cf60e04a034eeeec3f8497798c86f7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Aug 2022 16:45:04 -0700 +Subject: arm64: dts: rockchip: Pull up wlan wake# on Gru-Bob + +From: Brian Norris + +[ Upstream commit e5467359a725de90b6b8d0dd865500f6373828ca ] + +The Gru-Bob board does not have a pull-up resistor on its +WLAN_HOST_WAKE# pin, but Kevin does. The production/vendor kernel +specified the pin configuration correctly as a pull-up, but this didn't +get ported correctly to upstream. + +This means Bob's WLAN_HOST_WAKE# pin is floating, causing inconsistent +wakeup behavior. + +Note that bt_host_wake_l has a similar dynamic, but apparently the +upstream choice was to redundantly configure both internal and external +pull-up on Kevin (see the "Kevin has an external pull up" comment in +rk3399-gru.dtsi). This doesn't cause any functional problem, although +it's perhaps wasteful. + +Fixes: 8559bbeeb849 ("arm64: dts: rockchip: add Google Bob") +Signed-off-by: Brian Norris +Reviewed-by: Douglas Anderson +Link: https://lore.kernel.org/r/20220822164453.1.I75c57b48b0873766ec993bdfb7bc1e63da5a1637@changeid +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/rockchip/rk3399-gru-bob.dts | 5 +++++ + arch/arm64/boot/dts/rockchip/rk3399-gru-chromebook.dtsi | 1 + + 2 files changed, 6 insertions(+) + +diff --git a/arch/arm64/boot/dts/rockchip/rk3399-gru-bob.dts b/arch/arm64/boot/dts/rockchip/rk3399-gru-bob.dts +index a9f4d6d7d2b7..586351340da6 100644 +--- a/arch/arm64/boot/dts/rockchip/rk3399-gru-bob.dts ++++ b/arch/arm64/boot/dts/rockchip/rk3399-gru-bob.dts +@@ -77,3 +77,8 @@ h1_int_od_l: h1-int-od-l { + }; + }; + }; ++ ++&wlan_host_wake_l { ++ /* Kevin has an external pull up, but Bob does not. */ ++ rockchip,pins = <0 RK_PB0 RK_FUNC_GPIO &pcfg_pull_up>; ++}; +diff --git a/arch/arm64/boot/dts/rockchip/rk3399-gru-chromebook.dtsi b/arch/arm64/boot/dts/rockchip/rk3399-gru-chromebook.dtsi +index 7cd6d470c1cb..53185404d3c8 100644 +--- a/arch/arm64/boot/dts/rockchip/rk3399-gru-chromebook.dtsi ++++ b/arch/arm64/boot/dts/rockchip/rk3399-gru-chromebook.dtsi +@@ -397,6 +397,7 @@ wifi_perst_l: wifi-perst-l { + }; + + wlan_host_wake_l: wlan-host-wake-l { ++ /* Kevin has an external pull up, but Bob does not */ + rockchip,pins = <0 RK_PB0 RK_FUNC_GPIO &pcfg_pull_none>; + }; + }; +-- +2.35.1 + diff --git a/queue-5.4/arm64-dts-rockchip-remove-enable-active-low-from-rk3.patch b/queue-5.4/arm64-dts-rockchip-remove-enable-active-low-from-rk3.patch new file mode 100644 index 00000000000..c3a293e2b83 --- /dev/null +++ b/queue-5.4/arm64-dts-rockchip-remove-enable-active-low-from-rk3.patch @@ -0,0 +1,40 @@ +From ddc0ee0fdc403db0cdf7a25c28e6fba9040176af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 27 Aug 2022 14:51:39 -0300 +Subject: arm64: dts: rockchip: Remove 'enable-active-low' from rk3399-puma + +From: Fabio Estevam + +[ Upstream commit a994b34b9abb9c08ee09e835b4027ff2147f9d94 ] + +The 'enable-active-low' property is not a valid one. + +Only 'enable-active-high' is valid, and when this property is absent +the gpio regulator will act as active low by default. + +Remove the invalid 'enable-active-low' property. + +Fixes: 2c66fc34e945 ("arm64: dts: rockchip: add RK3399-Q7 (Puma) SoM") +Signed-off-by: Fabio Estevam +Link: https://lore.kernel.org/r/20220827175140.1696699-1-festevam@denx.de +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi b/arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi +index 390b86ec6538..365fa9a3c5bf 100644 +--- a/arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi ++++ b/arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi +@@ -102,7 +102,6 @@ vcc3v3_sys: vcc3v3-sys { + vcc5v0_host: vcc5v0-host-regulator { + compatible = "regulator-fixed"; + gpio = <&gpio4 RK_PA3 GPIO_ACTIVE_LOW>; +- enable-active-low; + pinctrl-names = "default"; + pinctrl-0 = <&vcc5v0_host_en>; + regulator-name = "vcc5v0_host"; +-- +2.35.1 + diff --git a/queue-5.4/arm64-dts-rockchip-set-rk3399-gru-pclk_edp-to-24-mhz.patch b/queue-5.4/arm64-dts-rockchip-set-rk3399-gru-pclk_edp-to-24-mhz.patch new file mode 100644 index 00000000000..9f6eb2cd934 --- /dev/null +++ b/queue-5.4/arm64-dts-rockchip-set-rk3399-gru-pclk_edp-to-24-mhz.patch @@ -0,0 +1,51 @@ +From 5aa4083bf445274a6da7ff70aceef94d954cb09a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Aug 2022 13:16:17 -0700 +Subject: arm64: dts: rockchip: Set RK3399-Gru PCLK_EDP to 24 MHz + +From: zain wang + +[ Upstream commit 8123437cf46ea5a0f6ca5cb3c528d8b6db97b9c2 ] + +We've found the AUX channel to be less reliable with PCLK_EDP at a +higher rate (typically 25 MHz). This is especially important on systems +with PSR-enabled panels (like Gru-Kevin), since we make heavy, constant +use of AUX. + +According to Rockchip, using any rate other than 24 MHz can cause +"problems between syncing the PHY an PCLK", which leads to all sorts of +unreliabilities around register operations. + +Fixes: d67a38c5a623 ("arm64: dts: rockchip: move core edp from rk3399-kevin to shared chromebook") +Reviewed-by: Douglas Anderson +Signed-off-by: zain wang +Signed-off-by: Brian Norris +Link: https://lore.kernel.org/r/20220830131212.v2.1.I98d30623f13b785ca77094d0c0fd4339550553b6@changeid +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/rockchip/rk3399-gru-chromebook.dtsi | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/arch/arm64/boot/dts/rockchip/rk3399-gru-chromebook.dtsi b/arch/arm64/boot/dts/rockchip/rk3399-gru-chromebook.dtsi +index 53185404d3c8..7416db3d27a7 100644 +--- a/arch/arm64/boot/dts/rockchip/rk3399-gru-chromebook.dtsi ++++ b/arch/arm64/boot/dts/rockchip/rk3399-gru-chromebook.dtsi +@@ -237,6 +237,14 @@ &cdn_dp { + &edp { + status = "okay"; + ++ /* ++ * eDP PHY/clk don't sync reliably at anything other than 24 MHz. Only ++ * set this here, because rk3399-gru.dtsi ensures we can generate this ++ * off GPLL=600MHz, whereas some other RK3399 boards may not. ++ */ ++ assigned-clocks = <&cru PCLK_EDP>; ++ assigned-clock-rates = <24000000>; ++ + ports { + edp_out: port@1 { + reg = <1>; +-- +2.35.1 + diff --git a/queue-5.4/can-gs_usb-gs_can_open-fix-race-dev-can.state-condit.patch b/queue-5.4/can-gs_usb-gs_can_open-fix-race-dev-can.state-condit.patch new file mode 100644 index 00000000000..4c4784d3a2b --- /dev/null +++ b/queue-5.4/can-gs_usb-gs_can_open-fix-race-dev-can.state-condit.patch @@ -0,0 +1,55 @@ +From 83223682ee0aada50bee466736af3947e212597f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Sep 2022 11:40:56 +0200 +Subject: can: gs_usb: gs_can_open(): fix race dev->can.state condition + +From: Marc Kleine-Budde + +[ Upstream commit 5440428b3da65408dba0241985acb7a05258b85e ] + +The dev->can.state is set to CAN_STATE_ERROR_ACTIVE, after the device +has been started. On busy networks the CAN controller might receive +CAN frame between and go into an error state before the dev->can.state +is assigned. + +Assign dev->can.state before starting the controller to close the race +window. + +Fixes: d08e973a77d1 ("can: gs_usb: Added support for the GS_USB CAN devices") +Link: https://lore.kernel.org/all/20220920195216.232481-1-mkl@pengutronix.de +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/usb/gs_usb.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/can/usb/gs_usb.c b/drivers/net/can/usb/gs_usb.c +index bf4ab30186af..abd2a57b18cb 100644 +--- a/drivers/net/can/usb/gs_usb.c ++++ b/drivers/net/can/usb/gs_usb.c +@@ -678,6 +678,7 @@ static int gs_can_open(struct net_device *netdev) + flags |= GS_CAN_MODE_TRIPLE_SAMPLE; + + /* finally start device */ ++ dev->can.state = CAN_STATE_ERROR_ACTIVE; + dm->mode = cpu_to_le32(GS_CAN_MODE_START); + dm->flags = cpu_to_le32(flags); + rc = usb_control_msg(interface_to_usbdev(dev->iface), +@@ -694,13 +695,12 @@ static int gs_can_open(struct net_device *netdev) + if (rc < 0) { + netdev_err(netdev, "Couldn't start device (err=%d)\n", rc); + kfree(dm); ++ dev->can.state = CAN_STATE_STOPPED; + return rc; + } + + kfree(dm); + +- dev->can.state = CAN_STATE_ERROR_ACTIVE; +- + parent->active_channels++; + if (!(dev->can.ctrlmode & CAN_CTRLMODE_LISTENONLY)) + netif_start_queue(netdev); +-- +2.35.1 + diff --git a/queue-5.4/i40e-fix-set-max_tx_rate-when-it-is-lower-than-1-mbp.patch b/queue-5.4/i40e-fix-set-max_tx_rate-when-it-is-lower-than-1-mbp.patch new file mode 100644 index 00000000000..0af2c82b40d --- /dev/null +++ b/queue-5.4/i40e-fix-set-max_tx_rate-when-it-is-lower-than-1-mbp.patch @@ -0,0 +1,100 @@ +From c900b50a44bb92e2a648c4af56f1544dc88e004c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Sep 2022 09:49:33 +0200 +Subject: i40e: Fix set max_tx_rate when it is lower than 1 Mbps + +From: Michal Jaron + +[ Upstream commit 198eb7e1b81d8ba676d0f4f120c092032ae69a8e ] + +While converting max_tx_rate from bytes to Mbps, this value was set to 0, +if the original value was lower than 125000 bytes (1 Mbps). This would +cause no transmission rate limiting to occur. This happened due to lack of +check of max_tx_rate against the 1 Mbps value for max_tx_rate and the +following division by 125000. Fix this issue by adding a helper +i40e_bw_bytes_to_mbits() which sets max_tx_rate to minimum usable value of +50 Mbps, if its value is less than 1 Mbps, otherwise do the required +conversion by dividing by 125000. + +Fixes: 5ecae4120a6b ("i40e: Refactor VF BW rate limiting") +Signed-off-by: Michal Jaron +Signed-off-by: Andrii Staikov +Tested-by: Bharathi Sreenivas +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_main.c | 32 +++++++++++++++++---- + 1 file changed, 26 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c +index 2d01eaeb703a..15f177185d71 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c +@@ -5638,6 +5638,26 @@ static int i40e_get_link_speed(struct i40e_vsi *vsi) + } + } + ++/** ++ * i40e_bw_bytes_to_mbits - Convert max_tx_rate from bytes to mbits ++ * @vsi: Pointer to vsi structure ++ * @max_tx_rate: max TX rate in bytes to be converted into Mbits ++ * ++ * Helper function to convert units before send to set BW limit ++ **/ ++static u64 i40e_bw_bytes_to_mbits(struct i40e_vsi *vsi, u64 max_tx_rate) ++{ ++ if (max_tx_rate < I40E_BW_MBPS_DIVISOR) { ++ dev_warn(&vsi->back->pdev->dev, ++ "Setting max tx rate to minimum usable value of 50Mbps.\n"); ++ max_tx_rate = I40E_BW_CREDIT_DIVISOR; ++ } else { ++ do_div(max_tx_rate, I40E_BW_MBPS_DIVISOR); ++ } ++ ++ return max_tx_rate; ++} ++ + /** + * i40e_set_bw_limit - setup BW limit for Tx traffic based on max_tx_rate + * @vsi: VSI to be configured +@@ -5660,10 +5680,10 @@ int i40e_set_bw_limit(struct i40e_vsi *vsi, u16 seid, u64 max_tx_rate) + max_tx_rate, seid); + return -EINVAL; + } +- if (max_tx_rate && max_tx_rate < 50) { ++ if (max_tx_rate && max_tx_rate < I40E_BW_CREDIT_DIVISOR) { + dev_warn(&pf->pdev->dev, + "Setting max tx rate to minimum usable value of 50Mbps.\n"); +- max_tx_rate = 50; ++ max_tx_rate = I40E_BW_CREDIT_DIVISOR; + } + + /* Tx rate credits are in values of 50Mbps, 0 is disabled */ +@@ -7591,9 +7611,9 @@ static int i40e_setup_tc(struct net_device *netdev, void *type_data) + + if (pf->flags & I40E_FLAG_TC_MQPRIO) { + if (vsi->mqprio_qopt.max_rate[0]) { +- u64 max_tx_rate = vsi->mqprio_qopt.max_rate[0]; ++ u64 max_tx_rate = i40e_bw_bytes_to_mbits(vsi, ++ vsi->mqprio_qopt.max_rate[0]); + +- do_div(max_tx_rate, I40E_BW_MBPS_DIVISOR); + ret = i40e_set_bw_limit(vsi, vsi->seid, max_tx_rate); + if (!ret) { + u64 credits = max_tx_rate; +@@ -10247,10 +10267,10 @@ static void i40e_rebuild(struct i40e_pf *pf, bool reinit, bool lock_acquired) + } + + if (vsi->mqprio_qopt.max_rate[0]) { +- u64 max_tx_rate = vsi->mqprio_qopt.max_rate[0]; ++ u64 max_tx_rate = i40e_bw_bytes_to_mbits(vsi, ++ vsi->mqprio_qopt.max_rate[0]); + u64 credits = 0; + +- do_div(max_tx_rate, I40E_BW_MBPS_DIVISOR); + ret = i40e_set_bw_limit(vsi, vsi->seid, max_tx_rate); + if (ret) + goto end_unlock; +-- +2.35.1 + diff --git a/queue-5.4/i40e-fix-vf-set-max-mtu-size.patch b/queue-5.4/i40e-fix-vf-set-max-mtu-size.patch new file mode 100644 index 00000000000..b77f7289223 --- /dev/null +++ b/queue-5.4/i40e-fix-vf-set-max-mtu-size.patch @@ -0,0 +1,67 @@ +From f4940166637d3a7b634c9ed8eebba3977c3a8a6f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Sep 2022 15:38:36 +0200 +Subject: i40e: Fix VF set max MTU size + +From: Michal Jaron + +[ Upstream commit 372539def2824c43b6afe2403045b140f65c5acc ] + +Max MTU sent to VF is set to 0 during memory allocation. It cause +that max MTU on VF is changed to IAVF_MAX_RXBUFFER and does not +depend on data from HW. + +Set max_mtu field in virtchnl_vf_resource struct to inform +VF in GET_VF_RESOURCES msg what size should be max frame. + +Fixes: dab86afdbbd1 ("i40e/i40evf: Change the way we limit the maximum frame size for Rx") +Signed-off-by: Michal Jaron +Signed-off-by: Mateusz Palczewski +Tested-by: Konrad Jankowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + .../ethernet/intel/i40e/i40e_virtchnl_pf.c | 20 +++++++++++++++++++ + 1 file changed, 20 insertions(+) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c +index 4080fdacca4c..16f5baafbbd5 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c +@@ -1873,6 +1873,25 @@ static void i40e_del_qch(struct i40e_vf *vf) + } + } + ++/** ++ * i40e_vc_get_max_frame_size ++ * @vf: pointer to the VF ++ * ++ * Max frame size is determined based on the current port's max frame size and ++ * whether a port VLAN is configured on this VF. The VF is not aware whether ++ * it's in a port VLAN so the PF needs to account for this in max frame size ++ * checks and sending the max frame size to the VF. ++ **/ ++static u16 i40e_vc_get_max_frame_size(struct i40e_vf *vf) ++{ ++ u16 max_frame_size = vf->pf->hw.phy.link_info.max_frame_size; ++ ++ if (vf->port_vlan_id) ++ max_frame_size -= VLAN_HLEN; ++ ++ return max_frame_size; ++} ++ + /** + * i40e_vc_get_vf_resources_msg + * @vf: pointer to the VF info +@@ -1973,6 +1992,7 @@ static int i40e_vc_get_vf_resources_msg(struct i40e_vf *vf, u8 *msg) + vfres->max_vectors = pf->hw.func_caps.num_msix_vectors_vf; + vfres->rss_key_size = I40E_HKEY_ARRAY_SIZE; + vfres->rss_lut_size = I40E_VF_HLUT_ARRAY_SIZE; ++ vfres->max_mtu = i40e_vc_get_max_frame_size(vf); + + if (vf->lan_vsi_idx) { + vfres->vsi_res[0].vsi_id = vf->lan_vsi_id; +-- +2.35.1 + diff --git a/queue-5.4/iavf-fix-bad-page-state.patch b/queue-5.4/iavf-fix-bad-page-state.patch new file mode 100644 index 00000000000..35f7a08717f --- /dev/null +++ b/queue-5.4/iavf-fix-bad-page-state.patch @@ -0,0 +1,50 @@ +From daff985c781a25fcd447573ec276d1493d69d785 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Sep 2022 15:39:13 +0200 +Subject: iavf: Fix bad page state + +From: Norbert Zulinski + +[ Upstream commit 66039eb9015eee4f7ff0c99b83c65c7ecb3c8190 ] + +Fix bad page state, free inappropriate page in handling dummy +descriptor. iavf_build_skb now has to check not only if rx_buffer is +NULL but also if size is zero, same thing in iavf_clean_rx_irq. +Without this patch driver would free page that will be used +by napi_build_skb. + +Fixes: a9f49e006030 ("iavf: Fix handling of dummy receive descriptors") +Signed-off-by: Norbert Zulinski +Signed-off-by: Mateusz Palczewski +Tested-by: Konrad Jankowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf_txrx.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_txrx.c b/drivers/net/ethernet/intel/iavf/iavf_txrx.c +index ce2f6d1ca79f..1f7b842c6763 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_txrx.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_txrx.c +@@ -1374,7 +1374,7 @@ static struct sk_buff *iavf_build_skb(struct iavf_ring *rx_ring, + #endif + struct sk_buff *skb; + +- if (!rx_buffer) ++ if (!rx_buffer || !size) + return NULL; + /* prefetch first cache line of first page */ + va = page_address(rx_buffer->page) + rx_buffer->page_offset; +@@ -1534,7 +1534,7 @@ static int iavf_clean_rx_irq(struct iavf_ring *rx_ring, int budget) + /* exit if we failed to retrieve a buffer */ + if (!skb) { + rx_ring->rx_stats.alloc_buff_failed++; +- if (rx_buffer) ++ if (rx_buffer && size) + rx_buffer->pagecnt_bias++; + break; + } +-- +2.35.1 + diff --git a/queue-5.4/iavf-fix-cached-head-and-tail-value-for-iavf_get_tx_.patch b/queue-5.4/iavf-fix-cached-head-and-tail-value-for-iavf_get_tx_.patch new file mode 100644 index 00000000000..8019445fae3 --- /dev/null +++ b/queue-5.4/iavf-fix-cached-head-and-tail-value-for-iavf_get_tx_.patch @@ -0,0 +1,45 @@ +From 81fecbe16ae85a2753726092c369168fd1872044 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Sep 2022 16:34:40 +0200 +Subject: iavf: Fix cached head and tail value for iavf_get_tx_pending + +From: Brett Creeley + +[ Upstream commit 809f23c0423a43266e47a7dc67e95b5cb4d1cbfc ] + +The underlying hardware may or may not allow reading of the head or tail +registers and it really makes no difference if we use the software +cached values. So, always used the software cached values. + +Fixes: 9c6c12595b73 ("i40e: Detection and recovery of TX queue hung logic moved to service_task from tx_timeout") +Signed-off-by: Brett Creeley +Co-developed-by: Norbert Zulinski +Signed-off-by: Norbert Zulinski +Signed-off-by: Mateusz Palczewski +Tested-by: Konrad Jankowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf_txrx.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_txrx.c b/drivers/net/ethernet/intel/iavf/iavf_txrx.c +index c6905d1b6182..ce2f6d1ca79f 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_txrx.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_txrx.c +@@ -114,8 +114,11 @@ u32 iavf_get_tx_pending(struct iavf_ring *ring, bool in_sw) + { + u32 head, tail; + ++ /* underlying hardware might not allow access and/or always return ++ * 0 for the head/tail registers so just use the cached values ++ */ + head = ring->next_to_clean; +- tail = readl(ring->tail); ++ tail = ring->next_to_use; + + if (head != tail) + return (head < tail) ? +-- +2.35.1 + diff --git a/queue-5.4/iavf-fix-set-max-mtu-size-with-port-vlan-and-jumbo-f.patch b/queue-5.4/iavf-fix-set-max-mtu-size-with-port-vlan-and-jumbo-f.patch new file mode 100644 index 00000000000..de6f10cb409 --- /dev/null +++ b/queue-5.4/iavf-fix-set-max-mtu-size-with-port-vlan-and-jumbo-f.patch @@ -0,0 +1,59 @@ +From 2b399c880e77afff0015f4e78d30a9f45e0b25e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Sep 2022 15:38:35 +0200 +Subject: iavf: Fix set max MTU size with port VLAN and jumbo frames + +From: Michal Jaron + +[ Upstream commit 399c98c4dc50b7eb7e9f24da7ffdda6f025676ef ] + +After setting port VLAN and MTU to 9000 on VF with ice driver there +was an iavf error +"PF returned error -5 (IAVF_ERR_PARAM) to our request 6". + +During queue configuration, VF's max packet size was set to +IAVF_MAX_RXBUFFER but on ice max frame size was smaller by VLAN_HLEN +due to making some space for port VLAN as VF is not aware whether it's +in a port VLAN. This mismatch in sizes caused ice to reject queue +configuration with ERR_PARAM error. Proper max_mtu is sent from ice PF +to VF with GET_VF_RESOURCES msg but VF does not look at this. + +In iavf change max_frame from IAVF_MAX_RXBUFFER to max_mtu +received from pf with GET_VF_RESOURCES msg to make vf's +max_frame_size dependent from pf. Add check if received max_mtu is +not in eligible range then set it to IAVF_MAX_RXBUFFER. + +Fixes: dab86afdbbd1 ("i40e/i40evf: Change the way we limit the maximum frame size for Rx") +Signed-off-by: Michal Jaron +Signed-off-by: Mateusz Palczewski +Tested-by: Konrad Jankowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf_virtchnl.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c +index 4d471a6f2946..7a17694b6a0b 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c +@@ -241,11 +241,14 @@ int iavf_get_vf_config(struct iavf_adapter *adapter) + void iavf_configure_queues(struct iavf_adapter *adapter) + { + struct virtchnl_vsi_queue_config_info *vqci; +- struct virtchnl_queue_pair_info *vqpi; ++ int i, max_frame = adapter->vf_res->max_mtu; + int pairs = adapter->num_active_queues; +- int i, max_frame = IAVF_MAX_RXBUFFER; ++ struct virtchnl_queue_pair_info *vqpi; + size_t len; + ++ if (max_frame > IAVF_MAX_RXBUFFER || !max_frame) ++ max_frame = IAVF_MAX_RXBUFFER; ++ + if (adapter->current_op != VIRTCHNL_OP_UNKNOWN) { + /* bail because we already have a command pending */ + dev_err(&adapter->pdev->dev, "Cannot configure queues, command %d pending\n", +-- +2.35.1 + diff --git a/queue-5.4/ipvlan-fix-out-of-bound-bugs-caused-by-unset-skb-mac.patch b/queue-5.4/ipvlan-fix-out-of-bound-bugs-caused-by-unset-skb-mac.patch new file mode 100644 index 00000000000..e77dc94fc6c --- /dev/null +++ b/queue-5.4/ipvlan-fix-out-of-bound-bugs-caused-by-unset-skb-mac.patch @@ -0,0 +1,98 @@ +From 614a6b2b27406482a78e2db88825d0a56c5f3398 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Sep 2022 18:12:04 +0800 +Subject: ipvlan: Fix out-of-bound bugs caused by unset skb->mac_header + +From: Lu Wei + +[ Upstream commit 81225b2ea161af48e093f58e8dfee6d705b16af4 ] + +If an AF_PACKET socket is used to send packets through ipvlan and the +default xmit function of the AF_PACKET socket is changed from +dev_queue_xmit() to packet_direct_xmit() via setsockopt() with the option +name of PACKET_QDISC_BYPASS, the skb->mac_header may not be reset and +remains as the initial value of 65535, this may trigger slab-out-of-bounds +bugs as following: + +================================================================= +UG: KASAN: slab-out-of-bounds in ipvlan_xmit_mode_l2+0xdb/0x330 [ipvlan] +PU: 2 PID: 1768 Comm: raw_send Kdump: loaded Not tainted 6.0.0-rc4+ #6 +ardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 +all Trace: +print_address_description.constprop.0+0x1d/0x160 +print_report.cold+0x4f/0x112 +kasan_report+0xa3/0x130 +ipvlan_xmit_mode_l2+0xdb/0x330 [ipvlan] +ipvlan_start_xmit+0x29/0xa0 [ipvlan] +__dev_direct_xmit+0x2e2/0x380 +packet_direct_xmit+0x22/0x60 +packet_snd+0x7c9/0xc40 +sock_sendmsg+0x9a/0xa0 +__sys_sendto+0x18a/0x230 +__x64_sys_sendto+0x74/0x90 +do_syscall_64+0x3b/0x90 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +The root cause is: + 1. packet_snd() only reset skb->mac_header when sock->type is SOCK_RAW + and skb->protocol is not specified as in packet_parse_headers() + + 2. packet_direct_xmit() doesn't reset skb->mac_header as dev_queue_xmit() + +In this case, skb->mac_header is 65535 when ipvlan_xmit_mode_l2() is +called. So when ipvlan_xmit_mode_l2() gets mac header with eth_hdr() which +use "skb->head + skb->mac_header", out-of-bound access occurs. + +This patch replaces eth_hdr() with skb_eth_hdr() in ipvlan_xmit_mode_l2() +and reset mac header in multicast to solve this out-of-bound bug. + +Fixes: 2ad7bf363841 ("ipvlan: Initial check-in of the IPVLAN driver.") +Signed-off-by: Lu Wei +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ipvlan/ipvlan_core.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c +index 8801d093135c..a33149ee0ddc 100644 +--- a/drivers/net/ipvlan/ipvlan_core.c ++++ b/drivers/net/ipvlan/ipvlan_core.c +@@ -496,7 +496,6 @@ static int ipvlan_process_v6_outbound(struct sk_buff *skb) + + static int ipvlan_process_outbound(struct sk_buff *skb) + { +- struct ethhdr *ethh = eth_hdr(skb); + int ret = NET_XMIT_DROP; + + /* The ipvlan is a pseudo-L2 device, so the packets that we receive +@@ -506,6 +505,8 @@ static int ipvlan_process_outbound(struct sk_buff *skb) + if (skb_mac_header_was_set(skb)) { + /* In this mode we dont care about + * multicast and broadcast traffic */ ++ struct ethhdr *ethh = eth_hdr(skb); ++ + if (is_multicast_ether_addr(ethh->h_dest)) { + pr_debug_ratelimited( + "Dropped {multi|broad}cast of type=[%x]\n", +@@ -590,7 +591,7 @@ static int ipvlan_xmit_mode_l3(struct sk_buff *skb, struct net_device *dev) + static int ipvlan_xmit_mode_l2(struct sk_buff *skb, struct net_device *dev) + { + const struct ipvl_dev *ipvlan = netdev_priv(dev); +- struct ethhdr *eth = eth_hdr(skb); ++ struct ethhdr *eth = skb_eth_hdr(skb); + struct ipvl_addr *addr; + void *lyr3h; + int addr_type; +@@ -620,6 +621,7 @@ static int ipvlan_xmit_mode_l2(struct sk_buff *skb, struct net_device *dev) + return dev_forward_skb(ipvlan->phy_dev, skb); + + } else if (is_multicast_ether_addr(eth->h_dest)) { ++ skb_reset_mac_header(skb); + ipvlan_skb_crossing_ns(skb, NULL); + ipvlan_multicast_enqueue(ipvlan->port, skb, true); + return NET_XMIT_SUCCESS; +-- +2.35.1 + diff --git a/queue-5.4/mips-lantiq-export-clk_get_io-for-lantiq_wdt.ko.patch b/queue-5.4/mips-lantiq-export-clk_get_io-for-lantiq_wdt.ko.patch new file mode 100644 index 00000000000..b093a5f371f --- /dev/null +++ b/queue-5.4/mips-lantiq-export-clk_get_io-for-lantiq_wdt.ko.patch @@ -0,0 +1,41 @@ +From 2a3832f6a14a42b8c0032593ea4950d3d58fb176 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 17 Sep 2022 16:25:40 -0700 +Subject: MIPS: lantiq: export clk_get_io() for lantiq_wdt.ko + +From: Randy Dunlap + +[ Upstream commit 502550123bee6a2ffa438409b5b9aad4d6db3a8c ] + +The lantiq WDT driver uses clk_get_io(), which is not exported, +so export it to fix a build error: + +ERROR: modpost: "clk_get_io" [drivers/watchdog/lantiq_wdt.ko] undefined! + +Fixes: 287e3f3f4e68 ("MIPS: lantiq: implement support for clkdev api") +Signed-off-by: Randy Dunlap +Reported-by: kernel test robot +Cc: Thomas Bogendoerfer +Cc: John Crispin +Cc: linux-mips@vger.kernel.org +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/lantiq/clk.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/mips/lantiq/clk.c b/arch/mips/lantiq/clk.c +index 7a623684d9b5..2d5a0bcb0cec 100644 +--- a/arch/mips/lantiq/clk.c ++++ b/arch/mips/lantiq/clk.c +@@ -50,6 +50,7 @@ struct clk *clk_get_io(void) + { + return &cpu_clk_generic[2]; + } ++EXPORT_SYMBOL_GPL(clk_get_io); + + struct clk *clk_get_ppe(void) + { +-- +2.35.1 + diff --git a/queue-5.4/mips-loongson32-fix-phy-mode-being-left-unspecified.patch b/queue-5.4/mips-loongson32-fix-phy-mode-being-left-unspecified.patch new file mode 100644 index 00000000000..fe4a1c58c41 --- /dev/null +++ b/queue-5.4/mips-loongson32-fix-phy-mode-being-left-unspecified.patch @@ -0,0 +1,99 @@ +From f52000a9eb0f6d4ef8ef0d1f1d3771aa7eca2924 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Sep 2022 00:10:09 +0800 +Subject: MIPS: Loongson32: Fix PHY-mode being left unspecified + +From: Serge Semin + +[ Upstream commit e9f3f8f488005f6da3cfb66070706770ecaef747 ] + +commit 0060c8783330 ("net: stmmac: implement support for passive mode +converters via dt") has changed the plat->interface field semantics from +containing the PHY-mode to specifying the MAC-PCS interface mode. Due to +that the loongson32 platform code will leave the phylink interface +uninitialized with the PHY-mode intended by the means of the actual +platform setup. The commit-author most likely has just missed the +arch-specific code to fix. Let's mend the Loongson32 platform code then by +assigning the PHY-mode to the phy_interface field of the STMMAC platform +data. + +Fixes: 0060c8783330 ("net: stmmac: implement support for passive mode converters via dt") +Signed-off-by: Serge Semin +Signed-off-by: Keguang Zhang +Tested-by: Keguang Zhang +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/loongson32/common/platform.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/arch/mips/loongson32/common/platform.c b/arch/mips/loongson32/common/platform.c +index 794c96c2a4cd..311dc1580bbd 100644 +--- a/arch/mips/loongson32/common/platform.c ++++ b/arch/mips/loongson32/common/platform.c +@@ -98,7 +98,7 @@ int ls1x_eth_mux_init(struct platform_device *pdev, void *priv) + if (plat_dat->bus_id) { + __raw_writel(__raw_readl(LS1X_MUX_CTRL0) | GMAC1_USE_UART1 | + GMAC1_USE_UART0, LS1X_MUX_CTRL0); +- switch (plat_dat->interface) { ++ switch (plat_dat->phy_interface) { + case PHY_INTERFACE_MODE_RGMII: + val &= ~(GMAC1_USE_TXCLK | GMAC1_USE_PWM23); + break; +@@ -107,12 +107,12 @@ int ls1x_eth_mux_init(struct platform_device *pdev, void *priv) + break; + default: + pr_err("unsupported mii mode %d\n", +- plat_dat->interface); ++ plat_dat->phy_interface); + return -ENOTSUPP; + } + val &= ~GMAC1_SHUT; + } else { +- switch (plat_dat->interface) { ++ switch (plat_dat->phy_interface) { + case PHY_INTERFACE_MODE_RGMII: + val &= ~(GMAC0_USE_TXCLK | GMAC0_USE_PWM01); + break; +@@ -121,7 +121,7 @@ int ls1x_eth_mux_init(struct platform_device *pdev, void *priv) + break; + default: + pr_err("unsupported mii mode %d\n", +- plat_dat->interface); ++ plat_dat->phy_interface); + return -ENOTSUPP; + } + val &= ~GMAC0_SHUT; +@@ -131,7 +131,7 @@ int ls1x_eth_mux_init(struct platform_device *pdev, void *priv) + plat_dat = dev_get_platdata(&pdev->dev); + + val &= ~PHY_INTF_SELI; +- if (plat_dat->interface == PHY_INTERFACE_MODE_RMII) ++ if (plat_dat->phy_interface == PHY_INTERFACE_MODE_RMII) + val |= 0x4 << PHY_INTF_SELI_SHIFT; + __raw_writel(val, LS1X_MUX_CTRL1); + +@@ -146,9 +146,9 @@ static struct plat_stmmacenet_data ls1x_eth0_pdata = { + .bus_id = 0, + .phy_addr = -1, + #if defined(CONFIG_LOONGSON1_LS1B) +- .interface = PHY_INTERFACE_MODE_MII, ++ .phy_interface = PHY_INTERFACE_MODE_MII, + #elif defined(CONFIG_LOONGSON1_LS1C) +- .interface = PHY_INTERFACE_MODE_RMII, ++ .phy_interface = PHY_INTERFACE_MODE_RMII, + #endif + .mdio_bus_data = &ls1x_mdio_bus_data, + .dma_cfg = &ls1x_eth_dma_cfg, +@@ -186,7 +186,7 @@ struct platform_device ls1x_eth0_pdev = { + static struct plat_stmmacenet_data ls1x_eth1_pdata = { + .bus_id = 1, + .phy_addr = -1, +- .interface = PHY_INTERFACE_MODE_MII, ++ .phy_interface = PHY_INTERFACE_MODE_MII, + .mdio_bus_data = &ls1x_mdio_bus_data, + .dma_cfg = &ls1x_eth_dma_cfg, + .has_gmac = 1, +-- +2.35.1 + diff --git a/queue-5.4/net-sched-fix-possible-refcount-leak-in-tc_new_tfilt.patch b/queue-5.4/net-sched-fix-possible-refcount-leak-in-tc_new_tfilt.patch new file mode 100644 index 00000000000..0a17dab40ef --- /dev/null +++ b/queue-5.4/net-sched-fix-possible-refcount-leak-in-tc_new_tfilt.patch @@ -0,0 +1,38 @@ +From f5275f98812bbb7ab2584e868fc11a5f9fb7af3a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Sep 2022 17:27:34 +0800 +Subject: net: sched: fix possible refcount leak in tc_new_tfilter() + +From: Hangyu Hua + +[ Upstream commit c2e1cfefcac35e0eea229e148c8284088ce437b5 ] + +tfilter_put need to be called to put the refount got by tp->ops->get to +avoid possible refcount leak when chain->tmplt_ops != NULL and +chain->tmplt_ops != tp->ops. + +Fixes: 7d5509fa0d3d ("net: sched: extend proto ops with 'put' callback") +Signed-off-by: Hangyu Hua +Reviewed-by: Vlad Buslov +Link: https://lore.kernel.org/r/20220921092734.31700-1-hbh25y@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/cls_api.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c +index 919c7fa5f02d..48a8c7daa635 100644 +--- a/net/sched/cls_api.c ++++ b/net/sched/cls_api.c +@@ -2098,6 +2098,7 @@ static int tc_new_tfilter(struct sk_buff *skb, struct nlmsghdr *n, + } + + if (chain->tmplt_ops && chain->tmplt_ops != tp->ops) { ++ tfilter_put(tp, fh); + NL_SET_ERR_MSG(extack, "Chain template is set to a different filter kind"); + err = -EINVAL; + goto errout; +-- +2.35.1 + diff --git a/queue-5.4/net-sched-taprio-avoid-disabling-offload-when-it-was.patch b/queue-5.4/net-sched-taprio-avoid-disabling-offload-when-it-was.patch new file mode 100644 index 00000000000..577fa564be1 --- /dev/null +++ b/queue-5.4/net-sched-taprio-avoid-disabling-offload-when-it-was.patch @@ -0,0 +1,146 @@ +From d34b89090ad47fea3b46a368d347b7938fcd8523 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Sep 2022 13:08:01 +0300 +Subject: net/sched: taprio: avoid disabling offload when it was never enabled + +From: Vladimir Oltean + +[ Upstream commit db46e3a88a09c5cf7e505664d01da7238cd56c92 ] + +In an incredibly strange API design decision, qdisc->destroy() gets +called even if qdisc->init() never succeeded, not exclusively since +commit 87b60cfacf9f ("net_sched: fix error recovery at qdisc creation"), +but apparently also earlier (in the case of qdisc_create_dflt()). + +The taprio qdisc does not fully acknowledge this when it attempts full +offload, because it starts off with q->flags = TAPRIO_FLAGS_INVALID in +taprio_init(), then it replaces q->flags with TCA_TAPRIO_ATTR_FLAGS +parsed from netlink (in taprio_change(), tail called from taprio_init()). + +But in taprio_destroy(), we call taprio_disable_offload(), and this +determines what to do based on FULL_OFFLOAD_IS_ENABLED(q->flags). + +But looking at the implementation of FULL_OFFLOAD_IS_ENABLED() +(a bitwise check of bit 1 in q->flags), it is invalid to call this macro +on q->flags when it contains TAPRIO_FLAGS_INVALID, because that is set +to U32_MAX, and therefore FULL_OFFLOAD_IS_ENABLED() will return true on +an invalid set of flags. + +As a result, it is possible to crash the kernel if user space forces an +error between setting q->flags = TAPRIO_FLAGS_INVALID, and the calling +of taprio_enable_offload(). This is because drivers do not expect the +offload to be disabled when it was never enabled. + +The error that we force here is to attach taprio as a non-root qdisc, +but instead as child of an mqprio root qdisc: + +$ tc qdisc add dev swp0 root handle 1: \ + mqprio num_tc 8 map 0 1 2 3 4 5 6 7 \ + queues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 hw 0 +$ tc qdisc replace dev swp0 parent 1:1 \ + taprio num_tc 8 map 0 1 2 3 4 5 6 7 \ + queues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 base-time 0 \ + sched-entry S 0x7f 990000 sched-entry S 0x80 100000 \ + flags 0x0 clockid CLOCK_TAI +Unable to handle kernel paging request at virtual address fffffffffffffff8 +[fffffffffffffff8] pgd=0000000000000000, p4d=0000000000000000 +Internal error: Oops: 96000004 [#1] PREEMPT SMP +Call trace: + taprio_dump+0x27c/0x310 + vsc9959_port_setup_tc+0x1f4/0x460 + felix_port_setup_tc+0x24/0x3c + dsa_slave_setup_tc+0x54/0x27c + taprio_disable_offload.isra.0+0x58/0xe0 + taprio_destroy+0x80/0x104 + qdisc_create+0x240/0x470 + tc_modify_qdisc+0x1fc/0x6b0 + rtnetlink_rcv_msg+0x12c/0x390 + netlink_rcv_skb+0x5c/0x130 + rtnetlink_rcv+0x1c/0x2c + +Fix this by keeping track of the operations we made, and undo the +offload only if we actually did it. + +I've added "bool offloaded" inside a 4 byte hole between "int clockid" +and "atomic64_t picos_per_byte". Now the first cache line looks like +below: + +$ pahole -C taprio_sched net/sched/sch_taprio.o +struct taprio_sched { + struct Qdisc * * qdiscs; /* 0 8 */ + struct Qdisc * root; /* 8 8 */ + u32 flags; /* 16 4 */ + enum tk_offsets tk_offset; /* 20 4 */ + int clockid; /* 24 4 */ + bool offloaded; /* 28 1 */ + + /* XXX 3 bytes hole, try to pack */ + + atomic64_t picos_per_byte; /* 32 0 */ + + /* XXX 8 bytes hole, try to pack */ + + spinlock_t current_entry_lock; /* 40 0 */ + + /* XXX 8 bytes hole, try to pack */ + + struct sched_entry * current_entry; /* 48 8 */ + struct sched_gate_list * oper_sched; /* 56 8 */ + /* --- cacheline 1 boundary (64 bytes) --- */ + +Fixes: 9c66d1564676 ("taprio: Add support for hardware offloading") +Signed-off-by: Vladimir Oltean +Reviewed-by: Vinicius Costa Gomes +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_taprio.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/net/sched/sch_taprio.c b/net/sched/sch_taprio.c +index 4c26f7fb32b3..842ccdcc0db2 100644 +--- a/net/sched/sch_taprio.c ++++ b/net/sched/sch_taprio.c +@@ -65,6 +65,7 @@ struct taprio_sched { + u32 flags; + enum tk_offsets tk_offset; + int clockid; ++ bool offloaded; + atomic64_t picos_per_byte; /* Using picoseconds because for 10Gbps+ + * speeds it's sub-nanoseconds per byte + */ +@@ -1268,6 +1269,8 @@ static int taprio_enable_offload(struct net_device *dev, + goto done; + } + ++ q->offloaded = true; ++ + done: + taprio_offload_free(offload); + +@@ -1282,12 +1285,9 @@ static int taprio_disable_offload(struct net_device *dev, + struct tc_taprio_qopt_offload *offload; + int err; + +- if (!FULL_OFFLOAD_IS_ENABLED(q->flags)) ++ if (!q->offloaded) + return 0; + +- if (!ops->ndo_setup_tc) +- return -EOPNOTSUPP; +- + offload = taprio_offload_alloc(0); + if (!offload) { + NL_SET_ERR_MSG(extack, +@@ -1303,6 +1303,8 @@ static int taprio_disable_offload(struct net_device *dev, + goto out; + } + ++ q->offloaded = false; ++ + out: + taprio_offload_free(offload); + +-- +2.35.1 + diff --git a/queue-5.4/net-sched-taprio-make-qdisc_leaf-see-the-per-netdev-.patch b/queue-5.4/net-sched-taprio-make-qdisc_leaf-see-the-per-netdev-.patch new file mode 100644 index 00000000000..bbd327dbf49 --- /dev/null +++ b/queue-5.4/net-sched-taprio-make-qdisc_leaf-see-the-per-netdev-.patch @@ -0,0 +1,122 @@ +From 27d54b6ac5e8dc861eccb3fa779afae3e026ad78 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Sep 2022 13:08:02 +0300 +Subject: net/sched: taprio: make qdisc_leaf() see the per-netdev-queue pfifo + child qdiscs + +From: Vladimir Oltean + +[ Upstream commit 1461d212ab277d8bba1a753d33e9afe03d81f9d4 ] + +taprio can only operate as root qdisc, and to that end, there exists the +following check in taprio_init(), just as in mqprio: + + if (sch->parent != TC_H_ROOT) + return -EOPNOTSUPP; + +And indeed, when we try to attach taprio to an mqprio child, it fails as +expected: + +$ tc qdisc add dev swp0 root handle 1: mqprio num_tc 8 \ + map 0 1 2 3 4 5 6 7 \ + queues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 hw 0 +$ tc qdisc replace dev swp0 parent 1:2 taprio num_tc 8 \ + map 0 1 2 3 4 5 6 7 \ + queues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 \ + base-time 0 sched-entry S 0x7f 990000 sched-entry S 0x80 100000 \ + flags 0x0 clockid CLOCK_TAI +Error: sch_taprio: Can only be attached as root qdisc. + +(extack message added by me) + +But when we try to attach a taprio child to a taprio root qdisc, +surprisingly it doesn't fail: + +$ tc qdisc replace dev swp0 root handle 1: taprio num_tc 8 \ + map 0 1 2 3 4 5 6 7 queues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 \ + base-time 0 sched-entry S 0x7f 990000 sched-entry S 0x80 100000 \ + flags 0x0 clockid CLOCK_TAI +$ tc qdisc replace dev swp0 parent 1:2 taprio num_tc 8 \ + map 0 1 2 3 4 5 6 7 \ + queues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 \ + base-time 0 sched-entry S 0x7f 990000 sched-entry S 0x80 100000 \ + flags 0x0 clockid CLOCK_TAI + +This is because tc_modify_qdisc() behaves differently when mqprio is +root, vs when taprio is root. + +In the mqprio case, it finds the parent qdisc through +p = qdisc_lookup(dev, TC_H_MAJ(clid)), and then the child qdisc through +q = qdisc_leaf(p, clid). This leaf qdisc q has handle 0, so it is +ignored according to the comment right below ("It may be default qdisc, +ignore it"). As a result, tc_modify_qdisc() goes through the +qdisc_create() code path, and this gives taprio_init() a chance to check +for sch_parent != TC_H_ROOT and error out. + +Whereas in the taprio case, the returned q = qdisc_leaf(p, clid) is +different. It is not the default qdisc created for each netdev queue +(both taprio and mqprio call qdisc_create_dflt() and keep them in +a private q->qdiscs[], or priv->qdiscs[], respectively). Instead, taprio +makes qdisc_leaf() return the _root_ qdisc, aka itself. + +When taprio does that, tc_modify_qdisc() goes through the qdisc_change() +code path, because the qdisc layer never finds out about the child qdisc +of the root. And through the ->change() ops, taprio has no reason to +check whether its parent is root or not, just through ->init(), which is +not called. + +The problem is the taprio_leaf() implementation. Even though code wise, +it does the exact same thing as mqprio_leaf() which it is copied from, +it works with different input data. This is because mqprio does not +attach itself (the root) to each device TX queue, but one of the default +qdiscs from its private array. + +In fact, since commit 13511704f8d7 ("net: taprio offload: enforce qdisc +to netdev queue mapping"), taprio does this too, but just for the full +offload case. So if we tried to attach a taprio child to a fully +offloaded taprio root qdisc, it would properly fail too; just not to a +software root taprio. + +To fix the problem, stop looking at the Qdisc that's attached to the TX +queue, and instead, always return the default qdiscs that we've +allocated (and to which we privately enqueue and dequeue, in software +scheduling mode). + +Since Qdisc_class_ops :: leaf is only called from tc_modify_qdisc(), +the risk of unforeseen side effects introduced by this change is +minimal. + +Fixes: 5a781ccbd19e ("tc: Add support for configuring the taprio scheduler") +Signed-off-by: Vladimir Oltean +Reviewed-by: Vinicius Costa Gomes +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_taprio.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/net/sched/sch_taprio.c b/net/sched/sch_taprio.c +index 842ccdcc0db2..506ebae1f72c 100644 +--- a/net/sched/sch_taprio.c ++++ b/net/sched/sch_taprio.c +@@ -1906,12 +1906,14 @@ static int taprio_dump(struct Qdisc *sch, struct sk_buff *skb) + + static struct Qdisc *taprio_leaf(struct Qdisc *sch, unsigned long cl) + { +- struct netdev_queue *dev_queue = taprio_queue_get(sch, cl); ++ struct taprio_sched *q = qdisc_priv(sch); ++ struct net_device *dev = qdisc_dev(sch); ++ unsigned int ntx = cl - 1; + +- if (!dev_queue) ++ if (ntx >= dev->num_tx_queues) + return NULL; + +- return dev_queue->qdisc_sleeping; ++ return q->qdiscs[ntx]; + } + + static unsigned long taprio_find(struct Qdisc *sch, u32 classid) +-- +2.35.1 + diff --git a/queue-5.4/net-sunhme-fix-packet-reception-for-len-rx_copy_thre.patch b/queue-5.4/net-sunhme-fix-packet-reception-for-len-rx_copy_thre.patch new file mode 100644 index 00000000000..30958c07994 --- /dev/null +++ b/queue-5.4/net-sunhme-fix-packet-reception-for-len-rx_copy_thre.patch @@ -0,0 +1,58 @@ +From f12c4150522a7853254450f54c8641c2969db664 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Sep 2022 19:50:18 -0400 +Subject: net: sunhme: Fix packet reception for len < RX_COPY_THRESHOLD + +From: Sean Anderson + +[ Upstream commit 878e2405710aacfeeb19364c300f38b7a9abfe8f ] + +There is a separate receive path for small packets (under 256 bytes). +Instead of allocating a new dma-capable skb to be used for the next packet, +this path allocates a skb and copies the data into it (reusing the existing +sbk for the next packet). There are two bytes of junk data at the beginning +of every packet. I believe these are inserted in order to allow aligned DMA +and IP headers. We skip over them using skb_reserve. Before copying over +the data, we must use a barrier to ensure we see the whole packet. The +current code only synchronizes len bytes, starting from the beginning of +the packet, including the junk bytes. However, this leaves off the final +two bytes in the packet. Synchronize the whole packet. + +To reproduce this problem, ping a HME with a payload size between 17 and +214 + + $ ping -s 17 + +which will complain rather loudly about the data mismatch. Small packets +(below 60 bytes on the wire) do not have this issue. I suspect this is +related to the padding added to increase the minimum packet size. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Sean Anderson +Reviewed-by: Andrew Lunn +Link: https://lore.kernel.org/r/20220920235018.1675956-1-seanga2@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/sun/sunhme.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/sun/sunhme.c b/drivers/net/ethernet/sun/sunhme.c +index 3133f903279c..dbbbb6ea9f2b 100644 +--- a/drivers/net/ethernet/sun/sunhme.c ++++ b/drivers/net/ethernet/sun/sunhme.c +@@ -2064,9 +2064,9 @@ static void happy_meal_rx(struct happy_meal *hp, struct net_device *dev) + + skb_reserve(copy_skb, 2); + skb_put(copy_skb, len); +- dma_sync_single_for_cpu(hp->dma_dev, dma_addr, len, DMA_FROM_DEVICE); ++ dma_sync_single_for_cpu(hp->dma_dev, dma_addr, len + 2, DMA_FROM_DEVICE); + skb_copy_from_linear_data(skb, copy_skb->data, len); +- dma_sync_single_for_device(hp->dma_dev, dma_addr, len, DMA_FROM_DEVICE); ++ dma_sync_single_for_device(hp->dma_dev, dma_addr, len + 2, DMA_FROM_DEVICE); + /* Reuse original ring buffer. */ + hme_write_rxd(hp, this, + (RXFLAG_OWN|((RX_BUF_ALLOC_SIZE-RX_OFFSET)<<16)), +-- +2.35.1 + diff --git a/queue-5.4/net-team-unsync-device-addresses-on-ndo_stop.patch b/queue-5.4/net-team-unsync-device-addresses-on-ndo_stop.patch new file mode 100644 index 00000000000..f8dffd227b8 --- /dev/null +++ b/queue-5.4/net-team-unsync-device-addresses-on-ndo_stop.patch @@ -0,0 +1,87 @@ +From e232d8530fd907a3cec1288dccd68df9eda15c59 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Sep 2022 16:56:41 +0900 +Subject: net: team: Unsync device addresses on ndo_stop + +From: Benjamin Poirier + +[ Upstream commit bd60234222b2fd5573526da7bcd422801f271f5f ] + +Netdev drivers are expected to call dev_{uc,mc}_sync() in their +ndo_set_rx_mode method and dev_{uc,mc}_unsync() in their ndo_stop method. +This is mentioned in the kerneldoc for those dev_* functions. + +The team driver calls dev_{uc,mc}_unsync() during ndo_uninit instead of +ndo_stop. This is ineffective because address lists (dev->{uc,mc}) have +already been emptied in unregister_netdevice_many() before ndo_uninit is +called. This mistake can result in addresses being leftover on former team +ports after a team device has been deleted; see test_LAG_cleanup() in the +last patch in this series. + +Add unsync calls at their expected location, team_close(). + +v3: +* When adding or deleting a port, only sync/unsync addresses if the team + device is up. In other cases, it is taken care of at the right time by + ndo_open/ndo_set_rx_mode/ndo_stop. + +Fixes: 3d249d4ca7d0 ("net: introduce ethernet teaming device") +Signed-off-by: Benjamin Poirier +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/team/team.c | 24 ++++++++++++++++++------ + 1 file changed, 18 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c +index 0eb894b7c0bd..da74ec778b6e 100644 +--- a/drivers/net/team/team.c ++++ b/drivers/net/team/team.c +@@ -1270,10 +1270,12 @@ static int team_port_add(struct team *team, struct net_device *port_dev, + } + } + +- netif_addr_lock_bh(dev); +- dev_uc_sync_multiple(port_dev, dev); +- dev_mc_sync_multiple(port_dev, dev); +- netif_addr_unlock_bh(dev); ++ if (dev->flags & IFF_UP) { ++ netif_addr_lock_bh(dev); ++ dev_uc_sync_multiple(port_dev, dev); ++ dev_mc_sync_multiple(port_dev, dev); ++ netif_addr_unlock_bh(dev); ++ } + + port->index = -1; + list_add_tail_rcu(&port->list, &team->port_list); +@@ -1344,8 +1346,10 @@ static int team_port_del(struct team *team, struct net_device *port_dev) + netdev_rx_handler_unregister(port_dev); + team_port_disable_netpoll(port); + vlan_vids_del_by_dev(port_dev, dev); +- dev_uc_unsync(port_dev, dev); +- dev_mc_unsync(port_dev, dev); ++ if (dev->flags & IFF_UP) { ++ dev_uc_unsync(port_dev, dev); ++ dev_mc_unsync(port_dev, dev); ++ } + dev_close(port_dev); + team_port_leave(team, port); + +@@ -1694,6 +1698,14 @@ static int team_open(struct net_device *dev) + + static int team_close(struct net_device *dev) + { ++ struct team *team = netdev_priv(dev); ++ struct team_port *port; ++ ++ list_for_each_entry(port, &team->port_list, list) { ++ dev_uc_unsync(port->dev, dev); ++ dev_mc_unsync(port->dev, dev); ++ } ++ + return 0; + } + +-- +2.35.1 + diff --git a/queue-5.4/netfilter-ebtables-fix-memory-leak-when-blob-is-malf.patch b/queue-5.4/netfilter-ebtables-fix-memory-leak-when-blob-is-malf.patch new file mode 100644 index 00000000000..576c105b5ab --- /dev/null +++ b/queue-5.4/netfilter-ebtables-fix-memory-leak-when-blob-is-malf.patch @@ -0,0 +1,40 @@ +From c862ccae084d483e6c92b2938aed25a026002863 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Sep 2022 14:20:17 +0200 +Subject: netfilter: ebtables: fix memory leak when blob is malformed + +From: Florian Westphal + +[ Upstream commit 62ce44c4fff947eebdf10bb582267e686e6835c9 ] + +The bug fix was incomplete, it "replaced" crash with a memory leak. +The old code had an assignment to "ret" embedded into the conditional, +restore this. + +Fixes: 7997eff82828 ("netfilter: ebtables: reject blobs that don't provide all entry points") +Reported-and-tested-by: syzbot+a24c5252f3e3ab733464@syzkaller.appspotmail.com +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/bridge/netfilter/ebtables.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c +index ddb988c339c1..f6853fc0fcc0 100644 +--- a/net/bridge/netfilter/ebtables.c ++++ b/net/bridge/netfilter/ebtables.c +@@ -999,8 +999,10 @@ static int do_replace_finish(struct net *net, struct ebt_replace *repl, + goto free_iterate; + } + +- if (repl->valid_hooks != t->valid_hooks) ++ if (repl->valid_hooks != t->valid_hooks) { ++ ret = -EINVAL; + goto free_unlock; ++ } + + if (repl->num_counters && repl->num_counters != t->private->nentries) { + ret = -EINVAL; +-- +2.35.1 + diff --git a/queue-5.4/netfilter-nf_conntrack_irc-tighten-matching-on-dcc-m.patch b/queue-5.4/netfilter-nf_conntrack_irc-tighten-matching-on-dcc-m.patch new file mode 100644 index 00000000000..ed06c503ec4 --- /dev/null +++ b/queue-5.4/netfilter-nf_conntrack_irc-tighten-matching-on-dcc-m.patch @@ -0,0 +1,84 @@ +From c7cbc892ce7193974b4db682849ab78b22d0fe39 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Aug 2022 14:56:57 +1000 +Subject: netfilter: nf_conntrack_irc: Tighten matching on DCC message + +From: David Leadbeater + +[ Upstream commit e8d5dfd1d8747b56077d02664a8838c71ced948e ] + +CTCP messages should only be at the start of an IRC message, not +anywhere within it. + +While the helper only decodes packes in the ORIGINAL direction, its +possible to make a client send a CTCP message back by empedding one into +a PING request. As-is, thats enough to make the helper believe that it +saw a CTCP message. + +Fixes: 869f37d8e48f ("[NETFILTER]: nf_conntrack/nf_nat: add IRC helper port") +Signed-off-by: David Leadbeater +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_irc.c | 34 ++++++++++++++++++++++++++------ + 1 file changed, 28 insertions(+), 6 deletions(-) + +diff --git a/net/netfilter/nf_conntrack_irc.c b/net/netfilter/nf_conntrack_irc.c +index 26245419ef4a..65b5b05fe38d 100644 +--- a/net/netfilter/nf_conntrack_irc.c ++++ b/net/netfilter/nf_conntrack_irc.c +@@ -148,15 +148,37 @@ static int help(struct sk_buff *skb, unsigned int protoff, + data = ib_ptr; + data_limit = ib_ptr + skb->len - dataoff; + +- /* strlen("\1DCC SENT t AAAAAAAA P\1\n")=24 +- * 5+MINMATCHLEN+strlen("t AAAAAAAA P\1\n")=14 */ +- while (data < data_limit - (19 + MINMATCHLEN)) { +- if (memcmp(data, "\1DCC ", 5)) { ++ /* Skip any whitespace */ ++ while (data < data_limit - 10) { ++ if (*data == ' ' || *data == '\r' || *data == '\n') ++ data++; ++ else ++ break; ++ } ++ ++ /* strlen("PRIVMSG x ")=10 */ ++ if (data < data_limit - 10) { ++ if (strncasecmp("PRIVMSG ", data, 8)) ++ goto out; ++ data += 8; ++ } ++ ++ /* strlen(" :\1DCC SENT t AAAAAAAA P\1\n")=26 ++ * 7+MINMATCHLEN+strlen("t AAAAAAAA P\1\n")=26 ++ */ ++ while (data < data_limit - (21 + MINMATCHLEN)) { ++ /* Find first " :", the start of message */ ++ if (memcmp(data, " :", 2)) { + data++; + continue; + } ++ data += 2; ++ ++ /* then check that place only for the DCC command */ ++ if (memcmp(data, "\1DCC ", 5)) ++ goto out; + data += 5; +- /* we have at least (19+MINMATCHLEN)-5 bytes valid data left */ ++ /* we have at least (21+MINMATCHLEN)-(2+5) bytes valid data left */ + + iph = ip_hdr(skb); + pr_debug("DCC found in master %pI4:%u %pI4:%u\n", +@@ -172,7 +194,7 @@ static int help(struct sk_buff *skb, unsigned int protoff, + pr_debug("DCC %s detected\n", dccprotos[i]); + + /* we have at least +- * (19+MINMATCHLEN)-5-dccprotos[i].matchlen bytes valid ++ * (21+MINMATCHLEN)-7-dccprotos[i].matchlen bytes valid + * data left (== 14/13 bytes) */ + if (parse_dcc(data, data_limit, &dcc_ip, + &dcc_port, &addr_beg_p, &addr_end_p)) { +-- +2.35.1 + diff --git a/queue-5.4/netfilter-nf_conntrack_sip-fix-ct_sip_walk_headers.patch b/queue-5.4/netfilter-nf_conntrack_sip-fix-ct_sip_walk_headers.patch new file mode 100644 index 00000000000..0a73595993f --- /dev/null +++ b/queue-5.4/netfilter-nf_conntrack_sip-fix-ct_sip_walk_headers.patch @@ -0,0 +1,60 @@ +From c2afdc6a165d3592b116170a62125ff94f37d61d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Jun 2019 12:32:40 +0300 +Subject: netfilter: nf_conntrack_sip: fix ct_sip_walk_headers + +From: Igor Ryzhov + +[ Upstream commit 39aebedeaaa95757f5c1f2ddb5f43fdddbf478ca ] + +ct_sip_next_header and ct_sip_get_header return an absolute +value of matchoff, not a shift from current dataoff. +So dataoff should be assigned matchoff, not incremented by it. + +This issue can be seen in the scenario when there are multiple +Contact headers and the first one is using a hostname and other headers +use IP addresses. In this case, ct_sip_walk_headers will work as follows: + +The first ct_sip_get_header call to will find the first Contact header +but will return -1 as the header uses a hostname. But matchoff will +be changed to the offset of this header. After that, dataoff should be +set to matchoff, so that the next ct_sip_get_header call find the next +Contact header. But instead of assigning dataoff to matchoff, it is +incremented by it, which is not correct, as matchoff is an absolute +value of the offset. So on the next call to the ct_sip_get_header, +dataoff will be incorrect, and the next Contact header may not be +found at all. + +Fixes: 05e3ced297fe ("[NETFILTER]: nf_conntrack_sip: introduce SIP-URI parsing helper") +Signed-off-by: Igor Ryzhov +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_sip.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c +index b83dc9bf0a5d..78fd9122b70c 100644 +--- a/net/netfilter/nf_conntrack_sip.c ++++ b/net/netfilter/nf_conntrack_sip.c +@@ -477,7 +477,7 @@ static int ct_sip_walk_headers(const struct nf_conn *ct, const char *dptr, + return ret; + if (ret == 0) + break; +- dataoff += *matchoff; ++ dataoff = *matchoff; + } + *in_header = 0; + } +@@ -489,7 +489,7 @@ static int ct_sip_walk_headers(const struct nf_conn *ct, const char *dptr, + break; + if (ret == 0) + return ret; +- dataoff += *matchoff; ++ dataoff = *matchoff; + } + + if (in_header) +-- +2.35.1 + diff --git a/queue-5.4/netfilter-nfnetlink_osf-fix-possible-bogus-match-in-.patch b/queue-5.4/netfilter-nfnetlink_osf-fix-possible-bogus-match-in-.patch new file mode 100644 index 00000000000..099750c4b92 --- /dev/null +++ b/queue-5.4/netfilter-nfnetlink_osf-fix-possible-bogus-match-in-.patch @@ -0,0 +1,49 @@ +From 44dd8eab211aabe5145859c16e2fcbda68aa58d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Sep 2022 10:26:18 +0200 +Subject: netfilter: nfnetlink_osf: fix possible bogus match in nf_osf_find() + +From: Pablo Neira Ayuso + +[ Upstream commit 559c36c5a8d730c49ef805a72b213d3bba155cc8 ] + +nf_osf_find() incorrectly returns true on mismatch, this leads to +copying uninitialized memory area in nft_osf which can be used to leak +stale kernel stack data to userspace. + +Fixes: 22c7652cdaa8 ("netfilter: nft_osf: Add version option support") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nfnetlink_osf.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c +index 79fbf37291f3..51e3953b414c 100644 +--- a/net/netfilter/nfnetlink_osf.c ++++ b/net/netfilter/nfnetlink_osf.c +@@ -269,6 +269,7 @@ bool nf_osf_find(const struct sk_buff *skb, + struct nf_osf_hdr_ctx ctx; + const struct tcphdr *tcp; + struct tcphdr _tcph; ++ bool found = false; + + memset(&ctx, 0, sizeof(ctx)); + +@@ -283,10 +284,11 @@ bool nf_osf_find(const struct sk_buff *skb, + + data->genre = f->genre; + data->version = f->version; ++ found = true; + break; + } + +- return true; ++ return found; + } + EXPORT_SYMBOL_GPL(nf_osf_find); + +-- +2.35.1 + diff --git a/queue-5.4/of-mdio-add-of_node_put-when-breaking-out-of-for_eac.patch b/queue-5.4/of-mdio-add-of_node_put-when-breaking-out-of-for_eac.patch new file mode 100644 index 00000000000..ee5a9f72ad9 --- /dev/null +++ b/queue-5.4/of-mdio-add-of_node_put-when-breaking-out-of-for_eac.patch @@ -0,0 +1,38 @@ +From cc9d97af6d570cb0a59abb0f7bea3d96bd365bf4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Sep 2022 20:56:59 +0800 +Subject: of: mdio: Add of_node_put() when breaking out of for_each_xx + +From: Liang He + +[ Upstream commit 1c48709e6d9d353acaaac1d8e33474756b121d78 ] + +In of_mdiobus_register(), we should call of_node_put() for 'child' +escaped out of for_each_available_child_of_node(). + +Fixes: 66bdede495c7 ("of_mdio: Fix broken PHY IRQ in case of probe deferral") +Co-developed-by: Miaoqian Lin +Signed-off-by: Miaoqian Lin +Signed-off-by: Liang He +Link: https://lore.kernel.org/r/20220913125659.3331969-1-windhl@126.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/of/of_mdio.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/of/of_mdio.c b/drivers/of/of_mdio.c +index 26ddb4cc675a..7a3de2b5de0c 100644 +--- a/drivers/of/of_mdio.c ++++ b/drivers/of/of_mdio.c +@@ -281,6 +281,7 @@ int of_mdiobus_register(struct mii_bus *mdio, struct device_node *np) + return 0; + + unregister: ++ of_node_put(child); + mdiobus_unregister(mdio); + return rc; + } +-- +2.35.1 + diff --git a/queue-5.4/perf-jit-include-program-header-in-elf-files.patch b/queue-5.4/perf-jit-include-program-header-in-elf-files.patch new file mode 100644 index 00000000000..e8d36deab79 --- /dev/null +++ b/queue-5.4/perf-jit-include-program-header-in-elf-files.patch @@ -0,0 +1,86 @@ +From 39a81cde0f94f4257583d5a9eb6bc9480560696c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Sep 2022 11:29:10 +0200 +Subject: perf jit: Include program header in ELF files + +From: Lieven Hey + +[ Upstream commit babd04386b1df8c364cdaa39ac0e54349502e1e5 ] + +The missing header makes it hard for programs like elfutils to open +these files. + +Fixes: 2d86612aacb7805f ("perf symbol: Correct address for bss symbols") +Reviewed-by: Leo Yan +Signed-off-by: Lieven Hey +Tested-by: Leo Yan +Cc: Leo Yan +Link: https://lore.kernel.org/r/20220915092910.711036-1-lieven.hey@kdab.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/genelf.c | 14 ++++++++++++++ + tools/perf/util/genelf.h | 4 ++++ + 2 files changed, 18 insertions(+) + +diff --git a/tools/perf/util/genelf.c b/tools/perf/util/genelf.c +index 17b74aba8b9a..69744fd5db39 100644 +--- a/tools/perf/util/genelf.c ++++ b/tools/perf/util/genelf.c +@@ -256,6 +256,7 @@ jit_write_elf(int fd, uint64_t load_addr, const char *sym, + Elf_Data *d; + Elf_Scn *scn; + Elf_Ehdr *ehdr; ++ Elf_Phdr *phdr; + Elf_Shdr *shdr; + uint64_t eh_frame_base_offset; + char *strsym = NULL; +@@ -290,6 +291,19 @@ jit_write_elf(int fd, uint64_t load_addr, const char *sym, + ehdr->e_version = EV_CURRENT; + ehdr->e_shstrndx= unwinding ? 4 : 2; /* shdr index for section name */ + ++ /* ++ * setup program header ++ */ ++ phdr = elf_newphdr(e, 1); ++ phdr[0].p_type = PT_LOAD; ++ phdr[0].p_offset = 0; ++ phdr[0].p_vaddr = 0; ++ phdr[0].p_paddr = 0; ++ phdr[0].p_filesz = csize; ++ phdr[0].p_memsz = csize; ++ phdr[0].p_flags = PF_X | PF_R; ++ phdr[0].p_align = 8; ++ + /* + * setup text section + */ +diff --git a/tools/perf/util/genelf.h b/tools/perf/util/genelf.h +index d4137559be05..ac638945b4cb 100644 +--- a/tools/perf/util/genelf.h ++++ b/tools/perf/util/genelf.h +@@ -50,8 +50,10 @@ int jit_add_debug_info(Elf *e, uint64_t code_addr, void *debug, int nr_debug_ent + + #if GEN_ELF_CLASS == ELFCLASS64 + #define elf_newehdr elf64_newehdr ++#define elf_newphdr elf64_newphdr + #define elf_getshdr elf64_getshdr + #define Elf_Ehdr Elf64_Ehdr ++#define Elf_Phdr Elf64_Phdr + #define Elf_Shdr Elf64_Shdr + #define Elf_Sym Elf64_Sym + #define ELF_ST_TYPE(a) ELF64_ST_TYPE(a) +@@ -59,8 +61,10 @@ int jit_add_debug_info(Elf *e, uint64_t code_addr, void *debug, int nr_debug_ent + #define ELF_ST_VIS(a) ELF64_ST_VISIBILITY(a) + #else + #define elf_newehdr elf32_newehdr ++#define elf_newphdr elf32_newphdr + #define elf_getshdr elf32_getshdr + #define Elf_Ehdr Elf32_Ehdr ++#define Elf_Phdr Elf32_Phdr + #define Elf_Shdr Elf32_Shdr + #define Elf_Sym Elf32_Sym + #define ELF_ST_TYPE(a) ELF32_ST_TYPE(a) +-- +2.35.1 + diff --git a/queue-5.4/perf-kcore_copy-do-not-check-proc-modules-is-unchang.patch b/queue-5.4/perf-kcore_copy-do-not-check-proc-modules-is-unchang.patch new file mode 100644 index 00000000000..ecfd5bdd828 --- /dev/null +++ b/queue-5.4/perf-kcore_copy-do-not-check-proc-modules-is-unchang.patch @@ -0,0 +1,62 @@ +From 65cee4639755125ccceddecc31a9b1ad0b2e04d9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Sep 2022 15:24:29 +0300 +Subject: perf kcore_copy: Do not check /proc/modules is unchanged + +From: Adrian Hunter + +[ Upstream commit 5b427df27b94aec1312cace48a746782a0925c53 ] + +/proc/kallsyms and /proc/modules are compared before and after the copy +in order to ensure no changes during the copy. + +However /proc/modules also might change due to reference counts changing +even though that does not make any difference. + +Any modules loaded or unloaded should be visible in changes to kallsyms, +so it is not necessary to check /proc/modules also anyway. + +Remove the comparison checking that /proc/modules is unchanged. + +Fixes: fc1b691d7651d949 ("perf buildid-cache: Add ability to add kcore to the cache") +Reported-by: Daniel Dao +Signed-off-by: Adrian Hunter +Tested-by: Daniel Dao +Acked-by: Namhyung Kim +Cc: Ian Rogers +Cc: Jiri Olsa +Link: https://lore.kernel.org/r/20220914122429.8770-1-adrian.hunter@intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/symbol-elf.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/tools/perf/util/symbol-elf.c b/tools/perf/util/symbol-elf.c +index a04a7dfb8ec0..f15258fbe9db 100644 +--- a/tools/perf/util/symbol-elf.c ++++ b/tools/perf/util/symbol-elf.c +@@ -1912,8 +1912,8 @@ static int kcore_copy__compare_file(const char *from_dir, const char *to_dir, + * unusual. One significant peculiarity is that the mapping (start -> pgoff) + * is not the same for the kernel map and the modules map. That happens because + * the data is copied adjacently whereas the original kcore has gaps. Finally, +- * kallsyms and modules files are compared with their copies to check that +- * modules have not been loaded or unloaded while the copies were taking place. ++ * kallsyms file is compared with its copy to check that modules have not been ++ * loaded or unloaded while the copies were taking place. + * + * Return: %0 on success, %-1 on failure. + */ +@@ -1976,9 +1976,6 @@ int kcore_copy(const char *from_dir, const char *to_dir) + goto out_extract_close; + } + +- if (kcore_copy__compare_file(from_dir, to_dir, "modules")) +- goto out_extract_close; +- + if (kcore_copy__compare_file(from_dir, to_dir, "kallsyms")) + goto out_extract_close; + +-- +2.35.1 + diff --git a/queue-5.4/series b/queue-5.4/series index 6b7eb1912f4..3a9fb708aa8 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -68,3 +68,27 @@ alsa-hda-realtek-enable-4-speaker-output-dell-precision-5530-laptop.patch efi-libstub-check-shim-mode-using-moksbstatert.patch riscv-fix-a-nasty-sigreturn-bug.patch mm-slub-fix-to-return-errno-if-kmalloc-fails.patch +arm64-dts-rockchip-pull-up-wlan-wake-on-gru-bob.patch +arm64-dts-rockchip-set-rk3399-gru-pclk_edp-to-24-mhz.patch +arm64-dts-rockchip-remove-enable-active-low-from-rk3.patch +netfilter-nf_conntrack_sip-fix-ct_sip_walk_headers.patch +netfilter-nf_conntrack_irc-tighten-matching-on-dcc-m.patch +netfilter-nfnetlink_osf-fix-possible-bogus-match-in-.patch +iavf-fix-cached-head-and-tail-value-for-iavf_get_tx_.patch +ipvlan-fix-out-of-bound-bugs-caused-by-unset-skb-mac.patch +net-team-unsync-device-addresses-on-ndo_stop.patch +mips-lantiq-export-clk_get_io-for-lantiq_wdt.ko.patch +mips-loongson32-fix-phy-mode-being-left-unspecified.patch +iavf-fix-bad-page-state.patch +iavf-fix-set-max-mtu-size-with-port-vlan-and-jumbo-f.patch +i40e-fix-vf-set-max-mtu-size.patch +i40e-fix-set-max_tx_rate-when-it-is-lower-than-1-mbp.patch +of-mdio-add-of_node_put-when-breaking-out-of-for_eac.patch +net-sched-taprio-avoid-disabling-offload-when-it-was.patch +net-sched-taprio-make-qdisc_leaf-see-the-per-netdev-.patch +netfilter-ebtables-fix-memory-leak-when-blob-is-malf.patch +can-gs_usb-gs_can_open-fix-race-dev-can.state-condit.patch +perf-jit-include-program-header-in-elf-files.patch +perf-kcore_copy-do-not-check-proc-modules-is-unchang.patch +net-sunhme-fix-packet-reception-for-len-rx_copy_thre.patch +net-sched-fix-possible-refcount-leak-in-tc_new_tfilt.patch