From: Sasha Levin Date: Mon, 23 May 2022 03:03:28 +0000 (-0400) Subject: Fixes for 5.15 X-Git-Tag: v4.9.316~28 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=fada2f04c9b59c60ddb81c08d4227751f30c165c;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.15 Signed-off-by: Sasha Levin --- diff --git a/queue-5.15/alsa-hda-fix-unused-realtek-function-when-pm-is-not-.patch b/queue-5.15/alsa-hda-fix-unused-realtek-function-when-pm-is-not-.patch new file mode 100644 index 00000000000..ff208b1017f --- /dev/null +++ b/queue-5.15/alsa-hda-fix-unused-realtek-function-when-pm-is-not-.patch @@ -0,0 +1,63 @@ +From e9123250c169b1faf33ee84e3991de7f9196b7bc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 30 Apr 2022 12:33:18 -0700 +Subject: ALSA: hda - fix unused Realtek function when PM is not enabled + +From: Randy Dunlap + +[ Upstream commit c3d9ca93f1e3bd3d1adfc4479a12c82fed424c87 ] + +When CONFIG_PM is not enabled, alc_shutup() is not needed, +so move it inside the #ifdef CONFIG_PM guard. +Also drop some contiguous #endif / #ifdef CONFIG_PM for simplicity. + +Fixes this build warning: +sound/pci/hda/patch_realtek.c:886:20: warning: unused function 'alc_shutup' + +Fixes: 08c189f2c552 ("ALSA: hda - Use generic parser codes for Realtek driver") +Signed-off-by: Randy Dunlap +Reported-by: kernel test robot +Link: https://lore.kernel.org/r/20220430193318.29024-1-rdunlap@infradead.org +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 1880e30341a0..040825ea9a08 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -932,6 +932,9 @@ static int alc_init(struct hda_codec *codec) + return 0; + } + ++#define alc_free snd_hda_gen_free ++ ++#ifdef CONFIG_PM + static inline void alc_shutup(struct hda_codec *codec) + { + struct alc_spec *spec = codec->spec; +@@ -945,9 +948,6 @@ static inline void alc_shutup(struct hda_codec *codec) + alc_shutup_pins(codec); + } + +-#define alc_free snd_hda_gen_free +- +-#ifdef CONFIG_PM + static void alc_power_eapd(struct hda_codec *codec) + { + alc_auto_setup_eapd(codec, false); +@@ -961,9 +961,7 @@ static int alc_suspend(struct hda_codec *codec) + spec->power_hook(codec); + return 0; + } +-#endif + +-#ifdef CONFIG_PM + static int alc_resume(struct hda_codec *codec) + { + struct alc_spec *spec = codec->spec; +-- +2.35.1 + diff --git a/queue-5.15/arm-9196-1-spectre-bhb-enable-for-cortex-a15.patch b/queue-5.15/arm-9196-1-spectre-bhb-enable-for-cortex-a15.patch new file mode 100644 index 00000000000..97cbb90ac05 --- /dev/null +++ b/queue-5.15/arm-9196-1-spectre-bhb-enable-for-cortex-a15.patch @@ -0,0 +1,36 @@ +From faf7e1187bb88747d40677ea427d637709acc968 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Apr 2022 09:44:51 +0100 +Subject: ARM: 9196/1: spectre-bhb: enable for Cortex-A15 + +From: Ard Biesheuvel + +[ Upstream commit 0dc14aa94ccd8ba35eb17a0f9b123d1566efd39e ] + +The Spectre-BHB mitigations were inadvertently left disabled for +Cortex-A15, due to the fact that cpu_v7_bugs_init() is not called in +that case. So fix that. + +Fixes: b9baf5c8c5c3 ("ARM: Spectre-BHB workaround") +Signed-off-by: Ard Biesheuvel +Signed-off-by: Russell King (Oracle) +Signed-off-by: Sasha Levin +--- + arch/arm/mm/proc-v7-bugs.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm/mm/proc-v7-bugs.c b/arch/arm/mm/proc-v7-bugs.c +index 06dbfb968182..fb9f3eb6bf48 100644 +--- a/arch/arm/mm/proc-v7-bugs.c ++++ b/arch/arm/mm/proc-v7-bugs.c +@@ -288,6 +288,7 @@ void cpu_v7_ca15_ibe(void) + { + if (check_spectre_auxcr(this_cpu_ptr(&spectre_warned), BIT(0))) + cpu_v7_spectre_v2_init(); ++ cpu_v7_spectre_bhb_init(); + } + + void cpu_v7_bugs_init(void) +-- +2.35.1 + diff --git a/queue-5.15/arm-9197-1-spectre-bhb-fix-loop8-sequence-for-thumb2.patch b/queue-5.15/arm-9197-1-spectre-bhb-fix-loop8-sequence-for-thumb2.patch new file mode 100644 index 00000000000..ad0d9337c86 --- /dev/null +++ b/queue-5.15/arm-9197-1-spectre-bhb-fix-loop8-sequence-for-thumb2.patch @@ -0,0 +1,37 @@ +From de15ad79ebca8d603124476ba944f8ddccf42c7b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Apr 2022 09:46:17 +0100 +Subject: ARM: 9197/1: spectre-bhb: fix loop8 sequence for Thumb2 + +From: Ard Biesheuvel + +[ Upstream commit 3cfb3019979666bdf33a1010147363cf05e0f17b ] + +In Thumb2, 'b . + 4' produces a branch instruction that uses a narrow +encoding, and so it does not jump to the following instruction as +expected. So use W(b) instead. + +Fixes: 6c7cb60bff7a ("ARM: fix Thumb2 regression with Spectre BHB") +Signed-off-by: Ard Biesheuvel +Signed-off-by: Russell King (Oracle) +Signed-off-by: Sasha Levin +--- + arch/arm/kernel/entry-armv.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/kernel/entry-armv.S b/arch/arm/kernel/entry-armv.S +index 46b697dfa4cf..68261a83b7ad 100644 +--- a/arch/arm/kernel/entry-armv.S ++++ b/arch/arm/kernel/entry-armv.S +@@ -1038,7 +1038,7 @@ vector_bhb_loop8_\name: + + @ bhb workaround + mov r0, #8 +-3: b . + 4 ++3: W(b) . + 4 + subs r0, r0, #1 + bne 3b + dsb +-- +2.35.1 + diff --git a/queue-5.15/arm-dts-aspeed-add-adc-for-ast2600-and-enable-for-ra.patch b/queue-5.15/arm-dts-aspeed-add-adc-for-ast2600-and-enable-for-ra.patch new file mode 100644 index 00000000000..2061f34d142 --- /dev/null +++ b/queue-5.15/arm-dts-aspeed-add-adc-for-ast2600-and-enable-for-ra.patch @@ -0,0 +1,114 @@ +From 41c1f2d5bcaa97e9d90450341cec813d06b099de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Sep 2021 16:00:45 -0500 +Subject: ARM: dts: aspeed: Add ADC for AST2600 and enable for Rainier and + Everest + +From: Eddie James + +[ Upstream commit eaad40466bd715c4b342ac9f7c889f5281714feb ] + +Add the ADC nodes to the AST2600 devicetree. Enable ADC1 for Rainier and +Everest systems and add an iio-hwmon node for the 7th channel to report +the battery voltage. + +Tested on Rainier: +~# cat /sys/class/hwmon/hwmon11/in1_input +1347 + +Signed-off-by: Eddie James +Link: https://lore.kernel.org/r/20210916210045.31769-1-eajames@linux.ibm.com +Signed-off-by: Joel Stanley +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/aspeed-bmc-ibm-everest.dts | 15 +++++++++++++++ + arch/arm/boot/dts/aspeed-bmc-ibm-rainier.dts | 15 +++++++++++++++ + arch/arm/boot/dts/aspeed-g6.dtsi | 20 ++++++++++++++++++++ + 3 files changed, 50 insertions(+) + +diff --git a/arch/arm/boot/dts/aspeed-bmc-ibm-everest.dts b/arch/arm/boot/dts/aspeed-bmc-ibm-everest.dts +index 2efd70666738..af7ea7cab8cf 100644 +--- a/arch/arm/boot/dts/aspeed-bmc-ibm-everest.dts ++++ b/arch/arm/boot/dts/aspeed-bmc-ibm-everest.dts +@@ -231,6 +231,21 @@ led-pcieslot-power { + gpios = <&gpio0 ASPEED_GPIO(P, 4) GPIO_ACTIVE_LOW>; + }; + }; ++ ++ iio-hwmon { ++ compatible = "iio-hwmon"; ++ io-channels = <&adc1 7>; ++ }; ++}; ++ ++&adc1 { ++ status = "okay"; ++ aspeed,int-vref-microvolt = <2500000>; ++ pinctrl-names = "default"; ++ pinctrl-0 = <&pinctrl_adc8_default &pinctrl_adc9_default ++ &pinctrl_adc10_default &pinctrl_adc11_default ++ &pinctrl_adc12_default &pinctrl_adc13_default ++ &pinctrl_adc14_default &pinctrl_adc15_default>; + }; + + &gpio0 { +diff --git a/arch/arm/boot/dts/aspeed-bmc-ibm-rainier.dts b/arch/arm/boot/dts/aspeed-bmc-ibm-rainier.dts +index 6419c9762c0b..6c9f34396a3a 100644 +--- a/arch/arm/boot/dts/aspeed-bmc-ibm-rainier.dts ++++ b/arch/arm/boot/dts/aspeed-bmc-ibm-rainier.dts +@@ -246,6 +246,21 @@ fan5-presence { + linux,code = <11>; + }; + }; ++ ++ iio-hwmon { ++ compatible = "iio-hwmon"; ++ io-channels = <&adc1 7>; ++ }; ++}; ++ ++&adc1 { ++ status = "okay"; ++ aspeed,int-vref-microvolt = <2500000>; ++ pinctrl-names = "default"; ++ pinctrl-0 = <&pinctrl_adc8_default &pinctrl_adc9_default ++ &pinctrl_adc10_default &pinctrl_adc11_default ++ &pinctrl_adc12_default &pinctrl_adc13_default ++ &pinctrl_adc14_default &pinctrl_adc15_default>; + }; + + &ehci1 { +diff --git a/arch/arm/boot/dts/aspeed-g6.dtsi b/arch/arm/boot/dts/aspeed-g6.dtsi +index 1b47be1704f8..ee171b3364fa 100644 +--- a/arch/arm/boot/dts/aspeed-g6.dtsi ++++ b/arch/arm/boot/dts/aspeed-g6.dtsi +@@ -364,6 +364,26 @@ xdma: xdma@1e6e7000 { + status = "disabled"; + }; + ++ adc0: adc@1e6e9000 { ++ compatible = "aspeed,ast2600-adc0"; ++ reg = <0x1e6e9000 0x100>; ++ clocks = <&syscon ASPEED_CLK_APB2>; ++ resets = <&syscon ASPEED_RESET_ADC>; ++ interrupts = ; ++ #io-channel-cells = <1>; ++ status = "disabled"; ++ }; ++ ++ adc1: adc@1e6e9100 { ++ compatible = "aspeed,ast2600-adc1"; ++ reg = <0x1e6e9100 0x100>; ++ clocks = <&syscon ASPEED_CLK_APB2>; ++ resets = <&syscon ASPEED_RESET_ADC>; ++ interrupts = ; ++ #io-channel-cells = <1>; ++ status = "disabled"; ++ }; ++ + gpio0: gpio@1e780000 { + #gpio-cells = <2>; + gpio-controller; +-- +2.35.1 + diff --git a/queue-5.15/arm-dts-aspeed-add-secure-boot-controller-node.patch b/queue-5.15/arm-dts-aspeed-add-secure-boot-controller-node.patch new file mode 100644 index 00000000000..9d170264090 --- /dev/null +++ b/queue-5.15/arm-dts-aspeed-add-secure-boot-controller-node.patch @@ -0,0 +1,39 @@ +From e60af54048d79ba34d8c40a5edbf3d11084d7815 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Nov 2021 11:51:05 +0800 +Subject: ARM: dts: aspeed: Add secure boot controller node + +From: Joel Stanley + +[ Upstream commit fea289467608ffddb2f8d3a740912047974bb183 ] + +The ast2600 has a secure boot controller. + +Signed-off-by: Joel Stanley +Reviewed-by: Ryan Chen +Link: https://lore.kernel.org/r/20211117035106.321454-3-joel@jms.id.au +Signed-off-by: Joel Stanley +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/aspeed-g6.dtsi | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/arch/arm/boot/dts/aspeed-g6.dtsi b/arch/arm/boot/dts/aspeed-g6.dtsi +index ee171b3364fa..8f947ed47fc5 100644 +--- a/arch/arm/boot/dts/aspeed-g6.dtsi ++++ b/arch/arm/boot/dts/aspeed-g6.dtsi +@@ -384,6 +384,11 @@ adc1: adc@1e6e9100 { + status = "disabled"; + }; + ++ sbc: secure-boot-controller@1e6f2000 { ++ compatible = "aspeed,ast2600-sbc"; ++ reg = <0x1e6f2000 0x1000>; ++ }; ++ + gpio0: gpio@1e780000 { + #gpio-cells = <2>; + gpio-controller; +-- +2.35.1 + diff --git a/queue-5.15/arm-dts-aspeed-add-video-engine-to-g6.patch b/queue-5.15/arm-dts-aspeed-add-video-engine-to-g6.patch new file mode 100644 index 00000000000..af0f1d7652a --- /dev/null +++ b/queue-5.15/arm-dts-aspeed-add-video-engine-to-g6.patch @@ -0,0 +1,45 @@ +From 191bc836c4be71ecc0c43c7975d188771aaf49ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Mar 2022 03:23:51 +0000 +Subject: ARM: dts: aspeed: Add video engine to g6 + +From: Howard Chiu + +[ Upstream commit 32e62d1beab70d485980013312e747a25c4e13f7 ] + +This node was accidentally removed by commit 645afe73f951 ("ARM: dts: +aspeed: ast2600: Update XDMA engine node"). + +Fixes: 645afe73f951 ("ARM: dts: aspeed: ast2600: Update XDMA engine node") +Signed-off-by: Howard Chiu +Link: https://lore.kernel.org/r/SG2PR06MB2315C57600A0132FEF40F21EE61E9@SG2PR06MB2315.apcprd06.prod.outlook.com +Signed-off-by: Joel Stanley +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/aspeed-g6.dtsi | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/arch/arm/boot/dts/aspeed-g6.dtsi b/arch/arm/boot/dts/aspeed-g6.dtsi +index 8f947ed47fc5..e5724b1a2e20 100644 +--- a/arch/arm/boot/dts/aspeed-g6.dtsi ++++ b/arch/arm/boot/dts/aspeed-g6.dtsi +@@ -389,6 +389,16 @@ sbc: secure-boot-controller@1e6f2000 { + reg = <0x1e6f2000 0x1000>; + }; + ++ video: video@1e700000 { ++ compatible = "aspeed,ast2600-video-engine"; ++ reg = <0x1e700000 0x1000>; ++ clocks = <&syscon ASPEED_CLK_GATE_VCLK>, ++ <&syscon ASPEED_CLK_GATE_ECLK>; ++ clock-names = "vclk", "eclk"; ++ interrupts = ; ++ status = "disabled"; ++ }; ++ + gpio0: gpio@1e780000 { + #gpio-cells = <2>; + gpio-controller; +-- +2.35.1 + diff --git a/queue-5.15/arm-dts-aspeed-g6-fix-spi1-spi2-quad-pin-group.patch b/queue-5.15/arm-dts-aspeed-g6-fix-spi1-spi2-quad-pin-group.patch new file mode 100644 index 00000000000..af77a8ff362 --- /dev/null +++ b/queue-5.15/arm-dts-aspeed-g6-fix-spi1-spi2-quad-pin-group.patch @@ -0,0 +1,45 @@ +From 65539a46a1a9860e7d5fd3959e5d21970c79bf47 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Mar 2022 10:39:32 -0700 +Subject: ARM: dts: aspeed-g6: fix SPI1/SPI2 quad pin group + +From: Jae Hyun Yoo + +[ Upstream commit 890362d41b244536ab63591f813393f5fdf59ed7 ] + +Fix incorrect function mappings in pinctrl_qspi1_default and +pinctrl_qspi2_default since their function should be SPI1 and +SPI2 respectively. + +Fixes: f510f04c8c83 ("ARM: dts: aspeed: Add AST2600 pinmux nodes") +Signed-off-by: Jae Hyun Yoo +Reviewed-by: Andrew Jeffery +Link: https://lore.kernel.org/r/20220329173932.2588289-8-quic_jaehyoo@quicinc.com +Signed-off-by: Joel Stanley +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/aspeed-g6-pinctrl.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm/boot/dts/aspeed-g6-pinctrl.dtsi b/arch/arm/boot/dts/aspeed-g6-pinctrl.dtsi +index 06d60a8540e9..ac07c240419a 100644 +--- a/arch/arm/boot/dts/aspeed-g6-pinctrl.dtsi ++++ b/arch/arm/boot/dts/aspeed-g6-pinctrl.dtsi +@@ -648,12 +648,12 @@ pinctrl_pwm9g1_default: pwm9g1_default { + }; + + pinctrl_qspi1_default: qspi1_default { +- function = "QSPI1"; ++ function = "SPI1"; + groups = "QSPI1"; + }; + + pinctrl_qspi2_default: qspi2_default { +- function = "QSPI2"; ++ function = "SPI2"; + groups = "QSPI2"; + }; + +-- +2.35.1 + diff --git a/queue-5.15/arm-dts-aspeed-g6-remove-fwqspid-group-in-pinctrl-dt.patch b/queue-5.15/arm-dts-aspeed-g6-remove-fwqspid-group-in-pinctrl-dt.patch new file mode 100644 index 00000000000..fd3d72008de --- /dev/null +++ b/queue-5.15/arm-dts-aspeed-g6-remove-fwqspid-group-in-pinctrl-dt.patch @@ -0,0 +1,43 @@ +From 614a5eed28d6ed38845ac4953ad8ad44dc338d23 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Mar 2022 10:39:26 -0700 +Subject: ARM: dts: aspeed-g6: remove FWQSPID group in pinctrl dtsi + +From: Jae Hyun Yoo + +[ Upstream commit efddaa397cceefb61476e383c26fafd1f8ab6356 ] + +FWSPIDQ2 and FWSPIDQ3 are not part of FWSPI18 interface so remove +FWQSPID group in pinctrl dtsi. These pins must be used with the +FWSPI pins that are dedicated for boot SPI interface which provides +same 3.3v logic level. + +Fixes: 2f6edb6bcb2f ("ARM: dts: aspeed: Fix AST2600 quad spi group") +Signed-off-by: Jae Hyun Yoo +Reviewed-by: Andrew Jeffery +Link: https://lore.kernel.org/r/20220329173932.2588289-2-quic_jaehyoo@quicinc.com +Signed-off-by: Joel Stanley +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/aspeed-g6-pinctrl.dtsi | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/arch/arm/boot/dts/aspeed-g6-pinctrl.dtsi b/arch/arm/boot/dts/aspeed-g6-pinctrl.dtsi +index e4775bbceecc..06d60a8540e9 100644 +--- a/arch/arm/boot/dts/aspeed-g6-pinctrl.dtsi ++++ b/arch/arm/boot/dts/aspeed-g6-pinctrl.dtsi +@@ -117,11 +117,6 @@ pinctrl_fwspid_default: fwspid_default { + groups = "FWSPID"; + }; + +- pinctrl_fwqspid_default: fwqspid_default { +- function = "FWSPID"; +- groups = "FWQSPID"; +- }; +- + pinctrl_fwspiwp_default: fwspiwp_default { + function = "FWSPIWP"; + groups = "FWSPIWP"; +-- +2.35.1 + diff --git a/queue-5.15/arm64-enable-repeat-tlbi-workaround-on-kryo4xx-gold-.patch b/queue-5.15/arm64-enable-repeat-tlbi-workaround-on-kryo4xx-gold-.patch new file mode 100644 index 00000000000..b156ae3c0c8 --- /dev/null +++ b/queue-5.15/arm64-enable-repeat-tlbi-workaround-on-kryo4xx-gold-.patch @@ -0,0 +1,57 @@ +From 999db8d485f4830465db0734a89df709fa537740 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 May 2022 16:31:34 +0530 +Subject: arm64: Enable repeat tlbi workaround on KRYO4XX gold CPUs + +From: Shreyas K K + +[ Upstream commit 51f559d66527e238f9a5f82027bff499784d4eac ] + +Add KRYO4XX gold/big cores to the list of CPUs that need the +repeat TLBI workaround. Apply this to the affected +KRYO4XX cores (rcpe to rfpe). + +The variant and revision bits are implementation defined and are +different from the their Cortex CPU counterparts on which they are +based on, i.e., (r0p0 to r3p0) is equivalent to (rcpe to rfpe). + +Signed-off-by: Shreyas K K +Reviewed-by: Sai Prakash Ranjan +Link: https://lore.kernel.org/r/20220512110134.12179-1-quic_shrekk@quicinc.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + Documentation/arm64/silicon-errata.rst | 3 +++ + arch/arm64/kernel/cpu_errata.c | 2 ++ + 2 files changed, 5 insertions(+) + +diff --git a/Documentation/arm64/silicon-errata.rst b/Documentation/arm64/silicon-errata.rst +index d410a47ffa57..7c1750bcc5bd 100644 +--- a/Documentation/arm64/silicon-errata.rst ++++ b/Documentation/arm64/silicon-errata.rst +@@ -163,6 +163,9 @@ stable kernels. + +----------------+-----------------+-----------------+-----------------------------+ + | Qualcomm Tech. | Kryo4xx Silver | N/A | ARM64_ERRATUM_1024718 | + +----------------+-----------------+-----------------+-----------------------------+ ++| Qualcomm Tech. | Kryo4xx Gold | N/A | ARM64_ERRATUM_1286807 | +++----------------+-----------------+-----------------+-----------------------------+ ++ + +----------------+-----------------+-----------------+-----------------------------+ + | Fujitsu | A64FX | E#010001 | FUJITSU_ERRATUM_010001 | + +----------------+-----------------+-----------------+-----------------------------+ +diff --git a/arch/arm64/kernel/cpu_errata.c b/arch/arm64/kernel/cpu_errata.c +index a33d7b8f3b93..c67c19d70159 100644 +--- a/arch/arm64/kernel/cpu_errata.c ++++ b/arch/arm64/kernel/cpu_errata.c +@@ -208,6 +208,8 @@ static const struct arm64_cpu_capabilities arm64_repeat_tlbi_list[] = { + #ifdef CONFIG_ARM64_ERRATUM_1286807 + { + ERRATA_MIDR_RANGE(MIDR_CORTEX_A76, 0, 0, 3, 0), ++ /* Kryo4xx Gold (rcpe to rfpe) => (r0p0 to r3p0) */ ++ ERRATA_MIDR_RANGE(MIDR_QCOM_KRYO_4XX_GOLD, 0xc, 0xe, 0xf, 0xe), + }, + #endif + {}, +-- +2.35.1 + diff --git a/queue-5.15/clk-at91-generated-consider-range-when-calculating-b.patch b/queue-5.15/clk-at91-generated-consider-range-when-calculating-b.patch new file mode 100644 index 00000000000..694af2f47b2 --- /dev/null +++ b/queue-5.15/clk-at91-generated-consider-range-when-calculating-b.patch @@ -0,0 +1,42 @@ +From 8df4a99f240ad11d963cccb087bf5d10b6a72add Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Apr 2022 10:13:18 +0300 +Subject: clk: at91: generated: consider range when calculating best rate + +From: Codrin Ciubotariu + +[ Upstream commit d0031e6fbed955ff8d5f5bbc8fe7382482559cec ] + +clk_generated_best_diff() helps in finding the parent and the divisor to +compute a rate closest to the required one. However, it doesn't take into +account the request's range for the new rate. Make sure the new rate +is within the required range. + +Fixes: 8a8f4bf0c480 ("clk: at91: clk-generated: create function to find best_diff") +Signed-off-by: Codrin Ciubotariu +Link: https://lore.kernel.org/r/20220413071318.244912-1-codrin.ciubotariu@microchip.com +Reviewed-by: Claudiu Beznea +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/at91/clk-generated.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/clk/at91/clk-generated.c b/drivers/clk/at91/clk-generated.c +index b656d25a9767..fe772baeb15f 100644 +--- a/drivers/clk/at91/clk-generated.c ++++ b/drivers/clk/at91/clk-generated.c +@@ -106,6 +106,10 @@ static void clk_generated_best_diff(struct clk_rate_request *req, + tmp_rate = parent_rate; + else + tmp_rate = parent_rate / div; ++ ++ if (tmp_rate < req->min_rate || tmp_rate > req->max_rate) ++ return; ++ + tmp_diff = abs(req->rate - tmp_rate); + + if (*best_diff < 0 || *best_diff >= tmp_diff) { +-- +2.35.1 + diff --git a/queue-5.15/ethernet-tulip-fix-missing-pci_disable_device-on-err.patch b/queue-5.15/ethernet-tulip-fix-missing-pci_disable_device-on-err.patch new file mode 100644 index 00000000000..0d7c7d3d000 --- /dev/null +++ b/queue-5.15/ethernet-tulip-fix-missing-pci_disable_device-on-err.patch @@ -0,0 +1,49 @@ +From fb8cee6c016bd535c9ff0c21a212b606b1986f78 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 May 2022 17:42:50 +0800 +Subject: ethernet: tulip: fix missing pci_disable_device() on error in + tulip_init_one() + +From: Yang Yingliang + +[ Upstream commit 51ca86b4c9c7c75f5630fa0dbe5f8f0bd98e3c3e ] + +Fix the missing pci_disable_device() before return +from tulip_init_one() in the error handling case. + +Reported-by: Hulk Robot +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20220506094250.3630615-1-yangyingliang@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/dec/tulip/tulip_core.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/dec/tulip/tulip_core.c b/drivers/net/ethernet/dec/tulip/tulip_core.c +index fcedd733bacb..834a3f8c80da 100644 +--- a/drivers/net/ethernet/dec/tulip/tulip_core.c ++++ b/drivers/net/ethernet/dec/tulip/tulip_core.c +@@ -1398,8 +1398,10 @@ static int tulip_init_one(struct pci_dev *pdev, const struct pci_device_id *ent) + + /* alloc_etherdev ensures aligned and zeroed private structures */ + dev = alloc_etherdev (sizeof (*tp)); +- if (!dev) ++ if (!dev) { ++ pci_disable_device(pdev); + return -ENOMEM; ++ } + + SET_NETDEV_DEV(dev, &pdev->dev); + if (pci_resource_len (pdev, 0) < tulip_tbl[chip_idx].io_size) { +@@ -1778,6 +1780,7 @@ static int tulip_init_one(struct pci_dev *pdev, const struct pci_device_id *ent) + + err_out_free_netdev: + free_netdev (dev); ++ pci_disable_device(pdev); + return -ENODEV; + } + +-- +2.35.1 + diff --git a/queue-5.15/fbdev-prevent-possible-use-after-free-in-fb_release.patch b/queue-5.15/fbdev-prevent-possible-use-after-free-in-fb_release.patch new file mode 100644 index 00000000000..ae5de5911a1 --- /dev/null +++ b/queue-5.15/fbdev-prevent-possible-use-after-free-in-fb_release.patch @@ -0,0 +1,47 @@ +From 6482e9f6a97501252eac6bf4a54636431b05e80e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 May 2022 00:04:13 +0200 +Subject: fbdev: Prevent possible use-after-free in fb_release() + +From: Daniel Vetter + +[ Upstream commit 89bfd4017e58faaf70411555e7f508495114e90b ] + +Most fbdev drivers have issues with the fb_info lifetime, because call to +framebuffer_release() from their driver's .remove callback, rather than +doing from fbops.fb_destroy callback. + +Doing that will destroy the fb_info too early, while references to it may +still exist, leading to a use-after-free error. + +To prevent this, check the fb_info reference counter when attempting to +kfree the data structure in framebuffer_release(). That will leak it but +at least will prevent the mentioned error. + +Signed-off-by: Daniel Vetter +Signed-off-by: Javier Martinez Canillas +Reviewed-by: Thomas Zimmermann +Link: https://patchwork.freedesktop.org/patch/msgid/20220505220413.365977-1-javierm@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/core/fbsysfs.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/video/fbdev/core/fbsysfs.c b/drivers/video/fbdev/core/fbsysfs.c +index 65dae05fff8e..ce699396d6ba 100644 +--- a/drivers/video/fbdev/core/fbsysfs.c ++++ b/drivers/video/fbdev/core/fbsysfs.c +@@ -80,6 +80,10 @@ void framebuffer_release(struct fb_info *info) + { + if (!info) + return; ++ ++ if (WARN_ON(refcount_read(&info->count))) ++ return; ++ + kfree(info->apertures); + kfree(info); + } +-- +2.35.1 + diff --git a/queue-5.15/gpio-gpio-vf610-do-not-touch-other-bits-when-set-the.patch b/queue-5.15/gpio-gpio-vf610-do-not-touch-other-bits-when-set-the.patch new file mode 100644 index 00000000000..cd07f3deaec --- /dev/null +++ b/queue-5.15/gpio-gpio-vf610-do-not-touch-other-bits-when-set-the.patch @@ -0,0 +1,45 @@ +From d46dd4bcb031b2ced3912d59bdc29d492e365b64 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 May 2022 10:15:04 +0800 +Subject: gpio: gpio-vf610: do not touch other bits when set the target bit + +From: Haibo Chen + +[ Upstream commit 9bf3ac466faa83d51a8fe9212131701e58fdef74 ] + +For gpio controller contain register PDDR, when set one target bit, +current logic will clear all other bits, this is wrong. Use operator +'|=' to fix it. + +Fixes: 659d8a62311f ("gpio: vf610: add imx7ulp support") +Reviewed-by: Peng Fan +Signed-off-by: Haibo Chen +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-vf610.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpio/gpio-vf610.c b/drivers/gpio/gpio-vf610.c +index e0f2b67558e7..47e191e11c69 100644 +--- a/drivers/gpio/gpio-vf610.c ++++ b/drivers/gpio/gpio-vf610.c +@@ -125,9 +125,13 @@ static int vf610_gpio_direction_output(struct gpio_chip *chip, unsigned gpio, + { + struct vf610_gpio_port *port = gpiochip_get_data(chip); + unsigned long mask = BIT(gpio); ++ u32 val; + +- if (port->sdata && port->sdata->have_paddr) +- vf610_gpio_writel(mask, port->gpio_base + GPIO_PDDR); ++ if (port->sdata && port->sdata->have_paddr) { ++ val = vf610_gpio_readl(port->gpio_base + GPIO_PDDR); ++ val |= mask; ++ vf610_gpio_writel(val, port->gpio_base + GPIO_PDDR); ++ } + + vf610_gpio_set(chip, gpio, value); + +-- +2.35.1 + diff --git a/queue-5.15/gpio-mvebu-pwm-refuse-requests-with-inverted-polarit.patch b/queue-5.15/gpio-mvebu-pwm-refuse-requests-with-inverted-polarit.patch new file mode 100644 index 00000000000..8ac4da036e5 --- /dev/null +++ b/queue-5.15/gpio-mvebu-pwm-refuse-requests-with-inverted-polarit.patch @@ -0,0 +1,40 @@ +From 61fe15ade8736a78cd3b3fa5054e421867fdd5cc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 May 2022 09:58:56 +0200 +Subject: gpio: mvebu/pwm: Refuse requests with inverted polarity +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit 3ecb10175b1f776f076553c24e2689e42953fef5 ] + +The driver doesn't take struct pwm_state::polarity into account when +configuring the hardware, so refuse requests for inverted polarity. + +Fixes: 757642f9a584 ("gpio: mvebu: Add limited PWM support") +Signed-off-by: Uwe Kleine-König +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-mvebu.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpio/gpio-mvebu.c b/drivers/gpio/gpio-mvebu.c +index ad8822da7c27..1448dc874dfc 100644 +--- a/drivers/gpio/gpio-mvebu.c ++++ b/drivers/gpio/gpio-mvebu.c +@@ -707,6 +707,9 @@ static int mvebu_pwm_apply(struct pwm_chip *chip, struct pwm_device *pwm, + unsigned long flags; + unsigned int on, off; + ++ if (state->polarity != PWM_POLARITY_NORMAL) ++ return -EINVAL; ++ + val = (unsigned long long) mvpwm->clk_rate * state->duty_cycle; + do_div(val, NSEC_PER_SEC); + if (val > UINT_MAX + 1ULL) +-- +2.35.1 + diff --git a/queue-5.15/ice-fix-crash-when-writing-timestamp-on-rx-rings.patch b/queue-5.15/ice-fix-crash-when-writing-timestamp-on-rx-rings.patch new file mode 100644 index 00000000000..14c3e9dfc15 --- /dev/null +++ b/queue-5.15/ice-fix-crash-when-writing-timestamp-on-rx-rings.patch @@ -0,0 +1,107 @@ +From f72290165d2098f75ff54691a0033ce6478585c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Apr 2022 10:33:50 +0200 +Subject: ice: fix crash when writing timestamp on RX rings + +From: Arkadiusz Kubalewski + +[ Upstream commit 4503cc7fdf9a84cd631b0cb8ecb3c9b1bdbf3594 ] + +Do not allow to write timestamps on RX rings if PF is being configured. +When PF is being configured RX rings can be freed or rebuilt. If at the +same time timestamps are updated, the kernel will crash by dereferencing +null RX ring pointer. + +PID: 1449 TASK: ff187d28ed658040 CPU: 34 COMMAND: "ice-ptp-0000:51" + #0 [ff1966a94a713bb0] machine_kexec at ffffffff9d05a0be + #1 [ff1966a94a713c08] __crash_kexec at ffffffff9d192e9d + #2 [ff1966a94a713cd0] crash_kexec at ffffffff9d1941bd + #3 [ff1966a94a713ce8] oops_end at ffffffff9d01bd54 + #4 [ff1966a94a713d08] no_context at ffffffff9d06bda4 + #5 [ff1966a94a713d60] __bad_area_nosemaphore at ffffffff9d06c10c + #6 [ff1966a94a713da8] do_page_fault at ffffffff9d06cae4 + #7 [ff1966a94a713de0] page_fault at ffffffff9da0107e + [exception RIP: ice_ptp_update_cached_phctime+91] + RIP: ffffffffc076db8b RSP: ff1966a94a713e98 RFLAGS: 00010246 + RAX: 16e3db9c6b7ccae4 RBX: ff187d269dd3c180 RCX: ff187d269cd4d018 + RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 + RBP: ff187d269cfcc644 R8: ff187d339b9641b0 R9: 0000000000000000 + R10: 0000000000000002 R11: 0000000000000000 R12: ff187d269cfcc648 + R13: ffffffff9f128784 R14: ffffffff9d101b70 R15: ff187d269cfcc640 + ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 + #8 [ff1966a94a713ea0] ice_ptp_periodic_work at ffffffffc076dbef [ice] + #9 [ff1966a94a713ee0] kthread_worker_fn at ffffffff9d101c1b + #10 [ff1966a94a713f10] kthread at ffffffff9d101b4d + #11 [ff1966a94a713f50] ret_from_fork at ffffffff9da0023f + +Fixes: 77a781155a65 ("ice: enable receive hardware timestamping") +Signed-off-by: Arkadiusz Kubalewski +Reviewed-by: Michal Schmidt +Tested-by: Dave Cain +Tested-by: Gurucharan (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_ptp.c | 19 +++++++++++++++---- + 1 file changed, 15 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_ptp.c b/drivers/net/ethernet/intel/ice/ice_ptp.c +index ef26ff351b57..9b50e9e6042a 100644 +--- a/drivers/net/ethernet/intel/ice/ice_ptp.c ++++ b/drivers/net/ethernet/intel/ice/ice_ptp.c +@@ -254,12 +254,19 @@ ice_ptp_read_src_clk_reg(struct ice_pf *pf, struct ptp_system_timestamp *sts) + * This function must be called periodically to ensure that the cached value + * is never more than 2 seconds old. It must also be called whenever the PHC + * time has been changed. ++ * ++ * Return: ++ * * 0 - OK, successfully updated ++ * * -EAGAIN - PF was busy, need to reschedule the update + */ +-static void ice_ptp_update_cached_phctime(struct ice_pf *pf) ++static int ice_ptp_update_cached_phctime(struct ice_pf *pf) + { + u64 systime; + int i; + ++ if (test_and_set_bit(ICE_CFG_BUSY, pf->state)) ++ return -EAGAIN; ++ + /* Read the current PHC time */ + systime = ice_ptp_read_src_clk_reg(pf, NULL); + +@@ -282,6 +289,9 @@ static void ice_ptp_update_cached_phctime(struct ice_pf *pf) + WRITE_ONCE(vsi->rx_rings[j]->cached_phctime, systime); + } + } ++ clear_bit(ICE_CFG_BUSY, pf->state); ++ ++ return 0; + } + + /** +@@ -1418,17 +1428,18 @@ static void ice_ptp_periodic_work(struct kthread_work *work) + { + struct ice_ptp *ptp = container_of(work, struct ice_ptp, work.work); + struct ice_pf *pf = container_of(ptp, struct ice_pf, ptp); ++ int err; + + if (!test_bit(ICE_FLAG_PTP, pf->flags)) + return; + +- ice_ptp_update_cached_phctime(pf); ++ err = ice_ptp_update_cached_phctime(pf); + + ice_ptp_tx_tstamp_cleanup(&pf->hw, &pf->ptp.port.tx); + +- /* Run twice a second */ ++ /* Run twice a second or reschedule if phc update failed */ + kthread_queue_delayed_work(ptp->kworker, &ptp->work, +- msecs_to_jiffies(500)); ++ msecs_to_jiffies(err ? 10 : 500)); + } + + /** +-- +2.35.1 + diff --git a/queue-5.15/ice-fix-interrupt-moderation-settings-getting-cleare.patch b/queue-5.15/ice-fix-interrupt-moderation-settings-getting-cleare.patch new file mode 100644 index 00000000000..dccbab34753 --- /dev/null +++ b/queue-5.15/ice-fix-interrupt-moderation-settings-getting-cleare.patch @@ -0,0 +1,116 @@ +From 916421f94edea4360daf71aec9c0ddaa3ac5c918 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 8 May 2022 19:33:48 -0400 +Subject: ice: Fix interrupt moderation settings getting cleared + +From: Michal Wilczynski + +[ Upstream commit bf13502ed5f941b0777b3fd1e24dac5d93f3886c ] + +Adaptive-rx and Adaptive-tx are interrupt moderation settings +that can be enabled/disabled using ethtool: +ethtool -C ethX adaptive-rx on/off adaptive-tx on/off + +Unfortunately those settings are getting cleared after +changing number of queues, or in ethtool world 'channels': +ethtool -L ethX rx 1 tx 1 + +Clearing was happening due to introduction of bit fields +in ice_ring_container struct. This way only itr_setting +bits were rebuilt during ice_vsi_rebuild_set_coalesce(). + +Introduce an anonymous struct of bitfields and create a +union to refer to them as a single variable. +This way variable can be easily saved and restored. + +Fixes: 61dc79ced7aa ("ice: Restore interrupt throttle settings after VSI rebuild") +Signed-off-by: Michal Wilczynski +Tested-by: Gurucharan (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_lib.c | 16 ++++++++-------- + drivers/net/ethernet/intel/ice/ice_txrx.h | 11 ++++++++--- + 2 files changed, 16 insertions(+), 11 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_lib.c b/drivers/net/ethernet/intel/ice/ice_lib.c +index 653996e8fd30..4417238b0e64 100644 +--- a/drivers/net/ethernet/intel/ice/ice_lib.c ++++ b/drivers/net/ethernet/intel/ice/ice_lib.c +@@ -2980,8 +2980,8 @@ ice_vsi_rebuild_get_coalesce(struct ice_vsi *vsi, + ice_for_each_q_vector(vsi, i) { + struct ice_q_vector *q_vector = vsi->q_vectors[i]; + +- coalesce[i].itr_tx = q_vector->tx.itr_setting; +- coalesce[i].itr_rx = q_vector->rx.itr_setting; ++ coalesce[i].itr_tx = q_vector->tx.itr_settings; ++ coalesce[i].itr_rx = q_vector->rx.itr_settings; + coalesce[i].intrl = q_vector->intrl; + + if (i < vsi->num_txq) +@@ -3037,21 +3037,21 @@ ice_vsi_rebuild_set_coalesce(struct ice_vsi *vsi, + */ + if (i < vsi->alloc_rxq && coalesce[i].rx_valid) { + rc = &vsi->q_vectors[i]->rx; +- rc->itr_setting = coalesce[i].itr_rx; ++ rc->itr_settings = coalesce[i].itr_rx; + ice_write_itr(rc, rc->itr_setting); + } else if (i < vsi->alloc_rxq) { + rc = &vsi->q_vectors[i]->rx; +- rc->itr_setting = coalesce[0].itr_rx; ++ rc->itr_settings = coalesce[0].itr_rx; + ice_write_itr(rc, rc->itr_setting); + } + + if (i < vsi->alloc_txq && coalesce[i].tx_valid) { + rc = &vsi->q_vectors[i]->tx; +- rc->itr_setting = coalesce[i].itr_tx; ++ rc->itr_settings = coalesce[i].itr_tx; + ice_write_itr(rc, rc->itr_setting); + } else if (i < vsi->alloc_txq) { + rc = &vsi->q_vectors[i]->tx; +- rc->itr_setting = coalesce[0].itr_tx; ++ rc->itr_settings = coalesce[0].itr_tx; + ice_write_itr(rc, rc->itr_setting); + } + +@@ -3065,12 +3065,12 @@ ice_vsi_rebuild_set_coalesce(struct ice_vsi *vsi, + for (; i < vsi->num_q_vectors; i++) { + /* transmit */ + rc = &vsi->q_vectors[i]->tx; +- rc->itr_setting = coalesce[0].itr_tx; ++ rc->itr_settings = coalesce[0].itr_tx; + ice_write_itr(rc, rc->itr_setting); + + /* receive */ + rc = &vsi->q_vectors[i]->rx; +- rc->itr_setting = coalesce[0].itr_rx; ++ rc->itr_settings = coalesce[0].itr_rx; + ice_write_itr(rc, rc->itr_setting); + + vsi->q_vectors[i]->intrl = coalesce[0].intrl; +diff --git a/drivers/net/ethernet/intel/ice/ice_txrx.h b/drivers/net/ethernet/intel/ice/ice_txrx.h +index 69f78a1c234f..4adc3dff04ba 100644 +--- a/drivers/net/ethernet/intel/ice/ice_txrx.h ++++ b/drivers/net/ethernet/intel/ice/ice_txrx.h +@@ -345,9 +345,14 @@ struct ice_ring_container { + /* this matches the maximum number of ITR bits, but in usec + * values, so it is shifted left one bit (bit zero is ignored) + */ +- u16 itr_setting:13; +- u16 itr_reserved:2; +- u16 itr_mode:1; ++ union { ++ struct { ++ u16 itr_setting:13; ++ u16 itr_reserved:2; ++ u16 itr_mode:1; ++ }; ++ u16 itr_settings; ++ }; + enum ice_container_type type; + }; + +-- +2.35.1 + diff --git a/queue-5.15/ice-fix-possible-under-reporting-of-ethtool-tx-and-r.patch b/queue-5.15/ice-fix-possible-under-reporting-of-ethtool-tx-and-r.patch new file mode 100644 index 00000000000..ef0947a6890 --- /dev/null +++ b/queue-5.15/ice-fix-possible-under-reporting-of-ethtool-tx-and-r.patch @@ -0,0 +1,51 @@ +From 9941498e532f3ddaddcb431c243424f3c7c80f1d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Apr 2022 14:11:42 -0700 +Subject: ice: fix possible under reporting of ethtool Tx and Rx statistics + +From: Paul Greenwalt + +[ Upstream commit 31b6298fd8e29effe9ed6b77351ac5969be56ce0 ] + +The hardware statistics counters are not cleared during resets so the +drivers first access is to initialize the baseline and then subsequent +reads are for reporting the counters. The statistics counters are read +during the watchdog subtask when the interface is up. If the baseline +is not initialized before the interface is up, then there can be a brief +window in which some traffic can be transmitted/received before the +initial baseline reading takes place. + +Directly initialize ethtool statistics in driver open so the baseline will +be initialized when the interface is up, and any dropped packets +incremented before the interface is up won't be reported. + +Fixes: 28dc1b86f8ea9 ("ice: ignore dropped packets during init") +Signed-off-by: Paul Greenwalt +Tested-by: Gurucharan (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_main.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c +index 27b5c75ce386..188abf36a5b2 100644 +--- a/drivers/net/ethernet/intel/ice/ice_main.c ++++ b/drivers/net/ethernet/intel/ice/ice_main.c +@@ -5656,9 +5656,10 @@ static int ice_up_complete(struct ice_vsi *vsi) + netif_carrier_on(vsi->netdev); + } + +- /* clear this now, and the first stats read will be used as baseline */ +- vsi->stat_offsets_loaded = false; +- ++ /* Perform an initial read of the statistics registers now to ++ * set the baseline so counters are ready when interface is up ++ */ ++ ice_update_eth_stats(vsi); + ice_service_task_schedule(pf); + + return 0; +-- +2.35.1 + diff --git a/queue-5.15/ice-move-ice_container_type-onto-ice_ring_container.patch b/queue-5.15/ice-move-ice_container_type-onto-ice_ring_container.patch new file mode 100644 index 00000000000..8b8d795193c --- /dev/null +++ b/queue-5.15/ice-move-ice_container_type-onto-ice_ring_container.patch @@ -0,0 +1,203 @@ +From 848b770db3e16d851639f6c14463651aca2eed23 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Aug 2021 13:59:57 +0200 +Subject: ice: move ice_container_type onto ice_ring_container + +From: Maciej Fijalkowski + +[ Upstream commit dc23715cf30a9acb808f5b08962877c390d3e6ea ] + +Currently ice_container_type is scoped only for ice_ethtool.c. Next +commit that will split the ice_ring struct onto Rx/Tx specific ring +structs is going to also modify the type of linked list of rings that is +within ice_ring_container. Therefore, the functions that are taking the +ice_ring_container as an input argument will need to be aware of a ring +type that will be looked up. + +Embed ice_container_type within ice_ring_container and initialize it +properly when allocating the q_vectors. + +Signed-off-by: Maciej Fijalkowski +Tested-by: Gurucharan G +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_base.c | 2 ++ + drivers/net/ethernet/intel/ice/ice_ethtool.c | 38 ++++++++------------ + drivers/net/ethernet/intel/ice/ice_txrx.h | 6 ++++ + 3 files changed, 23 insertions(+), 23 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_base.c b/drivers/net/ethernet/intel/ice/ice_base.c +index f74610442bda..533a953f15ac 100644 +--- a/drivers/net/ethernet/intel/ice/ice_base.c ++++ b/drivers/net/ethernet/intel/ice/ice_base.c +@@ -115,6 +115,8 @@ static int ice_vsi_alloc_q_vector(struct ice_vsi *vsi, u16 v_idx) + q_vector->rx.itr_setting = ICE_DFLT_RX_ITR; + q_vector->tx.itr_mode = ITR_DYNAMIC; + q_vector->rx.itr_mode = ITR_DYNAMIC; ++ q_vector->tx.type = ICE_TX_CONTAINER; ++ q_vector->rx.type = ICE_RX_CONTAINER; + + if (vsi->type == ICE_VSI_VF) + goto out; +diff --git a/drivers/net/ethernet/intel/ice/ice_ethtool.c b/drivers/net/ethernet/intel/ice/ice_ethtool.c +index 38c2d9a5574a..19f115402969 100644 +--- a/drivers/net/ethernet/intel/ice/ice_ethtool.c ++++ b/drivers/net/ethernet/intel/ice/ice_ethtool.c +@@ -3466,15 +3466,9 @@ static int ice_set_wol(struct net_device *netdev, struct ethtool_wolinfo *wol) + return 0; + } + +-enum ice_container_type { +- ICE_RX_CONTAINER, +- ICE_TX_CONTAINER, +-}; +- + /** + * ice_get_rc_coalesce - get ITR values for specific ring container + * @ec: ethtool structure to fill with driver's coalesce settings +- * @c_type: container type, Rx or Tx + * @rc: ring container that the ITR values will come from + * + * Query the device for ice_ring_container specific ITR values. This is +@@ -3484,13 +3478,12 @@ enum ice_container_type { + * Returns 0 on success, negative otherwise. + */ + static int +-ice_get_rc_coalesce(struct ethtool_coalesce *ec, enum ice_container_type c_type, +- struct ice_ring_container *rc) ++ice_get_rc_coalesce(struct ethtool_coalesce *ec, struct ice_ring_container *rc) + { + if (!rc->ring) + return -EINVAL; + +- switch (c_type) { ++ switch (rc->type) { + case ICE_RX_CONTAINER: + ec->use_adaptive_rx_coalesce = ITR_IS_DYNAMIC(rc); + ec->rx_coalesce_usecs = rc->itr_setting; +@@ -3501,7 +3494,7 @@ ice_get_rc_coalesce(struct ethtool_coalesce *ec, enum ice_container_type c_type, + ec->tx_coalesce_usecs = rc->itr_setting; + break; + default: +- dev_dbg(ice_pf_to_dev(rc->ring->vsi->back), "Invalid c_type %d\n", c_type); ++ dev_dbg(ice_pf_to_dev(rc->ring->vsi->back), "Invalid c_type %d\n", rc->type); + return -EINVAL; + } + +@@ -3522,18 +3515,18 @@ static int + ice_get_q_coalesce(struct ice_vsi *vsi, struct ethtool_coalesce *ec, int q_num) + { + if (q_num < vsi->num_rxq && q_num < vsi->num_txq) { +- if (ice_get_rc_coalesce(ec, ICE_RX_CONTAINER, ++ if (ice_get_rc_coalesce(ec, + &vsi->rx_rings[q_num]->q_vector->rx)) + return -EINVAL; +- if (ice_get_rc_coalesce(ec, ICE_TX_CONTAINER, ++ if (ice_get_rc_coalesce(ec, + &vsi->tx_rings[q_num]->q_vector->tx)) + return -EINVAL; + } else if (q_num < vsi->num_rxq) { +- if (ice_get_rc_coalesce(ec, ICE_RX_CONTAINER, ++ if (ice_get_rc_coalesce(ec, + &vsi->rx_rings[q_num]->q_vector->rx)) + return -EINVAL; + } else if (q_num < vsi->num_txq) { +- if (ice_get_rc_coalesce(ec, ICE_TX_CONTAINER, ++ if (ice_get_rc_coalesce(ec, + &vsi->tx_rings[q_num]->q_vector->tx)) + return -EINVAL; + } else { +@@ -3585,7 +3578,6 @@ ice_get_per_q_coalesce(struct net_device *netdev, u32 q_num, + + /** + * ice_set_rc_coalesce - set ITR values for specific ring container +- * @c_type: container type, Rx or Tx + * @ec: ethtool structure from user to update ITR settings + * @rc: ring container that the ITR values will come from + * @vsi: VSI associated to the ring container +@@ -3597,10 +3589,10 @@ ice_get_per_q_coalesce(struct net_device *netdev, u32 q_num, + * Returns 0 on success, negative otherwise. + */ + static int +-ice_set_rc_coalesce(enum ice_container_type c_type, struct ethtool_coalesce *ec, ++ice_set_rc_coalesce(struct ethtool_coalesce *ec, + struct ice_ring_container *rc, struct ice_vsi *vsi) + { +- const char *c_type_str = (c_type == ICE_RX_CONTAINER) ? "rx" : "tx"; ++ const char *c_type_str = (rc->type == ICE_RX_CONTAINER) ? "rx" : "tx"; + u32 use_adaptive_coalesce, coalesce_usecs; + struct ice_pf *pf = vsi->back; + u16 itr_setting; +@@ -3608,7 +3600,7 @@ ice_set_rc_coalesce(enum ice_container_type c_type, struct ethtool_coalesce *ec, + if (!rc->ring) + return -EINVAL; + +- switch (c_type) { ++ switch (rc->type) { + case ICE_RX_CONTAINER: + if (ec->rx_coalesce_usecs_high > ICE_MAX_INTRL || + (ec->rx_coalesce_usecs_high && +@@ -3641,7 +3633,7 @@ ice_set_rc_coalesce(enum ice_container_type c_type, struct ethtool_coalesce *ec, + break; + default: + dev_dbg(ice_pf_to_dev(pf), "Invalid container type %d\n", +- c_type); ++ rc->type); + return -EINVAL; + } + +@@ -3690,22 +3682,22 @@ static int + ice_set_q_coalesce(struct ice_vsi *vsi, struct ethtool_coalesce *ec, int q_num) + { + if (q_num < vsi->num_rxq && q_num < vsi->num_txq) { +- if (ice_set_rc_coalesce(ICE_RX_CONTAINER, ec, ++ if (ice_set_rc_coalesce(ec, + &vsi->rx_rings[q_num]->q_vector->rx, + vsi)) + return -EINVAL; + +- if (ice_set_rc_coalesce(ICE_TX_CONTAINER, ec, ++ if (ice_set_rc_coalesce(ec, + &vsi->tx_rings[q_num]->q_vector->tx, + vsi)) + return -EINVAL; + } else if (q_num < vsi->num_rxq) { +- if (ice_set_rc_coalesce(ICE_RX_CONTAINER, ec, ++ if (ice_set_rc_coalesce(ec, + &vsi->rx_rings[q_num]->q_vector->rx, + vsi)) + return -EINVAL; + } else if (q_num < vsi->num_txq) { +- if (ice_set_rc_coalesce(ICE_TX_CONTAINER, ec, ++ if (ice_set_rc_coalesce(ec, + &vsi->tx_rings[q_num]->q_vector->tx, + vsi)) + return -EINVAL; +diff --git a/drivers/net/ethernet/intel/ice/ice_txrx.h b/drivers/net/ethernet/intel/ice/ice_txrx.h +index 7c2328529ff8..69f78a1c234f 100644 +--- a/drivers/net/ethernet/intel/ice/ice_txrx.h ++++ b/drivers/net/ethernet/intel/ice/ice_txrx.h +@@ -332,6 +332,11 @@ static inline bool ice_ring_is_xdp(struct ice_ring *ring) + return !!(ring->flags & ICE_TX_FLAGS_RING_XDP); + } + ++enum ice_container_type { ++ ICE_RX_CONTAINER, ++ ICE_TX_CONTAINER, ++}; ++ + struct ice_ring_container { + /* head of linked-list of rings */ + struct ice_ring *ring; +@@ -343,6 +348,7 @@ struct ice_ring_container { + u16 itr_setting:13; + u16 itr_reserved:2; + u16 itr_mode:1; ++ enum ice_container_type type; + }; + + struct ice_coalesce_stored { +-- +2.35.1 + diff --git a/queue-5.15/igb-skip-phy-status-check-where-unavailable.patch b/queue-5.15/igb-skip-phy-status-check-where-unavailable.patch new file mode 100644 index 00000000000..b088b63a0ca --- /dev/null +++ b/queue-5.15/igb-skip-phy-status-check-where-unavailable.patch @@ -0,0 +1,46 @@ +From e617ce6c7d41fcca93f2e46e30f04e6037e8effa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 May 2022 11:01:05 -0700 +Subject: igb: skip phy status check where unavailable + +From: Kevin Mitchell + +[ Upstream commit 942d2ad5d2e0df758a645ddfadffde2795322728 ] + +igb_read_phy_reg() will silently return, leaving phy_data untouched, if +hw->ops.read_reg isn't set. Depending on the uninitialized value of +phy_data, this led to the phy status check either succeeding immediately +or looping continuously for 2 seconds before emitting a noisy err-level +timeout. This message went out to the console even though there was no +actual problem. + +Instead, first check if there is read_reg function pointer. If not, +proceed without trying to check the phy status register. + +Fixes: b72f3f72005d ("igb: When GbE link up, wait for Remote receiver status condition") +Signed-off-by: Kevin Mitchell +Tested-by: Gurucharan (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/igb_main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index bf8ef81f6c0e..b88303351484 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -5505,7 +5505,8 @@ static void igb_watchdog_task(struct work_struct *work) + break; + } + +- if (adapter->link_speed != SPEED_1000) ++ if (adapter->link_speed != SPEED_1000 || ++ !hw->phy.ops.read_reg) + goto no_wait; + + /* wait for Remote receiver status OK */ +-- +2.35.1 + diff --git a/queue-5.15/mac80211-fix-rx-reordering-with-non-explicit-psmp-ac.patch b/queue-5.15/mac80211-fix-rx-reordering-with-non-explicit-psmp-ac.patch new file mode 100644 index 00000000000..b86e2d866ab --- /dev/null +++ b/queue-5.15/mac80211-fix-rx-reordering-with-non-explicit-psmp-ac.patch @@ -0,0 +1,38 @@ +From ba5a40044f44ddb92fcee4ac53d782d3fdadff7b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Apr 2022 12:50:38 +0200 +Subject: mac80211: fix rx reordering with non explicit / psmp ack policy + +From: Felix Fietkau + +[ Upstream commit 5e469ed9764d4722c59562da13120bd2dc6834c5 ] + +When the QoS ack policy was set to non explicit / psmp ack, frames are treated +as not being part of a BA session, which causes extra latency on reordering. +Fix this by only bypassing reordering for packets with no-ack policy + +Signed-off-by: Felix Fietkau +Link: https://lore.kernel.org/r/20220420105038.36443-1-nbd@nbd.name +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/rx.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c +index eab6283b3479..743e97ba352c 100644 +--- a/net/mac80211/rx.c ++++ b/net/mac80211/rx.c +@@ -1400,8 +1400,7 @@ static void ieee80211_rx_reorder_ampdu(struct ieee80211_rx_data *rx, + goto dont_reorder; + + /* not part of a BA session */ +- if (ack_policy != IEEE80211_QOS_CTL_ACK_POLICY_BLOCKACK && +- ack_policy != IEEE80211_QOS_CTL_ACK_POLICY_NORMAL) ++ if (ack_policy == IEEE80211_QOS_CTL_ACK_POLICY_NOACK) + goto dont_reorder; + + /* new, potentially un-ordered, ampdu frame - process it */ +-- +2.35.1 + diff --git a/queue-5.15/mptcp-change-the-parameter-of-__mptcp_make_csum.patch b/queue-5.15/mptcp-change-the-parameter-of-__mptcp_make_csum.patch new file mode 100644 index 00000000000..61832221d66 --- /dev/null +++ b/queue-5.15/mptcp-change-the-parameter-of-__mptcp_make_csum.patch @@ -0,0 +1,75 @@ +From dd50d9b5c1dbf42f6c8068c7f935166d5520faa7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Jan 2022 11:25:23 -0800 +Subject: mptcp: change the parameter of __mptcp_make_csum + +From: Geliang Tang + +[ Upstream commit c312ee219100e86143a1d3cc10b367bc43a0e0b8 ] + +This patch changed the type of the last parameter of __mptcp_make_csum() +from __sum16 to __wsum. And export this function in protocol.h. + +Signed-off-by: Geliang Tang +Signed-off-by: Mat Martineau +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/mptcp/options.c | 8 ++++---- + net/mptcp/protocol.h | 1 + + 2 files changed, 5 insertions(+), 4 deletions(-) + +diff --git a/net/mptcp/options.c b/net/mptcp/options.c +index e515ba9ccb5d..d158f53d3bc3 100644 +--- a/net/mptcp/options.c ++++ b/net/mptcp/options.c +@@ -1214,7 +1214,7 @@ static void mptcp_set_rwin(const struct tcp_sock *tp) + WRITE_ONCE(msk->rcv_wnd_sent, ack_seq); + } + +-static u16 __mptcp_make_csum(u64 data_seq, u32 subflow_seq, u16 data_len, __sum16 sum) ++u16 __mptcp_make_csum(u64 data_seq, u32 subflow_seq, u16 data_len, __wsum sum) + { + struct csum_pseudo_header header; + __wsum csum; +@@ -1229,14 +1229,14 @@ static u16 __mptcp_make_csum(u64 data_seq, u32 subflow_seq, u16 data_len, __sum1 + header.data_len = htons(data_len); + header.csum = 0; + +- csum = csum_partial(&header, sizeof(header), ~csum_unfold(sum)); ++ csum = csum_partial(&header, sizeof(header), sum); + return (__force u16)csum_fold(csum); + } + + static u16 mptcp_make_csum(const struct mptcp_ext *mpext) + { + return __mptcp_make_csum(mpext->data_seq, mpext->subflow_seq, mpext->data_len, +- mpext->csum); ++ ~csum_unfold(mpext->csum)); + } + + void mptcp_write_options(__be32 *ptr, const struct tcp_sock *tp, +@@ -1368,7 +1368,7 @@ void mptcp_write_options(__be32 *ptr, const struct tcp_sock *tp, + __mptcp_make_csum(opts->data_seq, + opts->subflow_seq, + opts->data_len, +- opts->csum), ptr); ++ ~csum_unfold(opts->csum)), ptr); + } else { + put_unaligned_be32(opts->data_len << 16 | + TCPOPT_NOP << 8 | TCPOPT_NOP, ptr); +diff --git a/net/mptcp/protocol.h b/net/mptcp/protocol.h +index 82c5dc4d6b49..6bcdaf01f483 100644 +--- a/net/mptcp/protocol.h ++++ b/net/mptcp/protocol.h +@@ -718,6 +718,7 @@ void mptcp_token_destroy(struct mptcp_sock *msk); + void mptcp_crypto_key_sha(u64 key, u32 *token, u64 *idsn); + + void mptcp_crypto_hmac_sha(u64 key1, u64 key2, u8 *msg, int len, void *hmac); ++u16 __mptcp_make_csum(u64 data_seq, u32 subflow_seq, u16 data_len, __wsum sum); + + void __init mptcp_pm_init(void); + void mptcp_pm_data_init(struct mptcp_sock *msk); +-- +2.35.1 + diff --git a/queue-5.15/mptcp-do-tcp-fallback-on-early-dss-checksum-failure.patch b/queue-5.15/mptcp-do-tcp-fallback-on-early-dss-checksum-failure.patch new file mode 100644 index 00000000000..1ee4c2eb2e0 --- /dev/null +++ b/queue-5.15/mptcp-do-tcp-fallback-on-early-dss-checksum-failure.patch @@ -0,0 +1,105 @@ +From 4f06dacef3a5b9868dce9d9cecb2fcd7bae9833e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 May 2022 11:02:12 -0700 +Subject: mptcp: Do TCP fallback on early DSS checksum failure + +From: Mat Martineau + +[ Upstream commit ae66fb2ba6c3dcaf8b9612b65aa949a1a4bed150 ] + +RFC 8684 section 3.7 describes several opportunities for a MPTCP +connection to "fall back" to regular TCP early in the connection +process, before it has been confirmed that MPTCP options can be +successfully propagated on all SYN, SYN/ACK, and data packets. If a peer +acknowledges the first received data packet with a regular TCP header +(no MPTCP options), fallback is allowed. + +If the recipient of that first data packet finds a MPTCP DSS checksum +error, this provides an opportunity to fail gracefully with a TCP +fallback rather than resetting the connection (as might happen if a +checksum failure were detected later). + +This commit modifies the checksum failure code to attempt fallback on +the initial subflow of a MPTCP connection, only if it's a failure in the +first data mapping. In cases where the peer initiates the connection, +requests checksums, is the first to send data, and the peer is sending +incorrect checksums (see +https://github.com/multipath-tcp/mptcp_net-next/issues/275), this allows +the connection to proceed as TCP rather than reset. + +Fixes: dd8bcd1768ff ("mptcp: validate the data checksum") +Acked-by: Paolo Abeni +Signed-off-by: Mat Martineau +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/mptcp/protocol.h | 3 ++- + net/mptcp/subflow.c | 21 ++++++++++++++++++--- + 2 files changed, 20 insertions(+), 4 deletions(-) + +diff --git a/net/mptcp/protocol.h b/net/mptcp/protocol.h +index 8d70e491139a..62ad31482644 100644 +--- a/net/mptcp/protocol.h ++++ b/net/mptcp/protocol.h +@@ -437,7 +437,8 @@ struct mptcp_subflow_context { + can_ack : 1, /* only after processing the remote a key */ + disposable : 1, /* ctx can be free at ulp release time */ + stale : 1, /* unable to snd/rcv data, do not use for xmit */ +- local_id_valid : 1; /* local_id is correctly initialized */ ++ local_id_valid : 1, /* local_id is correctly initialized */ ++ valid_csum_seen : 1; /* at least one csum validated */ + enum mptcp_data_avail data_avail; + u32 remote_nonce; + u64 thmac; +diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c +index 204dfb82f697..c52a824c0669 100644 +--- a/net/mptcp/subflow.c ++++ b/net/mptcp/subflow.c +@@ -958,11 +958,14 @@ static enum mapping_status validate_data_csum(struct sock *ssk, struct sk_buff * + subflow->map_data_csum); + if (unlikely(csum)) { + MPTCP_INC_STATS(sock_net(ssk), MPTCP_MIB_DATACSUMERR); +- subflow->send_mp_fail = 1; +- MPTCP_INC_STATS(sock_net(ssk), MPTCP_MIB_MPFAILTX); ++ if (subflow->mp_join || subflow->valid_csum_seen) { ++ subflow->send_mp_fail = 1; ++ MPTCP_INC_STATS(sock_net(ssk), MPTCP_MIB_MPFAILTX); ++ } + return subflow->mp_join ? MAPPING_INVALID : MAPPING_DUMMY; + } + ++ subflow->valid_csum_seen = 1; + return MAPPING_OK; + } + +@@ -1144,6 +1147,18 @@ static void subflow_sched_work_if_closed(struct mptcp_sock *msk, struct sock *ss + } + } + ++static bool subflow_can_fallback(struct mptcp_subflow_context *subflow) ++{ ++ struct mptcp_sock *msk = mptcp_sk(subflow->conn); ++ ++ if (subflow->mp_join) ++ return false; ++ else if (READ_ONCE(msk->csum_enabled)) ++ return !subflow->valid_csum_seen; ++ else ++ return !subflow->fully_established; ++} ++ + static bool subflow_check_data_avail(struct sock *ssk) + { + struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(ssk); +@@ -1221,7 +1236,7 @@ static bool subflow_check_data_avail(struct sock *ssk) + return true; + } + +- if (subflow->mp_join || subflow->fully_established) { ++ if (!subflow_can_fallback(subflow)) { + /* fatal protocol error, close the socket. + * subflow_error_report() will introduce the appropriate barriers + */ +-- +2.35.1 + diff --git a/queue-5.15/mptcp-fix-checksum-byte-order.patch b/queue-5.15/mptcp-fix-checksum-byte-order.patch new file mode 100644 index 00000000000..efefb804ba9 --- /dev/null +++ b/queue-5.15/mptcp-fix-checksum-byte-order.patch @@ -0,0 +1,153 @@ +From fff083d410a7822fc2b9860828ea28d12da2922e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 May 2022 11:02:11 -0700 +Subject: mptcp: fix checksum byte order + +From: Paolo Abeni + +[ Upstream commit ba2c89e0ea74a904d5231643245753d77422e7f5 ] + +The MPTCP code typecasts the checksum value to u16 and +then converts it to big endian while storing the value into +the MPTCP option. + +As a result, the wire encoding for little endian host is +wrong, and that causes interoperabilty interoperability +issues with other implementation or host with different endianness. + +Address the issue writing in the packet the unmodified __sum16 value. + +MPTCP checksum is disabled by default, interoperating with systems +with bad mptcp-level csum encoding should cause fallback to TCP. + +Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/275 +Fixes: c5b39e26d003 ("mptcp: send out checksum for DSS") +Fixes: 390b95a5fb84 ("mptcp: receive checksum for DSS") +Signed-off-by: Paolo Abeni +Signed-off-by: Mat Martineau +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/mptcp/options.c | 36 ++++++++++++++++++++++++------------ + net/mptcp/protocol.h | 2 +- + net/mptcp/subflow.c | 2 +- + 3 files changed, 26 insertions(+), 14 deletions(-) + +diff --git a/net/mptcp/options.c b/net/mptcp/options.c +index d158f53d3bc3..193f0fcce8d8 100644 +--- a/net/mptcp/options.c ++++ b/net/mptcp/options.c +@@ -107,7 +107,7 @@ static void mptcp_parse_option(const struct sk_buff *skb, + ptr += 2; + } + if (opsize == TCPOLEN_MPTCP_MPC_ACK_DATA_CSUM) { +- mp_opt->csum = (__force __sum16)get_unaligned_be16(ptr); ++ mp_opt->csum = get_unaligned((__force __sum16 *)ptr); + mp_opt->suboptions |= OPTION_MPTCP_CSUMREQD; + ptr += 2; + } +@@ -221,7 +221,7 @@ static void mptcp_parse_option(const struct sk_buff *skb, + + if (opsize == expected_opsize + TCPOLEN_MPTCP_DSS_CHECKSUM) { + mp_opt->suboptions |= OPTION_MPTCP_CSUMREQD; +- mp_opt->csum = (__force __sum16)get_unaligned_be16(ptr); ++ mp_opt->csum = get_unaligned((__force __sum16 *)ptr); + ptr += 2; + } + +@@ -1214,7 +1214,7 @@ static void mptcp_set_rwin(const struct tcp_sock *tp) + WRITE_ONCE(msk->rcv_wnd_sent, ack_seq); + } + +-u16 __mptcp_make_csum(u64 data_seq, u32 subflow_seq, u16 data_len, __wsum sum) ++__sum16 __mptcp_make_csum(u64 data_seq, u32 subflow_seq, u16 data_len, __wsum sum) + { + struct csum_pseudo_header header; + __wsum csum; +@@ -1230,15 +1230,25 @@ u16 __mptcp_make_csum(u64 data_seq, u32 subflow_seq, u16 data_len, __wsum sum) + header.csum = 0; + + csum = csum_partial(&header, sizeof(header), sum); +- return (__force u16)csum_fold(csum); ++ return csum_fold(csum); + } + +-static u16 mptcp_make_csum(const struct mptcp_ext *mpext) ++static __sum16 mptcp_make_csum(const struct mptcp_ext *mpext) + { + return __mptcp_make_csum(mpext->data_seq, mpext->subflow_seq, mpext->data_len, + ~csum_unfold(mpext->csum)); + } + ++static void put_len_csum(u16 len, __sum16 csum, void *data) ++{ ++ __sum16 *sumptr = data + 2; ++ __be16 *ptr = data; ++ ++ put_unaligned_be16(len, ptr); ++ ++ put_unaligned(csum, sumptr); ++} ++ + void mptcp_write_options(__be32 *ptr, const struct tcp_sock *tp, + struct mptcp_out_options *opts) + { +@@ -1315,8 +1325,9 @@ void mptcp_write_options(__be32 *ptr, const struct tcp_sock *tp, + put_unaligned_be32(mpext->subflow_seq, ptr); + ptr += 1; + if (opts->csum_reqd) { +- put_unaligned_be32(mpext->data_len << 16 | +- mptcp_make_csum(mpext), ptr); ++ put_len_csum(mpext->data_len, ++ mptcp_make_csum(mpext), ++ ptr); + } else { + put_unaligned_be32(mpext->data_len << 16 | + TCPOPT_NOP << 8 | TCPOPT_NOP, ptr); +@@ -1364,11 +1375,12 @@ void mptcp_write_options(__be32 *ptr, const struct tcp_sock *tp, + goto mp_capable_done; + + if (opts->csum_reqd) { +- put_unaligned_be32(opts->data_len << 16 | +- __mptcp_make_csum(opts->data_seq, +- opts->subflow_seq, +- opts->data_len, +- ~csum_unfold(opts->csum)), ptr); ++ put_len_csum(opts->data_len, ++ __mptcp_make_csum(opts->data_seq, ++ opts->subflow_seq, ++ opts->data_len, ++ ~csum_unfold(opts->csum)), ++ ptr); + } else { + put_unaligned_be32(opts->data_len << 16 | + TCPOPT_NOP << 8 | TCPOPT_NOP, ptr); +diff --git a/net/mptcp/protocol.h b/net/mptcp/protocol.h +index 6bcdaf01f483..72a259a74b57 100644 +--- a/net/mptcp/protocol.h ++++ b/net/mptcp/protocol.h +@@ -718,7 +718,7 @@ void mptcp_token_destroy(struct mptcp_sock *msk); + void mptcp_crypto_key_sha(u64 key, u32 *token, u64 *idsn); + + void mptcp_crypto_hmac_sha(u64 key1, u64 key2, u8 *msg, int len, void *hmac); +-u16 __mptcp_make_csum(u64 data_seq, u32 subflow_seq, u16 data_len, __wsum sum); ++__sum16 __mptcp_make_csum(u64 data_seq, u32 subflow_seq, u16 data_len, __wsum sum); + + void __init mptcp_pm_init(void); + void mptcp_pm_data_init(struct mptcp_sock *msk); +diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c +index 04afead7316f..9c7deffe7cb6 100644 +--- a/net/mptcp/subflow.c ++++ b/net/mptcp/subflow.c +@@ -846,7 +846,7 @@ static enum mapping_status validate_data_csum(struct sock *ssk, struct sk_buff * + { + struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(ssk); + u32 offset, seq, delta; +- u16 csum; ++ __sum16 csum; + int len; + + if (!csum_reqd) +-- +2.35.1 + diff --git a/queue-5.15/mptcp-reuse-__mptcp_make_csum-in-validate_data_csum.patch b/queue-5.15/mptcp-reuse-__mptcp_make_csum-in-validate_data_csum.patch new file mode 100644 index 00000000000..b9887c25880 --- /dev/null +++ b/queue-5.15/mptcp-reuse-__mptcp_make_csum-in-validate_data_csum.patch @@ -0,0 +1,57 @@ +From c2f97c875f720486060fa9263316cb67318c7165 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Jan 2022 11:25:24 -0800 +Subject: mptcp: reuse __mptcp_make_csum in validate_data_csum + +From: Geliang Tang + +[ Upstream commit 8401e87f5a36d370cbf1e9d4ba602a553ce9324a ] + +This patch reused __mptcp_make_csum() in validate_data_csum() instead of +open-coding. + +Signed-off-by: Geliang Tang +Signed-off-by: Mat Martineau +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/mptcp/subflow.c | 15 ++++++--------- + 1 file changed, 6 insertions(+), 9 deletions(-) + +diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c +index 6172f380dfb7..04afead7316f 100644 +--- a/net/mptcp/subflow.c ++++ b/net/mptcp/subflow.c +@@ -845,9 +845,8 @@ static enum mapping_status validate_data_csum(struct sock *ssk, struct sk_buff * + bool csum_reqd) + { + struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(ssk); +- struct csum_pseudo_header header; + u32 offset, seq, delta; +- __wsum csum; ++ u16 csum; + int len; + + if (!csum_reqd) +@@ -908,13 +907,11 @@ static enum mapping_status validate_data_csum(struct sock *ssk, struct sk_buff * + * while the pseudo header requires the original DSS data len, + * including that + */ +- header.data_seq = cpu_to_be64(subflow->map_seq); +- header.subflow_seq = htonl(subflow->map_subflow_seq); +- header.data_len = htons(subflow->map_data_len + subflow->map_data_fin); +- header.csum = 0; +- +- csum = csum_partial(&header, sizeof(header), subflow->map_data_csum); +- if (unlikely(csum_fold(csum))) { ++ csum = __mptcp_make_csum(subflow->map_seq, ++ subflow->map_subflow_seq, ++ subflow->map_data_len + subflow->map_data_fin, ++ subflow->map_data_csum); ++ if (unlikely(csum)) { + MPTCP_INC_STATS(sock_net(ssk), MPTCP_MIB_DATACSUMERR); + subflow->send_mp_fail = 1; + MPTCP_INC_STATS(sock_net(ssk), MPTCP_MIB_MPFAILTX); +-- +2.35.1 + diff --git a/queue-5.15/mptcp-strict-local-address-id-selection.patch b/queue-5.15/mptcp-strict-local-address-id-selection.patch new file mode 100644 index 00000000000..1169286aa73 --- /dev/null +++ b/queue-5.15/mptcp-strict-local-address-id-selection.patch @@ -0,0 +1,224 @@ +From a8838be5ddf0965ef545407208757c69cc57edad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Mar 2022 12:44:37 -0800 +Subject: mptcp: strict local address ID selection + +From: Paolo Abeni + +[ Upstream commit 4cf86ae84c718333928fd2d43168a1e359a28329 ] + +The address ID selection for MPJ subflows created in response +to incoming ADD_ADDR option is currently unreliable: it happens +at MPJ socket creation time, when the local address could be +unknown. + +Additionally, if the no local endpoint is available for the local +address, a new dummy endpoint is created, confusing the user-land. + +This change refactor the code to move the address ID selection inside +the rebuild_header() helper, when the local address eventually +selected by the route lookup is finally known. If the address used +is not mapped by any endpoint - and thus can't be advertised/removed +pick the id 0 instead of allocate a new endpoint. + +Signed-off-by: Paolo Abeni +Signed-off-by: Mat Martineau +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/mptcp/pm_netlink.c | 13 -------- + net/mptcp/protocol.c | 3 ++ + net/mptcp/protocol.h | 3 +- + net/mptcp/subflow.c | 67 ++++++++++++++++++++++++++++++++++++------ + 4 files changed, 63 insertions(+), 23 deletions(-) + +diff --git a/net/mptcp/pm_netlink.c b/net/mptcp/pm_netlink.c +index cf0f700f46dd..e6b95d1cba70 100644 +--- a/net/mptcp/pm_netlink.c ++++ b/net/mptcp/pm_netlink.c +@@ -86,16 +86,6 @@ static bool addresses_equal(const struct mptcp_addr_info *a, + return a->port == b->port; + } + +-static bool address_zero(const struct mptcp_addr_info *addr) +-{ +- struct mptcp_addr_info zero; +- +- memset(&zero, 0, sizeof(zero)); +- zero.family = addr->family; +- +- return addresses_equal(addr, &zero, true); +-} +- + static void local_address(const struct sock_common *skc, + struct mptcp_addr_info *addr) + { +@@ -954,9 +944,6 @@ int mptcp_pm_nl_get_local_id(struct mptcp_sock *msk, struct sock_common *skc) + if (addresses_equal(&msk_local, &skc_local, false)) + return 0; + +- if (address_zero(&skc_local)) +- return 0; +- + pernet = net_generic(sock_net((struct sock *)msk), pm_nl_pernet_id); + + rcu_read_lock(); +diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c +index d6def23b8cba..c293742fc461 100644 +--- a/net/mptcp/protocol.c ++++ b/net/mptcp/protocol.c +@@ -115,6 +115,9 @@ static int __mptcp_socket_create(struct mptcp_sock *msk) + list_add(&subflow->node, &msk->conn_list); + sock_hold(ssock->sk); + subflow->request_mptcp = 1; ++ ++ /* This is the first subflow, always with id 0 */ ++ subflow->local_id_valid = 1; + mptcp_sock_graft(msk->first, sk->sk_socket); + + return 0; +diff --git a/net/mptcp/protocol.h b/net/mptcp/protocol.h +index 72a259a74b57..8d70e491139a 100644 +--- a/net/mptcp/protocol.h ++++ b/net/mptcp/protocol.h +@@ -436,7 +436,8 @@ struct mptcp_subflow_context { + rx_eof : 1, + can_ack : 1, /* only after processing the remote a key */ + disposable : 1, /* ctx can be free at ulp release time */ +- stale : 1; /* unable to snd/rcv data, do not use for xmit */ ++ stale : 1, /* unable to snd/rcv data, do not use for xmit */ ++ local_id_valid : 1; /* local_id is correctly initialized */ + enum mptcp_data_avail data_avail; + u32 remote_nonce; + u64 thmac; +diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c +index 9c7deffe7cb6..204dfb82f697 100644 +--- a/net/mptcp/subflow.c ++++ b/net/mptcp/subflow.c +@@ -483,6 +483,51 @@ static void subflow_finish_connect(struct sock *sk, const struct sk_buff *skb) + mptcp_subflow_reset(sk); + } + ++static void subflow_set_local_id(struct mptcp_subflow_context *subflow, int local_id) ++{ ++ subflow->local_id = local_id; ++ subflow->local_id_valid = 1; ++} ++ ++static int subflow_chk_local_id(struct sock *sk) ++{ ++ struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(sk); ++ struct mptcp_sock *msk = mptcp_sk(subflow->conn); ++ int err; ++ ++ if (likely(subflow->local_id_valid)) ++ return 0; ++ ++ err = mptcp_pm_get_local_id(msk, (struct sock_common *)sk); ++ if (err < 0) ++ return err; ++ ++ subflow_set_local_id(subflow, err); ++ return 0; ++} ++ ++static int subflow_rebuild_header(struct sock *sk) ++{ ++ int err = subflow_chk_local_id(sk); ++ ++ if (unlikely(err < 0)) ++ return err; ++ ++ return inet_sk_rebuild_header(sk); ++} ++ ++#if IS_ENABLED(CONFIG_MPTCP_IPV6) ++static int subflow_v6_rebuild_header(struct sock *sk) ++{ ++ int err = subflow_chk_local_id(sk); ++ ++ if (unlikely(err < 0)) ++ return err; ++ ++ return inet6_sk_rebuild_header(sk); ++} ++#endif ++ + struct request_sock_ops mptcp_subflow_request_sock_ops; + EXPORT_SYMBOL_GPL(mptcp_subflow_request_sock_ops); + static struct tcp_request_sock_ops subflow_request_sock_ipv4_ops; +@@ -1402,13 +1447,8 @@ int __mptcp_subflow_connect(struct sock *sk, const struct mptcp_addr_info *loc, + get_random_bytes(&subflow->local_nonce, sizeof(u32)); + } while (!subflow->local_nonce); + +- if (!local_id) { +- err = mptcp_pm_get_local_id(msk, (struct sock_common *)ssk); +- if (err < 0) +- goto failed; +- +- local_id = err; +- } ++ if (local_id) ++ subflow_set_local_id(subflow, local_id); + + mptcp_pm_get_flags_and_ifindex_by_id(sock_net(sk), local_id, + &flags, &ifindex); +@@ -1431,7 +1471,6 @@ int __mptcp_subflow_connect(struct sock *sk, const struct mptcp_addr_info *loc, + pr_debug("msk=%p remote_token=%u local_id=%d remote_id=%d", msk, + remote_token, local_id, remote_id); + subflow->remote_token = remote_token; +- subflow->local_id = local_id; + subflow->remote_id = remote_id; + subflow->request_join = 1; + subflow->request_bkup = !!(flags & MPTCP_PM_ADDR_FLAG_BACKUP); +@@ -1734,15 +1773,22 @@ static void subflow_ulp_clone(const struct request_sock *req, + new_ctx->token = subflow_req->token; + new_ctx->ssn_offset = subflow_req->ssn_offset; + new_ctx->idsn = subflow_req->idsn; ++ ++ /* this is the first subflow, id is always 0 */ ++ new_ctx->local_id_valid = 1; + } else if (subflow_req->mp_join) { + new_ctx->ssn_offset = subflow_req->ssn_offset; + new_ctx->mp_join = 1; + new_ctx->fully_established = 1; + new_ctx->backup = subflow_req->backup; +- new_ctx->local_id = subflow_req->local_id; + new_ctx->remote_id = subflow_req->remote_id; + new_ctx->token = subflow_req->token; + new_ctx->thmac = subflow_req->thmac; ++ ++ /* the subflow req id is valid, fetched via subflow_check_req() ++ * and subflow_token_join_request() ++ */ ++ subflow_set_local_id(new_ctx, subflow_req->local_id); + } + } + +@@ -1795,6 +1841,7 @@ void __init mptcp_subflow_init(void) + subflow_specific.conn_request = subflow_v4_conn_request; + subflow_specific.syn_recv_sock = subflow_syn_recv_sock; + subflow_specific.sk_rx_dst_set = subflow_finish_connect; ++ subflow_specific.rebuild_header = subflow_rebuild_header; + + tcp_prot_override = tcp_prot; + tcp_prot_override.release_cb = tcp_release_cb_override; +@@ -1807,6 +1854,7 @@ void __init mptcp_subflow_init(void) + subflow_v6_specific.conn_request = subflow_v6_conn_request; + subflow_v6_specific.syn_recv_sock = subflow_syn_recv_sock; + subflow_v6_specific.sk_rx_dst_set = subflow_finish_connect; ++ subflow_v6_specific.rebuild_header = subflow_v6_rebuild_header; + + subflow_v6m_specific = subflow_v6_specific; + subflow_v6m_specific.queue_xmit = ipv4_specific.queue_xmit; +@@ -1814,6 +1862,7 @@ void __init mptcp_subflow_init(void) + subflow_v6m_specific.net_header_len = ipv4_specific.net_header_len; + subflow_v6m_specific.mtu_reduced = ipv4_specific.mtu_reduced; + subflow_v6m_specific.net_frag_header_len = 0; ++ subflow_v6m_specific.rebuild_header = subflow_rebuild_header; + + tcpv6_prot_override = tcpv6_prot; + tcpv6_prot_override.release_cb = tcp_release_cb_override; +-- +2.35.1 + diff --git a/queue-5.15/net-af_key-add-check-for-pfkey_broadcast-in-function.patch b/queue-5.15/net-af_key-add-check-for-pfkey_broadcast-in-function.patch new file mode 100644 index 00000000000..3307af28340 --- /dev/null +++ b/queue-5.15/net-af_key-add-check-for-pfkey_broadcast-in-function.patch @@ -0,0 +1,42 @@ +From f61754d7051cb4d34f2183dfb35a131501b3db7f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 May 2022 17:42:31 +0800 +Subject: net: af_key: add check for pfkey_broadcast in function pfkey_process + +From: Jiasheng Jiang + +[ Upstream commit 4dc2a5a8f6754492180741facf2a8787f2c415d7 ] + +If skb_clone() returns null pointer, pfkey_broadcast() will +return error. +Therefore, it should be better to check the return value of +pfkey_broadcast() and return error if fails. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Jiasheng Jiang +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/key/af_key.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/net/key/af_key.c b/net/key/af_key.c +index fd51db3be91c..92e9d75dba2f 100644 +--- a/net/key/af_key.c ++++ b/net/key/af_key.c +@@ -2826,8 +2826,10 @@ static int pfkey_process(struct sock *sk, struct sk_buff *skb, const struct sadb + void *ext_hdrs[SADB_EXT_MAX]; + int err; + +- pfkey_broadcast(skb_clone(skb, GFP_KERNEL), GFP_KERNEL, +- BROADCAST_PROMISC_ONLY, NULL, sock_net(sk)); ++ err = pfkey_broadcast(skb_clone(skb, GFP_KERNEL), GFP_KERNEL, ++ BROADCAST_PROMISC_ONLY, NULL, sock_net(sk)); ++ if (err) ++ return err; + + memset(ext_hdrs, 0, sizeof(ext_hdrs)); + err = parse_exthdrs(skb, hdr, ext_hdrs); +-- +2.35.1 + diff --git a/queue-5.15/net-atlantic-add-check-for-max_skb_frags.patch b/queue-5.15/net-atlantic-add-check-for-max_skb_frags.patch new file mode 100644 index 00000000000..e0a3d02bd88 --- /dev/null +++ b/queue-5.15/net-atlantic-add-check-for-max_skb_frags.patch @@ -0,0 +1,55 @@ +From 5efdf8534a12e9e1e46395844bb807dec1e2cc21 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 May 2022 19:28:25 -0700 +Subject: net: atlantic: add check for MAX_SKB_FRAGS + +From: Grant Grundler + +[ Upstream commit 6aecbba12b5c90b26dc062af3b9de8c4b3a2f19f ] + +Enforce that the CPU can not get stuck in an infinite loop. + +Reported-by: Aashay Shringarpure +Reported-by: Yi Chou +Reported-by: Shervin Oloumi +Signed-off-by: Grant Grundler +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/aquantia/atlantic/aq_ring.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c +index 339efdfb1d49..e9c6f1fa0b1a 100644 +--- a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c ++++ b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c +@@ -362,6 +362,7 @@ int aq_ring_rx_clean(struct aq_ring_s *self, + continue; + + if (!buff->is_eop) { ++ unsigned int frag_cnt = 0U; + buff_ = buff; + do { + bool is_rsc_completed = true; +@@ -370,6 +371,8 @@ int aq_ring_rx_clean(struct aq_ring_s *self, + err = -EIO; + goto err_exit; + } ++ ++ frag_cnt++; + next_ = buff_->next, + buff_ = &self->buff_ring[next_]; + is_rsc_completed = +@@ -377,7 +380,8 @@ int aq_ring_rx_clean(struct aq_ring_s *self, + next_, + self->hw_head); + +- if (unlikely(!is_rsc_completed)) { ++ if (unlikely(!is_rsc_completed) || ++ frag_cnt > MAX_SKB_FRAGS) { + err = 0; + goto err_exit; + } +-- +2.35.1 + diff --git a/queue-5.15/net-atlantic-fix-frag-0-not-initialized.patch b/queue-5.15/net-atlantic-fix-frag-0-not-initialized.patch new file mode 100644 index 00000000000..355d5e4fc1c --- /dev/null +++ b/queue-5.15/net-atlantic-fix-frag-0-not-initialized.patch @@ -0,0 +1,53 @@ +From 99fd549729ff61ecc2d55226077f3943dac32e12 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 May 2022 19:28:23 -0700 +Subject: net: atlantic: fix "frag[0] not initialized" + +From: Grant Grundler + +[ Upstream commit 62e0ae0f4020250f961cf8d0103a4621be74e077 ] + +In aq_ring_rx_clean(), if buff->is_eop is not set AND +buff->len < AQ_CFG_RX_HDR_SIZE, then hdr_len remains equal to +buff->len and skb_add_rx_frag(xxx, *0*, ...) is not called. + +The loop following this code starts calling skb_add_rx_frag() starting +with i=1 and thus frag[0] is never initialized. Since i is initialized +to zero at the top of the primary loop, we can just reference and +post-increment i instead of hardcoding the 0 when calling +skb_add_rx_frag() the first time. + +Reported-by: Aashay Shringarpure +Reported-by: Yi Chou +Reported-by: Shervin Oloumi +Signed-off-by: Grant Grundler +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/aquantia/atlantic/aq_ring.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c +index 72f8751784c3..7cf5a48e9a7d 100644 +--- a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c ++++ b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c +@@ -445,7 +445,7 @@ int aq_ring_rx_clean(struct aq_ring_s *self, + ALIGN(hdr_len, sizeof(long))); + + if (buff->len - hdr_len > 0) { +- skb_add_rx_frag(skb, 0, buff->rxdata.page, ++ skb_add_rx_frag(skb, i++, buff->rxdata.page, + buff->rxdata.pg_off + hdr_len, + buff->len - hdr_len, + AQ_CFG_RX_FRAME_MAX); +@@ -454,7 +454,6 @@ int aq_ring_rx_clean(struct aq_ring_s *self, + + if (!buff->is_eop) { + buff_ = buff; +- i = 1U; + do { + next_ = buff_->next; + buff_ = &self->buff_ring[next_]; +-- +2.35.1 + diff --git a/queue-5.15/net-atlantic-reduce-scope-of-is_rsc_complete.patch b/queue-5.15/net-atlantic-reduce-scope-of-is_rsc_complete.patch new file mode 100644 index 00000000000..605567eb357 --- /dev/null +++ b/queue-5.15/net-atlantic-reduce-scope-of-is_rsc_complete.patch @@ -0,0 +1,68 @@ +From 442e74b4b50e3eabaf85ebe20c3e1bc04b7ee36e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 May 2022 19:28:24 -0700 +Subject: net: atlantic: reduce scope of is_rsc_complete + +From: Grant Grundler + +[ Upstream commit 79784d77ebbd3ec516b7a5ce555d979fb7946202 ] + +Don't defer handling the err case outside the loop. That's pointless. + +And since is_rsc_complete is only used inside this loop, declare +it inside the loop to reduce it's scope. + +Signed-off-by: Grant Grundler +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/aquantia/atlantic/aq_ring.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c +index 7cf5a48e9a7d..339efdfb1d49 100644 +--- a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c ++++ b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c +@@ -345,7 +345,6 @@ int aq_ring_rx_clean(struct aq_ring_s *self, + int budget) + { + struct net_device *ndev = aq_nic_get_ndev(self->aq_nic); +- bool is_rsc_completed = true; + int err = 0; + + for (; (self->sw_head != self->hw_head) && budget; +@@ -365,6 +364,8 @@ int aq_ring_rx_clean(struct aq_ring_s *self, + if (!buff->is_eop) { + buff_ = buff; + do { ++ bool is_rsc_completed = true; ++ + if (buff_->next >= self->size) { + err = -EIO; + goto err_exit; +@@ -376,18 +377,16 @@ int aq_ring_rx_clean(struct aq_ring_s *self, + next_, + self->hw_head); + +- if (unlikely(!is_rsc_completed)) +- break; ++ if (unlikely(!is_rsc_completed)) { ++ err = 0; ++ goto err_exit; ++ } + + buff->is_error |= buff_->is_error; + buff->is_cso_err |= buff_->is_cso_err; + + } while (!buff_->is_eop); + +- if (!is_rsc_completed) { +- err = 0; +- goto err_exit; +- } + if (buff->is_error || + (buff->is_lro && buff->is_cso_err)) { + buff_ = buff; +-- +2.35.1 + diff --git a/queue-5.15/net-atlantic-verify-hw_head_-lies-within-tx-buffer-r.patch b/queue-5.15/net-atlantic-verify-hw_head_-lies-within-tx-buffer-r.patch new file mode 100644 index 00000000000..21da16a3576 --- /dev/null +++ b/queue-5.15/net-atlantic-verify-hw_head_-lies-within-tx-buffer-r.patch @@ -0,0 +1,43 @@ +From c6b7ecc7d69908e21a4df97ffd3d5b60ea1d953d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 May 2022 19:28:26 -0700 +Subject: net: atlantic: verify hw_head_ lies within TX buffer ring + +From: Grant Grundler + +[ Upstream commit 2120b7f4d128433ad8c5f503a9584deba0684901 ] + +Bounds check hw_head index provided by NIC to verify it lies +within the TX buffer ring. + +Reported-by: Aashay Shringarpure +Reported-by: Yi Chou +Reported-by: Shervin Oloumi +Signed-off-by: Grant Grundler +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c +index 9f1b15077e7d..45c17c585d74 100644 +--- a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c ++++ b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c +@@ -889,6 +889,13 @@ int hw_atl_b0_hw_ring_tx_head_update(struct aq_hw_s *self, + err = -ENXIO; + goto err_exit; + } ++ ++ /* Validate that the new hw_head_ is reasonable. */ ++ if (hw_head_ >= ring->size) { ++ err = -ENXIO; ++ goto err_exit; ++ } ++ + ring->hw_head = hw_head_; + err = aq_hw_err_from_flags(self); + +-- +2.35.1 + diff --git a/queue-5.15/net-bridge-clear-offload_fwd_mark-when-passing-frame.patch b/queue-5.15/net-bridge-clear-offload_fwd_mark-when-passing-frame.patch new file mode 100644 index 00000000000..7a535c10e89 --- /dev/null +++ b/queue-5.15/net-bridge-clear-offload_fwd_mark-when-passing-frame.patch @@ -0,0 +1,72 @@ +From a036464c713e84e5ab6352f04d70953662efa622 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 May 2022 02:58:40 +0200 +Subject: net: bridge: Clear offload_fwd_mark when passing frame up bridge + interface. + +From: Andrew Lunn + +[ Upstream commit fbb3abdf2223cd0dfc07de85fe5a43ba7f435bdf ] + +It is possible to stack bridges on top of each other. Consider the +following which makes use of an Ethernet switch: + + br1 + / \ + / \ + / \ + br0.11 wlan0 + | + br0 + / | \ +p1 p2 p3 + +br0 is offloaded to the switch. Above br0 is a vlan interface, for +vlan 11. This vlan interface is then a slave of br1. br1 also has a +wireless interface as a slave. This setup trunks wireless lan traffic +over the copper network inside a VLAN. + +A frame received on p1 which is passed up to the bridge has the +skb->offload_fwd_mark flag set to true, indicating that the switch has +dealt with forwarding the frame out ports p2 and p3 as needed. This +flag instructs the software bridge it does not need to pass the frame +back down again. However, the flag is not getting reset when the frame +is passed upwards. As a result br1 sees the flag, wrongly interprets +it, and fails to forward the frame to wlan0. + +When passing a frame upwards, clear the flag. This is the Rx +equivalent of br_switchdev_frame_unmark() in br_dev_xmit(). + +Fixes: f1c2eddf4cb6 ("bridge: switchdev: Use an helper to clear forward mark") +Signed-off-by: Andrew Lunn +Reviewed-by: Ido Schimmel +Tested-by: Ido Schimmel +Acked-by: Nikolay Aleksandrov +Link: https://lore.kernel.org/r/20220518005840.771575-1-andrew@lunn.ch +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/bridge/br_input.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c +index b50382f957c1..6743c8a0fe8e 100644 +--- a/net/bridge/br_input.c ++++ b/net/bridge/br_input.c +@@ -39,6 +39,13 @@ static int br_pass_frame_up(struct sk_buff *skb) + dev_sw_netstats_rx_add(brdev, skb->len); + + vg = br_vlan_group_rcu(br); ++ ++ /* Reset the offload_fwd_mark because there could be a stacked ++ * bridge above, and it should not think this bridge it doing ++ * that bridge's work forwarding out its ports. ++ */ ++ br_switchdev_frame_unmark(skb); ++ + /* Bridge is just like any other port. Make sure the + * packet is allowed except in promisc mode when someone + * may be running packet capture. +-- +2.35.1 + diff --git a/queue-5.15/net-fix-dev_fill_forward_path-with-pppoe-bridge.patch b/queue-5.15/net-fix-dev_fill_forward_path-with-pppoe-bridge.patch new file mode 100644 index 00000000000..ee0f4e37b19 --- /dev/null +++ b/queue-5.15/net-fix-dev_fill_forward_path-with-pppoe-bridge.patch @@ -0,0 +1,69 @@ +From 8700c287eb74cc013a02439f997e5bf26c1bee28 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 May 2022 14:26:15 +0200 +Subject: net: fix dev_fill_forward_path with pppoe + bridge + +From: Felix Fietkau + +[ Upstream commit cf2df74e202d81b09f09d84c2d8903e0e87e9274 ] + +When calling dev_fill_forward_path on a pppoe device, the provided destination +address is invalid. In order for the bridge fdb lookup to succeed, the pppoe +code needs to update ctx->daddr to the correct value. +Fix this by storing the address inside struct net_device_path_ctx + +Fixes: f6efc675c9dd ("net: ppp: resolve forwarding path for bridge pppoe devices") +Signed-off-by: Felix Fietkau +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + drivers/net/ppp/pppoe.c | 1 + + include/linux/netdevice.h | 2 +- + net/core/dev.c | 2 +- + 3 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ppp/pppoe.c b/drivers/net/ppp/pppoe.c +index 3619520340b7..e172743948ed 100644 +--- a/drivers/net/ppp/pppoe.c ++++ b/drivers/net/ppp/pppoe.c +@@ -988,6 +988,7 @@ static int pppoe_fill_forward_path(struct net_device_path_ctx *ctx, + path->encap.proto = htons(ETH_P_PPP_SES); + path->encap.id = be16_to_cpu(po->num); + memcpy(path->encap.h_dest, po->pppoe_pa.remote, ETH_ALEN); ++ memcpy(ctx->daddr, po->pppoe_pa.remote, ETH_ALEN); + path->dev = ctx->dev; + ctx->dev = dev; + +diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h +index 62ff09467776..39f1893ecac0 100644 +--- a/include/linux/netdevice.h ++++ b/include/linux/netdevice.h +@@ -887,7 +887,7 @@ struct net_device_path_stack { + + struct net_device_path_ctx { + const struct net_device *dev; +- const u8 *daddr; ++ u8 daddr[ETH_ALEN]; + + int num_vlans; + struct { +diff --git a/net/core/dev.c b/net/core/dev.c +index 804aba2228c2..5907212c00f3 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -741,11 +741,11 @@ int dev_fill_forward_path(const struct net_device *dev, const u8 *daddr, + const struct net_device *last_dev; + struct net_device_path_ctx ctx = { + .dev = dev, +- .daddr = daddr, + }; + struct net_device_path *path; + int ret = 0; + ++ memcpy(ctx.daddr, daddr, sizeof(ctx.daddr)); + stack->num_paths = 0; + while (ctx.dev && ctx.dev->netdev_ops->ndo_fill_forward_path) { + last_dev = ctx.dev; +-- +2.35.1 + diff --git a/queue-5.15/net-fix-wrong-network-header-length.patch b/queue-5.15/net-fix-wrong-network-header-length.patch new file mode 100644 index 00000000000..b088a20e29c --- /dev/null +++ b/queue-5.15/net-fix-wrong-network-header-length.patch @@ -0,0 +1,71 @@ +From 522c47125e95fd82472978fcd46295fc96db24e4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 May 2022 13:48:49 +0800 +Subject: net: fix wrong network header length + +From: Lina Wang + +[ Upstream commit cf3ab8d4a797960b4be20565abb3bcd227b18a68 ] + +When clatd starts with ebpf offloaing, and NETIF_F_GRO_FRAGLIST is enable, +several skbs are gathered in skb_shinfo(skb)->frag_list. The first skb's +ipv6 header will be changed to ipv4 after bpf_skb_proto_6_to_4, +network_header\transport_header\mac_header have been updated as ipv4 acts, +but other skbs in frag_list didnot update anything, just ipv6 packets. + +udp_queue_rcv_skb will call skb_segment_list to traverse other skbs in +frag_list and make sure right udp payload is delivered to user space. +Unfortunately, other skbs in frag_list who are still ipv6 packets are +updated like the first skb and will have wrong transport header length. + +e.g.before bpf_skb_proto_6_to_4,the first skb and other skbs in frag_list +has the same network_header(24)& transport_header(64), after +bpf_skb_proto_6_to_4, ipv6 protocol has been changed to ipv4, the first +skb's network_header is 44,transport_header is 64, other skbs in frag_list +didnot change.After skb_segment_list, the other skbs in frag_list has +different network_header(24) and transport_header(44), so there will be 20 +bytes different from original,that is difference between ipv6 header and +ipv4 header. Just change transport_header to be the same with original. + +Actually, there are two solutions to fix it, one is traversing all skbs +and changing every skb header in bpf_skb_proto_6_to_4, the other is +modifying frag_list skb's header in skb_segment_list. Considering +efficiency, adopt the second one--- when the first skb and other skbs in +frag_list has different network_header length, restore them to make sure +right udp payload is delivered to user space. + +Signed-off-by: Lina Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/skbuff.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/core/skbuff.c b/net/core/skbuff.c +index e4badc189e37..7ef0f5a8ab03 100644 +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -3873,7 +3873,7 @@ struct sk_buff *skb_segment_list(struct sk_buff *skb, + unsigned int delta_len = 0; + struct sk_buff *tail = NULL; + struct sk_buff *nskb, *tmp; +- int err; ++ int len_diff, err; + + skb_push(skb, -skb_network_offset(skb) + offset); + +@@ -3913,9 +3913,11 @@ struct sk_buff *skb_segment_list(struct sk_buff *skb, + skb_push(nskb, -skb_network_offset(nskb) + offset); + + skb_release_head_state(nskb); ++ len_diff = skb_network_header_len(nskb) - skb_network_header_len(skb); + __copy_skb_header(nskb, skb); + + skb_headers_offset_update(nskb, skb_headroom(nskb) - skb_headroom(skb)); ++ nskb->transport_header += len_diff; + skb_copy_from_linear_data_offset(skb, -tnl_hlen, + nskb->data - tnl_hlen, + offset + tnl_hlen); +-- +2.35.1 + diff --git a/queue-5.15/net-ipa-record-proper-rx-transaction-count.patch b/queue-5.15/net-ipa-record-proper-rx-transaction-count.patch new file mode 100644 index 00000000000..6946ab0dd69 --- /dev/null +++ b/queue-5.15/net-ipa-record-proper-rx-transaction-count.patch @@ -0,0 +1,61 @@ +From 249279000aa001b703d0f32bab13e95f6bf06237 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 May 2022 10:10:32 -0500 +Subject: net: ipa: record proper RX transaction count + +From: Alex Elder + +[ Upstream commit d8290cbe1111105f92f0c8ab455bec8bf98d0630 ] + +Each time we are notified that some number of transactions on an RX +channel has completed, we record the number of bytes that have been +transferred since the previous notification. We also track the +number of transactions completed, but that is not currently being +calculated correctly; we're currently counting the number of such +notifications, but each notification can represent many transaction +completions. Fix this. + +Fixes: 650d1603825d8 ("soc: qcom: ipa: the generic software interface") +Signed-off-by: Alex Elder +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ipa/gsi.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ipa/gsi.c b/drivers/net/ipa/gsi.c +index a2fcdb1abdb9..a734e5576729 100644 +--- a/drivers/net/ipa/gsi.c ++++ b/drivers/net/ipa/gsi.c +@@ -1370,9 +1370,10 @@ static void gsi_evt_ring_rx_update(struct gsi_evt_ring *evt_ring, u32 index) + struct gsi_event *event_done; + struct gsi_event *event; + struct gsi_trans *trans; ++ u32 trans_count = 0; + u32 byte_count = 0; +- u32 old_index; + u32 event_avail; ++ u32 old_index; + + trans_info = &channel->trans_info; + +@@ -1393,6 +1394,7 @@ static void gsi_evt_ring_rx_update(struct gsi_evt_ring *evt_ring, u32 index) + do { + trans->len = __le16_to_cpu(event->len); + byte_count += trans->len; ++ trans_count++; + + /* Move on to the next event and transaction */ + if (--event_avail) +@@ -1404,7 +1406,7 @@ static void gsi_evt_ring_rx_update(struct gsi_evt_ring *evt_ring, u32 index) + + /* We record RX bytes when they are received */ + channel->byte_count += byte_count; +- channel->trans_count++; ++ channel->trans_count += trans_count; + } + + /* Initialize a ring, including allocating DMA memory for its entries */ +-- +2.35.1 + diff --git a/queue-5.15/net-macb-increment-rx-bd-head-after-allocating-skb-a.patch b/queue-5.15/net-macb-increment-rx-bd-head-after-allocating-skb-a.patch new file mode 100644 index 00000000000..ca8599b570c --- /dev/null +++ b/queue-5.15/net-macb-increment-rx-bd-head-after-allocating-skb-a.patch @@ -0,0 +1,53 @@ +From 7ad07ac2150dd471f3d5c388de495a9a7245e004 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 May 2022 22:49:00 +0530 +Subject: net: macb: Increment rx bd head after allocating skb and buffer + +From: Harini Katakam + +[ Upstream commit 9500acc631dbb8b73166e25700e656b11f6007b6 ] + +In gem_rx_refill rx_prepared_head is incremented at the beginning of +the while loop preparing the skb and data buffers. If the skb or data +buffer allocation fails, this BD will be unusable BDs until the head +loops back to the same BD (and obviously buffer allocation succeeds). +In the unlikely event that there's a string of allocation failures, +there will be an equal number of unusable BDs and an inconsistent RX +BD chain. Hence increment the head at the end of the while loop to be +clean. + +Fixes: 4df95131ea80 ("net/macb: change RX path for GEM") +Signed-off-by: Harini Katakam +Signed-off-by: Michal Simek +Signed-off-by: Radhey Shyam Pandey +Reviewed-by: Claudiu Beznea +Link: https://lore.kernel.org/r/20220512171900.32593-1-harini.katakam@xilinx.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cadence/macb_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c +index 217c1a0f8940..2fd3dd4b8b81 100644 +--- a/drivers/net/ethernet/cadence/macb_main.c ++++ b/drivers/net/ethernet/cadence/macb_main.c +@@ -1250,7 +1250,6 @@ static void gem_rx_refill(struct macb_queue *queue) + /* Make hw descriptor updates visible to CPU */ + rmb(); + +- queue->rx_prepared_head++; + desc = macb_rx_desc(queue, entry); + + if (!queue->rx_skbuff[entry]) { +@@ -1289,6 +1288,7 @@ static void gem_rx_refill(struct macb_queue *queue) + dma_wmb(); + desc->addr &= ~MACB_BIT(RX_USED); + } ++ queue->rx_prepared_head++; + } + + /* Make descriptor updates visible to hardware */ +-- +2.35.1 + diff --git a/queue-5.15/net-mlx5-dr-fix-missing-flow_source-when-creating-mu.patch b/queue-5.15/net-mlx5-dr-fix-missing-flow_source-when-creating-mu.patch new file mode 100644 index 00000000000..25e839e3023 --- /dev/null +++ b/queue-5.15/net-mlx5-dr-fix-missing-flow_source-when-creating-mu.patch @@ -0,0 +1,127 @@ +From 95460d412afc0e32069fa06cad1287134ff5a51b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Mar 2022 10:07:44 +0200 +Subject: net/mlx5: DR, Fix missing flow_source when creating multi-destination + FW table + +From: Maor Dickman + +[ Upstream commit 2c5fc6cd269ad3476da99dad02521d2af4a8e906 ] + +In order to support multiple destination FTEs with SW steering +FW table is created with single FTE with multiple actions and +SW steering rule forward to it. When creating this table, flow +source isn't set according to the original FTE. + +Fix this by passing the original FTE flow source to the created +FW table. + +Fixes: 34583beea4b7 ("net/mlx5: DR, Create multi-destination table for SW-steering use") +Signed-off-by: Maor Dickman +Reviewed-by: Yevgeny Kliteynik +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + .../net/ethernet/mellanox/mlx5/core/steering/dr_action.c | 6 ++++-- + drivers/net/ethernet/mellanox/mlx5/core/steering/dr_fw.c | 4 +++- + drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h | 3 ++- + drivers/net/ethernet/mellanox/mlx5/core/steering/fs_dr.c | 4 +++- + drivers/net/ethernet/mellanox/mlx5/core/steering/mlx5dr.h | 3 ++- + 5 files changed, 14 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c +index a5b9f65db23c..897c7f852123 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c +@@ -846,7 +846,8 @@ struct mlx5dr_action * + mlx5dr_action_create_mult_dest_tbl(struct mlx5dr_domain *dmn, + struct mlx5dr_action_dest *dests, + u32 num_of_dests, +- bool ignore_flow_level) ++ bool ignore_flow_level, ++ u32 flow_source) + { + struct mlx5dr_cmd_flow_destination_hw_info *hw_dests; + struct mlx5dr_action **ref_actions; +@@ -914,7 +915,8 @@ mlx5dr_action_create_mult_dest_tbl(struct mlx5dr_domain *dmn, + reformat_req, + &action->dest_tbl->fw_tbl.id, + &action->dest_tbl->fw_tbl.group_id, +- ignore_flow_level); ++ ignore_flow_level, ++ flow_source); + if (ret) + goto free_action; + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_fw.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_fw.c +index 0d6f86eb248b..c74083de1801 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_fw.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_fw.c +@@ -104,7 +104,8 @@ int mlx5dr_fw_create_md_tbl(struct mlx5dr_domain *dmn, + bool reformat_req, + u32 *tbl_id, + u32 *group_id, +- bool ignore_flow_level) ++ bool ignore_flow_level, ++ u32 flow_source) + { + struct mlx5dr_cmd_create_flow_table_attr ft_attr = {}; + struct mlx5dr_cmd_fte_info fte_info = {}; +@@ -139,6 +140,7 @@ int mlx5dr_fw_create_md_tbl(struct mlx5dr_domain *dmn, + fte_info.val = val; + fte_info.dest_arr = dest; + fte_info.ignore_flow_level = ignore_flow_level; ++ fte_info.flow_context.flow_source = flow_source; + + ret = mlx5dr_cmd_set_fte(dmn->mdev, 0, 0, &ft_info, *group_id, &fte_info); + if (ret) { +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h +index 3d4e035698dd..bc206836af6a 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h +@@ -1394,7 +1394,8 @@ int mlx5dr_fw_create_md_tbl(struct mlx5dr_domain *dmn, + bool reformat_req, + u32 *tbl_id, + u32 *group_id, +- bool ignore_flow_level); ++ bool ignore_flow_level, ++ u32 flow_source); + void mlx5dr_fw_destroy_md_tbl(struct mlx5dr_domain *dmn, u32 tbl_id, + u32 group_id); + #endif /* _DR_TYPES_H_ */ +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/fs_dr.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/fs_dr.c +index 7e58f4e594b7..ae4597118f8b 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/fs_dr.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/fs_dr.c +@@ -492,11 +492,13 @@ static int mlx5_cmd_dr_create_fte(struct mlx5_flow_root_namespace *ns, + } else if (num_term_actions > 1) { + bool ignore_flow_level = + !!(fte->action.flags & FLOW_ACT_IGNORE_FLOW_LEVEL); ++ u32 flow_source = fte->flow_context.flow_source; + + tmp_action = mlx5dr_action_create_mult_dest_tbl(domain, + term_actions, + num_term_actions, +- ignore_flow_level); ++ ignore_flow_level, ++ flow_source); + if (!tmp_action) { + err = -EOPNOTSUPP; + goto free_actions; +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/mlx5dr.h b/drivers/net/ethernet/mellanox/mlx5/core/steering/mlx5dr.h +index 5ef199543479..7806e5c05b67 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/mlx5dr.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/mlx5dr.h +@@ -96,7 +96,8 @@ struct mlx5dr_action * + mlx5dr_action_create_mult_dest_tbl(struct mlx5dr_domain *dmn, + struct mlx5dr_action_dest *dests, + u32 num_of_dests, +- bool ignore_flow_level); ++ bool ignore_flow_level, ++ u32 flow_source); + + struct mlx5dr_action *mlx5dr_action_create_drop(void); + +-- +2.35.1 + diff --git a/queue-5.15/net-mlx5e-properly-block-lro-when-xdp-is-enabled.patch b/queue-5.15/net-mlx5e-properly-block-lro-when-xdp-is-enabled.patch new file mode 100644 index 00000000000..50323723f1b --- /dev/null +++ b/queue-5.15/net-mlx5e-properly-block-lro-when-xdp-is-enabled.patch @@ -0,0 +1,47 @@ +From 39e3c681b3e2d1c82e836a209dbbb5952363239f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Apr 2022 18:37:03 +0300 +Subject: net/mlx5e: Properly block LRO when XDP is enabled + +From: Maxim Mikityanskiy + +[ Upstream commit cf6e34c8c22fba66bd21244b95ea47e235f68974 ] + +LRO is incompatible and mutually exclusive with XDP. However, the needed +checks are only made when enabling XDP. If LRO is enabled when XDP is +already active, the command will succeed, and XDP will be skipped in the +data path, although still enabled. + +This commit fixes the bug by checking the XDP status in +mlx5e_fix_features and disabling LRO if XDP is enabled. + +Fixes: 86994156c736 ("net/mlx5e: XDP fast RX drop bpf programs support") +Signed-off-by: Maxim Mikityanskiy +Reviewed-by: Tariq Toukan +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index 01301bee420c..7efb898e9f96 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -3542,6 +3542,13 @@ static netdev_features_t mlx5e_fix_features(struct net_device *netdev, + } + } + ++ if (params->xdp_prog) { ++ if (features & NETIF_F_LRO) { ++ netdev_warn(netdev, "LRO is incompatible with XDP\n"); ++ features &= ~NETIF_F_LRO; ++ } ++ } ++ + if (MLX5E_GET_PFLAG(params, MLX5E_PFLAG_RX_CQE_COMPRESS)) { + features &= ~NETIF_F_RXHASH; + if (netdev->features & NETIF_F_RXHASH) +-- +2.35.1 + diff --git a/queue-5.15/net-qla3xxx-fix-a-test-in-ql_reset_work.patch b/queue-5.15/net-qla3xxx-fix-a-test-in-ql_reset_work.patch new file mode 100644 index 00000000000..ecebba47ce5 --- /dev/null +++ b/queue-5.15/net-qla3xxx-fix-a-test-in-ql_reset_work.patch @@ -0,0 +1,48 @@ +From e1a7e922bc6c3b0e2123d1ee87b40647e696e6e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 15 May 2022 20:07:02 +0200 +Subject: net/qla3xxx: Fix a test in ql_reset_work() + +From: Christophe JAILLET + +[ Upstream commit 5361448e45fac6fb96738df748229432a62d78b6 ] + +test_bit() tests if one bit is set or not. +Here the logic seems to check of bit QL_RESET_PER_SCSI (i.e. 4) OR bit +QL_RESET_START (i.e. 3) is set. + +In fact, it checks if bit 7 (4 | 3 = 7) is set, that is to say +QL_ADAPTER_UP. + +This looks harmless, because this bit is likely be set, and when the +ql_reset_work() delayed work is scheduled in ql3xxx_isr() (the only place +that schedule this work), QL_RESET_START or QL_RESET_PER_SCSI is set. + +This has been spotted by smatch. + +Fixes: 5a4faa873782 ("[PATCH] qla3xxx NIC driver") +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/80e73e33f390001d9c0140ffa9baddf6466a41a2.1652637337.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qla3xxx.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/qlogic/qla3xxx.c b/drivers/net/ethernet/qlogic/qla3xxx.c +index 4eb9ea280474..40d14d80f6f1 100644 +--- a/drivers/net/ethernet/qlogic/qla3xxx.c ++++ b/drivers/net/ethernet/qlogic/qla3xxx.c +@@ -3612,7 +3612,8 @@ static void ql_reset_work(struct work_struct *work) + qdev->mem_map_registers; + unsigned long hw_flags; + +- if (test_bit((QL_RESET_PER_SCSI | QL_RESET_START), &qdev->flags)) { ++ if (test_bit(QL_RESET_PER_SCSI, &qdev->flags) || ++ test_bit(QL_RESET_START, &qdev->flags)) { + clear_bit(QL_LINK_MASTER, &qdev->flags); + + /* +-- +2.35.1 + diff --git a/queue-5.15/net-sched-act_pedit-sanitize-shift-argument-before-u.patch b/queue-5.15/net-sched-act_pedit-sanitize-shift-argument-before-u.patch new file mode 100644 index 00000000000..b9c258ba25f --- /dev/null +++ b/queue-5.15/net-sched-act_pedit-sanitize-shift-argument-before-u.patch @@ -0,0 +1,84 @@ +From 8082e0f6406b972bc00a41dfa874badaa6cd1725 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 May 2022 11:27:06 +0200 +Subject: net/sched: act_pedit: sanitize shift argument before usage + +From: Paolo Abeni + +[ Upstream commit 4d42d54a7d6aa6d29221d3fd4f2ae9503e94f011 ] + +syzbot was able to trigger an Out-of-Bound on the pedit action: + +UBSAN: shift-out-of-bounds in net/sched/act_pedit.c:238:43 +shift exponent 1400735974 is too large for 32-bit type 'unsigned int' +CPU: 0 PID: 3606 Comm: syz-executor151 Not tainted 5.18.0-rc5-syzkaller-00165-g810c2f0a3f86 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 + ubsan_epilogue+0xb/0x50 lib/ubsan.c:151 + __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x187 lib/ubsan.c:322 + tcf_pedit_init.cold+0x1a/0x1f net/sched/act_pedit.c:238 + tcf_action_init_1+0x414/0x690 net/sched/act_api.c:1367 + tcf_action_init+0x530/0x8d0 net/sched/act_api.c:1432 + tcf_action_add+0xf9/0x480 net/sched/act_api.c:1956 + tc_ctl_action+0x346/0x470 net/sched/act_api.c:2015 + rtnetlink_rcv_msg+0x413/0xb80 net/core/rtnetlink.c:5993 + netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2502 + netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] + netlink_unicast+0x543/0x7f0 net/netlink/af_netlink.c:1345 + netlink_sendmsg+0x904/0xe00 net/netlink/af_netlink.c:1921 + sock_sendmsg_nosec net/socket.c:705 [inline] + sock_sendmsg+0xcf/0x120 net/socket.c:725 + ____sys_sendmsg+0x6e2/0x800 net/socket.c:2413 + ___sys_sendmsg+0xf3/0x170 net/socket.c:2467 + __sys_sendmsg+0xe5/0x1b0 net/socket.c:2496 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae +RIP: 0033:0x7fe36e9e1b59 +Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007ffef796fe88 EFLAGS: 00000246 ORIG_RAX: 000000000000002e +RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe36e9e1b59 +RDX: 0000000000000000 RSI: 0000000020000300 RDI: 0000000000000003 +RBP: 00007fe36e9a5d00 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe36e9a5d90 +R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 + + +The 'shift' field is not validated, and any value above 31 will +trigger out-of-bounds. The issue predates the git history, but +syzbot was able to trigger it only after the commit mentioned in +the fixes tag, and this change only applies on top of such commit. + +Address the issue bounding the 'shift' value to the maximum allowed +by the relevant operator. + +Reported-and-tested-by: syzbot+8ed8fc4c57e9dcf23ca6@syzkaller.appspotmail.com +Fixes: 8b796475fd78 ("net/sched: act_pedit: really ensure the skb is writable") +Signed-off-by: Paolo Abeni +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sched/act_pedit.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/sched/act_pedit.c b/net/sched/act_pedit.c +index cfadd613644a..1262a84b725f 100644 +--- a/net/sched/act_pedit.c ++++ b/net/sched/act_pedit.c +@@ -232,6 +232,10 @@ static int tcf_pedit_init(struct net *net, struct nlattr *nla, + for (i = 0; i < p->tcfp_nkeys; ++i) { + u32 cur = p->tcfp_keys[i].off; + ++ /* sanitize the shift value for any later use */ ++ p->tcfp_keys[i].shift = min_t(size_t, BITS_PER_TYPE(int) - 1, ++ p->tcfp_keys[i].shift); ++ + /* The AT option can read a single byte, we can bound the actual + * value with uchar max. + */ +-- +2.35.1 + diff --git a/queue-5.15/net-stmmac-fix-missing-pci_disable_device-on-error-i.patch b/queue-5.15/net-stmmac-fix-missing-pci_disable_device-on-error-i.patch new file mode 100644 index 00000000000..e7d735e8372 --- /dev/null +++ b/queue-5.15/net-stmmac-fix-missing-pci_disable_device-on-error-i.patch @@ -0,0 +1,46 @@ +From 5bfd9f17bef2bef233185e03d97490d227120c1b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 May 2022 11:13:16 +0800 +Subject: net: stmmac: fix missing pci_disable_device() on error in + stmmac_pci_probe() + +From: Yang Yingliang + +[ Upstream commit 0807ce0b010418a191e0e4009803b2d74c3245d5 ] + +Switch to using pcim_enable_device() to avoid missing pci_disable_device(). + +Reported-by: Hulk Robot +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20220510031316.1780409-1-yangyingliang@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c +index fcf17d8a0494..644bb54f5f02 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c +@@ -181,7 +181,7 @@ static int stmmac_pci_probe(struct pci_dev *pdev, + return -ENOMEM; + + /* Enable pci device */ +- ret = pci_enable_device(pdev); ++ ret = pcim_enable_device(pdev); + if (ret) { + dev_err(&pdev->dev, "%s: ERROR: failed to enable device\n", + __func__); +@@ -241,8 +241,6 @@ static void stmmac_pci_remove(struct pci_dev *pdev) + pcim_iounmap_regions(pdev, BIT(i)); + break; + } +- +- pci_disable_device(pdev); + } + + static int __maybe_unused stmmac_pci_suspend(struct device *dev) +-- +2.35.1 + diff --git a/queue-5.15/net-systemport-fix-an-error-handling-path-in-bcm_sys.patch b/queue-5.15/net-systemport-fix-an-error-handling-path-in-bcm_sys.patch new file mode 100644 index 00000000000..a93ab07039f --- /dev/null +++ b/queue-5.15/net-systemport-fix-an-error-handling-path-in-bcm_sys.patch @@ -0,0 +1,44 @@ +From 3ccc3c8824789bff61d4427c6628f2fd340d22ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 15 May 2022 19:01:56 +0200 +Subject: net: systemport: Fix an error handling path in bcm_sysport_probe() + +From: Christophe JAILLET + +[ Upstream commit ef6b1cd11962aec21c58d137006ab122dbc8d6fd ] + +if devm_clk_get_optional() fails, we still need to go through the error +handling path. + +Add the missing goto. + +Fixes: 6328a126896ea ("net: systemport: Manage Wake-on-LAN clock") +Signed-off-by: Christophe JAILLET +Acked-by: Florian Fainelli +Link: https://lore.kernel.org/r/99d70634a81c229885ae9e4ee69b2035749f7edc.1652634040.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bcmsysport.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/bcmsysport.c b/drivers/net/ethernet/broadcom/bcmsysport.c +index 0877b3d7f88c..ae541a9d1eee 100644 +--- a/drivers/net/ethernet/broadcom/bcmsysport.c ++++ b/drivers/net/ethernet/broadcom/bcmsysport.c +@@ -2585,8 +2585,10 @@ static int bcm_sysport_probe(struct platform_device *pdev) + device_set_wakeup_capable(&pdev->dev, 1); + + priv->wol_clk = devm_clk_get_optional(&pdev->dev, "sw_sysportwol"); +- if (IS_ERR(priv->wol_clk)) +- return PTR_ERR(priv->wol_clk); ++ if (IS_ERR(priv->wol_clk)) { ++ ret = PTR_ERR(priv->wol_clk); ++ goto err_deregister_fixed_link; ++ } + + /* Set the needed headroom once and for all */ + BUILD_BUG_ON(sizeof(struct bcm_tsb) != 8); +-- +2.35.1 + diff --git a/queue-5.15/net-vmxnet3-fix-possible-null-pointer-dereference-in.patch b/queue-5.15/net-vmxnet3-fix-possible-null-pointer-dereference-in.patch new file mode 100644 index 00000000000..0a3dd333b51 --- /dev/null +++ b/queue-5.15/net-vmxnet3-fix-possible-null-pointer-dereference-in.patch @@ -0,0 +1,68 @@ +From 5a3cc1e7c7fe84a875e629cf68626818580a97ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 14 May 2022 13:07:11 +0800 +Subject: net: vmxnet3: fix possible NULL pointer dereference in + vmxnet3_rq_cleanup() + +From: Zixuan Fu + +[ Upstream commit edf410cb74dc612fd47ef5be319c5a0bcd6e6ccd ] + +In vmxnet3_rq_create(), when dma_alloc_coherent() fails, +vmxnet3_rq_destroy() is called. It sets rq->rx_ring[i].base to NULL. Then +vmxnet3_rq_create() returns an error to its callers mxnet3_rq_create_all() +-> vmxnet3_change_mtu(). Then vmxnet3_change_mtu() calls +vmxnet3_force_close() -> dev_close() in error handling code. And the driver +calls vmxnet3_close() -> vmxnet3_quiesce_dev() -> vmxnet3_rq_cleanup_all() +-> vmxnet3_rq_cleanup(). In vmxnet3_rq_cleanup(), +rq->rx_ring[ring_idx].base is accessed, but this variable is NULL, causing +a NULL pointer dereference. + +To fix this possible bug, an if statement is added to check whether +rq->rx_ring[0].base is NULL in vmxnet3_rq_cleanup() and exit early if so. + +The error log in our fault-injection testing is shown as follows: + +[ 65.220135] BUG: kernel NULL pointer dereference, address: 0000000000000008 +... +[ 65.222633] RIP: 0010:vmxnet3_rq_cleanup_all+0x396/0x4e0 [vmxnet3] +... +[ 65.227977] Call Trace: +... +[ 65.228262] vmxnet3_quiesce_dev+0x80f/0x8a0 [vmxnet3] +[ 65.228580] vmxnet3_close+0x2c4/0x3f0 [vmxnet3] +[ 65.228866] __dev_close_many+0x288/0x350 +[ 65.229607] dev_close_many+0xa4/0x480 +[ 65.231124] dev_close+0x138/0x230 +[ 65.231933] vmxnet3_force_close+0x1f0/0x240 [vmxnet3] +[ 65.232248] vmxnet3_change_mtu+0x75d/0x920 [vmxnet3] +... + +Fixes: d1a890fa37f27 ("net: VMware virtual Ethernet NIC driver: vmxnet3") +Reported-by: TOTE Robot +Signed-off-by: Zixuan Fu +Link: https://lore.kernel.org/r/20220514050711.2636709-1-r33s3n6@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/vmxnet3/vmxnet3_drv.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/vmxnet3/vmxnet3_drv.c b/drivers/net/vmxnet3/vmxnet3_drv.c +index 8ab86bbdbf5e..bc3192cf48e3 100644 +--- a/drivers/net/vmxnet3/vmxnet3_drv.c ++++ b/drivers/net/vmxnet3/vmxnet3_drv.c +@@ -1668,6 +1668,10 @@ vmxnet3_rq_cleanup(struct vmxnet3_rx_queue *rq, + u32 i, ring_idx; + struct Vmxnet3_RxDesc *rxd; + ++ /* ring has already been cleaned up */ ++ if (!rq->rx_ring[0].base) ++ return; ++ + for (ring_idx = 0; ring_idx < 2; ring_idx++) { + for (i = 0; i < rq->rx_ring[ring_idx].size; i++) { + #ifdef __BIG_ENDIAN_BITFIELD +-- +2.35.1 + diff --git a/queue-5.15/net-vmxnet3-fix-possible-use-after-free-bugs-in-vmxn.patch b/queue-5.15/net-vmxnet3-fix-possible-use-after-free-bugs-in-vmxn.patch new file mode 100644 index 00000000000..11df4517b3f --- /dev/null +++ b/queue-5.15/net-vmxnet3-fix-possible-use-after-free-bugs-in-vmxn.patch @@ -0,0 +1,94 @@ +From fe7f2458fb066b75a767043710f56139dff33078 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 14 May 2022 13:06:56 +0800 +Subject: net: vmxnet3: fix possible use-after-free bugs in + vmxnet3_rq_alloc_rx_buf() + +From: Zixuan Fu + +[ Upstream commit 9e7fef9521e73ca8afd7da9e58c14654b02dfad8 ] + +In vmxnet3_rq_alloc_rx_buf(), when dma_map_single() fails, rbi->skb is +freed immediately. Similarly, in another branch, when dma_map_page() fails, +rbi->page is also freed. In the two cases, vmxnet3_rq_alloc_rx_buf() +returns an error to its callers vmxnet3_rq_init() -> vmxnet3_rq_init_all() +-> vmxnet3_activate_dev(). Then vmxnet3_activate_dev() calls +vmxnet3_rq_cleanup_all() in error handling code, and rbi->skb or rbi->page +are freed again in vmxnet3_rq_cleanup_all(), causing use-after-free bugs. + +To fix these possible bugs, rbi->skb and rbi->page should be cleared after +they are freed. + +The error log in our fault-injection testing is shown as follows: + +[ 14.319016] BUG: KASAN: use-after-free in consume_skb+0x2f/0x150 +... +[ 14.321586] Call Trace: +... +[ 14.325357] consume_skb+0x2f/0x150 +[ 14.325671] vmxnet3_rq_cleanup_all+0x33a/0x4e0 [vmxnet3] +[ 14.326150] vmxnet3_activate_dev+0xb9d/0x2ca0 [vmxnet3] +[ 14.326616] vmxnet3_open+0x387/0x470 [vmxnet3] +... +[ 14.361675] Allocated by task 351: +... +[ 14.362688] __netdev_alloc_skb+0x1b3/0x6f0 +[ 14.362960] vmxnet3_rq_alloc_rx_buf+0x1b0/0x8d0 [vmxnet3] +[ 14.363317] vmxnet3_activate_dev+0x3e3/0x2ca0 [vmxnet3] +[ 14.363661] vmxnet3_open+0x387/0x470 [vmxnet3] +... +[ 14.367309] +[ 14.367412] Freed by task 351: +... +[ 14.368932] __dev_kfree_skb_any+0xd2/0xe0 +[ 14.369193] vmxnet3_rq_alloc_rx_buf+0x71e/0x8d0 [vmxnet3] +[ 14.369544] vmxnet3_activate_dev+0x3e3/0x2ca0 [vmxnet3] +[ 14.369883] vmxnet3_open+0x387/0x470 [vmxnet3] +[ 14.370174] __dev_open+0x28a/0x420 +[ 14.370399] __dev_change_flags+0x192/0x590 +[ 14.370667] dev_change_flags+0x7a/0x180 +[ 14.370919] do_setlink+0xb28/0x3570 +[ 14.371150] rtnl_newlink+0x1160/0x1740 +[ 14.371399] rtnetlink_rcv_msg+0x5bf/0xa50 +[ 14.371661] netlink_rcv_skb+0x1cd/0x3e0 +[ 14.371913] netlink_unicast+0x5dc/0x840 +[ 14.372169] netlink_sendmsg+0x856/0xc40 +[ 14.372420] ____sys_sendmsg+0x8a7/0x8d0 +[ 14.372673] __sys_sendmsg+0x1c2/0x270 +[ 14.372914] do_syscall_64+0x41/0x90 +[ 14.373145] entry_SYSCALL_64_after_hwframe+0x44/0xae +... + +Fixes: 5738a09d58d5a ("vmxnet3: fix checks for dma mapping errors") +Reported-by: TOTE Robot +Signed-off-by: Zixuan Fu +Link: https://lore.kernel.org/r/20220514050656.2636588-1-r33s3n6@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/vmxnet3/vmxnet3_drv.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/vmxnet3/vmxnet3_drv.c b/drivers/net/vmxnet3/vmxnet3_drv.c +index 5b0215b7c176..8ab86bbdbf5e 100644 +--- a/drivers/net/vmxnet3/vmxnet3_drv.c ++++ b/drivers/net/vmxnet3/vmxnet3_drv.c +@@ -589,6 +589,7 @@ vmxnet3_rq_alloc_rx_buf(struct vmxnet3_rx_queue *rq, u32 ring_idx, + if (dma_mapping_error(&adapter->pdev->dev, + rbi->dma_addr)) { + dev_kfree_skb_any(rbi->skb); ++ rbi->skb = NULL; + rq->stats.rx_buf_alloc_failure++; + break; + } +@@ -613,6 +614,7 @@ vmxnet3_rq_alloc_rx_buf(struct vmxnet3_rx_queue *rq, u32 ring_idx, + if (dma_mapping_error(&adapter->pdev->dev, + rbi->dma_addr)) { + put_page(rbi->page); ++ rbi->page = NULL; + rq->stats.rx_buf_alloc_failure++; + break; + } +-- +2.35.1 + diff --git a/queue-5.15/netfilter-flowtable-fix-excessive-hw-offload-attempt.patch b/queue-5.15/netfilter-flowtable-fix-excessive-hw-offload-attempt.patch new file mode 100644 index 00000000000..dcf0fd60fc0 --- /dev/null +++ b/queue-5.15/netfilter-flowtable-fix-excessive-hw-offload-attempt.patch @@ -0,0 +1,41 @@ +From 129d5913bba96dc9fdae1f06e2948e0c1343e519 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 May 2022 14:26:13 +0200 +Subject: netfilter: flowtable: fix excessive hw offload attempts after failure + +From: Felix Fietkau + +[ Upstream commit 396ef64113a8ba01c46315d67a99db8dde3eef51 ] + +If a flow cannot be offloaded, the code currently repeatedly tries again as +quickly as possible, which can significantly increase system load. +Fix this by limiting flow timeout update and hardware offload retry to once +per second. + +Fixes: c07531c01d82 ("netfilter: flowtable: Remove redundant hw refresh bit") +Signed-off-by: Felix Fietkau +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_flow_table_core.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c +index b90eca7a2f22..52e7f94d2450 100644 +--- a/net/netfilter/nf_flow_table_core.c ++++ b/net/netfilter/nf_flow_table_core.c +@@ -329,8 +329,10 @@ void flow_offload_refresh(struct nf_flowtable *flow_table, + u32 timeout; + + timeout = nf_flowtable_time_stamp + flow_offload_get_timeout(flow); +- if (READ_ONCE(flow->timeout) != timeout) ++ if (timeout - READ_ONCE(flow->timeout) > HZ) + WRITE_ONCE(flow->timeout, timeout); ++ else ++ return; + + if (likely(!nf_flowtable_hw_offload(flow_table))) + return; +-- +2.35.1 + diff --git a/queue-5.15/netfilter-flowtable-fix-tcp-flow-teardown.patch b/queue-5.15/netfilter-flowtable-fix-tcp-flow-teardown.patch new file mode 100644 index 00000000000..3041a486981 --- /dev/null +++ b/queue-5.15/netfilter-flowtable-fix-tcp-flow-teardown.patch @@ -0,0 +1,162 @@ +From 7a2a5b79d89d8832182b0bbc4c41f0edfefd5fe2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 May 2022 10:44:14 +0200 +Subject: netfilter: flowtable: fix TCP flow teardown + +From: Pablo Neira Ayuso + +[ Upstream commit e5eaac2beb54f0a16ff851125082d9faeb475572 ] + +This patch addresses three possible problems: + +1. ct gc may race to undo the timeout adjustment of the packet path, leaving + the conntrack entry in place with the internal offload timeout (one day). + +2. ct gc removes the ct because the IPS_OFFLOAD_BIT is not set and the CLOSE + timeout is reached before the flow offload del. + +3. tcp ct is always set to ESTABLISHED with a very long timeout + in flow offload teardown/delete even though the state might be already + CLOSED. Also as a remark we cannot assume that the FIN or RST packet + is hitting flow table teardown as the packet might get bumped to the + slow path in nftables. + +This patch resets IPS_OFFLOAD_BIT from flow_offload_teardown(), so +conntrack handles the tcp rst/fin packet which triggers the CLOSE/FIN +state transition. + +Moreover, teturn the connection's ownership to conntrack upon teardown +by clearing the offload flag and fixing the established timeout value. +The flow table GC thread will asynchonrnously free the flow table and +hardware offload entries. + +Before this patch, the IPS_OFFLOAD_BIT remained set for expired flows on +which is also misleading since the flow is back to classic conntrack +path. + +If nf_ct_delete() removes the entry from the conntrack table, then it +calls nf_ct_put() which decrements the refcnt. This is not a problem +because the flowtable holds a reference to the conntrack object from +flow_offload_alloc() path which is released via flow_offload_free(). + +This patch also updates nft_flow_offload to skip packets in SYN_RECV +state. Since we might miss or bump packets to slow path, we do not know +what will happen there while we are still in SYN_RECV, this patch +postpones offload up to the next packet which also aligns to the +existing behaviour in tc-ct. + +flow_offload_teardown() does not reset the existing tcp state from +flow_offload_fixup_tcp() to ESTABLISHED anymore, packets bump to slow +path might have already update the state to CLOSE/FIN. + +Joint work with Oz and Sven. + +Fixes: 1e5b2471bcc4 ("netfilter: nf_flow_table: teardown flow timeout race") +Signed-off-by: Oz Shlomo +Signed-off-by: Sven Auhagen +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_flow_table_core.c | 33 +++++++----------------------- + net/netfilter/nft_flow_offload.c | 3 ++- + 2 files changed, 9 insertions(+), 27 deletions(-) + +diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c +index 52e7f94d2450..58f3f77b3eb2 100644 +--- a/net/netfilter/nf_flow_table_core.c ++++ b/net/netfilter/nf_flow_table_core.c +@@ -173,12 +173,11 @@ EXPORT_SYMBOL_GPL(flow_offload_route_init); + + static void flow_offload_fixup_tcp(struct ip_ct_tcp *tcp) + { +- tcp->state = TCP_CONNTRACK_ESTABLISHED; + tcp->seen[0].td_maxwin = 0; + tcp->seen[1].td_maxwin = 0; + } + +-static void flow_offload_fixup_ct_timeout(struct nf_conn *ct) ++static void flow_offload_fixup_ct(struct nf_conn *ct) + { + struct net *net = nf_ct_net(ct); + int l4num = nf_ct_protonum(ct); +@@ -187,7 +186,9 @@ static void flow_offload_fixup_ct_timeout(struct nf_conn *ct) + if (l4num == IPPROTO_TCP) { + struct nf_tcp_net *tn = nf_tcp_pernet(net); + +- timeout = tn->timeouts[TCP_CONNTRACK_ESTABLISHED]; ++ flow_offload_fixup_tcp(&ct->proto.tcp); ++ ++ timeout = tn->timeouts[ct->proto.tcp.state]; + timeout -= tn->offload_timeout; + } else if (l4num == IPPROTO_UDP) { + struct nf_udp_net *tn = nf_udp_pernet(net); +@@ -205,18 +206,6 @@ static void flow_offload_fixup_ct_timeout(struct nf_conn *ct) + WRITE_ONCE(ct->timeout, nfct_time_stamp + timeout); + } + +-static void flow_offload_fixup_ct_state(struct nf_conn *ct) +-{ +- if (nf_ct_protonum(ct) == IPPROTO_TCP) +- flow_offload_fixup_tcp(&ct->proto.tcp); +-} +- +-static void flow_offload_fixup_ct(struct nf_conn *ct) +-{ +- flow_offload_fixup_ct_state(ct); +- flow_offload_fixup_ct_timeout(ct); +-} +- + static void flow_offload_route_release(struct flow_offload *flow) + { + nft_flow_dst_release(flow, FLOW_OFFLOAD_DIR_ORIGINAL); +@@ -355,22 +344,14 @@ static void flow_offload_del(struct nf_flowtable *flow_table, + rhashtable_remove_fast(&flow_table->rhashtable, + &flow->tuplehash[FLOW_OFFLOAD_DIR_REPLY].node, + nf_flow_offload_rhash_params); +- +- clear_bit(IPS_OFFLOAD_BIT, &flow->ct->status); +- +- if (nf_flow_has_expired(flow)) +- flow_offload_fixup_ct(flow->ct); +- else +- flow_offload_fixup_ct_timeout(flow->ct); +- + flow_offload_free(flow); + } + + void flow_offload_teardown(struct flow_offload *flow) + { ++ clear_bit(IPS_OFFLOAD_BIT, &flow->ct->status); + set_bit(NF_FLOW_TEARDOWN, &flow->flags); +- +- flow_offload_fixup_ct_state(flow->ct); ++ flow_offload_fixup_ct(flow->ct); + } + EXPORT_SYMBOL_GPL(flow_offload_teardown); + +@@ -460,7 +441,7 @@ static void nf_flow_offload_gc_step(struct flow_offload *flow, void *data) + if (nf_flow_has_expired(flow) || + nf_ct_is_dying(flow->ct) || + nf_flow_has_stale_dst(flow)) +- set_bit(NF_FLOW_TEARDOWN, &flow->flags); ++ flow_offload_teardown(flow); + + if (test_bit(NF_FLOW_TEARDOWN, &flow->flags)) { + if (test_bit(NF_FLOW_HW, &flow->flags)) { +diff --git a/net/netfilter/nft_flow_offload.c b/net/netfilter/nft_flow_offload.c +index 12145a80ef03..aac6db8680d4 100644 +--- a/net/netfilter/nft_flow_offload.c ++++ b/net/netfilter/nft_flow_offload.c +@@ -298,7 +298,8 @@ static void nft_flow_offload_eval(const struct nft_expr *expr, + case IPPROTO_TCP: + tcph = skb_header_pointer(pkt->skb, nft_thoff(pkt), + sizeof(_tcph), &_tcph); +- if (unlikely(!tcph || tcph->fin || tcph->rst)) ++ if (unlikely(!tcph || tcph->fin || tcph->rst || ++ !nf_conntrack_tcp_established(ct))) + goto out; + break; + case IPPROTO_UDP: +-- +2.35.1 + diff --git a/queue-5.15/netfilter-flowtable-move-dst_check-to-packet-path.patch b/queue-5.15/netfilter-flowtable-move-dst_check-to-packet-path.patch new file mode 100644 index 00000000000..2ab669a695e --- /dev/null +++ b/queue-5.15/netfilter-flowtable-move-dst_check-to-packet-path.patch @@ -0,0 +1,110 @@ +From 1e3a216879f34e39478ec210602375936a8f1c3c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 May 2022 12:55:30 +0200 +Subject: netfilter: flowtable: move dst_check to packet path + +From: Ritaro Takenaka + +[ Upstream commit 2738d9d963bd1f06d5114c2b4fa5771a95703991 ] + +Fixes sporadic IPv6 packet loss when flow offloading is enabled. + +IPv6 route GC and flowtable GC are not synchronized. +When dst_cache becomes stale and a packet passes through the flow before +the flowtable GC teardowns it, the packet can be dropped. +So, it is necessary to check dst every time in packet path. + +Fixes: 227e1e4d0d6c ("netfilter: nf_flowtable: skip device lookup from interface index") +Signed-off-by: Ritaro Takenaka +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_flow_table_core.c | 23 +---------------------- + net/netfilter/nf_flow_table_ip.c | 19 +++++++++++++++++++ + 2 files changed, 20 insertions(+), 22 deletions(-) + +diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c +index de783c9094d7..9fb407084c50 100644 +--- a/net/netfilter/nf_flow_table_core.c ++++ b/net/netfilter/nf_flow_table_core.c +@@ -415,32 +415,11 @@ nf_flow_table_iterate(struct nf_flowtable *flow_table, + return err; + } + +-static bool flow_offload_stale_dst(struct flow_offload_tuple *tuple) +-{ +- struct dst_entry *dst; +- +- if (tuple->xmit_type == FLOW_OFFLOAD_XMIT_NEIGH || +- tuple->xmit_type == FLOW_OFFLOAD_XMIT_XFRM) { +- dst = tuple->dst_cache; +- if (!dst_check(dst, tuple->dst_cookie)) +- return true; +- } +- +- return false; +-} +- +-static bool nf_flow_has_stale_dst(struct flow_offload *flow) +-{ +- return flow_offload_stale_dst(&flow->tuplehash[FLOW_OFFLOAD_DIR_ORIGINAL].tuple) || +- flow_offload_stale_dst(&flow->tuplehash[FLOW_OFFLOAD_DIR_REPLY].tuple); +-} +- + static void nf_flow_offload_gc_step(struct nf_flowtable *flow_table, + struct flow_offload *flow, void *data) + { + if (nf_flow_has_expired(flow) || +- nf_ct_is_dying(flow->ct) || +- nf_flow_has_stale_dst(flow)) ++ nf_ct_is_dying(flow->ct)) + flow_offload_teardown(flow); + + if (test_bit(NF_FLOW_TEARDOWN, &flow->flags)) { +diff --git a/net/netfilter/nf_flow_table_ip.c b/net/netfilter/nf_flow_table_ip.c +index 6257d87c3a56..28026467b54c 100644 +--- a/net/netfilter/nf_flow_table_ip.c ++++ b/net/netfilter/nf_flow_table_ip.c +@@ -227,6 +227,15 @@ static bool nf_flow_exceeds_mtu(const struct sk_buff *skb, unsigned int mtu) + return true; + } + ++static inline bool nf_flow_dst_check(struct flow_offload_tuple *tuple) ++{ ++ if (tuple->xmit_type != FLOW_OFFLOAD_XMIT_NEIGH && ++ tuple->xmit_type != FLOW_OFFLOAD_XMIT_XFRM) ++ return true; ++ ++ return dst_check(tuple->dst_cache, tuple->dst_cookie); ++} ++ + static unsigned int nf_flow_xmit_xfrm(struct sk_buff *skb, + const struct nf_hook_state *state, + struct dst_entry *dst) +@@ -346,6 +355,11 @@ nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb, + if (nf_flow_state_check(flow, iph->protocol, skb, thoff)) + return NF_ACCEPT; + ++ if (!nf_flow_dst_check(&tuplehash->tuple)) { ++ flow_offload_teardown(flow); ++ return NF_ACCEPT; ++ } ++ + if (skb_try_make_writable(skb, thoff + hdrsize)) + return NF_DROP; + +@@ -582,6 +596,11 @@ nf_flow_offload_ipv6_hook(void *priv, struct sk_buff *skb, + if (nf_flow_state_check(flow, ip6h->nexthdr, skb, thoff)) + return NF_ACCEPT; + ++ if (!nf_flow_dst_check(&tuplehash->tuple)) { ++ flow_offload_teardown(flow); ++ return NF_ACCEPT; ++ } ++ + if (skb_try_make_writable(skb, thoff + hdrsize)) + return NF_DROP; + +-- +2.35.1 + diff --git a/queue-5.15/netfilter-flowtable-pass-flowtable-to-nf_flow_table_.patch b/queue-5.15/netfilter-flowtable-pass-flowtable-to-nf_flow_table_.patch new file mode 100644 index 00000000000..4862e405746 --- /dev/null +++ b/queue-5.15/netfilter-flowtable-pass-flowtable-to-nf_flow_table_.patch @@ -0,0 +1,90 @@ +From 4bae4b2a3bd61a1b6aef2c671b1b4491ebd06b7c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Mar 2022 13:11:24 +0100 +Subject: netfilter: flowtable: pass flowtable to nf_flow_table_iterate() + +From: Pablo Neira Ayuso + +[ Upstream commit 217cff36e885627c41a14e803fc44f9cbc945767 ] + +The flowtable object is already passed as argument to +nf_flow_table_iterate(), do use not data pointer to pass flowtable. + +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_flow_table_core.c | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c +index 58f3f77b3eb2..de783c9094d7 100644 +--- a/net/netfilter/nf_flow_table_core.c ++++ b/net/netfilter/nf_flow_table_core.c +@@ -382,7 +382,8 @@ EXPORT_SYMBOL_GPL(flow_offload_lookup); + + static int + nf_flow_table_iterate(struct nf_flowtable *flow_table, +- void (*iter)(struct flow_offload *flow, void *data), ++ void (*iter)(struct nf_flowtable *flowtable, ++ struct flow_offload *flow, void *data), + void *data) + { + struct flow_offload_tuple_rhash *tuplehash; +@@ -406,7 +407,7 @@ nf_flow_table_iterate(struct nf_flowtable *flow_table, + + flow = container_of(tuplehash, struct flow_offload, tuplehash[0]); + +- iter(flow, data); ++ iter(flow_table, flow, data); + } + rhashtable_walk_stop(&hti); + rhashtable_walk_exit(&hti); +@@ -434,10 +435,9 @@ static bool nf_flow_has_stale_dst(struct flow_offload *flow) + flow_offload_stale_dst(&flow->tuplehash[FLOW_OFFLOAD_DIR_REPLY].tuple); + } + +-static void nf_flow_offload_gc_step(struct flow_offload *flow, void *data) ++static void nf_flow_offload_gc_step(struct nf_flowtable *flow_table, ++ struct flow_offload *flow, void *data) + { +- struct nf_flowtable *flow_table = data; +- + if (nf_flow_has_expired(flow) || + nf_ct_is_dying(flow->ct) || + nf_flow_has_stale_dst(flow)) +@@ -462,7 +462,7 @@ static void nf_flow_offload_work_gc(struct work_struct *work) + struct nf_flowtable *flow_table; + + flow_table = container_of(work, struct nf_flowtable, gc_work.work); +- nf_flow_table_iterate(flow_table, nf_flow_offload_gc_step, flow_table); ++ nf_flow_table_iterate(flow_table, nf_flow_offload_gc_step, NULL); + queue_delayed_work(system_power_efficient_wq, &flow_table->gc_work, HZ); + } + +@@ -578,7 +578,8 @@ int nf_flow_table_init(struct nf_flowtable *flowtable) + } + EXPORT_SYMBOL_GPL(nf_flow_table_init); + +-static void nf_flow_table_do_cleanup(struct flow_offload *flow, void *data) ++static void nf_flow_table_do_cleanup(struct nf_flowtable *flow_table, ++ struct flow_offload *flow, void *data) + { + struct net_device *dev = data; + +@@ -620,11 +621,10 @@ void nf_flow_table_free(struct nf_flowtable *flow_table) + + cancel_delayed_work_sync(&flow_table->gc_work); + nf_flow_table_iterate(flow_table, nf_flow_table_do_cleanup, NULL); +- nf_flow_table_iterate(flow_table, nf_flow_offload_gc_step, flow_table); ++ nf_flow_table_iterate(flow_table, nf_flow_offload_gc_step, NULL); + nf_flow_table_offload_flush(flow_table); + if (nf_flowtable_hw_offload(flow_table)) +- nf_flow_table_iterate(flow_table, nf_flow_offload_gc_step, +- flow_table); ++ nf_flow_table_iterate(flow_table, nf_flow_offload_gc_step, NULL); + rhashtable_destroy(&flow_table->rhashtable); + } + EXPORT_SYMBOL_GPL(nf_flow_table_free); +-- +2.35.1 + diff --git a/queue-5.15/netfilter-nft_flow_offload-fix-offload-with-pppoe-vl.patch b/queue-5.15/netfilter-nft_flow_offload-fix-offload-with-pppoe-vl.patch new file mode 100644 index 00000000000..7ce83321ea7 --- /dev/null +++ b/queue-5.15/netfilter-nft_flow_offload-fix-offload-with-pppoe-vl.patch @@ -0,0 +1,38 @@ +From 9fba8c78cdec2cf8c4d4d5342398e6eb4f55e630 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 May 2022 14:26:16 +0200 +Subject: netfilter: nft_flow_offload: fix offload with pppoe + vlan + +From: Felix Fietkau + +[ Upstream commit 2456074935003b66c40f78df6adfc722435d43ea ] + +When running a combination of PPPoE on top of a VLAN, we need to set +info->outdev to the PPPoE device, otherwise PPPoE encap is skipped +during software offload. + +Fixes: 72efd585f714 ("netfilter: flowtable: add pppoe support") +Signed-off-by: Felix Fietkau +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_flow_offload.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nft_flow_offload.c b/net/netfilter/nft_flow_offload.c +index dd824193c920..12145a80ef03 100644 +--- a/net/netfilter/nft_flow_offload.c ++++ b/net/netfilter/nft_flow_offload.c +@@ -123,7 +123,8 @@ static void nft_dev_path_info(const struct net_device_path_stack *stack, + info->indev = NULL; + break; + } +- info->outdev = path->dev; ++ if (!info->outdev) ++ info->outdev = path->dev; + info->encap[info->num_encaps].id = path->encap.id; + info->encap[info->num_encaps].proto = path->encap.proto; + info->num_encaps++; +-- +2.35.1 + diff --git a/queue-5.15/netfilter-nft_flow_offload-skip-dst-neigh-lookup-for.patch b/queue-5.15/netfilter-nft_flow_offload-skip-dst-neigh-lookup-for.patch new file mode 100644 index 00000000000..d346fb4cc21 --- /dev/null +++ b/queue-5.15/netfilter-nft_flow_offload-skip-dst-neigh-lookup-for.patch @@ -0,0 +1,78 @@ +From 86840b7b679c451094acf4b72eef17fa6a962dc1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 May 2022 14:26:14 +0200 +Subject: netfilter: nft_flow_offload: skip dst neigh lookup for ppp devices + +From: Felix Fietkau + +[ Upstream commit 45ca3e61999e9a30ca2b7cfbf9da8a9f8d13be31 ] + +The dst entry does not contain a valid hardware address, so skip the lookup +in order to avoid running into errors here. +The proper hardware address is filled in from nft_dev_path_info + +Fixes: 72efd585f714 ("netfilter: flowtable: add pppoe support") +Signed-off-by: Felix Fietkau +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_flow_offload.c | 22 +++++++++++++--------- + 1 file changed, 13 insertions(+), 9 deletions(-) + +diff --git a/net/netfilter/nft_flow_offload.c b/net/netfilter/nft_flow_offload.c +index 0af34ad41479..dd824193c920 100644 +--- a/net/netfilter/nft_flow_offload.c ++++ b/net/netfilter/nft_flow_offload.c +@@ -36,6 +36,15 @@ static void nft_default_forward_path(struct nf_flow_route *route, + route->tuple[dir].xmit_type = nft_xmit_type(dst_cache); + } + ++static bool nft_is_valid_ether_device(const struct net_device *dev) ++{ ++ if (!dev || (dev->flags & IFF_LOOPBACK) || dev->type != ARPHRD_ETHER || ++ dev->addr_len != ETH_ALEN || !is_valid_ether_addr(dev->dev_addr)) ++ return false; ++ ++ return true; ++} ++ + static int nft_dev_fill_forward_path(const struct nf_flow_route *route, + const struct dst_entry *dst_cache, + const struct nf_conn *ct, +@@ -47,6 +56,9 @@ static int nft_dev_fill_forward_path(const struct nf_flow_route *route, + struct neighbour *n; + u8 nud_state; + ++ if (!nft_is_valid_ether_device(dev)) ++ goto out; ++ + n = dst_neigh_lookup(dst_cache, daddr); + if (!n) + return -1; +@@ -60,6 +72,7 @@ static int nft_dev_fill_forward_path(const struct nf_flow_route *route, + if (!(nud_state & NUD_VALID)) + return -1; + ++out: + return dev_fill_forward_path(dev, ha, stack); + } + +@@ -78,15 +91,6 @@ struct nft_forward_info { + enum flow_offload_xmit_type xmit_type; + }; + +-static bool nft_is_valid_ether_device(const struct net_device *dev) +-{ +- if (!dev || (dev->flags & IFF_LOOPBACK) || dev->type != ARPHRD_ETHER || +- dev->addr_len != ETH_ALEN || !is_valid_ether_addr(dev->dev_addr)) +- return false; +- +- return true; +-} +- + static void nft_dev_path_info(const struct net_device_path_stack *stack, + struct nft_forward_info *info, + unsigned char *ha, struct nf_flowtable *flowtable) +-- +2.35.1 + diff --git a/queue-5.15/nfc-nci-fix-sleep-in-atomic-context-bugs-caused-by-n.patch b/queue-5.15/nfc-nci-fix-sleep-in-atomic-context-bugs-caused-by-n.patch new file mode 100644 index 00000000000..7f2b2b52116 --- /dev/null +++ b/queue-5.15/nfc-nci-fix-sleep-in-atomic-context-bugs-caused-by-n.patch @@ -0,0 +1,81 @@ +From f7db74577281d9b3c70b9fcf0c9b9ab5f1b78326 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 May 2022 09:25:30 +0800 +Subject: NFC: nci: fix sleep in atomic context bugs caused by nci_skb_alloc + +From: Duoming Zhou + +[ Upstream commit 23dd4581350d4ffa23d58976ec46408f8f4c1e16 ] + +There are sleep in atomic context bugs when the request to secure +element of st-nci is timeout. The root cause is that nci_skb_alloc +with GFP_KERNEL parameter is called in st_nci_se_wt_timeout which is +a timer handler. The call paths that could trigger bugs are shown below: + + (interrupt context 1) +st_nci_se_wt_timeout + nci_hci_send_event + nci_hci_send_data + nci_skb_alloc(..., GFP_KERNEL) //may sleep + + (interrupt context 2) +st_nci_se_wt_timeout + nci_hci_send_event + nci_hci_send_data + nci_send_data + nci_queue_tx_data_frags + nci_skb_alloc(..., GFP_KERNEL) //may sleep + +This patch changes allocation mode of nci_skb_alloc from GFP_KERNEL to +GFP_ATOMIC in order to prevent atomic context sleeping. The GFP_ATOMIC +flag makes memory allocation operation could be used in atomic context. + +Fixes: ed06aeefdac3 ("nfc: st-nci: Rename st21nfcb to st-nci") +Signed-off-by: Duoming Zhou +Reviewed-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20220517012530.75714-1-duoming@zju.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/nfc/nci/data.c | 2 +- + net/nfc/nci/hci.c | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/nfc/nci/data.c b/net/nfc/nci/data.c +index 6055dc9a82aa..aa5e712adf07 100644 +--- a/net/nfc/nci/data.c ++++ b/net/nfc/nci/data.c +@@ -118,7 +118,7 @@ static int nci_queue_tx_data_frags(struct nci_dev *ndev, + + skb_frag = nci_skb_alloc(ndev, + (NCI_DATA_HDR_SIZE + frag_len), +- GFP_KERNEL); ++ GFP_ATOMIC); + if (skb_frag == NULL) { + rc = -ENOMEM; + goto free_exit; +diff --git a/net/nfc/nci/hci.c b/net/nfc/nci/hci.c +index e199912ee1e5..85b808fdcbc3 100644 +--- a/net/nfc/nci/hci.c ++++ b/net/nfc/nci/hci.c +@@ -153,7 +153,7 @@ static int nci_hci_send_data(struct nci_dev *ndev, u8 pipe, + + i = 0; + skb = nci_skb_alloc(ndev, conn_info->max_pkt_payload_len + +- NCI_DATA_HDR_SIZE, GFP_KERNEL); ++ NCI_DATA_HDR_SIZE, GFP_ATOMIC); + if (!skb) + return -ENOMEM; + +@@ -184,7 +184,7 @@ static int nci_hci_send_data(struct nci_dev *ndev, u8 pipe, + if (i < data_len) { + skb = nci_skb_alloc(ndev, + conn_info->max_pkt_payload_len + +- NCI_DATA_HDR_SIZE, GFP_KERNEL); ++ NCI_DATA_HDR_SIZE, GFP_ATOMIC); + if (!skb) + return -ENOMEM; + +-- +2.35.1 + diff --git a/queue-5.15/nl80211-fix-locking-in-nl80211_set_tx_bitrate_mask.patch b/queue-5.15/nl80211-fix-locking-in-nl80211_set_tx_bitrate_mask.patch new file mode 100644 index 00000000000..923a1d3b3da --- /dev/null +++ b/queue-5.15/nl80211-fix-locking-in-nl80211_set_tx_bitrate_mask.patch @@ -0,0 +1,53 @@ +From 01ff0fd1c5cc66cd11be4afd8f5edd8537d0911a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 May 2022 10:21:38 +0200 +Subject: nl80211: fix locking in nl80211_set_tx_bitrate_mask() + +From: Johannes Berg + +[ Upstream commit f971e1887fdb3ab500c9bebf4b98f62d49a20655 ] + +This accesses the wdev's chandef etc., so cannot safely +be used without holding the lock. + +Signed-off-by: Johannes Berg +Link: https://lore.kernel.org/r/20220506102136.06b7205419e6.I2a87c05fbd8bc5e565e84d190d4cfd2e92695a90@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/nl80211.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c +index 9fae09e860e1..7c65ad17bf50 100644 +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -11341,18 +11341,23 @@ static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb, + struct cfg80211_bitrate_mask mask; + struct cfg80211_registered_device *rdev = info->user_ptr[0]; + struct net_device *dev = info->user_ptr[1]; ++ struct wireless_dev *wdev = dev->ieee80211_ptr; + int err; + + if (!rdev->ops->set_bitrate_mask) + return -EOPNOTSUPP; + ++ wdev_lock(wdev); + err = nl80211_parse_tx_bitrate_mask(info, info->attrs, + NL80211_ATTR_TX_RATES, &mask, + dev, true); + if (err) +- return err; ++ goto out; + +- return rdev_set_bitrate_mask(rdev, dev, NULL, &mask); ++ err = rdev_set_bitrate_mask(rdev, dev, NULL, &mask); ++out: ++ wdev_unlock(wdev); ++ return err; + } + + static int nl80211_register_mgmt(struct sk_buff *skb, struct genl_info *info) +-- +2.35.1 + diff --git a/queue-5.15/nl80211-validate-s1g-channel-width.patch b/queue-5.15/nl80211-validate-s1g-channel-width.patch new file mode 100644 index 00000000000..88f93065c46 --- /dev/null +++ b/queue-5.15/nl80211-validate-s1g-channel-width.patch @@ -0,0 +1,44 @@ +From 182f81fb9e99b7f85813c27250e421592431c8ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Apr 2022 04:13:21 +0000 +Subject: nl80211: validate S1G channel width + +From: Kieran Frewen + +[ Upstream commit 5d087aa759eb82b8208411913f6c2158bd85abc0 ] + +Validate the S1G channel width input by user to ensure it matches +that of the requested channel + +Signed-off-by: Kieran Frewen +Signed-off-by: Bassem Dawood +Link: https://lore.kernel.org/r/20220420041321.3788789-2-kieran.frewen@morsemicro.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/nl80211.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c +index fe9cade6b4fb..9fae09e860e1 100644 +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -3080,6 +3080,15 @@ int nl80211_parse_chandef(struct cfg80211_registered_device *rdev, + } else if (attrs[NL80211_ATTR_CHANNEL_WIDTH]) { + chandef->width = + nla_get_u32(attrs[NL80211_ATTR_CHANNEL_WIDTH]); ++ if (chandef->chan->band == NL80211_BAND_S1GHZ) { ++ /* User input error for channel width doesn't match channel */ ++ if (chandef->width != ieee80211_s1g_channel_width(chandef->chan)) { ++ NL_SET_ERR_MSG_ATTR(extack, ++ attrs[NL80211_ATTR_CHANNEL_WIDTH], ++ "bad channel width"); ++ return -EINVAL; ++ } ++ } + if (attrs[NL80211_ATTR_CENTER_FREQ1]) { + chandef->center_freq1 = + nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1]); +-- +2.35.1 + diff --git a/queue-5.15/perf-bench-numa-address-compiler-error-on-s390.patch b/queue-5.15/perf-bench-numa-address-compiler-error-on-s390.patch new file mode 100644 index 00000000000..364334eb47e --- /dev/null +++ b/queue-5.15/perf-bench-numa-address-compiler-error-on-s390.patch @@ -0,0 +1,67 @@ +From 0d2a678acd2f6f5c108cf0095fe634357b7bc897 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 May 2022 10:11:58 +0200 +Subject: perf bench numa: Address compiler error on s390 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Richter + +[ Upstream commit f8ac1c478424a9a14669b8cef7389b1e14e5229d ] + +The compilation on s390 results in this error: + + # make DEBUG=y bench/numa.o + ... + bench/numa.c: In function ‘__bench_numa’: + bench/numa.c:1749:81: error: ‘%d’ directive output may be truncated + writing between 1 and 11 bytes into a region of size between + 10 and 20 [-Werror=format-truncation=] + 1749 | snprintf(tname, sizeof(tname), "process%d:thread%d", p, t); + ^~ + ... + bench/numa.c:1749:64: note: directive argument in the range + [-2147483647, 2147483646] + ... + # + +The maximum length of the %d replacement is 11 characters because of the +negative sign. Therefore extend the array by two more characters. + +Output after: + + # make DEBUG=y bench/numa.o > /dev/null 2>&1; ll bench/numa.o + -rw-r--r-- 1 root root 418320 May 19 09:11 bench/numa.o + # + +Fixes: 3aff8ba0a4c9c919 ("perf bench numa: Avoid possible truncation when using snprintf()") +Suggested-by: Namhyung Kim +Signed-off-by: Thomas Richter +Cc: Heiko Carstens +Cc: Sumanth Korikkar +Cc: Sven Schnelle +Cc: Vasily Gorbik +Link: https://lore.kernel.org/r/20220520081158.2990006-1-tmricht@linux.ibm.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/bench/numa.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/bench/numa.c b/tools/perf/bench/numa.c +index f2640179ada9..c2c81567afa5 100644 +--- a/tools/perf/bench/numa.c ++++ b/tools/perf/bench/numa.c +@@ -1672,7 +1672,7 @@ static int __bench_numa(const char *name) + "GB/sec,", "total-speed", "GB/sec total speed"); + + if (g->p.show_details >= 2) { +- char tname[14 + 2 * 10 + 1]; ++ char tname[14 + 2 * 11 + 1]; + struct thread_data *td; + for (p = 0; p < g->p.nr_proc; p++) { + for (t = 0; t < g->p.nr_threads; t++) { +-- +2.35.1 + diff --git a/queue-5.15/perf-build-fix-check-for-btf__load_from_kernel_by_id.patch b/queue-5.15/perf-build-fix-check-for-btf__load_from_kernel_by_id.patch new file mode 100644 index 00000000000..ca03a4fa955 --- /dev/null +++ b/queue-5.15/perf-build-fix-check-for-btf__load_from_kernel_by_id.patch @@ -0,0 +1,186 @@ +From e4acb4dfffab6695c32d0a3d17a360f437b1f408 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 May 2022 21:25:12 -0300 +Subject: perf build: Fix check for btf__load_from_kernel_by_id() in libbpf +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Arnaldo Carvalho de Melo + +[ Upstream commit 0ae065a5d265bc5ada13e350015458e0c5e5c351 ] + +Avi Kivity reported a problem where the __weak +btf__load_from_kernel_by_id() in tools/perf/util/bpf-event.c was being +used and it called btf__get_from_id() in tools/lib/bpf/btf.c that in +turn called back to btf__load_from_kernel_by_id(), resulting in an +endless loop. + +Fix this by adding a feature test to check if +btf__load_from_kernel_by_id() is available when building perf with +LIBBPF_DYNAMIC=1, and if not then provide the fallback to the old +btf__get_from_id(), that doesn't call back to btf__load_from_kernel_by_id() +since at that time it didn't exist at all. + +Tested on Fedora 35 where we have libbpf-devel 0.4.0 with LIBBPF_DYNAMIC +where we don't have btf__load_from_kernel_by_id() and thus its feature +test fail, not defining HAVE_LIBBPF_BTF__LOAD_FROM_KERNEL_BY_ID: + + $ cat /tmp/build/perf-urgent/feature/test-libbpf-btf__load_from_kernel_by_id.make.output + test-libbpf-btf__load_from_kernel_by_id.c: In function ‘main’: + test-libbpf-btf__load_from_kernel_by_id.c:6:16: error: implicit declaration of function ‘btf__load_from_kernel_by_id’ [-Werror=implicit-function-declaration] + 6 | return btf__load_from_kernel_by_id(20151128, NULL); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~ + cc1: all warnings being treated as errors + $ + + $ nm /tmp/build/perf-urgent/perf | grep btf__load_from_kernel_by_id + 00000000005ba180 T btf__load_from_kernel_by_id + $ + + $ objdump --disassemble=btf__load_from_kernel_by_id -S /tmp/build/perf-urgent/perf + + /tmp/build/perf-urgent/perf: file format elf64-x86-64 + + 00000000005ba180 : + #include "record.h" + #include "util/synthetic-events.h" + + #ifndef HAVE_LIBBPF_BTF__LOAD_FROM_KERNEL_BY_ID + struct btf *btf__load_from_kernel_by_id(__u32 id) + { + 5ba180: 55 push %rbp + 5ba181: 48 89 e5 mov %rsp,%rbp + 5ba184: 48 83 ec 10 sub $0x10,%rsp + 5ba188: 64 48 8b 04 25 28 00 mov %fs:0x28,%rax + 5ba18f: 00 00 + 5ba191: 48 89 45 f8 mov %rax,-0x8(%rbp) + 5ba195: 31 c0 xor %eax,%eax + struct btf *btf; + #pragma GCC diagnostic push + #pragma GCC diagnostic ignored "-Wdeprecated-declarations" + int err = btf__get_from_id(id, &btf); + 5ba197: 48 8d 75 f0 lea -0x10(%rbp),%rsi + 5ba19b: e8 a0 57 e5 ff call 40f940 + 5ba1a0: 89 c2 mov %eax,%edx + #pragma GCC diagnostic pop + + return err ? ERR_PTR(err) : btf; + 5ba1a2: 48 98 cltq + 5ba1a4: 85 d2 test %edx,%edx + 5ba1a6: 48 0f 44 45 f0 cmove -0x10(%rbp),%rax + } + + +Fixes: 218e7b775d368f38 ("perf bpf: Provide a weak btf__load_from_kernel_by_id() for older libbpf versions") +Reported-by: Avi Kivity +Link: https://lore.kernel.org/linux-perf-users/f0add43b-3de5-20c5-22c4-70aff4af959f@scylladb.com +Cc: Adrian Hunter +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Namhyung Kim +Link: https://lore.kernel.org/linux-perf-users/YobjjFOblY4Xvwo7@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/build/Makefile.feature | 1 + + tools/build/feature/Makefile | 4 ++++ + .../feature/test-libbpf-btf__load_from_kernel_by_id.c | 7 +++++++ + tools/perf/Makefile.config | 7 +++++++ + tools/perf/util/bpf-event.c | 4 +++- + 5 files changed, 22 insertions(+), 1 deletion(-) + create mode 100644 tools/build/feature/test-libbpf-btf__load_from_kernel_by_id.c + +diff --git a/tools/build/Makefile.feature b/tools/build/Makefile.feature +index 88dd7db55d38..6abde487bba1 100644 +--- a/tools/build/Makefile.feature ++++ b/tools/build/Makefile.feature +@@ -97,6 +97,7 @@ FEATURE_TESTS_EXTRA := \ + llvm-version \ + clang \ + libbpf \ ++ libbpf-btf__load_from_kernel_by_id \ + libpfm4 \ + libdebuginfod \ + clang-bpf-co-re +diff --git a/tools/build/feature/Makefile b/tools/build/feature/Makefile +index 0e6d685b8617..69a43d9ea331 100644 +--- a/tools/build/feature/Makefile ++++ b/tools/build/feature/Makefile +@@ -56,6 +56,7 @@ FILES= \ + test-lzma.bin \ + test-bpf.bin \ + test-libbpf.bin \ ++ test-libbpf-btf__load_from_kernel_by_id.bin \ + test-get_cpuid.bin \ + test-sdt.bin \ + test-cxx.bin \ +@@ -283,6 +284,9 @@ $(OUTPUT)test-bpf.bin: + $(OUTPUT)test-libbpf.bin: + $(BUILD) -lbpf + ++$(OUTPUT)test-libbpf-btf__load_from_kernel_by_id.bin: ++ $(BUILD) -lbpf ++ + $(OUTPUT)test-sdt.bin: + $(BUILD) + +diff --git a/tools/build/feature/test-libbpf-btf__load_from_kernel_by_id.c b/tools/build/feature/test-libbpf-btf__load_from_kernel_by_id.c +new file mode 100644 +index 000000000000..f7c084428735 +--- /dev/null ++++ b/tools/build/feature/test-libbpf-btf__load_from_kernel_by_id.c +@@ -0,0 +1,7 @@ ++// SPDX-License-Identifier: GPL-2.0 ++#include ++ ++int main(void) ++{ ++ return btf__load_from_kernel_by_id(20151128, NULL); ++} +diff --git a/tools/perf/Makefile.config b/tools/perf/Makefile.config +index a92f0f025ec7..e0660bc76b7b 100644 +--- a/tools/perf/Makefile.config ++++ b/tools/perf/Makefile.config +@@ -548,9 +548,16 @@ ifndef NO_LIBELF + ifeq ($(feature-libbpf), 1) + EXTLIBS += -lbpf + $(call detected,CONFIG_LIBBPF_DYNAMIC) ++ ++ $(call feature_check,libbpf-btf__load_from_kernel_by_id) ++ ifeq ($(feature-libbpf-btf__load_from_kernel_by_id), 1) ++ CFLAGS += -DHAVE_LIBBPF_BTF__LOAD_FROM_KERNEL_BY_ID ++ endif + else + dummy := $(error Error: No libbpf devel library found, please install libbpf-devel); + endif ++ else ++ CFLAGS += -DHAVE_LIBBPF_BTF__LOAD_FROM_KERNEL_BY_ID + endif + endif + +diff --git a/tools/perf/util/bpf-event.c b/tools/perf/util/bpf-event.c +index 16ad0e6e9e9c..cf1b9f6ec0db 100644 +--- a/tools/perf/util/bpf-event.c ++++ b/tools/perf/util/bpf-event.c +@@ -21,7 +21,8 @@ + #include "record.h" + #include "util/synthetic-events.h" + +-struct btf * __weak btf__load_from_kernel_by_id(__u32 id) ++#ifndef HAVE_LIBBPF_BTF__LOAD_FROM_KERNEL_BY_ID ++struct btf *btf__load_from_kernel_by_id(__u32 id) + { + struct btf *btf; + #pragma GCC diagnostic push +@@ -31,6 +32,7 @@ struct btf * __weak btf__load_from_kernel_by_id(__u32 id) + + return err ? ERR_PTR(err) : btf; + } ++#endif + + #define ptr_to_u64(ptr) ((__u64)(unsigned long)(ptr)) + +-- +2.35.1 + diff --git a/queue-5.15/perf-regs-x86-fix-arch__intr_reg_mask-for-the-hybrid.patch b/queue-5.15/perf-regs-x86-fix-arch__intr_reg_mask-for-the-hybrid.patch new file mode 100644 index 00000000000..5cd45229e13 --- /dev/null +++ b/queue-5.15/perf-regs-x86-fix-arch__intr_reg_mask-for-the-hybrid.patch @@ -0,0 +1,90 @@ +From 175d9d52560d47afb326cfbd3418cfd3dbb1cffb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 May 2022 07:51:25 -0700 +Subject: perf regs x86: Fix arch__intr_reg_mask() for the hybrid platform + +From: Kan Liang + +[ Upstream commit 01b28e4a58152e8906eeb5f1b55a0c404c48c7c8 ] + +The X86 specific arch__intr_reg_mask() is to check whether the kernel +and hardware can collect XMM registers. But it doesn't work on some +hybrid platform. + +Without the patch on ADL-N: + + $ perf record -I? + available registers: AX BX CX DX SI DI BP SP IP FLAGS CS SS R8 R9 R10 + R11 R12 R13 R14 R15 + +The config of the test event doesn't contain the PMU information. The +kernel may fail to initialize it on the correct hybrid PMU and return +the wrong non-supported information. + +Add the PMU information into the config for the hybrid platform. The +same register set is supported among different hybrid PMUs. Checking +the first available one is good enough. + +With the patch on ADL-N: + + $ perf record -I? + available registers: AX BX CX DX SI DI BP SP IP FLAGS CS SS R8 R9 R10 + R11 R12 R13 R14 R15 XMM0 XMM1 XMM2 XMM3 XMM4 XMM5 XMM6 XMM7 XMM8 XMM9 + XMM10 XMM11 XMM12 XMM13 XMM14 XMM15 + +Fixes: 6466ec14aaf44ff1 ("perf regs x86: Add X86 specific arch__intr_reg_mask()") +Reported-by: Ammy Yi +Signed-off-by: Kan Liang +Acked-by: Ian Rogers +Cc: Ingo Molnar +Cc: Jiri Olsa +Cc: Kan Liang +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Xing Zhengjun +Link: https://lore.kernel.org/r/20220518145125.1494156-1-kan.liang@linux.intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/arch/x86/util/perf_regs.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/tools/perf/arch/x86/util/perf_regs.c b/tools/perf/arch/x86/util/perf_regs.c +index 207c56805c55..0ed177991ad0 100644 +--- a/tools/perf/arch/x86/util/perf_regs.c ++++ b/tools/perf/arch/x86/util/perf_regs.c +@@ -9,6 +9,8 @@ + #include "../../../util/perf_regs.h" + #include "../../../util/debug.h" + #include "../../../util/event.h" ++#include "../../../util/pmu.h" ++#include "../../../util/pmu-hybrid.h" + + const struct sample_reg sample_reg_masks[] = { + SMPL_REG(AX, PERF_REG_X86_AX), +@@ -284,12 +286,22 @@ uint64_t arch__intr_reg_mask(void) + .disabled = 1, + .exclude_kernel = 1, + }; ++ struct perf_pmu *pmu; + int fd; + /* + * In an unnamed union, init it here to build on older gcc versions + */ + attr.sample_period = 1; + ++ if (perf_pmu__has_hybrid()) { ++ /* ++ * The same register set is supported among different hybrid PMUs. ++ * Only check the first available one. ++ */ ++ pmu = list_first_entry(&perf_pmu__hybrid_pmus, typeof(*pmu), hybrid_list); ++ attr.config |= (__u64)pmu->type << PERF_PMU_TYPE_SHIFT; ++ } ++ + event_attr_init(&attr); + + fd = sys_perf_event_open(&attr, 0, -1, -1, 0); +-- +2.35.1 + diff --git a/queue-5.15/pinctrl-mediatek-mt8365-fix-ies-control-pins.patch b/queue-5.15/pinctrl-mediatek-mt8365-fix-ies-control-pins.patch new file mode 100644 index 00000000000..528d40e4579 --- /dev/null +++ b/queue-5.15/pinctrl-mediatek-mt8365-fix-ies-control-pins.patch @@ -0,0 +1,45 @@ +From 78c0b6051e88d047e7009403c4cc7fd453fb909a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Apr 2022 14:57:14 +0200 +Subject: pinctrl: mediatek: mt8365: fix IES control pins + +From: Mattijs Korpershoek + +[ Upstream commit f680058f406863b55ac226d1c157701939c63db4 ] + +IES26 (BIT 16 of IES1_CFG_ADDR) controls the following pads: + +- PAD_I2S_DATA_IN (GPIO114) +- PAD_I2S_LRCK (GPIO115) +- PAD_I2S_BCK (GPIO116) + +The pinctrl table is wrong since it lists pins 114 to 112. + +Update the table with the correct values. + +Fixes: e94d8b6fb83a ("pinctrl: mediatek: add support for mt8365 SoC") +Reported-by: Youngmin Han +Signed-off-by: Mattijs Korpershoek +Link: https://lore.kernel.org/r/20220426125714.298907-1-mkorpershoek@baylibre.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/mediatek/pinctrl-mt8365.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pinctrl/mediatek/pinctrl-mt8365.c b/drivers/pinctrl/mediatek/pinctrl-mt8365.c +index 79b1fee5a1eb..ddee0db72d26 100644 +--- a/drivers/pinctrl/mediatek/pinctrl-mt8365.c ++++ b/drivers/pinctrl/mediatek/pinctrl-mt8365.c +@@ -259,7 +259,7 @@ static const struct mtk_pin_ies_smt_set mt8365_ies_set[] = { + MTK_PIN_IES_SMT_SPEC(104, 104, 0x420, 13), + MTK_PIN_IES_SMT_SPEC(105, 109, 0x420, 14), + MTK_PIN_IES_SMT_SPEC(110, 113, 0x420, 15), +- MTK_PIN_IES_SMT_SPEC(114, 112, 0x420, 16), ++ MTK_PIN_IES_SMT_SPEC(114, 116, 0x420, 16), + MTK_PIN_IES_SMT_SPEC(117, 119, 0x420, 17), + MTK_PIN_IES_SMT_SPEC(120, 122, 0x420, 18), + MTK_PIN_IES_SMT_SPEC(123, 125, 0x420, 19), +-- +2.35.1 + diff --git a/queue-5.15/pinctrl-pinctrl-aspeed-g6-remove-fwqspid-group-in-pi.patch b/queue-5.15/pinctrl-pinctrl-aspeed-g6-remove-fwqspid-group-in-pi.patch new file mode 100644 index 00000000000..efb5dfb3490 --- /dev/null +++ b/queue-5.15/pinctrl-pinctrl-aspeed-g6-remove-fwqspid-group-in-pi.patch @@ -0,0 +1,71 @@ +From 9d0fb38924b67f279b29a07250a257a2e6ec08e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Mar 2022 10:39:27 -0700 +Subject: pinctrl: pinctrl-aspeed-g6: remove FWQSPID group in pinctrl + +From: Jae Hyun Yoo + +[ Upstream commit 3eef2f48ba0933ba995529f522554ad5c276c39b ] + +FWSPIDQ2 and FWSPIDQ3 are not part of FWSPI18 interface so remove +FWQSPID group in pinctrl. These pins must be used with the FWSPI +pins that are dedicated for boot SPI interface which provides +same 3.3v logic level. + +Fixes: 2eda1cdec49f ("pinctrl: aspeed: Add AST2600 pinmux support") +Signed-off-by: Jae Hyun Yoo +Reviewed-by: Andrew Jeffery +Link: https://lore.kernel.org/r/20220329173932.2588289-3-quic_jaehyoo@quicinc.com +Signed-off-by: Joel Stanley +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/aspeed/pinctrl-aspeed-g6.c | 14 +++----------- + 1 file changed, 3 insertions(+), 11 deletions(-) + +diff --git a/drivers/pinctrl/aspeed/pinctrl-aspeed-g6.c b/drivers/pinctrl/aspeed/pinctrl-aspeed-g6.c +index a3fa03bcd9a3..54064714d73f 100644 +--- a/drivers/pinctrl/aspeed/pinctrl-aspeed-g6.c ++++ b/drivers/pinctrl/aspeed/pinctrl-aspeed-g6.c +@@ -1236,18 +1236,12 @@ FUNC_GROUP_DECL(SALT8, AA12); + FUNC_GROUP_DECL(WDTRST4, AA12); + + #define AE12 196 +-SIG_EXPR_LIST_DECL_SEMG(AE12, FWSPIDQ2, FWQSPID, FWSPID, +- SIG_DESC_SET(SCU438, 4)); + SIG_EXPR_LIST_DECL_SESG(AE12, GPIOY4, GPIOY4); +-PIN_DECL_(AE12, SIG_EXPR_LIST_PTR(AE12, FWSPIDQ2), +- SIG_EXPR_LIST_PTR(AE12, GPIOY4)); ++PIN_DECL_(AE12, SIG_EXPR_LIST_PTR(AE12, GPIOY4)); + + #define AF12 197 +-SIG_EXPR_LIST_DECL_SEMG(AF12, FWSPIDQ3, FWQSPID, FWSPID, +- SIG_DESC_SET(SCU438, 5)); + SIG_EXPR_LIST_DECL_SESG(AF12, GPIOY5, GPIOY5); +-PIN_DECL_(AF12, SIG_EXPR_LIST_PTR(AF12, FWSPIDQ3), +- SIG_EXPR_LIST_PTR(AF12, GPIOY5)); ++PIN_DECL_(AF12, SIG_EXPR_LIST_PTR(AF12, GPIOY5)); + + #define AC12 198 + SSSF_PIN_DECL(AC12, GPIOY6, FWSPIABR, SIG_DESC_SET(SCU438, 6)); +@@ -1520,9 +1514,8 @@ SIG_EXPR_LIST_DECL_SEMG(Y4, EMMCDAT7, EMMCG8, EMMC, SIG_DESC_SET(SCU404, 3)); + PIN_DECL_3(Y4, GPIO18E3, FWSPIDMISO, VBMISO, EMMCDAT7); + + GROUP_DECL(FWSPID, Y1, Y2, Y3, Y4); +-GROUP_DECL(FWQSPID, Y1, Y2, Y3, Y4, AE12, AF12); + GROUP_DECL(EMMCG8, AB4, AA4, AC4, AA5, Y5, AB5, AB6, AC5, Y1, Y2, Y3, Y4); +-FUNC_DECL_2(FWSPID, FWSPID, FWQSPID); ++FUNC_DECL_1(FWSPID, FWSPID); + FUNC_GROUP_DECL(VB, Y1, Y2, Y3, Y4); + FUNC_DECL_3(EMMC, EMMCG1, EMMCG4, EMMCG8); + /* +@@ -1918,7 +1911,6 @@ static const struct aspeed_pin_group aspeed_g6_groups[] = { + ASPEED_PINCTRL_GROUP(FSI2), + ASPEED_PINCTRL_GROUP(FWSPIABR), + ASPEED_PINCTRL_GROUP(FWSPID), +- ASPEED_PINCTRL_GROUP(FWQSPID), + ASPEED_PINCTRL_GROUP(FWSPIWP), + ASPEED_PINCTRL_GROUP(GPIT0), + ASPEED_PINCTRL_GROUP(GPIT1), +-- +2.35.1 + diff --git a/queue-5.15/revert-fbdev-make-fb_release-return-enodev-if-fbdev-.patch b/queue-5.15/revert-fbdev-make-fb_release-return-enodev-if-fbdev-.patch new file mode 100644 index 00000000000..45a8e5841ff --- /dev/null +++ b/queue-5.15/revert-fbdev-make-fb_release-return-enodev-if-fbdev-.patch @@ -0,0 +1,57 @@ +From 520380c39bd75da5178b67d7e5f8cd682e5a81cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 May 2022 13:59:17 +0200 +Subject: Revert "fbdev: Make fb_release() return -ENODEV if fbdev was + unregistered" + +From: Javier Martinez Canillas + +[ Upstream commit 135332f34ba2662bc1e32b5c612e06a8cc41a053 ] + +This reverts commit aafa025c76dcc7d1a8c8f0bdefcbe4eb480b2f6a. That commit +attempted to fix a NULL pointer dereference, caused by the struct fb_info +associated with a framebuffer device to not longer be valid when the file +descriptor was closed. + +The issue was exposed by commit 27599aacbaef ("fbdev: Hot-unplug firmware +fb devices on forced removal"), which added a new path that goes through +the struct device removal instead of directly unregistering the fb. + +Most fbdev drivers have issues with the fb_info lifetime, because call to +framebuffer_release() from their driver's .remove callback, rather than +doing from fbops.fb_destroy callback. This meant that due to this switch, +the fb_info was now destroyed too early, while references still existed, +while before it was simply leaked. + +The patch we're reverting here reinstated that leak, hence "fixed" the +regression. But the proper solution is to fix the drivers to not release +the fb_info too soon. + +Suggested-by: Daniel Vetter +Signed-off-by: Javier Martinez Canillas +Reviewed-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20220504115917.758787-1-javierm@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/core/fbmem.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c +index 8e38a7a5cf2f..0371ad233fdf 100644 +--- a/drivers/video/fbdev/core/fbmem.c ++++ b/drivers/video/fbdev/core/fbmem.c +@@ -1436,10 +1436,7 @@ fb_release(struct inode *inode, struct file *file) + __acquires(&info->lock) + __releases(&info->lock) + { +- struct fb_info * const info = file_fb_info(file); +- +- if (!info) +- return -ENODEV; ++ struct fb_info * const info = file->private_data; + + lock_fb_info(info); + if (info->fbops->fb_release) +-- +2.35.1 + diff --git a/queue-5.15/revert-pci-aardvark-rewrite-irq-code-to-chained-irq-.patch b/queue-5.15/revert-pci-aardvark-rewrite-irq-code-to-chained-irq-.patch new file mode 100644 index 00000000000..14c6dd9cc36 --- /dev/null +++ b/queue-5.15/revert-pci-aardvark-rewrite-irq-code-to-chained-irq-.patch @@ -0,0 +1,135 @@ +From f4ce0091eaa52ce31b964cf2c7dc1aed7b2cc022 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 15 May 2022 14:58:15 +0200 +Subject: Revert "PCI: aardvark: Rewrite IRQ code to chained IRQ handler" +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +[ Upstream commit a3b69dd0ad6265c29c4b6fb381cd76fb3bebdf8c ] + +This reverts commit 1571d67dc190e50c6c56e8f88cdc39f7cc53166e. + +This commit broke support for setting interrupt affinity. It looks like +that it is related to the chained IRQ handler. Revert this commit until +issue with setting interrupt affinity is fixed. + +Fixes: 1571d67dc190 ("PCI: aardvark: Rewrite IRQ code to chained IRQ handler") +Link: https://lore.kernel.org/r/20220515125815.30157-1-pali@kernel.org +Signed-off-by: Pali Rohár +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/pci-aardvark.c | 48 ++++++++++++--------------- + 1 file changed, 22 insertions(+), 26 deletions(-) + +diff --git a/drivers/pci/controller/pci-aardvark.c b/drivers/pci/controller/pci-aardvark.c +index ff45052cf48d..7cc2c54daad0 100644 +--- a/drivers/pci/controller/pci-aardvark.c ++++ b/drivers/pci/controller/pci-aardvark.c +@@ -272,7 +272,6 @@ struct advk_pcie { + u32 actions; + } wins[OB_WIN_COUNT]; + u8 wins_count; +- int irq; + struct irq_domain *rp_irq_domain; + struct irq_domain *irq_domain; + struct irq_chip irq_chip; +@@ -1572,26 +1571,21 @@ static void advk_pcie_handle_int(struct advk_pcie *pcie) + } + } + +-static void advk_pcie_irq_handler(struct irq_desc *desc) ++static irqreturn_t advk_pcie_irq_handler(int irq, void *arg) + { +- struct advk_pcie *pcie = irq_desc_get_handler_data(desc); +- struct irq_chip *chip = irq_desc_get_chip(desc); +- u32 val, mask, status; ++ struct advk_pcie *pcie = arg; ++ u32 status; + +- chained_irq_enter(chip, desc); ++ status = advk_readl(pcie, HOST_CTRL_INT_STATUS_REG); ++ if (!(status & PCIE_IRQ_CORE_INT)) ++ return IRQ_NONE; + +- val = advk_readl(pcie, HOST_CTRL_INT_STATUS_REG); +- mask = advk_readl(pcie, HOST_CTRL_INT_MASK_REG); +- status = val & ((~mask) & PCIE_IRQ_ALL_MASK); ++ advk_pcie_handle_int(pcie); + +- if (status & PCIE_IRQ_CORE_INT) { +- advk_pcie_handle_int(pcie); ++ /* Clear interrupt */ ++ advk_writel(pcie, PCIE_IRQ_CORE_INT, HOST_CTRL_INT_STATUS_REG); + +- /* Clear interrupt */ +- advk_writel(pcie, PCIE_IRQ_CORE_INT, HOST_CTRL_INT_STATUS_REG); +- } +- +- chained_irq_exit(chip, desc); ++ return IRQ_HANDLED; + } + + static int advk_pcie_map_irq(const struct pci_dev *dev, u8 slot, u8 pin) +@@ -1673,7 +1667,7 @@ static int advk_pcie_probe(struct platform_device *pdev) + struct advk_pcie *pcie; + struct pci_host_bridge *bridge; + struct resource_entry *entry; +- int ret; ++ int ret, irq; + + bridge = devm_pci_alloc_host_bridge(dev, sizeof(struct advk_pcie)); + if (!bridge) +@@ -1759,9 +1753,17 @@ static int advk_pcie_probe(struct platform_device *pdev) + if (IS_ERR(pcie->base)) + return PTR_ERR(pcie->base); + +- pcie->irq = platform_get_irq(pdev, 0); +- if (pcie->irq < 0) +- return pcie->irq; ++ irq = platform_get_irq(pdev, 0); ++ if (irq < 0) ++ return irq; ++ ++ ret = devm_request_irq(dev, irq, advk_pcie_irq_handler, ++ IRQF_SHARED | IRQF_NO_THREAD, "advk-pcie", ++ pcie); ++ if (ret) { ++ dev_err(dev, "Failed to register interrupt\n"); ++ return ret; ++ } + + pcie->reset_gpio = devm_gpiod_get_from_of_node(dev, dev->of_node, + "reset-gpios", 0, +@@ -1818,15 +1820,12 @@ static int advk_pcie_probe(struct platform_device *pdev) + return ret; + } + +- irq_set_chained_handler_and_data(pcie->irq, advk_pcie_irq_handler, pcie); +- + bridge->sysdata = pcie; + bridge->ops = &advk_pcie_ops; + bridge->map_irq = advk_pcie_map_irq; + + ret = pci_host_probe(bridge); + if (ret < 0) { +- irq_set_chained_handler_and_data(pcie->irq, NULL, NULL); + advk_pcie_remove_rp_irq_domain(pcie); + advk_pcie_remove_msi_irq_domain(pcie); + advk_pcie_remove_irq_domain(pcie); +@@ -1875,9 +1874,6 @@ static int advk_pcie_remove(struct platform_device *pdev) + advk_writel(pcie, PCIE_ISR1_ALL_MASK, PCIE_ISR1_REG); + advk_writel(pcie, PCIE_IRQ_ALL_MASK, HOST_CTRL_INT_STATUS_REG); + +- /* Remove IRQ handler */ +- irq_set_chained_handler_and_data(pcie->irq, NULL, NULL); +- + /* Remove IRQ domains */ + advk_pcie_remove_rp_irq_domain(pcie); + advk_pcie_remove_msi_irq_domain(pcie); +-- +2.35.1 + diff --git a/queue-5.15/riscv-dts-sifive-fu540-c000-align-dma-node-name-with.patch b/queue-5.15/riscv-dts-sifive-fu540-c000-align-dma-node-name-with.patch new file mode 100644 index 00000000000..06c329df509 --- /dev/null +++ b/queue-5.15/riscv-dts-sifive-fu540-c000-align-dma-node-name-with.patch @@ -0,0 +1,38 @@ +From 6b78a923c8f5fcef603fad4820a2193cbcba2250 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Apr 2022 21:38:56 +0200 +Subject: riscv: dts: sifive: fu540-c000: align dma node name with dtschema + +From: Krzysztof Kozlowski + +[ Upstream commit b17410182b6f98191fbf7f42d3b4a78512769d29 ] + +Fixes dtbs_check warnings like: + + dma@3000000: $nodename:0: 'dma@3000000' does not match '^dma-controller(@.*)?$' + +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20220407193856.18223-1-krzysztof.kozlowski@linaro.org +Fixes: c5ab54e9945b ("riscv: dts: add support for PDMA device of HiFive Unleashed Rev A00") +Signed-off-by: Palmer Dabbelt +Signed-off-by: Sasha Levin +--- + arch/riscv/boot/dts/sifive/fu540-c000.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/riscv/boot/dts/sifive/fu540-c000.dtsi b/arch/riscv/boot/dts/sifive/fu540-c000.dtsi +index 7db861053483..64c06c9b41dc 100644 +--- a/arch/riscv/boot/dts/sifive/fu540-c000.dtsi ++++ b/arch/riscv/boot/dts/sifive/fu540-c000.dtsi +@@ -166,7 +166,7 @@ uart0: serial@10010000 { + clocks = <&prci PRCI_CLK_TLCLK>; + status = "disabled"; + }; +- dma: dma@3000000 { ++ dma: dma-controller@3000000 { + compatible = "sifive,fu540-c000-pdma"; + reg = <0x0 0x3000000 0x0 0x8000>; + interrupt-parent = <&plic0>; +-- +2.35.1 + diff --git a/queue-5.15/scsi-qla2xxx-fix-missed-dma-unmap-for-aborted-comman.patch b/queue-5.15/scsi-qla2xxx-fix-missed-dma-unmap-for-aborted-comman.patch new file mode 100644 index 00000000000..9824b68e4e8 --- /dev/null +++ b/queue-5.15/scsi-qla2xxx-fix-missed-dma-unmap-for-aborted-comman.patch @@ -0,0 +1,51 @@ +From b53c79885ab25dd2e43891184f367cb6c203b925 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Apr 2022 12:42:29 +0000 +Subject: scsi: qla2xxx: Fix missed DMA unmap for aborted commands + +From: Gleb Chesnokov + +[ Upstream commit 26f9ce53817a8fd84b69a73473a7de852a24c897 ] + +Aborting commands that have already been sent to the firmware can +cause BUG in qlt_free_cmd(): BUG_ON(cmd->sg_mapped) + +For instance: + + - Command passes rdx_to_xfer state, maps sgl, sends to the firmware + + - Reset occurs, qla2xxx performs ISP error recovery, aborts the command + + - Target stack calls qlt_abort_cmd() and then qlt_free_cmd() + + - BUG_ON(cmd->sg_mapped) in qlt_free_cmd() occurs because sgl was not + unmapped + +Thus, unmap sgl in qlt_abort_cmd() for commands with the aborted flag set. + +Link: https://lore.kernel.org/r/AS8PR10MB4952D545F84B6B1DFD39EC1E9DEE9@AS8PR10MB4952.EURPRD10.PROD.OUTLOOK.COM +Reviewed-by: Himanshu Madhani +Signed-off-by: Gleb Chesnokov +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_target.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/scsi/qla2xxx/qla_target.c b/drivers/scsi/qla2xxx/qla_target.c +index f5d32d830a9b..ae5eaa4a9283 100644 +--- a/drivers/scsi/qla2xxx/qla_target.c ++++ b/drivers/scsi/qla2xxx/qla_target.c +@@ -3837,6 +3837,9 @@ int qlt_abort_cmd(struct qla_tgt_cmd *cmd) + + spin_lock_irqsave(&cmd->cmd_lock, flags); + if (cmd->aborted) { ++ if (cmd->sg_mapped) ++ qlt_unmap_sg(vha, cmd); ++ + spin_unlock_irqrestore(&cmd->cmd_lock, flags); + /* + * It's normal to see 2 calls in this path: +-- +2.35.1 + diff --git a/queue-5.15/scsi-scsi_dh_alua-properly-handle-the-alua-transitio.patch b/queue-5.15/scsi-scsi_dh_alua-properly-handle-the-alua-transitio.patch new file mode 100644 index 00000000000..ea8a4268b82 --- /dev/null +++ b/queue-5.15/scsi-scsi_dh_alua-properly-handle-the-alua-transitio.patch @@ -0,0 +1,59 @@ +From 0589297f3b0c5d6bedd218b8cdb5ffb54b4893ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 May 2022 08:09:17 -0700 +Subject: scsi: scsi_dh_alua: Properly handle the ALUA transitioning state + +From: Brian Bunker + +[ Upstream commit 6056a92ceb2a7705d61df7ec5370548e96aee258 ] + +The handling of the ALUA transitioning state is currently broken. When a +target goes into this state, it is expected that the target is allowed to +stay in this state for the implicit transition timeout without a path +failure. The handler has this logic, but it gets skipped currently. + +When the target transitions, there is in-flight I/O from the initiator. The +first of these responses from the target will be a unit attention letting +the initiator know that the ALUA state has changed. The remaining +in-flight I/Os, before the initiator finds out that the portal state has +changed, will return not ready, ALUA state is transitioning. The portal +state will change to SCSI_ACCESS_STATE_TRANSITIONING. This will lead to all +new I/O immediately failing the path unexpectedly. The path failure happens +in less than a second instead of the expected successes until the +transition timer is exceeded. + +Allow I/Os to continue while the path is in the ALUA transitioning +state. The handler already takes care of a target that stays in the +transitioning state for too long by changing the state to ALUA state +standby once the transition timeout is exceeded at which point the path +will fail. + +Link: https://lore.kernel.org/r/CAHZQxy+4sTPz9+pY3=7VJH+CLUJsDct81KtnR2be8ycN5mhqTg@mail.gmail.com +Reviewed-by: Hannes Reinecke +Acked-by: Krishna Kant +Acked-by: Seamus Connor +Signed-off-by: Brian Bunker +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/device_handler/scsi_dh_alua.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/scsi/device_handler/scsi_dh_alua.c b/drivers/scsi/device_handler/scsi_dh_alua.c +index 37d06f993b76..1d9be771f3ee 100644 +--- a/drivers/scsi/device_handler/scsi_dh_alua.c ++++ b/drivers/scsi/device_handler/scsi_dh_alua.c +@@ -1172,9 +1172,8 @@ static blk_status_t alua_prep_fn(struct scsi_device *sdev, struct request *req) + case SCSI_ACCESS_STATE_OPTIMAL: + case SCSI_ACCESS_STATE_ACTIVE: + case SCSI_ACCESS_STATE_LBA: +- return BLK_STS_OK; + case SCSI_ACCESS_STATE_TRANSITIONING: +- return BLK_STS_AGAIN; ++ return BLK_STS_OK; + default: + req->rq_flags |= RQF_QUIET; + return BLK_STS_IOERR; +-- +2.35.1 + diff --git a/queue-5.15/scsi-ufs-core-fix-referencing-invalid-rsp-field.patch b/queue-5.15/scsi-ufs-core-fix-referencing-invalid-rsp-field.patch new file mode 100644 index 00000000000..1b9942a104f --- /dev/null +++ b/queue-5.15/scsi-ufs-core-fix-referencing-invalid-rsp-field.patch @@ -0,0 +1,63 @@ +From 78887d1d3922346e020e99a066d9be2d3fe61822 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 May 2022 15:05:29 +0900 +Subject: scsi: ufs: core: Fix referencing invalid rsp field + +From: Daejun Park + +[ Upstream commit d5d92b64408443e113b9742f8f1c35278910dd4d ] + +Fix referencing sense data when it is invalid. When the length of the data +segment is 0, there is no valid information in the rsp field, so +ufshpb_rsp_upiu() is returned without additional operation. + +Link: https://lore.kernel.org/r/252651381.41652940482659.JavaMail.epsvc@epcpadp4 +Fixes: 4b5f49079c52 ("scsi: ufs: ufshpb: L2P map management for HPB read") +Acked-by: Avri Altman +Signed-off-by: Daejun Park +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ufs/ufshpb.c | 19 +++++++------------ + 1 file changed, 7 insertions(+), 12 deletions(-) + +diff --git a/drivers/scsi/ufs/ufshpb.c b/drivers/scsi/ufs/ufshpb.c +index f7eaf64293a4..14300896c57f 100644 +--- a/drivers/scsi/ufs/ufshpb.c ++++ b/drivers/scsi/ufs/ufshpb.c +@@ -1257,6 +1257,13 @@ void ufshpb_rsp_upiu(struct ufs_hba *hba, struct ufshcd_lrb *lrbp) + struct utp_hpb_rsp *rsp_field = &lrbp->ucd_rsp_ptr->hr; + int data_seg_len; + ++ data_seg_len = be32_to_cpu(lrbp->ucd_rsp_ptr->header.dword_2) ++ & MASK_RSP_UPIU_DATA_SEG_LEN; ++ ++ /* If data segment length is zero, rsp_field is not valid */ ++ if (!data_seg_len) ++ return; ++ + if (unlikely(lrbp->lun != rsp_field->lun)) { + struct scsi_device *sdev; + bool found = false; +@@ -1291,18 +1298,6 @@ void ufshpb_rsp_upiu(struct ufs_hba *hba, struct ufshcd_lrb *lrbp) + return; + } + +- data_seg_len = be32_to_cpu(lrbp->ucd_rsp_ptr->header.dword_2) +- & MASK_RSP_UPIU_DATA_SEG_LEN; +- +- /* To flush remained rsp_list, we queue the map_work task */ +- if (!data_seg_len) { +- if (!ufshpb_is_general_lun(hpb->lun)) +- return; +- +- ufshpb_kick_map_work(hpb); +- return; +- } +- + BUILD_BUG_ON(sizeof(struct utp_hpb_rsp) != UTP_HPB_RSP_SIZE); + + if (!ufshpb_is_hpb_rsp_valid(hba, lrbp, rsp_field)) +-- +2.35.1 + diff --git a/queue-5.15/selftests-add-ping-test-with-ping_group_range-tuned.patch b/queue-5.15/selftests-add-ping-test-with-ping_group_range-tuned.patch new file mode 100644 index 00000000000..835bb443fac --- /dev/null +++ b/queue-5.15/selftests-add-ping-test-with-ping_group_range-tuned.patch @@ -0,0 +1,67 @@ +From ae7104a5f45163dfaa75afd1137970114547cf02 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 May 2022 11:07:39 +0200 +Subject: selftests: add ping test with ping_group_range tuned + +From: Nicolas Dichtel + +[ Upstream commit e71b7f1f44d3d88c677769c85ef0171caf9fc89f ] + +The 'ping' utility is able to manage two kind of sockets (raw or icmp), +depending on the sysctl ping_group_range. By default, ping_group_range is +set to '1 0', which forces ping to use an ip raw socket. + +Let's replay the ping tests by allowing 'ping' to use the ip icmp socket. +After the previous patch, ipv4 tests results are the same with both kinds +of socket. For ipv6, there are a lot a new failures (the previous patch +fixes only two cases). + +Signed-off-by: Nicolas Dichtel +Reviewed-by: David Ahern +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/fcnal-test.sh | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/tools/testing/selftests/net/fcnal-test.sh b/tools/testing/selftests/net/fcnal-test.sh +index aec9e784d0b4..91f54112167f 100755 +--- a/tools/testing/selftests/net/fcnal-test.sh ++++ b/tools/testing/selftests/net/fcnal-test.sh +@@ -803,10 +803,16 @@ ipv4_ping() + setup + set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null + ipv4_ping_novrf ++ setup ++ set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null ++ ipv4_ping_novrf + + log_subsection "With VRF" + setup "yes" + ipv4_ping_vrf ++ setup "yes" ++ set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null ++ ipv4_ping_vrf + } + + ################################################################################ +@@ -2324,10 +2330,16 @@ ipv6_ping() + log_subsection "No VRF" + setup + ipv6_ping_novrf ++ setup ++ set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null ++ ipv6_ping_novrf + + log_subsection "With VRF" + setup "yes" + ipv6_ping_vrf ++ setup "yes" ++ set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null ++ ipv6_ping_vrf + } + + ################################################################################ +-- +2.35.1 + diff --git a/queue-5.15/series b/queue-5.15/series index 8b4c3e2ac4c..4670c950665 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -59,3 +59,69 @@ drm-i915-dmc-add-mmio-range-restrictions.patch drm-dp-mst-fix-a-possible-memory-leak-in-fetch_monitor_name.patch dma-buf-fix-use-of-dma_buf_set_name_-a-b-in-userspace.patch dma-buf-ensure-unique-directory-name-for-dmabuf-stats.patch +arm-dts-aspeed-g6-remove-fwqspid-group-in-pinctrl-dt.patch +pinctrl-pinctrl-aspeed-g6-remove-fwqspid-group-in-pi.patch +arm-dts-aspeed-g6-fix-spi1-spi2-quad-pin-group.patch +arm-dts-aspeed-add-adc-for-ast2600-and-enable-for-ra.patch +arm-dts-aspeed-add-secure-boot-controller-node.patch +arm-dts-aspeed-add-video-engine-to-g6.patch +pinctrl-mediatek-mt8365-fix-ies-control-pins.patch +alsa-hda-fix-unused-realtek-function-when-pm-is-not-.patch +net-ipa-record-proper-rx-transaction-count.patch +net-macb-increment-rx-bd-head-after-allocating-skb-a.patch +xfrm-rework-default-policy-structure.patch +xfrm-fix-disable_policy-flag-use-when-arriving-from-.patch +net-sched-act_pedit-sanitize-shift-argument-before-u.patch +netfilter-flowtable-fix-excessive-hw-offload-attempt.patch +netfilter-nft_flow_offload-skip-dst-neigh-lookup-for.patch +net-fix-dev_fill_forward_path-with-pppoe-bridge.patch +netfilter-nft_flow_offload-fix-offload-with-pppoe-vl.patch +revert-pci-aardvark-rewrite-irq-code-to-chained-irq-.patch +net-systemport-fix-an-error-handling-path-in-bcm_sys.patch +net-vmxnet3-fix-possible-use-after-free-bugs-in-vmxn.patch +net-vmxnet3-fix-possible-null-pointer-dereference-in.patch +ice-fix-crash-when-writing-timestamp-on-rx-rings.patch +ice-fix-possible-under-reporting-of-ethtool-tx-and-r.patch +ice-move-ice_container_type-onto-ice_ring_container.patch +ice-fix-interrupt-moderation-settings-getting-cleare.patch +clk-at91-generated-consider-range-when-calculating-b.patch +net-qla3xxx-fix-a-test-in-ql_reset_work.patch +nfc-nci-fix-sleep-in-atomic-context-bugs-caused-by-n.patch +net-mlx5-dr-fix-missing-flow_source-when-creating-mu.patch +net-mlx5e-properly-block-lro-when-xdp-is-enabled.patch +net-af_key-add-check-for-pfkey_broadcast-in-function.patch +arm-9196-1-spectre-bhb-enable-for-cortex-a15.patch +arm-9197-1-spectre-bhb-fix-loop8-sequence-for-thumb2.patch +mptcp-change-the-parameter-of-__mptcp_make_csum.patch +mptcp-reuse-__mptcp_make_csum-in-validate_data_csum.patch +mptcp-fix-checksum-byte-order.patch +mptcp-strict-local-address-id-selection.patch +mptcp-do-tcp-fallback-on-early-dss-checksum-failure.patch +igb-skip-phy-status-check-where-unavailable.patch +netfilter-flowtable-fix-tcp-flow-teardown.patch +netfilter-flowtable-pass-flowtable-to-nf_flow_table_.patch +netfilter-flowtable-move-dst_check-to-packet-path.patch +net-bridge-clear-offload_fwd_mark-when-passing-frame.patch +riscv-dts-sifive-fu540-c000-align-dma-node-name-with.patch +scsi-ufs-core-fix-referencing-invalid-rsp-field.patch +perf-build-fix-check-for-btf__load_from_kernel_by_id.patch +gpio-gpio-vf610-do-not-touch-other-bits-when-set-the.patch +gpio-mvebu-pwm-refuse-requests-with-inverted-polarit.patch +perf-regs-x86-fix-arch__intr_reg_mask-for-the-hybrid.patch +perf-bench-numa-address-compiler-error-on-s390.patch +scsi-scsi_dh_alua-properly-handle-the-alua-transitio.patch +scsi-qla2xxx-fix-missed-dma-unmap-for-aborted-comman.patch +mac80211-fix-rx-reordering-with-non-explicit-psmp-ac.patch +nl80211-validate-s1g-channel-width.patch +selftests-add-ping-test-with-ping_group_range-tuned.patch +revert-fbdev-make-fb_release-return-enodev-if-fbdev-.patch +fbdev-prevent-possible-use-after-free-in-fb_release.patch +net-fix-wrong-network-header-length.patch +nl80211-fix-locking-in-nl80211_set_tx_bitrate_mask.patch +ethernet-tulip-fix-missing-pci_disable_device-on-err.patch +net-stmmac-fix-missing-pci_disable_device-on-error-i.patch +net-atlantic-fix-frag-0-not-initialized.patch +net-atlantic-reduce-scope-of-is_rsc_complete.patch +net-atlantic-add-check-for-max_skb_frags.patch +net-atlantic-verify-hw_head_-lies-within-tx-buffer-r.patch +arm64-enable-repeat-tlbi-workaround-on-kryo4xx-gold-.patch diff --git a/queue-5.15/xfrm-fix-disable_policy-flag-use-when-arriving-from-.patch b/queue-5.15/xfrm-fix-disable_policy-flag-use-when-arriving-from-.patch new file mode 100644 index 00000000000..66adcc13e69 --- /dev/null +++ b/queue-5.15/xfrm-fix-disable_policy-flag-use-when-arriving-from-.patch @@ -0,0 +1,183 @@ +From da76b68b43b9ba0d0bdcf896bb0f5669b55ce6d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 May 2022 23:34:02 +0300 +Subject: xfrm: fix "disable_policy" flag use when arriving from different + devices + +From: Eyal Birger + +[ Upstream commit e6175a2ed1f18bf2f649625bf725e07adcfa6a28 ] + +In IPv4 setting the "disable_policy" flag on a device means no policy +should be enforced for traffic originating from the device. This was +implemented by seting the DST_NOPOLICY flag in the dst based on the +originating device. + +However, dsts are cached in nexthops regardless of the originating +devices, in which case, the DST_NOPOLICY flag value may be incorrect. + +Consider the following setup: + + +------------------------------+ + | ROUTER | + +-------------+ | +-----------------+ | + | ipsec src |----|-|ipsec0 | | + +-------------+ | |disable_policy=0 | +----+ | + | +-----------------+ |eth1|-|----- + +-------------+ | +-----------------+ +----+ | + | noipsec src |----|-|eth0 | | + +-------------+ | |disable_policy=1 | | + | +-----------------+ | + +------------------------------+ + +Where ROUTER has a default route towards eth1. + +dst entries for traffic arriving from eth0 would have DST_NOPOLICY +and would be cached and therefore can be reused by traffic originating +from ipsec0, skipping policy check. + +Fix by setting a IPSKB_NOPOLICY flag in IPCB and observing it instead +of the DST in IN/FWD IPv4 policy checks. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: Shmulik Ladkani +Signed-off-by: Eyal Birger +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + include/net/ip.h | 1 + + include/net/xfrm.h | 14 +++++++++++++- + net/ipv4/route.c | 23 ++++++++++++++++++----- + 3 files changed, 32 insertions(+), 6 deletions(-) + +diff --git a/include/net/ip.h b/include/net/ip.h +index 0106c6590ee7..a77a9e1c6c04 100644 +--- a/include/net/ip.h ++++ b/include/net/ip.h +@@ -55,6 +55,7 @@ struct inet_skb_parm { + #define IPSKB_DOREDIRECT BIT(5) + #define IPSKB_FRAG_PMTU BIT(6) + #define IPSKB_L3SLAVE BIT(7) ++#define IPSKB_NOPOLICY BIT(8) + + u16 frag_max_size; + }; +diff --git a/include/net/xfrm.h b/include/net/xfrm.h +index e03f0f882226..65242172e41c 100644 +--- a/include/net/xfrm.h ++++ b/include/net/xfrm.h +@@ -1092,6 +1092,18 @@ static inline bool __xfrm_check_nopolicy(struct net *net, struct sk_buff *skb, + return false; + } + ++static inline bool __xfrm_check_dev_nopolicy(struct sk_buff *skb, ++ int dir, unsigned short family) ++{ ++ if (dir != XFRM_POLICY_OUT && family == AF_INET) { ++ /* same dst may be used for traffic originating from ++ * devices with different policy settings. ++ */ ++ return IPCB(skb)->flags & IPSKB_NOPOLICY; ++ } ++ return skb_dst(skb) && (skb_dst(skb)->flags & DST_NOPOLICY); ++} ++ + static inline int __xfrm_policy_check2(struct sock *sk, int dir, + struct sk_buff *skb, + unsigned int family, int reverse) +@@ -1103,7 +1115,7 @@ static inline int __xfrm_policy_check2(struct sock *sk, int dir, + return __xfrm_policy_check(sk, ndir, skb, family); + + return __xfrm_check_nopolicy(net, skb, dir) || +- (skb_dst(skb) && (skb_dst(skb)->flags & DST_NOPOLICY)) || ++ __xfrm_check_dev_nopolicy(skb, dir, family) || + __xfrm_policy_check(sk, ndir, skb, family); + } + +diff --git a/net/ipv4/route.c b/net/ipv4/route.c +index 6e8020a3bd67..1db2fda22830 100644 +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -1727,6 +1727,7 @@ static int ip_route_input_mc(struct sk_buff *skb, __be32 daddr, __be32 saddr, + struct in_device *in_dev = __in_dev_get_rcu(dev); + unsigned int flags = RTCF_MULTICAST; + struct rtable *rth; ++ bool no_policy; + u32 itag = 0; + int err; + +@@ -1737,8 +1738,12 @@ static int ip_route_input_mc(struct sk_buff *skb, __be32 daddr, __be32 saddr, + if (our) + flags |= RTCF_LOCAL; + ++ no_policy = IN_DEV_ORCONF(in_dev, NOPOLICY); ++ if (no_policy) ++ IPCB(skb)->flags |= IPSKB_NOPOLICY; ++ + rth = rt_dst_alloc(dev_net(dev)->loopback_dev, flags, RTN_MULTICAST, +- IN_DEV_ORCONF(in_dev, NOPOLICY), false); ++ no_policy, false); + if (!rth) + return -ENOBUFS; + +@@ -1797,7 +1802,7 @@ static int __mkroute_input(struct sk_buff *skb, + struct rtable *rth; + int err; + struct in_device *out_dev; +- bool do_cache; ++ bool do_cache, no_policy; + u32 itag = 0; + + /* get a working reference to the output device */ +@@ -1842,6 +1847,10 @@ static int __mkroute_input(struct sk_buff *skb, + } + } + ++ no_policy = IN_DEV_ORCONF(in_dev, NOPOLICY); ++ if (no_policy) ++ IPCB(skb)->flags |= IPSKB_NOPOLICY; ++ + fnhe = find_exception(nhc, daddr); + if (do_cache) { + if (fnhe) +@@ -1854,8 +1863,7 @@ static int __mkroute_input(struct sk_buff *skb, + } + } + +- rth = rt_dst_alloc(out_dev->dev, 0, res->type, +- IN_DEV_ORCONF(in_dev, NOPOLICY), ++ rth = rt_dst_alloc(out_dev->dev, 0, res->type, no_policy, + IN_DEV_ORCONF(out_dev, NOXFRM)); + if (!rth) { + err = -ENOBUFS; +@@ -2230,6 +2238,7 @@ static int ip_route_input_slow(struct sk_buff *skb, __be32 daddr, __be32 saddr, + struct rtable *rth; + struct flowi4 fl4; + bool do_cache = true; ++ bool no_policy; + + /* IP on this device is disabled. */ + +@@ -2347,6 +2356,10 @@ out: return err; + RT_CACHE_STAT_INC(in_brd); + + local_input: ++ no_policy = IN_DEV_ORCONF(in_dev, NOPOLICY); ++ if (no_policy) ++ IPCB(skb)->flags |= IPSKB_NOPOLICY; ++ + do_cache &= res->fi && !itag; + if (do_cache) { + struct fib_nh_common *nhc = FIB_RES_NHC(*res); +@@ -2361,7 +2374,7 @@ out: return err; + + rth = rt_dst_alloc(ip_rt_get_dev(net, res), + flags | RTCF_LOCAL, res->type, +- IN_DEV_ORCONF(in_dev, NOPOLICY), false); ++ no_policy, false); + if (!rth) + goto e_nobufs; + +-- +2.35.1 + diff --git a/queue-5.15/xfrm-rework-default-policy-structure.patch b/queue-5.15/xfrm-rework-default-policy-structure.patch new file mode 100644 index 00000000000..1e8b6a99379 --- /dev/null +++ b/queue-5.15/xfrm-rework-default-policy-structure.patch @@ -0,0 +1,237 @@ +From 9d94eb536fbe30be4f337603c4a732fafffb9ba1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Mar 2022 11:38:22 +0100 +Subject: xfrm: rework default policy structure + +From: Nicolas Dichtel + +[ Upstream commit b58b1f563ab78955d37e9e43e02790a85c66ac05 ] + +This is a follow up of commit f8d858e607b2 ("xfrm: make user policy API +complete"). The goal is to align userland API to the internal structures. + +Signed-off-by: Nicolas Dichtel +Reviewed-by: Antony Antony +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + include/net/netns/xfrm.h | 6 +---- + include/net/xfrm.h | 48 +++++++++++++++------------------------- + net/xfrm/xfrm_policy.c | 10 ++++++--- + net/xfrm/xfrm_user.c | 43 +++++++++++++++-------------------- + 4 files changed, 44 insertions(+), 63 deletions(-) + +diff --git a/include/net/netns/xfrm.h b/include/net/netns/xfrm.h +index 947733a639a6..bd7c3be4af5d 100644 +--- a/include/net/netns/xfrm.h ++++ b/include/net/netns/xfrm.h +@@ -66,11 +66,7 @@ struct netns_xfrm { + int sysctl_larval_drop; + u32 sysctl_acq_expires; + +- u8 policy_default; +-#define XFRM_POL_DEFAULT_IN 1 +-#define XFRM_POL_DEFAULT_OUT 2 +-#define XFRM_POL_DEFAULT_FWD 4 +-#define XFRM_POL_DEFAULT_MASK 7 ++ u8 policy_default[XFRM_POLICY_MAX]; + + #ifdef CONFIG_SYSCTL + struct ctl_table_header *sysctl_hdr; +diff --git a/include/net/xfrm.h b/include/net/xfrm.h +index 358dfe6fefef..e03f0f882226 100644 +--- a/include/net/xfrm.h ++++ b/include/net/xfrm.h +@@ -1080,25 +1080,18 @@ xfrm_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x, un + } + + #ifdef CONFIG_XFRM +-static inline bool +-xfrm_default_allow(struct net *net, int dir) +-{ +- u8 def = net->xfrm.policy_default; +- +- switch (dir) { +- case XFRM_POLICY_IN: +- return def & XFRM_POL_DEFAULT_IN ? false : true; +- case XFRM_POLICY_OUT: +- return def & XFRM_POL_DEFAULT_OUT ? false : true; +- case XFRM_POLICY_FWD: +- return def & XFRM_POL_DEFAULT_FWD ? false : true; +- } +- return false; +-} +- + int __xfrm_policy_check(struct sock *, int dir, struct sk_buff *skb, + unsigned short family); + ++static inline bool __xfrm_check_nopolicy(struct net *net, struct sk_buff *skb, ++ int dir) ++{ ++ if (!net->xfrm.policy_count[dir] && !secpath_exists(skb)) ++ return net->xfrm.policy_default[dir] == XFRM_USERPOLICY_ACCEPT; ++ ++ return false; ++} ++ + static inline int __xfrm_policy_check2(struct sock *sk, int dir, + struct sk_buff *skb, + unsigned int family, int reverse) +@@ -1109,13 +1102,9 @@ static inline int __xfrm_policy_check2(struct sock *sk, int dir, + if (sk && sk->sk_policy[XFRM_POLICY_IN]) + return __xfrm_policy_check(sk, ndir, skb, family); + +- if (xfrm_default_allow(net, dir)) +- return (!net->xfrm.policy_count[dir] && !secpath_exists(skb)) || +- (skb_dst(skb) && (skb_dst(skb)->flags & DST_NOPOLICY)) || +- __xfrm_policy_check(sk, ndir, skb, family); +- else +- return (skb_dst(skb) && (skb_dst(skb)->flags & DST_NOPOLICY)) || +- __xfrm_policy_check(sk, ndir, skb, family); ++ return __xfrm_check_nopolicy(net, skb, dir) || ++ (skb_dst(skb) && (skb_dst(skb)->flags & DST_NOPOLICY)) || ++ __xfrm_policy_check(sk, ndir, skb, family); + } + + static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family) +@@ -1167,13 +1156,12 @@ static inline int xfrm_route_forward(struct sk_buff *skb, unsigned short family) + { + struct net *net = dev_net(skb->dev); + +- if (xfrm_default_allow(net, XFRM_POLICY_OUT)) +- return !net->xfrm.policy_count[XFRM_POLICY_OUT] || +- (skb_dst(skb)->flags & DST_NOXFRM) || +- __xfrm_route_forward(skb, family); +- else +- return (skb_dst(skb)->flags & DST_NOXFRM) || +- __xfrm_route_forward(skb, family); ++ if (!net->xfrm.policy_count[XFRM_POLICY_OUT] && ++ net->xfrm.policy_default[XFRM_POLICY_OUT] == XFRM_USERPOLICY_ACCEPT) ++ return true; ++ ++ return (skb_dst(skb)->flags & DST_NOXFRM) || ++ __xfrm_route_forward(skb, family); + } + + static inline int xfrm4_route_forward(struct sk_buff *skb) +diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c +index 02099d113a0a..a6271b955e11 100644 +--- a/net/xfrm/xfrm_policy.c ++++ b/net/xfrm/xfrm_policy.c +@@ -3160,7 +3160,7 @@ struct dst_entry *xfrm_lookup_with_ifid(struct net *net, + + nopol: + if (!(dst_orig->dev->flags & IFF_LOOPBACK) && +- !xfrm_default_allow(net, dir)) { ++ net->xfrm.policy_default[dir] == XFRM_USERPOLICY_BLOCK) { + err = -EPERM; + goto error; + } +@@ -3572,7 +3572,7 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, + } + + if (!pol) { +- if (!xfrm_default_allow(net, dir)) { ++ if (net->xfrm.policy_default[dir] == XFRM_USERPOLICY_BLOCK) { + XFRM_INC_STATS(net, LINUX_MIB_XFRMINNOPOLS); + return 0; + } +@@ -3632,7 +3632,8 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, + } + xfrm_nr = ti; + +- if (!xfrm_default_allow(net, dir) && !xfrm_nr) { ++ if (net->xfrm.policy_default[dir] == XFRM_USERPOLICY_BLOCK && ++ !xfrm_nr) { + XFRM_INC_STATS(net, LINUX_MIB_XFRMINNOSTATES); + goto reject; + } +@@ -4121,6 +4122,9 @@ static int __net_init xfrm_net_init(struct net *net) + spin_lock_init(&net->xfrm.xfrm_policy_lock); + seqcount_spinlock_init(&net->xfrm.xfrm_policy_hash_generation, &net->xfrm.xfrm_policy_lock); + mutex_init(&net->xfrm.xfrm_cfg_mutex); ++ net->xfrm.policy_default[XFRM_POLICY_IN] = XFRM_USERPOLICY_ACCEPT; ++ net->xfrm.policy_default[XFRM_POLICY_FWD] = XFRM_USERPOLICY_ACCEPT; ++ net->xfrm.policy_default[XFRM_POLICY_OUT] = XFRM_USERPOLICY_ACCEPT; + + rv = xfrm_statistics_init(net); + if (rv < 0) +diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c +index 2acba159327c..5fba82757ce5 100644 +--- a/net/xfrm/xfrm_user.c ++++ b/net/xfrm/xfrm_user.c +@@ -1993,12 +1993,9 @@ static int xfrm_notify_userpolicy(struct net *net) + } + + up = nlmsg_data(nlh); +- up->in = net->xfrm.policy_default & XFRM_POL_DEFAULT_IN ? +- XFRM_USERPOLICY_BLOCK : XFRM_USERPOLICY_ACCEPT; +- up->fwd = net->xfrm.policy_default & XFRM_POL_DEFAULT_FWD ? +- XFRM_USERPOLICY_BLOCK : XFRM_USERPOLICY_ACCEPT; +- up->out = net->xfrm.policy_default & XFRM_POL_DEFAULT_OUT ? +- XFRM_USERPOLICY_BLOCK : XFRM_USERPOLICY_ACCEPT; ++ up->in = net->xfrm.policy_default[XFRM_POLICY_IN]; ++ up->fwd = net->xfrm.policy_default[XFRM_POLICY_FWD]; ++ up->out = net->xfrm.policy_default[XFRM_POLICY_OUT]; + + nlmsg_end(skb, nlh); + +@@ -2009,26 +2006,26 @@ static int xfrm_notify_userpolicy(struct net *net) + return err; + } + ++static bool xfrm_userpolicy_is_valid(__u8 policy) ++{ ++ return policy == XFRM_USERPOLICY_BLOCK || ++ policy == XFRM_USERPOLICY_ACCEPT; ++} ++ + static int xfrm_set_default(struct sk_buff *skb, struct nlmsghdr *nlh, + struct nlattr **attrs) + { + struct net *net = sock_net(skb->sk); + struct xfrm_userpolicy_default *up = nlmsg_data(nlh); + +- if (up->in == XFRM_USERPOLICY_BLOCK) +- net->xfrm.policy_default |= XFRM_POL_DEFAULT_IN; +- else if (up->in == XFRM_USERPOLICY_ACCEPT) +- net->xfrm.policy_default &= ~XFRM_POL_DEFAULT_IN; ++ if (xfrm_userpolicy_is_valid(up->in)) ++ net->xfrm.policy_default[XFRM_POLICY_IN] = up->in; + +- if (up->fwd == XFRM_USERPOLICY_BLOCK) +- net->xfrm.policy_default |= XFRM_POL_DEFAULT_FWD; +- else if (up->fwd == XFRM_USERPOLICY_ACCEPT) +- net->xfrm.policy_default &= ~XFRM_POL_DEFAULT_FWD; ++ if (xfrm_userpolicy_is_valid(up->fwd)) ++ net->xfrm.policy_default[XFRM_POLICY_FWD] = up->fwd; + +- if (up->out == XFRM_USERPOLICY_BLOCK) +- net->xfrm.policy_default |= XFRM_POL_DEFAULT_OUT; +- else if (up->out == XFRM_USERPOLICY_ACCEPT) +- net->xfrm.policy_default &= ~XFRM_POL_DEFAULT_OUT; ++ if (xfrm_userpolicy_is_valid(up->out)) ++ net->xfrm.policy_default[XFRM_POLICY_OUT] = up->out; + + rt_genid_bump_all(net); + +@@ -2058,13 +2055,9 @@ static int xfrm_get_default(struct sk_buff *skb, struct nlmsghdr *nlh, + } + + r_up = nlmsg_data(r_nlh); +- +- r_up->in = net->xfrm.policy_default & XFRM_POL_DEFAULT_IN ? +- XFRM_USERPOLICY_BLOCK : XFRM_USERPOLICY_ACCEPT; +- r_up->fwd = net->xfrm.policy_default & XFRM_POL_DEFAULT_FWD ? +- XFRM_USERPOLICY_BLOCK : XFRM_USERPOLICY_ACCEPT; +- r_up->out = net->xfrm.policy_default & XFRM_POL_DEFAULT_OUT ? +- XFRM_USERPOLICY_BLOCK : XFRM_USERPOLICY_ACCEPT; ++ r_up->in = net->xfrm.policy_default[XFRM_POLICY_IN]; ++ r_up->fwd = net->xfrm.policy_default[XFRM_POLICY_FWD]; ++ r_up->out = net->xfrm.policy_default[XFRM_POLICY_OUT]; + nlmsg_end(r_skb, r_nlh); + + return nlmsg_unicast(net->xfrm.nlsk, r_skb, portid); +-- +2.35.1 +