From 16796d7ff432bb1af1f352f7ffb7b97f86f6e14a Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Sat, 28 Dec 2019 05:59:26 -0500 Subject: [PATCH] 4.19-stable patches added patches: af_packet-set-defaule-value-for-tmo.patch fjes-fix-missed-check-in-fjes_acpi_add.patch mod_devicetable-fix-phy-module-format.patch net-dst-force-4-byte-alignment-of-dst_metrics.patch net-gemini-fix-memory-leak-in-gmac_setup_txqs.patch net-hisilicon-fix-a-bug-trigered-by-wrong-bytes_compl.patch net-nfc-nci-fix-a-possible-sleep-in-atomic-context-bug-in-nci_uart_tty_receive.patch net-qlogic-fix-error-paths-in-ql_alloc_large_buffers.patch net-usb-lan78xx-fix-suspend-resume-phy-register-access-error.patch qede-disable-hardware-gro-when-xdp-prog-is-installed.patch qede-fix-multicast-mac-configuration.patch sctp-fully-initialize-v4-addr-in-some-functions.patch selftests-forwarding-delete-ipv6-address-at-the-end.patch --- .../af_packet-set-defaule-value-for-tmo.patch | 54 +++++++++ ...es-fix-missed-check-in-fjes_acpi_add.patch | 32 ++++++ ...od_devicetable-fix-phy-module-format.patch | 43 +++++++ ...orce-4-byte-alignment-of-dst_metrics.patch | 60 ++++++++++ ...i-fix-memory-leak-in-gmac_setup_txqs.patch | 33 ++++++ ...-a-bug-trigered-by-wrong-bytes_compl.patch | 90 +++++++++++++++ ...-context-bug-in-nci_uart_tty_receive.patch | 45 ++++++++ ...rror-paths-in-ql_alloc_large_buffers.patch | 76 +++++++++++++ ...end-resume-phy-register-access-error.patch | 34 ++++++ ...dware-gro-when-xdp-prog-is-installed.patch | 51 +++++++++ ...qede-fix-multicast-mac-configuration.patch | 33 ++++++ ...initialize-v4-addr-in-some-functions.patch | 107 ++++++++++++++++++ ...rding-delete-ipv6-address-at-the-end.patch | 44 +++++++ queue-4.19/series | 13 +++ 14 files changed, 715 insertions(+) create mode 100644 queue-4.19/af_packet-set-defaule-value-for-tmo.patch create mode 100644 queue-4.19/fjes-fix-missed-check-in-fjes_acpi_add.patch create mode 100644 queue-4.19/mod_devicetable-fix-phy-module-format.patch create mode 100644 
queue-4.19/net-dst-force-4-byte-alignment-of-dst_metrics.patch create mode 100644 queue-4.19/net-gemini-fix-memory-leak-in-gmac_setup_txqs.patch create mode 100644 queue-4.19/net-hisilicon-fix-a-bug-trigered-by-wrong-bytes_compl.patch create mode 100644 queue-4.19/net-nfc-nci-fix-a-possible-sleep-in-atomic-context-bug-in-nci_uart_tty_receive.patch create mode 100644 queue-4.19/net-qlogic-fix-error-paths-in-ql_alloc_large_buffers.patch create mode 100644 queue-4.19/net-usb-lan78xx-fix-suspend-resume-phy-register-access-error.patch create mode 100644 queue-4.19/qede-disable-hardware-gro-when-xdp-prog-is-installed.patch create mode 100644 queue-4.19/qede-fix-multicast-mac-configuration.patch create mode 100644 queue-4.19/sctp-fully-initialize-v4-addr-in-some-functions.patch create mode 100644 queue-4.19/selftests-forwarding-delete-ipv6-address-at-the-end.patch diff --git a/queue-4.19/af_packet-set-defaule-value-for-tmo.patch b/queue-4.19/af_packet-set-defaule-value-for-tmo.patch new file mode 100644 index 00000000000..b6b61a945eb --- /dev/null +++ b/queue-4.19/af_packet-set-defaule-value-for-tmo.patch 
@@ -0,0 +1,54 @@ +From foo@baz Sat 28 Dec 2019 05:58:10 AM EST +From: Mao Wenan +Date: Mon, 9 Dec 2019 21:31:25 +0800 +Subject: af_packet: set defaule value for tmo + +From: Mao Wenan + +[ Upstream commit b43d1f9f7067c6759b1051e8ecb84e82cef569fe ] + +There is softlockup when using TPACKET_V3: +... +NMI watchdog: BUG: soft lockup - CPU#2 stuck for 60010ms! +(__irq_svc) from [] (_raw_spin_unlock_irqrestore+0x44/0x54) +(_raw_spin_unlock_irqrestore) from [] (mod_timer+0x210/0x25c) +(mod_timer) from [] +(prb_retire_rx_blk_timer_expired+0x68/0x11c) +(prb_retire_rx_blk_timer_expired) from [] +(call_timer_fn+0x90/0x17c) +(call_timer_fn) from [] (run_timer_softirq+0x2d4/0x2fc) +(run_timer_softirq) from [] (__do_softirq+0x218/0x318) +(__do_softirq) from [] (irq_exit+0x88/0xac) +(irq_exit) from [] (msa_irq_exit+0x11c/0x1d4) +(msa_irq_exit) from [] (handle_IPI+0x650/0x7f4) +(handle_IPI) from [] (gic_handle_irq+0x108/0x118) +(gic_handle_irq) from [] (__irq_usr+0x44/0x5c) +... + +If __ethtool_get_link_ksettings() is failed in +prb_calc_retire_blk_tmo(), msec and tmo will be zero, so tov_in_jiffies +is zero and the timer expire for retire_blk_timer is turn to +mod_timer(&pkc->retire_blk_timer, jiffies + 0), +which will trigger cpu usage of softirq is 100%. + +Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.") +Tested-by: Xiao Jiangfeng +Signed-off-by: Mao Wenan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/packet/af_packet.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -552,7 +552,8 @@ static int prb_calc_retire_blk_tmo(struc + msec = 1; + div = ecmd.base.speed / 1000; + } +- } ++ } else ++ return DEFAULT_PRB_RETIRE_TOV; + + mbits = (blk_size_in_bytes * 8) / (1024 * 1024); + 
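Review bot: The added `} else` in prb_calc_retire_blk_tmo() leaves the else branch unbraced while the matching `if` block is braced, which kernel coding style asks to avoid; write it as `} else {`, `return DEFAULT_PRB_RETIRE_TOV;`, `}`. The fix covers only the path where __ethtool_get_link_ksettings() fails. The rest of the function is outside the hunk, so this page cannot confirm that no other path still returns 0. A zero timeout re-arms the retire timer at `jiffies + 0` and pins a CPU in softirq, so a comment at the return site such as `/* must never return 0: the retire timer would re-arm immediately */` would record the contract.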
diff --git a/queue-4.19/fjes-fix-missed-check-in-fjes_acpi_add.patch b/queue-4.19/fjes-fix-missed-check-in-fjes_acpi_add.patch new file mode 100644 index 00000000000..118087bd530 --- /dev/null +++ b/queue-4.19/fjes-fix-missed-check-in-fjes_acpi_add.patch @@ -0,0 +1,32 @@ +From foo@baz Sat 28 Dec 2019 05:58:10 AM EST +From: Chuhong Yuan +Date: Tue, 10 Dec 2019 00:22:07 +0800 +Subject: fjes: fix missed check in fjes_acpi_add + +From: Chuhong Yuan + +[ Upstream commit a288f105a03a7e0e629a8da2b31f34ebf0343ee2 ] + +fjes_acpi_add() misses a check for platform_device_register_simple(). +Add a check to fix it. + +Fixes: 658d439b2292 ("fjes: Introduce FUJITSU Extended Socket Network Device driver") +Signed-off-by: Chuhong Yuan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/fjes/fjes_main.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/net/fjes/fjes_main.c ++++ b/drivers/net/fjes/fjes_main.c +@@ -181,6 +181,9 @@ static int fjes_acpi_add(struct acpi_dev + /* create platform_device */ + plat_dev = platform_device_register_simple(DRV_NAME, 0, fjes_resource, + ARRAY_SIZE(fjes_resource)); ++ if (IS_ERR(plat_dev)) ++ return PTR_ERR(plat_dev); ++ + device->driver_data = plat_dev; + + return 0; diff --git a/queue-4.19/mod_devicetable-fix-phy-module-format.patch b/queue-4.19/mod_devicetable-fix-phy-module-format.patch new file mode 100644 index 00000000000..e3a62012bcd --- /dev/null +++ b/queue-4.19/mod_devicetable-fix-phy-module-format.patch 
@@ -0,0 +1,43 @@ +From foo@baz Sat 28 Dec 2019 05:58:10 AM EST +From: Russell King +Date: Thu, 19 Dec 2019 23:24:47 +0000 +Subject: mod_devicetable: fix PHY module format + +From: Russell King + +[ Upstream commit d2ed49cf6c13e379c5819aa5ac20e1f9674ebc89 ] + +When a PHY is probed, if the top bit is set, we end up requesting a +module with the string "mdio:-10101110000000100101000101010001" - +the top bit is printed to a signed -1 value. This leads to the module +not being loaded. + +Fix the module format string and the macro generating the values for +it to ensure that we only print unsigned types and the top bit is +always 0/1. We correctly end up with +"mdio:10101110000000100101000101010001". + +Fixes: 8626d3b43280 ("phylib: Support phy module autoloading") +Reviewed-by: Andrew Lunn +Signed-off-by: Russell King +Reviewed-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/mod_devicetable.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/include/linux/mod_devicetable.h ++++ b/include/linux/mod_devicetable.h +@@ -551,9 +551,9 @@ struct platform_device_id { + #define MDIO_NAME_SIZE 32 + #define MDIO_MODULE_PREFIX "mdio:" + +-#define MDIO_ID_FMT "%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d" ++#define MDIO_ID_FMT "%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u" + #define MDIO_ID_ARGS(_id) \ +- (_id)>>31, ((_id)>>30) & 1, ((_id)>>29) & 1, ((_id)>>28) & 1, \ ++ ((_id)>>31) & 1, ((_id)>>30) & 1, ((_id)>>29) & 1, ((_id)>>28) & 1, \ + ((_id)>>27) & 1, ((_id)>>26) & 1, ((_id)>>25) & 1, ((_id)>>24) & 1, \ + ((_id)>>23) & 1, ((_id)>>22) & 1, ((_id)>>21) & 1, ((_id)>>20) & 1, \ + ((_id)>>19) & 1, ((_id)>>18) & 1, ((_id)>>17) & 1, ((_id)>>16) & 1, \ diff --git a/queue-4.19/net-dst-force-4-byte-alignment-of-dst_metrics.patch b/queue-4.19/net-dst-force-4-byte-alignment-of-dst_metrics.patch new file mode 100644 index 00000000000..65cb48795b7 --- /dev/null 
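Review bot: `MDIO_ID_ARGS(_id)` expands its argument 32 times, and the fix depends on every term being masked with `& 1`, but nothing at the definition says so. A comment above the macro would record that, for example `/* _id is evaluated 32 times: pass a side-effect-free 32-bit value. Each term is masked so every %u prints 0 or 1. */`. The string built here is the alias used for module autoloading, and the description shows that a malformed alias leaves the PHY module unloaded without any error at this point. The remaining lines of the macro are outside the hunk.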
+++ b/queue-4.19/net-dst-force-4-byte-alignment-of-dst_metrics.patch 
@@ -0,0 +1,60 @@ +From foo@baz Sat 28 Dec 2019 05:58:10 AM EST +From: Geert Uytterhoeven +Date: Fri, 20 Dec 2019 14:31:40 +0100 +Subject: net: dst: Force 4-byte alignment of dst_metrics + +From: Geert Uytterhoeven + +[ Upstream commit 258a980d1ec23e2c786e9536a7dd260bea74bae6 ] + +When storing a pointer to a dst_metrics structure in dst_entry._metrics, +two flags are added in the least significant bits of the pointer value. +Hence this assumes all pointers to dst_metrics structures have at least +4-byte alignment. + +However, on m68k, the minimum alignment of 32-bit values is 2 bytes, not +4 bytes. Hence in some kernel builds, dst_default_metrics may be only +2-byte aligned, leading to obscure boot warnings like: + + WARNING: CPU: 0 PID: 7 at lib/refcount.c:28 refcount_warn_saturate+0x44/0x9a + refcount_t: underflow; use-after-free. + Modules linked in: + CPU: 0 PID: 7 Comm: ksoftirqd/0 Tainted: G W 5.5.0-rc2-atari-01448-g114a1a1038af891d-dirty #261 + Stack from 10835e6c: + 10835e6c 0038134f 00023fa6 00394b0f 0000001c 00000009 00321560 00023fea + 00394b0f 0000001c 001a70f8 00000009 00000000 10835eb4 00000001 00000000 + 04208040 0000000a 00394b4a 10835ed4 00043aa8 001a70f8 00394b0f 0000001c + 00000009 00394b4a 0026aba8 003215a4 00000003 00000000 0026d5a8 00000001 + 003215a4 003a4361 003238d6 000001f0 00000000 003215a4 10aa3b00 00025e84 + 003ddb00 10834000 002416a8 10aa3b00 00000000 00000080 000aa038 0004854a + Call Trace: [<00023fa6>] __warn+0xb2/0xb4 + [<00023fea>] warn_slowpath_fmt+0x42/0x64 + [<001a70f8>] refcount_warn_saturate+0x44/0x9a + [<00043aa8>] printk+0x0/0x18 + [<001a70f8>] refcount_warn_saturate+0x44/0x9a + [<0026aba8>] refcount_sub_and_test.constprop.73+0x38/0x3e + [<0026d5a8>] ipv4_dst_destroy+0x5e/0x7e + [<00025e84>] __local_bh_enable_ip+0x0/0x8e + [<002416a8>] dst_destroy+0x40/0xae + +Fix this by forcing 4-byte alignment of all dst_metrics structures. 
+ +Fixes: e5fd387ad5b30ca3 ("ipv6: do not overwrite inetpeer metrics prematurely") +Signed-off-by: Geert Uytterhoeven +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/dst.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/net/dst.h ++++ b/include/net/dst.h +@@ -93,7 +93,7 @@ struct dst_entry { + struct dst_metrics { + u32 metrics[RTAX_MAX]; + refcount_t refcnt; +-}; ++} __aligned(4); /* Low pointer bits contain DST_METRICS_FLAGS */ + extern const struct dst_metrics dst_default_metrics; + + u32 *dst_cow_metrics_generic(struct dst_entry *dst, unsigned long old); diff --git a/queue-4.19/net-gemini-fix-memory-leak-in-gmac_setup_txqs.patch b/queue-4.19/net-gemini-fix-memory-leak-in-gmac_setup_txqs.patch new file mode 100644 index 00000000000..f1902eddeb7 --- /dev/null +++ b/queue-4.19/net-gemini-fix-memory-leak-in-gmac_setup_txqs.patch 
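Review bot: The `__aligned(4)` on `struct dst_metrics` is explained only by the trailing comment; nothing fails the build if the alignment and the flag mask later drift apart. The low pointer bits carry flags, and a mis-tagged pointer ends in the refcount underflow shown in the description, so a compile-time check would pin the invariant. For example, `BUILD_BUG_ON(__alignof__(struct dst_metrics) <= DST_METRICS_FLAGS);` in the code that tags the pointer. That code is not part of this hunk, so the placement is a suggestion.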
@@ -0,0 +1,33 @@ +From foo@baz Sat 28 Dec 2019 05:58:10 AM EST +From: Navid Emamdoost +Date: Sat, 14 Dec 2019 19:10:44 -0600 +Subject: net: gemini: Fix memory leak in gmac_setup_txqs + +From: Navid Emamdoost + +[ Upstream commit f37f710353677639bc5d37ee785335994adf2529 ] + +In the implementation of gmac_setup_txqs() the allocated desc_ring is +leaked if TX queue base is not aligned. Release it via +dma_free_coherent. + +Fixes: 4d5ae32f5e1e ("net: ethernet: Add a driver for Gemini gigabit ethernet") +Signed-off-by: Navid Emamdoost +Reviewed-by: Linus Walleij +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/cortina/gemini.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/ethernet/cortina/gemini.c ++++ b/drivers/net/ethernet/cortina/gemini.c +@@ -577,6 +577,8 @@ static int gmac_setup_txqs(struct net_de + + if (port->txq_dma_base & ~DMA_Q_BASE_MASK) { + dev_warn(geth->dev, "TX queue base is not aligned\n"); ++ dma_free_coherent(geth->dev, len * sizeof(*desc_ring), ++ desc_ring, port->txq_dma_base); + kfree(skb_tab); + return -ENOMEM; + } diff --git a/queue-4.19/net-hisilicon-fix-a-bug-trigered-by-wrong-bytes_compl.patch b/queue-4.19/net-hisilicon-fix-a-bug-trigered-by-wrong-bytes_compl.patch new file mode 100644 index 00000000000..8da8904a145 --- /dev/null +++ b/queue-4.19/net-hisilicon-fix-a-bug-trigered-by-wrong-bytes_compl.patch 
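Review bot: After the added `dma_free_coherent()` the freed DMA handle is still stored in `port->txq_dma_base`, so any later teardown that trusts that field could release the ring a second time. Whether such a path runs after this failure is not visible in the hunk. A comment in the error branch, such as `/* txq_dma_base is stale from here on; teardown must not free it again */`, or resetting the field after the free, would make the ownership explicit. The size argument `len * sizeof(*desc_ring)` must match the allocation, which is above the hunk and should be compared against it.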
@@ -0,0 +1,90 @@ +From foo@baz Sat 28 Dec 2019 05:58:10 AM EST +From: Jiangfeng Xiao +Date: Thu, 19 Dec 2019 10:08:07 +0800 +Subject: net: hisilicon: Fix a BUG trigered by wrong bytes_compl + +From: Jiangfeng Xiao + +[ Upstream commit 90b3b339364c76baa2436445401ea9ade040c216 ] + +When doing stress test, we get the following trace: +kernel BUG at lib/dynamic_queue_limits.c:26! +Internal error: Oops - BUG: 0 [#1] SMP ARM +Modules linked in: hip04_eth +CPU: 0 PID: 2003 Comm: tDblStackPcap0 Tainted: G O L 4.4.197 #1 +Hardware name: Hisilicon A15 +task: c3637668 task.stack: de3bc000 +PC is at dql_completed+0x18/0x154 +LR is at hip04_tx_reclaim+0x110/0x174 [hip04_eth] +pc : [] lr : [] psr: 800f0313 +sp : de3bdc2c ip : 00000000 fp : c020fb10 +r10: 00000000 r9 : c39b4224 r8 : 00000001 +r7 : 00000046 r6 : c39b4000 r5 : 0078f392 r4 : 0078f392 +r3 : 00000047 r2 : 00000000 r1 : 00000046 r0 : df5d5c80 +Flags: Nzcv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user +Control: 32c5387d Table: 1e189b80 DAC: 55555555 +Process tDblStackPcap0 (pid: 2003, stack limit = 0xde3bc190) +Stack: (0xde3bdc2c to 0xde3be000) +[] (dql_completed) from [] (hip04_tx_reclaim+0x110/0x174 [hip04_eth]) +[] (hip04_tx_reclaim [hip04_eth]) from [] (hip04_rx_poll+0x20/0x388 [hip04_eth]) +[] (hip04_rx_poll [hip04_eth]) from [] (net_rx_action+0x120/0x374) +[] (net_rx_action) from [] (__do_softirq+0x218/0x318) +[] (__do_softirq) from [] (irq_exit+0x88/0xac) +[] (irq_exit) from [] (msa_irq_exit+0x11c/0x1d4) +[] (msa_irq_exit) from [] (__handle_domain_irq+0x110/0x148) +[] (__handle_domain_irq) from [] (gic_handle_irq+0xd4/0x118) +[] (gic_handle_irq) from [] (__irq_svc+0x40/0x58) +Exception stack(0xde3bdde0 to 0xde3bde28) +dde0: 00000000 00008001 c3637668 00000000 00000000 a00f0213 dd3627a0 c0af6380 +de00: c086d380 a00f0213 c0a22a50 de3bde6c 00000002 de3bde30 c0558138 c055813c +de20: 600f0213 ffffffff +[] (__irq_svc) from [] (_raw_spin_unlock_irqrestore+0x44/0x54) +Kernel panic - not syncing: Fatal exception in 
interrupt + +Pre-modification code: +int hip04_mac_start_xmit(struct sk_buff *skb, struct net_device *ndev) +{ +[...] +[1] priv->tx_head = TX_NEXT(tx_head); +[2] count++; +[3] netdev_sent_queue(ndev, skb->len); +[...] +} +An rx interrupt occurs if hip04_mac_start_xmit just executes to the line 2, +tx_head has been updated, but corresponding 'skb->len' has not been +added to dql_queue. + +And then +hip04_mac_interrupt->__napi_schedule->hip04_rx_poll->hip04_tx_reclaim + +In hip04_tx_reclaim, because tx_head has been updated, +bytes_compl will plus an additional "skb-> len" +which has not been added to dql_queue. And then +trigger the BUG_ON(bytes_compl > num_queued - dql->num_completed). + +To solve the problem described above, we put +"netdev_sent_queue(ndev, skb->len);" +before +"priv->tx_head = TX_NEXT(tx_head);" + +Fixes: a41ea46a9a12 ("net: hisilicon: new hip04 ethernet driver") +Signed-off-by: Jiangfeng Xiao +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/hisilicon/hip04_eth.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/hisilicon/hip04_eth.c ++++ b/drivers/net/ethernet/hisilicon/hip04_eth.c +@@ -456,9 +456,9 @@ hip04_mac_start_xmit(struct sk_buff *skb + skb_tx_timestamp(skb); + + hip04_set_xmit_desc(priv, phys); +- priv->tx_head = TX_NEXT(tx_head); + count++; + netdev_sent_queue(ndev, skb->len); ++ priv->tx_head = TX_NEXT(tx_head); + + stats->tx_bytes += skb->len; + stats->tx_packets++; diff --git a/queue-4.19/net-nfc-nci-fix-a-possible-sleep-in-atomic-context-bug-in-nci_uart_tty_receive.patch b/queue-4.19/net-nfc-nci-fix-a-possible-sleep-in-atomic-context-bug-in-nci_uart_tty_receive.patch new file mode 100644 index 00000000000..afee59ae7d0 --- /dev/null +++ b/queue-4.19/net-nfc-nci-fix-a-possible-sleep-in-atomic-context-bug-in-nci_uart_tty_receive.patch 
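Review bot: `stats->tx_bytes += skb->len;` still dereferences `skb` after `priv->tx_head = TX_NEXT(tx_head);` has published the slot, and the description says hip04_tx_reclaim() can run from the rx interrupt as soon as tx_head has moved. If reclaim is able to free the skb at that point (its body is outside this hunk), the statistics update reads freed memory. Reading the length once before the publish closes that window: `unsigned int len = skb->len;`, then `netdev_sent_queue(ndev, len);` and `stats->tx_bytes += len;`. The new ordering also assumes the two stores are not reordered, so a comment naming the barrier that guarantees this would help.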
@@ -0,0 +1,45 @@ +From foo@baz Sat 28 Dec 2019 05:58:10 AM EST +From: Jia-Ju Bai +Date: Wed, 18 Dec 2019 17:21:55 +0800 +Subject: net: nfc: nci: fix a possible sleep-in-atomic-context bug in nci_uart_tty_receive() + +From: Jia-Ju Bai + +[ Upstream commit b7ac893652cafadcf669f78452329727e4e255cc ] + +The kernel may sleep while holding a spinlock. +The function call path (from bottom to top) in Linux 4.19 is: + +net/nfc/nci/uart.c, 349: + nci_skb_alloc in nci_uart_default_recv_buf +net/nfc/nci/uart.c, 255: + (FUNC_PTR)nci_uart_default_recv_buf in nci_uart_tty_receive +net/nfc/nci/uart.c, 254: + spin_lock in nci_uart_tty_receive + +nci_skb_alloc(GFP_KERNEL) can sleep at runtime. +(FUNC_PTR) means a function pointer is called. + +To fix this bug, GFP_KERNEL is replaced with GFP_ATOMIC for +nci_skb_alloc(). + +This bug is found by a static analysis tool STCheck written by myself. + +Signed-off-by: Jia-Ju Bai +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/nfc/nci/uart.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/nfc/nci/uart.c ++++ b/net/nfc/nci/uart.c +@@ -348,7 +348,7 @@ static int nci_uart_default_recv_buf(str + nu->rx_packet_len = -1; + nu->rx_skb = nci_skb_alloc(nu->ndev, + NCI_MAX_PACKET_SIZE, +- GFP_KERNEL); ++ GFP_ATOMIC); + if (!nu->rx_skb) + return -ENOMEM; + } diff --git a/queue-4.19/net-qlogic-fix-error-paths-in-ql_alloc_large_buffers.patch b/queue-4.19/net-qlogic-fix-error-paths-in-ql_alloc_large_buffers.patch new file mode 100644 index 00000000000..624a6a74577 --- /dev/null +++ b/queue-4.19/net-qlogic-fix-error-paths-in-ql_alloc_large_buffers.patch 
@@ -0,0 +1,76 @@ +From foo@baz Sat 28 Dec 2019 05:58:10 AM EST +From: Ben Hutchings +Date: Tue, 17 Dec 2019 01:57:40 +0000 +Subject: net: qlogic: Fix error paths in ql_alloc_large_buffers() + +From: Ben Hutchings + +[ Upstream commit cad46039e4c99812db067c8ac22a864960e7acc4 ] + +ql_alloc_large_buffers() has the usual RX buffer allocation +loop where it allocates skbs and maps them for DMA. It also +treats failure as a fatal error. + +There are (at least) three bugs in the error paths: + +1. ql_free_large_buffers() assumes that the lrg_buf[] entry for the +first buffer that couldn't be allocated will have .skb == NULL. +But the qla_buf[] array is not zero-initialised. + +2. ql_free_large_buffers() DMA-unmaps all skbs in lrg_buf[]. This is +incorrect for the last allocated skb, if DMA mapping failed. + +3. Commit 1acb8f2a7a9f ("net: qlogic: Fix memory leak in +ql_alloc_large_buffers") added a direct call to dev_kfree_skb_any() +after the skb is recorded in lrg_buf[], so ql_free_large_buffers() +will double-free it. + +The bugs are somewhat inter-twined, so fix them all at once: + +* Clear each entry in qla_buf[] before attempting to allocate + an skb for it. This goes half-way to fixing bug 1. +* Set the .skb field only after the skb is DMA-mapped. This + fixes the rest. + +Fixes: 1357bfcf7106 ("qla3xxx: Dynamically size the rx buffer queue ...") +Fixes: 0f8ab89e825f ("qla3xxx: Check return code from pci_map_single() ...") +Fixes: 1acb8f2a7a9f ("net: qlogic: Fix memory leak in ql_alloc_large_buffers") +Signed-off-by: Ben Hutchings +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/qlogic/qla3xxx.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/net/ethernet/qlogic/qla3xxx.c ++++ b/drivers/net/ethernet/qlogic/qla3xxx.c +@@ -2757,6 +2757,9 @@ static int ql_alloc_large_buffers(struct + int err; + + for (i = 0; i < qdev->num_large_buffers; i++) { ++ lrg_buf_cb = &qdev->lrg_buf[i]; ++ memset(lrg_buf_cb, 0, sizeof(struct ql_rcv_buf_cb)); ++ + skb = netdev_alloc_skb(qdev->ndev, + qdev->lrg_buffer_len); + if (unlikely(!skb)) { +@@ -2767,11 +2770,7 @@ static int ql_alloc_large_buffers(struct + ql_free_large_buffers(qdev); + return -ENOMEM; + } else { +- +- lrg_buf_cb = &qdev->lrg_buf[i]; +- memset(lrg_buf_cb, 0, sizeof(struct ql_rcv_buf_cb)); + lrg_buf_cb->index = i; +- lrg_buf_cb->skb = skb; + /* + * We save some space to copy the ethhdr from first + * buffer +@@ -2793,6 +2792,7 @@ static int ql_alloc_large_buffers(struct + return -ENOMEM; + } + ++ lrg_buf_cb->skb = skb; + dma_unmap_addr_set(lrg_buf_cb, mapaddr, map); + dma_unmap_len_set(lrg_buf_cb, maplen, + qdev->lrg_buffer_len - diff --git a/queue-4.19/net-usb-lan78xx-fix-suspend-resume-phy-register-access-error.patch b/queue-4.19/net-usb-lan78xx-fix-suspend-resume-phy-register-access-error.patch new file mode 100644 index 00000000000..b1c9493048f --- /dev/null +++ b/queue-4.19/net-usb-lan78xx-fix-suspend-resume-phy-register-access-error.patch 
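Review bot: The moved `lrg_buf_cb->skb = skb;` establishes that a non-NULL `.skb` means the buffer is already DMA-mapped, but the new code does not say so. Per the description, ql_free_large_buffers() depends on that field to decide what to unmap and free. A comment above the assignment, such as `/* Publish the skb only once it is mapped; ql_free_large_buffers() keys off .skb */`, would keep a later edit from reintroducing the double free or the unmap of an unmapped buffer. As a smaller point, `memset(lrg_buf_cb, 0, sizeof(*lrg_buf_cb));` ties the size to the object instead of repeating the type name. The function continues beyond the three hunks shown.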
@@ -0,0 +1,34 @@ +From foo@baz Sat 28 Dec 2019 05:58:10 AM EST +From: Cristian Birsan +Date: Thu, 12 Dec 2019 13:52:47 +0200 +Subject: net: usb: lan78xx: Fix suspend/resume PHY register access error + +From: Cristian Birsan + +[ Upstream commit 20032b63586ac6c28c936dff696981159913a13f ] + +Lan78xx driver accesses the PHY registers through MDIO bus over USB +connection. When performing a suspend/resume, the PHY registers can be +accessed before the USB connection is resumed. This will generate an +error and will prevent the device to resume correctly. +This patch adds the dependency between the MDIO bus and USB device to +allow correct handling of suspend/resume. + +Fixes: ce85e13ad6ef ("lan78xx: Update to use phylib instead of mii_if_info.") +Signed-off-by: Cristian Birsan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/lan78xx.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/usb/lan78xx.c ++++ b/drivers/net/usb/lan78xx.c +@@ -1823,6 +1823,7 @@ static int lan78xx_mdio_init(struct lan7 + dev->mdiobus->read = lan78xx_mdiobus_read; + dev->mdiobus->write = lan78xx_mdiobus_write; + dev->mdiobus->name = "lan78xx-mdiobus"; ++ dev->mdiobus->parent = &dev->udev->dev; + + snprintf(dev->mdiobus->id, MII_BUS_ID_SIZE, "usb-%03d:%03d", + dev->udev->bus->busnum, dev->udev->devnum); diff --git a/queue-4.19/qede-disable-hardware-gro-when-xdp-prog-is-installed.patch b/queue-4.19/qede-disable-hardware-gro-when-xdp-prog-is-installed.patch new file mode 100644 index 00000000000..9a14bffe854 --- /dev/null +++ b/queue-4.19/qede-disable-hardware-gro-when-xdp-prog-is-installed.patch 
@@ -0,0 +1,51 @@ +From foo@baz Sat 28 Dec 2019 05:58:10 AM EST +From: Manish Chopra +Date: Thu, 19 Dec 2019 10:35:16 -0800 +Subject: qede: Disable hardware gro when xdp prog is installed + +From: Manish Chopra + +[ Upstream commit 4c8dc00503db24deaf0b89dddfa84b7cba7cd4ce ] + +commit 18c602dee472 ("qede: Use NETIF_F_GRO_HW.") introduced +a regression in driver that when xdp program is installed on +qede device, device's aggregation feature (hardware GRO) is not +getting disabled, which is unexpected with xdp. + +Fixes: 18c602dee472 ("qede: Use NETIF_F_GRO_HW.") +Signed-off-by: Manish Chopra +Signed-off-by: Ariel Elior +Reviewed-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/qlogic/qede/qede_main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/qlogic/qede/qede_main.c ++++ b/drivers/net/ethernet/qlogic/qede/qede_main.c +@@ -1362,6 +1362,7 @@ static int qede_alloc_mem_rxq(struct qed + rxq->rx_buf_seg_size = roundup_pow_of_two(size); + } else { + rxq->rx_buf_seg_size = PAGE_SIZE; ++ edev->ndev->features &= ~NETIF_F_GRO_HW; + } + + /* Allocate the parallel driver ring for Rx buffers */ +@@ -1406,6 +1407,7 @@ static int qede_alloc_mem_rxq(struct qed + } + } + ++ edev->gro_disable = !(edev->ndev->features & NETIF_F_GRO_HW); + if (!edev->gro_disable) + qede_set_tpa_param(rxq); + err: +@@ -1606,8 +1608,6 @@ static void qede_init_fp(struct qede_dev + snprintf(fp->name, sizeof(fp->name), "%s-fp-%d", + edev->ndev->name, queue_id); + } +- +- edev->gro_disable = !(edev->ndev->features & NETIF_F_GRO_HW); + } + + static int qede_set_real_num_queues(struct qede_dev *edev) diff --git a/queue-4.19/qede-fix-multicast-mac-configuration.patch b/queue-4.19/qede-fix-multicast-mac-configuration.patch new file mode 100644 index 00000000000..6b43899f7a1 --- /dev/null +++ b/queue-4.19/qede-fix-multicast-mac-configuration.patch 
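Review bot: `edev->ndev->features &= ~NETIF_F_GRO_HW;` clears the bit directly in the netdev feature word from inside qede_alloc_mem_rxq(), once per rx queue, rather than through the driver's feature-fixup path. Nothing in these hunks sets the bit again, so hardware GRO may stay off after the XDP program is removed; the condition guarding this `else` branch is outside the hunk, so this needs confirming. A comment at the assignment should say who restores the feature, or the decision should move to where features are negotiated. Deriving `edev->gro_disable` in the allocation function also makes it depend on call order, which is worth a one-line comment.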
@@ -0,0 +1,33 @@ +From foo@baz Sat 28 Dec 2019 05:58:10 AM EST +From: Manish Chopra +Date: Thu, 12 Dec 2019 06:49:28 -0800 +Subject: qede: Fix multicast mac configuration + +From: Manish Chopra + +[ Upstream commit 0af67e49b018e7280a4227bfe7b6005bc9d3e442 ] + +Driver doesn't accommodate the configuration for max number +of multicast mac addresses, in such particular case it leaves +the device with improper/invalid multicast configuration state, +causing connectivity issues (in lacp bonding like scenarios). + +Signed-off-by: Manish Chopra +Signed-off-by: Ariel Elior +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/qlogic/qede/qede_filter.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/qlogic/qede/qede_filter.c ++++ b/drivers/net/ethernet/qlogic/qede/qede_filter.c +@@ -1230,7 +1230,7 @@ qede_configure_mcast_filtering(struct ne + netif_addr_lock_bh(ndev); + + mc_count = netdev_mc_count(ndev); +- if (mc_count < 64) { ++ if (mc_count <= 64) { + netdev_for_each_mc_addr(ha, ndev) { + ether_addr_copy(temp, ha->addr); + temp += ETH_ALEN; diff --git a/queue-4.19/sctp-fully-initialize-v4-addr-in-some-functions.patch b/queue-4.19/sctp-fully-initialize-v4-addr-in-some-functions.patch new file mode 100644 index 00000000000..1ede2602158 --- /dev/null +++ b/queue-4.19/sctp-fully-initialize-v4-addr-in-some-functions.patch 
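Review bot: With `mc_count <= 64` the loop now copies up to 64 addresses through `temp`, so the buffer behind it must hold `64 * ETH_ALEN` bytes. Its allocation is above the hunk and should be checked against the new bound. The bare `64` should become a named constant shared with that allocation so the two cannot drift apart. Failing that, add a comment on the comparison such as `/* 64 == number of ETH_ALEN slots in the buffer temp walks */`.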
@@ -0,0 +1,107 @@ +From foo@baz Sat 28 Dec 2019 05:58:10 AM EST +From: Xin Long +Date: Mon, 9 Dec 2019 13:45:54 +0800 +Subject: sctp: fully initialize v4 addr in some functions + +From: Xin Long + +[ Upstream commit b6f3320b1d5267e7b583a6d0c88dda518101740c ] + +Syzbot found a crash: + + BUG: KMSAN: uninit-value in crc32_body lib/crc32.c:112 [inline] + BUG: KMSAN: uninit-value in crc32_le_generic lib/crc32.c:179 [inline] + BUG: KMSAN: uninit-value in __crc32c_le_base+0x4fa/0xd30 lib/crc32.c:202 + Call Trace: + crc32_body lib/crc32.c:112 [inline] + crc32_le_generic lib/crc32.c:179 [inline] + __crc32c_le_base+0x4fa/0xd30 lib/crc32.c:202 + chksum_update+0xb2/0x110 crypto/crc32c_generic.c:90 + crypto_shash_update+0x4c5/0x530 crypto/shash.c:107 + crc32c+0x150/0x220 lib/libcrc32c.c:47 + sctp_csum_update+0x89/0xa0 include/net/sctp/checksum.h:36 + __skb_checksum+0x1297/0x12a0 net/core/skbuff.c:2640 + sctp_compute_cksum include/net/sctp/checksum.h:59 [inline] + sctp_packet_pack net/sctp/output.c:528 [inline] + sctp_packet_transmit+0x40fb/0x4250 net/sctp/output.c:597 + sctp_outq_flush_transports net/sctp/outqueue.c:1146 [inline] + sctp_outq_flush+0x1823/0x5d80 net/sctp/outqueue.c:1194 + sctp_outq_uncork+0xd0/0xf0 net/sctp/outqueue.c:757 + sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1781 [inline] + sctp_side_effects net/sctp/sm_sideeffect.c:1184 [inline] + sctp_do_sm+0x8fe1/0x9720 net/sctp/sm_sideeffect.c:1155 + sctp_primitive_REQUESTHEARTBEAT+0x175/0x1a0 net/sctp/primitive.c:185 + sctp_apply_peer_addr_params+0x212/0x1d40 net/sctp/socket.c:2433 + sctp_setsockopt_peer_addr_params net/sctp/socket.c:2686 [inline] + sctp_setsockopt+0x189bb/0x19090 net/sctp/socket.c:4672 + +The issue was caused by transport->ipaddr set with uninit addr param, which +was passed by: + + sctp_transport_init net/sctp/transport.c:47 [inline] + sctp_transport_new+0x248/0xa00 net/sctp/transport.c:100 + sctp_assoc_add_peer+0x5ba/0x2030 net/sctp/associola.c:611 + sctp_process_param 
net/sctp/sm_make_chunk.c:2524 [inline] + +where 'addr' is set by sctp_v4_from_addr_param(), and it doesn't initialize +the padding of addr->v4. + +Later when calling sctp_make_heartbeat(), hbinfo.daddr(=transport->ipaddr) +will become the part of skb, and the issue occurs. + +This patch is to fix it by initializing the padding of addr->v4 in +sctp_v4_from_addr_param(), as well as other functions that do the similar +thing, and these functions shouldn't trust that the caller initializes the +memory, as Marcelo suggested. + +Reported-by: syzbot+6dcbfea81cd3d4dd0b02@syzkaller.appspotmail.com +Signed-off-by: Xin Long +Acked-by: Neil Horman +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/protocol.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/net/sctp/protocol.c ++++ b/net/sctp/protocol.c +@@ -242,6 +242,7 @@ static void sctp_v4_from_skb(union sctp_ + sa->sin_port = sh->dest; + sa->sin_addr.s_addr = ip_hdr(skb)->daddr; + } ++ memset(sa->sin_zero, 0, sizeof(sa->sin_zero)); + } + + /* Initialize an sctp_addr from a socket. */ +@@ -250,6 +251,7 @@ static void sctp_v4_from_sk(union sctp_a + addr->v4.sin_family = AF_INET; + addr->v4.sin_port = 0; + addr->v4.sin_addr.s_addr = inet_sk(sk)->inet_rcv_saddr; ++ memset(addr->v4.sin_zero, 0, sizeof(addr->v4.sin_zero)); + } + + /* Initialize sk->sk_rcv_saddr from sctp_addr. */ +@@ -272,6 +274,7 @@ static void sctp_v4_from_addr_param(unio + addr->v4.sin_family = AF_INET; + addr->v4.sin_port = port; + addr->v4.sin_addr.s_addr = param->v4.addr.s_addr; ++ memset(addr->v4.sin_zero, 0, sizeof(addr->v4.sin_zero)); + } + + /* Initialize an address parameter from a sctp_addr and return the length +@@ -296,6 +299,7 @@ static void sctp_v4_dst_saddr(union sctp + saddr->v4.sin_family = AF_INET; + saddr->v4.sin_port = port; + saddr->v4.sin_addr.s_addr = fl4->saddr; ++ memset(saddr->v4.sin_zero, 0, sizeof(saddr->v4.sin_zero)); + } + + /* Compare two addresses exactly. 
*/ +@@ -318,6 +322,7 @@ static void sctp_v4_inaddr_any(union sct + addr->v4.sin_family = AF_INET; + addr->v4.sin_addr.s_addr = htonl(INADDR_ANY); + addr->v4.sin_port = port; ++ memset(addr->v4.sin_zero, 0, sizeof(addr->v4.sin_zero)); + } + + /* Is this a wildcard address? */ diff --git a/queue-4.19/selftests-forwarding-delete-ipv6-address-at-the-end.patch b/queue-4.19/selftests-forwarding-delete-ipv6-address-at-the-end.patch new file mode 100644 index 00000000000..0f266bdda6e --- /dev/null +++ b/queue-4.19/selftests-forwarding-delete-ipv6-address-at-the-end.patch @@ -0,0 +1,44 @@ +From foo@baz Sat 28 Dec 2019 05:58:10 AM EST +From: Ido Schimmel +Date: Mon, 9 Dec 2019 08:56:34 +0200 +Subject: selftests: forwarding: Delete IPv6 address at the end + +From: Ido Schimmel + +[ Upstream commit 65cb13986229cec02635a1ecbcd1e2dd18353201 ] + +When creating the second host in h2_create(), two addresses are assigned +to the interface, but only one is deleted. When running the test twice +in a row the following error is observed: + +$ ./router_bridge_vlan.sh +TEST: ping [ OK ] +TEST: ping6 [ OK ] +TEST: vlan [ OK ] +$ ./router_bridge_vlan.sh +RTNETLINK answers: File exists +TEST: ping [ OK ] +TEST: ping6 [ OK ] +TEST: vlan [ OK ] + +Fix this by deleting the address during cleanup. + +Fixes: 5b1e7f9ebd56 ("selftests: forwarding: Test routed bridge interface") +Signed-off-by: Ido Schimmel +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/forwarding/router_bridge_vlan.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/testing/selftests/net/forwarding/router_bridge_vlan.sh ++++ b/tools/testing/selftests/net/forwarding/router_bridge_vlan.sh +@@ -36,7 +36,7 @@ h2_destroy() + { + ip -6 route del 2001:db8:1::/64 vrf v$h2 + ip -4 route del 192.0.2.0/28 vrf v$h2 +- simple_if_fini $h2 192.0.2.130/28 ++ simple_if_fini $h2 192.0.2.130/28 2001:db8:2::2/64 + } + + router_create() 
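Review bot: The five added `memset(..., sin_zero, ...)` calls clear only the padding of the `sockaddr_in` member, while the object being initialised is a `union sctp_addr`. If the union is later copied at full size, as the description's `hbinfo.daddr(=transport->ipaddr)` suggests, the bytes beyond the v4 member would still hold whatever the caller's stack contained and could reach the wire. That copy is outside these hunks, so it should be verified. Clearing the whole object first, `memset(addr, 0, sizeof(*addr));` before the field assignments, would cover both cases. It would also remove the need to repeat the same line in sctp_v4_from_skb(), sctp_v4_from_sk(), sctp_v4_from_addr_param(), sctp_v4_dst_saddr() and sctp_v4_inaddr_any().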
diff --git a/queue-4.19/series b/queue-4.19/series
index 51f10b70a0c..f388d083f67 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -1,3 +1,16 @@
+af_packet-set-defaule-value-for-tmo.patch
+fjes-fix-missed-check-in-fjes_acpi_add.patch
+mod_devicetable-fix-phy-module-format.patch
+net-dst-force-4-byte-alignment-of-dst_metrics.patch
+net-gemini-fix-memory-leak-in-gmac_setup_txqs.patch
+net-hisilicon-fix-a-bug-trigered-by-wrong-bytes_compl.patch
+net-nfc-nci-fix-a-possible-sleep-in-atomic-context-bug-in-nci_uart_tty_receive.patch
+net-qlogic-fix-error-paths-in-ql_alloc_large_buffers.patch
+net-usb-lan78xx-fix-suspend-resume-phy-register-access-error.patch
+qede-disable-hardware-gro-when-xdp-prog-is-installed.patch
+qede-fix-multicast-mac-configuration.patch
+sctp-fully-initialize-v4-addr-in-some-functions.patch
+selftests-forwarding-delete-ipv6-address-at-the-end.patch
 btrfs-don-t-double-lock-the-subvol_sem-for-rename-exchange.patch
 btrfs-do-not-call-synchronize_srcu-in-inode_tree_del.patch
 btrfs-fix-missing-data-checksums-after-replaying-a-log-tree.patch
-- 2.47.3