From 249fb3bc6005275b184ffd876d0ee90789461010 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sun, 22 May 2022 23:03:31 -0400 Subject: [PATCH] Fixes for 4.19 
Signed-off-by: Sasha Levin --- ...-1-spectre-bhb-enable-for-cortex-a15.patch | 36 +++++++ ...re-bhb-fix-loop8-sequence-for-thumb2.patch | 37 ++++++++ ...ed-consider-range-when-calculating-b.patch | 42 +++++++++ ...ix-missing-pci_disable_device-on-err.patch | 49 ++++++++++ ...do-not-touch-other-bits-when-set-the.patch | 45 +++++++++ ...efuse-requests-with-inverted-polarit.patch | 40 ++++++++ ...p-phy-status-check-where-unavailable.patch | 46 +++++++++ ...reordering-with-non-explicit-psmp-ac.patch | 38 ++++++++ ...heck-for-pfkey_broadcast-in-function.patch | 42 +++++++++ ...ify-hw_head_-lies-within-tx-buffer-r.patch | 43 +++++++++ ...-offload_fwd_mark-when-passing-frame.patch | 72 ++++++++++++++ ...nt-rx-bd-head-after-allocating-skb-a.patch | 53 +++++++++++ ...operly-block-lro-when-xdp-is-enabled.patch | 47 ++++++++++ ...-qla3xxx-fix-a-test-in-ql_reset_work.patch | 48 ++++++++++ ...dit-sanitize-shift-argument-before-u.patch | 84 +++++++++++++++++ ...issing-pci_disable_device-on-error-i.patch | 46 +++++++++ ...possible-null-pointer-dereference-in.patch | 68 ++++++++++++++ ...possible-use-after-free-bugs-in-vmxn.patch | 94 +++++++++++++++++++ ...p-in-atomic-context-bugs-caused-by-n.patch | 81 ++++++++++++++++ ...-numa-address-compiler-error-on-s390.patch | 67 +++++++++++++ ...-missed-dma-unmap-for-aborted-comman.patch | 51 ++++++++++ queue-4.19/series | 21 +++++ 22 files changed, 1150 insertions(+) create mode 100644 queue-4.19/arm-9196-1-spectre-bhb-enable-for-cortex-a15.patch create mode 100644 queue-4.19/arm-9197-1-spectre-bhb-fix-loop8-sequence-for-thumb2.patch create mode 100644 queue-4.19/clk-at91-generated-consider-range-when-calculating-b.patch create mode 100644 queue-4.19/ethernet-tulip-fix-missing-pci_disable_device-on-err.patch create mode 100644 queue-4.19/gpio-gpio-vf610-do-not-touch-other-bits-when-set-the.patch create mode 100644 queue-4.19/gpio-mvebu-pwm-refuse-requests-with-inverted-polarit.patch create mode 100644 
queue-4.19/igb-skip-phy-status-check-where-unavailable.patch
create mode 100644 queue-4.19/mac80211-fix-rx-reordering-with-non-explicit-psmp-ac.patch
create mode 100644 queue-4.19/net-af_key-add-check-for-pfkey_broadcast-in-function.patch
create mode 100644 queue-4.19/net-atlantic-verify-hw_head_-lies-within-tx-buffer-r.patch
create mode 100644 queue-4.19/net-bridge-clear-offload_fwd_mark-when-passing-frame.patch
create mode 100644 queue-4.19/net-macb-increment-rx-bd-head-after-allocating-skb-a.patch
create mode 100644 queue-4.19/net-mlx5e-properly-block-lro-when-xdp-is-enabled.patch
create mode 100644 queue-4.19/net-qla3xxx-fix-a-test-in-ql_reset_work.patch
create mode 100644 queue-4.19/net-sched-act_pedit-sanitize-shift-argument-before-u.patch
create mode 100644 queue-4.19/net-stmmac-fix-missing-pci_disable_device-on-error-i.patch
create mode 100644 queue-4.19/net-vmxnet3-fix-possible-null-pointer-dereference-in.patch
create mode 100644 queue-4.19/net-vmxnet3-fix-possible-use-after-free-bugs-in-vmxn.patch
create mode 100644 queue-4.19/nfc-nci-fix-sleep-in-atomic-context-bugs-caused-by-n.patch
create mode 100644 queue-4.19/perf-bench-numa-address-compiler-error-on-s390.patch
create mode 100644 queue-4.19/scsi-qla2xxx-fix-missed-dma-unmap-for-aborted-comman.patch
diff --git a/queue-4.19/arm-9196-1-spectre-bhb-enable-for-cortex-a15.patch b/queue-4.19/arm-9196-1-spectre-bhb-enable-for-cortex-a15.patch
new file mode 100644
index 00000000000..234a3fe90c0
--- /dev/null
+++ b/queue-4.19/arm-9196-1-spectre-bhb-enable-for-cortex-a15.patch
@@ -0,0 +1,36 @@ +From e773648f194e9bef9039507c5c89bd3bfdc8a17e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Apr 2022 09:44:51 +0100 +Subject: ARM: 9196/1: spectre-bhb: enable for Cortex-A15 + +From: Ard Biesheuvel + +[ Upstream commit 0dc14aa94ccd8ba35eb17a0f9b123d1566efd39e ] + +The Spectre-BHB mitigations were inadvertently left disabled for +Cortex-A15, due to the fact that cpu_v7_bugs_init() is not called in +that case. So fix that. + +Fixes: b9baf5c8c5c3 ("ARM: Spectre-BHB workaround") +Signed-off-by: Ard Biesheuvel +Signed-off-by: Russell King (Oracle) +Signed-off-by: Sasha Levin +--- + arch/arm/mm/proc-v7-bugs.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm/mm/proc-v7-bugs.c b/arch/arm/mm/proc-v7-bugs.c +index 8394307272d6..0381e1495486 100644 +--- a/arch/arm/mm/proc-v7-bugs.c ++++ b/arch/arm/mm/proc-v7-bugs.c +@@ -302,6 +302,7 @@ void cpu_v7_ca15_ibe(void) + { + if (check_spectre_auxcr(this_cpu_ptr(&spectre_warned), BIT(0))) + cpu_v7_spectre_v2_init(); ++ cpu_v7_spectre_bhb_init(); + } + + void cpu_v7_bugs_init(void) +-- +2.35.1 + diff --git a/queue-4.19/arm-9197-1-spectre-bhb-fix-loop8-sequence-for-thumb2.patch b/queue-4.19/arm-9197-1-spectre-bhb-fix-loop8-sequence-for-thumb2.patch new file mode 100644 index 00000000000..60f06578c00 --- /dev/null +++ b/queue-4.19/arm-9197-1-spectre-bhb-fix-loop8-sequence-for-thumb2.patch 
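Review bot: The new `cpu_v7_spectre_bhb_init();` in cpu_v7_ca15_ibe() sits after the braceless `if (check_spectre_auxcr(...))`, so the BHB mitigation is now initialised unconditionally while the v2 mitigation stays gated on the auxcr check; nothing in the function says that asymmetry is deliberate. A one-line comment above the call, `/* BHB mitigation does not depend on the IBE auxcr check above */`, would keep a later reader from "fixing" it back inside the if. Whether the unconditional placement is correct depends on cpu_v7_spectre_bhb_init(), which is outside this hunk.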
@@ -0,0 +1,37 @@ +From e66614993f53ab1ea57406653df34106acd776e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Apr 2022 09:46:17 +0100 +Subject: ARM: 9197/1: spectre-bhb: fix loop8 sequence for Thumb2 + +From: Ard Biesheuvel + +[ Upstream commit 3cfb3019979666bdf33a1010147363cf05e0f17b ] + +In Thumb2, 'b . + 4' produces a branch instruction that uses a narrow +encoding, and so it does not jump to the following instruction as +expected. So use W(b) instead. + +Fixes: 6c7cb60bff7a ("ARM: fix Thumb2 regression with Spectre BHB") +Signed-off-by: Ard Biesheuvel +Signed-off-by: Russell King (Oracle) +Signed-off-by: Sasha Levin +--- + arch/arm/kernel/entry-armv.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/kernel/entry-armv.S b/arch/arm/kernel/entry-armv.S +index a929b6acb149..d779cd1a3b0c 100644 +--- a/arch/arm/kernel/entry-armv.S ++++ b/arch/arm/kernel/entry-armv.S +@@ -1067,7 +1067,7 @@ vector_bhb_loop8_\name: + + @ bhb workaround + mov r0, #8 +-3: b . + 4 ++3: W(b) . + 4 + subs r0, r0, #1 + bne 3b + dsb +-- +2.35.1 + diff --git a/queue-4.19/clk-at91-generated-consider-range-when-calculating-b.patch b/queue-4.19/clk-at91-generated-consider-range-when-calculating-b.patch new file mode 100644 index 00000000000..cfe77913f8d --- /dev/null +++ b/queue-4.19/clk-at91-generated-consider-range-when-calculating-b.patch 
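Review bot: The replaced line `3: W(b) . + 4` only works because the branch now occupies exactly 4 bytes, so `. + 4` is the next instruction; the only nearby comment, `@ bhb workaround`, does not say why the narrow `b` was wrong, and the next person to tidy the sequence may reintroduce it. Suggest a comment on the label line: `@ W() forces a 32-bit encoding so '. + 4' is the following instruction in Thumb2`. The `vector_bhb_loop8_\name` sequence begins outside the hunk.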
@@ -0,0 +1,42 @@ +From 31a31f12d9add81a024cc51a666fdcf61a872579 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Apr 2022 10:13:18 +0300 +Subject: clk: at91: generated: consider range when calculating best rate + +From: Codrin Ciubotariu + +[ Upstream commit d0031e6fbed955ff8d5f5bbc8fe7382482559cec ] + +clk_generated_best_diff() helps in finding the parent and the divisor to +compute a rate closest to the required one. However, it doesn't take into +account the request's range for the new rate. Make sure the new rate +is within the required range. + +Fixes: 8a8f4bf0c480 ("clk: at91: clk-generated: create function to find best_diff") +Signed-off-by: Codrin Ciubotariu +Link: https://lore.kernel.org/r/20220413071318.244912-1-codrin.ciubotariu@microchip.com +Reviewed-by: Claudiu Beznea +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/at91/clk-generated.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/clk/at91/clk-generated.c b/drivers/clk/at91/clk-generated.c +index ea23002be4de..b397556c34d9 100644 +--- a/drivers/clk/at91/clk-generated.c ++++ b/drivers/clk/at91/clk-generated.c +@@ -119,6 +119,10 @@ static void clk_generated_best_diff(struct clk_rate_request *req, + tmp_rate = parent_rate; + else + tmp_rate = parent_rate / div; ++ ++ if (tmp_rate < req->min_rate || tmp_rate > req->max_rate) ++ return; ++ + tmp_diff = abs(req->rate - tmp_rate); + + if (*best_diff < 0 || *best_diff > tmp_diff) { +-- +2.35.1 + diff --git a/queue-4.19/ethernet-tulip-fix-missing-pci_disable_device-on-err.patch b/queue-4.19/ethernet-tulip-fix-missing-pci_disable_device-on-err.patch new file mode 100644 index 00000000000..310d7395c85 --- /dev/null +++ b/queue-4.19/ethernet-tulip-fix-missing-pci_disable_device-on-err.patch 
@@ -0,0 +1,49 @@ +From cf5a1cb902c6178146df881b6b811c5683f322fd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 May 2022 17:42:50 +0800 +Subject: ethernet: tulip: fix missing pci_disable_device() on error in + tulip_init_one() + +From: Yang Yingliang + +[ Upstream commit 51ca86b4c9c7c75f5630fa0dbe5f8f0bd98e3c3e ] + +Fix the missing pci_disable_device() before return +from tulip_init_one() in the error handling case. + +Reported-by: Hulk Robot +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20220506094250.3630615-1-yangyingliang@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/dec/tulip/tulip_core.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/dec/tulip/tulip_core.c b/drivers/net/ethernet/dec/tulip/tulip_core.c +index 3e3e08698876..fea4223ad6f1 100644 +--- a/drivers/net/ethernet/dec/tulip/tulip_core.c ++++ b/drivers/net/ethernet/dec/tulip/tulip_core.c +@@ -1410,8 +1410,10 @@ static int tulip_init_one(struct pci_dev *pdev, const struct pci_device_id *ent) + + /* alloc_etherdev ensures aligned and zeroed private structures */ + dev = alloc_etherdev (sizeof (*tp)); +- if (!dev) ++ if (!dev) { ++ pci_disable_device(pdev); + return -ENOMEM; ++ } + + SET_NETDEV_DEV(dev, &pdev->dev); + if (pci_resource_len (pdev, 0) < tulip_tbl[chip_idx].io_size) { +@@ -1788,6 +1790,7 @@ static int tulip_init_one(struct pci_dev *pdev, const struct pci_device_id *ent) + + err_out_free_netdev: + free_netdev (dev); ++ pci_disable_device(pdev); + return -ENODEV; + } + +-- +2.35.1 + diff --git a/queue-4.19/gpio-gpio-vf610-do-not-touch-other-bits-when-set-the.patch b/queue-4.19/gpio-gpio-vf610-do-not-touch-other-bits-when-set-the.patch new file mode 100644 index 00000000000..f51450d4964 --- /dev/null +++ b/queue-4.19/gpio-gpio-vf610-do-not-touch-other-bits-when-set-the.patch 
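Review bot: The two new `pci_disable_device(pdev);` calls cover only the `!dev` early return and the final `err_out_free_netdev:` label; judging by the hunk offsets, tulip_init_one() runs for roughly 380 lines between them, and any failure exit in that stretch that returns directly instead of jumping to the label (none is visible here, so this is unconfirmed) would still leave the device enabled. Worth verifying that every error path after alloc_etherdev() reaches `err_out_free_netdev`. Since the early return and the label now perform the same unwinding, a dedicated label reached by the early path would keep the cleanup in one place, though it would need to preserve the -ENOMEM/-ENODEV distinction. Most of the function body is outside the hunks.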
@@ -0,0 +1,45 @@ +From f17ab87b98b727adeda761e43fce256a6866247c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 May 2022 10:15:04 +0800 +Subject: gpio: gpio-vf610: do not touch other bits when set the target bit + +From: Haibo Chen + +[ Upstream commit 9bf3ac466faa83d51a8fe9212131701e58fdef74 ] + +For gpio controller contain register PDDR, when set one target bit, +current logic will clear all other bits, this is wrong. Use operator +'|=' to fix it. + +Fixes: 659d8a62311f ("gpio: vf610: add imx7ulp support") +Reviewed-by: Peng Fan +Signed-off-by: Haibo Chen +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-vf610.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpio/gpio-vf610.c b/drivers/gpio/gpio-vf610.c +index a9cb5571de54..f7692999df47 100644 +--- a/drivers/gpio/gpio-vf610.c ++++ b/drivers/gpio/gpio-vf610.c +@@ -135,9 +135,13 @@ static int vf610_gpio_direction_output(struct gpio_chip *chip, unsigned gpio, + { + struct vf610_gpio_port *port = gpiochip_get_data(chip); + unsigned long mask = BIT(gpio); ++ u32 val; + +- if (port->sdata && port->sdata->have_paddr) +- vf610_gpio_writel(mask, port->gpio_base + GPIO_PDDR); ++ if (port->sdata && port->sdata->have_paddr) { ++ val = vf610_gpio_readl(port->gpio_base + GPIO_PDDR); ++ val |= mask; ++ vf610_gpio_writel(val, port->gpio_base + GPIO_PDDR); ++ } + + vf610_gpio_set(chip, gpio, value); + +-- +2.35.1 + diff --git a/queue-4.19/gpio-mvebu-pwm-refuse-requests-with-inverted-polarit.patch b/queue-4.19/gpio-mvebu-pwm-refuse-requests-with-inverted-polarit.patch new file mode 100644 index 00000000000..4070b178d15 --- /dev/null +++ b/queue-4.19/gpio-mvebu-pwm-refuse-requests-with-inverted-polarit.patch 
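Review bot: The new read-modify-write of GPIO_PDDR in vf610_gpio_direction_output() (`val = vf610_gpio_readl(...)`, `val |= mask`, `vf610_gpio_writel(val, ...)`) is not atomic and no lock is taken in the hunk, so two lines of the same port changing direction concurrently can lose each other's bit; I do not believe the gpio core serialises per-chip direction callbacks, but that should be confirmed. If the driver already has a per-port lock, the three lines belong inside it; otherwise a spinlock in struct vf610_gpio_port would be the usual fix. The direction_input counterpart presumably needs the matching clear-bit RMW and is outside this hunk, as is the function's tail after `vf610_gpio_set(chip, gpio, value);`.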
@@ -0,0 +1,40 @@ +From e8d30fe54586d1d5b2686fd6a527680f1a24b795 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 May 2022 09:58:56 +0200 +Subject: gpio: mvebu/pwm: Refuse requests with inverted polarity +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit 3ecb10175b1f776f076553c24e2689e42953fef5 ] + +The driver doesn't take struct pwm_state::polarity into account when +configuring the hardware, so refuse requests for inverted polarity. + +Fixes: 757642f9a584 ("gpio: mvebu: Add limited PWM support") +Signed-off-by: Uwe Kleine-König +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-mvebu.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpio/gpio-mvebu.c b/drivers/gpio/gpio-mvebu.c +index 874caed72390..199b96967ca2 100644 +--- a/drivers/gpio/gpio-mvebu.c ++++ b/drivers/gpio/gpio-mvebu.c +@@ -690,6 +690,9 @@ static int mvebu_pwm_apply(struct pwm_chip *chip, struct pwm_device *pwm, + unsigned long flags; + unsigned int on, off; + ++ if (state->polarity != PWM_POLARITY_NORMAL) ++ return -EINVAL; ++ + val = (unsigned long long) mvpwm->clk_rate * state->duty_cycle; + do_div(val, NSEC_PER_SEC); + if (val > UINT_MAX) +-- +2.35.1 + diff --git a/queue-4.19/igb-skip-phy-status-check-where-unavailable.patch b/queue-4.19/igb-skip-phy-status-check-where-unavailable.patch new file mode 100644 index 00000000000..984c2e1bdfa --- /dev/null +++ b/queue-4.19/igb-skip-phy-status-check-where-unavailable.patch 
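Review bot: The new `if (state->polarity != PWM_POLARITY_NORMAL) return -EINVAL;` in mvebu_pwm_apply() carries no comment, and nothing in the visible function explains why inverted polarity is refused. Suggest `/* polarity is never programmed into the hardware, so only normal is supported */` above the check. If the driver has a get_state callback it should report PWM_POLARITY_NORMAL for consistency; that code is outside the hunk, as is the rest of mvebu_pwm_apply().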
@@ -0,0 +1,46 @@ +From e06d9a9a4f98b3f40f4cc34a07df04be4758b8e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 May 2022 11:01:05 -0700 +Subject: igb: skip phy status check where unavailable + +From: Kevin Mitchell + +[ Upstream commit 942d2ad5d2e0df758a645ddfadffde2795322728 ] + +igb_read_phy_reg() will silently return, leaving phy_data untouched, if +hw->ops.read_reg isn't set. Depending on the uninitialized value of +phy_data, this led to the phy status check either succeeding immediately +or looping continuously for 2 seconds before emitting a noisy err-level +timeout. This message went out to the console even though there was no +actual problem. + +Instead, first check if there is read_reg function pointer. If not, +proceed without trying to check the phy status register. + +Fixes: b72f3f72005d ("igb: When GbE link up, wait for Remote receiver status condition") +Signed-off-by: Kevin Mitchell +Tested-by: Gurucharan (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/igb_main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index 74b50f17832d..a93edd31011f 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -5346,7 +5346,8 @@ static void igb_watchdog_task(struct work_struct *work) + break; + } + +- if (adapter->link_speed != SPEED_1000) ++ if (adapter->link_speed != SPEED_1000 || ++ !hw->phy.ops.read_reg) + goto no_wait; + + /* wait for Remote receiver status OK */ +-- +2.35.1 + diff --git a/queue-4.19/mac80211-fix-rx-reordering-with-non-explicit-psmp-ac.patch b/queue-4.19/mac80211-fix-rx-reordering-with-non-explicit-psmp-ac.patch new file mode 100644 index 00000000000..9302ea6fa71 --- /dev/null +++ b/queue-4.19/mac80211-fix-rx-reordering-with-non-explicit-psmp-ac.patch 
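Review bot: The added `!hw->phy.ops.read_reg` guard stops igb_watchdog_task() from entering the wait loop without a PHY backend, but the underlying fragility named in the description, `phy_data` being consulted after a silently-returning igb_read_phy_reg(), remains: the variable is still not initialised and the read's return value is still not checked in the loop. Initialising `phy_data` at its declaration and testing the return of igb_read_phy_reg() before using the value would make the status check robust to any other early-return path in the helper. Both the declaration and the wait loop after `/* wait for Remote receiver status OK */` are outside this hunk.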
@@ -0,0 +1,38 @@ +From b20e7412f16b9dfd9878d9b1dfb00a2d0e21187f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Apr 2022 12:50:38 +0200 +Subject: mac80211: fix rx reordering with non explicit / psmp ack policy + +From: Felix Fietkau + +[ Upstream commit 5e469ed9764d4722c59562da13120bd2dc6834c5 ] + +When the QoS ack policy was set to non explicit / psmp ack, frames are treated +as not being part of a BA session, which causes extra latency on reordering. +Fix this by only bypassing reordering for packets with no-ack policy + +Signed-off-by: Felix Fietkau +Link: https://lore.kernel.org/r/20220420105038.36443-1-nbd@nbd.name +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/rx.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c +index f30b732af61d..3598ebe52d08 100644 +--- a/net/mac80211/rx.c ++++ b/net/mac80211/rx.c +@@ -1322,8 +1322,7 @@ static void ieee80211_rx_reorder_ampdu(struct ieee80211_rx_data *rx, + goto dont_reorder; + + /* not part of a BA session */ +- if (ack_policy != IEEE80211_QOS_CTL_ACK_POLICY_BLOCKACK && +- ack_policy != IEEE80211_QOS_CTL_ACK_POLICY_NORMAL) ++ if (ack_policy == IEEE80211_QOS_CTL_ACK_POLICY_NOACK) + goto dont_reorder; + + /* new, potentially un-ordered, ampdu frame - process it */ +-- +2.35.1 + diff --git a/queue-4.19/net-af_key-add-check-for-pfkey_broadcast-in-function.patch b/queue-4.19/net-af_key-add-check-for-pfkey_broadcast-in-function.patch new file mode 100644 index 00000000000..4454e8c83db --- /dev/null +++ b/queue-4.19/net-af_key-add-check-for-pfkey_broadcast-in-function.patch 
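Review bot: The comment `/* not part of a BA session */` now sits above `if (ack_policy == IEEE80211_QOS_CTL_ACK_POLICY_NOACK)` and no longer describes it: the condition excludes only no-ack frames, while non-explicit/PSMP-ack frames are now reordered as session traffic. Suggest rewording to `/* no-ack frames are never part of a BA session; any other ack policy may be */` so the comment states the new rule. ieee80211_rx_reorder_ampdu() begins and ends outside the hunk.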
@@ -0,0 +1,42 @@ +From 21ab661ad33ae05f822638295c6b6e2b57e72fc8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 May 2022 17:42:31 +0800 +Subject: net: af_key: add check for pfkey_broadcast in function pfkey_process + +From: Jiasheng Jiang + +[ Upstream commit 4dc2a5a8f6754492180741facf2a8787f2c415d7 ] + +If skb_clone() returns null pointer, pfkey_broadcast() will +return error. +Therefore, it should be better to check the return value of +pfkey_broadcast() and return error if fails. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Jiasheng Jiang +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/key/af_key.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/net/key/af_key.c b/net/key/af_key.c +index a416c0f90056..170960ef7e36 100644 +--- a/net/key/af_key.c ++++ b/net/key/af_key.c +@@ -2836,8 +2836,10 @@ static int pfkey_process(struct sock *sk, struct sk_buff *skb, const struct sadb + void *ext_hdrs[SADB_EXT_MAX]; + int err; + +- pfkey_broadcast(skb_clone(skb, GFP_KERNEL), GFP_KERNEL, +- BROADCAST_PROMISC_ONLY, NULL, sock_net(sk)); ++ err = pfkey_broadcast(skb_clone(skb, GFP_KERNEL), GFP_KERNEL, ++ BROADCAST_PROMISC_ONLY, NULL, sock_net(sk)); ++ if (err) ++ return err; + + memset(ext_hdrs, 0, sizeof(ext_hdrs)); + err = parse_exthdrs(skb, hdr, ext_hdrs); +-- +2.35.1 + diff --git a/queue-4.19/net-atlantic-verify-hw_head_-lies-within-tx-buffer-r.patch b/queue-4.19/net-atlantic-verify-hw_head_-lies-within-tx-buffer-r.patch new file mode 100644 index 00000000000..fb9c9666bfd --- /dev/null +++ b/queue-4.19/net-atlantic-verify-hw_head_-lies-within-tx-buffer-r.patch 
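Review bot: Returning `err` from pfkey_process() whenever `pfkey_broadcast()` is non-zero is broader than the stated goal of catching a failed `skb_clone()`: every non-zero return is now fatal, and if pfkey_broadcast()'s result for "no listener received it" is an error code (its body is outside this hunk, so confirm), the PROMISC_ONLY call with a NULL `one_sk` could never return 0 and every PF_KEY message would be rejected, which is an outage of IPsec key management rather than a robustness gain. Checking the clone directly keeps the broadcast best-effort as before: `struct sk_buff *skb2 = skb_clone(skb, GFP_KERNEL); if (!skb2) return -ENOMEM;` followed by the unchanged `pfkey_broadcast(skb2, ...)` call. A test that sends one SADB message with no promiscuous socket open would settle which behaviour the code has. The function's prologue is outside the hunk.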
@@ -0,0 +1,43 @@ +From dc570aef6136cba440e15c4d0fa3d0362c514a60 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 May 2022 19:28:26 -0700 +Subject: net: atlantic: verify hw_head_ lies within TX buffer ring + +From: Grant Grundler + +[ Upstream commit 2120b7f4d128433ad8c5f503a9584deba0684901 ] + +Bounds check hw_head index provided by NIC to verify it lies +within the TX buffer ring. + +Reported-by: Aashay Shringarpure +Reported-by: Yi Chou +Reported-by: Shervin Oloumi +Signed-off-by: Grant Grundler +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c +index c4f914a29c38..bdb0b37c048a 100644 +--- a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c ++++ b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c +@@ -637,6 +637,13 @@ static int hw_atl_b0_hw_ring_tx_head_update(struct aq_hw_s *self, + err = -ENXIO; + goto err_exit; + } ++ ++ /* Validate that the new hw_head_ is reasonable. */ ++ if (hw_head_ >= ring->size) { ++ err = -ENXIO; ++ goto err_exit; ++ } ++ + ring->hw_head = hw_head_; + err = aq_hw_err_from_flags(self); + +-- +2.35.1 + diff --git a/queue-4.19/net-bridge-clear-offload_fwd_mark-when-passing-frame.patch b/queue-4.19/net-bridge-clear-offload_fwd_mark-when-passing-frame.patch new file mode 100644 index 00000000000..81d6881dfec --- /dev/null +++ b/queue-4.19/net-bridge-clear-offload_fwd_mark-when-passing-frame.patch 
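Review bot: The new comment `/* Validate that the new hw_head_ is reasonable. */` in hw_atl_b0_hw_ring_tx_head_update() undersells the check: per the description `hw_head_` is supplied by the NIC, and `>= ring->size` is what stops a device-provided index from being used past the TX ring, so the comment should say so, e.g. `/* hw_head_ comes from the NIC; reject any value that would index past the TX ring. */`. Whether the comparison is unsigned on both sides depends on the declarations of `hw_head_` and `ring->size`, which are outside the hunk; worth confirming so no signed value can pass the test. The prologue where hw_head_ is read is not visible.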
@@ -0,0 +1,72 @@ +From a86b70fc560e7f568de7db769da25a420a569e87 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 May 2022 02:58:40 +0200 +Subject: net: bridge: Clear offload_fwd_mark when passing frame up bridge + interface. + +From: Andrew Lunn + +[ Upstream commit fbb3abdf2223cd0dfc07de85fe5a43ba7f435bdf ] + +It is possible to stack bridges on top of each other. Consider the +following which makes use of an Ethernet switch: + + br1 + / \ + / \ + / \ + br0.11 wlan0 + | + br0 + / | \ +p1 p2 p3 + +br0 is offloaded to the switch. Above br0 is a vlan interface, for +vlan 11. This vlan interface is then a slave of br1. br1 also has a +wireless interface as a slave. This setup trunks wireless lan traffic +over the copper network inside a VLAN. + +A frame received on p1 which is passed up to the bridge has the +skb->offload_fwd_mark flag set to true, indicating that the switch has +dealt with forwarding the frame out ports p2 and p3 as needed. This +flag instructs the software bridge it does not need to pass the frame +back down again. However, the flag is not getting reset when the frame +is passed upwards. As a result br1 sees the flag, wrongly interprets +it, and fails to forward the frame to wlan0. + +When passing a frame upwards, clear the flag. This is the Rx +equivalent of br_switchdev_frame_unmark() in br_dev_xmit(). 
+ +Fixes: f1c2eddf4cb6 ("bridge: switchdev: Use an helper to clear forward mark") +Signed-off-by: Andrew Lunn +Reviewed-by: Ido Schimmel +Tested-by: Ido Schimmel +Acked-by: Nikolay Aleksandrov +Link: https://lore.kernel.org/r/20220518005840.771575-1-andrew@lunn.ch +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/bridge/br_input.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c +index 2532c1a19645..14c2fdc268ea 100644 +--- a/net/bridge/br_input.c ++++ b/net/bridge/br_input.c +@@ -47,6 +47,13 @@ static int br_pass_frame_up(struct sk_buff *skb) + u64_stats_update_end(&brstats->syncp); + + vg = br_vlan_group_rcu(br); ++ ++ /* Reset the offload_fwd_mark because there could be a stacked ++ * bridge above, and it should not think this bridge it doing ++ * that bridge's work forwarding out its ports. ++ */ ++ br_switchdev_frame_unmark(skb); ++ + /* Bridge is just like any other port. Make sure the + * packet is allowed except in promisc modue when someone + * may be running packet capture. +-- +2.35.1 + diff --git a/queue-4.19/net-macb-increment-rx-bd-head-after-allocating-skb-a.patch b/queue-4.19/net-macb-increment-rx-bd-head-after-allocating-skb-a.patch new file mode 100644 index 00000000000..d67ac3d72d3 --- /dev/null +++ b/queue-4.19/net-macb-increment-rx-bd-head-after-allocating-skb-a.patch 
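Review bot: The new comment in br_pass_frame_up() has a typo on its second line: `* bridge above, and it should not think this bridge it doing` should read `* bridge above, and it should not think this bridge is doing`. The call itself is placed right after `vg = br_vlan_group_rcu(br);` and before the promisc check, so every frame handed up is unmarked regardless of how it is handled afterwards, which matches the description. The function's beginning and end are outside the hunk.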
@@ -0,0 +1,53 @@ +From 8850acfa274205d766de71351a9d3ede2002d288 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 May 2022 22:49:00 +0530 +Subject: net: macb: Increment rx bd head after allocating skb and buffer + +From: Harini Katakam + +[ Upstream commit 9500acc631dbb8b73166e25700e656b11f6007b6 ] + +In gem_rx_refill rx_prepared_head is incremented at the beginning of +the while loop preparing the skb and data buffers. If the skb or data +buffer allocation fails, this BD will be unusable BDs until the head +loops back to the same BD (and obviously buffer allocation succeeds). +In the unlikely event that there's a string of allocation failures, +there will be an equal number of unusable BDs and an inconsistent RX +BD chain. Hence increment the head at the end of the while loop to be +clean. + +Fixes: 4df95131ea80 ("net/macb: change RX path for GEM") +Signed-off-by: Harini Katakam +Signed-off-by: Michal Simek +Signed-off-by: Radhey Shyam Pandey +Reviewed-by: Claudiu Beznea +Link: https://lore.kernel.org/r/20220512171900.32593-1-harini.katakam@xilinx.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cadence/macb_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c +index d8e4842af055..50331b202f73 100644 +--- a/drivers/net/ethernet/cadence/macb_main.c ++++ b/drivers/net/ethernet/cadence/macb_main.c +@@ -915,7 +915,6 @@ static void gem_rx_refill(struct macb_queue *queue) + /* Make hw descriptor updates visible to CPU */ + rmb(); + +- queue->rx_prepared_head++; + desc = macb_rx_desc(queue, entry); + + if (!queue->rx_skbuff[entry]) { +@@ -954,6 +953,7 @@ static void gem_rx_refill(struct macb_queue *queue) + dma_wmb(); + desc->addr &= ~MACB_BIT(RX_USED); + } ++ queue->rx_prepared_head++; + } + + /* Make descriptor updates visible to hardware */ +-- +2.35.1 + 
diff --git a/queue-4.19/net-mlx5e-properly-block-lro-when-xdp-is-enabled.patch b/queue-4.19/net-mlx5e-properly-block-lro-when-xdp-is-enabled.patch
new file mode 100644
index 00000000000..19d7ea16a8f
--- /dev/null
+++ b/queue-4.19/net-mlx5e-properly-block-lro-when-xdp-is-enabled.patch
@@ -0,0 +1,47 @@ +From a8dfea6c75dd9d4e01a8139a7b9ba693177e4426 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Apr 2022 18:37:03 +0300 +Subject: net/mlx5e: Properly block LRO when XDP is enabled + +From: Maxim Mikityanskiy + +[ Upstream commit cf6e34c8c22fba66bd21244b95ea47e235f68974 ] + +LRO is incompatible and mutually exclusive with XDP. However, the needed +checks are only made when enabling XDP. If LRO is enabled when XDP is +already active, the command will succeed, and XDP will be skipped in the +data path, although still enabled. + +This commit fixes the bug by checking the XDP status in +mlx5e_fix_features and disabling LRO if XDP is enabled. + +Fixes: 86994156c736 ("net/mlx5e: XDP fast RX drop bpf programs support") +Signed-off-by: Maxim Mikityanskiy +Reviewed-by: Tariq Toukan +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index 5979fcf124bb..75872aef44d0 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -3739,6 +3739,13 @@ static netdev_features_t mlx5e_fix_features(struct net_device *netdev, + netdev_warn(netdev, "Disabling LRO, not supported in legacy RQ\n"); + } + ++ if (params->xdp_prog) { ++ if (features & NETIF_F_LRO) { ++ netdev_warn(netdev, "LRO is incompatible with XDP\n"); ++ features &= ~NETIF_F_LRO; ++ } ++ } ++ + if (MLX5E_GET_PFLAG(params, MLX5E_PFLAG_RX_CQE_COMPRESS)) { + features &= ~NETIF_F_RXHASH; + if (netdev->features & NETIF_F_RXHASH) +-- +2.35.1 + diff --git a/queue-4.19/net-qla3xxx-fix-a-test-in-ql_reset_work.patch b/queue-4.19/net-qla3xxx-fix-a-test-in-ql_reset_work.patch new file mode 100644 index 00000000000..020d5cadded --- /dev/null +++ b/queue-4.19/net-qla3xxx-fix-a-test-in-ql_reset_work.patch 
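Review bot: The new XDP/LRO check in mlx5e_fix_features() nests two `if`s where a single condition reads more directly and mirrors the legacy-RQ block just above it: `if (params->xdp_prog && (features & NETIF_F_LRO)) {` with the warning and `features &= ~NETIF_F_LRO;` as its body. The warning text could also follow the wording of the preceding message so that both say what is being done, e.g. `"Disabling LRO, incompatible with XDP\n"`. The rest of the function is outside the hunk.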
@@ -0,0 +1,48 @@ +From 9cad30b79ff18ae1ee1dbbae670c770daebe66f6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 15 May 2022 20:07:02 +0200 +Subject: net/qla3xxx: Fix a test in ql_reset_work() + +From: Christophe JAILLET + +[ Upstream commit 5361448e45fac6fb96738df748229432a62d78b6 ] + +test_bit() tests if one bit is set or not. +Here the logic seems to check of bit QL_RESET_PER_SCSI (i.e. 4) OR bit +QL_RESET_START (i.e. 3) is set. + +In fact, it checks if bit 7 (4 | 3 = 7) is set, that is to say +QL_ADAPTER_UP. + +This looks harmless, because this bit is likely be set, and when the +ql_reset_work() delayed work is scheduled in ql3xxx_isr() (the only place +that schedule this work), QL_RESET_START or QL_RESET_PER_SCSI is set. + +This has been spotted by smatch. + +Fixes: 5a4faa873782 ("[PATCH] qla3xxx NIC driver") +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/80e73e33f390001d9c0140ffa9baddf6466a41a2.1652637337.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qla3xxx.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/qlogic/qla3xxx.c b/drivers/net/ethernet/qlogic/qla3xxx.c +index f38dda1d92e2..51e17a635d4b 100644 +--- a/drivers/net/ethernet/qlogic/qla3xxx.c ++++ b/drivers/net/ethernet/qlogic/qla3xxx.c +@@ -3630,7 +3630,8 @@ static void ql_reset_work(struct work_struct *work) + qdev->mem_map_registers; + unsigned long hw_flags; + +- if (test_bit((QL_RESET_PER_SCSI | QL_RESET_START), &qdev->flags)) { ++ if (test_bit(QL_RESET_PER_SCSI, &qdev->flags) || ++ test_bit(QL_RESET_START, &qdev->flags)) { + clear_bit(QL_LINK_MASTER, &qdev->flags); + + /* +-- +2.35.1 + diff --git a/queue-4.19/net-sched-act_pedit-sanitize-shift-argument-before-u.patch b/queue-4.19/net-sched-act_pedit-sanitize-shift-argument-before-u.patch new file mode 100644 index 00000000000..f1df30893ca --- /dev/null 
+++ b/queue-4.19/net-sched-act_pedit-sanitize-shift-argument-before-u.patch 
@@ -0,0 +1,84 @@ +From 4055117aee3e66ed724ce1bfb365a49255ed4cb1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 May 2022 11:27:06 +0200 +Subject: net/sched: act_pedit: sanitize shift argument before usage + +From: Paolo Abeni + +[ Upstream commit 4d42d54a7d6aa6d29221d3fd4f2ae9503e94f011 ] + +syzbot was able to trigger an Out-of-Bound on the pedit action: + +UBSAN: shift-out-of-bounds in net/sched/act_pedit.c:238:43 +shift exponent 1400735974 is too large for 32-bit type 'unsigned int' +CPU: 0 PID: 3606 Comm: syz-executor151 Not tainted 5.18.0-rc5-syzkaller-00165-g810c2f0a3f86 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 + ubsan_epilogue+0xb/0x50 lib/ubsan.c:151 + __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x187 lib/ubsan.c:322 + tcf_pedit_init.cold+0x1a/0x1f net/sched/act_pedit.c:238 + tcf_action_init_1+0x414/0x690 net/sched/act_api.c:1367 + tcf_action_init+0x530/0x8d0 net/sched/act_api.c:1432 + tcf_action_add+0xf9/0x480 net/sched/act_api.c:1956 + tc_ctl_action+0x346/0x470 net/sched/act_api.c:2015 + rtnetlink_rcv_msg+0x413/0xb80 net/core/rtnetlink.c:5993 + netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2502 + netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] + netlink_unicast+0x543/0x7f0 net/netlink/af_netlink.c:1345 + netlink_sendmsg+0x904/0xe00 net/netlink/af_netlink.c:1921 + sock_sendmsg_nosec net/socket.c:705 [inline] + sock_sendmsg+0xcf/0x120 net/socket.c:725 + ____sys_sendmsg+0x6e2/0x800 net/socket.c:2413 + ___sys_sendmsg+0xf3/0x170 net/socket.c:2467 + __sys_sendmsg+0xe5/0x1b0 net/socket.c:2496 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae +RIP: 0033:0x7fe36e9e1b59 +Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 
c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007ffef796fe88 EFLAGS: 00000246 ORIG_RAX: 000000000000002e +RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe36e9e1b59 +RDX: 0000000000000000 RSI: 0000000020000300 RDI: 0000000000000003 +RBP: 00007fe36e9a5d00 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe36e9a5d90 +R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 + + +The 'shift' field is not validated, and any value above 31 will +trigger out-of-bounds. The issue predates the git history, but +syzbot was able to trigger it only after the commit mentioned in +the fixes tag, and this change only applies on top of such commit. + +Address the issue bounding the 'shift' value to the maximum allowed +by the relevant operator. + +Reported-and-tested-by: syzbot+8ed8fc4c57e9dcf23ca6@syzkaller.appspotmail.com +Fixes: 8b796475fd78 ("net/sched: act_pedit: really ensure the skb is writable") +Signed-off-by: Paolo Abeni +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sched/act_pedit.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/sched/act_pedit.c b/net/sched/act_pedit.c +index fec0f7fdb015..aeb8f84cbd9e 100644 +--- a/net/sched/act_pedit.c ++++ b/net/sched/act_pedit.c +@@ -225,6 +225,10 @@ static int tcf_pedit_init(struct net *net, struct nlattr *nla, + for (i = 0; i < p->tcfp_nkeys; ++i) { + u32 cur = p->tcfp_keys[i].off; + ++ /* sanitize the shift value for any later use */ ++ p->tcfp_keys[i].shift = min_t(size_t, BITS_PER_TYPE(int) - 1, ++ p->tcfp_keys[i].shift); ++ + /* The AT option can read a single byte, we can bound the actual + * value with uchar max. + */ +-- +2.35.1 + diff --git a/queue-4.19/net-stmmac-fix-missing-pci_disable_device-on-error-i.patch b/queue-4.19/net-stmmac-fix-missing-pci_disable_device-on-error-i.patch new file mode 100644 index 00000000000..8ead5f2f5d7 --- /dev/null 
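Review bot: Clamping the user-supplied shift with `min_t(size_t, BITS_PER_TYPE(int) - 1, p->tcfp_keys[i].shift)` in tcf_pedit_init() silently rewrites a malformed action instead of rejecting it: a shift above 31 is never meaningful, so returning -EINVAL (ideally with an extack message) would surface the misconfiguration to the caller rather than install a key whose effect differs from what was requested. The `size_t` in `min_t` also looks odd for what is presumably a u32 field (its declaration is outside the hunk); `min_t(u32, ...)` on matching types would avoid the widening cast. Removing the out-of-range shift before it reaches the data path is the right defensive outcome either way. The loop over tcfp_nkeys continues outside the hunk.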
+++ b/queue-4.19/net-stmmac-fix-missing-pci_disable_device-on-error-i.patch @@ -0,0 +1,46 @@ +From a4f48b4c2c0151a2370b7e0b21d703bcfae67e5f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 May 2022 11:13:16 +0800 +Subject: net: stmmac: fix missing pci_disable_device() on error in + stmmac_pci_probe() + +From: Yang Yingliang + +[ Upstream commit 0807ce0b010418a191e0e4009803b2d74c3245d5 ] + +Switch to using pcim_enable_device() to avoid missing pci_disable_device(). + +Reported-by: Hulk Robot +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20220510031316.1780409-1-yangyingliang@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c +index cc1e887e47b5..3dec109251ad 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c +@@ -261,7 +261,7 @@ static int stmmac_pci_probe(struct pci_dev *pdev, + return -ENOMEM; + + /* Enable pci device */ +- ret = pci_enable_device(pdev); ++ ret = pcim_enable_device(pdev); + if (ret) { + dev_err(&pdev->dev, "%s: ERROR: failed to enable device\n", + __func__); +@@ -313,8 +313,6 @@ static void stmmac_pci_remove(struct pci_dev *pdev) + pcim_iounmap_regions(pdev, BIT(i)); + break; + } +- +- pci_disable_device(pdev); + } + + static int __maybe_unused stmmac_pci_suspend(struct device *dev) +-- +2.35.1 + diff --git a/queue-4.19/net-vmxnet3-fix-possible-null-pointer-dereference-in.patch b/queue-4.19/net-vmxnet3-fix-possible-null-pointer-dereference-in.patch new file mode 100644 index 00000000000..4dd6f16ec99 --- /dev/null +++ b/queue-4.19/net-vmxnet3-fix-possible-null-pointer-dereference-in.patch 
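Review bot: With `pcim_enable_device(pdev)` in stmmac_pci_probe(), the disable now happens through devres after stmmac_pci_remove() returns, so any explicit `pci_disable_device()` still present on a probe error path (none is visible in these hunks, but the code between them is not shown) would now run twice; worth confirming the one removed from stmmac_pci_remove() was the only caller. A short comment at the enable site, `/* managed: devres disables the device after remove */`, would spare the next reader the search for a matching disable. Both functions are cut by the hunks.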
@@ -0,0 +1,68 @@ +From c87fd29f8d64445d475ce69ad4ac28a2da85dd59 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 14 May 2022 13:07:11 +0800 +Subject: net: vmxnet3: fix possible NULL pointer dereference in + vmxnet3_rq_cleanup() + +From: Zixuan Fu + +[ Upstream commit edf410cb74dc612fd47ef5be319c5a0bcd6e6ccd ] + +In vmxnet3_rq_create(), when dma_alloc_coherent() fails, +vmxnet3_rq_destroy() is called. It sets rq->rx_ring[i].base to NULL. Then +vmxnet3_rq_create() returns an error to its callers mxnet3_rq_create_all() +-> vmxnet3_change_mtu(). Then vmxnet3_change_mtu() calls +vmxnet3_force_close() -> dev_close() in error handling code. And the driver +calls vmxnet3_close() -> vmxnet3_quiesce_dev() -> vmxnet3_rq_cleanup_all() +-> vmxnet3_rq_cleanup(). In vmxnet3_rq_cleanup(), +rq->rx_ring[ring_idx].base is accessed, but this variable is NULL, causing +a NULL pointer dereference. + +To fix this possible bug, an if statement is added to check whether +rq->rx_ring[0].base is NULL in vmxnet3_rq_cleanup() and exit early if so. + +The error log in our fault-injection testing is shown as follows: + +[ 65.220135] BUG: kernel NULL pointer dereference, address: 0000000000000008 +... +[ 65.222633] RIP: 0010:vmxnet3_rq_cleanup_all+0x396/0x4e0 [vmxnet3] +... +[ 65.227977] Call Trace: +... +[ 65.228262] vmxnet3_quiesce_dev+0x80f/0x8a0 [vmxnet3] +[ 65.228580] vmxnet3_close+0x2c4/0x3f0 [vmxnet3] +[ 65.228866] __dev_close_many+0x288/0x350 +[ 65.229607] dev_close_many+0xa4/0x480 +[ 65.231124] dev_close+0x138/0x230 +[ 65.231933] vmxnet3_force_close+0x1f0/0x240 [vmxnet3] +[ 65.232248] vmxnet3_change_mtu+0x75d/0x920 [vmxnet3] +... 
+ +Fixes: d1a890fa37f27 ("net: VMware virtual Ethernet NIC driver: vmxnet3") +Reported-by: TOTE Robot +Signed-off-by: Zixuan Fu +Link: https://lore.kernel.org/r/20220514050711.2636709-1-r33s3n6@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/vmxnet3/vmxnet3_drv.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/vmxnet3/vmxnet3_drv.c b/drivers/net/vmxnet3/vmxnet3_drv.c +index 1df67c899d4f..a57ea3914968 100644 +--- a/drivers/net/vmxnet3/vmxnet3_drv.c ++++ b/drivers/net/vmxnet3/vmxnet3_drv.c +@@ -1586,6 +1586,10 @@ vmxnet3_rq_cleanup(struct vmxnet3_rx_queue *rq, + u32 i, ring_idx; + struct Vmxnet3_RxDesc *rxd; + ++ /* ring has already been cleaned up */ ++ if (!rq->rx_ring[0].base) ++ return; ++ + for (ring_idx = 0; ring_idx < 2; ring_idx++) { + for (i = 0; i < rq->rx_ring[ring_idx].size; i++) { + #ifdef __BIG_ENDIAN_BITFIELD +-- +2.35.1 + diff --git a/queue-4.19/net-vmxnet3-fix-possible-use-after-free-bugs-in-vmxn.patch b/queue-4.19/net-vmxnet3-fix-possible-use-after-free-bugs-in-vmxn.patch new file mode 100644 index 00000000000..d2aad558b50 --- /dev/null +++ b/queue-4.19/net-vmxnet3-fix-possible-use-after-free-bugs-in-vmxn.patch 
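Review bot: The early return tests only rq->rx_ring[0].base, while the loop that follows indexes both rings (ring_idx 0 and 1) and, presumably, rq->buf_info[ring_idx]; the guard is therefore sound only if both rings and buf_info are always allocated and torn down together, which the hunk does not show. Either check both rings or state the invariant so the guard is self-explanatory: `/* rq already torn down by vmxnet3_rq_destroy(); rings 0 and 1 go together */`. If vmxnet3_rq_cleanup() also resets ring/completion-ring indices after the loop (not visible here), the early return skips that too, which looks harmless after a destroy but is worth confirming. vmxnet3_rq_cleanup() continues beyond the hunk.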
@@ -0,0 +1,94 @@ +From 98e34521b484d9d90fa8aa26fdfb5386283ab955 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 14 May 2022 13:06:56 +0800 +Subject: net: vmxnet3: fix possible use-after-free bugs in + vmxnet3_rq_alloc_rx_buf() + +From: Zixuan Fu + +[ Upstream commit 9e7fef9521e73ca8afd7da9e58c14654b02dfad8 ] + +In vmxnet3_rq_alloc_rx_buf(), when dma_map_single() fails, rbi->skb is +freed immediately. Similarly, in another branch, when dma_map_page() fails, +rbi->page is also freed. In the two cases, vmxnet3_rq_alloc_rx_buf() +returns an error to its callers vmxnet3_rq_init() -> vmxnet3_rq_init_all() +-> vmxnet3_activate_dev(). Then vmxnet3_activate_dev() calls +vmxnet3_rq_cleanup_all() in error handling code, and rbi->skb or rbi->page +are freed again in vmxnet3_rq_cleanup_all(), causing use-after-free bugs. + +To fix these possible bugs, rbi->skb and rbi->page should be cleared after +they are freed. + +The error log in our fault-injection testing is shown as follows: + +[ 14.319016] BUG: KASAN: use-after-free in consume_skb+0x2f/0x150 +... +[ 14.321586] Call Trace: +... +[ 14.325357] consume_skb+0x2f/0x150 +[ 14.325671] vmxnet3_rq_cleanup_all+0x33a/0x4e0 [vmxnet3] +[ 14.326150] vmxnet3_activate_dev+0xb9d/0x2ca0 [vmxnet3] +[ 14.326616] vmxnet3_open+0x387/0x470 [vmxnet3] +... +[ 14.361675] Allocated by task 351: +... +[ 14.362688] __netdev_alloc_skb+0x1b3/0x6f0 +[ 14.362960] vmxnet3_rq_alloc_rx_buf+0x1b0/0x8d0 [vmxnet3] +[ 14.363317] vmxnet3_activate_dev+0x3e3/0x2ca0 [vmxnet3] +[ 14.363661] vmxnet3_open+0x387/0x470 [vmxnet3] +... +[ 14.367309] +[ 14.367412] Freed by task 351: +... 
+[ 14.368932] __dev_kfree_skb_any+0xd2/0xe0 +[ 14.369193] vmxnet3_rq_alloc_rx_buf+0x71e/0x8d0 [vmxnet3] +[ 14.369544] vmxnet3_activate_dev+0x3e3/0x2ca0 [vmxnet3] +[ 14.369883] vmxnet3_open+0x387/0x470 [vmxnet3] +[ 14.370174] __dev_open+0x28a/0x420 +[ 14.370399] __dev_change_flags+0x192/0x590 +[ 14.370667] dev_change_flags+0x7a/0x180 +[ 14.370919] do_setlink+0xb28/0x3570 +[ 14.371150] rtnl_newlink+0x1160/0x1740 +[ 14.371399] rtnetlink_rcv_msg+0x5bf/0xa50 +[ 14.371661] netlink_rcv_skb+0x1cd/0x3e0 +[ 14.371913] netlink_unicast+0x5dc/0x840 +[ 14.372169] netlink_sendmsg+0x856/0xc40 +[ 14.372420] ____sys_sendmsg+0x8a7/0x8d0 +[ 14.372673] __sys_sendmsg+0x1c2/0x270 +[ 14.372914] do_syscall_64+0x41/0x90 +[ 14.373145] entry_SYSCALL_64_after_hwframe+0x44/0xae +... + +Fixes: 5738a09d58d5a ("vmxnet3: fix checks for dma mapping errors") +Reported-by: TOTE Robot +Signed-off-by: Zixuan Fu +Link: https://lore.kernel.org/r/20220514050656.2636588-1-r33s3n6@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/vmxnet3/vmxnet3_drv.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/vmxnet3/vmxnet3_drv.c b/drivers/net/vmxnet3/vmxnet3_drv.c +index c004819bebe3..1df67c899d4f 100644 +--- a/drivers/net/vmxnet3/vmxnet3_drv.c ++++ b/drivers/net/vmxnet3/vmxnet3_drv.c +@@ -595,6 +595,7 @@ vmxnet3_rq_alloc_rx_buf(struct vmxnet3_rx_queue *rq, u32 ring_idx, + if (dma_mapping_error(&adapter->pdev->dev, + rbi->dma_addr)) { + dev_kfree_skb_any(rbi->skb); ++ rbi->skb = NULL; + rq->stats.rx_buf_alloc_failure++; + break; + } +@@ -619,6 +620,7 @@ vmxnet3_rq_alloc_rx_buf(struct vmxnet3_rx_queue *rq, u32 ring_idx, + if (dma_mapping_error(&adapter->pdev->dev, + rbi->dma_addr)) { + put_page(rbi->page); ++ rbi->page = NULL; + rq->stats.rx_buf_alloc_failure++; + break; + } +-- +2.35.1 + 
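Review bot: Clearing rbi->skb and rbi->page after freeing relies on vmxnet3_rq_cleanup() testing those pointers before freeing them, a contract the hunk does not show; a one-line comment at each site would record it: `/* cleared so vmxnet3_rq_cleanup() does not free it again */`. On these failure paths rbi->dma_addr still holds the value returned by the failed dma_map_single()/dma_map_page(); that is fine if every later path keys the unmap on rbi->skb/rbi->page being non-NULL, but if any path unmaps entries unconditionally up to the fill index it would unmap a bogus address, so worth checking. vmxnet3_rq_alloc_rx_buf() starts and ends outside the hunks.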
diff --git a/queue-4.19/nfc-nci-fix-sleep-in-atomic-context-bugs-caused-by-n.patch b/queue-4.19/nfc-nci-fix-sleep-in-atomic-context-bugs-caused-by-n.patch new file mode 100644 index 00000000000..2889efcc03f --- /dev/null +++ b/queue-4.19/nfc-nci-fix-sleep-in-atomic-context-bugs-caused-by-n.patch 
@@ -0,0 +1,81 @@ +From 4197587afade218daa579305ffc5d6f647f1209f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 May 2022 09:25:30 +0800 +Subject: NFC: nci: fix sleep in atomic context bugs caused by nci_skb_alloc + +From: Duoming Zhou + +[ Upstream commit 23dd4581350d4ffa23d58976ec46408f8f4c1e16 ] + +There are sleep in atomic context bugs when the request to secure +element of st-nci is timeout. The root cause is that nci_skb_alloc +with GFP_KERNEL parameter is called in st_nci_se_wt_timeout which is +a timer handler. The call paths that could trigger bugs are shown below: + + (interrupt context 1) +st_nci_se_wt_timeout + nci_hci_send_event + nci_hci_send_data + nci_skb_alloc(..., GFP_KERNEL) //may sleep + + (interrupt context 2) +st_nci_se_wt_timeout + nci_hci_send_event + nci_hci_send_data + nci_send_data + nci_queue_tx_data_frags + nci_skb_alloc(..., GFP_KERNEL) //may sleep + +This patch changes allocation mode of nci_skb_alloc from GFP_KERNEL to +GFP_ATOMIC in order to prevent atomic context sleeping. The GFP_ATOMIC +flag makes memory allocation operation could be used in atomic context. 
+ +Fixes: ed06aeefdac3 ("nfc: st-nci: Rename st21nfcb to st-nci") +Signed-off-by: Duoming Zhou +Reviewed-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20220517012530.75714-1-duoming@zju.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/nfc/nci/data.c | 2 +- + net/nfc/nci/hci.c | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/nfc/nci/data.c b/net/nfc/nci/data.c +index 5405d073804c..9e3f9460f14f 100644 +--- a/net/nfc/nci/data.c ++++ b/net/nfc/nci/data.c +@@ -130,7 +130,7 @@ static int nci_queue_tx_data_frags(struct nci_dev *ndev, + + skb_frag = nci_skb_alloc(ndev, + (NCI_DATA_HDR_SIZE + frag_len), +- GFP_KERNEL); ++ GFP_ATOMIC); + if (skb_frag == NULL) { + rc = -ENOMEM; + goto free_exit; +diff --git a/net/nfc/nci/hci.c b/net/nfc/nci/hci.c +index c972c212e7ca..e5c5cff33236 100644 +--- a/net/nfc/nci/hci.c ++++ b/net/nfc/nci/hci.c +@@ -165,7 +165,7 @@ static int nci_hci_send_data(struct nci_dev *ndev, u8 pipe, + + i = 0; + skb = nci_skb_alloc(ndev, conn_info->max_pkt_payload_len + +- NCI_DATA_HDR_SIZE, GFP_KERNEL); ++ NCI_DATA_HDR_SIZE, GFP_ATOMIC); + if (!skb) + return -ENOMEM; + +@@ -198,7 +198,7 @@ static int nci_hci_send_data(struct nci_dev *ndev, u8 pipe, + if (i < data_len) { + skb = nci_skb_alloc(ndev, + conn_info->max_pkt_payload_len + +- NCI_DATA_HDR_SIZE, GFP_KERNEL); ++ NCI_DATA_HDR_SIZE, GFP_ATOMIC); + if (!skb) + return -ENOMEM; + +-- +2.35.1 + diff --git a/queue-4.19/perf-bench-numa-address-compiler-error-on-s390.patch b/queue-4.19/perf-bench-numa-address-compiler-error-on-s390.patch new file mode 100644 index 00000000000..2145d50a438 --- /dev/null +++ b/queue-4.19/perf-bench-numa-address-compiler-error-on-s390.patch 
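Review bot: Switching every nci_skb_alloc() in nci_hci_send_data() and nci_queue_tx_data_frags() to GFP_ATOMIC fixes the timer-context caller but also makes the ordinary process-context HCI/data path draw on the atomic reserves and fail earlier under memory pressure. A narrower fix would let the caller pass gfp flags, or have the st-nci timer defer the send to a work item; if the blanket change is kept, record the reason at the allocation site: `/* GFP_ATOMIC: reachable from st_nci_se_wt_timeout() (timer context) */`. Note that the second allocation in nci_hci_send_data() (the `if (i < data_len)` hunk) runs after earlier fragments have presumably already been handed to nci_send_data() outside the hunk, so -ENOMEM there leaves a partially sent HCP message; pre-existing, but GFP_ATOMIC makes it more likely. Both functions start and end outside the hunks.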
@@ -0,0 +1,67 @@ +From eb872e6e27703beaaf72580a5b5a523943c2030e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 May 2022 10:11:58 +0200 +Subject: perf bench numa: Address compiler error on s390 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Richter + +[ Upstream commit f8ac1c478424a9a14669b8cef7389b1e14e5229d ] + +The compilation on s390 results in this error: + + # make DEBUG=y bench/numa.o + ... + bench/numa.c: In function ‘__bench_numa’: + bench/numa.c:1749:81: error: ‘%d’ directive output may be truncated + writing between 1 and 11 bytes into a region of size between + 10 and 20 [-Werror=format-truncation=] + 1749 | snprintf(tname, sizeof(tname), "process%d:thread%d", p, t); + ^~ + ... + bench/numa.c:1749:64: note: directive argument in the range + [-2147483647, 2147483646] + ... + # + +The maximum length of the %d replacement is 11 characters because of the +negative sign. Therefore extend the array by two more characters. 
+ +Output after: + + # make DEBUG=y bench/numa.o > /dev/null 2>&1; ll bench/numa.o + -rw-r--r-- 1 root root 418320 May 19 09:11 bench/numa.o + # + +Fixes: 3aff8ba0a4c9c919 ("perf bench numa: Avoid possible truncation when using snprintf()") +Suggested-by: Namhyung Kim +Signed-off-by: Thomas Richter +Cc: Heiko Carstens +Cc: Sumanth Korikkar +Cc: Sven Schnelle +Cc: Vasily Gorbik +Link: https://lore.kernel.org/r/20220520081158.2990006-1-tmricht@linux.ibm.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/bench/numa.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/bench/numa.c b/tools/perf/bench/numa.c +index 91c0a4434da2..e7fde88a0845 100644 +--- a/tools/perf/bench/numa.c ++++ b/tools/perf/bench/numa.c +@@ -1631,7 +1631,7 @@ static int __bench_numa(const char *name) + "GB/sec,", "total-speed", "GB/sec total speed"); + + if (g->p.show_details >= 2) { +- char tname[14 + 2 * 10 + 1]; ++ char tname[14 + 2 * 11 + 1]; + struct thread_data *td; + for (p = 0; p < g->p.nr_proc; p++) { + for (t = 0; t < g->p.nr_threads; t++) { +-- +2.35.1 + diff --git a/queue-4.19/scsi-qla2xxx-fix-missed-dma-unmap-for-aborted-comman.patch b/queue-4.19/scsi-qla2xxx-fix-missed-dma-unmap-for-aborted-comman.patch new file mode 100644 index 00000000000..f8276a9c429 --- /dev/null +++ b/queue-4.19/scsi-qla2xxx-fix-missed-dma-unmap-for-aborted-comman.patch 
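Review bot: The array size `14 + 2 * 11 + 1` encodes the structure of the format string with nothing at the declaration saying so, so the next format change cannot be audited against it; suggest `/* "process%d:thread%d": 14 literal chars + 2 x 11 for a signed int + NUL */` on the declaration. Since p and t appear to be non-negative loop counters, checking the snprintf() return value against sizeof(tname) would make truncation explicit rather than relying on the bound, but the comment is the minimum. __bench_numa() starts and ends outside the hunk.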
@@ -0,0 +1,51 @@ +From f69d68eec83e2e64553a18109a4afe9a82bef358 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Apr 2022 12:42:29 +0000 +Subject: scsi: qla2xxx: Fix missed DMA unmap for aborted commands + +From: Gleb Chesnokov + +[ Upstream commit 26f9ce53817a8fd84b69a73473a7de852a24c897 ] + +Aborting commands that have already been sent to the firmware can +cause BUG in qlt_free_cmd(): BUG_ON(cmd->sg_mapped) + +For instance: + + - Command passes rdx_to_xfer state, maps sgl, sends to the firmware + + - Reset occurs, qla2xxx performs ISP error recovery, aborts the command + + - Target stack calls qlt_abort_cmd() and then qlt_free_cmd() + + - BUG_ON(cmd->sg_mapped) in qlt_free_cmd() occurs because sgl was not + unmapped + +Thus, unmap sgl in qlt_abort_cmd() for commands with the aborted flag set. + +Link: https://lore.kernel.org/r/AS8PR10MB4952D545F84B6B1DFD39EC1E9DEE9@AS8PR10MB4952.EURPRD10.PROD.OUTLOOK.COM +Reviewed-by: Himanshu Madhani +Signed-off-by: Gleb Chesnokov +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_target.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/scsi/qla2xxx/qla_target.c b/drivers/scsi/qla2xxx/qla_target.c +index 09c52ef66887..27d3293eadf5 100644 +--- a/drivers/scsi/qla2xxx/qla_target.c ++++ b/drivers/scsi/qla2xxx/qla_target.c +@@ -3753,6 +3753,9 @@ int qlt_abort_cmd(struct qla_tgt_cmd *cmd) + + spin_lock_irqsave(&cmd->cmd_lock, flags); + if (cmd->aborted) { ++ if (cmd->sg_mapped) ++ qlt_unmap_sg(vha, cmd); ++ + spin_unlock_irqrestore(&cmd->cmd_lock, flags); + /* + * It's normal to see 2 calls in this path: +-- +2.35.1 + diff --git a/queue-4.19/series b/queue-4.19/series index d466f1fba3f..b45f6267c39 100644 --- a/queue-4.19/series +++ b/queue-4.19/series 
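Review bot: The new qlt_unmap_sg() call runs with cmd->cmd_lock held and interrupts disabled; dma_unmap_sg() is fine in that context, but whether the other paths that unmap this command (the normal CTIO completion path, for instance) also test and clear cmd->sg_mapped under cmd_lock is not visible here, and if they do not, the two could race and double-unmap. Worth confirming, and recording the reason at the call site: `/* aborted before completion: no CTIO will unmap this, do it here under cmd_lock */`. Only the already-aborted branch is covered; a command that qlt_abort_cmd() aborts further down (outside this hunk) is presumably unmapped on completion, which should be checked against the same BUG_ON. qlt_abort_cmd() starts and ends outside the hunk.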
@@ -18,3 +18,24 @@ mmc-core-cleanup-bkops-support.patch mmc-core-specify-timeouts-for-bkops-and-cache_flush-for-emmc.patch mmc-block-use-generic_cmd6_time-when-modifying-inand_cmd38_arg_ext_csd.patch mmc-core-default-to-generic_cmd6_time-as-timeout-in-__mmc_switch.patch +net-macb-increment-rx-bd-head-after-allocating-skb-a.patch +net-sched-act_pedit-sanitize-shift-argument-before-u.patch +net-vmxnet3-fix-possible-use-after-free-bugs-in-vmxn.patch +net-vmxnet3-fix-possible-null-pointer-dereference-in.patch +clk-at91-generated-consider-range-when-calculating-b.patch +net-qla3xxx-fix-a-test-in-ql_reset_work.patch +nfc-nci-fix-sleep-in-atomic-context-bugs-caused-by-n.patch +net-mlx5e-properly-block-lro-when-xdp-is-enabled.patch +net-af_key-add-check-for-pfkey_broadcast-in-function.patch +arm-9196-1-spectre-bhb-enable-for-cortex-a15.patch +arm-9197-1-spectre-bhb-fix-loop8-sequence-for-thumb2.patch +igb-skip-phy-status-check-where-unavailable.patch +net-bridge-clear-offload_fwd_mark-when-passing-frame.patch +gpio-gpio-vf610-do-not-touch-other-bits-when-set-the.patch +gpio-mvebu-pwm-refuse-requests-with-inverted-polarit.patch +perf-bench-numa-address-compiler-error-on-s390.patch +scsi-qla2xxx-fix-missed-dma-unmap-for-aborted-comman.patch +mac80211-fix-rx-reordering-with-non-explicit-psmp-ac.patch +ethernet-tulip-fix-missing-pci_disable_device-on-err.patch +net-stmmac-fix-missing-pci_disable_device-on-error-i.patch +net-atlantic-verify-hw_head_-lies-within-tx-buffer-r.patch -- 2.47.3