From 40f4d7b076a3b29919fed30fcb325023b6a23d89 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman
Date: Sun, 5 Dec 2021 15:01:56 +0100
Subject: [PATCH] 5.4-stable patches
added patches:
drm-msm-do-hw_init-before-capturing-gpu-state.patch
ipv4-convert-fib_num_tclassid_users-to-atomic_t.patch
ipv6-fix-memory-leak-in-fib6_rule_suppress.patch
net-annotate-data-races-on-txq-xmit_lock_owner.patch
net-marvell-mvpp2-fix-the-computation-of-shared-cpus.patch
net-mlx4_en-fix-an-use-after-free-bug-in-mlx4_en_try_alloc_resources.patch
net-rds-correct-socket-tunable-error-in-rds_tcp_tune.patch
net-smc-keep-smc_close_final-rc-during-active-close.patch
net-usb-lan78xx-lan78xx_phy_init-use-phy_poll-instead-of-0-if-no-irq-is-available.patch
rxrpc-fix-rxrpc_local-leak-in-rxrpc_lookup_peer.patch
selftests-net-correct-case-name.patch
---
 ...o-hw_init-before-capturing-gpu-state.patch | 35 ++++
 ...t-fib_num_tclassid_users-to-atomic_t.patch | 102 +++++++++
 ...ix-memory-leak-in-fib6_rule_suppress.patch | 111 ++++++++++
 ...te-data-races-on-txq-xmit_lock_owner.patch | 193 ++++++++++++++++++
 ...2-fix-the-computation-of-shared-cpus.patch | 33 +++
 ...e-bug-in-mlx4_en_try_alloc_resources.patch | 59 ++++++
 ...socket-tunable-error-in-rds_tcp_tune.patch | 32 +++
 ...c_close_final-rc-during-active-close.patch | 53 +++++
 ...-instead-of-0-if-no-irq-is-available.patch | 33 +++
 ...xrpc_local-leak-in-rxrpc_lookup_peer.patch | 69 +++++++
 .../selftests-net-correct-case-name.patch | 34 +++
 queue-5.4/series | 11 +
 12 files changed, 765 insertions(+)
 create mode 100644 queue-5.4/drm-msm-do-hw_init-before-capturing-gpu-state.patch
 create mode 100644 queue-5.4/ipv4-convert-fib_num_tclassid_users-to-atomic_t.patch
 create mode 100644 queue-5.4/ipv6-fix-memory-leak-in-fib6_rule_suppress.patch
 create mode 100644 queue-5.4/net-annotate-data-races-on-txq-xmit_lock_owner.patch
 create mode 100644 queue-5.4/net-marvell-mvpp2-fix-the-computation-of-shared-cpus.patch
 create mode 100644 queue-5.4/net-mlx4_en-fix-an-use-after-free-bug-in-mlx4_en_try_alloc_resources.patch
 create mode 100644 queue-5.4/net-rds-correct-socket-tunable-error-in-rds_tcp_tune.patch
 create mode 100644 queue-5.4/net-smc-keep-smc_close_final-rc-during-active-close.patch
 create mode 100644 queue-5.4/net-usb-lan78xx-lan78xx_phy_init-use-phy_poll-instead-of-0-if-no-irq-is-available.patch
 create mode 100644 queue-5.4/rxrpc-fix-rxrpc_local-leak-in-rxrpc_lookup_peer.patch
 create mode 100644 queue-5.4/selftests-net-correct-case-name.patch
diff --git a/queue-5.4/drm-msm-do-hw_init-before-capturing-gpu-state.patch b/queue-5.4/drm-msm-do-hw_init-before-capturing-gpu-state.patch
new file mode 100644
index 00000000000..1fdbe03a726
--- /dev/null
+++ b/queue-5.4/drm-msm-do-hw_init-before-capturing-gpu-state.patch
@@ -0,0 +1,35 @@
+From e4840d537c2c6b1189d4de16ee0f4820e069dcea Mon Sep 17 00:00:00 2001
+From: Rob Clark
+Date: Mon, 8 Nov 2021 10:01:22 -0800
+Subject: drm/msm: Do hw_init() before capturing GPU state
+
+From: Rob Clark
+
+commit e4840d537c2c6b1189d4de16ee0f4820e069dcea upstream.
+
+In particular, we need to ensure all the necessary blocks are switched
+to 64b mode (a5xx+) otherwise the high bits of the address of the BO to
+snapshot state into will be ignored, resulting in:
+
+ *** gpu fault: ttbr0=0000000000000000 iova=0000000000012000 dir=READ type=TRANSLATION source=CP (0,0,0,0)
+ platform 506a000.gmu: [drm:a6xx_gmu_set_oob] *ERROR* Timeout waiting for GMU OOB set BOOT_SLUMBER: 0x0
+
+Fixes: 4f776f4511c7 ("drm/msm/gpu: Convert the GPU show function to use the GPU state")
+Signed-off-by: Rob Clark
+Link: https://lore.kernel.org/r/20211108180122.487859-1-robdclark@gmail.com
+Signed-off-by: Rob Clark
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/msm/msm_debugfs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/msm/msm_debugfs.c
++++ b/drivers/gpu/drm/msm/msm_debugfs.c
+@@ -77,6 +77,7 @@ static int msm_gpu_open(struct inode *in
+ goto free_priv;
+
+ pm_runtime_get_sync(&gpu->pdev->dev);
++ msm_gpu_hw_init(gpu);
+ show_priv->state = gpu->funcs->gpu_state_get(gpu);
+ pm_runtime_put_sync(&gpu->pdev->dev);
+
diff --git a/queue-5.4/ipv4-convert-fib_num_tclassid_users-to-atomic_t.patch b/queue-5.4/ipv4-convert-fib_num_tclassid_users-to-atomic_t.patch
new file mode 100644
index 00000000000..3d14e84418f
--- /dev/null
+++ b/queue-5.4/ipv4-convert-fib_num_tclassid_users-to-atomic_t.patch
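Review bot: The added `msm_gpu_hw_init(gpu);` call in msm_gpu_open() (drivers/gpu/drm/msm/msm_debugfs.c, inside the queued drm-msm patch) discards its return value, so a failed re-initialisation still falls through to `gpu->funcs->gpu_state_get(gpu)`, which is the situation the commit message says ends in a GPU fault. Consider `ret = msm_gpu_hw_init(gpu);` and skipping the snapshot when it is non-zero, with `pm_runtime_put_sync(&gpu->pdev->dev);` before the error exit; the `pm_runtime_get_sync()` on the context line above is unchecked in the same way. The function's declarations, any locking and the `free_priv` label lie outside the hunk, so the exact unwind path has to be confirmed against the full function.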
@@ -0,0 +1,102 @@
+From 213f5f8f31f10aa1e83187ae20fb7fa4e626b724 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Wed, 1 Dec 2021 18:26:35 -0800
+Subject: ipv4: convert fib_num_tclassid_users to atomic_t
+
+From: Eric Dumazet
+
+commit 213f5f8f31f10aa1e83187ae20fb7fa4e626b724 upstream.
+
+Before commit faa041a40b9f ("ipv4: Create cleanup helper for fib_nh")
+changes to net->ipv4.fib_num_tclassid_users were protected by RTNL.
+
+After the change, this is no longer the case, as free_fib_info_rcu()
+runs after rcu grace period, without rtnl being held.
+
+Fixes: faa041a40b9f ("ipv4: Create cleanup helper for fib_nh")
+Signed-off-by: Eric Dumazet
+Cc: David Ahern
+Reviewed-by: David Ahern
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/net/ip_fib.h | 2 +-
+ include/net/netns/ipv4.h | 2 +-
+ net/ipv4/fib_frontend.c | 2 +-
+ net/ipv4/fib_rules.c | 4 ++--
+ net/ipv4/fib_semantics.c | 4 ++--
+ 5 files changed, 7 insertions(+), 7 deletions(-)
+
+--- a/include/net/ip_fib.h
++++ b/include/net/ip_fib.h
+@@ -412,7 +412,7 @@ int fib_validate_source(struct sk_buff *
+ #ifdef CONFIG_IP_ROUTE_CLASSID
+ static inline int fib_num_tclassid_users(struct net *net)
+ {
+- return net->ipv4.fib_num_tclassid_users;
++ return atomic_read(&net->ipv4.fib_num_tclassid_users);
+ }
+ #else
+ static inline int fib_num_tclassid_users(struct net *net)
+--- a/include/net/netns/ipv4.h
++++ b/include/net/netns/ipv4.h
+@@ -61,7 +61,7 @@ struct netns_ipv4 {
+ #endif
+ bool fib_has_custom_local_routes;
+ #ifdef CONFIG_IP_ROUTE_CLASSID
+- int fib_num_tclassid_users;
++ atomic_t fib_num_tclassid_users;
+ #endif
+ struct hlist_head *fib_table_hash;
+ bool fib_offload_disabled;
+--- a/net/ipv4/fib_frontend.c
++++ b/net/ipv4/fib_frontend.c
+@@ -1588,7 +1588,7 @@ static int __net_init fib_net_init(struc
+ int error;
+
+ #ifdef CONFIG_IP_ROUTE_CLASSID
+- net->ipv4.fib_num_tclassid_users = 0;
++ atomic_set(&net->ipv4.fib_num_tclassid_users, 0);
+ #endif
+ error = ip_fib_net_init(net);
+ if (error < 0)
+--- a/net/ipv4/fib_rules.c
++++ b/net/ipv4/fib_rules.c
+@@ -258,7 +258,7 @@ static int fib4_rule_configure(struct fi
+ if (tb[FRA_FLOW]) {
+ rule4->tclassid = nla_get_u32(tb[FRA_FLOW]);
+ if (rule4->tclassid)
+- net->ipv4.fib_num_tclassid_users++;
++ atomic_inc(&net->ipv4.fib_num_tclassid_users);
+ }
+ #endif
+
+@@ -290,7 +290,7 @@ static int fib4_rule_delete(struct fib_r
+
+ #ifdef CONFIG_IP_ROUTE_CLASSID
+ if (((struct fib4_rule *)rule)->tclassid)
+- net->ipv4.fib_num_tclassid_users--;
++ atomic_dec(&net->ipv4.fib_num_tclassid_users);
+ #endif
+ net->ipv4.fib_has_custom_rules = true;
+
+--- a/net/ipv4/fib_semantics.c
++++ b/net/ipv4/fib_semantics.c
+@@ -222,7 +222,7 @@ void fib_nh_release(struct net *net, str
+ {
+ #ifdef CONFIG_IP_ROUTE_CLASSID
+ if (fib_nh->nh_tclassid)
+- net->ipv4.fib_num_tclassid_users--;
++ atomic_dec(&net->ipv4.fib_num_tclassid_users);
+ #endif
+ fib_nh_common_release(&fib_nh->nh_common);
+ }
+@@ -624,7 +624,7 @@ int fib_nh_init(struct net *net, struct
+ #ifdef CONFIG_IP_ROUTE_CLASSID
+ nh->nh_tclassid = cfg->fc_flow;
+ if (nh->nh_tclassid)
+- net->ipv4.fib_num_tclassid_users++;
++ atomic_inc(&net->ipv4.fib_num_tclassid_users);
+ #endif
+ #ifdef CONFIG_IP_ROUTE_MULTIPATH
+ nh->fib_nh_weight = nh_weight;
diff --git a/queue-5.4/ipv6-fix-memory-leak-in-fib6_rule_suppress.patch b/queue-5.4/ipv6-fix-memory-leak-in-fib6_rule_suppress.patch
new file mode 100644
index 00000000000..2d3952b7743
--- /dev/null
+++ b/queue-5.4/ipv6-fix-memory-leak-in-fib6_rule_suppress.patch
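Review bot: The `atomic_t fib_num_tclassid_users;` member of struct netns_ipv4 (include/net/netns/ipv4.h hunk of the queued ipv4 patch) has no comment saying why it is atomic; the reason lives only in the commit message. A one-line comment on the field, for example `/* updated without RTNL (free_fib_info_rcu() path), must stay atomic */`, would keep a later cleanup from turning the `atomic_inc()`/`atomic_dec()` calls in fib_rules.c and fib_semantics.c back into plain `++`/`--`. The struct and every function touched here extend beyond their hunks.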
@@ -0,0 +1,111 @@
+From cdef485217d30382f3bf6448c54b4401648fe3f1 Mon Sep 17 00:00:00 2001
+From: msizanoen1
+Date: Tue, 23 Nov 2021 13:48:32 +0100
+Subject: ipv6: fix memory leak in fib6_rule_suppress
+
+From: msizanoen1
+
+commit cdef485217d30382f3bf6448c54b4401648fe3f1 upstream.
+
+The kernel leaks memory when a `fib` rule is present in IPv6 nftables
+firewall rules and a suppress_prefix rule is present in the IPv6 routing
+rules (used by certain tools such as wg-quick). In such scenarios, every
+incoming packet will leak an allocation in `ip6_dst_cache` slab cache.
+
+After some hours of `bpftrace`-ing and source code reading, I tracked
+down the issue to ca7a03c41753 ("ipv6: do not free rt if
+FIB_LOOKUP_NOREF is set on suppress rule").
+
+The problem with that change is that the generic `args->flags` always have
+`FIB_LOOKUP_NOREF` set[1][2] but the IPv6-specific flag
+`RT6_LOOKUP_F_DST_NOREF` might not be, leading to `fib6_rule_suppress` not
+decreasing the refcount when needed.
+
+How to reproduce:
+ - Add the following nftables rule to a prerouting chain:
+ meta nfproto ipv6 fib saddr . mark . iif oif missing drop
+ This can be done with:
+ sudo nft create table inet test
+ sudo nft create chain inet test test_chain '{ type filter hook prerouting priority filter + 10; policy accept; }'
+ sudo nft add rule inet test test_chain meta nfproto ipv6 fib saddr . mark . iif oif missing drop
+ - Run:
+ sudo ip -6 rule add table main suppress_prefixlength 0
+ - Watch `sudo slabtop -o | grep ip6_dst_cache` to see memory usage increase
+ with every incoming ipv6 packet.
+
+This patch exposes the protocol-specific flags to the protocol
+specific `suppress` function, and check the protocol-specific `flags`
+argument for RT6_LOOKUP_F_DST_NOREF instead of the generic
+FIB_LOOKUP_NOREF when decreasing the refcount, like this.
+
+[1]: https://github.com/torvalds/linux/blob/ca7a03c4175366a92cee0ccc4fec0038c3266e26/net/ipv6/fib6_rules.c#L71
+[2]: https://github.com/torvalds/linux/blob/ca7a03c4175366a92cee0ccc4fec0038c3266e26/net/ipv6/fib6_rules.c#L99
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=215105
+Fixes: ca7a03c41753 ("ipv6: do not free rt if FIB_LOOKUP_NOREF is set on suppress rule")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jason A. Donenfeld
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/net/fib_rules.h | 2 +-
+ net/core/fib_rules.c | 2 +-
+ net/ipv4/fib_rules.c | 2 +-
+ net/ipv6/fib6_rules.c | 5 ++---
+ 4 files changed, 5 insertions(+), 6 deletions(-)
+
+--- a/include/net/fib_rules.h
++++ b/include/net/fib_rules.h
+@@ -68,7 +68,7 @@ struct fib_rules_ops {
+ int (*action)(struct fib_rule *,
+ struct flowi *, int,
+ struct fib_lookup_arg *);
+- bool (*suppress)(struct fib_rule *,
++ bool (*suppress)(struct fib_rule *, int,
+ struct fib_lookup_arg *);
+ int (*match)(struct fib_rule *,
+ struct flowi *, int);
+--- a/net/core/fib_rules.c
++++ b/net/core/fib_rules.c
+@@ -300,7 +300,7 @@ jumped:
+ else
+ err = ops->action(rule, fl, flags, arg);
+
+- if (!err && ops->suppress && ops->suppress(rule, arg))
++ if (!err && ops->suppress && ops->suppress(rule, flags, arg))
+ continue;
+
+ if (err != -EAGAIN) {
+--- a/net/ipv4/fib_rules.c
++++ b/net/ipv4/fib_rules.c
+@@ -137,7 +137,7 @@ static int fib4_rule_action(struct fib_r
+ return err;
+ }
+
+-static bool fib4_rule_suppress(struct fib_rule *rule, struct fib_lookup_arg *arg)
++static bool fib4_rule_suppress(struct fib_rule *rule, int flags, struct fib_lookup_arg *arg)
+ {
+ struct fib_result *result = (struct fib_result *) arg->result;
+ struct net_device *dev = NULL;
+--- a/net/ipv6/fib6_rules.c
++++ b/net/ipv6/fib6_rules.c
+@@ -260,7 +260,7 @@ static int fib6_rule_action(struct fib_r
+ return __fib6_rule_action(rule, flp, flags, arg);
+ }
+
+-static bool fib6_rule_suppress(struct fib_rule *rule, struct fib_lookup_arg *arg)
++static bool fib6_rule_suppress(struct fib_rule *rule, int flags, struct fib_lookup_arg *arg)
+ {
+ struct fib6_result *res = arg->result;
+ struct rt6_info *rt = res->rt6;
+@@ -287,8 +287,7 @@ static bool fib6_rule_suppress(struct fi
+ return false;
+
+ suppress_route:
+- if (!(arg->flags & FIB_LOOKUP_NOREF))
+- ip6_rt_put(rt);
++ ip6_rt_put_flags(rt, flags);
+ return true;
+ }
+
diff --git a/queue-5.4/net-annotate-data-races-on-txq-xmit_lock_owner.patch b/queue-5.4/net-annotate-data-races-on-txq-xmit_lock_owner.patch
new file mode 100644
index 00000000000..9905a4ee0ea
--- /dev/null
+++ b/queue-5.4/net-annotate-data-races-on-txq-xmit_lock_owner.patch
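Review bot: The new `int` argument of the `suppress` callback in struct fib_rules_ops (include/net/fib_rules.h hunk of the queued ipv6 patch) is unnamed and undocumented, although the per-packet `ip6_dst_cache` leak fixed here came from confusing the generic `arg->flags` (FIB_LOOKUP_*) with the protocol-specific lookup flags (RT6_LOOKUP_F_*). Naming it, `bool (*suppress)(struct fib_rule *, int flags, struct fib_lookup_arg *);`, or adding `/* flags: protocol-specific lookup flags as passed to ->action(), not arg->flags */` above the member would keep the next implementer from repeating that mistake. fib4_rule_suppress() accepts the argument but, as far as its hunk shows, does not use it, which deserves a short comment as well. Only part of the struct and of each function is visible in these hunks.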
@@ -0,0 +1,193 @@
+From 7a10d8c810cfad3e79372d7d1c77899d86cd6662 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Tue, 30 Nov 2021 09:01:55 -0800
+Subject: net: annotate data-races on txq->xmit_lock_owner
+
+From: Eric Dumazet
+
+commit 7a10d8c810cfad3e79372d7d1c77899d86cd6662 upstream.
+
+syzbot found that __dev_queue_xmit() is reading txq->xmit_lock_owner
+without annotations.
+
+No serious issue there, let's document what is happening there.
+
+BUG: KCSAN: data-race in __dev_queue_xmit / __dev_queue_xmit
+
+write to 0xffff888139d09484 of 4 bytes by interrupt on cpu 0:
+ __netif_tx_unlock include/linux/netdevice.h:4437 [inline]
+ __dev_queue_xmit+0x948/0xf70 net/core/dev.c:4229
+ dev_queue_xmit_accel+0x19/0x20 net/core/dev.c:4265
+ macvlan_queue_xmit drivers/net/macvlan.c:543 [inline]
+ macvlan_start_xmit+0x2b3/0x3d0 drivers/net/macvlan.c:567
+ __netdev_start_xmit include/linux/netdevice.h:4987 [inline]
+ netdev_start_xmit include/linux/netdevice.h:5001 [inline]
+ xmit_one+0x105/0x2f0 net/core/dev.c:3590
+ dev_hard_start_xmit+0x72/0x120 net/core/dev.c:3606
+ sch_direct_xmit+0x1b2/0x7c0 net/sched/sch_generic.c:342
+ __dev_xmit_skb+0x83d/0x1370 net/core/dev.c:3817
+ __dev_queue_xmit+0x590/0xf70 net/core/dev.c:4194
+ dev_queue_xmit+0x13/0x20 net/core/dev.c:4259
+ neigh_hh_output include/net/neighbour.h:511 [inline]
+ neigh_output include/net/neighbour.h:525 [inline]
+ ip6_finish_output2+0x995/0xbb0 net/ipv6/ip6_output.c:126
+ __ip6_finish_output net/ipv6/ip6_output.c:191 [inline]
+ ip6_finish_output+0x444/0x4c0 net/ipv6/ip6_output.c:201
+ NF_HOOK_COND include/linux/netfilter.h:296 [inline]
+ ip6_output+0x10e/0x210 net/ipv6/ip6_output.c:224
+ dst_output include/net/dst.h:450 [inline]
+ NF_HOOK include/linux/netfilter.h:307 [inline]
+ ndisc_send_skb+0x486/0x610 net/ipv6/ndisc.c:508
+ ndisc_send_rs+0x3b0/0x3e0 net/ipv6/ndisc.c:702
+ addrconf_rs_timer+0x370/0x540 net/ipv6/addrconf.c:3898
+ call_timer_fn+0x2e/0x240 kernel/time/timer.c:1421
+ expire_timers+0x116/0x240 kernel/time/timer.c:1466
+ __run_timers+0x368/0x410 kernel/time/timer.c:1734
+ run_timer_softirq+0x2e/0x60 kernel/time/timer.c:1747
+ __do_softirq+0x158/0x2de kernel/softirq.c:558
+ __irq_exit_rcu kernel/softirq.c:636 [inline]
+ irq_exit_rcu+0x37/0x70 kernel/softirq.c:648
+ sysvec_apic_timer_interrupt+0x3e/0xb0 arch/x86/kernel/apic/apic.c:1097
+ asm_sysvec_apic_timer_interrupt+0x12/0x20
+
+read to 0xffff888139d09484 of 4 bytes by interrupt on cpu 1:
+ __dev_queue_xmit+0x5e3/0xf70 net/core/dev.c:4213
+ dev_queue_xmit_accel+0x19/0x20 net/core/dev.c:4265
+ macvlan_queue_xmit drivers/net/macvlan.c:543 [inline]
+ macvlan_start_xmit+0x2b3/0x3d0 drivers/net/macvlan.c:567
+ __netdev_start_xmit include/linux/netdevice.h:4987 [inline]
+ netdev_start_xmit include/linux/netdevice.h:5001 [inline]
+ xmit_one+0x105/0x2f0 net/core/dev.c:3590
+ dev_hard_start_xmit+0x72/0x120 net/core/dev.c:3606
+ sch_direct_xmit+0x1b2/0x7c0 net/sched/sch_generic.c:342
+ __dev_xmit_skb+0x83d/0x1370 net/core/dev.c:3817
+ __dev_queue_xmit+0x590/0xf70 net/core/dev.c:4194
+ dev_queue_xmit+0x13/0x20 net/core/dev.c:4259
+ neigh_resolve_output+0x3db/0x410 net/core/neighbour.c:1523
+ neigh_output include/net/neighbour.h:527 [inline]
+ ip6_finish_output2+0x9be/0xbb0 net/ipv6/ip6_output.c:126
+ __ip6_finish_output net/ipv6/ip6_output.c:191 [inline]
+ ip6_finish_output+0x444/0x4c0 net/ipv6/ip6_output.c:201
+ NF_HOOK_COND include/linux/netfilter.h:296 [inline]
+ ip6_output+0x10e/0x210 net/ipv6/ip6_output.c:224
+ dst_output include/net/dst.h:450 [inline]
+ NF_HOOK include/linux/netfilter.h:307 [inline]
+ ndisc_send_skb+0x486/0x610 net/ipv6/ndisc.c:508
+ ndisc_send_rs+0x3b0/0x3e0 net/ipv6/ndisc.c:702
+ addrconf_rs_timer+0x370/0x540 net/ipv6/addrconf.c:3898
+ call_timer_fn+0x2e/0x240 kernel/time/timer.c:1421
+ expire_timers+0x116/0x240 kernel/time/timer.c:1466
+ __run_timers+0x368/0x410 kernel/time/timer.c:1734
+ run_timer_softirq+0x2e/0x60 kernel/time/timer.c:1747
+ __do_softirq+0x158/0x2de kernel/softirq.c:558
+ __irq_exit_rcu kernel/softirq.c:636 [inline]
+ irq_exit_rcu+0x37/0x70 kernel/softirq.c:648
+ sysvec_apic_timer_interrupt+0x8d/0xb0 arch/x86/kernel/apic/apic.c:1097
+ asm_sysvec_apic_timer_interrupt+0x12/0x20
+ kcsan_setup_watchpoint+0x94/0x420 kernel/kcsan/core.c:443
+ folio_test_anon include/linux/page-flags.h:581 [inline]
+ PageAnon include/linux/page-flags.h:586 [inline]
+ zap_pte_range+0x5ac/0x10e0 mm/memory.c:1347
+ zap_pmd_range mm/memory.c:1467 [inline]
+ zap_pud_range mm/memory.c:1496 [inline]
+ zap_p4d_range mm/memory.c:1517 [inline]
+ unmap_page_range+0x2dc/0x3d0 mm/memory.c:1538
+ unmap_single_vma+0x157/0x210 mm/memory.c:1583
+ unmap_vmas+0xd0/0x180 mm/memory.c:1615
+ exit_mmap+0x23d/0x470 mm/mmap.c:3170
+ __mmput+0x27/0x1b0 kernel/fork.c:1113
+ mmput+0x3d/0x50 kernel/fork.c:1134
+ exit_mm+0xdb/0x170 kernel/exit.c:507
+ do_exit+0x608/0x17a0 kernel/exit.c:819
+ do_group_exit+0xce/0x180 kernel/exit.c:929
+ get_signal+0xfc3/0x1550 kernel/signal.c:2852
+ arch_do_signal_or_restart+0x8c/0x2e0 arch/x86/kernel/signal.c:868
+ handle_signal_work kernel/entry/common.c:148 [inline]
+ exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
+ exit_to_user_mode_prepare+0x113/0x190 kernel/entry/common.c:207
+ __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
+ syscall_exit_to_user_mode+0x20/0x40 kernel/entry/common.c:300
+ do_syscall_64+0x50/0xd0 arch/x86/entry/common.c:86
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+value changed: 0x00000000 -> 0xffffffff
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 1 PID: 28712 Comm: syz-executor.0 Tainted: G W 5.16.0-rc1-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet
+Reported-by: syzbot
+Link: https://lore.kernel.org/r/20211130170155.2331929-1-eric.dumazet@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/linux/netdevice.h | 19 +++++++++++++------
+ net/core/dev.c | 5 ++++-
+ 2 files changed, 17 insertions(+), 7 deletions(-)
+
+--- a/include/linux/netdevice.h
++++ b/include/linux/netdevice.h
+@@ -3943,7 +3943,8 @@ static inline u32 netif_msg_init(int deb
+ static inline void __netif_tx_lock(struct netdev_queue *txq, int cpu)
+ {
+ spin_lock(&txq->_xmit_lock);
+- txq->xmit_lock_owner = cpu;
++ /* Pairs with READ_ONCE() in __dev_queue_xmit() */
++ WRITE_ONCE(txq->xmit_lock_owner, cpu);
+ }
+
+ static inline bool __netif_tx_acquire(struct netdev_queue *txq)
+@@ -3960,26 +3961,32 @@ static inline void __netif_tx_release(st
+ static inline void __netif_tx_lock_bh(struct netdev_queue *txq)
+ {
+ spin_lock_bh(&txq->_xmit_lock);
+- txq->xmit_lock_owner = smp_processor_id();
++ /* Pairs with READ_ONCE() in __dev_queue_xmit() */
++ WRITE_ONCE(txq->xmit_lock_owner, smp_processor_id());
+ }
+
+ static inline bool __netif_tx_trylock(struct netdev_queue *txq)
+ {
+ bool ok = spin_trylock(&txq->_xmit_lock);
+- if (likely(ok))
+- txq->xmit_lock_owner = smp_processor_id();
++
++ if (likely(ok)) {
++ /* Pairs with READ_ONCE() in __dev_queue_xmit() */
++ WRITE_ONCE(txq->xmit_lock_owner, smp_processor_id());
++ }
+ return ok;
+ }
+
+ static inline void __netif_tx_unlock(struct netdev_queue *txq)
+ {
+- txq->xmit_lock_owner = -1;
++ /* Pairs with READ_ONCE() in __dev_queue_xmit() */
++ WRITE_ONCE(txq->xmit_lock_owner, -1);
+ spin_unlock(&txq->_xmit_lock);
+ }
+
+ static inline void __netif_tx_unlock_bh(struct netdev_queue *txq)
+ {
+- txq->xmit_lock_owner = -1;
++ /* Pairs with READ_ONCE() in __dev_queue_xmit() */
++ WRITE_ONCE(txq->xmit_lock_owner, -1);
+ spin_unlock_bh(&txq->_xmit_lock);
+ }
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -3766,7 +3766,10 @@ static int __dev_queue_xmit(struct sk_bu
+ if (dev->flags & IFF_UP) {
+ int cpu = smp_processor_id(); /* ok because BHs are off */
+
+- if (txq->xmit_lock_owner != cpu) {
++ /* Other cpus might concurrently change txq->xmit_lock_owner
++ * to -1 or to their cpu id, but not to our id.
++ */
++ if (READ_ONCE(txq->xmit_lock_owner) != cpu) {
+ if (dev_xmit_recursion())
+ goto recursion_alert;
+
diff --git a/queue-5.4/net-marvell-mvpp2-fix-the-computation-of-shared-cpus.patch b/queue-5.4/net-marvell-mvpp2-fix-the-computation-of-shared-cpus.patch
new file mode 100644
index 00000000000..3597bdb6fe1
--- /dev/null
+++ b/queue-5.4/net-marvell-mvpp2-fix-the-computation-of-shared-cpus.patch
@@ -0,0 +1,33 @@
+From b83f5ac7d922e69a109261f5f940eebbd4e514c4 Mon Sep 17 00:00:00 2001
+From: Christophe JAILLET
+Date: Mon, 29 Nov 2021 22:53:27 +0100
+Subject: net: marvell: mvpp2: Fix the computation of shared CPUs
+
+From: Christophe JAILLET
+
+commit b83f5ac7d922e69a109261f5f940eebbd4e514c4 upstream.
+
+'bitmap_fill()' fills a bitmap one 'long' at a time.
+It is likely that an exact number of bits is expected.
+
+Use 'bitmap_set()' instead in order not to set unexpected bits.
+
+Fixes: e531f76757eb ("net: mvpp2: handle cases where more CPUs are available than s/w threads")
+Signed-off-by: Christophe JAILLET
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+@@ -5773,7 +5773,7 @@ static int mvpp2_probe(struct platform_d
+
+ shared = num_present_cpus() - priv->nthreads;
+ if (shared > 0)
+- bitmap_fill(&priv->lock_map,
++ bitmap_set(&priv->lock_map, 0,
+ min_t(int, shared, MVPP2_MAX_THREADS));
+
+ for (i = 0; i < MVPP2_MAX_THREADS; i++) {
diff --git a/queue-5.4/net-mlx4_en-fix-an-use-after-free-bug-in-mlx4_en_try_alloc_resources.patch b/queue-5.4/net-mlx4_en-fix-an-use-after-free-bug-in-mlx4_en_try_alloc_resources.patch
new file mode 100644
index 00000000000..261ff536dd8
--- /dev/null
+++ b/queue-5.4/net-mlx4_en-fix-an-use-after-free-bug-in-mlx4_en_try_alloc_resources.patch
@@ -0,0 +1,59 @@
+From addad7643142f500080417dd7272f49b7a185570 Mon Sep 17 00:00:00 2001
+From: Zhou Qingyang
+Date: Wed, 1 Dec 2021 00:44:38 +0800
+Subject: net/mlx4_en: Fix an use-after-free bug in mlx4_en_try_alloc_resources()
+
+From: Zhou Qingyang
+
+commit addad7643142f500080417dd7272f49b7a185570 upstream.
+
+In mlx4_en_try_alloc_resources(), mlx4_en_copy_priv() is called and
+tmp->tx_cq will be freed on the error path of mlx4_en_copy_priv().
+After that mlx4_en_alloc_resources() is called and there is a dereference
+of &tmp->tx_cq[t][i] in mlx4_en_alloc_resources(), which could lead to
+a use after free problem on failure of mlx4_en_copy_priv().
+
+Fix this bug by adding a check of mlx4_en_copy_priv()
+
+This bug was found by a static analyzer. The analysis employs
+differential checking to identify inconsistent security operations
+(e.g., checks or kfrees) between two code paths and confirms that the
+inconsistent operations are not recovered in the current function or
+the callers, so they constitute bugs.
+
+Note that, as a bug found by static analysis, it can be a false
+positive or hard to trigger. Multiple researchers have cross-reviewed
+the bug.
+
+Builds with CONFIG_MLX4_EN=m show no new warnings,
+and our static analyzer no longer warns about this code.
+
+Fixes: ec25bc04ed8e ("net/mlx4_en: Add resilience in low memory systems")
+Signed-off-by: Zhou Qingyang
+Reviewed-by: Leon Romanovsky
+Link: https://lore.kernel.org/r/20211130164438.190591-1-zhou1615@umn.edu
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/mellanox/mlx4/en_netdev.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx4/en_netdev.c
++++ b/drivers/net/ethernet/mellanox/mlx4/en_netdev.c
+@@ -2281,9 +2281,14 @@ int mlx4_en_try_alloc_resources(struct m
+ bool carry_xdp_prog)
+ {
+ struct bpf_prog *xdp_prog;
+- int i, t;
++ int i, t, ret;
+
+- mlx4_en_copy_priv(tmp, priv, prof);
++ ret = mlx4_en_copy_priv(tmp, priv, prof);
++ if (ret) {
++ en_warn(priv, "%s: mlx4_en_copy_priv() failed, return\n",
++ __func__);
++ return ret;
++ }
+
+ if (mlx4_en_alloc_resources(tmp)) {
+ en_warn(priv,
diff --git a/queue-5.4/net-rds-correct-socket-tunable-error-in-rds_tcp_tune.patch b/queue-5.4/net-rds-correct-socket-tunable-error-in-rds_tcp_tune.patch
new file mode 100644
index 00000000000..4fc9961aee0
--- /dev/null
+++ b/queue-5.4/net-rds-correct-socket-tunable-error-in-rds_tcp_tune.patch
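Review bot: The new warning in mlx4_en_try_alloc_resources() (en_netdev.c hunk of the queued mlx4_en patch) reads `"%s: mlx4_en_copy_priv() failed, return\n"` and drops the error code, so the log does not say why the copy failed. Printing it, `en_warn(priv, "%s: mlx4_en_copy_priv() failed: %d\n", __func__, ret);`, costs nothing and helps when triaging low-memory failures. The early return is what keeps mlx4_en_alloc_resources() away from the `tmp->tx_cq` that, per the commit message, was already freed on the error path; callers should be checked to confirm they treat this new non-zero return like the existing allocation failure, since they and the rest of the function lie outside the hunk.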
@@ -0,0 +1,32 @@
+From 19f36edf14bcdb783aef3af8217df96f76a8ce34 Mon Sep 17 00:00:00 2001
+From: William Kucharski
+Date: Wed, 1 Dec 2021 07:45:22 -0700
+Subject: net/rds: correct socket tunable error in rds_tcp_tune()
+
+From: William Kucharski
+
+commit 19f36edf14bcdb783aef3af8217df96f76a8ce34 upstream.
+
+Correct an error where setting /proc/sys/net/rds/tcp/rds_tcp_rcvbuf would
+instead modify the socket's sk_sndbuf and would leave sk_rcvbuf untouched.
+
+Fixes: c6a58ffed536 ("RDS: TCP: Add sysctl tunables for sndbuf/rcvbuf on rds-tcp socket")
+Signed-off-by: William Kucharski
+Acked-by: Santosh Shilimkar
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/rds/tcp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/rds/tcp.c
++++ b/net/rds/tcp.c
+@@ -510,7 +510,7 @@ void rds_tcp_tune(struct socket *sock)
+ sk->sk_userlocks |= SOCK_SNDBUF_LOCK;
+ }
+ if (rtn->rcvbuf_size > 0) {
+- sk->sk_sndbuf = rtn->rcvbuf_size;
++ sk->sk_rcvbuf = rtn->rcvbuf_size;
+ sk->sk_userlocks |= SOCK_RCVBUF_LOCK;
+ }
+ release_sock(sk);
diff --git a/queue-5.4/net-smc-keep-smc_close_final-rc-during-active-close.patch b/queue-5.4/net-smc-keep-smc_close_final-rc-during-active-close.patch
new file mode 100644
index 00000000000..204710430ed
--- /dev/null
+++ b/queue-5.4/net-smc-keep-smc_close_final-rc-during-active-close.patch
@@ -0,0 +1,53 @@
+From 00e158fb91dfaff3f94746f260d11f1a4853506e Mon Sep 17 00:00:00 2001
+From: Tony Lu
+Date: Wed, 1 Dec 2021 14:42:16 +0800
+Subject: net/smc: Keep smc_close_final rc during active close
+
+From: Tony Lu
+
+commit 00e158fb91dfaff3f94746f260d11f1a4853506e upstream.
+
+When smc_close_final() returns error, the return code overwrites by
+kernel_sock_shutdown() in smc_close_active(). The return code of
+smc_close_final() is more important than kernel_sock_shutdown(), and it
+will pass to userspace directly.
+
+Fix it by keeping both return codes, if smc_close_final() raises an
+error, return it or kernel_sock_shutdown()'s.
+
+Link: https://lore.kernel.org/linux-s390/1f67548e-cbf6-0dce-82b5-10288a4583bd@linux.ibm.com/
+Fixes: 606a63c9783a ("net/smc: Ensure the active closing peer first closes clcsock")
+Suggested-by: Karsten Graul
+Signed-off-by: Tony Lu
+Reviewed-by: Wen Gu
+Acked-by: Karsten Graul
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/smc/smc_close.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/net/smc/smc_close.c
++++ b/net/smc/smc_close.c
+@@ -183,6 +183,7 @@ int smc_close_active(struct smc_sock *sm
+ int old_state;
+ long timeout;
+ int rc = 0;
++ int rc1 = 0;
+
+ timeout = current->flags & PF_EXITING ?
+ 0 : sock_flag(sk, SOCK_LINGER) ?
+@@ -222,8 +223,11 @@ again:
+ /* actively shutdown clcsock before peer close it,
+ * prevent peer from entering TIME_WAIT state.
+ */
+- if (smc->clcsock && smc->clcsock->sk)
+- rc = kernel_sock_shutdown(smc->clcsock, SHUT_RDWR);
++ if (smc->clcsock && smc->clcsock->sk) {
++ rc1 = kernel_sock_shutdown(smc->clcsock,
++ SHUT_RDWR);
++ rc = rc ? rc : rc1;
++ }
+ } else {
+ /* peer event has changed the state */
+ goto again;
diff --git a/queue-5.4/net-usb-lan78xx-lan78xx_phy_init-use-phy_poll-instead-of-0-if-no-irq-is-available.patch b/queue-5.4/net-usb-lan78xx-lan78xx_phy_init-use-phy_poll-instead-of-0-if-no-irq-is-available.patch
new file mode 100644
index 00000000000..dd0e096e034
--- /dev/null
+++ b/queue-5.4/net-usb-lan78xx-lan78xx_phy_init-use-phy_poll-instead-of-0-if-no-irq-is-available.patch
@@ -0,0 +1,33 @@
+From 817b653160db9852d5a0498a31f047e18ce27e5b Mon Sep 17 00:00:00 2001
+From: Sven Schuchmann
+Date: Sat, 27 Nov 2021 11:47:07 +0100
+Subject: net: usb: lan78xx: lan78xx_phy_init(): use PHY_POLL instead of "0" if no IRQ is available
+
+From: Sven Schuchmann
+
+commit 817b653160db9852d5a0498a31f047e18ce27e5b upstream.
+
+On most systems request for IRQ 0 will fail, phylib will print an error message
+and fall back to polling. To fix this set the phydev->irq to PHY_POLL if no IRQ
+is available.
+
+Fixes: cc89c323a30e ("lan78xx: Use irq_domain for phy interrupt from USB Int. EP")
+Reviewed-by: Andrew Lunn
+Signed-off-by: Sven Schuchmann
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/usb/lan78xx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/usb/lan78xx.c
++++ b/drivers/net/usb/lan78xx.c
+@@ -2136,7 +2136,7 @@ static int lan78xx_phy_init(struct lan78
+ if (dev->domain_data.phyirq > 0)
+ phydev->irq = dev->domain_data.phyirq;
+ else
+- phydev->irq = 0;
++ phydev->irq = PHY_POLL;
+ netdev_dbg(dev->net, "phydev->irq = %d\n", phydev->irq);
+
+ /* set to AUTOMDIX */
diff --git a/queue-5.4/rxrpc-fix-rxrpc_local-leak-in-rxrpc_lookup_peer.patch b/queue-5.4/rxrpc-fix-rxrpc_local-leak-in-rxrpc_lookup_peer.patch
new file mode 100644
index 00000000000..6bca6506e8c
--- /dev/null
+++ b/queue-5.4/rxrpc-fix-rxrpc_local-leak-in-rxrpc_lookup_peer.patch
@@ -0,0 +1,69 @@
+From beacff50edbd6c9659a6f15fc7f6126909fade29 Mon Sep 17 00:00:00 2001
+From: Eiichi Tsukata
+Date: Sun, 21 Nov 2021 04:16:08 +0000
+Subject: rxrpc: Fix rxrpc_local leak in rxrpc_lookup_peer()
+
+From: Eiichi Tsukata
+
+commit beacff50edbd6c9659a6f15fc7f6126909fade29 upstream.
+
+Need to call rxrpc_put_local() for peer candidate before kfree() as it
+holds a ref to rxrpc_local.
+
+[DH: v2: Changed to abstract the peer freeing code out into a function]
+
+Fixes: 9ebeddef58c4 ("rxrpc: rxrpc_peer needs to hold a ref on the rxrpc_local record")
+Signed-off-by: Eiichi Tsukata
+Signed-off-by: David Howells
+Reviewed-by: Marc Dionne
+cc: linux-afs@lists.infradead.org
+Link: https://lore.kernel.org/all/20211121041608.133740-2-eiichi.tsukata@nutanix.com/ # v1
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/rxrpc/peer_object.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+--- a/net/rxrpc/peer_object.c
++++ b/net/rxrpc/peer_object.c
+@@ -297,6 +297,12 @@ static struct rxrpc_peer *rxrpc_create_p
+ return peer;
+ }
+
++static void rxrpc_free_peer(struct rxrpc_peer *peer)
++{
++ rxrpc_put_local(peer->local);
++ kfree_rcu(peer, rcu);
++}
++
+ /*
+ * Set up a new incoming peer. There shouldn't be any other matching peers
+ * since we've already done a search in the list from the non-reentrant context
+@@ -363,7 +369,7 @@ struct rxrpc_peer *rxrpc_lookup_peer(str
+ spin_unlock_bh(&rxnet->peer_hash_lock);
+
+ if (peer)
+- kfree(candidate);
++ rxrpc_free_peer(candidate);
+ else
+ peer = candidate;
+ }
+@@ -418,8 +424,7 @@ static void __rxrpc_put_peer(struct rxrp
+ list_del_init(&peer->keepalive_link);
+ spin_unlock_bh(&rxnet->peer_hash_lock);
+
+- rxrpc_put_local(peer->local);
+- kfree_rcu(peer, rcu);
++ rxrpc_free_peer(peer);
+ }
+
+ /*
+@@ -455,8 +460,7 @@ void rxrpc_put_peer_locked(struct rxrpc_
+ if (n == 0) {
+ hash_del_rcu(&peer->hash_link);
+ list_del_init(&peer->keepalive_link);
+- rxrpc_put_local(peer->local);
+- kfree_rcu(peer, rcu);
++ rxrpc_free_peer(peer);
+ }
+ }
+
diff --git a/queue-5.4/selftests-net-correct-case-name.patch b/queue-5.4/selftests-net-correct-case-name.patch
new file mode 100644
index 00000000000..47f8772b85e
--- /dev/null
+++ b/queue-5.4/selftests-net-correct-case-name.patch
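Review bot: The new helper `rxrpc_free_peer()` (peer_object.c hunk of the queued rxrpc patch) has no comment, unlike the functions around it, and it changes the losing-candidate path in rxrpc_lookup_peer() from an immediate `kfree()` to `kfree_rcu()`. A short header such as `/* Drop the peer's ref on its rxrpc_local, then free the peer after an RCU grace period. */` would record that the peer must still own its local reference when this is called. The deferred free of a candidate that, as far as the hunk shows, was never published looks harmless, but it is a behaviour change the commit message does not mention. The bodies of the three callers extend beyond the hunks shown.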
@@ -0,0 +1,34 @@
+From a05431b22be819d75db72ca3d44381d18a37b092 Mon Sep 17 00:00:00 2001
+From: Li Zhijian
+Date: Thu, 2 Dec 2021 10:28:41 +0800
+Subject: selftests: net: Correct case name
+
+From: Li Zhijian
+
+commit a05431b22be819d75db72ca3d44381d18a37b092 upstream.
+
+ipv6_addr_bind/ipv4_addr_bind are function names. Previously, bind test
+would not be run by default due to the wrong case names
+
+Fixes: 34d0302ab861 ("selftests: Add ipv6 address bind tests to fcnal-test")
+Fixes: 75b2b2b3db4c ("selftests: Add ipv4 address bind tests to fcnal-test")
+Signed-off-by: Li Zhijian
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/testing/selftests/net/fcnal-test.sh | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/tools/testing/selftests/net/fcnal-test.sh
++++ b/tools/testing/selftests/net/fcnal-test.sh
+@@ -3450,8 +3450,8 @@ EOF
+ ################################################################################
+ # main
+
+-TESTS_IPV4="ipv4_ping ipv4_tcp ipv4_udp ipv4_addr_bind ipv4_runtime ipv4_netfilter"
+-TESTS_IPV6="ipv6_ping ipv6_tcp ipv6_udp ipv6_addr_bind ipv6_runtime ipv6_netfilter"
++TESTS_IPV4="ipv4_ping ipv4_tcp ipv4_udp ipv4_bind ipv4_runtime ipv4_netfilter"
++TESTS_IPV6="ipv6_ping ipv6_tcp ipv6_udp ipv6_bind ipv6_runtime ipv6_netfilter"
+ TESTS_OTHER="use_cases"
+
+ PAUSE_ON_FAIL=no
diff --git a/queue-5.4/series b/queue-5.4/series
index e7c002960d6..1cfea475345 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -37,3 +37,14 @@ natsemi-xtensa-fix-section-mismatch-warnings.patch
 net-qlogic-qlcnic-fix-a-null-pointer-dereference-in-qlcnic_83xx_add_rings.patch
 net-mpls-fix-notifications-when-deleting-a-device.patch
 siphash-use-_unaligned-version-by-default.patch
+net-mlx4_en-fix-an-use-after-free-bug-in-mlx4_en_try_alloc_resources.patch
+selftests-net-correct-case-name.patch
+rxrpc-fix-rxrpc_local-leak-in-rxrpc_lookup_peer.patch
+net-usb-lan78xx-lan78xx_phy_init-use-phy_poll-instead-of-0-if-no-irq-is-available.patch
+net-marvell-mvpp2-fix-the-computation-of-shared-cpus.patch
+net-annotate-data-races-on-txq-xmit_lock_owner.patch
+ipv4-convert-fib_num_tclassid_users-to-atomic_t.patch
+net-rds-correct-socket-tunable-error-in-rds_tcp_tune.patch
+net-smc-keep-smc_close_final-rc-during-active-close.patch
+drm-msm-do-hw_init-before-capturing-gpu-state.patch
+ipv6-fix-memory-leak-in-fib6_rule_suppress.patch
--
2.47.2