From 59fa0e4e1c5036dbbddbf3dcbc0e662a8504a4e8 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sun, 12 Jul 2020 23:21:58 -0400 Subject: [PATCH] Fixes for 5.7 Signed-off-by: Sasha Levin --- ...s-fix-partial_drain-completion-state.patch | 90 ++++++++ ...-single-step-exception-handling-oops.patch | 115 ++++++++++ ...-t-check-clock-is-null-before-callin.patch | 58 +++++ ...-unchecked-return-value-for-clk_prep.patch | 52 +++++ ...-dereference-in-case-sr-iov-configur.patch | 93 ++++++++ ...w-btf_ctx_access-with-__int128-types.patch | 76 +++++++ ...dereferenced-psock-may-be-used-outsi.patch | 93 ++++++++ ...splat-with-redirect-and-strparser-er.patch | 161 ++++++++++++++ ...m_size-counter-leak-after-stealing-f.patch | 97 +++++++++ ...4-fix-all-mask-ip-address-comparison.patch | 48 +++++ ...ck-plane-visibility-in-atomic_update.patch | 74 +++++++ ...x-setting-the-osd-burst-length-in-vi.patch | 90 ++++++++ ...-direction-setting-when-configure-an.patch | 56 +++++ ...-gpio-resource-leak-on-intel-galileo.patch | 46 ++++ ...rride-irq-for-one-of-the-expanders-o.patch | 132 ++++++++++++ ...nchronize-interrupt-handler-properly.patch | 109 ++++++++++ .../ib-mlx5-fix-50g-per-lane-indication.patch | 47 ++++ ...use-after-free-in-ib_nl_make_request.patch | 130 +++++++++++ .../ionic-centralize-queue-reset-code.patch | 204 ++++++++++++++++++ ...4-plug-race-between-non-residency-an.patch | 87 ++++++++ ...pping-broadcast-packets-in-802.11-en.patch | 37 ++++ ...e-after-free-in-case-of-failed-devli.patch | 195 +++++++++++++++++ ...outer-remove-inappropriate-usage-of-.patch | 49 +++++ ...et-master-partition-panic-write-flag.patch | 40 ++++ ...bd-fix-memory-leak-in-nbd_add_socket.patch | 80 +++++++ ...-fix-ip-dst-and-ipv6-address-filters.patch | 63 ++++++ ...fix-return-error-value-in-t4_prep_fw.patch | 58 +++++ ...chip-set-the-correct-number-of-ports.patch | 56 +++++ ...issing-uninit-debugfs-when-unload-dr.patch | 38 ++++ ...heck-reset-pending-after-flr-prepare.patch | 38 ++++ ...-mishandle-of-asserting-vf-reset-fai.patch | 41 ++++ ...-use-after-free-when-doing-self-test.patch | 85 ++++++++ ...pa-fix-qmi-structure-definition-bugs.patch | 60 ++++++ ...o-checksum-offload-for-sdm845-lan-rx.patch | 38 ++++ ...l-to-pm_runtime-in-the-suspend-resum.patch | 52 +++++ ...b_get-set_wol-when-moving-to-phylink.patch | 73 +++++++ ...b_suspend-by-removing-call-to-netif_.patch | 40 ++++ ...eup-test-in-runtime-suspend-resume-r.patch | 53 +++++ ...vice-wake-capable-when-magic-packet-.patch | 50 +++++ ...x5-fix-eeprom-support-for-sfp-module.patch | 173 +++++++++++++++ ...-mlx5e-ct-fix-memory-leak-in-cleanup.patch | 37 ++++ ...et-mlx5e-fix-50g-per-lane-indication.patch | 134 ++++++++++++ ...u-mapping-after-function-reload-to-a.patch | 84 ++++++++ ...lan-configuration-restore-after-func.patch | 59 +++++ .../net-mvneta-fix-use-of-state-speed.patch | 41 ++++ ...qed-fix-buffer-overflow-on-ethtool-d.patch | 107 +++++++++ ...-allow-to-add-multiple-bridge-interf.patch | 89 ++++++++ .../net-rmnet-fix-lower-interface-leak.patch | 136 ++++++++++++ ...ack-refetch-conntrack-after-nf_connt.patch | 55 +++++ ...et-call-ip_set_free-instead-of-kfree.patch | 134 ++++++++++++ ...turn-err-unconditionally-in-nl80211_.patch | 41 ++++ ...ry-leak-when-parsing-nl80211_attr_he.patch | 38 ++++ ...pt-fix-pebs-sample-for-xmm-registers.patch | 49 +++++ ...x-recording-pebs-via-pt-with-registe.patch | 69 ++++++ ...fix-segmentation-fault-in-perf_evsel.patch | 84 ++++++++ ...ption-fix-0x1500-interrupt-handler-c.patch | 46 ++++ ...-file-attributes-while-reading-nvm-c.patch | 129 +++++++++++ ...dma-siw-fix-reporting-vendor_part_id.patch | 46 ++++ ...ts-bpf-fix-detach-from-sockmap-tests.patch | 79 +++++++ queue-5.7/series | 61 ++++++ ...x-avoid-memory-leak-in-smsc95xx_bind.patch | 39 ++++ ...check-return-value-of-smsc95xx_reset.patch | 48 +++++ 62 files changed, 4782 insertions(+) create mode 100644 queue-5.7/alsa-compress-fix-partial_drain-completion-state.patch create mode 100644 queue-5.7/arm64-kgdb-fix-single-step-exception-handling-oops.patch create mode 100644 queue-5.7/asoc-fsl_mqs-don-t-check-clock-is-null-before-callin.patch create mode 100644 queue-5.7/asoc-fsl_mqs-fix-unchecked-return-value-for-clk_prep.patch create mode 100644 queue-5.7/bnxt_en-fix-null-dereference-in-case-sr-iov-configur.patch create mode 100644 queue-5.7/bpf-do-not-allow-btf_ctx_access-with-__int128-types.patch create mode 100644 queue-5.7/bpf-sockmap-rcu-dereferenced-psock-may-be-used-outsi.patch create mode 100644 queue-5.7/bpf-sockmap-rcu-splat-with-redirect-and-strparser-er.patch create mode 100644 queue-5.7/btrfs-fix-reclaim_size-counter-leak-after-stealing-f.patch create mode 100644 queue-5.7/cxgb4-fix-all-mask-ip-address-comparison.patch create mode 100644 queue-5.7/drm-mediatek-check-plane-visibility-in-atomic_update.patch create mode 100644 queue-5.7/drm-meson-viu-fix-setting-the-osd-burst-length-in-vi.patch create mode 100644 queue-5.7/gpio-pca953x-fix-direction-setting-when-configure-an.patch create mode 100644 queue-5.7/gpio-pca953x-fix-gpio-resource-leak-on-intel-galileo.patch create mode 100644 queue-5.7/gpio-pca953x-override-irq-for-one-of-the-expanders-o.patch create mode 100644 queue-5.7/gpio-pca953x-synchronize-interrupt-handler-properly.patch create mode 100644 queue-5.7/ib-mlx5-fix-50g-per-lane-indication.patch create mode 100644 queue-5.7/ib-sa-resolv-use-after-free-in-ib_nl_make_request.patch create mode 100644 queue-5.7/ionic-centralize-queue-reset-code.patch create mode 100644 queue-5.7/kvm-arm64-vgic-v4-plug-race-between-non-residency-an.patch create mode 100644 queue-5.7/mac80211-fix-dropping-broadcast-packets-in-802.11-en.patch create mode 100644 queue-5.7/mlxsw-pci-fix-use-after-free-in-case-of-failed-devli.patch create mode 100644 queue-5.7/mlxsw-spectrum_router-remove-inappropriate-usage-of-.patch create mode 100644 queue-5.7/mtd-set-master-partition-panic-write-flag.patch create mode 100644 queue-5.7/nbd-fix-memory-leak-in-nbd_add_socket.patch create mode 100644 queue-5.7/net-atlantic-fix-ip-dst-and-ipv6-address-filters.patch create mode 100644 queue-5.7/net-cxgb4-fix-return-error-value-in-t4_prep_fw.patch create mode 100644 queue-5.7/net-dsa-microchip-set-the-correct-number-of-ports.patch create mode 100644 queue-5.7/net-hns3-add-a-missing-uninit-debugfs-when-unload-dr.patch create mode 100644 queue-5.7/net-hns3-check-reset-pending-after-flr-prepare.patch create mode 100644 queue-5.7/net-hns3-fix-for-mishandle-of-asserting-vf-reset-fai.patch create mode 100644 queue-5.7/net-hns3-fix-use-after-free-when-doing-self-test.patch create mode 100644 queue-5.7/net-ipa-fix-qmi-structure-definition-bugs.patch create mode 100644 queue-5.7/net-ipa-no-checksum-offload-for-sdm845-lan-rx.patch create mode 100644 queue-5.7/net-macb-fix-call-to-pm_runtime-in-the-suspend-resum.patch create mode 100644 queue-5.7/net-macb-fix-macb_get-set_wol-when-moving-to-phylink.patch create mode 100644 queue-5.7/net-macb-fix-macb_suspend-by-removing-call-to-netif_.patch create mode 100644 queue-5.7/net-macb-fix-wakeup-test-in-runtime-suspend-resume-r.patch create mode 100644 queue-5.7/net-macb-mark-device-wake-capable-when-magic-packet-.patch create mode 100644 queue-5.7/net-mlx5-fix-eeprom-support-for-sfp-module.patch create mode 100644 queue-5.7/net-mlx5e-ct-fix-memory-leak-in-cleanup.patch create mode 100644 queue-5.7/net-mlx5e-fix-50g-per-lane-indication.patch create mode 100644 queue-5.7/net-mlx5e-fix-cpu-mapping-after-function-reload-to-a.patch create mode 100644 queue-5.7/net-mlx5e-fix-vxlan-configuration-restore-after-func.patch create mode 100644 queue-5.7/net-mvneta-fix-use-of-state-speed.patch create mode 100644 queue-5.7/net-qed-fix-buffer-overflow-on-ethtool-d.patch create mode 100644 queue-5.7/net-rmnet-do-not-allow-to-add-multiple-bridge-interf.patch create mode 100644 queue-5.7/net-rmnet-fix-lower-interface-leak.patch create mode 100644 queue-5.7/netfilter-conntrack-refetch-conntrack-after-nf_connt.patch create mode 100644 queue-5.7/netfilter-ipset-call-ip_set_free-instead-of-kfree.patch create mode 100644 queue-5.7/nl80211-don-t-return-err-unconditionally-in-nl80211_.patch create mode 100644 queue-5.7/nl80211-fix-memory-leak-when-parsing-nl80211_attr_he.patch create mode 100644 queue-5.7/perf-intel-pt-fix-pebs-sample-for-xmm-registers.patch create mode 100644 queue-5.7/perf-intel-pt-fix-recording-pebs-via-pt-with-registe.patch create mode 100644 queue-5.7/perf-report-tui-fix-segmentation-fault-in-perf_evsel.patch create mode 100644 queue-5.7/powerpc-64s-exception-fix-0x1500-interrupt-handler-c.patch create mode 100644 queue-5.7/qed-populate-nvm-file-attributes-while-reading-nvm-c.patch create mode 100644 queue-5.7/rdma-siw-fix-reporting-vendor_part_id.patch create mode 100644 queue-5.7/selftests-bpf-fix-detach-from-sockmap-tests.patch create mode 100644 queue-5.7/smsc95xx-avoid-memory-leak-in-smsc95xx_bind.patch create mode 100644 queue-5.7/smsc95xx-check-return-value-of-smsc95xx_reset.patch diff --git a/queue-5.7/alsa-compress-fix-partial_drain-completion-state.patch b/queue-5.7/alsa-compress-fix-partial_drain-completion-state.patch new file mode 100644 index 00000000000..ef86aa69984 --- /dev/null +++ b/queue-5.7/alsa-compress-fix-partial_drain-completion-state.patch @@ -0,0 +1,90 @@ +From 1f2aefecafaf915f76b13346b1cbad9213eeccc7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Jun 2020 19:17:37 +0530 +Subject: ALSA: compress: fix partial_drain completion state + +From: Vinod Koul + +[ Upstream commit f79a732a8325dfbd570d87f1435019d7e5501c6d ] + +On partial_drain completion we should be in SNDRV_PCM_STATE_RUNNING +state, so set that for partially draining streams in +snd_compr_drain_notify() and use a flag for partially draining streams + +While at it, add locks for stream state change in +snd_compr_drain_notify() as well. + +Fixes: f44f2a5417b2 ("ALSA: compress: fix drain calls blocking other compress functions (v6)") +Reviewed-by: Srinivas Kandagatla +Tested-by: Srinivas Kandagatla +Reviewed-by: Charles Keepax +Tested-by: Charles Keepax +Signed-off-by: Vinod Koul +Link: https://lore.kernel.org/r/20200629134737.105993-4-vkoul@kernel.org +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + include/sound/compress_driver.h | 10 +++++++++- + sound/core/compress_offload.c | 4 ++++ + 2 files changed, 13 insertions(+), 1 deletion(-) + +diff --git a/include/sound/compress_driver.h b/include/sound/compress_driver.h +index 6ce8effa0b128..70cbc5095e725 100644 +--- a/include/sound/compress_driver.h ++++ b/include/sound/compress_driver.h +@@ -66,6 +66,7 @@ struct snd_compr_runtime { + * @direction: stream direction, playback/recording + * @metadata_set: metadata set flag, true when set + * @next_track: has userspace signal next track transition, true when set ++ * @partial_drain: undergoing partial_drain for stream, true when set + * @private_data: pointer to DSP private data + * @dma_buffer: allocated buffer if any + */ +@@ -78,6 +79,7 @@ struct snd_compr_stream { + enum snd_compr_direction direction; + bool metadata_set; + bool next_track; ++ bool partial_drain; + void *private_data; + struct snd_dma_buffer dma_buffer; + }; +@@ -182,7 +184,13 @@ static inline void snd_compr_drain_notify(struct snd_compr_stream *stream) + if (snd_BUG_ON(!stream)) + return; + +- stream->runtime->state = SNDRV_PCM_STATE_SETUP; ++ /* for partial_drain case we are back to running state on success */ ++ if (stream->partial_drain) { ++ stream->runtime->state = SNDRV_PCM_STATE_RUNNING; ++ stream->partial_drain = false; /* clear this flag as well */ ++ } else { ++ stream->runtime->state = SNDRV_PCM_STATE_SETUP; ++ } + + wake_up(&stream->runtime->sleep); + } +diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c +index 509290f2efa8e..0e53f6f319167 100644 +--- a/sound/core/compress_offload.c ++++ b/sound/core/compress_offload.c +@@ -764,6 +764,9 @@ static int snd_compr_stop(struct snd_compr_stream *stream) + + retval = stream->ops->trigger(stream, SNDRV_PCM_TRIGGER_STOP); + if (!retval) { ++ /* clear flags and stop any drain wait */ ++ stream->partial_drain = false; ++ stream->metadata_set = false; + snd_compr_drain_notify(stream); + stream->runtime->total_bytes_available = 0; + stream->runtime->total_bytes_transferred = 0; +@@ -921,6 +924,7 @@ static int snd_compr_partial_drain(struct snd_compr_stream *stream) + if (stream->next_track == false) + return -EPERM; + ++ stream->partial_drain = true; + retval = stream->ops->trigger(stream, SND_COMPR_TRIGGER_PARTIAL_DRAIN); + if (retval) { + pr_debug("Partial drain returned failure\n"); +-- +2.25.1 + diff --git a/queue-5.7/arm64-kgdb-fix-single-step-exception-handling-oops.patch b/queue-5.7/arm64-kgdb-fix-single-step-exception-handling-oops.patch new file mode 100644 index 00000000000..16ed8a4951f --- /dev/null +++ b/queue-5.7/arm64-kgdb-fix-single-step-exception-handling-oops.patch @@ -0,0 +1,115 @@ +From 2504466d764cc63b2a3035283355e21c3dda31c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 10 May 2020 05:41:56 +0800 +Subject: arm64: kgdb: Fix single-step exception handling oops + +From: Wei Li + +[ Upstream commit 8523c006264df65aac7d77284cc69aac46a6f842 ] + +After entering kdb due to breakpoint, when we execute 'ss' or 'go' (will +delay installing breakpoints, do single-step first), it won't work +correctly, and it will enter kdb due to oops. + +It's because the reason gotten in kdb_stub() is not as expected, and it +seems that the ex_vector for single-step should be 0, like what arch +powerpc/sh/parisc has implemented. + +Before the patch: +Entering kdb (current=0xffff8000119e2dc0, pid 0) on processor 0 due to Keyboard Entry +[0]kdb> bp printk +Instruction(i) BP #0 at 0xffff8000101486cc (printk) + is enabled addr at ffff8000101486cc, hardtype=0 installed=0 + +[0]kdb> g + +/ # echo h > /proc/sysrq-trigger + +Entering kdb (current=0xffff0000fa878040, pid 266) on processor 3 due to Breakpoint @ 0xffff8000101486cc +[3]kdb> ss + +Entering kdb (current=0xffff0000fa878040, pid 266) on processor 3 Oops: (null) +due to oops @ 0xffff800010082ab8 +CPU: 3 PID: 266 Comm: sh Not tainted 5.7.0-rc4-13839-gf0e5ad491718 #6 +Hardware name: linux,dummy-virt (DT) +pstate: 00000085 (nzcv daIf -PAN -UAO) +pc : el1_irq+0x78/0x180 +lr : __handle_sysrq+0x80/0x190 +sp : ffff800015003bf0 +x29: ffff800015003d20 x28: ffff0000fa878040 +x27: 0000000000000000 x26: ffff80001126b1f0 +x25: ffff800011b6a0d8 x24: 0000000000000000 +x23: 0000000080200005 x22: ffff8000101486cc +x21: ffff800015003d30 x20: 0000ffffffffffff +x19: ffff8000119f2000 x18: 0000000000000000 +x17: 0000000000000000 x16: 0000000000000000 +x15: 0000000000000000 x14: 0000000000000000 +x13: 0000000000000000 x12: 0000000000000000 +x11: 0000000000000000 x10: 0000000000000000 +x9 : 0000000000000000 x8 : ffff800015003e50 +x7 : 0000000000000002 x6 : 00000000380b9990 +x5 : ffff8000106e99e8 x4 : ffff0000fadd83c0 +x3 : 0000ffffffffffff x2 : ffff800011b6a0d8 +x1 : ffff800011b6a000 x0 : ffff80001130c9d8 +Call trace: + el1_irq+0x78/0x180 + printk+0x0/0x84 + write_sysrq_trigger+0xb0/0x118 + proc_reg_write+0xb4/0xe0 + __vfs_write+0x18/0x40 + vfs_write+0xb0/0x1b8 + ksys_write+0x64/0xf0 + __arm64_sys_write+0x14/0x20 + el0_svc_common.constprop.2+0xb0/0x168 + do_el0_svc+0x20/0x98 + el0_sync_handler+0xec/0x1a8 + el0_sync+0x140/0x180 + +[3]kdb> + +After the patch: +Entering kdb (current=0xffff8000119e2dc0, pid 0) on processor 0 due to Keyboard Entry +[0]kdb> bp printk +Instruction(i) BP #0 at 0xffff8000101486cc (printk) + is enabled addr at ffff8000101486cc, hardtype=0 installed=0 + +[0]kdb> g + +/ # echo h > /proc/sysrq-trigger + +Entering kdb (current=0xffff0000fa852bc0, pid 268) on processor 0 due to Breakpoint @ 0xffff8000101486cc +[0]kdb> g + +Entering kdb (current=0xffff0000fa852bc0, pid 268) on processor 0 due to Breakpoint @ 0xffff8000101486cc +[0]kdb> ss + +Entering kdb (current=0xffff0000fa852bc0, pid 268) on processor 0 due to SS trap @ 0xffff800010082ab8 +[0]kdb> + +Fixes: 44679a4f142b ("arm64: KGDB: Add step debugging support") +Signed-off-by: Wei Li +Tested-by: Douglas Anderson +Reviewed-by: Douglas Anderson +Link: https://lore.kernel.org/r/20200509214159.19680-2-liwei391@huawei.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/kgdb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/kernel/kgdb.c b/arch/arm64/kernel/kgdb.c +index 43119922341f8..1a157ca33262d 100644 +--- a/arch/arm64/kernel/kgdb.c ++++ b/arch/arm64/kernel/kgdb.c +@@ -252,7 +252,7 @@ static int kgdb_step_brk_fn(struct pt_regs *regs, unsigned int esr) + if (!kgdb_single_step) + return DBG_HOOK_ERROR; + +- kgdb_handle_exception(1, SIGTRAP, 0, regs); ++ kgdb_handle_exception(0, SIGTRAP, 0, regs); + return DBG_HOOK_HANDLED; + } + NOKPROBE_SYMBOL(kgdb_step_brk_fn); +-- +2.25.1 + diff --git a/queue-5.7/asoc-fsl_mqs-don-t-check-clock-is-null-before-callin.patch b/queue-5.7/asoc-fsl_mqs-don-t-check-clock-is-null-before-callin.patch new file mode 100644 index 00000000000..82430ce08f3 --- /dev/null +++ b/queue-5.7/asoc-fsl_mqs-don-t-check-clock-is-null-before-callin.patch @@ -0,0 +1,58 @@ +From de6ffe27a827c47ce0bd031d94f670fd345350f8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Jun 2020 14:01:11 +0800 +Subject: ASoC: fsl_mqs: Don't check clock is NULL before calling clk API + +From: Shengjiu Wang + +[ Upstream commit adf46113a608d9515801997fc96cbfe8ffa89ed3 ] + +Because clk_prepare_enable and clk_disable_unprepare should +check input clock parameter is NULL or not internally, then +we don't need to check them before calling the function. + +Fixes: 9e28f6532c61 ("ASoC: fsl_mqs: Add MQS component driver") +Signed-off-by: Shengjiu Wang +Acked-by: Nicolin Chen +Link: https://lore.kernel.org/r/743be216bd504c26e8d45d5ce4a84561b67a122b.1592888591.git.shengjiu.wang@nxp.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/fsl/fsl_mqs.c | 13 ++++--------- + 1 file changed, 4 insertions(+), 9 deletions(-) + +diff --git a/sound/soc/fsl/fsl_mqs.c b/sound/soc/fsl/fsl_mqs.c +index 0c813a45bba7c..b44b134390a39 100644 +--- a/sound/soc/fsl/fsl_mqs.c ++++ b/sound/soc/fsl/fsl_mqs.c +@@ -266,11 +266,9 @@ static int fsl_mqs_runtime_resume(struct device *dev) + { + struct fsl_mqs *mqs_priv = dev_get_drvdata(dev); + +- if (mqs_priv->ipg) +- clk_prepare_enable(mqs_priv->ipg); ++ clk_prepare_enable(mqs_priv->ipg); + +- if (mqs_priv->mclk) +- clk_prepare_enable(mqs_priv->mclk); ++ clk_prepare_enable(mqs_priv->mclk); + + if (mqs_priv->use_gpr) + regmap_write(mqs_priv->regmap, IOMUXC_GPR2, +@@ -292,11 +290,8 @@ static int fsl_mqs_runtime_suspend(struct device *dev) + regmap_read(mqs_priv->regmap, REG_MQS_CTRL, + &mqs_priv->reg_mqs_ctrl); + +- if (mqs_priv->mclk) +- clk_disable_unprepare(mqs_priv->mclk); +- +- if (mqs_priv->ipg) +- clk_disable_unprepare(mqs_priv->ipg); ++ clk_disable_unprepare(mqs_priv->mclk); ++ clk_disable_unprepare(mqs_priv->ipg); + + return 0; + } +-- +2.25.1 + diff --git a/queue-5.7/asoc-fsl_mqs-fix-unchecked-return-value-for-clk_prep.patch b/queue-5.7/asoc-fsl_mqs-fix-unchecked-return-value-for-clk_prep.patch new file mode 100644 index 00000000000..bd0a4f32c68 --- /dev/null +++ b/queue-5.7/asoc-fsl_mqs-fix-unchecked-return-value-for-clk_prep.patch @@ -0,0 +1,52 @@ +From b65c10794a9ffbfa7b1326b14d9198f814836564 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Jun 2020 14:01:12 +0800 +Subject: ASoC: fsl_mqs: Fix unchecked return value for clk_prepare_enable + +From: Shengjiu Wang + +[ Upstream commit 15217d170a4461c1d4c1ea7c497e1fc1122e42a9 ] + +Fix unchecked return value for clk_prepare_enable, add error +handler in fsl_mqs_runtime_resume. + +Fixes: 9e28f6532c61 ("ASoC: fsl_mqs: Add MQS component driver") +Signed-off-by: Shengjiu Wang +Acked-by: Nicolin Chen +Link: https://lore.kernel.org/r/5edd68d03def367d96268f1a9a00bd528ea5aaf2.1592888591.git.shengjiu.wang@nxp.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/fsl/fsl_mqs.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/fsl/fsl_mqs.c b/sound/soc/fsl/fsl_mqs.c +index b44b134390a39..69aeb0e71844d 100644 +--- a/sound/soc/fsl/fsl_mqs.c ++++ b/sound/soc/fsl/fsl_mqs.c +@@ -265,10 +265,20 @@ static int fsl_mqs_remove(struct platform_device *pdev) + static int fsl_mqs_runtime_resume(struct device *dev) + { + struct fsl_mqs *mqs_priv = dev_get_drvdata(dev); ++ int ret; + +- clk_prepare_enable(mqs_priv->ipg); ++ ret = clk_prepare_enable(mqs_priv->ipg); ++ if (ret) { ++ dev_err(dev, "failed to enable ipg clock\n"); ++ return ret; ++ } + +- clk_prepare_enable(mqs_priv->mclk); ++ ret = clk_prepare_enable(mqs_priv->mclk); ++ if (ret) { ++ dev_err(dev, "failed to enable mclk clock\n"); ++ clk_disable_unprepare(mqs_priv->ipg); ++ return ret; ++ } + + if (mqs_priv->use_gpr) + regmap_write(mqs_priv->regmap, IOMUXC_GPR2, +-- +2.25.1 + diff --git a/queue-5.7/bnxt_en-fix-null-dereference-in-case-sr-iov-configur.patch b/queue-5.7/bnxt_en-fix-null-dereference-in-case-sr-iov-configur.patch new file mode 100644 index 00000000000..417ed94252e --- /dev/null +++ b/queue-5.7/bnxt_en-fix-null-dereference-in-case-sr-iov-configur.patch @@ -0,0 +1,93 @@ +From d2230da81cd870e88aaae86592b4e5bdab5365ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Jul 2020 12:55:08 +0200 +Subject: bnxt_en: fix NULL dereference in case SR-IOV configuration fails + +From: Davide Caratti + +[ Upstream commit c8b1d7436045d3599bae56aef1682813ecccaad7 ] + +we need to set 'active_vfs' back to 0, if something goes wrong during the +allocation of SR-IOV resources: otherwise, further VF configurations will +wrongly assume that bp->pf.vf[x] are valid memory locations, and commands +like the ones in the following sequence: + + # echo 2 >/sys/bus/pci/devices/${ADDR}/sriov_numvfs + # ip link set dev ens1f0np0 up + # ip link set dev ens1f0np0 vf 0 trust on + +will cause a kernel crash similar to this: + + bnxt_en 0000:3b:00.0: not enough MMIO resources for SR-IOV + BUG: kernel NULL pointer dereference, address: 0000000000000014 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + PGD 0 P4D 0 + Oops: 0000 [#1] SMP PTI + CPU: 43 PID: 2059 Comm: ip Tainted: G I 5.8.0-rc2.upstream+ #871 + Hardware name: Dell Inc. PowerEdge R740/08D89F, BIOS 2.2.11 06/13/2019 + RIP: 0010:bnxt_set_vf_trust+0x5b/0x110 [bnxt_en] + Code: 44 24 58 31 c0 e8 f5 fb ff ff 85 c0 0f 85 b6 00 00 00 48 8d 1c 5b 41 89 c6 b9 0b 00 00 00 48 c1 e3 04 49 03 9c 24 f0 0e 00 00 <8b> 43 14 89 c2 83 c8 10 83 e2 ef 45 84 ed 49 89 e5 0f 44 c2 4c 89 + RSP: 0018:ffffac6246a1f570 EFLAGS: 00010246 + RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000000000b + RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff98b28f538900 + RBP: ffff98b28f538900 R08: 0000000000000000 R09: 0000000000000008 + R10: ffffffffb9515be0 R11: ffffac6246a1f678 R12: ffff98b28f538000 + R13: 0000000000000001 R14: 0000000000000000 R15: ffffffffc05451e0 + FS: 00007fde0f688800(0000) GS:ffff98baffd40000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000000000014 CR3: 000000104bb0a003 CR4: 00000000007606e0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + PKRU: 55555554 + Call Trace: + do_setlink+0x994/0xfe0 + __rtnl_newlink+0x544/0x8d0 + rtnl_newlink+0x47/0x70 + rtnetlink_rcv_msg+0x29f/0x350 + netlink_rcv_skb+0x4a/0x110 + netlink_unicast+0x21d/0x300 + netlink_sendmsg+0x329/0x450 + sock_sendmsg+0x5b/0x60 + ____sys_sendmsg+0x204/0x280 + ___sys_sendmsg+0x88/0xd0 + __sys_sendmsg+0x5e/0xa0 + do_syscall_64+0x47/0x80 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Fixes: c0c050c58d840 ("bnxt_en: New Broadcom ethernet driver.") +Reported-by: Fei Liu +CC: Jonathan Toppins +CC: Michael Chan +Signed-off-by: Davide Caratti +Reviewed-by: Michael Chan +Acked-by: Jonathan Toppins +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c +index cea2f9958a1df..2295f539a6414 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c +@@ -396,6 +396,7 @@ static void bnxt_free_vf_resources(struct bnxt *bp) + } + } + ++ bp->pf.active_vfs = 0; + kfree(bp->pf.vf); + bp->pf.vf = NULL; + } +@@ -835,7 +836,6 @@ void bnxt_sriov_disable(struct bnxt *bp) + + bnxt_free_vf_resources(bp); + +- bp->pf.active_vfs = 0; + /* Reclaim all resources for the PF. */ + rtnl_lock(); + bnxt_restore_pf_fw_resources(bp); +-- +2.25.1 + diff --git a/queue-5.7/bpf-do-not-allow-btf_ctx_access-with-__int128-types.patch b/queue-5.7/bpf-do-not-allow-btf_ctx_access-with-__int128-types.patch new file mode 100644 index 00000000000..19ac61f34bd --- /dev/null +++ b/queue-5.7/bpf-do-not-allow-btf_ctx_access-with-__int128-types.patch @@ -0,0 +1,76 @@ +From 7c089a07e0ef389bee519a3a1a272fc016d5bb01 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Jun 2020 15:20:39 -0700 +Subject: bpf: Do not allow btf_ctx_access with __int128 types + +From: John Fastabend + +[ Upstream commit a9b59159d338d414acaa8e2f569d129d51c76452 ] + +To ensure btf_ctx_access() is safe the verifier checks that the BTF +arg type is an int, enum, or pointer. When the function does the +BTF arg lookup it uses the calculation 'arg = off / 8' using the +fact that registers are 8B. This requires that the first arg is +in the first reg, the second in the second, and so on. However, +for __int128 the arg will consume two registers by default LLVM +implementation. So this will cause the arg layout assumed by the +'arg = off / 8' calculation to be incorrect. + +Because __int128 is uncommon this patch applies the easiest fix and +will force int types to be sizeof(u64) or smaller so that they will +fit in a single register. + +v2: remove unneeded parens per Andrii's feedback + +Fixes: 9e15db66136a1 ("bpf: Implement accurate raw_tp context access via BTF") +Signed-off-by: John Fastabend +Signed-off-by: Daniel Borkmann +Acked-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/159303723962.11287.13309537171132420717.stgit@john-Precision-5820-Tower +Signed-off-by: Sasha Levin +--- + include/linux/btf.h | 5 +++++ + kernel/bpf/btf.c | 4 ++-- + 2 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/include/linux/btf.h b/include/linux/btf.h +index 5c1ea99b480fa..8b81fbb4497cf 100644 +--- a/include/linux/btf.h ++++ b/include/linux/btf.h +@@ -82,6 +82,11 @@ static inline bool btf_type_is_int(const struct btf_type *t) + return BTF_INFO_KIND(t->info) == BTF_KIND_INT; + } + ++static inline bool btf_type_is_small_int(const struct btf_type *t) ++{ ++ return btf_type_is_int(t) && t->size <= sizeof(u64); ++} ++ + static inline bool btf_type_is_enum(const struct btf_type *t) + { + return BTF_INFO_KIND(t->info) == BTF_KIND_ENUM; +diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c +index d65c6912bdaf6..d1f5d428c9fe2 100644 +--- a/kernel/bpf/btf.c ++++ b/kernel/bpf/btf.c +@@ -3744,7 +3744,7 @@ bool btf_ctx_access(int off, int size, enum bpf_access_type type, + return false; + + t = btf_type_skip_modifiers(btf, t->type, NULL); +- if (!btf_type_is_int(t)) { ++ if (!btf_type_is_small_int(t)) { + bpf_log(log, + "ret type %s not allowed for fmod_ret\n", + btf_kind_str[BTF_INFO_KIND(t->info)]); +@@ -3766,7 +3766,7 @@ bool btf_ctx_access(int off, int size, enum bpf_access_type type, + /* skip modifiers */ + while (btf_type_is_modifier(t)) + t = btf_type_by_id(btf, t->type); +- if (btf_type_is_int(t) || btf_type_is_enum(t)) ++ if (btf_type_is_small_int(t) || btf_type_is_enum(t)) + /* accessing a scalar */ + return true; + if (!btf_type_is_ptr(t)) { +-- +2.25.1 + diff --git a/queue-5.7/bpf-sockmap-rcu-dereferenced-psock-may-be-used-outsi.patch b/queue-5.7/bpf-sockmap-rcu-dereferenced-psock-may-be-used-outsi.patch new file mode 100644 index 00000000000..f63365b050a --- /dev/null +++ b/queue-5.7/bpf-sockmap-rcu-dereferenced-psock-may-be-used-outsi.patch @@ -0,0 +1,93 @@ +From ab35b699f77973cd5dc34689751925f75eb3736b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Jun 2020 16:13:18 -0700 +Subject: bpf, sockmap: RCU dereferenced psock may be used outside RCU block + +From: John Fastabend + +[ Upstream commit 8025751d4d55a2f32be6bdf825b6a80c299875f5 ] + +If an ingress verdict program specifies message sizes greater than +skb->len and there is an ENOMEM error due to memory pressure we +may call the rcv_msg handler outside the strp_data_ready() caller +context. This is because on an ENOMEM error the strparser will +retry from a workqueue. The caller currently protects the use of +psock by calling the strp_data_ready() inside a rcu_read_lock/unlock +block. + +But, in above workqueue error case the psock is accessed outside +the read_lock/unlock block of the caller. So instead of using +psock directly we must do a look up against the sk again to +ensure the psock is available. + +There is an an ugly piece here where we must handle +the case where we paused the strp and removed the psock. On +psock removal we first pause the strparser and then remove +the psock. If the strparser is paused while an skb is +scheduled on the workqueue the skb will be dropped on the +flow and kfree_skb() is called. If the workqueue manages +to get called before we pause the strparser but runs the rcvmsg +callback after the psock is removed we will hit the unlikely +case where we run the sockmap rcvmsg handler but do not have +a psock. For now we will follow strparser logic and drop the +skb on the floor with skb_kfree(). This is ugly because the +data is dropped. To date this has not caused problems in practice +because either the application controlling the sockmap is +coordinating with the datapath so that skbs are "flushed" +before removal or we simply wait for the sock to be closed before +removing it. + +This patch fixes the describe RCU bug and dropping the skb doesn't +make things worse. Future patches will improve this by allowing +the normal case where skbs are not merged to skip the strparser +altogether. In practice many (most?) use cases have no need to +merge skbs so its both a code complexity hit as seen above and +a performance issue. For example, in the Cilium case we always +set the strparser up to return sbks 1:1 without any merging and +have avoided above issues. + +Fixes: e91de6afa81c1 ("bpf: Fix running sk_skb program types with ktls") +Signed-off-by: John Fastabend +Signed-off-by: Alexei Starovoitov +Acked-by: Martin KaFai Lau +Link: https://lore.kernel.org/bpf/159312679888.18340.15248924071966273998.stgit@john-XPS-13-9370 +Signed-off-by: Sasha Levin +--- + net/core/skmsg.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/net/core/skmsg.c b/net/core/skmsg.c +index c41ab6906b210..6a32a1fd34f8c 100644 +--- a/net/core/skmsg.c ++++ b/net/core/skmsg.c +@@ -781,11 +781,18 @@ static void sk_psock_verdict_apply(struct sk_psock *psock, + + static void sk_psock_strp_read(struct strparser *strp, struct sk_buff *skb) + { +- struct sk_psock *psock = sk_psock_from_strp(strp); ++ struct sk_psock *psock; + struct bpf_prog *prog; + int ret = __SK_DROP; ++ struct sock *sk; + + rcu_read_lock(); ++ sk = strp->sk; ++ psock = sk_psock(sk); ++ if (unlikely(!psock)) { ++ kfree_skb(skb); ++ goto out; ++ } + prog = READ_ONCE(psock->progs.skb_verdict); + if (likely(prog)) { + skb_orphan(skb); +@@ -794,6 +801,7 @@ static void sk_psock_strp_read(struct strparser *strp, struct sk_buff *skb) + ret = sk_psock_map_verd(ret, tcp_skb_bpf_redirect_fetch(skb)); + } + sk_psock_verdict_apply(psock, skb, ret); ++out: + rcu_read_unlock(); + } + +-- +2.25.1 + diff --git a/queue-5.7/bpf-sockmap-rcu-splat-with-redirect-and-strparser-er.patch b/queue-5.7/bpf-sockmap-rcu-splat-with-redirect-and-strparser-er.patch new file mode 100644 index 00000000000..0a1809a5930 --- /dev/null +++ b/queue-5.7/bpf-sockmap-rcu-splat-with-redirect-and-strparser-er.patch @@ -0,0 +1,161 @@ +From c0275cc5c194e722b5675106ce5def7aea817de9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Jun 2020 16:12:59 -0700 +Subject: bpf, sockmap: RCU splat with redirect and strparser error or TLS + +From: John Fastabend + +[ Upstream commit 93dd5f185916b05e931cffae636596f21f98546e ] + +There are two paths to generate the below RCU splat the first and +most obvious is the result of the BPF verdict program issuing a +redirect on a TLS socket (This is the splat shown below). Unlike +the non-TLS case the caller of the *strp_read() hooks does not +wrap the call in a rcu_read_lock/unlock. Then if the BPF program +issues a redirect action we hit the RCU splat. + +However, in the non-TLS socket case the splat appears to be +relatively rare, because the skmsg caller into the strp_data_ready() +is wrapped in a rcu_read_lock/unlock. Shown here, + + static void sk_psock_strp_data_ready(struct sock *sk) + { + struct sk_psock *psock; + + rcu_read_lock(); + psock = sk_psock(sk); + if (likely(psock)) { + if (tls_sw_has_ctx_rx(sk)) { + psock->parser.saved_data_ready(sk); + } else { + write_lock_bh(&sk->sk_callback_lock); + strp_data_ready(&psock->parser.strp); + write_unlock_bh(&sk->sk_callback_lock); + } + } + rcu_read_unlock(); + } + +If the above was the only way to run the verdict program we +would be safe. But, there is a case where the strparser may throw an +ENOMEM error while parsing the skb. This is a result of a failed +skb_clone, or alloc_skb_for_msg while building a new merged skb when +the msg length needed spans multiple skbs. This will in turn put the +skb on the strp_wrk workqueue in the strparser code. The skb will +later be dequeued and verdict programs run, but now from a +different context without the rcu_read_lock()/unlock() critical +section in sk_psock_strp_data_ready() shown above. In practice +I have not seen this yet, because as far as I know most users of the +verdict programs are also only working on single skbs. In this case no +merge happens which could trigger the above ENOMEM errors. In addition +the system would need to be under memory pressure. For example, we +can't hit the above case in selftests because we missed having tests +to merge skbs. (Added in later patch) + +To fix the below splat extend the rcu_read_lock/unnlock block to +include the call to sk_psock_tls_verdict_apply(). This will fix both +TLS redirect case and non-TLS redirect+error case. Also remove +psock from the sk_psock_tls_verdict_apply() function signature its +not used there. + +[ 1095.937597] WARNING: suspicious RCU usage +[ 1095.940964] 5.7.0-rc7-02911-g463bac5f1ca79 #1 Tainted: G W +[ 1095.944363] ----------------------------- +[ 1095.947384] include/linux/skmsg.h:284 suspicious rcu_dereference_check() usage! +[ 1095.950866] +[ 1095.950866] other info that might help us debug this: +[ 1095.950866] +[ 1095.957146] +[ 1095.957146] rcu_scheduler_active = 2, debug_locks = 1 +[ 1095.961482] 1 lock held by test_sockmap/15970: +[ 1095.964501] #0: ffff9ea6b25de660 (sk_lock-AF_INET){+.+.}-{0:0}, at: tls_sw_recvmsg+0x13a/0x840 [tls] +[ 1095.968568] +[ 1095.968568] stack backtrace: +[ 1095.975001] CPU: 1 PID: 15970 Comm: test_sockmap Tainted: G W 5.7.0-rc7-02911-g463bac5f1ca79 #1 +[ 1095.977883] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 +[ 1095.980519] Call Trace: +[ 1095.982191] dump_stack+0x8f/0xd0 +[ 1095.984040] sk_psock_skb_redirect+0xa6/0xf0 +[ 1095.986073] sk_psock_tls_strp_read+0x1d8/0x250 +[ 1095.988095] tls_sw_recvmsg+0x714/0x840 [tls] + +v2: Improve commit message to identify non-TLS redirect plus error case + condition as well as more common TLS case. In the process I decided + doing the rcu_read_unlock followed by the lock/unlock inside branches + was unnecessarily complex. We can just extend the current rcu block + and get the same effeective without the shuffling and branching. + Thanks Martin! + +Fixes: e91de6afa81c1 ("bpf: Fix running sk_skb program types with ktls") +Reported-by: Jakub Sitnicki +Reported-by: kernel test robot +Signed-off-by: John Fastabend +Signed-off-by: Alexei Starovoitov +Acked-by: Martin KaFai Lau +Acked-by: Jakub Sitnicki +Link: https://lore.kernel.org/bpf/159312677907.18340.11064813152758406626.stgit@john-XPS-13-9370 +Signed-off-by: Sasha Levin +--- + net/core/skmsg.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +diff --git a/net/core/skmsg.c b/net/core/skmsg.c +index 351afbf6bfbac..c41ab6906b210 100644 +--- a/net/core/skmsg.c ++++ b/net/core/skmsg.c +@@ -683,7 +683,7 @@ static struct sk_psock *sk_psock_from_strp(struct strparser *strp) + return container_of(parser, struct sk_psock, parser); + } + +-static void sk_psock_skb_redirect(struct sk_psock *psock, struct sk_buff *skb) ++static void sk_psock_skb_redirect(struct sk_buff *skb) + { + struct sk_psock *psock_other; + struct sock *sk_other; +@@ -715,12 +715,11 @@ static void sk_psock_skb_redirect(struct sk_psock *psock, struct sk_buff *skb) + } + } + +-static void sk_psock_tls_verdict_apply(struct sk_psock *psock, +- struct sk_buff *skb, int verdict) ++static void sk_psock_tls_verdict_apply(struct sk_buff *skb, int verdict) + { + switch (verdict) { + case __SK_REDIRECT: +- sk_psock_skb_redirect(psock, skb); ++ sk_psock_skb_redirect(skb); + break; + case __SK_PASS: + case __SK_DROP: +@@ -741,8 +740,8 @@ int sk_psock_tls_strp_read(struct sk_psock *psock, struct sk_buff *skb) + ret = sk_psock_bpf_run(psock, prog, skb); + ret = sk_psock_map_verd(ret, tcp_skb_bpf_redirect_fetch(skb)); + } ++ sk_psock_tls_verdict_apply(skb, ret); + rcu_read_unlock(); +- sk_psock_tls_verdict_apply(psock, skb, ret); + return ret; + } + EXPORT_SYMBOL_GPL(sk_psock_tls_strp_read); +@@ -770,7 +769,7 @@ static void sk_psock_verdict_apply(struct sk_psock *psock, + } + goto out_free; + case __SK_REDIRECT: +- sk_psock_skb_redirect(psock, skb); ++ sk_psock_skb_redirect(skb); + break; + case __SK_DROP: + /* fall-through */ +@@ -794,8 +793,8 @@ static void sk_psock_strp_read(struct strparser *strp, struct sk_buff *skb) + ret = sk_psock_bpf_run(psock, prog, skb); + ret = sk_psock_map_verd(ret, tcp_skb_bpf_redirect_fetch(skb)); + } +- rcu_read_unlock(); + sk_psock_verdict_apply(psock, skb, ret); ++ rcu_read_unlock(); + } + + static int sk_psock_strp_read_done(struct strparser *strp, int err) +-- +2.25.1 + diff --git a/queue-5.7/btrfs-fix-reclaim_size-counter-leak-after-stealing-f.patch b/queue-5.7/btrfs-fix-reclaim_size-counter-leak-after-stealing-f.patch new file mode 100644 index 00000000000..f62d32d9000 --- /dev/null +++ b/queue-5.7/btrfs-fix-reclaim_size-counter-leak-after-stealing-f.patch @@ -0,0 +1,97 @@ +From 76a71da4888d19a4771dcc0419e40118556516f6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 27 Jun 2020 11:40:44 +0100 +Subject: btrfs: fix reclaim_size counter leak after stealing from global + reserve + +From: Filipe Manana + +[ Upstream commit 6d548b9e5d56067cff17ff77585167cd65375e4b ] + +Commit 7f9fe614407692 ("btrfs: improve global reserve stealing logic"), +added in the 5.8 merge window, introduced another leak for the space_info's +reclaim_size counter. This is very often triggered by the test cases +generic/269 and generic/416 from fstests, producing a stack trace like the +following during unmount: + +[37079.155499] ------------[ cut here ]------------ +[37079.156844] WARNING: CPU: 2 PID: 2000423 at fs/btrfs/block-group.c:3422 btrfs_free_block_groups+0x2eb/0x300 [btrfs] +[37079.158090] Modules linked in: dm_snapshot btrfs dm_thin_pool (...) +[37079.164440] CPU: 2 PID: 2000423 Comm: umount Tainted: G W 5.7.0-rc7-btrfs-next-62 #1 +[37079.165422] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), (...) +[37079.167384] RIP: 0010:btrfs_free_block_groups+0x2eb/0x300 [btrfs] +[37079.168375] Code: bd 58 ff ff ff 00 4c 8d (...) +[37079.170199] RSP: 0018:ffffaa53875c7de0 EFLAGS: 00010206 +[37079.171120] RAX: ffff98099e701cf8 RBX: ffff98099e2d4000 RCX: 0000000000000000 +[37079.172057] RDX: 0000000000000001 RSI: ffffffffc0acc5b1 RDI: 00000000ffffffff +[37079.173002] RBP: ffff98099e701cf8 R08: 0000000000000000 R09: 0000000000000000 +[37079.173886] R10: 0000000000000000 R11: 0000000000000000 R12: ffff98099e701c00 +[37079.174730] R13: ffff98099e2d5100 R14: dead000000000122 R15: dead000000000100 +[37079.175578] FS: 00007f4d7d0a5840(0000) GS:ffff9809ec600000(0000) knlGS:0000000000000000 +[37079.176434] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[37079.177289] CR2: 0000559224dcc000 CR3: 000000012207a004 CR4: 00000000003606e0 +[37079.178152] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[37079.178935] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[37079.179675] Call Trace: +[37079.180419] close_ctree+0x291/0x2d1 [btrfs] +[37079.181162] generic_shutdown_super+0x6c/0x100 +[37079.181898] kill_anon_super+0x14/0x30 +[37079.182641] btrfs_kill_super+0x12/0x20 [btrfs] +[37079.183371] deactivate_locked_super+0x31/0x70 +[37079.184012] cleanup_mnt+0x100/0x160 +[37079.184650] task_work_run+0x68/0xb0 +[37079.185284] exit_to_usermode_loop+0xf9/0x100 +[37079.185920] do_syscall_64+0x20d/0x260 +[37079.186556] entry_SYSCALL_64_after_hwframe+0x49/0xb3 +[37079.187197] RIP: 0033:0x7f4d7d2d9357 +[37079.187836] Code: eb 0b 00 f7 d8 64 89 01 48 (...) +[37079.189180] RSP: 002b:00007ffee4e0d368 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6 +[37079.189845] RAX: 0000000000000000 RBX: 00007f4d7d3fb224 RCX: 00007f4d7d2d9357 +[37079.190515] RDX: ffffffffffffff78 RSI: 0000000000000000 RDI: 0000559224dc5c90 +[37079.191173] RBP: 0000559224dc1970 R08: 0000000000000000 R09: 00007ffee4e0c0e0 +[37079.191815] R10: 0000559224dc7b00 R11: 0000000000000246 R12: 0000000000000000 +[37079.192451] R13: 0000559224dc5c90 R14: 0000559224dc1a80 R15: 0000559224dc1ba0 +[37079.193096] irq event stamp: 0 +[37079.193729] hardirqs last enabled at (0): [<0000000000000000>] 0x0 +[37079.194379] hardirqs last disabled at (0): [] copy_process+0x755/0x1ea0 +[37079.195033] softirqs last enabled at (0): [] copy_process+0x755/0x1ea0 +[37079.195700] softirqs last disabled at (0): [<0000000000000000>] 0x0 +[37079.196318] ---[ end trace b32710d864dea887 ]--- + +In the past commit d611add48b717a ("btrfs: fix reclaim counter leak of +space_info objects") fixed similar cases. That commit however has a date +more recent (April 7 2020) then the commit mentioned before (March 13 +2020), however it was merged in kernel 5.7 while the older commit, which +introduces a new leak, was merged only in the 5.8 merge window. So the +leak sneaked in unnoticed. + +Fix this by making steal_from_global_rsv() remove the ticket using the +helper remove_ticket(), which decrements the reclaim_size counter of the +space_info object. + +Fixes: 7f9fe614407692 ("btrfs: improve global reserve stealing logic") +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/space-info.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/btrfs/space-info.c b/fs/btrfs/space-info.c +index eee6748c49e4e..756950aba1a66 100644 +--- a/fs/btrfs/space-info.c ++++ b/fs/btrfs/space-info.c +@@ -879,8 +879,8 @@ static bool steal_from_global_rsv(struct btrfs_fs_info *fs_info, + return false; + } + global_rsv->reserved -= ticket->bytes; ++ remove_ticket(space_info, ticket); + ticket->bytes = 0; +- list_del_init(&ticket->list); + wake_up(&ticket->wait); + space_info->tickets_id++; + if (global_rsv->reserved < global_rsv->size) +-- +2.25.1 + diff --git a/queue-5.7/cxgb4-fix-all-mask-ip-address-comparison.patch b/queue-5.7/cxgb4-fix-all-mask-ip-address-comparison.patch new file mode 100644 index 00000000000..7e0b96ac907 --- /dev/null +++ b/queue-5.7/cxgb4-fix-all-mask-ip-address-comparison.patch @@ -0,0 +1,48 @@ +From f7719bca3250d3732a7088f8b54e12bc774d2be1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Jul 2020 03:14:27 +0530 +Subject: cxgb4: fix all-mask IP address comparison + +From: Rahul Lakkireddy + +[ Upstream commit 76c4d85c9260c3d741cbd194c30c61983d0a4303 ] + +Convert all-mask IP address to Big Endian, instead, for comparison. + +Fixes: f286dd8eaad5 ("cxgb4: use correct type for all-mask IP address comparison") +Signed-off-by: Rahul Lakkireddy +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c +index 7a7f61a8cdf40..d02d346629b36 100644 +--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c +@@ -1112,16 +1112,16 @@ static bool is_addr_all_mask(u8 *ipmask, int family) + struct in_addr *addr; + + addr = (struct in_addr *)ipmask; +- if (ntohl(addr->s_addr) == 0xffffffff) ++ if (addr->s_addr == htonl(0xffffffff)) + return true; + } else if (family == AF_INET6) { + struct in6_addr *addr6; + + addr6 = (struct in6_addr *)ipmask; +- if (ntohl(addr6->s6_addr32[0]) == 0xffffffff && +- ntohl(addr6->s6_addr32[1]) == 0xffffffff && +- ntohl(addr6->s6_addr32[2]) == 0xffffffff && +- ntohl(addr6->s6_addr32[3]) == 0xffffffff) ++ if (addr6->s6_addr32[0] == htonl(0xffffffff) && ++ addr6->s6_addr32[1] == htonl(0xffffffff) && ++ addr6->s6_addr32[2] == htonl(0xffffffff) && ++ addr6->s6_addr32[3] == htonl(0xffffffff)) + return true; + } + return false; +-- +2.25.1 + diff --git a/queue-5.7/drm-mediatek-check-plane-visibility-in-atomic_update.patch b/queue-5.7/drm-mediatek-check-plane-visibility-in-atomic_update.patch new file mode 100644 index 00000000000..5783a134bae --- /dev/null +++ b/queue-5.7/drm-mediatek-check-plane-visibility-in-atomic_update.patch @@ -0,0 +1,74 @@ +From 0aecae61df0fc093c2e58e24c01f05c14ccf1aab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Jun 2020 23:57:53 +0800 +Subject: drm/mediatek: Check plane visibility in atomic_update + +From: Hsin-Yi Wang + +[ Upstream commit c0b8892e2461b5fa740e47efbb1269a487b04020 ] + +Disable the plane if it's not visible. Otherwise mtk_ovl_layer_config() +would proceed with invalid plane and we may see vblank timeout. + +Fixes: 119f5173628a ("drm/mediatek: Add DRM Driver for Mediatek SoC MT8173.") +Signed-off-by: Hsin-Yi Wang +Reviewed-by: Tomasz Figa +Signed-off-by: Chun-Kuang Hu +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/mediatek/mtk_drm_plane.c | 25 ++++++++++++++---------- + 1 file changed, 15 insertions(+), 10 deletions(-) + +diff --git a/drivers/gpu/drm/mediatek/mtk_drm_plane.c b/drivers/gpu/drm/mediatek/mtk_drm_plane.c +index c2bd683a87c82..92141a19681b9 100644 +--- a/drivers/gpu/drm/mediatek/mtk_drm_plane.c ++++ b/drivers/gpu/drm/mediatek/mtk_drm_plane.c +@@ -164,6 +164,16 @@ static int mtk_plane_atomic_check(struct drm_plane *plane, + true, true); + } + ++static void mtk_plane_atomic_disable(struct drm_plane *plane, ++ struct drm_plane_state *old_state) ++{ ++ struct mtk_plane_state *state = to_mtk_plane_state(plane->state); ++ ++ state->pending.enable = false; ++ wmb(); /* Make sure the above parameter is set before update */ ++ state->pending.dirty = true; ++} ++ + static void mtk_plane_atomic_update(struct drm_plane *plane, + struct drm_plane_state *old_state) + { +@@ -178,6 +188,11 @@ static void mtk_plane_atomic_update(struct drm_plane *plane, + if (!crtc || WARN_ON(!fb)) + return; + ++ if (!plane->state->visible) { ++ mtk_plane_atomic_disable(plane, old_state); ++ return; ++ } ++ + gem = fb->obj[0]; + mtk_gem = to_mtk_gem_obj(gem); + addr = mtk_gem->dma_addr; +@@ -200,16 +215,6 @@ static void mtk_plane_atomic_update(struct drm_plane *plane, + state->pending.dirty = true; + } + +-static void mtk_plane_atomic_disable(struct drm_plane *plane, +- struct drm_plane_state *old_state) +-{ +- struct mtk_plane_state *state = to_mtk_plane_state(plane->state); +- +- state->pending.enable = false; +- wmb(); /* Make sure the above parameter is set before update */ +- state->pending.dirty = true; +-} +- + static const struct drm_plane_helper_funcs mtk_plane_helper_funcs = { + .prepare_fb = drm_gem_fb_prepare_fb, + .atomic_check = mtk_plane_atomic_check, +-- +2.25.1 + diff --git a/queue-5.7/drm-meson-viu-fix-setting-the-osd-burst-length-in-vi.patch b/queue-5.7/drm-meson-viu-fix-setting-the-osd-burst-length-in-vi.patch new file mode 100644 index 00000000000..96d74cb42fa --- /dev/null +++ b/queue-5.7/drm-meson-viu-fix-setting-the-osd-burst-length-in-vi.patch @@ -0,0 +1,90 @@ +From 6dc0075d485bdf00da762331cad72c5b78559818 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 20 Jun 2020 17:57:52 +0200 +Subject: drm/meson: viu: fix setting the OSD burst length in + VIU_OSD1_FIFO_CTRL_STAT + +From: Martin Blumenstingl + +[ Upstream commit 17f64701ea6f541db7eb5d7423a830cb929b3052 ] + +The burst length is configured in VIU_OSD1_FIFO_CTRL_STAT[31] and +VIU_OSD1_FIFO_CTRL_STAT[11:10]. The public S905D3 datasheet describes +this as: +- 0x0 = up to 24 per burst +- 0x1 = up to 32 per burst +- 0x2 = up to 48 per burst +- 0x3 = up to 64 per burst +- 0x4 = up to 96 per burst +- 0x5 = up to 128 per burst + +The lower two bits map to VIU_OSD1_FIFO_CTRL_STAT[11:10] while the upper +bit maps to VIU_OSD1_FIFO_CTRL_STAT[31]. + +Replace meson_viu_osd_burst_length_reg() with pre-defined macros which +set these values. meson_viu_osd_burst_length_reg() always returned 0 +(for the two used values: 32 and 64 at least) and thus incorrectly set +the burst size to 24. + +Fixes: 147ae1cbaa1842 ("drm: meson: viu: use proper macros instead of magic constants") +Signed-off-by: Martin Blumenstingl +Signed-off-by: Neil Armstrong +Reviewed-by: Neil Armstrong +Tested-by: Christian Hewitt +Link: https://patchwork.freedesktop.org/patch/msgid/20200620155752.21065-1-martin.blumenstingl@googlemail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/meson/meson_registers.h | 6 ++++++ + drivers/gpu/drm/meson/meson_viu.c | 11 ++--------- + 2 files changed, 8 insertions(+), 9 deletions(-) + +diff --git a/drivers/gpu/drm/meson/meson_registers.h b/drivers/gpu/drm/meson/meson_registers.h +index 8ea00546cd4e2..049c4bfe2a3ae 100644 +--- a/drivers/gpu/drm/meson/meson_registers.h ++++ b/drivers/gpu/drm/meson/meson_registers.h +@@ -261,6 +261,12 @@ + #define VIU_OSD_FIFO_DEPTH_VAL(val) ((val & 0x7f) << 12) + #define VIU_OSD_WORDS_PER_BURST(words) (((words & 0x4) >> 1) << 22) + #define VIU_OSD_FIFO_LIMITS(size) ((size & 0xf) << 24) ++#define VIU_OSD_BURST_LENGTH_24 (0x0 << 31 | 0x0 << 10) ++#define VIU_OSD_BURST_LENGTH_32 (0x0 << 31 | 0x1 << 10) ++#define VIU_OSD_BURST_LENGTH_48 (0x0 << 31 | 0x2 << 10) ++#define VIU_OSD_BURST_LENGTH_64 (0x0 << 31 | 0x3 << 10) ++#define VIU_OSD_BURST_LENGTH_96 (0x1 << 31 | 0x0 << 10) ++#define VIU_OSD_BURST_LENGTH_128 (0x1 << 31 | 0x1 << 10) + + #define VD1_IF0_GEN_REG 0x1a50 + #define VD1_IF0_CANVAS0 0x1a51 +diff --git a/drivers/gpu/drm/meson/meson_viu.c b/drivers/gpu/drm/meson/meson_viu.c +index 304f8ff1339cb..aede0c67a57f0 100644 +--- a/drivers/gpu/drm/meson/meson_viu.c ++++ b/drivers/gpu/drm/meson/meson_viu.c +@@ -411,13 +411,6 @@ void meson_viu_gxm_disable_osd1_afbc(struct meson_drm *priv) + priv->io_base + _REG(VIU_MISC_CTRL1)); + } + +-static inline uint32_t meson_viu_osd_burst_length_reg(uint32_t length) +-{ +- uint32_t val = (((length & 0x80) % 24) / 12); +- +- return (((val & 0x3) << 10) | (((val & 0x4) >> 2) << 31)); +-} +- + void meson_viu_init(struct meson_drm *priv) + { + uint32_t reg; +@@ -444,9 +437,9 @@ void meson_viu_init(struct meson_drm *priv) + VIU_OSD_FIFO_LIMITS(2); /* fifo_lim: 2*16=32 */ + + if (meson_vpu_is_compatible(priv, VPU_COMPATIBLE_G12A)) +- reg |= meson_viu_osd_burst_length_reg(32); ++ reg |= VIU_OSD_BURST_LENGTH_32; + else +- reg |= meson_viu_osd_burst_length_reg(64); ++ reg |= VIU_OSD_BURST_LENGTH_64; + + writel_relaxed(reg, priv->io_base + _REG(VIU_OSD1_FIFO_CTRL_STAT)); + writel_relaxed(reg, priv->io_base + _REG(VIU_OSD2_FIFO_CTRL_STAT)); +-- +2.25.1 + diff --git a/queue-5.7/gpio-pca953x-fix-direction-setting-when-configure-an.patch b/queue-5.7/gpio-pca953x-fix-direction-setting-when-configure-an.patch new file mode 100644 index 00000000000..5d2cea6f33c --- /dev/null +++ b/queue-5.7/gpio-pca953x-fix-direction-setting-when-configure-an.patch @@ -0,0 +1,56 @@ +From f99a72fa72ad0db844e4633a318b94f483cbc538 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Jun 2020 16:40:35 +0300 +Subject: gpio: pca953x: Fix direction setting when configure an IRQ + +From: Andy Shevchenko + +[ Upstream commit 0b22c25e1b81c5f718e89c4d759e6a359be24417 ] + +The commit 0f25fda840a9 ("gpio: pca953x: Zap ad-hoc reg_direction cache") +seems inadvertently made a typo in pca953x_irq_bus_sync_unlock(). + +When the direction bit is 1 it means input, and the piece of code in question +was looking for output ones that should be turned to inputs. + +Fix direction setting when configure an IRQ by injecting a bitmap complement +operation. + +Fixes: 0f25fda840a9 ("gpio: pca953x: Zap ad-hoc reg_direction cache") +Depends-on: 35d13d94893f ("gpio: pca953x: convert to use bitmap API") +Cc: Marek Vasut +Signed-off-by: Andy Shevchenko +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-pca953x.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpio/gpio-pca953x.c b/drivers/gpio/gpio-pca953x.c +index 8571e54512476..a10411958e3f2 100644 +--- a/drivers/gpio/gpio-pca953x.c ++++ b/drivers/gpio/gpio-pca953x.c +@@ -686,8 +686,6 @@ static void pca953x_irq_bus_sync_unlock(struct irq_data *d) + DECLARE_BITMAP(reg_direction, MAX_LINE); + int level; + +- pca953x_read_regs(chip, chip->regs->direction, reg_direction); +- + if (chip->driver_data & PCA_PCAL) { + /* Enable latch on interrupt-enabled inputs */ + pca953x_write_regs(chip, PCAL953X_IN_LATCH, chip->irq_mask); +@@ -698,7 +696,11 @@ static void pca953x_irq_bus_sync_unlock(struct irq_data *d) + pca953x_write_regs(chip, PCAL953X_INT_MASK, irq_mask); + } + ++ /* Switch direction to input if needed */ ++ pca953x_read_regs(chip, chip->regs->direction, reg_direction); ++ + bitmap_or(irq_mask, chip->irq_trig_fall, chip->irq_trig_raise, gc->ngpio); ++ bitmap_complement(reg_direction, reg_direction, gc->ngpio); + bitmap_and(irq_mask, irq_mask, reg_direction, gc->ngpio); + + /* Look for any newly setup interrupt */ +-- +2.25.1 + diff --git a/queue-5.7/gpio-pca953x-fix-gpio-resource-leak-on-intel-galileo.patch b/queue-5.7/gpio-pca953x-fix-gpio-resource-leak-on-intel-galileo.patch new file mode 100644 index 00000000000..3c25d6da596 --- /dev/null +++ b/queue-5.7/gpio-pca953x-fix-gpio-resource-leak-on-intel-galileo.patch @@ -0,0 +1,46 @@ +From a4c6f5f54db1de0606aca268229b5d80ee19b29c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Jun 2020 14:49:06 +0300 +Subject: gpio: pca953x: Fix GPIO resource leak on Intel Galileo Gen 2 + +From: Andy Shevchenko + +[ Upstream commit 5d8913504ccfeea6120df5ae1c6f4479ff09b931 ] + +When adding a quirk for IRQ on Intel Galileo Gen 2 the commit ba8c90c61847 +("gpio: pca953x: Override IRQ for one of the expanders on Galileo Gen 2") +missed GPIO resource release. We can safely do this in the same quirk, since +IRQ will be locked by GPIO framework when requested and unlocked on freeing. + +Fixes: ba8c90c61847 ("gpio: pca953x: Override IRQ for one of the expanders on Galileo Gen 2") +Signed-off-by: Andy Shevchenko +Cc: Mika Westerberg +Reviewed-by: Mika Westerberg +Reviewed-by: Linus Walleij +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-pca953x.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpio/gpio-pca953x.c b/drivers/gpio/gpio-pca953x.c +index a10411958e3f2..48bea0997e70c 100644 +--- a/drivers/gpio/gpio-pca953x.c ++++ b/drivers/gpio/gpio-pca953x.c +@@ -176,7 +176,12 @@ static int pca953x_acpi_get_irq(struct device *dev) + if (ret) + return ret; + +- return gpio_to_irq(pin); ++ ret = gpio_to_irq(pin); ++ ++ /* When pin is used as an IRQ, no need to keep it requested */ ++ gpio_free(pin); ++ ++ return ret; + } + #endif + +-- +2.25.1 + diff --git a/queue-5.7/gpio-pca953x-override-irq-for-one-of-the-expanders-o.patch b/queue-5.7/gpio-pca953x-override-irq-for-one-of-the-expanders-o.patch new file mode 100644 index 00000000000..bdc60403502 --- /dev/null +++ b/queue-5.7/gpio-pca953x-override-irq-for-one-of-the-expanders-o.patch @@ -0,0 +1,132 @@ +From e4bef1b85839f0478139cefb9aa512ab926b247c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Jun 2020 16:40:34 +0300 +Subject: gpio: pca953x: Override IRQ for one of the expanders on Galileo Gen 2 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Andy Shevchenko + +[ Upstream commit ba8c90c6184784b397807b72403656085ac2f8c1 ] + +ACPI table on Intel Galileo Gen 2 has wrong pin number for IRQ resource +of one of the I²C GPIO expanders. Since we know what that number is and +luckily have GPIO bases fixed for SoC's controllers, we may use a simple +DMI quirk to match the platform and retrieve GpioInt() pin on it for +the expander in question. + +Mika suggested the way to avoid a quirk in the GPIO ACPI library and +here is the second, almost rewritten version of it. + +Fixes: f32517bf1ae0 ("gpio: pca953x: support ACPI devices found on Galileo Gen2") +Depends-on: 25e3ef894eef ("gpio: acpi: Split out acpi_gpio_get_irq_resource() helper") +Suggested-by: Mika Westerberg +Reviewed-by: Mika Westerberg +Signed-off-by: Andy Shevchenko +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-pca953x.c | 79 +++++++++++++++++++++++++++++++++++++ + 1 file changed, 79 insertions(+) + +diff --git a/drivers/gpio/gpio-pca953x.c b/drivers/gpio/gpio-pca953x.c +index d8ba6c5195be7..8571e54512476 100644 +--- a/drivers/gpio/gpio-pca953x.c ++++ b/drivers/gpio/gpio-pca953x.c +@@ -107,6 +107,79 @@ static const struct i2c_device_id pca953x_id[] = { + }; + MODULE_DEVICE_TABLE(i2c, pca953x_id); + ++#ifdef CONFIG_GPIO_PCA953X_IRQ ++ ++#include ++#include ++#include ++ ++static const struct dmi_system_id pca953x_dmi_acpi_irq_info[] = { ++ { ++ /* ++ * On Intel Galileo Gen 2 board the IRQ pin of one of ++ * the I²C GPIO expanders, which has GpioInt() resource, ++ * is provided as an absolute number instead of being ++ * relative. Since first controller (gpio-sch.c) and ++ * second (gpio-dwapb.c) are at the fixed bases, we may ++ * safely refer to the number in the global space to get ++ * an IRQ out of it. ++ */ ++ .matches = { ++ DMI_EXACT_MATCH(DMI_BOARD_NAME, "GalileoGen2"), ++ }, ++ }, ++ {} ++}; ++ ++#ifdef CONFIG_ACPI ++static int pca953x_acpi_get_pin(struct acpi_resource *ares, void *data) ++{ ++ struct acpi_resource_gpio *agpio; ++ int *pin = data; ++ ++ if (acpi_gpio_get_irq_resource(ares, &agpio)) ++ *pin = agpio->pin_table[0]; ++ return 1; ++} ++ ++static int pca953x_acpi_find_pin(struct device *dev) ++{ ++ struct acpi_device *adev = ACPI_COMPANION(dev); ++ int pin = -ENOENT, ret; ++ LIST_HEAD(r); ++ ++ ret = acpi_dev_get_resources(adev, &r, pca953x_acpi_get_pin, &pin); ++ acpi_dev_free_resource_list(&r); ++ if (ret < 0) ++ return ret; ++ ++ return pin; ++} ++#else ++static inline int pca953x_acpi_find_pin(struct device *dev) { return -ENXIO; } ++#endif ++ ++static int pca953x_acpi_get_irq(struct device *dev) ++{ ++ int pin, ret; ++ ++ pin = pca953x_acpi_find_pin(dev); ++ if (pin < 0) ++ return pin; ++ ++ dev_info(dev, "Applying ACPI interrupt quirk (GPIO %d)\n", pin); ++ ++ if (!gpio_is_valid(pin)) ++ return -EINVAL; ++ ++ ret = gpio_request(pin, "pca953x interrupt"); ++ if (ret) ++ return ret; ++ ++ return gpio_to_irq(pin); ++} ++#endif ++ + static const struct acpi_device_id pca953x_acpi_ids[] = { + { "INT3491", 16 | PCA953X_TYPE | PCA_LATCH_INT, }, + { } +@@ -744,6 +817,12 @@ static int pca953x_irq_setup(struct pca953x_chip *chip, int irq_base) + DECLARE_BITMAP(irq_stat, MAX_LINE); + int ret; + ++ if (dmi_first_match(pca953x_dmi_acpi_irq_info)) { ++ ret = pca953x_acpi_get_irq(&client->dev); ++ if (ret > 0) ++ client->irq = ret; ++ } ++ + if (!client->irq) + return 0; + +-- +2.25.1 + diff --git a/queue-5.7/gpio-pca953x-synchronize-interrupt-handler-properly.patch b/queue-5.7/gpio-pca953x-synchronize-interrupt-handler-properly.patch new file mode 100644 index 00000000000..7b36f17d3d9 --- /dev/null +++ b/queue-5.7/gpio-pca953x-synchronize-interrupt-handler-properly.patch @@ -0,0 +1,109 @@ +From 3b1aec5087e2ad1c2504fdbe4a96a3ad358c4087 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Jun 2020 16:40:33 +0300 +Subject: gpio: pca953x: Synchronize interrupt handler properly + +From: Andy Shevchenko + +[ Upstream commit 064c73afe7385de99e5b2785b88c83dc5d84403b ] + +Since the commit aa58a21ae378 ("gpio: pca953x: disable regmap locking") +the locking of regmap is disabled and that immediately introduces +a synchronization issue. It's easy to see when we try to monitor +more than one interrupt from the same chip. + +It seems that the problem exists from the day one and even commit +6e20fb18054c ("drivers/gpio/pca953x.c: add a mutex to fix race condition") +missed this. + +Below are the traces and shell reproducers before and after proposed change. +Note duplicates in the IRQ events. /proc/interrupts also shows a deviation, +i.e. sum of children interrupts higher than parent's one. + +When locking is disabled for regmap and no protection in IRQ handler +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + ... + gpioset-194 regmap_hw_write_start: i2c-INT3491:02 reg=2 count=1 + irq/31-i2c-INT3-139 regmap_hw_read_start: i2c-INT3491:02 reg=4c count=2 + gpioset-194 regmap_hw_write_done: i2c-INT3491:02 reg=2 count=1 + gpioset-194 regmap_reg_read_cache: i2c-INT3491:02 reg=6 val=f5 + gpioset-194 regmap_reg_write: i2c-INT3491:02 reg=6 val=f5 + gpioset-194 regmap_hw_write_start: i2c-INT3491:02 reg=6 count=1 + irq/31-i2c-INT3-139 regmap_hw_read_done: i2c-INT3491:02 reg=4c count=2 + ... + + % gpiomon gpiochip3 0 & + % gpioset gpiochip3 1=0 + % gpioset gpiochip3 1=1 + event: RISING EDGE offset: 0 timestamp: [ 302.782583765] + % gpiomon gpiochip3 2 & + % gpioset gpiochip3 1=0 + event: RISING EDGE offset: 2 timestamp: [ 312.033148829] + event: FALLING EDGE offset: 0 timestamp: [ 312.022757525] + % gpioset gpiochip3 1=1 + event: RISING EDGE offset: 2 timestamp: [ 316.201148473] + event: RISING EDGE offset: 0 timestamp: [ 316.191759599] + +When locking is disabled for regmap and protection in IRQ handler +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + ... + gpioset-202 regmap_hw_write_start: i2c-INT3491:02 reg=2 count=1 + gpioset-202 regmap_hw_write_done: i2c-INT3491:02 reg=2 count=1 + gpioset-202 regmap_reg_read_cache: i2c-INT3491:02 reg=6 val=fd + gpioset-202 regmap_reg_write: i2c-INT3491:02 reg=6 val=fd + gpioset-202 regmap_hw_write_start: i2c-INT3491:02 reg=6 count=1 + gpioset-202 regmap_hw_write_done: i2c-INT3491:02 reg=6 count=1 + irq/31-i2c-INT3-139 regmap_hw_read_start: i2c-INT3491:02 reg=4c count=2 + irq/31-i2c-INT3-139 regmap_hw_read_done: i2c-INT3491:02 reg=4c count=2 + ... + + % gpiomon gpiochip3 0 & + % gpioset gpiochip3 1=0 + event: FALLING EDGE offset: 0 timestamp: [ 531.330078107] + % gpioset gpiochip3 1=1 + event: RISING EDGE offset: 0 timestamp: [ 532.912239128] + % gpiomon gpiochip3 2 & + % gpioset gpiochip3 1=0 + event: FALLING EDGE offset: 0 timestamp: [ 539.633669484] + % gpioset gpiochip3 1=1 + event: RISING EDGE offset: 0 timestamp: [ 542.256978461] + +Fixes: 6e20fb18054c ("drivers/gpio/pca953x.c: add a mutex to fix race condition") +Depends-on: 35d13d94893f ("gpio: pca953x: convert to use bitmap API") +Depends-on: 49427232764d ("gpio: pca953x: Perform basic regmap conversion") +Cc: Marek Vasut +Cc: Roland Stigge +Signed-off-by: Andy Shevchenko +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-pca953x.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpio/gpio-pca953x.c b/drivers/gpio/gpio-pca953x.c +index 01011a780688a..d8ba6c5195be7 100644 +--- a/drivers/gpio/gpio-pca953x.c ++++ b/drivers/gpio/gpio-pca953x.c +@@ -724,14 +724,16 @@ static irqreturn_t pca953x_irq_handler(int irq, void *devid) + struct gpio_chip *gc = &chip->gpio_chip; + DECLARE_BITMAP(pending, MAX_LINE); + int level; ++ bool ret; + +- if (!pca953x_irq_pending(chip, pending)) +- return IRQ_NONE; ++ mutex_lock(&chip->i2c_lock); ++ ret = pca953x_irq_pending(chip, pending); ++ mutex_unlock(&chip->i2c_lock); + + for_each_set_bit(level, pending, gc->ngpio) + handle_nested_irq(irq_find_mapping(gc->irq.domain, level)); + +- return IRQ_HANDLED; ++ return IRQ_RETVAL(ret); + } + + static int pca953x_irq_setup(struct pca953x_chip *chip, int irq_base) +-- +2.25.1 + diff --git a/queue-5.7/ib-mlx5-fix-50g-per-lane-indication.patch b/queue-5.7/ib-mlx5-fix-50g-per-lane-indication.patch new file mode 100644 index 00000000000..60bfffdd72b --- /dev/null +++ b/queue-5.7/ib-mlx5-fix-50g-per-lane-indication.patch @@ -0,0 +1,47 @@ +From 66858e95f56b3551e9fff85010a84a9c8717f681 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Jul 2020 14:06:11 +0300 +Subject: IB/mlx5: Fix 50G per lane indication + +From: Aya Levin + +[ Upstream commit 530c8632b547ff72f11ff83654b22462a73f1f7b ] + +Some released FW versions mistakenly don't set the capability that 50G per +lane link-modes are supported for VFs (ptys_extended_ethernet capability +bit). + +Use PTYS.ext_eth_proto_capability instead, as this indication is always +accurate. If PTYS.ext_eth_proto_capability is valid +(has a non-zero value) conclude that the HCA supports 50G per lane. + +Otherwise, conclude that the HCA doesn't support 50G per lane. + +Fixes: 08e8676f1607 ("IB/mlx5: Add support for 50Gbps per lane link modes") +Link: https://lore.kernel.org/r/20200707110612.882962-3-leon@kernel.org +Signed-off-by: Aya Levin +Reviewed-by: Eran Ben Elisha +Reviewed-by: Saeed Mahameed +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx5/main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c +index 6679756506e60..820e407b3e260 100644 +--- a/drivers/infiniband/hw/mlx5/main.c ++++ b/drivers/infiniband/hw/mlx5/main.c +@@ -515,7 +515,7 @@ static int mlx5_query_port_roce(struct ib_device *device, u8 port_num, + mdev_port_num); + if (err) + goto out; +- ext = MLX5_CAP_PCAM_FEATURE(dev->mdev, ptys_extended_ethernet); ++ ext = !!MLX5_GET_ETH_PROTO(ptys_reg, out, true, eth_proto_capability); + eth_prot_oper = MLX5_GET_ETH_PROTO(ptys_reg, out, ext, eth_proto_oper); + + props->active_width = IB_WIDTH_4X; +-- +2.25.1 + diff --git a/queue-5.7/ib-sa-resolv-use-after-free-in-ib_nl_make_request.patch b/queue-5.7/ib-sa-resolv-use-after-free-in-ib_nl_make_request.patch new file mode 100644 index 00000000000..3ed67d99c43 --- /dev/null +++ b/queue-5.7/ib-sa-resolv-use-after-free-in-ib_nl_make_request.patch @@ -0,0 +1,130 @@ +From 6c31a61bdb42c1288d4a166c9e5042f4e144a20f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Jun 2020 19:13:09 -0700 +Subject: IB/sa: Resolv use-after-free in ib_nl_make_request() + +From: Divya Indi + +[ Upstream commit f427f4d6214c183c474eeb46212d38e6c7223d6a ] + +There is a race condition where ib_nl_make_request() inserts the request +data into the linked list but the timer in ib_nl_request_timeout() can see +it and destroy it before ib_nl_send_msg() is done touching it. This could +happen, for instance, if there is a long delay allocating memory during +nlmsg_new() + +This causes a use-after-free in the send_mad() thread: + + [] ? ib_pack+0x17b/0x240 [ib_core] + [ ] ib_sa_path_rec_get+0x181/0x200 [ib_sa] + [] rdma_resolve_route+0x3c0/0x8d0 [rdma_cm] + [] ? cma_bind_port+0xa0/0xa0 [rdma_cm] + [] ? rds_rdma_cm_event_handler_cmn+0x850/0x850 [rds_rdma] + [] rds_rdma_cm_event_handler_cmn+0x22c/0x850 [rds_rdma] + [] rds_rdma_cm_event_handler+0x10/0x20 [rds_rdma] + [] addr_handler+0x9e/0x140 [rdma_cm] + [] process_req+0x134/0x190 [ib_addr] + [] process_one_work+0x169/0x4a0 + [] worker_thread+0x5b/0x560 + [] ? flush_delayed_work+0x50/0x50 + [] kthread+0xcb/0xf0 + [] ? __schedule+0x24a/0x810 + [] ? __schedule+0x24a/0x810 + [] ? kthread_create_on_node+0x180/0x180 + [] ret_from_fork+0x47/0x90 + [] ? kthread_create_on_node+0x180/0x180 + +The ownership rule is once the request is on the list, ownership transfers +to the list and the local thread can't touch it any more, just like for +the normal MAD case in send_mad(). + +Thus, instead of adding before send and then trying to delete after on +errors, move the entire thing under the spinlock so that the send and +update of the lists are atomic to the conurrent threads. Lightly reoganize +things so spinlock safe memory allocations are done in the final NL send +path and the rest of the setup work is done before and outside the lock. + +Fixes: 3ebd2fd0d011 ("IB/sa: Put netlink request into the request list before sending") +Link: https://lore.kernel.org/r/1592964789-14533-1-git-send-email-divya.indi@oracle.com +Signed-off-by: Divya Indi +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/sa_query.c | 38 +++++++++++++----------------- + 1 file changed, 17 insertions(+), 21 deletions(-) + +diff --git a/drivers/infiniband/core/sa_query.c b/drivers/infiniband/core/sa_query.c +index 74e0058fcf9e1..0c14ab2244d47 100644 +--- a/drivers/infiniband/core/sa_query.c ++++ b/drivers/infiniband/core/sa_query.c +@@ -829,13 +829,20 @@ static int ib_nl_get_path_rec_attrs_len(ib_sa_comp_mask comp_mask) + return len; + } + +-static int ib_nl_send_msg(struct ib_sa_query *query, gfp_t gfp_mask) ++static int ib_nl_make_request(struct ib_sa_query *query, gfp_t gfp_mask) + { + struct sk_buff *skb = NULL; + struct nlmsghdr *nlh; + void *data; + struct ib_sa_mad *mad; + int len; ++ unsigned long flags; ++ unsigned long delay; ++ gfp_t gfp_flag; ++ int ret; ++ ++ INIT_LIST_HEAD(&query->list); ++ query->seq = (u32)atomic_inc_return(&ib_nl_sa_request_seq); + + mad = query->mad_buf->mad; + len = ib_nl_get_path_rec_attrs_len(mad->sa_hdr.comp_mask); +@@ -860,36 +867,25 @@ static int ib_nl_send_msg(struct ib_sa_query *query, gfp_t gfp_mask) + /* Repair the nlmsg header length */ + nlmsg_end(skb, nlh); + +- return rdma_nl_multicast(&init_net, skb, RDMA_NL_GROUP_LS, gfp_mask); +-} ++ gfp_flag = ((gfp_mask & GFP_ATOMIC) == GFP_ATOMIC) ? GFP_ATOMIC : ++ GFP_NOWAIT; + +-static int ib_nl_make_request(struct ib_sa_query *query, gfp_t gfp_mask) +-{ +- unsigned long flags; +- unsigned long delay; +- int ret; ++ spin_lock_irqsave(&ib_nl_request_lock, flags); ++ ret = rdma_nl_multicast(&init_net, skb, RDMA_NL_GROUP_LS, gfp_flag); + +- INIT_LIST_HEAD(&query->list); +- query->seq = (u32)atomic_inc_return(&ib_nl_sa_request_seq); ++ if (ret) ++ goto out; + +- /* Put the request on the list first.*/ +- spin_lock_irqsave(&ib_nl_request_lock, flags); ++ /* Put the request on the list.*/ + delay = msecs_to_jiffies(sa_local_svc_timeout_ms); + query->timeout = delay + jiffies; + list_add_tail(&query->list, &ib_nl_request_list); + /* Start the timeout if this is the only request */ + if (ib_nl_request_list.next == &query->list) + queue_delayed_work(ib_nl_wq, &ib_nl_timed_work, delay); +- spin_unlock_irqrestore(&ib_nl_request_lock, flags); + +- ret = ib_nl_send_msg(query, gfp_mask); +- if (ret) { +- ret = -EIO; +- /* Remove the request */ +- spin_lock_irqsave(&ib_nl_request_lock, flags); +- list_del(&query->list); +- spin_unlock_irqrestore(&ib_nl_request_lock, flags); +- } ++out: ++ spin_unlock_irqrestore(&ib_nl_request_lock, flags); + + return ret; + } +-- +2.25.1 + diff --git a/queue-5.7/ionic-centralize-queue-reset-code.patch b/queue-5.7/ionic-centralize-queue-reset-code.patch new file mode 100644 index 00000000000..d58ecbcc13e --- /dev/null +++ b/queue-5.7/ionic-centralize-queue-reset-code.patch @@ -0,0 +1,204 @@ +From 3646fff269439041b6b4f9e9e596fade063e6e23 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Jul 2020 14:13:26 -0700 +Subject: ionic: centralize queue reset code + +From: Shannon Nelson + +[ Upstream commit 086c18f2452d0028f81e319f098bcb8e53133dbf ] + +The queue reset pattern is used in a couple different places, +only slightly different from each other, and could cause +issues if one gets changed and the other didn't. This puts +them together so that only one version is needed, yet each +can have slighty different effects by passing in a pointer +to a work function to do whatever configuration twiddling is +needed in the middle of the reset. + +This specifically addresses issues seen where under loops +of changing ring size or queue count parameters we could +occasionally bump into the netdev watchdog. + +v2: added more commit message commentary + +Fixes: 4d03e00a2140 ("ionic: Add initial ethtool support") +Signed-off-by: Shannon Nelson +Acked-by: Jakub Kicinski +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../ethernet/pensando/ionic/ionic_ethtool.c | 52 ++++++------------- + .../net/ethernet/pensando/ionic/ionic_lif.c | 17 ++++-- + .../net/ethernet/pensando/ionic/ionic_lif.h | 4 +- + 3 files changed, 32 insertions(+), 41 deletions(-) + +diff --git a/drivers/net/ethernet/pensando/ionic/ionic_ethtool.c b/drivers/net/ethernet/pensando/ionic/ionic_ethtool.c +index 6996229facfd4..22430fa911e2c 100644 +--- a/drivers/net/ethernet/pensando/ionic/ionic_ethtool.c ++++ b/drivers/net/ethernet/pensando/ionic/ionic_ethtool.c +@@ -464,12 +464,18 @@ static void ionic_get_ringparam(struct net_device *netdev, + ring->rx_pending = lif->nrxq_descs; + } + ++static void ionic_set_ringsize(struct ionic_lif *lif, void *arg) ++{ ++ struct ethtool_ringparam *ring = arg; ++ ++ lif->ntxq_descs = ring->tx_pending; ++ lif->nrxq_descs = ring->rx_pending; ++} ++ + static int ionic_set_ringparam(struct net_device *netdev, + struct ethtool_ringparam *ring) + { + struct ionic_lif *lif = netdev_priv(netdev); +- bool running; +- int err; + + if (ring->rx_mini_pending || ring->rx_jumbo_pending) { + netdev_info(netdev, "Changing jumbo or mini descriptors not supported\n"); +@@ -487,22 +493,7 @@ static int ionic_set_ringparam(struct net_device *netdev, + ring->rx_pending == lif->nrxq_descs) + return 0; + +- err = ionic_wait_for_bit(lif, IONIC_LIF_F_QUEUE_RESET); +- if (err) +- return err; +- +- running = test_bit(IONIC_LIF_F_UP, lif->state); +- if (running) +- ionic_stop(netdev); +- +- lif->ntxq_descs = ring->tx_pending; +- lif->nrxq_descs = ring->rx_pending; +- +- if (running) +- ionic_open(netdev); +- clear_bit(IONIC_LIF_F_QUEUE_RESET, lif->state); +- +- return 0; ++ return ionic_reset_queues(lif, ionic_set_ringsize, ring); + } + + static void ionic_get_channels(struct net_device *netdev, +@@ -517,12 +508,17 @@ static void ionic_get_channels(struct net_device *netdev, + ch->combined_count = lif->nxqs; + } + ++static void ionic_set_queuecount(struct ionic_lif *lif, void *arg) ++{ ++ struct ethtool_channels *ch = arg; ++ ++ lif->nxqs = ch->combined_count; ++} ++ + static int ionic_set_channels(struct net_device *netdev, + struct ethtool_channels *ch) + { + struct ionic_lif *lif = netdev_priv(netdev); +- bool running; +- int err; + + if (!ch->combined_count || ch->other_count || + ch->rx_count || ch->tx_count) +@@ -531,21 +527,7 @@ static int ionic_set_channels(struct net_device *netdev, + if (ch->combined_count == lif->nxqs) + return 0; + +- err = ionic_wait_for_bit(lif, IONIC_LIF_F_QUEUE_RESET); +- if (err) +- return err; +- +- running = test_bit(IONIC_LIF_F_UP, lif->state); +- if (running) +- ionic_stop(netdev); +- +- lif->nxqs = ch->combined_count; +- +- if (running) +- ionic_open(netdev); +- clear_bit(IONIC_LIF_F_QUEUE_RESET, lif->state); +- +- return 0; ++ return ionic_reset_queues(lif, ionic_set_queuecount, ch); + } + + static u32 ionic_get_priv_flags(struct net_device *netdev) +diff --git a/drivers/net/ethernet/pensando/ionic/ionic_lif.c b/drivers/net/ethernet/pensando/ionic/ionic_lif.c +index 790d4854b8ef5..b591bec0301cc 100644 +--- a/drivers/net/ethernet/pensando/ionic/ionic_lif.c ++++ b/drivers/net/ethernet/pensando/ionic/ionic_lif.c +@@ -1301,7 +1301,7 @@ static int ionic_change_mtu(struct net_device *netdev, int new_mtu) + return err; + + netdev->mtu = new_mtu; +- err = ionic_reset_queues(lif); ++ err = ionic_reset_queues(lif, NULL, NULL); + + return err; + } +@@ -1313,7 +1313,7 @@ static void ionic_tx_timeout_work(struct work_struct *ws) + netdev_info(lif->netdev, "Tx Timeout recovery\n"); + + rtnl_lock(); +- ionic_reset_queues(lif); ++ ionic_reset_queues(lif, NULL, NULL); + rtnl_unlock(); + } + +@@ -1944,7 +1944,7 @@ static const struct net_device_ops ionic_netdev_ops = { + .ndo_get_vf_stats = ionic_get_vf_stats, + }; + +-int ionic_reset_queues(struct ionic_lif *lif) ++int ionic_reset_queues(struct ionic_lif *lif, ionic_reset_cb cb, void *arg) + { + bool running; + int err = 0; +@@ -1957,12 +1957,19 @@ int ionic_reset_queues(struct ionic_lif *lif) + if (running) { + netif_device_detach(lif->netdev); + err = ionic_stop(lif->netdev); ++ if (err) ++ goto reset_out; + } +- if (!err && running) { +- ionic_open(lif->netdev); ++ ++ if (cb) ++ cb(lif, arg); ++ ++ if (running) { ++ err = ionic_open(lif->netdev); + netif_device_attach(lif->netdev); + } + ++reset_out: + clear_bit(IONIC_LIF_F_QUEUE_RESET, lif->state); + + return err; +diff --git a/drivers/net/ethernet/pensando/ionic/ionic_lif.h b/drivers/net/ethernet/pensando/ionic/ionic_lif.h +index 5d4ffda5c05f2..2c65cf6300dbd 100644 +--- a/drivers/net/ethernet/pensando/ionic/ionic_lif.h ++++ b/drivers/net/ethernet/pensando/ionic/ionic_lif.h +@@ -226,6 +226,8 @@ static inline u32 ionic_coal_hw_to_usec(struct ionic *ionic, u32 units) + return (units * div) / mult; + } + ++typedef void (*ionic_reset_cb)(struct ionic_lif *lif, void *arg); ++ + void ionic_link_status_check_request(struct ionic_lif *lif); + void ionic_lif_deferred_enqueue(struct ionic_deferred *def, + struct ionic_deferred_work *work); +@@ -243,7 +245,7 @@ int ionic_lif_rss_config(struct ionic_lif *lif, u16 types, + + int ionic_open(struct net_device *netdev); + int ionic_stop(struct net_device *netdev); +-int ionic_reset_queues(struct ionic_lif *lif); ++int ionic_reset_queues(struct ionic_lif *lif, ionic_reset_cb cb, void *arg); + + static inline void debug_stats_txq_post(struct ionic_qcq *qcq, + struct ionic_txq_desc *desc, bool dbell) +-- +2.25.1 + diff --git a/queue-5.7/kvm-arm64-vgic-v4-plug-race-between-non-residency-an.patch b/queue-5.7/kvm-arm64-vgic-v4-plug-race-between-non-residency-an.patch new file mode 100644 index 00000000000..c2f987b23f5 --- /dev/null +++ b/queue-5.7/kvm-arm64-vgic-v4-plug-race-between-non-residency-an.patch @@ -0,0 +1,87 @@ +From 3f12f12596c8fadd25f765a65e43b18c72fa9880 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Jun 2020 10:44:08 +0100 +Subject: KVM: arm64: vgic-v4: Plug race between non-residency and v4.1 + doorbell + +From: Marc Zyngier + +[ Upstream commit a3f574cd65487cd993f79ab235d70229d9302c1e ] + +When making a vPE non-resident because it has hit a blocking WFI, +the doorbell can fire at any time after the write to the RD. +Crucially, it can fire right between the write to GICR_VPENDBASER +and the write to the pending_last field in the its_vpe structure. + +This means that we would overwrite pending_last with stale data, +and potentially not wakeup until some unrelated event (such as +a timer interrupt) puts the vPE back on the CPU. + +GICv4 isn't affected by this as we actively mask the doorbell on +entering the guest, while GICv4.1 automatically manages doorbell +delivery without any hypervisor-driven masking. + +Use the vpe_lock to synchronize such update, which solves the +problem altogether. + +Fixes: ae699ad348cdc ("irqchip/gic-v4.1: Move doorbell management to the GICv4 abstraction layer") +Reported-by: Zenghui Yu +Signed-off-by: Marc Zyngier +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-gic-v3-its.c | 8 ++++++++ + virt/kvm/arm/vgic/vgic-v4.c | 8 ++++++++ + 2 files changed, 16 insertions(+) + +diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c +index b3e16a06c13b7..b99e3105bf9fe 100644 +--- a/drivers/irqchip/irq-gic-v3-its.c ++++ b/drivers/irqchip/irq-gic-v3-its.c +@@ -3938,16 +3938,24 @@ static void its_vpe_4_1_deschedule(struct its_vpe *vpe, + u64 val; + + if (info->req_db) { ++ unsigned long flags; ++ + /* + * vPE is going to block: make the vPE non-resident with + * PendingLast clear and DB set. The GIC guarantees that if + * we read-back PendingLast clear, then a doorbell will be + * delivered when an interrupt comes. ++ * ++ * Note the locking to deal with the concurrent update of ++ * pending_last from the doorbell interrupt handler that can ++ * run concurrently. + */ ++ raw_spin_lock_irqsave(&vpe->vpe_lock, flags); + val = its_clear_vpend_valid(vlpi_base, + GICR_VPENDBASER_PendingLast, + GICR_VPENDBASER_4_1_DB); + vpe->pending_last = !!(val & GICR_VPENDBASER_PendingLast); ++ raw_spin_unlock_irqrestore(&vpe->vpe_lock, flags); + } else { + /* + * We're not blocking, so just make the vPE non-resident +diff --git a/virt/kvm/arm/vgic/vgic-v4.c b/virt/kvm/arm/vgic/vgic-v4.c +index 27ac833e5ec7c..b5fa73c9fd355 100644 +--- a/virt/kvm/arm/vgic/vgic-v4.c ++++ b/virt/kvm/arm/vgic/vgic-v4.c +@@ -90,7 +90,15 @@ static irqreturn_t vgic_v4_doorbell_handler(int irq, void *info) + !irqd_irq_disabled(&irq_to_desc(irq)->irq_data)) + disable_irq_nosync(irq); + ++ /* ++ * The v4.1 doorbell can fire concurrently with the vPE being ++ * made non-resident. Ensure we only update pending_last ++ * *after* the non-residency sequence has completed. ++ */ ++ raw_spin_lock(&vcpu->arch.vgic_cpu.vgic_v3.its_vpe.vpe_lock); + vcpu->arch.vgic_cpu.vgic_v3.its_vpe.pending_last = true; ++ raw_spin_unlock(&vcpu->arch.vgic_cpu.vgic_v3.its_vpe.vpe_lock); ++ + kvm_make_request(KVM_REQ_IRQ_PENDING, vcpu); + kvm_vcpu_kick(vcpu); + +-- +2.25.1 + diff --git a/queue-5.7/mac80211-fix-dropping-broadcast-packets-in-802.11-en.patch b/queue-5.7/mac80211-fix-dropping-broadcast-packets-in-802.11-en.patch new file mode 100644 index 00000000000..5eb3e80f8c6 --- /dev/null +++ b/queue-5.7/mac80211-fix-dropping-broadcast-packets-in-802.11-en.patch @@ -0,0 +1,37 @@ +From 6a15c4ff10bc8e928a9703a2af94716b1a08056b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Jun 2020 15:45:54 +0530 +Subject: mac80211: Fix dropping broadcast packets in 802.11 encap + +From: Seevalamuthu Mariappan + +[ Upstream commit 78fb5b541b7ae57ac39187ccb3097e606004cf9b ] + +Broadcast pkts like arp are getting dropped in 'ieee80211_8023_xmit'. +Fix this by replacing is_valid_ether_addr api with is_zero_ether_addr. + +Fixes: 50ff477a8639 ("mac80211: add 802.11 encapsulation offloading support") +Signed-off-by: Seevalamuthu Mariappan +Link: https://lore.kernel.org/r/1591697754-4975-1-git-send-email-seevalam@codeaurora.org +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/tx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c +index 82846aca86d96..6ab33d9904eec 100644 +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -4192,7 +4192,7 @@ static void ieee80211_8023_xmit(struct ieee80211_sub_if_data *sdata, + (!sta || !test_sta_flag(sta, WLAN_STA_TDLS_PEER))) + ra = sdata->u.mgd.bssid; + +- if (!is_valid_ether_addr(ra)) ++ if (is_zero_ether_addr(ra)) + goto out_free; + + multicast = is_multicast_ether_addr(ra); +-- +2.25.1 + diff --git a/queue-5.7/mlxsw-pci-fix-use-after-free-in-case-of-failed-devli.patch b/queue-5.7/mlxsw-pci-fix-use-after-free-in-case-of-failed-devli.patch new file mode 100644 index 00000000000..1fb537717cd --- /dev/null +++ b/queue-5.7/mlxsw-pci-fix-use-after-free-in-case-of-failed-devli.patch @@ -0,0 +1,195 @@ +From 1859e90788702ec05f898523972190cc8a23eb44 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Jul 2020 16:41:39 +0300 +Subject: mlxsw: pci: Fix use-after-free in case of failed devlink reload + +From: Ido Schimmel + +[ Upstream commit c4317b11675b99af6641662ebcbd3c6010600e64 ] + +In case devlink reload failed, it is possible to trigger a +use-after-free when querying the kernel for device info via 'devlink dev +info' [1]. + +This happens because as part of the reload error path the PCI command +interface is de-initialized and its mailboxes are freed. When the +devlink '->info_get()' callback is invoked the device is queried via the +command interface and the freed mailboxes are accessed. + +Fix this by initializing the command interface once during probe and not +during every reload. + +This is consistent with the other bus used by mlxsw (i.e., 'mlxsw_i2c') +and also allows user space to query the running firmware version (for +example) from the device after a failed reload. + +[1] +BUG: KASAN: use-after-free in memcpy include/linux/string.h:406 [inline] +BUG: KASAN: use-after-free in mlxsw_pci_cmd_exec+0x177/0xa60 drivers/net/ethernet/mellanox/mlxsw/pci.c:1675 +Write of size 4096 at addr ffff88810ae32000 by task syz-executor.1/2355 + +CPU: 1 PID: 2355 Comm: syz-executor.1 Not tainted 5.8.0-rc2+ #29 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0xf6/0x16e lib/dump_stack.c:118 + print_address_description.constprop.0+0x1c/0x250 mm/kasan/report.c:383 + __kasan_report mm/kasan/report.c:513 [inline] + kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530 + check_memory_region_inline mm/kasan/generic.c:186 [inline] + check_memory_region+0x14e/0x1b0 mm/kasan/generic.c:192 + memcpy+0x39/0x60 mm/kasan/common.c:106 + memcpy include/linux/string.h:406 [inline] + mlxsw_pci_cmd_exec+0x177/0xa60 drivers/net/ethernet/mellanox/mlxsw/pci.c:1675 + mlxsw_cmd_exec+0x249/0x550 drivers/net/ethernet/mellanox/mlxsw/core.c:2335 + mlxsw_cmd_access_reg drivers/net/ethernet/mellanox/mlxsw/cmd.h:859 [inline] + mlxsw_core_reg_access_cmd drivers/net/ethernet/mellanox/mlxsw/core.c:1938 [inline] + mlxsw_core_reg_access+0x2f6/0x540 drivers/net/ethernet/mellanox/mlxsw/core.c:1985 + mlxsw_reg_query drivers/net/ethernet/mellanox/mlxsw/core.c:2000 [inline] + mlxsw_devlink_info_get+0x17f/0x6e0 drivers/net/ethernet/mellanox/mlxsw/core.c:1090 + devlink_nl_info_fill.constprop.0+0x13c/0x2d0 net/core/devlink.c:4588 + devlink_nl_cmd_info_get_dumpit+0x246/0x460 net/core/devlink.c:4648 + genl_lock_dumpit+0x85/0xc0 net/netlink/genetlink.c:575 + netlink_dump+0x515/0xe50 net/netlink/af_netlink.c:2245 + __netlink_dump_start+0x53d/0x830 net/netlink/af_netlink.c:2353 + genl_family_rcv_msg_dumpit.isra.0+0x296/0x300 net/netlink/genetlink.c:638 + genl_family_rcv_msg net/netlink/genetlink.c:733 [inline] + genl_rcv_msg+0x78d/0x9d0 net/netlink/genetlink.c:753 + netlink_rcv_skb+0x152/0x440 net/netlink/af_netlink.c:2469 + genl_rcv+0x24/0x40 net/netlink/genetlink.c:764 + netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline] + netlink_unicast+0x53a/0x750 net/netlink/af_netlink.c:1329 + netlink_sendmsg+0x850/0xd90 net/netlink/af_netlink.c:1918 + sock_sendmsg_nosec net/socket.c:652 [inline] + sock_sendmsg+0x150/0x190 net/socket.c:672 + ____sys_sendmsg+0x6d8/0x840 net/socket.c:2363 + ___sys_sendmsg+0xff/0x170 net/socket.c:2417 + __sys_sendmsg+0xe5/0x1b0 net/socket.c:2450 + do_syscall_64+0x56/0xa0 arch/x86/entry/common.c:359 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Fixes: a9c8336f6544 ("mlxsw: core: Add support for devlink info command") +Signed-off-by: Ido Schimmel +Reviewed-by: Jiri Pirko +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlxsw/pci.c | 54 ++++++++++++++++------- + 1 file changed, 38 insertions(+), 16 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlxsw/pci.c b/drivers/net/ethernet/mellanox/mlxsw/pci.c +index fd0e97de44e7a..c04ec1a928260 100644 +--- a/drivers/net/ethernet/mellanox/mlxsw/pci.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/pci.c +@@ -1414,23 +1414,12 @@ static int mlxsw_pci_init(void *bus_priv, struct mlxsw_core *mlxsw_core, + u16 num_pages; + int err; + +- mutex_init(&mlxsw_pci->cmd.lock); +- init_waitqueue_head(&mlxsw_pci->cmd.wait); +- + mlxsw_pci->core = mlxsw_core; + + mbox = mlxsw_cmd_mbox_alloc(); + if (!mbox) + return -ENOMEM; + +- err = mlxsw_pci_mbox_alloc(mlxsw_pci, &mlxsw_pci->cmd.in_mbox); +- if (err) +- goto mbox_put; +- +- err = mlxsw_pci_mbox_alloc(mlxsw_pci, &mlxsw_pci->cmd.out_mbox); +- if (err) +- goto err_out_mbox_alloc; +- + err = mlxsw_pci_sw_reset(mlxsw_pci, mlxsw_pci->id); + if (err) + goto err_sw_reset; +@@ -1537,9 +1526,6 @@ static int mlxsw_pci_init(void *bus_priv, struct mlxsw_core *mlxsw_core, + mlxsw_pci_free_irq_vectors(mlxsw_pci); + err_alloc_irq: + err_sw_reset: +- mlxsw_pci_mbox_free(mlxsw_pci, &mlxsw_pci->cmd.out_mbox); +-err_out_mbox_alloc: +- mlxsw_pci_mbox_free(mlxsw_pci, &mlxsw_pci->cmd.in_mbox); + mbox_put: + mlxsw_cmd_mbox_free(mbox); + return err; +@@ -1553,8 +1539,6 @@ static void mlxsw_pci_fini(void *bus_priv) + mlxsw_pci_aqs_fini(mlxsw_pci); + mlxsw_pci_fw_area_fini(mlxsw_pci); + mlxsw_pci_free_irq_vectors(mlxsw_pci); +- mlxsw_pci_mbox_free(mlxsw_pci, &mlxsw_pci->cmd.out_mbox); +- mlxsw_pci_mbox_free(mlxsw_pci, &mlxsw_pci->cmd.in_mbox); + } + + static struct mlxsw_pci_queue * +@@ -1776,6 +1760,37 @@ static const struct mlxsw_bus mlxsw_pci_bus = { + .features = MLXSW_BUS_F_TXRX | MLXSW_BUS_F_RESET, + }; + ++static int mlxsw_pci_cmd_init(struct mlxsw_pci *mlxsw_pci) ++{ ++ int err; ++ ++ mutex_init(&mlxsw_pci->cmd.lock); ++ init_waitqueue_head(&mlxsw_pci->cmd.wait); ++ ++ err = mlxsw_pci_mbox_alloc(mlxsw_pci, &mlxsw_pci->cmd.in_mbox); ++ if (err) ++ goto err_in_mbox_alloc; ++ ++ err = mlxsw_pci_mbox_alloc(mlxsw_pci, &mlxsw_pci->cmd.out_mbox); ++ if (err) ++ goto err_out_mbox_alloc; ++ ++ return 0; ++ ++err_out_mbox_alloc: ++ mlxsw_pci_mbox_free(mlxsw_pci, &mlxsw_pci->cmd.in_mbox); ++err_in_mbox_alloc: ++ mutex_destroy(&mlxsw_pci->cmd.lock); ++ return err; ++} ++ ++static void mlxsw_pci_cmd_fini(struct mlxsw_pci *mlxsw_pci) ++{ ++ mlxsw_pci_mbox_free(mlxsw_pci, &mlxsw_pci->cmd.out_mbox); ++ mlxsw_pci_mbox_free(mlxsw_pci, &mlxsw_pci->cmd.in_mbox); ++ mutex_destroy(&mlxsw_pci->cmd.lock); ++} ++ + static int mlxsw_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id) + { + const char *driver_name = pdev->driver->name; +@@ -1831,6 +1846,10 @@ static int mlxsw_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id) + mlxsw_pci->pdev = pdev; + pci_set_drvdata(pdev, mlxsw_pci); + ++ err = mlxsw_pci_cmd_init(mlxsw_pci); ++ if (err) ++ goto err_pci_cmd_init; ++ + mlxsw_pci->bus_info.device_kind = driver_name; + mlxsw_pci->bus_info.device_name = pci_name(mlxsw_pci->pdev); + mlxsw_pci->bus_info.dev = &pdev->dev; +@@ -1848,6 +1867,8 @@ static int mlxsw_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id) + return 0; + + err_bus_device_register: ++ mlxsw_pci_cmd_fini(mlxsw_pci); ++err_pci_cmd_init: + iounmap(mlxsw_pci->hw_addr); + err_ioremap: + err_pci_resource_len_check: +@@ -1865,6 +1886,7 @@ static void mlxsw_pci_remove(struct pci_dev *pdev) + struct mlxsw_pci *mlxsw_pci = pci_get_drvdata(pdev); + + mlxsw_core_bus_device_unregister(mlxsw_pci->core, false); ++ mlxsw_pci_cmd_fini(mlxsw_pci); + iounmap(mlxsw_pci->hw_addr); + pci_release_regions(mlxsw_pci->pdev); + pci_disable_device(mlxsw_pci->pdev); +-- +2.25.1 + diff --git a/queue-5.7/mlxsw-spectrum_router-remove-inappropriate-usage-of-.patch b/queue-5.7/mlxsw-spectrum_router-remove-inappropriate-usage-of-.patch new file mode 100644 index 00000000000..d4c792a1fe2 --- /dev/null +++ b/queue-5.7/mlxsw-spectrum_router-remove-inappropriate-usage-of-.patch @@ -0,0 +1,49 @@ +From f535260ab3a815523df419be3c0260795742afca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Jul 2020 16:41:38 +0300 +Subject: mlxsw: spectrum_router: Remove inappropriate usage of WARN_ON() + +From: Ido Schimmel + +[ Upstream commit d9d5420273997664a1c09151ca86ac993f2f89c1 ] + +We should not trigger a warning when a memory allocation fails. Remove +the WARN_ON(). + +The warning is constantly triggered by syzkaller when it is injecting +faults: + +[ 2230.758664] FAULT_INJECTION: forcing a failure. +[ 2230.758664] name failslab, interval 1, probability 0, space 0, times 0 +[ 2230.762329] CPU: 3 PID: 1407 Comm: syz-executor.0 Not tainted 5.8.0-rc2+ #28 +... +[ 2230.898175] WARNING: CPU: 3 PID: 1407 at drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:6265 mlxsw_sp_router_fib_event+0xfad/0x13e0 +[ 2230.898179] Kernel panic - not syncing: panic_on_warn set ... +[ 2230.898183] CPU: 3 PID: 1407 Comm: syz-executor.0 Not tainted 5.8.0-rc2+ #28 +[ 2230.898190] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 + +Fixes: 3057224e014c ("mlxsw: spectrum_router: Implement FIB offload in deferred work") +Signed-off-by: Ido Schimmel +Reviewed-by: Jiri Pirko +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c +index d5bca1be3ef53..84b3d78a9dd84 100644 +--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c +@@ -6256,7 +6256,7 @@ static int mlxsw_sp_router_fib_event(struct notifier_block *nb, + } + + fib_work = kzalloc(sizeof(*fib_work), GFP_ATOMIC); +- if (WARN_ON(!fib_work)) ++ if (!fib_work) + return NOTIFY_BAD; + + fib_work->mlxsw_sp = router->mlxsw_sp; +-- +2.25.1 + diff --git a/queue-5.7/mtd-set-master-partition-panic-write-flag.patch b/queue-5.7/mtd-set-master-partition-panic-write-flag.patch new file mode 100644 index 00000000000..f2e81fee031 --- /dev/null +++ b/queue-5.7/mtd-set-master-partition-panic-write-flag.patch @@ -0,0 +1,40 @@ +From 3456be286be7af679f2627d2903ade1a38ee608f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Jun 2020 11:51:34 -0400 +Subject: mtd: set master partition panic write flag + +From: Kamal Dasu + +[ Upstream commit 630e8d5507d9f55dfa98134bfcadefb6cfba4fbb ] + +Check and set master panic write flag so that low level drivers +can use it to take required action to ensure oops data gets written +to assigned mtdoops device partition. + +Fixes: 9f897bfdd89f ("mtd: Add flag to indicate panic_write") +Signed-off-by: Kamal Dasu +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20200615155134.32007-1-kdasu.kdev@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/mtd/mtdcore.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/mtd/mtdcore.c b/drivers/mtd/mtdcore.c +index 29d41003d6e0d..f8317ccd8f2a6 100644 +--- a/drivers/mtd/mtdcore.c ++++ b/drivers/mtd/mtdcore.c +@@ -1235,8 +1235,8 @@ int mtd_panic_write(struct mtd_info *mtd, loff_t to, size_t len, size_t *retlen, + return -EROFS; + if (!len) + return 0; +- if (!mtd->oops_panic_write) +- mtd->oops_panic_write = true; ++ if (!master->oops_panic_write) ++ master->oops_panic_write = true; + + return master->_panic_write(master, mtd_get_master_ofs(mtd, to), len, + retlen, buf); +-- +2.25.1 + diff --git a/queue-5.7/nbd-fix-memory-leak-in-nbd_add_socket.patch b/queue-5.7/nbd-fix-memory-leak-in-nbd_add_socket.patch new file mode 100644 index 00000000000..845d829b65d --- /dev/null +++ b/queue-5.7/nbd-fix-memory-leak-in-nbd_add_socket.patch @@ -0,0 +1,80 @@ +From a193c83e350bc2d00243bb1ce2c6b7c487bf30ab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Jun 2020 09:23:49 +0800 +Subject: nbd: Fix memory leak in nbd_add_socket + +From: Zheng Bin + +[ Upstream commit 579dd91ab3a5446b148e7f179b6596b270dace46 ] + +When adding first socket to nbd, if nsock's allocation failed, the data +structure member "config->socks" was reallocated, but the data structure +member "config->num_connections" was not updated. A memory leak will occur +then because the function "nbd_config_put" will free "config->socks" only +when "config->num_connections" is not zero. + +Fixes: 03bf73c315ed ("nbd: prevent memory leak") +Reported-by: syzbot+934037347002901b8d2a@syzkaller.appspotmail.com +Signed-off-by: Zheng Bin +Reviewed-by: Eric Biggers +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/nbd.c | 25 +++++++++++++++---------- + 1 file changed, 15 insertions(+), 10 deletions(-) + +diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c +index 43cff01a5a675..ce7e9f223b20b 100644 +--- a/drivers/block/nbd.c ++++ b/drivers/block/nbd.c +@@ -1033,25 +1033,26 @@ static int nbd_add_socket(struct nbd_device *nbd, unsigned long arg, + test_bit(NBD_RT_BOUND, &config->runtime_flags))) { + dev_err(disk_to_dev(nbd->disk), + "Device being setup by another task"); +- sockfd_put(sock); +- return -EBUSY; ++ err = -EBUSY; ++ goto put_socket; ++ } ++ ++ nsock = kzalloc(sizeof(*nsock), GFP_KERNEL); ++ if (!nsock) { ++ err = -ENOMEM; ++ goto put_socket; + } + + socks = krealloc(config->socks, (config->num_connections + 1) * + sizeof(struct nbd_sock *), GFP_KERNEL); + if (!socks) { +- sockfd_put(sock); +- return -ENOMEM; ++ kfree(nsock); ++ err = -ENOMEM; ++ goto put_socket; + } + + config->socks = socks; + +- nsock = kzalloc(sizeof(struct nbd_sock), GFP_KERNEL); +- if (!nsock) { +- sockfd_put(sock); +- return -ENOMEM; +- } +- + nsock->fallback_index = -1; + nsock->dead = false; + mutex_init(&nsock->tx_lock); +@@ -1063,6 +1064,10 @@ static int nbd_add_socket(struct nbd_device *nbd, unsigned long arg, + atomic_inc(&config->live_connections); + + return 0; ++ ++put_socket: ++ sockfd_put(sock); ++ return err; + } + + static int nbd_reconnect_socket(struct nbd_device *nbd, unsigned long arg) +-- +2.25.1 + diff --git a/queue-5.7/net-atlantic-fix-ip-dst-and-ipv6-address-filters.patch b/queue-5.7/net-atlantic-fix-ip-dst-and-ipv6-address-filters.patch new file mode 100644 index 00000000000..a1625882144 --- /dev/null +++ b/queue-5.7/net-atlantic-fix-ip-dst-and-ipv6-address-filters.patch @@ -0,0 +1,63 @@ +From dfcdbf258b0a1eaf858a306e66fd4770a45a8961 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Jul 2020 17:17:10 +0300 +Subject: net: atlantic: fix ip dst and ipv6 address filters + +From: Dmitry Bogdanov + +[ Upstream commit a42e6aee7f47a8a68d09923c720fc8f605a04207 ] + +This patch fixes ip dst and ipv6 address filters. +There were 2 mistakes in the code, which led to the issue: +* invalid register was used for ipv4 dst address; +* incorrect write order of dwords for ipv6 addresses. + +Fixes: 23e7a718a49b ("net: aquantia: add rx-flow filter definitions") +Signed-off-by: Dmitry Bogdanov +Signed-off-by: Mark Starovoytov +Signed-off-by: Alexander Lobakin +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_llh.c | 4 ++-- + .../ethernet/aquantia/atlantic/hw_atl/hw_atl_llh_internal.h | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_llh.c b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_llh.c +index d1f68fc162918..e6b1fb10ad912 100644 +--- a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_llh.c ++++ b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_llh.c +@@ -1651,7 +1651,7 @@ void hw_atl_rpfl3l4_ipv6_src_addr_set(struct aq_hw_s *aq_hw, u8 location, + for (i = 0; i < 4; ++i) + aq_hw_write_reg(aq_hw, + HW_ATL_RPF_L3_SRCA_ADR(location + i), +- ipv6_src[i]); ++ ipv6_src[3 - i]); + } + + void hw_atl_rpfl3l4_ipv6_dest_addr_set(struct aq_hw_s *aq_hw, u8 location, +@@ -1662,7 +1662,7 @@ void hw_atl_rpfl3l4_ipv6_dest_addr_set(struct aq_hw_s *aq_hw, u8 location, + for (i = 0; i < 4; ++i) + aq_hw_write_reg(aq_hw, + HW_ATL_RPF_L3_DSTA_ADR(location + i), +- ipv6_dest[i]); ++ ipv6_dest[3 - i]); + } + + u32 hw_atl_sem_ram_get(struct aq_hw_s *self) +diff --git a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_llh_internal.h b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_llh_internal.h +index 18de2f7b89593..a7590b9ea2df5 100644 +--- a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_llh_internal.h ++++ b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_llh_internal.h +@@ -1360,7 +1360,7 @@ + */ + + /* Register address for bitfield pif_rpf_l3_da0_i[31:0] */ +-#define HW_ATL_RPF_L3_DSTA_ADR(filter) (0x000053B0 + (filter) * 0x4) ++#define HW_ATL_RPF_L3_DSTA_ADR(filter) (0x000053D0 + (filter) * 0x4) + /* Bitmask for bitfield l3_da0[1F:0] */ + #define HW_ATL_RPF_L3_DSTA_MSK 0xFFFFFFFFu + /* Inverted bitmask for bitfield l3_da0[1F:0] */ +-- +2.25.1 + diff --git a/queue-5.7/net-cxgb4-fix-return-error-value-in-t4_prep_fw.patch b/queue-5.7/net-cxgb4-fix-return-error-value-in-t4_prep_fw.patch new file mode 100644 index 00000000000..890936d493d --- /dev/null +++ b/queue-5.7/net-cxgb4-fix-return-error-value-in-t4_prep_fw.patch @@ -0,0 +1,58 @@ +From e075e535a4377c2936a695e6a2983cbc0fee0c5a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Jun 2020 18:49:51 +0800 +Subject: net: cxgb4: fix return error value in t4_prep_fw + +From: Li Heng + +[ Upstream commit 8a259e6b73ad8181b0b2ef338b35043433db1075 ] + +t4_prep_fw goto bye tag with positive return value when something +bad happened and which can not free resource in adap_init0. +so fix it to return negative value. + +Fixes: 16e47624e76b ("cxgb4: Add new scheme to update T4/T5 firmware") +Reported-by: Hulk Robot +Signed-off-by: Li Heng +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/chelsio/cxgb4/t4_hw.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c b/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c +index 2a3480fc1d914..9121cef2be2d5 100644 +--- a/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c +@@ -3493,7 +3493,7 @@ int t4_prep_fw(struct adapter *adap, struct fw_info *fw_info, + drv_fw = &fw_info->fw_hdr; + + /* Read the header of the firmware on the card */ +- ret = -t4_read_flash(adap, FLASH_FW_START, ++ ret = t4_read_flash(adap, FLASH_FW_START, + sizeof(*card_fw) / sizeof(uint32_t), + (uint32_t *)card_fw, 1); + if (ret == 0) { +@@ -3522,8 +3522,8 @@ int t4_prep_fw(struct adapter *adap, struct fw_info *fw_info, + should_install_fs_fw(adap, card_fw_usable, + be32_to_cpu(fs_fw->fw_ver), + be32_to_cpu(card_fw->fw_ver))) { +- ret = -t4_fw_upgrade(adap, adap->mbox, fw_data, +- fw_size, 0); ++ ret = t4_fw_upgrade(adap, adap->mbox, fw_data, ++ fw_size, 0); + if (ret != 0) { + dev_err(adap->pdev_dev, + "failed to install firmware: %d\n", ret); +@@ -3554,7 +3554,7 @@ int t4_prep_fw(struct adapter *adap, struct fw_info *fw_info, + FW_HDR_FW_VER_MICRO_G(c), FW_HDR_FW_VER_BUILD_G(c), + FW_HDR_FW_VER_MAJOR_G(k), FW_HDR_FW_VER_MINOR_G(k), + FW_HDR_FW_VER_MICRO_G(k), FW_HDR_FW_VER_BUILD_G(k)); +- ret = EINVAL; ++ ret = -EINVAL; + goto bye; + } + +-- +2.25.1 + diff --git a/queue-5.7/net-dsa-microchip-set-the-correct-number-of-ports.patch b/queue-5.7/net-dsa-microchip-set-the-correct-number-of-ports.patch new file mode 100644 index 00000000000..e1b80ba8aca --- /dev/null +++ b/queue-5.7/net-dsa-microchip-set-the-correct-number-of-ports.patch @@ -0,0 +1,56 @@ +From 4e3781645ce58b4d5cc8ae7d322bb6290d9f10b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Jul 2020 12:44:50 +0300 +Subject: net: dsa: microchip: set the correct number of ports + +From: Codrin Ciubotariu + +[ Upstream commit af199a1a9cb02ec0194804bd46c174b6db262075 ] + +The number of ports is incorrectly set to the maximum available for a DSA +switch. Even if the extra ports are not used, this causes some functions +to be called later, like port_disable() and port_stp_state_set(). If the +driver doesn't check the port index, it will end up modifying unknown +registers. + +Fixes: b987e98e50ab ("dsa: add DSA switch driver for Microchip KSZ9477") +Signed-off-by: Codrin Ciubotariu +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/microchip/ksz8795.c | 3 +++ + drivers/net/dsa/microchip/ksz9477.c | 3 +++ + 2 files changed, 6 insertions(+) + +diff --git a/drivers/net/dsa/microchip/ksz8795.c b/drivers/net/dsa/microchip/ksz8795.c +index 47d65b77caf77..7c17b0f705ec3 100644 +--- a/drivers/net/dsa/microchip/ksz8795.c ++++ b/drivers/net/dsa/microchip/ksz8795.c +@@ -1268,6 +1268,9 @@ static int ksz8795_switch_init(struct ksz_device *dev) + return -ENOMEM; + } + ++ /* set the real number of ports */ ++ dev->ds->num_ports = dev->port_cnt; ++ + return 0; + } + +diff --git a/drivers/net/dsa/microchip/ksz9477.c b/drivers/net/dsa/microchip/ksz9477.c +index 9a51b8a4de5d1..8d15c30160246 100644 +--- a/drivers/net/dsa/microchip/ksz9477.c ++++ b/drivers/net/dsa/microchip/ksz9477.c +@@ -1588,6 +1588,9 @@ static int ksz9477_switch_init(struct ksz_device *dev) + return -ENOMEM; + } + ++ /* set the real number of ports */ ++ dev->ds->num_ports = dev->port_cnt; ++ + return 0; + } + +-- +2.25.1 + diff --git a/queue-5.7/net-hns3-add-a-missing-uninit-debugfs-when-unload-dr.patch b/queue-5.7/net-hns3-add-a-missing-uninit-debugfs-when-unload-dr.patch new file mode 100644 index 00000000000..dec4dd8f771 --- /dev/null +++ b/queue-5.7/net-hns3-add-a-missing-uninit-debugfs-when-unload-dr.patch @@ -0,0 +1,38 @@ +From 2e4856c7bcc6c696a86f5394890952a20b33b385 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Jul 2020 19:26:01 +0800 +Subject: net: hns3: add a missing uninit debugfs when unload driver + +From: Huazhong Tan + +[ Upstream commit e22b5e728bbb179b912d3a3cd5c25894a89a26a2 ] + +When unloading driver, if flag HNS3_NIC_STATE_INITED has been +already cleared, the debugfs will not be uninitialized, so fix it. + +Fixes: b2292360bb2a ("net: hns3: Add debugfs framework registration") +Signed-off-by: Huazhong Tan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c +index da98fd7c8eca5..3003eecd5263b 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c +@@ -4153,9 +4153,8 @@ static void hns3_client_uninit(struct hnae3_handle *handle, bool reset) + + hns3_put_ring_config(priv); + +- hns3_dbg_uninit(handle); +- + out_netdev_free: ++ hns3_dbg_uninit(handle); + free_netdev(netdev); + } + +-- +2.25.1 + diff --git a/queue-5.7/net-hns3-check-reset-pending-after-flr-prepare.patch b/queue-5.7/net-hns3-check-reset-pending-after-flr-prepare.patch new file mode 100644 index 00000000000..879e28446c6 --- /dev/null +++ b/queue-5.7/net-hns3-check-reset-pending-after-flr-prepare.patch @@ -0,0 +1,38 @@ +From c6ac524461bbd00af137d17619f37f61a20ca71f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Jul 2020 19:25:59 +0800 +Subject: net: hns3: check reset pending after FLR prepare + +From: Huazhong Tan + +[ Upstream commit bb3d866882c280a85e8950d4d72af1e294d2e69c ] + +If there is a PF reset pending before FLR prepare, FLR's +preparatory work will not fail, but the FLR rebuild procedure +will fail for this pending. So this PF reset pending should +be handled in the FLR preparatory. + +Fixes: 8627bdedc435 ("net: hns3: refactor the precedure of PF FLR") +Signed-off-by: Huazhong Tan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c +index a758f9ae32be9..4de268a879582 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c +@@ -9351,7 +9351,7 @@ static void hclge_flr_prepare(struct hnae3_ae_dev *ae_dev) + set_bit(HCLGE_STATE_RST_HANDLING, &hdev->state); + hdev->reset_type = HNAE3_FLR_RESET; + ret = hclge_reset_prepare(hdev); +- if (ret) { ++ if (ret || hdev->reset_pending) { + dev_err(&hdev->pdev->dev, "fail to prepare FLR, ret=%d\n", + ret); + if (hdev->reset_pending || +-- +2.25.1 + diff --git a/queue-5.7/net-hns3-fix-for-mishandle-of-asserting-vf-reset-fai.patch b/queue-5.7/net-hns3-fix-for-mishandle-of-asserting-vf-reset-fai.patch new file mode 100644 index 00000000000..1cc05a94327 --- /dev/null +++ b/queue-5.7/net-hns3-fix-for-mishandle-of-asserting-vf-reset-fai.patch @@ -0,0 +1,41 @@ +From 8dfee9772fd56569bb922eea651486469558a161 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Jul 2020 19:26:00 +0800 +Subject: net: hns3: fix for mishandle of asserting VF reset fail + +From: Huazhong Tan + +[ Upstream commit cddd5648926d7a6e84526dadd8bfb21609a14fb7 ] + +When asserts VF reset fail, flag HCLGEVF_STATE_CMD_DISABLE +and handshake status should not set, otherwise the retry will +fail. So adds a check for asserting VF reset and returns +directly when fails. + +Fixes: ef5f8e507ec9 ("net: hns3: stop handling command queue while resetting VF") +Signed-off-by: Huazhong Tan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c +index e02d427131eeb..e6cdd06925e6b 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c +@@ -1527,6 +1527,11 @@ static int hclgevf_reset_prepare_wait(struct hclgevf_dev *hdev) + if (hdev->reset_type == HNAE3_VF_FUNC_RESET) { + hclgevf_build_send_msg(&send_msg, HCLGE_MBX_RESET, 0); + ret = hclgevf_send_mbx_msg(hdev, &send_msg, true, NULL, 0); ++ if (ret) { ++ dev_err(&hdev->pdev->dev, ++ "failed to assert VF reset, ret = %d\n", ret); ++ return ret; ++ } + hdev->rst_stats.vf_func_rst_cnt++; + } + +-- +2.25.1 + diff --git a/queue-5.7/net-hns3-fix-use-after-free-when-doing-self-test.patch b/queue-5.7/net-hns3-fix-use-after-free-when-doing-self-test.patch new file mode 100644 index 00000000000..be3b2acaf25 --- /dev/null +++ b/queue-5.7/net-hns3-fix-use-after-free-when-doing-self-test.patch @@ -0,0 +1,85 @@ +From 77e020ca4ebe1bbce7c6beef2ff8064ab36ab58c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Jul 2020 19:26:02 +0800 +Subject: net: hns3: fix use-after-free when doing self test + +From: Yonglong Liu + +[ Upstream commit a06656211304fec653c1931c2ca6d644013b5bbb ] + +Enable promisc mode of PF, set VF link state to enable, and +run iperf of the VF, then do self test of the PF. The self test +will fail with a low frequency, and may cause a use-after-free +problem. + +[ 87.142126] selftest:000004a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ +[ 87.159722] ================================================================== +[ 87.174187] BUG: KASAN: use-after-free in hex_dump_to_buffer+0x140/0x608 +[ 87.187600] Read of size 1 at addr ffff003b22828000 by task ethtool/1186 +[ 87.201012] +[ 87.203978] CPU: 7 PID: 1186 Comm: ethtool Not tainted 5.5.0-rc4-gfd51c473-dirty #4 +[ 87.219306] Hardware name: Huawei TaiShan 2280 V2/BC82AMDA, BIOS TA BIOS 2280-A CS V2.B160.01 01/15/2020 +[ 87.238292] Call trace: +[ 87.243173] dump_backtrace+0x0/0x280 +[ 87.250491] show_stack+0x24/0x30 +[ 87.257114] dump_stack+0xe8/0x140 +[ 87.263911] print_address_description.isra.8+0x70/0x380 +[ 87.274538] __kasan_report+0x12c/0x230 +[ 87.282203] kasan_report+0xc/0x18 +[ 87.288999] __asan_load1+0x60/0x68 +[ 87.295969] hex_dump_to_buffer+0x140/0x608 +[ 87.304332] print_hex_dump+0x140/0x1e0 +[ 87.312000] hns3_lb_check_skb_data+0x168/0x170 +[ 87.321060] hns3_clean_rx_ring+0xa94/0xfe0 +[ 87.329422] hns3_self_test+0x708/0x8c0 + +The length of packet sent by the selftest process is only +128 + 14 bytes, and the min buffer size of a BD is 256 bytes, +and the receive process will make sure the packet sent by +the selftest process is in the linear part, so only check +the linear part in hns3_lb_check_skb_data(). + +So fix this use-after-free by using skb_headlen() to dump +skb->data instead of skb->len. + +Fixes: c39c4d98dc65 ("net: hns3: Add mac loopback selftest support in hns3 driver") +Signed-off-by: Yonglong Liu +Signed-off-by: Huazhong Tan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c b/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c +index 28b81f24afa11..2a78805d531a1 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c +@@ -174,18 +174,21 @@ static void hns3_lb_check_skb_data(struct hns3_enet_ring *ring, + { + struct hns3_enet_tqp_vector *tqp_vector = ring->tqp_vector; + unsigned char *packet = skb->data; ++ u32 len = skb_headlen(skb); + u32 i; + +- for (i = 0; i < skb->len; i++) ++ len = min_t(u32, len, HNS3_NIC_LB_TEST_PACKET_SIZE); ++ ++ for (i = 0; i < len; i++) + if (packet[i] != (unsigned char)(i & 0xff)) + break; + + /* The packet is correctly received */ +- if (i == skb->len) ++ if (i == HNS3_NIC_LB_TEST_PACKET_SIZE) + tqp_vector->rx_group.total_packets++; + else + print_hex_dump(KERN_ERR, "selftest:", DUMP_PREFIX_OFFSET, 16, 1, +- skb->data, skb->len, true); ++ skb->data, len, true); + + dev_kfree_skb_any(skb); + } +-- +2.25.1 + diff --git a/queue-5.7/net-ipa-fix-qmi-structure-definition-bugs.patch b/queue-5.7/net-ipa-fix-qmi-structure-definition-bugs.patch new file mode 100644 index 00000000000..6a38cdd53e6 --- /dev/null +++ b/queue-5.7/net-ipa-fix-qmi-structure-definition-bugs.patch @@ -0,0 +1,60 @@ +From e6ac7d9dd8ba22aaf5cfbc3c4fbf88dd3f75c2f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Jul 2020 18:10:08 -0500 +Subject: net: ipa: fix QMI structure definition bugs + +From: Alex Elder + +[ Upstream commit 74478ea4ded519db35cb1f059948b1e713bb4abf ] + +Building with "W=1" did exactly what it was supposed to do, namely +point out some suspicious-looking code to be verified not to contain +bugs. + +Some QMI message structures defined in "ipa_qmi_msg.c" contained +some bad field names (duplicating the "elem_size" field instead of +defining the "offset" field), almost certainly due to copy/paste +errors that weren't obvious in a scan of the code. Fix these bugs. + +Fixes: 530f9216a953 ("soc: qcom: ipa: AP/modem communications") +Signed-off-by: Alex Elder +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ipa/ipa_qmi_msg.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ipa/ipa_qmi_msg.c b/drivers/net/ipa/ipa_qmi_msg.c +index 03a1d0e559644..73413371e3d3e 100644 +--- a/drivers/net/ipa/ipa_qmi_msg.c ++++ b/drivers/net/ipa/ipa_qmi_msg.c +@@ -119,7 +119,7 @@ struct qmi_elem_info ipa_driver_init_complete_rsp_ei[] = { + sizeof_field(struct ipa_driver_init_complete_rsp, + rsp), + .tlv_type = 0x02, +- .elem_size = offsetof(struct ipa_driver_init_complete_rsp, ++ .offset = offsetof(struct ipa_driver_init_complete_rsp, + rsp), + .ei_array = qmi_response_type_v01_ei, + }, +@@ -137,7 +137,7 @@ struct qmi_elem_info ipa_init_complete_ind_ei[] = { + sizeof_field(struct ipa_init_complete_ind, + status), + .tlv_type = 0x02, +- .elem_size = offsetof(struct ipa_init_complete_ind, ++ .offset = offsetof(struct ipa_init_complete_ind, + status), + .ei_array = qmi_response_type_v01_ei, + }, +@@ -218,7 +218,7 @@ struct qmi_elem_info ipa_init_modem_driver_req_ei[] = { + sizeof_field(struct ipa_init_modem_driver_req, + platform_type_valid), + .tlv_type = 0x10, +- .elem_size = offsetof(struct ipa_init_modem_driver_req, ++ .offset = offsetof(struct ipa_init_modem_driver_req, + platform_type_valid), + }, + { +-- +2.25.1 + diff --git a/queue-5.7/net-ipa-no-checksum-offload-for-sdm845-lan-rx.patch b/queue-5.7/net-ipa-no-checksum-offload-for-sdm845-lan-rx.patch new file mode 100644 index 00000000000..c12a1235fb9 --- /dev/null +++ b/queue-5.7/net-ipa-no-checksum-offload-for-sdm845-lan-rx.patch @@ -0,0 +1,38 @@ +From 4856abf79dfd705635c409756dd9c73f6ee066b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Jun 2020 07:44:43 -0500 +Subject: net: ipa: no checksum offload for SDM845 LAN RX + +From: Alex Elder + +[ Upstream commit 41af5436e857ec64f302fcc9b6e4a8c526b6b402 ] + +The AP LAN RX endpoint should not have download checksum offload +enabled. + +The receive handler does properly accommodate the trailer that's +added by the hardware, but we ignore it. + +Fixes: 1ed7d0c0fdba ("soc: qcom: ipa: configuration data") +Signed-off-by: Alex Elder +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ipa/ipa_data-sdm845.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/net/ipa/ipa_data-sdm845.c b/drivers/net/ipa/ipa_data-sdm845.c +index 0d9c36e1e806c..0917c5b028f67 100644 +--- a/drivers/net/ipa/ipa_data-sdm845.c ++++ b/drivers/net/ipa/ipa_data-sdm845.c +@@ -44,7 +44,6 @@ static const struct ipa_gsi_endpoint_data ipa_gsi_endpoint_data[] = { + .endpoint = { + .seq_type = IPA_SEQ_INVALID, + .config = { +- .checksum = true, + .aggregation = true, + .status_enable = true, + .rx = { +-- +2.25.1 + diff --git a/queue-5.7/net-macb-fix-call-to-pm_runtime-in-the-suspend-resum.patch b/queue-5.7/net-macb-fix-call-to-pm_runtime-in-the-suspend-resum.patch new file mode 100644 index 00000000000..874d2bbdb2d --- /dev/null +++ b/queue-5.7/net-macb-fix-call-to-pm_runtime-in-the-suspend-resum.patch @@ -0,0 +1,52 @@ +From 1a759b3d9f0480978df98e4d614d37f684f310fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Jul 2020 14:46:45 +0200 +Subject: net: macb: fix call to pm_runtime in the suspend/resume functions + +From: Nicolas Ferre + +[ Upstream commit 6c8f85cac98a4c6b767c4c4f6af7283724c32b47 ] + +The calls to pm_runtime_force_suspend/resume() functions are only +relevant if the device is not configured to act as a WoL wakeup source. +Add the device_may_wakeup() test before calling them. + +Fixes: 3e2a5e153906 ("net: macb: add wake-on-lan support via magic packet") +Cc: Claudiu Beznea +Cc: Harini Katakam +Cc: Sergio Prado +Reviewed-by: Florian Fainelli +Signed-off-by: Nicolas Ferre +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cadence/macb_main.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c +index 548815255e22b..f1f0976e7669a 100644 +--- a/drivers/net/ethernet/cadence/macb_main.c ++++ b/drivers/net/ethernet/cadence/macb_main.c +@@ -4606,7 +4606,8 @@ static int __maybe_unused macb_suspend(struct device *dev) + + if (bp->ptp_info) + bp->ptp_info->ptp_remove(netdev); +- pm_runtime_force_suspend(dev); ++ if (!device_may_wakeup(dev)) ++ pm_runtime_force_suspend(dev); + + return 0; + } +@@ -4621,7 +4622,8 @@ static int __maybe_unused macb_resume(struct device *dev) + if (!netif_running(netdev)) + return 0; + +- pm_runtime_force_resume(dev); ++ if (!device_may_wakeup(dev)) ++ pm_runtime_force_resume(dev); + + if (bp->wol & MACB_WOL_ENABLED) { + macb_writel(bp, IDR, MACB_BIT(WOL)); +-- +2.25.1 + diff --git a/queue-5.7/net-macb-fix-macb_get-set_wol-when-moving-to-phylink.patch b/queue-5.7/net-macb-fix-macb_get-set_wol-when-moving-to-phylink.patch new file mode 100644 index 00000000000..0e7d83f41bb --- /dev/null +++ b/queue-5.7/net-macb-fix-macb_get-set_wol-when-moving-to-phylink.patch @@ -0,0 +1,73 @@ +From 8be9ab23ba7b9a9d124e1d9ea07e1ec8d7774696 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Jul 2020 14:46:43 +0200 +Subject: net: macb: fix macb_get/set_wol() when moving to phylink + +From: Nicolas Ferre + +[ Upstream commit 253fe09435045ab9346a8e364299d971185ae031 ] + +Keep previous function goals and integrate phylink actions to them. + +phylink_ethtool_get_wol() is not enough to figure out if Ethernet driver +supports Wake-on-Lan. +Initialization of "supported" and "wolopts" members is done in phylink +function, no need to keep them in calling function. + +phylink_ethtool_set_wol() return value is considered and determines +if the MAC has to handle WoL or not. The case where the PHY doesn't +implement WoL leads to the MAC configuring it to provide this feature. + +Fixes: 7897b071ac3b ("net: macb: convert to phylink") +Cc: Claudiu Beznea +Cc: Harini Katakam +Cc: Antoine Tenart +Cc: Florian Fainelli +Signed-off-by: Nicolas Ferre +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cadence/macb_main.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c +index 4cafe343c0a27..79c2fe0543038 100644 +--- a/drivers/net/ethernet/cadence/macb_main.c ++++ b/drivers/net/ethernet/cadence/macb_main.c +@@ -2821,11 +2821,13 @@ static void macb_get_wol(struct net_device *netdev, struct ethtool_wolinfo *wol) + { + struct macb *bp = netdev_priv(netdev); + +- wol->supported = 0; +- wol->wolopts = 0; +- +- if (bp->wol & MACB_WOL_HAS_MAGIC_PACKET) ++ if (bp->wol & MACB_WOL_HAS_MAGIC_PACKET) { + phylink_ethtool_get_wol(bp->phylink, wol); ++ wol->supported |= WAKE_MAGIC; ++ ++ if (bp->wol & MACB_WOL_ENABLED) ++ wol->wolopts |= WAKE_MAGIC; ++ } + } + + static int macb_set_wol(struct net_device *netdev, struct ethtool_wolinfo *wol) +@@ -2833,9 +2835,13 @@ static int macb_set_wol(struct net_device *netdev, struct ethtool_wolinfo *wol) + struct macb *bp = netdev_priv(netdev); + int ret; + ++ /* Pass the order to phylink layer */ + ret = phylink_ethtool_set_wol(bp->phylink, wol); +- if (!ret) +- return 0; ++ /* Don't manage WoL on MAC if handled by the PHY ++ * or if there's a failure in talking to the PHY ++ */ ++ if (!ret || ret != -EOPNOTSUPP) ++ return ret; + + if (!(bp->wol & MACB_WOL_HAS_MAGIC_PACKET) || + (wol->wolopts & ~WAKE_MAGIC)) +-- +2.25.1 + diff --git a/queue-5.7/net-macb-fix-macb_suspend-by-removing-call-to-netif_.patch b/queue-5.7/net-macb-fix-macb_suspend-by-removing-call-to-netif_.patch new file mode 100644 index 00000000000..5bf1b17617e --- /dev/null +++ b/queue-5.7/net-macb-fix-macb_suspend-by-removing-call-to-netif_.patch @@ -0,0 +1,40 @@ +From 7c7dc7405dd340e9c47fbc429fb0d2f025262853 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Jul 2020 14:46:44 +0200 +Subject: net: macb: fix macb_suspend() by removing call to netif_carrier_off() + +From: Nicolas Ferre + +[ Upstream commit 64febc5e56c9a748162f206dcc5be1a44436087a ] + +As we now use the phylink call to phylink_stop() in the non-WoL path, +there is no need for this call to netif_carrier_off() anymore. It can +disturb the underlying phylink FSM. + +Fixes: 7897b071ac3b ("net: macb: convert to phylink") +Cc: Claudiu Beznea +Cc: Harini Katakam +Cc: Antoine Tenart +Reviewed-by: Florian Fainelli +Signed-off-by: Nicolas Ferre +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cadence/macb_main.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c +index 79c2fe0543038..548815255e22b 100644 +--- a/drivers/net/ethernet/cadence/macb_main.c ++++ b/drivers/net/ethernet/cadence/macb_main.c +@@ -4604,7 +4604,6 @@ static int __maybe_unused macb_suspend(struct device *dev) + bp->pm_data.scrt2 = gem_readl_n(bp, ETHT, SCRT2_ETHT); + } + +- netif_carrier_off(netdev); + if (bp->ptp_info) + bp->ptp_info->ptp_remove(netdev); + pm_runtime_force_suspend(dev); +-- +2.25.1 + diff --git a/queue-5.7/net-macb-fix-wakeup-test-in-runtime-suspend-resume-r.patch b/queue-5.7/net-macb-fix-wakeup-test-in-runtime-suspend-resume-r.patch new file mode 100644 index 00000000000..2f20f79abc3 --- /dev/null +++ b/queue-5.7/net-macb-fix-wakeup-test-in-runtime-suspend-resume-r.patch @@ -0,0 +1,53 @@ +From c42ec16f214f7f9d0d1eadcfa38b12898639bb2c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Jul 2020 14:46:41 +0200 +Subject: net: macb: fix wakeup test in runtime suspend/resume routines + +From: Nicolas Ferre + +[ Upstream commit 515a10a701d570e26dfbe6ee373f77c8bf11053f ] + +Use the proper struct device pointer to check if the wakeup flag +and wakeup source are positioned. +Use the one passed by function call which is equivalent to +&bp->dev->dev.parent. + +It's preventing the trigger of a spurious interrupt in case the +Wake-on-Lan feature is used. + +Fixes: d54f89af6cc4 ("net: macb: Add pm runtime support") +Cc: Claudiu Beznea +Cc: Harini Katakam +Reviewed-by: Florian Fainelli +Signed-off-by: Nicolas Ferre +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cadence/macb_main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c +index 52582e8ed90e5..55e680f350222 100644 +--- a/drivers/net/ethernet/cadence/macb_main.c ++++ b/drivers/net/ethernet/cadence/macb_main.c +@@ -4654,7 +4654,7 @@ static int __maybe_unused macb_runtime_suspend(struct device *dev) + struct net_device *netdev = dev_get_drvdata(dev); + struct macb *bp = netdev_priv(netdev); + +- if (!(device_may_wakeup(&bp->dev->dev))) { ++ if (!(device_may_wakeup(dev))) { + clk_disable_unprepare(bp->tx_clk); + clk_disable_unprepare(bp->hclk); + clk_disable_unprepare(bp->pclk); +@@ -4670,7 +4670,7 @@ static int __maybe_unused macb_runtime_resume(struct device *dev) + struct net_device *netdev = dev_get_drvdata(dev); + struct macb *bp = netdev_priv(netdev); + +- if (!(device_may_wakeup(&bp->dev->dev))) { ++ if (!(device_may_wakeup(dev))) { + clk_prepare_enable(bp->pclk); + clk_prepare_enable(bp->hclk); + clk_prepare_enable(bp->tx_clk); +-- +2.25.1 + diff --git a/queue-5.7/net-macb-mark-device-wake-capable-when-magic-packet-.patch b/queue-5.7/net-macb-mark-device-wake-capable-when-magic-packet-.patch new file mode 100644 index 00000000000..575f99a67c5 --- /dev/null +++ b/queue-5.7/net-macb-mark-device-wake-capable-when-magic-packet-.patch @@ -0,0 +1,50 @@ +From 4458e5c776c80e2c25de92651601c90032c7c9b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Jul 2020 14:46:42 +0200 +Subject: net: macb: mark device wake capable when "magic-packet" property + present + +From: Nicolas Ferre + +[ Upstream commit ced4799d06375929e013eea04ba6908207afabbe ] + +Change the way the "magic-packet" DT property is handled in the +macb_probe() function, matching DT binding documentation. +Now we mark the device as "wakeup capable" instead of calling the +device_init_wakeup() function that would enable the wakeup source. + +For Ethernet WoL, enabling the wakeup_source is done by +using ethtool and associated macb_set_wol() function that +already calls device_set_wakeup_enable() for this purpose. + +That would reduce power consumption by cutting more clocks if +"magic-packet" property is set but WoL is not configured by ethtool. + +Fixes: 3e2a5e153906 ("net: macb: add wake-on-lan support via magic packet") +Cc: Claudiu Beznea +Cc: Harini Katakam +Cc: Sergio Prado +Reviewed-by: Florian Fainelli +Signed-off-by: Nicolas Ferre +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cadence/macb_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c +index 55e680f350222..4cafe343c0a27 100644 +--- a/drivers/net/ethernet/cadence/macb_main.c ++++ b/drivers/net/ethernet/cadence/macb_main.c +@@ -4422,7 +4422,7 @@ static int macb_probe(struct platform_device *pdev) + bp->wol = 0; + if (of_get_property(np, "magic-packet", NULL)) + bp->wol |= MACB_WOL_HAS_MAGIC_PACKET; +- device_init_wakeup(&pdev->dev, bp->wol & MACB_WOL_HAS_MAGIC_PACKET); ++ device_set_wakeup_capable(&pdev->dev, bp->wol & MACB_WOL_HAS_MAGIC_PACKET); + + spin_lock_init(&bp->lock); + +-- +2.25.1 + diff --git a/queue-5.7/net-mlx5-fix-eeprom-support-for-sfp-module.patch b/queue-5.7/net-mlx5-fix-eeprom-support-for-sfp-module.patch new file mode 100644 index 00000000000..c8088f3824e --- /dev/null +++ b/queue-5.7/net-mlx5-fix-eeprom-support-for-sfp-module.patch @@ -0,0 +1,173 @@ +From 87772f5566b9baeda34c2646d9ee216def3bfe53 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Jun 2020 17:31:26 +0300 +Subject: net/mlx5: Fix eeprom support for SFP module + +From: Eran Ben Elisha + +[ Upstream commit 47afbdd2fa4c5775c383ba376a3d1da7d7f694dc ] + +Fix eeprom SFP query support by setting i2c_addr, offset and page number +correctly. Unlike QSFP modules, SFP eeprom params are as follow: +- i2c_addr is 0x50 for offset 0 - 255 and 0x51 for offset 256 - 511. +- Page number is always zero. +- Page offset is always relative to zero. + +As part of eeprom query, query the module ID (SFP / QSFP*) via helper +function to set the params accordingly. + +In addition, change mlx5_qsfp_eeprom_page() input type to be u16 to avoid +unnecessary casting. + +Fixes: a708fb7b1f8d ("net/mlx5e: ethtool, Add support for EEPROM high pages query") +Signed-off-by: Eran Ben Elisha +Signed-off-by: Huy Nguyen +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + .../net/ethernet/mellanox/mlx5/core/port.c | 93 +++++++++++++++---- + 1 file changed, 77 insertions(+), 16 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/port.c b/drivers/net/ethernet/mellanox/mlx5/core/port.c +index cc262b30aed53..dc589322940c5 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/port.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/port.c +@@ -293,7 +293,40 @@ static int mlx5_query_module_num(struct mlx5_core_dev *dev, int *module_num) + return 0; + } + +-static int mlx5_eeprom_page(int offset) ++static int mlx5_query_module_id(struct mlx5_core_dev *dev, int module_num, ++ u8 *module_id) ++{ ++ u32 in[MLX5_ST_SZ_DW(mcia_reg)] = {}; ++ u32 out[MLX5_ST_SZ_DW(mcia_reg)]; ++ int err, status; ++ u8 *ptr; ++ ++ MLX5_SET(mcia_reg, in, i2c_device_address, MLX5_I2C_ADDR_LOW); ++ MLX5_SET(mcia_reg, in, module, module_num); ++ MLX5_SET(mcia_reg, in, device_address, 0); ++ MLX5_SET(mcia_reg, in, page_number, 0); ++ MLX5_SET(mcia_reg, in, size, 1); ++ MLX5_SET(mcia_reg, in, l, 0); ++ ++ err = mlx5_core_access_reg(dev, in, sizeof(in), out, ++ sizeof(out), MLX5_REG_MCIA, 0, 0); ++ if (err) ++ return err; ++ ++ status = MLX5_GET(mcia_reg, out, status); ++ if (status) { ++ mlx5_core_err(dev, "query_mcia_reg failed: status: 0x%x\n", ++ status); ++ return -EIO; ++ } ++ ptr = MLX5_ADDR_OF(mcia_reg, out, dword_0); ++ ++ *module_id = ptr[0]; ++ ++ return 0; ++} ++ ++static int mlx5_qsfp_eeprom_page(u16 offset) + { + if (offset < MLX5_EEPROM_PAGE_LENGTH) + /* Addresses between 0-255 - page 00 */ +@@ -307,7 +340,7 @@ static int mlx5_eeprom_page(int offset) + MLX5_EEPROM_HIGH_PAGE_LENGTH); + } + +-static int mlx5_eeprom_high_page_offset(int page_num) ++static int mlx5_qsfp_eeprom_high_page_offset(int page_num) + { + if (!page_num) /* Page 0 always start from low page */ + return 0; +@@ -316,35 +349,62 @@ static int mlx5_eeprom_high_page_offset(int page_num) + return page_num * MLX5_EEPROM_HIGH_PAGE_LENGTH; + } + ++static void mlx5_qsfp_eeprom_params_set(u16 *i2c_addr, int *page_num, u16 *offset) ++{ ++ *i2c_addr = MLX5_I2C_ADDR_LOW; ++ *page_num = mlx5_qsfp_eeprom_page(*offset); ++ *offset -= mlx5_qsfp_eeprom_high_page_offset(*page_num); ++} ++ ++static void mlx5_sfp_eeprom_params_set(u16 *i2c_addr, int *page_num, u16 *offset) ++{ ++ *i2c_addr = MLX5_I2C_ADDR_LOW; ++ *page_num = 0; ++ ++ if (*offset < MLX5_EEPROM_PAGE_LENGTH) ++ return; ++ ++ *i2c_addr = MLX5_I2C_ADDR_HIGH; ++ *offset -= MLX5_EEPROM_PAGE_LENGTH; ++} ++ + int mlx5_query_module_eeprom(struct mlx5_core_dev *dev, + u16 offset, u16 size, u8 *data) + { +- int module_num, page_num, status, err; ++ int module_num, status, err, page_num = 0; ++ u32 in[MLX5_ST_SZ_DW(mcia_reg)] = {}; + u32 out[MLX5_ST_SZ_DW(mcia_reg)]; +- u32 in[MLX5_ST_SZ_DW(mcia_reg)]; +- u16 i2c_addr; +- void *ptr = MLX5_ADDR_OF(mcia_reg, out, dword_0); ++ u16 i2c_addr = 0; ++ u8 module_id; ++ void *ptr; + + err = mlx5_query_module_num(dev, &module_num); + if (err) + return err; + +- memset(in, 0, sizeof(in)); +- size = min_t(int, size, MLX5_EEPROM_MAX_BYTES); +- +- /* Get the page number related to the given offset */ +- page_num = mlx5_eeprom_page(offset); ++ err = mlx5_query_module_id(dev, module_num, &module_id); ++ if (err) ++ return err; + +- /* Set the right offset according to the page number, +- * For page_num > 0, relative offset is always >= 128 (high page). +- */ +- offset -= mlx5_eeprom_high_page_offset(page_num); ++ switch (module_id) { ++ case MLX5_MODULE_ID_SFP: ++ mlx5_sfp_eeprom_params_set(&i2c_addr, &page_num, &offset); ++ break; ++ case MLX5_MODULE_ID_QSFP: ++ case MLX5_MODULE_ID_QSFP_PLUS: ++ case MLX5_MODULE_ID_QSFP28: ++ mlx5_qsfp_eeprom_params_set(&i2c_addr, &page_num, &offset); ++ break; ++ default: ++ mlx5_core_err(dev, "Module ID not recognized: 0x%x\n", module_id); ++ return -EINVAL; ++ } + + if (offset + size > MLX5_EEPROM_PAGE_LENGTH) + /* Cross pages read, read until offset 256 in low page */ + size -= offset + size - MLX5_EEPROM_PAGE_LENGTH; + +- i2c_addr = MLX5_I2C_ADDR_LOW; ++ size = min_t(int, size, MLX5_EEPROM_MAX_BYTES); + + MLX5_SET(mcia_reg, in, l, 0); + MLX5_SET(mcia_reg, in, module, module_num); +@@ -365,6 +425,7 @@ int mlx5_query_module_eeprom(struct mlx5_core_dev *dev, + return -EIO; + } + ++ ptr = MLX5_ADDR_OF(mcia_reg, out, dword_0); + memcpy(data, ptr, size); + + return size; +-- +2.25.1 + diff --git a/queue-5.7/net-mlx5e-ct-fix-memory-leak-in-cleanup.patch b/queue-5.7/net-mlx5e-ct-fix-memory-leak-in-cleanup.patch new file mode 100644 index 00000000000..cc46ed71247 --- /dev/null +++ b/queue-5.7/net-mlx5e-ct-fix-memory-leak-in-cleanup.patch @@ -0,0 +1,37 @@ +From 8da58a12c4d63f444bacdf62bb8dca9fb02509fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 Jun 2020 15:42:26 +0300 +Subject: net/mlx5e: CT: Fix memory leak in cleanup + +From: Eli Britstein + +[ Upstream commit eb32b3f53d283e8d68b6d86c3a6ed859b24dacae ] + +CT entries are deleted via a workqueue from netfilter. If removing the +module before that, the rules are cleaned by the driver itself, but the +memory entries for them are not freed. Fix that. + +Fixes: ac991b48d43c ("net/mlx5e: CT: Offload established flows") +Signed-off-by: Eli Britstein +Reviewed-by: Roi Dayan +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c +index 470282daed198..369a037714356 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c +@@ -849,6 +849,7 @@ mlx5_tc_ct_flush_ft_entry(void *ptr, void *arg) + struct mlx5_ct_entry *entry = ptr; + + mlx5_tc_ct_entry_del_rules(ct_priv, entry); ++ kfree(entry); + } + + static void +-- +2.25.1 + diff --git a/queue-5.7/net-mlx5e-fix-50g-per-lane-indication.patch b/queue-5.7/net-mlx5e-fix-50g-per-lane-indication.patch new file mode 100644 index 00000000000..80eb4fd9e73 --- /dev/null +++ b/queue-5.7/net-mlx5e-fix-50g-per-lane-indication.patch @@ -0,0 +1,134 @@ +From e88f6ffb8dfb5ec08efb7e26311a051cbc0a599e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Jun 2020 12:48:47 +0300 +Subject: net/mlx5e: Fix 50G per lane indication + +From: Aya Levin + +[ Upstream commit 6a1cf4e443a3b0a4d690d3c93b84b1e9cbfcb1bd ] + +Some released FW versions mistakenly don't set the capability that 50G +per lane link-modes are supported for VFs (ptys_extended_ethernet +capability bit). When the capability is unset, read +PTYS.ext_eth_proto_capability (always reliable). +If PTYS.ext_eth_proto_capability is valid (has a non-zero value) +conclude that the HCA supports 50G per lane. Otherwise, conclude that +the HCA doesn't support 50G per lane. + +Fixes: a08b4ed1373d ("net/mlx5: Add support to ext_* fields introduced in Port Type and Speed register") +Signed-off-by: Aya Levin +Reviewed-by: Eran Ben Elisha +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + .../net/ethernet/mellanox/mlx5/core/en/port.c | 21 ++++++++++++++++--- + .../net/ethernet/mellanox/mlx5/core/en/port.h | 2 +- + .../ethernet/mellanox/mlx5/core/en_ethtool.c | 8 +++---- + 3 files changed, 23 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/port.c b/drivers/net/ethernet/mellanox/mlx5/core/en/port.c +index 2a8950b3056f9..3cf3e35053f77 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/port.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/port.c +@@ -78,11 +78,26 @@ static const u32 mlx5e_ext_link_speed[MLX5E_EXT_LINK_MODES_NUMBER] = { + [MLX5E_400GAUI_8] = 400000, + }; + ++bool mlx5e_ptys_ext_supported(struct mlx5_core_dev *mdev) ++{ ++ struct mlx5e_port_eth_proto eproto; ++ int err; ++ ++ if (MLX5_CAP_PCAM_FEATURE(mdev, ptys_extended_ethernet)) ++ return true; ++ ++ err = mlx5_port_query_eth_proto(mdev, 1, true, &eproto); ++ if (err) ++ return false; ++ ++ return !!eproto.cap; ++} ++ + static void mlx5e_port_get_speed_arr(struct mlx5_core_dev *mdev, + const u32 **arr, u32 *size, + bool force_legacy) + { +- bool ext = force_legacy ? false : MLX5_CAP_PCAM_FEATURE(mdev, ptys_extended_ethernet); ++ bool ext = force_legacy ? false : mlx5e_ptys_ext_supported(mdev); + + *size = ext ? ARRAY_SIZE(mlx5e_ext_link_speed) : + ARRAY_SIZE(mlx5e_link_speed); +@@ -177,7 +192,7 @@ int mlx5e_port_linkspeed(struct mlx5_core_dev *mdev, u32 *speed) + bool ext; + int err; + +- ext = MLX5_CAP_PCAM_FEATURE(mdev, ptys_extended_ethernet); ++ ext = mlx5e_ptys_ext_supported(mdev); + err = mlx5_port_query_eth_proto(mdev, 1, ext, &eproto); + if (err) + goto out; +@@ -205,7 +220,7 @@ int mlx5e_port_max_linkspeed(struct mlx5_core_dev *mdev, u32 *speed) + int err; + int i; + +- ext = MLX5_CAP_PCAM_FEATURE(mdev, ptys_extended_ethernet); ++ ext = mlx5e_ptys_ext_supported(mdev); + err = mlx5_port_query_eth_proto(mdev, 1, ext, &eproto); + if (err) + return err; +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/port.h b/drivers/net/ethernet/mellanox/mlx5/core/en/port.h +index a2ddd446dd59e..7a7defe607926 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/port.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/port.h +@@ -54,7 +54,7 @@ int mlx5e_port_linkspeed(struct mlx5_core_dev *mdev, u32 *speed); + int mlx5e_port_max_linkspeed(struct mlx5_core_dev *mdev, u32 *speed); + u32 mlx5e_port_speed2linkmodes(struct mlx5_core_dev *mdev, u32 speed, + bool force_legacy); +- ++bool mlx5e_ptys_ext_supported(struct mlx5_core_dev *mdev); + int mlx5e_port_query_pbmc(struct mlx5_core_dev *mdev, void *out); + int mlx5e_port_set_pbmc(struct mlx5_core_dev *mdev, void *in); + int mlx5e_port_query_priority2buffer(struct mlx5_core_dev *mdev, u8 *buffer); +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c +index bc290ae80a531..1c491acd48f32 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c +@@ -200,7 +200,7 @@ static void mlx5e_ethtool_get_speed_arr(struct mlx5_core_dev *mdev, + struct ptys2ethtool_config **arr, + u32 *size) + { +- bool ext = MLX5_CAP_PCAM_FEATURE(mdev, ptys_extended_ethernet); ++ bool ext = mlx5e_ptys_ext_supported(mdev); + + *arr = ext ? ptys2ext_ethtool_table : ptys2legacy_ethtool_table; + *size = ext ? ARRAY_SIZE(ptys2ext_ethtool_table) : +@@ -883,7 +883,7 @@ static void get_lp_advertising(struct mlx5_core_dev *mdev, u32 eth_proto_lp, + struct ethtool_link_ksettings *link_ksettings) + { + unsigned long *lp_advertising = link_ksettings->link_modes.lp_advertising; +- bool ext = MLX5_CAP_PCAM_FEATURE(mdev, ptys_extended_ethernet); ++ bool ext = mlx5e_ptys_ext_supported(mdev); + + ptys2ethtool_adver_link(lp_advertising, eth_proto_lp, ext); + } +@@ -913,7 +913,7 @@ int mlx5e_ethtool_get_link_ksettings(struct mlx5e_priv *priv, + __func__, err); + goto err_query_regs; + } +- ext = MLX5_CAP_PCAM_FEATURE(mdev, ptys_extended_ethernet); ++ ext = !!MLX5_GET_ETH_PROTO(ptys_reg, out, true, eth_proto_capability); + eth_proto_cap = MLX5_GET_ETH_PROTO(ptys_reg, out, ext, + eth_proto_capability); + eth_proto_admin = MLX5_GET_ETH_PROTO(ptys_reg, out, ext, +@@ -1066,7 +1066,7 @@ int mlx5e_ethtool_set_link_ksettings(struct mlx5e_priv *priv, + autoneg = link_ksettings->base.autoneg; + speed = link_ksettings->base.speed; + +- ext_supported = MLX5_CAP_PCAM_FEATURE(mdev, ptys_extended_ethernet); ++ ext_supported = mlx5e_ptys_ext_supported(mdev); + ext = ext_requested(autoneg, adver, ext_supported); + if (!ext_supported && ext) + return -EOPNOTSUPP; +-- +2.25.1 + diff --git a/queue-5.7/net-mlx5e-fix-cpu-mapping-after-function-reload-to-a.patch b/queue-5.7/net-mlx5e-fix-cpu-mapping-after-function-reload-to-a.patch new file mode 100644 index 00000000000..2ef293c93de --- /dev/null +++ b/queue-5.7/net-mlx5e-fix-cpu-mapping-after-function-reload-to-a.patch @@ -0,0 +1,84 @@ +From 7c2cd1b62c62c9fe93fc22fc376f7b5f510acbbc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 May 2020 10:37:42 +0300 +Subject: net/mlx5e: Fix CPU mapping after function reload to avoid aRFS RX + crash + +From: Aya Levin + +[ Upstream commit f4aebbfb56ed0c186adbeb2799df836da50f78e3 ] + +After function reload, CPU mapping used by aRFS RX is broken, leading to +a kernel panic. Fix by moving initialization of rx_cpu_rmap from +netdev_init to netdev_attach. IRQ table is re-allocated on mlx5_load, +but netdev is not re-initialize. + +Trace of the panic: +[ 22.055672] general protection fault, probably for non-canonical address 0x785634120000ff1c: 0000 [#1] SMP PTI +[ 22.065010] CPU: 4 PID: 0 Comm: swapper/4 Not tainted 5.7.0-rc2-for-upstream-perf-2020-04-21_16-34-03-31 #1 +[ 22.067967] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 +[ 22.071174] RIP: 0010:get_rps_cpu+0x267/0x300 +[ 22.075692] RSP: 0018:ffffc90000244d60 EFLAGS: 00010202 +[ 22.076888] RAX: ffff888459b0e400 RBX: 0000000000000000 RCX:0000000000000007 +[ 22.078364] RDX: 0000000000008884 RSI: ffff888467cb5b00 RDI:0000000000000000 +[ 22.079815] RBP: 00000000ff342b27 R08: 0000000000000007 R09:0000000000000003 +[ 22.081289] R10: ffffffffffffffff R11: 00000000000070cc R12:ffff888454900000 +[ 22.082767] R13: ffffc90000e5a950 R14: ffffc90000244dc0 R15:0000000000000007 +[ 22.084190] FS: 0000000000000000(0000) GS:ffff88846fc80000(0000)knlGS:0000000000000000 +[ 22.086161] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 22.087427] CR2: ffffffffffffffff CR3: 0000000464426003 CR4:0000000000760ee0 +[ 22.088888] DR0: 0000000000000000 DR1: 0000000000000000 DR2:0000000000000000 +[ 22.090336] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:0000000000000400 +[ 22.091764] PKRU: 55555554 +[ 22.092618] Call Trace: +[ 22.093442] +[ 22.094211] ? kvm_clock_get_cycles+0xd/0x10 +[ 22.095272] netif_receive_skb_list_internal+0x258/0x2a0 +[ 22.096460] gro_normal_list.part.137+0x19/0x40 +[ 22.097547] napi_complete_done+0xc6/0x110 +[ 22.098685] mlx5e_napi_poll+0x190/0x670 [mlx5_core] +[ 22.099859] net_rx_action+0x2a0/0x400 +[ 22.100848] __do_softirq+0xd8/0x2a8 +[ 22.101829] irq_exit+0xa5/0xb0 +[ 22.102750] do_IRQ+0x52/0xd0 +[ 22.103654] common_interrupt+0xf/0xf +[ 22.104641] + +Fixes: 4383cfcc65e7 ("net/mlx5: Add devlink reload") +Signed-off-by: Aya Levin +Reviewed-by: Eran Ben Elisha +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index 02f6b6bd2847c..bc54913c58618 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -5119,6 +5119,10 @@ static int mlx5e_init_nic_rx(struct mlx5e_priv *priv) + if (err) + goto err_destroy_flow_steering; + ++#ifdef CONFIG_MLX5_EN_ARFS ++ priv->netdev->rx_cpu_rmap = mlx5_eq_table_get_rmap(priv->mdev); ++#endif ++ + return 0; + + err_destroy_flow_steering: +@@ -5296,10 +5300,6 @@ int mlx5e_netdev_init(struct net_device *netdev, + /* netdev init */ + netif_carrier_off(netdev); + +-#ifdef CONFIG_MLX5_EN_ARFS +- netdev->rx_cpu_rmap = mlx5_eq_table_get_rmap(mdev); +-#endif +- + return 0; + + err_free_cpumask: +-- +2.25.1 + diff --git a/queue-5.7/net-mlx5e-fix-vxlan-configuration-restore-after-func.patch b/queue-5.7/net-mlx5e-fix-vxlan-configuration-restore-after-func.patch new file mode 100644 index 00000000000..60e58282468 --- /dev/null +++ b/queue-5.7/net-mlx5e-fix-vxlan-configuration-restore-after-func.patch @@ -0,0 +1,59 @@ +From 9c0b8aa6b42b5c6edecb68df7314e8ceac0d3787 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Jun 2020 19:04:03 +0300 +Subject: net/mlx5e: Fix VXLAN configuration restore after function reload + +From: Aya Levin + +[ Upstream commit b3c2ed21c0bdf35ba498a9974aa587f99a03b658 ] + +When detaching netdev, remove vxlan port configuration using +udp_tunnel_drop_rx_info. During function reload, configuration will be +restored using udp_tunnel_get_rx_info. This ensures sync between +firmware and driver. Use udp_tunnel_get_rx_info even if its physical +interface is down. + +Fixes: 4383cfcc65e7 ("net/mlx5: Add devlink reload") +Signed-off-by: Aya Levin +Reviewed-by: Eran Ben Elisha +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index bd8d0e0960857..02f6b6bd2847c 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -3076,9 +3076,6 @@ int mlx5e_open(struct net_device *netdev) + mlx5_set_port_admin_status(priv->mdev, MLX5_PORT_UP); + mutex_unlock(&priv->state_lock); + +- if (mlx5_vxlan_allowed(priv->mdev->vxlan)) +- udp_tunnel_get_rx_info(netdev); +- + return err; + } + +@@ -5207,6 +5204,8 @@ static void mlx5e_nic_enable(struct mlx5e_priv *priv) + rtnl_lock(); + if (netif_running(netdev)) + mlx5e_open(netdev); ++ if (mlx5_vxlan_allowed(priv->mdev->vxlan)) ++ udp_tunnel_get_rx_info(netdev); + netif_device_attach(netdev); + rtnl_unlock(); + } +@@ -5223,6 +5222,8 @@ static void mlx5e_nic_disable(struct mlx5e_priv *priv) + rtnl_lock(); + if (netif_running(priv->netdev)) + mlx5e_close(priv->netdev); ++ if (mlx5_vxlan_allowed(priv->mdev->vxlan)) ++ udp_tunnel_drop_rx_info(priv->netdev); + netif_device_detach(priv->netdev); + rtnl_unlock(); + +-- +2.25.1 + diff --git a/queue-5.7/net-mvneta-fix-use-of-state-speed.patch b/queue-5.7/net-mvneta-fix-use-of-state-speed.patch new file mode 100644 index 00000000000..5ae98fd64db --- /dev/null +++ b/queue-5.7/net-mvneta-fix-use-of-state-speed.patch @@ -0,0 +1,41 @@ +From ff6e9db9e4f9828600287b324056ccb062538846 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Jun 2020 11:04:40 +0100 +Subject: net: mvneta: fix use of state->speed + +From: Russell King + +[ Upstream commit f2ca673d2cd5df9a76247b670e9ffd4d63682b3f ] + +When support for short preambles was added, it incorrectly keyed its +decision off state->speed instead of state->interface. state->speed +is not guaranteed to be correct for in-band modes, which can lead to +short preambles being unexpectedly disabled. + +Fix this by keying off the interface mode, which is the only way that +mvneta can operate at 2.5Gbps. + +Fixes: da58a931f248 ("net: mvneta: Add support for 2500Mbps SGMII") +Signed-off-by: Russell King +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/mvneta.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c +index af578a5813bd2..cf26cf4e47aa8 100644 +--- a/drivers/net/ethernet/marvell/mvneta.c ++++ b/drivers/net/ethernet/marvell/mvneta.c +@@ -3953,7 +3953,7 @@ static void mvneta_mac_config(struct phylink_config *config, unsigned int mode, + /* When at 2.5G, the link partner can send frames with shortened + * preambles. + */ +- if (state->speed == SPEED_2500) ++ if (state->interface == PHY_INTERFACE_MODE_2500BASEX) + new_ctrl4 |= MVNETA_GMAC4_SHORT_PREAMBLE_ENABLE; + + if (pp->phy_interface != state->interface) { +-- +2.25.1 + diff --git a/queue-5.7/net-qed-fix-buffer-overflow-on-ethtool-d.patch b/queue-5.7/net-qed-fix-buffer-overflow-on-ethtool-d.patch new file mode 100644 index 00000000000..033550191c8 --- /dev/null +++ b/queue-5.7/net-qed-fix-buffer-overflow-on-ethtool-d.patch @@ -0,0 +1,107 @@ +From 31ea600bdb726d959e6a26d2f0ea767899bc2494 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Jul 2020 12:25:53 +0300 +Subject: net: qed: fix buffer overflow on ethtool -d + +From: Alexander Lobakin + +[ Upstream commit da3287111ab43b32cec54d7ca6b48640f210a196 ] + +When generating debug dump, driver firstly collects all data in binary +form, and then performs per-feature formatting to human-readable if it +is supported. + +For ethtool -d, this is roughly incorrect for two reasons. First of all, +drivers should always provide only original raw dumps to Ethtool without +any changes. +The second, and more critical, is that Ethtool's output buffer size is +strictly determined by ethtool_ops::get_regs_len(), and all data *must* +fit in it. The current version of driver always returns the size of raw +data, but the size of the formatted buffer exceeds it in most cases. +This leads to out-of-bound writes and memory corruption. + +Address both issues by adding an option to return original, non-formatted +debug data, and using it for Ethtool case. + +v2: + - Expand commit message to make it more clear; + - No functional changes. + +Fixes: c965db444629 ("qed: Add support for debug data collection") +Signed-off-by: Alexander Lobakin +Signed-off-by: Igor Russkikh +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qed/qed.h | 2 ++ + drivers/net/ethernet/qlogic/qed/qed_debug.c | 13 ++++++++++++- + 2 files changed, 14 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/qlogic/qed/qed.h b/drivers/net/ethernet/qlogic/qed/qed.h +index fa41bf08a5895..58d6ef489d5bf 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed.h ++++ b/drivers/net/ethernet/qlogic/qed/qed.h +@@ -880,6 +880,8 @@ struct qed_dev { + #endif + struct qed_dbg_feature dbg_features[DBG_FEATURE_NUM]; + bool disable_ilt_dump; ++ bool dbg_bin_dump; ++ + DECLARE_HASHTABLE(connections, 10); + const struct firmware *firmware; + +diff --git a/drivers/net/ethernet/qlogic/qed/qed_debug.c b/drivers/net/ethernet/qlogic/qed/qed_debug.c +index 3e56b6056b477..03ce18f653932 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_debug.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_debug.c +@@ -7506,6 +7506,12 @@ static enum dbg_status format_feature(struct qed_hwfn *p_hwfn, + if (p_hwfn->cdev->dbg_params.print_data) + qed_dbg_print_feature(text_buf, text_size_bytes); + ++ /* Just return the original binary buffer if requested */ ++ if (p_hwfn->cdev->dbg_bin_dump) { ++ vfree(text_buf); ++ return DBG_STATUS_OK; ++ } ++ + /* Free the old dump_buf and point the dump_buf to the newly allocagted + * and formatted text buffer. + */ +@@ -7733,7 +7739,9 @@ int qed_dbg_mcp_trace_size(struct qed_dev *cdev) + #define REGDUMP_HEADER_SIZE_SHIFT 0 + #define REGDUMP_HEADER_SIZE_MASK 0xffffff + #define REGDUMP_HEADER_FEATURE_SHIFT 24 +-#define REGDUMP_HEADER_FEATURE_MASK 0x3f ++#define REGDUMP_HEADER_FEATURE_MASK 0x1f ++#define REGDUMP_HEADER_BIN_DUMP_SHIFT 29 ++#define REGDUMP_HEADER_BIN_DUMP_MASK 0x1 + #define REGDUMP_HEADER_OMIT_ENGINE_SHIFT 30 + #define REGDUMP_HEADER_OMIT_ENGINE_MASK 0x1 + #define REGDUMP_HEADER_ENGINE_SHIFT 31 +@@ -7771,6 +7779,7 @@ static u32 qed_calc_regdump_header(struct qed_dev *cdev, + feature, feature_size); + + SET_FIELD(res, REGDUMP_HEADER_FEATURE, feature); ++ SET_FIELD(res, REGDUMP_HEADER_BIN_DUMP, 1); + SET_FIELD(res, REGDUMP_HEADER_OMIT_ENGINE, omit_engine); + SET_FIELD(res, REGDUMP_HEADER_ENGINE, engine); + +@@ -7794,6 +7803,7 @@ int qed_dbg_all_data(struct qed_dev *cdev, void *buffer) + omit_engine = 1; + + mutex_lock(&qed_dbg_lock); ++ cdev->dbg_bin_dump = true; + + org_engine = qed_get_debug_engine(cdev); + for (cur_engine = 0; cur_engine < cdev->num_hwfns; cur_engine++) { +@@ -7993,6 +8003,7 @@ int qed_dbg_all_data(struct qed_dev *cdev, void *buffer) + QED_NVM_IMAGE_MDUMP, "QED_NVM_IMAGE_MDUMP", rc); + } + ++ cdev->dbg_bin_dump = false; + mutex_unlock(&qed_dbg_lock); + + return 0; +-- +2.25.1 + diff --git a/queue-5.7/net-rmnet-do-not-allow-to-add-multiple-bridge-interf.patch b/queue-5.7/net-rmnet-do-not-allow-to-add-multiple-bridge-interf.patch new file mode 100644 index 00000000000..d044977862d --- /dev/null +++ b/queue-5.7/net-rmnet-do-not-allow-to-add-multiple-bridge-interf.patch @@ -0,0 +1,89 @@ +From 35cd1ea46c358a56334c4c7802f49b0ec90a1313 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Jul 2020 17:08:55 +0000 +Subject: net: rmnet: do not allow to add multiple bridge interfaces + +From: Taehee Yoo + +[ Upstream commit 2fb2799a2abb39d7dbb48abb3baa1133bf5e921a ] + +rmnet can have only two bridge interface. +One of them is a link interface and another one is added by +the master operation. +rmnet interface shouldn't allow adding additional +bridge interfaces by mater operation. +But, there is no code to deny additional interfaces. +So, interface leak occurs. + +Test commands: + ip link add dummy0 type dummy + ip link add dummy1 type dummy + ip link add dummy2 type dummy + ip link add rmnet0 link dummy0 type rmnet mux_id 1 + ip link set dummy1 master rmnet0 + ip link set dummy2 master rmnet0 + ip link del rmnet0 + +In the above test command, the dummy0 was attached to rmnet as VND mode. +Then, dummy1 was attached to rmnet0 as BRIDGE mode. +At this point, dummy0 mode is switched from VND to BRIDGE automatically. +Then, dummy2 is attached to rmnet as BRIDGE mode. +At this point, rmnet0 should deny this operation. +But, rmnet0 doesn't deny this. +So that below splat occurs when the rmnet0 interface is deleted. + +Splat looks like: +[ 186.684787][ C2] WARNING: CPU: 2 PID: 1009 at net/core/dev.c:8992 rollback_registered_many+0x986/0xcf0 +[ 186.684788][ C2] Modules linked in: rmnet dummy openvswitch nsh nf_conncount nf_nat nf_conntrack nf_defrag_x +[ 186.684805][ C2] CPU: 2 PID: 1009 Comm: ip Not tainted 5.8.0-rc1+ #621 +[ 186.684807][ C2] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006 +[ 186.684808][ C2] RIP: 0010:rollback_registered_many+0x986/0xcf0 +[ 186.684811][ C2] Code: 41 8b 4e cc 45 31 c0 31 d2 4c 89 ee 48 89 df e8 e0 47 ff ff 85 c0 0f 84 cd fc ff ff 5 +[ 186.684812][ C2] RSP: 0018:ffff8880cd9472e0 EFLAGS: 00010287 +[ 186.684815][ C2] RAX: ffff8880cc56da58 RBX: ffff8880ab21c000 RCX: ffffffff9329d323 +[ 186.684816][ C2] RDX: 1ffffffff2be6410 RSI: 0000000000000008 RDI: ffffffff95f32080 +[ 186.684818][ C2] RBP: dffffc0000000000 R08: fffffbfff2be6411 R09: fffffbfff2be6411 +[ 186.684819][ C2] R10: ffffffff95f32087 R11: 0000000000000001 R12: ffff8880cd947480 +[ 186.684820][ C2] R13: ffff8880ab21c0b8 R14: ffff8880cd947400 R15: ffff8880cdf10640 +[ 186.684822][ C2] FS: 00007f00843890c0(0000) GS:ffff8880d4e00000(0000) knlGS:0000000000000000 +[ 186.684823][ C2] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 186.684825][ C2] CR2: 000055b8ab1077b8 CR3: 00000000ab612006 CR4: 00000000000606e0 +[ 186.684826][ C2] Call Trace: +[ 186.684827][ C2] ? lockdep_hardirqs_on_prepare+0x379/0x540 +[ 186.684829][ C2] ? netif_set_real_num_tx_queues+0x780/0x780 +[ 186.684830][ C2] ? rmnet_unregister_real_device+0x56/0x90 [rmnet] +[ 186.684831][ C2] ? __kasan_slab_free+0x126/0x150 +[ 186.684832][ C2] ? kfree+0xdc/0x320 +[ 186.684834][ C2] ? rmnet_unregister_real_device+0x56/0x90 [rmnet] +[ 186.684835][ C2] unregister_netdevice_many.part.135+0x13/0x1b0 +[ 186.684836][ C2] rtnl_delete_link+0xbc/0x100 +[ ... ] +[ 238.440071][ T1009] unregister_netdevice: waiting for rmnet0 to become free. Usage count = 1 + +Fixes: 037f9cdf72fb ("net: rmnet: use upper/lower device infrastructure") +Signed-off-by: Taehee Yoo +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qualcomm/rmnet/rmnet_config.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/ethernet/qualcomm/rmnet/rmnet_config.c b/drivers/net/ethernet/qualcomm/rmnet/rmnet_config.c +index 2c8c252b7b97f..fcdecddb28122 100644 +--- a/drivers/net/ethernet/qualcomm/rmnet/rmnet_config.c ++++ b/drivers/net/ethernet/qualcomm/rmnet/rmnet_config.c +@@ -429,6 +429,11 @@ int rmnet_add_bridge(struct net_device *rmnet_dev, + return -EINVAL; + } + ++ if (port->rmnet_mode != RMNET_EPMODE_VND) { ++ NL_SET_ERR_MSG_MOD(extack, "more than one bridge dev attached"); ++ return -EINVAL; ++ } ++ + if (rmnet_is_real_dev_registered(slave_dev)) { + NL_SET_ERR_MSG_MOD(extack, + "slave cannot be another rmnet dev"); +-- +2.25.1 + diff --git a/queue-5.7/net-rmnet-fix-lower-interface-leak.patch b/queue-5.7/net-rmnet-fix-lower-interface-leak.patch new file mode 100644 index 00000000000..6e9fd7f063e --- /dev/null +++ b/queue-5.7/net-rmnet-fix-lower-interface-leak.patch @@ -0,0 +1,136 @@ +From 61595f1c90c95ba6143de3a192637c49bc198327 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Jul 2020 17:08:18 +0000 +Subject: net: rmnet: fix lower interface leak + +From: Taehee Yoo + +[ Upstream commit 2a762e9e8cd1cf1242e4269a2244666ed02eecd1 ] + +There are two types of the lower interface of rmnet that are VND +and BRIDGE. +Each lower interface can have only one type either VND or BRIDGE. +But, there is a case, which uses both lower interface types. +Due to this unexpected behavior, lower interface leak occurs. + +Test commands: + ip link add dummy0 type dummy + ip link add dummy1 type dummy + ip link add rmnet0 link dummy0 type rmnet mux_id 1 + ip link set dummy1 master rmnet0 + ip link add rmnet1 link dummy1 type rmnet mux_id 2 + ip link del rmnet0 + +The dummy1 was attached as BRIDGE interface of rmnet0. +Then, it also was attached as VND interface of rmnet1. +This is unexpected behavior and there is no code for handling this case. +So that below splat occurs when the rmnet0 interface is deleted. + +Splat looks like: +[ 53.254112][ C1] WARNING: CPU: 1 PID: 1192 at net/core/dev.c:8992 rollback_registered_many+0x986/0xcf0 +[ 53.254117][ C1] Modules linked in: rmnet dummy openvswitch nsh nf_conncount nf_nat nf_conntrack nf_defrag_ipv6 nfx +[ 53.254182][ C1] CPU: 1 PID: 1192 Comm: ip Not tainted 5.8.0-rc1+ #620 +[ 53.254188][ C1] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006 +[ 53.254192][ C1] RIP: 0010:rollback_registered_many+0x986/0xcf0 +[ 53.254200][ C1] Code: 41 8b 4e cc 45 31 c0 31 d2 4c 89 ee 48 89 df e8 e0 47 ff ff 85 c0 0f 84 cd fc ff ff 0f 0b e5 +[ 53.254205][ C1] RSP: 0018:ffff888050a5f2e0 EFLAGS: 00010287 +[ 53.254214][ C1] RAX: ffff88805756d658 RBX: ffff88804d99c000 RCX: ffffffff8329d323 +[ 53.254219][ C1] RDX: 1ffffffff0be6410 RSI: 0000000000000008 RDI: ffffffff85f32080 +[ 53.254223][ C1] RBP: dffffc0000000000 R08: fffffbfff0be6411 R09: fffffbfff0be6411 +[ 53.254228][ C1] R10: ffffffff85f32087 R11: 0000000000000001 R12: ffff888050a5f480 +[ 53.254233][ C1] R13: ffff88804d99c0b8 R14: ffff888050a5f400 R15: ffff8880548ebe40 +[ 53.254238][ C1] FS: 00007f6b86b370c0(0000) GS:ffff88806c200000(0000) knlGS:0000000000000000 +[ 53.254243][ C1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 53.254248][ C1] CR2: 0000562c62438758 CR3: 000000003f600005 CR4: 00000000000606e0 +[ 53.254253][ C1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 53.254257][ C1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 53.254261][ C1] Call Trace: +[ 53.254266][ C1] ? lockdep_hardirqs_on_prepare+0x379/0x540 +[ 53.254270][ C1] ? netif_set_real_num_tx_queues+0x780/0x780 +[ 53.254275][ C1] ? rmnet_unregister_real_device+0x56/0x90 [rmnet] +[ 53.254279][ C1] ? __kasan_slab_free+0x126/0x150 +[ 53.254283][ C1] ? kfree+0xdc/0x320 +[ 53.254288][ C1] ? rmnet_unregister_real_device+0x56/0x90 [rmnet] +[ 53.254293][ C1] unregister_netdevice_many.part.135+0x13/0x1b0 +[ 53.254297][ C1] rtnl_delete_link+0xbc/0x100 +[ 53.254301][ C1] ? rtnl_af_register+0xc0/0xc0 +[ 53.254305][ C1] rtnl_dellink+0x2dc/0x840 +[ 53.254309][ C1] ? find_held_lock+0x39/0x1d0 +[ 53.254314][ C1] ? valid_fdb_dump_strict+0x620/0x620 +[ 53.254318][ C1] ? rtnetlink_rcv_msg+0x457/0x890 +[ 53.254322][ C1] ? lock_contended+0xd20/0xd20 +[ 53.254326][ C1] rtnetlink_rcv_msg+0x4a8/0x890 +[ ... ] +[ 73.813696][ T1192] unregister_netdevice: waiting for rmnet0 to become free. Usage count = 1 + +Fixes: 037f9cdf72fb ("net: rmnet: use upper/lower device infrastructure") +Signed-off-by: Taehee Yoo +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../ethernet/qualcomm/rmnet/rmnet_config.c | 21 +++++++++++-------- + 1 file changed, 12 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/ethernet/qualcomm/rmnet/rmnet_config.c b/drivers/net/ethernet/qualcomm/rmnet/rmnet_config.c +index 40efe60eff8d9..2c8c252b7b97f 100644 +--- a/drivers/net/ethernet/qualcomm/rmnet/rmnet_config.c ++++ b/drivers/net/ethernet/qualcomm/rmnet/rmnet_config.c +@@ -47,15 +47,23 @@ static int rmnet_unregister_real_device(struct net_device *real_dev) + return 0; + } + +-static int rmnet_register_real_device(struct net_device *real_dev) ++static int rmnet_register_real_device(struct net_device *real_dev, ++ struct netlink_ext_ack *extack) + { + struct rmnet_port *port; + int rc, entry; + + ASSERT_RTNL(); + +- if (rmnet_is_real_dev_registered(real_dev)) ++ if (rmnet_is_real_dev_registered(real_dev)) { ++ port = rmnet_get_port_rtnl(real_dev); ++ if (port->rmnet_mode != RMNET_EPMODE_VND) { ++ NL_SET_ERR_MSG_MOD(extack, "bridge device already exists"); ++ return -EINVAL; ++ } ++ + return 0; ++ } + + port = kzalloc(sizeof(*port), GFP_KERNEL); + if (!port) +@@ -133,7 +141,7 @@ static int rmnet_newlink(struct net *src_net, struct net_device *dev, + + mux_id = nla_get_u16(data[IFLA_RMNET_MUX_ID]); + +- err = rmnet_register_real_device(real_dev); ++ err = rmnet_register_real_device(real_dev, extack); + if (err) + goto err0; + +@@ -421,11 +429,6 @@ int rmnet_add_bridge(struct net_device *rmnet_dev, + return -EINVAL; + } + +- if (port->rmnet_mode != RMNET_EPMODE_VND) { +- NL_SET_ERR_MSG_MOD(extack, "bridge device already exists"); +- return -EINVAL; +- } +- + if (rmnet_is_real_dev_registered(slave_dev)) { + NL_SET_ERR_MSG_MOD(extack, + "slave cannot be another rmnet dev"); +@@ -433,7 +436,7 @@ int rmnet_add_bridge(struct net_device *rmnet_dev, + return -EBUSY; + } + +- err = rmnet_register_real_device(slave_dev); ++ err = rmnet_register_real_device(slave_dev, extack); + if (err) + return -EBUSY; + +-- +2.25.1 + diff --git a/queue-5.7/netfilter-conntrack-refetch-conntrack-after-nf_connt.patch b/queue-5.7/netfilter-conntrack-refetch-conntrack-after-nf_connt.patch new file mode 100644 index 00000000000..887e208a49d --- /dev/null +++ b/queue-5.7/netfilter-conntrack-refetch-conntrack-after-nf_connt.patch @@ -0,0 +1,55 @@ +From 937f23966dbf3962004ac06e9734f5ea33d678b6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Jul 2020 13:17:40 +0200 +Subject: netfilter: conntrack: refetch conntrack after nf_conntrack_update() + +From: Pablo Neira Ayuso + +[ Upstream commit d005fbb855d3b5660d62ee5a6bd2d99c13ff8cf3 ] + +__nf_conntrack_update() might refresh the conntrack object that is +attached to the skbuff. Otherwise, this triggers UAF. + +[ 633.200434] ================================================================== +[ 633.200472] BUG: KASAN: use-after-free in nf_conntrack_update+0x34e/0x770 [nf_conntrack] +[ 633.200478] Read of size 1 at addr ffff888370804c00 by task nfqnl_test/6769 + +[ 633.200487] CPU: 1 PID: 6769 Comm: nfqnl_test Not tainted 5.8.0-rc2+ #388 +[ 633.200490] Hardware name: LENOVO 23259H1/23259H1, BIOS G2ET32WW (1.12 ) 05/30/2012 +[ 633.200491] Call Trace: +[ 633.200499] dump_stack+0x7c/0xb0 +[ 633.200526] ? nf_conntrack_update+0x34e/0x770 [nf_conntrack] +[ 633.200532] print_address_description.constprop.6+0x1a/0x200 +[ 633.200539] ? _raw_write_lock_irqsave+0xc0/0xc0 +[ 633.200568] ? nf_conntrack_update+0x34e/0x770 [nf_conntrack] +[ 633.200594] ? nf_conntrack_update+0x34e/0x770 [nf_conntrack] +[ 633.200598] kasan_report.cold.9+0x1f/0x42 +[ 633.200604] ? call_rcu+0x2c0/0x390 +[ 633.200633] ? nf_conntrack_update+0x34e/0x770 [nf_conntrack] +[ 633.200659] nf_conntrack_update+0x34e/0x770 [nf_conntrack] +[ 633.200687] ? nf_conntrack_find_get+0x30/0x30 [nf_conntrack] + +Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1436 +Fixes: ee04805ff54a ("netfilter: conntrack: make conntrack userspace helpers work again") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_core.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c +index bb72ca5f3999a..3ab6dbb6588e2 100644 +--- a/net/netfilter/nf_conntrack_core.c ++++ b/net/netfilter/nf_conntrack_core.c +@@ -2149,6 +2149,8 @@ static int nf_conntrack_update(struct net *net, struct sk_buff *skb) + err = __nf_conntrack_update(net, skb, ct, ctinfo); + if (err < 0) + return err; ++ ++ ct = nf_ct_get(skb, &ctinfo); + } + + return nf_confirm_cthelper(skb, ct, ctinfo); +-- +2.25.1 + diff --git a/queue-5.7/netfilter-ipset-call-ip_set_free-instead-of-kfree.patch b/queue-5.7/netfilter-ipset-call-ip_set_free-instead-of-kfree.patch new file mode 100644 index 00000000000..5dd35fb90a5 --- /dev/null +++ b/queue-5.7/netfilter-ipset-call-ip_set_free-instead-of-kfree.patch @@ -0,0 +1,134 @@ +From 33376bde186ffb154182759e6cf9fad7d9c28d10 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Jun 2020 17:04:17 -0700 +Subject: netfilter: ipset: call ip_set_free() instead of kfree() + +From: Eric Dumazet + +[ Upstream commit c4e8fa9074ad94f80e5c0dcaa16b313e50e958c5 ] + +Whenever ip_set_alloc() is used, allocated memory can either +use kmalloc() or vmalloc(). We should call kvfree() or +ip_set_free() + +invalid opcode: 0000 [#1] PREEMPT SMP KASAN +CPU: 0 PID: 21935 Comm: syz-executor.3 Not tainted 5.8.0-rc2-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +RIP: 0010:__phys_addr+0xa7/0x110 arch/x86/mm/physaddr.c:28 +Code: 1d 7a 09 4c 89 e3 31 ff 48 d3 eb 48 89 de e8 d0 58 3f 00 48 85 db 75 0d e8 26 5c 3f 00 4c 89 e0 5b 5d 41 5c c3 e8 19 5c 3f 00 <0f> 0b e8 12 5c 3f 00 48 c7 c0 10 10 a8 89 48 ba 00 00 00 00 00 fc +RSP: 0000:ffffc900018572c0 EFLAGS: 00010046 +RAX: 0000000000040000 RBX: 0000000000000001 RCX: ffffc9000fac3000 +RDX: 0000000000040000 RSI: ffffffff8133f437 RDI: 0000000000000007 +RBP: ffffc90098aff000 R08: 0000000000000000 R09: ffff8880ae636cdb +R10: 0000000000000000 R11: 0000000000000000 R12: 0000408018aff000 +R13: 0000000000080000 R14: 000000000000001d R15: ffffc900018573d8 +FS: 00007fc540c66700(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007fc9dcd67200 CR3: 0000000059411000 CR4: 00000000001406f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + virt_to_head_page include/linux/mm.h:841 [inline] + virt_to_cache mm/slab.h:474 [inline] + kfree+0x77/0x2c0 mm/slab.c:3749 + hash_net_create+0xbb2/0xd70 net/netfilter/ipset/ip_set_hash_gen.h:1536 + ip_set_create+0x6a2/0x13c0 net/netfilter/ipset/ip_set_core.c:1128 + nfnetlink_rcv_msg+0xbe8/0xea0 net/netfilter/nfnetlink.c:230 + netlink_rcv_skb+0x15a/0x430 net/netlink/af_netlink.c:2469 + nfnetlink_rcv+0x1ac/0x420 net/netfilter/nfnetlink.c:564 + netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline] + netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1329 + netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1918 + sock_sendmsg_nosec net/socket.c:652 [inline] + sock_sendmsg+0xcf/0x120 net/socket.c:672 + ____sys_sendmsg+0x6e8/0x810 net/socket.c:2352 + ___sys_sendmsg+0xf3/0x170 net/socket.c:2406 + __sys_sendmsg+0xe5/0x1b0 net/socket.c:2439 + do_syscall_64+0x60/0xe0 arch/x86/entry/common.c:359 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 +RIP: 0033:0x45cb19 +Code: Bad RIP value. +RSP: 002b:00007fc540c65c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e +RAX: ffffffffffffffda RBX: 00000000004fed80 RCX: 000000000045cb19 +RDX: 0000000000000000 RSI: 0000000020001080 RDI: 0000000000000003 +RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff +R13: 000000000000095e R14: 00000000004cc295 R15: 00007fc540c666d4 + +Fixes: f66ee0410b1c ("netfilter: ipset: Fix "INFO: rcu detected stall in hash_xxx" reports") +Fixes: 03c8b234e61a ("netfilter: ipset: Generalize extensions support") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/ipset/ip_set_bitmap_ip.c | 2 +- + net/netfilter/ipset/ip_set_bitmap_ipmac.c | 2 +- + net/netfilter/ipset/ip_set_bitmap_port.c | 2 +- + net/netfilter/ipset/ip_set_hash_gen.h | 4 ++-- + 4 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/net/netfilter/ipset/ip_set_bitmap_ip.c b/net/netfilter/ipset/ip_set_bitmap_ip.c +index 486959f70cf31..a8ce04a4bb72a 100644 +--- a/net/netfilter/ipset/ip_set_bitmap_ip.c ++++ b/net/netfilter/ipset/ip_set_bitmap_ip.c +@@ -326,7 +326,7 @@ bitmap_ip_create(struct net *net, struct ip_set *set, struct nlattr *tb[], + set->variant = &bitmap_ip; + if (!init_map_ip(set, map, first_ip, last_ip, + elements, hosts, netmask)) { +- kfree(map); ++ ip_set_free(map); + return -ENOMEM; + } + if (tb[IPSET_ATTR_TIMEOUT]) { +diff --git a/net/netfilter/ipset/ip_set_bitmap_ipmac.c b/net/netfilter/ipset/ip_set_bitmap_ipmac.c +index 2310a316e0aff..2c625e0f49ec0 100644 +--- a/net/netfilter/ipset/ip_set_bitmap_ipmac.c ++++ b/net/netfilter/ipset/ip_set_bitmap_ipmac.c +@@ -363,7 +363,7 @@ bitmap_ipmac_create(struct net *net, struct ip_set *set, struct nlattr *tb[], + map->memsize = BITS_TO_LONGS(elements) * sizeof(unsigned long); + set->variant = &bitmap_ipmac; + if (!init_map_ipmac(set, map, first_ip, last_ip, elements)) { +- kfree(map); ++ ip_set_free(map); + return -ENOMEM; + } + if (tb[IPSET_ATTR_TIMEOUT]) { +diff --git a/net/netfilter/ipset/ip_set_bitmap_port.c b/net/netfilter/ipset/ip_set_bitmap_port.c +index e56ced66f202d..7138e080def4c 100644 +--- a/net/netfilter/ipset/ip_set_bitmap_port.c ++++ b/net/netfilter/ipset/ip_set_bitmap_port.c +@@ -274,7 +274,7 @@ bitmap_port_create(struct net *net, struct ip_set *set, struct nlattr *tb[], + map->memsize = BITS_TO_LONGS(elements) * sizeof(unsigned long); + set->variant = &bitmap_port; + if (!init_map_port(set, map, first_port, last_port)) { +- kfree(map); ++ ip_set_free(map); + return -ENOMEM; + } + if (tb[IPSET_ATTR_TIMEOUT]) { +diff --git a/net/netfilter/ipset/ip_set_hash_gen.h b/net/netfilter/ipset/ip_set_hash_gen.h +index 1ee43752d6d3c..521e970be4028 100644 +--- a/net/netfilter/ipset/ip_set_hash_gen.h ++++ b/net/netfilter/ipset/ip_set_hash_gen.h +@@ -682,7 +682,7 @@ mtype_resize(struct ip_set *set, bool retried) + } + t->hregion = ip_set_alloc(ahash_sizeof_regions(htable_bits)); + if (!t->hregion) { +- kfree(t); ++ ip_set_free(t); + ret = -ENOMEM; + goto out; + } +@@ -1533,7 +1533,7 @@ IPSET_TOKEN(HTYPE, _create)(struct net *net, struct ip_set *set, + } + t->hregion = ip_set_alloc(ahash_sizeof_regions(hbits)); + if (!t->hregion) { +- kfree(t); ++ ip_set_free(t); + kfree(h); + return -ENOMEM; + } +-- +2.25.1 + diff --git a/queue-5.7/nl80211-don-t-return-err-unconditionally-in-nl80211_.patch b/queue-5.7/nl80211-don-t-return-err-unconditionally-in-nl80211_.patch new file mode 100644 index 00000000000..2edd411561a --- /dev/null +++ b/queue-5.7/nl80211-don-t-return-err-unconditionally-in-nl80211_.patch @@ -0,0 +1,41 @@ +From 81e96f05610d656f8fff9f6d726055e51179a9c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Jun 2020 12:49:39 +0300 +Subject: nl80211: don't return err unconditionally in nl80211_start_ap() + +From: Luca Coelho + +[ Upstream commit bc7a39b4272b9672d806d422b6850e8c1a09914c ] + +When a memory leak was fixed, a return err was changed to goto err, +but, accidentally, the if (err) was removed, so now we always exit at +this point. + +Fix it by adding if (err) back. + +Fixes: 9951ebfcdf2b ("nl80211: fix potential leak in AP start") +Signed-off-by: Luca Coelho +Link: https://lore.kernel.org/r/iwlwifi.20200626124931.871ba5b31eee.I97340172d92164ee92f3c803fe20a8a6e97714e1@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/nl80211.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c +index 692bcd35f8094..a56ede64e70fc 100644 +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -5004,7 +5004,8 @@ static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info) + err = nl80211_parse_he_obss_pd( + info->attrs[NL80211_ATTR_HE_OBSS_PD], + ¶ms.he_obss_pd); +- goto out; ++ if (err) ++ goto out; + } + + if (info->attrs[NL80211_ATTR_HE_BSS_COLOR]) { +-- +2.25.1 + diff --git a/queue-5.7/nl80211-fix-memory-leak-when-parsing-nl80211_attr_he.patch b/queue-5.7/nl80211-fix-memory-leak-when-parsing-nl80211_attr_he.patch new file mode 100644 index 00000000000..dff5ade789b --- /dev/null +++ b/queue-5.7/nl80211-fix-memory-leak-when-parsing-nl80211_attr_he.patch @@ -0,0 +1,38 @@ +From 9f120f5793216844b4d9bfb55b064ba10252e5d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Jun 2020 12:49:40 +0300 +Subject: nl80211: fix memory leak when parsing NL80211_ATTR_HE_BSS_COLOR + +From: Luca Coelho + +[ Upstream commit 60a0121f8fa64b0f4297aa6fef8207500483a874 ] + +If there is an error when parsing the NL80211_ATTR_HE_BSS_COLOR +attribute, we return immediately without freeing param.acl. Fit it by +using goto out instead of returning immediately. + +Fixes: 5c5e52d1bb96 ("nl80211: add handling for BSS color") +Signed-off-by: Luca Coelho +Link: https://lore.kernel.org/r/iwlwifi.20200626124931.7ad2a3eb894f.I60905fb70bd20389a3b170db515a07275e31845e@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/nl80211.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c +index a56ede64e70fc..7ae6b90e0d264 100644 +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -5013,7 +5013,7 @@ static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info) + info->attrs[NL80211_ATTR_HE_BSS_COLOR], + ¶ms.he_bss_color); + if (err) +- return err; ++ goto out; + } + + nl80211_calculate_ap_params(¶ms); +-- +2.25.1 + diff --git a/queue-5.7/perf-intel-pt-fix-pebs-sample-for-xmm-registers.patch b/queue-5.7/perf-intel-pt-fix-pebs-sample-for-xmm-registers.patch new file mode 100644 index 00000000000..5c3e674dbb5 --- /dev/null +++ b/queue-5.7/perf-intel-pt-fix-pebs-sample-for-xmm-registers.patch @@ -0,0 +1,49 @@ +From 0f8ab9e17b31a2d2e007ff689546d39c2225838b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Jun 2020 16:39:35 +0300 +Subject: perf intel-pt: Fix PEBS sample for XMM registers + +From: Adrian Hunter + +[ Upstream commit 4c95ad261cfac120dd66238fcae222766754c219 ] + +The condition to add XMM registers was missing, the regs array needed to +be in the outer scope, and the size of the regs array was too small. + +Fixes: 143d34a6b387b ("perf intel-pt: Add XMM registers to synthesized PEBS sample") +Signed-off-by: Adrian Hunter +Cc: Jiri Olsa +Cc: Luwei Kang +Link: http://lore.kernel.org/lkml/20200630133935.11150-4-adrian.hunter@intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/intel-pt.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/tools/perf/util/intel-pt.c b/tools/perf/util/intel-pt.c +index 23c8289c2472d..545d1cdc0ec87 100644 +--- a/tools/perf/util/intel-pt.c ++++ b/tools/perf/util/intel-pt.c +@@ -1731,6 +1731,7 @@ static int intel_pt_synth_pebs_sample(struct intel_pt_queue *ptq) + u64 sample_type = evsel->core.attr.sample_type; + u64 id = evsel->core.id[0]; + u8 cpumode; ++ u64 regs[8 * sizeof(sample.intr_regs.mask)]; + + if (intel_pt_skip_event(pt)) + return 0; +@@ -1780,8 +1781,8 @@ static int intel_pt_synth_pebs_sample(struct intel_pt_queue *ptq) + } + + if (sample_type & PERF_SAMPLE_REGS_INTR && +- items->mask[INTEL_PT_GP_REGS_POS]) { +- u64 regs[sizeof(sample.intr_regs.mask)]; ++ (items->mask[INTEL_PT_GP_REGS_POS] || ++ items->mask[INTEL_PT_XMM_POS])) { + u64 regs_mask = evsel->core.attr.sample_regs_intr; + u64 *pos; + +-- +2.25.1 + diff --git a/queue-5.7/perf-intel-pt-fix-recording-pebs-via-pt-with-registe.patch b/queue-5.7/perf-intel-pt-fix-recording-pebs-via-pt-with-registe.patch new file mode 100644 index 00000000000..83d6bffbeba --- /dev/null +++ b/queue-5.7/perf-intel-pt-fix-recording-pebs-via-pt-with-registe.patch @@ -0,0 +1,69 @@ +From 6871c7fe8809bbc5b9f3eb5d8d15585873e38ec8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Jun 2020 16:39:33 +0300 +Subject: perf intel-pt: Fix recording PEBS-via-PT with registers + +From: Adrian Hunter + +[ Upstream commit 75bcb8776dc987538f267ba4ba05ca43fc2b1676 ] + +When recording PEBS-via-PT, the kernel will not accept the intel_pt +event with register sampling e.g. + + # perf record --kcore -c 10000 -e '{intel_pt/branch=0/,branch-loads/aux-output/ppp}' -I -- ls -l + Error: + intel_pt/branch=0/: PMU Hardware doesn't support sampling/overflow-interrupts. Try 'perf stat' + +Fix by suppressing register sampling on the intel_pt evsel. + +Committer notes: + +Adrian informed that this is only available from Tremont onwards, so on +older processors the error continues the same as before. + +Fixes: 9e64cefe4335b ("perf intel-pt: Process options for PEBS event synthesis") +Signed-off-by: Adrian Hunter +Cc: Jiri Olsa +Cc: Luwei Kang +Link: http://lore.kernel.org/lkml/20200630133935.11150-2-adrian.hunter@intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/arch/x86/util/intel-pt.c | 1 + + tools/perf/util/evsel.c | 4 ++-- + 2 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/tools/perf/arch/x86/util/intel-pt.c b/tools/perf/arch/x86/util/intel-pt.c +index 1643aed8c4c8e..2a548fbdf2a2a 100644 +--- a/tools/perf/arch/x86/util/intel-pt.c ++++ b/tools/perf/arch/x86/util/intel-pt.c +@@ -634,6 +634,7 @@ static int intel_pt_recording_options(struct auxtrace_record *itr, + } + evsel->core.attr.freq = 0; + evsel->core.attr.sample_period = 1; ++ evsel->no_aux_samples = true; + intel_pt_evsel = evsel; + opts->full_auxtrace = true; + } +diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c +index eb880efbce16d..386950f29792a 100644 +--- a/tools/perf/util/evsel.c ++++ b/tools/perf/util/evsel.c +@@ -1048,12 +1048,12 @@ void perf_evsel__config(struct evsel *evsel, struct record_opts *opts, + if (callchain && callchain->enabled && !evsel->no_aux_samples) + perf_evsel__config_callchain(evsel, opts, callchain); + +- if (opts->sample_intr_regs) { ++ if (opts->sample_intr_regs && !evsel->no_aux_samples) { + attr->sample_regs_intr = opts->sample_intr_regs; + perf_evsel__set_sample_bit(evsel, REGS_INTR); + } + +- if (opts->sample_user_regs) { ++ if (opts->sample_user_regs && !evsel->no_aux_samples) { + attr->sample_regs_user |= opts->sample_user_regs; + perf_evsel__set_sample_bit(evsel, REGS_USER); + } +-- +2.25.1 + diff --git a/queue-5.7/perf-report-tui-fix-segmentation-fault-in-perf_evsel.patch b/queue-5.7/perf-report-tui-fix-segmentation-fault-in-perf_evsel.patch new file mode 100644 index 00000000000..eb67ce0e67a --- /dev/null +++ b/queue-5.7/perf-report-tui-fix-segmentation-fault-in-perf_evsel.patch @@ -0,0 +1,84 @@ +From a89886419ee4a51f612203306baaea1c224934ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Jun 2020 17:43:22 +0800 +Subject: perf report TUI: Fix segmentation fault in perf_evsel__hists_browse() + +From: Wei Li + +[ Upstream commit d61cbb859b45fdb6b4997f2d51834fae41af0e94 ] + +The segmentation fault can be reproduced as following steps: + +1) Executing perf report in tui. + +2) Typing '/xxxxx' to filter the symbol to get nothing matched. + +3) Pressing enter with no entry selected. + +Then it will report a segmentation fault. + +It is caused by the lack of check of browser->he_selection when +accessing it's member res_samples in perf_evsel__hists_browse(). + +These processes are meaningful for specified samples, so we can skip +these when nothing is selected. + +Fixes: 4968ac8fb7c3 ("perf report: Implement browsing of individual samples") +Signed-off-by: Wei Li +Acked-by: Jiri Olsa +Acked-by: Namhyung Kim +Tested-by: Arnaldo Carvalho de Melo +Cc: Alexander Shishkin +Cc: Andi Kleen +Cc: Hanjun Guo +Cc: Jin Yao +Cc: Mark Rutland +Link: http://lore.kernel.org/lkml/20200612094322.39565-1-liwei391@huawei.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/ui/browsers/hists.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +diff --git a/tools/perf/ui/browsers/hists.c b/tools/perf/ui/browsers/hists.c +index 487e54ef56a98..2101b6b770d81 100644 +--- a/tools/perf/ui/browsers/hists.c ++++ b/tools/perf/ui/browsers/hists.c +@@ -2288,6 +2288,11 @@ static struct thread *hist_browser__selected_thread(struct hist_browser *browser + return browser->he_selection->thread; + } + ++static struct res_sample *hist_browser__selected_res_sample(struct hist_browser *browser) ++{ ++ return browser->he_selection ? browser->he_selection->res_samples : NULL; ++} ++ + /* Check whether the browser is for 'top' or 'report' */ + static inline bool is_report_browser(void *timer) + { +@@ -3357,16 +3362,16 @@ static int perf_evsel__hists_browse(struct evsel *evsel, int nr_events, + &options[nr_options], NULL, NULL, evsel); + nr_options += add_res_sample_opt(browser, &actions[nr_options], + &options[nr_options], +- hist_browser__selected_entry(browser)->res_samples, +- evsel, A_NORMAL); ++ hist_browser__selected_res_sample(browser), ++ evsel, A_NORMAL); + nr_options += add_res_sample_opt(browser, &actions[nr_options], + &options[nr_options], +- hist_browser__selected_entry(browser)->res_samples, +- evsel, A_ASM); ++ hist_browser__selected_res_sample(browser), ++ evsel, A_ASM); + nr_options += add_res_sample_opt(browser, &actions[nr_options], + &options[nr_options], +- hist_browser__selected_entry(browser)->res_samples, +- evsel, A_SOURCE); ++ hist_browser__selected_res_sample(browser), ++ evsel, A_SOURCE); + nr_options += add_switch_opt(browser, &actions[nr_options], + &options[nr_options]); + skip_scripting: +-- +2.25.1 + diff --git a/queue-5.7/powerpc-64s-exception-fix-0x1500-interrupt-handler-c.patch b/queue-5.7/powerpc-64s-exception-fix-0x1500-interrupt-handler-c.patch new file mode 100644 index 00000000000..60bc3f1f3d8 --- /dev/null +++ b/queue-5.7/powerpc-64s-exception-fix-0x1500-interrupt-handler-c.patch @@ -0,0 +1,46 @@ +From 7b1aef4c8c7acabd456cabe8f9e6d7c9de3b256d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Jul 2020 17:49:42 +1000 +Subject: powerpc/64s/exception: Fix 0x1500 interrupt handler crash + +From: Nicholas Piggin + +[ Upstream commit 4557ac6b344b8cdf948ff8b007e8e1de34832f2e ] + +A typo caused the interrupt handler to branch immediately to the +common "unknown interrupt" handler and skip the special case test for +denormal cause. + +This does not affect KVM softpatch handling (e.g., for POWER9 TM +assist) because the KVM test was moved to common code by commit +9600f261acaa ("powerpc/64s/exception: Move KVM test to common code") +just before this bug was introduced. + +Fixes: 3f7fbd97d07d ("powerpc/64s/exception: Clean up SRR specifiers") +Reported-by: Paul Menzel +Signed-off-by: Nicholas Piggin +Tested-by: Paul Menzel +[mpe: Split selftest into a separate patch] +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200708074942.1713396-1-npiggin@gmail.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/exceptions-64s.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/powerpc/kernel/exceptions-64s.S b/arch/powerpc/kernel/exceptions-64s.S +index d9ddce40bed89..fd99d4feec7a4 100644 +--- a/arch/powerpc/kernel/exceptions-64s.S ++++ b/arch/powerpc/kernel/exceptions-64s.S +@@ -2547,7 +2547,7 @@ EXC_VIRT_NONE(0x5400, 0x100) + INT_DEFINE_BEGIN(denorm_exception) + IVEC=0x1500 + IHSRR=1 +- IBRANCH_COMMON=0 ++ IBRANCH_TO_COMMON=0 + IKVM_REAL=1 + INT_DEFINE_END(denorm_exception) + +-- +2.25.1 + diff --git a/queue-5.7/qed-populate-nvm-file-attributes-while-reading-nvm-c.patch b/queue-5.7/qed-populate-nvm-file-attributes-while-reading-nvm-c.patch new file mode 100644 index 00000000000..873dd84f4fa --- /dev/null +++ b/queue-5.7/qed-populate-nvm-file-attributes-while-reading-nvm-c.patch @@ -0,0 +1,129 @@ +From 88c9527cccd9d9c5316535ebefc1049562d33735 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Jul 2020 20:14:29 -0700 +Subject: qed: Populate nvm-file attributes while reading nvm config partition. + +From: Sudarsana Reddy Kalluru + +[ Upstream commit 13cf8aab7425a253070433b5a55b4209ceac8b19 ] + +NVM config file address will be modified when the MBI image is upgraded. +Driver would return stale config values if user reads the nvm-config +(via ethtool -d) in this state. The fix is to re-populate nvm attribute +info while reading the nvm config values/partition. + +Changes from previous version: +------------------------------- +v3: Corrected the formatting in 'Fixes' tag. +v2: Added 'Fixes' tag. + +Fixes: 1ac4329a1cff ("qed: Add configuration information to register dump and debug data") +Signed-off-by: Sudarsana Reddy Kalluru +Signed-off-by: Igor Russkikh +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qed/qed_debug.c | 4 ++++ + drivers/net/ethernet/qlogic/qed/qed_dev.c | 12 +++--------- + drivers/net/ethernet/qlogic/qed/qed_mcp.c | 7 +++++++ + drivers/net/ethernet/qlogic/qed/qed_mcp.h | 7 +++++++ + 4 files changed, 21 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/ethernet/qlogic/qed/qed_debug.c b/drivers/net/ethernet/qlogic/qed/qed_debug.c +index 03ce18f653932..25745b75daf32 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_debug.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_debug.c +@@ -7941,6 +7941,10 @@ int qed_dbg_all_data(struct qed_dev *cdev, void *buffer) + DP_ERR(cdev, "qed_dbg_mcp_trace failed. rc = %d\n", rc); + } + ++ /* Re-populate nvm attribute info */ ++ qed_mcp_nvm_info_free(p_hwfn); ++ qed_mcp_nvm_info_populate(p_hwfn); ++ + /* nvm cfg1 */ + rc = qed_dbg_nvm_image(cdev, + (u8 *)buffer + offset + +diff --git a/drivers/net/ethernet/qlogic/qed/qed_dev.c b/drivers/net/ethernet/qlogic/qed/qed_dev.c +index 9b00988fb77e1..58913fe4f3457 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_dev.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_dev.c +@@ -4466,12 +4466,6 @@ static int qed_get_dev_info(struct qed_hwfn *p_hwfn, struct qed_ptt *p_ptt) + return 0; + } + +-static void qed_nvm_info_free(struct qed_hwfn *p_hwfn) +-{ +- kfree(p_hwfn->nvm_info.image_att); +- p_hwfn->nvm_info.image_att = NULL; +-} +- + static int qed_hw_prepare_single(struct qed_hwfn *p_hwfn, + void __iomem *p_regview, + void __iomem *p_doorbells, +@@ -4556,7 +4550,7 @@ static int qed_hw_prepare_single(struct qed_hwfn *p_hwfn, + return rc; + err3: + if (IS_LEAD_HWFN(p_hwfn)) +- qed_nvm_info_free(p_hwfn); ++ qed_mcp_nvm_info_free(p_hwfn); + err2: + if (IS_LEAD_HWFN(p_hwfn)) + qed_iov_free_hw_info(p_hwfn->cdev); +@@ -4617,7 +4611,7 @@ int qed_hw_prepare(struct qed_dev *cdev, + if (rc) { + if (IS_PF(cdev)) { + qed_init_free(p_hwfn); +- qed_nvm_info_free(p_hwfn); ++ qed_mcp_nvm_info_free(p_hwfn); + qed_mcp_free(p_hwfn); + qed_hw_hwfn_free(p_hwfn); + } +@@ -4651,7 +4645,7 @@ void qed_hw_remove(struct qed_dev *cdev) + + qed_iov_free_hw_info(cdev); + +- qed_nvm_info_free(p_hwfn); ++ qed_mcp_nvm_info_free(p_hwfn); + } + + static void qed_chain_free_next_ptr(struct qed_dev *cdev, +diff --git a/drivers/net/ethernet/qlogic/qed/qed_mcp.c b/drivers/net/ethernet/qlogic/qed/qed_mcp.c +index 280527cc05781..99548d5b44ea1 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_mcp.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_mcp.c +@@ -3151,6 +3151,13 @@ int qed_mcp_nvm_info_populate(struct qed_hwfn *p_hwfn) + return rc; + } + ++void qed_mcp_nvm_info_free(struct qed_hwfn *p_hwfn) ++{ ++ kfree(p_hwfn->nvm_info.image_att); ++ p_hwfn->nvm_info.image_att = NULL; ++ p_hwfn->nvm_info.valid = false; ++} ++ + int + qed_mcp_get_nvm_image_att(struct qed_hwfn *p_hwfn, + enum qed_nvm_images image_id, +diff --git a/drivers/net/ethernet/qlogic/qed/qed_mcp.h b/drivers/net/ethernet/qlogic/qed/qed_mcp.h +index 9c4c2763de8d7..e38297383b007 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_mcp.h ++++ b/drivers/net/ethernet/qlogic/qed/qed_mcp.h +@@ -1192,6 +1192,13 @@ void qed_mcp_read_ufp_config(struct qed_hwfn *p_hwfn, struct qed_ptt *p_ptt); + */ + int qed_mcp_nvm_info_populate(struct qed_hwfn *p_hwfn); + ++/** ++ * @brief Delete nvm info shadow in the given hardware function ++ * ++ * @param p_hwfn ++ */ ++void qed_mcp_nvm_info_free(struct qed_hwfn *p_hwfn); ++ + /** + * @brief Get the engine affinity configuration. + * +-- +2.25.1 + diff --git a/queue-5.7/rdma-siw-fix-reporting-vendor_part_id.patch b/queue-5.7/rdma-siw-fix-reporting-vendor_part_id.patch new file mode 100644 index 00000000000..6c59c6f4f5f --- /dev/null +++ b/queue-5.7/rdma-siw-fix-reporting-vendor_part_id.patch @@ -0,0 +1,46 @@ +From 3a74ca04ed9bcfd6db9ef7353d8ecd9ad4d8a7c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Jul 2020 16:09:31 +0300 +Subject: RDMA/siw: Fix reporting vendor_part_id + +From: Kamal Heib + +[ Upstream commit 04340645f69ab7abb6f9052688a60f0213b3f79c ] + +Move the initialization of the vendor_part_id to be before calling +ib_register_device(), this is needed because the query_device() callback +is called from the context of ib_register_device() before initializing the +vendor_part_id, so the reported value is wrong. + +Fixes: bdcf26bf9b3a ("rdma/siw: network and RDMA core interface") +Link: https://lore.kernel.org/r/20200707130931.444724-1-kamalheib1@gmail.com +Signed-off-by: Kamal Heib +Reviewed-by: Bernard Metzler +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/sw/siw/siw_main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/sw/siw/siw_main.c b/drivers/infiniband/sw/siw/siw_main.c +index 5cd40fb9e20ce..634c4b3716238 100644 +--- a/drivers/infiniband/sw/siw/siw_main.c ++++ b/drivers/infiniband/sw/siw/siw_main.c +@@ -67,12 +67,13 @@ static int siw_device_register(struct siw_device *sdev, const char *name) + static int dev_id = 1; + int rv; + ++ sdev->vendor_part_id = dev_id++; ++ + rv = ib_register_device(base_dev, name); + if (rv) { + pr_warn("siw: device registration error %d\n", rv); + return rv; + } +- sdev->vendor_part_id = dev_id++; + + siw_dbg(base_dev, "HWaddr=%pM\n", sdev->netdev->dev_addr); + +-- +2.25.1 + diff --git a/queue-5.7/selftests-bpf-fix-detach-from-sockmap-tests.patch b/queue-5.7/selftests-bpf-fix-detach-from-sockmap-tests.patch new file mode 100644 index 00000000000..8ef6fbf8e5e --- /dev/null +++ b/queue-5.7/selftests-bpf-fix-detach-from-sockmap-tests.patch @@ -0,0 +1,79 @@ +From 97b2b3b59df5c2f5450d44f695a566e95fc42a79 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Jul 2020 12:51:51 +0100 +Subject: selftests: bpf: Fix detach from sockmap tests + +From: Lorenz Bauer + +[ Upstream commit f43cb0d672aa8eb09bfdb779de5900c040487d1d ] + +Fix sockmap tests which rely on old bpf_prog_dispatch behaviour. +In the first case, the tests check that detaching without giving +a program succeeds. Since these are not the desired semantics, +invert the condition. In the second case, the clean up code doesn't +supply the necessary program fds. + +Fixes: bb0de3131f4c ("bpf: sockmap: Require attach_bpf_fd when detaching a program") +Reported-by: Martin KaFai Lau +Signed-off-by: Lorenz Bauer +Signed-off-by: Daniel Borkmann +Reviewed-by: Jakub Sitnicki +Link: https://lore.kernel.org/bpf/20200709115151.75829-1-lmb@cloudflare.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/test_maps.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/tools/testing/selftests/bpf/test_maps.c b/tools/testing/selftests/bpf/test_maps.c +index c6766b2cff853..9990e91c18dff 100644 +--- a/tools/testing/selftests/bpf/test_maps.c ++++ b/tools/testing/selftests/bpf/test_maps.c +@@ -789,19 +789,19 @@ static void test_sockmap(unsigned int tasks, void *data) + } + + err = bpf_prog_detach(fd, BPF_SK_SKB_STREAM_PARSER); +- if (err) { ++ if (!err) { + printf("Failed empty parser prog detach\n"); + goto out_sockmap; + } + + err = bpf_prog_detach(fd, BPF_SK_SKB_STREAM_VERDICT); +- if (err) { ++ if (!err) { + printf("Failed empty verdict prog detach\n"); + goto out_sockmap; + } + + err = bpf_prog_detach(fd, BPF_SK_MSG_VERDICT); +- if (err) { ++ if (!err) { + printf("Failed empty msg verdict prog detach\n"); + goto out_sockmap; + } +@@ -1090,19 +1090,19 @@ static void test_sockmap(unsigned int tasks, void *data) + assert(status == 0); + } + +- err = bpf_prog_detach(map_fd_rx, __MAX_BPF_ATTACH_TYPE); ++ err = bpf_prog_detach2(parse_prog, map_fd_rx, __MAX_BPF_ATTACH_TYPE); + if (!err) { + printf("Detached an invalid prog type.\n"); + goto out_sockmap; + } + +- err = bpf_prog_detach(map_fd_rx, BPF_SK_SKB_STREAM_PARSER); ++ err = bpf_prog_detach2(parse_prog, map_fd_rx, BPF_SK_SKB_STREAM_PARSER); + if (err) { + printf("Failed parser prog detach\n"); + goto out_sockmap; + } + +- err = bpf_prog_detach(map_fd_rx, BPF_SK_SKB_STREAM_VERDICT); ++ err = bpf_prog_detach2(verdict_prog, map_fd_rx, BPF_SK_SKB_STREAM_VERDICT); + if (err) { + printf("Failed parser prog detach\n"); + goto out_sockmap; +-- +2.25.1 + diff --git a/queue-5.7/series b/queue-5.7/series index 424b5cd876c..041385e41a1 100644 --- a/queue-5.7/series +++ b/queue-5.7/series @@ -42,3 +42,64 @@ x86-entry-increase-entry_stack-size-to-a-full-page.patch arm64-add-kryo-3-4-xx-silver-cpu-cores-to-ssb-safeli.patch nfs-fix-memory-leak-of-export_path.patch sched-core-check-cpus_mask-not-cpus_ptr-in-__set_cpu.patch +mtd-set-master-partition-panic-write-flag.patch +gpio-pca953x-synchronize-interrupt-handler-properly.patch +gpio-pca953x-override-irq-for-one-of-the-expanders-o.patch +gpio-pca953x-fix-direction-setting-when-configure-an.patch +gpio-pca953x-fix-gpio-resource-leak-on-intel-galileo.patch +asoc-fsl_mqs-don-t-check-clock-is-null-before-callin.patch +asoc-fsl_mqs-fix-unchecked-return-value-for-clk_prep.patch +kvm-arm64-vgic-v4-plug-race-between-non-residency-an.patch +mac80211-fix-dropping-broadcast-packets-in-802.11-en.patch +bpf-do-not-allow-btf_ctx_access-with-__int128-types.patch +nl80211-don-t-return-err-unconditionally-in-nl80211_.patch +nl80211-fix-memory-leak-when-parsing-nl80211_attr_he.patch +drm-mediatek-check-plane-visibility-in-atomic_update.patch +bpf-sockmap-rcu-splat-with-redirect-and-strparser-er.patch +bpf-sockmap-rcu-dereferenced-psock-may-be-used-outsi.patch +netfilter-ipset-call-ip_set_free-instead-of-kfree.patch +net-mvneta-fix-use-of-state-speed.patch +net-ipa-no-checksum-offload-for-sdm845-lan-rx.patch +net-cxgb4-fix-return-error-value-in-t4_prep_fw.patch +btrfs-fix-reclaim_size-counter-leak-after-stealing-f.patch +drm-meson-viu-fix-setting-the-osd-burst-length-in-vi.patch +ib-sa-resolv-use-after-free-in-ib_nl_make_request.patch +net-dsa-microchip-set-the-correct-number-of-ports.patch +netfilter-conntrack-refetch-conntrack-after-nf_connt.patch +net-rmnet-fix-lower-interface-leak.patch +net-rmnet-do-not-allow-to-add-multiple-bridge-interf.patch +perf-report-tui-fix-segmentation-fault-in-perf_evsel.patch +perf-intel-pt-fix-recording-pebs-via-pt-with-registe.patch +perf-intel-pt-fix-pebs-sample-for-xmm-registers.patch +smsc95xx-check-return-value-of-smsc95xx_reset.patch +smsc95xx-avoid-memory-leak-in-smsc95xx_bind.patch +net-hns3-check-reset-pending-after-flr-prepare.patch +net-hns3-fix-for-mishandle-of-asserting-vf-reset-fai.patch +net-hns3-add-a-missing-uninit-debugfs-when-unload-dr.patch +net-hns3-fix-use-after-free-when-doing-self-test.patch +alsa-compress-fix-partial_drain-completion-state.patch +net-ipa-fix-qmi-structure-definition-bugs.patch +net-qed-fix-buffer-overflow-on-ethtool-d.patch +ionic-centralize-queue-reset-code.patch +powerpc-64s-exception-fix-0x1500-interrupt-handler-c.patch +rdma-siw-fix-reporting-vendor_part_id.patch +net-atlantic-fix-ip-dst-and-ipv6-address-filters.patch +arm64-kgdb-fix-single-step-exception-handling-oops.patch +nbd-fix-memory-leak-in-nbd_add_socket.patch +cxgb4-fix-all-mask-ip-address-comparison.patch +ib-mlx5-fix-50g-per-lane-indication.patch +qed-populate-nvm-file-attributes-while-reading-nvm-c.patch +selftests-bpf-fix-detach-from-sockmap-tests.patch +net-mlx5-fix-eeprom-support-for-sfp-module.patch +net-mlx5e-fix-vxlan-configuration-restore-after-func.patch +net-mlx5e-fix-cpu-mapping-after-function-reload-to-a.patch +net-mlx5e-fix-50g-per-lane-indication.patch +net-mlx5e-ct-fix-memory-leak-in-cleanup.patch +bnxt_en-fix-null-dereference-in-case-sr-iov-configur.patch +net-macb-fix-wakeup-test-in-runtime-suspend-resume-r.patch +net-macb-mark-device-wake-capable-when-magic-packet-.patch +net-macb-fix-macb_get-set_wol-when-moving-to-phylink.patch +net-macb-fix-macb_suspend-by-removing-call-to-netif_.patch +net-macb-fix-call-to-pm_runtime-in-the-suspend-resum.patch +mlxsw-spectrum_router-remove-inappropriate-usage-of-.patch +mlxsw-pci-fix-use-after-free-in-case-of-failed-devli.patch diff --git a/queue-5.7/smsc95xx-avoid-memory-leak-in-smsc95xx_bind.patch b/queue-5.7/smsc95xx-avoid-memory-leak-in-smsc95xx_bind.patch new file mode 100644 index 00000000000..646e6ce91e4 --- /dev/null +++ b/queue-5.7/smsc95xx-avoid-memory-leak-in-smsc95xx_bind.patch @@ -0,0 +1,39 @@ +From e41c5d5d6476bf689c3eb4a5036bc17568a9edd7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Jul 2020 10:39:35 +0200 +Subject: smsc95xx: avoid memory leak in smsc95xx_bind + +From: Andre Edich + +[ Upstream commit 3ed58f96a70b85ef646d5427258f677f1395b62f ] + +In a case where the ID_REV register read is failed, the memory for a +private data structure has to be freed before returning error from the +function smsc95xx_bind. + +Fixes: bbd9f9ee69242 ("smsc95xx: add wol support for more frame types") +Signed-off-by: Andre Edich +Signed-off-by: Parthiban Veerasooran +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/smsc95xx.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/usb/smsc95xx.c b/drivers/net/usb/smsc95xx.c +index eb404bb74e18e..bb4ccbda031ab 100644 +--- a/drivers/net/usb/smsc95xx.c ++++ b/drivers/net/usb/smsc95xx.c +@@ -1293,7 +1293,8 @@ static int smsc95xx_bind(struct usbnet *dev, struct usb_interface *intf) + /* detect device revision as different features may be available */ + ret = smsc95xx_read_reg(dev, ID_REV, &val); + if (ret < 0) +- return ret; ++ goto free_pdata; ++ + val >>= 16; + pdata->chip_id = val; + pdata->mdix_ctrl = get_mdix_status(dev->net); +-- +2.25.1 + diff --git a/queue-5.7/smsc95xx-check-return-value-of-smsc95xx_reset.patch b/queue-5.7/smsc95xx-check-return-value-of-smsc95xx_reset.patch new file mode 100644 index 00000000000..b2b4736acde --- /dev/null +++ b/queue-5.7/smsc95xx-check-return-value-of-smsc95xx_reset.patch @@ -0,0 +1,48 @@ +From 923944f6fe8e8e8838e733c51be0deb8300367af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Jul 2020 10:39:34 +0200 +Subject: smsc95xx: check return value of smsc95xx_reset + +From: Andre Edich + +[ Upstream commit 7c8b1e855f94f88a0c569be6309fc8d5c8844cd1 ] + +The return value of the function smsc95xx_reset() must be checked +to avoid returning false success from the function smsc95xx_bind(). + +Fixes: 2f7ca802bdae2 ("net: Add SMSC LAN9500 USB2.0 10/100 ethernet adapter driver") +Signed-off-by: Andre Edich +Signed-off-by: Parthiban Veerasooran +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/smsc95xx.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/usb/smsc95xx.c b/drivers/net/usb/smsc95xx.c +index 3cf4dc3433f91..eb404bb74e18e 100644 +--- a/drivers/net/usb/smsc95xx.c ++++ b/drivers/net/usb/smsc95xx.c +@@ -1287,6 +1287,8 @@ static int smsc95xx_bind(struct usbnet *dev, struct usb_interface *intf) + + /* Init all registers */ + ret = smsc95xx_reset(dev); ++ if (ret) ++ goto free_pdata; + + /* detect device revision as different features may be available */ + ret = smsc95xx_read_reg(dev, ID_REV, &val); +@@ -1317,6 +1319,10 @@ static int smsc95xx_bind(struct usbnet *dev, struct usb_interface *intf) + schedule_delayed_work(&pdata->carrier_check, CARRIER_CHECK_DELAY); + + return 0; ++ ++free_pdata: ++ kfree(pdata); ++ return ret; + } + + static void smsc95xx_unbind(struct usbnet *dev, struct usb_interface *intf) +-- +2.25.1 + -- 2.47.3