From 6153c1c98697c227c75b8b3c6c86485767f72f74 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Sun, 30 May 2021 16:20:50 +0200 Subject: [PATCH] 5.10-stable patches added patches: bluetooth-cmtp-fix-file-refcount-when-cmtp_attach_device-fails.patch drm-meson-fix-shutdown-crash-when-component-not-probed.patch fs-nfs-use-fatal_signal_pending-instead-of-signal_pending.patch net-mlx4-fix-eeprom-dump-support.patch net-mlx5-set-reformat-action-when-needed-for-termination-rules.patch net-mlx5-set-term-table-as-an-unmanaged-flow-table.patch net-mlx5e-fix-error-path-of-updating-netdev-queues.patch net-mlx5e-fix-multipath-lag-activation.patch net-mlx5e-fix-null-deref-accessing-lag-dev.patch net-mlx5e-fix-nullptr-in-add_vlan_push_action.patch net-mlx5e-reset-xps-on-error-flow-if-netdev-isn-t-registered-yet.patch net-vdpa-mlx5-configure-interface-mac-into-mpfs-l2-table.patch nfs-don-t-corrupt-the-value-of-pg_bytes_written-in-nfs_do_recoalesce.patch nfs-fix-an-incorrect-limit-in-filelayout_decode_layout.patch nfs-fix-an-oopsable-condition-in-__nfs_pageio_add_request.patch nfsv4-fix-v4.0-v4.1-seek_data-return-enotsupp-when-set-nfs_v4_2-config.patch revert-net-tipc-fix-a-double-free-in-tipc_sk_mcast_rcv.patch spi-spi-fsl-dspi-fix-a-resource-leak-in-an-error-handling-path.patch sunrpc-in-case-of-backlog-hand-free-slots-directly-to-waiting-task.patch tipc-skb_linearize-the-head-skb-when-reassembling-msgs.patch tipc-wait-and-exit-until-all-work-queues-are-done.patch --- ...fcount-when-cmtp_attach_device-fails.patch | 40 ++++ ...down-crash-when-component-not-probed.patch | 59 ++++++ ...al_pending-instead-of-signal_pending.patch | 41 ++++ .../net-mlx4-fix-eeprom-dump-support.patch | 198 ++++++++++++++++++ ...on-when-needed-for-termination-rules.patch | 84 ++++++++ ...erm-table-as-an-unmanaged-flow-table.patch | 61 ++++++ ...error-path-of-updating-netdev-queues.patch | 33 +++ ...t-mlx5e-fix-multipath-lag-activation.patch | 51 +++++ ...x5e-fix-null-deref-accessing-lag-dev.patch | 35 ++++ ...-fix-nullptr-in-add_vlan_push_action.patch | 51 +++++ 
...-flow-if-netdev-isn-t-registered-yet.patch | 67 ++++++ ...ure-interface-mac-into-mpfs-l2-table.patch | 186 ++++++++++++++++ ...g_bytes_written-in-nfs_do_recoalesce.patch | 52 +++++ ...ct-limit-in-filelayout_decode_layout.patch | 34 +++ ...ondition-in-__nfs_pageio_add_request.patch | 45 ++++ ...rn-enotsupp-when-set-nfs_v4_2-config.patch | 36 ++++ ...x-a-double-free-in-tipc_sk_mcast_rcv.patch | 36 ++++ queue-5.10/series | 21 ++ ...ource-leak-in-an-error-handling-path.patch | 40 ++++ ...-free-slots-directly-to-waiting-task.patch | 182 ++++++++++++++++ ...-the-head-skb-when-reassembling-msgs.patch | 95 +++++++++ ...-exit-until-all-work-queues-are-done.patch | 88 ++++++++ 22 files changed, 1535 insertions(+) create mode 100644 queue-5.10/bluetooth-cmtp-fix-file-refcount-when-cmtp_attach_device-fails.patch create mode 100644 queue-5.10/drm-meson-fix-shutdown-crash-when-component-not-probed.patch create mode 100644 queue-5.10/fs-nfs-use-fatal_signal_pending-instead-of-signal_pending.patch create mode 100644 queue-5.10/net-mlx4-fix-eeprom-dump-support.patch create mode 100644 queue-5.10/net-mlx5-set-reformat-action-when-needed-for-termination-rules.patch create mode 100644 queue-5.10/net-mlx5-set-term-table-as-an-unmanaged-flow-table.patch create mode 100644 queue-5.10/net-mlx5e-fix-error-path-of-updating-netdev-queues.patch create mode 100644 queue-5.10/net-mlx5e-fix-multipath-lag-activation.patch create mode 100644 queue-5.10/net-mlx5e-fix-null-deref-accessing-lag-dev.patch create mode 100644 queue-5.10/net-mlx5e-fix-nullptr-in-add_vlan_push_action.patch create mode 100644 queue-5.10/net-mlx5e-reset-xps-on-error-flow-if-netdev-isn-t-registered-yet.patch create mode 100644 queue-5.10/net-vdpa-mlx5-configure-interface-mac-into-mpfs-l2-table.patch create mode 100644 queue-5.10/nfs-don-t-corrupt-the-value-of-pg_bytes_written-in-nfs_do_recoalesce.patch create mode 100644 queue-5.10/nfs-fix-an-incorrect-limit-in-filelayout_decode_layout.patch create mode 100644 
queue-5.10/nfs-fix-an-oopsable-condition-in-__nfs_pageio_add_request.patch create mode 100644 queue-5.10/nfsv4-fix-v4.0-v4.1-seek_data-return-enotsupp-when-set-nfs_v4_2-config.patch create mode 100644 queue-5.10/revert-net-tipc-fix-a-double-free-in-tipc_sk_mcast_rcv.patch create mode 100644 queue-5.10/spi-spi-fsl-dspi-fix-a-resource-leak-in-an-error-handling-path.patch create mode 100644 queue-5.10/sunrpc-in-case-of-backlog-hand-free-slots-directly-to-waiting-task.patch create mode 100644 queue-5.10/tipc-skb_linearize-the-head-skb-when-reassembling-msgs.patch create mode 100644 queue-5.10/tipc-wait-and-exit-until-all-work-queues-are-done.patch diff --git a/queue-5.10/bluetooth-cmtp-fix-file-refcount-when-cmtp_attach_device-fails.patch b/queue-5.10/bluetooth-cmtp-fix-file-refcount-when-cmtp_attach_device-fails.patch new file mode 100644 index 00000000000..8a078398ae5 --- /dev/null +++ b/queue-5.10/bluetooth-cmtp-fix-file-refcount-when-cmtp_attach_device-fails.patch 
@@ -0,0 +1,40 @@
+From 8da3a0b87f4f1c3a3bbc4bfb78cf68476e97d183 Mon Sep 17 00:00:00 2001
+From: Thadeu Lima de Souza Cascardo
+Date: Tue, 13 Apr 2021 13:21:03 -0300
+Subject: Bluetooth: cmtp: fix file refcount when cmtp_attach_device fails
+
+From: Thadeu Lima de Souza Cascardo
+
+commit 8da3a0b87f4f1c3a3bbc4bfb78cf68476e97d183 upstream.
+
+When cmtp_attach_device fails, cmtp_add_connection returns the error value
+which leads to the caller to doing fput through sockfd_put. But
+cmtp_session kthread, which is stopped in this path will also call fput,
+leading to a potential refcount underflow or a use-after-free.
+
+Add a refcount before we signal the kthread to stop. The kthread will try
+to grab the cmtp_session_sem mutex before doing the fput, which is held
+when get_file is called, so there should be no races there.
+
+Reported-by: Ryota Shiga
+Signed-off-by: Thadeu Lima de Souza Cascardo
+Signed-off-by: Marcel Holtmann
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/bluetooth/cmtp/core.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/bluetooth/cmtp/core.c
++++ b/net/bluetooth/cmtp/core.c
+@@ -392,6 +392,11 @@ int cmtp_add_connection(struct cmtp_conn
+ if (!(session->flags & BIT(CMTP_LOOPBACK))) {
+ err = cmtp_attach_device(session);
+ if (err < 0) {
++ /* Caller will call fput in case of failure, and so
++ * will cmtp_session kthread.
++ */
++ get_file(session->sock->file);
++
+ atomic_inc(&session->terminate);
+ wake_up_interruptible(sk_sleep(session->sock->sk));
+ up_write(&cmtp_session_sem);
diff --git a/queue-5.10/drm-meson-fix-shutdown-crash-when-component-not-probed.patch b/queue-5.10/drm-meson-fix-shutdown-crash-when-component-not-probed.patch
new file mode 100644
index 00000000000..5931eda06ad
--- /dev/null
+++ b/queue-5.10/drm-meson-fix-shutdown-crash-when-component-not-probed.patch
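Review bot: The comment added above `get_file(session->sock->file)` in cmtp_add_connection (net/bluetooth/cmtp/core.c) names the two fput callers but not the ordering that makes the extra reference safe, which is explained only in the commit message. Since this is a refcount fix for a possible use-after-free, the in-code comment should carry that reasoning, for example `/* Take the extra ref while cmtp_session_sem is still held: the caller drops one ref on error and the session kthread drops another once it can take the semaphore. */`. The enclosing function starts and ends outside the hunk, so whether other error exits after the kthread is started need the same treatment cannot be checked from here.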
@@ -0,0 +1,59 @@
+From 7cfc4ea78fc103ea51ecbacd9236abb5b1c490d2 Mon Sep 17 00:00:00 2001
+From: Neil Armstrong
+Date: Fri, 30 Apr 2021 10:27:44 +0200
+Subject: drm/meson: fix shutdown crash when component not probed
+
+From: Neil Armstrong
+
+commit 7cfc4ea78fc103ea51ecbacd9236abb5b1c490d2 upstream.
+
+When main component is not probed, by example when the dw-hdmi module is
+not loaded yet or in probe defer, the following crash appears on shutdown:
+
+Unable to handle kernel NULL pointer dereference at virtual address 0000000000000038
+...
+pc : meson_drv_shutdown+0x24/0x50
+lr : platform_drv_shutdown+0x20/0x30
+...
+Call trace:
+meson_drv_shutdown+0x24/0x50
+platform_drv_shutdown+0x20/0x30
+device_shutdown+0x158/0x360
+kernel_restart_prepare+0x38/0x48
+kernel_restart+0x18/0x68
+__do_sys_reboot+0x224/0x250
+__arm64_sys_reboot+0x24/0x30
+...
+
+Simply check if the priv struct has been allocated before using it.
+
+Fixes: fa0c16caf3d7 ("drm: meson_drv add shutdown function")
+Reported-by: Stefan Agner
+Signed-off-by: Neil Armstrong
+Tested-by: Martin Blumenstingl
+Reviewed-by: Martin Blumenstingl
+Link: https://patchwork.freedesktop.org/patch/msgid/20210430082744.3638743-1-narmstrong@baylibre.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/meson/meson_drv.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/meson/meson_drv.c
++++ b/drivers/gpu/drm/meson/meson_drv.c
+@@ -485,11 +485,12 @@ static int meson_probe_remote(struct pla
+ static void meson_drv_shutdown(struct platform_device *pdev)
+ {
+ struct meson_drm *priv = dev_get_drvdata(&pdev->dev);
+- struct drm_device *drm = priv->drm;
+
+- DRM_DEBUG_DRIVER("\n");
+- drm_kms_helper_poll_fini(drm);
+- drm_atomic_helper_shutdown(drm);
++ if (!priv)
++ return;
++
++ drm_kms_helper_poll_fini(priv->drm);
++ drm_atomic_helper_shutdown(priv->drm);
+ }
+
+ static int meson_drv_probe(struct platform_device *pdev)
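Review bot: The new `if (!priv) return;` guard in meson_drv_shutdown is only sufficient if drvdata is NULL whenever the master component is not bound, and nothing in this hunk shows drvdata being cleared on a failed bind or on unbind. If priv is released on those paths while drvdata still points at it, shutdown would pass the check and reach `priv->drm` through a stale pointer. It is worth confirming that the bind error path and the unbind path reset it with `dev_set_drvdata(dev, NULL)`, and recording the invariant next to the check, e.g. `/* drvdata stays NULL until the master component has been bound */`. The hunk also drops `DRM_DEBUG_DRIVER("\n")`, which the description does not mention.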
diff --git a/queue-5.10/fs-nfs-use-fatal_signal_pending-instead-of-signal_pending.patch b/queue-5.10/fs-nfs-use-fatal_signal_pending-instead-of-signal_pending.patch new file mode 100644 index 00000000000..4c05f7175e6 --- /dev/null +++ b/queue-5.10/fs-nfs-use-fatal_signal_pending-instead-of-signal_pending.patch @@ -0,0 +1,41 @@ +From bb002388901151fe35b6697ab116f6ed0721a9ed Mon Sep 17 00:00:00 2001 +From: zhouchuangao +Date: Sun, 9 May 2021 19:34:37 -0700 +Subject: fs/nfs: Use fatal_signal_pending instead of signal_pending + +From: zhouchuangao + +commit bb002388901151fe35b6697ab116f6ed0721a9ed upstream. + +We set the state of the current process to TASK_KILLABLE via +prepare_to_wait(). Should we use fatal_signal_pending() to detect +the signal here? + +Fixes: b4868b44c562 ("NFSv4: Wait for stateid updates after CLOSE/OPEN_DOWNGRADE") +Signed-off-by: zhouchuangao +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfs/nfs4proc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -1688,7 +1688,7 @@ static void nfs_set_open_stateid_locked( + rcu_read_unlock(); + trace_nfs4_open_stateid_update_wait(state->inode, stateid, 0); + +- if (!signal_pending(current)) { ++ if (!fatal_signal_pending(current)) { + if (schedule_timeout(5*HZ) == 0) + status = -EAGAIN; + else +@@ -3463,7 +3463,7 @@ static bool nfs4_refresh_open_old_statei + write_sequnlock(&state->seqlock); + trace_nfs4_close_stateid_update_wait(state->inode, dst, 0); + +- if (signal_pending(current)) ++ if (fatal_signal_pending(current)) + status = -EINTR; + else + if (schedule_timeout(5*HZ) != 0) diff --git a/queue-5.10/net-mlx4-fix-eeprom-dump-support.patch b/queue-5.10/net-mlx4-fix-eeprom-dump-support.patch new file mode 100644 index 00000000000..d1ed2e47e1b --- /dev/null +++ b/queue-5.10/net-mlx4-fix-eeprom-dump-support.patch 
@@ -0,0 +1,198 @@ +From db825feefc6868896fed5e361787ba3bee2fd906 Mon Sep 17 00:00:00 2001 +From: Vladyslav Tarasiuk +Date: Sun, 9 May 2021 09:43:18 +0300 +Subject: net/mlx4: Fix EEPROM dump support + +From: Vladyslav Tarasiuk + +commit db825feefc6868896fed5e361787ba3bee2fd906 upstream. + +Fix SFP and QSFP* EEPROM queries by setting i2c_address, offset and page +number correctly. For SFP set the following params: +- I2C address for offsets 0-255 is 0x50. For 256-511 - 0x51. +- Page number is zero. +- Offset is 0-255. + +At the same time, QSFP* parameters are different: +- I2C address is always 0x50. +- Page number is not limited to zero. +- Offset is 0-255 for page zero and 128-255 for others. + +To set parameters accordingly to cable used, implement function to query +module ID and implement respective helper functions to set parameters +correctly. + +Fixes: 135dd9594f12 ("net/mlx4_en: ethtool, Remove unsupported SFP EEPROM high pages query") +Signed-off-by: Vladyslav Tarasiuk +Signed-off-by: Tariq Toukan +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx4/en_ethtool.c | 4 + drivers/net/ethernet/mellanox/mlx4/port.c | 107 +++++++++++++++++++++++- + 2 files changed, 104 insertions(+), 7 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c ++++ b/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c +@@ -2027,8 +2027,6 @@ static int mlx4_en_set_tunable(struct ne + return ret; + } + +-#define MLX4_EEPROM_PAGE_LEN 256 +- + static int mlx4_en_get_module_info(struct net_device *dev, + struct ethtool_modinfo *modinfo) + { +@@ -2063,7 +2061,7 @@ static int mlx4_en_get_module_info(struc + break; + case MLX4_MODULE_ID_SFP: + modinfo->type = ETH_MODULE_SFF_8472; +- modinfo->eeprom_len = MLX4_EEPROM_PAGE_LEN; ++ modinfo->eeprom_len = ETH_MODULE_SFF_8472_LEN; + break; + default: + return -EINVAL; +--- a/drivers/net/ethernet/mellanox/mlx4/port.c ++++ b/drivers/net/ethernet/mellanox/mlx4/port.c +@@ -1973,6 +1973,7 @@ EXPORT_SYMBOL(mlx4_get_roce_gid_from_sla + #define I2C_ADDR_LOW 0x50 + #define I2C_ADDR_HIGH 0x51 + #define I2C_PAGE_SIZE 256 ++#define I2C_HIGH_PAGE_SIZE 128 + + /* Module Info Data */ + struct mlx4_cable_info { +@@ -2026,6 +2027,88 @@ static inline const char *cable_info_mad + return "Unknown Error"; + } + ++static int mlx4_get_module_id(struct mlx4_dev *dev, u8 port, u8 *module_id) ++{ ++ struct mlx4_cmd_mailbox *inbox, *outbox; ++ struct mlx4_mad_ifc *inmad, *outmad; ++ struct mlx4_cable_info *cable_info; ++ int ret; ++ ++ inbox = mlx4_alloc_cmd_mailbox(dev); ++ if (IS_ERR(inbox)) ++ return PTR_ERR(inbox); ++ ++ outbox = mlx4_alloc_cmd_mailbox(dev); ++ if (IS_ERR(outbox)) { ++ mlx4_free_cmd_mailbox(dev, inbox); ++ return PTR_ERR(outbox); ++ } ++ ++ inmad = (struct mlx4_mad_ifc *)(inbox->buf); ++ outmad = (struct mlx4_mad_ifc *)(outbox->buf); ++ ++ inmad->method = 0x1; /* Get */ ++ inmad->class_version = 0x1; ++ inmad->mgmt_class = 0x1; ++ inmad->base_version = 0x1; ++ inmad->attr_id = cpu_to_be16(0xFF60); /* Module Info 
*/ ++ ++ cable_info = (struct mlx4_cable_info *)inmad->data; ++ cable_info->dev_mem_address = 0; ++ cable_info->page_num = 0; ++ cable_info->i2c_addr = I2C_ADDR_LOW; ++ cable_info->size = cpu_to_be16(1); ++ ++ ret = mlx4_cmd_box(dev, inbox->dma, outbox->dma, port, 3, ++ MLX4_CMD_MAD_IFC, MLX4_CMD_TIME_CLASS_C, ++ MLX4_CMD_NATIVE); ++ if (ret) ++ goto out; ++ ++ if (be16_to_cpu(outmad->status)) { ++ /* Mad returned with bad status */ ++ ret = be16_to_cpu(outmad->status); ++ mlx4_warn(dev, ++ "MLX4_CMD_MAD_IFC Get Module ID attr(%x) port(%d) i2c_addr(%x) offset(%d) size(%d): Response Mad Status(%x) - %s\n", ++ 0xFF60, port, I2C_ADDR_LOW, 0, 1, ret, ++ cable_info_mad_err_str(ret)); ++ ret = -ret; ++ goto out; ++ } ++ cable_info = (struct mlx4_cable_info *)outmad->data; ++ *module_id = cable_info->data[0]; ++out: ++ mlx4_free_cmd_mailbox(dev, inbox); ++ mlx4_free_cmd_mailbox(dev, outbox); ++ return ret; ++} ++ ++static void mlx4_sfp_eeprom_params_set(u8 *i2c_addr, u8 *page_num, u16 *offset) ++{ ++ *i2c_addr = I2C_ADDR_LOW; ++ *page_num = 0; ++ ++ if (*offset < I2C_PAGE_SIZE) ++ return; ++ ++ *i2c_addr = I2C_ADDR_HIGH; ++ *offset -= I2C_PAGE_SIZE; ++} ++ ++static void mlx4_qsfp_eeprom_params_set(u8 *i2c_addr, u8 *page_num, u16 *offset) ++{ ++ /* Offsets 0-255 belong to page 0. ++ * Offsets 256-639 belong to pages 01, 02, 03. ++ * For example, offset 400 is page 02: 1 + (400 - 256) / 128 = 2 ++ */ ++ if (*offset < I2C_PAGE_SIZE) ++ *page_num = 0; ++ else ++ *page_num = 1 + (*offset - I2C_PAGE_SIZE) / I2C_HIGH_PAGE_SIZE; ++ *i2c_addr = I2C_ADDR_LOW; ++ *offset -= *page_num * I2C_HIGH_PAGE_SIZE; ++} ++ + /** + * mlx4_get_module_info - Read cable module eeprom data + * @dev: mlx4_dev. 
+@@ -2045,12 +2128,30 @@ int mlx4_get_module_info(struct mlx4_dev + struct mlx4_cmd_mailbox *inbox, *outbox; + struct mlx4_mad_ifc *inmad, *outmad; + struct mlx4_cable_info *cable_info; +- u16 i2c_addr; ++ u8 module_id, i2c_addr, page_num; + int ret; + + if (size > MODULE_INFO_MAX_READ) + size = MODULE_INFO_MAX_READ; + ++ ret = mlx4_get_module_id(dev, port, &module_id); ++ if (ret) ++ return ret; ++ ++ switch (module_id) { ++ case MLX4_MODULE_ID_SFP: ++ mlx4_sfp_eeprom_params_set(&i2c_addr, &page_num, &offset); ++ break; ++ case MLX4_MODULE_ID_QSFP: ++ case MLX4_MODULE_ID_QSFP_PLUS: ++ case MLX4_MODULE_ID_QSFP28: ++ mlx4_qsfp_eeprom_params_set(&i2c_addr, &page_num, &offset); ++ break; ++ default: ++ mlx4_err(dev, "Module ID not recognized: %#x\n", module_id); ++ return -EINVAL; ++ } ++ + inbox = mlx4_alloc_cmd_mailbox(dev); + if (IS_ERR(inbox)) + return PTR_ERR(inbox); +@@ -2076,11 +2177,9 @@ int mlx4_get_module_info(struct mlx4_dev + */ + size -= offset + size - I2C_PAGE_SIZE; + +- i2c_addr = I2C_ADDR_LOW; +- + cable_info = (struct mlx4_cable_info *)inmad->data; + cable_info->dev_mem_address = cpu_to_be16(offset); +- cable_info->page_num = 0; ++ cable_info->page_num = page_num; + cable_info->i2c_addr = i2c_addr; + cable_info->size = cpu_to_be16(size); + diff --git a/queue-5.10/net-mlx5-set-reformat-action-when-needed-for-termination-rules.patch b/queue-5.10/net-mlx5-set-reformat-action-when-needed-for-termination-rules.patch new file mode 100644 index 00000000000..2013b4f2e84 --- /dev/null +++ b/queue-5.10/net-mlx5-set-reformat-action-when-needed-for-termination-rules.patch 
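Review bot: `mlx4_qsfp_eeprom_params_set` stores `1 + (*offset - I2C_PAGE_SIZE) / I2C_HIGH_PAGE_SIZE` into a `u8` with no upper bound on `*offset`, so a u16 offset of 32896 or more wraps the page number, and `mlx4_sfp_eeprom_params_set` leaves an offset of 512 or more above 255 after its subtraction. Both helpers therefore depend on the caller having limited the offset to the module's EEPROM length, which is not visible in this patch. A range check in mlx4_get_module_info before the `switch (module_id)`, returning `-EINVAL`, or at least a comment naming that caller contract, would keep an out-of-range request from reaching firmware with a wrong page or address. Separately, mlx4_get_module_id returns the negated MAD status via `ret = -ret;`, which callers will read as an errno it is not; a fixed code such as `-EIO` after the `mlx4_warn` would be clearer. mlx4_get_module_info continues outside the hunks shown.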
@@ -0,0 +1,84 @@ +From 442b3d7b671bcb779ebdad46edd08051eb8b28d9 Mon Sep 17 00:00:00 2001 +From: Jianbo Liu +Date: Fri, 30 Apr 2021 06:58:29 +0000 +Subject: net/mlx5: Set reformat action when needed for termination rules + +From: Jianbo Liu + +commit 442b3d7b671bcb779ebdad46edd08051eb8b28d9 upstream. + +For remote mirroring, after the tunnel packets are received, they are +decapsulated and sent to representor, then re-encapsulated and sent +out over another tunnel. So reformat action is set only when the +destination is required to do encapsulation. + +Fixes: 249ccc3c95bd ("net/mlx5e: Add support for offloading traffic from uplink to uplink") +Signed-off-by: Jianbo Liu +Reviewed-by: Ariel Levkovich +Signed-off-by: Saeed Mahameed +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads_termtbl.c | 31 +++------- + 1 file changed, 10 insertions(+), 21 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads_termtbl.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads_termtbl.c +@@ -171,19 +171,6 @@ mlx5_eswitch_termtbl_put(struct mlx5_esw + } + } + +-static bool mlx5_eswitch_termtbl_is_encap_reformat(struct mlx5_pkt_reformat *rt) +-{ +- switch (rt->reformat_type) { +- case MLX5_REFORMAT_TYPE_L2_TO_VXLAN: +- case MLX5_REFORMAT_TYPE_L2_TO_NVGRE: +- case MLX5_REFORMAT_TYPE_L2_TO_L2_TUNNEL: +- case MLX5_REFORMAT_TYPE_L2_TO_L3_TUNNEL: +- return true; +- default: +- return false; +- } +-} +- + static void + mlx5_eswitch_termtbl_actions_move(struct mlx5_flow_act *src, + struct mlx5_flow_act *dst) +@@ -201,14 +188,6 @@ mlx5_eswitch_termtbl_actions_move(struct + memset(&src->vlan[1], 0, sizeof(src->vlan[1])); + } + } +- +- if (src->action & MLX5_FLOW_CONTEXT_ACTION_PACKET_REFORMAT && +- mlx5_eswitch_termtbl_is_encap_reformat(src->pkt_reformat)) { +- src->action &= ~MLX5_FLOW_CONTEXT_ACTION_PACKET_REFORMAT; +- dst->action |= MLX5_FLOW_CONTEXT_ACTION_PACKET_REFORMAT; +- dst->pkt_reformat = 
src->pkt_reformat; +- src->pkt_reformat = NULL; +- } + } + + static bool mlx5_eswitch_offload_is_uplink_port(const struct mlx5_eswitch *esw, +@@ -278,6 +257,14 @@ mlx5_eswitch_add_termtbl_rule(struct mlx + if (dest[i].type != MLX5_FLOW_DESTINATION_TYPE_VPORT) + continue; + ++ if (attr->dests[num_vport_dests].flags & MLX5_ESW_DEST_ENCAP) { ++ term_tbl_act.action |= MLX5_FLOW_CONTEXT_ACTION_PACKET_REFORMAT; ++ term_tbl_act.pkt_reformat = attr->dests[num_vport_dests].pkt_reformat; ++ } else { ++ term_tbl_act.action &= ~MLX5_FLOW_CONTEXT_ACTION_PACKET_REFORMAT; ++ term_tbl_act.pkt_reformat = NULL; ++ } ++ + /* get the terminating table for the action list */ + tt = mlx5_eswitch_termtbl_get_create(esw, &term_tbl_act, + &dest[i], attr); +@@ -299,6 +286,8 @@ mlx5_eswitch_add_termtbl_rule(struct mlx + goto revert_changes; + + /* create the FTE */ ++ flow_act->action &= ~MLX5_FLOW_CONTEXT_ACTION_PACKET_REFORMAT; ++ flow_act->pkt_reformat = NULL; + rule = mlx5_add_flow_rules(fdb, spec, flow_act, dest, num_dest); + if (IS_ERR(rule)) + goto revert_changes; diff --git a/queue-5.10/net-mlx5-set-term-table-as-an-unmanaged-flow-table.patch b/queue-5.10/net-mlx5-set-term-table-as-an-unmanaged-flow-table.patch new file mode 100644 index 00000000000..80afb71b959 --- /dev/null +++ b/queue-5.10/net-mlx5-set-term-table-as-an-unmanaged-flow-table.patch 
@@ -0,0 +1,61 @@ +From 6ff51ab8aa8fcbcddeeefce8ca705b575805d12b Mon Sep 17 00:00:00 2001 +From: Ariel Levkovich +Date: Wed, 31 Mar 2021 10:09:02 +0300 +Subject: net/mlx5: Set term table as an unmanaged flow table + +From: Ariel Levkovich + +commit 6ff51ab8aa8fcbcddeeefce8ca705b575805d12b upstream. + +Termination tables are restricted to have the default miss action and +cannot be set to forward to another table in case of a miss. +If the fs prio of the termination table is not the last one in the +list, fs_core will attempt to attach it to another table. + +Set the unmanaged ft flag when creating the termination table ft +and select the tc offload prio for it to prevent fs_core from selecting +the forwarding to next ft miss action and use the default one. + +In addition, set the flow that forwards to the termination table to +ignore ft level restrictions since the ft level is not set by fs_core +for unamanged fts. + +Fixes: 249ccc3c95bd ("net/mlx5e: Add support for offloading traffic from uplink to uplink") +Signed-off-by: Ariel Levkovich +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads_termtbl.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads_termtbl.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads_termtbl.c +@@ -76,10 +76,11 @@ mlx5_eswitch_termtbl_create(struct mlx5_ + /* As this is the terminating action then the termination table is the + * same prio as the slow path + */ +- ft_attr.flags = MLX5_FLOW_TABLE_TERMINATION | ++ ft_attr.flags = MLX5_FLOW_TABLE_TERMINATION | MLX5_FLOW_TABLE_UNMANAGED | + MLX5_FLOW_TABLE_TUNNEL_EN_REFORMAT; +- ft_attr.prio = FDB_SLOW_PATH; ++ ft_attr.prio = FDB_TC_OFFLOAD; + ft_attr.max_fte = 1; ++ ft_attr.level = 1; + ft_attr.autogroup.max_num_groups = 1; + tt->termtbl = mlx5_create_auto_grouped_flow_table(root_ns, &ft_attr); + if (IS_ERR(tt->termtbl)) { +@@ -216,6 +217,7 @@ 
mlx5_eswitch_termtbl_required(struct mlx + int i; + + if (!MLX5_CAP_ESW_FLOWTABLE_FDB(esw->dev, termination_table) || ++ !MLX5_CAP_ESW_FLOWTABLE_FDB(esw->dev, ignore_flow_level) || + attr->flags & MLX5_ESW_ATTR_FLAG_SLOW_PATH || + !mlx5_eswitch_offload_is_uplink_port(esw, spec)) + return false; +@@ -288,6 +290,7 @@ mlx5_eswitch_add_termtbl_rule(struct mlx + /* create the FTE */ + flow_act->action &= ~MLX5_FLOW_CONTEXT_ACTION_PACKET_REFORMAT; + flow_act->pkt_reformat = NULL; ++ flow_act->flags |= FLOW_ACT_IGNORE_FLOW_LEVEL; + rule = mlx5_add_flow_rules(fdb, spec, flow_act, dest, num_dest); + if (IS_ERR(rule)) + goto revert_changes; diff --git a/queue-5.10/net-mlx5e-fix-error-path-of-updating-netdev-queues.patch b/queue-5.10/net-mlx5e-fix-error-path-of-updating-netdev-queues.patch new file mode 100644 index 00000000000..f383306f11e --- /dev/null +++ b/queue-5.10/net-mlx5e-fix-error-path-of-updating-netdev-queues.patch 
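Review bot: The context comment above `ft_attr.flags` in mlx5_eswitch_termtbl_create still says the termination table is "the same prio as the slow path", but this patch changes `ft_attr.prio` to `FDB_TC_OFFLOAD`, so the comment now contradicts the code. It should be updated in the same change, for example `/* Unmanaged table in the TC offload prio, so fs_core keeps the default miss action instead of chaining to the next table. */`. The added `ft_attr.level = 1;` also has no explanation; going by the description, fs_core does not assign levels to unmanaged tables, and a one-line comment saying why level 1 is the right value would save the next reader from guessing.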
@@ -0,0 +1,33 @@
+From 5e7923acbd86d0ff29269688d8a9c47ad091dd46 Mon Sep 17 00:00:00 2001
+From: Aya Levin
+Date: Wed, 21 Apr 2021 14:26:31 +0300
+Subject: net/mlx5e: Fix error path of updating netdev queues
+
+From: Aya Levin
+
+commit 5e7923acbd86d0ff29269688d8a9c47ad091dd46 upstream.
+
+Avoid division by zero in the error flow. In the driver TC number can be
+either 1 or 8. When TC count is set to 1, driver zero netdev->num_tc.
+Hence, need to convert it back from 0 to 1 in the error flow.
+
+Fixes: fa3748775b92 ("net/mlx5e: Handle errors from netif_set_real_num_{tx,rx}_queues")
+Signed-off-by: Aya Levin
+Reviewed-by: Maxim Mikityanskiy
+Signed-off-by: Saeed Mahameed
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -2920,7 +2920,7 @@ static int mlx5e_update_netdev_queues(st
+ int err;
+
+ old_num_txqs = netdev->real_num_tx_queues;
+- old_ntc = netdev->num_tc;
++ old_ntc = netdev->num_tc ? : 1;
+
+ nch = priv->channels.params.num_channels;
+ ntc = priv->channels.params.num_tc;
diff --git a/queue-5.10/net-mlx5e-fix-multipath-lag-activation.patch b/queue-5.10/net-mlx5e-fix-multipath-lag-activation.patch
new file mode 100644
index 00000000000..88f53ca4278
--- /dev/null
+++ b/queue-5.10/net-mlx5e-fix-multipath-lag-activation.patch
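Review bot: `old_ntc = netdev->num_tc ? : 1;` in mlx5e_update_netdev_queues has no comment, and the reason for the fallback (per the description, num_tc is stored as 0 when a single TC is configured and the error flow divides by the saved value) exists only in the commit message. A comment on that line would keep the guard from being simplified away later, e.g. `/* num_tc is 0 for a single TC; use 1 so the error path never divides by zero */`. The operator is also more commonly written `?:` without the inner space. The division itself is outside the hunk, so this note relies on the description for where it happens.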
@@ -0,0 +1,51 @@ +From 97817fcc684ed01497bd19d0cd4dea699665b9cf Mon Sep 17 00:00:00 2001 +From: Dima Chumak +Date: Tue, 13 Apr 2021 22:43:08 +0300 +Subject: net/mlx5e: Fix multipath lag activation + +From: Dima Chumak + +commit 97817fcc684ed01497bd19d0cd4dea699665b9cf upstream. + +When handling FIB_EVENT_ENTRY_REPLACE event for a new multipath route, +lag activation can be missed if a stale (struct lag_mp)->mfi pointer +exists, which was associated with an older multipath route that had been +removed. + +Normally, when a route is removed, it triggers mlx5_lag_fib_event(), +which handles FIB_EVENT_ENTRY_DEL and clears mfi pointer. But, if +mlx5_lag_check_prereq() condition isn't met, for example when eswitch is +in legacy mode, the fib event is skipped and mfi pointer becomes stale. + +Fix by resetting mfi pointer to NULL every time mlx5_lag_mp_init() is +called. + +Fixes: 544fe7c2e654 ("net/mlx5e: Activate HW multipath and handle port affinity based on FIB events") +Signed-off-by: Dima Chumak +Reviewed-by: Roi Dayan +Signed-off-by: Saeed Mahameed +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/lag_mp.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/lag_mp.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/lag_mp.c +@@ -307,6 +307,11 @@ int mlx5_lag_mp_init(struct mlx5_lag *ld + struct lag_mp *mp = &ldev->lag_mp; + int err; + ++ /* always clear mfi, as it might become stale when a route delete event ++ * has been missed ++ */ ++ mp->mfi = NULL; ++ + if (mp->fib_nb.notifier_call) + return 0; + +@@ -335,4 +340,5 @@ void mlx5_lag_mp_cleanup(struct mlx5_lag + unregister_fib_notifier(&init_net, &mp->fib_nb); + destroy_workqueue(mp->wq); + mp->fib_nb.notifier_call = NULL; ++ mp->mfi = NULL; + } diff --git a/queue-5.10/net-mlx5e-fix-null-deref-accessing-lag-dev.patch b/queue-5.10/net-mlx5e-fix-null-deref-accessing-lag-dev.patch new file mode 100644 index 00000000000..76c91c4f227 --- /dev/null 
+++ b/queue-5.10/net-mlx5e-fix-null-deref-accessing-lag-dev.patch @@ -0,0 +1,35 @@ +From 83026d83186bc48bb41ee4872f339b83f31dfc55 Mon Sep 17 00:00:00 2001 +From: Roi Dayan +Date: Mon, 3 May 2021 18:01:02 +0300 +Subject: net/mlx5e: Fix null deref accessing lag dev + +From: Roi Dayan + +commit 83026d83186bc48bb41ee4872f339b83f31dfc55 upstream. + +It could be the lag dev is null so stop processing the event. +In bond_enslave() the active/backup slave being set before setting the +upper dev so first event is without an upper dev. +After setting the upper dev with bond_master_upper_dev_link() there is +a second event and in that event we have an upper dev. + +Fixes: 7e51891a237f ("net/mlx5e: Use netdev events to set/del egress acl forward-to-vport rule") +Signed-off-by: Roi Dayan +Reviewed-by: Maor Dickman +Signed-off-by: Saeed Mahameed +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/en/rep/bond.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/rep/bond.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/rep/bond.c +@@ -223,6 +223,8 @@ static void mlx5e_rep_changelowerstate_e + rpriv = priv->ppriv; + fwd_vport_num = rpriv->rep->vport; + lag_dev = netdev_master_upper_dev_get(netdev); ++ if (!lag_dev) ++ return; + + netdev_dbg(netdev, "lag_dev(%s)'s slave vport(%d) is txable(%d)\n", + lag_dev->name, fwd_vport_num, net_lag_port_dev_txable(netdev)); diff --git a/queue-5.10/net-mlx5e-fix-nullptr-in-add_vlan_push_action.patch b/queue-5.10/net-mlx5e-fix-nullptr-in-add_vlan_push_action.patch new file mode 100644 index 00000000000..5a07bbd19a5 --- /dev/null +++ b/queue-5.10/net-mlx5e-fix-nullptr-in-add_vlan_push_action.patch 
@@ -0,0 +1,51 @@
+From dca59f4a791960ec73fa15803faa0abe0f92ece2 Mon Sep 17 00:00:00 2001
+From: Dima Chumak
+Date: Mon, 26 Apr 2021 15:16:26 +0300
+Subject: net/mlx5e: Fix nullptr in add_vlan_push_action()
+
+From: Dima Chumak
+
+commit dca59f4a791960ec73fa15803faa0abe0f92ece2 upstream.
+
+The result of dev_get_by_index_rcu() is not checked for NULL and then
+gets dereferenced immediately.
+
+Also, the RCU lock must be held by the caller of dev_get_by_index_rcu(),
+which isn't satisfied by the call stack.
+
+Fix by handling nullptr return value when iflink device is not found.
+Add RCU locking around dev_get_by_index_rcu() to avoid possible adverse
+effects while iterating over the net_device's hlist.
+
+It is safe not to increment reference count of the net_device pointer in
+case of a successful lookup, because it's already handled by VLAN code
+during VLAN device registration (see register_vlan_dev and
+netdev_upper_dev_link).
+
+Fixes: 278748a95aa3 ("net/mlx5e: Offload TC e-switch rules with egress VLAN device")
+Addresses-Coverity: ("Dereference null return value")
+Signed-off-by: Dima Chumak
+Reviewed-by: Vlad Buslov
+Signed-off-by: Saeed Mahameed
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
+@@ -4025,8 +4025,12 @@ static int add_vlan_push_action(struct m
+ if (err)
+ return err;
+
+- *out_dev = dev_get_by_index_rcu(dev_net(vlan_dev),
+- dev_get_iflink(vlan_dev));
++ rcu_read_lock();
++ *out_dev = dev_get_by_index_rcu(dev_net(vlan_dev), dev_get_iflink(vlan_dev));
++ rcu_read_unlock();
++ if (!*out_dev)
++ return -ENODEV;
++
+ if (is_vlan_dev(*out_dev))
+ err = add_vlan_push_action(priv, attr, out_dev, action);
+
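Review bot: `*out_dev` is dereferenced and handed back to the caller after `rcu_read_unlock()` in add_vlan_push_action without a reference being taken, so its lifetime rests entirely on the VLAN upper-device link described in the commit message and not on anything in the code. That invariant should be written where the pointer leaves the read-side section, e.g. `/* No dev_hold(): the lower device is pinned by the VLAN upper-dev link for as long as vlan_dev exists. */`. If any caller can reach this while that link is being torn down, a `dev_hold()` inside the locked section (with a matching put by the consumer) would be needed instead; that cannot be judged from this hunk, because the function and its callers lie outside it.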
diff --git a/queue-5.10/net-mlx5e-reset-xps-on-error-flow-if-netdev-isn-t-registered-yet.patch b/queue-5.10/net-mlx5e-reset-xps-on-error-flow-if-netdev-isn-t-registered-yet.patch new file mode 100644 index 00000000000..1e2b9e14f8d --- /dev/null +++ b/queue-5.10/net-mlx5e-reset-xps-on-error-flow-if-netdev-isn-t-registered-yet.patch 
@@ -0,0 +1,67 @@
+From 77ecd10d0a8aaa6e4871d8c63626e4c9fc5e47db Mon Sep 17 00:00:00 2001
+From: Saeed Mahameed
+Date: Thu, 25 Feb 2021 11:20:00 -0800
+Subject: net/mlx5e: reset XPS on error flow if netdev isn't registered yet
+
+From: Saeed Mahameed
+
+commit 77ecd10d0a8aaa6e4871d8c63626e4c9fc5e47db upstream.
+
+mlx5e_attach_netdev can be called prior to registering the netdevice:
+Example stack:
+
+ipoib_new_child_link ->
+ipoib_intf_init->
+rdma_init_netdev->
+mlx5_rdma_setup_rn->
+
+mlx5e_attach_netdev->
+mlx5e_num_channels_changed ->
+mlx5e_set_default_xps_cpumasks ->
+netif_set_xps_queue ->
+__netif_set_xps_queue -> kmalloc
+
+If any later stage fails at any point after mlx5e_num_channels_changed()
+returns, XPS allocated maps will never be freed as they
+are only freed during netdev unregistration, which will never happen for
+yet to be registered netdevs.
+
+Fixes: 3909a12e7913 ("net/mlx5e: Fix configuration of XPS cpumasks and netdev queues in corner cases")
+Signed-off-by: Saeed Mahameed
+Signed-off-by: Aya Levin
+Reviewed-by: Tariq Toukan
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -5385,6 +5385,11 @@ err_free_netdev:
+ return NULL;
+ }
+
++static void mlx5e_reset_channels(struct net_device *netdev)
++{
++ netdev_reset_tc(netdev);
++}
++
+ int mlx5e_attach_netdev(struct mlx5e_priv *priv)
+ {
+ const bool take_rtnl = priv->netdev->reg_state == NETREG_REGISTERED;
+@@ -5438,6 +5443,7 @@ err_cleanup_tx:
+ profile->cleanup_tx(priv);
+
+ out:
++ mlx5e_reset_channels(priv->netdev);
+ set_bit(MLX5E_STATE_DESTROYING, &priv->state);
+ cancel_work_sync(&priv->update_stats_work);
+ return err;
+@@ -5455,6 +5461,7 @@ void mlx5e_detach_netdev(struct mlx5e_pr
+
+ profile->cleanup_rx(priv);
+ profile->cleanup_tx(priv);
++ mlx5e_reset_channels(priv->netdev);
+ cancel_work_sync(&priv->update_stats_work);
+ }
+
diff --git a/queue-5.10/net-vdpa-mlx5-configure-interface-mac-into-mpfs-l2-table.patch b/queue-5.10/net-vdpa-mlx5-configure-interface-mac-into-mpfs-l2-table.patch
new file mode 100644
index 00000000000..5c0e261856f
--- /dev/null
+++ b/queue-5.10/net-vdpa-mlx5-configure-interface-mac-into-mpfs-l2-table.patch
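Review bot: `mlx5e_reset_channels()` gives no hint that it exists to release the XPS maps allocated through mlx5e_num_channels_changed(), and the bare `netdev_reset_tc()` call reads as an unrelated traffic-class reset. A comment on the helper such as `/* netdev_reset_tc() also drops the XPS maps, which are otherwise freed only at unregister */` would make the intent reviewable. Because the same call is added to mlx5e_detach_netdev(), it presumably also clears the TC configuration of an already registered netdev on every detach; it is worth confirming that the attach path restores it. Both callers continue outside the hunks.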
@@ -0,0 +1,186 @@
+From 7c9f131f366ab414691907fa0407124ea2b2f3bc Mon Sep 17 00:00:00 2001
+From: Eli Cohen
+Date: Thu, 22 Apr 2021 15:48:10 +0300
+Subject: {net,vdpa}/mlx5: Configure interface MAC into mpfs L2 table
+
+From: Eli Cohen
+
+commit 7c9f131f366ab414691907fa0407124ea2b2f3bc upstream.
+
+net/mlx5: Expose MPFS configuration API
+
+MPFS is the multi physical function switch that bridges traffic between
+the physical port and any physical functions associated with it. The
+driver is required to add or remove MAC entries to properly forward
+incoming traffic to the correct physical function.
+
+We export the API to control MPFS so that other drivers, such as
+mlx5_vdpa are able to add MAC addresses of their network interfaces.
+
+The MAC address of the vdpa interface must be configured into the MPFS L2
+address. Failing to do so could cause, in some NIC configurations, failure
+to forward packets to the vdpa network device instance.
+
+Fix this by adding calls to update the MPFS table.
+
+CC:
+CC:
+CC:
+Fixes: 1a86b377aa21 ("vdpa/mlx5: Add VDPA driver for supported mlx5 devices")
+Signed-off-by: Eli Cohen
+Signed-off-by: Saeed Mahameed
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_fs.c | 1 +
+ drivers/net/ethernet/mellanox/mlx5/core/eswitch.c | 1 +
+ drivers/net/ethernet/mellanox/mlx5/core/lib/mpfs.c | 3 +++
+ drivers/net/ethernet/mellanox/mlx5/core/lib/mpfs.h | 5 +----
+ drivers/vdpa/mlx5/net/mlx5_vnet.c | 19 ++++++++++++++++++-
+ include/linux/mlx5/mpfs.h | 18 ++++++++++++++++++
+ 6 files changed, 42 insertions(+), 5 deletions(-)
+ create mode 100644 include/linux/mlx5/mpfs.h
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_fs.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_fs.c
+@@ -35,6 +35,7 @@
+ #include
+ #include
+ #include
++#include
+ #include "en.h"
+ #include "lib/mpfs.h"
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
+@@ -35,6 +35,7 @@
+ #include
+ #include
+ #include
++#include
+ #include "esw/acl/lgcy.h"
+ #include "mlx5_core.h"
+ #include "lib/eq.h"
+--- a/drivers/net/ethernet/mellanox/mlx5/core/lib/mpfs.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/mpfs.c
+@@ -33,6 +33,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include "mlx5_core.h"
+ #include "lib/mpfs.h"
+@@ -175,6 +176,7 @@ out:
+ mutex_unlock(&mpfs->lock);
+ return err;
+ }
++EXPORT_SYMBOL(mlx5_mpfs_add_mac);
+
+ int mlx5_mpfs_del_mac(struct mlx5_core_dev *dev, u8 *mac)
+ {
+@@ -206,3 +208,4 @@ unlock:
+ mutex_unlock(&mpfs->lock);
+ return err;
+ }
++EXPORT_SYMBOL(mlx5_mpfs_del_mac);
+--- a/drivers/net/ethernet/mellanox/mlx5/core/lib/mpfs.h
++++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/mpfs.h
+@@ -84,12 +84,9 @@ struct l2addr_node {
+ #ifdef CONFIG_MLX5_MPFS
+ int mlx5_mpfs_init(struct mlx5_core_dev *dev);
+ void mlx5_mpfs_cleanup(struct mlx5_core_dev *dev);
+-int mlx5_mpfs_add_mac(struct mlx5_core_dev *dev, u8 *mac);
+-int mlx5_mpfs_del_mac(struct mlx5_core_dev *dev, u8 *mac);
+ #else /* #ifndef CONFIG_MLX5_MPFS */
+ static inline int mlx5_mpfs_init(struct mlx5_core_dev *dev) { return 0; }
+ static inline void mlx5_mpfs_cleanup(struct mlx5_core_dev *dev) {}
+-static inline int mlx5_mpfs_add_mac(struct mlx5_core_dev *dev, u8 *mac) { return 0; }
+-static inline int mlx5_mpfs_del_mac(struct mlx5_core_dev *dev, u8 *mac) { return 0; }
+ #endif
++
+ #endif
+--- a/drivers/vdpa/mlx5/net/mlx5_vnet.c
++++ b/drivers/vdpa/mlx5/net/mlx5_vnet.c
+@@ -9,6 +9,7 @@
+ #include
+ #include
+ #include
++#include
+ #include "mlx5_vnet.h"
+ #include "mlx5_vdpa_ifc.h"
+ #include "mlx5_vdpa.h"
+@@ -1839,11 +1840,16 @@ static int mlx5_vdpa_set_map(struct vdpa
+ static void mlx5_vdpa_free(struct vdpa_device *vdev)
+ {
+ struct mlx5_vdpa_dev *mvdev = to_mvdev(vdev);
++ struct mlx5_core_dev *pfmdev;
+ struct mlx5_vdpa_net *ndev;
+
+ ndev = to_mlx5_vdpa_ndev(mvdev);
+
+ free_resources(ndev);
++ if (!is_zero_ether_addr(ndev->config.mac)) {
++ pfmdev = pci_get_drvdata(pci_physfn(mvdev->mdev->pdev));
++ mlx5_mpfs_del_mac(pfmdev, ndev->config.mac);
++ }
+ mlx5_vdpa_free_resources(&ndev->mvdev);
+ mutex_destroy(&ndev->reslock);
+ }
+@@ -1962,6 +1968,7 @@ static void init_mvqs(struct mlx5_vdpa_n
+ void *mlx5_vdpa_add_dev(struct mlx5_core_dev *mdev)
+ {
+ struct virtio_net_config *config;
++ struct mlx5_core_dev *pfmdev;
+ struct mlx5_vdpa_dev *mvdev;
+ struct mlx5_vdpa_net *ndev;
+ u32 max_vqs;
+@@ -1990,10 +1997,17 @@ void *mlx5_vdpa_add_dev(struct mlx5_core
+ if (err)
+ goto err_mtu;
+
++ if (!is_zero_ether_addr(config->mac)) {
++ pfmdev = pci_get_drvdata(pci_physfn(mdev->pdev));
++ err = mlx5_mpfs_add_mac(pfmdev, config->mac);
++ if (err)
++ goto err_mtu;
++ }
++
+ mvdev->vdev.dma_dev = mdev->device;
+ err = mlx5_vdpa_alloc_resources(&ndev->mvdev);
+ if (err)
+- goto err_mtu;
++ goto err_mpfs;
+
+ err = alloc_resources(ndev);
+ if (err)
+@@ -2009,6 +2023,9 @@ err_reg:
+ free_resources(ndev);
+ err_res:
+ mlx5_vdpa_free_resources(&ndev->mvdev);
++err_mpfs:
++ if (!is_zero_ether_addr(config->mac))
++ mlx5_mpfs_del_mac(pfmdev, config->mac);
+ err_mtu:
+ mutex_destroy(&ndev->reslock);
+ put_device(&mvdev->vdev.dev);
+--- /dev/null
++++ b/include/linux/mlx5/mpfs.h
+@@ -0,0 +1,18 @@
++/* SPDX-License-Identifier: GPL-2.0 OR Linux-OpenIB
++ * Copyright (c) 2021 Mellanox Technologies Ltd.
++ */
++
++#ifndef _MLX5_MPFS_
++#define _MLX5_MPFS_
++
++struct mlx5_core_dev;
++
++#ifdef CONFIG_MLX5_MPFS
++int mlx5_mpfs_add_mac(struct mlx5_core_dev *dev, u8 *mac);
++int mlx5_mpfs_del_mac(struct mlx5_core_dev *dev, u8 *mac);
++#else /* #ifndef CONFIG_MLX5_MPFS */
++static inline int mlx5_mpfs_add_mac(struct mlx5_core_dev *dev, u8 *mac) { return 0; }
++static inline int mlx5_mpfs_del_mac(struct mlx5_core_dev *dev, u8 *mac) { return 0; }
++#endif
++
++#endif
diff --git a/queue-5.10/nfs-don-t-corrupt-the-value-of-pg_bytes_written-in-nfs_do_recoalesce.patch b/queue-5.10/nfs-don-t-corrupt-the-value-of-pg_bytes_written-in-nfs_do_recoalesce.patch
new file mode 100644
index 00000000000..d49d5ef59cb
--- /dev/null
+++ b/queue-5.10/nfs-don-t-corrupt-the-value-of-pg_bytes_written-in-nfs_do_recoalesce.patch
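Review bot: In mlx5_vdpa_add_dev() and mlx5_vdpa_free() the result of `pci_get_drvdata(pci_physfn(...))` is handed straight to mlx5_mpfs_add_mac() / mlx5_mpfs_del_mac() with no NULL check, and whether those helpers tolerate a NULL device is not visible in this patch. An explicit guard in the add path, `if (!pfmdev) { err = -ENODEV; goto err_mtu; }`, and skipping the delete when the lookup fails would make the assumption checkable. The `err_mpfs:` label also reads `pfmdev`, which is assigned only inside the matching `is_zero_ether_addr()` guard, so declaring it as `struct mlx5_core_dev *pfmdev = NULL;` keeps the two conditions from drifting apart silently. The return value of mlx5_mpfs_del_mac() in mlx5_vdpa_free() is discarded; the functions continue outside the hunks.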
@@ -0,0 +1,52 @@
+From 0d0ea309357dea0d85a82815f02157eb7fcda39f Mon Sep 17 00:00:00 2001
+From: Trond Myklebust
+Date: Tue, 25 May 2021 10:40:12 -0400
+Subject: NFS: Don't corrupt the value of pg_bytes_written in nfs_do_recoalesce()
+
+From: Trond Myklebust
+
+commit 0d0ea309357dea0d85a82815f02157eb7fcda39f upstream.
+
+The value of mirror->pg_bytes_written should only be updated after a
+successful attempt to flush out the requests on the list.
+
+Fixes: a7d42ddb3099 ("nfs: add mirroring support to pgio layer")
+Signed-off-by: Trond Myklebust
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nfs/pagelist.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+--- a/fs/nfs/pagelist.c
++++ b/fs/nfs/pagelist.c
+@@ -1128,17 +1128,16 @@ static void nfs_pageio_doio(struct nfs_p
+ {
+ struct nfs_pgio_mirror *mirror = nfs_pgio_current_mirror(desc);
+
+-
+ if (!list_empty(&mirror->pg_list)) {
+ int error = desc->pg_ops->pg_doio(desc);
+ if (error < 0)
+ desc->pg_error = error;
+- else
++ if (list_empty(&mirror->pg_list)) {
+ mirror->pg_bytes_written += mirror->pg_count;
+- }
+- if (list_empty(&mirror->pg_list)) {
+- mirror->pg_count = 0;
+- mirror->pg_base = 0;
++ mirror->pg_count = 0;
++ mirror->pg_base = 0;
++ mirror->pg_recoalesce = 0;
++ }
+ }
+ }
+
+@@ -1228,7 +1227,6 @@ static int nfs_do_recoalesce(struct nfs_
+
+ do {
+ list_splice_init(&mirror->pg_list, &head);
+- mirror->pg_bytes_written -= mirror->pg_count;
+ mirror->pg_count = 0;
+ mirror->pg_base = 0;
+ mirror->pg_recoalesce = 0;
diff --git a/queue-5.10/nfs-fix-an-incorrect-limit-in-filelayout_decode_layout.patch b/queue-5.10/nfs-fix-an-incorrect-limit-in-filelayout_decode_layout.patch
new file mode 100644
index 00000000000..05fc89ec0d6
--- /dev/null
+++ b/queue-5.10/nfs-fix-an-incorrect-limit-in-filelayout_decode_layout.patch
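Review bot: In nfs_pageio_doio() the new `if (list_empty(&mirror->pg_list))` block adds to `pg_bytes_written` even when pg_doio() returned an error, because the old `else` is gone, while the description says the counter should move only after a successful flush. If "the list is now empty" is the intended success criterion, state it at the site, e.g. `/* requests left the list, so count them even if pg_doio() reported an error */`; otherwise keep the accounting under `error >= 0`. The nfs_do_recoalesce() hunk only removes the compensating subtraction, and both functions extend beyond the hunks.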
@@ -0,0 +1,34 @@
+From 769b01ea68b6c49dc3cde6adf7e53927dacbd3a8 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Tue, 11 May 2021 11:49:42 +0300
+Subject: NFS: fix an incorrect limit in filelayout_decode_layout()
+
+From: Dan Carpenter
+
+commit 769b01ea68b6c49dc3cde6adf7e53927dacbd3a8 upstream.
+
+The "sizeof(struct nfs_fh)" is two bytes too large and could lead to
+memory corruption. It should be NFS_MAXFHSIZE because that's the size
+of the ->data[] buffer.
+
+I reversed the size of the arguments to put the variable on the left.
+
+Fixes: 16b374ca439f ("NFSv4.1: pnfs: filelayout: add driver's LAYOUTGET and GETDEVICEINFO infrastructure")
+Signed-off-by: Dan Carpenter
+Signed-off-by: Trond Myklebust
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nfs/filelayout/filelayout.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/filelayout/filelayout.c
++++ b/fs/nfs/filelayout/filelayout.c
+@@ -718,7 +718,7 @@ filelayout_decode_layout(struct pnfs_lay
+ if (unlikely(!p))
+ goto out_err;
+ fl->fh_array[i]->size = be32_to_cpup(p++);
+- if (sizeof(struct nfs_fh) < fl->fh_array[i]->size) {
++ if (fl->fh_array[i]->size > NFS_MAXFHSIZE) {
+ printk(KERN_ERR "NFS: Too big fh %d received %d\n",
+ i, fl->fh_array[i]->size);
+ goto out_err;
diff --git a/queue-5.10/nfs-fix-an-oopsable-condition-in-__nfs_pageio_add_request.patch b/queue-5.10/nfs-fix-an-oopsable-condition-in-__nfs_pageio_add_request.patch
new file mode 100644
index 00000000000..045152eab1d
--- /dev/null
+++ b/queue-5.10/nfs-fix-an-oopsable-condition-in-__nfs_pageio_add_request.patch
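Review bot: The server-supplied length is stored into `fl->fh_array[i]->size` before it is validated, and the commit message implies that field is only two bytes wide, so a 32-bit wire value is presumably truncated before the new `> NFS_MAXFHSIZE` comparison sees it. Checking the decoded value first closes that gap: `u32 len = be32_to_cpup(p++);`, then `if (len > NFS_MAXFHSIZE) {` with the existing error path, then `fl->fh_array[i]->size = len;`. The width of `size` is not shown on this page, so confirm it against the struct definition. filelayout_decode_layout() continues outside the hunk.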
@@ -0,0 +1,45 @@
+From 56517ab958b7c11030e626250c00b9b1a24b41eb Mon Sep 17 00:00:00 2001
+From: Trond Myklebust
+Date: Tue, 25 May 2021 10:23:05 -0400
+Subject: NFS: Fix an Oopsable condition in __nfs_pageio_add_request()
+
+From: Trond Myklebust
+
+commit 56517ab958b7c11030e626250c00b9b1a24b41eb upstream.
+
+Ensure that nfs_pageio_error_cleanup() resets the mirror array contents,
+so that the structure reflects the fact that it is now empty.
+Also change the test in nfs_pageio_do_add_request() to be more robust by
+checking whether or not the list is empty rather than relying on the
+value of pg_count.
+
+Fixes: a7d42ddb3099 ("nfs: add mirroring support to pgio layer")
+Signed-off-by: Trond Myklebust
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nfs/pagelist.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/fs/nfs/pagelist.c
++++ b/fs/nfs/pagelist.c
+@@ -1094,15 +1094,16 @@ nfs_pageio_do_add_request(struct nfs_pag
+ struct nfs_page *prev = NULL;
+ unsigned int size;
+
+- if (mirror->pg_count != 0) {
+- prev = nfs_list_entry(mirror->pg_list.prev);
+- } else {
++ if (list_empty(&mirror->pg_list)) {
+ if (desc->pg_ops->pg_init)
+ desc->pg_ops->pg_init(desc, req);
+ if (desc->pg_error < 0)
+ return 0;
+ mirror->pg_base = req->wb_pgbase;
+- }
++ mirror->pg_count = 0;
++ mirror->pg_recoalesce = 0;
++ } else
++ prev = nfs_list_entry(mirror->pg_list.prev);
+
+ if (desc->pg_maxretrans && req->wb_nio > desc->pg_maxretrans) {
+ if (NFS_SERVER(desc->pg_inode)->flags & NFS_MOUNT_SOFTERR)
diff --git a/queue-5.10/nfsv4-fix-v4.0-v4.1-seek_data-return-enotsupp-when-set-nfs_v4_2-config.patch b/queue-5.10/nfsv4-fix-v4.0-v4.1-seek_data-return-enotsupp-when-set-nfs_v4_2-config.patch
new file mode 100644
index 00000000000..2949ed0257f
--- /dev/null
+++ b/queue-5.10/nfsv4-fix-v4.0-v4.1-seek_data-return-enotsupp-when-set-nfs_v4_2-config.patch
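Review bot: The description says nfs_pageio_error_cleanup() now resets the mirror state, but this patch carries a single hunk in nfs_pageio_do_add_request(), so `pg_count` and `pg_recoalesce` are reset only lazily, on the next add to an empty list. A short comment in the empty-list branch, e.g. `/* list was emptied elsewhere (error cleanup); drop stale counters */`, would document that dependency for anyone reading the counters between cleanup and the next add. On style, the braced `if` is followed by an unbraced `else`; kernel style asks for `} else {` and a closing `}` when either branch is braced. The function continues outside the hunk.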
@@ -0,0 +1,36 @@
+From e67afa7ee4a59584d7253e45d7f63b9528819a13 Mon Sep 17 00:00:00 2001
+From: Zhang Xiaoxu
+Date: Tue, 25 May 2021 23:32:35 -0400
+Subject: NFSv4: Fix v4.0/v4.1 SEEK_DATA return -ENOTSUPP when set NFS_V4_2 config
+
+From: Zhang Xiaoxu
+
+commit e67afa7ee4a59584d7253e45d7f63b9528819a13 upstream.
+
+Since commit bdcc2cd14e4e ("NFSv4.2: handle NFS-specific llseek errors"),
+nfs42_proc_llseek would return -EOPNOTSUPP rather than -ENOTSUPP when
+SEEK_DATA on NFSv4.0/v4.1.
+
+This will lead xfstests generic/285 not run on NFSv4.0/v4.1 when set the
+CONFIG_NFS_V4_2, rather than run failed.
+
+Fixes: bdcc2cd14e4e ("NFSv4.2: handle NFS-specific llseek errors")
+Cc: # 4.2
+Signed-off-by: Zhang Xiaoxu
+Signed-off-by: Trond Myklebust
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nfs/nfs4file.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/nfs4file.c
++++ b/fs/nfs/nfs4file.c
+@@ -211,7 +211,7 @@ static loff_t nfs4_file_llseek(struct fi
+ case SEEK_HOLE:
+ case SEEK_DATA:
+ ret = nfs42_proc_llseek(filep, offset, whence);
+- if (ret != -ENOTSUPP)
++ if (ret != -EOPNOTSUPP)
+ return ret;
+ fallthrough;
+ default:
diff --git a/queue-5.10/revert-net-tipc-fix-a-double-free-in-tipc_sk_mcast_rcv.patch b/queue-5.10/revert-net-tipc-fix-a-double-free-in-tipc_sk_mcast_rcv.patch
new file mode 100644
index 00000000000..a3ea98a42df
--- /dev/null
+++ b/queue-5.10/revert-net-tipc-fix-a-double-free-in-tipc_sk_mcast_rcv.patch
@@ -0,0 +1,36 @@
+From 75016891357a628d2b8acc09e2b9b2576c18d318 Mon Sep 17 00:00:00 2001
+From: Hoang Le
+Date: Fri, 14 May 2021 08:23:03 +0700
+Subject: Revert "net:tipc: Fix a double free in tipc_sk_mcast_rcv"
+
+From: Hoang Le
+
+commit 75016891357a628d2b8acc09e2b9b2576c18d318 upstream.
+
+This reverts commit 6bf24dc0cc0cc43b29ba344b66d78590e687e046.
+Above fix is not correct and caused memory leak issue.
+
+Fixes: 6bf24dc0cc0c ("net:tipc: Fix a double free in tipc_sk_mcast_rcv")
+Acked-by: Jon Maloy
+Acked-by: Tung Nguyen
+Signed-off-by: Hoang Le
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/tipc/socket.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/tipc/socket.c
++++ b/net/tipc/socket.c
+@@ -1244,7 +1244,10 @@ void tipc_sk_mcast_rcv(struct net *net,
+ spin_lock_bh(&inputq->lock);
+ if (skb_peek(arrvq) == skb) {
+ skb_queue_splice_tail_init(&tmpq, inputq);
+- __skb_dequeue(arrvq);
++ /* Decrease the skb's refcnt as increasing in the
++ * function tipc_skb_peek
++ */
++ kfree_skb(__skb_dequeue(arrvq));
+ }
+ spin_unlock_bh(&inputq->lock);
+ __skb_queue_purge(&tmpq);
diff --git a/queue-5.10/series b/queue-5.10/series
index 3afe00afd71..d05db1bbfea 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -87,3 +87,24 @@ usb-dwc3-gadget-properly-track-pending-and-queued-sg.patch
 usb-gadget-udc-renesas_usb3-fix-a-race-in-usb3_start_pipen.patch
 usb-typec-mux-fix-matching-with-typec_altmode_desc.patch
 net-usb-fix-memory-leak-in-smsc75xx_bind.patch
+bluetooth-cmtp-fix-file-refcount-when-cmtp_attach_device-fails.patch
+fs-nfs-use-fatal_signal_pending-instead-of-signal_pending.patch
+nfs-fix-an-incorrect-limit-in-filelayout_decode_layout.patch
+nfs-fix-an-oopsable-condition-in-__nfs_pageio_add_request.patch
+nfs-don-t-corrupt-the-value-of-pg_bytes_written-in-nfs_do_recoalesce.patch
+nfsv4-fix-v4.0-v4.1-seek_data-return-enotsupp-when-set-nfs_v4_2-config.patch
+drm-meson-fix-shutdown-crash-when-component-not-probed.patch
+net-mlx5e-reset-xps-on-error-flow-if-netdev-isn-t-registered-yet.patch
+net-mlx5e-fix-multipath-lag-activation.patch
+net-mlx5e-fix-error-path-of-updating-netdev-queues.patch
+net-vdpa-mlx5-configure-interface-mac-into-mpfs-l2-table.patch
+net-mlx5e-fix-nullptr-in-add_vlan_push_action.patch
+net-mlx5-set-reformat-action-when-needed-for-termination-rules.patch
+net-mlx5e-fix-null-deref-accessing-lag-dev.patch
+net-mlx4-fix-eeprom-dump-support.patch
+net-mlx5-set-term-table-as-an-unmanaged-flow-table.patch
+sunrpc-in-case-of-backlog-hand-free-slots-directly-to-waiting-task.patch
+revert-net-tipc-fix-a-double-free-in-tipc_sk_mcast_rcv.patch
+tipc-wait-and-exit-until-all-work-queues-are-done.patch
+tipc-skb_linearize-the-head-skb-when-reassembling-msgs.patch
+spi-spi-fsl-dspi-fix-a-resource-leak-in-an-error-handling-path.patch
diff --git a/queue-5.10/spi-spi-fsl-dspi-fix-a-resource-leak-in-an-error-handling-path.patch b/queue-5.10/spi-spi-fsl-dspi-fix-a-resource-leak-in-an-error-handling-path.patch
new file mode 100644
index 00000000000..3a9a9eea516
--- /dev/null
+++ b/queue-5.10/spi-spi-fsl-dspi-fix-a-resource-leak-in-an-error-handling-path.patch
@@ -0,0 +1,40 @@
+From 680ec0549a055eb464dce6ffb4bfb736ef87236e Mon Sep 17 00:00:00 2001
+From: Christophe JAILLET
+Date: Sun, 9 May 2021 21:12:27 +0200
+Subject: spi: spi-fsl-dspi: Fix a resource leak in an error handling path
+
+From: Christophe JAILLET
+
+commit 680ec0549a055eb464dce6ffb4bfb736ef87236e upstream.
+
+'dspi_request_dma()' should be undone by a 'dspi_release_dma()' call in the
+error handling path of the probe function, as already done in the remove
+function
+
+Fixes: 90ba37033cb9 ("spi: spi-fsl-dspi: Add DMA support for Vybrid")
+Signed-off-by: Christophe JAILLET
+Reviewed-by: Vladimir Oltean
+Link: https://lore.kernel.org/r/d51caaac747277a1099ba8dea07acd85435b857e.1620587472.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/spi/spi-fsl-dspi.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-fsl-dspi.c
++++ b/drivers/spi/spi-fsl-dspi.c
+@@ -1375,11 +1375,13 @@ poll_mode:
+ ret = spi_register_controller(ctlr);
+ if (ret != 0) {
+ dev_err(&pdev->dev, "Problem registering DSPI ctlr\n");
+- goto out_free_irq;
++ goto out_release_dma;
+ }
+
+ return ret;
+
++out_release_dma:
++ dspi_release_dma(dspi);
+ out_free_irq:
+ if (dspi->irq)
+ free_irq(dspi->irq, dspi);
diff --git a/queue-5.10/sunrpc-in-case-of-backlog-hand-free-slots-directly-to-waiting-task.patch b/queue-5.10/sunrpc-in-case-of-backlog-hand-free-slots-directly-to-waiting-task.patch
new file mode 100644
index 00000000000..d3912d0c210
--- /dev/null
+++ b/queue-5.10/sunrpc-in-case-of-backlog-hand-free-slots-directly-to-waiting-task.patch
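Review bot: The new `out_release_dma:` label is reached from the registration failure that follows `poll_mode:`, so `dspi_release_dma(dspi)` now runs on probes that may never have called dspi_request_dma(). That is safe only if dspi_release_dma() returns early when no DMA state was set up, which this hunk does not show; confirm it, or note the requirement with a comment at the label such as `/* dspi_release_dma() must be a no-op when DMA was never requested */`. The probe function starts and ends outside the hunk.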
@@ -0,0 +1,182 @@
+From e877a88d1f069edced4160792f42c2a8e2dba942 Mon Sep 17 00:00:00 2001
+From: NeilBrown
+Date: Mon, 17 May 2021 09:59:10 +1000
+Subject: SUNRPC in case of backlog, hand free slots directly to waiting task
+
+From: NeilBrown
+
+commit e877a88d1f069edced4160792f42c2a8e2dba942 upstream.
+
+If sunrpc.tcp_max_slot_table_entries is small and there are tasks
+on the backlog queue, then when a request completes it is freed and the
+first task on the queue is woken. The expectation is that it will wake
+and claim that request. However if it was a sync task and the waiting
+process was killed at just that moment, it will wake and NOT claim the
+request.
+
+As long as TASK_CONGESTED remains set, requests can only be claimed by
+tasks woken from the backlog, and they are woken only as requests are
+freed, so when a task doesn't claim a request, no other task can ever
+get that request until TASK_CONGESTED is cleared. Each time this
+happens the number of available requests is decreased by one.
+
+With a sufficiently high workload and sufficiently low setting of
+max_slot (16 in the case where this was seen), TASK_CONGESTED can remain
+set for an extended period, and the above scenario (of a process being
+killed just as its task was woken) can repeat until no requests can be
+allocated. Then traffic stops.
+
+This patch addresses the problem by introducing a positive handover of a
+request from a completing task to a backlog task - the request is never
+freed when there is a backlog.
+
+When a task is woken it might not already have a request attached in
+which case it is *not* freed (as with current code) but is initialised
+(if needed) and used. If it isn't used it will eventually be freed by
+rpc_exit_task(). xprt_release() is enhanced to be able to correctly
+release an uninitialised request.
+
+Fixes: ba60eb25ff6b ("SUNRPC: Fix a livelock problem in the xprt->backlog queue")
+Signed-off-by: NeilBrown
+Signed-off-by: Trond Myklebust
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sunrpc/clnt.c | 7 -----
+ net/sunrpc/xprt.c | 68 +++++++++++++++++++++++++++++++++++++-----------------
+ 2 files changed, 47 insertions(+), 28 deletions(-)
+
+--- a/net/sunrpc/clnt.c
++++ b/net/sunrpc/clnt.c
+@@ -1680,13 +1680,6 @@ call_reserveresult(struct rpc_task *task
+ return;
+ }
+
+- /*
+- * Even though there was an error, we may have acquired
+- * a request slot somehow. Make sure not to leak it.
+- */
+- if (task->tk_rqstp)
+- xprt_release(task);
+-
+ switch (status) {
+ case -ENOMEM:
+ rpc_delay(task, HZ >> 2);
+--- a/net/sunrpc/xprt.c
++++ b/net/sunrpc/xprt.c
+@@ -70,6 +70,7 @@
+ static void xprt_init(struct rpc_xprt *xprt, struct net *net);
+ static __be32 xprt_alloc_xid(struct rpc_xprt *xprt);
+ static void xprt_destroy(struct rpc_xprt *xprt);
++static void xprt_request_init(struct rpc_task *task);
+
+ static DEFINE_SPINLOCK(xprt_list_lock);
+ static LIST_HEAD(xprt_list);
+@@ -1580,10 +1581,26 @@ static void xprt_add_backlog(struct rpc_
+ rpc_sleep_on(&xprt->backlog, task, NULL);
+ }
+
+-static void xprt_wake_up_backlog(struct rpc_xprt *xprt)
++static bool __xprt_set_rq(struct rpc_task *task, void *data)
+ {
+- if (rpc_wake_up_next(&xprt->backlog) == NULL)
++ struct rpc_rqst *req = data;
++
++ if (task->tk_rqstp == NULL) {
++ memset(req, 0, sizeof(*req)); /* mark unused */
++ task->tk_status = -EAGAIN;
++ task->tk_rqstp = req;
++ return true;
++ }
++ return false;
++}
++
++static bool xprt_wake_up_backlog(struct rpc_xprt *xprt, struct rpc_rqst *req)
++{
++ if (rpc_wake_up_first(&xprt->backlog, __xprt_set_rq, req) == NULL) {
+ clear_bit(XPRT_CONGESTED, &xprt->state);
++ return false;
++ }
++ return true;
+ }
+
+ static bool xprt_throttle_congested(struct rpc_xprt *xprt, struct rpc_task *task)
+@@ -1671,11 +1688,11 @@ EXPORT_SYMBOL_GPL(xprt_alloc_slot);
+ void xprt_free_slot(struct rpc_xprt *xprt, struct rpc_rqst *req)
+ {
+ spin_lock(&xprt->reserve_lock);
+- if (!xprt_dynamic_free_slot(xprt, req)) {
++ if (!xprt_wake_up_backlog(xprt, req) &&
++ !xprt_dynamic_free_slot(xprt, req)) {
+ memset(req, 0, sizeof(*req)); /* mark unused */
+ list_add(&req->rq_list, &xprt->free);
+ }
+- xprt_wake_up_backlog(xprt);
+ spin_unlock(&xprt->reserve_lock);
+ }
+ EXPORT_SYMBOL_GPL(xprt_free_slot);
+@@ -1763,6 +1780,10 @@ xprt_request_init(struct rpc_task *task)
+ struct rpc_xprt *xprt = task->tk_xprt;
+ struct rpc_rqst *req = task->tk_rqstp;
+
++ if (req->rq_task)
++ /* Already initialized */
++ return;
++
+ req->rq_task = task;
+ req->rq_xprt = xprt;
+ req->rq_buffer = NULL;
+@@ -1823,8 +1844,10 @@ void xprt_retry_reserve(struct rpc_task
+ struct rpc_xprt *xprt = task->tk_xprt;
+
+ task->tk_status = 0;
+- if (task->tk_rqstp != NULL)
++ if (task->tk_rqstp != NULL) {
++ xprt_request_init(task);
+ return;
++ }
+
+ task->tk_status = -EAGAIN;
+ xprt_do_reserve(xprt, task);
+@@ -1849,23 +1872,26 @@ void xprt_release(struct rpc_task *task)
+ }
+
+ xprt = req->rq_xprt;
+- xprt_request_dequeue_xprt(task);
+- spin_lock(&xprt->transport_lock);
+- xprt->ops->release_xprt(xprt, task);
+- if (xprt->ops->release_request)
+- xprt->ops->release_request(task);
+- xprt_schedule_autodisconnect(xprt);
+- spin_unlock(&xprt->transport_lock);
+- if (req->rq_buffer)
+- xprt->ops->buf_free(task);
+- xdr_free_bvec(&req->rq_rcv_buf);
+- xdr_free_bvec(&req->rq_snd_buf);
+- if (req->rq_cred != NULL)
+- put_rpccred(req->rq_cred);
+- task->tk_rqstp = NULL;
+- if (req->rq_release_snd_buf)
+- req->rq_release_snd_buf(req);
++ if (xprt) {
++ xprt_request_dequeue_xprt(task);
++ spin_lock(&xprt->transport_lock);
++ xprt->ops->release_xprt(xprt, task);
++ if (xprt->ops->release_request)
++ xprt->ops->release_request(task);
++ xprt_schedule_autodisconnect(xprt);
++ spin_unlock(&xprt->transport_lock);
++ if (req->rq_buffer)
++ xprt->ops->buf_free(task);
++ xdr_free_bvec(&req->rq_rcv_buf);
++ xdr_free_bvec(&req->rq_snd_buf);
++ if (req->rq_cred != NULL)
++ put_rpccred(req->rq_cred);
++ if (req->rq_release_snd_buf)
++ req->rq_release_snd_buf(req);
++ } else
++ xprt = task->tk_xprt;
+
++ task->tk_rqstp = NULL;
+ if (likely(!bc_prealloc(req)))
+ xprt->ops->free_slot(xprt, req);
+ else
diff --git a/queue-5.10/tipc-skb_linearize-the-head-skb-when-reassembling-msgs.patch b/queue-5.10/tipc-skb_linearize-the-head-skb-when-reassembling-msgs.patch
new file mode 100644
index 00000000000..e5d7964bcc6
--- /dev/null
+++ b/queue-5.10/tipc-skb_linearize-the-head-skb-when-reassembling-msgs.patch
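Review bot: xprt_request_init() and xprt_release() now treat a zeroed request as "handed over but not yet initialised" by testing `req->rq_task` and `req->rq_xprt`, and that contract is only implied by the `memset()` in __xprt_set_rq(). A comment on __xprt_set_rq() stating it, e.g. `/* zeroed req == reserved but uninitialised; xprt_request_init() and xprt_release() test rq_task / rq_xprt */`, would keep a later change from silently breaking the marker and leaking or double-releasing a slot. In xprt_release() the braced `if (xprt) { ... }` is followed by an unbraced `else`, which kernel brace style asks to be `} else {` with a closing brace. Several of these functions extend beyond their hunks.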
@@ -0,0 +1,95 @@
+From b7df21cf1b79ab7026f545e7bf837bd5750ac026 Mon Sep 17 00:00:00 2001
+From: Xin Long
+Date: Sat, 8 May 2021 03:57:03 +0800
+Subject: tipc: skb_linearize the head skb when reassembling msgs
+
+From: Xin Long
+
+commit b7df21cf1b79ab7026f545e7bf837bd5750ac026 upstream.
+
+It's not a good idea to append the frag skb to a skb's frag_list if
+the frag_list already has skbs from elsewhere, such as this skb was
+created by pskb_copy() where the frag_list was cloned (all the skbs
+in it were skb_get'ed) and shared by multiple skbs.
+
+However, the new appended frag skb should have been only seen by the
+current skb. Otherwise, it will cause use after free crashes as this
+appended frag skb are seen by multiple skbs but it only got skb_get
+called once.
+
+The same thing happens with a skb updated by pskb_may_pull() with a
+skb_cloned skb. Li Shuang has reported quite a few crashes caused
+by this when doing testing over macvlan devices:
+
+ [] kernel BUG at net/core/skbuff.c:1970!
+ [] Call Trace:
+ [] skb_clone+0x4d/0xb0
+ [] macvlan_broadcast+0xd8/0x160 [macvlan]
+ [] macvlan_process_broadcast+0x148/0x150 [macvlan]
+ [] process_one_work+0x1a7/0x360
+ [] worker_thread+0x30/0x390
+
+ [] kernel BUG at mm/usercopy.c:102!
+ [] Call Trace:
+ [] __check_heap_object+0xd3/0x100
+ [] __check_object_size+0xff/0x16b
+ [] simple_copy_to_iter+0x1c/0x30
+ [] __skb_datagram_iter+0x7d/0x310
+ [] __skb_datagram_iter+0x2a5/0x310
+ [] skb_copy_datagram_iter+0x3b/0x90
+ [] tipc_recvmsg+0x14a/0x3a0 [tipc]
+ [] ____sys_recvmsg+0x91/0x150
+ [] ___sys_recvmsg+0x7b/0xc0
+
+ [] kernel BUG at mm/slub.c:305!
+ [] Call Trace:
+ []
+ [] kmem_cache_free+0x3ff/0x400
+ [] __netif_receive_skb_core+0x12c/0xc40
+ [] ? kmem_cache_alloc+0x12e/0x270
+ [] netif_receive_skb_internal+0x3d/0xb0
+ [] ? get_rx_page_info+0x8e/0xa0 [be2net]
+ [] be_poll+0x6ef/0xd00 [be2net]
+ [] ? irq_exit+0x4f/0x100
+ [] net_rx_action+0x149/0x3b0
+
+ ...
+
+This patch is to fix it by linearizing the head skb if it has frag_list
+set in tipc_buf_append(). Note that we choose to do this before calling
+skb_unshare(), as __skb_linearize() will avoid skb_copy(). Also, we can
+not just drop the frag_list either as the early time.
+
+Fixes: 45c8b7b175ce ("tipc: allow non-linear first fragment buffer")
+Reported-by: Li Shuang
+Signed-off-by: Xin Long
+Acked-by: Jon Maloy
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/tipc/msg.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+--- a/net/tipc/msg.c
++++ b/net/tipc/msg.c
+@@ -151,18 +151,13 @@ int tipc_buf_append(struct sk_buff **hea
+ if (unlikely(head))
+ goto err;
+ *buf = NULL;
++ if (skb_has_frag_list(frag) && __skb_linearize(frag))
++ goto err;
+ frag = skb_unshare(frag, GFP_ATOMIC);
+ if (unlikely(!frag))
+ goto err;
+ head = *headbuf = frag;
+ TIPC_SKB_CB(head)->tail = NULL;
+- if (skb_is_nonlinear(head)) {
+- skb_walk_frags(head, tail) {
+- TIPC_SKB_CB(head)->tail = tail;
+- }
+- } else {
+- skb_frag_list_init(head);
+- }
+ return 0;
+ }
+
diff --git a/queue-5.10/tipc-wait-and-exit-until-all-work-queues-are-done.patch b/queue-5.10/tipc-wait-and-exit-until-all-work-queues-are-done.patch
new file mode 100644
index 00000000000..570f6f3e2e3
--- /dev/null
+++ b/queue-5.10/tipc-wait-and-exit-until-all-work-queues-are-done.patch
@@ -0,0 +1,88 @@
+From 04c26faa51d1e2fe71cf13c45791f5174c37f986 Mon Sep 17 00:00:00 2001
+From: Xin Long
+Date: Mon, 17 May 2021 02:28:58 +0800
+Subject: tipc: wait and exit until all work queues are done
+
+From: Xin Long
+
+commit 04c26faa51d1e2fe71cf13c45791f5174c37f986 upstream.
+
+On some host, a crash could be triggered simply by repeating these
+commands several times:
+
+ # modprobe tipc
+ # tipc bearer enable media udp name UDP1 localip 127.0.0.1
+ # rmmod tipc
+
+ [] BUG: unable to handle kernel paging request at ffffffffc096bb00
+ [] Workqueue: events 0xffffffffc096bb00
+ [] Call Trace:
+ [] ? process_one_work+0x1a7/0x360
+ [] ? worker_thread+0x30/0x390
+ [] ? create_worker+0x1a0/0x1a0
+ [] ? kthread+0x116/0x130
+ [] ? kthread_flush_work_fn+0x10/0x10
+ [] ? ret_from_fork+0x35/0x40
+
+When removing the TIPC module, the UDP tunnel sock will be delayed to
+release in a work queue as sock_release() can't be done in rtnl_lock().
+If the work queue is schedule to run after the TIPC module is removed,
+kernel will crash as the work queue function cleanup_beareri() code no
+longer exists when trying to invoke it.
+
+To fix it, this patch introduce a member wq_count in tipc_net to track
+the numbers of work queues in schedule, and wait and exit until all
+work queues are done in tipc_exit_net().
+
+Fixes: d0f91938bede ("tipc: add ip/udp media type")
+Reported-by: Shuang Li
+Signed-off-by: Xin Long
+Acked-by: Jon Maloy
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/tipc/core.c | 2 ++
+ net/tipc/core.h | 2 ++
+ net/tipc/udp_media.c | 2 ++
+ 3 files changed, 6 insertions(+)
+
+--- a/net/tipc/core.c
++++ b/net/tipc/core.c
+@@ -121,6 +121,8 @@ static void __net_exit tipc_exit_net(str
+ #ifdef CONFIG_TIPC_CRYPTO
+ tipc_crypto_stop(&tipc_net(net)->crypto_tx);
+ #endif
++ while (atomic_read(&tn->wq_count))
++ cond_resched();
+ }
+
+ static void __net_exit tipc_pernet_pre_exit(struct net *net)
+--- a/net/tipc/core.h
++++ b/net/tipc/core.h
+@@ -151,6 +151,8 @@ struct tipc_net {
+ #endif
+ /* Work item for net finalize */
+ struct tipc_net_work final_work;
++ /* The numbers of work queues in schedule */
++ atomic_t wq_count;
+ };
+
+ static inline struct tipc_net *tipc_net(struct net *net)
+--- a/net/tipc/udp_media.c
++++ b/net/tipc/udp_media.c
+@@ -806,6 +806,7 @@ static void cleanup_bearer(struct work_s
+ kfree_rcu(rcast, rcu);
+ }
+
++ atomic_dec(&tipc_net(sock_net(ub->ubsock->sk))->wq_count);
+ dst_cache_destroy(&ub->rcast.dst_cache);
+ udp_tunnel_sock_release(ub->ubsock);
+ synchronize_net();
+@@ -826,6 +827,7 @@ static void tipc_udp_disable(struct tipc
+ RCU_INIT_POINTER(ub->bearer, NULL);
+
+ /* sock_release need to be done outside of rtnl lock */
++ atomic_inc(&tipc_net(sock_net(ub->ubsock->sk))->wq_count);
+ INIT_WORK(&ub->work, cleanup_bearer);
+ schedule_work(&ub->work);
+ }
-- 2.47.3
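Review bot: In cleanup_bearer() the `atomic_dec()` on `wq_count` runs before `dst_cache_destroy()`, `udp_tunnel_sock_release()` and `synchronize_net()`, so the wait loop added to tipc_exit_net() can finish while the work function is still executing and still touching the socket and namespace state. The decrement should be the last step: capture `struct tipc_net *tn = tipc_net(sock_net(ub->ubsock->sk));` before the socket is released and call `atomic_dec(&tn->wq_count);` at the end of the function. cleanup_bearer() continues past the hunk, so the exact final position needs the full body; the `tn` used in tipc_exit_net() is likewise declared outside the hunk.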