From 75ecaa05c960312ad808504f7c66cb9b805b07c3 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sun, 6 Jun 2021 16:55:34 -0400 Subject: [PATCH] Fixes for 5.4 
Signed-off-by: Sasha Levin --- ...context-mutex-during-object-deletion.patch | 46 ++++ ...mory_xp-and-efi_memory_ro-both-to-be.patch | 41 ++++ ...printf-use-in-cper_dimm_err_location.patch | 52 ++++ ...d-i2c-hid-fix-format-string-mismatch.patch | 47 ++++ ...-error-return-code-in-hid_pidff_init.patch | 36 +++ ...wmon-dell-smm-hwmon-fix-index-values.patch | 47 ++++ ...m-geni-add-shutdown-callback-for-i2c.patch | 57 +++++ ...dd-correct-exception-tracing-for-xdp.patch | 87 +++++++ ...ptimize-for-xdp_redirect-in-xsk-path.patch | 55 +++++ ...allow-all-lldp-packets-from-pf-to-tx.patch | 63 +++++ ...es-for-avf-drivers-that-expect-atqle.patch | 63 +++++ ...e-write-register-with-correct-offset.patch | 38 +++ ...rror-return-code-in-ieee802154_add_i.patch | 41 ++++ ...rror-return-code-in-ieee802154_llsec.patch | 41 ++++ ...lab-out-of-bounds-read-in-fib6_nh_fl.patch | 232 ++++++++++++++++++ ...s_svc_f_hashed-flag-when-adding-serv.patch | 62 +++++ ...dd-correct-exception-tracing-for-xdp.patch | 46 ++++ ...for-needed-capability-for-cvlan-matc.patch | 55 +++++ ...-fix-ct-template-allocation-for-zone.patch | 59 +++++ ...ack-unregister-ipv4-sockopts-on-erro.patch | 35 +++ ...ink_cthelper-hit-ebusy-on-updates-if.patch | 45 ++++ ...-skip-expectations-for-confirmed-con.patch | 64 +++++ ...v-fix-error-handing-in-mdpy_fb_probe.patch | 62 +++++ queue-5.4/series | 26 ++ ...-error-return-code-in-vfio_ecap_init.patch | 39 +++ .../vfio-pci-zap_vma_ptes-needs-mmu.patch | 48 ++++ ...rm-fix-module_put-call-in-error-flow.patch | 37 +++ 27 files changed, 1524 insertions(+) create mode 100644 queue-5.4/acpica-clean-up-context-mutex-during-object-deletion.patch create mode 100644 queue-5.4/efi-allow-efi_memory_xp-and-efi_memory_ro-both-to-be.patch create mode 100644 queue-5.4/efi-cper-fix-snprintf-use-in-cper_dimm_err_location.patch create mode 100644 queue-5.4/hid-i2c-hid-fix-format-string-mismatch.patch create mode 100644 queue-5.4/hid-pidff-fix-error-return-code-in-hid_pidff_init.patch create 
mode 100644 queue-5.4/hwmon-dell-smm-hwmon-fix-index-values.patch create mode 100644 queue-5.4/i2c-qcom-geni-add-shutdown-callback-for-i2c.patch create mode 100644 queue-5.4/i40e-add-correct-exception-tracing-for-xdp.patch create mode 100644 queue-5.4/i40e-optimize-for-xdp_redirect-in-xsk-path.patch create mode 100644 queue-5.4/ice-allow-all-lldp-packets-from-pf-to-tx.patch create mode 100644 queue-5.4/ice-fix-vfr-issues-for-avf-drivers-that-expect-atqle.patch create mode 100644 queue-5.4/ice-write-register-with-correct-offset.patch create mode 100644 queue-5.4/ieee802154-fix-error-return-code-in-ieee802154_add_i.patch create mode 100644 queue-5.4/ieee802154-fix-error-return-code-in-ieee802154_llsec.patch create mode 100644 queue-5.4/ipv6-fix-kasan-slab-out-of-bounds-read-in-fib6_nh_fl.patch create mode 100644 queue-5.4/ipvs-ignore-ip_vs_svc_f_hashed-flag-when-adding-serv.patch create mode 100644 queue-5.4/ixgbevf-add-correct-exception-tracing-for-xdp.patch create mode 100644 queue-5.4/net-mlx5e-check-for-needed-capability-for-cvlan-matc.patch create mode 100644 queue-5.4/net-sched-act_ct-fix-ct-template-allocation-for-zone.patch create mode 100644 queue-5.4/netfilter-conntrack-unregister-ipv4-sockopts-on-erro.patch create mode 100644 queue-5.4/netfilter-nfnetlink_cthelper-hit-ebusy-on-updates-if.patch create mode 100644 queue-5.4/netfilter-nft_ct-skip-expectations-for-confirmed-con.patch create mode 100644 queue-5.4/samples-vfio-mdev-fix-error-handing-in-mdpy_fb_probe.patch create mode 100644 queue-5.4/vfio-pci-fix-error-return-code-in-vfio_ecap_init.patch create mode 100644 queue-5.4/vfio-pci-zap_vma_ptes-needs-mmu.patch create mode 100644 queue-5.4/vfio-platform-fix-module_put-call-in-error-flow.patch diff --git a/queue-5.4/acpica-clean-up-context-mutex-during-object-deletion.patch b/queue-5.4/acpica-clean-up-context-mutex-during-object-deletion.patch new file mode 100644 index 00000000000..43594382f3c --- /dev/null 
+++ b/queue-5.4/acpica-clean-up-context-mutex-during-object-deletion.patch
@@ -0,0 +1,46 @@
+From 1e959919cea2a7515fc7042aad1032427869a007 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 21 May 2021 15:28:08 -0700
+Subject: ACPICA: Clean up context mutex during object deletion
+
+From: Erik Kaneda
+
+[ Upstream commit e4dfe108371214500ee10c2cf19268f53acaa803 ]
+
+ACPICA commit bc43c878fd4ff27ba75b1d111b97ee90d4a82707
+
+Fixes: c27f3d011b08 ("Fix race in GenericSerialBus (I2C) and GPIO OpRegion parameter handling")
+Link: https://github.com/acpica/acpica/commit/bc43c878
+Reported-by: John Garry
+Reported-by: Xiang Chen
+Tested-by: Xiang Chen
+Signed-off-by: Erik Kaneda
+Signed-off-by: Bob Moore
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Sasha Levin
+---
+ drivers/acpi/acpica/utdelete.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/acpi/acpica/utdelete.c b/drivers/acpi/acpica/utdelete.c
+index 4c0d4e434196..72d2c0b65633 100644
+--- a/drivers/acpi/acpica/utdelete.c
++++ b/drivers/acpi/acpica/utdelete.c
+@@ -285,6 +285,14 @@ static void acpi_ut_delete_internal_obj(union acpi_operand_object *object)
+ }
+ break;
+
++ case ACPI_TYPE_LOCAL_ADDRESS_HANDLER:
++
++ ACPI_DEBUG_PRINT((ACPI_DB_ALLOCATIONS,
++ "***** Address handler %p\n", object));
++
++ acpi_os_delete_mutex(object->address_space.context_mutex);
++ break;
++
+ default:
+
+ break;
+--
+2.30.2
+
diff --git a/queue-5.4/efi-allow-efi_memory_xp-and-efi_memory_ro-both-to-be.patch b/queue-5.4/efi-allow-efi_memory_xp-and-efi_memory_ro-both-to-be.patch
new file mode 100644
index 00000000000..e892494ce47
--- /dev/null
+++ b/queue-5.4/efi-allow-efi_memory_xp-and-efi_memory_ro-both-to-be.patch
@@ -0,0 +1,41 @@
+From 2934b64510e12669aef855f621df36863e772c95 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 30 Apr 2021 16:22:51 +0200
+Subject: efi: Allow EFI_MEMORY_XP and EFI_MEMORY_RO both to be cleared
+
+From: Heiner Kallweit
+
+[ Upstream commit 45add3cc99feaaf57d4b6f01d52d532c16a1caee ]
+
+UEFI spec 2.9, p.108, table 4-1 lists the scenario that both attributes
+are cleared with the description "No memory access protection is
+possible for Entry". So we can have valid entries where both attributes
+are cleared, so remove the check.
+
+Signed-off-by: Heiner Kallweit
+Fixes: 10f0d2f577053 ("efi: Implement generic support for the Memory Attributes table")
+Signed-off-by: Ard Biesheuvel
+Signed-off-by: Sasha Levin
+---
+ drivers/firmware/efi/memattr.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/drivers/firmware/efi/memattr.c b/drivers/firmware/efi/memattr.c
+index 58452fde92cc..5d343dc8e535 100644
+--- a/drivers/firmware/efi/memattr.c
++++ b/drivers/firmware/efi/memattr.c
+@@ -66,11 +66,6 @@ static bool entry_is_valid(const efi_memory_desc_t *in, efi_memory_desc_t *out)
+ return false;
+ }
+
+- if (!(in->attribute & (EFI_MEMORY_RO | EFI_MEMORY_XP))) {
+- pr_warn("Entry attributes invalid: RO and XP bits both cleared\n");
+- return false;
+- }
+-
+ if (PAGE_SIZE > EFI_PAGE_SIZE &&
+ (!PAGE_ALIGNED(in->phys_addr) ||
+ !PAGE_ALIGNED(in->num_pages << EFI_PAGE_SHIFT))) {
+--
+2.30.2
+
diff --git a/queue-5.4/efi-cper-fix-snprintf-use-in-cper_dimm_err_location.patch b/queue-5.4/efi-cper-fix-snprintf-use-in-cper_dimm_err_location.patch
new file mode 100644
index 00000000000..961bea6e361
--- /dev/null
+++ b/queue-5.4/efi-cper-fix-snprintf-use-in-cper_dimm_err_location.patch
@@ -0,0 +1,52 @@
+From c0c2fc20bb64861b179bf36f9cd2092e7869f04e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 21 Apr 2021 21:46:36 +0200
+Subject: efi: cper: fix snprintf() use in cper_dimm_err_location()
+
+From: Rasmus Villemoes
+
+[ Upstream commit 942859d969de7f6f7f2659a79237a758b42782da ]
+
+snprintf() should be given the full buffer size, not one less. And it
+guarantees nul-termination, so doing it manually afterwards is
+pointless.
+
+It's even potentially harmful (though probably not in practice because
+CPER_REC_LEN is 256), due to the "return how much would have been
+written had the buffer been big enough" semantics. I.e., if the bank
+and/or device strings are long enough that the "DIMM location ..."
+output gets truncated, writing to msg[n] is a buffer overflow.
+
+Signed-off-by: Rasmus Villemoes
+Fixes: 3760cd20402d4 ("CPER: Adjust code flow of some functions")
+Signed-off-by: Ard Biesheuvel
+Signed-off-by: Sasha Levin
+---
+ drivers/firmware/efi/cper.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/firmware/efi/cper.c b/drivers/firmware/efi/cper.c
+index b1af0de2e100..e48298687b76 100644
+--- a/drivers/firmware/efi/cper.c
++++ b/drivers/firmware/efi/cper.c
+@@ -263,8 +263,7 @@ static int cper_dimm_err_location(struct cper_mem_err_compact *mem, char *msg)
+ if (!msg || !(mem->validation_bits & CPER_MEM_VALID_MODULE_HANDLE))
+ return 0;
+
+- n = 0;
+- len = CPER_REC_LEN - 1;
++ len = CPER_REC_LEN;
+ dmi_memdev_name(mem->mem_dev_handle, &bank, &device);
+ if (bank && device)
+ n = snprintf(msg, len, "DIMM location: %s %s ", bank, device);
+@@ -273,7 +272,6 @@ static int cper_dimm_err_location(struct cper_mem_err_compact *mem, char *msg)
+ "DIMM location: not present. DMI handle: 0x%.4x ",
+ mem->mem_dev_handle);
+
+- msg[n] = '\0';
+ return n;
+ }
+
+--
+2.30.2
+
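Review bot: In `cper_dimm_err_location()` the value returned by `return n;` is still the raw `snprintf()` result, which on truncation is the length that would have been written rather than the length stored, so it can be `CPER_REC_LEN` or more even though the buffer write itself is now bounded. The removed `msg[n] = '\0';` was the only visible use of `n` as an index, but a caller that treats the return value as a byte count for `msg` would reintroduce the overflow the commit message describes. Using the kernel's bounded variant in both branches, e.g. `n = scnprintf(msg, len, "DIMM location: %s %s ", bank, device);`, keeps the return value within the buffer. The second `snprintf()` call begins outside the second hunk, so only its argument lines are visible here.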
diff --git a/queue-5.4/hid-i2c-hid-fix-format-string-mismatch.patch b/queue-5.4/hid-i2c-hid-fix-format-string-mismatch.patch
new file mode 100644
index 00000000000..4a176c95f95
--- /dev/null
+++ b/queue-5.4/hid-i2c-hid-fix-format-string-mismatch.patch
@@ -0,0 +1,47 @@
+From 74b2e0bdebb3ad8f7a0fb915762a420eed2cffe8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 14 May 2021 15:58:50 +0200
+Subject: HID: i2c-hid: fix format string mismatch
+
+From: Arnd Bergmann
+
+[ Upstream commit dc5f9f55502e13ba05731d5046a14620aa2ff456 ]
+
+clang doesn't like printing a 32-bit integer using %hX format string:
+
+drivers/hid/i2c-hid/i2c-hid-core.c:994:18: error: format specifies type 'unsigned short' but the argument has type '__u32' (aka 'unsigned int') [-Werror,-Wformat]
+ client->name, hid->vendor, hid->product);
+ ^~~~~~~~~~~
+drivers/hid/i2c-hid/i2c-hid-core.c:994:31: error: format specifies type 'unsigned short' but the argument has type '__u32' (aka 'unsigned int') [-Werror,-Wformat]
+ client->name, hid->vendor, hid->product);
+ ^~~~~~~~~~~~
+
+Use an explicit cast to truncate it to the low 16 bits instead.
+
+Fixes: 9ee3e06610fd ("HID: i2c-hid: override HID descriptors for certain devices")
+Signed-off-by: Arnd Bergmann
+Reviewed-by: Nathan Chancellor
+Signed-off-by: Jiri Kosina
+Signed-off-by: Sasha Levin
+---
+ drivers/hid/i2c-hid/i2c-hid-core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hid/i2c-hid/i2c-hid-core.c b/drivers/hid/i2c-hid/i2c-hid-core.c
+index 96898983db99..f67817819f9a 100644
+--- a/drivers/hid/i2c-hid/i2c-hid-core.c
++++ b/drivers/hid/i2c-hid/i2c-hid-core.c
+@@ -1114,8 +1114,8 @@ static int i2c_hid_probe(struct i2c_client *client,
+ hid->vendor = le16_to_cpu(ihid->hdesc.wVendorID);
+ hid->product = le16_to_cpu(ihid->hdesc.wProductID);
+
+- snprintf(hid->name, sizeof(hid->name), "%s %04hX:%04hX",
+- client->name, hid->vendor, hid->product);
++ snprintf(hid->name, sizeof(hid->name), "%s %04X:%04X",
++ client->name, (u16)hid->vendor, (u16)hid->product);
+ strlcpy(hid->phys, dev_name(&client->dev), sizeof(hid->phys));
+
+ ihid->quirks = i2c_hid_lookup_quirk(hid->vendor, hid->product);
+--
+2.30.2
+
diff --git a/queue-5.4/hid-pidff-fix-error-return-code-in-hid_pidff_init.patch b/queue-5.4/hid-pidff-fix-error-return-code-in-hid_pidff_init.patch
new file mode 100644
index 00000000000..9afb5d0202c
--- /dev/null
+++ b/queue-5.4/hid-pidff-fix-error-return-code-in-hid_pidff_init.patch
@@ -0,0 +1,36 @@
+From efdf1a5aa0fb35bb715815c02deda20889356346 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 8 May 2021 10:47:37 +0800
+Subject: HID: pidff: fix error return code in hid_pidff_init()
+
+From: Zhen Lei
+
+[ Upstream commit 3dd653c077efda8152f4dd395359617d577a54cd ]
+
+Fix to return a negative error code from the error handling
+case instead of 0, as done elsewhere in this function.
+
+Fixes: 224ee88fe395 ("Input: add force feedback driver for PID devices")
+Reported-by: Hulk Robot
+Signed-off-by: Zhen Lei
+Signed-off-by: Jiri Kosina
+Signed-off-by: Sasha Levin
+---
+ drivers/hid/usbhid/hid-pidff.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/hid/usbhid/hid-pidff.c b/drivers/hid/usbhid/hid-pidff.c
+index fddac7c72f64..07a9fe97d2e0 100644
+--- a/drivers/hid/usbhid/hid-pidff.c
++++ b/drivers/hid/usbhid/hid-pidff.c
+@@ -1292,6 +1292,7 @@ int hid_pidff_init(struct hid_device *hid)
+
+ if (pidff->pool[PID_DEVICE_MANAGED_POOL].value &&
+ pidff->pool[PID_DEVICE_MANAGED_POOL].value[0] == 0) {
++ error = -EPERM;
+ hid_notice(hid,
+ "device does not support device managed pool\n");
+ goto fail;
+--
+2.30.2
+
diff --git a/queue-5.4/hwmon-dell-smm-hwmon-fix-index-values.patch b/queue-5.4/hwmon-dell-smm-hwmon-fix-index-values.patch
new file mode 100644
index 00000000000..aece91429bc
--- /dev/null
+++ b/queue-5.4/hwmon-dell-smm-hwmon-fix-index-values.patch
@@ -0,0 +1,47 @@
+From 0e9870c23eb977b4a9c2b508f0df3564b804f81e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 13 May 2021 17:45:46 +0200
+Subject: hwmon: (dell-smm-hwmon) Fix index values
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Armin Wolf
+
+[ Upstream commit 35d470b5fbc9f82feb77b56bb0d5d0b5cd73e9da ]
+
+When support for up to 10 temp sensors and for disabling automatic BIOS
+fan control was added, noone updated the index values used for
+disallowing fan support and fan type calls.
+Fix those values.
+
+Signed-off-by: Armin Wolf
+Reviewed-by: Pali Rohár
+Link: https://lore.kernel.org/r/20210513154546.12430-1-W_Armin@gmx.de
+Fixes: 1bb46a20e73b ("hwmon: (dell-smm) Support up to 10 temp sensors")
+Signed-off-by: Guenter Roeck
+Signed-off-by: Sasha Levin
+---
+ drivers/hwmon/dell-smm-hwmon.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hwmon/dell-smm-hwmon.c b/drivers/hwmon/dell-smm-hwmon.c
+index 4212d022d253..35c00420d855 100644
+--- a/drivers/hwmon/dell-smm-hwmon.c
++++ b/drivers/hwmon/dell-smm-hwmon.c
+@@ -792,10 +792,10 @@ static struct attribute *i8k_attrs[] = {
+ static umode_t i8k_is_visible(struct kobject *kobj, struct attribute *attr,
+ int index)
+ {
+- if (disallow_fan_support && index >= 8)
++ if (disallow_fan_support && index >= 20)
+ return 0;
+ if (disallow_fan_type_call &&
+- (index == 9 || index == 12 || index == 15))
++ (index == 21 || index == 25 || index == 28))
+ return 0;
+ if (index >= 0 && index <= 1 &&
+ !(i8k_hwmon_flags & I8K_HWMON_HAVE_TEMP1))
+--
+2.30.2
+
diff --git a/queue-5.4/i2c-qcom-geni-add-shutdown-callback-for-i2c.patch b/queue-5.4/i2c-qcom-geni-add-shutdown-callback-for-i2c.patch
new file mode 100644
index 00000000000..3e562948439
--- /dev/null
+++ b/queue-5.4/i2c-qcom-geni-add-shutdown-callback-for-i2c.patch
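Review bot: The corrected checks in `i8k_is_visible()`, `index >= 20` and `index == 21 || index == 25 || index == 28`, are still bare positions into `i8k_attrs[]`, which is how the previous values went stale when entries were added to the array. A comment beside each check saying which attribute group the number refers to, or named constants defined next to the array (for example `#define I8K_FIRST_FAN_ATTR 20`, a constructed name), would make the next reordering show up in review instead of silently exposing or hiding the wrong sysfs attributes. The array definition and the rest of the function lie outside this hunk.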
@@ -0,0 +1,57 @@
+From c1c1e2b44ca64901103f7fa456747180eca16026 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 25 May 2021 18:40:50 +0530
+Subject: i2c: qcom-geni: Add shutdown callback for i2c
+
+From: Roja Rani Yarubandi
+
+[ Upstream commit 9f78c607600ce4f2a952560de26534715236f612 ]
+
+If the hardware is still accessing memory after SMMU translation
+is disabled (as part of smmu shutdown callback), then the
+IOVAs (I/O virtual address) which it was using will go on the bus
+as the physical addresses which will result in unknown crashes
+like NoC/interconnect errors.
+
+So, implement shutdown callback for i2c driver to suspend the bus
+during system "reboot" or "shutdown".
+
+Fixes: 37692de5d523 ("i2c: i2c-qcom-geni: Add bus driver for the Qualcomm GENI I2C controller")
+Signed-off-by: Roja Rani Yarubandi
+Reviewed-by: Stephen Boyd
+Signed-off-by: Wolfram Sang
+Signed-off-by: Sasha Levin
+---
+ drivers/i2c/busses/i2c-qcom-geni.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/i2c/busses/i2c-qcom-geni.c b/drivers/i2c/busses/i2c-qcom-geni.c
+index b56a427fb928..d4ca00df6a5e 100644
+--- a/drivers/i2c/busses/i2c-qcom-geni.c
++++ b/drivers/i2c/busses/i2c-qcom-geni.c
+@@ -641,6 +641,14 @@ static int geni_i2c_remove(struct platform_device *pdev)
+ return 0;
+ }
+
++static void geni_i2c_shutdown(struct platform_device *pdev)
++{
++ struct geni_i2c_dev *gi2c = platform_get_drvdata(pdev);
++
++ /* Make client i2c transfers start failing */
++ i2c_mark_adapter_suspended(&gi2c->adap);
++}
++
+ static int __maybe_unused geni_i2c_runtime_suspend(struct device *dev)
+ {
+ int ret;
+@@ -701,6 +709,7 @@ MODULE_DEVICE_TABLE(of, geni_i2c_dt_match);
+ static struct platform_driver geni_i2c_driver = {
+ .probe = geni_i2c_probe,
+ .remove = geni_i2c_remove,
++ .shutdown = geni_i2c_shutdown,
+ .driver = {
+ .name = "geni_i2c",
+ .pm = &geni_i2c_pm_ops,
+--
+2.30.2
+
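Review bot: The only comment in the new `geni_i2c_shutdown()`, `/* Make client i2c transfers start failing */`, does not tie the call to the reason given in the commit message, namely that the controller must stop touching memory before the SMMU shutdown callback disables translation. A function comment such as `/* Stop new transfers before SMMU translation is torn down at reboot/shutdown; DMA after that point would hit physical addresses. */` would keep that ordering requirement next to the code. It would also help to state whether `i2c_mark_adapter_suspended()` is relied on to wait for a transfer already in progress, since that is not visible from this hunk.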
diff --git a/queue-5.4/i40e-add-correct-exception-tracing-for-xdp.patch b/queue-5.4/i40e-add-correct-exception-tracing-for-xdp.patch
new file mode 100644
index 00000000000..885bdb96032
--- /dev/null
+++ b/queue-5.4/i40e-add-correct-exception-tracing-for-xdp.patch
@@ -0,0 +1,87 @@ +From 9a73baca55843db2876f4397f7c9095c3f06ab48 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 May 2021 11:38:49 +0200 +Subject: i40e: add correct exception tracing for XDP + +From: Magnus Karlsson + +[ Upstream commit f6c10b48f8c8da44adaff730d8e700b6272add2b ] + +Add missing exception tracing to XDP when a number of different errors +can occur. The support was only partial. Several errors where not +logged which would confuse the user quite a lot not knowing where and +why the packets disappeared. + +Fixes: 74608d17fe29 ("i40e: add support for XDP_TX action") +Fixes: 0a714186d3c0 ("i40e: add AF_XDP zero-copy Rx support") +Reported-by: Jesper Dangaard Brouer +Signed-off-by: Magnus Karlsson +Tested-by: Kiran Bhandare +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_txrx.c | 7 ++++++- + drivers/net/ethernet/intel/i40e/i40e_xsk.c | 8 ++++++-- + 2 files changed, 12 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_txrx.c b/drivers/net/ethernet/intel/i40e/i40e_txrx.c +index 218aada8949d..68a2fcf4c0bf 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_txrx.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_txrx.c +@@ -2233,15 +2233,20 @@ static struct sk_buff *i40e_run_xdp(struct i40e_ring *rx_ring, + case XDP_TX: + xdp_ring = rx_ring->vsi->xdp_rings[rx_ring->queue_index]; + result = i40e_xmit_xdp_tx_ring(xdp, xdp_ring); ++ if (result == I40E_XDP_CONSUMED) ++ goto out_failure; + break; + case XDP_REDIRECT: + err = xdp_do_redirect(rx_ring->netdev, xdp, xdp_prog); +- result = !err ? 
I40E_XDP_REDIR : I40E_XDP_CONSUMED; ++ if (err) ++ goto out_failure; ++ result = I40E_XDP_REDIR; + break; + default: + bpf_warn_invalid_xdp_action(act); + /* fall through */ + case XDP_ABORTED: ++out_failure: + trace_xdp_exception(rx_ring->netdev, xdp_prog, act); + /* fall through -- handle aborts by dropping packet */ + case XDP_DROP: +diff --git a/drivers/net/ethernet/intel/i40e/i40e_xsk.c b/drivers/net/ethernet/intel/i40e/i40e_xsk.c +index 17499c0d10bb..a9ad788c4913 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_xsk.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_xsk.c +@@ -214,9 +214,10 @@ static int i40e_run_xdp_zc(struct i40e_ring *rx_ring, struct xdp_buff *xdp) + + if (likely(act == XDP_REDIRECT)) { + err = xdp_do_redirect(rx_ring->netdev, xdp, xdp_prog); +- result = !err ? I40E_XDP_REDIR : I40E_XDP_CONSUMED; ++ if (err) ++ goto out_failure; + rcu_read_unlock(); +- return result; ++ return I40E_XDP_REDIR; + } + + switch (act) { +@@ -225,11 +226,14 @@ static int i40e_run_xdp_zc(struct i40e_ring *rx_ring, struct xdp_buff *xdp) + case XDP_TX: + xdp_ring = rx_ring->vsi->xdp_rings[rx_ring->queue_index]; + result = i40e_xmit_xdp_tx_ring(xdp, xdp_ring); ++ if (result == I40E_XDP_CONSUMED) ++ goto out_failure; + break; + default: + bpf_warn_invalid_xdp_action(act); + /* fall through */ + case XDP_ABORTED: ++out_failure: + trace_xdp_exception(rx_ring->netdev, xdp_prog, act); + /* fallthrough -- handle aborts by dropping packet */ + case XDP_DROP: +-- +2.30.2 + diff --git a/queue-5.4/i40e-optimize-for-xdp_redirect-in-xsk-path.patch b/queue-5.4/i40e-optimize-for-xdp_redirect-in-xsk-path.patch new file mode 100644 index 00000000000..76a7a3d7815 --- /dev/null +++ b/queue-5.4/i40e-optimize-for-xdp_redirect-in-xsk-path.patch 
@@ -0,0 +1,55 @@
+From 268af2537bc0bb0e3a2c14a9fc47002879078836 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 2 Dec 2020 16:07:22 +0100
+Subject: i40e: optimize for XDP_REDIRECT in xsk path
+
+From: Magnus Karlsson
+
+[ Upstream commit 346497c78d15cdd5bdc3b642a895009359e5457f ]
+
+Optimize i40e_run_xdp_zc() for the XDP program verdict being
+XDP_REDIRECT in the xsk zero-copy path. This path is only used when
+having AF_XDP zero-copy on and in that case most packets will be
+directed to user space. This provides a little over 100k extra packets
+in throughput on my server when running l2fwd in xdpsock.
+
+Signed-off-by: Magnus Karlsson
+Tested-by: George Kuruvinakunnel
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/i40e/i40e_xsk.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_xsk.c b/drivers/net/ethernet/intel/i40e/i40e_xsk.c
+index c9d4534fbdf0..17499c0d10bb 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_xsk.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_xsk.c
+@@ -212,6 +212,13 @@ static int i40e_run_xdp_zc(struct i40e_ring *rx_ring, struct xdp_buff *xdp)
+
+ xdp->handle = xsk_umem_adjust_offset(umem, xdp->handle, offset);
+
++ if (likely(act == XDP_REDIRECT)) {
++ err = xdp_do_redirect(rx_ring->netdev, xdp, xdp_prog);
++ result = !err ? I40E_XDP_REDIR : I40E_XDP_CONSUMED;
++ rcu_read_unlock();
++ return result;
++ }
++
+ switch (act) {
+ case XDP_PASS:
+ break;
+@@ -219,10 +226,6 @@ static int i40e_run_xdp_zc(struct i40e_ring *rx_ring, struct xdp_buff *xdp)
+ xdp_ring = rx_ring->vsi->xdp_rings[rx_ring->queue_index];
+ result = i40e_xmit_xdp_tx_ring(xdp, xdp_ring);
+ break;
+- case XDP_REDIRECT:
+- err = xdp_do_redirect(rx_ring->netdev, xdp, xdp_prog);
+- result = !err ? I40E_XDP_REDIR : I40E_XDP_CONSUMED;
+- break;
+ default:
+ bpf_warn_invalid_xdp_action(act);
+ /* fall through */
+--
+2.30.2
+
diff --git a/queue-5.4/ice-allow-all-lldp-packets-from-pf-to-tx.patch b/queue-5.4/ice-allow-all-lldp-packets-from-pf-to-tx.patch
new file mode 100644
index 00000000000..0adfd5b43a7
--- /dev/null
+++ b/queue-5.4/ice-allow-all-lldp-packets-from-pf-to-tx.patch
@@ -0,0 +1,63 @@
+From d433e55835974efd57fd9a3abb43f395c8315f8e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 5 May 2021 14:17:59 -0700
+Subject: ice: Allow all LLDP packets from PF to Tx
+
+From: Dave Ertman
+
+[ Upstream commit f9f83202b7263ac371d616d6894a2c9ed79158ef ]
+
+Currently in the ice driver, the check whether to
+allow a LLDP packet to egress the interface from the
+PF_VSI is being based on the SKB's priority field.
+It checks to see if the packets priority is equal to
+TC_PRIO_CONTROL. Injected LLDP packets do not always
+meet this condition.
+
+SCAPY defaults to a sk_buff->protocol value of ETH_P_ALL
+(0x0003) and does not set the priority field. There will
+be other injection methods (even ones used by end users)
+that will not correctly configure the socket so that
+SKB fields are correctly populated.
+
+Then ethernet header has to have to correct value for
+the protocol though.
+
+Add a check to also allow packets whose ethhdr->h_proto
+matches ETH_P_LLDP (0x88CC).
+
+Fixes: 0c3a6101ff2d ("ice: Allow egress control packets from PF_VSI")
+Signed-off-by: Dave Ertman
+Tested-by: Tony Brelinski
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/ice/ice_txrx.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_txrx.c b/drivers/net/ethernet/intel/ice/ice_txrx.c
+index 33dd103035dc..2b55efe5ed96 100644
+--- a/drivers/net/ethernet/intel/ice/ice_txrx.c
++++ b/drivers/net/ethernet/intel/ice/ice_txrx.c
+@@ -2109,6 +2109,7 @@ ice_xmit_frame_ring(struct sk_buff *skb, struct ice_ring *tx_ring)
+ struct ice_tx_offload_params offload = { 0 };
+ struct ice_vsi *vsi = tx_ring->vsi;
+ struct ice_tx_buf *first;
++ struct ethhdr *eth;
+ unsigned int count;
+ int tso, csum;
+
+@@ -2156,7 +2157,9 @@ ice_xmit_frame_ring(struct sk_buff *skb, struct ice_ring *tx_ring)
+ goto out_drop;
+
+ /* allow CONTROL frames egress from main VSI if FW LLDP disabled */
+- if (unlikely(skb->priority == TC_PRIO_CONTROL &&
++ eth = (struct ethhdr *)skb_mac_header(skb);
++ if (unlikely((skb->priority == TC_PRIO_CONTROL ||
++ eth->h_proto == htons(ETH_P_LLDP)) &&
+ vsi->type == ICE_VSI_PF &&
+ vsi->port_info->is_sw_lldp))
+ offload.cd_qw1 |= (u64)(ICE_TX_DESC_DTYPE_CTX |
+--
+2.30.2
+
diff --git a/queue-5.4/ice-fix-vfr-issues-for-avf-drivers-that-expect-atqle.patch b/queue-5.4/ice-fix-vfr-issues-for-avf-drivers-that-expect-atqle.patch
new file mode 100644
index 00000000000..ed2bc23cc3c
--- /dev/null
+++ b/queue-5.4/ice-fix-vfr-issues-for-avf-drivers-that-expect-atqle.patch
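Review bot: The new `eth->h_proto == htons(ETH_P_LLDP)` test in `ice_xmit_frame_ring()` dereferences `skb_mac_header(skb)` for every frame, and nothing in either hunk shows that the MAC header offset is set and that `ETH_HLEN` bytes are present in the linear data at this point. The commit message says the check exists for injected frames whose skb fields are not populated in the usual way, which is where that assumption is weakest; guarding the read, e.g. `(skb_mac_header_was_set(skb) && skb_headlen(skb) >= ETH_HLEN && eth->h_proto == htons(ETH_P_LLDP))`, or a comment naming the earlier check that guarantees it, would close the gap. The condition also widens the LLDP context-descriptor path from frames with `TC_PRIO_CONTROL` priority to any frame carrying EtherType 0x88CC, so the comment above it (`allow CONTROL frames egress ...`) should be updated to say so. The function begins and ends outside both hunks.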
@@ -0,0 +1,63 @@ +From 1f325b2c6ad6a32a51d90811c3a0deb4a6f9a422 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Feb 2021 13:19:21 -0800 +Subject: ice: Fix VFR issues for AVF drivers that expect ATQLEN cleared + +From: Brett Creeley + +[ Upstream commit 8679f07a9922068b9b6be81b632f52cac45d1b91 ] + +Some AVF drivers expect the VF_MBX_ATQLEN register to be cleared for any +type of VFR/VFLR. Fix this by clearing the VF_MBX_ATQLEN register at the +same time as VF_MBX_ARQLEN. + +Fixes: 82ba01282cf8 ("ice: clear VF ARQLEN register on reset") +Signed-off-by: Brett Creeley +Tested-by: Konrad Jankowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_hw_autogen.h | 1 + + drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c | 12 +++++++----- + 2 files changed, 8 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_hw_autogen.h b/drivers/net/ethernet/intel/ice/ice_hw_autogen.h +index 9138b19de87e..f2bb83af4d9e 100644 +--- a/drivers/net/ethernet/intel/ice/ice_hw_autogen.h ++++ b/drivers/net/ethernet/intel/ice/ice_hw_autogen.h +@@ -34,6 +34,7 @@ + #define PF_FW_ATQLEN_ATQOVFL_M BIT(29) + #define PF_FW_ATQLEN_ATQCRIT_M BIT(30) + #define VF_MBX_ARQLEN(_VF) (0x0022BC00 + ((_VF) * 4)) ++#define VF_MBX_ATQLEN(_VF) (0x0022A800 + ((_VF) * 4)) + #define PF_FW_ATQLEN_ATQENABLE_M BIT(31) + #define PF_FW_ATQT 0x00080400 + #define PF_MBX_ARQBAH 0x0022E400 +diff --git a/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c b/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c +index 360c0f7e0384..5e97fdca5fab 100644 +--- a/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c ++++ b/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c +@@ -384,13 +384,15 @@ static void ice_trigger_vf_reset(struct ice_vf *vf, bool is_vflr, bool is_pfr) + */ + clear_bit(ICE_VF_STATE_INIT, vf->vf_states); + +- /* VF_MBX_ARQLEN is cleared by PFR, so the driver needs to clear it +- * in the case of VFR. 
If this is done for PFR, it can mess up VF +- * resets because the VF driver may already have started cleanup +- * by the time we get here. ++ /* VF_MBX_ARQLEN and VF_MBX_ATQLEN are cleared by PFR, so the driver ++ * needs to clear them in the case of VFR/VFLR. If this is done for ++ * PFR, it can mess up VF resets because the VF driver may already ++ * have started cleanup by the time we get here. + */ +- if (!is_pfr) ++ if (!is_pfr) { + wr32(hw, VF_MBX_ARQLEN(vf->vf_id), 0); ++ wr32(hw, VF_MBX_ATQLEN(vf->vf_id), 0); ++ } + + /* In the case of a VFLR, the HW has already reset the VF and we + * just need to clean up, so don't hit the VFRTRIG register. +-- +2.30.2 + diff --git a/queue-5.4/ice-write-register-with-correct-offset.patch b/queue-5.4/ice-write-register-with-correct-offset.patch new file mode 100644 index 00000000000..59f96d88c42 --- /dev/null +++ b/queue-5.4/ice-write-register-with-correct-offset.patch 
@@ -0,0 +1,38 @@
+From 1764c7e010362807f6b09190fdafd63d1a3fe59b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 9 Oct 2019 07:09:48 -0700
+Subject: ice: write register with correct offset
+
+From: Mitch Williams
+
+[ Upstream commit 395594563b29fbcd8d9a4f0a642484e5d3bb6db1 ]
+
+The VF_MBX_ARQLEN register array is per-PF, not global, so we should not
+use the absolute VF ID as an index. Instead, use the per-PF VF ID.
+
+This fixes an issue with VFs on PFs other than 0 not seeing reset.
+
+Signed-off-by: Mitch Williams
+Tested-by: Andrew Bowers
+Signed-off-by: Jeff Kirsher
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c b/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c
+index e92a00a61755..360c0f7e0384 100644
+--- a/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c
++++ b/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c
+@@ -390,7 +390,7 @@ static void ice_trigger_vf_reset(struct ice_vf *vf, bool is_vflr, bool is_pfr)
+ * by the time we get here.
+ */
+ if (!is_pfr)
+- wr32(hw, VF_MBX_ARQLEN(vf_abs_id), 0);
++ wr32(hw, VF_MBX_ARQLEN(vf->vf_id), 0);
+
+ /* In the case of a VFLR, the HW has already reset the VF and we
+ * just need to clean up, so don't hit the VFRTRIG register.
+--
+2.30.2
+
diff --git a/queue-5.4/ieee802154-fix-error-return-code-in-ieee802154_add_i.patch b/queue-5.4/ieee802154-fix-error-return-code-in-ieee802154_add_i.patch
new file mode 100644
index 00000000000..de845ee1e6f
--- /dev/null
+++ b/queue-5.4/ieee802154-fix-error-return-code-in-ieee802154_add_i.patch
@@ -0,0 +1,41 @@
+From f4c8d542dde59e79927a13a1356dc3b300c1a4e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 8 May 2021 14:25:17 +0800
+Subject: ieee802154: fix error return code in ieee802154_add_iface()
+
+From: Zhen Lei
+
+[ Upstream commit 79c6b8ed30e54b401c873dbad2511f2a1c525fd5 ]
+
+Fix to return a negative error code from the error handling
+case instead of 0, as done elsewhere in this function.
+
+Fixes: be51da0f3e34 ("ieee802154: Stop using NLA_PUT*().")
+Reported-by: Hulk Robot
+Signed-off-by: Zhen Lei
+Link: https://lore.kernel.org/r/20210508062517.2574-1-thunder.leizhen@huawei.com
+Signed-off-by: Stefan Schmidt
+Signed-off-by: Sasha Levin
+---
+ net/ieee802154/nl-phy.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/ieee802154/nl-phy.c b/net/ieee802154/nl-phy.c
+index 2cdc7e63fe17..88215b5c93aa 100644
+--- a/net/ieee802154/nl-phy.c
++++ b/net/ieee802154/nl-phy.c
+@@ -241,8 +241,10 @@ int ieee802154_add_iface(struct sk_buff *skb, struct genl_info *info)
+ }
+
+ if (nla_put_string(msg, IEEE802154_ATTR_PHY_NAME, wpan_phy_name(phy)) ||
+- nla_put_string(msg, IEEE802154_ATTR_DEV_NAME, dev->name))
++ nla_put_string(msg, IEEE802154_ATTR_DEV_NAME, dev->name)) {
++ rc = -EMSGSIZE;
+ goto nla_put_failure;
++ }
+ dev_put(dev);
+
+ wpan_phy_put(phy);
+--
+2.30.2
+
diff --git a/queue-5.4/ieee802154-fix-error-return-code-in-ieee802154_llsec.patch b/queue-5.4/ieee802154-fix-error-return-code-in-ieee802154_llsec.patch
new file mode 100644
index 00000000000..c911f2b2721
--- /dev/null
+++ b/queue-5.4/ieee802154-fix-error-return-code-in-ieee802154_llsec.patch
@@ -0,0 +1,41 @@
+From e65e7d7aba14a9d7c44677179ac9a90a8e82dbb5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 19 May 2021 14:16:14 +0000
+Subject: ieee802154: fix error return code in ieee802154_llsec_getparams()
+
+From: Wei Yongjun
+
+[ Upstream commit 373e864cf52403b0974c2f23ca8faf9104234555 ]
+
+Fix to return negative error code -ENOBUFS from the error handling
+case instead of 0, as done elsewhere in this function.
+
+Fixes: 3e9c156e2c21 ("ieee802154: add netlink interfaces for llsec")
+Reported-by: Hulk Robot
+Signed-off-by: Wei Yongjun
+Link: https://lore.kernel.org/r/20210519141614.3040055-1-weiyongjun1@huawei.com
+Signed-off-by: Stefan Schmidt
+Signed-off-by: Sasha Levin
+---
+ net/ieee802154/nl-mac.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/ieee802154/nl-mac.c b/net/ieee802154/nl-mac.c
+index d19c40c684e8..71be75112321 100644
+--- a/net/ieee802154/nl-mac.c
++++ b/net/ieee802154/nl-mac.c
+@@ -680,8 +680,10 @@ int ieee802154_llsec_getparams(struct sk_buff *skb, struct genl_info *info)
+ nla_put_u8(msg, IEEE802154_ATTR_LLSEC_SECLEVEL, params.out_level) ||
+ nla_put_u32(msg, IEEE802154_ATTR_LLSEC_FRAME_COUNTER,
+ be32_to_cpu(params.frame_counter)) ||
+- ieee802154_llsec_fill_key_id(msg, ¶ms.out_key))
++ ieee802154_llsec_fill_key_id(msg, ¶ms.out_key)) {
++ rc = -ENOBUFS;
+ goto out_free;
++ }
+
+ dev_put(dev);
+
+--
+2.30.2
+
diff --git a/queue-5.4/ipv6-fix-kasan-slab-out-of-bounds-read-in-fib6_nh_fl.patch b/queue-5.4/ipv6-fix-kasan-slab-out-of-bounds-read-in-fib6_nh_fl.patch
new file mode 100644
index 00000000000..8492b50484f
--- /dev/null
+++ b/queue-5.4/ipv6-fix-kasan-slab-out-of-bounds-read-in-fib6_nh_fl.patch
@@ -0,0 +1,232 @@ +From 52a5da1ffb8f429b445b9427be061065d78fd15e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Jun 2021 07:32:58 +0000 +Subject: ipv6: Fix KASAN: slab-out-of-bounds Read in fib6_nh_flush_exceptions + +From: Coco Li + +[ Upstream commit 821bbf79fe46a8b1d18aa456e8ed0a3c208c3754 ] + +Reported by syzbot: +HEAD commit: 90c911ad Merge tag 'fixes' of git://git.kernel.org/pub/scm.. +git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master +dashboard link: https://syzkaller.appspot.com/bug?extid=123aa35098fd3c000eb7 +compiler: Debian clang version 11.0.1-2 + +================================================================== +BUG: KASAN: slab-out-of-bounds in fib6_nh_get_excptn_bucket net/ipv6/route.c:1604 [inline] +BUG: KASAN: slab-out-of-bounds in fib6_nh_flush_exceptions+0xbd/0x360 net/ipv6/route.c:1732 +Read of size 8 at addr ffff8880145c78f8 by task syz-executor.4/17760 + +CPU: 0 PID: 17760 Comm: syz-executor.4 Not tainted 5.12.0-rc8-syzkaller #0 +Call Trace: + + __dump_stack lib/dump_stack.c:79 [inline] + dump_stack+0x202/0x31e lib/dump_stack.c:120 + print_address_description+0x5f/0x3b0 mm/kasan/report.c:232 + __kasan_report mm/kasan/report.c:399 [inline] + kasan_report+0x15c/0x200 mm/kasan/report.c:416 + fib6_nh_get_excptn_bucket net/ipv6/route.c:1604 [inline] + fib6_nh_flush_exceptions+0xbd/0x360 net/ipv6/route.c:1732 + fib6_nh_release+0x9a/0x430 net/ipv6/route.c:3536 + fib6_info_destroy_rcu+0xcb/0x1c0 net/ipv6/ip6_fib.c:174 + rcu_do_batch kernel/rcu/tree.c:2559 [inline] + rcu_core+0x8f6/0x1450 kernel/rcu/tree.c:2794 + __do_softirq+0x372/0x7a6 kernel/softirq.c:345 + invoke_softirq kernel/softirq.c:221 [inline] + __irq_exit_rcu+0x22c/0x260 kernel/softirq.c:422 + irq_exit_rcu+0x5/0x20 kernel/softirq.c:434 + sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1100 + + asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:632 +RIP: 0010:lock_acquire+0x1f6/0x720 
kernel/locking/lockdep.c:5515 +Code: f6 84 24 a1 00 00 00 02 0f 85 8d 02 00 00 f7 c3 00 02 00 00 49 bd 00 00 00 00 00 fc ff df 74 01 fb 48 c7 44 24 40 0e 36 e0 45 <4b> c7 44 3d 00 00 00 00 00 4b c7 44 3d 09 00 00 00 00 43 c7 44 3d +RSP: 0018:ffffc90009e06560 EFLAGS: 00000206 +RAX: 1ffff920013c0cc0 RBX: 0000000000000246 RCX: dffffc0000000000 +RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 +RBP: ffffc90009e066e0 R08: dffffc0000000000 R09: fffffbfff1f992b1 +R10: fffffbfff1f992b1 R11: 0000000000000000 R12: 0000000000000000 +R13: dffffc0000000000 R14: 0000000000000000 R15: 1ffff920013c0cb4 + rcu_lock_acquire+0x2a/0x30 include/linux/rcupdate.h:267 + rcu_read_lock include/linux/rcupdate.h:656 [inline] + ext4_get_group_info+0xea/0x340 fs/ext4/ext4.h:3231 + ext4_mb_prefetch+0x123/0x5d0 fs/ext4/mballoc.c:2212 + ext4_mb_regular_allocator+0x8a5/0x28f0 fs/ext4/mballoc.c:2379 + ext4_mb_new_blocks+0xc6e/0x24f0 fs/ext4/mballoc.c:4982 + ext4_ext_map_blocks+0x2be3/0x7210 fs/ext4/extents.c:4238 + ext4_map_blocks+0xab3/0x1cb0 fs/ext4/inode.c:638 + ext4_getblk+0x187/0x6c0 fs/ext4/inode.c:848 + ext4_bread+0x2a/0x1c0 fs/ext4/inode.c:900 + ext4_append+0x1a4/0x360 fs/ext4/namei.c:67 + ext4_init_new_dir+0x337/0xa10 fs/ext4/namei.c:2768 + ext4_mkdir+0x4b8/0xc00 fs/ext4/namei.c:2814 + vfs_mkdir+0x45b/0x640 fs/namei.c:3819 + ovl_do_mkdir fs/overlayfs/overlayfs.h:161 [inline] + ovl_mkdir_real+0x53/0x1a0 fs/overlayfs/dir.c:146 + ovl_create_real+0x280/0x490 fs/overlayfs/dir.c:193 + ovl_workdir_create+0x425/0x600 fs/overlayfs/super.c:788 + ovl_make_workdir+0xed/0x1140 fs/overlayfs/super.c:1355 + ovl_get_workdir fs/overlayfs/super.c:1492 [inline] + ovl_fill_super+0x39ee/0x5370 fs/overlayfs/super.c:2035 + mount_nodev+0x52/0xe0 fs/super.c:1413 + legacy_get_tree+0xea/0x180 fs/fs_context.c:592 + vfs_get_tree+0x86/0x270 fs/super.c:1497 + do_new_mount fs/namespace.c:2903 [inline] + path_mount+0x196f/0x2be0 fs/namespace.c:3233 + do_mount fs/namespace.c:3246 [inline] + __do_sys_mount 
fs/namespace.c:3454 [inline] + __se_sys_mount+0x2f9/0x3b0 fs/namespace.c:3431 + do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 + entry_SYSCALL_64_after_hwframe+0x44/0xae +RIP: 0033:0x4665f9 +Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f68f2b87188 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 +RAX: ffffffffffffffda RBX: 000000000056bf60 RCX: 00000000004665f9 +RDX: 00000000200000c0 RSI: 0000000020000000 RDI: 000000000040000a +RBP: 00000000004bfbb9 R08: 0000000020000100 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf60 +R13: 00007ffe19002dff R14: 00007f68f2b87300 R15: 0000000000022000 + +Allocated by task 17768: + kasan_save_stack mm/kasan/common.c:38 [inline] + kasan_set_track mm/kasan/common.c:46 [inline] + set_alloc_info mm/kasan/common.c:427 [inline] + ____kasan_kmalloc+0xc2/0xf0 mm/kasan/common.c:506 + kasan_kmalloc include/linux/kasan.h:233 [inline] + __kmalloc+0xb4/0x380 mm/slub.c:4055 + kmalloc include/linux/slab.h:559 [inline] + kzalloc include/linux/slab.h:684 [inline] + fib6_info_alloc+0x2c/0xd0 net/ipv6/ip6_fib.c:154 + ip6_route_info_create+0x55d/0x1a10 net/ipv6/route.c:3638 + ip6_route_add+0x22/0x120 net/ipv6/route.c:3728 + inet6_rtm_newroute+0x2cd/0x2260 net/ipv6/route.c:5352 + rtnetlink_rcv_msg+0xb34/0xe70 net/core/rtnetlink.c:5553 + netlink_rcv_skb+0x1f0/0x460 net/netlink/af_netlink.c:2502 + netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline] + netlink_unicast+0x7de/0x9b0 net/netlink/af_netlink.c:1338 + netlink_sendmsg+0xaa6/0xe90 net/netlink/af_netlink.c:1927 + sock_sendmsg_nosec net/socket.c:654 [inline] + sock_sendmsg net/socket.c:674 [inline] + ____sys_sendmsg+0x5a2/0x900 net/socket.c:2350 + ___sys_sendmsg net/socket.c:2404 [inline] + __sys_sendmsg+0x319/0x400 net/socket.c:2433 + do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 
+ entry_SYSCALL_64_after_hwframe+0x44/0xae + +Last potentially related work creation: + kasan_save_stack+0x27/0x50 mm/kasan/common.c:38 + kasan_record_aux_stack+0xee/0x120 mm/kasan/generic.c:345 + __call_rcu kernel/rcu/tree.c:3039 [inline] + call_rcu+0x1b1/0xa30 kernel/rcu/tree.c:3114 + fib6_info_release include/net/ip6_fib.h:337 [inline] + ip6_route_info_create+0x10c4/0x1a10 net/ipv6/route.c:3718 + ip6_route_add+0x22/0x120 net/ipv6/route.c:3728 + inet6_rtm_newroute+0x2cd/0x2260 net/ipv6/route.c:5352 + rtnetlink_rcv_msg+0xb34/0xe70 net/core/rtnetlink.c:5553 + netlink_rcv_skb+0x1f0/0x460 net/netlink/af_netlink.c:2502 + netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline] + netlink_unicast+0x7de/0x9b0 net/netlink/af_netlink.c:1338 + netlink_sendmsg+0xaa6/0xe90 net/netlink/af_netlink.c:1927 + sock_sendmsg_nosec net/socket.c:654 [inline] + sock_sendmsg net/socket.c:674 [inline] + ____sys_sendmsg+0x5a2/0x900 net/socket.c:2350 + ___sys_sendmsg net/socket.c:2404 [inline] + __sys_sendmsg+0x319/0x400 net/socket.c:2433 + do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +Second to last potentially related work creation: + kasan_save_stack+0x27/0x50 mm/kasan/common.c:38 + kasan_record_aux_stack+0xee/0x120 mm/kasan/generic.c:345 + insert_work+0x54/0x400 kernel/workqueue.c:1331 + __queue_work+0x981/0xcc0 kernel/workqueue.c:1497 + queue_work_on+0x111/0x200 kernel/workqueue.c:1524 + queue_work include/linux/workqueue.h:507 [inline] + call_usermodehelper_exec+0x283/0x470 kernel/umh.c:433 + kobject_uevent_env+0x1349/0x1730 lib/kobject_uevent.c:617 + kvm_uevent_notify_change+0x309/0x3b0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:4809 + kvm_destroy_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:877 [inline] + kvm_put_kvm+0x9c/0xd10 arch/x86/kvm/../../../virt/kvm/kvm_main.c:920 + kvm_vcpu_release+0x53/0x60 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3120 + __fput+0x352/0x7b0 fs/file_table.c:280 + task_work_run+0x146/0x1c0 
kernel/task_work.c:140 + tracehook_notify_resume include/linux/tracehook.h:189 [inline] + exit_to_user_mode_loop kernel/entry/common.c:174 [inline] + exit_to_user_mode_prepare+0x10b/0x1e0 kernel/entry/common.c:208 + __syscall_exit_to_user_mode_work kernel/entry/common.c:290 [inline] + syscall_exit_to_user_mode+0x26/0x70 kernel/entry/common.c:301 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +The buggy address belongs to the object at ffff8880145c7800 + which belongs to the cache kmalloc-192 of size 192 +The buggy address is located 56 bytes to the right of + 192-byte region [ffff8880145c7800, ffff8880145c78c0) +The buggy address belongs to the page: +page:ffffea00005171c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x145c7 +flags: 0xfff00000000200(slab) +raw: 00fff00000000200 ffffea00006474c0 0000000200000002 ffff888010c41a00 +raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff8880145c7780: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc + ffff8880145c7800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +>ffff8880145c7880: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc + ^ + ffff8880145c7900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff8880145c7980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc +================================================================== + +In the ip6_route_info_create function, in the case that the nh pointer +is not NULL, the fib6_nh in fib6_info has not been allocated. +Therefore, when trying to free fib6_info in this error case using +fib6_info_release, the function will call fib6_info_destroy_rcu, +which it will access fib6_nh_release(f6i->fib6_nh); +However, f6i->fib6_nh doesn't have any refcount yet given the lack of allocation +causing the reported memory issue above. +Therefore, releasing the empty pointer directly instead would be the solution. 
+ +Fixes: f88d8ea67fbdb ("ipv6: Plumb support for nexthop object in a fib6_info") +Fixes: 706ec91916462 ("ipv6: Fix nexthop refcnt leak when creating ipv6 route info") +Signed-off-by: Coco Li +Cc: David Ahern +Reviewed-by: Eric Dumazet +Reviewed-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/route.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/net/ipv6/route.c b/net/ipv6/route.c +index 3a9bd9687e7d..b903fe28ce50 100644 +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -3688,11 +3688,11 @@ static struct fib6_info *ip6_route_info_create(struct fib6_config *cfg, + if (nh) { + if (rt->fib6_src.plen) { + NL_SET_ERR_MSG(extack, "Nexthops can not be used with source routing"); +- goto out; ++ goto out_free; + } + if (!nexthop_get(nh)) { + NL_SET_ERR_MSG(extack, "Nexthop has been deleted"); +- goto out; ++ goto out_free; + } + rt->nh = nh; + fib6_nh = nexthop_fib6_nh(rt->nh); +@@ -3729,6 +3729,10 @@ static struct fib6_info *ip6_route_info_create(struct fib6_config *cfg, + out: + fib6_info_release(rt); + return ERR_PTR(err); ++out_free: ++ ip_fib_metrics_put(rt->fib6_metrics); ++ kfree(rt); ++ return ERR_PTR(err); + } + + int ip6_route_add(struct fib6_config *cfg, gfp_t gfp_flags, +-- +2.30.2 + diff --git a/queue-5.4/ipvs-ignore-ip_vs_svc_f_hashed-flag-when-adding-serv.patch b/queue-5.4/ipvs-ignore-ip_vs_svc_f_hashed-flag-when-adding-serv.patch new file mode 100644 index 00000000000..ea9839f9550 --- /dev/null +++ b/queue-5.4/ipvs-ignore-ip_vs_svc_f_hashed-flag-when-adding-serv.patch 
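Review bot: The new `out_free:` label in ip6_route_info_create() frees `rt` by hand with `ip_fib_metrics_put(rt->fib6_metrics); kfree(rt);`, and nothing in the code says why these two error paths may not reach `fib6_info_release(rt)` the way `out:` does. The reason is only in the commit message: when `nh` is given, `rt` has no fib6_nh storage, and both `goto out_free` sites run before `rt->nh = nh`, so the release path would read past the kmalloc-192 object as in the KASAN report. A comment on the label would keep a later error path from picking the wrong one, for example `/* nh case, rt->nh not set yet: rt has no fib6_nh to release, free it directly */`. The label also duplicates part of the destroy path, so anything attached to `rt` before the `if (nh)` block has to be released here as well; the allocation and the destroy callback are outside the hunk, so that could not be verified.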
@@ -0,0 +1,62 @@
+From 7c372886150c3f7656598270fc632697b82f9116 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 24 May 2021 22:54:57 +0300
+Subject: ipvs: ignore IP_VS_SVC_F_HASHED flag when adding service
+
+From: Julian Anastasov
+
+[ Upstream commit 56e4ee82e850026d71223262c07df7d6af3bd872 ]
+
+syzbot reported memory leak [1] when adding service with
+HASHED flag. We should ignore this flag both from sockopt
+and netlink provided data, otherwise the service is not
+hashed and not visible while releasing resources.
+
+[1]
+BUG: memory leak
+unreferenced object 0xffff888115227800 (size 512):
+ comm "syz-executor263", pid 8658, jiffies 4294951882 (age 12.560s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [] kmalloc include/linux/slab.h:556 [inline]
+ [] kzalloc include/linux/slab.h:686 [inline]
+ [] ip_vs_add_service+0x598/0x7c0 net/netfilter/ipvs/ip_vs_ctl.c:1343
+ [] do_ip_vs_set_ctl+0x810/0xa40 net/netfilter/ipvs/ip_vs_ctl.c:2570
+ [] nf_setsockopt+0x68/0xa0 net/netfilter/nf_sockopt.c:101
+ [] ip_setsockopt+0x259/0x1ff0 net/ipv4/ip_sockglue.c:1435
+ [] raw_setsockopt+0x18c/0x1b0 net/ipv4/raw.c:857
+ [] __sys_setsockopt+0x1b0/0x360 net/socket.c:2117
+ [] __do_sys_setsockopt net/socket.c:2128 [inline]
+ [] __se_sys_setsockopt net/socket.c:2125 [inline]
+ [] __x64_sys_setsockopt+0x22/0x30 net/socket.c:2125
+ [] do_syscall_64+0x3a/0xb0 arch/x86/entry/common.c:47
+ [] entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Reported-and-tested-by: syzbot+e562383183e4b1766930@syzkaller.appspotmail.com
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Julian Anastasov
+Reviewed-by: Simon Horman
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/ipvs/ip_vs_ctl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
+index 99168af0c28d..f93fa0e21097 100644
+--- a/net/netfilter/ipvs/ip_vs_ctl.c
++++ b/net/netfilter/ipvs/ip_vs_ctl.c
+@@ -1340,7 +1340,7 @@ ip_vs_add_service(struct netns_ipvs *ipvs, struct ip_vs_service_user_kern *u,
+ ip_vs_addr_copy(svc->af, &svc->addr, &u->addr);
+ svc->port = u->port;
+ svc->fwmark = u->fwmark;
+- svc->flags = u->flags;
++ svc->flags = u->flags & ~IP_VS_SVC_F_HASHED;
+ svc->timeout = u->timeout * HZ;
+ svc->netmask = u->netmask;
+ svc->ipvs = ipvs;
+--
+2.30.2
+
diff --git a/queue-5.4/ixgbevf-add-correct-exception-tracing-for-xdp.patch b/queue-5.4/ixgbevf-add-correct-exception-tracing-for-xdp.patch
new file mode 100644
index 00000000000..d7c9d3bb950
--- /dev/null
+++ b/queue-5.4/ixgbevf-add-correct-exception-tracing-for-xdp.patch
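Review bot: `svc->flags = u->flags & ~IP_VS_SVC_F_HASHED;` strips one kernel-internal bit from a value that the commit message says arrives from both sockopt and netlink callers, while every other bit of `u->flags` is still stored as given. If IP_VS_SVC_F_HASHED is the only flag the kernel manages itself this is enough, but that cannot be seen from the hunk; if there are others, masking against the set of user-settable flags would be the safer form. A one-line comment above the assignment would record the intent, for example `/* IP_VS_SVC_F_HASHED is kernel state, set when the service is hashed; never take it from user space */`. ip_vs_add_service() starts and ends outside the hunk, so it is worth confirming that no other path copies `u->flags` into `svc->flags` unmasked.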
@@ -0,0 +1,46 @@
+From 56fc051f97dba2006831a06de35bde528cd6908b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 10 May 2021 11:38:53 +0200
+Subject: ixgbevf: add correct exception tracing for XDP
+
+From: Magnus Karlsson
+
+[ Upstream commit faae81420d162551b6ef2d804aafc00f4cd68e0e ]
+
+Add missing exception tracing to XDP when a number of different
+errors can occur. The support was only partial. Several errors
+where not logged which would confuse the user quite a lot not
+knowing where and why the packets disappeared.
+
+Fixes: 21092e9ce8b1 ("ixgbevf: Add support for XDP_TX action")
+Reported-by: Jesper Dangaard Brouer
+Signed-off-by: Magnus Karlsson
+Tested-by: Vishakha Jambekar
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c b/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c
+index 64ec0e7c64b4..be8e6d4e376e 100644
+--- a/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c
++++ b/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c
+@@ -1079,11 +1079,14 @@ static struct sk_buff *ixgbevf_run_xdp(struct ixgbevf_adapter *adapter,
+ case XDP_TX:
+ xdp_ring = adapter->xdp_ring[rx_ring->queue_index];
+ result = ixgbevf_xmit_xdp_ring(xdp_ring, xdp);
++ if (result == IXGBEVF_XDP_CONSUMED)
++ goto out_failure;
+ break;
+ default:
+ bpf_warn_invalid_xdp_action(act);
+ /* fallthrough */
+ case XDP_ABORTED:
++out_failure:
+ trace_xdp_exception(rx_ring->netdev, xdp_prog, act);
+ /* fallthrough -- handle aborts by dropping packet */
+ case XDP_DROP:
+--
+2.30.2
+
diff --git a/queue-5.4/net-mlx5e-check-for-needed-capability-for-cvlan-matc.patch b/queue-5.4/net-mlx5e-check-for-needed-capability-for-cvlan-matc.patch
new file mode 100644
index 00000000000..aec980c7d67
--- /dev/null
+++ b/queue-5.4/net-mlx5e-check-for-needed-capability-for-cvlan-matc.patch
@@ -0,0 +1,55 @@
+From ae7489922492dcc2272199a53d4787b68a0d39d2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 13 Apr 2021 14:35:22 +0300
+Subject: net/mlx5e: Check for needed capability for cvlan matching
+
+From: Roi Dayan
+
+[ Upstream commit afe93f71b5d3cdae7209213ec8ef25210b837b93 ]
+
+If not supported show an error and return instead of trying to offload
+to the hardware and fail.
+
+Fixes: 699e96ddf47f ("net/mlx5e: Support offloading tc double vlan headers match")
+Reported-by: Pablo Neira Ayuso
+Signed-off-by: Roi Dayan
+Signed-off-by: Saeed Mahameed
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
+index fe7342e8a043..1a8990b1563e 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
+@@ -1812,10 +1812,12 @@ static int __parse_cls_flower(struct mlx5e_priv *priv,
+ misc_parameters);
+ struct flow_rule *rule = flow_cls_offload_flow_rule(f);
+ struct flow_dissector *dissector = rule->match.dissector;
++ enum fs_flow_table_type fs_type;
+ u16 addr_type = 0;
+ u8 ip_proto = 0;
+ u8 *match_level;
+
++ fs_type = mlx5e_is_eswitch_flow(flow) ? FS_FT_FDB : FS_FT_NIC_RX;
+ match_level = outer_match_level;
+
+ if (dissector->used_keys &
+@@ -1930,6 +1932,13 @@ static int __parse_cls_flower(struct mlx5e_priv *priv,
+ if (match.mask->vlan_id ||
+ match.mask->vlan_priority ||
+ match.mask->vlan_tpid) {
++ if (!MLX5_CAP_FLOWTABLE_TYPE(priv->mdev, ft_field_support.outer_second_vid,
++ fs_type)) {
++ NL_SET_ERR_MSG_MOD(extack,
++ "Matching on CVLAN is not supported");
++ return -EOPNOTSUPP;
++ }
++
+ if (match.key->vlan_tpid == htons(ETH_P_8021AD)) {
+ MLX5_SET(fte_match_set_misc, misc_c,
+ outer_second_svlan_tag, 1);
+--
+2.30.2
+
diff --git a/queue-5.4/net-sched-act_ct-fix-ct-template-allocation-for-zone.patch b/queue-5.4/net-sched-act_ct-fix-ct-template-allocation-for-zone.patch
new file mode 100644
index 00000000000..ad30321d40d
--- /dev/null
+++ b/queue-5.4/net-sched-act_ct-fix-ct-template-allocation-for-zone.patch
@@ -0,0 +1,59 @@
+From 45cfd82c2b8854dbc4ae86abe37e186dce9eee91 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 26 May 2021 20:01:10 +0300
+Subject: net/sched: act_ct: Fix ct template allocation for zone 0
+
+From: Ariel Levkovich
+
+[ Upstream commit fb91702b743dec78d6507c53a2dec8a8883f509d ]
+
+Fix current behavior of skipping template allocation in case the
+ct action is in zone 0.
+
+Skipping the allocation may cause the datapath ct code to ignore the
+entire ct action with all its attributes (commit, nat) in case the ct
+action in zone 0 was preceded by a ct clear action.
+
+The ct clear action sets the ct_state to untracked and resets the
+skb->_nfct pointer. Under these conditions and without an allocated
+ct template, the skb->_nfct pointer will remain NULL which will
+cause the tc ct action handler to exit without handling commit and nat
+actions, if such exist.
+
+For example, the following rule in OVS dp:
+recirc_id(0x2),ct_state(+new-est-rel-rpl+trk),ct_label(0/0x1), \
+in_port(eth0),actions:ct_clear,ct(commit,nat(src=10.11.0.12)), \
+recirc(0x37a)
+
+Will result in act_ct skipping the commit and nat actions in zone 0.
+
+The change removes the skipping of template allocation for zone 0 and
+treats it the same as any other zone.
+
+Fixes: b57dc7c13ea9 ("net/sched: Introduce action ct")
+Signed-off-by: Ariel Levkovich
+Acked-by: Marcelo Ricardo Leitner
+Link: https://lore.kernel.org/r/20210526170110.54864-1-lariel@nvidia.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/sched/act_ct.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c
+index 6119c31dcd07..31eb8eefc868 100644
+--- a/net/sched/act_ct.c
++++ b/net/sched/act_ct.c
+@@ -648,9 +648,6 @@ static int tcf_ct_fill_params(struct net *net,
+ sizeof(p->zone));
+ }
+
+- if (p->zone == NF_CT_DEFAULT_ZONE_ID)
+- return 0;
+-
+ nf_ct_zone_init(&zone, p->zone, NF_CT_DEFAULT_ZONE_DIR, 0);
+ tmpl = nf_ct_tmpl_alloc(net, &zone, GFP_KERNEL);
+ if (!tmpl) {
+--
+2.30.2
+
diff --git a/queue-5.4/netfilter-conntrack-unregister-ipv4-sockopts-on-erro.patch b/queue-5.4/netfilter-conntrack-unregister-ipv4-sockopts-on-erro.patch
new file mode 100644
index 00000000000..26d1d35f26a
--- /dev/null
+++ b/queue-5.4/netfilter-conntrack-unregister-ipv4-sockopts-on-erro.patch
@@ -0,0 +1,35 @@
+From 360c3188d641c19800259c6fd357440eae1566dc Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 4 May 2021 16:40:00 +0200
+Subject: netfilter: conntrack: unregister ipv4 sockopts on error unwind
+
+From: Florian Westphal
+
+[ Upstream commit 22cbdbcfb61acc78d5fc21ebb13ccc0d7e29f793 ]
+
+When ipv6 sockopt register fails, the ipv4 one needs to be removed.
+
+Fixes: a0ae2562c6c ("netfilter: conntrack: remove l3proto abstraction")
+Signed-off-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nf_conntrack_proto.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c
+index aaf4293ddd45..75e6b429635d 100644
+--- a/net/netfilter/nf_conntrack_proto.c
++++ b/net/netfilter/nf_conntrack_proto.c
+@@ -660,7 +660,7 @@ int nf_conntrack_proto_init(void)
+
+ #if IS_ENABLED(CONFIG_IPV6)
+ cleanup_sockopt:
+- nf_unregister_sockopt(&so_getorigdst6);
++ nf_unregister_sockopt(&so_getorigdst);
+ #endif
+ return ret;
+ }
+--
+2.30.2
+
diff --git a/queue-5.4/netfilter-nfnetlink_cthelper-hit-ebusy-on-updates-if.patch b/queue-5.4/netfilter-nfnetlink_cthelper-hit-ebusy-on-updates-if.patch
new file mode 100644
index 00000000000..d90a66f4cef
--- /dev/null
+++ b/queue-5.4/netfilter-nfnetlink_cthelper-hit-ebusy-on-updates-if.patch
@@ -0,0 +1,45 @@
+From efe2a1bf53a927ea48156fed3451c98d21ec457a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 28 May 2021 13:45:16 +0200
+Subject: netfilter: nfnetlink_cthelper: hit EBUSY on updates if size
+ mismatches
+
+From: Pablo Neira Ayuso
+
+[ Upstream commit 8971ee8b087750a23f3cd4dc55bff2d0303fd267 ]
+
+The private helper data size cannot be updated. However, updates that
+contain NFCTH_PRIV_DATA_LEN might bogusly hit EBUSY even if the size is
+the same.
+
+Fixes: 12f7a505331e ("netfilter: add user-space connection tracking helper infrastructure")
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nfnetlink_cthelper.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/nfnetlink_cthelper.c b/net/netfilter/nfnetlink_cthelper.c
+index 81406b93f126..3d5fc07b2530 100644
+--- a/net/netfilter/nfnetlink_cthelper.c
++++ b/net/netfilter/nfnetlink_cthelper.c
+@@ -380,10 +380,14 @@ static int
+ nfnl_cthelper_update(const struct nlattr * const tb[],
+ struct nf_conntrack_helper *helper)
+ {
++ u32 size;
+ int ret;
+
+- if (tb[NFCTH_PRIV_DATA_LEN])
+- return -EBUSY;
++ if (tb[NFCTH_PRIV_DATA_LEN]) {
++ size = ntohl(nla_get_be32(tb[NFCTH_PRIV_DATA_LEN]));
++ if (size != helper->data_len)
++ return -EBUSY;
++ }
+
+ if (tb[NFCTH_POLICY]) {
+ ret = nfnl_cthelper_update_policy(helper, tb[NFCTH_POLICY]);
+--
+2.30.2
+
diff --git a/queue-5.4/netfilter-nft_ct-skip-expectations-for-confirmed-con.patch b/queue-5.4/netfilter-nft_ct-skip-expectations-for-confirmed-con.patch
new file mode 100644
index 00000000000..7caf83b8b27
--- /dev/null
+++ b/queue-5.4/netfilter-nft_ct-skip-expectations-for-confirmed-con.patch
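Review bot: `size = ntohl(nla_get_be32(tb[NFCTH_PRIV_DATA_LEN]));` reads four bytes from a user-supplied netlink attribute, and nothing in the hunk checks the attribute's length. That is safe only if the attribute policy applied before nfnl_cthelper_update() declares NFCTH_PRIV_DATA_LEN as a 32-bit value; the policy table is outside the hunk, so this should be confirmed. `size` is used only inside the new `if` block and could be declared there, `u32 size = ntohl(nla_get_be32(tb[NFCTH_PRIV_DATA_LEN]));`, which keeps the user-controlled value in the narrowest scope. The function body continues past the last line of the hunk.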
@@ -0,0 +1,64 @@
+From 2be0deda9e21552c846b41a92391e9776d9d820b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 27 May 2021 21:54:42 +0200
+Subject: netfilter: nft_ct: skip expectations for confirmed conntrack
+
+From: Pablo Neira Ayuso
+
+[ Upstream commit 1710eb913bdcda3917f44d383c32de6bdabfc836 ]
+
+nft_ct_expect_obj_eval() calls nf_ct_ext_add() for a confirmed
+conntrack entry. However, nf_ct_ext_add() can only be called for
+!nf_ct_is_confirmed().
+
+[ 1825.349056] WARNING: CPU: 0 PID: 1279 at net/netfilter/nf_conntrack_extend.c:48 nf_ct_xt_add+0x18e/0x1a0 [nf_conntrack]
+[ 1825.351391] RIP: 0010:nf_ct_ext_add+0x18e/0x1a0 [nf_conntrack]
+[ 1825.351493] Code: 41 5c 41 5d 41 5e 41 5f c3 41 bc 0a 00 00 00 e9 15 ff ff ff ba 09 00 00 00 31 f6 4c 89 ff e8 69 6c 3d e9 eb 96 45 31 ed eb cd <0f> 0b e9 b1 fe ff ff e8 86 79 14 e9 eb bf 0f 1f 40 00 0f 1f 44 00
+[ 1825.351721] RSP: 0018:ffffc90002e1f1e8 EFLAGS: 00010202
+[ 1825.351790] RAX: 000000000000000e RBX: ffff88814f5783c0 RCX: ffffffffc0e4f887
+[ 1825.351881] RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff88814f578440
+[ 1825.351971] RBP: 0000000000000000 R08: 0000000000000000 R09: ffff88814f578447
+[ 1825.352060] R10: ffffed1029eaf088 R11: 0000000000000001 R12: ffff88814f578440
+[ 1825.352150] R13: ffff8882053f3a00 R14: 0000000000000000 R15: 0000000000000a20
+[ 1825.352240] FS: 00007f992261c900(0000) GS:ffff889faec00000(0000) knlGS:0000000000000000
+[ 1825.352343] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 1825.352417] CR2: 000056070a4d1158 CR3: 000000015efe0000 CR4: 0000000000350ee0
+[ 1825.352508] Call Trace:
+[ 1825.352544] nf_ct_helper_ext_add+0x10/0x60 [nf_conntrack]
+[ 1825.352641] nft_ct_expect_obj_eval+0x1b8/0x1e0 [nft_ct]
+[ 1825.352716] nft_do_chain+0x232/0x850 [nf_tables]
+
+Add the ct helper extension only for unconfirmed conntrack. Skip rule
+evaluation if the ct helper extension does not exist. Thus, you can
+only create expectations from the first packet.
+
+It should be possible to remove this limitation by adding a new action
+to attach a generic ct helper to the first packet. Then, use this ct
+helper extension from follow up packets to create the ct expectation.
+
+While at it, add a missing check to skip the template conntrack too
+and remove check for IPCT_UNTRACK which is implicit to !ct.
+
+Fixes: 857b46027d6f ("netfilter: nft_ct: add ct expectations support")
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nft_ct.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
+index 2042c6f4629c..28991730728b 100644
+--- a/net/netfilter/nft_ct.c
++++ b/net/netfilter/nft_ct.c
+@@ -1218,7 +1218,7 @@ static void nft_ct_expect_obj_eval(struct nft_object *obj,
+ struct nf_conn *ct;
+
+ ct = nf_ct_get(pkt->skb, &ctinfo);
+- if (!ct || ctinfo == IP_CT_UNTRACKED) {
++ if (!ct || nf_ct_is_confirmed(ct) || nf_ct_is_template(ct)) {
+ regs->verdict.code = NFT_BREAK;
+ return;
+ }
+--
+2.30.2
+
diff --git a/queue-5.4/samples-vfio-mdev-fix-error-handing-in-mdpy_fb_probe.patch b/queue-5.4/samples-vfio-mdev-fix-error-handing-in-mdpy_fb_probe.patch
new file mode 100644
index 00000000000..1dd8f22fa7f
--- /dev/null
+++ b/queue-5.4/samples-vfio-mdev-fix-error-handing-in-mdpy_fb_probe.patch
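Review bot: The new condition `if (!ct || nf_ct_is_confirmed(ct) || nf_ct_is_template(ct))` makes nft_ct_expect_obj_eval() end with NFT_BREAK for every packet of an already confirmed connection, and the code carries no comment saying so. The commit message explains that the helper extension can only be added before confirmation, so an expectation rule takes effect on the first packet only; a ruleset author who evaluates it later in the flow gets a silent no-match. I would state that above the check, for example `/* ct helper ext can only be added to an unconfirmed, non-template conntrack: first packet only */`. The function body continues outside the hunk.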
@@ -0,0 +1,62 @@
+From 25851084ac336936cb530c4c5a3e2fccfa19f62d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 20 May 2021 13:36:41 +0000
+Subject: samples: vfio-mdev: fix error handing in mdpy_fb_probe()
+
+From: Wei Yongjun
+
+[ Upstream commit 752774ce7793a1f8baa55aae31f3b4caac49cbe4 ]
+
+Fix to return a negative error code from the framebuffer_alloc() error
+handling case instead of 0, also release regions in some error handing
+cases.
+
+Fixes: cacade1946a4 ("sample: vfio mdev display - guest driver")
+Reported-by: Hulk Robot
+Signed-off-by: Wei Yongjun
+Message-Id: <20210520133641.1421378-1-weiyongjun1@huawei.com>
+Signed-off-by: Alex Williamson
+Signed-off-by: Sasha Levin
+---
+ samples/vfio-mdev/mdpy-fb.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/samples/vfio-mdev/mdpy-fb.c b/samples/vfio-mdev/mdpy-fb.c
+index 2719bb259653..a760e130bd0d 100644
+--- a/samples/vfio-mdev/mdpy-fb.c
++++ b/samples/vfio-mdev/mdpy-fb.c
+@@ -117,22 +117,27 @@ static int mdpy_fb_probe(struct pci_dev *pdev,
+ if (format != DRM_FORMAT_XRGB8888) {
+ pci_err(pdev, "format mismatch (0x%x != 0x%x)\n",
+ format, DRM_FORMAT_XRGB8888);
+- return -EINVAL;
++ ret = -EINVAL;
++ goto err_release_regions;
+ }
+ if (width < 100 || width > 10000) {
+ pci_err(pdev, "width (%d) out of range\n", width);
+- return -EINVAL;
++ ret = -EINVAL;
++ goto err_release_regions;
+ }
+ if (height < 100 || height > 10000) {
+ pci_err(pdev, "height (%d) out of range\n", height);
+- return -EINVAL;
++ ret = -EINVAL;
++ goto err_release_regions;
+ }
+ pci_info(pdev, "mdpy found: %dx%d framebuffer\n",
+ width, height);
+
+ info = framebuffer_alloc(sizeof(struct mdpy_fb_par), &pdev->dev);
+- if (!info)
++ if (!info) {
++ ret = -ENOMEM;
+ goto err_release_regions;
++ }
+ pci_set_drvdata(pdev, info);
+ par = info->par;
+
+--
+2.30.2
+
diff --git a/queue-5.4/series b/queue-5.4/series
index ae5f9577699..b4b293da523 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -2,3 +2,29 @@ btrfs-tree-checker-do-not-error-out-if-extent-ref-ha.patch net-usb-cdc_ncm-don-t-spew-notifications.patch alsa-usb-update-old-style-static-const-declaration.patch nl80211-validate-key-indexes-for-cfg80211_registered.patch +hwmon-dell-smm-hwmon-fix-index-values.patch +netfilter-conntrack-unregister-ipv4-sockopts-on-erro.patch +efi-allow-efi_memory_xp-and-efi_memory_ro-both-to-be.patch +efi-cper-fix-snprintf-use-in-cper_dimm_err_location.patch +vfio-pci-fix-error-return-code-in-vfio_ecap_init.patch +vfio-pci-zap_vma_ptes-needs-mmu.patch +samples-vfio-mdev-fix-error-handing-in-mdpy_fb_probe.patch +vfio-platform-fix-module_put-call-in-error-flow.patch +ipvs-ignore-ip_vs_svc_f_hashed-flag-when-adding-serv.patch +hid-pidff-fix-error-return-code-in-hid_pidff_init.patch +hid-i2c-hid-fix-format-string-mismatch.patch +net-sched-act_ct-fix-ct-template-allocation-for-zone.patch +acpica-clean-up-context-mutex-during-object-deletion.patch +net-mlx5e-check-for-needed-capability-for-cvlan-matc.patch +netfilter-nft_ct-skip-expectations-for-confirmed-con.patch +netfilter-nfnetlink_cthelper-hit-ebusy-on-updates-if.patch +ieee802154-fix-error-return-code-in-ieee802154_add_i.patch +ieee802154-fix-error-return-code-in-ieee802154_llsec.patch +ixgbevf-add-correct-exception-tracing-for-xdp.patch +ipv6-fix-kasan-slab-out-of-bounds-read-in-fib6_nh_fl.patch +ice-write-register-with-correct-offset.patch +ice-fix-vfr-issues-for-avf-drivers-that-expect-atqle.patch +ice-allow-all-lldp-packets-from-pf-to-tx.patch +i2c-qcom-geni-add-shutdown-callback-for-i2c.patch +i40e-optimize-for-xdp_redirect-in-xsk-path.patch +i40e-add-correct-exception-tracing-for-xdp.patch diff --git a/queue-5.4/vfio-pci-fix-error-return-code-in-vfio_ecap_init.patch b/queue-5.4/vfio-pci-fix-error-return-code-in-vfio_ecap_init.patch new file mode 100644 index 00000000000..98e6d5fcbe5 --- /dev/null +++ b/queue-5.4/vfio-pci-fix-error-return-code-in-vfio_ecap_init.patch 
@@ -0,0 +1,39 @@
+From c9ff9f13961d997d36d6d829700237b24fcfb53a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 15 May 2021 10:04:58 +0800
+Subject: vfio/pci: Fix error return code in vfio_ecap_init()
+
+From: Zhen Lei
+
+[ Upstream commit d1ce2c79156d3baf0830990ab06d296477b93c26 ]
+
+The error code returned from vfio_ext_cap_len() is stored in 'len', not
+in 'ret'.
+
+Fixes: 89e1f7d4c66d ("vfio: Add PCI device driver")
+Reported-by: Hulk Robot
+Signed-off-by: Zhen Lei
+Reviewed-by: Max Gurtovoy
+Message-Id: <20210515020458.6771-1-thunder.leizhen@huawei.com>
+Signed-off-by: Alex Williamson
+Signed-off-by: Sasha Levin
+---
+ drivers/vfio/pci/vfio_pci_config.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/vfio/pci/vfio_pci_config.c b/drivers/vfio/pci/vfio_pci_config.c
+index bf32997c557f..50cd17fcf754 100644
+--- a/drivers/vfio/pci/vfio_pci_config.c
++++ b/drivers/vfio/pci/vfio_pci_config.c
+@@ -1576,7 +1576,7 @@ static int vfio_ecap_init(struct vfio_pci_device *vdev)
+ if (len == 0xFF) {
+ len = vfio_ext_cap_len(vdev, ecap, epos);
+ if (len < 0)
+- return ret;
++ return len;
+ }
+ }
+
+--
+2.30.2
+
diff --git a/queue-5.4/vfio-pci-zap_vma_ptes-needs-mmu.patch b/queue-5.4/vfio-pci-zap_vma_ptes-needs-mmu.patch
new file mode 100644
index 00000000000..623f21a839d
--- /dev/null
+++ b/queue-5.4/vfio-pci-zap_vma_ptes-needs-mmu.patch
@@ -0,0 +1,48 @@
+From 2a658842bcf90393aa2d5ea73514d7c76ef67597 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 15 May 2021 12:08:56 -0700
+Subject: vfio/pci: zap_vma_ptes() needs MMU
+
+From: Randy Dunlap
+
+[ Upstream commit 2a55ca37350171d9b43d561528f23d4130097255 ]
+
+zap_vma_ptes() is only available when CONFIG_MMU is set/enabled.
+Without CONFIG_MMU, vfio_pci.o has build errors, so make
+VFIO_PCI depend on MMU.
+
+riscv64-linux-ld: drivers/vfio/pci/vfio_pci.o: in function `vfio_pci_mmap_open':
+vfio_pci.c:(.text+0x1ec): undefined reference to `zap_vma_ptes'
+riscv64-linux-ld: drivers/vfio/pci/vfio_pci.o: in function `.L0 ':
+vfio_pci.c:(.text+0x165c): undefined reference to `zap_vma_ptes'
+
+Fixes: 11c4cd07ba11 ("vfio-pci: Fault mmaps to enable vma tracking")
+Signed-off-by: Randy Dunlap
+Reported-by: kernel test robot
+Cc: Alex Williamson
+Cc: Cornelia Huck
+Cc: kvm@vger.kernel.org
+Cc: Jason Gunthorpe
+Cc: Eric Auger
+Message-Id: <20210515190856.2130-1-rdunlap@infradead.org>
+Signed-off-by: Alex Williamson
+Signed-off-by: Sasha Levin
+---
+ drivers/vfio/pci/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/vfio/pci/Kconfig b/drivers/vfio/pci/Kconfig
+index 4abddbebd4b2..c691127bc805 100644
+--- a/drivers/vfio/pci/Kconfig
++++ b/drivers/vfio/pci/Kconfig
+@@ -2,6 +2,7 @@
+ config VFIO_PCI
+ tristate "VFIO support for PCI devices"
+ depends on VFIO && PCI && EVENTFD
++ depends on MMU
+ select VFIO_VIRQFD
+ select IRQ_BYPASS_MANAGER
+ help
+--
+2.30.2
+
diff --git a/queue-5.4/vfio-platform-fix-module_put-call-in-error-flow.patch b/queue-5.4/vfio-platform-fix-module_put-call-in-error-flow.patch
new file mode 100644
index 00000000000..e1abdcb0056
--- /dev/null
+++ b/queue-5.4/vfio-platform-fix-module_put-call-in-error-flow.patch
@@ -0,0 +1,37 @@
+From e663fcaed603637b10bcfbdb9089df20c897bffa Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 18 May 2021 22:21:31 +0300
+Subject: vfio/platform: fix module_put call in error flow
+
+From: Max Gurtovoy
+
+[ Upstream commit dc51ff91cf2d1e9a2d941da483602f71d4a51472 ]
+
+The ->parent_module is the one that use in try_module_get. It should
+also be the one the we use in module_put during vfio_platform_open().
+
+Fixes: 32a2d71c4e80 ("vfio: platform: introduce vfio-platform-base module")
+Signed-off-by: Max Gurtovoy
+Message-Id: <20210518192133.59195-1-mgurtovoy@nvidia.com>
+Signed-off-by: Alex Williamson
+Signed-off-by: Sasha Levin
+---
+ drivers/vfio/platform/vfio_platform_common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/vfio/platform/vfio_platform_common.c b/drivers/vfio/platform/vfio_platform_common.c
+index 152e5188183c..6f727034679f 100644
+--- a/drivers/vfio/platform/vfio_platform_common.c
++++ b/drivers/vfio/platform/vfio_platform_common.c
+@@ -289,7 +289,7 @@ err_irq:
+ vfio_platform_regions_cleanup(vdev);
+ err_reg:
+ mutex_unlock(&driver_lock);
+- module_put(THIS_MODULE);
++ module_put(vdev->parent_module);
+ return ret;
+ }
+
+--
+2.30.2
+
-- 2.47.3
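Review bot: Nothing at the `err_reg:` label says which reference the `module_put()` releases, which is how it came to drop `THIS_MODULE` while, per the commit message, the matching `try_module_get()` takes `vdev->parent_module`. A one-line comment above the new call, `/* pairs with try_module_get(vdev->parent_module) in vfio_platform_open() */`, would keep the get/put pair from drifting apart again. A put on the wrong module leaves both refcounts unbalanced, which can allow a module to be unloaded while still in use. The start of the function and the `try_module_get()` call lie outside this hunk, so the pairing should be confirmed there.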