From 93324a321b1aef449d1d257523de3a678be23d35 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sun, 15 Aug 2021 08:52:57 -0400 Subject: [PATCH] Fixes for 5.10 
Signed-off-by: Sasha Levin --- ...rect-definition-of-adc-volume-contro.patch | 49 +++ ...42-don-t-allow-snd_soc_daifmt_left_j.patch | 36 ++ ...-inversion-of-adc-notch-switch-contr.patch | 37 +++ ...c-cs42l42-fix-lrclk-frame-start-edge.patch | 67 ++++ ...ove-duplicate-control-for-wnf-filter.patch | 63 ++++ ...ntel-hda-ipc-fix-reply-size-checking.patch | 41 +++ ...nvalid-read-beyond-skb-s-linear-data.patch | 53 +++ ...teger-overflow-involving-bucket_size.patch | 87 +++++ ...cess-sfc_done-when-media-domain-is-n.patch | 81 +++++ ...lour-distortion-from-hdr-set-during-.patch | 73 +++++ ...rss-lut-and-key-in-reset-handle-path.patch | 56 ++++ ...ve-netdev-dev_addr-from-uc-sync-list.patch | 132 ++++++++ ...ce-prevent-probing-virtual-functions.patch | 50 +++ ...4-hwsim-fix-gpf-in-hwsim_new_edge_nl.patch | 38 +++ ...-hwsim-fix-gpf-in-hwsim_set_edge_lqi.patch | 47 +++ ...m-icc-rpmh-add-bcms-to-commit-list-i.patch | 76 +++++ ...obe-for-bpf_prog_type_cgroup_sockopt.patch | 52 +++ ...aovid-double-completion-of-a-request.patch | 69 ++++ ...lags-interpretation-for-extern-learn.patch | 130 ++++++++ .../net-bridge-fix-memleak-in-br_add_if.patch | 75 +++++ ...ate-the-nud_permanent-bit-when-addin.patch | 191 +++++++++++ ...fix-broken-backpressure-in-.port_fdb.patch | 138 ++++++++ ...ix-broken-backpressure-in-.port_fdb_.patch | 65 ++++ .../net-dsa-microchip-fix-ksz_read64.patch | 43 +++ ...microchip-ksz8795-fix-vlan-filtering.patch | 64 ++++ ...dd-the-missing-rxunicast-mib-counter.patch | 34 ++ ...fix-broken-backpressure-in-.port_fdb.patch | 54 +++ ...emory-leak-in-ieee802154_raw_deliver.patch | 87 +++++ ...x-data-race-in-igmp_ifc_timer_expire.patch | 155 +++++++++ ...t-igmp-increase-size-of-mr_ifc_count.patch | 52 +++ ...x-failure-to-restore-device-state-ac.patch | 93 ++++++ ...urn-value-from-tracer-initialization.patch | 51 +++ ...onize-correct-irq-when-destroying-cq.patch | 307 ++++++++++++++++++ ...t-mvvp2-fix-short-frame-size-on-s390.patch | 63 ++++ 
...fix-link-detection-on-ksz87xx-switch.patch | 43 +++ ...rred-reset-ct-info-when-mirror-redir.patch | 60 ++++ ...smc-fix-wait-on-already-cleared-link.patch | 177 ++++++++++ ...ntrack_bridge-fix-memory-leak-when-e.patch | 43 +++ ...-fix-fallback-behavior-for-bias_set_.patch | 52 +++ ...e-fix-gpio-mapping-for-newer-version.patch | 83 +++++ ...ngines-apuv2-add-missing-terminating.patch | 50 +++ ...ng-ifname-when-empty-ifla_ifname-is-.patch | 58 ++++ ...ple-add-a-fwd-declaration-for-skbuff.patch | 37 +++ queue-5.10/series | 46 +++ ...wrap-bug-in-round-logic-if-bbr_init-.patch | 67 ++++ ...id-potential-deadlock-when-vsock-dev.patch | 77 +++++ ...events-fix-race-in-set_evtchn_to_irq.patch | 127 ++++++++ 47 files changed, 3629 insertions(+) create mode 100644 queue-5.10/asoc-cs42l42-correct-definition-of-adc-volume-contro.patch create mode 100644 queue-5.10/asoc-cs42l42-don-t-allow-snd_soc_daifmt_left_j.patch create mode 100644 queue-5.10/asoc-cs42l42-fix-inversion-of-adc-notch-switch-contr.patch create mode 100644 queue-5.10/asoc-cs42l42-fix-lrclk-frame-start-edge.patch create mode 100644 queue-5.10/asoc-cs42l42-remove-duplicate-control-for-wnf-filter.patch create mode 100644 queue-5.10/asoc-sof-intel-hda-ipc-fix-reply-size-checking.patch create mode 100644 queue-5.10/bareudp-fix-invalid-read-beyond-skb-s-linear-data.patch create mode 100644 queue-5.10/bpf-fix-integer-overflow-involving-bucket_size.patch create mode 100644 queue-5.10/drm-i915-only-access-sfc_done-when-media-domain-is-n.patch create mode 100644 queue-5.10/drm-meson-fix-colour-distortion-from-hdr-set-during-.patch create mode 100644 queue-5.10/iavf-set-rss-lut-and-key-in-reset-handle-path.patch create mode 100644 queue-5.10/ice-don-t-remove-netdev-dev_addr-from-uc-sync-list.patch create mode 100644 queue-5.10/ice-prevent-probing-virtual-functions.patch create mode 100644 queue-5.10/ieee802154-hwsim-fix-gpf-in-hwsim_new_edge_nl.patch create mode 100644 
queue-5.10/ieee802154-hwsim-fix-gpf-in-hwsim_set_edge_lqi.patch create mode 100644 queue-5.10/interconnect-qcom-icc-rpmh-add-bcms-to-commit-list-i.patch create mode 100644 queue-5.10/libbpf-fix-probe-for-bpf_prog_type_cgroup_sockopt.patch create mode 100644 queue-5.10/nbd-aovid-double-completion-of-a-request.patch create mode 100644 queue-5.10/net-bridge-fix-flags-interpretation-for-extern-learn.patch create mode 100644 queue-5.10/net-bridge-fix-memleak-in-br_add_if.patch create mode 100644 queue-5.10/net-bridge-validate-the-nud_permanent-bit-when-addin.patch create mode 100644 queue-5.10/net-dsa-lan9303-fix-broken-backpressure-in-.port_fdb.patch create mode 100644 queue-5.10/net-dsa-lantiq-fix-broken-backpressure-in-.port_fdb_.patch create mode 100644 queue-5.10/net-dsa-microchip-fix-ksz_read64.patch create mode 100644 queue-5.10/net-dsa-microchip-ksz8795-fix-vlan-filtering.patch create mode 100644 queue-5.10/net-dsa-mt7530-add-the-missing-rxunicast-mib-counter.patch create mode 100644 queue-5.10/net-dsa-sja1105-fix-broken-backpressure-in-.port_fdb.patch create mode 100644 queue-5.10/net-fix-memory-leak-in-ieee802154_raw_deliver.patch create mode 100644 queue-5.10/net-igmp-fix-data-race-in-igmp_ifc_timer_expire.patch create mode 100644 queue-5.10/net-igmp-increase-size-of-mr_ifc_count.patch create mode 100644 queue-5.10/net-linkwatch-fix-failure-to-restore-device-state-ac.patch create mode 100644 queue-5.10/net-mlx5-fix-return-value-from-tracer-initialization.patch create mode 100644 queue-5.10/net-mlx5-synchronize-correct-irq-when-destroying-cq.patch create mode 100644 queue-5.10/net-mvvp2-fix-short-frame-size-on-s390.patch create mode 100644 queue-5.10/net-phy-micrel-fix-link-detection-on-ksz87xx-switch.patch create mode 100644 queue-5.10/net-sched-act_mirred-reset-ct-info-when-mirror-redir.patch create mode 100644 queue-5.10/net-smc-fix-wait-on-already-cleared-link.patch create mode 100644 queue-5.10/netfilter-nf_conntrack_bridge-fix-memory-leak-when-e.patch 
create mode 100644 queue-5.10/pinctrl-mediatek-fix-fallback-behavior-for-bias_set_.patch create mode 100644 queue-5.10/pinctrl-tigerlake-fix-gpio-mapping-for-newer-version.patch create mode 100644 queue-5.10/platform-x86-pcengines-apuv2-add-missing-terminating.patch create mode 100644 queue-5.10/ppp-fix-generating-ifname-when-empty-ifla_ifname-is-.patch create mode 100644 queue-5.10/psample-add-a-fwd-declaration-for-skbuff.patch create mode 100644 queue-5.10/series create mode 100644 queue-5.10/tcp_bbr-fix-u32-wrap-bug-in-round-logic-if-bbr_init-.patch create mode 100644 queue-5.10/vsock-virtio-avoid-potential-deadlock-when-vsock-dev.patch create mode 100644 queue-5.10/xen-events-fix-race-in-set_evtchn_to_irq.patch
diff --git a/queue-5.10/asoc-cs42l42-correct-definition-of-adc-volume-contro.patch b/queue-5.10/asoc-cs42l42-correct-definition-of-adc-volume-contro.patch
new file mode 100644
index 00000000000..bb143ca3af9
--- /dev/null
+++ b/queue-5.10/asoc-cs42l42-correct-definition-of-adc-volume-contro.patch
@@ -0,0 +1,49 @@
+From 4cfba0856280f5ded3296a1efc9720178d4f3c67 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 29 Jul 2021 18:09:27 +0100
+Subject: ASoC: cs42l42: Correct definition of ADC Volume control
+
+From: Richard Fitzgerald
+
+[ Upstream commit ee86f680ff4c9b406d49d4e22ddf10805b8a2137 ]
+
+The ADC volume is a signed 8-bit number with range -97 to +12,
+with -97 being mute. Use a SOC_SINGLE_S8_TLV() to define this
+and fix the DECLARE_TLV_DB_SCALE() to have the correct start and
+mute flag.
+
+Fixes: 2c394ca79604 ("ASoC: Add support for CS42L42 codec")
+Signed-off-by: Richard Fitzgerald
+Link: https://lore.kernel.org/r/20210729170929.6589-1-rf@opensource.cirrus.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/codecs/cs42l42.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/sound/soc/codecs/cs42l42.c b/sound/soc/codecs/cs42l42.c
+index 7c6b10bc0b8c..64e8831e7b8a 100644
+--- a/sound/soc/codecs/cs42l42.c
++++ b/sound/soc/codecs/cs42l42.c
+@@ -403,7 +403,7 @@ static const struct regmap_config cs42l42_regmap = {
+ .use_single_write = true,
+ };
+
+-static DECLARE_TLV_DB_SCALE(adc_tlv, -9600, 100, false);
++static DECLARE_TLV_DB_SCALE(adc_tlv, -9700, 100, true);
+ static DECLARE_TLV_DB_SCALE(mixer_tlv, -6300, 100, true);
+
+ static const char * const cs42l42_hpf_freq_text[] = {
+@@ -442,8 +442,7 @@ static const struct snd_kcontrol_new cs42l42_snd_controls[] = {
+ CS42L42_ADC_INV_SHIFT, true, false),
+ SOC_SINGLE("ADC Boost Switch", CS42L42_ADC_CTL,
+ CS42L42_ADC_DIG_BOOST_SHIFT, true, false),
+- SOC_SINGLE_SX_TLV("ADC Volume", CS42L42_ADC_VOLUME,
+- CS42L42_ADC_VOL_SHIFT, 0xA0, 0x6C, adc_tlv),
++ SOC_SINGLE_S8_TLV("ADC Volume", CS42L42_ADC_VOLUME, -97, 12, adc_tlv),
+ SOC_SINGLE("ADC WNF Switch", CS42L42_ADC_WNF_HPF_CTL,
+ CS42L42_ADC_WNF_EN_SHIFT, true, false),
+ SOC_SINGLE("ADC HPF Switch", CS42L42_ADC_WNF_HPF_CTL,
+--
+2.30.2
+
diff --git a/queue-5.10/asoc-cs42l42-don-t-allow-snd_soc_daifmt_left_j.patch b/queue-5.10/asoc-cs42l42-don-t-allow-snd_soc_daifmt_left_j.patch
new file mode 100644
index 00000000000..a1d24a71f25
--- /dev/null
+++ b/queue-5.10/asoc-cs42l42-don-t-allow-snd_soc_daifmt_left_j.patch
@@ -0,0 +1,36 @@
+From 3d999c3ba013d39c7846f2e8c1a7230c0c9f52df Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 29 Jul 2021 18:09:28 +0100
+Subject: ASoC: cs42l42: Don't allow SND_SOC_DAIFMT_LEFT_J
+
+From: Richard Fitzgerald
+
+[ Upstream commit 64324bac750b84ca54711fb7d332132fcdb87293 ]
+
+The driver has no support for left-justified protocol so it should
+not have been allowing this to be passed to cs42l42_set_dai_fmt().
+
+Signed-off-by: Richard Fitzgerald
+Fixes: 2c394ca79604 ("ASoC: Add support for CS42L42 codec")
+Link: https://lore.kernel.org/r/20210729170929.6589-2-rf@opensource.cirrus.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/codecs/cs42l42.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/sound/soc/codecs/cs42l42.c b/sound/soc/codecs/cs42l42.c
+index 64e8831e7b8a..9269b7003b31 100644
+--- a/sound/soc/codecs/cs42l42.c
++++ b/sound/soc/codecs/cs42l42.c
+@@ -772,7 +772,6 @@ static int cs42l42_set_dai_fmt(struct snd_soc_dai *codec_dai, unsigned int fmt)
+ /* interface format */
+ switch (fmt & SND_SOC_DAIFMT_FORMAT_MASK) {
+ case SND_SOC_DAIFMT_I2S:
+- case SND_SOC_DAIFMT_LEFT_J:
+ break;
+ default:
+ return -EINVAL;
+--
+2.30.2
+
diff --git a/queue-5.10/asoc-cs42l42-fix-inversion-of-adc-notch-switch-contr.patch b/queue-5.10/asoc-cs42l42-fix-inversion-of-adc-notch-switch-contr.patch
new file mode 100644
index 00000000000..4c0592b5f4a
--- /dev/null
+++ b/queue-5.10/asoc-cs42l42-fix-inversion-of-adc-notch-switch-contr.patch
@@ -0,0 +1,37 @@
+From 17cb1e55c844a25ca692a4c9f6d781cf65dd937d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 3 Aug 2021 17:08:33 +0100
+Subject: ASoC: cs42l42: Fix inversion of ADC Notch Switch control
+
+From: Richard Fitzgerald
+
+[ Upstream commit 30615bd21b4cc3c3bb5ae8bd70e2a915cc5f75c7 ]
+
+The underlying register field has inverted sense (0 = enabled) so
+the control definition must be marked as inverted.
+
+Signed-off-by: Richard Fitzgerald
+Fixes: 2c394ca79604 ("ASoC: Add support for CS42L42 codec")
+Link: https://lore.kernel.org/r/20210803160834.9005-1-rf@opensource.cirrus.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/codecs/cs42l42.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/codecs/cs42l42.c b/sound/soc/codecs/cs42l42.c
+index 9269b7003b31..298354d4ab8d 100644
+--- a/sound/soc/codecs/cs42l42.c
++++ b/sound/soc/codecs/cs42l42.c
+@@ -435,7 +435,7 @@ static SOC_ENUM_SINGLE_DECL(cs42l42_wnf05_freq_enum, CS42L42_ADC_WNF_HPF_CTL,
+ static const struct snd_kcontrol_new cs42l42_snd_controls[] = {
+ /* ADC Volume and Filter Controls */
+ SOC_SINGLE("ADC Notch Switch", CS42L42_ADC_CTL,
+- CS42L42_ADC_NOTCH_DIS_SHIFT, true, false),
++ CS42L42_ADC_NOTCH_DIS_SHIFT, true, true),
+ SOC_SINGLE("ADC Weak Force Switch", CS42L42_ADC_CTL,
+ CS42L42_ADC_FORCE_WEAK_VCM_SHIFT, true, false),
+ SOC_SINGLE("ADC Invert Switch", CS42L42_ADC_CTL,
+--
+2.30.2
+
diff --git a/queue-5.10/asoc-cs42l42-fix-lrclk-frame-start-edge.patch b/queue-5.10/asoc-cs42l42-fix-lrclk-frame-start-edge.patch
new file mode 100644
index 00000000000..f4521c88b0b
--- /dev/null
+++ b/queue-5.10/asoc-cs42l42-fix-lrclk-frame-start-edge.patch
@@ -0,0 +1,67 @@
+From 3e5fb4e82e04d4ba23b38304576125bf42d72f9c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 5 Aug 2021 17:11:05 +0100
+Subject: ASoC: cs42l42: Fix LRCLK frame start edge
+
+From: Richard Fitzgerald
+
+[ Upstream commit 0c2f2ad4f16a58879463d0979a54293f8f296d6f ]
+
+An I2S frame starts on the falling edge of LRCLK so ASP_STP must
+be 0.
+
+At the same time, move other format settings in the same register
+from cs42l42_pll_config() to cs42l42_set_dai_fmt() where you'd
+expect to find them, and merge into a single write.
+
+Signed-off-by: Richard Fitzgerald
+Fixes: 2c394ca79604 ("ASoC: Add support for CS42L42 codec")
+Link: https://lore.kernel.org/r/20210805161111.10410-2-rf@opensource.cirrus.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/codecs/cs42l42.c | 21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+diff --git a/sound/soc/codecs/cs42l42.c b/sound/soc/codecs/cs42l42.c
+index ab6f89032ea0..828dc78202e8 100644
+--- a/sound/soc/codecs/cs42l42.c
++++ b/sound/soc/codecs/cs42l42.c
+@@ -658,15 +658,6 @@ static int cs42l42_pll_config(struct snd_soc_component *component)
+ CS42L42_FSYNC_PULSE_WIDTH_MASK,
+ CS42L42_FRAC1_VAL(fsync - 1) <<
+ CS42L42_FSYNC_PULSE_WIDTH_SHIFT);
+- snd_soc_component_update_bits(component,
+- CS42L42_ASP_FRM_CFG,
+- CS42L42_ASP_5050_MASK,
+- CS42L42_ASP_5050_MASK);
+- /* Set the frame delay to 1.0 SCLK clocks */
+- snd_soc_component_update_bits(component, CS42L42_ASP_FRM_CFG,
+- CS42L42_ASP_FSD_MASK,
+- CS42L42_ASP_FSD_1_0 <<
+- CS42L42_ASP_FSD_SHIFT);
+ /* Set the sample rates (96k or lower) */
+ snd_soc_component_update_bits(component, CS42L42_FS_RATE_EN,
+ CS42L42_FS_EN_MASK,
+@@ -762,6 +753,18 @@ static int cs42l42_set_dai_fmt(struct snd_soc_dai *codec_dai, unsigned int fmt)
+ /* interface format */
+ switch (fmt & SND_SOC_DAIFMT_FORMAT_MASK) {
+ case SND_SOC_DAIFMT_I2S:
++ /*
++ * 5050 mode, frame starts on falling edge of LRCLK,
++ * frame delayed by 1.0 SCLKs
++ */
++ snd_soc_component_update_bits(component,
++ CS42L42_ASP_FRM_CFG,
++ CS42L42_ASP_STP_MASK |
++ CS42L42_ASP_5050_MASK |
++ CS42L42_ASP_FSD_MASK,
++ CS42L42_ASP_5050_MASK |
++ (CS42L42_ASP_FSD_1_0 <<
++ CS42L42_ASP_FSD_SHIFT));
+ break;
+ default:
+ return -EINVAL;
+--
+2.30.2
+
diff --git a/queue-5.10/asoc-cs42l42-remove-duplicate-control-for-wnf-filter.patch b/queue-5.10/asoc-cs42l42-remove-duplicate-control-for-wnf-filter.patch
new file mode 100644
index 00000000000..87e1d517b05
--- /dev/null
+++ b/queue-5.10/asoc-cs42l42-remove-duplicate-control-for-wnf-filter.patch
@@ -0,0 +1,63 @@
+From 2c697c2e75ac0e017bcd159a5378038e727dbf27 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 3 Aug 2021 17:08:34 +0100
+Subject: ASoC: cs42l42: Remove duplicate control for WNF filter frequency
+
+From: Richard Fitzgerald
+
+[ Upstream commit 8b353bbeae20e2214c9d9d88bcb2fda4ba145d83 ]
+
+The driver was defining two ALSA controls that both change the same
+register field for the wind noise filter corner frequency. The filter
+response has two corners, at different frequencies, and the duplicate
+controls most likely were an attempt to be able to set the value using
+either of the frequencies.
+
+However, having two controls changing the same field can be problematic
+and it is unnecessary. Both frequencies are related to each other so
+setting one implies exactly what the other would be.
+
+Removing a control affects user-side code, but there is currently no
+known use of the removed control so it would be best to remove it now
+before it becomes a problem.
+
+Signed-off-by: Richard Fitzgerald
+Fixes: 2c394ca79604 ("ASoC: Add support for CS42L42 codec")
+Link: https://lore.kernel.org/r/20210803160834.9005-2-rf@opensource.cirrus.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/codecs/cs42l42.c | 10 ----------
+ 1 file changed, 10 deletions(-)
+
+diff --git a/sound/soc/codecs/cs42l42.c b/sound/soc/codecs/cs42l42.c
+index 298354d4ab8d..ab6f89032ea0 100644
+--- a/sound/soc/codecs/cs42l42.c
++++ b/sound/soc/codecs/cs42l42.c
+@@ -423,15 +423,6 @@ static SOC_ENUM_SINGLE_DECL(cs42l42_wnf3_freq_enum, CS42L42_ADC_WNF_HPF_CTL,
+ CS42L42_ADC_WNF_CF_SHIFT,
+ cs42l42_wnf3_freq_text);
+
+-static const char * const cs42l42_wnf05_freq_text[] = {
+- "280Hz", "315Hz", "350Hz", "385Hz",
+- "420Hz", "455Hz", "490Hz", "525Hz"
+-};
+-
+-static SOC_ENUM_SINGLE_DECL(cs42l42_wnf05_freq_enum, CS42L42_ADC_WNF_HPF_CTL,
+- CS42L42_ADC_WNF_CF_SHIFT,
+- cs42l42_wnf05_freq_text);
+-
+ static const struct snd_kcontrol_new cs42l42_snd_controls[] = {
+ /* ADC Volume and Filter Controls */
+ SOC_SINGLE("ADC Notch Switch", CS42L42_ADC_CTL,
+@@ -449,7 +440,6 @@ static const struct snd_kcontrol_new cs42l42_snd_controls[] = {
+ CS42L42_ADC_HPF_EN_SHIFT, true, false),
+ SOC_ENUM("HPF Corner Freq", cs42l42_hpf_freq_enum),
+ SOC_ENUM("WNF 3dB Freq", cs42l42_wnf3_freq_enum),
+- SOC_ENUM("WNF 05dB Freq", cs42l42_wnf05_freq_enum),
+
+ /* DAC Volume and Filter Controls */
+ SOC_SINGLE("DACA Invert Switch", CS42L42_DAC_CTL1,
+--
+2.30.2
+
diff --git a/queue-5.10/asoc-sof-intel-hda-ipc-fix-reply-size-checking.patch b/queue-5.10/asoc-sof-intel-hda-ipc-fix-reply-size-checking.patch
new file mode 100644
index 00000000000..ee8c18e1580
--- /dev/null
+++ b/queue-5.10/asoc-sof-intel-hda-ipc-fix-reply-size-checking.patch
@@ -0,0 +1,41 @@
+From 8553794bf9c43c4daf3d27c009985ca298f548ea Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 2 Aug 2021 10:17:49 -0500
+Subject: ASoC: SOF: Intel: hda-ipc: fix reply size checking
+
+From: Guennadi Liakhovetski
+
+[ Upstream commit 973b393fdf073a4ebd8d82ef6edea99fedc74af9 ]
+
+Checking that two values don't have common bits makes no sense,
+strict equality is meant.
+
+Fixes: f3b433e4699f ("ASoC: SOF: Implement Probe IPC API")
+Reviewed-by: Ranjani Sridharan
+Signed-off-by: Guennadi Liakhovetski
+Signed-off-by: Pierre-Louis Bossart
+Link: https://lore.kernel.org/r/20210802151749.15417-1-pierre-louis.bossart@linux.intel.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/sof/intel/hda-ipc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/sof/intel/hda-ipc.c b/sound/soc/sof/intel/hda-ipc.c
+index c91aa951df22..acfeca42604c 100644
+--- a/sound/soc/sof/intel/hda-ipc.c
++++ b/sound/soc/sof/intel/hda-ipc.c
+@@ -107,8 +107,8 @@ void hda_dsp_ipc_get_reply(struct snd_sof_dev *sdev)
+ } else {
+ /* reply correct size ? */
+ if (reply.hdr.size != msg->reply_size &&
+- /* getter payload is never known upfront */
+- !(reply.hdr.cmd & SOF_IPC_GLB_PROBE)) {
++ /* getter payload is never known upfront */
++ ((reply.hdr.cmd & SOF_GLB_TYPE_MASK) != SOF_IPC_GLB_PROBE)) {
+ dev_err(sdev->dev, "error: reply expected %zu got %u bytes\n",
+ msg->reply_size, reply.hdr.size);
+ ret = -EINVAL;
+--
+2.30.2
+
diff --git a/queue-5.10/bareudp-fix-invalid-read-beyond-skb-s-linear-data.patch b/queue-5.10/bareudp-fix-invalid-read-beyond-skb-s-linear-data.patch
new file mode 100644
index 00000000000..dbe293cc43f
--- /dev/null
+++ b/queue-5.10/bareudp-fix-invalid-read-beyond-skb-s-linear-data.patch
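Review bot: In hda_dsp_ipc_get_reply() (the hda-ipc.c patch), the size comparison is skipped entirely for replies whose type field equals SOF_IPC_GLB_PROBE, so for those messages `reply.hdr.size` comes from the DSP with no bound applied in this hunk. The function continues outside the hunk, so whether the later mailbox read is limited to `msg->reply_size` cannot be confirmed from here; if it is not, an upper-bound test such as `reply.hdr.size > msg->reply_size` for the probe case would be the check to add. Separately, the comment sits between the two operands of the `&&`; moving it above the `if` and dropping the redundant outer parentheses would make the condition easier to audit.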
@@ -0,0 +1,53 @@
+From 52ee6b38c43afd43526e40d6495140b8a575bd35 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 6 Aug 2021 17:52:06 +0200
+Subject: bareudp: Fix invalid read beyond skb's linear data
+
+From: Guillaume Nault
+
+[ Upstream commit 143a8526ab5fd4f8a0c4fe2a9cb28c181dc5a95f ]
+
+Data beyond the UDP header might not be part of the skb's linear data.
+Use skb_copy_bits() instead of direct access to skb->data+X, so that
+we read the correct bytes even on a fragmented skb.
+
+Fixes: 4b5f67232d95 ("net: Special handling for IP & MPLS.")
+Signed-off-by: Guillaume Nault
+Link: https://lore.kernel.org/r/7741c46545c6ef02e70c80a9b32814b22d9616b3.1628264975.git.gnault@redhat.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/bareudp.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/bareudp.c b/drivers/net/bareudp.c
+index 59c1724bcd0e..39b128205f25 100644
+--- a/drivers/net/bareudp.c
++++ b/drivers/net/bareudp.c
+@@ -71,12 +71,18 @@ static int bareudp_udp_encap_recv(struct sock *sk, struct sk_buff *skb)
+ family = AF_INET6;
+
+ if (bareudp->ethertype == htons(ETH_P_IP)) {
+- struct iphdr *iphdr;
++ __u8 ipversion;
+
+- iphdr = (struct iphdr *)(skb->data + BAREUDP_BASE_HLEN);
+- if (iphdr->version == 4) {
+- proto = bareudp->ethertype;
+- } else if (bareudp->multi_proto_mode && (iphdr->version == 6)) {
++ if (skb_copy_bits(skb, BAREUDP_BASE_HLEN, &ipversion,
++ sizeof(ipversion))) {
++ bareudp->dev->stats.rx_dropped++;
++ goto drop;
++ }
++ ipversion >>= 4;
++
++ if (ipversion == 4) {
++ proto = htons(ETH_P_IP);
++ } else if (ipversion == 6 && bareudp->multi_proto_mode) {
+ proto = htons(ETH_P_IPV6);
+ } else {
+ bareudp->dev->stats.rx_dropped++;
+--
+2.30.2
+
diff --git a/queue-5.10/bpf-fix-integer-overflow-involving-bucket_size.patch b/queue-5.10/bpf-fix-integer-overflow-involving-bucket_size.patch
new file mode 100644
index 00000000000..05ed400b869
--- /dev/null
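Review bot: The new `skb_copy_bits()` read in bareudp_udp_encap_recv() (the bareudp.c patch) carries no comment saying why the byte is copied rather than dereferenced, which is the detail a later editor needs in order not to reintroduce the direct `skb->data` access. Suggest `/* the inner header may sit in a fragment, so copy its first byte instead of reading skb->data */` above the call and `/* version is the high nibble of the first header byte */` on `ipversion >>= 4;`. Only the ETH_P_IP branch is visible in this hunk; any other branch of the function that reads past BAREUDP_BASE_HLEN through `skb->data` would need the same treatment, but that code is outside the hunk.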
+++ b/queue-5.10/bpf-fix-integer-overflow-involving-bucket_size.patch 
@@ -0,0 +1,87 @@
+From e6ec13b9c41d05a66b4469b06401a97ba3a8f3ed Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 7 Aug 2021 00:04:18 +0900
+Subject: bpf: Fix integer overflow involving bucket_size
+
+From: Tatsuhiko Yasumatsu
+
+[ Upstream commit c4eb1f403243fc7bbb7de644db8587c03de36da6 ]
+
+In __htab_map_lookup_and_delete_batch(), hash buckets are iterated
+over to count the number of elements in each bucket (bucket_size).
+If bucket_size is large enough, the multiplication to calculate
+kvmalloc() size could overflow, resulting in out-of-bounds write
+as reported by KASAN:
+
+ [...]
+ [ 104.986052] BUG: KASAN: vmalloc-out-of-bounds in __htab_map_lookup_and_delete_batch+0x5ce/0xb60
+ [ 104.986489] Write of size 4194224 at addr ffffc9010503be70 by task crash/112
+ [ 104.986889]
+ [ 104.987193] CPU: 0 PID: 112 Comm: crash Not tainted 5.14.0-rc4 #13
+ [ 104.987552] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
+ [ 104.988104] Call Trace:
+ [ 104.988410] dump_stack_lvl+0x34/0x44
+ [ 104.988706] print_address_description.constprop.0+0x21/0x140
+ [ 104.988991] ? __htab_map_lookup_and_delete_batch+0x5ce/0xb60
+ [ 104.989327] ? __htab_map_lookup_and_delete_batch+0x5ce/0xb60
+ [ 104.989622] kasan_report.cold+0x7f/0x11b
+ [ 104.989881] ? __htab_map_lookup_and_delete_batch+0x5ce/0xb60
+ [ 104.990239] kasan_check_range+0x17c/0x1e0
+ [ 104.990467] memcpy+0x39/0x60
+ [ 104.990670] __htab_map_lookup_and_delete_batch+0x5ce/0xb60
+ [ 104.990982] ? __wake_up_common+0x4d/0x230
+ [ 104.991256] ? htab_of_map_free+0x130/0x130
+ [ 104.991541] bpf_map_do_batch+0x1fb/0x220
+ [...]
+
+In hashtable, if the elements' keys have the same jhash() value, the
+elements will be put into the same bucket. By putting a lot of elements
+into a single bucket, the value of bucket_size can be increased to
+trigger the integer overflow.
+
+Triggering the overflow is possible for both callers with CAP_SYS_ADMIN
+and callers without CAP_SYS_ADMIN.
+
+It will be trivial for a caller with CAP_SYS_ADMIN to intentionally
+reach this overflow by enabling BPF_F_ZERO_SEED. As this flag will set
+the random seed passed to jhash() to 0, it will be easy for the caller
+to prepare keys which will be hashed into the same value, and thus put
+all the elements into the same bucket.
+
+If the caller does not have CAP_SYS_ADMIN, BPF_F_ZERO_SEED cannot be
+used. However, it will be still technically possible to trigger the
+overflow, by guessing the random seed value passed to jhash() (32bit)
+and repeating the attempt to trigger the overflow. In this case,
+the probability to trigger the overflow will be low and will take
+a very long time.
+
+Fix the integer overflow by calling kvmalloc_array() instead of
+kvmalloc() to allocate memory.
+
+Fixes: 057996380a42 ("bpf: Add batch ops to all htab bpf map")
+Signed-off-by: Tatsuhiko Yasumatsu
+Signed-off-by: Daniel Borkmann
+Link: https://lore.kernel.org/bpf/20210806150419.109658-1-th.yasumatsu@gmail.com
+Signed-off-by: Sasha Levin
+---
+ kernel/bpf/hashtab.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c
+index 1fccba6e88c4..6c444e815406 100644
+--- a/kernel/bpf/hashtab.c
++++ b/kernel/bpf/hashtab.c
+@@ -1425,8 +1425,8 @@ alloc:
+ /* We cannot do copy_from_user or copy_to_user inside
+ * the rcu_read_lock. Allocate enough space here.
+ */
+- keys = kvmalloc(key_size * bucket_size, GFP_USER | __GFP_NOWARN);
+- values = kvmalloc(value_size * bucket_size, GFP_USER | __GFP_NOWARN);
++ keys = kvmalloc_array(key_size, bucket_size, GFP_USER | __GFP_NOWARN);
++ values = kvmalloc_array(value_size, bucket_size, GFP_USER | __GFP_NOWARN);
+ if (!keys || !values) {
+ ret = -ENOMEM;
+ goto after_loop;
+--
+2.30.2
+
diff --git a/queue-5.10/drm-i915-only-access-sfc_done-when-media-domain-is-n.patch b/queue-5.10/drm-i915-only-access-sfc_done-when-media-domain-is-n.patch
new file mode 100644
index 00000000000..e02f67f1945
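Review bot: The two `kvmalloc_array()` calls in the hashtab.c patch pass the element size first and the element count second, while the helper's parameters are `(n, size, flags)`; the overflow check is symmetric so the result is the same, but `kvmalloc_array(bucket_size, key_size, GFP_USER | __GFP_NOWARN)` (and likewise with `value_size`) reads correctly to anyone auditing allocation sizes. The commit message describes `bucket_size` as something a caller can inflate, so a short comment such as `/* bucket_size is caller-influenced; kvmalloc_array() fails instead of wrapping */` would record why the array form must stay. The `alloc:` label and the `after_loop` cleanup lie outside the hunk, so the free path for a half-successful allocation was not reviewed.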
--- /dev/null
+++ b/queue-5.10/drm-i915-only-access-sfc_done-when-media-domain-is-n.patch
@@ -0,0 +1,81 @@
+From 9729174b490ee8cfee2a4873a4a95ac40f0b563f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 6 Aug 2021 10:41:30 -0700
+Subject: drm/i915: Only access SFC_DONE when media domain is not fused off
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Matt Roper
+
+[ Upstream commit 24d032e2359e3abc926b3d423f49a7c33e0b7836 ]
+
+The SFC_DONE register lives within the corresponding VD0/VD2/VD4/VD6
+forcewake domain and is not accessible if the vdbox in that domain is
+fused off and the forcewake is not initialized.
+
+This mistake went unnoticed because until recently we were using the
+wrong register offset for the SFC_DONE register; once the register
+offset was corrected, we started hitting errors like
+
+ <4> [544.989065] i915 0000:cc:00.0: Uninitialized forcewake domain(s) 0x80 accessed at 0x1ce000
+
+on parts with fused-off vdbox engines.
+
+Fixes: e50dbdbfd9fb ("drm/i915/tgl: Add SFC instdone to error state")
+Fixes: 9c9c6d0ab08a ("drm/i915: Correct SFC_DONE register offset")
+Cc: Daniele Ceraolo Spurio
+Cc: Mika Kuoppala
+Signed-off-by: Matt Roper
+Link: https://patchwork.freedesktop.org/patch/msgid/20210806174130.1058960-1-matthew.d.roper@intel.com
+Reviewed-by: José Roberto de Souza
+(cherry picked from commit c5589bb5dccb0c5cb74910da93663f489589f3ce)
+Signed-off-by: Rodrigo Vivi
+[Changed Fixes tag to match the cherry-picked 82929a2140eb]
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/i915/i915_gpu_error.c | 19 ++++++++++++++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/i915/i915_gpu_error.c b/drivers/gpu/drm/i915/i915_gpu_error.c
+index cf6e47adfde6..9ce8f043ad7f 100644
+--- a/drivers/gpu/drm/i915/i915_gpu_error.c
++++ b/drivers/gpu/drm/i915/i915_gpu_error.c
+@@ -727,9 +727,18 @@ static void err_print_gt(struct drm_i915_error_state_buf *m,
+ if (INTEL_GEN(m->i915) >= 12) {
+ int i;
+
+- for (i = 0; i < GEN12_SFC_DONE_MAX; i++)
++ for (i = 0; i < GEN12_SFC_DONE_MAX; i++) {
++ /*
++ * SFC_DONE resides in the VD forcewake domain, so it
++ * only exists if the corresponding VCS engine is
++ * present.
++ */
++ if (!HAS_ENGINE(gt->_gt, _VCS(i * 2)))
++ continue;
++
+ err_printf(m, " SFC_DONE[%d]: 0x%08x\n", i,
+ gt->sfc_done[i]);
++ }
+
+ err_printf(m, " GAM_DONE: 0x%08x\n", gt->gam_done);
+ }
+@@ -1594,6 +1603,14 @@ static void gt_record_regs(struct intel_gt_coredump *gt)
+
+ if (INTEL_GEN(i915) >= 12) {
+ for (i = 0; i < GEN12_SFC_DONE_MAX; i++) {
++ /*
++ * SFC_DONE resides in the VD forcewake domain, so it
++ * only exists if the corresponding VCS engine is
++ * present.
++ */
++ if (!HAS_ENGINE(gt->_gt, _VCS(i * 2)))
++ continue;
++
+ gt->sfc_done[i] =
+ intel_uncore_read(uncore, GEN12_SFC_DONE(i));
+ }
+--
+2.30.2
+
diff --git a/queue-5.10/drm-meson-fix-colour-distortion-from-hdr-set-during-.patch b/queue-5.10/drm-meson-fix-colour-distortion-from-hdr-set-during-.patch
new file mode 100644
index 00000000000..9e330d35778
--- /dev/null
+++ b/queue-5.10/drm-meson-fix-colour-distortion-from-hdr-set-during-.patch
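Review bot: The guard `HAS_ENGINE(gt->_gt, _VCS(i * 2))` in the i915_gpu_error.c patch is copied into both err_print_gt() and gt_record_regs() together with its comment, and the comment explains the forcewake domain but not why the SFC index is doubled. The commit message gives the reason (the register lives in VD0/VD2/VD4/VD6), so the comment could say it directly, e.g. `/* SFC_DONE[i] sits in the forcewake domain of VCS(2 * i), i.e. VD0/VD2/VD4/VD6 */`. A small shared helper for the test would keep the record and print paths from drifting apart; both functions extend beyond their hunks.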
@@ -0,0 +1,73 @@
+From a6a7d5172e2ad770816c3fc48d1e6ef52fdeced3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 6 Aug 2021 09:40:05 +0000
+Subject: drm/meson: fix colour distortion from HDR set during vendor u-boot
+
+From: Christian Hewitt
+
+[ Upstream commit bf33677a3c394bb8fddd48d3bbc97adf0262e045 ]
+
+Add support for the OSD1 HDR registers so meson DRM can handle the HDR
+properties set by Amlogic u-boot on G12A and newer devices which result
+in blue/green/pink colour distortion to display output.
+
+This takes the original patch submissions from Mathias [0] and [1] with
+corrections for formatting and the missing description and attribution
+needed for merge.
+
+[0] https://lore.kernel.org/linux-amlogic/59dfd7e6-fc91-3d61-04c4-94e078a3188c@baylibre.com/T/
+[1] https://lore.kernel.org/linux-amlogic/CAOKfEHBx_fboUqkENEMd-OC-NSrf46nto+vDLgvgttzPe99kXg@mail.gmail.com/T/#u
+
+Fixes: 728883948b0d ("drm/meson: Add G12A Support for VIU setup")
+Suggested-by: Mathias Steiger
+Signed-off-by: Christian Hewitt
+Tested-by: Neil Armstrong
+Tested-by: Philip Milev
+[narmsrong: adding missing space on second tested-by tag]
+Signed-off-by: Neil Armstrong
+Link: https://patchwork.freedesktop.org/patch/msgid/20210806094005.7136-1-christianshewitt@gmail.com
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/meson/meson_registers.h | 5 +++++
+ drivers/gpu/drm/meson/meson_viu.c | 7 ++++++-
+ 2 files changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/meson/meson_registers.h b/drivers/gpu/drm/meson/meson_registers.h
+index 446e7961da48..0f3cafab8860 100644
+--- a/drivers/gpu/drm/meson/meson_registers.h
++++ b/drivers/gpu/drm/meson/meson_registers.h
+@@ -634,6 +634,11 @@
+ #define VPP_WRAP_OSD3_MATRIX_PRE_OFFSET2 0x3dbc
+ #define VPP_WRAP_OSD3_MATRIX_EN_CTRL 0x3dbd
+
++/* osd1 HDR */
++#define OSD1_HDR2_CTRL 0x38a0
++#define OSD1_HDR2_CTRL_VDIN0_HDR2_TOP_EN BIT(13)
++#define OSD1_HDR2_CTRL_REG_ONLY_MAT BIT(16)
++
+ /* osd2 scaler */
+ #define OSD2_VSC_PHASE_STEP 0x3d00
+ #define OSD2_VSC_INI_PHASE 0x3d01
+diff --git a/drivers/gpu/drm/meson/meson_viu.c b/drivers/gpu/drm/meson/meson_viu.c
+index aede0c67a57f..259f3e6bec90 100644
+--- a/drivers/gpu/drm/meson/meson_viu.c
++++ b/drivers/gpu/drm/meson/meson_viu.c
+@@ -425,9 +425,14 @@ void meson_viu_init(struct meson_drm *priv)
+ if (meson_vpu_is_compatible(priv, VPU_COMPATIBLE_GXM) ||
+ meson_vpu_is_compatible(priv, VPU_COMPATIBLE_GXL))
+ meson_viu_load_matrix(priv);
+- else if (meson_vpu_is_compatible(priv, VPU_COMPATIBLE_G12A))
++ else if (meson_vpu_is_compatible(priv, VPU_COMPATIBLE_G12A)) {
+ meson_viu_set_g12a_osd1_matrix(priv, RGB709_to_YUV709l_coeff,
+ true);
++ /* fix green/pink color distortion from vendor u-boot */
++ writel_bits_relaxed(OSD1_HDR2_CTRL_REG_ONLY_MAT |
++ OSD1_HDR2_CTRL_VDIN0_HDR2_TOP_EN, 0,
++ priv->io_base + _REG(OSD1_HDR2_CTRL));
++ }
+
+ /* Initialize OSD1 fifo control register */
+ reg = VIU_OSD_DDR_PRIORITY_URGENT |
+--
+2.30.2
+
diff --git a/queue-5.10/iavf-set-rss-lut-and-key-in-reset-handle-path.patch b/queue-5.10/iavf-set-rss-lut-and-key-in-reset-handle-path.patch
new file mode 100644
index 00000000000..52b4789ffac
--- /dev/null
+++ b/queue-5.10/iavf-set-rss-lut-and-key-in-reset-handle-path.patch
@@ -0,0 +1,56 @@
+From 3612dde11890173918a89d52dbd2f9288144df38 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 4 Jun 2021 09:53:33 -0700
+Subject: iavf: Set RSS LUT and key in reset handle path
+
+From: Md Fahad Iqbal Polash
+
+[ Upstream commit a7550f8b1c9712894f9e98d6caf5f49451ebd058 ]
+
+iavf driver should set RSS LUT and key unconditionally in reset
+path. Currently, the driver does not do that. This patch fixes
+this issue.
+
+Fixes: 2c86ac3c7079 ("i40evf: create a generic config RSS function")
+Signed-off-by: Md Fahad Iqbal Polash
+Tested-by: Konrad Jankowski
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/iavf/iavf_main.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c
+index f3caf5eab8d4..c4ec9a91c7c5 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_main.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c
+@@ -1489,11 +1489,6 @@ static int iavf_reinit_interrupt_scheme(struct iavf_adapter *adapter)
+ set_bit(__IAVF_VSI_DOWN, adapter->vsi.state);
+
+ iavf_map_rings_to_vectors(adapter);
+-
+- if (RSS_AQ(adapter))
+- adapter->aq_required |= IAVF_FLAG_AQ_CONFIGURE_RSS;
+- else
+- err = iavf_init_rss(adapter);
+ err:
+ return err;
+ }
+@@ -2167,6 +2162,14 @@ continue_reset:
+ goto reset_err;
+ }
+
++ if (RSS_AQ(adapter)) {
++ adapter->aq_required |= IAVF_FLAG_AQ_CONFIGURE_RSS;
++ } else {
++ err = iavf_init_rss(adapter);
++ if (err)
++ goto reset_err;
++ }
++
+ adapter->aq_required |= IAVF_FLAG_AQ_GET_CONFIG;
+ adapter->aq_required |= IAVF_FLAG_AQ_MAP_VECTORS;
+
+--
+2.30.2
+
diff --git a/queue-5.10/ice-don-t-remove-netdev-dev_addr-from-uc-sync-list.patch b/queue-5.10/ice-don-t-remove-netdev-dev_addr-from-uc-sync-list.patch
new file mode 100644
index 00000000000..04d453a1f6f
--- /dev/null
+++ b/queue-5.10/ice-don-t-remove-netdev-dev_addr-from-uc-sync-list.patch
@@ -0,0 +1,132 @@
+From d8c6ee7726668828873e710c40621695cd7038aa Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 6 Aug 2021 09:51:27 -0700
+Subject: ice: don't remove netdev->dev_addr from uc sync list
+
+From: Brett Creeley
+
+[ Upstream commit 3ba7f53f8bf1fb862e36c7f74434ac3aceb60158 ]
+
+In some circumstances, such as with bridging, it's possible that the
+stack will add the device's own MAC address to its unicast address list.
+
+If, later, the stack deletes this address, the driver will receive a
+request to remove this address.
+
+The driver stores its current MAC address as part of the VSI MAC filter
+list instead of separately. So, this causes a problem when the device's
+MAC address is deleted unexpectedly, which results in traffic failure in
+some cases.
+
+The following configuration steps will reproduce the previously
+mentioned problem:
+
+> ip link set eth0 up
+> ip link add dev br0 type bridge
+> ip link set br0 up
+> ip addr flush dev eth0
+> ip link set eth0 master br0
+> echo 1 > /sys/class/net/br0/bridge/vlan_filtering
+> modprobe -r veth
+> modprobe -r bridge
+> ip addr add 192.168.1.100/24 dev eth0
+
+The following ping command fails due to the netdev->dev_addr being
+deleted when removing the bridge module.
+> ping
+
+Fix this by making sure to not delete the netdev->dev_addr during MAC
+address sync. After fixing this issue it was noticed that the
+netdev_warn() in .set_mac was overly verbose, so make it at
+netdev_dbg().
+
+Also, there is a possibility of a race condition between .set_mac and
+.set_rx_mode. Fix this by calling netif_addr_lock_bh() and
+netif_addr_unlock_bh() on the device's netdev when the netdev->dev_addr
+is going to be updated in .set_mac.
+
+Fixes: e94d44786693 ("ice: Implement filter sync, NDO operations and bump version")
+Signed-off-by: Brett Creeley
+Tested-by: Liang Li
+Tested-by: Gurucharan G
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/ice/ice_main.c | 23 +++++++++++++++--------
+ 1 file changed, 15 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c
+index 6421e9fd69a2..a46780570cd9 100644
+--- a/drivers/net/ethernet/intel/ice/ice_main.c
++++ b/drivers/net/ethernet/intel/ice/ice_main.c
+@@ -189,6 +189,14 @@ static int ice_add_mac_to_unsync_list(struct net_device *netdev, const u8 *addr)
+ struct ice_netdev_priv *np = netdev_priv(netdev);
+ struct ice_vsi *vsi = np->vsi;
+
++ /* Under some circumstances, we might receive a request to delete our
++ * own device address from our uc list. Because we store the device
++ * address in the VSI's MAC filter list, we need to ignore such
++ * requests and not delete our device address from this list.
++ */
++ if (ether_addr_equal(addr, netdev->dev_addr))
++ return 0;
++
+ if (ice_fltr_add_mac_to_list(vsi, &vsi->tmp_unsync_list, addr,
+ ICE_FWD_TO_VSI))
+ return -EINVAL;
+@@ -4881,7 +4889,7 @@ static int ice_set_mac_address(struct net_device *netdev, void *pi)
+ return -EADDRNOTAVAIL;
+
+ if (ether_addr_equal(netdev->dev_addr, mac)) {
+- netdev_warn(netdev, "already using mac %pM\n", mac);
++ netdev_dbg(netdev, "already using mac %pM\n", mac);
+ return 0;
+ }
+
+@@ -4892,6 +4900,7 @@ static int ice_set_mac_address(struct net_device *netdev, void *pi)
+ return -EBUSY;
+ }
+
++ netif_addr_lock_bh(netdev);
+ /* Clean up old MAC filter. Not an error if old filter doesn't exist */
+ status = ice_fltr_remove_mac(vsi, netdev->dev_addr, ICE_FWD_TO_VSI);
+ if (status && status != ICE_ERR_DOES_NOT_EXIST) {
+@@ -4901,30 +4910,28 @@ static int ice_set_mac_address(struct net_device *netdev, void *pi)
+
+ /* Add filter for new MAC. If filter exists, return success */
+ status = ice_fltr_add_mac(vsi, mac, ICE_FWD_TO_VSI);
+- if (status == ICE_ERR_ALREADY_EXISTS) {
++ if (status == ICE_ERR_ALREADY_EXISTS)
+ /* Although this MAC filter is already present in hardware it's
+ * possible in some cases (e.g. bonding) that dev_addr was
+ * modified outside of the driver and needs to be restored back
+ * to this value.
+ */
+- memcpy(netdev->dev_addr, mac, netdev->addr_len);
+ netdev_dbg(netdev, "filter for MAC %pM already exists\n", mac);
+- return 0;
+- }
+-
+- /* error if the new filter addition failed */
+- if (status)
++ else if (status)
++ /* error if the new filter addition failed */
+ err = -EADDRNOTAVAIL;
+
+ err_update_filters:
+ if (err) {
+ netdev_err(netdev, "can't set MAC %pM. filter update failed\n",
+ mac);
++ netif_addr_unlock_bh(netdev);
+ return err;
+ }
+
+ /* change the netdev's MAC address */
+ memcpy(netdev->dev_addr, mac, netdev->addr_len);
++ netif_addr_unlock_bh(netdev);
+ netdev_dbg(vsi->netdev, "updated MAC address to %pM\n",
+ netdev->dev_addr);
+
+--
+2.30.2
+
diff --git a/queue-5.10/ice-prevent-probing-virtual-functions.patch b/queue-5.10/ice-prevent-probing-virtual-functions.patch
new file mode 100644
index 00000000000..601955c6e6c
--- /dev/null
+++ b/queue-5.10/ice-prevent-probing-virtual-functions.patch
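Review bot: In ice_set_mac_address the new `netif_addr_lock_bh(netdev);` is taken before `ice_fltr_remove_mac()` and `ice_fltr_add_mac()`, so both filter updates now run with a spinlock held and bottom halves disabled. If either helper can sleep (their bodies are not in this hunk, so this needs confirming), that is a sleep-in-atomic bug; taking the lock only around `memcpy(netdev->dev_addr, mac, netdev->addr_len);` would still serialise the dev_addr update against .set_rx_mode. Separately, the rewritten `if (status == ICE_ERR_ALREADY_EXISTS)` / `else if (status)` chain drops its braces while each arm has a comment between the condition and its single statement, which is easy to misread; keeping `{ }` on both arms would be clearer. The function starts and ends outside the hunks shown.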
@@ -0,0 +1,50 @@
+From 726d391eea80f58213dd1cc5716c68497d134b68 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 28 Jul 2021 12:39:10 -0700
+Subject: ice: Prevent probing virtual functions
+
+From: Anirudh Venkataramanan
+
+[ Upstream commit 50ac7479846053ca8054be833c1594e64de496bb ]
+
+The userspace utility "driverctl" can be used to change/override the
+system's default driver choices. This is useful in some situations
+(buggy driver, old driver missing a device ID, trying a workaround,
+etc.) where the user needs to load a different driver.
+
+However, this is also prone to user error, where a driver is mapped
+to a device it's not designed to drive. For example, if the ice driver
+is mapped to driver iavf devices, the ice driver crashes.
+
+Add a check to return an error if the ice driver is being used to
+probe a virtual function.
+
+Fixes: 837f08fdecbe ("ice: Add basic driver framework for Intel(R) E800 Series")
+Signed-off-by: Anirudh Venkataramanan
+Tested-by: Gurucharan G
+Tested-by: Konrad Jankowski
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/ice/ice_main.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c
+index 1567ddd4c5b8..6421e9fd69a2 100644
+--- a/drivers/net/ethernet/intel/ice/ice_main.c
++++ b/drivers/net/ethernet/intel/ice/ice_main.c
+@@ -3991,6 +3991,11 @@ ice_probe(struct pci_dev *pdev, const struct pci_device_id __always_unused *ent)
+ struct ice_hw *hw;
+ int i, err;
+
++ if (pdev->is_virtfn) {
++ dev_err(dev, "can't probe a virtual function\n");
++ return -EINVAL;
++ }
++
+ /* this driver uses devres, see
+ * Documentation/driver-api/driver-model/devres.rst
+ */
+--
+2.30.2
+
diff --git a/queue-5.10/ieee802154-hwsim-fix-gpf-in-hwsim_new_edge_nl.patch b/queue-5.10/ieee802154-hwsim-fix-gpf-in-hwsim_new_edge_nl.patch
new file mode 100644
index 00000000000..767a9777662
--- /dev/null
+++ b/queue-5.10/ieee802154-hwsim-fix-gpf-in-hwsim_new_edge_nl.patch
@@ -0,0 +1,38 @@
+From 1689d71783cb2112ca3206ca9aa5d6715f28993f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 7 Jul 2021 23:56:32 +0800
+Subject: ieee802154: hwsim: fix GPF in hwsim_new_edge_nl
+
+From: Dongliang Mu
+
+[ Upstream commit 889d0e7dc68314a273627d89cbb60c09e1cc1c25 ]
+
+Both MAC802154_HWSIM_ATTR_RADIO_ID and MAC802154_HWSIM_ATTR_RADIO_EDGE
+must be present to fix GPF.
+
+Fixes: f25da51fdc38 ("ieee802154: hwsim: add replacement for fakelb")
+Signed-off-by: Dongliang Mu
+Acked-by: Alexander Aring
+Link: https://lore.kernel.org/r/20210707155633.1486603-1-mudongliangabcd@gmail.com
+Signed-off-by: Stefan Schmidt
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ieee802154/mac802154_hwsim.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ieee802154/mac802154_hwsim.c b/drivers/net/ieee802154/mac802154_hwsim.c
+index 43f389540bba..080b15fc0060 100644
+--- a/drivers/net/ieee802154/mac802154_hwsim.c
++++ b/drivers/net/ieee802154/mac802154_hwsim.c
+@@ -418,7 +418,7 @@ static int hwsim_new_edge_nl(struct sk_buff *msg, struct genl_info *info)
+ struct hwsim_edge *e;
+ u32 v0, v1;
+
+- if (!info->attrs[MAC802154_HWSIM_ATTR_RADIO_ID] &&
++ if (!info->attrs[MAC802154_HWSIM_ATTR_RADIO_ID] ||
+ !info->attrs[MAC802154_HWSIM_ATTR_RADIO_EDGE])
+ return -EINVAL;
+
+--
+2.30.2
+
diff --git a/queue-5.10/ieee802154-hwsim-fix-gpf-in-hwsim_set_edge_lqi.patch b/queue-5.10/ieee802154-hwsim-fix-gpf-in-hwsim_set_edge_lqi.patch
new file mode 100644
index 00000000000..5a45a133936
--- /dev/null
+++ b/queue-5.10/ieee802154-hwsim-fix-gpf-in-hwsim_set_edge_lqi.patch
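Review bot: The corrected guard in hwsim_new_edge_nl still fails with a bare `-EINVAL`, so a netlink client that omits one attribute gets no hint which one was required; since `info` is a `struct genl_info`, adding `NL_SET_ERR_MSG(info->extack, "radio id and radio edge attributes are required");` before the return would make the rejection diagnosable. The same applies to both guards in hwsim_set_edge_lqi in the patch that follows. These attributes come from user space, so any other handler in mac802154_hwsim.c that joins two presence checks with `&&` (none is visible here) would dereference a missing attribute in the same way and is worth auditing. The function body continues outside the hunk.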
@@ -0,0 +1,47 @@
+From 8468debbc5782c5ac9518e214c661a6b83d9b8fe Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 5 Jul 2021 21:13:20 +0800
+Subject: ieee802154: hwsim: fix GPF in hwsim_set_edge_lqi
+
+From: Dongliang Mu
+
+[ Upstream commit e9faf53c5a5d01f6f2a09ae28ec63a3bbd6f64fd ]
+
+Both MAC802154_HWSIM_ATTR_RADIO_ID and MAC802154_HWSIM_ATTR_RADIO_EDGE,
+MAC802154_HWSIM_EDGE_ATTR_ENDPOINT_ID and MAC802154_HWSIM_EDGE_ATTR_LQI
+must be present to fix GPF.
+
+Fixes: f25da51fdc38 ("ieee802154: hwsim: add replacement for fakelb")
+Signed-off-by: Dongliang Mu
+Acked-by: Alexander Aring
+Link: https://lore.kernel.org/r/20210705131321.217111-1-mudongliangabcd@gmail.com
+Signed-off-by: Stefan Schmidt
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ieee802154/mac802154_hwsim.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ieee802154/mac802154_hwsim.c b/drivers/net/ieee802154/mac802154_hwsim.c
+index 626e1ce817fc..43f389540bba 100644
+--- a/drivers/net/ieee802154/mac802154_hwsim.c
++++ b/drivers/net/ieee802154/mac802154_hwsim.c
+@@ -528,14 +528,14 @@ static int hwsim_set_edge_lqi(struct sk_buff *msg, struct genl_info *info)
+ u32 v0, v1;
+ u8 lqi;
+
+- if (!info->attrs[MAC802154_HWSIM_ATTR_RADIO_ID] &&
++ if (!info->attrs[MAC802154_HWSIM_ATTR_RADIO_ID] ||
+ !info->attrs[MAC802154_HWSIM_ATTR_RADIO_EDGE])
+ return -EINVAL;
+
+ if (nla_parse_nested_deprecated(edge_attrs, MAC802154_HWSIM_EDGE_ATTR_MAX, info->attrs[MAC802154_HWSIM_ATTR_RADIO_EDGE], hwsim_edge_policy, NULL))
+ return -EINVAL;
+
+- if (!edge_attrs[MAC802154_HWSIM_EDGE_ATTR_ENDPOINT_ID] &&
++ if (!edge_attrs[MAC802154_HWSIM_EDGE_ATTR_ENDPOINT_ID] ||
+ !edge_attrs[MAC802154_HWSIM_EDGE_ATTR_LQI])
+ return -EINVAL;
+
+--
+2.30.2
+
diff --git a/queue-5.10/interconnect-qcom-icc-rpmh-add-bcms-to-commit-list-i.patch b/queue-5.10/interconnect-qcom-icc-rpmh-add-bcms-to-commit-list-i.patch
new file mode 100644
index 00000000000..6df18bd6acc
--- /dev/null
+++ b/queue-5.10/interconnect-qcom-icc-rpmh-add-bcms-to-commit-list-i.patch 
@@ -0,0 +1,76 @@
+From 36874ac60c095178afa0616db16ee70f61c61d11 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 21 Jul 2021 10:54:32 -0700
+Subject: interconnect: qcom: icc-rpmh: Add BCMs to commit list in
+ pre_aggregate
+
+From: Mike Tipton
+
+[ Upstream commit f84f5b6f72e68bbaeb850b58ac167e4a3a47532a ]
+
+We're only adding BCMs to the commit list in aggregate(), but there are
+cases where pre_aggregate() is called without subsequently calling
+aggregate(). In particular, in icc_sync_state() when a node with initial
+BW has zero requests. Since BCMs aren't added to the commit list in
+these cases, we don't actually send the zero BW request to HW. So the
+resources remain on unnecessarily.
+
+Add BCMs to the commit list in pre_aggregate() instead, which is always
+called even when there are no requests.
+
+Fixes: 976daac4a1c5 ("interconnect: qcom: Consolidate interconnect RPMh support")
+Signed-off-by: Mike Tipton
+Link: https://lore.kernel.org/r/20210721175432.2119-5-mdtipton@codeaurora.org
+Signed-off-by: Georgi Djakov
+Signed-off-by: Sasha Levin
+---
+ drivers/interconnect/qcom/icc-rpmh.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/interconnect/qcom/icc-rpmh.c b/drivers/interconnect/qcom/icc-rpmh.c
+index f6fae64861ce..27cc5f03611c 100644
+--- a/drivers/interconnect/qcom/icc-rpmh.c
++++ b/drivers/interconnect/qcom/icc-rpmh.c
+@@ -20,13 +20,18 @@ void qcom_icc_pre_aggregate(struct icc_node *node)
+ {
+ size_t i;
+ struct qcom_icc_node *qn;
++ struct qcom_icc_provider *qp;
+
+ qn = node->data;
++ qp = to_qcom_provider(node->provider);
+
+ for (i = 0; i < QCOM_ICC_NUM_BUCKETS; i++) {
+ qn->sum_avg[i] = 0;
+ qn->max_peak[i] = 0;
+ }
++
++ for (i = 0; i < qn->num_bcms; i++)
++ qcom_icc_bcm_voter_add(qp->voter, qn->bcms[i]);
+ }
+ EXPORT_SYMBOL_GPL(qcom_icc_pre_aggregate);
+
+@@ -44,10 +49,8 @@ int qcom_icc_aggregate(struct icc_node *node, u32 tag, u32 avg_bw,
+ {
+ size_t i;
+ struct qcom_icc_node *qn;
+- struct qcom_icc_provider *qp;
+
+ qn = node->data;
+- qp = to_qcom_provider(node->provider);
+
+ if (!tag)
+ tag = QCOM_ICC_TAG_ALWAYS;
+@@ -67,9 +70,6 @@ int qcom_icc_aggregate(struct icc_node *node, u32 tag, u32 avg_bw,
+ *agg_avg += avg_bw;
+ *agg_peak = max_t(u32, *agg_peak, peak_bw);
+
+- for (i = 0; i < qn->num_bcms; i++)
+- qcom_icc_bcm_voter_add(qp->voter, qn->bcms[i]);
+-
+ return 0;
+ }
+ EXPORT_SYMBOL_GPL(qcom_icc_aggregate);
+--
+2.30.2
+
diff --git a/queue-5.10/libbpf-fix-probe-for-bpf_prog_type_cgroup_sockopt.patch b/queue-5.10/libbpf-fix-probe-for-bpf_prog_type_cgroup_sockopt.patch
new file mode 100644
index 00000000000..f771df1583c
--- /dev/null
+++ b/queue-5.10/libbpf-fix-probe-for-bpf_prog_type_cgroup_sockopt.patch
@@ -0,0 +1,52 @@
+From 3724486c41d61e3925cbdfe221ff9474f8031bca Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 29 Jul 2021 00:58:25 +0200
+Subject: libbpf: Fix probe for BPF_PROG_TYPE_CGROUP_SOCKOPT
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Robin Gögge
+
+[ Upstream commit 78d14bda861dd2729f15bb438fe355b48514bfe0 ]
+
+This patch fixes the probe for BPF_PROG_TYPE_CGROUP_SOCKOPT,
+so the probe reports accurate results when used by e.g.
+bpftool.
+
+Fixes: 4cdbfb59c44a ("libbpf: support sockopt hooks")
+Signed-off-by: Robin Gögge
+Signed-off-by: Andrii Nakryiko
+Signed-off-by: Daniel Borkmann
+Reviewed-by: Quentin Monnet
+Link: https://lore.kernel.org/bpf/20210728225825.2357586-1-r.goegge@gmail.com
+Signed-off-by: Sasha Levin
+---
+ tools/lib/bpf/libbpf_probes.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/tools/lib/bpf/libbpf_probes.c b/tools/lib/bpf/libbpf_probes.c
+index 5482a9b7ae2d..d38284a3aaf0 100644
+--- a/tools/lib/bpf/libbpf_probes.c
++++ b/tools/lib/bpf/libbpf_probes.c
+@@ -75,6 +75,9 @@ probe_load(enum bpf_prog_type prog_type, const struct bpf_insn *insns,
+ case BPF_PROG_TYPE_CGROUP_SOCK_ADDR:
+ xattr.expected_attach_type = BPF_CGROUP_INET4_CONNECT;
+ break;
++ case BPF_PROG_TYPE_CGROUP_SOCKOPT:
++ xattr.expected_attach_type = BPF_CGROUP_GETSOCKOPT;
++ break;
+ case BPF_PROG_TYPE_SK_LOOKUP:
+ xattr.expected_attach_type = BPF_SK_LOOKUP;
+ break;
+@@ -104,7 +107,6 @@ probe_load(enum bpf_prog_type prog_type, const struct bpf_insn *insns,
+ case BPF_PROG_TYPE_SK_REUSEPORT:
+ case BPF_PROG_TYPE_FLOW_DISSECTOR:
+ case BPF_PROG_TYPE_CGROUP_SYSCTL:
+- case BPF_PROG_TYPE_CGROUP_SOCKOPT:
+ case BPF_PROG_TYPE_TRACING:
+ case BPF_PROG_TYPE_STRUCT_OPS:
+ case BPF_PROG_TYPE_EXT:
+--
+2.30.2
+
diff --git a/queue-5.10/nbd-aovid-double-completion-of-a-request.patch b/queue-5.10/nbd-aovid-double-completion-of-a-request.patch
new file mode 100644
index 00000000000..f8076f1b407
--- /dev/null
+++ b/queue-5.10/nbd-aovid-double-completion-of-a-request.patch
@@ -0,0 +1,69 @@
+From 7ae39894aa9ea8322770c5a097b6afb3104c2185 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 13 Aug 2021 23:13:30 +0800
+Subject: nbd: Aovid double completion of a request
+
+From: Xie Yongji
+
+[ Upstream commit cddce01160582a5f52ada3da9626c052d852ec42 ]
+
+There is a race between iterating over requests in
+nbd_clear_que() and completing requests in recv_work(),
+which can lead to double completion of a request.
+
+To fix it, flush the recv worker before iterating over
+the requests and don't abort the completed request
+while iterating.
+
+Fixes: 96d97e17828f ("nbd: clear_sock on netlink disconnect")
+Reported-by: Jiang Yadong
+Signed-off-by: Xie Yongji
+Reviewed-by: Josef Bacik
+Link: https://lore.kernel.org/r/20210813151330.96-1-xieyongji@bytedance.com
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+---
+ drivers/block/nbd.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
+index 9a70eab7edbf..59c452fff835 100644
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -812,6 +812,10 @@ static bool nbd_clear_req(struct request *req, void *data, bool reserved)
+ {
+ struct nbd_cmd *cmd = blk_mq_rq_to_pdu(req);
+
++ /* don't abort one completed request */
++ if (blk_mq_request_completed(req))
++ return true;
++
+ mutex_lock(&cmd->lock);
+ cmd->status = BLK_STS_IOERR;
+ mutex_unlock(&cmd->lock);
+@@ -2024,15 +2028,19 @@ static void nbd_disconnect_and_put(struct nbd_device *nbd)
+ {
+ mutex_lock(&nbd->config_lock);
+ nbd_disconnect(nbd);
+- nbd_clear_sock(nbd);
+- mutex_unlock(&nbd->config_lock);
++ sock_shutdown(nbd);
+ /*
+ * Make sure recv thread has finished, so it does not drop the last
+ * config ref and try to destroy the workqueue from inside the work
+- * queue.
++ * queue. And this also ensure that we can safely call nbd_clear_que()
++ * to cancel the inflight I/Os.
+ */
+ if (nbd->recv_workq)
+ flush_workqueue(nbd->recv_workq);
++ nbd_clear_que(nbd);
++ nbd->task_setup = NULL;
++ mutex_unlock(&nbd->config_lock);
++
+ if (test_and_clear_bit(NBD_RT_HAS_CONFIG_REF,
+ &nbd->config->runtime_flags))
+ nbd_config_put(nbd);
+--
+2.30.2
+
diff --git a/queue-5.10/net-bridge-fix-flags-interpretation-for-extern-learn.patch b/queue-5.10/net-bridge-fix-flags-interpretation-for-extern-learn.patch
new file mode 100644
index 00000000000..ffcb1381e82
--- /dev/null
+++ b/queue-5.10/net-bridge-fix-flags-interpretation-for-extern-learn.patch
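Review bot: In nbd_disconnect_and_put, `flush_workqueue(nbd->recv_workq);` now runs while `nbd->config_lock` is still held, because the `mutex_unlock()` moved below `nbd_clear_que(nbd);`. If anything on the receive work path can take config_lock (recv_work is not shown here), the flush would never return, so the comment above the flush should state why that cannot happen once it has been confirmed. In nbd_clear_req the `blk_mq_request_completed(req)` test is made before `cmd->lock` is taken, so it is only race-free for callers that have already quiesced the receive workers; other callers of nbd_clear_que() outside this hunk should be checked for that. The added comment text `And this also ensure` should read `This also ensures`.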
@@ -0,0 +1,130 @@
+From 5fea272d5c5f7d933bd762d7a78865f0b83c2abc Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 10 Aug 2021 14:00:10 +0300
+Subject: net: bridge: fix flags interpretation for extern learn fdb entries
+
+From: Nikolay Aleksandrov
+
+[ Upstream commit 45a687879b31caae4032abd1c2402e289d2b8083 ]
+
+Ignore fdb flags when adding port extern learn entries and always set
+BR_FDB_LOCAL flag when adding bridge extern learn entries. This is
+closest to the behaviour we had before and avoids breaking any use cases
+which were allowed.
+
+This patch fixes iproute2 calls which assume NUD_PERMANENT and were
+allowed before, example:
+$ bridge fdb add 00:11:22:33:44:55 dev swp1 extern_learn
+
+Extern learn entries are allowed to roam, but do not expire, so static
+or dynamic flags make no sense for them.
+
+Also add a comment for future reference.
+
+Fixes: eb100e0e24a2 ("net: bridge: allow to add externally learned entries from user-space")
+Fixes: 0541a6293298 ("net: bridge: validate the NUD_PERMANENT bit when adding an extern_learn FDB entry")
+Reviewed-by: Ido Schimmel
+Tested-by: Ido Schimmel
+Signed-off-by: Nikolay Aleksandrov
+Reviewed-by: Vladimir Oltean
+Link: https://lore.kernel.org/r/20210810110010.43859-1-razor@blackwall.org
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ include/uapi/linux/neighbour.h | 7 +++++--
+ net/bridge/br.c | 3 +--
+ net/bridge/br_fdb.c | 11 ++++-------
+ net/bridge/br_private.h | 2 +-
+ 4 files changed, 11 insertions(+), 12 deletions(-)
+
+diff --git a/include/uapi/linux/neighbour.h b/include/uapi/linux/neighbour.h
+index dc8b72201f6c..00a60695fa53 100644
+--- a/include/uapi/linux/neighbour.h
++++ b/include/uapi/linux/neighbour.h
+@@ -66,8 +66,11 @@ enum {
+ #define NUD_NONE 0x00
+
+ /* NUD_NOARP & NUD_PERMANENT are pseudostates, they never change
+- and make no address resolution or NUD.
+- NUD_PERMANENT also cannot be deleted by garbage collectors.
++ * and make no address resolution or NUD.
++ * NUD_PERMANENT also cannot be deleted by garbage collectors.
++ * When NTF_EXT_LEARNED is set for a bridge fdb entry the different cache entry
++ * states don't make sense and thus are ignored. Such entries don't age and
++ * can roam.
+ */
+
+ struct nda_cacheinfo {
+diff --git a/net/bridge/br.c b/net/bridge/br.c
+index a416b01ee773..1b169f8e7491 100644
+--- a/net/bridge/br.c
++++ b/net/bridge/br.c
+@@ -166,8 +166,7 @@ static int br_switchdev_event(struct notifier_block *unused,
+ case SWITCHDEV_FDB_ADD_TO_BRIDGE:
+ fdb_info = ptr;
+ err = br_fdb_external_learn_add(br, p, fdb_info->addr,
+- fdb_info->vid,
+- fdb_info->is_local, false);
++ fdb_info->vid, false);
+ if (err) {
+ err = notifier_from_errno(err);
+ break;
+diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c
+index a729786e0f03..8a6470a21702 100644
+--- a/net/bridge/br_fdb.c
++++ b/net/bridge/br_fdb.c
+@@ -975,10 +975,7 @@ static int __br_fdb_add(struct ndmsg *ndm, struct net_bridge *br,
+ "FDB entry towards bridge must be permanent");
+ return -EINVAL;
+ }
+-
+- err = br_fdb_external_learn_add(br, p, addr, vid,
+- ndm->ndm_state & NUD_PERMANENT,
+- true);
++ err = br_fdb_external_learn_add(br, p, addr, vid, true);
+ } else {
+ spin_lock_bh(&br->hash_lock);
+ err = fdb_add_entry(br, p, addr, ndm, nlh_flags, vid, nfea_tb);
+@@ -1206,7 +1203,7 @@ void br_fdb_unsync_static(struct net_bridge *br, struct net_bridge_port *p)
+ }
+
+ int br_fdb_external_learn_add(struct net_bridge *br, struct net_bridge_port *p,
+- const unsigned char *addr, u16 vid, bool is_local,
++ const unsigned char *addr, u16 vid,
+ bool swdev_notify)
+ {
+ struct net_bridge_fdb_entry *fdb;
+@@ -1224,7 +1221,7 @@ int br_fdb_external_learn_add(struct net_bridge *br, struct net_bridge_port *p,
+ if (swdev_notify)
+ flags |= BIT(BR_FDB_ADDED_BY_USER);
+
+- if (is_local)
++ if (!p)
+ flags |= BIT(BR_FDB_LOCAL);
+
+ fdb = fdb_create(br, p, addr, vid, flags);
+@@ -1253,7 +1250,7 @@ int br_fdb_external_learn_add(struct net_bridge *br, struct net_bridge_port *p,
+ if (swdev_notify)
+ set_bit(BR_FDB_ADDED_BY_USER, &fdb->flags);
+
+- if (is_local)
++ if (!p)
+ set_bit(BR_FDB_LOCAL, &fdb->flags);
+
+ if (modified)
+diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
+index 26f311b2cc11..5e5726048a1a 100644
+--- a/net/bridge/br_private.h
++++ b/net/bridge/br_private.h
+@@ -708,7 +708,7 @@ int br_fdb_get(struct sk_buff *skb, struct nlattr *tb[], struct net_device *dev,
+ int br_fdb_sync_static(struct net_bridge *br, struct net_bridge_port *p);
+ void br_fdb_unsync_static(struct net_bridge *br, struct net_bridge_port *p);
+ int br_fdb_external_learn_add(struct net_bridge *br, struct net_bridge_port *p,
+- const unsigned char *addr, u16 vid, bool is_local,
++ const unsigned char *addr, u16 vid,
+ bool swdev_notify);
+ int br_fdb_external_learn_del(struct net_bridge *br, struct net_bridge_port *p,
+ const unsigned char *addr, u16 vid,
+--
+2.30.2
+
diff --git a/queue-5.10/net-bridge-fix-memleak-in-br_add_if.patch b/queue-5.10/net-bridge-fix-memleak-in-br_add_if.patch
new file mode 100644
index 00000000000..8a77a38839a
--- /dev/null
+++ b/queue-5.10/net-bridge-fix-memleak-in-br_add_if.patch
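Review bot: br_fdb_external_learn_add now derives BR_FDB_LOCAL from `if (!p)` in two places, but nothing at the function says that a NULL port means an entry towards the bridge device itself. A short comment above the definition in br_fdb.c, such as `/* p == NULL: entry points at the bridge itself and is always BR_FDB_LOCAL; NUD state is ignored for extern_learn entries */`, would keep that contract next to the code rather than only in the UAPI header comment. In br_switchdev_event the `fdb_info->is_local` value supplied with SWITCHDEV_FDB_ADD_TO_BRIDGE is now dropped without comment; if a driver can set it for a port entry (not visible here), that behaviour change deserves a sentence as well. All of these functions continue outside the hunks shown.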
@@ -0,0 +1,75 @@
+From b3de964698d3be4e1ef6db625fa9c035a3681ed6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 9 Aug 2021 21:20:23 +0800
+Subject: net: bridge: fix memleak in br_add_if()
+
+From: Yang Yingliang
+
+[ Upstream commit 519133debcc19f5c834e7e28480b60bdc234fe02 ]
+
+I got a memleak report:
+
+BUG: memory leak
+unreferenced object 0x607ee521a658 (size 240):
+comm "syz-executor.0", pid 955, jiffies 4294780569 (age 16.449s)
+hex dump (first 32 bytes, cpu 1):
+00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+backtrace:
+[<00000000d830ea5a>] br_multicast_add_port+0x1c2/0x300 net/bridge/br_multicast.c:1693
+[<00000000274d9a71>] new_nbp net/bridge/br_if.c:435 [inline]
+[<00000000274d9a71>] br_add_if+0x670/0x1740 net/bridge/br_if.c:611
+[<0000000012ce888e>] do_set_master net/core/rtnetlink.c:2513 [inline]
+[<0000000012ce888e>] do_set_master+0x1aa/0x210 net/core/rtnetlink.c:2487
+[<0000000099d1cafc>] __rtnl_newlink+0x1095/0x13e0 net/core/rtnetlink.c:3457
+[<00000000a01facc0>] rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3488
+[<00000000acc9186c>] rtnetlink_rcv_msg+0x369/0xa10 net/core/rtnetlink.c:5550
+[<00000000d4aabb9c>] netlink_rcv_skb+0x134/0x3d0 net/netlink/af_netlink.c:2504
+[<00000000bc2e12a3>] netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline]
+[<00000000bc2e12a3>] netlink_unicast+0x4a0/0x6a0 net/netlink/af_netlink.c:1340
+[<00000000e4dc2d0e>] netlink_sendmsg+0x789/0xc70 net/netlink/af_netlink.c:1929
+[<000000000d22c8b3>] sock_sendmsg_nosec net/socket.c:654 [inline]
+[<000000000d22c8b3>] sock_sendmsg+0x139/0x170 net/socket.c:674
+[<00000000e281417a>] ____sys_sendmsg+0x658/0x7d0 net/socket.c:2350
+[<00000000237aa2ab>] ___sys_sendmsg+0xf8/0x170 net/socket.c:2404
+[<000000004f2dc381>] __sys_sendmsg+0xd3/0x190 net/socket.c:2433
+[<0000000005feca6c>] do_syscall_64+0x37/0x90 arch/x86/entry/common.c:47
+[<000000007304477d>] entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+On error path of br_add_if(), p->mcast_stats allocated in
+new_nbp() need be freed, or it will be leaked.
+
+Fixes: 1080ab95e3c7 ("net: bridge: add support for IGMP/MLD stats and export them via netlink")
+Reported-by: Hulk Robot
+Signed-off-by: Yang Yingliang
+Acked-by: Nikolay Aleksandrov
+Link: https://lore.kernel.org/r/20210809132023.978546-1-yangyingliang@huawei.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/bridge/br_if.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/bridge/br_if.c b/net/bridge/br_if.c
+index 857a2c512ca3..1d87bf51f384 100644
+--- a/net/bridge/br_if.c
++++ b/net/bridge/br_if.c
+@@ -615,6 +615,7 @@ int br_add_if(struct net_bridge *br, struct net_device *dev,
+
+ err = dev_set_allmulti(dev, 1);
+ if (err) {
++ br_multicast_del_port(p);
+ kfree(p); /* kobject not yet init'd, manually free */
+ goto err1;
+ }
+@@ -728,6 +729,7 @@ err4:
+ err3:
+ sysfs_remove_link(br->ifobj, p->dev->name);
+ err2:
++ br_multicast_del_port(p);
+ kobject_put(&p->kobj);
+ dev_set_allmulti(dev, -1);
+ err1:
+--
+2.30.2
+
diff --git a/queue-5.10/net-bridge-validate-the-nud_permanent-bit-when-addin.patch b/queue-5.10/net-bridge-validate-the-nud_permanent-bit-when-addin.patch
new file mode 100644
index 00000000000..c42e433adc3
--- /dev/null
+++ b/queue-5.10/net-bridge-validate-the-nud_permanent-bit-when-addin.patch
@@ -0,0 +1,191 @@
+From 5c3230552dacbe86157a399f361bf1549c9b49a5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 2 Aug 2021 02:17:30 +0300
+Subject: net: bridge: validate the NUD_PERMANENT bit when adding an
+ extern_learn FDB entry
+
+From: Vladimir Oltean
+
+[ Upstream commit 0541a6293298fb52789de389dfb27ef54df81f73 ]
+
+Currently it is possible to add broken extern_learn FDB entries to the
+bridge in two ways:
+
+1. Entries pointing towards the bridge device that are not local/permanent:
+
+ip link add br0 type bridge
+bridge fdb add 00:01:02:03:04:05 dev br0 self extern_learn static
+
+2. Entries pointing towards the bridge device or towards a port that
+are marked as local/permanent, however the bridge does not process the
+'permanent' bit in any way, therefore they are recorded as though they
+aren't permanent:
+
+ip link add br0 type bridge
+bridge fdb add 00:01:02:03:04:05 dev br0 self extern_learn permanent
+
+Since commit 52e4bec15546 ("net: bridge: switchdev: treat local FDBs the
+same as entries towards the bridge"), these incorrect FDB entries can
+even trigger NULL pointer dereferences inside the kernel.
+
+This is because that commit made the assumption that all FDB entries
+that are not local/permanent have a valid destination port. For context,
+local / permanent FDB entries either have fdb->dst == NULL, and these
+point towards the bridge device and are therefore local and not to be
+used for forwarding, or have fdb->dst == a net_bridge_port structure
+(but are to be treated in the same way, i.e. not for forwarding).
+
+That assumption _is_ correct as long as things are working correctly in
+the bridge driver, i.e. we cannot logically have fdb->dst == NULL under
+any circumstance for FDB entries that are not local. However, the
+extern_learn code path where FDB entries are managed by a user space
+controller show that it is possible for the bridge kernel driver to
+misinterpret the NUD flags of an entry transmitted by user space, and
+end up having fdb->dst == NULL while not being a local entry. This is
+invalid and should be rejected.
+
+Before, the two commands listed above both crashed the kernel in this
+check from br_switchdev_fdb_notify:
+
+ struct net_device *dev = info.is_local ? br->dev : dst->dev;
+
+info.is_local == false, dst == NULL.
+
+After this patch, the invalid entry added by the first command is
+rejected:
+
+ip link add br0 type bridge && bridge fdb add 00:01:02:03:04:05 dev br0 self extern_learn static; ip link del br0
+Error: bridge: FDB entry towards bridge must be permanent.
+
+and the valid entry added by the second command is properly treated as a
+local address and does not crash br_switchdev_fdb_notify anymore:
+
+ip link add br0 type bridge && bridge fdb add 00:01:02:03:04:05 dev br0 self extern_learn permanent; ip link del br0
+
+Fixes: eb100e0e24a2 ("net: bridge: allow to add externally learned entries from user-space")
+Reported-by: syzbot+9ba1174359adba5a5b7c@syzkaller.appspotmail.com
+Signed-off-by: Vladimir Oltean
+Acked-by: Nikolay Aleksandrov
+Link: https://lore.kernel.org/r/20210801231730.7493-1-vladimir.oltean@nxp.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/bridge/br.c | 3 ++-
+ net/bridge/br_fdb.c | 30 ++++++++++++++++++++++++------
+ net/bridge/br_private.h | 2 +-
+ 3 files changed, 27 insertions(+), 8 deletions(-)
+
+diff --git a/net/bridge/br.c b/net/bridge/br.c
+index 1b169f8e7491..a416b01ee773 100644
+--- a/net/bridge/br.c
++++ b/net/bridge/br.c
+@@ -166,7 +166,8 @@ static int br_switchdev_event(struct notifier_block *unused,
+ case SWITCHDEV_FDB_ADD_TO_BRIDGE:
+ fdb_info = ptr;
+ err = br_fdb_external_learn_add(br, p, fdb_info->addr,
+- fdb_info->vid, false);
++ fdb_info->vid,
++ fdb_info->is_local, false);
+ if (err) {
+ err = notifier_from_errno(err);
+ break;
+diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c
+index 32ac8343b0ba..a729786e0f03 100644
+--- a/net/bridge/br_fdb.c
++++ b/net/bridge/br_fdb.c
+@@ -950,7 +950,8 @@ static int fdb_add_entry(struct net_bridge *br, struct net_bridge_port *source,
+
+ static int __br_fdb_add(struct ndmsg *ndm, struct net_bridge *br,
+ struct net_bridge_port *p, const unsigned char *addr,
+- u16 nlh_flags, u16 vid, struct nlattr *nfea_tb[])
++ u16 nlh_flags, u16 vid, struct nlattr *nfea_tb[],
++ struct netlink_ext_ack *extack)
+ {
+ int err = 0;
+
+@@ -969,7 +970,15 @@ static int __br_fdb_add(struct ndmsg *ndm, struct net_bridge *br,
+ rcu_read_unlock();
+ local_bh_enable();
+ } else if (ndm->ndm_flags & NTF_EXT_LEARNED) {
+- err = br_fdb_external_learn_add(br, p, addr, vid, true);
++ if (!p && !(ndm->ndm_state & NUD_PERMANENT)) {
++ NL_SET_ERR_MSG_MOD(extack,
++ "FDB entry towards bridge must be permanent");
++ return -EINVAL;
++ }
++
++ err = br_fdb_external_learn_add(br, p, addr, vid,
++ ndm->ndm_state & NUD_PERMANENT,
++ true);
+ } else {
+ spin_lock_bh(&br->hash_lock);
+ err = fdb_add_entry(br, p, addr, ndm, nlh_flags, vid, nfea_tb);
+@@ -1041,9 +1050,11 @@ int br_fdb_add(struct ndmsg *ndm, struct nlattr *tb[],
+ }
+
+ /* VID was specified, so use it. */
+- err = __br_fdb_add(ndm, br, p, addr, nlh_flags, vid, nfea_tb);
++ err = __br_fdb_add(ndm, br, p, addr, nlh_flags, vid, nfea_tb,
++ extack);
+ } else {
+- err = __br_fdb_add(ndm, br, p, addr, nlh_flags, 0, nfea_tb);
++ err = __br_fdb_add(ndm, br, p, addr, nlh_flags, 0, nfea_tb,
++ extack);
+ if (err || !vg || !vg->num_vlans)
+ goto out;
+
+@@ -1055,7 +1066,7 @@ int br_fdb_add(struct ndmsg *ndm, struct nlattr *tb[],
+ if (!br_vlan_should_use(v))
+ continue;
+ err = __br_fdb_add(ndm, br, p, addr, nlh_flags, v->vid,
+- nfea_tb);
++ nfea_tb, extack);
+ if (err)
+ goto out;
+ }
+@@ -1195,7 +1206,7 @@ void br_fdb_unsync_static(struct net_bridge *br, struct net_bridge_port *p)
+ }
+
+ int br_fdb_external_learn_add(struct net_bridge *br, struct net_bridge_port *p,
+- const unsigned char *addr, u16 vid,
++ const unsigned char *addr, u16 vid, bool is_local,
+ bool swdev_notify)
+ {
+ struct net_bridge_fdb_entry *fdb;
+@@ -1212,6 +1223,10 @@ int br_fdb_external_learn_add(struct net_bridge *br, struct net_bridge_port *p,
+
+ if (swdev_notify)
+ flags |= BIT(BR_FDB_ADDED_BY_USER);
++
++ if (is_local)
++ flags |= BIT(BR_FDB_LOCAL);
++
+ fdb = fdb_create(br, p, addr, vid, flags);
+ if (!fdb) {
+ err = -ENOMEM;
+@@ -1238,6 +1253,9 @@ int br_fdb_external_learn_add(struct net_bridge *br, struct net_bridge_port *p,
+ if (swdev_notify)
+ set_bit(BR_FDB_ADDED_BY_USER, &fdb->flags);
+
++ if (is_local)
++ set_bit(BR_FDB_LOCAL, &fdb->flags);
++
+ if (modified)
+ fdb_notify(br, fdb, RTM_NEWNEIGH, swdev_notify);
+ }
+diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
+index 5e5726048a1a..26f311b2cc11 100644
+--- a/net/bridge/br_private.h
++++ b/net/bridge/br_private.h
+@@ -708,7 +708,7 @@ int br_fdb_get(struct sk_buff *skb, struct nlattr *tb[], struct net_device *dev,
+ int br_fdb_sync_static(struct net_bridge *br, struct net_bridge_port *p);
+ void br_fdb_unsync_static(struct net_bridge *br, struct net_bridge_port *p);
+ int br_fdb_external_learn_add(struct net_bridge *br, struct net_bridge_port *p,
+- const unsigned char *addr, u16 vid,
++ const unsigned char *addr, u16 vid, bool is_local,
+ bool swdev_notify);
+ int br_fdb_external_learn_del(struct net_bridge *br, struct net_bridge_port *p,
+ const unsigned char *addr, u16 vid,
+--
+2.30.2
+
diff --git a/queue-5.10/net-dsa-lan9303-fix-broken-backpressure-in-.port_fdb.patch b/queue-5.10/net-dsa-lan9303-fix-broken-backpressure-in-.port_fdb.patch
new file mode 100644
index 00000000000..cedd7440349
--- /dev/null
+++ b/queue-5.10/net-dsa-lan9303-fix-broken-backpressure-in-.port_fdb.patch
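Review bot: In the update branch of br_fdb_external_learn_add() (the `@@ -1238,6 +1253,9 @@` hunk), setting `BR_FDB_LOCAL` on an existing entry does not appear to count as a modification: the added `set_bit()` sits directly above `if (modified) fdb_notify(...)` and does not touch `modified`. If that reading is right, an existing entry that is re-added as permanent changes its flags without a notification; the added lines could instead be `if (is_local && !test_and_set_bit(BR_FDB_LOCAL, &fdb->flags)) modified = true;`. The branch also never clears the bit when `is_local` is false, which may be intended but deserves a comment. The code that computes `modified` lies outside the hunk, so this needs checking against the full function.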
@@ -0,0 +1,138 @@
+From 5ec4306cf18cdc6d119475616fa140d3518e9b06 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 10 Aug 2021 14:19:54 +0300
+Subject: net: dsa: lan9303: fix broken backpressure in .port_fdb_dump
+
+From: Vladimir Oltean
+
+[ Upstream commit ada2fee185d8145afb89056558bb59545b9dbdd0 ]
+
+rtnl_fdb_dump() has logic to split a dump of PF_BRIDGE neighbors into
+multiple netlink skbs if the buffer provided by user space is too small
+(one buffer will typically handle a few hundred FDB entries).
+
+When the current buffer becomes full, nlmsg_put() in
+dsa_slave_port_fdb_do_dump() returns -EMSGSIZE and DSA saves the index
+of the last dumped FDB entry, returns to rtnl_fdb_dump() up to that
+point, and then the dump resumes on the same port with a new skb, and
+FDB entries up to the saved index are simply skipped.
+
+Since dsa_slave_port_fdb_do_dump() is pointed to by the "cb" passed to
+drivers, then drivers must check for the -EMSGSIZE error code returned
+by it. Otherwise, when a netlink skb becomes full, DSA will no longer
+save newly dumped FDB entries to it, but the driver will continue
+dumping. So FDB entries will be missing from the dump.
+
+Fix the broken backpressure by propagating the "cb" return code and
+allow rtnl_fdb_dump() to restart the FDB dump with a new skb.
+
+Fixes: ab335349b852 ("net: dsa: lan9303: Add port_fast_age and port_fdb_dump methods")
+Signed-off-by: Vladimir Oltean
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/dsa/lan9303-core.c | 34 +++++++++++++++++++---------------
+ 1 file changed, 19 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/net/dsa/lan9303-core.c b/drivers/net/dsa/lan9303-core.c
+index aa1142d6a9f5..dcf1fc89451f 100644
+--- a/drivers/net/dsa/lan9303-core.c
++++ b/drivers/net/dsa/lan9303-core.c
+@@ -557,12 +557,12 @@ static int lan9303_alr_make_entry_raw(struct lan9303 *chip, u32 dat0, u32 dat1)
+ return 0;
+ }
+
+-typedef void alr_loop_cb_t(struct lan9303 *chip, u32 dat0, u32 dat1,
+- int portmap, void *ctx);
++typedef int alr_loop_cb_t(struct lan9303 *chip, u32 dat0, u32 dat1,
++ int portmap, void *ctx);
+
+-static void lan9303_alr_loop(struct lan9303 *chip, alr_loop_cb_t *cb, void *ctx)
++static int lan9303_alr_loop(struct lan9303 *chip, alr_loop_cb_t *cb, void *ctx)
+ {
+- int i;
++ int ret = 0, i;
+
+ mutex_lock(&chip->alr_mutex);
+ lan9303_write_switch_reg(chip, LAN9303_SWE_ALR_CMD,
+@@ -582,13 +582,17 @@ static void lan9303_alr_loop(struct lan9303 *chip, alr_loop_cb_t *cb, void *ctx)
+ LAN9303_ALR_DAT1_PORT_BITOFFS;
+ portmap = alrport_2_portmap[alrport];
+
+- cb(chip, dat0, dat1, portmap, ctx);
++ ret = cb(chip, dat0, dat1, portmap, ctx);
++ if (ret)
++ break;
+
+ lan9303_write_switch_reg(chip, LAN9303_SWE_ALR_CMD,
+ LAN9303_ALR_CMD_GET_NEXT);
+ lan9303_write_switch_reg(chip, LAN9303_SWE_ALR_CMD, 0);
+ }
+ mutex_unlock(&chip->alr_mutex);
++
++ return ret;
+ }
+
+ static void alr_reg_to_mac(u32 dat0, u32 dat1, u8 mac[6])
+@@ -606,18 +610,20 @@ struct del_port_learned_ctx {
+ };
+
+ /* Clear learned (non-static) entry on given port */
+-static void alr_loop_cb_del_port_learned(struct lan9303 *chip, u32 dat0,
+- u32 dat1, int portmap, void *ctx)
++static int alr_loop_cb_del_port_learned(struct lan9303 *chip, u32 dat0,
++ u32 dat1, int portmap, void *ctx)
+ {
+ struct del_port_learned_ctx *del_ctx = ctx;
+ int port = del_ctx->port;
+
+ if (((BIT(port) & portmap) == 0) || (dat1 & LAN9303_ALR_DAT1_STATIC))
+- return;
++ return 0;
+
+ /* learned entries has only one port, we can just delete */
+ dat1 &= ~LAN9303_ALR_DAT1_VALID; /* delete entry */
+ lan9303_alr_make_entry_raw(chip, dat0, dat1);
++
++ return 0;
+ }
+
+ struct port_fdb_dump_ctx {
+@@ -626,19 +632,19 @@ struct port_fdb_dump_ctx {
+ dsa_fdb_dump_cb_t *cb;
+ };
+
+-static void alr_loop_cb_fdb_port_dump(struct lan9303 *chip, u32 dat0,
+- u32 dat1, int portmap, void *ctx)
++static int alr_loop_cb_fdb_port_dump(struct lan9303 *chip, u32 dat0,
++ u32 dat1, int portmap, void *ctx)
+ {
+ struct port_fdb_dump_ctx *dump_ctx = ctx;
+ u8 mac[ETH_ALEN];
+ bool is_static;
+
+ if ((BIT(dump_ctx->port) & portmap) == 0)
+- return;
++ return 0;
+
+ alr_reg_to_mac(dat0, dat1, mac);
+ is_static = !!(dat1 & LAN9303_ALR_DAT1_STATIC);
+- dump_ctx->cb(mac, 0, is_static, dump_ctx->data);
++ return dump_ctx->cb(mac, 0, is_static, dump_ctx->data);
+ }
+
+ /* Set a static ALR entry. Delete entry if port_map is zero */
+@@ -1210,9 +1216,7 @@ static int lan9303_port_fdb_dump(struct dsa_switch *ds, int port,
+ };
+
+ dev_dbg(chip->dev, "%s(%d)\n", __func__, port);
+- lan9303_alr_loop(chip, alr_loop_cb_fdb_port_dump, &dump_ctx);
+-
+- return 0;
++ return lan9303_alr_loop(chip, alr_loop_cb_fdb_port_dump, &dump_ctx);
+ }
+
+ static int lan9303_port_mdb_prepare(struct dsa_switch *ds, int port,
+--
+2.30.2
+
diff --git a/queue-5.10/net-dsa-lantiq-fix-broken-backpressure-in-.port_fdb_.patch b/queue-5.10/net-dsa-lantiq-fix-broken-backpressure-in-.port_fdb_.patch
new file mode 100644
index 00000000000..441aca7c068
--- /dev/null
+++ b/queue-5.10/net-dsa-lantiq-fix-broken-backpressure-in-.port_fdb_.patch
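Review bot: The new `int` return of `alr_loop_cb_t` has no documented contract, although lan9303_alr_loop() now stops the walk on the first non-zero value and hands it back to its caller. A comment above the typedef, for example `/* Return 0 to continue the ALR walk; any other value stops it and is returned by lan9303_alr_loop() */`, would tell future callback authors that a stray error code ends the iteration early. In the same patch, alr_loop_cb_del_port_learned() still discards the result of lan9303_alr_make_entry_raw() and returns 0 unconditionally; that keeps the previous behaviour, but a comment saying the result is ignored on purpose would stop it from looking like an oversight now that the callback can report errors.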
@@ -0,0 +1,65 @@
+From 65df0fd07344353be4829cbb96a2c84b010a1808 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 10 Aug 2021 14:19:55 +0300
+Subject: net: dsa: lantiq: fix broken backpressure in .port_fdb_dump
+
+From: Vladimir Oltean
+
+[ Upstream commit 871a73a1c8f55da0a3db234e9dd816ea4fd546f2 ]
+
+rtnl_fdb_dump() has logic to split a dump of PF_BRIDGE neighbors into
+multiple netlink skbs if the buffer provided by user space is too small
+(one buffer will typically handle a few hundred FDB entries).
+
+When the current buffer becomes full, nlmsg_put() in
+dsa_slave_port_fdb_do_dump() returns -EMSGSIZE and DSA saves the index
+of the last dumped FDB entry, returns to rtnl_fdb_dump() up to that
+point, and then the dump resumes on the same port with a new skb, and
+FDB entries up to the saved index are simply skipped.
+
+Since dsa_slave_port_fdb_do_dump() is pointed to by the "cb" passed to
+drivers, then drivers must check for the -EMSGSIZE error code returned
+by it. Otherwise, when a netlink skb becomes full, DSA will no longer
+save newly dumped FDB entries to it, but the driver will continue
+dumping. So FDB entries will be missing from the dump.
+
+Fix the broken backpressure by propagating the "cb" return code and
+allow rtnl_fdb_dump() to restart the FDB dump with a new skb.
+
+Fixes: 58c59ef9e930 ("net: dsa: lantiq: Add Forwarding Database access")
+Signed-off-by: Vladimir Oltean
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/dsa/lantiq_gswip.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/dsa/lantiq_gswip.c b/drivers/net/dsa/lantiq_gswip.c
+index 93c7fa1fd4cb..a455534740cd 100644
+--- a/drivers/net/dsa/lantiq_gswip.c
++++ b/drivers/net/dsa/lantiq_gswip.c
+@@ -1416,11 +1416,17 @@ static int gswip_port_fdb_dump(struct dsa_switch *ds, int port,
+ addr[1] = mac_bridge.key[2] & 0xff;
+ addr[0] = (mac_bridge.key[2] >> 8) & 0xff;
+ if (mac_bridge.val[1] & GSWIP_TABLE_MAC_BRIDGE_STATIC) {
+- if (mac_bridge.val[0] & BIT(port))
+- cb(addr, 0, true, data);
++ if (mac_bridge.val[0] & BIT(port)) {
++ err = cb(addr, 0, true, data);
++ if (err)
++ return err;
++ }
+ } else {
+- if (((mac_bridge.val[0] & GENMASK(7, 4)) >> 4) == port)
+- cb(addr, 0, false, data);
++ if (((mac_bridge.val[0] & GENMASK(7, 4)) >> 4) == port) {
++ err = cb(addr, 0, false, data);
++ if (err)
++ return err;
++ }
+ }
+ }
+ return 0;
+--
+2.30.2
+
diff --git a/queue-5.10/net-dsa-microchip-fix-ksz_read64.patch b/queue-5.10/net-dsa-microchip-fix-ksz_read64.patch
new file mode 100644
index 00000000000..5dcf57415cd
--- /dev/null
+++ b/queue-5.10/net-dsa-microchip-fix-ksz_read64.patch
@@ -0,0 +1,43 @@
+From 357f4e4d19f0943930b1c0690341aef90eeda12e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 10 Aug 2021 00:59:12 +0200
+Subject: net: dsa: microchip: Fix ksz_read64()
+
+From: Ben Hutchings
+
+[ Upstream commit c34f674c8875235725c3ef86147a627f165d23b4 ]
+
+ksz_read64() currently does some dubious byte-swapping on the two
+halves of a 64-bit register, and then only returns the high bits.
+Replace this with a straightforward expression.
+
+Fixes: e66f840c08a2 ("net: dsa: ksz: Add Microchip KSZ8795 DSA driver")
+Signed-off-by: Ben Hutchings
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/dsa/microchip/ksz_common.h | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/dsa/microchip/ksz_common.h b/drivers/net/dsa/microchip/ksz_common.h
+index cf866e48ff66..a51c716ec920 100644
+--- a/drivers/net/dsa/microchip/ksz_common.h
++++ b/drivers/net/dsa/microchip/ksz_common.h
+@@ -210,12 +210,8 @@ static inline int ksz_read64(struct ksz_device *dev, u32 reg, u64 *val)
+ int ret;
+
+ ret = regmap_bulk_read(dev->regmap[2], reg, value, 2);
+- if (!ret) {
+- /* Ick! ToDo: Add 64bit R/W to regmap on 32bit systems */
+- value[0] = swab32(value[0]);
+- value[1] = swab32(value[1]);
+- *val = swab64((u64)*value);
+- }
++ if (!ret)
++ *val = (u64)value[0] << 32 | value[1];
+
+ return ret;
+ }
+--
+2.30.2
+
diff --git a/queue-5.10/net-dsa-microchip-ksz8795-fix-vlan-filtering.patch b/queue-5.10/net-dsa-microchip-ksz8795-fix-vlan-filtering.patch
new file mode 100644
index 00000000000..7698ecac1b5
--- /dev/null
+++ b/queue-5.10/net-dsa-microchip-ksz8795-fix-vlan-filtering.patch
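Review bot: The new expression `*val = (u64)value[0] << 32 | value[1];` relies on `<<` binding tighter than `|`, and nothing in the code says why `value[0]` is the upper half. Writing it as `*val = ((u64)value[0] << 32) | value[1];` with a comment such as `/* the first 32-bit word read holds the upper half */` would pin the word order down in the source, which matters here because the commit message says the old code got exactly this wrong and returned only the high bits. The declaration of `value` is outside the hunk, so its element type is assumed to be a 32-bit unsigned type.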
@@ -0,0 +1,64 @@
+From cb21f67b1b622c180b813016c31627b40ea8a979 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 10 Aug 2021 01:00:06 +0200
+Subject: net: dsa: microchip: ksz8795: Fix VLAN filtering
+
+From: Ben Hutchings
+
+[ Upstream commit 164844135a3f215d3018ee9d6875336beb942413 ]
+
+Currently ksz8_port_vlan_filtering() sets or clears the VLAN Enable
+hardware flag. That controls discarding of packets with a VID that
+has not been enabled for any port on the switch.
+
+Since it is a global flag, set the dsa_switch::vlan_filtering_is_global
+flag so that the DSA core understands this can't be controlled per
+port.
+
+When VLAN filtering is enabled, the switch should also discard packets
+with a VID that's not enabled on the ingress port. Set or clear each
+external port's VLAN Ingress Filter flag in ksz8_port_vlan_filtering()
+to make that happen.
+
+Fixes: e66f840c08a2 ("net: dsa: ksz: Add Microchip KSZ8795 DSA driver")
+Signed-off-by: Ben Hutchings
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/dsa/microchip/ksz8795.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/drivers/net/dsa/microchip/ksz8795.c b/drivers/net/dsa/microchip/ksz8795.c
+index 1e101ab56cea..108a14db1f1a 100644
+--- a/drivers/net/dsa/microchip/ksz8795.c
++++ b/drivers/net/dsa/microchip/ksz8795.c
+@@ -790,8 +790,14 @@ static int ksz8795_port_vlan_filtering(struct dsa_switch *ds, int port,
+ if (switchdev_trans_ph_prepare(trans))
+ return 0;
+
++ /* Discard packets with VID not enabled on the switch */
+ ksz_cfg(dev, S_MIRROR_CTRL, SW_VLAN_ENABLE, flag);
+
++ /* Discard packets with VID not enabled on the ingress port */
++ for (port = 0; port < dev->phy_port_cnt; ++port)
++ ksz_port_cfg(dev, port, REG_PORT_CTRL_2, PORT_INGRESS_FILTER,
++ flag);
++
+ return 0;
+ }
+
+@@ -1266,6 +1272,11 @@ static int ksz8795_switch_init(struct ksz_device *dev)
+ /* set the real number of ports */
+ dev->ds->num_ports = dev->port_cnt + 1;
+
++ /* VLAN filtering is partly controlled by the global VLAN
++ * Enable flag
++ */
++ dev->ds->vlan_filtering_is_global = true;
++
+ return 0;
+ }
+
+--
+2.30.2
+
diff --git a/queue-5.10/net-dsa-mt7530-add-the-missing-rxunicast-mib-counter.patch b/queue-5.10/net-dsa-mt7530-add-the-missing-rxunicast-mib-counter.patch
new file mode 100644
index 00000000000..50e0d6b1ee7
--- /dev/null
+++ b/queue-5.10/net-dsa-mt7530-add-the-missing-rxunicast-mib-counter.patch
@@ -0,0 +1,34 @@
+From 16c56d0508aa58c11aebd1ed15f9c96891432756 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 6 Aug 2021 12:05:27 +0800
+Subject: net: dsa: mt7530: add the missing RxUnicast MIB counter
+
+From: DENG Qingfang
+
+[ Upstream commit aff51c5da3208bd164381e1488998667269c6cf4 ]
+
+Add the missing RxUnicast counter.
+
+Fixes: b8f126a8d543 ("net-next: dsa: add dsa support for Mediatek MT7530 switch")
+Signed-off-by: DENG Qingfang
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/dsa/mt7530.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/dsa/mt7530.c b/drivers/net/dsa/mt7530.c
+index 190025a0a98e..3fa2f81c8b47 100644
+--- a/drivers/net/dsa/mt7530.c
++++ b/drivers/net/dsa/mt7530.c
+@@ -45,6 +45,7 @@ static const struct mt7530_mib_desc mt7530_mib[] = {
+ MIB_DESC(2, 0x48, "TxBytes"),
+ MIB_DESC(1, 0x60, "RxDrop"),
+ MIB_DESC(1, 0x64, "RxFiltering"),
++ MIB_DESC(1, 0x68, "RxUnicast"),
+ MIB_DESC(1, 0x6c, "RxMulticast"),
+ MIB_DESC(1, 0x70, "RxBroadcast"),
+ MIB_DESC(1, 0x74, "RxAlignErr"),
+--
+2.30.2
+
diff --git a/queue-5.10/net-dsa-sja1105-fix-broken-backpressure-in-.port_fdb.patch b/queue-5.10/net-dsa-sja1105-fix-broken-backpressure-in-.port_fdb.patch
new file mode 100644
index 00000000000..97fd9a3226f
--- /dev/null
+++ b/queue-5.10/net-dsa-sja1105-fix-broken-backpressure-in-.port_fdb.patch
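Review bot: In ksz8795_port_vlan_filtering() the added loop reuses the function's `port` argument as its counter (`for (port = 0; port < dev->phy_port_cnt; ++port)`), so the caller-supplied port number is overwritten. Nothing after the loop in the hunk reads it, but a separate local keeps the parameter meaningful for later edits: declare `int i;` and write `for (i = 0; i < dev->phy_port_cnt; ++i)` with `ksz_port_cfg(dev, i, REG_PORT_CTRL_2, PORT_INGRESS_FILTER, flag);`. The comment above the loop could also say that the ingress filter is applied to every external port regardless of which port the request named, matching the `vlan_filtering_is_global` flag set in ksz8795_switch_init(). The function starts outside the hunk, so its declarations are not visible here.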
@@ -0,0 +1,54 @@
+From 98605c3e59dcff04e6388a3c0354027ef5270a67 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 10 Aug 2021 14:19:56 +0300
+Subject: net: dsa: sja1105: fix broken backpressure in .port_fdb_dump
+
+From: Vladimir Oltean
+
+[ Upstream commit 21b52fed928e96d2f75d2f6aa9eac7a4b0b55d22 ]
+
+rtnl_fdb_dump() has logic to split a dump of PF_BRIDGE neighbors into
+multiple netlink skbs if the buffer provided by user space is too small
+(one buffer will typically handle a few hundred FDB entries).
+
+When the current buffer becomes full, nlmsg_put() in
+dsa_slave_port_fdb_do_dump() returns -EMSGSIZE and DSA saves the index
+of the last dumped FDB entry, returns to rtnl_fdb_dump() up to that
+point, and then the dump resumes on the same port with a new skb, and
+FDB entries up to the saved index are simply skipped.
+
+Since dsa_slave_port_fdb_do_dump() is pointed to by the "cb" passed to
+drivers, then drivers must check for the -EMSGSIZE error code returned
+by it. Otherwise, when a netlink skb becomes full, DSA will no longer
+save newly dumped FDB entries to it, but the driver will continue
+dumping. So FDB entries will be missing from the dump.
+
+Fix the broken backpressure by propagating the "cb" return code and
+allow rtnl_fdb_dump() to restart the FDB dump with a new skb.
+
+Fixes: 291d1e72b756 ("net: dsa: sja1105: Add support for FDB and MDB management")
+Signed-off-by: Vladimir Oltean
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/dsa/sja1105/sja1105_main.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/dsa/sja1105/sja1105_main.c b/drivers/net/dsa/sja1105/sja1105_main.c
+index 855371fcbf85..c03d76c10868 100644
+--- a/drivers/net/dsa/sja1105/sja1105_main.c
++++ b/drivers/net/dsa/sja1105/sja1105_main.c
+@@ -1566,7 +1566,9 @@ static int sja1105_fdb_dump(struct dsa_switch *ds, int port,
+ /* We need to hide the dsa_8021q VLANs from the user. */
+ if (priv->vlan_state == SJA1105_VLAN_UNAWARE)
+ l2_lookup.vlanid = 0;
+- cb(macaddr, l2_lookup.vlanid, l2_lookup.lockeds, data);
++ rc = cb(macaddr, l2_lookup.vlanid, l2_lookup.lockeds, data);
++ if (rc)
++ return rc;
+ }
+ return 0;
+ }
+--
+2.30.2
+
diff --git a/queue-5.10/net-fix-memory-leak-in-ieee802154_raw_deliver.patch b/queue-5.10/net-fix-memory-leak-in-ieee802154_raw_deliver.patch
new file mode 100644
index 00000000000..3e1c10074ba
--- /dev/null
+++ b/queue-5.10/net-fix-memory-leak-in-ieee802154_raw_deliver.patch
@@ -0,0 +1,87 @@
+From 555e64eca1648d22a08e5fb2b334bfec9b39af9d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 5 Aug 2021 16:54:14 +0900
+Subject: net: Fix memory leak in ieee802154_raw_deliver
+
+From: Takeshi Misawa
+
+[ Upstream commit 1090340f7ee53e824fd4eef66a4855d548110c5b ]
+
+If IEEE-802.15.4-RAW is closed before receive skb, skb is leaked.
+Fix this, by freeing sk_receive_queue in sk->sk_destruct().
+
+syzbot report:
+BUG: memory leak
+unreferenced object 0xffff88810f644600 (size 232):
+ comm "softirq", pid 0, jiffies 4294967032 (age 81.270s)
+ hex dump (first 32 bytes):
+ 10 7d 4b 12 81 88 ff ff 10 7d 4b 12 81 88 ff ff .}K......}K.....
+ 00 00 00 00 00 00 00 00 40 7c 4b 12 81 88 ff ff ........@|K.....
+ backtrace:
+ [] skb_clone+0xaa/0x2b0 net/core/skbuff.c:1496
+ [] ieee802154_raw_deliver net/ieee802154/socket.c:369 [inline]
+ [] ieee802154_rcv+0x100/0x340 net/ieee802154/socket.c:1070
+ [] __netif_receive_skb_one_core+0x6a/0xa0 net/core/dev.c:5384
+ [] __netif_receive_skb+0x27/0xa0 net/core/dev.c:5498
+ [] netif_receive_skb_internal net/core/dev.c:5603 [inline]
+ [] netif_receive_skb+0x59/0x260 net/core/dev.c:5662
+ [] ieee802154_deliver_skb net/mac802154/rx.c:29 [inline]
+ [] ieee802154_subif_frame net/mac802154/rx.c:102 [inline]
+ [] __ieee802154_rx_handle_packet net/mac802154/rx.c:212 [inline]
+ [] ieee802154_rx+0x612/0x620 net/mac802154/rx.c:284
+ [] ieee802154_tasklet_handler+0x86/0xa0 net/mac802154/main.c:35
+ [] tasklet_action_common.constprop.0+0x5b/0x100 kernel/softirq.c:557
+ [] __do_softirq+0xbf/0x2ab kernel/softirq.c:345
+ [] do_softirq kernel/softirq.c:248 [inline]
+ [] do_softirq+0x5c/0x80 kernel/softirq.c:235
+ [] __local_bh_enable_ip+0x51/0x60 kernel/softirq.c:198
+ [] local_bh_enable include/linux/bottom_half.h:32 [inline]
+ [] rcu_read_unlock_bh include/linux/rcupdate.h:745 [inline]
+ [] __dev_queue_xmit+0x7f4/0xf60 net/core/dev.c:4221
+ [] raw_sendmsg+0x1f4/0x2b0 net/ieee802154/socket.c:295
+ [] sock_sendmsg_nosec net/socket.c:654 [inline]
+ [] sock_sendmsg+0x56/0x80 net/socket.c:674
+ [] __sys_sendto+0x15c/0x200 net/socket.c:1977
+ [] __do_sys_sendto net/socket.c:1989 [inline]
+ [] __se_sys_sendto net/socket.c:1985 [inline]
+ [] __x64_sys_sendto+0x26/0x30 net/socket.c:1985
+
+Fixes: 9ec767160357 ("net: add IEEE 802.15.4 socket family implementation")
+Reported-and-tested-by: syzbot+1f68113fa907bf0695a8@syzkaller.appspotmail.com
+Signed-off-by: Takeshi Misawa
+Acked-by: Alexander Aring
+Link: https://lore.kernel.org/r/20210805075414.GA15796@DESKTOP
+Signed-off-by: Stefan Schmidt
+Signed-off-by: Sasha Levin
+---
+ net/ieee802154/socket.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/net/ieee802154/socket.c b/net/ieee802154/socket.c
+index a45a0401adc5..c25f7617770c 100644
+--- a/net/ieee802154/socket.c
++++ b/net/ieee802154/socket.c
+@@ -984,6 +984,11 @@ static const struct proto_ops ieee802154_dgram_ops = {
+ .sendpage = sock_no_sendpage,
+ };
+
++static void ieee802154_sock_destruct(struct sock *sk)
++{
++ skb_queue_purge(&sk->sk_receive_queue);
++}
++
+ /* Create a socket. Initialise the socket, blank the addresses
+ * set the state.
+ */
+@@ -1024,7 +1029,7 @@ static int ieee802154_create(struct net *net, struct socket *sock,
+ sock->ops = ops;
+
+ sock_init_data(sock, sk);
+- /* FIXME: sk->sk_destruct */
++ sk->sk_destruct = ieee802154_sock_destruct;
+ sk->sk_family = PF_IEEE802154;
+
+ /* Checksums on by default */
+--
+2.30.2
+
diff --git a/queue-5.10/net-igmp-fix-data-race-in-igmp_ifc_timer_expire.patch b/queue-5.10/net-igmp-fix-data-race-in-igmp_ifc_timer_expire.patch
new file mode 100644
index 00000000000..07093abb18d
--- /dev/null
+++ b/queue-5.10/net-igmp-fix-data-race-in-igmp_ifc_timer_expire.patch
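Review bot: ieee802154_sock_destruct() has no comment, and it is installed in ieee802154_create() unconditionally, so it apparently runs for every socket this family creates and not only for the raw sockets the commit message describes. A one-line comment such as `/* Free skbs still queued for receive when the socket is destroyed */` above the function would record its purpose now that the old FIXME is gone. The destructor purges only `sk_receive_queue`; whether these sockets can also hold skbs on `sk_error_queue` is not visible in the hunk, and if they can, that queue needs the same purge. ieee802154_create() starts and ends outside the hunk.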
@@ -0,0 +1,155 @@
+From 5e38479fb03e4a46174173abe02c06fc6f35b461 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 10 Aug 2021 02:45:47 -0700
+Subject: net: igmp: fix data-race in igmp_ifc_timer_expire()
+
+From: Eric Dumazet
+
+[ Upstream commit 4a2b285e7e103d4d6c6ed3e5052a0ff74a5d7f15 ]
+
+Fix the data-race reported by syzbot [1]
+Issue here is that igmp_ifc_timer_expire() can update in_dev->mr_ifc_count
+while another change just occured from another context.
+
+in_dev->mr_ifc_count is only 8bit wide, so the race had little
+consequences.
+
+[1]
+BUG: KCSAN: data-race in igmp_ifc_event / igmp_ifc_timer_expire
+
+write to 0xffff8881051e3062 of 1 bytes by task 12547 on cpu 0:
+ igmp_ifc_event+0x1d5/0x290 net/ipv4/igmp.c:821
+ igmp_group_added+0x462/0x490 net/ipv4/igmp.c:1356
+ ____ip_mc_inc_group+0x3ff/0x500 net/ipv4/igmp.c:1461
+ __ip_mc_join_group+0x24d/0x2c0 net/ipv4/igmp.c:2199
+ ip_mc_join_group_ssm+0x20/0x30 net/ipv4/igmp.c:2218
+ do_ip_setsockopt net/ipv4/ip_sockglue.c:1285 [inline]
+ ip_setsockopt+0x1827/0x2a80 net/ipv4/ip_sockglue.c:1423
+ tcp_setsockopt+0x8c/0xa0 net/ipv4/tcp.c:3657
+ sock_common_setsockopt+0x5d/0x70 net/core/sock.c:3362
+ __sys_setsockopt+0x18f/0x200 net/socket.c:2159
+ __do_sys_setsockopt net/socket.c:2170 [inline]
+ __se_sys_setsockopt net/socket.c:2167 [inline]
+ __x64_sys_setsockopt+0x62/0x70 net/socket.c:2167
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3d/0x90 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+read to 0xffff8881051e3062 of 1 bytes by interrupt on cpu 1:
+ igmp_ifc_timer_expire+0x706/0xa30 net/ipv4/igmp.c:808
+ call_timer_fn+0x2e/0x1d0 kernel/time/timer.c:1419
+ expire_timers+0x135/0x250 kernel/time/timer.c:1464
+ __run_timers+0x358/0x420 kernel/time/timer.c:1732
+ run_timer_softirq+0x19/0x30 kernel/time/timer.c:1745
+ __do_softirq+0x12c/0x26e kernel/softirq.c:558
+ invoke_softirq kernel/softirq.c:432 [inline]
+ __irq_exit_rcu+0x9a/0xb0 kernel/softirq.c:636
+ sysvec_apic_timer_interrupt+0x69/0x80 arch/x86/kernel/apic/apic.c:1100
+ asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:638
+ console_unlock+0x8e8/0xb30 kernel/printk/printk.c:2646
+ vprintk_emit+0x125/0x3d0 kernel/printk/printk.c:2174
+ vprintk_default+0x22/0x30 kernel/printk/printk.c:2185
+ vprintk+0x15a/0x170 kernel/printk/printk_safe.c:392
+ printk+0x62/0x87 kernel/printk/printk.c:2216
+ selinux_netlink_send+0x399/0x400 security/selinux/hooks.c:6041
+ security_netlink_send+0x42/0x90 security/security.c:2070
+ netlink_sendmsg+0x59e/0x7c0 net/netlink/af_netlink.c:1919
+ sock_sendmsg_nosec net/socket.c:703 [inline]
+ sock_sendmsg net/socket.c:723 [inline]
+ ____sys_sendmsg+0x360/0x4d0 net/socket.c:2392
+ ___sys_sendmsg net/socket.c:2446 [inline]
+ __sys_sendmsg+0x1ed/0x270 net/socket.c:2475
+ __do_sys_sendmsg net/socket.c:2484 [inline]
+ __se_sys_sendmsg net/socket.c:2482 [inline]
+ __x64_sys_sendmsg+0x42/0x50 net/socket.c:2482
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3d/0x90 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+value changed: 0x01 -> 0x02
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 1 PID: 12539 Comm: syz-executor.1 Not tainted 5.14.0-rc4-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet
+Reported-by: syzbot
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/igmp.c | 21 ++++++++++++++-------
+ 1 file changed, 14 insertions(+), 7 deletions(-)
+
+diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
+index 6b3c558a4f23..a51360087b19 100644
+--- a/net/ipv4/igmp.c
++++ b/net/ipv4/igmp.c
+@@ -803,10 +803,17 @@ static void igmp_gq_timer_expire(struct timer_list *t)
+ static void igmp_ifc_timer_expire(struct timer_list *t)
+ {
+ struct in_device *in_dev = from_timer(in_dev, t, mr_ifc_timer);
++ u8 mr_ifc_count;
+
+ igmpv3_send_cr(in_dev);
+- if (in_dev->mr_ifc_count) {
+- in_dev->mr_ifc_count--;
++restart:
++ mr_ifc_count = READ_ONCE(in_dev->mr_ifc_count);
++
++ if (mr_ifc_count) {
++ if (cmpxchg(&in_dev->mr_ifc_count,
++ mr_ifc_count,
++ mr_ifc_count - 1) != mr_ifc_count)
++ goto restart;
+ igmp_ifc_start_timer(in_dev,
+ unsolicited_report_interval(in_dev));
+ }
+@@ -818,7 +825,7 @@ static void igmp_ifc_event(struct in_device *in_dev)
+ struct net *net = dev_net(in_dev->dev);
+ if (IGMP_V1_SEEN(in_dev) || IGMP_V2_SEEN(in_dev))
+ return;
+- in_dev->mr_ifc_count = in_dev->mr_qrv ?: net->ipv4.sysctl_igmp_qrv;
++ WRITE_ONCE(in_dev->mr_ifc_count, in_dev->mr_qrv ?: net->ipv4.sysctl_igmp_qrv);
+ igmp_ifc_start_timer(in_dev, 1);
+ }
+
+@@ -957,7 +964,7 @@ static bool igmp_heard_query(struct in_device *in_dev, struct sk_buff *skb,
+ in_dev->mr_qri;
+ }
+ /* cancel the interface change timer */
+- in_dev->mr_ifc_count = 0;
++ WRITE_ONCE(in_dev->mr_ifc_count, 0);
+ if (del_timer(&in_dev->mr_ifc_timer))
+ __in_dev_put(in_dev);
+ /* clear deleted report items */
+@@ -1724,7 +1731,7 @@ void ip_mc_down(struct in_device *in_dev)
+ igmp_group_dropped(pmc);
+
+ #ifdef CONFIG_IP_MULTICAST
+- in_dev->mr_ifc_count = 0;
++ WRITE_ONCE(in_dev->mr_ifc_count, 0);
+ if (del_timer(&in_dev->mr_ifc_timer))
+ __in_dev_put(in_dev);
+ in_dev->mr_gq_running = 0;
+@@ -1941,7 +1948,7 @@ static int ip_mc_del_src(struct in_device *in_dev, __be32 *pmca, int sfmode,
+ pmc->sfmode = MCAST_INCLUDE;
+ #ifdef CONFIG_IP_MULTICAST
+ pmc->crcount = in_dev->mr_qrv ?: net->ipv4.sysctl_igmp_qrv;
+- in_dev->mr_ifc_count = pmc->crcount;
++ WRITE_ONCE(in_dev->mr_ifc_count, pmc->crcount);
+ for (psf = pmc->sources; psf; psf = psf->sf_next)
+ psf->sf_crcount = 0;
+ igmp_ifc_event(pmc->interface);
+@@ -2120,7 +2127,7 @@ static int ip_mc_add_src(struct in_device *in_dev, __be32 *pmca, int sfmode,
+ /* else no filters; keep old mode for reports */
+
+ pmc->crcount = in_dev->mr_qrv ?: net->ipv4.sysctl_igmp_qrv;
+- in_dev->mr_ifc_count = pmc->crcount;
++ WRITE_ONCE(in_dev->mr_ifc_count, pmc->crcount);
+ for (psf = pmc->sources; psf; psf = psf->sf_next)
+ psf->sf_crcount = 0;
+ igmp_ifc_event(in_dev);
+--
+2.30.2
+
diff --git a/queue-5.10/net-igmp-increase-size-of-mr_ifc_count.patch b/queue-5.10/net-igmp-increase-size-of-mr_ifc_count.patch
new file mode 100644
index 00000000000..2447c177ec3
--- /dev/null
+++ b/queue-5.10/net-igmp-increase-size-of-mr_ifc_count.patch
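Review bot: The retry loop in igmp_ifc_timer_expire() calls `cmpxchg()` on `in_dev->mr_ifc_count` through a `u8` local, and a one-byte cmpxchg() is not available on every architecture. The patch queued directly after this one (net-igmp-increase-size-of-mr_ifc_count.patch) widens the field and the local to `u32` for exactly that reason, so the two have to stay together in this queue; picking up this one alone would leave some builds broken. The `restart:`/`goto restart` construct would also read more directly as a `do { ... } while (cmpxchg(...) != mr_ifc_count);` loop, though that is only a matter of style.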
@@ -0,0 +1,52 @@
+From 91734d19af98551ef5fe93b3bafe3f8016285325 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 11 Aug 2021 12:57:15 -0700
+Subject: net: igmp: increase size of mr_ifc_count
+
+From: Eric Dumazet
+
+[ Upstream commit b69dd5b3780a7298bd893816a09da751bc0636f7 ]
+
+Some arches support cmpxchg() on 4-byte and 8-byte only.
+Increase mr_ifc_count width to 32bit to fix this problem.
+
+Fixes: 4a2b285e7e10 ("net: igmp: fix data-race in igmp_ifc_timer_expire()")
+Signed-off-by: Eric Dumazet
+Reported-by: Guenter Roeck
+Link: https://lore.kernel.org/r/20210811195715.3684218-1-eric.dumazet@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ include/linux/inetdevice.h | 2 +-
+ net/ipv4/igmp.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/inetdevice.h b/include/linux/inetdevice.h
+index 3515ca64e638..b68fca08be27 100644
+--- a/include/linux/inetdevice.h
++++ b/include/linux/inetdevice.h
+@@ -41,7 +41,7 @@ struct in_device {
+ unsigned long mr_qri; /* Query Response Interval */
+ unsigned char mr_qrv; /* Query Robustness Variable */
+ unsigned char mr_gq_running;
+- unsigned char mr_ifc_count;
++ u32 mr_ifc_count;
+ struct timer_list mr_gq_timer; /* general query timer */
+ struct timer_list mr_ifc_timer; /* interface change timer */
+
+diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
+index a51360087b19..00576bae183d 100644
+--- a/net/ipv4/igmp.c
++++ b/net/ipv4/igmp.c
+@@ -803,7 +803,7 @@ static void igmp_gq_timer_expire(struct timer_list *t)
+ static void igmp_ifc_timer_expire(struct timer_list *t)
+ {
+ struct in_device *in_dev = from_timer(in_dev, t, mr_ifc_timer);
+- u8 mr_ifc_count;
++ u32 mr_ifc_count;
+
+ igmpv3_send_cr(in_dev);
+ restart:
+--
+2.30.2
+
diff --git a/queue-5.10/net-linkwatch-fix-failure-to-restore-device-state-ac.patch b/queue-5.10/net-linkwatch-fix-failure-to-restore-device-state-ac.patch
new file mode 100644
index 00000000000..33d8546ad8f
--- /dev/null
+++ b/queue-5.10/net-linkwatch-fix-failure-to-restore-device-state-ac.patch 
@@ -0,0 +1,93 @@ +From 5a072844789db0e56362ac312bd135584706f212 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Aug 2021 18:06:28 +0200 +Subject: net: linkwatch: fix failure to restore device state across + suspend/resume + +From: Willy Tarreau + +[ Upstream commit 6922110d152e56d7569616b45a1f02876cf3eb9f ] + +After migrating my laptop from 4.19-LTS to 5.4-LTS a while ago I noticed +that my Ethernet port to which a bond and a VLAN interface are attached +appeared to remain up after resuming from suspend with the cable unplugged +(and that problem still persists with 5.10-LTS). + +It happens that the following happens: + + - the network driver (e1000e here) prepares to suspend, calls e1000e_down() + which calls netif_carrier_off() to signal that the link is going down. + - netif_carrier_off() adds a link_watch event to the list of events for + this device + - the device is completely stopped. + - the machine suspends + - the cable is unplugged and the machine brought to another location + - the machine is resumed + - the queued linkwatch events are processed for the device + - the device doesn't yet have the __LINK_STATE_PRESENT bit and its events + are silently dropped + - the device is resumed with its link down + - the upper VLAN and bond interfaces are never notified that the link had + been turned down and remain up + - the only way to provoke a change is to physically connect the machine + to a port and possibly unplug it. + +The state after resume looks like this: + $ ip -br li | egrep 'bond|eth' + bond0 UP e8:6a:64:64:64:64 + eth0 DOWN e8:6a:64:64:64:64 + eth0.2@eth0 UP e8:6a:64:64:64:64 + +Placing an explicit call to netdev_state_change() either in the suspend +or the resume code in the NIC driver worked around this but the solution +is not satisfying. + +The issue in fact really is in link_watch that loses events while it +ought not to. 
It happens that the test for the device being present was +added by commit 124eee3f6955 ("net: linkwatch: add check for netdevice +being present to linkwatch_do_dev") in 4.20 to avoid an access to +devices that are not present. + +Instead of dropping events, this patch proceeds slightly differently by +postponing their handling so that they happen after the device is fully +resumed. + +Fixes: 124eee3f6955 ("net: linkwatch: add check for netdevice being present to linkwatch_do_dev") +Link: https://lists.openwall.net/netdev/2018/03/15/62 +Cc: Heiner Kallweit +Cc: Geert Uytterhoeven +Cc: Florian Fainelli +Signed-off-by: Willy Tarreau +Link: https://lore.kernel.org/r/20210809160628.22623-1-w@1wt.eu +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/link_watch.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/net/core/link_watch.c b/net/core/link_watch.c +index 75431ca9300f..1a455847da54 100644 +--- a/net/core/link_watch.c ++++ b/net/core/link_watch.c +@@ -158,7 +158,7 @@ static void linkwatch_do_dev(struct net_device *dev) + clear_bit(__LINK_STATE_LINKWATCH_PENDING, &dev->state); + + rfc2863_policy(dev); +- if (dev->flags & IFF_UP && netif_device_present(dev)) { ++ if (dev->flags & IFF_UP) { + if (netif_carrier_ok(dev)) + dev_activate(dev); + else +@@ -204,7 +204,8 @@ static void __linkwatch_run_queue(int urgent_only) + dev = list_first_entry(&wrk, struct net_device, link_watch_list); + list_del_init(&dev->link_watch_list); + +- if (urgent_only && !linkwatch_urgent_event(dev)) { ++ if (!netif_device_present(dev) || ++ (urgent_only && !linkwatch_urgent_event(dev))) { + list_add_tail(&dev->link_watch_list, &lweventlist); + continue; + } +-- +2.30.2 + diff --git a/queue-5.10/net-mlx5-fix-return-value-from-tracer-initialization.patch b/queue-5.10/net-mlx5-fix-return-value-from-tracer-initialization.patch new file mode 100644 index 00000000000..bece520d56e --- /dev/null 
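Review bot: With `netif_device_present(dev)` removed from the `IFF_UP` test, `linkwatch_do_dev()` no longer protects itself; the only presence check left is the one added in `__linkwatch_run_queue()`. The commit message says the original test was there to avoid touching devices that are not present, so any other caller of `linkwatch_do_dev()` (none is visible here, and both functions start and end outside their hunks) would now reach `dev_activate()` or the `else` branch without it; it is worth confirming each caller or keeping the guard in both places. The requeue branch also deserves a comment such as `/* device not present (e.g. suspended): keep the event queued rather than dropping it */`. It is not visible from these lines what bounds the requeueing for a device that never becomes present again.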
+++ b/queue-5.10/net-mlx5-fix-return-value-from-tracer-initialization.patch
@@ -0,0 +1,51 @@
+From 2e3209d8713730a3794211365c19e00c1acfc30d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 8 Jun 2021 16:38:30 +0300
+Subject: net/mlx5: Fix return value from tracer initialization
+
+From: Aya Levin
+
+[ Upstream commit bd37c2888ccaa5ceb9895718f6909b247cc372e0 ]
+
+Check return value of mlx5_fw_tracer_start(), set error path and fix
+return value of mlx5_fw_tracer_init() accordingly.
+
+Fixes: c71ad41ccb0c ("net/mlx5: FW tracer, events handling")
+Signed-off-by: Aya Levin
+Reviewed-by: Moshe Shemesh
+Reviewed-by: Tariq Toukan
+Signed-off-by: Saeed Mahameed
+Signed-off-by: Sasha Levin
+---
+ .../net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c
+index 2eb022ad7fd0..3dfcb20e97c6 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c
+@@ -1019,12 +1019,19 @@ int mlx5_fw_tracer_init(struct mlx5_fw_tracer *tracer)
+ MLX5_NB_INIT(&tracer->nb, fw_tracer_event, DEVICE_TRACER);
+ mlx5_eq_notifier_register(dev, &tracer->nb);
+
+- mlx5_fw_tracer_start(tracer);
+-
++ err = mlx5_fw_tracer_start(tracer);
++ if (err) {
++ mlx5_core_warn(dev, "FWTracer: Failed to start tracer %d\n", err);
++ goto err_notifier_unregister;
++ }
+ return 0;
+
++err_notifier_unregister:
++ mlx5_eq_notifier_unregister(dev, &tracer->nb);
++ mlx5_core_destroy_mkey(dev, &tracer->buff.mkey);
+ err_dealloc_pd:
+ mlx5_core_dealloc_pd(dev, tracer->buff.pdn);
++ cancel_work_sync(&tracer->read_fw_strings_work);
+ return err;
+ }
+
+--
+2.30.2
+
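Review bot: The new `cancel_work_sync(&tracer->read_fw_strings_work)` runs last in the unwind, after `mlx5_eq_notifier_unregister()`, `mlx5_core_destroy_mkey()` and `mlx5_core_dealloc_pd()`, so a still-pending work item could execute while those resources are being released. Where the work is queued and what it touches is outside this hunk (the body of `mlx5_fw_tracer_init()` starts above it), so this may be harmless, but cancelling the work before the first release step is the conventional teardown order and costs nothing. Because the call sits under the shared `err_dealloc_pd` label, an earlier failure that returns without jumping to a label, if there is one, would leave the work uncancelled. A comment at the label stating which failures are expected to cancel the work would make the intent checkable.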
diff --git a/queue-5.10/net-mlx5-synchronize-correct-irq-when-destroying-cq.patch b/queue-5.10/net-mlx5-synchronize-correct-irq-when-destroying-cq.patch new file mode 100644 index 00000000000..ce2662cdaf5 --- /dev/null +++ b/queue-5.10/net-mlx5-synchronize-correct-irq-when-destroying-cq.patch 
@@ -0,0 +1,307 @@ +From d995f6780118f1dfd066a1f1a4fe33e16ae132f2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 11 Apr 2021 15:32:55 +0300 +Subject: net/mlx5: Synchronize correct IRQ when destroying CQ + +From: Shay Drory + +[ Upstream commit 563476ae0c5e48a028cbfa38fa9d2fc0418eb88f ] + +The CQ destroy is performed based on the IRQ number that is stored in +cq->irqn. That number wasn't set explicitly during CQ creation and as +expected some of the API users of mlx5_core_create_cq() forgot to update +it. + +This caused to wrong synchronization call of the wrong IRQ with a number +0 instead of the real one. + +As a fix, set the IRQ number directly in the mlx5_core_create_cq() and +update all users accordingly. + +Fixes: 1a86b377aa21 ("vdpa/mlx5: Add VDPA driver for supported mlx5 devices") +Fixes: ef1659ade359 ("IB/mlx5: Add DEVX support for CQ events") +Signed-off-by: Shay Drory +Reviewed-by: Tariq Toukan +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx5/cq.c | 4 +--- + drivers/infiniband/hw/mlx5/devx.c | 3 +-- + drivers/net/ethernet/mellanox/mlx5/core/cq.c | 1 + + .../net/ethernet/mellanox/mlx5/core/en_main.c | 13 ++---------- + drivers/net/ethernet/mellanox/mlx5/core/eq.c | 20 +++++++++++++++---- + .../ethernet/mellanox/mlx5/core/fpga/conn.c | 4 +--- + .../net/ethernet/mellanox/mlx5/core/lib/eq.h | 2 ++ + .../mellanox/mlx5/core/steering/dr_send.c | 4 +--- + drivers/vdpa/mlx5/net/mlx5_vnet.c | 3 +-- + include/linux/mlx5/driver.h | 3 +-- + 10 files changed, 27 insertions(+), 30 deletions(-) + +diff --git a/drivers/infiniband/hw/mlx5/cq.c b/drivers/infiniband/hw/mlx5/cq.c +index 372adb7ceb74..74644b6ea0ff 100644 +--- a/drivers/infiniband/hw/mlx5/cq.c ++++ b/drivers/infiniband/hw/mlx5/cq.c +@@ -930,7 +930,6 @@ int mlx5_ib_create_cq(struct ib_cq *ibcq, const struct ib_cq_init_attr *attr, + u32 *cqb = NULL; + void *cqc; + int cqe_size; +- unsigned int irqn; + int eqn; + int err; + +@@ -969,7 +968,7 @@ int 
mlx5_ib_create_cq(struct ib_cq *ibcq, const struct ib_cq_init_attr *attr, + INIT_WORK(&cq->notify_work, notify_soft_wc_handler); + } + +- err = mlx5_vector2eqn(dev->mdev, vector, &eqn, &irqn); ++ err = mlx5_vector2eqn(dev->mdev, vector, &eqn); + if (err) + goto err_cqb; + +@@ -992,7 +991,6 @@ int mlx5_ib_create_cq(struct ib_cq *ibcq, const struct ib_cq_init_attr *attr, + goto err_cqb; + + mlx5_ib_dbg(dev, "cqn 0x%x\n", cq->mcq.cqn); +- cq->mcq.irqn = irqn; + if (udata) + cq->mcq.tasklet_ctx.comp = mlx5_ib_cq_comp; + else +diff --git a/drivers/infiniband/hw/mlx5/devx.c b/drivers/infiniband/hw/mlx5/devx.c +index 06a873257619..343e6709d9fc 100644 +--- a/drivers/infiniband/hw/mlx5/devx.c ++++ b/drivers/infiniband/hw/mlx5/devx.c +@@ -904,7 +904,6 @@ static int UVERBS_HANDLER(MLX5_IB_METHOD_DEVX_QUERY_EQN)( + struct mlx5_ib_dev *dev; + int user_vector; + int dev_eqn; +- unsigned int irqn; + int err; + + if (uverbs_copy_from(&user_vector, attrs, +@@ -916,7 +915,7 @@ static int UVERBS_HANDLER(MLX5_IB_METHOD_DEVX_QUERY_EQN)( + return PTR_ERR(c); + dev = to_mdev(c->ibucontext.device); + +- err = mlx5_vector2eqn(dev->mdev, user_vector, &dev_eqn, &irqn); ++ err = mlx5_vector2eqn(dev->mdev, user_vector, &dev_eqn); + if (err < 0) + return err; + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/cq.c b/drivers/net/ethernet/mellanox/mlx5/core/cq.c +index df3e4938ecdd..360e093874d4 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/cq.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/cq.c +@@ -134,6 +134,7 @@ int mlx5_core_create_cq(struct mlx5_core_dev *dev, struct mlx5_core_cq *cq, + cq->cqn); + + cq->uar = dev->priv.uar; ++ cq->irqn = eq->core.irqn; + + return 0; + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index d81fa8e56199..6b4a3d90c9f7 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -1547,15 +1547,9 @@ static int 
mlx5e_alloc_cq_common(struct mlx5_core_dev *mdev, + struct mlx5e_cq *cq) + { + struct mlx5_core_cq *mcq = &cq->mcq; +- int eqn_not_used; +- unsigned int irqn; + int err; + u32 i; + +- err = mlx5_vector2eqn(mdev, param->eq_ix, &eqn_not_used, &irqn); +- if (err) +- return err; +- + err = mlx5_cqwq_create(mdev, ¶m->wq, param->cqc, &cq->wq, + &cq->wq_ctrl); + if (err) +@@ -1569,7 +1563,6 @@ static int mlx5e_alloc_cq_common(struct mlx5_core_dev *mdev, + mcq->vector = param->eq_ix; + mcq->comp = mlx5e_completion_event; + mcq->event = mlx5e_cq_error_event; +- mcq->irqn = irqn; + + for (i = 0; i < mlx5_cqwq_get_size(&cq->wq); i++) { + struct mlx5_cqe64 *cqe = mlx5_cqwq_get_wqe(&cq->wq, i); +@@ -1615,11 +1608,10 @@ static int mlx5e_create_cq(struct mlx5e_cq *cq, struct mlx5e_cq_param *param) + void *in; + void *cqc; + int inlen; +- unsigned int irqn_not_used; + int eqn; + int err; + +- err = mlx5_vector2eqn(mdev, param->eq_ix, &eqn, &irqn_not_used); ++ err = mlx5_vector2eqn(mdev, param->eq_ix, &eqn); + if (err) + return err; + +@@ -1977,9 +1969,8 @@ static int mlx5e_open_channel(struct mlx5e_priv *priv, int ix, + struct mlx5e_channel *c; + unsigned int irq; + int err; +- int eqn; + +- err = mlx5_vector2eqn(priv->mdev, ix, &eqn, &irq); ++ err = mlx5_vector2irqn(priv->mdev, ix, &irq); + if (err) + return err; + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eq.c b/drivers/net/ethernet/mellanox/mlx5/core/eq.c +index ccd53a7a2b80..4f4f79ca37a8 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/eq.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eq.c +@@ -859,8 +859,8 @@ clean: + return err; + } + +-int mlx5_vector2eqn(struct mlx5_core_dev *dev, int vector, int *eqn, +- unsigned int *irqn) ++static int vector2eqnirqn(struct mlx5_core_dev *dev, int vector, int *eqn, ++ unsigned int *irqn) + { + struct mlx5_eq_table *table = dev->priv.eq_table; + struct mlx5_eq_comp *eq, *n; +@@ -869,8 +869,10 @@ int mlx5_vector2eqn(struct mlx5_core_dev *dev, int vector, int *eqn, + + 
list_for_each_entry_safe(eq, n, &table->comp_eqs_list, list) { + if (i++ == vector) { +- *eqn = eq->core.eqn; +- *irqn = eq->core.irqn; ++ if (irqn) ++ *irqn = eq->core.irqn; ++ if (eqn) ++ *eqn = eq->core.eqn; + err = 0; + break; + } +@@ -878,8 +880,18 @@ int mlx5_vector2eqn(struct mlx5_core_dev *dev, int vector, int *eqn, + + return err; + } ++ ++int mlx5_vector2eqn(struct mlx5_core_dev *dev, int vector, int *eqn) ++{ ++ return vector2eqnirqn(dev, vector, eqn, NULL); ++} + EXPORT_SYMBOL(mlx5_vector2eqn); + ++int mlx5_vector2irqn(struct mlx5_core_dev *dev, int vector, unsigned int *irqn) ++{ ++ return vector2eqnirqn(dev, vector, NULL, irqn); ++} ++ + unsigned int mlx5_comp_vectors_count(struct mlx5_core_dev *dev) + { + return dev->priv.eq_table->num_comp_eqs; +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fpga/conn.c b/drivers/net/ethernet/mellanox/mlx5/core/fpga/conn.c +index 80da50e12915..a42bd493293a 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/fpga/conn.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/fpga/conn.c +@@ -417,7 +417,6 @@ static int mlx5_fpga_conn_create_cq(struct mlx5_fpga_conn *conn, int cq_size) + struct mlx5_wq_param wqp; + struct mlx5_cqe64 *cqe; + int inlen, err, eqn; +- unsigned int irqn; + void *cqc, *in; + __be64 *pas; + u32 i; +@@ -446,7 +445,7 @@ static int mlx5_fpga_conn_create_cq(struct mlx5_fpga_conn *conn, int cq_size) + goto err_cqwq; + } + +- err = mlx5_vector2eqn(mdev, smp_processor_id(), &eqn, &irqn); ++ err = mlx5_vector2eqn(mdev, smp_processor_id(), &eqn); + if (err) { + kvfree(in); + goto err_cqwq; +@@ -476,7 +475,6 @@ static int mlx5_fpga_conn_create_cq(struct mlx5_fpga_conn *conn, int cq_size) + *conn->cq.mcq.arm_db = 0; + conn->cq.mcq.vector = 0; + conn->cq.mcq.comp = mlx5_fpga_conn_cq_complete; +- conn->cq.mcq.irqn = irqn; + conn->cq.mcq.uar = fdev->conn_res.uar; + tasklet_setup(&conn->cq.tasklet, mlx5_fpga_conn_cq_tasklet); + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/eq.h 
b/drivers/net/ethernet/mellanox/mlx5/core/lib/eq.h +index 81f2cc4ca1da..fa79e6e6a98a 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/lib/eq.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/eq.h +@@ -98,4 +98,6 @@ void mlx5_core_eq_free_irqs(struct mlx5_core_dev *dev); + struct cpu_rmap *mlx5_eq_table_get_rmap(struct mlx5_core_dev *dev); + #endif + ++int mlx5_vector2irqn(struct mlx5_core_dev *dev, int vector, unsigned int *irqn); ++ + #endif +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_send.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_send.c +index 24dede1b0a20..ea3c6cf27db4 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_send.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_send.c +@@ -711,7 +711,6 @@ static struct mlx5dr_cq *dr_create_cq(struct mlx5_core_dev *mdev, + struct mlx5_cqe64 *cqe; + struct mlx5dr_cq *cq; + int inlen, err, eqn; +- unsigned int irqn; + void *cqc, *in; + __be64 *pas; + int vector; +@@ -744,7 +743,7 @@ static struct mlx5dr_cq *dr_create_cq(struct mlx5_core_dev *mdev, + goto err_cqwq; + + vector = raw_smp_processor_id() % mlx5_comp_vectors_count(mdev); +- err = mlx5_vector2eqn(mdev, vector, &eqn, &irqn); ++ err = mlx5_vector2eqn(mdev, vector, &eqn); + if (err) { + kvfree(in); + goto err_cqwq; +@@ -780,7 +779,6 @@ static struct mlx5dr_cq *dr_create_cq(struct mlx5_core_dev *mdev, + *cq->mcq.arm_db = cpu_to_be32(2 << 28); + + cq->mcq.vector = 0; +- cq->mcq.irqn = irqn; + cq->mcq.uar = uar; + + return cq; +diff --git a/drivers/vdpa/mlx5/net/mlx5_vnet.c b/drivers/vdpa/mlx5/net/mlx5_vnet.c +index fe7ed3212473..fbdc9468818d 100644 +--- a/drivers/vdpa/mlx5/net/mlx5_vnet.c ++++ b/drivers/vdpa/mlx5/net/mlx5_vnet.c +@@ -511,7 +511,6 @@ static int cq_create(struct mlx5_vdpa_net *ndev, u16 idx, u32 num_ent) + void __iomem *uar_page = ndev->mvdev.res.uar->map; + u32 out[MLX5_ST_SZ_DW(create_cq_out)]; + struct mlx5_vdpa_cq *vcq = &mvq->cq; +- unsigned int irqn; + __be64 *pas; + int 
inlen; + void *cqc; +@@ -551,7 +550,7 @@ static int cq_create(struct mlx5_vdpa_net *ndev, u16 idx, u32 num_ent) + /* Use vector 0 by default. Consider adding code to choose least used + * vector. + */ +- err = mlx5_vector2eqn(mdev, 0, &eqn, &irqn); ++ err = mlx5_vector2eqn(mdev, 0, &eqn); + if (err) + goto err_vec; + +diff --git a/include/linux/mlx5/driver.h b/include/linux/mlx5/driver.h +index add85094f9a5..41fbb4793394 100644 +--- a/include/linux/mlx5/driver.h ++++ b/include/linux/mlx5/driver.h +@@ -981,8 +981,7 @@ void mlx5_unregister_debugfs(void); + void mlx5_fill_page_array(struct mlx5_frag_buf *buf, __be64 *pas); + void mlx5_fill_page_frag_array_perm(struct mlx5_frag_buf *buf, __be64 *pas, u8 perm); + void mlx5_fill_page_frag_array(struct mlx5_frag_buf *frag_buf, __be64 *pas); +-int mlx5_vector2eqn(struct mlx5_core_dev *dev, int vector, int *eqn, +- unsigned int *irqn); ++int mlx5_vector2eqn(struct mlx5_core_dev *dev, int vector, int *eqn); + int mlx5_core_attach_mcg(struct mlx5_core_dev *dev, union ib_gid *mgid, u32 qpn); + int mlx5_core_detach_mcg(struct mlx5_core_dev *dev, union ib_gid *mgid, u32 qpn); + +-- +2.30.2 + diff --git a/queue-5.10/net-mvvp2-fix-short-frame-size-on-s390.patch b/queue-5.10/net-mvvp2-fix-short-frame-size-on-s390.patch new file mode 100644 index 00000000000..49b9e46d3ae --- /dev/null +++ b/queue-5.10/net-mvvp2-fix-short-frame-size-on-s390.patch 
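Review bot: The ownership change for `cq->irqn` is not recorded anywhere in the new code: `mlx5_core_create_cq()` now assigns it with `cq->irqn = eq->core.irqn;` and every caller's own assignment is removed, but nothing tells the next API user that the field is filled in by the core. A line above the assignment such as `/* irqn comes from the EQ; callers need not (and should not) assign it */` would record the contract the commit message describes. The new static helper `vector2eqnirqn()` in eq.c also accepts NULL for either output without saying so; `/* eqn and irqn are optional outputs; pass NULL to skip one */` would cover it. All of these functions start or end outside their hunks.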
@@ -0,0 +1,63 @@ +From be61583556543c7fc1e8d53986e0f6a2f216e717 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Aug 2021 23:53:30 -0700 +Subject: net: mvvp2: fix short frame size on s390 + +From: John Hubbard + +[ Upstream commit 704e624f7b3e8a4fc1ce43fb564746d1d07b20c0 ] + +On s390, the following build warning occurs: + +drivers/net/ethernet/marvell/mvpp2/mvpp2.h:844:2: warning: overflow in +conversion from 'long unsigned int' to 'int' changes value from +'18446744073709551584' to '-32' [-Woverflow] +844 | ((total_size) - MVPP2_SKB_HEADROOM - MVPP2_SKB_SHINFO_SIZE) + +This happens because MVPP2_SKB_SHINFO_SIZE, which is 320 bytes (which is +already 64-byte aligned) on some architectures, actually gets ALIGN'd up +to 512 bytes in the s390 case. + +So then, when this is invoked: + + MVPP2_RX_MAX_PKT_SIZE(MVPP2_BM_SHORT_FRAME_SIZE) + +...that turns into: + + 704 - 224 - 512 == -32 + +...which is not a good frame size to end up with! The warning above is a +bit lucky: it notices a signed/unsigned bad behavior here, which leads +to the real problem of a frame that is too short for its contents. + +Increase MVPP2_BM_SHORT_FRAME_SIZE by 32 (from 704 to 736), which is +just exactly big enough. (The other values can't readily be changed +without causing a lot of other problems.) + +Fixes: 07dd0a7aae7f ("mvpp2: add basic XDP support") +Cc: Sven Auhagen +Cc: Matteo Croce +Cc: David S. Miller +Signed-off-by: John Hubbard +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/mvpp2/mvpp2.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2.h b/drivers/net/ethernet/marvell/mvpp2/mvpp2.h +index a1aefce55e65..d825eb021b22 100644 +--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2.h ++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2.h +@@ -854,7 +854,7 @@ enum mvpp22_ptp_packet_format { + #define MVPP2_BM_COOKIE_POOL_OFFS 8 + #define MVPP2_BM_COOKIE_CPU_OFFS 24 + +-#define MVPP2_BM_SHORT_FRAME_SIZE 704 /* frame size 128 */ ++#define MVPP2_BM_SHORT_FRAME_SIZE 736 /* frame size 128 */ + #define MVPP2_BM_LONG_FRAME_SIZE 2240 /* frame size 1664 */ + #define MVPP2_BM_JUMBO_FRAME_SIZE 10432 /* frame size 9856 */ + /* BM short pool packet size +-- +2.30.2 + diff --git a/queue-5.10/net-phy-micrel-fix-link-detection-on-ksz87xx-switch.patch b/queue-5.10/net-phy-micrel-fix-link-detection-on-ksz87xx-switch.patch new file mode 100644 index 00000000000..5a5f513ceb0 --- /dev/null +++ b/queue-5.10/net-phy-micrel-fix-link-detection-on-ksz87xx-switch.patch 
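Review bot: By the commit message's own figures the new value leaves no payload room on s390: `704 - 224 - 512 == -32`, so `736 - 224 - 512` is 0, which removes the wrap-around but makes `MVPP2_RX_MAX_PKT_SIZE(MVPP2_BM_SHORT_FRAME_SIZE)` zero on that configuration. The trailing comment `/* frame size 128 */` on the changed `#define` therefore does not hold there and should name the configuration it describes, and it is worth confirming that the short pool is usable with a zero maximum. The compiler warning shows the macro result is unsigned, so a wrapped value would pass a `> 0` test; a build-time check is better written on the operands, e.g. `static_assert(MVPP2_BM_SHORT_FRAME_SIZE >= MVPP2_SKB_HEADROOM + MVPP2_SKB_SHINFO_SIZE);`, assuming both expand to constant expressions.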
@@ -0,0 +1,43 @@
+From 965ef8b2adabce2f3a51d3faeb3eb7cc785032d6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 7 Aug 2021 02:06:18 +0200
+Subject: net: phy: micrel: Fix link detection on ksz87xx switch"
+
+From: Ben Hutchings
+
+[ Upstream commit 2383cb9497d113360137a2be308b390faa80632d ]
+
+Commit a5e63c7d38d5 "net: phy: micrel: Fix detection of ksz87xx
+switch" broke link detection on the external ports of the KSZ8795.
+
+The previously unused phy_driver structure for these devices specifies
+config_aneg and read_status functions that appear to be designed for a
+fixed link and do not work with the embedded PHYs in the KSZ8795.
+
+Delete the use of these functions in favour of the generic PHY
+implementations which were used previously.
+
+Fixes: a5e63c7d38d5 ("net: phy: micrel: Fix detection of ksz87xx switch")
+Signed-off-by: Ben Hutchings
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/phy/micrel.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/net/phy/micrel.c b/drivers/net/phy/micrel.c
+index 9a566c5b36a6..69b20a466c61 100644
+--- a/drivers/net/phy/micrel.c
++++ b/drivers/net/phy/micrel.c
+@@ -1374,8 +1374,6 @@ static struct phy_driver ksphy_driver[] = {
+ .name = "Micrel KSZ87XX Switch",
+ /* PHY_BASIC_FEATURES */
+ .config_init = kszphy_config_init,
+- .config_aneg = ksz8873mll_config_aneg,
+- .read_status = ksz8873mll_read_status,
+ .match_phy_device = ksz8795_match_phy_device,
+ .suspend = genphy_suspend,
+ .resume = genphy_resume,
+--
+2.30.2
+
diff --git a/queue-5.10/net-sched-act_mirred-reset-ct-info-when-mirror-redir.patch b/queue-5.10/net-sched-act_mirred-reset-ct-info-when-mirror-redir.patch
new file mode 100644
index 00000000000..9476f0e6ae8
--- /dev/null
+++ b/queue-5.10/net-sched-act_mirred-reset-ct-info-when-mirror-redir.patch
@@ -0,0 +1,60 @@ +From 3e723986d758e3123b0297b300886d27b327fa95 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Aug 2021 15:04:55 +0800 +Subject: net: sched: act_mirred: Reset ct info when mirror/redirect skb + +From: Hangbin Liu + +[ Upstream commit d09c548dbf3b31cb07bba562e0f452edfa01efe3 ] + +When mirror/redirect a skb to a different port, the ct info should be reset +for reclassification. Or the pkts will match unexpected rules. For example, +with following topology and commands: + + ----------- + | + veth0 -+------- + | + veth1 -+------- + | + ------------ + + tc qdisc add dev veth0 clsact + # The same with "action mirred egress mirror dev veth1" or "action mirred ingress redirect dev veth1" + tc filter add dev veth0 egress chain 1 protocol ip flower ct_state +trk action mirred ingress mirror dev veth1 + tc filter add dev veth0 egress chain 0 protocol ip flower ct_state -inv action ct commit action goto chain 1 + tc qdisc add dev veth1 clsact + tc filter add dev veth1 ingress chain 0 protocol ip flower ct_state +trk action drop + + ping & + tc -s filter show dev veth1 ingress + +With command 'tc -s filter show', we can find the pkts were dropped on +veth1. + +Fixes: b57dc7c13ea9 ("net/sched: Introduce action ct") +Signed-off-by: Roi Dayan +Signed-off-by: Hangbin Liu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sched/act_mirred.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/sched/act_mirred.c b/net/sched/act_mirred.c +index e24b7e2331cd..0b0eb18919c0 100644 +--- a/net/sched/act_mirred.c ++++ b/net/sched/act_mirred.c +@@ -261,6 +261,9 @@ static int tcf_mirred_act(struct sk_buff *skb, const struct tc_action *a, + goto out; + } + ++ /* All mirred/redirected skbs should clear previous ct info */ ++ nf_reset_ct(skb2); ++ + want_ingress = tcf_mirred_act_wants_ingress(m_eaction); + + expects_nh = want_ingress || !m_mac_header_xmit; +-- +2.30.2 + 
diff --git a/queue-5.10/net-smc-fix-wait-on-already-cleared-link.patch b/queue-5.10/net-smc-fix-wait-on-already-cleared-link.patch new file mode 100644 index 00000000000..2cd0a7aa914 --- /dev/null +++ b/queue-5.10/net-smc-fix-wait-on-already-cleared-link.patch 
@@ -0,0 +1,177 @@ +From bb0468a979493436e47e925d6e87905950aca1c8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Aug 2021 11:05:56 +0200 +Subject: net/smc: fix wait on already cleared link + +From: Karsten Graul + +[ Upstream commit 8f3d65c166797746455553f4eaf74a5f89f996d4 ] + +There can be a race between the waiters for a tx work request buffer +and the link down processing that finally clears the link. Although +all waiters are woken up before the link is cleared there might be +waiters which did not yet get back control and are still waiting. +This results in an access to a cleared wait queue head. + +Fix this by introducing atomic reference counting around the wait calls, +and wait with the link clear processing until all waiters have finished. +Move the work request layer related calls into smc_wr.c and set the +link state to INACTIVE before calling smcr_link_clear() in +smc_llc_srv_add_link(). + +Fixes: 15e1b99aadfb ("net/smc: no WR buffer wait for terminating link group") +Signed-off-by: Karsten Graul +Signed-off-by: Guvenc Gulce +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + net/smc/smc_core.h | 2 ++ + net/smc/smc_llc.c | 10 ++++------ + net/smc/smc_tx.c | 18 +++++++++++++++++- + net/smc/smc_wr.c | 10 ++++++++++ + 4 files changed, 33 insertions(+), 7 deletions(-) + +diff --git a/net/smc/smc_core.h b/net/smc/smc_core.h +index f1e867ce2e63..4745a9a5a28f 100644 +--- a/net/smc/smc_core.h ++++ b/net/smc/smc_core.h +@@ -94,6 +94,7 @@ struct smc_link { + unsigned long *wr_tx_mask; /* bit mask of used indexes */ + u32 wr_tx_cnt; /* number of WR send buffers */ + wait_queue_head_t wr_tx_wait; /* wait for free WR send buf */ ++ atomic_t wr_tx_refcnt; /* tx refs to link */ + + struct smc_wr_buf *wr_rx_bufs; /* WR recv payload buffers */ + struct ib_recv_wr *wr_rx_ibs; /* WR recv meta data */ +@@ -106,6 +107,7 @@ struct smc_link { + + struct ib_reg_wr wr_reg; /* WR register memory region */ + wait_queue_head_t wr_reg_wait; /* wait for wr_reg result */ ++ atomic_t wr_reg_refcnt; /* reg refs to link */ + enum smc_wr_reg_state wr_reg_state; /* state of wr_reg request */ + + u8 gid[SMC_GID_SIZE];/* gid matching used vlan id*/ +diff --git a/net/smc/smc_llc.c b/net/smc/smc_llc.c +index 273eaf1bfe49..2e7560eba981 100644 +--- a/net/smc/smc_llc.c ++++ b/net/smc/smc_llc.c +@@ -888,6 +888,7 @@ int smc_llc_cli_add_link(struct smc_link *link, struct smc_llc_qentry *qentry) + if (!rc) + goto out; + out_clear_lnk: ++ lnk_new->state = SMC_LNK_INACTIVE; + smcr_link_clear(lnk_new, false); + out_reject: + smc_llc_cli_add_link_reject(qentry); +@@ -1184,6 +1185,7 @@ int smc_llc_srv_add_link(struct smc_link *link) + goto out_err; + return 0; + out_err: ++ link_new->state = SMC_LNK_INACTIVE; + smcr_link_clear(link_new, false); + return rc; + } +@@ -1286,10 +1288,8 @@ static void smc_llc_process_cli_delete_link(struct smc_link_group *lgr) + del_llc->reason = 0; + smc_llc_send_message(lnk, &qentry->msg); /* response */ + +- if (smc_link_downing(&lnk_del->state)) { +- if (smc_switch_conns(lgr, lnk_del, false)) +- 
smc_wr_tx_wait_no_pending_sends(lnk_del); +- } ++ if (smc_link_downing(&lnk_del->state)) ++ smc_switch_conns(lgr, lnk_del, false); + smcr_link_clear(lnk_del, true); + + active_links = smc_llc_active_link_count(lgr); +@@ -1805,8 +1805,6 @@ void smc_llc_link_clear(struct smc_link *link, bool log) + link->smcibdev->ibdev->name, link->ibport); + complete(&link->llc_testlink_resp); + cancel_delayed_work_sync(&link->llc_testlink_wrk); +- smc_wr_wakeup_reg_wait(link); +- smc_wr_wakeup_tx_wait(link); + } + + /* register a new rtoken at the remote peer (for all links) */ +diff --git a/net/smc/smc_tx.c b/net/smc/smc_tx.c +index 4532c16bf85e..ff02952b3d03 100644 +--- a/net/smc/smc_tx.c ++++ b/net/smc/smc_tx.c +@@ -479,7 +479,7 @@ static int smc_tx_rdma_writes(struct smc_connection *conn, + /* Wakeup sndbuf consumers from any context (IRQ or process) + * since there is more data to transmit; usable snd_wnd as max transmit + */ +-static int smcr_tx_sndbuf_nonempty(struct smc_connection *conn) ++static int _smcr_tx_sndbuf_nonempty(struct smc_connection *conn) + { + struct smc_cdc_producer_flags *pflags = &conn->local_tx_ctrl.prod_flags; + struct smc_link *link = conn->lnk; +@@ -533,6 +533,22 @@ out_unlock: + return rc; + } + ++static int smcr_tx_sndbuf_nonempty(struct smc_connection *conn) ++{ ++ struct smc_link *link = conn->lnk; ++ int rc = -ENOLINK; ++ ++ if (!link) ++ return rc; ++ ++ atomic_inc(&link->wr_tx_refcnt); ++ if (smc_link_usable(link)) ++ rc = _smcr_tx_sndbuf_nonempty(conn); ++ if (atomic_dec_and_test(&link->wr_tx_refcnt)) ++ wake_up_all(&link->wr_tx_wait); ++ return rc; ++} ++ + static int smcd_tx_sndbuf_nonempty(struct smc_connection *conn) + { + struct smc_cdc_producer_flags *pflags = &conn->local_tx_ctrl.prod_flags; +diff --git a/net/smc/smc_wr.c b/net/smc/smc_wr.c +index 1e23cdd41eb1..9dbe4804853e 100644 +--- a/net/smc/smc_wr.c ++++ b/net/smc/smc_wr.c +@@ -322,9 +322,12 @@ int smc_wr_reg_send(struct smc_link *link, struct ib_mr *mr) + if (rc) + return rc; + 
++ atomic_inc(&link->wr_reg_refcnt); + rc = wait_event_interruptible_timeout(link->wr_reg_wait, + (link->wr_reg_state != POSTED), + SMC_WR_REG_MR_WAIT_TIME); ++ if (atomic_dec_and_test(&link->wr_reg_refcnt)) ++ wake_up_all(&link->wr_reg_wait); + if (!rc) { + /* timeout - terminate link */ + smcr_link_down_cond_sched(link); +@@ -566,10 +569,15 @@ void smc_wr_free_link(struct smc_link *lnk) + return; + ibdev = lnk->smcibdev->ibdev; + ++ smc_wr_wakeup_reg_wait(lnk); ++ smc_wr_wakeup_tx_wait(lnk); ++ + if (smc_wr_tx_wait_no_pending_sends(lnk)) + memset(lnk->wr_tx_mask, 0, + BITS_TO_LONGS(SMC_WR_BUF_CNT) * + sizeof(*lnk->wr_tx_mask)); ++ wait_event(lnk->wr_reg_wait, (!atomic_read(&lnk->wr_reg_refcnt))); ++ wait_event(lnk->wr_tx_wait, (!atomic_read(&lnk->wr_tx_refcnt))); + + if (lnk->wr_rx_dma_addr) { + ib_dma_unmap_single(ibdev, lnk->wr_rx_dma_addr, +@@ -730,7 +738,9 @@ int smc_wr_create_link(struct smc_link *lnk) + memset(lnk->wr_tx_mask, 0, + BITS_TO_LONGS(SMC_WR_BUF_CNT) * sizeof(*lnk->wr_tx_mask)); + init_waitqueue_head(&lnk->wr_tx_wait); ++ atomic_set(&lnk->wr_tx_refcnt, 0); + init_waitqueue_head(&lnk->wr_reg_wait); ++ atomic_set(&lnk->wr_reg_refcnt, 0); + return rc; + + dma_unmap: +-- +2.30.2 + diff --git a/queue-5.10/netfilter-nf_conntrack_bridge-fix-memory-leak-when-e.patch b/queue-5.10/netfilter-nf_conntrack_bridge-fix-memory-leak-when-e.patch new file mode 100644 index 00000000000..935ee32d75d --- /dev/null +++ b/queue-5.10/netfilter-nf_conntrack_bridge-fix-memory-leak-when-e.patch 
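Review bot: `smc_wr_reg_send()` takes its reference with `atomic_inc(&link->wr_reg_refcnt)` and goes straight into `wait_event_interruptible_timeout()`, without the `smc_link_usable(link)` re-check that the new `smcr_tx_sndbuf_nonempty()` wrapper performs after its own `atomic_inc`. `smc_wr_free_link()` wakes the waiters and then waits for both counters to reach zero, so a caller that increments only after that `wait_event()` has already observed zero is not covered by the count. Whether callers rule this out is not visible in these hunks, which cut through the enclosing functions. Consider re-checking the link state after the increment in `smc_wr_reg_send()` as well, or add a comment on `wr_tx_refcnt` and `wr_reg_refcnt` in `struct smc_link` stating which state change must precede `smc_wr_free_link()` for the counts to be sufficient.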
@@ -0,0 +1,43 @@
+From b8a0c4586a2d90926351aefe20a00f4926e1aa40 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 29 Jul 2021 16:20:21 +0800
+Subject: netfilter: nf_conntrack_bridge: Fix memory leak when error
+
+From: Yajun Deng
+
+[ Upstream commit 38ea9def5b62f9193f6bad96c5d108e2830ecbde ]
+
+It should be added kfree_skb_list() when err is not equal to zero
+in nf_br_ip_fragment().
+
+v2: keep this aligned with IPv6.
+v3: modify iter.frag_list to iter.frag.
+
+Fixes: 3c171f496ef5 ("netfilter: bridge: add connection tracking system")
+Signed-off-by: Yajun Deng
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+---
+ net/bridge/netfilter/nf_conntrack_bridge.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/net/bridge/netfilter/nf_conntrack_bridge.c b/net/bridge/netfilter/nf_conntrack_bridge.c
+index 8d033a75a766..fdbed3158555 100644
+--- a/net/bridge/netfilter/nf_conntrack_bridge.c
++++ b/net/bridge/netfilter/nf_conntrack_bridge.c
+@@ -88,6 +88,12 @@ static int nf_br_ip_fragment(struct net *net, struct sock *sk,
+
+ skb = ip_fraglist_next(&iter);
+ }
++
++ if (!err)
++ return 0;
++
++ kfree_skb_list(iter.frag);
++
+ return err;
+ }
+ slow_path:
+--
+2.30.2
+
diff --git a/queue-5.10/pinctrl-mediatek-fix-fallback-behavior-for-bias_set_.patch b/queue-5.10/pinctrl-mediatek-fix-fallback-behavior-for-bias_set_.patch
new file mode 100644
index 00000000000..8e0d4e1c01a
--- /dev/null
+++ b/queue-5.10/pinctrl-mediatek-fix-fallback-behavior-for-bias_set_.patch
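Review bot: In nf_br_ip_fragment() the new error path frees `iter.frag` with no comment saying what that pointer holds at that point; from the hunk it looks like the head of the fragments that were not yet handed to the output callback, but that is inferred, because the loop starts outside the hunk. A one-line comment above `kfree_skb_list(iter.frag);`, such as `/* on error, free the fragments still queued behind the one that failed */`, would make the ownership rule visible to the next reader (assuming that reading is right). The two-step `if (!err) return 0;` followed by `return err;` could also be the single guard `if (err) kfree_skb_list(iter.frag);` ahead of the existing `return err;`, although the commit message says the shape is kept aligned with the IPv6 code.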
@@ -0,0 +1,52 @@
+From d30449f2afe75f1f35f51a044e90294abc2ffdf1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 1 Jul 2021 16:09:55 +0800
+Subject: pinctrl: mediatek: Fix fallback behavior for bias_set_combo
+
+From: Hsin-Yi Wang
+
+[ Upstream commit 798a315fc359aa6dbe48e09d802aa59b7e158ffc ]
+
+Some pin doesn't support PUPD register, if it fails and fallbacks with
+bias_set_combo case, it will call mtk_pinconf_bias_set_pupd_r1_r0() to
+modify the PUPD pin again.
+
+Since the general bias set are either PU/PD or PULLSEL/PULLEN, try
+bias_set or bias_set_rev1 for the other fallback case. If the pin
+doesn't support neither PU/PD nor PULLSEL/PULLEN, it will return
+-ENOTSUPP.
+
+Fixes: 81bd1579b43e ("pinctrl: mediatek: Fix fallback call path")
+Signed-off-by: Hsin-Yi Wang
+Reviewed-by: Chen-Yu Tsai
+Reviewed-by: Zhiyong Tao
+Link: https://lore.kernel.org/r/20210701080955.2660294-1-hsinyi@chromium.org
+Signed-off-by: Linus Walleij
+Signed-off-by: Sasha Levin
+---
+ drivers/pinctrl/mediatek/pinctrl-mtk-common-v2.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/pinctrl/mediatek/pinctrl-mtk-common-v2.c b/drivers/pinctrl/mediatek/pinctrl-mtk-common-v2.c
+index 7815426e7aea..10002b8497fe 100644
+--- a/drivers/pinctrl/mediatek/pinctrl-mtk-common-v2.c
++++ b/drivers/pinctrl/mediatek/pinctrl-mtk-common-v2.c
+@@ -926,12 +926,10 @@ int mtk_pinconf_adv_pull_set(struct mtk_pinctrl *hw,
+ err = hw->soc->bias_set(hw, desc, pullup);
+ if (err)
+ return err;
+- } else if (hw->soc->bias_set_combo) {
+- err = hw->soc->bias_set_combo(hw, desc, pullup, arg);
+- if (err)
+- return err;
+ } else {
+- return -ENOTSUPP;
++ err = mtk_pinconf_bias_set_rev1(hw, desc, pullup);
++ if (err)
++ err = mtk_pinconf_bias_set(hw, desc, pullup);
+ }
+ }
+
+--
+2.30.2
+
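Review bot: The new `else` branch in mtk_pinconf_adv_pull_set() falls out of the block with `err` still set instead of returning it, unlike the `bias_set` branch just above, which does `if (err) return err;`; whether that value reaches the caller is decided after the hunk, which is not visible here. The branch also discards the first helper's error code once the second helper is tried, and nothing says that this is deliberate. A short comment would cover both, for example `/* no soc->bias_set: try the rev1 helper first, then the plain one; only the last error is reported */`, and an explicit `if (err) return err;` after the second call would match the sibling branch.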
diff --git a/queue-5.10/pinctrl-tigerlake-fix-gpio-mapping-for-newer-version.patch b/queue-5.10/pinctrl-tigerlake-fix-gpio-mapping-for-newer-version.patch
new file mode 100644
index 00000000000..9a9618b61bc
--- /dev/null
+++ b/queue-5.10/pinctrl-tigerlake-fix-gpio-mapping-for-newer-version.patch
@@ -0,0 +1,83 @@
+From f088bf5351615e87b4cd29662098fa6e9d03996b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 4 Aug 2021 14:21:41 +0300
+Subject: pinctrl: tigerlake: Fix GPIO mapping for newer version of software
+
+From: Andy Shevchenko
+
+[ Upstream commit 2f658f7a3953f6d70bab90e117aff8d0ad44e200 ]
+
+The software mapping for GPIO, which initially comes from Microsoft,
+is subject to change by respective Windows and firmware developers.
+Due to the above the driver had been written and published way ahead
+of the schedule, and thus the numbering schema used in it is outdated.
+
+Fix the numbering schema in accordance with the real products on market.
+
+Fixes: 653d96455e1e ("pinctrl: tigerlake: Add support for Tiger Lake-H")
+Reported-and-tested-by: Kai-Heng Feng
+Reported-by: Riccardo Mori
+Reported-and-tested-by: Lovesh
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=213463
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=213579
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=213857
+Signed-off-by: Andy Shevchenko
+Acked-by: Mika Westerberg
+Signed-off-by: Sasha Levin
+---
+ drivers/pinctrl/intel/pinctrl-tigerlake.c | 26 +++++++++++------------
+ 1 file changed, 13 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/pinctrl/intel/pinctrl-tigerlake.c b/drivers/pinctrl/intel/pinctrl-tigerlake.c
+index 3e354e02f408..bed769d99b8b 100644
+--- a/drivers/pinctrl/intel/pinctrl-tigerlake.c
++++ b/drivers/pinctrl/intel/pinctrl-tigerlake.c
+@@ -701,32 +701,32 @@ static const struct pinctrl_pin_desc tglh_pins[] = {
+
+ static const struct intel_padgroup tglh_community0_gpps[] = {
+ TGL_GPP(0, 0, 24, 0), /* GPP_A */
+- TGL_GPP(1, 25, 44, 128), /* GPP_R */
+- TGL_GPP(2, 45, 70, 32), /* GPP_B */
+- TGL_GPP(3, 71, 78, INTEL_GPIO_BASE_NOMAP), /* vGPIO_0 */
++ TGL_GPP(1, 25, 44, 32), /* GPP_R */
++ TGL_GPP(2, 45, 70, 64), /* GPP_B */
++ TGL_GPP(3, 71, 78, 96), /* vGPIO_0 */
+ };
+
+ static const struct intel_padgroup tglh_community1_gpps[] = {
+- TGL_GPP(0, 79, 104, 96), /* GPP_D */
+- TGL_GPP(1, 105, 128, 64), /* GPP_C */
+- TGL_GPP(2, 129, 136, 160), /* GPP_S */
+- TGL_GPP(3, 137, 153, 192), /* GPP_G */
+- TGL_GPP(4, 154, 180, 224), /* vGPIO */
++ TGL_GPP(0, 79, 104, 128), /* GPP_D */
++ TGL_GPP(1, 105, 128, 160), /* GPP_C */
++ TGL_GPP(2, 129, 136, 192), /* GPP_S */
++ TGL_GPP(3, 137, 153, 224), /* GPP_G */
++ TGL_GPP(4, 154, 180, 256), /* vGPIO */
+ };
+
+ static const struct intel_padgroup tglh_community3_gpps[] = {
+- TGL_GPP(0, 181, 193, 256), /* GPP_E */
+- TGL_GPP(1, 194, 217, 288), /* GPP_F */
++ TGL_GPP(0, 181, 193, 288), /* GPP_E */
++ TGL_GPP(1, 194, 217, 320), /* GPP_F */
+ };
+
+ static const struct intel_padgroup tglh_community4_gpps[] = {
+- TGL_GPP(0, 218, 241, 320), /* GPP_H */
++ TGL_GPP(0, 218, 241, 352), /* GPP_H */
+ TGL_GPP(1, 242, 251, 384), /* GPP_J */
+- TGL_GPP(2, 252, 266, 352), /* GPP_K */
++ TGL_GPP(2, 252, 266, 416), /* GPP_K */
+ };
+
+ static const struct intel_padgroup tglh_community5_gpps[] = {
+- TGL_GPP(0, 267, 281, 416), /* GPP_I */
++ TGL_GPP(0, 267, 281, 448), /* GPP_I */
+ TGL_GPP(1, 282, 290, INTEL_GPIO_BASE_NOMAP), /* JTAG */
+ };
+
+--
+2.30.2
+
diff --git a/queue-5.10/platform-x86-pcengines-apuv2-add-missing-terminating.patch b/queue-5.10/platform-x86-pcengines-apuv2-add-missing-terminating.patch
new file mode 100644
index 00000000000..25090b70753
--- /dev/null
+++ b/queue-5.10/platform-x86-pcengines-apuv2-add-missing-terminating.patch
@@ -0,0 +1,50 @@
+From fc76311915393bd2bf4bb3d3b1761838e5c8e1bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 6 Aug 2021 13:55:15 +0200
+Subject: platform/x86: pcengines-apuv2: Add missing terminating entries to
+ gpio-lookup tables
+
+From: Hans de Goede
+
+[ Upstream commit 9d7b132e62e41b7d49bf157aeaf9147c27492e0f ]
+
+The gpiod_lookup_table.table passed to gpiod_add_lookup_table() must
+be terminated with an empty entry, add this.
+
+Note we have likely been getting away with this not being present because
+the GPIO lookup code first matches on the dev_id, causing most lookups to
+skip checking the table and the lookups which do check the table will
+find a matching entry before reaching the end. With that said, terminating
+these tables properly still is obviously the correct thing to do.
+
+Fixes: f8eb0235f659 ("x86: pcengines apuv2 gpio/leds/keys platform driver")
+Signed-off-by: Hans de Goede
+Link: https://lore.kernel.org/r/20210806115515.12184-1-hdegoede@redhat.com
+Signed-off-by: Sasha Levin
+---
+ drivers/platform/x86/pcengines-apuv2.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/platform/x86/pcengines-apuv2.c b/drivers/platform/x86/pcengines-apuv2.c
+index c37349f97bb8..d063d91db9bc 100644
+--- a/drivers/platform/x86/pcengines-apuv2.c
++++ b/drivers/platform/x86/pcengines-apuv2.c
+@@ -94,6 +94,7 @@ static struct gpiod_lookup_table gpios_led_table = {
+ NULL, 1, GPIO_ACTIVE_LOW),
+ GPIO_LOOKUP_IDX(AMD_FCH_GPIO_DRIVER_NAME, APU2_GPIO_LINE_LED3,
+ NULL, 2, GPIO_ACTIVE_LOW),
++ {} /* Terminating entry */
+ }
+ };
+
+@@ -123,6 +124,7 @@ static struct gpiod_lookup_table gpios_key_table = {
+ .table = {
+ GPIO_LOOKUP_IDX(AMD_FCH_GPIO_DRIVER_NAME, APU2_GPIO_LINE_MODESW,
+ NULL, 0, GPIO_ACTIVE_LOW),
++ {} /* Terminating entry */
+ }
+ };
+
+--
+2.30.2
+
diff --git a/queue-5.10/ppp-fix-generating-ifname-when-empty-ifla_ifname-is-.patch b/queue-5.10/ppp-fix-generating-ifname-when-empty-ifla_ifname-is-.patch
new file mode 100644
index 00000000000..2b2d26e2d2f
--- /dev/null
+++ b/queue-5.10/ppp-fix-generating-ifname-when-empty-ifla_ifname-is-.patch
@@ -0,0 +1,58 @@
+From 70a334a96760579ba9fab179546fb11eb5ffba25 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 7 Aug 2021 15:27:03 +0200
+Subject: ppp: Fix generating ifname when empty IFLA_IFNAME is specified
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár
+
+[ Upstream commit 2459dcb96bcba94c08d6861f8a050185ff301672 ]
+
+IFLA_IFNAME is nul-term string which means that IFLA_IFNAME buffer can be
+larger than length of string which contains.
+
+Function __rtnl_newlink() generates new own ifname if either IFLA_IFNAME
+was not specified at all or userspace passed empty nul-term string.
+
+It is expected that if userspace does not specify ifname for new ppp netdev
+then kernel generates one in format "ppp" where id matches to the ppp
+unit id which can be later obtained by PPPIOCGUNIT ioctl.
+
+And it works in this way if IFLA_IFNAME is not specified at all. But it
+does not work when IFLA_IFNAME is specified with empty string.
+
+So fix this logic also for empty IFLA_IFNAME in ppp_nl_newlink() function
+and correctly generates ifname based on ppp unit identifier if userspace
+did not provided preferred ifname.
+
+Without this patch when IFLA_IFNAME was specified with empty string then
+kernel created a new ppp interface in format "ppp" but id did not
+match ppp unit id returned by PPPIOCGUNIT ioctl. In this case id was some
+number generated by __rtnl_newlink() function.
+
+Signed-off-by: Pali Rohár
+Fixes: bb8082f69138 ("ppp: build ifname using unit identifier for rtnl based devices")
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ppp/ppp_generic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
+index f7a13529e4ad..33b2e0fb68bb 100644
+--- a/drivers/net/ppp/ppp_generic.c
++++ b/drivers/net/ppp/ppp_generic.c
+@@ -1207,7 +1207,7 @@ static int ppp_nl_newlink(struct net *src_net, struct net_device *dev,
+ * the PPP unit identifer as suffix (i.e. ppp). This allows
+ * userspace to infer the device name using to the PPPIOCGUNIT ioctl.
+ */
+- if (!tb[IFLA_IFNAME])
++ if (!tb[IFLA_IFNAME] || !nla_len(tb[IFLA_IFNAME]) || !*(char *)nla_data(tb[IFLA_IFNAME]))
+ conf.ifname_is_set = false;
+
+ err = ppp_dev_configure(src_net, dev, &conf);
+--
+2.30.2
+
diff --git a/queue-5.10/psample-add-a-fwd-declaration-for-skbuff.patch b/queue-5.10/psample-add-a-fwd-declaration-for-skbuff.patch
new file mode 100644
index 00000000000..e6fa90df996
--- /dev/null
+++ b/queue-5.10/psample-add-a-fwd-declaration-for-skbuff.patch
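Review bot: The comment above the `IFLA_IFNAME` check in ppp_nl_newlink() is not updated for the new condition: it begins outside the hunk, and its visible tail gives no hint that a zero-length or empty-string attribute is now treated like a missing one. Suggest adding a line to it such as `* An empty IFLA_IFNAME is handled the same as a missing one.` The three-clause test is also long enough to be hard to scan; putting one clause per line, or moving it into a small `static bool` helper, would keep the `nla_len()` check visibly ahead of the `nla_data()` dereference, which is what keeps that one-byte read inside the attribute payload.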
@@ -0,0 +1,37 @@
+From 9746793d4a387359ad98d17b189744272937c74f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 8 Aug 2021 09:52:42 +0300
+Subject: psample: Add a fwd declaration for skbuff
+
+From: Roi Dayan
+
+[ Upstream commit beb7f2de5728b0bd2140a652fa51f6ad85d159f7 ]
+
+Without this there is a warning if source files include psample.h
+before skbuff.h or doesn't include it at all.
+
+Fixes: 6ae0a6286171 ("net: Introduce psample, a new genetlink channel for packet sampling")
+Signed-off-by: Roi Dayan
+Link: https://lore.kernel.org/r/20210808065242.1522535-1-roid@nvidia.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ include/net/psample.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/include/net/psample.h b/include/net/psample.h
+index 68ae16bb0a4a..20a17551f790 100644
+--- a/include/net/psample.h
++++ b/include/net/psample.h
+@@ -18,6 +18,8 @@ struct psample_group *psample_group_get(struct net *net, u32 group_num);
+ void psample_group_take(struct psample_group *group);
+ void psample_group_put(struct psample_group *group);
+
++struct sk_buff;
++
+ #if IS_ENABLED(CONFIG_PSAMPLE)
+
+ void psample_sample_packet(struct psample_group *group, struct sk_buff *skb,
+--
+2.30.2
+
diff --git a/queue-5.10/series b/queue-5.10/series
new file mode 100644
index 00000000000..90e3b9f988a
--- /dev/null
+++ b/queue-5.10/series
@@ -0,0 +1,46 @@
+ieee802154-hwsim-fix-gpf-in-hwsim_set_edge_lqi.patch
+ieee802154-hwsim-fix-gpf-in-hwsim_new_edge_nl.patch
+pinctrl-mediatek-fix-fallback-behavior-for-bias_set_.patch
+asoc-cs42l42-correct-definition-of-adc-volume-contro.patch
+asoc-cs42l42-don-t-allow-snd_soc_daifmt_left_j.patch
+interconnect-qcom-icc-rpmh-add-bcms-to-commit-list-i.patch
+asoc-sof-intel-hda-ipc-fix-reply-size-checking.patch
+asoc-cs42l42-fix-inversion-of-adc-notch-switch-contr.patch
+asoc-cs42l42-remove-duplicate-control-for-wnf-filter.patch
+netfilter-nf_conntrack_bridge-fix-memory-leak-when-e.patch
+pinctrl-tigerlake-fix-gpio-mapping-for-newer-version.patch
+asoc-cs42l42-fix-lrclk-frame-start-edge.patch
+net-dsa-mt7530-add-the-missing-rxunicast-mib-counter.patch
+net-mvvp2-fix-short-frame-size-on-s390.patch
+platform-x86-pcengines-apuv2-add-missing-terminating.patch
+libbpf-fix-probe-for-bpf_prog_type_cgroup_sockopt.patch
+bpf-fix-integer-overflow-involving-bucket_size.patch
+net-phy-micrel-fix-link-detection-on-ksz87xx-switch.patch
+ppp-fix-generating-ifname-when-empty-ifla_ifname-is-.patch
+net-smc-fix-wait-on-already-cleared-link.patch
+net-sched-act_mirred-reset-ct-info-when-mirror-redir.patch
+ice-prevent-probing-virtual-functions.patch
+ice-don-t-remove-netdev-dev_addr-from-uc-sync-list.patch
+iavf-set-rss-lut-and-key-in-reset-handle-path.patch
+psample-add-a-fwd-declaration-for-skbuff.patch
+bareudp-fix-invalid-read-beyond-skb-s-linear-data.patch
+net-mlx5-synchronize-correct-irq-when-destroying-cq.patch
+net-mlx5-fix-return-value-from-tracer-initialization.patch
+drm-meson-fix-colour-distortion-from-hdr-set-during-.patch
+net-dsa-microchip-fix-ksz_read64.patch
+net-dsa-microchip-ksz8795-fix-vlan-filtering.patch
+net-fix-memory-leak-in-ieee802154_raw_deliver.patch
+net-igmp-fix-data-race-in-igmp_ifc_timer_expire.patch
+net-dsa-lan9303-fix-broken-backpressure-in-.port_fdb.patch
+net-dsa-lantiq-fix-broken-backpressure-in-.port_fdb_.patch
+net-dsa-sja1105-fix-broken-backpressure-in-.port_fdb.patch
+net-bridge-validate-the-nud_permanent-bit-when-addin.patch
+net-bridge-fix-flags-interpretation-for-extern-learn.patch
+net-bridge-fix-memleak-in-br_add_if.patch
+net-linkwatch-fix-failure-to-restore-device-state-ac.patch
+tcp_bbr-fix-u32-wrap-bug-in-round-logic-if-bbr_init-.patch
+net-igmp-increase-size-of-mr_ifc_count.patch
+drm-i915-only-access-sfc_done-when-media-domain-is-n.patch
+xen-events-fix-race-in-set_evtchn_to_irq.patch
+vsock-virtio-avoid-potential-deadlock-when-vsock-dev.patch
+nbd-aovid-double-completion-of-a-request.patch
diff --git a/queue-5.10/tcp_bbr-fix-u32-wrap-bug-in-round-logic-if-bbr_init-.patch b/queue-5.10/tcp_bbr-fix-u32-wrap-bug-in-round-logic-if-bbr_init-.patch
new file mode 100644
index 00000000000..b3ac9b4f476
--- /dev/null
+++ b/queue-5.10/tcp_bbr-fix-u32-wrap-bug-in-round-logic-if-bbr_init-.patch
@@ -0,0 +1,67 @@
+From d6cea02c543e85782f85981f959e518e4afca161 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 10 Aug 2021 22:40:56 -0400
+Subject: tcp_bbr: fix u32 wrap bug in round logic if bbr_init() called after
+ 2B packets
+
+From: Neal Cardwell
+
+[ Upstream commit 6de035fec045f8ae5ee5f3a02373a18b939e91fb ]
+
+Currently if BBR congestion control is initialized after more than 2B
+packets have been delivered, depending on the phase of the
+tp->delivered counter the tracking of BBR round trips can get stuck.
+
+The bug arises because if tp->delivered is between 2^31 and 2^32 at
+the time the BBR congestion control module is initialized, then the
+initialization of bbr->next_rtt_delivered to 0 will cause the logic to
+believe that the end of the round trip is still billions of packets in
+the future. More specifically, the following check will fail
+repeatedly:
+
+ !before(rs->prior_delivered, bbr->next_rtt_delivered)
+
+and thus the connection will take up to 2B packets delivered before
+that check will pass and the connection will set:
+
+ bbr->round_start = 1;
+
+This could cause many mechanisms in BBR to fail to trigger, for
+example bbr_check_full_bw_reached() would likely never exit STARTUP.
+
+This bug is 5 years old and has not been observed, and as a practical
+matter this would likely rarely trigger, since it would require
+transferring at least 2B packets, or likely more than 3 terabytes of
+data, before switching congestion control algorithms to BBR.
+
+This patch is a stable candidate for kernels as far back as v4.9,
+when tcp_bbr.c was added.
+
+Fixes: 0f8782ea1497 ("tcp_bbr: add BBR congestion control")
+Signed-off-by: Neal Cardwell
+Reviewed-by: Yuchung Cheng
+Reviewed-by: Kevin Yang
+Reviewed-by: Eric Dumazet
+Link: https://lore.kernel.org/r/20210811024056.235161-1-ncardwell@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/tcp_bbr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv4/tcp_bbr.c b/net/ipv4/tcp_bbr.c
+index 6ea3dc2e4219..6274462b86b4 100644
+--- a/net/ipv4/tcp_bbr.c
++++ b/net/ipv4/tcp_bbr.c
+@@ -1041,7 +1041,7 @@ static void bbr_init(struct sock *sk)
+ bbr->prior_cwnd = 0;
+ tp->snd_ssthresh = TCP_INFINITE_SSTHRESH;
+ bbr->rtt_cnt = 0;
+- bbr->next_rtt_delivered = 0;
++ bbr->next_rtt_delivered = tp->delivered;
+ bbr->prev_ca_state = TCP_CA_Open;
+ bbr->packet_conservation = 0;
+
+--
+2.30.2
+
diff --git a/queue-5.10/vsock-virtio-avoid-potential-deadlock-when-vsock-dev.patch b/queue-5.10/vsock-virtio-avoid-potential-deadlock-when-vsock-dev.patch
new file mode 100644
index 00000000000..ba13e3e8716
--- /dev/null
+++ b/queue-5.10/vsock-virtio-avoid-potential-deadlock-when-vsock-dev.patch
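Review bot: `bbr->next_rtt_delivered = tp->delivered;` in bbr_init() carries no comment, so the reason it differs from the zero-initialised fields around it is recorded only in the commit message. A short comment would keep a later cleanup from setting it back to 0, for example `/* start the round at the current delivered count; with 0 the wrap-safe before() check can stay false for up to 2B packets */`. The wording is taken from the commit description; bbr_init() starts and ends outside the hunk.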
@@ -0,0 +1,77 @@
+From 2c2ca2b6a3b5cba3a1b86688315a02bc81c53a0d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 12 Aug 2021 13:30:56 +0800
+Subject: vsock/virtio: avoid potential deadlock when vsock device remove
+
+From: Longpeng(Mike)
+
+[ Upstream commit 49b0b6ffe20c5344f4173f3436298782a08da4f2 ]
+
+There's a potential deadlock case when remove the vsock device or
+process the RESET event:
+
+ vsock_for_each_connected_socket:
+ spin_lock_bh(&vsock_table_lock) ----------- (1)
+ ...
+ virtio_vsock_reset_sock:
+ lock_sock(sk) --------------------- (2)
+ ...
+ spin_unlock_bh(&vsock_table_lock)
+
+lock_sock() may do initiative schedule when the 'sk' is owned by
+other thread at the same time, we would receivce a warning message
+that "scheduling while atomic".
+
+Even worse, if the next task (selected by the scheduler) try to
+release a 'sk', it need to request vsock_table_lock and the deadlock
+occur, cause the system into softlockup state.
+ Call trace:
+ queued_spin_lock_slowpath
+ vsock_remove_bound
+ vsock_remove_sock
+ virtio_transport_release
+ __vsock_release
+ vsock_release
+ __sock_release
+ sock_close
+ __fput
+ ____fput
+
+So we should not require sk_lock in this case, just like the behavior
+in vhost_vsock or vmci.
+
+Fixes: 0ea9e1d3a9e3 ("VSOCK: Introduce virtio_transport.ko")
+Cc: Stefan Hajnoczi
+Signed-off-by: Longpeng(Mike)
+Reviewed-by: Stefano Garzarella
+Link: https://lore.kernel.org/r/20210812053056.1699-1-longpeng2@huawei.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/vmw_vsock/virtio_transport.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/net/vmw_vsock/virtio_transport.c b/net/vmw_vsock/virtio_transport.c
+index 2700a63ab095..3a056f8affd1 100644
+--- a/net/vmw_vsock/virtio_transport.c
++++ b/net/vmw_vsock/virtio_transport.c
+@@ -356,11 +356,14 @@ static void virtio_vsock_event_fill(struct virtio_vsock *vsock)
+
+ static void virtio_vsock_reset_sock(struct sock *sk)
+ {
+- lock_sock(sk);
++ /* vmci_transport.c doesn't take sk_lock here either. At least we're
++ * under vsock_table_lock so the sock cannot disappear while we're
++ * executing.
++ */
++
+ sk->sk_state = TCP_CLOSE;
+ sk->sk_err = ECONNRESET;
+ sk->sk_error_report(sk);
+- release_sock(sk);
+ }
+
+ static void virtio_vsock_update_guest_cid(struct virtio_vsock *vsock)
+--
+2.30.2
+
diff --git a/queue-5.10/xen-events-fix-race-in-set_evtchn_to_irq.patch b/queue-5.10/xen-events-fix-race-in-set_evtchn_to_irq.patch
new file mode 100644
index 00000000000..2176442a8c6
--- /dev/null
+++ b/queue-5.10/xen-events-fix-race-in-set_evtchn_to_irq.patch
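Review bot: The new comment in virtio_vsock_reset_sock() explains why the socket cannot be freed (the caller holds vsock_table_lock) but not why `sk->sk_state` and `sk->sk_err` may now be written while another thread owns the socket lock. If those unlocked stores are intended and readers tolerate them, the comment should say so, for example by adding `* sk_state and sk_err are updated without sk_lock; a concurrent owner may see either value.`; if they are not, the two stores probably want `WRITE_ONCE()`. Whether any reader relies on sk_lock for these fields cannot be judged from this hunk.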
@@ -0,0 +1,127 @@
+From 2915442f34a39458066b9e24424b88261b3fef1f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 12 Aug 2021 13:09:27 +0000
+Subject: xen/events: Fix race in set_evtchn_to_irq
+
+From: Maximilian Heyne
+
+[ Upstream commit 88ca2521bd5b4e8b83743c01a2d4cb09325b51e9 ]
+
+There is a TOCTOU issue in set_evtchn_to_irq. Rows in the evtchn_to_irq
+mapping are lazily allocated in this function. The check whether the row
+is already present and the row initialization is not synchronized. Two
+threads can at the same time allocate a new row for evtchn_to_irq and
+add the irq mapping to the their newly allocated row. One thread will
+overwrite what the other has set for evtchn_to_irq[row] and therefore
+the irq mapping is lost. This will trigger a BUG_ON later in
+bind_evtchn_to_cpu:
+
+ INFO: pci 0000:1a:15.4: [1d0f:8061] type 00 class 0x010802
+ INFO: nvme 0000:1a:12.1: enabling device (0000 -> 0002)
+ INFO: nvme nvme77: 1/0/0 default/read/poll queues
+ CRIT: kernel BUG at drivers/xen/events/events_base.c:427!
+ WARN: invalid opcode: 0000 [#1] SMP NOPTI
+ WARN: Workqueue: nvme-reset-wq nvme_reset_work [nvme]
+ WARN: RIP: e030:bind_evtchn_to_cpu+0xc2/0xd0
+ WARN: Call Trace:
+ WARN: set_affinity_irq+0x121/0x150
+ WARN: irq_do_set_affinity+0x37/0xe0
+ WARN: irq_setup_affinity+0xf6/0x170
+ WARN: irq_startup+0x64/0xe0
+ WARN: __setup_irq+0x69e/0x740
+ WARN: ? request_threaded_irq+0xad/0x160
+ WARN: request_threaded_irq+0xf5/0x160
+ WARN: ? nvme_timeout+0x2f0/0x2f0 [nvme]
+ WARN: pci_request_irq+0xa9/0xf0
+ WARN: ? pci_alloc_irq_vectors_affinity+0xbb/0x130
+ WARN: queue_request_irq+0x4c/0x70 [nvme]
+ WARN: nvme_reset_work+0x82d/0x1550 [nvme]
+ WARN: ? check_preempt_wakeup+0x14f/0x230
+ WARN: ? check_preempt_curr+0x29/0x80
+ WARN: ? nvme_irq_check+0x30/0x30 [nvme]
+ WARN: process_one_work+0x18e/0x3c0
+ WARN: worker_thread+0x30/0x3a0
+ WARN: ? process_one_work+0x3c0/0x3c0
+ WARN: kthread+0x113/0x130
+ WARN: ? kthread_park+0x90/0x90
+ WARN: ret_from_fork+0x3a/0x50
+
+This patch sets evtchn_to_irq rows via a cmpxchg operation so that they
+will be set only once. The row is now cleared before writing it to
+evtchn_to_irq in order to not create a race once the row is visible for
+other threads.
+
+While at it, do not require the page to be zeroed, because it will be
+overwritten with -1's in clear_evtchn_to_irq_row anyway.
+
+Signed-off-by: Maximilian Heyne
+Fixes: d0b075ffeede ("xen/events: Refactor evtchn_to_irq array to be dynamically allocated")
+Link: https://lore.kernel.org/r/20210812130930.127134-1-mheyne@amazon.de
+Reviewed-by: Boris Ostrovsky
+Signed-off-by: Boris Ostrovsky
+Signed-off-by: Sasha Levin
+---
+ drivers/xen/events/events_base.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/xen/events/events_base.c b/drivers/xen/events/events_base.c
+index af0f6ad32522..fba78daee449 100644
+--- a/drivers/xen/events/events_base.c
++++ b/drivers/xen/events/events_base.c
+@@ -192,12 +192,12 @@ static void disable_dynirq(struct irq_data *data);
+
+ static DEFINE_PER_CPU(unsigned int, irq_epoch);
+
+-static void clear_evtchn_to_irq_row(unsigned row)
++static void clear_evtchn_to_irq_row(int *evtchn_row)
+ {
+ unsigned col;
+
+ for (col = 0; col < EVTCHN_PER_ROW; col++)
+- WRITE_ONCE(evtchn_to_irq[row][col], -1);
++ WRITE_ONCE(evtchn_row[col], -1);
+ }
+
+ static void clear_evtchn_to_irq_all(void)
+@@ -207,7 +207,7 @@ static void clear_evtchn_to_irq_all(void)
+ for (row = 0; row < EVTCHN_ROW(xen_evtchn_max_channels()); row++) {
+ if (evtchn_to_irq[row] == NULL)
+ continue;
+- clear_evtchn_to_irq_row(row);
++ clear_evtchn_to_irq_row(evtchn_to_irq[row]);
+ }
+ }
+
+@@ -215,6 +215,7 @@ static int set_evtchn_to_irq(evtchn_port_t evtchn, unsigned int irq)
+ {
+ unsigned row;
+ unsigned col;
++ int *evtchn_row;
+
+ if (evtchn >= xen_evtchn_max_channels())
+ return -EINVAL;
+@@ -227,11 +228,18 @@ static int set_evtchn_to_irq(evtchn_port_t evtchn, unsigned int irq)
+ if (irq == -1)
+ return 0;
+
+- evtchn_to_irq[row] = (int *)get_zeroed_page(GFP_KERNEL);
+- if (evtchn_to_irq[row] == NULL)
++ evtchn_row = (int *) __get_free_pages(GFP_KERNEL, 0);
++ if (evtchn_row == NULL)
+ return -ENOMEM;
+
+- clear_evtchn_to_irq_row(row);
++ clear_evtchn_to_irq_row(evtchn_row);
++
++ /*
++ * We've prepared an empty row for the mapping. If a different
++ * thread was faster inserting it, we can drop ours.
++ */
++ if (cmpxchg(&evtchn_to_irq[row], NULL, evtchn_row) != NULL)
++ free_page((unsigned long) evtchn_row);
+ }
+
+ WRITE_ONCE(evtchn_to_irq[row][col], irq);
+--
+2.30.2
+
-- 2.47.3
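Review bot: In set_evtchn_to_irq() the row is allocated with `__get_free_pages(GFP_KERNEL, 0)` but released with `free_page()`; the matching single-page form, `evtchn_row = (int *)__get_free_page(GFP_KERNEL);`, would make the pairing obvious and drop the bare order argument. The lost-race branch looks right as far as the hunk shows, because the `WRITE_ONCE(evtchn_to_irq[row][col], irq)` that follows goes through the published row pointer, and the new comment could state that outcome with one more line: `* Either way evtchn_to_irq[row] is valid from here on.` The NULL check that guards this allocation sits outside the hunk, so it cannot be confirmed here whether it reads the row pointer with `READ_ONCE()`.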