From ad46ccbe55d107f7b8caf79d4cba25dba5254e13 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sun, 29 Aug 2021 17:45:52 -0400 Subject: [PATCH] Fixes for 5.10 Signed-off-by: Sasha Levin --- ...h-blocked-freelist-bitmap-after-free.patch | 53 ++++++++ .../drm-i915-fix-syncmap-memory-leak.patch | 67 ++++++++++ ...-sifive-l2-cache-fix-select-matching.patch | 44 +++++++ ...ake-care-about-recovery-nvm-checksum.patch | 58 +++++++++ ...e-max-snoop-no-snoop-latency-for-10m.patch | 76 +++++++++++ ...ible-null-pointer-dereference-in-_ex.patch | 65 ++++++++++ ...-devlink-info-if-board-identifier-ca.patch | 50 ++++++++ ...-fault-when-thunderbolt-is-unplugged.patch | 111 ++++++++++++++++ ...ueues-when-iterating-over-tx_ring-qu.patch | 49 +++++++ ...ip_gre-add-validation-for-csum_start.patch | 41 ++++++ ...h-instead-of-jenkins-in-fnhe_hashfun.patch | 55 ++++++++ ...v6-use-siphash-in-rt6_exception_hash.patch | 75 +++++++++++ ...ting-time-before-cmdq-memory-is-rele.patch | 95 ++++++++++++++ ...ardware-resource-when-loading-driver.patch | 86 +++++++++++++ ...hns3-fix-duplicate-node-in-vlan-list.patch | 42 ++++++ ...-wrong-pfc_en-when-query-pfc-configu.patch | 66 ++++++++++ ...ll-fix-mvneta_tx_in_prgrs-bit-number.patch | 36 ++++++ ...x-crash-when-flipping-from-strict-to.patch | 104 +++++++++++++++ ...mutex-lock-to-protect-est-parameters.patch | 99 ++++++++++++++ ...ernel-panic-due-to-null-pointer-dere.patch | 83 ++++++++++++ ...fixes-of-set_register-s-return-value.patch | 48 +++++++ ...add-missing-spin-lock-initialization.patch | 36 ++++++ ...ove-unpaired-rtnl-unlock-in-bnxt_re_.patch | 40 ++++++ ...a-efa-free-irq-vectors-on-error-flow.patch | 38 ++++++ ...-iproc-set-sdhci_quirk_cap_clock_bas.patch | 43 +++++++ ...-correct-error-on-changing-device-ne.patch | 121 ++++++++++++++++++ queue-5.10/series | 29 +++++ ...-ucounts-reference-counter-before-th.patch | 98 ++++++++++++++ ...io-fix-race-condition-on-endpoint-st.patch | 57 +++++++++ ...esource-leak-in-the-error-handling-p.patch | 46 +++++++ 30 files changed, 1911 insertions(+) create mode 100644 queue-5.10/cxgb4-dont-touch-blocked-freelist-bitmap-after-free.patch create mode 100644 queue-5.10/drm-i915-fix-syncmap-memory-leak.patch create mode 100644 queue-5.10/dt-bindings-sifive-l2-cache-fix-select-matching.patch create mode 100644 queue-5.10/e1000e-do-not-take-care-about-recovery-nvm-checksum.patch create mode 100644 queue-5.10/e1000e-fix-the-max-snoop-no-snoop-latency-for-10m.patch create mode 100644 queue-5.10/ib-hfi1-fix-possible-null-pointer-dereference-in-_ex.patch create mode 100644 queue-5.10/ice-do-not-abort-devlink-info-if-board-identifier-ca.patch create mode 100644 queue-5.10/igc-fix-page-fault-when-thunderbolt-is-unplugged.patch create mode 100644 queue-5.10/igc-use-num_tx_queues-when-iterating-over-tx_ring-qu.patch create mode 100644 queue-5.10/ip_gre-add-validation-for-csum_start.patch create mode 100644 queue-5.10/ipv4-use-siphash-instead-of-jenkins-in-fnhe_hashfun.patch create mode 100644 queue-5.10/ipv6-use-siphash-in-rt6_exception_hash.patch create mode 100644 queue-5.10/net-hns3-add-waiting-time-before-cmdq-memory-is-rele.patch create mode 100644 queue-5.10/net-hns3-clear-hardware-resource-when-loading-driver.patch create mode 100644 queue-5.10/net-hns3-fix-duplicate-node-in-vlan-list.patch create mode 100644 queue-5.10/net-hns3-fix-get-wrong-pfc_en-when-query-pfc-configu.patch create mode 100644 queue-5.10/net-marvell-fix-mvneta_tx_in_prgrs-bit-number.patch create mode 100644 queue-5.10/net-sched-ets-fix-crash-when-flipping-from-strict-to.patch create mode 100644 queue-5.10/net-stmmac-add-mutex-lock-to-protect-est-parameters.patch create mode 100644 queue-5.10/net-stmmac-fix-kernel-panic-due-to-null-pointer-dere.patch create mode 100644 queue-5.10/net-usb-pegasus-fixes-of-set_register-s-return-value.patch create mode 100644 queue-5.10/rdma-bnxt_re-add-missing-spin-lock-initialization.patch create mode 100644 queue-5.10/rdma-bnxt_re-remove-unpaired-rtnl-unlock-in-bnxt_re_.patch create mode 100644 queue-5.10/rdma-efa-free-irq-vectors-on-error-flow.patch create mode 100644 queue-5.10/revert-mmc-sdhci-iproc-set-sdhci_quirk_cap_clock_bas.patch create mode 100644 queue-5.10/rtnetlink-return-correct-error-on-changing-device-ne.patch create mode 100644 queue-5.10/ucounts-increase-ucounts-reference-counter-before-th.patch create mode 100644 queue-5.10/usb-gadget-u_audio-fix-race-condition-on-endpoint-st.patch create mode 100644 queue-5.10/xgene-v2-fix-a-resource-leak-in-the-error-handling-p.patch diff --git a/queue-5.10/cxgb4-dont-touch-blocked-freelist-bitmap-after-free.patch b/queue-5.10/cxgb4-dont-touch-blocked-freelist-bitmap-after-free.patch new file mode 100644 index 00000000000..370a010d9c4 --- /dev/null +++ b/queue-5.10/cxgb4-dont-touch-blocked-freelist-bitmap-after-free.patch @@ -0,0 +1,53 @@ +From 3b5154f6d16cb6ba4eb1a946f5c5d4b14987383d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Aug 2021 02:59:42 +0530 +Subject: cxgb4: dont touch blocked freelist bitmap after free + +From: Rahul Lakkireddy + +[ Upstream commit 43fed4d48d325e0a61dc2638a84da972fbb1087b ] + +When adapter init fails, the blocked freelist bitmap is already freed +up and should not be touched. So, move the bitmap zeroing closer to +where it was successfully allocated. Also handle adapter init failure +unwind path immediately and avoid setting up RDMA memory windows. + +Fixes: 5b377d114f2b ("cxgb4: Add debugfs facility to inject FL starvation") +Signed-off-by: Rahul Lakkireddy +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c +index 6698afad4379..3c28a1c3c1ed 100644 +--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c +@@ -5072,6 +5072,7 @@ static int adap_init0(struct adapter *adap, int vpd_skip) + ret = -ENOMEM; + goto bye; + } ++ bitmap_zero(adap->sge.blocked_fl, adap->sge.egr_sz); + #endif + + params[0] = FW_PARAM_PFVF(CLIP_START); +@@ -6792,13 +6793,11 @@ static int init_one(struct pci_dev *pdev, const struct pci_device_id *ent) + + setup_memwin(adapter); + err = adap_init0(adapter, 0); +-#ifdef CONFIG_DEBUG_FS +- bitmap_zero(adapter->sge.blocked_fl, adapter->sge.egr_sz); +-#endif +- setup_memwin_rdma(adapter); + if (err) + goto out_unmap_bar; + ++ setup_memwin_rdma(adapter); ++ + /* configure SGE_STAT_CFG_A to read WC stats */ + if (!is_t4(adapter->params.chip)) + t4_write_reg(adapter, SGE_STAT_CFG_A, STATSOURCE_T5_V(7) | +-- +2.30.2 + diff --git a/queue-5.10/drm-i915-fix-syncmap-memory-leak.patch b/queue-5.10/drm-i915-fix-syncmap-memory-leak.patch new file mode 100644 index 00000000000..ad59bfbd848 --- /dev/null +++ b/queue-5.10/drm-i915-fix-syncmap-memory-leak.patch @@ -0,0 +1,67 @@ +From f727e5dffae38481380e6d66d72ae23d6a95e2d6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Jul 2021 12:53:42 -0700 +Subject: drm/i915: Fix syncmap memory leak + +From: Matthew Brost + +[ Upstream commit a63bcf08f0efb5348105bb8e0e1e8c6671077753 ] + +A small race exists between intel_gt_retire_requests_timeout and +intel_timeline_exit which could result in the syncmap not getting +free'd. Rather than work to hard to seal this race, simply cleanup the +syncmap on fini. + +unreferenced object 0xffff88813bc53b18 (size 96): + comm "gem_close_race", pid 5410, jiffies 4294917818 (age 1105.600s) + hex dump (first 32 bytes): + 01 00 00 00 00 00 00 00 00 00 00 00 0a 00 00 00 ................ + 00 00 00 00 00 00 00 00 6b 6b 6b 6b 06 00 00 00 ........kkkk.... + backtrace: + [<00000000120b863a>] __sync_alloc_leaf+0x1e/0x40 [i915] + [<00000000042f6959>] __sync_set+0x1bb/0x240 [i915] + [<0000000090f0e90f>] i915_request_await_dma_fence+0x1c7/0x400 [i915] + [<0000000056a48219>] i915_request_await_object+0x222/0x360 [i915] + [<00000000aaac4ee3>] i915_gem_do_execbuffer+0x1bd0/0x2250 [i915] + [<000000003c9d830f>] i915_gem_execbuffer2_ioctl+0x405/0xce0 [i915] + [<00000000fd7a8e68>] drm_ioctl_kernel+0xb0/0xf0 [drm] + [<00000000e721ee87>] drm_ioctl+0x305/0x3c0 [drm] + [<000000008b0d8986>] __x64_sys_ioctl+0x71/0xb0 + [<0000000076c362a4>] do_syscall_64+0x33/0x80 + [<00000000eb7a4831>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Signed-off-by: Matthew Brost +Fixes: 531958f6f357 ("drm/i915/gt: Track timeline activeness in enter/exit") +Cc: +Reviewed-by: John Harrison +Signed-off-by: John Harrison +Link: https://patchwork.freedesktop.org/patch/msgid/20210730195342.110234-1-matthew.brost@intel.com +(cherry picked from commit faf890985e30d5e88cc3a7c50c1bcad32f89ab7c) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/gt/intel_timeline.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/gpu/drm/i915/gt/intel_timeline.c b/drivers/gpu/drm/i915/gt/intel_timeline.c +index 8015964043eb..e25385ad2c1e 100644 +--- a/drivers/gpu/drm/i915/gt/intel_timeline.c ++++ b/drivers/gpu/drm/i915/gt/intel_timeline.c +@@ -296,6 +296,14 @@ static void intel_timeline_fini(struct intel_timeline *timeline) + i915_gem_object_unpin_map(timeline->hwsp_ggtt->obj); + + i915_vma_put(timeline->hwsp_ggtt); ++ ++ /* ++ * A small race exists between intel_gt_retire_requests_timeout and ++ * intel_timeline_exit which could result in the syncmap not getting ++ * free'd. Rather than work to hard to seal this race, simply cleanup ++ * the syncmap on fini. ++ */ ++ i915_syncmap_free(&timeline->sync); + } + + struct intel_timeline * +-- +2.30.2 + diff --git a/queue-5.10/dt-bindings-sifive-l2-cache-fix-select-matching.patch b/queue-5.10/dt-bindings-sifive-l2-cache-fix-select-matching.patch new file mode 100644 index 00000000000..0a38b4a0e1e --- /dev/null +++ b/queue-5.10/dt-bindings-sifive-l2-cache-fix-select-matching.patch @@ -0,0 +1,44 @@ +From dbb106df91f8382ff3767706efd700fd29bcc16d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Aug 2021 12:47:55 -0500 +Subject: dt-bindings: sifive-l2-cache: Fix 'select' matching + +From: Rob Herring + +[ Upstream commit 1c8094e394bceb4f1880f9d539bdd255c130826e ] + +When the schema fixups are applied to 'select' the result is a single +entry is required for a match, but that will never match as there should +be 2 entries. Also, a 'select' schema should have the widest possible +match, so use 'contains' which matches the compatible string(s) in any +position and not just the first position. + +Fixes: 993dcfac64eb ("dt-bindings: riscv: sifive-l2-cache: convert bindings to json-schema") +Signed-off-by: Rob Herring +Cc: stable@vger.kernel.org +Signed-off-by: Palmer Dabbelt +Signed-off-by: Sasha Levin +--- + .../devicetree/bindings/riscv/sifive-l2-cache.yaml | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/Documentation/devicetree/bindings/riscv/sifive-l2-cache.yaml b/Documentation/devicetree/bindings/riscv/sifive-l2-cache.yaml +index efc0198eeb74..5444be7667b6 100644 +--- a/Documentation/devicetree/bindings/riscv/sifive-l2-cache.yaml ++++ b/Documentation/devicetree/bindings/riscv/sifive-l2-cache.yaml +@@ -24,9 +24,9 @@ allOf: + select: + properties: + compatible: +- items: +- - enum: +- - sifive,fu540-c000-ccache ++ contains: ++ enum: ++ - sifive,fu540-c000-ccache + + required: + - compatible +-- +2.30.2 + diff --git a/queue-5.10/e1000e-do-not-take-care-about-recovery-nvm-checksum.patch b/queue-5.10/e1000e-do-not-take-care-about-recovery-nvm-checksum.patch new file mode 100644 index 00000000000..ec36667c342 --- /dev/null +++ b/queue-5.10/e1000e-do-not-take-care-about-recovery-nvm-checksum.patch @@ -0,0 +1,58 @@ +From a5f8881b2871e6aafdc74e84b80e18fe62c1a956 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Jul 2021 07:10:31 +0300 +Subject: e1000e: Do not take care about recovery NVM checksum + +From: Sasha Neftin + +[ Upstream commit 4051f68318ca9f3d3becef3b54e70ad2c146df97 ] + +On new platforms, the NVM is read-only. Attempting to update the NVM +is causing a lockup to occur. Do not attempt to write to the NVM +on platforms where it's not supported. +Emit an error message when the NVM checksum is invalid. + +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=213667 +Fixes: fb776f5d57ee ("e1000e: Add support for Tiger Lake") +Suggested-by: Dima Ruinskiy +Suggested-by: Vitaly Lifshits +Signed-off-by: Sasha Neftin +Tested-by: Dvora Fuxbrumer +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/e1000e/ich8lan.c | 18 +++++++++++------- + 1 file changed, 11 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/intel/e1000e/ich8lan.c b/drivers/net/ethernet/intel/e1000e/ich8lan.c +index 5f0f1bd522f0..854c585de2e1 100644 +--- a/drivers/net/ethernet/intel/e1000e/ich8lan.c ++++ b/drivers/net/ethernet/intel/e1000e/ich8lan.c +@@ -4134,13 +4134,17 @@ static s32 e1000_validate_nvm_checksum_ich8lan(struct e1000_hw *hw) + return ret_val; + + if (!(data & valid_csum_mask)) { +- data |= valid_csum_mask; +- ret_val = e1000_write_nvm(hw, word, 1, &data); +- if (ret_val) +- return ret_val; +- ret_val = e1000e_update_nvm_checksum(hw); +- if (ret_val) +- return ret_val; ++ e_dbg("NVM Checksum Invalid\n"); ++ ++ if (hw->mac.type < e1000_pch_cnp) { ++ data |= valid_csum_mask; ++ ret_val = e1000_write_nvm(hw, word, 1, &data); ++ if (ret_val) ++ return ret_val; ++ ret_val = e1000e_update_nvm_checksum(hw); ++ if (ret_val) ++ return ret_val; ++ } + } + + return e1000e_validate_nvm_checksum_generic(hw); +-- +2.30.2 + diff --git a/queue-5.10/e1000e-fix-the-max-snoop-no-snoop-latency-for-10m.patch b/queue-5.10/e1000e-fix-the-max-snoop-no-snoop-latency-for-10m.patch new file mode 100644 index 00000000000..08f4a81b53a --- /dev/null +++ b/queue-5.10/e1000e-fix-the-max-snoop-no-snoop-latency-for-10m.patch @@ -0,0 +1,76 @@ +From be3af9dad1f82f3cac7749f0fe2887354c2c677f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Jul 2021 10:11:41 +0300 +Subject: e1000e: Fix the max snoop/no-snoop latency for 10M + +From: Sasha Neftin + +[ Upstream commit 44a13a5d99c71bf9e1676d9e51679daf4d7b3d73 ] + +We should decode the latency and the max_latency before directly compare. +The latency should be presented as lat_enc = scale x value: +lat_enc_d = (lat_enc & 0x0x3ff) x (1U << (5*((max_ltr_enc & 0x1c00) +>> 10))) + +Fixes: cf8fb73c23aa ("e1000e: add support for LTR on I217/I218") +Suggested-by: Yee Li +Signed-off-by: Sasha Neftin +Tested-by: Dvora Fuxbrumer +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/e1000e/ich8lan.c | 14 +++++++++++++- + drivers/net/ethernet/intel/e1000e/ich8lan.h | 3 +++ + 2 files changed, 16 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/e1000e/ich8lan.c b/drivers/net/ethernet/intel/e1000e/ich8lan.c +index 6fb46682b058..5f0f1bd522f0 100644 +--- a/drivers/net/ethernet/intel/e1000e/ich8lan.c ++++ b/drivers/net/ethernet/intel/e1000e/ich8lan.c +@@ -1006,6 +1006,8 @@ static s32 e1000_platform_pm_pch_lpt(struct e1000_hw *hw, bool link) + { + u32 reg = link << (E1000_LTRV_REQ_SHIFT + E1000_LTRV_NOSNOOP_SHIFT) | + link << E1000_LTRV_REQ_SHIFT | E1000_LTRV_SEND; ++ u16 max_ltr_enc_d = 0; /* maximum LTR decoded by platform */ ++ u16 lat_enc_d = 0; /* latency decoded */ + u16 lat_enc = 0; /* latency encoded */ + + if (link) { +@@ -1059,7 +1061,17 @@ static s32 e1000_platform_pm_pch_lpt(struct e1000_hw *hw, bool link) + E1000_PCI_LTR_CAP_LPT + 2, &max_nosnoop); + max_ltr_enc = max_t(u16, max_snoop, max_nosnoop); + +- if (lat_enc > max_ltr_enc) ++ lat_enc_d = (lat_enc & E1000_LTRV_VALUE_MASK) * ++ (1U << (E1000_LTRV_SCALE_FACTOR * ++ ((lat_enc & E1000_LTRV_SCALE_MASK) ++ >> E1000_LTRV_SCALE_SHIFT))); ++ ++ max_ltr_enc_d = (max_ltr_enc & E1000_LTRV_VALUE_MASK) * ++ (1U << (E1000_LTRV_SCALE_FACTOR * ++ ((max_ltr_enc & E1000_LTRV_SCALE_MASK) ++ >> E1000_LTRV_SCALE_SHIFT))); ++ ++ if (lat_enc_d > max_ltr_enc_d) + lat_enc = max_ltr_enc; + } + +diff --git a/drivers/net/ethernet/intel/e1000e/ich8lan.h b/drivers/net/ethernet/intel/e1000e/ich8lan.h +index 1502895eb45d..e757896287eb 100644 +--- a/drivers/net/ethernet/intel/e1000e/ich8lan.h ++++ b/drivers/net/ethernet/intel/e1000e/ich8lan.h +@@ -274,8 +274,11 @@ + + /* Latency Tolerance Reporting */ + #define E1000_LTRV 0x000F8 ++#define E1000_LTRV_VALUE_MASK 0x000003FF + #define E1000_LTRV_SCALE_MAX 5 + #define E1000_LTRV_SCALE_FACTOR 5 ++#define E1000_LTRV_SCALE_SHIFT 10 ++#define E1000_LTRV_SCALE_MASK 0x00001C00 + #define E1000_LTRV_REQ_SHIFT 15 + #define E1000_LTRV_NOSNOOP_SHIFT 16 + #define E1000_LTRV_SEND (1 << 30) +-- +2.30.2 + diff --git a/queue-5.10/ib-hfi1-fix-possible-null-pointer-dereference-in-_ex.patch b/queue-5.10/ib-hfi1-fix-possible-null-pointer-dereference-in-_ex.patch new file mode 100644 index 00000000000..9770bec90fd --- /dev/null +++ b/queue-5.10/ib-hfi1-fix-possible-null-pointer-dereference-in-_ex.patch @@ -0,0 +1,65 @@ +From 6e51ff4d20e478654bcc7a1ef78eda1bc748062f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Aug 2021 06:30:29 -0700 +Subject: IB/hfi1: Fix possible null-pointer dereference in + _extend_sdma_tx_descs() + +From: Tuo Li + +[ Upstream commit cbe71c61992c38f72c2b625b2ef25916b9f0d060 ] + +kmalloc_array() is called to allocate memory for tx->descp. If it fails, +the function __sdma_txclean() is called: + __sdma_txclean(dd, tx); + +However, in the function __sdma_txclean(), tx-descp is dereferenced if +tx->num_desc is not zero: + sdma_unmap_desc(dd, &tx->descp[0]); + +To fix this possible null-pointer dereference, assign the return value of +kmalloc_array() to a local variable descp, and then assign it to tx->descp +if it is not NULL. Otherwise, go to enomem. + +Fixes: 7724105686e7 ("IB/hfi1: add driver files") +Link: https://lore.kernel.org/r/20210806133029.194964-1-islituo@gmail.com +Reported-by: TOTE Robot +Signed-off-by: Tuo Li +Tested-by: Mike Marciniszyn +Acked-by: Mike Marciniszyn +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hfi1/sdma.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/drivers/infiniband/hw/hfi1/sdma.c b/drivers/infiniband/hw/hfi1/sdma.c +index a307d4c8b15a..ac6f87137b63 100644 +--- a/drivers/infiniband/hw/hfi1/sdma.c ++++ b/drivers/infiniband/hw/hfi1/sdma.c +@@ -3055,6 +3055,7 @@ static void __sdma_process_event(struct sdma_engine *sde, + static int _extend_sdma_tx_descs(struct hfi1_devdata *dd, struct sdma_txreq *tx) + { + int i; ++ struct sdma_desc *descp; + + /* Handle last descriptor */ + if (unlikely((tx->num_desc == (MAX_DESC - 1)))) { +@@ -3075,12 +3076,10 @@ static int _extend_sdma_tx_descs(struct hfi1_devdata *dd, struct sdma_txreq *tx) + if (unlikely(tx->num_desc == MAX_DESC)) + goto enomem; + +- tx->descp = kmalloc_array( +- MAX_DESC, +- sizeof(struct sdma_desc), +- GFP_ATOMIC); +- if (!tx->descp) ++ descp = kmalloc_array(MAX_DESC, sizeof(struct sdma_desc), GFP_ATOMIC); ++ if (!descp) + goto enomem; ++ tx->descp = descp; + + /* reserve last descriptor for coalescing */ + tx->desc_limit = MAX_DESC - 1; +-- +2.30.2 + diff --git a/queue-5.10/ice-do-not-abort-devlink-info-if-board-identifier-ca.patch b/queue-5.10/ice-do-not-abort-devlink-info-if-board-identifier-ca.patch new file mode 100644 index 00000000000..2d703eadde6 --- /dev/null +++ b/queue-5.10/ice-do-not-abort-devlink-info-if-board-identifier-ca.patch @@ -0,0 +1,50 @@ +From 3fe3a876879eb481d2dfe00a02882440958e1965 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Aug 2021 15:34:51 -0700 +Subject: ice: do not abort devlink info if board identifier can't be found + +From: Jacob Keller + +[ Upstream commit a8f89fa27773a8c96fd09fb4e2f4892d794f21f6 ] + +The devlink dev info command reports version information about the +device and firmware running on the board. This includes the "board.id" +field which is supposed to represent an identifier of the board design. +The ice driver uses the Product Board Assembly identifier for this. + +In some cases, the PBA is not present in the NVM. If this happens, +devlink dev info will fail with an error. Instead, modify the +ice_info_pba function to just exit without filling in the context +buffer. This will cause the board.id field to be skipped. Log a dev_dbg +message in case someone wants to confirm why board.id is not showing up +for them. + +Fixes: e961b679fb0b ("ice: add board identifier info to devlink .info_get") +Signed-off-by: Jacob Keller +Tested-by: Tony Brelinski +Signed-off-by: Tony Nguyen +Link: https://lore.kernel.org/r/20210819223451.245613-1-anthony.l.nguyen@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_devlink.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_devlink.c b/drivers/net/ethernet/intel/ice/ice_devlink.c +index 511da59bd6f2..f18ce43b7e74 100644 +--- a/drivers/net/ethernet/intel/ice/ice_devlink.c ++++ b/drivers/net/ethernet/intel/ice/ice_devlink.c +@@ -23,7 +23,9 @@ static int ice_info_pba(struct ice_pf *pf, char *buf, size_t len) + + status = ice_read_pba_string(hw, (u8 *)buf, len); + if (status) +- return -EIO; ++ /* We failed to locate the PBA, so just skip this entry */ ++ dev_dbg(ice_pf_to_dev(pf), "Failed to read Product Board Assembly string, status %s\n", ++ ice_stat_str(status)); + + return 0; + } +-- +2.30.2 + diff --git a/queue-5.10/igc-fix-page-fault-when-thunderbolt-is-unplugged.patch b/queue-5.10/igc-fix-page-fault-when-thunderbolt-is-unplugged.patch new file mode 100644 index 00000000000..e307d6be9e9 --- /dev/null +++ b/queue-5.10/igc-fix-page-fault-when-thunderbolt-is-unplugged.patch @@ -0,0 +1,111 @@ +From 17ae26221c4fece37a7967b5e7b8cde49ee84a5b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jul 2021 21:00:36 +0800 +Subject: igc: fix page fault when thunderbolt is unplugged + +From: Aaron Ma + +[ Upstream commit 4b79959510e6612d80f8d86022e0cb44eee6f4a2 ] + +After unplug thunderbolt dock with i225, pciehp interrupt is triggered, +remove call will read/write mmio address which is already disconnected, +then cause page fault and make system hang. + +Check PCI state to remove device safely. + +Trace: +BUG: unable to handle page fault for address: 000000000000b604 +Oops: 0000 [#1] SMP NOPTI +RIP: 0010:igc_rd32+0x1c/0x90 [igc] +Call Trace: +igc_ptp_suspend+0x6c/0xa0 [igc] +igc_ptp_stop+0x12/0x50 [igc] +igc_remove+0x7f/0x1c0 [igc] +pci_device_remove+0x3e/0xb0 +__device_release_driver+0x181/0x240 + +Fixes: 13b5b7fd6a4a ("igc: Add support for Tx/Rx rings") +Fixes: b03c49cde61f ("igc: Save PTP time before a reset") +Signed-off-by: Aaron Ma +Tested-by: Dvora Fuxbrumer +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc_main.c | 32 ++++++++++++++--------- + drivers/net/ethernet/intel/igc/igc_ptp.c | 3 ++- + 2 files changed, 21 insertions(+), 14 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c +index b9fe2785f573..66f181d12578 100644 +--- a/drivers/net/ethernet/intel/igc/igc_main.c ++++ b/drivers/net/ethernet/intel/igc/igc_main.c +@@ -138,6 +138,9 @@ static void igc_release_hw_control(struct igc_adapter *adapter) + struct igc_hw *hw = &adapter->hw; + u32 ctrl_ext; + ++ if (!pci_device_is_present(adapter->pdev)) ++ return; ++ + /* Let firmware take over control of h/w */ + ctrl_ext = rd32(IGC_CTRL_EXT); + wr32(IGC_CTRL_EXT, +@@ -3782,26 +3785,29 @@ void igc_down(struct igc_adapter *adapter) + + igc_ptp_suspend(adapter); + +- /* disable receives in the hardware */ +- rctl = rd32(IGC_RCTL); +- wr32(IGC_RCTL, rctl & ~IGC_RCTL_EN); +- /* flush and sleep below */ +- ++ if (pci_device_is_present(adapter->pdev)) { ++ /* disable receives in the hardware */ ++ rctl = rd32(IGC_RCTL); ++ wr32(IGC_RCTL, rctl & ~IGC_RCTL_EN); ++ /* flush and sleep below */ ++ } + /* set trans_start so we don't get spurious watchdogs during reset */ + netif_trans_update(netdev); + + netif_carrier_off(netdev); + netif_tx_stop_all_queues(netdev); + +- /* disable transmits in the hardware */ +- tctl = rd32(IGC_TCTL); +- tctl &= ~IGC_TCTL_EN; +- wr32(IGC_TCTL, tctl); +- /* flush both disables and wait for them to finish */ +- wrfl(); +- usleep_range(10000, 20000); ++ if (pci_device_is_present(adapter->pdev)) { ++ /* disable transmits in the hardware */ ++ tctl = rd32(IGC_TCTL); ++ tctl &= ~IGC_TCTL_EN; ++ wr32(IGC_TCTL, tctl); ++ /* flush both disables and wait for them to finish */ ++ wrfl(); ++ usleep_range(10000, 20000); + +- igc_irq_disable(adapter); ++ igc_irq_disable(adapter); ++ } + + adapter->flags &= ~IGC_FLAG_NEED_LINK_UPDATE; + +diff --git a/drivers/net/ethernet/intel/igc/igc_ptp.c b/drivers/net/ethernet/intel/igc/igc_ptp.c +index 545f4d0e67cf..4ab46eee3d93 100644 +--- a/drivers/net/ethernet/intel/igc/igc_ptp.c ++++ b/drivers/net/ethernet/intel/igc/igc_ptp.c +@@ -557,7 +557,8 @@ void igc_ptp_suspend(struct igc_adapter *adapter) + adapter->ptp_tx_skb = NULL; + clear_bit_unlock(__IGC_PTP_TX_IN_PROGRESS, &adapter->state); + +- igc_ptp_time_save(adapter); ++ if (pci_device_is_present(adapter->pdev)) ++ igc_ptp_time_save(adapter); + } + + /** +-- +2.30.2 + diff --git a/queue-5.10/igc-use-num_tx_queues-when-iterating-over-tx_ring-qu.patch b/queue-5.10/igc-use-num_tx_queues-when-iterating-over-tx_ring-qu.patch new file mode 100644 index 00000000000..578c72c3a19 --- /dev/null +++ b/queue-5.10/igc-use-num_tx_queues-when-iterating-over-tx_ring-qu.patch @@ -0,0 +1,49 @@ +From f955bb08914a1914f8a7ed3fd476e439f1246e99 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jul 2021 17:34:03 -0700 +Subject: igc: Use num_tx_queues when iterating over tx_ring queue + +From: Toshiki Nishioka + +[ Upstream commit 691bd4d7761992914a0e83c27a4ce57d01474cda ] + +Use num_tx_queues rather than the IGC_MAX_TX_QUEUES fixed number 4 when +iterating over tx_ring queue since instantiated queue count could be +less than 4 where on-line cpu count is less than 4. + +Fixes: ec50a9d437f0 ("igc: Add support for taprio offloading") +Signed-off-by: Toshiki Nishioka +Signed-off-by: Muhammad Husaini Zulkifli +Tested-by: Muhammad Husaini Zulkifli +Acked-by: Sasha Neftin +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc_main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c +index 66f181d12578..013dd2955381 100644 +--- a/drivers/net/ethernet/intel/igc/igc_main.c ++++ b/drivers/net/ethernet/intel/igc/igc_main.c +@@ -4761,7 +4761,7 @@ static bool validate_schedule(struct igc_adapter *adapter, + if (e->command != TC_TAPRIO_CMD_SET_GATES) + return false; + +- for (i = 0; i < IGC_MAX_TX_QUEUES; i++) { ++ for (i = 0; i < adapter->num_tx_queues; i++) { + if (e->gate_mask & BIT(i)) + queue_uses[i]++; + +@@ -4818,7 +4818,7 @@ static int igc_save_qbv_schedule(struct igc_adapter *adapter, + + end_time += e->interval; + +- for (i = 0; i < IGC_MAX_TX_QUEUES; i++) { ++ for (i = 0; i < adapter->num_tx_queues; i++) { + struct igc_ring *ring = adapter->tx_ring[i]; + + if (!(e->gate_mask & BIT(i))) +-- +2.30.2 + diff --git a/queue-5.10/ip_gre-add-validation-for-csum_start.patch b/queue-5.10/ip_gre-add-validation-for-csum_start.patch new file mode 100644 index 00000000000..a0f159f1b07 --- /dev/null +++ b/queue-5.10/ip_gre-add-validation-for-csum_start.patch @@ -0,0 +1,41 @@ +From 1db8dcaf9bbb22d5c33b9f10531f8d08d0d40292 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 21 Aug 2021 12:44:24 +0530 +Subject: ip_gre: add validation for csum_start + +From: Shreyansh Chouhan + +[ Upstream commit 1d011c4803c72f3907eccfc1ec63caefb852fcbf ] + +Validate csum_start in gre_handle_offloads before we call _gre_xmit so +that we do not crash later when the csum_start value is used in the +lco_csum function call. + +This patch deals with ipv4 code. + +Fixes: c54419321455 ("GRE: Refactor GRE tunneling code.") +Reported-by: syzbot+ff8e1b9f2f36481e2efc@syzkaller.appspotmail.com +Signed-off-by: Shreyansh Chouhan +Reviewed-by: Willem de Bruijn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/ip_gre.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c +index e70291748889..a0829495b211 100644 +--- a/net/ipv4/ip_gre.c ++++ b/net/ipv4/ip_gre.c +@@ -468,6 +468,8 @@ static void __gre_xmit(struct sk_buff *skb, struct net_device *dev, + + static int gre_handle_offloads(struct sk_buff *skb, bool csum) + { ++ if (csum && skb_checksum_start(skb) < skb->data) ++ return -EINVAL; + return iptunnel_handle_offloads(skb, csum ? SKB_GSO_GRE_CSUM : SKB_GSO_GRE); + } + +-- +2.30.2 + diff --git a/queue-5.10/ipv4-use-siphash-instead-of-jenkins-in-fnhe_hashfun.patch b/queue-5.10/ipv4-use-siphash-instead-of-jenkins-in-fnhe_hashfun.patch new file mode 100644 index 00000000000..5f70f99f401 --- /dev/null +++ b/queue-5.10/ipv4-use-siphash-instead-of-jenkins-in-fnhe_hashfun.patch @@ -0,0 +1,55 @@ +From 80a1741ef7a7360413eb2b78e56d622db6029d5f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Aug 2021 16:17:29 -0700 +Subject: ipv4: use siphash instead of Jenkins in fnhe_hashfun() + +From: Eric Dumazet + +[ Upstream commit 6457378fe796815c973f631a1904e147d6ee33b1 ] + +A group of security researchers brought to our attention +the weakness of hash function used in fnhe_hashfun(). + +Lets use siphash instead of Jenkins Hash, to considerably +reduce security risks. + +Also remove the inline keyword, this really is distracting. + +Fixes: d546c621542d ("ipv4: harden fnhe_hashfun()") +Signed-off-by: Eric Dumazet +Reported-by: Keyu Man +Cc: Willy Tarreau +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/route.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/net/ipv4/route.c b/net/ipv4/route.c +index e15c1d8b7c8d..3d9946fd41f3 100644 +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -624,14 +624,14 @@ static struct fib_nh_exception *fnhe_oldest(struct fnhe_hash_bucket *hash) + return oldest; + } + +-static inline u32 fnhe_hashfun(__be32 daddr) ++static u32 fnhe_hashfun(__be32 daddr) + { +- static u32 fnhe_hashrnd __read_mostly; +- u32 hval; ++ static siphash_key_t fnhe_hash_key __read_mostly; ++ u64 hval; + +- net_get_random_once(&fnhe_hashrnd, sizeof(fnhe_hashrnd)); +- hval = jhash_1word((__force u32)daddr, fnhe_hashrnd); +- return hash_32(hval, FNHE_HASH_SHIFT); ++ net_get_random_once(&fnhe_hash_key, sizeof(fnhe_hash_key)); ++ hval = siphash_1u32((__force u32)daddr, &fnhe_hash_key); ++ return hash_64(hval, FNHE_HASH_SHIFT); + } + + static void fill_route_from_fnhe(struct rtable *rt, struct fib_nh_exception *fnhe) +-- +2.30.2 + diff --git a/queue-5.10/ipv6-use-siphash-in-rt6_exception_hash.patch b/queue-5.10/ipv6-use-siphash-in-rt6_exception_hash.patch new file mode 100644 index 00000000000..2870b079045 --- /dev/null +++ b/queue-5.10/ipv6-use-siphash-in-rt6_exception_hash.patch @@ -0,0 +1,75 @@ +From f0f26692a51c96b8fe9dc04dff3799a909d248b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Aug 2021 16:17:28 -0700 +Subject: ipv6: use siphash in rt6_exception_hash() + +From: Eric Dumazet + +[ Upstream commit 4785305c05b25a242e5314cc821f54ade4c18810 ] + +A group of security researchers brought to our attention +the weakness of hash function used in rt6_exception_hash() + +Lets use siphash instead of Jenkins Hash, to considerably +reduce security risks. + +Following patch deals with IPv4. + +Fixes: 35732d01fe31 ("ipv6: introduce a hash table to store dst cache") +Signed-off-by: Eric Dumazet +Reported-by: Keyu Man +Cc: Wei Wang +Cc: Martin KaFai Lau +Acked-by: Wei Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/route.c | 20 ++++++++++++++------ + 1 file changed, 14 insertions(+), 6 deletions(-) + +diff --git a/net/ipv6/route.c b/net/ipv6/route.c +index 62db3c98424b..bcf4fae83a9b 100644 +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -41,6 +41,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -1482,17 +1483,24 @@ static void rt6_exception_remove_oldest(struct rt6_exception_bucket *bucket) + static u32 rt6_exception_hash(const struct in6_addr *dst, + const struct in6_addr *src) + { +- static u32 seed __read_mostly; +- u32 val; ++ static siphash_key_t rt6_exception_key __read_mostly; ++ struct { ++ struct in6_addr dst; ++ struct in6_addr src; ++ } __aligned(SIPHASH_ALIGNMENT) combined = { ++ .dst = *dst, ++ }; ++ u64 val; + +- net_get_random_once(&seed, sizeof(seed)); +- val = jhash2((const u32 *)dst, sizeof(*dst)/sizeof(u32), seed); ++ net_get_random_once(&rt6_exception_key, sizeof(rt6_exception_key)); + + #ifdef CONFIG_IPV6_SUBTREES + if (src) +- val = jhash2((const u32 *)src, sizeof(*src)/sizeof(u32), val); ++ combined.src = *src; + #endif +- return hash_32(val, FIB6_EXCEPTION_BUCKET_SIZE_SHIFT); ++ val = siphash(&combined, sizeof(combined), &rt6_exception_key); ++ ++ return hash_64(val, FIB6_EXCEPTION_BUCKET_SIZE_SHIFT); + } + + /* Helper function to find the cached rt in the hash table +-- +2.30.2 + diff --git a/queue-5.10/net-hns3-add-waiting-time-before-cmdq-memory-is-rele.patch b/queue-5.10/net-hns3-add-waiting-time-before-cmdq-memory-is-rele.patch new file mode 100644 index 00000000000..e2763f41865 --- /dev/null +++ b/queue-5.10/net-hns3-add-waiting-time-before-cmdq-memory-is-rele.patch @@ -0,0 +1,95 @@ +From 4c195f6de3f5a8ecedaf7deb26a0fdbe76ebaa90 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Aug 2021 19:21:56 +0800 +Subject: net: hns3: add waiting time before cmdq memory is released + +From: Yufeng Mo + +[ Upstream commit a96d9330b02a3d051ae689bc2c5e7d3a2ba25594 ] + +After the cmdq registers are cleared, the firmware may take time to +clear out possible left over commands in the cmdq. Driver must release +cmdq memory only after firmware has completed processing of left over +commands. + +Fixes: 232d0d55fca6 ("net: hns3: uninitialize command queue while unloading PF driver") +Signed-off-by: Yufeng Mo +Signed-off-by: Guangbin Huang +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.c | 6 +++++- + drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.h | 1 + + drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_cmd.c | 7 ++++++- + drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_cmd.h | 1 + + 4 files changed, 13 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.c +index e6321dda0f3f..6f9f759ce0c0 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.c +@@ -521,9 +521,13 @@ static void hclge_cmd_uninit_regs(struct hclge_hw *hw) + + void hclge_cmd_uninit(struct hclge_dev *hdev) + { ++ set_bit(HCLGE_STATE_CMD_DISABLE, &hdev->state); ++ /* wait to ensure that the firmware completes the possible left ++ * over commands. ++ */ ++ msleep(HCLGE_CMDQ_CLEAR_WAIT_TIME); + spin_lock_bh(&hdev->hw.cmq.csq.lock); + spin_lock(&hdev->hw.cmq.crq.lock); +- set_bit(HCLGE_STATE_CMD_DISABLE, &hdev->state); + hclge_cmd_uninit_regs(&hdev->hw); + spin_unlock(&hdev->hw.cmq.crq.lock); + spin_unlock_bh(&hdev->hw.cmq.csq.lock); +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.h b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.h +index b38b48b9f0b1..3d70c3a47d63 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.h ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.h +@@ -9,6 +9,7 @@ + #include "hnae3.h" + + #define HCLGE_CMDQ_TX_TIMEOUT 30000 ++#define HCLGE_CMDQ_CLEAR_WAIT_TIME 200 + #define HCLGE_DESC_DATA_LEN 6 + + struct hclge_dev; +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_cmd.c b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_cmd.c +index 66866c1cfb12..cae6db17cb19 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_cmd.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_cmd.c +@@ -472,12 +472,17 @@ static void hclgevf_cmd_uninit_regs(struct hclgevf_hw *hw) + + void hclgevf_cmd_uninit(struct hclgevf_dev *hdev) + { ++ set_bit(HCLGEVF_STATE_CMD_DISABLE, &hdev->state); ++ /* wait to ensure that the firmware completes the possible left ++ * over commands. ++ */ ++ msleep(HCLGEVF_CMDQ_CLEAR_WAIT_TIME); + spin_lock_bh(&hdev->hw.cmq.csq.lock); + spin_lock(&hdev->hw.cmq.crq.lock); +- set_bit(HCLGEVF_STATE_CMD_DISABLE, &hdev->state); + hclgevf_cmd_uninit_regs(&hdev->hw); + spin_unlock(&hdev->hw.cmq.crq.lock); + spin_unlock_bh(&hdev->hw.cmq.csq.lock); ++ + hclgevf_free_cmd_desc(&hdev->hw.cmq.csq); + hclgevf_free_cmd_desc(&hdev->hw.cmq.crq); + } +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_cmd.h b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_cmd.h +index 9460c128c095..f90ff8a84b7e 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_cmd.h ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_cmd.h +@@ -8,6 +8,7 @@ + #include "hnae3.h" + + #define HCLGEVF_CMDQ_TX_TIMEOUT 30000 ++#define HCLGEVF_CMDQ_CLEAR_WAIT_TIME 200 + #define HCLGEVF_CMDQ_RX_INVLD_B 0 + #define HCLGEVF_CMDQ_RX_OUTVLD_B 1 + +-- +2.30.2 + diff --git a/queue-5.10/net-hns3-clear-hardware-resource-when-loading-driver.patch b/queue-5.10/net-hns3-clear-hardware-resource-when-loading-driver.patch new file mode 100644 index 00000000000..5be7e0dfd72 --- /dev/null +++ b/queue-5.10/net-hns3-clear-hardware-resource-when-loading-driver.patch @@ -0,0 +1,86 @@ +From 08afd0a87a4212c7831c95d0e79113de09214f55 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Aug 2021 19:21:55 +0800 +Subject: net: hns3: clear hardware resource when loading driver + +From: Yufeng Mo + +[ Upstream commit 1a6d281946c330cee2855f6d0cd796616e54601f ] + +If a PF is bonded to a virtual machine and the virtual machine exits +unexpectedly, some hardware resource cannot be cleared. In this case, +loading driver may cause exceptions. Therefore, the hardware resource +needs to be cleared when the driver is loaded. + +Fixes: 46a3df9f9718 ("net: hns3: Add HNS3 Acceleration Engine & Compatibility Layer Support") +Signed-off-by: Yufeng Mo +Signed-off-by: Salil Mehta +Signed-off-by: Guangbin Huang +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../hisilicon/hns3/hns3pf/hclge_cmd.h | 3 +++ + .../hisilicon/hns3/hns3pf/hclge_main.c | 26 +++++++++++++++++++ + 2 files changed, 29 insertions(+) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.h b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.h +index 36690fc5c1af..b38b48b9f0b1 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.h ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.h +@@ -262,6 +262,9 @@ enum hclge_opcode_type { + /* Led command */ + HCLGE_OPC_LED_STATUS_CFG = 0xB000, + ++ /* clear hardware resource command */ ++ HCLGE_OPC_CLEAR_HW_RESOURCE = 0x700B, ++ + /* NCL config command */ + HCLGE_OPC_QUERY_NCL_CONFIG = 0x7011, + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c +index 98190aa90781..c48c845472ca 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c +@@ -10030,6 +10030,28 @@ static void hclge_clear_resetting_state(struct hclge_dev *hdev) + } + } + ++static int hclge_clear_hw_resource(struct hclge_dev *hdev) ++{ ++ struct hclge_desc desc; ++ int ret; ++ ++ hclge_cmd_setup_basic_desc(&desc, HCLGE_OPC_CLEAR_HW_RESOURCE, false); ++ ++ ret = hclge_cmd_send(&hdev->hw, &desc, 1); ++ /* This new command is only supported by new firmware, it will ++ * fail with older firmware. Error value -EOPNOSUPP can only be ++ * returned by older firmware running this command, to keep code ++ * backward compatible we will override this value and return ++ * success. ++ */ ++ if (ret && ret != -EOPNOTSUPP) { ++ dev_err(&hdev->pdev->dev, ++ "failed to clear hw resource, ret = %d\n", ret); ++ return ret; ++ } ++ return 0; ++} ++ + static int hclge_init_ae_dev(struct hnae3_ae_dev *ae_dev) + { + struct pci_dev *pdev = ae_dev->pdev; +@@ -10067,6 +10089,10 @@ static int hclge_init_ae_dev(struct hnae3_ae_dev *ae_dev) + if (ret) + goto err_cmd_uninit; + ++ ret = hclge_clear_hw_resource(hdev); ++ if (ret) ++ goto err_cmd_uninit; ++ + ret = hclge_get_cap(hdev); + if (ret) + goto err_cmd_uninit; +-- +2.30.2 + diff --git a/queue-5.10/net-hns3-fix-duplicate-node-in-vlan-list.patch b/queue-5.10/net-hns3-fix-duplicate-node-in-vlan-list.patch new file mode 100644 index 00000000000..b4dd1fc7527 --- /dev/null +++ b/queue-5.10/net-hns3-fix-duplicate-node-in-vlan-list.patch @@ -0,0 +1,42 @@ +From eb04b605724179af3a7f34f7924ea5124fbfd87f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Aug 2021 19:21:58 +0800 +Subject: net: hns3: fix duplicate node in VLAN list + +From: Guojia Liao + +[ Upstream commit 94391fae82f71c98ecc7716a32611fcca73c74eb ] + +VLAN list should not be added duplicate VLAN node, otherwise it would +cause "add failed" when restore VLAN from VLAN list, so this patch adds +VLAN ID check before adding node into VLAN list. + +Fixes: c6075b193462 ("net: hns3: Record VF vlan tables") +Signed-off-by: Guojia Liao +Signed-off-by: Guangbin Huang +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c +index c48c845472ca..2261de5caf86 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c +@@ -8792,7 +8792,11 @@ static int hclge_init_vlan_config(struct hclge_dev *hdev) + static void hclge_add_vport_vlan_table(struct hclge_vport *vport, u16 vlan_id, + bool writen_to_tbl) + { +- struct hclge_vport_vlan_cfg *vlan; ++ struct hclge_vport_vlan_cfg *vlan, *tmp; ++ ++ list_for_each_entry_safe(vlan, tmp, &vport->vlan_list, node) ++ if (vlan->vlan_id == vlan_id) ++ return; + + vlan = kzalloc(sizeof(*vlan), GFP_KERNEL); + if (!vlan) +-- +2.30.2 + diff --git a/queue-5.10/net-hns3-fix-get-wrong-pfc_en-when-query-pfc-configu.patch b/queue-5.10/net-hns3-fix-get-wrong-pfc_en-when-query-pfc-configu.patch new file mode 100644 index 00000000000..a85d32632bf --- /dev/null +++ b/queue-5.10/net-hns3-fix-get-wrong-pfc_en-when-query-pfc-configu.patch @@ -0,0 +1,66 @@ +From b09887398c5158aa58bd2feacc4e3d5cd393fc7f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Aug 2021 19:22:01 +0800 +Subject: net: hns3: fix get wrong pfc_en when query PFC configuration + +From: Guangbin Huang + +[ Upstream commit 8c1671e0d13d4a0ba4fb3a0da932bf3736d7ff73 ] + +Currently, when query PFC configuration by dcbtool, driver will return +PFC enable status based on TC. As all priorities are mapped to TC0 by +default, if TC0 is enabled, then all priorities mapped to TC0 will be +shown as enabled status when query PFC setting, even though some +priorities have never been set. + +for example: +$ dcb pfc show dev eth0 +pfc-cap 4 macsec-bypass off delay 0 +prio-pfc 0:off 1:off 2:off 3:off 4:off 5:off 6:off 7:off +$ dcb pfc set dev eth0 prio-pfc 0:on 1:on 2:on 3:on +$ dcb pfc show dev eth0 +pfc-cap 4 macsec-bypass off delay 0 +prio-pfc 0:on 1:on 2:on 3:on 4:on 5:on 6:on 7:on + +To fix this problem, just returns user's PFC config parameter saved in +driver. + +Fixes: cacde272dd00 ("net: hns3: Add hclge_dcb module for the support of DCB feature") +Signed-off-by: Guangbin Huang +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/hisilicon/hns3/hns3pf/hclge_dcb.c | 13 ++----------- + 1 file changed, 2 insertions(+), 11 deletions(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_dcb.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_dcb.c +index 3606240025a8..a93c7eb4e7cb 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_dcb.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_dcb.c +@@ -283,21 +283,12 @@ static int hclge_ieee_getpfc(struct hnae3_handle *h, struct ieee_pfc *pfc) + u64 requests[HNAE3_MAX_TC], indications[HNAE3_MAX_TC]; + struct hclge_vport *vport = hclge_get_vport(h); + struct hclge_dev *hdev = vport->back; +- u8 i, j, pfc_map, *prio_tc; + int ret; ++ u8 i; + + memset(pfc, 0, sizeof(*pfc)); + pfc->pfc_cap = hdev->pfc_max; +- prio_tc = hdev->tm_info.prio_tc; +- pfc_map = hdev->tm_info.hw_pfc_map; +- +- /* Pfc setting is based on TC */ +- for (i = 0; i < hdev->tm_info.num_tc; i++) { +- for (j = 0; j < HNAE3_MAX_USER_PRIO; j++) { +- if ((prio_tc[j] == i) && (pfc_map & BIT(i))) +- pfc->pfc_en |= BIT(j); +- } +- } ++ pfc->pfc_en = hdev->tm_info.pfc_en; + + ret = hclge_pfc_tx_stats_get(hdev, requests); + if (ret) +-- +2.30.2 + diff --git a/queue-5.10/net-marvell-fix-mvneta_tx_in_prgrs-bit-number.patch b/queue-5.10/net-marvell-fix-mvneta_tx_in_prgrs-bit-number.patch new file mode 100644 index 00000000000..bd46b5a3702 --- /dev/null +++ b/queue-5.10/net-marvell-fix-mvneta_tx_in_prgrs-bit-number.patch @@ -0,0 +1,36 @@ +From cebe5ce0afeacb6f1a80c22b157642660a277e49 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Aug 2021 18:39:51 +0300 +Subject: net: marvell: fix MVNETA_TX_IN_PRGRS bit number + +From: Maxim Kiselev + +[ Upstream commit 359f4cdd7d78fdf8c098713b05fee950a730f131 ] + +According to Armada XP datasheet bit at 0 position is corresponding for +TxInProg indication. + +Fixes: c5aff18204da ("net: mvneta: driver for Marvell Armada 370/XP network unit") +Signed-off-by: Maxim Kiselev +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/mvneta.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c +index c6b735b30515..74e266c0b8e1 100644 +--- a/drivers/net/ethernet/marvell/mvneta.c ++++ b/drivers/net/ethernet/marvell/mvneta.c +@@ -103,7 +103,7 @@ + #define MVNETA_DESC_SWAP BIT(6) + #define MVNETA_TX_BRST_SZ_MASK(burst) ((burst) << 22) + #define MVNETA_PORT_STATUS 0x2444 +-#define MVNETA_TX_IN_PRGRS BIT(1) ++#define MVNETA_TX_IN_PRGRS BIT(0) + #define MVNETA_TX_FIFO_EMPTY BIT(8) + #define MVNETA_RX_MIN_FRAME_SIZE 0x247c + /* Only exists on Armada XP and Armada 370 */ +-- +2.30.2 + diff --git a/queue-5.10/net-sched-ets-fix-crash-when-flipping-from-strict-to.patch b/queue-5.10/net-sched-ets-fix-crash-when-flipping-from-strict-to.patch new file mode 100644 index 00000000000..ea4aeb769b2 --- /dev/null +++ b/queue-5.10/net-sched-ets-fix-crash-when-flipping-from-strict-to.patch @@ -0,0 +1,104 @@ +From 38eea8f8be82396e58db7cbac0d536c3c11c40d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Aug 2021 00:33:48 +0200 +Subject: net/sched: ets: fix crash when flipping from 'strict' to 'quantum' + +From: Davide Caratti + +[ Upstream commit cd9b50adc6bb9ad3f7d244590a389522215865c4 ] + +While running kselftests, Hangbin observed that sch_ets.sh often crashes, +and splats like the following one are seen in the output of 'dmesg': + + BUG: kernel NULL pointer dereference, address: 0000000000000000 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + PGD 159f12067 P4D 159f12067 PUD 159f13067 PMD 0 + Oops: 0000 [#1] SMP NOPTI + CPU: 2 PID: 921 Comm: tc Not tainted 5.14.0-rc6+ #458 + Hardware name: Red Hat KVM, BIOS 1.11.1-4.module+el8.1.0+4066+0f1aadab 04/01/2014 + RIP: 0010:__list_del_entry_valid+0x2d/0x50 + Code: 48 8b 57 08 48 b9 00 01 00 00 00 00 ad de 48 39 c8 0f 84 ac 6e 5b 00 48 b9 22 01 00 00 00 00 ad de 48 39 ca 0f 84 cf 6e 5b 00 <48> 8b 32 48 39 fe 0f 85 af 6e 5b 00 48 8b 50 08 48 39 f2 0f 85 94 + RSP: 0018:ffffb2da005c3890 EFLAGS: 00010217 + RAX: 0000000000000000 RBX: ffff9073ba23f800 RCX: dead000000000122 + RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff9073ba23fbc8 + RBP: ffff9073ba23f890 R08: 0000000000000001 R09: 0000000000000001 + R10: 0000000000000001 R11: 0000000000000001 R12: dead000000000100 + R13: ffff9073ba23fb00 R14: 0000000000000002 R15: 0000000000000002 + FS: 00007f93e5564e40(0000) GS:ffff9073bba00000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000000000000 CR3: 000000014ad34000 CR4: 0000000000350ee0 + Call Trace: + ets_qdisc_reset+0x6e/0x100 [sch_ets] + qdisc_reset+0x49/0x1d0 + tbf_reset+0x15/0x60 [sch_tbf] + qdisc_reset+0x49/0x1d0 + dev_reset_queue.constprop.42+0x2f/0x90 + dev_deactivate_many+0x1d3/0x3d0 + dev_deactivate+0x56/0x90 + qdisc_graft+0x47e/0x5a0 + tc_get_qdisc+0x1db/0x3e0 + rtnetlink_rcv_msg+0x164/0x4c0 + netlink_rcv_skb+0x50/0x100 + netlink_unicast+0x1a5/0x280 + netlink_sendmsg+0x242/0x480 + sock_sendmsg+0x5b/0x60 + ____sys_sendmsg+0x1f2/0x260 + ___sys_sendmsg+0x7c/0xc0 + __sys_sendmsg+0x57/0xa0 + do_syscall_64+0x3a/0x80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + RIP: 0033:0x7f93e44b8338 + Code: 89 02 48 c7 c0 ff ff ff ff eb b5 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 8d 05 25 43 2c 00 8b 00 85 c0 75 17 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 41 54 41 89 d4 55 + RSP: 002b:00007ffc0db737a8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e + RAX: ffffffffffffffda RBX: 0000000061255c06 RCX: 00007f93e44b8338 + RDX: 0000000000000000 RSI: 00007ffc0db73810 RDI: 0000000000000003 + RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000 + R10: 000000000000000b R11: 0000000000000246 R12: 0000000000000001 + R13: 0000000000687880 R14: 0000000000000000 R15: 0000000000000000 + Modules linked in: sch_ets sch_tbf dummy rfkill iTCO_wdt iTCO_vendor_support intel_rapl_msr intel_rapl_common joydev i2c_i801 pcspkr i2c_smbus lpc_ich virtio_balloon ip_tables xfs libcrc32c crct10dif_pclmul crc32_pclmul crc32c_intel ahci libahci ghash_clmulni_intel libata serio_raw virtio_blk virtio_console virtio_net net_failover failover sunrpc dm_mirror dm_region_hash dm_log dm_mod + CR2: 0000000000000000 + +When the change() function decreases the value of 'nstrict', we must take +into account that packets might be already enqueued on a class that flips +from 'strict' to 'quantum': otherwise that class will not be added to the +bandwidth-sharing list. Then, a call to ets_qdisc_reset() will attempt to +do list_del(&alist) with 'alist' filled with zero, hence the NULL pointer +dereference. +For classes flipping from 'strict' to 'quantum', initialize an empty list +and eventually add it to the bandwidth-sharing list, if there are packets +already enqueued. In this way, the kernel will: + a) prevent crashing as described above. + b) avoid retaining the backlog packets (for an arbitrarily long time) in + case no packet is enqueued after a change from 'strict' to 'quantum'. + +Reported-by: Hangbin Liu +Fixes: dcc68b4d8084 ("net: sch_ets: Add a new Qdisc") +Signed-off-by: Davide Caratti +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sched/sch_ets.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/net/sched/sch_ets.c b/net/sched/sch_ets.c +index c1e84d1eeaba..c76701ac35ab 100644 +--- a/net/sched/sch_ets.c ++++ b/net/sched/sch_ets.c +@@ -660,6 +660,13 @@ static int ets_qdisc_change(struct Qdisc *sch, struct nlattr *opt, + sch_tree_lock(sch); + + q->nbands = nbands; ++ for (i = nstrict; i < q->nstrict; i++) { ++ INIT_LIST_HEAD(&q->classes[i].alist); ++ if (q->classes[i].qdisc->q.qlen) { ++ list_add_tail(&q->classes[i].alist, &q->active); ++ q->classes[i].deficit = quanta[i]; ++ } ++ } + q->nstrict = nstrict; + memcpy(q->prio2band, priomap, sizeof(priomap)); + +-- +2.30.2 + diff --git a/queue-5.10/net-stmmac-add-mutex-lock-to-protect-est-parameters.patch b/queue-5.10/net-stmmac-add-mutex-lock-to-protect-est-parameters.patch new file mode 100644 index 00000000000..f829c9c3d42 --- /dev/null +++ b/queue-5.10/net-stmmac-add-mutex-lock-to-protect-est-parameters.patch @@ -0,0 +1,99 @@ +From 94c442a8f2c6ef87b31b855106753ddaaa39d72d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Jul 2021 18:26:54 +0800 +Subject: net: stmmac: add mutex lock to protect est parameters + +From: Xiaoliang Yang + +[ Upstream commit b2aae654a4794ef898ad33a179f341eb610f6b85 ] + +Add a mutex lock to protect est structure parameters so that the +EST parameters can be updated by other threads. + +Signed-off-by: Xiaoliang Yang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c | 13 ++++++++++++- + include/linux/stmmac.h | 1 + + 2 files changed, 13 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c +index 40dc14d1415f..8c2eae2a7efd 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c +@@ -689,14 +689,18 @@ static int tc_setup_taprio(struct stmmac_priv *priv, + GFP_KERNEL); + if (!plat->est) + return -ENOMEM; ++ ++ mutex_init(&priv->plat->est->lock); + } else { + memset(plat->est, 0, sizeof(*plat->est)); + } + + size = qopt->num_entries; + ++ mutex_lock(&priv->plat->est->lock); + priv->plat->est->gcl_size = size; + priv->plat->est->enable = qopt->enable; ++ mutex_unlock(&priv->plat->est->lock); + + for (i = 0; i < size; i++) { + s64 delta_ns = qopt->entries[i].interval; +@@ -727,6 +731,7 @@ static int tc_setup_taprio(struct stmmac_priv *priv, + priv->plat->est->gcl[i] = delta_ns | (gates << wid); + } + ++ mutex_lock(&priv->plat->est->lock); + /* Adjust for real system time */ + priv->ptp_clock_ops.gettime64(&priv->ptp_clock_ops, ¤t_time); + current_time_ns = timespec64_to_ktime(current_time); +@@ -751,8 +756,10 @@ static int tc_setup_taprio(struct stmmac_priv *priv, + priv->plat->est->ctr[0] = do_div(ctr, NSEC_PER_SEC); + priv->plat->est->ctr[1] = (u32)ctr; + +- if (fpe && !priv->dma_cap.fpesel) ++ if (fpe && !priv->dma_cap.fpesel) { ++ mutex_unlock(&priv->plat->est->lock); + return -EOPNOTSUPP; ++ } + + ret = stmmac_fpe_configure(priv, priv->ioaddr, + priv->plat->tx_queues_to_use, +@@ -764,6 +771,7 @@ static int tc_setup_taprio(struct stmmac_priv *priv, + + ret = stmmac_est_configure(priv, priv->ioaddr, priv->plat->est, + priv->plat->clk_ptp_rate); ++ mutex_unlock(&priv->plat->est->lock); + if (ret) { + netdev_err(priv->dev, "failed to configure EST\n"); + goto disable; +@@ -773,9 +781,12 @@ static int tc_setup_taprio(struct stmmac_priv *priv, + return 0; + + disable: ++ mutex_lock(&priv->plat->est->lock); + priv->plat->est->enable = false; + stmmac_est_configure(priv, priv->ioaddr, priv->plat->est, + priv->plat->clk_ptp_rate); ++ mutex_unlock(&priv->plat->est->lock); ++ + return ret; + } + +diff --git a/include/linux/stmmac.h b/include/linux/stmmac.h +index 15ca6b4167cc..b56e1dedcf2f 100644 +--- a/include/linux/stmmac.h ++++ b/include/linux/stmmac.h +@@ -112,6 +112,7 @@ struct stmmac_axi { + + #define EST_GCL 1024 + struct stmmac_est { ++ struct mutex lock; + int enable; + u32 btr_offset[2]; + u32 btr[2]; +-- +2.30.2 + diff --git a/queue-5.10/net-stmmac-fix-kernel-panic-due-to-null-pointer-dere.patch b/queue-5.10/net-stmmac-fix-kernel-panic-due-to-null-pointer-dere.patch new file mode 100644 index 00000000000..096cb9ce574 --- /dev/null +++ b/queue-5.10/net-stmmac-fix-kernel-panic-due-to-null-pointer-dere.patch @@ -0,0 +1,83 @@ +From 4cf2a5f72f5f592715dfdbdf0fd9b6204d162c90 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Aug 2021 21:26:22 +0800 +Subject: net: stmmac: fix kernel panic due to NULL pointer dereference of + plat->est + +From: Wong Vee Khee + +[ Upstream commit 82a44ae113b7b35850f4542f0443fcab221e376a ] + +In the case of taprio offload is not enabled, the error handling path +causes a kernel crash due to kernel NULL pointer deference. + +Fix this by adding check for NULL before attempt to access 'plat->est' +on the mutex_lock() call. + +The following kernel panic is observed without this patch: + +RIP: 0010:mutex_lock+0x10/0x20 +Call Trace: +tc_setup_taprio+0x482/0x560 [stmmac] +kmem_cache_alloc_trace+0x13f/0x490 +taprio_disable_offload.isra.0+0x9d/0x180 [sch_taprio] +taprio_destroy+0x6c/0x100 [sch_taprio] +qdisc_create+0x2e5/0x4f0 +tc_modify_qdisc+0x126/0x740 +rtnetlink_rcv_msg+0x12b/0x380 +_raw_spin_lock_irqsave+0x19/0x40 +_raw_spin_unlock_irqrestore+0x18/0x30 +create_object+0x212/0x340 +rtnl_calcit.isra.0+0x110/0x110 +netlink_rcv_skb+0x50/0x100 +netlink_unicast+0x191/0x230 +netlink_sendmsg+0x243/0x470 +sock_sendmsg+0x5e/0x60 +____sys_sendmsg+0x20b/0x280 +copy_msghdr_from_user+0x5c/0x90 +__mod_memcg_state+0x87/0xf0 + ___sys_sendmsg+0x7c/0xc0 +lru_cache_add+0x7f/0xa0 +_raw_spin_unlock+0x16/0x30 +wp_page_copy+0x449/0x890 +handle_mm_fault+0x921/0xfc0 +__sys_sendmsg+0x59/0xa0 +do_syscall_64+0x33/0x40 +entry_SYSCALL_64_after_hwframe+0x44/0xa9 +---[ end trace b1f19b24368a96aa ]--- + +Fixes: b60189e0392f ("net: stmmac: Integrate EST with TAPRIO scheduler API") +Cc: # 5.10.x +Signed-off-by: Wong Vee Khee +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c +index 8c2eae2a7efd..22c34474e617 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c +@@ -781,11 +781,13 @@ static int tc_setup_taprio(struct stmmac_priv *priv, + return 0; + + disable: +- mutex_lock(&priv->plat->est->lock); +- priv->plat->est->enable = false; +- stmmac_est_configure(priv, priv->ioaddr, priv->plat->est, +- priv->plat->clk_ptp_rate); +- mutex_unlock(&priv->plat->est->lock); ++ if (priv->plat->est) { ++ mutex_lock(&priv->plat->est->lock); ++ priv->plat->est->enable = false; ++ stmmac_est_configure(priv, priv->ioaddr, priv->plat->est, ++ priv->plat->clk_ptp_rate); ++ mutex_unlock(&priv->plat->est->lock); ++ } + + return ret; + } +-- +2.30.2 + diff --git a/queue-5.10/net-usb-pegasus-fixes-of-set_register-s-return-value.patch b/queue-5.10/net-usb-pegasus-fixes-of-set_register-s-return-value.patch new file mode 100644 index 00000000000..38eba33fde0 --- /dev/null +++ b/queue-5.10/net-usb-pegasus-fixes-of-set_register-s-return-value.patch @@ -0,0 +1,48 @@ +From 5f45f4a91009cc3c6bf0f36d66bb07089bd773ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Aug 2021 09:57:53 +0300 +Subject: net: usb: pegasus: fixes of set_register(s) return value evaluation; + +From: Petko Manolov + +[ Upstream commit ffc9c3ebb4af870a121da99826e9ccb63dc8b3d7 ] + +- restore the behavior in enable_net_traffic() to avoid regressions - Jakub + Kicinski; + - hurried up and removed redundant assignment in pegasus_open() before yet + another checker complains; + +Fixes: 8a160e2e9aeb ("net: usb: pegasus: Check the return value of get_geristers() and friends;") +Reported-by: Jakub Kicinski +Signed-off-by: Petko Manolov +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/pegasus.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/usb/pegasus.c b/drivers/net/usb/pegasus.c +index fb1a8c4486dd..2a748a924f83 100644 +--- a/drivers/net/usb/pegasus.c ++++ b/drivers/net/usb/pegasus.c +@@ -471,7 +471,7 @@ static int enable_net_traffic(struct net_device *dev, struct usb_device *usb) + write_mii_word(pegasus, 0, 0x1b, &auxmode); + } + +- return 0; ++ return ret; + fail: + netif_dbg(pegasus, drv, pegasus->net, "%s failed\n", __func__); + return ret; +@@ -861,7 +861,7 @@ static int pegasus_open(struct net_device *net) + if (!pegasus->rx_skb) + goto exit; + +- res = set_registers(pegasus, EthID, 6, net->dev_addr); ++ set_registers(pegasus, EthID, 6, net->dev_addr); + + usb_fill_bulk_urb(pegasus->rx_urb, pegasus->usb, + usb_rcvbulkpipe(pegasus->usb, 1), +-- +2.30.2 + diff --git a/queue-5.10/rdma-bnxt_re-add-missing-spin-lock-initialization.patch b/queue-5.10/rdma-bnxt_re-add-missing-spin-lock-initialization.patch new file mode 100644 index 00000000000..0f1d63ec93d --- /dev/null +++ b/queue-5.10/rdma-bnxt_re-add-missing-spin-lock-initialization.patch @@ -0,0 +1,36 @@ +From 05337c625fbf72881c42c3d13cb31056bf3fd05d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Aug 2021 20:25:52 -0700 +Subject: RDMA/bnxt_re: Add missing spin lock initialization + +From: Naresh Kumar PBS + +[ Upstream commit 17f2569dce1848080825b8336e6b7c6900193b44 ] + +Add the missing initialization of srq lock. + +Fixes: 37cb11acf1f7 ("RDMA/bnxt_re: Add SRQ support for Broadcom adapters") +Link: https://lore.kernel.org/r/1629343553-5843-3-git-send-email-selvin.xavier@broadcom.com +Signed-off-by: Naresh Kumar PBS +Signed-off-by: Selvin Xavier +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/ib_verbs.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/infiniband/hw/bnxt_re/ib_verbs.c b/drivers/infiniband/hw/bnxt_re/ib_verbs.c +index 266de55f5719..441952a5eca4 100644 +--- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c ++++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c +@@ -1691,6 +1691,7 @@ int bnxt_re_create_srq(struct ib_srq *ib_srq, + if (nq) + nq->budget++; + atomic_inc(&rdev->srq_count); ++ spin_lock_init(&srq->lock); + + return 0; + +-- +2.30.2 + diff --git a/queue-5.10/rdma-bnxt_re-remove-unpaired-rtnl-unlock-in-bnxt_re_.patch b/queue-5.10/rdma-bnxt_re-remove-unpaired-rtnl-unlock-in-bnxt_re_.patch new file mode 100644 index 00000000000..0268bccf145 --- /dev/null +++ b/queue-5.10/rdma-bnxt_re-remove-unpaired-rtnl-unlock-in-bnxt_re_.patch @@ -0,0 +1,40 @@ +From bc5595d1c4c58980a40620e67bb16b9f0aacbc94 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Aug 2021 16:55:31 +0800 +Subject: RDMA/bnxt_re: Remove unpaired rtnl unlock in bnxt_re_dev_init() + +From: Dinghao Liu + +[ Upstream commit a036ad088306a88de87e973981f2b9224e466c3f ] + +The fixed commit removes all rtnl_lock() and rtnl_unlock() calls in +function bnxt_re_dev_init(), but forgets to remove a rtnl_unlock() in the +error handling path of bnxt_re_register_netdev(), which may cause a +deadlock. This bug is suggested by a static analysis tool. + +Fixes: c2b777a95923 ("RDMA/bnxt_re: Refactor device add/remove functionalities") +Link: https://lore.kernel.org/r/20210816085531.12167-1-dinghao.liu@zju.edu.cn +Signed-off-by: Dinghao Liu +Acked-by: Selvin Xavier +Reviewed-by: Jason Gunthorpe +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/main.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/main.c b/drivers/infiniband/hw/bnxt_re/main.c +index 1fadca8af71a..9ef6aea29ff1 100644 +--- a/drivers/infiniband/hw/bnxt_re/main.c ++++ b/drivers/infiniband/hw/bnxt_re/main.c +@@ -1410,7 +1410,6 @@ static int bnxt_re_dev_init(struct bnxt_re_dev *rdev, u8 wqe_mode) + memset(&rattr, 0, sizeof(rattr)); + rc = bnxt_re_register_netdev(rdev); + if (rc) { +- rtnl_unlock(); + ibdev_err(&rdev->ibdev, + "Failed to register with netedev: %#x\n", rc); + return -EINVAL; +-- +2.30.2 + diff --git a/queue-5.10/rdma-efa-free-irq-vectors-on-error-flow.patch b/queue-5.10/rdma-efa-free-irq-vectors-on-error-flow.patch new file mode 100644 index 00000000000..5eaab320b3b --- /dev/null +++ b/queue-5.10/rdma-efa-free-irq-vectors-on-error-flow.patch @@ -0,0 +1,38 @@ +From a97d32f58cf51b33574af9f380ed8f31f4218a7b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Aug 2021 18:11:28 +0300 +Subject: RDMA/efa: Free IRQ vectors on error flow + +From: Gal Pressman + +[ Upstream commit dbe986bdfd6dfe6ef24b833767fff4151e024357 ] + +Make sure to free the IRQ vectors in case the allocation doesn't return +the expected number of IRQs. + +Fixes: b7f5e880f377 ("RDMA/efa: Add the efa module") +Link: https://lore.kernel.org/r/20210811151131.39138-2-galpress@amazon.com +Reviewed-by: Firas JahJah +Reviewed-by: Yossi Leybovich +Signed-off-by: Gal Pressman +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/efa/efa_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/infiniband/hw/efa/efa_main.c b/drivers/infiniband/hw/efa/efa_main.c +index 6faed3a81e08..ffdd18f4217f 100644 +--- a/drivers/infiniband/hw/efa/efa_main.c ++++ b/drivers/infiniband/hw/efa/efa_main.c +@@ -377,6 +377,7 @@ static int efa_enable_msix(struct efa_dev *dev) + } + + if (irq_num != msix_vecs) { ++ efa_disable_msix(dev); + dev_err(&dev->pdev->dev, + "Allocated %d MSI-X (out of %d requested)\n", + irq_num, msix_vecs); +-- +2.30.2 + diff --git a/queue-5.10/revert-mmc-sdhci-iproc-set-sdhci_quirk_cap_clock_bas.patch b/queue-5.10/revert-mmc-sdhci-iproc-set-sdhci_quirk_cap_clock_bas.patch new file mode 100644 index 00000000000..8c01412e898 --- /dev/null +++ b/queue-5.10/revert-mmc-sdhci-iproc-set-sdhci_quirk_cap_clock_bas.patch @@ -0,0 +1,43 @@ +From b22b0d4ab0edf8ba7a7d5d4ccdada3c641c90a10 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Aug 2021 16:30:36 +0200 +Subject: Revert "mmc: sdhci-iproc: Set SDHCI_QUIRK_CAP_CLOCK_BASE_BROKEN on + BCM2711" + +From: Ulf Hansson + +[ Upstream commit 885814a97f5a1a2daf66bde5f2076f0bf632c174 ] + +This reverts commit 419dd626e357e89fc9c4e3863592c8b38cfe1571. + +It turned out that the change from the reverted commit breaks the ACPI +based rpi's because it causes the 100Mhz max clock to be overridden to the +return from sdhci_iproc_get_max_clock(), which is 0 because there isn't a +OF/DT based clock device. + +Reported-by: Jeremy Linton +Fixes: 419dd626e357 ("mmc: sdhci-iproc: Set SDHCI_QUIRK_CAP_CLOCK_BASE_BROKEN on BCM2711") +Acked-by: Stefan Wahren +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/sdhci-iproc.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/mmc/host/sdhci-iproc.c b/drivers/mmc/host/sdhci-iproc.c +index 9f0eef97ebdd..b9eb2ec61a83 100644 +--- a/drivers/mmc/host/sdhci-iproc.c ++++ b/drivers/mmc/host/sdhci-iproc.c +@@ -295,8 +295,7 @@ static const struct sdhci_ops sdhci_iproc_bcm2711_ops = { + }; + + static const struct sdhci_pltfm_data sdhci_bcm2711_pltfm_data = { +- .quirks = SDHCI_QUIRK_MULTIBLOCK_READ_ACMD12 | +- SDHCI_QUIRK_CAP_CLOCK_BASE_BROKEN, ++ .quirks = SDHCI_QUIRK_MULTIBLOCK_READ_ACMD12, + .ops = &sdhci_iproc_bcm2711_ops, + }; + +-- +2.30.2 + diff --git a/queue-5.10/rtnetlink-return-correct-error-on-changing-device-ne.patch b/queue-5.10/rtnetlink-return-correct-error-on-changing-device-ne.patch new file mode 100644 index 00000000000..7a8b491012e --- /dev/null +++ b/queue-5.10/rtnetlink-return-correct-error-on-changing-device-ne.patch @@ -0,0 +1,121 @@ +From 24bb20b45d9890c5960da25eeda13ff40e41d929 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Aug 2021 17:25:40 -0700 +Subject: rtnetlink: Return correct error on changing device netns + +From: Andrey Ignatov + +[ Upstream commit 96a6b93b69880b2c978e1b2be9cae6970b605008 ] + +Currently when device is moved between network namespaces using +RTM_NEWLINK message type and one of netns attributes (FLA_NET_NS_PID, +IFLA_NET_NS_FD, IFLA_TARGET_NETNSID) but w/o specifying IFLA_IFNAME, and +target namespace already has device with same name, userspace will get +EINVAL what is confusing and makes debugging harder. + +Fix it so that userspace gets more appropriate EEXIST instead what makes +debugging much easier. + +Before: + + # ./ifname.sh + + ip netns add ns0 + + ip netns exec ns0 ip link add l0 type dummy + + ip netns exec ns0 ip link show l0 + 8: l0: mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000 + link/ether 66:90:b5:d5:78:69 brd ff:ff:ff:ff:ff:ff + + ip link add l0 type dummy + + ip link show l0 + 10: l0: mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000 + link/ether 6e:c6:1f:15:20:8d brd ff:ff:ff:ff:ff:ff + + ip link set l0 netns ns0 + RTNETLINK answers: Invalid argument + +After: + + # ./ifname.sh + + ip netns add ns0 + + ip netns exec ns0 ip link add l0 type dummy + + ip netns exec ns0 ip link show l0 + 8: l0: mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000 + link/ether 1e:4a:72:e3:e3:8f brd ff:ff:ff:ff:ff:ff + + ip link add l0 type dummy + + ip link show l0 + 10: l0: mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000 + link/ether f2:fc:fe:2b:7d:a6 brd ff:ff:ff:ff:ff:ff + + ip link set l0 netns ns0 + RTNETLINK answers: File exists + +The problem is that do_setlink() passes its `char *ifname` argument, +that it gets from a caller, to __dev_change_net_namespace() as is (as +`const char *pat`), but semantics of ifname and pat can be different. + +For example, __rtnl_newlink() does this: + +net/core/rtnetlink.c + 3270 char ifname[IFNAMSIZ]; + ... + 3286 if (tb[IFLA_IFNAME]) + 3287 nla_strscpy(ifname, tb[IFLA_IFNAME], IFNAMSIZ); + 3288 else + 3289 ifname[0] = '\0'; + ... + 3364 if (dev) { + ... + 3394 return do_setlink(skb, dev, ifm, extack, tb, ifname, status); + 3395 } + +, i.e. do_setlink() gets ifname pointer that is always valid no matter +if user specified IFLA_IFNAME or not and then do_setlink() passes this +ifname pointer as is to __dev_change_net_namespace() as pat argument. + +But the pat (pattern) in __dev_change_net_namespace() is used as: + +net/core/dev.c + 11198 err = -EEXIST; + 11199 if (__dev_get_by_name(net, dev->name)) { + 11200 /* We get here if we can't use the current device name */ + 11201 if (!pat) + 11202 goto out; + 11203 err = dev_get_valid_name(net, dev, pat); + 11204 if (err < 0) + 11205 goto out; + 11206 } + +As the result the `goto out` path on line 11202 is neven taken and +instead of returning EEXIST defined on line 11198, +__dev_change_net_namespace() returns an error from dev_get_valid_name() +and this, in turn, will be EINVAL for ifname[0] = '\0' set earlier. + +Fixes: d8a5ec672768 ("[NET]: netlink support for moving devices between network namespaces.") +Signed-off-by: Andrey Ignatov +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/rtnetlink.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c +index dd4659246405..7266571d5c7e 100644 +--- a/net/core/rtnetlink.c ++++ b/net/core/rtnetlink.c +@@ -2601,6 +2601,7 @@ static int do_setlink(const struct sk_buff *skb, + return err; + + if (tb[IFLA_NET_NS_PID] || tb[IFLA_NET_NS_FD] || tb[IFLA_TARGET_NETNSID]) { ++ const char *pat = ifname && ifname[0] ? ifname : NULL; + struct net *net = rtnl_link_get_net_capable(skb, dev_net(dev), + tb, CAP_NET_ADMIN); + if (IS_ERR(net)) { +@@ -2608,7 +2609,7 @@ static int do_setlink(const struct sk_buff *skb, + goto errout; + } + +- err = dev_change_net_namespace(dev, net, ifname); ++ err = dev_change_net_namespace(dev, net, pat); + put_net(net); + if (err) + goto errout; +-- +2.30.2 + diff --git a/queue-5.10/series b/queue-5.10/series index c6d4f3cca41..12741b96304 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -20,3 +20,32 @@ usb-renesas-xhci-prefer-firmware-loading-on-unknown-rom-state.patch usb-dwc3-gadget-fix-dwc3_calc_trbs_left.patch usb-dwc3-gadget-stop-ep0-transfers-during-pullup-disable.patch scsi-core-fix-hang-of-freezing-queue-between-blocking-and-running-device.patch +rdma-bnxt_re-add-missing-spin-lock-initialization.patch +ib-hfi1-fix-possible-null-pointer-dereference-in-_ex.patch +rdma-bnxt_re-remove-unpaired-rtnl-unlock-in-bnxt_re_.patch +ice-do-not-abort-devlink-info-if-board-identifier-ca.patch +net-usb-pegasus-fixes-of-set_register-s-return-value.patch +igc-fix-page-fault-when-thunderbolt-is-unplugged.patch +igc-use-num_tx_queues-when-iterating-over-tx_ring-qu.patch +e1000e-fix-the-max-snoop-no-snoop-latency-for-10m.patch +e1000e-do-not-take-care-about-recovery-nvm-checksum.patch +rdma-efa-free-irq-vectors-on-error-flow.patch +ip_gre-add-validation-for-csum_start.patch +xgene-v2-fix-a-resource-leak-in-the-error-handling-p.patch +net-marvell-fix-mvneta_tx_in_prgrs-bit-number.patch +ucounts-increase-ucounts-reference-counter-before-th.patch +net-sched-ets-fix-crash-when-flipping-from-strict-to.patch +ipv6-use-siphash-in-rt6_exception_hash.patch +ipv4-use-siphash-instead-of-jenkins-in-fnhe_hashfun.patch +cxgb4-dont-touch-blocked-freelist-bitmap-after-free.patch +rtnetlink-return-correct-error-on-changing-device-ne.patch +net-hns3-clear-hardware-resource-when-loading-driver.patch +net-hns3-add-waiting-time-before-cmdq-memory-is-rele.patch +net-hns3-fix-duplicate-node-in-vlan-list.patch +net-hns3-fix-get-wrong-pfc_en-when-query-pfc-configu.patch +revert-mmc-sdhci-iproc-set-sdhci_quirk_cap_clock_bas.patch +net-stmmac-add-mutex-lock-to-protect-est-parameters.patch +net-stmmac-fix-kernel-panic-due-to-null-pointer-dere.patch +drm-i915-fix-syncmap-memory-leak.patch +usb-gadget-u_audio-fix-race-condition-on-endpoint-st.patch +dt-bindings-sifive-l2-cache-fix-select-matching.patch diff --git a/queue-5.10/ucounts-increase-ucounts-reference-counter-before-th.patch b/queue-5.10/ucounts-increase-ucounts-reference-counter-before-th.patch new file mode 100644 index 00000000000..147768b2cc4 --- /dev/null +++ b/queue-5.10/ucounts-increase-ucounts-reference-counter-before-th.patch @@ -0,0 +1,98 @@ +From e3300589876bb44b178c4820625c430a2006b828 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Aug 2021 18:16:33 +0200 +Subject: ucounts: Increase ucounts reference counter before the security hook + +From: Alexey Gladkov + +[ Upstream commit bbb6d0f3e1feb43d663af089c7dedb23be6a04fb ] + +We need to increment the ucounts reference counter befor security_prepare_creds() +because this function may fail and abort_creds() will try to decrement +this reference. + +[ 96.465056][ T8641] FAULT_INJECTION: forcing a failure. +[ 96.465056][ T8641] name fail_page_alloc, interval 1, probability 0, space 0, times 0 +[ 96.478453][ T8641] CPU: 1 PID: 8641 Comm: syz-executor668 Not tainted 5.14.0-rc6-syzkaller #0 +[ 96.487215][ T8641] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +[ 96.497254][ T8641] Call Trace: +[ 96.500517][ T8641] dump_stack_lvl+0x1d3/0x29f +[ 96.505758][ T8641] ? show_regs_print_info+0x12/0x12 +[ 96.510944][ T8641] ? log_buf_vmcoreinfo_setup+0x498/0x498 +[ 96.516652][ T8641] should_fail+0x384/0x4b0 +[ 96.521141][ T8641] prepare_alloc_pages+0x1d1/0x5a0 +[ 96.526236][ T8641] __alloc_pages+0x14d/0x5f0 +[ 96.530808][ T8641] ? __rmqueue_pcplist+0x2030/0x2030 +[ 96.536073][ T8641] ? lockdep_hardirqs_on_prepare+0x3e2/0x750 +[ 96.542056][ T8641] ? alloc_pages+0x3f3/0x500 +[ 96.546635][ T8641] allocate_slab+0xf1/0x540 +[ 96.551120][ T8641] ___slab_alloc+0x1cf/0x350 +[ 96.555689][ T8641] ? kzalloc+0x1d/0x30 +[ 96.559740][ T8641] __kmalloc+0x2e7/0x390 +[ 96.563980][ T8641] ? kzalloc+0x1d/0x30 +[ 96.568029][ T8641] kzalloc+0x1d/0x30 +[ 96.571903][ T8641] security_prepare_creds+0x46/0x220 +[ 96.577174][ T8641] prepare_creds+0x411/0x640 +[ 96.581747][ T8641] __sys_setfsuid+0xe2/0x3a0 +[ 96.586333][ T8641] do_syscall_64+0x3d/0xb0 +[ 96.590739][ T8641] entry_SYSCALL_64_after_hwframe+0x44/0xae +[ 96.596611][ T8641] RIP: 0033:0x445a69 +[ 96.600483][ T8641] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 +[ 96.620152][ T8641] RSP: 002b:00007f1054173318 EFLAGS: 00000246 ORIG_RAX: 000000000000007a +[ 96.628543][ T8641] RAX: ffffffffffffffda RBX: 00000000004ca4c8 RCX: 0000000000445a69 +[ 96.636600][ T8641] RDX: 0000000000000010 RSI: 00007f10541732f0 RDI: 0000000000000000 +[ 96.644550][ T8641] RBP: 00000000004ca4c0 R08: 0000000000000001 R09: 0000000000000000 +[ 96.652500][ T8641] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004ca4cc +[ 96.660631][ T8641] R13: 00007fffffe0b62f R14: 00007f1054173400 R15: 0000000000022000 + +Fixes: 905ae01c4ae2 ("Add a reference to ucounts for each cred") +Reported-by: syzbot+01985d7909f9468f013c@syzkaller.appspotmail.com +Signed-off-by: Alexey Gladkov +Link: https://lkml.kernel.org/r/97433b1742c3331f02ad92de5a4f07d673c90613.1629735352.git.legion@kernel.org +Signed-off-by: Eric W. Biederman +Signed-off-by: Sasha Levin +--- + kernel/cred.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/kernel/cred.c b/kernel/cred.c +index 098213d4a39c..8c0983fa794a 100644 +--- a/kernel/cred.c ++++ b/kernel/cred.c +@@ -286,13 +286,13 @@ struct cred *prepare_creds(void) + new->security = NULL; + #endif + +- if (security_prepare_creds(new, old, GFP_KERNEL_ACCOUNT) < 0) +- goto error; +- + new->ucounts = get_ucounts(new->ucounts); + if (!new->ucounts) + goto error; + ++ if (security_prepare_creds(new, old, GFP_KERNEL_ACCOUNT) < 0) ++ goto error; ++ + validate_creds(new); + return new; + +@@ -753,13 +753,13 @@ struct cred *prepare_kernel_cred(struct task_struct *daemon) + #ifdef CONFIG_SECURITY + new->security = NULL; + #endif +- if (security_prepare_creds(new, old, GFP_KERNEL_ACCOUNT) < 0) +- goto error; +- + new->ucounts = get_ucounts(new->ucounts); + if (!new->ucounts) + goto error; + ++ if (security_prepare_creds(new, old, GFP_KERNEL_ACCOUNT) < 0) ++ goto error; ++ + put_cred(old); + validate_creds(new); + return new; +-- +2.30.2 + diff --git a/queue-5.10/usb-gadget-u_audio-fix-race-condition-on-endpoint-st.patch b/queue-5.10/usb-gadget-u_audio-fix-race-condition-on-endpoint-st.patch new file mode 100644 index 00000000000..be1c9ee4e07 --- /dev/null +++ b/queue-5.10/usb-gadget-u_audio-fix-race-condition-on-endpoint-st.patch @@ -0,0 +1,57 @@ +From 0be0a4b568549b823a6246a8536e1b519e93c1be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Aug 2021 11:29:27 +0200 +Subject: usb: gadget: u_audio: fix race condition on endpoint stop + +From: Jerome Brunet + +[ Upstream commit 068fdad20454f815e61e6f6eb9f051a8b3120e88 ] + +If the endpoint completion callback is call right after the ep_enabled flag +is cleared and before usb_ep_dequeue() is call, we could do a double free +on the request and the associated buffer. + +Fix this by clearing ep_enabled after all the endpoint requests have been +dequeued. + +Fixes: 7de8681be2cd ("usb: gadget: u_audio: Free requests only after callback") +Cc: stable +Reported-by: Thinh Nguyen +Signed-off-by: Jerome Brunet +Link: https://lore.kernel.org/r/20210827092927.366482-1-jbrunet@baylibre.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/u_audio.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/usb/gadget/function/u_audio.c b/drivers/usb/gadget/function/u_audio.c +index 908e49dafd62..95605b1ef4eb 100644 +--- a/drivers/usb/gadget/function/u_audio.c ++++ b/drivers/usb/gadget/function/u_audio.c +@@ -334,8 +334,6 @@ static inline void free_ep(struct uac_rtd_params *prm, struct usb_ep *ep) + if (!prm->ep_enabled) + return; + +- prm->ep_enabled = false; +- + audio_dev = uac->audio_dev; + params = &audio_dev->params; + +@@ -353,11 +351,12 @@ static inline void free_ep(struct uac_rtd_params *prm, struct usb_ep *ep) + } + } + ++ prm->ep_enabled = false; ++ + if (usb_ep_disable(ep)) + dev_err(uac->card->dev, "%s:%d Error!\n", __func__, __LINE__); + } + +- + int u_audio_start_capture(struct g_audio *audio_dev) + { + struct snd_uac_chip *uac = audio_dev->uac; +-- +2.30.2 + diff --git a/queue-5.10/xgene-v2-fix-a-resource-leak-in-the-error-handling-p.patch b/queue-5.10/xgene-v2-fix-a-resource-leak-in-the-error-handling-p.patch new file mode 100644 index 00000000000..71b5b7645f0 --- /dev/null +++ b/queue-5.10/xgene-v2-fix-a-resource-leak-in-the-error-handling-p.patch @@ -0,0 +1,46 @@ +From f27bc62226b5c5c9a1a46e8d6806558308c45a84 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 21 Aug 2021 09:35:23 +0200 +Subject: xgene-v2: Fix a resource leak in the error handling path of + 'xge_probe()' + +From: Christophe JAILLET + +[ Upstream commit 5ed74b03eb4d08f5dd281dcb5f1c9bb92b363a8d ] + +A successful 'xge_mdio_config()' call should be balanced by a corresponding +'xge_mdio_remove()' call in the error handling path of the probe, as +already done in the remove function. + +Update the error handling path accordingly. + +Fixes: ea8ab16ab225 ("drivers: net: xgene-v2: Add MDIO support") +Signed-off-by: Christophe JAILLET +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/apm/xgene-v2/main.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/apm/xgene-v2/main.c b/drivers/net/ethernet/apm/xgene-v2/main.c +index 860c18fb7aae..80399c8980bd 100644 +--- a/drivers/net/ethernet/apm/xgene-v2/main.c ++++ b/drivers/net/ethernet/apm/xgene-v2/main.c +@@ -677,11 +677,13 @@ static int xge_probe(struct platform_device *pdev) + ret = register_netdev(ndev); + if (ret) { + netdev_err(ndev, "Failed to register netdev\n"); +- goto err; ++ goto err_mdio_remove; + } + + return 0; + ++err_mdio_remove: ++ xge_mdio_remove(ndev); + err: + free_netdev(ndev); + +-- +2.30.2 + -- 2.47.3