From d0c6d1ee17ab879a8c85ced876e57ecb685e5782 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Fri, 25 Feb 2022 17:14:48 +0100 Subject: [PATCH] 5.10-stable patches added patches: bnx2x-fix-driver-load-from-initrd.patch bnxt_en-fix-active-fec-reporting-to-ethtool.patch bpf-add-schedule-points-in-batch-ops.patch bpf-do-not-try-bpf_msg_push_data-with-len-0.patch drm-edid-always-set-rgb444.patch gso-do-not-skip-outer-ip-header-in-case-of-ipip-and-net_failover.patch hwmon-handle-failure-to-register-sensor-with-thermal-zone-correctly.patch io_uring-add-a-schedule-point-in-io_add_buffers.patch net-__pskb_pull_tail-pskb_carve_frag_list-drop_monitor-friends.patch net-force-inlining-of-checksum-functions-in-net-checksum.h.patch net-ll_temac-check-the-return-value-of-devm_kmalloc.patch net-mlx5-fix-possible-deadlock-on-rule-deletion.patch net-mlx5-fix-wrong-limitation-of-metadata-match-on-ecpf.patch net-mlx5e-fix-wrong-return-value-on-ioctl-eeprom-query-failure.patch net-mlx5e-ktls-use-checksum_unnecessary-for-device-offloaded-packets.patch net-sched-act_ct-fix-flow-table-lookup-after-ct-clear-or-switching-zones.patch net-smc-use-a-mutex-for-locking-struct-smc_pnettable.patch netfilter-nf_tables-fix-memory-leak-during-stateful-obj-update.patch nfp-flower-fix-a-potential-leak-in-nfp_tunnel_add_shared_mac.patch openvswitch-fix-setting-ipv6-fields-causing-hw-csum-failure.patch perf-data-fix-double-free-in-perf_session__delete.patch ping-remove-pr_err-from-ping_lookup.patch selftests-bpf-check-bpf_msg_push_data-return-value.patch surface-surface3_power-fix-battery-readings-on-batteries-without-a-serial-number.patch tipc-fix-end-of-loop-tests-for-list_for_each_entry.patch udp_tunnel-fix-end-of-loop-test-in-udp_tunnel_nic_unregister.patch --- .../bnx2x-fix-driver-load-from-initrd.patch | 40 +++ ...-fix-active-fec-reporting-to-ethtool.patch | 34 +++ ...bpf-add-schedule-points-in-batch-ops.patch | 63 +++++ ...not-try-bpf_msg_push_data-with-len-0.patch | 43 ++++ queue-5.10/drm-edid-always-set-rgb444.patch | 65 +++++ ...der-in-case-of-ipip-and-net_failover.patch | 103 ++++++++ ...r-sensor-with-thermal-zone-correctly.patch | 89 +++++++ ...d-a-schedule-point-in-io_add_buffers.patch | 87 +++++++ ...carve_frag_list-drop_monitor-friends.patch | 42 +++ ...checksum-functions-in-net-checksum.h.patch | 241 ++++++++++++++++++ ...eck-the-return-value-of-devm_kmalloc.patch | 33 +++ ...x-possible-deadlock-on-rule-deletion.patch | 32 +++ ...limitation-of-metadata-match-on-ecpf.patch | 36 +++ ...-value-on-ioctl-eeprom-query-failure.patch | 32 +++ ...cessary-for-device-offloaded-packets.patch | 43 ++++ ...up-after-ct-clear-or-switching-zones.patch | 42 +++ ...tex-for-locking-struct-smc_pnettable.patch | 220 ++++++++++++++++ ...mory-leak-during-stateful-obj-update.patch | 77 ++++++ ...al-leak-in-nfp_tunnel_add_shared_mac.patch | 50 ++++ ...-ipv6-fields-causing-hw-csum-failure.patch | 149 +++++++++++ ...-double-free-in-perf_session__delete.patch | 58 +++++ .../ping-remove-pr_err-from-ping_lookup.patch | 33 +++ ...check-bpf_msg_push_data-return-value.patch | 97 +++++++ queue-5.10/series | 26 ++ ...on-batteries-without-a-serial-number.patch | 57 +++++ ...f-loop-tests-for-list_for_each_entry.patch | 47 ++++ ...op-test-in-udp_tunnel_nic_unregister.patch | 35 +++ 27 files changed, 1874 insertions(+) create mode 100644 queue-5.10/bnx2x-fix-driver-load-from-initrd.patch create mode 100644 queue-5.10/bnxt_en-fix-active-fec-reporting-to-ethtool.patch create mode 100644 queue-5.10/bpf-add-schedule-points-in-batch-ops.patch create mode 100644 queue-5.10/bpf-do-not-try-bpf_msg_push_data-with-len-0.patch create mode 100644 queue-5.10/drm-edid-always-set-rgb444.patch create mode 100644 queue-5.10/gso-do-not-skip-outer-ip-header-in-case-of-ipip-and-net_failover.patch create mode 100644 queue-5.10/hwmon-handle-failure-to-register-sensor-with-thermal-zone-correctly.patch create mode 100644 queue-5.10/io_uring-add-a-schedule-point-in-io_add_buffers.patch create mode 100644 queue-5.10/net-__pskb_pull_tail-pskb_carve_frag_list-drop_monitor-friends.patch create mode 100644 queue-5.10/net-force-inlining-of-checksum-functions-in-net-checksum.h.patch create mode 100644 queue-5.10/net-ll_temac-check-the-return-value-of-devm_kmalloc.patch create mode 100644 queue-5.10/net-mlx5-fix-possible-deadlock-on-rule-deletion.patch create mode 100644 queue-5.10/net-mlx5-fix-wrong-limitation-of-metadata-match-on-ecpf.patch create mode 100644 queue-5.10/net-mlx5e-fix-wrong-return-value-on-ioctl-eeprom-query-failure.patch create mode 100644 queue-5.10/net-mlx5e-ktls-use-checksum_unnecessary-for-device-offloaded-packets.patch create mode 100644 queue-5.10/net-sched-act_ct-fix-flow-table-lookup-after-ct-clear-or-switching-zones.patch create mode 100644 queue-5.10/net-smc-use-a-mutex-for-locking-struct-smc_pnettable.patch create mode 100644 queue-5.10/netfilter-nf_tables-fix-memory-leak-during-stateful-obj-update.patch create mode 100644 queue-5.10/nfp-flower-fix-a-potential-leak-in-nfp_tunnel_add_shared_mac.patch create mode 100644 queue-5.10/openvswitch-fix-setting-ipv6-fields-causing-hw-csum-failure.patch create mode 100644 queue-5.10/perf-data-fix-double-free-in-perf_session__delete.patch create mode 100644 queue-5.10/ping-remove-pr_err-from-ping_lookup.patch create mode 100644 queue-5.10/selftests-bpf-check-bpf_msg_push_data-return-value.patch create mode 100644 queue-5.10/surface-surface3_power-fix-battery-readings-on-batteries-without-a-serial-number.patch create mode 100644 queue-5.10/tipc-fix-end-of-loop-tests-for-list_for_each_entry.patch create mode 100644 queue-5.10/udp_tunnel-fix-end-of-loop-test-in-udp_tunnel_nic_unregister.patch diff --git a/queue-5.10/bnx2x-fix-driver-load-from-initrd.patch b/queue-5.10/bnx2x-fix-driver-load-from-initrd.patch new file mode 100644 index 00000000000..b0150c69046 --- /dev/null +++ b/queue-5.10/bnx2x-fix-driver-load-from-initrd.patch @@ -0,0 +1,40 @@ +From e13ad1443684f7afaff24cf207e85e97885256bd Mon Sep 17 00:00:00 2001 +From: Manish Chopra +Date: Wed, 23 Feb 2022 00:57:20 -0800 +Subject: bnx2x: fix driver load from initrd + +From: Manish Chopra + +commit e13ad1443684f7afaff24cf207e85e97885256bd upstream. + +Commit b7a49f73059f ("bnx2x: Utilize firmware 7.13.21.0") added +new firmware support in the driver with maintaining older firmware +compatibility. However, older firmware was not added in MODULE_FIRMWARE() +which caused missing firmware files in initrd image leading to driver load +failure from initrd. This patch adds MODULE_FIRMWARE() for older firmware +version to have firmware files included in initrd. + +Fixes: b7a49f73059f ("bnx2x: Utilize firmware 7.13.21.0") +Link: https://bugzilla.kernel.org/show_bug.cgi?id=215627 +Signed-off-by: Manish Chopra +Signed-off-by: Alok Prasad +Signed-off-by: Ariel Elior +Link: https://lore.kernel.org/r/20220223085720.12021-1-manishc@marvell.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c +@@ -100,6 +100,9 @@ MODULE_LICENSE("GPL"); + MODULE_FIRMWARE(FW_FILE_NAME_E1); + MODULE_FIRMWARE(FW_FILE_NAME_E1H); + MODULE_FIRMWARE(FW_FILE_NAME_E2); ++MODULE_FIRMWARE(FW_FILE_NAME_E1_V15); ++MODULE_FIRMWARE(FW_FILE_NAME_E1H_V15); ++MODULE_FIRMWARE(FW_FILE_NAME_E2_V15); + + int bnx2x_num_queues; + module_param_named(num_queues, bnx2x_num_queues, int, 0444); diff --git a/queue-5.10/bnxt_en-fix-active-fec-reporting-to-ethtool.patch b/queue-5.10/bnxt_en-fix-active-fec-reporting-to-ethtool.patch new file mode 100644 index 00000000000..a4e577a55f9 --- /dev/null +++ b/queue-5.10/bnxt_en-fix-active-fec-reporting-to-ethtool.patch @@ -0,0 +1,34 @@ +From 84d3c83e6ea7d46cf3de3a54578af73eb24a64f2 Mon Sep 17 00:00:00 2001 +From: Somnath Kotur +Date: Sun, 20 Feb 2022 04:05:47 -0500 +Subject: bnxt_en: Fix active FEC reporting to ethtool + +From: Somnath Kotur + +commit 84d3c83e6ea7d46cf3de3a54578af73eb24a64f2 upstream. + +ethtool --show-fec does not show anything when the Active +FEC setting in the chip is set to None. Fix it to properly return +ETHTOOL_FEC_OFF in that case. + +Fixes: 8b2775890ad8 ("bnxt_en: Report FEC settings to ethtool.") +Signed-off-by: Somnath Kotur +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c +@@ -1926,6 +1926,9 @@ static int bnxt_get_fecparam(struct net_ + case PORT_PHY_QCFG_RESP_ACTIVE_FEC_FEC_RS272_IEEE_ACTIVE: + fec->active_fec |= ETHTOOL_FEC_LLRS; + break; ++ case PORT_PHY_QCFG_RESP_ACTIVE_FEC_FEC_NONE_ACTIVE: ++ fec->active_fec |= ETHTOOL_FEC_OFF; ++ break; + } + return 0; + } diff --git a/queue-5.10/bpf-add-schedule-points-in-batch-ops.patch b/queue-5.10/bpf-add-schedule-points-in-batch-ops.patch new file mode 100644 index 00000000000..9b03205c094 --- /dev/null +++ b/queue-5.10/bpf-add-schedule-points-in-batch-ops.patch @@ -0,0 +1,63 @@ +From 75134f16e7dd0007aa474b281935c5f42e79f2c8 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Thu, 17 Feb 2022 10:19:02 -0800 +Subject: bpf: Add schedule points in batch ops + +From: Eric Dumazet + +commit 75134f16e7dd0007aa474b281935c5f42e79f2c8 upstream. + +syzbot reported various soft lockups caused by bpf batch operations. + + INFO: task kworker/1:1:27 blocked for more than 140 seconds. + INFO: task hung in rcu_barrier + +Nothing prevents batch ops to process huge amount of data, +we need to add schedule points in them. + +Note that maybe_wait_bpf_programs(map) calls from +generic_map_delete_batch() can be factorized by moving +the call after the loop. + +This will be done later in -next tree once we get this fix merged, +unless there is strong opinion doing this optimization sooner. + +Fixes: aa2e93b8e58e ("bpf: Add generic support for update and delete batch ops") +Fixes: cb4d03ab499d ("bpf: Add generic support for lookup batch op") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Signed-off-by: Alexei Starovoitov +Reviewed-by: Stanislav Fomichev +Acked-by: Brian Vazquez +Link: https://lore.kernel.org/bpf/20220217181902.808742-1-eric.dumazet@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + kernel/bpf/syscall.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/kernel/bpf/syscall.c ++++ b/kernel/bpf/syscall.c +@@ -1308,6 +1308,7 @@ int generic_map_delete_batch(struct bpf_ + maybe_wait_bpf_programs(map); + if (err) + break; ++ cond_resched(); + } + if (copy_to_user(&uattr->batch.count, &cp, sizeof(cp))) + err = -EFAULT; +@@ -1365,6 +1366,7 @@ int generic_map_update_batch(struct bpf_ + + if (err) + break; ++ cond_resched(); + } + + if (copy_to_user(&uattr->batch.count, &cp, sizeof(cp))) +@@ -1462,6 +1464,7 @@ int generic_map_lookup_batch(struct bpf_ + swap(prev_key, key); + retry = MAP_LOOKUP_RETRIES; + cp++; ++ cond_resched(); + } + + if (err == -EFAULT) diff --git a/queue-5.10/bpf-do-not-try-bpf_msg_push_data-with-len-0.patch b/queue-5.10/bpf-do-not-try-bpf_msg_push_data-with-len-0.patch new file mode 100644 index 00000000000..68cec555536 --- /dev/null +++ b/queue-5.10/bpf-do-not-try-bpf_msg_push_data-with-len-0.patch @@ -0,0 +1,43 @@ +From 4a11678f683814df82fca9018d964771e02d7e6d Mon Sep 17 00:00:00 2001 +From: Felix Maurer +Date: Wed, 9 Feb 2022 16:55:26 +0100 +Subject: bpf: Do not try bpf_msg_push_data with len 0 + +From: Felix Maurer + +commit 4a11678f683814df82fca9018d964771e02d7e6d upstream. + +If bpf_msg_push_data() is called with len 0 (as it happens during +selftests/bpf/test_sockmap), we do not need to do anything and can +return early. + +Calling bpf_msg_push_data() with len 0 previously lead to a wrong ENOMEM +error: we later called get_order(copy + len); if len was 0, copy + len +was also often 0 and get_order() returned some undefined value (at the +moment 52). alloc_pages() caught that and failed, but then bpf_msg_push_data() +returned ENOMEM. This was wrong because we are most probably not out of +memory and actually do not need any additional memory. + +Fixes: 6fff607e2f14b ("bpf: sk_msg program helper bpf_msg_push_data") +Signed-off-by: Felix Maurer +Signed-off-by: Daniel Borkmann +Acked-by: Yonghong Song +Acked-by: John Fastabend +Link: https://lore.kernel.org/bpf/df69012695c7094ccb1943ca02b4920db3537466.1644421921.git.fmaurer@redhat.com +Signed-off-by: Greg Kroah-Hartman +--- + net/core/filter.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -2730,6 +2730,9 @@ BPF_CALL_4(bpf_msg_push_data, struct sk_ + if (unlikely(flags)) + return -EINVAL; + ++ if (unlikely(len == 0)) ++ return 0; ++ + /* First find the starting scatterlist element */ + i = msg->sg.start; + do { diff --git a/queue-5.10/drm-edid-always-set-rgb444.patch b/queue-5.10/drm-edid-always-set-rgb444.patch new file mode 100644 index 00000000000..1d066884f07 --- /dev/null +++ b/queue-5.10/drm-edid-always-set-rgb444.patch @@ -0,0 +1,65 @@ +From ecbd4912a693b862e25cba0a6990a8c95b00721e Mon Sep 17 00:00:00 2001 +From: Maxime Ripard +Date: Thu, 3 Feb 2022 12:54:16 +0100 +Subject: drm/edid: Always set RGB444 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maxime Ripard + +commit ecbd4912a693b862e25cba0a6990a8c95b00721e upstream. + +In order to fill the drm_display_info structure each time an EDID is +read, the code currently will call drm_add_display_info with the parsed +EDID. + +drm_add_display_info will then call drm_reset_display_info to reset all +the fields to 0, and then set them to the proper value depending on the +EDID. + +In the color_formats case, we will thus report that we don't support any +color format, and then fill it back with RGB444 plus the additional +formats described in the EDID Feature Support byte. + +However, since that byte only contains format-related bits since the 1.4 +specification, this doesn't happen if the EDID is following an earlier +specification. In turn, it means that for one of these EDID, we end up +with color_formats set to 0. + +The EDID 1.3 specification never really specifies what it means by RGB +exactly, but since both HDMI and DVI will use RGB444, it's fairly safe +to assume it's supposed to be RGB444. + +Let's move the addition of RGB444 to color_formats earlier in +drm_add_display_info() so that it's always set for a digital display. + +Fixes: da05a5a71ad8 ("drm: parse color format support for digital displays") +Cc: Ville Syrjälä +Reported-by: Matthias Reichl +Signed-off-by: Maxime Ripard +Reviewed-by: Ville Syrjälä +Link: https://patchwork.freedesktop.org/patch/msgid/20220203115416.1137308-1-maxime@cerno.tech +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/drm_edid.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/drm_edid.c ++++ b/drivers/gpu/drm/drm_edid.c +@@ -5132,6 +5132,7 @@ u32 drm_add_display_info(struct drm_conn + if (!(edid->input & DRM_EDID_INPUT_DIGITAL)) + return quirks; + ++ info->color_formats |= DRM_COLOR_FORMAT_RGB444; + drm_parse_cea_ext(connector, edid); + + /* +@@ -5180,7 +5181,6 @@ u32 drm_add_display_info(struct drm_conn + DRM_DEBUG("%s: Assigning EDID-1.4 digital sink color depth as %d bpc.\n", + connector->name, info->bpc); + +- info->color_formats |= DRM_COLOR_FORMAT_RGB444; + if (edid->features & DRM_EDID_FEATURE_RGB_YCRCB444) + info->color_formats |= DRM_COLOR_FORMAT_YCRCB444; + if (edid->features & DRM_EDID_FEATURE_RGB_YCRCB422) diff --git a/queue-5.10/gso-do-not-skip-outer-ip-header-in-case-of-ipip-and-net_failover.patch b/queue-5.10/gso-do-not-skip-outer-ip-header-in-case-of-ipip-and-net_failover.patch new file mode 100644 index 00000000000..a79b831ca9d --- /dev/null +++ b/queue-5.10/gso-do-not-skip-outer-ip-header-in-case-of-ipip-and-net_failover.patch @@ -0,0 +1,103 @@ +From cc20cced0598d9a5ff91ae4ab147b3b5e99ee819 Mon Sep 17 00:00:00 2001 +From: Tao Liu +Date: Fri, 18 Feb 2022 22:35:24 +0800 +Subject: gso: do not skip outer ip header in case of ipip and net_failover + +From: Tao Liu + +commit cc20cced0598d9a5ff91ae4ab147b3b5e99ee819 upstream. + +We encounter a tcp drop issue in our cloud environment. Packet GROed in +host forwards to a VM virtio_net nic with net_failover enabled. VM acts +as a IPVS LB with ipip encapsulation. The full path like: +host gro -> vm virtio_net rx -> net_failover rx -> ipvs fullnat + -> ipip encap -> net_failover tx -> virtio_net tx + +When net_failover transmits a ipip pkt (gso_type = 0x0103, which means +SKB_GSO_TCPV4, SKB_GSO_DODGY and SKB_GSO_IPXIP4), there is no gso +did because it supports TSO and GSO_IPXIP4. But network_header points to +inner ip header. + +Call Trace: + tcp4_gso_segment ------> return NULL + inet_gso_segment ------> inner iph, network_header points to + ipip_gso_segment + inet_gso_segment ------> outer iph + skb_mac_gso_segment + +Afterwards virtio_net transmits the pkt, only inner ip header is modified. +And the outer one just keeps unchanged. The pkt will be dropped in remote +host. + +Call Trace: + inet_gso_segment ------> inner iph, outer iph is skipped + skb_mac_gso_segment + __skb_gso_segment + validate_xmit_skb + validate_xmit_skb_list + sch_direct_xmit + __qdisc_run + __dev_queue_xmit ------> virtio_net + dev_hard_start_xmit + __dev_queue_xmit ------> net_failover + ip_finish_output2 + ip_output + iptunnel_xmit + ip_tunnel_xmit + ipip_tunnel_xmit ------> ipip + dev_hard_start_xmit + __dev_queue_xmit + ip_finish_output2 + ip_output + ip_forward + ip_rcv + __netif_receive_skb_one_core + netif_receive_skb_internal + napi_gro_receive + receive_buf + virtnet_poll + net_rx_action + +The root cause of this issue is specific with the rare combination of +SKB_GSO_DODGY and a tunnel device that adds an SKB_GSO_ tunnel option. +SKB_GSO_DODGY is set from external virtio_net. We need to reset network +header when callbacks.gso_segment() returns NULL. + +This patch also includes ipv6_gso_segment(), considering SIT, etc. + +Fixes: cb32f511a70b ("ipip: add GSO/TSO support") +Signed-off-by: Tao Liu +Reviewed-by: Willem de Bruijn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/af_inet.c | 5 ++++- + net/ipv6/ip6_offload.c | 2 ++ + 2 files changed, 6 insertions(+), 1 deletion(-) + +--- a/net/ipv4/af_inet.c ++++ b/net/ipv4/af_inet.c +@@ -1374,8 +1374,11 @@ struct sk_buff *inet_gso_segment(struct + } + + ops = rcu_dereference(inet_offloads[proto]); +- if (likely(ops && ops->callbacks.gso_segment)) ++ if (likely(ops && ops->callbacks.gso_segment)) { + segs = ops->callbacks.gso_segment(skb, features); ++ if (!segs) ++ skb->network_header = skb_mac_header(skb) + nhoff - skb->head; ++ } + + if (IS_ERR_OR_NULL(segs)) + goto out; +--- a/net/ipv6/ip6_offload.c ++++ b/net/ipv6/ip6_offload.c +@@ -113,6 +113,8 @@ static struct sk_buff *ipv6_gso_segment( + if (likely(ops && ops->callbacks.gso_segment)) { + skb_reset_transport_header(skb); + segs = ops->callbacks.gso_segment(skb, features); ++ if (!segs) ++ skb->network_header = skb_mac_header(skb) + nhoff - skb->head; + } + + if (IS_ERR_OR_NULL(segs)) diff --git a/queue-5.10/hwmon-handle-failure-to-register-sensor-with-thermal-zone-correctly.patch b/queue-5.10/hwmon-handle-failure-to-register-sensor-with-thermal-zone-correctly.patch new file mode 100644 index 00000000000..955a7f3b045 --- /dev/null +++ b/queue-5.10/hwmon-handle-failure-to-register-sensor-with-thermal-zone-correctly.patch @@ -0,0 +1,89 @@ +From 1b5f517cca36292076d9e38fa6e33a257703e62e Mon Sep 17 00:00:00 2001 +From: Guenter Roeck +Date: Mon, 21 Feb 2022 08:32:14 -0800 +Subject: hwmon: Handle failure to register sensor with thermal zone correctly + +From: Guenter Roeck + +commit 1b5f517cca36292076d9e38fa6e33a257703e62e upstream. + +If an attempt is made to a sensor with a thermal zone and it fails, +the call to devm_thermal_zone_of_sensor_register() may return -ENODEV. +This may result in crashes similar to the following. + +Unable to handle kernel NULL pointer dereference at virtual address 00000000000003cd +... +Internal error: Oops: 96000021 [#1] PREEMPT SMP +... +pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) +pc : mutex_lock+0x18/0x60 +lr : thermal_zone_device_update+0x40/0x2e0 +sp : ffff800014c4fc60 +x29: ffff800014c4fc60 x28: ffff365ee3f6e000 x27: ffffdde218426790 +x26: ffff365ee3f6e000 x25: 0000000000000000 x24: ffff365ee3f6e000 +x23: ffffdde218426870 x22: ffff365ee3f6e000 x21: 00000000000003cd +x20: ffff365ee8bf3308 x19: ffffffffffffffed x18: 0000000000000000 +x17: ffffdde21842689c x16: ffffdde1cb7a0b7c x15: 0000000000000040 +x14: ffffdde21a4889a0 x13: 0000000000000228 x12: 0000000000000000 +x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000 +x8 : 0000000001120000 x7 : 0000000000000001 x6 : 0000000000000000 +x5 : 0068000878e20f07 x4 : 0000000000000000 x3 : 00000000000003cd +x2 : ffff365ee3f6e000 x1 : 0000000000000000 x0 : 00000000000003cd +Call trace: + mutex_lock+0x18/0x60 + hwmon_notify_event+0xfc/0x110 + 0xffffdde1cb7a0a90 + 0xffffdde1cb7a0b7c + irq_thread_fn+0x2c/0xa0 + irq_thread+0x134/0x240 + kthread+0x178/0x190 + ret_from_fork+0x10/0x20 +Code: d503201f d503201f d2800001 aa0103e4 (c8e47c02) + +Jon Hunter reports that the exact call sequence is: + +hwmon_notify_event() + --> hwmon_thermal_notify() + --> thermal_zone_device_update() + --> update_temperature() + --> mutex_lock() + +The hwmon core needs to handle all errors returned from calls +to devm_thermal_zone_of_sensor_register(). If the call fails +with -ENODEV, report that the sensor was not attached to a +thermal zone but continue to register the hwmon device. + +Reported-by: Jon Hunter +Cc: Dmitry Osipenko +Fixes: 1597b374af222 ("hwmon: Add notification support") +Reviewed-by: Dmitry Osipenko +Tested-by: Jon Hunter +Signed-off-by: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwmon/hwmon.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +--- a/drivers/hwmon/hwmon.c ++++ b/drivers/hwmon/hwmon.c +@@ -178,12 +178,14 @@ static int hwmon_thermal_add_sensor(stru + + tzd = devm_thermal_zone_of_sensor_register(dev, index, tdata, + &hwmon_thermal_ops); +- /* +- * If CONFIG_THERMAL_OF is disabled, this returns -ENODEV, +- * so ignore that error but forward any other error. +- */ +- if (IS_ERR(tzd) && (PTR_ERR(tzd) != -ENODEV)) +- return PTR_ERR(tzd); ++ if (IS_ERR(tzd)) { ++ if (PTR_ERR(tzd) != -ENODEV) ++ return PTR_ERR(tzd); ++ dev_info(dev, "temp%d_input not attached to any thermal zone\n", ++ index + 1); ++ devm_kfree(dev, tdata); ++ return 0; ++ } + + err = devm_add_action(dev, hwmon_thermal_remove_sensor, &tdata->node); + if (err) diff --git a/queue-5.10/io_uring-add-a-schedule-point-in-io_add_buffers.patch b/queue-5.10/io_uring-add-a-schedule-point-in-io_add_buffers.patch new file mode 100644 index 00000000000..772cdb020ed --- /dev/null +++ b/queue-5.10/io_uring-add-a-schedule-point-in-io_add_buffers.patch @@ -0,0 +1,87 @@ +From f240762f88b4b1b58561939ffd44837759756477 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Mon, 14 Feb 2022 20:10:03 -0800 +Subject: io_uring: add a schedule point in io_add_buffers() + +From: Eric Dumazet + +commit f240762f88b4b1b58561939ffd44837759756477 upstream. + +Looping ~65535 times doing kmalloc() calls can trigger soft lockups, +especially with DEBUG features (like KASAN). + +[ 253.536212] watchdog: BUG: soft lockup - CPU#64 stuck for 26s! [b219417889:12575] +[ 253.544433] Modules linked in: vfat fat i2c_mux_pca954x i2c_mux spidev cdc_acm xhci_pci xhci_hcd sha3_generic gq(O) +[ 253.544451] CPU: 64 PID: 12575 Comm: b219417889 Tainted: G S O 5.17.0-smp-DEV #801 +[ 253.544457] RIP: 0010:kernel_text_address (./include/asm-generic/sections.h:192 ./include/linux/kallsyms.h:29 kernel/extable.c:67 kernel/extable.c:98) +[ 253.544464] Code: 0f 93 c0 48 c7 c1 e0 63 d7 a4 48 39 cb 0f 92 c1 20 c1 0f b6 c1 5b 5d c3 90 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 53 48 89 fb <48> c7 c0 00 00 80 a0 41 be 01 00 00 00 48 39 c7 72 0c 48 c7 c0 40 +[ 253.544468] RSP: 0018:ffff8882d8baf4c0 EFLAGS: 00000246 +[ 253.544471] RAX: 1ffff1105b175e00 RBX: ffffffffa13ef09a RCX: 00000000a13ef001 +[ 253.544474] RDX: ffffffffa13ef09a RSI: ffff8882d8baf558 RDI: ffffffffa13ef09a +[ 253.544476] RBP: ffff8882d8baf4d8 R08: ffff8882d8baf5e0 R09: 0000000000000004 +[ 253.544479] R10: ffff8882d8baf5e8 R11: ffffffffa0d59a50 R12: ffff8882eab20380 +[ 253.544481] R13: ffffffffa0d59a50 R14: dffffc0000000000 R15: 1ffff1105b175eb0 +[ 253.544483] FS: 00000000016d3380(0000) GS:ffff88af48c00000(0000) knlGS:0000000000000000 +[ 253.544486] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 253.544488] CR2: 00000000004af0f0 CR3: 00000002eabfa004 CR4: 00000000003706e0 +[ 253.544491] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 253.544492] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 253.544494] Call Trace: +[ 253.544496] +[ 253.544498] ? io_queue_sqe (fs/io_uring.c:7143) +[ 253.544505] __kernel_text_address (kernel/extable.c:78) +[ 253.544508] unwind_get_return_address (arch/x86/kernel/unwind_frame.c:19) +[ 253.544514] arch_stack_walk (arch/x86/kernel/stacktrace.c:27) +[ 253.544517] ? io_queue_sqe (fs/io_uring.c:7143) +[ 253.544521] stack_trace_save (kernel/stacktrace.c:123) +[ 253.544527] ____kasan_kmalloc (mm/kasan/common.c:39 mm/kasan/common.c:45 mm/kasan/common.c:436 mm/kasan/common.c:515) +[ 253.544531] ? ____kasan_kmalloc (mm/kasan/common.c:39 mm/kasan/common.c:45 mm/kasan/common.c:436 mm/kasan/common.c:515) +[ 253.544533] ? __kasan_kmalloc (mm/kasan/common.c:524) +[ 253.544535] ? kmem_cache_alloc_trace (./include/linux/kasan.h:270 mm/slab.c:3567) +[ 253.544541] ? io_issue_sqe (fs/io_uring.c:4556 fs/io_uring.c:4589 fs/io_uring.c:6828) +[ 253.544544] ? __io_queue_sqe (fs/io_uring.c:?) +[ 253.544551] __kasan_kmalloc (mm/kasan/common.c:524) +[ 253.544553] kmem_cache_alloc_trace (./include/linux/kasan.h:270 mm/slab.c:3567) +[ 253.544556] ? io_issue_sqe (fs/io_uring.c:4556 fs/io_uring.c:4589 fs/io_uring.c:6828) +[ 253.544560] io_issue_sqe (fs/io_uring.c:4556 fs/io_uring.c:4589 fs/io_uring.c:6828) +[ 253.544564] ? __kasan_slab_alloc (mm/kasan/common.c:45 mm/kasan/common.c:436 mm/kasan/common.c:469) +[ 253.544567] ? __kasan_slab_alloc (mm/kasan/common.c:39 mm/kasan/common.c:45 mm/kasan/common.c:436 mm/kasan/common.c:469) +[ 253.544569] ? kmem_cache_alloc_bulk (mm/slab.h:732 mm/slab.c:3546) +[ 253.544573] ? __io_alloc_req_refill (fs/io_uring.c:2078) +[ 253.544578] ? io_submit_sqes (fs/io_uring.c:7441) +[ 253.544581] ? __se_sys_io_uring_enter (fs/io_uring.c:10154 fs/io_uring.c:10096) +[ 253.544584] ? __x64_sys_io_uring_enter (fs/io_uring.c:10096) +[ 253.544587] ? do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) +[ 253.544590] ? entry_SYSCALL_64_after_hwframe (??:?) +[ 253.544596] __io_queue_sqe (fs/io_uring.c:?) +[ 253.544600] io_queue_sqe (fs/io_uring.c:7143) +[ 253.544603] io_submit_sqe (fs/io_uring.c:?) +[ 253.544608] io_submit_sqes (fs/io_uring.c:?) +[ 253.544612] __se_sys_io_uring_enter (fs/io_uring.c:10154 fs/io_uring.c:10096) +[ 253.544616] __x64_sys_io_uring_enter (fs/io_uring.c:10096) +[ 253.544619] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) +[ 253.544623] entry_SYSCALL_64_after_hwframe (??:?) + +Fixes: ddf0322db79c ("io_uring: add IORING_OP_PROVIDE_BUFFERS") +Signed-off-by: Eric Dumazet +Cc: Jens Axboe +Cc: Pavel Begunkov +Cc: io-uring +Reported-by: syzbot +Link: https://lore.kernel.org/r/20220215041003.2394784-1-eric.dumazet@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + fs/io_uring.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -4058,6 +4058,7 @@ static int io_add_buffers(struct io_prov + } else { + list_add_tail(&buf->list, &(*head)->list); + } ++ cond_resched(); + } + + return i ? i : -ENOMEM; diff --git a/queue-5.10/net-__pskb_pull_tail-pskb_carve_frag_list-drop_monitor-friends.patch b/queue-5.10/net-__pskb_pull_tail-pskb_carve_frag_list-drop_monitor-friends.patch new file mode 100644 index 00000000000..3ad0d0fe9bc --- /dev/null +++ b/queue-5.10/net-__pskb_pull_tail-pskb_carve_frag_list-drop_monitor-friends.patch @@ -0,0 +1,42 @@ +From ef527f968ae05c6717c39f49c8709a7e2c19183a Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Sun, 20 Feb 2022 07:40:52 -0800 +Subject: net: __pskb_pull_tail() & pskb_carve_frag_list() drop_monitor friends + +From: Eric Dumazet + +commit ef527f968ae05c6717c39f49c8709a7e2c19183a upstream. + +Whenever one of these functions pull all data from an skb in a frag_list, +use consume_skb() instead of kfree_skb() to avoid polluting drop +monitoring. + +Fixes: 6fa01ccd8830 ("skbuff: Add pskb_extract() helper function") +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20220220154052.1308469-1-eric.dumazet@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/core/skbuff.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -2139,7 +2139,7 @@ void *__pskb_pull_tail(struct sk_buff *s + /* Free pulled out fragments. */ + while ((list = skb_shinfo(skb)->frag_list) != insp) { + skb_shinfo(skb)->frag_list = list->next; +- kfree_skb(list); ++ consume_skb(list); + } + /* And insert new clone at head. */ + if (clone) { +@@ -6044,7 +6044,7 @@ static int pskb_carve_frag_list(struct s + /* Free pulled out fragments. */ + while ((list = shinfo->frag_list) != insp) { + shinfo->frag_list = list->next; +- kfree_skb(list); ++ consume_skb(list); + } + /* And insert new clone at head. */ + if (clone) { diff --git a/queue-5.10/net-force-inlining-of-checksum-functions-in-net-checksum.h.patch b/queue-5.10/net-force-inlining-of-checksum-functions-in-net-checksum.h.patch new file mode 100644 index 00000000000..4941e5ce1a4 --- /dev/null +++ b/queue-5.10/net-force-inlining-of-checksum-functions-in-net-checksum.h.patch @@ -0,0 +1,241 @@ +From 5486f5bf790b5c664913076c3194b8f916a5c7ad Mon Sep 17 00:00:00 2001 +From: Christophe Leroy +Date: Thu, 17 Feb 2022 14:35:49 +0100 +Subject: net: Force inlining of checksum functions in net/checksum.h + +From: Christophe Leroy + +commit 5486f5bf790b5c664913076c3194b8f916a5c7ad upstream. + +All functions defined as static inline in net/checksum.h are +meant to be inlined for performance reason. + +But since commit ac7c3e4ff401 ("compiler: enable +CONFIG_OPTIMIZE_INLINING forcibly") the compiler is allowed to +uninline functions when it wants. + +Fair enough in the general case, but for tiny performance critical +checksum helpers that's counter-productive. + +The problem mainly arises when selecting CONFIG_CC_OPTIMISE_FOR_SIZE, +Those helpers being 'static inline' in header files you suddenly find +them duplicated many times in the resulting vmlinux. + +Here is a typical exemple when building powerpc pmac32_defconfig +with CONFIG_CC_OPTIMISE_FOR_SIZE. csum_sub() appears 4 times: + + c04a23cc : + c04a23cc: 7c 84 20 f8 not r4,r4 + c04a23d0: 7c 63 20 14 addc r3,r3,r4 + c04a23d4: 7c 63 01 94 addze r3,r3 + c04a23d8: 4e 80 00 20 blr + ... + c04a2ce8: 4b ff f6 e5 bl c04a23cc + ... + c04a2d2c: 4b ff f6 a1 bl c04a23cc + ... + c04a2d54: 4b ff f6 79 bl c04a23cc + ... + c04a754c : + c04a754c: 7c 84 20 f8 not r4,r4 + c04a7550: 7c 63 20 14 addc r3,r3,r4 + c04a7554: 7c 63 01 94 addze r3,r3 + c04a7558: 4e 80 00 20 blr + ... + c04ac930: 4b ff ac 1d bl c04a754c + ... + c04ad264: 4b ff a2 e9 bl c04a754c + ... + c04e3b08 : + c04e3b08: 7c 84 20 f8 not r4,r4 + c04e3b0c: 7c 63 20 14 addc r3,r3,r4 + c04e3b10: 7c 63 01 94 addze r3,r3 + c04e3b14: 4e 80 00 20 blr + ... + c04e5788: 4b ff e3 81 bl c04e3b08 + ... + c04e65c8: 4b ff d5 41 bl c04e3b08 + ... + c0512d34 : + c0512d34: 7c 84 20 f8 not r4,r4 + c0512d38: 7c 63 20 14 addc r3,r3,r4 + c0512d3c: 7c 63 01 94 addze r3,r3 + c0512d40: 4e 80 00 20 blr + ... + c0512dfc: 4b ff ff 39 bl c0512d34 + ... + c05138bc: 4b ff f4 79 bl c0512d34 + ... + +Restore the expected behaviour by using __always_inline for all +functions defined in net/checksum.h + +vmlinux size is even reduced by 256 bytes with this patch: + + text data bss dec hex filename + 6980022 2515362 194384 9689768 93daa8 vmlinux.before + 6979862 2515266 194384 9689512 93d9a8 vmlinux.now + +Fixes: ac7c3e4ff401 ("compiler: enable CONFIG_OPTIMIZE_INLINING forcibly") +Cc: Masahiro Yamada +Cc: Nick Desaulniers +Cc: Andrew Morton +Signed-off-by: Christophe Leroy +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/checksum.h | 43 ++++++++++++++++++++++--------------------- + 1 file changed, 22 insertions(+), 21 deletions(-) + +--- a/include/net/checksum.h ++++ b/include/net/checksum.h +@@ -22,7 +22,7 @@ + #include + + #ifndef _HAVE_ARCH_COPY_AND_CSUM_FROM_USER +-static inline ++static __always_inline + __wsum csum_and_copy_from_user (const void __user *src, void *dst, + int len) + { +@@ -33,7 +33,7 @@ __wsum csum_and_copy_from_user (const vo + #endif + + #ifndef HAVE_CSUM_COPY_USER +-static __inline__ __wsum csum_and_copy_to_user ++static __always_inline __wsum csum_and_copy_to_user + (const void *src, void __user *dst, int len) + { + __wsum sum = csum_partial(src, len, ~0U); +@@ -45,7 +45,7 @@ static __inline__ __wsum csum_and_copy_t + #endif + + #ifndef _HAVE_ARCH_CSUM_AND_COPY +-static inline __wsum ++static __always_inline __wsum + csum_partial_copy_nocheck(const void *src, void *dst, int len) + { + memcpy(dst, src, len); +@@ -54,7 +54,7 @@ csum_partial_copy_nocheck(const void *sr + #endif + + #ifndef HAVE_ARCH_CSUM_ADD +-static inline __wsum csum_add(__wsum csum, __wsum addend) ++static __always_inline __wsum csum_add(__wsum csum, __wsum addend) + { + u32 res = (__force u32)csum; + res += (__force u32)addend; +@@ -62,12 +62,12 @@ static inline __wsum csum_add(__wsum csu + } + #endif + +-static inline __wsum csum_sub(__wsum csum, __wsum addend) ++static __always_inline __wsum csum_sub(__wsum csum, __wsum addend) + { + return csum_add(csum, ~addend); + } + +-static inline __sum16 csum16_add(__sum16 csum, __be16 addend) ++static __always_inline __sum16 csum16_add(__sum16 csum, __be16 addend) + { + u16 res = (__force u16)csum; + +@@ -75,12 +75,12 @@ static inline __sum16 csum16_add(__sum16 + return (__force __sum16)(res + (res < (__force u16)addend)); + } + +-static inline __sum16 csum16_sub(__sum16 csum, __be16 addend) ++static __always_inline __sum16 csum16_sub(__sum16 csum, __be16 addend) + { + return csum16_add(csum, ~addend); + } + +-static inline __wsum ++static __always_inline __wsum + csum_block_add(__wsum csum, __wsum csum2, int offset) + { + u32 sum = (__force u32)csum2; +@@ -92,36 +92,37 @@ csum_block_add(__wsum csum, __wsum csum2 + return csum_add(csum, (__force __wsum)sum); + } + +-static inline __wsum ++static __always_inline __wsum + csum_block_add_ext(__wsum csum, __wsum csum2, int offset, int len) + { + return csum_block_add(csum, csum2, offset); + } + +-static inline __wsum ++static __always_inline __wsum + csum_block_sub(__wsum csum, __wsum csum2, int offset) + { + return csum_block_add(csum, ~csum2, offset); + } + +-static inline __wsum csum_unfold(__sum16 n) ++static __always_inline __wsum csum_unfold(__sum16 n) + { + return (__force __wsum)n; + } + +-static inline __wsum csum_partial_ext(const void *buff, int len, __wsum sum) ++static __always_inline ++__wsum csum_partial_ext(const void *buff, int len, __wsum sum) + { + return csum_partial(buff, len, sum); + } + + #define CSUM_MANGLED_0 ((__force __sum16)0xffff) + +-static inline void csum_replace_by_diff(__sum16 *sum, __wsum diff) ++static __always_inline void csum_replace_by_diff(__sum16 *sum, __wsum diff) + { + *sum = csum_fold(csum_add(diff, ~csum_unfold(*sum))); + } + +-static inline void csum_replace4(__sum16 *sum, __be32 from, __be32 to) ++static __always_inline void csum_replace4(__sum16 *sum, __be32 from, __be32 to) + { + __wsum tmp = csum_sub(~csum_unfold(*sum), (__force __wsum)from); + +@@ -134,7 +135,7 @@ static inline void csum_replace4(__sum16 + * m : old value of a 16bit field + * m' : new value of a 16bit field + */ +-static inline void csum_replace2(__sum16 *sum, __be16 old, __be16 new) ++static __always_inline void csum_replace2(__sum16 *sum, __be16 old, __be16 new) + { + *sum = ~csum16_add(csum16_sub(~(*sum), old), new); + } +@@ -153,16 +154,16 @@ void inet_proto_csum_replace16(__sum16 * + void inet_proto_csum_replace_by_diff(__sum16 *sum, struct sk_buff *skb, + __wsum diff, bool pseudohdr); + +-static inline void inet_proto_csum_replace2(__sum16 *sum, struct sk_buff *skb, +- __be16 from, __be16 to, +- bool pseudohdr) ++static __always_inline ++void inet_proto_csum_replace2(__sum16 *sum, struct sk_buff *skb, ++ __be16 from, __be16 to, bool pseudohdr) + { + inet_proto_csum_replace4(sum, skb, (__force __be32)from, + (__force __be32)to, pseudohdr); + } + +-static inline __wsum remcsum_adjust(void *ptr, __wsum csum, +- int start, int offset) ++static __always_inline __wsum remcsum_adjust(void *ptr, __wsum csum, ++ int start, int offset) + { + __sum16 *psum = (__sum16 *)(ptr + offset); + __wsum delta; +@@ -178,7 +179,7 @@ static inline __wsum remcsum_adjust(void + return delta; + } + +-static inline void remcsum_unadjust(__sum16 *psum, __wsum delta) ++static __always_inline void remcsum_unadjust(__sum16 *psum, __wsum delta) + { + *psum = csum_fold(csum_sub(delta, (__force __wsum)*psum)); + } diff --git a/queue-5.10/net-ll_temac-check-the-return-value-of-devm_kmalloc.patch b/queue-5.10/net-ll_temac-check-the-return-value-of-devm_kmalloc.patch new file mode 100644 index 00000000000..c6b8777b039 --- /dev/null +++ b/queue-5.10/net-ll_temac-check-the-return-value-of-devm_kmalloc.patch @@ -0,0 +1,33 @@ +From b352c3465bb808ab700d03f5bac2f7a6f37c5350 Mon Sep 17 00:00:00 2001 +From: Xiaoke Wang +Date: Fri, 18 Feb 2022 10:19:39 +0800 +Subject: net: ll_temac: check the return value of devm_kmalloc() + +From: Xiaoke Wang + +commit b352c3465bb808ab700d03f5bac2f7a6f37c5350 upstream. + +devm_kmalloc() returns a pointer to allocated memory on success, NULL +on failure. While lp->indirect_lock is allocated by devm_kmalloc() +without proper check. It is better to check the value of it to +prevent potential wrong memory access. + +Fixes: f14f5c11f051 ("net: ll_temac: Support indirect_mutex share within TEMAC IP") +Signed-off-by: Xiaoke Wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/xilinx/ll_temac_main.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/ethernet/xilinx/ll_temac_main.c ++++ b/drivers/net/ethernet/xilinx/ll_temac_main.c +@@ -1421,6 +1421,8 @@ static int temac_probe(struct platform_d + lp->indirect_lock = devm_kmalloc(&pdev->dev, + sizeof(*lp->indirect_lock), + GFP_KERNEL); ++ if (!lp->indirect_lock) ++ return -ENOMEM; + spin_lock_init(lp->indirect_lock); + } + diff --git a/queue-5.10/net-mlx5-fix-possible-deadlock-on-rule-deletion.patch b/queue-5.10/net-mlx5-fix-possible-deadlock-on-rule-deletion.patch new file mode 100644 index 00000000000..91ce655ad30 --- /dev/null +++ b/queue-5.10/net-mlx5-fix-possible-deadlock-on-rule-deletion.patch @@ -0,0 +1,32 @@ +From b645e57debca846f51b3209907546ea857ddd3f5 Mon Sep 17 00:00:00 2001 +From: Maor Gottlieb +Date: Mon, 24 Jan 2022 21:25:04 +0200 +Subject: net/mlx5: Fix possible deadlock on rule deletion + +From: Maor Gottlieb + +commit b645e57debca846f51b3209907546ea857ddd3f5 upstream. + +Add missing call to up_write_ref_node() which releases the semaphore +in case the FTE doesn't have destinations, such in drop rule case. + +Fixes: 465e7baab6d9 ("net/mlx5: Fix deletion of duplicate rules") +Signed-off-by: Maor Gottlieb +Reviewed-by: Mark Bloch +Signed-off-by: Saeed Mahameed +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c +@@ -2034,6 +2034,8 @@ void mlx5_del_flow_rules(struct mlx5_flo + fte->node.del_hw_func = NULL; + up_write_ref_node(&fte->node, false); + tree_put_node(&fte->node, false); ++ } else { ++ up_write_ref_node(&fte->node, false); + } + kfree(handle); + } diff --git a/queue-5.10/net-mlx5-fix-wrong-limitation-of-metadata-match-on-ecpf.patch b/queue-5.10/net-mlx5-fix-wrong-limitation-of-metadata-match-on-ecpf.patch new file mode 100644 index 00000000000..9c8d1484d56 --- /dev/null +++ b/queue-5.10/net-mlx5-fix-wrong-limitation-of-metadata-match-on-ecpf.patch @@ -0,0 +1,36 @@ +From 07666c75ad17d7389b18ac0235c8cf41e1504ea8 Mon Sep 17 00:00:00 2001 +From: Ariel Levkovich +Date: Sat, 29 Jan 2022 01:39:24 +0200 +Subject: net/mlx5: Fix wrong limitation of metadata match on ecpf + +From: Ariel Levkovich + +commit 07666c75ad17d7389b18ac0235c8cf41e1504ea8 upstream. + +Match metadata support check returns false for ecpf device. +However, this support does exist for ecpf and therefore this +limitation should be removed to allow feature such as stacked +devices and internal port offloaded to be supported. + +Fixes: 92ab1eb392c6 ("net/mlx5: E-Switch, Enable vport metadata matching if firmware supports it") +Signed-off-by: Ariel Levkovich +Reviewed-by: Maor Dickman +Signed-off-by: Saeed Mahameed +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c | 4 ---- + 1 file changed, 4 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c +@@ -2037,10 +2037,6 @@ esw_check_vport_match_metadata_supported + if (!MLX5_CAP_ESW_FLOWTABLE(esw->dev, flow_source)) + return false; + +- if (mlx5_core_is_ecpf_esw_manager(esw->dev) || +- mlx5_ecpf_vport_exists(esw->dev)) +- return false; +- + return true; + } + diff --git a/queue-5.10/net-mlx5e-fix-wrong-return-value-on-ioctl-eeprom-query-failure.patch b/queue-5.10/net-mlx5e-fix-wrong-return-value-on-ioctl-eeprom-query-failure.patch new file mode 100644 index 00000000000..d125eb0481e --- /dev/null +++ b/queue-5.10/net-mlx5e-fix-wrong-return-value-on-ioctl-eeprom-query-failure.patch @@ -0,0 +1,32 @@ +From 0b89429722353d112f8b8b29ca397e95fa994d27 Mon Sep 17 00:00:00 2001 +From: Gal Pressman +Date: Wed, 2 Feb 2022 16:07:21 +0200 +Subject: net/mlx5e: Fix wrong return value on ioctl EEPROM query failure + +From: Gal Pressman + +commit 0b89429722353d112f8b8b29ca397e95fa994d27 upstream. + +The ioctl EEPROM query wrongly returns success on read failures, fix +that by returning the appropriate error code. + +Fixes: bb64143eee8c ("net/mlx5e: Add ethtool support for dump module EEPROM") +Signed-off-by: Gal Pressman +Reviewed-by: Tariq Toukan +Signed-off-by: Saeed Mahameed +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c +@@ -1746,7 +1746,7 @@ static int mlx5e_get_module_eeprom(struc + if (size_read < 0) { + netdev_err(priv->netdev, "%s: mlx5_query_eeprom failed:0x%x\n", + __func__, size_read); +- return 0; ++ return size_read; + } + + i += size_read; diff --git a/queue-5.10/net-mlx5e-ktls-use-checksum_unnecessary-for-device-offloaded-packets.patch b/queue-5.10/net-mlx5e-ktls-use-checksum_unnecessary-for-device-offloaded-packets.patch new file mode 100644 index 00000000000..76c513d8d42 --- /dev/null +++ b/queue-5.10/net-mlx5e-ktls-use-checksum_unnecessary-for-device-offloaded-packets.patch @@ -0,0 +1,43 @@ +From 7eaf1f37b8817c608c4e959d69986ef459d345cd Mon Sep 17 00:00:00 2001 +From: Tariq Toukan +Date: Mon, 31 Jan 2022 10:26:19 +0200 +Subject: net/mlx5e: kTLS, Use CHECKSUM_UNNECESSARY for device-offloaded packets + +From: Tariq Toukan + +commit 7eaf1f37b8817c608c4e959d69986ef459d345cd upstream. + +For RX TLS device-offloaded packets, the HW spec guarantees checksum +validation for the offloaded packets, but does not define whether the +CQE.checksum field matches the original packet (ciphertext) or +the decrypted one (plaintext). This latitude allows architetctural +improvements between generations of chips, resulting in different decisions +regarding the value type of CQE.checksum. + +Hence, for these packets, the device driver should not make use of this CQE +field. Here we block CHECKSUM_COMPLETE usage for RX TLS device-offloaded +packets, and use CHECKSUM_UNNECESSARY instead. + +Value of the packet's tcp_hdr.csum is not modified by the HW, and it always +matches the original ciphertext. + +Fixes: 1182f3659357 ("net/mlx5e: kTLS, Add kTLS RX HW offload support") +Signed-off-by: Tariq Toukan +Signed-off-by: Saeed Mahameed +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c +@@ -985,7 +985,8 @@ static inline void mlx5e_handle_csum(str + } + + /* True when explicitly set via priv flag, or XDP prog is loaded */ +- if (test_bit(MLX5E_RQ_STATE_NO_CSUM_COMPLETE, &rq->state)) ++ if (test_bit(MLX5E_RQ_STATE_NO_CSUM_COMPLETE, &rq->state) || ++ get_cqe_tls_offload(cqe)) + goto csum_unnecessary; + + /* CQE csum doesn't cover padding octets in short ethernet diff --git a/queue-5.10/net-sched-act_ct-fix-flow-table-lookup-after-ct-clear-or-switching-zones.patch b/queue-5.10/net-sched-act_ct-fix-flow-table-lookup-after-ct-clear-or-switching-zones.patch new file mode 100644 index 00000000000..b639e2c4a09 --- /dev/null +++ b/queue-5.10/net-sched-act_ct-fix-flow-table-lookup-after-ct-clear-or-switching-zones.patch @@ -0,0 +1,42 @@ +From 2f131de361f6d0eaff17db26efdb844c178432f8 Mon Sep 17 00:00:00 2001 +From: Paul Blakey +Date: Thu, 17 Feb 2022 11:30:48 +0200 +Subject: net/sched: act_ct: Fix flow table lookup after ct clear or switching zones + +From: Paul Blakey + +commit 2f131de361f6d0eaff17db26efdb844c178432f8 upstream. + +Flow table lookup is skipped if packet either went through ct clear +action (which set the IP_CT_UNTRACKED flag on the packet), or while +switching zones and there is already a connection associated with +the packet. This will result in no SW offload of the connection, +and the and connection not being removed from flow table with +TCP teardown (fin/rst packet). + +To fix the above, remove these unneccary checks in flow +table lookup. + +Fixes: 46475bb20f4b ("net/sched: act_ct: Software offload of established flows") +Signed-off-by: Paul Blakey +Acked-by: Marcelo Ricardo Leitner +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/act_ct.c | 5 ----- + 1 file changed, 5 deletions(-) + +--- a/net/sched/act_ct.c ++++ b/net/sched/act_ct.c +@@ -514,11 +514,6 @@ static bool tcf_ct_flow_table_lookup(str + struct nf_conn *ct; + u8 dir; + +- /* Previously seen or loopback */ +- ct = nf_ct_get(skb, &ctinfo); +- if ((ct && !nf_ct_is_template(ct)) || ctinfo == IP_CT_UNTRACKED) +- return false; +- + switch (family) { + case NFPROTO_IPV4: + if (!tcf_ct_flow_table_fill_tuple_ipv4(skb, &tuple, &tcph)) diff --git a/queue-5.10/net-smc-use-a-mutex-for-locking-struct-smc_pnettable.patch b/queue-5.10/net-smc-use-a-mutex-for-locking-struct-smc_pnettable.patch new file mode 100644 index 00000000000..4232c3fca2e --- /dev/null +++ b/queue-5.10/net-smc-use-a-mutex-for-locking-struct-smc_pnettable.patch @@ -0,0 +1,220 @@ +From 7ff57e98fb78ad94edafbdc7435f2d745e9e6bb5 Mon Sep 17 00:00:00 2001 +From: "Fabio M. De Francesco" +Date: Wed, 23 Feb 2022 11:02:52 +0100 +Subject: net/smc: Use a mutex for locking "struct smc_pnettable" + +From: Fabio M. De Francesco + +commit 7ff57e98fb78ad94edafbdc7435f2d745e9e6bb5 upstream. + +smc_pnetid_by_table_ib() uses read_lock() and then it calls smc_pnet_apply_ib() +which, in turn, calls mutex_lock(&smc_ib_devices.mutex). + +read_lock() disables preemption. Therefore, the code acquires a mutex while in +atomic context and it leads to a SAC bug. + +Fix this bug by replacing the rwlock with a mutex. + +Reported-and-tested-by: syzbot+4f322a6d84e991c38775@syzkaller.appspotmail.com +Fixes: 64e28b52c7a6 ("net/smc: add pnet table namespace support") +Confirmed-by: Tony Lu +Signed-off-by: Fabio M. De Francesco +Acked-by: Karsten Graul +Link: https://lore.kernel.org/r/20220223100252.22562-1-fmdefrancesco@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/smc/smc_pnet.c | 42 +++++++++++++++++++++--------------------- + net/smc/smc_pnet.h | 2 +- + 2 files changed, 22 insertions(+), 22 deletions(-) + +--- a/net/smc/smc_pnet.c ++++ b/net/smc/smc_pnet.c +@@ -112,7 +112,7 @@ static int smc_pnet_remove_by_pnetid(str + pnettable = &sn->pnettable; + + /* remove table entry */ +- write_lock(&pnettable->lock); ++ mutex_lock(&pnettable->lock); + list_for_each_entry_safe(pnetelem, tmp_pe, &pnettable->pnetlist, + list) { + if (!pnet_name || +@@ -130,7 +130,7 @@ static int smc_pnet_remove_by_pnetid(str + rc = 0; + } + } +- write_unlock(&pnettable->lock); ++ mutex_unlock(&pnettable->lock); + + /* if this is not the initial namespace, stop here */ + if (net != &init_net) +@@ -191,7 +191,7 @@ static int smc_pnet_add_by_ndev(struct n + sn = net_generic(net, smc_net_id); + pnettable = &sn->pnettable; + +- write_lock(&pnettable->lock); ++ mutex_lock(&pnettable->lock); + list_for_each_entry_safe(pnetelem, tmp_pe, &pnettable->pnetlist, list) { + if (pnetelem->type == SMC_PNET_ETH && !pnetelem->ndev && + !strncmp(pnetelem->eth_name, ndev->name, IFNAMSIZ)) { +@@ -205,7 +205,7 @@ static int smc_pnet_add_by_ndev(struct n + break; + } + } +- write_unlock(&pnettable->lock); ++ mutex_unlock(&pnettable->lock); + return rc; + } + +@@ -223,7 +223,7 @@ static int smc_pnet_remove_by_ndev(struc + sn = net_generic(net, smc_net_id); + pnettable = &sn->pnettable; + +- write_lock(&pnettable->lock); ++ mutex_lock(&pnettable->lock); + list_for_each_entry_safe(pnetelem, tmp_pe, &pnettable->pnetlist, list) { + if (pnetelem->type == SMC_PNET_ETH && pnetelem->ndev == ndev) { + dev_put(pnetelem->ndev); +@@ -236,7 +236,7 @@ static int smc_pnet_remove_by_ndev(struc + break; + } + } +- write_unlock(&pnettable->lock); ++ mutex_unlock(&pnettable->lock); + return rc; + } + +@@ -371,7 +371,7 @@ static int smc_pnet_add_eth(struct smc_p + + rc = -EEXIST; + new_netdev = true; +- write_lock(&pnettable->lock); ++ mutex_lock(&pnettable->lock); + list_for_each_entry(tmp_pe, &pnettable->pnetlist, list) { + if (tmp_pe->type == SMC_PNET_ETH && + !strncmp(tmp_pe->eth_name, eth_name, IFNAMSIZ)) { +@@ -381,9 +381,9 @@ static int smc_pnet_add_eth(struct smc_p + } + if (new_netdev) { + list_add_tail(&new_pe->list, &pnettable->pnetlist); +- write_unlock(&pnettable->lock); ++ mutex_unlock(&pnettable->lock); + } else { +- write_unlock(&pnettable->lock); ++ mutex_unlock(&pnettable->lock); + kfree(new_pe); + goto out_put; + } +@@ -445,7 +445,7 @@ static int smc_pnet_add_ib(struct smc_pn + new_pe->ib_port = ib_port; + + new_ibdev = true; +- write_lock(&pnettable->lock); ++ mutex_lock(&pnettable->lock); + list_for_each_entry(tmp_pe, &pnettable->pnetlist, list) { + if (tmp_pe->type == SMC_PNET_IB && + !strncmp(tmp_pe->ib_name, ib_name, IB_DEVICE_NAME_MAX)) { +@@ -455,9 +455,9 @@ static int smc_pnet_add_ib(struct smc_pn + } + if (new_ibdev) { + list_add_tail(&new_pe->list, &pnettable->pnetlist); +- write_unlock(&pnettable->lock); ++ mutex_unlock(&pnettable->lock); + } else { +- write_unlock(&pnettable->lock); ++ mutex_unlock(&pnettable->lock); + kfree(new_pe); + } + return (new_ibdev) ? 0 : -EEXIST; +@@ -602,7 +602,7 @@ static int _smc_pnet_dump(struct net *ne + pnettable = &sn->pnettable; + + /* dump pnettable entries */ +- read_lock(&pnettable->lock); ++ mutex_lock(&pnettable->lock); + list_for_each_entry(pnetelem, &pnettable->pnetlist, list) { + if (pnetid && !smc_pnet_match(pnetelem->pnet_name, pnetid)) + continue; +@@ -617,7 +617,7 @@ static int _smc_pnet_dump(struct net *ne + break; + } + } +- read_unlock(&pnettable->lock); ++ mutex_unlock(&pnettable->lock); + return idx; + } + +@@ -859,7 +859,7 @@ int smc_pnet_net_init(struct net *net) + struct smc_pnetids_ndev *pnetids_ndev = &sn->pnetids_ndev; + + INIT_LIST_HEAD(&pnettable->pnetlist); +- rwlock_init(&pnettable->lock); ++ mutex_init(&pnettable->lock); + INIT_LIST_HEAD(&pnetids_ndev->list); + rwlock_init(&pnetids_ndev->lock); + +@@ -939,7 +939,7 @@ static int smc_pnet_find_ndev_pnetid_by_ + sn = net_generic(net, smc_net_id); + pnettable = &sn->pnettable; + +- read_lock(&pnettable->lock); ++ mutex_lock(&pnettable->lock); + list_for_each_entry(pnetelem, &pnettable->pnetlist, list) { + if (pnetelem->type == SMC_PNET_ETH && ndev == pnetelem->ndev) { + /* get pnetid of netdev device */ +@@ -948,7 +948,7 @@ static int smc_pnet_find_ndev_pnetid_by_ + break; + } + } +- read_unlock(&pnettable->lock); ++ mutex_unlock(&pnettable->lock); + return rc; + } + +@@ -1129,7 +1129,7 @@ int smc_pnetid_by_table_ib(struct smc_ib + sn = net_generic(&init_net, smc_net_id); + pnettable = &sn->pnettable; + +- read_lock(&pnettable->lock); ++ mutex_lock(&pnettable->lock); + list_for_each_entry(tmp_pe, &pnettable->pnetlist, list) { + if (tmp_pe->type == SMC_PNET_IB && + !strncmp(tmp_pe->ib_name, ib_name, IB_DEVICE_NAME_MAX) && +@@ -1139,7 +1139,7 @@ int smc_pnetid_by_table_ib(struct smc_ib + break; + } + } +- read_unlock(&pnettable->lock); ++ mutex_unlock(&pnettable->lock); + + return rc; + } +@@ -1158,7 +1158,7 @@ int smc_pnetid_by_table_smcd(struct smcd + sn = net_generic(&init_net, smc_net_id); + pnettable = &sn->pnettable; + +- read_lock(&pnettable->lock); ++ mutex_lock(&pnettable->lock); + list_for_each_entry(tmp_pe, &pnettable->pnetlist, list) { + if (tmp_pe->type == SMC_PNET_IB && + !strncmp(tmp_pe->ib_name, ib_name, IB_DEVICE_NAME_MAX)) { +@@ -1167,7 +1167,7 @@ int smc_pnetid_by_table_smcd(struct smcd + break; + } + } +- read_unlock(&pnettable->lock); ++ mutex_unlock(&pnettable->lock); + + return rc; + } +--- a/net/smc/smc_pnet.h ++++ b/net/smc/smc_pnet.h +@@ -29,7 +29,7 @@ struct smc_link_group; + * @pnetlist: List of PNETIDs + */ + struct smc_pnettable { +- rwlock_t lock; ++ struct mutex lock; + struct list_head pnetlist; + }; + diff --git a/queue-5.10/netfilter-nf_tables-fix-memory-leak-during-stateful-obj-update.patch b/queue-5.10/netfilter-nf_tables-fix-memory-leak-during-stateful-obj-update.patch new file mode 100644 index 00000000000..0d137fbfbc7 --- /dev/null +++ b/queue-5.10/netfilter-nf_tables-fix-memory-leak-during-stateful-obj-update.patch @@ -0,0 +1,77 @@ +From dad3bdeef45f81a6e90204bcc85360bb76eccec7 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Mon, 21 Feb 2022 13:31:49 +0100 +Subject: netfilter: nf_tables: fix memory leak during stateful obj update + +From: Florian Westphal + +commit dad3bdeef45f81a6e90204bcc85360bb76eccec7 upstream. + +stateful objects can be updated from the control plane. +The transaction logic allocates a temporary object for this purpose. + +The ->init function was called for this object, so plain kfree() leaks +resources. We must call ->destroy function of the object. + +nft_obj_destroy does this, but it also decrements the module refcount, +but the update path doesn't increment it. + +To avoid special-casing the update object release, do module_get for +the update case too and release it via nft_obj_destroy(). + +Fixes: d62d0ba97b58 ("netfilter: nf_tables: Introduce stateful object update operation") +Cc: Fernando Fernandez Mancera +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/nf_tables_api.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -5924,12 +5924,15 @@ static int nf_tables_updobj(const struct + { + struct nft_object *newobj; + struct nft_trans *trans; +- int err; ++ int err = -ENOMEM; ++ ++ if (!try_module_get(type->owner)) ++ return -ENOENT; + + trans = nft_trans_alloc(ctx, NFT_MSG_NEWOBJ, + sizeof(struct nft_trans_obj)); + if (!trans) +- return -ENOMEM; ++ goto err_trans; + + newobj = nft_obj_init(ctx, type, attr); + if (IS_ERR(newobj)) { +@@ -5946,6 +5949,8 @@ static int nf_tables_updobj(const struct + + err_free_trans: + kfree(trans); ++err_trans: ++ module_put(type->owner); + return err; + } + +@@ -7555,7 +7560,7 @@ static void nft_obj_commit_update(struct + if (obj->ops->update) + obj->ops->update(obj, newobj); + +- kfree(newobj); ++ nft_obj_destroy(&trans->ctx, newobj); + } + + static void nft_commit_release(struct nft_trans *trans) +@@ -8202,7 +8207,7 @@ static int __nf_tables_abort(struct net + break; + case NFT_MSG_NEWOBJ: + if (nft_trans_obj_update(trans)) { +- kfree(nft_trans_obj_newobj(trans)); ++ nft_obj_destroy(&trans->ctx, nft_trans_obj_newobj(trans)); + nft_trans_destroy(trans); + } else { + trans->ctx.table->use--; diff --git a/queue-5.10/nfp-flower-fix-a-potential-leak-in-nfp_tunnel_add_shared_mac.patch b/queue-5.10/nfp-flower-fix-a-potential-leak-in-nfp_tunnel_add_shared_mac.patch new file mode 100644 index 00000000000..77abcd47408 --- /dev/null +++ b/queue-5.10/nfp-flower-fix-a-potential-leak-in-nfp_tunnel_add_shared_mac.patch @@ -0,0 +1,50 @@ +From 3a14d0888eb4b0045884126acc69abfb7b87814d Mon Sep 17 00:00:00 2001 +From: Christophe JAILLET +Date: Fri, 18 Feb 2022 14:15:35 +0100 +Subject: nfp: flower: Fix a potential leak in nfp_tunnel_add_shared_mac() + +From: Christophe JAILLET + +commit 3a14d0888eb4b0045884126acc69abfb7b87814d upstream. + +ida_simple_get() returns an id between min (0) and max (NFP_MAX_MAC_INDEX) +inclusive. +So NFP_MAX_MAC_INDEX (0xff) is a valid id. + +In order for the error handling path to work correctly, the 'invalid' +value for 'ida_idx' should not be in the 0..NFP_MAX_MAC_INDEX range, +inclusive. + +So set it to -1. + +Fixes: 20cce8865098 ("nfp: flower: enable MAC address sharing for offloadable devs") +Signed-off-by: Christophe JAILLET +Signed-off-by: Simon Horman +Link: https://lore.kernel.org/r/20220218131535.100258-1-simon.horman@corigine.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/netronome/nfp/flower/tunnel_conf.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/netronome/nfp/flower/tunnel_conf.c ++++ b/drivers/net/ethernet/netronome/nfp/flower/tunnel_conf.c +@@ -922,8 +922,8 @@ nfp_tunnel_add_shared_mac(struct nfp_app + int port, bool mod) + { + struct nfp_flower_priv *priv = app->priv; +- int ida_idx = NFP_MAX_MAC_INDEX, err; + struct nfp_tun_offloaded_mac *entry; ++ int ida_idx = -1, err; + u16 nfp_mac_idx = 0; + + entry = nfp_tunnel_lookup_offloaded_macs(app, netdev->dev_addr); +@@ -997,7 +997,7 @@ err_remove_hash: + err_free_entry: + kfree(entry); + err_free_ida: +- if (ida_idx != NFP_MAX_MAC_INDEX) ++ if (ida_idx != -1) + ida_simple_remove(&priv->tun.mac_off_ids, ida_idx); + + return err; diff --git a/queue-5.10/openvswitch-fix-setting-ipv6-fields-causing-hw-csum-failure.patch b/queue-5.10/openvswitch-fix-setting-ipv6-fields-causing-hw-csum-failure.patch new file mode 100644 index 00000000000..9831a1af66b --- /dev/null +++ b/queue-5.10/openvswitch-fix-setting-ipv6-fields-causing-hw-csum-failure.patch @@ -0,0 +1,149 @@ +From d9b5ae5c1b241b91480aa30408be12fe91af834a Mon Sep 17 00:00:00 2001 +From: Paul Blakey +Date: Wed, 23 Feb 2022 18:34:16 +0200 +Subject: openvswitch: Fix setting ipv6 fields causing hw csum failure + +From: Paul Blakey + +commit d9b5ae5c1b241b91480aa30408be12fe91af834a upstream. + +Ipv6 ttl, label and tos fields are modified without first +pulling/pushing the ipv6 header, which would have updated +the hw csum (if available). This might cause csum validation +when sending the packet to the stack, as can be seen in +the trace below. + +Fix this by updating skb->csum if available. + +Trace resulted by ipv6 ttl dec and then sending packet +to conntrack [actions: set(ipv6(hlimit=63)),ct(zone=99)]: +[295241.900063] s_pf0vf2: hw csum failure +[295241.923191] Call Trace: +[295241.925728] +[295241.927836] dump_stack+0x5c/0x80 +[295241.931240] __skb_checksum_complete+0xac/0xc0 +[295241.935778] nf_conntrack_tcp_packet+0x398/0xba0 [nf_conntrack] +[295241.953030] nf_conntrack_in+0x498/0x5e0 [nf_conntrack] +[295241.958344] __ovs_ct_lookup+0xac/0x860 [openvswitch] +[295241.968532] ovs_ct_execute+0x4a7/0x7c0 [openvswitch] +[295241.979167] do_execute_actions+0x54a/0xaa0 [openvswitch] +[295242.001482] ovs_execute_actions+0x48/0x100 [openvswitch] +[295242.006966] ovs_dp_process_packet+0x96/0x1d0 [openvswitch] +[295242.012626] ovs_vport_receive+0x6c/0xc0 [openvswitch] +[295242.028763] netdev_frame_hook+0xc0/0x180 [openvswitch] +[295242.034074] __netif_receive_skb_core+0x2ca/0xcb0 +[295242.047498] netif_receive_skb_internal+0x3e/0xc0 +[295242.052291] napi_gro_receive+0xba/0xe0 +[295242.056231] mlx5e_handle_rx_cqe_mpwrq_rep+0x12b/0x250 [mlx5_core] +[295242.062513] mlx5e_poll_rx_cq+0xa0f/0xa30 [mlx5_core] +[295242.067669] mlx5e_napi_poll+0xe1/0x6b0 [mlx5_core] +[295242.077958] net_rx_action+0x149/0x3b0 +[295242.086762] __do_softirq+0xd7/0x2d6 +[295242.090427] irq_exit+0xf7/0x100 +[295242.093748] do_IRQ+0x7f/0xd0 +[295242.096806] common_interrupt+0xf/0xf +[295242.100559] +[295242.102750] RIP: 0033:0x7f9022e88cbd +[295242.125246] RSP: 002b:00007f9022282b20 EFLAGS: 00000246 ORIG_RAX: ffffffffffffffda +[295242.132900] RAX: 0000000000000005 RBX: 0000000000000010 RCX: 0000000000000000 +[295242.140120] RDX: 00007f9022282ba8 RSI: 00007f9022282a30 RDI: 00007f9014005c30 +[295242.147337] RBP: 00007f9014014d60 R08: 0000000000000020 R09: 00007f90254a8340 +[295242.154557] R10: 00007f9022282a28 R11: 0000000000000246 R12: 0000000000000000 +[295242.161775] R13: 00007f902308c000 R14: 000000000000002b R15: 00007f9022b71f40 + +Fixes: 3fdbd1ce11e5 ("openvswitch: add ipv6 'set' action") +Signed-off-by: Paul Blakey +Link: https://lore.kernel.org/r/20220223163416.24096-1-paulb@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + include/net/checksum.h | 5 +++++ + net/openvswitch/actions.c | 46 ++++++++++++++++++++++++++++++++++++++-------- + 2 files changed, 43 insertions(+), 8 deletions(-) + +--- a/include/net/checksum.h ++++ b/include/net/checksum.h +@@ -139,6 +139,11 @@ static inline void csum_replace2(__sum16 + *sum = ~csum16_add(csum16_sub(~(*sum), old), new); + } + ++static inline void csum_replace(__wsum *csum, __wsum old, __wsum new) ++{ ++ *csum = csum_add(csum_sub(*csum, old), new); ++} ++ + struct sk_buff; + void inet_proto_csum_replace4(__sum16 *sum, struct sk_buff *skb, + __be32 from, __be32 to, bool pseudohdr); +--- a/net/openvswitch/actions.c ++++ b/net/openvswitch/actions.c +@@ -422,12 +422,43 @@ static void set_ipv6_addr(struct sk_buff + memcpy(addr, new_addr, sizeof(__be32[4])); + } + +-static void set_ipv6_fl(struct ipv6hdr *nh, u32 fl, u32 mask) ++static void set_ipv6_dsfield(struct sk_buff *skb, struct ipv6hdr *nh, u8 ipv6_tclass, u8 mask) + { ++ u8 old_ipv6_tclass = ipv6_get_dsfield(nh); ++ ++ ipv6_tclass = OVS_MASKED(old_ipv6_tclass, ipv6_tclass, mask); ++ ++ if (skb->ip_summed == CHECKSUM_COMPLETE) ++ csum_replace(&skb->csum, (__force __wsum)(old_ipv6_tclass << 12), ++ (__force __wsum)(ipv6_tclass << 12)); ++ ++ ipv6_change_dsfield(nh, ~mask, ipv6_tclass); ++} ++ ++static void set_ipv6_fl(struct sk_buff *skb, struct ipv6hdr *nh, u32 fl, u32 mask) ++{ ++ u32 ofl; ++ ++ ofl = nh->flow_lbl[0] << 16 | nh->flow_lbl[1] << 8 | nh->flow_lbl[2]; ++ fl = OVS_MASKED(ofl, fl, mask); ++ + /* Bits 21-24 are always unmasked, so this retains their values. */ +- OVS_SET_MASKED(nh->flow_lbl[0], (u8)(fl >> 16), (u8)(mask >> 16)); +- OVS_SET_MASKED(nh->flow_lbl[1], (u8)(fl >> 8), (u8)(mask >> 8)); +- OVS_SET_MASKED(nh->flow_lbl[2], (u8)fl, (u8)mask); ++ nh->flow_lbl[0] = (u8)(fl >> 16); ++ nh->flow_lbl[1] = (u8)(fl >> 8); ++ nh->flow_lbl[2] = (u8)fl; ++ ++ if (skb->ip_summed == CHECKSUM_COMPLETE) ++ csum_replace(&skb->csum, (__force __wsum)htonl(ofl), (__force __wsum)htonl(fl)); ++} ++ ++static void set_ipv6_ttl(struct sk_buff *skb, struct ipv6hdr *nh, u8 new_ttl, u8 mask) ++{ ++ new_ttl = OVS_MASKED(nh->hop_limit, new_ttl, mask); ++ ++ if (skb->ip_summed == CHECKSUM_COMPLETE) ++ csum_replace(&skb->csum, (__force __wsum)(nh->hop_limit << 8), ++ (__force __wsum)(new_ttl << 8)); ++ nh->hop_limit = new_ttl; + } + + static void set_ip_ttl(struct sk_buff *skb, struct iphdr *nh, u8 new_ttl, +@@ -545,18 +576,17 @@ static int set_ipv6(struct sk_buff *skb, + } + } + if (mask->ipv6_tclass) { +- ipv6_change_dsfield(nh, ~mask->ipv6_tclass, key->ipv6_tclass); ++ set_ipv6_dsfield(skb, nh, key->ipv6_tclass, mask->ipv6_tclass); + flow_key->ip.tos = ipv6_get_dsfield(nh); + } + if (mask->ipv6_label) { +- set_ipv6_fl(nh, ntohl(key->ipv6_label), ++ set_ipv6_fl(skb, nh, ntohl(key->ipv6_label), + ntohl(mask->ipv6_label)); + flow_key->ipv6.label = + *(__be32 *)nh & htonl(IPV6_FLOWINFO_FLOWLABEL); + } + if (mask->ipv6_hlimit) { +- OVS_SET_MASKED(nh->hop_limit, key->ipv6_hlimit, +- mask->ipv6_hlimit); ++ set_ipv6_ttl(skb, nh, key->ipv6_hlimit, mask->ipv6_hlimit); + flow_key->ip.ttl = nh->hop_limit; + } + return 0; diff --git a/queue-5.10/perf-data-fix-double-free-in-perf_session__delete.patch b/queue-5.10/perf-data-fix-double-free-in-perf_session__delete.patch new file mode 100644 index 00000000000..1c96ac1f020 --- /dev/null +++ b/queue-5.10/perf-data-fix-double-free-in-perf_session__delete.patch @@ -0,0 +1,58 @@ +From 69560e366fc4d5fca7bebb0e44edbfafc8bcaf05 Mon Sep 17 00:00:00 2001 +From: Alexey Bayduraev +Date: Fri, 18 Feb 2022 18:23:41 +0300 +Subject: perf data: Fix double free in perf_session__delete() + +From: Alexey Bayduraev + +commit 69560e366fc4d5fca7bebb0e44edbfafc8bcaf05 upstream. + +When perf_data__create_dir() fails, it calls close_dir(), but +perf_session__delete() also calls close_dir() and since dir.version and +dir.nr were initialized by perf_data__create_dir(), a double free occurs. + +This patch moves the initialization of dir.version and dir.nr after +successful initialization of dir.files, that prevents double freeing. +This behavior is already implemented in perf_data__open_dir(). + +Fixes: 145520631130bd64 ("perf data: Add perf_data__(create_dir|close_dir) functions") +Signed-off-by: Alexey Bayduraev +Acked-by: Jiri Olsa +Cc: Adrian Hunter +Cc: Alexander Antonov +Cc: Alexander Shishkin +Cc: Alexei Budankov +Cc: Andi Kleen +Cc: Ingo Molnar +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: https://lore.kernel.org/r/20220218152341.5197-2-alexey.v.bayduraev@linux.intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/util/data.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/tools/perf/util/data.c ++++ b/tools/perf/util/data.c +@@ -44,10 +44,6 @@ int perf_data__create_dir(struct perf_da + if (!files) + return -ENOMEM; + +- data->dir.version = PERF_DIR_VERSION; +- data->dir.files = files; +- data->dir.nr = nr; +- + for (i = 0; i < nr; i++) { + struct perf_data_file *file = &files[i]; + +@@ -62,6 +58,9 @@ int perf_data__create_dir(struct perf_da + file->fd = ret; + } + ++ data->dir.version = PERF_DIR_VERSION; ++ data->dir.files = files; ++ data->dir.nr = nr; + return 0; + + out_err: diff --git a/queue-5.10/ping-remove-pr_err-from-ping_lookup.patch b/queue-5.10/ping-remove-pr_err-from-ping_lookup.patch new file mode 100644 index 00000000000..4eb952560ee --- /dev/null +++ b/queue-5.10/ping-remove-pr_err-from-ping_lookup.patch @@ -0,0 +1,33 @@ +From cd33bdcbead882c2e58fdb4a54a7bd75b610a452 Mon Sep 17 00:00:00 2001 +From: Xin Long +Date: Wed, 23 Feb 2022 22:41:08 -0500 +Subject: ping: remove pr_err from ping_lookup + +From: Xin Long + +commit cd33bdcbead882c2e58fdb4a54a7bd75b610a452 upstream. + +As Jakub noticed, prints should be avoided on the datapath. +Also, as packets would never come to the else branch in +ping_lookup(), remove pr_err() from ping_lookup(). + +Fixes: 35a79e64de29 ("ping: fix the dif and sdif check in ping_lookup") +Reported-by: Jakub Kicinski +Signed-off-by: Xin Long +Link: https://lore.kernel.org/r/1ef3f2fcd31bd681a193b1fcf235eee1603819bd.1645674068.git.lucien.xin@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/ping.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/net/ipv4/ping.c ++++ b/net/ipv4/ping.c +@@ -187,7 +187,6 @@ static struct sock *ping_lookup(struct n + (int)ident, &ipv6_hdr(skb)->daddr, dif); + #endif + } else { +- pr_err("ping: protocol(%x) is not supported\n", ntohs(skb->protocol)); + return NULL; + } + diff --git a/queue-5.10/selftests-bpf-check-bpf_msg_push_data-return-value.patch b/queue-5.10/selftests-bpf-check-bpf_msg_push_data-return-value.patch new file mode 100644 index 00000000000..477e41bf010 --- /dev/null +++ b/queue-5.10/selftests-bpf-check-bpf_msg_push_data-return-value.patch @@ -0,0 +1,97 @@ +From 61d06f01f9710b327a53492e5add9f972eb909b3 Mon Sep 17 00:00:00 2001 +From: Felix Maurer +Date: Fri, 11 Feb 2022 18:43:36 +0100 +Subject: selftests: bpf: Check bpf_msg_push_data return value + +From: Felix Maurer + +commit 61d06f01f9710b327a53492e5add9f972eb909b3 upstream. + +bpf_msg_push_data may return a non-zero value to indicate an error. The +return value should be checked to prevent undetected errors. + +To indicate an error, the BPF programs now perform a different action +than their intended one to make the userspace test program notice the +error, i.e., the programs supposed to pass/redirect drop, the program +supposed to drop passes. + +Fixes: 84fbfe026acaa ("bpf: test_sockmap add options to use msg_push_data") +Signed-off-by: Felix Maurer +Signed-off-by: Alexei Starovoitov +Acked-by: John Fastabend +Link: https://lore.kernel.org/bpf/89f767bb44005d6b4dd1f42038c438f76b3ebfad.1644601294.git.fmaurer@redhat.com +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/bpf/progs/test_sockmap_kern.h | 26 ++++++++++++------ + 1 file changed, 18 insertions(+), 8 deletions(-) + +--- a/tools/testing/selftests/bpf/progs/test_sockmap_kern.h ++++ b/tools/testing/selftests/bpf/progs/test_sockmap_kern.h +@@ -235,7 +235,7 @@ SEC("sk_msg1") + int bpf_prog4(struct sk_msg_md *msg) + { + int *bytes, zero = 0, one = 1, two = 2, three = 3, four = 4, five = 5; +- int *start, *end, *start_push, *end_push, *start_pop, *pop; ++ int *start, *end, *start_push, *end_push, *start_pop, *pop, err = 0; + + bytes = bpf_map_lookup_elem(&sock_apply_bytes, &zero); + if (bytes) +@@ -249,8 +249,11 @@ int bpf_prog4(struct sk_msg_md *msg) + bpf_msg_pull_data(msg, *start, *end, 0); + start_push = bpf_map_lookup_elem(&sock_bytes, &two); + end_push = bpf_map_lookup_elem(&sock_bytes, &three); +- if (start_push && end_push) +- bpf_msg_push_data(msg, *start_push, *end_push, 0); ++ if (start_push && end_push) { ++ err = bpf_msg_push_data(msg, *start_push, *end_push, 0); ++ if (err) ++ return SK_DROP; ++ } + start_pop = bpf_map_lookup_elem(&sock_bytes, &four); + pop = bpf_map_lookup_elem(&sock_bytes, &five); + if (start_pop && pop) +@@ -263,6 +266,7 @@ int bpf_prog6(struct sk_msg_md *msg) + { + int zero = 0, one = 1, two = 2, three = 3, four = 4, five = 5, key = 0; + int *bytes, *start, *end, *start_push, *end_push, *start_pop, *pop, *f; ++ int err = 0; + __u64 flags = 0; + + bytes = bpf_map_lookup_elem(&sock_apply_bytes, &zero); +@@ -279,8 +283,11 @@ int bpf_prog6(struct sk_msg_md *msg) + + start_push = bpf_map_lookup_elem(&sock_bytes, &two); + end_push = bpf_map_lookup_elem(&sock_bytes, &three); +- if (start_push && end_push) +- bpf_msg_push_data(msg, *start_push, *end_push, 0); ++ if (start_push && end_push) { ++ err = bpf_msg_push_data(msg, *start_push, *end_push, 0); ++ if (err) ++ return SK_DROP; ++ } + + start_pop = bpf_map_lookup_elem(&sock_bytes, &four); + pop = bpf_map_lookup_elem(&sock_bytes, &five); +@@ -338,7 +345,7 @@ SEC("sk_msg5") + int bpf_prog10(struct sk_msg_md *msg) + { + int *bytes, *start, *end, *start_push, *end_push, *start_pop, *pop; +- int zero = 0, one = 1, two = 2, three = 3, four = 4, five = 5; ++ int zero = 0, one = 1, two = 2, three = 3, four = 4, five = 5, err = 0; + + bytes = bpf_map_lookup_elem(&sock_apply_bytes, &zero); + if (bytes) +@@ -352,8 +359,11 @@ int bpf_prog10(struct sk_msg_md *msg) + bpf_msg_pull_data(msg, *start, *end, 0); + start_push = bpf_map_lookup_elem(&sock_bytes, &two); + end_push = bpf_map_lookup_elem(&sock_bytes, &three); +- if (start_push && end_push) +- bpf_msg_push_data(msg, *start_push, *end_push, 0); ++ if (start_push && end_push) { ++ err = bpf_msg_push_data(msg, *start_push, *end_push, 0); ++ if (err) ++ return SK_PASS; ++ } + start_pop = bpf_map_lookup_elem(&sock_bytes, &four); + pop = bpf_map_lookup_elem(&sock_bytes, &five); + if (start_pop && pop) diff --git a/queue-5.10/series b/queue-5.10/series index 75265aae867..069e64311c9 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -16,3 +16,29 @@ netfilter-nf_tables_offload-incorrect-flow-offload-action-array-size.patch x86-fpu-correct-pkru-xstate-inconsistency.patch tee-export-teedev_open-and-teedev_close_context.patch optee-use-driver-internal-tee_context-for-some-rpc.patch +ping-remove-pr_err-from-ping_lookup.patch +perf-data-fix-double-free-in-perf_session__delete.patch +bnx2x-fix-driver-load-from-initrd.patch +bnxt_en-fix-active-fec-reporting-to-ethtool.patch +hwmon-handle-failure-to-register-sensor-with-thermal-zone-correctly.patch +bpf-do-not-try-bpf_msg_push_data-with-len-0.patch +selftests-bpf-check-bpf_msg_push_data-return-value.patch +bpf-add-schedule-points-in-batch-ops.patch +io_uring-add-a-schedule-point-in-io_add_buffers.patch +net-__pskb_pull_tail-pskb_carve_frag_list-drop_monitor-friends.patch +tipc-fix-end-of-loop-tests-for-list_for_each_entry.patch +gso-do-not-skip-outer-ip-header-in-case-of-ipip-and-net_failover.patch +openvswitch-fix-setting-ipv6-fields-causing-hw-csum-failure.patch +drm-edid-always-set-rgb444.patch +net-mlx5e-fix-wrong-return-value-on-ioctl-eeprom-query-failure.patch +net-sched-act_ct-fix-flow-table-lookup-after-ct-clear-or-switching-zones.patch +net-ll_temac-check-the-return-value-of-devm_kmalloc.patch +net-force-inlining-of-checksum-functions-in-net-checksum.h.patch +nfp-flower-fix-a-potential-leak-in-nfp_tunnel_add_shared_mac.patch +netfilter-nf_tables-fix-memory-leak-during-stateful-obj-update.patch +net-smc-use-a-mutex-for-locking-struct-smc_pnettable.patch +surface-surface3_power-fix-battery-readings-on-batteries-without-a-serial-number.patch +udp_tunnel-fix-end-of-loop-test-in-udp_tunnel_nic_unregister.patch +net-mlx5-fix-possible-deadlock-on-rule-deletion.patch +net-mlx5-fix-wrong-limitation-of-metadata-match-on-ecpf.patch +net-mlx5e-ktls-use-checksum_unnecessary-for-device-offloaded-packets.patch diff --git a/queue-5.10/surface-surface3_power-fix-battery-readings-on-batteries-without-a-serial-number.patch b/queue-5.10/surface-surface3_power-fix-battery-readings-on-batteries-without-a-serial-number.patch new file mode 100644 index 00000000000..97dba6527e4 --- /dev/null +++ b/queue-5.10/surface-surface3_power-fix-battery-readings-on-batteries-without-a-serial-number.patch @@ -0,0 +1,57 @@ +From 21d90aaee8d5c2a097ef41f1430d97661233ecc6 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Thu, 24 Feb 2022 11:18:48 +0100 +Subject: surface: surface3_power: Fix battery readings on batteries without a serial number + +From: Hans de Goede + +commit 21d90aaee8d5c2a097ef41f1430d97661233ecc6 upstream. + +The battery on the 2nd hand Surface 3 which I recently bought appears to +not have a serial number programmed in. This results in any I2C reads from +the registers containing the serial number failing with an I2C NACK. + +This was causing mshw0011_bix() to fail causing the battery readings to +not work at all. + +Ignore EREMOTEIO (I2C NACK) errors when retrieving the serial number and +continue with an empty serial number to fix this. + +Fixes: b1f81b496b0d ("platform/x86: surface3_power: MSHW0011 rev-eng implementation") +BugLink: https://github.com/linux-surface/linux-surface/issues/608 +Reviewed-by: Benjamin Tissoires +Reviewed-by: Maximilian Luz +Signed-off-by: Hans de Goede +Link: https://lore.kernel.org/r/20220224101848.7219-1-hdegoede@redhat.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/x86/surface3_power.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +--- a/drivers/platform/x86/surface3_power.c ++++ b/drivers/platform/x86/surface3_power.c +@@ -233,14 +233,21 @@ static int mshw0011_bix(struct mshw0011_ + } + bix->last_full_charg_capacity = ret; + +- /* get serial number */ ++ /* ++ * Get serial number, on some devices (with unofficial replacement ++ * battery?) reading any of the serial number range addresses gets ++ * nacked in this case just leave the serial number empty. ++ */ + ret = i2c_smbus_read_i2c_block_data(client, MSHW0011_BAT0_REG_SERIAL_NO, + sizeof(buf), buf); +- if (ret != sizeof(buf)) { ++ if (ret == -EREMOTEIO) { ++ /* no serial number available */ ++ } else if (ret != sizeof(buf)) { + dev_err(&client->dev, "Error reading serial no: %d\n", ret); + return ret; ++ } else { ++ snprintf(bix->serial, ARRAY_SIZE(bix->serial), "%3pE%6pE", buf + 7, buf); + } +- snprintf(bix->serial, ARRAY_SIZE(bix->serial), "%3pE%6pE", buf + 7, buf); + + /* get cycle count */ + ret = i2c_smbus_read_word_data(client, MSHW0011_BAT0_REG_CYCLE_CNT); diff --git a/queue-5.10/tipc-fix-end-of-loop-tests-for-list_for_each_entry.patch b/queue-5.10/tipc-fix-end-of-loop-tests-for-list_for_each_entry.patch new file mode 100644 index 00000000000..4770cc69c3c --- /dev/null +++ b/queue-5.10/tipc-fix-end-of-loop-tests-for-list_for_each_entry.patch @@ -0,0 +1,47 @@ +From a1f8fec4dac8bc7b172b2bdbd881e015261a6322 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Tue, 22 Feb 2022 16:43:12 +0300 +Subject: tipc: Fix end of loop tests for list_for_each_entry() + +From: Dan Carpenter + +commit a1f8fec4dac8bc7b172b2bdbd881e015261a6322 upstream. + +These tests are supposed to check if the loop exited via a break or not. +However the tests are wrong because if we did not exit via a break then +"p" is not a valid pointer. In that case, it's the equivalent of +"if (*(u32 *)sr == *last_key) {". That's going to work most of the time, +but there is a potential for those to be equal. + +Fixes: 1593123a6a49 ("tipc: add name table dump to new netlink api") +Fixes: 1a1a143daf84 ("tipc: add publication dump to new netlink api") +Signed-off-by: Dan Carpenter +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/tipc/name_table.c | 2 +- + net/tipc/socket.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/net/tipc/name_table.c ++++ b/net/tipc/name_table.c +@@ -931,7 +931,7 @@ static int __tipc_nl_add_nametable_publ( + list_for_each_entry(p, &sr->all_publ, all_publ) + if (p->key == *last_key) + break; +- if (p->key != *last_key) ++ if (list_entry_is_head(p, &sr->all_publ, all_publ)) + return -EPIPE; + } else { + p = list_first_entry(&sr->all_publ, +--- a/net/tipc/socket.c ++++ b/net/tipc/socket.c +@@ -3743,7 +3743,7 @@ static int __tipc_nl_list_sk_publ(struct + if (p->key == *last_publ) + break; + } +- if (p->key != *last_publ) { ++ if (list_entry_is_head(p, &tsk->publications, binding_sock)) { + /* We never set seq or call nl_dump_check_consistent() + * this means that setting prev_seq here will cause the + * consistence check to fail in the netlink callback diff --git a/queue-5.10/udp_tunnel-fix-end-of-loop-test-in-udp_tunnel_nic_unregister.patch b/queue-5.10/udp_tunnel-fix-end-of-loop-test-in-udp_tunnel_nic_unregister.patch new file mode 100644 index 00000000000..ab393faef56 --- /dev/null +++ b/queue-5.10/udp_tunnel-fix-end-of-loop-test-in-udp_tunnel_nic_unregister.patch @@ -0,0 +1,35 @@ +From de7b2efacf4e83954aed3f029d347dfc0b7a4f49 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Tue, 22 Feb 2022 16:42:51 +0300 +Subject: udp_tunnel: Fix end of loop test in udp_tunnel_nic_unregister() + +From: Dan Carpenter + +commit de7b2efacf4e83954aed3f029d347dfc0b7a4f49 upstream. + +This test is checking if we exited the list via break or not. However +if it did not exit via a break then "node" does not point to a valid +udp_tunnel_nic_shared_node struct. It will work because of the way +the structs are laid out it's the equivalent of +"if (info->shared->udp_tunnel_nic_info != dev)" which will always be +true, but it's not the right way to test. + +Fixes: 74cc6d182d03 ("udp_tunnel: add the ability to share port tables") +Signed-off-by: Dan Carpenter +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/udp_tunnel_nic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv4/udp_tunnel_nic.c ++++ b/net/ipv4/udp_tunnel_nic.c +@@ -846,7 +846,7 @@ udp_tunnel_nic_unregister(struct net_dev + list_for_each_entry(node, &info->shared->devices, list) + if (node->dev == dev) + break; +- if (node->dev != dev) ++ if (list_entry_is_head(node, &info->shared->devices, list)) + return; + + list_del(&node->list); -- 2.47.3