From f0e9d200d8733bdcffcf3658b1a74728f397f990 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sun, 30 Jan 2022 12:33:06 +0100 Subject: [PATCH] Revert "Fixes for 4.19" This reverts commit d074482816e3aafc05fcf1b64dd5ae60cda82637. --- ...hen-kasan-and-kprobe-are-enabl.patch-21269 | 119 ------- ...arameter-check-in-msm_dsi_phy_e.patch-8670 | 52 --- ...msm-fix-wrong-size-calculation.patch-15295 | 46 --- ...ximum-conversion-rate-for-g781.patch-26288 | 44 --- ...hen-maximum-queues-is-exceeded.patch-26847 | 204 ----------- ...fix-queues-reservation-for-xdp.patch-25963 | 94 ----- .../i40e-fix-unsigned-stat-widths.patch-22316 | 79 ----- ...-to-1-s-after-global-emp-reset.patch-16088 | 52 --- .../ibmvnic-don-t-spin-in-tasklet.patch-2299 | 47 --- ...ic-init-running_cap_crqs-early.patch-27527 | 327 ------------------ ...d-ip-generator-for-connected-s.patch-17436 | 70 ---- ...aw-lock-the-socket-in-raw_bind.patch-21218 | 78 ----- ...d-zero-ipid-in-synack-messages.patch-24177 | 77 ----- ...nel-rate-limit-warning-messages.patch-5779 | 51 --- ...ation-leakage-in-proc-net-ptype.patch-9405 | 78 ----- ...-net-devices-bound-packet-types.patch-5310 | 117 ------- ...has-an-up-to-date-ctime-before.patch-22722 | 37 -- ...has-an-up-to-date-ctime-before.patch-29305 | 37 -- ...e-the-lookup-of-a-directory-fa.patch-18733 | 52 --- ...can-race-when-looking-up-a-non.patch-18710 | 45 --- ...b-fix-potential-use-after-free.patch-14076 | 58 ---- ...nd_dev_if-match-in-ping_lookup.patch-26915 | 51 --- ...tween-the-release-of-rpmsg_ctr.patch-30705 | 117 ------- ...tween-the-release-of-rpmsg_ept.patch-13389 | 76 ---- ...stroy_work-queue-before-calling-.patch-750 | 152 -------- queue-4.19/series | 52 --- ...ory-leak-in-yam_siocdevprivate.patch-11367 | 37 -- 27 files changed, 2249 deletions(-) delete mode 100644 queue-4.19/arm-9170-1-fix-panic-when-kasan-and-kprobe-are-enabl.patch-21269 delete mode 100644 queue-4.19/drm-msm-dsi-invalid-parameter-check-in-msm_dsi_phy_e.patch-8670 delete mode 100644 queue-4.19/drm-msm-fix-wrong-size-calculation.patch-15295 delete mode 100644 queue-4.19/hwmon-lm90-reduce-maximum-conversion-rate-for-g781.patch-26288 delete mode 100644 queue-4.19/i40e-fix-issue-when-maximum-queues-is-exceeded.patch-26847 delete mode 100644 queue-4.19/i40e-fix-queues-reservation-for-xdp.patch-25963 delete mode 100644 queue-4.19/i40e-fix-unsigned-stat-widths.patch-22316 delete mode 100644 queue-4.19/i40e-increase-delay-to-1-s-after-global-emp-reset.patch-16088 delete mode 100644 queue-4.19/ibmvnic-don-t-spin-in-tasklet.patch-2299 delete mode 100644 queue-4.19/ibmvnic-init-running_cap_crqs-early.patch-27527 delete mode 100644 queue-4.19/ipv4-avoid-using-shared-ip-generator-for-connected-s.patch-17436 delete mode 100644 queue-4.19/ipv4-raw-lock-the-socket-in-raw_bind.patch-21218 delete mode 100644 queue-4.19/ipv4-tcp-send-zero-ipid-in-synack-messages.patch-24177 delete mode 100644 queue-4.19/ipv6_tunnel-rate-limit-warning-messages.patch-5779 delete mode 100644 queue-4.19/net-fix-information-leakage-in-proc-net-ptype.patch-9405 delete mode 100644 queue-4.19/net-procfs-show-net-devices-bound-packet-types.patch-5310 delete mode 100644 queue-4.19/nfs-ensure-the-server-has-an-up-to-date-ctime-before.patch-22722 delete mode 100644 queue-4.19/nfs-ensure-the-server-has-an-up-to-date-ctime-before.patch-29305 delete mode 100644 queue-4.19/nfsv4-handle-case-where-the-lookup-of-a-directory-fa.patch-18733 delete mode 100644 queue-4.19/nfsv4-nfs_atomic_open-can-race-when-looking-up-a-non.patch-18710 delete mode 100644 queue-4.19/phylib-fix-potential-use-after-free.patch-14076 delete mode 100644 queue-4.19/ping-fix-the-sk_bound_dev_if-match-in-ping_lookup.patch-26915 delete mode 100644 queue-4.19/rpmsg-char-fix-race-between-the-release-of-rpmsg_ctr.patch-30705 delete mode 100644 queue-4.19/rpmsg-char-fix-race-between-the-release-of-rpmsg_ept.patch-13389 delete mode 100644 queue-4.19/scsi-bnx2fc-flush-destroy_work-queue-before-calling-.patch-750 delete mode 100644 queue-4.19/yam-fix-a-memory-leak-in-yam_siocdevprivate.patch-11367 diff --git a/queue-4.19/arm-9170-1-fix-panic-when-kasan-and-kprobe-are-enabl.patch-21269 b/queue-4.19/arm-9170-1-fix-panic-when-kasan-and-kprobe-are-enabl.patch-21269 deleted file mode 100644 index ade04467318..00000000000 --- a/queue-4.19/arm-9170-1-fix-panic-when-kasan-and-kprobe-are-enabl.patch-21269 +++ /dev/null @@ -1,119 +0,0 @@ -From 3c7e67fb8b3bd7ad53ba44950d84c6f463cbdb07 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 15 Dec 2021 10:08:23 +0100 -Subject: ARM: 9170/1: fix panic when kasan and kprobe are enabled - -From: sparkhuang - -[ Upstream commit 8b59b0a53c840921b625378f137e88adfa87647e ] - -arm32 uses software to simulate the instruction replaced -by kprobe. some instructions may be simulated by constructing -assembly functions. therefore, before executing instruction -simulation, it is necessary to construct assembly function -execution environment in C language through binding registers. -after kasan is enabled, the register binding relationship will -be destroyed, resulting in instruction simulation errors and -causing kernel panic. - -the kprobe emulate instruction function is distributed in three -files: actions-common.c actions-arm.c actions-thumb.c, so disable -KASAN when compiling these files. - -for example, use kprobe insert on cap_capable+20 after kasan -enabled, the cap_capable assembly code is as follows: -: -e92d47f0 push {r4, r5, r6, r7, r8, r9, sl, lr} -e1a05000 mov r5, r0 -e280006c add r0, r0, #108 ; 0x6c -e1a04001 mov r4, r1 -e1a06002 mov r6, r2 -e59fa090 ldr sl, [pc, #144] ; -ebfc7bf8 bl c03aa4b4 <__asan_load4> -e595706c ldr r7, [r5, #108] ; 0x6c -e2859014 add r9, r5, #20 -...... -The emulate_ldr assembly code after enabling kasan is as follows: -c06f1384 : -e92d47f0 push {r4, r5, r6, r7, r8, r9, sl, lr} -e282803c add r8, r2, #60 ; 0x3c -e1a05000 mov r5, r0 -e7e37855 ubfx r7, r5, #16, #4 -e1a00008 mov r0, r8 -e1a09001 mov r9, r1 -e1a04002 mov r4, r2 -ebf35462 bl c03c6530 <__asan_load4> -e357000f cmp r7, #15 -e7e36655 ubfx r6, r5, #12, #4 -e205a00f and sl, r5, #15 -0a000001 beq c06f13bc -e0840107 add r0, r4, r7, lsl #2 -ebf3545c bl c03c6530 <__asan_load4> -e084010a add r0, r4, sl, lsl #2 -ebf3545a bl c03c6530 <__asan_load4> -e2890010 add r0, r9, #16 -ebf35458 bl c03c6530 <__asan_load4> -e5990010 ldr r0, [r9, #16] -e12fff30 blx r0 -e356000f cm r6, #15 -1a000014 bne c06f1430 -e1a06000 mov r6, r0 -e2840040 add r0, r4, #64 ; 0x40 -...... - -when running in emulate_ldr to simulate the ldr instruction, panic -occurred, and the log is as follows: -Unable to handle kernel NULL pointer dereference at virtual address -00000090 -pgd = ecb46400 -[00000090] *pgd=2e0fa003, *pmd=00000000 -Internal error: Oops: 206 [#1] SMP ARM -PC is at cap_capable+0x14/0xb0 -LR is at emulate_ldr+0x50/0xc0 -psr: 600d0293 sp : ecd63af8 ip : 00000004 fp : c0a7c30c -r10: 00000000 r9 : c30897f4 r8 : ecd63cd4 -r7 : 0000000f r6 : 0000000a r5 : e59fa090 r4 : ecd63c98 -r3 : c06ae294 r2 : 00000000 r1 : b7611300 r0 : bf4ec008 -Flags: nZCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment user -Control: 32c5387d Table: 2d546400 DAC: 55555555 -Process bash (pid: 1643, stack limit = 0xecd60190) -(cap_capable) from (kprobe_handler+0x218/0x340) -(kprobe_handler) from (kprobe_trap_handler+0x24/0x48) -(kprobe_trap_handler) from (do_undefinstr+0x13c/0x364) -(do_undefinstr) from (__und_svc_finish+0x0/0x30) -(__und_svc_finish) from (cap_capable+0x18/0xb0) -(cap_capable) from (cap_vm_enough_memory+0x38/0x48) -(cap_vm_enough_memory) from -(security_vm_enough_memory_mm+0x48/0x6c) -(security_vm_enough_memory_mm) from -(copy_process.constprop.5+0x16b4/0x25c8) -(copy_process.constprop.5) from (_do_fork+0xe8/0x55c) -(_do_fork) from (SyS_clone+0x1c/0x24) -(SyS_clone) from (__sys_trace_return+0x0/0x10) -Code: 0050a0e1 6c0080e2 0140a0e1 0260a0e1 (f801f0e7) - -Fixes: 35aa1df43283 ("ARM kprobes: instruction single-stepping support") -Fixes: 421015713b30 ("ARM: 9017/2: Enable KASan for ARM") -Signed-off-by: huangshaobo -Acked-by: Ard Biesheuvel -Signed-off-by: Russell King (Oracle) -Signed-off-by: Sasha Levin ---- - arch/arm/probes/kprobes/Makefile | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/arch/arm/probes/kprobes/Makefile b/arch/arm/probes/kprobes/Makefile -index 14db56f49f0a3..6159010dac4a6 100644 ---- a/arch/arm/probes/kprobes/Makefile -+++ b/arch/arm/probes/kprobes/Makefile -@@ -1,4 +1,7 @@ - # SPDX-License-Identifier: GPL-2.0 -+KASAN_SANITIZE_actions-common.o := n -+KASAN_SANITIZE_actions-arm.o := n -+KASAN_SANITIZE_actions-thumb.o := n - obj-$(CONFIG_KPROBES) += core.o actions-common.o checkers-common.o - obj-$(CONFIG_ARM_KPROBES_TEST) += test-kprobes.o - test-kprobes-objs := test-core.o --- -2.34.1 - diff --git a/queue-4.19/drm-msm-dsi-invalid-parameter-check-in-msm_dsi_phy_e.patch-8670 b/queue-4.19/drm-msm-dsi-invalid-parameter-check-in-msm_dsi_phy_e.patch-8670 deleted file mode 100644 index 7a126602985..00000000000 --- a/queue-4.19/drm-msm-dsi-invalid-parameter-check-in-msm_dsi_phy_e.patch-8670 +++ /dev/null @@ -1,52 +0,0 @@ -From ddc3c7ac084fe2b6d0d5a6fd167c9149640ce676 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sun, 16 Jan 2022 19:18:44 +0100 -Subject: drm/msm/dsi: invalid parameter check in msm_dsi_phy_enable -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: José Expósito - -[ Upstream commit 5e761a2287234bc402ba7ef07129f5103bcd775c ] - -The function performs a check on the "phy" input parameter, however, it -is used before the check. - -Initialize the "dev" variable after the sanity check to avoid a possible -NULL pointer dereference. - -Fixes: 5c8290284402b ("drm/msm/dsi: Split PHY drivers to separate files") -Addresses-Coverity-ID: 1493860 ("Null pointer dereference") -Signed-off-by: José Expósito -Reviewed-by: Dmitry Baryshkov -Link: https://lore.kernel.org/r/20220116181844.7400-1-jose.exposito89@gmail.com -Signed-off-by: Dmitry Baryshkov -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/msm/dsi/phy/dsi_phy.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/drivers/gpu/drm/msm/dsi/phy/dsi_phy.c b/drivers/gpu/drm/msm/dsi/phy/dsi_phy.c -index c630871de7c5b..f01e245cd0eee 100644 ---- a/drivers/gpu/drm/msm/dsi/phy/dsi_phy.c -+++ b/drivers/gpu/drm/msm/dsi/phy/dsi_phy.c -@@ -667,12 +667,14 @@ void __exit msm_dsi_phy_driver_unregister(void) - int msm_dsi_phy_enable(struct msm_dsi_phy *phy, int src_pll_id, - struct msm_dsi_phy_clk_request *clk_req) - { -- struct device *dev = &phy->pdev->dev; -+ struct device *dev; - int ret; - - if (!phy || !phy->cfg->ops.enable) - return -EINVAL; - -+ dev = &phy->pdev->dev; -+ - ret = dsi_phy_enable_resource(phy); - if (ret) { - dev_err(dev, "%s: resource enable failed, %d\n", --- -2.34.1 - diff --git a/queue-4.19/drm-msm-fix-wrong-size-calculation.patch-15295 b/queue-4.19/drm-msm-fix-wrong-size-calculation.patch-15295 deleted file mode 100644 index a3f297fd21b..00000000000 --- a/queue-4.19/drm-msm-fix-wrong-size-calculation.patch-15295 +++ /dev/null @@ -1,46 +0,0 @@ -From e76842db65b82e58f97e169d2f7cdf2ee43dcee6 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 12 Jan 2022 20:33:34 +0800 -Subject: drm/msm: Fix wrong size calculation - -From: Xianting Tian - -[ Upstream commit 0a727b459ee39bd4c5ced19d6024258ac87b6b2e ] - -For example, memory-region in .dts as below, - reg = <0x0 0x50000000 0x0 0x20000000> - -We can get below values, -struct resource r; -r.start = 0x50000000; -r.end = 0x6fffffff; - -So the size should be: -size = r.end - r.start + 1 = 0x20000000 - -Signed-off-by: Xianting Tian -Fixes: 072f1f9168ed ("drm/msm: add support for "stolen" mem") -Reviewed-by: Dmitry Baryshkov -Link: https://lore.kernel.org/r/20220112123334.749776-1-xianting.tian@linux.alibaba.com -Signed-off-by: Dmitry Baryshkov -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/msm/msm_drv.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/gpu/drm/msm/msm_drv.c b/drivers/gpu/drm/msm/msm_drv.c -index 08ff9d7645d74..11bad11101b9e 100644 ---- a/drivers/gpu/drm/msm/msm_drv.c -+++ b/drivers/gpu/drm/msm/msm_drv.c -@@ -388,7 +388,7 @@ static int msm_init_vram(struct drm_device *dev) - of_node_put(node); - if (ret) - return ret; -- size = r.end - r.start; -+ size = r.end - r.start + 1; - DRM_INFO("using VRAM carveout: %lx@%pa\n", size, &r.start); - - /* if we have no IOMMU, then we need to use carveout allocator. --- -2.34.1 - diff --git a/queue-4.19/hwmon-lm90-reduce-maximum-conversion-rate-for-g781.patch-26288 b/queue-4.19/hwmon-lm90-reduce-maximum-conversion-rate-for-g781.patch-26288 deleted file mode 100644 index a1b85f553b0..00000000000 --- a/queue-4.19/hwmon-lm90-reduce-maximum-conversion-rate-for-g781.patch-26288 +++ /dev/null @@ -1,44 +0,0 @@ -From 49607c4893f6fca1076bb3dd56afbbb04e065d5d Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 6 Jan 2022 11:48:52 -0800 -Subject: hwmon: (lm90) Reduce maximum conversion rate for G781 - -From: Guenter Roeck - -[ Upstream commit a66c5ed539277b9f2363bbace0dba88b85b36c26 ] - -According to its datasheet, G781 supports a maximum conversion rate value -of 8 (62.5 ms). However, chips labeled G781 and G780 were found to only -support a maximum conversion rate value of 7 (125 ms). On the other side, -chips labeled G781-1 and G784 were found to support a conversion rate value -of 8. There is no known means to distinguish G780 from G781 or G784; all -chips report the same manufacturer ID and chip revision. -Setting the conversion rate register value to 8 on chips not supporting -it causes unexpected behavior since the real conversion rate is set to 0 -(16 seconds) if a value of 8 is written into the conversion rate register. -Limit the conversion rate register value to 7 for all G78x chips to avoid -the problem. - -Fixes: ae544f64cc7b ("hwmon: (lm90) Add support for GMT G781") -Signed-off-by: Guenter Roeck -Signed-off-by: Sasha Levin ---- - drivers/hwmon/lm90.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/hwmon/lm90.c b/drivers/hwmon/lm90.c -index 30a7f7fde6511..033c89f8359d1 100644 ---- a/drivers/hwmon/lm90.c -+++ b/drivers/hwmon/lm90.c -@@ -359,7 +359,7 @@ static const struct lm90_params lm90_params[] = { - .flags = LM90_HAVE_OFFSET | LM90_HAVE_REM_LIMIT_EXT - | LM90_HAVE_BROKEN_ALERT, - .alert_alarms = 0x7c, -- .max_convrate = 8, -+ .max_convrate = 7, - }, - [lm86] = { - .flags = LM90_HAVE_OFFSET | LM90_HAVE_REM_LIMIT_EXT, --- -2.34.1 - diff --git a/queue-4.19/i40e-fix-issue-when-maximum-queues-is-exceeded.patch-26847 b/queue-4.19/i40e-fix-issue-when-maximum-queues-is-exceeded.patch-26847 deleted file mode 100644 index 25c0b12a1ce..00000000000 --- a/queue-4.19/i40e-fix-issue-when-maximum-queues-is-exceeded.patch-26847 +++ /dev/null @@ -1,204 +0,0 @@ -From c154db5ee97f6fb2deca2c4cc93284cb7c54feab Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 5 Nov 2021 11:17:00 +0000 -Subject: i40e: Fix issue when maximum queues is exceeded - -From: Jedrzej Jagielski - -[ Upstream commit d701658a50a471591094b3eb3961b4926cc8f104 ] - -Before this patch VF interface vanished when -maximum queue number was exceeded. Driver tried -to add next queues even if there was not enough -space. PF sent incorrect number of queues to -the VF when there were not enough of them. - -Add an additional condition introduced to check -available space in 'qp_pile' before proceeding. -This condition makes it impossible to add queues -if they number is greater than the number resulting -from available space. -Also add the search for free space in PF queue -pair piles. - -Without this patch VF interfaces are not seen -when available space for queues has been -exceeded and following logs appears permanently -in dmesg: -"Unable to get VF config (-32)". -"VF 62 failed opcode 3, retval: -5" -"Unable to get VF config due to PF error condition, not retrying" - -Fixes: 7daa6bf3294e ("i40e: driver core headers") -Fixes: 41c445ff0f48 ("i40e: main driver core") -Signed-off-by: Jaroslaw Gawin -Signed-off-by: Slawomir Laba -Signed-off-by: Jedrzej Jagielski -Tested-by: Konrad Jankowski -Signed-off-by: Tony Nguyen -Signed-off-by: Sasha Levin ---- - drivers/net/ethernet/intel/i40e/i40e.h | 1 - - drivers/net/ethernet/intel/i40e/i40e_main.c | 14 +---- - .../ethernet/intel/i40e/i40e_virtchnl_pf.c | 59 +++++++++++++++++++ - 3 files changed, 61 insertions(+), 13 deletions(-) - -diff --git a/drivers/net/ethernet/intel/i40e/i40e.h b/drivers/net/ethernet/intel/i40e/i40e.h -index 519b595944235..8a15538227139 100644 ---- a/drivers/net/ethernet/intel/i40e/i40e.h -+++ b/drivers/net/ethernet/intel/i40e/i40e.h -@@ -179,7 +179,6 @@ enum i40e_interrupt_policy { - - struct i40e_lump_tracking { - u16 num_entries; -- u16 search_hint; - u16 list[0]; - #define I40E_PILE_VALID_BIT 0x8000 - #define I40E_IWARP_IRQ_PILE_ID (I40E_PILE_VALID_BIT - 2) -diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c -index 6907feb1aa636..71f4ef4684322 100644 ---- a/drivers/net/ethernet/intel/i40e/i40e_main.c -+++ b/drivers/net/ethernet/intel/i40e/i40e_main.c -@@ -193,10 +193,6 @@ int i40e_free_virt_mem_d(struct i40e_hw *hw, struct i40e_virt_mem *mem) - * @id: an owner id to stick on the items assigned - * - * Returns the base item index of the lump, or negative for error -- * -- * The search_hint trick and lack of advanced fit-finding only work -- * because we're highly likely to have all the same size lump requests. -- * Linear search time and any fragmentation should be minimal. - **/ - static int i40e_get_lump(struct i40e_pf *pf, struct i40e_lump_tracking *pile, - u16 needed, u16 id) -@@ -211,8 +207,7 @@ static int i40e_get_lump(struct i40e_pf *pf, struct i40e_lump_tracking *pile, - return -EINVAL; - } - -- /* start the linear search with an imperfect hint */ -- i = pile->search_hint; -+ i = 0; - while (i < pile->num_entries) { - /* skip already allocated entries */ - if (pile->list[i] & I40E_PILE_VALID_BIT) { -@@ -231,7 +226,6 @@ static int i40e_get_lump(struct i40e_pf *pf, struct i40e_lump_tracking *pile, - for (j = 0; j < needed; j++) - pile->list[i+j] = id | I40E_PILE_VALID_BIT; - ret = i; -- pile->search_hint = i + j; - break; - } - -@@ -254,7 +248,7 @@ static int i40e_put_lump(struct i40e_lump_tracking *pile, u16 index, u16 id) - { - int valid_id = (id | I40E_PILE_VALID_BIT); - int count = 0; -- int i; -+ u16 i; - - if (!pile || index >= pile->num_entries) - return -EINVAL; -@@ -266,8 +260,6 @@ static int i40e_put_lump(struct i40e_lump_tracking *pile, u16 index, u16 id) - count++; - } - -- if (count && index < pile->search_hint) -- pile->search_hint = index; - - return count; - } -@@ -10727,7 +10719,6 @@ static int i40e_init_interrupt_scheme(struct i40e_pf *pf) - return -ENOMEM; - - pf->irq_pile->num_entries = vectors; -- pf->irq_pile->search_hint = 0; - - /* track first vector for misc interrupts, ignore return */ - (void)i40e_get_lump(pf, pf->irq_pile, 1, I40E_PILE_VALID_BIT - 1); -@@ -11436,7 +11427,6 @@ static int i40e_sw_init(struct i40e_pf *pf) - goto sw_init_done; - } - pf->qp_pile->num_entries = pf->hw.func_caps.num_tx_qp; -- pf->qp_pile->search_hint = 0; - - pf->tx_timeout_recovery_level = 1; - -diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c -index 55710028c99f3..a39a8fe073ca8 100644 ---- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c -+++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c -@@ -2338,6 +2338,59 @@ error_param: - aq_ret); - } - -+/** -+ * i40e_check_enough_queue - find big enough queue number -+ * @vf: pointer to the VF info -+ * @needed: the number of items needed -+ * -+ * Returns the base item index of the queue, or negative for error -+ **/ -+static int i40e_check_enough_queue(struct i40e_vf *vf, u16 needed) -+{ -+ unsigned int i, cur_queues, more, pool_size; -+ struct i40e_lump_tracking *pile; -+ struct i40e_pf *pf = vf->pf; -+ struct i40e_vsi *vsi; -+ -+ vsi = pf->vsi[vf->lan_vsi_idx]; -+ cur_queues = vsi->alloc_queue_pairs; -+ -+ /* if current allocated queues are enough for need */ -+ if (cur_queues >= needed) -+ return vsi->base_queue; -+ -+ pile = pf->qp_pile; -+ if (cur_queues > 0) { -+ /* if the allocated queues are not zero -+ * just check if there are enough queues for more -+ * behind the allocated queues. -+ */ -+ more = needed - cur_queues; -+ for (i = vsi->base_queue + cur_queues; -+ i < pile->num_entries; i++) { -+ if (pile->list[i] & I40E_PILE_VALID_BIT) -+ break; -+ -+ if (more-- == 1) -+ /* there is enough */ -+ return vsi->base_queue; -+ } -+ } -+ -+ pool_size = 0; -+ for (i = 0; i < pile->num_entries; i++) { -+ if (pile->list[i] & I40E_PILE_VALID_BIT) { -+ pool_size = 0; -+ continue; -+ } -+ if (needed <= ++pool_size) -+ /* there is enough */ -+ return i; -+ } -+ -+ return -ENOMEM; -+} -+ - /** - * i40e_vc_request_queues_msg - * @vf: pointer to the VF info -@@ -2377,6 +2430,12 @@ static int i40e_vc_request_queues_msg(struct i40e_vf *vf, u8 *msg, int msglen) - req_pairs - cur_pairs, - pf->queues_left); - vfres->num_queue_pairs = pf->queues_left + cur_pairs; -+ } else if (i40e_check_enough_queue(vf, req_pairs) < 0) { -+ dev_warn(&pf->pdev->dev, -+ "VF %d requested %d more queues, but there is not enough for it.\n", -+ vf->vf_id, -+ req_pairs - cur_pairs); -+ vfres->num_queue_pairs = cur_pairs; - } else { - /* successful request */ - vf->num_req_queues = req_pairs; --- -2.34.1 - diff --git a/queue-4.19/i40e-fix-queues-reservation-for-xdp.patch-25963 b/queue-4.19/i40e-fix-queues-reservation-for-xdp.patch-25963 deleted file mode 100644 index ab8feb1df63..00000000000 --- a/queue-4.19/i40e-fix-queues-reservation-for-xdp.patch-25963 +++ /dev/null @@ -1,94 +0,0 @@ -From bd7f380cb982b005a5c460c1724d1fb664687a8a Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 26 Nov 2021 11:11:22 +0100 -Subject: i40e: Fix queues reservation for XDP - -From: Sylwester Dziedziuch - -[ Upstream commit 92947844b8beee988c0ce17082b705c2f75f0742 ] - -When XDP was configured on a system with large number of CPUs -and X722 NIC there was a call trace with NULL pointer dereference. - -i40e 0000:87:00.0: failed to get tracking for 256 queues for VSI 0 err -12 -i40e 0000:87:00.0: setup of MAIN VSI failed - -BUG: kernel NULL pointer dereference, address: 0000000000000000 -RIP: 0010:i40e_xdp+0xea/0x1b0 [i40e] -Call Trace: -? i40e_reconfig_rss_queues+0x130/0x130 [i40e] -dev_xdp_install+0x61/0xe0 -dev_xdp_attach+0x18a/0x4c0 -dev_change_xdp_fd+0x1e6/0x220 -do_setlink+0x616/0x1030 -? ahci_port_stop+0x80/0x80 -? ata_qc_issue+0x107/0x1e0 -? lock_timer_base+0x61/0x80 -? __mod_timer+0x202/0x380 -rtnl_setlink+0xe5/0x170 -? bpf_lsm_binder_transaction+0x10/0x10 -? security_capable+0x36/0x50 -rtnetlink_rcv_msg+0x121/0x350 -? rtnl_calcit.isra.0+0x100/0x100 -netlink_rcv_skb+0x50/0xf0 -netlink_unicast+0x1d3/0x2a0 -netlink_sendmsg+0x22a/0x440 -sock_sendmsg+0x5e/0x60 -__sys_sendto+0xf0/0x160 -? __sys_getsockname+0x7e/0xc0 -? _copy_from_user+0x3c/0x80 -? __sys_setsockopt+0xc8/0x1a0 -__x64_sys_sendto+0x20/0x30 -do_syscall_64+0x33/0x40 -entry_SYSCALL_64_after_hwframe+0x44/0xae -RIP: 0033:0x7f83fa7a39e0 - -This was caused by PF queue pile fragmentation due to -flow director VSI queue being placed right after main VSI. -Because of this main VSI was not able to resize its -queue allocation for XDP resulting in no queues allocated -for main VSI when XDP was turned on. - -Fix this by always allocating last queue in PF queue pile -for a flow director VSI. - -Fixes: 41c445ff0f48 ("i40e: main driver core") -Fixes: 74608d17fe29 ("i40e: add support for XDP_TX action") -Signed-off-by: Sylwester Dziedziuch -Signed-off-by: Mateusz Palczewski -Reviewed-by: Maciej Fijalkowski -Tested-by: Kiran Bhandare -Signed-off-by: Tony Nguyen -Signed-off-by: Sasha Levin ---- - drivers/net/ethernet/intel/i40e/i40e_main.c | 14 ++++++++++++++ - 1 file changed, 14 insertions(+) - -diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c -index 71f4ef4684322..7699e79f24a64 100644 ---- a/drivers/net/ethernet/intel/i40e/i40e_main.c -+++ b/drivers/net/ethernet/intel/i40e/i40e_main.c -@@ -207,6 +207,20 @@ static int i40e_get_lump(struct i40e_pf *pf, struct i40e_lump_tracking *pile, - return -EINVAL; - } - -+ /* Allocate last queue in the pile for FDIR VSI queue -+ * so it doesn't fragment the qp_pile -+ */ -+ if (pile == pf->qp_pile && pf->vsi[id]->type == I40E_VSI_FDIR) { -+ if (pile->list[pile->num_entries - 1] & I40E_PILE_VALID_BIT) { -+ dev_err(&pf->pdev->dev, -+ "Cannot allocate queue %d for I40E_VSI_FDIR\n", -+ pile->num_entries - 1); -+ return -ENOMEM; -+ } -+ pile->list[pile->num_entries - 1] = id | I40E_PILE_VALID_BIT; -+ return pile->num_entries - 1; -+ } -+ - i = 0; - while (i < pile->num_entries) { - /* skip already allocated entries */ --- -2.34.1 - diff --git a/queue-4.19/i40e-fix-unsigned-stat-widths.patch-22316 b/queue-4.19/i40e-fix-unsigned-stat-widths.patch-22316 deleted file mode 100644 index 53c0a338990..00000000000 --- a/queue-4.19/i40e-fix-unsigned-stat-widths.patch-22316 +++ /dev/null @@ -1,79 +0,0 @@ -From ffe509c5e4dca1f7e0ea3bc4b6687ec15c551fcd Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 8 Dec 2021 17:56:33 -0800 -Subject: i40e: fix unsigned stat widths - -From: Joe Damato - -[ Upstream commit 3b8428b84539c78fdc8006c17ebd25afd4722d51 ] - -Change i40e_update_vsi_stats and struct i40e_vsi to use u64 fields to match -the width of the stats counters in struct i40e_rx_queue_stats. - -Update debugfs code to use the correct format specifier for u64. - -Fixes: 41c445ff0f48 ("i40e: main driver core") -Signed-off-by: Joe Damato -Reported-by: kernel test robot -Tested-by: Gurucharan G -Signed-off-by: Tony Nguyen -Signed-off-by: Sasha Levin ---- - drivers/net/ethernet/intel/i40e/i40e.h | 8 ++++---- - drivers/net/ethernet/intel/i40e/i40e_debugfs.c | 2 +- - drivers/net/ethernet/intel/i40e/i40e_main.c | 4 ++-- - 3 files changed, 7 insertions(+), 7 deletions(-) - -diff --git a/drivers/net/ethernet/intel/i40e/i40e.h b/drivers/net/ethernet/intel/i40e/i40e.h -index 8a15538227139..dc99e296f349e 100644 ---- a/drivers/net/ethernet/intel/i40e/i40e.h -+++ b/drivers/net/ethernet/intel/i40e/i40e.h -@@ -708,12 +708,12 @@ struct i40e_vsi { - struct rtnl_link_stats64 net_stats_offsets; - struct i40e_eth_stats eth_stats; - struct i40e_eth_stats eth_stats_offsets; -- u32 tx_restart; -- u32 tx_busy; -+ u64 tx_restart; -+ u64 tx_busy; - u64 tx_linearize; - u64 tx_force_wb; -- u32 rx_buf_failed; -- u32 rx_page_failed; -+ u64 rx_buf_failed; -+ u64 rx_page_failed; - - /* These are containers of ring pointers, allocated at run-time */ - struct i40e_ring **rx_rings; -diff --git a/drivers/net/ethernet/intel/i40e/i40e_debugfs.c b/drivers/net/ethernet/intel/i40e/i40e_debugfs.c -index 56b911a5dd8be..a66492b9403c4 100644 ---- a/drivers/net/ethernet/intel/i40e/i40e_debugfs.c -+++ b/drivers/net/ethernet/intel/i40e/i40e_debugfs.c -@@ -236,7 +236,7 @@ static void i40e_dbg_dump_vsi_seid(struct i40e_pf *pf, int seid) - (unsigned long int)vsi->net_stats_offsets.rx_compressed, - (unsigned long int)vsi->net_stats_offsets.tx_compressed); - dev_info(&pf->pdev->dev, -- " tx_restart = %d, tx_busy = %d, rx_buf_failed = %d, rx_page_failed = %d\n", -+ " tx_restart = %llu, tx_busy = %llu, rx_buf_failed = %llu, rx_page_failed = %llu\n", - vsi->tx_restart, vsi->tx_busy, - vsi->rx_buf_failed, vsi->rx_page_failed); - rcu_read_lock(); -diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c -index 7699e79f24a64..21ea0cdea6668 100644 ---- a/drivers/net/ethernet/intel/i40e/i40e_main.c -+++ b/drivers/net/ethernet/intel/i40e/i40e_main.c -@@ -791,9 +791,9 @@ static void i40e_update_vsi_stats(struct i40e_vsi *vsi) - struct rtnl_link_stats64 *ns; /* netdev stats */ - struct i40e_eth_stats *oes; - struct i40e_eth_stats *es; /* device's eth stats */ -- u32 tx_restart, tx_busy; -+ u64 tx_restart, tx_busy; - struct i40e_ring *p; -- u32 rx_page, rx_buf; -+ u64 rx_page, rx_buf; - u64 bytes, packets; - unsigned int start; - u64 tx_linearize; --- -2.34.1 - diff --git a/queue-4.19/i40e-increase-delay-to-1-s-after-global-emp-reset.patch-16088 b/queue-4.19/i40e-increase-delay-to-1-s-after-global-emp-reset.patch-16088 deleted file mode 100644 index 5f2bf9a95f8..00000000000 --- a/queue-4.19/i40e-increase-delay-to-1-s-after-global-emp-reset.patch-16088 +++ /dev/null @@ -1,52 +0,0 @@ -From 4ad897691571213a23518b8a3da92a877f25f029 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 28 Oct 2021 13:51:14 +0000 -Subject: i40e: Increase delay to 1 s after global EMP reset - -From: Jedrzej Jagielski - -[ Upstream commit 9b13bd53134c9ddd544a790125199fdbdb505e67 ] - -Recently simplified i40e_rebuild causes that FW sometimes -is not ready after NVM update, the ping does not return. - -Increase the delay in case of EMP reset. -Old delay of 300 ms was introduced for specific cards for 710 series. -Now it works for all the cards and delay was increased. - -Fixes: 1fa51a650e1d ("i40e: Add delay after EMP reset for firmware to recover") -Signed-off-by: Arkadiusz Kubalewski -Signed-off-by: Jedrzej Jagielski -Tested-by: Gurucharan G -Signed-off-by: Tony Nguyen -Signed-off-by: Sasha Levin ---- - drivers/net/ethernet/intel/i40e/i40e_main.c | 12 +++--------- - 1 file changed, 3 insertions(+), 9 deletions(-) - -diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c -index 1fadc4991c48e..6907feb1aa636 100644 ---- a/drivers/net/ethernet/intel/i40e/i40e_main.c -+++ b/drivers/net/ethernet/intel/i40e/i40e_main.c -@@ -9486,15 +9486,9 @@ static void i40e_rebuild(struct i40e_pf *pf, bool reinit, bool lock_acquired) - } - i40e_get_oem_version(&pf->hw); - -- if (test_bit(__I40E_EMP_RESET_INTR_RECEIVED, pf->state) && -- ((hw->aq.fw_maj_ver == 4 && hw->aq.fw_min_ver <= 33) || -- hw->aq.fw_maj_ver < 4) && hw->mac.type == I40E_MAC_XL710) { -- /* The following delay is necessary for 4.33 firmware and older -- * to recover after EMP reset. 200 ms should suffice but we -- * put here 300 ms to be sure that FW is ready to operate -- * after reset. -- */ -- mdelay(300); -+ if (test_and_clear_bit(__I40E_EMP_RESET_INTR_RECEIVED, pf->state)) { -+ /* The following delay is necessary for firmware update. */ -+ mdelay(1000); - } - - /* re-verify the eeprom if we just had an EMP reset */ --- -2.34.1 - diff --git a/queue-4.19/ibmvnic-don-t-spin-in-tasklet.patch-2299 b/queue-4.19/ibmvnic-don-t-spin-in-tasklet.patch-2299 deleted file mode 100644 index 9f4c633961f..00000000000 --- a/queue-4.19/ibmvnic-don-t-spin-in-tasklet.patch-2299 +++ /dev/null @@ -1,47 +0,0 @@ -From 867c7d06456e040ce62909519afa586e49ff3e4e Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 21 Jan 2022 18:59:20 -0800 -Subject: ibmvnic: don't spin in tasklet - -From: Sukadev Bhattiprolu - -[ Upstream commit 48079e7fdd0269d66b1d7d66ae88bd03162464ad ] - -ibmvnic_tasklet() continuously spins waiting for responses to all -capability requests. It does this to avoid encountering an error -during initialization of the vnic. However if there is a bug in the -VIOS and we do not receive a response to one or more queries the -tasklet ends up spinning continuously leading to hard lock ups. - -If we fail to receive a message from the VIOS it is reasonable to -timeout the login attempt rather than spin indefinitely in the tasklet. - -Fixes: 249168ad07cd ("ibmvnic: Make CRQ interrupt tasklet wait for all capabilities crqs") -Signed-off-by: Sukadev Bhattiprolu -Reviewed-by: Dany Madden -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin ---- - drivers/net/ethernet/ibm/ibmvnic.c | 6 ------ - 1 file changed, 6 deletions(-) - -diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c -index 9174eccfd9329..ffea634e03e8a 100644 ---- a/drivers/net/ethernet/ibm/ibmvnic.c -+++ b/drivers/net/ethernet/ibm/ibmvnic.c -@@ -4493,12 +4493,6 @@ static void ibmvnic_tasklet(void *data) - ibmvnic_handle_crq(crq, adapter); - crq->generic.first = 0; - } -- -- /* remain in tasklet until all -- * capabilities responses are received -- */ -- if (!adapter->wait_capability) -- done = true; - } - /* if capabilities CRQ's were sent in this tasklet, the following - * tasklet must wait until all responses are received --- -2.34.1 - diff --git a/queue-4.19/ibmvnic-init-running_cap_crqs-early.patch-27527 b/queue-4.19/ibmvnic-init-running_cap_crqs-early.patch-27527 deleted file mode 100644 index be40a790116..00000000000 --- a/queue-4.19/ibmvnic-init-running_cap_crqs-early.patch-27527 +++ /dev/null @@ -1,327 +0,0 @@ -From 113622e85f14d6c3abf8f6ccffa0c5df1f711dc4 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 21 Jan 2022 18:59:19 -0800 -Subject: ibmvnic: init ->running_cap_crqs early - -From: Sukadev Bhattiprolu - -[ Upstream commit 151b6a5c06b678687f64f2d9a99fd04d5cd32b72 ] - -We use ->running_cap_crqs to determine when the ibmvnic_tasklet() should -send out the next protocol message type. i.e when we get back responses -to all our QUERY_CAPABILITY CRQs we send out REQUEST_CAPABILITY crqs. -Similiary, when we get responses to all the REQUEST_CAPABILITY crqs, we -send out the QUERY_IP_OFFLOAD CRQ. - -We currently increment ->running_cap_crqs as we send out each CRQ and -have the ibmvnic_tasklet() send out the next message type, when this -running_cap_crqs count drops to 0. - -This assumes that all the CRQs of the current type were sent out before -the count drops to 0. However it is possible that we send out say 6 CRQs, -get preempted and receive all the 6 responses before we send out the -remaining CRQs. This can result in ->running_cap_crqs count dropping to -zero before all messages of the current type were sent and we end up -sending the next protocol message too early. - -Instead initialize the ->running_cap_crqs upfront so the tasklet will -only send the next protocol message after all responses are received. - -Use the cap_reqs local variable to also detect any discrepancy (either -now or in future) in the number of capability requests we actually send. - -Currently only send_query_cap() is affected by this behavior (of sending -next message early) since it is called from the worker thread (during -reset) and from application thread (during ->ndo_open()) and they can be -preempted. send_request_cap() is only called from the tasklet which -processes CRQ responses sequentially, is not be affected. But to -maintain the existing symmtery with send_query_capability() we update -send_request_capability() also. - -Fixes: 249168ad07cd ("ibmvnic: Make CRQ interrupt tasklet wait for all capabilities crqs") -Signed-off-by: Sukadev Bhattiprolu -Reviewed-by: Dany Madden -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin ---- - drivers/net/ethernet/ibm/ibmvnic.c | 106 +++++++++++++++++++---------- - 1 file changed, 71 insertions(+), 35 deletions(-) - -diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c -index c52c26fc44e59..9174eccfd9329 100644 ---- a/drivers/net/ethernet/ibm/ibmvnic.c -+++ b/drivers/net/ethernet/ibm/ibmvnic.c -@@ -3044,11 +3044,25 @@ static void ibmvnic_send_req_caps(struct ibmvnic_adapter *adapter, int retry) - struct device *dev = &adapter->vdev->dev; - union ibmvnic_crq crq; - int max_entries; -+ int cap_reqs; -+ -+ /* We send out 6 or 7 REQUEST_CAPABILITY CRQs below (depending on -+ * the PROMISC flag). Initialize this count upfront. When the tasklet -+ * receives a response to all of these, it will send the next protocol -+ * message (QUERY_IP_OFFLOAD). -+ */ -+ if (!(adapter->netdev->flags & IFF_PROMISC) || -+ adapter->promisc_supported) -+ cap_reqs = 7; -+ else -+ cap_reqs = 6; - - if (!retry) { - /* Sub-CRQ entries are 32 byte long */ - int entries_page = 4 * PAGE_SIZE / (sizeof(u64) * 4); - -+ atomic_set(&adapter->running_cap_crqs, cap_reqs); -+ - if (adapter->min_tx_entries_per_subcrq > entries_page || - adapter->min_rx_add_entries_per_subcrq > entries_page) { - dev_err(dev, "Fatal, invalid entries per sub-crq\n"); -@@ -3109,44 +3123,45 @@ static void ibmvnic_send_req_caps(struct ibmvnic_adapter *adapter, int retry) - adapter->opt_rx_comp_queues; - - adapter->req_rx_add_queues = adapter->max_rx_add_queues; -+ } else { -+ atomic_add(cap_reqs, &adapter->running_cap_crqs); - } -- - memset(&crq, 0, sizeof(crq)); - crq.request_capability.first = IBMVNIC_CRQ_CMD; - crq.request_capability.cmd = REQUEST_CAPABILITY; - - crq.request_capability.capability = cpu_to_be16(REQ_TX_QUEUES); - crq.request_capability.number = cpu_to_be64(adapter->req_tx_queues); -- atomic_inc(&adapter->running_cap_crqs); -+ cap_reqs--; - ibmvnic_send_crq(adapter, &crq); - - crq.request_capability.capability = cpu_to_be16(REQ_RX_QUEUES); - crq.request_capability.number = cpu_to_be64(adapter->req_rx_queues); -- atomic_inc(&adapter->running_cap_crqs); -+ cap_reqs--; - ibmvnic_send_crq(adapter, &crq); - - crq.request_capability.capability = cpu_to_be16(REQ_RX_ADD_QUEUES); - crq.request_capability.number = cpu_to_be64(adapter->req_rx_add_queues); -- atomic_inc(&adapter->running_cap_crqs); -+ cap_reqs--; - ibmvnic_send_crq(adapter, &crq); - - crq.request_capability.capability = - cpu_to_be16(REQ_TX_ENTRIES_PER_SUBCRQ); - crq.request_capability.number = - cpu_to_be64(adapter->req_tx_entries_per_subcrq); -- atomic_inc(&adapter->running_cap_crqs); -+ cap_reqs--; - ibmvnic_send_crq(adapter, &crq); - - crq.request_capability.capability = - cpu_to_be16(REQ_RX_ADD_ENTRIES_PER_SUBCRQ); - crq.request_capability.number = - cpu_to_be64(adapter->req_rx_add_entries_per_subcrq); -- atomic_inc(&adapter->running_cap_crqs); -+ cap_reqs--; - ibmvnic_send_crq(adapter, &crq); - - crq.request_capability.capability = cpu_to_be16(REQ_MTU); - crq.request_capability.number = cpu_to_be64(adapter->req_mtu); -- atomic_inc(&adapter->running_cap_crqs); -+ cap_reqs--; - ibmvnic_send_crq(adapter, &crq); - - if (adapter->netdev->flags & IFF_PROMISC) { -@@ -3154,16 +3169,21 @@ static void ibmvnic_send_req_caps(struct ibmvnic_adapter *adapter, int retry) - crq.request_capability.capability = - cpu_to_be16(PROMISC_REQUESTED); - crq.request_capability.number = cpu_to_be64(1); -- atomic_inc(&adapter->running_cap_crqs); -+ cap_reqs--; - ibmvnic_send_crq(adapter, &crq); - } - } else { - crq.request_capability.capability = - cpu_to_be16(PROMISC_REQUESTED); - crq.request_capability.number = cpu_to_be64(0); -- atomic_inc(&adapter->running_cap_crqs); -+ cap_reqs--; - ibmvnic_send_crq(adapter, &crq); - } -+ -+ /* Keep at end to catch any discrepancy between expected and actual -+ * CRQs sent. -+ */ -+ WARN_ON(cap_reqs != 0); - } - - static int pending_scrq(struct ibmvnic_adapter *adapter, -@@ -3568,118 +3588,132 @@ static void send_map_query(struct ibmvnic_adapter *adapter) - static void send_cap_queries(struct ibmvnic_adapter *adapter) - { - union ibmvnic_crq crq; -+ int cap_reqs; -+ -+ /* We send out 25 QUERY_CAPABILITY CRQs below. Initialize this count -+ * upfront. When the tasklet receives a response to all of these, it -+ * can send out the next protocol messaage (REQUEST_CAPABILITY). -+ */ -+ cap_reqs = 25; -+ -+ atomic_set(&adapter->running_cap_crqs, cap_reqs); - -- atomic_set(&adapter->running_cap_crqs, 0); - memset(&crq, 0, sizeof(crq)); - crq.query_capability.first = IBMVNIC_CRQ_CMD; - crq.query_capability.cmd = QUERY_CAPABILITY; - - crq.query_capability.capability = cpu_to_be16(MIN_TX_QUEUES); -- atomic_inc(&adapter->running_cap_crqs); - ibmvnic_send_crq(adapter, &crq); -+ cap_reqs--; - - crq.query_capability.capability = cpu_to_be16(MIN_RX_QUEUES); -- atomic_inc(&adapter->running_cap_crqs); - ibmvnic_send_crq(adapter, &crq); -+ cap_reqs--; - - crq.query_capability.capability = cpu_to_be16(MIN_RX_ADD_QUEUES); -- atomic_inc(&adapter->running_cap_crqs); - ibmvnic_send_crq(adapter, &crq); -+ cap_reqs--; - - crq.query_capability.capability = cpu_to_be16(MAX_TX_QUEUES); -- atomic_inc(&adapter->running_cap_crqs); - ibmvnic_send_crq(adapter, &crq); -+ cap_reqs--; - - crq.query_capability.capability = cpu_to_be16(MAX_RX_QUEUES); -- atomic_inc(&adapter->running_cap_crqs); - ibmvnic_send_crq(adapter, &crq); -+ cap_reqs--; - - crq.query_capability.capability = cpu_to_be16(MAX_RX_ADD_QUEUES); -- atomic_inc(&adapter->running_cap_crqs); - ibmvnic_send_crq(adapter, &crq); -+ cap_reqs--; - - crq.query_capability.capability = - cpu_to_be16(MIN_TX_ENTRIES_PER_SUBCRQ); -- atomic_inc(&adapter->running_cap_crqs); - ibmvnic_send_crq(adapter, &crq); -+ cap_reqs--; - - crq.query_capability.capability = - cpu_to_be16(MIN_RX_ADD_ENTRIES_PER_SUBCRQ); -- atomic_inc(&adapter->running_cap_crqs); - ibmvnic_send_crq(adapter, &crq); -+ cap_reqs--; - - crq.query_capability.capability = - cpu_to_be16(MAX_TX_ENTRIES_PER_SUBCRQ); -- atomic_inc(&adapter->running_cap_crqs); - ibmvnic_send_crq(adapter, &crq); -+ cap_reqs--; - - crq.query_capability.capability = - cpu_to_be16(MAX_RX_ADD_ENTRIES_PER_SUBCRQ); -- atomic_inc(&adapter->running_cap_crqs); - ibmvnic_send_crq(adapter, &crq); -+ cap_reqs--; - - crq.query_capability.capability = cpu_to_be16(TCP_IP_OFFLOAD); -- atomic_inc(&adapter->running_cap_crqs); - ibmvnic_send_crq(adapter, &crq); -+ cap_reqs--; - - crq.query_capability.capability = cpu_to_be16(PROMISC_SUPPORTED); -- atomic_inc(&adapter->running_cap_crqs); - ibmvnic_send_crq(adapter, &crq); -+ cap_reqs--; - - crq.query_capability.capability = cpu_to_be16(MIN_MTU); -- atomic_inc(&adapter->running_cap_crqs); - ibmvnic_send_crq(adapter, &crq); -+ cap_reqs--; - - crq.query_capability.capability = cpu_to_be16(MAX_MTU); -- atomic_inc(&adapter->running_cap_crqs); - ibmvnic_send_crq(adapter, &crq); -+ cap_reqs--; - - crq.query_capability.capability = cpu_to_be16(MAX_MULTICAST_FILTERS); -- atomic_inc(&adapter->running_cap_crqs); - ibmvnic_send_crq(adapter, &crq); -+ cap_reqs--; - - crq.query_capability.capability = cpu_to_be16(VLAN_HEADER_INSERTION); -- atomic_inc(&adapter->running_cap_crqs); - ibmvnic_send_crq(adapter, &crq); -+ cap_reqs--; - - crq.query_capability.capability = cpu_to_be16(RX_VLAN_HEADER_INSERTION); -- atomic_inc(&adapter->running_cap_crqs); - ibmvnic_send_crq(adapter, &crq); -+ cap_reqs--; - - crq.query_capability.capability = cpu_to_be16(MAX_TX_SG_ENTRIES); -- atomic_inc(&adapter->running_cap_crqs); - ibmvnic_send_crq(adapter, &crq); -+ cap_reqs--; - - crq.query_capability.capability = cpu_to_be16(RX_SG_SUPPORTED); -- atomic_inc(&adapter->running_cap_crqs); - ibmvnic_send_crq(adapter, &crq); -+ cap_reqs--; - - crq.query_capability.capability = cpu_to_be16(OPT_TX_COMP_SUB_QUEUES); -- atomic_inc(&adapter->running_cap_crqs); - ibmvnic_send_crq(adapter, &crq); -+ cap_reqs--; - - crq.query_capability.capability = cpu_to_be16(OPT_RX_COMP_QUEUES); -- atomic_inc(&adapter->running_cap_crqs); - ibmvnic_send_crq(adapter, &crq); -+ cap_reqs--; - - crq.query_capability.capability = - cpu_to_be16(OPT_RX_BUFADD_Q_PER_RX_COMP_Q); -- atomic_inc(&adapter->running_cap_crqs); - ibmvnic_send_crq(adapter, &crq); -+ cap_reqs--; - - crq.query_capability.capability = - cpu_to_be16(OPT_TX_ENTRIES_PER_SUBCRQ); -- atomic_inc(&adapter->running_cap_crqs); - ibmvnic_send_crq(adapter, &crq); -+ cap_reqs--; - - crq.query_capability.capability = - cpu_to_be16(OPT_RXBA_ENTRIES_PER_SUBCRQ); -- atomic_inc(&adapter->running_cap_crqs); - ibmvnic_send_crq(adapter, &crq); -+ cap_reqs--; - - crq.query_capability.capability = cpu_to_be16(TX_RX_DESC_REQ); -- atomic_inc(&adapter->running_cap_crqs); -+ - ibmvnic_send_crq(adapter, &crq); -+ cap_reqs--; -+ -+ /* Keep at end to catch any discrepancy between expected and actual -+ * CRQs sent. -+ */ -+ WARN_ON(cap_reqs != 0); - } - - static void handle_vpd_size_rsp(union ibmvnic_crq *crq, -@@ -3923,6 +3957,8 @@ static void handle_request_cap_rsp(union ibmvnic_crq *crq, - char *name; - - atomic_dec(&adapter->running_cap_crqs); -+ netdev_dbg(adapter->netdev, "Outstanding request-caps: %d\n", -+ atomic_read(&adapter->running_cap_crqs)); - switch (be16_to_cpu(crq->request_capability_rsp.capability)) { - case REQ_TX_QUEUES: - req_value = &adapter->req_tx_queues; --- -2.34.1 - diff --git a/queue-4.19/ipv4-avoid-using-shared-ip-generator-for-connected-s.patch-17436 b/queue-4.19/ipv4-avoid-using-shared-ip-generator-for-connected-s.patch-17436 deleted file mode 100644 index 3874e07dc3c..00000000000 --- a/queue-4.19/ipv4-avoid-using-shared-ip-generator-for-connected-s.patch-17436 +++ /dev/null @@ -1,70 +0,0 @@ -From 56d576ef004c11ade0a556fbd929098ee32b80e2 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 26 Jan 2022 17:10:22 -0800 -Subject: ipv4: avoid using shared IP generator for connected sockets - -From: Eric Dumazet - -[ Upstream commit 23f57406b82de51809d5812afd96f210f8b627f3 ] - -ip_select_ident_segs() has been very conservative about using -the connected socket private generator only for packets with IP_DF -set, claiming it was needed for some VJ compression implementations. - -As mentioned in this referenced document, this can be abused. -(Ref: Off-Path TCP Exploits of the Mixed IPID Assignment) - -Before switching to pure random IPID generation and possibly hurt -some workloads, lets use the private inet socket generator. - -Not only this will remove one vulnerability, this will also -improve performance of TCP flows using pmtudisc==IP_PMTUDISC_DONT - -Fixes: 73f156a6e8c1 ("inetpeer: get rid of ip_id_count") -Signed-off-by: Eric Dumazet -Reviewed-by: David Ahern -Reported-by: Ray Che -Cc: Willy Tarreau -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - include/net/ip.h | 21 ++++++++++----------- - 1 file changed, 10 insertions(+), 11 deletions(-) - -diff --git a/include/net/ip.h b/include/net/ip.h -index e8fa25280cbfd..d1a4efedbc039 100644 ---- a/include/net/ip.h -+++ b/include/net/ip.h -@@ -441,19 +441,18 @@ static inline void ip_select_ident_segs(struct net *net, struct sk_buff *skb, - { - struct iphdr *iph = ip_hdr(skb); - -+ /* We had many attacks based on IPID, use the private -+ * generator as much as we can. -+ */ -+ if (sk && inet_sk(sk)->inet_daddr) { -+ iph->id = htons(inet_sk(sk)->inet_id); -+ inet_sk(sk)->inet_id += segs; -+ return; -+ } - if ((iph->frag_off & htons(IP_DF)) && !skb->ignore_df) { -- /* This is only to work around buggy Windows95/2000 -- * VJ compression implementations. If the ID field -- * does not change, they drop every other packet in -- * a TCP stream using header compression. -- */ -- if (sk && inet_sk(sk)->inet_daddr) { -- iph->id = htons(inet_sk(sk)->inet_id); -- inet_sk(sk)->inet_id += segs; -- } else { -- iph->id = 0; -- } -+ iph->id = 0; - } else { -+ /* Unfortunately we need the big hammer to get a suitable IPID */ - __ip_select_ident(net, iph, segs); - } - } --- -2.34.1 - diff --git a/queue-4.19/ipv4-raw-lock-the-socket-in-raw_bind.patch-21218 b/queue-4.19/ipv4-raw-lock-the-socket-in-raw_bind.patch-21218 deleted file mode 100644 index 4e128c635d9..00000000000 --- a/queue-4.19/ipv4-raw-lock-the-socket-in-raw_bind.patch-21218 +++ /dev/null @@ -1,78 +0,0 @@ -From 2097f6f8192e419b19e27125a2ee80bba4f8d95d Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 26 Jan 2022 16:51:16 -0800 -Subject: ipv4: raw: lock the socket in raw_bind() - -From: Eric Dumazet - -[ Upstream commit 153a0d187e767c68733b8e9f46218eb1f41ab902 ] - -For some reason, raw_bind() forgot to lock the socket. - -BUG: KCSAN: data-race in __ip4_datagram_connect / raw_bind - -write to 0xffff8881170d4308 of 4 bytes by task 5466 on cpu 0: - raw_bind+0x1b0/0x250 net/ipv4/raw.c:739 - inet_bind+0x56/0xa0 net/ipv4/af_inet.c:443 - __sys_bind+0x14b/0x1b0 net/socket.c:1697 - __do_sys_bind net/socket.c:1708 [inline] - __se_sys_bind net/socket.c:1706 [inline] - __x64_sys_bind+0x3d/0x50 net/socket.c:1706 - do_syscall_x64 arch/x86/entry/common.c:50 [inline] - do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80 - entry_SYSCALL_64_after_hwframe+0x44/0xae - -read to 0xffff8881170d4308 of 4 bytes by task 5468 on cpu 1: - __ip4_datagram_connect+0xb7/0x7b0 net/ipv4/datagram.c:39 - ip4_datagram_connect+0x2a/0x40 net/ipv4/datagram.c:89 - inet_dgram_connect+0x107/0x190 net/ipv4/af_inet.c:576 - __sys_connect_file net/socket.c:1900 [inline] - __sys_connect+0x197/0x1b0 net/socket.c:1917 - __do_sys_connect net/socket.c:1927 [inline] - __se_sys_connect net/socket.c:1924 [inline] - __x64_sys_connect+0x3d/0x50 net/socket.c:1924 - do_syscall_x64 arch/x86/entry/common.c:50 [inline] - do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80 - entry_SYSCALL_64_after_hwframe+0x44/0xae - -value changed: 0x00000000 -> 0x0003007f - -Reported by Kernel Concurrency Sanitizer on: -CPU: 1 PID: 5468 Comm: syz-executor.5 Not tainted 5.17.0-rc1-syzkaller #0 -Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 - -Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") -Signed-off-by: Eric Dumazet -Reported-by: syzbot -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin ---- - net/ipv4/raw.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c -index 21800979ed621..8cae691c3c9f4 100644 ---- a/net/ipv4/raw.c -+++ b/net/ipv4/raw.c -@@ -725,6 +725,7 @@ static int raw_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len) - int ret = -EINVAL; - int chk_addr_ret; - -+ lock_sock(sk); - if (sk->sk_state != TCP_CLOSE || addr_len < sizeof(struct sockaddr_in)) - goto out; - -@@ -744,7 +745,9 @@ static int raw_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len) - inet->inet_saddr = 0; /* Use device */ - sk_dst_reset(sk); - ret = 0; --out: return ret; -+out: -+ release_sock(sk); -+ return ret; - } - - /* --- -2.34.1 - diff --git a/queue-4.19/ipv4-tcp-send-zero-ipid-in-synack-messages.patch-24177 b/queue-4.19/ipv4-tcp-send-zero-ipid-in-synack-messages.patch-24177 deleted file mode 100644 index 68fe5a3eede..00000000000 --- a/queue-4.19/ipv4-tcp-send-zero-ipid-in-synack-messages.patch-24177 +++ /dev/null @@ -1,77 +0,0 @@ -From 7e03166080dae3f10aee0a4621f7bcd16125fd4d Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 26 Jan 2022 17:10:21 -0800 -Subject: ipv4: tcp: send zero IPID in SYNACK messages - -From: Eric Dumazet - -[ Upstream commit 970a5a3ea86da637471d3cd04d513a0755aba4bf ] - -In commit 431280eebed9 ("ipv4: tcp: send zero IPID for RST and -ACK sent in SYN-RECV and TIME-WAIT state") we took care of some -ctl packets sent by TCP. - -It turns out we need to use a similar strategy for SYNACK packets. - -By default, they carry IP_DF and IPID==0, but there are ways -to ask them to use the hashed IP ident generator and thus -be used to build off-path attacks. -(Ref: Off-Path TCP Exploits of the Mixed IPID Assignment) - -One of this way is to force (before listener is started) -echo 1 >/proc/sys/net/ipv4/ip_no_pmtu_disc - -Another way is using forged ICMP ICMP_FRAG_NEEDED -with a very small MTU (like 68) to force a false return from -ip_dont_fragment() - -In this patch, ip_build_and_send_pkt() uses the following -heuristics. - -1) Most SYNACK packets are smaller than IPV4_MIN_MTU and therefore -can use IP_DF regardless of the listener or route pmtu setting. - -2) In case the SYNACK packet is bigger than IPV4_MIN_MTU, -we use prandom_u32() generator instead of the IPv4 hashed ident one. - -Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") -Signed-off-by: Eric Dumazet -Reported-by: Ray Che -Reviewed-by: David Ahern -Cc: Geoff Alexander -Cc: Willy Tarreau -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - net/ipv4/ip_output.c | 11 +++++++++-- - 1 file changed, 9 insertions(+), 2 deletions(-) - -diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c -index 25beecee89494..06a981676356c 100644 ---- a/net/ipv4/ip_output.c -+++ b/net/ipv4/ip_output.c -@@ -160,12 +160,19 @@ int ip_build_and_send_pkt(struct sk_buff *skb, const struct sock *sk, - iph->daddr = (opt && opt->opt.srr ? opt->opt.faddr : daddr); - iph->saddr = saddr; - iph->protocol = sk->sk_protocol; -- if (ip_dont_fragment(sk, &rt->dst)) { -+ /* Do not bother generating IPID for small packets (eg SYNACK) */ -+ if (skb->len <= IPV4_MIN_MTU || ip_dont_fragment(sk, &rt->dst)) { - iph->frag_off = htons(IP_DF); - iph->id = 0; - } else { - iph->frag_off = 0; -- __ip_select_ident(net, iph, 1); -+ /* TCP packets here are SYNACK with fat IPv4/TCP options. -+ * Avoid using the hashed IP ident generator. -+ */ -+ if (sk->sk_protocol == IPPROTO_TCP) -+ iph->id = (__force __be16)prandom_u32(); -+ else -+ __ip_select_ident(net, iph, 1); - } - - if (opt && opt->opt.optlen) { --- -2.34.1 - diff --git a/queue-4.19/ipv6_tunnel-rate-limit-warning-messages.patch-5779 b/queue-4.19/ipv6_tunnel-rate-limit-warning-messages.patch-5779 deleted file mode 100644 index bfad11b4e0a..00000000000 --- a/queue-4.19/ipv6_tunnel-rate-limit-warning-messages.patch-5779 +++ /dev/null @@ -1,51 +0,0 @@ -From a90719a0f91989aa1794b40760a86507a2984ff4 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 20 Jan 2022 10:05:46 +0200 -Subject: ipv6_tunnel: Rate limit warning messages - -From: Ido Schimmel - -[ Upstream commit 6cee105e7f2ced596373951d9ea08dacc3883c68 ] - -The warning messages can be invoked from the data path for every packet -transmitted through an ip6gre netdev, leading to high CPU utilization. - -Fix that by rate limiting the messages. - -Fixes: 09c6bbf090ec ("[IPV6]: Do mandatory IPv6 tunnel endpoint checks in realtime") -Reported-by: Maksym Yaremchuk -Tested-by: Maksym Yaremchuk -Signed-off-by: Ido Schimmel -Reviewed-by: Amit Cohen -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin ---- - net/ipv6/ip6_tunnel.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c -index 35c127c3eee78..b647a40376795 100644 ---- a/net/ipv6/ip6_tunnel.c -+++ b/net/ipv6/ip6_tunnel.c -@@ -1005,14 +1005,14 @@ int ip6_tnl_xmit_ctl(struct ip6_tnl *t, - - if (unlikely(!ipv6_chk_addr_and_flags(net, laddr, ldev, false, - 0, IFA_F_TENTATIVE))) -- pr_warn("%s xmit: Local address not yet configured!\n", -- p->name); -+ pr_warn_ratelimited("%s xmit: Local address not yet configured!\n", -+ p->name); - else if (!(p->flags & IP6_TNL_F_ALLOW_LOCAL_REMOTE) && - !ipv6_addr_is_multicast(raddr) && - unlikely(ipv6_chk_addr_and_flags(net, raddr, ldev, - true, 0, IFA_F_TENTATIVE))) -- pr_warn("%s xmit: Routing loop! Remote address found on this node!\n", -- p->name); -+ pr_warn_ratelimited("%s xmit: Routing loop! Remote address found on this node!\n", -+ p->name); - else - ret = 1; - rcu_read_unlock(); --- -2.34.1 - diff --git a/queue-4.19/net-fix-information-leakage-in-proc-net-ptype.patch-9405 b/queue-4.19/net-fix-information-leakage-in-proc-net-ptype.patch-9405 deleted file mode 100644 index 18fb395b2bd..00000000000 --- a/queue-4.19/net-fix-information-leakage-in-proc-net-ptype.patch-9405 +++ /dev/null @@ -1,78 +0,0 @@ -From 0a1f7a6d7f25d840f88e3fa256ec7b2cf31288d1 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 18 Jan 2022 14:20:13 -0500 -Subject: net: fix information leakage in /proc/net/ptype - -From: Congyu Liu - -[ Upstream commit 47934e06b65637c88a762d9c98329ae6e3238888 ] - -In one net namespace, after creating a packet socket without binding -it to a device, users in other net namespaces can observe the new -`packet_type` added by this packet socket by reading `/proc/net/ptype` -file. This is minor information leakage as packet socket is -namespace aware. - -Add a net pointer in `packet_type` to keep the net namespace of -of corresponding packet socket. In `ptype_seq_show`, this net pointer -must be checked when it is not NULL. - -Fixes: 2feb27dbe00c ("[NETNS]: Minor information leak via /proc/net/ptype file.") -Signed-off-by: Congyu Liu -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin ---- - include/linux/netdevice.h | 1 + - net/core/net-procfs.c | 3 ++- - net/packet/af_packet.c | 2 ++ - 3 files changed, 5 insertions(+), 1 deletion(-) - -diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h -index 50ab7c8fd3090..58ee9d2d6a3ca 100644 ---- a/include/linux/netdevice.h -+++ b/include/linux/netdevice.h -@@ -2346,6 +2346,7 @@ struct packet_type { - struct net_device *); - bool (*id_match)(struct packet_type *ptype, - struct sock *sk); -+ struct net *af_packet_net; - void *af_packet_priv; - struct list_head list; - }; -diff --git a/net/core/net-procfs.c b/net/core/net-procfs.c -index 63881f72ef71c..6d4343e0092f5 100644 ---- a/net/core/net-procfs.c -+++ b/net/core/net-procfs.c -@@ -252,7 +252,8 @@ static int ptype_seq_show(struct seq_file *seq, void *v) - - if (v == SEQ_START_TOKEN) - seq_puts(seq, "Type Device Function\n"); -- else if (pt->dev == NULL || dev_net(pt->dev) == seq_file_net(seq)) { -+ else if ((!pt->af_packet_net || net_eq(pt->af_packet_net, seq_file_net(seq))) && -+ (!pt->dev || net_eq(dev_net(pt->dev), seq_file_net(seq)))) { - if (pt->type == htons(ETH_P_ALL)) - seq_puts(seq, "ALL "); - else -diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c -index 1309161032d50..7503a4b02c594 100644 ---- a/net/packet/af_packet.c -+++ b/net/packet/af_packet.c -@@ -1716,6 +1716,7 @@ static int fanout_add(struct sock *sk, u16 id, u16 type_flags) - match->prot_hook.dev = po->prot_hook.dev; - match->prot_hook.func = packet_rcv_fanout; - match->prot_hook.af_packet_priv = match; -+ match->prot_hook.af_packet_net = read_pnet(&match->net); - match->prot_hook.id_match = match_fanout_group; - list_add(&match->list, &fanout_list); - } -@@ -3294,6 +3295,7 @@ static int packet_create(struct net *net, struct socket *sock, int protocol, - po->prot_hook.func = packet_rcv_spkt; - - po->prot_hook.af_packet_priv = sk; -+ po->prot_hook.af_packet_net = sock_net(sk); - - if (proto) { - po->prot_hook.type = proto; --- -2.34.1 - diff --git a/queue-4.19/net-procfs-show-net-devices-bound-packet-types.patch-5310 b/queue-4.19/net-procfs-show-net-devices-bound-packet-types.patch-5310 deleted file mode 100644 index 5bdcce31f2a..00000000000 --- a/queue-4.19/net-procfs-show-net-devices-bound-packet-types.patch-5310 +++ /dev/null @@ -1,117 +0,0 @@ -From 8aafe7fb245841bae3be744c531c3b9ca09bc006 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 21 Jan 2022 17:15:31 +0800 -Subject: net-procfs: show net devices bound packet types - -From: Jianguo Wu - -[ Upstream commit 1d10f8a1f40b965d449e8f2d5ed7b96a7c138b77 ] - -After commit:7866a621043f ("dev: add per net_device packet type chains"), -we can not get packet types that are bound to a specified net device by -/proc/net/ptype, this patch fix the regression. - -Run "tcpdump -i ens192 udp -nns0" Before and after apply this patch: - -Before: - [root@localhost ~]# cat /proc/net/ptype - Type Device Function - 0800 ip_rcv - 0806 arp_rcv - 86dd ipv6_rcv - -After: - [root@localhost ~]# cat /proc/net/ptype - Type Device Function - ALL ens192 tpacket_rcv - 0800 ip_rcv - 0806 arp_rcv - 86dd ipv6_rcv - -v1 -> v2: - - fix the regression rather than adding new /proc API as - suggested by Stephen Hemminger. - -Fixes: 7866a621043f ("dev: add per net_device packet type chains") -Signed-off-by: Jianguo Wu -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin ---- - net/core/net-procfs.c | 35 ++++++++++++++++++++++++++++++++--- - 1 file changed, 32 insertions(+), 3 deletions(-) - -diff --git a/net/core/net-procfs.c b/net/core/net-procfs.c -index 6d4343e0092f5..2808c5f9c1f05 100644 ---- a/net/core/net-procfs.c -+++ b/net/core/net-procfs.c -@@ -182,12 +182,23 @@ static const struct seq_operations softnet_seq_ops = { - .show = softnet_seq_show, - }; - --static void *ptype_get_idx(loff_t pos) -+static void *ptype_get_idx(struct seq_file *seq, loff_t pos) - { -+ struct list_head *ptype_list = NULL; - struct packet_type *pt = NULL; -+ struct net_device *dev; - loff_t i = 0; - int t; - -+ for_each_netdev_rcu(seq_file_net(seq), dev) { -+ ptype_list = &dev->ptype_all; -+ list_for_each_entry_rcu(pt, ptype_list, list) { -+ if (i == pos) -+ return pt; -+ ++i; -+ } -+ } -+ - list_for_each_entry_rcu(pt, &ptype_all, list) { - if (i == pos) - return pt; -@@ -208,22 +219,40 @@ static void *ptype_seq_start(struct seq_file *seq, loff_t *pos) - __acquires(RCU) - { - rcu_read_lock(); -- return *pos ? ptype_get_idx(*pos - 1) : SEQ_START_TOKEN; -+ return *pos ? ptype_get_idx(seq, *pos - 1) : SEQ_START_TOKEN; - } - - static void *ptype_seq_next(struct seq_file *seq, void *v, loff_t *pos) - { -+ struct net_device *dev; - struct packet_type *pt; - struct list_head *nxt; - int hash; - - ++*pos; - if (v == SEQ_START_TOKEN) -- return ptype_get_idx(0); -+ return ptype_get_idx(seq, 0); - - pt = v; - nxt = pt->list.next; -+ if (pt->dev) { -+ if (nxt != &pt->dev->ptype_all) -+ goto found; -+ -+ dev = pt->dev; -+ for_each_netdev_continue_rcu(seq_file_net(seq), dev) { -+ if (!list_empty(&dev->ptype_all)) { -+ nxt = dev->ptype_all.next; -+ goto found; -+ } -+ } -+ -+ nxt = ptype_all.next; -+ goto ptype_all; -+ } -+ - if (pt->type == htons(ETH_P_ALL)) { -+ptype_all: - if (nxt != &ptype_all) - goto found; - hash = 0; --- -2.34.1 - diff --git a/queue-4.19/nfs-ensure-the-server-has-an-up-to-date-ctime-before.patch-22722 b/queue-4.19/nfs-ensure-the-server-has-an-up-to-date-ctime-before.patch-22722 deleted file mode 100644 index 031fbe8bcf5..00000000000 --- a/queue-4.19/nfs-ensure-the-server-has-an-up-to-date-ctime-before.patch-22722 +++ /dev/null @@ -1,37 +0,0 @@ -From 167b2877031986e42327a3a8743fb60a0d32f536 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 15 Dec 2021 16:38:16 -0500 -Subject: NFS: Ensure the server has an up to date ctime before renaming - -From: Trond Myklebust - -[ Upstream commit 6ff9d99bb88faebf134ca668842349d9718e5464 ] - -Renaming a file is required by POSIX to update the file ctime, so -ensure that the file data is synced to disk so that we don't clobber the -updated ctime by writing back after creating the hard link. - -Fixes: f2c2c552f119 ("NFS: Move delegation recall into the NFSv4 callback for rename_setup()") -Signed-off-by: Trond Myklebust -Signed-off-by: Anna Schumaker -Signed-off-by: Sasha Levin ---- - fs/nfs/dir.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c -index f53304bd99fc7..432470502838c 100644 ---- a/fs/nfs/dir.c -+++ b/fs/nfs/dir.c -@@ -2105,6 +2105,8 @@ int nfs_rename(struct inode *old_dir, struct dentry *old_dentry, - } - } - -+ if (S_ISREG(old_inode->i_mode)) -+ nfs_sync_inode(old_inode); - task = nfs_async_rename(old_dir, new_dir, old_dentry, new_dentry, NULL); - if (IS_ERR(task)) { - error = PTR_ERR(task); --- -2.34.1 - diff --git a/queue-4.19/nfs-ensure-the-server-has-an-up-to-date-ctime-before.patch-29305 b/queue-4.19/nfs-ensure-the-server-has-an-up-to-date-ctime-before.patch-29305 deleted file mode 100644 index 992a7361878..00000000000 --- a/queue-4.19/nfs-ensure-the-server-has-an-up-to-date-ctime-before.patch-29305 +++ /dev/null @@ -1,37 +0,0 @@ -From dbc5fbdd5c8d640b7f541d814dd6627707a28841 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 15 Dec 2021 16:38:15 -0500 -Subject: NFS: Ensure the server has an up to date ctime before hardlinking - -From: Trond Myklebust - -[ Upstream commit 204975036b34f55237bc44c8a302a88468ef21b5 ] - -Creating a hard link is required by POSIX to update the file ctime, so -ensure that the file data is synced to disk so that we don't clobber the -updated ctime by writing back after creating the hard link. - -Fixes: 9f7682728728 ("NFS: Move the delegation return down into nfs4_proc_link()") -Signed-off-by: Trond Myklebust -Signed-off-by: Anna Schumaker -Signed-off-by: Sasha Levin ---- - fs/nfs/dir.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c -index 733fd9e4f0a15..f53304bd99fc7 100644 ---- a/fs/nfs/dir.c -+++ b/fs/nfs/dir.c -@@ -2015,6 +2015,8 @@ nfs_link(struct dentry *old_dentry, struct inode *dir, struct dentry *dentry) - - trace_nfs_link_enter(inode, dir, dentry); - d_drop(dentry); -+ if (S_ISREG(inode->i_mode)) -+ nfs_sync_inode(inode); - error = NFS_PROTO(dir)->link(inode, dir, &dentry->d_name); - if (error == 0) { - ihold(inode); --- -2.34.1 - diff --git a/queue-4.19/nfsv4-handle-case-where-the-lookup-of-a-directory-fa.patch-18733 b/queue-4.19/nfsv4-handle-case-where-the-lookup-of-a-directory-fa.patch-18733 deleted file mode 100644 index 5a40f8c1520..00000000000 --- a/queue-4.19/nfsv4-handle-case-where-the-lookup-of-a-directory-fa.patch-18733 +++ /dev/null @@ -1,52 +0,0 @@ -From 16f59d3e54cf999fdfe4139d0095009452df2471 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 6 Jan 2022 18:24:02 -0500 -Subject: NFSv4: Handle case where the lookup of a directory fails - -From: Trond Myklebust - -[ Upstream commit ac795161c93699d600db16c1a8cc23a65a1eceaf ] - -If the application sets the O_DIRECTORY flag, and tries to open a -regular file, nfs_atomic_open() will punt to doing a regular lookup. -If the server then returns a regular file, we will happily return a -file descriptor with uninitialised open state. - -The fix is to return the expected ENOTDIR error in these cases. - -Reported-by: Lyu Tao -Fixes: 0dd2b474d0b6 ("nfs: implement i_op->atomic_open()") -Signed-off-by: Trond Myklebust -Signed-off-by: Anna Schumaker -Signed-off-by: Sasha Levin ---- - fs/nfs/dir.c | 13 +++++++++++++ - 1 file changed, 13 insertions(+) - -diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c -index 432470502838c..02df2e89f1cb4 100644 ---- a/fs/nfs/dir.c -+++ b/fs/nfs/dir.c -@@ -1626,6 +1626,19 @@ out: - - no_open: - res = nfs_lookup(dir, dentry, lookup_flags); -+ if (!res) { -+ inode = d_inode(dentry); -+ if ((lookup_flags & LOOKUP_DIRECTORY) && inode && -+ !S_ISDIR(inode->i_mode)) -+ res = ERR_PTR(-ENOTDIR); -+ } else if (!IS_ERR(res)) { -+ inode = d_inode(res); -+ if ((lookup_flags & LOOKUP_DIRECTORY) && inode && -+ !S_ISDIR(inode->i_mode)) { -+ dput(res); -+ res = ERR_PTR(-ENOTDIR); -+ } -+ } - if (switched) { - d_lookup_done(dentry); - if (!res) --- -2.34.1 - diff --git a/queue-4.19/nfsv4-nfs_atomic_open-can-race-when-looking-up-a-non.patch-18710 b/queue-4.19/nfsv4-nfs_atomic_open-can-race-when-looking-up-a-non.patch-18710 deleted file mode 100644 index 8c0584498f0..00000000000 --- a/queue-4.19/nfsv4-nfs_atomic_open-can-race-when-looking-up-a-non.patch-18710 +++ /dev/null @@ -1,45 +0,0 @@ -From 26a8ae675a4f896372ee9bb389a12549462c5de2 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 6 Jan 2022 18:24:03 -0500 -Subject: NFSv4: nfs_atomic_open() can race when looking up a non-regular file - -From: Trond Myklebust - -[ Upstream commit 1751fc1db36f6f411709e143d5393f92d12137a9 ] - -If the file type changes back to being a regular file on the server -between the failed OPEN and our LOOKUP, then we need to re-run the OPEN. - -Fixes: 0dd2b474d0b6 ("nfs: implement i_op->atomic_open()") -Signed-off-by: Trond Myklebust -Signed-off-by: Anna Schumaker -Signed-off-by: Sasha Levin ---- - fs/nfs/dir.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c -index 02df2e89f1cb4..a968b8b4b982f 100644 ---- a/fs/nfs/dir.c -+++ b/fs/nfs/dir.c -@@ -1631,12 +1631,17 @@ no_open: - if ((lookup_flags & LOOKUP_DIRECTORY) && inode && - !S_ISDIR(inode->i_mode)) - res = ERR_PTR(-ENOTDIR); -+ else if (inode && S_ISREG(inode->i_mode)) -+ res = ERR_PTR(-EOPENSTALE); - } else if (!IS_ERR(res)) { - inode = d_inode(res); - if ((lookup_flags & LOOKUP_DIRECTORY) && inode && - !S_ISDIR(inode->i_mode)) { - dput(res); - res = ERR_PTR(-ENOTDIR); -+ } else if (inode && S_ISREG(inode->i_mode)) { -+ dput(res); -+ res = ERR_PTR(-EOPENSTALE); - } - } - if (switched) { --- -2.34.1 - diff --git a/queue-4.19/phylib-fix-potential-use-after-free.patch-14076 b/queue-4.19/phylib-fix-potential-use-after-free.patch-14076 deleted file mode 100644 index 9d2a762a773..00000000000 --- a/queue-4.19/phylib-fix-potential-use-after-free.patch-14076 +++ /dev/null @@ -1,58 +0,0 @@ -From e7b5efd0fe774e034faf3706316fddc43e8e97e9 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 19 Jan 2022 17:27:48 +0100 -Subject: phylib: fix potential use-after-free -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Marek Behún - -[ Upstream commit cbda1b16687580d5beee38273f6241ae3725960c ] - -Commit bafbdd527d56 ("phylib: Add device reset GPIO support") added call -to phy_device_reset(phydev) after the put_device() call in phy_detach(). - -The comment before the put_device() call says that the phydev might go -away with put_device(). - -Fix potential use-after-free by calling phy_device_reset() before -put_device(). - -Fixes: bafbdd527d56 ("phylib: Add device reset GPIO support") -Signed-off-by: Marek Behún -Reviewed-by: Andrew Lunn -Link: https://lore.kernel.org/r/20220119162748.32418-1-kabel@kernel.org -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - drivers/net/phy/phy_device.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c -index b884b681d5c52..a03d0627efb06 100644 ---- a/drivers/net/phy/phy_device.c -+++ b/drivers/net/phy/phy_device.c -@@ -1166,6 +1166,9 @@ void phy_detach(struct phy_device *phydev) - phydev->mdio.dev.driver == &genphy_driver.mdiodrv.driver) - device_release_driver(&phydev->mdio.dev); - -+ /* Assert the reset signal */ -+ phy_device_reset(phydev, 1); -+ - /* - * The phydev might go away on the put_device() below, so avoid - * a use-after-free bug by reading the underlying bus first. -@@ -1175,9 +1178,6 @@ void phy_detach(struct phy_device *phydev) - put_device(&phydev->mdio.dev); - if (ndev_owner != bus->owner) - module_put(bus->owner); -- -- /* Assert the reset signal */ -- phy_device_reset(phydev, 1); - } - EXPORT_SYMBOL(phy_detach); - --- -2.34.1 - diff --git a/queue-4.19/ping-fix-the-sk_bound_dev_if-match-in-ping_lookup.patch-26915 b/queue-4.19/ping-fix-the-sk_bound_dev_if-match-in-ping_lookup.patch-26915 deleted file mode 100644 index aa085c73231..00000000000 --- a/queue-4.19/ping-fix-the-sk_bound_dev_if-match-in-ping_lookup.patch-26915 +++ /dev/null @@ -1,51 +0,0 @@ -From 56211c904880c3c23febc8f46e6c4cf8029e2362 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sat, 22 Jan 2022 06:40:56 -0500 -Subject: ping: fix the sk_bound_dev_if match in ping_lookup - -From: Xin Long - -[ Upstream commit 2afc3b5a31f9edf3ef0f374f5d70610c79c93a42 ] - -When 'ping' changes to use PING socket instead of RAW socket by: - - # sysctl -w net.ipv4.ping_group_range="0 100" - -the selftests 'router_broadcast.sh' will fail, as such command - - # ip vrf exec vrf-h1 ping -I veth0 198.51.100.255 -b - -can't receive the response skb by the PING socket. It's caused by mismatch -of sk_bound_dev_if and dif in ping_rcv() when looking up the PING socket, -as dif is vrf-h1 if dif's master was set to vrf-h1. - -This patch is to fix this regression by also checking the sk_bound_dev_if -against sdif so that the packets can stil be received even if the socket -is not bound to the vrf device but to the real iif. - -Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind") -Reported-by: Hangbin Liu -Signed-off-by: Xin Long -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin ---- - net/ipv4/ping.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c -index 862744c285482..276442443d322 100644 ---- a/net/ipv4/ping.c -+++ b/net/ipv4/ping.c -@@ -225,7 +225,8 @@ static struct sock *ping_lookup(struct net *net, struct sk_buff *skb, u16 ident) - continue; - } - -- if (sk->sk_bound_dev_if && sk->sk_bound_dev_if != dif) -+ if (sk->sk_bound_dev_if && sk->sk_bound_dev_if != dif && -+ sk->sk_bound_dev_if != inet_sdif(skb)) - continue; - - sock_hold(sk); --- -2.34.1 - diff --git a/queue-4.19/rpmsg-char-fix-race-between-the-release-of-rpmsg_ctr.patch-30705 b/queue-4.19/rpmsg-char-fix-race-between-the-release-of-rpmsg_ctr.patch-30705 deleted file mode 100644 index 2d483121ae8..00000000000 --- a/queue-4.19/rpmsg-char-fix-race-between-the-release-of-rpmsg_ctr.patch-30705 +++ /dev/null @@ -1,117 +0,0 @@ -From 98a89d3eced95df752e4177266076ef4a5c85142 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 10 Jan 2022 10:47:36 -0800 -Subject: rpmsg: char: Fix race between the release of rpmsg_ctrldev and cdev - -From: Sujit Kautkar - -[ Upstream commit b7fb2dad571d1e21173c06cef0bced77b323990a ] - -struct rpmsg_ctrldev contains a struct cdev. The current code frees -the rpmsg_ctrldev struct in rpmsg_ctrldev_release_device(), but the -cdev is a managed object, therefore its release is not predictable -and the rpmsg_ctrldev could be freed before the cdev is entirely -released, as in the backtrace below. - -[ 93.625603] ODEBUG: free active (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x7c -[ 93.636115] WARNING: CPU: 0 PID: 12 at lib/debugobjects.c:488 debug_print_object+0x13c/0x1b0 -[ 93.644799] Modules linked in: veth xt_cgroup xt_MASQUERADE rfcomm algif_hash algif_skcipher af_alg uinput ip6table_nat fuse uvcvideo videobuf2_vmalloc venus_enc venus_dec videobuf2_dma_contig hci_uart btandroid btqca snd_soc_rt5682_i2c bluetooth qcom_spmi_temp_alarm snd_soc_rt5682v -[ 93.715175] CPU: 0 PID: 12 Comm: kworker/0:1 Tainted: G B 5.4.163-lockdep #26 -[ 93.723855] Hardware name: Google Lazor (rev3 - 8) with LTE (DT) -[ 93.730055] Workqueue: events kobject_delayed_cleanup -[ 93.735271] pstate: 60c00009 (nZCv daif +PAN +UAO) -[ 93.740216] pc : debug_print_object+0x13c/0x1b0 -[ 93.744890] lr : debug_print_object+0x13c/0x1b0 -[ 93.749555] sp : ffffffacf5bc7940 -[ 93.752978] x29: ffffffacf5bc7940 x28: dfffffd000000000 -[ 93.758448] x27: ffffffacdb11a800 x26: dfffffd000000000 -[ 93.763916] x25: ffffffd0734f856c x24: dfffffd000000000 -[ 93.769389] x23: 0000000000000000 x22: ffffffd0733c35b0 -[ 93.774860] x21: ffffffd0751994a0 x20: ffffffd075ec27c0 -[ 93.780338] x19: ffffffd075199100 x18: 00000000000276e0 -[ 93.785814] x17: 0000000000000000 x16: dfffffd000000000 -[ 93.791291] x15: ffffffffffffffff x14: 6e6968207473696c -[ 93.796768] x13: 0000000000000000 x12: ffffffd075e2b000 -[ 93.802244] x11: 0000000000000001 x10: 0000000000000000 -[ 93.807723] x9 : d13400dff1921900 x8 : d13400dff1921900 -[ 93.813200] x7 : 0000000000000000 x6 : 0000000000000000 -[ 93.818676] x5 : 0000000000000080 x4 : 0000000000000000 -[ 93.824152] x3 : ffffffd0732a0fa4 x2 : 0000000000000001 -[ 93.829628] x1 : ffffffacf5bc7580 x0 : 0000000000000061 -[ 93.835104] Call trace: -[ 93.837644] debug_print_object+0x13c/0x1b0 -[ 93.841963] __debug_check_no_obj_freed+0x25c/0x3c0 -[ 93.846987] debug_check_no_obj_freed+0x18/0x20 -[ 93.851669] slab_free_freelist_hook+0xbc/0x1e4 -[ 93.856346] kfree+0xfc/0x2f4 -[ 93.859416] rpmsg_ctrldev_release_device+0x78/0xb8 -[ 93.864445] device_release+0x84/0x168 -[ 93.868310] kobject_cleanup+0x12c/0x298 -[ 93.872356] kobject_delayed_cleanup+0x10/0x18 -[ 93.876948] process_one_work+0x578/0x92c -[ 93.881086] worker_thread+0x804/0xcf8 -[ 93.884963] kthread+0x2a8/0x314 -[ 93.888303] ret_from_fork+0x10/0x18 - -The cdev_device_add/del() API was created to address this issue (see -commit '233ed09d7fda ("chardev: add helper function to register char -devs with a struct device")'), use it instead of cdev add/del(). - -Fixes: c0cdc19f84a4 ("rpmsg: Driver for user space endpoint interface") -Signed-off-by: Sujit Kautkar -Signed-off-by: Matthias Kaehlcke -Reviewed-by: Mathieu Poirier -Reviewed-by: Bjorn Andersson -Reviewed-by: Stephen Boyd -Signed-off-by: Bjorn Andersson -Link: https://lore.kernel.org/r/20220110104706.v6.1.Iaac908f3e3149a89190ce006ba166e2d3fd247a3@changeid -Signed-off-by: Sasha Levin ---- - drivers/rpmsg/rpmsg_char.c | 11 ++--------- - 1 file changed, 2 insertions(+), 9 deletions(-) - -diff --git a/drivers/rpmsg/rpmsg_char.c b/drivers/rpmsg/rpmsg_char.c -index a76b963a7e50f..2995647fb2c20 100644 ---- a/drivers/rpmsg/rpmsg_char.c -+++ b/drivers/rpmsg/rpmsg_char.c -@@ -455,7 +455,6 @@ static void rpmsg_ctrldev_release_device(struct device *dev) - - ida_simple_remove(&rpmsg_ctrl_ida, dev->id); - ida_simple_remove(&rpmsg_minor_ida, MINOR(dev->devt)); -- cdev_del(&ctrldev->cdev); - kfree(ctrldev); - } - -@@ -490,19 +489,13 @@ static int rpmsg_chrdev_probe(struct rpmsg_device *rpdev) - dev->id = ret; - dev_set_name(&ctrldev->dev, "rpmsg_ctrl%d", ret); - -- ret = cdev_add(&ctrldev->cdev, dev->devt, 1); -+ ret = cdev_device_add(&ctrldev->cdev, &ctrldev->dev); - if (ret) - goto free_ctrl_ida; - - /* We can now rely on the release function for cleanup */ - dev->release = rpmsg_ctrldev_release_device; - -- ret = device_add(dev); -- if (ret) { -- dev_err(&rpdev->dev, "device_add failed: %d\n", ret); -- put_device(dev); -- } -- - dev_set_drvdata(&rpdev->dev, ctrldev); - - return ret; -@@ -528,7 +521,7 @@ static void rpmsg_chrdev_remove(struct rpmsg_device *rpdev) - if (ret) - dev_warn(&rpdev->dev, "failed to nuke endpoints: %d\n", ret); - -- device_del(&ctrldev->dev); -+ cdev_device_del(&ctrldev->cdev, &ctrldev->dev); - put_device(&ctrldev->dev); - } - --- -2.34.1 - diff --git a/queue-4.19/rpmsg-char-fix-race-between-the-release-of-rpmsg_ept.patch-13389 b/queue-4.19/rpmsg-char-fix-race-between-the-release-of-rpmsg_ept.patch-13389 deleted file mode 100644 index fa83c92c6c3..00000000000 --- a/queue-4.19/rpmsg-char-fix-race-between-the-release-of-rpmsg_ept.patch-13389 +++ /dev/null @@ -1,76 +0,0 @@ -From e949451a4f2488feb83ada00a2be1a8da412bf8e Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 10 Jan 2022 10:47:37 -0800 -Subject: rpmsg: char: Fix race between the release of rpmsg_eptdev and cdev - -From: Matthias Kaehlcke - -[ Upstream commit 7a534ae89e34e9b51acb5a63dd0f88308178b46a ] - -struct rpmsg_eptdev contains a struct cdev. The current code frees -the rpmsg_eptdev struct in rpmsg_eptdev_destroy(), but the cdev is -a managed object, therefore its release is not predictable and the -rpmsg_eptdev could be freed before the cdev is entirely released. - -The cdev_device_add/del() API was created to address this issue -(see commit '233ed09d7fda ("chardev: add helper function to register -char devs with a struct device")'), use it instead of cdev add/del(). - -Fixes: c0cdc19f84a4 ("rpmsg: Driver for user space endpoint interface") -Suggested-by: Bjorn Andersson -Signed-off-by: Matthias Kaehlcke -Reviewed-by: Mathieu Poirier -Reviewed-by: Stephen Boyd -Reviewed-by: Bjorn Andersson -Signed-off-by: Bjorn Andersson -Link: https://lore.kernel.org/r/20220110104706.v6.2.Idde68b05b88d4a2e6e54766c653f3a6d9e419ce6@changeid -Signed-off-by: Sasha Levin ---- - drivers/rpmsg/rpmsg_char.c | 11 ++--------- - 1 file changed, 2 insertions(+), 9 deletions(-) - -diff --git a/drivers/rpmsg/rpmsg_char.c b/drivers/rpmsg/rpmsg_char.c -index 2995647fb2c20..d153fb1bf65f1 100644 ---- a/drivers/rpmsg/rpmsg_char.c -+++ b/drivers/rpmsg/rpmsg_char.c -@@ -92,7 +92,7 @@ static int rpmsg_eptdev_destroy(struct device *dev, void *data) - /* wake up any blocked readers */ - wake_up_interruptible(&eptdev->readq); - -- device_del(&eptdev->dev); -+ cdev_device_del(&eptdev->cdev, &eptdev->dev); - put_device(&eptdev->dev); - - return 0; -@@ -329,7 +329,6 @@ static void rpmsg_eptdev_release_device(struct device *dev) - - ida_simple_remove(&rpmsg_ept_ida, dev->id); - ida_simple_remove(&rpmsg_minor_ida, MINOR(eptdev->dev.devt)); -- cdev_del(&eptdev->cdev); - kfree(eptdev); - } - -@@ -374,19 +373,13 @@ static int rpmsg_eptdev_create(struct rpmsg_ctrldev *ctrldev, - dev->id = ret; - dev_set_name(dev, "rpmsg%d", ret); - -- ret = cdev_add(&eptdev->cdev, dev->devt, 1); -+ ret = cdev_device_add(&eptdev->cdev, &eptdev->dev); - if (ret) - goto free_ept_ida; - - /* We can now rely on the release function for cleanup */ - dev->release = rpmsg_eptdev_release_device; - -- ret = device_add(dev); -- if (ret) { -- dev_err(dev, "device_add failed: %d\n", ret); -- put_device(dev); -- } -- - return ret; - - free_ept_ida: --- -2.34.1 - diff --git a/queue-4.19/scsi-bnx2fc-flush-destroy_work-queue-before-calling-.patch-750 b/queue-4.19/scsi-bnx2fc-flush-destroy_work-queue-before-calling-.patch-750 deleted file mode 100644 index 45678bf7053..00000000000 --- a/queue-4.19/scsi-bnx2fc-flush-destroy_work-queue-before-calling-.patch-750 +++ /dev/null @@ -1,152 +0,0 @@ -From a38c84c24286f4c3845b1b72b0984441ce0b80d3 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 14 Jan 2022 23:00:44 -0500 -Subject: scsi: bnx2fc: Flush destroy_work queue before calling - bnx2fc_interface_put() - -From: John Meneghini - -[ Upstream commit 847f9ea4c5186fdb7b84297e3eeed9e340e83fce ] - -The bnx2fc_destroy() functions are removing the interface before calling -destroy_work. This results multiple WARNings from sysfs_remove_group() as -the controller rport device attributes are removed too early. - -Replace the fcoe_port's destroy_work queue. It's not needed. - -The problem is easily reproducible with the following steps. - -Example: - - $ dmesg -w & - $ systemctl enable --now fcoe - $ fipvlan -s -c ens2f1 - $ fcoeadm -d ens2f1.802 - [ 583.464488] host2: libfc: Link down on port (7500a1) - [ 583.472651] bnx2fc: 7500a1 - rport not created Yet!! - [ 583.490468] ------------[ cut here ]------------ - [ 583.538725] sysfs group 'power' not found for kobject 'rport-2:0-0' - [ 583.568814] WARNING: CPU: 3 PID: 192 at fs/sysfs/group.c:279 sysfs_remove_group+0x6f/0x80 - [ 583.607130] Modules linked in: dm_service_time 8021q garp mrp stp llc bnx2fc cnic uio rpcsec_gss_krb5 auth_rpcgss nfsv4 ... - [ 583.942994] CPU: 3 PID: 192 Comm: kworker/3:2 Kdump: loaded Not tainted 5.14.0-39.el9.x86_64 #1 - [ 583.984105] Hardware name: HP ProLiant DL120 G7, BIOS J01 07/01/2013 - [ 584.016535] Workqueue: fc_wq_2 fc_rport_final_delete [scsi_transport_fc] - [ 584.050691] RIP: 0010:sysfs_remove_group+0x6f/0x80 - [ 584.074725] Code: ff 5b 48 89 ef 5d 41 5c e9 ee c0 ff ff 48 89 ef e8 f6 b8 ff ff eb d1 49 8b 14 24 48 8b 33 48 c7 c7 ... - [ 584.162586] RSP: 0018:ffffb567c15afdc0 EFLAGS: 00010282 - [ 584.188225] RAX: 0000000000000000 RBX: ffffffff8eec4220 RCX: 0000000000000000 - [ 584.221053] RDX: ffff8c1586ce84c0 RSI: ffff8c1586cd7cc0 RDI: ffff8c1586cd7cc0 - [ 584.255089] RBP: 0000000000000000 R08: 0000000000000000 R09: ffffb567c15afc00 - [ 584.287954] R10: ffffb567c15afbf8 R11: ffffffff8fbe7f28 R12: ffff8c1486326400 - [ 584.322356] R13: ffff8c1486326480 R14: ffff8c1483a4a000 R15: 0000000000000004 - [ 584.355379] FS: 0000000000000000(0000) GS:ffff8c1586cc0000(0000) knlGS:0000000000000000 - [ 584.394419] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 - [ 584.421123] CR2: 00007fe95a6f7840 CR3: 0000000107674002 CR4: 00000000000606e0 - [ 584.454888] Call Trace: - [ 584.466108] device_del+0xb2/0x3e0 - [ 584.481701] device_unregister+0x13/0x60 - [ 584.501306] bsg_unregister_queue+0x5b/0x80 - [ 584.522029] bsg_remove_queue+0x1c/0x40 - [ 584.541884] fc_rport_final_delete+0xf3/0x1d0 [scsi_transport_fc] - [ 584.573823] process_one_work+0x1e3/0x3b0 - [ 584.592396] worker_thread+0x50/0x3b0 - [ 584.609256] ? rescuer_thread+0x370/0x370 - [ 584.628877] kthread+0x149/0x170 - [ 584.643673] ? set_kthread_struct+0x40/0x40 - [ 584.662909] ret_from_fork+0x22/0x30 - [ 584.680002] ---[ end trace 53575ecefa942ece ]--- - -Link: https://lore.kernel.org/r/20220115040044.1013475-1-jmeneghi@redhat.com -Fixes: 0cbf32e1681d ("[SCSI] bnx2fc: Avoid calling bnx2fc_if_destroy with unnecessary locks") -Tested-by: Guangwu Zhang -Co-developed-by: Maurizio Lombardi -Signed-off-by: Maurizio Lombardi -Signed-off-by: John Meneghini -Signed-off-by: Martin K. Petersen -Signed-off-by: Sasha Levin ---- - drivers/scsi/bnx2fc/bnx2fc_fcoe.c | 20 +++++--------------- - 1 file changed, 5 insertions(+), 15 deletions(-) - -diff --git a/drivers/scsi/bnx2fc/bnx2fc_fcoe.c b/drivers/scsi/bnx2fc/bnx2fc_fcoe.c -index 780651c4fc0c4..944ffc83a9944 100644 ---- a/drivers/scsi/bnx2fc/bnx2fc_fcoe.c -+++ b/drivers/scsi/bnx2fc/bnx2fc_fcoe.c -@@ -80,7 +80,7 @@ static int bnx2fc_bind_pcidev(struct bnx2fc_hba *hba); - static void bnx2fc_unbind_pcidev(struct bnx2fc_hba *hba); - static struct fc_lport *bnx2fc_if_create(struct bnx2fc_interface *interface, - struct device *parent, int npiv); --static void bnx2fc_destroy_work(struct work_struct *work); -+static void bnx2fc_port_destroy(struct fcoe_port *port); - - static struct bnx2fc_hba *bnx2fc_hba_lookup(struct net_device *phys_dev); - static struct bnx2fc_interface *bnx2fc_interface_lookup(struct net_device -@@ -911,9 +911,6 @@ static void bnx2fc_indicate_netevent(void *context, unsigned long event, - __bnx2fc_destroy(interface); - } - mutex_unlock(&bnx2fc_dev_lock); -- -- /* Ensure ALL destroy work has been completed before return */ -- flush_workqueue(bnx2fc_wq); - return; - - default: -@@ -1220,8 +1217,8 @@ static int bnx2fc_vport_destroy(struct fc_vport *vport) - mutex_unlock(&n_port->lp_mutex); - bnx2fc_free_vport(interface->hba, port->lport); - bnx2fc_port_shutdown(port->lport); -+ bnx2fc_port_destroy(port); - bnx2fc_interface_put(interface); -- queue_work(bnx2fc_wq, &port->destroy_work); - return 0; - } - -@@ -1530,7 +1527,6 @@ static struct fc_lport *bnx2fc_if_create(struct bnx2fc_interface *interface, - port->lport = lport; - port->priv = interface; - port->get_netdev = bnx2fc_netdev; -- INIT_WORK(&port->destroy_work, bnx2fc_destroy_work); - - /* Configure fcoe_port */ - rc = bnx2fc_lport_config(lport); -@@ -1658,8 +1654,8 @@ static void __bnx2fc_destroy(struct bnx2fc_interface *interface) - bnx2fc_interface_cleanup(interface); - bnx2fc_stop(interface); - list_del(&interface->list); -+ bnx2fc_port_destroy(port); - bnx2fc_interface_put(interface); -- queue_work(bnx2fc_wq, &port->destroy_work); - } - - /** -@@ -1700,15 +1696,12 @@ netdev_err: - return rc; - } - --static void bnx2fc_destroy_work(struct work_struct *work) -+static void bnx2fc_port_destroy(struct fcoe_port *port) - { -- struct fcoe_port *port; - struct fc_lport *lport; - -- port = container_of(work, struct fcoe_port, destroy_work); - lport = port->lport; -- -- BNX2FC_HBA_DBG(lport, "Entered bnx2fc_destroy_work\n"); -+ BNX2FC_HBA_DBG(lport, "Entered %s, destroying lport %p\n", __func__, lport); - - bnx2fc_if_destroy(lport); - } -@@ -2562,9 +2555,6 @@ static void bnx2fc_ulp_exit(struct cnic_dev *dev) - __bnx2fc_destroy(interface); - mutex_unlock(&bnx2fc_dev_lock); - -- /* Ensure ALL destroy work has been completed before return */ -- flush_workqueue(bnx2fc_wq); -- - bnx2fc_ulp_stop(hba); - /* unregister cnic device */ - if (test_and_clear_bit(BNX2FC_CNIC_REGISTERED, &hba->reg_with_cnic)) --- -2.34.1 - diff --git a/queue-4.19/series b/queue-4.19/series index 4eabda397cb..4a1a9082e66 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -16,55 +16,3 @@ usb-gadget-f_sourcesink-fix-isoc-transfer-for-usb_speed_super_plus.patch usb-core-fix-hang-in-usb_kill_urb-by-adding-memory-barriers.patch usb-typec-tcpm-do-not-disconnect-while-receiving-vbus-off.patch net-sfp-ignore-disabled-sfp-node.patch -nfs-ensure-the-server-has-an-up-to-date-ctime-before.patch -nfs-ensure-the-server-has-an-up-to-date-ctime-before.patch-3272 -nfsv4-handle-case-where-the-lookup-of-a-directory-fa.patch -nfsv4-nfs_atomic_open-can-race-when-looking-up-a-non.patch -rpmsg-char-fix-race-between-the-release-of-rpmsg_ctr.patch -rpmsg-char-fix-race-between-the-release-of-rpmsg_ept.patch -arm-9170-1-fix-panic-when-kasan-and-kprobe-are-enabl.patch -net-fix-information-leakage-in-proc-net-ptype.patch -ipv6_tunnel-rate-limit-warning-messages.patch -i40e-increase-delay-to-1-s-after-global-emp-reset.patch -i40e-fix-issue-when-maximum-queues-is-exceeded.patch -i40e-fix-queues-reservation-for-xdp.patch -i40e-fix-unsigned-stat-widths.patch -phylib-fix-potential-use-after-free.patch -hwmon-lm90-reduce-maximum-conversion-rate-for-g781.patch -net-procfs-show-net-devices-bound-packet-types.patch -ibmvnic-init-running_cap_crqs-early.patch -ibmvnic-don-t-spin-in-tasklet.patch -ping-fix-the-sk_bound_dev_if-match-in-ping_lookup.patch -drm-msm-fix-wrong-size-calculation.patch -drm-msm-dsi-invalid-parameter-check-in-msm_dsi_phy_e.patch -scsi-bnx2fc-flush-destroy_work-queue-before-calling-.patch -yam-fix-a-memory-leak-in-yam_siocdevprivate.patch -ipv4-raw-lock-the-socket-in-raw_bind.patch -ipv4-tcp-send-zero-ipid-in-synack-messages.patch -ipv4-avoid-using-shared-ip-generator-for-connected-s.patch -nfs-ensure-the-server-has-an-up-to-date-ctime-before.patch-29305 -nfs-ensure-the-server-has-an-up-to-date-ctime-before.patch-22722 -nfsv4-handle-case-where-the-lookup-of-a-directory-fa.patch-18733 -nfsv4-nfs_atomic_open-can-race-when-looking-up-a-non.patch-18710 -rpmsg-char-fix-race-between-the-release-of-rpmsg_ctr.patch-30705 -rpmsg-char-fix-race-between-the-release-of-rpmsg_ept.patch-13389 -arm-9170-1-fix-panic-when-kasan-and-kprobe-are-enabl.patch-21269 -net-fix-information-leakage-in-proc-net-ptype.patch-9405 -ipv6_tunnel-rate-limit-warning-messages.patch-5779 -i40e-increase-delay-to-1-s-after-global-emp-reset.patch-16088 -i40e-fix-issue-when-maximum-queues-is-exceeded.patch-26847 -i40e-fix-queues-reservation-for-xdp.patch-25963 -i40e-fix-unsigned-stat-widths.patch-22316 -phylib-fix-potential-use-after-free.patch-14076 -hwmon-lm90-reduce-maximum-conversion-rate-for-g781.patch-26288 -net-procfs-show-net-devices-bound-packet-types.patch-5310 -ibmvnic-init-running_cap_crqs-early.patch-27527 -ibmvnic-don-t-spin-in-tasklet.patch-2299 -ping-fix-the-sk_bound_dev_if-match-in-ping_lookup.patch-26915 -drm-msm-fix-wrong-size-calculation.patch-15295 -drm-msm-dsi-invalid-parameter-check-in-msm_dsi_phy_e.patch-8670 -scsi-bnx2fc-flush-destroy_work-queue-before-calling-.patch-750 -yam-fix-a-memory-leak-in-yam_siocdevprivate.patch-11367 -ipv4-raw-lock-the-socket-in-raw_bind.patch-21218 -ipv4-tcp-send-zero-ipid-in-synack-messages.patch-24177 -ipv4-avoid-using-shared-ip-generator-for-connected-s.patch-17436 diff --git a/queue-4.19/yam-fix-a-memory-leak-in-yam_siocdevprivate.patch-11367 b/queue-4.19/yam-fix-a-memory-leak-in-yam_siocdevprivate.patch-11367 deleted file mode 100644 index d2fdde6ce77..00000000000 --- a/queue-4.19/yam-fix-a-memory-leak-in-yam_siocdevprivate.patch-11367 +++ /dev/null @@ -1,37 +0,0 @@ -From 07c544600897c87e65a9812a69f95f7fa8fddf99 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 24 Jan 2022 11:29:54 +0800 -Subject: yam: fix a memory leak in yam_siocdevprivate() - -From: Hangyu Hua - -[ Upstream commit 29eb31542787e1019208a2e1047bb7c76c069536 ] - -ym needs to be free when ym->cmd != SIOCYAMSMCS. - -Fixes: 0781168e23a2 ("yam: fix a missing-check bug") -Signed-off-by: Hangyu Hua -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin ---- - drivers/net/hamradio/yam.c | 4 +--- - 1 file changed, 1 insertion(+), 3 deletions(-) - -diff --git a/drivers/net/hamradio/yam.c b/drivers/net/hamradio/yam.c -index fdab498725878..3db86f247bf45 100644 ---- a/drivers/net/hamradio/yam.c -+++ b/drivers/net/hamradio/yam.c -@@ -966,9 +966,7 @@ static int yam_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd) - sizeof(struct yamdrv_ioctl_mcs)); - if (IS_ERR(ym)) - return PTR_ERR(ym); -- if (ym->cmd != SIOCYAMSMCS) -- return -EINVAL; -- if (ym->bitrate > YAM_MAXBITRATE) { -+ if (ym->cmd != SIOCYAMSMCS || ym->bitrate > YAM_MAXBITRATE) { - kfree(ym); - return -EINVAL; - } --- -2.34.1 - -- 2.47.2