From f369b35ed55db5e9d1553657d4c19c5dc0d45b73 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Fri, 18 Feb 2022 15:55:22 +0100 Subject: [PATCH] 4.19-stable patches added patches: bonding-fix-data-races-around-agg_select_timer.patch drop_monitor-fix-data-race-in-dropmon_net_event-trace_napi_poll_hit.patch iwlwifi-pcie-fix-locking-when-hw-not-ready.patch iwlwifi-pcie-gen2-fix-locking-when-hw-not-ready.patch libsubcmd-fix-use-after-free-for-realloc-...-0.patch net-dsa-lan9303-fix-reset-on-probe.patch net-ieee802154-ca8210-fix-lifs-sifs-periods.patch ping-fix-the-dif-and-sdif-check-in-ping_lookup.patch --- ...x-data-races-around-agg_select_timer.patch | 138 ++++++++++++++++++ ...ropmon_net_event-trace_napi_poll_hit.patch | 103 +++++++++++++ ...i-pcie-fix-locking-when-hw-not-ready.patch | 34 +++++ ...e-gen2-fix-locking-when-hw-not-ready.patch | 34 +++++ ...fix-use-after-free-for-realloc-...-0.patch | 66 +++++++++ .../net-dsa-lan9303-fix-reset-on-probe.patch | 36 +++++ ...e802154-ca8210-fix-lifs-sifs-periods.patch | 36 +++++ ...he-dif-and-sdif-check-in-ping_lookup.patch | 78 ++++++++++ queue-4.19/series | 8 + 9 files changed, 533 insertions(+) create mode 100644 queue-4.19/bonding-fix-data-races-around-agg_select_timer.patch create mode 100644 queue-4.19/drop_monitor-fix-data-race-in-dropmon_net_event-trace_napi_poll_hit.patch create mode 100644 queue-4.19/iwlwifi-pcie-fix-locking-when-hw-not-ready.patch create mode 100644 queue-4.19/iwlwifi-pcie-gen2-fix-locking-when-hw-not-ready.patch create mode 100644 queue-4.19/libsubcmd-fix-use-after-free-for-realloc-...-0.patch create mode 100644 queue-4.19/net-dsa-lan9303-fix-reset-on-probe.patch create mode 100644 queue-4.19/net-ieee802154-ca8210-fix-lifs-sifs-periods.patch create mode 100644 queue-4.19/ping-fix-the-dif-and-sdif-check-in-ping_lookup.patch 
diff --git a/queue-4.19/bonding-fix-data-races-around-agg_select_timer.patch b/queue-4.19/bonding-fix-data-races-around-agg_select_timer.patch new file mode 100644 index 00000000000..3b6313ce64e --- /dev/null +++ b/queue-4.19/bonding-fix-data-races-around-agg_select_timer.patch 
@@ -0,0 +1,138 @@ +From 9ceaf6f76b203682bb6100e14b3d7da4c0bedde8 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Mon, 14 Feb 2022 11:15:53 -0800 +Subject: bonding: fix data-races around agg_select_timer + +From: Eric Dumazet + +commit 9ceaf6f76b203682bb6100e14b3d7da4c0bedde8 upstream. + +syzbot reported that two threads might write over agg_select_timer +at the same time. Make agg_select_timer atomic to fix the races. + +BUG: KCSAN: data-race in bond_3ad_initiate_agg_selection / bond_3ad_state_machine_handler + +read to 0xffff8881242aea90 of 4 bytes by task 1846 on cpu 1: + bond_3ad_state_machine_handler+0x99/0x2810 drivers/net/bonding/bond_3ad.c:2317 + process_one_work+0x3f6/0x960 kernel/workqueue.c:2307 + worker_thread+0x616/0xa70 kernel/workqueue.c:2454 + kthread+0x1bf/0x1e0 kernel/kthread.c:377 + ret_from_fork+0x1f/0x30 + +write to 0xffff8881242aea90 of 4 bytes by task 25910 on cpu 0: + bond_3ad_initiate_agg_selection+0x18/0x30 drivers/net/bonding/bond_3ad.c:1998 + bond_open+0x658/0x6f0 drivers/net/bonding/bond_main.c:3967 + __dev_open+0x274/0x3a0 net/core/dev.c:1407 + dev_open+0x54/0x190 net/core/dev.c:1443 + bond_enslave+0xcef/0x3000 drivers/net/bonding/bond_main.c:1937 + do_set_master net/core/rtnetlink.c:2532 [inline] + do_setlink+0x94f/0x2500 net/core/rtnetlink.c:2736 + __rtnl_newlink net/core/rtnetlink.c:3414 [inline] + rtnl_newlink+0xfeb/0x13e0 net/core/rtnetlink.c:3529 + rtnetlink_rcv_msg+0x745/0x7e0 net/core/rtnetlink.c:5594 + netlink_rcv_skb+0x14e/0x250 net/netlink/af_netlink.c:2494 + rtnetlink_rcv+0x18/0x20 net/core/rtnetlink.c:5612 + netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline] + netlink_unicast+0x602/0x6d0 net/netlink/af_netlink.c:1343 + netlink_sendmsg+0x728/0x850 net/netlink/af_netlink.c:1919 + sock_sendmsg_nosec net/socket.c:705 [inline] + sock_sendmsg net/socket.c:725 [inline] + ____sys_sendmsg+0x39a/0x510 net/socket.c:2413 + ___sys_sendmsg net/socket.c:2467 [inline] + __sys_sendmsg+0x195/0x230 net/socket.c:2496 + 
__do_sys_sendmsg net/socket.c:2505 [inline] + __se_sys_sendmsg net/socket.c:2503 [inline] + __x64_sys_sendmsg+0x42/0x50 net/socket.c:2503 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +value changed: 0x00000050 -> 0x0000004f + +Reported by Kernel Concurrency Sanitizer on: +CPU: 0 PID: 25910 Comm: syz-executor.1 Tainted: G W 5.17.0-rc4-syzkaller-dirty #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Cc: Jay Vosburgh +Cc: Veaceslav Falico +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/bonding/bond_3ad.c | 30 +++++++++++++++++++++++++----- + include/net/bond_3ad.h | 2 +- + 2 files changed, 26 insertions(+), 6 deletions(-) + +--- a/drivers/net/bonding/bond_3ad.c ++++ b/drivers/net/bonding/bond_3ad.c +@@ -249,7 +249,7 @@ static inline int __check_agg_selection_ + if (bond == NULL) + return 0; + +- return BOND_AD_INFO(bond).agg_select_timer ? 1 : 0; ++ return atomic_read(&BOND_AD_INFO(bond).agg_select_timer) ? 1 : 0; + } + + /** +@@ -1965,7 +1965,7 @@ static void ad_marker_response_received( + */ + void bond_3ad_initiate_agg_selection(struct bonding *bond, int timeout) + { +- BOND_AD_INFO(bond).agg_select_timer = timeout; ++ atomic_set(&BOND_AD_INFO(bond).agg_select_timer, timeout); + } + + /** +@@ -2250,6 +2250,28 @@ void bond_3ad_update_ad_actor_settings(s + } + + /** ++ * bond_agg_timer_advance - advance agg_select_timer ++ * @bond: bonding structure ++ * ++ * Return true when agg_select_timer reaches 0. 
++ */ ++static bool bond_agg_timer_advance(struct bonding *bond) ++{ ++ int val, nval; ++ ++ while (1) { ++ val = atomic_read(&BOND_AD_INFO(bond).agg_select_timer); ++ if (!val) ++ return false; ++ nval = val - 1; ++ if (atomic_cmpxchg(&BOND_AD_INFO(bond).agg_select_timer, ++ val, nval) == val) ++ break; ++ } ++ return nval == 0; ++} ++ ++/** + * bond_3ad_state_machine_handler - handle state machines timeout + * @bond: bonding struct to work on + * +@@ -2284,9 +2306,7 @@ void bond_3ad_state_machine_handler(stru + if (!bond_has_slaves(bond)) + goto re_arm; + +- /* check if agg_select_timer timer after initialize is timed out */ +- if (BOND_AD_INFO(bond).agg_select_timer && +- !(--BOND_AD_INFO(bond).agg_select_timer)) { ++ if (bond_agg_timer_advance(bond)) { + slave = bond_first_slave_rcu(bond); + port = slave ? &(SLAVE_AD_INFO(slave)->port) : NULL; + +--- a/include/net/bond_3ad.h ++++ b/include/net/bond_3ad.h +@@ -265,7 +265,7 @@ struct ad_system { + + struct ad_bond_info { + struct ad_system system; /* 802.3ad system structure */ +- u32 agg_select_timer; /* Timer to select aggregator after all adapter's hand shakes */ ++ atomic_t agg_select_timer; /* Timer to select aggregator after all adapter's hand shakes */ + u16 aggregator_identifier; + }; + diff --git a/queue-4.19/drop_monitor-fix-data-race-in-dropmon_net_event-trace_napi_poll_hit.patch b/queue-4.19/drop_monitor-fix-data-race-in-dropmon_net_event-trace_napi_poll_hit.patch new file mode 100644 index 00000000000..2a3aadc4e46 --- /dev/null +++ b/queue-4.19/drop_monitor-fix-data-race-in-dropmon_net_event-trace_napi_poll_hit.patch 
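Review bot: The kernel-doc added for bond_agg_timer_advance() says it returns true "when agg_select_timer reaches 0", but the loop returns false when the timer is already 0 and true only on the call that takes it from 1 to 0. I would word it as `Return: true only on the call that decrements agg_select_timer from 1 to 0.` so the one-shot behaviour the caller in bond_3ad_state_machine_handler() relies on is explicit. The field is now a signed atomic_t and `if (!val)` stops only at exactly zero, so a negative timeout handed to bond_3ad_initiate_agg_selection() would be decremented on every tick; the callers are outside this hunk, so that is something to confirm rather than a known defect. The open-coded cmpxchg loop could also be written as `return atomic_dec_if_positive(&BOND_AD_INFO(bond).agg_select_timer) == 0;`, which leaves zero and negative values alone.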
@@ -0,0 +1,103 @@ +From dcd54265c8bc14bd023815e36e2d5f9d66ee1fee Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Thu, 10 Feb 2022 09:13:31 -0800 +Subject: drop_monitor: fix data-race in dropmon_net_event / trace_napi_poll_hit + +From: Eric Dumazet + +commit dcd54265c8bc14bd023815e36e2d5f9d66ee1fee upstream. + +trace_napi_poll_hit() is reading stat->dev while another thread can write +on it from dropmon_net_event() + +Use READ_ONCE()/WRITE_ONCE() here, RCU rules are properly enforced already, +we only have to take care of load/store tearing. + +BUG: KCSAN: data-race in dropmon_net_event / trace_napi_poll_hit + +write to 0xffff88816f3ab9c0 of 8 bytes by task 20260 on cpu 1: + dropmon_net_event+0xb8/0x2b0 net/core/drop_monitor.c:1579 + notifier_call_chain kernel/notifier.c:84 [inline] + raw_notifier_call_chain+0x53/0xb0 kernel/notifier.c:392 + call_netdevice_notifiers_info net/core/dev.c:1919 [inline] + call_netdevice_notifiers_extack net/core/dev.c:1931 [inline] + call_netdevice_notifiers net/core/dev.c:1945 [inline] + unregister_netdevice_many+0x867/0xfb0 net/core/dev.c:10415 + ip_tunnel_delete_nets+0x24a/0x280 net/ipv4/ip_tunnel.c:1123 + vti_exit_batch_net+0x2a/0x30 net/ipv4/ip_vti.c:515 + ops_exit_list net/core/net_namespace.c:173 [inline] + cleanup_net+0x4dc/0x8d0 net/core/net_namespace.c:597 + process_one_work+0x3f6/0x960 kernel/workqueue.c:2307 + worker_thread+0x616/0xa70 kernel/workqueue.c:2454 + kthread+0x1bf/0x1e0 kernel/kthread.c:377 + ret_from_fork+0x1f/0x30 + +read to 0xffff88816f3ab9c0 of 8 bytes by interrupt on cpu 0: + trace_napi_poll_hit+0x89/0x1c0 net/core/drop_monitor.c:292 + trace_napi_poll include/trace/events/napi.h:14 [inline] + __napi_poll+0x36b/0x3f0 net/core/dev.c:6366 + napi_poll net/core/dev.c:6432 [inline] + net_rx_action+0x29e/0x650 net/core/dev.c:6519 + __do_softirq+0x158/0x2de kernel/softirq.c:558 + do_softirq+0xb1/0xf0 kernel/softirq.c:459 + __local_bh_enable_ip+0x68/0x70 kernel/softirq.c:383 + __raw_spin_unlock_bh 
include/linux/spinlock_api_smp.h:167 [inline] + _raw_spin_unlock_bh+0x33/0x40 kernel/locking/spinlock.c:210 + spin_unlock_bh include/linux/spinlock.h:394 [inline] + ptr_ring_consume_bh include/linux/ptr_ring.h:367 [inline] + wg_packet_decrypt_worker+0x73c/0x780 drivers/net/wireguard/receive.c:506 + process_one_work+0x3f6/0x960 kernel/workqueue.c:2307 + worker_thread+0x616/0xa70 kernel/workqueue.c:2454 + kthread+0x1bf/0x1e0 kernel/kthread.c:377 + ret_from_fork+0x1f/0x30 + +value changed: 0xffff88815883e000 -> 0x0000000000000000 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 0 PID: 26435 Comm: kworker/0:1 Not tainted 5.17.0-rc1-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Workqueue: wg-crypt-wg2 wg_packet_decrypt_worker + +Fixes: 4ea7e38696c7 ("dropmon: add ability to detect when hardware dropsrxpackets") +Signed-off-by: Eric Dumazet +Cc: Neil Horman +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/drop_monitor.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/net/core/drop_monitor.c ++++ b/net/core/drop_monitor.c +@@ -219,13 +219,17 @@ static void trace_napi_poll_hit(void *ig + + rcu_read_lock(); + list_for_each_entry_rcu(new_stat, &hw_stats_list, list) { ++ struct net_device *dev; ++ + /* + * only add a note to our monitor buffer if: + * 1) this is the dev we received on + * 2) its after the last_rx delta + * 3) our rx_dropped count has gone up + */ +- if ((new_stat->dev == napi->dev) && ++ /* Paired with WRITE_ONCE() in dropmon_net_event() */ ++ dev = READ_ONCE(new_stat->dev); ++ if ((dev == napi->dev) && + (time_after(jiffies, new_stat->last_rx + dm_hw_check_delta)) && + (napi->dev->stats.rx_dropped != new_stat->last_drop_val)) { + trace_drop_common(NULL, NULL); +@@ -340,7 +344,10 @@ static int dropmon_net_event(struct noti + mutex_lock(&trace_state_mutex); + list_for_each_entry_safe(new_stat, tmp, &hw_stats_list, 
list) { + if (new_stat->dev == dev) { +- new_stat->dev = NULL; ++ ++ /* Paired with READ_ONCE() in trace_napi_poll_hit() */ ++ WRITE_ONCE(new_stat->dev, NULL); ++ + if (trace_state == TRACE_OFF) { + list_del_rcu(&new_stat->list); + kfree_rcu(new_stat, rcu); diff --git a/queue-4.19/iwlwifi-pcie-fix-locking-when-hw-not-ready.patch b/queue-4.19/iwlwifi-pcie-fix-locking-when-hw-not-ready.patch new file mode 100644 index 00000000000..f384d9dabe0 --- /dev/null +++ b/queue-4.19/iwlwifi-pcie-fix-locking-when-hw-not-ready.patch @@ -0,0 +1,34 @@ +From e9848aed147708a06193b40d78493b0ef6abccf2 Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Fri, 28 Jan 2022 14:30:52 +0200 +Subject: iwlwifi: pcie: fix locking when "HW not ready" + +From: Johannes Berg + +commit e9848aed147708a06193b40d78493b0ef6abccf2 upstream. + +If we run into this error path, we shouldn't unlock the mutex +since it's not locked since. Fix this. + +Fixes: a6bd005fe92d ("iwlwifi: pcie: fix RF-Kill vs. firmware load race") +Signed-off-by: Johannes Berg +Signed-off-by: Luca Coelho +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/iwlwifi.20220128142706.5d16821d1433.Id259699ddf9806459856d6aefbdbe54477aecffd@changeid +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/intel/iwlwifi/pcie/trans.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c +@@ -1363,8 +1363,7 @@ static int iwl_trans_pcie_start_fw(struc + /* This may fail if AMT took ownership of the device */ + if (iwl_pcie_prepare_card_hw(trans)) { + IWL_WARN(trans, "Exit HW not ready\n"); +- ret = -EIO; +- goto out; ++ return -EIO; + } + + iwl_enable_rfkill_int(trans); diff --git a/queue-4.19/iwlwifi-pcie-gen2-fix-locking-when-hw-not-ready.patch b/queue-4.19/iwlwifi-pcie-gen2-fix-locking-when-hw-not-ready.patch new file mode 100644 index 00000000000..7b948a193f6 --- /dev/null 
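Review bot: In trace_napi_poll_hit() the new `/* Paired with WRITE_ONCE() in dropmon_net_event() */` comment and the `dev = READ_ONCE(new_stat->dev);` load sit between the existing three-point block comment and the `if` it describes, which separates that explanation from its condition. Doing the load before the block comment keeps both comments next to the code they document. In dropmon_net_event() the blank line added directly after `if (new_stat->dev == dev) {` is unusual for kernel style and can be dropped. Both function bodies continue outside the hunks.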
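Review bot: The early `return -EIO;` in iwl_trans_pcie_start_fw() is only correct while the mutex is taken after this check, and nothing at the return site says so. A short comment such as `/* mutex not taken yet, so do not unlock via 'out' */` would keep a later reordering from reintroducing the unbalanced unlock. The lock acquisition and the `out` label are outside the hunk, so the ordering is inferred from the commit description. The same applies to the identical change in iwl_trans_pcie_gen2_start_fw() in the next patch.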
+++ b/queue-4.19/iwlwifi-pcie-gen2-fix-locking-when-hw-not-ready.patch @@ -0,0 +1,34 @@ +From 4c29c1e27a1e178a219b3877d055e6dd643bdfda Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Fri, 28 Jan 2022 14:30:53 +0200 +Subject: iwlwifi: pcie: gen2: fix locking when "HW not ready" + +From: Johannes Berg + +commit 4c29c1e27a1e178a219b3877d055e6dd643bdfda upstream. + +If we run into this error path, we shouldn't unlock the mutex +since it's not locked since. Fix this in the gen2 code as well. + +Fixes: eda50cde58de ("iwlwifi: pcie: add context information support") +Signed-off-by: Johannes Berg +Signed-off-by: Luca Coelho +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/iwlwifi.20220128142706.b8b0dfce16ef.Ie20f0f7b23e5911350a2766524300d2915e7b677@changeid +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/intel/iwlwifi/pcie/trans-gen2.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/pcie/trans-gen2.c ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/trans-gen2.c +@@ -310,8 +310,7 @@ int iwl_trans_pcie_gen2_start_fw(struct + /* This may fail if AMT took ownership of the device */ + if (iwl_pcie_prepare_card_hw(trans)) { + IWL_WARN(trans, "Exit HW not ready\n"); +- ret = -EIO; +- goto out; ++ return -EIO; + } + + iwl_enable_rfkill_int(trans); diff --git a/queue-4.19/libsubcmd-fix-use-after-free-for-realloc-...-0.patch b/queue-4.19/libsubcmd-fix-use-after-free-for-realloc-...-0.patch new file mode 100644 index 00000000000..23bfaebab85 --- /dev/null +++ b/queue-4.19/libsubcmd-fix-use-after-free-for-realloc-...-0.patch 
@@ -0,0 +1,66 @@ +From 52a9dab6d892763b2a8334a568bd4e2c1a6fde66 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Sun, 13 Feb 2022 10:24:43 -0800 +Subject: libsubcmd: Fix use-after-free for realloc(..., 0) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kees Cook + +commit 52a9dab6d892763b2a8334a568bd4e2c1a6fde66 upstream. + +GCC 12 correctly reports a potential use-after-free condition in the +xrealloc helper. Fix the warning by avoiding an implicit "free(ptr)" +when size == 0: + +In file included from help.c:12: +In function 'xrealloc', + inlined from 'add_cmdname' at help.c:24:2: subcmd-util.h:56:23: error: pointer may be used after 'realloc' [-Werror=use-after-free] + 56 | ret = realloc(ptr, size); + | ^~~~~~~~~~~~~~~~~~ +subcmd-util.h:52:21: note: call to 'realloc' here + 52 | void *ret = realloc(ptr, size); + | ^~~~~~~~~~~~~~~~~~ +subcmd-util.h:58:31: error: pointer may be used after 'realloc' [-Werror=use-after-free] + 58 | ret = realloc(ptr, 1); + | ^~~~~~~~~~~~~~~ +subcmd-util.h:52:21: note: call to 'realloc' here + 52 | void *ret = realloc(ptr, size); + | ^~~~~~~~~~~~~~~~~~ + +Fixes: 2f4ce5ec1d447beb ("perf tools: Finalize subcmd independence") +Reported-by: Valdis Klētnieks +Signed-off-by: Kees Kook +Tested-by: Valdis Klētnieks +Tested-by: Justin M. 
Forbes +Acked-by: Josh Poimboeuf +Cc: linux-hardening@vger.kernel.org +Cc: Valdis Klētnieks +Link: http://lore.kernel.org/lkml/20220213182443.4037039-1-keescook@chromium.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Greg Kroah-Hartman +--- + tools/lib/subcmd/subcmd-util.h | 11 ++--------- + 1 file changed, 2 insertions(+), 9 deletions(-) + +--- a/tools/lib/subcmd/subcmd-util.h ++++ b/tools/lib/subcmd/subcmd-util.h +@@ -50,15 +50,8 @@ static NORETURN inline void die(const ch + static inline void *xrealloc(void *ptr, size_t size) + { + void *ret = realloc(ptr, size); +- if (!ret && !size) +- ret = realloc(ptr, 1); +- if (!ret) { +- ret = realloc(ptr, size); +- if (!ret && !size) +- ret = realloc(ptr, 1); +- if (!ret) +- die("Out of memory, realloc failed"); +- } ++ if (!ret) ++ die("Out of memory, realloc failed"); + return ret; + } + diff --git a/queue-4.19/net-dsa-lan9303-fix-reset-on-probe.patch b/queue-4.19/net-dsa-lan9303-fix-reset-on-probe.patch new file mode 100644 index 00000000000..f03b23bc047 --- /dev/null +++ b/queue-4.19/net-dsa-lan9303-fix-reset-on-probe.patch 
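Review bot: xrealloc() as left by this hunk still passes `size` straight to realloc(), so a call with size == 0 can get NULL back (the result is implementation-defined, and some C libraries free `ptr` and return NULL) and then ends in `die("Out of memory, realloc failed")` although no allocation failed. The description says the fix avoids the implicit free(ptr) for size == 0, but no such guard is visible in the new lines. Clamping the request, `void *ret = realloc(ptr, size ? size : 1);`, keeps the helper's never-returns-NULL contract without touching `ptr` after the call.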
@@ -0,0 +1,36 @@ +From 6bb9681a43f34f2cab4aad6e2a02da4ce54d13c5 Mon Sep 17 00:00:00 2001 +From: Mans Rullgard +Date: Wed, 9 Feb 2022 14:54:54 +0000 +Subject: net: dsa: lan9303: fix reset on probe + +From: Mans Rullgard + +commit 6bb9681a43f34f2cab4aad6e2a02da4ce54d13c5 upstream. + +The reset input to the LAN9303 chip is active low, and devicetree +gpio handles reflect this. Therefore, the gpio should be requested +with an initial state of high in order for the reset signal to be +asserted. Other uses of the gpio already use the correct polarity. + +Fixes: a1292595e006 ("net: dsa: add new DSA switch driver for the SMSC-LAN9303") +Signed-off-by: Mans Rullgard +Reviewed-by: Andrew Lunn +Reviewed-by: Florian Fianelil +Link: https://lore.kernel.org/r/20220209145454.19749-1-mans@mansr.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/lan9303-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/dsa/lan9303-core.c ++++ b/drivers/net/dsa/lan9303-core.c +@@ -1307,7 +1307,7 @@ static int lan9303_probe_reset_gpio(stru + struct device_node *np) + { + chip->reset_gpio = devm_gpiod_get_optional(chip->dev, "reset", +- GPIOD_OUT_LOW); ++ GPIOD_OUT_HIGH); + if (IS_ERR(chip->reset_gpio)) + return PTR_ERR(chip->reset_gpio); + diff --git a/queue-4.19/net-ieee802154-ca8210-fix-lifs-sifs-periods.patch b/queue-4.19/net-ieee802154-ca8210-fix-lifs-sifs-periods.patch new file mode 100644 index 00000000000..c89999c9738 --- /dev/null +++ b/queue-4.19/net-ieee802154-ca8210-fix-lifs-sifs-periods.patch 
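Review bot: `GPIOD_OUT_HIGH` in lan9303_probe_reset_gpio() reads as if it drives the pin high, while with an active-low line it is the logical "asserted" state. A one-line comment such as `/* logical high = reset asserted; the line is active low in the device tree */` would stop the flag from being flipped back later. The change depends on board device trees describing the reset GPIO as active low, as the description states; a tree that marks it active high would now start with reset deasserted, which is worth checking against in-tree users. The function body continues outside the hunk.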
@@ -0,0 +1,36 @@ +From bdc120a2bcd834e571ce4115aaddf71ab34495de Mon Sep 17 00:00:00 2001 +From: Miquel Raynal +Date: Tue, 1 Feb 2022 19:06:26 +0100 +Subject: net: ieee802154: ca8210: Fix lifs/sifs periods + +From: Miquel Raynal + +commit bdc120a2bcd834e571ce4115aaddf71ab34495de upstream. + +These periods are expressed in time units (microseconds) while 40 and 12 +are the number of symbol durations these periods will last. We need to +multiply them both with the symbol_duration in order to get these +values in microseconds. + +Fixes: ded845a781a5 ("ieee802154: Add CA8210 IEEE 802.15.4 device driver") +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/r/20220201180629.93410-2-miquel.raynal@bootlin.com +Signed-off-by: Stefan Schmidt +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ieee802154/ca8210.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/ieee802154/ca8210.c ++++ b/drivers/net/ieee802154/ca8210.c +@@ -2975,8 +2975,8 @@ static void ca8210_hw_setup(struct ieee8 + ca8210_hw->phy->cca.opt = NL802154_CCA_OPT_ENERGY_CARRIER_AND; + ca8210_hw->phy->cca_ed_level = -9800; + ca8210_hw->phy->symbol_duration = 16; +- ca8210_hw->phy->lifs_period = 40; +- ca8210_hw->phy->sifs_period = 12; ++ ca8210_hw->phy->lifs_period = 40 * ca8210_hw->phy->symbol_duration; ++ ca8210_hw->phy->sifs_period = 12 * ca8210_hw->phy->symbol_duration; + ca8210_hw->flags = + IEEE802154_HW_AFILT | + IEEE802154_HW_OMIT_CKSUM | diff --git a/queue-4.19/ping-fix-the-dif-and-sdif-check-in-ping_lookup.patch b/queue-4.19/ping-fix-the-dif-and-sdif-check-in-ping_lookup.patch new file mode 100644 index 00000000000..adb4bad65b9 --- /dev/null +++ b/queue-4.19/ping-fix-the-dif-and-sdif-check-in-ping_lookup.patch 
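Review bot: The new `lifs_period` and `sifs_period` assignments in ca8210_hw_setup() read `symbol_duration` back from the field set on the line just above, so they silently depend on statement order, and 40 and 12 remain unexplained literals. A comment such as `/* 40 and 12 symbol periods, converted to microseconds */` would record the unit conversion that the description explains. The function body continues outside the hunk.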
@@ -0,0 +1,78 @@ +From 35a79e64de29e8d57a5989aac57611c0cd29e13e Mon Sep 17 00:00:00 2001 +From: Xin Long +Date: Wed, 16 Feb 2022 00:20:52 -0500 +Subject: ping: fix the dif and sdif check in ping_lookup + +From: Xin Long + +commit 35a79e64de29e8d57a5989aac57611c0cd29e13e upstream. + +When 'ping' changes to use PING socket instead of RAW socket by: + + # sysctl -w net.ipv4.ping_group_range="0 100" + +There is another regression caused when matching sk_bound_dev_if +and dif, RAW socket is using inet_iif() while PING socket lookup +is using skb->dev->ifindex, the cmd below fails due to this: + + # ip link add dummy0 type dummy + # ip link set dummy0 up + # ip addr add 192.168.111.1/24 dev dummy0 + # ping -I dummy0 192.168.111.1 -c1 + +The issue was also reported on: + + https://github.com/iputils/iputils/issues/104 + +But fixed in iputils in a wrong way by not binding to device when +destination IP is on device, and it will cause some of kselftests +to fail, as Jianlin noticed. + +This patch is to use inet(6)_iif and inet(6)_sdif to get dif and +sdif for PING socket, and keep consistent with RAW socket. + +Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind") +Reported-by: Jianlin Shi +Signed-off-by: Xin Long +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/ping.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/net/ipv4/ping.c ++++ b/net/ipv4/ping.c +@@ -177,16 +177,23 @@ static struct sock *ping_lookup(struct n + struct sock *sk = NULL; + struct inet_sock *isk; + struct hlist_nulls_node *hnode; +- int dif = skb->dev->ifindex; ++ int dif, sdif; + + if (skb->protocol == htons(ETH_P_IP)) { ++ dif = inet_iif(skb); ++ sdif = inet_sdif(skb); + pr_debug("try to find: num = %d, daddr = %pI4, dif = %d\n", + (int)ident, &ip_hdr(skb)->daddr, dif); + #if IS_ENABLED(CONFIG_IPV6) + } else if (skb->protocol == htons(ETH_P_IPV6)) { ++ dif = inet6_iif(skb); ++ sdif = inet6_sdif(skb); + pr_debug("try to find: num = %d, daddr = %pI6c, dif = %d\n", + (int)ident, &ipv6_hdr(skb)->daddr, dif); + #endif ++ } else { ++ pr_err("ping: protocol(%x) is not supported\n", ntohs(skb->protocol)); ++ return NULL; + } + + read_lock_bh(&ping_table.lock); +@@ -226,7 +233,7 @@ static struct sock *ping_lookup(struct n + } + + if (sk->sk_bound_dev_if && sk->sk_bound_dev_if != dif && +- sk->sk_bound_dev_if != inet_sdif(skb)) ++ sk->sk_bound_dev_if != sdif) + continue; + + sock_hold(sk); diff --git a/queue-4.19/series b/queue-4.19/series index 0eea82694a9..ed7da2c9ef6 100644 --- a/queue-4.19/series +++ b/queue-4.19/series 
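Review bot: The new `else` branch in ping_lookup() logs with plain `pr_err()` on a path that runs per received packet, so if it is reachable with an unexpected skb->protocol it can flood the kernel log. A rate-limited call such as `net_err_ratelimited("ping: protocol(%x) is not supported\n", ntohs(skb->protocol));` bounds that. Whether callers can pass anything other than IPv4 or IPv6 is not visible here, so treat this as hardening rather than a confirmed defect. The function body continues outside both hunks.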
@@ -20,3 +20,11 @@ xfrm-don-t-accidentally-set-rto_onlink-in-decode_session4.patch taskstats-cleanup-the-use-of-task-exit_code.patch mmc-block-fix-read-single-on-recovery-logic.patch vsock-remove-vsock-from-connected-table-when-connect-is-interrupted-by-a-signal.patch +iwlwifi-pcie-fix-locking-when-hw-not-ready.patch +iwlwifi-pcie-gen2-fix-locking-when-hw-not-ready.patch +net-dsa-lan9303-fix-reset-on-probe.patch +net-ieee802154-ca8210-fix-lifs-sifs-periods.patch +ping-fix-the-dif-and-sdif-check-in-ping_lookup.patch +drop_monitor-fix-data-race-in-dropmon_net_event-trace_napi_poll_hit.patch +bonding-fix-data-races-around-agg_select_timer.patch +libsubcmd-fix-use-after-free-for-realloc-...-0.patch -- 2.47.3