From 4bd14107690b8d6891b18ebc094118f04ba2a07e Mon Sep 17 00:00:00 2001
From: Sasha Levin
Date: Sun, 2 Apr 2023 09:40:19 -0400
Subject: [PATCH] Fixes for 4.19
Signed-off-by: Sasha Levin
---
 ...ned-mac_len-comparison-with-zero-in-.patch | 48 ++++
 ...etup-fix-kmsan-uninit-value-in-vfs_w.patch | 118 ++++++++++
 ...rs-dump-after-run-ethtool-adapter-se.patch | 91 ++++++++
 ...x-enable-igmp-snooping-on-user-ports.patch | 55 +++++
 ...mvneta-make-tx-buffer-array-agnostic.patch | 221 ++++++++++++++++++
 ...s-fix-crash-after-a-double-completio.patch | 47 ++++
 queue-4.19/series | 6 +
 7 files changed, 586 insertions(+)
 create mode 100644 queue-4.19/ca8210-fix-unsigned-mac_len-comparison-with-zero-in-.patch
 create mode 100644 queue-4.19/can-bcm-bcm_tx_setup-fix-kmsan-uninit-value-in-vfs_w.patch
 create mode 100644 queue-4.19/i40e-fix-registers-dump-after-run-ethtool-adapter-se.patch
 create mode 100644 queue-4.19/net-dsa-mv88e6xxx-enable-igmp-snooping-on-user-ports.patch
 create mode 100644 queue-4.19/net-mvneta-make-tx-buffer-array-agnostic.patch
 create mode 100644 queue-4.19/scsi-megaraid_sas-fix-crash-after-a-double-completio.patch
diff --git a/queue-4.19/ca8210-fix-unsigned-mac_len-comparison-with-zero-in-.patch b/queue-4.19/ca8210-fix-unsigned-mac_len-comparison-with-zero-in-.patch
new file mode 100644
index 00000000000..d640a14c89e
--- /dev/null
+++ b/queue-4.19/ca8210-fix-unsigned-mac_len-comparison-with-zero-in-.patch
@@ -0,0 +1,48 @@
+From b132adcdc9ef43286ddfd3c43a7ad1b25a81e669 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 6 Mar 2023 11:18:24 -0800
+Subject: ca8210: Fix unsigned mac_len comparison with zero in ca8210_skb_tx()
+
+From: Harshit Mogalapalli
+
+[ Upstream commit 748b2f5e82d17480404b3e2895388fc2925f7caf ]
+
+mac_len is of type unsigned, which can never be less than zero.
+
+ mac_len = ieee802154_hdr_peek_addrs(skb, &header);
+ if (mac_len < 0)
+ return mac_len;
+
+Change this to type int as ieee802154_hdr_peek_addrs() can return negative
+integers, this is found by static analysis with smatch.
+
+Fixes: 6c993779ea1d ("ca8210: fix mac_len negative array access")
+Signed-off-by: Harshit Mogalapalli
+Acked-by: Alexander Aring
+Reviewed-by: Simon Horman
+Link: https://lore.kernel.org/r/20230306191824.4115839-1-harshit.m.mogalapalli@oracle.com
+Signed-off-by: Stefan Schmidt
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ieee802154/ca8210.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/net/ieee802154/ca8210.c b/drivers/net/ieee802154/ca8210.c
+index 2d4471b77fa7c..f75faec23cc98 100644
+--- a/drivers/net/ieee802154/ca8210.c
++++ b/drivers/net/ieee802154/ca8210.c
+@@ -1943,10 +1943,9 @@ static int ca8210_skb_tx(
+ struct ca8210_priv *priv
+ )
+ {
+- int status;
+ struct ieee802154_hdr header = { };
+ struct secspec secspec;
+- unsigned int mac_len;
++ int mac_len, status;
+
+ dev_dbg(&priv->spi->dev, "%s called\n", __func__);
+
+--
+2.39.2
+
diff --git a/queue-4.19/can-bcm-bcm_tx_setup-fix-kmsan-uninit-value-in-vfs_w.patch b/queue-4.19/can-bcm-bcm_tx_setup-fix-kmsan-uninit-value-in-vfs_w.patch
new file mode 100644
index 00000000000..29dad5dc817
--- /dev/null
+++ b/queue-4.19/can-bcm-bcm_tx_setup-fix-kmsan-uninit-value-in-vfs_w.patch
@@ -0,0 +1,118 @@
+From 89a51657bf88754702e114551685d258e354d18e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 14 Mar 2023 16:04:45 +0400
+Subject: can: bcm: bcm_tx_setup(): fix KMSAN uninit-value in vfs_write
+
+From: Ivan Orlov
+
+[ Upstream commit 2b4c99f7d9a57ecd644eda9b1fb0a1072414959f ]
+
+Syzkaller reported the following issue:
+
+=====================================================
+BUG: KMSAN: uninit-value in aio_rw_done fs/aio.c:1520 [inline]
+BUG: KMSAN: uninit-value in aio_write+0x899/0x950 fs/aio.c:1600
+ aio_rw_done fs/aio.c:1520 [inline]
+ aio_write+0x899/0x950 fs/aio.c:1600
+ io_submit_one+0x1d1c/0x3bf0 fs/aio.c:2019
+ __do_sys_io_submit fs/aio.c:2078 [inline]
+ __se_sys_io_submit+0x293/0x770 fs/aio.c:2048
+ __x64_sys_io_submit+0x92/0xd0 fs/aio.c:2048
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Uninit was created at:
+ slab_post_alloc_hook mm/slab.h:766 [inline]
+ slab_alloc_node mm/slub.c:3452 [inline]
+ __kmem_cache_alloc_node+0x71f/0xce0 mm/slub.c:3491
+ __do_kmalloc_node mm/slab_common.c:967 [inline]
+ __kmalloc+0x11d/0x3b0 mm/slab_common.c:981
+ kmalloc_array include/linux/slab.h:636 [inline]
+ bcm_tx_setup+0x80e/0x29d0 net/can/bcm.c:930
+ bcm_sendmsg+0x3a2/0xce0 net/can/bcm.c:1351
+ sock_sendmsg_nosec net/socket.c:714 [inline]
+ sock_sendmsg net/socket.c:734 [inline]
+ sock_write_iter+0x495/0x5e0 net/socket.c:1108
+ call_write_iter include/linux/fs.h:2189 [inline]
+ aio_write+0x63a/0x950 fs/aio.c:1600
+ io_submit_one+0x1d1c/0x3bf0 fs/aio.c:2019
+ __do_sys_io_submit fs/aio.c:2078 [inline]
+ __se_sys_io_submit+0x293/0x770 fs/aio.c:2048
+ __x64_sys_io_submit+0x92/0xd0 fs/aio.c:2048
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+CPU: 1 PID: 5034 Comm: syz-executor350 Not tainted 6.2.0-rc6-syzkaller-80422-geda666ff2276 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023
+=====================================================
+
+We can follow the call chain and find that 'bcm_tx_setup' function
+calls 'memcpy_from_msg' to copy some content to the newly allocated
+frame of 'op->frames'. After that the 'len' field of copied structure
+being compared with some constant value (64 or 8). However, if
+'memcpy_from_msg' returns an error, we will compare some uninitialized
+memory. This triggers 'uninit-value' issue.
+
+This patch will add 'memcpy_from_msg' possible errors processing to
+avoid uninit-value issue.
+
+Tested via syzkaller
+
+Reported-by: syzbot+c9bfd85eca611ebf5db1@syzkaller.appspotmail.com
+Link: https://syzkaller.appspot.com/bug?id=47f897f8ad958bbde5790ebf389b5e7e0a345089
+Signed-off-by: Ivan Orlov
+Fixes: 6f3b911d5f29b ("can: bcm: add support for CAN FD frames")
+Acked-by: Oliver Hartkopp
+Link: https://lore.kernel.org/all/20230314120445.12407-1-ivan.orlov0322@gmail.com
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Sasha Levin
+---
+ net/can/bcm.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/net/can/bcm.c b/net/can/bcm.c
+index 74e555a22de75..61269cc2fa828 100644
+--- a/net/can/bcm.c
++++ b/net/can/bcm.c
+@@ -935,6 +935,8 @@ static int bcm_tx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg,
+
+ cf = op->frames + op->cfsiz * i;
+ err = memcpy_from_msg((u8 *)cf, msg, op->cfsiz);
++ if (err < 0)
++ goto free_op;
+
+ if (op->flags & CAN_FD_FRAME) {
+ if (cf->len > 64)
+@@ -944,12 +946,8 @@ static int bcm_tx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg,
+ err = -EINVAL;
+ }
+
+- if (err < 0) {
+- if (op->frames != &op->sframe)
+- kfree(op->frames);
+- kfree(op);
+- return err;
+- }
++ if (err < 0)
++ goto free_op;
+
+ if (msg_head->flags & TX_CP_CAN_ID) {
+ /* copy can_id into frame */
+@@ -1020,6 +1018,12 @@ static int bcm_tx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg,
+ bcm_tx_start_timer(op);
+
+ return msg_head->nframes * op->cfsiz + MHSIZ;
++
++free_op:
++ if (op->frames != &op->sframe)
++ kfree(op->frames);
++ kfree(op);
++ return err;
+ }
+
+ /*
+--
+2.39.2
+
diff --git a/queue-4.19/i40e-fix-registers-dump-after-run-ethtool-adapter-se.patch b/queue-4.19/i40e-fix-registers-dump-after-run-ethtool-adapter-se.patch
new file mode 100644
index 00000000000..8cb7aff549a
--- /dev/null
+++ b/queue-4.19/i40e-fix-registers-dump-after-run-ethtool-adapter-se.patch
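Review bot: The first added `if (err < 0) goto free_op;` in net/can/bcm.c, directly after `memcpy_from_msg()`, has to stay ahead of the `cf->len` tests, and nothing at that site says why. On a failed copy `cf` still points at fresh `kmalloc_array()` memory (per the KMSAN trace in the description), so I would put a comment on that check, e.g. `/* copy failed: cf is uninitialised, do not look at cf->len */`, to stop a later cleanup from folding it into the second `if (err < 0)` below. That second check can now only see the `-EINVAL` set by the length tests. bcm_tx_setup() begins and ends outside these hunks, so any other `memcpy_from_msg()` call in it is not covered by this note.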
@@ -0,0 +1,91 @@
+From 31eba224a3a02c68b12ea4583e3213c2123c21b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 28 Mar 2023 10:26:59 -0700
+Subject: i40e: fix registers dump after run ethtool adapter self test
+
+From: Radoslaw Tyl
+
+[ Upstream commit c5cff16f461a4a434a9915a7be7ac9ced861a8a4 ]
+
+Fix invalid registers dump from ethtool -d ethX after adapter self test
+by ethtool -t ethY. It causes invalid data display.
+
+The problem was caused by overwriting i40e_reg_list[].elements
+which is common for ethtool self test and dump.
+
+Fixes: 22dd9ae8afcc ("i40e: Rework register diagnostic")
+Signed-off-by: Radoslaw Tyl
+Reviewed-by: Michal Swiatkowski
+Tested-by: Arpana Arland (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen
+Reviewed-by: Leon Romanovsky
+Link: https://lore.kernel.org/r/20230328172659.3906413-1-anthony.l.nguyen@intel.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/i40e/i40e_diag.c | 11 ++++++-----
+ drivers/net/ethernet/intel/i40e/i40e_diag.h | 2 +-
+ 2 files changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_diag.c b/drivers/net/ethernet/intel/i40e/i40e_diag.c
+index ef4d3762bf371..ca229b0efeb65 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_diag.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_diag.c
+@@ -44,7 +44,7 @@ static i40e_status i40e_diag_reg_pattern_test(struct i40e_hw *hw,
+ return 0;
+ }
+
+-struct i40e_diag_reg_test_info i40e_reg_list[] = {
++const struct i40e_diag_reg_test_info i40e_reg_list[] = {
+ /* offset mask elements stride */
+ {I40E_QTX_CTL(0), 0x0000FFBF, 1,
+ I40E_QTX_CTL(1) - I40E_QTX_CTL(0)},
+@@ -78,27 +78,28 @@ i40e_status i40e_diag_reg_test(struct i40e_hw *hw)
+ {
+ i40e_status ret_code = 0;
+ u32 reg, mask;
++ u32 elements;
+ u32 i, j;
+
+ for (i = 0; i40e_reg_list[i].offset != 0 &&
+ !ret_code; i++) {
+
++ elements = i40e_reg_list[i].elements;
+ /* set actual reg range for dynamically allocated resources */
+ if (i40e_reg_list[i].offset == I40E_QTX_CTL(0) &&
+ hw->func_caps.num_tx_qp != 0)
+- i40e_reg_list[i].elements = hw->func_caps.num_tx_qp;
++ elements = hw->func_caps.num_tx_qp;
+ if ((i40e_reg_list[i].offset == I40E_PFINT_ITRN(0, 0) ||
+ i40e_reg_list[i].offset == I40E_PFINT_ITRN(1, 0) ||
+ i40e_reg_list[i].offset == I40E_PFINT_ITRN(2, 0) ||
+ i40e_reg_list[i].offset == I40E_QINT_TQCTL(0) ||
+ i40e_reg_list[i].offset == I40E_QINT_RQCTL(0)) &&
+ hw->func_caps.num_msix_vectors != 0)
+- i40e_reg_list[i].elements =
+- hw->func_caps.num_msix_vectors - 1;
++ elements = hw->func_caps.num_msix_vectors - 1;
+
+ /* test register access */
+ mask = i40e_reg_list[i].mask;
+- for (j = 0; j < i40e_reg_list[i].elements && !ret_code; j++) {
++ for (j = 0; j < elements && !ret_code; j++) {
+ reg = i40e_reg_list[i].offset +
+ (j * i40e_reg_list[i].stride);
+ ret_code = i40e_diag_reg_pattern_test(hw, reg, mask);
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_diag.h b/drivers/net/ethernet/intel/i40e/i40e_diag.h
+index c3340f320a18c..1db7c6d572311 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_diag.h
++++ b/drivers/net/ethernet/intel/i40e/i40e_diag.h
+@@ -20,7 +20,7 @@ struct i40e_diag_reg_test_info {
+ u32 stride; /* bytes between each element */
+ };
+
+-extern struct i40e_diag_reg_test_info i40e_reg_list[];
++extern const struct i40e_diag_reg_test_info i40e_reg_list[];
+
+ i40e_status i40e_diag_reg_test(struct i40e_hw *hw);
+ i40e_status i40e_diag_eeprom_test(struct i40e_hw *hw);
+--
+2.39.2
+
diff --git a/queue-4.19/net-dsa-mv88e6xxx-enable-igmp-snooping-on-user-ports.patch b/queue-4.19/net-dsa-mv88e6xxx-enable-igmp-snooping-on-user-ports.patch
new file mode 100644
index 00000000000..ae7a91f071d
--- /dev/null
+++ b/queue-4.19/net-dsa-mv88e6xxx-enable-igmp-snooping-on-user-ports.patch
@@ -0,0 +1,55 @@
+From 3de238a69bcf879239e5a444a7312082fa31fafa Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 29 Mar 2023 12:01:40 -0300
+Subject: net: dsa: mv88e6xxx: Enable IGMP snooping on user ports only
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Steffen Bätz
+
+[ Upstream commit 7bcad0f0e6fbc1d613e49e0ee35c8e5f2e685bb0 ]
+
+Do not set the MV88E6XXX_PORT_CTL0_IGMP_MLD_SNOOP bit on CPU or DSA ports.
+
+This allows the host CPU port to be a regular IGMP listener by sending out
+IGMP Membership Reports, which would otherwise not be forwarded by the
+mv88exxx chip, but directly looped back to the CPU port itself.
+
+Fixes: 54d792f257c6 ("net: dsa: Centralise global and port setup code into mv88e6xxx.")
+Signed-off-by: Steffen Bätz
+Signed-off-by: Fabio Estevam
+Reviewed-by: Andrew Lunn
+Reviewed-by: Vladimir Oltean
+Reviewed-by: Florian Fainelli
+Link: https://lore.kernel.org/r/20230329150140.701559-1-festevam@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/dsa/mv88e6xxx/chip.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c
+index be064bcfd70a6..6b310f7235801 100644
+--- a/drivers/net/dsa/mv88e6xxx/chip.c
++++ b/drivers/net/dsa/mv88e6xxx/chip.c
+@@ -2237,9 +2237,14 @@ static int mv88e6xxx_setup_port(struct mv88e6xxx_chip *chip, int port)
+ * If this is the upstream port for this switch, enable
+ * forwarding of unknown unicasts and multicasts.
+ */
+- reg = MV88E6XXX_PORT_CTL0_IGMP_MLD_SNOOP |
+- MV88E6185_PORT_CTL0_USE_TAG | MV88E6185_PORT_CTL0_USE_IP |
++ reg = MV88E6185_PORT_CTL0_USE_TAG | MV88E6185_PORT_CTL0_USE_IP |
+ MV88E6XXX_PORT_CTL0_STATE_FORWARDING;
++ /* Forward any IPv4 IGMP or IPv6 MLD frames received
++ * by a USER port to the CPU port to allow snooping.
++ */
++ if (dsa_is_user_port(ds, port))
++ reg |= MV88E6XXX_PORT_CTL0_IGMP_MLD_SNOOP;
++
+ err = mv88e6xxx_port_write(chip, port, MV88E6XXX_PORT_CTL0, reg);
+ if (err)
+ return err;
+--
+2.39.2
+
diff --git a/queue-4.19/net-mvneta-make-tx-buffer-array-agnostic.patch b/queue-4.19/net-mvneta-make-tx-buffer-array-agnostic.patch
new file mode 100644
index 00000000000..2bfe3646737
--- /dev/null
+++ b/queue-4.19/net-mvneta-make-tx-buffer-array-agnostic.patch
@@ -0,0 +1,221 @@
+From a30baeac2aea4a90f29ea39381f199fe3c90836e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 19 Oct 2019 10:13:26 +0200
+Subject: net: mvneta: make tx buffer array agnostic
+
+From: Lorenzo Bianconi
+
+[ Upstream commit 9e58c8b410650b5a6eb5b8fad8474bd8425a4023 ]
+
+Allow tx buffer array to contain both skb and xdp buffers in order to
+enable xdp frame recycling adding XDP_TX verdict support
+
+Signed-off-by: Lorenzo Bianconi
+Signed-off-by: David S. Miller
+Stable-dep-of: 2960a2d33b02 ("net: mvneta: fix potential double-frees in mvneta_txq_sw_deinit()")
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/marvell/mvneta.c | 66 +++++++++++++++++----------
+ 1 file changed, 43 insertions(+), 23 deletions(-)
+
+diff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c
+index fd13116812006..f1a4b11ce0d19 100644
+--- a/drivers/net/ethernet/marvell/mvneta.c
++++ b/drivers/net/ethernet/marvell/mvneta.c
+@@ -542,6 +542,20 @@ struct mvneta_rx_desc {
+ };
+ #endif
+
++enum mvneta_tx_buf_type {
++ MVNETA_TYPE_SKB,
++ MVNETA_TYPE_XDP_TX,
++ MVNETA_TYPE_XDP_NDO,
++};
++
++struct mvneta_tx_buf {
++ enum mvneta_tx_buf_type type;
++ union {
++ struct xdp_frame *xdpf;
++ struct sk_buff *skb;
++ };
++};
++
+ struct mvneta_tx_queue {
+ /* Number of this TX queue, in the range 0-7 */
+ u8 id;
+@@ -557,8 +571,8 @@ struct mvneta_tx_queue {
+ int tx_stop_threshold;
+ int tx_wake_threshold;
+
+- /* Array of transmitted skb */
+- struct sk_buff **tx_skb;
++ /* Array of transmitted buffers */
++ struct mvneta_tx_buf *buf;
+
+ /* Index of last TX DMA descriptor that was inserted */
+ int txq_put_index;
+@@ -1767,14 +1781,9 @@ static void mvneta_txq_bufs_free(struct mvneta_port *pp,
+ int i;
+
+ for (i = 0; i < num; i++) {
++ struct mvneta_tx_buf *buf = &txq->buf[txq->txq_get_index];
+ struct mvneta_tx_desc *tx_desc = txq->descs +
+ txq->txq_get_index;
+- struct sk_buff *skb = txq->tx_skb[txq->txq_get_index];
+-
+- if (skb) {
+- bytes_compl += skb->len;
+- pkts_compl++;
+- }
+
+ mvneta_txq_inc_get(txq);
+
+@@ -1782,9 +1791,12 @@ static void mvneta_txq_bufs_free(struct mvneta_port *pp,
+ dma_unmap_single(pp->dev->dev.parent,
+ tx_desc->buf_phys_addr,
+ tx_desc->data_size, DMA_TO_DEVICE);
+- if (!skb)
++ if (!buf->skb)
+ continue;
+- dev_kfree_skb_any(skb);
++
++ bytes_compl += buf->skb->len;
++ pkts_compl++;
++ dev_kfree_skb_any(buf->skb);
+ }
+
+ netdev_tx_completed_queue(nq, pkts_compl, bytes_compl);
+@@ -2238,16 +2250,19 @@ static inline void
+ mvneta_tso_put_hdr(struct sk_buff *skb,
+ struct mvneta_port *pp, struct mvneta_tx_queue *txq)
+ {
+- struct mvneta_tx_desc *tx_desc;
+ int hdr_len = skb_transport_offset(skb) + tcp_hdrlen(skb);
++ struct mvneta_tx_buf *buf = &txq->buf[txq->txq_put_index];
++ struct mvneta_tx_desc *tx_desc;
+
+- txq->tx_skb[txq->txq_put_index] = NULL;
+ tx_desc = mvneta_txq_next_desc_get(txq);
+ tx_desc->data_size = hdr_len;
+ tx_desc->command = mvneta_skb_tx_csum(pp, skb);
+ tx_desc->command |= MVNETA_TXD_F_DESC;
+ tx_desc->buf_phys_addr = txq->tso_hdrs_phys +
+ txq->txq_put_index * TSO_HEADER_SIZE;
++ buf->type = MVNETA_TYPE_SKB;
++ buf->skb = NULL;
++
+ mvneta_txq_inc_put(txq);
+ }
+
+@@ -2256,6 +2271,7 @@ mvneta_tso_put_data(struct net_device *dev, struct mvneta_tx_queue *txq,
+ struct sk_buff *skb, char *data, int size,
+ bool last_tcp, bool is_last)
+ {
++ struct mvneta_tx_buf *buf = &txq->buf[txq->txq_put_index];
+ struct mvneta_tx_desc *tx_desc;
+
+ tx_desc = mvneta_txq_next_desc_get(txq);
+@@ -2269,7 +2285,8 @@ mvneta_tso_put_data(struct net_device *dev, struct mvneta_tx_queue *txq,
+ }
+
+ tx_desc->command = 0;
+- txq->tx_skb[txq->txq_put_index] = NULL;
++ buf->type = MVNETA_TYPE_SKB;
++ buf->skb = NULL;
+
+ if (last_tcp) {
+ /* last descriptor in the TCP packet */
+@@ -2277,7 +2294,7 @@ mvneta_tso_put_data(struct net_device *dev, struct mvneta_tx_queue *txq,
+
+ /* last descriptor in SKB */
+ if (is_last)
+- txq->tx_skb[txq->txq_put_index] = skb;
++ buf->skb = skb;
+ }
+ mvneta_txq_inc_put(txq);
+ return 0;
+@@ -2362,6 +2379,7 @@ static int mvneta_tx_frag_process(struct mvneta_port *pp, struct sk_buff *skb,
+ int i, nr_frags = skb_shinfo(skb)->nr_frags;
+
+ for (i = 0; i < nr_frags; i++) {
++ struct mvneta_tx_buf *buf = &txq->buf[txq->txq_put_index];
+ skb_frag_t *frag = &skb_shinfo(skb)->frags[i];
+ void *addr = page_address(frag->page.p) + frag->page_offset;
+
+@@ -2381,12 +2399,13 @@ static int mvneta_tx_frag_process(struct mvneta_port *pp, struct sk_buff *skb,
+ if (i == nr_frags - 1) {
+ /* Last descriptor */
+ tx_desc->command = MVNETA_TXD_L_DESC | MVNETA_TXD_Z_PAD;
+- txq->tx_skb[txq->txq_put_index] = skb;
++ buf->skb = skb;
+ } else {
+ /* Descriptor in the middle: Not First, Not Last */
+ tx_desc->command = 0;
+- txq->tx_skb[txq->txq_put_index] = NULL;
++ buf->skb = NULL;
+ }
++ buf->type = MVNETA_TYPE_SKB;
+ mvneta_txq_inc_put(txq);
+ }
+
+@@ -2414,6 +2433,7 @@ static netdev_tx_t mvneta_tx(struct sk_buff *skb, struct net_device *dev)
+ struct mvneta_port *pp = netdev_priv(dev);
+ u16 txq_id = skb_get_queue_mapping(skb);
+ struct mvneta_tx_queue *txq = &pp->txqs[txq_id];
++ struct mvneta_tx_buf *buf = &txq->buf[txq->txq_put_index];
+ struct mvneta_tx_desc *tx_desc;
+ int len = skb->len;
+ int frags = 0;
+@@ -2446,16 +2466,17 @@ static netdev_tx_t mvneta_tx(struct sk_buff *skb, struct net_device *dev)
+ goto out;
+ }
+
++ buf->type = MVNETA_TYPE_SKB;
+ if (frags == 1) {
+ /* First and Last descriptor */
+ tx_cmd |= MVNETA_TXD_FLZ_DESC;
+ tx_desc->command = tx_cmd;
+- txq->tx_skb[txq->txq_put_index] = skb;
++ buf->skb = skb;
+ mvneta_txq_inc_put(txq);
+ } else {
+ /* First but not Last */
+ tx_cmd |= MVNETA_TXD_F_DESC;
+- txq->tx_skb[txq->txq_put_index] = NULL;
++ buf->skb = NULL;
+ mvneta_txq_inc_put(txq);
+ tx_desc->command = tx_cmd;
+ /* Continue with other skb fragments */
+@@ -3000,9 +3021,8 @@ static int mvneta_txq_sw_init(struct mvneta_port *pp,
+
+ txq->last_desc = txq->size - 1;
+
+- txq->tx_skb = kmalloc_array(txq->size, sizeof(*txq->tx_skb),
+- GFP_KERNEL);
+- if (!txq->tx_skb) {
++ txq->buf = kmalloc_array(txq->size, sizeof(*txq->buf), GFP_KERNEL);
++ if (!txq->buf) {
+ dma_free_coherent(pp->dev->dev.parent,
+ txq->size * MVNETA_DESC_ALIGNED_SIZE,
+ txq->descs, txq->descs_phys);
+@@ -3014,7 +3034,7 @@ static int mvneta_txq_sw_init(struct mvneta_port *pp,
+ txq->size * TSO_HEADER_SIZE,
+ &txq->tso_hdrs_phys, GFP_KERNEL);
+ if (!txq->tso_hdrs) {
+- kfree(txq->tx_skb);
++ kfree(txq->buf);
+ dma_free_coherent(pp->dev->dev.parent,
+ txq->size * MVNETA_DESC_ALIGNED_SIZE,
+ txq->descs, txq->descs_phys);
+@@ -3069,7 +3089,7 @@ static void mvneta_txq_sw_deinit(struct mvneta_port *pp,
+ {
+ struct netdev_queue *nq = netdev_get_tx_queue(pp->dev, txq->id);
+
+- kfree(txq->tx_skb);
++ kfree(txq->buf);
+
+ if (txq->tso_hdrs)
+ dma_free_coherent(pp->dev->dev.parent,
+--
+2.39.2
+
diff --git a/queue-4.19/scsi-megaraid_sas-fix-crash-after-a-double-completio.patch b/queue-4.19/scsi-megaraid_sas-fix-crash-after-a-double-completio.patch
new file mode 100644
index 00000000000..182e8e653b0
--- /dev/null
+++ b/queue-4.19/scsi-megaraid_sas-fix-crash-after-a-double-completio.patch
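Review bot: mvneta_txq_bufs_free() tests and frees `buf->skb` without looking at `buf->type`, although the slot is now a union shared with `xdpf` and the array still comes from a non-zeroing `kmalloc_array()` in mvneta_txq_sw_init(). Every producer visible in these hunks (mvneta_tso_put_hdr, mvneta_tso_put_data, mvneta_tx_frag_process, mvneta_tx) writes `MVNETA_TYPE_SKB` together with an skb or NULL before advancing the put index, so the free path is correct as queued, but the invariant is unstated. I would add above the `if (!buf->skb)` test a comment such as `/* only MVNETA_TYPE_SKB slots are produced so far; check buf->type before adding an xdpf producer */`. Separately, no reset of `txq->buf` is visible after `kfree(txq->buf)` in mvneta_txq_sw_deinit(), and the Stable-dep-of trailer names a double-free fix for that function that is not among the six entries this commit adds to queue-4.19/series; worth confirming it is queued together with this prerequisite.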
@@ -0,0 +1,47 @@
+From 650a9550a2d8a815d23e7d60391af7162ebf3e64 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 24 Mar 2023 16:01:34 +0100
+Subject: scsi: megaraid_sas: Fix crash after a double completion
+
+From: Tomas Henzl
+
+[ Upstream commit 2309df27111a51734cb9240b4d3c25f2f3c6ab06 ]
+
+When a physical disk is attached directly "without JBOD MAP support" (see
+megasas_get_tm_devhandle()) then there is no real error handling in the
+driver. Return FAILED instead of SUCCESS.
+
+Fixes: 18365b138508 ("megaraid_sas: Task management support")
+Signed-off-by: Tomas Henzl
+Link: https://lore.kernel.org/r/20230324150134.14696-1-thenzl@redhat.com
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/megaraid/megaraid_sas_fusion.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/megaraid/megaraid_sas_fusion.c b/drivers/scsi/megaraid/megaraid_sas_fusion.c
+index bdb12bf0d5c75..b400167f9ad42 100644
+--- a/drivers/scsi/megaraid/megaraid_sas_fusion.c
++++ b/drivers/scsi/megaraid/megaraid_sas_fusion.c
+@@ -4367,7 +4367,7 @@ int megasas_task_abort_fusion(struct scsi_cmnd *scmd)
+ devhandle = megasas_get_tm_devhandle(scmd->device);
+
+ if (devhandle == (u16)ULONG_MAX) {
+- ret = SUCCESS;
++ ret = FAILED;
+ sdev_printk(KERN_INFO, scmd->device,
+ "task abort issued for invalid devhandle\n");
+ mutex_unlock(&instance->reset_mutex);
+@@ -4440,7 +4440,7 @@ int megasas_reset_target_fusion(struct scsi_cmnd *scmd)
+ devhandle = megasas_get_tm_devhandle(scmd->device);
+
+ if (devhandle == (u16)ULONG_MAX) {
+- ret = SUCCESS;
++ ret = FAILED;
+ sdev_printk(KERN_INFO, scmd->device,
+ "target reset issued for invalid devhandle\n");
+ mutex_unlock(&instance->reset_mutex);
+--
+2.39.2
+
diff --git a/queue-4.19/series b/queue-4.19/series
index bb0f150bb15..6d3da2155a8 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
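Review bot: Both `ret = FAILED;` assignments (in megasas_task_abort_fusion() and megasas_reset_target_fusion()) change what is reported back to the SCSI error handler, but the reason lives only in the commit description. I would add a comment above each, e.g. `/* no valid devhandle (see megasas_get_tm_devhandle()): the driver did no recovery, so do not report SUCCESS */`. The adjacent `sdev_printk()` calls still log at `KERN_INFO` although the path now ends in a failure; `KERN_WARNING` would make these events easier to find when triaging error-handler escalations. Both functions continue outside the hunks.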
@@ -60,3 +60,9 @@ fbdev-nvidia-fix-potential-divide-by-zero.patch
 fbdev-intelfb-fix-potential-divide-by-zero.patch
 fbdev-lxfb-fix-potential-divide-by-zero.patch
 fbdev-au1200fb-fix-potential-divide-by-zero.patch
+ca8210-fix-unsigned-mac_len-comparison-with-zero-in-.patch
+scsi-megaraid_sas-fix-crash-after-a-double-completio.patch
+can-bcm-bcm_tx_setup-fix-kmsan-uninit-value-in-vfs_w.patch
+i40e-fix-registers-dump-after-run-ethtool-adapter-se.patch
+net-dsa-mv88e6xxx-enable-igmp-snooping-on-user-ports.patch
+net-mvneta-make-tx-buffer-array-agnostic.patch
--
2.47.3