From 89aa57f883694c6fc35fea4a3f146d4cbc3427a8 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sat, 10 Sep 2022 19:50:46 -0400 Subject: [PATCH] Fixes for 5.10 
Signed-off-by: Sasha Levin --- ...ation-issue-time-instead-of-the-repl.patch | 125 +++++++++++ ...nform-the-delayed-registration-more-.patch | 58 ++++++ ...egister-card-again-for-iface-over-de.patch | 60 ++++++ ...a5d27_wlsom1-don-t-keep-ldo2-enabled.patch | 35 ++++ ...a5d27_wlsom1-specify-proper-regulato.patch | 84 ++++++++ ...a5d2_icp-don-t-keep-vdd_other-enable.patch | 36 ++++ ...a5d2_icp-specify-proper-regulator-ou.patch | 83 ++++++++ ...kontron-samx6i-remove-duplicated-nod.patch | 44 ++++ ...x-kernel-crash-during-module-removal.patch | 106 ++++++++++ ...nested-dead-lock-as-part-of-odp-flow.patch | 94 +++++++++ ...se-bitmap_free-instead-of-devm_kfree.patch | 37 ++++ ...of-bounds-read-when-setting-hmac-dat.patch | 78 +++++++ ...e-a-spinlock-to-guard-fep-ptp_clk_on.patch | 194 ++++++++++++++++++ ...filter-drop-dst-references-before-se.patch | 96 +++++++++ ...nf_conntrack_irc-fix-forged-ip-logic.patch | 43 ++++ ...les-clean-up-hook-list-when-offload-.patch | 68 ++++++ ...ression-that-causes-sporadic-request.patch | 79 +++++++ ...fix-uaf-when-detecting-digest-errors.patch | 39 ++++ ...uments-order-in-net-device-validatio.patch | 48 +++++ .../rdma-hns-fix-supported-page-size.patch | 37 ++++ ...wrong-fixed-value-of-qp-rq.wqe_shift.patch | 43 ++++ ...cal-port-to-one-when-accessing-count.patch | 53 +++++ ...a-siw-pass-a-pointer-to-virt_to_page.patch | 88 ++++++++ ...ator-core-clean-up-on-enable-failure.patch | 72 +++++++ ...ufficiently-large-sglist-in-rxkad_ve.patch | 58 ++++++ ...re-skb-len-before-calling-child-enqu.patch | 52 +++++ ...sume-the-skb-is-still-around-after-e.patch | 82 ++++++++ queue-5.10/series | 32 +++ ...rm-fix-refcount-leak-and-__iomem-lea.patch | 163 +++++++++++++++ ...timedout-after-spurious-non-sack-rto.patch | 129 ++++++++++++ ...compiler-warning-in-tee_shm_register.patch | 40 ++++ ...pc-fix-shift-wrapping-bug-in-map_get.patch | 36 ++++ ...-remove-hotplug-status-when-the-vif-.patch | 50 +++++ 33 files changed, 2342 insertions(+) create mode 
100644 queue-5.10/afs-use-the-operation-issue-time-instead-of-the-repl.patch create mode 100644 queue-5.10/alsa-usb-audio-inform-the-delayed-registration-more-.patch create mode 100644 queue-5.10/alsa-usb-audio-register-card-again-for-iface-over-de.patch create mode 100644 queue-5.10/arm-dts-at91-sama5d27_wlsom1-don-t-keep-ldo2-enabled.patch create mode 100644 queue-5.10/arm-dts-at91-sama5d27_wlsom1-specify-proper-regulato.patch create mode 100644 queue-5.10/arm-dts-at91-sama5d2_icp-don-t-keep-vdd_other-enable.patch create mode 100644 queue-5.10/arm-dts-at91-sama5d2_icp-specify-proper-regulator-ou.patch create mode 100644 queue-5.10/arm-dts-imx6qdl-kontron-samx6i-remove-duplicated-nod.patch create mode 100644 queue-5.10/i40e-fix-kernel-crash-during-module-removal.patch create mode 100644 queue-5.10/ib-core-fix-a-nested-dead-lock-as-part-of-odp-flow.patch create mode 100644 queue-5.10/ice-use-bitmap_free-instead-of-devm_kfree.patch create mode 100644 queue-5.10/ipv6-sr-fix-out-of-bounds-read-when-setting-hmac-dat.patch create mode 100644 queue-5.10/net-fec-use-a-spinlock-to-guard-fep-ptp_clk_on.patch create mode 100644 queue-5.10/netfilter-br_netfilter-drop-dst-references-before-se.patch create mode 100644 queue-5.10/netfilter-nf_conntrack_irc-fix-forged-ip-logic.patch create mode 100644 queue-5.10/netfilter-nf_tables-clean-up-hook-list-when-offload-.patch create mode 100644 queue-5.10/nvme-tcp-fix-regression-that-causes-sporadic-request.patch create mode 100644 queue-5.10/nvme-tcp-fix-uaf-when-detecting-digest-errors.patch create mode 100644 queue-5.10/rdma-cma-fix-arguments-order-in-net-device-validatio.patch create mode 100644 queue-5.10/rdma-hns-fix-supported-page-size.patch create mode 100644 queue-5.10/rdma-hns-fix-wrong-fixed-value-of-qp-rq.wqe_shift.patch create mode 100644 queue-5.10/rdma-mlx5-set-local-port-to-one-when-accessing-count.patch create mode 100644 queue-5.10/rdma-siw-pass-a-pointer-to-virt_to_page.patch create mode 100644 
queue-5.10/regulator-core-clean-up-on-enable-failure.patch create mode 100644 queue-5.10/rxrpc-fix-an-insufficiently-large-sglist-in-rxkad_ve.patch create mode 100644 queue-5.10/sch_sfb-also-store-skb-len-before-calling-child-enqu.patch create mode 100644 queue-5.10/sch_sfb-don-t-assume-the-skb-is-still-around-after-e.patch create mode 100644 queue-5.10/soc-brcmstb-pm-arm-fix-refcount-leak-and-__iomem-lea.patch create mode 100644 queue-5.10/tcp-fix-early-etimedout-after-spurious-non-sack-rto.patch create mode 100644 queue-5.10/tee-fix-compiler-warning-in-tee_shm_register.patch create mode 100644 queue-5.10/tipc-fix-shift-wrapping-bug-in-map_get.patch create mode 100644 queue-5.10/xen-netback-only-remove-hotplug-status-when-the-vif-.patch diff --git a/queue-5.10/afs-use-the-operation-issue-time-instead-of-the-repl.patch b/queue-5.10/afs-use-the-operation-issue-time-instead-of-the-repl.patch new file mode 100644 index 00000000000..63a18d940d3 --- /dev/null +++ b/queue-5.10/afs-use-the-operation-issue-time-instead-of-the-repl.patch 
@@ -0,0 +1,125 @@ +From a7f6821a86ad7671ebbd8de78386ef0e9536539c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Aug 2022 13:16:42 +0100 +Subject: afs: Use the operation issue time instead of the reply time for + callbacks + +From: David Howells + +[ Upstream commit 7903192c4b4a82d792cb0dc5e2779a2efe60d45b ] + +rxrpc and kafs between them try to use the receive timestamp on the first +data packet (ie. the one with sequence number 1) as a base from which to +calculate the time at which callback promise and lock expiration occurs. + +However, we don't know how long it took for the server to send us the reply +from it having completed the basic part of the operation - it might then, +for instance, have to send a bunch of a callback breaks, depending on the +particular operation. + +Fix this by using the time at which the operation is issued on the client +as a base instead. That should never be longer than the server's idea of +the expiry time. + +Fixes: 781070551c26 ("afs: Fix calculation of callback expiry time") +Fixes: 2070a3e44962 ("rxrpc: Allow the reply time to be obtained on a client call") +Suggested-by: Jeffrey E Altman +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +--- + fs/afs/flock.c | 2 +- + fs/afs/fsclient.c | 2 +- + fs/afs/internal.h | 3 +-- + fs/afs/rxrpc.c | 7 +------ + fs/afs/yfsclient.c | 3 +-- + 5 files changed, 5 insertions(+), 12 deletions(-) + +diff --git a/fs/afs/flock.c b/fs/afs/flock.c +index cb3054c7843ea..466ad609f2057 100644 +--- a/fs/afs/flock.c ++++ b/fs/afs/flock.c +@@ -76,7 +76,7 @@ void afs_lock_op_done(struct afs_call *call) + if (call->error == 0) { + spin_lock(&vnode->lock); + trace_afs_flock_ev(vnode, NULL, afs_flock_timestamp, 0); +- vnode->locked_at = call->reply_time; ++ vnode->locked_at = call->issue_time; + afs_schedule_lock_extension(vnode); + spin_unlock(&vnode->lock); + } +diff --git a/fs/afs/fsclient.c b/fs/afs/fsclient.c +index 1d95ed9dd86e6..0048a32cb040e 100644 +--- a/fs/afs/fsclient.c ++++ 
b/fs/afs/fsclient.c +@@ -130,7 +130,7 @@ static void xdr_decode_AFSFetchStatus(const __be32 **_bp, + + static time64_t xdr_decode_expiry(struct afs_call *call, u32 expiry) + { +- return ktime_divns(call->reply_time, NSEC_PER_SEC) + expiry; ++ return ktime_divns(call->issue_time, NSEC_PER_SEC) + expiry; + } + + static void xdr_decode_AFSCallBack(const __be32 **_bp, +diff --git a/fs/afs/internal.h b/fs/afs/internal.h +index dc08a3d9b3a8b..637cbe549397c 100644 +--- a/fs/afs/internal.h ++++ b/fs/afs/internal.h +@@ -135,7 +135,6 @@ struct afs_call { + bool need_attention; /* T if RxRPC poked us */ + bool async; /* T if asynchronous */ + bool upgrade; /* T to request service upgrade */ +- bool have_reply_time; /* T if have got reply_time */ + bool intr; /* T if interruptible */ + bool unmarshalling_error; /* T if an unmarshalling error occurred */ + u16 service_id; /* Actual service ID (after upgrade) */ +@@ -149,7 +148,7 @@ struct afs_call { + } __attribute__((packed)); + __be64 tmp64; + }; +- ktime_t reply_time; /* Time of first reply packet */ ++ ktime_t issue_time; /* Time of issue of operation */ + }; + + struct afs_call_type { +diff --git a/fs/afs/rxrpc.c b/fs/afs/rxrpc.c +index efe0fb3ad8bdc..535d28b44bca3 100644 +--- a/fs/afs/rxrpc.c ++++ b/fs/afs/rxrpc.c +@@ -429,6 +429,7 @@ void afs_make_call(struct afs_addr_cursor *ac, struct afs_call *call, gfp_t gfp) + if (call->max_lifespan) + rxrpc_kernel_set_max_life(call->net->socket, rxcall, + call->max_lifespan); ++ call->issue_time = ktime_get_real(); + + /* send the request */ + iov[0].iov_base = call->request; +@@ -533,12 +534,6 @@ static void afs_deliver_to_call(struct afs_call *call) + return; + } + +- if (!call->have_reply_time && +- rxrpc_kernel_get_reply_time(call->net->socket, +- call->rxcall, +- &call->reply_time)) +- call->have_reply_time = true; +- + ret = call->type->deliver(call); + state = READ_ONCE(call->state); + if (ret == 0 && call->unmarshalling_error) +diff --git a/fs/afs/yfsclient.c 
b/fs/afs/yfsclient.c +index bd787e71a657f..5b2ef5ffd716f 100644 +--- a/fs/afs/yfsclient.c ++++ b/fs/afs/yfsclient.c +@@ -239,8 +239,7 @@ static void xdr_decode_YFSCallBack(const __be32 **_bp, + struct afs_callback *cb = &scb->callback; + ktime_t cb_expiry; + +- cb_expiry = call->reply_time; +- cb_expiry = ktime_add(cb_expiry, xdr_to_u64(x->expiration_time) * 100); ++ cb_expiry = ktime_add(call->issue_time, xdr_to_u64(x->expiration_time) * 100); + cb->expires_at = ktime_divns(cb_expiry, NSEC_PER_SEC); + scb->have_cb = true; + *_bp += xdr_size(x); +-- +2.35.1 + diff --git a/queue-5.10/alsa-usb-audio-inform-the-delayed-registration-more-.patch b/queue-5.10/alsa-usb-audio-inform-the-delayed-registration-more-.patch new file mode 100644 index 00000000000..8e113a18f0f --- /dev/null +++ b/queue-5.10/alsa-usb-audio-inform-the-delayed-registration-more-.patch 
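Review bot: In the fs/afs/yfsclient.c hunk, `xdr_to_u64(x->expiration_time) * 100` is decoded from the server reply and is multiplied and added to `call->issue_time` with no upper bound, so an oversized value from a faulty or hostile server could wrap the signed ktime_t and yield a wrong `cb->expires_at`. The commit keeps that arithmetic and only changes the base, so this is a follow-up rather than a regression; clamping the decoded expiration before the multiply would close it. Separately, the new `call->issue_time = ktime_get_real();` in afs_make_call deserves a comment such as `/* expiry base: issue time is never later than when the server started the promise */`, because the reason for preferring it over the reply time is recorded only in the commit message. The bodies of afs_make_call and xdr_decode_YFSCallBack continue outside the hunks.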
@@ -0,0 +1,58 @@ +From 0a1e3f9f6e2db3f58c14ca1823da293798a2818f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Aug 2022 14:59:00 +0200 +Subject: ALSA: usb-audio: Inform the delayed registration more properly + +From: Takashi Iwai + +[ Upstream commit 7e1afce5866e02b45bf88c27dd7de1b9dfade1cc ] + +The info message that was added in the commit a4aad5636c72 ("ALSA: +usb-audio: Inform devices that need delayed registration") is actually +useful to know the need for the delayed registration. However, it +turned out that this doesn't catch the all cases; namely, this warned +only when a PCM stream is attached onto the existing PCM instance, but +it doesn't count for a newly created PCM instance. This made +confusion as if there were no further delayed registration. + +This patch moves the check to the code path for either adding a stream +or creating a PCM instance. Also, make it simpler by checking the +card->registered flag instead of querying each snd_device state. + +Fixes: a4aad5636c72 ("ALSA: usb-audio: Inform devices that need delayed registration") +Link: https://bugzilla.kernel.org/show_bug.cgi?id=216082 +Link: https://lore.kernel.org/r/20220831125901.4660-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/usb/stream.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/sound/usb/stream.c b/sound/usb/stream.c +index 7711184a0d0bf..c4f4585f9b851 100644 +--- a/sound/usb/stream.c ++++ b/sound/usb/stream.c +@@ -496,6 +496,10 @@ static int __snd_usb_add_audio_stream(struct snd_usb_audio *chip, + return 0; + } + } ++ ++ if (chip->card->registered) ++ chip->need_delayed_register = true; ++ + /* look for an empty stream */ + list_for_each_entry(as, &chip->pcm_list, list) { + if (as->fmt_type != fp->fmt_type) +@@ -503,9 +507,6 @@ static int __snd_usb_add_audio_stream(struct snd_usb_audio *chip, + subs = &as->substream[stream]; + if (subs->ep_num) + continue; +- if (snd_device_get_state(chip->card, 
as->pcm) != +- SNDRV_DEV_BUILD) +- chip->need_delayed_register = true; + err = snd_pcm_new_stream(as->pcm, stream, 1); + if (err < 0) + return err; +-- +2.35.1 + diff --git a/queue-5.10/alsa-usb-audio-register-card-again-for-iface-over-de.patch b/queue-5.10/alsa-usb-audio-register-card-again-for-iface-over-de.patch new file mode 100644 index 00000000000..fde0c0cd1eb --- /dev/null +++ b/queue-5.10/alsa-usb-audio-register-card-again-for-iface-over-de.patch 
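Review bot: The new `if (chip->card->registered) chip->need_delayed_register = true;` in __snd_usb_add_audio_stream runs before `snd_pcm_new_stream()` and before the PCM-creation path, so the flag stays set even when those later steps fail and nothing was added. That looks harmless if the flag only triggers an extra registration pass, but its consumer is outside the hunk and worth checking. The block also has no comment; something like `/* card already registered: anything added from here on needs a later snd_card_register() */` would explain why the check sits above the loop. The function body continues outside the hunk.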
@@ -0,0 +1,60 @@ +From 03d25c35d8f6983bd668c8617c160cc1d3f6bbe7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Aug 2022 14:59:01 +0200 +Subject: ALSA: usb-audio: Register card again for iface over delayed_register + option + +From: Takashi Iwai + +[ Upstream commit 2027f114686e0f3f1f39971964dfc618637c88c2 ] + +When the delayed registration is specified via either delayed_register +option or the quirk, we delay the invocation of snd_card_register() +until the given interface. But if a wrong value has been set there +and there are more interfaces over the given interface number, +snd_card_register() call would be missing for those interfaces. + +This patch catches up those missing calls by fixing the comparison of +the interface number. Now the call is skipped only if the processed +interface is less than the given interface, instead of the exact +match. + +Fixes: b70038ef4fea ("ALSA: usb-audio: Add delayed_register option") +Link: https://bugzilla.kernel.org/show_bug.cgi?id=216082 +Link: https://lore.kernel.org/r/20220831125901.4660-2-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/usb/card.c | 2 +- + sound/usb/quirks.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sound/usb/card.c b/sound/usb/card.c +index a3e06a71cf356..6b172db58a310 100644 +--- a/sound/usb/card.c ++++ b/sound/usb/card.c +@@ -667,7 +667,7 @@ static bool check_delayed_register_option(struct snd_usb_audio *chip, int iface) + if (delayed_register[i] && + sscanf(delayed_register[i], "%x:%x", &id, &inum) == 2 && + id == chip->usb_id) +- return inum != iface; ++ return iface < inum; + } + + return false; +diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c +index 6333a2ecb848a..41f5d8242478f 100644 +--- a/sound/usb/quirks.c ++++ b/sound/usb/quirks.c +@@ -1911,7 +1911,7 @@ bool snd_usb_registration_quirk(struct snd_usb_audio *chip, int iface) + + for (q = registration_quirks; q->usb_id; q++) + if (chip->usb_id == q->usb_id) +- 
return iface != q->interface; ++ return iface < q->interface; + + /* Register as normal */ + return false; +-- +2.35.1 + diff --git a/queue-5.10/arm-dts-at91-sama5d27_wlsom1-don-t-keep-ldo2-enabled.patch b/queue-5.10/arm-dts-at91-sama5d27_wlsom1-don-t-keep-ldo2-enabled.patch new file mode 100644 index 00000000000..655ea02ae92 --- /dev/null +++ b/queue-5.10/arm-dts-at91-sama5d27_wlsom1-don-t-keep-ldo2-enabled.patch @@ -0,0 +1,35 @@ +From 0f6387647a794a3b8cd5d04e9d3851a2ff9bc74e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Aug 2022 11:39:25 +0300 +Subject: ARM: dts: at91: sama5d27_wlsom1: don't keep ldo2 enabled all the time + +From: Claudiu Beznea + +[ Upstream commit 617a0d9fe6867bf5b3b7272629cd780c27c877d9 ] + +ldo2 is not used by any consumer on sama5d27_wlsom1 board, thus +don't keep it enabled all the time. + +Fixes: 5d4c3cfb63fe ("ARM: dts: at91: sama5d27_wlsom1: add SAMA5D27 wlsom1 and wlsom1-ek") +Signed-off-by: Claudiu Beznea +Link: https://lore.kernel.org/r/20220826083927.3107272-8-claudiu.beznea@microchip.com +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/at91-sama5d27_wlsom1.dtsi | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/arch/arm/boot/dts/at91-sama5d27_wlsom1.dtsi b/arch/arm/boot/dts/at91-sama5d27_wlsom1.dtsi +index 7f16d62bb1a1a..9c8b3eb49ea30 100644 +--- a/arch/arm/boot/dts/at91-sama5d27_wlsom1.dtsi ++++ b/arch/arm/boot/dts/at91-sama5d27_wlsom1.dtsi +@@ -163,7 +163,6 @@ + regulator-name = "LDO2"; + regulator-min-microvolt = <1800000>; + regulator-max-microvolt = <3300000>; +- regulator-always-on; + + regulator-state-standby { + regulator-on-in-suspend; +-- +2.35.1 + diff --git a/queue-5.10/arm-dts-at91-sama5d27_wlsom1-specify-proper-regulato.patch b/queue-5.10/arm-dts-at91-sama5d27_wlsom1-specify-proper-regulato.patch new file mode 100644 index 00000000000..94dcee4dc91 --- /dev/null +++ b/queue-5.10/arm-dts-at91-sama5d27_wlsom1-specify-proper-regulato.patch 
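Review bot: `return iface < inum;` in check_delayed_register_option, like `return iface < q->interface;` in snd_usb_registration_quirk, still returns true for every interface when the configured number is higher than any interface the device exposes. Registration would then stay skipped for the whole card unless the caller, which is outside these hunks, has a fallback for the last interface. `inum` is filled by `sscanf(..., "%x:%x", &id, &inum)`, which implies an unsigned type while `iface` is `int`; the declaration is not visible here, but if so the comparison is done unsigned, and a range check on the parsed value would make the intent explicit. A short comment above each return, for example `/* skip registration until the configured interface is reached */`, would document the new semantics.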
@@ -0,0 +1,84 @@ +From 3b1c66b997bd88172a0246b9aa99145234d1c389 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Aug 2022 11:39:22 +0300 +Subject: ARM: dts: at91: sama5d27_wlsom1: specify proper regulator output + ranges + +From: Claudiu Beznea + +[ Upstream commit addf7efec23af2b67547800aa232d551945e7de2 ] + +Min and max output ranges of regulators need to satisfy board +requirements not PMIC requirements. Thus adjust device tree to +cope with this. + +Fixes: 5d4c3cfb63fe ("ARM: dts: at91: sama5d27_wlsom1: add SAMA5D27 wlsom1 and wlsom1-ek") +Signed-off-by: Claudiu Beznea +Link: https://lore.kernel.org/r/20220826083927.3107272-5-claudiu.beznea@microchip.com +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/at91-sama5d27_wlsom1.dtsi | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/arch/arm/boot/dts/at91-sama5d27_wlsom1.dtsi b/arch/arm/boot/dts/at91-sama5d27_wlsom1.dtsi +index a06700e53e4c3..7f16d62bb1a1a 100644 +--- a/arch/arm/boot/dts/at91-sama5d27_wlsom1.dtsi ++++ b/arch/arm/boot/dts/at91-sama5d27_wlsom1.dtsi +@@ -62,8 +62,8 @@ + regulators { + vdd_3v3: VDD_IO { + regulator-name = "VDD_IO"; +- regulator-min-microvolt = <1200000>; +- regulator-max-microvolt = <3700000>; ++ regulator-min-microvolt = <3300000>; ++ regulator-max-microvolt = <3300000>; + regulator-initial-mode = <2>; + regulator-allowed-modes = <2>, <4>; + regulator-always-on; +@@ -81,8 +81,8 @@ + + vddio_ddr: VDD_DDR { + regulator-name = "VDD_DDR"; +- regulator-min-microvolt = <600000>; +- regulator-max-microvolt = <1850000>; ++ regulator-min-microvolt = <1200000>; ++ regulator-max-microvolt = <1200000>; + regulator-initial-mode = <2>; + regulator-allowed-modes = <2>, <4>; + regulator-always-on; +@@ -104,8 +104,8 @@ + + vdd_core: VDD_CORE { + regulator-name = "VDD_CORE"; +- regulator-min-microvolt = <600000>; +- regulator-max-microvolt = <1850000>; ++ regulator-min-microvolt = <1250000>; ++ regulator-max-microvolt = <1250000>; + 
regulator-initial-mode = <2>; + regulator-allowed-modes = <2>, <4>; + regulator-always-on; +@@ -146,8 +146,8 @@ + + LDO1 { + regulator-name = "LDO1"; +- regulator-min-microvolt = <1200000>; +- regulator-max-microvolt = <3700000>; ++ regulator-min-microvolt = <3300000>; ++ regulator-max-microvolt = <3300000>; + regulator-always-on; + + regulator-state-standby { +@@ -161,8 +161,8 @@ + + LDO2 { + regulator-name = "LDO2"; +- regulator-min-microvolt = <1200000>; +- regulator-max-microvolt = <3700000>; ++ regulator-min-microvolt = <1800000>; ++ regulator-max-microvolt = <3300000>; + regulator-always-on; + + regulator-state-standby { +-- +2.35.1 + diff --git a/queue-5.10/arm-dts-at91-sama5d2_icp-don-t-keep-vdd_other-enable.patch b/queue-5.10/arm-dts-at91-sama5d2_icp-don-t-keep-vdd_other-enable.patch new file mode 100644 index 00000000000..c2e69754bc4 --- /dev/null +++ b/queue-5.10/arm-dts-at91-sama5d2_icp-don-t-keep-vdd_other-enable.patch 
@@ -0,0 +1,36 @@ +From edb7726d7065f07df7bbc26c18f01c2c3243c29c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Aug 2022 11:39:26 +0300 +Subject: ARM: dts: at91: sama5d2_icp: don't keep vdd_other enabled all the + time + +From: Claudiu Beznea + +[ Upstream commit 3d074b750d2b4c91962f10ea1df1c289ce0d3ce8 ] + +VDD_OTHER is not connected to any on board consumer thus it is not +needed to keep it enabled all the time. + +Fixes: 68a95ef72cef ("ARM: dts: at91: sama5d2-icp: add SAMA5D2-ICP") +Signed-off-by: Claudiu Beznea +Link: https://lore.kernel.org/r/20220826083927.3107272-9-claudiu.beznea@microchip.com +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/at91-sama5d2_icp.dts | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/arch/arm/boot/dts/at91-sama5d2_icp.dts b/arch/arm/boot/dts/at91-sama5d2_icp.dts +index 9fbcd107d1afb..00b9e88ff5451 100644 +--- a/arch/arm/boot/dts/at91-sama5d2_icp.dts ++++ b/arch/arm/boot/dts/at91-sama5d2_icp.dts +@@ -256,7 +256,6 @@ + regulator-max-microvolt = <1850000>; + regulator-initial-mode = <2>; + regulator-allowed-modes = <2>, <4>; +- regulator-always-on; + + regulator-state-standby { + regulator-on-in-suspend; +-- +2.35.1 + diff --git a/queue-5.10/arm-dts-at91-sama5d2_icp-specify-proper-regulator-ou.patch b/queue-5.10/arm-dts-at91-sama5d2_icp-specify-proper-regulator-ou.patch new file mode 100644 index 00000000000..0f36c48fcb4 --- /dev/null +++ b/queue-5.10/arm-dts-at91-sama5d2_icp-specify-proper-regulator-ou.patch 
@@ -0,0 +1,83 @@ +From 82d8dd4e157ca6c3181b536fcbafcbfab5aaf121 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Aug 2022 11:39:23 +0300 +Subject: ARM: dts: at91: sama5d2_icp: specify proper regulator output ranges + +From: Claudiu Beznea + +[ Upstream commit 7737d93666eea282febf95e5fa3b3fde1f2549f3 ] + +Min and max output ranges of regulators need to satisfy board +requirements not PMIC requirements. Thus adjust device tree to +cope with this. + +Fixes: 68a95ef72cef ("ARM: dts: at91: sama5d2-icp: add SAMA5D2-ICP") +Signed-off-by: Claudiu Beznea +Link: https://lore.kernel.org/r/20220826083927.3107272-6-claudiu.beznea@microchip.com +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/at91-sama5d2_icp.dts | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/arch/arm/boot/dts/at91-sama5d2_icp.dts b/arch/arm/boot/dts/at91-sama5d2_icp.dts +index 634411d13b4aa..9fbcd107d1afb 100644 +--- a/arch/arm/boot/dts/at91-sama5d2_icp.dts ++++ b/arch/arm/boot/dts/at91-sama5d2_icp.dts +@@ -195,8 +195,8 @@ + regulators { + vdd_io_reg: VDD_IO { + regulator-name = "VDD_IO"; +- regulator-min-microvolt = <1200000>; +- regulator-max-microvolt = <3700000>; ++ regulator-min-microvolt = <3300000>; ++ regulator-max-microvolt = <3300000>; + regulator-initial-mode = <2>; + regulator-allowed-modes = <2>, <4>; + regulator-always-on; +@@ -214,8 +214,8 @@ + + VDD_DDR { + regulator-name = "VDD_DDR"; +- regulator-min-microvolt = <600000>; +- regulator-max-microvolt = <1850000>; ++ regulator-min-microvolt = <1350000>; ++ regulator-max-microvolt = <1350000>; + regulator-initial-mode = <2>; + regulator-allowed-modes = <2>, <4>; + regulator-always-on; +@@ -233,8 +233,8 @@ + + VDD_CORE { + regulator-name = "VDD_CORE"; +- regulator-min-microvolt = <600000>; +- regulator-max-microvolt = <1850000>; ++ regulator-min-microvolt = <1250000>; ++ regulator-max-microvolt = <1250000>; + regulator-initial-mode = <2>; + regulator-allowed-modes = <2>, <4>; + 
regulator-always-on; +@@ -271,8 +271,8 @@ + + LDO1 { + regulator-name = "LDO1"; +- regulator-min-microvolt = <1200000>; +- regulator-max-microvolt = <3700000>; ++ regulator-min-microvolt = <2500000>; ++ regulator-max-microvolt = <2500000>; + regulator-always-on; + + regulator-state-standby { +@@ -286,8 +286,8 @@ + + LDO2 { + regulator-name = "LDO2"; +- regulator-min-microvolt = <1200000>; +- regulator-max-microvolt = <3700000>; ++ regulator-min-microvolt = <3300000>; ++ regulator-max-microvolt = <3300000>; + regulator-always-on; + + regulator-state-standby { +-- +2.35.1 + diff --git a/queue-5.10/arm-dts-imx6qdl-kontron-samx6i-remove-duplicated-nod.patch b/queue-5.10/arm-dts-imx6qdl-kontron-samx6i-remove-duplicated-nod.patch new file mode 100644 index 00000000000..3cc72659248 --- /dev/null +++ b/queue-5.10/arm-dts-imx6qdl-kontron-samx6i-remove-duplicated-nod.patch 
@@ -0,0 +1,44 @@ +From 6839e12b0d2a987f8dc19e5f023cff98cd50df4a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Jul 2022 15:05:21 +0200 +Subject: ARM: dts: imx6qdl-kontron-samx6i: remove duplicated node + +From: Marco Felsch + +[ Upstream commit 204f67d86f55dd4fa757ed04757d7273f71a169c ] + +The regulator node 'regulator-3p3v-s0' was dupplicated. Remove it to +clean the DTS. + +Fixes: 2a51f9dae13d ("ARM: dts: imx6qdl-kontron-samx6i: Add iMX6-based Kontron SMARC-sAMX6i module") +Signed-off-by: Marco Felsch +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx6qdl-kontron-samx6i.dtsi | 10 ---------- + 1 file changed, 10 deletions(-) + +diff --git a/arch/arm/boot/dts/imx6qdl-kontron-samx6i.dtsi b/arch/arm/boot/dts/imx6qdl-kontron-samx6i.dtsi +index 92f9977d14822..e9a4115124eb0 100644 +--- a/arch/arm/boot/dts/imx6qdl-kontron-samx6i.dtsi ++++ b/arch/arm/boot/dts/imx6qdl-kontron-samx6i.dtsi +@@ -51,16 +51,6 @@ + vin-supply = <®_3p3v_s5>; + }; + +- reg_3p3v_s0: regulator-3p3v-s0 { +- compatible = "regulator-fixed"; +- regulator-name = "V_3V3_S0"; +- regulator-min-microvolt = <3300000>; +- regulator-max-microvolt = <3300000>; +- regulator-always-on; +- regulator-boot-on; +- vin-supply = <®_3p3v_s5>; +- }; +- + reg_3p3v_s5: regulator-3p3v-s5 { + compatible = "regulator-fixed"; + regulator-name = "V_3V3_S5"; +-- +2.35.1 + diff --git a/queue-5.10/i40e-fix-kernel-crash-during-module-removal.patch b/queue-5.10/i40e-fix-kernel-crash-during-module-removal.patch new file mode 100644 index 00000000000..3f66d4c75db --- /dev/null +++ b/queue-5.10/i40e-fix-kernel-crash-during-module-removal.patch 
@@ -0,0 +1,106 @@ +From 2b94ace13aead670eff6557dda16ca13fcb08b7f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Aug 2022 18:22:30 +0200 +Subject: i40e: Fix kernel crash during module removal + +From: Ivan Vecera + +[ Upstream commit fb8396aeda5872369a8ed6d2301e2c86e303c520 ] + +The driver incorrectly frees client instance and subsequent +i40e module removal leads to kernel crash. + +Reproducer: +1. Do ethtool offline test followed immediately by another one +host# ethtool -t eth0 offline; ethtool -t eth0 offline +2. Remove recursively irdma module that also removes i40e module +host# modprobe -r irdma + +Result: +[ 8675.035651] i40e 0000:3d:00.0 eno1: offline testing starting +[ 8675.193774] i40e 0000:3d:00.0 eno1: testing finished +[ 8675.201316] i40e 0000:3d:00.0 eno1: offline testing starting +[ 8675.358921] i40e 0000:3d:00.0 eno1: testing finished +[ 8675.496921] i40e 0000:3d:00.0: IRDMA hardware initialization FAILED init_state=2 status=-110 +[ 8686.188955] i40e 0000:3d:00.1: i40e_ptp_stop: removed PHC on eno2 +[ 8686.943890] i40e 0000:3d:00.1: Deleted LAN device PF1 bus=0x3d dev=0x00 func=0x01 +[ 8686.952669] i40e 0000:3d:00.0: i40e_ptp_stop: removed PHC on eno1 +[ 8687.761787] BUG: kernel NULL pointer dereference, address: 0000000000000030 +[ 8687.768755] #PF: supervisor read access in kernel mode +[ 8687.773895] #PF: error_code(0x0000) - not-present page +[ 8687.779034] PGD 0 P4D 0 +[ 8687.781575] Oops: 0000 [#1] PREEMPT SMP NOPTI +[ 8687.785935] CPU: 51 PID: 172891 Comm: rmmod Kdump: loaded Tainted: G W I 5.19.0+ #2 +[ 8687.794800] Hardware name: Intel Corporation S2600WFD/S2600WFD, BIOS SE5C620.86B.0X.02.0001.051420190324 05/14/2019 +[ 8687.805222] RIP: 0010:i40e_lan_del_device+0x13/0xb0 [i40e] +[ 8687.810719] Code: d4 84 c0 0f 84 b8 25 01 00 e9 9c 25 01 00 41 bc f4 ff ff ff eb 91 90 0f 1f 44 00 00 41 54 55 53 48 8b 87 58 08 00 00 48 89 fb <48> 8b 68 30 48 89 ef e8 21 8a 0f d5 48 89 ef e8 a9 78 0f d5 48 8b +[ 8687.829462] RSP: 
0018:ffffa604072efce0 EFLAGS: 00010202 +[ 8687.834689] RAX: 0000000000000000 RBX: ffff8f43833b2000 RCX: 0000000000000000 +[ 8687.841821] RDX: 0000000000000000 RSI: ffff8f4b0545b298 RDI: ffff8f43833b2000 +[ 8687.848955] RBP: ffff8f43833b2000 R08: 0000000000000001 R09: 0000000000000000 +[ 8687.856086] R10: 0000000000000000 R11: 000ffffffffff000 R12: ffff8f43833b2ef0 +[ 8687.863218] R13: ffff8f43833b2ef0 R14: ffff915103966000 R15: ffff8f43833b2008 +[ 8687.870342] FS: 00007f79501c3740(0000) GS:ffff8f4adffc0000(0000) knlGS:0000000000000000 +[ 8687.878427] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 8687.884174] CR2: 0000000000000030 CR3: 000000014276e004 CR4: 00000000007706e0 +[ 8687.891306] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 8687.898441] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 8687.905572] PKRU: 55555554 +[ 8687.908286] Call Trace: +[ 8687.910737] +[ 8687.912843] i40e_remove+0x2c0/0x330 [i40e] +[ 8687.917040] pci_device_remove+0x33/0xa0 +[ 8687.920962] device_release_driver_internal+0x1aa/0x230 +[ 8687.926188] driver_detach+0x44/0x90 +[ 8687.929770] bus_remove_driver+0x55/0xe0 +[ 8687.933693] pci_unregister_driver+0x2a/0xb0 +[ 8687.937967] i40e_exit_module+0xc/0xf48 [i40e] + +Two offline tests cause IRDMA driver failure (ETIMEDOUT) and this +failure is indicated back to i40e_client_subtask() that calls +i40e_client_del_instance() to free client instance referenced +by pf->cinst and sets this pointer to NULL. During the module +removal i40e_remove() calls i40e_lan_del_device() that dereferences +pf->cinst that is NULL -> crash. +Do not remove client instance when client open callbacks fails and +just clear __I40E_CLIENT_INSTANCE_OPENED bit. The driver also needs +to take care about this situation (when netdev is up and client +is NOT opened) in i40e_notify_client_of_netdev_close() and +calls client close callback only when __I40E_CLIENT_INSTANCE_OPENED +is set. 
+ +Fixes: 0ef2d5afb12d ("i40e: KISS the client interface") +Signed-off-by: Ivan Vecera +Tested-by: Helena Anna Dubel +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_client.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_client.c b/drivers/net/ethernet/intel/i40e/i40e_client.c +index 32f3facbed1a5..b3cb5d1033260 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_client.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_client.c +@@ -178,6 +178,10 @@ void i40e_notify_client_of_netdev_close(struct i40e_vsi *vsi, bool reset) + "Cannot locate client instance close routine\n"); + return; + } ++ if (!test_bit(__I40E_CLIENT_INSTANCE_OPENED, &cdev->state)) { ++ dev_dbg(&pf->pdev->dev, "Client is not open, abort close\n"); ++ return; ++ } + cdev->client->ops->close(&cdev->lan_info, cdev->client, reset); + clear_bit(__I40E_CLIENT_INSTANCE_OPENED, &cdev->state); + i40e_client_release_qvlist(&cdev->lan_info); +@@ -374,7 +378,6 @@ void i40e_client_subtask(struct i40e_pf *pf) + /* Remove failed client instance */ + clear_bit(__I40E_CLIENT_INSTANCE_OPENED, + &cdev->state); +- i40e_client_del_instance(pf); + return; + } + } +-- +2.35.1 + diff --git a/queue-5.10/ib-core-fix-a-nested-dead-lock-as-part-of-odp-flow.patch b/queue-5.10/ib-core-fix-a-nested-dead-lock-as-part-of-odp-flow.patch new file mode 100644 index 00000000000..62703b200de --- /dev/null +++ b/queue-5.10/ib-core-fix-a-nested-dead-lock-as-part-of-odp-flow.patch 
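Review bot: After the i40e_client_subtask hunk drops `i40e_client_del_instance(pf)`, a client whose open callback failed stays allocated with `pf->cinst` non-NULL and only `__I40E_CLIENT_INSTANCE_OPENED` cleared. Only i40e_notify_client_of_netdev_close gains a guard for that state, so the other notifier paths that reach `cdev->client->ops`, none of them visible here, should be checked for the same assumption. The retained comment `/* Remove failed client instance */` is now stale; I would change it to `/* Open failed: clear OPENED but keep the instance, i40e_lan_del_device() dereferences pf->cinst */`. The new `test_bit()` guard and the later `clear_bit()` are separate steps, so if close notifications can run concurrently (not determinable from the hunk), two callers could both pass the test. Both function bodies continue outside the hunks.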
@@ -0,0 +1,94 @@ +From 431f979ff71b56e6305a18cc9374530b2d2d7638 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Aug 2022 09:10:36 +0300 +Subject: IB/core: Fix a nested dead lock as part of ODP flow + +From: Yishai Hadas + +[ Upstream commit 85eaeb5058f0f04dffb124c97c86b4f18db0b833 ] + +Fix a nested dead lock as part of ODP flow by using mmput_async(). + +From the below call trace [1] can see that calling mmput() once we have +the umem_odp->umem_mutex locked as required by +ib_umem_odp_map_dma_and_lock() might trigger in the same task the +exit_mmap()->__mmu_notifier_release()->mlx5_ib_invalidate_range() which +may dead lock when trying to lock the same mutex. + +Moving to use mmput_async() will solve the problem as the above +exit_mmap() flow will be called in other task and will be executed once +the lock will be available. + +[1] +[64843.077665] task:kworker/u133:2 state:D stack: 0 pid:80906 ppid: +2 flags:0x00004000 +[64843.077672] Workqueue: mlx5_ib_page_fault mlx5_ib_eqe_pf_action [mlx5_ib] +[64843.077719] Call Trace: +[64843.077722] +[64843.077724] __schedule+0x23d/0x590 +[64843.077729] schedule+0x4e/0xb0 +[64843.077735] schedule_preempt_disabled+0xe/0x10 +[64843.077740] __mutex_lock.constprop.0+0x263/0x490 +[64843.077747] __mutex_lock_slowpath+0x13/0x20 +[64843.077752] mutex_lock+0x34/0x40 +[64843.077758] mlx5_ib_invalidate_range+0x48/0x270 [mlx5_ib] +[64843.077808] __mmu_notifier_release+0x1a4/0x200 +[64843.077816] exit_mmap+0x1bc/0x200 +[64843.077822] ? walk_page_range+0x9c/0x120 +[64843.077828] ? __cond_resched+0x1a/0x50 +[64843.077833] ? mutex_lock+0x13/0x40 +[64843.077839] ? 
uprobe_clear_state+0xac/0x120 +[64843.077860] mmput+0x5f/0x140 +[64843.077867] ib_umem_odp_map_dma_and_lock+0x21b/0x580 [ib_core] +[64843.077931] pagefault_real_mr+0x9a/0x140 [mlx5_ib] +[64843.077962] pagefault_mr+0xb4/0x550 [mlx5_ib] +[64843.077992] pagefault_single_data_segment.constprop.0+0x2ac/0x560 +[mlx5_ib] +[64843.078022] mlx5_ib_eqe_pf_action+0x528/0x780 [mlx5_ib] +[64843.078051] process_one_work+0x22b/0x3d0 +[64843.078059] worker_thread+0x53/0x410 +[64843.078065] ? process_one_work+0x3d0/0x3d0 +[64843.078073] kthread+0x12a/0x150 +[64843.078079] ? set_kthread_struct+0x50/0x50 +[64843.078085] ret_from_fork+0x22/0x30 +[64843.078093] + +Fixes: 36f30e486dce ("IB/core: Improve ODP to use hmm_range_fault()") +Reviewed-by: Maor Gottlieb +Signed-off-by: Yishai Hadas +Link: https://lore.kernel.org/r/74d93541ea533ef7daec6f126deb1072500aeb16.1661251841.git.leonro@nvidia.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/umem_odp.c | 2 +- + kernel/fork.c | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/core/umem_odp.c b/drivers/infiniband/core/umem_odp.c +index 323f6cf006824..af4af4789ef27 100644 +--- a/drivers/infiniband/core/umem_odp.c ++++ b/drivers/infiniband/core/umem_odp.c +@@ -466,7 +466,7 @@ int ib_umem_odp_map_dma_and_lock(struct ib_umem_odp *umem_odp, u64 user_virt, + mutex_unlock(&umem_odp->umem_mutex); + + out_put_mm: +- mmput(owning_mm); ++ mmput_async(owning_mm); + out_put_task: + if (owning_process) + put_task_struct(owning_process); +diff --git a/kernel/fork.c b/kernel/fork.c +index a78c0b02edd55..b877480c901f0 100644 +--- a/kernel/fork.c ++++ b/kernel/fork.c +@@ -1127,6 +1127,7 @@ void mmput_async(struct mm_struct *mm) + schedule_work(&mm->async_put_work); + } + } ++EXPORT_SYMBOL_GPL(mmput_async); + #endif + + /** +-- +2.35.1 + 
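Review bot: The `mmput_async(owning_mm);` call at `out_put_mm:` in ib_umem_odp_map_dma_and_lock() has no comment saying why the asynchronous variant is required, so a later cleanup could swap it back to mmput(). I would add `/* umem_mutex may still be held here; a final mmput() in this task can reach the invalidate callback that takes the same mutex */` above it. The function starts outside the hunk, so which paths reach the label with the mutex held is taken from the description rather than from visible code. The `EXPORT_SYMBOL_GPL(mmput_async);` line sits just before an `#endif` whose condition is not shown, so it is worth confirming that every configuration that builds umem_odp.c also builds mmput_async().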
diff --git a/queue-5.10/ice-use-bitmap_free-instead-of-devm_kfree.patch b/queue-5.10/ice-use-bitmap_free-instead-of-devm_kfree.patch new file mode 100644 index 00000000000..32b4a60fee0 --- /dev/null +++ b/queue-5.10/ice-use-bitmap_free-instead-of-devm_kfree.patch @@ -0,0 +1,37 @@ +From 9064c9febb8cb2ff768aef15c3d5cd4f3c17d651 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Aug 2022 10:53:20 +0200 +Subject: ice: use bitmap_free instead of devm_kfree + +From: Michal Swiatkowski + +[ Upstream commit 59ac325557b6c14f1f793b90d3946bc145ffa085 ] + +pf->avail_txqs was allocated using bitmap_zalloc, bitmap_free should be +used to free this memory. + +Fixes: 78b5713ac1241 ("ice: Alloc queue management bitmaps and arrays dynamically") +Signed-off-by: Michal Swiatkowski +Tested-by: Gurucharan (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c +index 810f2bdb91645..f193709c8efc6 100644 +--- a/drivers/net/ethernet/intel/ice/ice_main.c ++++ b/drivers/net/ethernet/intel/ice/ice_main.c +@@ -3404,7 +3404,7 @@ static int ice_init_pf(struct ice_pf *pf) + + pf->avail_rxqs = bitmap_zalloc(pf->max_pf_rxqs, GFP_KERNEL); + if (!pf->avail_rxqs) { +- devm_kfree(ice_pf_to_dev(pf), pf->avail_txqs); ++ bitmap_free(pf->avail_txqs); + pf->avail_txqs = NULL; + return -ENOMEM; + } +-- +2.35.1 + diff --git a/queue-5.10/ipv6-sr-fix-out-of-bounds-read-when-setting-hmac-dat.patch b/queue-5.10/ipv6-sr-fix-out-of-bounds-read-when-setting-hmac-dat.patch new file mode 100644 index 00000000000..5909138ba4b --- /dev/null +++ b/queue-5.10/ipv6-sr-fix-out-of-bounds-read-when-setting-hmac-dat.patch 
@@ -0,0 +1,78 @@ +From 377662145ca7921ad9b4621cb5642a976999c90d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Sep 2022 10:45:06 +0100 +Subject: ipv6: sr: fix out-of-bounds read when setting HMAC data. + +From: David Lebrun + +[ Upstream commit 84a53580c5d2138c7361c7c3eea5b31827e63b35 ] + +The SRv6 layer allows defining HMAC data that can later be used to sign IPv6 +Segment Routing Headers. This configuration is realised via netlink through +four attributes: SEG6_ATTR_HMACKEYID, SEG6_ATTR_SECRET, SEG6_ATTR_SECRETLEN and +SEG6_ATTR_ALGID. Because the SECRETLEN attribute is decoupled from the actual +length of the SECRET attribute, it is possible to provide invalid combinations +(e.g., secret = "", secretlen = 64). This case is not checked in the code and +with an appropriately crafted netlink message, an out-of-bounds read of up +to 64 bytes (max secret length) can occur past the skb end pointer and into +skb_shared_info: + +Breakpoint 1, seg6_genl_sethmac (skb=, info=) at net/ipv6/seg6.c:208 +208 memcpy(hinfo->secret, secret, slen); +(gdb) bt + #0 seg6_genl_sethmac (skb=, info=) at net/ipv6/seg6.c:208 + #1 0xffffffff81e012e9 in genl_family_rcv_msg_doit (skb=skb@entry=0xffff88800b1f9f00, nlh=nlh@entry=0xffff88800b1b7600, + extack=extack@entry=0xffffc90000ba7af0, ops=ops@entry=0xffffc90000ba7a80, hdrlen=4, net=0xffffffff84237580 , family=, + family=) at net/netlink/genetlink.c:731 + #2 0xffffffff81e01435 in genl_family_rcv_msg (extack=0xffffc90000ba7af0, nlh=0xffff88800b1b7600, skb=0xffff88800b1f9f00, + family=0xffffffff82fef6c0 ) at net/netlink/genetlink.c:775 + #3 genl_rcv_msg (skb=0xffff88800b1f9f00, nlh=0xffff88800b1b7600, extack=0xffffc90000ba7af0) at net/netlink/genetlink.c:792 + #4 0xffffffff81dfffc3 in netlink_rcv_skb (skb=skb@entry=0xffff88800b1f9f00, cb=cb@entry=0xffffffff81e01350 ) + at net/netlink/af_netlink.c:2501 + #5 0xffffffff81e00919 in genl_rcv (skb=0xffff88800b1f9f00) at net/netlink/genetlink.c:803 + #6 0xffffffff81dff6ae in 
netlink_unicast_kernel (ssk=0xffff888010eec800, skb=0xffff88800b1f9f00, sk=0xffff888004aed000) + at net/netlink/af_netlink.c:1319 + #7 netlink_unicast (ssk=ssk@entry=0xffff888010eec800, skb=skb@entry=0xffff88800b1f9f00, portid=portid@entry=0, nonblock=) + at net/netlink/af_netlink.c:1345 + #8 0xffffffff81dff9a4 in netlink_sendmsg (sock=, msg=0xffffc90000ba7e48, len=) at net/netlink/af_netlink.c:1921 +... +(gdb) p/x ((struct sk_buff *)0xffff88800b1f9f00)->head + ((struct sk_buff *)0xffff88800b1f9f00)->end +$1 = 0xffff88800b1b76c0 +(gdb) p/x secret +$2 = 0xffff88800b1b76c0 +(gdb) p slen +$3 = 64 '@' + +The OOB data can then be read back from userspace by dumping HMAC state. This +commit fixes this by ensuring SECRETLEN cannot exceed the actual length of +SECRET. + +Reported-by: Lucas Leong +Tested: verified that EINVAL is correctly returned when secretlen > len(secret) +Fixes: 4f4853dc1c9c1 ("ipv6: sr: implement API to control SR HMAC structure") +Signed-off-by: David Lebrun +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/seg6.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/ipv6/seg6.c b/net/ipv6/seg6.c +index d2f8138e5a73a..2278c0234c497 100644 +--- a/net/ipv6/seg6.c ++++ b/net/ipv6/seg6.c +@@ -135,6 +135,11 @@ static int seg6_genl_sethmac(struct sk_buff *skb, struct genl_info *info) + goto out_unlock; + } + ++ if (slen > nla_len(info->attrs[SEG6_ATTR_SECRET])) { ++ err = -EINVAL; ++ goto out_unlock; ++ } ++ + if (hinfo) { + err = seg6_hmac_info_del(net, hmackeyid); + if (err) +-- +2.35.1 + diff --git a/queue-5.10/net-fec-use-a-spinlock-to-guard-fep-ptp_clk_on.patch b/queue-5.10/net-fec-use-a-spinlock-to-guard-fep-ptp_clk_on.patch new file mode 100644 index 00000000000..baa71dc7ddf --- /dev/null +++ b/queue-5.10/net-fec-use-a-spinlock-to-guard-fep-ptp_clk_on.patch 
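Review bot: The added guard `if (slen > nla_len(info->attrs[SEG6_ATTR_SECRET]))` dereferences the SECRET attribute, and the hunk does not show where that attribute is tested for presence. The `goto out_unlock; }` just above it is presumably the end of that test, but seg6_genl_sethmac() starts outside the hunk, so this should be confirmed. The check is also uncommented; something like `/* SECRETLEN arrives separately from SECRET: never copy more than the attribute actually carries */` would record why the two lengths are compared.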
@@ -0,0 +1,194 @@ +From cfe5ba8bd867d2ff8f1c43f17e923614981c85dd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Sep 2022 16:04:03 +0200 +Subject: net: fec: Use a spinlock to guard `fep->ptp_clk_on` +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Csókás Bence + +[ Upstream commit b353b241f1eb9b6265358ffbe2632fdcb563354f ] + +Mutexes cannot be taken in a non-preemptible context, +causing a panic in `fec_ptp_save_state()`. Replacing +`ptp_clk_mutex` by `tmreg_lock` fixes this. + +Fixes: 6a4d7234ae9a ("net: fec: ptp: avoid register access when ipg clock is disabled") +Fixes: f79959220fa5 ("fec: Restart PPS after link state change") +Reported-by: Marc Kleine-Budde +Link: https://lore.kernel.org/all/20220827160922.642zlcd5foopozru@pengutronix.de/ +Signed-off-by: Csókás Bence +Tested-by: Francesco Dolcini # Toradex Apalis iMX6 +Link: https://lore.kernel.org/r/20220901140402.64804-1-csokas.bence@prolan.hu +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/fec.h | 1 - + drivers/net/ethernet/freescale/fec_main.c | 17 +++++++------- + drivers/net/ethernet/freescale/fec_ptp.c | 28 ++++++++--------------- + 3 files changed, 19 insertions(+), 27 deletions(-) + +diff --git a/drivers/net/ethernet/freescale/fec.h b/drivers/net/ethernet/freescale/fec.h +index 6ea98af63b341..e7b23d4a22d0a 100644 +--- a/drivers/net/ethernet/freescale/fec.h ++++ b/drivers/net/ethernet/freescale/fec.h +@@ -523,7 +523,6 @@ struct fec_enet_private { + struct clk *clk_ptp; + + bool ptp_clk_on; +- struct mutex ptp_clk_mutex; + unsigned int num_tx_queues; + unsigned int num_rx_queues; + +diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c +index d8bdaf2e5365c..674591751a676 100644 +--- a/drivers/net/ethernet/freescale/fec_main.c ++++ b/drivers/net/ethernet/freescale/fec_main.c +@@ -1937,6 +1937,7 @@ static void fec_enet_phy_reset_after_clk_enable(struct 
net_device *ndev) + static int fec_enet_clk_enable(struct net_device *ndev, bool enable) + { + struct fec_enet_private *fep = netdev_priv(ndev); ++ unsigned long flags; + int ret; + + if (enable) { +@@ -1945,15 +1946,15 @@ static int fec_enet_clk_enable(struct net_device *ndev, bool enable) + return ret; + + if (fep->clk_ptp) { +- mutex_lock(&fep->ptp_clk_mutex); ++ spin_lock_irqsave(&fep->tmreg_lock, flags); + ret = clk_prepare_enable(fep->clk_ptp); + if (ret) { +- mutex_unlock(&fep->ptp_clk_mutex); ++ spin_unlock_irqrestore(&fep->tmreg_lock, flags); + goto failed_clk_ptp; + } else { + fep->ptp_clk_on = true; + } +- mutex_unlock(&fep->ptp_clk_mutex); ++ spin_unlock_irqrestore(&fep->tmreg_lock, flags); + } + + ret = clk_prepare_enable(fep->clk_ref); +@@ -1964,10 +1965,10 @@ static int fec_enet_clk_enable(struct net_device *ndev, bool enable) + } else { + clk_disable_unprepare(fep->clk_enet_out); + if (fep->clk_ptp) { +- mutex_lock(&fep->ptp_clk_mutex); ++ spin_lock_irqsave(&fep->tmreg_lock, flags); + clk_disable_unprepare(fep->clk_ptp); + fep->ptp_clk_on = false; +- mutex_unlock(&fep->ptp_clk_mutex); ++ spin_unlock_irqrestore(&fep->tmreg_lock, flags); + } + clk_disable_unprepare(fep->clk_ref); + } +@@ -1976,10 +1977,10 @@ static int fec_enet_clk_enable(struct net_device *ndev, bool enable) + + failed_clk_ref: + if (fep->clk_ptp) { +- mutex_lock(&fep->ptp_clk_mutex); ++ spin_lock_irqsave(&fep->tmreg_lock, flags); + clk_disable_unprepare(fep->clk_ptp); + fep->ptp_clk_on = false; +- mutex_unlock(&fep->ptp_clk_mutex); ++ spin_unlock_irqrestore(&fep->tmreg_lock, flags); + } + failed_clk_ptp: + clk_disable_unprepare(fep->clk_enet_out); +@@ -3665,7 +3666,7 @@ fec_probe(struct platform_device *pdev) + fep->clk_enet_out = NULL; + + fep->ptp_clk_on = false; +- mutex_init(&fep->ptp_clk_mutex); ++ spin_lock_init(&fep->tmreg_lock); + + /* clk_ref is optional, depends on board */ + fep->clk_ref = devm_clk_get(&pdev->dev, "enet_clk_ref"); +diff --git 
a/drivers/net/ethernet/freescale/fec_ptp.c b/drivers/net/ethernet/freescale/fec_ptp.c +index c5ae673005908..99bd67d3befd0 100644 +--- a/drivers/net/ethernet/freescale/fec_ptp.c ++++ b/drivers/net/ethernet/freescale/fec_ptp.c +@@ -366,21 +366,19 @@ static int fec_ptp_adjtime(struct ptp_clock_info *ptp, s64 delta) + */ + static int fec_ptp_gettime(struct ptp_clock_info *ptp, struct timespec64 *ts) + { +- struct fec_enet_private *adapter = ++ struct fec_enet_private *fep = + container_of(ptp, struct fec_enet_private, ptp_caps); + u64 ns; + unsigned long flags; + +- mutex_lock(&adapter->ptp_clk_mutex); ++ spin_lock_irqsave(&fep->tmreg_lock, flags); + /* Check the ptp clock */ +- if (!adapter->ptp_clk_on) { +- mutex_unlock(&adapter->ptp_clk_mutex); ++ if (!fep->ptp_clk_on) { ++ spin_unlock_irqrestore(&fep->tmreg_lock, flags); + return -EINVAL; + } +- spin_lock_irqsave(&adapter->tmreg_lock, flags); +- ns = timecounter_read(&adapter->tc); +- spin_unlock_irqrestore(&adapter->tmreg_lock, flags); +- mutex_unlock(&adapter->ptp_clk_mutex); ++ ns = timecounter_read(&fep->tc); ++ spin_unlock_irqrestore(&fep->tmreg_lock, flags); + + *ts = ns_to_timespec64(ns); + +@@ -405,10 +403,10 @@ static int fec_ptp_settime(struct ptp_clock_info *ptp, + unsigned long flags; + u32 counter; + +- mutex_lock(&fep->ptp_clk_mutex); ++ spin_lock_irqsave(&fep->tmreg_lock, flags); + /* Check the ptp clock */ + if (!fep->ptp_clk_on) { +- mutex_unlock(&fep->ptp_clk_mutex); ++ spin_unlock_irqrestore(&fep->tmreg_lock, flags); + return -EINVAL; + } + +@@ -418,11 +416,9 @@ static int fec_ptp_settime(struct ptp_clock_info *ptp, + */ + counter = ns & fep->cc.mask; + +- spin_lock_irqsave(&fep->tmreg_lock, flags); + writel(counter, fep->hwp + FEC_ATIME); + timecounter_init(&fep->tc, &fep->cc, ns); + spin_unlock_irqrestore(&fep->tmreg_lock, flags); +- mutex_unlock(&fep->ptp_clk_mutex); + return 0; + } + +@@ -523,13 +519,11 @@ static void fec_time_keep(struct work_struct *work) + struct fec_enet_private *fep = 
container_of(dwork, struct fec_enet_private, time_keep); + unsigned long flags; + +- mutex_lock(&fep->ptp_clk_mutex); ++ spin_lock_irqsave(&fep->tmreg_lock, flags); + if (fep->ptp_clk_on) { +- spin_lock_irqsave(&fep->tmreg_lock, flags); + timecounter_read(&fep->tc); +- spin_unlock_irqrestore(&fep->tmreg_lock, flags); + } +- mutex_unlock(&fep->ptp_clk_mutex); ++ spin_unlock_irqrestore(&fep->tmreg_lock, flags); + + schedule_delayed_work(&fep->time_keep, HZ); + } +@@ -604,8 +598,6 @@ void fec_ptp_init(struct platform_device *pdev, int irq_idx) + } + fep->ptp_inc = NSEC_PER_SEC / fep->cycle_speed; + +- spin_lock_init(&fep->tmreg_lock); +- + fec_ptp_start_cyclecounter(ndev); + + INIT_DELAYED_WORK(&fep->time_keep, fec_time_keep); +-- +2.35.1 + diff --git a/queue-5.10/netfilter-br_netfilter-drop-dst-references-before-se.patch b/queue-5.10/netfilter-br_netfilter-drop-dst-references-before-se.patch new file mode 100644 index 00000000000..3e3aaa14791 --- /dev/null +++ b/queue-5.10/netfilter-br_netfilter-drop-dst-references-before-se.patch 
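Review bot: In fec_enet_clk_enable() the new code calls `clk_prepare_enable(fep->clk_ptp)` and `clk_disable_unprepare(fep->clk_ptp)` between `spin_lock_irqsave(&fep->tmreg_lock, flags)` and the matching unlock. The prepare/unprepare half of the clk API may sleep, which is not allowed with a spinlock held and interrupts off. The same pattern appears in all three places in that function: the enable path, the disable path and the `failed_clk_ref:` unwind. Keeping the clock calls outside the lock and taking tmreg_lock only around the `ptp_clk_on` update avoids this; the sketch below shows the enable and disable paths, and the unwind would follow the disable form. The function body continues outside the hunks.

```c
	if (fep->clk_ptp) {
		/* clk_prepare_enable() may sleep: call it before taking the lock */
		ret = clk_prepare_enable(fep->clk_ptp);
		if (ret)
			goto failed_clk_ptp;
		spin_lock_irqsave(&fep->tmreg_lock, flags);
		fep->ptp_clk_on = true;
		spin_unlock_irqrestore(&fep->tmreg_lock, flags);
	}
	/* … unchanged: clk_ref enable and the rest of the enable path … */
	if (fep->clk_ptp) {
		/* clear the flag under the lock first, then release the clock unlocked */
		spin_lock_irqsave(&fep->tmreg_lock, flags);
		fep->ptp_clk_on = false;
		spin_unlock_irqrestore(&fep->tmreg_lock, flags);
		clk_disable_unprepare(fep->clk_ptp);
	}
```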
@@ -0,0 +1,96 @@ +From a4a8f769baf47149f24fafb3ed8f4c512a1b370f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Aug 2022 22:36:03 -0700 +Subject: netfilter: br_netfilter: Drop dst references before setting. + +From: Harsh Modi + +[ Upstream commit d047283a7034140ea5da759a494fd2274affdd46 ] + +The IPv6 path already drops dst in the daddr changed case, but the IPv4 +path does not. This change makes the two code paths consistent. + +Further, it is possible that there is already a metadata_dst allocated from +ingress that might already be attached to skbuff->dst while following +the bridge path. If it is not released before setting a new +metadata_dst, it will be leaked. This is similar to what is done in +bpf_set_tunnel_key() or ip6_route_input(). + +It is important to note that the memory being leaked is not the dst +being set in the bridge code, but rather memory allocated from some +other code path that is not being freed correctly before the skb dst is +overwritten. + +An example of the leakage fixed by this commit found using kmemleak: + +unreferenced object 0xffff888010112b00 (size 256): + comm "softirq", pid 0, jiffies 4294762496 (age 32.012s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 80 16 f1 83 ff ff ff ff ................ + e1 4e f6 82 ff ff ff ff 00 00 00 00 00 00 00 00 .N.............. 
+ backtrace: + [<00000000d79567ea>] metadata_dst_alloc+0x1b/0xe0 + [<00000000be113e13>] udp_tun_rx_dst+0x174/0x1f0 + [<00000000a36848f4>] geneve_udp_encap_recv+0x350/0x7b0 + [<00000000d4afb476>] udp_queue_rcv_one_skb+0x380/0x560 + [<00000000ac064aea>] udp_unicast_rcv_skb+0x75/0x90 + [<000000009a8ee8c5>] ip_protocol_deliver_rcu+0xd8/0x230 + [<00000000ef4980bb>] ip_local_deliver_finish+0x7a/0xa0 + [<00000000d7533c8c>] __netif_receive_skb_one_core+0x89/0xa0 + [<00000000a879497d>] process_backlog+0x93/0x190 + [<00000000e41ade9f>] __napi_poll+0x28/0x170 + [<00000000b4c0906b>] net_rx_action+0x14f/0x2a0 + [<00000000b20dd5d4>] __do_softirq+0xf4/0x305 + [<000000003a7d7e15>] __irq_exit_rcu+0xc3/0x140 + [<00000000968d39a2>] sysvec_apic_timer_interrupt+0x9e/0xc0 + [<000000009e920794>] asm_sysvec_apic_timer_interrupt+0x16/0x20 + [<000000008942add0>] native_safe_halt+0x13/0x20 + +Florian Westphal says: "Original code was likely fine because nothing +ever did set a skb->dst entry earlier than bridge in those days." + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Harsh Modi +Acked-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/bridge/br_netfilter_hooks.c | 2 ++ + net/bridge/br_netfilter_ipv6.c | 1 + + 2 files changed, 3 insertions(+) + +diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c +index 10a2c7bca7199..a718204c4bfdd 100644 +--- a/net/bridge/br_netfilter_hooks.c ++++ b/net/bridge/br_netfilter_hooks.c +@@ -384,6 +384,7 @@ static int br_nf_pre_routing_finish(struct net *net, struct sock *sk, struct sk_ + /* - Bridged-and-DNAT'ed traffic doesn't + * require ip_forwarding. 
*/ + if (rt->dst.dev == dev) { ++ skb_dst_drop(skb); + skb_dst_set(skb, &rt->dst); + goto bridged_dnat; + } +@@ -413,6 +414,7 @@ static int br_nf_pre_routing_finish(struct net *net, struct sock *sk, struct sk_ + kfree_skb(skb); + return 0; + } ++ skb_dst_drop(skb); + skb_dst_set_noref(skb, &rt->dst); + } + +diff --git a/net/bridge/br_netfilter_ipv6.c b/net/bridge/br_netfilter_ipv6.c +index e4e0c836c3f51..6b07f30675bb0 100644 +--- a/net/bridge/br_netfilter_ipv6.c ++++ b/net/bridge/br_netfilter_ipv6.c +@@ -197,6 +197,7 @@ static int br_nf_pre_routing_finish_ipv6(struct net *net, struct sock *sk, struc + kfree_skb(skb); + return 0; + } ++ skb_dst_drop(skb); + skb_dst_set_noref(skb, &rt->dst); + } + +-- +2.35.1 + diff --git a/queue-5.10/netfilter-nf_conntrack_irc-fix-forged-ip-logic.patch b/queue-5.10/netfilter-nf_conntrack_irc-fix-forged-ip-logic.patch new file mode 100644 index 00000000000..6744f533e6a --- /dev/null +++ b/queue-5.10/netfilter-nf_conntrack_irc-fix-forged-ip-logic.patch 
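Review bot: The three added `skb_dst_drop(skb);` calls (two in br_nf_pre_routing_finish(), one in br_nf_pre_routing_finish_ipv6()) are bare, and nothing at the call sites says that a dst set earlier on the receive path may still be attached. A short comment at each, for example `/* release any dst attached before the bridge (e.g. a tunnel metadata_dst) so it is not leaked */`, would keep the pairing with skb_dst_set()/skb_dst_set_noref() from being removed later as redundant. Both functions start and end outside the hunks, so whether other dst assignments in them need the same treatment cannot be judged from here.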
@@ -0,0 +1,43 @@ +From 02ac2dd7a7d2f4c4a0515726d843ff497a23fd53 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Aug 2022 14:56:58 +1000 +Subject: netfilter: nf_conntrack_irc: Fix forged IP logic + +From: David Leadbeater + +[ Upstream commit 0efe125cfb99e6773a7434f3463f7c2fa28f3a43 ] + +Ensure the match happens in the right direction, previously the +destination used was the server, not the NAT host, as the comment +shows the code intended. + +Additionally nf_nat_irc uses port 0 as a signal and there's no valid way +it can appear in a DCC message, so consider port 0 also forged. + +Fixes: 869f37d8e48f ("[NETFILTER]: nf_conntrack/nf_nat: add IRC helper port") +Signed-off-by: David Leadbeater +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_irc.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/net/netfilter/nf_conntrack_irc.c b/net/netfilter/nf_conntrack_irc.c +index e40988a2f22fb..26245419ef4a9 100644 +--- a/net/netfilter/nf_conntrack_irc.c ++++ b/net/netfilter/nf_conntrack_irc.c +@@ -185,8 +185,9 @@ static int help(struct sk_buff *skb, unsigned int protoff, + + /* dcc_ip can be the internal OR external (NAT'ed) IP */ + tuple = &ct->tuplehash[dir].tuple; +- if (tuple->src.u3.ip != dcc_ip && +- tuple->dst.u3.ip != dcc_ip) { ++ if ((tuple->src.u3.ip != dcc_ip && ++ ct->tuplehash[!dir].tuple.dst.u3.ip != dcc_ip) || ++ dcc_port == 0) { + net_warn_ratelimited("Forged DCC command from %pI4: %pI4:%u\n", + &tuple->src.u3.ip, + &dcc_ip, dcc_port); +-- +2.35.1 + diff --git a/queue-5.10/netfilter-nf_tables-clean-up-hook-list-when-offload-.patch b/queue-5.10/netfilter-nf_tables-clean-up-hook-list-when-offload-.patch new file mode 100644 index 00000000000..9ec064244b1 --- /dev/null +++ b/queue-5.10/netfilter-nf_tables-clean-up-hook-list-when-offload-.patch 
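Review bot: The rewritten condition in help() now combines three facts (source address, reply-direction destination, and a zero port), while the comment above it still only says `dcc_ip can be the internal OR external (NAT'ed) IP`. I would extend it to `/* dcc_ip can be the internal OR external (NAT'ed) IP; the external one is the dst of the reply tuple. Port 0 is never valid in a DCC message. */` so the `ct->tuplehash[!dir]` lookup is not mistaken for a typo. The port-0 case reuses the "Forged DCC command" warning, so a rate-limited log line ending in `:0` comes from the new clause rather than from an address mismatch. help() extends beyond the hunk.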
@@ -0,0 +1,68 @@ +From 1f6dc501e543e16a87ee9c13d186e1a4aa63b345 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Aug 2022 13:11:47 +0200 +Subject: netfilter: nf_tables: clean up hook list when offload flags check + fails + +From: Pablo Neira Ayuso + +[ Upstream commit 77972a36ecc4db7fc7c68f0e80714263c5f03f65 ] + +splice back the hook list so nft_chain_release_hook() has a chance to +release the hooks. + +BUG: memory leak +unreferenced object 0xffff88810180b100 (size 96): + comm "syz-executor133", pid 3619, jiffies 4294945714 (age 12.690s) + hex dump (first 32 bytes): + 28 64 23 02 81 88 ff ff 28 64 23 02 81 88 ff ff (d#.....(d#..... + 90 a8 aa 83 ff ff ff ff 00 00 b5 0f 81 88 ff ff ................ + backtrace: + [] kmalloc include/linux/slab.h:600 [inline] + [] nft_netdev_hook_alloc+0x3b/0xc0 net/netfilter/nf_tables_api.c:1901 + [] nft_chain_parse_netdev net/netfilter/nf_tables_api.c:1998 [inline] + [] nft_chain_parse_hook+0x33a/0x530 net/netfilter/nf_tables_api.c:2073 + [] nf_tables_addchain.constprop.0+0x10b/0x950 net/netfilter/nf_tables_api.c:2218 + [] nf_tables_newchain+0xa8b/0xc60 net/netfilter/nf_tables_api.c:2593 + [] nfnetlink_rcv_batch+0xa46/0xd20 net/netfilter/nfnetlink.c:517 + [] nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:638 [inline] + [] nfnetlink_rcv+0x1f9/0x220 net/netfilter/nfnetlink.c:656 + [] netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] + [] netlink_unicast+0x397/0x4c0 net/netlink/af_netlink.c:1345 + [] netlink_sendmsg+0x396/0x710 net/netlink/af_netlink.c:1921 + [] sock_sendmsg_nosec net/socket.c:714 [inline] + [] sock_sendmsg+0x56/0x80 net/socket.c:734 + [] ____sys_sendmsg+0x36c/0x390 net/socket.c:2482 + [] ___sys_sendmsg+0xa8/0x110 net/socket.c:2536 + [] __sys_sendmsg+0x88/0x100 net/socket.c:2565 + [] do_syscall_x64 arch/x86/entry/common.c:50 [inline] + [] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 + [] entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Fixes: d54725cd11a5 ("netfilter: nf_tables: support for 
multiple devices per netdev hook") +Reported-by: syzbot+5fcdbfab6d6744c57418@syzkaller.appspotmail.com +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 1b039476e4d6a..b8e7e1c5c08a8 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -1971,8 +1971,10 @@ static int nft_basechain_init(struct nft_base_chain *basechain, u8 family, + chain->flags |= NFT_CHAIN_BASE | flags; + basechain->policy = NF_ACCEPT; + if (chain->flags & NFT_CHAIN_HW_OFFLOAD && +- !nft_chain_offload_support(basechain)) ++ !nft_chain_offload_support(basechain)) { ++ list_splice_init(&basechain->hook_list, &hook->list); + return -EOPNOTSUPP; ++ } + + flow_block_init(&basechain->flow_block); + +-- +2.35.1 + diff --git a/queue-5.10/nvme-tcp-fix-regression-that-causes-sporadic-request.patch b/queue-5.10/nvme-tcp-fix-regression-that-causes-sporadic-request.patch new file mode 100644 index 00000000000..2288d81e19b --- /dev/null +++ b/queue-5.10/nvme-tcp-fix-regression-that-causes-sporadic-request.patch 
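Review bot: The new `list_splice_init(&basechain->hook_list, &hook->list);` on the -EOPNOTSUPP path in nft_basechain_init() relies on the caller releasing `hook->list`, and that ownership hand-back is not stated in the code. A comment such as `/* give the hooks back to the caller's list so they are released on error */` would make it clear. The function continues outside the hunk, and the hooks are presumably moved into `basechain->hook_list` earlier in it. Any other error return after that point would need the same splice, which cannot be checked from the visible lines.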
@@ -0,0 +1,79 @@ +From ed7dd98592b4e72888089c971e415f8143a391ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Sep 2022 18:07:06 +0300 +Subject: nvme-tcp: fix regression that causes sporadic requests to time out + +From: Sagi Grimberg + +[ Upstream commit 3770a42bb8ceb856877699257a43c0585a5d2996 ] + +When we queue requests, we strive to batch as much as possible and also +signal the network stack that more data is about to be sent over a socket +with MSG_SENDPAGE_NOTLAST. This flag looks at the pending requests queued +as well as queue->more_requests that is derived from the block layer +last-in-batch indication. + +We set more_request=true when we flush the request directly from +.queue_rq submission context (in nvme_tcp_send_all), however this is +wrongly assuming that no other requests may be queued during the +execution of nvme_tcp_send_all. + +Due to this, a race condition may happen where: + + 1. request X is queued as !last-in-batch + 2. request X submission context calls nvme_tcp_send_all directly + 3. nvme_tcp_send_all is preempted and schedules to a different cpu + 4. request Y is queued as last-in-batch + 5. nvme_tcp_send_all context sends request X+Y, however signals for + both MSG_SENDPAGE_NOTLAST because queue->more_requests=true. + +==> none of the requests is pushed down to the wire as the network +stack is waiting for more data, both requests timeout. + +To fix this, we eliminate queue->more_requests and only rely on +the queue req_list and send_list to be not-empty. 
+ +Fixes: 122e5b9f3d37 ("nvme-tcp: optimize network stack with setting msg flags according to batch size") +Reported-by: Jonathan Nicklin +Signed-off-by: Sagi Grimberg +Tested-by: Jonathan Nicklin +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/tcp.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c +index 329aeb5fe9514..57df87def8c33 100644 +--- a/drivers/nvme/host/tcp.c ++++ b/drivers/nvme/host/tcp.c +@@ -118,7 +118,6 @@ struct nvme_tcp_queue { + struct mutex send_mutex; + struct llist_head req_list; + struct list_head send_list; +- bool more_requests; + + /* recv state */ + void *pdu; +@@ -314,7 +313,7 @@ static inline void nvme_tcp_send_all(struct nvme_tcp_queue *queue) + static inline bool nvme_tcp_queue_more(struct nvme_tcp_queue *queue) + { + return !list_empty(&queue->send_list) || +- !llist_empty(&queue->req_list) || queue->more_requests; ++ !llist_empty(&queue->req_list); + } + + static inline void nvme_tcp_queue_request(struct nvme_tcp_request *req, +@@ -333,9 +332,7 @@ static inline void nvme_tcp_queue_request(struct nvme_tcp_request *req, + */ + if (queue->io_cpu == raw_smp_processor_id() && + sync && empty && mutex_trylock(&queue->send_mutex)) { +- queue->more_requests = !last; + nvme_tcp_send_all(queue); +- queue->more_requests = false; + mutex_unlock(&queue->send_mutex); + } + +-- +2.35.1 + diff --git a/queue-5.10/nvme-tcp-fix-uaf-when-detecting-digest-errors.patch b/queue-5.10/nvme-tcp-fix-uaf-when-detecting-digest-errors.patch new file mode 100644 index 00000000000..a62b2ec0b13 --- /dev/null +++ b/queue-5.10/nvme-tcp-fix-uaf-when-detecting-digest-errors.patch 
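Review bot: With `queue->more_requests` gone, nvme_tcp_queue_more() is the only input to the more-data-follows decision, and it has no comment saying so. I would add `/* true while requests are still queued on req_list or send_list; used to tell the socket that more data follows */` above it. In nvme_tcp_queue_request() the removed `queue->more_requests = !last;` was the only use of `last` in the lines shown. The rest of the function is outside the hunk, so it should be checked that the parameter is still needed there.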
@@ -0,0 +1,39 @@ +From c97ee206d09bd34b79d68a92dcb097be11e513e4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Sep 2022 13:54:17 +0300 +Subject: nvme-tcp: fix UAF when detecting digest errors + +From: Sagi Grimberg + +[ Upstream commit 160f3549a907a50e51a8518678ba2dcf2541abea ] + +We should also bail from the io_work loop when we set rd_enabled to true, +so we don't attempt to read data from the socket when the TCP stream is +already out-of-sync or corrupted. + +Fixes: 3f2304f8c6d6 ("nvme-tcp: add NVMe over TCP host driver") +Reported-by: Daniel Wagner +Signed-off-by: Sagi Grimberg +Reviewed-by: Daniel Wagner +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/tcp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c +index fe8c27bbc3f20..329aeb5fe9514 100644 +--- a/drivers/nvme/host/tcp.c ++++ b/drivers/nvme/host/tcp.c +@@ -1196,7 +1196,7 @@ static void nvme_tcp_io_work(struct work_struct *w) + else if (unlikely(result < 0)) + return; + +- if (!pending) ++ if (!pending || !queue->rd_enabled) + return; + + } while (!time_after(jiffies, deadline)); /* quota is exhausted */ +-- +2.35.1 + diff --git a/queue-5.10/rdma-cma-fix-arguments-order-in-net-device-validatio.patch b/queue-5.10/rdma-cma-fix-arguments-order-in-net-device-validatio.patch new file mode 100644 index 00000000000..37b63c64edd --- /dev/null +++ b/queue-5.10/rdma-cma-fix-arguments-order-in-net-device-validatio.patch 
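Review bot: The combined early return `if (!pending || !queue->rd_enabled)` in nvme_tcp_io_work() carries no comment on why a disabled receive side must end the loop, and the patch description words the condition the other way round ("when we set rd_enabled to true"). A line such as `/* stop once receive is disabled: the stream is out of sync and must not be read again */` above the check would remove the ambiguity. The loop body starts outside the hunk, so where `rd_enabled` is cleared relative to this test is not visible here.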
@@ -0,0 +1,48 @@ +From 5cf0e04be99d200ca480a321210b9f6b79310607 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Aug 2022 13:51:50 +0300 +Subject: RDMA/cma: Fix arguments order in net device validation + +From: Michael Guralnik + +[ Upstream commit 27cfde795a96aef1e859a5480489944b95421e46 ] + +Fix the order of source and destination addresses when resolving the +route between server and client to validate use of correct net device. + +The reverse order we had so far didn't actually validate the net device +as the server would try to resolve the route to itself, thus always +getting the server's net device. + +The issue was discovered when running cm applications on a single host +between 2 interfaces with same subnet and source based routing rules. +When resolving the reverse route the source based route rules were +ignored. + +Fixes: f887f2ac87c2 ("IB/cma: Validate routing of incoming requests") +Link: https://lore.kernel.org/r/1c1ec2277a131d277ebcceec987fd338d35b775f.1661251872.git.leonro@nvidia.com +Signed-off-by: Michael Guralnik +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/cma.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c +index 3c40aa50cd60c..b5fa19a033c0a 100644 +--- a/drivers/infiniband/core/cma.c ++++ b/drivers/infiniband/core/cma.c +@@ -1722,8 +1722,8 @@ cma_ib_id_from_event(struct ib_cm_id *cm_id, + } + + if (!validate_net_dev(*net_dev, +- (struct sockaddr *)&req->listen_addr_storage, +- (struct sockaddr *)&req->src_addr_storage)) { ++ (struct sockaddr *)&req->src_addr_storage, ++ (struct sockaddr *)&req->listen_addr_storage)) { + id_priv = ERR_PTR(-EHOSTUNREACH); + goto err; + } +-- +2.35.1 + diff --git a/queue-5.10/rdma-hns-fix-supported-page-size.patch b/queue-5.10/rdma-hns-fix-supported-page-size.patch new file mode 100644 index 00000000000..db1533d71ca --- /dev/null 
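Review bot: The corrected call to validate_net_dev() in cma_ib_id_from_event() passes two arguments of the same cast type, `(struct sockaddr *)&req->src_addr_storage` and `(struct sockaddr *)&req->listen_addr_storage`, so the compiler cannot catch them being swapped again. A comment above the call, e.g. `/* resolve the route from our listen address towards the requester's source address */`, would document the intended direction. The parameter names of validate_net_dev() are not visible in the hunk, so the wording should be checked against its definition.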
+++ b/queue-5.10/rdma-hns-fix-supported-page-size.patch @@ -0,0 +1,37 @@ +From f3df38eb146d5c7de9d9376b2f12bdff667d91ed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Aug 2022 18:50:18 +0800 +Subject: RDMA/hns: Fix supported page size + +From: Chengchang Tang + +[ Upstream commit 55af9d498556f0860eb89ffa7677e8d73f6f643f ] + +The supported page size for hns is (4K, 128M), not (4K, 2G). + +Fixes: cfc85f3e4b7f ("RDMA/hns: Add profile support for hip08 driver") +Link: https://lore.kernel.org/r/20220829105021.1427804-2-liangwenpeng@huawei.com +Signed-off-by: Chengchang Tang +Signed-off-by: Wenpeng Liang +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_hw_v2.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.h b/drivers/infiniband/hw/hns/hns_roce_hw_v2.h +index be7f2fe1e8839..8a92faeb3d237 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.h ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.h +@@ -92,7 +92,7 @@ + + #define HNS_ROCE_V2_QPC_TIMER_ENTRY_SZ PAGE_SIZE + #define HNS_ROCE_V2_CQC_TIMER_ENTRY_SZ PAGE_SIZE +-#define HNS_ROCE_V2_PAGE_SIZE_SUPPORTED 0xFFFFF000 ++#define HNS_ROCE_V2_PAGE_SIZE_SUPPORTED 0xFFFF000 + #define HNS_ROCE_V2_MAX_INNER_MTPT_NUM 2 + #define HNS_ROCE_INVALID_LKEY 0x100 + #define HNS_ROCE_CMQ_TX_TIMEOUT 30000 +-- +2.35.1 + diff --git a/queue-5.10/rdma-hns-fix-wrong-fixed-value-of-qp-rq.wqe_shift.patch b/queue-5.10/rdma-hns-fix-wrong-fixed-value-of-qp-rq.wqe_shift.patch new file mode 100644 index 00000000000..cb73e5f914a --- /dev/null +++ b/queue-5.10/rdma-hns-fix-wrong-fixed-value-of-qp-rq.wqe_shift.patch 
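Review bot: `#define HNS_ROCE_V2_PAGE_SIZE_SUPPORTED 0xFFFF000` differs from the old value by a single hex digit and gives no hint of what the bits mean. Going by the description (4K to 128M), the mask covers bits 12 through 27, so `GENMASK(27, 12)` or a trailing comment `/* page-size bitmap: 4K (bit 12) .. 128M (bit 27) */` would make the range checkable at a glance.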
@@ -0,0 +1,43 @@ +From e3e4903c6297c814c715ce8753559e52f0b59947 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Aug 2022 18:50:19 +0800 +Subject: RDMA/hns: Fix wrong fixed value of qp->rq.wqe_shift + +From: Wenpeng Liang + +[ Upstream commit 0c8b5d6268d92d141bfd64d21c870d295a84dee1 ] + +The value of qp->rq.wqe_shift of HIP08 is always determined by the number +of sge. So delete the wrong branch. + +Fixes: cfc85f3e4b7f ("RDMA/hns: Add profile support for hip08 driver") +Fixes: 926a01dc000d ("RDMA/hns: Add QP operations support for hip08 SoC") +Link: https://lore.kernel.org/r/20220829105021.1427804-3-liangwenpeng@huawei.com +Signed-off-by: Wenpeng Liang +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_qp.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_qp.c b/drivers/infiniband/hw/hns/hns_roce_qp.c +index 291e06d631505..6fe98af7741b5 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_qp.c ++++ b/drivers/infiniband/hw/hns/hns_roce_qp.c +@@ -386,11 +386,8 @@ static int set_rq_size(struct hns_roce_dev *hr_dev, struct ib_qp_cap *cap, + + hr_qp->rq.max_gs = roundup_pow_of_two(max(1U, cap->max_recv_sge)); + +- if (hr_dev->caps.max_rq_sg <= HNS_ROCE_SGE_IN_WQE) +- hr_qp->rq.wqe_shift = ilog2(hr_dev->caps.max_rq_desc_sz); +- else +- hr_qp->rq.wqe_shift = ilog2(hr_dev->caps.max_rq_desc_sz * +- hr_qp->rq.max_gs); ++ hr_qp->rq.wqe_shift = ilog2(hr_dev->caps.max_rq_desc_sz * ++ hr_qp->rq.max_gs); + + hr_qp->rq.wqe_cnt = cnt; + if (hr_dev->caps.flags & HNS_ROCE_CAP_FLAG_RQ_INLINE) +-- +2.35.1 + diff --git a/queue-5.10/rdma-mlx5-set-local-port-to-one-when-accessing-count.patch b/queue-5.10/rdma-mlx5-set-local-port-to-one-when-accessing-count.patch new file mode 100644 index 00000000000..5cf66ebe7da --- /dev/null +++ b/queue-5.10/rdma-mlx5-set-local-port-to-one-when-accessing-count.patch 
@@ -0,0 +1,53 @@
+From d70cd5fe65aa4e2382e57944a5574f14fa5d35f3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 29 Aug 2022 12:02:28 +0300
+Subject: RDMA/mlx5: Set local port to one when accessing counters
+
+From: Chris Mi
+
+[ Upstream commit 74b30b3ad5cec95d2647e796d10137438a098bc1 ]
+
+When accessing Ports Performance Counters Register (PPCNT),
+local port must be one if it is Function-Per-Port HCA that
+HCA_CAP.num_ports is 1.
+
+The offending patch can change the local port to other values
+when accessing PPCNT after enabling switchdev mode. The following
+syndrome will be printed:
+
+ # cat /sys/class/infiniband/rdmap4s0f0/ports/2/counters/*
+ # dmesg
+ mlx5_core 0000:04:00.0: mlx5_cmd_check:756:(pid 12450): ACCESS_REG(0x805) op_mod(0x1) failed, status bad parameter(0x3), syndrome (0x1e5585)
+
+Fix it by setting local port to one for Function-Per-Port HCA.
+
+Fixes: 210b1f78076f ("IB/mlx5: When not in dual port RoCE mode, use provided port as native")
+Reviewed-by: Mark Bloch
+Signed-off-by: Chris Mi
+Link: https://lore.kernel.org/r/6c5086c295c76211169e58dbd610fb0402360bab.1661763459.git.leonro@nvidia.com
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Sasha Levin
+---
+ drivers/infiniband/hw/mlx5/mad.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/infiniband/hw/mlx5/mad.c b/drivers/infiniband/hw/mlx5/mad.c
+index 9bb9bb058932f..cca7a4a6bd82d 100644
+--- a/drivers/infiniband/hw/mlx5/mad.c
++++ b/drivers/infiniband/hw/mlx5/mad.c
+@@ -166,6 +166,12 @@ static int process_pma_cmd(struct mlx5_ib_dev *dev, u8 port_num,
+ mdev = dev->mdev;
+ mdev_port_num = 1;
+ }
++ if (MLX5_CAP_GEN(dev->mdev, num_ports) == 1) {
++ /* set local port to one for Function-Per-Port HCA. */
++ mdev = dev->mdev;
++ mdev_port_num = 1;
++ }
++
+ /* Declaring support of extended counters */
+ if (in_mad->mad_hdr.attr_id == IB_PMA_CLASS_PORT_INFO) {
+ struct ib_class_port_info cpi = {};
+--
+2.35.1
+
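Review bot: The comment in the block added to `process_pma_cmd()` repeats what the two assignments do and leaves out why, and the block duplicates the assignments of the fallback branch directly above it. The reason is in the commit message and belongs in the code: `/* PPCNT requires local port 1 on a Function-Per-Port HCA (HCA_CAP.num_ports == 1) */`. The code that first obtains `mdev` and any matching release at the end of the function are outside the hunk, so it is worth confirming that overriding `mdev` here does not disturb that pairing.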
diff --git a/queue-5.10/rdma-siw-pass-a-pointer-to-virt_to_page.patch b/queue-5.10/rdma-siw-pass-a-pointer-to-virt_to_page.patch new file mode 100644 index 00000000000..021427e699b --- /dev/null +++ b/queue-5.10/rdma-siw-pass-a-pointer-to-virt_to_page.patch 
@@ -0,0 +1,88 @@ +From bca75332c962bd0b6a0b866fab141837018604ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Sep 2022 23:59:18 +0200 +Subject: RDMA/siw: Pass a pointer to virt_to_page() + +From: Linus Walleij + +[ Upstream commit 0d1b756acf60da5004c1e20ca4462f0c257bf6e1 ] + +Functions that work on a pointer to virtual memory such as +virt_to_pfn() and users of that function such as +virt_to_page() are supposed to pass a pointer to virtual +memory, ideally a (void *) or other pointer. However since +many architectures implement virt_to_pfn() as a macro, +this function becomes polymorphic and accepts both a +(unsigned long) and a (void *). + +If we instead implement a proper virt_to_pfn(void *addr) +function the following happens (occurred on arch/arm): + +drivers/infiniband/sw/siw/siw_qp_tx.c:32:23: warning: incompatible + integer to pointer conversion passing 'dma_addr_t' (aka 'unsigned int') + to parameter of type 'const void *' [-Wint-conversion] +drivers/infiniband/sw/siw/siw_qp_tx.c:32:37: warning: passing argument + 1 of 'virt_to_pfn' makes pointer from integer without a cast + [-Wint-conversion] +drivers/infiniband/sw/siw/siw_qp_tx.c:538:36: warning: incompatible + integer to pointer conversion passing 'unsigned long long' + to parameter of type 'const void *' [-Wint-conversion] + +Fix this with an explicit cast. In one case where the SIW +SGE uses an unaligned u64 we need a double cast modifying the +virtual address (va) to a platform-specific uintptr_t before +casting to a (void *). 
+ +Fixes: b9be6f18cf9e ("rdma/siw: transmit path") +Cc: linux-rdma@vger.kernel.org +Signed-off-by: Linus Walleij +Link: https://lore.kernel.org/r/20220902215918.603761-1-linus.walleij@linaro.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/sw/siw/siw_qp_tx.c | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +diff --git a/drivers/infiniband/sw/siw/siw_qp_tx.c b/drivers/infiniband/sw/siw/siw_qp_tx.c +index 7989c4043db4e..3c3ae5ef29428 100644 +--- a/drivers/infiniband/sw/siw/siw_qp_tx.c ++++ b/drivers/infiniband/sw/siw/siw_qp_tx.c +@@ -29,7 +29,7 @@ static struct page *siw_get_pblpage(struct siw_mem *mem, u64 addr, int *idx) + dma_addr_t paddr = siw_pbl_get_buffer(pbl, offset, NULL, idx); + + if (paddr) +- return virt_to_page(paddr); ++ return virt_to_page((void *)paddr); + + return NULL; + } +@@ -523,13 +523,23 @@ static int siw_tx_hdt(struct siw_iwarp_tx *c_tx, struct socket *s) + kunmap(p); + } + } else { +- u64 va = sge->laddr + sge_off; ++ /* ++ * Cast to an uintptr_t to preserve all 64 bits ++ * in sge->laddr. ++ */ ++ uintptr_t va = (uintptr_t)(sge->laddr + sge_off); + +- page_array[seg] = virt_to_page(va & PAGE_MASK); ++ /* ++ * virt_to_page() takes a (void *) pointer ++ * so cast to a (void *) meaning it will be 64 ++ * bits on a 64 bit platform and 32 bits on a ++ * 32 bit platform. ++ */ ++ page_array[seg] = virt_to_page((void *)(va & PAGE_MASK)); + if (do_crc) + crypto_shash_update( + c_tx->mpa_crc_hd, +- (void *)(uintptr_t)va, ++ (void *)va, + plen); + } + +-- +2.35.1 + diff --git a/queue-5.10/regulator-core-clean-up-on-enable-failure.patch b/queue-5.10/regulator-core-clean-up-on-enable-failure.patch new file mode 100644 index 00000000000..4a2d218626a --- /dev/null +++ b/queue-5.10/regulator-core-clean-up-on-enable-failure.patch 
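Review bot: In `siw_get_pblpage()` the new `virt_to_page((void *)paddr)` casts a `dma_addr_t` straight to a pointer, while the `siw_tx_hdt()` change in the same patch goes through `uintptr_t` first. On a 32-bit build where `dma_addr_t` is 64 bits wide the direct cast converts between an integer and a pointer of different size and is likely to raise an int-to-pointer-cast warning; `return virt_to_page((void *)(uintptr_t)paddr);` would be consistent with the second site. The comment added in `siw_tx_hdt()` also says the `uintptr_t` cast preserves all 64 bits of `sge->laddr`, which holds only where pointers are 64 bits wide; on 32-bit it narrows the value, so `/* Narrow to the platform pointer width. */` would be more accurate. Both functions extend beyond the hunks shown.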
@@ -0,0 +1,72 @@ +From 38e24b214634ff839b7cd4f8e2f7ac402bad5113 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Aug 2022 14:43:36 -0500 +Subject: regulator: core: Clean up on enable failure + +From: Andrew Halaney + +[ Upstream commit c32f1ebfd26bece77141257864ed7b4720da1557 ] + +If regulator_enable() fails, enable_count is incremented still. +A consumer, assuming no matching regulator_disable() is necessary on +failure, will then get this error message upon regulator_put() +since enable_count is non-zero: + + [ 1.277418] WARNING: CPU: 3 PID: 1 at drivers/regulator/core.c:2304 _regulator_put.part.0+0x168/0x170 + +The consumer could try to fix this in their driver by cleaning up on +error from regulator_enable() (i.e. call regulator_disable()), but that +results in the following since regulator_enable() failed and didn't +increment user_count: + + [ 1.258112] unbalanced disables for vreg_l17c + [ 1.262606] WARNING: CPU: 4 PID: 1 at drivers/regulator/core.c:2899 _regulator_disable+0xd4/0x190 + +Fix this by decrementing enable_count upon failure to enable. + +With this in place, just the reason for failure to enable is printed +as expected and developers can focus on the root cause of their issue +instead of thinking their usage of the regulator consumer api is +incorrect. 
For example, in my case: + + [ 1.240426] vreg_l17c: invalid input voltage found + +Fixes: 5451781dadf8 ("regulator: core: Only count load for enabled consumers") +Signed-off-by: Andrew Halaney +Reviewed-by: Douglas Anderson +Reviewed-by: Brian Masney +Link: https://lore.kernel.org/r/20220819194336.382740-1-ahalaney@redhat.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/core.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c +index 6e3f3511e7ddd..317d701487ecd 100644 +--- a/drivers/regulator/core.c ++++ b/drivers/regulator/core.c +@@ -2596,13 +2596,18 @@ static int _regulator_do_enable(struct regulator_dev *rdev) + */ + static int _regulator_handle_consumer_enable(struct regulator *regulator) + { ++ int ret; + struct regulator_dev *rdev = regulator->rdev; + + lockdep_assert_held_once(&rdev->mutex.base); + + regulator->enable_count++; +- if (regulator->uA_load && regulator->enable_count == 1) +- return drms_uA_update(rdev); ++ if (regulator->uA_load && regulator->enable_count == 1) { ++ ret = drms_uA_update(rdev); ++ if (ret) ++ regulator->enable_count--; ++ return ret; ++ } + + return 0; + } +-- +2.35.1 + diff --git a/queue-5.10/rxrpc-fix-an-insufficiently-large-sglist-in-rxkad_ve.patch b/queue-5.10/rxrpc-fix-an-insufficiently-large-sglist-in-rxkad_ve.patch new file mode 100644 index 00000000000..0fdaddb62ec --- /dev/null +++ b/queue-5.10/rxrpc-fix-an-insufficiently-large-sglist-in-rxkad_ve.patch 
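Review bot: In `_regulator_handle_consumer_enable()` the count is incremented before `drms_uA_update()` and rolled back on error, but nothing explains why the increment cannot simply be deferred until the update has succeeded. If, as the title of the commit named in Fixes suggests, `drms_uA_update()` only counts load for enabled consumers, say so at the increment: `/* count this consumer as enabled so its load is included; undone below on failure */`. The rollback covers only the `uA_load && enable_count == 1` path, which is the only path in this function that can return an error.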
@@ -0,0 +1,58 @@ +From 635aa8b58a0be08b113f471ae083fa841d69c797 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Aug 2022 22:39:28 +0100 +Subject: rxrpc: Fix an insufficiently large sglist in rxkad_verify_packet_2() + +From: David Howells + +[ Upstream commit 0d40f728e28393a8817d1fcae923dfa3409e488c ] + +rxkad_verify_packet_2() has a small stack-allocated sglist of 4 elements, +but if that isn't sufficient for the number of fragments in the socket +buffer, we try to allocate an sglist large enough to hold all the +fragments. + +However, for large packets with a lot of fragments, this isn't sufficient +and we need at least one additional fragment. + +The problem manifests as skb_to_sgvec() returning -EMSGSIZE and this then +getting returned by userspace. Most of the time, this isn't a problem as +rxrpc sets a limit of 5692, big enough for 4 jumbo subpackets to be glued +together; occasionally, however, the server will ignore the reported limit +and give a packet that's a lot bigger - say 19852 bytes with ->nr_frags +being 7. skb_to_sgvec() then tries to return a "zeroth" fragment that +seems to occur before the fragments counted by ->nr_frags and we hit the +end of the sglist too early. + +Note that __skb_to_sgvec() also has an skb_walk_frags() loop that is +recursive up to 24 deep. I'm not sure if I need to take account of that +too - or if there's an easy way of counting those frags too. + +Fix this by counting an extra frag and allocating a larger sglist based on +that. 
+ +Fixes: d0d5c0cd1e71 ("rxrpc: Use skb_unshare() rather than skb_cow_data()") +Reported-by: Marc Dionne +Signed-off-by: David Howells +cc: linux-afs@lists.infradead.org +Signed-off-by: Sasha Levin +--- + net/rxrpc/rxkad.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/rxrpc/rxkad.c b/net/rxrpc/rxkad.c +index f114dc2af5cf3..5345e8eefd33c 100644 +--- a/net/rxrpc/rxkad.c ++++ b/net/rxrpc/rxkad.c +@@ -451,7 +451,7 @@ static int rxkad_verify_packet_2(struct rxrpc_call *call, struct sk_buff *skb, + * directly into the target buffer. + */ + sg = _sg; +- nsg = skb_shinfo(skb)->nr_frags; ++ nsg = skb_shinfo(skb)->nr_frags + 1; + if (nsg <= 4) { + nsg = 4; + } else { +-- +2.35.1 + diff --git a/queue-5.10/sch_sfb-also-store-skb-len-before-calling-child-enqu.patch b/queue-5.10/sch_sfb-also-store-skb-len-before-calling-child-enqu.patch new file mode 100644 index 00000000000..51561eaa467 --- /dev/null +++ b/queue-5.10/sch_sfb-also-store-skb-len-before-calling-child-enqu.patch 
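Review bot: The `+ 1` added to `nsg` in `rxkad_verify_packet_2()` carries no comment, and the commit message itself leaves open whether the `skb_walk_frags()` recursion inside `__skb_to_sgvec()` also needs to be counted. A comment at the assignment would record what is and is not covered, for example `/* nr_frags plus one extra entry; skbs on the frag list are not counted here */`. According to the commit message the undersized case surfaces as -EMSGSIZE from `skb_to_sgvec()` and is triggered by a peer sending a packet larger than the advertised limit, so the sglist sizing depends on peer-controlled packet layout and the open question deserves to be visible in the code. The sizing and allocation that follow continue outside the hunk.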
@@ -0,0 +1,52 @@
+From 887ba39961e52862480cc88e17628b4fcd8cef34 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 5 Sep 2022 21:21:36 +0200
+Subject: sch_sfb: Also store skb len before calling child enqueue
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Toke Høiland-Jørgensen
+
+[ Upstream commit 2f09707d0c972120bf794cfe0f0c67e2c2ddb252 ]
+
+Cong Wang noticed that the previous fix for sch_sfb accessing the queued
+skb after enqueueing it to a child qdisc was incomplete: the SFB enqueue
+function was also calling qdisc_qstats_backlog_inc() after enqueue, which
+reads the pkt len from the skb cb field. Fix this by also storing the skb
+len, and using the stored value to increment the backlog after enqueueing.
+
+Fixes: 9efd23297cca ("sch_sfb: Don't assume the skb is still around after enqueueing to child")
+Signed-off-by: Toke Høiland-Jørgensen
+Acked-by: Cong Wang
+Link: https://lore.kernel.org/r/20220905192137.965549-1-toke@toke.dk
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ net/sched/sch_sfb.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/sched/sch_sfb.c b/net/sched/sch_sfb.c
+index f180cf95cfc97..b2724057629f6 100644
+--- a/net/sched/sch_sfb.c
++++ b/net/sched/sch_sfb.c
+@@ -281,6 +281,7 @@ static int sfb_enqueue(struct sk_buff *skb, struct Qdisc *sch,
+ {
+
+ struct sfb_sched_data *q = qdisc_priv(sch);
++ unsigned int len = qdisc_pkt_len(skb);
+ struct Qdisc *child = q->qdisc;
+ struct tcf_proto *fl;
+ struct sfb_skb_cb cb;
+@@ -403,7 +404,7 @@ static int sfb_enqueue(struct sk_buff *skb, struct Qdisc *sch,
+ memcpy(&cb, sfb_skb_cb(skb), sizeof(cb));
+ ret = qdisc_enqueue(skb, child, to_free);
+ if (likely(ret == NET_XMIT_SUCCESS)) {
+- qdisc_qstats_backlog_inc(sch, skb);
++ sch->qstats.backlog += len;
+ sch->q.qlen++;
+ increment_qlen(&cb, q);
+ } else if (net_xmit_drop_count(ret)) {
+--
+2.35.1
+
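Review bot: Nothing at the `enqueue:` site in `sfb_enqueue()` explains why `len` is captured at the top of the function and why the backlog is bumped with `sch->qstats.backlog += len` instead of the usual helper, so a later cleanup could reintroduce the read of a freed skb. A comment before `qdisc_enqueue()` such as `/* the child may free skb; use only the saved len and cb after this call */` would protect both this change and the `memcpy(&cb, ...)` added by the companion patch sch_sfb-don-t-assume-the-skb-is-still-around-after-e.patch. `sfb_enqueue()` starts and ends outside the hunks.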
diff --git a/queue-5.10/sch_sfb-don-t-assume-the-skb-is-still-around-after-e.patch b/queue-5.10/sch_sfb-don-t-assume-the-skb-is-still-around-after-e.patch new file mode 100644 index 00000000000..998b7651728 --- /dev/null +++ b/queue-5.10/sch_sfb-don-t-assume-the-skb-is-still-around-after-e.patch 
@@ -0,0 +1,82 @@ +From 522119733b65321381b01c19c36ff913937b6b73 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Aug 2022 23:52:18 +0200 +Subject: sch_sfb: Don't assume the skb is still around after enqueueing to + child +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Toke Høiland-Jørgensen + +[ Upstream commit 9efd23297cca530bb35e1848665805d3fcdd7889 ] + +The sch_sfb enqueue() routine assumes the skb is still alive after it has +been enqueued into a child qdisc, using the data in the skb cb field in the +increment_qlen() routine after enqueue. However, the skb may in fact have +been freed, causing a use-after-free in this case. In particular, this +happens if sch_cake is used as a child of sfb, and the GSO splitting mode +of CAKE is enabled (in which case the skb will be split into segments and +the original skb freed). + +Fix this by copying the sfb cb data to the stack before enqueueing the skb, +and using this stack copy in increment_qlen() instead of the skb pointer +itself. + +Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-18231 +Fixes: e13e02a3c68d ("net_sched: SFB flow scheduler") +Signed-off-by: Toke Høiland-Jørgensen +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + net/sched/sch_sfb.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/net/sched/sch_sfb.c b/net/sched/sch_sfb.c +index da047a37a3bf3..f180cf95cfc97 100644 +--- a/net/sched/sch_sfb.c ++++ b/net/sched/sch_sfb.c +@@ -135,15 +135,15 @@ static void increment_one_qlen(u32 sfbhash, u32 slot, struct sfb_sched_data *q) + } + } + +-static void increment_qlen(const struct sk_buff *skb, struct sfb_sched_data *q) ++static void increment_qlen(const struct sfb_skb_cb *cb, struct sfb_sched_data *q) + { + u32 sfbhash; + +- sfbhash = sfb_hash(skb, 0); ++ sfbhash = cb->hashes[0]; + if (sfbhash) + increment_one_qlen(sfbhash, 0, q); + +- sfbhash = sfb_hash(skb, 1); ++ sfbhash = cb->hashes[1]; + if (sfbhash) + increment_one_qlen(sfbhash, 1, q); + } +@@ -283,6 +283,7 @@ static int sfb_enqueue(struct sk_buff *skb, struct Qdisc *sch, + struct sfb_sched_data *q = qdisc_priv(sch); + struct Qdisc *child = q->qdisc; + struct tcf_proto *fl; ++ struct sfb_skb_cb cb; + int i; + u32 p_min = ~0; + u32 minqlen = ~0; +@@ -399,11 +400,12 @@ static int sfb_enqueue(struct sk_buff *skb, struct Qdisc *sch, + } + + enqueue: ++ memcpy(&cb, sfb_skb_cb(skb), sizeof(cb)); + ret = qdisc_enqueue(skb, child, to_free); + if (likely(ret == NET_XMIT_SUCCESS)) { + qdisc_qstats_backlog_inc(sch, skb); + sch->q.qlen++; +- increment_qlen(skb, q); ++ increment_qlen(&cb, q); + } else if (net_xmit_drop_count(ret)) { + q->stats.childdrop++; + qdisc_qstats_drop(sch); +-- +2.35.1 + diff --git a/queue-5.10/series b/queue-5.10/series index aa604464d97..de5011d9736 100644 --- a/queue-5.10/series +++ b/queue-5.10/series 
@@ -34,3 +34,35 @@ cgroup-elide-write-locking-threadgroup_rwsem-when-up.patch cgroup-fix-threadgroup_rwsem-cpus_read_lock-deadlock.patch cifs-remove-useless-parameter-is_fsctl-from-smb2_ioc.patch smb3-missing-inode-locks-in-punch-hole.patch +arm-dts-imx6qdl-kontron-samx6i-remove-duplicated-nod.patch +regulator-core-clean-up-on-enable-failure.patch +tee-fix-compiler-warning-in-tee_shm_register.patch +rdma-cma-fix-arguments-order-in-net-device-validatio.patch +soc-brcmstb-pm-arm-fix-refcount-leak-and-__iomem-lea.patch +rdma-hns-fix-supported-page-size.patch +rdma-hns-fix-wrong-fixed-value-of-qp-rq.wqe_shift.patch +arm-dts-at91-sama5d27_wlsom1-specify-proper-regulato.patch +arm-dts-at91-sama5d2_icp-specify-proper-regulator-ou.patch +arm-dts-at91-sama5d27_wlsom1-don-t-keep-ldo2-enabled.patch +arm-dts-at91-sama5d2_icp-don-t-keep-vdd_other-enable.patch +netfilter-br_netfilter-drop-dst-references-before-se.patch +netfilter-nf_tables-clean-up-hook-list-when-offload-.patch +netfilter-nf_conntrack_irc-fix-forged-ip-logic.patch +alsa-usb-audio-inform-the-delayed-registration-more-.patch +alsa-usb-audio-register-card-again-for-iface-over-de.patch +rxrpc-fix-an-insufficiently-large-sglist-in-rxkad_ve.patch +afs-use-the-operation-issue-time-instead-of-the-repl.patch +sch_sfb-don-t-assume-the-skb-is-still-around-after-e.patch +tipc-fix-shift-wrapping-bug-in-map_get.patch +ice-use-bitmap_free-instead-of-devm_kfree.patch +i40e-fix-kernel-crash-during-module-removal.patch +net-fec-use-a-spinlock-to-guard-fep-ptp_clk_on.patch +xen-netback-only-remove-hotplug-status-when-the-vif-.patch +rdma-siw-pass-a-pointer-to-virt_to_page.patch +ipv6-sr-fix-out-of-bounds-read-when-setting-hmac-dat.patch +ib-core-fix-a-nested-dead-lock-as-part-of-odp-flow.patch +rdma-mlx5-set-local-port-to-one-when-accessing-count.patch +nvme-tcp-fix-uaf-when-detecting-digest-errors.patch +nvme-tcp-fix-regression-that-causes-sporadic-request.patch +tcp-fix-early-etimedout-after-spurious-non-sack-rto.patch 
+sch_sfb-also-store-skb-len-before-calling-child-enqu.patch diff --git a/queue-5.10/soc-brcmstb-pm-arm-fix-refcount-leak-and-__iomem-lea.patch b/queue-5.10/soc-brcmstb-pm-arm-fix-refcount-leak-and-__iomem-lea.patch new file mode 100644 index 00000000000..d05ad1eacb9 --- /dev/null +++ b/queue-5.10/soc-brcmstb-pm-arm-fix-refcount-leak-and-__iomem-lea.patch 
@@ -0,0 +1,163 @@ +From a69766b86a9d53c9d8f72971ceae82dd1700b618 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Jul 2022 09:56:20 +0800 +Subject: soc: brcmstb: pm-arm: Fix refcount leak and __iomem leak bugs + +From: Liang He + +[ Upstream commit 1085f5080647f0c9f357c270a537869191f7f2a1 ] + +In brcmstb_pm_probe(), there are two kinds of leak bugs: + +(1) we need to add of_node_put() when for_each__matching_node() breaks +(2) we need to add iounmap() for each iomap in fail path + +Fixes: 0b741b8234c8 ("soc: bcm: brcmstb: Add support for S2/S3/S5 suspend states (ARM)") +Signed-off-by: Liang He +Link: https://lore.kernel.org/r/20220707015620.306468-1-windhl@126.com +Signed-off-by: Florian Fainelli +Signed-off-by: Sasha Levin +--- + drivers/soc/bcm/brcmstb/pm/pm-arm.c | 50 ++++++++++++++++++++++------- + 1 file changed, 39 insertions(+), 11 deletions(-) + +diff --git a/drivers/soc/bcm/brcmstb/pm/pm-arm.c b/drivers/soc/bcm/brcmstb/pm/pm-arm.c +index c6ec7d95bcfcc..722fd54e537cf 100644 +--- a/drivers/soc/bcm/brcmstb/pm/pm-arm.c ++++ b/drivers/soc/bcm/brcmstb/pm/pm-arm.c +@@ -681,13 +681,14 @@ static int brcmstb_pm_probe(struct platform_device *pdev) + const struct of_device_id *of_id = NULL; + struct device_node *dn; + void __iomem *base; +- int ret, i; ++ int ret, i, s; + + /* AON ctrl registers */ + base = brcmstb_ioremap_match(aon_ctrl_dt_ids, 0, NULL); + if (IS_ERR(base)) { + pr_err("error mapping AON_CTRL\n"); +- return PTR_ERR(base); ++ ret = PTR_ERR(base); ++ goto aon_err; + } + ctrl.aon_ctrl_base = base; + +@@ -697,8 +698,10 @@ static int brcmstb_pm_probe(struct platform_device *pdev) + /* Assume standard offset */ + ctrl.aon_sram = ctrl.aon_ctrl_base + + AON_CTRL_SYSTEM_DATA_RAM_OFS; ++ s = 0; + } else { + ctrl.aon_sram = base; ++ s = 1; + } + + writel_relaxed(0, ctrl.aon_sram + AON_REG_PANIC); +@@ -708,7 +711,8 @@ static int brcmstb_pm_probe(struct platform_device *pdev) + (const void **)&ddr_phy_data); + if (IS_ERR(base)) { + pr_err("error mapping 
DDR PHY\n"); +- return PTR_ERR(base); ++ ret = PTR_ERR(base); ++ goto ddr_phy_err; + } + ctrl.support_warm_boot = ddr_phy_data->supports_warm_boot; + ctrl.pll_status_offset = ddr_phy_data->pll_status_offset; +@@ -728,17 +732,20 @@ static int brcmstb_pm_probe(struct platform_device *pdev) + for_each_matching_node(dn, ddr_shimphy_dt_ids) { + i = ctrl.num_memc; + if (i >= MAX_NUM_MEMC) { ++ of_node_put(dn); + pr_warn("too many MEMCs (max %d)\n", MAX_NUM_MEMC); + break; + } + + base = of_io_request_and_map(dn, 0, dn->full_name); + if (IS_ERR(base)) { ++ of_node_put(dn); + if (!ctrl.support_warm_boot) + break; + + pr_err("error mapping DDR SHIMPHY %d\n", i); +- return PTR_ERR(base); ++ ret = PTR_ERR(base); ++ goto ddr_shimphy_err; + } + ctrl.memcs[i].ddr_shimphy_base = base; + ctrl.num_memc++; +@@ -749,14 +756,18 @@ static int brcmstb_pm_probe(struct platform_device *pdev) + for_each_matching_node(dn, brcmstb_memc_of_match) { + base = of_iomap(dn, 0); + if (!base) { ++ of_node_put(dn); + pr_err("error mapping DDR Sequencer %d\n", i); +- return -ENOMEM; ++ ret = -ENOMEM; ++ goto brcmstb_memc_err; + } + + of_id = of_match_node(brcmstb_memc_of_match, dn); + if (!of_id) { + iounmap(base); +- return -EINVAL; ++ of_node_put(dn); ++ ret = -EINVAL; ++ goto brcmstb_memc_err; + } + + ddr_seq_data = of_id->data; +@@ -776,21 +787,24 @@ static int brcmstb_pm_probe(struct platform_device *pdev) + dn = of_find_matching_node(NULL, sram_dt_ids); + if (!dn) { + pr_err("SRAM not found\n"); +- return -EINVAL; ++ ret = -EINVAL; ++ goto brcmstb_memc_err; + } + + ret = brcmstb_init_sram(dn); + of_node_put(dn); + if (ret) { + pr_err("error setting up SRAM for PM\n"); +- return ret; ++ goto brcmstb_memc_err; + } + + ctrl.pdev = pdev; + + ctrl.s3_params = kmalloc(sizeof(*ctrl.s3_params), GFP_KERNEL); +- if (!ctrl.s3_params) +- return -ENOMEM; ++ if (!ctrl.s3_params) { ++ ret = -ENOMEM; ++ goto s3_params_err; ++ } + ctrl.s3_params_pa = dma_map_single(&pdev->dev, ctrl.s3_params, + 
sizeof(*ctrl.s3_params), + DMA_TO_DEVICE); +@@ -810,7 +824,21 @@ static int brcmstb_pm_probe(struct platform_device *pdev) + + out: + kfree(ctrl.s3_params); +- ++s3_params_err: ++ iounmap(ctrl.boot_sram); ++brcmstb_memc_err: ++ for (i--; i >= 0; i--) ++ iounmap(ctrl.memcs[i].ddr_ctrl); ++ddr_shimphy_err: ++ for (i = 0; i < ctrl.num_memc; i++) ++ iounmap(ctrl.memcs[i].ddr_shimphy_base); ++ ++ iounmap(ctrl.memcs[0].ddr_phy_base); ++ddr_phy_err: ++ iounmap(ctrl.aon_ctrl_base); ++ if (s) ++ iounmap(ctrl.aon_sram); ++aon_err: + pr_warn("PM: initialization failed with code %d\n", ret); + + return ret; +-- +2.35.1 + diff --git a/queue-5.10/tcp-fix-early-etimedout-after-spurious-non-sack-rto.patch b/queue-5.10/tcp-fix-early-etimedout-after-spurious-non-sack-rto.patch new file mode 100644 index 00000000000..5b7ab3272ac --- /dev/null +++ b/queue-5.10/tcp-fix-early-etimedout-after-spurious-non-sack-rto.patch 
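Review bot: The unwind ladder added at the end of `brcmstb_pm_probe()` reuses the loop variable `i` as the count of mapped `ddr_ctrl` entries (`for (i--; i >= 0; i--)`), which is correct only if `i` still holds that count on every path into `brcmstb_memc_err`, including the fall-through from `out:`; the code between the sequencer loop and `out:` is outside the hunk, so this cannot be confirmed here. A dedicated counter, or at least a comment at the label such as `/* i == number of ddr_ctrl mappings made so far */`, would make the invariant explicit. The `ddr_shimphy_base` mappings come from `of_io_request_and_map()`, which as far as I know also claims the memory region, while the unwind only calls `iounmap()`, so the region may stay reserved after a failed probe. The unmapped pointers are also left behind in `ctrl`, and `ctrl.num_memc` is not reset, which matters if anything reads that state after the probe has failed.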
@@ -0,0 +1,129 @@ +From ccae4efc4cbf1dd8f6e9bc72c69a409f8cabe318 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 3 Sep 2022 08:10:23 -0400 +Subject: tcp: fix early ETIMEDOUT after spurious non-SACK RTO + +From: Neal Cardwell + +[ Upstream commit 686dc2db2a0fdc1d34b424ec2c0a735becd8d62b ] + +Fix a bug reported and analyzed by Nagaraj Arankal, where the handling +of a spurious non-SACK RTO could cause a connection to fail to clear +retrans_stamp, causing a later RTO to very prematurely time out the +connection with ETIMEDOUT. + +Here is the buggy scenario, expanding upon Nagaraj Arankal's excellent +report: + +(*1) Send one data packet on a non-SACK connection + +(*2) Because no ACK packet is received, the packet is retransmitted + and we enter CA_Loss; but this retransmission is spurious. + +(*3) The ACK for the original data is received. The transmitted packet + is acknowledged. The TCP timestamp is before the retrans_stamp, + so tcp_may_undo() returns true, and tcp_try_undo_loss() returns + true without changing state to Open (because tcp_is_sack() is + false), and tcp_process_loss() returns without calling + tcp_try_undo_recovery(). Normally after undoing a CA_Loss + episode, tcp_fastretrans_alert() would see that the connection + has returned to CA_Open and fall through and call + tcp_try_to_open(), which would set retrans_stamp to 0. However, + for non-SACK connections we hold the connection in CA_Loss, so do + not fall through to call tcp_try_to_open() and do not set + retrans_stamp to 0. So retrans_stamp is (erroneously) still + non-zero. + + At this point the first "retransmission event" has passed and + been recovered from. Any future retransmission is a completely + new "event". However, retrans_stamp is erroneously still + set. (And we are still in CA_Loss, which is correct.) + +(*4) After 16 minutes (to correspond with tcp_retries2=15), a new data + packet is sent. Note: No data is transmitted between (*3) and + (*4) and we disabled keep alives. 
+ + The socket's timeout SHOULD be calculated from this point in + time, but instead it's calculated from the prior "event" 16 + minutes ago (step (*2)). + +(*5) Because no ACK packet is received, the packet is retransmitted. + +(*6) At the time of the 2nd retransmission, the socket returns + ETIMEDOUT, prematurely, because retrans_stamp is (erroneously) + too far in the past (set at the time of (*2)). + +This commit fixes this bug by ensuring that we reuse in +tcp_try_undo_loss() the same careful logic for non-SACK connections +that we have in tcp_try_undo_recovery(). To avoid duplicating logic, +we factor out that logic into a new +tcp_is_non_sack_preventing_reopen() helper and call that helper from +both undo functions. + +Fixes: da34ac7626b5 ("tcp: only undo on partial ACKs in CA_Loss") +Reported-by: Nagaraj Arankal +Link: https://lore.kernel.org/all/SJ0PR84MB1847BE6C24D274C46A1B9B0EB27A9@SJ0PR84MB1847.NAMPRD84.PROD.OUTLOOK.COM/ +Signed-off-by: Neal Cardwell +Signed-off-by: Yuchung Cheng +Reviewed-by: Eric Dumazet +Link: https://lore.kernel.org/r/20220903121023.866900-1-ncardwell.kernel@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_input.c | 25 ++++++++++++++++++------- + 1 file changed, 18 insertions(+), 7 deletions(-) + +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index e62500d6fe0d0..4ecd85b1e806c 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -2496,6 +2496,21 @@ static inline bool tcp_may_undo(const struct tcp_sock *tp) + return tp->undo_marker && (!tp->undo_retrans || tcp_packet_delayed(tp)); + } + ++static bool tcp_is_non_sack_preventing_reopen(struct sock *sk) ++{ ++ struct tcp_sock *tp = tcp_sk(sk); ++ ++ if (tp->snd_una == tp->high_seq && tcp_is_reno(tp)) { ++ /* Hold old state until something *above* high_seq ++ * is ACKed. For Reno it is MUST to prevent false ++ * fast retransmits (RFC2582). SACK TCP is safe. 
*/ ++ if (!tcp_any_retrans_done(sk)) ++ tp->retrans_stamp = 0; ++ return true; ++ } ++ return false; ++} ++ + /* People celebrate: "We love our President!" */ + static bool tcp_try_undo_recovery(struct sock *sk) + { +@@ -2518,14 +2533,8 @@ static bool tcp_try_undo_recovery(struct sock *sk) + } else if (tp->rack.reo_wnd_persist) { + tp->rack.reo_wnd_persist--; + } +- if (tp->snd_una == tp->high_seq && tcp_is_reno(tp)) { +- /* Hold old state until something *above* high_seq +- * is ACKed. For Reno it is MUST to prevent false +- * fast retransmits (RFC2582). SACK TCP is safe. */ +- if (!tcp_any_retrans_done(sk)) +- tp->retrans_stamp = 0; ++ if (tcp_is_non_sack_preventing_reopen(sk)) + return true; +- } + tcp_set_ca_state(sk, TCP_CA_Open); + tp->is_sack_reneg = 0; + return false; +@@ -2561,6 +2570,8 @@ static bool tcp_try_undo_loss(struct sock *sk, bool frto_undo) + NET_INC_STATS(sock_net(sk), + LINUX_MIB_TCPSPURIOUSRTOS); + inet_csk(sk)->icsk_retransmits = 0; ++ if (tcp_is_non_sack_preventing_reopen(sk)) ++ return true; + if (frto_undo || tcp_is_sack(tp)) { + tcp_set_ca_state(sk, TCP_CA_Open); + tp->is_sack_reneg = 0; +-- +2.35.1 + diff --git a/queue-5.10/tee-fix-compiler-warning-in-tee_shm_register.patch b/queue-5.10/tee-fix-compiler-warning-in-tee_shm_register.patch new file mode 100644 index 00000000000..8e98b6a3c5e --- /dev/null +++ b/queue-5.10/tee-fix-compiler-warning-in-tee_shm_register.patch 
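Review bot: `tcp_is_non_sack_preventing_reopen()` is named like a pure predicate but clears `tp->retrans_stamp` when `tcp_any_retrans_done()` returns false, and both `tcp_try_undo_recovery()` and `tcp_try_undo_loss()` now rely on that side effect. A header comment should state it, for example `/* Returns true if a Reno (non-SACK) connection must be held in its current CA state; may clear tp->retrans_stamp. */`. In `tcp_try_undo_loss()` the new early `return true` sits before `if (frto_undo || tcp_is_sack(tp))`, so it also applies when `frto_undo` is true, a case that previously moved to `TCP_CA_Open` regardless of SACK; the commit message does not discuss that case and it is worth confirming it is intended. Both callers extend beyond the hunks.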
@@ -0,0 +1,40 @@ +From dc8f09ca8934a1de92c1cbf9ba78dd06672c0dd3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Aug 2022 07:43:35 +0200 +Subject: tee: fix compiler warning in tee_shm_register() + +From: Jens Wiklander + +[ Upstream commit eccd7439709810127563e7e3e49b8b44c7b2791d ] + +Include to avoid the warning: + drivers/tee/tee_shm.c: In function 'tee_shm_register': +>> drivers/tee/tee_shm.c:242:14: error: implicit declaration of function 'access_ok' [-Werror=implicit-function-declaration] + 242 | if (!access_ok((void __user *)addr, length)) + | ^~~~~~~~~ + cc1: some warnings being treated as errors + +Fixes: 573ae4f13f63 ("tee: add overflow check in register_shm_helper()") +Reviewed-by: Sumit Garg +Reported-by: kernel test robot +Signed-off-by: Jens Wiklander +Signed-off-by: Sasha Levin +--- + drivers/tee/tee_shm.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/tee/tee_shm.c b/drivers/tee/tee_shm.c +index 499fccba3d74b..6fb4400333fb4 100644 +--- a/drivers/tee/tee_shm.c ++++ b/drivers/tee/tee_shm.c +@@ -9,6 +9,7 @@ + #include + #include + #include ++#include + #include + #include "tee_private.h" + +-- +2.35.1 + diff --git a/queue-5.10/tipc-fix-shift-wrapping-bug-in-map_get.patch b/queue-5.10/tipc-fix-shift-wrapping-bug-in-map_get.patch new file mode 100644 index 00000000000..f0a788b837f --- /dev/null +++ b/queue-5.10/tipc-fix-shift-wrapping-bug-in-map_get.patch 
@@ -0,0 +1,36 @@
+From 6dbc1d78b00e9fb57df05a1dcf77977f55032ef4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 31 Aug 2022 17:47:56 +0300
+Subject: tipc: fix shift wrapping bug in map_get()
+
+From: Dan Carpenter
+
+[ Upstream commit e2b224abd9bf45dcb55750479fc35970725a430b ]
+
+There is a shift wrapping bug in this code so anything thing above
+31 will return false.
+
+Fixes: 35c55c9877f8 ("tipc: add neighbor monitoring framework")
+Signed-off-by: Dan Carpenter
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/tipc/monitor.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/tipc/monitor.c b/net/tipc/monitor.c
+index a37190da5a504..1d90f39129ca0 100644
+--- a/net/tipc/monitor.c
++++ b/net/tipc/monitor.c
+@@ -130,7 +130,7 @@ static void map_set(u64 *up_map, int i, unsigned int v)
+
+ static int map_get(u64 up_map, int i)
+ {
+- return (up_map & (1 << i)) >> i;
++ return (up_map & (1ULL << i)) >> i;
+ }
+
+ static struct tipc_peer *peer_prev(struct tipc_peer *peer)
+--
+2.35.1
+
diff --git a/queue-5.10/xen-netback-only-remove-hotplug-status-when-the-vif-.patch b/queue-5.10/xen-netback-only-remove-hotplug-status-when-the-vif-.patch
new file mode 100644
index 00000000000..3e363fd2868
--- /dev/null
+++ b/queue-5.10/xen-netback-only-remove-hotplug-status-when-the-vif-.patch
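Review bot: In `map_get()` the corrected `1ULL << i` still shifts by a signed `int i` that nothing in the visible code range-checks, so a negative index or one of 64 or more is undefined behaviour instead of a clean "bit not set". Whether any caller can pass such a value is not visible in this hunk; if the index can be influenced by data received from a peer, a guard such as `if (i < 0 || i >= 64) return 0;` would make the contract explicit. As a point of style, `return !!(up_map & BIT_ULL(i));` expresses the same test with the kernel's own macro and avoids the implicit u64-to-int narrowing on return. `map_set()` appears only in the hunk header, so it is worth confirming that it already uses a 64-bit shift as well.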
@@ -0,0 +1,50 @@
+From 4659cbdcf64833054499d8bcd91120863aed15a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 1 Sep 2022 12:55:54 +0100
+Subject: xen-netback: only remove 'hotplug-status' when the vif is actually
+ destroyed
+
+From: Paul Durrant
+
+[ Upstream commit c55f34b6aec2a8cb47eadaffea773e83bf85de91 ]
+
+Removing 'hotplug-status' in backend_disconnected() means that it will be
+removed even in the case that the frontend unilaterally disconnects (which
+it is free to do at any time). The consequence of this is that, when the
+frontend attempts to re-connect, the backend gets stuck in 'InitWait'
+rather than moving straight to 'Connected' (which it can do because the
+hotplug script has already run).
+Instead, the 'hotplug-status' mode should be removed in netback_remove()
+i.e. when the vif really is going away.
+
+Fixes: 0f4558ae9187 ("Revert "xen-netback: remove 'hotplug-status' once it has served its purpose"")
+Signed-off-by: Paul Durrant
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/xen-netback/xenbus.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/xen-netback/xenbus.c b/drivers/net/xen-netback/xenbus.c
+index ca261e0fc9c9b..9ee9ce0493fe6 100644
+--- a/drivers/net/xen-netback/xenbus.c
++++ b/drivers/net/xen-netback/xenbus.c
+@@ -256,7 +256,6 @@ static void backend_disconnect(struct backend_info *be)
+ unsigned int queue_index;
+
+ xen_unregister_watchers(vif);
+- xenbus_rm(XBT_NIL, be->dev->nodename, "hotplug-status");
+ #ifdef CONFIG_DEBUG_FS
+ xenvif_debugfs_delif(vif);
+ #endif /* CONFIG_DEBUG_FS */
+@@ -984,6 +983,7 @@ static int netback_remove(struct xenbus_device *dev)
+ struct backend_info *be = dev_get_drvdata(&dev->dev);
+
+ unregister_hotplug_status_watch(be);
++ xenbus_rm(XBT_NIL, dev->nodename, "hotplug-status");
+ if (be->vif) {
+ kobject_uevent(&dev->dev.kobj, KOBJ_OFFLINE);
+ backend_disconnect(be);
+--
+2.35.1
+
-- 2.47.3
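Review bot: The `xenbus_rm(XBT_NIL, dev->nodename, "hotplug-status")` call added to `netback_remove()` carries no comment saying why it belongs there rather than in `backend_disconnect()`, and the Fixes: tag shows this line has already moved once through a revert. Because the frontend is guest-controlled and may disconnect and reconnect at any time, a short comment would keep a later cleanup from moving it back, for example `/* Only on final teardown: the frontend may disconnect and reconnect, and the hotplug script has already run. */`. The return value of `xenbus_rm()` is also dropped; logging a failure there would help when diagnosing a stale node. `netback_remove()` continues past the end of the hunk, so the rest of the teardown order is not visible here.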