From 941eab042aa0e3e7984fde11f788c64ba23e19cf Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 4 Jul 2022 14:04:38 +0200 Subject: [PATCH] 5.4-stable patches added patches: linux-dim-fix-divide-by-0-in-rdma-dim.patch net-tun-stop-napi-when-detaching-queues.patch net-tun-unlink-napi-from-device-on-destruction.patch rdma-qedr-fix-reporting-qp-timeout-attribute.patch selftests-net-pass-ipv6_args-to-udpgso_bench-s-ipv6-tcp-test.patch usbnet-fix-memory-allocation-in-helpers.patch virtio-net-fix-race-between-ndo_open-and-virtio_device_ready.patch --- ...inux-dim-fix-divide-by-0-in-rdma-dim.patch | 69 +++++++++++++++++++ ...-tun-stop-napi-when-detaching-queues.patch | 58 ++++++++++++++++ ...link-napi-from-device-on-destruction.patch | 34 +++++++++ ...r-fix-reporting-qp-timeout-attribute.patch | 58 ++++++++++++++++ ...args-to-udpgso_bench-s-ipv6-tcp-test.patch | 34 +++++++++ queue-5.4/series | 7 ++ ...net-fix-memory-allocation-in-helpers.patch | 45 ++++++++++++ ...een-ndo_open-and-virtio_device_ready.patch | 52 ++++++++++++++ 8 files changed, 357 insertions(+) create mode 100644 queue-5.4/linux-dim-fix-divide-by-0-in-rdma-dim.patch create mode 100644 queue-5.4/net-tun-stop-napi-when-detaching-queues.patch create mode 100644 queue-5.4/net-tun-unlink-napi-from-device-on-destruction.patch create mode 100644 queue-5.4/rdma-qedr-fix-reporting-qp-timeout-attribute.patch create mode 100644 queue-5.4/selftests-net-pass-ipv6_args-to-udpgso_bench-s-ipv6-tcp-test.patch create mode 100644 queue-5.4/usbnet-fix-memory-allocation-in-helpers.patch create mode 100644 queue-5.4/virtio-net-fix-race-between-ndo_open-and-virtio_device_ready.patch diff --git a/queue-5.4/linux-dim-fix-divide-by-0-in-rdma-dim.patch b/queue-5.4/linux-dim-fix-divide-by-0-in-rdma-dim.patch new file mode 100644 index 00000000000..7e468712954 --- /dev/null +++ b/queue-5.4/linux-dim-fix-divide-by-0-in-rdma-dim.patch @@ -0,0 +1,69 @@ +From 0fe3dbbefb74a8575f61d7801b08dbc50523d60d Mon Sep 17 00:00:00 2001 +From: Tao Liu +Date: Mon, 27 Jun 2022 22:00:04 +0800 +Subject: linux/dim: Fix divide by 0 in RDMA DIM + +From: Tao Liu + +commit 0fe3dbbefb74a8575f61d7801b08dbc50523d60d upstream. + +Fix a divide 0 error in rdma_dim_stats_compare() when prev->cpe_ratio == +0. + +CallTrace: + Hardware name: H3C R4900 G3/RS33M2C9S, BIOS 2.00.37P21 03/12/2020 + task: ffff880194b78000 task.stack: ffffc90006714000 + RIP: 0010:backport_rdma_dim+0x10e/0x240 [mlx_compat] + RSP: 0018:ffff880c10e83ec0 EFLAGS: 00010202 + RAX: 0000000000002710 RBX: ffff88096cd7f780 RCX: 0000000000000064 + RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000001 + RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000 + R10: 0000000000000000 R11: 0000000000000000 R12: 000000001d7c6c09 + R13: ffff88096cd7f780 R14: ffff880b174fe800 R15: 0000000000000000 + FS: 0000000000000000(0000) GS:ffff880c10e80000(0000) + knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00000000a0965b00 CR3: 000000000200a003 CR4: 00000000007606e0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + PKRU: 55555554 + Call Trace: + + ib_poll_handler+0x43/0x80 [ib_core] + irq_poll_softirq+0xae/0x110 + __do_softirq+0xd1/0x28c + irq_exit+0xde/0xf0 + do_IRQ+0x54/0xe0 + common_interrupt+0x8f/0x8f + + ? cpuidle_enter_state+0xd9/0x2a0 + ? cpuidle_enter_state+0xc7/0x2a0 + ? do_idle+0x170/0x1d0 + ? cpu_startup_entry+0x6f/0x80 + ? start_secondary+0x1b9/0x210 + ? secondary_startup_64+0xa5/0xb0 + Code: 0f 87 e1 00 00 00 8b 4c 24 14 44 8b 43 14 89 c8 4d 63 c8 44 29 c0 99 31 d0 29 d0 31 d2 48 98 48 8d 04 80 48 8d 04 80 48 c1 e0 02 <49> f7 f1 48 83 f8 0a 0f 86 c1 00 00 00 44 39 c1 7f 10 48 89 df + RIP: backport_rdma_dim+0x10e/0x240 [mlx_compat] RSP: ffff880c10e83ec0 + +Fixes: f4915455dcf0 ("linux/dim: Implement RDMA adaptive moderation (DIM)") +Link: https://lore.kernel.org/r/20220627140004.3099-1-thomas.liu@ucloud.cn +Signed-off-by: Tao Liu +Reviewed-by: Max Gurtovoy +Acked-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/dim.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/linux/dim.h ++++ b/include/linux/dim.h +@@ -17,7 +17,7 @@ + * We consider 10% difference as significant. + */ + #define IS_SIGNIFICANT_DIFF(val, ref) \ +- (((100UL * abs((val) - (ref))) / (ref)) > 10) ++ ((ref) && (((100UL * abs((val) - (ref))) / (ref)) > 10)) + + /** + * Calculate the gap between two values. diff --git a/queue-5.4/net-tun-stop-napi-when-detaching-queues.patch b/queue-5.4/net-tun-stop-napi-when-detaching-queues.patch new file mode 100644 index 00000000000..d5af175d5d8 --- /dev/null +++ b/queue-5.4/net-tun-stop-napi-when-detaching-queues.patch @@ -0,0 +1,58 @@ +From a8fc8cb5692aebb9c6f7afd4265366d25dcd1d01 Mon Sep 17 00:00:00 2001 +From: Jakub Kicinski +Date: Wed, 22 Jun 2022 21:21:05 -0700 +Subject: net: tun: stop NAPI when detaching queues + +From: Jakub Kicinski + +commit a8fc8cb5692aebb9c6f7afd4265366d25dcd1d01 upstream. + +While looking at a syzbot report I noticed the NAPI only gets +disabled before it's deleted. I think that user can detach +the queue before destroying the device and the NAPI will never +be stopped. + +Fixes: 943170998b20 ("tun: enable NAPI for TUN/TAP driver") +Acked-by: Petar Penkov +Link: https://lore.kernel.org/r/20220623042105.2274812-1-kuba@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/tun.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/drivers/net/tun.c ++++ b/drivers/net/tun.c +@@ -327,6 +327,12 @@ static void tun_napi_init(struct tun_str + } + } + ++static void tun_napi_enable(struct tun_file *tfile) ++{ ++ if (tfile->napi_enabled) ++ napi_enable(&tfile->napi); ++} ++ + static void tun_napi_disable(struct tun_file *tfile) + { + if (tfile->napi_enabled) +@@ -709,8 +715,10 @@ static void __tun_detach(struct tun_file + if (clean) { + RCU_INIT_POINTER(tfile->tun, NULL); + sock_put(&tfile->sk); +- } else ++ } else { + tun_disable_queue(tun, tfile); ++ tun_napi_disable(tfile); ++ } + + synchronize_net(); + tun_flow_delete_by_queue(tun, tun->numqueues + 1); +@@ -864,6 +872,7 @@ static int tun_attach(struct tun_struct + + if (tfile->detached) { + tun_enable_queue(tfile); ++ tun_napi_enable(tfile); + } else { + sock_hold(&tfile->sk); + tun_napi_init(tun, tfile, napi, napi_frags); diff --git a/queue-5.4/net-tun-unlink-napi-from-device-on-destruction.patch b/queue-5.4/net-tun-unlink-napi-from-device-on-destruction.patch new file mode 100644 index 00000000000..d119a28bf8e --- /dev/null +++ b/queue-5.4/net-tun-unlink-napi-from-device-on-destruction.patch @@ -0,0 +1,34 @@ +From 3b9bc84d311104906d2b4995a9a02d7b7ddab2db Mon Sep 17 00:00:00 2001 +From: Jakub Kicinski +Date: Wed, 22 Jun 2022 21:20:39 -0700 +Subject: net: tun: unlink NAPI from device on destruction + +From: Jakub Kicinski + +commit 3b9bc84d311104906d2b4995a9a02d7b7ddab2db upstream. + +Syzbot found a race between tun file and device destruction. +NAPIs live in struct tun_file which can get destroyed before +the netdev so we have to del them explicitly. The current +code is missing deleting the NAPI if the queue was detached +first. + +Fixes: 943170998b20 ("tun: enable NAPI for TUN/TAP driver") +Reported-by: syzbot+b75c138e9286ac742647@syzkaller.appspotmail.com +Link: https://lore.kernel.org/r/20220623042039.2274708-1-kuba@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/tun.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/tun.c ++++ b/drivers/net/tun.c +@@ -783,6 +783,7 @@ static void tun_detach_all(struct net_de + sock_put(&tfile->sk); + } + list_for_each_entry_safe(tfile, tmp, &tun->disabled, next) { ++ tun_napi_del(tfile); + tun_enable_queue(tfile); + tun_queue_purge(tfile); + xdp_rxq_info_unreg(&tfile->xdp_rxq); diff --git a/queue-5.4/rdma-qedr-fix-reporting-qp-timeout-attribute.patch b/queue-5.4/rdma-qedr-fix-reporting-qp-timeout-attribute.patch new file mode 100644 index 00000000000..d0a4b227fe3 --- /dev/null +++ b/queue-5.4/rdma-qedr-fix-reporting-qp-timeout-attribute.patch @@ -0,0 +1,58 @@ +From 118f767413ada4eef7825fbd4af7c0866f883441 Mon Sep 17 00:00:00 2001 +From: Kamal Heib +Date: Wed, 25 May 2022 16:20:29 +0300 +Subject: RDMA/qedr: Fix reporting QP timeout attribute +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kamal Heib + +commit 118f767413ada4eef7825fbd4af7c0866f883441 upstream. + +Make sure to save the passed QP timeout attribute when the QP gets modified, +so when calling query QP the right value is reported and not the +converted value that is required by the firmware. This issue was found +while running the pyverbs tests. + +Fixes: cecbcddf6461 ("qedr: Add support for QP verbs") +Link: https://lore.kernel.org/r/20220525132029.84813-1-kamalheib1@gmail.com +Signed-off-by: Kamal Heib +Acked-by: Michal Kalderon  +Signed-off-by: Leon Romanovsky +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/qedr/qedr.h | 1 + + drivers/infiniband/hw/qedr/verbs.c | 4 +++- + 2 files changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/infiniband/hw/qedr/qedr.h ++++ b/drivers/infiniband/hw/qedr/qedr.h +@@ -416,6 +416,7 @@ struct qedr_qp { + u32 sq_psn; + u32 qkey; + u32 dest_qp_num; ++ u8 timeout; + + /* Relevant to qps created from kernel space only (ULPs) */ + u8 prev_wqe_size; +--- a/drivers/infiniband/hw/qedr/verbs.c ++++ b/drivers/infiniband/hw/qedr/verbs.c +@@ -2259,6 +2259,8 @@ int qedr_modify_qp(struct ib_qp *ibqp, s + 1 << max_t(int, attr->timeout - 8, 0); + else + qp_params.ack_timeout = 0; ++ ++ qp->timeout = attr->timeout; + } + + if (attr_mask & IB_QP_RETRY_CNT) { +@@ -2418,7 +2420,7 @@ int qedr_query_qp(struct ib_qp *ibqp, + rdma_ah_set_dgid_raw(&qp_attr->ah_attr, ¶ms.dgid.bytes[0]); + rdma_ah_set_port_num(&qp_attr->ah_attr, 1); + rdma_ah_set_sl(&qp_attr->ah_attr, 0); +- qp_attr->timeout = params.timeout; ++ qp_attr->timeout = qp->timeout; + qp_attr->rnr_retry = params.rnr_retry; + qp_attr->retry_cnt = params.retry_cnt; + qp_attr->min_rnr_timer = params.min_rnr_nak_timer; diff --git a/queue-5.4/selftests-net-pass-ipv6_args-to-udpgso_bench-s-ipv6-tcp-test.patch b/queue-5.4/selftests-net-pass-ipv6_args-to-udpgso_bench-s-ipv6-tcp-test.patch new file mode 100644 index 00000000000..98ee114d338 --- /dev/null +++ b/queue-5.4/selftests-net-pass-ipv6_args-to-udpgso_bench-s-ipv6-tcp-test.patch @@ -0,0 +1,34 @@ +From b968080808f7f28b89aa495b7402ba48eb17ee93 Mon Sep 17 00:00:00 2001 +From: Dimitris Michailidis +Date: Wed, 22 Jun 2022 17:02:34 -0700 +Subject: selftests/net: pass ipv6_args to udpgso_bench's IPv6 TCP test + +From: Dimitris Michailidis + +commit b968080808f7f28b89aa495b7402ba48eb17ee93 upstream. + +udpgso_bench.sh has been running its IPv6 TCP test with IPv4 arguments +since its initial conmit. Looks like a typo. + +Fixes: 3a687bef148d ("selftests: udp gso benchmark") +Cc: willemb@google.com +Signed-off-by: Dimitris Michailidis +Acked-by: Willem de Bruijn +Link: https://lore.kernel.org/r/20220623000234.61774-1-dmichail@fungible.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/udpgso_bench.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/testing/selftests/net/udpgso_bench.sh ++++ b/tools/testing/selftests/net/udpgso_bench.sh +@@ -120,7 +120,7 @@ run_all() { + run_udp "${ipv4_args}" + + echo "ipv6" +- run_tcp "${ipv4_args}" ++ run_tcp "${ipv6_args}" + run_udp "${ipv6_args}" + } + diff --git a/queue-5.4/series b/queue-5.4/series index c142b770a1f..ca1c8a96153 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -8,3 +8,10 @@ s390-archrandom-simplify-back-to-earlier-design-and-initialize-earlier.patch sunrpc-fix-read_plus-crasher.patch net-rose-fix-uaf-bugs-caused-by-timer-handler.patch net-usb-ax88179_178a-fix-packet-receiving.patch +virtio-net-fix-race-between-ndo_open-and-virtio_device_ready.patch +selftests-net-pass-ipv6_args-to-udpgso_bench-s-ipv6-tcp-test.patch +net-tun-unlink-napi-from-device-on-destruction.patch +net-tun-stop-napi-when-detaching-queues.patch +rdma-qedr-fix-reporting-qp-timeout-attribute.patch +linux-dim-fix-divide-by-0-in-rdma-dim.patch +usbnet-fix-memory-allocation-in-helpers.patch diff --git a/queue-5.4/usbnet-fix-memory-allocation-in-helpers.patch b/queue-5.4/usbnet-fix-memory-allocation-in-helpers.patch new file mode 100644 index 00000000000..c41b7b8bf3d --- /dev/null +++ b/queue-5.4/usbnet-fix-memory-allocation-in-helpers.patch @@ -0,0 +1,45 @@ +From e65af5403e462ccd7dff6a045a886c64da598c2e Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Tue, 28 Jun 2022 11:35:17 +0200 +Subject: usbnet: fix memory allocation in helpers + +From: Oliver Neukum + +commit e65af5403e462ccd7dff6a045a886c64da598c2e upstream. + +usbnet provides some helper functions that are also used in +the context of reset() operations. During a reset the other +drivers on a device are unable to operate. As that can be block +drivers, a driver for another interface cannot use paging +in its memory allocations without risking a deadlock. +Use GFP_NOIO in the helpers. + +Fixes: 877bd862f32b8 ("usbnet: introduce usbnet 3 command helpers") +Signed-off-by: Oliver Neukum +Link: https://lore.kernel.org/r/20220628093517.7469-1-oneukum@suse.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/usbnet.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/usb/usbnet.c ++++ b/drivers/net/usb/usbnet.c +@@ -1987,7 +1987,7 @@ static int __usbnet_read_cmd(struct usbn + cmd, reqtype, value, index, size); + + if (size) { +- buf = kmalloc(size, GFP_KERNEL); ++ buf = kmalloc(size, GFP_NOIO); + if (!buf) + goto out; + } +@@ -2019,7 +2019,7 @@ static int __usbnet_write_cmd(struct usb + cmd, reqtype, value, index, size); + + if (data) { +- buf = kmemdup(data, size, GFP_KERNEL); ++ buf = kmemdup(data, size, GFP_NOIO); + if (!buf) + goto out; + } else { diff --git a/queue-5.4/virtio-net-fix-race-between-ndo_open-and-virtio_device_ready.patch b/queue-5.4/virtio-net-fix-race-between-ndo_open-and-virtio_device_ready.patch new file mode 100644 index 00000000000..e6d6d741040 --- /dev/null +++ b/queue-5.4/virtio-net-fix-race-between-ndo_open-and-virtio_device_ready.patch @@ -0,0 +1,52 @@ +From 50c0ada627f56c92f5953a8bf9158b045ad026a1 Mon Sep 17 00:00:00 2001 +From: Jason Wang +Date: Fri, 17 Jun 2022 15:29:49 +0800 +Subject: virtio-net: fix race between ndo_open() and virtio_device_ready() + +From: Jason Wang + +commit 50c0ada627f56c92f5953a8bf9158b045ad026a1 upstream. + +We currently call virtio_device_ready() after netdev +registration. Since ndo_open() can be called immediately +after register_netdev, this means there exists a race between +ndo_open() and virtio_device_ready(): the driver may start to use the +device before DRIVER_OK which violates the spec. + +Fix this by switching to use register_netdevice() and protect the +virtio_device_ready() with rtnl_lock() to make sure ndo_open() can +only be called after virtio_device_ready(). + +Fixes: 4baf1e33d0842 ("virtio_net: enable VQs early") +Signed-off-by: Jason Wang +Message-Id: <20220617072949.30734-1-jasowang@redhat.com> +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/virtio_net.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/net/virtio_net.c ++++ b/drivers/net/virtio_net.c +@@ -3219,14 +3219,20 @@ static int virtnet_probe(struct virtio_d + } + } + +- err = register_netdev(dev); ++ /* serialize netdev register + virtio_device_ready() with ndo_open() */ ++ rtnl_lock(); ++ ++ err = register_netdevice(dev); + if (err) { + pr_debug("virtio_net: registering device failed\n"); ++ rtnl_unlock(); + goto free_failover; + } + + virtio_device_ready(vdev); + ++ rtnl_unlock(); ++ + err = virtnet_cpu_notif_add(vi); + if (err) { + pr_debug("virtio_net: registering cpu notifier failed\n"); -- 2.47.3