From ca785833243184a339f17b1f1092bc2bcbdf4263 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sun, 16 Jul 2023 21:01:19 -0400 Subject: [PATCH] Fixes for 5.10 Signed-off-by: Sasha Levin --- ...t-riscv-jit-to-provide-bpf_line_info.patch | 75 ++++++++ ...-add-connector_type-for-innolux_at04.patch | 39 ++++ ...-add-powertip-ph800480t013-drm_displ.patch | 38 ++++ ...nite-loop-in-z_erofs_do_read_page-wh.patch | 54 ++++++ ...default-duplex-configuration-to-full.patch | 43 +++++ ...tr-deref-of-ip6_null_entry-rt6i_idev.patch | 145 ++++++++++++++ ...erting-of-empty-frame-for-launchtime.patch | 128 +++++++++++++ ...fix-launchtime-before-start-of-cycle.patch | 46 +++++ ...e-delay-during-tx-ring-configuration.patch | 46 +++++ ...n-supported-and-advertising-fields-o.patch | 39 ++++ ...ove-warn_on-to-prevent-panic_on_warn.patch | 42 +++++ ...x-a-potential-refcount-underflow-for.patch | 53 ++++++ ...ne-turning-irqs-off-to-avoid-soc-han.patch | 55 ++++++ ...for-not_ready-flag-state-after-locki.patch | 133 +++++++++++++ ...uble-free-in-mlx5e_destroy_flow_tabl.patch | 38 ++++ ...-fix-txq_map-in-case-of-txq_number-1.patch | 48 +++++ ...corruption-on-frag-list-segmentation.patch | 102 ++++++++++ ...-fix-improper-refcount-update-leads-.patch | 62 ++++++ ...-ensure-both-minimum-and-maximum-por.patch | 82 ++++++++ ...sched-make-psched_mtu-rtnl-less-safe.patch | 49 +++++ ...q-account-for-stab-overhead-in-qfq_e.patch | 96 ++++++++++ ...q-refactor-parsing-of-netlink-parame.patch | 87 +++++++++ ...initialized-data-in-nsim_dev_trap_fa.patch | 55 ++++++ ...r-handling-in-amd_ntb_pci_driver_ini.patch | 64 +++++++ ...rror-handling-in-idt_pci_driver_init.patch | 66 +++++++ ...ror-handling-in-intel_ntb_pci_driver.patch | 65 +++++++ ...-ntb_tool-add-check-for-devm_kcalloc.patch | 39 ++++ ...t-fix-possible-memory-leak-while-dev.patch | 42 +++++ ...-direction-of-unmapping-integrity-da.patch | 41 ++++ ...-break-possible-infinite-loop-when-p.patch | 84 +++++++++ .../platform-x86-wmi-move-variables.patch | 80 ++++++++ ...-x86-wmi-remove-unnecessary-argument.patch | 75 ++++++++ ...rm-x86-wmi-use-guid_t-and-guid_equal.patch | 177 ++++++++++++++++++ queue-5.10/riscv-bpf-avoid-breaking-w-x.patch | 45 +++++ ...ix-inconsistent-jit-image-generation.patch | 137 ++++++++++++++ ...pf_jit_alloc_exec-and-bpf_jit_free_e.patch | 69 +++++++ ...x-fix-error-code-in-qla2x00_start_sp.patch | 38 ++++ queue-5.10/series | 39 ++++ queue-5.10/udp6-fix-udp6_ehashfn-typo.patch | 40 ++++ ...uninitialized-warning-in-airo_get_ra.patch | 47 +++++ 40 files changed, 2703 insertions(+) create mode 100644 queue-5.10/bpf-riscv-support-riscv-jit-to-provide-bpf_line_info.patch create mode 100644 queue-5.10/drm-panel-simple-add-connector_type-for-innolux_at04.patch create mode 100644 queue-5.10/drm-panel-simple-add-powertip-ph800480t013-drm_displ.patch create mode 100644 queue-5.10/erofs-avoid-infinite-loop-in-z_erofs_do_read_page-wh.patch create mode 100644 queue-5.10/gve-set-default-duplex-configuration-to-full.patch create mode 100644 queue-5.10/icmp6-fix-null-ptr-deref-of-ip6_null_entry-rt6i_idev.patch create mode 100644 queue-5.10/igc-fix-inserting-of-empty-frame-for-launchtime.patch create mode 100644 queue-5.10/igc-fix-launchtime-before-start-of-cycle.patch create mode 100644 queue-5.10/igc-remove-delay-during-tx-ring-configuration.patch create mode 100644 queue-5.10/igc-set-tp-bit-in-supported-and-advertising-fields-o.patch create mode 100644 queue-5.10/ionic-remove-warn_on-to-prevent-panic_on_warn.patch create mode 100644 queue-5.10/ipv6-addrconf-fix-a-potential-refcount-underflow-for.patch create mode 100644 queue-5.10/net-bgmac-postpone-turning-irqs-off-to-avoid-soc-han.patch create mode 100644 queue-5.10/net-mlx5e-check-for-not_ready-flag-state-after-locki.patch create mode 100644 queue-5.10/net-mlx5e-fix-double-free-in-mlx5e_destroy_flow_tabl.patch create mode 100644 queue-5.10/net-mvneta-fix-txq_map-in-case-of-txq_number-1.patch create mode 100644 queue-5.10/net-prevent-skb-corruption-on-frag-list-segmentation.patch create mode 100644 queue-5.10/net-sched-cls_fw-fix-improper-refcount-update-leads-.patch create mode 100644 queue-5.10/net-sched-flower-ensure-both-minimum-and-maximum-por.patch create mode 100644 queue-5.10/net-sched-make-psched_mtu-rtnl-less-safe.patch create mode 100644 queue-5.10/net-sched-sch_qfq-account-for-stab-overhead-in-qfq_e.patch create mode 100644 queue-5.10/net-sched-sch_qfq-refactor-parsing-of-netlink-parame.patch create mode 100644 queue-5.10/netdevsim-fix-uninitialized-data-in-nsim_dev_trap_fa.patch create mode 100644 queue-5.10/ntb-amd-fix-error-handling-in-amd_ntb_pci_driver_ini.patch create mode 100644 queue-5.10/ntb-idt-fix-error-handling-in-idt_pci_driver_init.patch create mode 100644 queue-5.10/ntb-intel-fix-error-handling-in-intel_ntb_pci_driver.patch create mode 100644 queue-5.10/ntb-ntb_tool-add-check-for-devm_kcalloc.patch create mode 100644 queue-5.10/ntb-ntb_transport-fix-possible-memory-leak-while-dev.patch create mode 100644 queue-5.10/nvme-pci-fix-dma-direction-of-unmapping-integrity-da.patch create mode 100644 queue-5.10/platform-x86-wmi-break-possible-infinite-loop-when-p.patch create mode 100644 queue-5.10/platform-x86-wmi-move-variables.patch create mode 100644 queue-5.10/platform-x86-wmi-remove-unnecessary-argument.patch create mode 100644 queue-5.10/platform-x86-wmi-use-guid_t-and-guid_equal.patch create mode 100644 queue-5.10/riscv-bpf-avoid-breaking-w-x.patch create mode 100644 queue-5.10/riscv-bpf-fix-inconsistent-jit-image-generation.patch create mode 100644 queue-5.10/riscv-bpf-move-bpf_jit_alloc_exec-and-bpf_jit_free_e.patch create mode 100644 queue-5.10/scsi-qla2xxx-fix-error-code-in-qla2x00_start_sp.patch create mode 100644 queue-5.10/udp6-fix-udp6_ehashfn-typo.patch create mode 100644 queue-5.10/wifi-airo-avoid-uninitialized-warning-in-airo_get_ra.patch diff --git a/queue-5.10/bpf-riscv-support-riscv-jit-to-provide-bpf_line_info.patch b/queue-5.10/bpf-riscv-support-riscv-jit-to-provide-bpf_line_info.patch new file mode 100644 index 00000000000..dfa0414e7c7 --- /dev/null +++ b/queue-5.10/bpf-riscv-support-riscv-jit-to-provide-bpf_line_info.patch @@ -0,0 +1,75 @@ +From 08e94dd671f1cf66d7c8791d504ecf41c85a776f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 May 2022 17:28:11 +0800 +Subject: bpf, riscv: Support riscv jit to provide bpf_line_info + +From: Pu Lehui + +[ Upstream commit 3cb70413041fdf028fa1ba3986fd0c6aec9e3dcb ] + +Add support for riscv jit to provide bpf_line_info. We need to +consider the prologue offset in ctx->offset, but unlike x86 and +arm64, ctx->offset of riscv does not provide an extra slot for +the prologue, so here we just calculate the len of prologue and +add it to ctx->offset at the end. Both RV64 and RV32 have been +tested. + +Signed-off-by: Pu Lehui +Signed-off-by: Daniel Borkmann +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20220530092815.1112406-3-pulehui@huawei.com +Stable-dep-of: c56fb2aab235 ("riscv, bpf: Fix inconsistent JIT image generation") +Signed-off-by: Sasha Levin +--- + arch/riscv/net/bpf_jit.h | 1 + + arch/riscv/net/bpf_jit_core.c | 8 +++++++- + 2 files changed, 8 insertions(+), 1 deletion(-) + +diff --git a/arch/riscv/net/bpf_jit.h b/arch/riscv/net/bpf_jit.h +index 75c1e99968675..ab0cd6d10ccf3 100644 +--- a/arch/riscv/net/bpf_jit.h ++++ b/arch/riscv/net/bpf_jit.h +@@ -69,6 +69,7 @@ struct rv_jit_context { + struct bpf_prog *prog; + u16 *insns; /* RV insns */ + int ninsns; ++ int body_len; + int epilogue_offset; + int *offset; /* BPF to RV */ + unsigned long flags; +diff --git a/arch/riscv/net/bpf_jit_core.c b/arch/riscv/net/bpf_jit_core.c +index 5d247198c30d3..750b15c319d5d 100644 +--- a/arch/riscv/net/bpf_jit_core.c ++++ b/arch/riscv/net/bpf_jit_core.c +@@ -43,7 +43,7 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog) + { + bool tmp_blinded = false, extra_pass = false; + struct bpf_prog *tmp, *orig_prog = prog; +- int pass = 0, prev_ninsns = 0, i; ++ int pass = 0, prev_ninsns = 0, prologue_len, i; + struct rv_jit_data *jit_data; + struct rv_jit_context *ctx; + unsigned int image_size = 0; +@@ -95,6 +95,7 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog) + prog = orig_prog; + goto out_offset; + } ++ ctx->body_len = ctx->ninsns; + bpf_jit_build_prologue(ctx); + ctx->epilogue_offset = ctx->ninsns; + bpf_jit_build_epilogue(ctx); +@@ -154,6 +155,11 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog) + + if (!prog->is_func || extra_pass) { + bpf_jit_binary_lock_ro(jit_data->header); ++ prologue_len = ctx->epilogue_offset - ctx->body_len; ++ for (i = 0; i < prog->len; i++) ++ ctx->offset[i] = ninsns_rvoff(prologue_len + ++ ctx->offset[i]); ++ bpf_prog_fill_jited_linfo(prog, ctx->offset); + out_offset: + kfree(ctx->offset); + kfree(jit_data); +-- +2.39.2 + diff --git a/queue-5.10/drm-panel-simple-add-connector_type-for-innolux_at04.patch b/queue-5.10/drm-panel-simple-add-connector_type-for-innolux_at04.patch new file mode 100644 index 00000000000..5ac1deb819f --- /dev/null +++ b/queue-5.10/drm-panel-simple-add-connector_type-for-innolux_at04.patch @@ -0,0 +1,39 @@ +From 31d7ebc306aee8cd050979655f24bf30429400b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jun 2023 08:22:02 -0300 +Subject: drm/panel: simple: Add connector_type for innolux_at043tn24 + +From: Fabio Estevam + +[ Upstream commit 2c56a751845ddfd3078ebe79981aaaa182629163 ] + +The innolux at043tn24 display is a parallel LCD. Pass the 'connector_type' +information to avoid the following warning: + +panel-simple panel: Specify missing connector_type + +Signed-off-by: Fabio Estevam +Fixes: 41bcceb4de9c ("drm/panel: simple: Add support for Innolux AT043TN24") +Reviewed-by: Sam Ravnborg +Signed-off-by: Neil Armstrong +Link: https://patchwork.freedesktop.org/patch/msgid/20230620112202.654981-1-festevam@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panel/panel-simple.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/panel/panel-simple.c b/drivers/gpu/drm/panel/panel-simple.c +index b0b92f436879a..ffda99c204356 100644 +--- a/drivers/gpu/drm/panel/panel-simple.c ++++ b/drivers/gpu/drm/panel/panel-simple.c +@@ -2091,6 +2091,7 @@ static const struct panel_desc innolux_at043tn24 = { + .height = 54, + }, + .bus_format = MEDIA_BUS_FMT_RGB888_1X24, ++ .connector_type = DRM_MODE_CONNECTOR_DPI, + .bus_flags = DRM_BUS_FLAG_DE_HIGH | DRM_BUS_FLAG_PIXDATA_DRIVE_POSEDGE, + }; + +-- +2.39.2 + diff --git a/queue-5.10/drm-panel-simple-add-powertip-ph800480t013-drm_displ.patch b/queue-5.10/drm-panel-simple-add-powertip-ph800480t013-drm_displ.patch new file mode 100644 index 00000000000..6adae45da16 --- /dev/null +++ b/queue-5.10/drm-panel-simple-add-powertip-ph800480t013-drm_displ.patch @@ -0,0 +1,38 @@ +From 0b1bddd8f52eb2d2c5215e3046b6c2ca1b3442f8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jun 2023 22:16:02 +0200 +Subject: drm/panel: simple: Add Powertip PH800480T013 drm_display_mode flags + +From: Marek Vasut + +[ Upstream commit 1c519980aced3da1fae37c1339cf43b24eccdee7 ] + +Add missing drm_display_mode DRM_MODE_FLAG_NVSYNC | DRM_MODE_FLAG_NHSYNC +flags. Those are used by various bridges in the pipeline to correctly +configure its sync signals polarity. + +Fixes: d69de69f2be1 ("drm/panel: simple: Add Powertip PH800480T013 panel") +Signed-off-by: Marek Vasut +Reviewed-by: Sam Ravnborg +Signed-off-by: Neil Armstrong +Link: https://patchwork.freedesktop.org/patch/msgid/20230615201602.565948-1-marex@denx.de +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panel/panel-simple.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/panel/panel-simple.c b/drivers/gpu/drm/panel/panel-simple.c +index ffda99c204356..7b69f81444ebd 100644 +--- a/drivers/gpu/drm/panel/panel-simple.c ++++ b/drivers/gpu/drm/panel/panel-simple.c +@@ -3153,6 +3153,7 @@ static const struct drm_display_mode powertip_ph800480t013_idf02_mode = { + .vsync_start = 480 + 49, + .vsync_end = 480 + 49 + 2, + .vtotal = 480 + 49 + 2 + 22, ++ .flags = DRM_MODE_FLAG_NVSYNC | DRM_MODE_FLAG_NHSYNC, + }; + + static const struct panel_desc powertip_ph800480t013_idf02 = { +-- +2.39.2 + diff --git a/queue-5.10/erofs-avoid-infinite-loop-in-z_erofs_do_read_page-wh.patch b/queue-5.10/erofs-avoid-infinite-loop-in-z_erofs_do_read_page-wh.patch new file mode 100644 index 00000000000..5b52f7c4520 --- /dev/null +++ b/queue-5.10/erofs-avoid-infinite-loop-in-z_erofs_do_read_page-wh.patch @@ -0,0 +1,54 @@ +From ab418c2e4ce893c2f6c065ff11c691b4fa2419ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Jul 2023 17:34:10 +0800 +Subject: erofs: avoid infinite loop in z_erofs_do_read_page() when reading + beyond EOF + +From: Chunhai Guo + +[ Upstream commit 8191213a5835b0317c5e4d0d337ae1ae00c75253 ] + +z_erofs_do_read_page() may loop infinitely due to the inappropriate +truncation in the below statement. Since the offset is 64 bits and min_t() +truncates the result to 32 bits. The solution is to replace unsigned int +with a 64-bit type, such as erofs_off_t. + cur = end - min_t(unsigned int, offset + end - map->m_la, end); + + - For example: + - offset = 0x400160000 + - end = 0x370 + - map->m_la = 0x160370 + - offset + end - map->m_la = 0x400000000 + - offset + end - map->m_la = 0x00000000 (truncated as unsigned int) + - Expected result: + - cur = 0 + - Actual result: + - cur = 0x370 + +Signed-off-by: Chunhai Guo +Fixes: 3883a79abd02 ("staging: erofs: introduce VLE decompression support") +Reviewed-by: Gao Xiang +Reviewed-by: Chao Yu +Link: https://lore.kernel.org/r/20230710093410.44071-1-guochunhai@vivo.com +Signed-off-by: Gao Xiang +Signed-off-by: Sasha Levin +--- + fs/erofs/zdata.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/erofs/zdata.c b/fs/erofs/zdata.c +index 8cb2cf612e49b..9cff927382599 100644 +--- a/fs/erofs/zdata.c ++++ b/fs/erofs/zdata.c +@@ -629,7 +629,7 @@ static int z_erofs_do_read_page(struct z_erofs_decompress_frontend *fe, + tight &= (clt->mode >= COLLECT_PRIMARY_HOOKED && + clt->mode != COLLECT_PRIMARY_FOLLOWED_NOINPLACE); + +- cur = end - min_t(unsigned int, offset + end - map->m_la, end); ++ cur = end - min_t(erofs_off_t, offset + end - map->m_la, end); + if (!(map->m_flags & EROFS_MAP_MAPPED)) { + zero_user_segment(page, cur, end); + goto next_part; +-- +2.39.2 + diff --git a/queue-5.10/gve-set-default-duplex-configuration-to-full.patch b/queue-5.10/gve-set-default-duplex-configuration-to-full.patch new file mode 100644 index 00000000000..e2ab8b698b4 --- /dev/null +++ b/queue-5.10/gve-set-default-duplex-configuration-to-full.patch @@ -0,0 +1,43 @@ +From 16788fe6a3213dc782c2135f0e2e7ba48ec48d54 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Jul 2023 12:41:28 +0800 +Subject: gve: Set default duplex configuration to full + +From: Junfeng Guo + +[ Upstream commit 0503efeadbf6bb8bf24397613a73b67e665eac5f ] + +Current duplex mode was unset in the driver, resulting in the default +parameter being set to 0, which corresponds to half duplex. It might +mislead users to have incorrect expectation about the driver's +transmission capabilities. +Set the default duplex configuration to full, as the driver runs in +full duplex mode at this point. + +Fixes: 7e074d5a76ca ("gve: Enable Link Speed Reporting in the driver.") +Signed-off-by: Junfeng Guo +Reviewed-by: Leon Romanovsky +Message-ID: <20230706044128.2726747-1-junfeng.guo@intel.com> +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/google/gve/gve_ethtool.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/google/gve/gve_ethtool.c b/drivers/net/ethernet/google/gve/gve_ethtool.c +index e0449cc24fbdb..cbfd007449351 100644 +--- a/drivers/net/ethernet/google/gve/gve_ethtool.c ++++ b/drivers/net/ethernet/google/gve/gve_ethtool.c +@@ -516,6 +516,9 @@ static int gve_get_link_ksettings(struct net_device *netdev, + err = gve_adminq_report_link_speed(priv); + + cmd->base.speed = priv->link_speed; ++ ++ cmd->base.duplex = DUPLEX_FULL; ++ + return err; + } + +-- +2.39.2 + diff --git a/queue-5.10/icmp6-fix-null-ptr-deref-of-ip6_null_entry-rt6i_idev.patch b/queue-5.10/icmp6-fix-null-ptr-deref-of-ip6_null_entry-rt6i_idev.patch new file mode 100644 index 00000000000..aa2256cec62 --- /dev/null +++ b/queue-5.10/icmp6-fix-null-ptr-deref-of-ip6_null_entry-rt6i_idev.patch @@ -0,0 +1,145 @@ +From fd4812e25f97d7173396b96409ed2a2b0b4ed5df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Jul 2023 18:43:27 -0700 +Subject: icmp6: Fix null-ptr-deref of ip6_null_entry->rt6i_idev in + icmp6_dev(). + +From: Kuniyuki Iwashima + +[ Upstream commit 2aaa8a15de73874847d62eb595c6683bface80fd ] + +With some IPv6 Ext Hdr (RPL, SRv6, etc.), we can send a packet that +has the link-local address as src and dst IP and will be forwarded to +an external IP in the IPv6 Ext Hdr. + +For example, the script below generates a packet whose src IP is the +link-local address and dst is updated to 11::. + + # for f in $(find /proc/sys/net/ -name *seg6_enabled*); do echo 1 > $f; done + # python3 + >>> from socket import * + >>> from scapy.all import * + >>> + >>> SRC_ADDR = DST_ADDR = "fe80::5054:ff:fe12:3456" + >>> + >>> pkt = IPv6(src=SRC_ADDR, dst=DST_ADDR) + >>> pkt /= IPv6ExtHdrSegmentRouting(type=4, addresses=["11::", "22::"], segleft=1) + >>> + >>> sk = socket(AF_INET6, SOCK_RAW, IPPROTO_RAW) + >>> sk.sendto(bytes(pkt), (DST_ADDR, 0)) + +For such a packet, we call ip6_route_input() to look up a route for the +next destination in these three functions depending on the header type. + + * ipv6_rthdr_rcv() + * ipv6_rpl_srh_rcv() + * ipv6_srh_rcv() + +If no route is found, ip6_null_entry is set to skb, and the following +dst_input(skb) calls ip6_pkt_drop(). + +Finally, in icmp6_dev(), we dereference skb_rt6_info(skb)->rt6i_idev->dev +as the input device is the loopback interface. Then, we have to check if +skb_rt6_info(skb)->rt6i_idev is NULL or not to avoid NULL pointer deref +for ip6_null_entry. + +BUG: kernel NULL pointer dereference, address: 0000000000000000 + PF: supervisor read access in kernel mode + PF: error_code(0x0000) - not-present page +PGD 0 P4D 0 +Oops: 0000 [#1] PREEMPT SMP PTI +CPU: 0 PID: 157 Comm: python3 Not tainted 6.4.0-11996-gb121d614371c #35 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 +RIP: 0010:icmp6_send (net/ipv6/icmp.c:436 net/ipv6/icmp.c:503) +Code: fe ff ff 48 c7 40 30 c0 86 5d 83 e8 c6 44 1c 00 e9 c8 fc ff ff 49 8b 46 58 48 83 e0 fe 0f 84 4a fb ff ff 48 8b 80 d0 00 00 00 <48> 8b 00 44 8b 88 e0 00 00 00 e9 34 fb ff ff 4d 85 ed 0f 85 69 01 +RSP: 0018:ffffc90000003c70 EFLAGS: 00000286 +RAX: 0000000000000000 RBX: 0000000000000001 RCX: 00000000000000e0 +RDX: 0000000000000021 RSI: 0000000000000000 RDI: ffff888006d72a18 +RBP: ffffc90000003d80 R08: 0000000000000000 R09: 0000000000000001 +R10: ffffc90000003d98 R11: 0000000000000040 R12: ffff888006d72a10 +R13: 0000000000000000 R14: ffff8880057fb800 R15: ffffffff835d86c0 +FS: 00007f9dc72ee740(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000000000000 CR3: 00000000057b2000 CR4: 00000000007506f0 +PKRU: 55555554 +Call Trace: + + ip6_pkt_drop (net/ipv6/route.c:4513) + ipv6_rthdr_rcv (net/ipv6/exthdrs.c:640 net/ipv6/exthdrs.c:686) + ip6_protocol_deliver_rcu (net/ipv6/ip6_input.c:437 (discriminator 5)) + ip6_input_finish (./include/linux/rcupdate.h:781 net/ipv6/ip6_input.c:483) + __netif_receive_skb_one_core (net/core/dev.c:5455) + process_backlog (./include/linux/rcupdate.h:781 net/core/dev.c:5895) + __napi_poll (net/core/dev.c:6460) + net_rx_action (net/core/dev.c:6529 net/core/dev.c:6660) + __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:554) + do_softirq (kernel/softirq.c:454 kernel/softirq.c:441) + + + __local_bh_enable_ip (kernel/softirq.c:381) + __dev_queue_xmit (net/core/dev.c:4231) + ip6_finish_output2 (./include/net/neighbour.h:544 net/ipv6/ip6_output.c:135) + rawv6_sendmsg (./include/net/dst.h:458 ./include/linux/netfilter.h:303 net/ipv6/raw.c:656 net/ipv6/raw.c:914) + sock_sendmsg (net/socket.c:725 net/socket.c:748) + __sys_sendto (net/socket.c:2134) + __x64_sys_sendto (net/socket.c:2146 net/socket.c:2142 net/socket.c:2142) + do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) + entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) +RIP: 0033:0x7f9dc751baea +Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89 +RSP: 002b:00007ffe98712c38 EFLAGS: 00000246 ORIG_RAX: 000000000000002c +RAX: ffffffffffffffda RBX: 00007ffe98712cf8 RCX: 00007f9dc751baea +RDX: 0000000000000060 RSI: 00007f9dc6460b90 RDI: 0000000000000003 +RBP: 00007f9dc56e8be0 R08: 00007ffe98712d70 R09: 000000000000001c +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: ffffffffc4653600 R14: 0000000000000001 R15: 00007f9dc6af5d1b + +Modules linked in: +CR2: 0000000000000000 + ---[ end trace 0000000000000000 ]--- +RIP: 0010:icmp6_send (net/ipv6/icmp.c:436 net/ipv6/icmp.c:503) +Code: fe ff ff 48 c7 40 30 c0 86 5d 83 e8 c6 44 1c 00 e9 c8 fc ff ff 49 8b 46 58 48 83 e0 fe 0f 84 4a fb ff ff 48 8b 80 d0 00 00 00 <48> 8b 00 44 8b 88 e0 00 00 00 e9 34 fb ff ff 4d 85 ed 0f 85 69 01 +RSP: 0018:ffffc90000003c70 EFLAGS: 00000286 +RAX: 0000000000000000 RBX: 0000000000000001 RCX: 00000000000000e0 +RDX: 0000000000000021 RSI: 0000000000000000 RDI: ffff888006d72a18 +RBP: ffffc90000003d80 R08: 0000000000000000 R09: 0000000000000001 +R10: ffffc90000003d98 R11: 0000000000000040 R12: ffff888006d72a10 +R13: 0000000000000000 R14: ffff8880057fb800 R15: ffffffff835d86c0 +FS: 00007f9dc72ee740(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000000000000 CR3: 00000000057b2000 CR4: 00000000007506f0 +PKRU: 55555554 +Kernel panic - not syncing: Fatal exception in interrupt +Kernel Offset: disabled + +Fixes: 4832c30d5458 ("net: ipv6: put host and anycast routes on device with address") +Reported-by: Wang Yufen +Closes: https://lore.kernel.org/netdev/c41403a9-c2f6-3b7e-0c96-e1901e605cd0@huawei.com/ +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: David Ahern +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/icmp.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c +index fd1f896115c1e..d01165bb6a32b 100644 +--- a/net/ipv6/icmp.c ++++ b/net/ipv6/icmp.c +@@ -429,7 +429,10 @@ static struct net_device *icmp6_dev(const struct sk_buff *skb) + if (unlikely(dev->ifindex == LOOPBACK_IFINDEX || netif_is_l3_master(skb->dev))) { + const struct rt6_info *rt6 = skb_rt6_info(skb); + +- if (rt6) ++ /* The destination could be an external IP in Ext Hdr (SRv6, RPL, etc.), ++ * and ip6_null_entry could be set to skb if no route is found. ++ */ ++ if (rt6 && rt6->rt6i_idev) + dev = rt6->rt6i_idev->dev; + } + +-- +2.39.2 + diff --git a/queue-5.10/igc-fix-inserting-of-empty-frame-for-launchtime.patch b/queue-5.10/igc-fix-inserting-of-empty-frame-for-launchtime.patch new file mode 100644 index 00000000000..ea7234f31a1 --- /dev/null +++ b/queue-5.10/igc-fix-inserting-of-empty-frame-for-launchtime.patch @@ -0,0 +1,128 @@ +From 28e19afbca0fa1e531bf500dfb1772f86514af4d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jun 2023 16:07:14 +0200 +Subject: igc: Fix inserting of empty frame for launchtime + +From: Florian Kauer + +[ Upstream commit 0bcc62858d6ba62cbade957d69745e6adeed5f3d ] + +The insertion of an empty frame was introduced with +commit db0b124f02ba ("igc: Enhance Qbv scheduling by using first flag bit") +in order to ensure that the current cycle has at least one packet if +there is some packet to be scheduled for the next cycle. + +However, the current implementation does not properly check if +a packet is already scheduled for the current cycle. Currently, +an empty packet is always inserted if and only if +txtime >= end_of_cycle && txtime > last_tx_cycle +but since last_tx_cycle is always either the end of the current +cycle (end_of_cycle) or the end of a previous cycle, the +second part (txtime > last_tx_cycle) is always true unless +txtime == last_tx_cycle. + +What actually needs to be checked here is if the last_tx_cycle +was already written within the current cycle, so an empty frame +should only be inserted if and only if +txtime >= end_of_cycle && end_of_cycle > last_tx_cycle. + +This patch does not only avoid an unnecessary insertion, but it +can actually be harmful to insert an empty packet if packets +are already scheduled in the current cycle, because it can lead +to a situation where the empty packet is actually processed +as the first packet in the upcoming cycle shifting the packet +with the first_flag even one cycle into the future, finally leading +to a TX hang. + +The TX hang can be reproduced on a i225 with: + + sudo tc qdisc replace dev enp1s0 parent root handle 100 taprio \ + num_tc 1 \ + map 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 \ + queues 1@0 \ + base-time 0 \ + sched-entry S 01 300000 \ + flags 0x1 \ + txtime-delay 500000 \ + clockid CLOCK_TAI + sudo tc qdisc replace dev enp1s0 parent 100:1 etf \ + clockid CLOCK_TAI \ + delta 500000 \ + offload \ + skip_sock_check + +and traffic generator + + sudo trafgen -i traffic.cfg -o enp1s0 --cpp -n0 -q -t1400ns + +with traffic.cfg + + #define ETH_P_IP 0x0800 + + { + /* Ethernet Header */ + 0x30, 0x1f, 0x9a, 0xd0, 0xf0, 0x0e, # MAC Dest - adapt as needed + 0x24, 0x5e, 0xbe, 0x57, 0x2e, 0x36, # MAC Src - adapt as needed + const16(ETH_P_IP), + + /* IPv4 Header */ + 0b01000101, 0, # IPv4 version, IHL, TOS + const16(1028), # IPv4 total length (UDP length + 20 bytes (IP header)) + const16(2), # IPv4 ident + 0b01000000, 0, # IPv4 flags, fragmentation off + 64, # IPv4 TTL + 17, # Protocol UDP + csumip(14, 33), # IPv4 checksum + + /* UDP Header */ + 10, 0, 48, 1, # IP Src - adapt as needed + 10, 0, 48, 10, # IP Dest - adapt as needed + const16(5555), # UDP Src Port + const16(6666), # UDP Dest Port + const16(1008), # UDP length (UDP header 8 bytes + payload length) + csumudp(14, 34), # UDP checksum + + /* Payload */ + fill('W', 1000), + } + +and the observed message with that is for example + + igc 0000:01:00.0 enp1s0: Detected Tx Unit Hang + Tx Queue <0> + TDH <32> + TDT <3c> + next_to_use <3c> + next_to_clean <32> + buffer_info[next_to_clean] + time_stamp + next_to_watch <00000000632a1828> + jiffies + desc.status <1048000> + +Fixes: db0b124f02ba ("igc: Enhance Qbv scheduling by using first flag bit") +Signed-off-by: Florian Kauer +Reviewed-by: Kurt Kanzenbach +Tested-by: Naama Meir +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c +index 051b1048eb41b..631ce793fb2ec 100644 +--- a/drivers/net/ethernet/intel/igc/igc_main.c ++++ b/drivers/net/ethernet/intel/igc/igc_main.c +@@ -918,7 +918,7 @@ static __le32 igc_tx_launchtime(struct igc_ring *ring, ktime_t txtime, + *first_flag = true; + ring->last_ff_cycle = baset_est; + +- if (ktime_compare(txtime, ring->last_tx_cycle) > 0) ++ if (ktime_compare(end_of_cycle, ring->last_tx_cycle) > 0) + *insert_empty = true; + } + } +-- +2.39.2 + diff --git a/queue-5.10/igc-fix-launchtime-before-start-of-cycle.patch b/queue-5.10/igc-fix-launchtime-before-start-of-cycle.patch new file mode 100644 index 00000000000..a52262e4338 --- /dev/null +++ b/queue-5.10/igc-fix-launchtime-before-start-of-cycle.patch @@ -0,0 +1,46 @@ +From 5bd9a05d5faa13c4939b72db846ba1a409b9bc39 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jun 2023 16:07:13 +0200 +Subject: igc: Fix launchtime before start of cycle + +From: Florian Kauer + +[ Upstream commit c1bca9ac0bcb355be11354c2e68bc7bf31f5ac5a ] + +It is possible (verified on a running system) that frames are processed +by igc_tx_launchtime with a txtime before the start of the cycle +(baset_est). + +However, the result of txtime - baset_est is written into a u32, +leading to a wrap around to a positive number. The following +launchtime > 0 check will only branch to executing launchtime = 0 +if launchtime is already 0. + +Fix it by using a s32 before checking launchtime > 0. + +Fixes: db0b124f02ba ("igc: Enhance Qbv scheduling by using first flag bit") +Signed-off-by: Florian Kauer +Reviewed-by: Kurt Kanzenbach +Tested-by: Naama Meir +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c +index 2b51ee87a2def..051b1048eb41b 100644 +--- a/drivers/net/ethernet/intel/igc/igc_main.c ++++ b/drivers/net/ethernet/intel/igc/igc_main.c +@@ -905,7 +905,7 @@ static __le32 igc_tx_launchtime(struct igc_ring *ring, ktime_t txtime, + ktime_t base_time = adapter->base_time; + ktime_t now = ktime_get_clocktai(); + ktime_t baset_est, end_of_cycle; +- u32 launchtime; ++ s32 launchtime; + s64 n; + + n = div64_s64(ktime_sub_ns(now, base_time), cycle_time); +-- +2.39.2 + diff --git a/queue-5.10/igc-remove-delay-during-tx-ring-configuration.patch b/queue-5.10/igc-remove-delay-during-tx-ring-configuration.patch new file mode 100644 index 00000000000..a0e9e75312a --- /dev/null +++ b/queue-5.10/igc-remove-delay-during-tx-ring-configuration.patch @@ -0,0 +1,46 @@ +From 2db76a308aa7625f060b0945befbf2f97128673c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 May 2023 08:18:12 +0800 +Subject: igc: Remove delay during TX ring configuration + +From: Muhammad Husaini Zulkifli + +[ Upstream commit cca28ceac7c7857bc2d313777017585aef00bcc4 ] + +Remove unnecessary delay during the TX ring configuration. +This will cause delay, especially during link down and +link up activity. + +Furthermore, old SKUs like as I225 will call the reset_adapter +to reset the controller during TSN mode Gate Control List (GCL) +setting. This will add more time to the configuration of the +real-time use case. + +It doesn't mentioned about this delay in the Software User Manual. +It might have been ported from legacy code I210 in the past. + +Fixes: 13b5b7fd6a4a ("igc: Add support for Tx/Rx rings") +Signed-off-by: Muhammad Husaini Zulkifli +Acked-by: Sasha Neftin +Tested-by: Naama Meir +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc_main.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c +index a15e4b6d7fa40..2b51ee87a2def 100644 +--- a/drivers/net/ethernet/intel/igc/igc_main.c ++++ b/drivers/net/ethernet/intel/igc/igc_main.c +@@ -600,7 +600,6 @@ static void igc_configure_tx_ring(struct igc_adapter *adapter, + /* disable the queue */ + wr32(IGC_TXDCTL(reg_idx), 0); + wrfl(); +- mdelay(10); + + wr32(IGC_TDLEN(reg_idx), + ring->count * sizeof(union igc_adv_tx_desc)); +-- +2.39.2 + diff --git a/queue-5.10/igc-set-tp-bit-in-supported-and-advertising-fields-o.patch b/queue-5.10/igc-set-tp-bit-in-supported-and-advertising-fields-o.patch new file mode 100644 index 00000000000..96864b40f9e --- /dev/null +++ b/queue-5.10/igc-set-tp-bit-in-supported-and-advertising-fields-o.patch @@ -0,0 +1,39 @@ +From b8e41a5723d033d84e74fa79a056bb31a3ed303b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Jun 2023 11:09:01 -0700 +Subject: igc: set TP bit in 'supported' and 'advertising' fields of + ethtool_link_ksettings + +From: Prasad Koya + +[ Upstream commit 9ac3fc2f42e5ffa1e927dcbffb71b15fa81459e2 ] + +set TP bit in the 'supported' and 'advertising' fields. i225/226 parts +only support twisted pair copper. + +Fixes: 8c5ad0dae93c ("igc: Add ethtool support") +Signed-off-by: Prasad Koya +Acked-by: Sasha Neftin +Tested-by: Naama Meir +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc_ethtool.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/intel/igc/igc_ethtool.c b/drivers/net/ethernet/intel/igc/igc_ethtool.c +index da259cd59adda..d28ac3a025ab1 100644 +--- a/drivers/net/ethernet/intel/igc/igc_ethtool.c ++++ b/drivers/net/ethernet/intel/igc/igc_ethtool.c +@@ -1673,6 +1673,8 @@ static int igc_ethtool_get_link_ksettings(struct net_device *netdev, + /* twisted pair */ + cmd->base.port = PORT_TP; + cmd->base.phy_address = hw->phy.addr; ++ ethtool_link_ksettings_add_link_mode(cmd, supported, TP); ++ ethtool_link_ksettings_add_link_mode(cmd, advertising, TP); + + /* advertising link modes */ + if (hw->phy.autoneg_advertised & ADVERTISE_10_HALF) +-- +2.39.2 + diff --git a/queue-5.10/ionic-remove-warn_on-to-prevent-panic_on_warn.patch b/queue-5.10/ionic-remove-warn_on-to-prevent-panic_on_warn.patch new file mode 100644 index 00000000000..7ec6e836161 --- /dev/null +++ b/queue-5.10/ionic-remove-warn_on-to-prevent-panic_on_warn.patch @@ -0,0 +1,42 @@ +From d882c5c49b84da8cf2d6039045449ef7fb0316bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Jul 2023 11:20:06 -0700 +Subject: ionic: remove WARN_ON to prevent panic_on_warn + +From: Nitya Sunkad + +[ Upstream commit abfb2a58a5377ebab717d4362d6180f901b6e5c1 ] + +Remove unnecessary early code development check and the WARN_ON +that it uses. The irq alloc and free paths have long been +cleaned up and this check shouldn't have stuck around so long. + +Fixes: 77ceb68e29cc ("ionic: Add notifyq support") +Signed-off-by: Nitya Sunkad +Signed-off-by: Shannon Nelson +Reviewed-by: Jacob Keller +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/pensando/ionic/ionic_lif.c | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/drivers/net/ethernet/pensando/ionic/ionic_lif.c b/drivers/net/ethernet/pensando/ionic/ionic_lif.c +index fcd4213c99b83..098772601df8c 100644 +--- a/drivers/net/ethernet/pensando/ionic/ionic_lif.c ++++ b/drivers/net/ethernet/pensando/ionic/ionic_lif.c +@@ -433,11 +433,6 @@ static void ionic_qcqs_free(struct ionic_lif *lif) + static void ionic_link_qcq_interrupts(struct ionic_qcq *src_qcq, + struct ionic_qcq *n_qcq) + { +- if (WARN_ON(n_qcq->flags & IONIC_QCQ_F_INTR)) { +- ionic_intr_free(n_qcq->cq.lif->ionic, n_qcq->intr.index); +- n_qcq->flags &= ~IONIC_QCQ_F_INTR; +- } +- + n_qcq->intr.vector = src_qcq->intr.vector; + n_qcq->intr.index = src_qcq->intr.index; + } +-- +2.39.2 + diff --git a/queue-5.10/ipv6-addrconf-fix-a-potential-refcount-underflow-for.patch b/queue-5.10/ipv6-addrconf-fix-a-potential-refcount-underflow-for.patch new file mode 100644 index 00000000000..4dd464c4d2a --- /dev/null +++ b/queue-5.10/ipv6-addrconf-fix-a-potential-refcount-underflow-for.patch @@ -0,0 +1,53 @@ +From 07fc730e8fffd463605d4bd1de5a3366e57fae89 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 8 Jul 2023 14:59:10 +0800 +Subject: ipv6/addrconf: fix a potential refcount underflow for idev + +From: Ziyang Xuan + +[ Upstream commit 06a0716949c22e2aefb648526580671197151acc ] + +Now in addrconf_mod_rs_timer(), reference idev depends on whether +rs_timer is not pending. Then modify rs_timer timeout. + +There is a time gap in [1], during which if the pending rs_timer +becomes not pending. It will miss to hold idev, but the rs_timer +is activated. Thus rs_timer callback function addrconf_rs_timer() +will be executed and put idev later without holding idev. A refcount +underflow issue for idev can be caused by this. + + if (!timer_pending(&idev->rs_timer)) + in6_dev_hold(idev); + <--------------[1] + mod_timer(&idev->rs_timer, jiffies + when); + +To fix the issue, hold idev if mod_timer() return 0. + +Fixes: b7b1bfce0bb6 ("ipv6: split duplicate address detection and router solicitation timer") +Suggested-by: Eric Dumazet +Signed-off-by: Ziyang Xuan +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/addrconf.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c +index ed1e5bfc97b31..d5d10496b4aef 100644 +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -314,9 +314,8 @@ static void addrconf_del_dad_work(struct inet6_ifaddr *ifp) + static void addrconf_mod_rs_timer(struct inet6_dev *idev, + unsigned long when) + { +- if (!timer_pending(&idev->rs_timer)) ++ if (!mod_timer(&idev->rs_timer, jiffies + when)) + in6_dev_hold(idev); +- mod_timer(&idev->rs_timer, jiffies + when); + } + + static void addrconf_mod_dad_work(struct inet6_ifaddr *ifp, +-- +2.39.2 + diff --git a/queue-5.10/net-bgmac-postpone-turning-irqs-off-to-avoid-soc-han.patch b/queue-5.10/net-bgmac-postpone-turning-irqs-off-to-avoid-soc-han.patch new file mode 100644 index 00000000000..6ca6484e626 --- /dev/null +++ b/queue-5.10/net-bgmac-postpone-turning-irqs-off-to-avoid-soc-han.patch @@ -0,0 +1,55 @@ +From ed50cac1312221bd55775880bbadd85707d48851 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Jul 2023 08:53:25 +0200 +Subject: net: bgmac: postpone turning IRQs off to avoid SoC hangs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rafał Miłecki + +[ Upstream commit e7731194fdf085f46d58b1adccfddbd0dfee4873 ] + +Turning IRQs off is done by accessing Ethernet controller registers. +That can't be done until device's clock is enabled. It results in a SoC +hang otherwise. + +This bug remained unnoticed for years as most bootloaders keep all +Ethernet interfaces turned on. It seems to only affect a niche SoC +family BCM47189. It has two Ethernet controllers but CFE bootloader uses +only the first one. + +Fixes: 34322615cbaa ("net: bgmac: Mask interrupts during probe") +Signed-off-by: Rafał Miłecki +Reviewed-by: Michal Kubiak +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bgmac.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/bgmac.c b/drivers/net/ethernet/broadcom/bgmac.c +index bb999e67d7736..ab8ee93316354 100644 +--- a/drivers/net/ethernet/broadcom/bgmac.c ++++ b/drivers/net/ethernet/broadcom/bgmac.c +@@ -1492,8 +1492,6 @@ int bgmac_enet_probe(struct bgmac *bgmac) + + bgmac->in_init = true; + +- bgmac_chip_intrs_off(bgmac); +- + net_dev->irq = bgmac->irq; + SET_NETDEV_DEV(net_dev, bgmac->dev); + dev_set_drvdata(bgmac->dev, bgmac); +@@ -1511,6 +1509,8 @@ int bgmac_enet_probe(struct bgmac *bgmac) + */ + bgmac_clk_enable(bgmac, 0); + ++ bgmac_chip_intrs_off(bgmac); ++ + /* This seems to be fixing IRQ by assigning OOB #6 to the core */ + if (!(bgmac->feature_flags & BGMAC_FEAT_IDM_MASK)) { + if (bgmac->feature_flags & BGMAC_FEAT_IRQ_ID_OOB_6) +-- +2.39.2 + diff --git a/queue-5.10/net-mlx5e-check-for-not_ready-flag-state-after-locki.patch b/queue-5.10/net-mlx5e-check-for-not_ready-flag-state-after-locki.patch new file mode 100644 index 00000000000..7f37aaa9fa5 --- /dev/null +++ b/queue-5.10/net-mlx5e-check-for-not_ready-flag-state-after-locki.patch @@ -0,0 +1,133 @@ +From 4fab9166cfad1448f3e5a54a365ade31178e240e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Jun 2023 09:32:10 +0200 +Subject: net/mlx5e: Check for NOT_READY flag state after locking + +From: Vlad Buslov + +[ Upstream commit 65e64640e97c0f223e77f9ea69b5a46186b93470 ] + +Currently the check for NOT_READY flag is performed before obtaining the +necessary lock. This opens a possibility for race condition when the flow +is concurrently removed from unready_flows list by the workqueue task, +which causes a double-removal from the list and a crash[0]. Fix the issue +by moving the flag check inside the section protected by +uplink_priv->unready_flows_lock mutex. + +[0]: +[44376.389654] general protection fault, probably for non-canonical address 0xdead000000000108: 0000 [#1] SMP +[44376.391665] CPU: 7 PID: 59123 Comm: tc Not tainted 6.4.0-rc4+ #1 +[44376.392984] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 +[44376.395342] RIP: 0010:mlx5e_tc_del_fdb_flow+0xb3/0x340 [mlx5_core] +[44376.396857] Code: 00 48 8b b8 68 ce 02 00 e8 8a 4d 02 00 4c 8d a8 a8 01 00 00 4c 89 ef e8 8b 79 88 e1 48 8b 83 98 06 00 00 48 8b 93 90 06 00 00 <48> 89 42 08 48 89 10 48 b8 00 01 00 00 00 00 ad de 48 89 83 90 06 +[44376.399167] RSP: 0018:ffff88812cc97570 EFLAGS: 00010246 +[44376.399680] RAX: dead000000000122 RBX: ffff8881088e3800 RCX: ffff8881881bac00 +[44376.400337] RDX: dead000000000100 RSI: ffff88812cc97500 RDI: ffff8881242f71b0 +[44376.401001] RBP: ffff88811cbb0940 R08: 0000000000000400 R09: 0000000000000001 +[44376.401663] R10: 0000000000000001 R11: 0000000000000000 R12: ffff88812c944000 +[44376.402342] R13: ffff8881242f71a8 R14: ffff8881222b4000 R15: 0000000000000000 +[44376.402999] FS: 00007f0451104800(0000) GS:ffff88852cb80000(0000) knlGS:0000000000000000 +[44376.403787] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[44376.404343] CR2: 0000000000489108 CR3: 0000000123a79003 CR4: 0000000000370ea0 +[44376.405004] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[44376.405665] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[44376.406339] Call Trace: +[44376.406651] +[44376.406939] ? die_addr+0x33/0x90 +[44376.407311] ? exc_general_protection+0x192/0x390 +[44376.407795] ? asm_exc_general_protection+0x22/0x30 +[44376.408292] ? mlx5e_tc_del_fdb_flow+0xb3/0x340 [mlx5_core] +[44376.408876] __mlx5e_tc_del_fdb_peer_flow+0xbc/0xe0 [mlx5_core] +[44376.409482] mlx5e_tc_del_flow+0x42/0x210 [mlx5_core] +[44376.410055] mlx5e_flow_put+0x25/0x50 [mlx5_core] +[44376.410529] mlx5e_delete_flower+0x24b/0x350 [mlx5_core] +[44376.411043] tc_setup_cb_reoffload+0x22/0x80 +[44376.411462] fl_reoffload+0x261/0x2f0 [cls_flower] +[44376.411907] ? mlx5e_rep_indr_setup_ft_cb+0x160/0x160 [mlx5_core] +[44376.412481] ? mlx5e_rep_indr_setup_ft_cb+0x160/0x160 [mlx5_core] +[44376.413044] tcf_block_playback_offloads+0x76/0x170 +[44376.413497] tcf_block_unbind+0x7b/0xd0 +[44376.413881] tcf_block_setup+0x17d/0x1c0 +[44376.414269] tcf_block_offload_cmd.isra.0+0xf1/0x130 +[44376.414725] tcf_block_offload_unbind+0x43/0x70 +[44376.415153] __tcf_block_put+0x82/0x150 +[44376.415532] ingress_destroy+0x22/0x30 [sch_ingress] +[44376.415986] qdisc_destroy+0x3b/0xd0 +[44376.416343] qdisc_graft+0x4d0/0x620 +[44376.416706] tc_get_qdisc+0x1c9/0x3b0 +[44376.417074] rtnetlink_rcv_msg+0x29c/0x390 +[44376.419978] ? rep_movs_alternative+0x3a/0xa0 +[44376.420399] ? rtnl_calcit.isra.0+0x120/0x120 +[44376.420813] netlink_rcv_skb+0x54/0x100 +[44376.421192] netlink_unicast+0x1f6/0x2c0 +[44376.421573] netlink_sendmsg+0x232/0x4a0 +[44376.421980] sock_sendmsg+0x38/0x60 +[44376.422328] ____sys_sendmsg+0x1d0/0x1e0 +[44376.422709] ? copy_msghdr_from_user+0x6d/0xa0 +[44376.423127] ___sys_sendmsg+0x80/0xc0 +[44376.423495] ? ___sys_recvmsg+0x8b/0xc0 +[44376.423869] __sys_sendmsg+0x51/0x90 +[44376.424226] do_syscall_64+0x3d/0x90 +[44376.424587] entry_SYSCALL_64_after_hwframe+0x46/0xb0 +[44376.425046] RIP: 0033:0x7f045134f887 +[44376.425403] Code: 0a 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b9 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10 +[44376.426914] RSP: 002b:00007ffd63a82b98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e +[44376.427592] RAX: ffffffffffffffda RBX: 000000006481955f RCX: 00007f045134f887 +[44376.428195] RDX: 0000000000000000 RSI: 00007ffd63a82c00 RDI: 0000000000000003 +[44376.428796] RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000 +[44376.429404] R10: 00007f0451208708 R11: 0000000000000246 R12: 0000000000000001 +[44376.430039] R13: 0000000000409980 R14: 000000000047e538 R15: 0000000000485400 +[44376.430644] +[44376.430907] Modules linked in: mlx5_ib mlx5_core act_mirred act_tunnel_key cls_flower vxlan dummy sch_ingress openvswitch nsh rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm ib_uverbs ib_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_g +ss_krb5 auth_rpcgss oid_registry overlay zram zsmalloc fuse [last unloaded: mlx5_core] +[44376.433936] ---[ end trace 0000000000000000 ]--- +[44376.434373] RIP: 0010:mlx5e_tc_del_fdb_flow+0xb3/0x340 [mlx5_core] +[44376.434951] Code: 00 48 8b b8 68 ce 02 00 e8 8a 4d 02 00 4c 8d a8 a8 01 00 00 4c 89 ef e8 8b 79 88 e1 48 8b 83 98 06 00 00 48 8b 93 90 06 00 00 <48> 89 42 08 48 89 10 48 b8 00 01 00 00 00 00 ad de 48 89 83 90 06 +[44376.436452] RSP: 0018:ffff88812cc97570 EFLAGS: 00010246 +[44376.436924] RAX: dead000000000122 RBX: ffff8881088e3800 RCX: ffff8881881bac00 +[44376.437530] RDX: dead000000000100 RSI: ffff88812cc97500 RDI: ffff8881242f71b0 +[44376.438179] RBP: ffff88811cbb0940 R08: 0000000000000400 R09: 0000000000000001 +[44376.438786] R10: 0000000000000001 R11: 0000000000000000 R12: ffff88812c944000 +[44376.439393] R13: ffff8881242f71a8 R14: ffff8881222b4000 R15: 0000000000000000 +[44376.439998] FS: 00007f0451104800(0000) GS:ffff88852cb80000(0000) knlGS:0000000000000000 +[44376.440714] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[44376.441225] CR2: 0000000000489108 CR3: 0000000123a79003 CR4: 0000000000370ea0 +[44376.441843] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[44376.442471] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + +Fixes: ad86755b18d5 ("net/mlx5e: Protect unready flows with dedicated lock") +Signed-off-by: Vlad Buslov +Reviewed-by: Roi Dayan +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c +index 16846442717dc..c6a81a51530d2 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c +@@ -1334,7 +1334,8 @@ static void remove_unready_flow(struct mlx5e_tc_flow *flow) + uplink_priv = &rpriv->uplink_priv; + + mutex_lock(&uplink_priv->unready_flows_lock); +- unready_flow_del(flow); ++ if (flow_flag_test(flow, NOT_READY)) ++ unready_flow_del(flow); + mutex_unlock(&uplink_priv->unready_flows_lock); + } + +@@ -1475,8 +1476,7 @@ static void mlx5e_tc_del_fdb_flow(struct mlx5e_priv *priv, + + mlx5e_put_flow_tunnel_id(flow); + +- if (flow_flag_test(flow, NOT_READY)) +- remove_unready_flow(flow); ++ remove_unready_flow(flow); + + if (mlx5e_is_offloaded_flow(flow)) { + if (flow_flag_test(flow, SLOW)) +-- +2.39.2 + diff --git a/queue-5.10/net-mlx5e-fix-double-free-in-mlx5e_destroy_flow_tabl.patch b/queue-5.10/net-mlx5e-fix-double-free-in-mlx5e_destroy_flow_tabl.patch new file mode 100644 index 00000000000..390629d9fcf --- /dev/null +++ b/queue-5.10/net-mlx5e-fix-double-free-in-mlx5e_destroy_flow_tabl.patch @@ -0,0 +1,38 @@ +From 51c1d01a8df6ae61c3421a1b34f59d4ff6474735 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jun 2023 08:59:34 +0800 +Subject: net/mlx5e: fix double free in mlx5e_destroy_flow_table + +From: Zhengchao Shao + +[ Upstream commit 884abe45a9014d0de2e6edb0630dfd64f23f1d1b ] + +In function accel_fs_tcp_create_groups(), when the ft->g memory is +successfully allocated but the 'in' memory fails to be allocated, the +memory pointed to by ft->g is released once. And in function +accel_fs_tcp_create_table, mlx5e_destroy_flow_table is called to release +the memory pointed to by ft->g again. This will cause double free problem. + +Fixes: c062d52ac24c ("net/mlx5e: Receive flow steering framework for accelerated TCP flows") +Signed-off-by: Zhengchao Shao +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_accel/fs_tcp.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/fs_tcp.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/fs_tcp.c +index e51f60b55daa4..2da90f6649d17 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/fs_tcp.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/fs_tcp.c +@@ -194,6 +194,7 @@ static int accel_fs_tcp_create_groups(struct mlx5e_flow_table *ft, + in = kvzalloc(inlen, GFP_KERNEL); + if (!in || !ft->g) { + kfree(ft->g); ++ ft->g = NULL; + kvfree(in); + return -ENOMEM; + } +-- +2.39.2 + diff --git a/queue-5.10/net-mvneta-fix-txq_map-in-case-of-txq_number-1.patch b/queue-5.10/net-mvneta-fix-txq_map-in-case-of-txq_number-1.patch new file mode 100644 index 00000000000..48d4f71190f --- /dev/null +++ b/queue-5.10/net-mvneta-fix-txq_map-in-case-of-txq_number-1.patch @@ -0,0 +1,48 @@ +From 8d474071fb65277ad4a185d716e67d58a5603536 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Jul 2023 07:37:12 +0200 +Subject: net: mvneta: fix txq_map in case of txq_number==1 + +From: Klaus Kudielka + +[ Upstream commit 21327f81db6337c8843ce755b01523c7d3df715b ] + +If we boot with mvneta.txq_number=1, the txq_map is set incorrectly: +MVNETA_CPU_TXQ_ACCESS(1) refers to TX queue 1, but only TX queue 0 is +initialized. Fix this. + +Fixes: 50bf8cb6fc9c ("net: mvneta: Configure XPS support") +Signed-off-by: Klaus Kudielka +Reviewed-by: Michal Kubiak +Link: https://lore.kernel.org/r/20230705053712.3914-1-klaus.kudielka@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/mvneta.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c +index f5567d485e91a..3656a3937eca6 100644 +--- a/drivers/net/ethernet/marvell/mvneta.c ++++ b/drivers/net/ethernet/marvell/mvneta.c +@@ -1471,7 +1471,7 @@ static void mvneta_defaults_set(struct mvneta_port *pp) + */ + if (txq_number == 1) + txq_map = (cpu == pp->rxq_def) ? +- MVNETA_CPU_TXQ_ACCESS(1) : 0; ++ MVNETA_CPU_TXQ_ACCESS(0) : 0; + + } else { + txq_map = MVNETA_CPU_TXQ_ACCESS_ALL_MASK; +@@ -4165,7 +4165,7 @@ static void mvneta_percpu_elect(struct mvneta_port *pp) + */ + if (txq_number == 1) + txq_map = (cpu == elected_cpu) ? +- MVNETA_CPU_TXQ_ACCESS(1) : 0; ++ MVNETA_CPU_TXQ_ACCESS(0) : 0; + else + txq_map = mvreg_read(pp, MVNETA_CPU_MAP(cpu)) & + MVNETA_CPU_TXQ_ACCESS_ALL_MASK; +-- +2.39.2 + diff --git a/queue-5.10/net-prevent-skb-corruption-on-frag-list-segmentation.patch b/queue-5.10/net-prevent-skb-corruption-on-frag-list-segmentation.patch new file mode 100644 index 00000000000..469cf66b8f0 --- /dev/null +++ b/queue-5.10/net-prevent-skb-corruption-on-frag-list-segmentation.patch @@ -0,0 +1,102 @@ +From 26aa2d34f0d6c8d867b7723dbaeb20226317bd4e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Jul 2023 10:11:10 +0200 +Subject: net: prevent skb corruption on frag list segmentation + +From: Paolo Abeni + +[ Upstream commit c329b261afe71197d9da83c1f18eb45a7e97e089 ] + +Ian reported several skb corruptions triggered by rx-gro-list, +collecting different oops alike: + +[ 62.624003] BUG: kernel NULL pointer dereference, address: 00000000000000c0 +[ 62.631083] #PF: supervisor read access in kernel mode +[ 62.636312] #PF: error_code(0x0000) - not-present page +[ 62.641541] PGD 0 P4D 0 +[ 62.644174] Oops: 0000 [#1] PREEMPT SMP NOPTI +[ 62.648629] CPU: 1 PID: 913 Comm: napi/eno2-79 Not tainted 6.4.0 #364 +[ 62.655162] Hardware name: Supermicro Super Server/A2SDi-12C-HLN4F, BIOS 1.7a 10/13/2022 +[ 62.663344] RIP: 0010:__udp_gso_segment (./include/linux/skbuff.h:2858 +./include/linux/udp.h:23 net/ipv4/udp_offload.c:228 net/ipv4/udp_offload.c:261 +net/ipv4/udp_offload.c:277) +[ 62.687193] RSP: 0018:ffffbd3a83b4f868 EFLAGS: 00010246 +[ 62.692515] RAX: 00000000000000ce RBX: 0000000000000000 RCX: 0000000000000000 +[ 62.699743] RDX: ffffa124def8a000 RSI: 0000000000000079 RDI: ffffa125952a14d4 +[ 62.706970] RBP: ffffa124def8a000 R08: 0000000000000022 R09: 00002000001558c9 +[ 62.714199] R10: 0000000000000000 R11: 00000000be554639 R12: 00000000000000e2 +[ 62.721426] R13: ffffa125952a1400 R14: ffffa125952a1400 R15: 00002000001558c9 +[ 62.728654] FS: 0000000000000000(0000) GS:ffffa127efa40000(0000) +knlGS:0000000000000000 +[ 62.736852] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 62.742702] CR2: 00000000000000c0 CR3: 00000001034b0000 CR4: 00000000003526e0 +[ 62.749948] Call Trace: +[ 62.752498] +[ 62.779267] inet_gso_segment (net/ipv4/af_inet.c:1398) +[ 62.787605] skb_mac_gso_segment (net/core/gro.c:141) +[ 62.791906] __skb_gso_segment (net/core/dev.c:3403 (discriminator 2)) +[ 62.800492] validate_xmit_skb (./include/linux/netdevice.h:4862 +net/core/dev.c:3659) +[ 62.804695] validate_xmit_skb_list (net/core/dev.c:3710) +[ 62.809158] sch_direct_xmit (net/sched/sch_generic.c:330) +[ 62.813198] __dev_queue_xmit (net/core/dev.c:3805 net/core/dev.c:4210) +net/netfilter/core.c:626) +[ 62.821093] br_dev_queue_push_xmit (net/bridge/br_forward.c:55) +[ 62.825652] maybe_deliver (net/bridge/br_forward.c:193) +[ 62.829420] br_flood (net/bridge/br_forward.c:233) +[ 62.832758] br_handle_frame_finish (net/bridge/br_input.c:215) +[ 62.837403] br_handle_frame (net/bridge/br_input.c:298 +net/bridge/br_input.c:416) +[ 62.851417] __netif_receive_skb_core.constprop.0 (net/core/dev.c:5387) +[ 62.866114] __netif_receive_skb_list_core (net/core/dev.c:5570) +[ 62.871367] netif_receive_skb_list_internal (net/core/dev.c:5638 +net/core/dev.c:5727) +[ 62.876795] napi_complete_done (./include/linux/list.h:37 +./include/net/gro.h:434 ./include/net/gro.h:429 net/core/dev.c:6067) +[ 62.881004] ixgbe_poll (drivers/net/ethernet/intel/ixgbe/ixgbe_main.c:3191) +[ 62.893534] __napi_poll (net/core/dev.c:6498) +[ 62.897133] napi_threaded_poll (./include/linux/netpoll.h:89 +net/core/dev.c:6640) +[ 62.905276] kthread (kernel/kthread.c:379) +[ 62.913435] ret_from_fork (arch/x86/entry/entry_64.S:314) +[ 62.917119] + +In the critical scenario, rx-gro-list GRO-ed packets are fed, via a +bridge, both to the local input path and to an egress device (tun). + +The segmentation of such packets unsafely writes to the cloned skbs +with shared heads. + +This change addresses the issue by uncloning as needed the +to-be-segmented skbs. + +Reported-by: Ian Kumlien +Tested-by: Ian Kumlien +Fixes: 3a1296a38d0c ("net: Support GRO/GSO fraglist chaining.") +Signed-off-by: Paolo Abeni +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/skbuff.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/core/skbuff.c b/net/core/skbuff.c +index e203172b9b9e7..b10285d06a2ca 100644 +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -3685,6 +3685,11 @@ struct sk_buff *skb_segment_list(struct sk_buff *skb, + + skb_push(skb, -skb_network_offset(skb) + offset); + ++ /* Ensure the head is writeable before touching the shared info */ ++ err = skb_unclone(skb, GFP_ATOMIC); ++ if (err) ++ goto err_linearize; ++ + skb_shinfo(skb)->frag_list = NULL; + + while (list_skb) { +-- +2.39.2 + diff --git a/queue-5.10/net-sched-cls_fw-fix-improper-refcount-update-leads-.patch b/queue-5.10/net-sched-cls_fw-fix-improper-refcount-update-leads-.patch new file mode 100644 index 00000000000..26a7b7a3f8f --- /dev/null +++ b/queue-5.10/net-sched-cls_fw-fix-improper-refcount-update-leads-.patch @@ -0,0 +1,62 @@ +From a5dfedd80251cd7f449b05be9ca3bfee01513642 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Jul 2023 12:15:30 -0400 +Subject: net/sched: cls_fw: Fix improper refcount update leads to + use-after-free + +From: M A Ramdhan + +[ Upstream commit 0323bce598eea038714f941ce2b22541c46d488f ] + +In the event of a failure in tcf_change_indev(), fw_set_parms() will +immediately return an error after incrementing or decrementing +reference counter in tcf_bind_filter(). If attacker can control +reference counter to zero and make reference freed, leading to +use after free. + +In order to prevent this, move the point of possible failure above the +point where the TC_FW_CLASSID is handled. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: M A Ramdhan +Signed-off-by: M A Ramdhan +Acked-by: Jamal Hadi Salim +Reviewed-by: Pedro Tammela +Message-ID: <20230705161530.52003-1-ramdhan@starlabs.sg> +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/cls_fw.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/net/sched/cls_fw.c b/net/sched/cls_fw.c +index ec945294626a8..41f0898a5a565 100644 +--- a/net/sched/cls_fw.c ++++ b/net/sched/cls_fw.c +@@ -210,11 +210,6 @@ static int fw_set_parms(struct net *net, struct tcf_proto *tp, + if (err < 0) + return err; + +- if (tb[TCA_FW_CLASSID]) { +- f->res.classid = nla_get_u32(tb[TCA_FW_CLASSID]); +- tcf_bind_filter(tp, &f->res, base); +- } +- + if (tb[TCA_FW_INDEV]) { + int ret; + ret = tcf_change_indev(net, tb[TCA_FW_INDEV], extack); +@@ -231,6 +226,11 @@ static int fw_set_parms(struct net *net, struct tcf_proto *tp, + } else if (head->mask != 0xFFFFFFFF) + return err; + ++ if (tb[TCA_FW_CLASSID]) { ++ f->res.classid = nla_get_u32(tb[TCA_FW_CLASSID]); ++ tcf_bind_filter(tp, &f->res, base); ++ } ++ + return 0; + } + +-- +2.39.2 + diff --git a/queue-5.10/net-sched-flower-ensure-both-minimum-and-maximum-por.patch b/queue-5.10/net-sched-flower-ensure-both-minimum-and-maximum-por.patch new file mode 100644 index 00000000000..3df73ff13f1 --- /dev/null +++ b/queue-5.10/net-sched-flower-ensure-both-minimum-and-maximum-por.patch @@ -0,0 +1,82 @@ +From 1b7c76fe6d9b400849874bef849242b3832a3ed2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Jul 2023 10:08:09 +0300 +Subject: net/sched: flower: Ensure both minimum and maximum ports are + specified + +From: Ido Schimmel + +[ Upstream commit d3f87278bcb80bd7f9519669d928b43320363d4f ] + +The kernel does not currently validate that both the minimum and maximum +ports of a port range are specified. This can lead user space to think +that a filter matching on a port range was successfully added, when in +fact it was not. For example, with a patched (buggy) iproute2 that only +sends the minimum port, the following commands do not return an error: + + # tc filter add dev swp1 ingress pref 1 proto ip flower ip_proto udp src_port 100-200 action pass + + # tc filter add dev swp1 ingress pref 1 proto ip flower ip_proto udp dst_port 100-200 action pass + + # tc filter show dev swp1 ingress + filter protocol ip pref 1 flower chain 0 + filter protocol ip pref 1 flower chain 0 handle 0x1 + eth_type ipv4 + ip_proto udp + not_in_hw + action order 1: gact action pass + random type none pass val 0 + index 1 ref 1 bind 1 + + filter protocol ip pref 1 flower chain 0 handle 0x2 + eth_type ipv4 + ip_proto udp + not_in_hw + action order 1: gact action pass + random type none pass val 0 + index 2 ref 1 bind 1 + +Fix by returning an error unless both ports are specified: + + # tc filter add dev swp1 ingress pref 1 proto ip flower ip_proto udp src_port 100-200 action pass + Error: Both min and max source ports must be specified. + We have an error talking to the kernel + + # tc filter add dev swp1 ingress pref 1 proto ip flower ip_proto udp dst_port 100-200 action pass + Error: Both min and max destination ports must be specified. + We have an error talking to the kernel + +Fixes: 5c72299fba9d ("net: sched: cls_flower: Classify packets using port ranges") +Signed-off-by: Ido Schimmel +Reviewed-by: Petr Machata +Acked-by: Jamal Hadi Salim +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sched/cls_flower.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c +index caf1a05bfbde4..dcf21d99f132c 100644 +--- a/net/sched/cls_flower.c ++++ b/net/sched/cls_flower.c +@@ -778,6 +778,16 @@ static int fl_set_key_port_range(struct nlattr **tb, struct fl_flow_key *key, + TCA_FLOWER_KEY_PORT_SRC_MAX, &mask->tp_range.tp_max.src, + TCA_FLOWER_UNSPEC, sizeof(key->tp_range.tp_max.src)); + ++ if (mask->tp_range.tp_min.dst != mask->tp_range.tp_max.dst) { ++ NL_SET_ERR_MSG(extack, ++ "Both min and max destination ports must be specified"); ++ return -EINVAL; ++ } ++ if (mask->tp_range.tp_min.src != mask->tp_range.tp_max.src) { ++ NL_SET_ERR_MSG(extack, ++ "Both min and max source ports must be specified"); ++ return -EINVAL; ++ } + if (mask->tp_range.tp_min.dst && mask->tp_range.tp_max.dst && + ntohs(key->tp_range.tp_max.dst) <= + ntohs(key->tp_range.tp_min.dst)) { +-- +2.39.2 + diff --git a/queue-5.10/net-sched-make-psched_mtu-rtnl-less-safe.patch b/queue-5.10/net-sched-make-psched_mtu-rtnl-less-safe.patch new file mode 100644 index 00000000000..73e21bed4e9 --- /dev/null +++ b/queue-5.10/net-sched-make-psched_mtu-rtnl-less-safe.patch @@ -0,0 +1,49 @@ +From 138f6a37f75054e68b1ab8f84c79d3580fbbbba5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Jul 2023 23:16:34 -0300 +Subject: net/sched: make psched_mtu() RTNL-less safe + +From: Pedro Tammela + +[ Upstream commit 150e33e62c1fa4af5aaab02776b6c3812711d478 ] + +Eric Dumazet says[1]: +------- +Speaking of psched_mtu(), I see that net/sched/sch_pie.c is using it +without holding RTNL, so dev->mtu can be changed underneath. +KCSAN could issue a warning. +------- + +Annotate dev->mtu with READ_ONCE() so KCSAN don't issue a warning. + +[1] https://lore.kernel.org/all/CANn89iJoJO5VtaJ-2=_d2aOQhb0Xw8iBT_Cxqp2HyuS-zj6azw@mail.gmail.com/ + +v1 -> v2: Fix commit message + +Fixes: d4b36210c2e6 ("net: pkt_sched: PIE AQM scheme") +Suggested-by: Eric Dumazet +Signed-off-by: Pedro Tammela +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20230711021634.561598-1-pctammela@mojatatu.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/pkt_sched.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/net/pkt_sched.h b/include/net/pkt_sched.h +index ba781e0aaf566..e186b2bd8c860 100644 +--- a/include/net/pkt_sched.h ++++ b/include/net/pkt_sched.h +@@ -136,7 +136,7 @@ extern const struct nla_policy rtm_tca_policy[TCA_MAX + 1]; + */ + static inline unsigned int psched_mtu(const struct net_device *dev) + { +- return dev->mtu + dev->hard_header_len; ++ return READ_ONCE(dev->mtu) + dev->hard_header_len; + } + + static inline struct net *qdisc_net(struct Qdisc *q) +-- +2.39.2 + diff --git a/queue-5.10/net-sched-sch_qfq-account-for-stab-overhead-in-qfq_e.patch b/queue-5.10/net-sched-sch_qfq-account-for-stab-overhead-in-qfq_e.patch new file mode 100644 index 00000000000..a0a40945e6c --- /dev/null +++ b/queue-5.10/net-sched-sch_qfq-account-for-stab-overhead-in-qfq_e.patch @@ -0,0 +1,96 @@ +From f2f7cbdad43b636ff9da4a90f187be4aeb8562b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Jul 2023 18:01:02 -0300 +Subject: net/sched: sch_qfq: account for stab overhead in qfq_enqueue + +From: Pedro Tammela + +[ Upstream commit 3e337087c3b5805fe0b8a46ba622a962880b5d64 ] + +Lion says: +------- +In the QFQ scheduler a similar issue to CVE-2023-31436 +persists. + +Consider the following code in net/sched/sch_qfq.c: + +static int qfq_enqueue(struct sk_buff *skb, struct Qdisc *sch, + struct sk_buff **to_free) +{ + unsigned int len = qdisc_pkt_len(skb), gso_segs; + + // ... + + if (unlikely(cl->agg->lmax < len)) { + pr_debug("qfq: increasing maxpkt from %u to %u for class %u", + cl->agg->lmax, len, cl->common.classid); + err = qfq_change_agg(sch, cl, cl->agg->class_weight, len); + if (err) { + cl->qstats.drops++; + return qdisc_drop(skb, sch, to_free); + } + + // ... + + } + +Similarly to CVE-2023-31436, "lmax" is increased without any bounds +checks according to the packet length "len". Usually this would not +impose a problem because packet sizes are naturally limited. + +This is however not the actual packet length, rather the +"qdisc_pkt_len(skb)" which might apply size transformations according to +"struct qdisc_size_table" as created by "qdisc_get_stab()" in +net/sched/sch_api.c if the TCA_STAB option was set when modifying the qdisc. + +A user may choose virtually any size using such a table. + +As a result the same issue as in CVE-2023-31436 can occur, allowing heap +out-of-bounds read / writes in the kmalloc-8192 cache. +------- + +We can create the issue with the following commands: + +tc qdisc add dev $DEV root handle 1: stab mtu 2048 tsize 512 mpu 0 \ +overhead 999999999 linklayer ethernet qfq +tc class add dev $DEV parent 1: classid 1:1 htb rate 6mbit burst 15k +tc filter add dev $DEV parent 1: matchall classid 1:1 +ping -I $DEV 1.1.1.2 + +This is caused by incorrectly assuming that qdisc_pkt_len() returns a +length within the QFQ_MIN_LMAX < len < QFQ_MAX_LMAX. + +Fixes: 462dbc9101ac ("pkt_sched: QFQ Plus: fair-queueing service at DRR cost") +Reported-by: Lion +Reviewed-by: Eric Dumazet +Signed-off-by: Jamal Hadi Salim +Signed-off-by: Pedro Tammela +Reviewed-by: Simon Horman +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/sched/sch_qfq.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c +index 975e444f2d820..616d1798cfef6 100644 +--- a/net/sched/sch_qfq.c ++++ b/net/sched/sch_qfq.c +@@ -381,8 +381,13 @@ static int qfq_change_agg(struct Qdisc *sch, struct qfq_class *cl, u32 weight, + u32 lmax) + { + struct qfq_sched *q = qdisc_priv(sch); +- struct qfq_aggregate *new_agg = qfq_find_agg(q, lmax, weight); ++ struct qfq_aggregate *new_agg; + ++ /* 'lmax' can range from [QFQ_MIN_LMAX, pktlen + stab overhead] */ ++ if (lmax > QFQ_MAX_LMAX) ++ return -EINVAL; ++ ++ new_agg = qfq_find_agg(q, lmax, weight); + if (new_agg == NULL) { /* create new aggregate */ + new_agg = kzalloc(sizeof(*new_agg), GFP_ATOMIC); + if (new_agg == NULL) +-- +2.39.2 + diff --git a/queue-5.10/net-sched-sch_qfq-refactor-parsing-of-netlink-parame.patch b/queue-5.10/net-sched-sch_qfq-refactor-parsing-of-netlink-parame.patch new file mode 100644 index 00000000000..3ee34ddd5ec --- /dev/null +++ b/queue-5.10/net-sched-sch_qfq-refactor-parsing-of-netlink-parame.patch @@ -0,0 +1,87 @@ +From 53538e9ed4bd86297de2fe1e408f4b207ed8b82d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 22 Apr 2023 12:56:11 -0300 +Subject: net/sched: sch_qfq: refactor parsing of netlink parameters + +From: Pedro Tammela + +[ Upstream commit 25369891fcef373540f8b4e0b3bccf77a04490d5 ] + +Two parameters can be transformed into netlink policies and +validated while parsing the netlink message. + +Reviewed-by: Simon Horman +Acked-by: Jamal Hadi Salim +Signed-off-by: Pedro Tammela +Signed-off-by: David S. Miller +Stable-dep-of: 3e337087c3b5 ("net/sched: sch_qfq: account for stab overhead in qfq_enqueue") +Signed-off-by: Sasha Levin +--- + net/sched/sch_qfq.c | 25 +++++++++++-------------- + 1 file changed, 11 insertions(+), 14 deletions(-) + +diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c +index cad7deacf60a4..975e444f2d820 100644 +--- a/net/sched/sch_qfq.c ++++ b/net/sched/sch_qfq.c +@@ -113,6 +113,7 @@ + + #define QFQ_MTU_SHIFT 16 /* to support TSO/GSO */ + #define QFQ_MIN_LMAX 512 /* see qfq_slot_insert */ ++#define QFQ_MAX_LMAX (1UL << QFQ_MTU_SHIFT) + + #define QFQ_MAX_AGG_CLASSES 8 /* max num classes per aggregate allowed */ + +@@ -214,9 +215,14 @@ static struct qfq_class *qfq_find_class(struct Qdisc *sch, u32 classid) + return container_of(clc, struct qfq_class, common); + } + ++static struct netlink_range_validation lmax_range = { ++ .min = QFQ_MIN_LMAX, ++ .max = QFQ_MAX_LMAX, ++}; ++ + static const struct nla_policy qfq_policy[TCA_QFQ_MAX + 1] = { +- [TCA_QFQ_WEIGHT] = { .type = NLA_U32 }, +- [TCA_QFQ_LMAX] = { .type = NLA_U32 }, ++ [TCA_QFQ_WEIGHT] = NLA_POLICY_RANGE(NLA_U32, 1, QFQ_MAX_WEIGHT), ++ [TCA_QFQ_LMAX] = NLA_POLICY_FULL_RANGE(NLA_U32, &lmax_range), + }; + + /* +@@ -408,17 +414,13 @@ static int qfq_change_class(struct Qdisc *sch, u32 classid, u32 parentid, + } + + err = nla_parse_nested_deprecated(tb, TCA_QFQ_MAX, tca[TCA_OPTIONS], +- qfq_policy, NULL); ++ qfq_policy, extack); + if (err < 0) + return err; + +- if (tb[TCA_QFQ_WEIGHT]) { ++ if (tb[TCA_QFQ_WEIGHT]) + weight = nla_get_u32(tb[TCA_QFQ_WEIGHT]); +- if (!weight || weight > (1UL << QFQ_MAX_WSHIFT)) { +- pr_notice("qfq: invalid weight %u\n", weight); +- return -EINVAL; +- } +- } else ++ else + weight = 1; + + if (tb[TCA_QFQ_LMAX]) +@@ -426,11 +428,6 @@ static int qfq_change_class(struct Qdisc *sch, u32 classid, u32 parentid, + else + lmax = psched_mtu(qdisc_dev(sch)); + +- if (lmax < QFQ_MIN_LMAX || lmax > (1UL << QFQ_MTU_SHIFT)) { +- pr_notice("qfq: invalid max length %u\n", lmax); +- return -EINVAL; +- } +- + inv_w = ONE_FP / weight; + weight = ONE_FP / inv_w; + +-- +2.39.2 + diff --git a/queue-5.10/netdevsim-fix-uninitialized-data-in-nsim_dev_trap_fa.patch b/queue-5.10/netdevsim-fix-uninitialized-data-in-nsim_dev_trap_fa.patch new file mode 100644 index 00000000000..565885a1e48 --- /dev/null +++ b/queue-5.10/netdevsim-fix-uninitialized-data-in-nsim_dev_trap_fa.patch @@ -0,0 +1,55 @@ +From a372d451f1e494f60eb06515981309299843c920 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Jul 2023 11:52:26 +0300 +Subject: netdevsim: fix uninitialized data in nsim_dev_trap_fa_cookie_write() + +From: Dan Carpenter + +[ Upstream commit f72207a5c0dbaaf6921cf9a6c0d2fd0bc249ea78 ] + +The simple_write_to_buffer() function is designed to handle partial +writes. It returns negatives on error, otherwise it returns the number +of bytes that were able to be copied. This code doesn't check the +return properly. We only know that the first byte is written, the rest +of the buffer might be uninitialized. + +There is no need to use the simple_write_to_buffer() function. +Partial writes are prohibited by the "if (*ppos != 0)" check at the +start of the function. Just use memdup_user() and copy the whole +buffer. + +Fixes: d3cbb907ae57 ("netdevsim: add ACL trap reporting cookie as a metadata") +Signed-off-by: Dan Carpenter +Reviewed-by: Pavan Chebbi +Reviewed-by: Ido Schimmel +Link: https://lore.kernel.org/r/7c1f950b-3a7d-4252-82a6-876e53078ef7@moroto.mountain +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/netdevsim/dev.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/netdevsim/dev.c b/drivers/net/netdevsim/dev.c +index 9bbecf4d159b4..bcf354719745c 100644 +--- a/drivers/net/netdevsim/dev.c ++++ b/drivers/net/netdevsim/dev.c +@@ -149,13 +149,10 @@ static ssize_t nsim_dev_trap_fa_cookie_write(struct file *file, + cookie_len = (count - 1) / 2; + if ((count - 1) % 2) + return -EINVAL; +- buf = kmalloc(count, GFP_KERNEL | __GFP_NOWARN); +- if (!buf) +- return -ENOMEM; + +- ret = simple_write_to_buffer(buf, count, ppos, data, count); +- if (ret < 0) +- goto free_buf; ++ buf = memdup_user(data, count); ++ if (IS_ERR(buf)) ++ return PTR_ERR(buf); + + fa_cookie = kmalloc(sizeof(*fa_cookie) + cookie_len, + GFP_KERNEL | __GFP_NOWARN); +-- +2.39.2 + diff --git a/queue-5.10/ntb-amd-fix-error-handling-in-amd_ntb_pci_driver_ini.patch b/queue-5.10/ntb-amd-fix-error-handling-in-amd_ntb_pci_driver_ini.patch new file mode 100644 index 00000000000..d17921103f2 --- /dev/null +++ b/queue-5.10/ntb-amd-fix-error-handling-in-amd_ntb_pci_driver_ini.patch @@ -0,0 +1,64 @@ +From acb70e7fad57fad2b84b9cef5f7abdbafd1deea1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Nov 2022 09:43:09 +0000 +Subject: NTB: amd: Fix error handling in amd_ntb_pci_driver_init() + +From: Yuan Can + +[ Upstream commit 98af0a33c1101c29b3ce4f0cf4715fd927c717f9 ] + +A problem about ntb_hw_amd create debugfs failed is triggered with the +following log given: + + [ 618.431232] AMD(R) PCI-E Non-Transparent Bridge Driver 1.0 + [ 618.433284] debugfs: Directory 'ntb_hw_amd' with parent '/' already present! + +The reason is that amd_ntb_pci_driver_init() returns pci_register_driver() +directly without checking its return value, if pci_register_driver() +failed, it returns without destroy the newly created debugfs, resulting +the debugfs of ntb_hw_amd can never be created later. + + amd_ntb_pci_driver_init() + debugfs_create_dir() # create debugfs directory + pci_register_driver() + driver_register() + bus_add_driver() + priv = kzalloc(...) # OOM happened + # return without destroy debugfs directory + +Fix by removing debugfs when pci_register_driver() returns error. + +Fixes: a1b3695820aa ("NTB: Add support for AMD PCI-Express Non-Transparent Bridge") +Signed-off-by: Yuan Can +Signed-off-by: Jon Mason +Signed-off-by: Sasha Levin +--- + drivers/ntb/hw/amd/ntb_hw_amd.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/ntb/hw/amd/ntb_hw_amd.c b/drivers/ntb/hw/amd/ntb_hw_amd.c +index 71428d8cbcfc5..ac401ad7884a6 100644 +--- a/drivers/ntb/hw/amd/ntb_hw_amd.c ++++ b/drivers/ntb/hw/amd/ntb_hw_amd.c +@@ -1344,12 +1344,17 @@ static struct pci_driver amd_ntb_pci_driver = { + + static int __init amd_ntb_pci_driver_init(void) + { ++ int ret; + pr_info("%s %s\n", NTB_DESC, NTB_VER); + + if (debugfs_initialized()) + debugfs_dir = debugfs_create_dir(KBUILD_MODNAME, NULL); + +- return pci_register_driver(&amd_ntb_pci_driver); ++ ret = pci_register_driver(&amd_ntb_pci_driver); ++ if (ret) ++ debugfs_remove_recursive(debugfs_dir); ++ ++ return ret; + } + module_init(amd_ntb_pci_driver_init); + +-- +2.39.2 + diff --git a/queue-5.10/ntb-idt-fix-error-handling-in-idt_pci_driver_init.patch b/queue-5.10/ntb-idt-fix-error-handling-in-idt_pci_driver_init.patch new file mode 100644 index 00000000000..420401f97cb --- /dev/null +++ b/queue-5.10/ntb-idt-fix-error-handling-in-idt_pci_driver_init.patch @@ -0,0 +1,66 @@ +From 901c9a0805498149af8ac8ca51b1ca8cba34d3d2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Nov 2022 09:43:01 +0000 +Subject: ntb: idt: Fix error handling in idt_pci_driver_init() + +From: Yuan Can + +[ Upstream commit c012968259b451dc4db407f2310fe131eaefd800 ] + +A problem about ntb_hw_idt create debugfs failed is triggered with the +following log given: + + [ 1236.637636] IDT PCI-E Non-Transparent Bridge Driver 2.0 + [ 1236.639292] debugfs: Directory 'ntb_hw_idt' with parent '/' already present! + +The reason is that idt_pci_driver_init() returns pci_register_driver() +directly without checking its return value, if pci_register_driver() +failed, it returns without destroy the newly created debugfs, resulting +the debugfs of ntb_hw_idt can never be created later. + + idt_pci_driver_init() + debugfs_create_dir() # create debugfs directory + pci_register_driver() + driver_register() + bus_add_driver() + priv = kzalloc(...) # OOM happened + # return without destroy debugfs directory + +Fix by removing debugfs when pci_register_driver() returns error. + +Fixes: bf2a952d31d2 ("NTB: Add IDT 89HPESxNTx PCIe-switches support") +Signed-off-by: Yuan Can +Signed-off-by: Jon Mason +Signed-off-by: Sasha Levin +--- + drivers/ntb/hw/idt/ntb_hw_idt.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/ntb/hw/idt/ntb_hw_idt.c b/drivers/ntb/hw/idt/ntb_hw_idt.c +index d54261f508519..99711dd0b6e8e 100644 +--- a/drivers/ntb/hw/idt/ntb_hw_idt.c ++++ b/drivers/ntb/hw/idt/ntb_hw_idt.c +@@ -2902,6 +2902,7 @@ static struct pci_driver idt_pci_driver = { + + static int __init idt_pci_driver_init(void) + { ++ int ret; + pr_info("%s %s\n", NTB_DESC, NTB_VER); + + /* Create the top DebugFS directory if the FS is initialized */ +@@ -2909,7 +2910,11 @@ static int __init idt_pci_driver_init(void) + dbgfs_topdir = debugfs_create_dir(KBUILD_MODNAME, NULL); + + /* Register the NTB hardware driver to handle the PCI device */ +- return pci_register_driver(&idt_pci_driver); ++ ret = pci_register_driver(&idt_pci_driver); ++ if (ret) ++ debugfs_remove_recursive(dbgfs_topdir); ++ ++ return ret; + } + module_init(idt_pci_driver_init); + +-- +2.39.2 + diff --git a/queue-5.10/ntb-intel-fix-error-handling-in-intel_ntb_pci_driver.patch b/queue-5.10/ntb-intel-fix-error-handling-in-intel_ntb_pci_driver.patch new file mode 100644 index 00000000000..2a289bac2d2 --- /dev/null +++ b/queue-5.10/ntb-intel-fix-error-handling-in-intel_ntb_pci_driver.patch @@ -0,0 +1,65 @@ +From f716610f915b3ea672a36b1d2b7d9c5077b6ef2c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Nov 2022 09:43:22 +0000 +Subject: ntb: intel: Fix error handling in intel_ntb_pci_driver_init() + +From: Yuan Can + +[ Upstream commit 4c3c796aca02883ad35bb117468938cc4022ca41 ] + +A problem about ntb_hw_intel create debugfs failed is triggered with the +following log given: + + [ 273.112733] Intel(R) PCI-E Non-Transparent Bridge Driver 2.0 + [ 273.115342] debugfs: Directory 'ntb_hw_intel' with parent '/' already present! + +The reason is that intel_ntb_pci_driver_init() returns +pci_register_driver() directly without checking its return value, if +pci_register_driver() failed, it returns without destroy the newly created +debugfs, resulting the debugfs of ntb_hw_intel can never be created later. + + intel_ntb_pci_driver_init() + debugfs_create_dir() # create debugfs directory + pci_register_driver() + driver_register() + bus_add_driver() + priv = kzalloc(...) # OOM happened + # return without destroy debugfs directory + +Fix by removing debugfs when pci_register_driver() returns error. + +Fixes: e26a5843f7f5 ("NTB: Split ntb_hw_intel and ntb_transport drivers") +Signed-off-by: Yuan Can +Acked-by: Dave Jiang +Signed-off-by: Jon Mason +Signed-off-by: Sasha Levin +--- + drivers/ntb/hw/intel/ntb_hw_gen1.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/ntb/hw/intel/ntb_hw_gen1.c b/drivers/ntb/hw/intel/ntb_hw_gen1.c +index 093dd20057b92..4f1add57d81de 100644 +--- a/drivers/ntb/hw/intel/ntb_hw_gen1.c ++++ b/drivers/ntb/hw/intel/ntb_hw_gen1.c +@@ -2068,12 +2068,17 @@ static struct pci_driver intel_ntb_pci_driver = { + + static int __init intel_ntb_pci_driver_init(void) + { ++ int ret; + pr_info("%s %s\n", NTB_DESC, NTB_VER); + + if (debugfs_initialized()) + debugfs_dir = debugfs_create_dir(KBUILD_MODNAME, NULL); + +- return pci_register_driver(&intel_ntb_pci_driver); ++ ret = pci_register_driver(&intel_ntb_pci_driver); ++ if (ret) ++ debugfs_remove_recursive(debugfs_dir); ++ ++ return ret; + } + module_init(intel_ntb_pci_driver_init); + +-- +2.39.2 + diff --git a/queue-5.10/ntb-ntb_tool-add-check-for-devm_kcalloc.patch b/queue-5.10/ntb-ntb_tool-add-check-for-devm_kcalloc.patch new file mode 100644 index 00000000000..5f429a789e6 --- /dev/null +++ b/queue-5.10/ntb-ntb_tool-add-check-for-devm_kcalloc.patch @@ -0,0 +1,39 @@ +From 8b3f4f715a23299487155e9d8bd3d2eb1e0c320c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Nov 2022 11:32:44 +0800 +Subject: NTB: ntb_tool: Add check for devm_kcalloc + +From: Jiasheng Jiang + +[ Upstream commit 2790143f09938776a3b4f69685b380bae8fd06c7 ] + +As the devm_kcalloc may return NULL pointer, +it should be better to add check for the return +value, as same as the others. + +Fixes: 7f46c8b3a552 ("NTB: ntb_tool: Add full multi-port NTB API support") +Signed-off-by: Jiasheng Jiang +Reviewed-by: Serge Semin +Reviewed-by: Dave Jiang +Signed-off-by: Jon Mason +Signed-off-by: Sasha Levin +--- + drivers/ntb/test/ntb_tool.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/ntb/test/ntb_tool.c b/drivers/ntb/test/ntb_tool.c +index 5ee0afa621a95..eeeb4b1c97d2c 100644 +--- a/drivers/ntb/test/ntb_tool.c ++++ b/drivers/ntb/test/ntb_tool.c +@@ -998,6 +998,8 @@ static int tool_init_mws(struct tool_ctx *tc) + tc->peers[pidx].outmws = + devm_kcalloc(&tc->ntb->dev, tc->peers[pidx].outmw_cnt, + sizeof(*tc->peers[pidx].outmws), GFP_KERNEL); ++ if (tc->peers[pidx].outmws == NULL) ++ return -ENOMEM; + + for (widx = 0; widx < tc->peers[pidx].outmw_cnt; widx++) { + tc->peers[pidx].outmws[widx].pidx = pidx; +-- +2.39.2 + diff --git a/queue-5.10/ntb-ntb_transport-fix-possible-memory-leak-while-dev.patch b/queue-5.10/ntb-ntb_transport-fix-possible-memory-leak-while-dev.patch new file mode 100644 index 00000000000..8d734829721 --- /dev/null +++ b/queue-5.10/ntb-ntb_transport-fix-possible-memory-leak-while-dev.patch @@ -0,0 +1,42 @@ +From 38ff45890011895a2d3548a48689e979c73e0e5c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Nov 2022 23:19:17 +0800 +Subject: NTB: ntb_transport: fix possible memory leak while device_register() + fails + +From: Yang Yingliang + +[ Upstream commit 8623ccbfc55d962e19a3537652803676ad7acb90 ] + +If device_register() returns error, the name allocated by +dev_set_name() need be freed. As comment of device_register() +says, it should use put_device() to give up the reference in +the error path. So fix this by calling put_device(), then the +name can be freed in kobject_cleanup(), and client_dev is freed +in ntb_transport_client_release(). + +Fixes: fce8a7bb5b4b ("PCI-Express Non-Transparent Bridge Support") +Signed-off-by: Yang Yingliang +Reviewed-by: Dave Jiang +Signed-off-by: Jon Mason +Signed-off-by: Sasha Levin +--- + drivers/ntb/ntb_transport.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/ntb/ntb_transport.c b/drivers/ntb/ntb_transport.c +index 4a02561cfb965..d18cb44765603 100644 +--- a/drivers/ntb/ntb_transport.c ++++ b/drivers/ntb/ntb_transport.c +@@ -412,7 +412,7 @@ int ntb_transport_register_client_dev(char *device_name) + + rc = device_register(dev); + if (rc) { +- kfree(client_dev); ++ put_device(dev); + goto err; + } + +-- +2.39.2 + diff --git a/queue-5.10/nvme-pci-fix-dma-direction-of-unmapping-integrity-da.patch b/queue-5.10/nvme-pci-fix-dma-direction-of-unmapping-integrity-da.patch new file mode 100644 index 00000000000..6d20415c506 --- /dev/null +++ b/queue-5.10/nvme-pci-fix-dma-direction-of-unmapping-integrity-da.patch @@ -0,0 +1,41 @@ +From 90f48bef4f8592b123adc792884d4b154d75b5b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Jul 2023 17:26:20 +0800 +Subject: nvme-pci: fix DMA direction of unmapping integrity data + +From: Ming Lei + +[ Upstream commit b8f6446b6853768cb99e7c201bddce69ca60c15e ] + +DMA direction should be taken in dma_unmap_page() for unmapping integrity +data. + +Fix this DMA direction, and reported in Guangwu's test. + +Reported-by: Guangwu Zhang +Fixes: 4aedb705437f ("nvme-pci: split metadata handling from nvme_map_data / nvme_unmap_data") +Signed-off-by: Ming Lei +Reviewed-by: Christoph Hellwig +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index c47512da9872a..3aaead9b3a570 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -968,7 +968,8 @@ static void nvme_pci_complete_rq(struct request *req) + + if (blk_integrity_rq(req)) + dma_unmap_page(dev->dev, iod->meta_dma, +- rq_integrity_vec(req)->bv_len, rq_data_dir(req)); ++ rq_integrity_vec(req)->bv_len, rq_dma_dir(req)); ++ + if (blk_rq_nr_phys_segments(req)) + nvme_unmap_data(dev, req); + nvme_complete_rq(req); +-- +2.39.2 + diff --git a/queue-5.10/platform-x86-wmi-break-possible-infinite-loop-when-p.patch b/queue-5.10/platform-x86-wmi-break-possible-infinite-loop-when-p.patch new file mode 100644 index 00000000000..8b72a463740 --- /dev/null +++ b/queue-5.10/platform-x86-wmi-break-possible-infinite-loop-when-p.patch @@ -0,0 +1,84 @@ +From 0933ab92bd2131f9808f5c3297b0767d3cb65a9b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jun 2023 18:11:54 +0300 +Subject: platform/x86: wmi: Break possible infinite loop when parsing GUID + +From: Andy Shevchenko + +[ Upstream commit 028e6e204ace1f080cfeacd72c50397eb8ae8883 ] + +The while-loop may break on one of the two conditions, either ID string +is empty or GUID matches. The second one, may never be reached if the +parsed string is not correct GUID. In such a case the loop will never +advance to check the next ID. + +Break possible infinite loop by factoring out guid_parse_and_compare() +helper which may be moved to the generic header for everyone later on +and preventing from similar mistake in the future. + +Interestingly that firstly it appeared when WMI was turned into a bus +driver, but later when duplicated GUIDs were checked, the while-loop +has been replaced by for-loop and hence no mistake made again. + +Fixes: a48e23385fcf ("platform/x86: wmi: add context pointer field to struct wmi_device_id") +Fixes: 844af950da94 ("platform/x86: wmi: Turn WMI into a bus driver") +Signed-off-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20230621151155.78279-1-andriy.shevchenko@linux.intel.com +Tested-by: Armin Wolf +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/wmi.c | 22 ++++++++++++---------- + 1 file changed, 12 insertions(+), 10 deletions(-) + +diff --git a/drivers/platform/x86/wmi.c b/drivers/platform/x86/wmi.c +index 5e4c03f7db7c0..567c28705cb1b 100644 +--- a/drivers/platform/x86/wmi.c ++++ b/drivers/platform/x86/wmi.c +@@ -130,6 +130,16 @@ static bool find_guid(const char *guid_string, struct wmi_block **out) + return false; + } + ++static bool guid_parse_and_compare(const char *string, const guid_t *guid) ++{ ++ guid_t guid_input; ++ ++ if (guid_parse(string, &guid_input)) ++ return false; ++ ++ return guid_equal(&guid_input, guid); ++} ++ + static const void *find_guid_context(struct wmi_block *wblock, + struct wmi_driver *wdriver) + { +@@ -142,11 +152,7 @@ static const void *find_guid_context(struct wmi_block *wblock, + + id = wdriver->id_table; + while (*id->guid_string) { +- guid_t guid_input; +- +- if (guid_parse(id->guid_string, &guid_input)) +- continue; +- if (guid_equal(&wblock->gblock.guid, &guid_input)) ++ if (guid_parse_and_compare(id->guid_string, &wblock->gblock.guid)) + return id->context; + id++; + } +@@ -804,11 +810,7 @@ static int wmi_dev_match(struct device *dev, struct device_driver *driver) + return 0; + + while (*id->guid_string) { +- guid_t driver_guid; +- +- if (WARN_ON(guid_parse(id->guid_string, &driver_guid))) +- continue; +- if (guid_equal(&driver_guid, &wblock->gblock.guid)) ++ if (guid_parse_and_compare(id->guid_string, &wblock->gblock.guid)) + return 1; + + id++; +-- +2.39.2 + diff --git a/queue-5.10/platform-x86-wmi-move-variables.patch b/queue-5.10/platform-x86-wmi-move-variables.patch new file mode 100644 index 00000000000..c6a9f372333 --- /dev/null +++ b/queue-5.10/platform-x86-wmi-move-variables.patch @@ -0,0 +1,80 @@ +From 2b2a2dfecf816da3761256e2e96ac17431e4840c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Sep 2021 17:56:10 +0000 +Subject: platform/x86: wmi: move variables +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Barnabás Pőcze + +[ Upstream commit f5431bf1e6781e876bdc8ae10fb1e7da6f1aa9b5 ] + +Move some variables in order to keep them +in the narrowest possible scope. + +Signed-off-by: Barnabás Pőcze +Link: https://lore.kernel.org/r/20210904175450.156801-22-pobrn@protonmail.com +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Stable-dep-of: 028e6e204ace ("platform/x86: wmi: Break possible infinite loop when parsing GUID") +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/wmi.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/drivers/platform/x86/wmi.c b/drivers/platform/x86/wmi.c +index 18c4080d4a71e..5e4c03f7db7c0 100644 +--- a/drivers/platform/x86/wmi.c ++++ b/drivers/platform/x86/wmi.c +@@ -134,7 +134,6 @@ static const void *find_guid_context(struct wmi_block *wblock, + struct wmi_driver *wdriver) + { + const struct wmi_device_id *id; +- guid_t guid_input; + + if (wblock == NULL || wdriver == NULL) + return NULL; +@@ -143,6 +142,8 @@ static const void *find_guid_context(struct wmi_block *wblock, + + id = wdriver->id_table; + while (*id->guid_string) { ++ guid_t guid_input; ++ + if (guid_parse(id->guid_string, &guid_input)) + continue; + if (guid_equal(&wblock->gblock.guid, &guid_input)) +@@ -615,7 +616,6 @@ acpi_status wmi_get_event_data(u32 event, struct acpi_buffer *out) + { + struct acpi_object_list input; + union acpi_object params[1]; +- struct guid_block *gblock; + struct wmi_block *wblock; + + input.count = 1; +@@ -624,7 +624,7 @@ acpi_status wmi_get_event_data(u32 event, struct acpi_buffer *out) + params[0].integer.value = event; + + list_for_each_entry(wblock, &wmi_block_list, list) { +- gblock = &wblock->gblock; ++ struct guid_block *gblock = &wblock->gblock; + + if ((gblock->flags & ACPI_WMI_EVENT) && + (gblock->notify_id == event)) +@@ -1281,12 +1281,11 @@ acpi_wmi_ec_space_handler(u32 function, acpi_physical_address address, + static void acpi_wmi_notify_handler(acpi_handle handle, u32 event, + void *context) + { +- struct guid_block *block; + struct wmi_block *wblock; + bool found_it = false; + + list_for_each_entry(wblock, &wmi_block_list, list) { +- block = &wblock->gblock; ++ struct guid_block *block = &wblock->gblock; + + if (wblock->acpi_device->handle == handle && + (block->flags & ACPI_WMI_EVENT) && +-- +2.39.2 + diff --git a/queue-5.10/platform-x86-wmi-remove-unnecessary-argument.patch b/queue-5.10/platform-x86-wmi-remove-unnecessary-argument.patch new file mode 100644 index 00000000000..b34586d641e --- /dev/null +++ b/queue-5.10/platform-x86-wmi-remove-unnecessary-argument.patch @@ -0,0 +1,75 @@ +From 8f06216a815ddd37f9408c5f4f4167c790cc507e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Sep 2021 17:55:16 +0000 +Subject: platform/x86: wmi: remove unnecessary argument +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Barnabás Pőcze + +[ Upstream commit 84eacf7e6413d5e2d2f4f9dddf9216c18a3631cf ] + +The GUID block is available for `wmi_create_device()` +through `wblock->gblock`. Use that consistently in +the function instead of using a mix of `gblock` and +`wblock->gblock`. + +Signed-off-by: Barnabás Pőcze +Link: https://lore.kernel.org/r/20210904175450.156801-8-pobrn@protonmail.com +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Stable-dep-of: 028e6e204ace ("platform/x86: wmi: Break possible infinite loop when parsing GUID") +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/wmi.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/drivers/platform/x86/wmi.c b/drivers/platform/x86/wmi.c +index 1f80b26281628..9a6dc2717e1d4 100644 +--- a/drivers/platform/x86/wmi.c ++++ b/drivers/platform/x86/wmi.c +@@ -1042,7 +1042,6 @@ static const struct device_type wmi_type_data = { + }; + + static int wmi_create_device(struct device *wmi_bus_dev, +- const struct guid_block *gblock, + struct wmi_block *wblock, + struct acpi_device *device) + { +@@ -1050,12 +1049,12 @@ static int wmi_create_device(struct device *wmi_bus_dev, + char method[5]; + int result; + +- if (gblock->flags & ACPI_WMI_EVENT) { ++ if (wblock->gblock.flags & ACPI_WMI_EVENT) { + wblock->dev.dev.type = &wmi_type_event; + goto out_init; + } + +- if (gblock->flags & ACPI_WMI_METHOD) { ++ if (wblock->gblock.flags & ACPI_WMI_METHOD) { + wblock->dev.dev.type = &wmi_type_method; + mutex_init(&wblock->char_mutex); + goto out_init; +@@ -1105,7 +1104,7 @@ static int wmi_create_device(struct device *wmi_bus_dev, + wblock->dev.dev.bus = &wmi_bus_type; + wblock->dev.dev.parent = wmi_bus_dev; + +- dev_set_name(&wblock->dev.dev, "%pUL", gblock->guid); ++ dev_set_name(&wblock->dev.dev, "%pUL", wblock->gblock.guid); + + device_initialize(&wblock->dev.dev); + +@@ -1197,7 +1196,7 @@ static int parse_wdg(struct device *wmi_bus_dev, struct acpi_device *device) + wblock->acpi_device = device; + wblock->gblock = gblock[i]; + +- retval = wmi_create_device(wmi_bus_dev, &gblock[i], wblock, device); ++ retval = wmi_create_device(wmi_bus_dev, wblock, device); + if (retval) { + kfree(wblock); + continue; +-- +2.39.2 + diff --git a/queue-5.10/platform-x86-wmi-use-guid_t-and-guid_equal.patch b/queue-5.10/platform-x86-wmi-use-guid_t-and-guid_equal.patch new file mode 100644 index 00000000000..b71731e768b --- /dev/null +++ b/queue-5.10/platform-x86-wmi-use-guid_t-and-guid_equal.patch @@ -0,0 +1,177 @@ +From 41fd3e4cb930244953bc634c695a4d13fc02655a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Sep 2021 17:55:39 +0000 +Subject: platform/x86: wmi: use guid_t and guid_equal() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Barnabás Pőcze + +[ Upstream commit 67f472fdacf4a691b1c3c20c27800b23ce31e2de ] + +Instead of hard-coding a 16 long byte array, +use the available `guid_t` type and related methods. + +Signed-off-by: Barnabás Pőcze +Link: https://lore.kernel.org/r/20210904175450.156801-15-pobrn@protonmail.com +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Stable-dep-of: 028e6e204ace ("platform/x86: wmi: Break possible infinite loop when parsing GUID") +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/wmi.c | 34 +++++++++++++++++----------------- + 1 file changed, 17 insertions(+), 17 deletions(-) + +diff --git a/drivers/platform/x86/wmi.c b/drivers/platform/x86/wmi.c +index 9a6dc2717e1d4..18c4080d4a71e 100644 +--- a/drivers/platform/x86/wmi.c ++++ b/drivers/platform/x86/wmi.c +@@ -40,7 +40,7 @@ MODULE_LICENSE("GPL"); + static LIST_HEAD(wmi_block_list); + + struct guid_block { +- char guid[16]; ++ guid_t guid; + union { + char object_id[2]; + struct { +@@ -121,7 +121,7 @@ static bool find_guid(const char *guid_string, struct wmi_block **out) + list_for_each_entry(wblock, &wmi_block_list, list) { + block = &wblock->gblock; + +- if (memcmp(block->guid, &guid_input, 16) == 0) { ++ if (guid_equal(&block->guid, &guid_input)) { + if (out) + *out = wblock; + return true; +@@ -145,7 +145,7 @@ static const void *find_guid_context(struct wmi_block *wblock, + while (*id->guid_string) { + if (guid_parse(id->guid_string, &guid_input)) + continue; +- if (!memcmp(wblock->gblock.guid, &guid_input, 16)) ++ if (guid_equal(&wblock->gblock.guid, &guid_input)) + return id->context; + id++; + } +@@ -457,7 +457,7 @@ EXPORT_SYMBOL_GPL(wmi_set_block); + + static void wmi_dump_wdg(const struct guid_block *g) + { +- pr_info("%pUL:\n", g->guid); ++ pr_info("%pUL:\n", &g->guid); + if (g->flags & ACPI_WMI_EVENT) + pr_info("\tnotify_id: 0x%02X\n", g->notify_id); + else +@@ -539,7 +539,7 @@ wmi_notify_handler handler, void *data) + list_for_each_entry(block, &wmi_block_list, list) { + acpi_status wmi_status; + +- if (memcmp(block->gblock.guid, &guid_input, 16) == 0) { ++ if (guid_equal(&block->gblock.guid, &guid_input)) { + if (block->handler && + block->handler != wmi_notify_debug) + return AE_ALREADY_ACQUIRED; +@@ -579,7 +579,7 @@ acpi_status wmi_remove_notify_handler(const char *guid) + list_for_each_entry(block, &wmi_block_list, list) { + acpi_status wmi_status; + +- if (memcmp(block->gblock.guid, &guid_input, 16) == 0) { ++ if (guid_equal(&block->gblock.guid, &guid_input)) { + if (!block->handler || + block->handler == wmi_notify_debug) + return AE_NULL_ENTRY; +@@ -685,7 +685,7 @@ static ssize_t modalias_show(struct device *dev, struct device_attribute *attr, + { + struct wmi_block *wblock = dev_to_wblock(dev); + +- return sprintf(buf, "wmi:%pUL\n", wblock->gblock.guid); ++ return sprintf(buf, "wmi:%pUL\n", &wblock->gblock.guid); + } + static DEVICE_ATTR_RO(modalias); + +@@ -694,7 +694,7 @@ static ssize_t guid_show(struct device *dev, struct device_attribute *attr, + { + struct wmi_block *wblock = dev_to_wblock(dev); + +- return sprintf(buf, "%pUL\n", wblock->gblock.guid); ++ return sprintf(buf, "%pUL\n", &wblock->gblock.guid); + } + static DEVICE_ATTR_RO(guid); + +@@ -777,10 +777,10 @@ static int wmi_dev_uevent(struct device *dev, struct kobj_uevent_env *env) + { + struct wmi_block *wblock = dev_to_wblock(dev); + +- if (add_uevent_var(env, "MODALIAS=wmi:%pUL", wblock->gblock.guid)) ++ if (add_uevent_var(env, "MODALIAS=wmi:%pUL", &wblock->gblock.guid)) + return -ENOMEM; + +- if (add_uevent_var(env, "WMI_GUID=%pUL", wblock->gblock.guid)) ++ if (add_uevent_var(env, "WMI_GUID=%pUL", &wblock->gblock.guid)) + return -ENOMEM; + + return 0; +@@ -808,7 +808,7 @@ static int wmi_dev_match(struct device *dev, struct device_driver *driver) + + if (WARN_ON(guid_parse(id->guid_string, &driver_guid))) + continue; +- if (!memcmp(&driver_guid, wblock->gblock.guid, 16)) ++ if (guid_equal(&driver_guid, &wblock->gblock.guid)) + return 1; + + id++; +@@ -1104,7 +1104,7 @@ static int wmi_create_device(struct device *wmi_bus_dev, + wblock->dev.dev.bus = &wmi_bus_type; + wblock->dev.dev.parent = wmi_bus_dev; + +- dev_set_name(&wblock->dev.dev, "%pUL", wblock->gblock.guid); ++ dev_set_name(&wblock->dev.dev, "%pUL", &wblock->gblock.guid); + + device_initialize(&wblock->dev.dev); + +@@ -1124,12 +1124,12 @@ static void wmi_free_devices(struct acpi_device *device) + } + } + +-static bool guid_already_parsed(struct acpi_device *device, const u8 *guid) ++static bool guid_already_parsed(struct acpi_device *device, const guid_t *guid) + { + struct wmi_block *wblock; + + list_for_each_entry(wblock, &wmi_block_list, list) { +- if (memcmp(wblock->gblock.guid, guid, 16) == 0) { ++ if (guid_equal(&wblock->gblock.guid, guid)) { + /* + * Because we historically didn't track the relationship + * between GUIDs and ACPI nodes, we don't know whether +@@ -1184,7 +1184,7 @@ static int parse_wdg(struct device *wmi_bus_dev, struct acpi_device *device) + * case yet, so for now, we'll just ignore the duplicate + * for device creation. + */ +- if (guid_already_parsed(device, gblock[i].guid)) ++ if (guid_already_parsed(device, &gblock[i].guid)) + continue; + + wblock = kzalloc(sizeof(struct wmi_block), GFP_KERNEL); +@@ -1221,7 +1221,7 @@ static int parse_wdg(struct device *wmi_bus_dev, struct acpi_device *device) + retval = device_add(&wblock->dev.dev); + if (retval) { + dev_err(wmi_bus_dev, "failed to register %pUL\n", +- wblock->gblock.guid); ++ &wblock->gblock.guid); + if (debug_event) + wmi_method_enable(wblock, 0); + list_del(&wblock->list); +@@ -1335,7 +1335,7 @@ static void acpi_wmi_notify_handler(acpi_handle handle, u32 event, + } + + if (debug_event) +- pr_info("DEBUG Event GUID: %pUL\n", wblock->gblock.guid); ++ pr_info("DEBUG Event GUID: %pUL\n", &wblock->gblock.guid); + + acpi_bus_generate_netlink_event( + wblock->acpi_device->pnp.device_class, +-- +2.39.2 + diff --git a/queue-5.10/riscv-bpf-avoid-breaking-w-x.patch b/queue-5.10/riscv-bpf-avoid-breaking-w-x.patch new file mode 100644 index 00000000000..dc317b5c188 --- /dev/null +++ b/queue-5.10/riscv-bpf-avoid-breaking-w-x.patch @@ -0,0 +1,45 @@ +From 4050c9f9f0d0ac97014d29d95259e3be1ebede8a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Mar 2021 02:25:21 +0800 +Subject: riscv: bpf: Avoid breaking W^X + +From: Jisheng Zhang + +[ Upstream commit fc8504765ec5e812135b8ccafca7101069a0c6d8 ] + +We allocate Non-executable pages, then call bpf_jit_binary_lock_ro() +to enable executable permission after mapping them read-only. This is +to prepare for STRICT_MODULE_RWX in following patch. + +Signed-off-by: Jisheng Zhang +Signed-off-by: Palmer Dabbelt +Stable-dep-of: c56fb2aab235 ("riscv, bpf: Fix inconsistent JIT image generation") +Signed-off-by: Sasha Levin +--- + arch/riscv/net/bpf_jit_core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/riscv/net/bpf_jit_core.c b/arch/riscv/net/bpf_jit_core.c +index e295c9eed9e93..5d247198c30d3 100644 +--- a/arch/riscv/net/bpf_jit_core.c ++++ b/arch/riscv/net/bpf_jit_core.c +@@ -153,6 +153,7 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog) + bpf_flush_icache(jit_data->header, ctx->insns + ctx->ninsns); + + if (!prog->is_func || extra_pass) { ++ bpf_jit_binary_lock_ro(jit_data->header); + out_offset: + kfree(ctx->offset); + kfree(jit_data); +@@ -170,7 +171,7 @@ void *bpf_jit_alloc_exec(unsigned long size) + { + return __vmalloc_node_range(size, PAGE_SIZE, BPF_JIT_REGION_START, + BPF_JIT_REGION_END, GFP_KERNEL, +- PAGE_KERNEL_EXEC, 0, NUMA_NO_NODE, ++ PAGE_KERNEL, 0, NUMA_NO_NODE, + __builtin_return_address(0)); + } + +-- +2.39.2 + diff --git a/queue-5.10/riscv-bpf-fix-inconsistent-jit-image-generation.patch b/queue-5.10/riscv-bpf-fix-inconsistent-jit-image-generation.patch new file mode 100644 index 00000000000..96f8fc15ac6 --- /dev/null +++ b/queue-5.10/riscv-bpf-fix-inconsistent-jit-image-generation.patch @@ -0,0 +1,137 @@ +From 1630d20fd0e8a85705dd35377dedae41556087dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Jul 2023 09:41:31 +0200 +Subject: riscv, bpf: Fix inconsistent JIT image generation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Björn Töpel + +[ Upstream commit c56fb2aab23505bb7160d06097c8de100b82b851 ] + +In order to generate the prologue and epilogue, the BPF JIT needs to +know which registers that are clobbered. Therefore, the during +pre-final passes, the prologue is generated after the body of the +program body-prologue-epilogue. Then, in the final pass, a proper +prologue-body-epilogue JITted image is generated. + +This scheme has worked most of the time. However, for some large +programs with many jumps, e.g. the test_kmod.sh BPF selftest with +hardening enabled (blinding constants), this has shown to be +incorrect. For the final pass, when the proper prologue-body-epilogue +is generated, the image has not converged. This will lead to that the +final image will have incorrect jump offsets. The following is an +excerpt from an incorrect image: + + | ... + | 3b8: 00c50663 beq a0,a2,3c4 <.text+0x3c4> + | 3bc: 0020e317 auipc t1,0x20e + | 3c0: 49630067 jalr zero,1174(t1) # 20e852 <.text+0x20e852> + | ... + | 20e84c: 8796 c.mv a5,t0 + | 20e84e: 6422 c.ldsp s0,8(sp) # Epilogue start + | 20e850: 6141 c.addi16sp sp,16 + | 20e852: 853e c.mv a0,a5 # Incorrect jump target + | 20e854: 8082 c.jr ra + +The image has shrunk, and the epilogue offset is incorrect in the +final pass. + +Correct the problem by always generating proper prologue-body-epilogue +outputs, which means that the first pass will only generate the body +to track what registers that are touched. + +Fixes: 2353ecc6f91f ("bpf, riscv: add BPF JIT for RV64G") +Signed-off-by: Björn Töpel +Signed-off-by: Daniel Borkmann +Link: https://lore.kernel.org/bpf/20230710074131.19596-1-bjorn@kernel.org +Signed-off-by: Sasha Levin +--- + arch/riscv/net/bpf_jit.h | 6 +++--- + arch/riscv/net/bpf_jit_core.c | 19 +++++++++++++------ + 2 files changed, 16 insertions(+), 9 deletions(-) + +diff --git a/arch/riscv/net/bpf_jit.h b/arch/riscv/net/bpf_jit.h +index ab0cd6d10ccf3..ef336fe160044 100644 +--- a/arch/riscv/net/bpf_jit.h ++++ b/arch/riscv/net/bpf_jit.h +@@ -69,7 +69,7 @@ struct rv_jit_context { + struct bpf_prog *prog; + u16 *insns; /* RV insns */ + int ninsns; +- int body_len; ++ int prologue_len; + int epilogue_offset; + int *offset; /* BPF to RV */ + unsigned long flags; +@@ -215,8 +215,8 @@ static inline int rv_offset(int insn, int off, struct rv_jit_context *ctx) + int from, to; + + off++; /* BPF branch is from PC+1, RV is from PC */ +- from = (insn > 0) ? ctx->offset[insn - 1] : 0; +- to = (insn + off > 0) ? ctx->offset[insn + off - 1] : 0; ++ from = (insn > 0) ? ctx->offset[insn - 1] : ctx->prologue_len; ++ to = (insn + off > 0) ? ctx->offset[insn + off - 1] : ctx->prologue_len; + return ninsns_rvoff(to - from); + } + +diff --git a/arch/riscv/net/bpf_jit_core.c b/arch/riscv/net/bpf_jit_core.c +index 750b15c319d5d..ef17bc8055d4c 100644 +--- a/arch/riscv/net/bpf_jit_core.c ++++ b/arch/riscv/net/bpf_jit_core.c +@@ -43,7 +43,7 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog) + { + bool tmp_blinded = false, extra_pass = false; + struct bpf_prog *tmp, *orig_prog = prog; +- int pass = 0, prev_ninsns = 0, prologue_len, i; ++ int pass = 0, prev_ninsns = 0, i; + struct rv_jit_data *jit_data; + struct rv_jit_context *ctx; + unsigned int image_size = 0; +@@ -83,6 +83,12 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog) + prog = orig_prog; + goto out_offset; + } ++ ++ if (build_body(ctx, extra_pass, NULL)) { ++ prog = orig_prog; ++ goto out_offset; ++ } ++ + for (i = 0; i < prog->len; i++) { + prev_ninsns += 32; + ctx->offset[i] = prev_ninsns; +@@ -91,12 +97,15 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog) + for (i = 0; i < NR_JIT_ITERATIONS; i++) { + pass++; + ctx->ninsns = 0; ++ ++ bpf_jit_build_prologue(ctx); ++ ctx->prologue_len = ctx->ninsns; ++ + if (build_body(ctx, extra_pass, ctx->offset)) { + prog = orig_prog; + goto out_offset; + } +- ctx->body_len = ctx->ninsns; +- bpf_jit_build_prologue(ctx); ++ + ctx->epilogue_offset = ctx->ninsns; + bpf_jit_build_epilogue(ctx); + +@@ -155,10 +164,8 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog) + + if (!prog->is_func || extra_pass) { + bpf_jit_binary_lock_ro(jit_data->header); +- prologue_len = ctx->epilogue_offset - ctx->body_len; + for (i = 0; i < prog->len; i++) +- ctx->offset[i] = ninsns_rvoff(prologue_len + +- ctx->offset[i]); ++ ctx->offset[i] = ninsns_rvoff(ctx->offset[i]); + bpf_prog_fill_jited_linfo(prog, ctx->offset); + out_offset: + kfree(ctx->offset); +-- +2.39.2 + diff --git a/queue-5.10/riscv-bpf-move-bpf_jit_alloc_exec-and-bpf_jit_free_e.patch b/queue-5.10/riscv-bpf-move-bpf_jit_alloc_exec-and-bpf_jit_free_e.patch new file mode 100644 index 00000000000..1166c62f4d7 --- /dev/null +++ b/queue-5.10/riscv-bpf-move-bpf_jit_alloc_exec-and-bpf_jit_free_e.patch @@ -0,0 +1,69 @@ +From 6d498f474443359b0bee68babcd44efc6cf38cbc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Mar 2021 02:24:54 +0800 +Subject: riscv: bpf: Move bpf_jit_alloc_exec() and bpf_jit_free_exec() to core + +From: Jisheng Zhang + +[ Upstream commit 1d27d854425faec98f352cf88ec3e2a8844429a4 ] + +We will drop the executable permissions of the code pages from the +mapping at allocation time soon. Move bpf_jit_alloc_exec() and +bpf_jit_free_exec() to bpf_jit_core.c so that they can be shared by +both RV64I and RV32I. + +Signed-off-by: Jisheng Zhang +Acked-by: Luke Nelson +Signed-off-by: Palmer Dabbelt +Stable-dep-of: c56fb2aab235 ("riscv, bpf: Fix inconsistent JIT image generation") +Signed-off-by: Sasha Levin +--- + arch/riscv/net/bpf_jit_comp64.c | 13 ------------- + arch/riscv/net/bpf_jit_core.c | 13 +++++++++++++ + 2 files changed, 13 insertions(+), 13 deletions(-) + +diff --git a/arch/riscv/net/bpf_jit_comp64.c b/arch/riscv/net/bpf_jit_comp64.c +index c113ae818b14e..053dc83e323b6 100644 +--- a/arch/riscv/net/bpf_jit_comp64.c ++++ b/arch/riscv/net/bpf_jit_comp64.c +@@ -1144,16 +1144,3 @@ void bpf_jit_build_epilogue(struct rv_jit_context *ctx) + { + __build_epilogue(false, ctx); + } +- +-void *bpf_jit_alloc_exec(unsigned long size) +-{ +- return __vmalloc_node_range(size, PAGE_SIZE, BPF_JIT_REGION_START, +- BPF_JIT_REGION_END, GFP_KERNEL, +- PAGE_KERNEL_EXEC, 0, NUMA_NO_NODE, +- __builtin_return_address(0)); +-} +- +-void bpf_jit_free_exec(void *addr) +-{ +- return vfree(addr); +-} +diff --git a/arch/riscv/net/bpf_jit_core.c b/arch/riscv/net/bpf_jit_core.c +index cbf7d2414886e..e295c9eed9e93 100644 +--- a/arch/riscv/net/bpf_jit_core.c ++++ b/arch/riscv/net/bpf_jit_core.c +@@ -165,3 +165,16 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog) + tmp : orig_prog); + return prog; + } ++ ++void *bpf_jit_alloc_exec(unsigned long size) ++{ ++ return __vmalloc_node_range(size, PAGE_SIZE, BPF_JIT_REGION_START, ++ BPF_JIT_REGION_END, GFP_KERNEL, ++ PAGE_KERNEL_EXEC, 0, NUMA_NO_NODE, ++ __builtin_return_address(0)); ++} ++ ++void bpf_jit_free_exec(void *addr) ++{ ++ return vfree(addr); ++} +-- +2.39.2 + diff --git a/queue-5.10/scsi-qla2xxx-fix-error-code-in-qla2x00_start_sp.patch b/queue-5.10/scsi-qla2xxx-fix-error-code-in-qla2x00_start_sp.patch new file mode 100644 index 00000000000..a708f5dfc3a --- /dev/null +++ b/queue-5.10/scsi-qla2xxx-fix-error-code-in-qla2x00_start_sp.patch @@ -0,0 +1,38 @@ +From 5804ed9cd312ce0843bff3fc159ae27613447512 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Jun 2023 13:58:47 +0300 +Subject: scsi: qla2xxx: Fix error code in qla2x00_start_sp() + +From: Dan Carpenter + +[ Upstream commit e579b007eff3ff8d29d59d16214cd85fb9e573f7 ] + +This should be negative -EAGAIN instead of positive. The callers treat +non-zero error codes the same so it doesn't really impact runtime beyond +some trivial differences to debug output. + +Fixes: 80676d054e5a ("scsi: qla2xxx: Fix session cleanup hang") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/49866d28-4cfe-47b0-842b-78f110e61aab@moroto.mountain +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_iocb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/qla2xxx/qla_iocb.c b/drivers/scsi/qla2xxx/qla_iocb.c +index e54cc2a761dd4..f0af76c3de7e3 100644 +--- a/drivers/scsi/qla2xxx/qla_iocb.c ++++ b/drivers/scsi/qla2xxx/qla_iocb.c +@@ -3713,7 +3713,7 @@ qla2x00_start_sp(srb_t *sp) + spin_lock_irqsave(qp->qp_lock_ptr, flags); + pkt = __qla2x00_alloc_iocbs(sp->qpair, sp); + if (!pkt) { +- rval = EAGAIN; ++ rval = -EAGAIN; + ql_log(ql_log_warn, vha, 0x700c, + "qla2x00_alloc_iocbs failed.\n"); + goto done; +-- +2.39.2 + diff --git a/queue-5.10/series b/queue-5.10/series index f82a50ab21b..bb163c6177e 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -333,3 +333,42 @@ rcu-tasks-simplify-trc_read_check_handler-atomic-operations.patch block-partition-fix-signedness-issue-for-amiga-partitions.patch io_uring-use-io_schedule-in-cqring-wait.patch io_uring-add-reschedule-point-to-handle_tw_list.patch +drm-panel-simple-add-connector_type-for-innolux_at04.patch +drm-panel-simple-add-powertip-ph800480t013-drm_displ.patch +igc-remove-delay-during-tx-ring-configuration.patch +net-mlx5e-fix-double-free-in-mlx5e_destroy_flow_tabl.patch +net-mlx5e-check-for-not_ready-flag-state-after-locki.patch +igc-set-tp-bit-in-supported-and-advertising-fields-o.patch +scsi-qla2xxx-fix-error-code-in-qla2x00_start_sp.patch +net-mvneta-fix-txq_map-in-case-of-txq_number-1.patch +net-sched-cls_fw-fix-improper-refcount-update-leads-.patch +gve-set-default-duplex-configuration-to-full.patch +ionic-remove-warn_on-to-prevent-panic_on_warn.patch +net-bgmac-postpone-turning-irqs-off-to-avoid-soc-han.patch +net-prevent-skb-corruption-on-frag-list-segmentation.patch +icmp6-fix-null-ptr-deref-of-ip6_null_entry-rt6i_idev.patch +udp6-fix-udp6_ehashfn-typo.patch +ntb-idt-fix-error-handling-in-idt_pci_driver_init.patch +ntb-amd-fix-error-handling-in-amd_ntb_pci_driver_ini.patch +ntb-intel-fix-error-handling-in-intel_ntb_pci_driver.patch +ntb-ntb_transport-fix-possible-memory-leak-while-dev.patch +ntb-ntb_tool-add-check-for-devm_kcalloc.patch +ipv6-addrconf-fix-a-potential-refcount-underflow-for.patch +platform-x86-wmi-remove-unnecessary-argument.patch +platform-x86-wmi-use-guid_t-and-guid_equal.patch +platform-x86-wmi-move-variables.patch +platform-x86-wmi-break-possible-infinite-loop-when-p.patch +igc-fix-launchtime-before-start-of-cycle.patch +igc-fix-inserting-of-empty-frame-for-launchtime.patch +riscv-bpf-move-bpf_jit_alloc_exec-and-bpf_jit_free_e.patch +riscv-bpf-avoid-breaking-w-x.patch +bpf-riscv-support-riscv-jit-to-provide-bpf_line_info.patch +riscv-bpf-fix-inconsistent-jit-image-generation.patch +erofs-avoid-infinite-loop-in-z_erofs_do_read_page-wh.patch +wifi-airo-avoid-uninitialized-warning-in-airo_get_ra.patch +net-sched-flower-ensure-both-minimum-and-maximum-por.patch +netdevsim-fix-uninitialized-data-in-nsim_dev_trap_fa.patch +net-sched-make-psched_mtu-rtnl-less-safe.patch +net-sched-sch_qfq-refactor-parsing-of-netlink-parame.patch +net-sched-sch_qfq-account-for-stab-overhead-in-qfq_e.patch +nvme-pci-fix-dma-direction-of-unmapping-integrity-da.patch diff --git a/queue-5.10/udp6-fix-udp6_ehashfn-typo.patch b/queue-5.10/udp6-fix-udp6_ehashfn-typo.patch new file mode 100644 index 00000000000..bb54a6e7102 --- /dev/null +++ b/queue-5.10/udp6-fix-udp6_ehashfn-typo.patch @@ -0,0 +1,40 @@ +From 279a8ca0c53b60a63609bd8055b756cfb4af296a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 8 Jul 2023 08:29:58 +0000 +Subject: udp6: fix udp6_ehashfn() typo + +From: Eric Dumazet + +[ Upstream commit 51d03e2f2203e76ed02d33fb5ffbb5fc85ffaf54 ] + +Amit Klein reported that udp6_ehash_secret was initialized but never used. + +Fixes: 1bbdceef1e53 ("inet: convert inet_ehash_secret and ipv6_hash_secret to net_get_random_once") +Reported-by: Amit Klein +Signed-off-by: Eric Dumazet +Cc: Willy Tarreau +Cc: Willem de Bruijn +Cc: David Ahern +Cc: Hannes Frederic Sowa +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/udp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c +index 19c0721399d9e..788bb19f32e99 100644 +--- a/net/ipv6/udp.c ++++ b/net/ipv6/udp.c +@@ -87,7 +87,7 @@ static u32 udp6_ehashfn(const struct net *net, + fhash = __ipv6_addr_jhash(faddr, udp_ipv6_hash_secret); + + return __inet6_ehashfn(lhash, lport, fhash, fport, +- udp_ipv6_hash_secret + net_hash_mix(net)); ++ udp6_ehash_secret + net_hash_mix(net)); + } + + int udp_v6_get_port(struct sock *sk, unsigned short snum) +-- +2.39.2 + diff --git a/queue-5.10/wifi-airo-avoid-uninitialized-warning-in-airo_get_ra.patch b/queue-5.10/wifi-airo-avoid-uninitialized-warning-in-airo_get_ra.patch new file mode 100644 index 00000000000..91f85139ff2 --- /dev/null +++ b/queue-5.10/wifi-airo-avoid-uninitialized-warning-in-airo_get_ra.patch @@ -0,0 +1,47 @@ +From dae3b37a715c8a9b65c38b1aadefc8cf0152d738 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 9 Jul 2023 06:31:54 -0700 +Subject: wifi: airo: avoid uninitialized warning in airo_get_rate() + +From: Randy Dunlap + +[ Upstream commit 9373771aaed17f5c2c38485f785568abe3a9f8c1 ] + +Quieten a gcc (11.3.0) build error or warning by checking the function +call status and returning -EBUSY if the function call failed. +This is similar to what several other wireless drivers do for the +SIOCGIWRATE ioctl call when there is a locking problem. + +drivers/net/wireless/cisco/airo.c: error: 'status_rid.currentXmitRate' is used uninitialized [-Werror=uninitialized] + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Randy Dunlap +Reported-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/39abf2c7-24a-f167-91da-ed4c5435d1c4@linux-m68k.org +Link: https://lore.kernel.org/r/20230709133154.26206-1-rdunlap@infradead.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/cisco/airo.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/cisco/airo.c b/drivers/net/wireless/cisco/airo.c +index 8c9c6bfbaeee7..aa1d12f6f5c3b 100644 +--- a/drivers/net/wireless/cisco/airo.c ++++ b/drivers/net/wireless/cisco/airo.c +@@ -6150,8 +6150,11 @@ static int airo_get_rate(struct net_device *dev, + { + struct airo_info *local = dev->ml_priv; + StatusRid status_rid; /* Card status info */ ++ int ret; + +- readStatusRid(local, &status_rid, 1); ++ ret = readStatusRid(local, &status_rid, 1); ++ if (ret) ++ return -EBUSY; + + vwrq->value = le16_to_cpu(status_rid.currentXmitRate) * 500000; + /* If more than one rate, set auto */ +-- +2.39.2 + -- 2.47.3