From: Sasha Levin Date: Sat, 30 Oct 2021 20:33:17 +0000 (-0400) Subject: Fixes for 5.14 X-Git-Tag: v4.4.291~15 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=08619b65c4968a85ef0877dacfe39461028e73a6;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.14 Signed-off-by: Sasha Levin --- diff --git a/queue-5.14/bpf-move-bpf_map_type-for-inode_storage-and-task_sto.patch b/queue-5.14/bpf-move-bpf_map_type-for-inode_storage-and-task_sto.patch new file mode 100644 index 00000000000..0acc35dd454 --- /dev/null +++ b/queue-5.14/bpf-move-bpf_map_type-for-inode_storage-and-task_sto.patch @@ -0,0 +1,56 @@ +From ddd116713fafa84be2dc8f65ad37ec7cc64a0784 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Oct 2021 08:46:10 -1000 +Subject: bpf: Move BPF_MAP_TYPE for INODE_STORAGE and TASK_STORAGE outside of + CONFIG_NET + +From: Tejun Heo + +[ Upstream commit 99d0a3831e3500d945162cdb2310e3a5fce90b60 ] + +bpf_types.h has BPF_MAP_TYPE_INODE_STORAGE and BPF_MAP_TYPE_TASK_STORAGE +declared inside #ifdef CONFIG_NET although they are built regardless of +CONFIG_NET. So, when CONFIG_BPF_SYSCALL && !CONFIG_NET, they are built +without the declarations leading to spurious build failures and not +registered to bpf_map_types making them unavailable. + +Fix it by moving the BPF_MAP_TYPE for the two map types outside of +CONFIG_NET. + +Reported-by: kernel test robot +Fixes: a10787e6d58c ("bpf: Enable task local storage for tracing programs") +Signed-off-by: Tejun Heo +Signed-off-by: Alexei Starovoitov +Acked-by: Martin KaFai Lau +Link: https://lore.kernel.org/bpf/YXG1cuuSJDqHQfRY@slm.duckdns.org +Signed-off-by: Sasha Levin +--- + include/linux/bpf_types.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/include/linux/bpf_types.h b/include/linux/bpf_types.h +index ae3ac3a2018c..2eb9c53468e7 100644 +--- a/include/linux/bpf_types.h ++++ b/include/linux/bpf_types.h +@@ -101,14 +101,14 @@ BPF_MAP_TYPE(BPF_MAP_TYPE_STACK_TRACE, stack_trace_map_ops) + #endif + BPF_MAP_TYPE(BPF_MAP_TYPE_ARRAY_OF_MAPS, array_of_maps_map_ops) + BPF_MAP_TYPE(BPF_MAP_TYPE_HASH_OF_MAPS, htab_of_maps_map_ops) +-#ifdef CONFIG_NET +-BPF_MAP_TYPE(BPF_MAP_TYPE_DEVMAP, dev_map_ops) +-BPF_MAP_TYPE(BPF_MAP_TYPE_DEVMAP_HASH, dev_map_hash_ops) +-BPF_MAP_TYPE(BPF_MAP_TYPE_SK_STORAGE, sk_storage_map_ops) + #ifdef CONFIG_BPF_LSM + BPF_MAP_TYPE(BPF_MAP_TYPE_INODE_STORAGE, inode_storage_map_ops) + #endif + BPF_MAP_TYPE(BPF_MAP_TYPE_TASK_STORAGE, task_storage_map_ops) ++#ifdef CONFIG_NET ++BPF_MAP_TYPE(BPF_MAP_TYPE_DEVMAP, dev_map_ops) ++BPF_MAP_TYPE(BPF_MAP_TYPE_DEVMAP_HASH, dev_map_hash_ops) ++BPF_MAP_TYPE(BPF_MAP_TYPE_SK_STORAGE, sk_storage_map_ops) + BPF_MAP_TYPE(BPF_MAP_TYPE_CPUMAP, cpu_map_ops) + #if defined(CONFIG_XDP_SOCKETS) + BPF_MAP_TYPE(BPF_MAP_TYPE_XSKMAP, xsk_map_ops) +-- +2.33.0 + diff --git a/queue-5.14/bpf-use-kvmalloc-for-map-values-in-syscall.patch b/queue-5.14/bpf-use-kvmalloc-for-map-values-in-syscall.patch new file mode 100644 index 00000000000..6bab3cdd11d --- /dev/null +++ b/queue-5.14/bpf-use-kvmalloc-for-map-values-in-syscall.patch @@ -0,0 +1,131 @@ +From 63a3d56e65e01eeb84981721c0075572621f74c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Aug 2021 16:52:15 -0700 +Subject: bpf: Use kvmalloc for map values in syscall + +From: Stanislav Fomichev + +[ Upstream commit f0dce1d9b7c81fc3dc9d0cc0bc7ef9b3eae22584 ] + +Use kvmalloc/kvfree for temporary value when manipulating a map via +syscall. kmalloc might not be sufficient for percpu maps where the value +is big (and further multiplied by hundreds of CPUs). + +Can be reproduced with netcnt test on qemu with "-smp 255". + +Signed-off-by: Stanislav Fomichev +Signed-off-by: Daniel Borkmann +Acked-by: Song Liu +Link: https://lore.kernel.org/bpf/20210818235216.1159202-1-sdf@google.com +Signed-off-by: Sasha Levin +--- + kernel/bpf/syscall.c | 28 +++++++++++----------------- + 1 file changed, 11 insertions(+), 17 deletions(-) + +diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c +index d245061ba318..92ed4b2984b8 100644 +--- a/kernel/bpf/syscall.c ++++ b/kernel/bpf/syscall.c +@@ -1066,7 +1066,7 @@ static int map_lookup_elem(union bpf_attr *attr) + value_size = bpf_map_value_size(map); + + err = -ENOMEM; +- value = kmalloc(value_size, GFP_USER | __GFP_NOWARN); ++ value = kvmalloc(value_size, GFP_USER | __GFP_NOWARN); + if (!value) + goto free_key; + +@@ -1081,7 +1081,7 @@ static int map_lookup_elem(union bpf_attr *attr) + err = 0; + + free_value: +- kfree(value); ++ kvfree(value); + free_key: + kfree(key); + err_put: +@@ -1127,16 +1127,10 @@ static int map_update_elem(union bpf_attr *attr, bpfptr_t uattr) + goto err_put; + } + +- if (map->map_type == BPF_MAP_TYPE_PERCPU_HASH || +- map->map_type == BPF_MAP_TYPE_LRU_PERCPU_HASH || +- map->map_type == BPF_MAP_TYPE_PERCPU_ARRAY || +- map->map_type == BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE) +- value_size = round_up(map->value_size, 8) * num_possible_cpus(); +- else +- value_size = map->value_size; ++ value_size = bpf_map_value_size(map); + + err = -ENOMEM; +- value = kmalloc(value_size, GFP_USER | __GFP_NOWARN); ++ value = kvmalloc(value_size, GFP_USER | __GFP_NOWARN); + if (!value) + goto free_key; + +@@ -1147,7 +1141,7 @@ static int map_update_elem(union bpf_attr *attr, bpfptr_t uattr) + err = bpf_map_update_value(map, f, key, value, attr->flags); + + free_value: +- kfree(value); ++ kvfree(value); + free_key: + kfree(key); + err_put: +@@ -1356,7 +1350,7 @@ int generic_map_update_batch(struct bpf_map *map, + if (!key) + return -ENOMEM; + +- value = kmalloc(value_size, GFP_USER | __GFP_NOWARN); ++ value = kvmalloc(value_size, GFP_USER | __GFP_NOWARN); + if (!value) { + kfree(key); + return -ENOMEM; +@@ -1380,7 +1374,7 @@ int generic_map_update_batch(struct bpf_map *map, + if (copy_to_user(&uattr->batch.count, &cp, sizeof(cp))) + err = -EFAULT; + +- kfree(value); ++ kvfree(value); + kfree(key); + fdput(f); + return err; +@@ -1420,7 +1414,7 @@ int generic_map_lookup_batch(struct bpf_map *map, + if (!buf_prevkey) + return -ENOMEM; + +- buf = kmalloc(map->key_size + value_size, GFP_USER | __GFP_NOWARN); ++ buf = kvmalloc(map->key_size + value_size, GFP_USER | __GFP_NOWARN); + if (!buf) { + kfree(buf_prevkey); + return -ENOMEM; +@@ -1483,7 +1477,7 @@ int generic_map_lookup_batch(struct bpf_map *map, + + free_buf: + kfree(buf_prevkey); +- kfree(buf); ++ kvfree(buf); + return err; + } + +@@ -1538,7 +1532,7 @@ static int map_lookup_and_delete_elem(union bpf_attr *attr) + value_size = bpf_map_value_size(map); + + err = -ENOMEM; +- value = kmalloc(value_size, GFP_USER | __GFP_NOWARN); ++ value = kvmalloc(value_size, GFP_USER | __GFP_NOWARN); + if (!value) + goto free_key; + +@@ -1570,7 +1564,7 @@ static int map_lookup_and_delete_elem(union bpf_attr *attr) + err = 0; + + free_value: +- kfree(value); ++ kvfree(value); + free_key: + kfree(key); + err_put: +-- +2.33.0 + diff --git a/queue-5.14/net-hns3-add-more-string-spaces-for-dumping-packets-.patch b/queue-5.14/net-hns3-add-more-string-spaces-for-dumping-packets-.patch new file mode 100644 index 00000000000..d79b23081de --- /dev/null +++ b/queue-5.14/net-hns3-add-more-string-spaces-for-dumping-packets-.patch @@ -0,0 +1,48 @@ +From bf7dbe9b66229041180086374d4de1020dfb607f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Oct 2021 20:11:47 +0800 +Subject: net: hns3: add more string spaces for dumping packets number of queue + info in debugfs + +From: Jie Wang + +[ Upstream commit 6754614a787cbcbf87bae8a75619c24a33ea6791 ] + +As the width of packets number registers is 32 bits, they needs at most +10 characters for decimal data printing, but now the string spaces is not +enough, so this patch fixes it. + +Fixes: e44c495d95e ("net: hns3: refactor queue info of debugfs") +Signed-off-by: Jie Wang +Signed-off-by: Guangbin Huang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c +index 80461ab0ce9e..ce2fc283fe5c 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c +@@ -463,7 +463,7 @@ static const struct hns3_dbg_item rx_queue_info_items[] = { + { "TAIL", 2 }, + { "HEAD", 2 }, + { "FBDNUM", 2 }, +- { "PKTNUM", 2 }, ++ { "PKTNUM", 5 }, + { "COPYBREAK", 2 }, + { "RING_EN", 2 }, + { "RX_RING_EN", 2 }, +@@ -566,7 +566,7 @@ static const struct hns3_dbg_item tx_queue_info_items[] = { + { "HEAD", 2 }, + { "FBDNUM", 2 }, + { "OFFSET", 2 }, +- { "PKTNUM", 2 }, ++ { "PKTNUM", 5 }, + { "RING_EN", 2 }, + { "TX_RING_EN", 2 }, + { "BASE_ADDR", 10 }, +-- +2.33.0 + diff --git a/queue-5.14/net-hns3-expand-buffer-len-for-some-debugfs-command.patch b/queue-5.14/net-hns3-expand-buffer-len-for-some-debugfs-command.patch new file mode 100644 index 00000000000..07a148de437 --- /dev/null +++ b/queue-5.14/net-hns3-expand-buffer-len-for-some-debugfs-command.patch @@ -0,0 +1,56 @@ +From 6bf11d449144c858918d8e9d6a4a842f0b30c4a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Oct 2021 20:11:48 +0800 +Subject: net: hns3: expand buffer len for some debugfs command + +From: Guangbin Huang + +[ Upstream commit c7a6e3978ea952efb107ecf511c095c3bbb2945f ] + +The specified buffer length for three debugfs files fd_tcam, uc and tqp +is not enough for their maximum needs, so this patch fixes them. + +Fixes: b5a0b70d77b9 ("net: hns3: refactor dump fd tcam of debugfs") +Fixes: 1556ea9120ff ("net: hns3: refactor dump mac list of debugfs") +Fixes: d96b0e59468d ("net: hns3: refactor dump reg of debugfs") +Signed-off-by: Guangbin Huang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c +index ce2fc283fe5c..b22b8baec54c 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c +@@ -138,7 +138,7 @@ static struct hns3_dbg_cmd_info hns3_dbg_cmd[] = { + .name = "uc", + .cmd = HNAE3_DBG_CMD_MAC_UC, + .dentry = HNS3_DBG_DENTRY_MAC, +- .buf_len = HNS3_DBG_READ_LEN, ++ .buf_len = HNS3_DBG_READ_LEN_128KB, + .init = hns3_dbg_common_file_init, + }, + { +@@ -257,7 +257,7 @@ static struct hns3_dbg_cmd_info hns3_dbg_cmd[] = { + .name = "tqp", + .cmd = HNAE3_DBG_CMD_REG_TQP, + .dentry = HNS3_DBG_DENTRY_REG, +- .buf_len = HNS3_DBG_READ_LEN, ++ .buf_len = HNS3_DBG_READ_LEN_128KB, + .init = hns3_dbg_common_file_init, + }, + { +@@ -299,7 +299,7 @@ static struct hns3_dbg_cmd_info hns3_dbg_cmd[] = { + .name = "fd_tcam", + .cmd = HNAE3_DBG_CMD_FD_TCAM, + .dentry = HNS3_DBG_DENTRY_FD, +- .buf_len = HNS3_DBG_READ_LEN, ++ .buf_len = HNS3_DBG_READ_LEN_1MB, + .init = hns3_dbg_common_file_init, + }, + { +-- +2.33.0 + diff --git a/queue-5.14/octeontx2-af-check-whether-ipolicers-exists.patch b/queue-5.14/octeontx2-af-check-whether-ipolicers-exists.patch new file mode 100644 index 00000000000..c3f630a28e1 --- /dev/null +++ b/queue-5.14/octeontx2-af-check-whether-ipolicers-exists.patch @@ -0,0 +1,53 @@ +From e970f55fef79894c57042b0bc4b37b06110f1cbf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Oct 2021 23:02:32 +0530 +Subject: octeontx2-af: Check whether ipolicers exists + +From: Subbaraya Sundeep + +[ Upstream commit cc45b96e2de7ada26520f101dada0abafa4ba997 ] + +While displaying ingress policers information in +debugfs check whether ingress policers exist in +the hardware or not because some platforms(CN9XXX) +do not have this feature. + +Fixes: e7d8971763f3 ("octeontx2-af: cn10k: Debugfs support for bandwidth") +Signed-off-by: Subbaraya Sundeep +Signed-off-by: Rakesh Babu +Signed-off-by: Sunil Kovvuri Goutham +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c +index 75794c8590c4..a606de56678d 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c +@@ -1796,6 +1796,10 @@ static int rvu_dbg_nix_band_prof_ctx_display(struct seq_file *m, void *unused) + u16 pcifunc; + char *str; + ++ /* Ingress policers do not exist on all platforms */ ++ if (!nix_hw->ipolicer) ++ return 0; ++ + for (layer = 0; layer < BAND_PROF_NUM_LAYERS; layer++) { + if (layer == BAND_PROF_INVAL_LAYER) + continue; +@@ -1845,6 +1849,10 @@ static int rvu_dbg_nix_band_prof_rsrc_display(struct seq_file *m, void *unused) + int layer; + char *str; + ++ /* Ingress policers do not exist on all platforms */ ++ if (!nix_hw->ipolicer) ++ return 0; ++ + seq_puts(m, "\nBandwidth profile resource free count\n"); + seq_puts(m, "=====================================\n"); + for (layer = 0; layer < BAND_PROF_NUM_LAYERS; layer++) { +-- +2.33.0 + diff --git a/queue-5.14/rdma-irdma-do-not-hold-qos-mutex-twice-on-qp-resume.patch b/queue-5.14/rdma-irdma-do-not-hold-qos-mutex-twice-on-qp-resume.patch new file mode 100644 index 00000000000..25c786a3664 --- /dev/null +++ b/queue-5.14/rdma-irdma-do-not-hold-qos-mutex-twice-on-qp-resume.patch @@ -0,0 +1,67 @@ +From fe2db2f80044305ed39a2903fd04ea3bfb9a320d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Oct 2021 10:16:54 -0500 +Subject: RDMA/irdma: Do not hold qos mutex twice on QP resume + +From: Mustafa Ismail + +[ Upstream commit 2dace185caa580720c7cd67fec9efc5ee26108ac ] + +When irdma_ws_add fails, irdma_ws_remove is used to cleanup the leaf node. +This lead to holding the qos mutex twice in the QP resume path. Fix this +by avoiding the call to irdma_ws_remove and unwinding the error in +irdma_ws_add. This skips the call to irdma_tc_in_use function which is not +needed in the error unwind cases. + +Fixes: 3ae331c75128 ("RDMA/irdma: Add QoS definitions") +Link: https://lore.kernel.org/r/20211019151654.1943-2-shiraz.saleem@intel.com +Signed-off-by: Mustafa Ismail +Signed-off-by: Shiraz Saleem +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/irdma/ws.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/drivers/infiniband/hw/irdma/ws.c b/drivers/infiniband/hw/irdma/ws.c +index b68c575eb78e..b0d6ee0739f5 100644 +--- a/drivers/infiniband/hw/irdma/ws.c ++++ b/drivers/infiniband/hw/irdma/ws.c +@@ -330,8 +330,10 @@ enum irdma_status_code irdma_ws_add(struct irdma_sc_vsi *vsi, u8 user_pri) + + tc_node->enable = true; + ret = irdma_ws_cqp_cmd(vsi, tc_node, IRDMA_OP_WS_MODIFY_NODE); +- if (ret) ++ if (ret) { ++ vsi->unregister_qset(vsi, tc_node); + goto reg_err; ++ } + } + ibdev_dbg(to_ibdev(vsi->dev), + "WS: Using node %d which represents VSI %d TC %d\n", +@@ -350,6 +352,10 @@ enum irdma_status_code irdma_ws_add(struct irdma_sc_vsi *vsi, u8 user_pri) + } + goto exit; + ++reg_err: ++ irdma_ws_cqp_cmd(vsi, tc_node, IRDMA_OP_WS_DELETE_NODE); ++ list_del(&tc_node->siblings); ++ irdma_free_node(vsi, tc_node); + leaf_add_err: + if (list_empty(&vsi_node->child_list_head)) { + if (irdma_ws_cqp_cmd(vsi, vsi_node, IRDMA_OP_WS_DELETE_NODE)) +@@ -369,11 +375,6 @@ vsi_add_err: + exit: + mutex_unlock(&vsi->dev->ws_mutex); + return ret; +- +-reg_err: +- mutex_unlock(&vsi->dev->ws_mutex); +- irdma_ws_remove(vsi, user_pri); +- return ret; + } + + /** +-- +2.33.0 + diff --git a/queue-5.14/rdma-irdma-process-extended-cq-entries-correctly.patch b/queue-5.14/rdma-irdma-process-extended-cq-entries-correctly.patch new file mode 100644 index 00000000000..3c2a6584227 --- /dev/null +++ b/queue-5.14/rdma-irdma-process-extended-cq-entries-correctly.patch @@ -0,0 +1,47 @@ +From 224968545da225d57d53f4205d3dc0d37d86d4cc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Oct 2021 13:23:02 -0500 +Subject: RDMA/irdma: Process extended CQ entries correctly + +From: Shiraz Saleem + +[ Upstream commit e93c7d8e8c4cf80c6afe56e71c83c1cd31b4fce1 ] + +The valid bit for extended CQE's written by HW is retrieved from the +incorrect quad-word. This leads to missed completions for any UD traffic +particularly after a wrap-around. + +Get the valid bit for extended CQE's from the correct quad-word in the +descriptor. + +Fixes: 551c46edc769 ("RDMA/irdma: Add user/kernel shared libraries") +Link: https://lore.kernel.org/r/20211005182302.374-1-shiraz.saleem@intel.com +Signed-off-by: Shiraz Saleem +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/irdma/uk.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/hw/irdma/uk.c b/drivers/infiniband/hw/irdma/uk.c +index 5fb92de1f015..9b544a3b1288 100644 +--- a/drivers/infiniband/hw/irdma/uk.c ++++ b/drivers/infiniband/hw/irdma/uk.c +@@ -1092,12 +1092,12 @@ irdma_uk_cq_poll_cmpl(struct irdma_cq_uk *cq, struct irdma_cq_poll_info *info) + if (cq->avoid_mem_cflct) { + ext_cqe = (__le64 *)((u8 *)cqe + 32); + get_64bit_val(ext_cqe, 24, &qword7); +- polarity = (u8)FIELD_GET(IRDMA_CQ_VALID, qword3); ++ polarity = (u8)FIELD_GET(IRDMA_CQ_VALID, qword7); + } else { + peek_head = (cq->cq_ring.head + 1) % cq->cq_ring.size; + ext_cqe = cq->cq_base[peek_head].buf; + get_64bit_val(ext_cqe, 24, &qword7); +- polarity = (u8)FIELD_GET(IRDMA_CQ_VALID, qword3); ++ polarity = (u8)FIELD_GET(IRDMA_CQ_VALID, qword7); + if (!peek_head) + polarity ^= 1; + } +-- +2.33.0 + diff --git a/queue-5.14/rdma-irdma-set-vlan-in-ud-work-completion-correctly.patch b/queue-5.14/rdma-irdma-set-vlan-in-ud-work-completion-correctly.patch new file mode 100644 index 00000000000..5917cab4389 --- /dev/null +++ b/queue-5.14/rdma-irdma-set-vlan-in-ud-work-completion-correctly.patch @@ -0,0 +1,47 @@ +From 87ce847272075f038b5aa3719becf4733b06c510 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Oct 2021 10:16:53 -0500 +Subject: RDMA/irdma: Set VLAN in UD work completion correctly + +From: Mustafa Ismail + +[ Upstream commit cc07b73ef11d11d4359fb104d0199b22451dd3d8 ] + +Currently VLAN is reported in UD work completion when VLAN id is zero, +i.e. no VLAN case. + +Report VLAN in UD work completion only when VLAN id is non-zero. + +Fixes: b48c24c2d710 ("RDMA/irdma: Implement device supported verb APIs") +Link: https://lore.kernel.org/r/20211019151654.1943-1-shiraz.saleem@intel.com +Signed-off-by: Mustafa Ismail +Signed-off-by: Shiraz Saleem +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/irdma/verbs.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/hw/irdma/verbs.c b/drivers/infiniband/hw/irdma/verbs.c +index fa393c5ea397..4261705fa19d 100644 +--- a/drivers/infiniband/hw/irdma/verbs.c ++++ b/drivers/infiniband/hw/irdma/verbs.c +@@ -3405,9 +3405,13 @@ static void irdma_process_cqe(struct ib_wc *entry, + } + + if (cq_poll_info->ud_vlan_valid) { +- entry->vlan_id = cq_poll_info->ud_vlan & VLAN_VID_MASK; +- entry->wc_flags |= IB_WC_WITH_VLAN; ++ u16 vlan = cq_poll_info->ud_vlan & VLAN_VID_MASK; ++ + entry->sl = cq_poll_info->ud_vlan >> VLAN_PRIO_SHIFT; ++ if (vlan) { ++ entry->vlan_id = vlan; ++ entry->wc_flags |= IB_WC_WITH_VLAN; ++ } + } else { + entry->sl = 0; + } +-- +2.33.0 + diff --git a/queue-5.14/sctp-add-vtag-check-in-sctp_sf_do_8_5_1_e_sa.patch b/queue-5.14/sctp-add-vtag-check-in-sctp_sf_do_8_5_1_e_sa.patch new file mode 100644 index 00000000000..145d8252638 --- /dev/null +++ b/queue-5.14/sctp-add-vtag-check-in-sctp_sf_do_8_5_1_e_sa.patch @@ -0,0 +1,65 @@ +From 2d61fcf4df6ecd303715632e54c6bb36a8e257c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Oct 2021 07:42:46 -0400 +Subject: sctp: add vtag check in sctp_sf_do_8_5_1_E_sa + +From: Xin Long + +[ Upstream commit ef16b1734f0a176277b7bb9c71a6d977a6ef3998 ] + +sctp_sf_do_8_5_1_E_sa() is called when processing SHUTDOWN_ACK chunk +in cookie_wait and cookie_echoed state. + +The vtag in the chunk's sctphdr should be verified, otherwise, as +later in chunk length check, it may send abort with the existent +asoc's vtag, which can be exploited by one to cook a malicious +chunk to terminate a SCTP asoc. + +Note that when fails to verify the vtag from SHUTDOWN-ACK chunk, +SHUTDOWN COMPLETE message will still be sent back to peer, but +with the vtag from SHUTDOWN-ACK chunk, as said in 5) of +rfc4960#section-8.4. + +While at it, also remove the unnecessary chunk length check from +sctp_sf_shut_8_4_5(), as it's already done in both places where +it calls sctp_sf_shut_8_4_5(). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Xin Long +Acked-by: Marcelo Ricardo Leitner +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sctp/sm_statefuns.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c +index 36328ab88bdd..a3545498a038 100644 +--- a/net/sctp/sm_statefuns.c ++++ b/net/sctp/sm_statefuns.c +@@ -3803,12 +3803,6 @@ static enum sctp_disposition sctp_sf_shut_8_4_5( + + SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); + +- /* If the chunk length is invalid, we don't want to process +- * the reset of the packet. +- */ +- if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) +- return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); +- + /* We need to discard the rest of the packet to prevent + * potential boomming attacks from additional bundled chunks. + * This is documented in SCTP Threats ID. +@@ -3836,6 +3830,9 @@ enum sctp_disposition sctp_sf_do_8_5_1_E_sa(struct net *net, + { + struct sctp_chunk *chunk = arg; + ++ if (!sctp_vtag_verify(chunk, asoc)) ++ asoc = NULL; ++ + /* Make sure that the SHUTDOWN_ACK chunk has a valid length. */ + if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) + return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, +-- +2.33.0 + diff --git a/queue-5.14/sctp-add-vtag-check-in-sctp_sf_ootb.patch b/queue-5.14/sctp-add-vtag-check-in-sctp_sf_ootb.patch new file mode 100644 index 00000000000..4327b374dae --- /dev/null +++ b/queue-5.14/sctp-add-vtag-check-in-sctp_sf_ootb.patch @@ -0,0 +1,47 @@ +From 740f4a4bd261baa61893582ba25ff41a876b72c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Oct 2021 07:42:47 -0400 +Subject: sctp: add vtag check in sctp_sf_ootb + +From: Xin Long + +[ Upstream commit 9d02831e517aa36ee6bdb453a0eb47bd49923fe3 ] + +sctp_sf_ootb() is called when processing DATA chunk in closed state, +and many other places are also using it. + +The vtag in the chunk's sctphdr should be verified, otherwise, as +later in chunk length check, it may send abort with the existent +asoc's vtag, which can be exploited by one to cook a malicious +chunk to terminate a SCTP asoc. + +When fails to verify the vtag from the chunk, this patch sets asoc +to NULL, so that the abort will be made with the vtag from the +received chunk later. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Xin Long +Acked-by: Marcelo Ricardo Leitner +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sctp/sm_statefuns.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c +index a3545498a038..fb3da4d8f4a3 100644 +--- a/net/sctp/sm_statefuns.c ++++ b/net/sctp/sm_statefuns.c +@@ -3688,6 +3688,9 @@ enum sctp_disposition sctp_sf_ootb(struct net *net, + + SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES); + ++ if (asoc && !sctp_vtag_verify(chunk, asoc)) ++ asoc = NULL; ++ + ch = (struct sctp_chunkhdr *)chunk->chunk_hdr; + do { + /* Report violation if the chunk is less then minimal */ +-- +2.33.0 + diff --git a/queue-5.14/sctp-add-vtag-check-in-sctp_sf_violation.patch b/queue-5.14/sctp-add-vtag-check-in-sctp_sf_violation.patch new file mode 100644 index 00000000000..da26c6c693d --- /dev/null +++ b/queue-5.14/sctp-add-vtag-check-in-sctp_sf_violation.patch @@ -0,0 +1,43 @@ +From c3f9ce884b4af54c961434ca45a3bfc5f23d2528 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Oct 2021 07:42:45 -0400 +Subject: sctp: add vtag check in sctp_sf_violation + +From: Xin Long + +[ Upstream commit aa0f697e45286a6b5f0ceca9418acf54b9099d99 ] + +sctp_sf_violation() is called when processing HEARTBEAT_ACK chunk +in cookie_wait state, and some other places are also using it. + +The vtag in the chunk's sctphdr should be verified, otherwise, as +later in chunk length check, it may send abort with the existent +asoc's vtag, which can be exploited by one to cook a malicious +chunk to terminate a SCTP asoc. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Xin Long +Acked-by: Marcelo Ricardo Leitner +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sctp/sm_statefuns.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c +index 96a069d725e9..36328ab88bdd 100644 +--- a/net/sctp/sm_statefuns.c ++++ b/net/sctp/sm_statefuns.c +@@ -4669,6 +4669,9 @@ enum sctp_disposition sctp_sf_violation(struct net *net, + { + struct sctp_chunk *chunk = arg; + ++ if (!sctp_vtag_verify(chunk, asoc)) ++ return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); ++ + /* Make sure that the chunk has a valid length. */ + if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) + return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, +-- +2.33.0 + diff --git a/queue-5.14/sctp-fix-the-processing-for-cookie_echo-chunk.patch b/queue-5.14/sctp-fix-the-processing-for-cookie_echo-chunk.patch new file mode 100644 index 00000000000..736eb14602d --- /dev/null +++ b/queue-5.14/sctp-fix-the-processing-for-cookie_echo-chunk.patch @@ -0,0 +1,75 @@ +From 0367d80b31856a92a23f256e0390615eacac95fa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Oct 2021 07:42:44 -0400 +Subject: sctp: fix the processing for COOKIE_ECHO chunk + +From: Xin Long + +[ Upstream commit a64b341b8695e1c744dd972b39868371b4f68f83 ] + +1. In closed state: in sctp_sf_do_5_1D_ce(): + + When asoc is NULL, making packet for abort will use chunk's vtag + in sctp_ootb_pkt_new(). But when asoc exists, vtag from the chunk + should be verified before using peer.i.init_tag to make packet + for abort in sctp_ootb_pkt_new(), and just discard it if vtag is + not correct. + +2. In the other states: in sctp_sf_do_5_2_4_dupcook(): + + asoc always exists, but duplicate cookie_echo's vtag will be + handled by sctp_tietags_compare() and then take actions, so before + that we only verify the vtag for the abort sent for invalid chunk + length. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Xin Long +Acked-by: Marcelo Ricardo Leitner +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sctp/sm_statefuns.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c +index 672e5308839b..96a069d725e9 100644 +--- a/net/sctp/sm_statefuns.c ++++ b/net/sctp/sm_statefuns.c +@@ -710,6 +710,9 @@ enum sctp_disposition sctp_sf_do_5_1D_ce(struct net *net, + struct sock *sk; + int error = 0; + ++ if (asoc && !sctp_vtag_verify(chunk, asoc)) ++ return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); ++ + /* If the packet is an OOTB packet which is temporarily on the + * control endpoint, respond with an ABORT. + */ +@@ -724,7 +727,8 @@ enum sctp_disposition sctp_sf_do_5_1D_ce(struct net *net, + * in sctp_unpack_cookie(). + */ + if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) +- return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); ++ return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, ++ commands); + + /* If the endpoint is not listening or if the number of associations + * on the TCP-style socket exceed the max backlog, respond with an +@@ -2204,9 +2208,11 @@ enum sctp_disposition sctp_sf_do_5_2_4_dupcook( + * enough for the chunk header. Cookie length verification is + * done later. + */ +- if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) +- return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, +- commands); ++ if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) { ++ if (!sctp_vtag_verify(chunk, asoc)) ++ asoc = NULL; ++ return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, commands); ++ } + + /* "Decode" the chunk. We have no optional parameters so we + * are in good shape. +-- +2.33.0 + diff --git a/queue-5.14/sctp-fix-the-processing-for-init-chunk.patch b/queue-5.14/sctp-fix-the-processing-for-init-chunk.patch new file mode 100644 index 00000000000..1fab8287fc4 --- /dev/null +++ b/queue-5.14/sctp-fix-the-processing-for-init-chunk.patch @@ -0,0 +1,166 @@ +From 21cace65b6bc54e76c3648a46458e12f3e00f65f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Oct 2021 07:42:42 -0400 +Subject: sctp: fix the processing for INIT chunk + +From: Xin Long + +[ Upstream commit eae5783908042a762c24e1bd11876edb91d314b1 ] + +This patch fixes the problems below: + +1. In non-shutdown_ack_sent states: in sctp_sf_do_5_1B_init() and + sctp_sf_do_5_2_2_dupinit(): + + chunk length check should be done before any checks that may cause + to send abort, as making packet for abort will access the init_tag + from init_hdr in sctp_ootb_pkt_new(). + +2. In shutdown_ack_sent state: in sctp_sf_do_9_2_reshutack(): + + The same checks as does in sctp_sf_do_5_2_2_dupinit() is needed + for sctp_sf_do_9_2_reshutack(). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Xin Long +Acked-by: Marcelo Ricardo Leitner +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sctp/sm_statefuns.c | 72 ++++++++++++++++++++++++++--------------- + 1 file changed, 46 insertions(+), 26 deletions(-) + +diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c +index 7f8306968c39..9bfa8cca9974 100644 +--- a/net/sctp/sm_statefuns.c ++++ b/net/sctp/sm_statefuns.c +@@ -156,6 +156,12 @@ static enum sctp_disposition __sctp_sf_do_9_1_abort( + void *arg, + struct sctp_cmd_seq *commands); + ++static enum sctp_disposition ++__sctp_sf_do_9_2_reshutack(struct net *net, const struct sctp_endpoint *ep, ++ const struct sctp_association *asoc, ++ const union sctp_subtype type, void *arg, ++ struct sctp_cmd_seq *commands); ++ + /* Small helper function that checks if the chunk length + * is of the appropriate length. The 'required_length' argument + * is set to be the size of a specific chunk we are testing. +@@ -337,6 +343,14 @@ enum sctp_disposition sctp_sf_do_5_1B_init(struct net *net, + if (!chunk->singleton) + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); + ++ /* Make sure that the INIT chunk has a valid length. ++ * Normally, this would cause an ABORT with a Protocol Violation ++ * error, but since we don't have an association, we'll ++ * just discard the packet. ++ */ ++ if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_init_chunk))) ++ return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); ++ + /* If the packet is an OOTB packet which is temporarily on the + * control endpoint, respond with an ABORT. + */ +@@ -351,14 +365,6 @@ enum sctp_disposition sctp_sf_do_5_1B_init(struct net *net, + if (chunk->sctp_hdr->vtag != 0) + return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); + +- /* Make sure that the INIT chunk has a valid length. +- * Normally, this would cause an ABORT with a Protocol Violation +- * error, but since we don't have an association, we'll +- * just discard the packet. +- */ +- if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_init_chunk))) +- return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); +- + /* If the INIT is coming toward a closing socket, we'll send back + * and ABORT. Essentially, this catches the race of INIT being + * backloged to the socket at the same time as the user issues close(). +@@ -1524,20 +1530,16 @@ static enum sctp_disposition sctp_sf_do_unexpected_init( + if (!chunk->singleton) + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); + ++ /* Make sure that the INIT chunk has a valid length. */ ++ if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_init_chunk))) ++ return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); ++ + /* 3.1 A packet containing an INIT chunk MUST have a zero Verification + * Tag. + */ + if (chunk->sctp_hdr->vtag != 0) + return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); + +- /* Make sure that the INIT chunk has a valid length. +- * In this case, we generate a protocol violation since we have +- * an association established. +- */ +- if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_init_chunk))) +- return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, +- commands); +- + if (SCTP_INPUT_CB(chunk->skb)->encap_port != chunk->transport->encap_port) + return sctp_sf_new_encap_port(net, ep, asoc, type, arg, commands); + +@@ -1882,9 +1884,9 @@ static enum sctp_disposition sctp_sf_do_dupcook_a( + * its peer. + */ + if (sctp_state(asoc, SHUTDOWN_ACK_SENT)) { +- disposition = sctp_sf_do_9_2_reshutack(net, ep, asoc, +- SCTP_ST_CHUNK(chunk->chunk_hdr->type), +- chunk, commands); ++ disposition = __sctp_sf_do_9_2_reshutack(net, ep, asoc, ++ SCTP_ST_CHUNK(chunk->chunk_hdr->type), ++ chunk, commands); + if (SCTP_DISPOSITION_NOMEM == disposition) + goto nomem; + +@@ -2970,13 +2972,11 @@ enum sctp_disposition sctp_sf_do_9_2_shut_ctsn( + * that belong to this association, it should discard the INIT chunk and + * retransmit the SHUTDOWN ACK chunk. + */ +-enum sctp_disposition sctp_sf_do_9_2_reshutack( +- struct net *net, +- const struct sctp_endpoint *ep, +- const struct sctp_association *asoc, +- const union sctp_subtype type, +- void *arg, +- struct sctp_cmd_seq *commands) ++static enum sctp_disposition ++__sctp_sf_do_9_2_reshutack(struct net *net, const struct sctp_endpoint *ep, ++ const struct sctp_association *asoc, ++ const union sctp_subtype type, void *arg, ++ struct sctp_cmd_seq *commands) + { + struct sctp_chunk *chunk = arg; + struct sctp_chunk *reply; +@@ -3010,6 +3010,26 @@ nomem: + return SCTP_DISPOSITION_NOMEM; + } + ++enum sctp_disposition ++sctp_sf_do_9_2_reshutack(struct net *net, const struct sctp_endpoint *ep, ++ const struct sctp_association *asoc, ++ const union sctp_subtype type, void *arg, ++ struct sctp_cmd_seq *commands) ++{ ++ struct sctp_chunk *chunk = arg; ++ ++ if (!chunk->singleton) ++ return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); ++ ++ if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_init_chunk))) ++ return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); ++ ++ if (chunk->sctp_hdr->vtag != 0) ++ return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); ++ ++ return __sctp_sf_do_9_2_reshutack(net, ep, asoc, type, arg, commands); ++} ++ + /* + * sctp_sf_do_ecn_cwr + * +-- +2.33.0 + diff --git a/queue-5.14/sctp-fix-the-processing-for-init_ack-chunk.patch b/queue-5.14/sctp-fix-the-processing-for-init_ack-chunk.patch new file mode 100644 index 00000000000..8650dd5116c --- /dev/null +++ b/queue-5.14/sctp-fix-the-processing-for-init_ack-chunk.patch @@ -0,0 +1,135 @@ +From 88c24a5a6379f605a15d231a5bd0245b0f3e951a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Oct 2021 07:42:43 -0400 +Subject: sctp: fix the processing for INIT_ACK chunk + +From: Xin Long + +[ Upstream commit 438b95a7c98f77d51cbf4db021f41b602d750a3f ] + +Currently INIT_ACK chunk in non-cookie_echoed state is processed in +sctp_sf_discard_chunk() to send an abort with the existent asoc's +vtag if the chunk length is not valid. But the vtag in the chunk's +sctphdr is not verified, which may be exploited by one to cook a +malicious chunk to terminal a SCTP asoc. + +sctp_sf_discard_chunk() also is called in many other places to send +an abort, and most of those have this problem. This patch is to fix +it by sending abort with the existent asoc's vtag only if the vtag +from the chunk's sctphdr is verified in sctp_sf_discard_chunk(). + +Note on sctp_sf_do_9_1_abort() and sctp_sf_shutdown_pending_abort(), +the chunk length has been verified before sctp_sf_discard_chunk(), +so replace it with sctp_sf_discard(). On sctp_sf_do_asconf_ack() and +sctp_sf_do_asconf(), move the sctp_chunk_length_valid check ahead of +sctp_sf_discard_chunk(), then replace it with sctp_sf_discard(). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Xin Long +Acked-by: Marcelo Ricardo Leitner +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sctp/sm_statefuns.c | 37 +++++++++++++++++++------------------ + 1 file changed, 19 insertions(+), 18 deletions(-) + +diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c +index 9bfa8cca9974..672e5308839b 100644 +--- a/net/sctp/sm_statefuns.c ++++ b/net/sctp/sm_statefuns.c +@@ -2343,7 +2343,7 @@ enum sctp_disposition sctp_sf_shutdown_pending_abort( + */ + if (SCTP_ADDR_DEL == + sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest)) +- return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands); ++ return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); + + if (!sctp_err_chunk_valid(chunk)) + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); +@@ -2389,7 +2389,7 @@ enum sctp_disposition sctp_sf_shutdown_sent_abort( + */ + if (SCTP_ADDR_DEL == + sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest)) +- return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands); ++ return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); + + if (!sctp_err_chunk_valid(chunk)) + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); +@@ -2659,7 +2659,7 @@ enum sctp_disposition sctp_sf_do_9_1_abort( + */ + if (SCTP_ADDR_DEL == + sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest)) +- return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands); ++ return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); + + if (!sctp_err_chunk_valid(chunk)) + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); +@@ -3865,6 +3865,11 @@ enum sctp_disposition sctp_sf_do_asconf(struct net *net, + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); + } + ++ /* Make sure that the ASCONF ADDIP chunk has a valid length. */ ++ if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_addip_chunk))) ++ return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, ++ commands); ++ + /* ADD-IP: Section 4.1.1 + * This chunk MUST be sent in an authenticated way by using + * the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk +@@ -3873,13 +3878,7 @@ enum sctp_disposition sctp_sf_do_asconf(struct net *net, + */ + if (!asoc->peer.asconf_capable || + (!net->sctp.addip_noauth && !chunk->auth)) +- return sctp_sf_discard_chunk(net, ep, asoc, type, arg, +- commands); +- +- /* Make sure that the ASCONF ADDIP chunk has a valid length. */ +- if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_addip_chunk))) +- return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, +- commands); ++ return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); + + hdr = (struct sctp_addiphdr *)chunk->skb->data; + serial = ntohl(hdr->serial); +@@ -4008,6 +4007,12 @@ enum sctp_disposition sctp_sf_do_asconf_ack(struct net *net, + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); + } + ++ /* Make sure that the ADDIP chunk has a valid length. */ ++ if (!sctp_chunk_length_valid(asconf_ack, ++ sizeof(struct sctp_addip_chunk))) ++ return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, ++ commands); ++ + /* ADD-IP, Section 4.1.2: + * This chunk MUST be sent in an authenticated way by using + * the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk +@@ -4016,14 +4021,7 @@ enum sctp_disposition sctp_sf_do_asconf_ack(struct net *net, + */ + if (!asoc->peer.asconf_capable || + (!net->sctp.addip_noauth && !asconf_ack->auth)) +- return sctp_sf_discard_chunk(net, ep, asoc, type, arg, +- commands); +- +- /* Make sure that the ADDIP chunk has a valid length. */ +- if (!sctp_chunk_length_valid(asconf_ack, +- sizeof(struct sctp_addip_chunk))) +- return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, +- commands); ++ return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); + + addip_hdr = (struct sctp_addiphdr *)asconf_ack->skb->data; + rcvd_serial = ntohl(addip_hdr->serial); +@@ -4595,6 +4593,9 @@ enum sctp_disposition sctp_sf_discard_chunk(struct net *net, + { + struct sctp_chunk *chunk = arg; + ++ if (asoc && !sctp_vtag_verify(chunk, asoc)) ++ return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); ++ + /* Make sure that the chunk has a valid length. + * Since we don't know the chunk type, we use a general + * chunkhdr structure to make a comparison. +-- +2.33.0 + diff --git a/queue-5.14/sctp-use-init_tag-from-inithdr-for-abort-chunk.patch b/queue-5.14/sctp-use-init_tag-from-inithdr-for-abort-chunk.patch new file mode 100644 index 00000000000..106991d9963 --- /dev/null +++ b/queue-5.14/sctp-use-init_tag-from-inithdr-for-abort-chunk.patch @@ -0,0 +1,42 @@ +From 3c838d50facebfb2190e1248ae6c41b146d38652 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Oct 2021 07:42:41 -0400 +Subject: sctp: use init_tag from inithdr for ABORT chunk + +From: Xin Long + +[ Upstream commit 4f7019c7eb33967eb87766e0e4602b5576873680 ] + +Currently Linux SCTP uses the verification tag of the existing SCTP +asoc when failing to process and sending the packet with the ABORT +chunk. This will result in the peer accepting the ABORT chunk and +removing the SCTP asoc. One could exploit this to terminate a SCTP +asoc. + +This patch is to fix it by always using the initiate tag of the +received INIT chunk for the ABORT chunk to be sent. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Xin Long +Acked-by: Marcelo Ricardo Leitner +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sctp/sm_statefuns.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c +index 32df65f68c12..7f8306968c39 100644 +--- a/net/sctp/sm_statefuns.c ++++ b/net/sctp/sm_statefuns.c +@@ -6348,6 +6348,7 @@ static struct sctp_packet *sctp_ootb_pkt_new( + * yet. + */ + switch (chunk->chunk_hdr->type) { ++ case SCTP_CID_INIT: + case SCTP_CID_INIT_ACK: + { + struct sctp_initack_chunk *initack; +-- +2.33.0 + diff --git a/queue-5.14/series b/queue-5.14/series index 363c9448270..17228962fdd 100644 --- a/queue-5.14/series +++ b/queue-5.14/series @@ -93,3 +93,20 @@ phy-phy_ethtool_ksettings_get-lock-the-phy-for-consistency.patch phy-phy_ethtool_ksettings_set-move-after-phy_start_aneg.patch phy-phy_start_aneg-add-an-unlocked-version.patch phy-phy_ethtool_ksettings_set-lock-the-phy-while-changing-settings.patch +rdma-irdma-process-extended-cq-entries-correctly.patch +rdma-irdma-set-vlan-in-ud-work-completion-correctly.patch +rdma-irdma-do-not-hold-qos-mutex-twice-on-qp-resume.patch +sctp-use-init_tag-from-inithdr-for-abort-chunk.patch +sctp-fix-the-processing-for-init-chunk.patch +sctp-fix-the-processing-for-init_ack-chunk.patch +sctp-fix-the-processing-for-cookie_echo-chunk.patch +sctp-add-vtag-check-in-sctp_sf_violation.patch +sctp-add-vtag-check-in-sctp_sf_do_8_5_1_e_sa.patch +sctp-add-vtag-check-in-sctp_sf_ootb.patch +bpf-use-kvmalloc-for-map-values-in-syscall.patch +watchdog-sbsa-only-use-32-bit-accessors.patch +bpf-move-bpf_map_type-for-inode_storage-and-task_sto.patch +net-hns3-add-more-string-spaces-for-dumping-packets-.patch +net-hns3-expand-buffer-len-for-some-debugfs-command.patch +virtio-ring-fix-dma-metadata-flags.patch +octeontx2-af-check-whether-ipolicers-exists.patch diff --git a/queue-5.14/virtio-ring-fix-dma-metadata-flags.patch b/queue-5.14/virtio-ring-fix-dma-metadata-flags.patch new file mode 100644 index 00000000000..cac797d197d --- /dev/null +++ b/queue-5.14/virtio-ring-fix-dma-metadata-flags.patch @@ -0,0 +1,38 @@ +From 562be98d7682b2bd29bb92329dbc154df9ffeea4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Oct 2021 15:31:00 +0200 +Subject: virtio-ring: fix DMA metadata flags + +From: Vincent Whitchurch + +[ Upstream commit 890d33561337ffeba0d8ba42517e71288cfee2b6 ] + +The flags are currently overwritten, leading to the wrong direction +being passed to the DMA unmap functions. + +Fixes: 72b5e8958738aaa4 ("virtio-ring: store DMA metadata in desc_extra for split virtqueue") +Signed-off-by: Vincent Whitchurch +Link: https://lore.kernel.org/r/20211026133100.17541-1-vincent.whitchurch@axis.com +Signed-off-by: Michael S. Tsirkin +Acked-by: Jason Wang +Signed-off-by: Sasha Levin +--- + drivers/virtio/virtio_ring.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/virtio/virtio_ring.c b/drivers/virtio/virtio_ring.c +index dd95dfd85e98..3035bb6f5458 100644 +--- a/drivers/virtio/virtio_ring.c ++++ b/drivers/virtio/virtio_ring.c +@@ -576,7 +576,7 @@ static inline int virtqueue_add_split(struct virtqueue *_vq, + /* Last one doesn't continue. */ + desc[prev].flags &= cpu_to_virtio16(_vq->vdev, ~VRING_DESC_F_NEXT); + if (!indirect && vq->use_dma_api) +- vq->split.desc_extra[prev & (vq->split.vring.num - 1)].flags = ++ vq->split.desc_extra[prev & (vq->split.vring.num - 1)].flags &= + ~VRING_DESC_F_NEXT; + + if (indirect) { +-- +2.33.0 + diff --git a/queue-5.14/watchdog-sbsa-only-use-32-bit-accessors.patch b/queue-5.14/watchdog-sbsa-only-use-32-bit-accessors.patch new file mode 100644 index 00000000000..46817ef64b3 --- /dev/null +++ b/queue-5.14/watchdog-sbsa-only-use-32-bit-accessors.patch @@ -0,0 +1,56 @@ +From 37b1ff3837245fe8a72f0d456ded4f596db03873 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Sep 2021 12:21:01 +0100 +Subject: watchdog: sbsa: only use 32-bit accessors + +From: Jamie Iles + +[ Upstream commit f31afb502c3151855df3ed40f5974c7884c10d14 ] + +SBSA says of the generic watchdog: + + All registers are 32 bits in size and should be accessed using 32-bit + reads and writes. If an access size other than 32 bits is used then + the results are IMPLEMENTATION DEFINED. + +and for qemu, the implementation will only allow 32-bit accesses +resulting in a synchronous external abort when configuring the watchdog. +Use lo_hi_* accessors rather than a readq/writeq. + +Fixes: abd3ac7902fb ("watchdog: sbsa: Support architecture version 1") +Signed-off-by: Jamie Iles +Reviewed-by: Guenter Roeck +Reviewed-by: Shaokun Zhang +Link: https://lore.kernel.org/r/20210903112101.493552-1-quic_jiles@quicinc.com +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/sbsa_gwdt.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/watchdog/sbsa_gwdt.c b/drivers/watchdog/sbsa_gwdt.c +index ee9ff38929eb..6f4319bdbc50 100644 +--- a/drivers/watchdog/sbsa_gwdt.c ++++ b/drivers/watchdog/sbsa_gwdt.c +@@ -130,7 +130,7 @@ static u64 sbsa_gwdt_reg_read(struct sbsa_gwdt *gwdt) + if (gwdt->version == 0) + return readl(gwdt->control_base + SBSA_GWDT_WOR); + else +- return readq(gwdt->control_base + SBSA_GWDT_WOR); ++ return lo_hi_readq(gwdt->control_base + SBSA_GWDT_WOR); + } + + static void sbsa_gwdt_reg_write(u64 val, struct sbsa_gwdt *gwdt) +@@ -138,7 +138,7 @@ static void sbsa_gwdt_reg_write(u64 val, struct sbsa_gwdt *gwdt) + if (gwdt->version == 0) + writel((u32)val, gwdt->control_base + SBSA_GWDT_WOR); + else +- writeq(val, gwdt->control_base + SBSA_GWDT_WOR); ++ lo_hi_writeq(val, gwdt->control_base + SBSA_GWDT_WOR); + } + + /* +-- +2.33.0 +