From: Greg Kroah-Hartman Date: Sat, 30 Oct 2021 13:18:56 +0000 (+0200) Subject: 5.14-stable patches X-Git-Tag: v4.4.291~16 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2a9fadf03d9f6081e424ec491c735fc48fabe2a3;p=thirdparty%2Fkernel%2Fstable-queue.git 5.14-stable patches added patches: arm64-dts-allwinner-h5-nanopi-neo-2-fix-ethernet-node.patch bpf-fix-error-usage-of-map_fd-and-fdget-in-generic_map_update_batch.patch bpf-fix-potential-race-in-tail-call-compatibility-check.patch cfg80211-correct-bridge-4addr-mode-check.patch cgroup-fix-memory-leak-caused-by-missing-cgroup_bpf_offline.patch gpio-xgs-iproc-fix-parsing-of-ngpios-property.patch ib-hfi1-fix-abba-locking-issue-with-sc_disable.patch ib-qib-protect-from-buffer-overflow-in-struct-qib_user_sdma_pkt-fields.patch ice-check-whether-ptp-is-initialized-in-ice_ptp_release.patch ice-respond-to-a-netdev_unregister-event-for-lag.patch mlxsw-pci-recycle-received-packet-upon-allocation-failure.patch net-batman-adv-fix-error-handling.patch net-ethernet-microchip-lan743x-fix-dma-allocation-failure-by-using-dma_set_mask_and_coherent.patch net-ethernet-microchip-lan743x-fix-driver-crash-when-lan743x_pm_resume-fails.patch net-ethernet-microchip-lan743x-fix-skb-allocation-failure.patch net-hns3-fix-data-endian-problem-of-some-functions-of-debugfs.patch net-hns3-fix-pause-config-problem-after-autoneg-disabled.patch net-nxp-lpc_eth.c-avoid-hang-when-bringing-interface-down.patch net-prevent-infinite-while-loop-in-skb_tx_hash.patch net-sysfs-initialize-uid-and-gid-before-calling-net_ns_get_ownership.patch net-tls-fix-flipped-sign-in-async_wait.err-assignment.patch nios2-make-nios2_dtb_source_bool-depend-on-compile_test.patch nvme-tcp-fix-data-digest-pointer-calculation.patch nvme-tcp-fix-possible-req-offset-corruption.patch nvmet-tcp-fix-data-digest-pointer-calculation.patch octeontx2-af-display-all-enabled-pf-vf-rsrc_alloc-entries.patch octeontx2-af-fix-possible-null-pointer-dereference.patch phy-phy_ethtool_ksettings_get-lock-the-phy-for-consistency.patch phy-phy_ethtool_ksettings_set-lock-the-phy-while-changing-settings.patch phy-phy_ethtool_ksettings_set-move-after-phy_start_aneg.patch phy-phy_start_aneg-add-an-unlocked-version.patch rdma-mlx5-initialize-the-odp-xarray-when-creating-an-odp-mr.patch rdma-mlx5-set-user-priority-for-dct.patch rdma-sa_query-use-strscpy_pad-instead-of-memcpy-to-copy-a-string.patch regmap-fix-possible-double-free-in-regcache_rbtree_exit.patch reset-brcmstb-rescal-fix-incorrect-polarity-of-status-bit.patch revert-watchdog-itco_wdt-account-for-rebooting-on-second-timeout.patch riscv-bpf-fix-potential-null-dereference.patch tcp_bpf-fix-one-concurrency-problem-in-the-tcp_bpf_send_verdict-function.patch --- diff --git a/queue-5.14/arm64-dts-allwinner-h5-nanopi-neo-2-fix-ethernet-node.patch b/queue-5.14/arm64-dts-allwinner-h5-nanopi-neo-2-fix-ethernet-node.patch new file mode 100644 index 00000000000..4e3638d0131 --- /dev/null +++ b/queue-5.14/arm64-dts-allwinner-h5-nanopi-neo-2-fix-ethernet-node.patch @@ -0,0 +1,37 @@ +From 0764e365dacd0b8f75c1736f9236be280649bd18 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Cl=C3=A9ment=20B=C5=93sch?= +Date: Sun, 5 Sep 2021 02:20:27 +0200 +Subject: arm64: dts: allwinner: h5: NanoPI Neo 2: Fix ethernet node +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Clément Bœsch + +commit 0764e365dacd0b8f75c1736f9236be280649bd18 upstream. + +RX and TX delay are provided by ethernet PHY. Reflect that in ethernet +node. + +Fixes: 44a94c7ef989 ("arm64: dts: allwinner: H5: Restore EMAC changes") +Signed-off-by: Clément Bœsch +Reviewed-by: Jernej Skrabec +Reviewed-by: Andrew Lunn +Signed-off-by: Maxime Ripard +Link: https://lore.kernel.org/r/20210905002027.171984-1-u@pkh.me +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/allwinner/sun50i-h5-nanopi-neo2.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/boot/dts/allwinner/sun50i-h5-nanopi-neo2.dts ++++ b/arch/arm64/boot/dts/allwinner/sun50i-h5-nanopi-neo2.dts +@@ -75,7 +75,7 @@ + pinctrl-0 = <&emac_rgmii_pins>; + phy-supply = <®_gmac_3v3>; + phy-handle = <&ext_rgmii_phy>; +- phy-mode = "rgmii"; ++ phy-mode = "rgmii-id"; + status = "okay"; + }; + diff --git a/queue-5.14/bpf-fix-error-usage-of-map_fd-and-fdget-in-generic_map_update_batch.patch b/queue-5.14/bpf-fix-error-usage-of-map_fd-and-fdget-in-generic_map_update_batch.patch new file mode 100644 index 00000000000..03a521ed755 --- /dev/null +++ b/queue-5.14/bpf-fix-error-usage-of-map_fd-and-fdget-in-generic_map_update_batch.patch @@ -0,0 +1,53 @@ +From fda7a38714f40b635f5502ec4855602c6b33dad2 Mon Sep 17 00:00:00 2001 +From: Xu Kuohai +Date: Tue, 19 Oct 2021 03:29:34 +0000 +Subject: bpf: Fix error usage of map_fd and fdget() in generic_map_update_batch() + +From: Xu Kuohai + +commit fda7a38714f40b635f5502ec4855602c6b33dad2 upstream. + +1. The ufd in generic_map_update_batch() should be read from batch.map_fd; +2. A call to fdget() should be followed by a symmetric call to fdput(). + +Fixes: aa2e93b8e58e ("bpf: Add generic support for update and delete batch ops") +Signed-off-by: Xu Kuohai +Signed-off-by: Alexei Starovoitov +Link: https://lore.kernel.org/bpf/20211019032934.1210517-1-xukuohai@huawei.com +Signed-off-by: Greg Kroah-Hartman +--- + kernel/bpf/syscall.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/kernel/bpf/syscall.c ++++ b/kernel/bpf/syscall.c +@@ -1333,12 +1333,11 @@ int generic_map_update_batch(struct bpf_ + void __user *values = u64_to_user_ptr(attr->batch.values); + void __user *keys = u64_to_user_ptr(attr->batch.keys); + u32 value_size, cp, max_count; +- int ufd = attr->map_fd; ++ int ufd = attr->batch.map_fd; + void *key, *value; + struct fd f; + int err = 0; + +- f = fdget(ufd); + if (attr->batch.elem_flags & ~BPF_F_LOCK) + return -EINVAL; + +@@ -1363,6 +1362,7 @@ int generic_map_update_batch(struct bpf_ + return -ENOMEM; + } + ++ f = fdget(ufd); /* bpf_map_do_batch() guarantees ufd is valid */ + for (cp = 0; cp < max_count; cp++) { + err = -EFAULT; + if (copy_from_user(key, keys + cp * map->key_size, +@@ -1382,6 +1382,7 @@ int generic_map_update_batch(struct bpf_ + + kfree(value); + kfree(key); ++ fdput(f); + return err; + } + diff --git a/queue-5.14/bpf-fix-potential-race-in-tail-call-compatibility-check.patch b/queue-5.14/bpf-fix-potential-race-in-tail-call-compatibility-check.patch new file mode 100644 index 00000000000..aadc904604a --- /dev/null +++ b/queue-5.14/bpf-fix-potential-race-in-tail-call-compatibility-check.patch @@ -0,0 +1,133 @@ +From 54713c85f536048e685258f880bf298a74c3620d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Toke=20H=C3=B8iland-J=C3=B8rgensen?= +Date: Tue, 26 Oct 2021 13:00:19 +0200 +Subject: bpf: Fix potential race in tail call compatibility check +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Toke Høiland-Jørgensen + +commit 54713c85f536048e685258f880bf298a74c3620d upstream. + +Lorenzo noticed that the code testing for program type compatibility of +tail call maps is potentially racy in that two threads could encounter a +map with an unset type simultaneously and both return true even though they +are inserting incompatible programs. + +The race window is quite small, but artificially enlarging it by adding a +usleep_range() inside the check in bpf_prog_array_compatible() makes it +trivial to trigger from userspace with a program that does, essentially: + + map_fd = bpf_create_map(BPF_MAP_TYPE_PROG_ARRAY, 4, 4, 2, 0); + pid = fork(); + if (pid) { + key = 0; + value = xdp_fd; + } else { + key = 1; + value = tc_fd; + } + err = bpf_map_update_elem(map_fd, &key, &value, 0); + +While the race window is small, it has potentially serious ramifications in +that triggering it would allow a BPF program to tail call to a program of a +different type. So let's get rid of it by protecting the update with a +spinlock. The commit in the Fixes tag is the last commit that touches the +code in question. + +v2: +- Use a spinlock instead of an atomic variable and cmpxchg() (Alexei) +v3: +- Put lock and the members it protects into an embedded 'owner' struct (Daniel) + +Fixes: 3324b584b6f6 ("ebpf: misc core cleanup") +Reported-by: Lorenzo Bianconi +Signed-off-by: Toke Høiland-Jørgensen +Signed-off-by: Alexei Starovoitov +Link: https://lore.kernel.org/bpf/20211026110019.363464-1-toke@redhat.com +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/bpf.h | 7 +++++-- + kernel/bpf/arraymap.c | 1 + + kernel/bpf/core.c | 20 +++++++++++++------- + kernel/bpf/syscall.c | 6 ++++-- + 4 files changed, 23 insertions(+), 11 deletions(-) + +--- a/include/linux/bpf.h ++++ b/include/linux/bpf.h +@@ -900,8 +900,11 @@ struct bpf_array_aux { + * stored in the map to make sure that all callers and callees have + * the same prog type and JITed flag. + */ +- enum bpf_prog_type type; +- bool jited; ++ struct { ++ spinlock_t lock; ++ enum bpf_prog_type type; ++ bool jited; ++ } owner; + /* Programs with direct jumps into programs part of this array. */ + struct list_head poke_progs; + struct bpf_map *map; +--- a/kernel/bpf/arraymap.c ++++ b/kernel/bpf/arraymap.c +@@ -1051,6 +1051,7 @@ static struct bpf_map *prog_array_map_al + INIT_WORK(&aux->work, prog_array_map_clear_deferred); + INIT_LIST_HEAD(&aux->poke_progs); + mutex_init(&aux->poke_mutex); ++ spin_lock_init(&aux->owner.lock); + + map = array_map_alloc(attr); + if (IS_ERR(map)) { +--- a/kernel/bpf/core.c ++++ b/kernel/bpf/core.c +@@ -1821,20 +1821,26 @@ static unsigned int __bpf_prog_ret0_warn + bool bpf_prog_array_compatible(struct bpf_array *array, + const struct bpf_prog *fp) + { ++ bool ret; ++ + if (fp->kprobe_override) + return false; + +- if (!array->aux->type) { ++ spin_lock(&array->aux->owner.lock); ++ ++ if (!array->aux->owner.type) { + /* There's no owner yet where we could check for + * compatibility. + */ +- array->aux->type = fp->type; +- array->aux->jited = fp->jited; +- return true; ++ array->aux->owner.type = fp->type; ++ array->aux->owner.jited = fp->jited; ++ ret = true; ++ } else { ++ ret = array->aux->owner.type == fp->type && ++ array->aux->owner.jited == fp->jited; + } +- +- return array->aux->type == fp->type && +- array->aux->jited == fp->jited; ++ spin_unlock(&array->aux->owner.lock); ++ return ret; + } + + static int bpf_check_tail_call(const struct bpf_prog *fp) +--- a/kernel/bpf/syscall.c ++++ b/kernel/bpf/syscall.c +@@ -543,8 +543,10 @@ static void bpf_map_show_fdinfo(struct s + + if (map->map_type == BPF_MAP_TYPE_PROG_ARRAY) { + array = container_of(map, struct bpf_array, map); +- type = array->aux->type; +- jited = array->aux->jited; ++ spin_lock(&array->aux->owner.lock); ++ type = array->aux->owner.type; ++ jited = array->aux->owner.jited; ++ spin_unlock(&array->aux->owner.lock); + } + + seq_printf(m, diff --git a/queue-5.14/cfg80211-correct-bridge-4addr-mode-check.patch b/queue-5.14/cfg80211-correct-bridge-4addr-mode-check.patch new file mode 100644 index 00000000000..28cb3868f86 --- /dev/null +++ b/queue-5.14/cfg80211-correct-bridge-4addr-mode-check.patch @@ -0,0 +1,52 @@ +From 689a0a9f505f7bffdefe6f17fddb41c8ab6344f6 Mon Sep 17 00:00:00 2001 +From: Janusz Dziedzic +Date: Sun, 24 Oct 2021 22:15:46 +0200 +Subject: cfg80211: correct bridge/4addr mode check + +From: Janusz Dziedzic + +commit 689a0a9f505f7bffdefe6f17fddb41c8ab6344f6 upstream. + +Without the patch we fail: + +$ sudo brctl addbr br0 +$ sudo brctl addif br0 wlp1s0 +$ sudo iw wlp1s0 set 4addr on +command failed: Device or resource busy (-16) + +Last command failed but iface was already in 4addr mode. + +Fixes: ad4bb6f8883a ("cfg80211: disallow bridging managed/adhoc interfaces") +Signed-off-by: Janusz Dziedzic +Link: https://lore.kernel.org/r/20211024201546.614379-1-janusz.dziedzic@gmail.com +[add fixes tag, fix indentation, edit commit log] +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + net/wireless/util.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/net/wireless/util.c ++++ b/net/wireless/util.c +@@ -1028,14 +1028,14 @@ int cfg80211_change_iface(struct cfg8021 + !(rdev->wiphy.interface_modes & (1 << ntype))) + return -EOPNOTSUPP; + +- /* if it's part of a bridge, reject changing type to station/ibss */ +- if (netif_is_bridge_port(dev) && +- (ntype == NL80211_IFTYPE_ADHOC || +- ntype == NL80211_IFTYPE_STATION || +- ntype == NL80211_IFTYPE_P2P_CLIENT)) +- return -EBUSY; +- + if (ntype != otype) { ++ /* if it's part of a bridge, reject changing type to station/ibss */ ++ if (netif_is_bridge_port(dev) && ++ (ntype == NL80211_IFTYPE_ADHOC || ++ ntype == NL80211_IFTYPE_STATION || ++ ntype == NL80211_IFTYPE_P2P_CLIENT)) ++ return -EBUSY; ++ + dev->ieee80211_ptr->use_4addr = false; + dev->ieee80211_ptr->mesh_id_up_len = 0; + wdev_lock(dev->ieee80211_ptr); diff --git a/queue-5.14/cgroup-fix-memory-leak-caused-by-missing-cgroup_bpf_offline.patch b/queue-5.14/cgroup-fix-memory-leak-caused-by-missing-cgroup_bpf_offline.patch new file mode 100644 index 00000000000..27d58e2af05 --- /dev/null +++ b/queue-5.14/cgroup-fix-memory-leak-caused-by-missing-cgroup_bpf_offline.patch @@ -0,0 +1,75 @@ +From 04f8ef5643bcd8bcde25dfdebef998aea480b2ba Mon Sep 17 00:00:00 2001 +From: Quanyang Wang +Date: Mon, 18 Oct 2021 15:56:23 +0800 +Subject: cgroup: Fix memory leak caused by missing cgroup_bpf_offline + +From: Quanyang Wang + +commit 04f8ef5643bcd8bcde25dfdebef998aea480b2ba upstream. + +When enabling CONFIG_CGROUP_BPF, kmemleak can be observed by running +the command as below: + + $mount -t cgroup -o none,name=foo cgroup cgroup/ + $umount cgroup/ + +unreferenced object 0xc3585c40 (size 64): + comm "mount", pid 425, jiffies 4294959825 (age 31.990s) + hex dump (first 32 bytes): + 01 00 00 80 84 8c 28 c0 00 00 00 00 00 00 00 00 ......(......... + 00 00 00 00 00 00 00 00 6c 43 a0 c3 00 00 00 00 ........lC...... + backtrace: + [] cgroup_bpf_inherit+0x44/0x24c + [<1f03679c>] cgroup_setup_root+0x174/0x37c + [] cgroup1_get_tree+0x2c0/0x4a0 + [] vfs_get_tree+0x24/0x108 + [] path_mount+0x384/0x988 + [] do_mount+0x64/0x9c + [<208c9cfe>] sys_mount+0xfc/0x1f4 + [<06dd06e0>] ret_fast_syscall+0x0/0x48 + [] 0xbeb4daa8 + +This is because that since the commit 2b0d3d3e4fcf ("percpu_ref: reduce +memory footprint of percpu_ref in fast path") root_cgrp->bpf.refcnt.data +is allocated by the function percpu_ref_init in cgroup_bpf_inherit which +is called by cgroup_setup_root when mounting, but not freed along with +root_cgrp when umounting. Adding cgroup_bpf_offline which calls +percpu_ref_kill to cgroup_kill_sb can free root_cgrp->bpf.refcnt.data in +umount path. + +This patch also fixes the commit 4bfc0bb2c60e ("bpf: decouple the lifetime +of cgroup_bpf from cgroup itself"). A cgroup_bpf_offline is needed to do a +cleanup that frees the resources which are allocated by cgroup_bpf_inherit +in cgroup_setup_root. + +And inside cgroup_bpf_offline, cgroup_get() is at the beginning and +cgroup_put is at the end of cgroup_bpf_release which is called by +cgroup_bpf_offline. So cgroup_bpf_offline can keep the balance of +cgroup's refcount. + +Fixes: 2b0d3d3e4fcf ("percpu_ref: reduce memory footprint of percpu_ref in fast path") +Fixes: 4bfc0bb2c60e ("bpf: decouple the lifetime of cgroup_bpf from cgroup itself") +Signed-off-by: Quanyang Wang +Signed-off-by: Alexei Starovoitov +Acked-by: Roman Gushchin +Acked-by: John Fastabend +Link: https://lore.kernel.org/bpf/20211018075623.26884-1-quanyang.wang@windriver.com +Signed-off-by: Greg Kroah-Hartman +--- + kernel/cgroup/cgroup.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/kernel/cgroup/cgroup.c ++++ b/kernel/cgroup/cgroup.c +@@ -2174,8 +2174,10 @@ static void cgroup_kill_sb(struct super_ + * And don't kill the default root. + */ + if (list_empty(&root->cgrp.self.children) && root != &cgrp_dfl_root && +- !percpu_ref_is_dying(&root->cgrp.self.refcnt)) ++ !percpu_ref_is_dying(&root->cgrp.self.refcnt)) { ++ cgroup_bpf_offline(&root->cgrp); + percpu_ref_kill(&root->cgrp.self.refcnt); ++ } + cgroup_put(&root->cgrp); + kernfs_kill_sb(sb); + } diff --git a/queue-5.14/gpio-xgs-iproc-fix-parsing-of-ngpios-property.patch b/queue-5.14/gpio-xgs-iproc-fix-parsing-of-ngpios-property.patch new file mode 100644 index 00000000000..57fc4a96c11 --- /dev/null +++ b/queue-5.14/gpio-xgs-iproc-fix-parsing-of-ngpios-property.patch @@ -0,0 +1,34 @@ +From 85fe6415c146d5d42ce300c12f1ecf4d4af47d40 Mon Sep 17 00:00:00 2001 +From: Jonas Gorski +Date: Thu, 14 Oct 2021 14:33:42 +0200 +Subject: gpio: xgs-iproc: fix parsing of ngpios property + +From: Jonas Gorski + +commit 85fe6415c146d5d42ce300c12f1ecf4d4af47d40 upstream. + +of_property_read_u32 returns 0 on success, not true, so we need to +invert the check to actually take over the provided ngpio value. + +Fixes: 6a41b6c5fc20 ("gpio: Add xgs-iproc driver") +Signed-off-by: Jonas Gorski +Reviewed-by: Chris Packham +Reviewed-by: Florian Fainelli +Reviewed-by: Linus Walleij +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpio-xgs-iproc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpio/gpio-xgs-iproc.c ++++ b/drivers/gpio/gpio-xgs-iproc.c +@@ -224,7 +224,7 @@ static int iproc_gpio_probe(struct platf + } + + chip->gc.label = dev_name(dev); +- if (of_property_read_u32(dn, "ngpios", &num_gpios)) ++ if (!of_property_read_u32(dn, "ngpios", &num_gpios)) + chip->gc.ngpio = num_gpios; + + irq = platform_get_irq(pdev, 0); diff --git a/queue-5.14/ib-hfi1-fix-abba-locking-issue-with-sc_disable.patch b/queue-5.14/ib-hfi1-fix-abba-locking-issue-with-sc_disable.patch new file mode 100644 index 00000000000..4df33fc0737 --- /dev/null +++ b/queue-5.14/ib-hfi1-fix-abba-locking-issue-with-sc_disable.patch @@ -0,0 +1,65 @@ +From 13bac861952a78664907a0f927d3e874e9a59034 Mon Sep 17 00:00:00 2001 +From: Mike Marciniszyn +Date: Wed, 13 Oct 2021 10:18:52 -0400 +Subject: IB/hfi1: Fix abba locking issue with sc_disable() + +From: Mike Marciniszyn + +commit 13bac861952a78664907a0f927d3e874e9a59034 upstream. + +sc_disable() after having disabled the send context wakes up any waiters +by calling hfi1_qp_wakeup() while holding the waitlock for the sc. + +This is contrary to the model for all other calls to hfi1_qp_wakeup() +where the waitlock is dropped and a local is used to drive calls to +hfi1_qp_wakeup(). + +Fix by moving the sc->piowait into a local list and driving the wakeup +calls from the list. + +Fixes: 099a884ba4c0 ("IB/hfi1: Handle wakeup of orphaned QPs for pio") +Link: https://lore.kernel.org/r/20211013141852.128104.2682.stgit@awfm-01.cornelisnetworks.com +Signed-off-by: Mike Marciniszyn +Reported-by: TOTE Robot +Signed-off-by: Dennis Dalessandro +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/hfi1/pio.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/infiniband/hw/hfi1/pio.c ++++ b/drivers/infiniband/hw/hfi1/pio.c +@@ -920,6 +920,7 @@ void sc_disable(struct send_context *sc) + { + u64 reg; + struct pio_buf *pbuf; ++ LIST_HEAD(wake_list); + + if (!sc) + return; +@@ -954,19 +955,21 @@ void sc_disable(struct send_context *sc) + spin_unlock(&sc->release_lock); + + write_seqlock(&sc->waitlock); +- while (!list_empty(&sc->piowait)) { ++ if (!list_empty(&sc->piowait)) ++ list_move(&sc->piowait, &wake_list); ++ write_sequnlock(&sc->waitlock); ++ while (!list_empty(&wake_list)) { + struct iowait *wait; + struct rvt_qp *qp; + struct hfi1_qp_priv *priv; + +- wait = list_first_entry(&sc->piowait, struct iowait, list); ++ wait = list_first_entry(&wake_list, struct iowait, list); + qp = iowait_to_qp(wait); + priv = qp->priv; + list_del_init(&priv->s_iowait.list); + priv->s_iowait.lock = NULL; + hfi1_qp_wakeup(qp, RVT_S_WAIT_PIO | HFI1_S_WAIT_PIO_DRAIN); + } +- write_sequnlock(&sc->waitlock); + + spin_unlock_irq(&sc->alloc_lock); + } diff --git a/queue-5.14/ib-qib-protect-from-buffer-overflow-in-struct-qib_user_sdma_pkt-fields.patch b/queue-5.14/ib-qib-protect-from-buffer-overflow-in-struct-qib_user_sdma_pkt-fields.patch new file mode 100644 index 00000000000..a3138680509 --- /dev/null +++ b/queue-5.14/ib-qib-protect-from-buffer-overflow-in-struct-qib_user_sdma_pkt-fields.patch @@ -0,0 +1,115 @@ +From d39bf40e55e666b5905fdbd46a0dced030ce87be Mon Sep 17 00:00:00 2001 +From: Mike Marciniszyn +Date: Tue, 12 Oct 2021 13:55:19 -0400 +Subject: IB/qib: Protect from buffer overflow in struct qib_user_sdma_pkt fields + +From: Mike Marciniszyn + +commit d39bf40e55e666b5905fdbd46a0dced030ce87be upstream. + +Overflowing either addrlimit or bytes_togo can allow userspace to trigger +a buffer overflow of kernel memory. Check for overflows in all the places +doing math on user controlled buffers. + +Fixes: f931551bafe1 ("IB/qib: Add new qib driver for QLogic PCIe InfiniBand adapters") +Link: https://lore.kernel.org/r/20211012175519.7298.77738.stgit@awfm-01.cornelisnetworks.com +Reported-by: Ilja Van Sprundel +Reviewed-by: Dennis Dalessandro +Signed-off-by: Mike Marciniszyn +Signed-off-by: Dennis Dalessandro +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/qib/qib_user_sdma.c | 33 ++++++++++++++++++++---------- + 1 file changed, 23 insertions(+), 10 deletions(-) + +--- a/drivers/infiniband/hw/qib/qib_user_sdma.c ++++ b/drivers/infiniband/hw/qib/qib_user_sdma.c +@@ -602,7 +602,7 @@ done: + /* + * How many pages in this iovec element? + */ +-static int qib_user_sdma_num_pages(const struct iovec *iov) ++static size_t qib_user_sdma_num_pages(const struct iovec *iov) + { + const unsigned long addr = (unsigned long) iov->iov_base; + const unsigned long len = iov->iov_len; +@@ -658,7 +658,7 @@ static void qib_user_sdma_free_pkt_frag( + static int qib_user_sdma_pin_pages(const struct qib_devdata *dd, + struct qib_user_sdma_queue *pq, + struct qib_user_sdma_pkt *pkt, +- unsigned long addr, int tlen, int npages) ++ unsigned long addr, int tlen, size_t npages) + { + struct page *pages[8]; + int i, j; +@@ -722,7 +722,7 @@ static int qib_user_sdma_pin_pkt(const s + unsigned long idx; + + for (idx = 0; idx < niov; idx++) { +- const int npages = qib_user_sdma_num_pages(iov + idx); ++ const size_t npages = qib_user_sdma_num_pages(iov + idx); + const unsigned long addr = (unsigned long) iov[idx].iov_base; + + ret = qib_user_sdma_pin_pages(dd, pq, pkt, addr, +@@ -824,8 +824,8 @@ static int qib_user_sdma_queue_pkts(cons + unsigned pktnw; + unsigned pktnwc; + int nfrags = 0; +- int npages = 0; +- int bytes_togo = 0; ++ size_t npages = 0; ++ size_t bytes_togo = 0; + int tiddma = 0; + int cfur; + +@@ -885,7 +885,11 @@ static int qib_user_sdma_queue_pkts(cons + + npages += qib_user_sdma_num_pages(&iov[idx]); + +- bytes_togo += slen; ++ if (check_add_overflow(bytes_togo, slen, &bytes_togo) || ++ bytes_togo > type_max(typeof(pkt->bytes_togo))) { ++ ret = -EINVAL; ++ goto free_pbc; ++ } + pktnwc += slen >> 2; + idx++; + nfrags++; +@@ -904,8 +908,7 @@ static int qib_user_sdma_queue_pkts(cons + } + + if (frag_size) { +- int tidsmsize, n; +- size_t pktsize; ++ size_t tidsmsize, n, pktsize, sz, addrlimit; + + n = npages*((2*PAGE_SIZE/frag_size)+1); + pktsize = struct_size(pkt, addr, n); +@@ -923,14 +926,24 @@ static int qib_user_sdma_queue_pkts(cons + else + tidsmsize = 0; + +- pkt = kmalloc(pktsize+tidsmsize, GFP_KERNEL); ++ if (check_add_overflow(pktsize, tidsmsize, &sz)) { ++ ret = -EINVAL; ++ goto free_pbc; ++ } ++ pkt = kmalloc(sz, GFP_KERNEL); + if (!pkt) { + ret = -ENOMEM; + goto free_pbc; + } + pkt->largepkt = 1; + pkt->frag_size = frag_size; +- pkt->addrlimit = n + ARRAY_SIZE(pkt->addr); ++ if (check_add_overflow(n, ARRAY_SIZE(pkt->addr), ++ &addrlimit) || ++ addrlimit > type_max(typeof(pkt->addrlimit))) { ++ ret = -EINVAL; ++ goto free_pbc; ++ } ++ pkt->addrlimit = addrlimit; + + if (tiddma) { + char *tidsm = (char *)pkt + pktsize; diff --git a/queue-5.14/ice-check-whether-ptp-is-initialized-in-ice_ptp_release.patch b/queue-5.14/ice-check-whether-ptp-is-initialized-in-ice_ptp_release.patch new file mode 100644 index 00000000000..4f8af7929cd --- /dev/null +++ b/queue-5.14/ice-check-whether-ptp-is-initialized-in-ice_ptp_release.patch @@ -0,0 +1,67 @@ +From fd1b5beb177a8372cea2a0d014835491e4886f77 Mon Sep 17 00:00:00 2001 +From: Yongxin Liu +Date: Mon, 11 Oct 2021 15:02:16 +0800 +Subject: ice: check whether PTP is initialized in ice_ptp_release() + +From: Yongxin Liu + +commit fd1b5beb177a8372cea2a0d014835491e4886f77 upstream. + +PTP is currently only supported on E810 devices, it is checked +in ice_ptp_init(). However, there is no check in ice_ptp_release(). +For other E800 series devices, ice_ptp_release() will be wrongly executed. + +Fix the following calltrace. + + INFO: trying to register non-static key. + The code is fine but needs lockdep annotation, or maybe + you didn't initialize this object before use? + turning off the locking correctness validator. + Workqueue: ice ice_service_task [ice] + Call Trace: + dump_stack_lvl+0x5b/0x82 + dump_stack+0x10/0x12 + register_lock_class+0x495/0x4a0 + ? find_held_lock+0x3c/0xb0 + __lock_acquire+0x71/0x1830 + lock_acquire+0x1e6/0x330 + ? ice_ptp_release+0x3c/0x1e0 [ice] + ? _raw_spin_lock+0x19/0x70 + ? ice_ptp_release+0x3c/0x1e0 [ice] + _raw_spin_lock+0x38/0x70 + ? ice_ptp_release+0x3c/0x1e0 [ice] + ice_ptp_release+0x3c/0x1e0 [ice] + ice_prepare_for_reset+0xcb/0xe0 [ice] + ice_do_reset+0x38/0x110 [ice] + ice_service_task+0x138/0xf10 [ice] + ? __this_cpu_preempt_check+0x13/0x20 + process_one_work+0x26a/0x650 + worker_thread+0x3f/0x3b0 + ? __kthread_parkme+0x51/0xb0 + ? process_one_work+0x650/0x650 + kthread+0x161/0x190 + ? set_kthread_struct+0x40/0x40 + ret_from_fork+0x1f/0x30 + +Fixes: 4dd0d5c33c3e ("ice: add lock around Tx timestamp tracker flush") +Signed-off-by: Yongxin Liu +Reviewed-by: Jacob Keller +Tested-by: Gurucharan G +Signed-off-by: Tony Nguyen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/ice/ice_ptp.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/net/ethernet/intel/ice/ice_ptp.c ++++ b/drivers/net/ethernet/intel/ice/ice_ptp.c +@@ -1582,6 +1582,9 @@ err_kworker: + */ + void ice_ptp_release(struct ice_pf *pf) + { ++ if (!test_bit(ICE_FLAG_PTP, pf->flags)) ++ return; ++ + /* Disable timestamping for both Tx and Rx */ + ice_ptp_cfg_timestamp(pf, false); + diff --git a/queue-5.14/ice-respond-to-a-netdev_unregister-event-for-lag.patch b/queue-5.14/ice-respond-to-a-netdev_unregister-event-for-lag.patch new file mode 100644 index 00000000000..62d359e6996 --- /dev/null +++ b/queue-5.14/ice-respond-to-a-netdev_unregister-event-for-lag.patch @@ -0,0 +1,72 @@ +From 6a8b357278f5f8b9817147277ab8f12879dce8a8 Mon Sep 17 00:00:00 2001 +From: Dave Ertman +Date: Thu, 7 Oct 2021 08:40:31 -0700 +Subject: ice: Respond to a NETDEV_UNREGISTER event for LAG + +From: Dave Ertman + +commit 6a8b357278f5f8b9817147277ab8f12879dce8a8 upstream. + +When the PF is a member of a link aggregate, and the driver +is removed, the process will hang unless we respond to the +NETDEV_UNREGISTER event that is sent to the event_handler +for LAG. + +Add a case statement for the ice_lag_event_handler to unlink +the PF from the link aggregate. + +Also remove code that was incorrectly applying a dev_hold to +peer_netdevs that were associated with the ice driver. + +Fixes: df006dd4b1dc ("ice: Add initial support framework for LAG") +Signed-off-by: Dave Ertman +Tested-by: Tony Brelinski +Signed-off-by: Tony Nguyen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/ice/ice_lag.c | 18 ++++-------------- + 1 file changed, 4 insertions(+), 14 deletions(-) + +--- a/drivers/net/ethernet/intel/ice/ice_lag.c ++++ b/drivers/net/ethernet/intel/ice/ice_lag.c +@@ -100,9 +100,9 @@ static void ice_display_lag_info(struct + */ + static void ice_lag_info_event(struct ice_lag *lag, void *ptr) + { +- struct net_device *event_netdev, *netdev_tmp; + struct netdev_notifier_bonding_info *info; + struct netdev_bonding_info *bonding_info; ++ struct net_device *event_netdev; + const char *lag_netdev_name; + + event_netdev = netdev_notifier_info_to_dev(ptr); +@@ -123,19 +123,6 @@ static void ice_lag_info_event(struct ic + goto lag_out; + } + +- rcu_read_lock(); +- for_each_netdev_in_bond_rcu(lag->upper_netdev, netdev_tmp) { +- if (!netif_is_ice(netdev_tmp)) +- continue; +- +- if (netdev_tmp && netdev_tmp != lag->netdev && +- lag->peer_netdev != netdev_tmp) { +- dev_hold(netdev_tmp); +- lag->peer_netdev = netdev_tmp; +- } +- } +- rcu_read_unlock(); +- + if (bonding_info->slave.state) + ice_lag_set_backup(lag); + else +@@ -319,6 +306,9 @@ ice_lag_event_handler(struct notifier_bl + case NETDEV_BONDING_INFO: + ice_lag_info_event(lag, ptr); + break; ++ case NETDEV_UNREGISTER: ++ ice_lag_unlink(lag, ptr); ++ break; + default: + break; + } diff --git a/queue-5.14/mlxsw-pci-recycle-received-packet-upon-allocation-failure.patch b/queue-5.14/mlxsw-pci-recycle-received-packet-upon-allocation-failure.patch new file mode 100644 index 00000000000..0ff0c916eb4 --- /dev/null +++ b/queue-5.14/mlxsw-pci-recycle-received-packet-upon-allocation-failure.patch @@ -0,0 +1,134 @@ +From 759635760a804b0d8ad0cc677b650f1544cae22f Mon Sep 17 00:00:00 2001 +From: Ido Schimmel +Date: Sun, 24 Oct 2021 09:40:14 +0300 +Subject: mlxsw: pci: Recycle received packet upon allocation failure + +From: Ido Schimmel + +commit 759635760a804b0d8ad0cc677b650f1544cae22f upstream. + +When the driver fails to allocate a new Rx buffer, it passes an empty Rx +descriptor (contains zero address and size) to the device and marks it +as invalid by setting the skb pointer in the descriptor's metadata to +NULL. + +After processing enough Rx descriptors, the driver will try to process +the invalid descriptor, but will return immediately seeing that the skb +pointer is NULL. Since the driver no longer passes new Rx descriptors to +the device, the Rx queue will eventually become full and the device will +start to drop packets. + +Fix this by recycling the received packet if allocation of the new +packet failed. This means that allocation is no longer performed at the +end of the Rx routine, but at the start, before tearing down the DMA +mapping of the received packet. + +Remove the comment about the descriptor being zeroed as it is no longer +correct. This is OK because we either use the descriptor as-is (when +recycling) or overwrite its address and size fields with that of the +newly allocated Rx buffer. + +The issue was discovered when a process ("perf") consumed too much +memory and put the system under memory pressure. It can be reproduced by +injecting slab allocation failures [1]. After the fix, the Rx queue no +longer comes to a halt. + +[1] + # echo 10 > /sys/kernel/debug/failslab/times + # echo 1000 > /sys/kernel/debug/failslab/interval + # echo 100 > /sys/kernel/debug/failslab/probability + + FAULT_INJECTION: forcing a failure. + name failslab, interval 1000, probability 100, space 0, times 8 + [...] + Call Trace: + + dump_stack_lvl+0x34/0x44 + should_fail.cold+0x32/0x37 + should_failslab+0x5/0x10 + kmem_cache_alloc_node+0x23/0x190 + __alloc_skb+0x1f9/0x280 + __netdev_alloc_skb+0x3a/0x150 + mlxsw_pci_rdq_skb_alloc+0x24/0x90 + mlxsw_pci_cq_tasklet+0x3dc/0x1200 + tasklet_action_common.constprop.0+0x9f/0x100 + __do_softirq+0xb5/0x252 + irq_exit_rcu+0x7a/0xa0 + common_interrupt+0x83/0xa0 + + asm_common_interrupt+0x1e/0x40 + RIP: 0010:cpuidle_enter_state+0xc8/0x340 + [...] + mlxsw_spectrum2 0000:06:00.0: Failed to alloc skb for RDQ + +Fixes: eda6500a987a ("mlxsw: Add PCI bus implementation") +Signed-off-by: Ido Schimmel +Reviewed-by: Petr Machata +Link: https://lore.kernel.org/r/20211024064014.1060919-1-idosch@idosch.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlxsw/pci.c | 25 ++++++++++++------------- + 1 file changed, 12 insertions(+), 13 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlxsw/pci.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/pci.c +@@ -353,13 +353,10 @@ static int mlxsw_pci_rdq_skb_alloc(struc + struct sk_buff *skb; + int err; + +- elem_info->u.rdq.skb = NULL; + skb = netdev_alloc_skb_ip_align(NULL, buf_len); + if (!skb) + return -ENOMEM; + +- /* Assume that wqe was previously zeroed. */ +- + err = mlxsw_pci_wqe_frag_map(mlxsw_pci, wqe, 0, skb->data, + buf_len, DMA_FROM_DEVICE); + if (err) +@@ -597,21 +594,26 @@ static void mlxsw_pci_cqe_rdq_handle(str + struct pci_dev *pdev = mlxsw_pci->pdev; + struct mlxsw_pci_queue_elem_info *elem_info; + struct mlxsw_rx_info rx_info = {}; +- char *wqe; ++ char wqe[MLXSW_PCI_WQE_SIZE]; + struct sk_buff *skb; + u16 byte_count; + int err; + + elem_info = mlxsw_pci_queue_elem_info_consumer_get(q); +- skb = elem_info->u.sdq.skb; +- if (!skb) +- return; +- wqe = elem_info->elem; +- mlxsw_pci_wqe_frag_unmap(mlxsw_pci, wqe, 0, DMA_FROM_DEVICE); ++ skb = elem_info->u.rdq.skb; ++ memcpy(wqe, elem_info->elem, MLXSW_PCI_WQE_SIZE); + + if (q->consumer_counter++ != consumer_counter_limit) + dev_dbg_ratelimited(&pdev->dev, "Consumer counter does not match limit in RDQ\n"); + ++ err = mlxsw_pci_rdq_skb_alloc(mlxsw_pci, elem_info); ++ if (err) { ++ dev_err_ratelimited(&pdev->dev, "Failed to alloc skb for RDQ\n"); ++ goto out; ++ } ++ ++ mlxsw_pci_wqe_frag_unmap(mlxsw_pci, wqe, 0, DMA_FROM_DEVICE); ++ + if (mlxsw_pci_cqe_lag_get(cqe_v, cqe)) { + rx_info.is_lag = true; + rx_info.u.lag_id = mlxsw_pci_cqe_lag_id_get(cqe_v, cqe); +@@ -647,10 +649,7 @@ static void mlxsw_pci_cqe_rdq_handle(str + skb_put(skb, byte_count); + mlxsw_core_skb_receive(mlxsw_pci->core, skb, &rx_info); + +- memset(wqe, 0, q->elem_size); +- err = mlxsw_pci_rdq_skb_alloc(mlxsw_pci, elem_info); +- if (err) +- dev_dbg_ratelimited(&pdev->dev, "Failed to alloc skb for RDQ\n"); ++out: + /* Everything is set up, ring doorbell to pass elem to HW */ + q->producer_counter++; + mlxsw_pci_queue_doorbell_producer_ring(mlxsw_pci, q); diff --git a/queue-5.14/net-batman-adv-fix-error-handling.patch b/queue-5.14/net-batman-adv-fix-error-handling.patch new file mode 100644 index 00000000000..79bafa21526 --- /dev/null +++ b/queue-5.14/net-batman-adv-fix-error-handling.patch @@ -0,0 +1,173 @@ +From 6f68cd634856f8ca93bafd623ba5357e0f648c68 Mon Sep 17 00:00:00 2001 +From: Pavel Skripkin +Date: Sun, 24 Oct 2021 16:13:56 +0300 +Subject: net: batman-adv: fix error handling + +From: Pavel Skripkin + +commit 6f68cd634856f8ca93bafd623ba5357e0f648c68 upstream. + +Syzbot reported ODEBUG warning in batadv_nc_mesh_free(). The problem was +in wrong error handling in batadv_mesh_init(). + +Before this patch batadv_mesh_init() was calling batadv_mesh_free() in case +of any batadv_*_init() calls failure. This approach may work well, when +there is some kind of indicator, which can tell which parts of batadv are +initialized; but there isn't any. + +All written above lead to cleaning up uninitialized fields. Even if we hide +ODEBUG warning by initializing bat_priv->nc.work, syzbot was able to hit +GPF in batadv_nc_purge_paths(), because hash pointer in still NULL. [1] + +To fix these bugs we can unwind batadv_*_init() calls one by one. +It is good approach for 2 reasons: 1) It fixes bugs on error handling +path 2) It improves the performance, since we won't call unneeded +batadv_*_free() functions. + +So, this patch makes all batadv_*_init() clean up all allocated memory +before returning with an error to no call correspoing batadv_*_free() +and open-codes batadv_mesh_free() with proper order to avoid touching +uninitialized fields. + +Link: https://lore.kernel.org/netdev/000000000000c87fbd05cef6bcb0@google.com/ [1] +Reported-and-tested-by: syzbot+28b0702ada0bf7381f58@syzkaller.appspotmail.com +Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol") +Signed-off-by: Pavel Skripkin +Acked-by: Sven Eckelmann +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/bridge_loop_avoidance.c | 8 +++- + net/batman-adv/main.c | 56 +++++++++++++++++++++++---------- + net/batman-adv/network-coding.c | 4 +- + net/batman-adv/translation-table.c | 4 +- + 4 files changed, 52 insertions(+), 20 deletions(-) + +--- a/net/batman-adv/bridge_loop_avoidance.c ++++ b/net/batman-adv/bridge_loop_avoidance.c +@@ -1556,10 +1556,14 @@ int batadv_bla_init(struct batadv_priv * + return 0; + + bat_priv->bla.claim_hash = batadv_hash_new(128); +- bat_priv->bla.backbone_hash = batadv_hash_new(32); ++ if (!bat_priv->bla.claim_hash) ++ return -ENOMEM; + +- if (!bat_priv->bla.claim_hash || !bat_priv->bla.backbone_hash) ++ bat_priv->bla.backbone_hash = batadv_hash_new(32); ++ if (!bat_priv->bla.backbone_hash) { ++ batadv_hash_destroy(bat_priv->bla.claim_hash); + return -ENOMEM; ++ } + + batadv_hash_set_lock_class(bat_priv->bla.claim_hash, + &batadv_claim_hash_lock_class_key); +--- a/net/batman-adv/main.c ++++ b/net/batman-adv/main.c +@@ -190,29 +190,41 @@ int batadv_mesh_init(struct net_device * + + bat_priv->gw.generation = 0; + +- ret = batadv_v_mesh_init(bat_priv); +- if (ret < 0) +- goto err; +- + ret = batadv_originator_init(bat_priv); +- if (ret < 0) +- goto err; ++ if (ret < 0) { ++ atomic_set(&bat_priv->mesh_state, BATADV_MESH_DEACTIVATING); ++ goto err_orig; ++ } + + ret = batadv_tt_init(bat_priv); +- if (ret < 0) +- goto err; ++ if (ret < 0) { ++ atomic_set(&bat_priv->mesh_state, BATADV_MESH_DEACTIVATING); ++ goto err_tt; ++ } ++ ++ ret = batadv_v_mesh_init(bat_priv); ++ if (ret < 0) { ++ atomic_set(&bat_priv->mesh_state, BATADV_MESH_DEACTIVATING); ++ goto err_v; ++ } + + ret = batadv_bla_init(bat_priv); +- if (ret < 0) +- goto err; ++ if (ret < 0) { ++ atomic_set(&bat_priv->mesh_state, BATADV_MESH_DEACTIVATING); ++ goto err_bla; ++ } + + ret = batadv_dat_init(bat_priv); +- if (ret < 0) +- goto err; ++ if (ret < 0) { ++ atomic_set(&bat_priv->mesh_state, BATADV_MESH_DEACTIVATING); ++ goto err_dat; ++ } + + ret = batadv_nc_mesh_init(bat_priv); +- if (ret < 0) +- goto err; ++ if (ret < 0) { ++ atomic_set(&bat_priv->mesh_state, BATADV_MESH_DEACTIVATING); ++ goto err_nc; ++ } + + batadv_gw_init(bat_priv); + batadv_mcast_init(bat_priv); +@@ -222,8 +234,20 @@ int batadv_mesh_init(struct net_device * + + return 0; + +-err: +- batadv_mesh_free(soft_iface); ++err_nc: ++ batadv_dat_free(bat_priv); ++err_dat: ++ batadv_bla_free(bat_priv); ++err_bla: ++ batadv_v_mesh_free(bat_priv); ++err_v: ++ batadv_tt_free(bat_priv); ++err_tt: ++ batadv_originator_free(bat_priv); ++err_orig: ++ batadv_purge_outstanding_packets(bat_priv, NULL); ++ atomic_set(&bat_priv->mesh_state, BATADV_MESH_INACTIVE); ++ + return ret; + } + +--- a/net/batman-adv/network-coding.c ++++ b/net/batman-adv/network-coding.c +@@ -152,8 +152,10 @@ int batadv_nc_mesh_init(struct batadv_pr + &batadv_nc_coding_hash_lock_class_key); + + bat_priv->nc.decoding_hash = batadv_hash_new(128); +- if (!bat_priv->nc.decoding_hash) ++ if (!bat_priv->nc.decoding_hash) { ++ batadv_hash_destroy(bat_priv->nc.coding_hash); + goto err; ++ } + + batadv_hash_set_lock_class(bat_priv->nc.decoding_hash, + &batadv_nc_decoding_hash_lock_class_key); +--- a/net/batman-adv/translation-table.c ++++ b/net/batman-adv/translation-table.c +@@ -4193,8 +4193,10 @@ int batadv_tt_init(struct batadv_priv *b + return ret; + + ret = batadv_tt_global_init(bat_priv); +- if (ret < 0) ++ if (ret < 0) { ++ batadv_tt_local_table_free(bat_priv); + return ret; ++ } + + batadv_tvlv_handler_register(bat_priv, batadv_tt_tvlv_ogm_handler_v1, + batadv_tt_tvlv_unicast_handler_v1, diff --git a/queue-5.14/net-ethernet-microchip-lan743x-fix-dma-allocation-failure-by-using-dma_set_mask_and_coherent.patch b/queue-5.14/net-ethernet-microchip-lan743x-fix-dma-allocation-failure-by-using-dma_set_mask_and_coherent.patch new file mode 100644 index 00000000000..dfadc4a685a --- /dev/null +++ b/queue-5.14/net-ethernet-microchip-lan743x-fix-dma-allocation-failure-by-using-dma_set_mask_and_coherent.patch @@ -0,0 +1,58 @@ +From 95a359c9553342d36d408d35331ff0bfce75272f Mon Sep 17 00:00:00 2001 +From: Yuiko Oshino +Date: Fri, 22 Oct 2021 11:53:43 -0400 +Subject: net: ethernet: microchip: lan743x: Fix dma allocation failure by using dma_set_mask_and_coherent + +From: Yuiko Oshino + +commit 95a359c9553342d36d408d35331ff0bfce75272f upstream. + +The dma failure was reported in the raspberry pi github (issue #4117). +https://github.com/raspberrypi/linux/issues/4117 +The use of dma_set_mask_and_coherent fixes the issue. +Tested on 32/64-bit raspberry pi CM4 and 64-bit ubuntu x86 PC with EVB-LAN7430. + +Fixes: 23f0703c125b ("lan743x: Add main source files for new lan743x driver") +Signed-off-by: Yuiko Oshino +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/microchip/lan743x_main.c | 20 ++++++++++++++++++++ + 1 file changed, 20 insertions(+) + +--- a/drivers/net/ethernet/microchip/lan743x_main.c ++++ b/drivers/net/ethernet/microchip/lan743x_main.c +@@ -1743,6 +1743,16 @@ static int lan743x_tx_ring_init(struct l + ret = -EINVAL; + goto cleanup; + } ++ if (dma_set_mask_and_coherent(&tx->adapter->pdev->dev, ++ DMA_BIT_MASK(64))) { ++ if (dma_set_mask_and_coherent(&tx->adapter->pdev->dev, ++ DMA_BIT_MASK(32))) { ++ dev_warn(&tx->adapter->pdev->dev, ++ "lan743x_: No suitable DMA available\n"); ++ ret = -ENOMEM; ++ goto cleanup; ++ } ++ } + ring_allocation_size = ALIGN(tx->ring_size * + sizeof(struct lan743x_tx_descriptor), + PAGE_SIZE); +@@ -2276,6 +2286,16 @@ static int lan743x_rx_ring_init(struct l + ret = -EINVAL; + goto cleanup; + } ++ if (dma_set_mask_and_coherent(&rx->adapter->pdev->dev, ++ DMA_BIT_MASK(64))) { ++ if (dma_set_mask_and_coherent(&rx->adapter->pdev->dev, ++ DMA_BIT_MASK(32))) { ++ dev_warn(&rx->adapter->pdev->dev, ++ "lan743x_: No suitable DMA available\n"); ++ ret = -ENOMEM; ++ goto cleanup; ++ } ++ } + ring_allocation_size = ALIGN(rx->ring_size * + sizeof(struct lan743x_rx_descriptor), + PAGE_SIZE); diff --git a/queue-5.14/net-ethernet-microchip-lan743x-fix-driver-crash-when-lan743x_pm_resume-fails.patch b/queue-5.14/net-ethernet-microchip-lan743x-fix-driver-crash-when-lan743x_pm_resume-fails.patch new file mode 100644 index 00000000000..68aad15f350 --- /dev/null +++ b/queue-5.14/net-ethernet-microchip-lan743x-fix-driver-crash-when-lan743x_pm_resume-fails.patch @@ -0,0 +1,30 @@ +From d6423d2ec39cce2bfca418c81ef51792891576bc Mon Sep 17 00:00:00 2001 +From: Yuiko Oshino +Date: Fri, 22 Oct 2021 11:13:53 -0400 +Subject: net: ethernet: microchip: lan743x: Fix driver crash when lan743x_pm_resume fails + +From: Yuiko Oshino + +commit d6423d2ec39cce2bfca418c81ef51792891576bc upstream. + +The driver needs to clean up and return when the initialization fails on resume. + +Fixes: 23f0703c125b ("lan743x: Add main source files for new lan743x driver") +Signed-off-by: Yuiko Oshino +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/microchip/lan743x_main.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/ethernet/microchip/lan743x_main.c ++++ b/drivers/net/ethernet/microchip/lan743x_main.c +@@ -3019,6 +3019,8 @@ static int lan743x_pm_resume(struct devi + if (ret) { + netif_err(adapter, probe, adapter->netdev, + "lan743x_hardware_init returned %d\n", ret); ++ lan743x_pci_cleanup(adapter); ++ return ret; + } + + /* open netdev when netdev is at running state while resume. diff --git a/queue-5.14/net-ethernet-microchip-lan743x-fix-skb-allocation-failure.patch b/queue-5.14/net-ethernet-microchip-lan743x-fix-skb-allocation-failure.patch new file mode 100644 index 00000000000..6fc808f2434 --- /dev/null +++ b/queue-5.14/net-ethernet-microchip-lan743x-fix-skb-allocation-failure.patch @@ -0,0 +1,69 @@ +From e8684db191e4164f3f5f3ad7dec04a6734c25f1c Mon Sep 17 00:00:00 2001 +From: Yuiko Oshino +Date: Wed, 27 Oct 2021 14:23:02 -0400 +Subject: net: ethernet: microchip: lan743x: Fix skb allocation failure + +From: Yuiko Oshino + +commit e8684db191e4164f3f5f3ad7dec04a6734c25f1c upstream. + +The driver allocates skb during ndo_open with GFP_ATOMIC which has high chance of failure when there are multiple instances. +GFP_KERNEL is enough while open and use GFP_ATOMIC only from interrupt context. + +Fixes: 23f0703c125b ("lan743x: Add main source files for new lan743x driver") +Signed-off-by: Yuiko Oshino +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/microchip/lan743x_main.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/drivers/net/ethernet/microchip/lan743x_main.c ++++ b/drivers/net/ethernet/microchip/lan743x_main.c +@@ -1944,7 +1944,8 @@ static void lan743x_rx_update_tail(struc + index); + } + +-static int lan743x_rx_init_ring_element(struct lan743x_rx *rx, int index) ++static int lan743x_rx_init_ring_element(struct lan743x_rx *rx, int index, ++ gfp_t gfp) + { + struct net_device *netdev = rx->adapter->netdev; + struct device *dev = &rx->adapter->pdev->dev; +@@ -1958,7 +1959,7 @@ static int lan743x_rx_init_ring_element( + + descriptor = &rx->ring_cpu_ptr[index]; + buffer_info = &rx->buffer_info[index]; +- skb = __netdev_alloc_skb(netdev, buffer_length, GFP_ATOMIC | GFP_DMA); ++ skb = __netdev_alloc_skb(netdev, buffer_length, gfp); + if (!skb) + return -ENOMEM; + dma_ptr = dma_map_single(dev, skb->data, buffer_length, DMA_FROM_DEVICE); +@@ -2120,7 +2121,8 @@ static int lan743x_rx_process_buffer(str + + /* save existing skb, allocate new skb and map to dma */ + skb = buffer_info->skb; +- if (lan743x_rx_init_ring_element(rx, rx->last_head)) { ++ if (lan743x_rx_init_ring_element(rx, rx->last_head, ++ GFP_ATOMIC | GFP_DMA)) { + /* failed to allocate next skb. + * Memory is very low. + * Drop this packet and reuse buffer. +@@ -2335,13 +2337,16 @@ static int lan743x_rx_ring_init(struct l + + rx->last_head = 0; + for (index = 0; index < rx->ring_size; index++) { +- ret = lan743x_rx_init_ring_element(rx, index); ++ ret = lan743x_rx_init_ring_element(rx, index, GFP_KERNEL); + if (ret) + goto cleanup; + } + return 0; + + cleanup: ++ netif_warn(rx->adapter, ifup, rx->adapter->netdev, ++ "Error allocating memory for LAN743x\n"); ++ + lan743x_rx_ring_cleanup(rx); + return ret; + } diff --git a/queue-5.14/net-hns3-fix-data-endian-problem-of-some-functions-of-debugfs.patch b/queue-5.14/net-hns3-fix-data-endian-problem-of-some-functions-of-debugfs.patch new file mode 100644 index 00000000000..62fc2548250 --- /dev/null +++ b/queue-5.14/net-hns3-fix-data-endian-problem-of-some-functions-of-debugfs.patch @@ -0,0 +1,122 @@ +From 2a21dab594a98c338c4bfbc31864cbca15888549 Mon Sep 17 00:00:00 2001 +From: Jie Wang +Date: Wed, 27 Oct 2021 20:11:46 +0800 +Subject: net: hns3: fix data endian problem of some functions of debugfs + +From: Jie Wang + +commit 2a21dab594a98c338c4bfbc31864cbca15888549 upstream. + +The member data in struct hclge_desc is type of __le32, it needs endian +conversion before using it, and some functions of debugfs didn't do that, +so this patch fixes it. + +Fixes: c0ebebb9ccc1 ("net: hns3: Add "dcb register" status information query function") +Signed-off-by: Jie Wang +Signed-off-by: Guangbin Huang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_debugfs.c | 30 ++++++------- + 1 file changed, 14 insertions(+), 16 deletions(-) + +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_debugfs.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_debugfs.c +@@ -391,7 +391,7 @@ static int hclge_dbg_dump_mac(struct hcl + static int hclge_dbg_dump_dcb_qset(struct hclge_dev *hdev, char *buf, int len, + int *pos) + { +- struct hclge_dbg_bitmap_cmd *bitmap; ++ struct hclge_dbg_bitmap_cmd req; + struct hclge_desc desc; + u16 qset_id, qset_num; + int ret; +@@ -408,12 +408,12 @@ static int hclge_dbg_dump_dcb_qset(struc + if (ret) + return ret; + +- bitmap = (struct hclge_dbg_bitmap_cmd *)&desc.data[1]; ++ req.bitmap = (u8)le32_to_cpu(desc.data[1]); + + *pos += scnprintf(buf + *pos, len - *pos, + "%04u %#x %#x %#x %#x\n", +- qset_id, bitmap->bit0, bitmap->bit1, +- bitmap->bit2, bitmap->bit3); ++ qset_id, req.bit0, req.bit1, req.bit2, ++ req.bit3); + } + + return 0; +@@ -422,7 +422,7 @@ static int hclge_dbg_dump_dcb_qset(struc + static int hclge_dbg_dump_dcb_pri(struct hclge_dev *hdev, char *buf, int len, + int *pos) + { +- struct hclge_dbg_bitmap_cmd *bitmap; ++ struct hclge_dbg_bitmap_cmd req; + struct hclge_desc desc; + u8 pri_id, pri_num; + int ret; +@@ -439,12 +439,11 @@ static int hclge_dbg_dump_dcb_pri(struct + if (ret) + return ret; + +- bitmap = (struct hclge_dbg_bitmap_cmd *)&desc.data[1]; ++ req.bitmap = (u8)le32_to_cpu(desc.data[1]); + + *pos += scnprintf(buf + *pos, len - *pos, + "%03u %#x %#x %#x\n", +- pri_id, bitmap->bit0, bitmap->bit1, +- bitmap->bit2); ++ pri_id, req.bit0, req.bit1, req.bit2); + } + + return 0; +@@ -453,7 +452,7 @@ static int hclge_dbg_dump_dcb_pri(struct + static int hclge_dbg_dump_dcb_pg(struct hclge_dev *hdev, char *buf, int len, + int *pos) + { +- struct hclge_dbg_bitmap_cmd *bitmap; ++ struct hclge_dbg_bitmap_cmd req; + struct hclge_desc desc; + u8 pg_id; + int ret; +@@ -466,12 +465,11 @@ static int hclge_dbg_dump_dcb_pg(struct + if (ret) + return ret; + +- bitmap = (struct hclge_dbg_bitmap_cmd *)&desc.data[1]; ++ req.bitmap = (u8)le32_to_cpu(desc.data[1]); + + *pos += scnprintf(buf + *pos, len - *pos, + "%03u %#x %#x %#x\n", +- pg_id, bitmap->bit0, bitmap->bit1, +- bitmap->bit2); ++ pg_id, req.bit0, req.bit1, req.bit2); + } + + return 0; +@@ -511,7 +509,7 @@ static int hclge_dbg_dump_dcb_queue(stru + static int hclge_dbg_dump_dcb_port(struct hclge_dev *hdev, char *buf, int len, + int *pos) + { +- struct hclge_dbg_bitmap_cmd *bitmap; ++ struct hclge_dbg_bitmap_cmd req; + struct hclge_desc desc; + u8 port_id = 0; + int ret; +@@ -521,12 +519,12 @@ static int hclge_dbg_dump_dcb_port(struc + if (ret) + return ret; + +- bitmap = (struct hclge_dbg_bitmap_cmd *)&desc.data[1]; ++ req.bitmap = (u8)le32_to_cpu(desc.data[1]); + + *pos += scnprintf(buf + *pos, len - *pos, "port_mask: %#x\n", +- bitmap->bit0); ++ req.bit0); + *pos += scnprintf(buf + *pos, len - *pos, "port_shaping_pass: %#x\n", +- bitmap->bit1); ++ req.bit1); + + return 0; + } diff --git a/queue-5.14/net-hns3-fix-pause-config-problem-after-autoneg-disabled.patch b/queue-5.14/net-hns3-fix-pause-config-problem-after-autoneg-disabled.patch new file mode 100644 index 00000000000..f03c61c82e3 --- /dev/null +++ b/queue-5.14/net-hns3-fix-pause-config-problem-after-autoneg-disabled.patch @@ -0,0 +1,166 @@ +From 3bda2e5df476417b6d08967e2d84234a59d57b1c Mon Sep 17 00:00:00 2001 +From: Guangbin Huang +Date: Wed, 27 Oct 2021 20:11:43 +0800 +Subject: net: hns3: fix pause config problem after autoneg disabled + +From: Guangbin Huang + +commit 3bda2e5df476417b6d08967e2d84234a59d57b1c upstream. + +If a TP port is configured by follow steps: +1.ethtool -s ethx autoneg off speed 100 duplex full +2.ethtool -A ethx rx on tx on +3.ethtool -s ethx autoneg on(rx&tx negotiated pause results are off) +4.ethtool -s ethx autoneg off speed 100 duplex full + +In step 3, driver will set rx&tx pause parameters of hardware to off as +pause parameters negotiated with link partner are off. + +After step 4, the "ethtool -a ethx" command shows both rx and tx pause +parameters are on. However, pause parameters of hardware are still off +and port has no flow control function actually. + +To fix this problem, if autoneg is disabled, driver uses its saved +parameters to restore pause of hardware. If the speed is not changed in +this case, there is no link state changed for phy, it will cause the pause +parameter is not taken effect, so we need to force phy to go down and up. + +Fixes: aacbe27e82f0 ("net: hns3: modify how pause options is displayed") +Signed-off-by: Guangbin Huang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/hisilicon/hns3/hnae3.h | 1 + drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c | 33 +++++++++++----- + drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 30 ++++++++++++++ + drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c | 2 + drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.h | 1 + 5 files changed, 57 insertions(+), 10 deletions(-) + +--- a/drivers/net/ethernet/hisilicon/hns3/hnae3.h ++++ b/drivers/net/ethernet/hisilicon/hns3/hnae3.h +@@ -568,6 +568,7 @@ struct hnae3_ae_ops { + u32 *auto_neg, u32 *rx_en, u32 *tx_en); + int (*set_pauseparam)(struct hnae3_handle *handle, + u32 auto_neg, u32 rx_en, u32 tx_en); ++ int (*restore_pauseparam)(struct hnae3_handle *handle); + + int (*set_autoneg)(struct hnae3_handle *handle, bool enable); + int (*get_autoneg)(struct hnae3_handle *handle); +--- a/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c +@@ -838,6 +838,26 @@ static int hns3_check_ksettings_param(co + return 0; + } + ++static int hns3_set_phy_link_ksettings(struct net_device *netdev, ++ const struct ethtool_link_ksettings *cmd) ++{ ++ struct hnae3_handle *handle = hns3_get_handle(netdev); ++ const struct hnae3_ae_ops *ops = handle->ae_algo->ops; ++ int ret; ++ ++ if (cmd->base.speed == SPEED_1000 && ++ cmd->base.autoneg == AUTONEG_DISABLE) ++ return -EINVAL; ++ ++ if (cmd->base.autoneg == AUTONEG_DISABLE && ops->restore_pauseparam) { ++ ret = ops->restore_pauseparam(handle); ++ if (ret) ++ return ret; ++ } ++ ++ return phy_ethtool_ksettings_set(netdev->phydev, cmd); ++} ++ + static int hns3_set_link_ksettings(struct net_device *netdev, + const struct ethtool_link_ksettings *cmd) + { +@@ -856,16 +876,11 @@ static int hns3_set_link_ksettings(struc + cmd->base.autoneg, cmd->base.speed, cmd->base.duplex); + + /* Only support ksettings_set for netdev with phy attached for now */ +- if (netdev->phydev) { +- if (cmd->base.speed == SPEED_1000 && +- cmd->base.autoneg == AUTONEG_DISABLE) +- return -EINVAL; +- +- return phy_ethtool_ksettings_set(netdev->phydev, cmd); +- } else if (test_bit(HNAE3_DEV_SUPPORT_PHY_IMP_B, ae_dev->caps) && +- ops->set_phy_link_ksettings) { ++ if (netdev->phydev) ++ return hns3_set_phy_link_ksettings(netdev, cmd); ++ else if (test_bit(HNAE3_DEV_SUPPORT_PHY_IMP_B, ae_dev->caps) && ++ ops->set_phy_link_ksettings) + return ops->set_phy_link_ksettings(handle, cmd); +- } + + if (ae_dev->dev_version < HNAE3_DEVICE_VERSION_V2) + return -EOPNOTSUPP; +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c +@@ -11014,6 +11014,35 @@ static int hclge_set_pauseparam(struct h + return -EOPNOTSUPP; + } + ++static int hclge_restore_pauseparam(struct hnae3_handle *handle) ++{ ++ struct hclge_vport *vport = hclge_get_vport(handle); ++ struct hclge_dev *hdev = vport->back; ++ u32 auto_neg, rx_pause, tx_pause; ++ int ret; ++ ++ hclge_get_pauseparam(handle, &auto_neg, &rx_pause, &tx_pause); ++ /* when autoneg is disabled, the pause setting of phy has no effect ++ * unless the link goes down. ++ */ ++ ret = phy_suspend(hdev->hw.mac.phydev); ++ if (ret) ++ return ret; ++ ++ phy_set_asym_pause(hdev->hw.mac.phydev, rx_pause, tx_pause); ++ ++ ret = phy_resume(hdev->hw.mac.phydev); ++ if (ret) ++ return ret; ++ ++ ret = hclge_mac_pause_setup_hw(hdev); ++ if (ret) ++ dev_err(&hdev->pdev->dev, ++ "restore pauseparam error, ret = %d.\n", ret); ++ ++ return ret; ++} ++ + static void hclge_get_ksettings_an_result(struct hnae3_handle *handle, + u8 *auto_neg, u32 *speed, u8 *duplex) + { +@@ -12943,6 +12972,7 @@ static const struct hnae3_ae_ops hclge_o + .halt_autoneg = hclge_halt_autoneg, + .get_pauseparam = hclge_get_pauseparam, + .set_pauseparam = hclge_set_pauseparam, ++ .restore_pauseparam = hclge_restore_pauseparam, + .set_mtu = hclge_set_mtu, + .reset_queue = hclge_reset_tqp, + .get_stats = hclge_get_stats, +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c +@@ -1435,7 +1435,7 @@ static int hclge_bp_setup_hw(struct hclg + return 0; + } + +-static int hclge_mac_pause_setup_hw(struct hclge_dev *hdev) ++int hclge_mac_pause_setup_hw(struct hclge_dev *hdev) + { + bool tx_en, rx_en; + +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.h ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.h +@@ -244,6 +244,7 @@ int hclge_tm_get_pri_weight(struct hclge + int hclge_tm_get_pri_shaper(struct hclge_dev *hdev, u8 pri_id, + enum hclge_opcode_type cmd, + struct hclge_tm_shaper_para *para); ++int hclge_mac_pause_setup_hw(struct hclge_dev *hdev); + int hclge_tm_get_q_to_qs_map(struct hclge_dev *hdev, u16 q_id, u16 *qset_id); + int hclge_tm_get_q_to_tc(struct hclge_dev *hdev, u16 q_id, u8 *tc_id); + int hclge_tm_get_pg_to_pri_map(struct hclge_dev *hdev, u8 pg_id, diff --git a/queue-5.14/net-nxp-lpc_eth.c-avoid-hang-when-bringing-interface-down.patch b/queue-5.14/net-nxp-lpc_eth.c-avoid-hang-when-bringing-interface-down.patch new file mode 100644 index 00000000000..574fe6f30cc --- /dev/null +++ b/queue-5.14/net-nxp-lpc_eth.c-avoid-hang-when-bringing-interface-down.patch @@ -0,0 +1,44 @@ +From ace19b992436a257d9a793672e57abc28fe83e2e Mon Sep 17 00:00:00 2001 +From: Trevor Woerner +Date: Sun, 24 Oct 2021 13:50:02 -0400 +Subject: net: nxp: lpc_eth.c: avoid hang when bringing interface down + +From: Trevor Woerner + +commit ace19b992436a257d9a793672e57abc28fe83e2e upstream. + +A hard hang is observed whenever the ethernet interface is brought +down. If the PHY is stopped before the LPC core block is reset, +the SoC will hang. Comparing lpc_eth_close() and lpc_eth_open() I +re-arranged the ordering of the functions calls in lpc_eth_close() to +reset the hardware before stopping the PHY. +Fixes: b7370112f519 ("lpc32xx: Added ethernet driver") +Signed-off-by: Trevor Woerner +Acked-by: Vladimir Zapolskiy +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/nxp/lpc_eth.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/nxp/lpc_eth.c ++++ b/drivers/net/ethernet/nxp/lpc_eth.c +@@ -1015,9 +1015,6 @@ static int lpc_eth_close(struct net_devi + napi_disable(&pldat->napi); + netif_stop_queue(ndev); + +- if (ndev->phydev) +- phy_stop(ndev->phydev); +- + spin_lock_irqsave(&pldat->lock, flags); + __lpc_eth_reset(pldat); + netif_carrier_off(ndev); +@@ -1025,6 +1022,8 @@ static int lpc_eth_close(struct net_devi + writel(0, LPC_ENET_MAC2(pldat->net_base)); + spin_unlock_irqrestore(&pldat->lock, flags); + ++ if (ndev->phydev) ++ phy_stop(ndev->phydev); + clk_disable_unprepare(pldat->clk); + + return 0; diff --git a/queue-5.14/net-prevent-infinite-while-loop-in-skb_tx_hash.patch b/queue-5.14/net-prevent-infinite-while-loop-in-skb_tx_hash.patch new file mode 100644 index 00000000000..81eab3ece4a --- /dev/null +++ b/queue-5.14/net-prevent-infinite-while-loop-in-skb_tx_hash.patch @@ -0,0 +1,43 @@ +From 0c57eeecc559ca6bc18b8c4e2808bc78dbe769b0 Mon Sep 17 00:00:00 2001 +From: Michael Chan +Date: Mon, 25 Oct 2021 05:05:28 -0400 +Subject: net: Prevent infinite while loop in skb_tx_hash() + +From: Michael Chan + +commit 0c57eeecc559ca6bc18b8c4e2808bc78dbe769b0 upstream. + +Drivers call netdev_set_num_tc() and then netdev_set_tc_queue() +to set the queue count and offset for each TC. So the queue count +and offset for the TCs may be zero for a short period after dev->num_tc +has been set. If a TX packet is being transmitted at this time in the +code path netdev_pick_tx() -> skb_tx_hash(), skb_tx_hash() may see +nonzero dev->num_tc but zero qcount for the TC. The while loop that +keeps looping while hash >= qcount will not end. + +Fix it by checking the TC's qcount to be nonzero before using it. + +Fixes: eadec877ce9c ("net: Add support for subordinate traffic classes to netdev_pick_tx") +Reviewed-by: Andy Gospodarek +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/dev.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -3246,6 +3246,12 @@ static u16 skb_tx_hash(const struct net_ + + qoffset = sb_dev->tc_to_txq[tc].offset; + qcount = sb_dev->tc_to_txq[tc].count; ++ if (unlikely(!qcount)) { ++ net_warn_ratelimited("%s: invalid qcount, qoffset %u for tc %u\n", ++ sb_dev->name, qoffset, tc); ++ qoffset = 0; ++ qcount = dev->real_num_tx_queues; ++ } + } + + if (skb_rx_queue_recorded(skb)) { diff --git a/queue-5.14/net-sysfs-initialize-uid-and-gid-before-calling-net_ns_get_ownership.patch b/queue-5.14/net-sysfs-initialize-uid-and-gid-before-calling-net_ns_get_ownership.patch new file mode 100644 index 00000000000..138ead47468 --- /dev/null +++ b/queue-5.14/net-sysfs-initialize-uid-and-gid-before-calling-net_ns_get_ownership.patch @@ -0,0 +1,40 @@ +From f7a1e76d0f608961cc2fc681f867a834f2746bce Mon Sep 17 00:00:00 2001 +From: Xin Long +Date: Mon, 25 Oct 2021 02:31:48 -0400 +Subject: net-sysfs: initialize uid and gid before calling net_ns_get_ownership + +From: Xin Long + +commit f7a1e76d0f608961cc2fc681f867a834f2746bce upstream. + +Currently in net_ns_get_ownership() it may not be able to set uid or gid +if make_kuid or make_kgid returns an invalid value, and an uninit-value +issue can be triggered by this. + +This patch is to fix it by initializing the uid and gid before calling +net_ns_get_ownership(), as it does in kobject_get_ownership() + +Fixes: e6dee9f3893c ("net-sysfs: add netdev_change_owner()") +Reported-by: Paolo Abeni +Signed-off-by: Xin Long +Acked-by: Christian Brauner +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/net-sysfs.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/core/net-sysfs.c ++++ b/net/core/net-sysfs.c +@@ -1973,9 +1973,9 @@ int netdev_register_kobject(struct net_d + int netdev_change_owner(struct net_device *ndev, const struct net *net_old, + const struct net *net_new) + { ++ kuid_t old_uid = GLOBAL_ROOT_UID, new_uid = GLOBAL_ROOT_UID; ++ kgid_t old_gid = GLOBAL_ROOT_GID, new_gid = GLOBAL_ROOT_GID; + struct device *dev = &ndev->dev; +- kuid_t old_uid, new_uid; +- kgid_t old_gid, new_gid; + int error; + + net_ns_get_ownership(net_old, &old_uid, &old_gid); diff --git a/queue-5.14/net-tls-fix-flipped-sign-in-async_wait.err-assignment.patch b/queue-5.14/net-tls-fix-flipped-sign-in-async_wait.err-assignment.patch new file mode 100644 index 00000000000..d9414459229 --- /dev/null +++ b/queue-5.14/net-tls-fix-flipped-sign-in-async_wait.err-assignment.patch @@ -0,0 +1,32 @@ +From 1d9d6fd21ad4a28b16ed9ee5432ae738b9dc58aa Mon Sep 17 00:00:00 2001 +From: Daniel Jordan +Date: Wed, 27 Oct 2021 17:59:21 -0400 +Subject: net/tls: Fix flipped sign in async_wait.err assignment + +From: Daniel Jordan + +commit 1d9d6fd21ad4a28b16ed9ee5432ae738b9dc58aa upstream. + +sk->sk_err contains a positive number, yet async_wait.err wants the +opposite. Fix the missed sign flip, which Jakub caught by inspection. + +Fixes: a42055e8d2c3 ("net/tls: Add support for async encryption of records for performance") +Suggested-by: Jakub Kicinski +Signed-off-by: Daniel Jordan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/tls/tls_sw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/tls/tls_sw.c ++++ b/net/tls/tls_sw.c +@@ -459,7 +459,7 @@ static void tls_encrypt_done(struct cryp + + /* If err is already set on socket, return the same code */ + if (sk->sk_err) { +- ctx->async_wait.err = sk->sk_err; ++ ctx->async_wait.err = -sk->sk_err; + } else { + ctx->async_wait.err = err; + tls_err_abort(sk, err); diff --git a/queue-5.14/nios2-make-nios2_dtb_source_bool-depend-on-compile_test.patch b/queue-5.14/nios2-make-nios2_dtb_source_bool-depend-on-compile_test.patch new file mode 100644 index 00000000000..fc96d2f4154 --- /dev/null +++ b/queue-5.14/nios2-make-nios2_dtb_source_bool-depend-on-compile_test.patch @@ -0,0 +1,39 @@ +From 4a089e95b4d6bb625044d47aed0c442a8f7bd093 Mon Sep 17 00:00:00 2001 +From: Guenter Roeck +Date: Wed, 20 Oct 2021 12:11:16 -0700 +Subject: nios2: Make NIOS2_DTB_SOURCE_BOOL depend on !COMPILE_TEST + +From: Guenter Roeck + +commit 4a089e95b4d6bb625044d47aed0c442a8f7bd093 upstream. + +nios2:allmodconfig builds fail with + +make[1]: *** No rule to make target 'arch/nios2/boot/dts/""', + needed by 'arch/nios2/boot/dts/built-in.a'. Stop. +make: [Makefile:1868: arch/nios2/boot/dts] Error 2 (ignored) + +This is seen with compile tests since those enable NIOS2_DTB_SOURCE_BOOL, +which in turn enables NIOS2_DTB_SOURCE. This causes the build error +because the default value for NIOS2_DTB_SOURCE is an empty string. +Disable NIOS2_DTB_SOURCE_BOOL for compile tests to avoid the error. + +Fixes: 2fc8483fdcde ("nios2: Build infrastructure") +Signed-off-by: Guenter Roeck +Reviewed-by: Randy Dunlap +Signed-off-by: Dinh Nguyen +Signed-off-by: Greg Kroah-Hartman +--- + arch/nios2/platform/Kconfig.platform | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/nios2/platform/Kconfig.platform ++++ b/arch/nios2/platform/Kconfig.platform +@@ -37,6 +37,7 @@ config NIOS2_DTB_PHYS_ADDR + + config NIOS2_DTB_SOURCE_BOOL + bool "Compile and link device tree into kernel image" ++ depends on !COMPILE_TEST + help + This allows you to specify a dts (device tree source) file + which will be compiled and linked into the kernel image. diff --git a/queue-5.14/nvme-tcp-fix-data-digest-pointer-calculation.patch b/queue-5.14/nvme-tcp-fix-data-digest-pointer-calculation.patch new file mode 100644 index 00000000000..55beb71818b --- /dev/null +++ b/queue-5.14/nvme-tcp-fix-data-digest-pointer-calculation.patch @@ -0,0 +1,33 @@ +From d89b9f3bbb58e9e378881209756b0723694f22ff Mon Sep 17 00:00:00 2001 +From: Varun Prakash +Date: Mon, 25 Oct 2021 22:47:30 +0530 +Subject: nvme-tcp: fix data digest pointer calculation + +From: Varun Prakash + +commit d89b9f3bbb58e9e378881209756b0723694f22ff upstream. + +ddgst is of type __le32, &req->ddgst + req->offset +increases &req->ddgst by 4 * req->offset, fix this by +type casting &req->ddgst to u8 *. + +Fixes: 3f2304f8c6d6 ("nvme-tcp: add NVMe over TCP host driver") +Signed-off-by: Varun Prakash +Reviewed-by: Sagi Grimberg +Signed-off-by: Christoph Hellwig +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/host/tcp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/nvme/host/tcp.c ++++ b/drivers/nvme/host/tcp.c +@@ -1040,7 +1040,7 @@ static int nvme_tcp_try_send_ddgst(struc + int ret; + struct msghdr msg = { .msg_flags = MSG_DONTWAIT }; + struct kvec iov = { +- .iov_base = &req->ddgst + req->offset, ++ .iov_base = (u8 *)&req->ddgst + req->offset, + .iov_len = NVME_TCP_DIGEST_LENGTH - req->offset + }; + diff --git a/queue-5.14/nvme-tcp-fix-possible-req-offset-corruption.patch b/queue-5.14/nvme-tcp-fix-possible-req-offset-corruption.patch new file mode 100644 index 00000000000..b665bd09975 --- /dev/null +++ b/queue-5.14/nvme-tcp-fix-possible-req-offset-corruption.patch @@ -0,0 +1,54 @@ +From ce7723e9cdae4eb3030da082876580f4b2dc0861 Mon Sep 17 00:00:00 2001 +From: Varun Prakash +Date: Tue, 26 Oct 2021 19:01:55 +0530 +Subject: nvme-tcp: fix possible req->offset corruption + +From: Varun Prakash + +commit ce7723e9cdae4eb3030da082876580f4b2dc0861 upstream. + +With commit db5ad6b7f8cd ("nvme-tcp: try to send request in queue_rq +context") r2t and response PDU can get processed while send function +is executing. + +Current data digest send code uses req->offset after kernel_sendmsg(), +this creates a race condition where req->offset gets reset before it +is used in send function. + +This can happen in two cases - +1. Target sends r2t PDU which resets req->offset. +2. Target send response PDU which completes the req and then req is + used for a new command, nvme_tcp_setup_cmd_pdu() resets req->offset. + +Fix this by storing req->offset in a local variable and using +this local variable after kernel_sendmsg(). + +Fixes: db5ad6b7f8cd ("nvme-tcp: try to send request in queue_rq context") +Signed-off-by: Varun Prakash +Reviewed-by: Keith Busch +Reviewed-by: Sagi Grimberg +Signed-off-by: Christoph Hellwig +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/host/tcp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/nvme/host/tcp.c ++++ b/drivers/nvme/host/tcp.c +@@ -1037,6 +1037,7 @@ static int nvme_tcp_try_send_data_pdu(st + static int nvme_tcp_try_send_ddgst(struct nvme_tcp_request *req) + { + struct nvme_tcp_queue *queue = req->queue; ++ size_t offset = req->offset; + int ret; + struct msghdr msg = { .msg_flags = MSG_DONTWAIT }; + struct kvec iov = { +@@ -1053,7 +1054,7 @@ static int nvme_tcp_try_send_ddgst(struc + if (unlikely(ret <= 0)) + return ret; + +- if (req->offset + ret == NVME_TCP_DIGEST_LENGTH) { ++ if (offset + ret == NVME_TCP_DIGEST_LENGTH) { + nvme_tcp_done_send_req(queue); + return 1; + } diff --git a/queue-5.14/nvmet-tcp-fix-data-digest-pointer-calculation.patch b/queue-5.14/nvmet-tcp-fix-data-digest-pointer-calculation.patch new file mode 100644 index 00000000000..50a9b3cc39b --- /dev/null +++ b/queue-5.14/nvmet-tcp-fix-data-digest-pointer-calculation.patch @@ -0,0 +1,33 @@ +From e790de54e94a7a15fb725b34724d41d41cbaa60c Mon Sep 17 00:00:00 2001 +From: Varun Prakash +Date: Mon, 25 Oct 2021 22:46:54 +0530 +Subject: nvmet-tcp: fix data digest pointer calculation + +From: Varun Prakash + +commit e790de54e94a7a15fb725b34724d41d41cbaa60c upstream. + +exp_ddgst is of type __le32, &cmd->exp_ddgst + cmd->offset increases +&cmd->exp_ddgst by 4 * cmd->offset, fix this by type casting +&cmd->exp_ddgst to u8 *. + +Fixes: 872d26a391da ("nvmet-tcp: add NVMe over TCP target driver") +Signed-off-by: Varun Prakash +Reviewed-by: Sagi Grimberg +Signed-off-by: Christoph Hellwig +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/target/tcp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/nvme/target/tcp.c ++++ b/drivers/nvme/target/tcp.c +@@ -702,7 +702,7 @@ static int nvmet_try_send_ddgst(struct n + struct nvmet_tcp_queue *queue = cmd->queue; + struct msghdr msg = { .msg_flags = MSG_DONTWAIT }; + struct kvec iov = { +- .iov_base = &cmd->exp_ddgst + cmd->offset, ++ .iov_base = (u8 *)&cmd->exp_ddgst + cmd->offset, + .iov_len = NVME_TCP_DIGEST_LENGTH - cmd->offset + }; + int ret; diff --git a/queue-5.14/octeontx2-af-display-all-enabled-pf-vf-rsrc_alloc-entries.patch b/queue-5.14/octeontx2-af-display-all-enabled-pf-vf-rsrc_alloc-entries.patch new file mode 100644 index 00000000000..610dd29717d --- /dev/null +++ b/queue-5.14/octeontx2-af-display-all-enabled-pf-vf-rsrc_alloc-entries.patch @@ -0,0 +1,233 @@ +From e77bcdd1f639809950c45234b08647ac6d3ffe7b Mon Sep 17 00:00:00 2001 +From: Rakesh Babu +Date: Wed, 27 Oct 2021 23:02:33 +0530 +Subject: octeontx2-af: Display all enabled PF VF rsrc_alloc entries. + +From: Rakesh Babu + +commit e77bcdd1f639809950c45234b08647ac6d3ffe7b upstream. + +Currently, we are using a fixed buffer size of length 2048 to display +rsrc_alloc output. As a result a maximum of 2048 characters of +rsrc_alloc output is displayed, which may lead sometimes to display only +partial output. This patch fixes this dependency on max limit of buffer +size and displays all PF VF entries. + +Each column of the debugfs entry "rsrc_alloc" uses a fixed width of 12 +characters to print the list of LFs of each block for a PF/VF. If the +length of list of LFs of a block exceeds this fixed width then the list +gets truncated and displays only a part of the list. This patch fixes +this by using the maximum possible length of list of LFs among all +blocks of all PFs and VFs entries as the width size. + +Fixes: f7884097141b ("octeontx2-af: Formatting debugfs entry rsrc_alloc.") +Fixes: 23205e6d06d4 ("octeontx2-af: Dump current resource provisioning status") +Signed-off-by: Rakesh Babu +Signed-off-by: Nithin Dabilpuram +Signed-off-by: Sunil Kovvuri Goutham +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c | 138 ++++++++++++---- + 1 file changed, 106 insertions(+), 32 deletions(-) + +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c +@@ -229,18 +229,85 @@ static const struct file_operations rvu_ + + static void print_nix_qsize(struct seq_file *filp, struct rvu_pfvf *pfvf); + ++static void get_lf_str_list(struct rvu_block block, int pcifunc, ++ char *lfs) ++{ ++ int lf = 0, seq = 0, len = 0, prev_lf = block.lf.max; ++ ++ for_each_set_bit(lf, block.lf.bmap, block.lf.max) { ++ if (lf >= block.lf.max) ++ break; ++ ++ if (block.fn_map[lf] != pcifunc) ++ continue; ++ ++ if (lf == prev_lf + 1) { ++ prev_lf = lf; ++ seq = 1; ++ continue; ++ } ++ ++ if (seq) ++ len += sprintf(lfs + len, "-%d,%d", prev_lf, lf); ++ else ++ len += (len ? sprintf(lfs + len, ",%d", lf) : ++ sprintf(lfs + len, "%d", lf)); ++ ++ prev_lf = lf; ++ seq = 0; ++ } ++ ++ if (seq) ++ len += sprintf(lfs + len, "-%d", prev_lf); ++ ++ lfs[len] = '\0'; ++} ++ ++static int get_max_column_width(struct rvu *rvu) ++{ ++ int index, pf, vf, lf_str_size = 12, buf_size = 256; ++ struct rvu_block block; ++ u16 pcifunc; ++ char *buf; ++ ++ buf = kzalloc(buf_size, GFP_KERNEL); ++ if (!buf) ++ return -ENOMEM; ++ ++ for (pf = 0; pf < rvu->hw->total_pfs; pf++) { ++ for (vf = 0; vf <= rvu->hw->total_vfs; vf++) { ++ pcifunc = pf << 10 | vf; ++ if (!pcifunc) ++ continue; ++ ++ for (index = 0; index < BLK_COUNT; index++) { ++ block = rvu->hw->block[index]; ++ if (!strlen(block.name)) ++ continue; ++ ++ get_lf_str_list(block, pcifunc, buf); ++ if (lf_str_size <= strlen(buf)) ++ lf_str_size = strlen(buf) + 1; ++ } ++ } ++ } ++ ++ kfree(buf); ++ return lf_str_size; ++} ++ + /* Dumps current provisioning status of all RVU block LFs */ + static ssize_t rvu_dbg_rsrc_attach_status(struct file *filp, + char __user *buffer, + size_t count, loff_t *ppos) + { +- int index, off = 0, flag = 0, go_back = 0, len = 0; ++ int index, off = 0, flag = 0, len = 0, i = 0; + struct rvu *rvu = filp->private_data; +- int lf, pf, vf, pcifunc; ++ int bytes_not_copied = 0; + struct rvu_block block; +- int bytes_not_copied; +- int lf_str_size = 12; ++ int pf, vf, pcifunc; + int buf_size = 2048; ++ int lf_str_size; + char *lfs; + char *buf; + +@@ -252,6 +319,9 @@ static ssize_t rvu_dbg_rsrc_attach_statu + if (!buf) + return -ENOSPC; + ++ /* Get the maximum width of a column */ ++ lf_str_size = get_max_column_width(rvu); ++ + lfs = kzalloc(lf_str_size, GFP_KERNEL); + if (!lfs) { + kfree(buf); +@@ -265,65 +335,69 @@ static ssize_t rvu_dbg_rsrc_attach_statu + "%-*s", lf_str_size, + rvu->hw->block[index].name); + } ++ + off += scnprintf(&buf[off], buf_size - 1 - off, "\n"); ++ bytes_not_copied = copy_to_user(buffer + (i * off), buf, off); ++ if (bytes_not_copied) ++ goto out; ++ ++ i++; ++ *ppos += off; + for (pf = 0; pf < rvu->hw->total_pfs; pf++) { + for (vf = 0; vf <= rvu->hw->total_vfs; vf++) { ++ off = 0; ++ flag = 0; + pcifunc = pf << 10 | vf; + if (!pcifunc) + continue; + + if (vf) { + sprintf(lfs, "PF%d:VF%d", pf, vf - 1); +- go_back = scnprintf(&buf[off], +- buf_size - 1 - off, +- "%-*s", lf_str_size, lfs); ++ off = scnprintf(&buf[off], ++ buf_size - 1 - off, ++ "%-*s", lf_str_size, lfs); + } else { + sprintf(lfs, "PF%d", pf); +- go_back = scnprintf(&buf[off], +- buf_size - 1 - off, +- "%-*s", lf_str_size, lfs); ++ off = scnprintf(&buf[off], ++ buf_size - 1 - off, ++ "%-*s", lf_str_size, lfs); + } + +- off += go_back; +- for (index = 0; index < BLKTYPE_MAX; index++) { ++ for (index = 0; index < BLK_COUNT; index++) { + block = rvu->hw->block[index]; + if (!strlen(block.name)) + continue; + len = 0; + lfs[len] = '\0'; +- for (lf = 0; lf < block.lf.max; lf++) { +- if (block.fn_map[lf] != pcifunc) +- continue; ++ get_lf_str_list(block, pcifunc, lfs); ++ if (strlen(lfs)) + flag = 1; +- len += sprintf(&lfs[len], "%d,", lf); +- } + +- if (flag) +- len--; +- lfs[len] = '\0'; + off += scnprintf(&buf[off], buf_size - 1 - off, + "%-*s", lf_str_size, lfs); +- if (!strlen(lfs)) +- go_back += lf_str_size; + } +- if (!flag) +- off -= go_back; +- else +- flag = 0; +- off--; +- off += scnprintf(&buf[off], buf_size - 1 - off, "\n"); ++ if (flag) { ++ off += scnprintf(&buf[off], ++ buf_size - 1 - off, "\n"); ++ bytes_not_copied = copy_to_user(buffer + ++ (i * off), ++ buf, off); ++ if (bytes_not_copied) ++ goto out; ++ ++ i++; ++ *ppos += off; ++ } + } + } + +- bytes_not_copied = copy_to_user(buffer, buf, off); ++out: + kfree(lfs); + kfree(buf); +- + if (bytes_not_copied) + return -EFAULT; + +- *ppos = off; +- return off; ++ return *ppos; + } + + RVU_DEBUG_FOPS(rsrc_status, rsrc_attach_status, NULL); diff --git a/queue-5.14/octeontx2-af-fix-possible-null-pointer-dereference.patch b/queue-5.14/octeontx2-af-fix-possible-null-pointer-dereference.patch new file mode 100644 index 00000000000..7ab1fc3d00f --- /dev/null +++ b/queue-5.14/octeontx2-af-fix-possible-null-pointer-dereference.patch @@ -0,0 +1,47 @@ +From c2d4c543f74c90f883e8ec62a31973ae8807d354 Mon Sep 17 00:00:00 2001 +From: Rakesh Babu Saladi +Date: Wed, 27 Oct 2021 23:02:34 +0530 +Subject: octeontx2-af: Fix possible null pointer dereference. + +From: Rakesh Babu Saladi + +commit c2d4c543f74c90f883e8ec62a31973ae8807d354 upstream. + +This patch fixes possible null pointer dereference in files +"rvu_debugfs.c" and "rvu_nix.c" + +Fixes: 8756828a8148 ("octeontx2-af: Add NPA aura and pool contexts to debugfs") +Fixes: 9a946def264d ("octeontx2-af: Modify nix_vtag_cfg mailbox to support TX VTAG entries") +Signed-off-by: Rakesh Babu Saladi +Signed-off-by: Subbaraya Sundeep +Signed-off-by: Sunil Goutham +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c | 2 +- + drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c | 3 +++ + 2 files changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c +@@ -581,7 +581,7 @@ static ssize_t rvu_dbg_qsize_write(struc + if (cmd_buf) + ret = -EINVAL; + +- if (!strncmp(subtoken, "help", 4) || ret < 0) { ++ if (ret < 0 || !strncmp(subtoken, "help", 4)) { + dev_info(rvu->dev, "Use echo <%s-lf > qsize\n", blk_string); + goto qsize_write_done; + } +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c +@@ -2146,6 +2146,9 @@ static void nix_free_tx_vtag_entries(str + return; + + nix_hw = get_nix_hw(rvu->hw, blkaddr); ++ if (!nix_hw) ++ return; ++ + vlan = &nix_hw->txvlan; + + mutex_lock(&vlan->rsrc_lock); diff --git a/queue-5.14/phy-phy_ethtool_ksettings_get-lock-the-phy-for-consistency.patch b/queue-5.14/phy-phy_ethtool_ksettings_get-lock-the-phy-for-consistency.patch new file mode 100644 index 00000000000..3c262d243b9 --- /dev/null +++ b/queue-5.14/phy-phy_ethtool_ksettings_get-lock-the-phy-for-consistency.patch @@ -0,0 +1,39 @@ +From c10a485c3de5ccbf1fff65a382cebcb2730c6b06 Mon Sep 17 00:00:00 2001 +From: Andrew Lunn +Date: Sun, 24 Oct 2021 21:48:02 +0200 +Subject: phy: phy_ethtool_ksettings_get: Lock the phy for consistency + +From: Andrew Lunn + +commit c10a485c3de5ccbf1fff65a382cebcb2730c6b06 upstream. + +The PHY structure should be locked while copying information out if +it, otherwise there is no guarantee of self consistency. Without the +lock the PHY state machine could be updating the structure. + +Fixes: 2d55173e71b0 ("phy: add generic function to support ksetting support") +Signed-off-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/phy.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/phy/phy.c ++++ b/drivers/net/phy/phy.c +@@ -299,6 +299,7 @@ EXPORT_SYMBOL(phy_ethtool_ksettings_set) + void phy_ethtool_ksettings_get(struct phy_device *phydev, + struct ethtool_link_ksettings *cmd) + { ++ mutex_lock(&phydev->lock); + linkmode_copy(cmd->link_modes.supported, phydev->supported); + linkmode_copy(cmd->link_modes.advertising, phydev->advertising); + linkmode_copy(cmd->link_modes.lp_advertising, phydev->lp_advertising); +@@ -317,6 +318,7 @@ void phy_ethtool_ksettings_get(struct ph + cmd->base.autoneg = phydev->autoneg; + cmd->base.eth_tp_mdix_ctrl = phydev->mdix_ctrl; + cmd->base.eth_tp_mdix = phydev->mdix; ++ mutex_unlock(&phydev->lock); + } + EXPORT_SYMBOL(phy_ethtool_ksettings_get); + diff --git a/queue-5.14/phy-phy_ethtool_ksettings_set-lock-the-phy-while-changing-settings.patch b/queue-5.14/phy-phy_ethtool_ksettings_set-lock-the-phy-while-changing-settings.patch new file mode 100644 index 00000000000..eef89dcdd3d --- /dev/null +++ b/queue-5.14/phy-phy_ethtool_ksettings_set-lock-the-phy-while-changing-settings.patch @@ -0,0 +1,46 @@ +From af1a02aa23c37045e6adfcf074cf7dbac167a403 Mon Sep 17 00:00:00 2001 +From: Andrew Lunn +Date: Sun, 24 Oct 2021 21:48:05 +0200 +Subject: phy: phy_ethtool_ksettings_set: Lock the PHY while changing settings + +From: Andrew Lunn + +commit af1a02aa23c37045e6adfcf074cf7dbac167a403 upstream. + +There is a race condition where the PHY state machine can change +members of the phydev structure at the same time userspace requests a +change via ethtool. To prevent this, have phy_ethtool_ksettings_set +take the PHY lock. + +Fixes: 2d55173e71b0 ("phy: add generic function to support ksetting support") +Reported-by: Walter Stoll +Suggested-by: Walter Stoll +Tested-by: Walter Stoll +Signed-off-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/phy.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/net/phy/phy.c ++++ b/drivers/net/phy/phy.c +@@ -798,6 +798,7 @@ int phy_ethtool_ksettings_set(struct phy + duplex != DUPLEX_FULL))) + return -EINVAL; + ++ mutex_lock(&phydev->lock); + phydev->autoneg = autoneg; + + if (autoneg == AUTONEG_DISABLE) { +@@ -814,8 +815,9 @@ int phy_ethtool_ksettings_set(struct phy + phydev->mdix_ctrl = cmd->base.eth_tp_mdix_ctrl; + + /* Restart the PHY */ +- phy_start_aneg(phydev); ++ _phy_start_aneg(phydev); + ++ mutex_unlock(&phydev->lock); + return 0; + } + EXPORT_SYMBOL(phy_ethtool_ksettings_set); diff --git a/queue-5.14/phy-phy_ethtool_ksettings_set-move-after-phy_start_aneg.patch b/queue-5.14/phy-phy_ethtool_ksettings_set-move-after-phy_start_aneg.patch new file mode 100644 index 00000000000..8de5f741045 --- /dev/null +++ b/queue-5.14/phy-phy_ethtool_ksettings_set-move-after-phy_start_aneg.patch @@ -0,0 +1,142 @@ +From 64cd92d5e8180c2ded3fdea76862de6f596ae2c9 Mon Sep 17 00:00:00 2001 +From: Andrew Lunn +Date: Sun, 24 Oct 2021 21:48:03 +0200 +Subject: phy: phy_ethtool_ksettings_set: Move after phy_start_aneg + +From: Andrew Lunn + +commit 64cd92d5e8180c2ded3fdea76862de6f596ae2c9 upstream. + +This allows it to make use of a helper which assume the PHY is already +locked. + +Fixes: 2d55173e71b0 ("phy: add generic function to support ksetting support") +Signed-off-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/phy.c | 106 +++++++++++++++++++++++++------------------------- + 1 file changed, 53 insertions(+), 53 deletions(-) + +--- a/drivers/net/phy/phy.c ++++ b/drivers/net/phy/phy.c +@@ -243,59 +243,6 @@ static void phy_sanitize_settings(struct + } + } + +-int phy_ethtool_ksettings_set(struct phy_device *phydev, +- const struct ethtool_link_ksettings *cmd) +-{ +- __ETHTOOL_DECLARE_LINK_MODE_MASK(advertising); +- u8 autoneg = cmd->base.autoneg; +- u8 duplex = cmd->base.duplex; +- u32 speed = cmd->base.speed; +- +- if (cmd->base.phy_address != phydev->mdio.addr) +- return -EINVAL; +- +- linkmode_copy(advertising, cmd->link_modes.advertising); +- +- /* We make sure that we don't pass unsupported values in to the PHY */ +- linkmode_and(advertising, advertising, phydev->supported); +- +- /* Verify the settings we care about. */ +- if (autoneg != AUTONEG_ENABLE && autoneg != AUTONEG_DISABLE) +- return -EINVAL; +- +- if (autoneg == AUTONEG_ENABLE && linkmode_empty(advertising)) +- return -EINVAL; +- +- if (autoneg == AUTONEG_DISABLE && +- ((speed != SPEED_1000 && +- speed != SPEED_100 && +- speed != SPEED_10) || +- (duplex != DUPLEX_HALF && +- duplex != DUPLEX_FULL))) +- return -EINVAL; +- +- phydev->autoneg = autoneg; +- +- if (autoneg == AUTONEG_DISABLE) { +- phydev->speed = speed; +- phydev->duplex = duplex; +- } +- +- linkmode_copy(phydev->advertising, advertising); +- +- linkmode_mod_bit(ETHTOOL_LINK_MODE_Autoneg_BIT, +- phydev->advertising, autoneg == AUTONEG_ENABLE); +- +- phydev->master_slave_set = cmd->base.master_slave_cfg; +- phydev->mdix_ctrl = cmd->base.eth_tp_mdix_ctrl; +- +- /* Restart the PHY */ +- phy_start_aneg(phydev); +- +- return 0; +-} +-EXPORT_SYMBOL(phy_ethtool_ksettings_set); +- + void phy_ethtool_ksettings_get(struct phy_device *phydev, + struct ethtool_link_ksettings *cmd) + { +@@ -802,6 +749,59 @@ static int phy_poll_aneg_done(struct phy + return ret < 0 ? ret : 0; + } + ++int phy_ethtool_ksettings_set(struct phy_device *phydev, ++ const struct ethtool_link_ksettings *cmd) ++{ ++ __ETHTOOL_DECLARE_LINK_MODE_MASK(advertising); ++ u8 autoneg = cmd->base.autoneg; ++ u8 duplex = cmd->base.duplex; ++ u32 speed = cmd->base.speed; ++ ++ if (cmd->base.phy_address != phydev->mdio.addr) ++ return -EINVAL; ++ ++ linkmode_copy(advertising, cmd->link_modes.advertising); ++ ++ /* We make sure that we don't pass unsupported values in to the PHY */ ++ linkmode_and(advertising, advertising, phydev->supported); ++ ++ /* Verify the settings we care about. */ ++ if (autoneg != AUTONEG_ENABLE && autoneg != AUTONEG_DISABLE) ++ return -EINVAL; ++ ++ if (autoneg == AUTONEG_ENABLE && linkmode_empty(advertising)) ++ return -EINVAL; ++ ++ if (autoneg == AUTONEG_DISABLE && ++ ((speed != SPEED_1000 && ++ speed != SPEED_100 && ++ speed != SPEED_10) || ++ (duplex != DUPLEX_HALF && ++ duplex != DUPLEX_FULL))) ++ return -EINVAL; ++ ++ phydev->autoneg = autoneg; ++ ++ if (autoneg == AUTONEG_DISABLE) { ++ phydev->speed = speed; ++ phydev->duplex = duplex; ++ } ++ ++ linkmode_copy(phydev->advertising, advertising); ++ ++ linkmode_mod_bit(ETHTOOL_LINK_MODE_Autoneg_BIT, ++ phydev->advertising, autoneg == AUTONEG_ENABLE); ++ ++ phydev->master_slave_set = cmd->base.master_slave_cfg; ++ phydev->mdix_ctrl = cmd->base.eth_tp_mdix_ctrl; ++ ++ /* Restart the PHY */ ++ phy_start_aneg(phydev); ++ ++ return 0; ++} ++EXPORT_SYMBOL(phy_ethtool_ksettings_set); ++ + /** + * phy_speed_down - set speed to lowest speed supported by both link partners + * @phydev: the phy_device struct diff --git a/queue-5.14/phy-phy_start_aneg-add-an-unlocked-version.patch b/queue-5.14/phy-phy_start_aneg-add-an-unlocked-version.patch new file mode 100644 index 00000000000..f9aa5b01025 --- /dev/null +++ b/queue-5.14/phy-phy_start_aneg-add-an-unlocked-version.patch @@ -0,0 +1,81 @@ +From 707293a56f95f8e7e0cfae008010c7933fb68973 Mon Sep 17 00:00:00 2001 +From: Andrew Lunn +Date: Sun, 24 Oct 2021 21:48:04 +0200 +Subject: phy: phy_start_aneg: Add an unlocked version + +From: Andrew Lunn + +commit 707293a56f95f8e7e0cfae008010c7933fb68973 upstream. + +Split phy_start_aneg into a wrapper which takes the PHY lock, and a +helper doing the real work. This will be needed when +phy_ethtook_ksettings_set takes the lock. + +Fixes: 2d55173e71b0 ("phy: add generic function to support ksetting support") +Signed-off-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/phy.c | 30 ++++++++++++++++++++++++------ + 1 file changed, 24 insertions(+), 6 deletions(-) + +--- a/drivers/net/phy/phy.c ++++ b/drivers/net/phy/phy.c +@@ -700,7 +700,7 @@ static int phy_check_link_status(struct + } + + /** +- * phy_start_aneg - start auto-negotiation for this PHY device ++ * _phy_start_aneg - start auto-negotiation for this PHY device + * @phydev: the phy_device struct + * + * Description: Sanitizes the settings (if we're not autonegotiating +@@ -708,25 +708,43 @@ static int phy_check_link_status(struct + * If the PHYCONTROL Layer is operating, we change the state to + * reflect the beginning of Auto-negotiation or forcing. + */ +-int phy_start_aneg(struct phy_device *phydev) ++static int _phy_start_aneg(struct phy_device *phydev) + { + int err; + ++ lockdep_assert_held(&phydev->lock); ++ + if (!phydev->drv) + return -EIO; + +- mutex_lock(&phydev->lock); +- + if (AUTONEG_DISABLE == phydev->autoneg) + phy_sanitize_settings(phydev); + + err = phy_config_aneg(phydev); + if (err < 0) +- goto out_unlock; ++ return err; + + if (phy_is_started(phydev)) + err = phy_check_link_status(phydev); +-out_unlock: ++ ++ return err; ++} ++ ++/** ++ * phy_start_aneg - start auto-negotiation for this PHY device ++ * @phydev: the phy_device struct ++ * ++ * Description: Sanitizes the settings (if we're not autonegotiating ++ * them), and then calls the driver's config_aneg function. ++ * If the PHYCONTROL Layer is operating, we change the state to ++ * reflect the beginning of Auto-negotiation or forcing. ++ */ ++int phy_start_aneg(struct phy_device *phydev) ++{ ++ int err; ++ ++ mutex_lock(&phydev->lock); ++ err = _phy_start_aneg(phydev); + mutex_unlock(&phydev->lock); + + return err; diff --git a/queue-5.14/rdma-mlx5-initialize-the-odp-xarray-when-creating-an-odp-mr.patch b/queue-5.14/rdma-mlx5-initialize-the-odp-xarray-when-creating-an-odp-mr.patch new file mode 100644 index 00000000000..f9b1ccb1a9a --- /dev/null +++ b/queue-5.14/rdma-mlx5-initialize-the-odp-xarray-when-creating-an-odp-mr.patch @@ -0,0 +1,81 @@ +From 5508546631a0f555d7088203dec2614e41b5106e Mon Sep 17 00:00:00 2001 +From: Aharon Landau +Date: Tue, 19 Oct 2021 14:30:10 +0300 +Subject: RDMA/mlx5: Initialize the ODP xarray when creating an ODP MR + +From: Aharon Landau + +commit 5508546631a0f555d7088203dec2614e41b5106e upstream. + +Normally the zero fill would hide the missing initialization, but an +errant set to desc_size in reg_create() causes a crash: + + BUG: unable to handle page fault for address: 0000000800000000 + PGD 0 P4D 0 + Oops: 0000 [#1] SMP PTI + CPU: 5 PID: 890 Comm: ib_write_bw Not tainted 5.15.0-rc4+ #47 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 + RIP: 0010:mlx5_ib_dereg_mr+0x14/0x3b0 [mlx5_ib] + Code: 48 63 cd 4c 89 f7 48 89 0c 24 e8 37 30 03 e1 48 8b 0c 24 eb a0 90 0f 1f 44 00 00 41 56 41 55 41 54 55 53 48 89 fb 48 83 ec 30 <48> 8b 2f 65 48 8b 04 25 28 00 00 00 48 89 44 24 28 31 c0 8b 87 c8 + RSP: 0018:ffff88811afa3a60 EFLAGS: 00010286 + RAX: 000000000000001c RBX: 0000000800000000 RCX: 0000000000000000 + RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000800000000 + RBP: 0000000800000000 R08: 0000000000000000 R09: c0000000fffff7ff + R10: ffff88811afa38f8 R11: ffff88811afa38f0 R12: ffffffffa02c7ac0 + R13: 0000000000000000 R14: ffff88811afa3cd8 R15: ffff88810772fa00 + FS: 00007f47b9080740(0000) GS:ffff88852cd40000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000800000000 CR3: 000000010761e003 CR4: 0000000000370ea0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + Call Trace: + mlx5_ib_free_odp_mr+0x95/0xc0 [mlx5_ib] + mlx5_ib_dereg_mr+0x128/0x3b0 [mlx5_ib] + ib_dereg_mr_user+0x45/0xb0 [ib_core] + ? xas_load+0x8/0x80 + destroy_hw_idr_uobject+0x1a/0x50 [ib_uverbs] + uverbs_destroy_uobject+0x2f/0x150 [ib_uverbs] + uobj_destroy+0x3c/0x70 [ib_uverbs] + ib_uverbs_cmd_verbs+0x467/0xb00 [ib_uverbs] + ? uverbs_finalize_object+0x60/0x60 [ib_uverbs] + ? ttwu_queue_wakelist+0xa9/0xe0 + ? pty_write+0x85/0x90 + ? file_tty_write.isra.33+0x214/0x330 + ? process_echoes+0x60/0x60 + ib_uverbs_ioctl+0xa7/0x110 [ib_uverbs] + __x64_sys_ioctl+0x10d/0x8e0 + ? vfs_write+0x17f/0x260 + do_syscall_64+0x3c/0x80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +Add the missing xarray initialization and remove the desc_size set. + +Fixes: a639e66703ee ("RDMA/mlx5: Zero out ODP related items in the mlx5_ib_mr") +Link: https://lore.kernel.org/r/a4846a11c9de834663e521770da895007f9f0d30.1634642730.git.leonro@nvidia.com +Signed-off-by: Aharon Landau +Reviewed-by: Maor Gottlieb +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/mlx5/mr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/infiniband/hw/mlx5/mr.c ++++ b/drivers/infiniband/hw/mlx5/mr.c +@@ -1338,7 +1338,6 @@ static struct mlx5_ib_mr *reg_create(str + goto err_2; + } + mr->mmkey.type = MLX5_MKEY_MR; +- mr->desc_size = sizeof(struct mlx5_mtt); + mr->umem = umem; + set_mr_fields(dev, mr, umem->length, access_flags); + kvfree(in); +@@ -1532,6 +1531,7 @@ static struct ib_mr *create_user_odp_mr( + ib_umem_release(&odp->umem); + return ERR_CAST(mr); + } ++ xa_init(&mr->implicit_children); + + odp->private = mr; + err = mlx5r_store_odp_mkey(dev, &mr->mmkey); diff --git a/queue-5.14/rdma-mlx5-set-user-priority-for-dct.patch b/queue-5.14/rdma-mlx5-set-user-priority-for-dct.patch new file mode 100644 index 00000000000..fe5e45580bf --- /dev/null +++ b/queue-5.14/rdma-mlx5-set-user-priority-for-dct.patch @@ -0,0 +1,37 @@ +From 1ab52ac1e9bc9391f592c9fa8340a6e3e9c36286 Mon Sep 17 00:00:00 2001 +From: Patrisious Haddad +Date: Wed, 6 Oct 2021 12:31:53 +0300 +Subject: RDMA/mlx5: Set user priority for DCT + +From: Patrisious Haddad + +commit 1ab52ac1e9bc9391f592c9fa8340a6e3e9c36286 upstream. + +Currently, the driver doesn't set the PCP-based priority for DCT, hence +DCT response packets are transmitted without user priority. + +Fix it by setting user provided priority in the eth_prio field in the DCT +context, which in turn sets the value in the transmitted packet. + +Fixes: 776a3906b692 ("IB/mlx5: Add support for DC target QP") +Link: https://lore.kernel.org/r/5fd2d94a13f5742d8803c218927322257d53205c.1633512672.git.leonro@nvidia.com +Signed-off-by: Patrisious Haddad +Reviewed-by: Maor Gottlieb +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/mlx5/qp.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/infiniband/hw/mlx5/qp.c ++++ b/drivers/infiniband/hw/mlx5/qp.c +@@ -4309,6 +4309,8 @@ static int mlx5_ib_modify_dct(struct ib_ + MLX5_SET(dctc, dctc, mtu, attr->path_mtu); + MLX5_SET(dctc, dctc, my_addr_index, attr->ah_attr.grh.sgid_index); + MLX5_SET(dctc, dctc, hop_limit, attr->ah_attr.grh.hop_limit); ++ if (attr->ah_attr.type == RDMA_AH_ATTR_TYPE_ROCE) ++ MLX5_SET(dctc, dctc, eth_prio, attr->ah_attr.sl & 0x7); + + err = mlx5_core_create_dct(dev, &qp->dct.mdct, qp->dct.in, + MLX5_ST_SZ_BYTES(create_dct_in), out, diff --git a/queue-5.14/rdma-sa_query-use-strscpy_pad-instead-of-memcpy-to-copy-a-string.patch b/queue-5.14/rdma-sa_query-use-strscpy_pad-instead-of-memcpy-to-copy-a-string.patch new file mode 100644 index 00000000000..d9a8210843d --- /dev/null +++ b/queue-5.14/rdma-sa_query-use-strscpy_pad-instead-of-memcpy-to-copy-a-string.patch @@ -0,0 +1,84 @@ +From 64733956ebba7cc629856f4a6ee35a52bc9c023f Mon Sep 17 00:00:00 2001 +From: Mark Zhang +Date: Sun, 24 Oct 2021 09:08:20 +0300 +Subject: RDMA/sa_query: Use strscpy_pad instead of memcpy to copy a string + +From: Mark Zhang + +commit 64733956ebba7cc629856f4a6ee35a52bc9c023f upstream. + +When copying the device name, the length of the data memcpy copied exceeds +the length of the source buffer, which cause the KASAN issue below. Use +strscpy_pad() instead. + + BUG: KASAN: slab-out-of-bounds in ib_nl_set_path_rec_attrs+0x136/0x320 [ib_core] + Read of size 64 at addr ffff88811a10f5e0 by task rping/140263 + CPU: 3 PID: 140263 Comm: rping Not tainted 5.15.0-rc1+ #1 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 + Call Trace: + dump_stack_lvl+0x57/0x7d + print_address_description.constprop.0+0x1d/0xa0 + kasan_report+0xcb/0x110 + kasan_check_range+0x13d/0x180 + memcpy+0x20/0x60 + ib_nl_set_path_rec_attrs+0x136/0x320 [ib_core] + ib_nl_make_request+0x1c6/0x380 [ib_core] + send_mad+0x20a/0x220 [ib_core] + ib_sa_path_rec_get+0x3e3/0x800 [ib_core] + cma_query_ib_route+0x29b/0x390 [rdma_cm] + rdma_resolve_route+0x308/0x3e0 [rdma_cm] + ucma_resolve_route+0xe1/0x150 [rdma_ucm] + ucma_write+0x17b/0x1f0 [rdma_ucm] + vfs_write+0x142/0x4d0 + ksys_write+0x133/0x160 + do_syscall_64+0x43/0x90 + entry_SYSCALL_64_after_hwframe+0x44/0xae + RIP: 0033:0x7f26499aa90f + Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 29 fd ff ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 5c fd ff ff 48 + RSP: 002b:00007f26495f2dc0 EFLAGS: 00000293 ORIG_RAX: 0000000000000001 + RAX: ffffffffffffffda RBX: 00000000000007d0 RCX: 00007f26499aa90f + RDX: 0000000000000010 RSI: 00007f26495f2e00 RDI: 0000000000000003 + RBP: 00005632a8315440 R08: 0000000000000000 R09: 0000000000000001 + R10: 0000000000000000 R11: 0000000000000293 R12: 00007f26495f2e00 + R13: 00005632a83154e0 R14: 00005632a8315440 R15: 00005632a830a810 + + Allocated by task 131419: + kasan_save_stack+0x1b/0x40 + __kasan_kmalloc+0x7c/0x90 + proc_self_get_link+0x8b/0x100 + pick_link+0x4f1/0x5c0 + step_into+0x2eb/0x3d0 + walk_component+0xc8/0x2c0 + link_path_walk+0x3b8/0x580 + path_openat+0x101/0x230 + do_filp_open+0x12e/0x240 + do_sys_openat2+0x115/0x280 + __x64_sys_openat+0xce/0x140 + do_syscall_64+0x43/0x90 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +Fixes: 2ca546b92a02 ("IB/sa: Route SA pathrecord query through netlink") +Link: https://lore.kernel.org/r/72ede0f6dab61f7f23df9ac7a70666e07ef314b0.1635055496.git.leonro@nvidia.com +Signed-off-by: Mark Zhang +Reviewed-by: Mark Bloch +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/core/sa_query.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/infiniband/core/sa_query.c ++++ b/drivers/infiniband/core/sa_query.c +@@ -760,8 +760,9 @@ static void ib_nl_set_path_rec_attrs(str + + /* Construct the family header first */ + header = skb_put(skb, NLMSG_ALIGN(sizeof(*header))); +- memcpy(header->device_name, dev_name(&query->port->agent->device->dev), +- LS_DEVICE_NAME_MAX); ++ strscpy_pad(header->device_name, ++ dev_name(&query->port->agent->device->dev), ++ LS_DEVICE_NAME_MAX); + header->port_num = query->port->port_num; + + if ((comp_mask & IB_SA_PATH_REC_REVERSIBLE) && diff --git a/queue-5.14/regmap-fix-possible-double-free-in-regcache_rbtree_exit.patch b/queue-5.14/regmap-fix-possible-double-free-in-regcache_rbtree_exit.patch new file mode 100644 index 00000000000..43bc91dcc4b --- /dev/null +++ b/queue-5.14/regmap-fix-possible-double-free-in-regcache_rbtree_exit.patch @@ -0,0 +1,70 @@ +From 55e6d8037805b3400096d621091dfbf713f97e83 Mon Sep 17 00:00:00 2001 +From: Yang Yingliang +Date: Tue, 12 Oct 2021 10:37:35 +0800 +Subject: regmap: Fix possible double-free in regcache_rbtree_exit() + +From: Yang Yingliang + +commit 55e6d8037805b3400096d621091dfbf713f97e83 upstream. + +In regcache_rbtree_insert_to_block(), when 'present' realloc failed, +the 'blk' which is supposed to assign to 'rbnode->block' will be freed, +so 'rbnode->block' points a freed memory, in the error handling path of +regcache_rbtree_init(), 'rbnode->block' will be freed again in +regcache_rbtree_exit(), KASAN will report double-free as follows: + +BUG: KASAN: double-free or invalid-free in kfree+0xce/0x390 +Call Trace: + slab_free_freelist_hook+0x10d/0x240 + kfree+0xce/0x390 + regcache_rbtree_exit+0x15d/0x1a0 + regcache_rbtree_init+0x224/0x2c0 + regcache_init+0x88d/0x1310 + __regmap_init+0x3151/0x4a80 + __devm_regmap_init+0x7d/0x100 + madera_spi_probe+0x10f/0x333 [madera_spi] + spi_probe+0x183/0x210 + really_probe+0x285/0xc30 + +To fix this, moving up the assignment of rbnode->block to immediately after +the reallocation has succeeded so that the data structure stays valid even +if the second reallocation fails. + +Reported-by: Hulk Robot +Fixes: 3f4ff561bc88b ("regmap: rbtree: Make cache_present bitmap per node") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20211012023735.1632786-1-yangyingliang@huawei.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/base/regmap/regcache-rbtree.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/drivers/base/regmap/regcache-rbtree.c ++++ b/drivers/base/regmap/regcache-rbtree.c +@@ -281,14 +281,14 @@ static int regcache_rbtree_insert_to_blo + if (!blk) + return -ENOMEM; + ++ rbnode->block = blk; ++ + if (BITS_TO_LONGS(blklen) > BITS_TO_LONGS(rbnode->blklen)) { + present = krealloc(rbnode->cache_present, + BITS_TO_LONGS(blklen) * sizeof(*present), + GFP_KERNEL); +- if (!present) { +- kfree(blk); ++ if (!present) + return -ENOMEM; +- } + + memset(present + BITS_TO_LONGS(rbnode->blklen), 0, + (BITS_TO_LONGS(blklen) - BITS_TO_LONGS(rbnode->blklen)) +@@ -305,7 +305,6 @@ static int regcache_rbtree_insert_to_blo + } + + /* update the rbnode block, its size and the base register */ +- rbnode->block = blk; + rbnode->blklen = blklen; + rbnode->base_reg = base_reg; + rbnode->cache_present = present; diff --git a/queue-5.14/reset-brcmstb-rescal-fix-incorrect-polarity-of-status-bit.patch b/queue-5.14/reset-brcmstb-rescal-fix-incorrect-polarity-of-status-bit.patch new file mode 100644 index 00000000000..345c9f70c94 --- /dev/null +++ b/queue-5.14/reset-brcmstb-rescal-fix-incorrect-polarity-of-status-bit.patch @@ -0,0 +1,33 @@ +From f33eb7f29c16ba78db3221ee02346fd832274cdd Mon Sep 17 00:00:00 2001 +From: Jim Quinlan +Date: Tue, 14 Sep 2021 15:11:21 -0700 +Subject: reset: brcmstb-rescal: fix incorrect polarity of status bit + +From: Jim Quinlan + +commit f33eb7f29c16ba78db3221ee02346fd832274cdd upstream. + +The readl_poll_timeout() should complete when the status bit +is a 1, not 0. + +Fixes: 4cf176e52397 ("reset: Add Broadcom STB RESCAL reset controller") +Signed-off-by: Jim Quinlan +Signed-off-by: Florian Fainelli +Link: https://lore.kernel.org/r/20210914221122.62315-1-f.fainelli@gmail.com +Signed-off-by: Philipp Zabel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/reset/reset-brcmstb-rescal.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/reset/reset-brcmstb-rescal.c ++++ b/drivers/reset/reset-brcmstb-rescal.c +@@ -38,7 +38,7 @@ static int brcm_rescal_reset_set(struct + } + + ret = readl_poll_timeout(base + BRCM_RESCAL_STATUS, reg, +- !(reg & BRCM_RESCAL_STATUS_BIT), 100, 1000); ++ (reg & BRCM_RESCAL_STATUS_BIT), 100, 1000); + if (ret) { + dev_err(data->dev, "time out on SATA/PCIe rescal\n"); + return ret; diff --git a/queue-5.14/revert-watchdog-itco_wdt-account-for-rebooting-on-second-timeout.patch b/queue-5.14/revert-watchdog-itco_wdt-account-for-rebooting-on-second-timeout.patch new file mode 100644 index 00000000000..4c0c3026812 --- /dev/null +++ b/queue-5.14/revert-watchdog-itco_wdt-account-for-rebooting-on-second-timeout.patch @@ -0,0 +1,69 @@ +From 6e7733ef0bb9372d5491168635f6ecba8ac3cb8a Mon Sep 17 00:00:00 2001 +From: Guenter Roeck +Date: Thu, 7 Oct 2021 17:33:02 -0700 +Subject: Revert "watchdog: iTCO_wdt: Account for rebooting on second timeout" +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Guenter Roeck + +commit 6e7733ef0bb9372d5491168635f6ecba8ac3cb8a upstream. + +This reverts commit cb011044e34c ("watchdog: iTCO_wdt: Account for +rebooting on second timeout") and commit aec42642d91f ("watchdog: iTCO_wdt: +Fix detection of SMI-off case") since those patches cause a regression +on certain boards (https://bugzilla.kernel.org/show_bug.cgi?id=213809). + +While this revert may result in some boards to only reset after twice +the configured timeout value, that is still better than a watchdog reset +after half the configured value. + +Fixes: cb011044e34c ("watchdog: iTCO_wdt: Account for rebooting on second timeout") +Fixes: aec42642d91f ("watchdog: iTCO_wdt: Fix detection of SMI-off case") +Cc: Jan Kiszka +Cc: Mantas Mikulėnas +Reported-by: Javier S. Pedro +Signed-off-by: Guenter Roeck +Link: https://lore.kernel.org/r/20211008003302.1461733-1-linux@roeck-us.net +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Greg Kroah-Hartman +--- + drivers/watchdog/iTCO_wdt.c | 12 +++--------- + 1 file changed, 3 insertions(+), 9 deletions(-) + +--- a/drivers/watchdog/iTCO_wdt.c ++++ b/drivers/watchdog/iTCO_wdt.c +@@ -71,8 +71,6 @@ + #define TCOBASE(p) ((p)->tco_res->start) + /* SMI Control and Enable Register */ + #define SMI_EN(p) ((p)->smi_res->start) +-#define TCO_EN (1 << 13) +-#define GBL_SMI_EN (1 << 0) + + #define TCO_RLD(p) (TCOBASE(p) + 0x00) /* TCO Timer Reload/Curr. Value */ + #define TCOv1_TMR(p) (TCOBASE(p) + 0x01) /* TCOv1 Timer Initial Value*/ +@@ -357,12 +355,8 @@ static int iTCO_wdt_set_timeout(struct w + + tmrval = seconds_to_ticks(p, t); + +- /* +- * If TCO SMIs are off, the timer counts down twice before rebooting. +- * Otherwise, the BIOS generally reboots when the SMI triggers. +- */ +- if (p->smi_res && +- (inl(SMI_EN(p)) & (TCO_EN | GBL_SMI_EN)) != (TCO_EN | GBL_SMI_EN)) ++ /* For TCO v1 the timer counts down twice before rebooting */ ++ if (p->iTCO_version == 1) + tmrval /= 2; + + /* from the specs: */ +@@ -527,7 +521,7 @@ static int iTCO_wdt_probe(struct platfor + * Disables TCO logic generating an SMI# + */ + val32 = inl(SMI_EN(p)); +- val32 &= ~TCO_EN; /* Turn off SMI clearing watchdog */ ++ val32 &= 0xffffdfff; /* Turn off SMI clearing watchdog */ + outl(val32, SMI_EN(p)); + } + diff --git a/queue-5.14/riscv-bpf-fix-potential-null-dereference.patch b/queue-5.14/riscv-bpf-fix-potential-null-dereference.patch new file mode 100644 index 00000000000..c7baef21a83 --- /dev/null +++ b/queue-5.14/riscv-bpf-fix-potential-null-dereference.patch @@ -0,0 +1,40 @@ +From 27de809a3d83a6199664479ebb19712533d6fd9b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Bj=C3=B6rn=20T=C3=B6pel?= +Date: Thu, 28 Oct 2021 14:51:15 +0200 +Subject: riscv, bpf: Fix potential NULL dereference +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Björn Töpel + +commit 27de809a3d83a6199664479ebb19712533d6fd9b upstream. + +The bpf_jit_binary_free() function requires a non-NULL argument. When +the RISC-V BPF JIT fails to converge in NR_JIT_ITERATIONS steps, +jit_data->header will be NULL, which triggers a NULL +dereference. Avoid this by checking the argument, prior calling the +function. + +Fixes: ca6cb5447cec ("riscv, bpf: Factor common RISC-V JIT code") +Signed-off-by: Björn Töpel +Acked-by: Daniel Borkmann +Link: https://lore.kernel.org/r/20211028125115.514587-1-bjorn@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/net/bpf_jit_core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/riscv/net/bpf_jit_core.c ++++ b/arch/riscv/net/bpf_jit_core.c +@@ -125,7 +125,8 @@ struct bpf_prog *bpf_int_jit_compile(str + + if (i == NR_JIT_ITERATIONS) { + pr_err("bpf-jit: image did not converge in <%d passes!\n", i); +- bpf_jit_binary_free(jit_data->header); ++ if (jit_data->header) ++ bpf_jit_binary_free(jit_data->header); + prog = orig_prog; + goto out_offset; + } diff --git a/queue-5.14/series b/queue-5.14/series index d17d647b034..363c9448270 100644 --- a/queue-5.14/series +++ b/queue-5.14/series @@ -54,3 +54,42 @@ drm-amd-display-increase-watermark-latencies-for-dcn3.1.patch drm-amd-display-moved-dccg-init-to-after-bios-golden-init.patch drm-amd-display-fallback-to-clocks-which-meet-requested-voltage-on-dcn31.patch drm-amd-display-fix-deadlock-when-falling-back-to-v2-from-v3.patch +revert-watchdog-itco_wdt-account-for-rebooting-on-second-timeout.patch +cgroup-fix-memory-leak-caused-by-missing-cgroup_bpf_offline.patch +riscv-bpf-fix-potential-null-dereference.patch +tcp_bpf-fix-one-concurrency-problem-in-the-tcp_bpf_send_verdict-function.patch +bpf-fix-potential-race-in-tail-call-compatibility-check.patch +bpf-fix-error-usage-of-map_fd-and-fdget-in-generic_map_update_batch.patch +ib-qib-protect-from-buffer-overflow-in-struct-qib_user_sdma_pkt-fields.patch +ib-hfi1-fix-abba-locking-issue-with-sc_disable.patch +nvmet-tcp-fix-data-digest-pointer-calculation.patch +nvme-tcp-fix-data-digest-pointer-calculation.patch +nvme-tcp-fix-possible-req-offset-corruption.patch +octeontx2-af-display-all-enabled-pf-vf-rsrc_alloc-entries.patch +octeontx2-af-fix-possible-null-pointer-dereference.patch +ice-respond-to-a-netdev_unregister-event-for-lag.patch +rdma-mlx5-set-user-priority-for-dct.patch +ice-check-whether-ptp-is-initialized-in-ice_ptp_release.patch +arm64-dts-allwinner-h5-nanopi-neo-2-fix-ethernet-node.patch +reset-brcmstb-rescal-fix-incorrect-polarity-of-status-bit.patch +regmap-fix-possible-double-free-in-regcache_rbtree_exit.patch +net-batman-adv-fix-error-handling.patch +net-sysfs-initialize-uid-and-gid-before-calling-net_ns_get_ownership.patch +cfg80211-correct-bridge-4addr-mode-check.patch +net-prevent-infinite-while-loop-in-skb_tx_hash.patch +rdma-mlx5-initialize-the-odp-xarray-when-creating-an-odp-mr.patch +rdma-sa_query-use-strscpy_pad-instead-of-memcpy-to-copy-a-string.patch +gpio-xgs-iproc-fix-parsing-of-ngpios-property.patch +nios2-make-nios2_dtb_source_bool-depend-on-compile_test.patch +mlxsw-pci-recycle-received-packet-upon-allocation-failure.patch +net-ethernet-microchip-lan743x-fix-driver-crash-when-lan743x_pm_resume-fails.patch +net-ethernet-microchip-lan743x-fix-dma-allocation-failure-by-using-dma_set_mask_and_coherent.patch +net-nxp-lpc_eth.c-avoid-hang-when-bringing-interface-down.patch +net-hns3-fix-pause-config-problem-after-autoneg-disabled.patch +net-hns3-fix-data-endian-problem-of-some-functions-of-debugfs.patch +net-ethernet-microchip-lan743x-fix-skb-allocation-failure.patch +net-tls-fix-flipped-sign-in-async_wait.err-assignment.patch +phy-phy_ethtool_ksettings_get-lock-the-phy-for-consistency.patch +phy-phy_ethtool_ksettings_set-move-after-phy_start_aneg.patch +phy-phy_start_aneg-add-an-unlocked-version.patch +phy-phy_ethtool_ksettings_set-lock-the-phy-while-changing-settings.patch diff --git a/queue-5.14/tcp_bpf-fix-one-concurrency-problem-in-the-tcp_bpf_send_verdict-function.patch b/queue-5.14/tcp_bpf-fix-one-concurrency-problem-in-the-tcp_bpf_send_verdict-function.patch new file mode 100644 index 00000000000..525610c0152 --- /dev/null +++ b/queue-5.14/tcp_bpf-fix-one-concurrency-problem-in-the-tcp_bpf_send_verdict-function.patch @@ -0,0 +1,82 @@ +From cd9733f5d75c94a32544d6ce5be47e14194cf137 Mon Sep 17 00:00:00 2001 +From: Liu Jian +Date: Tue, 12 Oct 2021 13:20:19 +0800 +Subject: tcp_bpf: Fix one concurrency problem in the tcp_bpf_send_verdict function + +From: Liu Jian + +commit cd9733f5d75c94a32544d6ce5be47e14194cf137 upstream. + +With two Msgs, msgA and msgB and a user doing nonblocking sendmsg calls (or +multiple cores) on a single socket 'sk' we could get the following flow. + + msgA, sk msgB, sk + ----------- --------------- + tcp_bpf_sendmsg() + lock(sk) + psock = sk->psock + tcp_bpf_sendmsg() + lock(sk) ... blocking +tcp_bpf_send_verdict +if (psock->eval == NONE) + psock->eval = sk_psock_msg_verdict + .. + < handle SK_REDIRECT case > + release_sock(sk) < lock dropped so grab here > + ret = tcp_bpf_sendmsg_redir + psock = sk->psock + tcp_bpf_send_verdict + lock_sock(sk) ... blocking on B + if (psock->eval == NONE) <- boom. + psock->eval will have msgA state + +The problem here is we dropped the lock on msgA and grabbed it with msgB. +Now we have old state in psock and importantly psock->eval has not been +cleared. So msgB will run whatever action was done on A and the verdict +program may never see it. + +Fixes: 604326b41a6fb ("bpf, sockmap: convert to generic sk_msg interface") +Signed-off-by: Liu Jian +Signed-off-by: Alexei Starovoitov +Acked-by: John Fastabend +Link: https://lore.kernel.org/bpf/20211012052019.184398-1-liujian56@huawei.com +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_bpf.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/net/ipv4/tcp_bpf.c ++++ b/net/ipv4/tcp_bpf.c +@@ -232,6 +232,7 @@ static int tcp_bpf_send_verdict(struct s + bool cork = false, enospc = sk_msg_full(msg); + struct sock *sk_redir; + u32 tosend, delta = 0; ++ u32 eval = __SK_NONE; + int ret; + + more_data: +@@ -275,13 +276,24 @@ more_data: + case __SK_REDIRECT: + sk_redir = psock->sk_redir; + sk_msg_apply_bytes(psock, tosend); ++ if (!psock->apply_bytes) { ++ /* Clean up before releasing the sock lock. */ ++ eval = psock->eval; ++ psock->eval = __SK_NONE; ++ psock->sk_redir = NULL; ++ } + if (psock->cork) { + cork = true; + psock->cork = NULL; + } + sk_msg_return(sk, msg, tosend); + release_sock(sk); ++ + ret = tcp_bpf_sendmsg_redir(sk_redir, msg, tosend, flags); ++ ++ if (eval == __SK_REDIRECT) ++ sock_put(sk_redir); ++ + lock_sock(sk); + if (unlikely(ret < 0)) { + int free = sk_msg_free_nocharge(sk, msg);