From: Sasha Levin Date: Mon, 26 Jul 2021 02:40:52 +0000 (-0400) Subject: Fixes for 5.13 X-Git-Tag: v4.4.277~82 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=36d924424b98b0a160236903ba64e5d8395c4718;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.13 Signed-off-by: Sasha Levin --- diff --git a/queue-5.13/acpi-kconfig-fix-table-override-from-built-in-initrd.patch b/queue-5.13/acpi-kconfig-fix-table-override-from-built-in-initrd.patch new file mode 100644 index 00000000000..29fa80063db --- /dev/null +++ b/queue-5.13/acpi-kconfig-fix-table-override-from-built-in-initrd.patch @@ -0,0 +1,39 @@ +From d9ed57fcb3d5aab70b64446839f83232d6aefc70 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jul 2021 11:26:01 +0200 +Subject: ACPI: Kconfig: Fix table override from built-in initrd + +From: Robert Richter + +[ Upstream commit d2cbbf1fe503c07e466c62f83aa1926d74d15821 ] + +During a rework of initramfs code the INITRAMFS_COMPRESSION config +option was removed in commit 65e00e04e5ae. A leftover as a dependency +broke the config option ACPI_TABLE_OVERRIDE_VIA_ BUILTIN_INITRD that +is used to enable the overriding of ACPI tables from built-in initrd. +Fixing the dependency. + +Fixes: 65e00e04e5ae ("initramfs: refactor the initramfs build rules") +Signed-off-by: Robert Richter +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/acpi/Kconfig b/drivers/acpi/Kconfig +index eedec61e3476..226f849fe7dc 100644 +--- a/drivers/acpi/Kconfig ++++ b/drivers/acpi/Kconfig +@@ -370,7 +370,7 @@ config ACPI_TABLE_UPGRADE + config ACPI_TABLE_OVERRIDE_VIA_BUILTIN_INITRD + bool "Override ACPI tables from built-in initrd" + depends on ACPI_TABLE_UPGRADE +- depends on INITRAMFS_SOURCE!="" && INITRAMFS_COMPRESSION="" ++ depends on INITRAMFS_SOURCE!="" && INITRAMFS_COMPRESSION_NONE + help + This option provides functionality to override arbitrary ACPI tables + from built-in uncompressed initrd. +-- +2.30.2 + diff --git a/queue-5.13/acpi-utils-fix-reference-counting-in-for_each_acpi_d.patch b/queue-5.13/acpi-utils-fix-reference-counting-in-for_each_acpi_d.patch new file mode 100644 index 00000000000..5faf7190250 --- /dev/null +++ b/queue-5.13/acpi-utils-fix-reference-counting-in-for_each_acpi_d.patch @@ -0,0 +1,117 @@ +From 9b33ed3a4be3985e11c6bc81e5789262794164b6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jul 2021 21:21:21 +0300 +Subject: ACPI: utils: Fix reference counting in for_each_acpi_dev_match() + +From: Andy Shevchenko + +[ Upstream commit 71f6428332844f38c7cb10461d9f29e9c9b983a0 ] + +Currently it's possible to iterate over the dangling pointer in case the device +suddenly disappears. This may happen becase callers put it at the end of a loop. + +Instead, let's move that call inside acpi_dev_get_next_match_dev(). + +Fixes: 803abec64ef9 ("media: ipu3-cio2: Add cio2-bridge to ipu3-cio2 driver") +Fixes: bf263f64e804 ("media: ACPI / bus: Add acpi_dev_get_next_match_dev() and helper macro") +Fixes: edbd1bc4951e ("efi/dev-path-parser: Switch to use for_each_acpi_dev_match()") +Signed-off-by: Andy Shevchenko +Reviewed-by: Daniel Scally +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/utils.c | 7 +++---- + drivers/firmware/efi/dev-path-parser.c | 1 - + drivers/media/pci/intel/ipu3/cio2-bridge.c | 6 ++---- + include/acpi/acpi_bus.h | 5 ----- + 4 files changed, 5 insertions(+), 14 deletions(-) + +diff --git a/drivers/acpi/utils.c b/drivers/acpi/utils.c +index 3b54b8fd7396..27ec9d57f3b8 100644 +--- a/drivers/acpi/utils.c ++++ b/drivers/acpi/utils.c +@@ -846,11 +846,9 @@ EXPORT_SYMBOL(acpi_dev_present); + * Return the next match of ACPI device if another matching device was present + * at the moment of invocation, or NULL otherwise. + * +- * FIXME: The function does not tolerate the sudden disappearance of @adev, e.g. +- * in the case of a hotplug event. That said, the caller should ensure that +- * this will never happen. +- * + * The caller is responsible for invoking acpi_dev_put() on the returned device. ++ * On the other hand the function invokes acpi_dev_put() on the given @adev ++ * assuming that its reference counter had been increased beforehand. + * + * See additional information in acpi_dev_present() as well. + */ +@@ -866,6 +864,7 @@ acpi_dev_get_next_match_dev(struct acpi_device *adev, const char *hid, const cha + match.hrv = hrv; + + dev = bus_find_device(&acpi_bus_type, start, &match, acpi_dev_match_cb); ++ acpi_dev_put(adev); + return dev ? to_acpi_device(dev) : NULL; + } + EXPORT_SYMBOL(acpi_dev_get_next_match_dev); +diff --git a/drivers/firmware/efi/dev-path-parser.c b/drivers/firmware/efi/dev-path-parser.c +index 10d4457417a4..eb9c65f97841 100644 +--- a/drivers/firmware/efi/dev-path-parser.c ++++ b/drivers/firmware/efi/dev-path-parser.c +@@ -34,7 +34,6 @@ static long __init parse_acpi_path(const struct efi_dev_path *node, + break; + if (!adev->pnp.unique_id && node->acpi.uid == 0) + break; +- acpi_dev_put(adev); + } + if (!adev) + return -ENODEV; +diff --git a/drivers/media/pci/intel/ipu3/cio2-bridge.c b/drivers/media/pci/intel/ipu3/cio2-bridge.c +index 4657e99df033..59a36f922675 100644 +--- a/drivers/media/pci/intel/ipu3/cio2-bridge.c ++++ b/drivers/media/pci/intel/ipu3/cio2-bridge.c +@@ -173,10 +173,8 @@ static int cio2_bridge_connect_sensor(const struct cio2_sensor_config *cfg, + int ret; + + for_each_acpi_dev_match(adev, cfg->hid, NULL, -1) { +- if (!adev->status.enabled) { +- acpi_dev_put(adev); ++ if (!adev->status.enabled) + continue; +- } + + if (bridge->n_sensors >= CIO2_NUM_PORTS) { + acpi_dev_put(adev); +@@ -185,7 +183,6 @@ static int cio2_bridge_connect_sensor(const struct cio2_sensor_config *cfg, + } + + sensor = &bridge->sensors[bridge->n_sensors]; +- sensor->adev = adev; + strscpy(sensor->name, cfg->hid, sizeof(sensor->name)); + + ret = cio2_bridge_read_acpi_buffer(adev, "SSDB", +@@ -215,6 +212,7 @@ static int cio2_bridge_connect_sensor(const struct cio2_sensor_config *cfg, + goto err_free_swnodes; + } + ++ sensor->adev = acpi_dev_get(adev); + adev->fwnode.secondary = fwnode; + + dev_info(&cio2->dev, "Found supported sensor %s\n", +diff --git a/include/acpi/acpi_bus.h b/include/acpi/acpi_bus.h +index 3a82faac5767..bff6a11bb21f 100644 +--- a/include/acpi/acpi_bus.h ++++ b/include/acpi/acpi_bus.h +@@ -698,11 +698,6 @@ acpi_dev_get_first_match_dev(const char *hid, const char *uid, s64 hrv); + * @hrv: Hardware Revision of the device, pass -1 to not check _HRV + * + * The caller is responsible for invoking acpi_dev_put() on the returned device. +- * +- * FIXME: Due to above requirement there is a window that may invalidate @adev +- * and next iteration will use a dangling pointer, e.g. in the case of a +- * hotplug event. That said, the caller should ensure that this will never +- * happen. + */ + #define for_each_acpi_dev_match(adev, hid, uid, hrv) \ + for (adev = acpi_dev_get_first_match_dev(hid, uid, hrv); \ +-- +2.30.2 + diff --git a/queue-5.13/afs-check-function-return.patch b/queue-5.13/afs-check-function-return.patch new file mode 100644 index 00000000000..2b947e88387 --- /dev/null +++ b/queue-5.13/afs-check-function-return.patch @@ -0,0 +1,67 @@ +From ded551fd7f2c606ad13903a8d9fb0d2bb182d821 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Apr 2021 08:50:31 -0700 +Subject: afs: check function return + +From: Tom Rix + +[ Upstream commit afe6949862f77bcc14fa16ad7938a04e84586d6a ] + +Static analysis reports this problem + +write.c:773:29: warning: Assigned value is garbage or undefined + mapping->writeback_index = next; + ^ ~~~~ +The call to afs_writepages_region() can return without setting +next. So check the function return before using next. + +Changes: + ver #2: + - Need to fix the range_cyclic case also[1]. + +Fixes: e87b03f5830e ("afs: Prepare for use of THPs") +Signed-off-by: Tom Rix +Signed-off-by: David Howells +Reviewed-by: Marc Dionne +cc: linux-afs@lists.infradead.org +Link: https://lore.kernel.org/r/20210430155031.3287870-1-trix@redhat.com +Link: https://lore.kernel.org/r/CAB9dFdvHsLsw7CMnB+4cgciWDSqVjuij4mH3TaXnHQB8sz5rHw@mail.gmail.com/ [1] +Link: https://lore.kernel.org/r/162609464716.3133237.10354897554363093252.stgit@warthog.procyon.org.uk/ # v1 +Link: https://lore.kernel.org/r/162610727640.3408253.8687445613469681311.stgit@warthog.procyon.org.uk/ # v2 +Signed-off-by: Sasha Levin +--- + fs/afs/write.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +diff --git a/fs/afs/write.c b/fs/afs/write.c +index 3104b62c2082..1ed62e0ccfe5 100644 +--- a/fs/afs/write.c ++++ b/fs/afs/write.c +@@ -771,13 +771,19 @@ int afs_writepages(struct address_space *mapping, + if (wbc->range_cyclic) { + start = mapping->writeback_index * PAGE_SIZE; + ret = afs_writepages_region(mapping, wbc, start, LLONG_MAX, &next); +- if (start > 0 && wbc->nr_to_write > 0 && ret == 0) +- ret = afs_writepages_region(mapping, wbc, 0, start, +- &next); +- mapping->writeback_index = next / PAGE_SIZE; ++ if (ret == 0) { ++ mapping->writeback_index = next / PAGE_SIZE; ++ if (start > 0 && wbc->nr_to_write > 0) { ++ ret = afs_writepages_region(mapping, wbc, 0, ++ start, &next); ++ if (ret == 0) ++ mapping->writeback_index = ++ next / PAGE_SIZE; ++ } ++ } + } else if (wbc->range_start == 0 && wbc->range_end == LLONG_MAX) { + ret = afs_writepages_region(mapping, wbc, 0, LLONG_MAX, &next); +- if (wbc->nr_to_write > 0) ++ if (wbc->nr_to_write > 0 && ret == 0) + mapping->writeback_index = next; + } else { + ret = afs_writepages_region(mapping, wbc, +-- +2.30.2 + diff --git a/queue-5.13/afs-fix-setting-of-writeback_index.patch b/queue-5.13/afs-fix-setting-of-writeback_index.patch new file mode 100644 index 00000000000..88db3fafae1 --- /dev/null +++ b/queue-5.13/afs-fix-setting-of-writeback_index.patch @@ -0,0 +1,40 @@ +From a990dead298b7aebcf47069a8a44342b5ae57555 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jul 2021 17:04:47 +0100 +Subject: afs: Fix setting of writeback_index + +From: David Howells + +[ Upstream commit 5a972474cf685bf99ca430979657095bda3a15c8 ] + +Fix afs_writepages() to always set mapping->writeback_index to a page index +and not a byte position[1]. + +Fixes: 31143d5d515e ("AFS: implement basic file write support") +Reported-by: Marc Dionne +Signed-off-by: David Howells +Reviewed-by: Marc Dionne +cc: linux-afs@lists.infradead.org +Link: https://lore.kernel.org/r/CAB9dFdvHsLsw7CMnB+4cgciWDSqVjuij4mH3TaXnHQB8sz5rHw@mail.gmail.com/ [1] +Link: https://lore.kernel.org/r/162610728339.3408253.4604750166391496546.stgit@warthog.procyon.org.uk/ # v2 (no v1) +Signed-off-by: Sasha Levin +--- + fs/afs/write.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/afs/write.c b/fs/afs/write.c +index 1ed62e0ccfe5..c0534697268e 100644 +--- a/fs/afs/write.c ++++ b/fs/afs/write.c +@@ -784,7 +784,7 @@ int afs_writepages(struct address_space *mapping, + } else if (wbc->range_start == 0 && wbc->range_end == LLONG_MAX) { + ret = afs_writepages_region(mapping, wbc, 0, LLONG_MAX, &next); + if (wbc->nr_to_write > 0 && ret == 0) +- mapping->writeback_index = next; ++ mapping->writeback_index = next / PAGE_SIZE; + } else { + ret = afs_writepages_region(mapping, wbc, + wbc->range_start, wbc->range_end, &next); +-- +2.30.2 + diff --git a/queue-5.13/afs-fix-tracepoint-string-placement-with-built-in-af.patch b/queue-5.13/afs-fix-tracepoint-string-placement-with-built-in-af.patch new file mode 100644 index 00000000000..b2b2909b917 --- /dev/null +++ b/queue-5.13/afs-fix-tracepoint-string-placement-with-built-in-af.patch @@ -0,0 +1,284 @@ +From 5ea6a4f4aef5c3b796659c564943431e3f2ef134 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Jun 2021 11:57:26 +0100 +Subject: afs: Fix tracepoint string placement with built-in AFS + +From: David Howells + +[ Upstream commit 6c881ca0b3040f3e724eae513117ba4ddef86057 ] + +To quote Alexey[1]: + + I was adding custom tracepoint to the kernel, grabbed full F34 kernel + .config, disabled modules and booted whole shebang as VM kernel. + + Then did + + perf record -a -e ... + + It crashed: + + general protection fault, probably for non-canonical address 0x435f5346592e4243: 0000 [#1] SMP PTI + CPU: 1 PID: 842 Comm: cat Not tainted 5.12.6+ #26 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014 + RIP: 0010:t_show+0x22/0xd0 + + Then reproducer was narrowed to + + # cat /sys/kernel/tracing/printk_formats + + Original F34 kernel with modules didn't crash. + + So I started to disable options and after disabling AFS everything + started working again. + + The root cause is that AFS was placing char arrays content into a + section full of _pointers_ to strings with predictable consequences. + + Non canonical address 435f5346592e4243 is "CB.YFS_" which came from + CM_NAME macro. + + Steps to reproduce: + + CONFIG_AFS=y + CONFIG_TRACING=y + + # cat /sys/kernel/tracing/printk_formats + +Fix this by the following means: + + (1) Add enum->string translation tables in the event header with the AFS + and YFS cache/callback manager operations listed by RPC operation ID. + + (2) Modify the afs_cb_call tracepoint to print the string from the + translation table rather than using the string at the afs_call name + pointer. + + (3) Switch translation table depending on the service we're being accessed + as (AFS or YFS) in the tracepoint print clause. Will this cause + problems to userspace utilities? + + Note that the symbolic representation of the YFS service ID isn't + available to this header, so I've put it in as a number. I'm not sure + if this is the best way to do this. + + (4) Remove the name wrangling (CM_NAME) macro and put the names directly + into the afs_call_type structs in cmservice.c. + +Fixes: 8e8d7f13b6d5a9 ("afs: Add some tracepoints") +Reported-by: Alexey Dobriyan (SK hynix) +Signed-off-by: David Howells +Reviewed-by: Steven Rostedt (VMware) +Reviewed-by: Marc Dionne +cc: Andrew Morton +cc: linux-afs@lists.infradead.org +Link: https://lore.kernel.org/r/YLAXfvZ+rObEOdc%2F@localhost.localdomain/ [1] +Link: https://lore.kernel.org/r/643721.1623754699@warthog.procyon.org.uk/ +Link: https://lore.kernel.org/r/162430903582.2896199.6098150063997983353.stgit@warthog.procyon.org.uk/ # v1 +Link: https://lore.kernel.org/r/162609463957.3133237.15916579353149746363.stgit@warthog.procyon.org.uk/ # v1 (repost) +Link: https://lore.kernel.org/r/162610726860.3408253.445207609466288531.stgit@warthog.procyon.org.uk/ # v2 +Signed-off-by: Sasha Levin +--- + fs/afs/cmservice.c | 25 ++++---------- + include/trace/events/afs.h | 67 +++++++++++++++++++++++++++++++++++--- + 2 files changed, 69 insertions(+), 23 deletions(-) + +diff --git a/fs/afs/cmservice.c b/fs/afs/cmservice.c +index d3c6bb22c5f4..a3f5de28be79 100644 +--- a/fs/afs/cmservice.c ++++ b/fs/afs/cmservice.c +@@ -29,16 +29,11 @@ static void SRXAFSCB_TellMeAboutYourself(struct work_struct *); + + static int afs_deliver_yfs_cb_callback(struct afs_call *); + +-#define CM_NAME(name) \ +- char afs_SRXCB##name##_name[] __tracepoint_string = \ +- "CB." #name +- + /* + * CB.CallBack operation type + */ +-static CM_NAME(CallBack); + static const struct afs_call_type afs_SRXCBCallBack = { +- .name = afs_SRXCBCallBack_name, ++ .name = "CB.CallBack", + .deliver = afs_deliver_cb_callback, + .destructor = afs_cm_destructor, + .work = SRXAFSCB_CallBack, +@@ -47,9 +42,8 @@ static const struct afs_call_type afs_SRXCBCallBack = { + /* + * CB.InitCallBackState operation type + */ +-static CM_NAME(InitCallBackState); + static const struct afs_call_type afs_SRXCBInitCallBackState = { +- .name = afs_SRXCBInitCallBackState_name, ++ .name = "CB.InitCallBackState", + .deliver = afs_deliver_cb_init_call_back_state, + .destructor = afs_cm_destructor, + .work = SRXAFSCB_InitCallBackState, +@@ -58,9 +52,8 @@ static const struct afs_call_type afs_SRXCBInitCallBackState = { + /* + * CB.InitCallBackState3 operation type + */ +-static CM_NAME(InitCallBackState3); + static const struct afs_call_type afs_SRXCBInitCallBackState3 = { +- .name = afs_SRXCBInitCallBackState3_name, ++ .name = "CB.InitCallBackState3", + .deliver = afs_deliver_cb_init_call_back_state3, + .destructor = afs_cm_destructor, + .work = SRXAFSCB_InitCallBackState, +@@ -69,9 +62,8 @@ static const struct afs_call_type afs_SRXCBInitCallBackState3 = { + /* + * CB.Probe operation type + */ +-static CM_NAME(Probe); + static const struct afs_call_type afs_SRXCBProbe = { +- .name = afs_SRXCBProbe_name, ++ .name = "CB.Probe", + .deliver = afs_deliver_cb_probe, + .destructor = afs_cm_destructor, + .work = SRXAFSCB_Probe, +@@ -80,9 +72,8 @@ static const struct afs_call_type afs_SRXCBProbe = { + /* + * CB.ProbeUuid operation type + */ +-static CM_NAME(ProbeUuid); + static const struct afs_call_type afs_SRXCBProbeUuid = { +- .name = afs_SRXCBProbeUuid_name, ++ .name = "CB.ProbeUuid", + .deliver = afs_deliver_cb_probe_uuid, + .destructor = afs_cm_destructor, + .work = SRXAFSCB_ProbeUuid, +@@ -91,9 +82,8 @@ static const struct afs_call_type afs_SRXCBProbeUuid = { + /* + * CB.TellMeAboutYourself operation type + */ +-static CM_NAME(TellMeAboutYourself); + static const struct afs_call_type afs_SRXCBTellMeAboutYourself = { +- .name = afs_SRXCBTellMeAboutYourself_name, ++ .name = "CB.TellMeAboutYourself", + .deliver = afs_deliver_cb_tell_me_about_yourself, + .destructor = afs_cm_destructor, + .work = SRXAFSCB_TellMeAboutYourself, +@@ -102,9 +92,8 @@ static const struct afs_call_type afs_SRXCBTellMeAboutYourself = { + /* + * YFS CB.CallBack operation type + */ +-static CM_NAME(YFS_CallBack); + static const struct afs_call_type afs_SRXYFSCB_CallBack = { +- .name = afs_SRXCBYFS_CallBack_name, ++ .name = "YFSCB.CallBack", + .deliver = afs_deliver_yfs_cb_callback, + .destructor = afs_cm_destructor, + .work = SRXAFSCB_CallBack, +diff --git a/include/trace/events/afs.h b/include/trace/events/afs.h +index 3ccf591b2374..9f73ed2cf061 100644 +--- a/include/trace/events/afs.h ++++ b/include/trace/events/afs.h +@@ -174,6 +174,34 @@ enum afs_vl_operation { + afs_VL_GetCapabilities = 65537, /* AFS Get VL server capabilities */ + }; + ++enum afs_cm_operation { ++ afs_CB_CallBack = 204, /* AFS break callback promises */ ++ afs_CB_InitCallBackState = 205, /* AFS initialise callback state */ ++ afs_CB_Probe = 206, /* AFS probe client */ ++ afs_CB_GetLock = 207, /* AFS get contents of CM lock table */ ++ afs_CB_GetCE = 208, /* AFS get cache file description */ ++ afs_CB_GetXStatsVersion = 209, /* AFS get version of extended statistics */ ++ afs_CB_GetXStats = 210, /* AFS get contents of extended statistics data */ ++ afs_CB_InitCallBackState3 = 213, /* AFS initialise callback state, version 3 */ ++ afs_CB_ProbeUuid = 214, /* AFS check the client hasn't rebooted */ ++}; ++ ++enum yfs_cm_operation { ++ yfs_CB_Probe = 206, /* YFS probe client */ ++ yfs_CB_GetLock = 207, /* YFS get contents of CM lock table */ ++ yfs_CB_XStatsVersion = 209, /* YFS get version of extended statistics */ ++ yfs_CB_GetXStats = 210, /* YFS get contents of extended statistics data */ ++ yfs_CB_InitCallBackState3 = 213, /* YFS initialise callback state, version 3 */ ++ yfs_CB_ProbeUuid = 214, /* YFS check the client hasn't rebooted */ ++ yfs_CB_GetServerPrefs = 215, ++ yfs_CB_GetCellServDV = 216, ++ yfs_CB_GetLocalCell = 217, ++ yfs_CB_GetCacheConfig = 218, ++ yfs_CB_GetCellByNum = 65537, ++ yfs_CB_TellMeAboutYourself = 65538, /* get client capabilities */ ++ yfs_CB_CallBack = 64204, ++}; ++ + enum afs_edit_dir_op { + afs_edit_dir_create, + afs_edit_dir_create_error, +@@ -436,6 +464,32 @@ enum afs_cb_break_reason { + EM(afs_YFSVL_GetCellName, "YFSVL.GetCellName") \ + E_(afs_VL_GetCapabilities, "VL.GetCapabilities") + ++#define afs_cm_operations \ ++ EM(afs_CB_CallBack, "CB.CallBack") \ ++ EM(afs_CB_InitCallBackState, "CB.InitCallBackState") \ ++ EM(afs_CB_Probe, "CB.Probe") \ ++ EM(afs_CB_GetLock, "CB.GetLock") \ ++ EM(afs_CB_GetCE, "CB.GetCE") \ ++ EM(afs_CB_GetXStatsVersion, "CB.GetXStatsVersion") \ ++ EM(afs_CB_GetXStats, "CB.GetXStats") \ ++ EM(afs_CB_InitCallBackState3, "CB.InitCallBackState3") \ ++ E_(afs_CB_ProbeUuid, "CB.ProbeUuid") ++ ++#define yfs_cm_operations \ ++ EM(yfs_CB_Probe, "YFSCB.Probe") \ ++ EM(yfs_CB_GetLock, "YFSCB.GetLock") \ ++ EM(yfs_CB_XStatsVersion, "YFSCB.XStatsVersion") \ ++ EM(yfs_CB_GetXStats, "YFSCB.GetXStats") \ ++ EM(yfs_CB_InitCallBackState3, "YFSCB.InitCallBackState3") \ ++ EM(yfs_CB_ProbeUuid, "YFSCB.ProbeUuid") \ ++ EM(yfs_CB_GetServerPrefs, "YFSCB.GetServerPrefs") \ ++ EM(yfs_CB_GetCellServDV, "YFSCB.GetCellServDV") \ ++ EM(yfs_CB_GetLocalCell, "YFSCB.GetLocalCell") \ ++ EM(yfs_CB_GetCacheConfig, "YFSCB.GetCacheConfig") \ ++ EM(yfs_CB_GetCellByNum, "YFSCB.GetCellByNum") \ ++ EM(yfs_CB_TellMeAboutYourself, "YFSCB.TellMeAboutYourself") \ ++ E_(yfs_CB_CallBack, "YFSCB.CallBack") ++ + #define afs_edit_dir_ops \ + EM(afs_edit_dir_create, "create") \ + EM(afs_edit_dir_create_error, "c_fail") \ +@@ -569,6 +623,8 @@ afs_server_traces; + afs_cell_traces; + afs_fs_operations; + afs_vl_operations; ++afs_cm_operations; ++yfs_cm_operations; + afs_edit_dir_ops; + afs_edit_dir_reasons; + afs_eproto_causes; +@@ -649,20 +705,21 @@ TRACE_EVENT(afs_cb_call, + + TP_STRUCT__entry( + __field(unsigned int, call ) +- __field(const char *, name ) + __field(u32, op ) ++ __field(u16, service_id ) + ), + + TP_fast_assign( + __entry->call = call->debug_id; +- __entry->name = call->type->name; + __entry->op = call->operation_ID; ++ __entry->service_id = call->service_id; + ), + +- TP_printk("c=%08x %s o=%u", ++ TP_printk("c=%08x %s", + __entry->call, +- __entry->name, +- __entry->op) ++ __entry->service_id == 2501 ? ++ __print_symbolic(__entry->op, yfs_cm_operations) : ++ __print_symbolic(__entry->op, afs_cm_operations)) + ); + + TRACE_EVENT(afs_call, +-- +2.30.2 + diff --git a/queue-5.13/alsa-hda-intel-dsp-cfg-add-missing-elkhartlake-pci-i.patch b/queue-5.13/alsa-hda-intel-dsp-cfg-add-missing-elkhartlake-pci-i.patch new file mode 100644 index 00000000000..4051c91d34d --- /dev/null +++ b/queue-5.13/alsa-hda-intel-dsp-cfg-add-missing-elkhartlake-pci-i.patch @@ -0,0 +1,41 @@ +From 4161552d7b8d12edf1d6df4865d1593f546d394c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jul 2021 18:17:46 -0500 +Subject: ALSA: hda: intel-dsp-cfg: add missing ElkhartLake PCI ID + +From: Pierre-Louis Bossart + +[ Upstream commit 114613f62f42e7cbc1242c4e82076a0153043761 ] + +We missed the fact that ElkhartLake platforms have two different PCI +IDs. We only added one so the SOF driver is never selected by the +autodetection logic for the missing configuration. + +BugLink: https://github.com/thesofproject/linux/issues/2990 +Fixes: cc8f81c7e625 ('ALSA: hda: fix intel DSP config') +Signed-off-by: Pierre-Louis Bossart +Link: https://lore.kernel.org/r/20210719231746.557325-1-pierre-louis.bossart@linux.intel.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/hda/intel-dsp-config.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/sound/hda/intel-dsp-config.c b/sound/hda/intel-dsp-config.c +index d8be146793ee..c9d0ba353463 100644 +--- a/sound/hda/intel-dsp-config.c ++++ b/sound/hda/intel-dsp-config.c +@@ -319,6 +319,10 @@ static const struct config_entry config_table[] = { + .flags = FLAG_SOF | FLAG_SOF_ONLY_IF_DMIC, + .device = 0x4b55, + }, ++ { ++ .flags = FLAG_SOF | FLAG_SOF_ONLY_IF_DMIC, ++ .device = 0x4b58, ++ }, + #endif + + /* Alder Lake */ +-- +2.30.2 + diff --git a/queue-5.13/arm-dts-aspeed-update-e3c246d4i-vuart-properties.patch b/queue-5.13/arm-dts-aspeed-update-e3c246d4i-vuart-properties.patch new file mode 100644 index 00000000000..90720079362 --- /dev/null +++ b/queue-5.13/arm-dts-aspeed-update-e3c246d4i-vuart-properties.patch @@ -0,0 +1,51 @@ +From b273a6e683bc23bf65737f830a7933d3492b60c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Apr 2021 02:51:13 -0500 +Subject: ARM: dts: aspeed: Update e3c246d4i vuart properties + +From: Zev Weiss + +[ Upstream commit 812bae32e5d50914f75a6e036d3bde39ca86b0c3 ] + +This device-tree was merged with a provisional vuart IRQ-polarity +property that was still under review and ended up taking a somewhat +different form. This patch updates it to match the final form of the +new vuart properties, which additionally allow specifying the SIRQ +number and LPC address. + +Signed-off-by: Zev Weiss +Reviewed-by: Andrew Jeffery +Fixes: ca03042f0f12 ("serial: 8250_aspeed_vuart: add aspeed, lpc-io-reg and aspeed, lpc-interrupts DT properties") +Reviewed-by: Joel Stanley +Link: https://lore.kernel.org/r/20210416075113.18047-1-zev@bewilderbeest.net +Signed-off-by: Joel Stanley +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/aspeed-bmc-asrock-e3c246d4i.dts | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/aspeed-bmc-asrock-e3c246d4i.dts b/arch/arm/boot/dts/aspeed-bmc-asrock-e3c246d4i.dts +index dcab6e78dfa4..8be40c8283af 100644 +--- a/arch/arm/boot/dts/aspeed-bmc-asrock-e3c246d4i.dts ++++ b/arch/arm/boot/dts/aspeed-bmc-asrock-e3c246d4i.dts +@@ -4,6 +4,7 @@ + #include "aspeed-g5.dtsi" + #include + #include ++#include + + /{ + model = "ASRock E3C246D4I BMC"; +@@ -73,7 +74,8 @@ + + &vuart { + status = "okay"; +- aspeed,sirq-active-high; ++ aspeed,lpc-io-reg = <0x2f8>; ++ aspeed,lpc-interrupts = <3 IRQ_TYPE_LEVEL_HIGH>; + }; + + &mac0 { +-- +2.30.2 + diff --git a/queue-5.13/arm64-mte-fix-restoration-of-gcr_el1-from-suspend.patch b/queue-5.13/arm64-mte-fix-restoration-of-gcr_el1-from-suspend.patch new file mode 100644 index 00000000000..853c06d3387 --- /dev/null +++ b/queue-5.13/arm64-mte-fix-restoration-of-gcr_el1-from-suspend.patch @@ -0,0 +1,77 @@ +From 2b1ec6ffa87f73f4262093136a20066a4b74e637 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jul 2021 15:38:41 +0100 +Subject: arm64: mte: fix restoration of GCR_EL1 from suspend + +From: Mark Rutland + +[ Upstream commit 59f44069e0527523f27948da7b77599a73dab157 ] + +Since commit: + + bad1e1c663e0a72f ("arm64: mte: switch GCR_EL1 in kernel entry and exit") + +we saved/restored the user GCR_EL1 value at exception boundaries, and +update_gcr_el1_excl() is no longer used for this. However it is used to +restore the kernel's GCR_EL1 value when returning from a suspend state. +Thus, the comment is misleading (and an ISB is necessary). + +When restoring the kernel's GCR value, we need an ISB to ensure this is +used by subsequent instructions. We don't necessarily get an ISB by +other means (e.g. if the kernel is built without support for pointer +authentication). As __cpu_setup() initialised GCR_EL1.Exclude to 0xffff, +until a context synchronization event, allocation tag 0 may be used +rather than the desired set of tags. + +This patch drops the misleading comment, adds the missing ISB, and for +clarity folds update_gcr_el1_excl() into its only user. + +Fixes: bad1e1c663e0 ("arm64: mte: switch GCR_EL1 in kernel entry and exit") +Signed-off-by: Mark Rutland +Cc: Andrey Konovalov +Cc: Catalin Marinas +Cc: Vincenzo Frascino +Cc: Will Deacon +Link: https://lore.kernel.org/r/20210714143843.56537-2-mark.rutland@arm.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/mte.c | 15 ++------------- + 1 file changed, 2 insertions(+), 13 deletions(-) + +diff --git a/arch/arm64/kernel/mte.c b/arch/arm64/kernel/mte.c +index 125a10e413e9..23e9879a6e78 100644 +--- a/arch/arm64/kernel/mte.c ++++ b/arch/arm64/kernel/mte.c +@@ -185,18 +185,6 @@ void mte_check_tfsr_el1(void) + } + #endif + +-static void update_gcr_el1_excl(u64 excl) +-{ +- +- /* +- * Note that the mask controlled by the user via prctl() is an +- * include while GCR_EL1 accepts an exclude mask. +- * No need for ISB since this only affects EL0 currently, implicit +- * with ERET. +- */ +- sysreg_clear_set_s(SYS_GCR_EL1, SYS_GCR_EL1_EXCL_MASK, excl); +-} +- + static void set_gcr_el1_excl(u64 excl) + { + current->thread.gcr_user_excl = excl; +@@ -257,7 +245,8 @@ void mte_suspend_exit(void) + if (!system_supports_mte()) + return; + +- update_gcr_el1_excl(gcr_kernel_excl); ++ sysreg_clear_set_s(SYS_GCR_EL1, SYS_GCR_EL1_EXCL_MASK, gcr_kernel_excl); ++ isb(); + } + + long set_mte_ctrl(struct task_struct *task, unsigned long arg) +-- +2.30.2 + diff --git a/queue-5.13/asoc-rt5631-fix-regcache-sync-errors-on-resume.patch b/queue-5.13/asoc-rt5631-fix-regcache-sync-errors-on-resume.patch new file mode 100644 index 00000000000..90b94827d61 --- /dev/null +++ b/queue-5.13/asoc-rt5631-fix-regcache-sync-errors-on-resume.patch @@ -0,0 +1,43 @@ +From 353e309753c5fc5c85cf50b0627d8857e7c7575b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jul 2021 03:50:11 +0300 +Subject: ASoC: rt5631: Fix regcache sync errors on resume + +From: Maxim Schwalm + +[ Upstream commit c71f78a662611fe2c67f3155da19b0eff0f29762 ] + +The ALC5631 does not like multi-write accesses, avoid them. This fixes: + +rt5631 4-001a: Unable to sync registers 0x3a-0x3c. -121 + +errors on resume from suspend (and all registers after the registers in +the error not being synced). + +Inspired by commit 2d30e9494f1e ("ASoC: rt5651: Fix regcache sync errors +on resume") from Hans de Geode, which fixed the same errors on ALC5651. + +Signed-off-by: Maxim Schwalm +Link: https://lore.kernel.org/r/20210712005011.28536-1-digetx@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/rt5631.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/soc/codecs/rt5631.c b/sound/soc/codecs/rt5631.c +index 3000bc128b5b..38356ea2bd6e 100644 +--- a/sound/soc/codecs/rt5631.c ++++ b/sound/soc/codecs/rt5631.c +@@ -1695,6 +1695,8 @@ static const struct regmap_config rt5631_regmap_config = { + .reg_defaults = rt5631_reg, + .num_reg_defaults = ARRAY_SIZE(rt5631_reg), + .cache_type = REGCACHE_RBTREE, ++ .use_single_read = true, ++ .use_single_write = true, + }; + + static int rt5631_i2c_probe(struct i2c_client *i2c, +-- +2.30.2 + diff --git a/queue-5.13/asoc-soc-pcm-add-a-flag-to-reverse-the-stop-sequence.patch b/queue-5.13/asoc-soc-pcm-add-a-flag-to-reverse-the-stop-sequence.patch new file mode 100644 index 00000000000..c2063105e21 --- /dev/null +++ b/queue-5.13/asoc-soc-pcm-add-a-flag-to-reverse-the-stop-sequence.patch @@ -0,0 +1,88 @@ +From e1ee1d875f24ebb9fc43706e2198c08e65d14179 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jul 2021 18:00:12 +0530 +Subject: ASoC: soc-pcm: add a flag to reverse the stop sequence + +From: Vijendar Mukunda + +[ Upstream commit 59dd33f82dc0975c55d3d46801e7ca45532d7673 ] + +On stream stop, currently CPU DAI stop sequence invoked first +followed by DMA. For Few platforms, it is required to stop the +DMA first before stopping CPU DAI. + +Introduced new flag in dai_link structure for reordering stop sequence. +Based on flag check, ASoC core will re-order the stop sequence. + +Fixes: 4378f1fbe92405 ("ASoC: soc-pcm: Use different sequence for start/stop trigger") +Signed-off-by: Vijendar Mukunda +Link: https://lore.kernel.org/r/20210716123015.15697-1-vijendar.mukunda@amd.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + include/sound/soc.h | 6 ++++++ + sound/soc/soc-pcm.c | 22 ++++++++++++++++------ + 2 files changed, 22 insertions(+), 6 deletions(-) + +diff --git a/include/sound/soc.h b/include/sound/soc.h +index e746da996351..723eeb1c3f78 100644 +--- a/include/sound/soc.h ++++ b/include/sound/soc.h +@@ -712,6 +712,12 @@ struct snd_soc_dai_link { + /* Do not create a PCM for this DAI link (Backend link) */ + unsigned int ignore:1; + ++ /* This flag will reorder stop sequence. By enabling this flag ++ * DMA controller stop sequence will be invoked first followed by ++ * CPU DAI driver stop sequence ++ */ ++ unsigned int stop_dma_first:1; ++ + #ifdef CONFIG_SND_SOC_TOPOLOGY + struct snd_soc_dobj dobj; /* For topology */ + #endif +diff --git a/sound/soc/soc-pcm.c b/sound/soc/soc-pcm.c +index 46513bb97904..d1c570ca21ea 100644 +--- a/sound/soc/soc-pcm.c ++++ b/sound/soc/soc-pcm.c +@@ -1015,6 +1015,7 @@ out: + + static int soc_pcm_trigger(struct snd_pcm_substream *substream, int cmd) + { ++ struct snd_soc_pcm_runtime *rtd = asoc_substream_to_rtd(substream); + int ret = -EINVAL, _ret = 0; + int rollback = 0; + +@@ -1055,14 +1056,23 @@ start_err: + case SNDRV_PCM_TRIGGER_STOP: + case SNDRV_PCM_TRIGGER_SUSPEND: + case SNDRV_PCM_TRIGGER_PAUSE_PUSH: +- ret = snd_soc_pcm_dai_trigger(substream, cmd, rollback); +- if (ret < 0) +- break; ++ if (rtd->dai_link->stop_dma_first) { ++ ret = snd_soc_pcm_component_trigger(substream, cmd, rollback); ++ if (ret < 0) ++ break; + +- ret = snd_soc_pcm_component_trigger(substream, cmd, rollback); +- if (ret < 0) +- break; ++ ret = snd_soc_pcm_dai_trigger(substream, cmd, rollback); ++ if (ret < 0) ++ break; ++ } else { ++ ret = snd_soc_pcm_dai_trigger(substream, cmd, rollback); ++ if (ret < 0) ++ break; + ++ ret = snd_soc_pcm_component_trigger(substream, cmd, rollback); ++ if (ret < 0) ++ break; ++ } + ret = snd_soc_link_trigger(substream, cmd, rollback); + break; + } +-- +2.30.2 + diff --git a/queue-5.13/asoc-sof-intel-update-adl-descriptor-to-use-acpi-pow.patch b/queue-5.13/asoc-sof-intel-update-adl-descriptor-to-use-acpi-pow.patch new file mode 100644 index 00000000000..ba4f5b7f1a7 --- /dev/null +++ b/queue-5.13/asoc-sof-intel-update-adl-descriptor-to-use-acpi-pow.patch @@ -0,0 +1,39 @@ +From 71a80379545a0be377e4f5a588de5c48ca3c3d06 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jul 2021 15:16:20 -0500 +Subject: ASoC: SOF: Intel: Update ADL descriptor to use ACPI power states + +From: Sathya Prakash M R + +[ Upstream commit aa21548e34c19c12e924c736f3fd9e6a4d0f5419 ] + +The ADL descriptor was missing an ACPI power setting, causing the DSP +to enter D3 even with a D0i1-compatible wake-on-voice/hotwording +capture stream. + +Fixes: 4ad03f894b3c ('ASoC: SOF: Intel: Update ADL P to use its own descriptor') +Reviewed-by: Ranjani Sridharan +Signed-off-by: Sathya Prakash M R +Signed-off-by: Pierre-Louis Bossart +Link: https://lore.kernel.org/r/20210712201620.44311-1-pierre-louis.bossart@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/sof/intel/pci-tgl.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/soc/sof/intel/pci-tgl.c b/sound/soc/sof/intel/pci-tgl.c +index 88c3bf404dd7..d1fd0a330554 100644 +--- a/sound/soc/sof/intel/pci-tgl.c ++++ b/sound/soc/sof/intel/pci-tgl.c +@@ -89,6 +89,7 @@ static const struct sof_dev_desc adls_desc = { + static const struct sof_dev_desc adl_desc = { + .machines = snd_soc_acpi_intel_adl_machines, + .alt_machines = snd_soc_acpi_intel_adl_sdw_machines, ++ .use_acpi_target_states = true, + .resindex_lpe_base = 0, + .resindex_pcicfg_base = -1, + .resindex_imr_base = -1, +-- +2.30.2 + diff --git a/queue-5.13/asoc-wm_adsp-correct-wm_coeff_tlv_get-handling.patch b/queue-5.13/asoc-wm_adsp-correct-wm_coeff_tlv_get-handling.patch new file mode 100644 index 00000000000..4549b62f861 --- /dev/null +++ b/queue-5.13/asoc-wm_adsp-correct-wm_coeff_tlv_get-handling.patch @@ -0,0 +1,39 @@ +From 013e69950319145e4fd7febf9bbd76538670cb78 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 26 Jun 2021 16:59:39 +0100 +Subject: ASoC: wm_adsp: Correct wm_coeff_tlv_get handling + +From: Charles Keepax + +[ Upstream commit dd6fb8ff2210f74b056bf9234d0605e8c26a8ac0 ] + +When wm_coeff_tlv_get was updated it was accidentally switch to the _raw +version of the helper causing it to ignore the current DSP state it +should be checking. Switch the code back to the correct helper so that +users can't read the controls when they arn't available. + +Fixes: 73ecf1a673d3 ("ASoC: wm_adsp: Correct cache handling of new kernel control API") +Signed-off-by: Charles Keepax +Link: https://lore.kernel.org/r/20210626155941.12251-1-ckeepax@opensource.cirrus.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/wm_adsp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/codecs/wm_adsp.c b/sound/soc/codecs/wm_adsp.c +index 3dc119daf2f6..cef05d81c39b 100644 +--- a/sound/soc/codecs/wm_adsp.c ++++ b/sound/soc/codecs/wm_adsp.c +@@ -1213,7 +1213,7 @@ static int wm_coeff_tlv_get(struct snd_kcontrol *kctl, + + mutex_lock(&ctl->dsp->pwr_lock); + +- ret = wm_coeff_read_ctrl_raw(ctl, ctl->cache, size); ++ ret = wm_coeff_read_ctrl(ctl, ctl->cache, size); + + if (!ret && copy_to_user(bytes, ctl->cache, size)) + ret = -EFAULT; +-- +2.30.2 + diff --git a/queue-5.13/bnxt_en-add-missing-check-for-bnxt_state_abort_err-i.patch b/queue-5.13/bnxt_en-add-missing-check-for-bnxt_state_abort_err-i.patch new file mode 100644 index 00000000000..cd05590729b --- /dev/null +++ b/queue-5.13/bnxt_en-add-missing-check-for-bnxt_state_abort_err-i.patch @@ -0,0 +1,40 @@ +From c132b0ec59ddda39ebb214441260a2e61b5f08e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Jul 2021 15:36:28 -0400 +Subject: bnxt_en: Add missing check for BNXT_STATE_ABORT_ERR in + bnxt_fw_rset_task() + +From: Michael Chan + +[ Upstream commit 6cd657cb3ee6f4de57e635b126ffbe0e51d00f1a ] + +In the BNXT_FW_RESET_STATE_POLL_VF state in bnxt_fw_reset_task() after all +VFs have unregistered, we need to check for BNXT_STATE_ABORT_ERR after +we acquire the rtnl_lock. If the flag is set, we need to abort. + +Fixes: 230d1f0de754 ("bnxt_en: Handle firmware reset.") +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +index d57fb1613cfc..07efab5bad95 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -11882,6 +11882,10 @@ static void bnxt_fw_reset_task(struct work_struct *work) + } + bp->fw_reset_timestamp = jiffies; + rtnl_lock(); ++ if (test_bit(BNXT_STATE_ABORT_ERR, &bp->state)) { ++ rtnl_unlock(); ++ goto fw_reset_abort; ++ } + bnxt_fw_reset_close(bp); + if (bp->fw_cap & BNXT_FW_CAP_ERR_RECOVER_RELOAD) { + bp->fw_reset_state = BNXT_FW_RESET_STATE_POLL_FW_DOWN; +-- +2.30.2 + diff --git a/queue-5.13/bnxt_en-check-abort-error-state-in-bnxt_half_open_ni.patch b/queue-5.13/bnxt_en-check-abort-error-state-in-bnxt_half_open_ni.patch new file mode 100644 index 00000000000..9a3b965aa4f --- /dev/null +++ b/queue-5.13/bnxt_en-check-abort-error-state-in-bnxt_half_open_ni.patch @@ -0,0 +1,68 @@ +From e7a1a60f7338b929e244ff5242fd868dee3f321a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Jul 2021 15:36:31 -0400 +Subject: bnxt_en: Check abort error state in bnxt_half_open_nic() + +From: Somnath Kotur + +[ Upstream commit 11a39259ff79b74bc99f8b7c44075a2d6d5e7ab1 ] + +bnxt_half_open_nic() is called during during ethtool self test and is +protected by rtnl_lock. Firmware reset can be happening at the same +time. Only critical portions of the entire firmware reset sequence +are protected by the rtnl_lock. It is possible that bnxt_half_open_nic() +can be called when the firmware reset sequence is aborting. In that +case, bnxt_half_open_nic() needs to check if the ABORT_ERR flag is set +and abort if it is. The ethtool self test will fail but the NIC will be +brought to a consistent IF_DOWN state. + +Without this patch, if bnxt_half_open_nic() were to continue in this +error state, it may crash like this: + + bnxt_en 0000:82:00.1 enp130s0f1np1: FW reset in progress during close, FW reset will be aborted + Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 + ... + Process ethtool (pid: 333327, stack limit = 0x0000000046476577) + Call trace: + bnxt_alloc_mem+0x444/0xef0 [bnxt_en] + bnxt_half_open_nic+0x24/0xb8 [bnxt_en] + bnxt_self_test+0x2dc/0x390 [bnxt_en] + ethtool_self_test+0xe0/0x1f8 + dev_ethtool+0x1744/0x22d0 + dev_ioctl+0x190/0x3e0 + sock_ioctl+0x238/0x480 + do_vfs_ioctl+0xc4/0x758 + ksys_ioctl+0x84/0xb8 + __arm64_sys_ioctl+0x28/0x38 + el0_svc_handler+0xb0/0x180 + el0_svc+0x8/0xc + +Fixes: a1301f08c5ac ("bnxt_en: Check abort error state in bnxt_open_nic().") +Signed-off-by: Somnath Kotur +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +index be36dee65f90..3c3aa9467310 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -10104,6 +10104,12 @@ int bnxt_half_open_nic(struct bnxt *bp) + { + int rc = 0; + ++ if (test_bit(BNXT_STATE_ABORT_ERR, &bp->state)) { ++ netdev_err(bp->dev, "A previous firmware reset has not completed, aborting half open\n"); ++ rc = -ENODEV; ++ goto half_open_err; ++ } ++ + rc = bnxt_alloc_mem(bp, false); + if (rc) { + netdev_err(bp->dev, "bnxt_alloc_mem err: %x\n", rc); +-- +2.30.2 + diff --git a/queue-5.13/bnxt_en-don-t-disable-an-already-disabled-pci-device.patch b/queue-5.13/bnxt_en-don-t-disable-an-already-disabled-pci-device.patch new file mode 100644 index 00000000000..155b21d2dd2 --- /dev/null +++ b/queue-5.13/bnxt_en-don-t-disable-an-already-disabled-pci-device.patch @@ -0,0 +1,41 @@ +From d0ed45ba2be9a100f83b3b362722227b8f7e26f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Jul 2021 15:36:25 -0400 +Subject: bnxt_en: don't disable an already disabled PCI device + +From: Kalesh AP + +[ Upstream commit c81cfb6256d90ea5ba4a6fb280ea3b171be4e05c ] + +If device is already disabled in reset path and PCI io error is +detected before the device could be enabled, driver could +call pci_disable_device() for already disabled device. Fix this +problem by calling pci_disable_device() only if the device is already +enabled. + +Fixes: 6316ea6db93d ("bnxt_en: Enable AER support.") +Signed-off-by: Kalesh AP +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +index aef3fccc27a9..d57fb1613cfc 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -13315,7 +13315,8 @@ static pci_ers_result_t bnxt_io_error_detected(struct pci_dev *pdev, + if (netif_running(netdev)) + bnxt_close(netdev); + +- pci_disable_device(pdev); ++ if (pci_is_enabled(pdev)) ++ pci_disable_device(pdev); + bnxt_free_ctx_mem(bp); + kfree(bp->ctx); + bp->ctx = NULL; +-- +2.30.2 + diff --git a/queue-5.13/bnxt_en-fix-error-path-of-fw-reset.patch b/queue-5.13/bnxt_en-fix-error-path-of-fw-reset.patch new file mode 100644 index 00000000000..3e5ae8c4af8 --- /dev/null +++ b/queue-5.13/bnxt_en-fix-error-path-of-fw-reset.patch @@ -0,0 +1,108 @@ +From add722806a610b335b57e16f26f75ffb7d6ea904 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Jul 2021 15:36:29 -0400 +Subject: bnxt_en: fix error path of FW reset + +From: Somnath Kotur + +[ Upstream commit 3958b1da725a477b4a222183d16a14d85445d4b6 ] + +When bnxt_open() fails in the firmware reset path, the driver needs to +gracefully abort, but it is executing code that should be invoked only +in the success path. Define a function to abort FW reset and +consolidate all error paths to call this new function. + +Fixes: dab62e7c2de7 ("bnxt_en: Implement faster recovery for firmware fatal error.") +Signed-off-by: Somnath Kotur +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 31 +++++++++++++++-------- + 1 file changed, 21 insertions(+), 10 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +index 07efab5bad95..49aca3289c00 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -11849,10 +11849,21 @@ static bool bnxt_fw_reset_timeout(struct bnxt *bp) + (bp->fw_reset_max_dsecs * HZ / 10)); + } + ++static void bnxt_fw_reset_abort(struct bnxt *bp, int rc) ++{ ++ clear_bit(BNXT_STATE_IN_FW_RESET, &bp->state); ++ if (bp->fw_reset_state != BNXT_FW_RESET_STATE_POLL_VF) { ++ bnxt_ulp_start(bp, rc); ++ bnxt_dl_health_status_update(bp, false); ++ } ++ bp->fw_reset_state = 0; ++ dev_close(bp->dev); ++} ++ + static void bnxt_fw_reset_task(struct work_struct *work) + { + struct bnxt *bp = container_of(work, struct bnxt, fw_reset_task.work); +- int rc; ++ int rc = 0; + + if (!test_bit(BNXT_STATE_IN_FW_RESET, &bp->state)) { + netdev_err(bp->dev, "bnxt_fw_reset_task() called when not in fw reset mode!\n"); +@@ -11883,8 +11894,9 @@ static void bnxt_fw_reset_task(struct work_struct *work) + bp->fw_reset_timestamp = jiffies; + rtnl_lock(); + if (test_bit(BNXT_STATE_ABORT_ERR, &bp->state)) { ++ bnxt_fw_reset_abort(bp, rc); + rtnl_unlock(); +- goto fw_reset_abort; ++ return; + } + bnxt_fw_reset_close(bp); + if (bp->fw_cap & BNXT_FW_CAP_ERR_RECOVER_RELOAD) { +@@ -11933,6 +11945,7 @@ static void bnxt_fw_reset_task(struct work_struct *work) + if (val == 0xffff) { + if (bnxt_fw_reset_timeout(bp)) { + netdev_err(bp->dev, "Firmware reset aborted, PCI config space invalid\n"); ++ rc = -ETIMEDOUT; + goto fw_reset_abort; + } + bnxt_queue_fw_reset_work(bp, HZ / 1000); +@@ -11942,6 +11955,7 @@ static void bnxt_fw_reset_task(struct work_struct *work) + clear_bit(BNXT_STATE_FW_FATAL_COND, &bp->state); + if (pci_enable_device(bp->pdev)) { + netdev_err(bp->dev, "Cannot re-enable PCI device\n"); ++ rc = -ENODEV; + goto fw_reset_abort; + } + pci_set_master(bp->pdev); +@@ -11968,9 +11982,10 @@ static void bnxt_fw_reset_task(struct work_struct *work) + } + rc = bnxt_open(bp->dev); + if (rc) { +- netdev_err(bp->dev, "bnxt_open_nic() failed\n"); +- clear_bit(BNXT_STATE_IN_FW_RESET, &bp->state); +- dev_close(bp->dev); ++ netdev_err(bp->dev, "bnxt_open() failed during FW reset\n"); ++ bnxt_fw_reset_abort(bp, rc); ++ rtnl_unlock(); ++ return; + } + + bp->fw_reset_state = 0; +@@ -11997,12 +12012,8 @@ fw_reset_abort_status: + netdev_err(bp->dev, "fw_health_status 0x%x\n", sts); + } + fw_reset_abort: +- clear_bit(BNXT_STATE_IN_FW_RESET, &bp->state); +- if (bp->fw_reset_state != BNXT_FW_RESET_STATE_POLL_VF) +- bnxt_dl_health_status_update(bp, false); +- bp->fw_reset_state = 0; + rtnl_lock(); +- dev_close(bp->dev); ++ bnxt_fw_reset_abort(bp, rc); + rtnl_unlock(); + } + +-- +2.30.2 + diff --git a/queue-5.13/bnxt_en-refresh-roce-capabilities-in-bnxt_ulp_probe.patch b/queue-5.13/bnxt_en-refresh-roce-capabilities-in-bnxt_ulp_probe.patch new file mode 100644 index 00000000000..e8bc7315a05 --- /dev/null +++ b/queue-5.13/bnxt_en-refresh-roce-capabilities-in-bnxt_ulp_probe.patch @@ -0,0 +1,52 @@ +From deefc285ac44c458554d81e47f71b4a28bf0e06a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Jul 2021 15:36:27 -0400 +Subject: bnxt_en: Refresh RoCE capabilities in bnxt_ulp_probe() + +From: Michael Chan + +[ Upstream commit 2c9f046bc377efd1f5e26e74817d5f96e9506c86 ] + +The capabilities can change after firmware upgrade/downgrade, so we +should get the up-to-date RoCE capabilities everytime bnxt_ulp_probe() +is called. + +Fixes: 2151fe0830fd ("bnxt_en: Handle RESET_NOTIFY async event from firmware.") +Reviewed-by: Somnath Kotur +Reviewed-by: Edwin Peer +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c +index a918e374f3c5..187ff643ad2a 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c +@@ -479,16 +479,17 @@ struct bnxt_en_dev *bnxt_ulp_probe(struct net_device *dev) + if (!edev) + return ERR_PTR(-ENOMEM); + edev->en_ops = &bnxt_en_ops_tbl; +- if (bp->flags & BNXT_FLAG_ROCEV1_CAP) +- edev->flags |= BNXT_EN_FLAG_ROCEV1_CAP; +- if (bp->flags & BNXT_FLAG_ROCEV2_CAP) +- edev->flags |= BNXT_EN_FLAG_ROCEV2_CAP; + edev->net = dev; + edev->pdev = bp->pdev; + edev->l2_db_size = bp->db_size; + edev->l2_db_size_nc = bp->db_size; + bp->edev = edev; + } ++ edev->flags &= ~BNXT_EN_FLAG_ROCE_CAP; ++ if (bp->flags & BNXT_FLAG_ROCEV1_CAP) ++ edev->flags |= BNXT_EN_FLAG_ROCEV1_CAP; ++ if (bp->flags & BNXT_FLAG_ROCEV2_CAP) ++ edev->flags |= BNXT_EN_FLAG_ROCEV2_CAP; + return bp->edev; + } + EXPORT_SYMBOL(bnxt_ulp_probe); +-- +2.30.2 + diff --git a/queue-5.13/bnxt_en-validate-vlan-protocol-id-on-rx-packets.patch b/queue-5.13/bnxt_en-validate-vlan-protocol-id-on-rx-packets.patch new file mode 100644 index 00000000000..d467f546949 --- /dev/null +++ b/queue-5.13/bnxt_en-validate-vlan-protocol-id-on-rx-packets.patch @@ -0,0 +1,69 @@ +From 6ab90ea4a4c377f3ea00282ded5d551866fc7d06 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Jul 2021 15:36:30 -0400 +Subject: bnxt_en: Validate vlan protocol ID on RX packets + +From: Michael Chan + +[ Upstream commit 96bdd4b9ea7ef9a12db8fdd0ce90e37dffbd3703 ] + +Only pass supported VLAN protocol IDs for stripped VLAN tags to the +stack. The stack will hit WARN() if the protocol ID is unsupported. + +Existing firmware sets up the chip to strip 0x8100, 0x88a8, 0x9100. +Only the 1st two protocols are supported by the kernel. + +Fixes: a196e96bb68f ("bnxt_en: clean up VLAN feature bit handling") +Reviewed-by: Somnath Kotur +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 21 ++++++++++++++++----- + 1 file changed, 16 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +index 49aca3289c00..be36dee65f90 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -1640,11 +1640,16 @@ static inline struct sk_buff *bnxt_tpa_end(struct bnxt *bp, + + if ((tpa_info->flags2 & RX_CMP_FLAGS2_META_FORMAT_VLAN) && + (skb->dev->features & BNXT_HW_FEATURE_VLAN_ALL_RX)) { +- u16 vlan_proto = tpa_info->metadata >> +- RX_CMP_FLAGS2_METADATA_TPID_SFT; ++ __be16 vlan_proto = htons(tpa_info->metadata >> ++ RX_CMP_FLAGS2_METADATA_TPID_SFT); + u16 vtag = tpa_info->metadata & RX_CMP_FLAGS2_METADATA_TCI_MASK; + +- __vlan_hwaccel_put_tag(skb, htons(vlan_proto), vtag); ++ if (eth_type_vlan(vlan_proto)) { ++ __vlan_hwaccel_put_tag(skb, vlan_proto, vtag); ++ } else { ++ dev_kfree_skb(skb); ++ return NULL; ++ } + } + + skb_checksum_none_assert(skb); +@@ -1865,9 +1870,15 @@ static int bnxt_rx_pkt(struct bnxt *bp, struct bnxt_cp_ring_info *cpr, + (skb->dev->features & BNXT_HW_FEATURE_VLAN_ALL_RX)) { + u32 meta_data = le32_to_cpu(rxcmp1->rx_cmp_meta_data); + u16 vtag = meta_data & RX_CMP_FLAGS2_METADATA_TCI_MASK; +- u16 vlan_proto = meta_data >> RX_CMP_FLAGS2_METADATA_TPID_SFT; ++ __be16 vlan_proto = htons(meta_data >> ++ RX_CMP_FLAGS2_METADATA_TPID_SFT); + +- __vlan_hwaccel_put_tag(skb, htons(vlan_proto), vtag); ++ if (eth_type_vlan(vlan_proto)) { ++ __vlan_hwaccel_put_tag(skb, vlan_proto, vtag); ++ } else { ++ dev_kfree_skb(skb); ++ goto next_rx; ++ } + } + + skb_checksum_none_assert(skb); +-- +2.30.2 + diff --git a/queue-5.13/bonding-add-struct-bond_ipesc-to-manage-sa.patch b/queue-5.13/bonding-add-struct-bond_ipesc-to-manage-sa.patch new file mode 100644 index 00000000000..af5632bec4a --- /dev/null +++ b/queue-5.13/bonding-add-struct-bond_ipesc-to-manage-sa.patch @@ -0,0 +1,300 @@ +From 7f73ad149ebc700705833f47a650d85987afb409 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Jul 2021 15:38:12 +0000 +Subject: bonding: Add struct bond_ipesc to manage SA + +From: Taehee Yoo + +[ Upstream commit 9a5605505d9c7dbfdb89cc29a8f5fc5cf9fd2334 ] + +bonding has been supporting ipsec offload. +When SA is added, bonding just passes SA to its own active real interface. +But it doesn't manage SA. +So, when events(add/del real interface, active real interface change, etc) +occur, bonding can't handle that well because It doesn't manage SA. +So some problems(panic, UAF, refcnt leak)occur. + +In order to make it stable, it should manage SA. +That's the reason why struct bond_ipsec is added. +When a new SA is added to bonding interface, it is stored in the +bond_ipsec list. And the SA is passed to a current active real interface. +If events occur, it uses bond_ipsec data to handle these events. +bond->ipsec_list is protected by bond->ipsec_lock. + +If a current active real interface is changed, the following logic works. +1. delete all SAs from old active real interface +2. Add all SAs to the new active real interface. +3. If a new active real interface doesn't support ipsec offload or SA's +option, it sets real_dev to NULL. + +Fixes: 18cb261afd7b ("bonding: support hardware encryption offload to slaves") +Signed-off-by: Taehee Yoo +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 139 +++++++++++++++++++++++++++----- + include/net/bonding.h | 9 ++- + 2 files changed, 127 insertions(+), 21 deletions(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index d85a19c06c69..3f67b4b794ac 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -401,6 +401,7 @@ static int bond_vlan_rx_kill_vid(struct net_device *bond_dev, + static int bond_ipsec_add_sa(struct xfrm_state *xs) + { + struct net_device *bond_dev = xs->xso.dev; ++ struct bond_ipsec *ipsec; + struct bonding *bond; + struct slave *slave; + int err; +@@ -416,9 +417,6 @@ static int bond_ipsec_add_sa(struct xfrm_state *xs) + return -ENODEV; + } + +- xs->xso.real_dev = slave->dev; +- bond->xs = xs; +- + if (!slave->dev->xfrmdev_ops || + !slave->dev->xfrmdev_ops->xdo_dev_state_add || + netif_is_bond_master(slave->dev)) { +@@ -427,11 +425,63 @@ static int bond_ipsec_add_sa(struct xfrm_state *xs) + return -EINVAL; + } + ++ ipsec = kmalloc(sizeof(*ipsec), GFP_ATOMIC); ++ if (!ipsec) { ++ rcu_read_unlock(); ++ return -ENOMEM; ++ } ++ xs->xso.real_dev = slave->dev; ++ + err = slave->dev->xfrmdev_ops->xdo_dev_state_add(xs); ++ if (!err) { ++ ipsec->xs = xs; ++ INIT_LIST_HEAD(&ipsec->list); ++ spin_lock_bh(&bond->ipsec_lock); ++ list_add(&ipsec->list, &bond->ipsec_list); ++ spin_unlock_bh(&bond->ipsec_lock); ++ } else { ++ kfree(ipsec); ++ } + rcu_read_unlock(); + return err; + } + ++static void bond_ipsec_add_sa_all(struct bonding *bond) ++{ ++ struct net_device *bond_dev = bond->dev; ++ struct bond_ipsec *ipsec; ++ struct slave *slave; ++ ++ rcu_read_lock(); ++ slave = rcu_dereference(bond->curr_active_slave); ++ if (!slave) ++ goto out; ++ ++ if (!slave->dev->xfrmdev_ops || ++ !slave->dev->xfrmdev_ops->xdo_dev_state_add || ++ netif_is_bond_master(slave->dev)) { ++ spin_lock_bh(&bond->ipsec_lock); ++ if (!list_empty(&bond->ipsec_list)) ++ slave_warn(bond_dev, slave->dev, ++ "%s: no slave xdo_dev_state_add\n", ++ __func__); ++ spin_unlock_bh(&bond->ipsec_lock); ++ goto out; ++ } ++ ++ spin_lock_bh(&bond->ipsec_lock); ++ list_for_each_entry(ipsec, &bond->ipsec_list, list) { ++ ipsec->xs->xso.real_dev = slave->dev; ++ if (slave->dev->xfrmdev_ops->xdo_dev_state_add(ipsec->xs)) { ++ slave_warn(bond_dev, slave->dev, "%s: failed to add SA\n", __func__); ++ ipsec->xs->xso.real_dev = NULL; ++ } ++ } ++ spin_unlock_bh(&bond->ipsec_lock); ++out: ++ rcu_read_unlock(); ++} ++ + /** + * bond_ipsec_del_sa - clear out this specific SA + * @xs: pointer to transformer state struct +@@ -439,6 +489,7 @@ static int bond_ipsec_add_sa(struct xfrm_state *xs) + static void bond_ipsec_del_sa(struct xfrm_state *xs) + { + struct net_device *bond_dev = xs->xso.dev; ++ struct bond_ipsec *ipsec; + struct bonding *bond; + struct slave *slave; + +@@ -452,7 +503,10 @@ static void bond_ipsec_del_sa(struct xfrm_state *xs) + if (!slave) + goto out; + +- xs->xso.real_dev = slave->dev; ++ if (!xs->xso.real_dev) ++ goto out; ++ ++ WARN_ON(xs->xso.real_dev != slave->dev); + + if (!slave->dev->xfrmdev_ops || + !slave->dev->xfrmdev_ops->xdo_dev_state_delete || +@@ -463,6 +517,48 @@ static void bond_ipsec_del_sa(struct xfrm_state *xs) + + slave->dev->xfrmdev_ops->xdo_dev_state_delete(xs); + out: ++ spin_lock_bh(&bond->ipsec_lock); ++ list_for_each_entry(ipsec, &bond->ipsec_list, list) { ++ if (ipsec->xs == xs) { ++ list_del(&ipsec->list); ++ kfree(ipsec); ++ break; ++ } ++ } ++ spin_unlock_bh(&bond->ipsec_lock); ++ rcu_read_unlock(); ++} ++ ++static void bond_ipsec_del_sa_all(struct bonding *bond) ++{ ++ struct net_device *bond_dev = bond->dev; ++ struct bond_ipsec *ipsec; ++ struct slave *slave; ++ ++ rcu_read_lock(); ++ slave = rcu_dereference(bond->curr_active_slave); ++ if (!slave) { ++ rcu_read_unlock(); ++ return; ++ } ++ ++ spin_lock_bh(&bond->ipsec_lock); ++ list_for_each_entry(ipsec, &bond->ipsec_list, list) { ++ if (!ipsec->xs->xso.real_dev) ++ continue; ++ ++ if (!slave->dev->xfrmdev_ops || ++ !slave->dev->xfrmdev_ops->xdo_dev_state_delete || ++ netif_is_bond_master(slave->dev)) { ++ slave_warn(bond_dev, slave->dev, ++ "%s: no slave xdo_dev_state_delete\n", ++ __func__); ++ } else { ++ slave->dev->xfrmdev_ops->xdo_dev_state_delete(ipsec->xs); ++ } ++ ipsec->xs->xso.real_dev = NULL; ++ } ++ spin_unlock_bh(&bond->ipsec_lock); + rcu_read_unlock(); + } + +@@ -474,22 +570,27 @@ out: + static bool bond_ipsec_offload_ok(struct sk_buff *skb, struct xfrm_state *xs) + { + struct net_device *bond_dev = xs->xso.dev; +- struct bonding *bond = netdev_priv(bond_dev); +- struct slave *curr_active = rcu_dereference(bond->curr_active_slave); +- struct net_device *slave_dev = curr_active->dev; ++ struct net_device *real_dev; ++ struct slave *curr_active; ++ struct bonding *bond; ++ ++ bond = netdev_priv(bond_dev); ++ curr_active = rcu_dereference(bond->curr_active_slave); ++ real_dev = curr_active->dev; + + if (BOND_MODE(bond) != BOND_MODE_ACTIVEBACKUP) + return true; + +- if (!slave_dev->xfrmdev_ops || +- !slave_dev->xfrmdev_ops->xdo_dev_offload_ok || +- netif_is_bond_master(slave_dev)) { +- slave_warn(bond_dev, slave_dev, "%s: no slave xdo_dev_offload_ok\n", __func__); ++ if (!xs->xso.real_dev) ++ return false; ++ ++ if (!real_dev->xfrmdev_ops || ++ !real_dev->xfrmdev_ops->xdo_dev_offload_ok || ++ netif_is_bond_master(real_dev)) { + return false; + } + +- xs->xso.real_dev = slave_dev; +- return slave_dev->xfrmdev_ops->xdo_dev_offload_ok(skb, xs); ++ return real_dev->xfrmdev_ops->xdo_dev_offload_ok(skb, xs); + } + + static const struct xfrmdev_ops bond_xfrmdev_ops = { +@@ -1006,8 +1107,7 @@ void bond_change_active_slave(struct bonding *bond, struct slave *new_active) + return; + + #ifdef CONFIG_XFRM_OFFLOAD +- if (old_active && bond->xs) +- bond_ipsec_del_sa(bond->xs); ++ bond_ipsec_del_sa_all(bond); + #endif /* CONFIG_XFRM_OFFLOAD */ + + if (new_active) { +@@ -1083,10 +1183,7 @@ void bond_change_active_slave(struct bonding *bond, struct slave *new_active) + } + + #ifdef CONFIG_XFRM_OFFLOAD +- if (new_active && bond->xs) { +- xfrm_dev_state_flush(dev_net(bond->dev), bond->dev, true); +- bond_ipsec_add_sa(bond->xs); +- } ++ bond_ipsec_add_sa_all(bond); + #endif /* CONFIG_XFRM_OFFLOAD */ + + /* resend IGMP joins since active slave has changed or +@@ -3335,6 +3432,7 @@ static int bond_master_netdev_event(unsigned long event, + return bond_event_changename(event_bond); + case NETDEV_UNREGISTER: + bond_remove_proc_entry(event_bond); ++ xfrm_dev_state_flush(dev_net(bond_dev), bond_dev, true); + break; + case NETDEV_REGISTER: + bond_create_proc_entry(event_bond); +@@ -4898,7 +4996,8 @@ void bond_setup(struct net_device *bond_dev) + #ifdef CONFIG_XFRM_OFFLOAD + /* set up xfrm device ops (only supported in active-backup right now) */ + bond_dev->xfrmdev_ops = &bond_xfrmdev_ops; +- bond->xs = NULL; ++ INIT_LIST_HEAD(&bond->ipsec_list); ++ spin_lock_init(&bond->ipsec_lock); + #endif /* CONFIG_XFRM_OFFLOAD */ + + /* don't acquire bond device's netif_tx_lock when transmitting */ +diff --git a/include/net/bonding.h b/include/net/bonding.h +index 019e998d944a..a02b19843819 100644 +--- a/include/net/bonding.h ++++ b/include/net/bonding.h +@@ -201,6 +201,11 @@ struct bond_up_slave { + */ + #define BOND_LINK_NOCHANGE -1 + ++struct bond_ipsec { ++ struct list_head list; ++ struct xfrm_state *xs; ++}; ++ + /* + * Here are the locking policies for the two bonding locks: + * Get rcu_read_lock when reading or RTNL when writing slave list. +@@ -249,7 +254,9 @@ struct bonding { + #endif /* CONFIG_DEBUG_FS */ + struct rtnl_link_stats64 bond_stats; + #ifdef CONFIG_XFRM_OFFLOAD +- struct xfrm_state *xs; ++ struct list_head ipsec_list; ++ /* protecting ipsec_list */ ++ spinlock_t ipsec_lock; + #endif /* CONFIG_XFRM_OFFLOAD */ + }; + +-- +2.30.2 + diff --git a/queue-5.13/bonding-disallow-setting-nested-bonding-ipsec-offloa.patch b/queue-5.13/bonding-disallow-setting-nested-bonding-ipsec-offloa.patch new file mode 100644 index 00000000000..285339dcf27 --- /dev/null +++ b/queue-5.13/bonding-disallow-setting-nested-bonding-ipsec-offloa.patch @@ -0,0 +1,75 @@ +From cb788b4d12704756371d156e3814b2baab4829dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Jul 2021 15:38:11 +0000 +Subject: bonding: disallow setting nested bonding + ipsec offload + +From: Taehee Yoo + +[ Upstream commit b121693381b112b78c076dea171ee113e237c0e4 ] + +bonding interface can be nested and it supports ipsec offload. +So, it allows setting the nested bonding + ipsec scenario. +But code does not support this scenario. +So, it should be disallowed. + +interface graph: +bond2 + | +bond1 + | +eth0 + +The nested bonding + ipsec offload may not a real usecase. +So, disallowing this scenario is fine. + +Fixes: 18cb261afd7b ("bonding: support hardware encryption offload to slaves") +Signed-off-by: Taehee Yoo +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index a7b6550063b2..d85a19c06c69 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -419,8 +419,9 @@ static int bond_ipsec_add_sa(struct xfrm_state *xs) + xs->xso.real_dev = slave->dev; + bond->xs = xs; + +- if (!(slave->dev->xfrmdev_ops +- && slave->dev->xfrmdev_ops->xdo_dev_state_add)) { ++ if (!slave->dev->xfrmdev_ops || ++ !slave->dev->xfrmdev_ops->xdo_dev_state_add || ++ netif_is_bond_master(slave->dev)) { + slave_warn(bond_dev, slave->dev, "Slave does not support ipsec offload\n"); + rcu_read_unlock(); + return -EINVAL; +@@ -453,8 +454,9 @@ static void bond_ipsec_del_sa(struct xfrm_state *xs) + + xs->xso.real_dev = slave->dev; + +- if (!(slave->dev->xfrmdev_ops +- && slave->dev->xfrmdev_ops->xdo_dev_state_delete)) { ++ if (!slave->dev->xfrmdev_ops || ++ !slave->dev->xfrmdev_ops->xdo_dev_state_delete || ++ netif_is_bond_master(slave->dev)) { + slave_warn(bond_dev, slave->dev, "%s: no slave xdo_dev_state_delete\n", __func__); + goto out; + } +@@ -479,8 +481,9 @@ static bool bond_ipsec_offload_ok(struct sk_buff *skb, struct xfrm_state *xs) + if (BOND_MODE(bond) != BOND_MODE_ACTIVEBACKUP) + return true; + +- if (!(slave_dev->xfrmdev_ops +- && slave_dev->xfrmdev_ops->xdo_dev_offload_ok)) { ++ if (!slave_dev->xfrmdev_ops || ++ !slave_dev->xfrmdev_ops->xdo_dev_offload_ok || ++ netif_is_bond_master(slave_dev)) { + slave_warn(bond_dev, slave_dev, "%s: no slave xdo_dev_offload_ok\n", __func__); + return false; + } +-- +2.30.2 + diff --git a/queue-5.13/bonding-fix-incorrect-return-value-of-bond_ipsec_off.patch b/queue-5.13/bonding-fix-incorrect-return-value-of-bond_ipsec_off.patch new file mode 100644 index 00000000000..56fdd3d127e --- /dev/null +++ b/queue-5.13/bonding-fix-incorrect-return-value-of-bond_ipsec_off.patch @@ -0,0 +1,39 @@ +From 7ff106b0c11d0a819199e34289f700efbddf8455 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Jul 2021 15:38:14 +0000 +Subject: bonding: fix incorrect return value of bond_ipsec_offload_ok() + +From: Taehee Yoo + +[ Upstream commit 168e696a36792a4a3b2525a06249e7472ef90186 ] + +bond_ipsec_offload_ok() is called to check whether the interface supports +ipsec offload or not. +bonding interface support ipsec offload only in active-backup mode. +So, if a bond interface is not in active-backup mode, it should return +false but it returns true. + +Fixes: a3b658cfb664 ("bonding: allow xfrm offload setup post-module-load") +Signed-off-by: Taehee Yoo +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index d267791a06c0..bf8ade982940 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -581,7 +581,7 @@ static bool bond_ipsec_offload_ok(struct sk_buff *skb, struct xfrm_state *xs) + real_dev = curr_active->dev; + + if (BOND_MODE(bond) != BOND_MODE_ACTIVEBACKUP) { +- err = true; ++ err = false; + goto out; + } + +-- +2.30.2 + diff --git a/queue-5.13/bonding-fix-null-dereference-in-bond_ipsec_add_sa.patch b/queue-5.13/bonding-fix-null-dereference-in-bond_ipsec_add_sa.patch new file mode 100644 index 00000000000..0a92b36e624 --- /dev/null +++ b/queue-5.13/bonding-fix-null-dereference-in-bond_ipsec_add_sa.patch @@ -0,0 +1,90 @@ +From e0a044a0cefe6e1a505451eee2b02296397ce768 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Jul 2021 15:38:07 +0000 +Subject: bonding: fix null dereference in bond_ipsec_add_sa() + +From: Taehee Yoo + +[ Upstream commit 105cd17a866017b45f3c45901b394c711c97bf40 ] + +If bond doesn't have real device, bond->curr_active_slave is null. +But bond_ipsec_add_sa() dereferences bond->curr_active_slave without +null checking. +So, null-ptr-deref would occur. + +Test commands: + ip link add bond0 type bond + ip link set bond0 up + ip x s add proto esp dst 14.1.1.1 src 15.1.1.1 spi \ +0x07 mode transport reqid 0x07 replay-window 32 aead 'rfc4106(gcm(aes))' \ +0x44434241343332312423222114131211f4f3f2f1 128 sel src 14.0.0.52/24 \ +dst 14.0.0.70/24 proto tcp offload dev bond0 dir in + +Splat looks like: +KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] +CPU: 4 PID: 680 Comm: ip Not tainted 5.13.0-rc3+ #1168 +RIP: 0010:bond_ipsec_add_sa+0xc4/0x2e0 [bonding] +Code: 85 21 02 00 00 4d 8b a6 48 0c 00 00 e8 75 58 44 ce 85 c0 0f 85 14 +01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 <80> 3c 02 +00 0f 85 fc 01 00 00 48 8d bb e0 02 00 00 4d 8b 2c 24 48 +RSP: 0018:ffff88810946f508 EFLAGS: 00010246 +RAX: dffffc0000000000 RBX: ffff88810b4e8040 RCX: 0000000000000001 +RDX: 0000000000000000 RSI: ffffffff8fe34280 RDI: ffff888115abe100 +RBP: ffff88810946f528 R08: 0000000000000003 R09: fffffbfff2287e11 +R10: 0000000000000001 R11: ffff888115abe0c8 R12: 0000000000000000 +R13: ffffffffc0aea9a0 R14: ffff88800d7d2000 R15: ffff88810b4e8330 +FS: 00007efc5552e680(0000) GS:ffff888119c00000(0000) +knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 000055c2530dbf40 CR3: 0000000103056004 CR4: 00000000003706e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + xfrm_dev_state_add+0x2a9/0x770 + ? memcpy+0x38/0x60 + xfrm_add_sa+0x2278/0x3b10 [xfrm_user] + ? xfrm_get_policy+0xaa0/0xaa0 [xfrm_user] + ? register_lock_class+0x1750/0x1750 + xfrm_user_rcv_msg+0x331/0x660 [xfrm_user] + ? rcu_read_lock_sched_held+0x91/0xc0 + ? xfrm_user_state_lookup.constprop.39+0x320/0x320 [xfrm_user] + ? find_held_lock+0x3a/0x1c0 + ? mutex_lock_io_nested+0x1210/0x1210 + ? sched_clock_cpu+0x18/0x170 + netlink_rcv_skb+0x121/0x350 + ? xfrm_user_state_lookup.constprop.39+0x320/0x320 [xfrm_user] + ? netlink_ack+0x9d0/0x9d0 + ? netlink_deliver_tap+0x17c/0xa50 + xfrm_netlink_rcv+0x68/0x80 [xfrm_user] + netlink_unicast+0x41c/0x610 + ? netlink_attachskb+0x710/0x710 + netlink_sendmsg+0x6b9/0xb70 +[ ...] + +Fixes: 18cb261afd7b ("bonding: support hardware encryption offload to slaves") +Signed-off-by: Taehee Yoo +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 026f4511bf7b..24b33118105a 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -411,6 +411,11 @@ static int bond_ipsec_add_sa(struct xfrm_state *xs) + rcu_read_lock(); + bond = netdev_priv(bond_dev); + slave = rcu_dereference(bond->curr_active_slave); ++ if (!slave) { ++ rcu_read_unlock(); ++ return -ENODEV; ++ } ++ + xs->xso.real_dev = slave->dev; + bond->xs = xs; + +-- +2.30.2 + diff --git a/queue-5.13/bonding-fix-suspicious-rcu-usage-in-bond_ipsec_add_s.patch b/queue-5.13/bonding-fix-suspicious-rcu-usage-in-bond_ipsec_add_s.patch new file mode 100644 index 00000000000..1b38270874e --- /dev/null +++ b/queue-5.13/bonding-fix-suspicious-rcu-usage-in-bond_ipsec_add_s.patch @@ -0,0 +1,108 @@ +From 135a5999c3b5c8f350ee70a65c5fafe11930da2d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Jul 2021 15:38:06 +0000 +Subject: bonding: fix suspicious RCU usage in bond_ipsec_add_sa() + +From: Taehee Yoo + +[ Upstream commit b648eba4c69e5819880b4907e7fcb2bb576069ab ] + +To dereference bond->curr_active_slave, it uses rcu_dereference(). +But it and the caller doesn't acquire RCU so a warning occurs. +So add rcu_read_lock(). + +Test commands: + ip link add dummy0 type dummy + ip link add bond0 type bond + ip link set dummy0 master bond0 + ip link set dummy0 up + ip link set bond0 up + ip x s add proto esp dst 14.1.1.1 src 15.1.1.1 spi 0x07 \ + mode transport \ + reqid 0x07 replay-window 32 aead 'rfc4106(gcm(aes))' \ + 0x44434241343332312423222114131211f4f3f2f1 128 sel \ + src 14.0.0.52/24 dst 14.0.0.70/24 proto tcp offload \ + dev bond0 dir in + +Splat looks like: +============================= +WARNING: suspicious RCU usage +5.13.0-rc3+ #1168 Not tainted +----------------------------- +drivers/net/bonding/bond_main.c:411 suspicious rcu_dereference_check() usage! + +other info that might help us debug this: + +rcu_scheduler_active = 2, debug_locks = 1 +1 lock held by ip/684: + #0: ffffffff9a2757c0 (&net->xfrm.xfrm_cfg_mutex){+.+.}-{3:3}, +at: xfrm_netlink_rcv+0x59/0x80 [xfrm_user] + 55.191733][ T684] stack backtrace: +CPU: 0 PID: 684 Comm: ip Not tainted 5.13.0-rc3+ #1168 +Call Trace: + dump_stack+0xa4/0xe5 + bond_ipsec_add_sa+0x18c/0x1f0 [bonding] + xfrm_dev_state_add+0x2a9/0x770 + ? memcpy+0x38/0x60 + xfrm_add_sa+0x2278/0x3b10 [xfrm_user] + ? xfrm_get_policy+0xaa0/0xaa0 [xfrm_user] + ? register_lock_class+0x1750/0x1750 + xfrm_user_rcv_msg+0x331/0x660 [xfrm_user] + ? rcu_read_lock_sched_held+0x91/0xc0 + ? xfrm_user_state_lookup.constprop.39+0x320/0x320 [xfrm_user] + ? find_held_lock+0x3a/0x1c0 + ? mutex_lock_io_nested+0x1210/0x1210 + ? sched_clock_cpu+0x18/0x170 + netlink_rcv_skb+0x121/0x350 + ? xfrm_user_state_lookup.constprop.39+0x320/0x320 [xfrm_user] + ? netlink_ack+0x9d0/0x9d0 + ? netlink_deliver_tap+0x17c/0xa50 + xfrm_netlink_rcv+0x68/0x80 [xfrm_user] + netlink_unicast+0x41c/0x610 + ? netlink_attachskb+0x710/0x710 + netlink_sendmsg+0x6b9/0xb70 +[ ... ] + +Fixes: 18cb261afd7b ("bonding: support hardware encryption offload to slaves") +Signed-off-by: Taehee Yoo +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index c5a646d06102..026f4511bf7b 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -403,10 +403,12 @@ static int bond_ipsec_add_sa(struct xfrm_state *xs) + struct net_device *bond_dev = xs->xso.dev; + struct bonding *bond; + struct slave *slave; ++ int err; + + if (!bond_dev) + return -EINVAL; + ++ rcu_read_lock(); + bond = netdev_priv(bond_dev); + slave = rcu_dereference(bond->curr_active_slave); + xs->xso.real_dev = slave->dev; +@@ -415,10 +417,13 @@ static int bond_ipsec_add_sa(struct xfrm_state *xs) + if (!(slave->dev->xfrmdev_ops + && slave->dev->xfrmdev_ops->xdo_dev_state_add)) { + slave_warn(bond_dev, slave->dev, "Slave does not support ipsec offload\n"); ++ rcu_read_unlock(); + return -EINVAL; + } + +- return slave->dev->xfrmdev_ops->xdo_dev_state_add(xs); ++ err = slave->dev->xfrmdev_ops->xdo_dev_state_add(xs); ++ rcu_read_unlock(); ++ return err; + } + + /** +-- +2.30.2 + diff --git a/queue-5.13/bonding-fix-suspicious-rcu-usage-in-bond_ipsec_del_s.patch b/queue-5.13/bonding-fix-suspicious-rcu-usage-in-bond_ipsec_del_s.patch new file mode 100644 index 00000000000..b47b0934c97 --- /dev/null +++ b/queue-5.13/bonding-fix-suspicious-rcu-usage-in-bond_ipsec_del_s.patch @@ -0,0 +1,106 @@ +From f41062b5a4253e1453928bee2390321bfb4033bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Jul 2021 15:38:10 +0000 +Subject: bonding: fix suspicious RCU usage in bond_ipsec_del_sa() + +From: Taehee Yoo + +[ Upstream commit a22c39b831a081da9b2c488bd970a4412d926f30 ] + +To dereference bond->curr_active_slave, it uses rcu_dereference(). +But it and the caller doesn't acquire RCU so a warning occurs. +So add rcu_read_lock(). + +Test commands: + ip netns add A + ip netns exec A bash + modprobe netdevsim + echo "1 1" > /sys/bus/netdevsim/new_device + ip link add bond0 type bond + ip link set eth0 master bond0 + ip link set eth0 up + ip link set bond0 up + ip x s add proto esp dst 14.1.1.1 src 15.1.1.1 spi 0x07 mode \ +transport reqid 0x07 replay-window 32 aead 'rfc4106(gcm(aes))' \ +0x44434241343332312423222114131211f4f3f2f1 128 sel src 14.0.0.52/24 \ +dst 14.0.0.70/24 proto tcp offload dev bond0 dir in + ip x s f + +Splat looks like: +============================= +WARNING: suspicious RCU usage +5.13.0-rc3+ #1168 Not tainted +----------------------------- +drivers/net/bonding/bond_main.c:448 suspicious rcu_dereference_check() +usage! + +other info that might help us debug this: + +rcu_scheduler_active = 2, debug_locks = 1 +2 locks held by ip/705: + #0: ffff888106701780 (&net->xfrm.xfrm_cfg_mutex){+.+.}-{3:3}, +at: xfrm_netlink_rcv+0x59/0x80 [xfrm_user] + #1: ffff8880075b0098 (&x->lock){+.-.}-{2:2}, +at: xfrm_state_delete+0x16/0x30 + +stack backtrace: +CPU: 6 PID: 705 Comm: ip Not tainted 5.13.0-rc3+ #1168 +Call Trace: + dump_stack+0xa4/0xe5 + bond_ipsec_del_sa+0x16a/0x1c0 [bonding] + __xfrm_state_delete+0x51f/0x730 + xfrm_state_delete+0x1e/0x30 + xfrm_state_flush+0x22f/0x390 + xfrm_flush_sa+0xd8/0x260 [xfrm_user] + ? xfrm_flush_policy+0x290/0x290 [xfrm_user] + xfrm_user_rcv_msg+0x331/0x660 [xfrm_user] + ? rcu_read_lock_sched_held+0x91/0xc0 + ? xfrm_user_state_lookup.constprop.39+0x320/0x320 [xfrm_user] + ? find_held_lock+0x3a/0x1c0 + ? mutex_lock_io_nested+0x1210/0x1210 + ? sched_clock_cpu+0x18/0x170 + netlink_rcv_skb+0x121/0x350 +[ ... ] + +Fixes: 18cb261afd7b ("bonding: support hardware encryption offload to slaves") +Signed-off-by: Taehee Yoo +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 24b33118105a..a7b6550063b2 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -444,21 +444,24 @@ static void bond_ipsec_del_sa(struct xfrm_state *xs) + if (!bond_dev) + return; + ++ rcu_read_lock(); + bond = netdev_priv(bond_dev); + slave = rcu_dereference(bond->curr_active_slave); + + if (!slave) +- return; ++ goto out; + + xs->xso.real_dev = slave->dev; + + if (!(slave->dev->xfrmdev_ops + && slave->dev->xfrmdev_ops->xdo_dev_state_delete)) { + slave_warn(bond_dev, slave->dev, "%s: no slave xdo_dev_state_delete\n", __func__); +- return; ++ goto out; + } + + slave->dev->xfrmdev_ops->xdo_dev_state_delete(xs); ++out: ++ rcu_read_unlock(); + } + + /** +-- +2.30.2 + diff --git a/queue-5.13/bonding-fix-suspicious-rcu-usage-in-bond_ipsec_offlo.patch b/queue-5.13/bonding-fix-suspicious-rcu-usage-in-bond_ipsec_offlo.patch new file mode 100644 index 00000000000..b43edfdbe62 --- /dev/null +++ b/queue-5.13/bonding-fix-suspicious-rcu-usage-in-bond_ipsec_offlo.patch @@ -0,0 +1,96 @@ +From d7145013c4c46dcaf9fe414cafd3f531dbfa7166 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Jul 2021 15:38:13 +0000 +Subject: bonding: fix suspicious RCU usage in bond_ipsec_offload_ok() + +From: Taehee Yoo + +[ Upstream commit 955b785ec6b3b2f9b91914d6eeac8ee66ee29239 ] + +To dereference bond->curr_active_slave, it uses rcu_dereference(). +But it and the caller doesn't acquire RCU so a warning occurs. +So add rcu_read_lock(). + +Splat looks like: +WARNING: suspicious RCU usage +5.13.0-rc6+ #1179 Not tainted +drivers/net/bonding/bond_main.c:571 suspicious +rcu_dereference_check() usage! + +other info that might help us debug this: + +rcu_scheduler_active = 2, debug_locks = 1 +1 lock held by ping/974: + #0: ffff888109e7db70 (sk_lock-AF_INET){+.+.}-{0:0}, +at: raw_sendmsg+0x1303/0x2cb0 + +stack backtrace: +CPU: 2 PID: 974 Comm: ping Not tainted 5.13.0-rc6+ #1179 +Call Trace: + dump_stack+0xa4/0xe5 + bond_ipsec_offload_ok+0x1f4/0x260 [bonding] + xfrm_output+0x179/0x890 + xfrm4_output+0xfa/0x410 + ? __xfrm4_output+0x4b0/0x4b0 + ? __ip_make_skb+0xecc/0x2030 + ? xfrm4_udp_encap_rcv+0x800/0x800 + ? ip_local_out+0x21/0x3a0 + ip_send_skb+0x37/0xa0 + raw_sendmsg+0x1bfd/0x2cb0 + +Fixes: 18cb261afd7b ("bonding: support hardware encryption offload to slaves") +Signed-off-by: Taehee Yoo +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 22 ++++++++++++++++------ + 1 file changed, 16 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 3f67b4b794ac..d267791a06c0 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -573,24 +573,34 @@ static bool bond_ipsec_offload_ok(struct sk_buff *skb, struct xfrm_state *xs) + struct net_device *real_dev; + struct slave *curr_active; + struct bonding *bond; ++ int err; + + bond = netdev_priv(bond_dev); ++ rcu_read_lock(); + curr_active = rcu_dereference(bond->curr_active_slave); + real_dev = curr_active->dev; + +- if (BOND_MODE(bond) != BOND_MODE_ACTIVEBACKUP) +- return true; ++ if (BOND_MODE(bond) != BOND_MODE_ACTIVEBACKUP) { ++ err = true; ++ goto out; ++ } + +- if (!xs->xso.real_dev) +- return false; ++ if (!xs->xso.real_dev) { ++ err = false; ++ goto out; ++ } + + if (!real_dev->xfrmdev_ops || + !real_dev->xfrmdev_ops->xdo_dev_offload_ok || + netif_is_bond_master(real_dev)) { +- return false; ++ err = false; ++ goto out; + } + +- return real_dev->xfrmdev_ops->xdo_dev_offload_ok(skb, xs); ++ err = real_dev->xfrmdev_ops->xdo_dev_offload_ok(skb, xs); ++out: ++ rcu_read_unlock(); ++ return err; + } + + static const struct xfrmdev_ops bond_xfrmdev_ops = { +-- +2.30.2 + diff --git a/queue-5.13/bpf-fix-tail_call_reachable-rejection-for-interprete.patch b/queue-5.13/bpf-fix-tail_call_reachable-rejection-for-interprete.patch new file mode 100644 index 00000000000..ff394a5e26c --- /dev/null +++ b/queue-5.13/bpf-fix-tail_call_reachable-rejection-for-interprete.patch @@ -0,0 +1,122 @@ +From b830546e1f87a341595762df9be000f2c4207e4f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jul 2021 22:57:35 +0200 +Subject: bpf: Fix tail_call_reachable rejection for interpreter when jit + failed + +From: Daniel Borkmann + +[ Upstream commit 5dd0a6b8582ffbfa88351949d50eccd5b6694ade ] + +During testing of f263a81451c1 ("bpf: Track subprog poke descriptors correctly +and fix use-after-free") under various failure conditions, for example, when +jit_subprogs() fails and tries to clean up the program to be run under the +interpreter, we ran into the following freeze: + + [...] + #127/8 tailcall_bpf2bpf_3:FAIL + [...] + [ 92.041251] BUG: KASAN: slab-out-of-bounds in ___bpf_prog_run+0x1b9d/0x2e20 + [ 92.042408] Read of size 8 at addr ffff88800da67f68 by task test_progs/682 + [ 92.043707] + [ 92.044030] CPU: 1 PID: 682 Comm: test_progs Tainted: G O 5.13.0-53301-ge6c08cb33a30-dirty #87 + [ 92.045542] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1 04/01/2014 + [ 92.046785] Call Trace: + [ 92.047171] ? __bpf_prog_run_args64+0xc0/0xc0 + [ 92.047773] ? __bpf_prog_run_args32+0x8b/0xb0 + [ 92.048389] ? __bpf_prog_run_args64+0xc0/0xc0 + [ 92.049019] ? ktime_get+0x117/0x130 + [...] // few hundred [similar] lines more + [ 92.659025] ? ktime_get+0x117/0x130 + [ 92.659845] ? __bpf_prog_run_args64+0xc0/0xc0 + [ 92.660738] ? __bpf_prog_run_args32+0x8b/0xb0 + [ 92.661528] ? __bpf_prog_run_args64+0xc0/0xc0 + [ 92.662378] ? print_usage_bug+0x50/0x50 + [ 92.663221] ? print_usage_bug+0x50/0x50 + [ 92.664077] ? bpf_ksym_find+0x9c/0xe0 + [ 92.664887] ? ktime_get+0x117/0x130 + [ 92.665624] ? kernel_text_address+0xf5/0x100 + [ 92.666529] ? __kernel_text_address+0xe/0x30 + [ 92.667725] ? unwind_get_return_address+0x2f/0x50 + [ 92.668854] ? ___bpf_prog_run+0x15d4/0x2e20 + [ 92.670185] ? ktime_get+0x117/0x130 + [ 92.671130] ? __bpf_prog_run_args64+0xc0/0xc0 + [ 92.672020] ? __bpf_prog_run_args32+0x8b/0xb0 + [ 92.672860] ? __bpf_prog_run_args64+0xc0/0xc0 + [ 92.675159] ? ktime_get+0x117/0x130 + [ 92.677074] ? lock_is_held_type+0xd5/0x130 + [ 92.678662] ? ___bpf_prog_run+0x15d4/0x2e20 + [ 92.680046] ? ktime_get+0x117/0x130 + [ 92.681285] ? __bpf_prog_run32+0x6b/0x90 + [ 92.682601] ? __bpf_prog_run64+0x90/0x90 + [ 92.683636] ? lock_downgrade+0x370/0x370 + [ 92.684647] ? mark_held_locks+0x44/0x90 + [ 92.685652] ? ktime_get+0x117/0x130 + [ 92.686752] ? lockdep_hardirqs_on+0x79/0x100 + [ 92.688004] ? ktime_get+0x117/0x130 + [ 92.688573] ? __cant_migrate+0x2b/0x80 + [ 92.689192] ? bpf_test_run+0x2f4/0x510 + [ 92.689869] ? bpf_test_timer_continue+0x1c0/0x1c0 + [ 92.690856] ? rcu_read_lock_bh_held+0x90/0x90 + [ 92.691506] ? __kasan_slab_alloc+0x61/0x80 + [ 92.692128] ? eth_type_trans+0x128/0x240 + [ 92.692737] ? __build_skb+0x46/0x50 + [ 92.693252] ? bpf_prog_test_run_skb+0x65e/0xc50 + [ 92.693954] ? bpf_prog_test_run_raw_tp+0x2d0/0x2d0 + [ 92.694639] ? __fget_light+0xa1/0x100 + [ 92.695162] ? bpf_prog_inc+0x23/0x30 + [ 92.695685] ? __sys_bpf+0xb40/0x2c80 + [ 92.696324] ? bpf_link_get_from_fd+0x90/0x90 + [ 92.697150] ? mark_held_locks+0x24/0x90 + [ 92.698007] ? lockdep_hardirqs_on_prepare+0x124/0x220 + [ 92.699045] ? finish_task_switch+0xe6/0x370 + [ 92.700072] ? lockdep_hardirqs_on+0x79/0x100 + [ 92.701233] ? finish_task_switch+0x11d/0x370 + [ 92.702264] ? __switch_to+0x2c0/0x740 + [ 92.703148] ? mark_held_locks+0x24/0x90 + [ 92.704155] ? __x64_sys_bpf+0x45/0x50 + [ 92.705146] ? do_syscall_64+0x35/0x80 + [ 92.706953] ? entry_SYSCALL_64_after_hwframe+0x44/0xae + [...] + +Turns out that the program rejection from e411901c0b77 ("bpf: allow for tailcalls +in BPF subprograms for x64 JIT") is buggy since env->prog->aux->tail_call_reachable +is never true. Commit ebf7d1f508a7 ("bpf, x64: rework pro/epilogue and tailcall +handling in JIT") added a tracker into check_max_stack_depth() which propagates +the tail_call_reachable condition throughout the subprograms. This info is then +assigned to the subprogram's func[i]->aux->tail_call_reachable. However, in the +case of the rejection check upon JIT failure, env->prog->aux->tail_call_reachable +is used. func[0]->aux->tail_call_reachable which represents the main program's +information did not propagate this to the outer env->prog->aux, though. Add this +propagation into check_max_stack_depth() where it needs to belong so that the +check can be done reliably. + +Fixes: ebf7d1f508a7 ("bpf, x64: rework pro/epilogue and tailcall handling in JIT") +Fixes: e411901c0b77 ("bpf: allow for tailcalls in BPF subprograms for x64 JIT") +Co-developed-by: John Fastabend +Signed-off-by: Daniel Borkmann +Signed-off-by: John Fastabend +Signed-off-by: Alexei Starovoitov +Acked-by: Maciej Fijalkowski +Link: https://lore.kernel.org/bpf/618c34e3163ad1a36b1e82377576a6081e182f25.1626123173.git.daniel@iogearbox.net +Signed-off-by: Sasha Levin +--- + kernel/bpf/verifier.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index d8a6fcd28e39..e6db39a00de2 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -3675,6 +3675,8 @@ continue_func: + if (tail_call_reachable) + for (j = 0; j < frame; j++) + subprog[ret_prog[j]].tail_call_reachable = true; ++ if (subprog[0].tail_call_reachable) ++ env->prog->aux->tail_call_reachable = true; + + /* end of for() loop means the last insn of the 'subprog' + * was reached. Doesn't matter whether it was JA or EXIT +-- +2.30.2 + diff --git a/queue-5.13/bpf-samples-fix-xdpsock-with-m-parameter-missing-unl.patch b/queue-5.13/bpf-samples-fix-xdpsock-with-m-parameter-missing-unl.patch new file mode 100644 index 00000000000..0a4718e1850 --- /dev/null +++ b/queue-5.13/bpf-samples-fix-xdpsock-with-m-parameter-missing-unl.patch @@ -0,0 +1,106 @@ +From 854b37b81b47443208c75ba7c3775fd49d335344 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Jun 2021 17:18:15 +0800 +Subject: bpf, samples: Fix xdpsock with '-M' parameter missing unload process + +From: Wang Hai + +[ Upstream commit 2620e92ae6ed83260eb46d214554cd308ee35d92 ] + +Execute the following command and exit, then execute it again, the following +error will be reported: + + $ sudo ./samples/bpf/xdpsock -i ens4f2 -M + ^C + $ sudo ./samples/bpf/xdpsock -i ens4f2 -M + libbpf: elf: skipping unrecognized data section(16) .eh_frame + libbpf: elf: skipping relo section(17) .rel.eh_frame for section(16) .eh_frame + libbpf: Kernel error message: XDP program already attached + ERROR: link set xdp fd failed + +Commit c9d27c9e8dc7 ("samples: bpf: Do not unload prog within xdpsock") removed +the unloading prog code because of the presence of bpf_link. This is fine if +XDP_SHARED_UMEM is disabled, but if it is enabled, unloading the prog is still +needed. + +Fixes: c9d27c9e8dc7 ("samples: bpf: Do not unload prog within xdpsock") +Signed-off-by: Wang Hai +Signed-off-by: Daniel Borkmann +Acked-by: Magnus Karlsson +Cc: Maciej Fijalkowski +Link: https://lore.kernel.org/bpf/20210628091815.2373487-1-wanghai38@huawei.com +Signed-off-by: Sasha Levin +--- + samples/bpf/xdpsock_user.c | 28 ++++++++++++++++++++++++++++ + 1 file changed, 28 insertions(+) + +diff --git a/samples/bpf/xdpsock_user.c b/samples/bpf/xdpsock_user.c +index 53e300f860bb..33d0bdebbed8 100644 +--- a/samples/bpf/xdpsock_user.c ++++ b/samples/bpf/xdpsock_user.c +@@ -96,6 +96,7 @@ static int opt_xsk_frame_size = XSK_UMEM__DEFAULT_FRAME_SIZE; + static int opt_timeout = 1000; + static bool opt_need_wakeup = true; + static u32 opt_num_xsks = 1; ++static u32 prog_id; + static bool opt_busy_poll; + static bool opt_reduced_cap; + +@@ -461,6 +462,23 @@ static void *poller(void *arg) + return NULL; + } + ++static void remove_xdp_program(void) ++{ ++ u32 curr_prog_id = 0; ++ ++ if (bpf_get_link_xdp_id(opt_ifindex, &curr_prog_id, opt_xdp_flags)) { ++ printf("bpf_get_link_xdp_id failed\n"); ++ exit(EXIT_FAILURE); ++ } ++ ++ if (prog_id == curr_prog_id) ++ bpf_set_link_xdp_fd(opt_ifindex, -1, opt_xdp_flags); ++ else if (!curr_prog_id) ++ printf("couldn't find a prog id on a given interface\n"); ++ else ++ printf("program on interface changed, not removing\n"); ++} ++ + static void int_exit(int sig) + { + benchmark_done = true; +@@ -471,6 +489,9 @@ static void __exit_with_error(int error, const char *file, const char *func, + { + fprintf(stderr, "%s:%s:%i: errno: %d/\"%s\"\n", file, func, + line, error, strerror(error)); ++ ++ if (opt_num_xsks > 1) ++ remove_xdp_program(); + exit(EXIT_FAILURE); + } + +@@ -490,6 +511,9 @@ static void xdpsock_cleanup(void) + if (write(sock, &cmd, sizeof(int)) < 0) + exit_with_error(errno); + } ++ ++ if (opt_num_xsks > 1) ++ remove_xdp_program(); + } + + static void swap_mac_addresses(void *data) +@@ -857,6 +881,10 @@ static struct xsk_socket_info *xsk_configure_socket(struct xsk_umem_info *umem, + if (ret) + exit_with_error(-ret); + ++ ret = bpf_get_link_xdp_id(opt_ifindex, &prog_id, opt_xdp_flags); ++ if (ret) ++ exit_with_error(-ret); ++ + xsk->app_stats.rx_empty_polls = 0; + xsk->app_stats.fill_fail_polls = 0; + xsk->app_stats.copy_tx_sendtos = 0; +-- +2.30.2 + diff --git a/queue-5.13/bpf-sockmap-fix-potential-memory-leak-on-unlikely-er.patch b/queue-5.13/bpf-sockmap-fix-potential-memory-leak-on-unlikely-er.patch new file mode 100644 index 00000000000..86140c965da --- /dev/null +++ b/queue-5.13/bpf-sockmap-fix-potential-memory-leak-on-unlikely-er.patch @@ -0,0 +1,80 @@ +From 485b2e483d41e1673bb507e0a6549b821c9f7a22 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jul 2021 12:55:45 -0700 +Subject: bpf, sockmap: Fix potential memory leak on unlikely error case + +From: John Fastabend + +[ Upstream commit 7e6b27a69167f97c56b5437871d29e9722c3e470 ] + +If skb_linearize is needed and fails we could leak a msg on the error +handling. To fix ensure we kfree the msg block before returning error. +Found during code review. + +Fixes: 4363023d2668e ("bpf, sockmap: Avoid failures from skb_to_sgvec when skb has frag_list") +Signed-off-by: John Fastabend +Signed-off-by: Daniel Borkmann +Reviewed-by: Cong Wang +Link: https://lore.kernel.org/bpf/20210712195546.423990-2-john.fastabend@gmail.com +Signed-off-by: Sasha Levin +--- + net/core/skmsg.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +diff --git a/net/core/skmsg.c b/net/core/skmsg.c +index 539c83a45665..b2410a1bfa23 100644 +--- a/net/core/skmsg.c ++++ b/net/core/skmsg.c +@@ -531,10 +531,8 @@ static int sk_psock_skb_ingress_enqueue(struct sk_buff *skb, + if (skb_linearize(skb)) + return -EAGAIN; + num_sge = skb_to_sgvec(skb, msg->sg.data, 0, skb->len); +- if (unlikely(num_sge < 0)) { +- kfree(msg); ++ if (unlikely(num_sge < 0)) + return num_sge; +- } + + copied = skb->len; + msg->sg.start = 0; +@@ -553,6 +551,7 @@ static int sk_psock_skb_ingress(struct sk_psock *psock, struct sk_buff *skb) + { + struct sock *sk = psock->sk; + struct sk_msg *msg; ++ int err; + + /* If we are receiving on the same sock skb->sk is already assigned, + * skip memory accounting and owner transition seeing it already set +@@ -571,7 +570,10 @@ static int sk_psock_skb_ingress(struct sk_psock *psock, struct sk_buff *skb) + * into user buffers. + */ + skb_set_owner_r(skb, sk); +- return sk_psock_skb_ingress_enqueue(skb, psock, sk, msg); ++ err = sk_psock_skb_ingress_enqueue(skb, psock, sk, msg); ++ if (err < 0) ++ kfree(msg); ++ return err; + } + + /* Puts an skb on the ingress queue of the socket already assigned to the +@@ -582,12 +584,16 @@ static int sk_psock_skb_ingress_self(struct sk_psock *psock, struct sk_buff *skb + { + struct sk_msg *msg = kzalloc(sizeof(*msg), __GFP_NOWARN | GFP_ATOMIC); + struct sock *sk = psock->sk; ++ int err; + + if (unlikely(!msg)) + return -EAGAIN; + sk_msg_init(msg); + skb_set_owner_r(skb, sk); +- return sk_psock_skb_ingress_enqueue(skb, psock, sk, msg); ++ err = sk_psock_skb_ingress_enqueue(skb, psock, sk, msg); ++ if (err < 0) ++ kfree(msg); ++ return err; + } + + static int sk_psock_handle_skb(struct sk_psock *psock, struct sk_buff *skb, +-- +2.30.2 + diff --git a/queue-5.13/bpf-sockmap-tcp-sk_prot-needs-inuse_idx-set-for-proc.patch b/queue-5.13/bpf-sockmap-tcp-sk_prot-needs-inuse_idx-set-for-proc.patch new file mode 100644 index 00000000000..61bed705138 --- /dev/null +++ b/queue-5.13/bpf-sockmap-tcp-sk_prot-needs-inuse_idx-set-for-proc.patch @@ -0,0 +1,47 @@ +From 5a33683654f4c64bd45012c99faa8eb364f6b134 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jul 2021 12:55:46 -0700 +Subject: bpf, sockmap, tcp: sk_prot needs inuse_idx set for proc stats + +From: John Fastabend + +[ Upstream commit 228a4a7ba8e99bb9ef980b62f71e3be33f4aae69 ] + +The proc socket stats use sk_prot->inuse_idx value to record inuse sock +stats. We currently do not set this correctly from sockmap side. The +result is reading sock stats '/proc/net/sockstat' gives incorrect values. +The socket counter is incremented correctly, but because we don't set the +counter correctly when we replace sk_prot we may omit the decrement. + +To get the correct inuse_idx value move the core_initcall that initializes +the TCP proto handlers to late_initcall. This way it is initialized after +TCP has the chance to assign the inuse_idx value from the register protocol +handler. + +Fixes: 604326b41a6fb ("bpf, sockmap: convert to generic sk_msg interface") +Suggested-by: Jakub Sitnicki +Signed-off-by: John Fastabend +Signed-off-by: Daniel Borkmann +Reviewed-by: Cong Wang +Link: https://lore.kernel.org/bpf/20210712195546.423990-3-john.fastabend@gmail.com +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_bpf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c +index ad9d17923fc5..b65201ba4d93 100644 +--- a/net/ipv4/tcp_bpf.c ++++ b/net/ipv4/tcp_bpf.c +@@ -486,7 +486,7 @@ static int __init tcp_bpf_v4_build_proto(void) + tcp_bpf_rebuild_protos(tcp_bpf_prots[TCP_BPF_IPV4], &tcp_prot); + return 0; + } +-core_initcall(tcp_bpf_v4_build_proto); ++late_initcall(tcp_bpf_v4_build_proto); + + static int tcp_bpf_assert_proto_ops(struct proto *ops) + { +-- +2.30.2 + diff --git a/queue-5.13/bpf-sockmap-udp-sk_prot-needs-inuse_idx-set-for-proc.patch b/queue-5.13/bpf-sockmap-udp-sk_prot-needs-inuse_idx-set-for-proc.patch new file mode 100644 index 00000000000..bd660a856aa --- /dev/null +++ b/queue-5.13/bpf-sockmap-udp-sk_prot-needs-inuse_idx-set-for-proc.patch @@ -0,0 +1,47 @@ +From b042033226704e98bb329fc39a0fa76859e74dd5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jul 2021 17:47:50 +0200 +Subject: bpf, sockmap, udp: sk_prot needs inuse_idx set for proc stats + +From: Jakub Sitnicki + +[ Upstream commit 54ea2f49fd9400dd698c25450be3352b5613b3b4 ] + +The proc socket stats use sk_prot->inuse_idx value to record inuse sock +stats. We currently do not set this correctly from sockmap side. The +result is reading sock stats '/proc/net/sockstat' gives incorrect values. +The socket counter is incremented correctly, but because we don't set the +counter correctly when we replace sk_prot we may omit the decrement. + +To get the correct inuse_idx value move the core_initcall that initializes +the UDP proto handlers to late_initcall. This way it is initialized after +UDP has the chance to assign the inuse_idx value from the register protocol +handler. + +Fixes: edc6741cc660 ("bpf: Add sockmap hooks for UDP sockets") +Signed-off-by: Jakub Sitnicki +Signed-off-by: Daniel Borkmann +Reviewed-by: Cong Wang +Acked-by: John Fastabend +Link: https://lore.kernel.org/bpf/20210714154750.528206-1-jakub@cloudflare.com +Signed-off-by: Sasha Levin +--- + net/ipv4/udp_bpf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv4/udp_bpf.c b/net/ipv4/udp_bpf.c +index 954c4591a6fd..725b6df4b2a2 100644 +--- a/net/ipv4/udp_bpf.c ++++ b/net/ipv4/udp_bpf.c +@@ -101,7 +101,7 @@ static int __init udp_bpf_v4_build_proto(void) + udp_bpf_rebuild_protos(&udp_bpf_prots[UDP_BPF_IPV4], &udp_prot); + return 0; + } +-core_initcall(udp_bpf_v4_build_proto); ++late_initcall(udp_bpf_v4_build_proto); + + int udp_bpf_update_proto(struct sock *sk, struct sk_psock *psock, bool restore) + { +-- +2.30.2 + diff --git a/queue-5.13/bpf-test-fix-null-pointer-dereference-on-invalid-exp.patch b/queue-5.13/bpf-test-fix-null-pointer-dereference-on-invalid-exp.patch new file mode 100644 index 00000000000..9b3bcafa8da --- /dev/null +++ b/queue-5.13/bpf-test-fix-null-pointer-dereference-on-invalid-exp.patch @@ -0,0 +1,110 @@ +From 8164192e5497d59ca2481e657ff75310ee2b7f9e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Jul 2021 16:04:09 +0800 +Subject: bpf, test: fix NULL pointer dereference on invalid + expected_attach_type + +From: Xuan Zhuo + +[ Upstream commit 5e21bb4e812566aef86fbb77c96a4ec0782286e4 ] + +These two types of XDP progs (BPF_XDP_DEVMAP, BPF_XDP_CPUMAP) will not be +executed directly in the driver, therefore we should also not directly +run them from here. To run in these two situations, there must be further +preparations done, otherwise these may cause a kernel panic. + +For more details, see also dev_xdp_attach(). + + [ 46.982479] BUG: kernel NULL pointer dereference, address: 0000000000000000 + [ 46.984295] #PF: supervisor read access in kernel mode + [ 46.985777] #PF: error_code(0x0000) - not-present page + [ 46.987227] PGD 800000010dca4067 P4D 800000010dca4067 PUD 10dca6067 PMD 0 + [ 46.989201] Oops: 0000 [#1] SMP PTI + [ 46.990304] CPU: 7 PID: 562 Comm: a.out Not tainted 5.13.0+ #44 + [ 46.992001] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/24 + [ 46.995113] RIP: 0010:___bpf_prog_run+0x17b/0x1710 + [ 46.996586] Code: 49 03 14 cc e8 76 f6 fe ff e9 ad fe ff ff 0f b6 43 01 48 0f bf 4b 02 48 83 c3 08 89 c2 83 e0 0f c0 ea 04 02 + [ 47.001562] RSP: 0018:ffffc900005afc58 EFLAGS: 00010246 + [ 47.003115] RAX: 0000000000000000 RBX: ffffc9000023f068 RCX: 0000000000000000 + [ 47.005163] RDX: 0000000000000000 RSI: 0000000000000079 RDI: ffffc900005afc98 + [ 47.007135] RBP: 0000000000000000 R08: ffffc9000023f048 R09: c0000000ffffdfff + [ 47.009171] R10: 0000000000000001 R11: ffffc900005afb40 R12: ffffc900005afc98 + [ 47.011172] R13: 0000000000000001 R14: 0000000000000001 R15: ffffffff825258a8 + [ 47.013244] FS: 00007f04a5207580(0000) GS:ffff88842fdc0000(0000) knlGS:0000000000000000 + [ 47.015705] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [ 47.017475] CR2: 0000000000000000 CR3: 0000000100182005 CR4: 0000000000770ee0 + [ 47.019558] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + [ 47.021595] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + [ 47.023574] PKRU: 55555554 + [ 47.024571] Call Trace: + [ 47.025424] __bpf_prog_run32+0x32/0x50 + [ 47.026296] ? printk+0x53/0x6a + [ 47.027066] ? ktime_get+0x39/0x90 + [ 47.027895] bpf_test_run.cold.28+0x23/0x123 + [ 47.028866] ? printk+0x53/0x6a + [ 47.029630] bpf_prog_test_run_xdp+0x149/0x1d0 + [ 47.030649] __sys_bpf+0x1305/0x23d0 + [ 47.031482] __x64_sys_bpf+0x17/0x20 + [ 47.032316] do_syscall_64+0x3a/0x80 + [ 47.033165] entry_SYSCALL_64_after_hwframe+0x44/0xae + [ 47.034254] RIP: 0033:0x7f04a51364dd + [ 47.035133] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 48 + [ 47.038768] RSP: 002b:00007fff8f9fc518 EFLAGS: 00000213 ORIG_RAX: 0000000000000141 + [ 47.040344] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f04a51364dd + [ 47.041749] RDX: 0000000000000048 RSI: 0000000020002a80 RDI: 000000000000000a + [ 47.043171] RBP: 00007fff8f9fc530 R08: 0000000002049300 R09: 0000000020000100 + [ 47.044626] R10: 0000000000000004 R11: 0000000000000213 R12: 0000000000401070 + [ 47.046088] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 + [ 47.047579] Modules linked in: + [ 47.048318] CR2: 0000000000000000 + [ 47.049120] ---[ end trace 7ad34443d5be719a ]--- + [ 47.050273] RIP: 0010:___bpf_prog_run+0x17b/0x1710 + [ 47.051343] Code: 49 03 14 cc e8 76 f6 fe ff e9 ad fe ff ff 0f b6 43 01 48 0f bf 4b 02 48 83 c3 08 89 c2 83 e0 0f c0 ea 04 02 + [ 47.054943] RSP: 0018:ffffc900005afc58 EFLAGS: 00010246 + [ 47.056068] RAX: 0000000000000000 RBX: ffffc9000023f068 RCX: 0000000000000000 + [ 47.057522] RDX: 0000000000000000 RSI: 0000000000000079 RDI: ffffc900005afc98 + [ 47.058961] RBP: 0000000000000000 R08: ffffc9000023f048 R09: c0000000ffffdfff + [ 47.060390] R10: 0000000000000001 R11: ffffc900005afb40 R12: ffffc900005afc98 + [ 47.061803] R13: 0000000000000001 R14: 0000000000000001 R15: ffffffff825258a8 + [ 47.063249] FS: 00007f04a5207580(0000) GS:ffff88842fdc0000(0000) knlGS:0000000000000000 + [ 47.065070] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [ 47.066307] CR2: 0000000000000000 CR3: 0000000100182005 CR4: 0000000000770ee0 + [ 47.067747] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + [ 47.069217] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + [ 47.070652] PKRU: 55555554 + [ 47.071318] Kernel panic - not syncing: Fatal exception + [ 47.072854] Kernel Offset: disabled + [ 47.073683] ---[ end Kernel panic - not syncing: Fatal exception ]--- + +Fixes: 9216477449f3 ("bpf: cpumap: Add the possibility to attach an eBPF program to cpumap") +Fixes: fbee97feed9b ("bpf: Add support to attach bpf program to a devmap entry") +Reported-by: Abaci +Signed-off-by: Xuan Zhuo +Signed-off-by: Daniel Borkmann +Reviewed-by: Dust Li +Acked-by: Jesper Dangaard Brouer +Acked-by: David Ahern +Acked-by: Song Liu +Link: https://lore.kernel.org/bpf/20210708080409.73525-1-xuanzhuo@linux.alibaba.com +Signed-off-by: Sasha Levin +--- + net/bpf/test_run.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c +index a5d72c48fb66..28ac3c96fa88 100644 +--- a/net/bpf/test_run.c ++++ b/net/bpf/test_run.c +@@ -701,6 +701,9 @@ int bpf_prog_test_run_xdp(struct bpf_prog *prog, const union bpf_attr *kattr, + void *data; + int ret; + ++ if (prog->expected_attach_type == BPF_XDP_DEVMAP || ++ prog->expected_attach_type == BPF_XDP_CPUMAP) ++ return -EINVAL; + if (kattr->test.ctx_in || kattr->test.ctx_out) + return -EINVAL; + +-- +2.30.2 + diff --git a/queue-5.13/bpftool-check-malloc-return-value-in-mount_bpffs_for.patch b/queue-5.13/bpftool-check-malloc-return-value-in-mount_bpffs_for.patch new file mode 100644 index 00000000000..8b8e839ea87 --- /dev/null +++ b/queue-5.13/bpftool-check-malloc-return-value-in-mount_bpffs_for.patch @@ -0,0 +1,41 @@ +From cb54a0b4c56ea4f82cb0c958b34a5806d2815a00 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jul 2021 13:06:09 +0200 +Subject: bpftool: Check malloc return value in mount_bpffs_for_pin + +From: Tobias Klauser + +[ Upstream commit d444b06e40855219ef38b5e9286db16d435f06dc ] + +Fix and add a missing NULL check for the prior malloc() call. + +Fixes: 49a086c201a9 ("bpftool: implement prog load command") +Signed-off-by: Tobias Klauser +Signed-off-by: Daniel Borkmann +Reviewed-by: Quentin Monnet +Acked-by: Roman Gushchin +Link: https://lore.kernel.org/bpf/20210715110609.29364-1-tklauser@distanz.ch +Signed-off-by: Sasha Levin +--- + tools/bpf/bpftool/common.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/tools/bpf/bpftool/common.c b/tools/bpf/bpftool/common.c +index 1828bba19020..dc6daa193557 100644 +--- a/tools/bpf/bpftool/common.c ++++ b/tools/bpf/bpftool/common.c +@@ -222,6 +222,11 @@ int mount_bpffs_for_pin(const char *name) + int err = 0; + + file = malloc(strlen(name) + 1); ++ if (!file) { ++ p_err("mem alloc failed"); ++ return -1; ++ } ++ + strcpy(file, name); + dir = dirname(file); + +-- +2.30.2 + diff --git a/queue-5.13/ceph-don-t-warn-if-we-re-still-opening-a-session-to-.patch b/queue-5.13/ceph-don-t-warn-if-we-re-still-opening-a-session-to-.patch new file mode 100644 index 00000000000..fb485c73cc5 --- /dev/null +++ b/queue-5.13/ceph-don-t-warn-if-we-re-still-opening-a-session-to-.patch @@ -0,0 +1,42 @@ +From d1b58f35cce20485e1ff1521ecc0a6f710f55e9e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jul 2021 14:40:39 +0100 +Subject: ceph: don't WARN if we're still opening a session to an MDS + +From: Luis Henriques + +[ Upstream commit cdb330f4b41ab55feb35487729e883c9e08b8a54 ] + +If MDSs aren't available while mounting a filesystem, the session state +will transition from SESSION_OPENING to SESSION_CLOSING. And in that +scenario check_session_state() will be called from delayed_work() and +trigger this WARN. + +Avoid this by only WARNing after a session has already been established +(i.e., the s_ttl will be different from 0). + +Fixes: 62575e270f66 ("ceph: check session state after bumping session->s_seq") +Signed-off-by: Luis Henriques +Reviewed-by: Jeff Layton +Signed-off-by: Ilya Dryomov +Signed-off-by: Sasha Levin +--- + fs/ceph/mds_client.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c +index e5af591d3bd4..86f09b1110a2 100644 +--- a/fs/ceph/mds_client.c ++++ b/fs/ceph/mds_client.c +@@ -4468,7 +4468,7 @@ bool check_session_state(struct ceph_mds_session *s) + break; + case CEPH_MDS_SESSION_CLOSING: + /* Should never reach this when we're unmounting */ +- WARN_ON_ONCE(true); ++ WARN_ON_ONCE(s->s_ttl); + fallthrough; + case CEPH_MDS_SESSION_NEW: + case CEPH_MDS_SESSION_RESTARTING: +-- +2.30.2 + diff --git a/queue-5.13/cifs-fix-fallocate-when-trying-to-allocate-a-hole.patch b/queue-5.13/cifs-fix-fallocate-when-trying-to-allocate-a-hole.patch new file mode 100644 index 00000000000..c1a5a0657c2 --- /dev/null +++ b/queue-5.13/cifs-fix-fallocate-when-trying-to-allocate-a-hole.patch @@ -0,0 +1,68 @@ +From fbd932a6124b49cb6d8fc4554f883d3b0af04760 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Jul 2021 11:21:24 +1000 +Subject: cifs: fix fallocate when trying to allocate a hole. + +From: Ronnie Sahlberg + +[ Upstream commit 488968a8945c119859d91bb6a8dc13bf50002f15 ] + +Remove the conditional checking for out_data_len and skipping the fallocate +if it is 0. This is wrong will actually change any legitimate the fallocate +where the entire region is unallocated into a no-op. + +Additionally, before allocating the range, if FALLOC_FL_KEEP_SIZE is set then +we need to clamp the length of the fallocate region as to not extend the size of the file. + +Fixes: 966a3cb7c7db ("cifs: improve fallocate emulation") +Signed-off-by: Ronnie Sahlberg +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/smb2ops.c | 23 ++++++++++++++++++----- + 1 file changed, 18 insertions(+), 5 deletions(-) + +diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c +index cc253bbff696..64cad843ce72 100644 +--- a/fs/cifs/smb2ops.c ++++ b/fs/cifs/smb2ops.c +@@ -3663,11 +3663,6 @@ static int smb3_simple_fallocate_range(unsigned int xid, + (char **)&out_data, &out_data_len); + if (rc) + goto out; +- /* +- * It is already all allocated +- */ +- if (out_data_len == 0) +- goto out; + + buf = kzalloc(1024 * 1024, GFP_KERNEL); + if (buf == NULL) { +@@ -3790,6 +3785,24 @@ static long smb3_simple_falloc(struct file *file, struct cifs_tcon *tcon, + goto out; + } + ++ if (keep_size == true) { ++ /* ++ * We can not preallocate pages beyond the end of the file ++ * in SMB2 ++ */ ++ if (off >= i_size_read(inode)) { ++ rc = 0; ++ goto out; ++ } ++ /* ++ * For fallocates that are partially beyond the end of file, ++ * clamp len so we only fallocate up to the end of file. ++ */ ++ if (off + len > i_size_read(inode)) { ++ len = i_size_read(inode) - off; ++ } ++ } ++ + if ((keep_size == true) || (i_size_read(inode) >= off + len)) { + /* + * At this point, we are trying to fallocate an internal +-- +2.30.2 + diff --git a/queue-5.13/cifs-only-write-64kb-at-a-time-when-fallocating-a-sm.patch b/queue-5.13/cifs-only-write-64kb-at-a-time-when-fallocating-a-sm.patch new file mode 100644 index 00000000000..65205b7ba6f --- /dev/null +++ b/queue-5.13/cifs-only-write-64kb-at-a-time-when-fallocating-a-sm.patch @@ -0,0 +1,71 @@ +From b3076ea07ec752c1bd23dad1bed21d444ecf2244 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Jul 2021 14:53:32 +1000 +Subject: cifs: only write 64kb at a time when fallocating a small region of a + file + +From: Ronnie Sahlberg + +[ Upstream commit 2485bd7557a7edb4520b4072af464f0a08c8efe0 ] + +We only allow sending single credit writes through the SMB2_write() synchronous +api so split this into smaller chunks. + +Fixes: 966a3cb7c7db ("cifs: improve fallocate emulation") + +Signed-off-by: Ronnie Sahlberg +Reported-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/smb2ops.c | 26 +++++++++++++++++++------- + 1 file changed, 19 insertions(+), 7 deletions(-) + +diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c +index 903de7449aa3..cc253bbff696 100644 +--- a/fs/cifs/smb2ops.c ++++ b/fs/cifs/smb2ops.c +@@ -3613,7 +3613,7 @@ static int smb3_simple_fallocate_write_range(unsigned int xid, + char *buf) + { + struct cifs_io_parms io_parms = {0}; +- int nbytes; ++ int rc, nbytes; + struct kvec iov[2]; + + io_parms.netfid = cfile->fid.netfid; +@@ -3621,13 +3621,25 @@ static int smb3_simple_fallocate_write_range(unsigned int xid, + io_parms.tcon = tcon; + io_parms.persistent_fid = cfile->fid.persistent_fid; + io_parms.volatile_fid = cfile->fid.volatile_fid; +- io_parms.offset = off; +- io_parms.length = len; + +- /* iov[0] is reserved for smb header */ +- iov[1].iov_base = buf; +- iov[1].iov_len = io_parms.length; +- return SMB2_write(xid, &io_parms, &nbytes, iov, 1); ++ while (len) { ++ io_parms.offset = off; ++ io_parms.length = len; ++ if (io_parms.length > SMB2_MAX_BUFFER_SIZE) ++ io_parms.length = SMB2_MAX_BUFFER_SIZE; ++ /* iov[0] is reserved for smb header */ ++ iov[1].iov_base = buf; ++ iov[1].iov_len = io_parms.length; ++ rc = SMB2_write(xid, &io_parms, &nbytes, iov, 1); ++ if (rc) ++ break; ++ if (nbytes > len) ++ return -EINVAL; ++ buf += nbytes; ++ off += nbytes; ++ len -= nbytes; ++ } ++ return rc; + } + + static int smb3_simple_fallocate_range(unsigned int xid, +-- +2.30.2 + diff --git a/queue-5.13/cxgb4-fix-irq-free-race-during-driver-unload.patch b/queue-5.13/cxgb4-fix-irq-free-race-during-driver-unload.patch new file mode 100644 index 00000000000..4c83a8ed1d1 --- /dev/null +++ b/queue-5.13/cxgb4-fix-irq-free-race-during-driver-unload.patch @@ -0,0 +1,89 @@ +From 16bba1557e2761fef53f030204d29d65d39fa2af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Jul 2021 21:51:56 +0530 +Subject: cxgb4: fix IRQ free race during driver unload + +From: Shahjada Abul Husain + +[ Upstream commit 015fe6fd29c4b9ac0f61b8c4455ef88e6018b9cc ] + +IRQs are requested during driver's ndo_open() and then later +freed up in disable_interrupts() during driver unload. +A race exists where driver can set the CXGB4_FULL_INIT_DONE +flag in ndo_open() after the disable_interrupts() in driver +unload path checks it, and hence misses calling free_irq(). + +Fix by unregistering netdevice first and sync with driver's +ndo_open(). This ensures disable_interrupts() checks the flag +correctly and frees up the IRQs properly. + +Fixes: b37987e8db5f ("cxgb4: Disable interrupts and napi before unregistering netdev") +Signed-off-by: Shahjada Abul Husain +Signed-off-by: Raju Rangoju +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../net/ethernet/chelsio/cxgb4/cxgb4_main.c | 18 ++++++++++-------- + drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c | 3 +++ + 2 files changed, 13 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c +index 762113a04dde..9f62ffe64781 100644 +--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c +@@ -2643,6 +2643,9 @@ static void detach_ulds(struct adapter *adap) + { + unsigned int i; + ++ if (!is_uld(adap)) ++ return; ++ + mutex_lock(&uld_mutex); + list_del(&adap->list_node); + +@@ -7141,10 +7144,13 @@ static void remove_one(struct pci_dev *pdev) + */ + destroy_workqueue(adapter->workq); + +- if (is_uld(adapter)) { +- detach_ulds(adapter); +- t4_uld_clean_up(adapter); +- } ++ detach_ulds(adapter); ++ ++ for_each_port(adapter, i) ++ if (adapter->port[i]->reg_state == NETREG_REGISTERED) ++ unregister_netdev(adapter->port[i]); ++ ++ t4_uld_clean_up(adapter); + + adap_free_hma_mem(adapter); + +@@ -7152,10 +7158,6 @@ static void remove_one(struct pci_dev *pdev) + + cxgb4_free_mps_ref_entries(adapter); + +- for_each_port(adapter, i) +- if (adapter->port[i]->reg_state == NETREG_REGISTERED) +- unregister_netdev(adapter->port[i]); +- + debugfs_remove_recursive(adapter->debugfs_root); + + if (!is_t4(adapter->params.chip)) +diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c +index 743af9e654aa..17faac715882 100644 +--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c +@@ -581,6 +581,9 @@ void t4_uld_clean_up(struct adapter *adap) + { + unsigned int i; + ++ if (!is_uld(adap)) ++ return; ++ + mutex_lock(&uld_mutex); + for (i = 0; i < CXGB4_ULD_MAX; i++) { + if (!adap->uld[i].handle) +-- +2.30.2 + diff --git a/queue-5.13/dma-mapping-handle-vmalloc-addresses-in-dma_common_-.patch b/queue-5.13/dma-mapping-handle-vmalloc-addresses-in-dma_common_-.patch new file mode 100644 index 00000000000..f4262b06d62 --- /dev/null +++ b/queue-5.13/dma-mapping-handle-vmalloc-addresses-in-dma_common_-.patch @@ -0,0 +1,71 @@ +From 9e8824e82babdc8a5675975caae203777afcb982 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jul 2021 11:39:34 +0300 +Subject: dma-mapping: handle vmalloc addresses in + dma_common_{mmap,get_sgtable} + +From: Roman Skakun + +[ Upstream commit 40ac971eab89330d6153e7721e88acd2d98833f9 ] + +xen-swiotlb can use vmalloc backed addresses for dma coherent allocations +and uses the common helpers. Properly handle them to unbreak Xen on +ARM platforms. + +Fixes: 1b65c4e5a9af ("swiotlb-xen: use xen_alloc/free_coherent_pages") +Signed-off-by: Roman Skakun +Reviewed-by: Andrii Anisov +[hch: split the patch, renamed the helpers] +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + kernel/dma/ops_helpers.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/kernel/dma/ops_helpers.c b/kernel/dma/ops_helpers.c +index 910ae69cae77..af4a6ef48ce0 100644 +--- a/kernel/dma/ops_helpers.c ++++ b/kernel/dma/ops_helpers.c +@@ -5,6 +5,13 @@ + */ + #include + ++static struct page *dma_common_vaddr_to_page(void *cpu_addr) ++{ ++ if (is_vmalloc_addr(cpu_addr)) ++ return vmalloc_to_page(cpu_addr); ++ return virt_to_page(cpu_addr); ++} ++ + /* + * Create scatter-list for the already allocated DMA buffer. + */ +@@ -12,7 +19,7 @@ int dma_common_get_sgtable(struct device *dev, struct sg_table *sgt, + void *cpu_addr, dma_addr_t dma_addr, size_t size, + unsigned long attrs) + { +- struct page *page = virt_to_page(cpu_addr); ++ struct page *page = dma_common_vaddr_to_page(cpu_addr); + int ret; + + ret = sg_alloc_table(sgt, 1, GFP_KERNEL); +@@ -32,6 +39,7 @@ int dma_common_mmap(struct device *dev, struct vm_area_struct *vma, + unsigned long user_count = vma_pages(vma); + unsigned long count = PAGE_ALIGN(size) >> PAGE_SHIFT; + unsigned long off = vma->vm_pgoff; ++ struct page *page = dma_common_vaddr_to_page(cpu_addr); + int ret = -ENXIO; + + vma->vm_page_prot = dma_pgprot(dev, vma->vm_page_prot, attrs); +@@ -43,7 +51,7 @@ int dma_common_mmap(struct device *dev, struct vm_area_struct *vma, + return -ENXIO; + + return remap_pfn_range(vma, vma->vm_start, +- page_to_pfn(virt_to_page(cpu_addr)) + vma->vm_pgoff, ++ page_to_pfn(page) + vma->vm_pgoff, + user_count << PAGE_SHIFT, vma->vm_page_prot); + #else + return -ENXIO; +-- +2.30.2 + diff --git a/queue-5.13/dpaa2-switch-seed-the-buffer-pool-after-allocating-t.patch b/queue-5.13/dpaa2-switch-seed-the-buffer-pool-after-allocating-t.patch new file mode 100644 index 00000000000..1a8ab2851b4 --- /dev/null +++ b/queue-5.13/dpaa2-switch-seed-the-buffer-pool-after-allocating-t.patch @@ -0,0 +1,74 @@ +From b895e1a06489b8dd8f2742024ceb36589fbd1b12 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Jul 2021 15:15:51 +0300 +Subject: dpaa2-switch: seed the buffer pool after allocating the swp + +From: Ioana Ciornei + +[ Upstream commit 7aaa0f311e2df2704fa8ddb8ed681a3b5841d0bf ] + +Any interraction with the buffer pool (seeding a buffer, acquire one) is +made through a software portal (SWP, a DPIO object). +There are circumstances where the dpaa2-switch driver probes on a DPSW +before any DPIO devices have been probed. In this case, seeding of the +buffer pool will lead to a panic since no SWPs are initialized. + +To fix this, seed the buffer pool after making sure that the software +portals have been probed and are ready to be used. + +Fixes: 0b1b71370458 ("staging: dpaa2-switch: handle Rx path on control interface") +Signed-off-by: Ioana Ciornei +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../net/ethernet/freescale/dpaa2/dpaa2-switch.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c +index 05de37c3b64c..87321b7239cf 100644 +--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c ++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c +@@ -2770,32 +2770,32 @@ static int dpaa2_switch_ctrl_if_setup(struct ethsw_core *ethsw) + if (err) + return err; + +- err = dpaa2_switch_seed_bp(ethsw); +- if (err) +- goto err_free_dpbp; +- + err = dpaa2_switch_alloc_rings(ethsw); + if (err) +- goto err_drain_dpbp; ++ goto err_free_dpbp; + + err = dpaa2_switch_setup_dpio(ethsw); + if (err) + goto err_destroy_rings; + ++ err = dpaa2_switch_seed_bp(ethsw); ++ if (err) ++ goto err_deregister_dpio; ++ + err = dpsw_ctrl_if_enable(ethsw->mc_io, 0, ethsw->dpsw_handle); + if (err) { + dev_err(ethsw->dev, "dpsw_ctrl_if_enable err %d\n", err); +- goto err_deregister_dpio; ++ goto err_drain_dpbp; + } + + return 0; + ++err_drain_dpbp: ++ dpaa2_switch_drain_bp(ethsw); + err_deregister_dpio: + dpaa2_switch_free_dpio(ethsw); + err_destroy_rings: + dpaa2_switch_destroy_rings(ethsw); +-err_drain_dpbp: +- dpaa2_switch_drain_bp(ethsw); + err_free_dpbp: + dpaa2_switch_free_dpbp(ethsw); + +-- +2.30.2 + diff --git a/queue-5.13/drm-panel-raspberrypi-touchscreen-prevent-double-fre.patch b/queue-5.13/drm-panel-raspberrypi-touchscreen-prevent-double-fre.patch new file mode 100644 index 00000000000..79e6f350934 --- /dev/null +++ b/queue-5.13/drm-panel-raspberrypi-touchscreen-prevent-double-fre.patch @@ -0,0 +1,36 @@ +From 285bf918fe4464a0a33a37b6cd7901a5919d4d10 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jul 2021 15:45:23 +0200 +Subject: drm/panel: raspberrypi-touchscreen: Prevent double-free + +From: Maxime Ripard + +[ Upstream commit 7bbcb919e32d776ca8ddce08abb391ab92eef6a9 ] + +The mipi_dsi_device allocated by mipi_dsi_device_register_full() is +already free'd on release. + +Fixes: 2f733d6194bd ("drm/panel: Add support for the Raspberry Pi 7" Touchscreen.") +Signed-off-by: Maxime Ripard +Reviewed-by: Sam Ravnborg +Link: https://patchwork.freedesktop.org/patch/msgid/20210720134525.563936-9-maxime@cerno.tech +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panel/panel-raspberrypi-touchscreen.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/gpu/drm/panel/panel-raspberrypi-touchscreen.c b/drivers/gpu/drm/panel/panel-raspberrypi-touchscreen.c +index 5e9ccefb88f6..bbdd086be7f5 100644 +--- a/drivers/gpu/drm/panel/panel-raspberrypi-touchscreen.c ++++ b/drivers/gpu/drm/panel/panel-raspberrypi-touchscreen.c +@@ -447,7 +447,6 @@ static int rpi_touchscreen_remove(struct i2c_client *i2c) + drm_panel_remove(&ts->base); + + mipi_dsi_device_unregister(ts->dsi); +- kfree(ts->dsi); + + return 0; + } +-- +2.30.2 + diff --git a/queue-5.13/drm-ttm-force-re-init-if-ttm_global_init-fails.patch b/queue-5.13/drm-ttm-force-re-init-if-ttm_global_init-fails.patch new file mode 100644 index 00000000000..8d385b2f4d1 --- /dev/null +++ b/queue-5.13/drm-ttm-force-re-init-if-ttm_global_init-fails.patch @@ -0,0 +1,42 @@ +From 51a4cac7e1b6932191e4a17bc3ef046e82558907 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jul 2021 13:13:55 -0500 +Subject: drm/ttm: Force re-init if ttm_global_init() fails +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jason Ekstrand + +[ Upstream commit 235c3610d5f02ee91244239b43cd9ae8b4859dff ] + +If we have a failure, decrement the reference count so that the next +call to ttm_global_init() will actually do something instead of assume +everything is all set up. + +Signed-off-by: Jason Ekstrand +Fixes: 62b53b37e4b1 ("drm/ttm: use a static ttm_bo_global instance") +Reviewed-by: Christian König +Link: https://patchwork.freedesktop.org/patch/msgid/20210720181357.2760720-5-jason@jlekstrand.net +Signed-off-by: Christian König +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/ttm/ttm_device.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/ttm/ttm_device.c b/drivers/gpu/drm/ttm/ttm_device.c +index 3d9c62b93e29..ef6e0c042bb1 100644 +--- a/drivers/gpu/drm/ttm/ttm_device.c ++++ b/drivers/gpu/drm/ttm/ttm_device.c +@@ -100,6 +100,8 @@ static int ttm_global_init(void) + debugfs_create_atomic_t("buffer_objects", 0444, ttm_debugfs_root, + &glob->bo_count); + out: ++ if (ret) ++ --ttm_glob_use_count; + mutex_unlock(&ttm_global_mutex); + return ret; + } +-- +2.30.2 + diff --git a/queue-5.13/drm-vc4-hdmi-drop-devm-interrupt-handler-for-cec-int.patch b/queue-5.13/drm-vc4-hdmi-drop-devm-interrupt-handler-for-cec-int.patch new file mode 100644 index 00000000000..6a292d5c91a --- /dev/null +++ b/queue-5.13/drm-vc4-hdmi-drop-devm-interrupt-handler-for-cec-int.patch @@ -0,0 +1,117 @@ +From 57d3edaddb8132977dd5bfe585a6d8d823a8e7f0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Jul 2021 11:51:10 +0200 +Subject: drm/vc4: hdmi: Drop devm interrupt handler for CEC interrupts + +From: Maxime Ripard + +[ Upstream commit 32a19de21ae40f0601f48575b610dde4f518ccc6 ] + +The CEC interrupt handlers are registered through the +devm_request_threaded_irq function. However, while free_irq is indeed +called properly when the device is unbound or bind fails, it's called +after unbind or bind is done. + +In our particular case, it means that on failure it creates a window +where our interrupt handler can be called, but we're freeing every +resource (CEC adapter, DRM objects, etc.) it might need. + +In order to address this, let's switch to the non-devm variant to +control better when the handler will be unregistered and allow us to +make it safe. + +Fixes: 15b4511a4af6 ("drm/vc4: add HDMI CEC support") +Signed-off-by: Maxime Ripard +Reviewed-by: Dave Stevenson +Link: https://patchwork.freedesktop.org/patch/msgid/20210707095112.1469670-2-maxime@cerno.tech +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vc4/vc4_hdmi.c | 49 +++++++++++++++++++++++----------- + 1 file changed, 33 insertions(+), 16 deletions(-) + +diff --git a/drivers/gpu/drm/vc4/vc4_hdmi.c b/drivers/gpu/drm/vc4/vc4_hdmi.c +index 188b74c9e9ff..edee565334d8 100644 +--- a/drivers/gpu/drm/vc4/vc4_hdmi.c ++++ b/drivers/gpu/drm/vc4/vc4_hdmi.c +@@ -1690,38 +1690,46 @@ static int vc4_hdmi_cec_init(struct vc4_hdmi *vc4_hdmi) + vc4_hdmi_cec_update_clk_div(vc4_hdmi); + + if (vc4_hdmi->variant->external_irq_controller) { +- ret = devm_request_threaded_irq(&pdev->dev, +- platform_get_irq_byname(pdev, "cec-rx"), +- vc4_cec_irq_handler_rx_bare, +- vc4_cec_irq_handler_rx_thread, 0, +- "vc4 hdmi cec rx", vc4_hdmi); ++ ret = request_threaded_irq(platform_get_irq_byname(pdev, "cec-rx"), ++ vc4_cec_irq_handler_rx_bare, ++ vc4_cec_irq_handler_rx_thread, 0, ++ "vc4 hdmi cec rx", vc4_hdmi); + if (ret) + goto err_delete_cec_adap; + +- ret = devm_request_threaded_irq(&pdev->dev, +- platform_get_irq_byname(pdev, "cec-tx"), +- vc4_cec_irq_handler_tx_bare, +- vc4_cec_irq_handler_tx_thread, 0, +- "vc4 hdmi cec tx", vc4_hdmi); ++ ret = request_threaded_irq(platform_get_irq_byname(pdev, "cec-tx"), ++ vc4_cec_irq_handler_tx_bare, ++ vc4_cec_irq_handler_tx_thread, 0, ++ "vc4 hdmi cec tx", vc4_hdmi); + if (ret) +- goto err_delete_cec_adap; ++ goto err_remove_cec_rx_handler; + } else { + HDMI_WRITE(HDMI_CEC_CPU_MASK_SET, 0xffffffff); + +- ret = devm_request_threaded_irq(&pdev->dev, platform_get_irq(pdev, 0), +- vc4_cec_irq_handler, +- vc4_cec_irq_handler_thread, 0, +- "vc4 hdmi cec", vc4_hdmi); ++ ret = request_threaded_irq(platform_get_irq(pdev, 0), ++ vc4_cec_irq_handler, ++ vc4_cec_irq_handler_thread, 0, ++ "vc4 hdmi cec", vc4_hdmi); + if (ret) + goto err_delete_cec_adap; + } + + ret = cec_register_adapter(vc4_hdmi->cec_adap, &pdev->dev); + if (ret < 0) +- goto err_delete_cec_adap; ++ goto err_remove_handlers; + + return 0; + ++err_remove_handlers: ++ if (vc4_hdmi->variant->external_irq_controller) ++ free_irq(platform_get_irq_byname(pdev, "cec-tx"), vc4_hdmi); ++ else ++ free_irq(platform_get_irq(pdev, 0), vc4_hdmi); ++ ++err_remove_cec_rx_handler: ++ if (vc4_hdmi->variant->external_irq_controller) ++ free_irq(platform_get_irq_byname(pdev, "cec-rx"), vc4_hdmi); ++ + err_delete_cec_adap: + cec_delete_adapter(vc4_hdmi->cec_adap); + +@@ -1730,6 +1738,15 @@ err_delete_cec_adap: + + static void vc4_hdmi_cec_exit(struct vc4_hdmi *vc4_hdmi) + { ++ struct platform_device *pdev = vc4_hdmi->pdev; ++ ++ if (vc4_hdmi->variant->external_irq_controller) { ++ free_irq(platform_get_irq_byname(pdev, "cec-rx"), vc4_hdmi); ++ free_irq(platform_get_irq_byname(pdev, "cec-tx"), vc4_hdmi); ++ } else { ++ free_irq(platform_get_irq(pdev, 0), vc4_hdmi); ++ } ++ + cec_unregister_adapter(vc4_hdmi->cec_adap); + } + #else +-- +2.30.2 + diff --git a/queue-5.13/drm-vmwgfx-fix-a-bad-merge-in-otable-batch-takedown.patch b/queue-5.13/drm-vmwgfx-fix-a-bad-merge-in-otable-batch-takedown.patch new file mode 100644 index 00000000000..6d1147ca790 --- /dev/null +++ b/queue-5.13/drm-vmwgfx-fix-a-bad-merge-in-otable-batch-takedown.patch @@ -0,0 +1,41 @@ +From 8a5a7788fbe31aa1f76f413029b33c1775b29ea6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Jun 2021 14:23:35 -0400 +Subject: drm/vmwgfx: Fix a bad merge in otable batch takedown + +From: Zack Rusin + +[ Upstream commit 34bd46bcf3de72cbffcdc42d3fa67e543d1c869b ] + +Change +2ef4fb92363c ("drm/vmwgfx: Make sure bo's are unpinned before putting them back") +caused a conflict in one of the drm trees and the merge commit +68a32ba14177 ("Merge tag 'drm-next-2021-04-28' of git://anongit.freedesktop.org/drm/drm") +accidently re-added code that the original change was removing. +Fixed by removing the incorrect buffer unpin - it has already been unpinned +two lines above. + +Fixes: 68a32ba14177 ("Merge tag 'drm-next-2021-04-28' of git://anongit.freedesktop.org/drm/drm") +Signed-off-by: Zack Rusin +Reviewed-by: Martin Krastev +Link: https://patchwork.freedesktop.org/patch/msgid/20210615182336.995192-4-zackr@vmware.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vmwgfx/vmwgfx_mob.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_mob.c b/drivers/gpu/drm/vmwgfx/vmwgfx_mob.c +index 5648664f71bc..f2d625415458 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_mob.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_mob.c +@@ -354,7 +354,6 @@ static void vmw_otable_batch_takedown(struct vmw_private *dev_priv, + ttm_bo_unpin(bo); + ttm_bo_unreserve(bo); + +- ttm_bo_unpin(batch->otable_bo); + ttm_bo_put(batch->otable_bo); + batch->otable_bo = NULL; + } +-- +2.30.2 + diff --git a/queue-5.13/e1000e-fix-an-error-handling-path-in-e1000_probe.patch b/queue-5.13/e1000e-fix-an-error-handling-path-in-e1000_probe.patch new file mode 100644 index 00000000000..bd89d74d631 --- /dev/null +++ b/queue-5.13/e1000e-fix-an-error-handling-path-in-e1000_probe.patch @@ -0,0 +1,38 @@ +From 86f7e714e37301896d425fa8b8fb5dcd88e4f7a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jun 2021 07:05:53 +0200 +Subject: e1000e: Fix an error handling path in 'e1000_probe()' + +From: Christophe JAILLET + +[ Upstream commit 4589075608420bc49fcef6e98279324bf2bb91ae ] + +If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it +must be undone by a corresponding 'pci_disable_pcie_error_reporting()' +call, as already done in the remove function. + +Fixes: 111b9dc5c981 ("e1000e: add aer support") +Signed-off-by: Christophe JAILLET +Acked-by: Sasha Neftin +Tested-by: Dvora Fuxbrumer +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/e1000e/netdev.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/intel/e1000e/netdev.c b/drivers/net/ethernet/intel/e1000e/netdev.c +index dc0ded7e5e61..86b7778dc9b4 100644 +--- a/drivers/net/ethernet/intel/e1000e/netdev.c ++++ b/drivers/net/ethernet/intel/e1000e/netdev.c +@@ -7664,6 +7664,7 @@ err_flashmap: + err_ioremap: + free_netdev(netdev); + err_alloc_etherdev: ++ pci_disable_pcie_error_reporting(pdev); + pci_release_mem_regions(pdev); + err_pci_reg: + err_dma: +-- +2.30.2 + diff --git a/queue-5.13/efi-dev-path-parser-switch-to-use-for_each_acpi_dev_.patch b/queue-5.13/efi-dev-path-parser-switch-to-use-for_each_acpi_dev_.patch new file mode 100644 index 00000000000..b9b0d664cc8 --- /dev/null +++ b/queue-5.13/efi-dev-path-parser-switch-to-use-for_each_acpi_dev_.patch @@ -0,0 +1,97 @@ +From fb0431072f6b6dbac7fb5944cebe2a4ad2df3eb5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Apr 2021 21:12:16 +0300 +Subject: efi/dev-path-parser: Switch to use for_each_acpi_dev_match() + +From: Andy Shevchenko + +[ Upstream commit edbd1bc4951eff8da65732dbe0d381e555054428 ] + +Switch to use for_each_acpi_dev_match() instead of home grown analogue. +No functional change intended. + +Signed-off-by: Andy Shevchenko +Signed-off-by: Ard Biesheuvel +Signed-off-by: Sasha Levin +--- + drivers/firmware/efi/dev-path-parser.c | 49 ++++++++++---------------- + 1 file changed, 18 insertions(+), 31 deletions(-) + +diff --git a/drivers/firmware/efi/dev-path-parser.c b/drivers/firmware/efi/dev-path-parser.c +index 5c9625e552f4..10d4457417a4 100644 +--- a/drivers/firmware/efi/dev-path-parser.c ++++ b/drivers/firmware/efi/dev-path-parser.c +@@ -12,52 +12,39 @@ + #include + #include + +-struct acpi_hid_uid { +- struct acpi_device_id hid[2]; +- char uid[11]; /* UINT_MAX + null byte */ +-}; +- +-static int __init match_acpi_dev(struct device *dev, const void *data) +-{ +- struct acpi_hid_uid hid_uid = *(const struct acpi_hid_uid *)data; +- struct acpi_device *adev = to_acpi_device(dev); +- +- if (acpi_match_device_ids(adev, hid_uid.hid)) +- return 0; +- +- if (adev->pnp.unique_id) +- return !strcmp(adev->pnp.unique_id, hid_uid.uid); +- else +- return !strcmp("0", hid_uid.uid); +-} +- + static long __init parse_acpi_path(const struct efi_dev_path *node, + struct device *parent, struct device **child) + { +- struct acpi_hid_uid hid_uid = {}; ++ char hid[ACPI_ID_LEN], uid[11]; /* UINT_MAX + null byte */ ++ struct acpi_device *adev; + struct device *phys_dev; + + if (node->header.length != 12) + return -EINVAL; + +- sprintf(hid_uid.hid[0].id, "%c%c%c%04X", ++ sprintf(hid, "%c%c%c%04X", + 'A' + ((node->acpi.hid >> 10) & 0x1f) - 1, + 'A' + ((node->acpi.hid >> 5) & 0x1f) - 1, + 'A' + ((node->acpi.hid >> 0) & 0x1f) - 1, + node->acpi.hid >> 16); +- sprintf(hid_uid.uid, "%u", node->acpi.uid); +- +- *child = bus_find_device(&acpi_bus_type, NULL, &hid_uid, +- match_acpi_dev); +- if (!*child) ++ sprintf(uid, "%u", node->acpi.uid); ++ ++ for_each_acpi_dev_match(adev, hid, NULL, -1) { ++ if (adev->pnp.unique_id && !strcmp(adev->pnp.unique_id, uid)) ++ break; ++ if (!adev->pnp.unique_id && node->acpi.uid == 0) ++ break; ++ acpi_dev_put(adev); ++ } ++ if (!adev) + return -ENODEV; + +- phys_dev = acpi_get_first_physical_node(to_acpi_device(*child)); ++ phys_dev = acpi_get_first_physical_node(adev); + if (phys_dev) { +- get_device(phys_dev); +- put_device(*child); +- *child = phys_dev; +- } ++ *child = get_device(phys_dev); ++ acpi_dev_put(adev); ++ } else ++ *child = &adev->dev; + + return 0; + } +-- +2.30.2 + diff --git a/queue-5.13/efi-tpm-differentiate-missing-and-invalid-final-even.patch b/queue-5.13/efi-tpm-differentiate-missing-and-invalid-final-even.patch new file mode 100644 index 00000000000..5f27a6bfc0c --- /dev/null +++ b/queue-5.13/efi-tpm-differentiate-missing-and-invalid-final-even.patch @@ -0,0 +1,45 @@ +From bd84dafb9d267b0bc0f6b955bbd467996204d715 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Jul 2021 11:46:54 +0200 +Subject: efi/tpm: Differentiate missing and invalid final event log table. + +From: Michal Suchanek + +[ Upstream commit 674a9f1f6815849bfb5bf385e7da8fc198aaaba9 ] + +Missing TPM final event log table is not a firmware bug. + +Clearly if providing event log in the old format makes the final event +log invalid it should not be provided at least in that case. + +Fixes: b4f1874c6216 ("tpm: check event log version before reading final events") +Signed-off-by: Michal Suchanek +Reviewed-by: Jarkko Sakkinen +Signed-off-by: Ard Biesheuvel +Signed-off-by: Sasha Levin +--- + drivers/firmware/efi/tpm.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/firmware/efi/tpm.c b/drivers/firmware/efi/tpm.c +index c1955d320fec..8f665678e9e3 100644 +--- a/drivers/firmware/efi/tpm.c ++++ b/drivers/firmware/efi/tpm.c +@@ -62,9 +62,11 @@ int __init efi_tpm_eventlog_init(void) + tbl_size = sizeof(*log_tbl) + log_tbl->size; + memblock_reserve(efi.tpm_log, tbl_size); + +- if (efi.tpm_final_log == EFI_INVALID_TABLE_ADDR || +- log_tbl->version != EFI_TCG2_EVENT_LOG_FORMAT_TCG_2) { +- pr_warn(FW_BUG "TPM Final Events table missing or invalid\n"); ++ if (efi.tpm_final_log == EFI_INVALID_TABLE_ADDR) { ++ pr_info("TPM Final Events table not present\n"); ++ goto out; ++ } else if (log_tbl->version != EFI_TCG2_EVENT_LOG_FORMAT_TCG_2) { ++ pr_warn(FW_BUG "TPM Final Events table invalid\n"); + goto out; + } + +-- +2.30.2 + diff --git a/queue-5.13/firmware-arm_scmi-ensure-drivers-provide-a-probe-fun.patch b/queue-5.13/firmware-arm_scmi-ensure-drivers-provide-a-probe-fun.patch new file mode 100644 index 00000000000..156696c9792 --- /dev/null +++ b/queue-5.13/firmware-arm_scmi-ensure-drivers-provide-a-probe-fun.patch @@ -0,0 +1,45 @@ +From e80803ef5bee71ed04ad65f8055cb724e1a7a04e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Jun 2021 10:50:59 +0100 +Subject: firmware: arm_scmi: Ensure drivers provide a probe function +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Sudeep Holla + +[ Upstream commit 5e469dac326555d2038d199a6329458cc82a34e5 ] + +The bus probe callback calls the driver callback without further +checking. Better be safe than sorry and refuse registration of a driver +without a probe function to prevent a NULL pointer exception. + +Link: https://lore.kernel.org/r/20210624095059.4010157-2-sudeep.holla@arm.com +Fixes: 933c504424a2 ("firmware: arm_scmi: add scmi protocol bus to enumerate protocol devices") +Reported-by: Uwe Kleine-König +Tested-by: Cristian Marussi +Reviewed-by: Cristian Marussi +Acked-by: Uwe Kleine-König +Signed-off-by: Sudeep Holla +Signed-off-by: Sasha Levin +--- + drivers/firmware/arm_scmi/bus.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/firmware/arm_scmi/bus.c b/drivers/firmware/arm_scmi/bus.c +index 784cf0027da3..9184a0d5acbe 100644 +--- a/drivers/firmware/arm_scmi/bus.c ++++ b/drivers/firmware/arm_scmi/bus.c +@@ -139,6 +139,9 @@ int scmi_driver_register(struct scmi_driver *driver, struct module *owner, + { + int retval; + ++ if (!driver->probe) ++ return -EINVAL; ++ + retval = scmi_protocol_device_request(driver->id_table); + if (retval) + return retval; +-- +2.30.2 + diff --git a/queue-5.13/fm10k-fix-an-error-handling-path-in-fm10k_probe.patch b/queue-5.13/fm10k-fix-an-error-handling-path-in-fm10k_probe.patch new file mode 100644 index 00000000000..0ece28f18ec --- /dev/null +++ b/queue-5.13/fm10k-fix-an-error-handling-path-in-fm10k_probe.patch @@ -0,0 +1,36 @@ +From 02c18bb10279a1fe46803aad46f08b5d0f2f3ede Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jun 2021 07:00:36 +0200 +Subject: fm10k: Fix an error handling path in 'fm10k_probe()' + +From: Christophe JAILLET + +[ Upstream commit e85e14d68f517ef12a5fb8123fff65526b35b6cd ] + +If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it +must be undone by a corresponding 'pci_disable_pcie_error_reporting()' +call, as already done in the remove function. + +Fixes: 19ae1b3fb99c ("fm10k: Add support for PCI power management and error handling") +Signed-off-by: Christophe JAILLET +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/fm10k/fm10k_pci.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/intel/fm10k/fm10k_pci.c b/drivers/net/ethernet/intel/fm10k/fm10k_pci.c +index 9e3103fae723..caedf24c24c1 100644 +--- a/drivers/net/ethernet/intel/fm10k/fm10k_pci.c ++++ b/drivers/net/ethernet/intel/fm10k/fm10k_pci.c +@@ -2227,6 +2227,7 @@ err_sw_init: + err_ioremap: + free_netdev(netdev); + err_alloc_netdev: ++ pci_disable_pcie_error_reporting(pdev); + pci_release_mem_regions(pdev); + err_pci_reg: + err_dma: +-- +2.30.2 + diff --git a/queue-5.13/gve-fix-an-error-handling-path-in-gve_probe.patch b/queue-5.13/gve-fix-an-error-handling-path-in-gve_probe.patch new file mode 100644 index 00000000000..7d286c0ee72 --- /dev/null +++ b/queue-5.13/gve-fix-an-error-handling-path-in-gve_probe.patch @@ -0,0 +1,50 @@ +From fd6ac0f1393630582fa6c5d48bfcb9569b0569cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Jul 2021 22:18:24 +0200 +Subject: gve: Fix an error handling path in 'gve_probe()' + +From: Christophe JAILLET + +[ Upstream commit 2342ae10d1272d411a468a85a67647dd115b344f ] + +If the 'register_netdev() call fails, we must release the resources +allocated by the previous 'gve_init_priv()' call, as already done in the +remove function. + +Add a new label and the missing 'gve_teardown_priv_resources()' in the +error handling path. + +Fixes: 893ce44df565 ("gve: Add basic driver framework for Compute Engine Virtual NIC") +Signed-off-by: Christophe JAILLET +Reviewed-by: Catherine Sullivan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/google/gve/gve_main.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/google/gve/gve_main.c b/drivers/net/ethernet/google/gve/gve_main.c +index 79cefe85a799..b43c6ff07614 100644 +--- a/drivers/net/ethernet/google/gve/gve_main.c ++++ b/drivers/net/ethernet/google/gve/gve_main.c +@@ -1349,13 +1349,16 @@ static int gve_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + + err = register_netdev(dev); + if (err) +- goto abort_with_wq; ++ goto abort_with_gve_init; + + dev_info(&pdev->dev, "GVE version %s\n", gve_version_str); + gve_clear_probe_in_progress(priv); + queue_work(priv->gve_wq, &priv->service_task); + return 0; + ++abort_with_gve_init: ++ gve_teardown_priv_resources(priv); ++ + abort_with_wq: + destroy_workqueue(priv->gve_wq); + +-- +2.30.2 + diff --git a/queue-5.13/i2c-mpc-poll-for-mcf.patch b/queue-5.13/i2c-mpc-poll-for-mcf.patch new file mode 100644 index 00000000000..57adcfa68d0 --- /dev/null +++ b/queue-5.13/i2c-mpc-poll-for-mcf.patch @@ -0,0 +1,42 @@ +From f8f913a456d059ab6943704eb2e823b3381d931b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jul 2021 08:58:32 +1200 +Subject: i2c: mpc: Poll for MCF + +From: Chris Packham + +[ Upstream commit 4a8ac5e45cdaa88884b4ce05303e304cbabeb367 ] + +During some transfers the bus can still be busy when an interrupt is +received. Commit 763778cd7926 ("i2c: mpc: Restore reread of I2C status +register") attempted to address this by re-reading MPC_I2C_SR once but +that just made it less likely to happen without actually preventing it. +Instead of a single re-read, poll with a timeout so that the bus is given +enough time to settle but a genuine stuck SCL is still noticed. + +Fixes: 1538d82f4647 ("i2c: mpc: Interrupt driven transfer") +Signed-off-by: Chris Packham +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-mpc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/i2c/busses/i2c-mpc.c b/drivers/i2c/busses/i2c-mpc.c +index 6d5014ebaab5..a6ea1eb1394e 100644 +--- a/drivers/i2c/busses/i2c-mpc.c ++++ b/drivers/i2c/busses/i2c-mpc.c +@@ -635,8 +635,8 @@ static irqreturn_t mpc_i2c_isr(int irq, void *dev_id) + + status = readb(i2c->base + MPC_I2C_SR); + if (status & CSR_MIF) { +- /* Read again to allow register to stabilise */ +- status = readb(i2c->base + MPC_I2C_SR); ++ /* Wait up to 100us for transfer to properly complete */ ++ readb_poll_timeout(i2c->base + MPC_I2C_SR, status, !(status & CSR_MCF), 0, 100); + writeb(0, i2c->base + MPC_I2C_SR); + mpc_i2c_do_intr(i2c, status); + return IRQ_HANDLED; +-- +2.30.2 + diff --git a/queue-5.13/iavf-fix-an-error-handling-path-in-iavf_probe.patch b/queue-5.13/iavf-fix-an-error-handling-path-in-iavf_probe.patch new file mode 100644 index 00000000000..1d5b1f5a825 --- /dev/null +++ b/queue-5.13/iavf-fix-an-error-handling-path-in-iavf_probe.patch @@ -0,0 +1,36 @@ +From ac89c382a94330d0f7d6df6bcb5916bfa3ecd716 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jun 2021 07:53:02 +0200 +Subject: iavf: Fix an error handling path in 'iavf_probe()' + +From: Christophe JAILLET + +[ Upstream commit af30cbd2f4d6d66a9b6094e0aa32420bc8b20e08 ] + +If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it +must be undone by a corresponding 'pci_disable_pcie_error_reporting()' +call, as already done in the remove function. + +Fixes: 5eae00c57f5e ("i40evf: main driver core") +Signed-off-by: Christophe JAILLET +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c +index e612c24fa384..44bafedd09f2 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_main.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c +@@ -3798,6 +3798,7 @@ static int iavf_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + err_ioremap: + free_netdev(netdev); + err_alloc_etherdev: ++ pci_disable_pcie_error_reporting(pdev); + pci_release_regions(pdev); + err_pci_reg: + err_dma: +-- +2.30.2 + diff --git a/queue-5.13/ibmvnic-remove-the-proper-scrq-flush.patch b/queue-5.13/ibmvnic-remove-the-proper-scrq-flush.patch new file mode 100644 index 00000000000..972b6c48d90 --- /dev/null +++ b/queue-5.13/ibmvnic-remove-the-proper-scrq-flush.patch @@ -0,0 +1,51 @@ +From 817278298dabcd9930a62c1d7b1bd72008dce4cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jul 2021 19:34:39 -0700 +Subject: ibmvnic: Remove the proper scrq flush + +From: Sukadev Bhattiprolu + +[ Upstream commit bb55362bd6976631b662ca712779b6532d8de0a6 ] + +Commit 65d6470d139a ("ibmvnic: clean pending indirect buffs during reset") +intended to remove the call to ibmvnic_tx_scrq_flush() when the +->resetting flag is true and was tested that way. But during the final +rebase to net-next, the hunk got applied to a block few lines below +(which happened to have the same diff context) and the wrong call to +ibmvnic_tx_scrq_flush() got removed. + +Fix that by removing the correct ibmvnic_tx_scrq_flush() and restoring +the one that was incorrectly removed. + +Fixes: 65d6470d139a ("ibmvnic: clean pending indirect buffs during reset") +Reported-by: Dany Madden +Signed-off-by: Sukadev Bhattiprolu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ibm/ibmvnic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c +index efc98903c0b7..5b4a7ef7dffa 100644 +--- a/drivers/net/ethernet/ibm/ibmvnic.c ++++ b/drivers/net/ethernet/ibm/ibmvnic.c +@@ -1707,7 +1707,6 @@ static netdev_tx_t ibmvnic_xmit(struct sk_buff *skb, struct net_device *netdev) + tx_send_failed++; + tx_dropped++; + ret = NETDEV_TX_OK; +- ibmvnic_tx_scrq_flush(adapter, tx_scrq); + goto out; + } + +@@ -1729,6 +1728,7 @@ static netdev_tx_t ibmvnic_xmit(struct sk_buff *skb, struct net_device *netdev) + dev_kfree_skb_any(skb); + tx_send_failed++; + tx_dropped++; ++ ibmvnic_tx_scrq_flush(adapter, tx_scrq); + ret = NETDEV_TX_OK; + goto out; + } +-- +2.30.2 + diff --git a/queue-5.13/igb-check-if-num-of-q_vectors-is-smaller-than-max-be.patch b/queue-5.13/igb-check-if-num-of-q_vectors-is-smaller-than-max-be.patch new file mode 100644 index 00000000000..76b5fca7ac3 --- /dev/null +++ b/queue-5.13/igb-check-if-num-of-q_vectors-is-smaller-than-max-be.patch @@ -0,0 +1,59 @@ +From 9625a5ce2e87d6acaaf4618e14414055906bbb1d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Apr 2021 10:19:23 +0000 +Subject: igb: Check if num of q_vectors is smaller than max before array + access + +From: Aleksandr Loktionov + +[ Upstream commit 6c19d772618fea40d9681f259368f284a330fd90 ] + +Ensure that the adapter->q_vector[MAX_Q_VECTORS] array isn't accessed +beyond its size. It was fixed by using a local variable num_q_vectors +as a limit for loop index, and ensure that num_q_vectors is not bigger +than MAX_Q_VECTORS. + +Fixes: 047e0030f1e6 ("igb: add new data structure for handling interrupts and NAPI") +Signed-off-by: Aleksandr Loktionov +Reviewed-by: Grzegorz Siwik +Reviewed-by: Arkadiusz Kubalewski +Reviewed-by: Slawomir Laba +Reviewed-by: Sylwester Dziedziuch +Reviewed-by: Mateusz Palczewski +Tested-by: Tony Brelinski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/igb_main.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index a371c51a3fe8..9f83ff55394c 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -931,6 +931,7 @@ static void igb_configure_msix(struct igb_adapter *adapter) + **/ + static int igb_request_msix(struct igb_adapter *adapter) + { ++ unsigned int num_q_vectors = adapter->num_q_vectors; + struct net_device *netdev = adapter->netdev; + int i, err = 0, vector = 0, free_vector = 0; + +@@ -939,7 +940,13 @@ static int igb_request_msix(struct igb_adapter *adapter) + if (err) + goto err_out; + +- for (i = 0; i < adapter->num_q_vectors; i++) { ++ if (num_q_vectors > MAX_Q_VECTORS) { ++ num_q_vectors = MAX_Q_VECTORS; ++ dev_warn(&adapter->pdev->dev, ++ "The number of queue vectors (%d) is higher than max allowed (%d)\n", ++ adapter->num_q_vectors, MAX_Q_VECTORS); ++ } ++ for (i = 0; i < num_q_vectors; i++) { + struct igb_q_vector *q_vector = adapter->q_vector[i]; + + vector++; +-- +2.30.2 + diff --git a/queue-5.13/igb-fix-an-error-handling-path-in-igb_probe.patch b/queue-5.13/igb-fix-an-error-handling-path-in-igb_probe.patch new file mode 100644 index 00000000000..ce258962e59 --- /dev/null +++ b/queue-5.13/igb-fix-an-error-handling-path-in-igb_probe.patch @@ -0,0 +1,37 @@ +From 8dafe304b023f9359f2b0ad4d17d02096fda8b62 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Jun 2021 22:08:33 +0200 +Subject: igb: Fix an error handling path in 'igb_probe()' + +From: Christophe JAILLET + +[ Upstream commit fea03b1cebd653cd095f2e9a58cfe1c85661c363 ] + +If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it +must be undone by a corresponding 'pci_disable_pcie_error_reporting()' +call, as already done in the remove function. + +Fixes: 40a914fa72ab ("igb: Add support for pci-e Advanced Error Reporting") +Signed-off-by: Christophe JAILLET +Tested-by: Tony Brelinski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/igb_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index ed7ec27df8c2..a371c51a3fe8 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -3615,6 +3615,7 @@ err_sw_init: + err_ioremap: + free_netdev(netdev); + err_alloc_etherdev: ++ pci_disable_pcie_error_reporting(pdev); + pci_release_mem_regions(pdev); + err_pci_reg: + err_dma: +-- +2.30.2 + diff --git a/queue-5.13/igb-fix-position-of-assignment-to-ring.patch b/queue-5.13/igb-fix-position-of-assignment-to-ring.patch new file mode 100644 index 00000000000..aebf6f50863 --- /dev/null +++ b/queue-5.13/igb-fix-position-of-assignment-to-ring.patch @@ -0,0 +1,46 @@ +From 07a3f5750217f99952b7fb4e63ab2b33689800f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Jun 2021 22:42:17 +0000 +Subject: igb: Fix position of assignment to *ring + +From: Jedrzej Jagielski + +[ Upstream commit 382a7c20d9253bcd5715789b8179528d0f3de72c ] + +Assignment to *ring should be done after correctness check of the +argument queue. + +Fixes: 91db364236c8 ("igb: Refactor igb_configure_cbs()") +Signed-off-by: Jedrzej Jagielski +Acked-by: Vinicius Costa Gomes +Tested-by: Tony Brelinski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/igb_main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index 9f83ff55394c..b0e900d1eae2 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -1685,14 +1685,15 @@ static bool is_any_txtime_enabled(struct igb_adapter *adapter) + **/ + static void igb_config_tx_modes(struct igb_adapter *adapter, int queue) + { +- struct igb_ring *ring = adapter->tx_ring[queue]; + struct net_device *netdev = adapter->netdev; + struct e1000_hw *hw = &adapter->hw; ++ struct igb_ring *ring; + u32 tqavcc, tqavctrl; + u16 value; + + WARN_ON(hw->mac.type != e1000_i210); + WARN_ON(queue < 0 || queue > 1); ++ ring = adapter->tx_ring[queue]; + + /* If any of the Qav features is enabled, configure queues as SR and + * with HIGH PRIO. If none is, then configure them with LOW PRIO and +-- +2.30.2 + diff --git a/queue-5.13/igb-fix-use-after-free-error-during-reset.patch b/queue-5.13/igb-fix-use-after-free-error-during-reset.patch new file mode 100644 index 00000000000..18aad48e06a --- /dev/null +++ b/queue-5.13/igb-fix-use-after-free-error-during-reset.patch @@ -0,0 +1,45 @@ +From 68e373c948875a472b20dbde5773acf5ecebdfc5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 May 2021 17:31:04 -0700 +Subject: igb: Fix use-after-free error during reset + +From: Vinicius Costa Gomes + +[ Upstream commit 7b292608db23ccbbfbfa50cdb155d01725d7a52e ] + +Cleans the next descriptor to watch (next_to_watch) when cleaning the +TX ring. + +Failure to do so can cause invalid memory accesses. If igb_poll() runs +while the controller is reset this can lead to the driver try to free +a skb that was already freed. + +(The crash is harder to reproduce with the igb driver, but the same +potential problem exists as the code is identical to igc) + +Fixes: 7cc6fd4c60f2 ("igb: Don't bother clearing Tx buffer_info in igb_clean_tx_ring") +Signed-off-by: Vinicius Costa Gomes +Reported-by: Erez Geva +Tested-by: Tony Brelinski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/igb_main.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index 7b1885f9ce03..ed7ec27df8c2 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -4835,6 +4835,8 @@ static void igb_clean_tx_ring(struct igb_ring *tx_ring) + DMA_TO_DEVICE); + } + ++ tx_buffer->next_to_watch = NULL; ++ + /* move us one more past the eop_desc for start of next pkt */ + tx_buffer++; + i++; +-- +2.30.2 + diff --git a/queue-5.13/igc-change-default-return-of-igc_read_phy_reg.patch b/queue-5.13/igc-change-default-return-of-igc_read_phy_reg.patch new file mode 100644 index 00000000000..37f973e4929 --- /dev/null +++ b/queue-5.13/igc-change-default-return-of-igc_read_phy_reg.patch @@ -0,0 +1,45 @@ +From ef6841dc5c7c8d3bbfd8b6c8c901d664fed8635e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 May 2021 12:50:19 -0700 +Subject: igc: change default return of igc_read_phy_reg() + +From: Tom Rix + +[ Upstream commit 05682a0a61b6cbecd97a0f37f743b2cbfd516977 ] + +Static analysis reports this problem + +igc_main.c:4944:20: warning: The left operand of '&' + is a garbage value + if (!(phy_data & SR_1000T_REMOTE_RX_STATUS) && + ~~~~~~~~ ^ + +phy_data is set by the call to igc_read_phy_reg() only if +there is a read_reg() op, else it is unset and a 0 is +returned. Change the return to -EOPNOTSUPP. + +Fixes: 208983f099d9 ("igc: Add watchdog") +Signed-off-by: Tom Rix +Tested-by: Dvora Fuxbrumer +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/igc/igc.h b/drivers/net/ethernet/intel/igc/igc.h +index 25871351730b..58e842cbf6ef 100644 +--- a/drivers/net/ethernet/intel/igc/igc.h ++++ b/drivers/net/ethernet/intel/igc/igc.h +@@ -560,7 +560,7 @@ static inline s32 igc_read_phy_reg(struct igc_hw *hw, u32 offset, u16 *data) + if (hw->phy.ops.read_reg) + return hw->phy.ops.read_reg(hw, offset, data); + +- return 0; ++ return -EOPNOTSUPP; + } + + void igc_reinit_locked(struct igc_adapter *); +-- +2.30.2 + diff --git a/queue-5.13/igc-fix-an-error-handling-path-in-igc_probe.patch b/queue-5.13/igc-fix-an-error-handling-path-in-igc_probe.patch new file mode 100644 index 00000000000..25ebfcbbb50 --- /dev/null +++ b/queue-5.13/igc-fix-an-error-handling-path-in-igc_probe.patch @@ -0,0 +1,38 @@ +From 106a0b76122cc8b34046e038b734356a99819d83 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Jun 2021 22:00:05 +0200 +Subject: igc: Fix an error handling path in 'igc_probe()' + +From: Christophe JAILLET + +[ Upstream commit c6bc9e5ce5d37cb3e6b552f41b92a193db1806ab ] + +If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it +must be undone by a corresponding 'pci_disable_pcie_error_reporting()' +call, as already done in the remove function. + +Fixes: c9a11c23ceb6 ("igc: Add netdev") +Signed-off-by: Christophe JAILLET +Tested-by: Dvora Fuxbrumer +Acked-by: Sasha Neftin +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c +index 9cac1e74a2ba..a8d5f196fdbd 100644 +--- a/drivers/net/ethernet/intel/igc/igc_main.c ++++ b/drivers/net/ethernet/intel/igc/igc_main.c +@@ -5596,6 +5596,7 @@ err_sw_init: + err_ioremap: + free_netdev(netdev); + err_alloc_etherdev: ++ pci_disable_pcie_error_reporting(pdev); + pci_release_mem_regions(pdev); + err_pci_reg: + err_dma: +-- +2.30.2 + diff --git a/queue-5.13/igc-fix-use-after-free-error-during-reset.patch b/queue-5.13/igc-fix-use-after-free-error-during-reset.patch new file mode 100644 index 00000000000..b672db394a1 --- /dev/null +++ b/queue-5.13/igc-fix-use-after-free-error-during-reset.patch @@ -0,0 +1,93 @@ +From 31a0da16501566341ff4393309bcc802e0e6d7c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 May 2021 17:31:03 -0700 +Subject: igc: Fix use-after-free error during reset + +From: Vinicius Costa Gomes + +[ Upstream commit 56ea7ed103b46970e171eb1c95916f393d64eeff ] + +Cleans the next descriptor to watch (next_to_watch) when cleaning the +TX ring. + +Failure to do so can cause invalid memory accesses. If igc_poll() runs +while the controller is being reset this can lead to the driver try to +free a skb that was already freed. + +Log message: + + [ 101.525242] refcount_t: underflow; use-after-free. + [ 101.525251] WARNING: CPU: 1 PID: 646 at lib/refcount.c:28 refcount_warn_saturate+0xab/0xf0 + [ 101.525259] Modules linked in: sch_etf(E) sch_mqprio(E) rfkill(E) intel_rapl_msr(E) intel_rapl_common(E) + x86_pkg_temp_thermal(E) intel_powerclamp(E) coretemp(E) binfmt_misc(E) kvm_intel(E) kvm(E) irqbypass(E) crc32_pclmul(E) + ghash_clmulni_intel(E) aesni_intel(E) mei_wdt(E) libaes(E) crypto_simd(E) cryptd(E) glue_helper(E) snd_hda_codec_hdmi(E) + rapl(E) intel_cstate(E) snd_hda_intel(E) snd_intel_dspcfg(E) sg(E) soundwire_intel(E) intel_uncore(E) at24(E) + soundwire_generic_allocation(E) iTCO_wdt(E) soundwire_cadence(E) intel_pmc_bxt(E) serio_raw(E) snd_hda_codec(E) + iTCO_vendor_support(E) watchdog(E) snd_hda_core(E) snd_hwdep(E) snd_soc_core(E) snd_compress(E) snd_pcsp(E) + soundwire_bus(E) snd_pcm(E) evdev(E) snd_timer(E) mei_me(E) snd(E) soundcore(E) mei(E) configfs(E) ip_tables(E) x_tables(E) + autofs4(E) ext4(E) crc32c_generic(E) crc16(E) mbcache(E) jbd2(E) sd_mod(E) t10_pi(E) crc_t10dif(E) crct10dif_generic(E) + i915(E) ahci(E) libahci(E) ehci_pci(E) igb(E) xhci_pci(E) ehci_hcd(E) + [ 101.525303] drm_kms_helper(E) dca(E) xhci_hcd(E) libata(E) crct10dif_pclmul(E) cec(E) crct10dif_common(E) tsn(E) igc(E) + e1000e(E) ptp(E) i2c_i801(E) crc32c_intel(E) psmouse(E) i2c_algo_bit(E) i2c_smbus(E) scsi_mod(E) lpc_ich(E) pps_core(E) + usbcore(E) drm(E) button(E) video(E) + [ 101.525318] CPU: 1 PID: 646 Comm: irq/37-enp7s0-T Tainted: G E 5.10.30-rt37-tsn1-rt-ipipe #ipipe + [ 101.525320] Hardware name: SIEMENS AG SIMATIC IPC427D/A5E31233588, BIOS V17.02.09 03/31/2017 + [ 101.525322] RIP: 0010:refcount_warn_saturate+0xab/0xf0 + [ 101.525325] Code: 05 31 48 44 01 01 e8 f0 c6 42 00 0f 0b c3 80 3d 1f 48 44 01 00 75 90 48 c7 c7 78 a8 f3 a6 c6 05 0f 48 + 44 01 01 e8 d1 c6 42 00 <0f> 0b c3 80 3d fe 47 44 01 00 0f 85 6d ff ff ff 48 c7 c7 d0 a8 f3 + [ 101.525327] RSP: 0018:ffffbdedc0917cb8 EFLAGS: 00010286 + [ 101.525329] RAX: 0000000000000000 RBX: ffff98fd6becbf40 RCX: 0000000000000001 + [ 101.525330] RDX: 0000000000000001 RSI: ffffffffa6f2700c RDI: 00000000ffffffff + [ 101.525332] RBP: ffff98fd6becc14c R08: ffffffffa7463d00 R09: ffffbdedc0917c50 + [ 101.525333] R10: ffffffffa74c3578 R11: 0000000000000034 R12: 00000000ffffff00 + [ 101.525335] R13: ffff98fd6b0b1000 R14: 0000000000000039 R15: ffff98fd6be35c40 + [ 101.525337] FS: 0000000000000000(0000) GS:ffff98fd6e240000(0000) knlGS:0000000000000000 + [ 101.525339] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [ 101.525341] CR2: 00007f34135a3a70 CR3: 0000000150210003 CR4: 00000000001706e0 + [ 101.525343] Call Trace: + [ 101.525346] sock_wfree+0x9c/0xa0 + [ 101.525353] unix_destruct_scm+0x7b/0xa0 + [ 101.525358] skb_release_head_state+0x40/0x90 + [ 101.525362] skb_release_all+0xe/0x30 + [ 101.525364] napi_consume_skb+0x57/0x160 + [ 101.525367] igc_poll+0xb7/0xc80 [igc] + [ 101.525376] ? sched_clock+0x5/0x10 + [ 101.525381] ? sched_clock_cpu+0xe/0x100 + [ 101.525385] net_rx_action+0x14c/0x410 + [ 101.525388] __do_softirq+0xe9/0x2f4 + [ 101.525391] __local_bh_enable_ip+0xe3/0x110 + [ 101.525395] ? irq_finalize_oneshot.part.47+0xe0/0xe0 + [ 101.525398] irq_forced_thread_fn+0x6a/0x80 + [ 101.525401] irq_thread+0xe8/0x180 + [ 101.525403] ? wake_threads_waitq+0x30/0x30 + [ 101.525406] ? irq_thread_check_affinity+0xd0/0xd0 + [ 101.525408] kthread+0x183/0x1a0 + [ 101.525412] ? kthread_park+0x80/0x80 + [ 101.525415] ret_from_fork+0x22/0x30 + +Fixes: 13b5b7fd6a4a ("igc: Add support for Tx/Rx rings") +Reported-by: Erez Geva +Signed-off-by: Vinicius Costa Gomes +Tested-by: Dvora Fuxbrumer +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc_main.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c +index f1adf154ec4a..9cac1e74a2ba 100644 +--- a/drivers/net/ethernet/intel/igc/igc_main.c ++++ b/drivers/net/ethernet/intel/igc/igc_main.c +@@ -217,6 +217,8 @@ static void igc_clean_tx_ring(struct igc_ring *tx_ring) + DMA_TO_DEVICE); + } + ++ tx_buffer->next_to_watch = NULL; ++ + /* move us one more past the eop_desc for start of next pkt */ + tx_buffer++; + i++; +-- +2.30.2 + diff --git a/queue-5.13/io_uring-fix-memleak-in-io_init_wq_offload.patch b/queue-5.13/io_uring-fix-memleak-in-io_init_wq_offload.patch new file mode 100644 index 00000000000..3aa97ec1516 --- /dev/null +++ b/queue-5.13/io_uring-fix-memleak-in-io_init_wq_offload.patch @@ -0,0 +1,82 @@ +From c3fc1f8d3c2f07f557c33f940349651959fcb753 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jul 2021 16:38:05 +0800 +Subject: io_uring: fix memleak in io_init_wq_offload() + +From: Yang Yingliang + +[ Upstream commit 362a9e65289284f36403058eea2462d0330c1f24 ] + +I got memory leak report when doing fuzz test: + +BUG: memory leak +unreferenced object 0xffff888107310a80 (size 96): +comm "syz-executor.6", pid 4610, jiffies 4295140240 (age 20.135s) +hex dump (first 32 bytes): +01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ +00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... +backtrace: +[<000000001974933b>] kmalloc include/linux/slab.h:591 [inline] +[<000000001974933b>] kzalloc include/linux/slab.h:721 [inline] +[<000000001974933b>] io_init_wq_offload fs/io_uring.c:7920 [inline] +[<000000001974933b>] io_uring_alloc_task_context+0x466/0x640 fs/io_uring.c:7955 +[<0000000039d0800d>] __io_uring_add_tctx_node+0x256/0x360 fs/io_uring.c:9016 +[<000000008482e78c>] io_uring_add_tctx_node fs/io_uring.c:9052 [inline] +[<000000008482e78c>] __do_sys_io_uring_enter fs/io_uring.c:9354 [inline] +[<000000008482e78c>] __se_sys_io_uring_enter fs/io_uring.c:9301 [inline] +[<000000008482e78c>] __x64_sys_io_uring_enter+0xabc/0xc20 fs/io_uring.c:9301 +[<00000000b875f18f>] do_syscall_x64 arch/x86/entry/common.c:50 [inline] +[<00000000b875f18f>] do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 +[<000000006b0a8484>] entry_SYSCALL_64_after_hwframe+0x44/0xae + +CPU0 CPU1 +io_uring_enter io_uring_enter +io_uring_add_tctx_node io_uring_add_tctx_node +__io_uring_add_tctx_node __io_uring_add_tctx_node +io_uring_alloc_task_context io_uring_alloc_task_context +io_init_wq_offload io_init_wq_offload +hash = kzalloc hash = kzalloc +ctx->hash_map = hash ctx->hash_map = hash <- one of the hash is leaked + +When calling io_uring_enter() in parallel, the 'hash_map' will be leaked, +add uring_lock to protect 'hash_map'. + +Fixes: e941894eae31 ("io-wq: make buffered file write hashed work map per-ctx") +Reported-by: Hulk Robot +Signed-off-by: Yang Yingliang +Reviewed-by: Pavel Begunkov +Link: https://lore.kernel.org/r/20210720083805.3030730-1-yangyingliang@huawei.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + fs/io_uring.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/fs/io_uring.c b/fs/io_uring.c +index eeea6b8c8bee..8843f48ace27 100644 +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -7859,15 +7859,19 @@ static struct io_wq *io_init_wq_offload(struct io_ring_ctx *ctx, + struct io_wq_data data; + unsigned int concurrency; + ++ mutex_lock(&ctx->uring_lock); + hash = ctx->hash_map; + if (!hash) { + hash = kzalloc(sizeof(*hash), GFP_KERNEL); +- if (!hash) ++ if (!hash) { ++ mutex_unlock(&ctx->uring_lock); + return ERR_PTR(-ENOMEM); ++ } + refcount_set(&hash->refs, 1); + init_waitqueue_head(&hash->wait); + ctx->hash_map = hash; + } ++ mutex_unlock(&ctx->uring_lock); + + data.hash = hash; + data.task = task; +-- +2.30.2 + diff --git a/queue-5.13/ipv6-fix-another-slab-out-of-bounds-in-fib6_nh_flush.patch b/queue-5.13/ipv6-fix-another-slab-out-of-bounds-in-fib6_nh_flush.patch new file mode 100644 index 00000000000..4d4e89461c5 --- /dev/null +++ b/queue-5.13/ipv6-fix-another-slab-out-of-bounds-in-fib6_nh_flush.patch @@ -0,0 +1,44 @@ +From a4305c656837721339166821f687e517a1773012 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jul 2021 15:08:40 +0200 +Subject: ipv6: fix another slab-out-of-bounds in fib6_nh_flush_exceptions + +From: Paolo Abeni + +[ Upstream commit 8fb4792f091e608a0a1d353dfdf07ef55a719db5 ] + +While running the self-tests on a KASAN enabled kernel, I observed a +slab-out-of-bounds splat very similar to the one reported in +commit 821bbf79fe46 ("ipv6: Fix KASAN: slab-out-of-bounds Read in + fib6_nh_flush_exceptions"). + +We additionally need to take care of fib6_metrics initialization +failure when the caller provides an nh. + +The fix is similar, explicitly free the route instead of calling +fib6_info_release on a half-initialized object. + +Fixes: f88d8ea67fbdb ("ipv6: Plumb support for nexthop object in a fib6_info") +Signed-off-by: Paolo Abeni +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/route.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv6/route.c b/net/ipv6/route.c +index d417e514bd52..09e84161b731 100644 +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -3642,7 +3642,7 @@ static struct fib6_info *ip6_route_info_create(struct fib6_config *cfg, + err = PTR_ERR(rt->fib6_metrics); + /* Do not leave garbage there. */ + rt->fib6_metrics = (struct dst_metrics *)&dst_default_metrics; +- goto out; ++ goto out_free; + } + + if (cfg->fc_flags & RTF_ADDRCONF) +-- +2.30.2 + diff --git a/queue-5.13/ipv6-fix-disable_policy-for-fwd-packets.patch b/queue-5.13/ipv6-fix-disable_policy-for-fwd-packets.patch new file mode 100644 index 00000000000..24f81b9542f --- /dev/null +++ b/queue-5.13/ipv6-fix-disable_policy-for-fwd-packets.patch @@ -0,0 +1,51 @@ +From e0622e1971e0b3143e7ab8fc9653379d16fd981a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Jul 2021 11:13:35 +0200 +Subject: ipv6: fix 'disable_policy' for fwd packets + +From: Nicolas Dichtel + +[ Upstream commit ccd27f05ae7b8ebc40af5b004e94517a919aa862 ] + +The goal of commit df789fe75206 ("ipv6: Provide ipv6 version of +"disable_policy" sysctl") was to have the disable_policy from ipv4 +available on ipv6. +However, it's not exactly the same mechanism. On IPv4, all packets coming +from an interface, which has disable_policy set, bypass the policy check. +For ipv6, this is done only for local packets, ie for packets destinated to +an address configured on the incoming interface. + +Let's align ipv6 with ipv4 so that the 'disable_policy' sysctl has the same +effect for both protocols. + +My first approach was to create a new kind of route cache entries, to be +able to set DST_NOPOLICY without modifying routes. This would have added a +lot of code. Because the local delivery path is already handled, I choose +to focus on the forwarding path to minimize code churn. + +Fixes: df789fe75206 ("ipv6: Provide ipv6 version of "disable_policy" sysctl") +Signed-off-by: Nicolas Dichtel +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/ip6_output.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c +index 497974b4372a..b7ffb4f227a4 100644 +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -479,7 +479,9 @@ int ip6_forward(struct sk_buff *skb) + if (skb_warn_if_lro(skb)) + goto drop; + +- if (!xfrm6_policy_check(NULL, XFRM_POLICY_FWD, skb)) { ++ if (!net->ipv6.devconf_all->disable_policy && ++ !idev->cnf.disable_policy && ++ !xfrm6_policy_check(NULL, XFRM_POLICY_FWD, skb)) { + __IP6_INC_STATS(net, idev, IPSTATS_MIB_INDISCARDS); + goto drop; + } +-- +2.30.2 + diff --git a/queue-5.13/ixgbe-fix-an-error-handling-path-in-ixgbe_probe.patch b/queue-5.13/ixgbe-fix-an-error-handling-path-in-ixgbe_probe.patch new file mode 100644 index 00000000000..311ea64ec86 --- /dev/null +++ b/queue-5.13/ixgbe-fix-an-error-handling-path-in-ixgbe_probe.patch @@ -0,0 +1,37 @@ +From 2288de7f6413d33a114cc2a269aa11b53225959f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Jun 2021 15:46:09 +0200 +Subject: ixgbe: Fix an error handling path in 'ixgbe_probe()' + +From: Christophe JAILLET + +[ Upstream commit dd2aefcd5e37989ae5f90afdae44bbbf3a2990da ] + +If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it +must be undone by a corresponding 'pci_disable_pcie_error_reporting()' +call, as already done in the remove function. + +Fixes: 6fabd715e6d8 ("ixgbe: Implement PCIe AER support") +Signed-off-by: Christophe JAILLET +Tested-by: Tony Brelinski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c +index 2ac5b82676f3..39fdc46f34f9 100644 +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c +@@ -11069,6 +11069,7 @@ err_ioremap: + disable_dev = !test_and_set_bit(__IXGBE_DISABLED, &adapter->state); + free_netdev(netdev); + err_alloc_etherdev: ++ pci_disable_pcie_error_reporting(pdev); + pci_release_mem_regions(pdev); + err_pci_reg: + err_dma: +-- +2.30.2 + diff --git a/queue-5.13/ixgbevf-use-xso.real_dev-instead-of-xso.dev-in-callb.patch b/queue-5.13/ixgbevf-use-xso.real_dev-instead-of-xso.dev-in-callb.patch new file mode 100644 index 00000000000..cea90c0569a --- /dev/null +++ b/queue-5.13/ixgbevf-use-xso.real_dev-instead-of-xso.dev-in-callb.patch @@ -0,0 +1,133 @@ +From 0ee73e7624e98dee3e86d02e36841a144d2b7653 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Jul 2021 15:38:09 +0000 +Subject: ixgbevf: use xso.real_dev instead of xso.dev in callback functions of + struct xfrmdev_ops + +From: Taehee Yoo + +[ Upstream commit 2de7e4f67599affc97132bd07e30e3bd59d0b777 ] + +There are two pointers in struct xfrm_state_offload, *dev, *real_dev. +These are used in callback functions of struct xfrmdev_ops. +The *dev points whether bonding interface or real interface. +If bonding ipsec offload is used, it points bonding interface If not, +it points real interface. +And real_dev always points real interface. +So, ixgbevf should always use real_dev instead of dev. +Of course, real_dev always not be null. + +Test commands: + ip link add bond0 type bond + #eth0 is ixgbevf interface + ip link set eth0 master bond0 + ip link set bond0 up + ip x s add proto esp dst 14.1.1.1 src 15.1.1.1 spi 0x07 mode \ +transport reqid 0x07 replay-window 32 aead 'rfc4106(gcm(aes))' \ +0x44434241343332312423222114131211f4f3f2f1 128 sel src 14.0.0.52/24 \ +dst 14.0.0.70/24 proto tcp offload dev bond0 dir in + +Splat looks like: +KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] +CPU: 6 PID: 688 Comm: ip Not tainted 5.13.0-rc3+ #1168 +RIP: 0010:ixgbevf_ipsec_find_empty_idx+0x28/0x1b0 [ixgbevf] +Code: 00 00 0f 1f 44 00 00 55 53 48 89 fb 48 83 ec 08 40 84 f6 0f 84 9c +00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 +84 c0 74 08 3c 01 0f 8e 4c 01 00 00 66 81 3b 00 04 0f +RSP: 0018:ffff8880089af390 EFLAGS: 00010246 +RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000001 +RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000 +RBP: ffff8880089af4f8 R08: 0000000000000003 R09: fffffbfff4287e11 +R10: 0000000000000001 R11: ffff888005de8908 R12: 0000000000000000 +R13: ffff88810936a000 R14: ffff88810936a000 R15: ffff888004d78040 +FS: 00007fdf9883a680(0000) GS:ffff88811a400000(0000) +knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 000055bc14adbf40 CR3: 000000000b87c005 CR4: 00000000003706e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + ixgbevf_ipsec_add_sa+0x1bf/0x9c0 [ixgbevf] + ? rcu_read_lock_sched_held+0x91/0xc0 + ? ixgbevf_ipsec_parse_proto_keys.isra.9+0x280/0x280 [ixgbevf] + ? lock_acquire+0x191/0x720 + ? bond_ipsec_add_sa+0x48/0x350 [bonding] + ? lockdep_hardirqs_on_prepare+0x3e0/0x3e0 + ? rcu_read_lock_held+0x91/0xa0 + ? rcu_read_lock_sched_held+0xc0/0xc0 + bond_ipsec_add_sa+0x193/0x350 [bonding] + xfrm_dev_state_add+0x2a9/0x770 + ? memcpy+0x38/0x60 + xfrm_add_sa+0x2278/0x3b10 [xfrm_user] + ? xfrm_get_policy+0xaa0/0xaa0 [xfrm_user] + ? register_lock_class+0x1750/0x1750 + xfrm_user_rcv_msg+0x331/0x660 [xfrm_user] + ? rcu_read_lock_sched_held+0x91/0xc0 + ? xfrm_user_state_lookup.constprop.39+0x320/0x320 [xfrm_user] + ? find_held_lock+0x3a/0x1c0 + ? mutex_lock_io_nested+0x1210/0x1210 + ? sched_clock_cpu+0x18/0x170 + netlink_rcv_skb+0x121/0x350 +[ ... ] + +Fixes: 272c2330adc9 ("xfrm: bail early on slave pass over skb") +Signed-off-by: Taehee Yoo +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ixgbevf/ipsec.c | 20 +++++++++++++------- + 1 file changed, 13 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ixgbevf/ipsec.c b/drivers/net/ethernet/intel/ixgbevf/ipsec.c +index caaea2c920a6..e3e4676af9e4 100644 +--- a/drivers/net/ethernet/intel/ixgbevf/ipsec.c ++++ b/drivers/net/ethernet/intel/ixgbevf/ipsec.c +@@ -211,7 +211,7 @@ struct xfrm_state *ixgbevf_ipsec_find_rx_state(struct ixgbevf_ipsec *ipsec, + static int ixgbevf_ipsec_parse_proto_keys(struct xfrm_state *xs, + u32 *mykey, u32 *mysalt) + { +- struct net_device *dev = xs->xso.dev; ++ struct net_device *dev = xs->xso.real_dev; + unsigned char *key_data; + char *alg_name = NULL; + int key_len; +@@ -260,12 +260,15 @@ static int ixgbevf_ipsec_parse_proto_keys(struct xfrm_state *xs, + **/ + static int ixgbevf_ipsec_add_sa(struct xfrm_state *xs) + { +- struct net_device *dev = xs->xso.dev; +- struct ixgbevf_adapter *adapter = netdev_priv(dev); +- struct ixgbevf_ipsec *ipsec = adapter->ipsec; ++ struct net_device *dev = xs->xso.real_dev; ++ struct ixgbevf_adapter *adapter; ++ struct ixgbevf_ipsec *ipsec; + u16 sa_idx; + int ret; + ++ adapter = netdev_priv(dev); ++ ipsec = adapter->ipsec; ++ + if (xs->id.proto != IPPROTO_ESP && xs->id.proto != IPPROTO_AH) { + netdev_err(dev, "Unsupported protocol 0x%04x for IPsec offload\n", + xs->id.proto); +@@ -383,11 +386,14 @@ static int ixgbevf_ipsec_add_sa(struct xfrm_state *xs) + **/ + static void ixgbevf_ipsec_del_sa(struct xfrm_state *xs) + { +- struct net_device *dev = xs->xso.dev; +- struct ixgbevf_adapter *adapter = netdev_priv(dev); +- struct ixgbevf_ipsec *ipsec = adapter->ipsec; ++ struct net_device *dev = xs->xso.real_dev; ++ struct ixgbevf_adapter *adapter; ++ struct ixgbevf_ipsec *ipsec; + u16 sa_idx; + ++ adapter = netdev_priv(dev); ++ ipsec = adapter->ipsec; ++ + if (xs->xso.flags & XFRM_OFFLOAD_INBOUND) { + sa_idx = xs->xso.offload_handle - IXGBE_IPSEC_BASE_RX_INDEX; + +-- +2.30.2 + diff --git a/queue-5.13/kbuild-lto-fix-module-versionings-mismatch-in-gnu-ma.patch b/queue-5.13/kbuild-lto-fix-module-versionings-mismatch-in-gnu-ma.patch new file mode 100644 index 00000000000..642e5a7ac70 --- /dev/null +++ b/queue-5.13/kbuild-lto-fix-module-versionings-mismatch-in-gnu-ma.patch @@ -0,0 +1,73 @@ +From 8266618ca2aa08c19836f2c97967de55bfa098c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jul 2021 15:37:16 +0800 +Subject: Kbuild: lto: fix module versionings mismatch in GNU make 3.X + +From: Lecopzer Chen + +[ Upstream commit 1d11053dc63094075bf9e4809fffd3bb5e72f9a6 ] + +When building modules(CONFIG_...=m), I found some of module versions +are incorrect and set to 0. +This can be found in build log for first clean build which shows + +WARNING: EXPORT symbol "XXXX" [drivers/XXX/XXX.ko] version generation failed, +symbol will not be versioned. + +But in second build(incremental build), the WARNING disappeared and the +module version becomes valid CRC and make someone who want to change +modules without updating kernel image can't insert their modules. + +The problematic code is ++ $(foreach n, $(filter-out FORCE,$^), \ ++ $(if $(wildcard $(n).symversions), \ ++ ; cat $(n).symversions >> $@.symversions)) + +For example: + rm -f fs/notify/built-in.a.symversions ; rm -f fs/notify/built-in.a; \ +llvm-ar cDPrST fs/notify/built-in.a fs/notify/fsnotify.o \ +fs/notify/notification.o fs/notify/group.o ... + +`foreach n` shows nothing to `cat` into $(n).symversions because +`if $(wildcard $(n).symversions)` return nothing, but actually +they do exist during this line was executed. + +-rw-r--r-- 1 root root 168580 Jun 13 19:10 fs/notify/fsnotify.o +-rw-r--r-- 1 root root 111 Jun 13 19:10 fs/notify/fsnotify.o.symversions + +The reason is the $(n).symversions are generated at runtime, but +Makefile wildcard function expends and checks the file exist or not +during parsing the Makefile. + +Thus fix this by use `test` shell command to check the file +existence in runtime. + +Rebase from both: +1. [https://lore.kernel.org/lkml/20210616080252.32046-1-lecopzer.chen@mediatek.com/] +2. [https://lore.kernel.org/lkml/20210702032943.7865-1-lecopzer.chen@mediatek.com/] + +Fixes: 38e891849003 ("kbuild: lto: fix module versioning") +Co-developed-by: Sami Tolvanen +Signed-off-by: Lecopzer Chen +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/Makefile.build | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/scripts/Makefile.build b/scripts/Makefile.build +index 34d257653fb4..c6bd62f518ff 100644 +--- a/scripts/Makefile.build ++++ b/scripts/Makefile.build +@@ -388,7 +388,7 @@ ifeq ($(CONFIG_LTO_CLANG) $(CONFIG_MODVERSIONS),y y) + cmd_update_lto_symversions = \ + rm -f $@.symversions \ + $(foreach n, $(filter-out FORCE,$^), \ +- $(if $(wildcard $(n).symversions), \ ++ $(if $(shell test -s $(n).symversions && echo y), \ + ; cat $(n).symversions >> $@.symversions)) + else + cmd_update_lto_symversions = echo >/dev/null +-- +2.30.2 + diff --git a/queue-5.13/kvm-ppc-book3s-fix-config_transactional_mem-n-crash.patch b/queue-5.13/kvm-ppc-book3s-fix-config_transactional_mem-n-crash.patch new file mode 100644 index 00000000000..f940f23a239 --- /dev/null +++ b/queue-5.13/kvm-ppc-book3s-fix-config_transactional_mem-n-crash.patch @@ -0,0 +1,44 @@ +From ae3915adb5e544247519546df1411b596e8d6556 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jul 2021 12:43:09 +1000 +Subject: KVM: PPC: Book3S: Fix CONFIG_TRANSACTIONAL_MEM=n crash + +From: Nicholas Piggin + +[ Upstream commit bd31ecf44b8e18ccb1e5f6b50f85de6922a60de3 ] + +When running CPU_FTR_P9_TM_HV_ASSIST, HFSCR[TM] is set for the guest +even if the host has CONFIG_TRANSACTIONAL_MEM=n, which causes it to be +unprepared to handle guest exits while transactional. + +Normal guests don't have a problem because the HTM capability will not +be advertised, but a rogue or buggy one could crash the host. + +Fixes: 4bb3c7a0208f ("KVM: PPC: Book3S HV: Work around transactional memory bugs in POWER9") +Reported-by: Alexey Kardashevskiy +Signed-off-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20210716024310.164448-1-npiggin@gmail.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kvm/book3s_hv.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/powerpc/kvm/book3s_hv.c b/arch/powerpc/kvm/book3s_hv.c +index 67cc164c4ac1..395f98158e81 100644 +--- a/arch/powerpc/kvm/book3s_hv.c ++++ b/arch/powerpc/kvm/book3s_hv.c +@@ -2445,8 +2445,10 @@ static int kvmppc_core_vcpu_create_hv(struct kvm_vcpu *vcpu) + HFSCR_DSCR | HFSCR_VECVSX | HFSCR_FP | HFSCR_PREFIX; + if (cpu_has_feature(CPU_FTR_HVMODE)) { + vcpu->arch.hfscr &= mfspr(SPRN_HFSCR); ++#ifdef CONFIG_PPC_TRANSACTIONAL_MEM + if (cpu_has_feature(CPU_FTR_P9_TM_HV_ASSIST)) + vcpu->arch.hfscr |= HFSCR_TM; ++#endif + } + if (cpu_has_feature(CPU_FTR_TM_COMP)) + vcpu->arch.hfscr |= HFSCR_TM; +-- +2.30.2 + diff --git a/queue-5.13/kvm-ppc-fix-kvm_arch_vcpu_ioctl-vcpu_load-leak.patch b/queue-5.13/kvm-ppc-fix-kvm_arch_vcpu_ioctl-vcpu_load-leak.patch new file mode 100644 index 00000000000..3e931347418 --- /dev/null +++ b/queue-5.13/kvm-ppc-fix-kvm_arch_vcpu_ioctl-vcpu_load-leak.patch @@ -0,0 +1,51 @@ +From 6906cdef6d72b58c7850b14d5dc45eaaf0b4f41c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jul 2021 12:43:10 +1000 +Subject: KVM: PPC: Fix kvm_arch_vcpu_ioctl vcpu_load leak + +From: Nicholas Piggin + +[ Upstream commit bc4188a2f56e821ea057aca6bf444e138d06c252 ] + +vcpu_put is not called if the user copy fails. This can result in preempt +notifier corruption and crashes, among other issues. + +Fixes: b3cebfe8c1ca ("KVM: PPC: Move vcpu_load/vcpu_put down to each ioctl case in kvm_arch_vcpu_ioctl") +Reported-by: Alexey Kardashevskiy +Signed-off-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20210716024310.164448-2-npiggin@gmail.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kvm/powerpc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/powerpc/kvm/powerpc.c b/arch/powerpc/kvm/powerpc.c +index a2a68a958fa0..6e4f03c02a0a 100644 +--- a/arch/powerpc/kvm/powerpc.c ++++ b/arch/powerpc/kvm/powerpc.c +@@ -2045,9 +2045,9 @@ long kvm_arch_vcpu_ioctl(struct file *filp, + { + struct kvm_enable_cap cap; + r = -EFAULT; +- vcpu_load(vcpu); + if (copy_from_user(&cap, argp, sizeof(cap))) + goto out; ++ vcpu_load(vcpu); + r = kvm_vcpu_ioctl_enable_cap(vcpu, &cap); + vcpu_put(vcpu); + break; +@@ -2071,9 +2071,9 @@ long kvm_arch_vcpu_ioctl(struct file *filp, + case KVM_DIRTY_TLB: { + struct kvm_dirty_tlb dirty; + r = -EFAULT; +- vcpu_load(vcpu); + if (copy_from_user(&dirty, argp, sizeof(dirty))) + goto out; ++ vcpu_load(vcpu); + r = kvm_vcpu_ioctl_dirty_tlb(vcpu, &dirty); + vcpu_put(vcpu); + break; +-- +2.30.2 + diff --git a/queue-5.13/kvm-svm-fix-sev_pin_memory-error-checks-in-sev-migra.patch b/queue-5.13/kvm-svm-fix-sev_pin_memory-error-checks-in-sev-migra.patch new file mode 100644 index 00000000000..d4ddb09734b --- /dev/null +++ b/queue-5.13/kvm-svm-fix-sev_pin_memory-error-checks-in-sev-migra.patch @@ -0,0 +1,61 @@ +From 75e0cd354b91b3344d8a9b19045e5865dfa89d88 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 May 2021 10:58:26 -0700 +Subject: KVM: SVM: Fix sev_pin_memory() error checks in SEV migration + utilities + +From: Sean Christopherson + +[ Upstream commit c7a1b2b678c54ac19320daf525038d0e2e43ca7c ] + +Use IS_ERR() instead of checking for a NULL pointer when querying for +sev_pin_memory() failures. sev_pin_memory() always returns an error code +cast to a pointer, or a valid pointer; it never returns NULL. + +Reported-by: Dan Carpenter +Cc: Steve Rutherford +Cc: Brijesh Singh +Cc: Ashish Kalra +Fixes: d3d1af85e2c7 ("KVM: SVM: Add KVM_SEND_UPDATE_DATA command") +Fixes: 15fb7de1a7f5 ("KVM: SVM: Add KVM_SEV_RECEIVE_UPDATE_DATA command") +Signed-off-by: Sean Christopherson +Message-Id: <20210506175826.2166383-3-seanjc@google.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/svm/sev.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c +index 3dc3e2897804..02d60d7f903d 100644 +--- a/arch/x86/kvm/svm/sev.c ++++ b/arch/x86/kvm/svm/sev.c +@@ -1271,8 +1271,8 @@ static int sev_send_update_data(struct kvm *kvm, struct kvm_sev_cmd *argp) + /* Pin guest memory */ + guest_page = sev_pin_memory(kvm, params.guest_uaddr & PAGE_MASK, + PAGE_SIZE, &n, 0); +- if (!guest_page) +- return -EFAULT; ++ if (IS_ERR(guest_page)) ++ return PTR_ERR(guest_page); + + /* allocate memory for header and transport buffer */ + ret = -ENOMEM; +@@ -1463,11 +1463,12 @@ static int sev_receive_update_data(struct kvm *kvm, struct kvm_sev_cmd *argp) + data.trans_len = params.trans_len; + + /* Pin guest memory */ +- ret = -EFAULT; + guest_page = sev_pin_memory(kvm, params.guest_uaddr & PAGE_MASK, + PAGE_SIZE, &n, 0); +- if (!guest_page) ++ if (IS_ERR(guest_page)) { ++ ret = PTR_ERR(guest_page); + goto e_free_trans; ++ } + + /* The RECEIVE_UPDATE_DATA command requires C-bit to be always set. */ + data.guest_address = (page_to_pfn(guest_page[0]) << PAGE_SHIFT) + offset; +-- +2.30.2 + diff --git a/queue-5.13/kvm-svm-return-efault-if-copy_to_user-for-sev-mig-pa.patch b/queue-5.13/kvm-svm-return-efault-if-copy_to_user-for-sev-mig-pa.patch new file mode 100644 index 00000000000..ef4ad023f58 --- /dev/null +++ b/queue-5.13/kvm-svm-return-efault-if-copy_to_user-for-sev-mig-pa.patch @@ -0,0 +1,45 @@ +From b43a089c497e506ba3b8c957d51a4df87c8938dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 May 2021 10:58:25 -0700 +Subject: KVM: SVM: Return -EFAULT if copy_to_user() for SEV mig packet header + fails + +From: Sean Christopherson + +[ Upstream commit b4a693924aab93f3747465b2261add46c82c3220 ] + +Return -EFAULT if copy_to_user() fails; if accessing user memory faults, +copy_to_user() returns the number of bytes remaining, not an error code. + +Reported-by: Dan Carpenter +Cc: Steve Rutherford +Cc: Brijesh Singh +Cc: Ashish Kalra +Fixes: d3d1af85e2c7 ("KVM: SVM: Add KVM_SEND_UPDATE_DATA command") +Signed-off-by: Sean Christopherson +Message-Id: <20210506175826.2166383-2-seanjc@google.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/svm/sev.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c +index 8d36f0c73071..3dc3e2897804 100644 +--- a/arch/x86/kvm/svm/sev.c ++++ b/arch/x86/kvm/svm/sev.c +@@ -1309,8 +1309,9 @@ static int sev_send_update_data(struct kvm *kvm, struct kvm_sev_cmd *argp) + } + + /* Copy packet header to userspace. */ +- ret = copy_to_user((void __user *)(uintptr_t)params.hdr_uaddr, hdr, +- params.hdr_len); ++ if (copy_to_user((void __user *)(uintptr_t)params.hdr_uaddr, hdr, ++ params.hdr_len)) ++ ret = -EFAULT; + + e_free_trans_data: + kfree(trans_data); +-- +2.30.2 + diff --git a/queue-5.13/kvm-x86-pmu-clear-anythread-deprecated-bit-when-0xa-.patch b/queue-5.13/kvm-x86-pmu-clear-anythread-deprecated-bit-when-0xa-.patch new file mode 100644 index 00000000000..321330c0372 --- /dev/null +++ b/queue-5.13/kvm-x86-pmu-clear-anythread-deprecated-bit-when-0xa-.patch @@ -0,0 +1,44 @@ +From 48483717b4e3f3dea5dd69d9472aeec3516918f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Jun 2021 15:43:54 +0800 +Subject: KVM: x86/pmu: Clear anythread deprecated bit when 0xa leaf is + unsupported on the SVM + +From: Like Xu + +[ Upstream commit 7234c362ccb3c2228f06f19f93b132de9cfa7ae4 ] + +The AMD platform does not support the functions Ah CPUID leaf. The returned +results for this entry should all remain zero just like the native does: + +AMD host: + 0x0000000a 0x00: eax=0x00000000 ebx=0x00000000 ecx=0x00000000 edx=0x00000000 +(uncanny) AMD guest: + 0x0000000a 0x00: eax=0x00000000 ebx=0x00000000 ecx=0x00000000 edx=0x00008000 + +Fixes: cadbaa039b99 ("perf/x86/intel: Make anythread filter support conditional") +Signed-off-by: Like Xu +Message-Id: <20210628074354.33848-1-likexu@tencent.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/cpuid.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c +index ca7866d63e98..739be5da3bca 100644 +--- a/arch/x86/kvm/cpuid.c ++++ b/arch/x86/kvm/cpuid.c +@@ -765,7 +765,8 @@ static inline int __do_cpuid_func(struct kvm_cpuid_array *array, u32 function) + + edx.split.num_counters_fixed = min(cap.num_counters_fixed, MAX_FIXED_COUNTERS); + edx.split.bit_width_fixed = cap.bit_width_fixed; +- edx.split.anythread_deprecated = 1; ++ if (cap.version) ++ edx.split.anythread_deprecated = 1; + edx.split.reserved1 = 0; + edx.split.reserved2 = 0; + +-- +2.30.2 + diff --git a/queue-5.13/liquidio-fix-unintentional-sign-extension-issue-on-l.patch b/queue-5.13/liquidio-fix-unintentional-sign-extension-issue-on-l.patch new file mode 100644 index 00000000000..0cdc8809a0c --- /dev/null +++ b/queue-5.13/liquidio-fix-unintentional-sign-extension-issue-on-l.patch @@ -0,0 +1,43 @@ +From cac23668a7c35be066cd8f93fb373c95e41ac3d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jul 2021 16:23:43 +0100 +Subject: liquidio: Fix unintentional sign extension issue on left shift of u16 + +From: Colin Ian King + +[ Upstream commit e7efc2ce3d0789cd7c21b70ff00cd7838d382639 ] + +Shifting the u16 integer oct->pcie_port by CN23XX_PKT_INPUT_CTL_MAC_NUM_POS +(29) bits will be promoted to a 32 bit signed int and then sign-extended +to a u64. In the cases where oct->pcie_port where bit 2 is set (e.g. 3..7) +the shifted value will be sign extended and the top 32 bits of the result +will be set. + +Fix this by casting the u16 values to a u64 before the 29 bit left shift. + +Addresses-Coverity: ("Unintended sign extension") + +Fixes: 3451b97cce2d ("liquidio: CN23XX register setup") +Signed-off-by: Colin Ian King +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cavium/liquidio/cn23xx_pf_device.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/cavium/liquidio/cn23xx_pf_device.c b/drivers/net/ethernet/cavium/liquidio/cn23xx_pf_device.c +index 4cddd628d41b..9ed3d1ab2ca5 100644 +--- a/drivers/net/ethernet/cavium/liquidio/cn23xx_pf_device.c ++++ b/drivers/net/ethernet/cavium/liquidio/cn23xx_pf_device.c +@@ -420,7 +420,7 @@ static int cn23xx_pf_setup_global_input_regs(struct octeon_device *oct) + * bits 32:47 indicate the PVF num. + */ + for (q_no = 0; q_no < ern; q_no++) { +- reg_val = oct->pcie_port << CN23XX_PKT_INPUT_CTL_MAC_NUM_POS; ++ reg_val = (u64)oct->pcie_port << CN23XX_PKT_INPUT_CTL_MAC_NUM_POS; + + /* for VF assigned queues. */ + if (q_no < oct->sriov_info.pf_srn) { +-- +2.30.2 + diff --git a/queue-5.13/mptcp-add-sk-parameter-for-mptcp_get_options.patch b/queue-5.13/mptcp-add-sk-parameter-for-mptcp_get_options.patch new file mode 100644 index 00000000000..e7a0ce9ccdd --- /dev/null +++ b/queue-5.13/mptcp-add-sk-parameter-for-mptcp_get_options.patch @@ -0,0 +1,111 @@ +From f6a62e5ab9da159ac1e154dcb49326a50b8c959a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Jun 2021 16:46:12 -0700 +Subject: mptcp: add sk parameter for mptcp_get_options + +From: Geliang Tang + +[ Upstream commit c863225b79426459feca2ef5b0cc2f07e8e68771 ] + +This patch added a new parameter name sk in mptcp_get_options(). + +Acked-by: Paolo Abeni +Signed-off-by: Geliang Tang +Signed-off-by: Mat Martineau +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/mptcp/options.c | 5 +++-- + net/mptcp/protocol.h | 3 ++- + net/mptcp/subflow.c | 10 +++++----- + 3 files changed, 10 insertions(+), 8 deletions(-) + +diff --git a/net/mptcp/options.c b/net/mptcp/options.c +index b87e46f515fb..72b1067d5aa2 100644 +--- a/net/mptcp/options.c ++++ b/net/mptcp/options.c +@@ -323,7 +323,8 @@ static void mptcp_parse_option(const struct sk_buff *skb, + } + } + +-void mptcp_get_options(const struct sk_buff *skb, ++void mptcp_get_options(const struct sock *sk, ++ const struct sk_buff *skb, + struct mptcp_options_received *mp_opt) + { + const struct tcphdr *th = tcp_hdr(skb); +@@ -1010,7 +1011,7 @@ void mptcp_incoming_options(struct sock *sk, struct sk_buff *skb) + return; + } + +- mptcp_get_options(skb, &mp_opt); ++ mptcp_get_options(sk, skb, &mp_opt); + if (!check_fully_established(msk, sk, subflow, skb, &mp_opt)) + return; + +diff --git a/net/mptcp/protocol.h b/net/mptcp/protocol.h +index 7b634568f49c..f74258377c05 100644 +--- a/net/mptcp/protocol.h ++++ b/net/mptcp/protocol.h +@@ -576,7 +576,8 @@ int __init mptcp_proto_v6_init(void); + struct sock *mptcp_sk_clone(const struct sock *sk, + const struct mptcp_options_received *mp_opt, + struct request_sock *req); +-void mptcp_get_options(const struct sk_buff *skb, ++void mptcp_get_options(const struct sock *sk, ++ const struct sk_buff *skb, + struct mptcp_options_received *mp_opt); + + void mptcp_finish_connect(struct sock *sk); +diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c +index 5221cfce5390..78e787ef8fff 100644 +--- a/net/mptcp/subflow.c ++++ b/net/mptcp/subflow.c +@@ -150,7 +150,7 @@ static int subflow_check_req(struct request_sock *req, + return -EINVAL; + #endif + +- mptcp_get_options(skb, &mp_opt); ++ mptcp_get_options(sk_listener, skb, &mp_opt); + + if (mp_opt.mp_capable) { + SUBFLOW_REQ_INC_STATS(req, MPTCP_MIB_MPCAPABLEPASSIVE); +@@ -244,7 +244,7 @@ int mptcp_subflow_init_cookie_req(struct request_sock *req, + int err; + + subflow_init_req(req, sk_listener); +- mptcp_get_options(skb, &mp_opt); ++ mptcp_get_options(sk_listener, skb, &mp_opt); + + if (mp_opt.mp_capable && mp_opt.mp_join) + return -EINVAL; +@@ -403,7 +403,7 @@ static void subflow_finish_connect(struct sock *sk, const struct sk_buff *skb) + subflow->ssn_offset = TCP_SKB_CB(skb)->seq; + pr_debug("subflow=%p synack seq=%x", subflow, subflow->ssn_offset); + +- mptcp_get_options(skb, &mp_opt); ++ mptcp_get_options(sk, skb, &mp_opt); + if (subflow->request_mptcp) { + if (!mp_opt.mp_capable) { + MPTCP_INC_STATS(sock_net(sk), +@@ -650,7 +650,7 @@ static struct sock *subflow_syn_recv_sock(const struct sock *sk, + * reordered MPC will cause fallback, but we don't have other + * options. + */ +- mptcp_get_options(skb, &mp_opt); ++ mptcp_get_options(sk, skb, &mp_opt); + if (!mp_opt.mp_capable) { + fallback = true; + goto create_child; +@@ -660,7 +660,7 @@ static struct sock *subflow_syn_recv_sock(const struct sock *sk, + if (!new_msk) + fallback = true; + } else if (subflow_req->mp_join) { +- mptcp_get_options(skb, &mp_opt); ++ mptcp_get_options(sk, skb, &mp_opt); + if (!mp_opt.mp_join || !subflow_hmac_valid(req, &mp_opt) || + !mptcp_can_accept_new_subflow(subflow_req->msk)) { + SUBFLOW_REQ_INC_STATS(req, MPTCP_MIB_JOINACKMAC); +-- +2.30.2 + diff --git a/queue-5.13/mptcp-avoid-processing-packet-if-a-subflow-reset.patch b/queue-5.13/mptcp-avoid-processing-packet-if-a-subflow-reset.patch new file mode 100644 index 00000000000..78a3b1d31e5 --- /dev/null +++ b/queue-5.13/mptcp-avoid-processing-packet-if-a-subflow-reset.patch @@ -0,0 +1,165 @@ +From abc2f2567f1620aed353c12a6a7e3faf31b92b4e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Jul 2021 17:20:49 -0700 +Subject: mptcp: avoid processing packet if a subflow reset + +From: Jianguo Wu + +[ Upstream commit 6787b7e350d3552651a3422d3d8980fbc8d65368 ] + +If check_fully_established() causes a subflow reset, it should not +continue to process the packet in tcp_data_queue(). +Add a return value to mptcp_incoming_options(), and return false if a +subflow has been reset, else return true. Then drop the packet in +tcp_data_queue()/tcp_rcv_state_process() if mptcp_incoming_options() +return false. + +Fixes: d582484726c4 ("mptcp: fix fallback for MP_JOIN subflows") +Signed-off-by: Jianguo Wu +Signed-off-by: Mat Martineau +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/net/mptcp.h | 5 +++-- + net/ipv4/tcp_input.c | 19 +++++++++++++++---- + net/mptcp/options.c | 19 +++++++++++++------ + 3 files changed, 31 insertions(+), 12 deletions(-) + +diff --git a/include/net/mptcp.h b/include/net/mptcp.h +index 83f23774b908..f1d798ff29e9 100644 +--- a/include/net/mptcp.h ++++ b/include/net/mptcp.h +@@ -101,7 +101,7 @@ bool mptcp_synack_options(const struct request_sock *req, unsigned int *size, + bool mptcp_established_options(struct sock *sk, struct sk_buff *skb, + unsigned int *size, unsigned int remaining, + struct mptcp_out_options *opts); +-void mptcp_incoming_options(struct sock *sk, struct sk_buff *skb); ++bool mptcp_incoming_options(struct sock *sk, struct sk_buff *skb); + + void mptcp_write_options(__be32 *ptr, const struct tcp_sock *tp, + struct mptcp_out_options *opts); +@@ -223,9 +223,10 @@ static inline bool mptcp_established_options(struct sock *sk, + return false; + } + +-static inline void mptcp_incoming_options(struct sock *sk, ++static inline bool mptcp_incoming_options(struct sock *sk, + struct sk_buff *skb) + { ++ return true; + } + + static inline void mptcp_skb_ext_move(struct sk_buff *to, +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index 6bd628f08ded..0f1b4bfddfd4 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -4247,6 +4247,9 @@ void tcp_reset(struct sock *sk, struct sk_buff *skb) + { + trace_tcp_receive_reset(sk); + ++ /* mptcp can't tell us to ignore reset pkts, ++ * so just ignore the return value of mptcp_incoming_options(). ++ */ + if (sk_is_mptcp(sk)) + mptcp_incoming_options(sk, skb); + +@@ -4941,8 +4944,13 @@ static void tcp_data_queue(struct sock *sk, struct sk_buff *skb) + bool fragstolen; + int eaten; + +- if (sk_is_mptcp(sk)) +- mptcp_incoming_options(sk, skb); ++ /* If a subflow has been reset, the packet should not continue ++ * to be processed, drop the packet. ++ */ ++ if (sk_is_mptcp(sk) && !mptcp_incoming_options(sk, skb)) { ++ __kfree_skb(skb); ++ return; ++ } + + if (TCP_SKB_CB(skb)->seq == TCP_SKB_CB(skb)->end_seq) { + __kfree_skb(skb); +@@ -6522,8 +6530,11 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb) + case TCP_CLOSING: + case TCP_LAST_ACK: + if (!before(TCP_SKB_CB(skb)->seq, tp->rcv_nxt)) { +- if (sk_is_mptcp(sk)) +- mptcp_incoming_options(sk, skb); ++ /* If a subflow has been reset, the packet should not ++ * continue to be processed, drop the packet. ++ */ ++ if (sk_is_mptcp(sk) && !mptcp_incoming_options(sk, skb)) ++ goto discard; + break; + } + fallthrough; +diff --git a/net/mptcp/options.c b/net/mptcp/options.c +index 72b1067d5aa2..4f08e04e1ab7 100644 +--- a/net/mptcp/options.c ++++ b/net/mptcp/options.c +@@ -990,7 +990,8 @@ static bool add_addr_hmac_valid(struct mptcp_sock *msk, + return hmac == mp_opt->ahmac; + } + +-void mptcp_incoming_options(struct sock *sk, struct sk_buff *skb) ++/* Return false if a subflow has been reset, else return true */ ++bool mptcp_incoming_options(struct sock *sk, struct sk_buff *skb) + { + struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(sk); + struct mptcp_sock *msk = mptcp_sk(subflow->conn); +@@ -1008,12 +1009,16 @@ void mptcp_incoming_options(struct sock *sk, struct sk_buff *skb) + __mptcp_check_push(subflow->conn, sk); + __mptcp_data_acked(subflow->conn); + mptcp_data_unlock(subflow->conn); +- return; ++ return true; + } + + mptcp_get_options(sk, skb, &mp_opt); ++ ++ /* The subflow can be in close state only if check_fully_established() ++ * just sent a reset. If so, tell the caller to ignore the current packet. ++ */ + if (!check_fully_established(msk, sk, subflow, skb, &mp_opt)) +- return; ++ return sk->sk_state != TCP_CLOSE; + + if (mp_opt.fastclose && + msk->local_key == mp_opt.rcvr_key) { +@@ -1055,7 +1060,7 @@ void mptcp_incoming_options(struct sock *sk, struct sk_buff *skb) + } + + if (!mp_opt.dss) +- return; ++ return true; + + /* we can't wait for recvmsg() to update the ack_seq, otherwise + * monodirectional flows will stuck +@@ -1074,12 +1079,12 @@ void mptcp_incoming_options(struct sock *sk, struct sk_buff *skb) + schedule_work(&msk->work)) + sock_hold(subflow->conn); + +- return; ++ return true; + } + + mpext = skb_ext_add(skb, SKB_EXT_MPTCP); + if (!mpext) +- return; ++ return true; + + memset(mpext, 0, sizeof(*mpext)); + +@@ -1104,6 +1109,8 @@ void mptcp_incoming_options(struct sock *sk, struct sk_buff *skb) + mpext->data_len = mp_opt.data_len; + mpext->use_map = 1; + } ++ ++ return true; + } + + static void mptcp_set_rwin(const struct tcp_sock *tp) +-- +2.30.2 + diff --git a/queue-5.13/mptcp-fix-syncookie-process-if-mptcp-can-not_accept-.patch b/queue-5.13/mptcp-fix-syncookie-process-if-mptcp-can-not_accept-.patch new file mode 100644 index 00000000000..f55e9c6c19f --- /dev/null +++ b/queue-5.13/mptcp-fix-syncookie-process-if-mptcp-can-not_accept-.patch @@ -0,0 +1,81 @@ +From 4a6674ff37b902fe4e5dbbe5f5de1638cd8df3d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Jul 2021 17:20:48 -0700 +Subject: mptcp: fix syncookie process if mptcp can not_accept new subflow + +From: Jianguo Wu + +[ Upstream commit 8547ea5f52dd8ef19b69c25c41b1415481b3503b ] + +Lots of "TCP: tcp_fin: Impossible, sk->sk_state=7" in client side +when doing stress testing using wrk and webfsd. + +There are at least two cases may trigger this warning: +1.mptcp is in syncookie, and server recv MP_JOIN SYN request, + in subflow_check_req(), the mptcp_can_accept_new_subflow() + return false, so subflow_init_req_cookie_join_save() isn't + called, i.e. not store the data present in the MP_JOIN syn + request and the random nonce in hash table - join_entries[], + but still send synack. When recv 3rd-ack, + mptcp_token_join_cookie_init_state() will return false, and + 3rd-ack is dropped, then if mptcp conn is closed by client, + client will send a DATA_FIN and a MPTCP FIN, the DATA_FIN + doesn't have MP_CAPABLE or MP_JOIN, + so mptcp_subflow_init_cookie_req() will return 0, and pass + the cookie check, MP_JOIN request is fallback to normal TCP. + Server will send a TCP FIN if closed, in client side, + when process TCP FIN, it will do reset, the code path is: + tcp_data_queue()->mptcp_incoming_options() + ->check_fully_established()->mptcp_subflow_reset(). + mptcp_subflow_reset() will set sock state to TCP_CLOSE, + so tcp_fin will hit TCP_CLOSE, and print the warning. + +2.mptcp is in syncookie, and server recv 3rd-ack, in + mptcp_subflow_init_cookie_req(), mptcp_can_accept_new_subflow() + return false, and subflow_req->mp_join is not set to 1, + so in subflow_syn_recv_sock() will not reset the MP_JOIN + subflow, but fallback to normal TCP, and then the same thing + happens when server will send a TCP FIN if closed. + +For case1, subflow_check_req() return -EPERM, +then tcp_conn_request() will drop MP_JOIN SYN. + +For case2, let subflow_syn_recv_sock() call +mptcp_can_accept_new_subflow(), and do fatal fallback, send reset. + +Fixes: 9466a1ccebbe ("mptcp: enable JOIN requests even if cookies are in use") +Signed-off-by: Jianguo Wu +Signed-off-by: Mat Martineau +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/mptcp/subflow.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c +index 5493c851ca6c..5221cfce5390 100644 +--- a/net/mptcp/subflow.c ++++ b/net/mptcp/subflow.c +@@ -223,6 +223,8 @@ again: + if (unlikely(req->syncookie)) { + if (mptcp_can_accept_new_subflow(subflow_req->msk)) + subflow_init_req_cookie_join_save(subflow_req, skb); ++ else ++ return -EPERM; + } + + pr_debug("token=%u, remote_nonce=%u msk=%p", subflow_req->token, +@@ -262,9 +264,7 @@ int mptcp_subflow_init_cookie_req(struct request_sock *req, + if (!mptcp_token_join_cookie_init_state(subflow_req, skb)) + return -EINVAL; + +- if (mptcp_can_accept_new_subflow(subflow_req->msk)) +- subflow_req->mp_join = 1; +- ++ subflow_req->mp_join = 1; + subflow_req->ssn_offset = TCP_SKB_CB(skb)->seq - 1; + } + +-- +2.30.2 + diff --git a/queue-5.13/mptcp-fix-warning-in-__skb_flow_dissect-when-do-syn-.patch b/queue-5.13/mptcp-fix-warning-in-__skb_flow_dissect-when-do-syn-.patch new file mode 100644 index 00000000000..bc264c737ba --- /dev/null +++ b/queue-5.13/mptcp-fix-warning-in-__skb_flow_dissect-when-do-syn-.patch @@ -0,0 +1,124 @@ +From 8a8a0a058235860ad7a0be9a3e25ef032c7bf63b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Jul 2021 17:20:46 -0700 +Subject: mptcp: fix warning in __skb_flow_dissect() when do syn cookie for + subflow join + +From: Jianguo Wu + +[ Upstream commit 0c71929b5893e410e0efbe1bbeca6f19a5f19956 ] + +I did stress test with wrk[1] and webfsd[2] with the assistance of +mptcp-tools[3]: + + Server side: + ./use_mptcp.sh webfsd -4 -R /tmp/ -p 8099 + Client side: + ./use_mptcp.sh wrk -c 200 -d 30 -t 4 http://192.168.174.129:8099/ + +and got the following warning message: + +[ 55.552626] TCP: request_sock_subflow: Possible SYN flooding on port 8099. Sending cookies. Check SNMP counters. +[ 55.553024] ------------[ cut here ]------------ +[ 55.553027] WARNING: CPU: 0 PID: 10 at net/core/flow_dissector.c:984 __skb_flow_dissect+0x280/0x1650 +... +[ 55.553117] CPU: 0 PID: 10 Comm: ksoftirqd/0 Not tainted 5.12.0+ #18 +[ 55.553121] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 02/27/2020 +[ 55.553124] RIP: 0010:__skb_flow_dissect+0x280/0x1650 +... +[ 55.553133] RSP: 0018:ffffb79580087770 EFLAGS: 00010246 +[ 55.553137] RAX: 0000000000000000 RBX: ffffffff8ddb58e0 RCX: ffffb79580087888 +[ 55.553139] RDX: ffffffff8ddb58e0 RSI: ffff8f7e4652b600 RDI: 0000000000000000 +[ 55.553141] RBP: ffffb79580087858 R08: 0000000000000000 R09: 0000000000000008 +[ 55.553143] R10: 000000008c622965 R11: 00000000d3313a5b R12: ffff8f7e4652b600 +[ 55.553146] R13: ffff8f7e465c9062 R14: 0000000000000000 R15: ffffb79580087888 +[ 55.553149] FS: 0000000000000000(0000) GS:ffff8f7f75e00000(0000) knlGS:0000000000000000 +[ 55.553152] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 55.553154] CR2: 00007f73d1d19000 CR3: 0000000135e10004 CR4: 00000000003706f0 +[ 55.553160] Call Trace: +[ 55.553166] ? __sha256_final+0x67/0xd0 +[ 55.553173] ? sha256+0x7e/0xa0 +[ 55.553177] __skb_get_hash+0x57/0x210 +[ 55.553182] subflow_init_req_cookie_join_save+0xac/0xc0 +[ 55.553189] subflow_check_req+0x474/0x550 +[ 55.553195] ? ip_route_output_key_hash+0x67/0x90 +[ 55.553200] ? xfrm_lookup_route+0x1d/0xa0 +[ 55.553207] subflow_v4_route_req+0x8e/0xd0 +[ 55.553212] tcp_conn_request+0x31e/0xab0 +[ 55.553218] ? selinux_socket_sock_rcv_skb+0x116/0x210 +[ 55.553224] ? tcp_rcv_state_process+0x179/0x6d0 +[ 55.553229] tcp_rcv_state_process+0x179/0x6d0 +[ 55.553235] tcp_v4_do_rcv+0xaf/0x220 +[ 55.553239] tcp_v4_rcv+0xce4/0xd80 +[ 55.553243] ? ip_route_input_rcu+0x246/0x260 +[ 55.553248] ip_protocol_deliver_rcu+0x35/0x1b0 +[ 55.553253] ip_local_deliver_finish+0x44/0x50 +[ 55.553258] ip_local_deliver+0x6c/0x110 +[ 55.553262] ? ip_rcv_finish_core.isra.19+0x5a/0x400 +[ 55.553267] ip_rcv+0xd1/0xe0 +... + +After debugging, I found in __skb_flow_dissect(), skb->dev and skb->sk +are both NULL, then net is NULL, and trigger WARN_ON_ONCE(!net), +actually net is always NULL in this code path, as skb->dev is set to +NULL in tcp_v4_rcv(), and skb->sk is never set. + +Code snippet in __skb_flow_dissect() that trigger warning: + 975 if (skb) { + 976 if (!net) { + 977 if (skb->dev) + 978 net = dev_net(skb->dev); + 979 else if (skb->sk) + 980 net = sock_net(skb->sk); + 981 } + 982 } + 983 + 984 WARN_ON_ONCE(!net); + +So, using seq and transport header derived hash. + +[1] https://github.com/wg/wrk +[2] https://github.com/ourway/webfsd +[3] https://github.com/pabeni/mptcp-tools + +Fixes: 9466a1ccebbe ("mptcp: enable JOIN requests even if cookies are in use") +Suggested-by: Paolo Abeni +Suggested-by: Florian Westphal +Signed-off-by: Jianguo Wu +Signed-off-by: Mat Martineau +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/mptcp/syncookies.c | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +diff --git a/net/mptcp/syncookies.c b/net/mptcp/syncookies.c +index abe0fd099746..37127781aee9 100644 +--- a/net/mptcp/syncookies.c ++++ b/net/mptcp/syncookies.c +@@ -37,7 +37,21 @@ static spinlock_t join_entry_locks[COOKIE_JOIN_SLOTS] __cacheline_aligned_in_smp + + static u32 mptcp_join_entry_hash(struct sk_buff *skb, struct net *net) + { +- u32 i = skb_get_hash(skb) ^ net_hash_mix(net); ++ static u32 mptcp_join_hash_secret __read_mostly; ++ struct tcphdr *th = tcp_hdr(skb); ++ u32 seq, i; ++ ++ net_get_random_once(&mptcp_join_hash_secret, ++ sizeof(mptcp_join_hash_secret)); ++ ++ if (th->syn) ++ seq = TCP_SKB_CB(skb)->seq; ++ else ++ seq = TCP_SKB_CB(skb)->seq - 1; ++ ++ i = jhash_3words(seq, net_hash_mix(net), ++ (__force __u32)th->source << 16 | (__force __u32)th->dest, ++ mptcp_join_hash_secret); + + return i % ARRAY_SIZE(join_entries); + } +-- +2.30.2 + diff --git a/queue-5.13/mptcp-properly-account-bulk-freed-memory.patch b/queue-5.13/mptcp-properly-account-bulk-freed-memory.patch new file mode 100644 index 00000000000..2be157672d2 --- /dev/null +++ b/queue-5.13/mptcp-properly-account-bulk-freed-memory.patch @@ -0,0 +1,141 @@ +From ea1f17d1c56fe3cfab272ce7760bb31df09bc042 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Jul 2021 17:20:51 -0700 +Subject: mptcp: properly account bulk freed memory + +From: Paolo Abeni + +[ Upstream commit ce599c516386f09ca30848a1a4eb93d3fffbe187 ] + +After commit 879526030c8b ("mptcp: protect the rx path with +the msk socket spinlock") the rmem currently used by a given +msk is really sk_rmem_alloc - rmem_released. + +The safety check in mptcp_data_ready() does not take the above +in due account, as a result legit incoming data is kept in +subflow receive queue with no reason, delaying or blocking +MPTCP-level ack generation. + +This change addresses the issue introducing a new helper to fetch +the rmem memory and using it as needed. Additionally add a MIB +counter for the exceptional event described above - the peer is +misbehaving. + +Finally, introduce the required annotation when rmem_released is +updated. + +Fixes: 879526030c8b ("mptcp: protect the rx path with the msk socket spinlock") +Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/211 +Signed-off-by: Paolo Abeni +Signed-off-by: Mat Martineau +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/mptcp/mib.c | 1 + + net/mptcp/mib.h | 1 + + net/mptcp/protocol.c | 12 +++++++----- + net/mptcp/protocol.h | 10 +++++++++- + 4 files changed, 18 insertions(+), 6 deletions(-) + +diff --git a/net/mptcp/mib.c b/net/mptcp/mib.c +index eb2dc6dbe212..c8f4823cd79f 100644 +--- a/net/mptcp/mib.c ++++ b/net/mptcp/mib.c +@@ -42,6 +42,7 @@ static const struct snmp_mib mptcp_snmp_list[] = { + SNMP_MIB_ITEM("RmSubflow", MPTCP_MIB_RMSUBFLOW), + SNMP_MIB_ITEM("MPPrioTx", MPTCP_MIB_MPPRIOTX), + SNMP_MIB_ITEM("MPPrioRx", MPTCP_MIB_MPPRIORX), ++ SNMP_MIB_ITEM("RcvPruned", MPTCP_MIB_RCVPRUNED), + SNMP_MIB_SENTINEL + }; + +diff --git a/net/mptcp/mib.h b/net/mptcp/mib.h +index f0da4f060fe1..93fa7c95e206 100644 +--- a/net/mptcp/mib.h ++++ b/net/mptcp/mib.h +@@ -35,6 +35,7 @@ enum linux_mptcp_mib_field { + MPTCP_MIB_RMSUBFLOW, /* Remove a subflow */ + MPTCP_MIB_MPPRIOTX, /* Transmit a MP_PRIO */ + MPTCP_MIB_MPPRIORX, /* Received a MP_PRIO */ ++ MPTCP_MIB_RCVPRUNED, /* Incoming packet dropped due to memory limit */ + __MPTCP_MIB_MAX + }; + +diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c +index 18f152bdb66f..94b707a39bc3 100644 +--- a/net/mptcp/protocol.c ++++ b/net/mptcp/protocol.c +@@ -465,7 +465,7 @@ static void mptcp_cleanup_rbuf(struct mptcp_sock *msk) + bool cleanup, rx_empty; + + cleanup = (space > 0) && (space >= (old_space << 1)); +- rx_empty = !atomic_read(&sk->sk_rmem_alloc); ++ rx_empty = !__mptcp_rmem(sk); + + mptcp_for_each_subflow(msk, subflow) { + struct sock *ssk = mptcp_subflow_tcp_sock(subflow); +@@ -714,8 +714,10 @@ void mptcp_data_ready(struct sock *sk, struct sock *ssk) + sk_rbuf = ssk_rbuf; + + /* over limit? can't append more skbs to msk, Also, no need to wake-up*/ +- if (atomic_read(&sk->sk_rmem_alloc) > sk_rbuf) ++ if (__mptcp_rmem(sk) > sk_rbuf) { ++ MPTCP_INC_STATS(sock_net(sk), MPTCP_MIB_RCVPRUNED); + return; ++ } + + /* Wake-up the reader only for in-sequence data */ + mptcp_data_lock(sk); +@@ -1799,7 +1801,7 @@ static int __mptcp_recvmsg_mskq(struct mptcp_sock *msk, + if (!(flags & MSG_PEEK)) { + /* we will bulk release the skb memory later */ + skb->destructor = NULL; +- msk->rmem_released += skb->truesize; ++ WRITE_ONCE(msk->rmem_released, msk->rmem_released + skb->truesize); + __skb_unlink(skb, &msk->receive_queue); + __kfree_skb(skb); + } +@@ -1918,7 +1920,7 @@ static void __mptcp_update_rmem(struct sock *sk) + + atomic_sub(msk->rmem_released, &sk->sk_rmem_alloc); + sk_mem_uncharge(sk, msk->rmem_released); +- msk->rmem_released = 0; ++ WRITE_ONCE(msk->rmem_released, 0); + } + + static void __mptcp_splice_receive_queue(struct sock *sk) +@@ -2420,7 +2422,7 @@ static int __mptcp_init_sock(struct sock *sk) + msk->out_of_order_queue = RB_ROOT; + msk->first_pending = NULL; + msk->wmem_reserved = 0; +- msk->rmem_released = 0; ++ WRITE_ONCE(msk->rmem_released, 0); + msk->tx_pending_data = 0; + msk->size_goal_cache = TCP_BASE_MSS; + +diff --git a/net/mptcp/protocol.h b/net/mptcp/protocol.h +index f842c832f6b0..dc5b71de0a9a 100644 +--- a/net/mptcp/protocol.h ++++ b/net/mptcp/protocol.h +@@ -290,9 +290,17 @@ static inline struct mptcp_sock *mptcp_sk(const struct sock *sk) + return (struct mptcp_sock *)sk; + } + ++/* the msk socket don't use the backlog, also account for the bulk ++ * free memory ++ */ ++static inline int __mptcp_rmem(const struct sock *sk) ++{ ++ return atomic_read(&sk->sk_rmem_alloc) - READ_ONCE(mptcp_sk(sk)->rmem_released); ++} ++ + static inline int __mptcp_space(const struct sock *sk) + { +- return tcp_space(sk) + READ_ONCE(mptcp_sk(sk)->rmem_released); ++ return tcp_win_from_space(sk, READ_ONCE(sk->sk_rcvbuf) - __mptcp_rmem(sk)); + } + + static inline struct mptcp_data_frag *mptcp_send_head(const struct sock *sk) +-- +2.30.2 + diff --git a/queue-5.13/mptcp-refine-mptcp_cleanup_rbuf.patch b/queue-5.13/mptcp-refine-mptcp_cleanup_rbuf.patch new file mode 100644 index 00000000000..1e81b1c1a80 --- /dev/null +++ b/queue-5.13/mptcp-refine-mptcp_cleanup_rbuf.patch @@ -0,0 +1,164 @@ +From d593d14d946f59aab07b1c121ec377196ce39cb9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Jun 2021 12:25:23 -0700 +Subject: mptcp: refine mptcp_cleanup_rbuf + +From: Paolo Abeni + +[ Upstream commit fde56eea01f96b664eb63033990be0fd2a945da5 ] + +The current cleanup rbuf tries a bit too hard to avoid acquiring +the subflow socket lock. We may end-up delaying the needed ack, +or skip acking a blocked subflow. + +Address the above extending the conditions used to trigger the cleanup +to reflect more closely what TCP does and invoking tcp_cleanup_rbuf() +on all the active subflows. + +Note that we can't replicate the exact tests implemented in +tcp_cleanup_rbuf(), as MPTCP lacks some of the required info - e.g. +ping-pong mode. + +Signed-off-by: Paolo Abeni +Signed-off-by: Mat Martineau +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/mptcp/protocol.c | 56 ++++++++++++++++++-------------------------- + net/mptcp/protocol.h | 1 - + 2 files changed, 23 insertions(+), 34 deletions(-) + +diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c +index 0f36fefcc77e..18f152bdb66f 100644 +--- a/net/mptcp/protocol.c ++++ b/net/mptcp/protocol.c +@@ -433,49 +433,46 @@ static void mptcp_send_ack(struct mptcp_sock *msk) + } + } + +-static bool mptcp_subflow_cleanup_rbuf(struct sock *ssk) ++static void mptcp_subflow_cleanup_rbuf(struct sock *ssk) + { + bool slow; +- int ret; + + slow = lock_sock_fast(ssk); +- ret = tcp_can_send_ack(ssk); +- if (ret) ++ if (tcp_can_send_ack(ssk)) + tcp_cleanup_rbuf(ssk, 1); + unlock_sock_fast(ssk, slow); +- return ret; ++} ++ ++static bool mptcp_subflow_could_cleanup(const struct sock *ssk, bool rx_empty) ++{ ++ const struct inet_connection_sock *icsk = inet_csk(ssk); ++ bool ack_pending = READ_ONCE(icsk->icsk_ack.pending); ++ const struct tcp_sock *tp = tcp_sk(ssk); ++ ++ return (ack_pending & ICSK_ACK_SCHED) && ++ ((READ_ONCE(tp->rcv_nxt) - READ_ONCE(tp->rcv_wup) > ++ READ_ONCE(icsk->icsk_ack.rcv_mss)) || ++ (rx_empty && ack_pending & ++ (ICSK_ACK_PUSHED2 | ICSK_ACK_PUSHED))); + } + + static void mptcp_cleanup_rbuf(struct mptcp_sock *msk) + { +- struct sock *ack_hint = READ_ONCE(msk->ack_hint); + int old_space = READ_ONCE(msk->old_wspace); + struct mptcp_subflow_context *subflow; + struct sock *sk = (struct sock *)msk; +- bool cleanup; ++ int space = __mptcp_space(sk); ++ bool cleanup, rx_empty; + +- /* this is a simple superset of what tcp_cleanup_rbuf() implements +- * so that we don't have to acquire the ssk socket lock most of the time +- * to do actually nothing +- */ +- cleanup = __mptcp_space(sk) - old_space >= max(0, old_space); +- if (!cleanup) +- return; ++ cleanup = (space > 0) && (space >= (old_space << 1)); ++ rx_empty = !atomic_read(&sk->sk_rmem_alloc); + +- /* if the hinted ssk is still active, try to use it */ +- if (likely(ack_hint)) { +- mptcp_for_each_subflow(msk, subflow) { +- struct sock *ssk = mptcp_subflow_tcp_sock(subflow); ++ mptcp_for_each_subflow(msk, subflow) { ++ struct sock *ssk = mptcp_subflow_tcp_sock(subflow); + +- if (ack_hint == ssk && mptcp_subflow_cleanup_rbuf(ssk)) +- return; +- } ++ if (cleanup || mptcp_subflow_could_cleanup(ssk, rx_empty)) ++ mptcp_subflow_cleanup_rbuf(ssk); + } +- +- /* otherwise pick the first active subflow */ +- mptcp_for_each_subflow(msk, subflow) +- if (mptcp_subflow_cleanup_rbuf(mptcp_subflow_tcp_sock(subflow))) +- return; + } + + static bool mptcp_check_data_fin(struct sock *sk) +@@ -620,7 +617,6 @@ static bool __mptcp_move_skbs_from_subflow(struct mptcp_sock *msk, + break; + } + } while (more_data_avail); +- WRITE_ONCE(msk->ack_hint, ssk); + + *bytes += moved; + return done; +@@ -1955,7 +1951,6 @@ static bool __mptcp_move_skbs(struct mptcp_sock *msk) + __mptcp_update_rmem(sk); + done = __mptcp_move_skbs_from_subflow(msk, ssk, &moved); + mptcp_data_unlock(sk); +- tcp_cleanup_rbuf(ssk, moved); + + if (unlikely(ssk->sk_err)) + __mptcp_error_report(sk); +@@ -1971,7 +1966,6 @@ static bool __mptcp_move_skbs(struct mptcp_sock *msk) + ret |= __mptcp_ofo_queue(msk); + __mptcp_splice_receive_queue(sk); + mptcp_data_unlock(sk); +- mptcp_cleanup_rbuf(msk); + } + if (ret) + mptcp_check_data_fin((struct sock *)msk); +@@ -2216,9 +2210,6 @@ static void __mptcp_close_ssk(struct sock *sk, struct sock *ssk, + if (ssk == msk->last_snd) + msk->last_snd = NULL; + +- if (ssk == msk->ack_hint) +- msk->ack_hint = NULL; +- + if (ssk == msk->first) + msk->first = NULL; + +@@ -2433,7 +2424,6 @@ static int __mptcp_init_sock(struct sock *sk) + msk->tx_pending_data = 0; + msk->size_goal_cache = TCP_BASE_MSS; + +- msk->ack_hint = NULL; + msk->first = NULL; + inet_csk(sk)->icsk_sync_mss = mptcp_sync_mss; + +diff --git a/net/mptcp/protocol.h b/net/mptcp/protocol.h +index f74258377c05..f842c832f6b0 100644 +--- a/net/mptcp/protocol.h ++++ b/net/mptcp/protocol.h +@@ -236,7 +236,6 @@ struct mptcp_sock { + bool rcv_fastclose; + bool use_64bit_ack; /* Set when we received a 64-bit DSN */ + spinlock_t join_list_lock; +- struct sock *ack_hint; + struct work_struct work; + struct sk_buff *ooo_last_skb; + struct rb_root out_of_order_queue; +-- +2.30.2 + diff --git a/queue-5.13/mptcp-remove-redundant-req-destruct-in-subflow_check.patch b/queue-5.13/mptcp-remove-redundant-req-destruct-in-subflow_check.patch new file mode 100644 index 00000000000..a9d36196cf0 --- /dev/null +++ b/queue-5.13/mptcp-remove-redundant-req-destruct-in-subflow_check.patch @@ -0,0 +1,49 @@ +From 3e03e81c2dfd3661089f67a0a981b09e8a628982 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Jul 2021 17:20:47 -0700 +Subject: mptcp: remove redundant req destruct in subflow_check_req() + +From: Jianguo Wu + +[ Upstream commit 030d37bd1cd2443a1f21db47eb301899bfa45a2a ] + +In subflow_check_req(), if subflow sport is mismatch, will put msk, +destroy token, and destruct req, then return -EPERM, which can be +done by subflow_req_destructor() via: + + tcp_conn_request() + |--__reqsk_free() + |--subflow_req_destructor() + +So we should remove these redundant code, otherwise will call +tcp_v4_reqsk_destructor() twice, and may double free +inet_rsk(req)->ireq_opt. + +Fixes: 5bc56388c74f ("mptcp: add port number check for MP_JOIN") +Signed-off-by: Jianguo Wu +Signed-off-by: Mat Martineau +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/mptcp/subflow.c | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c +index cbc452d0901e..5493c851ca6c 100644 +--- a/net/mptcp/subflow.c ++++ b/net/mptcp/subflow.c +@@ -212,11 +212,6 @@ again: + ntohs(inet_sk(sk_listener)->inet_sport), + ntohs(inet_sk((struct sock *)subflow_req->msk)->inet_sport)); + if (!mptcp_pm_sport_in_anno_list(subflow_req->msk, sk_listener)) { +- sock_put((struct sock *)subflow_req->msk); +- mptcp_token_destroy_request(req); +- tcp_request_sock_ops.destructor(req); +- subflow_req->msk = NULL; +- subflow_req->mp_join = 0; + SUBFLOW_REQ_INC_STATS(req, MPTCP_MIB_MISMATCHPORTSYNRX); + return -EPERM; + } +-- +2.30.2 + diff --git a/queue-5.13/mptcp-use-fast-lock-for-subflows-when-possible.patch b/queue-5.13/mptcp-use-fast-lock-for-subflows-when-possible.patch new file mode 100644 index 00000000000..1c4145737f1 --- /dev/null +++ b/queue-5.13/mptcp-use-fast-lock-for-subflows-when-possible.patch @@ -0,0 +1,120 @@ +From d35c64c47e2e29662d3d18a400ee8a33ee74b617 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Jun 2021 15:54:34 -0700 +Subject: mptcp: use fast lock for subflows when possible + +From: Paolo Abeni + +[ Upstream commit 75e908c33615999abe1f3a8429d25dea30d28e4e ] + +There are a bunch of callsite where the ssk socket +lock is acquired using the full-blown version eligible for +the fast variant. Let's move to the latter. + +Signed-off-by: Paolo Abeni +Signed-off-by: Mat Martineau +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/mptcp/pm_netlink.c | 10 ++++++---- + net/mptcp/protocol.c | 15 +++++++++------ + 2 files changed, 15 insertions(+), 10 deletions(-) + +diff --git a/net/mptcp/pm_netlink.c b/net/mptcp/pm_netlink.c +index 3f5d90a20235..fce1d057d19e 100644 +--- a/net/mptcp/pm_netlink.c ++++ b/net/mptcp/pm_netlink.c +@@ -540,6 +540,7 @@ void mptcp_pm_nl_addr_send_ack(struct mptcp_sock *msk) + subflow = list_first_entry_or_null(&msk->conn_list, typeof(*subflow), node); + if (subflow) { + struct sock *ssk = mptcp_subflow_tcp_sock(subflow); ++ bool slow; + + spin_unlock_bh(&msk->pm.lock); + pr_debug("send ack for %s%s%s", +@@ -547,9 +548,9 @@ void mptcp_pm_nl_addr_send_ack(struct mptcp_sock *msk) + mptcp_pm_should_add_signal_ipv6(msk) ? " [ipv6]" : "", + mptcp_pm_should_add_signal_port(msk) ? " [port]" : ""); + +- lock_sock(ssk); ++ slow = lock_sock_fast(ssk); + tcp_send_ack(ssk); +- release_sock(ssk); ++ unlock_sock_fast(ssk, slow); + spin_lock_bh(&msk->pm.lock); + } + } +@@ -566,6 +567,7 @@ int mptcp_pm_nl_mp_prio_send_ack(struct mptcp_sock *msk, + struct sock *ssk = mptcp_subflow_tcp_sock(subflow); + struct sock *sk = (struct sock *)msk; + struct mptcp_addr_info local; ++ bool slow; + + local_address((struct sock_common *)ssk, &local); + if (!addresses_equal(&local, addr, addr->port)) +@@ -578,9 +580,9 @@ int mptcp_pm_nl_mp_prio_send_ack(struct mptcp_sock *msk, + + spin_unlock_bh(&msk->pm.lock); + pr_debug("send ack for mp_prio"); +- lock_sock(ssk); ++ slow = lock_sock_fast(ssk); + tcp_send_ack(ssk); +- release_sock(ssk); ++ unlock_sock_fast(ssk, slow); + spin_lock_bh(&msk->pm.lock); + + return 0; +diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c +index 8ead550df8b1..0f36fefcc77e 100644 +--- a/net/mptcp/protocol.c ++++ b/net/mptcp/protocol.c +@@ -424,23 +424,25 @@ static void mptcp_send_ack(struct mptcp_sock *msk) + + mptcp_for_each_subflow(msk, subflow) { + struct sock *ssk = mptcp_subflow_tcp_sock(subflow); ++ bool slow; + +- lock_sock(ssk); ++ slow = lock_sock_fast(ssk); + if (tcp_can_send_ack(ssk)) + tcp_send_ack(ssk); +- release_sock(ssk); ++ unlock_sock_fast(ssk, slow); + } + } + + static bool mptcp_subflow_cleanup_rbuf(struct sock *ssk) + { ++ bool slow; + int ret; + +- lock_sock(ssk); ++ slow = lock_sock_fast(ssk); + ret = tcp_can_send_ack(ssk); + if (ret) + tcp_cleanup_rbuf(ssk, 1); +- release_sock(ssk); ++ unlock_sock_fast(ssk, slow); + return ret; + } + +@@ -2288,13 +2290,14 @@ static void mptcp_check_fastclose(struct mptcp_sock *msk) + + list_for_each_entry_safe(subflow, tmp, &msk->conn_list, node) { + struct sock *tcp_sk = mptcp_subflow_tcp_sock(subflow); ++ bool slow; + +- lock_sock(tcp_sk); ++ slow = lock_sock_fast(tcp_sk); + if (tcp_sk->sk_state != TCP_CLOSE) { + tcp_send_active_reset(tcp_sk, GFP_ATOMIC); + tcp_set_state(tcp_sk, TCP_CLOSE); + } +- release_sock(tcp_sk); ++ unlock_sock_fast(tcp_sk, slow); + } + + inet_sk_state_store(sk, TCP_CLOSE); +-- +2.30.2 + diff --git a/queue-5.13/net-decnet-fix-sleeping-inside-in-af_decnet.patch b/queue-5.13/net-decnet-fix-sleeping-inside-in-af_decnet.patch new file mode 100644 index 00000000000..f9a8b0f544d --- /dev/null +++ b/queue-5.13/net-decnet-fix-sleeping-inside-in-af_decnet.patch @@ -0,0 +1,126 @@ +From e06c26f449e7a7b7a0ac82108d4bf3686a30e129 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jul 2021 17:13:20 +0800 +Subject: net: decnet: Fix sleeping inside in af_decnet + +From: Yajun Deng + +[ Upstream commit 5f119ba1d5771bbf46d57cff7417dcd84d3084ba ] + +The release_sock() is blocking function, it would change the state +after sleeping. use wait_woken() instead. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Yajun Deng +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/decnet/af_decnet.c | 27 ++++++++++++--------------- + 1 file changed, 12 insertions(+), 15 deletions(-) + +diff --git a/net/decnet/af_decnet.c b/net/decnet/af_decnet.c +index 5dbd45dc35ad..dc92a67baea3 100644 +--- a/net/decnet/af_decnet.c ++++ b/net/decnet/af_decnet.c +@@ -816,7 +816,7 @@ static int dn_auto_bind(struct socket *sock) + static int dn_confirm_accept(struct sock *sk, long *timeo, gfp_t allocation) + { + struct dn_scp *scp = DN_SK(sk); +- DEFINE_WAIT(wait); ++ DEFINE_WAIT_FUNC(wait, woken_wake_function); + int err; + + if (scp->state != DN_CR) +@@ -826,11 +826,11 @@ static int dn_confirm_accept(struct sock *sk, long *timeo, gfp_t allocation) + scp->segsize_loc = dst_metric_advmss(__sk_dst_get(sk)); + dn_send_conn_conf(sk, allocation); + +- prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE); ++ add_wait_queue(sk_sleep(sk), &wait); + for(;;) { + release_sock(sk); + if (scp->state == DN_CC) +- *timeo = schedule_timeout(*timeo); ++ *timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, *timeo); + lock_sock(sk); + err = 0; + if (scp->state == DN_RUN) +@@ -844,9 +844,8 @@ static int dn_confirm_accept(struct sock *sk, long *timeo, gfp_t allocation) + err = -EAGAIN; + if (!*timeo) + break; +- prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE); + } +- finish_wait(sk_sleep(sk), &wait); ++ remove_wait_queue(sk_sleep(sk), &wait); + if (err == 0) { + sk->sk_socket->state = SS_CONNECTED; + } else if (scp->state != DN_CC) { +@@ -858,7 +857,7 @@ static int dn_confirm_accept(struct sock *sk, long *timeo, gfp_t allocation) + static int dn_wait_run(struct sock *sk, long *timeo) + { + struct dn_scp *scp = DN_SK(sk); +- DEFINE_WAIT(wait); ++ DEFINE_WAIT_FUNC(wait, woken_wake_function); + int err = 0; + + if (scp->state == DN_RUN) +@@ -867,11 +866,11 @@ static int dn_wait_run(struct sock *sk, long *timeo) + if (!*timeo) + return -EALREADY; + +- prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE); ++ add_wait_queue(sk_sleep(sk), &wait); + for(;;) { + release_sock(sk); + if (scp->state == DN_CI || scp->state == DN_CC) +- *timeo = schedule_timeout(*timeo); ++ *timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, *timeo); + lock_sock(sk); + err = 0; + if (scp->state == DN_RUN) +@@ -885,9 +884,8 @@ static int dn_wait_run(struct sock *sk, long *timeo) + err = -ETIMEDOUT; + if (!*timeo) + break; +- prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE); + } +- finish_wait(sk_sleep(sk), &wait); ++ remove_wait_queue(sk_sleep(sk), &wait); + out: + if (err == 0) { + sk->sk_socket->state = SS_CONNECTED; +@@ -1032,16 +1030,16 @@ static void dn_user_copy(struct sk_buff *skb, struct optdata_dn *opt) + + static struct sk_buff *dn_wait_for_connect(struct sock *sk, long *timeo) + { +- DEFINE_WAIT(wait); ++ DEFINE_WAIT_FUNC(wait, woken_wake_function); + struct sk_buff *skb = NULL; + int err = 0; + +- prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE); ++ add_wait_queue(sk_sleep(sk), &wait); + for(;;) { + release_sock(sk); + skb = skb_dequeue(&sk->sk_receive_queue); + if (skb == NULL) { +- *timeo = schedule_timeout(*timeo); ++ *timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, *timeo); + skb = skb_dequeue(&sk->sk_receive_queue); + } + lock_sock(sk); +@@ -1056,9 +1054,8 @@ static struct sk_buff *dn_wait_for_connect(struct sock *sk, long *timeo) + err = -EAGAIN; + if (!*timeo) + break; +- prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE); + } +- finish_wait(sk_sleep(sk), &wait); ++ remove_wait_queue(sk_sleep(sk), &wait); + + return skb == NULL ? ERR_PTR(err) : skb; + } +-- +2.30.2 + diff --git a/queue-5.13/net-dsa-mv88e6xxx-net_dsa_mv88e6xxx_ptp-should-depen.patch b/queue-5.13/net-dsa-mv88e6xxx-net_dsa_mv88e6xxx_ptp-should-depen.patch new file mode 100644 index 00000000000..fbc6d592236 --- /dev/null +++ b/queue-5.13/net-dsa-mv88e6xxx-net_dsa_mv88e6xxx_ptp-should-depen.patch @@ -0,0 +1,44 @@ +From 3198103a756821b310008b12b8b12c637854aef0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jul 2021 11:58:12 +0200 +Subject: net: dsa: mv88e6xxx: NET_DSA_MV88E6XXX_PTP should depend on + NET_DSA_MV88E6XXX + +From: Geert Uytterhoeven + +[ Upstream commit 99bb2ebab953435852340cdb198c5abbf0bb5dd3 ] + +Making global2 support mandatory removed the Kconfig symbol +NET_DSA_MV88E6XXX_GLOBAL2. This symbol also served as an intermediate +symbol to make NET_DSA_MV88E6XXX_PTP depend on NET_DSA_MV88E6XXX. With +the symbol removed, the user is always asked about PTP support for +Marvell 88E6xxx switches, even if the latter support is not enabled. + +Fix this by reinstating the dependency. + +Fixes: 63368a7416df144b ("net: dsa: mv88e6xxx: Make global2 support mandatory") +Signed-off-by: Geert Uytterhoeven +Reviewed-by: Andrew Lunn +Reviewed-by: Vladimir Oltean +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/mv88e6xxx/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/dsa/mv88e6xxx/Kconfig b/drivers/net/dsa/mv88e6xxx/Kconfig +index 05af632b0f59..634a48e6616b 100644 +--- a/drivers/net/dsa/mv88e6xxx/Kconfig ++++ b/drivers/net/dsa/mv88e6xxx/Kconfig +@@ -12,7 +12,7 @@ config NET_DSA_MV88E6XXX + config NET_DSA_MV88E6XXX_PTP + bool "PTP support for Marvell 88E6xxx" + default n +- depends on PTP_1588_CLOCK ++ depends on NET_DSA_MV88E6XXX && PTP_1588_CLOCK + help + Say Y to enable PTP hardware timestamping on Marvell 88E6xxx switch + chips that support it. +-- +2.30.2 + diff --git a/queue-5.13/net-dsa-sja1105-make-vid-4095-a-bridge-vlan-too.patch b/queue-5.13/net-dsa-sja1105-make-vid-4095-a-bridge-vlan-too.patch new file mode 100644 index 00000000000..627755d0732 --- /dev/null +++ b/queue-5.13/net-dsa-sja1105-make-vid-4095-a-bridge-vlan-too.patch @@ -0,0 +1,103 @@ +From 2ce1a71e4b702f549b39b2de4f7791581a894cbb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jul 2021 15:37:59 +0300 +Subject: net: dsa: sja1105: make VID 4095 a bridge VLAN too + +From: Vladimir Oltean + +[ Upstream commit e40cba9490bab1414d45c2d62defc0ad4f6e4136 ] + +This simple series of commands: + +ip link add br0 type bridge vlan_filtering 1 +ip link set swp0 master br0 + +fails on sja1105 with the following error: +[ 33.439103] sja1105 spi0.1: vlan-lookup-table needs to have at least the default untagged VLAN +[ 33.447710] sja1105 spi0.1: Invalid config, cannot upload +Warning: sja1105: Failed to change VLAN Ethertype. + +For context, sja1105 has 3 operating modes: +- SJA1105_VLAN_UNAWARE: the dsa_8021q_vlans are committed to hardware +- SJA1105_VLAN_FILTERING_FULL: the bridge_vlans are committed to hardware +- SJA1105_VLAN_FILTERING_BEST_EFFORT: both the dsa_8021q_vlans and the + bridge_vlans are committed to hardware + +Swapping out a VLAN list and another in happens in +sja1105_build_vlan_table(), which performs a delta update procedure. +That function is called from a few places, notably from +sja1105_vlan_filtering() which is called from the +SWITCHDEV_ATTR_ID_BRIDGE_VLAN_FILTERING handler. + +The above set of 2 commands fails when run on a kernel pre-commit +8841f6e63f2c ("net: dsa: sja1105: make devlink property +best_effort_vlan_filtering true by default"). So the priv->vlan_state +transition that takes place is between VLAN-unaware and full VLAN +filtering. So the dsa_8021q_vlans are swapped out and the bridge_vlans +are swapped in. + +So why does it fail? + +Well, the bridge driver, through nbp_vlan_init(), first sets up the +SWITCHDEV_ATTR_ID_BRIDGE_VLAN_FILTERING attribute, and only then +proceeds to call nbp_vlan_add for the default_pvid. + +So when we swap out the dsa_8021q_vlans and swap in the bridge_vlans in +the SWITCHDEV_ATTR_ID_BRIDGE_VLAN_FILTERING handler, there are no bridge +VLANs (yet). So we have wiped the VLAN table clean, and the low-level +static config checker complains of an invalid configuration. We _will_ +add the bridge VLANs using the dynamic config interface, albeit later, +when nbp_vlan_add() calls us. So it is natural that it fails. + +So why did it ever work? + +Surprisingly, it looks like I only tested this configuration with 2 +things set up in a particular way: +- a network manager that brings all ports up +- a kernel with CONFIG_VLAN_8021Q=y + +It is widely known that commit ad1afb003939 ("vlan_dev: VLAN 0 should be +treated as "no vlan tag" (802.1p packet)") installs VID 0 to every net +device that comes up. DSA treats these VLANs as bridge VLANs, and +therefore, in my testing, the list of bridge_vlans was never empty. + +However, if CONFIG_VLAN_8021Q is not enabled, or the port is not up when +it joins a VLAN-aware bridge, the bridge_vlans list will be temporarily +empty, and the sja1105_static_config_reload() call from +sja1105_vlan_filtering() will fail. + +To fix this, the simplest thing is to keep VID 4095, the one used for +CPU-injected control packets since commit ed040abca4c1 ("net: dsa: +sja1105: use 4095 as the private VLAN for untagged traffic"), in the +list of bridge VLANs too, not just the list of tag_8021q VLANs. This +ensures that the list of bridge VLANs will never be empty. + +Fixes: ec5ae61076d0 ("net: dsa: sja1105: save/restore VLANs using a delta commit method") +Reported-by: Radu Pirea (NXP OSS) +Signed-off-by: Vladimir Oltean +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/sja1105/sja1105_main.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/dsa/sja1105/sja1105_main.c b/drivers/net/dsa/sja1105/sja1105_main.c +index ebe4d33cda27..6e5dbe9f3892 100644 +--- a/drivers/net/dsa/sja1105/sja1105_main.c ++++ b/drivers/net/dsa/sja1105/sja1105_main.c +@@ -378,6 +378,12 @@ static int sja1105_init_static_vlan(struct sja1105_private *priv) + if (dsa_is_cpu_port(ds, port)) + v->pvid = true; + list_add(&v->list, &priv->dsa_8021q_vlans); ++ ++ v = kmemdup(v, sizeof(*v), GFP_KERNEL); ++ if (!v) ++ return -ENOMEM; ++ ++ list_add(&v->list, &priv->bridge_vlans); + } + + ((struct sja1105_vlan_lookup_entry *)table->entries)[0] = pvid; +-- +2.30.2 + diff --git a/queue-5.13/net-fix-uninit-value-in-caif_seqpkt_sendmsg.patch b/queue-5.13/net-fix-uninit-value-in-caif_seqpkt_sendmsg.patch new file mode 100644 index 00000000000..a749e6b2de8 --- /dev/null +++ b/queue-5.13/net-fix-uninit-value-in-caif_seqpkt_sendmsg.patch @@ -0,0 +1,57 @@ +From 8e6e76aec9dfc1d7313302c7cc170ee44d648178 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jul 2021 20:22:04 +0800 +Subject: net: fix uninit-value in caif_seqpkt_sendmsg + +From: Ziyang Xuan + +[ Upstream commit 991e634360f2622a683b48dfe44fe6d9cb765a09 ] + +When nr_segs equal to zero in iovec_from_user, the object +msg->msg_iter.iov is uninit stack memory in caif_seqpkt_sendmsg +which is defined in ___sys_sendmsg. So we cann't just judge +msg->msg_iter.iov->base directlly. We can use nr_segs to judge +msg in caif_seqpkt_sendmsg whether has data buffers. + +===================================================== +BUG: KMSAN: uninit-value in caif_seqpkt_sendmsg+0x693/0xf60 net/caif/caif_socket.c:542 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x1c9/0x220 lib/dump_stack.c:118 + kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118 + __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215 + caif_seqpkt_sendmsg+0x693/0xf60 net/caif/caif_socket.c:542 + sock_sendmsg_nosec net/socket.c:652 [inline] + sock_sendmsg net/socket.c:672 [inline] + ____sys_sendmsg+0x12b6/0x1350 net/socket.c:2343 + ___sys_sendmsg net/socket.c:2397 [inline] + __sys_sendmmsg+0x808/0xc90 net/socket.c:2480 + __compat_sys_sendmmsg net/compat.c:656 [inline] + +Reported-by: syzbot+09a5d591c1f98cf5efcb@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?id=1ace85e8fc9b0d5a45c08c2656c3e91762daa9b8 +Fixes: bece7b2398d0 ("caif: Rewritten socket implementation") +Signed-off-by: Ziyang Xuan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/caif/caif_socket.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c +index 3ad0a1df6712..9d26c5e9da05 100644 +--- a/net/caif/caif_socket.c ++++ b/net/caif/caif_socket.c +@@ -539,7 +539,8 @@ static int caif_seqpkt_sendmsg(struct socket *sock, struct msghdr *msg, + goto err; + + ret = -EINVAL; +- if (unlikely(msg->msg_iter.iov->iov_base == NULL)) ++ if (unlikely(msg->msg_iter.nr_segs == 0) || ++ unlikely(msg->msg_iter.iov->iov_base == NULL)) + goto err; + noblock = msg->msg_flags & MSG_DONTWAIT; + +-- +2.30.2 + diff --git a/queue-5.13/net-hisilicon-rename-cache_line_mask-to-avoid-redefi.patch b/queue-5.13/net-hisilicon-rename-cache_line_mask-to-avoid-redefi.patch new file mode 100644 index 00000000000..67282827bb9 --- /dev/null +++ b/queue-5.13/net-hisilicon-rename-cache_line_mask-to-avoid-redefi.patch @@ -0,0 +1,62 @@ +From 5a1813dbcef53a4db8b30ff3745d3feb08de5694 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Jul 2021 13:38:34 -0700 +Subject: net: hisilicon: rename CACHE_LINE_MASK to avoid redefinition + +From: Randy Dunlap + +[ Upstream commit b16f3299ae1aa3c327e1fb742d0379ae4d6e86f2 ] + +Building on ARCH=arc causes a "redefined" warning, so rename this +driver's CACHE_LINE_MASK to avoid the warning. + +../drivers/net/ethernet/hisilicon/hip04_eth.c:134: warning: "CACHE_LINE_MASK" redefined + 134 | #define CACHE_LINE_MASK 0x3F +In file included from ../include/linux/cache.h:6, + from ../include/linux/printk.h:9, + from ../include/linux/kernel.h:19, + from ../include/linux/list.h:9, + from ../include/linux/module.h:12, + from ../drivers/net/ethernet/hisilicon/hip04_eth.c:7: +../arch/arc/include/asm/cache.h:17: note: this is the location of the previous definition + 17 | #define CACHE_LINE_MASK (~(L1_CACHE_BYTES - 1)) + +Fixes: d413779cdd93 ("net: hisilicon: Add an tx_desc to adapt HI13X1_GMAC") +Signed-off-by: Randy Dunlap +Cc: Vineet Gupta +Cc: Jiangfeng Xiao +Cc: "David S. Miller" +Cc: Jakub Kicinski +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hip04_eth.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/hisilicon/hip04_eth.c b/drivers/net/ethernet/hisilicon/hip04_eth.c +index 12f6c2442a7a..e53512f6878a 100644 +--- a/drivers/net/ethernet/hisilicon/hip04_eth.c ++++ b/drivers/net/ethernet/hisilicon/hip04_eth.c +@@ -131,7 +131,7 @@ + /* buf unit size is cache_line_size, which is 64, so the shift is 6 */ + #define PPE_BUF_SIZE_SHIFT 6 + #define PPE_TX_BUF_HOLD BIT(31) +-#define CACHE_LINE_MASK 0x3F ++#define SOC_CACHE_LINE_MASK 0x3F + #else + #define PPE_CFG_QOS_VMID_GRP_SHIFT 8 + #define PPE_CFG_RX_CTRL_ALIGN_SHIFT 11 +@@ -531,8 +531,8 @@ hip04_mac_start_xmit(struct sk_buff *skb, struct net_device *ndev) + #if defined(CONFIG_HI13X1_GMAC) + desc->cfg = (__force u32)cpu_to_be32(TX_CLEAR_WB | TX_FINISH_CACHE_INV + | TX_RELEASE_TO_PPE | priv->port << TX_POOL_SHIFT); +- desc->data_offset = (__force u32)cpu_to_be32(phys & CACHE_LINE_MASK); +- desc->send_addr = (__force u32)cpu_to_be32(phys & ~CACHE_LINE_MASK); ++ desc->data_offset = (__force u32)cpu_to_be32(phys & SOC_CACHE_LINE_MASK); ++ desc->send_addr = (__force u32)cpu_to_be32(phys & ~SOC_CACHE_LINE_MASK); + #else + desc->cfg = (__force u32)cpu_to_be32(TX_CLEAR_WB | TX_FINISH_CACHE_INV); + desc->send_addr = (__force u32)cpu_to_be32(phys); +-- +2.30.2 + diff --git a/queue-5.13/net-hns3-fix-possible-mismatches-resp-of-mailbox.patch b/queue-5.13/net-hns3-fix-possible-mismatches-resp-of-mailbox.patch new file mode 100644 index 00000000000..dc51a66d614 --- /dev/null +++ b/queue-5.13/net-hns3-fix-possible-mismatches-resp-of-mailbox.patch @@ -0,0 +1,86 @@ +From 9703afa7b479d08ac472e38cf7683d83d1844ea2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jul 2021 17:13:05 +0800 +Subject: net: hns3: fix possible mismatches resp of mailbox + +From: Chengwen Feng + +[ Upstream commit 1b713d14dc3c077ec45e65dab4ea01a8bc41b8c1 ] + +Currently, the mailbox synchronous communication between VF and PF use +the following fields to maintain communication: +1. Origin_mbx_msg which was combined by message code and subcode, used +to match request and response. +2. Received_resp which means whether received response. + +There may possible mismatches of the following situation: +1. VF sends message A with code=1 subcode=1. +2. PF was blocked about 500ms when processing the message A. +3. VF will detect message A timeout because it can't get the response +within 500ms. +4. VF sends message B with code=1 subcode=1 which equal message A. +5. PF processes the first message A and send the response message to +VF. +6. VF will identify the response matched the message B because the +code/subcode is the same. This will lead to mismatch of request and +response. + +To fix the above bug, we use the following scheme: +1. The message sent from VF was labelled with match_id which was a +unique 16-bit non-zero value. +2. The response sent from PF will label with match_id which got from +the request. +3. The VF uses the match_id to match request and response message. + +As for PF driver, it only needs to copy the match_id from request to +response. + +Fixes: dde1a86e93ca ("net: hns3: Add mailbox support to PF driver") +Signed-off-by: Chengwen Feng +Signed-off-by: Guangbin Huang +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hclge_mbx.h | 6 ++++-- + drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c | 1 + + 2 files changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hclge_mbx.h b/drivers/net/ethernet/hisilicon/hns3/hclge_mbx.h +index a2c17af57fde..d283beec9f66 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hclge_mbx.h ++++ b/drivers/net/ethernet/hisilicon/hns3/hclge_mbx.h +@@ -135,7 +135,8 @@ struct hclge_mbx_vf_to_pf_cmd { + u8 mbx_need_resp; + u8 rsv1[1]; + u8 msg_len; +- u8 rsv2[3]; ++ u8 rsv2; ++ u16 match_id; + struct hclge_vf_to_pf_msg msg; + }; + +@@ -145,7 +146,8 @@ struct hclge_mbx_pf_to_vf_cmd { + u8 dest_vfid; + u8 rsv[3]; + u8 msg_len; +- u8 rsv1[3]; ++ u8 rsv1; ++ u16 match_id; + struct hclge_pf_to_vf_msg msg; + }; + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c +index f1c9f4ada348..38b601031db4 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c +@@ -47,6 +47,7 @@ static int hclge_gen_resp_to_vf(struct hclge_vport *vport, + + resp_pf_to_vf->dest_vfid = vf_to_pf_req->mbx_src_vfid; + resp_pf_to_vf->msg_len = vf_to_pf_req->msg_len; ++ resp_pf_to_vf->match_id = vf_to_pf_req->match_id; + + resp_pf_to_vf->msg.code = HCLGE_MBX_PF_VF_RESP; + resp_pf_to_vf->msg.vf_mbx_msg_code = vf_to_pf_req->msg.code; +-- +2.30.2 + diff --git a/queue-5.13/net-hns3-fix-rx-vlan-offload-state-inconsistent-issu.patch b/queue-5.13/net-hns3-fix-rx-vlan-offload-state-inconsistent-issu.patch new file mode 100644 index 00000000000..27b2156e18a --- /dev/null +++ b/queue-5.13/net-hns3-fix-rx-vlan-offload-state-inconsistent-issu.patch @@ -0,0 +1,50 @@ +From 44d5336842732c60ce9b01337e2747ce7020b988 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jul 2021 17:13:08 +0800 +Subject: net: hns3: fix rx VLAN offload state inconsistent issue + +From: Jian Shen + +[ Upstream commit bbfd4506f962e7e6fff8f37f017154a3c3791264 ] + +Currently, VF doesn't enable rx VLAN offload when initializating, +and PF does it for VFs. If user disable the rx VLAN offload for +VF with ethtool -K, and reload the VF driver, it may cause the +rx VLAN offload state being inconsistent between hardware and +software. + +Fixes it by enabling rx VLAN offload when VF initializing. + +Fixes: e2cb1dec9779 ("net: hns3: Add HNS3 VF HCL(Hardware Compatibility Layer) Support") +Signed-off-by: Jian Shen +Signed-off-by: Guangbin Huang +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c +index 0db51ef15ef6..fe03c8419890 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c +@@ -2621,6 +2621,16 @@ static int hclgevf_rss_init_hw(struct hclgevf_dev *hdev) + + static int hclgevf_init_vlan_config(struct hclgevf_dev *hdev) + { ++ struct hnae3_handle *nic = &hdev->nic; ++ int ret; ++ ++ ret = hclgevf_en_hw_strip_rxvtag(nic, true); ++ if (ret) { ++ dev_err(&hdev->pdev->dev, ++ "failed to enable rx vlan offload, ret = %d\n", ret); ++ return ret; ++ } ++ + return hclgevf_set_vlan_filter(&hdev->nic, htons(ETH_P_8021Q), 0, + false); + } +-- +2.30.2 + diff --git a/queue-5.13/net-ocelot-fix-switchdev-objects-synced-for-wrong-ne.patch b/queue-5.13/net-ocelot-fix-switchdev-objects-synced-for-wrong-ne.patch new file mode 100644 index 00000000000..c84ab021b30 --- /dev/null +++ b/queue-5.13/net-ocelot-fix-switchdev-objects-synced-for-wrong-ne.patch @@ -0,0 +1,72 @@ +From cb8509f365a30c31fa03133b4dd95922e02cce5e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jul 2021 12:33:50 +0300 +Subject: net: ocelot: fix switchdev objects synced for wrong netdev with LAG + offload + +From: Vladimir Oltean + +[ Upstream commit e56c6bbd98dc1cefb6f9c5d795fd29016e4f2fe7 ] + +The point with a *dev and a *brport_dev is that when we have a LAG net +device that is a bridge port, *dev is an ocelot net device and +*brport_dev is the bonding/team net device. The ocelot net device +beneath the LAG does not exist from the bridge's perspective, so we need +to sync the switchdev objects belonging to the brport_dev and not to the +dev. + +Fixes: e4bd44e89dcf ("net: ocelot: replay switchdev events when joining bridge") +Signed-off-by: Vladimir Oltean +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mscc/ocelot_net.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/mscc/ocelot_net.c b/drivers/net/ethernet/mscc/ocelot_net.c +index aad33d22c33f..3dc577183a40 100644 +--- a/drivers/net/ethernet/mscc/ocelot_net.c ++++ b/drivers/net/ethernet/mscc/ocelot_net.c +@@ -1287,6 +1287,7 @@ static int ocelot_netdevice_lag_leave(struct net_device *dev, + } + + static int ocelot_netdevice_changeupper(struct net_device *dev, ++ struct net_device *brport_dev, + struct netdev_notifier_changeupper_info *info) + { + struct netlink_ext_ack *extack; +@@ -1296,11 +1297,11 @@ static int ocelot_netdevice_changeupper(struct net_device *dev, + + if (netif_is_bridge_master(info->upper_dev)) { + if (info->linking) +- err = ocelot_netdevice_bridge_join(dev, dev, ++ err = ocelot_netdevice_bridge_join(dev, brport_dev, + info->upper_dev, + extack); + else +- err = ocelot_netdevice_bridge_leave(dev, dev, ++ err = ocelot_netdevice_bridge_leave(dev, brport_dev, + info->upper_dev); + } + if (netif_is_lag_master(info->upper_dev)) { +@@ -1335,7 +1336,7 @@ ocelot_netdevice_lag_changeupper(struct net_device *dev, + if (ocelot_port->bond != dev) + return NOTIFY_OK; + +- err = ocelot_netdevice_changeupper(lower, info); ++ err = ocelot_netdevice_changeupper(lower, dev, info); + if (err) + return notifier_from_errno(err); + } +@@ -1374,7 +1375,7 @@ static int ocelot_netdevice_event(struct notifier_block *unused, + struct netdev_notifier_changeupper_info *info = ptr; + + if (ocelot_netdevice_dev_check(dev)) +- return ocelot_netdevice_changeupper(dev, info); ++ return ocelot_netdevice_changeupper(dev, dev, info); + + if (netif_is_lag_master(dev)) + return ocelot_netdevice_lag_changeupper(dev, info); +-- +2.30.2 + diff --git a/queue-5.13/net-phy-marvell10g-fix-differentiation-of-88x3310-fr.patch b/queue-5.13/net-phy-marvell10g-fix-differentiation-of-88x3310-fr.patch new file mode 100644 index 00000000000..55daf1e9979 --- /dev/null +++ b/queue-5.13/net-phy-marvell10g-fix-differentiation-of-88x3310-fr.patch @@ -0,0 +1,132 @@ +From dbe1079d0d2698e54884986a4a5d156ceef654cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 11 Jul 2021 18:38:15 +0200 +Subject: net: phy: marvell10g: fix differentiation of 88X3310 from 88X3340 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Marek Behún + +[ Upstream commit a5de4be0aaaa66a2fa98e8a33bdbed3bd0682804 ] + +It seems that we cannot differentiate 88X3310 from 88X3340 by simply +looking at bit 3 of revision ID. This only works on revisions A0 and A1. +On revision B0, this bit is always 1. + +Instead use the 3.d00d register for differentiation, since this register +contains information about number of ports on the device. + +Fixes: 9885d016ffa9 ("net: phy: marvell10g: add separate structure for 88X3340") +Signed-off-by: Marek Behún +Reported-by: Matteo Croce +Tested-by: Matteo Croce +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/phy/marvell10g.c | 40 +++++++++++++++++++++++++++++++----- + include/linux/marvell_phy.h | 6 +----- + 2 files changed, 36 insertions(+), 10 deletions(-) + +diff --git a/drivers/net/phy/marvell10g.c b/drivers/net/phy/marvell10g.c +index bbbc6ac8fa82..53a433442803 100644 +--- a/drivers/net/phy/marvell10g.c ++++ b/drivers/net/phy/marvell10g.c +@@ -78,6 +78,11 @@ enum { + /* Temperature read register (88E2110 only) */ + MV_PCS_TEMP = 0x8042, + ++ /* Number of ports on the device */ ++ MV_PCS_PORT_INFO = 0xd00d, ++ MV_PCS_PORT_INFO_NPORTS_MASK = 0x0380, ++ MV_PCS_PORT_INFO_NPORTS_SHIFT = 7, ++ + /* These registers appear at 0x800X and 0xa00X - the 0xa00X control + * registers appear to set themselves to the 0x800X when AN is + * restarted, but status registers appear readable from either. +@@ -966,6 +971,30 @@ static const struct mv3310_chip mv2111_type = { + #endif + }; + ++static int mv3310_get_number_of_ports(struct phy_device *phydev) ++{ ++ int ret; ++ ++ ret = phy_read_mmd(phydev, MDIO_MMD_PCS, MV_PCS_PORT_INFO); ++ if (ret < 0) ++ return ret; ++ ++ ret &= MV_PCS_PORT_INFO_NPORTS_MASK; ++ ret >>= MV_PCS_PORT_INFO_NPORTS_SHIFT; ++ ++ return ret + 1; ++} ++ ++static int mv3310_match_phy_device(struct phy_device *phydev) ++{ ++ return mv3310_get_number_of_ports(phydev) == 1; ++} ++ ++static int mv3340_match_phy_device(struct phy_device *phydev) ++{ ++ return mv3310_get_number_of_ports(phydev) == 4; ++} ++ + static int mv211x_match_phy_device(struct phy_device *phydev, bool has_5g) + { + int val; +@@ -994,7 +1023,8 @@ static int mv2111_match_phy_device(struct phy_device *phydev) + static struct phy_driver mv3310_drivers[] = { + { + .phy_id = MARVELL_PHY_ID_88X3310, +- .phy_id_mask = MARVELL_PHY_ID_88X33X0_MASK, ++ .phy_id_mask = MARVELL_PHY_ID_MASK, ++ .match_phy_device = mv3310_match_phy_device, + .name = "mv88x3310", + .driver_data = &mv3310_type, + .get_features = mv3310_get_features, +@@ -1011,8 +1041,9 @@ static struct phy_driver mv3310_drivers[] = { + .set_loopback = genphy_c45_loopback, + }, + { +- .phy_id = MARVELL_PHY_ID_88X3340, +- .phy_id_mask = MARVELL_PHY_ID_88X33X0_MASK, ++ .phy_id = MARVELL_PHY_ID_88X3310, ++ .phy_id_mask = MARVELL_PHY_ID_MASK, ++ .match_phy_device = mv3340_match_phy_device, + .name = "mv88x3340", + .driver_data = &mv3340_type, + .get_features = mv3310_get_features, +@@ -1069,8 +1100,7 @@ static struct phy_driver mv3310_drivers[] = { + module_phy_driver(mv3310_drivers); + + static struct mdio_device_id __maybe_unused mv3310_tbl[] = { +- { MARVELL_PHY_ID_88X3310, MARVELL_PHY_ID_88X33X0_MASK }, +- { MARVELL_PHY_ID_88X3340, MARVELL_PHY_ID_88X33X0_MASK }, ++ { MARVELL_PHY_ID_88X3310, MARVELL_PHY_ID_MASK }, + { MARVELL_PHY_ID_88E2110, MARVELL_PHY_ID_MASK }, + { }, + }; +diff --git a/include/linux/marvell_phy.h b/include/linux/marvell_phy.h +index acee44b9db26..0f06c2287b52 100644 +--- a/include/linux/marvell_phy.h ++++ b/include/linux/marvell_phy.h +@@ -22,14 +22,10 @@ + #define MARVELL_PHY_ID_88E1545 0x01410ea0 + #define MARVELL_PHY_ID_88E1548P 0x01410ec0 + #define MARVELL_PHY_ID_88E3016 0x01410e60 ++#define MARVELL_PHY_ID_88X3310 0x002b09a0 + #define MARVELL_PHY_ID_88E2110 0x002b09b0 + #define MARVELL_PHY_ID_88X2222 0x01410f10 + +-/* PHY IDs and mask for Alaska 10G PHYs */ +-#define MARVELL_PHY_ID_88X33X0_MASK 0xfffffff8 +-#define MARVELL_PHY_ID_88X3310 0x002b09a0 +-#define MARVELL_PHY_ID_88X3340 0x002b09a8 +- + /* Marvel 88E1111 in Finisar SFP module with modified PHY ID */ + #define MARVELL_PHY_ID_88E1111_FINISAR 0x01ff0cc0 + +-- +2.30.2 + diff --git a/queue-5.13/net-sched-act_skbmod-skip-non-ethernet-packets.patch b/queue-5.13/net-sched-act_skbmod-skip-non-ethernet-packets.patch new file mode 100644 index 00000000000..b98ecfefbbd --- /dev/null +++ b/queue-5.13/net-sched-act_skbmod-skip-non-ethernet-packets.patch @@ -0,0 +1,70 @@ +From 5c04a1c8f4da7661eb294b8800266537bcf9f359 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jul 2021 16:41:24 -0700 +Subject: net/sched: act_skbmod: Skip non-Ethernet packets + +From: Peilin Ye + +[ Upstream commit 727d6a8b7ef3d25080fad228b2c4a1d4da5999c6 ] + +Currently tcf_skbmod_act() assumes that packets use Ethernet as their L2 +protocol, which is not always the case. As an example, for CAN devices: + + $ ip link add dev vcan0 type vcan + $ ip link set up vcan0 + $ tc qdisc add dev vcan0 root handle 1: htb + $ tc filter add dev vcan0 parent 1: protocol ip prio 10 \ + matchall action skbmod swap mac + +Doing the above silently corrupts all the packets. Do not perform skbmod +actions for non-Ethernet packets. + +Fixes: 86da71b57383 ("net_sched: Introduce skbmod action") +Reviewed-by: Cong Wang +Signed-off-by: Peilin Ye +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sched/act_skbmod.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/net/sched/act_skbmod.c b/net/sched/act_skbmod.c +index 81a1c67335be..8d17a543cc9f 100644 +--- a/net/sched/act_skbmod.c ++++ b/net/sched/act_skbmod.c +@@ -6,6 +6,7 @@ + */ + + #include ++#include + #include + #include + #include +@@ -33,6 +34,13 @@ static int tcf_skbmod_act(struct sk_buff *skb, const struct tc_action *a, + tcf_lastuse_update(&d->tcf_tm); + bstats_cpu_update(this_cpu_ptr(d->common.cpu_bstats), skb); + ++ action = READ_ONCE(d->tcf_action); ++ if (unlikely(action == TC_ACT_SHOT)) ++ goto drop; ++ ++ if (!skb->dev || skb->dev->type != ARPHRD_ETHER) ++ return action; ++ + /* XXX: if you are going to edit more fields beyond ethernet header + * (example when you add IP header replacement or vlan swap) + * then MAX_EDIT_LEN needs to change appropriately +@@ -41,10 +49,6 @@ static int tcf_skbmod_act(struct sk_buff *skb, const struct tc_action *a, + if (unlikely(err)) /* best policy is to drop on the floor */ + goto drop; + +- action = READ_ONCE(d->tcf_action); +- if (unlikely(action == TC_ACT_SHOT)) +- goto drop; +- + p = rcu_dereference_bh(d->skbmod_p); + flags = p->flags; + if (flags & SKBMOD_F_DMAC) +-- +2.30.2 + diff --git a/queue-5.13/net-sched-cls_api-fix-the-the-wrong-parameter.patch b/queue-5.13/net-sched-cls_api-fix-the-the-wrong-parameter.patch new file mode 100644 index 00000000000..1251f4d5401 --- /dev/null +++ b/queue-5.13/net-sched-cls_api-fix-the-the-wrong-parameter.patch @@ -0,0 +1,36 @@ +From 5d15445b146fcb6b672278d37478b6c6baa819c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Jul 2021 11:23:43 +0800 +Subject: net: sched: cls_api: Fix the the wrong parameter + +From: Yajun Deng + +[ Upstream commit 9d85a6f44bd5585761947f40f7821c9cd78a1bbe ] + +The 4th parameter in tc_chain_notify() should be flags rather than seq. +Let's change it back correctly. + +Fixes: 32a4f5ecd738 ("net: sched: introduce chain object to uapi") +Signed-off-by: Yajun Deng +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sched/cls_api.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c +index d73b5c5514a9..e3e79e9bd706 100644 +--- a/net/sched/cls_api.c ++++ b/net/sched/cls_api.c +@@ -2904,7 +2904,7 @@ replay: + break; + case RTM_GETCHAIN: + err = tc_chain_notify(chain, skb, n->nlmsg_seq, +- n->nlmsg_seq, n->nlmsg_type, true); ++ n->nlmsg_flags, n->nlmsg_type, true); + if (err < 0) + NL_SET_ERR_MSG(extack, "Failed to send chain notify message"); + break; +-- +2.30.2 + diff --git a/queue-5.13/net-sched-fix-memory-leak-in-tcindex_partial_destroy.patch b/queue-5.13/net-sched-fix-memory-leak-in-tcindex_partial_destroy.patch new file mode 100644 index 00000000000..c4eb9e9c490 --- /dev/null +++ b/queue-5.13/net-sched-fix-memory-leak-in-tcindex_partial_destroy.patch @@ -0,0 +1,52 @@ +From 573a4767480bab63ac5b13e43f393ee79269e900 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 17 Jul 2021 14:29:33 +0300 +Subject: net: sched: fix memory leak in tcindex_partial_destroy_work + +From: Pavel Skripkin + +[ Upstream commit f5051bcece50140abd1a11a2d36dc3ec5484fc32 ] + +Syzbot reported memory leak in tcindex_set_parms(). The problem was in +non-freed perfect hash in tcindex_partial_destroy_work(). + +In tcindex_set_parms() new tcindex_data is allocated and some fields from +old one are copied to new one, but not the perfect hash. Since +tcindex_partial_destroy_work() is the destroy function for old +tcindex_data, we need to free perfect hash to avoid memory leak. + +Reported-and-tested-by: syzbot+f0bbb2287b8993d4fa74@syzkaller.appspotmail.com +Fixes: 331b72922c5f ("net: sched: RCU cls_tcindex") +Signed-off-by: Pavel Skripkin +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sched/cls_tcindex.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/net/sched/cls_tcindex.c b/net/sched/cls_tcindex.c +index 5b274534264c..e9a8a2c86bbd 100644 +--- a/net/sched/cls_tcindex.c ++++ b/net/sched/cls_tcindex.c +@@ -278,6 +278,8 @@ static int tcindex_filter_result_init(struct tcindex_filter_result *r, + TCA_TCINDEX_POLICE); + } + ++static void tcindex_free_perfect_hash(struct tcindex_data *cp); ++ + static void tcindex_partial_destroy_work(struct work_struct *work) + { + struct tcindex_data *p = container_of(to_rcu_work(work), +@@ -285,7 +287,8 @@ static void tcindex_partial_destroy_work(struct work_struct *work) + rwork); + + rtnl_lock(); +- kfree(p->perfect); ++ if (p->perfect) ++ tcindex_free_perfect_hash(p); + kfree(p); + rtnl_unlock(); + } +-- +2.30.2 + diff --git a/queue-5.13/net-stmmac-terminate-fpe-workqueue-in-suspend.patch b/queue-5.13/net-stmmac-terminate-fpe-workqueue-in-suspend.patch new file mode 100644 index 00000000000..97b393997ec --- /dev/null +++ b/queue-5.13/net-stmmac-terminate-fpe-workqueue-in-suspend.patch @@ -0,0 +1,37 @@ +From 1554660dae2c8fc91d61e926876bcaaa3327fb60 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Jun 2021 17:59:35 +0800 +Subject: net: stmmac: Terminate FPE workqueue in suspend + +From: Mohammad Athari Bin Ismail + +[ Upstream commit 6b28a86d6c0bb02119f386ec2f56efde909e9bcb ] + +Add stmmac_fpe_stop_wq() in stmmac_suspend() to terminate FPE workqueue +during suspend. So, in suspend mode, there will be no FPE workqueue +available. Without this fix, new additional FPE workqueue will be created +in every suspend->resume cycle. + +Fixes: 5a5586112b92 ("net: stmmac: support FPE link partner hand-shaking procedure") +Signed-off-by: Mohammad Athari Bin Ismail +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +index 91cd5073ddb2..980a60477b02 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -7170,6 +7170,7 @@ int stmmac_suspend(struct device *dev) + priv->plat->rx_queues_to_use, false); + + stmmac_fpe_handshake(priv, false); ++ stmmac_fpe_stop_wq(priv); + } + + priv->speed = SPEED_UNKNOWN; +-- +2.30.2 + diff --git a/queue-5.13/net-tcp_fastopen-fix-data-races-around-tfo_active_di.patch b/queue-5.13/net-tcp_fastopen-fix-data-races-around-tfo_active_di.patch new file mode 100644 index 00000000000..db72ad9b236 --- /dev/null +++ b/queue-5.13/net-tcp_fastopen-fix-data-races-around-tfo_active_di.patch @@ -0,0 +1,72 @@ +From a1bbb421a282c3c5d1f7b647677e2132296a8c81 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jul 2021 02:12:18 -0700 +Subject: net/tcp_fastopen: fix data races around tfo_active_disable_stamp + +From: Eric Dumazet + +[ Upstream commit 6f20c8adb1813467ea52c1296d52c4e95978cb2f ] + +tfo_active_disable_stamp is read and written locklessly. +We need to annotate these accesses appropriately. + +Then, we need to perform the atomic_inc(tfo_active_disable_times) +after the timestamp has been updated, and thus add barriers +to make sure tcp_fastopen_active_should_disable() wont read +a stale timestamp. + +Fixes: cf1ef3f0719b ("net/tcp_fastopen: Disable active side TFO in certain scenarios") +Signed-off-by: Eric Dumazet +Cc: Wei Wang +Cc: Yuchung Cheng +Cc: Neal Cardwell +Acked-by: Wei Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_fastopen.c | 19 ++++++++++++++++--- + 1 file changed, 16 insertions(+), 3 deletions(-) + +diff --git a/net/ipv4/tcp_fastopen.c b/net/ipv4/tcp_fastopen.c +index af2814c9342a..08548ff23d83 100644 +--- a/net/ipv4/tcp_fastopen.c ++++ b/net/ipv4/tcp_fastopen.c +@@ -507,8 +507,15 @@ void tcp_fastopen_active_disable(struct sock *sk) + { + struct net *net = sock_net(sk); + ++ /* Paired with READ_ONCE() in tcp_fastopen_active_should_disable() */ ++ WRITE_ONCE(net->ipv4.tfo_active_disable_stamp, jiffies); ++ ++ /* Paired with smp_rmb() in tcp_fastopen_active_should_disable(). ++ * We want net->ipv4.tfo_active_disable_stamp to be updated first. ++ */ ++ smp_mb__before_atomic(); + atomic_inc(&net->ipv4.tfo_active_disable_times); +- net->ipv4.tfo_active_disable_stamp = jiffies; ++ + NET_INC_STATS(net, LINUX_MIB_TCPFASTOPENBLACKHOLE); + } + +@@ -526,10 +533,16 @@ bool tcp_fastopen_active_should_disable(struct sock *sk) + if (!tfo_da_times) + return false; + ++ /* Paired with smp_mb__before_atomic() in tcp_fastopen_active_disable() */ ++ smp_rmb(); ++ + /* Limit timout to max: 2^6 * initial timeout */ + multiplier = 1 << min(tfo_da_times - 1, 6); +- timeout = multiplier * tfo_bh_timeout * HZ; +- if (time_before(jiffies, sock_net(sk)->ipv4.tfo_active_disable_stamp + timeout)) ++ ++ /* Paired with the WRITE_ONCE() in tcp_fastopen_active_disable(). */ ++ timeout = READ_ONCE(sock_net(sk)->ipv4.tfo_active_disable_stamp) + ++ multiplier * tfo_bh_timeout * HZ; ++ if (time_before(jiffies, timeout)) + return true; + + /* Mark check bit so we can check for successful active TFO +-- +2.30.2 + diff --git a/queue-5.13/netrom-decrease-sock-refcount-when-sock-timers-expir.patch b/queue-5.13/netrom-decrease-sock-refcount-when-sock-timers-expir.patch new file mode 100644 index 00000000000..8cf72979699 --- /dev/null +++ b/queue-5.13/netrom-decrease-sock-refcount-when-sock-timers-expir.patch @@ -0,0 +1,118 @@ +From 52e99ce86ce4cc270042cc7b2ef53fd695749b9d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Jul 2021 22:40:13 +0800 +Subject: netrom: Decrease sock refcount when sock timers expire + +From: Nguyen Dinh Phi + +[ Upstream commit 517a16b1a88bdb6b530f48d5d153478b2552d9a8 ] + +Commit 63346650c1a9 ("netrom: switch to sock timer API") switched to use +sock timer API. It replaces mod_timer() by sk_reset_timer(), and +del_timer() by sk_stop_timer(). + +Function sk_reset_timer() will increase the refcount of sock if it is +called on an inactive timer, hence, in case the timer expires, we need to +decrease the refcount ourselves in the handler, otherwise, the sock +refcount will be unbalanced and the sock will never be freed. + +Signed-off-by: Nguyen Dinh Phi +Reported-by: syzbot+10f1194569953b72f1ae@syzkaller.appspotmail.com +Fixes: 63346650c1a9 ("netrom: switch to sock timer API") +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/netrom/nr_timer.c | 20 +++++++++++--------- + 1 file changed, 11 insertions(+), 9 deletions(-) + +diff --git a/net/netrom/nr_timer.c b/net/netrom/nr_timer.c +index 9115f8a7dd45..a8da88db7893 100644 +--- a/net/netrom/nr_timer.c ++++ b/net/netrom/nr_timer.c +@@ -121,11 +121,9 @@ static void nr_heartbeat_expiry(struct timer_list *t) + is accepted() it isn't 'dead' so doesn't get removed. */ + if (sock_flag(sk, SOCK_DESTROY) || + (sk->sk_state == TCP_LISTEN && sock_flag(sk, SOCK_DEAD))) { +- sock_hold(sk); + bh_unlock_sock(sk); + nr_destroy_socket(sk); +- sock_put(sk); +- return; ++ goto out; + } + break; + +@@ -146,6 +144,8 @@ static void nr_heartbeat_expiry(struct timer_list *t) + + nr_start_heartbeat(sk); + bh_unlock_sock(sk); ++out: ++ sock_put(sk); + } + + static void nr_t2timer_expiry(struct timer_list *t) +@@ -159,6 +159,7 @@ static void nr_t2timer_expiry(struct timer_list *t) + nr_enquiry_response(sk); + } + bh_unlock_sock(sk); ++ sock_put(sk); + } + + static void nr_t4timer_expiry(struct timer_list *t) +@@ -169,6 +170,7 @@ static void nr_t4timer_expiry(struct timer_list *t) + bh_lock_sock(sk); + nr_sk(sk)->condition &= ~NR_COND_PEER_RX_BUSY; + bh_unlock_sock(sk); ++ sock_put(sk); + } + + static void nr_idletimer_expiry(struct timer_list *t) +@@ -197,6 +199,7 @@ static void nr_idletimer_expiry(struct timer_list *t) + sock_set_flag(sk, SOCK_DEAD); + } + bh_unlock_sock(sk); ++ sock_put(sk); + } + + static void nr_t1timer_expiry(struct timer_list *t) +@@ -209,8 +212,7 @@ static void nr_t1timer_expiry(struct timer_list *t) + case NR_STATE_1: + if (nr->n2count == nr->n2) { + nr_disconnect(sk, ETIMEDOUT); +- bh_unlock_sock(sk); +- return; ++ goto out; + } else { + nr->n2count++; + nr_write_internal(sk, NR_CONNREQ); +@@ -220,8 +222,7 @@ static void nr_t1timer_expiry(struct timer_list *t) + case NR_STATE_2: + if (nr->n2count == nr->n2) { + nr_disconnect(sk, ETIMEDOUT); +- bh_unlock_sock(sk); +- return; ++ goto out; + } else { + nr->n2count++; + nr_write_internal(sk, NR_DISCREQ); +@@ -231,8 +232,7 @@ static void nr_t1timer_expiry(struct timer_list *t) + case NR_STATE_3: + if (nr->n2count == nr->n2) { + nr_disconnect(sk, ETIMEDOUT); +- bh_unlock_sock(sk); +- return; ++ goto out; + } else { + nr->n2count++; + nr_requeue_frames(sk); +@@ -241,5 +241,7 @@ static void nr_t1timer_expiry(struct timer_list *t) + } + + nr_start_t1timer(sk); ++out: + bh_unlock_sock(sk); ++ sock_put(sk); + } +-- +2.30.2 + diff --git a/queue-5.13/nvme-pci-do-not-call-nvme_dev_remove_admin-from-nvme.patch b/queue-5.13/nvme-pci-do-not-call-nvme_dev_remove_admin-from-nvme.patch new file mode 100644 index 00000000000..31c61e9e596 --- /dev/null +++ b/queue-5.13/nvme-pci-do-not-call-nvme_dev_remove_admin-from-nvme.patch @@ -0,0 +1,44 @@ +From 307d10b1411f730070e56919d007e6aaf7c8fbdb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Jul 2021 14:14:32 -0700 +Subject: nvme-pci: do not call nvme_dev_remove_admin from nvme_remove + +From: Casey Chen + +[ Upstream commit 251ef6f71be2adfd09546a26643426fe62585173 ] + +nvme_dev_remove_admin could free dev->admin_q and the admin_tagset +while they are being accessed by nvme_dev_disable(), which can be called +by nvme_reset_work via nvme_remove_dead_ctrl. + +Commit cb4bfda62afa ("nvme-pci: fix hot removal during error handling") +intended to avoid requests being stuck on a removed controller by killing +the admin queue. But the later fix c8e9e9b7646e ("nvme-pci: unquiesce +admin queue on shutdown"), together with nvme_dev_disable(dev, true) +right before nvme_dev_remove_admin() could help dispatch requests and +fail them early, so we don't need nvme_dev_remove_admin() any more. + +Fixes: cb4bfda62afa ("nvme-pci: fix hot removal during error handling") +Signed-off-by: Casey Chen +Reviewed-by: Keith Busch +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index 42ad75ff1348..c625da463330 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -2998,7 +2998,6 @@ static void nvme_remove(struct pci_dev *pdev) + if (!pci_device_is_present(pdev)) { + nvme_change_ctrl_state(&dev->ctrl, NVME_CTRL_DEAD); + nvme_dev_disable(dev, true); +- nvme_dev_remove_admin(dev); + } + + flush_work(&dev->ctrl.reset_work); +-- +2.30.2 + diff --git a/queue-5.13/nvme-pci-don-t-warn_on-in-nvme_reset_work-if-ctrl.st.patch b/queue-5.13/nvme-pci-don-t-warn_on-in-nvme_reset_work-if-ctrl.st.patch new file mode 100644 index 00000000000..3a3cda17862 --- /dev/null +++ b/queue-5.13/nvme-pci-don-t-warn_on-in-nvme_reset_work-if-ctrl.st.patch @@ -0,0 +1,81 @@ +From 23b3efad451cd52b9ef3deda831707f741881984 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Jul 2021 21:38:29 +0800 +Subject: nvme-pci: don't WARN_ON in nvme_reset_work if ctrl.state is not + RESETTING + +From: Zhihao Cheng + +[ Upstream commit 7764656b108cd308c39e9a8554353b8f9ca232a3 ] + +Followling process: +nvme_probe + nvme_reset_ctrl + nvme_change_ctrl_state(ctrl, NVME_CTRL_RESETTING) + queue_work(nvme_reset_wq, &ctrl->reset_work) + +--------------> nvme_remove + nvme_change_ctrl_state(&dev->ctrl, NVME_CTRL_DELETING) +worker_thread + process_one_work + nvme_reset_work + WARN_ON(dev->ctrl.state != NVME_CTRL_RESETTING) + +, which will trigger WARN_ON in nvme_reset_work(): +[ 127.534298] WARNING: CPU: 0 PID: 139 at drivers/nvme/host/pci.c:2594 +[ 127.536161] CPU: 0 PID: 139 Comm: kworker/u8:7 Not tainted 5.13.0 +[ 127.552518] Call Trace: +[ 127.552840] ? kvm_sched_clock_read+0x25/0x40 +[ 127.553936] ? native_send_call_func_single_ipi+0x1c/0x30 +[ 127.555117] ? send_call_function_single_ipi+0x9b/0x130 +[ 127.556263] ? __smp_call_single_queue+0x48/0x60 +[ 127.557278] ? ttwu_queue_wakelist+0xfa/0x1c0 +[ 127.558231] ? try_to_wake_up+0x265/0x9d0 +[ 127.559120] ? ext4_end_io_rsv_work+0x160/0x290 +[ 127.560118] process_one_work+0x28c/0x640 +[ 127.561002] worker_thread+0x39a/0x700 +[ 127.561833] ? rescuer_thread+0x580/0x580 +[ 127.562714] kthread+0x18c/0x1e0 +[ 127.563444] ? set_kthread_struct+0x70/0x70 +[ 127.564347] ret_from_fork+0x1f/0x30 + +The preceding problem can be easily reproduced by executing following +script (based on blktests suite): +test() { + pdev="$(_get_pci_dev_from_blkdev)" + sysfs="/sys/bus/pci/devices/${pdev}" + for ((i = 0; i < 10; i++)); do + echo 1 > "$sysfs/remove" + echo 1 > /sys/bus/pci/rescan + done +} + +Since the device ctrl could be updated as an non-RESETTING state by +repeating probe/remove in userspace (which is a normal situation), we +can replace stack dumping WARN_ON with a warnning message. + +Fixes: 82b057caefaff ("nvme-pci: fix multiple ctrl removal schedulin") +Signed-off-by: Zhihao Cheng +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index c625da463330..fb1c5ae0da39 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -2591,7 +2591,9 @@ static void nvme_reset_work(struct work_struct *work) + bool was_suspend = !!(dev->ctrl.ctrl_config & NVME_CC_SHN_NORMAL); + int result; + +- if (WARN_ON(dev->ctrl.state != NVME_CTRL_RESETTING)) { ++ if (dev->ctrl.state != NVME_CTRL_RESETTING) { ++ dev_warn(dev->ctrl.device, "ctrl state %d is not RESETTING\n", ++ dev->ctrl.state); + result = -ENODEV; + goto out; + } +-- +2.30.2 + diff --git a/queue-5.13/nvme-set-the-pract-bit-when-using-write-zeroes-with-.patch b/queue-5.13/nvme-set-the-pract-bit-when-using-write-zeroes-with-.patch new file mode 100644 index 00000000000..3f46fe679f7 --- /dev/null +++ b/queue-5.13/nvme-set-the-pract-bit-when-using-write-zeroes-with-.patch @@ -0,0 +1,43 @@ +From e6f1ce812e6851424b83c26974d5aadf7d7868fd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jul 2021 10:00:11 +0200 +Subject: nvme: set the PRACT bit when using Write Zeroes with T10 PI + +From: Christoph Hellwig + +[ Upstream commit aaeb7bb061be545251606f4d9c82d710ca2a7c8e ] + +When using Write Zeroes on a namespace that has protection +information enabled they behavior without the PRACT bit +counter-intuitive and will generally lead to validation failures +when reading the written blocks. Fix this by always setting the +PRACT bit that generates matching PI data on the fly. + +Fixes: 6e02318eaea5 ("nvme: add support for the Write Zeroes command") +Signed-off-by: Christoph Hellwig +Reviewed-by: Keith Busch +Reviewed-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/core.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index 66973bb56305..148e756857a8 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -880,7 +880,10 @@ static inline blk_status_t nvme_setup_write_zeroes(struct nvme_ns *ns, + cpu_to_le64(nvme_sect_to_lba(ns, blk_rq_pos(req))); + cmnd->write_zeroes.length = + cpu_to_le16((blk_rq_bytes(req) >> ns->lba_shift) - 1); +- cmnd->write_zeroes.control = 0; ++ if (nvme_ns_has_pi(ns)) ++ cmnd->write_zeroes.control = cpu_to_le16(NVME_RW_PRINFO_PRACT); ++ else ++ cmnd->write_zeroes.control = 0; + return BLK_STS_OK; + } + +-- +2.30.2 + diff --git a/queue-5.13/perf-data-close-all-files-in-close_dir.patch b/queue-5.13/perf-data-close-all-files-in-close_dir.patch new file mode 100644 index 00000000000..d907878b944 --- /dev/null +++ b/queue-5.13/perf-data-close-all-files-in-close_dir.patch @@ -0,0 +1,46 @@ +From d18292b8d5ce67eb1b10f79776d7b112b2ec1bb1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jul 2021 16:11:20 +0200 +Subject: perf data: Close all files in close_dir() + +From: Riccardo Mancini + +[ Upstream commit d4b3eedce151e63932ce4a00f1d0baa340a8b907 ] + +When using 'perf report' in directory mode, the first file is not closed +on exit, causing a memory leak. + +The problem is caused by the iterating variable never reaching 0. + +Fixes: 145520631130bd64 ("perf data: Add perf_data__(create_dir|close_dir) functions") +Signed-off-by: Riccardo Mancini +Acked-by: Namhyung Kim +Cc: Alexander Shishkin +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Peter Zijlstra +Cc: Zhen Lei +Link: http://lore.kernel.org/lkml/20210716141122.858082-1-rickyman7@gmail.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/data.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/util/data.c b/tools/perf/util/data.c +index 8fca4779ae6a..70b91ce35178 100644 +--- a/tools/perf/util/data.c ++++ b/tools/perf/util/data.c +@@ -20,7 +20,7 @@ + + static void close_dir(struct perf_data_file *files, int nr) + { +- while (--nr >= 1) { ++ while (--nr >= 0) { + close(files[nr].fd); + zfree(&files[nr].path); + } +-- +2.30.2 + diff --git a/queue-5.13/perf-dso-fix-memory-leak-in-dso__new_map.patch b/queue-5.13/perf-dso-fix-memory-leak-in-dso__new_map.patch new file mode 100644 index 00000000000..37e8db5f315 --- /dev/null +++ b/queue-5.13/perf-dso-fix-memory-leak-in-dso__new_map.patch @@ -0,0 +1,54 @@ +From e5705303dd59fa99aae6351a0cbf5ed1261db681 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jul 2021 18:07:11 +0200 +Subject: perf dso: Fix memory leak in dso__new_map() + +From: Riccardo Mancini + +[ Upstream commit 581e295a0f6b5c2931d280259fbbfff56959faa9 ] + +ASan reports a memory leak when running: + + # perf test "65: maps__merge_in". + +The causes of the leaks are two, this patch addresses only the first +one, which is related to dso__new_map(). + +The bug is that dso__new_map() creates a new dso but never decreases the +refcount it gets from creating it. + +This patch adds the missing dso__put(). + +Signed-off-by: Riccardo Mancini +Fixes: d3a7c489c7fd2463 ("perf tools: Reference count struct dso") +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lore.kernel.org/lkml/60bfe0cd06e89e2ca33646eb8468d7f5de2ee597.1626343282.git.rickyman7@gmail.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/dso.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/tools/perf/util/dso.c b/tools/perf/util/dso.c +index d786cf6b0cfa..ee15db2be2f4 100644 +--- a/tools/perf/util/dso.c ++++ b/tools/perf/util/dso.c +@@ -1154,8 +1154,10 @@ struct map *dso__new_map(const char *name) + struct map *map = NULL; + struct dso *dso = dso__new(name); + +- if (dso) ++ if (dso) { + map = map__new2(0, dso); ++ dso__put(dso); ++ } + + return map; + } +-- +2.30.2 + diff --git a/queue-5.13/perf-env-fix-memory-leak-of-cpu_pmu_caps.patch b/queue-5.13/perf-env-fix-memory-leak-of-cpu_pmu_caps.patch new file mode 100644 index 00000000000..04cbdd3c4bf --- /dev/null +++ b/queue-5.13/perf-env-fix-memory-leak-of-cpu_pmu_caps.patch @@ -0,0 +1,47 @@ +From b31d2996dfbd038cbf264b24eb3a5a5abca32145 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jul 2021 18:07:13 +0200 +Subject: perf env: Fix memory leak of cpu_pmu_caps + +From: Riccardo Mancini + +[ Upstream commit da6b7c6c0626901428245f65712385805e42eba6 ] + +ASan reports memory leaks while running: + + # perf test "83: Zstd perf.data compression/decompression" + +The first of the leaks is caused by env->cpu_pmu_caps not being freed. + +This patch adds the missing (z)free inside perf_env__exit. + +Signed-off-by: Riccardo Mancini +Fixes: 6f91ea283a1ed23e ("perf header: Support CPU PMU capabilities") +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Kan Liang +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lore.kernel.org/lkml/6ba036a8220156ec1f3d6be3e5d25920f6145028.1626343282.git.rickyman7@gmail.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/env.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/perf/util/env.c b/tools/perf/util/env.c +index f3b90412cc70..16a111b62cc3 100644 +--- a/tools/perf/util/env.c ++++ b/tools/perf/util/env.c +@@ -191,6 +191,7 @@ void perf_env__exit(struct perf_env *env) + zfree(&env->sibling_threads); + zfree(&env->pmu_mappings); + zfree(&env->cpu); ++ zfree(&env->cpu_pmu_caps); + zfree(&env->numa_map); + + for (i = 0; i < env->nr_numa_nodes; i++) +-- +2.30.2 + diff --git a/queue-5.13/perf-env-fix-sibling_dies-memory-leak.patch b/queue-5.13/perf-env-fix-sibling_dies-memory-leak.patch new file mode 100644 index 00000000000..e2f7b1fc376 --- /dev/null +++ b/queue-5.13/perf-env-fix-sibling_dies-memory-leak.patch @@ -0,0 +1,46 @@ +From 85e6a9028253e29b3af7d1704d6398d008ba301d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jul 2021 18:07:07 +0200 +Subject: perf env: Fix sibling_dies memory leak + +From: Riccardo Mancini + +[ Upstream commit 42db3d9ded555f7148b5695109a7dc8d66f0dde4 ] + +ASan reports a memory leak in perf_env while running: + + # perf test "41: Session topology" + +Caused by sibling_dies not being freed. + +This patch adds the required free. + +Fixes: acae8b36cded0ee6 ("perf header: Add die information in CPU topology") +Signed-off-by: Riccardo Mancini +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lore.kernel.org/lkml/2140d0b57656e4eb9021ca9772250c24c032924b.1626343282.git.rickyman7@gmail.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/env.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/perf/util/env.c b/tools/perf/util/env.c +index bc5e4f294e9e..f3b90412cc70 100644 +--- a/tools/perf/util/env.c ++++ b/tools/perf/util/env.c +@@ -186,6 +186,7 @@ void perf_env__exit(struct perf_env *env) + zfree(&env->cpuid); + zfree(&env->cmdline); + zfree(&env->cmdline_argv); ++ zfree(&env->sibling_dies); + zfree(&env->sibling_cores); + zfree(&env->sibling_threads); + zfree(&env->pmu_mappings); +-- +2.30.2 + diff --git a/queue-5.13/perf-inject-fix-dso-nsinfo-refcounting.patch b/queue-5.13/perf-inject-fix-dso-nsinfo-refcounting.patch new file mode 100644 index 00000000000..2ba303fbbea --- /dev/null +++ b/queue-5.13/perf-inject-fix-dso-nsinfo-refcounting.patch @@ -0,0 +1,54 @@ +From 487e8d6cfccb31f6a31771ee2c57b40ae24ae99e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jul 2021 18:07:06 +0200 +Subject: perf inject: Fix dso->nsinfo refcounting + +From: Riccardo Mancini + +[ Upstream commit 0967ebffe098157180a0bbd180ac90348c6e07d7 ] + +ASan reports a memory leak of nsinfo during the execution of: + + # perf test "31: Lookup mmap thread" + +The leak is caused by a refcounted variable being replaced without +dropping the refcount. + +This patch makes sure that the refcnt of nsinfo is decreased when a +refcounted variable is replaced with a new value. + +Signed-off-by: Riccardo Mancini +Fixes: 27c9c3424fc217da ("perf inject: Add --buildid-all option") +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lore.kernel.org/lkml/55223bc8821b34ccb01f92ef1401c02b6a32e61f.1626343282.git.rickyman7@gmail.com +[ Split from a larger patch ] +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-inject.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/tools/perf/builtin-inject.c b/tools/perf/builtin-inject.c +index ddccc0eb7390..614e428e4ac5 100644 +--- a/tools/perf/builtin-inject.c ++++ b/tools/perf/builtin-inject.c +@@ -358,9 +358,10 @@ static struct dso *findnew_dso(int pid, int tid, const char *filename, + dso = machine__findnew_dso_id(machine, filename, id); + } + +- if (dso) ++ if (dso) { ++ nsinfo__put(dso->nsinfo); + dso->nsinfo = nsi; +- else ++ } else + nsinfo__put(nsi); + + thread__put(thread); +-- +2.30.2 + diff --git a/queue-5.13/perf-lzma-close-lzma-stream-on-exit.patch b/queue-5.13/perf-lzma-close-lzma-stream-on-exit.patch new file mode 100644 index 00000000000..4439c3df8a4 --- /dev/null +++ b/queue-5.13/perf-lzma-close-lzma-stream-on-exit.patch @@ -0,0 +1,72 @@ +From 3035c719dfbeb0a0961d951d6e26a17436ad59be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jul 2021 18:07:19 +0200 +Subject: perf lzma: Close lzma stream on exit + +From: Riccardo Mancini + +[ Upstream commit f8cbb0f926ae1e1fb5f9e51614e5437560ed4039 ] + +ASan reports memory leaks when running: + + # perf test "88: Check open filename arg using perf trace + vfs_getname" + +One of these is caused by the lzma stream never being closed inside +lzma_decompress_to_file(). + +This patch adds the missing lzma_end(). + +Signed-off-by: Riccardo Mancini +Fixes: 80a32e5b498a7547 ("perf tools: Add lzma decompression support for kernel module") +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lore.kernel.org/lkml/aaf50bdce7afe996cfc06e1bbb36e4a2a9b9db93.1626343282.git.rickyman7@gmail.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/lzma.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/tools/perf/util/lzma.c b/tools/perf/util/lzma.c +index 39062df02629..51424cdc3b68 100644 +--- a/tools/perf/util/lzma.c ++++ b/tools/perf/util/lzma.c +@@ -69,7 +69,7 @@ int lzma_decompress_to_file(const char *input, int output_fd) + + if (ferror(infile)) { + pr_err("lzma: read error: %s\n", strerror(errno)); +- goto err_fclose; ++ goto err_lzma_end; + } + + if (feof(infile)) +@@ -83,7 +83,7 @@ int lzma_decompress_to_file(const char *input, int output_fd) + + if (writen(output_fd, buf_out, write_size) != write_size) { + pr_err("lzma: write error: %s\n", strerror(errno)); +- goto err_fclose; ++ goto err_lzma_end; + } + + strm.next_out = buf_out; +@@ -95,11 +95,13 @@ int lzma_decompress_to_file(const char *input, int output_fd) + break; + + pr_err("lzma: failed %s\n", lzma_strerror(ret)); +- goto err_fclose; ++ goto err_lzma_end; + } + } + + err = 0; ++err_lzma_end: ++ lzma_end(&strm); + err_fclose: + fclose(infile); + return err; +-- +2.30.2 + diff --git a/queue-5.13/perf-map-fix-dso-nsinfo-refcounting.patch b/queue-5.13/perf-map-fix-dso-nsinfo-refcounting.patch new file mode 100644 index 00000000000..a49591d8c9d --- /dev/null +++ b/queue-5.13/perf-map-fix-dso-nsinfo-refcounting.patch @@ -0,0 +1,51 @@ +From 902b249e761ac06778d97ea01e29d49a36141dce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jul 2021 18:07:06 +0200 +Subject: perf map: Fix dso->nsinfo refcounting + +From: Riccardo Mancini + +[ Upstream commit 2d6b74baa7147251c30a46c4996e8cc224aa2dc5 ] + +ASan reports a memory leak of nsinfo during the execution of + + # perf test "31: Lookup mmap thread" + +The leak is caused by a refcounted variable being replaced without +dropping the refcount. + +This patch makes sure that the refcnt of nsinfo is decreased whenever a +refcounted variable is replaced with a new value. + +Signed-off-by: Riccardo Mancini +Fixes: bf2e710b3cb8445c ("perf maps: Lookup maps in both intitial mountns and inner mountns.") +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Krister Johansen +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lore.kernel.org/lkml/55223bc8821b34ccb01f92ef1401c02b6a32e61f.1626343282.git.rickyman7@gmail.com +[ Split from a larger patch ] +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/map.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tools/perf/util/map.c b/tools/perf/util/map.c +index 8af693d9678c..72e7f3616157 100644 +--- a/tools/perf/util/map.c ++++ b/tools/perf/util/map.c +@@ -192,6 +192,8 @@ struct map *map__new(struct machine *machine, u64 start, u64 len, + if (!(prot & PROT_EXEC)) + dso__set_loaded(dso); + } ++ ++ nsinfo__put(dso->nsinfo); + dso->nsinfo = nsi; + + if (build_id__is_defined(bid)) +-- +2.30.2 + diff --git a/queue-5.13/perf-probe-file-delete-namelist-in-del_events-on-the.patch b/queue-5.13/perf-probe-file-delete-namelist-in-del_events-on-the.patch new file mode 100644 index 00000000000..2e71eff1550 --- /dev/null +++ b/queue-5.13/perf-probe-file-delete-namelist-in-del_events-on-the.patch @@ -0,0 +1,54 @@ +From f48c3cbd4b3a765cf75523307ffdc321de4a6742 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jul 2021 18:07:25 +0200 +Subject: perf probe-file: Delete namelist in del_events() on the error path + +From: Riccardo Mancini + +[ Upstream commit e0fa7ab42232e742dcb3de9f3c1f6127b5adc019 ] + +ASan reports some memory leaks when running: + + # perf test "42: BPF filter" + +This second leak is caused by a strlist not being dellocated on error +inside probe_file__del_events. + +This patch adds a goto label before the deallocation and makes the error +path jump to it. + +Signed-off-by: Riccardo Mancini +Fixes: e7895e422e4da63d ("perf probe: Split del_perf_probe_events()") +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lore.kernel.org/lkml/174963c587ae77fa108af794669998e4ae558338.1626343282.git.rickyman7@gmail.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/probe-file.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/perf/util/probe-file.c b/tools/perf/util/probe-file.c +index 52273542e6ef..3f6de459ac2b 100644 +--- a/tools/perf/util/probe-file.c ++++ b/tools/perf/util/probe-file.c +@@ -342,11 +342,11 @@ int probe_file__del_events(int fd, struct strfilter *filter) + + ret = probe_file__get_events(fd, filter, namelist); + if (ret < 0) +- return ret; ++ goto out; + + ret = probe_file__del_strlist(fd, namelist); ++out: + strlist__delete(namelist); +- + return ret; + } + +-- +2.30.2 + diff --git a/queue-5.13/perf-probe-fix-dso-nsinfo-refcounting.patch b/queue-5.13/perf-probe-fix-dso-nsinfo-refcounting.patch new file mode 100644 index 00000000000..3eab895b369 --- /dev/null +++ b/queue-5.13/perf-probe-fix-dso-nsinfo-refcounting.patch @@ -0,0 +1,54 @@ +From 24e4b406552ebc851df64c8d27c0ea3124293b65 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jul 2021 18:07:06 +0200 +Subject: perf probe: Fix dso->nsinfo refcounting + +From: Riccardo Mancini + +[ Upstream commit dedeb4be203b382ba7245d13079bc3b0f6d40c65 ] + +ASan reports a memory leak of nsinfo during the execution of: + + # perf test "31: Lookup mmap thread". + +The leak is caused by a refcounted variable being replaced without +dropping the refcount. + +This patch makes sure that the refcnt of nsinfo is decreased whenever +a refcounted variable is replaced with a new value. + +Signed-off-by: Riccardo Mancini +Fixes: 544abd44c7064c8a ("perf probe: Allow placing uprobes in alternate namespaces.") +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Krister Johansen +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lore.kernel.org/lkml/55223bc8821b34ccb01f92ef1401c02b6a32e61f.1626343282.git.rickyman7@gmail.com +[ Split from a larger patch ] +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/probe-event.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/tools/perf/util/probe-event.c b/tools/perf/util/probe-event.c +index a78c8d59a555..9cc89a047b15 100644 +--- a/tools/perf/util/probe-event.c ++++ b/tools/perf/util/probe-event.c +@@ -180,8 +180,10 @@ struct map *get_target_map(const char *target, struct nsinfo *nsi, bool user) + struct map *map; + + map = dso__new_map(target); +- if (map && map->dso) ++ if (map && map->dso) { ++ nsinfo__put(map->dso->nsinfo); + map->dso->nsinfo = nsinfo__get(nsi); ++ } + return map; + } else { + return kernel_get_module_map(target); +-- +2.30.2 + diff --git a/queue-5.13/perf-report-free-generated-help-strings-for-sort-opt.patch b/queue-5.13/perf-report-free-generated-help-strings-for-sort-opt.patch new file mode 100644 index 00000000000..176c9006dc0 --- /dev/null +++ b/queue-5.13/perf-report-free-generated-help-strings-for-sort-opt.patch @@ -0,0 +1,158 @@ +From a2ecdfe2c248eeb6ca09add68392972fc758915b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jul 2021 18:07:14 +0200 +Subject: perf report: Free generated help strings for sort option + +From: Riccardo Mancini + +[ Upstream commit a37338aad8c4d8676173ead14e881d2ec308155c ] + +ASan reports the memory leak of the strings allocated by sort_help() when +running perf report. + +This patch changes the returned pointer to char* (instead of const +char*), saves it in a temporary variable, and finally deallocates it at +function exit. + +Signed-off-by: Riccardo Mancini +Fixes: 702fb9b415e7c99b ("perf report: Show all sort keys in help output") +Cc: Andi Kleen +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lore.kernel.org/lkml/a38b13f02812a8a6759200b9063c6191337f44d4.1626343282.git.rickyman7@gmail.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-report.c | 33 ++++++++++++++++++++++----------- + tools/perf/util/sort.c | 2 +- + tools/perf/util/sort.h | 2 +- + 3 files changed, 24 insertions(+), 13 deletions(-) + +diff --git a/tools/perf/builtin-report.c b/tools/perf/builtin-report.c +index 36f9ccfeb38a..ce420f910ff8 100644 +--- a/tools/perf/builtin-report.c ++++ b/tools/perf/builtin-report.c +@@ -1167,6 +1167,8 @@ int cmd_report(int argc, const char **argv) + .annotation_opts = annotation__default_options, + .skip_empty = true, + }; ++ char *sort_order_help = sort_help("sort by key(s):"); ++ char *field_order_help = sort_help("output field(s): overhead period sample "); + const struct option options[] = { + OPT_STRING('i', "input", &input_name, "file", + "input file name"), +@@ -1201,9 +1203,9 @@ int cmd_report(int argc, const char **argv) + OPT_BOOLEAN(0, "header-only", &report.header_only, + "Show only data header."), + OPT_STRING('s', "sort", &sort_order, "key[,key2...]", +- sort_help("sort by key(s):")), ++ sort_order_help), + OPT_STRING('F', "fields", &field_order, "key[,keys...]", +- sort_help("output field(s): overhead period sample ")), ++ field_order_help), + OPT_BOOLEAN(0, "show-cpu-utilization", &symbol_conf.show_cpu_utilization, + "Show sample percentage for different cpu modes"), + OPT_BOOLEAN_FLAG(0, "showcpuutilization", &symbol_conf.show_cpu_utilization, +@@ -1336,11 +1338,11 @@ int cmd_report(int argc, const char **argv) + char sort_tmp[128]; + + if (ret < 0) +- return ret; ++ goto exit; + + ret = perf_config(report__config, &report); + if (ret) +- return ret; ++ goto exit; + + argc = parse_options(argc, argv, options, report_usage, 0); + if (argc) { +@@ -1354,8 +1356,10 @@ int cmd_report(int argc, const char **argv) + report.symbol_filter_str = argv[0]; + } + +- if (annotate_check_args(&report.annotation_opts) < 0) +- return -EINVAL; ++ if (annotate_check_args(&report.annotation_opts) < 0) { ++ ret = -EINVAL; ++ goto exit; ++ } + + if (report.mmaps_mode) + report.tasks_mode = true; +@@ -1369,12 +1373,14 @@ int cmd_report(int argc, const char **argv) + if (symbol_conf.vmlinux_name && + access(symbol_conf.vmlinux_name, R_OK)) { + pr_err("Invalid file: %s\n", symbol_conf.vmlinux_name); +- return -EINVAL; ++ ret = -EINVAL; ++ goto exit; + } + if (symbol_conf.kallsyms_name && + access(symbol_conf.kallsyms_name, R_OK)) { + pr_err("Invalid file: %s\n", symbol_conf.kallsyms_name); +- return -EINVAL; ++ ret = -EINVAL; ++ goto exit; + } + + if (report.inverted_callchain) +@@ -1398,12 +1404,14 @@ int cmd_report(int argc, const char **argv) + + repeat: + session = perf_session__new(&data, false, &report.tool); +- if (IS_ERR(session)) +- return PTR_ERR(session); ++ if (IS_ERR(session)) { ++ ret = PTR_ERR(session); ++ goto exit; ++ } + + ret = evswitch__init(&report.evswitch, session->evlist, stderr); + if (ret) +- return ret; ++ goto exit; + + if (zstd_init(&(session->zstd_data), 0) < 0) + pr_warning("Decompression initialization failed. Reported data may be incomplete.\n"); +@@ -1638,5 +1646,8 @@ error: + + zstd_fini(&(session->zstd_data)); + perf_session__delete(session); ++exit: ++ free(sort_order_help); ++ free(field_order_help); + return ret; + } +diff --git a/tools/perf/util/sort.c b/tools/perf/util/sort.c +index 88ce47f2547e..568a88c001c6 100644 +--- a/tools/perf/util/sort.c ++++ b/tools/perf/util/sort.c +@@ -3370,7 +3370,7 @@ static void add_hpp_sort_string(struct strbuf *sb, struct hpp_dimension *s, int + add_key(sb, s[i].name, llen); + } + +-const char *sort_help(const char *prefix) ++char *sort_help(const char *prefix) + { + struct strbuf sb; + char *s; +diff --git a/tools/perf/util/sort.h b/tools/perf/util/sort.h +index 87a092645aa7..b67c469aba79 100644 +--- a/tools/perf/util/sort.h ++++ b/tools/perf/util/sort.h +@@ -302,7 +302,7 @@ void reset_output_field(void); + void sort__setup_elide(FILE *fp); + void perf_hpp__set_elide(int idx, bool elide); + +-const char *sort_help(const char *prefix); ++char *sort_help(const char *prefix); + + int report_parse_ignore_callees_opt(const struct option *opt, const char *arg, int unset); + +-- +2.30.2 + diff --git a/queue-5.13/perf-sched-fix-record-failure-when-config_schedstats.patch b/queue-5.13/perf-sched-fix-record-failure-when-config_schedstats.patch new file mode 100644 index 00000000000..3ff4edff760 --- /dev/null +++ b/queue-5.13/perf-sched-fix-record-failure-when-config_schedstats.patch @@ -0,0 +1,135 @@ +From 93e0db86dd4062835dbbb6da142ce0a25c941016 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jul 2021 19:23:58 +0800 +Subject: perf sched: Fix record failure when CONFIG_SCHEDSTATS is not set + +From: Yang Jihong + +[ Upstream commit b0f008551f0bf4d5f6db9b5f0e071b02790d6a2e ] + +The tracepoints trace_sched_stat_{wait, sleep, iowait} are not exposed to user +if CONFIG_SCHEDSTATS is not set, "perf sched record" records the three events. +As a result, the command fails. + +Before: + + #perf sched record sleep 1 + event syntax error: 'sched:sched_stat_wait' + \___ unknown tracepoint + + Error: File /sys/kernel/tracing/events/sched/sched_stat_wait not found. + Hint: Perhaps this kernel misses some CONFIG_ setting to enable this feature?. + + Run 'perf list' for a list of valid events + + Usage: perf record [] [] + or: perf record [] -- [] + + -e, --event event selector. use 'perf list' to list available events + +Solution: + Check whether schedstat tracepoints are exposed. If no, these events are not recorded. + +After: + # perf sched record sleep 1 + [ perf record: Woken up 1 times to write data ] + [ perf record: Captured and wrote 0.163 MB perf.data (1091 samples) ] + # perf sched report + run measurement overhead: 4736 nsecs + sleep measurement overhead: 9059979 nsecs + the run test took 999854 nsecs + the sleep test took 8945271 nsecs + nr_run_events: 716 + nr_sleep_events: 785 + nr_wakeup_events: 0 + ... + ------------------------------------------------------------ + +Fixes: 2a09b5de235a6 ("sched/fair: do not expose some tracepoints to user if CONFIG_SCHEDSTATS is not set") +Signed-off-by: Yang Jihong +Cc: Alexander Shishkin +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Steven Rostedt (VMware) +Cc: Yafang Shao +Link: http://lore.kernel.org/lkml/20210713112358.194693-1-yangjihong1@huawei.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-sched.c | 33 +++++++++++++++++++++++++++++---- + 1 file changed, 29 insertions(+), 4 deletions(-) + +diff --git a/tools/perf/builtin-sched.c b/tools/perf/builtin-sched.c +index 954ce2f594e9..3e5b7faf0c16 100644 +--- a/tools/perf/builtin-sched.c ++++ b/tools/perf/builtin-sched.c +@@ -3335,6 +3335,16 @@ static void setup_sorting(struct perf_sched *sched, const struct option *options + sort_dimension__add("pid", &sched->cmp_pid); + } + ++static bool schedstat_events_exposed(void) ++{ ++ /* ++ * Select "sched:sched_stat_wait" event to check ++ * whether schedstat tracepoints are exposed. ++ */ ++ return IS_ERR(trace_event__tp_format("sched", "sched_stat_wait")) ? ++ false : true; ++} ++ + static int __cmd_record(int argc, const char **argv) + { + unsigned int rec_argc, i, j; +@@ -3346,21 +3356,33 @@ static int __cmd_record(int argc, const char **argv) + "-m", "1024", + "-c", "1", + "-e", "sched:sched_switch", +- "-e", "sched:sched_stat_wait", +- "-e", "sched:sched_stat_sleep", +- "-e", "sched:sched_stat_iowait", + "-e", "sched:sched_stat_runtime", + "-e", "sched:sched_process_fork", + "-e", "sched:sched_wakeup_new", + "-e", "sched:sched_migrate_task", + }; ++ ++ /* ++ * The tracepoints trace_sched_stat_{wait, sleep, iowait} ++ * are not exposed to user if CONFIG_SCHEDSTATS is not set, ++ * to prevent "perf sched record" execution failure, determine ++ * whether to record schedstat events according to actual situation. ++ */ ++ const char * const schedstat_args[] = { ++ "-e", "sched:sched_stat_wait", ++ "-e", "sched:sched_stat_sleep", ++ "-e", "sched:sched_stat_iowait", ++ }; ++ unsigned int schedstat_argc = schedstat_events_exposed() ? ++ ARRAY_SIZE(schedstat_args) : 0; ++ + struct tep_event *waking_event; + + /* + * +2 for either "-e", "sched:sched_wakeup" or + * "-e", "sched:sched_waking" + */ +- rec_argc = ARRAY_SIZE(record_args) + 2 + argc - 1; ++ rec_argc = ARRAY_SIZE(record_args) + 2 + schedstat_argc + argc - 1; + rec_argv = calloc(rec_argc + 1, sizeof(char *)); + + if (rec_argv == NULL) +@@ -3376,6 +3398,9 @@ static int __cmd_record(int argc, const char **argv) + else + rec_argv[i++] = strdup("sched:sched_wakeup"); + ++ for (j = 0; j < schedstat_argc; j++) ++ rec_argv[i++] = strdup(schedstat_args[j]); ++ + for (j = 1; j < (unsigned int)argc; j++, i++) + rec_argv[i] = argv[j]; + +-- +2.30.2 + diff --git a/queue-5.13/perf-script-fix-memory-threads-and-cpus-leaks-on-exi.patch b/queue-5.13/perf-script-fix-memory-threads-and-cpus-leaks-on-exi.patch new file mode 100644 index 00000000000..f04b7f1d7a6 --- /dev/null +++ b/queue-5.13/perf-script-fix-memory-threads-and-cpus-leaks-on-exi.patch @@ -0,0 +1,64 @@ +From 647163832bf833cf7320cb62d1e33a4cb660fcc2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jul 2021 18:07:18 +0200 +Subject: perf script: Fix memory 'threads' and 'cpus' leaks on exit + +From: Riccardo Mancini + +[ Upstream commit faf3ac305d61341c74e5cdd9e41daecce7f67bfe ] + +ASan reports several memory leaks while running: + + # perf test "82: Use vfs_getname probe to get syscall args filenames" + +Two of these are caused by some refcounts not being decreased on +perf-script exit, namely script.threads and script.cpus. + +This patch adds the missing __put calls in a new perf_script__exit +function, which is called at the end of cmd_script. + +This patch concludes the fixes of all remaining memory leaks in perf +test "82: Use vfs_getname probe to get syscall args filenames". + +Signed-off-by: Riccardo Mancini +Fixes: cfc8874a48599249 ("perf script: Process cpu/threads maps") +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lore.kernel.org/lkml/5ee73b19791c6fa9d24c4d57f4ac1a23609400d7.1626343282.git.rickyman7@gmail.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-script.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/tools/perf/builtin-script.c b/tools/perf/builtin-script.c +index 8a6656ab835b..c43c2963117d 100644 +--- a/tools/perf/builtin-script.c ++++ b/tools/perf/builtin-script.c +@@ -2534,6 +2534,12 @@ static void perf_script__exit_per_event_dump_stats(struct perf_script *script) + } + } + ++static void perf_script__exit(struct perf_script *script) ++{ ++ perf_thread_map__put(script->threads); ++ perf_cpu_map__put(script->cpus); ++} ++ + static int __cmd_script(struct perf_script *script) + { + int ret; +@@ -3994,6 +4000,7 @@ out_delete: + zstd_fini(&(session->zstd_data)); + evlist__free_stats(session->evlist); + perf_session__delete(session); ++ perf_script__exit(&script); + + if (script_started) + cleanup_scripting(); +-- +2.30.2 + diff --git a/queue-5.13/perf-script-release-zstd-data.patch b/queue-5.13/perf-script-release-zstd-data.patch new file mode 100644 index 00000000000..2de47d3c174 --- /dev/null +++ b/queue-5.13/perf-script-release-zstd-data.patch @@ -0,0 +1,48 @@ +From c7af91b89950c0fe6ce26ebcdc936fcdb5aba993 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jul 2021 18:07:17 +0200 +Subject: perf script: Release zstd data + +From: Riccardo Mancini + +[ Upstream commit 1b1f57cf9e4c8eb16c8f6b2ce12cc5dd3517fc61 ] + +ASan reports several memory leak while running: + + # perf test "82: Use vfs_getname probe to get syscall args filenames" + +One of the leaks is caused by zstd data not being released on exit in +perf-script. + +This patch adds the missing zstd_fini(). + +Signed-off-by: Riccardo Mancini +Fixes: b13b04d9382113f7 ("perf script: Initialize zstd_data") +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Milian Wolff +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lore.kernel.org/lkml/39388e8cc2f85ca219ea18697a17b7bd8f74b693.1626343282.git.rickyman7@gmail.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-script.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/perf/builtin-script.c b/tools/perf/builtin-script.c +index 1280cbfad4db..8a6656ab835b 100644 +--- a/tools/perf/builtin-script.c ++++ b/tools/perf/builtin-script.c +@@ -3991,6 +3991,7 @@ out_delete: + zfree(&script.ptime_range); + } + ++ zstd_fini(&(session->zstd_data)); + evlist__free_stats(session->evlist); + perf_session__delete(session); + +-- +2.30.2 + diff --git a/queue-5.13/perf-test-event_update-fix-memory-leak-of-evlist.patch b/queue-5.13/perf-test-event_update-fix-memory-leak-of-evlist.patch new file mode 100644 index 00000000000..51a1a9fe59f --- /dev/null +++ b/queue-5.13/perf-test-event_update-fix-memory-leak-of-evlist.patch @@ -0,0 +1,47 @@ +From 5b3ecd812a8f546accd209ac0219522874a482fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jul 2021 18:07:09 +0200 +Subject: perf test event_update: Fix memory leak of evlist + +From: Riccardo Mancini + +[ Upstream commit fc56f54f6fcd5337634f4545af6459613129b432 ] + +ASan reports a memory leak when running: + + # perf test "49: Synthesize attr update" + +Caused by evlist not being deleted. + +This patch adds the missing evlist__delete and removes the +perf_cpu_map__put since it's already being deleted by evlist__delete. + +Signed-off-by: Riccardo Mancini +Fixes: a6e5281780d1da65 ("perf tools: Add event_update event unit type") +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lore.kernel.org/lkml/f7994ad63d248f7645f901132d208fadf9f2b7e4.1626343282.git.rickyman7@gmail.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/tests/event_update.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/tests/event_update.c b/tools/perf/tests/event_update.c +index 656218179222..932ab0740d11 100644 +--- a/tools/perf/tests/event_update.c ++++ b/tools/perf/tests/event_update.c +@@ -118,6 +118,6 @@ int test__event_update(struct test *test __maybe_unused, int subtest __maybe_unu + TEST_ASSERT_VAL("failed to synthesize attr update cpus", + !perf_event__synthesize_event_update_cpus(&tmp.tool, evsel, process_event_cpus)); + +- perf_cpu_map__put(evsel->core.own_cpus); ++ evlist__delete(evlist); + return 0; + } +-- +2.30.2 + diff --git a/queue-5.13/perf-test-event_update-fix-memory-leak-of-unit.patch b/queue-5.13/perf-test-event_update-fix-memory-leak-of-unit.patch new file mode 100644 index 00000000000..78e26320683 --- /dev/null +++ b/queue-5.13/perf-test-event_update-fix-memory-leak-of-unit.patch @@ -0,0 +1,66 @@ +From 1dc38f156ad7cbd5c4c2253c7367a5447e2fa75a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jul 2021 18:07:10 +0200 +Subject: perf test event_update: Fix memory leak of unit + +From: Riccardo Mancini + +[ Upstream commit dccfca926c351ba0893af4c8b481477bdb2881a4 ] + +ASan reports a memory leak while running: + + # perf test "49: Synthesize attr update" + +Caused by a string being duplicated but never freed. + +This patch adds the missing free(). + +Note that evsel->unit is not deallocated together with evsel since it is +supposed to be a constant string. + +Signed-off-by: Riccardo Mancini +Fixes: a6e5281780d1da65 ("perf tools: Add event_update event unit type") +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lore.kernel.org/lkml/1fbc8158663fb0d4d5392e36bae564f6ad60be3c.1626343282.git.rickyman7@gmail.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/tests/event_update.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/tools/perf/tests/event_update.c b/tools/perf/tests/event_update.c +index 932ab0740d11..44a50527f9d9 100644 +--- a/tools/perf/tests/event_update.c ++++ b/tools/perf/tests/event_update.c +@@ -88,6 +88,7 @@ int test__event_update(struct test *test __maybe_unused, int subtest __maybe_unu + struct evsel *evsel; + struct event_name tmp; + struct evlist *evlist = evlist__new_default(); ++ char *unit = strdup("KRAVA"); + + TEST_ASSERT_VAL("failed to get evlist", evlist); + +@@ -98,7 +99,7 @@ int test__event_update(struct test *test __maybe_unused, int subtest __maybe_unu + + perf_evlist__id_add(&evlist->core, &evsel->core, 0, 0, 123); + +- evsel->unit = strdup("KRAVA"); ++ evsel->unit = unit; + + TEST_ASSERT_VAL("failed to synthesize attr update unit", + !perf_event__synthesize_event_update_unit(NULL, evsel, process_event_unit)); +@@ -118,6 +119,7 @@ int test__event_update(struct test *test __maybe_unused, int subtest __maybe_unu + TEST_ASSERT_VAL("failed to synthesize attr update cpus", + !perf_event__synthesize_event_update_cpus(&tmp.tool, evsel, process_event_cpus)); + ++ free(unit); + evlist__delete(evlist); + return 0; + } +-- +2.30.2 + diff --git a/queue-5.13/perf-test-maps__merge_in-fix-memory-leak-of-maps.patch b/queue-5.13/perf-test-maps__merge_in-fix-memory-leak-of-maps.patch new file mode 100644 index 00000000000..29f019c0c37 --- /dev/null +++ b/queue-5.13/perf-test-maps__merge_in-fix-memory-leak-of-maps.patch @@ -0,0 +1,49 @@ +From 7e934c4ff7acf9c91e5291049f04ec89b2990e60 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jul 2021 18:07:12 +0200 +Subject: perf test maps__merge_in: Fix memory leak of maps + +From: Riccardo Mancini + +[ Upstream commit 244d1797c8c8e850b8de7992af713aa5c70d5650 ] + +ASan reports a memory leak when running: + + # perf test "65: maps__merge_in" + +This is the second and final patch addressing these memory leaks. + +This time, the problem is simply that the maps object is never +destructed. + +This patch adds the missing maps__exit call. + +Signed-off-by: Riccardo Mancini +Fixes: 79b6bb73f888933c ("perf maps: Merge 'struct maps' with 'struct map_groups'") +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lore.kernel.org/lkml/a1a29b97a58738987d150e94d4ebfad0282fb038.1626343282.git.rickyman7@gmail.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/tests/maps.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tools/perf/tests/maps.c b/tools/perf/tests/maps.c +index edcbc70ff9d6..1ac72919fa35 100644 +--- a/tools/perf/tests/maps.c ++++ b/tools/perf/tests/maps.c +@@ -116,5 +116,7 @@ int test__maps__merge_in(struct test *t __maybe_unused, int subtest __maybe_unus + + ret = check_maps(merged3, ARRAY_SIZE(merged3), &maps); + TEST_ASSERT_VAL("merge check failed", !ret); ++ ++ maps__exit(&maps); + return TEST_OK; + } +-- +2.30.2 + diff --git a/queue-5.13/perf-test-session_topology-delete-session-evlist.patch b/queue-5.13/perf-test-session_topology-delete-session-evlist.patch new file mode 100644 index 00000000000..94ab91dd6e1 --- /dev/null +++ b/queue-5.13/perf-test-session_topology-delete-session-evlist.patch @@ -0,0 +1,48 @@ +From 0f16ee3b21dc62324d2604f5484fe423e3bbb862 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jul 2021 18:07:08 +0200 +Subject: perf test session_topology: Delete session->evlist + +From: Riccardo Mancini + +[ Upstream commit 233f2dc1c284337286f9a64c0152236779a42f6c ] + +ASan reports a memory leak related to session->evlist while running: + + # perf test "41: Session topology". + +When perf_data is in write mode, session->evlist is owned by the caller, +which should also take care of deleting it. + +This patch adds the missing evlist__delete(). + +Signed-off-by: Riccardo Mancini +Fixes: c84974ed9fb67293 ("perf test: Add entry to test cpu topology") +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Kan Liang +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lore.kernel.org/lkml/822f741f06eb25250fb60686cf30a35f447e9e91.1626343282.git.rickyman7@gmail.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/tests/topology.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/perf/tests/topology.c b/tools/perf/tests/topology.c +index ec4e3b21b831..b5efe675b321 100644 +--- a/tools/perf/tests/topology.c ++++ b/tools/perf/tests/topology.c +@@ -61,6 +61,7 @@ static int session_write_header(char *path) + TEST_ASSERT_VAL("failed to write header", + !perf_session__write_header(session, session->evlist, data.file.fd, true)); + ++ evlist__delete(session->evlist); + perf_session__delete(session); + + return 0; +-- +2.30.2 + diff --git a/queue-5.13/proc-avoid-mixing-integer-types-in-mem_rw.patch b/queue-5.13/proc-avoid-mixing-integer-types-in-mem_rw.patch new file mode 100644 index 00000000000..0bdbb6bd9fb --- /dev/null +++ b/queue-5.13/proc-avoid-mixing-integer-types-in-mem_rw.patch @@ -0,0 +1,52 @@ +From 1894f079302d9e21e0d10206b2fe92eee4e44f22 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Jun 2021 18:54:38 -0700 +Subject: proc: Avoid mixing integer types in mem_rw() + +From: Marcelo Henrique Cerri + +[ Upstream commit d238692b4b9f2c36e35af4c6e6f6da36184aeb3e ] + +Use size_t when capping the count argument received by mem_rw(). Since +count is size_t, using min_t(int, ...) can lead to a negative value +that will later be passed to access_remote_vm(), which can cause +unexpected behavior. + +Since we are capping the value to at maximum PAGE_SIZE, the conversion +from size_t to int when passing it to access_remote_vm() as "len" +shouldn't be a problem. + +Link: https://lkml.kernel.org/r/20210512125215.3348316-1-marcelo.cerri@canonical.com +Reviewed-by: David Disseldorp +Signed-off-by: Thadeu Lima de Souza Cascardo +Signed-off-by: Marcelo Henrique Cerri +Cc: Alexey Dobriyan +Cc: Souza Cascardo +Cc: Christian Brauner +Cc: Michel Lespinasse +Cc: Helge Deller +Cc: Oleg Nesterov +Cc: Lorenzo Stoakes +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/proc/base.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/proc/base.c b/fs/proc/base.c +index 9cbd915025ad..a0a2fc1c9da2 100644 +--- a/fs/proc/base.c ++++ b/fs/proc/base.c +@@ -854,7 +854,7 @@ static ssize_t mem_rw(struct file *file, char __user *buf, + flags = FOLL_FORCE | (write ? FOLL_WRITE : 0); + + while (count > 0) { +- int this_len = min_t(int, count, PAGE_SIZE); ++ size_t this_len = min_t(size_t, count, PAGE_SIZE); + + if (write && copy_from_user(page, buf, this_len)) { + copied = -EFAULT; +-- +2.30.2 + diff --git a/queue-5.13/pwm-sprd-ensure-configuring-period-and-duty_cycle-is.patch b/queue-5.13/pwm-sprd-ensure-configuring-period-and-duty_cycle-is.patch new file mode 100644 index 00000000000..6b909fe731d --- /dev/null +++ b/queue-5.13/pwm-sprd-ensure-configuring-period-and-duty_cycle-is.patch @@ -0,0 +1,51 @@ +From 532d2b8d4eb9874ee48994367547ba1985cceb90 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Jul 2021 10:27:51 +0200 +Subject: pwm: sprd: Ensure configuring period and duty_cycle isn't wrongly + skipped +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit 65e2e6c1c20104ed19060a38f4edbf14e9f9a9a5 ] + +As the last call to sprd_pwm_apply() might have exited early if +state->enabled was false, the values for period and duty_cycle stored in +pwm->state might not have been written to hardware and it must be +ensured that they are configured before enabling the PWM. + +Fixes: 8aae4b02e8a6 ("pwm: sprd: Add Spreadtrum PWM support") +Signed-off-by: Uwe Kleine-König +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/pwm/pwm-sprd.c | 11 ++++------- + 1 file changed, 4 insertions(+), 7 deletions(-) + +diff --git a/drivers/pwm/pwm-sprd.c b/drivers/pwm/pwm-sprd.c +index 98c479dfae31..3041f0b3bbb6 100644 +--- a/drivers/pwm/pwm-sprd.c ++++ b/drivers/pwm/pwm-sprd.c +@@ -183,13 +183,10 @@ static int sprd_pwm_apply(struct pwm_chip *chip, struct pwm_device *pwm, + } + } + +- if (state->period != cstate->period || +- state->duty_cycle != cstate->duty_cycle) { +- ret = sprd_pwm_config(spc, pwm, state->duty_cycle, +- state->period); +- if (ret) +- return ret; +- } ++ ret = sprd_pwm_config(spc, pwm, state->duty_cycle, ++ state->period); ++ if (ret) ++ return ret; + + sprd_pwm_write(spc, pwm->hwpwm, SPRD_PWM_ENABLE, 1); + } else if (cstate->enabled) { +-- +2.30.2 + diff --git a/queue-5.13/r8169-avoid-duplicate-sysfs-entry-creation-error.patch b/queue-5.13/r8169-avoid-duplicate-sysfs-entry-creation-error.patch new file mode 100644 index 00000000000..618dc248c3f --- /dev/null +++ b/queue-5.13/r8169-avoid-duplicate-sysfs-entry-creation-error.patch @@ -0,0 +1,55 @@ +From 60062f6eb37fb568d4d9e58d3d8056683864d209 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jul 2021 17:17:40 +0100 +Subject: r8169: Avoid duplicate sysfs entry creation error + +From: Sayanta Pattanayak + +[ Upstream commit e9a72f874d5b95cef0765bafc56005a50f72c5fe ] + +When registering the MDIO bus for a r8169 device, we use the PCI +bus/device specifier as a (seemingly) unique device identifier. +However the very same BDF number can be used on another PCI segment, +which makes the driver fail probing: + +[ 27.544136] r8169 0002:07:00.0: enabling device (0000 -> 0003) +[ 27.559734] sysfs: cannot create duplicate filename '/class/mdio_bus/r8169-700' +.... +[ 27.684858] libphy: mii_bus r8169-700 failed to register +[ 27.695602] r8169: probe of 0002:07:00.0 failed with error -22 + +Add the segment number to the device name to make it more unique. + +This fixes operation on ARM N1SDP boards, with two boards connected +together to form an SMP system, and all on-board devices showing up +twice, just on different PCI segments. A similar issue would occur on +large systems with many PCI slots and multiple RTL8169 NICs. + +Fixes: f1e911d5d0dfd ("r8169: add basic phylib support") +Signed-off-by: Sayanta Pattanayak +[Andre: expand commit message, use pci_domain_nr()] +Signed-off-by: Andre Przywara +Acked-by: Heiner Kallweit +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/realtek/r8169_main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c +index a0d4e052a79e..b8eb1b2a8de3 100644 +--- a/drivers/net/ethernet/realtek/r8169_main.c ++++ b/drivers/net/ethernet/realtek/r8169_main.c +@@ -5085,7 +5085,8 @@ static int r8169_mdio_register(struct rtl8169_private *tp) + new_bus->priv = tp; + new_bus->parent = &pdev->dev; + new_bus->irq[0] = PHY_MAC_INTERRUPT; +- snprintf(new_bus->id, MII_BUS_ID_SIZE, "r8169-%x", pci_dev_id(pdev)); ++ snprintf(new_bus->id, MII_BUS_ID_SIZE, "r8169-%x-%x", ++ pci_domain_nr(pdev->bus), pci_dev_id(pdev)); + + new_bus->read = r8169_mdio_read_reg; + new_bus->write = r8169_mdio_write_reg; +-- +2.30.2 + diff --git a/queue-5.13/regulator-hi6421-fix-getting-wrong-drvdata.patch b/queue-5.13/regulator-hi6421-fix-getting-wrong-drvdata.patch new file mode 100644 index 00000000000..4cc6c0efef3 --- /dev/null +++ b/queue-5.13/regulator-hi6421-fix-getting-wrong-drvdata.patch @@ -0,0 +1,119 @@ +From 3f491eb12e467487a2fd113634cb158401b92041 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Jun 2021 17:59:59 +0800 +Subject: regulator: hi6421: Fix getting wrong drvdata + +From: Axel Lin + +[ Upstream commit 1c73daee4bf30ccdff5e86dc400daa6f74735da5 ] + +Since config.dev = pdev->dev.parent in current code, so +dev_get_drvdata(rdev->dev.parent) call in hi6421_regulator_enable +returns the drvdata of the mfd device rather than the regulator. Fix it. + +This was broken while converting to use simplified DT parsing because the +config.dev changed from pdev->dev to pdev->dev.parent for parsing the +parent's of_node. + +Fixes: 29dc269a85ef ("regulator: hi6421: Convert to use simplified DT parsing") +Signed-off-by: Axel Lin +Link: https://lore.kernel.org/r/20210630095959.2411543-1-axel.lin@ingics.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/hi6421-regulator.c | 22 +++++++++++++--------- + 1 file changed, 13 insertions(+), 9 deletions(-) + +diff --git a/drivers/regulator/hi6421-regulator.c b/drivers/regulator/hi6421-regulator.c +index bff8c515dcde..d144a4bdb76d 100644 +--- a/drivers/regulator/hi6421-regulator.c ++++ b/drivers/regulator/hi6421-regulator.c +@@ -366,9 +366,8 @@ static struct hi6421_regulator_info + + static int hi6421_regulator_enable(struct regulator_dev *rdev) + { +- struct hi6421_regulator_pdata *pdata; ++ struct hi6421_regulator_pdata *pdata = rdev_get_drvdata(rdev); + +- pdata = dev_get_drvdata(rdev->dev.parent); + /* hi6421 spec requires regulator enablement must be serialized: + * - Because when BUCK, LDO switching from off to on, it will have + * a huge instantaneous current; so you can not turn on two or +@@ -385,9 +384,10 @@ static int hi6421_regulator_enable(struct regulator_dev *rdev) + + static unsigned int hi6421_regulator_ldo_get_mode(struct regulator_dev *rdev) + { +- struct hi6421_regulator_info *info = rdev_get_drvdata(rdev); ++ struct hi6421_regulator_info *info; + unsigned int reg_val; + ++ info = container_of(rdev->desc, struct hi6421_regulator_info, desc); + regmap_read(rdev->regmap, rdev->desc->enable_reg, ®_val); + if (reg_val & info->mode_mask) + return REGULATOR_MODE_IDLE; +@@ -397,9 +397,10 @@ static unsigned int hi6421_regulator_ldo_get_mode(struct regulator_dev *rdev) + + static unsigned int hi6421_regulator_buck_get_mode(struct regulator_dev *rdev) + { +- struct hi6421_regulator_info *info = rdev_get_drvdata(rdev); ++ struct hi6421_regulator_info *info; + unsigned int reg_val; + ++ info = container_of(rdev->desc, struct hi6421_regulator_info, desc); + regmap_read(rdev->regmap, rdev->desc->enable_reg, ®_val); + if (reg_val & info->mode_mask) + return REGULATOR_MODE_STANDBY; +@@ -410,9 +411,10 @@ static unsigned int hi6421_regulator_buck_get_mode(struct regulator_dev *rdev) + static int hi6421_regulator_ldo_set_mode(struct regulator_dev *rdev, + unsigned int mode) + { +- struct hi6421_regulator_info *info = rdev_get_drvdata(rdev); ++ struct hi6421_regulator_info *info; + unsigned int new_mode; + ++ info = container_of(rdev->desc, struct hi6421_regulator_info, desc); + switch (mode) { + case REGULATOR_MODE_NORMAL: + new_mode = 0; +@@ -434,9 +436,10 @@ static int hi6421_regulator_ldo_set_mode(struct regulator_dev *rdev, + static int hi6421_regulator_buck_set_mode(struct regulator_dev *rdev, + unsigned int mode) + { +- struct hi6421_regulator_info *info = rdev_get_drvdata(rdev); ++ struct hi6421_regulator_info *info; + unsigned int new_mode; + ++ info = container_of(rdev->desc, struct hi6421_regulator_info, desc); + switch (mode) { + case REGULATOR_MODE_NORMAL: + new_mode = 0; +@@ -459,7 +462,9 @@ static unsigned int + hi6421_regulator_ldo_get_optimum_mode(struct regulator_dev *rdev, + int input_uV, int output_uV, int load_uA) + { +- struct hi6421_regulator_info *info = rdev_get_drvdata(rdev); ++ struct hi6421_regulator_info *info; ++ ++ info = container_of(rdev->desc, struct hi6421_regulator_info, desc); + + if (load_uA > info->eco_microamp) + return REGULATOR_MODE_NORMAL; +@@ -543,14 +548,13 @@ static int hi6421_regulator_probe(struct platform_device *pdev) + if (!pdata) + return -ENOMEM; + mutex_init(&pdata->lock); +- platform_set_drvdata(pdev, pdata); + + for (i = 0; i < ARRAY_SIZE(hi6421_regulator_info); i++) { + /* assign per-regulator data */ + info = &hi6421_regulator_info[i]; + + config.dev = pdev->dev.parent; +- config.driver_data = info; ++ config.driver_data = pdata; + config.regmap = pmic->regmap; + + rdev = devm_regulator_register(&pdev->dev, &info->desc, +-- +2.30.2 + diff --git a/queue-5.13/regulator-hi6421-use-correct-variable-type-for-regma.patch b/queue-5.13/regulator-hi6421-use-correct-variable-type-for-regma.patch new file mode 100644 index 00000000000..c33c3a64934 --- /dev/null +++ b/queue-5.13/regulator-hi6421-use-correct-variable-type-for-regma.patch @@ -0,0 +1,64 @@ +From 4ede73473ab44fef23dcebab32fa608aa6a463d6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Jun 2021 20:41:33 +0800 +Subject: regulator: hi6421: Use correct variable type for regmap api val + argument + +From: Axel Lin + +[ Upstream commit ae60e6a9d24e89a74e2512204ad04de94921bdd2 ] + +Use unsigned int instead of u32 for regmap_read/regmap_update_bits val +argument. + +Signed-off-by: Axel Lin +Link: https://lore.kernel.org/r/20210619124133.4096683-1-axel.lin@ingics.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/hi6421-regulator.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/regulator/hi6421-regulator.c b/drivers/regulator/hi6421-regulator.c +index dc631c1a46b4..bff8c515dcde 100644 +--- a/drivers/regulator/hi6421-regulator.c ++++ b/drivers/regulator/hi6421-regulator.c +@@ -386,7 +386,7 @@ static int hi6421_regulator_enable(struct regulator_dev *rdev) + static unsigned int hi6421_regulator_ldo_get_mode(struct regulator_dev *rdev) + { + struct hi6421_regulator_info *info = rdev_get_drvdata(rdev); +- u32 reg_val; ++ unsigned int reg_val; + + regmap_read(rdev->regmap, rdev->desc->enable_reg, ®_val); + if (reg_val & info->mode_mask) +@@ -398,7 +398,7 @@ static unsigned int hi6421_regulator_ldo_get_mode(struct regulator_dev *rdev) + static unsigned int hi6421_regulator_buck_get_mode(struct regulator_dev *rdev) + { + struct hi6421_regulator_info *info = rdev_get_drvdata(rdev); +- u32 reg_val; ++ unsigned int reg_val; + + regmap_read(rdev->regmap, rdev->desc->enable_reg, ®_val); + if (reg_val & info->mode_mask) +@@ -411,7 +411,7 @@ static int hi6421_regulator_ldo_set_mode(struct regulator_dev *rdev, + unsigned int mode) + { + struct hi6421_regulator_info *info = rdev_get_drvdata(rdev); +- u32 new_mode; ++ unsigned int new_mode; + + switch (mode) { + case REGULATOR_MODE_NORMAL: +@@ -435,7 +435,7 @@ static int hi6421_regulator_buck_set_mode(struct regulator_dev *rdev, + unsigned int mode) + { + struct hi6421_regulator_info *info = rdev_get_drvdata(rdev); +- u32 new_mode; ++ unsigned int new_mode; + + switch (mode) { + case REGULATOR_MODE_NORMAL: +-- +2.30.2 + diff --git a/queue-5.13/revert-usb-quirks-ignore-remote-wake-up-on-fibocom-l.patch b/queue-5.13/revert-usb-quirks-ignore-remote-wake-up-on-fibocom-l.patch new file mode 100644 index 00000000000..0f3df26c5e1 --- /dev/null +++ b/queue-5.13/revert-usb-quirks-ignore-remote-wake-up-on-fibocom-l.patch @@ -0,0 +1,56 @@ +From 3eb6ea52bc28b00a79422675b42bfb8cf57362ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jul 2021 11:25:16 +0200 +Subject: Revert "USB: quirks: ignore remote wake-up on Fibocom L850-GL LTE + modem" + +From: Vincent Palatin + +[ Upstream commit f3a1a937f7b240be623d989c8553a6d01465d04f ] + +This reverts commit 0bd860493f81eb2a46173f6f5e44cc38331c8dbd. + +While the patch was working as stated,ie preventing the L850-GL LTE modem +from crashing on some U3 wake-ups due to a race condition between the +host wake-up and the modem-side wake-up, when using the MBIM interface, +this would force disabling the USB runtime PM on the device. + +The increased power consumption is significant for LTE laptops, +and given that with decently recent modem firmwares, when the modem hits +the bug, it automatically recovers (ie it drops from the bus, but +automatically re-enumerates after less than half a second, rather than being +stuck until a power cycle as it was doing with ancient firmware), for +most people, the trade-off now seems in favor of re-enabling it by +default. + +For people with access to the platform code, the bug can also be worked-around +successfully by changing the USB3 LFPM polling off-time for the XHCI +controller in the BIOS code. + +Signed-off-by: Vincent Palatin +Link: https://lore.kernel.org/r/20210721092516.2775971-1-vpalatin@chromium.org +Fixes: 0bd860493f81 ("USB: quirks: ignore remote wake-up on Fibocom L850-GL LTE modem") +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/core/quirks.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c +index 21e7522655ac..a54a735b6384 100644 +--- a/drivers/usb/core/quirks.c ++++ b/drivers/usb/core/quirks.c +@@ -502,10 +502,6 @@ static const struct usb_device_id usb_quirk_list[] = { + /* DJI CineSSD */ + { USB_DEVICE(0x2ca3, 0x0031), .driver_info = USB_QUIRK_NO_LPM }, + +- /* Fibocom L850-GL LTE Modem */ +- { USB_DEVICE(0x2cb7, 0x0007), .driver_info = +- USB_QUIRK_IGNORE_REMOTE_WAKEUP }, +- + /* INTEL VALUE SSD */ + { USB_DEVICE(0x8086, 0xf1a5), .driver_info = USB_QUIRK_RESET_RESUME }, + +-- +2.30.2 + diff --git a/queue-5.13/risc-v-load-initrd-wherever-it-fits-into-memory.patch b/queue-5.13/risc-v-load-initrd-wherever-it-fits-into-memory.patch new file mode 100644 index 00000000000..b81cc167d69 --- /dev/null +++ b/queue-5.13/risc-v-load-initrd-wherever-it-fits-into-memory.patch @@ -0,0 +1,46 @@ +From 466b30138b3e9cb57189bf8c86291241ae97f297 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Jun 2021 15:40:18 +0200 +Subject: RISC-V: load initrd wherever it fits into memory + +From: Heinrich Schuchardt + +[ Upstream commit c79e89ecaa246c880292ba68cbe08c9c30db77e3 ] + +Requiring that initrd is loaded below RAM start + 256 MiB led to failure +to boot SUSE Linux with GRUB on QEMU, cf. +https://lists.gnu.org/archive/html/grub-devel/2021-06/msg00037.html + +Remove the constraint. + +Reported-by: Andreas Schwab +Signed-off-by: Heinrich Schuchardt +Reviewed-by: Atish Patra +Acked-by: Ard Biesheuvel +Fixes: d7071743db31 ("RISC-V: Add EFI stub support.") +Signed-off-by: Palmer Dabbelt +Signed-off-by: Sasha Levin +--- + arch/riscv/include/asm/efi.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/riscv/include/asm/efi.h b/arch/riscv/include/asm/efi.h +index 6d98cd999680..7b3483ba2e84 100644 +--- a/arch/riscv/include/asm/efi.h ++++ b/arch/riscv/include/asm/efi.h +@@ -27,10 +27,10 @@ int efi_set_mapping_permissions(struct mm_struct *mm, efi_memory_desc_t *md); + + #define ARCH_EFI_IRQ_FLAGS_MASK (SR_IE | SR_SPIE) + +-/* Load initrd at enough distance from DRAM start */ ++/* Load initrd anywhere in system RAM */ + static inline unsigned long efi_get_max_initrd_addr(unsigned long image_addr) + { +- return image_addr + SZ_256M; ++ return ULONG_MAX; + } + + #define alloc_screen_info(x...) (&screen_info) +-- +2.30.2 + diff --git a/queue-5.13/riscv-fix-32-bit-risc-v-boot-failure.patch b/queue-5.13/riscv-fix-32-bit-risc-v-boot-failure.patch new file mode 100644 index 00000000000..bac7b7fa382 --- /dev/null +++ b/queue-5.13/riscv-fix-32-bit-risc-v-boot-failure.patch @@ -0,0 +1,52 @@ +From f754e1456505a7a04b3b949f50f12565f768a106 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 27 Jun 2021 21:51:17 +0800 +Subject: riscv: Fix 32-bit RISC-V boot failure + +From: Bin Meng + +[ Upstream commit d0e4dae74470fb709fc0ab61862c317938f4cc4d ] + +Commit dd2d082b5760 ("riscv: Cleanup setup_bootmem()") adjusted +the calling sequence in setup_bootmem(), which invalidates the fix +commit de043da0b9e7 ("RISC-V: Fix usage of memblock_enforce_memory_limit") +did for 32-bit RISC-V unfortunately. + +So now 32-bit RISC-V does not boot again when testing booting kernel +on QEMU 'virt' with '-m 2G', which was exactly what the original +commit de043da0b9e7 ("RISC-V: Fix usage of memblock_enforce_memory_limit") +tried to fix. + +Fixes: dd2d082b5760 ("riscv: Cleanup setup_bootmem()") +Signed-off-by: Bin Meng +Signed-off-by: Palmer Dabbelt +Signed-off-by: Sasha Levin +--- + arch/riscv/mm/init.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/arch/riscv/mm/init.c b/arch/riscv/mm/init.c +index 4c4c92ce0bb8..9b23b95c50cf 100644 +--- a/arch/riscv/mm/init.c ++++ b/arch/riscv/mm/init.c +@@ -123,7 +123,7 @@ void __init setup_bootmem(void) + { + phys_addr_t vmlinux_end = __pa_symbol(&_end); + phys_addr_t vmlinux_start = __pa_symbol(&_start); +- phys_addr_t dram_end = memblock_end_of_DRAM(); ++ phys_addr_t dram_end; + phys_addr_t max_mapped_addr = __pa(~(ulong)0); + + #ifdef CONFIG_XIP_KERNEL +@@ -146,6 +146,8 @@ void __init setup_bootmem(void) + #endif + memblock_reserve(vmlinux_start, vmlinux_end - vmlinux_start); + ++ dram_end = memblock_end_of_DRAM(); ++ + /* + * memblock allocator is not aware of the fact that last 4K bytes of + * the addressable memory can not be mapped because of IS_ERR_VALUE +-- +2.30.2 + diff --git a/queue-5.13/s390-bpf-perform-r1-range-checking-before-accessing-.patch b/queue-5.13/s390-bpf-perform-r1-range-checking-before-accessing-.patch new file mode 100644 index 00000000000..59371440673 --- /dev/null +++ b/queue-5.13/s390-bpf-perform-r1-range-checking-before-accessing-.patch @@ -0,0 +1,44 @@ +From e8b00c95c9eb15a63fc60ab51b361640b6006594 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jul 2021 13:57:12 +0100 +Subject: s390/bpf: Perform r1 range checking before accessing + jit->seen_reg[r1] + +From: Colin Ian King + +[ Upstream commit 91091656252f5d6d8c476e0c92776ce9fae7b445 ] + +Currently array jit->seen_reg[r1] is being accessed before the range +checking of index r1. The range changing on r1 should be performed +first since it will avoid any potential out-of-range accesses on the +array seen_reg[] and also it is more optimal to perform checks on r1 +before fetching data from the array. Fix this by swapping the order +of the checks before the array access. + +Fixes: 054623105728 ("s390/bpf: Add s390x eBPF JIT compiler backend") +Signed-off-by: Colin Ian King +Signed-off-by: Daniel Borkmann +Tested-by: Ilya Leoshkevich +Acked-by: Ilya Leoshkevich +Link: https://lore.kernel.org/bpf/20210715125712.24690-1-colin.king@canonical.com +Signed-off-by: Sasha Levin +--- + arch/s390/net/bpf_jit_comp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c +index 63cae0476bb4..2ae419f5115a 100644 +--- a/arch/s390/net/bpf_jit_comp.c ++++ b/arch/s390/net/bpf_jit_comp.c +@@ -112,7 +112,7 @@ static inline void reg_set_seen(struct bpf_jit *jit, u32 b1) + { + u32 r1 = reg2hex[b1]; + +- if (!jit->seen_reg[r1] && r1 >= 6 && r1 <= 15) ++ if (r1 >= 6 && r1 <= 15 && !jit->seen_reg[r1]) + jit->seen_reg[r1] = 1; + } + +-- +2.30.2 + diff --git a/queue-5.13/scsi-iscsi-fix-iface-sysfs-attr-detection.patch b/queue-5.13/scsi-iscsi-fix-iface-sysfs-attr-detection.patch new file mode 100644 index 00000000000..1318e0679b4 --- /dev/null +++ b/queue-5.13/scsi-iscsi-fix-iface-sysfs-attr-detection.patch @@ -0,0 +1,146 @@ +From 1c8e4e209c84b84731ed68db1fc2947847f077e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Jun 2021 19:25:59 -0500 +Subject: scsi: iscsi: Fix iface sysfs attr detection + +From: Mike Christie + +[ Upstream commit e746f3451ec7f91dcc9fd67a631239c715850a34 ] + +A ISCSI_IFACE_PARAM can have the same value as a ISCSI_NET_PARAM so when +iscsi_iface_attr_is_visible tries to figure out the type by just checking +the value, we can collide and return the wrong type. When we call into the +driver we might not match and return that we don't want attr visible in +sysfs. The patch fixes this by setting the type when we figure out what the +param is. + +Link: https://lore.kernel.org/r/20210701002559.89533-1-michael.christie@oracle.com +Fixes: 3e0f65b34cc9 ("[SCSI] iscsi_transport: Additional parameters for network settings") +Signed-off-by: Mike Christie +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_transport_iscsi.c | 90 +++++++++++------------------ + 1 file changed, 34 insertions(+), 56 deletions(-) + +diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c +index b07105ae7c91..d8b05d8b5470 100644 +--- a/drivers/scsi/scsi_transport_iscsi.c ++++ b/drivers/scsi/scsi_transport_iscsi.c +@@ -439,39 +439,10 @@ static umode_t iscsi_iface_attr_is_visible(struct kobject *kobj, + struct device *dev = container_of(kobj, struct device, kobj); + struct iscsi_iface *iface = iscsi_dev_to_iface(dev); + struct iscsi_transport *t = iface->transport; +- int param; +- int param_type; ++ int param = -1; + + if (attr == &dev_attr_iface_enabled.attr) + param = ISCSI_NET_PARAM_IFACE_ENABLE; +- else if (attr == &dev_attr_iface_vlan_id.attr) +- param = ISCSI_NET_PARAM_VLAN_ID; +- else if (attr == &dev_attr_iface_vlan_priority.attr) +- param = ISCSI_NET_PARAM_VLAN_PRIORITY; +- else if (attr == &dev_attr_iface_vlan_enabled.attr) +- param = ISCSI_NET_PARAM_VLAN_ENABLED; +- else if (attr == &dev_attr_iface_mtu.attr) +- param = ISCSI_NET_PARAM_MTU; +- else if (attr == &dev_attr_iface_port.attr) +- param = ISCSI_NET_PARAM_PORT; +- else if (attr == &dev_attr_iface_ipaddress_state.attr) +- param = ISCSI_NET_PARAM_IPADDR_STATE; +- else if (attr == &dev_attr_iface_delayed_ack_en.attr) +- param = ISCSI_NET_PARAM_DELAYED_ACK_EN; +- else if (attr == &dev_attr_iface_tcp_nagle_disable.attr) +- param = ISCSI_NET_PARAM_TCP_NAGLE_DISABLE; +- else if (attr == &dev_attr_iface_tcp_wsf_disable.attr) +- param = ISCSI_NET_PARAM_TCP_WSF_DISABLE; +- else if (attr == &dev_attr_iface_tcp_wsf.attr) +- param = ISCSI_NET_PARAM_TCP_WSF; +- else if (attr == &dev_attr_iface_tcp_timer_scale.attr) +- param = ISCSI_NET_PARAM_TCP_TIMER_SCALE; +- else if (attr == &dev_attr_iface_tcp_timestamp_en.attr) +- param = ISCSI_NET_PARAM_TCP_TIMESTAMP_EN; +- else if (attr == &dev_attr_iface_cache_id.attr) +- param = ISCSI_NET_PARAM_CACHE_ID; +- else if (attr == &dev_attr_iface_redirect_en.attr) +- param = ISCSI_NET_PARAM_REDIRECT_EN; + else if (attr == &dev_attr_iface_def_taskmgmt_tmo.attr) + param = ISCSI_IFACE_PARAM_DEF_TASKMGMT_TMO; + else if (attr == &dev_attr_iface_header_digest.attr) +@@ -508,6 +479,38 @@ static umode_t iscsi_iface_attr_is_visible(struct kobject *kobj, + param = ISCSI_IFACE_PARAM_STRICT_LOGIN_COMP_EN; + else if (attr == &dev_attr_iface_initiator_name.attr) + param = ISCSI_IFACE_PARAM_INITIATOR_NAME; ++ ++ if (param != -1) ++ return t->attr_is_visible(ISCSI_IFACE_PARAM, param); ++ ++ if (attr == &dev_attr_iface_vlan_id.attr) ++ param = ISCSI_NET_PARAM_VLAN_ID; ++ else if (attr == &dev_attr_iface_vlan_priority.attr) ++ param = ISCSI_NET_PARAM_VLAN_PRIORITY; ++ else if (attr == &dev_attr_iface_vlan_enabled.attr) ++ param = ISCSI_NET_PARAM_VLAN_ENABLED; ++ else if (attr == &dev_attr_iface_mtu.attr) ++ param = ISCSI_NET_PARAM_MTU; ++ else if (attr == &dev_attr_iface_port.attr) ++ param = ISCSI_NET_PARAM_PORT; ++ else if (attr == &dev_attr_iface_ipaddress_state.attr) ++ param = ISCSI_NET_PARAM_IPADDR_STATE; ++ else if (attr == &dev_attr_iface_delayed_ack_en.attr) ++ param = ISCSI_NET_PARAM_DELAYED_ACK_EN; ++ else if (attr == &dev_attr_iface_tcp_nagle_disable.attr) ++ param = ISCSI_NET_PARAM_TCP_NAGLE_DISABLE; ++ else if (attr == &dev_attr_iface_tcp_wsf_disable.attr) ++ param = ISCSI_NET_PARAM_TCP_WSF_DISABLE; ++ else if (attr == &dev_attr_iface_tcp_wsf.attr) ++ param = ISCSI_NET_PARAM_TCP_WSF; ++ else if (attr == &dev_attr_iface_tcp_timer_scale.attr) ++ param = ISCSI_NET_PARAM_TCP_TIMER_SCALE; ++ else if (attr == &dev_attr_iface_tcp_timestamp_en.attr) ++ param = ISCSI_NET_PARAM_TCP_TIMESTAMP_EN; ++ else if (attr == &dev_attr_iface_cache_id.attr) ++ param = ISCSI_NET_PARAM_CACHE_ID; ++ else if (attr == &dev_attr_iface_redirect_en.attr) ++ param = ISCSI_NET_PARAM_REDIRECT_EN; + else if (iface->iface_type == ISCSI_IFACE_TYPE_IPV4) { + if (attr == &dev_attr_ipv4_iface_ipaddress.attr) + param = ISCSI_NET_PARAM_IPV4_ADDR; +@@ -598,32 +601,7 @@ static umode_t iscsi_iface_attr_is_visible(struct kobject *kobj, + return 0; + } + +- switch (param) { +- case ISCSI_IFACE_PARAM_DEF_TASKMGMT_TMO: +- case ISCSI_IFACE_PARAM_HDRDGST_EN: +- case ISCSI_IFACE_PARAM_DATADGST_EN: +- case ISCSI_IFACE_PARAM_IMM_DATA_EN: +- case ISCSI_IFACE_PARAM_INITIAL_R2T_EN: +- case ISCSI_IFACE_PARAM_DATASEQ_INORDER_EN: +- case ISCSI_IFACE_PARAM_PDU_INORDER_EN: +- case ISCSI_IFACE_PARAM_ERL: +- case ISCSI_IFACE_PARAM_MAX_RECV_DLENGTH: +- case ISCSI_IFACE_PARAM_FIRST_BURST: +- case ISCSI_IFACE_PARAM_MAX_R2T: +- case ISCSI_IFACE_PARAM_MAX_BURST: +- case ISCSI_IFACE_PARAM_CHAP_AUTH_EN: +- case ISCSI_IFACE_PARAM_BIDI_CHAP_EN: +- case ISCSI_IFACE_PARAM_DISCOVERY_AUTH_OPTIONAL: +- case ISCSI_IFACE_PARAM_DISCOVERY_LOGOUT_EN: +- case ISCSI_IFACE_PARAM_STRICT_LOGIN_COMP_EN: +- case ISCSI_IFACE_PARAM_INITIATOR_NAME: +- param_type = ISCSI_IFACE_PARAM; +- break; +- default: +- param_type = ISCSI_NET_PARAM; +- } +- +- return t->attr_is_visible(param_type, param); ++ return t->attr_is_visible(ISCSI_NET_PARAM, param); + } + + static struct attribute *iscsi_iface_attrs[] = { +-- +2.30.2 + diff --git a/queue-5.13/scsi-target-fix-null-dereference-on-xcopy-completion.patch b/queue-5.13/scsi-target-fix-null-dereference-on-xcopy-completion.patch new file mode 100644 index 00000000000..6e6a1cccfa1 --- /dev/null +++ b/queue-5.13/scsi-target-fix-null-dereference-on-xcopy-completion.patch @@ -0,0 +1,66 @@ +From e588e16f0f8644bda153699767cfe75ad72e98de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jul 2021 00:55:22 +0200 +Subject: scsi: target: Fix NULL dereference on XCOPY completion + +From: David Disseldorp + +[ Upstream commit a47fa41381a09e5997afd762664db4f5f6657e03 ] + +CPU affinity control added with commit 39ae3edda325 ("scsi: target: core: +Make completion affinity configurable") makes target_complete_cmd() queue +work on a CPU based on se_tpg->se_tpg_wwn->cmd_compl_affinity state. + +LIO's EXTENDED COPY worker is a special case in that read/write cmds are +dispatched using the global xcopy_pt_tpg, which carries a NULL se_tpg_wwn +pointer following initialization in target_xcopy_setup_pt(). + +The NULL xcopy_pt_tpg->se_tpg_wwn pointer is dereferenced on completion of +any EXTENDED COPY initiated read/write cmds. E.g using the libiscsi +SCSI.ExtendedCopy.Simple test: + + BUG: kernel NULL pointer dereference, address: 00000000000001a8 + RIP: 0010:target_complete_cmd+0x9d/0x130 [target_core_mod] + Call Trace: + fd_execute_rw+0x148/0x42a [target_core_file] + ? __dynamic_pr_debug+0xa7/0xe0 + ? target_check_reservation+0x5b/0x940 [target_core_mod] + __target_execute_cmd+0x1e/0x90 [target_core_mod] + transport_generic_new_cmd+0x17c/0x330 [target_core_mod] + target_xcopy_issue_pt_cmd+0x9/0x60 [target_core_mod] + target_xcopy_read_source.isra.7+0x10b/0x1b0 [target_core_mod] + ? target_check_fua+0x40/0x40 [target_core_mod] + ? transport_complete_task_attr+0x130/0x130 [target_core_mod] + target_xcopy_do_work+0x61f/0xc00 [target_core_mod] + +This fix makes target_complete_cmd() queue work on se_cmd->cpuid if +se_tpg_wwn is NULL. + +Link: https://lore.kernel.org/r/20210720225522.26291-1-ddiss@suse.de +Fixes: 39ae3edda325 ("scsi: target: core: Make completion affinity configurable") +Cc: Lee Duncan +Cc: Mike Christie +Reviewed-by: Mike Christie +Signed-off-by: David Disseldorp +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/target_core_transport.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c +index 7e35eddd9eb7..26ceabe34de5 100644 +--- a/drivers/target/target_core_transport.c ++++ b/drivers/target/target_core_transport.c +@@ -886,7 +886,7 @@ void target_complete_cmd(struct se_cmd *cmd, u8 scsi_status) + INIT_WORK(&cmd->work, success ? target_complete_ok_work : + target_complete_failure_work); + +- if (wwn->cmd_compl_affinity == SE_COMPL_AFFINITY_CPUID) ++ if (!wwn || wwn->cmd_compl_affinity == SE_COMPL_AFFINITY_CPUID) + cpu = cmd->cpuid; + else + cpu = wwn->cmd_compl_affinity; +-- +2.30.2 + diff --git a/queue-5.13/scsi-target-fix-protect-handling-in-write-same-32.patch b/queue-5.13/scsi-target-fix-protect-handling-in-write-same-32.patch new file mode 100644 index 00000000000..9f79cdc613d --- /dev/null +++ b/queue-5.13/scsi-target-fix-protect-handling-in-write-same-32.patch @@ -0,0 +1,183 @@ +From 5568ae84761eef3be8d8ceb2c2e9ac61f864d065 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Jul 2021 12:16:55 +0300 +Subject: scsi: target: Fix protect handling in WRITE SAME(32) + +From: Dmitry Bogdanov + +[ Upstream commit 6d8e7e7c932162bccd06872362751b0e1d76f5af ] + +WRITE SAME(32) command handling reads WRPROTECT at the wrong offset in 1st +byte instead of 10th byte. + +Link: https://lore.kernel.org/r/20210702091655.22818-1-d.bogdanov@yadro.com +Fixes: afd73f1b60fc ("target: Perform PROTECT sanity checks for WRITE_SAME") +Signed-off-by: Dmitry Bogdanov +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/target_core_sbc.c | 35 ++++++++++++++++---------------- + 1 file changed, 17 insertions(+), 18 deletions(-) + +diff --git a/drivers/target/target_core_sbc.c b/drivers/target/target_core_sbc.c +index 7b07e557dc8d..6594bb0b9df0 100644 +--- a/drivers/target/target_core_sbc.c ++++ b/drivers/target/target_core_sbc.c +@@ -25,7 +25,7 @@ + #include "target_core_alua.h" + + static sense_reason_t +-sbc_check_prot(struct se_device *, struct se_cmd *, unsigned char *, u32, bool); ++sbc_check_prot(struct se_device *, struct se_cmd *, unsigned char, u32, bool); + static sense_reason_t sbc_execute_unmap(struct se_cmd *cmd); + + static sense_reason_t +@@ -279,14 +279,14 @@ static inline unsigned long long transport_lba_64_ext(unsigned char *cdb) + } + + static sense_reason_t +-sbc_setup_write_same(struct se_cmd *cmd, unsigned char *flags, struct sbc_ops *ops) ++sbc_setup_write_same(struct se_cmd *cmd, unsigned char flags, struct sbc_ops *ops) + { + struct se_device *dev = cmd->se_dev; + sector_t end_lba = dev->transport->get_blocks(dev) + 1; + unsigned int sectors = sbc_get_write_same_sectors(cmd); + sense_reason_t ret; + +- if ((flags[0] & 0x04) || (flags[0] & 0x02)) { ++ if ((flags & 0x04) || (flags & 0x02)) { + pr_err("WRITE_SAME PBDATA and LBDATA" + " bits not supported for Block Discard" + " Emulation\n"); +@@ -308,7 +308,7 @@ sbc_setup_write_same(struct se_cmd *cmd, unsigned char *flags, struct sbc_ops *o + } + + /* We always have ANC_SUP == 0 so setting ANCHOR is always an error */ +- if (flags[0] & 0x10) { ++ if (flags & 0x10) { + pr_warn("WRITE SAME with ANCHOR not supported\n"); + return TCM_INVALID_CDB_FIELD; + } +@@ -316,7 +316,7 @@ sbc_setup_write_same(struct se_cmd *cmd, unsigned char *flags, struct sbc_ops *o + * Special case for WRITE_SAME w/ UNMAP=1 that ends up getting + * translated into block discard requests within backend code. + */ +- if (flags[0] & 0x08) { ++ if (flags & 0x08) { + if (!ops->execute_unmap) + return TCM_UNSUPPORTED_SCSI_OPCODE; + +@@ -331,7 +331,7 @@ sbc_setup_write_same(struct se_cmd *cmd, unsigned char *flags, struct sbc_ops *o + if (!ops->execute_write_same) + return TCM_UNSUPPORTED_SCSI_OPCODE; + +- ret = sbc_check_prot(dev, cmd, &cmd->t_task_cdb[0], sectors, true); ++ ret = sbc_check_prot(dev, cmd, flags >> 5, sectors, true); + if (ret) + return ret; + +@@ -717,10 +717,9 @@ sbc_set_prot_op_checks(u8 protect, bool fabric_prot, enum target_prot_type prot_ + } + + static sense_reason_t +-sbc_check_prot(struct se_device *dev, struct se_cmd *cmd, unsigned char *cdb, ++sbc_check_prot(struct se_device *dev, struct se_cmd *cmd, unsigned char protect, + u32 sectors, bool is_write) + { +- u8 protect = cdb[1] >> 5; + int sp_ops = cmd->se_sess->sup_prot_ops; + int pi_prot_type = dev->dev_attrib.pi_prot_type; + bool fabric_prot = false; +@@ -768,7 +767,7 @@ sbc_check_prot(struct se_device *dev, struct se_cmd *cmd, unsigned char *cdb, + fallthrough; + default: + pr_err("Unable to determine pi_prot_type for CDB: 0x%02x " +- "PROTECT: 0x%02x\n", cdb[0], protect); ++ "PROTECT: 0x%02x\n", cmd->t_task_cdb[0], protect); + return TCM_INVALID_CDB_FIELD; + } + +@@ -843,7 +842,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops) + if (sbc_check_dpofua(dev, cmd, cdb)) + return TCM_INVALID_CDB_FIELD; + +- ret = sbc_check_prot(dev, cmd, cdb, sectors, false); ++ ret = sbc_check_prot(dev, cmd, cdb[1] >> 5, sectors, false); + if (ret) + return ret; + +@@ -857,7 +856,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops) + if (sbc_check_dpofua(dev, cmd, cdb)) + return TCM_INVALID_CDB_FIELD; + +- ret = sbc_check_prot(dev, cmd, cdb, sectors, false); ++ ret = sbc_check_prot(dev, cmd, cdb[1] >> 5, sectors, false); + if (ret) + return ret; + +@@ -871,7 +870,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops) + if (sbc_check_dpofua(dev, cmd, cdb)) + return TCM_INVALID_CDB_FIELD; + +- ret = sbc_check_prot(dev, cmd, cdb, sectors, false); ++ ret = sbc_check_prot(dev, cmd, cdb[1] >> 5, sectors, false); + if (ret) + return ret; + +@@ -892,7 +891,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops) + if (sbc_check_dpofua(dev, cmd, cdb)) + return TCM_INVALID_CDB_FIELD; + +- ret = sbc_check_prot(dev, cmd, cdb, sectors, true); ++ ret = sbc_check_prot(dev, cmd, cdb[1] >> 5, sectors, true); + if (ret) + return ret; + +@@ -906,7 +905,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops) + if (sbc_check_dpofua(dev, cmd, cdb)) + return TCM_INVALID_CDB_FIELD; + +- ret = sbc_check_prot(dev, cmd, cdb, sectors, true); ++ ret = sbc_check_prot(dev, cmd, cdb[1] >> 5, sectors, true); + if (ret) + return ret; + +@@ -921,7 +920,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops) + if (sbc_check_dpofua(dev, cmd, cdb)) + return TCM_INVALID_CDB_FIELD; + +- ret = sbc_check_prot(dev, cmd, cdb, sectors, true); ++ ret = sbc_check_prot(dev, cmd, cdb[1] >> 5, sectors, true); + if (ret) + return ret; + +@@ -980,7 +979,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops) + size = sbc_get_size(cmd, 1); + cmd->t_task_lba = get_unaligned_be64(&cdb[12]); + +- ret = sbc_setup_write_same(cmd, &cdb[10], ops); ++ ret = sbc_setup_write_same(cmd, cdb[10], ops); + if (ret) + return ret; + break; +@@ -1079,7 +1078,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops) + size = sbc_get_size(cmd, 1); + cmd->t_task_lba = get_unaligned_be64(&cdb[2]); + +- ret = sbc_setup_write_same(cmd, &cdb[1], ops); ++ ret = sbc_setup_write_same(cmd, cdb[1], ops); + if (ret) + return ret; + break; +@@ -1097,7 +1096,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops) + * Follow sbcr26 with WRITE_SAME (10) and check for the existence + * of byte 1 bit 3 UNMAP instead of original reserved field + */ +- ret = sbc_setup_write_same(cmd, &cdb[1], ops); ++ ret = sbc_setup_write_same(cmd, cdb[1], ops); + if (ret) + return ret; + break; +-- +2.30.2 + diff --git a/queue-5.13/sctp-trim-optlen-when-it-s-a-huge-value-in-sctp_sets.patch b/queue-5.13/sctp-trim-optlen-when-it-s-a-huge-value-in-sctp_sets.patch new file mode 100644 index 00000000000..fc113c03d9e --- /dev/null +++ b/queue-5.13/sctp-trim-optlen-when-it-s-a-huge-value-in-sctp_sets.patch @@ -0,0 +1,51 @@ +From 567efd3b001b1d7a6a8d9d0388cfa750d8d59aae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 17 Jul 2021 17:19:19 -0400 +Subject: sctp: trim optlen when it's a huge value in sctp_setsockopt + +From: Xin Long + +[ Upstream commit 2f3fdd8d4805015fa964807e1c7f3d88f31bd389 ] + +After commit ca84bd058dae ("sctp: copy the optval from user space in +sctp_setsockopt"), it does memory allocation in sctp_setsockopt with +the optlen, and it would fail the allocation and return error if the +optlen from user space is a huge value. + +This breaks some sockopts, like SCTP_HMAC_IDENT, SCTP_RESET_STREAMS and +SCTP_AUTH_KEY, as when processing these sockopts before, optlen would +be trimmed to a biggest value it needs when optlen is a huge value, +instead of failing the allocation and returning error. + +This patch is to fix the allocation failure when it's a huge optlen from +user space by trimming it to the biggest size sctp sockopt may need when +necessary, and this biggest size is from sctp_setsockopt_reset_streams() +for SCTP_RESET_STREAMS, which is bigger than those for SCTP_HMAC_IDENT +and SCTP_AUTH_KEY. + +Fixes: ca84bd058dae ("sctp: copy the optval from user space in sctp_setsockopt") +Signed-off-by: Xin Long +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sctp/socket.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/sctp/socket.c b/net/sctp/socket.c +index a79d193ff872..dbd074f4d450 100644 +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -4521,6 +4521,10 @@ static int sctp_setsockopt(struct sock *sk, int level, int optname, + } + + if (optlen > 0) { ++ /* Trim it to the biggest size sctp sockopt may need if necessary */ ++ optlen = min_t(unsigned int, optlen, ++ PAGE_ALIGN(USHRT_MAX + ++ sizeof(__u16) * sizeof(struct sctp_reset_streams))); + kopt = memdup_sockptr(optval, optlen); + if (IS_ERR(kopt)) + return PTR_ERR(kopt); +-- +2.30.2 + diff --git a/queue-5.13/sctp-update-active_key-for-asoc-when-old-key-is-bein.patch b/queue-5.13/sctp-update-active_key-for-asoc-when-old-key-is-bein.patch new file mode 100644 index 00000000000..860d0073f21 --- /dev/null +++ b/queue-5.13/sctp-update-active_key-for-asoc-when-old-key-is-bein.patch @@ -0,0 +1,55 @@ +From 3bb2712ad81c878bf0f568b01ff381cd7ef6c24e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jul 2021 16:07:01 -0400 +Subject: sctp: update active_key for asoc when old key is being replaced + +From: Xin Long + +[ Upstream commit 58acd10092268831e49de279446c314727101292 ] + +syzbot reported a call trace: + + BUG: KASAN: use-after-free in sctp_auth_shkey_hold+0x22/0xa0 net/sctp/auth.c:112 + Call Trace: + sctp_auth_shkey_hold+0x22/0xa0 net/sctp/auth.c:112 + sctp_set_owner_w net/sctp/socket.c:131 [inline] + sctp_sendmsg_to_asoc+0x152e/0x2180 net/sctp/socket.c:1865 + sctp_sendmsg+0x103b/0x1d30 net/sctp/socket.c:2027 + inet_sendmsg+0x99/0xe0 net/ipv4/af_inet.c:821 + sock_sendmsg_nosec net/socket.c:703 [inline] + sock_sendmsg+0xcf/0x120 net/socket.c:723 + +This is an use-after-free issue caused by not updating asoc->shkey after +it was replaced in the key list asoc->endpoint_shared_keys, and the old +key was freed. + +This patch is to fix by also updating active_key for asoc when old key is +being replaced with a new one. Note that this issue doesn't exist in +sctp_auth_del_key_id(), as it's not allowed to delete the active_key +from the asoc. + +Fixes: 1b1e0bc99474 ("sctp: add refcnt support for sh_key") +Reported-by: syzbot+b774577370208727d12b@syzkaller.appspotmail.com +Signed-off-by: Xin Long +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sctp/auth.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/sctp/auth.c b/net/sctp/auth.c +index 6f8319b828b0..fe74c5f95630 100644 +--- a/net/sctp/auth.c ++++ b/net/sctp/auth.c +@@ -860,6 +860,8 @@ int sctp_auth_set_key(struct sctp_endpoint *ep, + if (replace) { + list_del_init(&shkey->key_list); + sctp_auth_shkey_release(shkey); ++ if (asoc && asoc->active_key_id == auth_key->sca_keynumber) ++ sctp_auth_asoc_init_active_key(asoc, GFP_KERNEL); + } + list_add(&cur_key->key_list, sh_keys); + +-- +2.30.2 + diff --git a/queue-5.13/selftests-icmp_redirect-ipv6-pmtu-info-should-be-cle.patch b/queue-5.13/selftests-icmp_redirect-ipv6-pmtu-info-should-be-cle.patch new file mode 100644 index 00000000000..24cc3b42de4 --- /dev/null +++ b/queue-5.13/selftests-icmp_redirect-ipv6-pmtu-info-should-be-cle.patch @@ -0,0 +1,45 @@ +From 18416bbbabf3f281e26fe9e62527d94a7d7da506 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Jul 2021 16:15:30 +0800 +Subject: selftests: icmp_redirect: IPv6 PMTU info should be cleared after + redirect + +From: Hangbin Liu + +[ Upstream commit 0e02bf5de46ae30074a2e1a8194a422a84482a1a ] + +After redirecting, it's already a new path. So the old PMTU info should +be cleared. The IPv6 test "mtu exception plus redirect" should only +has redirect info without old PMTU. + +The IPv4 test can not be changed because of legacy. + +Fixes: ec8105352869 ("selftests: Add redirect tests") +Signed-off-by: Hangbin Liu +Reviewed-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/icmp_redirect.sh | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/net/icmp_redirect.sh b/tools/testing/selftests/net/icmp_redirect.sh +index bfcabee50155..104a7a5f13b1 100755 +--- a/tools/testing/selftests/net/icmp_redirect.sh ++++ b/tools/testing/selftests/net/icmp_redirect.sh +@@ -309,9 +309,10 @@ check_exception() + fi + log_test $? 0 "IPv4: ${desc}" + +- if [ "$with_redirect" = "yes" ]; then ++ # No PMTU info for test "redirect" and "mtu exception plus redirect" ++ if [ "$with_redirect" = "yes" ] && [ "$desc" != "redirect exception plus mtu" ]; then + ip -netns h1 -6 ro get ${H1_VRF_ARG} ${H2_N2_IP6} | \ +- grep -q "${H2_N2_IP6} .*via ${R2_LLADDR} dev br0.*${mtu}" ++ grep -v "mtu" | grep -q "${H2_N2_IP6} .*via ${R2_LLADDR} dev br0" + elif [ -n "${mtu}" ]; then + ip -netns h1 -6 ro get ${H1_VRF_ARG} ${H2_N2_IP6} | \ + grep -q "${mtu}" +-- +2.30.2 + diff --git a/queue-5.13/selftests-icmp_redirect-remove-from-checking-for-ipv.patch b/queue-5.13/selftests-icmp_redirect-remove-from-checking-for-ipv.patch new file mode 100644 index 00000000000..050d5c04d63 --- /dev/null +++ b/queue-5.13/selftests-icmp_redirect-remove-from-checking-for-ipv.patch @@ -0,0 +1,38 @@ +From bb941f960e0d2b65039af6f752036837fb3be0c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Jul 2021 16:15:29 +0800 +Subject: selftests: icmp_redirect: remove from checking for IPv6 route get + +From: Hangbin Liu + +[ Upstream commit 24b671aad4eae423e1abf5b7f08d9a5235458b8d ] + +If the kernel doesn't enable option CONFIG_IPV6_SUBTREES, the RTA_SRC +info will not be exported to userspace in rt6_fill_node(). And ip cmd will +not print "from ::" to the route output. So remove this check. + +Fixes: ec8105352869 ("selftests: Add redirect tests") +Signed-off-by: Hangbin Liu +Reviewed-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/icmp_redirect.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/net/icmp_redirect.sh b/tools/testing/selftests/net/icmp_redirect.sh +index bf361f30d6ef..bfcabee50155 100755 +--- a/tools/testing/selftests/net/icmp_redirect.sh ++++ b/tools/testing/selftests/net/icmp_redirect.sh +@@ -311,7 +311,7 @@ check_exception() + + if [ "$with_redirect" = "yes" ]; then + ip -netns h1 -6 ro get ${H1_VRF_ARG} ${H2_N2_IP6} | \ +- grep -q "${H2_N2_IP6} from :: via ${R2_LLADDR} dev br0.*${mtu}" ++ grep -q "${H2_N2_IP6} .*via ${R2_LLADDR} dev br0.*${mtu}" + elif [ -n "${mtu}" ]; then + ip -netns h1 -6 ro get ${H1_VRF_ARG} ${H2_N2_IP6} | \ + grep -q "${mtu}" +-- +2.30.2 + diff --git a/queue-5.13/selftests-mptcp-fix-case-multiple-subflows-limited-b.patch b/queue-5.13/selftests-mptcp-fix-case-multiple-subflows-limited-b.patch new file mode 100644 index 00000000000..46cb63e4b48 --- /dev/null +++ b/queue-5.13/selftests-mptcp-fix-case-multiple-subflows-limited-b.patch @@ -0,0 +1,42 @@ +From 1dc7f9b4af96d2370b1634517ed99f364351e330 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Jul 2021 17:20:50 -0700 +Subject: selftests: mptcp: fix case multiple subflows limited by server + +From: Jianguo Wu + +[ Upstream commit a7da441621c7945fbfd43ed239c93b8073cda502 ] + +After patch "mptcp: fix syncookie process if mptcp can not_accept new +subflow", if subflow is limited, MP_JOIN SYN is dropped, and no SYN/ACK +will be replied. + +So in case "multiple subflows limited by server", the expected SYN/ACK +number should be 1. + +Fixes: 00587187ad30 ("selftests: mptcp: add test cases for mptcp join tests with syn cookies") +Reported-by: kernel test robot +Signed-off-by: Jianguo Wu +Signed-off-by: Mat Martineau +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/mptcp/mptcp_join.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/net/mptcp/mptcp_join.sh b/tools/testing/selftests/net/mptcp/mptcp_join.sh +index fd99485cf2a4..e8ac852c6ff6 100755 +--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh ++++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh +@@ -1341,7 +1341,7 @@ syncookies_tests() + ip netns exec $ns2 ./pm_nl_ctl add 10.0.3.2 flags subflow + ip netns exec $ns2 ./pm_nl_ctl add 10.0.2.2 flags subflow + run_tests $ns1 $ns2 10.0.1.1 +- chk_join_nr "subflows limited by server w cookies" 2 2 1 ++ chk_join_nr "subflows limited by server w cookies" 2 1 1 + + # test signal address with cookies + reset_with_cookies +-- +2.30.2 + diff --git a/queue-5.13/series b/queue-5.13/series new file mode 100644 index 00000000000..69f47e03571 --- /dev/null +++ b/queue-5.13/series @@ -0,0 +1,143 @@ +igc-fix-use-after-free-error-during-reset.patch +igb-fix-use-after-free-error-during-reset.patch +igc-change-default-return-of-igc_read_phy_reg.patch +ixgbe-fix-an-error-handling-path-in-ixgbe_probe.patch +igc-fix-an-error-handling-path-in-igc_probe.patch +igb-fix-an-error-handling-path-in-igb_probe.patch +fm10k-fix-an-error-handling-path-in-fm10k_probe.patch +e1000e-fix-an-error-handling-path-in-e1000_probe.patch +iavf-fix-an-error-handling-path-in-iavf_probe.patch +igb-check-if-num-of-q_vectors-is-smaller-than-max-be.patch +igb-fix-position-of-assignment-to-ring.patch +net-stmmac-terminate-fpe-workqueue-in-suspend.patch +gve-fix-an-error-handling-path-in-gve_probe.patch +bpf-samples-fix-xdpsock-with-m-parameter-missing-unl.patch +bonding-fix-suspicious-rcu-usage-in-bond_ipsec_add_s.patch +bonding-fix-null-dereference-in-bond_ipsec_add_sa.patch +ixgbevf-use-xso.real_dev-instead-of-xso.dev-in-callb.patch +bonding-fix-suspicious-rcu-usage-in-bond_ipsec_del_s.patch +bonding-disallow-setting-nested-bonding-ipsec-offloa.patch +bonding-add-struct-bond_ipesc-to-manage-sa.patch +bonding-fix-suspicious-rcu-usage-in-bond_ipsec_offlo.patch +bonding-fix-incorrect-return-value-of-bond_ipsec_off.patch +ipv6-fix-disable_policy-for-fwd-packets.patch +stmmac-platform-fix-signedness-bug-in-stmmac_probe_c.patch +selftests-icmp_redirect-remove-from-checking-for-ipv.patch +selftests-icmp_redirect-ipv6-pmtu-info-should-be-cle.patch +pwm-sprd-ensure-configuring-period-and-duty_cycle-is.patch +cxgb4-fix-irq-free-race-during-driver-unload.patch +drm-vmwgfx-fix-a-bad-merge-in-otable-batch-takedown.patch +mptcp-fix-warning-in-__skb_flow_dissect-when-do-syn-.patch +mptcp-remove-redundant-req-destruct-in-subflow_check.patch +mptcp-fix-syncookie-process-if-mptcp-can-not_accept-.patch +mptcp-add-sk-parameter-for-mptcp_get_options.patch +mptcp-avoid-processing-packet-if-a-subflow-reset.patch +selftests-mptcp-fix-case-multiple-subflows-limited-b.patch +mptcp-use-fast-lock-for-subflows-when-possible.patch +mptcp-refine-mptcp_cleanup_rbuf.patch +mptcp-properly-account-bulk-freed-memory.patch +net-phy-marvell10g-fix-differentiation-of-88x3310-fr.patch +nvme-pci-do-not-call-nvme_dev_remove_admin-from-nvme.patch +net-ocelot-fix-switchdev-objects-synced-for-wrong-ne.patch +sfc-fix-lack-of-xdp-tx-queues-error-xdp-tx-failed-22.patch +kvm-x86-pmu-clear-anythread-deprecated-bit-when-0xa-.patch +kvm-svm-return-efault-if-copy_to_user-for-sev-mig-pa.patch +kvm-svm-fix-sev_pin_memory-error-checks-in-sev-migra.patch +arm64-mte-fix-restoration-of-gcr_el1-from-suspend.patch +arm-dts-aspeed-update-e3c246d4i-vuart-properties.patch +firmware-arm_scmi-ensure-drivers-provide-a-probe-fun.patch +perf-inject-fix-dso-nsinfo-refcounting.patch +perf-map-fix-dso-nsinfo-refcounting.patch +perf-probe-fix-dso-nsinfo-refcounting.patch +perf-env-fix-sibling_dies-memory-leak.patch +perf-test-session_topology-delete-session-evlist.patch +perf-test-event_update-fix-memory-leak-of-evlist.patch +perf-test-event_update-fix-memory-leak-of-unit.patch +perf-dso-fix-memory-leak-in-dso__new_map.patch +perf-test-maps__merge_in-fix-memory-leak-of-maps.patch +perf-env-fix-memory-leak-of-cpu_pmu_caps.patch +perf-report-free-generated-help-strings-for-sort-opt.patch +perf-script-release-zstd-data.patch +perf-script-fix-memory-threads-and-cpus-leaks-on-exi.patch +perf-lzma-close-lzma-stream-on-exit.patch +perf-probe-file-delete-namelist-in-del_events-on-the.patch +perf-data-close-all-files-in-close_dir.patch +perf-sched-fix-record-failure-when-config_schedstats.patch +kbuild-lto-fix-module-versionings-mismatch-in-gnu-ma.patch +asoc-wm_adsp-correct-wm_coeff_tlv_get-handling.patch +spi-imx-mx51-ecspi-reinstate-low-speed-configreg-del.patch +spi-stm32-fixes-pm_runtime-calls-in-probe-remove.patch +regulator-hi6421-use-correct-variable-type-for-regma.patch +regulator-hi6421-fix-getting-wrong-drvdata.patch +spi-mediatek-fix-fifo-rx-mode.patch +asoc-rt5631-fix-regcache-sync-errors-on-resume.patch +bpf-test-fix-null-pointer-dereference-on-invalid-exp.patch +bpf-fix-tail_call_reachable-rejection-for-interprete.patch +xdp-net-fix-use-after-free-in-bpf_xdp_link_release.patch +asoc-sof-intel-update-adl-descriptor-to-use-acpi-pow.patch +timers-fix-get_next_timer_interrupt-with-no-timers-p.patch +drm-vc4-hdmi-drop-devm-interrupt-handler-for-cec-int.patch +net-dsa-mv88e6xxx-net_dsa_mv88e6xxx_ptp-should-depen.patch +liquidio-fix-unintentional-sign-extension-issue-on-l.patch +s390-bpf-perform-r1-range-checking-before-accessing-.patch +bpf-sockmap-fix-potential-memory-leak-on-unlikely-er.patch +bpf-sockmap-tcp-sk_prot-needs-inuse_idx-set-for-proc.patch +bpf-sockmap-udp-sk_prot-needs-inuse_idx-set-for-proc.patch +bpftool-check-malloc-return-value-in-mount_bpffs_for.patch +net-fix-uninit-value-in-caif_seqpkt_sendmsg.patch +spi-spi-cadence-quadspi-fix-division-by-zero-warning.patch +usb-hso-fix-error-handling-code-of-hso_create_net_de.patch +dma-mapping-handle-vmalloc-addresses-in-dma_common_-.patch +asoc-soc-pcm-add-a-flag-to-reverse-the-stop-sequence.patch +efi-tpm-differentiate-missing-and-invalid-final-even.patch +net-decnet-fix-sleeping-inside-in-af_decnet.patch +kvm-ppc-book3s-fix-config_transactional_mem-n-crash.patch +kvm-ppc-fix-kvm_arch_vcpu_ioctl-vcpu_load-leak.patch +net-sched-fix-memory-leak-in-tcindex_partial_destroy.patch +sctp-trim-optlen-when-it-s-a-huge-value-in-sctp_sets.patch +netrom-decrease-sock-refcount-when-sock-timers-expir.patch +scsi-iscsi-fix-iface-sysfs-attr-detection.patch +scsi-target-fix-protect-handling-in-write-same-32.patch +spi-cadence-correct-initialisation-of-runtime-pm-aga.patch +acpi-kconfig-fix-table-override-from-built-in-initrd.patch +efi-dev-path-parser-switch-to-use-for_each_acpi_dev_.patch +acpi-utils-fix-reference-counting-in-for_each_acpi_d.patch +bnxt_en-don-t-disable-an-already-disabled-pci-device.patch +bnxt_en-refresh-roce-capabilities-in-bnxt_ulp_probe.patch +bnxt_en-add-missing-check-for-bnxt_state_abort_err-i.patch +bnxt_en-fix-error-path-of-fw-reset.patch +bnxt_en-validate-vlan-protocol-id-on-rx-packets.patch +bnxt_en-check-abort-error-state-in-bnxt_half_open_ni.patch +net-hisilicon-rename-cache_line_mask-to-avoid-redefi.patch +net-tcp_fastopen-fix-data-races-around-tfo_active_di.patch +alsa-hda-intel-dsp-cfg-add-missing-elkhartlake-pci-i.patch +net-hns3-fix-possible-mismatches-resp-of-mailbox.patch +net-hns3-fix-rx-vlan-offload-state-inconsistent-issu.patch +spi-spi-bcm2835-fix-deadlock.patch +io_uring-fix-memleak-in-io_init_wq_offload.patch +net-sched-act_skbmod-skip-non-ethernet-packets.patch +ipv6-fix-another-slab-out-of-bounds-in-fib6_nh_flush.patch +ceph-don-t-warn-if-we-re-still-opening-a-session-to-.patch +i2c-mpc-poll-for-mcf.patch +scsi-target-fix-null-dereference-on-xcopy-completion.patch +drm-ttm-force-re-init-if-ttm_global_init-fails.patch +nvme-pci-don-t-warn_on-in-nvme_reset_work-if-ctrl.st.patch +revert-usb-quirks-ignore-remote-wake-up-on-fibocom-l.patch +afs-fix-tracepoint-string-placement-with-built-in-af.patch +afs-check-function-return.patch +afs-fix-setting-of-writeback_index.patch +r8169-avoid-duplicate-sysfs-entry-creation-error.patch +nvme-set-the-pract-bit-when-using-write-zeroes-with-.patch +sctp-update-active_key-for-asoc-when-old-key-is-bein.patch +udp-check-encap-socket-in-__udp_lib_err.patch +ibmvnic-remove-the-proper-scrq-flush.patch +riscv-fix-32-bit-risc-v-boot-failure.patch +tcp-disable-tfo-blackhole-logic-by-default.patch +net-dsa-sja1105-make-vid-4095-a-bridge-vlan-too.patch +risc-v-load-initrd-wherever-it-fits-into-memory.patch +net-sched-cls_api-fix-the-the-wrong-parameter.patch +drm-panel-raspberrypi-touchscreen-prevent-double-fre.patch +dpaa2-switch-seed-the-buffer-pool-after-allocating-t.patch +cifs-only-write-64kb-at-a-time-when-fallocating-a-sm.patch +cifs-fix-fallocate-when-trying-to-allocate-a-hole.patch +proc-avoid-mixing-integer-types-in-mem_rw.patch diff --git a/queue-5.13/sfc-fix-lack-of-xdp-tx-queues-error-xdp-tx-failed-22.patch b/queue-5.13/sfc-fix-lack-of-xdp-tx-queues-error-xdp-tx-failed-22.patch new file mode 100644 index 00000000000..91d827948e5 --- /dev/null +++ b/queue-5.13/sfc-fix-lack-of-xdp-tx-queues-error-xdp-tx-failed-22.patch @@ -0,0 +1,101 @@ +From 2a3f2e814fa0ed753ae56beb5c0c86caca9d52d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jul 2021 16:21:27 +0200 +Subject: sfc: fix lack of XDP TX queues - error XDP TX failed (-22) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Íñigo Huguet + +[ Upstream commit f28100cb9c9645c07cbd22431278ac9492f6a01c ] + +Fixes: e26ca4b53582 sfc: reduce the number of requested xdp ev queues + +The buggy commit intended to allocate less channels for XDP in order to +be more unlikely to reach the limit of 32 channels of the driver. + +The idea was to use each IRQ/eventqeue for more XDP TX queues than +before, calculating which is the maximum number of TX queues that one +event queue can handle. For example, in EF10 each event queue could +handle up to 8 queues, better than the 4 they were handling before the +change. This way, it would have to allocate half of channels than before +for XDP TX. + +The problem is that the TX queues are also contained inside the channel +structs, and there are only 4 queues per channel. Reducing the number of +channels means also reducing the number of queues, resulting in not +having the desired number of 1 queue per CPU. + +This leads to getting errors on XDP_TX and XDP_REDIRECT if they're +executed from a high numbered CPU, because there only exist queues for +the low half of CPUs, actually. If XDP_TX/REDIRECT is executed in a low +numbered CPU, the error doesn't happen. This is the error in the logs +(repeated many times, even rate limited): +sfc 0000:5e:00.0 ens3f0np0: XDP TX failed (-22) + +This errors happens in function efx_xdp_tx_buffers, where it expects to +have a dedicated XDP TX queue per CPU. + +Reverting the change makes again more likely to reach the limit of 32 +channels in machines with many CPUs. If this happen, no XDP_TX/REDIRECT +will be possible at all, and we will have this log error messages: + +At interface probe: +sfc 0000:5e:00.0: Insufficient resources for 12 XDP event queues (24 other channels, max 32) + +At every subsequent XDP_TX/REDIRECT failure, rate limited: +sfc 0000:5e:00.0 ens3f0np0: XDP TX failed (-22) + +However, without reverting the change, it makes the user to think that +everything is OK at probe time, but later it fails in an unpredictable +way, depending on the CPU that handles the packet. + +It is better to restore the predictable behaviour. If the user sees the +error message at probe time, he/she can try to configure the best way it +fits his/her needs. At least, he/she will have 2 options: +- Accept that XDP_TX/REDIRECT is not available (he/she may not need it) +- Load sfc module with modparam 'rss_cpus' with a lower number, thus + creating less normal RX queues/channels, letting more free resources + for XDP, with some performance penalty. + +Anyway, let the calculation of maximum TX queues that can be handled by +a single event queue, and use it only if it's less than the number of TX +queues per channel. This doesn't happen in practice, but could happen if +some constant values are tweaked in the future, such us +EFX_MAX_TXQ_PER_CHANNEL, EFX_MAX_EVQ_SIZE or EFX_MAX_DMAQ_SIZE. + +Related mailing list thread: +https://lore.kernel.org/bpf/20201215104327.2be76156@carbon/ + +Signed-off-by: Íñigo Huguet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/sfc/efx_channels.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/sfc/efx_channels.c b/drivers/net/ethernet/sfc/efx_channels.c +index a3ca406a3561..5b71f8a03a6d 100644 +--- a/drivers/net/ethernet/sfc/efx_channels.c ++++ b/drivers/net/ethernet/sfc/efx_channels.c +@@ -152,6 +152,7 @@ static int efx_allocate_msix_channels(struct efx_nic *efx, + * maximum size. + */ + tx_per_ev = EFX_MAX_EVQ_SIZE / EFX_TXQ_MAX_ENT(efx); ++ tx_per_ev = min(tx_per_ev, EFX_MAX_TXQ_PER_CHANNEL); + n_xdp_tx = num_possible_cpus(); + n_xdp_ev = DIV_ROUND_UP(n_xdp_tx, tx_per_ev); + +@@ -181,7 +182,7 @@ static int efx_allocate_msix_channels(struct efx_nic *efx, + efx->xdp_tx_queue_count = 0; + } else { + efx->n_xdp_channels = n_xdp_ev; +- efx->xdp_tx_per_channel = EFX_MAX_TXQ_PER_CHANNEL; ++ efx->xdp_tx_per_channel = tx_per_ev; + efx->xdp_tx_queue_count = n_xdp_tx; + n_channels += n_xdp_ev; + netif_dbg(efx, drv, efx->net_dev, +-- +2.30.2 + diff --git a/queue-5.13/spi-cadence-correct-initialisation-of-runtime-pm-aga.patch b/queue-5.13/spi-cadence-correct-initialisation-of-runtime-pm-aga.patch new file mode 100644 index 00000000000..0e1fdc3ef87 --- /dev/null +++ b/queue-5.13/spi-cadence-correct-initialisation-of-runtime-pm-aga.patch @@ -0,0 +1,74 @@ +From 23ad06329184e13e239d4ab505784a043a881414 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jul 2021 20:21:33 +0200 +Subject: spi: cadence: Correct initialisation of runtime PM again + +From: Marek Vasut + +[ Upstream commit 56912da7a68c8356df6a6740476237441b0b792a ] + +The original implementation of RPM handling in probe() was mostly +correct, except it failed to call pm_runtime_get_*() to activate the +hardware. The subsequent fix, 734882a8bf98 ("spi: cadence: Correct +initialisation of runtime PM"), breaks the implementation further, +to the point where the system using this hard IP on ZynqMP hangs on +boot, because it accesses hardware which is gated off. + +Undo 734882a8bf98 ("spi: cadence: Correct initialisation of runtime +PM") and instead add missing pm_runtime_get_noresume() and move the +RPM disabling all the way to the end of probe(). That makes ZynqMP +not hang on boot yet again. + +Fixes: 734882a8bf98 ("spi: cadence: Correct initialisation of runtime PM") +Signed-off-by: Marek Vasut +Cc: Charles Keepax +Cc: Mark Brown +Link: https://lore.kernel.org/r/20210716182133.218640-1-marex@denx.de +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-cadence.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/drivers/spi/spi-cadence.c b/drivers/spi/spi-cadence.c +index a3afd1b9ac56..ceb16e70d235 100644 +--- a/drivers/spi/spi-cadence.c ++++ b/drivers/spi/spi-cadence.c +@@ -517,6 +517,12 @@ static int cdns_spi_probe(struct platform_device *pdev) + goto clk_dis_apb; + } + ++ pm_runtime_use_autosuspend(&pdev->dev); ++ pm_runtime_set_autosuspend_delay(&pdev->dev, SPI_AUTOSUSPEND_TIMEOUT); ++ pm_runtime_get_noresume(&pdev->dev); ++ pm_runtime_set_active(&pdev->dev); ++ pm_runtime_enable(&pdev->dev); ++ + ret = of_property_read_u32(pdev->dev.of_node, "num-cs", &num_cs); + if (ret < 0) + master->num_chipselect = CDNS_SPI_DEFAULT_NUM_CS; +@@ -531,11 +537,6 @@ static int cdns_spi_probe(struct platform_device *pdev) + /* SPI controller initializations */ + cdns_spi_init_hw(xspi); + +- pm_runtime_set_active(&pdev->dev); +- pm_runtime_enable(&pdev->dev); +- pm_runtime_use_autosuspend(&pdev->dev); +- pm_runtime_set_autosuspend_delay(&pdev->dev, SPI_AUTOSUSPEND_TIMEOUT); +- + irq = platform_get_irq(pdev, 0); + if (irq <= 0) { + ret = -ENXIO; +@@ -566,6 +567,9 @@ static int cdns_spi_probe(struct platform_device *pdev) + + master->bits_per_word_mask = SPI_BPW_MASK(8); + ++ pm_runtime_mark_last_busy(&pdev->dev); ++ pm_runtime_put_autosuspend(&pdev->dev); ++ + ret = spi_register_master(master); + if (ret) { + dev_err(&pdev->dev, "spi_register_master failed\n"); +-- +2.30.2 + diff --git a/queue-5.13/spi-imx-mx51-ecspi-reinstate-low-speed-configreg-del.patch b/queue-5.13/spi-imx-mx51-ecspi-reinstate-low-speed-configreg-del.patch new file mode 100644 index 00000000000..0692bde3a81 --- /dev/null +++ b/queue-5.13/spi-imx-mx51-ecspi-reinstate-low-speed-configreg-del.patch @@ -0,0 +1,107 @@ +From fb8623bcde96db8aed19abf7d473beba70b30c8d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 3 Jul 2021 04:23:00 +0200 +Subject: spi: imx: mx51-ecspi: Reinstate low-speed CONFIGREG delay +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Marek Vasut + +[ Upstream commit 135cbd378eab336da15de9c84bbb22bf743b38a5 ] + +Since 00b80ac935539 ("spi: imx: mx51-ecspi: Move some initialisation to +prepare_message hook."), the MX51_ECSPI_CONFIG write no longer happens +in prepare_transfer hook, but rather in prepare_message hook, however +the MX51_ECSPI_CONFIG delay is still left in prepare_transfer hook and +thus has no effect. This leads to low bus frequency operation problems +described in 6fd8b8503a0dc ("spi: spi-imx: Fix out-of-order CS/SCLK +operation at low speeds") again. + +Move the MX51_ECSPI_CONFIG write delay into the prepare_message hook +as well, thus reinstating the low bus frequency fix. + +Fixes: 00b80ac935539 ("spi: imx: mx51-ecspi: Move some initialisation to prepare_message hook.") +Signed-off-by: Marek Vasut +Cc: Uwe Kleine-König +Cc: Mark Brown +Link: https://lore.kernel.org/r/20210703022300.296114-1-marex@denx.de +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-imx.c | 38 +++++++++++++++++++------------------- + 1 file changed, 19 insertions(+), 19 deletions(-) + +diff --git a/drivers/spi/spi-imx.c b/drivers/spi/spi-imx.c +index 39dc02e366f4..4aee3db6d6df 100644 +--- a/drivers/spi/spi-imx.c ++++ b/drivers/spi/spi-imx.c +@@ -506,7 +506,7 @@ static int mx51_ecspi_prepare_message(struct spi_imx_data *spi_imx, + { + struct spi_device *spi = msg->spi; + u32 ctrl = MX51_ECSPI_CTRL_ENABLE; +- u32 testreg; ++ u32 testreg, delay; + u32 cfg = readl(spi_imx->base + MX51_ECSPI_CONFIG); + + /* set Master or Slave mode */ +@@ -567,6 +567,23 @@ static int mx51_ecspi_prepare_message(struct spi_imx_data *spi_imx, + + writel(cfg, spi_imx->base + MX51_ECSPI_CONFIG); + ++ /* ++ * Wait until the changes in the configuration register CONFIGREG ++ * propagate into the hardware. It takes exactly one tick of the ++ * SCLK clock, but we will wait two SCLK clock just to be sure. The ++ * effect of the delay it takes for the hardware to apply changes ++ * is noticable if the SCLK clock run very slow. In such a case, if ++ * the polarity of SCLK should be inverted, the GPIO ChipSelect might ++ * be asserted before the SCLK polarity changes, which would disrupt ++ * the SPI communication as the device on the other end would consider ++ * the change of SCLK polarity as a clock tick already. ++ */ ++ delay = (2 * 1000000) / spi_imx->spi_bus_clk; ++ if (likely(delay < 10)) /* SCLK is faster than 100 kHz */ ++ udelay(delay); ++ else /* SCLK is _very_ slow */ ++ usleep_range(delay, delay + 10); ++ + return 0; + } + +@@ -574,7 +591,7 @@ static int mx51_ecspi_prepare_transfer(struct spi_imx_data *spi_imx, + struct spi_device *spi) + { + u32 ctrl = readl(spi_imx->base + MX51_ECSPI_CTRL); +- u32 clk, delay; ++ u32 clk; + + /* Clear BL field and set the right value */ + ctrl &= ~MX51_ECSPI_CTRL_BL_MASK; +@@ -596,23 +613,6 @@ static int mx51_ecspi_prepare_transfer(struct spi_imx_data *spi_imx, + + writel(ctrl, spi_imx->base + MX51_ECSPI_CTRL); + +- /* +- * Wait until the changes in the configuration register CONFIGREG +- * propagate into the hardware. It takes exactly one tick of the +- * SCLK clock, but we will wait two SCLK clock just to be sure. The +- * effect of the delay it takes for the hardware to apply changes +- * is noticable if the SCLK clock run very slow. In such a case, if +- * the polarity of SCLK should be inverted, the GPIO ChipSelect might +- * be asserted before the SCLK polarity changes, which would disrupt +- * the SPI communication as the device on the other end would consider +- * the change of SCLK polarity as a clock tick already. +- */ +- delay = (2 * 1000000) / clk; +- if (likely(delay < 10)) /* SCLK is faster than 100 kHz */ +- udelay(delay); +- else /* SCLK is _very_ slow */ +- usleep_range(delay, delay + 10); +- + return 0; + } + +-- +2.30.2 + diff --git a/queue-5.13/spi-mediatek-fix-fifo-rx-mode.patch b/queue-5.13/spi-mediatek-fix-fifo-rx-mode.patch new file mode 100644 index 00000000000..0150260503a --- /dev/null +++ b/queue-5.13/spi-mediatek-fix-fifo-rx-mode.patch @@ -0,0 +1,59 @@ +From 5696fa7e864fe6011c3398d05225a5d55b50eb08 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Jul 2021 14:16:09 +0200 +Subject: spi: mediatek: fix fifo rx mode + +From: Peter Hess + +[ Upstream commit 3a70dd2d050331ee4cf5ad9d5c0a32d83ead9a43 ] + +In FIFO mode were two problems: +- RX mode was never handled and +- in this case the tx_buf pointer was NULL and caused an exception + +fix this by handling RX mode in mtk_spi_fifo_transfer + +Fixes: a568231f4632 ("spi: mediatek: Add spi bus for Mediatek MT8173") +Signed-off-by: Peter Hess +Signed-off-by: Frank Wunderlich +Link: https://lore.kernel.org/r/20210706121609.680534-1-linux@fw-web.de +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-mt65xx.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +diff --git a/drivers/spi/spi-mt65xx.c b/drivers/spi/spi-mt65xx.c +index 976f73b9e299..8d5fa7f1e506 100644 +--- a/drivers/spi/spi-mt65xx.c ++++ b/drivers/spi/spi-mt65xx.c +@@ -427,13 +427,23 @@ static int mtk_spi_fifo_transfer(struct spi_master *master, + mtk_spi_setup_packet(master); + + cnt = xfer->len / 4; +- iowrite32_rep(mdata->base + SPI_TX_DATA_REG, xfer->tx_buf, cnt); ++ if (xfer->tx_buf) ++ iowrite32_rep(mdata->base + SPI_TX_DATA_REG, xfer->tx_buf, cnt); ++ ++ if (xfer->rx_buf) ++ ioread32_rep(mdata->base + SPI_RX_DATA_REG, xfer->rx_buf, cnt); + + remainder = xfer->len % 4; + if (remainder > 0) { + reg_val = 0; +- memcpy(®_val, xfer->tx_buf + (cnt * 4), remainder); +- writel(reg_val, mdata->base + SPI_TX_DATA_REG); ++ if (xfer->tx_buf) { ++ memcpy(®_val, xfer->tx_buf + (cnt * 4), remainder); ++ writel(reg_val, mdata->base + SPI_TX_DATA_REG); ++ } ++ if (xfer->rx_buf) { ++ reg_val = readl(mdata->base + SPI_RX_DATA_REG); ++ memcpy(xfer->rx_buf + (cnt * 4), ®_val, remainder); ++ } + } + + mtk_spi_enable_transfer(master); +-- +2.30.2 + diff --git a/queue-5.13/spi-spi-bcm2835-fix-deadlock.patch b/queue-5.13/spi-spi-bcm2835-fix-deadlock.patch new file mode 100644 index 00000000000..6a823a689f9 --- /dev/null +++ b/queue-5.13/spi-spi-bcm2835-fix-deadlock.patch @@ -0,0 +1,86 @@ +From 9d5a82d054d50789b520e60a01e4732acd064c5c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 17 Jul 2021 00:02:45 +0300 +Subject: spi: spi-bcm2835: Fix deadlock + +From: Alexandru Tachici + +[ Upstream commit c45c1e82bba130db4f19d9dbc1deefcf4ea994ed ] + +The bcm2835_spi_transfer_one function can create a deadlock +if it is called while another thread already has the +CCF lock. + +Signed-off-by: Alexandru Tachici +Fixes: f8043872e796 ("spi: add driver for BCM2835") +Reviewed-by: Florian Fainelli +Link: https://lore.kernel.org/r/20210716210245.13240-2-alexandru.tachici@analog.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-bcm2835.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/drivers/spi/spi-bcm2835.c b/drivers/spi/spi-bcm2835.c +index fe40626e45aa..61cbcc7e2121 100644 +--- a/drivers/spi/spi-bcm2835.c ++++ b/drivers/spi/spi-bcm2835.c +@@ -84,6 +84,7 @@ MODULE_PARM_DESC(polling_limit_us, + * struct bcm2835_spi - BCM2835 SPI controller + * @regs: base address of register map + * @clk: core clock, divided to calculate serial clock ++ * @clk_hz: core clock cached speed + * @irq: interrupt, signals TX FIFO empty or RX FIFO ¾ full + * @tfr: SPI transfer currently processed + * @ctlr: SPI controller reverse lookup +@@ -124,6 +125,7 @@ MODULE_PARM_DESC(polling_limit_us, + struct bcm2835_spi { + void __iomem *regs; + struct clk *clk; ++ unsigned long clk_hz; + int irq; + struct spi_transfer *tfr; + struct spi_controller *ctlr; +@@ -1082,19 +1084,18 @@ static int bcm2835_spi_transfer_one(struct spi_controller *ctlr, + struct spi_transfer *tfr) + { + struct bcm2835_spi *bs = spi_controller_get_devdata(ctlr); +- unsigned long spi_hz, clk_hz, cdiv; ++ unsigned long spi_hz, cdiv; + unsigned long hz_per_byte, byte_limit; + u32 cs = bs->prepare_cs[spi->chip_select]; + + /* set clock */ + spi_hz = tfr->speed_hz; +- clk_hz = clk_get_rate(bs->clk); + +- if (spi_hz >= clk_hz / 2) { ++ if (spi_hz >= bs->clk_hz / 2) { + cdiv = 2; /* clk_hz/2 is the fastest we can go */ + } else if (spi_hz) { + /* CDIV must be a multiple of two */ +- cdiv = DIV_ROUND_UP(clk_hz, spi_hz); ++ cdiv = DIV_ROUND_UP(bs->clk_hz, spi_hz); + cdiv += (cdiv % 2); + + if (cdiv >= 65536) +@@ -1102,7 +1103,7 @@ static int bcm2835_spi_transfer_one(struct spi_controller *ctlr, + } else { + cdiv = 0; /* 0 is the slowest we can go */ + } +- tfr->effective_speed_hz = cdiv ? (clk_hz / cdiv) : (clk_hz / 65536); ++ tfr->effective_speed_hz = cdiv ? (bs->clk_hz / cdiv) : (bs->clk_hz / 65536); + bcm2835_wr(bs, BCM2835_SPI_CLK, cdiv); + + /* handle all the 3-wire mode */ +@@ -1320,6 +1321,7 @@ static int bcm2835_spi_probe(struct platform_device *pdev) + return bs->irq ? bs->irq : -ENODEV; + + clk_prepare_enable(bs->clk); ++ bs->clk_hz = clk_get_rate(bs->clk); + + err = bcm2835_dma_init(ctlr, &pdev->dev, bs); + if (err) +-- +2.30.2 + diff --git a/queue-5.13/spi-spi-cadence-quadspi-fix-division-by-zero-warning.patch b/queue-5.13/spi-spi-cadence-quadspi-fix-division-by-zero-warning.patch new file mode 100644 index 00000000000..4e3fd3f6473 --- /dev/null +++ b/queue-5.13/spi-spi-cadence-quadspi-fix-division-by-zero-warning.patch @@ -0,0 +1,52 @@ +From 8e7f9650f5d883bca7b0239529c1b704673abd38 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jul 2021 16:21:32 +0000 +Subject: spi: spi-cadence-quadspi: Fix division by zero warning + +From: Yoshitaka Ikeda + +[ Upstream commit 55cef88bbf12f3bfbe5c2379a8868a034707e755 ] + +Fix below division by zero warning: +- Added an if statement because buswidth can be zero, resulting in division by zero. +- The modified code was based on another driver (atmel-quadspi). + +[ 0.795337] Division by zero in kernel. + : +[ 0.834051] [<807fd40c>] (__div0) from [<804e1acc>] (Ldiv0+0x8/0x10) +[ 0.839097] [<805f0710>] (cqspi_exec_mem_op) from [<805edb4c>] (spi_mem_exec_op+0x3b0/0x3f8) + +Fixes: 7512eaf54190 ("spi: cadence-quadspi: Fix dummy cycle calculation when buswidth > 1") +Signed-off-by: Yoshitaka Ikeda +Link: https://lore.kernel.org/r/ed989af6-da88-4e0b-9ed8-126db6cad2e4@nskint.co.jp +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-cadence-quadspi.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/spi/spi-cadence-quadspi.c b/drivers/spi/spi-cadence-quadspi.c +index 7a00346ff9b9..13d1f0ce618e 100644 +--- a/drivers/spi/spi-cadence-quadspi.c ++++ b/drivers/spi/spi-cadence-quadspi.c +@@ -307,11 +307,13 @@ static unsigned int cqspi_calc_rdreg(struct cqspi_flash_pdata *f_pdata) + + static unsigned int cqspi_calc_dummy(const struct spi_mem_op *op, bool dtr) + { +- unsigned int dummy_clk; ++ unsigned int dummy_clk = 0; + +- dummy_clk = op->dummy.nbytes * (8 / op->dummy.buswidth); +- if (dtr) +- dummy_clk /= 2; ++ if (op->dummy.buswidth && op->dummy.nbytes) { ++ dummy_clk = op->dummy.nbytes * (8 / op->dummy.buswidth); ++ if (dtr) ++ dummy_clk /= 2; ++ } + + return dummy_clk; + } +-- +2.30.2 + diff --git a/queue-5.13/spi-stm32-fixes-pm_runtime-calls-in-probe-remove.patch b/queue-5.13/spi-stm32-fixes-pm_runtime-calls-in-probe-remove.patch new file mode 100644 index 00000000000..e9d239803d4 --- /dev/null +++ b/queue-5.13/spi-stm32-fixes-pm_runtime-calls-in-probe-remove.patch @@ -0,0 +1,76 @@ +From 019bbd7dfba577f89af5e1e2edb05cb06a735245 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Jul 2021 10:27:00 +0200 +Subject: spi: stm32: fixes pm_runtime calls in probe/remove + +From: Alain Volmat + +[ Upstream commit 7999d2555c9f879d006ea8469d74db9cdb038af0 ] + +Add pm_runtime calls in probe/probe error path and remove +in order to be consistent in all places in ordering and +ensure that pm_runtime is disabled prior to resources used +by the SPI controller. + +This patch also fixes the 2 following warnings on driver remove: +WARNING: CPU: 0 PID: 743 at drivers/clk/clk.c:594 clk_core_disable_lock+0x18/0x24 +WARNING: CPU: 0 PID: 743 at drivers/clk/clk.c:476 clk_unprepare+0x24/0x2c + +Fixes: 038ac869c9d2 ("spi: stm32: add runtime PM support") + +Signed-off-by: Amelie Delaunay +Signed-off-by: Alain Volmat +Link: https://lore.kernel.org/r/1625646426-5826-2-git-send-email-alain.volmat@foss.st.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-stm32.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-stm32.c b/drivers/spi/spi-stm32.c +index 8ffcffbb8157..a92a28933edb 100644 +--- a/drivers/spi/spi-stm32.c ++++ b/drivers/spi/spi-stm32.c +@@ -1925,6 +1925,7 @@ static int stm32_spi_probe(struct platform_device *pdev) + master->can_dma = stm32_spi_can_dma; + + pm_runtime_set_active(&pdev->dev); ++ pm_runtime_get_noresume(&pdev->dev); + pm_runtime_enable(&pdev->dev); + + ret = spi_register_master(master); +@@ -1940,6 +1941,8 @@ static int stm32_spi_probe(struct platform_device *pdev) + + err_pm_disable: + pm_runtime_disable(&pdev->dev); ++ pm_runtime_put_noidle(&pdev->dev); ++ pm_runtime_set_suspended(&pdev->dev); + err_dma_release: + if (spi->dma_tx) + dma_release_channel(spi->dma_tx); +@@ -1956,9 +1959,14 @@ static int stm32_spi_remove(struct platform_device *pdev) + struct spi_master *master = platform_get_drvdata(pdev); + struct stm32_spi *spi = spi_master_get_devdata(master); + ++ pm_runtime_get_sync(&pdev->dev); ++ + spi_unregister_master(master); + spi->cfg->disable(spi); + ++ pm_runtime_disable(&pdev->dev); ++ pm_runtime_put_noidle(&pdev->dev); ++ pm_runtime_set_suspended(&pdev->dev); + if (master->dma_tx) + dma_release_channel(master->dma_tx); + if (master->dma_rx) +@@ -1966,7 +1974,6 @@ static int stm32_spi_remove(struct platform_device *pdev) + + clk_disable_unprepare(spi->clk); + +- pm_runtime_disable(&pdev->dev); + + pinctrl_pm_select_sleep_state(&pdev->dev); + +-- +2.30.2 + diff --git a/queue-5.13/stmmac-platform-fix-signedness-bug-in-stmmac_probe_c.patch b/queue-5.13/stmmac-platform-fix-signedness-bug-in-stmmac_probe_c.patch new file mode 100644 index 00000000000..f8cc01be8c0 --- /dev/null +++ b/queue-5.13/stmmac-platform-fix-signedness-bug-in-stmmac_probe_c.patch @@ -0,0 +1,51 @@ +From cf2b18efc7f5047dd5e00043045e3ff97441a159 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Jul 2021 15:53:35 +0800 +Subject: stmmac: platform: Fix signedness bug in stmmac_probe_config_dt() + +From: YueHaibing + +[ Upstream commit eca81f09145d765c21dd8fb1ba5d874ca255c32c ] + +The "plat->phy_interface" variable is an enum and in this context GCC +will treat it as an unsigned int so the error handling is never +triggered. + +Fixes: b9f0b2f634c0 ("net: stmmac: platform: fix probe for ACPI devices") +Signed-off-by: YueHaibing +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c +index a696ada013eb..cad9e466353f 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c +@@ -399,6 +399,7 @@ stmmac_probe_config_dt(struct platform_device *pdev, u8 *mac) + struct device_node *np = pdev->dev.of_node; + struct plat_stmmacenet_data *plat; + struct stmmac_dma_cfg *dma_cfg; ++ int phy_mode; + void *ret; + int rc; + +@@ -414,10 +415,11 @@ stmmac_probe_config_dt(struct platform_device *pdev, u8 *mac) + eth_zero_addr(mac); + } + +- plat->phy_interface = device_get_phy_mode(&pdev->dev); +- if (plat->phy_interface < 0) +- return ERR_PTR(plat->phy_interface); ++ phy_mode = device_get_phy_mode(&pdev->dev); ++ if (phy_mode < 0) ++ return ERR_PTR(phy_mode); + ++ plat->phy_interface = phy_mode; + plat->interface = stmmac_of_get_mac_mode(np); + if (plat->interface < 0) + plat->interface = plat->phy_interface; +-- +2.30.2 + diff --git a/queue-5.13/tcp-disable-tfo-blackhole-logic-by-default.patch b/queue-5.13/tcp-disable-tfo-blackhole-logic-by-default.patch new file mode 100644 index 00000000000..607c7d0f81e --- /dev/null +++ b/queue-5.13/tcp-disable-tfo-blackhole-logic-by-default.patch @@ -0,0 +1,90 @@ +From 417a2ba2f5e341cb7a842132e7685d187c251675 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jul 2021 10:27:38 -0700 +Subject: tcp: disable TFO blackhole logic by default + +From: Wei Wang + +[ Upstream commit 213ad73d06073b197a02476db3a4998e219ddb06 ] + +Multiple complaints have been raised from the TFO users on the internet +stating that the TFO blackhole logic is too aggressive and gets falsely +triggered too often. +(e.g. https://blog.apnic.net/2021/07/05/tcp-fast-open-not-so-fast/) +Considering that most middleboxes no longer drop TFO packets, we decide +to disable the blackhole logic by setting +/proc/sys/net/ipv4/tcp_fastopen_blackhole_timeout_set to 0 by default. + +Fixes: cf1ef3f0719b4 ("net/tcp_fastopen: Disable active side TFO in certain scenarios") +Signed-off-by: Wei Wang +Signed-off-by: Eric Dumazet +Acked-by: Neal Cardwell +Acked-by: Soheil Hassas Yeganeh +Acked-by: Yuchung Cheng +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + Documentation/networking/ip-sysctl.rst | 2 +- + net/ipv4/tcp_fastopen.c | 9 ++++++++- + net/ipv4/tcp_ipv4.c | 2 +- + 3 files changed, 10 insertions(+), 3 deletions(-) + +diff --git a/Documentation/networking/ip-sysctl.rst b/Documentation/networking/ip-sysctl.rst +index c2ecc9894fd0..9a57e972dae4 100644 +--- a/Documentation/networking/ip-sysctl.rst ++++ b/Documentation/networking/ip-sysctl.rst +@@ -772,7 +772,7 @@ tcp_fastopen_blackhole_timeout_sec - INTEGER + initial value when the blackhole issue goes away. + 0 to disable the blackhole detection. + +- By default, it is set to 1hr. ++ By default, it is set to 0 (feature is disabled). + + tcp_fastopen_key - list of comma separated 32-digit hexadecimal INTEGERs + The list consists of a primary key and an optional backup key. The +diff --git a/net/ipv4/tcp_fastopen.c b/net/ipv4/tcp_fastopen.c +index 08548ff23d83..d49709ba8e16 100644 +--- a/net/ipv4/tcp_fastopen.c ++++ b/net/ipv4/tcp_fastopen.c +@@ -507,6 +507,9 @@ void tcp_fastopen_active_disable(struct sock *sk) + { + struct net *net = sock_net(sk); + ++ if (!sock_net(sk)->ipv4.sysctl_tcp_fastopen_blackhole_timeout) ++ return; ++ + /* Paired with READ_ONCE() in tcp_fastopen_active_should_disable() */ + WRITE_ONCE(net->ipv4.tfo_active_disable_stamp, jiffies); + +@@ -526,10 +529,14 @@ void tcp_fastopen_active_disable(struct sock *sk) + bool tcp_fastopen_active_should_disable(struct sock *sk) + { + unsigned int tfo_bh_timeout = sock_net(sk)->ipv4.sysctl_tcp_fastopen_blackhole_timeout; +- int tfo_da_times = atomic_read(&sock_net(sk)->ipv4.tfo_active_disable_times); + unsigned long timeout; ++ int tfo_da_times; + int multiplier; + ++ if (!tfo_bh_timeout) ++ return false; ++ ++ tfo_da_times = atomic_read(&sock_net(sk)->ipv4.tfo_active_disable_times); + if (!tfo_da_times) + return false; + +diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c +index e409f2de5dc4..8bb5f7f51dae 100644 +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -2954,7 +2954,7 @@ static int __net_init tcp_sk_init(struct net *net) + net->ipv4.sysctl_tcp_comp_sack_nr = 44; + net->ipv4.sysctl_tcp_fastopen = TFO_CLIENT_ENABLE; + spin_lock_init(&net->ipv4.tcp_fastopen_ctx_lock); +- net->ipv4.sysctl_tcp_fastopen_blackhole_timeout = 60 * 60; ++ net->ipv4.sysctl_tcp_fastopen_blackhole_timeout = 0; + atomic_set(&net->ipv4.tfo_active_disable_times, 0); + + /* Reno is always built in */ +-- +2.30.2 + diff --git a/queue-5.13/timers-fix-get_next_timer_interrupt-with-no-timers-p.patch b/queue-5.13/timers-fix-get_next_timer_interrupt-with-no-timers-p.patch new file mode 100644 index 00000000000..d3067bd5195 --- /dev/null +++ b/queue-5.13/timers-fix-get_next_timer_interrupt-with-no-timers-p.patch @@ -0,0 +1,125 @@ +From 41464c66dab40b71048a037f6be348272aa8d17d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Jul 2021 16:13:25 +0200 +Subject: timers: Fix get_next_timer_interrupt() with no timers pending + +From: Nicolas Saenz Julienne + +[ Upstream commit aebacb7f6ca1926918734faae14d1f0b6fae5cb7 ] + +31cd0e119d50 ("timers: Recalculate next timer interrupt only when +necessary") subtly altered get_next_timer_interrupt()'s behaviour. The +function no longer consistently returns KTIME_MAX with no timers +pending. + +In order to decide if there are any timers pending we check whether the +next expiry will happen NEXT_TIMER_MAX_DELTA jiffies from now. +Unfortunately, the next expiry time and the timer base clock are no +longer updated in unison. The former changes upon certain timer +operations (enqueue, expire, detach), whereas the latter keeps track of +jiffies as they move forward. Ultimately breaking the logic above. + +A simplified example: + +- Upon entering get_next_timer_interrupt() with: + + jiffies = 1 + base->clk = 0; + base->next_expiry = NEXT_TIMER_MAX_DELTA; + + 'base->next_expiry == base->clk + NEXT_TIMER_MAX_DELTA', the function + returns KTIME_MAX. + +- 'base->clk' is updated to the jiffies value. + +- The next time we enter get_next_timer_interrupt(), taking into account + no timer operations happened: + + base->clk = 1; + base->next_expiry = NEXT_TIMER_MAX_DELTA; + + 'base->next_expiry != base->clk + NEXT_TIMER_MAX_DELTA', the function + returns a valid expire time, which is incorrect. + +This ultimately might unnecessarily rearm sched's timer on nohz_full +setups, and add latency to the system[1]. + +So, introduce 'base->timers_pending'[2], update it every time +'base->next_expiry' changes, and use it in get_next_timer_interrupt(). + +[1] See tick_nohz_stop_tick(). +[2] A quick pahole check on x86_64 and arm64 shows it doesn't make + 'struct timer_base' any bigger. + +Fixes: 31cd0e119d50 ("timers: Recalculate next timer interrupt only when necessary") +Signed-off-by: Nicolas Saenz Julienne +Signed-off-by: Frederic Weisbecker +Signed-off-by: Sasha Levin +--- + kernel/time/timer.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/kernel/time/timer.c b/kernel/time/timer.c +index d111adf4a0cb..99b97ccefdbd 100644 +--- a/kernel/time/timer.c ++++ b/kernel/time/timer.c +@@ -207,6 +207,7 @@ struct timer_base { + unsigned int cpu; + bool next_expiry_recalc; + bool is_idle; ++ bool timers_pending; + DECLARE_BITMAP(pending_map, WHEEL_SIZE); + struct hlist_head vectors[WHEEL_SIZE]; + } ____cacheline_aligned; +@@ -595,6 +596,7 @@ static void enqueue_timer(struct timer_base *base, struct timer_list *timer, + * can reevaluate the wheel: + */ + base->next_expiry = bucket_expiry; ++ base->timers_pending = true; + base->next_expiry_recalc = false; + trigger_dyntick_cpu(base, timer); + } +@@ -1596,6 +1598,7 @@ static unsigned long __next_timer_interrupt(struct timer_base *base) + } + + base->next_expiry_recalc = false; ++ base->timers_pending = !(next == base->clk + NEXT_TIMER_MAX_DELTA); + + return next; + } +@@ -1647,7 +1650,6 @@ u64 get_next_timer_interrupt(unsigned long basej, u64 basem) + struct timer_base *base = this_cpu_ptr(&timer_bases[BASE_STD]); + u64 expires = KTIME_MAX; + unsigned long nextevt; +- bool is_max_delta; + + /* + * Pretend that there is no timer pending if the cpu is offline. +@@ -1660,7 +1662,6 @@ u64 get_next_timer_interrupt(unsigned long basej, u64 basem) + if (base->next_expiry_recalc) + base->next_expiry = __next_timer_interrupt(base); + nextevt = base->next_expiry; +- is_max_delta = (nextevt == base->clk + NEXT_TIMER_MAX_DELTA); + + /* + * We have a fresh next event. Check whether we can forward the +@@ -1678,7 +1679,7 @@ u64 get_next_timer_interrupt(unsigned long basej, u64 basem) + expires = basem; + base->is_idle = false; + } else { +- if (!is_max_delta) ++ if (base->timers_pending) + expires = basem + (u64)(nextevt - basej) * TICK_NSEC; + /* + * If we expect to sleep more than a tick, mark the base idle. +@@ -1961,6 +1962,7 @@ int timers_prepare_cpu(unsigned int cpu) + base = per_cpu_ptr(&timer_bases[b], cpu); + base->clk = jiffies; + base->next_expiry = base->clk + NEXT_TIMER_MAX_DELTA; ++ base->timers_pending = false; + base->is_idle = false; + } + return 0; +-- +2.30.2 + diff --git a/queue-5.13/udp-check-encap-socket-in-__udp_lib_err.patch b/queue-5.13/udp-check-encap-socket-in-__udp_lib_err.patch new file mode 100644 index 00000000000..387bf659f82 --- /dev/null +++ b/queue-5.13/udp-check-encap-socket-in-__udp_lib_err.patch @@ -0,0 +1,169 @@ +From 664797f4a5ddb9b2842a10b4e95a0a8a677dcd59 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jul 2021 23:35:28 +0300 +Subject: udp: check encap socket in __udp_lib_err + +From: Vadim Fedorenko + +[ Upstream commit 9bfce73c8921c92a9565562e6e7d458d37b7ce80 ] + +Commit d26796ae5894 ("udp: check udp sock encap_type in __udp_lib_err") +added checks for encapsulated sockets but it broke cases when there is +no implementation of encap_err_lookup for encapsulation, i.e. ESP in +UDP encapsulation. Fix it by calling encap_err_lookup only if socket +implements this method otherwise treat it as legal socket. + +Fixes: d26796ae5894 ("udp: check udp sock encap_type in __udp_lib_err") +Signed-off-by: Vadim Fedorenko +Reviewed-by: Xin Long +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/udp.c | 25 +++++++++++++++++++------ + net/ipv6/udp.c | 25 +++++++++++++++++++------ + 2 files changed, 38 insertions(+), 12 deletions(-) + +diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c +index ca9cf1051b1e..568dc31a0467 100644 +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -645,10 +645,12 @@ static struct sock *__udp4_lib_err_encap(struct net *net, + const struct iphdr *iph, + struct udphdr *uh, + struct udp_table *udptable, ++ struct sock *sk, + struct sk_buff *skb, u32 info) + { ++ int (*lookup)(struct sock *sk, struct sk_buff *skb); + int network_offset, transport_offset; +- struct sock *sk; ++ struct udp_sock *up; + + network_offset = skb_network_offset(skb); + transport_offset = skb_transport_offset(skb); +@@ -659,18 +661,28 @@ static struct sock *__udp4_lib_err_encap(struct net *net, + /* Transport header needs to point to the UDP header */ + skb_set_transport_header(skb, iph->ihl << 2); + ++ if (sk) { ++ up = udp_sk(sk); ++ ++ lookup = READ_ONCE(up->encap_err_lookup); ++ if (lookup && lookup(sk, skb)) ++ sk = NULL; ++ ++ goto out; ++ } ++ + sk = __udp4_lib_lookup(net, iph->daddr, uh->source, + iph->saddr, uh->dest, skb->dev->ifindex, 0, + udptable, NULL); + if (sk) { +- int (*lookup)(struct sock *sk, struct sk_buff *skb); +- struct udp_sock *up = udp_sk(sk); ++ up = udp_sk(sk); + + lookup = READ_ONCE(up->encap_err_lookup); + if (!lookup || lookup(sk, skb)) + sk = NULL; + } + ++out: + if (!sk) + sk = ERR_PTR(__udp4_lib_err_encap_no_sk(skb, info)); + +@@ -707,15 +719,16 @@ int __udp4_lib_err(struct sk_buff *skb, u32 info, struct udp_table *udptable) + sk = __udp4_lib_lookup(net, iph->daddr, uh->dest, + iph->saddr, uh->source, skb->dev->ifindex, + inet_sdif(skb), udptable, NULL); ++ + if (!sk || udp_sk(sk)->encap_type) { + /* No socket for error: try tunnels before discarding */ +- sk = ERR_PTR(-ENOENT); + if (static_branch_unlikely(&udp_encap_needed_key)) { +- sk = __udp4_lib_err_encap(net, iph, uh, udptable, skb, ++ sk = __udp4_lib_err_encap(net, iph, uh, udptable, sk, skb, + info); + if (!sk) + return 0; +- } ++ } else ++ sk = ERR_PTR(-ENOENT); + + if (IS_ERR(sk)) { + __ICMP_INC_STATS(net, ICMP_MIB_INERRORS); +diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c +index 6774e776228c..2d3bd4a9b0d0 100644 +--- a/net/ipv6/udp.c ++++ b/net/ipv6/udp.c +@@ -502,12 +502,14 @@ static struct sock *__udp6_lib_err_encap(struct net *net, + const struct ipv6hdr *hdr, int offset, + struct udphdr *uh, + struct udp_table *udptable, ++ struct sock *sk, + struct sk_buff *skb, + struct inet6_skb_parm *opt, + u8 type, u8 code, __be32 info) + { ++ int (*lookup)(struct sock *sk, struct sk_buff *skb); + int network_offset, transport_offset; +- struct sock *sk; ++ struct udp_sock *up; + + network_offset = skb_network_offset(skb); + transport_offset = skb_transport_offset(skb); +@@ -518,18 +520,28 @@ static struct sock *__udp6_lib_err_encap(struct net *net, + /* Transport header needs to point to the UDP header */ + skb_set_transport_header(skb, offset); + ++ if (sk) { ++ up = udp_sk(sk); ++ ++ lookup = READ_ONCE(up->encap_err_lookup); ++ if (lookup && lookup(sk, skb)) ++ sk = NULL; ++ ++ goto out; ++ } ++ + sk = __udp6_lib_lookup(net, &hdr->daddr, uh->source, + &hdr->saddr, uh->dest, + inet6_iif(skb), 0, udptable, skb); + if (sk) { +- int (*lookup)(struct sock *sk, struct sk_buff *skb); +- struct udp_sock *up = udp_sk(sk); ++ up = udp_sk(sk); + + lookup = READ_ONCE(up->encap_err_lookup); + if (!lookup || lookup(sk, skb)) + sk = NULL; + } + ++out: + if (!sk) { + sk = ERR_PTR(__udp6_lib_err_encap_no_sk(skb, opt, type, code, + offset, info)); +@@ -558,16 +570,17 @@ int __udp6_lib_err(struct sk_buff *skb, struct inet6_skb_parm *opt, + + sk = __udp6_lib_lookup(net, daddr, uh->dest, saddr, uh->source, + inet6_iif(skb), inet6_sdif(skb), udptable, NULL); ++ + if (!sk || udp_sk(sk)->encap_type) { + /* No socket for error: try tunnels before discarding */ +- sk = ERR_PTR(-ENOENT); + if (static_branch_unlikely(&udpv6_encap_needed_key)) { + sk = __udp6_lib_err_encap(net, hdr, offset, uh, +- udptable, skb, ++ udptable, sk, skb, + opt, type, code, info); + if (!sk) + return 0; +- } ++ } else ++ sk = ERR_PTR(-ENOENT); + + if (IS_ERR(sk)) { + __ICMP6_INC_STATS(net, __in6_dev_get(skb->dev), +-- +2.30.2 + diff --git a/queue-5.13/usb-hso-fix-error-handling-code-of-hso_create_net_de.patch b/queue-5.13/usb-hso-fix-error-handling-code-of-hso_create_net_de.patch new file mode 100644 index 00000000000..ea34558be22 --- /dev/null +++ b/queue-5.13/usb-hso-fix-error-handling-code-of-hso_create_net_de.patch @@ -0,0 +1,115 @@ +From b91519ff60db3fd5b20c000b9e89b6305185ef5e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jul 2021 17:13:22 +0800 +Subject: usb: hso: fix error handling code of hso_create_net_device + +From: Dongliang Mu + +[ Upstream commit a6ecfb39ba9d7316057cea823b196b734f6b18ca ] + +The current error handling code of hso_create_net_device is +hso_free_net_device, no matter which errors lead to. For example, +WARNING in hso_free_net_device [1]. + +Fix this by refactoring the error handling code of +hso_create_net_device by handling different errors by different code. + +[1] https://syzkaller.appspot.com/bug?id=66eff8d49af1b28370ad342787413e35bbe76efe + +Reported-by: syzbot+44d53c7255bb1aea22d2@syzkaller.appspotmail.com +Fixes: 5fcfb6d0bfcd ("hso: fix bailout in error case of probe") +Signed-off-by: Dongliang Mu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/hso.c | 33 +++++++++++++++++++++++---------- + 1 file changed, 23 insertions(+), 10 deletions(-) + +diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c +index 5c779cc0ea11..28ebf4955b83 100644 +--- a/drivers/net/usb/hso.c ++++ b/drivers/net/usb/hso.c +@@ -2496,7 +2496,7 @@ static struct hso_device *hso_create_net_device(struct usb_interface *interface, + hso_net_init); + if (!net) { + dev_err(&interface->dev, "Unable to create ethernet device\n"); +- goto exit; ++ goto err_hso_dev; + } + + hso_net = netdev_priv(net); +@@ -2509,13 +2509,13 @@ static struct hso_device *hso_create_net_device(struct usb_interface *interface, + USB_DIR_IN); + if (!hso_net->in_endp) { + dev_err(&interface->dev, "Can't find BULK IN endpoint\n"); +- goto exit; ++ goto err_net; + } + hso_net->out_endp = hso_get_ep(interface, USB_ENDPOINT_XFER_BULK, + USB_DIR_OUT); + if (!hso_net->out_endp) { + dev_err(&interface->dev, "Can't find BULK OUT endpoint\n"); +- goto exit; ++ goto err_net; + } + SET_NETDEV_DEV(net, &interface->dev); + SET_NETDEV_DEVTYPE(net, &hso_type); +@@ -2524,18 +2524,18 @@ static struct hso_device *hso_create_net_device(struct usb_interface *interface, + for (i = 0; i < MUX_BULK_RX_BUF_COUNT; i++) { + hso_net->mux_bulk_rx_urb_pool[i] = usb_alloc_urb(0, GFP_KERNEL); + if (!hso_net->mux_bulk_rx_urb_pool[i]) +- goto exit; ++ goto err_mux_bulk_rx; + hso_net->mux_bulk_rx_buf_pool[i] = kzalloc(MUX_BULK_RX_BUF_SIZE, + GFP_KERNEL); + if (!hso_net->mux_bulk_rx_buf_pool[i]) +- goto exit; ++ goto err_mux_bulk_rx; + } + hso_net->mux_bulk_tx_urb = usb_alloc_urb(0, GFP_KERNEL); + if (!hso_net->mux_bulk_tx_urb) +- goto exit; ++ goto err_mux_bulk_rx; + hso_net->mux_bulk_tx_buf = kzalloc(MUX_BULK_TX_BUF_SIZE, GFP_KERNEL); + if (!hso_net->mux_bulk_tx_buf) +- goto exit; ++ goto err_free_tx_urb; + + add_net_device(hso_dev); + +@@ -2543,7 +2543,7 @@ static struct hso_device *hso_create_net_device(struct usb_interface *interface, + result = register_netdev(net); + if (result) { + dev_err(&interface->dev, "Failed to register device\n"); +- goto exit; ++ goto err_free_tx_buf; + } + + hso_log_port(hso_dev); +@@ -2551,8 +2551,21 @@ static struct hso_device *hso_create_net_device(struct usb_interface *interface, + hso_create_rfkill(hso_dev, interface); + + return hso_dev; +-exit: +- hso_free_net_device(hso_dev, true); ++ ++err_free_tx_buf: ++ remove_net_device(hso_dev); ++ kfree(hso_net->mux_bulk_tx_buf); ++err_free_tx_urb: ++ usb_free_urb(hso_net->mux_bulk_tx_urb); ++err_mux_bulk_rx: ++ for (i = 0; i < MUX_BULK_RX_BUF_COUNT; i++) { ++ usb_free_urb(hso_net->mux_bulk_rx_urb_pool[i]); ++ kfree(hso_net->mux_bulk_rx_buf_pool[i]); ++ } ++err_net: ++ free_netdev(net); ++err_hso_dev: ++ kfree(hso_dev); + return NULL; + } + +-- +2.30.2 + diff --git a/queue-5.13/xdp-net-fix-use-after-free-in-bpf_xdp_link_release.patch b/queue-5.13/xdp-net-fix-use-after-free-in-bpf_xdp_link_release.patch new file mode 100644 index 00000000000..465d3069d44 --- /dev/null +++ b/queue-5.13/xdp-net-fix-use-after-free-in-bpf_xdp_link_release.patch @@ -0,0 +1,161 @@ +From 12fd148b9e54b095dcf0338d501d8d8f62a6e7e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 10 Jul 2021 11:16:35 +0800 +Subject: xdp, net: Fix use-after-free in bpf_xdp_link_release + +From: Xuan Zhuo + +[ Upstream commit 5acc7d3e8d342858405fbbc671221f676b547ce7 ] + +The problem occurs between dev_get_by_index() and dev_xdp_attach_link(). +At this point, dev_xdp_uninstall() is called. Then xdp link will not be +detached automatically when dev is released. But link->dev already +points to dev, when xdp link is released, dev will still be accessed, +but dev has been released. + +dev_get_by_index() | +link->dev = dev | + | rtnl_lock() + | unregister_netdevice_many() + | dev_xdp_uninstall() + | rtnl_unlock() +rtnl_lock(); | +dev_xdp_attach_link() | +rtnl_unlock(); | + | netdev_run_todo() // dev released +bpf_xdp_link_release() | + /* access dev. | + use-after-free */ | + +[ 45.966867] BUG: KASAN: use-after-free in bpf_xdp_link_release+0x3b8/0x3d0 +[ 45.967619] Read of size 8 at addr ffff00000f9980c8 by task a.out/732 +[ 45.968297] +[ 45.968502] CPU: 1 PID: 732 Comm: a.out Not tainted 5.13.0+ #22 +[ 45.969222] Hardware name: linux,dummy-virt (DT) +[ 45.969795] Call trace: +[ 45.970106] dump_backtrace+0x0/0x4c8 +[ 45.970564] show_stack+0x30/0x40 +[ 45.970981] dump_stack_lvl+0x120/0x18c +[ 45.971470] print_address_description.constprop.0+0x74/0x30c +[ 45.972182] kasan_report+0x1e8/0x200 +[ 45.972659] __asan_report_load8_noabort+0x2c/0x50 +[ 45.973273] bpf_xdp_link_release+0x3b8/0x3d0 +[ 45.973834] bpf_link_free+0xd0/0x188 +[ 45.974315] bpf_link_put+0x1d0/0x218 +[ 45.974790] bpf_link_release+0x3c/0x58 +[ 45.975291] __fput+0x20c/0x7e8 +[ 45.975706] ____fput+0x24/0x30 +[ 45.976117] task_work_run+0x104/0x258 +[ 45.976609] do_notify_resume+0x894/0xaf8 +[ 45.977121] work_pending+0xc/0x328 +[ 45.977575] +[ 45.977775] The buggy address belongs to the page: +[ 45.978369] page:fffffc00003e6600 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4f998 +[ 45.979522] flags: 0x7fffe0000000000(node=0|zone=0|lastcpupid=0x3ffff) +[ 45.980349] raw: 07fffe0000000000 fffffc00003e6708 ffff0000dac3c010 0000000000000000 +[ 45.981309] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 +[ 45.982259] page dumped because: kasan: bad access detected +[ 45.982948] +[ 45.983153] Memory state around the buggy address: +[ 45.983753] ffff00000f997f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 45.984645] ffff00000f998000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 45.985533] >ffff00000f998080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 45.986419] ^ +[ 45.987112] ffff00000f998100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 45.988006] ffff00000f998180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 45.988895] ================================================================== +[ 45.989773] Disabling lock debugging due to kernel taint +[ 45.990552] Kernel panic - not syncing: panic_on_warn set ... +[ 45.991166] CPU: 1 PID: 732 Comm: a.out Tainted: G B 5.13.0+ #22 +[ 45.991929] Hardware name: linux,dummy-virt (DT) +[ 45.992448] Call trace: +[ 45.992753] dump_backtrace+0x0/0x4c8 +[ 45.993208] show_stack+0x30/0x40 +[ 45.993627] dump_stack_lvl+0x120/0x18c +[ 45.994113] dump_stack+0x1c/0x34 +[ 45.994530] panic+0x3a4/0x7d8 +[ 45.994930] end_report+0x194/0x198 +[ 45.995380] kasan_report+0x134/0x200 +[ 45.995850] __asan_report_load8_noabort+0x2c/0x50 +[ 45.996453] bpf_xdp_link_release+0x3b8/0x3d0 +[ 45.997007] bpf_link_free+0xd0/0x188 +[ 45.997474] bpf_link_put+0x1d0/0x218 +[ 45.997942] bpf_link_release+0x3c/0x58 +[ 45.998429] __fput+0x20c/0x7e8 +[ 45.998833] ____fput+0x24/0x30 +[ 45.999247] task_work_run+0x104/0x258 +[ 45.999731] do_notify_resume+0x894/0xaf8 +[ 46.000236] work_pending+0xc/0x328 +[ 46.000697] SMP: stopping secondary CPUs +[ 46.001226] Dumping ftrace buffer: +[ 46.001663] (ftrace buffer empty) +[ 46.002110] Kernel Offset: disabled +[ 46.002545] CPU features: 0x00000001,23202c00 +[ 46.003080] Memory Limit: none + +Fixes: aa8d3a716b59db6c ("bpf, xdp: Add bpf_link-based XDP attachment API") +Reported-by: Abaci +Signed-off-by: Xuan Zhuo +Signed-off-by: Alexei Starovoitov +Reviewed-by: Dust Li +Acked-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20210710031635.41649-1-xuanzhuo@linux.alibaba.com +Signed-off-by: Sasha Levin +--- + net/core/dev.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/net/core/dev.c b/net/core/dev.c +index 4f29dde4ed0a..0dcedcdf6d7e 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -9659,14 +9659,17 @@ int bpf_xdp_link_attach(const union bpf_attr *attr, struct bpf_prog *prog) + struct net_device *dev; + int err, fd; + ++ rtnl_lock(); + dev = dev_get_by_index(net, attr->link_create.target_ifindex); +- if (!dev) ++ if (!dev) { ++ rtnl_unlock(); + return -EINVAL; ++ } + + link = kzalloc(sizeof(*link), GFP_USER); + if (!link) { + err = -ENOMEM; +- goto out_put_dev; ++ goto unlock; + } + + bpf_link_init(&link->link, BPF_LINK_TYPE_XDP, &bpf_xdp_link_lops, prog); +@@ -9676,14 +9679,14 @@ int bpf_xdp_link_attach(const union bpf_attr *attr, struct bpf_prog *prog) + err = bpf_link_prime(&link->link, &link_primer); + if (err) { + kfree(link); +- goto out_put_dev; ++ goto unlock; + } + +- rtnl_lock(); + err = dev_xdp_attach_link(dev, NULL, link); + rtnl_unlock(); + + if (err) { ++ link->dev = NULL; + bpf_link_cleanup(&link_primer); + goto out_put_dev; + } +@@ -9693,6 +9696,9 @@ int bpf_xdp_link_attach(const union bpf_attr *attr, struct bpf_prog *prog) + dev_put(dev); + return fd; + ++unlock: ++ rtnl_unlock(); ++ + out_put_dev: + dev_put(dev); + return err; +-- +2.30.2 +