From: Greg Kroah-Hartman Date: Tue, 12 May 2020 08:58:48 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v4.19.123~47 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=40ccc755c665c17c02d1b4540f120bc823237ce3;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: bnxt_en-fix-vf-anti-spoof-filter-setup.patch bnxt_en-fix-vlan-acceleration-handling-in-bnxt_fix_features.patch bnxt_en-improve-aer-slot-reset.patch bnxt_en-reduce-bnxt_msix_vec_max-value-to-supported-cqs-per-pf.patch bnxt_en-return-error-when-allocating-zero-size-context-memory.patch devlink-fix-return-value-after-hitting-end-in-region-read.patch dp83640-reverse-arguments-to-list_add_tail.patch fq_codel-fix-tca_fq_codel_drop_batch_size-sanity-checks.patch ipv6-use-global-sernum-for-dst-validation-with-nexthop-objects.patch mlxsw-spectrum_acl_tcam-position-vchunk-in-a-vregion-list-properly.patch neigh-send-protocol-value-in-neighbor-create-notification.patch net-dsa-do-not-leave-dsa-master-with-null-netdev_ops.patch net-macb-fix-an-issue-about-leak-related-system-resources.patch net-macsec-preserve-ingress-frame-ordering.patch net-mlx4_core-fix-use-of-enospc-around-mlx4_counter_alloc.patch net-mlx5-dr-on-creation-set-cq-s-arm_db-member-to-right-value.patch net-mlx5-fix-command-entry-leak-in-internal-error-state.patch net-mlx5-fix-forced-completion-access-non-initialized-command-entry.patch net-mvpp2-cls-prevent-buffer-overflow-in-mvpp2_ethtool_cls_rule_del.patch net-mvpp2-prevent-buffer-overflow-in-mvpp22_rss_ctx.patch net-stricter-validation-of-untrusted-gso-packets.patch net-tc35815-fix-phydev-supported-advertising-mask.patch net-tls-fix-sk_psock-refcnt-leak-in-bpf_exec_tx_verdict.patch net-tls-fix-sk_psock-refcnt-leak-when-in-tls_data_ready.patch net-usb-qmi_wwan-add-support-for-dw5816e.patch net_sched-sch_skbprio-add-message-validation-to-skbprio_change.patch nfp-abm-fix-a-memory-leak-bug.patch sch_choke-avoid-potential-panic-in-choke_reset.patch sch_sfq-validate-silly-quantum-values.patch tipc-fix-partial-topology-connection-closure.patch tunnel-propagate-ect-1-when-decapsulating-as-recommended-by-rfc6040.patch --- diff --git a/queue-5.4/bnxt_en-fix-vf-anti-spoof-filter-setup.patch b/queue-5.4/bnxt_en-fix-vf-anti-spoof-filter-setup.patch new file mode 100644 index 00000000000..caa209da5ef --- /dev/null +++ b/queue-5.4/bnxt_en-fix-vf-anti-spoof-filter-setup.patch @@ -0,0 +1,96 @@ +From foo@baz Tue 12 May 2020 10:55:24 AM CEST +From: Michael Chan +Date: Sun, 26 Apr 2020 16:24:38 -0400 +Subject: bnxt_en: Fix VF anti-spoof filter setup. + +From: Michael Chan + +[ Upstream commit c71c4e49afe173823a2a85b0cabc9b3f1176ffa2 ] + +Fix the logic that sets the enable/disable flag for the source MAC +filter according to firmware spec 1.7.1. + +In the original firmware spec. before 1.7.1, the VF spoof check flags +were not latched after making the HWRM_FUNC_CFG call, so there was a +need to keep the func_flags so that subsequent calls would perserve +the VF spoof check setting. A change was made in the 1.7.1 spec +so that the flags became latched. So we now set or clear the anti- +spoof setting directly without retrieving the old settings in the +stored vf->func_flags which are no longer valid. We also remove the +unneeded vf->func_flags. + +Fixes: 8eb992e876a8 ("bnxt_en: Update firmware interface spec to 1.7.6.2.") +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.h | 1 - + drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c | 10 ++-------- + 2 files changed, 2 insertions(+), 9 deletions(-) + +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.h ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.h +@@ -1058,7 +1058,6 @@ struct bnxt_vf_info { + #define BNXT_VF_LINK_FORCED 0x4 + #define BNXT_VF_LINK_UP 0x8 + #define BNXT_VF_TRUST 0x10 +- u32 func_flags; /* func cfg flags */ + u32 min_tx_rate; + u32 max_tx_rate; + void *hwrm_cmd_req_addr; +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c +@@ -85,11 +85,10 @@ int bnxt_set_vf_spoofchk(struct net_devi + if (old_setting == setting) + return 0; + +- func_flags = vf->func_flags; + if (setting) +- func_flags |= FUNC_CFG_REQ_FLAGS_SRC_MAC_ADDR_CHECK_ENABLE; ++ func_flags = FUNC_CFG_REQ_FLAGS_SRC_MAC_ADDR_CHECK_ENABLE; + else +- func_flags |= FUNC_CFG_REQ_FLAGS_SRC_MAC_ADDR_CHECK_DISABLE; ++ func_flags = FUNC_CFG_REQ_FLAGS_SRC_MAC_ADDR_CHECK_DISABLE; + /*TODO: if the driver supports VLAN filter on guest VLAN, + * the spoof check should also include vlan anti-spoofing + */ +@@ -98,7 +97,6 @@ int bnxt_set_vf_spoofchk(struct net_devi + req.flags = cpu_to_le32(func_flags); + rc = hwrm_send_message(bp, &req, sizeof(req), HWRM_CMD_TIMEOUT); + if (!rc) { +- vf->func_flags = func_flags; + if (setting) + vf->flags |= BNXT_VF_SPOOFCHK; + else +@@ -230,7 +228,6 @@ int bnxt_set_vf_mac(struct net_device *d + memcpy(vf->mac_addr, mac, ETH_ALEN); + bnxt_hwrm_cmd_hdr_init(bp, &req, HWRM_FUNC_CFG, -1, -1); + req.fid = cpu_to_le16(vf->fw_fid); +- req.flags = cpu_to_le32(vf->func_flags); + req.enables = cpu_to_le32(FUNC_CFG_REQ_ENABLES_DFLT_MAC_ADDR); + memcpy(req.dflt_mac_addr, mac, ETH_ALEN); + return hwrm_send_message(bp, &req, sizeof(req), HWRM_CMD_TIMEOUT); +@@ -268,7 +265,6 @@ int bnxt_set_vf_vlan(struct net_device * + + bnxt_hwrm_cmd_hdr_init(bp, &req, HWRM_FUNC_CFG, -1, -1); + req.fid = cpu_to_le16(vf->fw_fid); +- req.flags = cpu_to_le32(vf->func_flags); + req.dflt_vlan = cpu_to_le16(vlan_tag); + req.enables = cpu_to_le32(FUNC_CFG_REQ_ENABLES_DFLT_VLAN); + rc = hwrm_send_message(bp, &req, sizeof(req), HWRM_CMD_TIMEOUT); +@@ -307,7 +303,6 @@ int bnxt_set_vf_bw(struct net_device *de + return 0; + bnxt_hwrm_cmd_hdr_init(bp, &req, HWRM_FUNC_CFG, -1, -1); + req.fid = cpu_to_le16(vf->fw_fid); +- req.flags = cpu_to_le32(vf->func_flags); + req.enables = cpu_to_le32(FUNC_CFG_REQ_ENABLES_MAX_BW); + req.max_bw = cpu_to_le32(max_tx_rate); + req.enables |= cpu_to_le32(FUNC_CFG_REQ_ENABLES_MIN_BW); +@@ -479,7 +474,6 @@ static void __bnxt_set_vf_params(struct + vf = &bp->pf.vf[vf_id]; + bnxt_hwrm_cmd_hdr_init(bp, &req, HWRM_FUNC_CFG, -1, -1); + req.fid = cpu_to_le16(vf->fw_fid); +- req.flags = cpu_to_le32(vf->func_flags); + + if (is_valid_ether_addr(vf->mac_addr)) { + req.enables |= cpu_to_le32(FUNC_CFG_REQ_ENABLES_DFLT_MAC_ADDR); diff --git a/queue-5.4/bnxt_en-fix-vlan-acceleration-handling-in-bnxt_fix_features.patch b/queue-5.4/bnxt_en-fix-vlan-acceleration-handling-in-bnxt_fix_features.patch new file mode 100644 index 00000000000..dd02ddb029c --- /dev/null +++ b/queue-5.4/bnxt_en-fix-vlan-acceleration-handling-in-bnxt_fix_features.patch @@ -0,0 +1,51 @@ +From foo@baz Tue 12 May 2020 10:55:24 AM CEST +From: Michael Chan +Date: Sun, 26 Apr 2020 16:24:42 -0400 +Subject: bnxt_en: Fix VLAN acceleration handling in bnxt_fix_features(). + +From: Michael Chan + +[ Upstream commit c72cb303aa6c2ae7e4184f0081c6d11bf03fb96b ] + +The current logic in bnxt_fix_features() will inadvertently turn on both +CTAG and STAG VLAN offload if the user tries to disable both. Fix it +by checking that the user is trying to enable CTAG or STAG before +enabling both. The logic is supposed to enable or disable both CTAG and +STAG together. + +Fixes: 5a9f6b238e59 ("bnxt_en: Enable and disable RX CTAG and RX STAG VLAN acceleration together.") +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -9755,6 +9755,7 @@ static netdev_features_t bnxt_fix_featur + netdev_features_t features) + { + struct bnxt *bp = netdev_priv(dev); ++ netdev_features_t vlan_features; + + if ((features & NETIF_F_NTUPLE) && !bnxt_rfs_capable(bp)) + features &= ~NETIF_F_NTUPLE; +@@ -9771,12 +9772,14 @@ static netdev_features_t bnxt_fix_featur + /* Both CTAG and STAG VLAN accelaration on the RX side have to be + * turned on or off together. + */ +- if ((features & (NETIF_F_HW_VLAN_CTAG_RX | NETIF_F_HW_VLAN_STAG_RX)) != +- (NETIF_F_HW_VLAN_CTAG_RX | NETIF_F_HW_VLAN_STAG_RX)) { ++ vlan_features = features & (NETIF_F_HW_VLAN_CTAG_RX | ++ NETIF_F_HW_VLAN_STAG_RX); ++ if (vlan_features != (NETIF_F_HW_VLAN_CTAG_RX | ++ NETIF_F_HW_VLAN_STAG_RX)) { + if (dev->features & NETIF_F_HW_VLAN_CTAG_RX) + features &= ~(NETIF_F_HW_VLAN_CTAG_RX | + NETIF_F_HW_VLAN_STAG_RX); +- else ++ else if (vlan_features) + features |= NETIF_F_HW_VLAN_CTAG_RX | + NETIF_F_HW_VLAN_STAG_RX; + } diff --git a/queue-5.4/bnxt_en-improve-aer-slot-reset.patch b/queue-5.4/bnxt_en-improve-aer-slot-reset.patch new file mode 100644 index 00000000000..9bdaa2cca3e --- /dev/null +++ b/queue-5.4/bnxt_en-improve-aer-slot-reset.patch @@ -0,0 +1,42 @@ +From foo@baz Tue 12 May 2020 10:55:24 AM CEST +From: Michael Chan +Date: Sun, 26 Apr 2020 16:24:40 -0400 +Subject: bnxt_en: Improve AER slot reset. + +From: Michael Chan + +[ Upstream commit bae361c54fb6ac6eba3b4762f49ce14beb73ef13 ] + +Improve the slot reset sequence by disabling the device to prevent bad +DMAs if slot reset fails. Return the proper result instead of always +PCI_ERS_RESULT_RECOVERED to the caller. + +Fixes: 6316ea6db93d ("bnxt_en: Enable AER support.") +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -12066,12 +12066,15 @@ static pci_ers_result_t bnxt_io_slot_res + } + } + +- if (result != PCI_ERS_RESULT_RECOVERED && netif_running(netdev)) +- dev_close(netdev); ++ if (result != PCI_ERS_RESULT_RECOVERED) { ++ if (netif_running(netdev)) ++ dev_close(netdev); ++ pci_disable_device(pdev); ++ } + + rtnl_unlock(); + +- return PCI_ERS_RESULT_RECOVERED; ++ return result; + } + + /** diff --git a/queue-5.4/bnxt_en-reduce-bnxt_msix_vec_max-value-to-supported-cqs-per-pf.patch b/queue-5.4/bnxt_en-reduce-bnxt_msix_vec_max-value-to-supported-cqs-per-pf.patch new file mode 100644 index 00000000000..68af8437b95 --- /dev/null +++ b/queue-5.4/bnxt_en-reduce-bnxt_msix_vec_max-value-to-supported-cqs-per-pf.patch @@ -0,0 +1,35 @@ +From foo@baz Tue 12 May 2020 10:55:24 AM CEST +From: Vasundhara Volam +Date: Sun, 26 Apr 2020 16:24:39 -0400 +Subject: bnxt_en: Reduce BNXT_MSIX_VEC_MAX value to supported CQs per PF. + +From: Vasundhara Volam + +[ Upstream commit 9e68cb0359b20f99c7b070f1d3305e5e0a9fae6d ] + +Broadcom adapters support only maximum of 512 CQs per PF. If user sets +MSIx vectors more than supported CQs, firmware is setting incorrect value +for msix_vec_per_pf_max parameter. Fix it by reducing the BNXT_MSIX_VEC_MAX +value to 512, even though the maximum # of MSIx vectors supported by adapter +are 1280. + +Fixes: f399e8497826 ("bnxt_en: Use msix_vec_per_pf_max and msix_vec_per_pf_min devlink params.") +Signed-off-by: Vasundhara Volam +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bnxt/bnxt_devlink.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_devlink.h ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_devlink.h +@@ -39,7 +39,7 @@ static inline void bnxt_link_bp_to_dl(st + #define NVM_OFF_DIS_GRE_VER_CHECK 171 + #define NVM_OFF_ENABLE_SRIOV 401 + +-#define BNXT_MSIX_VEC_MAX 1280 ++#define BNXT_MSIX_VEC_MAX 512 + #define BNXT_MSIX_VEC_MIN_MAX 128 + + enum bnxt_nvm_dir_type { diff --git a/queue-5.4/bnxt_en-return-error-when-allocating-zero-size-context-memory.patch b/queue-5.4/bnxt_en-return-error-when-allocating-zero-size-context-memory.patch new file mode 100644 index 00000000000..bbdbf87445b --- /dev/null +++ b/queue-5.4/bnxt_en-return-error-when-allocating-zero-size-context-memory.patch @@ -0,0 +1,33 @@ +From foo@baz Tue 12 May 2020 10:55:24 AM CEST +From: Michael Chan +Date: Sun, 26 Apr 2020 16:24:41 -0400 +Subject: bnxt_en: Return error when allocating zero size context memory. + +From: Michael Chan + +[ Upstream commit bbf211b1ecb891c7e0cc7888834504183fc8b534 ] + +bnxt_alloc_ctx_pg_tbls() should return error when the memory size of the +context memory to set up is zero. By returning success (0), the caller +may proceed normally and may crash later when it tries to set up the +memory. + +Fixes: 08fe9d181606 ("bnxt_en: Add Level 2 context memory paging support.") +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -6649,7 +6649,7 @@ static int bnxt_alloc_ctx_pg_tbls(struct + int rc; + + if (!mem_size) +- return 0; ++ return -EINVAL; + + ctx_pg->nr_pages = DIV_ROUND_UP(mem_size, BNXT_PAGE_SIZE); + if (ctx_pg->nr_pages > MAX_CTX_TOTAL_PAGES) { diff --git a/queue-5.4/devlink-fix-return-value-after-hitting-end-in-region-read.patch b/queue-5.4/devlink-fix-return-value-after-hitting-end-in-region-read.patch new file mode 100644 index 00000000000..cbfc8afdfe6 --- /dev/null +++ b/queue-5.4/devlink-fix-return-value-after-hitting-end-in-region-read.patch @@ -0,0 +1,50 @@ +From foo@baz Tue 12 May 2020 10:55:24 AM CEST +From: Jakub Kicinski +Date: Tue, 28 Apr 2020 19:01:58 -0700 +Subject: devlink: fix return value after hitting end in region read + +From: Jakub Kicinski + +[ Upstream commit 610a9346c138b9c2c93d38bf5f3728e74ae9cbd5 ] + +Commit d5b90e99e1d5 ("devlink: report 0 after hitting end in region read") +fixed region dump, but region read still returns a spurious error: + +$ devlink region read netdevsim/netdevsim1/dummy snapshot 0 addr 0 len 128 +0000000000000000 a6 f4 c4 1c 21 35 95 a6 9d 34 c3 5b 87 5b 35 79 +0000000000000010 f3 a0 d7 ee 4f 2f 82 7f c6 dd c4 f6 a5 c3 1b ae +0000000000000020 a4 fd c8 62 07 59 48 03 70 3b c7 09 86 88 7f 68 +0000000000000030 6f 45 5d 6d 7d 0e 16 38 a9 d0 7a 4b 1e 1e 2e a6 +0000000000000040 e6 1d ae 06 d6 18 00 85 ca 62 e8 7e 11 7e f6 0f +0000000000000050 79 7e f7 0f f3 94 68 bd e6 40 22 85 b6 be 6f b1 +0000000000000060 af db ef 5e 34 f0 98 4b 62 9a e3 1b 8b 93 fc 17 +devlink answers: Invalid argument +0000000000000070 61 e8 11 11 66 10 a5 f7 b1 ea 8d 40 60 53 ed 12 + +This is a minimal fix, I'll follow up with a restructuring +so we don't have two checks for the same condition. + +Fixes: fdd41ec21e15 ("devlink: Return right error code in case of errors for region read") +Signed-off-by: Jakub Kicinski +Reviewed-by: Jacob Keller +Reviewed-by: Jiri Pirko +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/devlink.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/net/core/devlink.c ++++ b/net/core/devlink.c +@@ -3907,6 +3907,11 @@ static int devlink_nl_cmd_region_read_du + end_offset = nla_get_u64(attrs[DEVLINK_ATTR_REGION_CHUNK_ADDR]); + end_offset += nla_get_u64(attrs[DEVLINK_ATTR_REGION_CHUNK_LEN]); + dump = false; ++ ++ if (start_offset == end_offset) { ++ err = 0; ++ goto nla_put_failure; ++ } + } + + err = devlink_nl_region_read_snapshot_fill(skb, devlink, diff --git a/queue-5.4/dp83640-reverse-arguments-to-list_add_tail.patch b/queue-5.4/dp83640-reverse-arguments-to-list_add_tail.patch new file mode 100644 index 00000000000..a8e29fadcf8 --- /dev/null +++ b/queue-5.4/dp83640-reverse-arguments-to-list_add_tail.patch @@ -0,0 +1,34 @@ +From foo@baz Tue 12 May 2020 10:55:24 AM CEST +From: Julia Lawall +Date: Thu, 30 Apr 2020 21:51:32 +0200 +Subject: dp83640: reverse arguments to list_add_tail + +From: Julia Lawall + +[ Upstream commit 865308373ed49c9fb05720d14cbf1315349b32a9 ] + +In this code, it appears that phyter_clocks is a list head, based on +the previous list_for_each, and that clock->list is intended to be a +list element, given that it has just been initialized in +dp83640_clock_init. Accordingly, switch the arguments to +list_add_tail, which takes the list head as the second argument. + +Fixes: cb646e2b02b27 ("ptp: Added a clock driver for the National Semiconductor PHYTER.") +Signed-off-by: Julia Lawall +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/dp83640.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/phy/dp83640.c ++++ b/drivers/net/phy/dp83640.c +@@ -1119,7 +1119,7 @@ static struct dp83640_clock *dp83640_clo + goto out; + } + dp83640_clock_init(clock, bus); +- list_add_tail(&phyter_clocks, &clock->list); ++ list_add_tail(&clock->list, &phyter_clocks); + out: + mutex_unlock(&phyter_clocks_lock); + diff --git a/queue-5.4/fq_codel-fix-tca_fq_codel_drop_batch_size-sanity-checks.patch b/queue-5.4/fq_codel-fix-tca_fq_codel_drop_batch_size-sanity-checks.patch new file mode 100644 index 00000000000..b243eff86f3 --- /dev/null +++ b/queue-5.4/fq_codel-fix-tca_fq_codel_drop_batch_size-sanity-checks.patch @@ -0,0 +1,32 @@ +From foo@baz Tue 12 May 2020 10:55:24 AM CEST +From: Eric Dumazet +Date: Sat, 25 Apr 2020 12:40:25 -0700 +Subject: fq_codel: fix TCA_FQ_CODEL_DROP_BATCH_SIZE sanity checks + +From: Eric Dumazet + +[ Upstream commit 14695212d4cd8b0c997f6121b6df8520038ce076 ] + +My intent was to not let users set a zero drop_batch_size, +it seems I once again messed with min()/max(). + +Fixes: 9d18562a2278 ("fq_codel: add batch ability to fq_codel_drop()") +Signed-off-by: Eric Dumazet +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/sch_fq_codel.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/sched/sch_fq_codel.c ++++ b/net/sched/sch_fq_codel.c +@@ -417,7 +417,7 @@ static int fq_codel_change(struct Qdisc + q->quantum = max(256U, nla_get_u32(tb[TCA_FQ_CODEL_QUANTUM])); + + if (tb[TCA_FQ_CODEL_DROP_BATCH_SIZE]) +- q->drop_batch_size = min(1U, nla_get_u32(tb[TCA_FQ_CODEL_DROP_BATCH_SIZE])); ++ q->drop_batch_size = max(1U, nla_get_u32(tb[TCA_FQ_CODEL_DROP_BATCH_SIZE])); + + if (tb[TCA_FQ_CODEL_MEMORY_LIMIT]) + q->memory_limit = min(1U << 31, nla_get_u32(tb[TCA_FQ_CODEL_MEMORY_LIMIT])); diff --git a/queue-5.4/ipv6-use-global-sernum-for-dst-validation-with-nexthop-objects.patch b/queue-5.4/ipv6-use-global-sernum-for-dst-validation-with-nexthop-objects.patch new file mode 100644 index 00000000000..7184a978c60 --- /dev/null +++ b/queue-5.4/ipv6-use-global-sernum-for-dst-validation-with-nexthop-objects.patch @@ -0,0 +1,175 @@ +From foo@baz Tue 12 May 2020 10:55:24 AM CEST +From: David Ahern +Date: Fri, 1 May 2020 08:53:08 -0600 +Subject: ipv6: Use global sernum for dst validation with nexthop objects + +From: David Ahern + +[ Upstream commit 8f34e53b60b337e559f1ea19e2780ff95ab2fa65 ] + +Nik reported a bug with pcpu dst cache when nexthop objects are +used illustrated by the following: + $ ip netns add foo + $ ip -netns foo li set lo up + $ ip -netns foo addr add 2001:db8:11::1/128 dev lo + $ ip netns exec foo sysctl net.ipv6.conf.all.forwarding=1 + $ ip li add veth1 type veth peer name veth2 + $ ip li set veth1 up + $ ip addr add 2001:db8:10::1/64 dev veth1 + $ ip li set dev veth2 netns foo + $ ip -netns foo li set veth2 up + $ ip -netns foo addr add 2001:db8:10::2/64 dev veth2 + $ ip -6 nexthop add id 100 via 2001:db8:10::2 dev veth1 + $ ip -6 route add 2001:db8:11::1/128 nhid 100 + + Create a pcpu entry on cpu 0: + $ taskset -a -c 0 ip -6 route get 2001:db8:11::1 + + Re-add the route entry: + $ ip -6 ro del 2001:db8:11::1 + $ ip -6 route add 2001:db8:11::1/128 nhid 100 + + Route get on cpu 0 returns the stale pcpu: + $ taskset -a -c 0 ip -6 route get 2001:db8:11::1 + RTNETLINK answers: Network is unreachable + + While cpu 1 works: + $ taskset -a -c 1 ip -6 route get 2001:db8:11::1 + 2001:db8:11::1 from :: via 2001:db8:10::2 dev veth1 src 2001:db8:10::1 metric 1024 pref medium + +Conversion of FIB entries to work with external nexthop objects +missed an important difference between IPv4 and IPv6 - how dst +entries are invalidated when the FIB changes. IPv4 has a per-network +namespace generation id (rt_genid) that is bumped on changes to the FIB. +Checking if a dst_entry is still valid means comparing rt_genid in the +rtable to the current value of rt_genid for the namespace. + +IPv6 also has a per network namespace counter, fib6_sernum, but the +count is saved per fib6_node. With the per-node counter only dst_entries +based on fib entries under the node are invalidated when changes are +made to the routes - limiting the scope of invalidations. IPv6 uses a +reference in the rt6_info, 'from', to track the corresponding fib entry +used to create the dst_entry. When validating a dst_entry, the 'from' +is used to backtrack to the fib6_node and check the sernum of it to the +cookie passed to the dst_check operation. + +With the inline format (nexthop definition inline with the fib6_info), +dst_entries cached in the fib6_nh have a 1:1 correlation between fib +entries, nexthop data and dst_entries. With external nexthops, IPv6 +looks more like IPv4 which means multiple fib entries across disparate +fib6_nodes can all reference the same fib6_nh. That means validation +of dst_entries based on external nexthops needs to use the IPv4 format +- the per-network namespace counter. + +Add sernum to rt6_info and set it when creating a pcpu dst entry. Update +rt6_get_cookie to return sernum if it is set and update dst_check for +IPv6 to look for sernum set and based the check on it if so. Finally, +rt6_get_pcpu_route needs to validate the cached entry before returning +a pcpu entry (similar to the rt_cache_valid calls in __mkroute_input and +__mkroute_output for IPv4). + +This problem only affects routes using the new, external nexthops. + +Thanks to the kbuild test robot for catching the IS_ENABLED needed +around rt_genid_ipv6 before I sent this out. + +Fixes: 5b98324ebe29 ("ipv6: Allow routes to use nexthop objects") +Reported-by: Nikolay Aleksandrov +Signed-off-by: David Ahern +Reviewed-by: Nikolay Aleksandrov +Tested-by: Nikolay Aleksandrov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/ip6_fib.h | 4 ++++ + include/net/net_namespace.h | 7 +++++++ + net/ipv6/route.c | 25 +++++++++++++++++++++++++ + 3 files changed, 36 insertions(+) + +--- a/include/net/ip6_fib.h ++++ b/include/net/ip6_fib.h +@@ -177,6 +177,7 @@ struct fib6_info { + struct rt6_info { + struct dst_entry dst; + struct fib6_info __rcu *from; ++ int sernum; + + struct rt6key rt6i_dst; + struct rt6key rt6i_src; +@@ -260,6 +261,9 @@ static inline u32 rt6_get_cookie(const s + struct fib6_info *from; + u32 cookie = 0; + ++ if (rt->sernum) ++ return rt->sernum; ++ + rcu_read_lock(); + + from = rcu_dereference(rt->from); +--- a/include/net/net_namespace.h ++++ b/include/net/net_namespace.h +@@ -428,6 +428,13 @@ static inline int rt_genid_ipv4(struct n + return atomic_read(&net->ipv4.rt_genid); + } + ++#if IS_ENABLED(CONFIG_IPV6) ++static inline int rt_genid_ipv6(const struct net *net) ++{ ++ return atomic_read(&net->ipv6.fib6_sernum); ++} ++#endif ++ + static inline void rt_genid_bump_ipv4(struct net *net) + { + atomic_inc(&net->ipv4.rt_genid); +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -1388,9 +1388,18 @@ static struct rt6_info *ip6_rt_pcpu_allo + } + ip6_rt_copy_init(pcpu_rt, res); + pcpu_rt->rt6i_flags |= RTF_PCPU; ++ ++ if (f6i->nh) ++ pcpu_rt->sernum = rt_genid_ipv6(dev_net(dev)); ++ + return pcpu_rt; + } + ++static bool rt6_is_valid(const struct rt6_info *rt6) ++{ ++ return rt6->sernum == rt_genid_ipv6(dev_net(rt6->dst.dev)); ++} ++ + /* It should be called with rcu_read_lock() acquired */ + static struct rt6_info *rt6_get_pcpu_route(const struct fib6_result *res) + { +@@ -1398,6 +1407,19 @@ static struct rt6_info *rt6_get_pcpu_rou + + pcpu_rt = this_cpu_read(*res->nh->rt6i_pcpu); + ++ if (pcpu_rt && pcpu_rt->sernum && !rt6_is_valid(pcpu_rt)) { ++ struct rt6_info *prev, **p; ++ ++ p = this_cpu_ptr(res->nh->rt6i_pcpu); ++ prev = xchg(p, NULL); ++ if (prev) { ++ dst_dev_put(&prev->dst); ++ dst_release(&prev->dst); ++ } ++ ++ pcpu_rt = NULL; ++ } ++ + return pcpu_rt; + } + +@@ -2599,6 +2621,9 @@ static struct dst_entry *ip6_dst_check(s + + rt = container_of(dst, struct rt6_info, dst); + ++ if (rt->sernum) ++ return rt6_is_valid(rt) ? dst : NULL; ++ + rcu_read_lock(); + + /* All IPV6 dsts are created with ->obsolete set to the value diff --git a/queue-5.4/mlxsw-spectrum_acl_tcam-position-vchunk-in-a-vregion-list-properly.patch b/queue-5.4/mlxsw-spectrum_acl_tcam-position-vchunk-in-a-vregion-list-properly.patch new file mode 100644 index 00000000000..f69c0780c8a --- /dev/null +++ b/queue-5.4/mlxsw-spectrum_acl_tcam-position-vchunk-in-a-vregion-list-properly.patch @@ -0,0 +1,53 @@ +From foo@baz Tue 12 May 2020 10:55:24 AM CEST +From: Jiri Pirko +Date: Mon, 27 Apr 2020 18:05:47 +0300 +Subject: mlxsw: spectrum_acl_tcam: Position vchunk in a vregion list properly + +From: Jiri Pirko + +[ Upstream commit 6ef4889fc0b3aa6ab928e7565935ac6f762cee6e ] + +Vregion helpers to get min and max priority depend on the correct +ordering of vchunks in the vregion list. However, the current code +always adds new chunk to the end of the list, no matter what the +priority is. Fix this by finding the correct place in the list and put +vchunk there. + +Fixes: 22a677661f56 ("mlxsw: spectrum: Introduce ACL core with simple TCAM implementation") +Signed-off-by: Jiri Pirko +Signed-off-by: Ido Schimmel +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c +@@ -986,8 +986,9 @@ mlxsw_sp_acl_tcam_vchunk_create(struct m + unsigned int priority, + struct mlxsw_afk_element_usage *elusage) + { ++ struct mlxsw_sp_acl_tcam_vchunk *vchunk, *vchunk2; + struct mlxsw_sp_acl_tcam_vregion *vregion; +- struct mlxsw_sp_acl_tcam_vchunk *vchunk; ++ struct list_head *pos; + int err; + + if (priority == MLXSW_SP_ACL_TCAM_CATCHALL_PRIO) +@@ -1025,7 +1026,14 @@ mlxsw_sp_acl_tcam_vchunk_create(struct m + } + + mlxsw_sp_acl_tcam_rehash_ctx_vregion_changed(vregion); +- list_add_tail(&vchunk->list, &vregion->vchunk_list); ++ ++ /* Position the vchunk inside the list according to priority */ ++ list_for_each(pos, &vregion->vchunk_list) { ++ vchunk2 = list_entry(pos, typeof(*vchunk2), list); ++ if (vchunk2->priority > priority) ++ break; ++ } ++ list_add_tail(&vchunk->list, pos); + mutex_unlock(&vregion->lock); + + return vchunk; diff --git a/queue-5.4/neigh-send-protocol-value-in-neighbor-create-notification.patch b/queue-5.4/neigh-send-protocol-value-in-neighbor-create-notification.patch new file mode 100644 index 00000000000..bce4b5eb947 --- /dev/null +++ b/queue-5.4/neigh-send-protocol-value-in-neighbor-create-notification.patch @@ -0,0 +1,45 @@ +From foo@baz Tue 12 May 2020 10:55:24 AM CEST +From: Roman Mashak +Date: Fri, 1 May 2020 21:34:18 -0400 +Subject: neigh: send protocol value in neighbor create notification + +From: Roman Mashak + +[ Upstream commit 38212bb31fe923d0a2c6299bd2adfbb84cddef2a ] + +When a new neighbor entry has been added, event is generated but it does not +include protocol, because its value is assigned after the event notification +routine has run, so move protocol assignment code earlier. + +Fixes: df9b0e30d44c ("neighbor: Add protocol attribute") +Cc: David Ahern +Signed-off-by: Roman Mashak +Reviewed-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/neighbour.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/net/core/neighbour.c ++++ b/net/core/neighbour.c +@@ -1954,6 +1954,9 @@ static int neigh_add(struct sk_buff *skb + NEIGH_UPDATE_F_OVERRIDE_ISROUTER); + } + ++ if (protocol) ++ neigh->protocol = protocol; ++ + if (ndm->ndm_flags & NTF_EXT_LEARNED) + flags |= NEIGH_UPDATE_F_EXT_LEARNED; + +@@ -1967,9 +1970,6 @@ static int neigh_add(struct sk_buff *skb + err = __neigh_update(neigh, lladdr, ndm->ndm_state, flags, + NETLINK_CB(skb).portid, extack); + +- if (protocol) +- neigh->protocol = protocol; +- + neigh_release(neigh); + + out: diff --git a/queue-5.4/net-dsa-do-not-leave-dsa-master-with-null-netdev_ops.patch b/queue-5.4/net-dsa-do-not-leave-dsa-master-with-null-netdev_ops.patch new file mode 100644 index 00000000000..7addef5afa4 --- /dev/null +++ b/queue-5.4/net-dsa-do-not-leave-dsa-master-with-null-netdev_ops.patch @@ -0,0 +1,42 @@ +From foo@baz Tue 12 May 2020 10:55:24 AM CEST +From: Florian Fainelli +Date: Mon, 4 May 2020 13:18:06 -0700 +Subject: net: dsa: Do not leave DSA master with NULL netdev_ops + +From: Florian Fainelli + +[ Upstream commit 050569fc8384c8056bacefcc246bcb2dfe574936 ] + +When ndo_get_phys_port_name() for the CPU port was added we introduced +an early check for when the DSA master network device in +dsa_master_ndo_setup() already implements ndo_get_phys_port_name(). When +we perform the teardown operation in dsa_master_ndo_teardown() we would +not be checking that cpu_dp->orig_ndo_ops was successfully allocated and +non-NULL initialized. + +With network device drivers such as virtio_net, this leads to a NPD as +soon as the DSA switch hanging off of it gets torn down because we are +now assigning the virtio_net device's netdev_ops a NULL pointer. + +Fixes: da7b9e9b00d4 ("net: dsa: Add ndo_get_phys_port_name() for CPU port") +Reported-by: Allen Pais +Signed-off-by: Florian Fainelli +Tested-by: Allen Pais +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/dsa/master.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/dsa/master.c ++++ b/net/dsa/master.c +@@ -259,7 +259,8 @@ static void dsa_master_ndo_teardown(stru + { + struct dsa_port *cpu_dp = dev->dsa_ptr; + +- dev->netdev_ops = cpu_dp->orig_ndo_ops; ++ if (cpu_dp->orig_ndo_ops) ++ dev->netdev_ops = cpu_dp->orig_ndo_ops; + cpu_dp->orig_ndo_ops = NULL; + } + diff --git a/queue-5.4/net-macb-fix-an-issue-about-leak-related-system-resources.patch b/queue-5.4/net-macb-fix-an-issue-about-leak-related-system-resources.patch new file mode 100644 index 00000000000..9e2aa329d1e --- /dev/null +++ b/queue-5.4/net-macb-fix-an-issue-about-leak-related-system-resources.patch @@ -0,0 +1,48 @@ +From foo@baz Tue 12 May 2020 10:55:24 AM CEST +From: Dejin Zheng +Date: Sun, 3 May 2020 20:32:26 +0800 +Subject: net: macb: fix an issue about leak related system resources + +From: Dejin Zheng + +[ Upstream commit b959c77dac09348955f344104c6a921ebe104753 ] + +A call of the function macb_init() can fail in the function +fu540_c000_init. The related system resources were not released +then. use devm_platform_ioremap_resource() to replace ioremap() +to fix it. + +Fixes: c218ad559020ff9 ("macb: Add support for SiFive FU540-C000") +Cc: Andy Shevchenko +Reviewed-by: Yash Shah +Suggested-by: Nicolas Ferre +Suggested-by: Andy Shevchenko +Signed-off-by: Dejin Zheng +Acked-by: Nicolas Ferre +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/cadence/macb_main.c | 12 +++--------- + 1 file changed, 3 insertions(+), 9 deletions(-) + +--- a/drivers/net/ethernet/cadence/macb_main.c ++++ b/drivers/net/ethernet/cadence/macb_main.c +@@ -4054,15 +4054,9 @@ static int fu540_c000_clk_init(struct pl + + static int fu540_c000_init(struct platform_device *pdev) + { +- struct resource *res; +- +- res = platform_get_resource(pdev, IORESOURCE_MEM, 1); +- if (!res) +- return -ENODEV; +- +- mgmt->reg = ioremap(res->start, resource_size(res)); +- if (!mgmt->reg) +- return -ENOMEM; ++ mgmt->reg = devm_platform_ioremap_resource(pdev, 1); ++ if (IS_ERR(mgmt->reg)) ++ return PTR_ERR(mgmt->reg); + + return macb_init(pdev); + } diff --git a/queue-5.4/net-macsec-preserve-ingress-frame-ordering.patch b/queue-5.4/net-macsec-preserve-ingress-frame-ordering.patch new file mode 100644 index 00000000000..e8753f7b533 --- /dev/null +++ b/queue-5.4/net-macsec-preserve-ingress-frame-ordering.patch @@ -0,0 +1,75 @@ +From foo@baz Tue 12 May 2020 10:55:24 AM CEST +From: Scott Dial +Date: Fri, 24 Apr 2020 18:51:08 -0400 +Subject: net: macsec: preserve ingress frame ordering + +From: Scott Dial + +[ Upstream commit ab046a5d4be4c90a3952a0eae75617b49c0cb01b ] + +MACsec decryption always occurs in a softirq context. Since +the FPU may not be usable in the softirq context, the call to +decrypt may be scheduled on the cryptd work queue. The cryptd +work queue does not provide ordering guarantees. Therefore, +preserving order requires masking out ASYNC implementations +of gcm(aes). + +For instance, an Intel CPU with AES-NI makes available the +generic-gcm-aesni driver from the aesni_intel module to +implement gcm(aes). However, this implementation requires +the FPU, so it is not always available to use from a softirq +context, and will fallback to the cryptd work queue, which +does not preserve frame ordering. With this change, such a +system would select gcm_base(ctr(aes-aesni),ghash-generic). +While the aes-aesni implementation prefers to use the FPU, it +will fallback to the aes-asm implementation if unavailable. + +By using a synchronous version of gcm(aes), the decryption +will complete before returning from crypto_aead_decrypt(). +Therefore, the macsec_decrypt_done() callback will be called +before returning from macsec_decrypt(). Thus, the order of +calls to macsec_post_decrypt() for the frames is preserved. + +While it's presumable that the pure AES-NI version of gcm(aes) +is more performant, the hybrid solution is capable of gigabit +speeds on modest hardware. Regardless, preserving the order +of frames is paramount for many network protocols (e.g., +triggering TCP retries). Within the MACsec driver itself, the +replay protection is tripped by the out-of-order frames, and +can cause frames to be dropped. + +This bug has been present in this code since it was added in +v4.6, however it may not have been noticed since not all CPUs +have FPU offload available. Additionally, the bug manifests +as occasional out-of-order packets that are easily +misattributed to other network phenomena. + +When this code was added in v4.6, the crypto/gcm.c code did +not restrict selection of the ghash function based on the +ASYNC flag. For instance, x86 CPUs with PCLMULQDQ would +select the ghash-clmulni driver instead of ghash-generic, +which submits to the cryptd work queue if the FPU is busy. +However, this bug was was corrected in v4.8 by commit +b30bdfa86431afbafe15284a3ad5ac19b49b88e3, and was backported +all the way back to the v3.14 stable branch, so this patch +should be applicable back to the v4.6 stable branch. + +Signed-off-by: Scott Dial +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/macsec.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/macsec.c ++++ b/drivers/net/macsec.c +@@ -1309,7 +1309,8 @@ static struct crypto_aead *macsec_alloc_ + struct crypto_aead *tfm; + int ret; + +- tfm = crypto_alloc_aead("gcm(aes)", 0, 0); ++ /* Pick a sync gcm(aes) cipher to ensure order is preserved. */ ++ tfm = crypto_alloc_aead("gcm(aes)", 0, CRYPTO_ALG_ASYNC); + + if (IS_ERR(tfm)) + return tfm; diff --git a/queue-5.4/net-mlx4_core-fix-use-of-enospc-around-mlx4_counter_alloc.patch b/queue-5.4/net-mlx4_core-fix-use-of-enospc-around-mlx4_counter_alloc.patch new file mode 100644 index 00000000000..bfef1962ef1 --- /dev/null +++ b/queue-5.4/net-mlx4_core-fix-use-of-enospc-around-mlx4_counter_alloc.patch @@ -0,0 +1,49 @@ +From foo@baz Tue 12 May 2020 10:55:24 AM CEST +From: Tariq Toukan +Date: Mon, 4 May 2020 11:36:02 +0300 +Subject: net/mlx4_core: Fix use of ENOSPC around mlx4_counter_alloc() + +From: Tariq Toukan + +[ Upstream commit 40e473071dbad04316ddc3613c3a3d1c75458299 ] + +When ENOSPC is set the idx is still valid and gets set to the global +MLX4_SINK_COUNTER_INDEX. However gcc's static analysis cannot tell that +ENOSPC is impossible from mlx4_cmd_imm() and gives this warning: + +drivers/net/ethernet/mellanox/mlx4/main.c:2552:28: warning: 'idx' may be +used uninitialized in this function [-Wmaybe-uninitialized] + 2552 | priv->def_counter[port] = idx; + +Also, when ENOSPC is returned mlx4_allocate_default_counters should not +fail. + +Fixes: 6de5f7f6a1fa ("net/mlx4_core: Allocate default counter per port") +Signed-off-by: Jason Gunthorpe +Signed-off-by: Tariq Toukan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx4/main.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/mellanox/mlx4/main.c ++++ b/drivers/net/ethernet/mellanox/mlx4/main.c +@@ -2550,6 +2550,7 @@ static int mlx4_allocate_default_counter + + if (!err || err == -ENOSPC) { + priv->def_counter[port] = idx; ++ err = 0; + } else if (err == -ENOENT) { + err = 0; + continue; +@@ -2600,7 +2601,8 @@ int mlx4_counter_alloc(struct mlx4_dev * + MLX4_CMD_TIME_CLASS_A, MLX4_CMD_WRAPPED); + if (!err) + *idx = get_param_l(&out_param); +- ++ if (WARN_ON(err == -ENOSPC)) ++ err = -EINVAL; + return err; + } + return __mlx4_counter_alloc(dev, idx); diff --git a/queue-5.4/net-mlx5-dr-on-creation-set-cq-s-arm_db-member-to-right-value.patch b/queue-5.4/net-mlx5-dr-on-creation-set-cq-s-arm_db-member-to-right-value.patch new file mode 100644 index 00000000000..647bcb055b0 --- /dev/null +++ b/queue-5.4/net-mlx5-dr-on-creation-set-cq-s-arm_db-member-to-right-value.patch @@ -0,0 +1,62 @@ +From foo@baz Tue 12 May 2020 10:55:24 AM CEST +From: Erez Shitrit +Date: Wed, 25 Mar 2020 17:19:43 +0200 +Subject: net/mlx5: DR, On creation set CQ's arm_db member to right value + +From: Erez Shitrit + +[ Upstream commit 8075411d93b6efe143d9f606f6531077795b7fbf ] + +In polling mode, set arm_db member to a value that will avoid CQ +event recovery by the HW. +Otherwise we might get event without completion function. +In addition,empty completion function to was added to protect from +unexpected events. + +Fixes: 297cccebdc5a ("net/mlx5: DR, Expose an internal API to issue RDMA operations") +Signed-off-by: Erez Shitrit +Reviewed-by: Tariq Toukan +Reviewed-by: Alex Vesker +Signed-off-by: Saeed Mahameed +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/steering/dr_send.c | 14 ++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_send.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_send.c +@@ -689,6 +689,12 @@ static void dr_cq_event(struct mlx5_core + pr_info("CQ event %u on CQ #%u\n", event, mcq->cqn); + } + ++static void dr_cq_complete(struct mlx5_core_cq *mcq, ++ struct mlx5_eqe *eqe) ++{ ++ pr_err("CQ completion CQ: #%u\n", mcq->cqn); ++} ++ + static struct mlx5dr_cq *dr_create_cq(struct mlx5_core_dev *mdev, + struct mlx5_uars_page *uar, + size_t ncqe) +@@ -750,6 +756,7 @@ static struct mlx5dr_cq *dr_create_cq(st + mlx5_fill_page_frag_array(&cq->wq_ctrl.buf, pas); + + cq->mcq.event = dr_cq_event; ++ cq->mcq.comp = dr_cq_complete; + + err = mlx5_core_create_cq(mdev, &cq->mcq, in, inlen, out, sizeof(out)); + kvfree(in); +@@ -761,7 +768,12 @@ static struct mlx5dr_cq *dr_create_cq(st + cq->mcq.set_ci_db = cq->wq_ctrl.db.db; + cq->mcq.arm_db = cq->wq_ctrl.db.db + 1; + *cq->mcq.set_ci_db = 0; +- *cq->mcq.arm_db = 0; ++ ++ /* set no-zero value, in order to avoid the HW to run db-recovery on ++ * CQ that used in polling mode. ++ */ ++ *cq->mcq.arm_db = cpu_to_be32(2 << 28); ++ + cq->mcq.vector = 0; + cq->mcq.irqn = irqn; + cq->mcq.uar = uar; diff --git a/queue-5.4/net-mlx5-fix-command-entry-leak-in-internal-error-state.patch b/queue-5.4/net-mlx5-fix-command-entry-leak-in-internal-error-state.patch new file mode 100644 index 00000000000..85a1b84df9f --- /dev/null +++ b/queue-5.4/net-mlx5-fix-command-entry-leak-in-internal-error-state.patch @@ -0,0 +1,36 @@ +From foo@baz Tue 12 May 2020 10:55:24 AM CEST +From: Moshe Shemesh +Date: Sun, 23 Feb 2020 03:27:41 +0200 +Subject: net/mlx5: Fix command entry leak in Internal Error State + +From: Moshe Shemesh + +[ Upstream commit cece6f432cca9f18900463ed01b97a152a03600a ] + +Processing commands by cmd_work_handler() while already in Internal +Error State will result in entry leak, since the handler process force +completion without doorbell. Forced completion doesn't release the entry +and event completion will never arrive, so entry should be released. + +Fixes: 73dd3a4839c1 ("net/mlx5: Avoid using pending command interface slots") +Signed-off-by: Moshe Shemesh +Signed-off-by: Eran Ben Elisha +Signed-off-by: Saeed Mahameed +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +@@ -922,6 +922,10 @@ static void cmd_work_handler(struct work + MLX5_SET(mbox_out, ent->out, syndrome, drv_synd); + + mlx5_cmd_comp_handler(dev, 1UL << ent->idx, true); ++ /* no doorbell, no need to keep the entry */ ++ free_ent(cmd, ent->idx); ++ if (ent->callback) ++ free_cmd(ent); + return; + } + diff --git a/queue-5.4/net-mlx5-fix-forced-completion-access-non-initialized-command-entry.patch b/queue-5.4/net-mlx5-fix-forced-completion-access-non-initialized-command-entry.patch new file mode 100644 index 00000000000..f226e557c85 --- /dev/null +++ b/queue-5.4/net-mlx5-fix-forced-completion-access-non-initialized-command-entry.patch @@ -0,0 +1,46 @@ +From foo@baz Tue 12 May 2020 10:55:24 AM CEST +From: Moshe Shemesh +Date: Sun, 21 Jul 2019 08:40:13 +0300 +Subject: net/mlx5: Fix forced completion access non initialized command entry + +From: Moshe Shemesh + +[ Upstream commit f3cb3cebe26ed4c8036adbd9448b372129d3c371 ] + +mlx5_cmd_flush() will trigger forced completions to all valid command +entries. Triggered by an asynch event such as fast teardown it can +happen at any stage of the command, including command initialization. +It will trigger forced completion and that can lead to completion on an +uninitialized command entry. + +Setting MLX5_CMD_ENT_STATE_PENDING_COMP only after command entry is +initialized will ensure force completion is treated only if command +entry is initialized. + +Fixes: 73dd3a4839c1 ("net/mlx5: Avoid using pending command interface slots") +Signed-off-by: Moshe Shemesh +Signed-off-by: Eran Ben Elisha +Signed-off-by: Saeed Mahameed +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +@@ -888,7 +888,6 @@ static void cmd_work_handler(struct work + } + + cmd->ent_arr[ent->idx] = ent; +- set_bit(MLX5_CMD_ENT_STATE_PENDING_COMP, &ent->state); + lay = get_inst(cmd, ent->idx); + ent->lay = lay; + memset(lay, 0, sizeof(*lay)); +@@ -910,6 +909,7 @@ static void cmd_work_handler(struct work + + if (ent->callback) + schedule_delayed_work(&ent->cb_timeout_work, cb_timeout); ++ set_bit(MLX5_CMD_ENT_STATE_PENDING_COMP, &ent->state); + + /* Skip sending command to fw if internal error */ + if (pci_channel_offline(dev->pdev) || diff --git a/queue-5.4/net-mvpp2-cls-prevent-buffer-overflow-in-mvpp2_ethtool_cls_rule_del.patch b/queue-5.4/net-mvpp2-cls-prevent-buffer-overflow-in-mvpp2_ethtool_cls_rule_del.patch new file mode 100644 index 00000000000..8fc2a272c31 --- /dev/null +++ b/queue-5.4/net-mvpp2-cls-prevent-buffer-overflow-in-mvpp2_ethtool_cls_rule_del.patch @@ -0,0 +1,36 @@ +From foo@baz Tue 12 May 2020 10:55:24 AM CEST +From: Dan Carpenter +Date: Wed, 6 May 2020 13:16:56 +0300 +Subject: net: mvpp2: cls: Prevent buffer overflow in mvpp2_ethtool_cls_rule_del() + +From: Dan Carpenter + +[ Upstream commit 722c0f00d4feea77475a5dc943b53d60824a1e4e ] + +The "info->fs.location" is a u32 that comes from the user via the +ethtool_set_rxnfc() function. We need to check for invalid values to +prevent a buffer overflow. + +I copy and pasted this check from the mvpp2_ethtool_cls_rule_ins() +function. + +Fixes: 90b509b39ac9 ("net: mvpp2: cls: Add Classification offload support") +Signed-off-by: Dan Carpenter +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c ++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c +@@ -1422,6 +1422,9 @@ int mvpp2_ethtool_cls_rule_del(struct mv + struct mvpp2_ethtool_fs *efs; + int ret; + ++ if (info->fs.location >= MVPP2_N_RFS_ENTRIES_PER_FLOW) ++ return -EINVAL; ++ + efs = port->rfs_rules[info->fs.location]; + if (!efs) + return -EINVAL; diff --git a/queue-5.4/net-mvpp2-prevent-buffer-overflow-in-mvpp22_rss_ctx.patch b/queue-5.4/net-mvpp2-prevent-buffer-overflow-in-mvpp22_rss_ctx.patch new file mode 100644 index 00000000000..f27aa56e10e --- /dev/null +++ b/queue-5.4/net-mvpp2-prevent-buffer-overflow-in-mvpp22_rss_ctx.patch @@ -0,0 +1,33 @@ +From foo@baz Tue 12 May 2020 10:55:24 AM CEST +From: Dan Carpenter +Date: Wed, 6 May 2020 13:16:22 +0300 +Subject: net: mvpp2: prevent buffer overflow in mvpp22_rss_ctx() + +From: Dan Carpenter + +[ Upstream commit 39bd16df7c31bb8cf5dfd0c88e42abd5ae10029d ] + +The "rss_context" variable comes from the user via ethtool_get_rxfh(). +It can be any u32 value except zero. Eventually it gets passed to +mvpp22_rss_ctx() and if it is over MVPP22_N_RSS_TABLES (8) then it +results in an array overflow. + +Fixes: 895586d5dc32 ("net: mvpp2: cls: Use RSS contexts to handle RSS tables") +Signed-off-by: Dan Carpenter +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c ++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c +@@ -4319,6 +4319,8 @@ static int mvpp2_ethtool_get_rxfh_contex + + if (!mvpp22_rss_is_supported()) + return -EOPNOTSUPP; ++ if (rss_context >= MVPP22_N_RSS_TABLES) ++ return -EINVAL; + + if (hfunc) + *hfunc = ETH_RSS_HASH_CRC32; diff --git a/queue-5.4/net-stricter-validation-of-untrusted-gso-packets.patch b/queue-5.4/net-stricter-validation-of-untrusted-gso-packets.patch new file mode 100644 index 00000000000..cb3e69b36a7 --- /dev/null +++ b/queue-5.4/net-stricter-validation-of-untrusted-gso-packets.patch @@ -0,0 +1,105 @@ +From foo@baz Tue 12 May 2020 10:55:24 AM CEST +From: Willem de Bruijn +Date: Mon, 4 May 2020 12:48:54 -0400 +Subject: net: stricter validation of untrusted gso packets + +From: Willem de Bruijn + +[ Upstream commit 9274124f023b5c56dc4326637d4f787968b03607 ] + +Syzkaller again found a path to a kernel crash through bad gso input: +a packet with transport header extending beyond skb_headlen(skb). + +Tighten validation at kernel entry: + +- Verify that the transport header lies within the linear section. + + To avoid pulling linux/tcp.h, verify just sizeof tcphdr. + tcp_gso_segment will call pskb_may_pull (th->doff * 4) before use. + +- Match the gso_type against the ip_proto found by the flow dissector. + +Fixes: bfd5f4a3d605 ("packet: Add GSO/csum offload support.") +Reported-by: syzbot +Signed-off-by: Willem de Bruijn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/virtio_net.h | 26 ++++++++++++++++++++++++-- + 1 file changed, 24 insertions(+), 2 deletions(-) + +--- a/include/linux/virtio_net.h ++++ b/include/linux/virtio_net.h +@@ -3,6 +3,8 @@ + #define _LINUX_VIRTIO_NET_H + + #include ++#include ++#include + #include + + static inline int virtio_net_hdr_set_proto(struct sk_buff *skb, +@@ -28,17 +30,25 @@ static inline int virtio_net_hdr_to_skb( + bool little_endian) + { + unsigned int gso_type = 0; ++ unsigned int thlen = 0; ++ unsigned int ip_proto; + + if (hdr->gso_type != VIRTIO_NET_HDR_GSO_NONE) { + switch (hdr->gso_type & ~VIRTIO_NET_HDR_GSO_ECN) { + case VIRTIO_NET_HDR_GSO_TCPV4: + gso_type = SKB_GSO_TCPV4; ++ ip_proto = IPPROTO_TCP; ++ thlen = sizeof(struct tcphdr); + break; + case VIRTIO_NET_HDR_GSO_TCPV6: + gso_type = SKB_GSO_TCPV6; ++ ip_proto = IPPROTO_TCP; ++ thlen = sizeof(struct tcphdr); + break; + case VIRTIO_NET_HDR_GSO_UDP: + gso_type = SKB_GSO_UDP; ++ ip_proto = IPPROTO_UDP; ++ thlen = sizeof(struct udphdr); + break; + default: + return -EINVAL; +@@ -57,16 +67,22 @@ static inline int virtio_net_hdr_to_skb( + + if (!skb_partial_csum_set(skb, start, off)) + return -EINVAL; ++ ++ if (skb_transport_offset(skb) + thlen > skb_headlen(skb)) ++ return -EINVAL; + } else { + /* gso packets without NEEDS_CSUM do not set transport_offset. + * probe and drop if does not match one of the above types. + */ + if (gso_type && skb->network_header) { ++ struct flow_keys_basic keys; ++ + if (!skb->protocol) + virtio_net_hdr_set_proto(skb, hdr); + retry: +- skb_probe_transport_header(skb); +- if (!skb_transport_header_was_set(skb)) { ++ if (!skb_flow_dissect_flow_keys_basic(NULL, skb, &keys, ++ NULL, 0, 0, 0, ++ 0)) { + /* UFO does not specify ipv4 or 6: try both */ + if (gso_type & SKB_GSO_UDP && + skb->protocol == htons(ETH_P_IP)) { +@@ -75,6 +91,12 @@ retry: + } + return -EINVAL; + } ++ ++ if (keys.control.thoff + thlen > skb_headlen(skb) || ++ keys.basic.ip_proto != ip_proto) ++ return -EINVAL; ++ ++ skb_set_transport_header(skb, keys.control.thoff); + } + } + diff --git a/queue-5.4/net-tc35815-fix-phydev-supported-advertising-mask.patch b/queue-5.4/net-tc35815-fix-phydev-supported-advertising-mask.patch new file mode 100644 index 00000000000..340dcaf9c33 --- /dev/null +++ b/queue-5.4/net-tc35815-fix-phydev-supported-advertising-mask.patch @@ -0,0 +1,40 @@ +From foo@baz Tue 12 May 2020 10:55:24 AM CEST +From: Anthony Felice +Date: Sun, 26 Apr 2020 22:00:59 -0400 +Subject: net: tc35815: Fix phydev supported/advertising mask + +From: Anthony Felice + +[ Upstream commit 4b5b71f770e2edefbfe74203777264bfe6a9927c ] + +Commit 3c1bcc8614db ("net: ethernet: Convert phydev advertize and +supported from u32 to link mode") updated ethernet drivers to use a +linkmode bitmap. It mistakenly dropped a bitwise negation in the +tc35815 ethernet driver on a bitmask to set the supported/advertising +flags. + +Found by Anthony via code inspection, not tested as I do not have the +required hardware. + +Fixes: 3c1bcc8614db ("net: ethernet: Convert phydev advertize and supported from u32 to link mode") +Signed-off-by: Anthony Felice +Reviewed-by: Akshay Bhat +Reviewed-by: Heiner Kallweit +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/toshiba/tc35815.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/toshiba/tc35815.c ++++ b/drivers/net/ethernet/toshiba/tc35815.c +@@ -644,7 +644,7 @@ static int tc_mii_probe(struct net_devic + linkmode_set_bit(ETHTOOL_LINK_MODE_10baseT_Half_BIT, mask); + linkmode_set_bit(ETHTOOL_LINK_MODE_100baseT_Half_BIT, mask); + } +- linkmode_and(phydev->supported, phydev->supported, mask); ++ linkmode_andnot(phydev->supported, phydev->supported, mask); + linkmode_copy(phydev->advertising, phydev->supported); + + lp->link = 0; diff --git a/queue-5.4/net-tls-fix-sk_psock-refcnt-leak-in-bpf_exec_tx_verdict.patch b/queue-5.4/net-tls-fix-sk_psock-refcnt-leak-in-bpf_exec_tx_verdict.patch new file mode 100644 index 00000000000..6eccf73f95c --- /dev/null +++ b/queue-5.4/net-tls-fix-sk_psock-refcnt-leak-in-bpf_exec_tx_verdict.patch @@ -0,0 +1,42 @@ +From foo@baz Tue 12 May 2020 10:55:24 AM CEST +From: Xiyu Yang +Date: Sat, 25 Apr 2020 20:54:37 +0800 +Subject: net/tls: Fix sk_psock refcnt leak in bpf_exec_tx_verdict() + +From: Xiyu Yang + +[ Upstream commit 095f5614bfe16e5b3e191b34ea41b10d6fdd4ced ] + +bpf_exec_tx_verdict() invokes sk_psock_get(), which returns a reference +of the specified sk_psock object to "psock" with increased refcnt. + +When bpf_exec_tx_verdict() returns, local variable "psock" becomes +invalid, so the refcount should be decreased to keep refcount balanced. + +The reference counting issue happens in one exception handling path of +bpf_exec_tx_verdict(). When "policy" equals to NULL but "psock" is not +NULL, the function forgets to decrease the refcnt increased by +sk_psock_get(), causing a refcnt leak. + +Fix this issue by calling sk_psock_put() on this error path before +bpf_exec_tx_verdict() returns. + +Signed-off-by: Xiyu Yang +Signed-off-by: Xin Tan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/tls/tls_sw.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/tls/tls_sw.c ++++ b/net/tls/tls_sw.c +@@ -797,6 +797,8 @@ static int bpf_exec_tx_verdict(struct sk + *copied -= sk_msg_free(sk, msg); + tls_free_open_rec(sk); + } ++ if (psock) ++ sk_psock_put(sk, psock); + return err; + } + more_data: diff --git a/queue-5.4/net-tls-fix-sk_psock-refcnt-leak-when-in-tls_data_ready.patch b/queue-5.4/net-tls-fix-sk_psock-refcnt-leak-when-in-tls_data_ready.patch new file mode 100644 index 00000000000..d9bf213caa0 --- /dev/null +++ b/queue-5.4/net-tls-fix-sk_psock-refcnt-leak-when-in-tls_data_ready.patch @@ -0,0 +1,45 @@ +From foo@baz Tue 12 May 2020 10:55:24 AM CEST +From: Xiyu Yang +Date: Sat, 25 Apr 2020 21:10:23 +0800 +Subject: net/tls: Fix sk_psock refcnt leak when in tls_data_ready() + +From: Xiyu Yang + +[ Upstream commit 62b4011fa7bef9fa00a6aeec26e69685dc1cc21e ] + +tls_data_ready() invokes sk_psock_get(), which returns a reference of +the specified sk_psock object to "psock" with increased refcnt. + +When tls_data_ready() returns, local variable "psock" becomes invalid, +so the refcount should be decreased to keep refcount balanced. + +The reference counting issue happens in one exception handling path of +tls_data_ready(). When "psock->ingress_msg" is empty but "psock" is not +NULL, the function forgets to decrease the refcnt increased by +sk_psock_get(), causing a refcnt leak. + +Fix this issue by calling sk_psock_put() on all paths when "psock" is +not NULL. + +Signed-off-by: Xiyu Yang +Signed-off-by: Xin Tan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/tls/tls_sw.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/net/tls/tls_sw.c ++++ b/net/tls/tls_sw.c +@@ -2078,8 +2078,9 @@ static void tls_data_ready(struct sock * + strp_data_ready(&ctx->strp); + + psock = sk_psock_get(sk); +- if (psock && !list_empty(&psock->ingress_msg)) { +- ctx->saved_data_ready(sk); ++ if (psock) { ++ if (!list_empty(&psock->ingress_msg)) ++ ctx->saved_data_ready(sk); + sk_psock_put(sk, psock); + } + } diff --git a/queue-5.4/net-usb-qmi_wwan-add-support-for-dw5816e.patch b/queue-5.4/net-usb-qmi_wwan-add-support-for-dw5816e.patch new file mode 100644 index 00000000000..4243e7e24e8 --- /dev/null +++ b/queue-5.4/net-usb-qmi_wwan-add-support-for-dw5816e.patch @@ -0,0 +1,29 @@ +From foo@baz Tue 12 May 2020 10:55:24 AM CEST +From: Matt Jolly +Date: Sun, 3 May 2020 01:52:28 +1000 +Subject: net: usb: qmi_wwan: add support for DW5816e + +From: Matt Jolly + +[ Upstream commit 57c7f2bd758eed867295c81d3527fff4fab1ed74 ] + +Add support for Dell Wireless 5816e to drivers/net/usb/qmi_wwan.c + +Signed-off-by: Matt Jolly +Acked-by: Bjørn Mork +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/qmi_wwan.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -1359,6 +1359,7 @@ static const struct usb_device_id produc + {QMI_FIXED_INTF(0x413c, 0x81b3, 8)}, /* Dell Wireless 5809e Gobi(TM) 4G LTE Mobile Broadband Card (rev3) */ + {QMI_FIXED_INTF(0x413c, 0x81b6, 8)}, /* Dell Wireless 5811e */ + {QMI_FIXED_INTF(0x413c, 0x81b6, 10)}, /* Dell Wireless 5811e */ ++ {QMI_FIXED_INTF(0x413c, 0x81cc, 8)}, /* Dell Wireless 5816e */ + {QMI_FIXED_INTF(0x413c, 0x81d7, 0)}, /* Dell Wireless 5821e */ + {QMI_FIXED_INTF(0x413c, 0x81d7, 1)}, /* Dell Wireless 5821e preproduction config */ + {QMI_FIXED_INTF(0x413c, 0x81e0, 0)}, /* Dell Wireless 5821e with eSIM support*/ diff --git a/queue-5.4/net_sched-sch_skbprio-add-message-validation-to-skbprio_change.patch b/queue-5.4/net_sched-sch_skbprio-add-message-validation-to-skbprio_change.patch new file mode 100644 index 00000000000..6674682bf3c --- /dev/null +++ b/queue-5.4/net_sched-sch_skbprio-add-message-validation-to-skbprio_change.patch @@ -0,0 +1,32 @@ +From foo@baz Tue 12 May 2020 10:55:24 AM CEST +From: Eric Dumazet +Date: Sat, 2 May 2020 20:09:25 -0700 +Subject: net_sched: sch_skbprio: add message validation to skbprio_change() + +From: Eric Dumazet + +[ Upstream commit 2761121af87de45951989a0adada917837d8fa82 ] + +Do not assume the attribute has the right size. + +Fixes: aea5f654e6b7 ("net/sched: add skbprio scheduler") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/sch_skbprio.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/sched/sch_skbprio.c ++++ b/net/sched/sch_skbprio.c +@@ -169,6 +169,9 @@ static int skbprio_change(struct Qdisc * + { + struct tc_skbprio_qopt *ctl = nla_data(opt); + ++ if (opt->nla_len != nla_attr_size(sizeof(*ctl))) ++ return -EINVAL; ++ + sch->limit = ctl->limit; + return 0; + } diff --git a/queue-5.4/nfp-abm-fix-a-memory-leak-bug.patch b/queue-5.4/nfp-abm-fix-a-memory-leak-bug.patch new file mode 100644 index 00000000000..e8c483bae56 --- /dev/null +++ b/queue-5.4/nfp-abm-fix-a-memory-leak-bug.patch @@ -0,0 +1,33 @@ +From foo@baz Tue 12 May 2020 10:55:24 AM CEST +From: Qiushi Wu +Date: Sat, 2 May 2020 17:42:59 -0500 +Subject: nfp: abm: fix a memory leak bug + +From: Qiushi Wu + +[ Upstream commit bd4af432cc71b5fbfe4833510359a6ad3ada250d ] + +In function nfp_abm_vnic_set_mac, pointer nsp is allocated by nfp_nsp_open. +But when nfp_nsp_has_hwinfo_lookup fail, the pointer is not released, +which can lead to a memory leak bug. Fix this issue by adding +nfp_nsp_close(nsp) in the error path. + +Fixes: f6e71efdf9fb1 ("nfp: abm: look up MAC addresses via management FW") +Signed-off-by: Qiushi Wu +Acked-by: Jakub Kicinski +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/netronome/nfp/abm/main.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/ethernet/netronome/nfp/abm/main.c ++++ b/drivers/net/ethernet/netronome/nfp/abm/main.c +@@ -283,6 +283,7 @@ nfp_abm_vnic_set_mac(struct nfp_pf *pf, + if (!nfp_nsp_has_hwinfo_lookup(nsp)) { + nfp_warn(pf->cpp, "NSP doesn't support PF MAC generation\n"); + eth_hw_addr_random(nn->dp.netdev); ++ nfp_nsp_close(nsp); + return; + } + diff --git a/queue-5.4/sch_choke-avoid-potential-panic-in-choke_reset.patch b/queue-5.4/sch_choke-avoid-potential-panic-in-choke_reset.patch new file mode 100644 index 00000000000..0f12a41b915 --- /dev/null +++ b/queue-5.4/sch_choke-avoid-potential-panic-in-choke_reset.patch @@ -0,0 +1,69 @@ +From foo@baz Tue 12 May 2020 10:55:24 AM CEST +From: Eric Dumazet +Date: Sat, 25 Apr 2020 15:19:51 -0700 +Subject: sch_choke: avoid potential panic in choke_reset() + +From: Eric Dumazet + +[ Upstream commit 8738c85c72b3108c9b9a369a39868ba5f8e10ae0 ] + +If choke_init() could not allocate q->tab, we would crash later +in choke_reset(). + +BUG: KASAN: null-ptr-deref in memset include/linux/string.h:366 [inline] +BUG: KASAN: null-ptr-deref in choke_reset+0x208/0x340 net/sched/sch_choke.c:326 +Write of size 8 at addr 0000000000000000 by task syz-executor822/7022 + +CPU: 1 PID: 7022 Comm: syz-executor822 Not tainted 5.7.0-rc1-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x188/0x20d lib/dump_stack.c:118 + __kasan_report.cold+0x5/0x4d mm/kasan/report.c:515 + kasan_report+0x33/0x50 mm/kasan/common.c:625 + check_memory_region_inline mm/kasan/generic.c:187 [inline] + check_memory_region+0x141/0x190 mm/kasan/generic.c:193 + memset+0x20/0x40 mm/kasan/common.c:85 + memset include/linux/string.h:366 [inline] + choke_reset+0x208/0x340 net/sched/sch_choke.c:326 + qdisc_reset+0x6b/0x520 net/sched/sch_generic.c:910 + dev_deactivate_queue.constprop.0+0x13c/0x240 net/sched/sch_generic.c:1138 + netdev_for_each_tx_queue include/linux/netdevice.h:2197 [inline] + dev_deactivate_many+0xe2/0xba0 net/sched/sch_generic.c:1195 + dev_deactivate+0xf8/0x1c0 net/sched/sch_generic.c:1233 + qdisc_graft+0xd25/0x1120 net/sched/sch_api.c:1051 + tc_modify_qdisc+0xbab/0x1a00 net/sched/sch_api.c:1670 + rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5454 + netlink_rcv_skb+0x15a/0x410 net/netlink/af_netlink.c:2469 + netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline] + netlink_unicast+0x537/0x740 net/netlink/af_netlink.c:1329 + netlink_sendmsg+0x882/0xe10 net/netlink/af_netlink.c:1918 + sock_sendmsg_nosec net/socket.c:652 [inline] + sock_sendmsg+0xcf/0x120 net/socket.c:672 + ____sys_sendmsg+0x6bf/0x7e0 net/socket.c:2362 + ___sys_sendmsg+0x100/0x170 net/socket.c:2416 + __sys_sendmsg+0xec/0x1b0 net/socket.c:2449 + do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295 + +Fixes: 77e62da6e60c ("sch_choke: drop all packets in queue during reset") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Cc: Cong Wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/sch_choke.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/sched/sch_choke.c ++++ b/net/sched/sch_choke.c +@@ -323,7 +323,8 @@ static void choke_reset(struct Qdisc *sc + + sch->q.qlen = 0; + sch->qstats.backlog = 0; +- memset(q->tab, 0, (q->tab_mask + 1) * sizeof(struct sk_buff *)); ++ if (q->tab) ++ memset(q->tab, 0, (q->tab_mask + 1) * sizeof(struct sk_buff *)); + q->head = q->tail = 0; + red_restart(&q->vars); + } diff --git a/queue-5.4/sch_sfq-validate-silly-quantum-values.patch b/queue-5.4/sch_sfq-validate-silly-quantum-values.patch new file mode 100644 index 00000000000..f12f359f363 --- /dev/null +++ b/queue-5.4/sch_sfq-validate-silly-quantum-values.patch @@ -0,0 +1,47 @@ +From foo@baz Tue 12 May 2020 10:55:24 AM CEST +From: Eric Dumazet +Date: Sun, 26 Apr 2020 18:19:07 -0700 +Subject: sch_sfq: validate silly quantum values + +From: Eric Dumazet + +[ Upstream commit df4953e4e997e273501339f607b77953772e3559 ] + +syzbot managed to set up sfq so that q->scaled_quantum was zero, +triggering an infinite loop in sfq_dequeue() + +More generally, we must only accept quantum between 1 and 2^18 - 7, +meaning scaled_quantum must be in [1, 0x7FFF] range. + +Otherwise, we also could have a loop in sfq_dequeue() +if scaled_quantum happens to be 0x8000, since slot->allot +could indefinitely switch between 0 and 0x8000. + +Fixes: eeaeb068f139 ("sch_sfq: allow big packets and be fair") +Signed-off-by: Eric Dumazet +Reported-by: syzbot+0251e883fe39e7a0cb0a@syzkaller.appspotmail.com +Cc: Jason A. Donenfeld +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/sch_sfq.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/net/sched/sch_sfq.c ++++ b/net/sched/sch_sfq.c +@@ -637,6 +637,15 @@ static int sfq_change(struct Qdisc *sch, + if (ctl->divisor && + (!is_power_of_2(ctl->divisor) || ctl->divisor > 65536)) + return -EINVAL; ++ ++ /* slot->allot is a short, make sure quantum is not too big. */ ++ if (ctl->quantum) { ++ unsigned int scaled = SFQ_ALLOT_SIZE(ctl->quantum); ++ ++ if (scaled <= 0 || scaled > SHRT_MAX) ++ return -EINVAL; ++ } ++ + if (ctl_v1 && !red_check_params(ctl_v1->qth_min, ctl_v1->qth_max, + ctl_v1->Wlog)) + return -EINVAL; diff --git a/queue-5.4/series b/queue-5.4/series index dbc2516957f..988a9e5f46e 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -7,3 +7,34 @@ drm-amdgpu-move-kfd-suspend-after-ip_suspend_phase1.patch drm-amdgpu-drop-redundant-cg-pg-ungate-on-runpm-ente.patch vt-fix-unicode-console-freeing-with-a-common-interfa.patch tty-xilinx_uartps-fix-missing-id-assignment-to-the-c.patch +devlink-fix-return-value-after-hitting-end-in-region-read.patch +dp83640-reverse-arguments-to-list_add_tail.patch +fq_codel-fix-tca_fq_codel_drop_batch_size-sanity-checks.patch +ipv6-use-global-sernum-for-dst-validation-with-nexthop-objects.patch +mlxsw-spectrum_acl_tcam-position-vchunk-in-a-vregion-list-properly.patch +neigh-send-protocol-value-in-neighbor-create-notification.patch +net-dsa-do-not-leave-dsa-master-with-null-netdev_ops.patch +net-macb-fix-an-issue-about-leak-related-system-resources.patch +net-macsec-preserve-ingress-frame-ordering.patch +net-mlx4_core-fix-use-of-enospc-around-mlx4_counter_alloc.patch +net_sched-sch_skbprio-add-message-validation-to-skbprio_change.patch +net-stricter-validation-of-untrusted-gso-packets.patch +net-tc35815-fix-phydev-supported-advertising-mask.patch +net-tls-fix-sk_psock-refcnt-leak-in-bpf_exec_tx_verdict.patch +net-tls-fix-sk_psock-refcnt-leak-when-in-tls_data_ready.patch +net-usb-qmi_wwan-add-support-for-dw5816e.patch +nfp-abm-fix-a-memory-leak-bug.patch +sch_choke-avoid-potential-panic-in-choke_reset.patch +sch_sfq-validate-silly-quantum-values.patch +tipc-fix-partial-topology-connection-closure.patch +tunnel-propagate-ect-1-when-decapsulating-as-recommended-by-rfc6040.patch +bnxt_en-fix-vf-anti-spoof-filter-setup.patch +bnxt_en-reduce-bnxt_msix_vec_max-value-to-supported-cqs-per-pf.patch +bnxt_en-improve-aer-slot-reset.patch +bnxt_en-return-error-when-allocating-zero-size-context-memory.patch +bnxt_en-fix-vlan-acceleration-handling-in-bnxt_fix_features.patch +net-mlx5-dr-on-creation-set-cq-s-arm_db-member-to-right-value.patch +net-mlx5-fix-forced-completion-access-non-initialized-command-entry.patch +net-mlx5-fix-command-entry-leak-in-internal-error-state.patch +net-mvpp2-prevent-buffer-overflow-in-mvpp22_rss_ctx.patch +net-mvpp2-cls-prevent-buffer-overflow-in-mvpp2_ethtool_cls_rule_del.patch diff --git a/queue-5.4/tipc-fix-partial-topology-connection-closure.patch b/queue-5.4/tipc-fix-partial-topology-connection-closure.patch new file mode 100644 index 00000000000..daf6f852beb --- /dev/null +++ b/queue-5.4/tipc-fix-partial-topology-connection-closure.patch @@ -0,0 +1,51 @@ +From foo@baz Tue 12 May 2020 10:55:24 AM CEST +From: Tuong Lien +Date: Mon, 4 May 2020 11:15:54 +0700 +Subject: tipc: fix partial topology connection closure + +From: Tuong Lien + +[ Upstream commit 980d69276f3048af43a045be2925dacfb898a7be ] + +When an application connects to the TIPC topology server and subscribes +to some services, a new connection is created along with some objects - +'tipc_subscription' to store related data correspondingly... +However, there is one omission in the connection handling that when the +connection or application is orderly shutdown (e.g. via SIGQUIT, etc.), +the connection is not closed in kernel, the 'tipc_subscription' objects +are not freed too. +This results in: +- The maximum number of subscriptions (65535) will be reached soon, new +subscriptions will be rejected; +- TIPC module cannot be removed (unless the objects are somehow forced +to release first); + +The commit fixes the issue by closing the connection if the 'recvmsg()' +returns '0' i.e. when the peer is shutdown gracefully. It also includes +the other unexpected cases. + +Acked-by: Jon Maloy +Acked-by: Ying Xue +Signed-off-by: Tuong Lien +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/tipc/topsrv.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/net/tipc/topsrv.c ++++ b/net/tipc/topsrv.c +@@ -402,10 +402,11 @@ static int tipc_conn_rcv_from_sock(struc + read_lock_bh(&sk->sk_callback_lock); + ret = tipc_conn_rcv_sub(srv, con, &s); + read_unlock_bh(&sk->sk_callback_lock); ++ if (!ret) ++ return 0; + } +- if (ret < 0) +- tipc_conn_close(con); + ++ tipc_conn_close(con); + return ret; + } + diff --git a/queue-5.4/tunnel-propagate-ect-1-when-decapsulating-as-recommended-by-rfc6040.patch b/queue-5.4/tunnel-propagate-ect-1-when-decapsulating-as-recommended-by-rfc6040.patch new file mode 100644 index 00000000000..b2ebe281819 --- /dev/null +++ b/queue-5.4/tunnel-propagate-ect-1-when-decapsulating-as-recommended-by-rfc6040.patch @@ -0,0 +1,113 @@ +From foo@baz Tue 12 May 2020 10:55:24 AM CEST +From: "Toke Høiland-Jørgensen" +Date: Mon, 27 Apr 2020 16:11:05 +0200 +Subject: tunnel: Propagate ECT(1) when decapsulating as recommended by RFC6040 + +From: "Toke Høiland-Jørgensen" + +[ Upstream commit b723748750ece7d844cdf2f52c01d37f83387208 ] + +RFC 6040 recommends propagating an ECT(1) mark from an outer tunnel header +to the inner header if that inner header is already marked as ECT(0). When +RFC 6040 decapsulation was implemented, this case of propagation was not +added. This simply appears to be an oversight, so let's fix that. + +Fixes: eccc1bb8d4b4 ("tunnel: drop packet if ECN present with not-ECT") +Reported-by: Bob Briscoe +Reported-by: Olivier Tilmans +Cc: Dave Taht +Cc: Stephen Hemminger +Signed-off-by: Toke Høiland-Jørgensen +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/inet_ecn.h | 57 +++++++++++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 55 insertions(+), 2 deletions(-) + +--- a/include/net/inet_ecn.h ++++ b/include/net/inet_ecn.h +@@ -99,6 +99,20 @@ static inline int IP_ECN_set_ce(struct i + return 1; + } + ++static inline int IP_ECN_set_ect1(struct iphdr *iph) ++{ ++ u32 check = (__force u32)iph->check; ++ ++ if ((iph->tos & INET_ECN_MASK) != INET_ECN_ECT_0) ++ return 0; ++ ++ check += (__force u16)htons(0x100); ++ ++ iph->check = (__force __sum16)(check + (check>=0xFFFF)); ++ iph->tos ^= INET_ECN_MASK; ++ return 1; ++} ++ + static inline void IP_ECN_clear(struct iphdr *iph) + { + iph->tos &= ~INET_ECN_MASK; +@@ -134,6 +148,22 @@ static inline int IP6_ECN_set_ce(struct + return 1; + } + ++static inline int IP6_ECN_set_ect1(struct sk_buff *skb, struct ipv6hdr *iph) ++{ ++ __be32 from, to; ++ ++ if ((ipv6_get_dsfield(iph) & INET_ECN_MASK) != INET_ECN_ECT_0) ++ return 0; ++ ++ from = *(__be32 *)iph; ++ to = from ^ htonl(INET_ECN_MASK << 20); ++ *(__be32 *)iph = to; ++ if (skb->ip_summed == CHECKSUM_COMPLETE) ++ skb->csum = csum_add(csum_sub(skb->csum, (__force __wsum)from), ++ (__force __wsum)to); ++ return 1; ++} ++ + static inline void ipv6_copy_dscp(unsigned int dscp, struct ipv6hdr *inner) + { + dscp &= ~INET_ECN_MASK; +@@ -159,6 +189,25 @@ static inline int INET_ECN_set_ce(struct + return 0; + } + ++static inline int INET_ECN_set_ect1(struct sk_buff *skb) ++{ ++ switch (skb->protocol) { ++ case cpu_to_be16(ETH_P_IP): ++ if (skb_network_header(skb) + sizeof(struct iphdr) <= ++ skb_tail_pointer(skb)) ++ return IP_ECN_set_ect1(ip_hdr(skb)); ++ break; ++ ++ case cpu_to_be16(ETH_P_IPV6): ++ if (skb_network_header(skb) + sizeof(struct ipv6hdr) <= ++ skb_tail_pointer(skb)) ++ return IP6_ECN_set_ect1(skb, ipv6_hdr(skb)); ++ break; ++ } ++ ++ return 0; ++} ++ + /* + * RFC 6040 4.2 + * To decapsulate the inner header at the tunnel egress, a compliant +@@ -208,8 +257,12 @@ static inline int INET_ECN_decapsulate(s + int rc; + + rc = __INET_ECN_decapsulate(outer, inner, &set_ce); +- if (!rc && set_ce) +- INET_ECN_set_ce(skb); ++ if (!rc) { ++ if (set_ce) ++ INET_ECN_set_ce(skb); ++ else if ((outer & INET_ECN_MASK) == INET_ECN_ECT_1) ++ INET_ECN_set_ect1(skb); ++ } + + return rc; + }