From: Sasha Levin Date: Mon, 13 Jul 2020 03:21:59 +0000 (-0400) Subject: Fixes for 5.4 X-Git-Tag: v5.7.9~37^2~4 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=431cc14da54245308dacbdeafdb322d5f973595a;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/alsa-compress-fix-partial_drain-completion-state.patch b/queue-5.4/alsa-compress-fix-partial_drain-completion-state.patch new file mode 100644 index 00000000000..1e8c6745f72 --- /dev/null +++ b/queue-5.4/alsa-compress-fix-partial_drain-completion-state.patch @@ -0,0 +1,90 @@ +From 655e436dbe24dc3ef3c0fee9f28a5f8675fde7e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Jun 2020 19:17:37 +0530 +Subject: ALSA: compress: fix partial_drain completion state + +From: Vinod Koul + +[ Upstream commit f79a732a8325dfbd570d87f1435019d7e5501c6d ] + +On partial_drain completion we should be in SNDRV_PCM_STATE_RUNNING +state, so set that for partially draining streams in +snd_compr_drain_notify() and use a flag for partially draining streams + +While at it, add locks for stream state change in +snd_compr_drain_notify() as well. + +Fixes: f44f2a5417b2 ("ALSA: compress: fix drain calls blocking other compress functions (v6)") +Reviewed-by: Srinivas Kandagatla +Tested-by: Srinivas Kandagatla +Reviewed-by: Charles Keepax +Tested-by: Charles Keepax +Signed-off-by: Vinod Koul +Link: https://lore.kernel.org/r/20200629134737.105993-4-vkoul@kernel.org +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + include/sound/compress_driver.h | 10 +++++++++- + sound/core/compress_offload.c | 4 ++++ + 2 files changed, 13 insertions(+), 1 deletion(-) + +diff --git a/include/sound/compress_driver.h b/include/sound/compress_driver.h +index bc88d6f964da9..006f019224399 100644 +--- a/include/sound/compress_driver.h ++++ b/include/sound/compress_driver.h +@@ -59,6 +59,7 @@ struct snd_compr_runtime { + * @direction: stream direction, playback/recording + * @metadata_set: metadata set flag, true when set + * @next_track: has userspace signal next track transition, true when set ++ * @partial_drain: undergoing partial_drain for stream, true when set + * @private_data: pointer to DSP private data + */ + struct snd_compr_stream { +@@ -70,6 +71,7 @@ struct snd_compr_stream { + enum snd_compr_direction direction; + bool metadata_set; + bool next_track; ++ bool partial_drain; + void *private_data; + }; + +@@ -173,7 +175,13 @@ static inline void snd_compr_drain_notify(struct snd_compr_stream *stream) + if (snd_BUG_ON(!stream)) + return; + +- stream->runtime->state = SNDRV_PCM_STATE_SETUP; ++ /* for partial_drain case we are back to running state on success */ ++ if (stream->partial_drain) { ++ stream->runtime->state = SNDRV_PCM_STATE_RUNNING; ++ stream->partial_drain = false; /* clear this flag as well */ ++ } else { ++ stream->runtime->state = SNDRV_PCM_STATE_SETUP; ++ } + + wake_up(&stream->runtime->sleep); + } +diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c +index f34ce564d92c4..1afa06b80f06c 100644 +--- a/sound/core/compress_offload.c ++++ b/sound/core/compress_offload.c +@@ -722,6 +722,9 @@ static int snd_compr_stop(struct snd_compr_stream *stream) + + retval = stream->ops->trigger(stream, SNDRV_PCM_TRIGGER_STOP); + if (!retval) { ++ /* clear flags and stop any drain wait */ ++ stream->partial_drain = false; ++ stream->metadata_set = false; + snd_compr_drain_notify(stream); + stream->runtime->total_bytes_available = 0; + stream->runtime->total_bytes_transferred = 0; +@@ -879,6 +882,7 @@ static int snd_compr_partial_drain(struct snd_compr_stream *stream) + if (stream->next_track == false) + return -EPERM; + ++ stream->partial_drain = true; + retval = stream->ops->trigger(stream, SND_COMPR_TRIGGER_PARTIAL_DRAIN); + if (retval) { + pr_debug("Partial drain returned failure\n"); +-- +2.25.1 + diff --git a/queue-5.4/arm64-kgdb-fix-single-step-exception-handling-oops.patch b/queue-5.4/arm64-kgdb-fix-single-step-exception-handling-oops.patch new file mode 100644 index 00000000000..5730699601d --- /dev/null +++ b/queue-5.4/arm64-kgdb-fix-single-step-exception-handling-oops.patch @@ -0,0 +1,115 @@ +From bb2d40739b734e74f5bd0c1f31af170c676c8e76 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 10 May 2020 05:41:56 +0800 +Subject: arm64: kgdb: Fix single-step exception handling oops + +From: Wei Li + +[ Upstream commit 8523c006264df65aac7d77284cc69aac46a6f842 ] + +After entering kdb due to breakpoint, when we execute 'ss' or 'go' (will +delay installing breakpoints, do single-step first), it won't work +correctly, and it will enter kdb due to oops. + +It's because the reason gotten in kdb_stub() is not as expected, and it +seems that the ex_vector for single-step should be 0, like what arch +powerpc/sh/parisc has implemented. + +Before the patch: +Entering kdb (current=0xffff8000119e2dc0, pid 0) on processor 0 due to Keyboard Entry +[0]kdb> bp printk +Instruction(i) BP #0 at 0xffff8000101486cc (printk) + is enabled addr at ffff8000101486cc, hardtype=0 installed=0 + +[0]kdb> g + +/ # echo h > /proc/sysrq-trigger + +Entering kdb (current=0xffff0000fa878040, pid 266) on processor 3 due to Breakpoint @ 0xffff8000101486cc +[3]kdb> ss + +Entering kdb (current=0xffff0000fa878040, pid 266) on processor 3 Oops: (null) +due to oops @ 0xffff800010082ab8 +CPU: 3 PID: 266 Comm: sh Not tainted 5.7.0-rc4-13839-gf0e5ad491718 #6 +Hardware name: linux,dummy-virt (DT) +pstate: 00000085 (nzcv daIf -PAN -UAO) +pc : el1_irq+0x78/0x180 +lr : __handle_sysrq+0x80/0x190 +sp : ffff800015003bf0 +x29: ffff800015003d20 x28: ffff0000fa878040 +x27: 0000000000000000 x26: ffff80001126b1f0 +x25: ffff800011b6a0d8 x24: 0000000000000000 +x23: 0000000080200005 x22: ffff8000101486cc +x21: ffff800015003d30 x20: 0000ffffffffffff +x19: ffff8000119f2000 x18: 0000000000000000 +x17: 0000000000000000 x16: 0000000000000000 +x15: 0000000000000000 x14: 0000000000000000 +x13: 0000000000000000 x12: 0000000000000000 +x11: 0000000000000000 x10: 0000000000000000 +x9 : 0000000000000000 x8 : ffff800015003e50 +x7 : 0000000000000002 x6 : 00000000380b9990 +x5 : ffff8000106e99e8 x4 : ffff0000fadd83c0 +x3 : 0000ffffffffffff x2 : ffff800011b6a0d8 +x1 : ffff800011b6a000 x0 : ffff80001130c9d8 +Call trace: + el1_irq+0x78/0x180 + printk+0x0/0x84 + write_sysrq_trigger+0xb0/0x118 + proc_reg_write+0xb4/0xe0 + __vfs_write+0x18/0x40 + vfs_write+0xb0/0x1b8 + ksys_write+0x64/0xf0 + __arm64_sys_write+0x14/0x20 + el0_svc_common.constprop.2+0xb0/0x168 + do_el0_svc+0x20/0x98 + el0_sync_handler+0xec/0x1a8 + el0_sync+0x140/0x180 + +[3]kdb> + +After the patch: +Entering kdb (current=0xffff8000119e2dc0, pid 0) on processor 0 due to Keyboard Entry +[0]kdb> bp printk +Instruction(i) BP #0 at 0xffff8000101486cc (printk) + is enabled addr at ffff8000101486cc, hardtype=0 installed=0 + +[0]kdb> g + +/ # echo h > /proc/sysrq-trigger + +Entering kdb (current=0xffff0000fa852bc0, pid 268) on processor 0 due to Breakpoint @ 0xffff8000101486cc +[0]kdb> g + +Entering kdb (current=0xffff0000fa852bc0, pid 268) on processor 0 due to Breakpoint @ 0xffff8000101486cc +[0]kdb> ss + +Entering kdb (current=0xffff0000fa852bc0, pid 268) on processor 0 due to SS trap @ 0xffff800010082ab8 +[0]kdb> + +Fixes: 44679a4f142b ("arm64: KGDB: Add step debugging support") +Signed-off-by: Wei Li +Tested-by: Douglas Anderson +Reviewed-by: Douglas Anderson +Link: https://lore.kernel.org/r/20200509214159.19680-2-liwei391@huawei.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/kgdb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/kernel/kgdb.c b/arch/arm64/kernel/kgdb.c +index 43119922341f8..1a157ca33262d 100644 +--- a/arch/arm64/kernel/kgdb.c ++++ b/arch/arm64/kernel/kgdb.c +@@ -252,7 +252,7 @@ static int kgdb_step_brk_fn(struct pt_regs *regs, unsigned int esr) + if (!kgdb_single_step) + return DBG_HOOK_ERROR; + +- kgdb_handle_exception(1, SIGTRAP, 0, regs); ++ kgdb_handle_exception(0, SIGTRAP, 0, regs); + return DBG_HOOK_HANDLED; + } + NOKPROBE_SYMBOL(kgdb_step_brk_fn); +-- +2.25.1 + diff --git a/queue-5.4/bnxt_en-fix-null-dereference-in-case-sr-iov-configur.patch b/queue-5.4/bnxt_en-fix-null-dereference-in-case-sr-iov-configur.patch new file mode 100644 index 00000000000..f4fc68fdbc1 --- /dev/null +++ b/queue-5.4/bnxt_en-fix-null-dereference-in-case-sr-iov-configur.patch @@ -0,0 +1,93 @@ +From 6d445589bf6350b845584d0f654909de93456b9c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Jul 2020 12:55:08 +0200 +Subject: bnxt_en: fix NULL dereference in case SR-IOV configuration fails + +From: Davide Caratti + +[ Upstream commit c8b1d7436045d3599bae56aef1682813ecccaad7 ] + +we need to set 'active_vfs' back to 0, if something goes wrong during the +allocation of SR-IOV resources: otherwise, further VF configurations will +wrongly assume that bp->pf.vf[x] are valid memory locations, and commands +like the ones in the following sequence: + + # echo 2 >/sys/bus/pci/devices/${ADDR}/sriov_numvfs + # ip link set dev ens1f0np0 up + # ip link set dev ens1f0np0 vf 0 trust on + +will cause a kernel crash similar to this: + + bnxt_en 0000:3b:00.0: not enough MMIO resources for SR-IOV + BUG: kernel NULL pointer dereference, address: 0000000000000014 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + PGD 0 P4D 0 + Oops: 0000 [#1] SMP PTI + CPU: 43 PID: 2059 Comm: ip Tainted: G I 5.8.0-rc2.upstream+ #871 + Hardware name: Dell Inc. PowerEdge R740/08D89F, BIOS 2.2.11 06/13/2019 + RIP: 0010:bnxt_set_vf_trust+0x5b/0x110 [bnxt_en] + Code: 44 24 58 31 c0 e8 f5 fb ff ff 85 c0 0f 85 b6 00 00 00 48 8d 1c 5b 41 89 c6 b9 0b 00 00 00 48 c1 e3 04 49 03 9c 24 f0 0e 00 00 <8b> 43 14 89 c2 83 c8 10 83 e2 ef 45 84 ed 49 89 e5 0f 44 c2 4c 89 + RSP: 0018:ffffac6246a1f570 EFLAGS: 00010246 + RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000000000b + RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff98b28f538900 + RBP: ffff98b28f538900 R08: 0000000000000000 R09: 0000000000000008 + R10: ffffffffb9515be0 R11: ffffac6246a1f678 R12: ffff98b28f538000 + R13: 0000000000000001 R14: 0000000000000000 R15: ffffffffc05451e0 + FS: 00007fde0f688800(0000) GS:ffff98baffd40000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000000000014 CR3: 000000104bb0a003 CR4: 00000000007606e0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + PKRU: 55555554 + Call Trace: + do_setlink+0x994/0xfe0 + __rtnl_newlink+0x544/0x8d0 + rtnl_newlink+0x47/0x70 + rtnetlink_rcv_msg+0x29f/0x350 + netlink_rcv_skb+0x4a/0x110 + netlink_unicast+0x21d/0x300 + netlink_sendmsg+0x329/0x450 + sock_sendmsg+0x5b/0x60 + ____sys_sendmsg+0x204/0x280 + ___sys_sendmsg+0x88/0xd0 + __sys_sendmsg+0x5e/0xa0 + do_syscall_64+0x47/0x80 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Fixes: c0c050c58d840 ("bnxt_en: New Broadcom ethernet driver.") +Reported-by: Fei Liu +CC: Jonathan Toppins +CC: Michael Chan +Signed-off-by: Davide Caratti +Reviewed-by: Michael Chan +Acked-by: Jonathan Toppins +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c +index 1046b22220a30..452be9749827a 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c +@@ -398,6 +398,7 @@ static void bnxt_free_vf_resources(struct bnxt *bp) + } + } + ++ bp->pf.active_vfs = 0; + kfree(bp->pf.vf); + bp->pf.vf = NULL; + } +@@ -833,7 +834,6 @@ void bnxt_sriov_disable(struct bnxt *bp) + + bnxt_free_vf_resources(bp); + +- bp->pf.active_vfs = 0; + /* Reclaim all resources for the PF. */ + rtnl_lock(); + bnxt_restore_pf_fw_resources(bp); +-- +2.25.1 + diff --git a/queue-5.4/bpf-sockmap-rcu-dereferenced-psock-may-be-used-outsi.patch b/queue-5.4/bpf-sockmap-rcu-dereferenced-psock-may-be-used-outsi.patch new file mode 100644 index 00000000000..91f6009488e --- /dev/null +++ b/queue-5.4/bpf-sockmap-rcu-dereferenced-psock-may-be-used-outsi.patch @@ -0,0 +1,93 @@ +From 9b2b73fff3f99320a0b7423ddfbf9edabbe69b2e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Jun 2020 16:13:18 -0700 +Subject: bpf, sockmap: RCU dereferenced psock may be used outside RCU block + +From: John Fastabend + +[ Upstream commit 8025751d4d55a2f32be6bdf825b6a80c299875f5 ] + +If an ingress verdict program specifies message sizes greater than +skb->len and there is an ENOMEM error due to memory pressure we +may call the rcv_msg handler outside the strp_data_ready() caller +context. This is because on an ENOMEM error the strparser will +retry from a workqueue. The caller currently protects the use of +psock by calling the strp_data_ready() inside a rcu_read_lock/unlock +block. + +But, in above workqueue error case the psock is accessed outside +the read_lock/unlock block of the caller. So instead of using +psock directly we must do a look up against the sk again to +ensure the psock is available. + +There is an an ugly piece here where we must handle +the case where we paused the strp and removed the psock. On +psock removal we first pause the strparser and then remove +the psock. If the strparser is paused while an skb is +scheduled on the workqueue the skb will be dropped on the +flow and kfree_skb() is called. If the workqueue manages +to get called before we pause the strparser but runs the rcvmsg +callback after the psock is removed we will hit the unlikely +case where we run the sockmap rcvmsg handler but do not have +a psock. For now we will follow strparser logic and drop the +skb on the floor with skb_kfree(). This is ugly because the +data is dropped. To date this has not caused problems in practice +because either the application controlling the sockmap is +coordinating with the datapath so that skbs are "flushed" +before removal or we simply wait for the sock to be closed before +removing it. + +This patch fixes the describe RCU bug and dropping the skb doesn't +make things worse. Future patches will improve this by allowing +the normal case where skbs are not merged to skip the strparser +altogether. In practice many (most?) use cases have no need to +merge skbs so its both a code complexity hit as seen above and +a performance issue. For example, in the Cilium case we always +set the strparser up to return sbks 1:1 without any merging and +have avoided above issues. + +Fixes: e91de6afa81c1 ("bpf: Fix running sk_skb program types with ktls") +Signed-off-by: John Fastabend +Signed-off-by: Alexei Starovoitov +Acked-by: Martin KaFai Lau +Link: https://lore.kernel.org/bpf/159312679888.18340.15248924071966273998.stgit@john-XPS-13-9370 +Signed-off-by: Sasha Levin +--- + net/core/skmsg.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/net/core/skmsg.c b/net/core/skmsg.c +index 70ea352e3a3b6..118cf1ace43a6 100644 +--- a/net/core/skmsg.c ++++ b/net/core/skmsg.c +@@ -785,11 +785,18 @@ static void sk_psock_verdict_apply(struct sk_psock *psock, + + static void sk_psock_strp_read(struct strparser *strp, struct sk_buff *skb) + { +- struct sk_psock *psock = sk_psock_from_strp(strp); ++ struct sk_psock *psock; + struct bpf_prog *prog; + int ret = __SK_DROP; ++ struct sock *sk; + + rcu_read_lock(); ++ sk = strp->sk; ++ psock = sk_psock(sk); ++ if (unlikely(!psock)) { ++ kfree_skb(skb); ++ goto out; ++ } + prog = READ_ONCE(psock->progs.skb_verdict); + if (likely(prog)) { + skb_orphan(skb); +@@ -798,6 +805,7 @@ static void sk_psock_strp_read(struct strparser *strp, struct sk_buff *skb) + ret = sk_psock_map_verd(ret, tcp_skb_bpf_redirect_fetch(skb)); + } + sk_psock_verdict_apply(psock, skb, ret); ++out: + rcu_read_unlock(); + } + +-- +2.25.1 + diff --git a/queue-5.4/bpf-sockmap-rcu-splat-with-redirect-and-strparser-er.patch b/queue-5.4/bpf-sockmap-rcu-splat-with-redirect-and-strparser-er.patch new file mode 100644 index 00000000000..c2be0f9de72 --- /dev/null +++ b/queue-5.4/bpf-sockmap-rcu-splat-with-redirect-and-strparser-er.patch @@ -0,0 +1,161 @@ +From 6ef1ba2a95b84876ca1f687ba23b121aa619e75a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Jun 2020 16:12:59 -0700 +Subject: bpf, sockmap: RCU splat with redirect and strparser error or TLS + +From: John Fastabend + +[ Upstream commit 93dd5f185916b05e931cffae636596f21f98546e ] + +There are two paths to generate the below RCU splat the first and +most obvious is the result of the BPF verdict program issuing a +redirect on a TLS socket (This is the splat shown below). Unlike +the non-TLS case the caller of the *strp_read() hooks does not +wrap the call in a rcu_read_lock/unlock. Then if the BPF program +issues a redirect action we hit the RCU splat. + +However, in the non-TLS socket case the splat appears to be +relatively rare, because the skmsg caller into the strp_data_ready() +is wrapped in a rcu_read_lock/unlock. Shown here, + + static void sk_psock_strp_data_ready(struct sock *sk) + { + struct sk_psock *psock; + + rcu_read_lock(); + psock = sk_psock(sk); + if (likely(psock)) { + if (tls_sw_has_ctx_rx(sk)) { + psock->parser.saved_data_ready(sk); + } else { + write_lock_bh(&sk->sk_callback_lock); + strp_data_ready(&psock->parser.strp); + write_unlock_bh(&sk->sk_callback_lock); + } + } + rcu_read_unlock(); + } + +If the above was the only way to run the verdict program we +would be safe. But, there is a case where the strparser may throw an +ENOMEM error while parsing the skb. This is a result of a failed +skb_clone, or alloc_skb_for_msg while building a new merged skb when +the msg length needed spans multiple skbs. This will in turn put the +skb on the strp_wrk workqueue in the strparser code. The skb will +later be dequeued and verdict programs run, but now from a +different context without the rcu_read_lock()/unlock() critical +section in sk_psock_strp_data_ready() shown above. In practice +I have not seen this yet, because as far as I know most users of the +verdict programs are also only working on single skbs. In this case no +merge happens which could trigger the above ENOMEM errors. In addition +the system would need to be under memory pressure. For example, we +can't hit the above case in selftests because we missed having tests +to merge skbs. (Added in later patch) + +To fix the below splat extend the rcu_read_lock/unnlock block to +include the call to sk_psock_tls_verdict_apply(). This will fix both +TLS redirect case and non-TLS redirect+error case. Also remove +psock from the sk_psock_tls_verdict_apply() function signature its +not used there. + +[ 1095.937597] WARNING: suspicious RCU usage +[ 1095.940964] 5.7.0-rc7-02911-g463bac5f1ca79 #1 Tainted: G W +[ 1095.944363] ----------------------------- +[ 1095.947384] include/linux/skmsg.h:284 suspicious rcu_dereference_check() usage! +[ 1095.950866] +[ 1095.950866] other info that might help us debug this: +[ 1095.950866] +[ 1095.957146] +[ 1095.957146] rcu_scheduler_active = 2, debug_locks = 1 +[ 1095.961482] 1 lock held by test_sockmap/15970: +[ 1095.964501] #0: ffff9ea6b25de660 (sk_lock-AF_INET){+.+.}-{0:0}, at: tls_sw_recvmsg+0x13a/0x840 [tls] +[ 1095.968568] +[ 1095.968568] stack backtrace: +[ 1095.975001] CPU: 1 PID: 15970 Comm: test_sockmap Tainted: G W 5.7.0-rc7-02911-g463bac5f1ca79 #1 +[ 1095.977883] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 +[ 1095.980519] Call Trace: +[ 1095.982191] dump_stack+0x8f/0xd0 +[ 1095.984040] sk_psock_skb_redirect+0xa6/0xf0 +[ 1095.986073] sk_psock_tls_strp_read+0x1d8/0x250 +[ 1095.988095] tls_sw_recvmsg+0x714/0x840 [tls] + +v2: Improve commit message to identify non-TLS redirect plus error case + condition as well as more common TLS case. In the process I decided + doing the rcu_read_unlock followed by the lock/unlock inside branches + was unnecessarily complex. We can just extend the current rcu block + and get the same effeective without the shuffling and branching. + Thanks Martin! + +Fixes: e91de6afa81c1 ("bpf: Fix running sk_skb program types with ktls") +Reported-by: Jakub Sitnicki +Reported-by: kernel test robot +Signed-off-by: John Fastabend +Signed-off-by: Alexei Starovoitov +Acked-by: Martin KaFai Lau +Acked-by: Jakub Sitnicki +Link: https://lore.kernel.org/bpf/159312677907.18340.11064813152758406626.stgit@john-XPS-13-9370 +Signed-off-by: Sasha Levin +--- + net/core/skmsg.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +diff --git a/net/core/skmsg.c b/net/core/skmsg.c +index 0536ea9298e4c..70ea352e3a3b6 100644 +--- a/net/core/skmsg.c ++++ b/net/core/skmsg.c +@@ -687,7 +687,7 @@ static struct sk_psock *sk_psock_from_strp(struct strparser *strp) + return container_of(parser, struct sk_psock, parser); + } + +-static void sk_psock_skb_redirect(struct sk_psock *psock, struct sk_buff *skb) ++static void sk_psock_skb_redirect(struct sk_buff *skb) + { + struct sk_psock *psock_other; + struct sock *sk_other; +@@ -719,12 +719,11 @@ static void sk_psock_skb_redirect(struct sk_psock *psock, struct sk_buff *skb) + } + } + +-static void sk_psock_tls_verdict_apply(struct sk_psock *psock, +- struct sk_buff *skb, int verdict) ++static void sk_psock_tls_verdict_apply(struct sk_buff *skb, int verdict) + { + switch (verdict) { + case __SK_REDIRECT: +- sk_psock_skb_redirect(psock, skb); ++ sk_psock_skb_redirect(skb); + break; + case __SK_PASS: + case __SK_DROP: +@@ -745,8 +744,8 @@ int sk_psock_tls_strp_read(struct sk_psock *psock, struct sk_buff *skb) + ret = sk_psock_bpf_run(psock, prog, skb); + ret = sk_psock_map_verd(ret, tcp_skb_bpf_redirect_fetch(skb)); + } ++ sk_psock_tls_verdict_apply(skb, ret); + rcu_read_unlock(); +- sk_psock_tls_verdict_apply(psock, skb, ret); + return ret; + } + EXPORT_SYMBOL_GPL(sk_psock_tls_strp_read); +@@ -774,7 +773,7 @@ static void sk_psock_verdict_apply(struct sk_psock *psock, + } + goto out_free; + case __SK_REDIRECT: +- sk_psock_skb_redirect(psock, skb); ++ sk_psock_skb_redirect(skb); + break; + case __SK_DROP: + /* fall-through */ +@@ -798,8 +797,8 @@ static void sk_psock_strp_read(struct strparser *strp, struct sk_buff *skb) + ret = sk_psock_bpf_run(psock, prog, skb); + ret = sk_psock_map_verd(ret, tcp_skb_bpf_redirect_fetch(skb)); + } +- rcu_read_unlock(); + sk_psock_verdict_apply(psock, skb, ret); ++ rcu_read_unlock(); + } + + static int sk_psock_strp_read_done(struct strparser *strp, int err) +-- +2.25.1 + diff --git a/queue-5.4/cxgb4-fix-all-mask-ip-address-comparison.patch b/queue-5.4/cxgb4-fix-all-mask-ip-address-comparison.patch new file mode 100644 index 00000000000..c13da0d8367 --- /dev/null +++ b/queue-5.4/cxgb4-fix-all-mask-ip-address-comparison.patch @@ -0,0 +1,48 @@ +From a24cff2f0071faab09b5f4e353ed5db58e85d852 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Jul 2020 03:14:27 +0530 +Subject: cxgb4: fix all-mask IP address comparison + +From: Rahul Lakkireddy + +[ Upstream commit 76c4d85c9260c3d741cbd194c30c61983d0a4303 ] + +Convert all-mask IP address to Big Endian, instead, for comparison. + +Fixes: f286dd8eaad5 ("cxgb4: use correct type for all-mask IP address comparison") +Signed-off-by: Rahul Lakkireddy +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c +index 375e1be6a2d8d..f459313357c78 100644 +--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c +@@ -839,16 +839,16 @@ static bool is_addr_all_mask(u8 *ipmask, int family) + struct in_addr *addr; + + addr = (struct in_addr *)ipmask; +- if (ntohl(addr->s_addr) == 0xffffffff) ++ if (addr->s_addr == htonl(0xffffffff)) + return true; + } else if (family == AF_INET6) { + struct in6_addr *addr6; + + addr6 = (struct in6_addr *)ipmask; +- if (ntohl(addr6->s6_addr32[0]) == 0xffffffff && +- ntohl(addr6->s6_addr32[1]) == 0xffffffff && +- ntohl(addr6->s6_addr32[2]) == 0xffffffff && +- ntohl(addr6->s6_addr32[3]) == 0xffffffff) ++ if (addr6->s6_addr32[0] == htonl(0xffffffff) && ++ addr6->s6_addr32[1] == htonl(0xffffffff) && ++ addr6->s6_addr32[2] == htonl(0xffffffff) && ++ addr6->s6_addr32[3] == htonl(0xffffffff)) + return true; + } + return false; +-- +2.25.1 + diff --git a/queue-5.4/drm-mediatek-check-plane-visibility-in-atomic_update.patch b/queue-5.4/drm-mediatek-check-plane-visibility-in-atomic_update.patch new file mode 100644 index 00000000000..ca6ad7fe8ca --- /dev/null +++ b/queue-5.4/drm-mediatek-check-plane-visibility-in-atomic_update.patch @@ -0,0 +1,74 @@ +From 443da6a16d58831dec80c66e2069612f9cba6d31 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Jun 2020 23:57:53 +0800 +Subject: drm/mediatek: Check plane visibility in atomic_update + +From: Hsin-Yi Wang + +[ Upstream commit c0b8892e2461b5fa740e47efbb1269a487b04020 ] + +Disable the plane if it's not visible. Otherwise mtk_ovl_layer_config() +would proceed with invalid plane and we may see vblank timeout. + +Fixes: 119f5173628a ("drm/mediatek: Add DRM Driver for Mediatek SoC MT8173.") +Signed-off-by: Hsin-Yi Wang +Reviewed-by: Tomasz Figa +Signed-off-by: Chun-Kuang Hu +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/mediatek/mtk_drm_plane.c | 25 ++++++++++++++---------- + 1 file changed, 15 insertions(+), 10 deletions(-) + +diff --git a/drivers/gpu/drm/mediatek/mtk_drm_plane.c b/drivers/gpu/drm/mediatek/mtk_drm_plane.c +index 584a9ecadce62..b7592b16ea940 100644 +--- a/drivers/gpu/drm/mediatek/mtk_drm_plane.c ++++ b/drivers/gpu/drm/mediatek/mtk_drm_plane.c +@@ -101,6 +101,16 @@ static int mtk_plane_atomic_check(struct drm_plane *plane, + true, true); + } + ++static void mtk_plane_atomic_disable(struct drm_plane *plane, ++ struct drm_plane_state *old_state) ++{ ++ struct mtk_plane_state *state = to_mtk_plane_state(plane->state); ++ ++ state->pending.enable = false; ++ wmb(); /* Make sure the above parameter is set before update */ ++ state->pending.dirty = true; ++} ++ + static void mtk_plane_atomic_update(struct drm_plane *plane, + struct drm_plane_state *old_state) + { +@@ -115,6 +125,11 @@ static void mtk_plane_atomic_update(struct drm_plane *plane, + if (!crtc || WARN_ON(!fb)) + return; + ++ if (!plane->state->visible) { ++ mtk_plane_atomic_disable(plane, old_state); ++ return; ++ } ++ + gem = fb->obj[0]; + mtk_gem = to_mtk_gem_obj(gem); + addr = mtk_gem->dma_addr; +@@ -136,16 +151,6 @@ static void mtk_plane_atomic_update(struct drm_plane *plane, + state->pending.dirty = true; + } + +-static void mtk_plane_atomic_disable(struct drm_plane *plane, +- struct drm_plane_state *old_state) +-{ +- struct mtk_plane_state *state = to_mtk_plane_state(plane->state); +- +- state->pending.enable = false; +- wmb(); /* Make sure the above parameter is set before update */ +- state->pending.dirty = true; +-} +- + static const struct drm_plane_helper_funcs mtk_plane_helper_funcs = { + .prepare_fb = drm_gem_fb_prepare_fb, + .atomic_check = mtk_plane_atomic_check, +-- +2.25.1 + diff --git a/queue-5.4/gpio-pca953x-fix-gpio-resource-leak-on-intel-galileo.patch b/queue-5.4/gpio-pca953x-fix-gpio-resource-leak-on-intel-galileo.patch new file mode 100644 index 00000000000..2747ceab339 --- /dev/null +++ b/queue-5.4/gpio-pca953x-fix-gpio-resource-leak-on-intel-galileo.patch @@ -0,0 +1,46 @@ +From 50fa90bfce515c9bad5c05a0cfa05765a82c37b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Jun 2020 14:49:06 +0300 +Subject: gpio: pca953x: Fix GPIO resource leak on Intel Galileo Gen 2 + +From: Andy Shevchenko + +[ Upstream commit 5d8913504ccfeea6120df5ae1c6f4479ff09b931 ] + +When adding a quirk for IRQ on Intel Galileo Gen 2 the commit ba8c90c61847 +("gpio: pca953x: Override IRQ for one of the expanders on Galileo Gen 2") +missed GPIO resource release. We can safely do this in the same quirk, since +IRQ will be locked by GPIO framework when requested and unlocked on freeing. + +Fixes: ba8c90c61847 ("gpio: pca953x: Override IRQ for one of the expanders on Galileo Gen 2") +Signed-off-by: Andy Shevchenko +Cc: Mika Westerberg +Reviewed-by: Mika Westerberg +Reviewed-by: Linus Walleij +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-pca953x.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpio/gpio-pca953x.c b/drivers/gpio/gpio-pca953x.c +index c935019c0257c..81f5103dccb6f 100644 +--- a/drivers/gpio/gpio-pca953x.c ++++ b/drivers/gpio/gpio-pca953x.c +@@ -176,7 +176,12 @@ static int pca953x_acpi_get_irq(struct device *dev) + if (ret) + return ret; + +- return gpio_to_irq(pin); ++ ret = gpio_to_irq(pin); ++ ++ /* When pin is used as an IRQ, no need to keep it requested */ ++ gpio_free(pin); ++ ++ return ret; + } + #endif + +-- +2.25.1 + diff --git a/queue-5.4/gpio-pca953x-override-irq-for-one-of-the-expanders-o.patch b/queue-5.4/gpio-pca953x-override-irq-for-one-of-the-expanders-o.patch new file mode 100644 index 00000000000..dfd674224ae --- /dev/null +++ b/queue-5.4/gpio-pca953x-override-irq-for-one-of-the-expanders-o.patch @@ -0,0 +1,132 @@ +From d933f2a08dc7bd313220dfeb093f03d1b664f0de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Jun 2020 16:40:34 +0300 +Subject: gpio: pca953x: Override IRQ for one of the expanders on Galileo Gen 2 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Andy Shevchenko + +[ Upstream commit ba8c90c6184784b397807b72403656085ac2f8c1 ] + +ACPI table on Intel Galileo Gen 2 has wrong pin number for IRQ resource +of one of the I²C GPIO expanders. Since we know what that number is and +luckily have GPIO bases fixed for SoC's controllers, we may use a simple +DMI quirk to match the platform and retrieve GpioInt() pin on it for +the expander in question. + +Mika suggested the way to avoid a quirk in the GPIO ACPI library and +here is the second, almost rewritten version of it. + +Fixes: f32517bf1ae0 ("gpio: pca953x: support ACPI devices found on Galileo Gen2") +Depends-on: 25e3ef894eef ("gpio: acpi: Split out acpi_gpio_get_irq_resource() helper") +Suggested-by: Mika Westerberg +Reviewed-by: Mika Westerberg +Signed-off-by: Andy Shevchenko +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-pca953x.c | 79 +++++++++++++++++++++++++++++++++++++ + 1 file changed, 79 insertions(+) + +diff --git a/drivers/gpio/gpio-pca953x.c b/drivers/gpio/gpio-pca953x.c +index 29ba26742c8f5..c935019c0257c 100644 +--- a/drivers/gpio/gpio-pca953x.c ++++ b/drivers/gpio/gpio-pca953x.c +@@ -107,6 +107,79 @@ static const struct i2c_device_id pca953x_id[] = { + }; + MODULE_DEVICE_TABLE(i2c, pca953x_id); + ++#ifdef CONFIG_GPIO_PCA953X_IRQ ++ ++#include ++#include ++#include ++ ++static const struct dmi_system_id pca953x_dmi_acpi_irq_info[] = { ++ { ++ /* ++ * On Intel Galileo Gen 2 board the IRQ pin of one of ++ * the I²C GPIO expanders, which has GpioInt() resource, ++ * is provided as an absolute number instead of being ++ * relative. Since first controller (gpio-sch.c) and ++ * second (gpio-dwapb.c) are at the fixed bases, we may ++ * safely refer to the number in the global space to get ++ * an IRQ out of it. ++ */ ++ .matches = { ++ DMI_EXACT_MATCH(DMI_BOARD_NAME, "GalileoGen2"), ++ }, ++ }, ++ {} ++}; ++ ++#ifdef CONFIG_ACPI ++static int pca953x_acpi_get_pin(struct acpi_resource *ares, void *data) ++{ ++ struct acpi_resource_gpio *agpio; ++ int *pin = data; ++ ++ if (acpi_gpio_get_irq_resource(ares, &agpio)) ++ *pin = agpio->pin_table[0]; ++ return 1; ++} ++ ++static int pca953x_acpi_find_pin(struct device *dev) ++{ ++ struct acpi_device *adev = ACPI_COMPANION(dev); ++ int pin = -ENOENT, ret; ++ LIST_HEAD(r); ++ ++ ret = acpi_dev_get_resources(adev, &r, pca953x_acpi_get_pin, &pin); ++ acpi_dev_free_resource_list(&r); ++ if (ret < 0) ++ return ret; ++ ++ return pin; ++} ++#else ++static inline int pca953x_acpi_find_pin(struct device *dev) { return -ENXIO; } ++#endif ++ ++static int pca953x_acpi_get_irq(struct device *dev) ++{ ++ int pin, ret; ++ ++ pin = pca953x_acpi_find_pin(dev); ++ if (pin < 0) ++ return pin; ++ ++ dev_info(dev, "Applying ACPI interrupt quirk (GPIO %d)\n", pin); ++ ++ if (!gpio_is_valid(pin)) ++ return -EINVAL; ++ ++ ret = gpio_request(pin, "pca953x interrupt"); ++ if (ret) ++ return ret; ++ ++ return gpio_to_irq(pin); ++} ++#endif ++ + static const struct acpi_device_id pca953x_acpi_ids[] = { + { "INT3491", 16 | PCA953X_TYPE | PCA_LATCH_INT, }, + { } +@@ -772,6 +845,12 @@ static int pca953x_irq_setup(struct pca953x_chip *chip, + u8 reg_direction[MAX_BANK]; + int ret, i; + ++ if (dmi_first_match(pca953x_dmi_acpi_irq_info)) { ++ ret = pca953x_acpi_get_irq(&client->dev); ++ if (ret > 0) ++ client->irq = ret; ++ } ++ + if (!client->irq) + return 0; + +-- +2.25.1 + diff --git a/queue-5.4/ib-mlx5-fix-50g-per-lane-indication.patch b/queue-5.4/ib-mlx5-fix-50g-per-lane-indication.patch new file mode 100644 index 00000000000..d29479bccc0 --- /dev/null +++ b/queue-5.4/ib-mlx5-fix-50g-per-lane-indication.patch @@ -0,0 +1,47 @@ +From 402bf4bc412b8a674186c822672b926c562c0a18 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Jul 2020 14:06:11 +0300 +Subject: IB/mlx5: Fix 50G per lane indication + +From: Aya Levin + +[ Upstream commit 530c8632b547ff72f11ff83654b22462a73f1f7b ] + +Some released FW versions mistakenly don't set the capability that 50G per +lane link-modes are supported for VFs (ptys_extended_ethernet capability +bit). + +Use PTYS.ext_eth_proto_capability instead, as this indication is always +accurate. If PTYS.ext_eth_proto_capability is valid +(has a non-zero value) conclude that the HCA supports 50G per lane. + +Otherwise, conclude that the HCA doesn't support 50G per lane. + +Fixes: 08e8676f1607 ("IB/mlx5: Add support for 50Gbps per lane link modes") +Link: https://lore.kernel.org/r/20200707110612.882962-3-leon@kernel.org +Signed-off-by: Aya Levin +Reviewed-by: Eran Ben Elisha +Reviewed-by: Saeed Mahameed +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx5/main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c +index 4f44a731a48e1..b781ad74e6de4 100644 +--- a/drivers/infiniband/hw/mlx5/main.c ++++ b/drivers/infiniband/hw/mlx5/main.c +@@ -517,7 +517,7 @@ static int mlx5_query_port_roce(struct ib_device *device, u8 port_num, + mdev_port_num); + if (err) + goto out; +- ext = MLX5_CAP_PCAM_FEATURE(dev->mdev, ptys_extended_ethernet); ++ ext = !!MLX5_GET_ETH_PROTO(ptys_reg, out, true, eth_proto_capability); + eth_prot_oper = MLX5_GET_ETH_PROTO(ptys_reg, out, ext, eth_proto_oper); + + props->active_width = IB_WIDTH_4X; +-- +2.25.1 + diff --git a/queue-5.4/ib-sa-resolv-use-after-free-in-ib_nl_make_request.patch b/queue-5.4/ib-sa-resolv-use-after-free-in-ib_nl_make_request.patch new file mode 100644 index 00000000000..43120359616 --- /dev/null +++ b/queue-5.4/ib-sa-resolv-use-after-free-in-ib_nl_make_request.patch @@ -0,0 +1,130 @@ +From 6ef115ce959caf0df3a7f83b7c7d5e63caa4ff19 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Jun 2020 19:13:09 -0700 +Subject: IB/sa: Resolv use-after-free in ib_nl_make_request() + +From: Divya Indi + +[ Upstream commit f427f4d6214c183c474eeb46212d38e6c7223d6a ] + +There is a race condition where ib_nl_make_request() inserts the request +data into the linked list but the timer in ib_nl_request_timeout() can see +it and destroy it before ib_nl_send_msg() is done touching it. This could +happen, for instance, if there is a long delay allocating memory during +nlmsg_new() + +This causes a use-after-free in the send_mad() thread: + + [] ? ib_pack+0x17b/0x240 [ib_core] + [ ] ib_sa_path_rec_get+0x181/0x200 [ib_sa] + [] rdma_resolve_route+0x3c0/0x8d0 [rdma_cm] + [] ? cma_bind_port+0xa0/0xa0 [rdma_cm] + [] ? rds_rdma_cm_event_handler_cmn+0x850/0x850 [rds_rdma] + [] rds_rdma_cm_event_handler_cmn+0x22c/0x850 [rds_rdma] + [] rds_rdma_cm_event_handler+0x10/0x20 [rds_rdma] + [] addr_handler+0x9e/0x140 [rdma_cm] + [] process_req+0x134/0x190 [ib_addr] + [] process_one_work+0x169/0x4a0 + [] worker_thread+0x5b/0x560 + [] ? flush_delayed_work+0x50/0x50 + [] kthread+0xcb/0xf0 + [] ? __schedule+0x24a/0x810 + [] ? __schedule+0x24a/0x810 + [] ? kthread_create_on_node+0x180/0x180 + [] ret_from_fork+0x47/0x90 + [] ? kthread_create_on_node+0x180/0x180 + +The ownership rule is once the request is on the list, ownership transfers +to the list and the local thread can't touch it any more, just like for +the normal MAD case in send_mad(). + +Thus, instead of adding before send and then trying to delete after on +errors, move the entire thing under the spinlock so that the send and +update of the lists are atomic to the conurrent threads. Lightly reoganize +things so spinlock safe memory allocations are done in the final NL send +path and the rest of the setup work is done before and outside the lock. + +Fixes: 3ebd2fd0d011 ("IB/sa: Put netlink request into the request list before sending") +Link: https://lore.kernel.org/r/1592964789-14533-1-git-send-email-divya.indi@oracle.com +Signed-off-by: Divya Indi +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/sa_query.c | 38 +++++++++++++----------------- + 1 file changed, 17 insertions(+), 21 deletions(-) + +diff --git a/drivers/infiniband/core/sa_query.c b/drivers/infiniband/core/sa_query.c +index bddb5434fbed2..d2d70c89193ff 100644 +--- a/drivers/infiniband/core/sa_query.c ++++ b/drivers/infiniband/core/sa_query.c +@@ -829,13 +829,20 @@ static int ib_nl_get_path_rec_attrs_len(ib_sa_comp_mask comp_mask) + return len; + } + +-static int ib_nl_send_msg(struct ib_sa_query *query, gfp_t gfp_mask) ++static int ib_nl_make_request(struct ib_sa_query *query, gfp_t gfp_mask) + { + struct sk_buff *skb = NULL; + struct nlmsghdr *nlh; + void *data; + struct ib_sa_mad *mad; + int len; ++ unsigned long flags; ++ unsigned long delay; ++ gfp_t gfp_flag; ++ int ret; ++ ++ INIT_LIST_HEAD(&query->list); ++ query->seq = (u32)atomic_inc_return(&ib_nl_sa_request_seq); + + mad = query->mad_buf->mad; + len = ib_nl_get_path_rec_attrs_len(mad->sa_hdr.comp_mask); +@@ -860,36 +867,25 @@ static int ib_nl_send_msg(struct ib_sa_query *query, gfp_t gfp_mask) + /* Repair the nlmsg header length */ + nlmsg_end(skb, nlh); + +- return rdma_nl_multicast(&init_net, skb, RDMA_NL_GROUP_LS, gfp_mask); +-} ++ gfp_flag = ((gfp_mask & GFP_ATOMIC) == GFP_ATOMIC) ? GFP_ATOMIC : ++ GFP_NOWAIT; + +-static int ib_nl_make_request(struct ib_sa_query *query, gfp_t gfp_mask) +-{ +- unsigned long flags; +- unsigned long delay; +- int ret; ++ spin_lock_irqsave(&ib_nl_request_lock, flags); ++ ret = rdma_nl_multicast(&init_net, skb, RDMA_NL_GROUP_LS, gfp_flag); + +- INIT_LIST_HEAD(&query->list); +- query->seq = (u32)atomic_inc_return(&ib_nl_sa_request_seq); ++ if (ret) ++ goto out; + +- /* Put the request on the list first.*/ +- spin_lock_irqsave(&ib_nl_request_lock, flags); ++ /* Put the request on the list.*/ + delay = msecs_to_jiffies(sa_local_svc_timeout_ms); + query->timeout = delay + jiffies; + list_add_tail(&query->list, &ib_nl_request_list); + /* Start the timeout if this is the only request */ + if (ib_nl_request_list.next == &query->list) + queue_delayed_work(ib_nl_wq, &ib_nl_timed_work, delay); +- spin_unlock_irqrestore(&ib_nl_request_lock, flags); + +- ret = ib_nl_send_msg(query, gfp_mask); +- if (ret) { +- ret = -EIO; +- /* Remove the request */ +- spin_lock_irqsave(&ib_nl_request_lock, flags); +- list_del(&query->list); +- spin_unlock_irqrestore(&ib_nl_request_lock, flags); +- } ++out: ++ spin_unlock_irqrestore(&ib_nl_request_lock, flags); + + return ret; + } +-- +2.25.1 + diff --git a/queue-5.4/mlxsw-pci-fix-use-after-free-in-case-of-failed-devli.patch b/queue-5.4/mlxsw-pci-fix-use-after-free-in-case-of-failed-devli.patch new file mode 100644 index 00000000000..d4a393928a2 --- /dev/null +++ b/queue-5.4/mlxsw-pci-fix-use-after-free-in-case-of-failed-devli.patch @@ -0,0 +1,195 @@ +From ee7a762c5ffda299f228b85544545489cc30e3fd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Jul 2020 16:41:39 +0300 +Subject: mlxsw: pci: Fix use-after-free in case of failed devlink reload + +From: Ido Schimmel + +[ Upstream commit c4317b11675b99af6641662ebcbd3c6010600e64 ] + +In case devlink reload failed, it is possible to trigger a +use-after-free when querying the kernel for device info via 'devlink dev +info' [1]. + +This happens because as part of the reload error path the PCI command +interface is de-initialized and its mailboxes are freed. When the +devlink '->info_get()' callback is invoked the device is queried via the +command interface and the freed mailboxes are accessed. + +Fix this by initializing the command interface once during probe and not +during every reload. + +This is consistent with the other bus used by mlxsw (i.e., 'mlxsw_i2c') +and also allows user space to query the running firmware version (for +example) from the device after a failed reload. + +[1] +BUG: KASAN: use-after-free in memcpy include/linux/string.h:406 [inline] +BUG: KASAN: use-after-free in mlxsw_pci_cmd_exec+0x177/0xa60 drivers/net/ethernet/mellanox/mlxsw/pci.c:1675 +Write of size 4096 at addr ffff88810ae32000 by task syz-executor.1/2355 + +CPU: 1 PID: 2355 Comm: syz-executor.1 Not tainted 5.8.0-rc2+ #29 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0xf6/0x16e lib/dump_stack.c:118 + print_address_description.constprop.0+0x1c/0x250 mm/kasan/report.c:383 + __kasan_report mm/kasan/report.c:513 [inline] + kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530 + check_memory_region_inline mm/kasan/generic.c:186 [inline] + check_memory_region+0x14e/0x1b0 mm/kasan/generic.c:192 + memcpy+0x39/0x60 mm/kasan/common.c:106 + memcpy include/linux/string.h:406 [inline] + mlxsw_pci_cmd_exec+0x177/0xa60 drivers/net/ethernet/mellanox/mlxsw/pci.c:1675 + mlxsw_cmd_exec+0x249/0x550 drivers/net/ethernet/mellanox/mlxsw/core.c:2335 + mlxsw_cmd_access_reg drivers/net/ethernet/mellanox/mlxsw/cmd.h:859 [inline] + mlxsw_core_reg_access_cmd drivers/net/ethernet/mellanox/mlxsw/core.c:1938 [inline] + mlxsw_core_reg_access+0x2f6/0x540 drivers/net/ethernet/mellanox/mlxsw/core.c:1985 + mlxsw_reg_query drivers/net/ethernet/mellanox/mlxsw/core.c:2000 [inline] + mlxsw_devlink_info_get+0x17f/0x6e0 drivers/net/ethernet/mellanox/mlxsw/core.c:1090 + devlink_nl_info_fill.constprop.0+0x13c/0x2d0 net/core/devlink.c:4588 + devlink_nl_cmd_info_get_dumpit+0x246/0x460 net/core/devlink.c:4648 + genl_lock_dumpit+0x85/0xc0 net/netlink/genetlink.c:575 + netlink_dump+0x515/0xe50 net/netlink/af_netlink.c:2245 + __netlink_dump_start+0x53d/0x830 net/netlink/af_netlink.c:2353 + genl_family_rcv_msg_dumpit.isra.0+0x296/0x300 net/netlink/genetlink.c:638 + genl_family_rcv_msg net/netlink/genetlink.c:733 [inline] + genl_rcv_msg+0x78d/0x9d0 net/netlink/genetlink.c:753 + netlink_rcv_skb+0x152/0x440 net/netlink/af_netlink.c:2469 + genl_rcv+0x24/0x40 net/netlink/genetlink.c:764 + netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline] + netlink_unicast+0x53a/0x750 net/netlink/af_netlink.c:1329 + netlink_sendmsg+0x850/0xd90 net/netlink/af_netlink.c:1918 + sock_sendmsg_nosec net/socket.c:652 [inline] + sock_sendmsg+0x150/0x190 net/socket.c:672 + ____sys_sendmsg+0x6d8/0x840 net/socket.c:2363 + ___sys_sendmsg+0xff/0x170 net/socket.c:2417 + __sys_sendmsg+0xe5/0x1b0 net/socket.c:2450 + do_syscall_64+0x56/0xa0 arch/x86/entry/common.c:359 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Fixes: a9c8336f6544 ("mlxsw: core: Add support for devlink info command") +Signed-off-by: Ido Schimmel +Reviewed-by: Jiri Pirko +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlxsw/pci.c | 54 ++++++++++++++++------- + 1 file changed, 38 insertions(+), 16 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlxsw/pci.c b/drivers/net/ethernet/mellanox/mlxsw/pci.c +index f3d1f9411d104..aa4fef7890841 100644 +--- a/drivers/net/ethernet/mellanox/mlxsw/pci.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/pci.c +@@ -1401,23 +1401,12 @@ static int mlxsw_pci_init(void *bus_priv, struct mlxsw_core *mlxsw_core, + u16 num_pages; + int err; + +- mutex_init(&mlxsw_pci->cmd.lock); +- init_waitqueue_head(&mlxsw_pci->cmd.wait); +- + mlxsw_pci->core = mlxsw_core; + + mbox = mlxsw_cmd_mbox_alloc(); + if (!mbox) + return -ENOMEM; + +- err = mlxsw_pci_mbox_alloc(mlxsw_pci, &mlxsw_pci->cmd.in_mbox); +- if (err) +- goto mbox_put; +- +- err = mlxsw_pci_mbox_alloc(mlxsw_pci, &mlxsw_pci->cmd.out_mbox); +- if (err) +- goto err_out_mbox_alloc; +- + err = mlxsw_pci_sw_reset(mlxsw_pci, mlxsw_pci->id); + if (err) + goto err_sw_reset; +@@ -1524,9 +1513,6 @@ static int mlxsw_pci_init(void *bus_priv, struct mlxsw_core *mlxsw_core, + mlxsw_pci_free_irq_vectors(mlxsw_pci); + err_alloc_irq: + err_sw_reset: +- mlxsw_pci_mbox_free(mlxsw_pci, &mlxsw_pci->cmd.out_mbox); +-err_out_mbox_alloc: +- mlxsw_pci_mbox_free(mlxsw_pci, &mlxsw_pci->cmd.in_mbox); + mbox_put: + mlxsw_cmd_mbox_free(mbox); + return err; +@@ -1540,8 +1526,6 @@ static void mlxsw_pci_fini(void *bus_priv) + mlxsw_pci_aqs_fini(mlxsw_pci); + mlxsw_pci_fw_area_fini(mlxsw_pci); + mlxsw_pci_free_irq_vectors(mlxsw_pci); +- mlxsw_pci_mbox_free(mlxsw_pci, &mlxsw_pci->cmd.out_mbox); +- mlxsw_pci_mbox_free(mlxsw_pci, &mlxsw_pci->cmd.in_mbox); + } + + static struct mlxsw_pci_queue * +@@ -1755,6 +1739,37 @@ static const struct mlxsw_bus mlxsw_pci_bus = { + .features = MLXSW_BUS_F_TXRX | MLXSW_BUS_F_RESET, + }; + ++static int mlxsw_pci_cmd_init(struct mlxsw_pci *mlxsw_pci) ++{ ++ int err; ++ ++ mutex_init(&mlxsw_pci->cmd.lock); ++ init_waitqueue_head(&mlxsw_pci->cmd.wait); ++ ++ err = mlxsw_pci_mbox_alloc(mlxsw_pci, &mlxsw_pci->cmd.in_mbox); ++ if (err) ++ goto err_in_mbox_alloc; ++ ++ err = mlxsw_pci_mbox_alloc(mlxsw_pci, &mlxsw_pci->cmd.out_mbox); ++ if (err) ++ goto err_out_mbox_alloc; ++ ++ return 0; ++ ++err_out_mbox_alloc: ++ mlxsw_pci_mbox_free(mlxsw_pci, &mlxsw_pci->cmd.in_mbox); ++err_in_mbox_alloc: ++ mutex_destroy(&mlxsw_pci->cmd.lock); ++ return err; ++} ++ ++static void mlxsw_pci_cmd_fini(struct mlxsw_pci *mlxsw_pci) ++{ ++ mlxsw_pci_mbox_free(mlxsw_pci, &mlxsw_pci->cmd.out_mbox); ++ mlxsw_pci_mbox_free(mlxsw_pci, &mlxsw_pci->cmd.in_mbox); ++ mutex_destroy(&mlxsw_pci->cmd.lock); ++} ++ + static int mlxsw_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id) + { + const char *driver_name = pdev->driver->name; +@@ -1810,6 +1825,10 @@ static int mlxsw_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id) + mlxsw_pci->pdev = pdev; + pci_set_drvdata(pdev, mlxsw_pci); + ++ err = mlxsw_pci_cmd_init(mlxsw_pci); ++ if (err) ++ goto err_pci_cmd_init; ++ + mlxsw_pci->bus_info.device_kind = driver_name; + mlxsw_pci->bus_info.device_name = pci_name(mlxsw_pci->pdev); + mlxsw_pci->bus_info.dev = &pdev->dev; +@@ -1827,6 +1846,8 @@ static int mlxsw_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id) + return 0; + + err_bus_device_register: ++ mlxsw_pci_cmd_fini(mlxsw_pci); ++err_pci_cmd_init: + iounmap(mlxsw_pci->hw_addr); + err_ioremap: + err_pci_resource_len_check: +@@ -1844,6 +1865,7 @@ static void mlxsw_pci_remove(struct pci_dev *pdev) + struct mlxsw_pci *mlxsw_pci = pci_get_drvdata(pdev); + + mlxsw_core_bus_device_unregister(mlxsw_pci->core, false); ++ mlxsw_pci_cmd_fini(mlxsw_pci); + iounmap(mlxsw_pci->hw_addr); + pci_release_regions(mlxsw_pci->pdev); + pci_disable_device(mlxsw_pci->pdev); +-- +2.25.1 + diff --git a/queue-5.4/mlxsw-spectrum_router-remove-inappropriate-usage-of-.patch b/queue-5.4/mlxsw-spectrum_router-remove-inappropriate-usage-of-.patch new file mode 100644 index 00000000000..307c030b3bf --- /dev/null +++ b/queue-5.4/mlxsw-spectrum_router-remove-inappropriate-usage-of-.patch @@ -0,0 +1,49 @@ +From 89b332022aea7a0ff40a2ed07886e4f7faf56cfd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Jul 2020 16:41:38 +0300 +Subject: mlxsw: spectrum_router: Remove inappropriate usage of WARN_ON() + +From: Ido Schimmel + +[ Upstream commit d9d5420273997664a1c09151ca86ac993f2f89c1 ] + +We should not trigger a warning when a memory allocation fails. Remove +the WARN_ON(). + +The warning is constantly triggered by syzkaller when it is injecting +faults: + +[ 2230.758664] FAULT_INJECTION: forcing a failure. +[ 2230.758664] name failslab, interval 1, probability 0, space 0, times 0 +[ 2230.762329] CPU: 3 PID: 1407 Comm: syz-executor.0 Not tainted 5.8.0-rc2+ #28 +... +[ 2230.898175] WARNING: CPU: 3 PID: 1407 at drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:6265 mlxsw_sp_router_fib_event+0xfad/0x13e0 +[ 2230.898179] Kernel panic - not syncing: panic_on_warn set ... +[ 2230.898183] CPU: 3 PID: 1407 Comm: syz-executor.0 Not tainted 5.8.0-rc2+ #28 +[ 2230.898190] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 + +Fixes: 3057224e014c ("mlxsw: spectrum_router: Implement FIB offload in deferred work") +Signed-off-by: Ido Schimmel +Reviewed-by: Jiri Pirko +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c +index efdf8cb5114c2..2f013fc716985 100644 +--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c +@@ -6287,7 +6287,7 @@ static int mlxsw_sp_router_fib_event(struct notifier_block *nb, + } + + fib_work = kzalloc(sizeof(*fib_work), GFP_ATOMIC); +- if (WARN_ON(!fib_work)) ++ if (!fib_work) + return NOTIFY_BAD; + + fib_work->mlxsw_sp = router->mlxsw_sp; +-- +2.25.1 + diff --git a/queue-5.4/nbd-fix-memory-leak-in-nbd_add_socket.patch b/queue-5.4/nbd-fix-memory-leak-in-nbd_add_socket.patch new file mode 100644 index 00000000000..b2a41ae78fa --- /dev/null +++ b/queue-5.4/nbd-fix-memory-leak-in-nbd_add_socket.patch @@ -0,0 +1,80 @@ +From 51f99126bd309daf8e405d708e4f6e7a37b6c9f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Jun 2020 09:23:49 +0800 +Subject: nbd: Fix memory leak in nbd_add_socket + +From: Zheng Bin + +[ Upstream commit 579dd91ab3a5446b148e7f179b6596b270dace46 ] + +When adding first socket to nbd, if nsock's allocation failed, the data +structure member "config->socks" was reallocated, but the data structure +member "config->num_connections" was not updated. A memory leak will occur +then because the function "nbd_config_put" will free "config->socks" only +when "config->num_connections" is not zero. + +Fixes: 03bf73c315ed ("nbd: prevent memory leak") +Reported-by: syzbot+934037347002901b8d2a@syzkaller.appspotmail.com +Signed-off-by: Zheng Bin +Reviewed-by: Eric Biggers +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/nbd.c | 25 +++++++++++++++---------- + 1 file changed, 15 insertions(+), 10 deletions(-) + +diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c +index 78181908f0df6..7b61d53ba050e 100644 +--- a/drivers/block/nbd.c ++++ b/drivers/block/nbd.c +@@ -1022,25 +1022,26 @@ static int nbd_add_socket(struct nbd_device *nbd, unsigned long arg, + test_bit(NBD_RT_BOUND, &config->runtime_flags))) { + dev_err(disk_to_dev(nbd->disk), + "Device being setup by another task"); +- sockfd_put(sock); +- return -EBUSY; ++ err = -EBUSY; ++ goto put_socket; ++ } ++ ++ nsock = kzalloc(sizeof(*nsock), GFP_KERNEL); ++ if (!nsock) { ++ err = -ENOMEM; ++ goto put_socket; + } + + socks = krealloc(config->socks, (config->num_connections + 1) * + sizeof(struct nbd_sock *), GFP_KERNEL); + if (!socks) { +- sockfd_put(sock); +- return -ENOMEM; ++ kfree(nsock); ++ err = -ENOMEM; ++ goto put_socket; + } + + config->socks = socks; + +- nsock = kzalloc(sizeof(struct nbd_sock), GFP_KERNEL); +- if (!nsock) { +- sockfd_put(sock); +- return -ENOMEM; +- } +- + nsock->fallback_index = -1; + nsock->dead = false; + mutex_init(&nsock->tx_lock); +@@ -1052,6 +1053,10 @@ static int nbd_add_socket(struct nbd_device *nbd, unsigned long arg, + atomic_inc(&config->live_connections); + + return 0; ++ ++put_socket: ++ sockfd_put(sock); ++ return err; + } + + static int nbd_reconnect_socket(struct nbd_device *nbd, unsigned long arg) +-- +2.25.1 + diff --git a/queue-5.4/net-cxgb4-fix-return-error-value-in-t4_prep_fw.patch b/queue-5.4/net-cxgb4-fix-return-error-value-in-t4_prep_fw.patch new file mode 100644 index 00000000000..b9c0e524406 --- /dev/null +++ b/queue-5.4/net-cxgb4-fix-return-error-value-in-t4_prep_fw.patch @@ -0,0 +1,58 @@ +From 64e3ef8427b06c4e3721b3d503ff1903dd10e0f8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Jun 2020 18:49:51 +0800 +Subject: net: cxgb4: fix return error value in t4_prep_fw + +From: Li Heng + +[ Upstream commit 8a259e6b73ad8181b0b2ef338b35043433db1075 ] + +t4_prep_fw goto bye tag with positive return value when something +bad happened and which can not free resource in adap_init0. +so fix it to return negative value. + +Fixes: 16e47624e76b ("cxgb4: Add new scheme to update T4/T5 firmware") +Reported-by: Hulk Robot +Signed-off-by: Li Heng +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/chelsio/cxgb4/t4_hw.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c b/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c +index 31fcfc58e3373..588b63473c473 100644 +--- a/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c +@@ -3499,7 +3499,7 @@ int t4_prep_fw(struct adapter *adap, struct fw_info *fw_info, + drv_fw = &fw_info->fw_hdr; + + /* Read the header of the firmware on the card */ +- ret = -t4_read_flash(adap, FLASH_FW_START, ++ ret = t4_read_flash(adap, FLASH_FW_START, + sizeof(*card_fw) / sizeof(uint32_t), + (uint32_t *)card_fw, 1); + if (ret == 0) { +@@ -3528,8 +3528,8 @@ int t4_prep_fw(struct adapter *adap, struct fw_info *fw_info, + should_install_fs_fw(adap, card_fw_usable, + be32_to_cpu(fs_fw->fw_ver), + be32_to_cpu(card_fw->fw_ver))) { +- ret = -t4_fw_upgrade(adap, adap->mbox, fw_data, +- fw_size, 0); ++ ret = t4_fw_upgrade(adap, adap->mbox, fw_data, ++ fw_size, 0); + if (ret != 0) { + dev_err(adap->pdev_dev, + "failed to install firmware: %d\n", ret); +@@ -3560,7 +3560,7 @@ int t4_prep_fw(struct adapter *adap, struct fw_info *fw_info, + FW_HDR_FW_VER_MICRO_G(c), FW_HDR_FW_VER_BUILD_G(c), + FW_HDR_FW_VER_MAJOR_G(k), FW_HDR_FW_VER_MINOR_G(k), + FW_HDR_FW_VER_MICRO_G(k), FW_HDR_FW_VER_BUILD_G(k)); +- ret = EINVAL; ++ ret = -EINVAL; + goto bye; + } + +-- +2.25.1 + diff --git a/queue-5.4/net-dsa-microchip-set-the-correct-number-of-ports.patch b/queue-5.4/net-dsa-microchip-set-the-correct-number-of-ports.patch new file mode 100644 index 00000000000..017d3e0e3a5 --- /dev/null +++ b/queue-5.4/net-dsa-microchip-set-the-correct-number-of-ports.patch @@ -0,0 +1,56 @@ +From 6c1ad72626a3b11e3f18c7c0685ccb92f6d750dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Jul 2020 12:44:50 +0300 +Subject: net: dsa: microchip: set the correct number of ports + +From: Codrin Ciubotariu + +[ Upstream commit af199a1a9cb02ec0194804bd46c174b6db262075 ] + +The number of ports is incorrectly set to the maximum available for a DSA +switch. Even if the extra ports are not used, this causes some functions +to be called later, like port_disable() and port_stp_state_set(). If the +driver doesn't check the port index, it will end up modifying unknown +registers. + +Fixes: b987e98e50ab ("dsa: add DSA switch driver for Microchip KSZ9477") +Signed-off-by: Codrin Ciubotariu +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/microchip/ksz8795.c | 3 +++ + drivers/net/dsa/microchip/ksz9477.c | 3 +++ + 2 files changed, 6 insertions(+) + +diff --git a/drivers/net/dsa/microchip/ksz8795.c b/drivers/net/dsa/microchip/ksz8795.c +index 24a5e99f7fd5b..84c4319e3b31f 100644 +--- a/drivers/net/dsa/microchip/ksz8795.c ++++ b/drivers/net/dsa/microchip/ksz8795.c +@@ -1267,6 +1267,9 @@ static int ksz8795_switch_init(struct ksz_device *dev) + return -ENOMEM; + } + ++ /* set the real number of ports */ ++ dev->ds->num_ports = dev->port_cnt; ++ + return 0; + } + +diff --git a/drivers/net/dsa/microchip/ksz9477.c b/drivers/net/dsa/microchip/ksz9477.c +index 50ffc63d62319..3afb596d8e43f 100644 +--- a/drivers/net/dsa/microchip/ksz9477.c ++++ b/drivers/net/dsa/microchip/ksz9477.c +@@ -1587,6 +1587,9 @@ static int ksz9477_switch_init(struct ksz_device *dev) + return -ENOMEM; + } + ++ /* set the real number of ports */ ++ dev->ds->num_ports = dev->port_cnt; ++ + return 0; + } + +-- +2.25.1 + diff --git a/queue-5.4/net-hns3-add-a-missing-uninit-debugfs-when-unload-dr.patch b/queue-5.4/net-hns3-add-a-missing-uninit-debugfs-when-unload-dr.patch new file mode 100644 index 00000000000..18149857b88 --- /dev/null +++ b/queue-5.4/net-hns3-add-a-missing-uninit-debugfs-when-unload-dr.patch @@ -0,0 +1,38 @@ +From 8001aa02cc7a196942c88cb13db11614db923f9a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Jul 2020 19:26:01 +0800 +Subject: net: hns3: add a missing uninit debugfs when unload driver + +From: Huazhong Tan + +[ Upstream commit e22b5e728bbb179b912d3a3cd5c25894a89a26a2 ] + +When unloading driver, if flag HNS3_NIC_STATE_INITED has been +already cleared, the debugfs will not be uninitialized, so fix it. + +Fixes: b2292360bb2a ("net: hns3: Add debugfs framework registration") +Signed-off-by: Huazhong Tan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c +index 403e0f089f2af..37537c3020806 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c +@@ -3993,9 +3993,8 @@ static void hns3_client_uninit(struct hnae3_handle *handle, bool reset) + + hns3_put_ring_config(priv); + +- hns3_dbg_uninit(handle); +- + out_netdev_free: ++ hns3_dbg_uninit(handle); + free_netdev(netdev); + } + +-- +2.25.1 + diff --git a/queue-5.4/net-hns3-fix-use-after-free-when-doing-self-test.patch b/queue-5.4/net-hns3-fix-use-after-free-when-doing-self-test.patch new file mode 100644 index 00000000000..8058dac86fa --- /dev/null +++ b/queue-5.4/net-hns3-fix-use-after-free-when-doing-self-test.patch @@ -0,0 +1,85 @@ +From fce83a8539e82a370658a408066e991222540994 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Jul 2020 19:26:02 +0800 +Subject: net: hns3: fix use-after-free when doing self test + +From: Yonglong Liu + +[ Upstream commit a06656211304fec653c1931c2ca6d644013b5bbb ] + +Enable promisc mode of PF, set VF link state to enable, and +run iperf of the VF, then do self test of the PF. The self test +will fail with a low frequency, and may cause a use-after-free +problem. + +[ 87.142126] selftest:000004a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ +[ 87.159722] ================================================================== +[ 87.174187] BUG: KASAN: use-after-free in hex_dump_to_buffer+0x140/0x608 +[ 87.187600] Read of size 1 at addr ffff003b22828000 by task ethtool/1186 +[ 87.201012] +[ 87.203978] CPU: 7 PID: 1186 Comm: ethtool Not tainted 5.5.0-rc4-gfd51c473-dirty #4 +[ 87.219306] Hardware name: Huawei TaiShan 2280 V2/BC82AMDA, BIOS TA BIOS 2280-A CS V2.B160.01 01/15/2020 +[ 87.238292] Call trace: +[ 87.243173] dump_backtrace+0x0/0x280 +[ 87.250491] show_stack+0x24/0x30 +[ 87.257114] dump_stack+0xe8/0x140 +[ 87.263911] print_address_description.isra.8+0x70/0x380 +[ 87.274538] __kasan_report+0x12c/0x230 +[ 87.282203] kasan_report+0xc/0x18 +[ 87.288999] __asan_load1+0x60/0x68 +[ 87.295969] hex_dump_to_buffer+0x140/0x608 +[ 87.304332] print_hex_dump+0x140/0x1e0 +[ 87.312000] hns3_lb_check_skb_data+0x168/0x170 +[ 87.321060] hns3_clean_rx_ring+0xa94/0xfe0 +[ 87.329422] hns3_self_test+0x708/0x8c0 + +The length of packet sent by the selftest process is only +128 + 14 bytes, and the min buffer size of a BD is 256 bytes, +and the receive process will make sure the packet sent by +the selftest process is in the linear part, so only check +the linear part in hns3_lb_check_skb_data(). + +So fix this use-after-free by using skb_headlen() to dump +skb->data instead of skb->len. + +Fixes: c39c4d98dc65 ("net: hns3: Add mac loopback selftest support in hns3 driver") +Signed-off-by: Yonglong Liu +Signed-off-by: Huazhong Tan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c b/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c +index 52c9d204fe3d9..34e5448d59f6f 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c +@@ -174,18 +174,21 @@ static void hns3_lb_check_skb_data(struct hns3_enet_ring *ring, + { + struct hns3_enet_tqp_vector *tqp_vector = ring->tqp_vector; + unsigned char *packet = skb->data; ++ u32 len = skb_headlen(skb); + u32 i; + +- for (i = 0; i < skb->len; i++) ++ len = min_t(u32, len, HNS3_NIC_LB_TEST_PACKET_SIZE); ++ ++ for (i = 0; i < len; i++) + if (packet[i] != (unsigned char)(i & 0xff)) + break; + + /* The packet is correctly received */ +- if (i == skb->len) ++ if (i == HNS3_NIC_LB_TEST_PACKET_SIZE) + tqp_vector->rx_group.total_packets++; + else + print_hex_dump(KERN_ERR, "selftest:", DUMP_PREFIX_OFFSET, 16, 1, +- skb->data, skb->len, true); ++ skb->data, len, true); + + dev_kfree_skb_any(skb); + } +-- +2.25.1 + diff --git a/queue-5.4/net-macb-fix-call-to-pm_runtime-in-the-suspend-resum.patch b/queue-5.4/net-macb-fix-call-to-pm_runtime-in-the-suspend-resum.patch new file mode 100644 index 00000000000..a2dde07e7de --- /dev/null +++ b/queue-5.4/net-macb-fix-call-to-pm_runtime-in-the-suspend-resum.patch @@ -0,0 +1,52 @@ +From 1ec2cfedee4c0001903e98e21555cbf7f73f2586 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Jul 2020 14:46:45 +0200 +Subject: net: macb: fix call to pm_runtime in the suspend/resume functions + +From: Nicolas Ferre + +[ Upstream commit 6c8f85cac98a4c6b767c4c4f6af7283724c32b47 ] + +The calls to pm_runtime_force_suspend/resume() functions are only +relevant if the device is not configured to act as a WoL wakeup source. +Add the device_may_wakeup() test before calling them. + +Fixes: 3e2a5e153906 ("net: macb: add wake-on-lan support via magic packet") +Cc: Claudiu Beznea +Cc: Harini Katakam +Cc: Sergio Prado +Reviewed-by: Florian Fainelli +Signed-off-by: Nicolas Ferre +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cadence/macb_main.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c +index e7fafe2fcae5d..01ed4d4296db2 100644 +--- a/drivers/net/ethernet/cadence/macb_main.c ++++ b/drivers/net/ethernet/cadence/macb_main.c +@@ -4453,7 +4453,8 @@ static int __maybe_unused macb_suspend(struct device *dev) + netif_carrier_off(netdev); + if (bp->ptp_info) + bp->ptp_info->ptp_remove(netdev); +- pm_runtime_force_suspend(dev); ++ if (!device_may_wakeup(dev)) ++ pm_runtime_force_suspend(dev); + + return 0; + } +@@ -4468,7 +4469,8 @@ static int __maybe_unused macb_resume(struct device *dev) + if (!netif_running(netdev)) + return 0; + +- pm_runtime_force_resume(dev); ++ if (!device_may_wakeup(dev)) ++ pm_runtime_force_resume(dev); + + if (bp->wol & MACB_WOL_ENABLED) { + macb_writel(bp, IDR, MACB_BIT(WOL)); +-- +2.25.1 + diff --git a/queue-5.4/net-macb-fix-wakeup-test-in-runtime-suspend-resume-r.patch b/queue-5.4/net-macb-fix-wakeup-test-in-runtime-suspend-resume-r.patch new file mode 100644 index 00000000000..3c78e7c305a --- /dev/null +++ b/queue-5.4/net-macb-fix-wakeup-test-in-runtime-suspend-resume-r.patch @@ -0,0 +1,53 @@ +From 274904ecd58aab3112fb64740aa8eb5938c7be19 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Jul 2020 14:46:41 +0200 +Subject: net: macb: fix wakeup test in runtime suspend/resume routines + +From: Nicolas Ferre + +[ Upstream commit 515a10a701d570e26dfbe6ee373f77c8bf11053f ] + +Use the proper struct device pointer to check if the wakeup flag +and wakeup source are positioned. +Use the one passed by function call which is equivalent to +&bp->dev->dev.parent. + +It's preventing the trigger of a spurious interrupt in case the +Wake-on-Lan feature is used. + +Fixes: d54f89af6cc4 ("net: macb: Add pm runtime support") +Cc: Claudiu Beznea +Cc: Harini Katakam +Reviewed-by: Florian Fainelli +Signed-off-by: Nicolas Ferre +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cadence/macb_main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c +index 1ec19d9fab00c..16f5c62ba6dfe 100644 +--- a/drivers/net/ethernet/cadence/macb_main.c ++++ b/drivers/net/ethernet/cadence/macb_main.c +@@ -4507,7 +4507,7 @@ static int __maybe_unused macb_runtime_suspend(struct device *dev) + struct net_device *netdev = dev_get_drvdata(dev); + struct macb *bp = netdev_priv(netdev); + +- if (!(device_may_wakeup(&bp->dev->dev))) { ++ if (!(device_may_wakeup(dev))) { + clk_disable_unprepare(bp->tx_clk); + clk_disable_unprepare(bp->hclk); + clk_disable_unprepare(bp->pclk); +@@ -4523,7 +4523,7 @@ static int __maybe_unused macb_runtime_resume(struct device *dev) + struct net_device *netdev = dev_get_drvdata(dev); + struct macb *bp = netdev_priv(netdev); + +- if (!(device_may_wakeup(&bp->dev->dev))) { ++ if (!(device_may_wakeup(dev))) { + clk_prepare_enable(bp->pclk); + clk_prepare_enable(bp->hclk); + clk_prepare_enable(bp->tx_clk); +-- +2.25.1 + diff --git a/queue-5.4/net-macb-mark-device-wake-capable-when-magic-packet-.patch b/queue-5.4/net-macb-mark-device-wake-capable-when-magic-packet-.patch new file mode 100644 index 00000000000..e8b45d1c97a --- /dev/null +++ b/queue-5.4/net-macb-mark-device-wake-capable-when-magic-packet-.patch @@ -0,0 +1,50 @@ +From b408db556d537a85a29a7ed52e55a77b03b50040 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Jul 2020 14:46:42 +0200 +Subject: net: macb: mark device wake capable when "magic-packet" property + present + +From: Nicolas Ferre + +[ Upstream commit ced4799d06375929e013eea04ba6908207afabbe ] + +Change the way the "magic-packet" DT property is handled in the +macb_probe() function, matching DT binding documentation. +Now we mark the device as "wakeup capable" instead of calling the +device_init_wakeup() function that would enable the wakeup source. + +For Ethernet WoL, enabling the wakeup_source is done by +using ethtool and associated macb_set_wol() function that +already calls device_set_wakeup_enable() for this purpose. + +That would reduce power consumption by cutting more clocks if +"magic-packet" property is set but WoL is not configured by ethtool. + +Fixes: 3e2a5e153906 ("net: macb: add wake-on-lan support via magic packet") +Cc: Claudiu Beznea +Cc: Harini Katakam +Cc: Sergio Prado +Reviewed-by: Florian Fainelli +Signed-off-by: Nicolas Ferre +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cadence/macb_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c +index 16f5c62ba6dfe..e7fafe2fcae5d 100644 +--- a/drivers/net/ethernet/cadence/macb_main.c ++++ b/drivers/net/ethernet/cadence/macb_main.c +@@ -4260,7 +4260,7 @@ static int macb_probe(struct platform_device *pdev) + bp->wol = 0; + if (of_get_property(np, "magic-packet", NULL)) + bp->wol |= MACB_WOL_HAS_MAGIC_PACKET; +- device_init_wakeup(&pdev->dev, bp->wol & MACB_WOL_HAS_MAGIC_PACKET); ++ device_set_wakeup_capable(&pdev->dev, bp->wol & MACB_WOL_HAS_MAGIC_PACKET); + + spin_lock_init(&bp->lock); + +-- +2.25.1 + diff --git a/queue-5.4/net-mlx5-fix-eeprom-support-for-sfp-module.patch b/queue-5.4/net-mlx5-fix-eeprom-support-for-sfp-module.patch new file mode 100644 index 00000000000..5f35d9976bb --- /dev/null +++ b/queue-5.4/net-mlx5-fix-eeprom-support-for-sfp-module.patch @@ -0,0 +1,173 @@ +From e3a57a771f7b79f8de4ed299a8d91f545d001930 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Jun 2020 17:31:26 +0300 +Subject: net/mlx5: Fix eeprom support for SFP module + +From: Eran Ben Elisha + +[ Upstream commit 47afbdd2fa4c5775c383ba376a3d1da7d7f694dc ] + +Fix eeprom SFP query support by setting i2c_addr, offset and page number +correctly. Unlike QSFP modules, SFP eeprom params are as follow: +- i2c_addr is 0x50 for offset 0 - 255 and 0x51 for offset 256 - 511. +- Page number is always zero. +- Page offset is always relative to zero. + +As part of eeprom query, query the module ID (SFP / QSFP*) via helper +function to set the params accordingly. + +In addition, change mlx5_qsfp_eeprom_page() input type to be u16 to avoid +unnecessary casting. + +Fixes: a708fb7b1f8d ("net/mlx5e: ethtool, Add support for EEPROM high pages query") +Signed-off-by: Eran Ben Elisha +Signed-off-by: Huy Nguyen +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + .../net/ethernet/mellanox/mlx5/core/port.c | 93 +++++++++++++++---- + 1 file changed, 77 insertions(+), 16 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/port.c b/drivers/net/ethernet/mellanox/mlx5/core/port.c +index cc262b30aed53..dc589322940c5 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/port.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/port.c +@@ -293,7 +293,40 @@ static int mlx5_query_module_num(struct mlx5_core_dev *dev, int *module_num) + return 0; + } + +-static int mlx5_eeprom_page(int offset) ++static int mlx5_query_module_id(struct mlx5_core_dev *dev, int module_num, ++ u8 *module_id) ++{ ++ u32 in[MLX5_ST_SZ_DW(mcia_reg)] = {}; ++ u32 out[MLX5_ST_SZ_DW(mcia_reg)]; ++ int err, status; ++ u8 *ptr; ++ ++ MLX5_SET(mcia_reg, in, i2c_device_address, MLX5_I2C_ADDR_LOW); ++ MLX5_SET(mcia_reg, in, module, module_num); ++ MLX5_SET(mcia_reg, in, device_address, 0); ++ MLX5_SET(mcia_reg, in, page_number, 0); ++ MLX5_SET(mcia_reg, in, size, 1); ++ MLX5_SET(mcia_reg, in, l, 0); ++ ++ err = mlx5_core_access_reg(dev, in, sizeof(in), out, ++ sizeof(out), MLX5_REG_MCIA, 0, 0); ++ if (err) ++ return err; ++ ++ status = MLX5_GET(mcia_reg, out, status); ++ if (status) { ++ mlx5_core_err(dev, "query_mcia_reg failed: status: 0x%x\n", ++ status); ++ return -EIO; ++ } ++ ptr = MLX5_ADDR_OF(mcia_reg, out, dword_0); ++ ++ *module_id = ptr[0]; ++ ++ return 0; ++} ++ ++static int mlx5_qsfp_eeprom_page(u16 offset) + { + if (offset < MLX5_EEPROM_PAGE_LENGTH) + /* Addresses between 0-255 - page 00 */ +@@ -307,7 +340,7 @@ static int mlx5_eeprom_page(int offset) + MLX5_EEPROM_HIGH_PAGE_LENGTH); + } + +-static int mlx5_eeprom_high_page_offset(int page_num) ++static int mlx5_qsfp_eeprom_high_page_offset(int page_num) + { + if (!page_num) /* Page 0 always start from low page */ + return 0; +@@ -316,35 +349,62 @@ static int mlx5_eeprom_high_page_offset(int page_num) + return page_num * MLX5_EEPROM_HIGH_PAGE_LENGTH; + } + ++static void mlx5_qsfp_eeprom_params_set(u16 *i2c_addr, int *page_num, u16 *offset) ++{ ++ *i2c_addr = MLX5_I2C_ADDR_LOW; ++ *page_num = mlx5_qsfp_eeprom_page(*offset); ++ *offset -= mlx5_qsfp_eeprom_high_page_offset(*page_num); ++} ++ ++static void mlx5_sfp_eeprom_params_set(u16 *i2c_addr, int *page_num, u16 *offset) ++{ ++ *i2c_addr = MLX5_I2C_ADDR_LOW; ++ *page_num = 0; ++ ++ if (*offset < MLX5_EEPROM_PAGE_LENGTH) ++ return; ++ ++ *i2c_addr = MLX5_I2C_ADDR_HIGH; ++ *offset -= MLX5_EEPROM_PAGE_LENGTH; ++} ++ + int mlx5_query_module_eeprom(struct mlx5_core_dev *dev, + u16 offset, u16 size, u8 *data) + { +- int module_num, page_num, status, err; ++ int module_num, status, err, page_num = 0; ++ u32 in[MLX5_ST_SZ_DW(mcia_reg)] = {}; + u32 out[MLX5_ST_SZ_DW(mcia_reg)]; +- u32 in[MLX5_ST_SZ_DW(mcia_reg)]; +- u16 i2c_addr; +- void *ptr = MLX5_ADDR_OF(mcia_reg, out, dword_0); ++ u16 i2c_addr = 0; ++ u8 module_id; ++ void *ptr; + + err = mlx5_query_module_num(dev, &module_num); + if (err) + return err; + +- memset(in, 0, sizeof(in)); +- size = min_t(int, size, MLX5_EEPROM_MAX_BYTES); +- +- /* Get the page number related to the given offset */ +- page_num = mlx5_eeprom_page(offset); ++ err = mlx5_query_module_id(dev, module_num, &module_id); ++ if (err) ++ return err; + +- /* Set the right offset according to the page number, +- * For page_num > 0, relative offset is always >= 128 (high page). +- */ +- offset -= mlx5_eeprom_high_page_offset(page_num); ++ switch (module_id) { ++ case MLX5_MODULE_ID_SFP: ++ mlx5_sfp_eeprom_params_set(&i2c_addr, &page_num, &offset); ++ break; ++ case MLX5_MODULE_ID_QSFP: ++ case MLX5_MODULE_ID_QSFP_PLUS: ++ case MLX5_MODULE_ID_QSFP28: ++ mlx5_qsfp_eeprom_params_set(&i2c_addr, &page_num, &offset); ++ break; ++ default: ++ mlx5_core_err(dev, "Module ID not recognized: 0x%x\n", module_id); ++ return -EINVAL; ++ } + + if (offset + size > MLX5_EEPROM_PAGE_LENGTH) + /* Cross pages read, read until offset 256 in low page */ + size -= offset + size - MLX5_EEPROM_PAGE_LENGTH; + +- i2c_addr = MLX5_I2C_ADDR_LOW; ++ size = min_t(int, size, MLX5_EEPROM_MAX_BYTES); + + MLX5_SET(mcia_reg, in, l, 0); + MLX5_SET(mcia_reg, in, module, module_num); +@@ -365,6 +425,7 @@ int mlx5_query_module_eeprom(struct mlx5_core_dev *dev, + return -EIO; + } + ++ ptr = MLX5_ADDR_OF(mcia_reg, out, dword_0); + memcpy(data, ptr, size); + + return size; +-- +2.25.1 + diff --git a/queue-5.4/net-mlx5e-fix-50g-per-lane-indication.patch b/queue-5.4/net-mlx5e-fix-50g-per-lane-indication.patch new file mode 100644 index 00000000000..db5eb74664c --- /dev/null +++ b/queue-5.4/net-mlx5e-fix-50g-per-lane-indication.patch @@ -0,0 +1,134 @@ +From 21acdcac664d9f4b7c3dafbfddd41ed8f69873cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Jun 2020 12:48:47 +0300 +Subject: net/mlx5e: Fix 50G per lane indication + +From: Aya Levin + +[ Upstream commit 6a1cf4e443a3b0a4d690d3c93b84b1e9cbfcb1bd ] + +Some released FW versions mistakenly don't set the capability that 50G +per lane link-modes are supported for VFs (ptys_extended_ethernet +capability bit). When the capability is unset, read +PTYS.ext_eth_proto_capability (always reliable). +If PTYS.ext_eth_proto_capability is valid (has a non-zero value) +conclude that the HCA supports 50G per lane. Otherwise, conclude that +the HCA doesn't support 50G per lane. + +Fixes: a08b4ed1373d ("net/mlx5: Add support to ext_* fields introduced in Port Type and Speed register") +Signed-off-by: Aya Levin +Reviewed-by: Eran Ben Elisha +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + .../net/ethernet/mellanox/mlx5/core/en/port.c | 21 ++++++++++++++++--- + .../net/ethernet/mellanox/mlx5/core/en/port.h | 2 +- + .../ethernet/mellanox/mlx5/core/en_ethtool.c | 8 +++---- + 3 files changed, 23 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/port.c b/drivers/net/ethernet/mellanox/mlx5/core/en/port.c +index fce6eccdcf8b2..fa81a97f6ba9e 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/port.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/port.c +@@ -78,11 +78,26 @@ static const u32 mlx5e_ext_link_speed[MLX5E_EXT_LINK_MODES_NUMBER] = { + [MLX5E_400GAUI_8] = 400000, + }; + ++bool mlx5e_ptys_ext_supported(struct mlx5_core_dev *mdev) ++{ ++ struct mlx5e_port_eth_proto eproto; ++ int err; ++ ++ if (MLX5_CAP_PCAM_FEATURE(mdev, ptys_extended_ethernet)) ++ return true; ++ ++ err = mlx5_port_query_eth_proto(mdev, 1, true, &eproto); ++ if (err) ++ return false; ++ ++ return !!eproto.cap; ++} ++ + static void mlx5e_port_get_speed_arr(struct mlx5_core_dev *mdev, + const u32 **arr, u32 *size, + bool force_legacy) + { +- bool ext = force_legacy ? false : MLX5_CAP_PCAM_FEATURE(mdev, ptys_extended_ethernet); ++ bool ext = force_legacy ? false : mlx5e_ptys_ext_supported(mdev); + + *size = ext ? ARRAY_SIZE(mlx5e_ext_link_speed) : + ARRAY_SIZE(mlx5e_link_speed); +@@ -177,7 +192,7 @@ int mlx5e_port_linkspeed(struct mlx5_core_dev *mdev, u32 *speed) + bool ext; + int err; + +- ext = MLX5_CAP_PCAM_FEATURE(mdev, ptys_extended_ethernet); ++ ext = mlx5e_ptys_ext_supported(mdev); + err = mlx5_port_query_eth_proto(mdev, 1, ext, &eproto); + if (err) + goto out; +@@ -205,7 +220,7 @@ int mlx5e_port_max_linkspeed(struct mlx5_core_dev *mdev, u32 *speed) + int err; + int i; + +- ext = MLX5_CAP_PCAM_FEATURE(mdev, ptys_extended_ethernet); ++ ext = mlx5e_ptys_ext_supported(mdev); + err = mlx5_port_query_eth_proto(mdev, 1, ext, &eproto); + if (err) + return err; +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/port.h b/drivers/net/ethernet/mellanox/mlx5/core/en/port.h +index 4a7f4497692bc..e196888f7056b 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/port.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/port.h +@@ -54,7 +54,7 @@ int mlx5e_port_linkspeed(struct mlx5_core_dev *mdev, u32 *speed); + int mlx5e_port_max_linkspeed(struct mlx5_core_dev *mdev, u32 *speed); + u32 mlx5e_port_speed2linkmodes(struct mlx5_core_dev *mdev, u32 speed, + bool force_legacy); +- ++bool mlx5e_ptys_ext_supported(struct mlx5_core_dev *mdev); + int mlx5e_port_query_pbmc(struct mlx5_core_dev *mdev, void *out); + int mlx5e_port_set_pbmc(struct mlx5_core_dev *mdev, void *in); + int mlx5e_port_query_priority2buffer(struct mlx5_core_dev *mdev, u8 *buffer); +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c +index 39ee32518b106..8cd529556b214 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c +@@ -200,7 +200,7 @@ static void mlx5e_ethtool_get_speed_arr(struct mlx5_core_dev *mdev, + struct ptys2ethtool_config **arr, + u32 *size) + { +- bool ext = MLX5_CAP_PCAM_FEATURE(mdev, ptys_extended_ethernet); ++ bool ext = mlx5e_ptys_ext_supported(mdev); + + *arr = ext ? ptys2ext_ethtool_table : ptys2legacy_ethtool_table; + *size = ext ? ARRAY_SIZE(ptys2ext_ethtool_table) : +@@ -871,7 +871,7 @@ static void get_lp_advertising(struct mlx5_core_dev *mdev, u32 eth_proto_lp, + struct ethtool_link_ksettings *link_ksettings) + { + unsigned long *lp_advertising = link_ksettings->link_modes.lp_advertising; +- bool ext = MLX5_CAP_PCAM_FEATURE(mdev, ptys_extended_ethernet); ++ bool ext = mlx5e_ptys_ext_supported(mdev); + + ptys2ethtool_adver_link(lp_advertising, eth_proto_lp, ext); + } +@@ -900,7 +900,7 @@ int mlx5e_ethtool_get_link_ksettings(struct mlx5e_priv *priv, + __func__, err); + goto err_query_regs; + } +- ext = MLX5_CAP_PCAM_FEATURE(mdev, ptys_extended_ethernet); ++ ext = !!MLX5_GET_ETH_PROTO(ptys_reg, out, true, eth_proto_capability); + eth_proto_cap = MLX5_GET_ETH_PROTO(ptys_reg, out, ext, + eth_proto_capability); + eth_proto_admin = MLX5_GET_ETH_PROTO(ptys_reg, out, ext, +@@ -1052,7 +1052,7 @@ int mlx5e_ethtool_set_link_ksettings(struct mlx5e_priv *priv, + autoneg = link_ksettings->base.autoneg; + speed = link_ksettings->base.speed; + +- ext_supported = MLX5_CAP_PCAM_FEATURE(mdev, ptys_extended_ethernet); ++ ext_supported = mlx5e_ptys_ext_supported(mdev); + ext = ext_requested(autoneg, adver, ext_supported); + if (!ext_supported && ext) + return -EOPNOTSUPP; +-- +2.25.1 + diff --git a/queue-5.4/net-mvneta-fix-use-of-state-speed.patch b/queue-5.4/net-mvneta-fix-use-of-state-speed.patch new file mode 100644 index 00000000000..7e9791934b8 --- /dev/null +++ b/queue-5.4/net-mvneta-fix-use-of-state-speed.patch @@ -0,0 +1,41 @@ +From 65470ea7d6aa1d9f2a1fc31ae9da66c441c393d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Jun 2020 11:04:40 +0100 +Subject: net: mvneta: fix use of state->speed + +From: Russell King + +[ Upstream commit f2ca673d2cd5df9a76247b670e9ffd4d63682b3f ] + +When support for short preambles was added, it incorrectly keyed its +decision off state->speed instead of state->interface. state->speed +is not guaranteed to be correct for in-band modes, which can lead to +short preambles being unexpectedly disabled. + +Fix this by keying off the interface mode, which is the only way that +mvneta can operate at 2.5Gbps. + +Fixes: da58a931f248 ("net: mvneta: Add support for 2500Mbps SGMII") +Signed-off-by: Russell King +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/mvneta.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c +index 9799253948281..ffdb7b113f172 100644 +--- a/drivers/net/ethernet/marvell/mvneta.c ++++ b/drivers/net/ethernet/marvell/mvneta.c +@@ -3594,7 +3594,7 @@ static void mvneta_mac_config(struct phylink_config *config, unsigned int mode, + /* When at 2.5G, the link partner can send frames with shortened + * preambles. + */ +- if (state->speed == SPEED_2500) ++ if (state->interface == PHY_INTERFACE_MODE_2500BASEX) + new_ctrl4 |= MVNETA_GMAC4_SHORT_PREAMBLE_ENABLE; + + if (pp->phy_interface != state->interface) { +-- +2.25.1 + diff --git a/queue-5.4/netfilter-conntrack-refetch-conntrack-after-nf_connt.patch b/queue-5.4/netfilter-conntrack-refetch-conntrack-after-nf_connt.patch new file mode 100644 index 00000000000..5fd5ae173d1 --- /dev/null +++ b/queue-5.4/netfilter-conntrack-refetch-conntrack-after-nf_connt.patch @@ -0,0 +1,55 @@ +From 2b62181ade0918942d061e6fd6db0b7f4ed929ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Jul 2020 13:17:40 +0200 +Subject: netfilter: conntrack: refetch conntrack after nf_conntrack_update() + +From: Pablo Neira Ayuso + +[ Upstream commit d005fbb855d3b5660d62ee5a6bd2d99c13ff8cf3 ] + +__nf_conntrack_update() might refresh the conntrack object that is +attached to the skbuff. Otherwise, this triggers UAF. + +[ 633.200434] ================================================================== +[ 633.200472] BUG: KASAN: use-after-free in nf_conntrack_update+0x34e/0x770 [nf_conntrack] +[ 633.200478] Read of size 1 at addr ffff888370804c00 by task nfqnl_test/6769 + +[ 633.200487] CPU: 1 PID: 6769 Comm: nfqnl_test Not tainted 5.8.0-rc2+ #388 +[ 633.200490] Hardware name: LENOVO 23259H1/23259H1, BIOS G2ET32WW (1.12 ) 05/30/2012 +[ 633.200491] Call Trace: +[ 633.200499] dump_stack+0x7c/0xb0 +[ 633.200526] ? nf_conntrack_update+0x34e/0x770 [nf_conntrack] +[ 633.200532] print_address_description.constprop.6+0x1a/0x200 +[ 633.200539] ? _raw_write_lock_irqsave+0xc0/0xc0 +[ 633.200568] ? nf_conntrack_update+0x34e/0x770 [nf_conntrack] +[ 633.200594] ? nf_conntrack_update+0x34e/0x770 [nf_conntrack] +[ 633.200598] kasan_report.cold.9+0x1f/0x42 +[ 633.200604] ? call_rcu+0x2c0/0x390 +[ 633.200633] ? nf_conntrack_update+0x34e/0x770 [nf_conntrack] +[ 633.200659] nf_conntrack_update+0x34e/0x770 [nf_conntrack] +[ 633.200687] ? nf_conntrack_find_get+0x30/0x30 [nf_conntrack] + +Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1436 +Fixes: ee04805ff54a ("netfilter: conntrack: make conntrack userspace helpers work again") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_core.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c +index 48db4aec02dea..200cdad3ff3ab 100644 +--- a/net/netfilter/nf_conntrack_core.c ++++ b/net/netfilter/nf_conntrack_core.c +@@ -2012,6 +2012,8 @@ static int nf_conntrack_update(struct net *net, struct sk_buff *skb) + err = __nf_conntrack_update(net, skb, ct, ctinfo); + if (err < 0) + return err; ++ ++ ct = nf_ct_get(skb, &ctinfo); + } + + return nf_confirm_cthelper(skb, ct, ctinfo); +-- +2.25.1 + diff --git a/queue-5.4/netfilter-ipset-call-ip_set_free-instead-of-kfree.patch b/queue-5.4/netfilter-ipset-call-ip_set_free-instead-of-kfree.patch new file mode 100644 index 00000000000..b36477074b8 --- /dev/null +++ b/queue-5.4/netfilter-ipset-call-ip_set_free-instead-of-kfree.patch @@ -0,0 +1,134 @@ +From da2a16f86295dc24f69af2e439426ead5a463408 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Jun 2020 17:04:17 -0700 +Subject: netfilter: ipset: call ip_set_free() instead of kfree() + +From: Eric Dumazet + +[ Upstream commit c4e8fa9074ad94f80e5c0dcaa16b313e50e958c5 ] + +Whenever ip_set_alloc() is used, allocated memory can either +use kmalloc() or vmalloc(). We should call kvfree() or +ip_set_free() + +invalid opcode: 0000 [#1] PREEMPT SMP KASAN +CPU: 0 PID: 21935 Comm: syz-executor.3 Not tainted 5.8.0-rc2-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +RIP: 0010:__phys_addr+0xa7/0x110 arch/x86/mm/physaddr.c:28 +Code: 1d 7a 09 4c 89 e3 31 ff 48 d3 eb 48 89 de e8 d0 58 3f 00 48 85 db 75 0d e8 26 5c 3f 00 4c 89 e0 5b 5d 41 5c c3 e8 19 5c 3f 00 <0f> 0b e8 12 5c 3f 00 48 c7 c0 10 10 a8 89 48 ba 00 00 00 00 00 fc +RSP: 0000:ffffc900018572c0 EFLAGS: 00010046 +RAX: 0000000000040000 RBX: 0000000000000001 RCX: ffffc9000fac3000 +RDX: 0000000000040000 RSI: ffffffff8133f437 RDI: 0000000000000007 +RBP: ffffc90098aff000 R08: 0000000000000000 R09: ffff8880ae636cdb +R10: 0000000000000000 R11: 0000000000000000 R12: 0000408018aff000 +R13: 0000000000080000 R14: 000000000000001d R15: ffffc900018573d8 +FS: 00007fc540c66700(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007fc9dcd67200 CR3: 0000000059411000 CR4: 00000000001406f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + virt_to_head_page include/linux/mm.h:841 [inline] + virt_to_cache mm/slab.h:474 [inline] + kfree+0x77/0x2c0 mm/slab.c:3749 + hash_net_create+0xbb2/0xd70 net/netfilter/ipset/ip_set_hash_gen.h:1536 + ip_set_create+0x6a2/0x13c0 net/netfilter/ipset/ip_set_core.c:1128 + nfnetlink_rcv_msg+0xbe8/0xea0 net/netfilter/nfnetlink.c:230 + netlink_rcv_skb+0x15a/0x430 net/netlink/af_netlink.c:2469 + nfnetlink_rcv+0x1ac/0x420 net/netfilter/nfnetlink.c:564 + netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline] + netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1329 + netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1918 + sock_sendmsg_nosec net/socket.c:652 [inline] + sock_sendmsg+0xcf/0x120 net/socket.c:672 + ____sys_sendmsg+0x6e8/0x810 net/socket.c:2352 + ___sys_sendmsg+0xf3/0x170 net/socket.c:2406 + __sys_sendmsg+0xe5/0x1b0 net/socket.c:2439 + do_syscall_64+0x60/0xe0 arch/x86/entry/common.c:359 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 +RIP: 0033:0x45cb19 +Code: Bad RIP value. +RSP: 002b:00007fc540c65c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e +RAX: ffffffffffffffda RBX: 00000000004fed80 RCX: 000000000045cb19 +RDX: 0000000000000000 RSI: 0000000020001080 RDI: 0000000000000003 +RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff +R13: 000000000000095e R14: 00000000004cc295 R15: 00007fc540c666d4 + +Fixes: f66ee0410b1c ("netfilter: ipset: Fix "INFO: rcu detected stall in hash_xxx" reports") +Fixes: 03c8b234e61a ("netfilter: ipset: Generalize extensions support") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/ipset/ip_set_bitmap_ip.c | 2 +- + net/netfilter/ipset/ip_set_bitmap_ipmac.c | 2 +- + net/netfilter/ipset/ip_set_bitmap_port.c | 2 +- + net/netfilter/ipset/ip_set_hash_gen.h | 4 ++-- + 4 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/net/netfilter/ipset/ip_set_bitmap_ip.c b/net/netfilter/ipset/ip_set_bitmap_ip.c +index d934384f31ad6..6e3cf4d19ce88 100644 +--- a/net/netfilter/ipset/ip_set_bitmap_ip.c ++++ b/net/netfilter/ipset/ip_set_bitmap_ip.c +@@ -314,7 +314,7 @@ bitmap_ip_create(struct net *net, struct ip_set *set, struct nlattr *tb[], + set->variant = &bitmap_ip; + if (!init_map_ip(set, map, first_ip, last_ip, + elements, hosts, netmask)) { +- kfree(map); ++ ip_set_free(map); + return -ENOMEM; + } + if (tb[IPSET_ATTR_TIMEOUT]) { +diff --git a/net/netfilter/ipset/ip_set_bitmap_ipmac.c b/net/netfilter/ipset/ip_set_bitmap_ipmac.c +index e8532783b43aa..ae7cdc0d0f29a 100644 +--- a/net/netfilter/ipset/ip_set_bitmap_ipmac.c ++++ b/net/netfilter/ipset/ip_set_bitmap_ipmac.c +@@ -363,7 +363,7 @@ bitmap_ipmac_create(struct net *net, struct ip_set *set, struct nlattr *tb[], + map->memsize = BITS_TO_LONGS(elements) * sizeof(unsigned long); + set->variant = &bitmap_ipmac; + if (!init_map_ipmac(set, map, first_ip, last_ip, elements)) { +- kfree(map); ++ ip_set_free(map); + return -ENOMEM; + } + if (tb[IPSET_ATTR_TIMEOUT]) { +diff --git a/net/netfilter/ipset/ip_set_bitmap_port.c b/net/netfilter/ipset/ip_set_bitmap_port.c +index e3ac914fff1a5..d4a14750f5c42 100644 +--- a/net/netfilter/ipset/ip_set_bitmap_port.c ++++ b/net/netfilter/ipset/ip_set_bitmap_port.c +@@ -247,7 +247,7 @@ bitmap_port_create(struct net *net, struct ip_set *set, struct nlattr *tb[], + map->memsize = BITS_TO_LONGS(elements) * sizeof(unsigned long); + set->variant = &bitmap_port; + if (!init_map_port(set, map, first_port, last_port)) { +- kfree(map); ++ ip_set_free(map); + return -ENOMEM; + } + if (tb[IPSET_ATTR_TIMEOUT]) { +diff --git a/net/netfilter/ipset/ip_set_hash_gen.h b/net/netfilter/ipset/ip_set_hash_gen.h +index 2389c9f89e481..a7a982a3e6761 100644 +--- a/net/netfilter/ipset/ip_set_hash_gen.h ++++ b/net/netfilter/ipset/ip_set_hash_gen.h +@@ -682,7 +682,7 @@ mtype_resize(struct ip_set *set, bool retried) + } + t->hregion = ip_set_alloc(ahash_sizeof_regions(htable_bits)); + if (!t->hregion) { +- kfree(t); ++ ip_set_free(t); + ret = -ENOMEM; + goto out; + } +@@ -1533,7 +1533,7 @@ IPSET_TOKEN(HTYPE, _create)(struct net *net, struct ip_set *set, + } + t->hregion = ip_set_alloc(ahash_sizeof_regions(hbits)); + if (!t->hregion) { +- kfree(t); ++ ip_set_free(t); + kfree(h); + return -ENOMEM; + } +-- +2.25.1 + diff --git a/queue-5.4/nl80211-don-t-return-err-unconditionally-in-nl80211_.patch b/queue-5.4/nl80211-don-t-return-err-unconditionally-in-nl80211_.patch new file mode 100644 index 00000000000..01409952b70 --- /dev/null +++ b/queue-5.4/nl80211-don-t-return-err-unconditionally-in-nl80211_.patch @@ -0,0 +1,41 @@ +From d93cd81f6fbe38c48be355c0cc0d390af4c38f20 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Jun 2020 12:49:39 +0300 +Subject: nl80211: don't return err unconditionally in nl80211_start_ap() + +From: Luca Coelho + +[ Upstream commit bc7a39b4272b9672d806d422b6850e8c1a09914c ] + +When a memory leak was fixed, a return err was changed to goto err, +but, accidentally, the if (err) was removed, so now we always exit at +this point. + +Fix it by adding if (err) back. + +Fixes: 9951ebfcdf2b ("nl80211: fix potential leak in AP start") +Signed-off-by: Luca Coelho +Link: https://lore.kernel.org/r/iwlwifi.20200626124931.871ba5b31eee.I97340172d92164ee92f3c803fe20a8a6e97714e1@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/nl80211.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c +index b65180e874fb9..a34bbca80f498 100644 +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -4798,7 +4798,8 @@ static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info) + err = nl80211_parse_he_obss_pd( + info->attrs[NL80211_ATTR_HE_OBSS_PD], + ¶ms.he_obss_pd); +- goto out; ++ if (err) ++ goto out; + } + + nl80211_calculate_ap_params(¶ms); +-- +2.25.1 + diff --git a/queue-5.4/perf-intel-pt-fix-pebs-sample-for-xmm-registers.patch b/queue-5.4/perf-intel-pt-fix-pebs-sample-for-xmm-registers.patch new file mode 100644 index 00000000000..682651929d3 --- /dev/null +++ b/queue-5.4/perf-intel-pt-fix-pebs-sample-for-xmm-registers.patch @@ -0,0 +1,49 @@ +From 3f152efcfda2d822e6ff44bb78ce53644798db7f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Jun 2020 16:39:35 +0300 +Subject: perf intel-pt: Fix PEBS sample for XMM registers + +From: Adrian Hunter + +[ Upstream commit 4c95ad261cfac120dd66238fcae222766754c219 ] + +The condition to add XMM registers was missing, the regs array needed to +be in the outer scope, and the size of the regs array was too small. + +Fixes: 143d34a6b387b ("perf intel-pt: Add XMM registers to synthesized PEBS sample") +Signed-off-by: Adrian Hunter +Cc: Jiri Olsa +Cc: Luwei Kang +Link: http://lore.kernel.org/lkml/20200630133935.11150-4-adrian.hunter@intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/intel-pt.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/tools/perf/util/intel-pt.c b/tools/perf/util/intel-pt.c +index a1c9eb6d4f40d..c5cce3a60476b 100644 +--- a/tools/perf/util/intel-pt.c ++++ b/tools/perf/util/intel-pt.c +@@ -1707,6 +1707,7 @@ static int intel_pt_synth_pebs_sample(struct intel_pt_queue *ptq) + u64 sample_type = evsel->core.attr.sample_type; + u64 id = evsel->core.id[0]; + u8 cpumode; ++ u64 regs[8 * sizeof(sample.intr_regs.mask)]; + + if (intel_pt_skip_event(pt)) + return 0; +@@ -1756,8 +1757,8 @@ static int intel_pt_synth_pebs_sample(struct intel_pt_queue *ptq) + } + + if (sample_type & PERF_SAMPLE_REGS_INTR && +- items->mask[INTEL_PT_GP_REGS_POS]) { +- u64 regs[sizeof(sample.intr_regs.mask)]; ++ (items->mask[INTEL_PT_GP_REGS_POS] || ++ items->mask[INTEL_PT_XMM_POS])) { + u64 regs_mask = evsel->core.attr.sample_regs_intr; + u64 *pos; + +-- +2.25.1 + diff --git a/queue-5.4/perf-intel-pt-fix-recording-pebs-via-pt-with-registe.patch b/queue-5.4/perf-intel-pt-fix-recording-pebs-via-pt-with-registe.patch new file mode 100644 index 00000000000..21e39121312 --- /dev/null +++ b/queue-5.4/perf-intel-pt-fix-recording-pebs-via-pt-with-registe.patch @@ -0,0 +1,69 @@ +From 9897085e038de72c48a3f39318eaabb757bfc641 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Jun 2020 16:39:33 +0300 +Subject: perf intel-pt: Fix recording PEBS-via-PT with registers + +From: Adrian Hunter + +[ Upstream commit 75bcb8776dc987538f267ba4ba05ca43fc2b1676 ] + +When recording PEBS-via-PT, the kernel will not accept the intel_pt +event with register sampling e.g. + + # perf record --kcore -c 10000 -e '{intel_pt/branch=0/,branch-loads/aux-output/ppp}' -I -- ls -l + Error: + intel_pt/branch=0/: PMU Hardware doesn't support sampling/overflow-interrupts. Try 'perf stat' + +Fix by suppressing register sampling on the intel_pt evsel. + +Committer notes: + +Adrian informed that this is only available from Tremont onwards, so on +older processors the error continues the same as before. + +Fixes: 9e64cefe4335b ("perf intel-pt: Process options for PEBS event synthesis") +Signed-off-by: Adrian Hunter +Cc: Jiri Olsa +Cc: Luwei Kang +Link: http://lore.kernel.org/lkml/20200630133935.11150-2-adrian.hunter@intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/arch/x86/util/intel-pt.c | 1 + + tools/perf/util/evsel.c | 4 ++-- + 2 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/tools/perf/arch/x86/util/intel-pt.c b/tools/perf/arch/x86/util/intel-pt.c +index d43f9dec69980..e768c02ef2ab9 100644 +--- a/tools/perf/arch/x86/util/intel-pt.c ++++ b/tools/perf/arch/x86/util/intel-pt.c +@@ -596,6 +596,7 @@ static int intel_pt_recording_options(struct auxtrace_record *itr, + } + evsel->core.attr.freq = 0; + evsel->core.attr.sample_period = 1; ++ evsel->no_aux_samples = true; + intel_pt_evsel = evsel; + opts->full_auxtrace = true; + } +diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c +index abc7fda4a0fe1..a844715a352d8 100644 +--- a/tools/perf/util/evsel.c ++++ b/tools/perf/util/evsel.c +@@ -1028,12 +1028,12 @@ void perf_evsel__config(struct evsel *evsel, struct record_opts *opts, + if (callchain && callchain->enabled && !evsel->no_aux_samples) + perf_evsel__config_callchain(evsel, opts, callchain); + +- if (opts->sample_intr_regs) { ++ if (opts->sample_intr_regs && !evsel->no_aux_samples) { + attr->sample_regs_intr = opts->sample_intr_regs; + perf_evsel__set_sample_bit(evsel, REGS_INTR); + } + +- if (opts->sample_user_regs) { ++ if (opts->sample_user_regs && !evsel->no_aux_samples) { + attr->sample_regs_user |= opts->sample_user_regs; + perf_evsel__set_sample_bit(evsel, REGS_USER); + } +-- +2.25.1 + diff --git a/queue-5.4/perf-report-tui-fix-segmentation-fault-in-perf_evsel.patch b/queue-5.4/perf-report-tui-fix-segmentation-fault-in-perf_evsel.patch new file mode 100644 index 00000000000..4946c89d467 --- /dev/null +++ b/queue-5.4/perf-report-tui-fix-segmentation-fault-in-perf_evsel.patch @@ -0,0 +1,84 @@ +From d3da71065dd81f9169074f2347ab99266d8cc0f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Jun 2020 17:43:22 +0800 +Subject: perf report TUI: Fix segmentation fault in perf_evsel__hists_browse() + +From: Wei Li + +[ Upstream commit d61cbb859b45fdb6b4997f2d51834fae41af0e94 ] + +The segmentation fault can be reproduced as following steps: + +1) Executing perf report in tui. + +2) Typing '/xxxxx' to filter the symbol to get nothing matched. + +3) Pressing enter with no entry selected. + +Then it will report a segmentation fault. + +It is caused by the lack of check of browser->he_selection when +accessing it's member res_samples in perf_evsel__hists_browse(). + +These processes are meaningful for specified samples, so we can skip +these when nothing is selected. + +Fixes: 4968ac8fb7c3 ("perf report: Implement browsing of individual samples") +Signed-off-by: Wei Li +Acked-by: Jiri Olsa +Acked-by: Namhyung Kim +Tested-by: Arnaldo Carvalho de Melo +Cc: Alexander Shishkin +Cc: Andi Kleen +Cc: Hanjun Guo +Cc: Jin Yao +Cc: Mark Rutland +Link: http://lore.kernel.org/lkml/20200612094322.39565-1-liwei391@huawei.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/ui/browsers/hists.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +diff --git a/tools/perf/ui/browsers/hists.c b/tools/perf/ui/browsers/hists.c +index 88c3df24b748c..514cef3a17b40 100644 +--- a/tools/perf/ui/browsers/hists.c ++++ b/tools/perf/ui/browsers/hists.c +@@ -2224,6 +2224,11 @@ static struct thread *hist_browser__selected_thread(struct hist_browser *browser + return browser->he_selection->thread; + } + ++static struct res_sample *hist_browser__selected_res_sample(struct hist_browser *browser) ++{ ++ return browser->he_selection ? browser->he_selection->res_samples : NULL; ++} ++ + /* Check whether the browser is for 'top' or 'report' */ + static inline bool is_report_browser(void *timer) + { +@@ -3170,16 +3175,16 @@ static int perf_evsel__hists_browse(struct evsel *evsel, int nr_events, + &options[nr_options], NULL, NULL, evsel); + nr_options += add_res_sample_opt(browser, &actions[nr_options], + &options[nr_options], +- hist_browser__selected_entry(browser)->res_samples, +- evsel, A_NORMAL); ++ hist_browser__selected_res_sample(browser), ++ evsel, A_NORMAL); + nr_options += add_res_sample_opt(browser, &actions[nr_options], + &options[nr_options], +- hist_browser__selected_entry(browser)->res_samples, +- evsel, A_ASM); ++ hist_browser__selected_res_sample(browser), ++ evsel, A_ASM); + nr_options += add_res_sample_opt(browser, &actions[nr_options], + &options[nr_options], +- hist_browser__selected_entry(browser)->res_samples, +- evsel, A_SOURCE); ++ hist_browser__selected_res_sample(browser), ++ evsel, A_SOURCE); + nr_options += add_switch_opt(browser, &actions[nr_options], + &options[nr_options]); + skip_scripting: +-- +2.25.1 + diff --git a/queue-5.4/qed-populate-nvm-file-attributes-while-reading-nvm-c.patch b/queue-5.4/qed-populate-nvm-file-attributes-while-reading-nvm-c.patch new file mode 100644 index 00000000000..b0539d662f7 --- /dev/null +++ b/queue-5.4/qed-populate-nvm-file-attributes-while-reading-nvm-c.patch @@ -0,0 +1,129 @@ +From 53f37023c26c9e451cdf18ade628817eca47a6ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Jul 2020 20:14:29 -0700 +Subject: qed: Populate nvm-file attributes while reading nvm config partition. + +From: Sudarsana Reddy Kalluru + +[ Upstream commit 13cf8aab7425a253070433b5a55b4209ceac8b19 ] + +NVM config file address will be modified when the MBI image is upgraded. +Driver would return stale config values if user reads the nvm-config +(via ethtool -d) in this state. The fix is to re-populate nvm attribute +info while reading the nvm config values/partition. + +Changes from previous version: +------------------------------- +v3: Corrected the formatting in 'Fixes' tag. +v2: Added 'Fixes' tag. + +Fixes: 1ac4329a1cff ("qed: Add configuration information to register dump and debug data") +Signed-off-by: Sudarsana Reddy Kalluru +Signed-off-by: Igor Russkikh +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qed/qed_debug.c | 4 ++++ + drivers/net/ethernet/qlogic/qed/qed_dev.c | 12 +++--------- + drivers/net/ethernet/qlogic/qed/qed_mcp.c | 7 +++++++ + drivers/net/ethernet/qlogic/qed/qed_mcp.h | 7 +++++++ + 4 files changed, 21 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/ethernet/qlogic/qed/qed_debug.c b/drivers/net/ethernet/qlogic/qed/qed_debug.c +index 859caa6c1a1fb..8e7be214f9598 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_debug.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_debug.c +@@ -8197,6 +8197,10 @@ int qed_dbg_all_data(struct qed_dev *cdev, void *buffer) + DP_ERR(cdev, "qed_dbg_mcp_trace failed. rc = %d\n", rc); + } + ++ /* Re-populate nvm attribute info */ ++ qed_mcp_nvm_info_free(p_hwfn); ++ qed_mcp_nvm_info_populate(p_hwfn); ++ + /* nvm cfg1 */ + rc = qed_dbg_nvm_image(cdev, + (u8 *)buffer + offset + REGDUMP_HEADER_SIZE, +diff --git a/drivers/net/ethernet/qlogic/qed/qed_dev.c b/drivers/net/ethernet/qlogic/qed/qed_dev.c +index ecd14474a6031..638047b937c65 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_dev.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_dev.c +@@ -4423,12 +4423,6 @@ static int qed_get_dev_info(struct qed_hwfn *p_hwfn, struct qed_ptt *p_ptt) + return 0; + } + +-static void qed_nvm_info_free(struct qed_hwfn *p_hwfn) +-{ +- kfree(p_hwfn->nvm_info.image_att); +- p_hwfn->nvm_info.image_att = NULL; +-} +- + static int qed_hw_prepare_single(struct qed_hwfn *p_hwfn, + void __iomem *p_regview, + void __iomem *p_doorbells, +@@ -4513,7 +4507,7 @@ static int qed_hw_prepare_single(struct qed_hwfn *p_hwfn, + return rc; + err3: + if (IS_LEAD_HWFN(p_hwfn)) +- qed_nvm_info_free(p_hwfn); ++ qed_mcp_nvm_info_free(p_hwfn); + err2: + if (IS_LEAD_HWFN(p_hwfn)) + qed_iov_free_hw_info(p_hwfn->cdev); +@@ -4574,7 +4568,7 @@ int qed_hw_prepare(struct qed_dev *cdev, + if (rc) { + if (IS_PF(cdev)) { + qed_init_free(p_hwfn); +- qed_nvm_info_free(p_hwfn); ++ qed_mcp_nvm_info_free(p_hwfn); + qed_mcp_free(p_hwfn); + qed_hw_hwfn_free(p_hwfn); + } +@@ -4608,7 +4602,7 @@ void qed_hw_remove(struct qed_dev *cdev) + + qed_iov_free_hw_info(cdev); + +- qed_nvm_info_free(p_hwfn); ++ qed_mcp_nvm_info_free(p_hwfn); + } + + static void qed_chain_free_next_ptr(struct qed_dev *cdev, +diff --git a/drivers/net/ethernet/qlogic/qed/qed_mcp.c b/drivers/net/ethernet/qlogic/qed/qed_mcp.c +index 36ddb89856a86..9401b49275f0a 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_mcp.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_mcp.c +@@ -3149,6 +3149,13 @@ int qed_mcp_nvm_info_populate(struct qed_hwfn *p_hwfn) + return rc; + } + ++void qed_mcp_nvm_info_free(struct qed_hwfn *p_hwfn) ++{ ++ kfree(p_hwfn->nvm_info.image_att); ++ p_hwfn->nvm_info.image_att = NULL; ++ p_hwfn->nvm_info.valid = false; ++} ++ + int + qed_mcp_get_nvm_image_att(struct qed_hwfn *p_hwfn, + enum qed_nvm_images image_id, +diff --git a/drivers/net/ethernet/qlogic/qed/qed_mcp.h b/drivers/net/ethernet/qlogic/qed/qed_mcp.h +index 9c4c2763de8d7..e38297383b007 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_mcp.h ++++ b/drivers/net/ethernet/qlogic/qed/qed_mcp.h +@@ -1192,6 +1192,13 @@ void qed_mcp_read_ufp_config(struct qed_hwfn *p_hwfn, struct qed_ptt *p_ptt); + */ + int qed_mcp_nvm_info_populate(struct qed_hwfn *p_hwfn); + ++/** ++ * @brief Delete nvm info shadow in the given hardware function ++ * ++ * @param p_hwfn ++ */ ++void qed_mcp_nvm_info_free(struct qed_hwfn *p_hwfn); ++ + /** + * @brief Get the engine affinity configuration. + * +-- +2.25.1 + diff --git a/queue-5.4/rdma-siw-fix-reporting-vendor_part_id.patch b/queue-5.4/rdma-siw-fix-reporting-vendor_part_id.patch new file mode 100644 index 00000000000..e9ccf755f83 --- /dev/null +++ b/queue-5.4/rdma-siw-fix-reporting-vendor_part_id.patch @@ -0,0 +1,46 @@ +From cec8c02e6dac9acc156283a2aae48b36781e829f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Jul 2020 16:09:31 +0300 +Subject: RDMA/siw: Fix reporting vendor_part_id + +From: Kamal Heib + +[ Upstream commit 04340645f69ab7abb6f9052688a60f0213b3f79c ] + +Move the initialization of the vendor_part_id to be before calling +ib_register_device(), this is needed because the query_device() callback +is called from the context of ib_register_device() before initializing the +vendor_part_id, so the reported value is wrong. + +Fixes: bdcf26bf9b3a ("rdma/siw: network and RDMA core interface") +Link: https://lore.kernel.org/r/20200707130931.444724-1-kamalheib1@gmail.com +Signed-off-by: Kamal Heib +Reviewed-by: Bernard Metzler +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/sw/siw/siw_main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/sw/siw/siw_main.c b/drivers/infiniband/sw/siw/siw_main.c +index 130b1e31b9780..fb66d67572787 100644 +--- a/drivers/infiniband/sw/siw/siw_main.c ++++ b/drivers/infiniband/sw/siw/siw_main.c +@@ -66,12 +66,13 @@ static int siw_device_register(struct siw_device *sdev, const char *name) + static int dev_id = 1; + int rv; + ++ sdev->vendor_part_id = dev_id++; ++ + rv = ib_register_device(base_dev, name); + if (rv) { + pr_warn("siw: device registration error %d\n", rv); + return rv; + } +- sdev->vendor_part_id = dev_id++; + + siw_dbg(base_dev, "HWaddr=%pM\n", sdev->netdev->dev_addr); + +-- +2.25.1 + diff --git a/queue-5.4/series b/queue-5.4/series index 42f45f94b4f..7e432ba88bd 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -32,3 +32,37 @@ block-release-bip-in-a-right-way-in-error-path.patch nvme-rdma-assign-completion-vector-correctly.patch x86-entry-increase-entry_stack-size-to-a-full-page.patch sched-core-check-cpus_mask-not-cpus_ptr-in-__set_cpu.patch +gpio-pca953x-override-irq-for-one-of-the-expanders-o.patch +gpio-pca953x-fix-gpio-resource-leak-on-intel-galileo.patch +nl80211-don-t-return-err-unconditionally-in-nl80211_.patch +drm-mediatek-check-plane-visibility-in-atomic_update.patch +bpf-sockmap-rcu-splat-with-redirect-and-strparser-er.patch +bpf-sockmap-rcu-dereferenced-psock-may-be-used-outsi.patch +netfilter-ipset-call-ip_set_free-instead-of-kfree.patch +net-mvneta-fix-use-of-state-speed.patch +net-cxgb4-fix-return-error-value-in-t4_prep_fw.patch +ib-sa-resolv-use-after-free-in-ib_nl_make_request.patch +net-dsa-microchip-set-the-correct-number-of-ports.patch +netfilter-conntrack-refetch-conntrack-after-nf_connt.patch +perf-report-tui-fix-segmentation-fault-in-perf_evsel.patch +perf-intel-pt-fix-recording-pebs-via-pt-with-registe.patch +perf-intel-pt-fix-pebs-sample-for-xmm-registers.patch +smsc95xx-check-return-value-of-smsc95xx_reset.patch +smsc95xx-avoid-memory-leak-in-smsc95xx_bind.patch +net-hns3-add-a-missing-uninit-debugfs-when-unload-dr.patch +net-hns3-fix-use-after-free-when-doing-self-test.patch +alsa-compress-fix-partial_drain-completion-state.patch +rdma-siw-fix-reporting-vendor_part_id.patch +arm64-kgdb-fix-single-step-exception-handling-oops.patch +nbd-fix-memory-leak-in-nbd_add_socket.patch +cxgb4-fix-all-mask-ip-address-comparison.patch +ib-mlx5-fix-50g-per-lane-indication.patch +qed-populate-nvm-file-attributes-while-reading-nvm-c.patch +net-mlx5-fix-eeprom-support-for-sfp-module.patch +net-mlx5e-fix-50g-per-lane-indication.patch +bnxt_en-fix-null-dereference-in-case-sr-iov-configur.patch +net-macb-fix-wakeup-test-in-runtime-suspend-resume-r.patch +net-macb-mark-device-wake-capable-when-magic-packet-.patch +net-macb-fix-call-to-pm_runtime-in-the-suspend-resum.patch +mlxsw-spectrum_router-remove-inappropriate-usage-of-.patch +mlxsw-pci-fix-use-after-free-in-case-of-failed-devli.patch diff --git a/queue-5.4/smsc95xx-avoid-memory-leak-in-smsc95xx_bind.patch b/queue-5.4/smsc95xx-avoid-memory-leak-in-smsc95xx_bind.patch new file mode 100644 index 00000000000..3581e1fb338 --- /dev/null +++ b/queue-5.4/smsc95xx-avoid-memory-leak-in-smsc95xx_bind.patch @@ -0,0 +1,39 @@ +From 36e4709154c704cd9677d6586ef216d72c28d566 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Jul 2020 10:39:35 +0200 +Subject: smsc95xx: avoid memory leak in smsc95xx_bind + +From: Andre Edich + +[ Upstream commit 3ed58f96a70b85ef646d5427258f677f1395b62f ] + +In a case where the ID_REV register read is failed, the memory for a +private data structure has to be freed before returning error from the +function smsc95xx_bind. + +Fixes: bbd9f9ee69242 ("smsc95xx: add wol support for more frame types") +Signed-off-by: Andre Edich +Signed-off-by: Parthiban Veerasooran +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/smsc95xx.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/usb/smsc95xx.c b/drivers/net/usb/smsc95xx.c +index eb404bb74e18e..bb4ccbda031ab 100644 +--- a/drivers/net/usb/smsc95xx.c ++++ b/drivers/net/usb/smsc95xx.c +@@ -1293,7 +1293,8 @@ static int smsc95xx_bind(struct usbnet *dev, struct usb_interface *intf) + /* detect device revision as different features may be available */ + ret = smsc95xx_read_reg(dev, ID_REV, &val); + if (ret < 0) +- return ret; ++ goto free_pdata; ++ + val >>= 16; + pdata->chip_id = val; + pdata->mdix_ctrl = get_mdix_status(dev->net); +-- +2.25.1 + diff --git a/queue-5.4/smsc95xx-check-return-value-of-smsc95xx_reset.patch b/queue-5.4/smsc95xx-check-return-value-of-smsc95xx_reset.patch new file mode 100644 index 00000000000..a5a0a893273 --- /dev/null +++ b/queue-5.4/smsc95xx-check-return-value-of-smsc95xx_reset.patch @@ -0,0 +1,48 @@ +From 3ccb972cdbcd05d2c33034253285da10d68afb73 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Jul 2020 10:39:34 +0200 +Subject: smsc95xx: check return value of smsc95xx_reset + +From: Andre Edich + +[ Upstream commit 7c8b1e855f94f88a0c569be6309fc8d5c8844cd1 ] + +The return value of the function smsc95xx_reset() must be checked +to avoid returning false success from the function smsc95xx_bind(). + +Fixes: 2f7ca802bdae2 ("net: Add SMSC LAN9500 USB2.0 10/100 ethernet adapter driver") +Signed-off-by: Andre Edich +Signed-off-by: Parthiban Veerasooran +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/smsc95xx.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/usb/smsc95xx.c b/drivers/net/usb/smsc95xx.c +index 3cf4dc3433f91..eb404bb74e18e 100644 +--- a/drivers/net/usb/smsc95xx.c ++++ b/drivers/net/usb/smsc95xx.c +@@ -1287,6 +1287,8 @@ static int smsc95xx_bind(struct usbnet *dev, struct usb_interface *intf) + + /* Init all registers */ + ret = smsc95xx_reset(dev); ++ if (ret) ++ goto free_pdata; + + /* detect device revision as different features may be available */ + ret = smsc95xx_read_reg(dev, ID_REV, &val); +@@ -1317,6 +1319,10 @@ static int smsc95xx_bind(struct usbnet *dev, struct usb_interface *intf) + schedule_delayed_work(&pdata->carrier_check, CARRIER_CHECK_DELAY); + + return 0; ++ ++free_pdata: ++ kfree(pdata); ++ return ret; + } + + static void smsc95xx_unbind(struct usbnet *dev, struct usb_interface *intf) +-- +2.25.1 +