From: Greg Kroah-Hartman Date: Sat, 7 Nov 2020 10:45:43 +0000 (+0100) Subject: 5.9-stable patches X-Git-Tag: v4.4.242~48 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=4cd322c1962fe100ef3b6bb2e4753f5a0a49163d;p=thirdparty%2Fkernel%2Fstable-queue.git 5.9-stable patches added patches: cadence-force-nonlinear-buffers-to-be-cloned.patch chelsio-chtls-fix-always-leaking-ctrl_skb.patch chelsio-chtls-fix-memory-leaks-caused-by-a-race.patch dpaa_eth-fix-the-rx-headroom-size-alignment.patch dpaa_eth-update-the-buffer-layout-for-non-a050385-erratum-scenarios.patch gianfar-account-for-tx-ptp-timestamp-in-the-skb-headroom.patch gianfar-replace-skb_realloc_headroom-with-skb_cow_head-for-ptp.patch ionic-check-port-ptr-before-use.patch ip6_tunnel-set-inner-ipproto-before-ip6_tnl_encap.patch ip_tunnel-fix-over-mtu-packet-send-fail-without-tunnel_dont_fragment-flags.patch mptcp-token-fix-unititialized-variable.patch net-dsa-qca8k-fix-port-mtu-setting.patch net-ethernet-ti-cpsw-disable-ptpv1-hw-timestamping-advertisement.patch net-fec-fix-mdio-probing-for-some-fec-hardware-blocks.patch net-openvswitch-silence-suspicious-rcu-usage-warning.patch net-usb-qmi_wwan-add-telit-le910cx-0x1230-composition.patch powerpc-vnic-extend-failover-pending-window.patch r8169-work-around-short-packet-hw-bug-on-rtl8125.patch sctp-fix-comm_lost-cant_str_assoc-err-reporting-on-big-endian-platforms.patch sfp-fix-error-handing-in-sfp_probe.patch --- diff --git a/queue-5.9/cadence-force-nonlinear-buffers-to-be-cloned.patch b/queue-5.9/cadence-force-nonlinear-buffers-to-be-cloned.patch new file mode 100644 index 00000000000..4c21ff62e03 --- /dev/null +++ b/queue-5.9/cadence-force-nonlinear-buffers-to-be-cloned.patch @@ -0,0 +1,94 @@ +From foo@baz Sat Nov 7 11:45:25 AM CET 2020 +From: Mark Deneen +Date: Fri, 30 Oct 2020 15:58:14 +0000 +Subject: [PATCH stable 5.9 01/20] cadence: force nonlinear buffers to be cloned + +From: Mark Deneen + +[ Upstream commit 403dc16796f5516acf23d94a1cd9eba564d03210 ] + +In my test setup, I had a SAMA5D27 device configured with ip forwarding, and +second device with usb ethernet (r8152) sending ICMP packets.  If the packet +was larger than about 220 bytes, the SAMA5 device would "oops" with the +following trace: + +kernel BUG at net/core/skbuff.c:1863! +Internal error: Oops - BUG: 0 [#1] ARM +Modules linked in: xt_MASQUERADE ppp_async ppp_generic slhc iptable_nat xt_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 can_raw can bridge stp llc ipt_REJECT nf_reject_ipv4 sd_mod cdc_ether usbnet usb_storage r8152 scsi_mod mii o +ption usb_wwan usbserial micrel macb at91_sama5d2_adc phylink gpio_sama5d2_piobu m_can_platform m_can industrialio_triggered_buffer kfifo_buf of_mdio can_dev fixed_phy sdhci_of_at91 sdhci_pltfm libphy sdhci mmc_core ohci_at91 ehci_atmel o +hci_hcd iio_rescale industrialio sch_fq_codel spidev prox2_hal(O) +CPU: 0 PID: 0 Comm: swapper Tainted: G           O      5.9.1-prox2+ #1 +Hardware name: Atmel SAMA5 +PC is at skb_put+0x3c/0x50 +LR is at macb_start_xmit+0x134/0xad0 [macb] +pc : []    lr : []    psr: 20070113 +sp : c0d01a60  ip : c07232c0  fp : c4250000 +r10: c0d03cc8  r9 : 00000000  r8 : c0d038c0 +r7 : 00000000  r6 : 00000008  r5 : c59b66c0  r4 : 0000002a +r3 : 8f659eff  r2 : c59e9eea  r1 : 00000001  r0 : c59b66c0 +Flags: nzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none +Control: 10c53c7d  Table: 2640c059  DAC: 00000051 +Process swapper (pid: 0, stack limit = 0x75002d81) + + + +[] (skb_put) from [] (macb_start_xmit+0x134/0xad0 [macb]) +[] (macb_start_xmit [macb]) from [] (dev_hard_start_xmit+0x90/0x11c) +[] (dev_hard_start_xmit) from [] (sch_direct_xmit+0x124/0x260) +[] (sch_direct_xmit) from [] (__dev_queue_xmit+0x4b0/0x6d0) +[] (__dev_queue_xmit) from [] (ip_finish_output2+0x350/0x580) +[] (ip_finish_output2) from [] (ip_output+0xb4/0x13c) +[] (ip_output) from [] (ip_forward+0x474/0x500) +[] (ip_forward) from [] (ip_sublist_rcv_finish+0x3c/0x50) +[] (ip_sublist_rcv_finish) from [] (ip_sublist_rcv+0x11c/0x188) +[] (ip_sublist_rcv) from [] (ip_list_rcv+0xf8/0x124) +[] (ip_list_rcv) from [] (__netif_receive_skb_list_core+0x1a0/0x20c) +[] (__netif_receive_skb_list_core) from [] (netif_receive_skb_list_internal+0x194/0x230) +[] (netif_receive_skb_list_internal) from [] (gro_normal_list.part.0+0x14/0x28) +[] (gro_normal_list.part.0) from [] (napi_complete_done+0x16c/0x210) +[] (napi_complete_done) from [] (r8152_poll+0x684/0x708 [r8152]) +[] (r8152_poll [r8152]) from [] (net_rx_action+0x100/0x328) +[] (net_rx_action) from [] (__do_softirq+0xec/0x274) +[] (__do_softirq) from [] (irq_exit+0xcc/0xd0) +[] (irq_exit) from [] (__handle_domain_irq+0x58/0xa4) +[] (__handle_domain_irq) from [] (__irq_svc+0x6c/0x90) +Exception stack(0xc0d01ef0 to 0xc0d01f38) +1ee0:                                     00000000 0000003d 0c31f383 c0d0fa00 +1f00: c0d2eb80 00000000 c0d2e630 4dad8c49 4da967b0 0000003d 0000003d 00000000 +1f20: fffffff5 c0d01f40 c04e0f88 c04e0f8c 30070013 ffffffff +[] (__irq_svc) from [] (cpuidle_enter_state+0x7c/0x378) +[] (cpuidle_enter_state) from [] (cpuidle_enter+0x28/0x38) +[] (cpuidle_enter) from [] (do_idle+0x194/0x214) +[] (do_idle) from [] (cpu_startup_entry+0xc/0x14) +[] (cpu_startup_entry) from [] (start_kernel+0x46c/0x4a0) +Code: e580c054 8a000002 e1a00002 e8bd8070 (e7f001f2) +---[ end trace 146c8a334115490c ]--- + +The solution was to force nonlinear buffers to be cloned.  This was previously +reported by Klaus Doth (https://www.spinics.net/lists/netdev/msg556937.html) +but never formally submitted as a patch. + +This is the third revision, hopefully the formatting is correct this time! + +Suggested-by: Klaus Doth +Fixes: 653e92a9175e ("net: macb: add support for padding and fcs computation") +Signed-off-by: Mark Deneen +Link: https://lore.kernel.org/r/20201030155814.622831-1-mdeneen@saucontech.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/cadence/macb_main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/cadence/macb_main.c ++++ b/drivers/net/ethernet/cadence/macb_main.c +@@ -1930,7 +1930,8 @@ static inline int macb_clear_csum(struct + + static int macb_pad_and_fcs(struct sk_buff **skb, struct net_device *ndev) + { +- bool cloned = skb_cloned(*skb) || skb_header_cloned(*skb); ++ bool cloned = skb_cloned(*skb) || skb_header_cloned(*skb) || ++ skb_is_nonlinear(*skb); + int padlen = ETH_ZLEN - (*skb)->len; + int headroom = skb_headroom(*skb); + int tailroom = skb_tailroom(*skb); diff --git a/queue-5.9/chelsio-chtls-fix-always-leaking-ctrl_skb.patch b/queue-5.9/chelsio-chtls-fix-always-leaking-ctrl_skb.patch new file mode 100644 index 00000000000..172d0c9ebad --- /dev/null +++ b/queue-5.9/chelsio-chtls-fix-always-leaking-ctrl_skb.patch @@ -0,0 +1,34 @@ +From foo@baz Sat Nov 7 11:45:25 AM CET 2020 +From: Vinay Kumar Yadav +Date: Mon, 2 Nov 2020 23:09:10 +0530 +Subject: [PATCH stable 5.9 03/20] chelsio/chtls: fix always leaking ctrl_skb + +From: Vinay Kumar Yadav + +[ Upstream commit dbfe394dad33f99cf8458be50483ec40a5d29c34 ] + +Correct skb refcount in alloc_ctrl_skb(), causing skb memleak +when chtls_send_abort() called with NULL skb. +it was always leaking the skb, correct it by incrementing skb +refs by one. + +Fixes: cc35c88ae4db ("crypto : chtls - CPL handler definition") +Signed-off-by: Vinay Kumar Yadav +Link: https://lore.kernel.org/r/20201102173909.24826-1-vinay.yadav@chelsio.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/chelsio/chtls/chtls_cm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/crypto/chelsio/chtls/chtls_cm.c ++++ b/drivers/crypto/chelsio/chtls/chtls_cm.c +@@ -212,7 +212,7 @@ static struct sk_buff *alloc_ctrl_skb(st + { + if (likely(skb && !skb_shared(skb) && !skb_cloned(skb))) { + __skb_trim(skb, 0); +- refcount_add(2, &skb->users); ++ refcount_inc(&skb->users); + } else { + skb = alloc_skb(len, GFP_KERNEL | __GFP_NOFAIL); + } diff --git a/queue-5.9/chelsio-chtls-fix-memory-leaks-caused-by-a-race.patch b/queue-5.9/chelsio-chtls-fix-memory-leaks-caused-by-a-race.patch new file mode 100644 index 00000000000..d71759e32c0 --- /dev/null +++ b/queue-5.9/chelsio-chtls-fix-memory-leaks-caused-by-a-race.patch @@ -0,0 +1,48 @@ +From foo@baz Sat Nov 7 11:45:25 AM CET 2020 +From: Vinay Kumar Yadav +Date: Mon, 2 Nov 2020 23:06:51 +0530 +Subject: [PATCH stable 5.9 02/20] chelsio/chtls: fix memory leaks caused by a race + +From: Vinay Kumar Yadav + +[ Upstream commit 8080b462b6aa856ae05ea010441a702599e579f2 ] + +race between user context and softirq causing memleak, +consider the call sequence scenario + +chtls_setkey() //user context +chtls_peer_close() +chtls_abort_req_rss() +chtls_setkey() //user context + +work request skb queued in chtls_setkey() won't be freed +because resources are already cleaned for this connection, +fix it by not queuing work request while socket is closing. + +v1->v2: +- fix W=1 warning. + +v2->v3: +- separate it out from another memleak fix. + +Fixes: cc35c88ae4db ("crypto : chtls - CPL handler definition") +Signed-off-by: Vinay Kumar Yadav +Link: https://lore.kernel.org/r/20201102173650.24754-1-vinay.yadav@chelsio.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/chelsio/chtls/chtls_hw.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/crypto/chelsio/chtls/chtls_hw.c ++++ b/drivers/crypto/chelsio/chtls/chtls_hw.c +@@ -383,6 +383,9 @@ int chtls_setkey(struct chtls_sock *csk, + if (ret) + goto out_notcb; + ++ if (unlikely(csk_flag(sk, CSK_ABORT_SHUTDOWN))) ++ goto out_notcb; ++ + set_wr_txq(skb, CPL_PRIORITY_DATA, csk->tlshws.txqid); + csk->wr_credits -= DIV_ROUND_UP(len, 16); + csk->wr_unacked += DIV_ROUND_UP(len, 16); diff --git a/queue-5.9/dpaa_eth-fix-the-rx-headroom-size-alignment.patch b/queue-5.9/dpaa_eth-fix-the-rx-headroom-size-alignment.patch new file mode 100644 index 00000000000..9818bd28217 --- /dev/null +++ b/queue-5.9/dpaa_eth-fix-the-rx-headroom-size-alignment.patch @@ -0,0 +1,61 @@ +From foo@baz Sat Nov 7 11:45:25 AM CET 2020 +From: Camelia Groza +Date: Mon, 2 Nov 2020 20:34:36 +0200 +Subject: [PATCH stable 5.9 05/20] dpaa_eth: fix the RX headroom size alignment + +From: Camelia Groza + +[ Upstream commit 7834e494f42627769d3f965d5d203e9c6ddb8403 ] + +The headroom reserved for received frames needs to be aligned to an +RX specific value. There is currently a discrepancy between the values +used in the Ethernet driver and the values passed to the FMan. +Coincidentally, the resulting aligned values are identical. + +Fixes: 3c68b8fffb48 ("dpaa_eth: FMan erratum A050385 workaround") +Acked-by: Willem de Bruijn +Signed-off-by: Camelia Groza +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/freescale/dpaa/dpaa_eth.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +--- a/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c ++++ b/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c +@@ -2845,7 +2845,8 @@ out_error: + return err; + } + +-static inline u16 dpaa_get_headroom(struct dpaa_buffer_layout *bl) ++static u16 dpaa_get_headroom(struct dpaa_buffer_layout *bl, ++ enum port_type port) + { + u16 headroom; + +@@ -2859,9 +2860,12 @@ static inline u16 dpaa_get_headroom(stru + * + * Also make sure the headroom is a multiple of data_align bytes + */ +- headroom = (u16)(bl->priv_data_size + DPAA_HWA_SIZE); ++ headroom = (u16)(bl[port].priv_data_size + DPAA_HWA_SIZE); + +- return ALIGN(headroom, DPAA_FD_DATA_ALIGNMENT); ++ if (port == RX) ++ return ALIGN(headroom, DPAA_FD_RX_DATA_ALIGNMENT); ++ else ++ return ALIGN(headroom, DPAA_FD_DATA_ALIGNMENT); + } + + static int dpaa_eth_probe(struct platform_device *pdev) +@@ -3029,8 +3033,8 @@ static int dpaa_eth_probe(struct platfor + goto free_dpaa_fqs; + } + +- priv->tx_headroom = dpaa_get_headroom(&priv->buf_layout[TX]); +- priv->rx_headroom = dpaa_get_headroom(&priv->buf_layout[RX]); ++ priv->tx_headroom = dpaa_get_headroom(priv->buf_layout, TX); ++ priv->rx_headroom = dpaa_get_headroom(priv->buf_layout, RX); + + /* All real interfaces need their ports initialized */ + err = dpaa_eth_init_ports(mac_dev, dpaa_bp, &port_fqs, diff --git a/queue-5.9/dpaa_eth-update-the-buffer-layout-for-non-a050385-erratum-scenarios.patch b/queue-5.9/dpaa_eth-update-the-buffer-layout-for-non-a050385-erratum-scenarios.patch new file mode 100644 index 00000000000..9d3af516c89 --- /dev/null +++ b/queue-5.9/dpaa_eth-update-the-buffer-layout-for-non-a050385-erratum-scenarios.patch @@ -0,0 +1,60 @@ +From foo@baz Sat Nov 7 11:45:25 AM CET 2020 +From: Camelia Groza +Date: Mon, 2 Nov 2020 20:34:35 +0200 +Subject: [PATCH stable 5.9 04/20] dpaa_eth: update the buffer layout for non-A050385 erratum scenarios + +From: Camelia Groza + +[ Upstream commit acef159a0cb2a978d62b641e2366a33ad1d5afef ] + +Impose a larger RX private data area only when the A050385 erratum is +present on the hardware. A smaller buffer size is sufficient in all +other scenarios. This enables a wider range of linear Jumbo frame +sizes in non-erratum scenarios, instead of turning to multi +buffer Scatter/Gather frames. The maximum linear frame size is +increased by 128 bytes for non-erratum arm64 platforms. + +Cleanup the hardware annotations header defines in the process. + +Fixes: 3c68b8fffb48 ("dpaa_eth: FMan erratum A050385 workaround") +Signed-off-by: Camelia Groza +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/freescale/dpaa/dpaa_eth.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +--- a/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c ++++ b/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c +@@ -174,12 +174,17 @@ MODULE_PARM_DESC(tx_timeout, "The Tx tim + #define DPAA_PARSE_RESULTS_SIZE sizeof(struct fman_prs_result) + #define DPAA_TIME_STAMP_SIZE 8 + #define DPAA_HASH_RESULTS_SIZE 8 ++#define DPAA_HWA_SIZE (DPAA_PARSE_RESULTS_SIZE + DPAA_TIME_STAMP_SIZE \ ++ + DPAA_HASH_RESULTS_SIZE) ++#define DPAA_RX_PRIV_DATA_DEFAULT_SIZE (DPAA_TX_PRIV_DATA_SIZE + \ ++ dpaa_rx_extra_headroom) + #ifdef CONFIG_DPAA_ERRATUM_A050385 +-#define DPAA_RX_PRIV_DATA_SIZE (DPAA_A050385_ALIGN - (DPAA_PARSE_RESULTS_SIZE\ +- + DPAA_TIME_STAMP_SIZE + DPAA_HASH_RESULTS_SIZE)) ++#define DPAA_RX_PRIV_DATA_A050385_SIZE (DPAA_A050385_ALIGN - DPAA_HWA_SIZE) ++#define DPAA_RX_PRIV_DATA_SIZE (fman_has_errata_a050385() ? \ ++ DPAA_RX_PRIV_DATA_A050385_SIZE : \ ++ DPAA_RX_PRIV_DATA_DEFAULT_SIZE) + #else +-#define DPAA_RX_PRIV_DATA_SIZE (u16)(DPAA_TX_PRIV_DATA_SIZE + \ +- dpaa_rx_extra_headroom) ++#define DPAA_RX_PRIV_DATA_SIZE DPAA_RX_PRIV_DATA_DEFAULT_SIZE + #endif + + #define DPAA_ETH_PCD_RXQ_NUM 128 +@@ -2854,8 +2859,7 @@ static inline u16 dpaa_get_headroom(stru + * + * Also make sure the headroom is a multiple of data_align bytes + */ +- headroom = (u16)(bl->priv_data_size + DPAA_PARSE_RESULTS_SIZE + +- DPAA_TIME_STAMP_SIZE + DPAA_HASH_RESULTS_SIZE); ++ headroom = (u16)(bl->priv_data_size + DPAA_HWA_SIZE); + + return ALIGN(headroom, DPAA_FD_DATA_ALIGNMENT); + } diff --git a/queue-5.9/gianfar-account-for-tx-ptp-timestamp-in-the-skb-headroom.patch b/queue-5.9/gianfar-account-for-tx-ptp-timestamp-in-the-skb-headroom.patch new file mode 100644 index 00000000000..e57e7f1d093 --- /dev/null +++ b/queue-5.9/gianfar-account-for-tx-ptp-timestamp-in-the-skb-headroom.patch @@ -0,0 +1,55 @@ +From foo@baz Sat Nov 7 11:45:25 AM CET 2020 +From: Claudiu Manoil +Date: Tue, 20 Oct 2020 20:36:05 +0300 +Subject: [PATCH stable 5.9 07/20] gianfar: Account for Tx PTP timestamp in the skb headroom + +From: Claudiu Manoil + +[ Upstream commit d6a076d68c6b5d6a5800f3990a513facb7016dea ] + +When PTP timestamping is enabled on Tx, the controller +inserts the Tx timestamp at the beginning of the frame +buffer, between SFD and the L2 frame header. This means +that the skb provided by the stack is required to have +enough headroom otherwise a new skb needs to be created +by the driver to accommodate the timestamp inserted by h/w. +Up until now the driver was relying on the second option, +using skb_realloc_headroom() to create a new skb to accommodate +PTP frames. Turns out that this method is not reliable, as +reallocation of skbs for PTP frames along with the required +overhead (skb_set_owner_w, consume_skb) is causing random +crashes in subsequent skb_*() calls, when multiple concurrent +TCP streams are run at the same time on the same device +(as seen in James' report). +Note that these crashes don't occur with a single TCP stream, +nor with multiple concurrent UDP streams, but only when multiple +TCP streams are run concurrently with the PTP packet flow +(doing skb reallocation). +This patch enforces the first method, by requesting enough +headroom from the stack to accommodate PTP frames, and so avoiding +skb_realloc_headroom() & co, and the crashes no longer occur. +There's no reason not to set needed_headroom to a large enough +value to accommodate PTP frames, so in this regard this patch +is a fix. + +Reported-by: James Jurack +Fixes: bee9e58c9e98 ("gianfar:don't add FCB length to hard_header_len") +Signed-off-by: Claudiu Manoil +Link: https://lore.kernel.org/r/20201020173605.1173-1-claudiu.manoil@nxp.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/freescale/gianfar.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/freescale/gianfar.c ++++ b/drivers/net/ethernet/freescale/gianfar.c +@@ -3372,7 +3372,7 @@ static int gfar_probe(struct platform_de + + if (dev->features & NETIF_F_IP_CSUM || + priv->device_flags & FSL_GIANFAR_DEV_HAS_TIMER) +- dev->needed_headroom = GMAC_FCB_LEN; ++ dev->needed_headroom = GMAC_FCB_LEN + GMAC_TXPAL_LEN; + + /* Initializing some of the rx/tx queue level parameters */ + for (i = 0; i < priv->num_tx_queues; i++) { diff --git a/queue-5.9/gianfar-replace-skb_realloc_headroom-with-skb_cow_head-for-ptp.patch b/queue-5.9/gianfar-replace-skb_realloc_headroom-with-skb_cow_head-for-ptp.patch new file mode 100644 index 00000000000..0d5db1594d5 --- /dev/null +++ b/queue-5.9/gianfar-replace-skb_realloc_headroom-with-skb_cow_head-for-ptp.patch @@ -0,0 +1,70 @@ +From foo@baz Sat Nov 7 11:45:25 AM CET 2020 +From: Claudiu Manoil +Date: Thu, 29 Oct 2020 10:10:56 +0200 +Subject: [PATCH stable 5.9 06/20] gianfar: Replace skb_realloc_headroom with skb_cow_head for PTP + +From: Claudiu Manoil + +[ Upstream commit d145c9031325fed963a887851d9fa42516efd52b ] + +When PTP timestamping is enabled on Tx, the controller +inserts the Tx timestamp at the beginning of the frame +buffer, between SFD and the L2 frame header. This means +that the skb provided by the stack is required to have +enough headroom otherwise a new skb needs to be created +by the driver to accommodate the timestamp inserted by h/w. +Up until now the driver was relying on skb_realloc_headroom() +to create new skbs to accommodate PTP frames. Turns out that +this method is not reliable in this context at least, as +skb_realloc_headroom() for PTP frames can cause random crashes, +mostly in subsequent skb_*() calls, when multiple concurrent +TCP streams are run at the same time with the PTP flow +on the same device (as seen in James' report). I also noticed +that when the system is loaded by sending multiple TCP streams, +the driver receives cloned skbs in large numbers. +skb_cow_head() instead proves to be stable in this scenario, +and not only handles cloned skbs too but it's also more efficient +and widely used in other drivers. +The commit introducing skb_realloc_headroom in the driver +goes back to 2009, commit 93c1285c5d92 +("gianfar: reallocate skb when headroom is not enough for fcb"). +For practical purposes I'm referencing a newer commit (from 2012) +that brings the code to its current structure (and fixes the PTP +case). + +Fixes: 9c4886e5e63b ("gianfar: Fix invalid TX frames returned on error queue when time stamping") +Reported-by: James Jurack +Suggested-by: Jakub Kicinski +Signed-off-by: Claudiu Manoil +Link: https://lore.kernel.org/r/20201029081057.8506-1-claudiu.manoil@nxp.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/freescale/gianfar.c | 12 ++---------- + 1 file changed, 2 insertions(+), 10 deletions(-) + +--- a/drivers/net/ethernet/freescale/gianfar.c ++++ b/drivers/net/ethernet/freescale/gianfar.c +@@ -1829,20 +1829,12 @@ static netdev_tx_t gfar_start_xmit(struc + fcb_len = GMAC_FCB_LEN + GMAC_TXPAL_LEN; + + /* make space for additional header when fcb is needed */ +- if (fcb_len && unlikely(skb_headroom(skb) < fcb_len)) { +- struct sk_buff *skb_new; +- +- skb_new = skb_realloc_headroom(skb, fcb_len); +- if (!skb_new) { ++ if (fcb_len) { ++ if (unlikely(skb_cow_head(skb, fcb_len))) { + dev->stats.tx_errors++; + dev_kfree_skb_any(skb); + return NETDEV_TX_OK; + } +- +- if (skb->sk) +- skb_set_owner_w(skb_new, skb->sk); +- dev_consume_skb_any(skb); +- skb = skb_new; + } + + /* total number of fragments in the SKB */ diff --git a/queue-5.9/ionic-check-port-ptr-before-use.patch b/queue-5.9/ionic-check-port-ptr-before-use.patch new file mode 100644 index 00000000000..0dcf4ec1b60 --- /dev/null +++ b/queue-5.9/ionic-check-port-ptr-before-use.patch @@ -0,0 +1,35 @@ +From foo@baz Sat Nov 7 11:45:25 AM CET 2020 +From: Shannon Nelson +Date: Wed, 4 Nov 2020 11:56:06 -0800 +Subject: [PATCH stable 5.9 08/20] ionic: check port ptr before use + +From: Shannon Nelson + +[ Upstream commit 2bcbf42add911ef63a6d90e92001dc2bcb053e68 ] + +Check for corner case of port_init failure before using +the port_info pointer. + +Fixes: 4d03e00a2140 ("ionic: Add initial ethtool support") +Signed-off-by: Shannon Nelson +Link: https://lore.kernel.org/r/20201104195606.61184-1-snelson@pensando.io +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/pensando/ionic/ionic_ethtool.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/net/ethernet/pensando/ionic/ionic_ethtool.c ++++ b/drivers/net/ethernet/pensando/ionic/ionic_ethtool.c +@@ -126,6 +126,11 @@ static int ionic_get_link_ksettings(stru + + ethtool_link_ksettings_zero_link_mode(ks, supported); + ++ if (!idev->port_info) { ++ netdev_err(netdev, "port_info not initialized\n"); ++ return -EOPNOTSUPP; ++ } ++ + /* The port_info data is found in a DMA space that the NIC keeps + * up-to-date, so there's no need to request the data from the + * NIC, we already have it in our memory space. diff --git a/queue-5.9/ip6_tunnel-set-inner-ipproto-before-ip6_tnl_encap.patch b/queue-5.9/ip6_tunnel-set-inner-ipproto-before-ip6_tnl_encap.patch new file mode 100644 index 00000000000..ae72670f5b2 --- /dev/null +++ b/queue-5.9/ip6_tunnel-set-inner-ipproto-before-ip6_tnl_encap.patch @@ -0,0 +1,50 @@ +From foo@baz Sat Nov 7 11:45:25 AM CET 2020 +From: Alexander Ovechkin +Date: Thu, 29 Oct 2020 20:10:12 +0300 +Subject: [PATCH stable 5.9 15/20] ip6_tunnel: set inner ipproto before ip6_tnl_encap + +From: Alexander Ovechkin + +[ Upstream commit 9e7c5b396e98eed859d3dd1ab235912a296faab5 ] + +ip6_tnl_encap assigns to proto transport protocol which +encapsulates inner packet, but we must pass to set_inner_ipproto +protocol of that inner packet. + +Calling set_inner_ipproto after ip6_tnl_encap might break gso. +For example, in case of encapsulating ipv6 packet in fou6 packet, inner_ipproto +would be set to IPPROTO_UDP instead of IPPROTO_IPV6. This would lead to +incorrect calling sequence of gso functions: +ipv6_gso_segment -> udp6_ufo_fragment -> skb_udp_tunnel_segment -> udp6_ufo_fragment +instead of: +ipv6_gso_segment -> udp6_ufo_fragment -> skb_udp_tunnel_segment -> ip6ip6_gso_segment + +Fixes: 6c11fbf97e69 ("ip6_tunnel: add MPLS transmit support") +Signed-off-by: Alexander Ovechkin +Link: https://lore.kernel.org/r/20201029171012.20904-1-ovov@yandex-team.ru +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6_tunnel.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/ipv6/ip6_tunnel.c ++++ b/net/ipv6/ip6_tunnel.c +@@ -1271,6 +1271,8 @@ route_lookup: + if (max_headroom > dev->needed_headroom) + dev->needed_headroom = max_headroom; + ++ skb_set_inner_ipproto(skb, proto); ++ + err = ip6_tnl_encap(skb, t, &proto, fl6); + if (err) + return err; +@@ -1280,8 +1282,6 @@ route_lookup: + ipv6_push_frag_opts(skb, &opt.ops, &proto); + } + +- skb_set_inner_ipproto(skb, proto); +- + skb_push(skb, sizeof(struct ipv6hdr)); + skb_reset_network_header(skb); + ipv6h = ipv6_hdr(skb); diff --git a/queue-5.9/ip_tunnel-fix-over-mtu-packet-send-fail-without-tunnel_dont_fragment-flags.patch b/queue-5.9/ip_tunnel-fix-over-mtu-packet-send-fail-without-tunnel_dont_fragment-flags.patch new file mode 100644 index 00000000000..9476ce73344 --- /dev/null +++ b/queue-5.9/ip_tunnel-fix-over-mtu-packet-send-fail-without-tunnel_dont_fragment-flags.patch @@ -0,0 +1,40 @@ +From foo@baz Sat Nov 7 11:45:25 AM CET 2020 +From: wenxu +Date: Fri, 30 Oct 2020 11:32:08 +0800 +Subject: [PATCH stable 5.9 09/20] ip_tunnel: fix over-mtu packet send fail without TUNNEL_DONT_FRAGMENT flags + +From: wenxu + +[ Upstream commit 20149e9eb68c003eaa09e7c9a49023df40779552 ] + +The tunnel device such as vxlan, bareudp and geneve in the lwt mode set +the outer df only based TUNNEL_DONT_FRAGMENT. +And this was also the behavior for gre device before switching to use +ip_md_tunnel_xmit in commit 962924fa2b7a ("ip_gre: Refactor collect +metatdata mode tunnel xmit to ip_md_tunnel_xmit") + +When the ip_gre in lwt mode xmit with ip_md_tunnel_xmi changed the rule and +make the discrepancy between handling of DF by different tunnels. So in the +ip_md_tunnel_xmit should follow the same rule like other tunnels. + +Fixes: cfc7381b3002 ("ip_tunnel: add collect_md mode to IPIP tunnel") +Signed-off-by: wenxu +Link: https://lore.kernel.org/r/1604028728-31100-1-git-send-email-wenxu@ucloud.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/ip_tunnel.c | 3 --- + 1 file changed, 3 deletions(-) + +--- a/net/ipv4/ip_tunnel.c ++++ b/net/ipv4/ip_tunnel.c +@@ -614,9 +614,6 @@ void ip_md_tunnel_xmit(struct sk_buff *s + ttl = ip4_dst_hoplimit(&rt->dst); + } + +- if (!df && skb->protocol == htons(ETH_P_IP)) +- df = inner_iph->frag_off & htons(IP_DF); +- + headroom += LL_RESERVED_SPACE(rt->dst.dev) + rt->dst.header_len; + if (headroom > dev->needed_headroom) + dev->needed_headroom = headroom; diff --git a/queue-5.9/mptcp-token-fix-unititialized-variable.patch b/queue-5.9/mptcp-token-fix-unititialized-variable.patch new file mode 100644 index 00000000000..a4e629155f7 --- /dev/null +++ b/queue-5.9/mptcp-token-fix-unititialized-variable.patch @@ -0,0 +1,33 @@ +From foo@baz Sat Nov 7 11:45:25 AM CET 2020 +From: Davide Caratti +Date: Mon, 2 Nov 2020 10:09:49 +0100 +Subject: [PATCH stable 5.9 17/20] mptcp: token: fix unititialized variable + +From: Davide Caratti + +[ Upstream commit e16b874ee87aa70cd0a7145346ff5f41349b514c ] + +gcc complains about use of uninitialized 'num'. Fix it by doing the first +assignment of 'num' when the variable is declared. + +Fixes: 96d890daad05 ("mptcp: add msk interations helper") +Signed-off-by: Davide Caratti +Acked-by: Paolo Abeni +Link: https://lore.kernel.org/r/49e20da5d467a73414d4294a8bd35e2cb1befd49.1604308087.git.dcaratti@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/token.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/mptcp/token.c ++++ b/net/mptcp/token.c +@@ -291,7 +291,7 @@ struct mptcp_sock *mptcp_token_iter_next + { + struct mptcp_sock *ret = NULL; + struct hlist_nulls_node *pos; +- int slot, num; ++ int slot, num = 0; + + for (slot = *s_slot; slot <= token_mask; *s_num = 0, slot++) { + struct token_bucket *bucket = &token_hash[slot]; diff --git a/queue-5.9/net-dsa-qca8k-fix-port-mtu-setting.patch b/queue-5.9/net-dsa-qca8k-fix-port-mtu-setting.patch new file mode 100644 index 00000000000..fb54b84681b --- /dev/null +++ b/queue-5.9/net-dsa-qca8k-fix-port-mtu-setting.patch @@ -0,0 +1,37 @@ +From foo@baz Sat Nov 7 11:45:25 AM CET 2020 +From: Jonathan McDowell +Date: Fri, 30 Oct 2020 18:33:15 +0000 +Subject: [PATCH stable 5.9 18/20] net: dsa: qca8k: Fix port MTU setting + +From: Jonathan McDowell + +[ Upstream commit 99cab7107d914a71c57f5a4e6d34292425fbbb61 ] + +The qca8k only supports a switch-wide MTU setting, and the code to take +the max of all ports was only looking at the port currently being set. +Fix to examine all ports. + +Reported-by: DENG Qingfang +Fixes: f58d2598cf70 ("net: dsa: qca8k: implement the port MTU callbacks") +Signed-off-by: Jonathan McDowell +Reviewed-by: Andrew Lunn +Link: https://lore.kernel.org/r/20201030183315.GA6736@earth.li +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/qca8k.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/dsa/qca8k.c ++++ b/drivers/net/dsa/qca8k.c +@@ -1219,8 +1219,8 @@ qca8k_port_change_mtu(struct dsa_switch + priv->port_mtu[port] = new_mtu; + + for (i = 0; i < QCA8K_NUM_PORTS; i++) +- if (priv->port_mtu[port] > mtu) +- mtu = priv->port_mtu[port]; ++ if (priv->port_mtu[i] > mtu) ++ mtu = priv->port_mtu[i]; + + /* Include L2 header / FCS length */ + qca8k_write(priv, QCA8K_MAX_FRAME_SIZE, mtu + ETH_HLEN + ETH_FCS_LEN); diff --git a/queue-5.9/net-ethernet-ti-cpsw-disable-ptpv1-hw-timestamping-advertisement.patch b/queue-5.9/net-ethernet-ti-cpsw-disable-ptpv1-hw-timestamping-advertisement.patch new file mode 100644 index 00000000000..9cefdfa6861 --- /dev/null +++ b/queue-5.9/net-ethernet-ti-cpsw-disable-ptpv1-hw-timestamping-advertisement.patch @@ -0,0 +1,63 @@ +From foo@baz Sat Nov 7 11:45:25 AM CET 2020 +From: Grygorii Strashko +Date: Thu, 29 Oct 2020 21:09:10 +0200 +Subject: [PATCH stable 5.9 10/20] net: ethernet: ti: cpsw: disable PTPv1 hw timestamping advertisement + +From: Grygorii Strashko + +[ Upstream commit 0a26ba0603d637eb6673a2ea79808cc73909ef3a ] + +The TI CPTS does not natively support PTPv1, only PTPv2. But, as it +happens, the CPTS can provide HW timestamp for PTPv1 Sync messages, because +CPTS HW parser looks for PTP messageType id in PTP message octet 0 which +value is 0 for PTPv1. As result, CPTS HW can detect Sync messages for PTPv1 +and PTPv2 (Sync messageType = 0 for both), but it fails for any other PTPv1 +messages (Delay_req/resp) and will return PTP messageType id 0 for them. + +The commit e9523a5a32a1 ("net: ethernet: ti: cpsw: enable +HWTSTAMP_FILTER_PTP_V1_L4_EVENT filter") added PTPv1 hw timestamping +advertisement by mistake, only to make Linux Kernel "timestamping" utility +work, and this causes issues with only PTPv1 compatible HW/SW - Sync HW +timestamped, but Delay_req/resp are not. + +Hence, fix it disabling PTPv1 hw timestamping advertisement, so only PTPv1 +compatible HW/SW can properly roll back to SW timestamping. + +Fixes: e9523a5a32a1 ("net: ethernet: ti: cpsw: enable HWTSTAMP_FILTER_PTP_V1_L4_EVENT filter") +Signed-off-by: Grygorii Strashko +Acked-by: Richard Cochran +Link: https://lore.kernel.org/r/20201029190910.30789-1-grygorii.strashko@ti.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/ti/cpsw_ethtool.c | 1 - + drivers/net/ethernet/ti/cpsw_priv.c | 5 +---- + 2 files changed, 1 insertion(+), 5 deletions(-) + +--- a/drivers/net/ethernet/ti/cpsw_ethtool.c ++++ b/drivers/net/ethernet/ti/cpsw_ethtool.c +@@ -727,7 +727,6 @@ int cpsw_get_ts_info(struct net_device * + (1 << HWTSTAMP_TX_ON); + info->rx_filters = + (1 << HWTSTAMP_FILTER_NONE) | +- (1 << HWTSTAMP_FILTER_PTP_V1_L4_EVENT) | + (1 << HWTSTAMP_FILTER_PTP_V2_EVENT); + return 0; + } +--- a/drivers/net/ethernet/ti/cpsw_priv.c ++++ b/drivers/net/ethernet/ti/cpsw_priv.c +@@ -639,13 +639,10 @@ static int cpsw_hwtstamp_set(struct net_ + break; + case HWTSTAMP_FILTER_ALL: + case HWTSTAMP_FILTER_NTP_ALL: +- return -ERANGE; + case HWTSTAMP_FILTER_PTP_V1_L4_EVENT: + case HWTSTAMP_FILTER_PTP_V1_L4_SYNC: + case HWTSTAMP_FILTER_PTP_V1_L4_DELAY_REQ: +- priv->rx_ts_enabled = HWTSTAMP_FILTER_PTP_V1_L4_EVENT; +- cfg.rx_filter = HWTSTAMP_FILTER_PTP_V1_L4_EVENT; +- break; ++ return -ERANGE; + case HWTSTAMP_FILTER_PTP_V2_L4_EVENT: + case HWTSTAMP_FILTER_PTP_V2_L4_SYNC: + case HWTSTAMP_FILTER_PTP_V2_L4_DELAY_REQ: diff --git a/queue-5.9/net-fec-fix-mdio-probing-for-some-fec-hardware-blocks.patch b/queue-5.9/net-fec-fix-mdio-probing-for-some-fec-hardware-blocks.patch new file mode 100644 index 00000000000..2d0d133d057 --- /dev/null +++ b/queue-5.9/net-fec-fix-mdio-probing-for-some-fec-hardware-blocks.patch @@ -0,0 +1,112 @@ +From foo@baz Sat Nov 7 11:45:25 AM CET 2020 +From: Greg Ungerer +Date: Wed, 28 Oct 2020 15:22:32 +1000 +Subject: [PATCH stable 5.9 16/20] net: fec: fix MDIO probing for some FEC hardware blocks + +From: Greg Ungerer + +[ Upstream commit 1e6114f51f9d4090390fcec2f5d67d8cc8dc4bfc ] + +Some (apparently older) versions of the FEC hardware block do not like +the MMFR register being cleared to avoid generation of MII events at +initialization time. The action of clearing this register results in no +future MII events being generated at all on the problem block. This means +the probing of the MDIO bus will find no PHYs. + +Create a quirk that can be checked at the FECs MII init time so that +the right thing is done. The quirk is set as appropriate for the FEC +hardware blocks that are known to need this. + +Fixes: f166f890c8f0 ("net: ethernet: fec: Replace interrupt driven MDIO with polled IO") +Signed-off-by: Greg Ungerer +Acked-by: Fugang Duan +Tested-by: Andrew Lunn +Tested-by: Clemens Gruber +Link: https://lore.kernel.org/r/20201028052232.1315167-1-gerg@linux-m68k.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/freescale/fec.h | 6 ++++++ + drivers/net/ethernet/freescale/fec_main.c | 29 ++++++++++++++++------------- + 2 files changed, 22 insertions(+), 13 deletions(-) + +--- a/drivers/net/ethernet/freescale/fec.h ++++ b/drivers/net/ethernet/freescale/fec.h +@@ -456,6 +456,12 @@ struct bufdesc_ex { + */ + #define FEC_QUIRK_HAS_FRREG (1 << 16) + ++/* Some FEC hardware blocks need the MMFR cleared at setup time to avoid ++ * the generation of an MII event. This must be avoided in the older ++ * FEC blocks where it will stop MII events being generated. ++ */ ++#define FEC_QUIRK_CLEAR_SETUP_MII (1 << 17) ++ + struct bufdesc_prop { + int qid; + /* Address of Rx and Tx buffers */ +--- a/drivers/net/ethernet/freescale/fec_main.c ++++ b/drivers/net/ethernet/freescale/fec_main.c +@@ -100,14 +100,14 @@ static const struct fec_devinfo fec_imx2 + static const struct fec_devinfo fec_imx28_info = { + .quirks = FEC_QUIRK_ENET_MAC | FEC_QUIRK_SWAP_FRAME | + FEC_QUIRK_SINGLE_MDIO | FEC_QUIRK_HAS_RACC | +- FEC_QUIRK_HAS_FRREG, ++ FEC_QUIRK_HAS_FRREG | FEC_QUIRK_CLEAR_SETUP_MII, + }; + + static const struct fec_devinfo fec_imx6q_info = { + .quirks = FEC_QUIRK_ENET_MAC | FEC_QUIRK_HAS_GBIT | + FEC_QUIRK_HAS_BUFDESC_EX | FEC_QUIRK_HAS_CSUM | + FEC_QUIRK_HAS_VLAN | FEC_QUIRK_ERR006358 | +- FEC_QUIRK_HAS_RACC, ++ FEC_QUIRK_HAS_RACC | FEC_QUIRK_CLEAR_SETUP_MII, + }; + + static const struct fec_devinfo fec_mvf600_info = { +@@ -119,7 +119,8 @@ static const struct fec_devinfo fec_imx6 + FEC_QUIRK_HAS_BUFDESC_EX | FEC_QUIRK_HAS_CSUM | + FEC_QUIRK_HAS_VLAN | FEC_QUIRK_HAS_AVB | + FEC_QUIRK_ERR007885 | FEC_QUIRK_BUG_CAPTURE | +- FEC_QUIRK_HAS_RACC | FEC_QUIRK_HAS_COALESCE, ++ FEC_QUIRK_HAS_RACC | FEC_QUIRK_HAS_COALESCE | ++ FEC_QUIRK_CLEAR_SETUP_MII, + }; + + static const struct fec_devinfo fec_imx6ul_info = { +@@ -127,7 +128,7 @@ static const struct fec_devinfo fec_imx6 + FEC_QUIRK_HAS_BUFDESC_EX | FEC_QUIRK_HAS_CSUM | + FEC_QUIRK_HAS_VLAN | FEC_QUIRK_ERR007885 | + FEC_QUIRK_BUG_CAPTURE | FEC_QUIRK_HAS_RACC | +- FEC_QUIRK_HAS_COALESCE, ++ FEC_QUIRK_HAS_COALESCE | FEC_QUIRK_CLEAR_SETUP_MII, + }; + + static struct platform_device_id fec_devtype[] = { +@@ -2135,15 +2136,17 @@ static int fec_enet_mii_init(struct plat + if (suppress_preamble) + fep->phy_speed |= BIT(7); + +- /* Clear MMFR to avoid to generate MII event by writing MSCR. +- * MII event generation condition: +- * - writing MSCR: +- * - mmfr[31:0]_not_zero & mscr[7:0]_is_zero & +- * mscr_reg_data_in[7:0] != 0 +- * - writing MMFR: +- * - mscr[7:0]_not_zero +- */ +- writel(0, fep->hwp + FEC_MII_DATA); ++ if (fep->quirks & FEC_QUIRK_CLEAR_SETUP_MII) { ++ /* Clear MMFR to avoid to generate MII event by writing MSCR. ++ * MII event generation condition: ++ * - writing MSCR: ++ * - mmfr[31:0]_not_zero & mscr[7:0]_is_zero & ++ * mscr_reg_data_in[7:0] != 0 ++ * - writing MMFR: ++ * - mscr[7:0]_not_zero ++ */ ++ writel(0, fep->hwp + FEC_MII_DATA); ++ } + + writel(fep->phy_speed, fep->hwp + FEC_MII_SPEED); + diff --git a/queue-5.9/net-openvswitch-silence-suspicious-rcu-usage-warning.patch b/queue-5.9/net-openvswitch-silence-suspicious-rcu-usage-warning.patch new file mode 100644 index 00000000000..4353be50bd4 --- /dev/null +++ b/queue-5.9/net-openvswitch-silence-suspicious-rcu-usage-warning.patch @@ -0,0 +1,77 @@ +From foo@baz Sat Nov 7 11:45:25 AM CET 2020 +From: Eelco Chaudron +Date: Tue, 3 Nov 2020 09:25:49 +0100 +Subject: [PATCH stable 5.9 19/20] net: openvswitch: silence suspicious RCU usage warning + +From: Eelco Chaudron + +[ Upstream commit fea07a487c6dd422dc8837237c9d2bc7c33119af ] + +Silence suspicious RCU usage warning in ovs_flow_tbl_masks_cache_resize() +by replacing rcu_dereference() with rcu_dereference_ovsl(). + +In addition, when creating a new datapath, make sure it's configured under +the ovs_lock. + +Fixes: 9bf24f594c6a ("net: openvswitch: make masks cache size configurable") +Reported-by: syzbot+9a8f8bfcc56e8578016c@syzkaller.appspotmail.com +Signed-off-by: Eelco Chaudron +Link: https://lore.kernel.org/r/160439190002.56943.1418882726496275961.stgit@ebuild +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/openvswitch/datapath.c | 14 +++++++------- + net/openvswitch/flow_table.c | 2 +- + 2 files changed, 8 insertions(+), 8 deletions(-) + +--- a/net/openvswitch/datapath.c ++++ b/net/openvswitch/datapath.c +@@ -1699,13 +1699,13 @@ static int ovs_dp_cmd_new(struct sk_buff + parms.port_no = OVSP_LOCAL; + parms.upcall_portids = a[OVS_DP_ATTR_UPCALL_PID]; + +- err = ovs_dp_change(dp, a); +- if (err) +- goto err_destroy_meters; +- + /* So far only local changes have been made, now need the lock. */ + ovs_lock(); + ++ err = ovs_dp_change(dp, a); ++ if (err) ++ goto err_unlock_and_destroy_meters; ++ + vport = new_vport(&parms); + if (IS_ERR(vport)) { + err = PTR_ERR(vport); +@@ -1721,8 +1721,7 @@ static int ovs_dp_cmd_new(struct sk_buff + ovs_dp_reset_user_features(skb, info); + } + +- ovs_unlock(); +- goto err_destroy_meters; ++ goto err_unlock_and_destroy_meters; + } + + err = ovs_dp_cmd_fill_info(dp, reply, info->snd_portid, +@@ -1737,7 +1736,8 @@ static int ovs_dp_cmd_new(struct sk_buff + ovs_notify(&dp_datapath_genl_family, reply, info); + return 0; + +-err_destroy_meters: ++err_unlock_and_destroy_meters: ++ ovs_unlock(); + ovs_meters_exit(dp); + err_destroy_ports: + kfree(dp->ports); +--- a/net/openvswitch/flow_table.c ++++ b/net/openvswitch/flow_table.c +@@ -387,7 +387,7 @@ static struct mask_cache *tbl_mask_cache + } + int ovs_flow_tbl_masks_cache_resize(struct flow_table *table, u32 size) + { +- struct mask_cache *mc = rcu_dereference(table->mask_cache); ++ struct mask_cache *mc = rcu_dereference_ovsl(table->mask_cache); + struct mask_cache *new; + + if (size == mc->cache_size) diff --git a/queue-5.9/net-usb-qmi_wwan-add-telit-le910cx-0x1230-composition.patch b/queue-5.9/net-usb-qmi_wwan-add-telit-le910cx-0x1230-composition.patch new file mode 100644 index 00000000000..24754f8ac31 --- /dev/null +++ b/queue-5.9/net-usb-qmi_wwan-add-telit-le910cx-0x1230-composition.patch @@ -0,0 +1,32 @@ +From foo@baz Sat Nov 7 11:45:25 AM CET 2020 +From: Daniele Palmas +Date: Mon, 2 Nov 2020 12:01:08 +0100 +Subject: [PATCH stable 5.9 11/20] net: usb: qmi_wwan: add Telit LE910Cx 0x1230 composition + +From: Daniele Palmas + +[ Upstream commit 5fd8477ed8ca77e64b93d44a6dae4aa70c191396 ] + +Add support for Telit LE910Cx 0x1230 composition: + +0x1230: tty, adb, rmnet, audio, tty, tty, tty, tty + +Signed-off-by: Daniele Palmas +Acked-by: Bjørn Mork +Link: https://lore.kernel.org/r/20201102110108.17244-1-dnlplm@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/qmi_wwan.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -1331,6 +1331,7 @@ static const struct usb_device_id produc + {QMI_FIXED_INTF(0x1bc7, 0x1101, 3)}, /* Telit ME910 dual modem */ + {QMI_FIXED_INTF(0x1bc7, 0x1200, 5)}, /* Telit LE920 */ + {QMI_QUIRK_SET_DTR(0x1bc7, 0x1201, 2)}, /* Telit LE920, LE920A4 */ ++ {QMI_QUIRK_SET_DTR(0x1bc7, 0x1230, 2)}, /* Telit LE910Cx */ + {QMI_QUIRK_SET_DTR(0x1bc7, 0x1260, 2)}, /* Telit LE910Cx */ + {QMI_QUIRK_SET_DTR(0x1bc7, 0x1261, 2)}, /* Telit LE910Cx */ + {QMI_QUIRK_SET_DTR(0x1bc7, 0x1900, 1)}, /* Telit LN940 series */ diff --git a/queue-5.9/powerpc-vnic-extend-failover-pending-window.patch b/queue-5.9/powerpc-vnic-extend-failover-pending-window.patch new file mode 100644 index 00000000000..5a44531535d --- /dev/null +++ b/queue-5.9/powerpc-vnic-extend-failover-pending-window.patch @@ -0,0 +1,137 @@ +From foo@baz Sat Nov 7 11:45:25 AM CET 2020 +From: Sukadev Bhattiprolu +Date: Fri, 30 Oct 2020 10:07:11 -0700 +Subject: [PATCH stable 5.9 12/20] powerpc/vnic: Extend "failover pending" window + +From: Sukadev Bhattiprolu + +[ Upstream commit 1d8504937478fdc2f3ef2174a816fd3302eca882 ] + +Commit 5a18e1e0c193b introduced the 'failover_pending' state to track +the "failover pending window" - where we wait for the partner to become +ready (after a transport event) before actually attempting to failover. +i.e window is between following two events: + + a. we get a transport event due to a FAILOVER + + b. later, we get CRQ_INITIALIZED indicating the partner is + ready at which point we schedule a FAILOVER reset. + +and ->failover_pending is true during this window. + +If during this window, we attempt to open (or close) a device, we pretend +that the operation succeded and let the FAILOVER reset path complete the +operation. + +This is fine, except if the transport event ("a" above) occurs during the +open and after open has already checked whether a failover is pending. If +that happens, we fail the open, which can cause the boot scripts to leave +the interface down requiring administrator to manually bring up the device. + +This fix "extends" the failover pending window till we are _actually_ +ready to perform the failover reset (i.e until after we get the RTNL +lock). Since open() holds the RTNL lock, we can be sure that we either +finish the open or if the open() fails due to the failover pending window, +we can again pretend that open is done and let the failover complete it. + +We could try and block the open until failover is completed but a) that +could still timeout the application and b) Existing code "pretends" that +failover occurred "just after" open succeeded, so marks the open successful +and lets the failover complete the open. So, mark the open successful even +if the transport event occurs before we actually start the open. + +Fixes: 5a18e1e0c193 ("ibmvnic: Fix failover case for non-redundant configuration") +Signed-off-by: Sukadev Bhattiprolu +Acked-by: Dany Madden +Link: https://lore.kernel.org/r/20201030170711.1562994-1-sukadev@linux.ibm.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/ibm/ibmvnic.c | 36 ++++++++++++++++++++++++++++++++---- + 1 file changed, 32 insertions(+), 4 deletions(-) + +--- a/drivers/net/ethernet/ibm/ibmvnic.c ++++ b/drivers/net/ethernet/ibm/ibmvnic.c +@@ -1197,18 +1197,27 @@ static int ibmvnic_open(struct net_devic + if (adapter->state != VNIC_CLOSED) { + rc = ibmvnic_login(netdev); + if (rc) +- return rc; ++ goto out; + + rc = init_resources(adapter); + if (rc) { + netdev_err(netdev, "failed to initialize resources\n"); + release_resources(adapter); +- return rc; ++ goto out; + } + } + + rc = __ibmvnic_open(netdev); + ++out: ++ /* ++ * If open fails due to a pending failover, set device state and ++ * return. Device operation will be handled by reset routine. ++ */ ++ if (rc && adapter->failover_pending) { ++ adapter->state = VNIC_OPEN; ++ rc = 0; ++ } + return rc; + } + +@@ -1935,6 +1944,13 @@ static int do_reset(struct ibmvnic_adapt + rwi->reset_reason); + + rtnl_lock(); ++ /* ++ * Now that we have the rtnl lock, clear any pending failover. ++ * This will ensure ibmvnic_open() has either completed or will ++ * block until failover is complete. ++ */ ++ if (rwi->reset_reason == VNIC_RESET_FAILOVER) ++ adapter->failover_pending = false; + + netif_carrier_off(netdev); + adapter->reset_reason = rwi->reset_reason; +@@ -2215,6 +2231,13 @@ static void __ibmvnic_reset(struct work_ + /* CHANGE_PARAM requestor holds rtnl_lock */ + rc = do_change_param_reset(adapter, rwi, reset_state); + } else if (adapter->force_reset_recovery) { ++ /* ++ * Since we are doing a hard reset now, clear the ++ * failover_pending flag so we don't ignore any ++ * future MOBILITY or other resets. ++ */ ++ adapter->failover_pending = false; ++ + /* Transport event occurred during previous reset */ + if (adapter->wait_for_reset) { + /* Previous was CHANGE_PARAM; caller locked */ +@@ -2279,9 +2302,15 @@ static int ibmvnic_reset(struct ibmvnic_ + unsigned long flags; + int ret; + ++ /* ++ * If failover is pending don't schedule any other reset. ++ * Instead let the failover complete. If there is already a ++ * a failover reset scheduled, we will detect and drop the ++ * duplicate reset when walking the ->rwi_list below. ++ */ + if (adapter->state == VNIC_REMOVING || + adapter->state == VNIC_REMOVED || +- adapter->failover_pending) { ++ (adapter->failover_pending && reason != VNIC_RESET_FAILOVER)) { + ret = EBUSY; + netdev_dbg(netdev, "Adapter removing or pending failover, skipping reset\n"); + goto err; +@@ -4665,7 +4694,6 @@ static void ibmvnic_handle_crq(union ibm + case IBMVNIC_CRQ_INIT: + dev_info(dev, "Partner initialized\n"); + adapter->from_passive_init = true; +- adapter->failover_pending = false; + if (!completion_done(&adapter->init_done)) { + complete(&adapter->init_done); + adapter->init_done_rc = -EIO; diff --git a/queue-5.9/r8169-work-around-short-packet-hw-bug-on-rtl8125.patch b/queue-5.9/r8169-work-around-short-packet-hw-bug-on-rtl8125.patch new file mode 100644 index 00000000000..a0a48d7b4a4 --- /dev/null +++ b/queue-5.9/r8169-work-around-short-packet-hw-bug-on-rtl8125.patch @@ -0,0 +1,60 @@ +From foo@baz Sat Nov 7 11:45:25 AM CET 2020 +From: Heiner Kallweit +Date: Tue, 3 Nov 2020 18:52:18 +0100 +Subject: [PATCH stable 5.9 20/20] r8169: work around short packet hw bug on RTL8125 + +From: Heiner Kallweit + +[ Upstream commit 2aaf09a0e7842b3ac7be6e0b8fb1888b3daeb3b3 ] + +Network problems with RTL8125B have been reported [0] and with help +from Realtek it turned out that this chip version has a hw problem +with short packets (similar to RTL8168evl). Having said that activate +the same workaround as for RTL8168evl. +Realtek suggested to activate the workaround for RTL8125A too, even +though they're not 100% sure yet which RTL8125 versions are affected. + +[0] https://bugzilla.kernel.org/show_bug.cgi?id=209839 + +Fixes: 0439297be951 ("r8169: add support for RTL8125B") +Reported-by: Maxim Plotnikov +Tested-by: Maxim Plotnikov +Signed-off-by: Heiner Kallweit +Link: https://lore.kernel.org/r/8002c31a-60b9-58f1-f0dd-8fd07239917f@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/realtek/r8169_main.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/realtek/r8169_main.c ++++ b/drivers/net/ethernet/realtek/r8169_main.c +@@ -4062,9 +4062,17 @@ err_out: + return -EIO; + } + +-static bool rtl_test_hw_pad_bug(struct rtl8169_private *tp, struct sk_buff *skb) ++static bool rtl_test_hw_pad_bug(struct rtl8169_private *tp) + { +- return skb->len < ETH_ZLEN && tp->mac_version == RTL_GIGA_MAC_VER_34; ++ switch (tp->mac_version) { ++ case RTL_GIGA_MAC_VER_34: ++ case RTL_GIGA_MAC_VER_60: ++ case RTL_GIGA_MAC_VER_61: ++ case RTL_GIGA_MAC_VER_63: ++ return true; ++ default: ++ return false; ++ } + } + + static void rtl8169_tso_csum_v1(struct sk_buff *skb, u32 *opts) +@@ -4136,7 +4144,7 @@ static bool rtl8169_tso_csum_v2(struct r + + opts[1] |= transport_offset << TCPHO_SHIFT; + } else { +- if (unlikely(rtl_test_hw_pad_bug(tp, skb))) ++ if (unlikely(skb->len < ETH_ZLEN && rtl_test_hw_pad_bug(tp))) + return !eth_skb_pad(skb); + } + diff --git a/queue-5.9/sctp-fix-comm_lost-cant_str_assoc-err-reporting-on-big-endian-platforms.patch b/queue-5.9/sctp-fix-comm_lost-cant_str_assoc-err-reporting-on-big-endian-platforms.patch new file mode 100644 index 00000000000..04bb2fbf684 --- /dev/null +++ b/queue-5.9/sctp-fix-comm_lost-cant_str_assoc-err-reporting-on-big-endian-platforms.patch @@ -0,0 +1,44 @@ +From foo@baz Sat Nov 7 11:45:25 AM CET 2020 +From: Petr Malat +Date: Fri, 30 Oct 2020 14:26:33 +0100 +Subject: [PATCH stable 5.9 13/20] sctp: Fix COMM_LOST/CANT_STR_ASSOC err reporting on big-endian platforms + +From: Petr Malat + +[ Upstream commit b6df8c81412190fbd5eaa3cec7f642142d9c16cd ] + +Commit 978aa0474115 ("sctp: fix some type cast warnings introduced since +very beginning")' broke err reading from sctp_arg, because it reads the +value as 32-bit integer, although the value is stored as 16-bit integer. +Later this value is passed to the userspace in 16-bit variable, thus the +user always gets 0 on big-endian platforms. Fix it by reading the __u16 +field of sctp_arg union, as reading err field would produce a sparse +warning. + +Fixes: 978aa0474115 ("sctp: fix some type cast warnings introduced since very beginning") +Signed-off-by: Petr Malat +Acked-by: Marcelo Ricardo Leitner +Link: https://lore.kernel.org/r/20201030132633.7045-1-oss@malat.biz +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/sm_sideeffect.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/sctp/sm_sideeffect.c ++++ b/net/sctp/sm_sideeffect.c +@@ -1601,12 +1601,12 @@ static int sctp_cmd_interpreter(enum sct + break; + + case SCTP_CMD_INIT_FAILED: +- sctp_cmd_init_failed(commands, asoc, cmd->obj.u32); ++ sctp_cmd_init_failed(commands, asoc, cmd->obj.u16); + break; + + case SCTP_CMD_ASSOC_FAILED: + sctp_cmd_assoc_failed(commands, asoc, event_type, +- subtype, chunk, cmd->obj.u32); ++ subtype, chunk, cmd->obj.u16); + break; + + case SCTP_CMD_INIT_COUNTER_INC: diff --git a/queue-5.9/series b/queue-5.9/series index 25cd30bd023..1ea0253566c 100644 --- a/queue-5.9/series +++ b/queue-5.9/series @@ -20,3 +20,23 @@ drm-i915-restore-ilk-m-rps-support.patch drm-nouveau-kms-nv50-program-notifier-offset-before-requesting-disp-caps.patch drm-nouveau-device-fix-changing-endianess-code-to-work-on-older-gpus.patch ptrace-fix-task_join_group_stop-for-the-case-when-current-is-traced.patch +cadence-force-nonlinear-buffers-to-be-cloned.patch +chelsio-chtls-fix-memory-leaks-caused-by-a-race.patch +chelsio-chtls-fix-always-leaking-ctrl_skb.patch +dpaa_eth-update-the-buffer-layout-for-non-a050385-erratum-scenarios.patch +dpaa_eth-fix-the-rx-headroom-size-alignment.patch +gianfar-replace-skb_realloc_headroom-with-skb_cow_head-for-ptp.patch +gianfar-account-for-tx-ptp-timestamp-in-the-skb-headroom.patch +ionic-check-port-ptr-before-use.patch +ip_tunnel-fix-over-mtu-packet-send-fail-without-tunnel_dont_fragment-flags.patch +net-ethernet-ti-cpsw-disable-ptpv1-hw-timestamping-advertisement.patch +net-usb-qmi_wwan-add-telit-le910cx-0x1230-composition.patch +powerpc-vnic-extend-failover-pending-window.patch +sctp-fix-comm_lost-cant_str_assoc-err-reporting-on-big-endian-platforms.patch +sfp-fix-error-handing-in-sfp_probe.patch +ip6_tunnel-set-inner-ipproto-before-ip6_tnl_encap.patch +net-fec-fix-mdio-probing-for-some-fec-hardware-blocks.patch +mptcp-token-fix-unititialized-variable.patch +net-dsa-qca8k-fix-port-mtu-setting.patch +net-openvswitch-silence-suspicious-rcu-usage-warning.patch +r8169-work-around-short-packet-hw-bug-on-rtl8125.patch diff --git a/queue-5.9/sfp-fix-error-handing-in-sfp_probe.patch b/queue-5.9/sfp-fix-error-handing-in-sfp_probe.patch new file mode 100644 index 00000000000..487bd361693 --- /dev/null +++ b/queue-5.9/sfp-fix-error-handing-in-sfp_probe.patch @@ -0,0 +1,34 @@ +From foo@baz Sat Nov 7 11:45:25 AM CET 2020 +From: YueHaibing +Date: Sat, 31 Oct 2020 11:10:53 +0800 +Subject: [PATCH stable 5.9 14/20] sfp: Fix error handing in sfp_probe() + +From: YueHaibing + +[ Upstream commit 9621618130bf7e83635367c13b9a6ee53935bb37 ] + +gpiod_to_irq() never return 0, but returns negative in +case of error, check it and set gpio_irq to 0. + +Fixes: 73970055450e ("sfp: add SFP module support") +Signed-off-by: YueHaibing +Reviewed-by: Andrew Lunn +Link: https://lore.kernel.org/r/20201031031053.25264-1-yuehaibing@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/sfp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/phy/sfp.c ++++ b/drivers/net/phy/sfp.c +@@ -2389,7 +2389,8 @@ static int sfp_probe(struct platform_dev + continue; + + sfp->gpio_irq[i] = gpiod_to_irq(sfp->gpio[i]); +- if (!sfp->gpio_irq[i]) { ++ if (sfp->gpio_irq[i] < 0) { ++ sfp->gpio_irq[i] = 0; + sfp->need_poll = true; + continue; + }