From: Sasha Levin Date: Sun, 1 Aug 2021 02:52:10 +0000 (-0400) Subject: Fixes for 5.4 X-Git-Tag: v4.4.278~39 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5147aee62e74803dc0e39dbef138bcbaa7d3f049;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/can-hi311x-fix-a-signedness-bug-in-hi3110_cmd.patch b/queue-5.4/can-hi311x-fix-a-signedness-bug-in-hi3110_cmd.patch new file mode 100644 index 00000000000..b542eefed9e --- /dev/null +++ b/queue-5.4/can-hi311x-fix-a-signedness-bug-in-hi3110_cmd.patch @@ -0,0 +1,38 @@ +From 1202dcb316fb2bdc33742951329b974883cd654b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Jul 2021 17:12:46 +0300 +Subject: can: hi311x: fix a signedness bug in hi3110_cmd() + +From: Dan Carpenter + +[ Upstream commit f6b3c7848e66e9046c8a79a5b88fd03461cc252b ] + +The hi3110_cmd() is supposed to return zero on success and negative +error codes on failure, but it was accidentally declared as a u8 when +it needs to be an int type. + +Fixes: 57e83fb9b746 ("can: hi311x: Add Holt HI-311x CAN driver") +Link: https://lore.kernel.org/r/20210729141246.GA1267@kili +Signed-off-by: Dan Carpenter +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/spi/hi311x.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/can/spi/hi311x.c b/drivers/net/can/spi/hi311x.c +index 73d48c3b8ded..7d2315c8cacb 100644 +--- a/drivers/net/can/spi/hi311x.c ++++ b/drivers/net/can/spi/hi311x.c +@@ -218,7 +218,7 @@ static int hi3110_spi_trans(struct spi_device *spi, int len) + return ret; + } + +-static u8 hi3110_cmd(struct spi_device *spi, u8 command) ++static int hi3110_cmd(struct spi_device *spi, u8 command) + { + struct hi3110_priv *priv = spi_get_drvdata(spi); + +-- +2.30.2 + diff --git a/queue-5.4/i40e-fix-firmware-lldp-agent-related-warning.patch b/queue-5.4/i40e-fix-firmware-lldp-agent-related-warning.patch new file mode 100644 index 00000000000..3855d3c33a8 --- /dev/null +++ b/queue-5.4/i40e-fix-firmware-lldp-agent-related-warning.patch @@ -0,0 +1,49 @@ +From f5d118d3ca5846d2737b5c14374f130c823e55d7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 May 2021 18:41:26 +0200 +Subject: i40e: Fix firmware LLDP agent related warning + +From: Arkadiusz Kubalewski + +[ Upstream commit 71d6fdba4b2d82fdd883fec31dee77fbcf59773a ] + +Make warning meaningful for the user. + +Previously the trace: +"Starting FW LLDP agent failed: error: I40E_ERR_ADMIN_QUEUE_ERROR, I40E_AQ_RC_EAGAIN" +was produced when user tried to start Firmware LLDP agent, +just after it was stopped with sequence: +ethtool --set-priv-flags disable-fw-lldp on +ethtool --set-priv-flags disable-fw-lldp off +(without any delay between the commands) +At that point the firmware is still processing stop command, the behavior +is expected. + +Fixes: c1041d070437 ("i40e: Missing response checks in driver when starting/stopping FW LLDP") +Signed-off-by: Aleksandr Loktionov +Signed-off-by: Arkadiusz Kubalewski +Tested-by: Imam Hassan Reza Biswas +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_ethtool.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c +index 2288a3855e52..5e20d5082532 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c +@@ -5087,6 +5087,10 @@ flags_complete: + dev_warn(&pf->pdev->dev, + "Device configuration forbids SW from starting the LLDP agent.\n"); + return -EINVAL; ++ case I40E_AQ_RC_EAGAIN: ++ dev_warn(&pf->pdev->dev, ++ "Stop FW LLDP agent command is still being processed, please try again in a second.\n"); ++ return -EBUSY; + default: + dev_warn(&pf->pdev->dev, + "Starting FW LLDP agent failed: error: %s, %s\n", +-- +2.30.2 + diff --git a/queue-5.4/i40e-fix-log-tc-creation-failure-when-max-num-of-que.patch b/queue-5.4/i40e-fix-log-tc-creation-failure-when-max-num-of-que.patch new file mode 100644 index 00000000000..3b366b204c5 --- /dev/null +++ b/queue-5.4/i40e-fix-log-tc-creation-failure-when-max-num-of-que.patch @@ -0,0 +1,38 @@ +From 15d35db5b8aeaaf1b30d05d010c35d5f37732f71 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Jun 2021 08:49:49 +0000 +Subject: i40e: Fix log TC creation failure when max num of queues is exceeded + +From: Jedrzej Jagielski + +[ Upstream commit ea52faae1d17cd3048681d86d2e8641f44de484d ] + +Fix missing failed message if driver does not have enough queues to +complete TC command. Without this fix no message is displayed in dmesg. + +Fixes: a9ce82f744dc ("i40e: Enable 'channel' mode in mqprio for TC configs") +Signed-off-by: Grzegorz Szczurek +Signed-off-by: Jedrzej Jagielski +Tested-by: Imam Hassan Reza Biswas +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_main.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c +index 7140c1386143..21ab7d2caddf 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c +@@ -6878,6 +6878,8 @@ static int i40e_validate_mqprio_qopt(struct i40e_vsi *vsi, + } + if (vsi->num_queue_pairs < + (mqprio_qopt->qopt.offset[i] + mqprio_qopt->qopt.count[i])) { ++ dev_err(&vsi->back->pdev->dev, ++ "Failed to create traffic channel, insufficient number of queues.\n"); + return -EINVAL; + } + if (sum_max_rate > i40e_get_link_speed(vsi)) { +-- +2.30.2 + diff --git a/queue-5.4/i40e-fix-logic-of-disabling-queues.patch b/queue-5.4/i40e-fix-logic-of-disabling-queues.patch new file mode 100644 index 00000000000..24f10f461fc --- /dev/null +++ b/queue-5.4/i40e-fix-logic-of-disabling-queues.patch @@ -0,0 +1,159 @@ +From 4c2a041553946708f0e6e4276dba05f2c0239279 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Apr 2021 19:49:47 +0200 +Subject: i40e: Fix logic of disabling queues + +From: Arkadiusz Kubalewski + +[ Upstream commit 65662a8dcdd01342b71ee44234bcfd0162e195af ] + +Correct the message flow between driver and firmware when disabling +queues. + +Previously in case of PF reset (due to required reinit after reconfig), +the error like: "VSI seid 397 Tx ring 60 disable timeout" could show up +occasionally. The error was not a real issue of hardware or firmware, +it was caused by wrong sequence of messages invoked by the driver. + +Fixes: 41c445ff0f48 ("i40e: main driver core") +Signed-off-by: Aleksandr Loktionov +Signed-off-by: Arkadiusz Kubalewski +Tested-by: Tony Brelinski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_main.c | 58 ++++++++++++--------- + 1 file changed, 34 insertions(+), 24 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c +index 4f4ec1f166ef..3514e36d1487 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c +@@ -4403,11 +4403,10 @@ int i40e_control_wait_tx_q(int seid, struct i40e_pf *pf, int pf_q, + } + + /** +- * i40e_vsi_control_tx - Start or stop a VSI's rings ++ * i40e_vsi_enable_tx - Start a VSI's rings + * @vsi: the VSI being configured +- * @enable: start or stop the rings + **/ +-static int i40e_vsi_control_tx(struct i40e_vsi *vsi, bool enable) ++static int i40e_vsi_enable_tx(struct i40e_vsi *vsi) + { + struct i40e_pf *pf = vsi->back; + int i, pf_q, ret = 0; +@@ -4416,7 +4415,7 @@ static int i40e_vsi_control_tx(struct i40e_vsi *vsi, bool enable) + for (i = 0; i < vsi->num_queue_pairs; i++, pf_q++) { + ret = i40e_control_wait_tx_q(vsi->seid, pf, + pf_q, +- false /*is xdp*/, enable); ++ false /*is xdp*/, true); + if (ret) + break; + +@@ -4425,7 +4424,7 @@ static int i40e_vsi_control_tx(struct i40e_vsi *vsi, bool enable) + + ret = i40e_control_wait_tx_q(vsi->seid, pf, + pf_q + vsi->alloc_queue_pairs, +- true /*is xdp*/, enable); ++ true /*is xdp*/, true); + if (ret) + break; + } +@@ -4523,32 +4522,25 @@ int i40e_control_wait_rx_q(struct i40e_pf *pf, int pf_q, bool enable) + } + + /** +- * i40e_vsi_control_rx - Start or stop a VSI's rings ++ * i40e_vsi_enable_rx - Start a VSI's rings + * @vsi: the VSI being configured +- * @enable: start or stop the rings + **/ +-static int i40e_vsi_control_rx(struct i40e_vsi *vsi, bool enable) ++static int i40e_vsi_enable_rx(struct i40e_vsi *vsi) + { + struct i40e_pf *pf = vsi->back; + int i, pf_q, ret = 0; + + pf_q = vsi->base_queue; + for (i = 0; i < vsi->num_queue_pairs; i++, pf_q++) { +- ret = i40e_control_wait_rx_q(pf, pf_q, enable); ++ ret = i40e_control_wait_rx_q(pf, pf_q, true); + if (ret) { + dev_info(&pf->pdev->dev, +- "VSI seid %d Rx ring %d %sable timeout\n", +- vsi->seid, pf_q, (enable ? "en" : "dis")); ++ "VSI seid %d Rx ring %d enable timeout\n", ++ vsi->seid, pf_q); + break; + } + } + +- /* Due to HW errata, on Rx disable only, the register can indicate done +- * before it really is. Needs 50ms to be sure +- */ +- if (!enable) +- mdelay(50); +- + return ret; + } + +@@ -4561,29 +4553,47 @@ int i40e_vsi_start_rings(struct i40e_vsi *vsi) + int ret = 0; + + /* do rx first for enable and last for disable */ +- ret = i40e_vsi_control_rx(vsi, true); ++ ret = i40e_vsi_enable_rx(vsi); + if (ret) + return ret; +- ret = i40e_vsi_control_tx(vsi, true); ++ ret = i40e_vsi_enable_tx(vsi); + + return ret; + } + ++#define I40E_DISABLE_TX_GAP_MSEC 50 ++ + /** + * i40e_vsi_stop_rings - Stop a VSI's rings + * @vsi: the VSI being configured + **/ + void i40e_vsi_stop_rings(struct i40e_vsi *vsi) + { ++ struct i40e_pf *pf = vsi->back; ++ int pf_q, err, q_end; ++ + /* When port TX is suspended, don't wait */ + if (test_bit(__I40E_PORT_SUSPENDED, vsi->back->state)) + return i40e_vsi_stop_rings_no_wait(vsi); + +- /* do rx first for enable and last for disable +- * Ignore return value, we need to shutdown whatever we can +- */ +- i40e_vsi_control_tx(vsi, false); +- i40e_vsi_control_rx(vsi, false); ++ q_end = vsi->base_queue + vsi->num_queue_pairs; ++ for (pf_q = vsi->base_queue; pf_q < q_end; pf_q++) ++ i40e_pre_tx_queue_cfg(&pf->hw, (u32)pf_q, false); ++ ++ for (pf_q = vsi->base_queue; pf_q < q_end; pf_q++) { ++ err = i40e_control_wait_rx_q(pf, pf_q, false); ++ if (err) ++ dev_info(&pf->pdev->dev, ++ "VSI seid %d Rx ring %d dissable timeout\n", ++ vsi->seid, pf_q); ++ } ++ ++ msleep(I40E_DISABLE_TX_GAP_MSEC); ++ pf_q = vsi->base_queue; ++ for (pf_q = vsi->base_queue; pf_q < q_end; pf_q++) ++ wr32(&pf->hw, I40E_QTX_ENA(pf_q), 0); ++ ++ i40e_vsi_wait_queues_disabled(vsi); + } + + /** +-- +2.30.2 + diff --git a/queue-5.4/i40e-fix-queue-to-tc-mapping-on-tx.patch b/queue-5.4/i40e-fix-queue-to-tc-mapping-on-tx.patch new file mode 100644 index 00000000000..374480c8e37 --- /dev/null +++ b/queue-5.4/i40e-fix-queue-to-tc-mapping-on-tx.patch @@ -0,0 +1,118 @@ +From bfd27153468cd7ae761da22cc482edebac211300 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Jun 2021 00:47:03 +0000 +Subject: i40e: Fix queue-to-TC mapping on Tx + +From: Jedrzej Jagielski + +[ Upstream commit 89ec1f0886c127c7e41ac61a6b6d539f4fb2510b ] + +In SW DCB mode the packets sent receive incorrect UP tags. They are +constructed correctly and put into tx_ring, but UP is later remapped by +HW on the basis of TCTUPR register contents according to Tx queue +selected, and BW used is consistent with the new UP values. This is +caused by Tx queue selection in kernel not taking into account DCB +configuration. This patch fixes the issue by implementing the +ndo_select_queue NDO callback. + +Fixes: fd0a05ce74ef ("i40e: transmit, receive, and NAPI") +Signed-off-by: Arkadiusz Kubalewski +Signed-off-by: Jedrzej Jagielski +Tested-by: Imam Hassan Reza Biswas +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_main.c | 1 + + drivers/net/ethernet/intel/i40e/i40e_txrx.c | 50 +++++++++++++++++++++ + drivers/net/ethernet/intel/i40e/i40e_txrx.h | 2 + + 3 files changed, 53 insertions(+) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c +index 3514e36d1487..7140c1386143 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c +@@ -12893,6 +12893,7 @@ static const struct net_device_ops i40e_netdev_ops = { + .ndo_poll_controller = i40e_netpoll, + #endif + .ndo_setup_tc = __i40e_setup_tc, ++ .ndo_select_queue = i40e_lan_select_queue, + .ndo_set_features = i40e_set_features, + .ndo_set_vf_mac = i40e_ndo_set_vf_mac, + .ndo_set_vf_vlan = i40e_ndo_set_vf_port_vlan, +diff --git a/drivers/net/ethernet/intel/i40e/i40e_txrx.c b/drivers/net/ethernet/intel/i40e/i40e_txrx.c +index 68a2fcf4c0bf..8e38c547b53f 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_txrx.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_txrx.c +@@ -3521,6 +3521,56 @@ dma_error: + return -1; + } + ++static u16 i40e_swdcb_skb_tx_hash(struct net_device *dev, ++ const struct sk_buff *skb, ++ u16 num_tx_queues) ++{ ++ u32 jhash_initval_salt = 0xd631614b; ++ u32 hash; ++ ++ if (skb->sk && skb->sk->sk_hash) ++ hash = skb->sk->sk_hash; ++ else ++ hash = (__force u16)skb->protocol ^ skb->hash; ++ ++ hash = jhash_1word(hash, jhash_initval_salt); ++ ++ return (u16)(((u64)hash * num_tx_queues) >> 32); ++} ++ ++u16 i40e_lan_select_queue(struct net_device *netdev, ++ struct sk_buff *skb, ++ struct net_device __always_unused *sb_dev) ++{ ++ struct i40e_netdev_priv *np = netdev_priv(netdev); ++ struct i40e_vsi *vsi = np->vsi; ++ struct i40e_hw *hw; ++ u16 qoffset; ++ u16 qcount; ++ u8 tclass; ++ u16 hash; ++ u8 prio; ++ ++ /* is DCB enabled at all? */ ++ if (vsi->tc_config.numtc == 1) ++ return i40e_swdcb_skb_tx_hash(netdev, skb, ++ netdev->real_num_tx_queues); ++ ++ prio = skb->priority; ++ hw = &vsi->back->hw; ++ tclass = hw->local_dcbx_config.etscfg.prioritytable[prio]; ++ /* sanity check */ ++ if (unlikely(!(vsi->tc_config.enabled_tc & BIT(tclass)))) ++ tclass = 0; ++ ++ /* select a queue assigned for the given TC */ ++ qcount = vsi->tc_config.tc_info[tclass].qcount; ++ hash = i40e_swdcb_skb_tx_hash(netdev, skb, qcount); ++ ++ qoffset = vsi->tc_config.tc_info[tclass].qoffset; ++ return qoffset + hash; ++} ++ + /** + * i40e_xmit_xdp_ring - transmits an XDP buffer to an XDP Tx ring + * @xdp: data to transmit +diff --git a/drivers/net/ethernet/intel/i40e/i40e_txrx.h b/drivers/net/ethernet/intel/i40e/i40e_txrx.h +index 36d37f31a287..ba4ce80efeb0 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_txrx.h ++++ b/drivers/net/ethernet/intel/i40e/i40e_txrx.h +@@ -481,6 +481,8 @@ static inline unsigned int i40e_rx_pg_order(struct i40e_ring *ring) + + bool i40e_alloc_rx_buffers(struct i40e_ring *rxr, u16 cleaned_count); + netdev_tx_t i40e_lan_xmit_frame(struct sk_buff *skb, struct net_device *netdev); ++u16 i40e_lan_select_queue(struct net_device *netdev, struct sk_buff *skb, ++ struct net_device *sb_dev); + void i40e_clean_tx_ring(struct i40e_ring *tx_ring); + void i40e_clean_rx_ring(struct i40e_ring *rx_ring); + int i40e_setup_tx_descriptors(struct i40e_ring *tx_ring); +-- +2.30.2 + diff --git a/queue-5.4/mlx4-fix-missing-error-code-in-mlx4_load_one.patch b/queue-5.4/mlx4-fix-missing-error-code-in-mlx4_load_one.patch new file mode 100644 index 00000000000..8ff78a3c9b6 --- /dev/null +++ b/queue-5.4/mlx4-fix-missing-error-code-in-mlx4_load_one.patch @@ -0,0 +1,42 @@ +From 78d820e15c9b0f806a0213a8f185dca9ea2ac8b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Jul 2021 18:36:09 +0800 +Subject: mlx4: Fix missing error code in mlx4_load_one() + +From: Jiapeng Chong + +[ Upstream commit 7e4960b3d66d7248b23de3251118147812b42da2 ] + +The error code is missing in this code scenario, add the error code +'-EINVAL' to the return value 'err'. + +Eliminate the follow smatch warning: + +drivers/net/ethernet/mellanox/mlx4/main.c:3538 mlx4_load_one() warn: +missing error code 'err'. + +Reported-by: Abaci Robot +Fixes: 7ae0e400cd93 ("net/mlx4_core: Flexible (asymmetric) allocation of EQs and MSI-X vectors for PF/VFs") +Signed-off-by: Jiapeng Chong +Reviewed-by: Tariq Toukan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx4/main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx4/main.c b/drivers/net/ethernet/mellanox/mlx4/main.c +index cb4664a040ab..35882d6ded8b 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/main.c ++++ b/drivers/net/ethernet/mellanox/mlx4/main.c +@@ -3526,6 +3526,7 @@ slave_start: + + if (!SRIOV_VALID_STATE(dev->flags)) { + mlx4_err(dev, "Invalid SRIOV state\n"); ++ err = -EINVAL; + goto err_close; + } + } +-- +2.30.2 + diff --git a/queue-5.4/net-llc-fix-skb_over_panic.patch b/queue-5.4/net-llc-fix-skb_over_panic.patch new file mode 100644 index 00000000000..f4abf7cbba2 --- /dev/null +++ b/queue-5.4/net-llc-fix-skb_over_panic.patch @@ -0,0 +1,161 @@ +From 6ee163d932473015a742cc04aaad4bb83c182284 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 25 Jul 2021 00:11:59 +0300 +Subject: net: llc: fix skb_over_panic + +From: Pavel Skripkin + +[ Upstream commit c7c9d2102c9c098916ab9e0ab248006107d00d6c ] + +Syzbot reported skb_over_panic() in llc_pdu_init_as_xid_cmd(). The +problem was in wrong LCC header manipulations. + +Syzbot's reproducer tries to send XID packet. llc_ui_sendmsg() is +doing following steps: + + 1. skb allocation with size = len + header size + len is passed from userpace and header size + is 3 since addr->sllc_xid is set. + + 2. skb_reserve() for header_len = 3 + 3. filling all other space with memcpy_from_msg() + +Ok, at this moment we have fully loaded skb, only headers needs to be +filled. + +Then code comes to llc_sap_action_send_xid_c(). This function pushes 3 +bytes for LLC PDU header and initializes it. Then comes +llc_pdu_init_as_xid_cmd(). It initalizes next 3 bytes *AFTER* LLC PDU +header and call skb_push(skb, 3). This looks wrong for 2 reasons: + + 1. Bytes rigth after LLC header are user data, so this function + was overwriting payload. + + 2. skb_push(skb, 3) call can cause skb_over_panic() since + all free space was filled in llc_ui_sendmsg(). (This can + happen is user passed 686 len: 686 + 14 (eth header) + 3 (LLC + header) = 703. SKB_DATA_ALIGN(703) = 704) + +So, in this patch I added 2 new private constansts: LLC_PDU_TYPE_U_XID +and LLC_PDU_LEN_U_XID. LLC_PDU_LEN_U_XID is used to correctly reserve +header size to handle LLC + XID case. LLC_PDU_TYPE_U_XID is used by +llc_pdu_header_init() function to push 6 bytes instead of 3. And finally +I removed skb_push() call from llc_pdu_init_as_xid_cmd(). + +This changes should not affect other parts of LLC, since after +all steps we just transmit buffer. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-and-tested-by: syzbot+5e5a981ad7cc54c4b2b4@syzkaller.appspotmail.com +Signed-off-by: Pavel Skripkin +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/net/llc_pdu.h | 31 +++++++++++++++++++++++-------- + net/llc/af_llc.c | 10 +++++++++- + net/llc/llc_s_ac.c | 2 +- + 3 files changed, 33 insertions(+), 10 deletions(-) + +diff --git a/include/net/llc_pdu.h b/include/net/llc_pdu.h +index c0f0a13ed818..49aa79c7b278 100644 +--- a/include/net/llc_pdu.h ++++ b/include/net/llc_pdu.h +@@ -15,9 +15,11 @@ + #include + + /* Lengths of frame formats */ +-#define LLC_PDU_LEN_I 4 /* header and 2 control bytes */ +-#define LLC_PDU_LEN_S 4 +-#define LLC_PDU_LEN_U 3 /* header and 1 control byte */ ++#define LLC_PDU_LEN_I 4 /* header and 2 control bytes */ ++#define LLC_PDU_LEN_S 4 ++#define LLC_PDU_LEN_U 3 /* header and 1 control byte */ ++/* header and 1 control byte and XID info */ ++#define LLC_PDU_LEN_U_XID (LLC_PDU_LEN_U + sizeof(struct llc_xid_info)) + /* Known SAP addresses */ + #define LLC_GLOBAL_SAP 0xFF + #define LLC_NULL_SAP 0x00 /* not network-layer visible */ +@@ -50,9 +52,10 @@ + #define LLC_PDU_TYPE_U_MASK 0x03 /* 8-bit control field */ + #define LLC_PDU_TYPE_MASK 0x03 + +-#define LLC_PDU_TYPE_I 0 /* first bit */ +-#define LLC_PDU_TYPE_S 1 /* first two bits */ +-#define LLC_PDU_TYPE_U 3 /* first two bits */ ++#define LLC_PDU_TYPE_I 0 /* first bit */ ++#define LLC_PDU_TYPE_S 1 /* first two bits */ ++#define LLC_PDU_TYPE_U 3 /* first two bits */ ++#define LLC_PDU_TYPE_U_XID 4 /* private type for detecting XID commands */ + + #define LLC_PDU_TYPE_IS_I(pdu) \ + ((!(pdu->ctrl_1 & LLC_PDU_TYPE_I_MASK)) ? 1 : 0) +@@ -230,9 +233,18 @@ static inline struct llc_pdu_un *llc_pdu_un_hdr(struct sk_buff *skb) + static inline void llc_pdu_header_init(struct sk_buff *skb, u8 type, + u8 ssap, u8 dsap, u8 cr) + { +- const int hlen = type == LLC_PDU_TYPE_U ? 3 : 4; ++ int hlen = 4; /* default value for I and S types */ + struct llc_pdu_un *pdu; + ++ switch (type) { ++ case LLC_PDU_TYPE_U: ++ hlen = 3; ++ break; ++ case LLC_PDU_TYPE_U_XID: ++ hlen = 6; ++ break; ++ } ++ + skb_push(skb, hlen); + skb_reset_network_header(skb); + pdu = llc_pdu_un_hdr(skb); +@@ -374,7 +386,10 @@ static inline void llc_pdu_init_as_xid_cmd(struct sk_buff *skb, + xid_info->fmt_id = LLC_XID_FMT_ID; /* 0x81 */ + xid_info->type = svcs_supported; + xid_info->rw = rx_window << 1; /* size of receive window */ +- skb_put(skb, sizeof(struct llc_xid_info)); ++ ++ /* no need to push/put since llc_pdu_header_init() has already ++ * pushed 3 + 3 bytes ++ */ + } + + /** +diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c +index fa0f3c1543ba..0b3adf7594ff 100644 +--- a/net/llc/af_llc.c ++++ b/net/llc/af_llc.c +@@ -98,8 +98,16 @@ static inline u8 llc_ui_header_len(struct sock *sk, struct sockaddr_llc *addr) + { + u8 rc = LLC_PDU_LEN_U; + +- if (addr->sllc_test || addr->sllc_xid) ++ if (addr->sllc_test) + rc = LLC_PDU_LEN_U; ++ else if (addr->sllc_xid) ++ /* We need to expand header to sizeof(struct llc_xid_info) ++ * since llc_pdu_init_as_xid_cmd() sets 4,5,6 bytes of LLC header ++ * as XID PDU. In llc_ui_sendmsg() we reserved header size and then ++ * filled all other space with user data. If we won't reserve this ++ * bytes, llc_pdu_init_as_xid_cmd() will overwrite user data ++ */ ++ rc = LLC_PDU_LEN_U_XID; + else if (sk->sk_type == SOCK_STREAM) + rc = LLC_PDU_LEN_I; + return rc; +diff --git a/net/llc/llc_s_ac.c b/net/llc/llc_s_ac.c +index 7ae4cc684d3a..9fa3342c7a82 100644 +--- a/net/llc/llc_s_ac.c ++++ b/net/llc/llc_s_ac.c +@@ -79,7 +79,7 @@ int llc_sap_action_send_xid_c(struct llc_sap *sap, struct sk_buff *skb) + struct llc_sap_state_ev *ev = llc_sap_ev(skb); + int rc; + +- llc_pdu_header_init(skb, LLC_PDU_TYPE_U, ev->saddr.lsap, ++ llc_pdu_header_init(skb, LLC_PDU_TYPE_U_XID, ev->saddr.lsap, + ev->daddr.lsap, LLC_PDU_CMD); + llc_pdu_init_as_xid_cmd(skb, LLC_XID_NULL_CLASS_2, 0); + rc = llc_mac_hdr_init(skb, ev->saddr.mac, ev->daddr.mac); +-- +2.30.2 + diff --git a/queue-5.4/net-mlx5-fix-flow-table-chaining.patch b/queue-5.4/net-mlx5-fix-flow-table-chaining.patch new file mode 100644 index 00000000000..44bf839c3d0 --- /dev/null +++ b/queue-5.4/net-mlx5-fix-flow-table-chaining.patch @@ -0,0 +1,88 @@ +From 49eb45e0dcb694c0520e2eea3c7f2ea0c4e1764f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Jul 2021 09:20:14 +0300 +Subject: net/mlx5: Fix flow table chaining + +From: Maor Gottlieb + +[ Upstream commit 8b54874ef1617185048029a3083d510569e93751 ] + +Fix a bug when flow table is created in priority that already +has other flow tables as shown in the below diagram. +If the new flow table (FT-B) has the lowest level in the priority, +we need to connect the flow tables from the previous priority (p0) +to this new table. In addition when this flow table is destroyed +(FT-B), we need to connect the flow tables from the previous +priority (p0) to the next level flow table (FT-C) in the same +priority of the destroyed table (if exists). + + --------- + |root_ns| + --------- + | + -------------------------------- + | | | + ---------- ---------- --------- + |p(prio)-x| | p-y | | p-n | + ---------- ---------- --------- + | | + ---------------- ------------------ + |ns(e.g bypass)| |ns(e.g. kernel) | + ---------------- ------------------ + | | | + ------- ------ ---- + | p0 | | p1 | |p2| + ------- ------ ---- + | | \ + -------- ------- ------ + | FT-A | |FT-B | |FT-C| + -------- ------- ------ + +Fixes: f90edfd279f3 ("net/mlx5_core: Connect flow tables") +Signed-off-by: Maor Gottlieb +Reviewed-by: Mark Bloch +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c +index 11e12761b0a6..739bf5dc5a25 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c +@@ -968,17 +968,19 @@ static int connect_fwd_rules(struct mlx5_core_dev *dev, + static int connect_flow_table(struct mlx5_core_dev *dev, struct mlx5_flow_table *ft, + struct fs_prio *prio) + { +- struct mlx5_flow_table *next_ft; ++ struct mlx5_flow_table *next_ft, *first_ft; + int err = 0; + + /* Connect_prev_fts and update_root_ft_create are mutually exclusive */ + +- if (list_empty(&prio->node.children)) { ++ first_ft = list_first_entry_or_null(&prio->node.children, ++ struct mlx5_flow_table, node.list); ++ if (!first_ft || first_ft->level > ft->level) { + err = connect_prev_fts(dev, ft, prio); + if (err) + return err; + +- next_ft = find_next_chained_ft(prio); ++ next_ft = first_ft ? first_ft : find_next_chained_ft(prio); + err = connect_fwd_rules(dev, ft, next_ft); + if (err) + return err; +@@ -2026,7 +2028,7 @@ static int disconnect_flow_table(struct mlx5_flow_table *ft) + node.list) == ft)) + return 0; + +- next_ft = find_next_chained_ft(prio); ++ next_ft = find_next_ft(ft); + err = connect_fwd_rules(dev, next_ft, ft); + if (err) + return err; +-- +2.30.2 + diff --git a/queue-5.4/net-mlx5e-fix-nullptr-in-mlx5e_hairpin_get_mdev.patch b/queue-5.4/net-mlx5e-fix-nullptr-in-mlx5e_hairpin_get_mdev.patch new file mode 100644 index 00000000000..242110f38b2 --- /dev/null +++ b/queue-5.4/net-mlx5e-fix-nullptr-in-mlx5e_hairpin_get_mdev.patch @@ -0,0 +1,97 @@ +From ddcc2e2f42d7245631e40fad22c36fee69d11dc0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Apr 2021 15:16:26 +0300 +Subject: net/mlx5e: Fix nullptr in mlx5e_hairpin_get_mdev() + +From: Dima Chumak + +[ Upstream commit b1c2f6312c5005c928a72e668bf305a589d828d4 ] + +The result of __dev_get_by_index() is not checked for NULL and then gets +dereferenced immediately. + +Also, __dev_get_by_index() must be called while holding either RTNL lock +or @dev_base_lock, which isn't satisfied by mlx5e_hairpin_get_mdev() or +its callers. This makes the underlying hlist_for_each_entry() loop not +safe, and can have adverse effects in itself. + +Fix by using dev_get_by_index() and handling nullptr return value when +ifindex device is not found. Update mlx5e_hairpin_get_mdev() callers to +check for possible PTR_ERR() result. + +Fixes: 77ab67b7f0f9 ("net/mlx5e: Basic setup of hairpin object") +Addresses-Coverity: ("Dereference null return value") +Signed-off-by: Dima Chumak +Reviewed-by: Vlad Buslov +Reviewed-by: Roi Dayan +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + .../net/ethernet/mellanox/mlx5/core/en_tc.c | 33 +++++++++++++++++-- + 1 file changed, 31 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c +index 9d26463f3fa5..5abc15a92cfa 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c +@@ -444,12 +444,32 @@ static void mlx5e_detach_mod_hdr(struct mlx5e_priv *priv, + static + struct mlx5_core_dev *mlx5e_hairpin_get_mdev(struct net *net, int ifindex) + { ++ struct mlx5_core_dev *mdev; + struct net_device *netdev; + struct mlx5e_priv *priv; + +- netdev = __dev_get_by_index(net, ifindex); ++ netdev = dev_get_by_index(net, ifindex); ++ if (!netdev) ++ return ERR_PTR(-ENODEV); ++ + priv = netdev_priv(netdev); +- return priv->mdev; ++ mdev = priv->mdev; ++ dev_put(netdev); ++ ++ /* Mirred tc action holds a refcount on the ifindex net_device (see ++ * net/sched/act_mirred.c:tcf_mirred_get_dev). So, it's okay to continue using mdev ++ * after dev_put(netdev), while we're in the context of adding a tc flow. ++ * ++ * The mdev pointer corresponds to the peer/out net_device of a hairpin. It is then ++ * stored in a hairpin object, which exists until all flows, that refer to it, get ++ * removed. ++ * ++ * On the other hand, after a hairpin object has been created, the peer net_device may ++ * be removed/unbound while there are still some hairpin flows that are using it. This ++ * case is handled by mlx5e_tc_hairpin_update_dead_peer, which is hooked to ++ * NETDEV_UNREGISTER event of the peer net_device. ++ */ ++ return mdev; + } + + static int mlx5e_hairpin_create_transport(struct mlx5e_hairpin *hp) +@@ -648,6 +668,10 @@ mlx5e_hairpin_create(struct mlx5e_priv *priv, struct mlx5_hairpin_params *params + + func_mdev = priv->mdev; + peer_mdev = mlx5e_hairpin_get_mdev(dev_net(priv->netdev), peer_ifindex); ++ if (IS_ERR(peer_mdev)) { ++ err = PTR_ERR(peer_mdev); ++ goto create_pair_err; ++ } + + pair = mlx5_core_hairpin_create(func_mdev, peer_mdev, params); + if (IS_ERR(pair)) { +@@ -786,6 +810,11 @@ static int mlx5e_hairpin_flow_add(struct mlx5e_priv *priv, + int err; + + peer_mdev = mlx5e_hairpin_get_mdev(dev_net(priv->netdev), peer_ifindex); ++ if (IS_ERR(peer_mdev)) { ++ NL_SET_ERR_MSG_MOD(extack, "invalid ifindex of mirred device"); ++ return PTR_ERR(peer_mdev); ++ } ++ + if (!MLX5_CAP_GEN(priv->mdev, hairpin) || !MLX5_CAP_GEN(peer_mdev, hairpin)) { + NL_SET_ERR_MSG_MOD(extack, "hairpin is not supported"); + return -EOPNOTSUPP; +-- +2.30.2 + diff --git a/queue-5.4/net-set-true-network-header-for-ecn-decapsulation.patch b/queue-5.4/net-set-true-network-header-for-ecn-decapsulation.patch new file mode 100644 index 00000000000..3cc2cd3e99f --- /dev/null +++ b/queue-5.4/net-set-true-network-header-for-ecn-decapsulation.patch @@ -0,0 +1,97 @@ +From 214d0ce76f91b869e52cc2e81de35600ba5a3207 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Jul 2021 20:01:28 +0300 +Subject: net: Set true network header for ECN decapsulation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Gilad Naaman + +[ Upstream commit 227adfb2b1dfbc53dfc53b9dd7a93a6298ff7c56 ] + +In cases where the header straight after the tunnel header was +another ethernet header (TEB), instead of the network header, +the ECN decapsulation code would treat the ethernet header as if +it was an IP header, resulting in mishandling and possible +wrong drops or corruption of the IP header. + +In this case, ECT(1) is sent, so IP_ECN_decapsulate tries to copy it to the +inner IPv4 header, and correct its checksum. + +The offset of the ECT bits in an IPv4 header corresponds to the +lower 2 bits of the second octet of the destination MAC address +in the ethernet header. +The IPv4 checksum corresponds to end of the source address. + +In order to reproduce: + + $ ip netns add A + $ ip netns add B + $ ip -n A link add _v0 type veth peer name _v1 netns B + $ ip -n A link set _v0 up + $ ip -n A addr add dev _v0 10.254.3.1/24 + $ ip -n A route add default dev _v0 scope global + $ ip -n B link set _v1 up + $ ip -n B addr add dev _v1 10.254.1.6/24 + $ ip -n B route add default dev _v1 scope global + $ ip -n B link add gre1 type gretap local 10.254.1.6 remote 10.254.3.1 key 0x49000000 + $ ip -n B link set gre1 up + + # Now send an IPv4/GRE/Eth/IPv4 frame where the outer header has ECT(1), + # and the inner header has no ECT bits set: + + $ cat send_pkt.py + #!/usr/bin/env python3 + from scapy.all import * + + pkt = IP(b'E\x01\x00\xa7\x00\x00\x00\x00@/`%\n\xfe\x03\x01\n\xfe\x01\x06 \x00eXI\x00' + b'\x00\x00\x18\xbe\x92\xa0\xee&\x18\xb0\x92\xa0l&\x08\x00E\x00\x00}\x8b\x85' + b'@\x00\x01\x01\xe4\xf2\x82\x82\x82\x01\x82\x82\x82\x02\x08\x00d\x11\xa6\xeb' + b'3\x1e\x1e\\xf3\\xf7`\x00\x00\x00\x00ZN\x00\x00\x00\x00\x00\x00\x10\x11\x12' + b'\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !"#$%&\'()*+,-./01234' + b'56789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ') + + send(pkt) + $ sudo ip netns exec B tcpdump -neqlllvi gre1 icmp & ; sleep 1 + $ sudo ip netns exec A python3 send_pkt.py + +In the original packet, the source/destinatio MAC addresses are +dst=18:be:92:a0:ee:26 src=18:b0:92:a0:6c:26 + +In the received packet, they are +dst=18:bd:92:a0:ee:26 src=18:b0:92:a0:6c:27 + +Thanks to Lahav Schlesinger and Isaac Garzon +for helping me pinpoint the origin. + +Fixes: b723748750ec ("tunnel: Propagate ECT(1) when decapsulating as recommended by RFC6040") +Cc: David S. Miller +Cc: Hideaki YOSHIFUJI +Cc: David Ahern +Cc: Jakub Kicinski +Cc: Toke Høiland-Jørgensen +Signed-off-by: Gilad Naaman +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/ip_tunnel.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c +index eb381a24a8f8..38d3095ef979 100644 +--- a/net/ipv4/ip_tunnel.c ++++ b/net/ipv4/ip_tunnel.c +@@ -391,7 +391,7 @@ int ip_tunnel_rcv(struct ip_tunnel *tunnel, struct sk_buff *skb, + tunnel->i_seqno = ntohl(tpi->seq) + 1; + } + +- skb_reset_network_header(skb); ++ skb_set_network_header(skb, (tunnel->dev->type == ARPHRD_ETHER) ? ETH_HLEN : 0); + + err = IP_ECN_decapsulate(iph, skb); + if (unlikely(err)) { +-- +2.30.2 + diff --git a/queue-5.4/netfilter-conntrack-adjust-stop-timestamp-to-real-ex.patch b/queue-5.4/netfilter-conntrack-adjust-stop-timestamp-to-real-ex.patch new file mode 100644 index 00000000000..9d92f7909f7 --- /dev/null +++ b/queue-5.4/netfilter-conntrack-adjust-stop-timestamp-to-real-ex.patch @@ -0,0 +1,44 @@ +From 49116537838effe043bbb76618b5bda03c607b67 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Jul 2021 18:36:00 +0200 +Subject: netfilter: conntrack: adjust stop timestamp to real expiry value + +From: Florian Westphal + +[ Upstream commit 30a56a2b881821625f79837d4d968c679852444e ] + +In case the entry is evicted via garbage collection there is +delay between the timeout value and the eviction event. + +This adjusts the stop value based on how much time has passed. + +Fixes: b87a2f9199ea82 ("netfilter: conntrack: add gc worker to remove timed-out entries") +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_core.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c +index 9a40312b1f16..4a988ce4264c 100644 +--- a/net/netfilter/nf_conntrack_core.c ++++ b/net/netfilter/nf_conntrack_core.c +@@ -660,8 +660,13 @@ bool nf_ct_delete(struct nf_conn *ct, u32 portid, int report) + return false; + + tstamp = nf_conn_tstamp_find(ct); +- if (tstamp && tstamp->stop == 0) ++ if (tstamp) { ++ s32 timeout = ct->timeout - nfct_time_stamp; ++ + tstamp->stop = ktime_get_real_ns(); ++ if (timeout < 0) ++ tstamp->stop -= jiffies_to_nsecs(-timeout); ++ } + + if (nf_conntrack_event_report(IPCT_DESTROY, ct, + portid, report) < 0) { +-- +2.30.2 + diff --git a/queue-5.4/netfilter-nft_nat-allow-to-specify-layer-4-protocol-.patch b/queue-5.4/netfilter-nft_nat-allow-to-specify-layer-4-protocol-.patch new file mode 100644 index 00000000000..44089514bcf --- /dev/null +++ b/queue-5.4/netfilter-nft_nat-allow-to-specify-layer-4-protocol-.patch @@ -0,0 +1,36 @@ +From 816f838f06bb69aceb469f8db6fcd843303f3558 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jul 2021 18:22:50 +0200 +Subject: netfilter: nft_nat: allow to specify layer 4 protocol NAT only + +From: Pablo Neira Ayuso + +[ Upstream commit a33f387ecd5aafae514095c2c4a8c24f7aea7e8b ] + +nft_nat reports a bogus EAFNOSUPPORT if no layer 3 information is specified. + +Fixes: d07db9884a5f ("netfilter: nf_tables: introduce nft_validate_register_load()") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_nat.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nft_nat.c b/net/netfilter/nft_nat.c +index 243e8107f456..17c0f75dfcdb 100644 +--- a/net/netfilter/nft_nat.c ++++ b/net/netfilter/nft_nat.c +@@ -147,7 +147,9 @@ static int nft_nat_init(const struct nft_ctx *ctx, const struct nft_expr *expr, + alen = FIELD_SIZEOF(struct nf_nat_range, min_addr.ip6); + break; + default: +- return -EAFNOSUPPORT; ++ if (tb[NFTA_NAT_REG_ADDR_MIN]) ++ return -EAFNOSUPPORT; ++ break; + } + priv->family = family; + +-- +2.30.2 + diff --git a/queue-5.4/sctp-fix-return-value-check-in-__sctp_rcv_asconf_loo.patch b/queue-5.4/sctp-fix-return-value-check-in-__sctp_rcv_asconf_loo.patch new file mode 100644 index 00000000000..f8d864405aa --- /dev/null +++ b/queue-5.4/sctp-fix-return-value-check-in-__sctp_rcv_asconf_loo.patch @@ -0,0 +1,38 @@ +From 0bb065b14188dd723028bc1d450a653497c4db1c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Jul 2021 23:40:54 -0300 +Subject: sctp: fix return value check in __sctp_rcv_asconf_lookup + +From: Marcelo Ricardo Leitner + +[ Upstream commit 557fb5862c9272ad9b21407afe1da8acfd9b53eb ] + +As Ben Hutchings noticed, this check should have been inverted: the call +returns true in case of success. + +Reported-by: Ben Hutchings +Fixes: 0c5dc070ff3d ("sctp: validate from_addr_param return") +Signed-off-by: Marcelo Ricardo Leitner +Reviewed-by: Xin Long +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sctp/input.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/sctp/input.c b/net/sctp/input.c +index ab84ebf1af4a..db4f917aafd9 100644 +--- a/net/sctp/input.c ++++ b/net/sctp/input.c +@@ -1175,7 +1175,7 @@ static struct sctp_association *__sctp_rcv_asconf_lookup( + if (unlikely(!af)) + return NULL; + +- if (af->from_addr_param(&paddr, param, peer_port, 0)) ++ if (!af->from_addr_param(&paddr, param, peer_port, 0)) + return NULL; + + return __sctp_lookup_association(net, laddr, &paddr, transportp); +-- +2.30.2 + diff --git a/queue-5.4/series b/queue-5.4/series index 922f66b6b85..b23f3e25b94 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -17,3 +17,19 @@ hid-wacom-re-enable-touch-by-default-for-cintiq-24hdt-27qhdt.patch niu-fix-incorrect-error-return-missed-in-previous-revert.patch nfc-nfcsim-fix-use-after-free-during-module-unload.patch cfg80211-fix-possible-memory-leak-in-function-cfg80211_bss_update.patch +netfilter-conntrack-adjust-stop-timestamp-to-real-ex.patch +netfilter-nft_nat-allow-to-specify-layer-4-protocol-.patch +i40e-fix-logic-of-disabling-queues.patch +i40e-fix-firmware-lldp-agent-related-warning.patch +i40e-fix-queue-to-tc-mapping-on-tx.patch +i40e-fix-log-tc-creation-failure-when-max-num-of-que.patch +tipc-fix-sleeping-in-tipc-accept-routine.patch +net-set-true-network-header-for-ecn-decapsulation.patch +mlx4-fix-missing-error-code-in-mlx4_load_one.patch +net-llc-fix-skb_over_panic.patch +net-mlx5-fix-flow-table-chaining.patch +net-mlx5e-fix-nullptr-in-mlx5e_hairpin_get_mdev.patch +sctp-fix-return-value-check-in-__sctp_rcv_asconf_loo.patch +tulip-windbond-840-fix-missing-pci_disable_device-in.patch +sis900-fix-missing-pci_disable_device-in-probe-and-r.patch +can-hi311x-fix-a-signedness-bug-in-hi3110_cmd.patch diff --git a/queue-5.4/sis900-fix-missing-pci_disable_device-in-probe-and-r.patch b/queue-5.4/sis900-fix-missing-pci_disable_device-in-probe-and-r.patch new file mode 100644 index 00000000000..ab828175b80 --- /dev/null +++ b/queue-5.4/sis900-fix-missing-pci_disable_device-in-probe-and-r.patch @@ -0,0 +1,64 @@ +From 8b8175dcf87fca69702188295f760eb403d5c077 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jul 2021 20:11:07 +0800 +Subject: sis900: Fix missing pci_disable_device() in probe and remove + +From: Wang Hai + +[ Upstream commit 89fb62fde3b226f99b7015280cf132e2a7438edf ] + +Replace pci_enable_device() with pcim_enable_device(), +pci_disable_device() and pci_release_regions() will be +called in release automatically. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: Hulk Robot +Signed-off-by: Wang Hai +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/sis/sis900.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/sis/sis900.c b/drivers/net/ethernet/sis/sis900.c +index 44fe2adf0ee0..30990d7a8e40 100644 +--- a/drivers/net/ethernet/sis/sis900.c ++++ b/drivers/net/ethernet/sis/sis900.c +@@ -443,7 +443,7 @@ static int sis900_probe(struct pci_dev *pci_dev, + #endif + + /* setup various bits in PCI command register */ +- ret = pci_enable_device(pci_dev); ++ ret = pcim_enable_device(pci_dev); + if(ret) return ret; + + i = pci_set_dma_mask(pci_dev, DMA_BIT_MASK(32)); +@@ -469,7 +469,7 @@ static int sis900_probe(struct pci_dev *pci_dev, + ioaddr = pci_iomap(pci_dev, 0, 0); + if (!ioaddr) { + ret = -ENOMEM; +- goto err_out_cleardev; ++ goto err_out; + } + + sis_priv = netdev_priv(net_dev); +@@ -579,8 +579,6 @@ err_unmap_tx: + sis_priv->tx_ring_dma); + err_out_unmap: + pci_iounmap(pci_dev, ioaddr); +-err_out_cleardev: +- pci_release_regions(pci_dev); + err_out: + free_netdev(net_dev); + return ret; +@@ -2489,7 +2487,6 @@ static void sis900_remove(struct pci_dev *pci_dev) + sis_priv->tx_ring_dma); + pci_iounmap(pci_dev, sis_priv->ioaddr); + free_netdev(net_dev); +- pci_release_regions(pci_dev); + } + + #ifdef CONFIG_PM +-- +2.30.2 + diff --git a/queue-5.4/tipc-fix-sleeping-in-tipc-accept-routine.patch b/queue-5.4/tipc-fix-sleeping-in-tipc-accept-routine.patch new file mode 100644 index 00000000000..c57ad1fea02 --- /dev/null +++ b/queue-5.4/tipc-fix-sleeping-in-tipc-accept-routine.patch @@ -0,0 +1,62 @@ +From 0ec576428de8da05dd284808afb8da2c2352ae0c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Jul 2021 09:25:34 +0700 +Subject: tipc: fix sleeping in tipc accept routine + +From: Hoang Le + +[ Upstream commit d237a7f11719ff9320721be5818352e48071aab6 ] + +The release_sock() is blocking function, it would change the state +after sleeping. In order to evaluate the stated condition outside +the socket lock context, switch to use wait_woken() instead. + +Fixes: 6398e23cdb1d8 ("tipc: standardize accept routine") +Acked-by: Jon Maloy +Signed-off-by: Hoang Le +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/tipc/socket.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/net/tipc/socket.c b/net/tipc/socket.c +index cdade990fe44..a5922ce9109c 100644 +--- a/net/tipc/socket.c ++++ b/net/tipc/socket.c +@@ -2501,7 +2501,7 @@ static int tipc_listen(struct socket *sock, int len) + static int tipc_wait_for_accept(struct socket *sock, long timeo) + { + struct sock *sk = sock->sk; +- DEFINE_WAIT(wait); ++ DEFINE_WAIT_FUNC(wait, woken_wake_function); + int err; + + /* True wake-one mechanism for incoming connections: only +@@ -2510,12 +2510,12 @@ static int tipc_wait_for_accept(struct socket *sock, long timeo) + * anymore, the common case will execute the loop only once. + */ + for (;;) { +- prepare_to_wait_exclusive(sk_sleep(sk), &wait, +- TASK_INTERRUPTIBLE); + if (timeo && skb_queue_empty(&sk->sk_receive_queue)) { ++ add_wait_queue(sk_sleep(sk), &wait); + release_sock(sk); +- timeo = schedule_timeout(timeo); ++ timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo); + lock_sock(sk); ++ remove_wait_queue(sk_sleep(sk), &wait); + } + err = 0; + if (!skb_queue_empty(&sk->sk_receive_queue)) +@@ -2527,7 +2527,6 @@ static int tipc_wait_for_accept(struct socket *sock, long timeo) + if (signal_pending(current)) + break; + } +- finish_wait(sk_sleep(sk), &wait); + return err; + } + +-- +2.30.2 + diff --git a/queue-5.4/tulip-windbond-840-fix-missing-pci_disable_device-in.patch b/queue-5.4/tulip-windbond-840-fix-missing-pci_disable_device-in.patch new file mode 100644 index 00000000000..51343ea35ba --- /dev/null +++ b/queue-5.4/tulip-windbond-840-fix-missing-pci_disable_device-in.patch @@ -0,0 +1,65 @@ +From 6bfa6826a8a8dbb181fbc1c807546fb5dc740d9e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jul 2021 15:43:13 +0800 +Subject: tulip: windbond-840: Fix missing pci_disable_device() in probe and + remove + +From: Wang Hai + +[ Upstream commit 76a16be07b209a3f507c72abe823bd3af1c8661a ] + +Replace pci_enable_device() with pcim_enable_device(), +pci_disable_device() and pci_release_regions() will be +called in release automatically. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: Hulk Robot +Signed-off-by: Wang Hai +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/dec/tulip/winbond-840.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/dec/tulip/winbond-840.c b/drivers/net/ethernet/dec/tulip/winbond-840.c +index 70cb2d689c2c..79bdd2a79dbd 100644 +--- a/drivers/net/ethernet/dec/tulip/winbond-840.c ++++ b/drivers/net/ethernet/dec/tulip/winbond-840.c +@@ -367,7 +367,7 @@ static int w840_probe1(struct pci_dev *pdev, const struct pci_device_id *ent) + int i, option = find_cnt < MAX_UNITS ? options[find_cnt] : 0; + void __iomem *ioaddr; + +- i = pci_enable_device(pdev); ++ i = pcim_enable_device(pdev); + if (i) return i; + + pci_set_master(pdev); +@@ -389,7 +389,7 @@ static int w840_probe1(struct pci_dev *pdev, const struct pci_device_id *ent) + + ioaddr = pci_iomap(pdev, TULIP_BAR, netdev_res_size); + if (!ioaddr) +- goto err_out_free_res; ++ goto err_out_netdev; + + for (i = 0; i < 3; i++) + ((__le16 *)dev->dev_addr)[i] = cpu_to_le16(eeprom_read(ioaddr, i)); +@@ -468,8 +468,6 @@ static int w840_probe1(struct pci_dev *pdev, const struct pci_device_id *ent) + + err_out_cleardev: + pci_iounmap(pdev, ioaddr); +-err_out_free_res: +- pci_release_regions(pdev); + err_out_netdev: + free_netdev (dev); + return -ENODEV; +@@ -1535,7 +1533,6 @@ static void w840_remove1(struct pci_dev *pdev) + if (dev) { + struct netdev_private *np = netdev_priv(dev); + unregister_netdev(dev); +- pci_release_regions(pdev); + pci_iounmap(pdev, np->base_addr); + free_netdev(dev); + } +-- +2.30.2 +