From: Sasha Levin Date: Sun, 6 Jun 2021 20:55:33 +0000 (-0400) Subject: Fixes for 5.12 X-Git-Tag: v4.4.272~91 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5d5f5df0a950ced832b3652b01cf1f97d6f3de09;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.12 Signed-off-by: Sasha Levin --- diff --git a/queue-5.12/acpica-clean-up-context-mutex-during-object-deletion.patch b/queue-5.12/acpica-clean-up-context-mutex-during-object-deletion.patch new file mode 100644 index 00000000000..ea0b43ac3f1 --- /dev/null +++ b/queue-5.12/acpica-clean-up-context-mutex-during-object-deletion.patch @@ -0,0 +1,46 @@ +From 878859d666bf1f4706e704910fed609a71b41417 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 May 2021 15:28:08 -0700 +Subject: ACPICA: Clean up context mutex during object deletion + +From: Erik Kaneda + +[ Upstream commit e4dfe108371214500ee10c2cf19268f53acaa803 ] + +ACPICA commit bc43c878fd4ff27ba75b1d111b97ee90d4a82707 + +Fixes: c27f3d011b08 ("Fix race in GenericSerialBus (I2C) and GPIO OpRegion parameter handling") +Link: https://github.com/acpica/acpica/commit/bc43c878 +Reported-by: John Garry +Reported-by: Xiang Chen +Tested-by: Xiang Chen +Signed-off-by: Erik Kaneda +Signed-off-by: Bob Moore +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpica/utdelete.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/acpi/acpica/utdelete.c b/drivers/acpi/acpica/utdelete.c +index 624a26794d55..e5ba9795ec69 100644 +--- a/drivers/acpi/acpica/utdelete.c ++++ b/drivers/acpi/acpica/utdelete.c +@@ -285,6 +285,14 @@ static void acpi_ut_delete_internal_obj(union acpi_operand_object *object) + } + break; + ++ case ACPI_TYPE_LOCAL_ADDRESS_HANDLER: ++ ++ ACPI_DEBUG_PRINT((ACPI_DB_ALLOCATIONS, ++ "***** Address handler %p\n", object)); ++ ++ acpi_os_delete_mutex(object->address_space.context_mutex); ++ break; ++ + default: + + break; +-- +2.30.2 + diff --git a/queue-5.12/bpf-lockdown-audit-fix-buggy-selinux-lockdown-permis.patch b/queue-5.12/bpf-lockdown-audit-fix-buggy-selinux-lockdown-permis.patch new file mode 100644 index 00000000000..27135d11216 --- /dev/null +++ b/queue-5.12/bpf-lockdown-audit-fix-buggy-selinux-lockdown-permis.patch @@ -0,0 +1,278 @@ +From ce5c59774cb359ea95b4788cd12e99135f8ee453 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 May 2021 09:16:31 +0000 +Subject: bpf, lockdown, audit: Fix buggy SELinux lockdown permission checks + +From: Daniel Borkmann + +[ Upstream commit ff40e51043af63715ab413995ff46996ecf9583f ] + +Commit 59438b46471a ("security,lockdown,selinux: implement SELinux lockdown") +added an implementation of the locked_down LSM hook to SELinux, with the aim +to restrict which domains are allowed to perform operations that would breach +lockdown. This is indirectly also getting audit subsystem involved to report +events. The latter is problematic, as reported by Ondrej and Serhei, since it +can bring down the whole system via audit: + + 1) The audit events that are triggered due to calls to security_locked_down() + can OOM kill a machine, see below details [0]. + + 2) It also seems to be causing a deadlock via avc_has_perm()/slow_avc_audit() + when trying to wake up kauditd, for example, when using trace_sched_switch() + tracepoint, see details in [1]. Triggering this was not via some hypothetical + corner case, but with existing tools like runqlat & runqslower from bcc, for + example, which make use of this tracepoint. Rough call sequence goes like: + + rq_lock(rq) -> -------------------------+ + trace_sched_switch() -> | + bpf_prog_xyz() -> +-> deadlock + selinux_lockdown() -> | + audit_log_end() -> | + wake_up_interruptible() -> | + try_to_wake_up() -> | + rq_lock(rq) --------------+ + +What's worse is that the intention of 59438b46471a to further restrict lockdown +settings for specific applications in respect to the global lockdown policy is +completely broken for BPF. The SELinux policy rule for the current lockdown check +looks something like this: + + allow : lockdown { }; + +However, this doesn't match with the 'current' task where the security_locked_down() +is executed, example: httpd does a syscall. There is a tracing program attached +to the syscall which triggers a BPF program to run, which ends up doing a +bpf_probe_read_kernel{,_str}() helper call. The selinux_lockdown() hook does +the permission check against 'current', that is, httpd in this example. httpd +has literally zero relation to this tracing program, and it would be nonsensical +having to write an SELinux policy rule against httpd to let the tracing helper +pass. The policy in this case needs to be against the entity that is installing +the BPF program. For example, if bpftrace would generate a histogram of syscall +counts by user space application: + + bpftrace -e 'tracepoint:raw_syscalls:sys_enter { @[comm] = count(); }' + +bpftrace would then go and generate a BPF program from this internally. One way +of doing it [for the sake of the example] could be to call bpf_get_current_task() +helper and then access current->comm via one of bpf_probe_read_kernel{,_str}() +helpers. So the program itself has nothing to do with httpd or any other random +app doing a syscall here. The BPF program _explicitly initiated_ the lockdown +check. The allow/deny policy belongs in the context of bpftrace: meaning, you +want to grant bpftrace access to use these helpers, but other tracers on the +system like my_random_tracer _not_. + +Therefore fix all three issues at the same time by taking a completely different +approach for the security_locked_down() hook, that is, move the check into the +program verification phase where we actually retrieve the BPF func proto. This +also reliably gets the task (current) that is trying to install the BPF tracing +program, e.g. bpftrace/bcc/perf/systemtap/etc, and it also fixes the OOM since +we're moving this out of the BPF helper's fast-path which can be called several +millions of times per second. + +The check is then also in line with other security_locked_down() hooks in the +system where the enforcement is performed at open/load time, for example, +open_kcore() for /proc/kcore access or module_sig_check() for module signatures +just to pick few random ones. What's out of scope in the fix as well as in +other security_locked_down() hook locations /outside/ of BPF subsystem is that +if the lockdown policy changes on the fly there is no retrospective action. +This requires a different discussion, potentially complex infrastructure, and +it's also not clear whether this can be solved generically. Either way, it is +out of scope for a suitable stable fix which this one is targeting. Note that +the breakage is specifically on 59438b46471a where it started to rely on 'current' +as UAPI behavior, and _not_ earlier infrastructure such as 9d1f8be5cf42 ("bpf: +Restrict bpf when kernel lockdown is in confidentiality mode"). + +[0] https://bugzilla.redhat.com/show_bug.cgi?id=1955585, Jakub Hrozek says: + + I starting seeing this with F-34. When I run a container that is traced with + BPF to record the syscalls it is doing, auditd is flooded with messages like: + + type=AVC msg=audit(1619784520.593:282387): avc: denied { confidentiality } + for pid=476 comm="auditd" lockdown_reason="use of bpf to read kernel RAM" + scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:system_r:auditd_t:s0 + tclass=lockdown permissive=0 + + This seems to be leading to auditd running out of space in the backlog buffer + and eventually OOMs the machine. + + [...] + auditd running at 99% CPU presumably processing all the messages, eventually I get: + Apr 30 12:20:42 fedora kernel: audit: backlog limit exceeded + Apr 30 12:20:42 fedora kernel: audit: backlog limit exceeded + Apr 30 12:20:42 fedora kernel: audit: audit_backlog=2152579 > audit_backlog_limit=64 + Apr 30 12:20:42 fedora kernel: audit: audit_backlog=2152626 > audit_backlog_limit=64 + Apr 30 12:20:42 fedora kernel: audit: audit_backlog=2152694 > audit_backlog_limit=64 + Apr 30 12:20:42 fedora kernel: audit: audit_lost=6878426 audit_rate_limit=0 audit_backlog_limit=64 + Apr 30 12:20:45 fedora kernel: oci-seccomp-bpf invoked oom-killer: gfp_mask=0x100cca(GFP_HIGHUSER_MOVABLE), order=0, oom_score_adj=-1000 + Apr 30 12:20:45 fedora kernel: CPU: 0 PID: 13284 Comm: oci-seccomp-bpf Not tainted 5.11.12-300.fc34.x86_64 #1 + Apr 30 12:20:45 fedora kernel: Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-2.fc32 04/01/2014 + [...] + +[1] https://lore.kernel.org/linux-audit/CANYvDQN7H5tVp47fbYcRasv4XF07eUbsDwT_eDCHXJUj43J7jQ@mail.gmail.com/, + Serhei Makarov says: + + Upstream kernel 5.11.0-rc7 and later was found to deadlock during a + bpf_probe_read_compat() call within a sched_switch tracepoint. The problem + is reproducible with the reg_alloc3 testcase from SystemTap's BPF backend + testsuite on x86_64 as well as the runqlat, runqslower tools from bcc on + ppc64le. Example stack trace: + + [...] + [ 730.868702] stack backtrace: + [ 730.869590] CPU: 1 PID: 701 Comm: in:imjournal Not tainted, 5.12.0-0.rc2.20210309git144c79ef3353.166.fc35.x86_64 #1 + [ 730.871605] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-2.fc32 04/01/2014 + [ 730.873278] Call Trace: + [ 730.873770] dump_stack+0x7f/0xa1 + [ 730.874433] check_noncircular+0xdf/0x100 + [ 730.875232] __lock_acquire+0x1202/0x1e10 + [ 730.876031] ? __lock_acquire+0xfc0/0x1e10 + [ 730.876844] lock_acquire+0xc2/0x3a0 + [ 730.877551] ? __wake_up_common_lock+0x52/0x90 + [ 730.878434] ? lock_acquire+0xc2/0x3a0 + [ 730.879186] ? lock_is_held_type+0xa7/0x120 + [ 730.880044] ? skb_queue_tail+0x1b/0x50 + [ 730.880800] _raw_spin_lock_irqsave+0x4d/0x90 + [ 730.881656] ? __wake_up_common_lock+0x52/0x90 + [ 730.882532] __wake_up_common_lock+0x52/0x90 + [ 730.883375] audit_log_end+0x5b/0x100 + [ 730.884104] slow_avc_audit+0x69/0x90 + [ 730.884836] avc_has_perm+0x8b/0xb0 + [ 730.885532] selinux_lockdown+0xa5/0xd0 + [ 730.886297] security_locked_down+0x20/0x40 + [ 730.887133] bpf_probe_read_compat+0x66/0xd0 + [ 730.887983] bpf_prog_250599c5469ac7b5+0x10f/0x820 + [ 730.888917] trace_call_bpf+0xe9/0x240 + [ 730.889672] perf_trace_run_bpf_submit+0x4d/0xc0 + [ 730.890579] perf_trace_sched_switch+0x142/0x180 + [ 730.891485] ? __schedule+0x6d8/0xb20 + [ 730.892209] __schedule+0x6d8/0xb20 + [ 730.892899] schedule+0x5b/0xc0 + [ 730.893522] exit_to_user_mode_prepare+0x11d/0x240 + [ 730.894457] syscall_exit_to_user_mode+0x27/0x70 + [ 730.895361] entry_SYSCALL_64_after_hwframe+0x44/0xae + [...] + +Fixes: 59438b46471a ("security,lockdown,selinux: implement SELinux lockdown") +Reported-by: Ondrej Mosnacek +Reported-by: Jakub Hrozek +Reported-by: Serhei Makarov +Reported-by: Jiri Olsa +Signed-off-by: Daniel Borkmann +Acked-by: Alexei Starovoitov +Tested-by: Jiri Olsa +Cc: Paul Moore +Cc: James Morris +Cc: Jerome Marchand +Cc: Frank Eigler +Cc: Linus Torvalds +Link: https://lore.kernel.org/bpf/01135120-8bf7-df2e-cff0-1d73f1f841c3@iogearbox.net +Signed-off-by: Sasha Levin +--- + kernel/bpf/helpers.c | 7 +++++-- + kernel/trace/bpf_trace.c | 32 ++++++++++++-------------------- + 2 files changed, 17 insertions(+), 22 deletions(-) + +diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c +index 308427fe03a3..6140e91e9c89 100644 +--- a/kernel/bpf/helpers.c ++++ b/kernel/bpf/helpers.c +@@ -14,6 +14,7 @@ + #include + #include + #include ++#include + + #include "../../lib/kstrtox.h" + +@@ -741,11 +742,13 @@ bpf_base_func_proto(enum bpf_func_id func_id) + case BPF_FUNC_probe_read_user: + return &bpf_probe_read_user_proto; + case BPF_FUNC_probe_read_kernel: +- return &bpf_probe_read_kernel_proto; ++ return security_locked_down(LOCKDOWN_BPF_READ) < 0 ? ++ NULL : &bpf_probe_read_kernel_proto; + case BPF_FUNC_probe_read_user_str: + return &bpf_probe_read_user_str_proto; + case BPF_FUNC_probe_read_kernel_str: +- return &bpf_probe_read_kernel_str_proto; ++ return security_locked_down(LOCKDOWN_BPF_READ) < 0 ? ++ NULL : &bpf_probe_read_kernel_str_proto; + case BPF_FUNC_snprintf_btf: + return &bpf_snprintf_btf_proto; + default: +diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c +index b0c45d923f0f..9bb3d2823f44 100644 +--- a/kernel/trace/bpf_trace.c ++++ b/kernel/trace/bpf_trace.c +@@ -215,16 +215,11 @@ const struct bpf_func_proto bpf_probe_read_user_str_proto = { + static __always_inline int + bpf_probe_read_kernel_common(void *dst, u32 size, const void *unsafe_ptr) + { +- int ret = security_locked_down(LOCKDOWN_BPF_READ); ++ int ret; + +- if (unlikely(ret < 0)) +- goto fail; + ret = copy_from_kernel_nofault(dst, unsafe_ptr, size); + if (unlikely(ret < 0)) +- goto fail; +- return ret; +-fail: +- memset(dst, 0, size); ++ memset(dst, 0, size); + return ret; + } + +@@ -246,10 +241,7 @@ const struct bpf_func_proto bpf_probe_read_kernel_proto = { + static __always_inline int + bpf_probe_read_kernel_str_common(void *dst, u32 size, const void *unsafe_ptr) + { +- int ret = security_locked_down(LOCKDOWN_BPF_READ); +- +- if (unlikely(ret < 0)) +- goto fail; ++ int ret; + + /* + * The strncpy_from_kernel_nofault() call will likely not fill the +@@ -262,11 +254,7 @@ bpf_probe_read_kernel_str_common(void *dst, u32 size, const void *unsafe_ptr) + */ + ret = strncpy_from_kernel_nofault(dst, unsafe_ptr, size); + if (unlikely(ret < 0)) +- goto fail; +- +- return ret; +-fail: +- memset(dst, 0, size); ++ memset(dst, 0, size); + return ret; + } + +@@ -1322,16 +1310,20 @@ bpf_tracing_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog) + case BPF_FUNC_probe_read_user: + return &bpf_probe_read_user_proto; + case BPF_FUNC_probe_read_kernel: +- return &bpf_probe_read_kernel_proto; ++ return security_locked_down(LOCKDOWN_BPF_READ) < 0 ? ++ NULL : &bpf_probe_read_kernel_proto; + case BPF_FUNC_probe_read_user_str: + return &bpf_probe_read_user_str_proto; + case BPF_FUNC_probe_read_kernel_str: +- return &bpf_probe_read_kernel_str_proto; ++ return security_locked_down(LOCKDOWN_BPF_READ) < 0 ? ++ NULL : &bpf_probe_read_kernel_str_proto; + #ifdef CONFIG_ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE + case BPF_FUNC_probe_read: +- return &bpf_probe_read_compat_proto; ++ return security_locked_down(LOCKDOWN_BPF_READ) < 0 ? ++ NULL : &bpf_probe_read_compat_proto; + case BPF_FUNC_probe_read_str: +- return &bpf_probe_read_compat_str_proto; ++ return security_locked_down(LOCKDOWN_BPF_READ) < 0 ? ++ NULL : &bpf_probe_read_compat_str_proto; + #endif + #ifdef CONFIG_CGROUPS + case BPF_FUNC_get_current_cgroup_id: +-- +2.30.2 + diff --git a/queue-5.12/cxgb4-avoid-link-re-train-during-tc-mqprio-configura.patch b/queue-5.12/cxgb4-avoid-link-re-train-during-tc-mqprio-configura.patch new file mode 100644 index 00000000000..0c27e1377db --- /dev/null +++ b/queue-5.12/cxgb4-avoid-link-re-train-during-tc-mqprio-configura.patch @@ -0,0 +1,145 @@ +From a23c0c388f171bbf9dd65235546305012cf654ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Jun 2021 16:48:18 +0530 +Subject: cxgb4: avoid link re-train during TC-MQPRIO configuration + +From: Rahul Lakkireddy + +[ Upstream commit 3822d0670c9d4342794d73e0d0e615322b40438e ] + +When configuring TC-MQPRIO offload, only turn off netdev carrier and +don't bring physical link down in hardware. Otherwise, when the +physical link is brought up again after configuration, it gets +re-trained and stalls ongoing traffic. + +Also, when firmware is no longer accessible or crashed, avoid sending +FLOWC and waiting for reply that will never come. + +Fix following hung_task_timeout_secs trace seen in these cases. + +INFO: task tc:20807 blocked for more than 122 seconds. + Tainted: G S 5.13.0-rc3+ #122 +"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. +task:tc state:D stack:14768 pid:20807 ppid: 19366 flags:0x00000000 +Call Trace: + __schedule+0x27b/0x6a0 + schedule+0x37/0xa0 + schedule_preempt_disabled+0x5/0x10 + __mutex_lock.isra.14+0x2a0/0x4a0 + ? netlink_lookup+0x120/0x1a0 + ? rtnl_fill_ifinfo+0x10f0/0x10f0 + __netlink_dump_start+0x70/0x250 + rtnetlink_rcv_msg+0x28b/0x380 + ? rtnl_fill_ifinfo+0x10f0/0x10f0 + ? rtnl_calcit.isra.42+0x120/0x120 + netlink_rcv_skb+0x4b/0xf0 + netlink_unicast+0x1a0/0x280 + netlink_sendmsg+0x216/0x440 + sock_sendmsg+0x56/0x60 + __sys_sendto+0xe9/0x150 + ? handle_mm_fault+0x6d/0x1b0 + ? do_user_addr_fault+0x1c5/0x620 + __x64_sys_sendto+0x1f/0x30 + do_syscall_64+0x3c/0x80 + entry_SYSCALL_64_after_hwframe+0x44/0xae +RIP: 0033:0x7f7f73218321 +RSP: 002b:00007ffd19626208 EFLAGS: 00000246 ORIG_RAX: 000000000000002c +RAX: ffffffffffffffda RBX: 000055b7c0a8b240 RCX: 00007f7f73218321 +RDX: 0000000000000028 RSI: 00007ffd19626210 RDI: 0000000000000003 +RBP: 000055b7c08680ff R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 000055b7c085f5f6 +R13: 000055b7c085f60a R14: 00007ffd19636470 R15: 00007ffd196262a0 + +Fixes: b1396c2bd675 ("cxgb4: parse and configure TC-MQPRIO offload") +Signed-off-by: Rahul Lakkireddy +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/chelsio/cxgb4/cxgb4.h | 2 -- + drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 4 ++-- + drivers/net/ethernet/chelsio/cxgb4/cxgb4_tc_mqprio.c | 9 ++++++--- + drivers/net/ethernet/chelsio/cxgb4/sge.c | 6 ++++++ + 4 files changed, 14 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4.h b/drivers/net/ethernet/chelsio/cxgb4/cxgb4.h +index 314f8d806723..9058f09f921e 100644 +--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4.h ++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4.h +@@ -2177,8 +2177,6 @@ int cxgb4_update_mac_filt(struct port_info *pi, unsigned int viid, + bool persistent, u8 *smt_idx); + int cxgb4_get_msix_idx_from_bmap(struct adapter *adap); + void cxgb4_free_msix_idx_in_bmap(struct adapter *adap, u32 msix_idx); +-int cxgb_open(struct net_device *dev); +-int cxgb_close(struct net_device *dev); + void cxgb4_enable_rx(struct adapter *adap, struct sge_rspq *q); + void cxgb4_quiesce_rx(struct sge_rspq *q); + int cxgb4_port_mirror_alloc(struct net_device *dev); +diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c +index 421bd9b88028..1f601de02e70 100644 +--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c +@@ -2834,7 +2834,7 @@ static void cxgb_down(struct adapter *adapter) + /* + * net_device operations + */ +-int cxgb_open(struct net_device *dev) ++static int cxgb_open(struct net_device *dev) + { + struct port_info *pi = netdev_priv(dev); + struct adapter *adapter = pi->adapter; +@@ -2882,7 +2882,7 @@ out_unlock: + return err; + } + +-int cxgb_close(struct net_device *dev) ++static int cxgb_close(struct net_device *dev) + { + struct port_info *pi = netdev_priv(dev); + struct adapter *adapter = pi->adapter; +diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_tc_mqprio.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_tc_mqprio.c +index 6c259de96f96..338b04f339b3 100644 +--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_tc_mqprio.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_tc_mqprio.c +@@ -589,7 +589,8 @@ int cxgb4_setup_tc_mqprio(struct net_device *dev, + * down before configuring tc params. + */ + if (netif_running(dev)) { +- cxgb_close(dev); ++ netif_tx_stop_all_queues(dev); ++ netif_carrier_off(dev); + needs_bring_up = true; + } + +@@ -615,8 +616,10 @@ int cxgb4_setup_tc_mqprio(struct net_device *dev, + } + + out: +- if (needs_bring_up) +- cxgb_open(dev); ++ if (needs_bring_up) { ++ netif_tx_start_all_queues(dev); ++ netif_carrier_on(dev); ++ } + + mutex_unlock(&adap->tc_mqprio->mqprio_mutex); + return ret; +diff --git a/drivers/net/ethernet/chelsio/cxgb4/sge.c b/drivers/net/ethernet/chelsio/cxgb4/sge.c +index 1e5f2edb70cf..6a099cb34b12 100644 +--- a/drivers/net/ethernet/chelsio/cxgb4/sge.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/sge.c +@@ -2556,6 +2556,12 @@ int cxgb4_ethofld_send_flowc(struct net_device *dev, u32 eotid, u32 tc) + if (!eosw_txq) + return -ENOMEM; + ++ if (!(adap->flags & CXGB4_FW_OK)) { ++ /* Don't stall caller when access to FW is lost */ ++ complete(&eosw_txq->completion); ++ return -EIO; ++ } ++ + skb = alloc_skb(len, GFP_KERNEL); + if (!skb) + return -ENOMEM; +-- +2.30.2 + diff --git a/queue-5.12/cxgb4-fix-regression-with-hash-tc-prio-value-update.patch b/queue-5.12/cxgb4-fix-regression-with-hash-tc-prio-value-update.patch new file mode 100644 index 00000000000..b620d4eea5a --- /dev/null +++ b/queue-5.12/cxgb4-fix-regression-with-hash-tc-prio-value-update.patch @@ -0,0 +1,57 @@ +From 84816153c7921d69f0dfae59f416bde94429c4cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Jun 2021 19:38:59 +0530 +Subject: cxgb4: fix regression with HASH tc prio value update + +From: Rahul Lakkireddy + +[ Upstream commit a27fb314cba8cb84cd6456a4699c3330a83c326d ] + +commit db43b30cd89c ("cxgb4: add ethtool n-tuple filter deletion") +has moved searching for next highest priority HASH filter rule to +cxgb4_flow_rule_destroy(), which searches the rhashtable before the +the rule is removed from it and hence always finds at least 1 entry. +Fix by removing the rule from rhashtable first before calling +cxgb4_flow_rule_destroy() and hence avoid fetching stale info. + +Fixes: db43b30cd89c ("cxgb4: add ethtool n-tuple filter deletion") +Signed-off-by: Rahul Lakkireddy +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../net/ethernet/chelsio/cxgb4/cxgb4_tc_flower.c | 14 +++++--------- + 1 file changed, 5 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_tc_flower.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_tc_flower.c +index 1b88bd1c2dbe..dd9be229819a 100644 +--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_tc_flower.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_tc_flower.c +@@ -997,20 +997,16 @@ int cxgb4_tc_flower_destroy(struct net_device *dev, + if (!ch_flower) + return -ENOENT; + ++ rhashtable_remove_fast(&adap->flower_tbl, &ch_flower->node, ++ adap->flower_ht_params); ++ + ret = cxgb4_flow_rule_destroy(dev, ch_flower->fs.tc_prio, + &ch_flower->fs, ch_flower->filter_id); + if (ret) +- goto err; ++ netdev_err(dev, "Flow rule destroy failed for tid: %u, ret: %d", ++ ch_flower->filter_id, ret); + +- ret = rhashtable_remove_fast(&adap->flower_tbl, &ch_flower->node, +- adap->flower_ht_params); +- if (ret) { +- netdev_err(dev, "Flow remove from rhashtable failed"); +- goto err; +- } + kfree_rcu(ch_flower, rcu); +- +-err: + return ret; + } + +-- +2.30.2 + diff --git a/queue-5.12/devlink-correct-virtual-port-to-not-have-phys_port-a.patch b/queue-5.12/devlink-correct-virtual-port-to-not-have-phys_port-a.patch new file mode 100644 index 00000000000..12fb803fa3b --- /dev/null +++ b/queue-5.12/devlink-correct-virtual-port-to-not-have-phys_port-a.patch @@ -0,0 +1,80 @@ +From 35fab99ade5be46eb744025377d332acdc2dcee9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 May 2021 23:00:27 +0300 +Subject: devlink: Correct VIRTUAL port to not have phys_port attributes + +From: Parav Pandit + +[ Upstream commit b28d8f0c25a9b0355116cace5f53ea52bd4020c8 ] + +Physical port name, port number attributes do not belong to virtual port +flavour. When VF or SF virtual ports are registered they incorrectly +append "np0" string in the netdevice name of the VF/SF. + +Before this fix, VF netdevice name were ens2f0np0v0, ens2f0np0v1 for VF +0 and 1 respectively. + +After the fix, they are ens2f0v0, ens2f0v1. + +With this fix, reading /sys/class/net/ens2f0v0/phys_port_name returns +-EOPNOTSUPP. + +Also devlink port show example for 2 VFs on one PF to ensure that any +physical port attributes are not exposed. + +$ devlink port show +pci/0000:06:00.0/65535: type eth netdev ens2f0np0 flavour physical port 0 splittable false +pci/0000:06:00.3/196608: type eth netdev ens2f0v0 flavour virtual splittable false +pci/0000:06:00.4/262144: type eth netdev ens2f0v1 flavour virtual splittable false + +This change introduces a netdevice name change on systemd/udev +version 245 and higher which honors phys_port_name sysfs file for +generation of netdevice name. + +This also aligns to phys_port_name usage which is limited to switchdev +ports as described in [1]. + +[1] https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git/tree/Documentation/networking/switchdev.rst + +Fixes: acf1ee44ca5d ("devlink: Introduce devlink port flavour virtual") +Signed-off-by: Parav Pandit +Reviewed-by: Jiri Pirko +Link: https://lore.kernel.org/r/20210526200027.14008-1-parav@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/devlink.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/core/devlink.c b/net/core/devlink.c +index 737b61c2976e..4c363fa7d4d1 100644 +--- a/net/core/devlink.c ++++ b/net/core/devlink.c +@@ -705,7 +705,6 @@ static int devlink_nl_port_attrs_put(struct sk_buff *msg, + case DEVLINK_PORT_FLAVOUR_PHYSICAL: + case DEVLINK_PORT_FLAVOUR_CPU: + case DEVLINK_PORT_FLAVOUR_DSA: +- case DEVLINK_PORT_FLAVOUR_VIRTUAL: + if (nla_put_u32(msg, DEVLINK_ATTR_PORT_NUMBER, + attrs->phys.port_number)) + return -EMSGSIZE; +@@ -8629,7 +8628,6 @@ static int __devlink_port_phys_port_name_get(struct devlink_port *devlink_port, + + switch (attrs->flavour) { + case DEVLINK_PORT_FLAVOUR_PHYSICAL: +- case DEVLINK_PORT_FLAVOUR_VIRTUAL: + if (!attrs->split) + n = snprintf(name, len, "p%u", attrs->phys.port_number); + else +@@ -8670,6 +8668,8 @@ static int __devlink_port_phys_port_name_get(struct devlink_port *devlink_port, + n = snprintf(name, len, "pf%usf%u", attrs->pci_sf.pf, + attrs->pci_sf.sf); + break; ++ case DEVLINK_PORT_FLAVOUR_VIRTUAL: ++ return -EOPNOTSUPP; + } + + if (n >= len) +-- +2.30.2 + diff --git a/queue-5.12/drm-i915-selftests-fix-return-value-check-in-live_br.patch b/queue-5.12/drm-i915-selftests-fix-return-value-check-in-live_br.patch new file mode 100644 index 00000000000..aae777a1ae1 --- /dev/null +++ b/queue-5.12/drm-i915-selftests-fix-return-value-check-in-live_br.patch @@ -0,0 +1,46 @@ +From 5c7607bbf8d100c491555ef3d8ea23df5d86ce04 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Jun 2021 09:19:35 +0000 +Subject: drm/i915/selftests: Fix return value check in + live_breadcrumbs_smoketest() + +From: Zhihao Cheng + +[ Upstream commit 10c1f0cbcea93beec5d3bdc02b1a3b577b4985e7 ] + +In case of error, the function live_context() returns ERR_PTR() and never +returns NULL. The NULL test in the return value check should be replaced +with IS_ERR(). + +Fixes: 52c0fdb25c7c ("drm/i915: Replace global breadcrumbs with per-context interrupt tracking") +Reported-by: Hulk Robot +Signed-off-by: Zhihao Cheng +Reviewed-by: Tvrtko Ursulin +Link: https://patchwork.freedesktop.org/patch/msgid/33c46ef24cd547d0ad21dc106441491a@intel.com +[tursulin: Wrap commit text, fix Fixes: tag.] +Signed-off-by: Tvrtko Ursulin +(cherry picked from commit 8f4caef8d5401b42c6367d46c23da5e0e8111516) +Signed-off-by: Jani Nikula +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/selftests/i915_request.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/i915/selftests/i915_request.c b/drivers/gpu/drm/i915/selftests/i915_request.c +index d2a678a2497e..411494005f0e 100644 +--- a/drivers/gpu/drm/i915/selftests/i915_request.c ++++ b/drivers/gpu/drm/i915/selftests/i915_request.c +@@ -1392,8 +1392,8 @@ static int live_breadcrumbs_smoketest(void *arg) + + for (n = 0; n < smoke[0].ncontexts; n++) { + smoke[0].contexts[n] = live_context(i915, file); +- if (!smoke[0].contexts[n]) { +- ret = -ENOMEM; ++ if (IS_ERR(smoke[0].contexts[n])) { ++ ret = PTR_ERR(smoke[0].contexts[n]); + goto out_contexts; + } + } +-- +2.30.2 + diff --git a/queue-5.12/efi-allow-efi_memory_xp-and-efi_memory_ro-both-to-be.patch b/queue-5.12/efi-allow-efi_memory_xp-and-efi_memory_ro-both-to-be.patch new file mode 100644 index 00000000000..197fdcf3de4 --- /dev/null +++ b/queue-5.12/efi-allow-efi_memory_xp-and-efi_memory_ro-both-to-be.patch @@ -0,0 +1,41 @@ +From 3fe5f0a2c4636cf98f84e6f134e04cf5300945c9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Apr 2021 16:22:51 +0200 +Subject: efi: Allow EFI_MEMORY_XP and EFI_MEMORY_RO both to be cleared + +From: Heiner Kallweit + +[ Upstream commit 45add3cc99feaaf57d4b6f01d52d532c16a1caee ] + +UEFI spec 2.9, p.108, table 4-1 lists the scenario that both attributes +are cleared with the description "No memory access protection is +possible for Entry". So we can have valid entries where both attributes +are cleared, so remove the check. + +Signed-off-by: Heiner Kallweit +Fixes: 10f0d2f577053 ("efi: Implement generic support for the Memory Attributes table") +Signed-off-by: Ard Biesheuvel +Signed-off-by: Sasha Levin +--- + drivers/firmware/efi/memattr.c | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/drivers/firmware/efi/memattr.c b/drivers/firmware/efi/memattr.c +index 5737cb0fcd44..0a9aba5f9cef 100644 +--- a/drivers/firmware/efi/memattr.c ++++ b/drivers/firmware/efi/memattr.c +@@ -67,11 +67,6 @@ static bool entry_is_valid(const efi_memory_desc_t *in, efi_memory_desc_t *out) + return false; + } + +- if (!(in->attribute & (EFI_MEMORY_RO | EFI_MEMORY_XP))) { +- pr_warn("Entry attributes invalid: RO and XP bits both cleared\n"); +- return false; +- } +- + if (PAGE_SIZE > EFI_PAGE_SIZE && + (!PAGE_ALIGNED(in->phys_addr) || + !PAGE_ALIGNED(in->num_pages << EFI_PAGE_SHIFT))) { +-- +2.30.2 + diff --git a/queue-5.12/efi-cper-fix-snprintf-use-in-cper_dimm_err_location.patch b/queue-5.12/efi-cper-fix-snprintf-use-in-cper_dimm_err_location.patch new file mode 100644 index 00000000000..2366637a9ff --- /dev/null +++ b/queue-5.12/efi-cper-fix-snprintf-use-in-cper_dimm_err_location.patch @@ -0,0 +1,52 @@ +From 5ec0c7cc890e00ab42444389cc2d3e2d700a1d2b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Apr 2021 21:46:36 +0200 +Subject: efi: cper: fix snprintf() use in cper_dimm_err_location() + +From: Rasmus Villemoes + +[ Upstream commit 942859d969de7f6f7f2659a79237a758b42782da ] + +snprintf() should be given the full buffer size, not one less. And it +guarantees nul-termination, so doing it manually afterwards is +pointless. + +It's even potentially harmful (though probably not in practice because +CPER_REC_LEN is 256), due to the "return how much would have been +written had the buffer been big enough" semantics. I.e., if the bank +and/or device strings are long enough that the "DIMM location ..." +output gets truncated, writing to msg[n] is a buffer overflow. + +Signed-off-by: Rasmus Villemoes +Fixes: 3760cd20402d4 ("CPER: Adjust code flow of some functions") +Signed-off-by: Ard Biesheuvel +Signed-off-by: Sasha Levin +--- + drivers/firmware/efi/cper.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/firmware/efi/cper.c b/drivers/firmware/efi/cper.c +index e15d484b6a5a..ea7ca74fc173 100644 +--- a/drivers/firmware/efi/cper.c ++++ b/drivers/firmware/efi/cper.c +@@ -276,8 +276,7 @@ static int cper_dimm_err_location(struct cper_mem_err_compact *mem, char *msg) + if (!msg || !(mem->validation_bits & CPER_MEM_VALID_MODULE_HANDLE)) + return 0; + +- n = 0; +- len = CPER_REC_LEN - 1; ++ len = CPER_REC_LEN; + dmi_memdev_name(mem->mem_dev_handle, &bank, &device); + if (bank && device) + n = snprintf(msg, len, "DIMM location: %s %s ", bank, device); +@@ -286,7 +285,6 @@ static int cper_dimm_err_location(struct cper_mem_err_compact *mem, char *msg) + "DIMM location: not present. DMI handle: 0x%.4x ", + mem->mem_dev_handle); + +- msg[n] = '\0'; + return n; + } + +-- +2.30.2 + diff --git a/queue-5.12/efi-fdt-fix-panic-when-no-valid-fdt-found.patch b/queue-5.12/efi-fdt-fix-panic-when-no-valid-fdt-found.patch new file mode 100644 index 00000000000..99dfc2d1e47 --- /dev/null +++ b/queue-5.12/efi-fdt-fix-panic-when-no-valid-fdt-found.patch @@ -0,0 +1,39 @@ +From 79b22b941b54b843aa7763c37fb5483d40180b41 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Mar 2021 22:54:35 +0800 +Subject: efi/fdt: fix panic when no valid fdt found + +From: Changbin Du + +[ Upstream commit 668a84c1bfb2b3fd5a10847825a854d63fac7baa ] + +setup_arch() would invoke efi_init()->efi_get_fdt_params(). If no +valid fdt found then initial_boot_params will be null. So we +should stop further fdt processing here. I encountered this +issue on risc-v. + +Signed-off-by: Changbin Du +Fixes: b91540d52a08b ("RISC-V: Add EFI runtime services") +Signed-off-by: Ard Biesheuvel +Signed-off-by: Sasha Levin +--- + drivers/firmware/efi/fdtparams.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/firmware/efi/fdtparams.c b/drivers/firmware/efi/fdtparams.c +index bb042ab7c2be..e901f8564ca0 100644 +--- a/drivers/firmware/efi/fdtparams.c ++++ b/drivers/firmware/efi/fdtparams.c +@@ -98,6 +98,9 @@ u64 __init efi_get_fdt_params(struct efi_memory_map_data *mm) + BUILD_BUG_ON(ARRAY_SIZE(target) != ARRAY_SIZE(name)); + BUILD_BUG_ON(ARRAY_SIZE(target) != ARRAY_SIZE(dt_params[0].params)); + ++ if (!fdt) ++ return 0; ++ + for (i = 0; i < ARRAY_SIZE(dt_params); i++) { + node = fdt_path_offset(fdt, dt_params[i].path); + if (node < 0) +-- +2.30.2 + diff --git a/queue-5.12/efi-libstub-prevent-read-overflow-in-find_file_optio.patch b/queue-5.12/efi-libstub-prevent-read-overflow-in-find_file_optio.patch new file mode 100644 index 00000000000..cfe29bc70a2 --- /dev/null +++ b/queue-5.12/efi-libstub-prevent-read-overflow-in-find_file_optio.patch @@ -0,0 +1,38 @@ +From f96ae2a23f8d7ff14af449d269d1749412ce68c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Apr 2021 14:48:31 +0300 +Subject: efi/libstub: prevent read overflow in find_file_option() + +From: Dan Carpenter + +[ Upstream commit c4039b29fe9637e1135912813f830994af4c867f ] + +If the buffer has slashes up to the end then this will read past the end +of the array. I don't anticipate that this is an issue for many people +in real life, but it's the right thing to do and it makes static +checkers happy. + +Fixes: 7a88a6227dc7 ("efi/libstub: Fix path separator regression") +Signed-off-by: Dan Carpenter +Signed-off-by: Ard Biesheuvel +Signed-off-by: Sasha Levin +--- + drivers/firmware/efi/libstub/file.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/firmware/efi/libstub/file.c b/drivers/firmware/efi/libstub/file.c +index 4e81c6077188..dd95f330fe6e 100644 +--- a/drivers/firmware/efi/libstub/file.c ++++ b/drivers/firmware/efi/libstub/file.c +@@ -103,7 +103,7 @@ static int find_file_option(const efi_char16_t *cmdline, int cmdline_len, + return 0; + + /* Skip any leading slashes */ +- while (cmdline[i] == L'/' || cmdline[i] == L'\\') ++ while (i < cmdline_len && (cmdline[i] == L'/' || cmdline[i] == L'\\')) + i++; + + while (--result_len > 0 && i < cmdline_len) { +-- +2.30.2 + diff --git a/queue-5.12/hid-amd_sfh-fix-memory-leak-in-amd_sfh_work.patch b/queue-5.12/hid-amd_sfh-fix-memory-leak-in-amd_sfh_work.patch new file mode 100644 index 00000000000..7c21fe926d0 --- /dev/null +++ b/queue-5.12/hid-amd_sfh-fix-memory-leak-in-amd_sfh_work.patch @@ -0,0 +1,63 @@ +From 601d1ebabcfc1f997ddf3d0b5c5d740b52525ec7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 May 2021 18:41:56 +0530 +Subject: HID: amd_sfh: Fix memory leak in amd_sfh_work + +From: Basavaraj Natikar + +[ Upstream commit 5ad755fd2b326aa2bc8910b0eb351ee6aece21b1 ] + +Kmemleak tool detected a memory leak in the amd_sfh driver. + +==================== +unreferenced object 0xffff88810228ada0 (size 32): + comm "insmod", pid 3968, jiffies 4295056001 (age 775.792s) + hex dump (first 32 bytes): + 00 20 73 1f 81 88 ff ff 00 01 00 00 00 00 ad de . s............. + 22 01 00 00 00 00 ad de 01 00 02 00 00 00 00 00 "............... + backtrace: + [<000000007b4c8799>] kmem_cache_alloc_trace+0x163/0x4f0 + [<0000000005326893>] amd_sfh_get_report+0xa4/0x1d0 [amd_sfh] + [<000000002a9e5ec4>] amdtp_hid_request+0x62/0x80 [amd_sfh] + [<00000000b8a95807>] sensor_hub_get_feature+0x145/0x270 [hid_sensor_hub] + [<00000000fda054ee>] hid_sensor_parse_common_attributes+0x215/0x460 [hid_sensor_iio_common] + [<0000000021279ecf>] hid_accel_3d_probe+0xff/0x4a0 [hid_sensor_accel_3d] + [<00000000915760ce>] platform_probe+0x6a/0xd0 + [<0000000060258a1f>] really_probe+0x192/0x620 + [<00000000fa812f2d>] driver_probe_device+0x14a/0x1d0 + [<000000005e79f7fd>] __device_attach_driver+0xbd/0x110 + [<0000000070d15018>] bus_for_each_drv+0xfd/0x160 + [<0000000013a3c312>] __device_attach+0x18b/0x220 + [<000000008c7b4afc>] device_initial_probe+0x13/0x20 + [<00000000e6e99665>] bus_probe_device+0xfe/0x120 + [<00000000833fa90b>] device_add+0x6a6/0xe00 + [<00000000fa901078>] platform_device_add+0x180/0x380 +==================== + +The fix is to freeing request_list entry once the processed entry is +removed from the request_list. + +Fixes: 4b2c53d93a4b ("SFH:Transport Driver to add support of AMD Sensor Fusion Hub (SFH)") +Reviewed-by: Shyam Sundar S K +Signed-off-by: Basavaraj Natikar +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/amd-sfh-hid/amd_sfh_client.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/hid/amd-sfh-hid/amd_sfh_client.c b/drivers/hid/amd-sfh-hid/amd_sfh_client.c +index 2ab38b715347..ea9a4913932d 100644 +--- a/drivers/hid/amd-sfh-hid/amd_sfh_client.c ++++ b/drivers/hid/amd-sfh-hid/amd_sfh_client.c +@@ -88,6 +88,7 @@ static void amd_sfh_work(struct work_struct *work) + sensor_index = req_node->sensor_idx; + report_id = req_node->report_id; + node_type = req_node->report_type; ++ kfree(req_node); + + if (node_type == HID_FEATURE_REPORT) { + report_size = get_feature_report(sensor_index, report_id, +-- +2.30.2 + diff --git a/queue-5.12/hid-i2c-hid-fix-format-string-mismatch.patch b/queue-5.12/hid-i2c-hid-fix-format-string-mismatch.patch new file mode 100644 index 00000000000..fbad0caa5b1 --- /dev/null +++ b/queue-5.12/hid-i2c-hid-fix-format-string-mismatch.patch @@ -0,0 +1,47 @@ +From 72144853167f7e3cc1f3efcbc75a37a23c0a9317 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 May 2021 15:58:50 +0200 +Subject: HID: i2c-hid: fix format string mismatch + +From: Arnd Bergmann + +[ Upstream commit dc5f9f55502e13ba05731d5046a14620aa2ff456 ] + +clang doesn't like printing a 32-bit integer using %hX format string: + +drivers/hid/i2c-hid/i2c-hid-core.c:994:18: error: format specifies type 'unsigned short' but the argument has type '__u32' (aka 'unsigned int') [-Werror,-Wformat] + client->name, hid->vendor, hid->product); + ^~~~~~~~~~~ +drivers/hid/i2c-hid/i2c-hid-core.c:994:31: error: format specifies type 'unsigned short' but the argument has type '__u32' (aka 'unsigned int') [-Werror,-Wformat] + client->name, hid->vendor, hid->product); + ^~~~~~~~~~~~ + +Use an explicit cast to truncate it to the low 16 bits instead. + +Fixes: 9ee3e06610fd ("HID: i2c-hid: override HID descriptors for certain devices") +Signed-off-by: Arnd Bergmann +Reviewed-by: Nathan Chancellor +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/i2c-hid/i2c-hid-core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/hid/i2c-hid/i2c-hid-core.c b/drivers/hid/i2c-hid/i2c-hid-core.c +index 9993133989a5..f9d28ad17d9c 100644 +--- a/drivers/hid/i2c-hid/i2c-hid-core.c ++++ b/drivers/hid/i2c-hid/i2c-hid-core.c +@@ -990,8 +990,8 @@ int i2c_hid_core_probe(struct i2c_client *client, struct i2chid_ops *ops, + hid->vendor = le16_to_cpu(ihid->hdesc.wVendorID); + hid->product = le16_to_cpu(ihid->hdesc.wProductID); + +- snprintf(hid->name, sizeof(hid->name), "%s %04hX:%04hX", +- client->name, hid->vendor, hid->product); ++ snprintf(hid->name, sizeof(hid->name), "%s %04X:%04X", ++ client->name, (u16)hid->vendor, (u16)hid->product); + strlcpy(hid->phys, dev_name(&client->dev), sizeof(hid->phys)); + + ihid->quirks = i2c_hid_lookup_quirk(hid->vendor, hid->product); +-- +2.30.2 + diff --git a/queue-5.12/hid-logitech-hidpp-initialize-level-variable.patch b/queue-5.12/hid-logitech-hidpp-initialize-level-variable.patch new file mode 100644 index 00000000000..194d5db37dc --- /dev/null +++ b/queue-5.12/hid-logitech-hidpp-initialize-level-variable.patch @@ -0,0 +1,46 @@ +From 5b94c33701c9c8e91304f6b7bbd7dec154632fab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 May 2021 12:18:19 -0700 +Subject: HID: logitech-hidpp: initialize level variable +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Tom Rix + +[ Upstream commit 81c8bf9170477d453b24a6bc3300d201d641e645 ] + +Static analysis reports this representative problem + +hid-logitech-hidpp.c:1356:23: warning: Assigned value is + garbage or undefined + hidpp->battery.level = level; + ^ ~~~~~ + +In some cases, 'level' is never set in hidpp20_battery_map_status_voltage() +Since level is not available on all hw, initialize level to unknown. + +Fixes: be281368f297 ("hid-logitech-hidpp: read battery voltage from newer devices") +Signed-off-by: Tom Rix +Reviewed-by: Filipe Laíns +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-logitech-hidpp.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hidpp.c +index d459e2dbe647..f7710fb2f48d 100644 +--- a/drivers/hid/hid-logitech-hidpp.c ++++ b/drivers/hid/hid-logitech-hidpp.c +@@ -1262,6 +1262,7 @@ static int hidpp20_battery_map_status_voltage(u8 data[3], int *voltage, + int status; + + long flags = (long) data[2]; ++ *level = POWER_SUPPLY_CAPACITY_LEVEL_UNKNOWN; + + if (flags & 0x80) + switch (flags & 0x07) { +-- +2.30.2 + diff --git a/queue-5.12/hid-pidff-fix-error-return-code-in-hid_pidff_init.patch b/queue-5.12/hid-pidff-fix-error-return-code-in-hid_pidff_init.patch new file mode 100644 index 00000000000..3f490e864ea --- /dev/null +++ b/queue-5.12/hid-pidff-fix-error-return-code-in-hid_pidff_init.patch @@ -0,0 +1,36 @@ +From 27fc0446269c447143a8bcb510c6861a546b501d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 8 May 2021 10:47:37 +0800 +Subject: HID: pidff: fix error return code in hid_pidff_init() + +From: Zhen Lei + +[ Upstream commit 3dd653c077efda8152f4dd395359617d577a54cd ] + +Fix to return a negative error code from the error handling +case instead of 0, as done elsewhere in this function. + +Fixes: 224ee88fe395 ("Input: add force feedback driver for PID devices") +Reported-by: Hulk Robot +Signed-off-by: Zhen Lei +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/usbhid/hid-pidff.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/hid/usbhid/hid-pidff.c b/drivers/hid/usbhid/hid-pidff.c +index fddac7c72f64..07a9fe97d2e0 100644 +--- a/drivers/hid/usbhid/hid-pidff.c ++++ b/drivers/hid/usbhid/hid-pidff.c +@@ -1292,6 +1292,7 @@ int hid_pidff_init(struct hid_device *hid) + + if (pidff->pool[PID_DEVICE_MANAGED_POOL].value && + pidff->pool[PID_DEVICE_MANAGED_POOL].value[0] == 0) { ++ error = -EPERM; + hid_notice(hid, + "device does not support device managed pool\n"); + goto fail; +-- +2.30.2 + diff --git a/queue-5.12/hwmon-dell-smm-hwmon-fix-index-values.patch b/queue-5.12/hwmon-dell-smm-hwmon-fix-index-values.patch new file mode 100644 index 00000000000..6bd103c8653 --- /dev/null +++ b/queue-5.12/hwmon-dell-smm-hwmon-fix-index-values.patch @@ -0,0 +1,47 @@ +From 5495554d329a243d6cb13420a88e039dccdfeba4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 May 2021 17:45:46 +0200 +Subject: hwmon: (dell-smm-hwmon) Fix index values +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Armin Wolf + +[ Upstream commit 35d470b5fbc9f82feb77b56bb0d5d0b5cd73e9da ] + +When support for up to 10 temp sensors and for disabling automatic BIOS +fan control was added, noone updated the index values used for +disallowing fan support and fan type calls. +Fix those values. + +Signed-off-by: Armin Wolf +Reviewed-by: Pali Rohár +Link: https://lore.kernel.org/r/20210513154546.12430-1-W_Armin@gmx.de +Fixes: 1bb46a20e73b ("hwmon: (dell-smm) Support up to 10 temp sensors") +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/dell-smm-hwmon.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/hwmon/dell-smm-hwmon.c b/drivers/hwmon/dell-smm-hwmon.c +index 73b9db9e3aab..63b74e781c5d 100644 +--- a/drivers/hwmon/dell-smm-hwmon.c ++++ b/drivers/hwmon/dell-smm-hwmon.c +@@ -838,10 +838,10 @@ static struct attribute *i8k_attrs[] = { + static umode_t i8k_is_visible(struct kobject *kobj, struct attribute *attr, + int index) + { +- if (disallow_fan_support && index >= 8) ++ if (disallow_fan_support && index >= 20) + return 0; + if (disallow_fan_type_call && +- (index == 9 || index == 12 || index == 15)) ++ (index == 21 || index == 25 || index == 28)) + return 0; + if (index >= 0 && index <= 1 && + !(i8k_hwmon_flags & I8K_HWMON_HAVE_TEMP1)) +-- +2.30.2 + diff --git a/queue-5.12/hwmon-pmbus-isl68137-remove-read_temperature_3-for-r.patch b/queue-5.12/hwmon-pmbus-isl68137-remove-read_temperature_3-for-r.patch new file mode 100644 index 00000000000..8b17e1d432a --- /dev/null +++ b/queue-5.12/hwmon-pmbus-isl68137-remove-read_temperature_3-for-r.patch @@ -0,0 +1,41 @@ +From 4c994e054f5496553638bc49638c849577c0352a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 May 2021 16:19:55 -0500 +Subject: hwmon: (pmbus/isl68137) remove READ_TEMPERATURE_3 for RAA228228 + +From: Grant Peltier + +[ Upstream commit 2a29db088c7ae7121801a0d7a60740ed2d18c4f3 ] + +The initial version of the RAA228228 datasheet claimed that the device +supported READ_TEMPERATURE_3 but not READ_TEMPERATURE_1. It has since been +discovered that the datasheet was incorrect. The RAA228228 does support +READ_TEMPERATURE_1 but does not support READ_TEMPERATURE_3. + +Signed-off-by: Grant Peltier +Fixes: 51fb91ed5a6f ("hwmon: (pmbus/isl68137) remove READ_TEMPERATURE_1 telemetry for RAA228228") +Link: https://lore.kernel.org/r/20210514211954.GA24646@raspberrypi +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/pmbus/isl68137.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/hwmon/pmbus/isl68137.c b/drivers/hwmon/pmbus/isl68137.c +index 2bee930d3900..789242ed72e5 100644 +--- a/drivers/hwmon/pmbus/isl68137.c ++++ b/drivers/hwmon/pmbus/isl68137.c +@@ -244,8 +244,8 @@ static int isl68137_probe(struct i2c_client *client) + info->read_word_data = raa_dmpvr2_read_word_data; + break; + case raa_dmpvr2_2rail_nontc: +- info->func[0] &= ~PMBUS_HAVE_TEMP; +- info->func[1] &= ~PMBUS_HAVE_TEMP; ++ info->func[0] &= ~PMBUS_HAVE_TEMP3; ++ info->func[1] &= ~PMBUS_HAVE_TEMP3; + fallthrough; + case raa_dmpvr2_2rail: + info->pages = 2; +-- +2.30.2 + diff --git a/queue-5.12/i2c-qcom-geni-add-shutdown-callback-for-i2c.patch b/queue-5.12/i2c-qcom-geni-add-shutdown-callback-for-i2c.patch new file mode 100644 index 00000000000..363e409f581 --- /dev/null +++ b/queue-5.12/i2c-qcom-geni-add-shutdown-callback-for-i2c.patch @@ -0,0 +1,57 @@ +From 7e6687ea2024d609da9dfcc1849f35cf3e3c20cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 May 2021 18:40:50 +0530 +Subject: i2c: qcom-geni: Add shutdown callback for i2c + +From: Roja Rani Yarubandi + +[ Upstream commit 9f78c607600ce4f2a952560de26534715236f612 ] + +If the hardware is still accessing memory after SMMU translation +is disabled (as part of smmu shutdown callback), then the +IOVAs (I/O virtual address) which it was using will go on the bus +as the physical addresses which will result in unknown crashes +like NoC/interconnect errors. + +So, implement shutdown callback for i2c driver to suspend the bus +during system "reboot" or "shutdown". + +Fixes: 37692de5d523 ("i2c: i2c-qcom-geni: Add bus driver for the Qualcomm GENI I2C controller") +Signed-off-by: Roja Rani Yarubandi +Reviewed-by: Stephen Boyd +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-qcom-geni.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/i2c/busses/i2c-qcom-geni.c b/drivers/i2c/busses/i2c-qcom-geni.c +index 214b4c913a13..c3ae66ba6345 100644 +--- a/drivers/i2c/busses/i2c-qcom-geni.c ++++ b/drivers/i2c/busses/i2c-qcom-geni.c +@@ -650,6 +650,14 @@ static int geni_i2c_remove(struct platform_device *pdev) + return 0; + } + ++static void geni_i2c_shutdown(struct platform_device *pdev) ++{ ++ struct geni_i2c_dev *gi2c = platform_get_drvdata(pdev); ++ ++ /* Make client i2c transfers start failing */ ++ i2c_mark_adapter_suspended(&gi2c->adap); ++} ++ + static int __maybe_unused geni_i2c_runtime_suspend(struct device *dev) + { + int ret; +@@ -714,6 +722,7 @@ MODULE_DEVICE_TABLE(of, geni_i2c_dt_match); + static struct platform_driver geni_i2c_driver = { + .probe = geni_i2c_probe, + .remove = geni_i2c_remove, ++ .shutdown = geni_i2c_shutdown, + .driver = { + .name = "geni_i2c", + .pm = &geni_i2c_pm_ops, +-- +2.30.2 + diff --git a/queue-5.12/i40e-add-correct-exception-tracing-for-xdp.patch b/queue-5.12/i40e-add-correct-exception-tracing-for-xdp.patch new file mode 100644 index 00000000000..7d20d0304d6 --- /dev/null +++ b/queue-5.12/i40e-add-correct-exception-tracing-for-xdp.patch @@ -0,0 +1,87 @@ +From 33db9c51bb1de0ca2859a2dd3bcc432a3f774ebf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 May 2021 11:38:49 +0200 +Subject: i40e: add correct exception tracing for XDP + +From: Magnus Karlsson + +[ Upstream commit f6c10b48f8c8da44adaff730d8e700b6272add2b ] + +Add missing exception tracing to XDP when a number of different errors +can occur. The support was only partial. Several errors where not +logged which would confuse the user quite a lot not knowing where and +why the packets disappeared. + +Fixes: 74608d17fe29 ("i40e: add support for XDP_TX action") +Fixes: 0a714186d3c0 ("i40e: add AF_XDP zero-copy Rx support") +Reported-by: Jesper Dangaard Brouer +Signed-off-by: Magnus Karlsson +Tested-by: Kiran Bhandare +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_txrx.c | 7 ++++++- + drivers/net/ethernet/intel/i40e/i40e_xsk.c | 8 ++++++-- + 2 files changed, 12 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_txrx.c b/drivers/net/ethernet/intel/i40e/i40e_txrx.c +index 70b515049540..c358d9049881 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_txrx.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_txrx.c +@@ -2313,15 +2313,20 @@ static int i40e_run_xdp(struct i40e_ring *rx_ring, struct xdp_buff *xdp) + case XDP_TX: + xdp_ring = rx_ring->vsi->xdp_rings[rx_ring->queue_index]; + result = i40e_xmit_xdp_tx_ring(xdp, xdp_ring); ++ if (result == I40E_XDP_CONSUMED) ++ goto out_failure; + break; + case XDP_REDIRECT: + err = xdp_do_redirect(rx_ring->netdev, xdp, xdp_prog); +- result = !err ? I40E_XDP_REDIR : I40E_XDP_CONSUMED; ++ if (err) ++ goto out_failure; ++ result = I40E_XDP_REDIR; + break; + default: + bpf_warn_invalid_xdp_action(act); + fallthrough; + case XDP_ABORTED: ++out_failure: + trace_xdp_exception(rx_ring->netdev, xdp_prog, act); + fallthrough; /* handle aborts by dropping packet */ + case XDP_DROP: +diff --git a/drivers/net/ethernet/intel/i40e/i40e_xsk.c b/drivers/net/ethernet/intel/i40e/i40e_xsk.c +index 3af72dc08539..5b39c457bd77 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_xsk.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_xsk.c +@@ -162,9 +162,10 @@ static int i40e_run_xdp_zc(struct i40e_ring *rx_ring, struct xdp_buff *xdp) + + if (likely(act == XDP_REDIRECT)) { + err = xdp_do_redirect(rx_ring->netdev, xdp, xdp_prog); +- result = !err ? I40E_XDP_REDIR : I40E_XDP_CONSUMED; ++ if (err) ++ goto out_failure; + rcu_read_unlock(); +- return result; ++ return I40E_XDP_REDIR; + } + + switch (act) { +@@ -173,11 +174,14 @@ static int i40e_run_xdp_zc(struct i40e_ring *rx_ring, struct xdp_buff *xdp) + case XDP_TX: + xdp_ring = rx_ring->vsi->xdp_rings[rx_ring->queue_index]; + result = i40e_xmit_xdp_tx_ring(xdp, xdp_ring); ++ if (result == I40E_XDP_CONSUMED) ++ goto out_failure; + break; + default: + bpf_warn_invalid_xdp_action(act); + fallthrough; + case XDP_ABORTED: ++out_failure: + trace_xdp_exception(rx_ring->netdev, xdp_prog, act); + fallthrough; /* handle aborts by dropping packet */ + case XDP_DROP: +-- +2.30.2 + diff --git a/queue-5.12/i40e-optimize-for-xdp_redirect-in-xsk-path.patch b/queue-5.12/i40e-optimize-for-xdp_redirect-in-xsk-path.patch new file mode 100644 index 00000000000..58e8d1f23a3 --- /dev/null +++ b/queue-5.12/i40e-optimize-for-xdp_redirect-in-xsk-path.patch @@ -0,0 +1,55 @@ +From 41f69f5c1c469a5e82ab82d85b2f96eeeaeccdbe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Dec 2020 16:07:22 +0100 +Subject: i40e: optimize for XDP_REDIRECT in xsk path + +From: Magnus Karlsson + +[ Upstream commit 346497c78d15cdd5bdc3b642a895009359e5457f ] + +Optimize i40e_run_xdp_zc() for the XDP program verdict being +XDP_REDIRECT in the xsk zero-copy path. This path is only used when +having AF_XDP zero-copy on and in that case most packets will be +directed to user space. This provides a little over 100k extra packets +in throughput on my server when running l2fwd in xdpsock. + +Signed-off-by: Magnus Karlsson +Tested-by: George Kuruvinakunnel +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_xsk.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_xsk.c b/drivers/net/ethernet/intel/i40e/i40e_xsk.c +index 12ca84113587..3af72dc08539 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_xsk.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_xsk.c +@@ -160,6 +160,13 @@ static int i40e_run_xdp_zc(struct i40e_ring *rx_ring, struct xdp_buff *xdp) + xdp_prog = READ_ONCE(rx_ring->xdp_prog); + act = bpf_prog_run_xdp(xdp_prog, xdp); + ++ if (likely(act == XDP_REDIRECT)) { ++ err = xdp_do_redirect(rx_ring->netdev, xdp, xdp_prog); ++ result = !err ? I40E_XDP_REDIR : I40E_XDP_CONSUMED; ++ rcu_read_unlock(); ++ return result; ++ } ++ + switch (act) { + case XDP_PASS: + break; +@@ -167,10 +174,6 @@ static int i40e_run_xdp_zc(struct i40e_ring *rx_ring, struct xdp_buff *xdp) + xdp_ring = rx_ring->vsi->xdp_rings[rx_ring->queue_index]; + result = i40e_xmit_xdp_tx_ring(xdp, xdp_ring); + break; +- case XDP_REDIRECT: +- err = xdp_do_redirect(rx_ring->netdev, xdp, xdp_prog); +- result = !err ? I40E_XDP_REDIR : I40E_XDP_CONSUMED; +- break; + default: + bpf_warn_invalid_xdp_action(act); + fallthrough; +-- +2.30.2 + diff --git a/queue-5.12/ice-add-correct-exception-tracing-for-xdp.patch b/queue-5.12/ice-add-correct-exception-tracing-for-xdp.patch new file mode 100644 index 00000000000..6c1c068552a --- /dev/null +++ b/queue-5.12/ice-add-correct-exception-tracing-for-xdp.patch @@ -0,0 +1,97 @@ +From 4283fbcf7351f8be82d89d34329513a93a4056e1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 May 2021 11:38:50 +0200 +Subject: ice: add correct exception tracing for XDP + +From: Magnus Karlsson + +[ Upstream commit 89d65df024c59988291f643b4e45d1528c51aef9 ] + +Add missing exception tracing to XDP when a number of different +errors can occur. The support was only partial. Several errors +where not logged which would confuse the user quite a lot not +knowing where and why the packets disappeared. + +Fixes: efc2214b6047 ("ice: Add support for XDP") +Fixes: 2d4238f55697 ("ice: Add support for AF_XDP") +Reported-by: Jesper Dangaard Brouer +Signed-off-by: Magnus Karlsson +Tested-by: Kiran Bhandare +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_txrx.c | 12 +++++++++--- + drivers/net/ethernet/intel/ice/ice_xsk.c | 8 ++++++-- + 2 files changed, 15 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_txrx.c b/drivers/net/ethernet/intel/ice/ice_txrx.c +index 44b6849ec008..113e53efffd7 100644 +--- a/drivers/net/ethernet/intel/ice/ice_txrx.c ++++ b/drivers/net/ethernet/intel/ice/ice_txrx.c +@@ -523,7 +523,7 @@ ice_run_xdp(struct ice_ring *rx_ring, struct xdp_buff *xdp, + struct bpf_prog *xdp_prog) + { + struct ice_ring *xdp_ring; +- int err; ++ int err, result; + u32 act; + + act = bpf_prog_run_xdp(xdp_prog, xdp); +@@ -532,14 +532,20 @@ ice_run_xdp(struct ice_ring *rx_ring, struct xdp_buff *xdp, + return ICE_XDP_PASS; + case XDP_TX: + xdp_ring = rx_ring->vsi->xdp_rings[smp_processor_id()]; +- return ice_xmit_xdp_buff(xdp, xdp_ring); ++ result = ice_xmit_xdp_buff(xdp, xdp_ring); ++ if (result == ICE_XDP_CONSUMED) ++ goto out_failure; ++ return result; + case XDP_REDIRECT: + err = xdp_do_redirect(rx_ring->netdev, xdp, xdp_prog); +- return !err ? ICE_XDP_REDIR : ICE_XDP_CONSUMED; ++ if (err) ++ goto out_failure; ++ return ICE_XDP_REDIR; + default: + bpf_warn_invalid_xdp_action(act); + fallthrough; + case XDP_ABORTED: ++out_failure: + trace_xdp_exception(rx_ring->netdev, xdp_prog, act); + fallthrough; + case XDP_DROP: +diff --git a/drivers/net/ethernet/intel/ice/ice_xsk.c b/drivers/net/ethernet/intel/ice/ice_xsk.c +index adb2f12bcb87..f1d4240e57df 100644 +--- a/drivers/net/ethernet/intel/ice/ice_xsk.c ++++ b/drivers/net/ethernet/intel/ice/ice_xsk.c +@@ -479,9 +479,10 @@ ice_run_xdp_zc(struct ice_ring *rx_ring, struct xdp_buff *xdp) + + if (likely(act == XDP_REDIRECT)) { + err = xdp_do_redirect(rx_ring->netdev, xdp, xdp_prog); +- result = !err ? ICE_XDP_REDIR : ICE_XDP_CONSUMED; ++ if (err) ++ goto out_failure; + rcu_read_unlock(); +- return result; ++ return ICE_XDP_REDIR; + } + + switch (act) { +@@ -490,11 +491,14 @@ ice_run_xdp_zc(struct ice_ring *rx_ring, struct xdp_buff *xdp) + case XDP_TX: + xdp_ring = rx_ring->vsi->xdp_rings[rx_ring->q_index]; + result = ice_xmit_xdp_buff(xdp, xdp_ring); ++ if (result == ICE_XDP_CONSUMED) ++ goto out_failure; + break; + default: + bpf_warn_invalid_xdp_action(act); + fallthrough; + case XDP_ABORTED: ++out_failure: + trace_xdp_exception(rx_ring->netdev, xdp_prog, act); + fallthrough; + case XDP_DROP: +-- +2.30.2 + diff --git a/queue-5.12/ice-allow-all-lldp-packets-from-pf-to-tx.patch b/queue-5.12/ice-allow-all-lldp-packets-from-pf-to-tx.patch new file mode 100644 index 00000000000..a7c3ed445a1 --- /dev/null +++ b/queue-5.12/ice-allow-all-lldp-packets-from-pf-to-tx.patch @@ -0,0 +1,63 @@ +From 55b6240637e27d5ebc1dae68bba5473d5a87eafe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 May 2021 14:17:59 -0700 +Subject: ice: Allow all LLDP packets from PF to Tx + +From: Dave Ertman + +[ Upstream commit f9f83202b7263ac371d616d6894a2c9ed79158ef ] + +Currently in the ice driver, the check whether to +allow a LLDP packet to egress the interface from the +PF_VSI is being based on the SKB's priority field. +It checks to see if the packets priority is equal to +TC_PRIO_CONTROL. Injected LLDP packets do not always +meet this condition. + +SCAPY defaults to a sk_buff->protocol value of ETH_P_ALL +(0x0003) and does not set the priority field. There will +be other injection methods (even ones used by end users) +that will not correctly configure the socket so that +SKB fields are correctly populated. + +Then ethernet header has to have to correct value for +the protocol though. + +Add a check to also allow packets whose ethhdr->h_proto +matches ETH_P_LLDP (0x88CC). + +Fixes: 0c3a6101ff2d ("ice: Allow egress control packets from PF_VSI") +Signed-off-by: Dave Ertman +Tested-by: Tony Brelinski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_txrx.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_txrx.c b/drivers/net/ethernet/intel/ice/ice_txrx.c +index b91dcfd12727..44b6849ec008 100644 +--- a/drivers/net/ethernet/intel/ice/ice_txrx.c ++++ b/drivers/net/ethernet/intel/ice/ice_txrx.c +@@ -2331,6 +2331,7 @@ ice_xmit_frame_ring(struct sk_buff *skb, struct ice_ring *tx_ring) + struct ice_tx_offload_params offload = { 0 }; + struct ice_vsi *vsi = tx_ring->vsi; + struct ice_tx_buf *first; ++ struct ethhdr *eth; + unsigned int count; + int tso, csum; + +@@ -2377,7 +2378,9 @@ ice_xmit_frame_ring(struct sk_buff *skb, struct ice_ring *tx_ring) + goto out_drop; + + /* allow CONTROL frames egress from main VSI if FW LLDP disabled */ +- if (unlikely(skb->priority == TC_PRIO_CONTROL && ++ eth = (struct ethhdr *)skb_mac_header(skb); ++ if (unlikely((skb->priority == TC_PRIO_CONTROL || ++ eth->h_proto == htons(ETH_P_LLDP)) && + vsi->type == ICE_VSI_PF && + vsi->port_info->qos_cfg.is_sw_lldp)) + offload.cd_qw1 |= (u64)(ICE_TX_DESC_DTYPE_CTX | +-- +2.30.2 + diff --git a/queue-5.12/ice-fix-allowing-vf-to-request-more-less-queues-via-.patch b/queue-5.12/ice-fix-allowing-vf-to-request-more-less-queues-via-.patch new file mode 100644 index 00000000000..641b9e309b1 --- /dev/null +++ b/queue-5.12/ice-fix-allowing-vf-to-request-more-less-queues-via-.patch @@ -0,0 +1,41 @@ +From 8086830d27f72fa6fe0695cf979873de39ab796c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Feb 2021 13:19:20 -0800 +Subject: ice: Fix allowing VF to request more/less queues via virtchnl + +From: Brett Creeley + +[ Upstream commit f0457690af56673cb0c47af6e25430389a149225 ] + +Commit 12bb018c538c ("ice: Refactor VF reset") caused a regression +that removes the ability for a VF to request a different amount of +queues via VIRTCHNL_OP_REQUEST_QUEUES. This prevents VF drivers to +either increase or decrease the number of queue pairs they are +allocated. Fix this by using the variable vf->num_req_qs when +determining the vf->num_vf_qs during VF VSI creation. + +Fixes: 12bb018c538c ("ice: Refactor VF reset") +Signed-off-by: Brett Creeley +Tested-by: Konrad Jankowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_lib.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/intel/ice/ice_lib.c b/drivers/net/ethernet/intel/ice/ice_lib.c +index 9b38b2768884..27e439853c3b 100644 +--- a/drivers/net/ethernet/intel/ice/ice_lib.c ++++ b/drivers/net/ethernet/intel/ice/ice_lib.c +@@ -198,6 +198,8 @@ static void ice_vsi_set_num_qs(struct ice_vsi *vsi, u16 vf_id) + break; + case ICE_VSI_VF: + vf = &pf->vf[vsi->vf_id]; ++ if (vf->num_req_qs) ++ vf->num_vf_qs = vf->num_req_qs; + vsi->alloc_txq = vf->num_vf_qs; + vsi->alloc_rxq = vf->num_vf_qs; + /* pf->num_msix_per_vf includes (VF miscellaneous vector + +-- +2.30.2 + diff --git a/queue-5.12/ice-fix-vfr-issues-for-avf-drivers-that-expect-atqle.patch b/queue-5.12/ice-fix-vfr-issues-for-avf-drivers-that-expect-atqle.patch new file mode 100644 index 00000000000..c409d338012 --- /dev/null +++ b/queue-5.12/ice-fix-vfr-issues-for-avf-drivers-that-expect-atqle.patch @@ -0,0 +1,63 @@ +From ad026baa62bcd6baa46d636fc8b5246579c8bc92 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Feb 2021 13:19:21 -0800 +Subject: ice: Fix VFR issues for AVF drivers that expect ATQLEN cleared + +From: Brett Creeley + +[ Upstream commit 8679f07a9922068b9b6be81b632f52cac45d1b91 ] + +Some AVF drivers expect the VF_MBX_ATQLEN register to be cleared for any +type of VFR/VFLR. Fix this by clearing the VF_MBX_ATQLEN register at the +same time as VF_MBX_ARQLEN. + +Fixes: 82ba01282cf8 ("ice: clear VF ARQLEN register on reset") +Signed-off-by: Brett Creeley +Tested-by: Konrad Jankowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_hw_autogen.h | 1 + + drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c | 12 +++++++----- + 2 files changed, 8 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_hw_autogen.h b/drivers/net/ethernet/intel/ice/ice_hw_autogen.h +index 093a1818a392..1998821896c0 100644 +--- a/drivers/net/ethernet/intel/ice/ice_hw_autogen.h ++++ b/drivers/net/ethernet/intel/ice/ice_hw_autogen.h +@@ -31,6 +31,7 @@ + #define PF_FW_ATQLEN_ATQOVFL_M BIT(29) + #define PF_FW_ATQLEN_ATQCRIT_M BIT(30) + #define VF_MBX_ARQLEN(_VF) (0x0022BC00 + ((_VF) * 4)) ++#define VF_MBX_ATQLEN(_VF) (0x0022A800 + ((_VF) * 4)) + #define PF_FW_ATQLEN_ATQENABLE_M BIT(31) + #define PF_FW_ATQT 0x00080400 + #define PF_MBX_ARQBAH 0x0022E400 +diff --git a/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c b/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c +index 1f38a8d0c525..0f2a4d48574e 100644 +--- a/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c ++++ b/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c +@@ -435,13 +435,15 @@ static void ice_trigger_vf_reset(struct ice_vf *vf, bool is_vflr, bool is_pfr) + */ + clear_bit(ICE_VF_STATE_INIT, vf->vf_states); + +- /* VF_MBX_ARQLEN is cleared by PFR, so the driver needs to clear it +- * in the case of VFR. If this is done for PFR, it can mess up VF +- * resets because the VF driver may already have started cleanup +- * by the time we get here. ++ /* VF_MBX_ARQLEN and VF_MBX_ATQLEN are cleared by PFR, so the driver ++ * needs to clear them in the case of VFR/VFLR. If this is done for ++ * PFR, it can mess up VF resets because the VF driver may already ++ * have started cleanup by the time we get here. + */ +- if (!is_pfr) ++ if (!is_pfr) { + wr32(hw, VF_MBX_ARQLEN(vf->vf_id), 0); ++ wr32(hw, VF_MBX_ATQLEN(vf->vf_id), 0); ++ } + + /* In the case of a VFLR, the HW has already reset the VF and we + * just need to clean up, so don't hit the VFRTRIG register. +-- +2.30.2 + diff --git a/queue-5.12/ice-handle-the-vf-vsi-rebuild-failure.patch b/queue-5.12/ice-handle-the-vf-vsi-rebuild-failure.patch new file mode 100644 index 00000000000..5e8121d9035 --- /dev/null +++ b/queue-5.12/ice-handle-the-vf-vsi-rebuild-failure.patch @@ -0,0 +1,43 @@ +From 1af22a01dcf858441c84c617c283d1fc1a48147a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Feb 2021 13:19:31 -0800 +Subject: ice: handle the VF VSI rebuild failure + +From: Haiyue Wang + +[ Upstream commit c7ee6ce1cf60b7fcdbdd2354d377d00bae3fa2d2 ] + +VSI rebuild can be failed for LAN queue config, then the VF's VSI will +be NULL, the VF reset should be stopped with the VF entering into the +disable state. + +Fixes: 12bb018c538c ("ice: Refactor VF reset") +Signed-off-by: Haiyue Wang +Tested-by: Konrad Jankowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c b/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c +index 0f2a4d48574e..48dee9c5d534 100644 +--- a/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c ++++ b/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c +@@ -1377,7 +1377,12 @@ bool ice_reset_vf(struct ice_vf *vf, bool is_vflr) + } + + ice_vf_pre_vsi_rebuild(vf); +- ice_vf_rebuild_vsi_with_release(vf); ++ ++ if (ice_vf_rebuild_vsi_with_release(vf)) { ++ dev_err(dev, "Failed to release and setup the VF%u's VSI\n", vf->vf_id); ++ return false; ++ } ++ + ice_vf_post_vsi_rebuild(vf); + + return true; +-- +2.30.2 + diff --git a/queue-5.12/ice-optimize-for-xdp_redirect-in-xsk-path.patch b/queue-5.12/ice-optimize-for-xdp_redirect-in-xsk-path.patch new file mode 100644 index 00000000000..9dbb12c4c87 --- /dev/null +++ b/queue-5.12/ice-optimize-for-xdp_redirect-in-xsk-path.patch @@ -0,0 +1,56 @@ +From 8cc7a30a0db2f5fc6822958bff828d60e8cab296 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Dec 2020 16:07:24 +0100 +Subject: ice: optimize for XDP_REDIRECT in xsk path + +From: Magnus Karlsson + +[ Upstream commit bb52073645a618ab4d93c8d932fb8faf114c55bc ] + +Optimize ice_run_xdp_zc() for the XDP program verdict being +XDP_REDIRECT in the xsk zero-copy path. This path is only used when +having AF_XDP zero-copy on and in that case most packets will be +directed to user space. This provides a little over 100k extra packets +in throughput on my server when running l2fwd in xdpsock. + +Signed-off-by: Magnus Karlsson +Tested-by: George Kuruvinakunnel +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_xsk.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_xsk.c b/drivers/net/ethernet/intel/ice/ice_xsk.c +index 47efc89a336f..adb2f12bcb87 100644 +--- a/drivers/net/ethernet/intel/ice/ice_xsk.c ++++ b/drivers/net/ethernet/intel/ice/ice_xsk.c +@@ -476,6 +476,14 @@ ice_run_xdp_zc(struct ice_ring *rx_ring, struct xdp_buff *xdp) + xdp_prog = READ_ONCE(rx_ring->xdp_prog); + + act = bpf_prog_run_xdp(xdp_prog, xdp); ++ ++ if (likely(act == XDP_REDIRECT)) { ++ err = xdp_do_redirect(rx_ring->netdev, xdp, xdp_prog); ++ result = !err ? ICE_XDP_REDIR : ICE_XDP_CONSUMED; ++ rcu_read_unlock(); ++ return result; ++ } ++ + switch (act) { + case XDP_PASS: + break; +@@ -483,10 +491,6 @@ ice_run_xdp_zc(struct ice_ring *rx_ring, struct xdp_buff *xdp) + xdp_ring = rx_ring->vsi->xdp_rings[rx_ring->q_index]; + result = ice_xmit_xdp_buff(xdp, xdp_ring); + break; +- case XDP_REDIRECT: +- err = xdp_do_redirect(rx_ring->netdev, xdp, xdp_prog); +- result = !err ? ICE_XDP_REDIR : ICE_XDP_CONSUMED; +- break; + default: + bpf_warn_invalid_xdp_action(act); + fallthrough; +-- +2.30.2 + diff --git a/queue-5.12/ice-report-supported-and-advertised-autoneg-using-ph.patch b/queue-5.12/ice-report-supported-and-advertised-autoneg-using-ph.patch new file mode 100644 index 00000000000..57e406380d0 --- /dev/null +++ b/queue-5.12/ice-report-supported-and-advertised-autoneg-using-ph.patch @@ -0,0 +1,112 @@ +From 8fc872bbe93c04ddfa96c43d9c21eae0d56701fd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 May 2021 14:17:58 -0700 +Subject: ice: report supported and advertised autoneg using PHY capabilities + +From: Paul Greenwalt + +[ Upstream commit 5cd349c349d6ec52862e550d3576893d35ab8ac2 ] + +Ethtool incorrectly reported supported and advertised auto-negotiation +settings for a backplane PHY image which did not support auto-negotiation. +This can occur when using media or PHY type for reporting ethtool +supported and advertised auto-negotiation settings. + +Remove setting supported and advertised auto-negotiation settings based +on PHY type in ice_phy_type_to_ethtool(), and MAC type in +ice_get_link_ksettings(). + +Ethtool supported and advertised auto-negotiation settings should be +based on the PHY image using the AQ command get PHY capabilities with +media. Add setting supported and advertised auto-negotiation settings +based get PHY capabilities with media in ice_get_link_ksettings(). + +Fixes: 48cb27f2fd18 ("ice: Implement handlers for ethtool PHY/link operations") +Signed-off-by: Paul Greenwalt +Tested-by: Tony Brelinski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_ethtool.c | 51 +++----------------- + 1 file changed, 6 insertions(+), 45 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_ethtool.c b/drivers/net/ethernet/intel/ice/ice_ethtool.c +index 32ba71a16165..f80fff97d8dc 100644 +--- a/drivers/net/ethernet/intel/ice/ice_ethtool.c ++++ b/drivers/net/ethernet/intel/ice/ice_ethtool.c +@@ -1797,49 +1797,6 @@ ice_phy_type_to_ethtool(struct net_device *netdev, + ice_ethtool_advertise_link_mode(ICE_AQ_LINK_SPEED_100GB, + 100000baseKR4_Full); + } +- +- /* Autoneg PHY types */ +- if (phy_types_low & ICE_PHY_TYPE_LOW_100BASE_TX || +- phy_types_low & ICE_PHY_TYPE_LOW_1000BASE_T || +- phy_types_low & ICE_PHY_TYPE_LOW_1000BASE_KX || +- phy_types_low & ICE_PHY_TYPE_LOW_2500BASE_T || +- phy_types_low & ICE_PHY_TYPE_LOW_2500BASE_KX || +- phy_types_low & ICE_PHY_TYPE_LOW_5GBASE_T || +- phy_types_low & ICE_PHY_TYPE_LOW_5GBASE_KR || +- phy_types_low & ICE_PHY_TYPE_LOW_10GBASE_T || +- phy_types_low & ICE_PHY_TYPE_LOW_10GBASE_KR_CR1 || +- phy_types_low & ICE_PHY_TYPE_LOW_25GBASE_T || +- phy_types_low & ICE_PHY_TYPE_LOW_25GBASE_CR || +- phy_types_low & ICE_PHY_TYPE_LOW_25GBASE_CR_S || +- phy_types_low & ICE_PHY_TYPE_LOW_25GBASE_CR1 || +- phy_types_low & ICE_PHY_TYPE_LOW_25GBASE_KR || +- phy_types_low & ICE_PHY_TYPE_LOW_25GBASE_KR_S || +- phy_types_low & ICE_PHY_TYPE_LOW_25GBASE_KR1 || +- phy_types_low & ICE_PHY_TYPE_LOW_40GBASE_CR4 || +- phy_types_low & ICE_PHY_TYPE_LOW_40GBASE_KR4) { +- ethtool_link_ksettings_add_link_mode(ks, supported, +- Autoneg); +- ethtool_link_ksettings_add_link_mode(ks, advertising, +- Autoneg); +- } +- if (phy_types_low & ICE_PHY_TYPE_LOW_50GBASE_CR2 || +- phy_types_low & ICE_PHY_TYPE_LOW_50GBASE_KR2 || +- phy_types_low & ICE_PHY_TYPE_LOW_50GBASE_CP || +- phy_types_low & ICE_PHY_TYPE_LOW_50GBASE_KR_PAM4) { +- ethtool_link_ksettings_add_link_mode(ks, supported, +- Autoneg); +- ethtool_link_ksettings_add_link_mode(ks, advertising, +- Autoneg); +- } +- if (phy_types_low & ICE_PHY_TYPE_LOW_100GBASE_CR4 || +- phy_types_low & ICE_PHY_TYPE_LOW_100GBASE_KR4 || +- phy_types_low & ICE_PHY_TYPE_LOW_100GBASE_KR_PAM4 || +- phy_types_low & ICE_PHY_TYPE_LOW_100GBASE_CP2) { +- ethtool_link_ksettings_add_link_mode(ks, supported, +- Autoneg); +- ethtool_link_ksettings_add_link_mode(ks, advertising, +- Autoneg); +- } + } + + #define TEST_SET_BITS_TIMEOUT 50 +@@ -1996,9 +1953,7 @@ ice_get_link_ksettings(struct net_device *netdev, + ks->base.port = PORT_TP; + break; + case ICE_MEDIA_BACKPLANE: +- ethtool_link_ksettings_add_link_mode(ks, supported, Autoneg); + ethtool_link_ksettings_add_link_mode(ks, supported, Backplane); +- ethtool_link_ksettings_add_link_mode(ks, advertising, Autoneg); + ethtool_link_ksettings_add_link_mode(ks, advertising, + Backplane); + ks->base.port = PORT_NONE; +@@ -2073,6 +2028,12 @@ ice_get_link_ksettings(struct net_device *netdev, + if (caps->link_fec_options & ICE_AQC_PHY_FEC_25G_RS_CLAUSE91_EN) + ethtool_link_ksettings_add_link_mode(ks, supported, FEC_RS); + ++ /* Set supported and advertised autoneg */ ++ if (ice_is_phy_caps_an_enabled(caps)) { ++ ethtool_link_ksettings_add_link_mode(ks, supported, Autoneg); ++ ethtool_link_ksettings_add_link_mode(ks, advertising, Autoneg); ++ } ++ + done: + kfree(caps); + return err; +-- +2.30.2 + diff --git a/queue-5.12/ice-track-af_xdp-zc-enabled-queues-in-bitmap.patch b/queue-5.12/ice-track-af_xdp-zc-enabled-queues-in-bitmap.patch new file mode 100644 index 00000000000..4596f165571 --- /dev/null +++ b/queue-5.12/ice-track-af_xdp-zc-enabled-queues-in-bitmap.patch @@ -0,0 +1,158 @@ +From fa3fbf4540767577f512ccc9c0118f9bad391f2a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Apr 2021 21:52:09 +0200 +Subject: ice: track AF_XDP ZC enabled queues in bitmap + +From: Maciej Fijalkowski + +[ Upstream commit e102db780e1c14f10c70dafa7684af22a745b51d ] + +Commit c7a219048e45 ("ice: Remove xsk_buff_pool from VSI structure") +silently introduced a regression and broke the Tx side of AF_XDP in copy +mode. xsk_pool on ice_ring is set only based on the existence of the XDP +prog on the VSI which in turn picks ice_clean_tx_irq_zc to be executed. +That is not something that should happen for copy mode as it should use +the regular data path ice_clean_tx_irq. + +This results in a following splat when xdpsock is run in txonly or l2fwd +scenarios in copy mode: + + +[ 106.050195] BUG: kernel NULL pointer dereference, address: 0000000000000030 +[ 106.057269] #PF: supervisor read access in kernel mode +[ 106.062493] #PF: error_code(0x0000) - not-present page +[ 106.067709] PGD 0 P4D 0 +[ 106.070293] Oops: 0000 [#1] PREEMPT SMP NOPTI +[ 106.074721] CPU: 61 PID: 0 Comm: swapper/61 Not tainted 5.12.0-rc2+ #45 +[ 106.081436] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0008.031920191559 03/19/2019 +[ 106.092027] RIP: 0010:xp_raw_get_dma+0x36/0x50 +[ 106.096551] Code: 74 14 48 b8 ff ff ff ff ff ff 00 00 48 21 f0 48 c1 ee 30 48 01 c6 48 8b 87 90 00 00 00 48 89 f2 81 e6 ff 0f 00 00 48 c1 ea 0c <48> 8b 04 d0 48 83 e0 fe 48 01 f0 c3 66 66 2e 0f 1f 84 00 00 00 00 +[ 106.115588] RSP: 0018:ffffc9000d694e50 EFLAGS: 00010206 +[ 106.120893] RAX: 0000000000000000 RBX: ffff88984b8c8a00 RCX: ffff889852581800 +[ 106.128137] RDX: 0000000000000006 RSI: 0000000000000000 RDI: ffff88984cd8b800 +[ 106.135383] RBP: ffff888123b50001 R08: ffff889896800000 R09: 0000000000000800 +[ 106.142628] R10: 0000000000000000 R11: ffffffff826060c0 R12: 00000000000000ff +[ 106.149872] R13: 0000000000000000 R14: 0000000000000040 R15: ffff888123b50018 +[ 106.157117] FS: 0000000000000000(0000) GS:ffff8897e0f40000(0000) knlGS:0000000000000000 +[ 106.165332] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 106.171163] CR2: 0000000000000030 CR3: 000000000560a004 CR4: 00000000007706e0 +[ 106.178408] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 106.185653] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 106.192898] PKRU: 55555554 +[ 106.195653] Call Trace: +[ 106.198143] +[ 106.200196] ice_clean_tx_irq_zc+0x183/0x2a0 [ice] +[ 106.205087] ice_napi_poll+0x3e/0x590 [ice] +[ 106.209356] __napi_poll+0x2a/0x160 +[ 106.212911] net_rx_action+0xd6/0x200 +[ 106.216634] __do_softirq+0xbf/0x29b +[ 106.220274] irq_exit_rcu+0x88/0xc0 +[ 106.223819] common_interrupt+0x7b/0xa0 +[ 106.227719] +[ 106.229857] asm_common_interrupt+0x1e/0x40 + + +Fix this by introducing the bitmap of queues that are zero-copy enabled, +where each bit, corresponding to a queue id that xsk pool is being +configured on, will be set/cleared within ice_xsk_pool_{en,dis}able and +checked within ice_xsk_pool(). The latter is a function used for +deciding which napi poll routine is executed. +Idea is being taken from our other drivers such as i40e and ixgbe. + +Fixes: c7a219048e45 ("ice: Remove xsk_buff_pool from VSI structure") +Signed-off-by: Maciej Fijalkowski +Tested-by: Kiran Bhandare +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice.h | 8 +++++--- + drivers/net/ethernet/intel/ice/ice_lib.c | 10 ++++++++++ + drivers/net/ethernet/intel/ice/ice_xsk.c | 3 +++ + 3 files changed, 18 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice.h b/drivers/net/ethernet/intel/ice/ice.h +index 17101c45cbcd..f668296ca677 100644 +--- a/drivers/net/ethernet/intel/ice/ice.h ++++ b/drivers/net/ethernet/intel/ice/ice.h +@@ -325,6 +325,7 @@ struct ice_vsi { + struct ice_tc_cfg tc_cfg; + struct bpf_prog *xdp_prog; + struct ice_ring **xdp_rings; /* XDP ring array */ ++ unsigned long *af_xdp_zc_qps; /* tracks AF_XDP ZC enabled qps */ + u16 num_xdp_txq; /* Used XDP queues */ + u8 xdp_mapping_mode; /* ICE_MAP_MODE_[CONTIG|SCATTER] */ + +@@ -534,15 +535,16 @@ static inline void ice_set_ring_xdp(struct ice_ring *ring) + */ + static inline struct xsk_buff_pool *ice_xsk_pool(struct ice_ring *ring) + { ++ struct ice_vsi *vsi = ring->vsi; + u16 qid = ring->q_index; + + if (ice_ring_is_xdp(ring)) +- qid -= ring->vsi->num_xdp_txq; ++ qid -= vsi->num_xdp_txq; + +- if (!ice_is_xdp_ena_vsi(ring->vsi)) ++ if (!ice_is_xdp_ena_vsi(vsi) || !test_bit(qid, vsi->af_xdp_zc_qps)) + return NULL; + +- return xsk_get_pool_from_qid(ring->vsi->netdev, qid); ++ return xsk_get_pool_from_qid(vsi->netdev, qid); + } + + /** +diff --git a/drivers/net/ethernet/intel/ice/ice_lib.c b/drivers/net/ethernet/intel/ice/ice_lib.c +index 195d122c9cb2..9b38b2768884 100644 +--- a/drivers/net/ethernet/intel/ice/ice_lib.c ++++ b/drivers/net/ethernet/intel/ice/ice_lib.c +@@ -105,8 +105,14 @@ static int ice_vsi_alloc_arrays(struct ice_vsi *vsi) + if (!vsi->q_vectors) + goto err_vectors; + ++ vsi->af_xdp_zc_qps = bitmap_zalloc(max_t(int, vsi->alloc_txq, vsi->alloc_rxq), GFP_KERNEL); ++ if (!vsi->af_xdp_zc_qps) ++ goto err_zc_qps; ++ + return 0; + ++err_zc_qps: ++ devm_kfree(dev, vsi->q_vectors); + err_vectors: + devm_kfree(dev, vsi->rxq_map); + err_rxq_map: +@@ -286,6 +292,10 @@ static void ice_vsi_free_arrays(struct ice_vsi *vsi) + + dev = ice_pf_to_dev(pf); + ++ if (vsi->af_xdp_zc_qps) { ++ bitmap_free(vsi->af_xdp_zc_qps); ++ vsi->af_xdp_zc_qps = NULL; ++ } + /* free the ring and vector containers */ + if (vsi->q_vectors) { + devm_kfree(dev, vsi->q_vectors); +diff --git a/drivers/net/ethernet/intel/ice/ice_xsk.c b/drivers/net/ethernet/intel/ice/ice_xsk.c +index 9f94d9159acd..47efc89a336f 100644 +--- a/drivers/net/ethernet/intel/ice/ice_xsk.c ++++ b/drivers/net/ethernet/intel/ice/ice_xsk.c +@@ -273,6 +273,7 @@ static int ice_xsk_pool_disable(struct ice_vsi *vsi, u16 qid) + if (!pool) + return -EINVAL; + ++ clear_bit(qid, vsi->af_xdp_zc_qps); + xsk_pool_dma_unmap(pool, ICE_RX_DMA_ATTR); + + return 0; +@@ -303,6 +304,8 @@ ice_xsk_pool_enable(struct ice_vsi *vsi, struct xsk_buff_pool *pool, u16 qid) + if (err) + return err; + ++ set_bit(qid, vsi->af_xdp_zc_qps); ++ + return 0; + } + +-- +2.30.2 + diff --git a/queue-5.12/ieee802154-fix-error-return-code-in-ieee802154_add_i.patch b/queue-5.12/ieee802154-fix-error-return-code-in-ieee802154_add_i.patch new file mode 100644 index 00000000000..f44792ce790 --- /dev/null +++ b/queue-5.12/ieee802154-fix-error-return-code-in-ieee802154_add_i.patch @@ -0,0 +1,41 @@ +From 46480710133565b7b06eb58cbbf02fc76ef50089 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 8 May 2021 14:25:17 +0800 +Subject: ieee802154: fix error return code in ieee802154_add_iface() + +From: Zhen Lei + +[ Upstream commit 79c6b8ed30e54b401c873dbad2511f2a1c525fd5 ] + +Fix to return a negative error code from the error handling +case instead of 0, as done elsewhere in this function. + +Fixes: be51da0f3e34 ("ieee802154: Stop using NLA_PUT*().") +Reported-by: Hulk Robot +Signed-off-by: Zhen Lei +Link: https://lore.kernel.org/r/20210508062517.2574-1-thunder.leizhen@huawei.com +Signed-off-by: Stefan Schmidt +Signed-off-by: Sasha Levin +--- + net/ieee802154/nl-phy.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/ieee802154/nl-phy.c b/net/ieee802154/nl-phy.c +index 2cdc7e63fe17..88215b5c93aa 100644 +--- a/net/ieee802154/nl-phy.c ++++ b/net/ieee802154/nl-phy.c +@@ -241,8 +241,10 @@ int ieee802154_add_iface(struct sk_buff *skb, struct genl_info *info) + } + + if (nla_put_string(msg, IEEE802154_ATTR_PHY_NAME, wpan_phy_name(phy)) || +- nla_put_string(msg, IEEE802154_ATTR_DEV_NAME, dev->name)) ++ nla_put_string(msg, IEEE802154_ATTR_DEV_NAME, dev->name)) { ++ rc = -EMSGSIZE; + goto nla_put_failure; ++ } + dev_put(dev); + + wpan_phy_put(phy); +-- +2.30.2 + diff --git a/queue-5.12/ieee802154-fix-error-return-code-in-ieee802154_llsec.patch b/queue-5.12/ieee802154-fix-error-return-code-in-ieee802154_llsec.patch new file mode 100644 index 00000000000..9987e24b43d --- /dev/null +++ b/queue-5.12/ieee802154-fix-error-return-code-in-ieee802154_llsec.patch @@ -0,0 +1,41 @@ +From 7cf3255a183d7110f02aa3d814d9562da753b7db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 May 2021 14:16:14 +0000 +Subject: ieee802154: fix error return code in ieee802154_llsec_getparams() + +From: Wei Yongjun + +[ Upstream commit 373e864cf52403b0974c2f23ca8faf9104234555 ] + +Fix to return negative error code -ENOBUFS from the error handling +case instead of 0, as done elsewhere in this function. + +Fixes: 3e9c156e2c21 ("ieee802154: add netlink interfaces for llsec") +Reported-by: Hulk Robot +Signed-off-by: Wei Yongjun +Link: https://lore.kernel.org/r/20210519141614.3040055-1-weiyongjun1@huawei.com +Signed-off-by: Stefan Schmidt +Signed-off-by: Sasha Levin +--- + net/ieee802154/nl-mac.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/ieee802154/nl-mac.c b/net/ieee802154/nl-mac.c +index 0c1b0770c59e..c23c152860b7 100644 +--- a/net/ieee802154/nl-mac.c ++++ b/net/ieee802154/nl-mac.c +@@ -680,8 +680,10 @@ int ieee802154_llsec_getparams(struct sk_buff *skb, struct genl_info *info) + nla_put_u8(msg, IEEE802154_ATTR_LLSEC_SECLEVEL, params.out_level) || + nla_put_u32(msg, IEEE802154_ATTR_LLSEC_FRAME_COUNTER, + be32_to_cpu(params.frame_counter)) || +- ieee802154_llsec_fill_key_id(msg, ¶ms.out_key)) ++ ieee802154_llsec_fill_key_id(msg, ¶ms.out_key)) { ++ rc = -ENOBUFS; + goto out_free; ++ } + + dev_put(dev); + +-- +2.30.2 + diff --git a/queue-5.12/igb-add-correct-exception-tracing-for-xdp.patch b/queue-5.12/igb-add-correct-exception-tracing-for-xdp.patch new file mode 100644 index 00000000000..c333bed4c85 --- /dev/null +++ b/queue-5.12/igb-add-correct-exception-tracing-for-xdp.patch @@ -0,0 +1,56 @@ +From f212737d3600876e1a437bf93f6c3ffe34ec07a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 May 2021 11:38:52 +0200 +Subject: igb: add correct exception tracing for XDP + +From: Magnus Karlsson + +[ Upstream commit 74431c40b9c5fa673fff83ec157a76a69efd5c72 ] + +Add missing exception tracing to XDP when a number of different +errors can occur. The support was only partial. Several errors +where not logged which would confuse the user quite a lot not +knowing where and why the packets disappeared. + +Fixes: 9cbc948b5a20 ("igb: add XDP support") +Reported-by: Jesper Dangaard Brouer +Signed-off-by: Magnus Karlsson +Tested-by: Vishakha Jambekar +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/igb_main.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index a41b85f1fc94..caa8929289ae 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -8395,18 +8395,20 @@ static struct sk_buff *igb_run_xdp(struct igb_adapter *adapter, + break; + case XDP_TX: + result = igb_xdp_xmit_back(adapter, xdp); ++ if (result == IGB_XDP_CONSUMED) ++ goto out_failure; + break; + case XDP_REDIRECT: + err = xdp_do_redirect(adapter->netdev, xdp, xdp_prog); +- if (!err) +- result = IGB_XDP_REDIR; +- else +- result = IGB_XDP_CONSUMED; ++ if (err) ++ goto out_failure; ++ result = IGB_XDP_REDIR; + break; + default: + bpf_warn_invalid_xdp_action(act); + fallthrough; + case XDP_ABORTED: ++out_failure: + trace_xdp_exception(rx_ring->netdev, xdp_prog, act); + fallthrough; + case XDP_DROP: +-- +2.30.2 + diff --git a/queue-5.12/igb-fix-xdp-with-ptp-enabled.patch b/queue-5.12/igb-fix-xdp-with-ptp-enabled.patch new file mode 100644 index 00000000000..fedb78c6304 --- /dev/null +++ b/queue-5.12/igb-fix-xdp-with-ptp-enabled.patch @@ -0,0 +1,219 @@ +From 5d135e4bb53ae028a12c0a8e959f1afcfec9e58b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 May 2021 09:28:00 +0200 +Subject: igb: Fix XDP with PTP enabled + +From: Kurt Kanzenbach + +[ Upstream commit 5379260852b013902abbca691926b3ac1cac36d5 ] + +When using native XDP with the igb driver, the XDP frame data doesn't point to +the beginning of the packet. It's off by 16 bytes. Everything works as expected +with XDP skb mode. + +Actually these 16 bytes are used to store the packet timestamps. Therefore, pull +the timestamp before executing any XDP operations and adjust all other code +accordingly. The igc driver does it like that as well. + +Tested with Intel i210 card and AF_XDP sockets. + +Fixes: 9cbc948b5a20 ("igb: add XDP support") +Signed-off-by: Kurt Kanzenbach +Acked-by: Jesper Dangaard Brouer +Tested-by: Sandeep Penigalapati +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/igb.h | 2 +- + drivers/net/ethernet/intel/igb/igb_main.c | 45 +++++++++++++---------- + drivers/net/ethernet/intel/igb/igb_ptp.c | 23 +++++------- + 3 files changed, 37 insertions(+), 33 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igb/igb.h b/drivers/net/ethernet/intel/igb/igb.h +index 7bda8c5edea5..2d3daf022651 100644 +--- a/drivers/net/ethernet/intel/igb/igb.h ++++ b/drivers/net/ethernet/intel/igb/igb.h +@@ -749,7 +749,7 @@ void igb_ptp_rx_hang(struct igb_adapter *adapter); + void igb_ptp_tx_hang(struct igb_adapter *adapter); + void igb_ptp_rx_rgtstamp(struct igb_q_vector *q_vector, struct sk_buff *skb); + int igb_ptp_rx_pktstamp(struct igb_q_vector *q_vector, void *va, +- struct sk_buff *skb); ++ ktime_t *timestamp); + int igb_ptp_set_ts_config(struct net_device *netdev, struct ifreq *ifr); + int igb_ptp_get_ts_config(struct net_device *netdev, struct ifreq *ifr); + void igb_set_flag_queue_pairs(struct igb_adapter *, const u32); +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index a45cd2b416c8..a41b85f1fc94 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -8281,7 +8281,7 @@ static void igb_add_rx_frag(struct igb_ring *rx_ring, + static struct sk_buff *igb_construct_skb(struct igb_ring *rx_ring, + struct igb_rx_buffer *rx_buffer, + struct xdp_buff *xdp, +- union e1000_adv_rx_desc *rx_desc) ++ ktime_t timestamp) + { + #if (PAGE_SIZE < 8192) + unsigned int truesize = igb_rx_pg_size(rx_ring) / 2; +@@ -8301,12 +8301,8 @@ static struct sk_buff *igb_construct_skb(struct igb_ring *rx_ring, + if (unlikely(!skb)) + return NULL; + +- if (unlikely(igb_test_staterr(rx_desc, E1000_RXDADV_STAT_TSIP))) { +- if (!igb_ptp_rx_pktstamp(rx_ring->q_vector, xdp->data, skb)) { +- xdp->data += IGB_TS_HDR_LEN; +- size -= IGB_TS_HDR_LEN; +- } +- } ++ if (timestamp) ++ skb_hwtstamps(skb)->hwtstamp = timestamp; + + /* Determine available headroom for copy */ + headlen = size; +@@ -8337,7 +8333,7 @@ static struct sk_buff *igb_construct_skb(struct igb_ring *rx_ring, + static struct sk_buff *igb_build_skb(struct igb_ring *rx_ring, + struct igb_rx_buffer *rx_buffer, + struct xdp_buff *xdp, +- union e1000_adv_rx_desc *rx_desc) ++ ktime_t timestamp) + { + #if (PAGE_SIZE < 8192) + unsigned int truesize = igb_rx_pg_size(rx_ring) / 2; +@@ -8364,11 +8360,8 @@ static struct sk_buff *igb_build_skb(struct igb_ring *rx_ring, + if (metasize) + skb_metadata_set(skb, metasize); + +- /* pull timestamp out of packet data */ +- if (igb_test_staterr(rx_desc, E1000_RXDADV_STAT_TSIP)) { +- if (!igb_ptp_rx_pktstamp(rx_ring->q_vector, skb->data, skb)) +- __skb_pull(skb, IGB_TS_HDR_LEN); +- } ++ if (timestamp) ++ skb_hwtstamps(skb)->hwtstamp = timestamp; + + /* update buffer offset */ + #if (PAGE_SIZE < 8192) +@@ -8683,7 +8676,10 @@ static int igb_clean_rx_irq(struct igb_q_vector *q_vector, const int budget) + while (likely(total_packets < budget)) { + union e1000_adv_rx_desc *rx_desc; + struct igb_rx_buffer *rx_buffer; ++ ktime_t timestamp = 0; ++ int pkt_offset = 0; + unsigned int size; ++ void *pktbuf; + + /* return some buffers to hardware, one at a time is too slow */ + if (cleaned_count >= IGB_RX_BUFFER_WRITE) { +@@ -8703,14 +8699,24 @@ static int igb_clean_rx_irq(struct igb_q_vector *q_vector, const int budget) + dma_rmb(); + + rx_buffer = igb_get_rx_buffer(rx_ring, size, &rx_buf_pgcnt); ++ pktbuf = page_address(rx_buffer->page) + rx_buffer->page_offset; ++ ++ /* pull rx packet timestamp if available and valid */ ++ if (igb_test_staterr(rx_desc, E1000_RXDADV_STAT_TSIP)) { ++ int ts_hdr_len; ++ ++ ts_hdr_len = igb_ptp_rx_pktstamp(rx_ring->q_vector, ++ pktbuf, ×tamp); ++ ++ pkt_offset += ts_hdr_len; ++ size -= ts_hdr_len; ++ } + + /* retrieve a buffer from the ring */ + if (!skb) { +- unsigned int offset = igb_rx_offset(rx_ring); +- unsigned char *hard_start; ++ unsigned char *hard_start = pktbuf - igb_rx_offset(rx_ring); ++ unsigned int offset = pkt_offset + igb_rx_offset(rx_ring); + +- hard_start = page_address(rx_buffer->page) + +- rx_buffer->page_offset - offset; + xdp_prepare_buff(&xdp, hard_start, offset, size, true); + #if (PAGE_SIZE > 4096) + /* At larger PAGE_SIZE, frame_sz depend on len size */ +@@ -8733,10 +8739,11 @@ static int igb_clean_rx_irq(struct igb_q_vector *q_vector, const int budget) + } else if (skb) + igb_add_rx_frag(rx_ring, rx_buffer, skb, size); + else if (ring_uses_build_skb(rx_ring)) +- skb = igb_build_skb(rx_ring, rx_buffer, &xdp, rx_desc); ++ skb = igb_build_skb(rx_ring, rx_buffer, &xdp, ++ timestamp); + else + skb = igb_construct_skb(rx_ring, rx_buffer, +- &xdp, rx_desc); ++ &xdp, timestamp); + + /* exit if we failed to retrieve a buffer */ + if (!skb) { +diff --git a/drivers/net/ethernet/intel/igb/igb_ptp.c b/drivers/net/ethernet/intel/igb/igb_ptp.c +index 86a576201f5f..58b25f26ea7f 100644 +--- a/drivers/net/ethernet/intel/igb/igb_ptp.c ++++ b/drivers/net/ethernet/intel/igb/igb_ptp.c +@@ -856,30 +856,28 @@ static void igb_ptp_tx_hwtstamp(struct igb_adapter *adapter) + dev_kfree_skb_any(skb); + } + +-#define IGB_RET_PTP_DISABLED 1 +-#define IGB_RET_PTP_INVALID 2 +- + /** + * igb_ptp_rx_pktstamp - retrieve Rx per packet timestamp + * @q_vector: Pointer to interrupt specific structure + * @va: Pointer to address containing Rx buffer +- * @skb: Buffer containing timestamp and packet ++ * @timestamp: Pointer where timestamp will be stored + * + * This function is meant to retrieve a timestamp from the first buffer of an + * incoming frame. The value is stored in little endian format starting on + * byte 8 + * +- * Returns: 0 if success, nonzero if failure ++ * Returns: The timestamp header length or 0 if not available + **/ + int igb_ptp_rx_pktstamp(struct igb_q_vector *q_vector, void *va, +- struct sk_buff *skb) ++ ktime_t *timestamp) + { + struct igb_adapter *adapter = q_vector->adapter; ++ struct skb_shared_hwtstamps ts; + __le64 *regval = (__le64 *)va; + int adjust = 0; + + if (!(adapter->ptp_flags & IGB_PTP_ENABLED)) +- return IGB_RET_PTP_DISABLED; ++ return 0; + + /* The timestamp is recorded in little endian format. + * DWORD: 0 1 2 3 +@@ -888,10 +886,9 @@ int igb_ptp_rx_pktstamp(struct igb_q_vector *q_vector, void *va, + + /* check reserved dwords are zero, be/le doesn't matter for zero */ + if (regval[0]) +- return IGB_RET_PTP_INVALID; ++ return 0; + +- igb_ptp_systim_to_hwtstamp(adapter, skb_hwtstamps(skb), +- le64_to_cpu(regval[1])); ++ igb_ptp_systim_to_hwtstamp(adapter, &ts, le64_to_cpu(regval[1])); + + /* adjust timestamp for the RX latency based on link speed */ + if (adapter->hw.mac.type == e1000_i210) { +@@ -907,10 +904,10 @@ int igb_ptp_rx_pktstamp(struct igb_q_vector *q_vector, void *va, + break; + } + } +- skb_hwtstamps(skb)->hwtstamp = +- ktime_sub_ns(skb_hwtstamps(skb)->hwtstamp, adjust); + +- return 0; ++ *timestamp = ktime_sub_ns(ts.hwtstamp, adjust); ++ ++ return IGB_TS_HDR_LEN; + } + + /** +-- +2.30.2 + diff --git a/queue-5.12/ipv6-fix-kasan-slab-out-of-bounds-read-in-fib6_nh_fl.patch b/queue-5.12/ipv6-fix-kasan-slab-out-of-bounds-read-in-fib6_nh_fl.patch new file mode 100644 index 00000000000..c7132849cab --- /dev/null +++ b/queue-5.12/ipv6-fix-kasan-slab-out-of-bounds-read-in-fib6_nh_fl.patch @@ -0,0 +1,232 @@ +From c1d9a3d442c87435e305253cf3e39707bfeea887 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Jun 2021 07:32:58 +0000 +Subject: ipv6: Fix KASAN: slab-out-of-bounds Read in fib6_nh_flush_exceptions + +From: Coco Li + +[ Upstream commit 821bbf79fe46a8b1d18aa456e8ed0a3c208c3754 ] + +Reported by syzbot: +HEAD commit: 90c911ad Merge tag 'fixes' of git://git.kernel.org/pub/scm.. +git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master +dashboard link: https://syzkaller.appspot.com/bug?extid=123aa35098fd3c000eb7 +compiler: Debian clang version 11.0.1-2 + +================================================================== +BUG: KASAN: slab-out-of-bounds in fib6_nh_get_excptn_bucket net/ipv6/route.c:1604 [inline] +BUG: KASAN: slab-out-of-bounds in fib6_nh_flush_exceptions+0xbd/0x360 net/ipv6/route.c:1732 +Read of size 8 at addr ffff8880145c78f8 by task syz-executor.4/17760 + +CPU: 0 PID: 17760 Comm: syz-executor.4 Not tainted 5.12.0-rc8-syzkaller #0 +Call Trace: + + __dump_stack lib/dump_stack.c:79 [inline] + dump_stack+0x202/0x31e lib/dump_stack.c:120 + print_address_description+0x5f/0x3b0 mm/kasan/report.c:232 + __kasan_report mm/kasan/report.c:399 [inline] + kasan_report+0x15c/0x200 mm/kasan/report.c:416 + fib6_nh_get_excptn_bucket net/ipv6/route.c:1604 [inline] + fib6_nh_flush_exceptions+0xbd/0x360 net/ipv6/route.c:1732 + fib6_nh_release+0x9a/0x430 net/ipv6/route.c:3536 + fib6_info_destroy_rcu+0xcb/0x1c0 net/ipv6/ip6_fib.c:174 + rcu_do_batch kernel/rcu/tree.c:2559 [inline] + rcu_core+0x8f6/0x1450 kernel/rcu/tree.c:2794 + __do_softirq+0x372/0x7a6 kernel/softirq.c:345 + invoke_softirq kernel/softirq.c:221 [inline] + __irq_exit_rcu+0x22c/0x260 kernel/softirq.c:422 + irq_exit_rcu+0x5/0x20 kernel/softirq.c:434 + sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1100 + + asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:632 +RIP: 0010:lock_acquire+0x1f6/0x720 kernel/locking/lockdep.c:5515 +Code: f6 84 24 a1 00 00 00 02 0f 85 8d 02 00 00 f7 c3 00 02 00 00 49 bd 00 00 00 00 00 fc ff df 74 01 fb 48 c7 44 24 40 0e 36 e0 45 <4b> c7 44 3d 00 00 00 00 00 4b c7 44 3d 09 00 00 00 00 43 c7 44 3d +RSP: 0018:ffffc90009e06560 EFLAGS: 00000206 +RAX: 1ffff920013c0cc0 RBX: 0000000000000246 RCX: dffffc0000000000 +RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 +RBP: ffffc90009e066e0 R08: dffffc0000000000 R09: fffffbfff1f992b1 +R10: fffffbfff1f992b1 R11: 0000000000000000 R12: 0000000000000000 +R13: dffffc0000000000 R14: 0000000000000000 R15: 1ffff920013c0cb4 + rcu_lock_acquire+0x2a/0x30 include/linux/rcupdate.h:267 + rcu_read_lock include/linux/rcupdate.h:656 [inline] + ext4_get_group_info+0xea/0x340 fs/ext4/ext4.h:3231 + ext4_mb_prefetch+0x123/0x5d0 fs/ext4/mballoc.c:2212 + ext4_mb_regular_allocator+0x8a5/0x28f0 fs/ext4/mballoc.c:2379 + ext4_mb_new_blocks+0xc6e/0x24f0 fs/ext4/mballoc.c:4982 + ext4_ext_map_blocks+0x2be3/0x7210 fs/ext4/extents.c:4238 + ext4_map_blocks+0xab3/0x1cb0 fs/ext4/inode.c:638 + ext4_getblk+0x187/0x6c0 fs/ext4/inode.c:848 + ext4_bread+0x2a/0x1c0 fs/ext4/inode.c:900 + ext4_append+0x1a4/0x360 fs/ext4/namei.c:67 + ext4_init_new_dir+0x337/0xa10 fs/ext4/namei.c:2768 + ext4_mkdir+0x4b8/0xc00 fs/ext4/namei.c:2814 + vfs_mkdir+0x45b/0x640 fs/namei.c:3819 + ovl_do_mkdir fs/overlayfs/overlayfs.h:161 [inline] + ovl_mkdir_real+0x53/0x1a0 fs/overlayfs/dir.c:146 + ovl_create_real+0x280/0x490 fs/overlayfs/dir.c:193 + ovl_workdir_create+0x425/0x600 fs/overlayfs/super.c:788 + ovl_make_workdir+0xed/0x1140 fs/overlayfs/super.c:1355 + ovl_get_workdir fs/overlayfs/super.c:1492 [inline] + ovl_fill_super+0x39ee/0x5370 fs/overlayfs/super.c:2035 + mount_nodev+0x52/0xe0 fs/super.c:1413 + legacy_get_tree+0xea/0x180 fs/fs_context.c:592 + vfs_get_tree+0x86/0x270 fs/super.c:1497 + do_new_mount fs/namespace.c:2903 [inline] + path_mount+0x196f/0x2be0 fs/namespace.c:3233 + do_mount fs/namespace.c:3246 [inline] + __do_sys_mount fs/namespace.c:3454 [inline] + __se_sys_mount+0x2f9/0x3b0 fs/namespace.c:3431 + do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 + entry_SYSCALL_64_after_hwframe+0x44/0xae +RIP: 0033:0x4665f9 +Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f68f2b87188 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 +RAX: ffffffffffffffda RBX: 000000000056bf60 RCX: 00000000004665f9 +RDX: 00000000200000c0 RSI: 0000000020000000 RDI: 000000000040000a +RBP: 00000000004bfbb9 R08: 0000000020000100 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf60 +R13: 00007ffe19002dff R14: 00007f68f2b87300 R15: 0000000000022000 + +Allocated by task 17768: + kasan_save_stack mm/kasan/common.c:38 [inline] + kasan_set_track mm/kasan/common.c:46 [inline] + set_alloc_info mm/kasan/common.c:427 [inline] + ____kasan_kmalloc+0xc2/0xf0 mm/kasan/common.c:506 + kasan_kmalloc include/linux/kasan.h:233 [inline] + __kmalloc+0xb4/0x380 mm/slub.c:4055 + kmalloc include/linux/slab.h:559 [inline] + kzalloc include/linux/slab.h:684 [inline] + fib6_info_alloc+0x2c/0xd0 net/ipv6/ip6_fib.c:154 + ip6_route_info_create+0x55d/0x1a10 net/ipv6/route.c:3638 + ip6_route_add+0x22/0x120 net/ipv6/route.c:3728 + inet6_rtm_newroute+0x2cd/0x2260 net/ipv6/route.c:5352 + rtnetlink_rcv_msg+0xb34/0xe70 net/core/rtnetlink.c:5553 + netlink_rcv_skb+0x1f0/0x460 net/netlink/af_netlink.c:2502 + netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline] + netlink_unicast+0x7de/0x9b0 net/netlink/af_netlink.c:1338 + netlink_sendmsg+0xaa6/0xe90 net/netlink/af_netlink.c:1927 + sock_sendmsg_nosec net/socket.c:654 [inline] + sock_sendmsg net/socket.c:674 [inline] + ____sys_sendmsg+0x5a2/0x900 net/socket.c:2350 + ___sys_sendmsg net/socket.c:2404 [inline] + __sys_sendmsg+0x319/0x400 net/socket.c:2433 + do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +Last potentially related work creation: + kasan_save_stack+0x27/0x50 mm/kasan/common.c:38 + kasan_record_aux_stack+0xee/0x120 mm/kasan/generic.c:345 + __call_rcu kernel/rcu/tree.c:3039 [inline] + call_rcu+0x1b1/0xa30 kernel/rcu/tree.c:3114 + fib6_info_release include/net/ip6_fib.h:337 [inline] + ip6_route_info_create+0x10c4/0x1a10 net/ipv6/route.c:3718 + ip6_route_add+0x22/0x120 net/ipv6/route.c:3728 + inet6_rtm_newroute+0x2cd/0x2260 net/ipv6/route.c:5352 + rtnetlink_rcv_msg+0xb34/0xe70 net/core/rtnetlink.c:5553 + netlink_rcv_skb+0x1f0/0x460 net/netlink/af_netlink.c:2502 + netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline] + netlink_unicast+0x7de/0x9b0 net/netlink/af_netlink.c:1338 + netlink_sendmsg+0xaa6/0xe90 net/netlink/af_netlink.c:1927 + sock_sendmsg_nosec net/socket.c:654 [inline] + sock_sendmsg net/socket.c:674 [inline] + ____sys_sendmsg+0x5a2/0x900 net/socket.c:2350 + ___sys_sendmsg net/socket.c:2404 [inline] + __sys_sendmsg+0x319/0x400 net/socket.c:2433 + do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +Second to last potentially related work creation: + kasan_save_stack+0x27/0x50 mm/kasan/common.c:38 + kasan_record_aux_stack+0xee/0x120 mm/kasan/generic.c:345 + insert_work+0x54/0x400 kernel/workqueue.c:1331 + __queue_work+0x981/0xcc0 kernel/workqueue.c:1497 + queue_work_on+0x111/0x200 kernel/workqueue.c:1524 + queue_work include/linux/workqueue.h:507 [inline] + call_usermodehelper_exec+0x283/0x470 kernel/umh.c:433 + kobject_uevent_env+0x1349/0x1730 lib/kobject_uevent.c:617 + kvm_uevent_notify_change+0x309/0x3b0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:4809 + kvm_destroy_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:877 [inline] + kvm_put_kvm+0x9c/0xd10 arch/x86/kvm/../../../virt/kvm/kvm_main.c:920 + kvm_vcpu_release+0x53/0x60 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3120 + __fput+0x352/0x7b0 fs/file_table.c:280 + task_work_run+0x146/0x1c0 kernel/task_work.c:140 + tracehook_notify_resume include/linux/tracehook.h:189 [inline] + exit_to_user_mode_loop kernel/entry/common.c:174 [inline] + exit_to_user_mode_prepare+0x10b/0x1e0 kernel/entry/common.c:208 + __syscall_exit_to_user_mode_work kernel/entry/common.c:290 [inline] + syscall_exit_to_user_mode+0x26/0x70 kernel/entry/common.c:301 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +The buggy address belongs to the object at ffff8880145c7800 + which belongs to the cache kmalloc-192 of size 192 +The buggy address is located 56 bytes to the right of + 192-byte region [ffff8880145c7800, ffff8880145c78c0) +The buggy address belongs to the page: +page:ffffea00005171c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x145c7 +flags: 0xfff00000000200(slab) +raw: 00fff00000000200 ffffea00006474c0 0000000200000002 ffff888010c41a00 +raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff8880145c7780: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc + ffff8880145c7800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +>ffff8880145c7880: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc + ^ + ffff8880145c7900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff8880145c7980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc +================================================================== + +In the ip6_route_info_create function, in the case that the nh pointer +is not NULL, the fib6_nh in fib6_info has not been allocated. +Therefore, when trying to free fib6_info in this error case using +fib6_info_release, the function will call fib6_info_destroy_rcu, +which it will access fib6_nh_release(f6i->fib6_nh); +However, f6i->fib6_nh doesn't have any refcount yet given the lack of allocation +causing the reported memory issue above. +Therefore, releasing the empty pointer directly instead would be the solution. + +Fixes: f88d8ea67fbdb ("ipv6: Plumb support for nexthop object in a fib6_info") +Fixes: 706ec91916462 ("ipv6: Fix nexthop refcnt leak when creating ipv6 route info") +Signed-off-by: Coco Li +Cc: David Ahern +Reviewed-by: Eric Dumazet +Reviewed-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/route.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/net/ipv6/route.c b/net/ipv6/route.c +index 373d48073106..36e80b3598b0 100644 +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -3676,11 +3676,11 @@ static struct fib6_info *ip6_route_info_create(struct fib6_config *cfg, + if (nh) { + if (rt->fib6_src.plen) { + NL_SET_ERR_MSG(extack, "Nexthops can not be used with source routing"); +- goto out; ++ goto out_free; + } + if (!nexthop_get(nh)) { + NL_SET_ERR_MSG(extack, "Nexthop has been deleted"); +- goto out; ++ goto out_free; + } + rt->nh = nh; + fib6_nh = nexthop_fib6_nh(rt->nh); +@@ -3717,6 +3717,10 @@ static struct fib6_info *ip6_route_info_create(struct fib6_config *cfg, + out: + fib6_info_release(rt); + return ERR_PTR(err); ++out_free: ++ ip_fib_metrics_put(rt->fib6_metrics); ++ kfree(rt); ++ return ERR_PTR(err); + } + + int ip6_route_add(struct fib6_config *cfg, gfp_t gfp_flags, +-- +2.30.2 + diff --git a/queue-5.12/ipvs-ignore-ip_vs_svc_f_hashed-flag-when-adding-serv.patch b/queue-5.12/ipvs-ignore-ip_vs_svc_f_hashed-flag-when-adding-serv.patch new file mode 100644 index 00000000000..e959cbdc745 --- /dev/null +++ b/queue-5.12/ipvs-ignore-ip_vs_svc_f_hashed-flag-when-adding-serv.patch @@ -0,0 +1,62 @@ +From 2891b2c2df96fbaa7dcf9acd0a6ae2a100708c6a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 May 2021 22:54:57 +0300 +Subject: ipvs: ignore IP_VS_SVC_F_HASHED flag when adding service + +From: Julian Anastasov + +[ Upstream commit 56e4ee82e850026d71223262c07df7d6af3bd872 ] + +syzbot reported memory leak [1] when adding service with +HASHED flag. We should ignore this flag both from sockopt +and netlink provided data, otherwise the service is not +hashed and not visible while releasing resources. + +[1] +BUG: memory leak +unreferenced object 0xffff888115227800 (size 512): + comm "syz-executor263", pid 8658, jiffies 4294951882 (age 12.560s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [] kmalloc include/linux/slab.h:556 [inline] + [] kzalloc include/linux/slab.h:686 [inline] + [] ip_vs_add_service+0x598/0x7c0 net/netfilter/ipvs/ip_vs_ctl.c:1343 + [] do_ip_vs_set_ctl+0x810/0xa40 net/netfilter/ipvs/ip_vs_ctl.c:2570 + [] nf_setsockopt+0x68/0xa0 net/netfilter/nf_sockopt.c:101 + [] ip_setsockopt+0x259/0x1ff0 net/ipv4/ip_sockglue.c:1435 + [] raw_setsockopt+0x18c/0x1b0 net/ipv4/raw.c:857 + [] __sys_setsockopt+0x1b0/0x360 net/socket.c:2117 + [] __do_sys_setsockopt net/socket.c:2128 [inline] + [] __se_sys_setsockopt net/socket.c:2125 [inline] + [] __x64_sys_setsockopt+0x22/0x30 net/socket.c:2125 + [] do_syscall_64+0x3a/0xb0 arch/x86/entry/common.c:47 + [] entry_SYSCALL_64_after_hwframe+0x44/0xae + +Reported-and-tested-by: syzbot+e562383183e4b1766930@syzkaller.appspotmail.com +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Julian Anastasov +Reviewed-by: Simon Horman +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/ipvs/ip_vs_ctl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c +index d45dbcba8b49..c25097092a06 100644 +--- a/net/netfilter/ipvs/ip_vs_ctl.c ++++ b/net/netfilter/ipvs/ip_vs_ctl.c +@@ -1367,7 +1367,7 @@ ip_vs_add_service(struct netns_ipvs *ipvs, struct ip_vs_service_user_kern *u, + ip_vs_addr_copy(svc->af, &svc->addr, &u->addr); + svc->port = u->port; + svc->fwmark = u->fwmark; +- svc->flags = u->flags; ++ svc->flags = u->flags & ~IP_VS_SVC_F_HASHED; + svc->timeout = u->timeout * HZ; + svc->netmask = u->netmask; + svc->ipvs = ipvs; +-- +2.30.2 + diff --git a/queue-5.12/ixgbe-add-correct-exception-tracing-for-xdp.patch b/queue-5.12/ixgbe-add-correct-exception-tracing-for-xdp.patch new file mode 100644 index 00000000000..ec923658f67 --- /dev/null +++ b/queue-5.12/ixgbe-add-correct-exception-tracing-for-xdp.patch @@ -0,0 +1,104 @@ +From ebca0c7fa7f2c30580d0815ddb179545c4a3f918 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 May 2021 11:38:51 +0200 +Subject: ixgbe: add correct exception tracing for XDP + +From: Magnus Karlsson + +[ Upstream commit 8281356b1cab1cccc71412eb4cf28b99d6bb2c19 ] + +Add missing exception tracing to XDP when a number of different +errors can occur. The support was only partial. Several errors +where not logged which would confuse the user quite a lot not +knowing where and why the packets disappeared. + +Fixes: 33fdc82f0883 ("ixgbe: add support for XDP_TX action") +Fixes: d0bcacd0a130 ("ixgbe: add AF_XDP zero-copy Rx support") +Reported-by: Jesper Dangaard Brouer +Signed-off-by: Magnus Karlsson +Tested-by: Vishakha Jambekar +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 16 ++++++++-------- + drivers/net/ethernet/intel/ixgbe/ixgbe_xsk.c | 14 ++++++++------ + 2 files changed, 16 insertions(+), 14 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c +index cffb95f8f632..c194158a421c 100644 +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c +@@ -2213,23 +2213,23 @@ static struct sk_buff *ixgbe_run_xdp(struct ixgbe_adapter *adapter, + break; + case XDP_TX: + xdpf = xdp_convert_buff_to_frame(xdp); +- if (unlikely(!xdpf)) { +- result = IXGBE_XDP_CONSUMED; +- break; +- } ++ if (unlikely(!xdpf)) ++ goto out_failure; + result = ixgbe_xmit_xdp_ring(adapter, xdpf); ++ if (result == IXGBE_XDP_CONSUMED) ++ goto out_failure; + break; + case XDP_REDIRECT: + err = xdp_do_redirect(adapter->netdev, xdp, xdp_prog); +- if (!err) +- result = IXGBE_XDP_REDIR; +- else +- result = IXGBE_XDP_CONSUMED; ++ if (err) ++ goto out_failure; ++ result = IXGBE_XDP_REDIR; + break; + default: + bpf_warn_invalid_xdp_action(act); + fallthrough; + case XDP_ABORTED: ++out_failure: + trace_xdp_exception(rx_ring->netdev, xdp_prog, act); + fallthrough; /* handle aborts by dropping packet */ + case XDP_DROP: +diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_xsk.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_xsk.c +index 91ad5b902673..f72d2978263b 100644 +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_xsk.c ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_xsk.c +@@ -106,9 +106,10 @@ static int ixgbe_run_xdp_zc(struct ixgbe_adapter *adapter, + + if (likely(act == XDP_REDIRECT)) { + err = xdp_do_redirect(rx_ring->netdev, xdp, xdp_prog); +- result = !err ? IXGBE_XDP_REDIR : IXGBE_XDP_CONSUMED; ++ if (err) ++ goto out_failure; + rcu_read_unlock(); +- return result; ++ return IXGBE_XDP_REDIR; + } + + switch (act) { +@@ -116,16 +117,17 @@ static int ixgbe_run_xdp_zc(struct ixgbe_adapter *adapter, + break; + case XDP_TX: + xdpf = xdp_convert_buff_to_frame(xdp); +- if (unlikely(!xdpf)) { +- result = IXGBE_XDP_CONSUMED; +- break; +- } ++ if (unlikely(!xdpf)) ++ goto out_failure; + result = ixgbe_xmit_xdp_ring(adapter, xdpf); ++ if (result == IXGBE_XDP_CONSUMED) ++ goto out_failure; + break; + default: + bpf_warn_invalid_xdp_action(act); + fallthrough; + case XDP_ABORTED: ++out_failure: + trace_xdp_exception(rx_ring->netdev, xdp_prog, act); + fallthrough; /* handle aborts by dropping packet */ + case XDP_DROP: +-- +2.30.2 + diff --git a/queue-5.12/ixgbe-optimize-for-xdp_redirect-in-xsk-path.patch b/queue-5.12/ixgbe-optimize-for-xdp_redirect-in-xsk-path.patch new file mode 100644 index 00000000000..75ec5964b28 --- /dev/null +++ b/queue-5.12/ixgbe-optimize-for-xdp_redirect-in-xsk-path.patch @@ -0,0 +1,55 @@ +From 00343cb0ccfd74e9eff39879daadddd6b43725db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Dec 2020 16:07:23 +0100 +Subject: ixgbe: optimize for XDP_REDIRECT in xsk path + +From: Magnus Karlsson + +[ Upstream commit 7d52fe2eaddfa3d7255d43c3e89ebf2748b7ea7a ] + +Optimize ixgbe_run_xdp_zc() for the XDP program verdict being +XDP_REDIRECT in the xsk zero-copy path. This path is only used when +having AF_XDP zero-copy on and in that case most packets will be +directed to user space. This provides a little under 100k extra +packets in throughput on my server when running l2fwd in xdpsock. + +Signed-off-by: Magnus Karlsson +Tested-by: Vishakha Jambekar +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ixgbe/ixgbe_xsk.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_xsk.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_xsk.c +index 3771857cf887..91ad5b902673 100644 +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_xsk.c ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_xsk.c +@@ -104,6 +104,13 @@ static int ixgbe_run_xdp_zc(struct ixgbe_adapter *adapter, + xdp_prog = READ_ONCE(rx_ring->xdp_prog); + act = bpf_prog_run_xdp(xdp_prog, xdp); + ++ if (likely(act == XDP_REDIRECT)) { ++ err = xdp_do_redirect(rx_ring->netdev, xdp, xdp_prog); ++ result = !err ? IXGBE_XDP_REDIR : IXGBE_XDP_CONSUMED; ++ rcu_read_unlock(); ++ return result; ++ } ++ + switch (act) { + case XDP_PASS: + break; +@@ -115,10 +122,6 @@ static int ixgbe_run_xdp_zc(struct ixgbe_adapter *adapter, + } + result = ixgbe_xmit_xdp_ring(adapter, xdpf); + break; +- case XDP_REDIRECT: +- err = xdp_do_redirect(rx_ring->netdev, xdp, xdp_prog); +- result = !err ? IXGBE_XDP_REDIR : IXGBE_XDP_CONSUMED; +- break; + default: + bpf_warn_invalid_xdp_action(act); + fallthrough; +-- +2.30.2 + diff --git a/queue-5.12/ixgbevf-add-correct-exception-tracing-for-xdp.patch b/queue-5.12/ixgbevf-add-correct-exception-tracing-for-xdp.patch new file mode 100644 index 00000000000..5e63ca48066 --- /dev/null +++ b/queue-5.12/ixgbevf-add-correct-exception-tracing-for-xdp.patch @@ -0,0 +1,46 @@ +From 18ac237db57c6b4913fd27bff47f7989f6fca3a4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 May 2021 11:38:53 +0200 +Subject: ixgbevf: add correct exception tracing for XDP + +From: Magnus Karlsson + +[ Upstream commit faae81420d162551b6ef2d804aafc00f4cd68e0e ] + +Add missing exception tracing to XDP when a number of different +errors can occur. The support was only partial. Several errors +where not logged which would confuse the user quite a lot not +knowing where and why the packets disappeared. + +Fixes: 21092e9ce8b1 ("ixgbevf: Add support for XDP_TX action") +Reported-by: Jesper Dangaard Brouer +Signed-off-by: Magnus Karlsson +Tested-by: Vishakha Jambekar +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c b/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c +index 449d7d5b280d..b38860c48598 100644 +--- a/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c ++++ b/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c +@@ -1067,11 +1067,14 @@ static struct sk_buff *ixgbevf_run_xdp(struct ixgbevf_adapter *adapter, + case XDP_TX: + xdp_ring = adapter->xdp_ring[rx_ring->queue_index]; + result = ixgbevf_xmit_xdp_ring(xdp_ring, xdp); ++ if (result == IXGBEVF_XDP_CONSUMED) ++ goto out_failure; + break; + default: + bpf_warn_invalid_xdp_action(act); + fallthrough; + case XDP_ABORTED: ++out_failure: + trace_xdp_exception(rx_ring->netdev, xdp_prog, act); + fallthrough; /* handle aborts by dropping packet */ + case XDP_DROP: +-- +2.30.2 + diff --git a/queue-5.12/kbuild-quote-objcopy-var-to-avoid-a-pahole-call-brea.patch b/queue-5.12/kbuild-quote-objcopy-var-to-avoid-a-pahole-call-brea.patch new file mode 100644 index 00000000000..903d68a261b --- /dev/null +++ b/queue-5.12/kbuild-quote-objcopy-var-to-avoid-a-pahole-call-brea.patch @@ -0,0 +1,82 @@ +From 658e55aeb57cb32bdb9c85ea8dbeae424002d510 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 May 2021 23:52:28 +0200 +Subject: kbuild: Quote OBJCOPY var to avoid a pahole call break the build + +From: Javier Martinez Canillas + +[ Upstream commit ff2e6efda0d5c51b33e2bcc0b0b981ac0a0ef214 ] + +The ccache tool can be used to speed up cross-compilation, by calling the +compiler and binutils through ccache. For example, following should work: + + $ export ARCH=arm64 CROSS_COMPILE="ccache aarch64-linux-gnu-" + + $ make M=drivers/gpu/drm/rockchip/ + +but pahole fails to extract the BTF info from DWARF, breaking the build: + + CC [M] drivers/gpu/drm/rockchip//rockchipdrm.mod.o + LD [M] drivers/gpu/drm/rockchip//rockchipdrm.ko + BTF [M] drivers/gpu/drm/rockchip//rockchipdrm.ko + aarch64-linux-gnu-objcopy: invalid option -- 'J' + Usage: aarch64-linux-gnu-objcopy [option(s)] in-file [out-file] + Copies a binary file, possibly transforming it in the process + ... + make[1]: *** [scripts/Makefile.modpost:156: __modpost] Error 2 + make: *** [Makefile:1866: modules] Error 2 + +this fails because OBJCOPY is set to "ccache aarch64-linux-gnu-copy" and +later pahole is executed with the following command line: + + LLVM_OBJCOPY=$(OBJCOPY) $(PAHOLE) -J --btf_base vmlinux $@ + +which gets expanded to: + + LLVM_OBJCOPY=ccache aarch64-linux-gnu-objcopy pahole -J ... + +instead of: + + LLVM_OBJCOPY="ccache aarch64-linux-gnu-objcopy" pahole -J ... + +Fixes: 5f9ae91f7c0d ("kbuild: Build kernel module BTFs if BTF is enabled and pahole supports it") +Signed-off-by: Javier Martinez Canillas +Signed-off-by: Andrii Nakryiko +Acked-by: Andrii Nakryiko +Acked-by: Arnaldo Carvalho de Melo +Link: https://lore.kernel.org/bpf/20210526215228.3729875-1-javierm@redhat.com +Signed-off-by: Sasha Levin +--- + scripts/Makefile.modfinal | 2 +- + scripts/link-vmlinux.sh | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/scripts/Makefile.modfinal b/scripts/Makefile.modfinal +index 735e11e9041b..19468831fcc7 100644 +--- a/scripts/Makefile.modfinal ++++ b/scripts/Makefile.modfinal +@@ -59,7 +59,7 @@ quiet_cmd_ld_ko_o = LD [M] $@ + quiet_cmd_btf_ko = BTF [M] $@ + cmd_btf_ko = \ + if [ -f vmlinux ]; then \ +- LLVM_OBJCOPY=$(OBJCOPY) $(PAHOLE) -J --btf_base vmlinux $@; \ ++ LLVM_OBJCOPY="$(OBJCOPY)" $(PAHOLE) -J --btf_base vmlinux $@; \ + else \ + printf "Skipping BTF generation for %s due to unavailability of vmlinux\n" $@ 1>&2; \ + fi; +diff --git a/scripts/link-vmlinux.sh b/scripts/link-vmlinux.sh +index 3b261b0f74f0..0a16928e495b 100755 +--- a/scripts/link-vmlinux.sh ++++ b/scripts/link-vmlinux.sh +@@ -228,7 +228,7 @@ gen_btf() + vmlinux_link ${1} + + info "BTF" ${2} +- LLVM_OBJCOPY=${OBJCOPY} ${PAHOLE} -J ${1} ++ LLVM_OBJCOPY="${OBJCOPY}" ${PAHOLE} -J ${1} + + # Create ${2} which contains just .BTF section but no symbols. Add + # SHF_ALLOC because .BTF will be part of the vmlinux image. --strip-all +-- +2.30.2 + diff --git a/queue-5.12/mptcp-always-parse-mptcp-options-for-mpc-reqsk.patch b/queue-5.12/mptcp-always-parse-mptcp-options-for-mpc-reqsk.patch new file mode 100644 index 00000000000..c9e8fe94ea8 --- /dev/null +++ b/queue-5.12/mptcp-always-parse-mptcp-options-for-mpc-reqsk.patch @@ -0,0 +1,68 @@ +From 7f8d21341dbe037413c5e8a981e833bd9291ddd3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 May 2021 16:31:38 -0700 +Subject: mptcp: always parse mptcp options for MPC reqsk + +From: Paolo Abeni + +[ Upstream commit 06f9a435b3aa12f4de6da91f11fdce8ce7b46205 ] + +In subflow_syn_recv_sock() we currently skip options parsing +for OoO packet, given that such packets may not carry the relevant +MPC option. + +If the peer generates an MPC+data TSO packet and some of the early +segments are lost or get reorder, we server will ignore the peer key, +causing transient, unexpected fallback to TCP. + +The solution is always parsing the incoming MPTCP options, and +do the fallback only for in-order packets. This actually cleans +the existing code a bit. + +Fixes: d22f4988ffec ("mptcp: process MP_CAPABLE data option") +Reported-by: Matthieu Baerts +Signed-off-by: Paolo Abeni +Signed-off-by: Mat Martineau +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/mptcp/subflow.c | 17 ++++++++--------- + 1 file changed, 8 insertions(+), 9 deletions(-) + +diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c +index 1936db3574d2..8878317b4386 100644 +--- a/net/mptcp/subflow.c ++++ b/net/mptcp/subflow.c +@@ -608,21 +608,20 @@ static struct sock *subflow_syn_recv_sock(const struct sock *sk, + + /* if the sk is MP_CAPABLE, we try to fetch the client key */ + if (subflow_req->mp_capable) { +- if (TCP_SKB_CB(skb)->seq != subflow_req->ssn_offset + 1) { +- /* here we can receive and accept an in-window, +- * out-of-order pkt, which will not carry the MP_CAPABLE +- * opt even on mptcp enabled paths +- */ +- goto create_msk; +- } +- ++ /* we can receive and accept an in-window, out-of-order pkt, ++ * which may not carry the MP_CAPABLE opt even on mptcp enabled ++ * paths: always try to extract the peer key, and fallback ++ * for packets missing it. ++ * Even OoO DSS packets coming legitly after dropped or ++ * reordered MPC will cause fallback, but we don't have other ++ * options. ++ */ + mptcp_get_options(skb, &mp_opt); + if (!mp_opt.mp_capable) { + fallback = true; + goto create_child; + } + +-create_msk: + new_msk = mptcp_sk_clone(listener->conn, &mp_opt, req); + if (!new_msk) + fallback = true; +-- +2.30.2 + diff --git a/queue-5.12/mptcp-do-not-reset-mp_capable-subflow-on-mapping-err.patch b/queue-5.12/mptcp-do-not-reset-mp_capable-subflow-on-mapping-err.patch new file mode 100644 index 00000000000..92fe2aa6a66 --- /dev/null +++ b/queue-5.12/mptcp-do-not-reset-mp_capable-subflow-on-mapping-err.patch @@ -0,0 +1,111 @@ +From df617b699d60ed92466849a26c28d59a085e33ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 May 2021 16:31:39 -0700 +Subject: mptcp: do not reset MP_CAPABLE subflow on mapping errors + +From: Paolo Abeni + +[ Upstream commit dea2b1ea9c705c5ba351a9174403fd83dbb68fc3 ] + +When some mapping related errors occurs we close the main +MPC subflow with a RST. We should instead fallback gracefully +to TCP, and do the reset only for MPJ subflows. + +Fixes: d22f4988ffec ("mptcp: process MP_CAPABLE data option") +Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/192 +Reported-by: Matthieu Baerts +Signed-off-by: Paolo Abeni +Signed-off-by: Mat Martineau +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/mptcp/subflow.c | 59 +++++++++++++++++++++++---------------------- + 1 file changed, 30 insertions(+), 29 deletions(-) + +diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c +index 8878317b4386..8425cd393bf3 100644 +--- a/net/mptcp/subflow.c ++++ b/net/mptcp/subflow.c +@@ -984,22 +984,11 @@ static bool subflow_check_data_avail(struct sock *ssk) + u64 old_ack; + + status = get_mapping_status(ssk, msk); +- pr_debug("msk=%p ssk=%p status=%d", msk, ssk, status); +- if (status == MAPPING_INVALID) { +- ssk->sk_err = EBADMSG; +- goto fatal; +- } +- if (status == MAPPING_DUMMY) { +- __mptcp_do_fallback(msk); +- skb = skb_peek(&ssk->sk_receive_queue); +- subflow->map_valid = 1; +- subflow->map_seq = READ_ONCE(msk->ack_seq); +- subflow->map_data_len = skb->len; +- subflow->map_subflow_seq = tcp_sk(ssk)->copied_seq - +- subflow->ssn_offset; +- subflow->data_avail = MPTCP_SUBFLOW_DATA_AVAIL; +- return true; +- } ++ if (unlikely(status == MAPPING_INVALID)) ++ goto fallback; ++ ++ if (unlikely(status == MAPPING_DUMMY)) ++ goto fallback; + + if (status != MAPPING_OK) + goto no_data; +@@ -1012,10 +1001,8 @@ static bool subflow_check_data_avail(struct sock *ssk) + * MP_CAPABLE-based mapping + */ + if (unlikely(!READ_ONCE(msk->can_ack))) { +- if (!subflow->mpc_map) { +- ssk->sk_err = EBADMSG; +- goto fatal; +- } ++ if (!subflow->mpc_map) ++ goto fallback; + WRITE_ONCE(msk->remote_key, subflow->remote_key); + WRITE_ONCE(msk->ack_seq, subflow->map_seq); + WRITE_ONCE(msk->can_ack, true); +@@ -1043,15 +1030,29 @@ static bool subflow_check_data_avail(struct sock *ssk) + no_data: + subflow_sched_work_if_closed(msk, ssk); + return false; +-fatal: +- /* fatal protocol error, close the socket */ +- /* This barrier is coupled with smp_rmb() in tcp_poll() */ +- smp_wmb(); +- ssk->sk_error_report(ssk); +- tcp_set_state(ssk, TCP_CLOSE); +- tcp_send_active_reset(ssk, GFP_ATOMIC); +- subflow->data_avail = 0; +- return false; ++ ++fallback: ++ /* RFC 8684 section 3.7. */ ++ if (subflow->mp_join || subflow->fully_established) { ++ /* fatal protocol error, close the socket. ++ * subflow_error_report() will introduce the appropriate barriers ++ */ ++ ssk->sk_err = EBADMSG; ++ ssk->sk_error_report(ssk); ++ tcp_set_state(ssk, TCP_CLOSE); ++ tcp_send_active_reset(ssk, GFP_ATOMIC); ++ subflow->data_avail = 0; ++ return false; ++ } ++ ++ __mptcp_do_fallback(msk); ++ skb = skb_peek(&ssk->sk_receive_queue); ++ subflow->map_valid = 1; ++ subflow->map_seq = READ_ONCE(msk->ack_seq); ++ subflow->map_data_len = skb->len; ++ subflow->map_subflow_seq = tcp_sk(ssk)->copied_seq - subflow->ssn_offset; ++ subflow->data_avail = MPTCP_SUBFLOW_DATA_AVAIL; ++ return true; + } + + bool mptcp_subflow_data_available(struct sock *sk) +-- +2.30.2 + diff --git a/queue-5.12/mptcp-fix-sk_forward_memory-corruption-on-retransmis.patch b/queue-5.12/mptcp-fix-sk_forward_memory-corruption-on-retransmis.patch new file mode 100644 index 00000000000..8febbb5e0e0 --- /dev/null +++ b/queue-5.12/mptcp-fix-sk_forward_memory-corruption-on-retransmis.patch @@ -0,0 +1,85 @@ +From c6fbb1c3a3d316adaf5caa4a10d9fda432cb71c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 May 2021 16:31:37 -0700 +Subject: mptcp: fix sk_forward_memory corruption on retransmission + +From: Paolo Abeni + +[ Upstream commit b5941f066b4ca331db225a976dae1d6ca8cf0ae3 ] + +MPTCP sk_forward_memory handling is a bit special, as such field +is protected by the msk socket spin_lock, instead of the plain +socket lock. + +Currently we have a code path updating such field without handling +the relevant lock: + +__mptcp_retrans() -> __mptcp_clean_una_wakeup() + +Several helpers in __mptcp_clean_una_wakeup() will update +sk_forward_alloc, possibly causing such field corruption, as reported +by Matthieu. + +Address the issue providing and using a new variant of blamed function +which explicitly acquires the msk spin lock. + +Fixes: 64b9cea7a0af ("mptcp: fix spurious retransmissions") +Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/172 +Reported-by: Matthieu Baerts +Tested-by: Matthieu Baerts +Signed-off-by: Paolo Abeni +Signed-off-by: Mat Martineau +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/mptcp/protocol.c | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c +index 228dd40828c4..225b98821517 100644 +--- a/net/mptcp/protocol.c ++++ b/net/mptcp/protocol.c +@@ -937,6 +937,10 @@ static void __mptcp_update_wmem(struct sock *sk) + { + struct mptcp_sock *msk = mptcp_sk(sk); + ++#ifdef CONFIG_LOCKDEP ++ WARN_ON_ONCE(!lockdep_is_held(&sk->sk_lock.slock)); ++#endif ++ + if (!msk->wmem_reserved) + return; + +@@ -1075,10 +1079,20 @@ out: + + static void __mptcp_clean_una_wakeup(struct sock *sk) + { ++#ifdef CONFIG_LOCKDEP ++ WARN_ON_ONCE(!lockdep_is_held(&sk->sk_lock.slock)); ++#endif + __mptcp_clean_una(sk); + mptcp_write_space(sk); + } + ++static void mptcp_clean_una_wakeup(struct sock *sk) ++{ ++ mptcp_data_lock(sk); ++ __mptcp_clean_una_wakeup(sk); ++ mptcp_data_unlock(sk); ++} ++ + static void mptcp_enter_memory_pressure(struct sock *sk) + { + struct mptcp_subflow_context *subflow; +@@ -2288,7 +2302,7 @@ static void __mptcp_retrans(struct sock *sk) + struct sock *ssk; + int ret; + +- __mptcp_clean_una_wakeup(sk); ++ mptcp_clean_una_wakeup(sk); + dfrag = mptcp_rtx_head(sk); + if (!dfrag) { + if (mptcp_data_fin_enabled(msk)) { +-- +2.30.2 + diff --git a/queue-5.12/mt76-mt76x0e-fix-device-hang-during-suspend-resume.patch b/queue-5.12/mt76-mt76x0e-fix-device-hang-during-suspend-resume.patch new file mode 100644 index 00000000000..12fe94b80d2 --- /dev/null +++ b/queue-5.12/mt76-mt76x0e-fix-device-hang-during-suspend-resume.patch @@ -0,0 +1,152 @@ +From ab7854786cb41e970357c1e31fb80ed80e112d4e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 May 2021 18:50:19 +0200 +Subject: mt76: mt76x0e: fix device hang during suspend/resume + +From: Lorenzo Bianconi + +[ Upstream commit 509559c35bcd23d5a046624b225cb3e99a9f1481 ] + +Similar to usb device, re-initialize mt76x0e device after resume in order +to fix mt7630e hang during suspend/resume + +Reported-by: Luca Trombin +Fixes: c2a4d9fbabfb9 ("mt76x0: inital split between pci and usb") +Signed-off-by: Lorenzo Bianconi +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/4812f9611624b34053c1592fd9c175b67d4ffcb4.1620406022.git.lorenzo@kernel.org +Signed-off-by: Sasha Levin +--- + .../net/wireless/mediatek/mt76/mt76x0/pci.c | 81 ++++++++++++++++++- + 1 file changed, 77 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt76x0/pci.c b/drivers/net/wireless/mediatek/mt76/mt76x0/pci.c +index 02d0aa0b815e..d2489dc9dc13 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt76x0/pci.c ++++ b/drivers/net/wireless/mediatek/mt76/mt76x0/pci.c +@@ -87,7 +87,7 @@ static const struct ieee80211_ops mt76x0e_ops = { + .reconfig_complete = mt76x02_reconfig_complete, + }; + +-static int mt76x0e_register_device(struct mt76x02_dev *dev) ++static int mt76x0e_init_hardware(struct mt76x02_dev *dev, bool resume) + { + int err; + +@@ -100,9 +100,11 @@ static int mt76x0e_register_device(struct mt76x02_dev *dev) + if (err < 0) + return err; + +- err = mt76x02_dma_init(dev); +- if (err < 0) +- return err; ++ if (!resume) { ++ err = mt76x02_dma_init(dev); ++ if (err < 0) ++ return err; ++ } + + err = mt76x0_init_hardware(dev); + if (err < 0) +@@ -123,6 +125,17 @@ static int mt76x0e_register_device(struct mt76x02_dev *dev) + mt76_clear(dev, 0x110, BIT(9)); + mt76_set(dev, MT_MAX_LEN_CFG, BIT(13)); + ++ return 0; ++} ++ ++static int mt76x0e_register_device(struct mt76x02_dev *dev) ++{ ++ int err; ++ ++ err = mt76x0e_init_hardware(dev, false); ++ if (err < 0) ++ return err; ++ + err = mt76x0_register_device(dev); + if (err < 0) + return err; +@@ -167,6 +180,8 @@ mt76x0e_probe(struct pci_dev *pdev, const struct pci_device_id *id) + if (ret) + return ret; + ++ mt76_pci_disable_aspm(pdev); ++ + mdev = mt76_alloc_device(&pdev->dev, sizeof(*dev), &mt76x0e_ops, + &drv_ops); + if (!mdev) +@@ -220,6 +235,60 @@ mt76x0e_remove(struct pci_dev *pdev) + mt76_free_device(mdev); + } + ++#ifdef CONFIG_PM ++static int mt76x0e_suspend(struct pci_dev *pdev, pm_message_t state) ++{ ++ struct mt76_dev *mdev = pci_get_drvdata(pdev); ++ struct mt76x02_dev *dev = container_of(mdev, struct mt76x02_dev, mt76); ++ int i; ++ ++ mt76_worker_disable(&mdev->tx_worker); ++ for (i = 0; i < ARRAY_SIZE(mdev->phy.q_tx); i++) ++ mt76_queue_tx_cleanup(dev, mdev->phy.q_tx[i], true); ++ for (i = 0; i < ARRAY_SIZE(mdev->q_mcu); i++) ++ mt76_queue_tx_cleanup(dev, mdev->q_mcu[i], true); ++ napi_disable(&mdev->tx_napi); ++ ++ mt76_for_each_q_rx(mdev, i) ++ napi_disable(&mdev->napi[i]); ++ ++ mt76x02_dma_disable(dev); ++ mt76x02_mcu_cleanup(dev); ++ mt76x0_chip_onoff(dev, false, false); ++ ++ pci_enable_wake(pdev, pci_choose_state(pdev, state), true); ++ pci_save_state(pdev); ++ ++ return pci_set_power_state(pdev, pci_choose_state(pdev, state)); ++} ++ ++static int mt76x0e_resume(struct pci_dev *pdev) ++{ ++ struct mt76_dev *mdev = pci_get_drvdata(pdev); ++ struct mt76x02_dev *dev = container_of(mdev, struct mt76x02_dev, mt76); ++ int err, i; ++ ++ err = pci_set_power_state(pdev, PCI_D0); ++ if (err) ++ return err; ++ ++ pci_restore_state(pdev); ++ ++ mt76_worker_enable(&mdev->tx_worker); ++ ++ mt76_for_each_q_rx(mdev, i) { ++ mt76_queue_rx_reset(dev, i); ++ napi_enable(&mdev->napi[i]); ++ napi_schedule(&mdev->napi[i]); ++ } ++ ++ napi_enable(&mdev->tx_napi); ++ napi_schedule(&mdev->tx_napi); ++ ++ return mt76x0e_init_hardware(dev, true); ++} ++#endif /* CONFIG_PM */ ++ + static const struct pci_device_id mt76x0e_device_table[] = { + { PCI_DEVICE(0x14c3, 0x7610) }, + { PCI_DEVICE(0x14c3, 0x7630) }, +@@ -237,6 +306,10 @@ static struct pci_driver mt76x0e_driver = { + .id_table = mt76x0e_device_table, + .probe = mt76x0e_probe, + .remove = mt76x0e_remove, ++#ifdef CONFIG_PM ++ .suspend = mt76x0e_suspend, ++ .resume = mt76x0e_resume, ++#endif /* CONFIG_PM */ + }; + + module_pci_driver(mt76x0e_driver); +-- +2.30.2 + diff --git a/queue-5.12/mt76-mt7921-add-rcu-section-in-mt7921_mcu_tx_rate_re.patch b/queue-5.12/mt76-mt7921-add-rcu-section-in-mt7921_mcu_tx_rate_re.patch new file mode 100644 index 00000000000..9de44038d06 --- /dev/null +++ b/queue-5.12/mt76-mt7921-add-rcu-section-in-mt7921_mcu_tx_rate_re.patch @@ -0,0 +1,77 @@ +From 921d53ac5774cc22bd74da0501128c97a0e3567a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Apr 2021 14:25:54 +0200 +Subject: mt76: mt7921: add rcu section in mt7921_mcu_tx_rate_report + +From: Lorenzo Bianconi + +[ Upstream commit 481fc927c8289919cc0be58666fcd1b7da187a0c ] + +Introduce rcu section in mt7921_mcu_tx_rate_report before dereferencing +wcid pointer otherwise loockdep will report the following issue: + +[ 115.245740] ============================= +[ 115.245754] WARNING: suspicious RCU usage +[ 115.245771] 5.10.20 #0 Not tainted +[ 115.245784] ----------------------------- +[ 115.245816] other info that might help us debug this: +[ 115.245830] rcu_scheduler_active = 2, debug_locks = 1 +[ 115.245845] 3 locks held by kworker/u4:1/20: +[ 115.245858] #0: ffffff80065ab138 ((wq_completion)phy0){+.+.}-{0:0}, at: process_one_work+0x1f8/0x6b8 +[ 115.245948] #1: ffffffc01198bdd8 ((work_completion)(&(&dev->mphy.mac_work)->work)){+.+.}-{0:0}, at: process_one_8 +[ 115.246027] #2: ffffff8006543ce8 (&dev->mutex#2){+.+.}-{3:3}, at: mt7921_mac_work+0x60/0x2b0 [mt7921e] +[ 115.246125] +[ 115.246125] stack backtrace: +[ 115.246142] CPU: 1 PID: 20 Comm: kworker/u4:1 Not tainted 5.10.20 #0 +[ 115.246152] Hardware name: MediaTek MT7622 RFB1 board (DT) +[ 115.246168] Workqueue: phy0 mt7921_mac_work [mt7921e] +[ 115.246188] Call trace: +[ 115.246201] dump_backtrace+0x0/0x1a8 +[ 115.246213] show_stack+0x14/0x30 +[ 115.246228] dump_stack+0xec/0x134 +[ 115.246240] lockdep_rcu_suspicious+0xcc/0xdc +[ 115.246255] mt7921_get_wtbl_info+0x2a4/0x310 [mt7921e] +[ 115.246269] mt7921_mac_work+0x284/0x2b0 [mt7921e] +[ 115.246281] process_one_work+0x2a0/0x6b8 +[ 115.246293] worker_thread+0x40/0x440 +[ 115.246305] kthread+0x144/0x148 +[ 115.246317] ret_from_fork+0x10/0x18 + +Fixes: 1c099ab44727c ("mt76: mt7921: add MCU support") +Signed-off-by: Lorenzo Bianconi +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7921/mcu.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c +index 62afbad77596..9a140e4734b5 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c +@@ -404,9 +404,12 @@ mt7921_mcu_tx_rate_report(struct mt7921_dev *dev, struct sk_buff *skb, + + if (wlan_idx >= MT76_N_WCIDS) + return; ++ ++ rcu_read_lock(); ++ + wcid = rcu_dereference(dev->mt76.wcid[wlan_idx]); + if (!wcid) +- return; ++ goto out; + + msta = container_of(wcid, struct mt7921_sta, wcid); + stats = &msta->stats; +@@ -414,6 +417,8 @@ mt7921_mcu_tx_rate_report(struct mt7921_dev *dev, struct sk_buff *skb, + /* current rate */ + mt7921_mcu_tx_rate_parse(mphy, &peer, &rate, curr); + stats->tx_rate = rate; ++out: ++ rcu_read_unlock(); + } + + static void +-- +2.30.2 + diff --git a/queue-5.12/mt76-mt7921-fix-possible-aoob-issue-in-mt7921_mcu_tx.patch b/queue-5.12/mt76-mt7921-fix-possible-aoob-issue-in-mt7921_mcu_tx.patch new file mode 100644 index 00000000000..4aa963382a0 --- /dev/null +++ b/queue-5.12/mt76-mt7921-fix-possible-aoob-issue-in-mt7921_mcu_tx.patch @@ -0,0 +1,67 @@ +From dbc2e0af0bedcb619b5d7fee00925bb7b4120feb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Apr 2021 16:27:09 +0200 +Subject: mt76: mt7921: fix possible AOOB issue in mt7921_mcu_tx_rate_report + +From: Lorenzo Bianconi + +[ Upstream commit d874e6c06952382897d35bf4094193cd44ae91bd ] + +Fix possible array out of bound access in mt7921_mcu_tx_rate_report. +Remove unnecessary varibable in mt7921_mcu_tx_rate_report + +Fixes: 1c099ab44727c ("mt76: mt7921: add MCU support") +Signed-off-by: Lorenzo Bianconi +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/91a1e8f6b6a3e6a929de560ed68132f6eb421720.1619187875.git.lorenzo@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7921/mcu.c | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c +index 9a140e4734b5..be88c9f5637a 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c +@@ -391,20 +391,22 @@ static void + mt7921_mcu_tx_rate_report(struct mt7921_dev *dev, struct sk_buff *skb, + u16 wlan_idx) + { +- struct mt7921_mcu_wlan_info_event *wtbl_info = +- (struct mt7921_mcu_wlan_info_event *)(skb->data); +- struct rate_info rate = {}; +- u8 curr_idx = wtbl_info->rate_info.rate_idx; +- u16 curr = le16_to_cpu(wtbl_info->rate_info.rate[curr_idx]); +- struct mt7921_mcu_peer_cap peer = wtbl_info->peer_cap; ++ struct mt7921_mcu_wlan_info_event *wtbl_info; + struct mt76_phy *mphy = &dev->mphy; + struct mt7921_sta_stats *stats; ++ struct rate_info rate = {}; + struct mt7921_sta *msta; + struct mt76_wcid *wcid; ++ u8 idx; + + if (wlan_idx >= MT76_N_WCIDS) + return; + ++ wtbl_info = (struct mt7921_mcu_wlan_info_event *)skb->data; ++ idx = wtbl_info->rate_info.rate_idx; ++ if (idx >= ARRAY_SIZE(wtbl_info->rate_info.rate)) ++ return; ++ + rcu_read_lock(); + + wcid = rcu_dereference(dev->mt76.wcid[wlan_idx]); +@@ -415,7 +417,8 @@ mt7921_mcu_tx_rate_report(struct mt7921_dev *dev, struct sk_buff *skb, + stats = &msta->stats; + + /* current rate */ +- mt7921_mcu_tx_rate_parse(mphy, &peer, &rate, curr); ++ mt7921_mcu_tx_rate_parse(mphy, &wtbl_info->peer_cap, &rate, ++ le16_to_cpu(wtbl_info->rate_info.rate[idx])); + stats->tx_rate = rate; + out: + rcu_read_unlock(); +-- +2.30.2 + diff --git a/queue-5.12/net-dsa-tag_8021q-fix-the-vlan-ids-used-for-encoding.patch b/queue-5.12/net-dsa-tag_8021q-fix-the-vlan-ids-used-for-encoding.patch new file mode 100644 index 00000000000..ecba637cd81 --- /dev/null +++ b/queue-5.12/net-dsa-tag_8021q-fix-the-vlan-ids-used-for-encoding.patch @@ -0,0 +1,52 @@ +From b61a6eb4be9da4234838d8898626a3d6c630ceda Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 May 2021 13:20:45 +0300 +Subject: net: dsa: tag_8021q: fix the VLAN IDs used for encoding sub-VLANs + +From: Vladimir Oltean + +[ Upstream commit 4ef8d857b5f494e62bce9085031563fda35f9563 ] + +When using sub-VLANs in the range of 1-7, the resulting value from: + + rx_vid = dsa_8021q_rx_vid_subvlan(ds, port, subvlan); + +is wrong according to the description from tag_8021q.c: + + | 11 | 10 | 9 | 8 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | + +-----------+-----+-----------------+-----------+-----------------------+ + | DIR | SVL | SWITCH_ID | SUBVLAN | PORT | + +-----------+-----+-----------------+-----------+-----------------------+ + +For example, when ds->index == 0, port == 3 and subvlan == 1, +dsa_8021q_rx_vid_subvlan() returns 1027, same as it returns for +subvlan == 0, but it should have returned 1043. + +This is because the low portion of the subvlan bits are not masked +properly when writing into the 12-bit VLAN value. They are masked into +bits 4:3, but they should be masked into bits 5:4. + +Fixes: 3eaae1d05f2b ("net: dsa: tag_8021q: support up to 8 VLANs per port using sub-VLANs") +Signed-off-by: Vladimir Oltean +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/dsa/tag_8021q.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/dsa/tag_8021q.c b/net/dsa/tag_8021q.c +index 008c1ec6e20c..122ad5833fb1 100644 +--- a/net/dsa/tag_8021q.c ++++ b/net/dsa/tag_8021q.c +@@ -64,7 +64,7 @@ + #define DSA_8021Q_SUBVLAN_HI_SHIFT 9 + #define DSA_8021Q_SUBVLAN_HI_MASK GENMASK(9, 9) + #define DSA_8021Q_SUBVLAN_LO_SHIFT 4 +-#define DSA_8021Q_SUBVLAN_LO_MASK GENMASK(4, 3) ++#define DSA_8021Q_SUBVLAN_LO_MASK GENMASK(5, 4) + #define DSA_8021Q_SUBVLAN_HI(x) (((x) & GENMASK(2, 2)) >> 2) + #define DSA_8021Q_SUBVLAN_LO(x) ((x) & GENMASK(1, 0)) + #define DSA_8021Q_SUBVLAN(x) \ +-- +2.30.2 + diff --git a/queue-5.12/net-mlx5-check-firmware-sync-reset-requested-is-set-.patch b/queue-5.12/net-mlx5-check-firmware-sync-reset-requested-is-set-.patch new file mode 100644 index 00000000000..3f6e830f6c5 --- /dev/null +++ b/queue-5.12/net-mlx5-check-firmware-sync-reset-requested-is-set-.patch @@ -0,0 +1,41 @@ +From b806030b1dbbb488e9c9934ab94f106dfa627778 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Apr 2021 07:30:57 +0300 +Subject: net/mlx5: Check firmware sync reset requested is set before trying to + abort it + +From: Moshe Shemesh + +[ Upstream commit 5940e64281c09976ce2b560244217e610bf9d029 ] + +In case driver sent NACK to firmware on sync reset request, it will get +sync reset abort event while it didn't set sync reset requested mode. +Thus, on abort sync reset event handler, driver should check reset +requested is set before trying to stop sync reset poll. + +Fixes: 7dd6df329d4c ("net/mlx5: Handle sync reset abort event") +Signed-off-by: Moshe Shemesh +Reviewed-by: Tariq Toukan +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c b/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c +index f9042e147c7f..ee710ce00795 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c +@@ -354,6 +354,9 @@ static void mlx5_sync_reset_abort_event(struct work_struct *work) + reset_abort_work); + struct mlx5_core_dev *dev = fw_reset->dev; + ++ if (!test_bit(MLX5_FW_RESET_FLAGS_RESET_REQUESTED, &fw_reset->reset_flags)) ++ return; ++ + mlx5_sync_reset_clear_reset_requested(dev, true); + mlx5_core_warn(dev, "PCI Sync FW Update Reset Aborted.\n"); + } +-- +2.30.2 + diff --git a/queue-5.12/net-mlx5-dr-create-multi-destination-flow-table-with.patch b/queue-5.12/net-mlx5-dr-create-multi-destination-flow-table-with.patch new file mode 100644 index 00000000000..86da76951f0 --- /dev/null +++ b/queue-5.12/net-mlx5-dr-create-multi-destination-flow-table-with.patch @@ -0,0 +1,58 @@ +From 8cde07aca285001a857fe3ce5c7e2678ca1ac53f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Dec 2020 16:40:38 +0200 +Subject: net/mlx5: DR, Create multi-destination flow table with level less + than 64 + +From: Yevgeny Kliteynik + +[ Upstream commit 216214c64a8c1cb9078c2c0aec7bb4a2f8e75397 ] + +Flow table that contains flow pointing to multiple flow tables or multiple +TIRs must have a level lower than 64. In our case it applies to muli- +destination flow table. +Fix the level of the created table to comply with HW Spec definitions, and +still make sure that its level lower than SW-owned tables, so that it +would be possible to point from the multi-destination FW table to SW +tables. + +Fixes: 34583beea4b7 ("net/mlx5: DR, Create multi-destination table for SW-steering use") +Signed-off-by: Yevgeny Kliteynik +Reviewed-by: Alex Vesker +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/steering/dr_fw.c | 3 ++- + include/linux/mlx5/mlx5_ifc.h | 2 ++ + 2 files changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_fw.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_fw.c +index 1fbcd012bb85..7ccfd40586ce 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_fw.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_fw.c +@@ -112,7 +112,8 @@ int mlx5dr_fw_create_md_tbl(struct mlx5dr_domain *dmn, + int ret; + + ft_attr.table_type = MLX5_FLOW_TABLE_TYPE_FDB; +- ft_attr.level = dmn->info.caps.max_ft_level - 2; ++ ft_attr.level = min_t(int, dmn->info.caps.max_ft_level - 2, ++ MLX5_FT_MAX_MULTIPATH_LEVEL); + ft_attr.reformat_en = reformat_req; + ft_attr.decap_en = reformat_req; + +diff --git a/include/linux/mlx5/mlx5_ifc.h b/include/linux/mlx5/mlx5_ifc.h +index 9c68b2da14c6..e5a4c68093fc 100644 +--- a/include/linux/mlx5/mlx5_ifc.h ++++ b/include/linux/mlx5/mlx5_ifc.h +@@ -1260,6 +1260,8 @@ enum mlx5_fc_bulk_alloc_bitmask { + + #define MLX5_FC_BULK_NUM_FCS(fc_enum) (MLX5_FC_BULK_SIZE_FACTOR * (fc_enum)) + ++#define MLX5_FT_MAX_MULTIPATH_LEVEL 63 ++ + enum { + MLX5_STEERING_FORMAT_CONNECTX_5 = 0, + MLX5_STEERING_FORMAT_CONNECTX_6DX = 1, +-- +2.30.2 + diff --git a/queue-5.12/net-mlx5e-check-for-needed-capability-for-cvlan-matc.patch b/queue-5.12/net-mlx5e-check-for-needed-capability-for-cvlan-matc.patch new file mode 100644 index 00000000000..29ce9a55c01 --- /dev/null +++ b/queue-5.12/net-mlx5e-check-for-needed-capability-for-cvlan-matc.patch @@ -0,0 +1,56 @@ +From f756e31d16e248d2868e22e4c64047dd459d32f0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Apr 2021 14:35:22 +0300 +Subject: net/mlx5e: Check for needed capability for cvlan matching + +From: Roi Dayan + +[ Upstream commit afe93f71b5d3cdae7209213ec8ef25210b837b93 ] + +If not supported show an error and return instead of trying to offload +to the hardware and fail. + +Fixes: 699e96ddf47f ("net/mlx5e: Support offloading tc double vlan headers match") +Reported-by: Pablo Neira Ayuso +Signed-off-by: Roi Dayan +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c +index 78a1403c9802..b633f669ea57 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c +@@ -1964,11 +1964,13 @@ static int __parse_cls_flower(struct mlx5e_priv *priv, + misc_parameters); + struct flow_rule *rule = flow_cls_offload_flow_rule(f); + struct flow_dissector *dissector = rule->match.dissector; ++ enum fs_flow_table_type fs_type; + u16 addr_type = 0; + u8 ip_proto = 0; + u8 *match_level; + int err; + ++ fs_type = mlx5e_is_eswitch_flow(flow) ? FS_FT_FDB : FS_FT_NIC_RX; + match_level = outer_match_level; + + if (dissector->used_keys & +@@ -2093,6 +2095,13 @@ static int __parse_cls_flower(struct mlx5e_priv *priv, + if (match.mask->vlan_id || + match.mask->vlan_priority || + match.mask->vlan_tpid) { ++ if (!MLX5_CAP_FLOWTABLE_TYPE(priv->mdev, ft_field_support.outer_second_vid, ++ fs_type)) { ++ NL_SET_ERR_MSG_MOD(extack, ++ "Matching on CVLAN is not supported"); ++ return -EOPNOTSUPP; ++ } ++ + if (match.key->vlan_tpid == htons(ETH_P_8021AD)) { + MLX5_SET(fte_match_set_misc, misc_c, + outer_second_svlan_tag, 1); +-- +2.30.2 + diff --git a/queue-5.12/net-mlx5e-fix-adding-encap-rules-to-slow-path.patch b/queue-5.12/net-mlx5e-fix-adding-encap-rules-to-slow-path.patch new file mode 100644 index 00000000000..0e43141f7de --- /dev/null +++ b/queue-5.12/net-mlx5e-fix-adding-encap-rules-to-slow-path.patch @@ -0,0 +1,78 @@ +From 6dbb83612ec66600960f965193c6f7081dc52dff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 May 2021 10:00:27 +0300 +Subject: net/mlx5e: Fix adding encap rules to slow path + +From: Roi Dayan + +[ Upstream commit 2a2c84facd4af661d71be6e81fd9d490ac7fdc53 ] + +On some devices the ignore flow level cap is not supported and we +shouldn't use it. Setting the dest ft with mlx5_chains_get_tc_end_ft() +already gives the correct end ft if ignore flow level cap is supported +or not. + +Fixes: 39ac237ce009 ("net/mlx5: E-Switch, Refactor chains and priorities") +Signed-off-by: Roi Dayan +Reviewed-by: Paul Blakey +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c | 3 ++- + drivers/net/ethernet/mellanox/mlx5/core/lib/fs_chains.c | 2 +- + drivers/net/ethernet/mellanox/mlx5/core/lib/fs_chains.h | 5 +++++ + 3 files changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c +index d4a2f8d1ee9f..3719452a7803 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c +@@ -349,7 +349,8 @@ esw_setup_slow_path_dest(struct mlx5_flow_destination *dest, + struct mlx5_fs_chains *chains, + int i) + { +- flow_act->flags |= FLOW_ACT_IGNORE_FLOW_LEVEL; ++ if (mlx5_chains_ignore_flow_level_supported(chains)) ++ flow_act->flags |= FLOW_ACT_IGNORE_FLOW_LEVEL; + dest[i].type = MLX5_FLOW_DESTINATION_TYPE_FLOW_TABLE; + dest[i].ft = mlx5_chains_get_tc_end_ft(chains); + } +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_chains.c b/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_chains.c +index 381325b4a863..b607ed5a74bb 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_chains.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_chains.c +@@ -111,7 +111,7 @@ bool mlx5_chains_prios_supported(struct mlx5_fs_chains *chains) + return chains->flags & MLX5_CHAINS_AND_PRIOS_SUPPORTED; + } + +-static bool mlx5_chains_ignore_flow_level_supported(struct mlx5_fs_chains *chains) ++bool mlx5_chains_ignore_flow_level_supported(struct mlx5_fs_chains *chains) + { + return chains->flags & MLX5_CHAINS_IGNORE_FLOW_LEVEL_SUPPORTED; + } +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_chains.h b/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_chains.h +index 6d5be31b05dd..9f53a0823558 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_chains.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_chains.h +@@ -27,6 +27,7 @@ struct mlx5_chains_attr { + + bool + mlx5_chains_prios_supported(struct mlx5_fs_chains *chains); ++bool mlx5_chains_ignore_flow_level_supported(struct mlx5_fs_chains *chains); + bool + mlx5_chains_backwards_supported(struct mlx5_fs_chains *chains); + u32 +@@ -72,6 +73,10 @@ mlx5_chains_set_end_ft(struct mlx5_fs_chains *chains, + + #else /* CONFIG_MLX5_CLS_ACT */ + ++static inline bool ++mlx5_chains_ignore_flow_level_supported(struct mlx5_fs_chains *chains) ++{ return false; } ++ + static inline struct mlx5_flow_table * + mlx5_chains_get_table(struct mlx5_fs_chains *chains, u32 chain, u32 prio, + u32 level) { return ERR_PTR(-EOPNOTSUPP); } +-- +2.30.2 + diff --git a/queue-5.12/net-mlx5e-fix-incompatible-casting.patch b/queue-5.12/net-mlx5e-fix-incompatible-casting.patch new file mode 100644 index 00000000000..5c7ddfda95f --- /dev/null +++ b/queue-5.12/net-mlx5e-fix-incompatible-casting.patch @@ -0,0 +1,45 @@ +From 208ed29f08f7dec5b0681b3fad9ae001329492bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 May 2021 15:35:25 +0300 +Subject: net/mlx5e: Fix incompatible casting + +From: Aya Levin + +[ Upstream commit d8ec92005f806dfa7524e9171eca707c0bb1267e ] + +Device supports setting of a single fec mode at a time, enforce this +by bitmap_weight == 1. Input from fec command is in u32, avoid cast to +unsigned long and use bitmap_from_arr32 to populate bitmap safely. + +Fixes: 4bd9d5070b92 ("net/mlx5e: Enforce setting of a single FEC mode") +Signed-off-by: Aya Levin +Reviewed-by: Tariq Toukan +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c +index 53802e18af90..04b49cb3adb3 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c +@@ -1632,12 +1632,13 @@ static int mlx5e_set_fecparam(struct net_device *netdev, + { + struct mlx5e_priv *priv = netdev_priv(netdev); + struct mlx5_core_dev *mdev = priv->mdev; ++ unsigned long fec_bitmap; + u16 fec_policy = 0; + int mode; + int err; + +- if (bitmap_weight((unsigned long *)&fecparam->fec, +- ETHTOOL_FEC_LLRS_BIT + 1) > 1) ++ bitmap_from_arr32(&fec_bitmap, &fecparam->fec, sizeof(fecparam->fec) * BITS_PER_BYTE); ++ if (bitmap_weight(&fec_bitmap, ETHTOOL_FEC_LLRS_BIT + 1) > 1) + return -EOPNOTSUPP; + + for (mode = 0; mode < ARRAY_SIZE(pplm_fec_2_ethtool); mode++) { +-- +2.30.2 + diff --git a/queue-5.12/net-sched-act_ct-fix-ct-template-allocation-for-zone.patch b/queue-5.12/net-sched-act_ct-fix-ct-template-allocation-for-zone.patch new file mode 100644 index 00000000000..d84da990057 --- /dev/null +++ b/queue-5.12/net-sched-act_ct-fix-ct-template-allocation-for-zone.patch @@ -0,0 +1,59 @@ +From f74180f285223eb8efef7979004be6c4962b38e1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 May 2021 20:01:10 +0300 +Subject: net/sched: act_ct: Fix ct template allocation for zone 0 + +From: Ariel Levkovich + +[ Upstream commit fb91702b743dec78d6507c53a2dec8a8883f509d ] + +Fix current behavior of skipping template allocation in case the +ct action is in zone 0. + +Skipping the allocation may cause the datapath ct code to ignore the +entire ct action with all its attributes (commit, nat) in case the ct +action in zone 0 was preceded by a ct clear action. + +The ct clear action sets the ct_state to untracked and resets the +skb->_nfct pointer. Under these conditions and without an allocated +ct template, the skb->_nfct pointer will remain NULL which will +cause the tc ct action handler to exit without handling commit and nat +actions, if such exist. + +For example, the following rule in OVS dp: +recirc_id(0x2),ct_state(+new-est-rel-rpl+trk),ct_label(0/0x1), \ +in_port(eth0),actions:ct_clear,ct(commit,nat(src=10.11.0.12)), \ +recirc(0x37a) + +Will result in act_ct skipping the commit and nat actions in zone 0. + +The change removes the skipping of template allocation for zone 0 and +treats it the same as any other zone. + +Fixes: b57dc7c13ea9 ("net/sched: Introduce action ct") +Signed-off-by: Ariel Levkovich +Acked-by: Marcelo Ricardo Leitner +Link: https://lore.kernel.org/r/20210526170110.54864-1-lariel@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/act_ct.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c +index 371fd64638d2..ba7f57cb41c3 100644 +--- a/net/sched/act_ct.c ++++ b/net/sched/act_ct.c +@@ -1205,9 +1205,6 @@ static int tcf_ct_fill_params(struct net *net, + sizeof(p->zone)); + } + +- if (p->zone == NF_CT_DEFAULT_ZONE_ID) +- return 0; +- + nf_ct_zone_init(&zone, p->zone, NF_CT_DEFAULT_ZONE_DIR, 0); + tmpl = nf_ct_tmpl_alloc(net, &zone, GFP_KERNEL); + if (!tmpl) { +-- +2.30.2 + diff --git a/queue-5.12/net-sched-act_ct-offload-connections-with-commit-act.patch b/queue-5.12/net-sched-act_ct-offload-connections-with-commit-act.patch new file mode 100644 index 00000000000..e53eb6bbc56 --- /dev/null +++ b/queue-5.12/net-sched-act_ct-offload-connections-with-commit-act.patch @@ -0,0 +1,71 @@ +From 370b81750e5bb749e6f2637181a9cce1d48d0d8f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 May 2021 14:44:09 +0300 +Subject: net/sched: act_ct: Offload connections with commit action + +From: Paul Blakey + +[ Upstream commit 0cc254e5aa37cf05f65bcdcdc0ac5c58010feb33 ] + +Currently established connections are not offloaded if the filter has a +"ct commit" action. This behavior will not offload connections of the +following scenario: + +$ tc_filter add dev $DEV ingress protocol ip prio 1 flower \ + ct_state -trk \ + action ct commit action goto chain 1 + +$ tc_filter add dev $DEV ingress protocol ip chain 1 prio 1 flower \ + action mirred egress redirect dev $DEV2 + +$ tc_filter add dev $DEV2 ingress protocol ip prio 1 flower \ + action ct commit action goto chain 1 + +$ tc_filter add dev $DEV2 ingress protocol ip prio 1 chain 1 flower \ + ct_state +trk+est \ + action mirred egress redirect dev $DEV + +Offload established connections, regardless of the commit flag. + +Fixes: 46475bb20f4b ("net/sched: act_ct: Software offload of established flows") +Reviewed-by: Oz Shlomo +Reviewed-by: Jiri Pirko +Acked-by: Marcelo Ricardo Leitner +Signed-off-by: Paul Blakey +Link: https://lore.kernel.org/r/1622029449-27060-1-git-send-email-paulb@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/act_ct.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c +index 48fdf7293dea..371fd64638d2 100644 +--- a/net/sched/act_ct.c ++++ b/net/sched/act_ct.c +@@ -984,7 +984,7 @@ static int tcf_ct_act(struct sk_buff *skb, const struct tc_action *a, + */ + cached = tcf_ct_skb_nfct_cached(net, skb, p->zone, force); + if (!cached) { +- if (!commit && tcf_ct_flow_table_lookup(p, skb, family)) { ++ if (tcf_ct_flow_table_lookup(p, skb, family)) { + skip_add = true; + goto do_nat; + } +@@ -1024,10 +1024,11 @@ do_nat: + * even if the connection is already confirmed. + */ + nf_conntrack_confirm(skb); +- } else if (!skip_add) { +- tcf_ct_flow_table_process_conn(p->ct_ft, ct, ctinfo); + } + ++ if (!skip_add) ++ tcf_ct_flow_table_process_conn(p->ct_ft, ct, ctinfo); ++ + out_push: + skb_push_rcsum(skb, nh_ofs); + +-- +2.30.2 + diff --git a/queue-5.12/net-sock-fix-in-kernel-mark-setting.patch b/queue-5.12/net-sock-fix-in-kernel-mark-setting.patch new file mode 100644 index 00000000000..751a793ce75 --- /dev/null +++ b/queue-5.12/net-sock-fix-in-kernel-mark-setting.patch @@ -0,0 +1,64 @@ +From 01aa71e38e1d98935bf7bb6fd454d3d65dd56362 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 May 2021 17:00:30 -0400 +Subject: net: sock: fix in-kernel mark setting + +From: Alexander Aring + +[ Upstream commit dd9082f4a9f94280fbbece641bf8fc0a25f71f7a ] + +This patch fixes the in-kernel mark setting by doing an additional +sk_dst_reset() which was introduced by commit 50254256f382 ("sock: Reset +dst when changing sk_mark via setsockopt"). The code is now shared to +avoid any further suprises when changing the socket mark value. + +Fixes: 84d1c617402e ("net: sock: add sock_set_mark") +Reported-by: Marcelo Ricardo Leitner +Signed-off-by: Alexander Aring +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/sock.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +diff --git a/net/core/sock.c b/net/core/sock.c +index 9c7b143e7a96..a266760cd65e 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -815,10 +815,18 @@ void sock_set_rcvbuf(struct sock *sk, int val) + } + EXPORT_SYMBOL(sock_set_rcvbuf); + ++static void __sock_set_mark(struct sock *sk, u32 val) ++{ ++ if (val != sk->sk_mark) { ++ sk->sk_mark = val; ++ sk_dst_reset(sk); ++ } ++} ++ + void sock_set_mark(struct sock *sk, u32 val) + { + lock_sock(sk); +- sk->sk_mark = val; ++ __sock_set_mark(sk, val); + release_sock(sk); + } + EXPORT_SYMBOL(sock_set_mark); +@@ -1126,10 +1134,10 @@ set_sndbuf: + case SO_MARK: + if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN)) { + ret = -EPERM; +- } else if (val != sk->sk_mark) { +- sk->sk_mark = val; +- sk_dst_reset(sk); ++ break; + } ++ ++ __sock_set_mark(sk, val); + break; + + case SO_RXQ_OVFL: +-- +2.30.2 + diff --git a/queue-5.12/net-tls-fix-use-after-free-after-the-tls-device-goes.patch b/queue-5.12/net-tls-fix-use-after-free-after-the-tls-device-goes.patch new file mode 100644 index 00000000000..264126f78c9 --- /dev/null +++ b/queue-5.12/net-tls-fix-use-after-free-after-the-tls-device-goes.patch @@ -0,0 +1,207 @@ +From 728a5626bb28ec89494882c38b3457d1c048baff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Jun 2021 15:08:00 +0300 +Subject: net/tls: Fix use-after-free after the TLS device goes down and up + +From: Maxim Mikityanskiy + +[ Upstream commit c55dcdd435aa6c6ad6ccac0a4c636d010ee367a4 ] + +When a netdev with active TLS offload goes down, tls_device_down is +called to stop the offload and tear down the TLS context. However, the +socket stays alive, and it still points to the TLS context, which is now +deallocated. If a netdev goes up, while the connection is still active, +and the data flow resumes after a number of TCP retransmissions, it will +lead to a use-after-free of the TLS context. + +This commit addresses this bug by keeping the context alive until its +normal destruction, and implements the necessary fallbacks, so that the +connection can resume in software (non-offloaded) kTLS mode. + +On the TX side tls_sw_fallback is used to encrypt all packets. The RX +side already has all the necessary fallbacks, because receiving +non-decrypted packets is supported. The thing needed on the RX side is +to block resync requests, which are normally produced after receiving +non-decrypted packets. + +The necessary synchronization is implemented for a graceful teardown: +first the fallbacks are deployed, then the driver resources are released +(it used to be possible to have a tls_dev_resync after tls_dev_del). + +A new flag called TLS_RX_DEV_DEGRADED is added to indicate the fallback +mode. It's used to skip the RX resync logic completely, as it becomes +useless, and some objects may be released (for example, resync_async, +which is allocated and freed by the driver). + +Fixes: e8f69799810c ("net/tls: Add generic NIC offload infrastructure") +Signed-off-by: Maxim Mikityanskiy +Reviewed-by: Tariq Toukan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/net/tls.h | 9 ++++++ + net/tls/tls_device.c | 52 +++++++++++++++++++++++++++++++---- + net/tls/tls_device_fallback.c | 7 +++++ + net/tls/tls_main.c | 1 + + 4 files changed, 64 insertions(+), 5 deletions(-) + +diff --git a/include/net/tls.h b/include/net/tls.h +index 6531ace2a68b..8341a8d1e807 100644 +--- a/include/net/tls.h ++++ b/include/net/tls.h +@@ -193,6 +193,11 @@ struct tls_offload_context_tx { + (sizeof(struct tls_offload_context_tx) + TLS_DRIVER_STATE_SIZE_TX) + + enum tls_context_flags { ++ /* tls_device_down was called after the netdev went down, device state ++ * was released, and kTLS works in software, even though rx_conf is ++ * still TLS_HW (needed for transition). ++ */ ++ TLS_RX_DEV_DEGRADED = 0, + /* Unlike RX where resync is driven entirely by the core in TX only + * the driver knows when things went out of sync, so we need the flag + * to be atomic. +@@ -265,6 +270,7 @@ struct tls_context { + + /* cache cold stuff */ + struct proto *sk_proto; ++ struct sock *sk; + + void (*sk_destruct)(struct sock *sk); + +@@ -447,6 +453,9 @@ static inline u16 tls_user_config(struct tls_context *ctx, bool tx) + struct sk_buff * + tls_validate_xmit_skb(struct sock *sk, struct net_device *dev, + struct sk_buff *skb); ++struct sk_buff * ++tls_validate_xmit_skb_sw(struct sock *sk, struct net_device *dev, ++ struct sk_buff *skb); + + static inline bool tls_is_sk_tx_device_offloaded(struct sock *sk) + { +diff --git a/net/tls/tls_device.c b/net/tls/tls_device.c +index 2602d61a8d28..9b1ea17f3b1d 100644 +--- a/net/tls/tls_device.c ++++ b/net/tls/tls_device.c +@@ -50,6 +50,7 @@ static void tls_device_gc_task(struct work_struct *work); + static DECLARE_WORK(tls_device_gc_work, tls_device_gc_task); + static LIST_HEAD(tls_device_gc_list); + static LIST_HEAD(tls_device_list); ++static LIST_HEAD(tls_device_down_list); + static DEFINE_SPINLOCK(tls_device_lock); + + static void tls_device_free_ctx(struct tls_context *ctx) +@@ -759,6 +760,8 @@ void tls_device_rx_resync_new_rec(struct sock *sk, u32 rcd_len, u32 seq) + + if (tls_ctx->rx_conf != TLS_HW) + return; ++ if (unlikely(test_bit(TLS_RX_DEV_DEGRADED, &tls_ctx->flags))) ++ return; + + prot = &tls_ctx->prot_info; + rx_ctx = tls_offload_ctx_rx(tls_ctx); +@@ -961,6 +964,17 @@ int tls_device_decrypted(struct sock *sk, struct tls_context *tls_ctx, + + ctx->sw.decrypted |= is_decrypted; + ++ if (unlikely(test_bit(TLS_RX_DEV_DEGRADED, &tls_ctx->flags))) { ++ if (likely(is_encrypted || is_decrypted)) ++ return 0; ++ ++ /* After tls_device_down disables the offload, the next SKB will ++ * likely have initial fragments decrypted, and final ones not ++ * decrypted. We need to reencrypt that single SKB. ++ */ ++ return tls_device_reencrypt(sk, skb); ++ } ++ + /* Return immediately if the record is either entirely plaintext or + * entirely ciphertext. Otherwise handle reencrypt partially decrypted + * record. +@@ -1290,6 +1304,26 @@ static int tls_device_down(struct net_device *netdev) + spin_unlock_irqrestore(&tls_device_lock, flags); + + list_for_each_entry_safe(ctx, tmp, &list, list) { ++ /* Stop offloaded TX and switch to the fallback. ++ * tls_is_sk_tx_device_offloaded will return false. ++ */ ++ WRITE_ONCE(ctx->sk->sk_validate_xmit_skb, tls_validate_xmit_skb_sw); ++ ++ /* Stop the RX and TX resync. ++ * tls_dev_resync must not be called after tls_dev_del. ++ */ ++ WRITE_ONCE(ctx->netdev, NULL); ++ ++ /* Start skipping the RX resync logic completely. */ ++ set_bit(TLS_RX_DEV_DEGRADED, &ctx->flags); ++ ++ /* Sync with inflight packets. After this point: ++ * TX: no non-encrypted packets will be passed to the driver. ++ * RX: resync requests from the driver will be ignored. ++ */ ++ synchronize_net(); ++ ++ /* Release the offload context on the driver side. */ + if (ctx->tx_conf == TLS_HW) + netdev->tlsdev_ops->tls_dev_del(netdev, ctx, + TLS_OFFLOAD_CTX_DIR_TX); +@@ -1297,13 +1331,21 @@ static int tls_device_down(struct net_device *netdev) + !test_bit(TLS_RX_DEV_CLOSED, &ctx->flags)) + netdev->tlsdev_ops->tls_dev_del(netdev, ctx, + TLS_OFFLOAD_CTX_DIR_RX); +- WRITE_ONCE(ctx->netdev, NULL); +- synchronize_net(); ++ + dev_put(netdev); +- list_del_init(&ctx->list); + +- if (refcount_dec_and_test(&ctx->refcount)) +- tls_device_free_ctx(ctx); ++ /* Move the context to a separate list for two reasons: ++ * 1. When the context is deallocated, list_del is called. ++ * 2. It's no longer an offloaded context, so we don't want to ++ * run offload-specific code on this context. ++ */ ++ spin_lock_irqsave(&tls_device_lock, flags); ++ list_move_tail(&ctx->list, &tls_device_down_list); ++ spin_unlock_irqrestore(&tls_device_lock, flags); ++ ++ /* Device contexts for RX and TX will be freed in on sk_destruct ++ * by tls_device_free_ctx. rx_conf and tx_conf stay in TLS_HW. ++ */ + } + + up_write(&device_offload_lock); +diff --git a/net/tls/tls_device_fallback.c b/net/tls/tls_device_fallback.c +index cacf040872c7..e40bedd112b6 100644 +--- a/net/tls/tls_device_fallback.c ++++ b/net/tls/tls_device_fallback.c +@@ -431,6 +431,13 @@ struct sk_buff *tls_validate_xmit_skb(struct sock *sk, + } + EXPORT_SYMBOL_GPL(tls_validate_xmit_skb); + ++struct sk_buff *tls_validate_xmit_skb_sw(struct sock *sk, ++ struct net_device *dev, ++ struct sk_buff *skb) ++{ ++ return tls_sw_fallback(sk, skb); ++} ++ + struct sk_buff *tls_encrypt_skb(struct sk_buff *skb) + { + return tls_sw_fallback(skb->sk, skb); +diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c +index 47b7c5334c34..fde56ff49163 100644 +--- a/net/tls/tls_main.c ++++ b/net/tls/tls_main.c +@@ -636,6 +636,7 @@ struct tls_context *tls_ctx_create(struct sock *sk) + mutex_init(&ctx->tx_lock); + rcu_assign_pointer(icsk->icsk_ulp_data, ctx); + ctx->sk_proto = READ_ONCE(sk->sk_prot); ++ ctx->sk = sk; + return ctx; + } + +-- +2.30.2 + diff --git a/queue-5.12/net-tls-replace-tls_rx_sync_running-with-rcu.patch b/queue-5.12/net-tls-replace-tls_rx_sync_running-with-rcu.patch new file mode 100644 index 00000000000..33b2785a081 --- /dev/null +++ b/queue-5.12/net-tls-replace-tls_rx_sync_running-with-rcu.patch @@ -0,0 +1,71 @@ +From 7175291a362c758aed527ceafc954eb032a84054 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Jun 2021 15:07:59 +0300 +Subject: net/tls: Replace TLS_RX_SYNC_RUNNING with RCU + +From: Maxim Mikityanskiy + +[ Upstream commit 05fc8b6cbd4f979a6f25759c4a17dd5f657f7ecd ] + +RCU synchronization is guaranteed to finish in finite time, unlike a +busy loop that polls a flag. This patch is a preparation for the bugfix +in the next patch, where the same synchronize_net() call will also be +used to sync with the TX datapath. + +Signed-off-by: Maxim Mikityanskiy +Reviewed-by: Tariq Toukan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/net/tls.h | 1 - + net/tls/tls_device.c | 10 +++------- + 2 files changed, 3 insertions(+), 8 deletions(-) + +diff --git a/include/net/tls.h b/include/net/tls.h +index 3eccb525e8f7..6531ace2a68b 100644 +--- a/include/net/tls.h ++++ b/include/net/tls.h +@@ -193,7 +193,6 @@ struct tls_offload_context_tx { + (sizeof(struct tls_offload_context_tx) + TLS_DRIVER_STATE_SIZE_TX) + + enum tls_context_flags { +- TLS_RX_SYNC_RUNNING = 0, + /* Unlike RX where resync is driven entirely by the core in TX only + * the driver knows when things went out of sync, so we need the flag + * to be atomic. +diff --git a/net/tls/tls_device.c b/net/tls/tls_device.c +index d9cd229aa111..2602d61a8d28 100644 +--- a/net/tls/tls_device.c ++++ b/net/tls/tls_device.c +@@ -680,15 +680,13 @@ static void tls_device_resync_rx(struct tls_context *tls_ctx, + struct tls_offload_context_rx *rx_ctx = tls_offload_ctx_rx(tls_ctx); + struct net_device *netdev; + +- if (WARN_ON(test_and_set_bit(TLS_RX_SYNC_RUNNING, &tls_ctx->flags))) +- return; +- + trace_tls_device_rx_resync_send(sk, seq, rcd_sn, rx_ctx->resync_type); ++ rcu_read_lock(); + netdev = READ_ONCE(tls_ctx->netdev); + if (netdev) + netdev->tlsdev_ops->tls_dev_resync(netdev, sk, seq, rcd_sn, + TLS_OFFLOAD_CTX_DIR_RX); +- clear_bit_unlock(TLS_RX_SYNC_RUNNING, &tls_ctx->flags); ++ rcu_read_unlock(); + TLS_INC_STATS(sock_net(sk), LINUX_MIB_TLSRXDEVICERESYNC); + } + +@@ -1300,9 +1298,7 @@ static int tls_device_down(struct net_device *netdev) + netdev->tlsdev_ops->tls_dev_del(netdev, ctx, + TLS_OFFLOAD_CTX_DIR_RX); + WRITE_ONCE(ctx->netdev, NULL); +- smp_mb__before_atomic(); /* pairs with test_and_set_bit() */ +- while (test_bit(TLS_RX_SYNC_RUNNING, &ctx->flags)) +- usleep_range(10, 200); ++ synchronize_net(); + dev_put(netdev); + list_del_init(&ctx->list); + +-- +2.30.2 + diff --git a/queue-5.12/netfilter-conntrack-unregister-ipv4-sockopts-on-erro.patch b/queue-5.12/netfilter-conntrack-unregister-ipv4-sockopts-on-erro.patch new file mode 100644 index 00000000000..bba1e93fdbd --- /dev/null +++ b/queue-5.12/netfilter-conntrack-unregister-ipv4-sockopts-on-erro.patch @@ -0,0 +1,35 @@ +From 4e0906190fe7d5399f31c0e57acd7cd2aed3d0a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 May 2021 16:40:00 +0200 +Subject: netfilter: conntrack: unregister ipv4 sockopts on error unwind + +From: Florian Westphal + +[ Upstream commit 22cbdbcfb61acc78d5fc21ebb13ccc0d7e29f793 ] + +When ipv6 sockopt register fails, the ipv4 one needs to be removed. + +Fixes: a0ae2562c6c ("netfilter: conntrack: remove l3proto abstraction") +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_proto.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c +index 47e9319d2cf3..71892822bbf5 100644 +--- a/net/netfilter/nf_conntrack_proto.c ++++ b/net/netfilter/nf_conntrack_proto.c +@@ -660,7 +660,7 @@ int nf_conntrack_proto_init(void) + + #if IS_ENABLED(CONFIG_IPV6) + cleanup_sockopt: +- nf_unregister_sockopt(&so_getorigdst6); ++ nf_unregister_sockopt(&so_getorigdst); + #endif + return ret; + } +-- +2.30.2 + diff --git a/queue-5.12/netfilter-nfnetlink_cthelper-hit-ebusy-on-updates-if.patch b/queue-5.12/netfilter-nfnetlink_cthelper-hit-ebusy-on-updates-if.patch new file mode 100644 index 00000000000..30513cbba0b --- /dev/null +++ b/queue-5.12/netfilter-nfnetlink_cthelper-hit-ebusy-on-updates-if.patch @@ -0,0 +1,45 @@ +From 928643625e26df276347b4370ed03c2d6c238735 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 May 2021 13:45:16 +0200 +Subject: netfilter: nfnetlink_cthelper: hit EBUSY on updates if size + mismatches + +From: Pablo Neira Ayuso + +[ Upstream commit 8971ee8b087750a23f3cd4dc55bff2d0303fd267 ] + +The private helper data size cannot be updated. However, updates that +contain NFCTH_PRIV_DATA_LEN might bogusly hit EBUSY even if the size is +the same. + +Fixes: 12f7a505331e ("netfilter: add user-space connection tracking helper infrastructure") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nfnetlink_cthelper.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/net/netfilter/nfnetlink_cthelper.c b/net/netfilter/nfnetlink_cthelper.c +index 0f94fce1d3ed..04a12a264cf7 100644 +--- a/net/netfilter/nfnetlink_cthelper.c ++++ b/net/netfilter/nfnetlink_cthelper.c +@@ -380,10 +380,14 @@ static int + nfnl_cthelper_update(const struct nlattr * const tb[], + struct nf_conntrack_helper *helper) + { ++ u32 size; + int ret; + +- if (tb[NFCTH_PRIV_DATA_LEN]) +- return -EBUSY; ++ if (tb[NFCTH_PRIV_DATA_LEN]) { ++ size = ntohl(nla_get_be32(tb[NFCTH_PRIV_DATA_LEN])); ++ if (size != helper->data_len) ++ return -EBUSY; ++ } + + if (tb[NFCTH_POLICY]) { + ret = nfnl_cthelper_update_policy(helper, tb[NFCTH_POLICY]); +-- +2.30.2 + diff --git a/queue-5.12/netfilter-nft_ct-skip-expectations-for-confirmed-con.patch b/queue-5.12/netfilter-nft_ct-skip-expectations-for-confirmed-con.patch new file mode 100644 index 00000000000..04546d766a2 --- /dev/null +++ b/queue-5.12/netfilter-nft_ct-skip-expectations-for-confirmed-con.patch @@ -0,0 +1,64 @@ +From cf39c19f9dbd36e4ad5c7e0ac989907304446d62 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 May 2021 21:54:42 +0200 +Subject: netfilter: nft_ct: skip expectations for confirmed conntrack + +From: Pablo Neira Ayuso + +[ Upstream commit 1710eb913bdcda3917f44d383c32de6bdabfc836 ] + +nft_ct_expect_obj_eval() calls nf_ct_ext_add() for a confirmed +conntrack entry. However, nf_ct_ext_add() can only be called for +!nf_ct_is_confirmed(). + +[ 1825.349056] WARNING: CPU: 0 PID: 1279 at net/netfilter/nf_conntrack_extend.c:48 nf_ct_xt_add+0x18e/0x1a0 [nf_conntrack] +[ 1825.351391] RIP: 0010:nf_ct_ext_add+0x18e/0x1a0 [nf_conntrack] +[ 1825.351493] Code: 41 5c 41 5d 41 5e 41 5f c3 41 bc 0a 00 00 00 e9 15 ff ff ff ba 09 00 00 00 31 f6 4c 89 ff e8 69 6c 3d e9 eb 96 45 31 ed eb cd <0f> 0b e9 b1 fe ff ff e8 86 79 14 e9 eb bf 0f 1f 40 00 0f 1f 44 00 +[ 1825.351721] RSP: 0018:ffffc90002e1f1e8 EFLAGS: 00010202 +[ 1825.351790] RAX: 000000000000000e RBX: ffff88814f5783c0 RCX: ffffffffc0e4f887 +[ 1825.351881] RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff88814f578440 +[ 1825.351971] RBP: 0000000000000000 R08: 0000000000000000 R09: ffff88814f578447 +[ 1825.352060] R10: ffffed1029eaf088 R11: 0000000000000001 R12: ffff88814f578440 +[ 1825.352150] R13: ffff8882053f3a00 R14: 0000000000000000 R15: 0000000000000a20 +[ 1825.352240] FS: 00007f992261c900(0000) GS:ffff889faec00000(0000) knlGS:0000000000000000 +[ 1825.352343] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 1825.352417] CR2: 000056070a4d1158 CR3: 000000015efe0000 CR4: 0000000000350ee0 +[ 1825.352508] Call Trace: +[ 1825.352544] nf_ct_helper_ext_add+0x10/0x60 [nf_conntrack] +[ 1825.352641] nft_ct_expect_obj_eval+0x1b8/0x1e0 [nft_ct] +[ 1825.352716] nft_do_chain+0x232/0x850 [nf_tables] + +Add the ct helper extension only for unconfirmed conntrack. Skip rule +evaluation if the ct helper extension does not exist. Thus, you can +only create expectations from the first packet. + +It should be possible to remove this limitation by adding a new action +to attach a generic ct helper to the first packet. Then, use this ct +helper extension from follow up packets to create the ct expectation. + +While at it, add a missing check to skip the template conntrack too +and remove check for IPCT_UNTRACK which is implicit to !ct. + +Fixes: 857b46027d6f ("netfilter: nft_ct: add ct expectations support") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_ct.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c +index 882fe8648653..6d2b382f5e07 100644 +--- a/net/netfilter/nft_ct.c ++++ b/net/netfilter/nft_ct.c +@@ -1216,7 +1216,7 @@ static void nft_ct_expect_obj_eval(struct nft_object *obj, + struct nf_conn *ct; + + ct = nf_ct_get(pkt->skb, &ctinfo); +- if (!ct || ctinfo == IP_CT_UNTRACKED) { ++ if (!ct || nf_ct_is_confirmed(ct) || nf_ct_is_template(ct)) { + regs->verdict.code = NFT_BREAK; + return; + } +-- +2.30.2 + diff --git a/queue-5.12/nvme-rdma-fix-in-casule-data-send-for-chained-sgls.patch b/queue-5.12/nvme-rdma-fix-in-casule-data-send-for-chained-sgls.patch new file mode 100644 index 00000000000..f206b1db1ab --- /dev/null +++ b/queue-5.12/nvme-rdma-fix-in-casule-data-send-for-chained-sgls.patch @@ -0,0 +1,54 @@ +From 397d1cbbd0a2e192c0511e93f1a5b56f7c2f83c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 May 2021 18:16:38 -0700 +Subject: nvme-rdma: fix in-casule data send for chained sgls + +From: Sagi Grimberg + +[ Upstream commit 12b2aaadb6d5ef77434e8db21f469f46fe2d392e ] + +We have only 2 inline sg entries and we allow 4 sg entries for the send +wr sge. Larger sgls entries will be chained. However when we build +in-capsule send wr sge, we iterate without taking into account that the +sgl may be chained and still fit in-capsule (which can happen if the sgl +is bigger than 2, but lower-equal to 4). + +Fix in-capsule data mapping to correctly iterate chained sgls. + +Fixes: 38e1800275d3 ("nvme-rdma: Avoid preallocating big SGL for data") +Reported-by: Walker, Benjamin +Signed-off-by: Sagi Grimberg +Reviewed-by: Max Gurtovoy +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/rdma.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/nvme/host/rdma.c b/drivers/nvme/host/rdma.c +index be905d4fdb47..ce8b3ce7582b 100644 +--- a/drivers/nvme/host/rdma.c ++++ b/drivers/nvme/host/rdma.c +@@ -1319,16 +1319,17 @@ static int nvme_rdma_map_sg_inline(struct nvme_rdma_queue *queue, + int count) + { + struct nvme_sgl_desc *sg = &c->common.dptr.sgl; +- struct scatterlist *sgl = req->data_sgl.sg_table.sgl; + struct ib_sge *sge = &req->sge[1]; ++ struct scatterlist *sgl; + u32 len = 0; + int i; + +- for (i = 0; i < count; i++, sgl++, sge++) { ++ for_each_sg(req->data_sgl.sg_table.sgl, sgl, count, i) { + sge->addr = sg_dma_address(sgl); + sge->length = sg_dma_len(sgl); + sge->lkey = queue->device->pd->local_dma_lkey; + len += sge->length; ++ sge++; + } + + sg->addr = cpu_to_le64(queue->ctrl->ctrl.icdoff); +-- +2.30.2 + diff --git a/queue-5.12/nvmet-fix-freeing-unallocated-p2pmem.patch b/queue-5.12/nvmet-fix-freeing-unallocated-p2pmem.patch new file mode 100644 index 00000000000..71c07a5ae3c --- /dev/null +++ b/queue-5.12/nvmet-fix-freeing-unallocated-p2pmem.patch @@ -0,0 +1,120 @@ +From 059edb070d9e17ab5a9c93dd661d337f51a65425 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Jun 2021 19:22:05 +0300 +Subject: nvmet: fix freeing unallocated p2pmem + +From: Max Gurtovoy + +[ Upstream commit bcd9a0797d73eeff659582f23277e7ab6e5f18f3 ] + +In case p2p device was found but the p2p pool is empty, the nvme target +is still trying to free the sgl from the p2p pool instead of the +regular sgl pool and causing a crash (BUG() is called). Instead, assign +the p2p_dev for the request only if it was allocated from p2p pool. + +This is the crash that was caused: + +[Sun May 30 19:13:53 2021] ------------[ cut here ]------------ +[Sun May 30 19:13:53 2021] kernel BUG at lib/genalloc.c:518! +[Sun May 30 19:13:53 2021] invalid opcode: 0000 [#1] SMP PTI +... +[Sun May 30 19:13:53 2021] kernel BUG at lib/genalloc.c:518! +... +[Sun May 30 19:13:53 2021] RIP: 0010:gen_pool_free_owner+0xa8/0xb0 +... +[Sun May 30 19:13:53 2021] Call Trace: +[Sun May 30 19:13:53 2021] ------------[ cut here ]------------ +[Sun May 30 19:13:53 2021] pci_free_p2pmem+0x2b/0x70 +[Sun May 30 19:13:53 2021] pci_p2pmem_free_sgl+0x4f/0x80 +[Sun May 30 19:13:53 2021] nvmet_req_free_sgls+0x1e/0x80 [nvmet] +[Sun May 30 19:13:53 2021] kernel BUG at lib/genalloc.c:518! +[Sun May 30 19:13:53 2021] nvmet_rdma_release_rsp+0x4e/0x1f0 [nvmet_rdma] +[Sun May 30 19:13:53 2021] nvmet_rdma_send_done+0x1c/0x60 [nvmet_rdma] + +Fixes: c6e3f1339812 ("nvmet: add metadata support for block devices") +Reviewed-by: Israel Rukshin +Signed-off-by: Max Gurtovoy +Reviewed-by: Logan Gunthorpe +Reviewed-by: Chaitanya Kulkarni +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/core.c | 33 ++++++++++++++++----------------- + 1 file changed, 16 insertions(+), 17 deletions(-) + +diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c +index 348057fdc568..7d16cb4cd8ac 100644 +--- a/drivers/nvme/target/core.c ++++ b/drivers/nvme/target/core.c +@@ -999,19 +999,23 @@ static unsigned int nvmet_data_transfer_len(struct nvmet_req *req) + return req->transfer_len - req->metadata_len; + } + +-static int nvmet_req_alloc_p2pmem_sgls(struct nvmet_req *req) ++static int nvmet_req_alloc_p2pmem_sgls(struct pci_dev *p2p_dev, ++ struct nvmet_req *req) + { +- req->sg = pci_p2pmem_alloc_sgl(req->p2p_dev, &req->sg_cnt, ++ req->sg = pci_p2pmem_alloc_sgl(p2p_dev, &req->sg_cnt, + nvmet_data_transfer_len(req)); + if (!req->sg) + goto out_err; + + if (req->metadata_len) { +- req->metadata_sg = pci_p2pmem_alloc_sgl(req->p2p_dev, ++ req->metadata_sg = pci_p2pmem_alloc_sgl(p2p_dev, + &req->metadata_sg_cnt, req->metadata_len); + if (!req->metadata_sg) + goto out_free_sg; + } ++ ++ req->p2p_dev = p2p_dev; ++ + return 0; + out_free_sg: + pci_p2pmem_free_sgl(req->p2p_dev, req->sg); +@@ -1019,25 +1023,19 @@ out_err: + return -ENOMEM; + } + +-static bool nvmet_req_find_p2p_dev(struct nvmet_req *req) ++static struct pci_dev *nvmet_req_find_p2p_dev(struct nvmet_req *req) + { +- if (!IS_ENABLED(CONFIG_PCI_P2PDMA)) +- return false; +- +- if (req->sq->ctrl && req->sq->qid && req->ns) { +- req->p2p_dev = radix_tree_lookup(&req->sq->ctrl->p2p_ns_map, +- req->ns->nsid); +- if (req->p2p_dev) +- return true; +- } +- +- req->p2p_dev = NULL; +- return false; ++ if (!IS_ENABLED(CONFIG_PCI_P2PDMA) || ++ !req->sq->ctrl || !req->sq->qid || !req->ns) ++ return NULL; ++ return radix_tree_lookup(&req->sq->ctrl->p2p_ns_map, req->ns->nsid); + } + + int nvmet_req_alloc_sgls(struct nvmet_req *req) + { +- if (nvmet_req_find_p2p_dev(req) && !nvmet_req_alloc_p2pmem_sgls(req)) ++ struct pci_dev *p2p_dev = nvmet_req_find_p2p_dev(req); ++ ++ if (p2p_dev && !nvmet_req_alloc_p2pmem_sgls(p2p_dev, req)) + return 0; + + req->sg = sgl_alloc(nvmet_data_transfer_len(req), GFP_KERNEL, +@@ -1066,6 +1064,7 @@ void nvmet_req_free_sgls(struct nvmet_req *req) + pci_p2pmem_free_sgl(req->p2p_dev, req->sg); + if (req->metadata_sg) + pci_p2pmem_free_sgl(req->p2p_dev, req->metadata_sg); ++ req->p2p_dev = NULL; + } else { + sgl_free(req->sg); + if (req->metadata_sg) +-- +2.30.2 + diff --git a/queue-5.12/perf-probe-fix-null-pointer-dereference-in-convert_v.patch b/queue-5.12/perf-probe-fix-null-pointer-dereference-in-convert_v.patch new file mode 100644 index 00000000000..817ddddc959 --- /dev/null +++ b/queue-5.12/perf-probe-fix-null-pointer-dereference-in-convert_v.patch @@ -0,0 +1,130 @@ +From 7ff39dfbb5e095b9734a75a11e4026f24b75f065 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Jun 2021 17:27:50 +0800 +Subject: perf probe: Fix NULL pointer dereference in + convert_variable_location() + +From: Li Huafei + +[ Upstream commit 3cb17cce1e76ccc5499915a4d7e095a1ad6bf7ff ] + +If we just check whether the variable can be converted, 'tvar' should be +a null pointer. However, the null pointer check is missing in the +'Constant value' execution path. + +The following cases can trigger this problem: + + $ cat test.c + #include + + void main(void) + { + int a; + const int b = 1; + + asm volatile("mov %1, %0" : "=r"(a): "i"(b)); + printf("a: %d\n", a); + } + + $ gcc test.c -o test -O -g + $ sudo ./perf probe -x ./test -L "main" + + 0 void main(void) + { + 2 int a; + const int b = 1; + + asm volatile("mov %1, %0" : "=r"(a): "i"(b)); + 6 printf("a: %d\n", a); + } + + $ sudo ./perf probe -x ./test -V "main:6" + Segmentation fault + +The check on 'tvar' is added. If 'tavr' is a null pointer, we return 0 +to indicate that the variable can be converted. Now, we can successfully +show the variables that can be accessed. + + $ sudo ./perf probe -x ./test -V "main:6" + Available variables at main:6 + @ + char* __fmt + int a + int b + +However, the variable 'b' cannot be tracked. + + $ sudo ./perf probe -x ./test -D "main:6 b" + Failed to find the location of the 'b' variable at this address. + Perhaps it has been optimized out. + Use -V with the --range option to show 'b' location range. + Error: Failed to add events. + +This is because __die_find_variable_cb() did not successfully match +variable 'b', which has the DW_AT_const_value attribute instead of +DW_AT_location. We added support for DW_AT_const_value in +__die_find_variable_cb(). With this modification, we can successfully +track the variable 'b'. + + $ sudo ./perf probe -x ./test -D "main:6 b" + p:probe_test/main_L6 /home/lhf/test:0x1156 b=\1:s32 + +Fixes: 66f69b219716 ("perf probe: Support DW_AT_const_value constant value") +Signed-off-by: Li Huafei +Tested-by: Arnaldo Carvalho de Melo +Cc: Alexander Shishkin +Cc: Frank Ch. Eigler +Cc: Jianlin Lv +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Masami Hiramatsu +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Srikar Dronamraju +Cc: Yang Jihong +Cc: Zhang Jinhao +http://lore.kernel.org/lkml/20210601092750.169601-1-lihuafei1@huawei.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/dwarf-aux.c | 8 ++++++-- + tools/perf/util/probe-finder.c | 3 +++ + 2 files changed, 9 insertions(+), 2 deletions(-) + +diff --git a/tools/perf/util/dwarf-aux.c b/tools/perf/util/dwarf-aux.c +index 7b2d471a6419..4343356f3cf9 100644 +--- a/tools/perf/util/dwarf-aux.c ++++ b/tools/perf/util/dwarf-aux.c +@@ -975,9 +975,13 @@ static int __die_find_variable_cb(Dwarf_Die *die_mem, void *data) + if ((tag == DW_TAG_formal_parameter || + tag == DW_TAG_variable) && + die_compare_name(die_mem, fvp->name) && +- /* Does the DIE have location information or external instance? */ ++ /* ++ * Does the DIE have location information or const value ++ * or external instance? ++ */ + (dwarf_attr(die_mem, DW_AT_external, &attr) || +- dwarf_attr(die_mem, DW_AT_location, &attr))) ++ dwarf_attr(die_mem, DW_AT_location, &attr) || ++ dwarf_attr(die_mem, DW_AT_const_value, &attr))) + return DIE_FIND_CB_END; + if (dwarf_haspc(die_mem, fvp->addr)) + return DIE_FIND_CB_CONTINUE; +diff --git a/tools/perf/util/probe-finder.c b/tools/perf/util/probe-finder.c +index 1b118c9c86a6..bba61b95a37a 100644 +--- a/tools/perf/util/probe-finder.c ++++ b/tools/perf/util/probe-finder.c +@@ -190,6 +190,9 @@ static int convert_variable_location(Dwarf_Die *vr_die, Dwarf_Addr addr, + immediate_value_is_supported()) { + Dwarf_Sword snum; + ++ if (!tvar) ++ return 0; ++ + dwarf_formsdata(&attr, &snum); + ret = asprintf(&tvar->value, "\\%ld", (long)snum); + +-- +2.30.2 + diff --git a/queue-5.12/samples-vfio-mdev-fix-error-handing-in-mdpy_fb_probe.patch b/queue-5.12/samples-vfio-mdev-fix-error-handing-in-mdpy_fb_probe.patch new file mode 100644 index 00000000000..18a341d28a8 --- /dev/null +++ b/queue-5.12/samples-vfio-mdev-fix-error-handing-in-mdpy_fb_probe.patch @@ -0,0 +1,62 @@ +From bae7b85931cfe7ae94d9d54fc4caf829583544d9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 May 2021 13:36:41 +0000 +Subject: samples: vfio-mdev: fix error handing in mdpy_fb_probe() + +From: Wei Yongjun + +[ Upstream commit 752774ce7793a1f8baa55aae31f3b4caac49cbe4 ] + +Fix to return a negative error code from the framebuffer_alloc() error +handling case instead of 0, also release regions in some error handing +cases. + +Fixes: cacade1946a4 ("sample: vfio mdev display - guest driver") +Reported-by: Hulk Robot +Signed-off-by: Wei Yongjun +Message-Id: <20210520133641.1421378-1-weiyongjun1@huawei.com> +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + samples/vfio-mdev/mdpy-fb.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/samples/vfio-mdev/mdpy-fb.c b/samples/vfio-mdev/mdpy-fb.c +index 21dbf63d6e41..9ec93d90e8a5 100644 +--- a/samples/vfio-mdev/mdpy-fb.c ++++ b/samples/vfio-mdev/mdpy-fb.c +@@ -117,22 +117,27 @@ static int mdpy_fb_probe(struct pci_dev *pdev, + if (format != DRM_FORMAT_XRGB8888) { + pci_err(pdev, "format mismatch (0x%x != 0x%x)\n", + format, DRM_FORMAT_XRGB8888); +- return -EINVAL; ++ ret = -EINVAL; ++ goto err_release_regions; + } + if (width < 100 || width > 10000) { + pci_err(pdev, "width (%d) out of range\n", width); +- return -EINVAL; ++ ret = -EINVAL; ++ goto err_release_regions; + } + if (height < 100 || height > 10000) { + pci_err(pdev, "height (%d) out of range\n", height); +- return -EINVAL; ++ ret = -EINVAL; ++ goto err_release_regions; + } + pci_info(pdev, "mdpy found: %dx%d framebuffer\n", + width, height); + + info = framebuffer_alloc(sizeof(struct mdpy_fb_par), &pdev->dev); +- if (!info) ++ if (!info) { ++ ret = -ENOMEM; + goto err_release_regions; ++ } + pci_set_drvdata(pdev, info); + par = info->par; + +-- +2.30.2 + diff --git a/queue-5.12/sch_htb-fix-refcount-leak-in-htb_parent_to_leaf_offl.patch b/queue-5.12/sch_htb-fix-refcount-leak-in-htb_parent_to_leaf_offl.patch new file mode 100644 index 00000000000..1217ddfccf4 --- /dev/null +++ b/queue-5.12/sch_htb-fix-refcount-leak-in-htb_parent_to_leaf_offl.patch @@ -0,0 +1,63 @@ +From b06d43426fdddd3c5ebef62473119aa22d7515cc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Jun 2021 19:03:18 +0800 +Subject: sch_htb: fix refcount leak in htb_parent_to_leaf_offload + +From: Yunjian Wang + +[ Upstream commit 944d671d5faa0d78980a3da5c0f04960ef1ad893 ] + +The commit ae81feb7338c ("sch_htb: fix null pointer dereference +on a null new_q") fixes a NULL pointer dereference bug, but it +is not correct. + +Because htb_graft_helper properly handles the case when new_q +is NULL, and after the previous patch by skipping this call +which creates an inconsistency : dev_queue->qdisc will still +point to the old qdisc, but cl->parent->leaf.q will point to +the new one (which will be noop_qdisc, because new_q was NULL). +The code is based on an assumption that these two pointers are +the same, so it can lead to refcount leaks. + +The correct fix is to add a NULL pointer check to protect +qdisc_refcount_inc inside htb_parent_to_leaf_offload. + +Fixes: ae81feb7338c ("sch_htb: fix null pointer dereference on a null new_q") +Signed-off-by: Yunjian Wang +Suggested-by: Maxim Mikityanskiy +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sched/sch_htb.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/sched/sch_htb.c b/net/sched/sch_htb.c +index 081c11d5717c..8827987ba903 100644 +--- a/net/sched/sch_htb.c ++++ b/net/sched/sch_htb.c +@@ -1488,7 +1488,8 @@ static void htb_parent_to_leaf_offload(struct Qdisc *sch, + struct Qdisc *old_q; + + /* One ref for cl->leaf.q, the other for dev_queue->qdisc. */ +- qdisc_refcount_inc(new_q); ++ if (new_q) ++ qdisc_refcount_inc(new_q); + old_q = htb_graft_helper(dev_queue, new_q); + WARN_ON(!(old_q->flags & TCQ_F_BUILTIN)); + } +@@ -1675,10 +1676,9 @@ static int htb_delete(struct Qdisc *sch, unsigned long arg, + cl->parent->common.classid, + NULL); + if (q->offload) { +- if (new_q) { ++ if (new_q) + htb_set_lockdep_class_child(new_q); +- htb_parent_to_leaf_offload(sch, dev_queue, new_q); +- } ++ htb_parent_to_leaf_offload(sch, dev_queue, new_q); + } + } + +-- +2.30.2 + diff --git a/queue-5.12/series b/queue-5.12/series new file mode 100644 index 00000000000..3963813402b --- /dev/null +++ b/queue-5.12/series @@ -0,0 +1,65 @@ +mt76-mt7921-add-rcu-section-in-mt7921_mcu_tx_rate_re.patch +mt76-mt7921-fix-possible-aoob-issue-in-mt7921_mcu_tx.patch +mt76-mt76x0e-fix-device-hang-during-suspend-resume.patch +hwmon-dell-smm-hwmon-fix-index-values.patch +hwmon-pmbus-isl68137-remove-read_temperature_3-for-r.patch +netfilter-conntrack-unregister-ipv4-sockopts-on-erro.patch +efi-fdt-fix-panic-when-no-valid-fdt-found.patch +efi-allow-efi_memory_xp-and-efi_memory_ro-both-to-be.patch +efi-libstub-prevent-read-overflow-in-find_file_optio.patch +efi-cper-fix-snprintf-use-in-cper_dimm_err_location.patch +vfio-pci-fix-error-return-code-in-vfio_ecap_init.patch +vfio-pci-zap_vma_ptes-needs-mmu.patch +samples-vfio-mdev-fix-error-handing-in-mdpy_fb_probe.patch +vfio-platform-fix-module_put-call-in-error-flow.patch +ipvs-ignore-ip_vs_svc_f_hashed-flag-when-adding-serv.patch +hid-logitech-hidpp-initialize-level-variable.patch +hid-pidff-fix-error-return-code-in-hid_pidff_init.patch +hid-amd_sfh-fix-memory-leak-in-amd_sfh_work.patch +hid-i2c-hid-fix-format-string-mismatch.patch +kbuild-quote-objcopy-var-to-avoid-a-pahole-call-brea.patch +devlink-correct-virtual-port-to-not-have-phys_port-a.patch +net-sched-act_ct-offload-connections-with-commit-act.patch +net-sched-act_ct-fix-ct-template-allocation-for-zone.patch +mptcp-fix-sk_forward_memory-corruption-on-retransmis.patch +mptcp-always-parse-mptcp-options-for-mpc-reqsk.patch +mptcp-do-not-reset-mp_capable-subflow-on-mapping-err.patch +nvme-rdma-fix-in-casule-data-send-for-chained-sgls.patch +acpica-clean-up-context-mutex-during-object-deletion.patch +perf-probe-fix-null-pointer-dereference-in-convert_v.patch +net-dsa-tag_8021q-fix-the-vlan-ids-used-for-encoding.patch +net-sock-fix-in-kernel-mark-setting.patch +net-tls-replace-tls_rx_sync_running-with-rcu.patch +net-tls-fix-use-after-free-after-the-tls-device-goes.patch +net-mlx5e-fix-incompatible-casting.patch +net-mlx5-check-firmware-sync-reset-requested-is-set-.patch +net-mlx5e-check-for-needed-capability-for-cvlan-matc.patch +net-mlx5e-fix-adding-encap-rules-to-slow-path.patch +net-mlx5-dr-create-multi-destination-flow-table-with.patch +nvmet-fix-freeing-unallocated-p2pmem.patch +netfilter-nft_ct-skip-expectations-for-confirmed-con.patch +netfilter-nfnetlink_cthelper-hit-ebusy-on-updates-if.patch +drm-i915-selftests-fix-return-value-check-in-live_br.patch +bpf-lockdown-audit-fix-buggy-selinux-lockdown-permis.patch +ieee802154-fix-error-return-code-in-ieee802154_add_i.patch +ieee802154-fix-error-return-code-in-ieee802154_llsec.patch +igb-fix-xdp-with-ptp-enabled.patch +igb-add-correct-exception-tracing-for-xdp.patch +ixgbevf-add-correct-exception-tracing-for-xdp.patch +ice-track-af_xdp-zc-enabled-queues-in-bitmap.patch +cxgb4-fix-regression-with-hash-tc-prio-value-update.patch +ipv6-fix-kasan-slab-out-of-bounds-read-in-fib6_nh_fl.patch +ice-fix-allowing-vf-to-request-more-less-queues-via-.patch +ice-fix-vfr-issues-for-avf-drivers-that-expect-atqle.patch +ice-handle-the-vf-vsi-rebuild-failure.patch +ice-report-supported-and-advertised-autoneg-using-ph.patch +ice-allow-all-lldp-packets-from-pf-to-tx.patch +i2c-qcom-geni-add-shutdown-callback-for-i2c.patch +sch_htb-fix-refcount-leak-in-htb_parent_to_leaf_offl.patch +cxgb4-avoid-link-re-train-during-tc-mqprio-configura.patch +i40e-optimize-for-xdp_redirect-in-xsk-path.patch +i40e-add-correct-exception-tracing-for-xdp.patch +ice-optimize-for-xdp_redirect-in-xsk-path.patch +ice-add-correct-exception-tracing-for-xdp.patch +ixgbe-optimize-for-xdp_redirect-in-xsk-path.patch +ixgbe-add-correct-exception-tracing-for-xdp.patch diff --git a/queue-5.12/vfio-pci-fix-error-return-code-in-vfio_ecap_init.patch b/queue-5.12/vfio-pci-fix-error-return-code-in-vfio_ecap_init.patch new file mode 100644 index 00000000000..6806e33b626 --- /dev/null +++ b/queue-5.12/vfio-pci-fix-error-return-code-in-vfio_ecap_init.patch @@ -0,0 +1,39 @@ +From c1d8026a93503f292dba877473e4735d8bbef48e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 15 May 2021 10:04:58 +0800 +Subject: vfio/pci: Fix error return code in vfio_ecap_init() + +From: Zhen Lei + +[ Upstream commit d1ce2c79156d3baf0830990ab06d296477b93c26 ] + +The error code returned from vfio_ext_cap_len() is stored in 'len', not +in 'ret'. + +Fixes: 89e1f7d4c66d ("vfio: Add PCI device driver") +Reported-by: Hulk Robot +Signed-off-by: Zhen Lei +Reviewed-by: Max Gurtovoy +Message-Id: <20210515020458.6771-1-thunder.leizhen@huawei.com> +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + drivers/vfio/pci/vfio_pci_config.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/vfio/pci/vfio_pci_config.c b/drivers/vfio/pci/vfio_pci_config.c +index a402adee8a21..47f21a6ca7fe 100644 +--- a/drivers/vfio/pci/vfio_pci_config.c ++++ b/drivers/vfio/pci/vfio_pci_config.c +@@ -1581,7 +1581,7 @@ static int vfio_ecap_init(struct vfio_pci_device *vdev) + if (len == 0xFF) { + len = vfio_ext_cap_len(vdev, ecap, epos); + if (len < 0) +- return ret; ++ return len; + } + } + +-- +2.30.2 + diff --git a/queue-5.12/vfio-pci-zap_vma_ptes-needs-mmu.patch b/queue-5.12/vfio-pci-zap_vma_ptes-needs-mmu.patch new file mode 100644 index 00000000000..5aaf56efc6a --- /dev/null +++ b/queue-5.12/vfio-pci-zap_vma_ptes-needs-mmu.patch @@ -0,0 +1,48 @@ +From 11b8a562f3fbdfeabf5cde52a415319e481ef7b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 15 May 2021 12:08:56 -0700 +Subject: vfio/pci: zap_vma_ptes() needs MMU + +From: Randy Dunlap + +[ Upstream commit 2a55ca37350171d9b43d561528f23d4130097255 ] + +zap_vma_ptes() is only available when CONFIG_MMU is set/enabled. +Without CONFIG_MMU, vfio_pci.o has build errors, so make +VFIO_PCI depend on MMU. + +riscv64-linux-ld: drivers/vfio/pci/vfio_pci.o: in function `vfio_pci_mmap_open': +vfio_pci.c:(.text+0x1ec): undefined reference to `zap_vma_ptes' +riscv64-linux-ld: drivers/vfio/pci/vfio_pci.o: in function `.L0 ': +vfio_pci.c:(.text+0x165c): undefined reference to `zap_vma_ptes' + +Fixes: 11c4cd07ba11 ("vfio-pci: Fault mmaps to enable vma tracking") +Signed-off-by: Randy Dunlap +Reported-by: kernel test robot +Cc: Alex Williamson +Cc: Cornelia Huck +Cc: kvm@vger.kernel.org +Cc: Jason Gunthorpe +Cc: Eric Auger +Message-Id: <20210515190856.2130-1-rdunlap@infradead.org> +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + drivers/vfio/pci/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/vfio/pci/Kconfig b/drivers/vfio/pci/Kconfig +index 4abddbebd4b2..c691127bc805 100644 +--- a/drivers/vfio/pci/Kconfig ++++ b/drivers/vfio/pci/Kconfig +@@ -2,6 +2,7 @@ + config VFIO_PCI + tristate "VFIO support for PCI devices" + depends on VFIO && PCI && EVENTFD ++ depends on MMU + select VFIO_VIRQFD + select IRQ_BYPASS_MANAGER + help +-- +2.30.2 + diff --git a/queue-5.12/vfio-platform-fix-module_put-call-in-error-flow.patch b/queue-5.12/vfio-platform-fix-module_put-call-in-error-flow.patch new file mode 100644 index 00000000000..f6654b9ac87 --- /dev/null +++ b/queue-5.12/vfio-platform-fix-module_put-call-in-error-flow.patch @@ -0,0 +1,37 @@ +From b261398111b9d8f03a65b8b2e4e78bed6199c0f0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 May 2021 22:21:31 +0300 +Subject: vfio/platform: fix module_put call in error flow + +From: Max Gurtovoy + +[ Upstream commit dc51ff91cf2d1e9a2d941da483602f71d4a51472 ] + +The ->parent_module is the one that use in try_module_get. It should +also be the one the we use in module_put during vfio_platform_open(). + +Fixes: 32a2d71c4e80 ("vfio: platform: introduce vfio-platform-base module") +Signed-off-by: Max Gurtovoy +Message-Id: <20210518192133.59195-1-mgurtovoy@nvidia.com> +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + drivers/vfio/platform/vfio_platform_common.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/vfio/platform/vfio_platform_common.c b/drivers/vfio/platform/vfio_platform_common.c +index fb4b385191f2..e83a7cd15c95 100644 +--- a/drivers/vfio/platform/vfio_platform_common.c ++++ b/drivers/vfio/platform/vfio_platform_common.c +@@ -289,7 +289,7 @@ err_irq: + vfio_platform_regions_cleanup(vdev); + err_reg: + mutex_unlock(&driver_lock); +- module_put(THIS_MODULE); ++ module_put(vdev->parent_module); + return ret; + } + +-- +2.30.2 +