From: Sasha Levin Date: Sat, 28 Oct 2023 02:53:53 +0000 (-0400) Subject: Fixes for 4.19 X-Git-Tag: v6.1.61~63 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a5b97a71288932ce55c1a301dee019e54f799291;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.19 Signed-off-by: Sasha Levin --- diff --git a/queue-4.19/igb-fix-potential-memory-leak-in-igb_add_ethtool_nfc.patch b/queue-4.19/igb-fix-potential-memory-leak-in-igb_add_ethtool_nfc.patch new file mode 100644 index 00000000000..f7a5e2d765e --- /dev/null +++ b/queue-4.19/igb-fix-potential-memory-leak-in-igb_add_ethtool_nfc.patch @@ -0,0 +1,47 @@ +From d239ec3c54306dc45bbe43eced045e79d4785235 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Oct 2023 13:40:35 -0700 +Subject: igb: Fix potential memory leak in igb_add_ethtool_nfc_entry + +From: Mateusz Palczewski + +[ Upstream commit 8c0b48e01daba5ca58f939a8425855d3f4f2ed14 ] + +Add check for return of igb_update_ethtool_nfc_entry so that in case +of any potential errors the memory alocated for input will be freed. + +Fixes: 0e71def25281 ("igb: add support of RX network flow classification") +Reviewed-by: Wojciech Drewek +Signed-off-by: Mateusz Palczewski +Tested-by: Arpana Arland (A Contingent worker at Intel) +Signed-off-by: Jacob Keller +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/igb_ethtool.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/igb/igb_ethtool.c b/drivers/net/ethernet/intel/igb/igb_ethtool.c +index e19fbdf2ff304..f714c85c36c50 100644 +--- a/drivers/net/ethernet/intel/igb/igb_ethtool.c ++++ b/drivers/net/ethernet/intel/igb/igb_ethtool.c +@@ -2994,11 +2994,15 @@ static int igb_add_ethtool_nfc_entry(struct igb_adapter *adapter, + if (err) + goto err_out_w_lock; + +- igb_update_ethtool_nfc_entry(adapter, input, input->sw_idx); ++ err = igb_update_ethtool_nfc_entry(adapter, input, input->sw_idx); ++ if (err) ++ goto err_out_input_filter; + + spin_unlock(&adapter->nfc_lock); + return 0; + ++err_out_input_filter: ++ igb_erase_filter(adapter, input); + err_out_w_lock: + spin_unlock(&adapter->nfc_lock); + err_out: +-- +2.42.0 + diff --git a/queue-4.19/r8169-fix-the-kcsan-reported-data-race-in-rtl_rx-whi.patch b/queue-4.19/r8169-fix-the-kcsan-reported-data-race-in-rtl_rx-whi.patch new file mode 100644 index 00000000000..121c198a566 --- /dev/null +++ b/queue-4.19/r8169-fix-the-kcsan-reported-data-race-in-rtl_rx-whi.patch @@ -0,0 +1,105 @@ +From 7bb586793f3df57353817891ce4f95b0336ac956 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Oct 2023 21:34:38 +0200 +Subject: r8169: fix the KCSAN reported data race in rtl_rx while reading + desc->opts1 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mirsad Goran Todorovac + +[ Upstream commit f97eee484e71890131f9c563c5cc6d5a69e4308d ] + +KCSAN reported the following data-race bug: + +================================================================== +BUG: KCSAN: data-race in rtl8169_poll (drivers/net/ethernet/realtek/r8169_main.c:4430 drivers/net/ethernet/realtek/r8169_main.c:4583) r8169 + +race at unknown origin, with read to 0xffff888117e43510 of 4 bytes by interrupt on cpu 21: +rtl8169_poll (drivers/net/ethernet/realtek/r8169_main.c:4430 drivers/net/ethernet/realtek/r8169_main.c:4583) r8169 +__napi_poll (net/core/dev.c:6527) +net_rx_action (net/core/dev.c:6596 net/core/dev.c:6727) +__do_softirq (kernel/softirq.c:553) +__irq_exit_rcu (kernel/softirq.c:427 kernel/softirq.c:632) +irq_exit_rcu (kernel/softirq.c:647) +sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1074 (discriminator 14)) +asm_sysvec_apic_timer_interrupt (./arch/x86/include/asm/idtentry.h:645) +cpuidle_enter_state (drivers/cpuidle/cpuidle.c:291) +cpuidle_enter (drivers/cpuidle/cpuidle.c:390) +call_cpuidle (kernel/sched/idle.c:135) +do_idle (kernel/sched/idle.c:219 kernel/sched/idle.c:282) +cpu_startup_entry (kernel/sched/idle.c:378 (discriminator 1)) +start_secondary (arch/x86/kernel/smpboot.c:210 arch/x86/kernel/smpboot.c:294) +secondary_startup_64_no_verify (arch/x86/kernel/head_64.S:433) + +value changed: 0x80003fff -> 0x3402805f + +Reported by Kernel Concurrency Sanitizer on: +CPU: 21 PID: 0 Comm: swapper/21 Tainted: G L 6.6.0-rc2-kcsan-00143-gb5cbe7c00aa0 #41 +Hardware name: ASRock X670E PG Lightning/X670E PG Lightning, BIOS 1.21 04/26/2023 +================================================================== + +drivers/net/ethernet/realtek/r8169_main.c: +========================================== + 4429 + → 4430 status = le32_to_cpu(desc->opts1); + 4431 if (status & DescOwn) + 4432 break; + 4433 + 4434 /* This barrier is needed to keep us from reading + 4435 * any other fields out of the Rx descriptor until + 4436 * we know the status of DescOwn + 4437 */ + 4438 dma_rmb(); + 4439 + 4440 if (unlikely(status & RxRES)) { + 4441 if (net_ratelimit()) + 4442 netdev_warn(dev, "Rx ERROR. status = %08x\n", + +Marco Elver explained that dma_rmb() doesn't prevent the compiler to tear up the access to +desc->opts1 which can be written to concurrently. READ_ONCE() should prevent that from +happening: + + 4429 + → 4430 status = le32_to_cpu(READ_ONCE(desc->opts1)); + 4431 if (status & DescOwn) + 4432 break; + 4433 + +As the consequence of this fix, this KCSAN warning was eliminated. + +Fixes: 6202806e7c03a ("r8169: drop member opts1_mask from struct rtl8169_private") +Suggested-by: Marco Elver +Cc: Heiner Kallweit +Cc: nic_swsd@realtek.com +Cc: "David S. Miller" +Cc: Eric Dumazet +Cc: Jakub Kicinski +Cc: Paolo Abeni +Cc: netdev@vger.kernel.org +Link: https://lore.kernel.org/lkml/dc7fc8fa-4ea4-e9a9-30a6-7c83e6b53188@alu.unizg.hr/ +Signed-off-by: Mirsad Goran Todorovac +Acked-by: Marco Elver +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/realtek/r8169_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c +index b7bba00ab4587..92875a935eb13 100644 +--- a/drivers/net/ethernet/realtek/r8169_main.c ++++ b/drivers/net/ethernet/realtek/r8169_main.c +@@ -6541,7 +6541,7 @@ static int rtl_rx(struct net_device *dev, struct rtl8169_private *tp, u32 budget + struct RxDesc *desc = tp->RxDescArray + entry; + u32 status; + +- status = le32_to_cpu(desc->opts1); ++ status = le32_to_cpu(READ_ONCE(desc->opts1)); + if (status & DescOwn) + break; + +-- +2.42.0 + diff --git a/queue-4.19/r8169-fix-the-kcsan-reported-data-race-in-rtl_tx-whi.patch b/queue-4.19/r8169-fix-the-kcsan-reported-data-race-in-rtl_tx-whi.patch new file mode 100644 index 00000000000..5566c7aadc4 --- /dev/null +++ b/queue-4.19/r8169-fix-the-kcsan-reported-data-race-in-rtl_tx-whi.patch @@ -0,0 +1,136 @@ +From 0f121058bb79083e4dc1b9699e0abe912884ac3d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Oct 2023 21:34:36 +0200 +Subject: r8169: fix the KCSAN reported data-race in rtl_tx while reading + TxDescArray[entry].opts1 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mirsad Goran Todorovac + +[ Upstream commit dcf75a0f6bc136de94e88178ae5f51b7f879abc9 ] + +KCSAN reported the following data-race: + +================================================================== +BUG: KCSAN: data-race in rtl8169_poll (drivers/net/ethernet/realtek/r8169_main.c:4368 drivers/net/ethernet/realtek/r8169_main.c:4581) r8169 + +race at unknown origin, with read to 0xffff888140d37570 of 4 bytes by interrupt on cpu 21: +rtl8169_poll (drivers/net/ethernet/realtek/r8169_main.c:4368 drivers/net/ethernet/realtek/r8169_main.c:4581) r8169 +__napi_poll (net/core/dev.c:6527) +net_rx_action (net/core/dev.c:6596 net/core/dev.c:6727) +__do_softirq (kernel/softirq.c:553) +__irq_exit_rcu (kernel/softirq.c:427 kernel/softirq.c:632) +irq_exit_rcu (kernel/softirq.c:647) +sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1074 (discriminator 14)) +asm_sysvec_apic_timer_interrupt (./arch/x86/include/asm/idtentry.h:645) +cpuidle_enter_state (drivers/cpuidle/cpuidle.c:291) +cpuidle_enter (drivers/cpuidle/cpuidle.c:390) +call_cpuidle (kernel/sched/idle.c:135) +do_idle (kernel/sched/idle.c:219 kernel/sched/idle.c:282) +cpu_startup_entry (kernel/sched/idle.c:378 (discriminator 1)) +start_secondary (arch/x86/kernel/smpboot.c:210 arch/x86/kernel/smpboot.c:294) +secondary_startup_64_no_verify (arch/x86/kernel/head_64.S:433) + +value changed: 0xb0000042 -> 0x00000000 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 21 PID: 0 Comm: swapper/21 Tainted: G L 6.6.0-rc2-kcsan-00143-gb5cbe7c00aa0 #41 +Hardware name: ASRock X670E PG Lightning/X670E PG Lightning, BIOS 1.21 04/26/2023 +================================================================== + +The read side is in + +drivers/net/ethernet/realtek/r8169_main.c +========================================= + 4355 static void rtl_tx(struct net_device *dev, struct rtl8169_private *tp, + 4356 int budget) + 4357 { + 4358 unsigned int dirty_tx, bytes_compl = 0, pkts_compl = 0; + 4359 struct sk_buff *skb; + 4360 + 4361 dirty_tx = tp->dirty_tx; + 4362 + 4363 while (READ_ONCE(tp->cur_tx) != dirty_tx) { + 4364 unsigned int entry = dirty_tx % NUM_TX_DESC; + 4365 u32 status; + 4366 + → 4367 status = le32_to_cpu(tp->TxDescArray[entry].opts1); + 4368 if (status & DescOwn) + 4369 break; + 4370 + 4371 skb = tp->tx_skb[entry].skb; + 4372 rtl8169_unmap_tx_skb(tp, entry); + 4373 + 4374 if (skb) { + 4375 pkts_compl++; + 4376 bytes_compl += skb->len; + 4377 napi_consume_skb(skb, budget); + 4378 } + 4379 dirty_tx++; + 4380 } + 4381 + 4382 if (tp->dirty_tx != dirty_tx) { + 4383 dev_sw_netstats_tx_add(dev, pkts_compl, bytes_compl); + 4384 WRITE_ONCE(tp->dirty_tx, dirty_tx); + 4385 + 4386 netif_subqueue_completed_wake(dev, 0, pkts_compl, bytes_compl, + 4387 rtl_tx_slots_avail(tp), + 4388 R8169_TX_START_THRS); + 4389 /* + 4390 * 8168 hack: TxPoll requests are lost when the Tx packets are + 4391 * too close. Let's kick an extra TxPoll request when a burst + 4392 * of start_xmit activity is detected (if it is not detected, + 4393 * it is slow enough). -- FR + 4394 * If skb is NULL then we come here again once a tx irq is + 4395 * triggered after the last fragment is marked transmitted. + 4396 */ + 4397 if (READ_ONCE(tp->cur_tx) != dirty_tx && skb) + 4398 rtl8169_doorbell(tp); + 4399 } + 4400 } + +tp->TxDescArray[entry].opts1 is reported to have a data-race and READ_ONCE() fixes +this KCSAN warning. + + 4366 + → 4367 status = le32_to_cpu(READ_ONCE(tp->TxDescArray[entry].opts1)); + 4368 if (status & DescOwn) + 4369 break; + 4370 + +Cc: Heiner Kallweit +Cc: nic_swsd@realtek.com +Cc: "David S. Miller" +Cc: Eric Dumazet +Cc: Jakub Kicinski +Cc: Paolo Abeni +Cc: Marco Elver +Cc: netdev@vger.kernel.org +Link: https://lore.kernel.org/lkml/dc7fc8fa-4ea4-e9a9-30a6-7c83e6b53188@alu.unizg.hr/ +Signed-off-by: Mirsad Goran Todorovac +Acked-by: Marco Elver +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/realtek/r8169_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c +index 523626f2ffbeb..b7bba00ab4587 100644 +--- a/drivers/net/ethernet/realtek/r8169_main.c ++++ b/drivers/net/ethernet/realtek/r8169_main.c +@@ -6445,7 +6445,7 @@ static void rtl_tx(struct net_device *dev, struct rtl8169_private *tp) + struct ring_info *tx_skb = tp->tx_skb + entry; + u32 status; + +- status = le32_to_cpu(tp->TxDescArray[entry].opts1); ++ status = le32_to_cpu(READ_ONCE(tp->TxDescArray[entry].opts1)); + if (status & DescOwn) + break; + +-- +2.42.0 + diff --git a/queue-4.19/r8169-rename-r8169.c-to-r8169_main.c.patch b/queue-4.19/r8169-rename-r8169.c-to-r8169_main.c.patch new file mode 100644 index 00000000000..28be674b680 --- /dev/null +++ b/queue-4.19/r8169-rename-r8169.c-to-r8169_main.c.patch @@ -0,0 +1,39 @@ +From 959a0f240be8b00169333d0c85a69b9f6327aa9d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Jun 2019 07:59:57 +0200 +Subject: r8169: rename r8169.c to r8169_main.c + +From: Heiner Kallweit + +[ Upstream commit 25e992a4603cd5284127e2a6fda6b05bd58d12ed ] + +In preparation of factoring out firmware handling rename r8169.c to +r8169_main.c. + +Signed-off-by: Heiner Kallweit +Signed-off-by: David S. Miller +Stable-dep-of: dcf75a0f6bc1 ("r8169: fix the KCSAN reported data-race in rtl_tx while reading TxDescArray[entry].opts1") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/realtek/Makefile | 1 + + drivers/net/ethernet/realtek/{r8169.c => r8169_main.c} | 0 + 2 files changed, 1 insertion(+) + rename drivers/net/ethernet/realtek/{r8169.c => r8169_main.c} (100%) + +diff --git a/drivers/net/ethernet/realtek/Makefile b/drivers/net/ethernet/realtek/Makefile +index 71b1da30ecb5b..7f68be4b9f51f 100644 +--- a/drivers/net/ethernet/realtek/Makefile ++++ b/drivers/net/ethernet/realtek/Makefile +@@ -5,4 +5,5 @@ + obj-$(CONFIG_8139CP) += 8139cp.o + obj-$(CONFIG_8139TOO) += 8139too.o + obj-$(CONFIG_ATP) += atp.o ++r8169-objs += r8169_main.o + obj-$(CONFIG_R8169) += r8169.o +diff --git a/drivers/net/ethernet/realtek/r8169.c b/drivers/net/ethernet/realtek/r8169_main.c +similarity index 100% +rename from drivers/net/ethernet/realtek/r8169.c +rename to drivers/net/ethernet/realtek/r8169_main.c +-- +2.42.0 + diff --git a/queue-4.19/series b/queue-4.19/series index 15982864a63..37b035998ff 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -5,3 +5,8 @@ mcb-return-actual-parsed-size-when-reading-chameleon.patch mcb-lpc-reallocate-memory-region-to-avoid-memory-ove.patch virtio_balloon-fix-endless-deflation-and-inflation-on-arm64.patch virtio-mmio-fix-memory-leak-of-vm_dev.patch +r8169-rename-r8169.c-to-r8169_main.c.patch +r8169-fix-the-kcsan-reported-data-race-in-rtl_tx-whi.patch +r8169-fix-the-kcsan-reported-data-race-in-rtl_rx-whi.patch +treewide-spelling-fix-in-comment.patch +igb-fix-potential-memory-leak-in-igb_add_ethtool_nfc.patch diff --git a/queue-4.19/treewide-spelling-fix-in-comment.patch b/queue-4.19/treewide-spelling-fix-in-comment.patch new file mode 100644 index 00000000000..0258b5e6fd2 --- /dev/null +++ b/queue-4.19/treewide-spelling-fix-in-comment.patch @@ -0,0 +1,36 @@ +From 870d76b80cddb99be6f8c9bce1ba264d5805a4af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Oct 2023 17:31:56 +0800 +Subject: treewide: Spelling fix in comment + +From: Kunwu Chan + +[ Upstream commit fb71ba0ed8be9534493c80ba00142a64d9972a72 ] + +reques -> request + +Fixes: 09dde54c6a69 ("PS3: gelic: Add wireless support for PS3") +Signed-off-by: Kunwu Chan +Reviewed-by: Geert Uytterhoeven +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/toshiba/ps3_gelic_wireless.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/toshiba/ps3_gelic_wireless.c b/drivers/net/ethernet/toshiba/ps3_gelic_wireless.c +index 302079e22b06c..186f35b2b182b 100644 +--- a/drivers/net/ethernet/toshiba/ps3_gelic_wireless.c ++++ b/drivers/net/ethernet/toshiba/ps3_gelic_wireless.c +@@ -1232,7 +1232,7 @@ static int gelic_wl_set_encodeext(struct net_device *netdev, + key_index = wl->current_key; + + if (!enc->length && (ext->ext_flags & IW_ENCODE_EXT_SET_TX_KEY)) { +- /* reques to change default key index */ ++ /* request to change default key index */ + pr_debug("%s: request to change default key to %d\n", + __func__, key_index); + wl->current_key = key_index; +-- +2.42.0 +