From: Sasha Levin Date: Mon, 26 Jul 2021 02:40:52 +0000 (-0400) Subject: Fixes for 5.10 X-Git-Tag: v4.4.277~81 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=aa8895e0ec57a288d28274160a87af1b532471f2;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.10 Signed-off-by: Sasha Levin --- diff --git a/queue-5.10/acpi-kconfig-fix-table-override-from-built-in-initrd.patch b/queue-5.10/acpi-kconfig-fix-table-override-from-built-in-initrd.patch new file mode 100644 index 00000000000..a956031fb4b --- /dev/null +++ b/queue-5.10/acpi-kconfig-fix-table-override-from-built-in-initrd.patch 
@@ -0,0 +1,39 @@ +From 0c744631b5e977437ac1b26b4542d53d4adb1f6d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jul 2021 11:26:01 +0200 +Subject: ACPI: Kconfig: Fix table override from built-in initrd + +From: Robert Richter + +[ Upstream commit d2cbbf1fe503c07e466c62f83aa1926d74d15821 ] + +During a rework of initramfs code the INITRAMFS_COMPRESSION config +option was removed in commit 65e00e04e5ae. A leftover as a dependency +broke the config option ACPI_TABLE_OVERRIDE_VIA_ BUILTIN_INITRD that +is used to enable the overriding of ACPI tables from built-in initrd. +Fixing the dependency. + +Fixes: 65e00e04e5ae ("initramfs: refactor the initramfs build rules") +Signed-off-by: Robert Richter +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/acpi/Kconfig b/drivers/acpi/Kconfig +index edf1558c1105..b5ea34c340cc 100644 +--- a/drivers/acpi/Kconfig ++++ b/drivers/acpi/Kconfig +@@ -359,7 +359,7 @@ config ACPI_TABLE_UPGRADE + config ACPI_TABLE_OVERRIDE_VIA_BUILTIN_INITRD + bool "Override ACPI tables from built-in initrd" + depends on ACPI_TABLE_UPGRADE +- depends on INITRAMFS_SOURCE!="" && INITRAMFS_COMPRESSION="" ++ depends on INITRAMFS_SOURCE!="" && INITRAMFS_COMPRESSION_NONE + help + This option provides functionality to override arbitrary ACPI tables + from built-in uncompressed initrd. +-- +2.30.2 + diff --git a/queue-5.10/afs-fix-tracepoint-string-placement-with-built-in-af.patch b/queue-5.10/afs-fix-tracepoint-string-placement-with-built-in-af.patch new file mode 100644 index 00000000000..42fca80b56a --- /dev/null +++ b/queue-5.10/afs-fix-tracepoint-string-placement-with-built-in-af.patch 
@@ -0,0 +1,284 @@ +From 1f34ded5bcf90b2c79f052f2eb3a7d11286621c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Jun 2021 11:57:26 +0100 +Subject: afs: Fix tracepoint string placement with built-in AFS + +From: David Howells + +[ Upstream commit 6c881ca0b3040f3e724eae513117ba4ddef86057 ] + +To quote Alexey[1]: + + I was adding custom tracepoint to the kernel, grabbed full F34 kernel + .config, disabled modules and booted whole shebang as VM kernel. + + Then did + + perf record -a -e ... + + It crashed: + + general protection fault, probably for non-canonical address 0x435f5346592e4243: 0000 [#1] SMP PTI + CPU: 1 PID: 842 Comm: cat Not tainted 5.12.6+ #26 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014 + RIP: 0010:t_show+0x22/0xd0 + + Then reproducer was narrowed to + + # cat /sys/kernel/tracing/printk_formats + + Original F34 kernel with modules didn't crash. + + So I started to disable options and after disabling AFS everything + started working again. + + The root cause is that AFS was placing char arrays content into a + section full of _pointers_ to strings with predictable consequences. + + Non canonical address 435f5346592e4243 is "CB.YFS_" which came from + CM_NAME macro. + + Steps to reproduce: + + CONFIG_AFS=y + CONFIG_TRACING=y + + # cat /sys/kernel/tracing/printk_formats + +Fix this by the following means: + + (1) Add enum->string translation tables in the event header with the AFS + and YFS cache/callback manager operations listed by RPC operation ID. + + (2) Modify the afs_cb_call tracepoint to print the string from the + translation table rather than using the string at the afs_call name + pointer. + + (3) Switch translation table depending on the service we're being accessed + as (AFS or YFS) in the tracepoint print clause. Will this cause + problems to userspace utilities? + + Note that the symbolic representation of the YFS service ID isn't + available to this header, so I've put it in as a number. 
I'm not sure + if this is the best way to do this. + + (4) Remove the name wrangling (CM_NAME) macro and put the names directly + into the afs_call_type structs in cmservice.c. + +Fixes: 8e8d7f13b6d5a9 ("afs: Add some tracepoints") +Reported-by: Alexey Dobriyan (SK hynix) +Signed-off-by: David Howells +Reviewed-by: Steven Rostedt (VMware) +Reviewed-by: Marc Dionne +cc: Andrew Morton +cc: linux-afs@lists.infradead.org +Link: https://lore.kernel.org/r/YLAXfvZ+rObEOdc%2F@localhost.localdomain/ [1] +Link: https://lore.kernel.org/r/643721.1623754699@warthog.procyon.org.uk/ +Link: https://lore.kernel.org/r/162430903582.2896199.6098150063997983353.stgit@warthog.procyon.org.uk/ # v1 +Link: https://lore.kernel.org/r/162609463957.3133237.15916579353149746363.stgit@warthog.procyon.org.uk/ # v1 (repost) +Link: https://lore.kernel.org/r/162610726860.3408253.445207609466288531.stgit@warthog.procyon.org.uk/ # v2 +Signed-off-by: Sasha Levin +--- + fs/afs/cmservice.c | 25 ++++---------- + include/trace/events/afs.h | 67 +++++++++++++++++++++++++++++++++++--- + 2 files changed, 69 insertions(+), 23 deletions(-) + +diff --git a/fs/afs/cmservice.c b/fs/afs/cmservice.c +index a4e9e6e07e93..2a528b70478c 100644 +--- a/fs/afs/cmservice.c ++++ b/fs/afs/cmservice.c +@@ -29,16 +29,11 @@ static void SRXAFSCB_TellMeAboutYourself(struct work_struct *); + + static int afs_deliver_yfs_cb_callback(struct afs_call *); + +-#define CM_NAME(name) \ +- char afs_SRXCB##name##_name[] __tracepoint_string = \ +- "CB." 
#name +- + /* + * CB.CallBack operation type + */ +-static CM_NAME(CallBack); + static const struct afs_call_type afs_SRXCBCallBack = { +- .name = afs_SRXCBCallBack_name, ++ .name = "CB.CallBack", + .deliver = afs_deliver_cb_callback, + .destructor = afs_cm_destructor, + .work = SRXAFSCB_CallBack, +@@ -47,9 +42,8 @@ static const struct afs_call_type afs_SRXCBCallBack = { + /* + * CB.InitCallBackState operation type + */ +-static CM_NAME(InitCallBackState); + static const struct afs_call_type afs_SRXCBInitCallBackState = { +- .name = afs_SRXCBInitCallBackState_name, ++ .name = "CB.InitCallBackState", + .deliver = afs_deliver_cb_init_call_back_state, + .destructor = afs_cm_destructor, + .work = SRXAFSCB_InitCallBackState, +@@ -58,9 +52,8 @@ static const struct afs_call_type afs_SRXCBInitCallBackState = { + /* + * CB.InitCallBackState3 operation type + */ +-static CM_NAME(InitCallBackState3); + static const struct afs_call_type afs_SRXCBInitCallBackState3 = { +- .name = afs_SRXCBInitCallBackState3_name, ++ .name = "CB.InitCallBackState3", + .deliver = afs_deliver_cb_init_call_back_state3, + .destructor = afs_cm_destructor, + .work = SRXAFSCB_InitCallBackState, +@@ -69,9 +62,8 @@ static const struct afs_call_type afs_SRXCBInitCallBackState3 = { + /* + * CB.Probe operation type + */ +-static CM_NAME(Probe); + static const struct afs_call_type afs_SRXCBProbe = { +- .name = afs_SRXCBProbe_name, ++ .name = "CB.Probe", + .deliver = afs_deliver_cb_probe, + .destructor = afs_cm_destructor, + .work = SRXAFSCB_Probe, +@@ -80,9 +72,8 @@ static const struct afs_call_type afs_SRXCBProbe = { + /* + * CB.ProbeUuid operation type + */ +-static CM_NAME(ProbeUuid); + static const struct afs_call_type afs_SRXCBProbeUuid = { +- .name = afs_SRXCBProbeUuid_name, ++ .name = "CB.ProbeUuid", + .deliver = afs_deliver_cb_probe_uuid, + .destructor = afs_cm_destructor, + .work = SRXAFSCB_ProbeUuid, +@@ -91,9 +82,8 @@ static const struct afs_call_type afs_SRXCBProbeUuid = { + /* + * 
CB.TellMeAboutYourself operation type + */ +-static CM_NAME(TellMeAboutYourself); + static const struct afs_call_type afs_SRXCBTellMeAboutYourself = { +- .name = afs_SRXCBTellMeAboutYourself_name, ++ .name = "CB.TellMeAboutYourself", + .deliver = afs_deliver_cb_tell_me_about_yourself, + .destructor = afs_cm_destructor, + .work = SRXAFSCB_TellMeAboutYourself, +@@ -102,9 +92,8 @@ static const struct afs_call_type afs_SRXCBTellMeAboutYourself = { + /* + * YFS CB.CallBack operation type + */ +-static CM_NAME(YFS_CallBack); + static const struct afs_call_type afs_SRXYFSCB_CallBack = { +- .name = afs_SRXCBYFS_CallBack_name, ++ .name = "YFSCB.CallBack", + .deliver = afs_deliver_yfs_cb_callback, + .destructor = afs_cm_destructor, + .work = SRXAFSCB_CallBack, +diff --git a/include/trace/events/afs.h b/include/trace/events/afs.h +index 4eef374d4413..5deb9f490f6f 100644 +--- a/include/trace/events/afs.h ++++ b/include/trace/events/afs.h +@@ -174,6 +174,34 @@ enum afs_vl_operation { + afs_VL_GetCapabilities = 65537, /* AFS Get VL server capabilities */ + }; + ++enum afs_cm_operation { ++ afs_CB_CallBack = 204, /* AFS break callback promises */ ++ afs_CB_InitCallBackState = 205, /* AFS initialise callback state */ ++ afs_CB_Probe = 206, /* AFS probe client */ ++ afs_CB_GetLock = 207, /* AFS get contents of CM lock table */ ++ afs_CB_GetCE = 208, /* AFS get cache file description */ ++ afs_CB_GetXStatsVersion = 209, /* AFS get version of extended statistics */ ++ afs_CB_GetXStats = 210, /* AFS get contents of extended statistics data */ ++ afs_CB_InitCallBackState3 = 213, /* AFS initialise callback state, version 3 */ ++ afs_CB_ProbeUuid = 214, /* AFS check the client hasn't rebooted */ ++}; ++ ++enum yfs_cm_operation { ++ yfs_CB_Probe = 206, /* YFS probe client */ ++ yfs_CB_GetLock = 207, /* YFS get contents of CM lock table */ ++ yfs_CB_XStatsVersion = 209, /* YFS get version of extended statistics */ ++ yfs_CB_GetXStats = 210, /* YFS get contents of extended statistics data 
*/ ++ yfs_CB_InitCallBackState3 = 213, /* YFS initialise callback state, version 3 */ ++ yfs_CB_ProbeUuid = 214, /* YFS check the client hasn't rebooted */ ++ yfs_CB_GetServerPrefs = 215, ++ yfs_CB_GetCellServDV = 216, ++ yfs_CB_GetLocalCell = 217, ++ yfs_CB_GetCacheConfig = 218, ++ yfs_CB_GetCellByNum = 65537, ++ yfs_CB_TellMeAboutYourself = 65538, /* get client capabilities */ ++ yfs_CB_CallBack = 64204, ++}; ++ + enum afs_edit_dir_op { + afs_edit_dir_create, + afs_edit_dir_create_error, +@@ -435,6 +463,32 @@ enum afs_cb_break_reason { + EM(afs_YFSVL_GetCellName, "YFSVL.GetCellName") \ + E_(afs_VL_GetCapabilities, "VL.GetCapabilities") + ++#define afs_cm_operations \ ++ EM(afs_CB_CallBack, "CB.CallBack") \ ++ EM(afs_CB_InitCallBackState, "CB.InitCallBackState") \ ++ EM(afs_CB_Probe, "CB.Probe") \ ++ EM(afs_CB_GetLock, "CB.GetLock") \ ++ EM(afs_CB_GetCE, "CB.GetCE") \ ++ EM(afs_CB_GetXStatsVersion, "CB.GetXStatsVersion") \ ++ EM(afs_CB_GetXStats, "CB.GetXStats") \ ++ EM(afs_CB_InitCallBackState3, "CB.InitCallBackState3") \ ++ E_(afs_CB_ProbeUuid, "CB.ProbeUuid") ++ ++#define yfs_cm_operations \ ++ EM(yfs_CB_Probe, "YFSCB.Probe") \ ++ EM(yfs_CB_GetLock, "YFSCB.GetLock") \ ++ EM(yfs_CB_XStatsVersion, "YFSCB.XStatsVersion") \ ++ EM(yfs_CB_GetXStats, "YFSCB.GetXStats") \ ++ EM(yfs_CB_InitCallBackState3, "YFSCB.InitCallBackState3") \ ++ EM(yfs_CB_ProbeUuid, "YFSCB.ProbeUuid") \ ++ EM(yfs_CB_GetServerPrefs, "YFSCB.GetServerPrefs") \ ++ EM(yfs_CB_GetCellServDV, "YFSCB.GetCellServDV") \ ++ EM(yfs_CB_GetLocalCell, "YFSCB.GetLocalCell") \ ++ EM(yfs_CB_GetCacheConfig, "YFSCB.GetCacheConfig") \ ++ EM(yfs_CB_GetCellByNum, "YFSCB.GetCellByNum") \ ++ EM(yfs_CB_TellMeAboutYourself, "YFSCB.TellMeAboutYourself") \ ++ E_(yfs_CB_CallBack, "YFSCB.CallBack") ++ + #define afs_edit_dir_ops \ + EM(afs_edit_dir_create, "create") \ + EM(afs_edit_dir_create_error, "c_fail") \ +@@ -567,6 +621,8 @@ afs_server_traces; + afs_cell_traces; + afs_fs_operations; + afs_vl_operations; 
++afs_cm_operations; ++yfs_cm_operations; + afs_edit_dir_ops; + afs_edit_dir_reasons; + afs_eproto_causes; +@@ -647,20 +703,21 @@ TRACE_EVENT(afs_cb_call, + + TP_STRUCT__entry( + __field(unsigned int, call ) +- __field(const char *, name ) + __field(u32, op ) ++ __field(u16, service_id ) + ), + + TP_fast_assign( + __entry->call = call->debug_id; +- __entry->name = call->type->name; + __entry->op = call->operation_ID; ++ __entry->service_id = call->service_id; + ), + +- TP_printk("c=%08x %s o=%u", ++ TP_printk("c=%08x %s", + __entry->call, +- __entry->name, +- __entry->op) ++ __entry->service_id == 2501 ? ++ __print_symbolic(__entry->op, yfs_cm_operations) : ++ __print_symbolic(__entry->op, afs_cm_operations)) + ); + + TRACE_EVENT(afs_call, +-- +2.30.2 + diff --git a/queue-5.10/alsa-hda-intel-dsp-cfg-add-missing-elkhartlake-pci-i.patch b/queue-5.10/alsa-hda-intel-dsp-cfg-add-missing-elkhartlake-pci-i.patch new file mode 100644 index 00000000000..23e929ca0ea --- /dev/null +++ b/queue-5.10/alsa-hda-intel-dsp-cfg-add-missing-elkhartlake-pci-i.patch 
@@ -0,0 +1,41 @@ +From c50a9530049bbf888660005198588f2b41f41796 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jul 2021 18:17:46 -0500 +Subject: ALSA: hda: intel-dsp-cfg: add missing ElkhartLake PCI ID + +From: Pierre-Louis Bossart + +[ Upstream commit 114613f62f42e7cbc1242c4e82076a0153043761 ] + +We missed the fact that ElkhartLake platforms have two different PCI +IDs. We only added one so the SOF driver is never selected by the +autodetection logic for the missing configuration. + +BugLink: https://github.com/thesofproject/linux/issues/2990 +Fixes: cc8f81c7e625 ('ALSA: hda: fix intel DSP config') +Signed-off-by: Pierre-Louis Bossart +Link: https://lore.kernel.org/r/20210719231746.557325-1-pierre-louis.bossart@linux.intel.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/hda/intel-dsp-config.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/sound/hda/intel-dsp-config.c b/sound/hda/intel-dsp-config.c +index fe49e9a97f0e..61e1de6d7be0 100644 +--- a/sound/hda/intel-dsp-config.c ++++ b/sound/hda/intel-dsp-config.c +@@ -318,6 +318,10 @@ static const struct config_entry config_table[] = { + .flags = FLAG_SOF | FLAG_SOF_ONLY_IF_DMIC, + .device = 0x4b55, + }, ++ { ++ .flags = FLAG_SOF | FLAG_SOF_ONLY_IF_DMIC, ++ .device = 0x4b58, ++ }, + #endif + + }; +-- +2.30.2 + diff --git a/queue-5.10/asoc-rt5631-fix-regcache-sync-errors-on-resume.patch b/queue-5.10/asoc-rt5631-fix-regcache-sync-errors-on-resume.patch new file mode 100644 index 00000000000..3cacfa09244 --- /dev/null +++ b/queue-5.10/asoc-rt5631-fix-regcache-sync-errors-on-resume.patch 
@@ -0,0 +1,43 @@ +From b76adb1ff09f5ca437e7cd3d41966a0b8bbbadb6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jul 2021 03:50:11 +0300 +Subject: ASoC: rt5631: Fix regcache sync errors on resume + +From: Maxim Schwalm + +[ Upstream commit c71f78a662611fe2c67f3155da19b0eff0f29762 ] + +The ALC5631 does not like multi-write accesses, avoid them. This fixes: + +rt5631 4-001a: Unable to sync registers 0x3a-0x3c. -121 + +errors on resume from suspend (and all registers after the registers in +the error not being synced). + +Inspired by commit 2d30e9494f1e ("ASoC: rt5651: Fix regcache sync errors +on resume") from Hans de Geode, which fixed the same errors on ALC5651. + +Signed-off-by: Maxim Schwalm +Link: https://lore.kernel.org/r/20210712005011.28536-1-digetx@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/rt5631.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/soc/codecs/rt5631.c b/sound/soc/codecs/rt5631.c +index 653da3eaf355..86d58d0df057 100644 +--- a/sound/soc/codecs/rt5631.c ++++ b/sound/soc/codecs/rt5631.c +@@ -1695,6 +1695,8 @@ static const struct regmap_config rt5631_regmap_config = { + .reg_defaults = rt5631_reg, + .num_reg_defaults = ARRAY_SIZE(rt5631_reg), + .cache_type = REGCACHE_RBTREE, ++ .use_single_read = true, ++ .use_single_write = true, + }; + + static int rt5631_i2c_probe(struct i2c_client *i2c, +-- +2.30.2 + diff --git a/queue-5.10/asoc-wm_adsp-correct-wm_coeff_tlv_get-handling.patch b/queue-5.10/asoc-wm_adsp-correct-wm_coeff_tlv_get-handling.patch new file mode 100644 index 00000000000..3a2117e9f9f --- /dev/null +++ b/queue-5.10/asoc-wm_adsp-correct-wm_coeff_tlv_get-handling.patch 
@@ -0,0 +1,39 @@ +From d5b2564f457f67625bf86b72afcbe1186c58c481 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 26 Jun 2021 16:59:39 +0100 +Subject: ASoC: wm_adsp: Correct wm_coeff_tlv_get handling + +From: Charles Keepax + +[ Upstream commit dd6fb8ff2210f74b056bf9234d0605e8c26a8ac0 ] + +When wm_coeff_tlv_get was updated it was accidentally switch to the _raw +version of the helper causing it to ignore the current DSP state it +should be checking. Switch the code back to the correct helper so that +users can't read the controls when they arn't available. + +Fixes: 73ecf1a673d3 ("ASoC: wm_adsp: Correct cache handling of new kernel control API") +Signed-off-by: Charles Keepax +Link: https://lore.kernel.org/r/20210626155941.12251-1-ckeepax@opensource.cirrus.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/wm_adsp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/codecs/wm_adsp.c b/sound/soc/codecs/wm_adsp.c +index 985b2dcecf13..51d95437e0fd 100644 +--- a/sound/soc/codecs/wm_adsp.c ++++ b/sound/soc/codecs/wm_adsp.c +@@ -1221,7 +1221,7 @@ static int wm_coeff_tlv_get(struct snd_kcontrol *kctl, + + mutex_lock(&ctl->dsp->pwr_lock); + +- ret = wm_coeff_read_ctrl_raw(ctl, ctl->cache, size); ++ ret = wm_coeff_read_ctrl(ctl, ctl->cache, size); + + if (!ret && copy_to_user(bytes, ctl->cache, size)) + ret = -EFAULT; +-- +2.30.2 + diff --git a/queue-5.10/bnxt_en-add-missing-check-for-bnxt_state_abort_err-i.patch b/queue-5.10/bnxt_en-add-missing-check-for-bnxt_state_abort_err-i.patch new file mode 100644 index 00000000000..718b3e40b5b --- /dev/null +++ b/queue-5.10/bnxt_en-add-missing-check-for-bnxt_state_abort_err-i.patch 
@@ -0,0 +1,40 @@ +From e14b9063a20def723b780e4d31b0c950c14c7128 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Jul 2021 15:36:28 -0400 +Subject: bnxt_en: Add missing check for BNXT_STATE_ABORT_ERR in + bnxt_fw_rset_task() + +From: Michael Chan + +[ Upstream commit 6cd657cb3ee6f4de57e635b126ffbe0e51d00f1a ] + +In the BNXT_FW_RESET_STATE_POLL_VF state in bnxt_fw_reset_task() after all +VFs have unregistered, we need to check for BNXT_STATE_ABORT_ERR after +we acquire the rtnl_lock. If the flag is set, we need to abort. + +Fixes: 230d1f0de754 ("bnxt_en: Handle firmware reset.") +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +index f003f08de167..dee6bcfe2fe2 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -11480,6 +11480,10 @@ static void bnxt_fw_reset_task(struct work_struct *work) + } + bp->fw_reset_timestamp = jiffies; + rtnl_lock(); ++ if (test_bit(BNXT_STATE_ABORT_ERR, &bp->state)) { ++ rtnl_unlock(); ++ goto fw_reset_abort; ++ } + bnxt_fw_reset_close(bp); + if (bp->fw_cap & BNXT_FW_CAP_ERR_RECOVER_RELOAD) { + bp->fw_reset_state = BNXT_FW_RESET_STATE_POLL_FW_DOWN; +-- +2.30.2 + diff --git a/queue-5.10/bnxt_en-check-abort-error-state-in-bnxt_half_open_ni.patch b/queue-5.10/bnxt_en-check-abort-error-state-in-bnxt_half_open_ni.patch new file mode 100644 index 00000000000..189fcd90fcb --- /dev/null +++ b/queue-5.10/bnxt_en-check-abort-error-state-in-bnxt_half_open_ni.patch 
@@ -0,0 +1,68 @@ +From da0b6a9f0e5cf7f5b4339c2563d93882b19d7e40 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Jul 2021 15:36:31 -0400 +Subject: bnxt_en: Check abort error state in bnxt_half_open_nic() + +From: Somnath Kotur + +[ Upstream commit 11a39259ff79b74bc99f8b7c44075a2d6d5e7ab1 ] + +bnxt_half_open_nic() is called during during ethtool self test and is +protected by rtnl_lock. Firmware reset can be happening at the same +time. Only critical portions of the entire firmware reset sequence +are protected by the rtnl_lock. It is possible that bnxt_half_open_nic() +can be called when the firmware reset sequence is aborting. In that +case, bnxt_half_open_nic() needs to check if the ABORT_ERR flag is set +and abort if it is. The ethtool self test will fail but the NIC will be +brought to a consistent IF_DOWN state. + +Without this patch, if bnxt_half_open_nic() were to continue in this +error state, it may crash like this: + + bnxt_en 0000:82:00.1 enp130s0f1np1: FW reset in progress during close, FW reset will be aborted + Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 + ... + Process ethtool (pid: 333327, stack limit = 0x0000000046476577) + Call trace: + bnxt_alloc_mem+0x444/0xef0 [bnxt_en] + bnxt_half_open_nic+0x24/0xb8 [bnxt_en] + bnxt_self_test+0x2dc/0x390 [bnxt_en] + ethtool_self_test+0xe0/0x1f8 + dev_ethtool+0x1744/0x22d0 + dev_ioctl+0x190/0x3e0 + sock_ioctl+0x238/0x480 + do_vfs_ioctl+0xc4/0x758 + ksys_ioctl+0x84/0xb8 + __arm64_sys_ioctl+0x28/0x38 + el0_svc_handler+0xb0/0x180 + el0_svc+0x8/0xc + +Fixes: a1301f08c5ac ("bnxt_en: Check abort error state in bnxt_open_nic().") +Signed-off-by: Somnath Kotur +Signed-off-by: Michael Chan +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +index e3a8c1c6d237..8f169508a90a 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -9841,6 +9841,12 @@ int bnxt_half_open_nic(struct bnxt *bp) + { + int rc = 0; + ++ if (test_bit(BNXT_STATE_ABORT_ERR, &bp->state)) { ++ netdev_err(bp->dev, "A previous firmware reset has not completed, aborting half open\n"); ++ rc = -ENODEV; ++ goto half_open_err; ++ } ++ + rc = bnxt_alloc_mem(bp, false); + if (rc) { + netdev_err(bp->dev, "bnxt_alloc_mem err: %x\n", rc); +-- +2.30.2 + diff --git a/queue-5.10/bnxt_en-don-t-disable-an-already-disabled-pci-device.patch b/queue-5.10/bnxt_en-don-t-disable-an-already-disabled-pci-device.patch new file mode 100644 index 00000000000..03b900aed58 --- /dev/null +++ b/queue-5.10/bnxt_en-don-t-disable-an-already-disabled-pci-device.patch 
@@ -0,0 +1,41 @@ +From ba985c1cc534f781a73cd47e6d3de224986235ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Jul 2021 15:36:25 -0400 +Subject: bnxt_en: don't disable an already disabled PCI device + +From: Kalesh AP + +[ Upstream commit c81cfb6256d90ea5ba4a6fb280ea3b171be4e05c ] + +If device is already disabled in reset path and PCI io error is +detected before the device could be enabled, driver could +call pci_disable_device() for already disabled device. Fix this +problem by calling pci_disable_device() only if the device is already +enabled. + +Fixes: 6316ea6db93d ("bnxt_en: Enable AER support.") +Signed-off-by: Kalesh AP +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +index db1b89f57079..f003f08de167 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -12901,7 +12901,8 @@ static pci_ers_result_t bnxt_io_error_detected(struct pci_dev *pdev, + if (netif_running(netdev)) + bnxt_close(netdev); + +- pci_disable_device(pdev); ++ if (pci_is_enabled(pdev)) ++ pci_disable_device(pdev); + bnxt_free_ctx_mem(bp); + kfree(bp->ctx); + bp->ctx = NULL; +-- +2.30.2 + diff --git a/queue-5.10/bnxt_en-refresh-roce-capabilities-in-bnxt_ulp_probe.patch b/queue-5.10/bnxt_en-refresh-roce-capabilities-in-bnxt_ulp_probe.patch new file mode 100644 index 00000000000..54a3883f273 --- /dev/null +++ b/queue-5.10/bnxt_en-refresh-roce-capabilities-in-bnxt_ulp_probe.patch 
@@ -0,0 +1,51 @@ +From adc5afb655794c84d87e5825e5a28841b71cf41e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Jul 2021 15:36:27 -0400 +Subject: bnxt_en: Refresh RoCE capabilities in bnxt_ulp_probe() + +From: Michael Chan + +[ Upstream commit 2c9f046bc377efd1f5e26e74817d5f96e9506c86 ] + +The capabilities can change after firmware upgrade/downgrade, so we +should get the up-to-date RoCE capabilities everytime bnxt_ulp_probe() +is called. + +Fixes: 2151fe0830fd ("bnxt_en: Handle RESET_NOTIFY async event from firmware.") +Reviewed-by: Somnath Kotur +Reviewed-by: Edwin Peer +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c +index 64dbbb04b043..abf169001bf3 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c +@@ -479,15 +479,16 @@ struct bnxt_en_dev *bnxt_ulp_probe(struct net_device *dev) + if (!edev) + return ERR_PTR(-ENOMEM); + edev->en_ops = &bnxt_en_ops_tbl; +- if (bp->flags & BNXT_FLAG_ROCEV1_CAP) +- edev->flags |= BNXT_EN_FLAG_ROCEV1_CAP; +- if (bp->flags & BNXT_FLAG_ROCEV2_CAP) +- edev->flags |= BNXT_EN_FLAG_ROCEV2_CAP; + edev->net = dev; + edev->pdev = bp->pdev; + edev->l2_db_size = bp->db_size; + edev->l2_db_size_nc = bp->db_size; + bp->edev = edev; + } ++ edev->flags &= ~BNXT_EN_FLAG_ROCE_CAP; ++ if (bp->flags & BNXT_FLAG_ROCEV1_CAP) ++ edev->flags |= BNXT_EN_FLAG_ROCEV1_CAP; ++ if (bp->flags & BNXT_FLAG_ROCEV2_CAP) ++ edev->flags |= BNXT_EN_FLAG_ROCEV2_CAP; + return bp->edev; + } +-- +2.30.2 + diff --git a/queue-5.10/bnxt_en-validate-vlan-protocol-id-on-rx-packets.patch b/queue-5.10/bnxt_en-validate-vlan-protocol-id-on-rx-packets.patch new file mode 100644 index 00000000000..52a4833b533 --- /dev/null 
+++ b/queue-5.10/bnxt_en-validate-vlan-protocol-id-on-rx-packets.patch 
@@ -0,0 +1,69 @@ +From e27df44aeac9314833e6ead0938f8c294856c7df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Jul 2021 15:36:30 -0400 +Subject: bnxt_en: Validate vlan protocol ID on RX packets + +From: Michael Chan + +[ Upstream commit 96bdd4b9ea7ef9a12db8fdd0ce90e37dffbd3703 ] + +Only pass supported VLAN protocol IDs for stripped VLAN tags to the +stack. The stack will hit WARN() if the protocol ID is unsupported. + +Existing firmware sets up the chip to strip 0x8100, 0x88a8, 0x9100. +Only the 1st two protocols are supported by the kernel. + +Fixes: a196e96bb68f ("bnxt_en: clean up VLAN feature bit handling") +Reviewed-by: Somnath Kotur +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 21 ++++++++++++++++----- + 1 file changed, 16 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +index dee6bcfe2fe2..e3a8c1c6d237 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -1633,11 +1633,16 @@ static inline struct sk_buff *bnxt_tpa_end(struct bnxt *bp, + + if ((tpa_info->flags2 & RX_CMP_FLAGS2_META_FORMAT_VLAN) && + (skb->dev->features & BNXT_HW_FEATURE_VLAN_ALL_RX)) { +- u16 vlan_proto = tpa_info->metadata >> +- RX_CMP_FLAGS2_METADATA_TPID_SFT; ++ __be16 vlan_proto = htons(tpa_info->metadata >> ++ RX_CMP_FLAGS2_METADATA_TPID_SFT); + u16 vtag = tpa_info->metadata & RX_CMP_FLAGS2_METADATA_TCI_MASK; + +- __vlan_hwaccel_put_tag(skb, htons(vlan_proto), vtag); ++ if (eth_type_vlan(vlan_proto)) { ++ __vlan_hwaccel_put_tag(skb, vlan_proto, vtag); ++ } else { ++ dev_kfree_skb(skb); ++ return NULL; ++ } + } + + skb_checksum_none_assert(skb); +@@ -1858,9 +1863,15 @@ static int bnxt_rx_pkt(struct bnxt *bp, struct bnxt_cp_ring_info *cpr, + (skb->dev->features & BNXT_HW_FEATURE_VLAN_ALL_RX)) { + u32 meta_data = 
le32_to_cpu(rxcmp1->rx_cmp_meta_data); + u16 vtag = meta_data & RX_CMP_FLAGS2_METADATA_TCI_MASK; +- u16 vlan_proto = meta_data >> RX_CMP_FLAGS2_METADATA_TPID_SFT; ++ __be16 vlan_proto = htons(meta_data >> ++ RX_CMP_FLAGS2_METADATA_TPID_SFT); + +- __vlan_hwaccel_put_tag(skb, htons(vlan_proto), vtag); ++ if (eth_type_vlan(vlan_proto)) { ++ __vlan_hwaccel_put_tag(skb, vlan_proto, vtag); ++ } else { ++ dev_kfree_skb(skb); ++ goto next_rx; ++ } + } + + skb_checksum_none_assert(skb); +-- +2.30.2 + diff --git a/queue-5.10/bonding-add-struct-bond_ipesc-to-manage-sa.patch b/queue-5.10/bonding-add-struct-bond_ipesc-to-manage-sa.patch new file mode 100644 index 00000000000..aab17f781b9 --- /dev/null +++ b/queue-5.10/bonding-add-struct-bond_ipesc-to-manage-sa.patch 
@@ -0,0 +1,300 @@ +From 773e64da6e0b587e3e02af280d6a9af6d4d10c1b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Jul 2021 15:38:12 +0000 +Subject: bonding: Add struct bond_ipesc to manage SA + +From: Taehee Yoo + +[ Upstream commit 9a5605505d9c7dbfdb89cc29a8f5fc5cf9fd2334 ] + +bonding has been supporting ipsec offload. +When SA is added, bonding just passes SA to its own active real interface. +But it doesn't manage SA. +So, when events(add/del real interface, active real interface change, etc) +occur, bonding can't handle that well because It doesn't manage SA. +So some problems(panic, UAF, refcnt leak)occur. + +In order to make it stable, it should manage SA. +That's the reason why struct bond_ipsec is added. +When a new SA is added to bonding interface, it is stored in the +bond_ipsec list. And the SA is passed to a current active real interface. +If events occur, it uses bond_ipsec data to handle these events. +bond->ipsec_list is protected by bond->ipsec_lock. + +If a current active real interface is changed, the following logic works. +1. delete all SAs from old active real interface +2. Add all SAs to the new active real interface. +3. If a new active real interface doesn't support ipsec offload or SA's +option, it sets real_dev to NULL. + +Fixes: 18cb261afd7b ("bonding: support hardware encryption offload to slaves") +Signed-off-by: Taehee Yoo +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 139 +++++++++++++++++++++++++++----- + include/net/bonding.h | 9 ++- + 2 files changed, 127 insertions(+), 21 deletions(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 3555798879f2..484784757073 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -385,6 +385,7 @@ static int bond_vlan_rx_kill_vid(struct net_device *bond_dev, + static int bond_ipsec_add_sa(struct xfrm_state *xs) + { + struct net_device *bond_dev = xs->xso.dev; ++ struct bond_ipsec *ipsec; + struct bonding *bond; + struct slave *slave; + int err; +@@ -400,9 +401,6 @@ static int bond_ipsec_add_sa(struct xfrm_state *xs) + return -ENODEV; + } + +- xs->xso.real_dev = slave->dev; +- bond->xs = xs; +- + if (!slave->dev->xfrmdev_ops || + !slave->dev->xfrmdev_ops->xdo_dev_state_add || + netif_is_bond_master(slave->dev)) { +@@ -411,11 +409,63 @@ static int bond_ipsec_add_sa(struct xfrm_state *xs) + return -EINVAL; + } + ++ ipsec = kmalloc(sizeof(*ipsec), GFP_ATOMIC); ++ if (!ipsec) { ++ rcu_read_unlock(); ++ return -ENOMEM; ++ } ++ xs->xso.real_dev = slave->dev; ++ + err = slave->dev->xfrmdev_ops->xdo_dev_state_add(xs); ++ if (!err) { ++ ipsec->xs = xs; ++ INIT_LIST_HEAD(&ipsec->list); ++ spin_lock_bh(&bond->ipsec_lock); ++ list_add(&ipsec->list, &bond->ipsec_list); ++ spin_unlock_bh(&bond->ipsec_lock); ++ } else { ++ kfree(ipsec); ++ } + rcu_read_unlock(); + return err; + } + ++static void bond_ipsec_add_sa_all(struct bonding *bond) ++{ ++ struct net_device *bond_dev = bond->dev; ++ struct bond_ipsec *ipsec; ++ struct slave *slave; ++ ++ rcu_read_lock(); ++ slave = rcu_dereference(bond->curr_active_slave); ++ if (!slave) ++ goto out; ++ ++ if (!slave->dev->xfrmdev_ops || ++ !slave->dev->xfrmdev_ops->xdo_dev_state_add || ++ netif_is_bond_master(slave->dev)) { ++ spin_lock_bh(&bond->ipsec_lock); ++ if (!list_empty(&bond->ipsec_list)) ++ slave_warn(bond_dev, 
slave->dev, ++ "%s: no slave xdo_dev_state_add\n", ++ __func__); ++ spin_unlock_bh(&bond->ipsec_lock); ++ goto out; ++ } ++ ++ spin_lock_bh(&bond->ipsec_lock); ++ list_for_each_entry(ipsec, &bond->ipsec_list, list) { ++ ipsec->xs->xso.real_dev = slave->dev; ++ if (slave->dev->xfrmdev_ops->xdo_dev_state_add(ipsec->xs)) { ++ slave_warn(bond_dev, slave->dev, "%s: failed to add SA\n", __func__); ++ ipsec->xs->xso.real_dev = NULL; ++ } ++ } ++ spin_unlock_bh(&bond->ipsec_lock); ++out: ++ rcu_read_unlock(); ++} ++ + /** + * bond_ipsec_del_sa - clear out this specific SA + * @xs: pointer to transformer state struct +@@ -423,6 +473,7 @@ static int bond_ipsec_add_sa(struct xfrm_state *xs) + static void bond_ipsec_del_sa(struct xfrm_state *xs) + { + struct net_device *bond_dev = xs->xso.dev; ++ struct bond_ipsec *ipsec; + struct bonding *bond; + struct slave *slave; + +@@ -436,7 +487,10 @@ static void bond_ipsec_del_sa(struct xfrm_state *xs) + if (!slave) + goto out; + +- xs->xso.real_dev = slave->dev; ++ if (!xs->xso.real_dev) ++ goto out; ++ ++ WARN_ON(xs->xso.real_dev != slave->dev); + + if (!slave->dev->xfrmdev_ops || + !slave->dev->xfrmdev_ops->xdo_dev_state_delete || +@@ -447,6 +501,48 @@ static void bond_ipsec_del_sa(struct xfrm_state *xs) + + slave->dev->xfrmdev_ops->xdo_dev_state_delete(xs); + out: ++ spin_lock_bh(&bond->ipsec_lock); ++ list_for_each_entry(ipsec, &bond->ipsec_list, list) { ++ if (ipsec->xs == xs) { ++ list_del(&ipsec->list); ++ kfree(ipsec); ++ break; ++ } ++ } ++ spin_unlock_bh(&bond->ipsec_lock); ++ rcu_read_unlock(); ++} ++ ++static void bond_ipsec_del_sa_all(struct bonding *bond) ++{ ++ struct net_device *bond_dev = bond->dev; ++ struct bond_ipsec *ipsec; ++ struct slave *slave; ++ ++ rcu_read_lock(); ++ slave = rcu_dereference(bond->curr_active_slave); ++ if (!slave) { ++ rcu_read_unlock(); ++ return; ++ } ++ ++ spin_lock_bh(&bond->ipsec_lock); ++ list_for_each_entry(ipsec, &bond->ipsec_list, list) { ++ if (!ipsec->xs->xso.real_dev) ++ 
continue; ++ ++ if (!slave->dev->xfrmdev_ops || ++ !slave->dev->xfrmdev_ops->xdo_dev_state_delete || ++ netif_is_bond_master(slave->dev)) { ++ slave_warn(bond_dev, slave->dev, ++ "%s: no slave xdo_dev_state_delete\n", ++ __func__); ++ } else { ++ slave->dev->xfrmdev_ops->xdo_dev_state_delete(ipsec->xs); ++ } ++ ipsec->xs->xso.real_dev = NULL; ++ } ++ spin_unlock_bh(&bond->ipsec_lock); + rcu_read_unlock(); + } + +@@ -458,22 +554,27 @@ out: + static bool bond_ipsec_offload_ok(struct sk_buff *skb, struct xfrm_state *xs) + { + struct net_device *bond_dev = xs->xso.dev; +- struct bonding *bond = netdev_priv(bond_dev); +- struct slave *curr_active = rcu_dereference(bond->curr_active_slave); +- struct net_device *slave_dev = curr_active->dev; ++ struct net_device *real_dev; ++ struct slave *curr_active; ++ struct bonding *bond; ++ ++ bond = netdev_priv(bond_dev); ++ curr_active = rcu_dereference(bond->curr_active_slave); ++ real_dev = curr_active->dev; + + if (BOND_MODE(bond) != BOND_MODE_ACTIVEBACKUP) + return true; + +- if (!slave_dev->xfrmdev_ops || +- !slave_dev->xfrmdev_ops->xdo_dev_offload_ok || +- netif_is_bond_master(slave_dev)) { +- slave_warn(bond_dev, slave_dev, "%s: no slave xdo_dev_offload_ok\n", __func__); ++ if (!xs->xso.real_dev) ++ return false; ++ ++ if (!real_dev->xfrmdev_ops || ++ !real_dev->xfrmdev_ops->xdo_dev_offload_ok || ++ netif_is_bond_master(real_dev)) { + return false; + } + +- xs->xso.real_dev = slave_dev; +- return slave_dev->xfrmdev_ops->xdo_dev_offload_ok(skb, xs); ++ return real_dev->xfrmdev_ops->xdo_dev_offload_ok(skb, xs); + } + + static const struct xfrmdev_ops bond_xfrmdev_ops = { +@@ -990,8 +1091,7 @@ void bond_change_active_slave(struct bonding *bond, struct slave *new_active) + return; + + #ifdef CONFIG_XFRM_OFFLOAD +- if (old_active && bond->xs) +- bond_ipsec_del_sa(bond->xs); ++ bond_ipsec_del_sa_all(bond); + #endif /* CONFIG_XFRM_OFFLOAD */ + + if (new_active) { +@@ -1067,10 +1167,7 @@ void bond_change_active_slave(struct 
bonding *bond, struct slave *new_active) + } + + #ifdef CONFIG_XFRM_OFFLOAD +- if (new_active && bond->xs) { +- xfrm_dev_state_flush(dev_net(bond->dev), bond->dev, true); +- bond_ipsec_add_sa(bond->xs); +- } ++ bond_ipsec_add_sa_all(bond); + #endif /* CONFIG_XFRM_OFFLOAD */ + + /* resend IGMP joins since active slave has changed or +@@ -3309,6 +3406,7 @@ static int bond_master_netdev_event(unsigned long event, + return bond_event_changename(event_bond); + case NETDEV_UNREGISTER: + bond_remove_proc_entry(event_bond); ++ xfrm_dev_state_flush(dev_net(bond_dev), bond_dev, true); + break; + case NETDEV_REGISTER: + bond_create_proc_entry(event_bond); +@@ -4742,7 +4840,8 @@ void bond_setup(struct net_device *bond_dev) + #ifdef CONFIG_XFRM_OFFLOAD + /* set up xfrm device ops (only supported in active-backup right now) */ + bond_dev->xfrmdev_ops = &bond_xfrmdev_ops; +- bond->xs = NULL; ++ INIT_LIST_HEAD(&bond->ipsec_list); ++ spin_lock_init(&bond->ipsec_lock); + #endif /* CONFIG_XFRM_OFFLOAD */ + + /* don't acquire bond device's netif_tx_lock when transmitting */ +diff --git a/include/net/bonding.h b/include/net/bonding.h +index adc3da776970..67d676059aa0 100644 +--- a/include/net/bonding.h ++++ b/include/net/bonding.h +@@ -199,6 +199,11 @@ struct bond_up_slave { + */ + #define BOND_LINK_NOCHANGE -1 + ++struct bond_ipsec { ++ struct list_head list; ++ struct xfrm_state *xs; ++}; ++ + /* + * Here are the locking policies for the two bonding locks: + * Get rcu_read_lock when reading or RTNL when writing slave list. +@@ -247,7 +252,9 @@ struct bonding { + #endif /* CONFIG_DEBUG_FS */ + struct rtnl_link_stats64 bond_stats; + #ifdef CONFIG_XFRM_OFFLOAD +- struct xfrm_state *xs; ++ struct list_head ipsec_list; ++ /* protecting ipsec_list */ ++ spinlock_t ipsec_lock; + #endif /* CONFIG_XFRM_OFFLOAD */ + }; + +-- +2.30.2 + 
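Review bot: In bond_ipsec_offload_ok(), "real_dev = curr_active->dev;" still runs before any NULL check, so if bond->curr_active_slave is NULL the function faults before it reaches the new "if (!xs->xso.real_dev) return false;" test. Add "if (!curr_active) return false;" directly after the rcu_dereference(), matching the "if (!slave)" checks that bond_ipsec_add_sa_all() and bond_ipsec_del_sa_all() already have. Separately, both *_all() helpers invoke the slave's xdo_dev_state_add / xdo_dev_state_delete with bond->ipsec_lock held through spin_lock_bh(), which means those driver callbacks must not sleep; the comment on ipsec_lock in struct bonding ("protecting ipsec_list") should state that constraint.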
diff --git a/queue-5.10/bonding-disallow-setting-nested-bonding-ipsec-offloa.patch b/queue-5.10/bonding-disallow-setting-nested-bonding-ipsec-offloa.patch new file mode 100644 index 00000000000..5cefca826af --- /dev/null +++ b/queue-5.10/bonding-disallow-setting-nested-bonding-ipsec-offloa.patch 
@@ -0,0 +1,75 @@ +From cd6b6c49c24d708f754f0c48eb80a9c53b3fee42 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Jul 2021 15:38:11 +0000 +Subject: bonding: disallow setting nested bonding + ipsec offload + +From: Taehee Yoo + +[ Upstream commit b121693381b112b78c076dea171ee113e237c0e4 ] + +bonding interface can be nested and it supports ipsec offload. +So, it allows setting the nested bonding + ipsec scenario. +But code does not support this scenario. +So, it should be disallowed. + +interface graph: +bond2 + | +bond1 + | +eth0 + +The nested bonding + ipsec offload may not a real usecase. +So, disallowing this scenario is fine. + +Fixes: 18cb261afd7b ("bonding: support hardware encryption offload to slaves") +Signed-off-by: Taehee Yoo +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 952796fb5f1a..3555798879f2 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -403,8 +403,9 @@ static int bond_ipsec_add_sa(struct xfrm_state *xs) + xs->xso.real_dev = slave->dev; + bond->xs = xs; + +- if (!(slave->dev->xfrmdev_ops +- && slave->dev->xfrmdev_ops->xdo_dev_state_add)) { ++ if (!slave->dev->xfrmdev_ops || ++ !slave->dev->xfrmdev_ops->xdo_dev_state_add || ++ netif_is_bond_master(slave->dev)) { + slave_warn(bond_dev, slave->dev, "Slave does not support ipsec offload\n"); + rcu_read_unlock(); + return -EINVAL; +@@ -437,8 +438,9 @@ static void bond_ipsec_del_sa(struct xfrm_state *xs) + + xs->xso.real_dev = slave->dev; + +- if (!(slave->dev->xfrmdev_ops +- && slave->dev->xfrmdev_ops->xdo_dev_state_delete)) { ++ if (!slave->dev->xfrmdev_ops || ++ !slave->dev->xfrmdev_ops->xdo_dev_state_delete || ++ netif_is_bond_master(slave->dev)) { + slave_warn(bond_dev, slave->dev, "%s: no slave xdo_dev_state_delete\n", __func__); + goto 
out; + } +@@ -463,8 +465,9 @@ static bool bond_ipsec_offload_ok(struct sk_buff *skb, struct xfrm_state *xs) + if (BOND_MODE(bond) != BOND_MODE_ACTIVEBACKUP) + return true; + +- if (!(slave_dev->xfrmdev_ops +- && slave_dev->xfrmdev_ops->xdo_dev_offload_ok)) { ++ if (!slave_dev->xfrmdev_ops || ++ !slave_dev->xfrmdev_ops->xdo_dev_offload_ok || ++ netif_is_bond_master(slave_dev)) { + slave_warn(bond_dev, slave_dev, "%s: no slave xdo_dev_offload_ok\n", __func__); + return false; + } +-- +2.30.2 + diff --git a/queue-5.10/bonding-fix-incorrect-return-value-of-bond_ipsec_off.patch b/queue-5.10/bonding-fix-incorrect-return-value-of-bond_ipsec_off.patch new file mode 100644 index 00000000000..6b74e1e0078 --- /dev/null +++ b/queue-5.10/bonding-fix-incorrect-return-value-of-bond_ipsec_off.patch 
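Review bot: In the bond_ipsec_add_sa() hunk of the nested-bonding patch, the new netif_is_bond_master() rejection sits below "xs->xso.real_dev = slave->dev;" and "bond->xs = xs;", so the -EINVAL path returns with bond->xs still pointing at an SA that was never offloaded and with real_dev set to the rejected device. Move the two assignments below the capability check, or clear them before returning. The nested case also reuses the message "Slave does not support ipsec offload"; a distinct message would make the reason for the rejection clear in the log.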
@@ -0,0 +1,39 @@ +From d6766784e03cba9e043eaf3f026a0198e6a2e4f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Jul 2021 15:38:14 +0000 +Subject: bonding: fix incorrect return value of bond_ipsec_offload_ok() + +From: Taehee Yoo + +[ Upstream commit 168e696a36792a4a3b2525a06249e7472ef90186 ] + +bond_ipsec_offload_ok() is called to check whether the interface supports +ipsec offload or not. +bonding interface support ipsec offload only in active-backup mode. +So, if a bond interface is not in active-backup mode, it should return +false but it returns true. + +Fixes: a3b658cfb664 ("bonding: allow xfrm offload setup post-module-load") +Signed-off-by: Taehee Yoo +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 9aa2d79aa942..1a795a858630 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -565,7 +565,7 @@ static bool bond_ipsec_offload_ok(struct sk_buff *skb, struct xfrm_state *xs) + real_dev = curr_active->dev; + + if (BOND_MODE(bond) != BOND_MODE_ACTIVEBACKUP) { +- err = true; ++ err = false; + goto out; + } + +-- +2.30.2 + diff --git a/queue-5.10/bonding-fix-null-dereference-in-bond_ipsec_add_sa.patch b/queue-5.10/bonding-fix-null-dereference-in-bond_ipsec_add_sa.patch new file mode 100644 index 00000000000..f4e7b5a1a0d --- /dev/null +++ b/queue-5.10/bonding-fix-null-dereference-in-bond_ipsec_add_sa.patch 
@@ -0,0 +1,90 @@ +From b5ce909a7c27ef2bc2d6bdcfd79d925505fd4ef1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Jul 2021 15:38:07 +0000 +Subject: bonding: fix null dereference in bond_ipsec_add_sa() + +From: Taehee Yoo + +[ Upstream commit 105cd17a866017b45f3c45901b394c711c97bf40 ] + +If bond doesn't have real device, bond->curr_active_slave is null. +But bond_ipsec_add_sa() dereferences bond->curr_active_slave without +null checking. +So, null-ptr-deref would occur. + +Test commands: + ip link add bond0 type bond + ip link set bond0 up + ip x s add proto esp dst 14.1.1.1 src 15.1.1.1 spi \ +0x07 mode transport reqid 0x07 replay-window 32 aead 'rfc4106(gcm(aes))' \ +0x44434241343332312423222114131211f4f3f2f1 128 sel src 14.0.0.52/24 \ +dst 14.0.0.70/24 proto tcp offload dev bond0 dir in + +Splat looks like: +KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] +CPU: 4 PID: 680 Comm: ip Not tainted 5.13.0-rc3+ #1168 +RIP: 0010:bond_ipsec_add_sa+0xc4/0x2e0 [bonding] +Code: 85 21 02 00 00 4d 8b a6 48 0c 00 00 e8 75 58 44 ce 85 c0 0f 85 14 +01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 <80> 3c 02 +00 0f 85 fc 01 00 00 48 8d bb e0 02 00 00 4d 8b 2c 24 48 +RSP: 0018:ffff88810946f508 EFLAGS: 00010246 +RAX: dffffc0000000000 RBX: ffff88810b4e8040 RCX: 0000000000000001 +RDX: 0000000000000000 RSI: ffffffff8fe34280 RDI: ffff888115abe100 +RBP: ffff88810946f528 R08: 0000000000000003 R09: fffffbfff2287e11 +R10: 0000000000000001 R11: ffff888115abe0c8 R12: 0000000000000000 +R13: ffffffffc0aea9a0 R14: ffff88800d7d2000 R15: ffff88810b4e8330 +FS: 00007efc5552e680(0000) GS:ffff888119c00000(0000) +knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 000055c2530dbf40 CR3: 0000000103056004 CR4: 00000000003706e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + xfrm_dev_state_add+0x2a9/0x770 + ? 
memcpy+0x38/0x60 + xfrm_add_sa+0x2278/0x3b10 [xfrm_user] + ? xfrm_get_policy+0xaa0/0xaa0 [xfrm_user] + ? register_lock_class+0x1750/0x1750 + xfrm_user_rcv_msg+0x331/0x660 [xfrm_user] + ? rcu_read_lock_sched_held+0x91/0xc0 + ? xfrm_user_state_lookup.constprop.39+0x320/0x320 [xfrm_user] + ? find_held_lock+0x3a/0x1c0 + ? mutex_lock_io_nested+0x1210/0x1210 + ? sched_clock_cpu+0x18/0x170 + netlink_rcv_skb+0x121/0x350 + ? xfrm_user_state_lookup.constprop.39+0x320/0x320 [xfrm_user] + ? netlink_ack+0x9d0/0x9d0 + ? netlink_deliver_tap+0x17c/0xa50 + xfrm_netlink_rcv+0x68/0x80 [xfrm_user] + netlink_unicast+0x41c/0x610 + ? netlink_attachskb+0x710/0x710 + netlink_sendmsg+0x6b9/0xb70 +[ ...] + +Fixes: 18cb261afd7b ("bonding: support hardware encryption offload to slaves") +Signed-off-by: Taehee Yoo +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 8bb90e97898d..a66d639c415f 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -395,6 +395,11 @@ static int bond_ipsec_add_sa(struct xfrm_state *xs) + rcu_read_lock(); + bond = netdev_priv(bond_dev); + slave = rcu_dereference(bond->curr_active_slave); ++ if (!slave) { ++ rcu_read_unlock(); ++ return -ENODEV; ++ } ++ + xs->xso.real_dev = slave->dev; + bond->xs = xs; + +-- +2.30.2 + diff --git a/queue-5.10/bonding-fix-suspicious-rcu-usage-in-bond_ipsec_add_s.patch b/queue-5.10/bonding-fix-suspicious-rcu-usage-in-bond_ipsec_add_s.patch new file mode 100644 index 00000000000..577f307c7f6 --- /dev/null +++ b/queue-5.10/bonding-fix-suspicious-rcu-usage-in-bond_ipsec_add_s.patch 
@@ -0,0 +1,108 @@ +From 9d46332a6b667cca5067e85886ccc19d8b748a34 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Jul 2021 15:38:06 +0000 +Subject: bonding: fix suspicious RCU usage in bond_ipsec_add_sa() + +From: Taehee Yoo + +[ Upstream commit b648eba4c69e5819880b4907e7fcb2bb576069ab ] + +To dereference bond->curr_active_slave, it uses rcu_dereference(). +But it and the caller doesn't acquire RCU so a warning occurs. +So add rcu_read_lock(). + +Test commands: + ip link add dummy0 type dummy + ip link add bond0 type bond + ip link set dummy0 master bond0 + ip link set dummy0 up + ip link set bond0 up + ip x s add proto esp dst 14.1.1.1 src 15.1.1.1 spi 0x07 \ + mode transport \ + reqid 0x07 replay-window 32 aead 'rfc4106(gcm(aes))' \ + 0x44434241343332312423222114131211f4f3f2f1 128 sel \ + src 14.0.0.52/24 dst 14.0.0.70/24 proto tcp offload \ + dev bond0 dir in + +Splat looks like: +============================= +WARNING: suspicious RCU usage +5.13.0-rc3+ #1168 Not tainted +----------------------------- +drivers/net/bonding/bond_main.c:411 suspicious rcu_dereference_check() usage! + +other info that might help us debug this: + +rcu_scheduler_active = 2, debug_locks = 1 +1 lock held by ip/684: + #0: ffffffff9a2757c0 (&net->xfrm.xfrm_cfg_mutex){+.+.}-{3:3}, +at: xfrm_netlink_rcv+0x59/0x80 [xfrm_user] + 55.191733][ T684] stack backtrace: +CPU: 0 PID: 684 Comm: ip Not tainted 5.13.0-rc3+ #1168 +Call Trace: + dump_stack+0xa4/0xe5 + bond_ipsec_add_sa+0x18c/0x1f0 [bonding] + xfrm_dev_state_add+0x2a9/0x770 + ? memcpy+0x38/0x60 + xfrm_add_sa+0x2278/0x3b10 [xfrm_user] + ? xfrm_get_policy+0xaa0/0xaa0 [xfrm_user] + ? register_lock_class+0x1750/0x1750 + xfrm_user_rcv_msg+0x331/0x660 [xfrm_user] + ? rcu_read_lock_sched_held+0x91/0xc0 + ? xfrm_user_state_lookup.constprop.39+0x320/0x320 [xfrm_user] + ? find_held_lock+0x3a/0x1c0 + ? mutex_lock_io_nested+0x1210/0x1210 + ? sched_clock_cpu+0x18/0x170 + netlink_rcv_skb+0x121/0x350 + ? 
xfrm_user_state_lookup.constprop.39+0x320/0x320 [xfrm_user] + ? netlink_ack+0x9d0/0x9d0 + ? netlink_deliver_tap+0x17c/0xa50 + xfrm_netlink_rcv+0x68/0x80 [xfrm_user] + netlink_unicast+0x41c/0x610 + ? netlink_attachskb+0x710/0x710 + netlink_sendmsg+0x6b9/0xb70 +[ ... ] + +Fixes: 18cb261afd7b ("bonding: support hardware encryption offload to slaves") +Signed-off-by: Taehee Yoo +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 345a3f61c723..8bb90e97898d 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -387,10 +387,12 @@ static int bond_ipsec_add_sa(struct xfrm_state *xs) + struct net_device *bond_dev = xs->xso.dev; + struct bonding *bond; + struct slave *slave; ++ int err; + + if (!bond_dev) + return -EINVAL; + ++ rcu_read_lock(); + bond = netdev_priv(bond_dev); + slave = rcu_dereference(bond->curr_active_slave); + xs->xso.real_dev = slave->dev; +@@ -399,10 +401,13 @@ static int bond_ipsec_add_sa(struct xfrm_state *xs) + if (!(slave->dev->xfrmdev_ops + && slave->dev->xfrmdev_ops->xdo_dev_state_add)) { + slave_warn(bond_dev, slave->dev, "Slave does not support ipsec offload\n"); ++ rcu_read_unlock(); + return -EINVAL; + } + +- return slave->dev->xfrmdev_ops->xdo_dev_state_add(xs); ++ err = slave->dev->xfrmdev_ops->xdo_dev_state_add(xs); ++ rcu_read_unlock(); ++ return err; + } + + /** +-- +2.30.2 + diff --git a/queue-5.10/bonding-fix-suspicious-rcu-usage-in-bond_ipsec_del_s.patch b/queue-5.10/bonding-fix-suspicious-rcu-usage-in-bond_ipsec_del_s.patch new file mode 100644 index 00000000000..23e8cef42cf --- /dev/null +++ b/queue-5.10/bonding-fix-suspicious-rcu-usage-in-bond_ipsec_del_s.patch 
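Review bot: In the bond_ipsec_add_sa() RCU patch, the context line "xs->xso.real_dev = slave->dev;" follows rcu_dereference() with no NULL check, so adding rcu_read_lock() removes the lockdep splat but a bond without an active slave still dereferences NULL inside the new read-side section. The check only arrives with the null-dereference patch, whose base index 8bb90e97898d is the result of this one, so the two have to be queued together and in this order. The unlock is also open-coded before each return; a single "out:" label, as the bond_ipsec_del_sa() patch uses, would keep a future error path from missing it.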
@@ -0,0 +1,106 @@ +From af746137a8008ff41116e4c964f277381716bfb4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Jul 2021 15:38:10 +0000 +Subject: bonding: fix suspicious RCU usage in bond_ipsec_del_sa() + +From: Taehee Yoo + +[ Upstream commit a22c39b831a081da9b2c488bd970a4412d926f30 ] + +To dereference bond->curr_active_slave, it uses rcu_dereference(). +But it and the caller doesn't acquire RCU so a warning occurs. +So add rcu_read_lock(). + +Test commands: + ip netns add A + ip netns exec A bash + modprobe netdevsim + echo "1 1" > /sys/bus/netdevsim/new_device + ip link add bond0 type bond + ip link set eth0 master bond0 + ip link set eth0 up + ip link set bond0 up + ip x s add proto esp dst 14.1.1.1 src 15.1.1.1 spi 0x07 mode \ +transport reqid 0x07 replay-window 32 aead 'rfc4106(gcm(aes))' \ +0x44434241343332312423222114131211f4f3f2f1 128 sel src 14.0.0.52/24 \ +dst 14.0.0.70/24 proto tcp offload dev bond0 dir in + ip x s f + +Splat looks like: +============================= +WARNING: suspicious RCU usage +5.13.0-rc3+ #1168 Not tainted +----------------------------- +drivers/net/bonding/bond_main.c:448 suspicious rcu_dereference_check() +usage! + +other info that might help us debug this: + +rcu_scheduler_active = 2, debug_locks = 1 +2 locks held by ip/705: + #0: ffff888106701780 (&net->xfrm.xfrm_cfg_mutex){+.+.}-{3:3}, +at: xfrm_netlink_rcv+0x59/0x80 [xfrm_user] + #1: ffff8880075b0098 (&x->lock){+.-.}-{2:2}, +at: xfrm_state_delete+0x16/0x30 + +stack backtrace: +CPU: 6 PID: 705 Comm: ip Not tainted 5.13.0-rc3+ #1168 +Call Trace: + dump_stack+0xa4/0xe5 + bond_ipsec_del_sa+0x16a/0x1c0 [bonding] + __xfrm_state_delete+0x51f/0x730 + xfrm_state_delete+0x1e/0x30 + xfrm_state_flush+0x22f/0x390 + xfrm_flush_sa+0xd8/0x260 [xfrm_user] + ? xfrm_flush_policy+0x290/0x290 [xfrm_user] + xfrm_user_rcv_msg+0x331/0x660 [xfrm_user] + ? rcu_read_lock_sched_held+0x91/0xc0 + ? xfrm_user_state_lookup.constprop.39+0x320/0x320 [xfrm_user] + ? find_held_lock+0x3a/0x1c0 + ? 
mutex_lock_io_nested+0x1210/0x1210 + ? sched_clock_cpu+0x18/0x170 + netlink_rcv_skb+0x121/0x350 +[ ... ] + +Fixes: 18cb261afd7b ("bonding: support hardware encryption offload to slaves") +Signed-off-by: Taehee Yoo +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index a66d639c415f..952796fb5f1a 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -428,21 +428,24 @@ static void bond_ipsec_del_sa(struct xfrm_state *xs) + if (!bond_dev) + return; + ++ rcu_read_lock(); + bond = netdev_priv(bond_dev); + slave = rcu_dereference(bond->curr_active_slave); + + if (!slave) +- return; ++ goto out; + + xs->xso.real_dev = slave->dev; + + if (!(slave->dev->xfrmdev_ops + && slave->dev->xfrmdev_ops->xdo_dev_state_delete)) { + slave_warn(bond_dev, slave->dev, "%s: no slave xdo_dev_state_delete\n", __func__); +- return; ++ goto out; + } + + slave->dev->xfrmdev_ops->xdo_dev_state_delete(xs); ++out: ++ rcu_read_unlock(); + } + + /** +-- +2.30.2 + diff --git a/queue-5.10/bonding-fix-suspicious-rcu-usage-in-bond_ipsec_offlo.patch b/queue-5.10/bonding-fix-suspicious-rcu-usage-in-bond_ipsec_offlo.patch new file mode 100644 index 00000000000..9881afd1d00 --- /dev/null +++ b/queue-5.10/bonding-fix-suspicious-rcu-usage-in-bond_ipsec_offlo.patch 
@@ -0,0 +1,96 @@ +From 393d37fbcb9b76c2fb4b1c2b66320a3cc85f9dd5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Jul 2021 15:38:13 +0000 +Subject: bonding: fix suspicious RCU usage in bond_ipsec_offload_ok() + +From: Taehee Yoo + +[ Upstream commit 955b785ec6b3b2f9b91914d6eeac8ee66ee29239 ] + +To dereference bond->curr_active_slave, it uses rcu_dereference(). +But it and the caller doesn't acquire RCU so a warning occurs. +So add rcu_read_lock(). + +Splat looks like: +WARNING: suspicious RCU usage +5.13.0-rc6+ #1179 Not tainted +drivers/net/bonding/bond_main.c:571 suspicious +rcu_dereference_check() usage! + +other info that might help us debug this: + +rcu_scheduler_active = 2, debug_locks = 1 +1 lock held by ping/974: + #0: ffff888109e7db70 (sk_lock-AF_INET){+.+.}-{0:0}, +at: raw_sendmsg+0x1303/0x2cb0 + +stack backtrace: +CPU: 2 PID: 974 Comm: ping Not tainted 5.13.0-rc6+ #1179 +Call Trace: + dump_stack+0xa4/0xe5 + bond_ipsec_offload_ok+0x1f4/0x260 [bonding] + xfrm_output+0x179/0x890 + xfrm4_output+0xfa/0x410 + ? __xfrm4_output+0x4b0/0x4b0 + ? __ip_make_skb+0xecc/0x2030 + ? xfrm4_udp_encap_rcv+0x800/0x800 + ? ip_local_out+0x21/0x3a0 + ip_send_skb+0x37/0xa0 + raw_sendmsg+0x1bfd/0x2cb0 + +Fixes: 18cb261afd7b ("bonding: support hardware encryption offload to slaves") +Signed-off-by: Taehee Yoo +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 22 ++++++++++++++++------ + 1 file changed, 16 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 484784757073..9aa2d79aa942 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -557,24 +557,34 @@ static bool bond_ipsec_offload_ok(struct sk_buff *skb, struct xfrm_state *xs) + struct net_device *real_dev; + struct slave *curr_active; + struct bonding *bond; ++ int err; + + bond = netdev_priv(bond_dev); ++ rcu_read_lock(); + curr_active = rcu_dereference(bond->curr_active_slave); + real_dev = curr_active->dev; + +- if (BOND_MODE(bond) != BOND_MODE_ACTIVEBACKUP) +- return true; ++ if (BOND_MODE(bond) != BOND_MODE_ACTIVEBACKUP) { ++ err = true; ++ goto out; ++ } + +- if (!xs->xso.real_dev) +- return false; ++ if (!xs->xso.real_dev) { ++ err = false; ++ goto out; ++ } + + if (!real_dev->xfrmdev_ops || + !real_dev->xfrmdev_ops->xdo_dev_offload_ok || + netif_is_bond_master(real_dev)) { +- return false; ++ err = false; ++ goto out; + } + +- return real_dev->xfrmdev_ops->xdo_dev_offload_ok(skb, xs); ++ err = real_dev->xfrmdev_ops->xdo_dev_offload_ok(skb, xs); ++out: ++ rcu_read_unlock(); ++ return err; + } + + static const struct xfrmdev_ops bond_xfrmdev_ops = { +-- +2.30.2 + diff --git a/queue-5.10/bpf-fix-tail_call_reachable-rejection-for-interprete.patch b/queue-5.10/bpf-fix-tail_call_reachable-rejection-for-interprete.patch new file mode 100644 index 00000000000..2b6bf6e65c9 --- /dev/null +++ b/queue-5.10/bpf-fix-tail_call_reachable-rejection-for-interprete.patch 
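Review bot: In the bond_ipsec_offload_ok() RCU patch, the new local is declared "int err;" but is only ever assigned true, false, or the result of xdo_dev_offload_ok(), and is returned from a function declared bool. Declare it bool and name it for what it carries (for example "ok"), because "err = true;" reads as a failure while it means the offload is permitted. That naming is what makes the non-active-backup branch easy to get wrong, which the later return-value patch in this queue has to correct.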
@@ -0,0 +1,122 @@ +From 00859be3e51c02dd95986aafd82c0276d8e6eb36 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jul 2021 22:57:35 +0200 +Subject: bpf: Fix tail_call_reachable rejection for interpreter when jit + failed + +From: Daniel Borkmann + +[ Upstream commit 5dd0a6b8582ffbfa88351949d50eccd5b6694ade ] + +During testing of f263a81451c1 ("bpf: Track subprog poke descriptors correctly +and fix use-after-free") under various failure conditions, for example, when +jit_subprogs() fails and tries to clean up the program to be run under the +interpreter, we ran into the following freeze: + + [...] + #127/8 tailcall_bpf2bpf_3:FAIL + [...] + [ 92.041251] BUG: KASAN: slab-out-of-bounds in ___bpf_prog_run+0x1b9d/0x2e20 + [ 92.042408] Read of size 8 at addr ffff88800da67f68 by task test_progs/682 + [ 92.043707] + [ 92.044030] CPU: 1 PID: 682 Comm: test_progs Tainted: G O 5.13.0-53301-ge6c08cb33a30-dirty #87 + [ 92.045542] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1 04/01/2014 + [ 92.046785] Call Trace: + [ 92.047171] ? __bpf_prog_run_args64+0xc0/0xc0 + [ 92.047773] ? __bpf_prog_run_args32+0x8b/0xb0 + [ 92.048389] ? __bpf_prog_run_args64+0xc0/0xc0 + [ 92.049019] ? ktime_get+0x117/0x130 + [...] // few hundred [similar] lines more + [ 92.659025] ? ktime_get+0x117/0x130 + [ 92.659845] ? __bpf_prog_run_args64+0xc0/0xc0 + [ 92.660738] ? __bpf_prog_run_args32+0x8b/0xb0 + [ 92.661528] ? __bpf_prog_run_args64+0xc0/0xc0 + [ 92.662378] ? print_usage_bug+0x50/0x50 + [ 92.663221] ? print_usage_bug+0x50/0x50 + [ 92.664077] ? bpf_ksym_find+0x9c/0xe0 + [ 92.664887] ? ktime_get+0x117/0x130 + [ 92.665624] ? kernel_text_address+0xf5/0x100 + [ 92.666529] ? __kernel_text_address+0xe/0x30 + [ 92.667725] ? unwind_get_return_address+0x2f/0x50 + [ 92.668854] ? ___bpf_prog_run+0x15d4/0x2e20 + [ 92.670185] ? ktime_get+0x117/0x130 + [ 92.671130] ? __bpf_prog_run_args64+0xc0/0xc0 + [ 92.672020] ? __bpf_prog_run_args32+0x8b/0xb0 + [ 92.672860] ? 
__bpf_prog_run_args64+0xc0/0xc0 + [ 92.675159] ? ktime_get+0x117/0x130 + [ 92.677074] ? lock_is_held_type+0xd5/0x130 + [ 92.678662] ? ___bpf_prog_run+0x15d4/0x2e20 + [ 92.680046] ? ktime_get+0x117/0x130 + [ 92.681285] ? __bpf_prog_run32+0x6b/0x90 + [ 92.682601] ? __bpf_prog_run64+0x90/0x90 + [ 92.683636] ? lock_downgrade+0x370/0x370 + [ 92.684647] ? mark_held_locks+0x44/0x90 + [ 92.685652] ? ktime_get+0x117/0x130 + [ 92.686752] ? lockdep_hardirqs_on+0x79/0x100 + [ 92.688004] ? ktime_get+0x117/0x130 + [ 92.688573] ? __cant_migrate+0x2b/0x80 + [ 92.689192] ? bpf_test_run+0x2f4/0x510 + [ 92.689869] ? bpf_test_timer_continue+0x1c0/0x1c0 + [ 92.690856] ? rcu_read_lock_bh_held+0x90/0x90 + [ 92.691506] ? __kasan_slab_alloc+0x61/0x80 + [ 92.692128] ? eth_type_trans+0x128/0x240 + [ 92.692737] ? __build_skb+0x46/0x50 + [ 92.693252] ? bpf_prog_test_run_skb+0x65e/0xc50 + [ 92.693954] ? bpf_prog_test_run_raw_tp+0x2d0/0x2d0 + [ 92.694639] ? __fget_light+0xa1/0x100 + [ 92.695162] ? bpf_prog_inc+0x23/0x30 + [ 92.695685] ? __sys_bpf+0xb40/0x2c80 + [ 92.696324] ? bpf_link_get_from_fd+0x90/0x90 + [ 92.697150] ? mark_held_locks+0x24/0x90 + [ 92.698007] ? lockdep_hardirqs_on_prepare+0x124/0x220 + [ 92.699045] ? finish_task_switch+0xe6/0x370 + [ 92.700072] ? lockdep_hardirqs_on+0x79/0x100 + [ 92.701233] ? finish_task_switch+0x11d/0x370 + [ 92.702264] ? __switch_to+0x2c0/0x740 + [ 92.703148] ? mark_held_locks+0x24/0x90 + [ 92.704155] ? __x64_sys_bpf+0x45/0x50 + [ 92.705146] ? do_syscall_64+0x35/0x80 + [ 92.706953] ? entry_SYSCALL_64_after_hwframe+0x44/0xae + [...] + +Turns out that the program rejection from e411901c0b77 ("bpf: allow for tailcalls +in BPF subprograms for x64 JIT") is buggy since env->prog->aux->tail_call_reachable +is never true. Commit ebf7d1f508a7 ("bpf, x64: rework pro/epilogue and tailcall +handling in JIT") added a tracker into check_max_stack_depth() which propagates +the tail_call_reachable condition throughout the subprograms. 
This info is then +assigned to the subprogram's func[i]->aux->tail_call_reachable. However, in the +case of the rejection check upon JIT failure, env->prog->aux->tail_call_reachable +is used. func[0]->aux->tail_call_reachable which represents the main program's +information did not propagate this to the outer env->prog->aux, though. Add this +propagation into check_max_stack_depth() where it needs to belong so that the +check can be done reliably. + +Fixes: ebf7d1f508a7 ("bpf, x64: rework pro/epilogue and tailcall handling in JIT") +Fixes: e411901c0b77 ("bpf: allow for tailcalls in BPF subprograms for x64 JIT") +Co-developed-by: John Fastabend +Signed-off-by: Daniel Borkmann +Signed-off-by: John Fastabend +Signed-off-by: Alexei Starovoitov +Acked-by: Maciej Fijalkowski +Link: https://lore.kernel.org/bpf/618c34e3163ad1a36b1e82377576a6081e182f25.1626123173.git.daniel@iogearbox.net +Signed-off-by: Sasha Levin +--- + kernel/bpf/verifier.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index 1f8bf2b39d50..36bc34fce623 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -3356,6 +3356,8 @@ continue_func: + if (tail_call_reachable) + for (j = 0; j < frame; j++) + subprog[ret_prog[j]].tail_call_reachable = true; ++ if (subprog[0].tail_call_reachable) ++ env->prog->aux->tail_call_reachable = true; + + /* end of for() loop means the last insn of the 'subprog' + * was reached. Doesn't matter whether it was JA or EXIT +-- +2.30.2 + diff --git a/queue-5.10/bpf-sockmap-fix-potential-memory-leak-on-unlikely-er.patch b/queue-5.10/bpf-sockmap-fix-potential-memory-leak-on-unlikely-er.patch new file mode 100644 index 00000000000..c4d00d6ffac --- /dev/null +++ b/queue-5.10/bpf-sockmap-fix-potential-memory-leak-on-unlikely-er.patch 
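Review bot: The added "if (subprog[0].tail_call_reachable)" in check_max_stack_depth() carries no comment, and nothing at that spot says why the main program's flag has to be mirrored into env->prog->aux. Add a short comment stating that the rejection check after a JIT failure reads env->prog->aux->tail_call_reachable rather than func[0]->aux, which is the reason the commit message gives. The assignment also sits on the continue_func path, so it is re-evaluated each time the end of a subprogram is reached; performing the copy once where the function returns would state the intent more directly.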
@@ -0,0 +1,80 @@ +From 9ce3f2a13b8b718679be23835c6886d995a7ca8e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jul 2021 12:55:45 -0700 +Subject: bpf, sockmap: Fix potential memory leak on unlikely error case + +From: John Fastabend + +[ Upstream commit 7e6b27a69167f97c56b5437871d29e9722c3e470 ] + +If skb_linearize is needed and fails we could leak a msg on the error +handling. To fix ensure we kfree the msg block before returning error. +Found during code review. + +Fixes: 4363023d2668e ("bpf, sockmap: Avoid failures from skb_to_sgvec when skb has frag_list") +Signed-off-by: John Fastabend +Signed-off-by: Daniel Borkmann +Reviewed-by: Cong Wang +Link: https://lore.kernel.org/bpf/20210712195546.423990-2-john.fastabend@gmail.com +Signed-off-by: Sasha Levin +--- + net/core/skmsg.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +diff --git a/net/core/skmsg.c b/net/core/skmsg.c +index 923a1d0f84ca..c4c224a5b9de 100644 +--- a/net/core/skmsg.c ++++ b/net/core/skmsg.c +@@ -433,10 +433,8 @@ static int sk_psock_skb_ingress_enqueue(struct sk_buff *skb, + if (skb_linearize(skb)) + return -EAGAIN; + num_sge = skb_to_sgvec(skb, msg->sg.data, 0, skb->len); +- if (unlikely(num_sge < 0)) { +- kfree(msg); ++ if (unlikely(num_sge < 0)) + return num_sge; +- } + + copied = skb->len; + msg->sg.start = 0; +@@ -455,6 +453,7 @@ static int sk_psock_skb_ingress(struct sk_psock *psock, struct sk_buff *skb) + { + struct sock *sk = psock->sk; + struct sk_msg *msg; ++ int err; + + /* If we are receiving on the same sock skb->sk is already assigned, + * skip memory accounting and owner transition seeing it already set +@@ -473,7 +472,10 @@ static int sk_psock_skb_ingress(struct sk_psock *psock, struct sk_buff *skb) + * into user buffers. 
+ */ + skb_set_owner_r(skb, sk); +- return sk_psock_skb_ingress_enqueue(skb, psock, sk, msg); ++ err = sk_psock_skb_ingress_enqueue(skb, psock, sk, msg); ++ if (err < 0) ++ kfree(msg); ++ return err; + } + + /* Puts an skb on the ingress queue of the socket already assigned to the +@@ -484,12 +486,16 @@ static int sk_psock_skb_ingress_self(struct sk_psock *psock, struct sk_buff *skb + { + struct sk_msg *msg = kzalloc(sizeof(*msg), __GFP_NOWARN | GFP_ATOMIC); + struct sock *sk = psock->sk; ++ int err; + + if (unlikely(!msg)) + return -EAGAIN; + sk_msg_init(msg); + skb_set_owner_r(skb, sk); +- return sk_psock_skb_ingress_enqueue(skb, psock, sk, msg); ++ err = sk_psock_skb_ingress_enqueue(skb, psock, sk, msg); ++ if (err < 0) ++ kfree(msg); ++ return err; + } + + static int sk_psock_handle_skb(struct sk_psock *psock, struct sk_buff *skb, +-- +2.30.2 + diff --git a/queue-5.10/bpf-sockmap-tcp-sk_prot-needs-inuse_idx-set-for-proc.patch b/queue-5.10/bpf-sockmap-tcp-sk_prot-needs-inuse_idx-set-for-proc.patch new file mode 100644 index 00000000000..a0ac64b3696 --- /dev/null +++ b/queue-5.10/bpf-sockmap-tcp-sk_prot-needs-inuse_idx-set-for-proc.patch 
@@ -0,0 +1,47 @@ +From 704377a489c7551e030fa50a562218b6a7c70c20 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jul 2021 12:55:46 -0700 +Subject: bpf, sockmap, tcp: sk_prot needs inuse_idx set for proc stats + +From: John Fastabend + +[ Upstream commit 228a4a7ba8e99bb9ef980b62f71e3be33f4aae69 ] + +The proc socket stats use sk_prot->inuse_idx value to record inuse sock +stats. We currently do not set this correctly from sockmap side. The +result is reading sock stats '/proc/net/sockstat' gives incorrect values. +The socket counter is incremented correctly, but because we don't set the +counter correctly when we replace sk_prot we may omit the decrement. + +To get the correct inuse_idx value move the core_initcall that initializes +the TCP proto handlers to late_initcall. This way it is initialized after +TCP has the chance to assign the inuse_idx value from the register protocol +handler. + +Fixes: 604326b41a6fb ("bpf, sockmap: convert to generic sk_msg interface") +Suggested-by: Jakub Sitnicki +Signed-off-by: John Fastabend +Signed-off-by: Daniel Borkmann +Reviewed-by: Cong Wang +Link: https://lore.kernel.org/bpf/20210712195546.423990-3-john.fastabend@gmail.com +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_bpf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c +index bc7d2a586e18..f91ae827d47f 100644 +--- a/net/ipv4/tcp_bpf.c ++++ b/net/ipv4/tcp_bpf.c +@@ -588,7 +588,7 @@ static int __init tcp_bpf_v4_build_proto(void) + tcp_bpf_rebuild_protos(tcp_bpf_prots[TCP_BPF_IPV4], &tcp_prot); + return 0; + } +-core_initcall(tcp_bpf_v4_build_proto); ++late_initcall(tcp_bpf_v4_build_proto); + + static int tcp_bpf_assert_proto_ops(struct proto *ops) + { +-- +2.30.2 + diff --git a/queue-5.10/bpf-sockmap-udp-sk_prot-needs-inuse_idx-set-for-proc.patch b/queue-5.10/bpf-sockmap-udp-sk_prot-needs-inuse_idx-set-for-proc.patch new file mode 100644 index 00000000000..092f4fc46de --- /dev/null 
+++ b/queue-5.10/bpf-sockmap-udp-sk_prot-needs-inuse_idx-set-for-proc.patch @@ -0,0 +1,47 @@ +From fe74851f0f83c3da13483edfea12266d9503358d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jul 2021 17:47:50 +0200 +Subject: bpf, sockmap, udp: sk_prot needs inuse_idx set for proc stats + +From: Jakub Sitnicki + +[ Upstream commit 54ea2f49fd9400dd698c25450be3352b5613b3b4 ] + +The proc socket stats use sk_prot->inuse_idx value to record inuse sock +stats. We currently do not set this correctly from sockmap side. The +result is reading sock stats '/proc/net/sockstat' gives incorrect values. +The socket counter is incremented correctly, but because we don't set the +counter correctly when we replace sk_prot we may omit the decrement. + +To get the correct inuse_idx value move the core_initcall that initializes +the UDP proto handlers to late_initcall. This way it is initialized after +UDP has the chance to assign the inuse_idx value from the register protocol +handler. + +Fixes: edc6741cc660 ("bpf: Add sockmap hooks for UDP sockets") +Signed-off-by: Jakub Sitnicki +Signed-off-by: Daniel Borkmann +Reviewed-by: Cong Wang +Acked-by: John Fastabend +Link: https://lore.kernel.org/bpf/20210714154750.528206-1-jakub@cloudflare.com +Signed-off-by: Sasha Levin +--- + net/ipv4/udp_bpf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv4/udp_bpf.c b/net/ipv4/udp_bpf.c +index 7a94791efc1a..69c9663f9ee7 100644 +--- a/net/ipv4/udp_bpf.c ++++ b/net/ipv4/udp_bpf.c +@@ -39,7 +39,7 @@ static int __init udp_bpf_v4_build_proto(void) + udp_bpf_rebuild_protos(&udp_bpf_prots[UDP_BPF_IPV4], &udp_prot); + return 0; + } +-core_initcall(udp_bpf_v4_build_proto); ++late_initcall(udp_bpf_v4_build_proto); + + struct proto *udp_bpf_get_proto(struct sock *sk, struct sk_psock *psock) + { +-- +2.30.2 + 
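Review bot: in the kernel/bpf/verifier.c hunk, the two added lines that copy subprog[0].tail_call_reachable into env->prog->aux->tail_call_reachable carry no comment, and they directly follow an unbraced if/for pair, so the nesting is easy to misread. The reason for the copy (the rejection check on JIT failure reads env->prog->aux, not func[0]->aux) exists only in the commit message. A one-line comment above the new if, plus braces on the preceding if (tail_call_reachable) block, would make both the intent and the scope explicit.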
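Review bot: in the net/core/skmsg.c hunks, responsibility for freeing msg on failure moves from sk_psock_skb_ingress_enqueue() to its callers, but nothing in the code documents that contract. After this change the enqueue helper returns on both the skb_linearize() and the skb_to_sgvec() failure without touching msg, and sk_psock_skb_ingress() and sk_psock_skb_ingress_self() each repeat the same err < 0 / kfree(msg) / return err sequence. A comment above sk_psock_skb_ingress_enqueue() saying that the caller still owns msg on a negative return would keep a later caller from reintroducing the leak, and the duplicated three lines could live in one small wrapper.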
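Review bot: in the net/ipv4/tcp_bpf.c hunk, the switch from core_initcall to late_initcall for tcp_bpf_v4_build_proto encodes an ordering dependency that is explained only in the commit message. The rebuilt protos copy from tcp_prot, and per the description inuse_idx is only valid once TCP has registered its protocol handler. Without a comment next to the late_initcall() line, a later initcall cleanup could move it back and silently bring back the wrong /proc/net/sockstat counts. Please add a short comment stating that this must run after TCP protocol registration.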
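Review bot: in the net/ipv4/udp_bpf.c hunk, udp_bpf_v4_build_proto() still copies from udp_prot unconditionally, and nothing verifies that the protocol has been registered by the time it runs. The fix relies entirely on late_initcall happening to run after the register protocol handler assigns inuse_idx. If the proto structure offers a way to tell that registration has happened, a sanity check with a warning before the udp_bpf_rebuild_protos() call would turn a future ordering regression into a visible boot message instead of a quiet accounting error.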
diff --git a/queue-5.10/bpf-test-fix-null-pointer-dereference-on-invalid-exp.patch b/queue-5.10/bpf-test-fix-null-pointer-dereference-on-invalid-exp.patch new file mode 100644 index 00000000000..0c8fee25b36 --- /dev/null +++ b/queue-5.10/bpf-test-fix-null-pointer-dereference-on-invalid-exp.patch 
@@ -0,0 +1,110 @@ +From 9e721886d108fc99e886e1bce4039e629f745b32 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Jul 2021 16:04:09 +0800 +Subject: bpf, test: fix NULL pointer dereference on invalid + expected_attach_type + +From: Xuan Zhuo + +[ Upstream commit 5e21bb4e812566aef86fbb77c96a4ec0782286e4 ] + +These two types of XDP progs (BPF_XDP_DEVMAP, BPF_XDP_CPUMAP) will not be +executed directly in the driver, therefore we should also not directly +run them from here. To run in these two situations, there must be further +preparations done, otherwise these may cause a kernel panic. + +For more details, see also dev_xdp_attach(). + + [ 46.982479] BUG: kernel NULL pointer dereference, address: 0000000000000000 + [ 46.984295] #PF: supervisor read access in kernel mode + [ 46.985777] #PF: error_code(0x0000) - not-present page + [ 46.987227] PGD 800000010dca4067 P4D 800000010dca4067 PUD 10dca6067 PMD 0 + [ 46.989201] Oops: 0000 [#1] SMP PTI + [ 46.990304] CPU: 7 PID: 562 Comm: a.out Not tainted 5.13.0+ #44 + [ 46.992001] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/24 + [ 46.995113] RIP: 0010:___bpf_prog_run+0x17b/0x1710 + [ 46.996586] Code: 49 03 14 cc e8 76 f6 fe ff e9 ad fe ff ff 0f b6 43 01 48 0f bf 4b 02 48 83 c3 08 89 c2 83 e0 0f c0 ea 04 02 + [ 47.001562] RSP: 0018:ffffc900005afc58 EFLAGS: 00010246 + [ 47.003115] RAX: 0000000000000000 RBX: ffffc9000023f068 RCX: 0000000000000000 + [ 47.005163] RDX: 0000000000000000 RSI: 0000000000000079 RDI: ffffc900005afc98 + [ 47.007135] RBP: 0000000000000000 R08: ffffc9000023f048 R09: c0000000ffffdfff + [ 47.009171] R10: 0000000000000001 R11: ffffc900005afb40 R12: ffffc900005afc98 + [ 47.011172] R13: 0000000000000001 R14: 0000000000000001 R15: ffffffff825258a8 + [ 47.013244] FS: 00007f04a5207580(0000) GS:ffff88842fdc0000(0000) knlGS:0000000000000000 + [ 47.015705] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [ 47.017475] CR2: 0000000000000000 
CR3: 0000000100182005 CR4: 0000000000770ee0 + [ 47.019558] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + [ 47.021595] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + [ 47.023574] PKRU: 55555554 + [ 47.024571] Call Trace: + [ 47.025424] __bpf_prog_run32+0x32/0x50 + [ 47.026296] ? printk+0x53/0x6a + [ 47.027066] ? ktime_get+0x39/0x90 + [ 47.027895] bpf_test_run.cold.28+0x23/0x123 + [ 47.028866] ? printk+0x53/0x6a + [ 47.029630] bpf_prog_test_run_xdp+0x149/0x1d0 + [ 47.030649] __sys_bpf+0x1305/0x23d0 + [ 47.031482] __x64_sys_bpf+0x17/0x20 + [ 47.032316] do_syscall_64+0x3a/0x80 + [ 47.033165] entry_SYSCALL_64_after_hwframe+0x44/0xae + [ 47.034254] RIP: 0033:0x7f04a51364dd + [ 47.035133] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 48 + [ 47.038768] RSP: 002b:00007fff8f9fc518 EFLAGS: 00000213 ORIG_RAX: 0000000000000141 + [ 47.040344] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f04a51364dd + [ 47.041749] RDX: 0000000000000048 RSI: 0000000020002a80 RDI: 000000000000000a + [ 47.043171] RBP: 00007fff8f9fc530 R08: 0000000002049300 R09: 0000000020000100 + [ 47.044626] R10: 0000000000000004 R11: 0000000000000213 R12: 0000000000401070 + [ 47.046088] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 + [ 47.047579] Modules linked in: + [ 47.048318] CR2: 0000000000000000 + [ 47.049120] ---[ end trace 7ad34443d5be719a ]--- + [ 47.050273] RIP: 0010:___bpf_prog_run+0x17b/0x1710 + [ 47.051343] Code: 49 03 14 cc e8 76 f6 fe ff e9 ad fe ff ff 0f b6 43 01 48 0f bf 4b 02 48 83 c3 08 89 c2 83 e0 0f c0 ea 04 02 + [ 47.054943] RSP: 0018:ffffc900005afc58 EFLAGS: 00010246 + [ 47.056068] RAX: 0000000000000000 RBX: ffffc9000023f068 RCX: 0000000000000000 + [ 47.057522] RDX: 0000000000000000 RSI: 0000000000000079 RDI: ffffc900005afc98 + [ 47.058961] RBP: 0000000000000000 R08: ffffc9000023f048 R09: c0000000ffffdfff + [ 47.060390] R10: 0000000000000001 R11: 
ffffc900005afb40 R12: ffffc900005afc98 + [ 47.061803] R13: 0000000000000001 R14: 0000000000000001 R15: ffffffff825258a8 + [ 47.063249] FS: 00007f04a5207580(0000) GS:ffff88842fdc0000(0000) knlGS:0000000000000000 + [ 47.065070] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [ 47.066307] CR2: 0000000000000000 CR3: 0000000100182005 CR4: 0000000000770ee0 + [ 47.067747] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + [ 47.069217] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + [ 47.070652] PKRU: 55555554 + [ 47.071318] Kernel panic - not syncing: Fatal exception + [ 47.072854] Kernel Offset: disabled + [ 47.073683] ---[ end Kernel panic - not syncing: Fatal exception ]--- + +Fixes: 9216477449f3 ("bpf: cpumap: Add the possibility to attach an eBPF program to cpumap") +Fixes: fbee97feed9b ("bpf: Add support to attach bpf program to a devmap entry") +Reported-by: Abaci +Signed-off-by: Xuan Zhuo +Signed-off-by: Daniel Borkmann +Reviewed-by: Dust Li +Acked-by: Jesper Dangaard Brouer +Acked-by: David Ahern +Acked-by: Song Liu +Link: https://lore.kernel.org/bpf/20210708080409.73525-1-xuanzhuo@linux.alibaba.com +Signed-off-by: Sasha Levin +--- + net/bpf/test_run.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c +index 8b796c499cbb..e7cbd1b4a5e5 100644 +--- a/net/bpf/test_run.c ++++ b/net/bpf/test_run.c +@@ -627,6 +627,9 @@ int bpf_prog_test_run_xdp(struct bpf_prog *prog, const union bpf_attr *kattr, + void *data; + int ret; + ++ if (prog->expected_attach_type == BPF_XDP_DEVMAP || ++ prog->expected_attach_type == BPF_XDP_CPUMAP) ++ return -EINVAL; + if (kattr->test.ctx_in || kattr->test.ctx_out) + return -EINVAL; + +-- +2.30.2 + diff --git a/queue-5.10/bpftool-check-malloc-return-value-in-mount_bpffs_for.patch b/queue-5.10/bpftool-check-malloc-return-value-in-mount_bpffs_for.patch new file mode 100644 index 00000000000..99c838c8987 --- /dev/null 
+++ b/queue-5.10/bpftool-check-malloc-return-value-in-mount_bpffs_for.patch @@ -0,0 +1,41 @@ +From c4d78021a2e213bcb36d1a921d9459f2e187011b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jul 2021 13:06:09 +0200 +Subject: bpftool: Check malloc return value in mount_bpffs_for_pin + +From: Tobias Klauser + +[ Upstream commit d444b06e40855219ef38b5e9286db16d435f06dc ] + +Fix and add a missing NULL check for the prior malloc() call. + +Fixes: 49a086c201a9 ("bpftool: implement prog load command") +Signed-off-by: Tobias Klauser +Signed-off-by: Daniel Borkmann +Reviewed-by: Quentin Monnet +Acked-by: Roman Gushchin +Link: https://lore.kernel.org/bpf/20210715110609.29364-1-tklauser@distanz.ch +Signed-off-by: Sasha Levin +--- + tools/bpf/bpftool/common.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/tools/bpf/bpftool/common.c b/tools/bpf/bpftool/common.c +index 65303664417e..6ebf2b215ef4 100644 +--- a/tools/bpf/bpftool/common.c ++++ b/tools/bpf/bpftool/common.c +@@ -221,6 +221,11 @@ int mount_bpffs_for_pin(const char *name) + int err = 0; + + file = malloc(strlen(name) + 1); ++ if (!file) { ++ p_err("mem alloc failed"); ++ return -1; ++ } ++ + strcpy(file, name); + dir = dirname(file); + +-- +2.30.2 + diff --git a/queue-5.10/ceph-don-t-warn-if-we-re-still-opening-a-session-to-.patch b/queue-5.10/ceph-don-t-warn-if-we-re-still-opening-a-session-to-.patch new file mode 100644 index 00000000000..669476e0151 --- /dev/null +++ b/queue-5.10/ceph-don-t-warn-if-we-re-still-opening-a-session-to-.patch 
@@ -0,0 +1,42 @@ +From 840e342de501c74d101e70b90ea6e30167c935d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jul 2021 14:40:39 +0100 +Subject: ceph: don't WARN if we're still opening a session to an MDS + +From: Luis Henriques + +[ Upstream commit cdb330f4b41ab55feb35487729e883c9e08b8a54 ] + +If MDSs aren't available while mounting a filesystem, the session state +will transition from SESSION_OPENING to SESSION_CLOSING. And in that +scenario check_session_state() will be called from delayed_work() and +trigger this WARN. + +Avoid this by only WARNing after a session has already been established +(i.e., the s_ttl will be different from 0). + +Fixes: 62575e270f66 ("ceph: check session state after bumping session->s_seq") +Signed-off-by: Luis Henriques +Reviewed-by: Jeff Layton +Signed-off-by: Ilya Dryomov +Signed-off-by: Sasha Levin +--- + fs/ceph/mds_client.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c +index d560752b764d..6b00f1d7c8e7 100644 +--- a/fs/ceph/mds_client.c ++++ b/fs/ceph/mds_client.c +@@ -4401,7 +4401,7 @@ bool check_session_state(struct ceph_mds_session *s) + break; + case CEPH_MDS_SESSION_CLOSING: + /* Should never reach this when we're unmounting */ +- WARN_ON_ONCE(true); ++ WARN_ON_ONCE(s->s_ttl); + fallthrough; + case CEPH_MDS_SESSION_NEW: + case CEPH_MDS_SESSION_RESTARTING: +-- +2.30.2 + diff --git a/queue-5.10/cifs-fix-fallocate-when-trying-to-allocate-a-hole.patch b/queue-5.10/cifs-fix-fallocate-when-trying-to-allocate-a-hole.patch new file mode 100644 index 00000000000..739d4b2d0d9 --- /dev/null +++ b/queue-5.10/cifs-fix-fallocate-when-trying-to-allocate-a-hole.patch 
@@ -0,0 +1,68 @@ +From 6eff6d0b7dc974383b974002273a6e709c684673 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Jul 2021 11:21:24 +1000 +Subject: cifs: fix fallocate when trying to allocate a hole. + +From: Ronnie Sahlberg + +[ Upstream commit 488968a8945c119859d91bb6a8dc13bf50002f15 ] + +Remove the conditional checking for out_data_len and skipping the fallocate +if it is 0. This is wrong will actually change any legitimate the fallocate +where the entire region is unallocated into a no-op. + +Additionally, before allocating the range, if FALLOC_FL_KEEP_SIZE is set then +we need to clamp the length of the fallocate region as to not extend the size of the file. + +Fixes: 966a3cb7c7db ("cifs: improve fallocate emulation") +Signed-off-by: Ronnie Sahlberg +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/smb2ops.c | 23 ++++++++++++++++++----- + 1 file changed, 18 insertions(+), 5 deletions(-) + +diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c +index 442bf422aa01..b0b06eb86edf 100644 +--- a/fs/cifs/smb2ops.c ++++ b/fs/cifs/smb2ops.c +@@ -3516,11 +3516,6 @@ static int smb3_simple_fallocate_range(unsigned int xid, + (char **)&out_data, &out_data_len); + if (rc) + goto out; +- /* +- * It is already all allocated +- */ +- if (out_data_len == 0) +- goto out; + + buf = kzalloc(1024 * 1024, GFP_KERNEL); + if (buf == NULL) { +@@ -3643,6 +3638,24 @@ static long smb3_simple_falloc(struct file *file, struct cifs_tcon *tcon, + goto out; + } + ++ if (keep_size == true) { ++ /* ++ * We can not preallocate pages beyond the end of the file ++ * in SMB2 ++ */ ++ if (off >= i_size_read(inode)) { ++ rc = 0; ++ goto out; ++ } ++ /* ++ * For fallocates that are partially beyond the end of file, ++ * clamp len so we only fallocate up to the end of file. 
++ */ ++ if (off + len > i_size_read(inode)) { ++ len = i_size_read(inode) - off; ++ } ++ } ++ + if ((keep_size == true) || (i_size_read(inode) >= off + len)) { + /* + * At this point, we are trying to fallocate an internal +-- +2.30.2 + diff --git a/queue-5.10/cifs-only-write-64kb-at-a-time-when-fallocating-a-sm.patch b/queue-5.10/cifs-only-write-64kb-at-a-time-when-fallocating-a-sm.patch new file mode 100644 index 00000000000..d315756aab5 --- /dev/null +++ b/queue-5.10/cifs-only-write-64kb-at-a-time-when-fallocating-a-sm.patch 
@@ -0,0 +1,71 @@ +From 5342cd08a77be40b6b55479e518f5726d0e7b7f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Jul 2021 14:53:32 +1000 +Subject: cifs: only write 64kb at a time when fallocating a small region of a + file + +From: Ronnie Sahlberg + +[ Upstream commit 2485bd7557a7edb4520b4072af464f0a08c8efe0 ] + +We only allow sending single credit writes through the SMB2_write() synchronous +api so split this into smaller chunks. + +Fixes: 966a3cb7c7db ("cifs: improve fallocate emulation") + +Signed-off-by: Ronnie Sahlberg +Reported-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/smb2ops.c | 26 +++++++++++++++++++------- + 1 file changed, 19 insertions(+), 7 deletions(-) + +diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c +index f6ceb79a995d..442bf422aa01 100644 +--- a/fs/cifs/smb2ops.c ++++ b/fs/cifs/smb2ops.c +@@ -3466,7 +3466,7 @@ static int smb3_simple_fallocate_write_range(unsigned int xid, + char *buf) + { + struct cifs_io_parms io_parms = {0}; +- int nbytes; ++ int rc, nbytes; + struct kvec iov[2]; + + io_parms.netfid = cfile->fid.netfid; +@@ -3474,13 +3474,25 @@ static int smb3_simple_fallocate_write_range(unsigned int xid, + io_parms.tcon = tcon; + io_parms.persistent_fid = cfile->fid.persistent_fid; + io_parms.volatile_fid = cfile->fid.volatile_fid; +- io_parms.offset = off; +- io_parms.length = len; + +- /* iov[0] is reserved for smb header */ +- iov[1].iov_base = buf; +- iov[1].iov_len = io_parms.length; +- return SMB2_write(xid, &io_parms, &nbytes, iov, 1); ++ while (len) { ++ io_parms.offset = off; ++ io_parms.length = len; ++ if (io_parms.length > SMB2_MAX_BUFFER_SIZE) ++ io_parms.length = SMB2_MAX_BUFFER_SIZE; ++ /* iov[0] is reserved for smb header */ ++ iov[1].iov_base = buf; ++ iov[1].iov_len = io_parms.length; ++ rc = SMB2_write(xid, &io_parms, &nbytes, iov, 1); ++ if (rc) ++ break; ++ if (nbytes > len) ++ return -EINVAL; ++ buf += nbytes; ++ off += nbytes; ++ len -= nbytes; ++ } ++ return rc; 
+ } + + static int smb3_simple_fallocate_range(unsigned int xid, +-- +2.30.2 + diff --git a/queue-5.10/cxgb4-fix-irq-free-race-during-driver-unload.patch b/queue-5.10/cxgb4-fix-irq-free-race-during-driver-unload.patch new file mode 100644 index 00000000000..d73cb3c45e8 --- /dev/null +++ b/queue-5.10/cxgb4-fix-irq-free-race-during-driver-unload.patch 
@@ -0,0 +1,89 @@ +From 4731270754e95823e9e5b85f9b5fd7e23b67fd1e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Jul 2021 21:51:56 +0530 +Subject: cxgb4: fix IRQ free race during driver unload + +From: Shahjada Abul Husain + +[ Upstream commit 015fe6fd29c4b9ac0f61b8c4455ef88e6018b9cc ] + +IRQs are requested during driver's ndo_open() and then later +freed up in disable_interrupts() during driver unload. +A race exists where driver can set the CXGB4_FULL_INIT_DONE +flag in ndo_open() after the disable_interrupts() in driver +unload path checks it, and hence misses calling free_irq(). + +Fix by unregistering netdevice first and sync with driver's +ndo_open(). This ensures disable_interrupts() checks the flag +correctly and frees up the IRQs properly. + +Fixes: b37987e8db5f ("cxgb4: Disable interrupts and napi before unregistering netdev") +Signed-off-by: Shahjada Abul Husain +Signed-off-by: Raju Rangoju +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../net/ethernet/chelsio/cxgb4/cxgb4_main.c | 18 ++++++++++-------- + drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c | 3 +++ + 2 files changed, 13 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c +index 8be525c5e2e4..6698afad4379 100644 +--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c +@@ -2643,6 +2643,9 @@ static void detach_ulds(struct adapter *adap) + { + unsigned int i; + ++ if (!is_uld(adap)) ++ return; ++ + mutex_lock(&uld_mutex); + list_del(&adap->list_node); + +@@ -7145,10 +7148,13 @@ static void remove_one(struct pci_dev *pdev) + */ + destroy_workqueue(adapter->workq); + +- if (is_uld(adapter)) { +- detach_ulds(adapter); +- t4_uld_clean_up(adapter); +- } ++ detach_ulds(adapter); ++ ++ for_each_port(adapter, i) ++ if (adapter->port[i]->reg_state == NETREG_REGISTERED) ++ unregister_netdev(adapter->port[i]); ++ ++ 
t4_uld_clean_up(adapter); + + adap_free_hma_mem(adapter); + +@@ -7156,10 +7162,6 @@ static void remove_one(struct pci_dev *pdev) + + cxgb4_free_mps_ref_entries(adapter); + +- for_each_port(adapter, i) +- if (adapter->port[i]->reg_state == NETREG_REGISTERED) +- unregister_netdev(adapter->port[i]); +- + debugfs_remove_recursive(adapter->debugfs_root); + + if (!is_t4(adapter->params.chip)) +diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c +index 743af9e654aa..17faac715882 100644 +--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c +@@ -581,6 +581,9 @@ void t4_uld_clean_up(struct adapter *adap) + { + unsigned int i; + ++ if (!is_uld(adap)) ++ return; ++ + mutex_lock(&uld_mutex); + for (i = 0; i < CXGB4_ULD_MAX; i++) { + if (!adap->uld[i].handle) +-- +2.30.2 + diff --git a/queue-5.10/dma-mapping-handle-vmalloc-addresses-in-dma_common_-.patch b/queue-5.10/dma-mapping-handle-vmalloc-addresses-in-dma_common_-.patch new file mode 100644 index 00000000000..c5a447d4ee8 --- /dev/null +++ b/queue-5.10/dma-mapping-handle-vmalloc-addresses-in-dma_common_-.patch 
@@ -0,0 +1,71 @@ +From 47ac4c72edabcc99b36989ab6011e960ecc9e53f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jul 2021 11:39:34 +0300 +Subject: dma-mapping: handle vmalloc addresses in + dma_common_{mmap,get_sgtable} + +From: Roman Skakun + +[ Upstream commit 40ac971eab89330d6153e7721e88acd2d98833f9 ] + +xen-swiotlb can use vmalloc backed addresses for dma coherent allocations +and uses the common helpers. Properly handle them to unbreak Xen on +ARM platforms. + +Fixes: 1b65c4e5a9af ("swiotlb-xen: use xen_alloc/free_coherent_pages") +Signed-off-by: Roman Skakun +Reviewed-by: Andrii Anisov +[hch: split the patch, renamed the helpers] +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + kernel/dma/ops_helpers.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/kernel/dma/ops_helpers.c b/kernel/dma/ops_helpers.c +index 910ae69cae77..af4a6ef48ce0 100644 +--- a/kernel/dma/ops_helpers.c ++++ b/kernel/dma/ops_helpers.c +@@ -5,6 +5,13 @@ + */ + #include + ++static struct page *dma_common_vaddr_to_page(void *cpu_addr) ++{ ++ if (is_vmalloc_addr(cpu_addr)) ++ return vmalloc_to_page(cpu_addr); ++ return virt_to_page(cpu_addr); ++} ++ + /* + * Create scatter-list for the already allocated DMA buffer. 
+ */ +@@ -12,7 +19,7 @@ int dma_common_get_sgtable(struct device *dev, struct sg_table *sgt, + void *cpu_addr, dma_addr_t dma_addr, size_t size, + unsigned long attrs) + { +- struct page *page = virt_to_page(cpu_addr); ++ struct page *page = dma_common_vaddr_to_page(cpu_addr); + int ret; + + ret = sg_alloc_table(sgt, 1, GFP_KERNEL); +@@ -32,6 +39,7 @@ int dma_common_mmap(struct device *dev, struct vm_area_struct *vma, + unsigned long user_count = vma_pages(vma); + unsigned long count = PAGE_ALIGN(size) >> PAGE_SHIFT; + unsigned long off = vma->vm_pgoff; ++ struct page *page = dma_common_vaddr_to_page(cpu_addr); + int ret = -ENXIO; + + vma->vm_page_prot = dma_pgprot(dev, vma->vm_page_prot, attrs); +@@ -43,7 +51,7 @@ int dma_common_mmap(struct device *dev, struct vm_area_struct *vma, + return -ENXIO; + + return remap_pfn_range(vma, vma->vm_start, +- page_to_pfn(virt_to_page(cpu_addr)) + vma->vm_pgoff, ++ page_to_pfn(page) + vma->vm_pgoff, + user_count << PAGE_SHIFT, vma->vm_page_prot); + #else + return -ENXIO; +-- +2.30.2 + diff --git a/queue-5.10/drm-panel-raspberrypi-touchscreen-prevent-double-fre.patch b/queue-5.10/drm-panel-raspberrypi-touchscreen-prevent-double-fre.patch new file mode 100644 index 00000000000..ffee03bec19 --- /dev/null +++ b/queue-5.10/drm-panel-raspberrypi-touchscreen-prevent-double-fre.patch 
@@ -0,0 +1,36 @@ +From 60a67fd4305eeb9c3ab9a58949a0151126d1e275 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jul 2021 15:45:23 +0200 +Subject: drm/panel: raspberrypi-touchscreen: Prevent double-free + +From: Maxime Ripard + +[ Upstream commit 7bbcb919e32d776ca8ddce08abb391ab92eef6a9 ] + +The mipi_dsi_device allocated by mipi_dsi_device_register_full() is +already free'd on release. + +Fixes: 2f733d6194bd ("drm/panel: Add support for the Raspberry Pi 7" Touchscreen.") +Signed-off-by: Maxime Ripard +Reviewed-by: Sam Ravnborg +Link: https://patchwork.freedesktop.org/patch/msgid/20210720134525.563936-9-maxime@cerno.tech +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panel/panel-raspberrypi-touchscreen.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/gpu/drm/panel/panel-raspberrypi-touchscreen.c b/drivers/gpu/drm/panel/panel-raspberrypi-touchscreen.c +index 5e9ccefb88f6..bbdd086be7f5 100644 +--- a/drivers/gpu/drm/panel/panel-raspberrypi-touchscreen.c ++++ b/drivers/gpu/drm/panel/panel-raspberrypi-touchscreen.c +@@ -447,7 +447,6 @@ static int rpi_touchscreen_remove(struct i2c_client *i2c) + drm_panel_remove(&ts->base); + + mipi_dsi_device_unregister(ts->dsi); +- kfree(ts->dsi); + + return 0; + } +-- +2.30.2 + diff --git a/queue-5.10/e1000e-fix-an-error-handling-path-in-e1000_probe.patch b/queue-5.10/e1000e-fix-an-error-handling-path-in-e1000_probe.patch new file mode 100644 index 00000000000..07f3e5aa00d --- /dev/null +++ b/queue-5.10/e1000e-fix-an-error-handling-path-in-e1000_probe.patch 
@@ -0,0 +1,38 @@ +From d656d53d12b89e886f7e0f791730861fd8621a69 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jun 2021 07:05:53 +0200 +Subject: e1000e: Fix an error handling path in 'e1000_probe()' + +From: Christophe JAILLET + +[ Upstream commit 4589075608420bc49fcef6e98279324bf2bb91ae ] + +If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it +must be undone by a corresponding 'pci_disable_pcie_error_reporting()' +call, as already done in the remove function. + +Fixes: 111b9dc5c981 ("e1000e: add aer support") +Signed-off-by: Christophe JAILLET +Acked-by: Sasha Neftin +Tested-by: Dvora Fuxbrumer +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/e1000e/netdev.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/intel/e1000e/netdev.c b/drivers/net/ethernet/intel/e1000e/netdev.c +index b3ad95ac3d85..361b8d0bd78d 100644 +--- a/drivers/net/ethernet/intel/e1000e/netdev.c ++++ b/drivers/net/ethernet/intel/e1000e/netdev.c +@@ -7657,6 +7657,7 @@ err_flashmap: + err_ioremap: + free_netdev(netdev); + err_alloc_etherdev: ++ pci_disable_pcie_error_reporting(pdev); + pci_release_mem_regions(pdev); + err_pci_reg: + err_dma: +-- +2.30.2 + diff --git a/queue-5.10/efi-tpm-differentiate-missing-and-invalid-final-even.patch b/queue-5.10/efi-tpm-differentiate-missing-and-invalid-final-even.patch new file mode 100644 index 00000000000..9ac42638dc8 --- /dev/null +++ b/queue-5.10/efi-tpm-differentiate-missing-and-invalid-final-even.patch 
@@ -0,0 +1,45 @@ +From d639bbdeebbc783c88043129488967fb3c3d5b05 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Jul 2021 11:46:54 +0200 +Subject: efi/tpm: Differentiate missing and invalid final event log table. + +From: Michal Suchanek + +[ Upstream commit 674a9f1f6815849bfb5bf385e7da8fc198aaaba9 ] + +Missing TPM final event log table is not a firmware bug. + +Clearly if providing event log in the old format makes the final event +log invalid it should not be provided at least in that case. + +Fixes: b4f1874c6216 ("tpm: check event log version before reading final events") +Signed-off-by: Michal Suchanek +Reviewed-by: Jarkko Sakkinen +Signed-off-by: Ard Biesheuvel +Signed-off-by: Sasha Levin +--- + drivers/firmware/efi/tpm.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/firmware/efi/tpm.c b/drivers/firmware/efi/tpm.c +index c1955d320fec..8f665678e9e3 100644 +--- a/drivers/firmware/efi/tpm.c ++++ b/drivers/firmware/efi/tpm.c +@@ -62,9 +62,11 @@ int __init efi_tpm_eventlog_init(void) + tbl_size = sizeof(*log_tbl) + log_tbl->size; + memblock_reserve(efi.tpm_log, tbl_size); + +- if (efi.tpm_final_log == EFI_INVALID_TABLE_ADDR || +- log_tbl->version != EFI_TCG2_EVENT_LOG_FORMAT_TCG_2) { +- pr_warn(FW_BUG "TPM Final Events table missing or invalid\n"); ++ if (efi.tpm_final_log == EFI_INVALID_TABLE_ADDR) { ++ pr_info("TPM Final Events table not present\n"); ++ goto out; ++ } else if (log_tbl->version != EFI_TCG2_EVENT_LOG_FORMAT_TCG_2) { ++ pr_warn(FW_BUG "TPM Final Events table invalid\n"); + goto out; + } + +-- +2.30.2 + diff --git a/queue-5.10/fm10k-fix-an-error-handling-path-in-fm10k_probe.patch b/queue-5.10/fm10k-fix-an-error-handling-path-in-fm10k_probe.patch new file mode 100644 index 00000000000..d3c707ea114 --- /dev/null +++ b/queue-5.10/fm10k-fix-an-error-handling-path-in-fm10k_probe.patch 
@@ -0,0 +1,36 @@ +From d06387922a4fa641ab4ece2604e04efe38de862a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jun 2021 07:00:36 +0200 +Subject: fm10k: Fix an error handling path in 'fm10k_probe()' + +From: Christophe JAILLET + +[ Upstream commit e85e14d68f517ef12a5fb8123fff65526b35b6cd ] + +If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it +must be undone by a corresponding 'pci_disable_pcie_error_reporting()' +call, as already done in the remove function. + +Fixes: 19ae1b3fb99c ("fm10k: Add support for PCI power management and error handling") +Signed-off-by: Christophe JAILLET +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/fm10k/fm10k_pci.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/intel/fm10k/fm10k_pci.c b/drivers/net/ethernet/intel/fm10k/fm10k_pci.c +index 9e3103fae723..caedf24c24c1 100644 +--- a/drivers/net/ethernet/intel/fm10k/fm10k_pci.c ++++ b/drivers/net/ethernet/intel/fm10k/fm10k_pci.c +@@ -2227,6 +2227,7 @@ err_sw_init: + err_ioremap: + free_netdev(netdev); + err_alloc_netdev: ++ pci_disable_pcie_error_reporting(pdev); + pci_release_mem_regions(pdev); + err_pci_reg: + err_dma: +-- +2.30.2 + diff --git a/queue-5.10/gve-fix-an-error-handling-path-in-gve_probe.patch b/queue-5.10/gve-fix-an-error-handling-path-in-gve_probe.patch new file mode 100644 index 00000000000..a6a314ad045 --- /dev/null +++ b/queue-5.10/gve-fix-an-error-handling-path-in-gve_probe.patch 
@@ -0,0 +1,50 @@ +From bb3f912cce5172fa6dfb76cc555e6fe457d4ff54 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Jul 2021 22:18:24 +0200 +Subject: gve: Fix an error handling path in 'gve_probe()' + +From: Christophe JAILLET + +[ Upstream commit 2342ae10d1272d411a468a85a67647dd115b344f ] + +If the 'register_netdev() call fails, we must release the resources +allocated by the previous 'gve_init_priv()' call, as already done in the +remove function. + +Add a new label and the missing 'gve_teardown_priv_resources()' in the +error handling path. + +Fixes: 893ce44df565 ("gve: Add basic driver framework for Compute Engine Virtual NIC") +Signed-off-by: Christophe JAILLET +Reviewed-by: Catherine Sullivan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/google/gve/gve_main.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/google/gve/gve_main.c b/drivers/net/ethernet/google/gve/gve_main.c +index 3a74e4645ce6..0b714b606ba1 100644 +--- a/drivers/net/ethernet/google/gve/gve_main.c ++++ b/drivers/net/ethernet/google/gve/gve_main.c +@@ -1340,13 +1340,16 @@ static int gve_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + + err = register_netdev(dev); + if (err) +- goto abort_with_wq; ++ goto abort_with_gve_init; + + dev_info(&pdev->dev, "GVE version %s\n", gve_version_str); + gve_clear_probe_in_progress(priv); + queue_work(priv->gve_wq, &priv->service_task); + return 0; + ++abort_with_gve_init: ++ gve_teardown_priv_resources(priv); ++ + abort_with_wq: + destroy_workqueue(priv->gve_wq); + +-- +2.30.2 + diff --git a/queue-5.10/iavf-fix-an-error-handling-path-in-iavf_probe.patch b/queue-5.10/iavf-fix-an-error-handling-path-in-iavf_probe.patch new file mode 100644 index 00000000000..491ca7de91b --- /dev/null +++ b/queue-5.10/iavf-fix-an-error-handling-path-in-iavf_probe.patch 
@@ -0,0 +1,36 @@ +From 145b31bf5b7ff75a3ed5a8927ce4e6da6da95502 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jun 2021 07:53:02 +0200 +Subject: iavf: Fix an error handling path in 'iavf_probe()' + +From: Christophe JAILLET + +[ Upstream commit af30cbd2f4d6d66a9b6094e0aa32420bc8b20e08 ] + +If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it +must be undone by a corresponding 'pci_disable_pcie_error_reporting()' +call, as already done in the remove function. + +Fixes: 5eae00c57f5e ("i40evf: main driver core") +Signed-off-by: Christophe JAILLET +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c +index ebd08543791b..f3caf5eab8d4 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_main.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c +@@ -3759,6 +3759,7 @@ static int iavf_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + err_ioremap: + free_netdev(netdev); + err_alloc_etherdev: ++ pci_disable_pcie_error_reporting(pdev); + pci_release_regions(pdev); + err_pci_reg: + err_dma: +-- +2.30.2 + diff --git a/queue-5.10/igb-check-if-num-of-q_vectors-is-smaller-than-max-be.patch b/queue-5.10/igb-check-if-num-of-q_vectors-is-smaller-than-max-be.patch new file mode 100644 index 00000000000..7437c9a9b98 --- /dev/null +++ b/queue-5.10/igb-check-if-num-of-q_vectors-is-smaller-than-max-be.patch 
@@ -0,0 +1,59 @@ +From 108ef6af91fc3f1a7f31e054ecaf2f85c28ee9e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Apr 2021 10:19:23 +0000 +Subject: igb: Check if num of q_vectors is smaller than max before array + access + +From: Aleksandr Loktionov + +[ Upstream commit 6c19d772618fea40d9681f259368f284a330fd90 ] + +Ensure that the adapter->q_vector[MAX_Q_VECTORS] array isn't accessed +beyond its size. It was fixed by using a local variable num_q_vectors +as a limit for loop index, and ensure that num_q_vectors is not bigger +than MAX_Q_VECTORS. + +Fixes: 047e0030f1e6 ("igb: add new data structure for handling interrupts and NAPI") +Signed-off-by: Aleksandr Loktionov +Reviewed-by: Grzegorz Siwik +Reviewed-by: Arkadiusz Kubalewski +Reviewed-by: Slawomir Laba +Reviewed-by: Sylwester Dziedziuch +Reviewed-by: Mateusz Palczewski +Tested-by: Tony Brelinski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/igb_main.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index 43f2096a0669..c083e5e4e8e6 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -931,6 +931,7 @@ static void igb_configure_msix(struct igb_adapter *adapter) + **/ + static int igb_request_msix(struct igb_adapter *adapter) + { ++ unsigned int num_q_vectors = adapter->num_q_vectors; + struct net_device *netdev = adapter->netdev; + int i, err = 0, vector = 0, free_vector = 0; + +@@ -939,7 +940,13 @@ static int igb_request_msix(struct igb_adapter *adapter) + if (err) + goto err_out; + +- for (i = 0; i < adapter->num_q_vectors; i++) { ++ if (num_q_vectors > MAX_Q_VECTORS) { ++ num_q_vectors = MAX_Q_VECTORS; ++ dev_warn(&adapter->pdev->dev, ++ "The number of queue vectors (%d) is higher than max allowed (%d)\n", ++ adapter->num_q_vectors, MAX_Q_VECTORS); ++ } ++ for (i = 0; i < 
num_q_vectors; i++) { + struct igb_q_vector *q_vector = adapter->q_vector[i]; + + vector++; +-- +2.30.2 + diff --git a/queue-5.10/igb-fix-an-error-handling-path-in-igb_probe.patch b/queue-5.10/igb-fix-an-error-handling-path-in-igb_probe.patch new file mode 100644 index 00000000000..0701295440e --- /dev/null +++ b/queue-5.10/igb-fix-an-error-handling-path-in-igb_probe.patch @@ -0,0 +1,37 @@ +From d81af865981ae01d03e2d11dcfa6f3f8b392ceb4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Jun 2021 22:08:33 +0200 +Subject: igb: Fix an error handling path in 'igb_probe()' + +From: Christophe JAILLET + +[ Upstream commit fea03b1cebd653cd095f2e9a58cfe1c85661c363 ] + +If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it +must be undone by a corresponding 'pci_disable_pcie_error_reporting()' +call, as already done in the remove function. + +Fixes: 40a914fa72ab ("igb: Add support for pci-e Advanced Error Reporting") +Signed-off-by: Christophe JAILLET +Tested-by: Tony Brelinski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/igb_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index b40654664025..43f2096a0669 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -3616,6 +3616,7 @@ err_sw_init: + err_ioremap: + free_netdev(netdev); + err_alloc_etherdev: ++ pci_disable_pcie_error_reporting(pdev); + pci_release_mem_regions(pdev); + err_pci_reg: + err_dma: +-- +2.30.2 + diff --git a/queue-5.10/igb-fix-position-of-assignment-to-ring.patch b/queue-5.10/igb-fix-position-of-assignment-to-ring.patch new file mode 100644 index 00000000000..185c00f08cb --- /dev/null +++ b/queue-5.10/igb-fix-position-of-assignment-to-ring.patch 
@@ -0,0 +1,46 @@ +From cf7f6314d59c74ce2b4f030479a09fe1fce358a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Jun 2021 22:42:17 +0000 +Subject: igb: Fix position of assignment to *ring + +From: Jedrzej Jagielski + +[ Upstream commit 382a7c20d9253bcd5715789b8179528d0f3de72c ] + +Assignment to *ring should be done after correctness check of the +argument queue. + +Fixes: 91db364236c8 ("igb: Refactor igb_configure_cbs()") +Signed-off-by: Jedrzej Jagielski +Acked-by: Vinicius Costa Gomes +Tested-by: Tony Brelinski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/igb_main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index c083e5e4e8e6..e24fb122c03a 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -1685,14 +1685,15 @@ static bool is_any_txtime_enabled(struct igb_adapter *adapter) + **/ + static void igb_config_tx_modes(struct igb_adapter *adapter, int queue) + { +- struct igb_ring *ring = adapter->tx_ring[queue]; + struct net_device *netdev = adapter->netdev; + struct e1000_hw *hw = &adapter->hw; ++ struct igb_ring *ring; + u32 tqavcc, tqavctrl; + u16 value; + + WARN_ON(hw->mac.type != e1000_i210); + WARN_ON(queue < 0 || queue > 1); ++ ring = adapter->tx_ring[queue]; + + /* If any of the Qav features is enabled, configure queues as SR and + * with HIGH PRIO. If none is, then configure them with LOW PRIO and +-- +2.30.2 + diff --git a/queue-5.10/igb-fix-use-after-free-error-during-reset.patch b/queue-5.10/igb-fix-use-after-free-error-during-reset.patch new file mode 100644 index 00000000000..6c79c61bd33 --- /dev/null +++ b/queue-5.10/igb-fix-use-after-free-error-during-reset.patch 
@@ -0,0 +1,45 @@ +From 341a46682aeaaae50776bfd2e8447e949a5997de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 May 2021 17:31:04 -0700 +Subject: igb: Fix use-after-free error during reset + +From: Vinicius Costa Gomes + +[ Upstream commit 7b292608db23ccbbfbfa50cdb155d01725d7a52e ] + +Cleans the next descriptor to watch (next_to_watch) when cleaning the +TX ring. + +Failure to do so can cause invalid memory accesses. If igb_poll() runs +while the controller is reset this can lead to the driver try to free +a skb that was already freed. + +(The crash is harder to reproduce with the igb driver, but the same +potential problem exists as the code is identical to igc) + +Fixes: 7cc6fd4c60f2 ("igb: Don't bother clearing Tx buffer_info in igb_clean_tx_ring") +Signed-off-by: Vinicius Costa Gomes +Reported-by: Erez Geva +Tested-by: Tony Brelinski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/igb_main.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index 4b9b5148c916..b40654664025 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -4836,6 +4836,8 @@ static void igb_clean_tx_ring(struct igb_ring *tx_ring) + DMA_TO_DEVICE); + } + ++ tx_buffer->next_to_watch = NULL; ++ + /* move us one more past the eop_desc for start of next pkt */ + tx_buffer++; + i++; +-- +2.30.2 + diff --git a/queue-5.10/igc-change-default-return-of-igc_read_phy_reg.patch b/queue-5.10/igc-change-default-return-of-igc_read_phy_reg.patch new file mode 100644 index 00000000000..784ea5bb2ec --- /dev/null +++ b/queue-5.10/igc-change-default-return-of-igc_read_phy_reg.patch 
@@ -0,0 +1,45 @@ +From 82a0f601a62562bd6c2650b79da5b5fcc6de7309 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 May 2021 12:50:19 -0700 +Subject: igc: change default return of igc_read_phy_reg() + +From: Tom Rix + +[ Upstream commit 05682a0a61b6cbecd97a0f37f743b2cbfd516977 ] + +Static analysis reports this problem + +igc_main.c:4944:20: warning: The left operand of '&' + is a garbage value + if (!(phy_data & SR_1000T_REMOTE_RX_STATUS) && + ~~~~~~~~ ^ + +phy_data is set by the call to igc_read_phy_reg() only if +there is a read_reg() op, else it is unset and a 0 is +returned. Change the return to -EOPNOTSUPP. + +Fixes: 208983f099d9 ("igc: Add watchdog") +Signed-off-by: Tom Rix +Tested-by: Dvora Fuxbrumer +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/igc/igc.h b/drivers/net/ethernet/intel/igc/igc.h +index 6dca67d9c25d..a97bf7a5f1d6 100644 +--- a/drivers/net/ethernet/intel/igc/igc.h ++++ b/drivers/net/ethernet/intel/igc/igc.h +@@ -532,7 +532,7 @@ static inline s32 igc_read_phy_reg(struct igc_hw *hw, u32 offset, u16 *data) + if (hw->phy.ops.read_reg) + return hw->phy.ops.read_reg(hw, offset, data); + +- return 0; ++ return -EOPNOTSUPP; + } + + void igc_reinit_locked(struct igc_adapter *); +-- +2.30.2 + diff --git a/queue-5.10/igc-fix-an-error-handling-path-in-igc_probe.patch b/queue-5.10/igc-fix-an-error-handling-path-in-igc_probe.patch new file mode 100644 index 00000000000..ff401d70e7e --- /dev/null +++ b/queue-5.10/igc-fix-an-error-handling-path-in-igc_probe.patch 
@@ -0,0 +1,38 @@ +From a9a21e55db0e1479e6bb816fbaabe5fea2662dca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Jun 2021 22:00:05 +0200 +Subject: igc: Fix an error handling path in 'igc_probe()' + +From: Christophe JAILLET + +[ Upstream commit c6bc9e5ce5d37cb3e6b552f41b92a193db1806ab ] + +If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it +must be undone by a corresponding 'pci_disable_pcie_error_reporting()' +call, as already done in the remove function. + +Fixes: c9a11c23ceb6 ("igc: Add netdev") +Signed-off-by: Christophe JAILLET +Tested-by: Dvora Fuxbrumer +Acked-by: Sasha Neftin +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c +index 4b58dd97a7c0..b9fe2785f573 100644 +--- a/drivers/net/ethernet/intel/igc/igc_main.c ++++ b/drivers/net/ethernet/intel/igc/igc_main.c +@@ -5223,6 +5223,7 @@ err_sw_init: + err_ioremap: + free_netdev(netdev); + err_alloc_etherdev: ++ pci_disable_pcie_error_reporting(pdev); + pci_release_mem_regions(pdev); + err_pci_reg: + err_dma: +-- +2.30.2 + diff --git a/queue-5.10/igc-fix-use-after-free-error-during-reset.patch b/queue-5.10/igc-fix-use-after-free-error-during-reset.patch new file mode 100644 index 00000000000..b7f62ea6816 --- /dev/null +++ b/queue-5.10/igc-fix-use-after-free-error-during-reset.patch 
@@ -0,0 +1,93 @@ +From 7954f08060d44c5294514f8137e01585f5826ee4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 May 2021 17:31:03 -0700 +Subject: igc: Fix use-after-free error during reset + +From: Vinicius Costa Gomes + +[ Upstream commit 56ea7ed103b46970e171eb1c95916f393d64eeff ] + +Cleans the next descriptor to watch (next_to_watch) when cleaning the +TX ring. + +Failure to do so can cause invalid memory accesses. If igc_poll() runs +while the controller is being reset this can lead to the driver try to +free a skb that was already freed. + +Log message: + + [ 101.525242] refcount_t: underflow; use-after-free. + [ 101.525251] WARNING: CPU: 1 PID: 646 at lib/refcount.c:28 refcount_warn_saturate+0xab/0xf0 + [ 101.525259] Modules linked in: sch_etf(E) sch_mqprio(E) rfkill(E) intel_rapl_msr(E) intel_rapl_common(E) + x86_pkg_temp_thermal(E) intel_powerclamp(E) coretemp(E) binfmt_misc(E) kvm_intel(E) kvm(E) irqbypass(E) crc32_pclmul(E) + ghash_clmulni_intel(E) aesni_intel(E) mei_wdt(E) libaes(E) crypto_simd(E) cryptd(E) glue_helper(E) snd_hda_codec_hdmi(E) + rapl(E) intel_cstate(E) snd_hda_intel(E) snd_intel_dspcfg(E) sg(E) soundwire_intel(E) intel_uncore(E) at24(E) + soundwire_generic_allocation(E) iTCO_wdt(E) soundwire_cadence(E) intel_pmc_bxt(E) serio_raw(E) snd_hda_codec(E) + iTCO_vendor_support(E) watchdog(E) snd_hda_core(E) snd_hwdep(E) snd_soc_core(E) snd_compress(E) snd_pcsp(E) + soundwire_bus(E) snd_pcm(E) evdev(E) snd_timer(E) mei_me(E) snd(E) soundcore(E) mei(E) configfs(E) ip_tables(E) x_tables(E) + autofs4(E) ext4(E) crc32c_generic(E) crc16(E) mbcache(E) jbd2(E) sd_mod(E) t10_pi(E) crc_t10dif(E) crct10dif_generic(E) + i915(E) ahci(E) libahci(E) ehci_pci(E) igb(E) xhci_pci(E) ehci_hcd(E) + [ 101.525303] drm_kms_helper(E) dca(E) xhci_hcd(E) libata(E) crct10dif_pclmul(E) cec(E) crct10dif_common(E) tsn(E) igc(E) + e1000e(E) ptp(E) i2c_i801(E) crc32c_intel(E) psmouse(E) i2c_algo_bit(E) i2c_smbus(E) scsi_mod(E) lpc_ich(E) pps_core(E) + usbcore(E) 
drm(E) button(E) video(E) + [ 101.525318] CPU: 1 PID: 646 Comm: irq/37-enp7s0-T Tainted: G E 5.10.30-rt37-tsn1-rt-ipipe #ipipe + [ 101.525320] Hardware name: SIEMENS AG SIMATIC IPC427D/A5E31233588, BIOS V17.02.09 03/31/2017 + [ 101.525322] RIP: 0010:refcount_warn_saturate+0xab/0xf0 + [ 101.525325] Code: 05 31 48 44 01 01 e8 f0 c6 42 00 0f 0b c3 80 3d 1f 48 44 01 00 75 90 48 c7 c7 78 a8 f3 a6 c6 05 0f 48 + 44 01 01 e8 d1 c6 42 00 <0f> 0b c3 80 3d fe 47 44 01 00 0f 85 6d ff ff ff 48 c7 c7 d0 a8 f3 + [ 101.525327] RSP: 0018:ffffbdedc0917cb8 EFLAGS: 00010286 + [ 101.525329] RAX: 0000000000000000 RBX: ffff98fd6becbf40 RCX: 0000000000000001 + [ 101.525330] RDX: 0000000000000001 RSI: ffffffffa6f2700c RDI: 00000000ffffffff + [ 101.525332] RBP: ffff98fd6becc14c R08: ffffffffa7463d00 R09: ffffbdedc0917c50 + [ 101.525333] R10: ffffffffa74c3578 R11: 0000000000000034 R12: 00000000ffffff00 + [ 101.525335] R13: ffff98fd6b0b1000 R14: 0000000000000039 R15: ffff98fd6be35c40 + [ 101.525337] FS: 0000000000000000(0000) GS:ffff98fd6e240000(0000) knlGS:0000000000000000 + [ 101.525339] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [ 101.525341] CR2: 00007f34135a3a70 CR3: 0000000150210003 CR4: 00000000001706e0 + [ 101.525343] Call Trace: + [ 101.525346] sock_wfree+0x9c/0xa0 + [ 101.525353] unix_destruct_scm+0x7b/0xa0 + [ 101.525358] skb_release_head_state+0x40/0x90 + [ 101.525362] skb_release_all+0xe/0x30 + [ 101.525364] napi_consume_skb+0x57/0x160 + [ 101.525367] igc_poll+0xb7/0xc80 [igc] + [ 101.525376] ? sched_clock+0x5/0x10 + [ 101.525381] ? sched_clock_cpu+0xe/0x100 + [ 101.525385] net_rx_action+0x14c/0x410 + [ 101.525388] __do_softirq+0xe9/0x2f4 + [ 101.525391] __local_bh_enable_ip+0xe3/0x110 + [ 101.525395] ? irq_finalize_oneshot.part.47+0xe0/0xe0 + [ 101.525398] irq_forced_thread_fn+0x6a/0x80 + [ 101.525401] irq_thread+0xe8/0x180 + [ 101.525403] ? wake_threads_waitq+0x30/0x30 + [ 101.525406] ? 
irq_thread_check_affinity+0xd0/0xd0 + [ 101.525408] kthread+0x183/0x1a0 + [ 101.525412] ? kthread_park+0x80/0x80 + [ 101.525415] ret_from_fork+0x22/0x30 + +Fixes: 13b5b7fd6a4a ("igc: Add support for Tx/Rx rings") +Reported-by: Erez Geva +Signed-off-by: Vinicius Costa Gomes +Tested-by: Dvora Fuxbrumer +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc_main.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c +index 7b822cdcc6c5..4b58dd97a7c0 100644 +--- a/drivers/net/ethernet/intel/igc/igc_main.c ++++ b/drivers/net/ethernet/intel/igc/igc_main.c +@@ -207,6 +207,8 @@ static void igc_clean_tx_ring(struct igc_ring *tx_ring) + DMA_TO_DEVICE); + } + ++ tx_buffer->next_to_watch = NULL; ++ + /* move us one more past the eop_desc for start of next pkt */ + tx_buffer++; + i++; +-- +2.30.2 + diff --git a/queue-5.10/ipv6-fix-another-slab-out-of-bounds-in-fib6_nh_flush.patch b/queue-5.10/ipv6-fix-another-slab-out-of-bounds-in-fib6_nh_flush.patch new file mode 100644 index 00000000000..2d16df19b22 --- /dev/null +++ b/queue-5.10/ipv6-fix-another-slab-out-of-bounds-in-fib6_nh_flush.patch 
@@ -0,0 +1,44 @@ +From eb56fadf97f8692999509ae248963f3c90167dac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jul 2021 15:08:40 +0200 +Subject: ipv6: fix another slab-out-of-bounds in fib6_nh_flush_exceptions + +From: Paolo Abeni + +[ Upstream commit 8fb4792f091e608a0a1d353dfdf07ef55a719db5 ] + +While running the self-tests on a KASAN enabled kernel, I observed a +slab-out-of-bounds splat very similar to the one reported in +commit 821bbf79fe46 ("ipv6: Fix KASAN: slab-out-of-bounds Read in + fib6_nh_flush_exceptions"). + +We additionally need to take care of fib6_metrics initialization +failure when the caller provides an nh. + +The fix is similar, explicitly free the route instead of calling +fib6_info_release on a half-initialized object. + +Fixes: f88d8ea67fbdb ("ipv6: Plumb support for nexthop object in a fib6_info") +Signed-off-by: Paolo Abeni +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/route.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv6/route.c b/net/ipv6/route.c +index ccff4738313c..62db3c98424b 100644 +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -3640,7 +3640,7 @@ static struct fib6_info *ip6_route_info_create(struct fib6_config *cfg, + err = PTR_ERR(rt->fib6_metrics); + /* Do not leave garbage there. */ + rt->fib6_metrics = (struct dst_metrics *)&dst_default_metrics; +- goto out; ++ goto out_free; + } + + if (cfg->fc_flags & RTF_ADDRCONF) +-- +2.30.2 + diff --git a/queue-5.10/ipv6-fix-disable_policy-for-fwd-packets.patch b/queue-5.10/ipv6-fix-disable_policy-for-fwd-packets.patch new file mode 100644 index 00000000000..9d577bb1e79 --- /dev/null +++ b/queue-5.10/ipv6-fix-disable_policy-for-fwd-packets.patch 
@@ -0,0 +1,51 @@ +From 4a2549be9fb22276cdd96de505a8e8c30d82a52e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Jul 2021 11:13:35 +0200 +Subject: ipv6: fix 'disable_policy' for fwd packets + +From: Nicolas Dichtel + +[ Upstream commit ccd27f05ae7b8ebc40af5b004e94517a919aa862 ] + +The goal of commit df789fe75206 ("ipv6: Provide ipv6 version of +"disable_policy" sysctl") was to have the disable_policy from ipv4 +available on ipv6. +However, it's not exactly the same mechanism. On IPv4, all packets coming +from an interface, which has disable_policy set, bypass the policy check. +For ipv6, this is done only for local packets, ie for packets destinated to +an address configured on the incoming interface. + +Let's align ipv6 with ipv4 so that the 'disable_policy' sysctl has the same +effect for both protocols. + +My first approach was to create a new kind of route cache entries, to be +able to set DST_NOPOLICY without modifying routes. This would have added a +lot of code. Because the local delivery path is already handled, I choose +to focus on the forwarding path to minimize code churn. + +Fixes: df789fe75206 ("ipv6: Provide ipv6 version of "disable_policy" sysctl") +Signed-off-by: Nicolas Dichtel +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/ip6_output.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c +index e889655ca0e2..341d0c7acc8b 100644 +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -478,7 +478,9 @@ int ip6_forward(struct sk_buff *skb) + if (skb_warn_if_lro(skb)) + goto drop; + +- if (!xfrm6_policy_check(NULL, XFRM_POLICY_FWD, skb)) { ++ if (!net->ipv6.devconf_all->disable_policy && ++ !idev->cnf.disable_policy && ++ !xfrm6_policy_check(NULL, XFRM_POLICY_FWD, skb)) { + __IP6_INC_STATS(net, idev, IPSTATS_MIB_INDISCARDS); + goto drop; + } +-- +2.30.2 + 
diff --git a/queue-5.10/ixgbe-fix-an-error-handling-path-in-ixgbe_probe.patch b/queue-5.10/ixgbe-fix-an-error-handling-path-in-ixgbe_probe.patch new file mode 100644 index 00000000000..94c9a0bf165 --- /dev/null +++ b/queue-5.10/ixgbe-fix-an-error-handling-path-in-ixgbe_probe.patch @@ -0,0 +1,37 @@ +From e49bf0ea5fae8bed804e19ff96bc6f69decd8000 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Jun 2021 15:46:09 +0200 +Subject: ixgbe: Fix an error handling path in 'ixgbe_probe()' + +From: Christophe JAILLET + +[ Upstream commit dd2aefcd5e37989ae5f90afdae44bbbf3a2990da ] + +If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it +must be undone by a corresponding 'pci_disable_pcie_error_reporting()' +call, as already done in the remove function. + +Fixes: 6fabd715e6d8 ("ixgbe: Implement PCIe AER support") +Signed-off-by: Christophe JAILLET +Tested-by: Tony Brelinski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c +index 1bfba87f1ff6..5c8f9ba43968 100644 +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c +@@ -11081,6 +11081,7 @@ err_ioremap: + disable_dev = !test_and_set_bit(__IXGBE_DISABLED, &adapter->state); + free_netdev(netdev); + err_alloc_etherdev: ++ pci_disable_pcie_error_reporting(pdev); + pci_release_mem_regions(pdev); + err_pci_reg: + err_dma: +-- +2.30.2 + diff --git a/queue-5.10/ixgbevf-use-xso.real_dev-instead-of-xso.dev-in-callb.patch b/queue-5.10/ixgbevf-use-xso.real_dev-instead-of-xso.dev-in-callb.patch new file mode 100644 index 00000000000..b0553e2594a --- /dev/null +++ b/queue-5.10/ixgbevf-use-xso.real_dev-instead-of-xso.dev-in-callb.patch 
@@ -0,0 +1,133 @@ +From 0720bb50079aadbedeb45eea98fc0aa378f5eb1f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Jul 2021 15:38:09 +0000 +Subject: ixgbevf: use xso.real_dev instead of xso.dev in callback functions of + struct xfrmdev_ops + +From: Taehee Yoo + +[ Upstream commit 2de7e4f67599affc97132bd07e30e3bd59d0b777 ] + +There are two pointers in struct xfrm_state_offload, *dev, *real_dev. +These are used in callback functions of struct xfrmdev_ops. +The *dev points whether bonding interface or real interface. +If bonding ipsec offload is used, it points bonding interface If not, +it points real interface. +And real_dev always points real interface. +So, ixgbevf should always use real_dev instead of dev. +Of course, real_dev always not be null. + +Test commands: + ip link add bond0 type bond + #eth0 is ixgbevf interface + ip link set eth0 master bond0 + ip link set bond0 up + ip x s add proto esp dst 14.1.1.1 src 15.1.1.1 spi 0x07 mode \ +transport reqid 0x07 replay-window 32 aead 'rfc4106(gcm(aes))' \ +0x44434241343332312423222114131211f4f3f2f1 128 sel src 14.0.0.52/24 \ +dst 14.0.0.70/24 proto tcp offload dev bond0 dir in + +Splat looks like: +KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] +CPU: 6 PID: 688 Comm: ip Not tainted 5.13.0-rc3+ #1168 +RIP: 0010:ixgbevf_ipsec_find_empty_idx+0x28/0x1b0 [ixgbevf] +Code: 00 00 0f 1f 44 00 00 55 53 48 89 fb 48 83 ec 08 40 84 f6 0f 84 9c +00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 +84 c0 74 08 3c 01 0f 8e 4c 01 00 00 66 81 3b 00 04 0f +RSP: 0018:ffff8880089af390 EFLAGS: 00010246 +RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000001 +RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000 +RBP: ffff8880089af4f8 R08: 0000000000000003 R09: fffffbfff4287e11 +R10: 0000000000000001 R11: ffff888005de8908 R12: 0000000000000000 +R13: ffff88810936a000 R14: ffff88810936a000 R15: ffff888004d78040 +FS: 00007fdf9883a680(0000) 
GS:ffff88811a400000(0000) +knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 000055bc14adbf40 CR3: 000000000b87c005 CR4: 00000000003706e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + ixgbevf_ipsec_add_sa+0x1bf/0x9c0 [ixgbevf] + ? rcu_read_lock_sched_held+0x91/0xc0 + ? ixgbevf_ipsec_parse_proto_keys.isra.9+0x280/0x280 [ixgbevf] + ? lock_acquire+0x191/0x720 + ? bond_ipsec_add_sa+0x48/0x350 [bonding] + ? lockdep_hardirqs_on_prepare+0x3e0/0x3e0 + ? rcu_read_lock_held+0x91/0xa0 + ? rcu_read_lock_sched_held+0xc0/0xc0 + bond_ipsec_add_sa+0x193/0x350 [bonding] + xfrm_dev_state_add+0x2a9/0x770 + ? memcpy+0x38/0x60 + xfrm_add_sa+0x2278/0x3b10 [xfrm_user] + ? xfrm_get_policy+0xaa0/0xaa0 [xfrm_user] + ? register_lock_class+0x1750/0x1750 + xfrm_user_rcv_msg+0x331/0x660 [xfrm_user] + ? rcu_read_lock_sched_held+0x91/0xc0 + ? xfrm_user_state_lookup.constprop.39+0x320/0x320 [xfrm_user] + ? find_held_lock+0x3a/0x1c0 + ? mutex_lock_io_nested+0x1210/0x1210 + ? sched_clock_cpu+0x18/0x170 + netlink_rcv_skb+0x121/0x350 +[ ... ] + +Fixes: 272c2330adc9 ("xfrm: bail early on slave pass over skb") +Signed-off-by: Taehee Yoo +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ixgbevf/ipsec.c | 20 +++++++++++++------- + 1 file changed, 13 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ixgbevf/ipsec.c b/drivers/net/ethernet/intel/ixgbevf/ipsec.c +index caaea2c920a6..e3e4676af9e4 100644 +--- a/drivers/net/ethernet/intel/ixgbevf/ipsec.c ++++ b/drivers/net/ethernet/intel/ixgbevf/ipsec.c +@@ -211,7 +211,7 @@ struct xfrm_state *ixgbevf_ipsec_find_rx_state(struct ixgbevf_ipsec *ipsec, + static int ixgbevf_ipsec_parse_proto_keys(struct xfrm_state *xs, + u32 *mykey, u32 *mysalt) + { +- struct net_device *dev = xs->xso.dev; ++ struct net_device *dev = xs->xso.real_dev; + unsigned char *key_data; + char *alg_name = NULL; + int key_len; +@@ -260,12 +260,15 @@ static int ixgbevf_ipsec_parse_proto_keys(struct xfrm_state *xs, + **/ + static int ixgbevf_ipsec_add_sa(struct xfrm_state *xs) + { +- struct net_device *dev = xs->xso.dev; +- struct ixgbevf_adapter *adapter = netdev_priv(dev); +- struct ixgbevf_ipsec *ipsec = adapter->ipsec; ++ struct net_device *dev = xs->xso.real_dev; ++ struct ixgbevf_adapter *adapter; ++ struct ixgbevf_ipsec *ipsec; + u16 sa_idx; + int ret; + ++ adapter = netdev_priv(dev); ++ ipsec = adapter->ipsec; ++ + if (xs->id.proto != IPPROTO_ESP && xs->id.proto != IPPROTO_AH) { + netdev_err(dev, "Unsupported protocol 0x%04x for IPsec offload\n", + xs->id.proto); +@@ -383,11 +386,14 @@ static int ixgbevf_ipsec_add_sa(struct xfrm_state *xs) + **/ + static void ixgbevf_ipsec_del_sa(struct xfrm_state *xs) + { +- struct net_device *dev = xs->xso.dev; +- struct ixgbevf_adapter *adapter = netdev_priv(dev); +- struct ixgbevf_ipsec *ipsec = adapter->ipsec; ++ struct net_device *dev = xs->xso.real_dev; ++ struct ixgbevf_adapter *adapter; ++ struct ixgbevf_ipsec *ipsec; + u16 sa_idx; + ++ adapter = netdev_priv(dev); ++ ipsec = adapter->ipsec; ++ + if (xs->xso.flags & XFRM_OFFLOAD_INBOUND) { + sa_idx = xs->xso.offload_handle - 
IXGBE_IPSEC_BASE_RX_INDEX; + +-- +2.30.2 + diff --git a/queue-5.10/kvm-ppc-book3s-fix-config_transactional_mem-n-crash.patch b/queue-5.10/kvm-ppc-book3s-fix-config_transactional_mem-n-crash.patch new file mode 100644 index 00000000000..cd04f30310e --- /dev/null +++ b/queue-5.10/kvm-ppc-book3s-fix-config_transactional_mem-n-crash.patch @@ -0,0 +1,44 @@ +From 92bd57d9c7417392b8407ea4f458f1c4f4ff1d4d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jul 2021 12:43:09 +1000 +Subject: KVM: PPC: Book3S: Fix CONFIG_TRANSACTIONAL_MEM=n crash + +From: Nicholas Piggin + +[ Upstream commit bd31ecf44b8e18ccb1e5f6b50f85de6922a60de3 ] + +When running CPU_FTR_P9_TM_HV_ASSIST, HFSCR[TM] is set for the guest +even if the host has CONFIG_TRANSACTIONAL_MEM=n, which causes it to be +unprepared to handle guest exits while transactional. + +Normal guests don't have a problem because the HTM capability will not +be advertised, but a rogue or buggy one could crash the host. + +Fixes: 4bb3c7a0208f ("KVM: PPC: Book3S HV: Work around transactional memory bugs in POWER9") +Reported-by: Alexey Kardashevskiy +Signed-off-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20210716024310.164448-1-npiggin@gmail.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kvm/book3s_hv.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/powerpc/kvm/book3s_hv.c b/arch/powerpc/kvm/book3s_hv.c +index 2325b7a6e95f..bd7350a608d4 100644 +--- a/arch/powerpc/kvm/book3s_hv.c ++++ b/arch/powerpc/kvm/book3s_hv.c +@@ -2366,8 +2366,10 @@ static int kvmppc_core_vcpu_create_hv(struct kvm_vcpu *vcpu) + HFSCR_DSCR | HFSCR_VECVSX | HFSCR_FP | HFSCR_PREFIX; + if (cpu_has_feature(CPU_FTR_HVMODE)) { + vcpu->arch.hfscr &= mfspr(SPRN_HFSCR); ++#ifdef CONFIG_PPC_TRANSACTIONAL_MEM + if (cpu_has_feature(CPU_FTR_P9_TM_HV_ASSIST)) + vcpu->arch.hfscr |= HFSCR_TM; ++#endif + } + if (cpu_has_feature(CPU_FTR_TM_COMP)) + vcpu->arch.hfscr |= HFSCR_TM; +-- +2.30.2 + 
diff --git a/queue-5.10/kvm-ppc-fix-kvm_arch_vcpu_ioctl-vcpu_load-leak.patch b/queue-5.10/kvm-ppc-fix-kvm_arch_vcpu_ioctl-vcpu_load-leak.patch new file mode 100644 index 00000000000..963d0275164 --- /dev/null +++ b/queue-5.10/kvm-ppc-fix-kvm_arch_vcpu_ioctl-vcpu_load-leak.patch @@ -0,0 +1,51 @@ +From e1992608f27133f6d4d1e1e1bd04c4f329006cc2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jul 2021 12:43:10 +1000 +Subject: KVM: PPC: Fix kvm_arch_vcpu_ioctl vcpu_load leak + +From: Nicholas Piggin + +[ Upstream commit bc4188a2f56e821ea057aca6bf444e138d06c252 ] + +vcpu_put is not called if the user copy fails. This can result in preempt +notifier corruption and crashes, among other issues. + +Fixes: b3cebfe8c1ca ("KVM: PPC: Move vcpu_load/vcpu_put down to each ioctl case in kvm_arch_vcpu_ioctl") +Reported-by: Alexey Kardashevskiy +Signed-off-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20210716024310.164448-2-npiggin@gmail.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kvm/powerpc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/powerpc/kvm/powerpc.c b/arch/powerpc/kvm/powerpc.c +index 32fa0fa3d4ff..543db9157f3b 100644 +--- a/arch/powerpc/kvm/powerpc.c ++++ b/arch/powerpc/kvm/powerpc.c +@@ -2041,9 +2041,9 @@ long kvm_arch_vcpu_ioctl(struct file *filp, + { + struct kvm_enable_cap cap; + r = -EFAULT; +- vcpu_load(vcpu); + if (copy_from_user(&cap, argp, sizeof(cap))) + goto out; ++ vcpu_load(vcpu); + r = kvm_vcpu_ioctl_enable_cap(vcpu, &cap); + vcpu_put(vcpu); + break; +@@ -2067,9 +2067,9 @@ long kvm_arch_vcpu_ioctl(struct file *filp, + case KVM_DIRTY_TLB: { + struct kvm_dirty_tlb dirty; + r = -EFAULT; +- vcpu_load(vcpu); + if (copy_from_user(&dirty, argp, sizeof(dirty))) + goto out; ++ vcpu_load(vcpu); + r = kvm_vcpu_ioctl_dirty_tlb(vcpu, &dirty); + vcpu_put(vcpu); + break; +-- +2.30.2 + 
diff --git a/queue-5.10/kvm-x86-pmu-clear-anythread-deprecated-bit-when-0xa-.patch b/queue-5.10/kvm-x86-pmu-clear-anythread-deprecated-bit-when-0xa-.patch new file mode 100644 index 00000000000..55acee0d238 --- /dev/null +++ b/queue-5.10/kvm-x86-pmu-clear-anythread-deprecated-bit-when-0xa-.patch @@ -0,0 +1,44 @@ +From 91349599f1b011f3f73b1fc1a8f71ee274142020 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Jun 2021 15:43:54 +0800 +Subject: KVM: x86/pmu: Clear anythread deprecated bit when 0xa leaf is + unsupported on the SVM + +From: Like Xu + +[ Upstream commit 7234c362ccb3c2228f06f19f93b132de9cfa7ae4 ] + +The AMD platform does not support the functions Ah CPUID leaf. The returned +results for this entry should all remain zero just like the native does: + +AMD host: + 0x0000000a 0x00: eax=0x00000000 ebx=0x00000000 ecx=0x00000000 edx=0x00000000 +(uncanny) AMD guest: + 0x0000000a 0x00: eax=0x00000000 ebx=0x00000000 ecx=0x00000000 edx=0x00008000 + +Fixes: cadbaa039b99 ("perf/x86/intel: Make anythread filter support conditional") +Signed-off-by: Like Xu +Message-Id: <20210628074354.33848-1-likexu@tencent.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/cpuid.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c +index 7a3fbf3b796e..41b0dc37720e 100644 +--- a/arch/x86/kvm/cpuid.c ++++ b/arch/x86/kvm/cpuid.c +@@ -684,7 +684,8 @@ static inline int __do_cpuid_func(struct kvm_cpuid_array *array, u32 function) + + edx.split.num_counters_fixed = min(cap.num_counters_fixed, MAX_FIXED_COUNTERS); + edx.split.bit_width_fixed = cap.bit_width_fixed; +- edx.split.anythread_deprecated = 1; ++ if (cap.version) ++ edx.split.anythread_deprecated = 1; + edx.split.reserved1 = 0; + edx.split.reserved2 = 0; + +-- +2.30.2 + 
diff --git a/queue-5.10/liquidio-fix-unintentional-sign-extension-issue-on-l.patch b/queue-5.10/liquidio-fix-unintentional-sign-extension-issue-on-l.patch new file mode 100644 index 00000000000..7da7a171684 --- /dev/null +++ b/queue-5.10/liquidio-fix-unintentional-sign-extension-issue-on-l.patch 
@@ -0,0 +1,43 @@ +From dbe34e28a4937f3e2d57c9cd53c1c6a2548249cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jul 2021 16:23:43 +0100 +Subject: liquidio: Fix unintentional sign extension issue on left shift of u16 + +From: Colin Ian King + +[ Upstream commit e7efc2ce3d0789cd7c21b70ff00cd7838d382639 ] + +Shifting the u16 integer oct->pcie_port by CN23XX_PKT_INPUT_CTL_MAC_NUM_POS +(29) bits will be promoted to a 32 bit signed int and then sign-extended +to a u64. In the cases where oct->pcie_port where bit 2 is set (e.g. 3..7) +the shifted value will be sign extended and the top 32 bits of the result +will be set. + +Fix this by casting the u16 values to a u64 before the 29 bit left shift. + +Addresses-Coverity: ("Unintended sign extension") + +Fixes: 3451b97cce2d ("liquidio: CN23XX register setup") +Signed-off-by: Colin Ian King +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cavium/liquidio/cn23xx_pf_device.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/cavium/liquidio/cn23xx_pf_device.c b/drivers/net/ethernet/cavium/liquidio/cn23xx_pf_device.c +index 4cddd628d41b..9ed3d1ab2ca5 100644 +--- a/drivers/net/ethernet/cavium/liquidio/cn23xx_pf_device.c ++++ b/drivers/net/ethernet/cavium/liquidio/cn23xx_pf_device.c +@@ -420,7 +420,7 @@ static int cn23xx_pf_setup_global_input_regs(struct octeon_device *oct) + * bits 32:47 indicate the PVF num. + */ + for (q_no = 0; q_no < ern; q_no++) { +- reg_val = oct->pcie_port << CN23XX_PKT_INPUT_CTL_MAC_NUM_POS; ++ reg_val = (u64)oct->pcie_port << CN23XX_PKT_INPUT_CTL_MAC_NUM_POS; + + /* for VF assigned queues. */ + if (q_no < oct->sriov_info.pf_srn) { +-- +2.30.2 + diff --git a/queue-5.10/mptcp-fix-warning-in-__skb_flow_dissect-when-do-syn-.patch b/queue-5.10/mptcp-fix-warning-in-__skb_flow_dissect-when-do-syn-.patch new file mode 100644 index 00000000000..e45987b402d --- /dev/null 
+++ b/queue-5.10/mptcp-fix-warning-in-__skb_flow_dissect-when-do-syn-.patch 
@@ -0,0 +1,124 @@ +From 5682efc6ea950922aba875ae1e80bf009884f07e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Jul 2021 17:20:46 -0700 +Subject: mptcp: fix warning in __skb_flow_dissect() when do syn cookie for + subflow join + +From: Jianguo Wu + +[ Upstream commit 0c71929b5893e410e0efbe1bbeca6f19a5f19956 ] + +I did stress test with wrk[1] and webfsd[2] with the assistance of +mptcp-tools[3]: + + Server side: + ./use_mptcp.sh webfsd -4 -R /tmp/ -p 8099 + Client side: + ./use_mptcp.sh wrk -c 200 -d 30 -t 4 http://192.168.174.129:8099/ + +and got the following warning message: + +[ 55.552626] TCP: request_sock_subflow: Possible SYN flooding on port 8099. Sending cookies. Check SNMP counters. +[ 55.553024] ------------[ cut here ]------------ +[ 55.553027] WARNING: CPU: 0 PID: 10 at net/core/flow_dissector.c:984 __skb_flow_dissect+0x280/0x1650 +... +[ 55.553117] CPU: 0 PID: 10 Comm: ksoftirqd/0 Not tainted 5.12.0+ #18 +[ 55.553121] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 02/27/2020 +[ 55.553124] RIP: 0010:__skb_flow_dissect+0x280/0x1650 +... +[ 55.553133] RSP: 0018:ffffb79580087770 EFLAGS: 00010246 +[ 55.553137] RAX: 0000000000000000 RBX: ffffffff8ddb58e0 RCX: ffffb79580087888 +[ 55.553139] RDX: ffffffff8ddb58e0 RSI: ffff8f7e4652b600 RDI: 0000000000000000 +[ 55.553141] RBP: ffffb79580087858 R08: 0000000000000000 R09: 0000000000000008 +[ 55.553143] R10: 000000008c622965 R11: 00000000d3313a5b R12: ffff8f7e4652b600 +[ 55.553146] R13: ffff8f7e465c9062 R14: 0000000000000000 R15: ffffb79580087888 +[ 55.553149] FS: 0000000000000000(0000) GS:ffff8f7f75e00000(0000) knlGS:0000000000000000 +[ 55.553152] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 55.553154] CR2: 00007f73d1d19000 CR3: 0000000135e10004 CR4: 00000000003706f0 +[ 55.553160] Call Trace: +[ 55.553166] ? __sha256_final+0x67/0xd0 +[ 55.553173] ? 
sha256+0x7e/0xa0 +[ 55.553177] __skb_get_hash+0x57/0x210 +[ 55.553182] subflow_init_req_cookie_join_save+0xac/0xc0 +[ 55.553189] subflow_check_req+0x474/0x550 +[ 55.553195] ? ip_route_output_key_hash+0x67/0x90 +[ 55.553200] ? xfrm_lookup_route+0x1d/0xa0 +[ 55.553207] subflow_v4_route_req+0x8e/0xd0 +[ 55.553212] tcp_conn_request+0x31e/0xab0 +[ 55.553218] ? selinux_socket_sock_rcv_skb+0x116/0x210 +[ 55.553224] ? tcp_rcv_state_process+0x179/0x6d0 +[ 55.553229] tcp_rcv_state_process+0x179/0x6d0 +[ 55.553235] tcp_v4_do_rcv+0xaf/0x220 +[ 55.553239] tcp_v4_rcv+0xce4/0xd80 +[ 55.553243] ? ip_route_input_rcu+0x246/0x260 +[ 55.553248] ip_protocol_deliver_rcu+0x35/0x1b0 +[ 55.553253] ip_local_deliver_finish+0x44/0x50 +[ 55.553258] ip_local_deliver+0x6c/0x110 +[ 55.553262] ? ip_rcv_finish_core.isra.19+0x5a/0x400 +[ 55.553267] ip_rcv+0xd1/0xe0 +... + +After debugging, I found in __skb_flow_dissect(), skb->dev and skb->sk +are both NULL, then net is NULL, and trigger WARN_ON_ONCE(!net), +actually net is always NULL in this code path, as skb->dev is set to +NULL in tcp_v4_rcv(), and skb->sk is never set. + +Code snippet in __skb_flow_dissect() that trigger warning: + 975 if (skb) { + 976 if (!net) { + 977 if (skb->dev) + 978 net = dev_net(skb->dev); + 979 else if (skb->sk) + 980 net = sock_net(skb->sk); + 981 } + 982 } + 983 + 984 WARN_ON_ONCE(!net); + +So, using seq and transport header derived hash. + +[1] https://github.com/wg/wrk +[2] https://github.com/ourway/webfsd +[3] https://github.com/pabeni/mptcp-tools + +Fixes: 9466a1ccebbe ("mptcp: enable JOIN requests even if cookies are in use") +Suggested-by: Paolo Abeni +Suggested-by: Florian Westphal +Signed-off-by: Jianguo Wu +Signed-off-by: Mat Martineau +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + net/mptcp/syncookies.c | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +diff --git a/net/mptcp/syncookies.c b/net/mptcp/syncookies.c +index abe0fd099746..37127781aee9 100644 +--- a/net/mptcp/syncookies.c ++++ b/net/mptcp/syncookies.c +@@ -37,7 +37,21 @@ static spinlock_t join_entry_locks[COOKIE_JOIN_SLOTS] __cacheline_aligned_in_smp + + static u32 mptcp_join_entry_hash(struct sk_buff *skb, struct net *net) + { +- u32 i = skb_get_hash(skb) ^ net_hash_mix(net); ++ static u32 mptcp_join_hash_secret __read_mostly; ++ struct tcphdr *th = tcp_hdr(skb); ++ u32 seq, i; ++ ++ net_get_random_once(&mptcp_join_hash_secret, ++ sizeof(mptcp_join_hash_secret)); ++ ++ if (th->syn) ++ seq = TCP_SKB_CB(skb)->seq; ++ else ++ seq = TCP_SKB_CB(skb)->seq - 1; ++ ++ i = jhash_3words(seq, net_hash_mix(net), ++ (__force __u32)th->source << 16 | (__force __u32)th->dest, ++ mptcp_join_hash_secret); + + return i % ARRAY_SIZE(join_entries); + } +-- +2.30.2 + diff --git a/queue-5.10/net-add-kcov-handle-to-skb-extensions.patch b/queue-5.10/net-add-kcov-handle-to-skb-extensions.patch new file mode 100644 index 00000000000..1792f554c4a --- /dev/null +++ b/queue-5.10/net-add-kcov-handle-to-skb-extensions.patch 
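Review bot: in `mptcp_join_entry_hash()` (net/mptcp/syncookies.c) the `th->syn` branch that picks `seq` or `seq - 1` has no comment, and the commit message says only "using seq and transport header derived hash". A line next to it explaining why the non-SYN case subtracts one (presumably so that the later packet lands in the same `join_entries` slot as the SYN that stored the entry) is needed. The second `jhash_3words()` argument built from the ports, `(__force __u32)th->source << 16 | (__force __u32)th->dest`, relies on `<<` binding tighter than `|`; parentheses around the shifted term would make that explicit. The new index is built from the sequence number, the ports, `net_hash_mix(net)` and the secret and does not include the addresses; the message should say that this is intended.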
@@ -0,0 +1,147 @@ +From ca2de4b28be01cf117e6790e7e87d739e79014b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Oct 2020 17:36:19 +0000 +Subject: net: add kcov handle to skb extensions + +From: Aleksandr Nogikh + +[ Upstream commit 6370cc3bbd8a0f9bf975b013781243ab147876c6 ] + +Remote KCOV coverage collection enables coverage-guided fuzzing of the +code that is not reachable during normal system call execution. It is +especially helpful for fuzzing networking subsystems, where it is +common to perform packet handling in separate work queues even for the +packets that originated directly from the user space. + +Enable coverage-guided frame injection by adding kcov remote handle to +skb extensions. Default initialization in __alloc_skb and +__build_skb_around ensures that no socket buffer that was generated +during a system call will be missed. + +Code that is of interest and that performs packet processing should be +annotated with kcov_remote_start()/kcov_remote_stop(). + +An alternative approach is to determine kcov_handle solely on the +basis of the device/interface that received the specific socket +buffer. However, in this case it would be impossible to distinguish +between packets that originated during normal background network +processes or were intentionally injected from the user space. 
+ +Signed-off-by: Aleksandr Nogikh +Acked-by: Willem de Bruijn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/linux/skbuff.h | 33 +++++++++++++++++++++++++++++++++ + lib/Kconfig.debug | 1 + + net/core/skbuff.c | 11 +++++++++++ + 3 files changed, 45 insertions(+) + +diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h +index a828cf99c521..2d01b2bbb746 100644 +--- a/include/linux/skbuff.h ++++ b/include/linux/skbuff.h +@@ -4150,6 +4150,9 @@ enum skb_ext_id { + #endif + #if IS_ENABLED(CONFIG_MPTCP) + SKB_EXT_MPTCP, ++#endif ++#if IS_ENABLED(CONFIG_KCOV) ++ SKB_EXT_KCOV_HANDLE, + #endif + SKB_EXT_NUM, /* must be last */ + }; +@@ -4605,5 +4608,35 @@ static inline void skb_reset_redirect(struct sk_buff *skb) + #endif + } + ++#ifdef CONFIG_KCOV ++static inline void skb_set_kcov_handle(struct sk_buff *skb, ++ const u64 kcov_handle) ++{ ++ /* Do not allocate skb extensions only to set kcov_handle to zero ++ * (as it is zero by default). However, if the extensions are ++ * already allocated, update kcov_handle anyway since ++ * skb_set_kcov_handle can be called to zero a previously set ++ * value. ++ */ ++ if (skb_has_extensions(skb) || kcov_handle) { ++ u64 *kcov_handle_ptr = skb_ext_add(skb, SKB_EXT_KCOV_HANDLE); ++ ++ if (kcov_handle_ptr) ++ *kcov_handle_ptr = kcov_handle; ++ } ++} ++ ++static inline u64 skb_get_kcov_handle(struct sk_buff *skb) ++{ ++ u64 *kcov_handle = skb_ext_find(skb, SKB_EXT_KCOV_HANDLE); ++ ++ return kcov_handle ? 
*kcov_handle : 0; ++} ++#else ++static inline void skb_set_kcov_handle(struct sk_buff *skb, ++ const u64 kcov_handle) { } ++static inline u64 skb_get_kcov_handle(struct sk_buff *skb) { return 0; } ++#endif /* CONFIG_KCOV */ ++ + #endif /* __KERNEL__ */ + #endif /* _LINUX_SKBUFF_H */ +diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug +index 5b7f88a2876d..ffccc13d685b 100644 +--- a/lib/Kconfig.debug ++++ b/lib/Kconfig.debug +@@ -1869,6 +1869,7 @@ config KCOV + depends on CC_HAS_SANCOV_TRACE_PC || GCC_PLUGINS + select DEBUG_FS + select GCC_PLUGIN_SANCOV if !CC_HAS_SANCOV_TRACE_PC ++ select SKB_EXTENSIONS + help + KCOV exposes kernel code coverage information in a form suitable + for coverage-guided fuzzing (randomized testing). +diff --git a/net/core/skbuff.c b/net/core/skbuff.c +index 1301ea694b94..d17b87aabc8b 100644 +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -249,6 +249,9 @@ struct sk_buff *__alloc_skb(unsigned int size, gfp_t gfp_mask, + + fclones->skb2.fclone = SKB_FCLONE_CLONE; + } ++ ++ skb_set_kcov_handle(skb, kcov_common_handle()); ++ + out: + return skb; + nodata: +@@ -282,6 +285,8 @@ static struct sk_buff *__build_skb_around(struct sk_buff *skb, + memset(shinfo, 0, offsetof(struct skb_shared_info, dataref)); + atomic_set(&shinfo->dataref, 1); + ++ skb_set_kcov_handle(skb, kcov_common_handle()); ++ + return skb; + } + +@@ -4248,6 +4253,9 @@ static const u8 skb_ext_type_len[] = { + #if IS_ENABLED(CONFIG_MPTCP) + [SKB_EXT_MPTCP] = SKB_EXT_CHUNKSIZEOF(struct mptcp_ext), + #endif ++#if IS_ENABLED(CONFIG_KCOV) ++ [SKB_EXT_KCOV_HANDLE] = SKB_EXT_CHUNKSIZEOF(u64), ++#endif + }; + + static __always_inline unsigned int skb_ext_total_length(void) +@@ -4264,6 +4272,9 @@ static __always_inline unsigned int skb_ext_total_length(void) + #endif + #if IS_ENABLED(CONFIG_MPTCP) + skb_ext_type_len[SKB_EXT_MPTCP] + ++#endif ++#if IS_ENABLED(CONFIG_KCOV) ++ skb_ext_type_len[SKB_EXT_KCOV_HANDLE] + + #endif + 0; + } +-- +2.30.2 + 
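Review bot: `skb_set_kcov_handle()` in include/linux/skbuff.h drops the handle silently when `skb_ext_add()` returns NULL, and since it is called from `__alloc_skb()` and `__build_skb_around()` that failure has no way to reach the caller. The existing comment covers the zero-handle case only; it should also state that losing the handle on allocation failure is acceptable for coverage collection. In lib/Kconfig.debug, `select SKB_EXTENSIONS` is unconditional inside `config KCOV`; if that symbol is only meaningful when networking is built, `select SKB_EXTENSIONS if NET` would be the tighter form and is worth checking against a KCOV build without networking.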
diff --git a/queue-5.10/net-decnet-fix-sleeping-inside-in-af_decnet.patch b/queue-5.10/net-decnet-fix-sleeping-inside-in-af_decnet.patch new file mode 100644 index 00000000000..31ba5ebaacd --- /dev/null +++ b/queue-5.10/net-decnet-fix-sleeping-inside-in-af_decnet.patch 
@@ -0,0 +1,126 @@ +From de1eefd3f388676cd205858f795303c611b3a5f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jul 2021 17:13:20 +0800 +Subject: net: decnet: Fix sleeping inside in af_decnet + +From: Yajun Deng + +[ Upstream commit 5f119ba1d5771bbf46d57cff7417dcd84d3084ba ] + +The release_sock() is blocking function, it would change the state +after sleeping. use wait_woken() instead. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Yajun Deng +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/decnet/af_decnet.c | 27 ++++++++++++--------------- + 1 file changed, 12 insertions(+), 15 deletions(-) + +diff --git a/net/decnet/af_decnet.c b/net/decnet/af_decnet.c +index 5dbd45dc35ad..dc92a67baea3 100644 +--- a/net/decnet/af_decnet.c ++++ b/net/decnet/af_decnet.c +@@ -816,7 +816,7 @@ static int dn_auto_bind(struct socket *sock) + static int dn_confirm_accept(struct sock *sk, long *timeo, gfp_t allocation) + { + struct dn_scp *scp = DN_SK(sk); +- DEFINE_WAIT(wait); ++ DEFINE_WAIT_FUNC(wait, woken_wake_function); + int err; + + if (scp->state != DN_CR) +@@ -826,11 +826,11 @@ static int dn_confirm_accept(struct sock *sk, long *timeo, gfp_t allocation) + scp->segsize_loc = dst_metric_advmss(__sk_dst_get(sk)); + dn_send_conn_conf(sk, allocation); + +- prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE); ++ add_wait_queue(sk_sleep(sk), &wait); + for(;;) { + release_sock(sk); + if (scp->state == DN_CC) +- *timeo = schedule_timeout(*timeo); ++ *timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, *timeo); + lock_sock(sk); + err = 0; + if (scp->state == DN_RUN) +@@ -844,9 +844,8 @@ static int dn_confirm_accept(struct sock *sk, long *timeo, gfp_t allocation) + err = -EAGAIN; + if (!*timeo) + break; +- prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE); + } +- finish_wait(sk_sleep(sk), &wait); ++ remove_wait_queue(sk_sleep(sk), &wait); + if (err == 0) { + sk->sk_socket->state = SS_CONNECTED; + } else if (scp->state != DN_CC) { +@@ 
-858,7 +857,7 @@ static int dn_confirm_accept(struct sock *sk, long *timeo, gfp_t allocation) + static int dn_wait_run(struct sock *sk, long *timeo) + { + struct dn_scp *scp = DN_SK(sk); +- DEFINE_WAIT(wait); ++ DEFINE_WAIT_FUNC(wait, woken_wake_function); + int err = 0; + + if (scp->state == DN_RUN) +@@ -867,11 +866,11 @@ static int dn_wait_run(struct sock *sk, long *timeo) + if (!*timeo) + return -EALREADY; + +- prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE); ++ add_wait_queue(sk_sleep(sk), &wait); + for(;;) { + release_sock(sk); + if (scp->state == DN_CI || scp->state == DN_CC) +- *timeo = schedule_timeout(*timeo); ++ *timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, *timeo); + lock_sock(sk); + err = 0; + if (scp->state == DN_RUN) +@@ -885,9 +884,8 @@ static int dn_wait_run(struct sock *sk, long *timeo) + err = -ETIMEDOUT; + if (!*timeo) + break; +- prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE); + } +- finish_wait(sk_sleep(sk), &wait); ++ remove_wait_queue(sk_sleep(sk), &wait); + out: + if (err == 0) { + sk->sk_socket->state = SS_CONNECTED; +@@ -1032,16 +1030,16 @@ static void dn_user_copy(struct sk_buff *skb, struct optdata_dn *opt) + + static struct sk_buff *dn_wait_for_connect(struct sock *sk, long *timeo) + { +- DEFINE_WAIT(wait); ++ DEFINE_WAIT_FUNC(wait, woken_wake_function); + struct sk_buff *skb = NULL; + int err = 0; + +- prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE); ++ add_wait_queue(sk_sleep(sk), &wait); + for(;;) { + release_sock(sk); + skb = skb_dequeue(&sk->sk_receive_queue); + if (skb == NULL) { +- *timeo = schedule_timeout(*timeo); ++ *timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, *timeo); + skb = skb_dequeue(&sk->sk_receive_queue); + } + lock_sock(sk); +@@ -1056,9 +1054,8 @@ static struct sk_buff *dn_wait_for_connect(struct sock *sk, long *timeo) + err = -EAGAIN; + if (!*timeo) + break; +- prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE); + } +- finish_wait(sk_sleep(sk), &wait); ++ 
remove_wait_queue(sk_sleep(sk), &wait); + + return skb == NULL ? ERR_PTR(err) : skb; + } +-- +2.30.2 + diff --git a/queue-5.10/net-do-not-reuse-skbuff-allocated-from-skbuff_fclone.patch b/queue-5.10/net-do-not-reuse-skbuff-allocated-from-skbuff_fclone.patch new file mode 100644 index 00000000000..8b30c718c74 --- /dev/null +++ b/queue-5.10/net-do-not-reuse-skbuff-allocated-from-skbuff_fclone.patch 
@@ -0,0 +1,65 @@ +From b6c2d6d20cdc81b9ec442bc0061a176915d05099 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Jul 2021 18:16:09 +0200 +Subject: net: do not reuse skbuff allocated from skbuff_fclone_cache in the + skb cache + +From: Antoine Tenart + +[ Upstream commit 28b34f01a73435a754956ebae826e728c03ffa38 ] + +Some socket buffers allocated in the fclone cache (in __alloc_skb) can +end-up in the following path[1]: + +napi_skb_finish + __kfree_skb_defer + napi_skb_cache_put + +The issue is napi_skb_cache_put is not fclone friendly and will put +those skbuff in the skb cache to be reused later, although this cache +only expects skbuff allocated from skbuff_head_cache. When this happens +the skbuff is eventually freed using the wrong origin cache, and we can +see traces similar to: + +[ 1223.947534] cache_from_obj: Wrong slab cache. skbuff_head_cache but object is from skbuff_fclone_cache +[ 1223.948895] WARNING: CPU: 3 PID: 0 at mm/slab.h:442 kmem_cache_free+0x251/0x3e0 +[ 1223.950211] Modules linked in: +[ 1223.950680] CPU: 3 PID: 0 Comm: swapper/3 Not tainted 5.13.0+ #474 +[ 1223.951587] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-3.fc34 04/01/2014 +[ 1223.953060] RIP: 0010:kmem_cache_free+0x251/0x3e0 + +Leading sometimes to other memory related issues. + +Fix this by using __kfree_skb for fclone skbuff, similar to what is done +the other place __kfree_skb_defer is called. + +[1] At least in setups using veth pairs and tunnels. Building a kernel + with KASAN we can for example see packets allocated in + sk_stream_alloc_skb hit the above path and later the issue arises + when the skbuff is reused. + +Fixes: 9243adfc311a ("skbuff: queue NAPI_MERGED_FREE skbs into NAPI cache instead of freeing") +Cc: Alexander Lobakin +Signed-off-by: Antoine Tenart +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + net/core/dev.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/core/dev.c b/net/core/dev.c +index 6b08de52bf0e..86a0fe0f4c02 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -6100,6 +6100,8 @@ static gro_result_t napi_skb_finish(struct napi_struct *napi, + case GRO_MERGED_FREE: + if (NAPI_GRO_CB(skb)->free == NAPI_GRO_FREE_STOLEN_HEAD) + napi_skb_free_stolen_head(skb); ++ else if (skb->fclone != SKB_FCLONE_UNAVAILABLE) ++ __kfree_skb(skb); + else + __kfree_skb(skb); + break; +-- +2.30.2 + diff --git a/queue-5.10/net-dsa-sja1105-make-vid-4095-a-bridge-vlan-too.patch b/queue-5.10/net-dsa-sja1105-make-vid-4095-a-bridge-vlan-too.patch new file mode 100644 index 00000000000..891c01fc88e --- /dev/null +++ b/queue-5.10/net-dsa-sja1105-make-vid-4095-a-bridge-vlan-too.patch 
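Review bot: in the `GRO_MERGED_FREE` case of `napi_skb_finish()` (net/core/dev.c) the added `else if (skb->fclone != SKB_FCLONE_UNAVAILABLE)` branch and the existing `else` branch both call `__kfree_skb(skb)`, so as applied to this tree the hunk changes no behaviour. The commit message describes steering fclone skbs away from `__kfree_skb_defer`, but no call to it appears in the context lines here. Either the commit named in Fixes: (9243adfc311a) is not in this branch and the patch can be dropped from the queue, or the context differs from upstream and the backport needs to be redone against the correct `else` body.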
@@ -0,0 +1,103 @@ +From aad75e1dde1cbcb029d3029d8b4b1b1f62ba7428 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jul 2021 15:37:59 +0300 +Subject: net: dsa: sja1105: make VID 4095 a bridge VLAN too + +From: Vladimir Oltean + +[ Upstream commit e40cba9490bab1414d45c2d62defc0ad4f6e4136 ] + +This simple series of commands: + +ip link add br0 type bridge vlan_filtering 1 +ip link set swp0 master br0 + +fails on sja1105 with the following error: +[ 33.439103] sja1105 spi0.1: vlan-lookup-table needs to have at least the default untagged VLAN +[ 33.447710] sja1105 spi0.1: Invalid config, cannot upload +Warning: sja1105: Failed to change VLAN Ethertype. + +For context, sja1105 has 3 operating modes: +- SJA1105_VLAN_UNAWARE: the dsa_8021q_vlans are committed to hardware +- SJA1105_VLAN_FILTERING_FULL: the bridge_vlans are committed to hardware +- SJA1105_VLAN_FILTERING_BEST_EFFORT: both the dsa_8021q_vlans and the + bridge_vlans are committed to hardware + +Swapping out a VLAN list and another in happens in +sja1105_build_vlan_table(), which performs a delta update procedure. +That function is called from a few places, notably from +sja1105_vlan_filtering() which is called from the +SWITCHDEV_ATTR_ID_BRIDGE_VLAN_FILTERING handler. + +The above set of 2 commands fails when run on a kernel pre-commit +8841f6e63f2c ("net: dsa: sja1105: make devlink property +best_effort_vlan_filtering true by default"). So the priv->vlan_state +transition that takes place is between VLAN-unaware and full VLAN +filtering. So the dsa_8021q_vlans are swapped out and the bridge_vlans +are swapped in. + +So why does it fail? + +Well, the bridge driver, through nbp_vlan_init(), first sets up the +SWITCHDEV_ATTR_ID_BRIDGE_VLAN_FILTERING attribute, and only then +proceeds to call nbp_vlan_add for the default_pvid. + +So when we swap out the dsa_8021q_vlans and swap in the bridge_vlans in +the SWITCHDEV_ATTR_ID_BRIDGE_VLAN_FILTERING handler, there are no bridge +VLANs (yet). 
So we have wiped the VLAN table clean, and the low-level +static config checker complains of an invalid configuration. We _will_ +add the bridge VLANs using the dynamic config interface, albeit later, +when nbp_vlan_add() calls us. So it is natural that it fails. + +So why did it ever work? + +Surprisingly, it looks like I only tested this configuration with 2 +things set up in a particular way: +- a network manager that brings all ports up +- a kernel with CONFIG_VLAN_8021Q=y + +It is widely known that commit ad1afb003939 ("vlan_dev: VLAN 0 should be +treated as "no vlan tag" (802.1p packet)") installs VID 0 to every net +device that comes up. DSA treats these VLANs as bridge VLANs, and +therefore, in my testing, the list of bridge_vlans was never empty. + +However, if CONFIG_VLAN_8021Q is not enabled, or the port is not up when +it joins a VLAN-aware bridge, the bridge_vlans list will be temporarily +empty, and the sja1105_static_config_reload() call from +sja1105_vlan_filtering() will fail. + +To fix this, the simplest thing is to keep VID 4095, the one used for +CPU-injected control packets since commit ed040abca4c1 ("net: dsa: +sja1105: use 4095 as the private VLAN for untagged traffic"), in the +list of bridge VLANs too, not just the list of tag_8021q VLANs. This +ensures that the list of bridge VLANs will never be empty. + +Fixes: ec5ae61076d0 ("net: dsa: sja1105: save/restore VLANs using a delta commit method") +Reported-by: Radu Pirea (NXP OSS) +Signed-off-by: Vladimir Oltean +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/sja1105/sja1105_main.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/dsa/sja1105/sja1105_main.c b/drivers/net/dsa/sja1105/sja1105_main.c +index 82852c57cc0e..82b918d36117 100644 +--- a/drivers/net/dsa/sja1105/sja1105_main.c ++++ b/drivers/net/dsa/sja1105/sja1105_main.c +@@ -350,6 +350,12 @@ static int sja1105_init_static_vlan(struct sja1105_private *priv) + if (dsa_is_cpu_port(ds, port)) + v->pvid = true; + list_add(&v->list, &priv->dsa_8021q_vlans); ++ ++ v = kmemdup(v, sizeof(*v), GFP_KERNEL); ++ if (!v) ++ return -ENOMEM; ++ ++ list_add(&v->list, &priv->bridge_vlans); + } + + ((struct sja1105_vlan_lookup_entry *)table->entries)[0] = pvid; +-- +2.30.2 + diff --git a/queue-5.10/net-fix-uninit-value-in-caif_seqpkt_sendmsg.patch b/queue-5.10/net-fix-uninit-value-in-caif_seqpkt_sendmsg.patch new file mode 100644 index 00000000000..aab4eb18f6a --- /dev/null +++ b/queue-5.10/net-fix-uninit-value-in-caif_seqpkt_sendmsg.patch 
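Review bot: in `sja1105_init_static_vlan()` (drivers/net/dsa/sja1105/sja1105_main.c) the new `return -ENOMEM` after `kmemdup()` leaves the entry just added to `priv->dsa_8021q_vlans`, and any entries added to both lists for earlier ports, allocated; the hunk shows no unwinding. Please confirm that the caller's error path frees both `priv->dsa_8021q_vlans` and `priv->bridge_vlans`, or free them here before returning. Reusing `v` as both source and result of `kmemdup(v, sizeof(*v), GFP_KERNEL)` also hides that the first pointer is by then owned by the list; a second local variable would read more clearly.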
@@ -0,0 +1,57 @@ +From 03441529fe18250d950f05298803bb1c3449d51e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jul 2021 20:22:04 +0800 +Subject: net: fix uninit-value in caif_seqpkt_sendmsg + +From: Ziyang Xuan + +[ Upstream commit 991e634360f2622a683b48dfe44fe6d9cb765a09 ] + +When nr_segs equal to zero in iovec_from_user, the object +msg->msg_iter.iov is uninit stack memory in caif_seqpkt_sendmsg +which is defined in ___sys_sendmsg. So we cann't just judge +msg->msg_iter.iov->base directlly. We can use nr_segs to judge +msg in caif_seqpkt_sendmsg whether has data buffers. + +===================================================== +BUG: KMSAN: uninit-value in caif_seqpkt_sendmsg+0x693/0xf60 net/caif/caif_socket.c:542 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x1c9/0x220 lib/dump_stack.c:118 + kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118 + __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215 + caif_seqpkt_sendmsg+0x693/0xf60 net/caif/caif_socket.c:542 + sock_sendmsg_nosec net/socket.c:652 [inline] + sock_sendmsg net/socket.c:672 [inline] + ____sys_sendmsg+0x12b6/0x1350 net/socket.c:2343 + ___sys_sendmsg net/socket.c:2397 [inline] + __sys_sendmmsg+0x808/0xc90 net/socket.c:2480 + __compat_sys_sendmmsg net/compat.c:656 [inline] + +Reported-by: syzbot+09a5d591c1f98cf5efcb@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?id=1ace85e8fc9b0d5a45c08c2656c3e91762daa9b8 +Fixes: bece7b2398d0 ("caif: Rewritten socket implementation") +Signed-off-by: Ziyang Xuan +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + net/caif/caif_socket.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c +index 3ad0a1df6712..9d26c5e9da05 100644 +--- a/net/caif/caif_socket.c ++++ b/net/caif/caif_socket.c +@@ -539,7 +539,8 @@ static int caif_seqpkt_sendmsg(struct socket *sock, struct msghdr *msg, + goto err; + + ret = -EINVAL; +- if (unlikely(msg->msg_iter.iov->iov_base == NULL)) ++ if (unlikely(msg->msg_iter.nr_segs == 0) || ++ unlikely(msg->msg_iter.iov->iov_base == NULL)) + goto err; + noblock = msg->msg_flags & MSG_DONTWAIT; + +-- +2.30.2 + diff --git a/queue-5.10/net-hisilicon-rename-cache_line_mask-to-avoid-redefi.patch b/queue-5.10/net-hisilicon-rename-cache_line_mask-to-avoid-redefi.patch new file mode 100644 index 00000000000..f1359553dca --- /dev/null +++ b/queue-5.10/net-hisilicon-rename-cache_line_mask-to-avoid-redefi.patch 
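Review bot: in `caif_seqpkt_sendmsg()` (net/caif/caif_socket.c) the condition wraps each operand in its own `unlikely()`; a single `unlikely(msg->msg_iter.nr_segs == 0 || msg->msg_iter.iov->iov_base == NULL)` says the same thing and is the usual form. The fix rests on the `||` short-circuit keeping `iov->iov_base` from being read when `nr_segs` is zero, so a brief comment to that effect would stop a later cleanup from reordering the two tests.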
@@ -0,0 +1,62 @@ +From 44acb8c045f31e28f604dc82d15543ebe3d51b9e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Jul 2021 13:38:34 -0700 +Subject: net: hisilicon: rename CACHE_LINE_MASK to avoid redefinition + +From: Randy Dunlap + +[ Upstream commit b16f3299ae1aa3c327e1fb742d0379ae4d6e86f2 ] + +Building on ARCH=arc causes a "redefined" warning, so rename this +driver's CACHE_LINE_MASK to avoid the warning. + +../drivers/net/ethernet/hisilicon/hip04_eth.c:134: warning: "CACHE_LINE_MASK" redefined + 134 | #define CACHE_LINE_MASK 0x3F +In file included from ../include/linux/cache.h:6, + from ../include/linux/printk.h:9, + from ../include/linux/kernel.h:19, + from ../include/linux/list.h:9, + from ../include/linux/module.h:12, + from ../drivers/net/ethernet/hisilicon/hip04_eth.c:7: +../arch/arc/include/asm/cache.h:17: note: this is the location of the previous definition + 17 | #define CACHE_LINE_MASK (~(L1_CACHE_BYTES - 1)) + +Fixes: d413779cdd93 ("net: hisilicon: Add an tx_desc to adapt HI13X1_GMAC") +Signed-off-by: Randy Dunlap +Cc: Vineet Gupta +Cc: Jiangfeng Xiao +Cc: "David S. Miller" +Cc: Jakub Kicinski +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hip04_eth.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/hisilicon/hip04_eth.c b/drivers/net/ethernet/hisilicon/hip04_eth.c +index 12f6c2442a7a..e53512f6878a 100644 +--- a/drivers/net/ethernet/hisilicon/hip04_eth.c ++++ b/drivers/net/ethernet/hisilicon/hip04_eth.c +@@ -131,7 +131,7 @@ + /* buf unit size is cache_line_size, which is 64, so the shift is 6 */ + #define PPE_BUF_SIZE_SHIFT 6 + #define PPE_TX_BUF_HOLD BIT(31) +-#define CACHE_LINE_MASK 0x3F ++#define SOC_CACHE_LINE_MASK 0x3F + #else + #define PPE_CFG_QOS_VMID_GRP_SHIFT 8 + #define PPE_CFG_RX_CTRL_ALIGN_SHIFT 11 +@@ -531,8 +531,8 @@ hip04_mac_start_xmit(struct sk_buff *skb, struct net_device *ndev) + #if defined(CONFIG_HI13X1_GMAC) + desc->cfg = (__force u32)cpu_to_be32(TX_CLEAR_WB | TX_FINISH_CACHE_INV + | TX_RELEASE_TO_PPE | priv->port << TX_POOL_SHIFT); +- desc->data_offset = (__force u32)cpu_to_be32(phys & CACHE_LINE_MASK); +- desc->send_addr = (__force u32)cpu_to_be32(phys & ~CACHE_LINE_MASK); ++ desc->data_offset = (__force u32)cpu_to_be32(phys & SOC_CACHE_LINE_MASK); ++ desc->send_addr = (__force u32)cpu_to_be32(phys & ~SOC_CACHE_LINE_MASK); + #else + desc->cfg = (__force u32)cpu_to_be32(TX_CLEAR_WB | TX_FINISH_CACHE_INV); + desc->send_addr = (__force u32)cpu_to_be32(phys); +-- +2.30.2 + diff --git a/queue-5.10/net-hns3-fix-possible-mismatches-resp-of-mailbox.patch b/queue-5.10/net-hns3-fix-possible-mismatches-resp-of-mailbox.patch new file mode 100644 index 00000000000..3a8219b9514 --- /dev/null +++ b/queue-5.10/net-hns3-fix-possible-mismatches-resp-of-mailbox.patch 
@@ -0,0 +1,86 @@ +From 539f1a3b4016b11a200af8df52b0354dd4dd9c6e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jul 2021 17:13:05 +0800 +Subject: net: hns3: fix possible mismatches resp of mailbox + +From: Chengwen Feng + +[ Upstream commit 1b713d14dc3c077ec45e65dab4ea01a8bc41b8c1 ] + +Currently, the mailbox synchronous communication between VF and PF use +the following fields to maintain communication: +1. Origin_mbx_msg which was combined by message code and subcode, used +to match request and response. +2. Received_resp which means whether received response. + +There may possible mismatches of the following situation: +1. VF sends message A with code=1 subcode=1. +2. PF was blocked about 500ms when processing the message A. +3. VF will detect message A timeout because it can't get the response +within 500ms. +4. VF sends message B with code=1 subcode=1 which equal message A. +5. PF processes the first message A and send the response message to +VF. +6. VF will identify the response matched the message B because the +code/subcode is the same. This will lead to mismatch of request and +response. + +To fix the above bug, we use the following scheme: +1. The message sent from VF was labelled with match_id which was a +unique 16-bit non-zero value. +2. The response sent from PF will label with match_id which got from +the request. +3. The VF uses the match_id to match request and response message. + +As for PF driver, it only needs to copy the match_id from request to +response. 
+ +Fixes: dde1a86e93ca ("net: hns3: Add mailbox support to PF driver") +Signed-off-by: Chengwen Feng +Signed-off-by: Guangbin Huang +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hclge_mbx.h | 6 ++++-- + drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c | 1 + + 2 files changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hclge_mbx.h b/drivers/net/ethernet/hisilicon/hns3/hclge_mbx.h +index 98a9f5e3fe86..98f55fbe6c3d 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hclge_mbx.h ++++ b/drivers/net/ethernet/hisilicon/hns3/hclge_mbx.h +@@ -134,7 +134,8 @@ struct hclge_mbx_vf_to_pf_cmd { + u8 mbx_need_resp; + u8 rsv1[1]; + u8 msg_len; +- u8 rsv2[3]; ++ u8 rsv2; ++ u16 match_id; + struct hclge_vf_to_pf_msg msg; + }; + +@@ -144,7 +145,8 @@ struct hclge_mbx_pf_to_vf_cmd { + u8 dest_vfid; + u8 rsv[3]; + u8 msg_len; +- u8 rsv1[3]; ++ u8 rsv1; ++ u16 match_id; + struct hclge_pf_to_vf_msg msg; + }; + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c +index 2c2d53f5c56e..61f6f0287cbe 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c +@@ -47,6 +47,7 @@ static int hclge_gen_resp_to_vf(struct hclge_vport *vport, + + resp_pf_to_vf->dest_vfid = vf_to_pf_req->mbx_src_vfid; + resp_pf_to_vf->msg_len = vf_to_pf_req->msg_len; ++ resp_pf_to_vf->match_id = vf_to_pf_req->match_id; + + resp_pf_to_vf->msg.code = HCLGE_MBX_PF_VF_RESP; + resp_pf_to_vf->msg.vf_mbx_msg_code = vf_to_pf_req->msg.code; +-- +2.30.2 + diff --git a/queue-5.10/net-hns3-fix-rx-vlan-offload-state-inconsistent-issu.patch b/queue-5.10/net-hns3-fix-rx-vlan-offload-state-inconsistent-issu.patch new file mode 100644 index 00000000000..f69aff6452f --- /dev/null +++ b/queue-5.10/net-hns3-fix-rx-vlan-offload-state-inconsistent-issu.patch 
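Review bot: the diffstat covers only hclge_mbx.h and the PF file hns3pf/hclge_mbx.c, so this patch carries `match_id` through `hclge_gen_resp_to_vf()` but contains nothing on the VF side that generates a non-zero `match_id` or compares it on receipt. Steps 1 and 3 of the scheme in the commit message are therefore not implemented here; the queue needs the VF-side change alongside this one, otherwise the described mismatch is still possible. In the header, `u8 rsv2[3]` becomes `u8 rsv2; u16 match_id;` in both command structs: the field is a plain `u16` in a structure exchanged between PF and VF, so the message should state whether a fixed byte order (`__le16`) is required, and it is worth checking that `match_id` falls on a 2-byte boundary so that no padding changes the layout.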
@@ -0,0 +1,50 @@ +From 72e82a44fd98984394c47e235e0d5bdb5cd93892 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jul 2021 17:13:08 +0800 +Subject: net: hns3: fix rx VLAN offload state inconsistent issue + +From: Jian Shen + +[ Upstream commit bbfd4506f962e7e6fff8f37f017154a3c3791264 ] + +Currently, VF doesn't enable rx VLAN offload when initializating, +and PF does it for VFs. If user disable the rx VLAN offload for +VF with ethtool -K, and reload the VF driver, it may cause the +rx VLAN offload state being inconsistent between hardware and +software. + +Fixes it by enabling rx VLAN offload when VF initializing. + +Fixes: e2cb1dec9779 ("net: hns3: Add HNS3 VF HCL(Hardware Compatibility Layer) Support") +Signed-off-by: Jian Shen +Signed-off-by: Guangbin Huang +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c +index ac6980acb6f0..d3010d5ab366 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c +@@ -2518,6 +2518,16 @@ static int hclgevf_rss_init_hw(struct hclgevf_dev *hdev) + + static int hclgevf_init_vlan_config(struct hclgevf_dev *hdev) + { ++ struct hnae3_handle *nic = &hdev->nic; ++ int ret; ++ ++ ret = hclgevf_en_hw_strip_rxvtag(nic, true); ++ if (ret) { ++ dev_err(&hdev->pdev->dev, ++ "failed to enable rx vlan offload, ret = %d\n", ret); ++ return ret; ++ } ++ + return hclgevf_set_vlan_filter(&hdev->nic, htons(ETH_P_8021Q), 0, + false); + } +-- +2.30.2 + diff --git a/queue-5.10/net-introduce-preferred-busy-polling.patch b/queue-5.10/net-introduce-preferred-busy-polling.patch new file mode 100644 index 00000000000..85db83a47c7 --- /dev/null +++ b/queue-5.10/net-introduce-preferred-busy-polling.patch 
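Review bot: in `hclgevf_init_vlan_config()` the new local `nic` is initialised to `&hdev->nic` and passed to `hclgevf_en_hw_strip_rxvtag()`, but the unchanged `return hclgevf_set_vlan_filter(&hdev->nic, ...)` below still spells the expression out. Use `nic` in both calls, or drop the local and pass `&hdev->nic` to the new call, so the function does not carry two spellings of the same handle.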
@@ -0,0 +1,442 @@ +From 68a591042e8fd5c95c5882d812e76ed215988e5b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Nov 2020 19:51:56 +0100 +Subject: net: Introduce preferred busy-polling +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Björn Töpel + +[ Upstream commit 7fd3253a7de6a317a0683f83739479fb880bffc8 ] + +The existing busy-polling mode, enabled by the SO_BUSY_POLL socket +option or system-wide using the /proc/sys/net/core/busy_read knob, is +an opportunistic. That means that if the NAPI context is not +scheduled, it will poll it. If, after busy-polling, the budget is +exceeded the busy-polling logic will schedule the NAPI onto the +regular softirq handling. + +One implication of the behavior above is that a busy/heavy loaded NAPI +context will never enter/allow for busy-polling. Some applications +prefer that most NAPI processing would be done by busy-polling. + +This series adds a new socket option, SO_PREFER_BUSY_POLL, that works +in concert with the napi_defer_hard_irqs and gro_flush_timeout +knobs. The napi_defer_hard_irqs and gro_flush_timeout knobs were +introduced in commit 6f8b12d661d0 ("net: napi: add hard irqs deferral +feature"), and allows for a user to defer interrupts to be enabled and +instead schedule the NAPI context from a watchdog timer. When a user +enables the SO_PREFER_BUSY_POLL, again with the other knobs enabled, +and the NAPI context is being processed by a softirq, the softirq NAPI +processing will exit early to allow the busy-polling to be performed. + +If the application stops performing busy-polling via a system call, +the watchdog timer defined by gro_flush_timeout will timeout, and +regular softirq handling will resume. + +In summary; Heavy traffic applications that prefer busy-polling over +softirq processing should use this option. 
+ +Example usage: + + $ echo 2 | sudo tee /sys/class/net/ens785f1/napi_defer_hard_irqs + $ echo 200000 | sudo tee /sys/class/net/ens785f1/gro_flush_timeout + +Note that the timeout should be larger than the userspace processing +window, otherwise the watchdog will timeout and fall back to regular +softirq processing. + +Enable the SO_BUSY_POLL/SO_PREFER_BUSY_POLL options on your socket. + +Signed-off-by: Björn Töpel +Signed-off-by: Daniel Borkmann +Reviewed-by: Jakub Kicinski +Link: https://lore.kernel.org/bpf/20201130185205.196029-2-bjorn.topel@gmail.com +Signed-off-by: Sasha Levin +--- + arch/alpha/include/uapi/asm/socket.h | 2 + + arch/mips/include/uapi/asm/socket.h | 2 + + arch/parisc/include/uapi/asm/socket.h | 2 + + arch/sparc/include/uapi/asm/socket.h | 2 + + fs/eventpoll.c | 2 +- + include/linux/netdevice.h | 35 +++++++----- + include/net/busy_poll.h | 5 +- + include/net/sock.h | 4 ++ + include/uapi/asm-generic/socket.h | 2 + + net/core/dev.c | 78 +++++++++++++++++++++------ + net/core/sock.c | 9 ++++ + 11 files changed, 111 insertions(+), 32 deletions(-) + +diff --git a/arch/alpha/include/uapi/asm/socket.h b/arch/alpha/include/uapi/asm/socket.h +index de6c4df61082..538359642554 100644 +--- a/arch/alpha/include/uapi/asm/socket.h ++++ b/arch/alpha/include/uapi/asm/socket.h +@@ -124,6 +124,8 @@ + + #define SO_DETACH_REUSEPORT_BPF 68 + ++#define SO_PREFER_BUSY_POLL 69 ++ + #if !defined(__KERNEL__) + + #if __BITS_PER_LONG == 64 +diff --git a/arch/mips/include/uapi/asm/socket.h b/arch/mips/include/uapi/asm/socket.h +index d0a9ed2ca2d6..e406e73b5e6e 100644 +--- a/arch/mips/include/uapi/asm/socket.h ++++ b/arch/mips/include/uapi/asm/socket.h +@@ -135,6 +135,8 @@ + + #define SO_DETACH_REUSEPORT_BPF 68 + ++#define SO_PREFER_BUSY_POLL 69 ++ + #if !defined(__KERNEL__) + + #if __BITS_PER_LONG == 64 +diff --git a/arch/parisc/include/uapi/asm/socket.h b/arch/parisc/include/uapi/asm/socket.h +index 10173c32195e..1bc46200889d 100644 +--- 
a/arch/parisc/include/uapi/asm/socket.h ++++ b/arch/parisc/include/uapi/asm/socket.h +@@ -116,6 +116,8 @@ + + #define SO_DETACH_REUSEPORT_BPF 0x4042 + ++#define SO_PREFER_BUSY_POLL 0x4043 ++ + #if !defined(__KERNEL__) + + #if __BITS_PER_LONG == 64 +diff --git a/arch/sparc/include/uapi/asm/socket.h b/arch/sparc/include/uapi/asm/socket.h +index 8029b681fc7c..99688cf673a4 100644 +--- a/arch/sparc/include/uapi/asm/socket.h ++++ b/arch/sparc/include/uapi/asm/socket.h +@@ -117,6 +117,8 @@ + + #define SO_DETACH_REUSEPORT_BPF 0x0047 + ++#define SO_PREFER_BUSY_POLL 0x0048 ++ + #if !defined(__KERNEL__) + + +diff --git a/fs/eventpoll.c b/fs/eventpoll.c +index 6094b2e9058b..9e5b05e818ad 100644 +--- a/fs/eventpoll.c ++++ b/fs/eventpoll.c +@@ -397,7 +397,7 @@ static void ep_busy_loop(struct eventpoll *ep, int nonblock) + unsigned int napi_id = READ_ONCE(ep->napi_id); + + if ((napi_id >= MIN_NAPI_ID) && net_busy_loop_on()) +- napi_busy_loop(napi_id, nonblock ? NULL : ep_busy_loop_end, ep); ++ napi_busy_loop(napi_id, nonblock ? 
NULL : ep_busy_loop_end, ep, false); + } + + static inline void ep_reset_busy_poll_napi_id(struct eventpoll *ep) +diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h +index e37480b5f4c0..2488638a8749 100644 +--- a/include/linux/netdevice.h ++++ b/include/linux/netdevice.h +@@ -350,23 +350,25 @@ struct napi_struct { + }; + + enum { +- NAPI_STATE_SCHED, /* Poll is scheduled */ +- NAPI_STATE_MISSED, /* reschedule a napi */ +- NAPI_STATE_DISABLE, /* Disable pending */ +- NAPI_STATE_NPSVC, /* Netpoll - don't dequeue from poll_list */ +- NAPI_STATE_LISTED, /* NAPI added to system lists */ +- NAPI_STATE_NO_BUSY_POLL,/* Do not add in napi_hash, no busy polling */ +- NAPI_STATE_IN_BUSY_POLL,/* sk_busy_loop() owns this NAPI */ ++ NAPI_STATE_SCHED, /* Poll is scheduled */ ++ NAPI_STATE_MISSED, /* reschedule a napi */ ++ NAPI_STATE_DISABLE, /* Disable pending */ ++ NAPI_STATE_NPSVC, /* Netpoll - don't dequeue from poll_list */ ++ NAPI_STATE_LISTED, /* NAPI added to system lists */ ++ NAPI_STATE_NO_BUSY_POLL, /* Do not add in napi_hash, no busy polling */ ++ NAPI_STATE_IN_BUSY_POLL, /* sk_busy_loop() owns this NAPI */ ++ NAPI_STATE_PREFER_BUSY_POLL, /* prefer busy-polling over softirq processing*/ + }; + + enum { +- NAPIF_STATE_SCHED = BIT(NAPI_STATE_SCHED), +- NAPIF_STATE_MISSED = BIT(NAPI_STATE_MISSED), +- NAPIF_STATE_DISABLE = BIT(NAPI_STATE_DISABLE), +- NAPIF_STATE_NPSVC = BIT(NAPI_STATE_NPSVC), +- NAPIF_STATE_LISTED = BIT(NAPI_STATE_LISTED), +- NAPIF_STATE_NO_BUSY_POLL = BIT(NAPI_STATE_NO_BUSY_POLL), +- NAPIF_STATE_IN_BUSY_POLL = BIT(NAPI_STATE_IN_BUSY_POLL), ++ NAPIF_STATE_SCHED = BIT(NAPI_STATE_SCHED), ++ NAPIF_STATE_MISSED = BIT(NAPI_STATE_MISSED), ++ NAPIF_STATE_DISABLE = BIT(NAPI_STATE_DISABLE), ++ NAPIF_STATE_NPSVC = BIT(NAPI_STATE_NPSVC), ++ NAPIF_STATE_LISTED = BIT(NAPI_STATE_LISTED), ++ NAPIF_STATE_NO_BUSY_POLL = BIT(NAPI_STATE_NO_BUSY_POLL), ++ NAPIF_STATE_IN_BUSY_POLL = BIT(NAPI_STATE_IN_BUSY_POLL), ++ NAPIF_STATE_PREFER_BUSY_POLL = 
BIT(NAPI_STATE_PREFER_BUSY_POLL), + }; + + enum gro_result { +@@ -437,6 +439,11 @@ static inline bool napi_disable_pending(struct napi_struct *n) + return test_bit(NAPI_STATE_DISABLE, &n->state); + } + ++static inline bool napi_prefer_busy_poll(struct napi_struct *n) ++{ ++ return test_bit(NAPI_STATE_PREFER_BUSY_POLL, &n->state); ++} ++ + bool napi_schedule_prep(struct napi_struct *n); + + /** +diff --git a/include/net/busy_poll.h b/include/net/busy_poll.h +index b001fa91c14e..0292b8353d7e 100644 +--- a/include/net/busy_poll.h ++++ b/include/net/busy_poll.h +@@ -43,7 +43,7 @@ bool sk_busy_loop_end(void *p, unsigned long start_time); + + void napi_busy_loop(unsigned int napi_id, + bool (*loop_end)(void *, unsigned long), +- void *loop_end_arg); ++ void *loop_end_arg, bool prefer_busy_poll); + + #else /* CONFIG_NET_RX_BUSY_POLL */ + static inline unsigned long net_busy_loop_on(void) +@@ -105,7 +105,8 @@ static inline void sk_busy_loop(struct sock *sk, int nonblock) + unsigned int napi_id = READ_ONCE(sk->sk_napi_id); + + if (napi_id >= MIN_NAPI_ID) +- napi_busy_loop(napi_id, nonblock ? NULL : sk_busy_loop_end, sk); ++ napi_busy_loop(napi_id, nonblock ? 
NULL : sk_busy_loop_end, sk, ++ READ_ONCE(sk->sk_prefer_busy_poll)); + #endif + } + +diff --git a/include/net/sock.h b/include/net/sock.h +index 3c7addf95150..95311369567f 100644 +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -301,6 +301,7 @@ struct bpf_local_storage; + * @sk_ack_backlog: current listen backlog + * @sk_max_ack_backlog: listen backlog set in listen() + * @sk_uid: user id of owner ++ * @sk_prefer_busy_poll: prefer busypolling over softirq processing + * @sk_priority: %SO_PRIORITY setting + * @sk_type: socket type (%SOCK_STREAM, etc) + * @sk_protocol: which protocol this socket belongs in this network family +@@ -479,6 +480,9 @@ struct sock { + u32 sk_ack_backlog; + u32 sk_max_ack_backlog; + kuid_t sk_uid; ++#ifdef CONFIG_NET_RX_BUSY_POLL ++ u8 sk_prefer_busy_poll; ++#endif + struct pid *sk_peer_pid; + const struct cred *sk_peer_cred; + long sk_rcvtimeo; +diff --git a/include/uapi/asm-generic/socket.h b/include/uapi/asm-generic/socket.h +index 77f7c1638eb1..7dd02408b7ce 100644 +--- a/include/uapi/asm-generic/socket.h ++++ b/include/uapi/asm-generic/socket.h +@@ -119,6 +119,8 @@ + + #define SO_DETACH_REUSEPORT_BPF 68 + ++#define SO_PREFER_BUSY_POLL 69 ++ + #if !defined(__KERNEL__) + + #if __BITS_PER_LONG == 64 || (defined(__x86_64__) && defined(__ILP32__)) +diff --git a/net/core/dev.c b/net/core/dev.c +index 2fdf30eefc59..6b08de52bf0e 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -6496,7 +6496,8 @@ bool napi_complete_done(struct napi_struct *n, int work_done) + + WARN_ON_ONCE(!(val & NAPIF_STATE_SCHED)); + +- new = val & ~(NAPIF_STATE_MISSED | NAPIF_STATE_SCHED); ++ new = val & ~(NAPIF_STATE_MISSED | NAPIF_STATE_SCHED | ++ NAPIF_STATE_PREFER_BUSY_POLL); + + /* If STATE_MISSED was set, leave STATE_SCHED set, + * because we will call napi->poll() one more time. 
+@@ -6535,8 +6536,29 @@ static struct napi_struct *napi_by_id(unsigned int napi_id) + + #define BUSY_POLL_BUDGET 8 + +-static void busy_poll_stop(struct napi_struct *napi, void *have_poll_lock) ++static void __busy_poll_stop(struct napi_struct *napi, bool skip_schedule) + { ++ if (!skip_schedule) { ++ gro_normal_list(napi); ++ __napi_schedule(napi); ++ return; ++ } ++ ++ if (napi->gro_bitmask) { ++ /* flush too old packets ++ * If HZ < 1000, flush all packets. ++ */ ++ napi_gro_flush(napi, HZ >= 1000); ++ } ++ ++ gro_normal_list(napi); ++ clear_bit(NAPI_STATE_SCHED, &napi->state); ++} ++ ++static void busy_poll_stop(struct napi_struct *napi, void *have_poll_lock, bool prefer_busy_poll) ++{ ++ bool skip_schedule = false; ++ unsigned long timeout; + int rc; + + /* Busy polling means there is a high chance device driver hard irq +@@ -6553,6 +6575,15 @@ static void busy_poll_stop(struct napi_struct *napi, void *have_poll_lock) + + local_bh_disable(); + ++ if (prefer_busy_poll) { ++ napi->defer_hard_irqs_count = READ_ONCE(napi->dev->napi_defer_hard_irqs); ++ timeout = READ_ONCE(napi->dev->gro_flush_timeout); ++ if (napi->defer_hard_irqs_count && timeout) { ++ hrtimer_start(&napi->timer, ns_to_ktime(timeout), HRTIMER_MODE_REL_PINNED); ++ skip_schedule = true; ++ } ++ } ++ + /* All we really want here is to re-enable device interrupts. + * Ideally, a new ndo_busy_poll_stop() could avoid another round. + */ +@@ -6563,19 +6594,14 @@ static void busy_poll_stop(struct napi_struct *napi, void *have_poll_lock) + */ + trace_napi_poll(napi, rc, BUSY_POLL_BUDGET); + netpoll_poll_unlock(have_poll_lock); +- if (rc == BUSY_POLL_BUDGET) { +- /* As the whole budget was spent, we still own the napi so can +- * safely handle the rx_list. 
+- */ +- gro_normal_list(napi); +- __napi_schedule(napi); +- } ++ if (rc == BUSY_POLL_BUDGET) ++ __busy_poll_stop(napi, skip_schedule); + local_bh_enable(); + } + + void napi_busy_loop(unsigned int napi_id, + bool (*loop_end)(void *, unsigned long), +- void *loop_end_arg) ++ void *loop_end_arg, bool prefer_busy_poll) + { + unsigned long start_time = loop_end ? busy_loop_current_time() : 0; + int (*napi_poll)(struct napi_struct *napi, int budget); +@@ -6603,12 +6629,18 @@ restart: + * we avoid dirtying napi->state as much as we can. + */ + if (val & (NAPIF_STATE_DISABLE | NAPIF_STATE_SCHED | +- NAPIF_STATE_IN_BUSY_POLL)) ++ NAPIF_STATE_IN_BUSY_POLL)) { ++ if (prefer_busy_poll) ++ set_bit(NAPI_STATE_PREFER_BUSY_POLL, &napi->state); + goto count; ++ } + if (cmpxchg(&napi->state, val, + val | NAPIF_STATE_IN_BUSY_POLL | +- NAPIF_STATE_SCHED) != val) ++ NAPIF_STATE_SCHED) != val) { ++ if (prefer_busy_poll) ++ set_bit(NAPI_STATE_PREFER_BUSY_POLL, &napi->state); + goto count; ++ } + have_poll_lock = netpoll_poll_lock(napi); + napi_poll = napi->poll; + } +@@ -6626,7 +6658,7 @@ count: + + if (unlikely(need_resched())) { + if (napi_poll) +- busy_poll_stop(napi, have_poll_lock); ++ busy_poll_stop(napi, have_poll_lock, prefer_busy_poll); + preempt_enable(); + rcu_read_unlock(); + cond_resched(); +@@ -6637,7 +6669,7 @@ count: + cpu_relax(); + } + if (napi_poll) +- busy_poll_stop(napi, have_poll_lock); ++ busy_poll_stop(napi, have_poll_lock, prefer_busy_poll); + preempt_enable(); + out: + rcu_read_unlock(); +@@ -6688,8 +6720,10 @@ static enum hrtimer_restart napi_watchdog(struct hrtimer *timer) + * NAPI_STATE_MISSED, since we do not react to a device IRQ. 
+ */ + if (!napi_disable_pending(napi) && +- !test_and_set_bit(NAPI_STATE_SCHED, &napi->state)) ++ !test_and_set_bit(NAPI_STATE_SCHED, &napi->state)) { ++ clear_bit(NAPI_STATE_PREFER_BUSY_POLL, &napi->state); + __napi_schedule_irqoff(napi); ++ } + + return HRTIMER_NORESTART; + } +@@ -6747,6 +6781,7 @@ void napi_disable(struct napi_struct *n) + + hrtimer_cancel(&n->timer); + ++ clear_bit(NAPI_STATE_PREFER_BUSY_POLL, &n->state); + clear_bit(NAPI_STATE_DISABLE, &n->state); + } + EXPORT_SYMBOL(napi_disable); +@@ -6819,6 +6854,19 @@ static int napi_poll(struct napi_struct *n, struct list_head *repoll) + goto out_unlock; + } + ++ /* The NAPI context has more processing work, but busy-polling ++ * is preferred. Exit early. ++ */ ++ if (napi_prefer_busy_poll(n)) { ++ if (napi_complete_done(n, work)) { ++ /* If timeout is not set, we need to make sure ++ * that the NAPI is re-scheduled. ++ */ ++ napi_schedule(n); ++ } ++ goto out_unlock; ++ } ++ + if (n->gro_bitmask) { + /* flush too old packets + * If HZ < 1000, flush all packets. +diff --git a/net/core/sock.c b/net/core/sock.c +index 7de51ea15cdf..cf0e5fc3a8ba 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -1167,6 +1167,12 @@ set_sndbuf: + sk->sk_ll_usec = val; + } + break; ++ case SO_PREFER_BUSY_POLL: ++ if (valbool && !capable(CAP_NET_ADMIN)) ++ ret = -EPERM; ++ else ++ WRITE_ONCE(sk->sk_prefer_busy_poll, valbool); ++ break; + #endif + + case SO_MAX_PACING_RATE: +@@ -1531,6 +1537,9 @@ int sock_getsockopt(struct socket *sock, int level, int optname, + case SO_BUSY_POLL: + v.val = sk->sk_ll_usec; + break; ++ case SO_PREFER_BUSY_POLL: ++ v.val = READ_ONCE(sk->sk_prefer_busy_poll); ++ break; + #endif + + case SO_MAX_PACING_RATE: +-- +2.30.2 + diff --git a/queue-5.10/net-sched-act_skbmod-skip-non-ethernet-packets.patch b/queue-5.10/net-sched-act_skbmod-skip-non-ethernet-packets.patch new file mode 100644 index 00000000000..ce95b60509d --- /dev/null 
+++ b/queue-5.10/net-sched-act_skbmod-skip-non-ethernet-packets.patch 
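Review bot: for a stable queue, the busy-polling patch has no Fixes: tag and its message does not say which later fix depends on it, yet it adds a new UAPI socket option (`SO_PREFER_BUSY_POLL`) and changes the signature of `napi_busy_loop()`. State the dependent patch so the backport can be justified, and confirm that 5.10 has no `napi_busy_loop()` callers other than the two converted here (`ep_busy_loop()` and `sk_busy_loop()`). Separately, in `napi_busy_loop()` the `set_bit(NAPI_STATE_PREFER_BUSY_POLL, ...)` in the first `goto count` branch also runs when `val` contains `NAPIF_STATE_DISABLE`; since `napi_disable()` clears the prefer bit immediately before clearing `NAPI_STATE_DISABLE`, a concurrent poller can set it again in that window. Consider skipping the `set_bit()` when a disable is pending.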
@@ -0,0 +1,70 @@ +From 49a0dc0e0fc088c9469b90c4593ced0912c59cbe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jul 2021 16:41:24 -0700 +Subject: net/sched: act_skbmod: Skip non-Ethernet packets + +From: Peilin Ye + +[ Upstream commit 727d6a8b7ef3d25080fad228b2c4a1d4da5999c6 ] + +Currently tcf_skbmod_act() assumes that packets use Ethernet as their L2 +protocol, which is not always the case. As an example, for CAN devices: + + $ ip link add dev vcan0 type vcan + $ ip link set up vcan0 + $ tc qdisc add dev vcan0 root handle 1: htb + $ tc filter add dev vcan0 parent 1: protocol ip prio 10 \ + matchall action skbmod swap mac + +Doing the above silently corrupts all the packets. Do not perform skbmod +actions for non-Ethernet packets. + +Fixes: 86da71b57383 ("net_sched: Introduce skbmod action") +Reviewed-by: Cong Wang +Signed-off-by: Peilin Ye +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sched/act_skbmod.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/net/sched/act_skbmod.c b/net/sched/act_skbmod.c +index 81a1c67335be..8d17a543cc9f 100644 +--- a/net/sched/act_skbmod.c ++++ b/net/sched/act_skbmod.c +@@ -6,6 +6,7 @@ + */ + + #include ++#include + #include + #include + #include +@@ -33,6 +34,13 @@ static int tcf_skbmod_act(struct sk_buff *skb, const struct tc_action *a, + tcf_lastuse_update(&d->tcf_tm); + bstats_cpu_update(this_cpu_ptr(d->common.cpu_bstats), skb); + ++ action = READ_ONCE(d->tcf_action); ++ if (unlikely(action == TC_ACT_SHOT)) ++ goto drop; ++ ++ if (!skb->dev || skb->dev->type != ARPHRD_ETHER) ++ return action; ++ + /* XXX: if you are going to edit more fields beyond ethernet header + * (example when you add IP header replacement or vlan swap) + * then MAX_EDIT_LEN needs to change appropriately +@@ -41,10 +49,6 @@ static int tcf_skbmod_act(struct sk_buff *skb, const struct tc_action *a, + if (unlikely(err)) /* best policy is to drop on the floor */ + goto drop; + +- action = 
READ_ONCE(d->tcf_action); +- if (unlikely(action == TC_ACT_SHOT)) +- goto drop; +- + p = rcu_dereference_bh(d->skbmod_p); + flags = p->flags; + if (flags & SKBMOD_F_DMAC) +-- +2.30.2 + diff --git a/queue-5.10/net-sched-cls_api-fix-the-the-wrong-parameter.patch b/queue-5.10/net-sched-cls_api-fix-the-the-wrong-parameter.patch new file mode 100644 index 00000000000..63457b98f7e --- /dev/null +++ b/queue-5.10/net-sched-cls_api-fix-the-the-wrong-parameter.patch @@ -0,0 +1,36 @@ +From bffb006885ab9394354a4375cb039f11b4b175d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Jul 2021 11:23:43 +0800 +Subject: net: sched: cls_api: Fix the the wrong parameter + +From: Yajun Deng + +[ Upstream commit 9d85a6f44bd5585761947f40f7821c9cd78a1bbe ] + +The 4th parameter in tc_chain_notify() should be flags rather than seq. +Let's change it back correctly. + +Fixes: 32a4f5ecd738 ("net: sched: introduce chain object to uapi") +Signed-off-by: Yajun Deng +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sched/cls_api.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c +index 30090794b791..31ac76a9189e 100644 +--- a/net/sched/cls_api.c ++++ b/net/sched/cls_api.c +@@ -2905,7 +2905,7 @@ replay: + break; + case RTM_GETCHAIN: + err = tc_chain_notify(chain, skb, n->nlmsg_seq, +- n->nlmsg_seq, n->nlmsg_type, true); ++ n->nlmsg_flags, n->nlmsg_type, true); + if (err < 0) + NL_SET_ERR_MSG(extack, "Failed to send chain notify message"); + break; +-- +2.30.2 + diff --git a/queue-5.10/net-sched-fix-memory-leak-in-tcindex_partial_destroy.patch b/queue-5.10/net-sched-fix-memory-leak-in-tcindex_partial_destroy.patch new file mode 100644 index 00000000000..74093fc4b80 --- /dev/null +++ b/queue-5.10/net-sched-fix-memory-leak-in-tcindex_partial_destroy.patch 
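Review bot: in the act_skbmod patch, the new early `return action;` in `tcf_skbmod_act()` for `!skb->dev || skb->dev->type != ARPHRD_ETHER` makes the action a silent no-op on non-Ethernet devices: the byte and packet stats are still updated above it, so from `tc -s` the filter looks as if it is rewriting frames. That is far better than the corruption described in the message, but the admin gets no signal that the configured rewrite is not applied. Suggest a short comment at the check explaining why the packet is passed unmodified, and consider rejecting or warning about the attachment at configuration time rather than only skipping per packet. The move of the `TC_ACT_SHOT` check ahead of `skb_ensure_writable()` is a behaviour change in its own right (drop before attempting the copy) and deserves a line in the message.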
@@ -0,0 +1,52 @@ +From e2534dbf9dfe9028db62c6a40b9fa3edb0f7ff93 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 17 Jul 2021 14:29:33 +0300 +Subject: net: sched: fix memory leak in tcindex_partial_destroy_work + +From: Pavel Skripkin + +[ Upstream commit f5051bcece50140abd1a11a2d36dc3ec5484fc32 ] + +Syzbot reported memory leak in tcindex_set_parms(). The problem was in +non-freed perfect hash in tcindex_partial_destroy_work(). + +In tcindex_set_parms() new tcindex_data is allocated and some fields from +old one are copied to new one, but not the perfect hash. Since +tcindex_partial_destroy_work() is the destroy function for old +tcindex_data, we need to free perfect hash to avoid memory leak. + +Reported-and-tested-by: syzbot+f0bbb2287b8993d4fa74@syzkaller.appspotmail.com +Fixes: 331b72922c5f ("net: sched: RCU cls_tcindex") +Signed-off-by: Pavel Skripkin +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sched/cls_tcindex.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/net/sched/cls_tcindex.c b/net/sched/cls_tcindex.c +index 5b274534264c..e9a8a2c86bbd 100644 +--- a/net/sched/cls_tcindex.c ++++ b/net/sched/cls_tcindex.c +@@ -278,6 +278,8 @@ static int tcindex_filter_result_init(struct tcindex_filter_result *r, + TCA_TCINDEX_POLICE); + } + ++static void tcindex_free_perfect_hash(struct tcindex_data *cp); ++ + static void tcindex_partial_destroy_work(struct work_struct *work) + { + struct tcindex_data *p = container_of(to_rcu_work(work), +@@ -285,7 +287,8 @@ static void tcindex_partial_destroy_work(struct work_struct *work) + rwork); + + rtnl_lock(); +- kfree(p->perfect); ++ if (p->perfect) ++ tcindex_free_perfect_hash(p); + kfree(p); + rtnl_unlock(); + } +-- +2.30.2 + diff --git a/queue-5.10/net-tcp_fastopen-fix-data-races-around-tfo_active_di.patch b/queue-5.10/net-tcp_fastopen-fix-data-races-around-tfo_active_di.patch new file mode 100644 index 00000000000..ebf8eff4b74 --- /dev/null 
+++ b/queue-5.10/net-tcp_fastopen-fix-data-races-around-tfo_active_di.patch 
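Review bot: in the cls_tcindex patch, `tcindex_partial_destroy_work()` now needs an explicit `if (p->perfect)` guard where the old `kfree(p->perfect)` was NULL-safe, which means `tcindex_free_perfect_hash()` does not tolerate a NULL table; the hunk does not show that helper, so a one-line comment at the guard would save the next reader from checking. The forward declaration `static void tcindex_free_perfect_hash(struct tcindex_data *cp);` is a style cost taken to keep the stable diff small; if the definition can be moved above this function upstream, that is cleaner than carrying a prototype for a static function.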
@@ -0,0 +1,72 @@ +From 6998d4c1f1bf1d0f4855a2b727e05d5fb5a0c8a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jul 2021 02:12:18 -0700 +Subject: net/tcp_fastopen: fix data races around tfo_active_disable_stamp + +From: Eric Dumazet + +[ Upstream commit 6f20c8adb1813467ea52c1296d52c4e95978cb2f ] + +tfo_active_disable_stamp is read and written locklessly. +We need to annotate these accesses appropriately. + +Then, we need to perform the atomic_inc(tfo_active_disable_times) +after the timestamp has been updated, and thus add barriers +to make sure tcp_fastopen_active_should_disable() wont read +a stale timestamp. + +Fixes: cf1ef3f0719b ("net/tcp_fastopen: Disable active side TFO in certain scenarios") +Signed-off-by: Eric Dumazet +Cc: Wei Wang +Cc: Yuchung Cheng +Cc: Neal Cardwell +Acked-by: Wei Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_fastopen.c | 19 ++++++++++++++++--- + 1 file changed, 16 insertions(+), 3 deletions(-) + +diff --git a/net/ipv4/tcp_fastopen.c b/net/ipv4/tcp_fastopen.c +index af2814c9342a..08548ff23d83 100644 +--- a/net/ipv4/tcp_fastopen.c ++++ b/net/ipv4/tcp_fastopen.c +@@ -507,8 +507,15 @@ void tcp_fastopen_active_disable(struct sock *sk) + { + struct net *net = sock_net(sk); + ++ /* Paired with READ_ONCE() in tcp_fastopen_active_should_disable() */ ++ WRITE_ONCE(net->ipv4.tfo_active_disable_stamp, jiffies); ++ ++ /* Paired with smp_rmb() in tcp_fastopen_active_should_disable(). ++ * We want net->ipv4.tfo_active_disable_stamp to be updated first. 
++ */ ++ smp_mb__before_atomic(); + atomic_inc(&net->ipv4.tfo_active_disable_times); +- net->ipv4.tfo_active_disable_stamp = jiffies; ++ + NET_INC_STATS(net, LINUX_MIB_TCPFASTOPENBLACKHOLE); + } + +@@ -526,10 +533,16 @@ bool tcp_fastopen_active_should_disable(struct sock *sk) + if (!tfo_da_times) + return false; + ++ /* Paired with smp_mb__before_atomic() in tcp_fastopen_active_disable() */ ++ smp_rmb(); ++ + /* Limit timout to max: 2^6 * initial timeout */ + multiplier = 1 << min(tfo_da_times - 1, 6); +- timeout = multiplier * tfo_bh_timeout * HZ; +- if (time_before(jiffies, sock_net(sk)->ipv4.tfo_active_disable_stamp + timeout)) ++ ++ /* Paired with the WRITE_ONCE() in tcp_fastopen_active_disable(). */ ++ timeout = READ_ONCE(sock_net(sk)->ipv4.tfo_active_disable_stamp) + ++ multiplier * tfo_bh_timeout * HZ; ++ if (time_before(jiffies, timeout)) + return true; + + /* Mark check bit so we can check for successful active TFO +-- +2.30.2 + diff --git a/queue-5.10/netrom-decrease-sock-refcount-when-sock-timers-expir.patch b/queue-5.10/netrom-decrease-sock-refcount-when-sock-timers-expir.patch new file mode 100644 index 00000000000..f419193382c --- /dev/null +++ b/queue-5.10/netrom-decrease-sock-refcount-when-sock-timers-expir.patch 
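Review bot: in `tcp_fastopen_active_should_disable()` the variable `timeout` changes meaning: it used to hold a duration (`multiplier * tfo_bh_timeout * HZ`) and now holds an absolute jiffies deadline (`READ_ONCE(...tfo_active_disable_stamp) + multiplier * tfo_bh_timeout * HZ`) that is fed straight to `time_before(jiffies, timeout)`. Rename it (for example `deadline`) or add a comment, since a later edit that treats it as a duration again would compile and be wrong. The barrier pairing comments on both sides (`smp_mb__before_atomic()` in `tcp_fastopen_active_disable()`, `smp_rmb()` here) are exactly what this kind of lockless ordering needs; keep them in sync if either side moves.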
@@ -0,0 +1,118 @@ +From 399ade11841e93564de18eefcf87fa90f358eff4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Jul 2021 22:40:13 +0800 +Subject: netrom: Decrease sock refcount when sock timers expire + +From: Nguyen Dinh Phi + +[ Upstream commit 517a16b1a88bdb6b530f48d5d153478b2552d9a8 ] + +Commit 63346650c1a9 ("netrom: switch to sock timer API") switched to use +sock timer API. It replaces mod_timer() by sk_reset_timer(), and +del_timer() by sk_stop_timer(). + +Function sk_reset_timer() will increase the refcount of sock if it is +called on an inactive timer, hence, in case the timer expires, we need to +decrease the refcount ourselves in the handler, otherwise, the sock +refcount will be unbalanced and the sock will never be freed. + +Signed-off-by: Nguyen Dinh Phi +Reported-by: syzbot+10f1194569953b72f1ae@syzkaller.appspotmail.com +Fixes: 63346650c1a9 ("netrom: switch to sock timer API") +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/netrom/nr_timer.c | 20 +++++++++++--------- + 1 file changed, 11 insertions(+), 9 deletions(-) + +diff --git a/net/netrom/nr_timer.c b/net/netrom/nr_timer.c +index 9115f8a7dd45..a8da88db7893 100644 +--- a/net/netrom/nr_timer.c ++++ b/net/netrom/nr_timer.c +@@ -121,11 +121,9 @@ static void nr_heartbeat_expiry(struct timer_list *t) + is accepted() it isn't 'dead' so doesn't get removed. 
*/ + if (sock_flag(sk, SOCK_DESTROY) || + (sk->sk_state == TCP_LISTEN && sock_flag(sk, SOCK_DEAD))) { +- sock_hold(sk); + bh_unlock_sock(sk); + nr_destroy_socket(sk); +- sock_put(sk); +- return; ++ goto out; + } + break; + +@@ -146,6 +144,8 @@ static void nr_heartbeat_expiry(struct timer_list *t) + + nr_start_heartbeat(sk); + bh_unlock_sock(sk); ++out: ++ sock_put(sk); + } + + static void nr_t2timer_expiry(struct timer_list *t) +@@ -159,6 +159,7 @@ static void nr_t2timer_expiry(struct timer_list *t) + nr_enquiry_response(sk); + } + bh_unlock_sock(sk); ++ sock_put(sk); + } + + static void nr_t4timer_expiry(struct timer_list *t) +@@ -169,6 +170,7 @@ static void nr_t4timer_expiry(struct timer_list *t) + bh_lock_sock(sk); + nr_sk(sk)->condition &= ~NR_COND_PEER_RX_BUSY; + bh_unlock_sock(sk); ++ sock_put(sk); + } + + static void nr_idletimer_expiry(struct timer_list *t) +@@ -197,6 +199,7 @@ static void nr_idletimer_expiry(struct timer_list *t) + sock_set_flag(sk, SOCK_DEAD); + } + bh_unlock_sock(sk); ++ sock_put(sk); + } + + static void nr_t1timer_expiry(struct timer_list *t) +@@ -209,8 +212,7 @@ static void nr_t1timer_expiry(struct timer_list *t) + case NR_STATE_1: + if (nr->n2count == nr->n2) { + nr_disconnect(sk, ETIMEDOUT); +- bh_unlock_sock(sk); +- return; ++ goto out; + } else { + nr->n2count++; + nr_write_internal(sk, NR_CONNREQ); +@@ -220,8 +222,7 @@ static void nr_t1timer_expiry(struct timer_list *t) + case NR_STATE_2: + if (nr->n2count == nr->n2) { + nr_disconnect(sk, ETIMEDOUT); +- bh_unlock_sock(sk); +- return; ++ goto out; + } else { + nr->n2count++; + nr_write_internal(sk, NR_DISCREQ); +@@ -231,8 +232,7 @@ static void nr_t1timer_expiry(struct timer_list *t) + case NR_STATE_3: + if (nr->n2count == nr->n2) { + nr_disconnect(sk, ETIMEDOUT); +- bh_unlock_sock(sk); +- return; ++ goto out; + } else { + nr->n2count++; + nr_requeue_frames(sk); +@@ -241,5 +241,7 @@ static void nr_t1timer_expiry(struct timer_list *t) + } + + nr_start_t1timer(sk); ++out: + 
bh_unlock_sock(sk); ++ sock_put(sk); + } +-- +2.30.2 + diff --git a/queue-5.10/nvme-pci-do-not-call-nvme_dev_remove_admin-from-nvme.patch b/queue-5.10/nvme-pci-do-not-call-nvme_dev_remove_admin-from-nvme.patch new file mode 100644 index 00000000000..2add9081051 --- /dev/null +++ b/queue-5.10/nvme-pci-do-not-call-nvme_dev_remove_admin-from-nvme.patch @@ -0,0 +1,44 @@ +From 8eaf1a2c015aaa928aa5ad35ab14613c411defd3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Jul 2021 14:14:32 -0700 +Subject: nvme-pci: do not call nvme_dev_remove_admin from nvme_remove + +From: Casey Chen + +[ Upstream commit 251ef6f71be2adfd09546a26643426fe62585173 ] + +nvme_dev_remove_admin could free dev->admin_q and the admin_tagset +while they are being accessed by nvme_dev_disable(), which can be called +by nvme_reset_work via nvme_remove_dead_ctrl. + +Commit cb4bfda62afa ("nvme-pci: fix hot removal during error handling") +intended to avoid requests being stuck on a removed controller by killing +the admin queue. But the later fix c8e9e9b7646e ("nvme-pci: unquiesce +admin queue on shutdown"), together with nvme_dev_disable(dev, true) +right before nvme_dev_remove_admin() could help dispatch requests and +fail them early, so we don't need nvme_dev_remove_admin() any more. + +Fixes: cb4bfda62afa ("nvme-pci: fix hot removal during error handling") +Signed-off-by: Casey Chen +Reviewed-by: Keith Busch +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index 3f05df98697d..80e1d45b0668 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -3003,7 +3003,6 @@ static void nvme_remove(struct pci_dev *pdev) + if (!pci_device_is_present(pdev)) { + nvme_change_ctrl_state(&dev->ctrl, NVME_CTRL_DEAD); + nvme_dev_disable(dev, true); +- nvme_dev_remove_admin(dev); + } + + flush_work(&dev->ctrl.reset_work); +-- +2.30.2 + 
diff --git a/queue-5.10/nvme-pci-don-t-warn_on-in-nvme_reset_work-if-ctrl.st.patch b/queue-5.10/nvme-pci-don-t-warn_on-in-nvme_reset_work-if-ctrl.st.patch new file mode 100644 index 00000000000..01cd210c523 --- /dev/null +++ b/queue-5.10/nvme-pci-don-t-warn_on-in-nvme_reset_work-if-ctrl.st.patch 
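Review bot: in the netrom patch, the two new `out:` labels in `net/netrom/nr_timer.c` have different lock expectations: in `nr_heartbeat_expiry()` the label sits after `bh_unlock_sock(sk)` and the destroy path unlocks before `goto out`, while in `nr_t1timer_expiry()` the label sits before `bh_unlock_sock(sk)` and the `goto out` paths arrive with the lock held. Same name, opposite contract, in the same file; a future `goto out` copied from one handler to the other will either double-unlock or leak the lock. Suggest distinct label names (for example `out_put` and `out_unlock`) or a comment at each label. Also worth a comment at the top of the file: every expiry handler must now drop the reference taken by `sk_reset_timer()` on every return path, and the removal of the `sock_hold()`/`sock_put()` pair around `nr_destroy_socket()` relies on that timer reference keeping `sk` alive until the final `sock_put()`.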
@@ -0,0 +1,81 @@ +From a0e56141256178192c5e0d88c7ac46452ce01703 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Jul 2021 21:38:29 +0800 +Subject: nvme-pci: don't WARN_ON in nvme_reset_work if ctrl.state is not + RESETTING + +From: Zhihao Cheng + +[ Upstream commit 7764656b108cd308c39e9a8554353b8f9ca232a3 ] + +Followling process: +nvme_probe + nvme_reset_ctrl + nvme_change_ctrl_state(ctrl, NVME_CTRL_RESETTING) + queue_work(nvme_reset_wq, &ctrl->reset_work) + +--------------> nvme_remove + nvme_change_ctrl_state(&dev->ctrl, NVME_CTRL_DELETING) +worker_thread + process_one_work + nvme_reset_work + WARN_ON(dev->ctrl.state != NVME_CTRL_RESETTING) + +, which will trigger WARN_ON in nvme_reset_work(): +[ 127.534298] WARNING: CPU: 0 PID: 139 at drivers/nvme/host/pci.c:2594 +[ 127.536161] CPU: 0 PID: 139 Comm: kworker/u8:7 Not tainted 5.13.0 +[ 127.552518] Call Trace: +[ 127.552840] ? kvm_sched_clock_read+0x25/0x40 +[ 127.553936] ? native_send_call_func_single_ipi+0x1c/0x30 +[ 127.555117] ? send_call_function_single_ipi+0x9b/0x130 +[ 127.556263] ? __smp_call_single_queue+0x48/0x60 +[ 127.557278] ? ttwu_queue_wakelist+0xfa/0x1c0 +[ 127.558231] ? try_to_wake_up+0x265/0x9d0 +[ 127.559120] ? ext4_end_io_rsv_work+0x160/0x290 +[ 127.560118] process_one_work+0x28c/0x640 +[ 127.561002] worker_thread+0x39a/0x700 +[ 127.561833] ? rescuer_thread+0x580/0x580 +[ 127.562714] kthread+0x18c/0x1e0 +[ 127.563444] ? set_kthread_struct+0x70/0x70 +[ 127.564347] ret_from_fork+0x1f/0x30 + +The preceding problem can be easily reproduced by executing following +script (based on blktests suite): +test() { + pdev="$(_get_pci_dev_from_blkdev)" + sysfs="/sys/bus/pci/devices/${pdev}" + for ((i = 0; i < 10; i++)); do + echo 1 > "$sysfs/remove" + echo 1 > /sys/bus/pci/rescan + done +} + +Since the device ctrl could be updated as an non-RESETTING state by +repeating probe/remove in userspace (which is a normal situation), we +can replace stack dumping WARN_ON with a warnning message. 
+ +Fixes: 82b057caefaff ("nvme-pci: fix multiple ctrl removal schedulin") +Signed-off-by: Zhihao Cheng +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index 80e1d45b0668..fb48a88d1acb 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -2596,7 +2596,9 @@ static void nvme_reset_work(struct work_struct *work) + bool was_suspend = !!(dev->ctrl.ctrl_config & NVME_CC_SHN_NORMAL); + int result; + +- if (WARN_ON(dev->ctrl.state != NVME_CTRL_RESETTING)) { ++ if (dev->ctrl.state != NVME_CTRL_RESETTING) { ++ dev_warn(dev->ctrl.device, "ctrl state %d is not RESETTING\n", ++ dev->ctrl.state); + result = -ENODEV; + goto out; + } +-- +2.30.2 + diff --git a/queue-5.10/nvme-set-the-pract-bit-when-using-write-zeroes-with-.patch b/queue-5.10/nvme-set-the-pract-bit-when-using-write-zeroes-with-.patch new file mode 100644 index 00000000000..6b62000844f --- /dev/null +++ b/queue-5.10/nvme-set-the-pract-bit-when-using-write-zeroes-with-.patch 
@@ -0,0 +1,43 @@ +From 9539404584f179a8abefd3c6ed6967fd62e736db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jul 2021 10:00:11 +0200 +Subject: nvme: set the PRACT bit when using Write Zeroes with T10 PI + +From: Christoph Hellwig + +[ Upstream commit aaeb7bb061be545251606f4d9c82d710ca2a7c8e ] + +When using Write Zeroes on a namespace that has protection +information enabled they behavior without the PRACT bit +counter-intuitive and will generally lead to validation failures +when reading the written blocks. Fix this by always setting the +PRACT bit that generates matching PI data on the fly. + +Fixes: 6e02318eaea5 ("nvme: add support for the Write Zeroes command") +Signed-off-by: Christoph Hellwig +Reviewed-by: Keith Busch +Reviewed-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/core.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index f520a71a361f..ff5a16b17133 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -751,7 +751,10 @@ static inline blk_status_t nvme_setup_write_zeroes(struct nvme_ns *ns, + cpu_to_le64(nvme_sect_to_lba(ns, blk_rq_pos(req))); + cmnd->write_zeroes.length = + cpu_to_le16((blk_rq_bytes(req) >> ns->lba_shift) - 1); +- cmnd->write_zeroes.control = 0; ++ if (nvme_ns_has_pi(ns)) ++ cmnd->write_zeroes.control = cpu_to_le16(NVME_RW_PRINFO_PRACT); ++ else ++ cmnd->write_zeroes.control = 0; + return BLK_STS_OK; + } + +-- +2.30.2 + diff --git a/queue-5.10/perf-data-close-all-files-in-close_dir.patch b/queue-5.10/perf-data-close-all-files-in-close_dir.patch new file mode 100644 index 00000000000..22aaf924198 --- /dev/null +++ b/queue-5.10/perf-data-close-all-files-in-close_dir.patch 
@@ -0,0 +1,46 @@ +From d5ac86421bdd6ade24e663ba7735b4f6961cd620 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jul 2021 16:11:20 +0200 +Subject: perf data: Close all files in close_dir() + +From: Riccardo Mancini + +[ Upstream commit d4b3eedce151e63932ce4a00f1d0baa340a8b907 ] + +When using 'perf report' in directory mode, the first file is not closed +on exit, causing a memory leak. + +The problem is caused by the iterating variable never reaching 0. + +Fixes: 145520631130bd64 ("perf data: Add perf_data__(create_dir|close_dir) functions") +Signed-off-by: Riccardo Mancini +Acked-by: Namhyung Kim +Cc: Alexander Shishkin +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Peter Zijlstra +Cc: Zhen Lei +Link: http://lore.kernel.org/lkml/20210716141122.858082-1-rickyman7@gmail.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/data.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/util/data.c b/tools/perf/util/data.c +index 5d97b3e45fbb..bcb494dc816a 100644 +--- a/tools/perf/util/data.c ++++ b/tools/perf/util/data.c +@@ -20,7 +20,7 @@ + + static void close_dir(struct perf_data_file *files, int nr) + { +- while (--nr >= 1) { ++ while (--nr >= 0) { + close(files[nr].fd); + zfree(&files[nr].path); + } +-- +2.30.2 + diff --git a/queue-5.10/perf-dso-fix-memory-leak-in-dso__new_map.patch b/queue-5.10/perf-dso-fix-memory-leak-in-dso__new_map.patch new file mode 100644 index 00000000000..79ebf2ba288 --- /dev/null +++ b/queue-5.10/perf-dso-fix-memory-leak-in-dso__new_map.patch 
@@ -0,0 +1,54 @@ +From 74af9a71b0cf8cb97cb7d0772f00c272abe37ec3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jul 2021 18:07:11 +0200 +Subject: perf dso: Fix memory leak in dso__new_map() + +From: Riccardo Mancini + +[ Upstream commit 581e295a0f6b5c2931d280259fbbfff56959faa9 ] + +ASan reports a memory leak when running: + + # perf test "65: maps__merge_in". + +The causes of the leaks are two, this patch addresses only the first +one, which is related to dso__new_map(). + +The bug is that dso__new_map() creates a new dso but never decreases the +refcount it gets from creating it. + +This patch adds the missing dso__put(). + +Signed-off-by: Riccardo Mancini +Fixes: d3a7c489c7fd2463 ("perf tools: Reference count struct dso") +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lore.kernel.org/lkml/60bfe0cd06e89e2ca33646eb8468d7f5de2ee597.1626343282.git.rickyman7@gmail.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/dso.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/tools/perf/util/dso.c b/tools/perf/util/dso.c +index 55c11e854fe4..b1ff0c9f32da 100644 +--- a/tools/perf/util/dso.c ++++ b/tools/perf/util/dso.c +@@ -1141,8 +1141,10 @@ struct map *dso__new_map(const char *name) + struct map *map = NULL; + struct dso *dso = dso__new(name); + +- if (dso) ++ if (dso) { + map = map__new2(0, dso); ++ dso__put(dso); ++ } + + return map; + } +-- +2.30.2 + diff --git a/queue-5.10/perf-env-fix-memory-leak-of-cpu_pmu_caps.patch b/queue-5.10/perf-env-fix-memory-leak-of-cpu_pmu_caps.patch new file mode 100644 index 00000000000..6d582c60ef0 --- /dev/null +++ b/queue-5.10/perf-env-fix-memory-leak-of-cpu_pmu_caps.patch 
@@ -0,0 +1,47 @@ +From b75985a750b40a7cb1cbf2130f974db29f6d4e4a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jul 2021 18:07:13 +0200 +Subject: perf env: Fix memory leak of cpu_pmu_caps + +From: Riccardo Mancini + +[ Upstream commit da6b7c6c0626901428245f65712385805e42eba6 ] + +ASan reports memory leaks while running: + + # perf test "83: Zstd perf.data compression/decompression" + +The first of the leaks is caused by env->cpu_pmu_caps not being freed. + +This patch adds the missing (z)free inside perf_env__exit. + +Signed-off-by: Riccardo Mancini +Fixes: 6f91ea283a1ed23e ("perf header: Support CPU PMU capabilities") +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Kan Liang +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lore.kernel.org/lkml/6ba036a8220156ec1f3d6be3e5d25920f6145028.1626343282.git.rickyman7@gmail.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/env.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/perf/util/env.c b/tools/perf/util/env.c +index 744e51c4a6bd..03bc843b1cf8 100644 +--- a/tools/perf/util/env.c ++++ b/tools/perf/util/env.c +@@ -183,6 +183,7 @@ void perf_env__exit(struct perf_env *env) + zfree(&env->sibling_threads); + zfree(&env->pmu_mappings); + zfree(&env->cpu); ++ zfree(&env->cpu_pmu_caps); + zfree(&env->numa_map); + + for (i = 0; i < env->nr_numa_nodes; i++) +-- +2.30.2 + diff --git a/queue-5.10/perf-env-fix-sibling_dies-memory-leak.patch b/queue-5.10/perf-env-fix-sibling_dies-memory-leak.patch new file mode 100644 index 00000000000..da6b3d581d4 --- /dev/null +++ b/queue-5.10/perf-env-fix-sibling_dies-memory-leak.patch 
@@ -0,0 +1,46 @@ +From d177d26ed076dbe7172e08f838372c7dc42a0797 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jul 2021 18:07:07 +0200 +Subject: perf env: Fix sibling_dies memory leak + +From: Riccardo Mancini + +[ Upstream commit 42db3d9ded555f7148b5695109a7dc8d66f0dde4 ] + +ASan reports a memory leak in perf_env while running: + + # perf test "41: Session topology" + +Caused by sibling_dies not being freed. + +This patch adds the required free. + +Fixes: acae8b36cded0ee6 ("perf header: Add die information in CPU topology") +Signed-off-by: Riccardo Mancini +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lore.kernel.org/lkml/2140d0b57656e4eb9021ca9772250c24c032924b.1626343282.git.rickyman7@gmail.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/env.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/perf/util/env.c b/tools/perf/util/env.c +index fadc59708ece..744e51c4a6bd 100644 +--- a/tools/perf/util/env.c ++++ b/tools/perf/util/env.c +@@ -178,6 +178,7 @@ void perf_env__exit(struct perf_env *env) + zfree(&env->cpuid); + zfree(&env->cmdline); + zfree(&env->cmdline_argv); ++ zfree(&env->sibling_dies); + zfree(&env->sibling_cores); + zfree(&env->sibling_threads); + zfree(&env->pmu_mappings); +-- +2.30.2 + diff --git a/queue-5.10/perf-inject-fix-dso-nsinfo-refcounting.patch b/queue-5.10/perf-inject-fix-dso-nsinfo-refcounting.patch new file mode 100644 index 00000000000..12c12e8423c --- /dev/null +++ b/queue-5.10/perf-inject-fix-dso-nsinfo-refcounting.patch 
@@ -0,0 +1,54 @@ +From b417be806e7a34d4b19e9c221f4aea1b4ad8f5fd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jul 2021 18:07:06 +0200 +Subject: perf inject: Fix dso->nsinfo refcounting + +From: Riccardo Mancini + +[ Upstream commit 0967ebffe098157180a0bbd180ac90348c6e07d7 ] + +ASan reports a memory leak of nsinfo during the execution of: + + # perf test "31: Lookup mmap thread" + +The leak is caused by a refcounted variable being replaced without +dropping the refcount. + +This patch makes sure that the refcnt of nsinfo is decreased when a +refcounted variable is replaced with a new value. + +Signed-off-by: Riccardo Mancini +Fixes: 27c9c3424fc217da ("perf inject: Add --buildid-all option") +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lore.kernel.org/lkml/55223bc8821b34ccb01f92ef1401c02b6a32e61f.1626343282.git.rickyman7@gmail.com +[ Split from a larger patch ] +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-inject.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/tools/perf/builtin-inject.c b/tools/perf/builtin-inject.c +index 5320ac1b1285..ec7e46b63551 100644 +--- a/tools/perf/builtin-inject.c ++++ b/tools/perf/builtin-inject.c +@@ -358,9 +358,10 @@ static struct dso *findnew_dso(int pid, int tid, const char *filename, + dso = machine__findnew_dso_id(machine, filename, id); + } + +- if (dso) ++ if (dso) { ++ nsinfo__put(dso->nsinfo); + dso->nsinfo = nsi; +- else ++ } else + nsinfo__put(nsi); + + thread__put(thread); +-- +2.30.2 + diff --git a/queue-5.10/perf-lzma-close-lzma-stream-on-exit.patch b/queue-5.10/perf-lzma-close-lzma-stream-on-exit.patch new file mode 100644 index 00000000000..bc7f989f28a --- /dev/null +++ b/queue-5.10/perf-lzma-close-lzma-stream-on-exit.patch 
@@ -0,0 +1,72 @@ +From 5d479f7fc8daa9a97098ab28764104b9e92c098e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jul 2021 18:07:19 +0200 +Subject: perf lzma: Close lzma stream on exit + +From: Riccardo Mancini + +[ Upstream commit f8cbb0f926ae1e1fb5f9e51614e5437560ed4039 ] + +ASan reports memory leaks when running: + + # perf test "88: Check open filename arg using perf trace + vfs_getname" + +One of these is caused by the lzma stream never being closed inside +lzma_decompress_to_file(). + +This patch adds the missing lzma_end(). + +Signed-off-by: Riccardo Mancini +Fixes: 80a32e5b498a7547 ("perf tools: Add lzma decompression support for kernel module") +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lore.kernel.org/lkml/aaf50bdce7afe996cfc06e1bbb36e4a2a9b9db93.1626343282.git.rickyman7@gmail.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/lzma.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/tools/perf/util/lzma.c b/tools/perf/util/lzma.c +index 39062df02629..51424cdc3b68 100644 +--- a/tools/perf/util/lzma.c ++++ b/tools/perf/util/lzma.c +@@ -69,7 +69,7 @@ int lzma_decompress_to_file(const char *input, int output_fd) + + if (ferror(infile)) { + pr_err("lzma: read error: %s\n", strerror(errno)); +- goto err_fclose; ++ goto err_lzma_end; + } + + if (feof(infile)) +@@ -83,7 +83,7 @@ int lzma_decompress_to_file(const char *input, int output_fd) + + if (writen(output_fd, buf_out, write_size) != write_size) { + pr_err("lzma: write error: %s\n", strerror(errno)); +- goto err_fclose; ++ goto err_lzma_end; + } + + strm.next_out = buf_out; +@@ -95,11 +95,13 @@ int lzma_decompress_to_file(const char *input, int output_fd) + break; + + pr_err("lzma: failed %s\n", lzma_strerror(ret)); +- goto err_fclose; ++ goto err_lzma_end; + } + } + + err = 0; ++err_lzma_end: ++ lzma_end(&strm); + err_fclose: + fclose(infile); + return err; +-- +2.30.2 
+ diff --git a/queue-5.10/perf-map-fix-dso-nsinfo-refcounting.patch b/queue-5.10/perf-map-fix-dso-nsinfo-refcounting.patch new file mode 100644 index 00000000000..8c2b0ea3822 --- /dev/null +++ b/queue-5.10/perf-map-fix-dso-nsinfo-refcounting.patch @@ -0,0 +1,51 @@ +From c3082db07e4409f7ca462e7655599cb7307a6b6d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jul 2021 18:07:06 +0200 +Subject: perf map: Fix dso->nsinfo refcounting + +From: Riccardo Mancini + +[ Upstream commit 2d6b74baa7147251c30a46c4996e8cc224aa2dc5 ] + +ASan reports a memory leak of nsinfo during the execution of + + # perf test "31: Lookup mmap thread" + +The leak is caused by a refcounted variable being replaced without +dropping the refcount. + +This patch makes sure that the refcnt of nsinfo is decreased whenever a +refcounted variable is replaced with a new value. + +Signed-off-by: Riccardo Mancini +Fixes: bf2e710b3cb8445c ("perf maps: Lookup maps in both intitial mountns and inner mountns.") +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Krister Johansen +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lore.kernel.org/lkml/55223bc8821b34ccb01f92ef1401c02b6a32e61f.1626343282.git.rickyman7@gmail.com +[ Split from a larger patch ] +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/map.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tools/perf/util/map.c b/tools/perf/util/map.c +index f4d44f75ba15..6688f6b253a7 100644 +--- a/tools/perf/util/map.c ++++ b/tools/perf/util/map.c +@@ -192,6 +192,8 @@ struct map *map__new(struct machine *machine, u64 start, u64 len, + if (!(prot & PROT_EXEC)) + dso__set_loaded(dso); + } ++ ++ nsinfo__put(dso->nsinfo); + dso->nsinfo = nsi; + dso__put(dso); + } +-- +2.30.2 + diff --git a/queue-5.10/perf-probe-file-delete-namelist-in-del_events-on-the.patch b/queue-5.10/perf-probe-file-delete-namelist-in-del_events-on-the.patch new file mode 100644 index 00000000000..de5b5403393 --- /dev/null 
+++ b/queue-5.10/perf-probe-file-delete-namelist-in-del_events-on-the.patch @@ -0,0 +1,54 @@ +From 5c67055280c3707211feea473aa8590988d005f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jul 2021 18:07:25 +0200 +Subject: perf probe-file: Delete namelist in del_events() on the error path + +From: Riccardo Mancini + +[ Upstream commit e0fa7ab42232e742dcb3de9f3c1f6127b5adc019 ] + +ASan reports some memory leaks when running: + + # perf test "42: BPF filter" + +This second leak is caused by a strlist not being dellocated on error +inside probe_file__del_events. + +This patch adds a goto label before the deallocation and makes the error +path jump to it. + +Signed-off-by: Riccardo Mancini +Fixes: e7895e422e4da63d ("perf probe: Split del_perf_probe_events()") +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lore.kernel.org/lkml/174963c587ae77fa108af794669998e4ae558338.1626343282.git.rickyman7@gmail.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/probe-file.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/perf/util/probe-file.c b/tools/perf/util/probe-file.c +index bbecb449ea94..d2b98d64438e 100644 +--- a/tools/perf/util/probe-file.c ++++ b/tools/perf/util/probe-file.c +@@ -342,11 +342,11 @@ int probe_file__del_events(int fd, struct strfilter *filter) + + ret = probe_file__get_events(fd, filter, namelist); + if (ret < 0) +- return ret; ++ goto out; + + ret = probe_file__del_strlist(fd, namelist); ++out: + strlist__delete(namelist); +- + return ret; + } + +-- +2.30.2 + diff --git a/queue-5.10/perf-probe-fix-dso-nsinfo-refcounting.patch b/queue-5.10/perf-probe-fix-dso-nsinfo-refcounting.patch new file mode 100644 index 00000000000..861c1dc6730 --- /dev/null +++ b/queue-5.10/perf-probe-fix-dso-nsinfo-refcounting.patch 
@@ -0,0 +1,54 @@ +From 6fe023c0157d1807b731ff4cc6111e7d8e2985bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jul 2021 18:07:06 +0200 +Subject: perf probe: Fix dso->nsinfo refcounting + +From: Riccardo Mancini + +[ Upstream commit dedeb4be203b382ba7245d13079bc3b0f6d40c65 ] + +ASan reports a memory leak of nsinfo during the execution of: + + # perf test "31: Lookup mmap thread". + +The leak is caused by a refcounted variable being replaced without +dropping the refcount. + +This patch makes sure that the refcnt of nsinfo is decreased whenever +a refcounted variable is replaced with a new value. + +Signed-off-by: Riccardo Mancini +Fixes: 544abd44c7064c8a ("perf probe: Allow placing uprobes in alternate namespaces.") +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Krister Johansen +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lore.kernel.org/lkml/55223bc8821b34ccb01f92ef1401c02b6a32e61f.1626343282.git.rickyman7@gmail.com +[ Split from a larger patch ] +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/probe-event.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/tools/perf/util/probe-event.c b/tools/perf/util/probe-event.c +index 8eae2afff71a..07db6cfad65b 100644 +--- a/tools/perf/util/probe-event.c ++++ b/tools/perf/util/probe-event.c +@@ -180,8 +180,10 @@ struct map *get_target_map(const char *target, struct nsinfo *nsi, bool user) + struct map *map; + + map = dso__new_map(target); +- if (map && map->dso) ++ if (map && map->dso) { ++ nsinfo__put(map->dso->nsinfo); + map->dso->nsinfo = nsinfo__get(nsi); ++ } + return map; + } else { + return kernel_get_module_map(target); +-- +2.30.2 + diff --git a/queue-5.10/perf-report-free-generated-help-strings-for-sort-opt.patch b/queue-5.10/perf-report-free-generated-help-strings-for-sort-opt.patch new file mode 100644 index 00000000000..8f0e802faad --- /dev/null +++ b/queue-5.10/perf-report-free-generated-help-strings-for-sort-opt.patch 
@@ -0,0 +1,158 @@ +From dbbe76228ea5195855847aed8b4b3974c7c58a96 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jul 2021 18:07:14 +0200 +Subject: perf report: Free generated help strings for sort option + +From: Riccardo Mancini + +[ Upstream commit a37338aad8c4d8676173ead14e881d2ec308155c ] + +ASan reports the memory leak of the strings allocated by sort_help() when +running perf report. + +This patch changes the returned pointer to char* (instead of const +char*), saves it in a temporary variable, and finally deallocates it at +function exit. + +Signed-off-by: Riccardo Mancini +Fixes: 702fb9b415e7c99b ("perf report: Show all sort keys in help output") +Cc: Andi Kleen +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lore.kernel.org/lkml/a38b13f02812a8a6759200b9063c6191337f44d4.1626343282.git.rickyman7@gmail.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-report.c | 33 ++++++++++++++++++++++----------- + tools/perf/util/sort.c | 2 +- + tools/perf/util/sort.h | 2 +- + 3 files changed, 24 insertions(+), 13 deletions(-) + +diff --git a/tools/perf/builtin-report.c b/tools/perf/builtin-report.c +index 3c74c9c0f3c3..5824aa24acfc 100644 +--- a/tools/perf/builtin-report.c ++++ b/tools/perf/builtin-report.c +@@ -1143,6 +1143,8 @@ int cmd_report(int argc, const char **argv) + .socket_filter = -1, + .annotation_opts = annotation__default_options, + }; ++ char *sort_order_help = sort_help("sort by key(s):"); ++ char *field_order_help = sort_help("output field(s): overhead period sample "); + const struct option options[] = { + OPT_STRING('i', "input", &input_name, "file", + "input file name"), +@@ -1177,9 +1179,9 @@ int cmd_report(int argc, const char **argv) + OPT_BOOLEAN(0, "header-only", &report.header_only, + "Show only data header."), + OPT_STRING('s', "sort", &sort_order, "key[,key2...]", +- sort_help("sort by key(s):")), ++ sort_order_help), + 
OPT_STRING('F', "fields", &field_order, "key[,keys...]", +- sort_help("output field(s): overhead period sample ")), ++ field_order_help), + OPT_BOOLEAN(0, "show-cpu-utilization", &symbol_conf.show_cpu_utilization, + "Show sample percentage for different cpu modes"), + OPT_BOOLEAN_FLAG(0, "showcpuutilization", &symbol_conf.show_cpu_utilization, +@@ -1308,11 +1310,11 @@ int cmd_report(int argc, const char **argv) + char sort_tmp[128]; + + if (ret < 0) +- return ret; ++ goto exit; + + ret = perf_config(report__config, &report); + if (ret) +- return ret; ++ goto exit; + + argc = parse_options(argc, argv, options, report_usage, 0); + if (argc) { +@@ -1326,8 +1328,10 @@ int cmd_report(int argc, const char **argv) + report.symbol_filter_str = argv[0]; + } + +- if (annotate_check_args(&report.annotation_opts) < 0) +- return -EINVAL; ++ if (annotate_check_args(&report.annotation_opts) < 0) { ++ ret = -EINVAL; ++ goto exit; ++ } + + if (report.mmaps_mode) + report.tasks_mode = true; +@@ -1341,12 +1345,14 @@ int cmd_report(int argc, const char **argv) + if (symbol_conf.vmlinux_name && + access(symbol_conf.vmlinux_name, R_OK)) { + pr_err("Invalid file: %s\n", symbol_conf.vmlinux_name); +- return -EINVAL; ++ ret = -EINVAL; ++ goto exit; + } + if (symbol_conf.kallsyms_name && + access(symbol_conf.kallsyms_name, R_OK)) { + pr_err("Invalid file: %s\n", symbol_conf.kallsyms_name); +- return -EINVAL; ++ ret = -EINVAL; ++ goto exit; + } + + if (report.inverted_callchain) +@@ -1370,12 +1376,14 @@ int cmd_report(int argc, const char **argv) + + repeat: + session = perf_session__new(&data, false, &report.tool); +- if (IS_ERR(session)) +- return PTR_ERR(session); ++ if (IS_ERR(session)) { ++ ret = PTR_ERR(session); ++ goto exit; ++ } + + ret = evswitch__init(&report.evswitch, session->evlist, stderr); + if (ret) +- return ret; ++ goto exit; + + if (zstd_init(&(session->zstd_data), 0) < 0) + pr_warning("Decompression initialization failed. 
Reported data may be incomplete.\n"); +@@ -1603,5 +1611,8 @@ error: + + zstd_fini(&(session->zstd_data)); + perf_session__delete(session); ++exit: ++ free(sort_order_help); ++ free(field_order_help); + return ret; + } +diff --git a/tools/perf/util/sort.c b/tools/perf/util/sort.c +index 8a3b7d5a4737..5e9e96452b9e 100644 +--- a/tools/perf/util/sort.c ++++ b/tools/perf/util/sort.c +@@ -3177,7 +3177,7 @@ static void add_hpp_sort_string(struct strbuf *sb, struct hpp_dimension *s, int + add_key(sb, s[i].name, llen); + } + +-const char *sort_help(const char *prefix) ++char *sort_help(const char *prefix) + { + struct strbuf sb; + char *s; +diff --git a/tools/perf/util/sort.h b/tools/perf/util/sort.h +index 66d39c4cfe2b..fc94dcd67abc 100644 +--- a/tools/perf/util/sort.h ++++ b/tools/perf/util/sort.h +@@ -293,7 +293,7 @@ void reset_output_field(void); + void sort__setup_elide(FILE *fp); + void perf_hpp__set_elide(int idx, bool elide); + +-const char *sort_help(const char *prefix); ++char *sort_help(const char *prefix); + + int report_parse_ignore_callees_opt(const struct option *opt, const char *arg, int unset); + +-- +2.30.2 + diff --git a/queue-5.10/perf-sched-fix-record-failure-when-config_schedstats.patch b/queue-5.10/perf-sched-fix-record-failure-when-config_schedstats.patch new file mode 100644 index 00000000000..8d5e28d7ac4 --- /dev/null +++ b/queue-5.10/perf-sched-fix-record-failure-when-config_schedstats.patch 
@@ -0,0 +1,135 @@ +From edd3e448bfe3707b1293860cf8ebe0ce282801c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jul 2021 19:23:58 +0800 +Subject: perf sched: Fix record failure when CONFIG_SCHEDSTATS is not set + +From: Yang Jihong + +[ Upstream commit b0f008551f0bf4d5f6db9b5f0e071b02790d6a2e ] + +The tracepoints trace_sched_stat_{wait, sleep, iowait} are not exposed to user +if CONFIG_SCHEDSTATS is not set, "perf sched record" records the three events. +As a result, the command fails. + +Before: + + #perf sched record sleep 1 + event syntax error: 'sched:sched_stat_wait' + \___ unknown tracepoint + + Error: File /sys/kernel/tracing/events/sched/sched_stat_wait not found. + Hint: Perhaps this kernel misses some CONFIG_ setting to enable this feature?. + + Run 'perf list' for a list of valid events + + Usage: perf record [] [] + or: perf record [] -- [] + + -e, --event event selector. use 'perf list' to list available events + +Solution: + Check whether schedstat tracepoints are exposed. If no, these events are not recorded. + +After: + # perf sched record sleep 1 + [ perf record: Woken up 1 times to write data ] + [ perf record: Captured and wrote 0.163 MB perf.data (1091 samples) ] + # perf sched report + run measurement overhead: 4736 nsecs + sleep measurement overhead: 9059979 nsecs + the run test took 999854 nsecs + the sleep test took 8945271 nsecs + nr_run_events: 716 + nr_sleep_events: 785 + nr_wakeup_events: 0 + ... 
+ ------------------------------------------------------------ + +Fixes: 2a09b5de235a6 ("sched/fair: do not expose some tracepoints to user if CONFIG_SCHEDSTATS is not set") +Signed-off-by: Yang Jihong +Cc: Alexander Shishkin +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Steven Rostedt (VMware) +Cc: Yafang Shao +Link: http://lore.kernel.org/lkml/20210713112358.194693-1-yangjihong1@huawei.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-sched.c | 33 +++++++++++++++++++++++++++++---- + 1 file changed, 29 insertions(+), 4 deletions(-) + +diff --git a/tools/perf/builtin-sched.c b/tools/perf/builtin-sched.c +index 0e16f9d5a947..d3b5f5faf8c1 100644 +--- a/tools/perf/builtin-sched.c ++++ b/tools/perf/builtin-sched.c +@@ -3337,6 +3337,16 @@ static void setup_sorting(struct perf_sched *sched, const struct option *options + sort_dimension__add("pid", &sched->cmp_pid); + } + ++static bool schedstat_events_exposed(void) ++{ ++ /* ++ * Select "sched:sched_stat_wait" event to check ++ * whether schedstat tracepoints are exposed. ++ */ ++ return IS_ERR(trace_event__tp_format("sched", "sched_stat_wait")) ? ++ false : true; ++} ++ + static int __cmd_record(int argc, const char **argv) + { + unsigned int rec_argc, i, j; +@@ -3348,21 +3358,33 @@ static int __cmd_record(int argc, const char **argv) + "-m", "1024", + "-c", "1", + "-e", "sched:sched_switch", +- "-e", "sched:sched_stat_wait", +- "-e", "sched:sched_stat_sleep", +- "-e", "sched:sched_stat_iowait", + "-e", "sched:sched_stat_runtime", + "-e", "sched:sched_process_fork", + "-e", "sched:sched_wakeup_new", + "-e", "sched:sched_migrate_task", + }; ++ ++ /* ++ * The tracepoints trace_sched_stat_{wait, sleep, iowait} ++ * are not exposed to user if CONFIG_SCHEDSTATS is not set, ++ * to prevent "perf sched record" execution failure, determine ++ * whether to record schedstat events according to actual situation. 
++ */ ++ const char * const schedstat_args[] = { ++ "-e", "sched:sched_stat_wait", ++ "-e", "sched:sched_stat_sleep", ++ "-e", "sched:sched_stat_iowait", ++ }; ++ unsigned int schedstat_argc = schedstat_events_exposed() ? ++ ARRAY_SIZE(schedstat_args) : 0; ++ + struct tep_event *waking_event; + + /* + * +2 for either "-e", "sched:sched_wakeup" or + * "-e", "sched:sched_waking" + */ +- rec_argc = ARRAY_SIZE(record_args) + 2 + argc - 1; ++ rec_argc = ARRAY_SIZE(record_args) + 2 + schedstat_argc + argc - 1; + rec_argv = calloc(rec_argc + 1, sizeof(char *)); + + if (rec_argv == NULL) +@@ -3378,6 +3400,9 @@ static int __cmd_record(int argc, const char **argv) + else + rec_argv[i++] = strdup("sched:sched_wakeup"); + ++ for (j = 0; j < schedstat_argc; j++) ++ rec_argv[i++] = strdup(schedstat_args[j]); ++ + for (j = 1; j < (unsigned int)argc; j++, i++) + rec_argv[i] = argv[j]; + +-- +2.30.2 + diff --git a/queue-5.10/perf-script-fix-memory-threads-and-cpus-leaks-on-exi.patch b/queue-5.10/perf-script-fix-memory-threads-and-cpus-leaks-on-exi.patch new file mode 100644 index 00000000000..bb547ce8aa6 --- /dev/null +++ b/queue-5.10/perf-script-fix-memory-threads-and-cpus-leaks-on-exi.patch 
@@ -0,0 +1,64 @@ +From c19c00d6b960ec91772e20fd96b69caeabff9ea4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jul 2021 18:07:18 +0200 +Subject: perf script: Fix memory 'threads' and 'cpus' leaks on exit + +From: Riccardo Mancini + +[ Upstream commit faf3ac305d61341c74e5cdd9e41daecce7f67bfe ] + +ASan reports several memory leaks while running: + + # perf test "82: Use vfs_getname probe to get syscall args filenames" + +Two of these are caused by some refcounts not being decreased on +perf-script exit, namely script.threads and script.cpus. + +This patch adds the missing __put calls in a new perf_script__exit +function, which is called at the end of cmd_script. + +This patch concludes the fixes of all remaining memory leaks in perf +test "82: Use vfs_getname probe to get syscall args filenames". + +Signed-off-by: Riccardo Mancini +Fixes: cfc8874a48599249 ("perf script: Process cpu/threads maps") +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lore.kernel.org/lkml/5ee73b19791c6fa9d24c4d57f4ac1a23609400d7.1626343282.git.rickyman7@gmail.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-script.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/tools/perf/builtin-script.c b/tools/perf/builtin-script.c +index 48588ccf902e..2bb159c10503 100644 +--- a/tools/perf/builtin-script.c ++++ b/tools/perf/builtin-script.c +@@ -2483,6 +2483,12 @@ static void perf_script__exit_per_event_dump_stats(struct perf_script *script) + } + } + ++static void perf_script__exit(struct perf_script *script) ++{ ++ perf_thread_map__put(script->threads); ++ perf_cpu_map__put(script->cpus); ++} ++ + static int __cmd_script(struct perf_script *script) + { + int ret; +@@ -3937,6 +3943,7 @@ out_delete: + + perf_evlist__free_stats(session->evlist); + perf_session__delete(session); ++ perf_script__exit(&script); + + if (script_started) + cleanup_scripting(); +-- +2.30.2 + 
diff --git a/queue-5.10/perf-test-event_update-fix-memory-leak-of-evlist.patch b/queue-5.10/perf-test-event_update-fix-memory-leak-of-evlist.patch new file mode 100644 index 00000000000..164f7be432a --- /dev/null +++ b/queue-5.10/perf-test-event_update-fix-memory-leak-of-evlist.patch @@ -0,0 +1,47 @@ +From a1c8eddda6a9cbd6e8264c35ac2fd273468ff9cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jul 2021 18:07:09 +0200 +Subject: perf test event_update: Fix memory leak of evlist + +From: Riccardo Mancini + +[ Upstream commit fc56f54f6fcd5337634f4545af6459613129b432 ] + +ASan reports a memory leak when running: + + # perf test "49: Synthesize attr update" + +Caused by evlist not being deleted. + +This patch adds the missing evlist__delete and removes the +perf_cpu_map__put since it's already being deleted by evlist__delete. + +Signed-off-by: Riccardo Mancini +Fixes: a6e5281780d1da65 ("perf tools: Add event_update event unit type") +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lore.kernel.org/lkml/f7994ad63d248f7645f901132d208fadf9f2b7e4.1626343282.git.rickyman7@gmail.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/tests/event_update.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/tests/event_update.c b/tools/perf/tests/event_update.c +index bdcf032f8516..1c9a6138fba1 100644 +--- a/tools/perf/tests/event_update.c ++++ b/tools/perf/tests/event_update.c +@@ -119,6 +119,6 @@ int test__event_update(struct test *test __maybe_unused, int subtest __maybe_unu + TEST_ASSERT_VAL("failed to synthesize attr update cpus", + !perf_event__synthesize_event_update_cpus(&tmp.tool, evsel, process_event_cpus)); + +- perf_cpu_map__put(evsel->core.own_cpus); ++ evlist__delete(evlist); + return 0; + } +-- +2.30.2 + 
diff --git a/queue-5.10/perf-test-maps__merge_in-fix-memory-leak-of-maps.patch b/queue-5.10/perf-test-maps__merge_in-fix-memory-leak-of-maps.patch new file mode 100644 index 00000000000..f66d053b737 --- /dev/null +++ b/queue-5.10/perf-test-maps__merge_in-fix-memory-leak-of-maps.patch @@ -0,0 +1,49 @@ +From 397d45b351985c90c87a2394df70c6cf1ef8abfb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jul 2021 18:07:12 +0200 +Subject: perf test maps__merge_in: Fix memory leak of maps + +From: Riccardo Mancini + +[ Upstream commit 244d1797c8c8e850b8de7992af713aa5c70d5650 ] + +ASan reports a memory leak when running: + + # perf test "65: maps__merge_in" + +This is the second and final patch addressing these memory leaks. + +This time, the problem is simply that the maps object is never +destructed. + +This patch adds the missing maps__exit call. + +Signed-off-by: Riccardo Mancini +Fixes: 79b6bb73f888933c ("perf maps: Merge 'struct maps' with 'struct map_groups'") +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lore.kernel.org/lkml/a1a29b97a58738987d150e94d4ebfad0282fb038.1626343282.git.rickyman7@gmail.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/tests/maps.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tools/perf/tests/maps.c b/tools/perf/tests/maps.c +index edcbc70ff9d6..1ac72919fa35 100644 +--- a/tools/perf/tests/maps.c ++++ b/tools/perf/tests/maps.c +@@ -116,5 +116,7 @@ int test__maps__merge_in(struct test *t __maybe_unused, int subtest __maybe_unus + + ret = check_maps(merged3, ARRAY_SIZE(merged3), &maps); + TEST_ASSERT_VAL("merge check failed", !ret); ++ ++ maps__exit(&maps); + return TEST_OK; + } +-- +2.30.2 + diff --git a/queue-5.10/perf-test-session_topology-delete-session-evlist.patch b/queue-5.10/perf-test-session_topology-delete-session-evlist.patch new file mode 100644 index 00000000000..b5b7abe3bc0 --- /dev/null 
+++ b/queue-5.10/perf-test-session_topology-delete-session-evlist.patch @@ -0,0 +1,48 @@ +From e7e693c3a2ae72ae31ebadc65973e3efeba2b824 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jul 2021 18:07:08 +0200 +Subject: perf test session_topology: Delete session->evlist + +From: Riccardo Mancini + +[ Upstream commit 233f2dc1c284337286f9a64c0152236779a42f6c ] + +ASan reports a memory leak related to session->evlist while running: + + # perf test "41: Session topology". + +When perf_data is in write mode, session->evlist is owned by the caller, +which should also take care of deleting it. + +This patch adds the missing evlist__delete(). + +Signed-off-by: Riccardo Mancini +Fixes: c84974ed9fb67293 ("perf test: Add entry to test cpu topology") +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Kan Liang +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lore.kernel.org/lkml/822f741f06eb25250fb60686cf30a35f447e9e91.1626343282.git.rickyman7@gmail.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/tests/topology.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/perf/tests/topology.c b/tools/perf/tests/topology.c +index 22daf2bdf5fa..f4a2c0df0954 100644 +--- a/tools/perf/tests/topology.c ++++ b/tools/perf/tests/topology.c +@@ -52,6 +52,7 @@ static int session_write_header(char *path) + TEST_ASSERT_VAL("failed to write header", + !perf_session__write_header(session, session->evlist, data.file.fd, true)); + ++ evlist__delete(session->evlist); + perf_session__delete(session); + + return 0; +-- +2.30.2 + diff --git a/queue-5.10/proc-avoid-mixing-integer-types-in-mem_rw.patch b/queue-5.10/proc-avoid-mixing-integer-types-in-mem_rw.patch new file mode 100644 index 00000000000..5907fa2d97c --- /dev/null +++ b/queue-5.10/proc-avoid-mixing-integer-types-in-mem_rw.patch 
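Review bot: in session_write_header() (tools/perf/tests/topology.c), evlist__delete(session->evlist) placed directly before perf_session__delete(session) reads like a double free to anyone who has not seen the commit message. Add a one-line comment stating that in write mode the caller owns session->evlist and the session does not free it. The TEST_ASSERT_VAL("failed to write header", ...) above it returns early on failure, so that path skips both deletes.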
@@ -0,0 +1,52 @@ +From 809579bd89a7bc77c7be45423782f463dd19e477 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Jun 2021 18:54:38 -0700 +Subject: proc: Avoid mixing integer types in mem_rw() + +From: Marcelo Henrique Cerri + +[ Upstream commit d238692b4b9f2c36e35af4c6e6f6da36184aeb3e ] + +Use size_t when capping the count argument received by mem_rw(). Since +count is size_t, using min_t(int, ...) can lead to a negative value +that will later be passed to access_remote_vm(), which can cause +unexpected behavior. + +Since we are capping the value to at maximum PAGE_SIZE, the conversion +from size_t to int when passing it to access_remote_vm() as "len" +shouldn't be a problem. + +Link: https://lkml.kernel.org/r/20210512125215.3348316-1-marcelo.cerri@canonical.com +Reviewed-by: David Disseldorp +Signed-off-by: Thadeu Lima de Souza Cascardo +Signed-off-by: Marcelo Henrique Cerri +Cc: Alexey Dobriyan +Cc: Souza Cascardo +Cc: Christian Brauner +Cc: Michel Lespinasse +Cc: Helge Deller +Cc: Oleg Nesterov +Cc: Lorenzo Stoakes +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/proc/base.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/proc/base.c b/fs/proc/base.c +index df9b17dd92cb..5d52aea8d7e7 100644 +--- a/fs/proc/base.c ++++ b/fs/proc/base.c +@@ -855,7 +855,7 @@ static ssize_t mem_rw(struct file *file, char __user *buf, + flags = FOLL_FORCE | (write ? FOLL_WRITE : 0); + + while (count > 0) { +- int this_len = min_t(int, count, PAGE_SIZE); ++ size_t this_len = min_t(size_t, count, PAGE_SIZE); + + if (write && copy_from_user(page, buf, this_len)) { + copied = -EFAULT; +-- +2.30.2 + diff --git a/queue-5.10/pwm-sprd-ensure-configuring-period-and-duty_cycle-is.patch b/queue-5.10/pwm-sprd-ensure-configuring-period-and-duty_cycle-is.patch new file mode 100644 index 00000000000..d46d6160dfb --- /dev/null +++ b/queue-5.10/pwm-sprd-ensure-configuring-period-and-duty_cycle-is.patch 
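Review bot: in mem_rw() (fs/proc/base.c), this_len is now size_t but, per the commit message, is still narrowed to int when it is passed to access_remote_vm() as len. That is safe only because of the PAGE_SIZE cap on this same line, so say so in a comment next to the declaration; otherwise a later change to the cap reintroduces the sign problem this patch removes. It is also worth checking the rest of the loop, which is outside this hunk, for places where a signed return value is stored into this_len now that it is unsigned.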
@@ -0,0 +1,51 @@ +From acbd9bf133384d6aafffa6552d4fe8130d915c93 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Jul 2021 10:27:51 +0200 +Subject: pwm: sprd: Ensure configuring period and duty_cycle isn't wrongly + skipped +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit 65e2e6c1c20104ed19060a38f4edbf14e9f9a9a5 ] + +As the last call to sprd_pwm_apply() might have exited early if +state->enabled was false, the values for period and duty_cycle stored in +pwm->state might not have been written to hardware and it must be +ensured that they are configured before enabling the PWM. + +Fixes: 8aae4b02e8a6 ("pwm: sprd: Add Spreadtrum PWM support") +Signed-off-by: Uwe Kleine-König +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/pwm/pwm-sprd.c | 11 ++++------- + 1 file changed, 4 insertions(+), 7 deletions(-) + +diff --git a/drivers/pwm/pwm-sprd.c b/drivers/pwm/pwm-sprd.c +index 5123d948efd6..9eeb59cb81b6 100644 +--- a/drivers/pwm/pwm-sprd.c ++++ b/drivers/pwm/pwm-sprd.c +@@ -180,13 +180,10 @@ static int sprd_pwm_apply(struct pwm_chip *chip, struct pwm_device *pwm, + } + } + +- if (state->period != cstate->period || +- state->duty_cycle != cstate->duty_cycle) { +- ret = sprd_pwm_config(spc, pwm, state->duty_cycle, +- state->period); +- if (ret) +- return ret; +- } ++ ret = sprd_pwm_config(spc, pwm, state->duty_cycle, ++ state->period); ++ if (ret) ++ return ret; + + sprd_pwm_write(spc, pwm->hwpwm, SPRD_PWM_ENABLE, 1); + } else if (cstate->enabled) { +-- +2.30.2 + diff --git a/queue-5.10/r8169-avoid-duplicate-sysfs-entry-creation-error.patch b/queue-5.10/r8169-avoid-duplicate-sysfs-entry-creation-error.patch new file mode 100644 index 00000000000..8309dba8617 --- /dev/null +++ b/queue-5.10/r8169-avoid-duplicate-sysfs-entry-creation-error.patch 
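Review bot: in sprd_pwm_apply() (drivers/pwm/pwm-sprd.c), the now unconditional sprd_pwm_config() call has no comment, and the removed state/cstate comparison is exactly the kind of check someone will add back as an optimisation. Add a comment above the call noting that pwm->state may hold period and duty_cycle values that were never written to hardware because an earlier apply returned early with state->enabled false.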
@@ -0,0 +1,55 @@ +From 53dc42af5f5305edc947ece4146e3964d3a4580a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jul 2021 17:17:40 +0100 +Subject: r8169: Avoid duplicate sysfs entry creation error + +From: Sayanta Pattanayak + +[ Upstream commit e9a72f874d5b95cef0765bafc56005a50f72c5fe ] + +When registering the MDIO bus for a r8169 device, we use the PCI +bus/device specifier as a (seemingly) unique device identifier. +However the very same BDF number can be used on another PCI segment, +which makes the driver fail probing: + +[ 27.544136] r8169 0002:07:00.0: enabling device (0000 -> 0003) +[ 27.559734] sysfs: cannot create duplicate filename '/class/mdio_bus/r8169-700' +.... +[ 27.684858] libphy: mii_bus r8169-700 failed to register +[ 27.695602] r8169: probe of 0002:07:00.0 failed with error -22 + +Add the segment number to the device name to make it more unique. + +This fixes operation on ARM N1SDP boards, with two boards connected +together to form an SMP system, and all on-board devices showing up +twice, just on different PCI segments. A similar issue would occur on +large systems with many PCI slots and multiple RTL8169 NICs. + +Fixes: f1e911d5d0dfd ("r8169: add basic phylib support") +Signed-off-by: Sayanta Pattanayak +[Andre: expand commit message, use pci_domain_nr()] +Signed-off-by: Andre Przywara +Acked-by: Heiner Kallweit +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/realtek/r8169_main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c +index 9010aabd9782..e690a1b09e98 100644 +--- a/drivers/net/ethernet/realtek/r8169_main.c ++++ b/drivers/net/ethernet/realtek/r8169_main.c +@@ -5160,7 +5160,8 @@ static int r8169_mdio_register(struct rtl8169_private *tp) + new_bus->priv = tp; + new_bus->parent = &pdev->dev; + new_bus->irq[0] = PHY_IGNORE_INTERRUPT; +- snprintf(new_bus->id, MII_BUS_ID_SIZE, "r8169-%x", pci_dev_id(pdev)); ++ snprintf(new_bus->id, MII_BUS_ID_SIZE, "r8169-%x-%x", ++ pci_domain_nr(pdev->bus), pci_dev_id(pdev)); + + new_bus->read = r8169_mdio_read_reg; + new_bus->write = r8169_mdio_write_reg; +-- +2.30.2 + diff --git a/queue-5.10/regulator-hi6421-fix-getting-wrong-drvdata.patch b/queue-5.10/regulator-hi6421-fix-getting-wrong-drvdata.patch new file mode 100644 index 00000000000..22d30996749 --- /dev/null +++ b/queue-5.10/regulator-hi6421-fix-getting-wrong-drvdata.patch 
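Review bot: in r8169_mdio_register(), the new format "r8169-%x-%x" changes the MDIO bus id on every system, not only on multi-segment ones: the device from the quoted log would move from r8169-700 to a name that includes its segment number. That is a user-visible sysfs rename going into a stable tree, so the commit message should mention it for anything that matches on the old /class/mdio_bus name. The snprintf() result is also unchecked; an id truncated at MII_BUS_ID_SIZE could collide again.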
@@ -0,0 +1,119 @@ +From a0ad14fd6576dac3cbc155097fb2680e804cb006 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Jun 2021 17:59:59 +0800 +Subject: regulator: hi6421: Fix getting wrong drvdata + +From: Axel Lin + +[ Upstream commit 1c73daee4bf30ccdff5e86dc400daa6f74735da5 ] + +Since config.dev = pdev->dev.parent in current code, so +dev_get_drvdata(rdev->dev.parent) call in hi6421_regulator_enable +returns the drvdata of the mfd device rather than the regulator. Fix it. + +This was broken while converting to use simplified DT parsing because the +config.dev changed from pdev->dev to pdev->dev.parent for parsing the +parent's of_node. + +Fixes: 29dc269a85ef ("regulator: hi6421: Convert to use simplified DT parsing") +Signed-off-by: Axel Lin +Link: https://lore.kernel.org/r/20210630095959.2411543-1-axel.lin@ingics.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/hi6421-regulator.c | 22 +++++++++++++--------- + 1 file changed, 13 insertions(+), 9 deletions(-) + +diff --git a/drivers/regulator/hi6421-regulator.c b/drivers/regulator/hi6421-regulator.c +index bff8c515dcde..d144a4bdb76d 100644 +--- a/drivers/regulator/hi6421-regulator.c ++++ b/drivers/regulator/hi6421-regulator.c +@@ -366,9 +366,8 @@ static struct hi6421_regulator_info + + static int hi6421_regulator_enable(struct regulator_dev *rdev) + { +- struct hi6421_regulator_pdata *pdata; ++ struct hi6421_regulator_pdata *pdata = rdev_get_drvdata(rdev); + +- pdata = dev_get_drvdata(rdev->dev.parent); + /* hi6421 spec requires regulator enablement must be serialized: + * - Because when BUCK, LDO switching from off to on, it will have + * a huge instantaneous current; so you can not turn on two or +@@ -385,9 +384,10 @@ static int hi6421_regulator_enable(struct regulator_dev *rdev) + + static unsigned int hi6421_regulator_ldo_get_mode(struct regulator_dev *rdev) + { +- struct hi6421_regulator_info *info = rdev_get_drvdata(rdev); ++ struct hi6421_regulator_info *info; + 
unsigned int reg_val; + ++ info = container_of(rdev->desc, struct hi6421_regulator_info, desc); + regmap_read(rdev->regmap, rdev->desc->enable_reg, ®_val); + if (reg_val & info->mode_mask) + return REGULATOR_MODE_IDLE; +@@ -397,9 +397,10 @@ static unsigned int hi6421_regulator_ldo_get_mode(struct regulator_dev *rdev) + + static unsigned int hi6421_regulator_buck_get_mode(struct regulator_dev *rdev) + { +- struct hi6421_regulator_info *info = rdev_get_drvdata(rdev); ++ struct hi6421_regulator_info *info; + unsigned int reg_val; + ++ info = container_of(rdev->desc, struct hi6421_regulator_info, desc); + regmap_read(rdev->regmap, rdev->desc->enable_reg, ®_val); + if (reg_val & info->mode_mask) + return REGULATOR_MODE_STANDBY; +@@ -410,9 +411,10 @@ static unsigned int hi6421_regulator_buck_get_mode(struct regulator_dev *rdev) + static int hi6421_regulator_ldo_set_mode(struct regulator_dev *rdev, + unsigned int mode) + { +- struct hi6421_regulator_info *info = rdev_get_drvdata(rdev); ++ struct hi6421_regulator_info *info; + unsigned int new_mode; + ++ info = container_of(rdev->desc, struct hi6421_regulator_info, desc); + switch (mode) { + case REGULATOR_MODE_NORMAL: + new_mode = 0; +@@ -434,9 +436,10 @@ static int hi6421_regulator_ldo_set_mode(struct regulator_dev *rdev, + static int hi6421_regulator_buck_set_mode(struct regulator_dev *rdev, + unsigned int mode) + { +- struct hi6421_regulator_info *info = rdev_get_drvdata(rdev); ++ struct hi6421_regulator_info *info; + unsigned int new_mode; + ++ info = container_of(rdev->desc, struct hi6421_regulator_info, desc); + switch (mode) { + case REGULATOR_MODE_NORMAL: + new_mode = 0; +@@ -459,7 +462,9 @@ static unsigned int + hi6421_regulator_ldo_get_optimum_mode(struct regulator_dev *rdev, + int input_uV, int output_uV, int load_uA) + { +- struct hi6421_regulator_info *info = rdev_get_drvdata(rdev); ++ struct hi6421_regulator_info *info; ++ ++ info = container_of(rdev->desc, struct hi6421_regulator_info, desc); + + if 
(load_uA > info->eco_microamp) + return REGULATOR_MODE_NORMAL; +@@ -543,14 +548,13 @@ static int hi6421_regulator_probe(struct platform_device *pdev) + if (!pdata) + return -ENOMEM; + mutex_init(&pdata->lock); +- platform_set_drvdata(pdev, pdata); + + for (i = 0; i < ARRAY_SIZE(hi6421_regulator_info); i++) { + /* assign per-regulator data */ + info = &hi6421_regulator_info[i]; + + config.dev = pdev->dev.parent; +- config.driver_data = info; ++ config.driver_data = pdata; + config.regmap = pmic->regmap; + + rdev = devm_regulator_register(&pdev->dev, &info->desc, +-- +2.30.2 + diff --git a/queue-5.10/regulator-hi6421-use-correct-variable-type-for-regma.patch b/queue-5.10/regulator-hi6421-use-correct-variable-type-for-regma.patch new file mode 100644 index 00000000000..f6cbf46a8e2 --- /dev/null +++ b/queue-5.10/regulator-hi6421-use-correct-variable-type-for-regma.patch 
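Review bot: in drivers/regulator/hi6421-regulator.c, the line info = container_of(rdev->desc, struct hi6421_regulator_info, desc) is now repeated in five callbacks (ldo and buck get_mode, ldo and buck set_mode, ldo get_optimum_mode). A small helper would keep the assumption that every registered desc is embedded in a hi6421_regulator_info in one documented place. In the probe hunk, platform_set_drvdata(pdev, pdata) is dropped; confirm nothing else in the driver still reads the platform drvdata, since after this change pdata is reachable only through rdev_get_drvdata().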
@@ -0,0 +1,64 @@ +From f8a761de36bca9cb0ad50123ede6008f4267dac4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Jun 2021 20:41:33 +0800 +Subject: regulator: hi6421: Use correct variable type for regmap api val + argument + +From: Axel Lin + +[ Upstream commit ae60e6a9d24e89a74e2512204ad04de94921bdd2 ] + +Use unsigned int instead of u32 for regmap_read/regmap_update_bits val +argument. + +Signed-off-by: Axel Lin +Link: https://lore.kernel.org/r/20210619124133.4096683-1-axel.lin@ingics.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/hi6421-regulator.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/regulator/hi6421-regulator.c b/drivers/regulator/hi6421-regulator.c +index dc631c1a46b4..bff8c515dcde 100644 +--- a/drivers/regulator/hi6421-regulator.c ++++ b/drivers/regulator/hi6421-regulator.c +@@ -386,7 +386,7 @@ static int hi6421_regulator_enable(struct regulator_dev *rdev) + static unsigned int hi6421_regulator_ldo_get_mode(struct regulator_dev *rdev) + { + struct hi6421_regulator_info *info = rdev_get_drvdata(rdev); +- u32 reg_val; ++ unsigned int reg_val; + + regmap_read(rdev->regmap, rdev->desc->enable_reg, ®_val); + if (reg_val & info->mode_mask) +@@ -398,7 +398,7 @@ static unsigned int hi6421_regulator_ldo_get_mode(struct regulator_dev *rdev) + static unsigned int hi6421_regulator_buck_get_mode(struct regulator_dev *rdev) + { + struct hi6421_regulator_info *info = rdev_get_drvdata(rdev); +- u32 reg_val; ++ unsigned int reg_val; + + regmap_read(rdev->regmap, rdev->desc->enable_reg, ®_val); + if (reg_val & info->mode_mask) +@@ -411,7 +411,7 @@ static int hi6421_regulator_ldo_set_mode(struct regulator_dev *rdev, + unsigned int mode) + { + struct hi6421_regulator_info *info = rdev_get_drvdata(rdev); +- u32 new_mode; ++ unsigned int new_mode; + + switch (mode) { + case REGULATOR_MODE_NORMAL: +@@ -435,7 +435,7 @@ static int hi6421_regulator_buck_set_mode(struct regulator_dev *rdev, 
+ unsigned int mode) + { + struct hi6421_regulator_info *info = rdev_get_drvdata(rdev); +- u32 new_mode; ++ unsigned int new_mode; + + switch (mode) { + case REGULATOR_MODE_NORMAL: +-- +2.30.2 + diff --git a/queue-5.10/revert-usb-quirks-ignore-remote-wake-up-on-fibocom-l.patch b/queue-5.10/revert-usb-quirks-ignore-remote-wake-up-on-fibocom-l.patch new file mode 100644 index 00000000000..1dd6e1960e0 --- /dev/null +++ b/queue-5.10/revert-usb-quirks-ignore-remote-wake-up-on-fibocom-l.patch 
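Review bot: the commit message gives no reason for the u32 to unsigned int change in the four hunks of hi6421-regulator.c, and on its own it does not read as a stable fix. The post-image index bff8c515dcde matches the pre-image index of the "Fix getting wrong drvdata" patch in this queue, so this appears to be carried as a prerequisite; say that in the message so the dependency and the required ordering are explicit.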
@@ -0,0 +1,56 @@ +From c8cb3b3e3648e39b913d005eda23429770055d89 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jul 2021 11:25:16 +0200 +Subject: Revert "USB: quirks: ignore remote wake-up on Fibocom L850-GL LTE + modem" + +From: Vincent Palatin + +[ Upstream commit f3a1a937f7b240be623d989c8553a6d01465d04f ] + +This reverts commit 0bd860493f81eb2a46173f6f5e44cc38331c8dbd. + +While the patch was working as stated,ie preventing the L850-GL LTE modem +from crashing on some U3 wake-ups due to a race condition between the +host wake-up and the modem-side wake-up, when using the MBIM interface, +this would force disabling the USB runtime PM on the device. + +The increased power consumption is significant for LTE laptops, +and given that with decently recent modem firmwares, when the modem hits +the bug, it automatically recovers (ie it drops from the bus, but +automatically re-enumerates after less than half a second, rather than being +stuck until a power cycle as it was doing with ancient firmware), for +most people, the trade-off now seems in favor of re-enabling it by +default. + +For people with access to the platform code, the bug can also be worked-around +successfully by changing the USB3 LFPM polling off-time for the XHCI +controller in the BIOS code. 
+ +Signed-off-by: Vincent Palatin +Link: https://lore.kernel.org/r/20210721092516.2775971-1-vpalatin@chromium.org +Fixes: 0bd860493f81 ("USB: quirks: ignore remote wake-up on Fibocom L850-GL LTE modem") +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/core/quirks.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c +index 21e7522655ac..a54a735b6384 100644 +--- a/drivers/usb/core/quirks.c ++++ b/drivers/usb/core/quirks.c +@@ -502,10 +502,6 @@ static const struct usb_device_id usb_quirk_list[] = { + /* DJI CineSSD */ + { USB_DEVICE(0x2ca3, 0x0031), .driver_info = USB_QUIRK_NO_LPM }, + +- /* Fibocom L850-GL LTE Modem */ +- { USB_DEVICE(0x2cb7, 0x0007), .driver_info = +- USB_QUIRK_IGNORE_REMOTE_WAKEUP }, +- + /* INTEL VALUE SSD */ + { USB_DEVICE(0x8086, 0xf1a5), .driver_info = USB_QUIRK_RESET_RESUME }, + +-- +2.30.2 + diff --git a/queue-5.10/s390-bpf-perform-r1-range-checking-before-accessing-.patch b/queue-5.10/s390-bpf-perform-r1-range-checking-before-accessing-.patch new file mode 100644 index 00000000000..100d212ef8b --- /dev/null +++ b/queue-5.10/s390-bpf-perform-r1-range-checking-before-accessing-.patch 
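Review bot: the removal of the Fibocom L850-GL entry from usb_quirk_list[] carries a Fixes: tag although the message says the original patch was working as stated. With the tag, this revert follows the quirk into every stable tree, and users on old modem firmware go back to a device that, per the message, stays stuck until a power cycle. The message should state which firmware versions recover on their own, or the revert should stay out of stable.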
@@ -0,0 +1,44 @@ +From 9937d7d1a324657ad54c78ddc31fc60f5b1ba40c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jul 2021 13:57:12 +0100 +Subject: s390/bpf: Perform r1 range checking before accessing + jit->seen_reg[r1] + +From: Colin Ian King + +[ Upstream commit 91091656252f5d6d8c476e0c92776ce9fae7b445 ] + +Currently array jit->seen_reg[r1] is being accessed before the range +checking of index r1. The range changing on r1 should be performed +first since it will avoid any potential out-of-range accesses on the +array seen_reg[] and also it is more optimal to perform checks on r1 +before fetching data from the array. Fix this by swapping the order +of the checks before the array access. + +Fixes: 054623105728 ("s390/bpf: Add s390x eBPF JIT compiler backend") +Signed-off-by: Colin Ian King +Signed-off-by: Daniel Borkmann +Tested-by: Ilya Leoshkevich +Acked-by: Ilya Leoshkevich +Link: https://lore.kernel.org/bpf/20210715125712.24690-1-colin.king@canonical.com +Signed-off-by: Sasha Levin +--- + arch/s390/net/bpf_jit_comp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c +index 0a4182792876..fc44dce59536 100644 +--- a/arch/s390/net/bpf_jit_comp.c ++++ b/arch/s390/net/bpf_jit_comp.c +@@ -112,7 +112,7 @@ static inline void reg_set_seen(struct bpf_jit *jit, u32 b1) + { + u32 r1 = reg2hex[b1]; + +- if (!jit->seen_reg[r1] && r1 >= 6 && r1 <= 15) ++ if (r1 >= 6 && r1 <= 15 && !jit->seen_reg[r1]) + jit->seen_reg[r1] = 1; + } + +-- +2.30.2 + diff --git a/queue-5.10/scsi-iscsi-fix-iface-sysfs-attr-detection.patch b/queue-5.10/scsi-iscsi-fix-iface-sysfs-attr-detection.patch new file mode 100644 index 00000000000..37a88ce3ac0 --- /dev/null +++ b/queue-5.10/scsi-iscsi-fix-iface-sysfs-attr-detection.patch 
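Review bot: in reg_set_seen() (arch/s390/net/bpf_jit_comp.c), the reordered condition bounds r1 before indexing jit->seen_reg[], but the line above it, u32 r1 = reg2hex[b1], still indexes reg2hex[] with b1 unchecked. If b1 is guaranteed to be in range by the callers, a comment saying so would complete the fix; if not, it needs its own bounds check. The 6 and 15 limits would also read better as named constants tied to the size of seen_reg[].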
@@ -0,0 +1,146 @@ +From 5678897f2735e2ee5c51db1e0d7764cd14eba73e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Jun 2021 19:25:59 -0500 +Subject: scsi: iscsi: Fix iface sysfs attr detection + +From: Mike Christie + +[ Upstream commit e746f3451ec7f91dcc9fd67a631239c715850a34 ] + +A ISCSI_IFACE_PARAM can have the same value as a ISCSI_NET_PARAM so when +iscsi_iface_attr_is_visible tries to figure out the type by just checking +the value, we can collide and return the wrong type. When we call into the +driver we might not match and return that we don't want attr visible in +sysfs. The patch fixes this by setting the type when we figure out what the +param is. + +Link: https://lore.kernel.org/r/20210701002559.89533-1-michael.christie@oracle.com +Fixes: 3e0f65b34cc9 ("[SCSI] iscsi_transport: Additional parameters for network settings") +Signed-off-by: Mike Christie +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_transport_iscsi.c | 90 +++++++++++------------------ + 1 file changed, 34 insertions(+), 56 deletions(-) + +diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c +index 2171dab3e5dc..ac07a9ef3578 100644 +--- a/drivers/scsi/scsi_transport_iscsi.c ++++ b/drivers/scsi/scsi_transport_iscsi.c +@@ -440,39 +440,10 @@ static umode_t iscsi_iface_attr_is_visible(struct kobject *kobj, + struct device *dev = container_of(kobj, struct device, kobj); + struct iscsi_iface *iface = iscsi_dev_to_iface(dev); + struct iscsi_transport *t = iface->transport; +- int param; +- int param_type; ++ int param = -1; + + if (attr == &dev_attr_iface_enabled.attr) + param = ISCSI_NET_PARAM_IFACE_ENABLE; +- else if (attr == &dev_attr_iface_vlan_id.attr) +- param = ISCSI_NET_PARAM_VLAN_ID; +- else if (attr == &dev_attr_iface_vlan_priority.attr) +- param = ISCSI_NET_PARAM_VLAN_PRIORITY; +- else if (attr == &dev_attr_iface_vlan_enabled.attr) +- param = ISCSI_NET_PARAM_VLAN_ENABLED; +- else if (attr == 
&dev_attr_iface_mtu.attr) +- param = ISCSI_NET_PARAM_MTU; +- else if (attr == &dev_attr_iface_port.attr) +- param = ISCSI_NET_PARAM_PORT; +- else if (attr == &dev_attr_iface_ipaddress_state.attr) +- param = ISCSI_NET_PARAM_IPADDR_STATE; +- else if (attr == &dev_attr_iface_delayed_ack_en.attr) +- param = ISCSI_NET_PARAM_DELAYED_ACK_EN; +- else if (attr == &dev_attr_iface_tcp_nagle_disable.attr) +- param = ISCSI_NET_PARAM_TCP_NAGLE_DISABLE; +- else if (attr == &dev_attr_iface_tcp_wsf_disable.attr) +- param = ISCSI_NET_PARAM_TCP_WSF_DISABLE; +- else if (attr == &dev_attr_iface_tcp_wsf.attr) +- param = ISCSI_NET_PARAM_TCP_WSF; +- else if (attr == &dev_attr_iface_tcp_timer_scale.attr) +- param = ISCSI_NET_PARAM_TCP_TIMER_SCALE; +- else if (attr == &dev_attr_iface_tcp_timestamp_en.attr) +- param = ISCSI_NET_PARAM_TCP_TIMESTAMP_EN; +- else if (attr == &dev_attr_iface_cache_id.attr) +- param = ISCSI_NET_PARAM_CACHE_ID; +- else if (attr == &dev_attr_iface_redirect_en.attr) +- param = ISCSI_NET_PARAM_REDIRECT_EN; + else if (attr == &dev_attr_iface_def_taskmgmt_tmo.attr) + param = ISCSI_IFACE_PARAM_DEF_TASKMGMT_TMO; + else if (attr == &dev_attr_iface_header_digest.attr) +@@ -509,6 +480,38 @@ static umode_t iscsi_iface_attr_is_visible(struct kobject *kobj, + param = ISCSI_IFACE_PARAM_STRICT_LOGIN_COMP_EN; + else if (attr == &dev_attr_iface_initiator_name.attr) + param = ISCSI_IFACE_PARAM_INITIATOR_NAME; ++ ++ if (param != -1) ++ return t->attr_is_visible(ISCSI_IFACE_PARAM, param); ++ ++ if (attr == &dev_attr_iface_vlan_id.attr) ++ param = ISCSI_NET_PARAM_VLAN_ID; ++ else if (attr == &dev_attr_iface_vlan_priority.attr) ++ param = ISCSI_NET_PARAM_VLAN_PRIORITY; ++ else if (attr == &dev_attr_iface_vlan_enabled.attr) ++ param = ISCSI_NET_PARAM_VLAN_ENABLED; ++ else if (attr == &dev_attr_iface_mtu.attr) ++ param = ISCSI_NET_PARAM_MTU; ++ else if (attr == &dev_attr_iface_port.attr) ++ param = ISCSI_NET_PARAM_PORT; ++ else if (attr == &dev_attr_iface_ipaddress_state.attr) ++ param = 
ISCSI_NET_PARAM_IPADDR_STATE; ++ else if (attr == &dev_attr_iface_delayed_ack_en.attr) ++ param = ISCSI_NET_PARAM_DELAYED_ACK_EN; ++ else if (attr == &dev_attr_iface_tcp_nagle_disable.attr) ++ param = ISCSI_NET_PARAM_TCP_NAGLE_DISABLE; ++ else if (attr == &dev_attr_iface_tcp_wsf_disable.attr) ++ param = ISCSI_NET_PARAM_TCP_WSF_DISABLE; ++ else if (attr == &dev_attr_iface_tcp_wsf.attr) ++ param = ISCSI_NET_PARAM_TCP_WSF; ++ else if (attr == &dev_attr_iface_tcp_timer_scale.attr) ++ param = ISCSI_NET_PARAM_TCP_TIMER_SCALE; ++ else if (attr == &dev_attr_iface_tcp_timestamp_en.attr) ++ param = ISCSI_NET_PARAM_TCP_TIMESTAMP_EN; ++ else if (attr == &dev_attr_iface_cache_id.attr) ++ param = ISCSI_NET_PARAM_CACHE_ID; ++ else if (attr == &dev_attr_iface_redirect_en.attr) ++ param = ISCSI_NET_PARAM_REDIRECT_EN; + else if (iface->iface_type == ISCSI_IFACE_TYPE_IPV4) { + if (attr == &dev_attr_ipv4_iface_ipaddress.attr) + param = ISCSI_NET_PARAM_IPV4_ADDR; +@@ -599,32 +602,7 @@ static umode_t iscsi_iface_attr_is_visible(struct kobject *kobj, + return 0; + } + +- switch (param) { +- case ISCSI_IFACE_PARAM_DEF_TASKMGMT_TMO: +- case ISCSI_IFACE_PARAM_HDRDGST_EN: +- case ISCSI_IFACE_PARAM_DATADGST_EN: +- case ISCSI_IFACE_PARAM_IMM_DATA_EN: +- case ISCSI_IFACE_PARAM_INITIAL_R2T_EN: +- case ISCSI_IFACE_PARAM_DATASEQ_INORDER_EN: +- case ISCSI_IFACE_PARAM_PDU_INORDER_EN: +- case ISCSI_IFACE_PARAM_ERL: +- case ISCSI_IFACE_PARAM_MAX_RECV_DLENGTH: +- case ISCSI_IFACE_PARAM_FIRST_BURST: +- case ISCSI_IFACE_PARAM_MAX_R2T: +- case ISCSI_IFACE_PARAM_MAX_BURST: +- case ISCSI_IFACE_PARAM_CHAP_AUTH_EN: +- case ISCSI_IFACE_PARAM_BIDI_CHAP_EN: +- case ISCSI_IFACE_PARAM_DISCOVERY_AUTH_OPTIONAL: +- case ISCSI_IFACE_PARAM_DISCOVERY_LOGOUT_EN: +- case ISCSI_IFACE_PARAM_STRICT_LOGIN_COMP_EN: +- case ISCSI_IFACE_PARAM_INITIATOR_NAME: +- param_type = ISCSI_IFACE_PARAM; +- break; +- default: +- param_type = ISCSI_NET_PARAM; +- } +- +- return t->attr_is_visible(param_type, param); ++ return 
t->attr_is_visible(ISCSI_NET_PARAM, param); + } + + static struct attribute *iscsi_iface_attrs[] = { +-- +2.30.2 + diff --git a/queue-5.10/scsi-target-fix-protect-handling-in-write-same-32.patch b/queue-5.10/scsi-target-fix-protect-handling-in-write-same-32.patch new file mode 100644 index 00000000000..b592b52329b --- /dev/null +++ b/queue-5.10/scsi-target-fix-protect-handling-in-write-same-32.patch 
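Review bot: in iscsi_iface_attr_is_visible(), the first branch kept at the head of the IFACE chain still sets param = ISCSI_NET_PARAM_IFACE_ENABLE for dev_attr_iface_enabled, so for that attribute the new if (param != -1) test fires and the driver is asked about ISCSI_IFACE_PARAM with a NET parameter value. That is the same type confusion the patch sets out to remove. Move the iface_enabled branch below the early return so that it starts the ISCSI_NET_PARAM chain.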
@@ -0,0 +1,183 @@ +From 07f64b53e83ccbce01fa92e0c052ce97a2b835d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Jul 2021 12:16:55 +0300 +Subject: scsi: target: Fix protect handling in WRITE SAME(32) + +From: Dmitry Bogdanov + +[ Upstream commit 6d8e7e7c932162bccd06872362751b0e1d76f5af ] + +WRITE SAME(32) command handling reads WRPROTECT at the wrong offset in 1st +byte instead of 10th byte. + +Link: https://lore.kernel.org/r/20210702091655.22818-1-d.bogdanov@yadro.com +Fixes: afd73f1b60fc ("target: Perform PROTECT sanity checks for WRITE_SAME") +Signed-off-by: Dmitry Bogdanov +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/target_core_sbc.c | 35 ++++++++++++++++---------------- + 1 file changed, 17 insertions(+), 18 deletions(-) + +diff --git a/drivers/target/target_core_sbc.c b/drivers/target/target_core_sbc.c +index 6e8b8d30938f..eaf8551ebc61 100644 +--- a/drivers/target/target_core_sbc.c ++++ b/drivers/target/target_core_sbc.c +@@ -25,7 +25,7 @@ + #include "target_core_alua.h" + + static sense_reason_t +-sbc_check_prot(struct se_device *, struct se_cmd *, unsigned char *, u32, bool); ++sbc_check_prot(struct se_device *, struct se_cmd *, unsigned char, u32, bool); + static sense_reason_t sbc_execute_unmap(struct se_cmd *cmd); + + static sense_reason_t +@@ -279,14 +279,14 @@ static inline unsigned long long transport_lba_64_ext(unsigned char *cdb) + } + + static sense_reason_t +-sbc_setup_write_same(struct se_cmd *cmd, unsigned char *flags, struct sbc_ops *ops) ++sbc_setup_write_same(struct se_cmd *cmd, unsigned char flags, struct sbc_ops *ops) + { + struct se_device *dev = cmd->se_dev; + sector_t end_lba = dev->transport->get_blocks(dev) + 1; + unsigned int sectors = sbc_get_write_same_sectors(cmd); + sense_reason_t ret; + +- if ((flags[0] & 0x04) || (flags[0] & 0x02)) { ++ if ((flags & 0x04) || (flags & 0x02)) { + pr_err("WRITE_SAME PBDATA and LBDATA" + " bits not supported for Block Discard" + " Emulation\n"); +@@ 
-308,7 +308,7 @@ sbc_setup_write_same(struct se_cmd *cmd, unsigned char *flags, struct sbc_ops *o + } + + /* We always have ANC_SUP == 0 so setting ANCHOR is always an error */ +- if (flags[0] & 0x10) { ++ if (flags & 0x10) { + pr_warn("WRITE SAME with ANCHOR not supported\n"); + return TCM_INVALID_CDB_FIELD; + } +@@ -316,7 +316,7 @@ sbc_setup_write_same(struct se_cmd *cmd, unsigned char *flags, struct sbc_ops *o + * Special case for WRITE_SAME w/ UNMAP=1 that ends up getting + * translated into block discard requests within backend code. + */ +- if (flags[0] & 0x08) { ++ if (flags & 0x08) { + if (!ops->execute_unmap) + return TCM_UNSUPPORTED_SCSI_OPCODE; + +@@ -331,7 +331,7 @@ sbc_setup_write_same(struct se_cmd *cmd, unsigned char *flags, struct sbc_ops *o + if (!ops->execute_write_same) + return TCM_UNSUPPORTED_SCSI_OPCODE; + +- ret = sbc_check_prot(dev, cmd, &cmd->t_task_cdb[0], sectors, true); ++ ret = sbc_check_prot(dev, cmd, flags >> 5, sectors, true); + if (ret) + return ret; + +@@ -686,10 +686,9 @@ sbc_set_prot_op_checks(u8 protect, bool fabric_prot, enum target_prot_type prot_ + } + + static sense_reason_t +-sbc_check_prot(struct se_device *dev, struct se_cmd *cmd, unsigned char *cdb, ++sbc_check_prot(struct se_device *dev, struct se_cmd *cmd, unsigned char protect, + u32 sectors, bool is_write) + { +- u8 protect = cdb[1] >> 5; + int sp_ops = cmd->se_sess->sup_prot_ops; + int pi_prot_type = dev->dev_attrib.pi_prot_type; + bool fabric_prot = false; +@@ -737,7 +736,7 @@ sbc_check_prot(struct se_device *dev, struct se_cmd *cmd, unsigned char *cdb, + fallthrough; + default: + pr_err("Unable to determine pi_prot_type for CDB: 0x%02x " +- "PROTECT: 0x%02x\n", cdb[0], protect); ++ "PROTECT: 0x%02x\n", cmd->t_task_cdb[0], protect); + return TCM_INVALID_CDB_FIELD; + } + +@@ -812,7 +811,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops) + if (sbc_check_dpofua(dev, cmd, cdb)) + return TCM_INVALID_CDB_FIELD; + +- ret = sbc_check_prot(dev, cmd, cdb, sectors, 
false); ++ ret = sbc_check_prot(dev, cmd, cdb[1] >> 5, sectors, false); + if (ret) + return ret; + +@@ -826,7 +825,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops) + if (sbc_check_dpofua(dev, cmd, cdb)) + return TCM_INVALID_CDB_FIELD; + +- ret = sbc_check_prot(dev, cmd, cdb, sectors, false); ++ ret = sbc_check_prot(dev, cmd, cdb[1] >> 5, sectors, false); + if (ret) + return ret; + +@@ -840,7 +839,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops) + if (sbc_check_dpofua(dev, cmd, cdb)) + return TCM_INVALID_CDB_FIELD; + +- ret = sbc_check_prot(dev, cmd, cdb, sectors, false); ++ ret = sbc_check_prot(dev, cmd, cdb[1] >> 5, sectors, false); + if (ret) + return ret; + +@@ -861,7 +860,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops) + if (sbc_check_dpofua(dev, cmd, cdb)) + return TCM_INVALID_CDB_FIELD; + +- ret = sbc_check_prot(dev, cmd, cdb, sectors, true); ++ ret = sbc_check_prot(dev, cmd, cdb[1] >> 5, sectors, true); + if (ret) + return ret; + +@@ -875,7 +874,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops) + if (sbc_check_dpofua(dev, cmd, cdb)) + return TCM_INVALID_CDB_FIELD; + +- ret = sbc_check_prot(dev, cmd, cdb, sectors, true); ++ ret = sbc_check_prot(dev, cmd, cdb[1] >> 5, sectors, true); + if (ret) + return ret; + +@@ -890,7 +889,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops) + if (sbc_check_dpofua(dev, cmd, cdb)) + return TCM_INVALID_CDB_FIELD; + +- ret = sbc_check_prot(dev, cmd, cdb, sectors, true); ++ ret = sbc_check_prot(dev, cmd, cdb[1] >> 5, sectors, true); + if (ret) + return ret; + +@@ -949,7 +948,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops) + size = sbc_get_size(cmd, 1); + cmd->t_task_lba = get_unaligned_be64(&cdb[12]); + +- ret = sbc_setup_write_same(cmd, &cdb[10], ops); ++ ret = sbc_setup_write_same(cmd, cdb[10], ops); + if (ret) + return ret; + break; +@@ -1048,7 +1047,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops) + size = sbc_get_size(cmd, 1); + cmd->t_task_lba = 
get_unaligned_be64(&cdb[2]); + +- ret = sbc_setup_write_same(cmd, &cdb[1], ops); ++ ret = sbc_setup_write_same(cmd, cdb[1], ops); + if (ret) + return ret; + break; +@@ -1066,7 +1065,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops) + * Follow sbcr26 with WRITE_SAME (10) and check for the existence + * of byte 1 bit 3 UNMAP instead of original reserved field + */ +- ret = sbc_setup_write_same(cmd, &cdb[1], ops); ++ ret = sbc_setup_write_same(cmd, cdb[1], ops); + if (ret) + return ret; + break; +-- +2.30.2 + diff --git a/queue-5.10/sctp-trim-optlen-when-it-s-a-huge-value-in-sctp_sets.patch b/queue-5.10/sctp-trim-optlen-when-it-s-a-huge-value-in-sctp_sets.patch new file mode 100644 index 00000000000..fb260757413 --- /dev/null +++ b/queue-5.10/sctp-trim-optlen-when-it-s-a-huge-value-in-sctp_sets.patch 
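Review bot: In the drivers/target/target_core_sbc.c patch, sbc_setup_write_same() now derives PROTECT with `flags >> 5` from the same byte whose low bits are tested as 0x02, 0x04, 0x08 and 0x10, but nothing at the function says that `flags` is CDB byte 10 for WRITE SAME(32) and byte 1 for the other WRITE SAME variants. A short comment on the parameter would make the layout assumption explicit. The six sbc_parse_cdb() call sites also open-code `cdb[1] >> 5`; a small helper would keep the field extraction in one place, since reading it at the wrong offset is the bug being fixed here.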
@@ -0,0 +1,51 @@ +From e3dd03de9ba44c5b594b20a1bd60eab6dd76b628 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 17 Jul 2021 17:19:19 -0400 +Subject: sctp: trim optlen when it's a huge value in sctp_setsockopt + +From: Xin Long + +[ Upstream commit 2f3fdd8d4805015fa964807e1c7f3d88f31bd389 ] + +After commit ca84bd058dae ("sctp: copy the optval from user space in +sctp_setsockopt"), it does memory allocation in sctp_setsockopt with +the optlen, and it would fail the allocation and return error if the +optlen from user space is a huge value. + +This breaks some sockopts, like SCTP_HMAC_IDENT, SCTP_RESET_STREAMS and +SCTP_AUTH_KEY, as when processing these sockopts before, optlen would +be trimmed to a biggest value it needs when optlen is a huge value, +instead of failing the allocation and returning error. + +This patch is to fix the allocation failure when it's a huge optlen from +user space by trimming it to the biggest size sctp sockopt may need when +necessary, and this biggest size is from sctp_setsockopt_reset_streams() +for SCTP_RESET_STREAMS, which is bigger than those for SCTP_HMAC_IDENT +and SCTP_AUTH_KEY. + +Fixes: ca84bd058dae ("sctp: copy the optval from user space in sctp_setsockopt") +Signed-off-by: Xin Long +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sctp/socket.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/sctp/socket.c b/net/sctp/socket.c +index 3ac6b21ecf2c..e872bc50bbe6 100644 +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -4471,6 +4471,10 @@ static int sctp_setsockopt(struct sock *sk, int level, int optname, + } + + if (optlen > 0) { ++ /* Trim it to the biggest size sctp sockopt may need if necessary */ ++ optlen = min_t(unsigned int, optlen, ++ PAGE_ALIGN(USHRT_MAX + ++ sizeof(__u16) * sizeof(struct sctp_reset_streams))); + kopt = memdup_sockptr(optval, optlen); + if (IS_ERR(kopt)) + return PTR_ERR(kopt); +-- +2.30.2 + 
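Review bot: The cap added in sctp_setsockopt() is `PAGE_ALIGN(USHRT_MAX + sizeof(__u16) * sizeof(struct sctp_reset_streams))`, which multiplies two sizeof values, and the one-line comment does not explain how that corresponds to the largest SCTP_RESET_STREAMS payload the commit message refers to. Please give the bound a named macro with its derivation spelled out, so it can be kept in step with sctp_setsockopt_reset_streams(). The trim is also applied to every optname before any per-option handling visible here, so it is worth confirming that no handler depends on seeing the caller's original length in order to reject oversized input.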
diff --git a/queue-5.10/sctp-update-active_key-for-asoc-when-old-key-is-bein.patch b/queue-5.10/sctp-update-active_key-for-asoc-when-old-key-is-bein.patch new file mode 100644 index 00000000000..08d1d72c651 --- /dev/null +++ b/queue-5.10/sctp-update-active_key-for-asoc-when-old-key-is-bein.patch 
@@ -0,0 +1,55 @@ +From 951ac6b1de3d27f3a73e4f7e40762ba80ca2aef9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jul 2021 16:07:01 -0400 +Subject: sctp: update active_key for asoc when old key is being replaced + +From: Xin Long + +[ Upstream commit 58acd10092268831e49de279446c314727101292 ] + +syzbot reported a call trace: + + BUG: KASAN: use-after-free in sctp_auth_shkey_hold+0x22/0xa0 net/sctp/auth.c:112 + Call Trace: + sctp_auth_shkey_hold+0x22/0xa0 net/sctp/auth.c:112 + sctp_set_owner_w net/sctp/socket.c:131 [inline] + sctp_sendmsg_to_asoc+0x152e/0x2180 net/sctp/socket.c:1865 + sctp_sendmsg+0x103b/0x1d30 net/sctp/socket.c:2027 + inet_sendmsg+0x99/0xe0 net/ipv4/af_inet.c:821 + sock_sendmsg_nosec net/socket.c:703 [inline] + sock_sendmsg+0xcf/0x120 net/socket.c:723 + +This is an use-after-free issue caused by not updating asoc->shkey after +it was replaced in the key list asoc->endpoint_shared_keys, and the old +key was freed. + +This patch is to fix by also updating active_key for asoc when old key is +being replaced with a new one. Note that this issue doesn't exist in +sctp_auth_del_key_id(), as it's not allowed to delete the active_key +from the asoc. + +Fixes: 1b1e0bc99474 ("sctp: add refcnt support for sh_key") +Reported-by: syzbot+b774577370208727d12b@syzkaller.appspotmail.com +Signed-off-by: Xin Long +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sctp/auth.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/sctp/auth.c b/net/sctp/auth.c +index 6f8319b828b0..fe74c5f95630 100644 +--- a/net/sctp/auth.c ++++ b/net/sctp/auth.c +@@ -860,6 +860,8 @@ int sctp_auth_set_key(struct sctp_endpoint *ep, + if (replace) { + list_del_init(&shkey->key_list); + sctp_auth_shkey_release(shkey); ++ if (asoc && asoc->active_key_id == auth_key->sca_keynumber) ++ sctp_auth_asoc_init_active_key(asoc, GFP_KERNEL); + } + list_add(&cur_key->key_list, sh_keys); + +-- +2.30.2 + 
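Review bot: In sctp_auth_set_key() the new `sctp_auth_asoc_init_active_key(asoc, GFP_KERNEL)` call runs after `list_del_init(&shkey->key_list)` and before `list_add(&cur_key->key_list, sh_keys)`, so at that moment the list holds neither the old key nor its replacement. If the init routine resolves `asoc->active_key_id` through that list, it cannot find the key that is about to become active; moving the call after the list_add would avoid that window. The return value is also discarded even though the call takes a GFP flag, so an allocation failure would go unreported to the caller.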
diff --git a/queue-5.10/selftests-icmp_redirect-ipv6-pmtu-info-should-be-cle.patch b/queue-5.10/selftests-icmp_redirect-ipv6-pmtu-info-should-be-cle.patch new file mode 100644 index 00000000000..b8579be265e --- /dev/null +++ b/queue-5.10/selftests-icmp_redirect-ipv6-pmtu-info-should-be-cle.patch @@ -0,0 +1,45 @@ +From ec21e23c2988af2f1c6571c705989cd32a45cbb8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Jul 2021 16:15:30 +0800 +Subject: selftests: icmp_redirect: IPv6 PMTU info should be cleared after + redirect + +From: Hangbin Liu + +[ Upstream commit 0e02bf5de46ae30074a2e1a8194a422a84482a1a ] + +After redirecting, it's already a new path. So the old PMTU info should +be cleared. The IPv6 test "mtu exception plus redirect" should only +has redirect info without old PMTU. + +The IPv4 test can not be changed because of legacy. + +Fixes: ec8105352869 ("selftests: Add redirect tests") +Signed-off-by: Hangbin Liu +Reviewed-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/icmp_redirect.sh | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/net/icmp_redirect.sh b/tools/testing/selftests/net/icmp_redirect.sh +index bfcabee50155..104a7a5f13b1 100755 +--- a/tools/testing/selftests/net/icmp_redirect.sh ++++ b/tools/testing/selftests/net/icmp_redirect.sh +@@ -309,9 +309,10 @@ check_exception() + fi + log_test $? 0 "IPv4: ${desc}" + +- if [ "$with_redirect" = "yes" ]; then ++ # No PMTU info for test "redirect" and "mtu exception plus redirect" ++ if [ "$with_redirect" = "yes" ] && [ "$desc" != "redirect exception plus mtu" ]; then + ip -netns h1 -6 ro get ${H1_VRF_ARG} ${H2_N2_IP6} | \ +- grep -q "${H2_N2_IP6} .*via ${R2_LLADDR} dev br0.*${mtu}" ++ grep -v "mtu" | grep -q "${H2_N2_IP6} .*via ${R2_LLADDR} dev br0" + elif [ -n "${mtu}" ]; then + ip -netns h1 -6 ro get ${H1_VRF_ARG} ${H2_N2_IP6} | \ + grep -q "${mtu}" +-- +2.30.2 + 
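Review bot: The new condition in check_exception() branches on the human-readable test description, `[ "$desc" != "redirect exception plus mtu" ]`, so rewording a description elsewhere in the script silently changes which assertion runs. Passing an explicit flag for "expect no PMTU in the IPv6 route" would be more robust than matching on `$desc`. The added comment names the cases that take the branch ("redirect" and "mtu exception plus redirect") while the code names the one that does not, which makes the two harder to cross-check than they need to be.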
diff --git a/queue-5.10/selftests-icmp_redirect-remove-from-checking-for-ipv.patch b/queue-5.10/selftests-icmp_redirect-remove-from-checking-for-ipv.patch new file mode 100644 index 00000000000..8c13bd24d73 --- /dev/null +++ b/queue-5.10/selftests-icmp_redirect-remove-from-checking-for-ipv.patch @@ -0,0 +1,38 @@ +From da91ad43915a3a981c2a8dd2d28d9e2b08b1be11 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Jul 2021 16:15:29 +0800 +Subject: selftests: icmp_redirect: remove from checking for IPv6 route get + +From: Hangbin Liu + +[ Upstream commit 24b671aad4eae423e1abf5b7f08d9a5235458b8d ] + +If the kernel doesn't enable option CONFIG_IPV6_SUBTREES, the RTA_SRC +info will not be exported to userspace in rt6_fill_node(). And ip cmd will +not print "from ::" to the route output. So remove this check. + +Fixes: ec8105352869 ("selftests: Add redirect tests") +Signed-off-by: Hangbin Liu +Reviewed-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/icmp_redirect.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/net/icmp_redirect.sh b/tools/testing/selftests/net/icmp_redirect.sh +index bf361f30d6ef..bfcabee50155 100755 +--- a/tools/testing/selftests/net/icmp_redirect.sh ++++ b/tools/testing/selftests/net/icmp_redirect.sh +@@ -311,7 +311,7 @@ check_exception() + + if [ "$with_redirect" = "yes" ]; then + ip -netns h1 -6 ro get ${H1_VRF_ARG} ${H2_N2_IP6} | \ +- grep -q "${H2_N2_IP6} from :: via ${R2_LLADDR} dev br0.*${mtu}" ++ grep -q "${H2_N2_IP6} .*via ${R2_LLADDR} dev br0.*${mtu}" + elif [ -n "${mtu}" ]; then + ip -netns h1 -6 ro get ${H1_VRF_ARG} ${H2_N2_IP6} | \ + grep -q "${mtu}" +-- +2.30.2 + diff --git a/queue-5.10/series b/queue-5.10/series new file mode 100644 index 00000000000..535eb727a95 --- /dev/null +++ b/queue-5.10/series 
@@ -0,0 +1,106 @@ +igc-fix-use-after-free-error-during-reset.patch +igb-fix-use-after-free-error-during-reset.patch +igc-change-default-return-of-igc_read_phy_reg.patch +ixgbe-fix-an-error-handling-path-in-ixgbe_probe.patch +igc-fix-an-error-handling-path-in-igc_probe.patch +igb-fix-an-error-handling-path-in-igb_probe.patch +fm10k-fix-an-error-handling-path-in-fm10k_probe.patch +e1000e-fix-an-error-handling-path-in-e1000_probe.patch +iavf-fix-an-error-handling-path-in-iavf_probe.patch +igb-check-if-num-of-q_vectors-is-smaller-than-max-be.patch +igb-fix-position-of-assignment-to-ring.patch +gve-fix-an-error-handling-path-in-gve_probe.patch +net-add-kcov-handle-to-skb-extensions.patch +net-introduce-preferred-busy-polling.patch +bonding-fix-suspicious-rcu-usage-in-bond_ipsec_add_s.patch +bonding-fix-null-dereference-in-bond_ipsec_add_sa.patch +ixgbevf-use-xso.real_dev-instead-of-xso.dev-in-callb.patch +bonding-fix-suspicious-rcu-usage-in-bond_ipsec_del_s.patch +bonding-disallow-setting-nested-bonding-ipsec-offloa.patch +bonding-add-struct-bond_ipesc-to-manage-sa.patch +bonding-fix-suspicious-rcu-usage-in-bond_ipsec_offlo.patch +bonding-fix-incorrect-return-value-of-bond_ipsec_off.patch +ipv6-fix-disable_policy-for-fwd-packets.patch +stmmac-platform-fix-signedness-bug-in-stmmac_probe_c.patch +selftests-icmp_redirect-remove-from-checking-for-ipv.patch +selftests-icmp_redirect-ipv6-pmtu-info-should-be-cle.patch +pwm-sprd-ensure-configuring-period-and-duty_cycle-is.patch +cxgb4-fix-irq-free-race-during-driver-unload.patch +net-do-not-reuse-skbuff-allocated-from-skbuff_fclone.patch +mptcp-fix-warning-in-__skb_flow_dissect-when-do-syn-.patch +nvme-pci-do-not-call-nvme_dev_remove_admin-from-nvme.patch +kvm-x86-pmu-clear-anythread-deprecated-bit-when-0xa-.patch +perf-inject-fix-dso-nsinfo-refcounting.patch +perf-map-fix-dso-nsinfo-refcounting.patch +perf-probe-fix-dso-nsinfo-refcounting.patch +perf-env-fix-sibling_dies-memory-leak.patch 
+perf-test-session_topology-delete-session-evlist.patch +perf-test-event_update-fix-memory-leak-of-evlist.patch +perf-dso-fix-memory-leak-in-dso__new_map.patch +perf-test-maps__merge_in-fix-memory-leak-of-maps.patch +perf-env-fix-memory-leak-of-cpu_pmu_caps.patch +perf-report-free-generated-help-strings-for-sort-opt.patch +perf-script-fix-memory-threads-and-cpus-leaks-on-exi.patch +perf-lzma-close-lzma-stream-on-exit.patch +perf-probe-file-delete-namelist-in-del_events-on-the.patch +perf-data-close-all-files-in-close_dir.patch +perf-sched-fix-record-failure-when-config_schedstats.patch +asoc-wm_adsp-correct-wm_coeff_tlv_get-handling.patch +spi-imx-add-a-check-for-speed_hz-before-calculating-.patch +spi-imx-mx51-ecspi-reinstate-low-speed-configreg-del.patch +spi-stm32-fixes-pm_runtime-calls-in-probe-remove.patch +regulator-hi6421-use-correct-variable-type-for-regma.patch +regulator-hi6421-fix-getting-wrong-drvdata.patch +spi-mediatek-fix-fifo-rx-mode.patch +asoc-rt5631-fix-regcache-sync-errors-on-resume.patch +bpf-test-fix-null-pointer-dereference-on-invalid-exp.patch +bpf-fix-tail_call_reachable-rejection-for-interprete.patch +xdp-net-fix-use-after-free-in-bpf_xdp_link_release.patch +timers-fix-get_next_timer_interrupt-with-no-timers-p.patch +liquidio-fix-unintentional-sign-extension-issue-on-l.patch +s390-bpf-perform-r1-range-checking-before-accessing-.patch +bpf-sockmap-fix-potential-memory-leak-on-unlikely-er.patch +bpf-sockmap-tcp-sk_prot-needs-inuse_idx-set-for-proc.patch +bpf-sockmap-udp-sk_prot-needs-inuse_idx-set-for-proc.patch +bpftool-check-malloc-return-value-in-mount_bpffs_for.patch +net-fix-uninit-value-in-caif_seqpkt_sendmsg.patch +usb-hso-fix-error-handling-code-of-hso_create_net_de.patch +dma-mapping-handle-vmalloc-addresses-in-dma_common_-.patch +efi-tpm-differentiate-missing-and-invalid-final-even.patch +net-decnet-fix-sleeping-inside-in-af_decnet.patch +kvm-ppc-book3s-fix-config_transactional_mem-n-crash.patch 
+kvm-ppc-fix-kvm_arch_vcpu_ioctl-vcpu_load-leak.patch +net-sched-fix-memory-leak-in-tcindex_partial_destroy.patch +sctp-trim-optlen-when-it-s-a-huge-value-in-sctp_sets.patch +netrom-decrease-sock-refcount-when-sock-timers-expir.patch +scsi-iscsi-fix-iface-sysfs-attr-detection.patch +scsi-target-fix-protect-handling-in-write-same-32.patch +spi-cadence-correct-initialisation-of-runtime-pm-aga.patch +acpi-kconfig-fix-table-override-from-built-in-initrd.patch +bnxt_en-don-t-disable-an-already-disabled-pci-device.patch +bnxt_en-refresh-roce-capabilities-in-bnxt_ulp_probe.patch +bnxt_en-add-missing-check-for-bnxt_state_abort_err-i.patch +bnxt_en-validate-vlan-protocol-id-on-rx-packets.patch +bnxt_en-check-abort-error-state-in-bnxt_half_open_ni.patch +net-hisilicon-rename-cache_line_mask-to-avoid-redefi.patch +net-tcp_fastopen-fix-data-races-around-tfo_active_di.patch +alsa-hda-intel-dsp-cfg-add-missing-elkhartlake-pci-i.patch +net-hns3-fix-possible-mismatches-resp-of-mailbox.patch +net-hns3-fix-rx-vlan-offload-state-inconsistent-issu.patch +spi-spi-bcm2835-fix-deadlock.patch +net-sched-act_skbmod-skip-non-ethernet-packets.patch +ipv6-fix-another-slab-out-of-bounds-in-fib6_nh_flush.patch +ceph-don-t-warn-if-we-re-still-opening-a-session-to-.patch +nvme-pci-don-t-warn_on-in-nvme_reset_work-if-ctrl.st.patch +revert-usb-quirks-ignore-remote-wake-up-on-fibocom-l.patch +afs-fix-tracepoint-string-placement-with-built-in-af.patch +r8169-avoid-duplicate-sysfs-entry-creation-error.patch +nvme-set-the-pract-bit-when-using-write-zeroes-with-.patch +sctp-update-active_key-for-asoc-when-old-key-is-bein.patch +tcp-disable-tfo-blackhole-logic-by-default.patch +net-dsa-sja1105-make-vid-4095-a-bridge-vlan-too.patch +net-sched-cls_api-fix-the-the-wrong-parameter.patch +drm-panel-raspberrypi-touchscreen-prevent-double-fre.patch +cifs-only-write-64kb-at-a-time-when-fallocating-a-sm.patch +cifs-fix-fallocate-when-trying-to-allocate-a-hole.patch +proc-avoid-mixing-integer-types-in-mem_rw.patch 
diff --git a/queue-5.10/spi-cadence-correct-initialisation-of-runtime-pm-aga.patch b/queue-5.10/spi-cadence-correct-initialisation-of-runtime-pm-aga.patch new file mode 100644 index 00000000000..8b00f6f4357 --- /dev/null +++ b/queue-5.10/spi-cadence-correct-initialisation-of-runtime-pm-aga.patch 
@@ -0,0 +1,74 @@ +From 269e745d8dde8b36ad500e71aa2181ba9600c5ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jul 2021 20:21:33 +0200 +Subject: spi: cadence: Correct initialisation of runtime PM again + +From: Marek Vasut + +[ Upstream commit 56912da7a68c8356df6a6740476237441b0b792a ] + +The original implementation of RPM handling in probe() was mostly +correct, except it failed to call pm_runtime_get_*() to activate the +hardware. The subsequent fix, 734882a8bf98 ("spi: cadence: Correct +initialisation of runtime PM"), breaks the implementation further, +to the point where the system using this hard IP on ZynqMP hangs on +boot, because it accesses hardware which is gated off. + +Undo 734882a8bf98 ("spi: cadence: Correct initialisation of runtime +PM") and instead add missing pm_runtime_get_noresume() and move the +RPM disabling all the way to the end of probe(). That makes ZynqMP +not hang on boot yet again. + +Fixes: 734882a8bf98 ("spi: cadence: Correct initialisation of runtime PM") +Signed-off-by: Marek Vasut +Cc: Charles Keepax +Cc: Mark Brown +Link: https://lore.kernel.org/r/20210716182133.218640-1-marex@denx.de +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-cadence.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/drivers/spi/spi-cadence.c b/drivers/spi/spi-cadence.c +index a3afd1b9ac56..ceb16e70d235 100644 +--- a/drivers/spi/spi-cadence.c ++++ b/drivers/spi/spi-cadence.c +@@ -517,6 +517,12 @@ static int cdns_spi_probe(struct platform_device *pdev) + goto clk_dis_apb; + } + ++ pm_runtime_use_autosuspend(&pdev->dev); ++ pm_runtime_set_autosuspend_delay(&pdev->dev, SPI_AUTOSUSPEND_TIMEOUT); ++ pm_runtime_get_noresume(&pdev->dev); ++ pm_runtime_set_active(&pdev->dev); ++ pm_runtime_enable(&pdev->dev); ++ + ret = of_property_read_u32(pdev->dev.of_node, "num-cs", &num_cs); + if (ret < 0) + master->num_chipselect = CDNS_SPI_DEFAULT_NUM_CS; +@@ -531,11 +537,6 @@ static int 
cdns_spi_probe(struct platform_device *pdev) + /* SPI controller initializations */ + cdns_spi_init_hw(xspi); + +- pm_runtime_set_active(&pdev->dev); +- pm_runtime_enable(&pdev->dev); +- pm_runtime_use_autosuspend(&pdev->dev); +- pm_runtime_set_autosuspend_delay(&pdev->dev, SPI_AUTOSUSPEND_TIMEOUT); +- + irq = platform_get_irq(pdev, 0); + if (irq <= 0) { + ret = -ENXIO; +@@ -566,6 +567,9 @@ static int cdns_spi_probe(struct platform_device *pdev) + + master->bits_per_word_mask = SPI_BPW_MASK(8); + ++ pm_runtime_mark_last_busy(&pdev->dev); ++ pm_runtime_put_autosuspend(&pdev->dev); ++ + ret = spi_register_master(master); + if (ret) { + dev_err(&pdev->dev, "spi_register_master failed\n"); +-- +2.30.2 + diff --git a/queue-5.10/spi-imx-add-a-check-for-speed_hz-before-calculating-.patch b/queue-5.10/spi-imx-add-a-check-for-speed_hz-before-calculating-.patch new file mode 100644 index 00000000000..a1c9eeab1de --- /dev/null +++ b/queue-5.10/spi-imx-add-a-check-for-speed_hz-before-calculating-.patch 
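Review bot: In the drivers/spi/spi-cadence.c patch, cdns_spi_probe() now takes a usage reference with `pm_runtime_get_noresume(&pdev->dev)` early, but the only matching release added is `pm_runtime_put_autosuspend()` on the success path just before spi_register_master(). The hunks do not touch the error labels, and failures such as the `irq <= 0` case occur after the reference is taken, so please confirm the unwind path drops the reference and disables runtime PM, or add that to the labels. It is also worth a comment that the put happens before spi_register_master() on purpose, since a registration failure then unwinds with the usage count already released.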
@@ -0,0 +1,138 @@ +From a592a53a8be1aa8a2347193dd94bfe8e7bb8be6f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Apr 2021 18:33:47 +0800 +Subject: spi: imx: add a check for speed_hz before calculating the clock + +From: Clark Wang + +[ Upstream commit 4df2f5e1372e9eec8f9e1b4a3025b9be23487d36 ] + +When some drivers use spi to send data, spi_transfer->speed_hz is +not assigned. If spidev->max_speed_hz is not assigned as well, it +will cause an error in configuring the clock. +Add a check for these two values before configuring the clock. An +error will be returned when they are not assigned. + +Signed-off-by: Clark Wang +Link: https://lore.kernel.org/r/20210408103347.244313-2-xiaoning.wang@nxp.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-imx.c | 37 +++++++++++++++++++++---------------- + 1 file changed, 21 insertions(+), 16 deletions(-) + +diff --git a/drivers/spi/spi-imx.c b/drivers/spi/spi-imx.c +index 831a38920fa9..c8b750d8ac35 100644 +--- a/drivers/spi/spi-imx.c ++++ b/drivers/spi/spi-imx.c +@@ -66,8 +66,7 @@ struct spi_imx_data; + struct spi_imx_devtype_data { + void (*intctrl)(struct spi_imx_data *, int); + int (*prepare_message)(struct spi_imx_data *, struct spi_message *); +- int (*prepare_transfer)(struct spi_imx_data *, struct spi_device *, +- struct spi_transfer *); ++ int (*prepare_transfer)(struct spi_imx_data *, struct spi_device *); + void (*trigger)(struct spi_imx_data *); + int (*rx_available)(struct spi_imx_data *); + void (*reset)(struct spi_imx_data *); +@@ -572,11 +571,10 @@ static int mx51_ecspi_prepare_message(struct spi_imx_data *spi_imx, + } + + static int mx51_ecspi_prepare_transfer(struct spi_imx_data *spi_imx, +- struct spi_device *spi, +- struct spi_transfer *t) ++ struct spi_device *spi) + { + u32 ctrl = readl(spi_imx->base + MX51_ECSPI_CTRL); +- u32 clk = t->speed_hz, delay; ++ u32 clk, delay; + + /* Clear BL field and set the right value */ + ctrl &= ~MX51_ECSPI_CTRL_BL_MASK; +@@ -590,7 
+588,7 @@ static int mx51_ecspi_prepare_transfer(struct spi_imx_data *spi_imx, + /* set clock speed */ + ctrl &= ~(0xf << MX51_ECSPI_CTRL_POSTDIV_OFFSET | + 0xf << MX51_ECSPI_CTRL_PREDIV_OFFSET); +- ctrl |= mx51_ecspi_clkdiv(spi_imx, t->speed_hz, &clk); ++ ctrl |= mx51_ecspi_clkdiv(spi_imx, spi_imx->spi_bus_clk, &clk); + spi_imx->spi_bus_clk = clk; + + if (spi_imx->usedma) +@@ -702,13 +700,12 @@ static int mx31_prepare_message(struct spi_imx_data *spi_imx, + } + + static int mx31_prepare_transfer(struct spi_imx_data *spi_imx, +- struct spi_device *spi, +- struct spi_transfer *t) ++ struct spi_device *spi) + { + unsigned int reg = MX31_CSPICTRL_ENABLE | MX31_CSPICTRL_MASTER; + unsigned int clk; + +- reg |= spi_imx_clkdiv_2(spi_imx->spi_clk, t->speed_hz, &clk) << ++ reg |= spi_imx_clkdiv_2(spi_imx->spi_clk, spi_imx->spi_bus_clk, &clk) << + MX31_CSPICTRL_DR_SHIFT; + spi_imx->spi_bus_clk = clk; + +@@ -807,14 +804,13 @@ static int mx21_prepare_message(struct spi_imx_data *spi_imx, + } + + static int mx21_prepare_transfer(struct spi_imx_data *spi_imx, +- struct spi_device *spi, +- struct spi_transfer *t) ++ struct spi_device *spi) + { + unsigned int reg = MX21_CSPICTRL_ENABLE | MX21_CSPICTRL_MASTER; + unsigned int max = is_imx27_cspi(spi_imx) ? 
16 : 18; + unsigned int clk; + +- reg |= spi_imx_clkdiv_1(spi_imx->spi_clk, t->speed_hz, max, &clk) ++ reg |= spi_imx_clkdiv_1(spi_imx->spi_clk, spi_imx->spi_bus_clk, max, &clk) + << MX21_CSPICTRL_DR_SHIFT; + spi_imx->spi_bus_clk = clk; + +@@ -883,13 +879,12 @@ static int mx1_prepare_message(struct spi_imx_data *spi_imx, + } + + static int mx1_prepare_transfer(struct spi_imx_data *spi_imx, +- struct spi_device *spi, +- struct spi_transfer *t) ++ struct spi_device *spi) + { + unsigned int reg = MX1_CSPICTRL_ENABLE | MX1_CSPICTRL_MASTER; + unsigned int clk; + +- reg |= spi_imx_clkdiv_2(spi_imx->spi_clk, t->speed_hz, &clk) << ++ reg |= spi_imx_clkdiv_2(spi_imx->spi_clk, spi_imx->spi_bus_clk, &clk) << + MX1_CSPICTRL_DR_SHIFT; + spi_imx->spi_bus_clk = clk; + +@@ -1195,6 +1190,16 @@ static int spi_imx_setupxfer(struct spi_device *spi, + if (!t) + return 0; + ++ if (!t->speed_hz) { ++ if (!spi->max_speed_hz) { ++ dev_err(&spi->dev, "no speed_hz provided!\n"); ++ return -EINVAL; ++ } ++ dev_dbg(&spi->dev, "using spi->max_speed_hz!\n"); ++ spi_imx->spi_bus_clk = spi->max_speed_hz; ++ } else ++ spi_imx->spi_bus_clk = t->speed_hz; ++ + spi_imx->bits_per_word = t->bits_per_word; + + /* +@@ -1236,7 +1241,7 @@ static int spi_imx_setupxfer(struct spi_device *spi, + spi_imx->slave_burst = t->len; + } + +- spi_imx->devtype_data->prepare_transfer(spi_imx, spi, t); ++ spi_imx->devtype_data->prepare_transfer(spi_imx, spi); + + return 0; + } +-- +2.30.2 + diff --git a/queue-5.10/spi-imx-mx51-ecspi-reinstate-low-speed-configreg-del.patch b/queue-5.10/spi-imx-mx51-ecspi-reinstate-low-speed-configreg-del.patch new file mode 100644 index 00000000000..7202cd75322 --- /dev/null +++ b/queue-5.10/spi-imx-mx51-ecspi-reinstate-low-speed-configreg-del.patch 
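Review bot: In the drivers/spi/spi-imx.c speed_hz patch, `spi_imx->spi_bus_clk` now carries the requested rate into each prepare_transfer() implementation and is then overwritten with the achieved rate (`spi_imx->spi_bus_clk = clk;`), so one field is both input and output. That works only because spi_imx_setupxfer() rewrites it on every call; a comment on the field, or a separate member for the requested rate, would prevent a later caller from feeding the rounded value back in. On style, the new block in spi_imx_setupxfer() uses braces on the `if (!t->speed_hz)` branch but not on the `else`, which kernel coding style asks to be braced as well.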
@@ -0,0 +1,107 @@ +From c86c9a2ccae44fc1873f351e77a6a91124d4b3d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 3 Jul 2021 04:23:00 +0200 +Subject: spi: imx: mx51-ecspi: Reinstate low-speed CONFIGREG delay +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Marek Vasut + +[ Upstream commit 135cbd378eab336da15de9c84bbb22bf743b38a5 ] + +Since 00b80ac935539 ("spi: imx: mx51-ecspi: Move some initialisation to +prepare_message hook."), the MX51_ECSPI_CONFIG write no longer happens +in prepare_transfer hook, but rather in prepare_message hook, however +the MX51_ECSPI_CONFIG delay is still left in prepare_transfer hook and +thus has no effect. This leads to low bus frequency operation problems +described in 6fd8b8503a0dc ("spi: spi-imx: Fix out-of-order CS/SCLK +operation at low speeds") again. + +Move the MX51_ECSPI_CONFIG write delay into the prepare_message hook +as well, thus reinstating the low bus frequency fix. + +Fixes: 00b80ac935539 ("spi: imx: mx51-ecspi: Move some initialisation to prepare_message hook.") +Signed-off-by: Marek Vasut +Cc: Uwe Kleine-König +Cc: Mark Brown +Link: https://lore.kernel.org/r/20210703022300.296114-1-marex@denx.de +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-imx.c | 38 +++++++++++++++++++------------------- + 1 file changed, 19 insertions(+), 19 deletions(-) + +diff --git a/drivers/spi/spi-imx.c b/drivers/spi/spi-imx.c +index c8b750d8ac35..8c0a6ea941ad 100644 +--- a/drivers/spi/spi-imx.c ++++ b/drivers/spi/spi-imx.c +@@ -506,7 +506,7 @@ static int mx51_ecspi_prepare_message(struct spi_imx_data *spi_imx, + { + struct spi_device *spi = msg->spi; + u32 ctrl = MX51_ECSPI_CTRL_ENABLE; +- u32 testreg; ++ u32 testreg, delay; + u32 cfg = readl(spi_imx->base + MX51_ECSPI_CONFIG); + + /* set Master or Slave mode */ +@@ -567,6 +567,23 @@ static int mx51_ecspi_prepare_message(struct spi_imx_data *spi_imx, + + writel(cfg, spi_imx->base + MX51_ECSPI_CONFIG); 
+ ++ /* ++ * Wait until the changes in the configuration register CONFIGREG ++ * propagate into the hardware. It takes exactly one tick of the ++ * SCLK clock, but we will wait two SCLK clock just to be sure. The ++ * effect of the delay it takes for the hardware to apply changes ++ * is noticable if the SCLK clock run very slow. In such a case, if ++ * the polarity of SCLK should be inverted, the GPIO ChipSelect might ++ * be asserted before the SCLK polarity changes, which would disrupt ++ * the SPI communication as the device on the other end would consider ++ * the change of SCLK polarity as a clock tick already. ++ */ ++ delay = (2 * 1000000) / spi_imx->spi_bus_clk; ++ if (likely(delay < 10)) /* SCLK is faster than 100 kHz */ ++ udelay(delay); ++ else /* SCLK is _very_ slow */ ++ usleep_range(delay, delay + 10); ++ + return 0; + } + +@@ -574,7 +591,7 @@ static int mx51_ecspi_prepare_transfer(struct spi_imx_data *spi_imx, + struct spi_device *spi) + { + u32 ctrl = readl(spi_imx->base + MX51_ECSPI_CTRL); +- u32 clk, delay; ++ u32 clk; + + /* Clear BL field and set the right value */ + ctrl &= ~MX51_ECSPI_CTRL_BL_MASK; +@@ -596,23 +613,6 @@ static int mx51_ecspi_prepare_transfer(struct spi_imx_data *spi_imx, + + writel(ctrl, spi_imx->base + MX51_ECSPI_CTRL); + +- /* +- * Wait until the changes in the configuration register CONFIGREG +- * propagate into the hardware. It takes exactly one tick of the +- * SCLK clock, but we will wait two SCLK clock just to be sure. The +- * effect of the delay it takes for the hardware to apply changes +- * is noticable if the SCLK clock run very slow. In such a case, if +- * the polarity of SCLK should be inverted, the GPIO ChipSelect might +- * be asserted before the SCLK polarity changes, which would disrupt +- * the SPI communication as the device on the other end would consider +- * the change of SCLK polarity as a clock tick already. 
+- */ +- delay = (2 * 1000000) / clk; +- if (likely(delay < 10)) /* SCLK is faster than 100 kHz */ +- udelay(delay); +- else /* SCLK is _very_ slow */ +- usleep_range(delay, delay + 10); +- + return 0; + } + +-- +2.30.2 + diff --git a/queue-5.10/spi-mediatek-fix-fifo-rx-mode.patch b/queue-5.10/spi-mediatek-fix-fifo-rx-mode.patch new file mode 100644 index 00000000000..4b9ce004f31 --- /dev/null +++ b/queue-5.10/spi-mediatek-fix-fifo-rx-mode.patch 
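Review bot: In the mx51-ecspi CONFIGREG delay patch, the moved calculation changes from `(2 * 1000000) / clk`, where `clk` had just been computed in mx51_ecspi_prepare_transfer(), to `(2 * 1000000) / spi_imx->spi_bus_clk` inside mx51_ecspi_prepare_message(). Nothing in these hunks shows spi_bus_clk being set before prepare_message runs, so on the first message it may be zero (a division by zero) and on later ones it may hold the previous transfer's rate, giving the wrong delay. Please either guard against zero and derive the rate from the message's transfers, or document where spi_bus_clk is guaranteed to be valid at this point.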
@@ -0,0 +1,59 @@ +From 4fdd195c949635b46f04ec98ea0ed3bcb2adafd1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Jul 2021 14:16:09 +0200 +Subject: spi: mediatek: fix fifo rx mode + +From: Peter Hess + +[ Upstream commit 3a70dd2d050331ee4cf5ad9d5c0a32d83ead9a43 ] + +In FIFO mode were two problems: +- RX mode was never handled and +- in this case the tx_buf pointer was NULL and caused an exception + +fix this by handling RX mode in mtk_spi_fifo_transfer + +Fixes: a568231f4632 ("spi: mediatek: Add spi bus for Mediatek MT8173") +Signed-off-by: Peter Hess +Signed-off-by: Frank Wunderlich +Link: https://lore.kernel.org/r/20210706121609.680534-1-linux@fw-web.de +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-mt65xx.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +diff --git a/drivers/spi/spi-mt65xx.c b/drivers/spi/spi-mt65xx.c +index 5d643051bf3d..8f2d112f0b5d 100644 +--- a/drivers/spi/spi-mt65xx.c ++++ b/drivers/spi/spi-mt65xx.c +@@ -434,13 +434,23 @@ static int mtk_spi_fifo_transfer(struct spi_master *master, + mtk_spi_setup_packet(master); + + cnt = xfer->len / 4; +- iowrite32_rep(mdata->base + SPI_TX_DATA_REG, xfer->tx_buf, cnt); ++ if (xfer->tx_buf) ++ iowrite32_rep(mdata->base + SPI_TX_DATA_REG, xfer->tx_buf, cnt); ++ ++ if (xfer->rx_buf) ++ ioread32_rep(mdata->base + SPI_RX_DATA_REG, xfer->rx_buf, cnt); + + remainder = xfer->len % 4; + if (remainder > 0) { + reg_val = 0; +- memcpy(®_val, xfer->tx_buf + (cnt * 4), remainder); +- writel(reg_val, mdata->base + SPI_TX_DATA_REG); ++ if (xfer->tx_buf) { ++ memcpy(®_val, xfer->tx_buf + (cnt * 4), remainder); ++ writel(reg_val, mdata->base + SPI_TX_DATA_REG); ++ } ++ if (xfer->rx_buf) { ++ reg_val = readl(mdata->base + SPI_RX_DATA_REG); ++ memcpy(xfer->rx_buf + (cnt * 4), ®_val, remainder); ++ } + } + + mtk_spi_enable_transfer(master); +-- +2.30.2 + 
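Review bot: In mtk_spi_fifo_transfer() the new `ioread32_rep(mdata->base + SPI_RX_DATA_REG, xfer->rx_buf, cnt)` and the remainder `readl()` both execute before `mtk_spi_enable_transfer(master)`, so the RX register is read before the transfer that should fill it has started. Whatever lands in rx_buf at that point cannot be data from this transfer; the read belongs after completion rather than in the setup path. The NULL checks on `xfer->tx_buf` are the part that addresses the exception described in the commit message and could stand on their own.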
diff --git a/queue-5.10/spi-spi-bcm2835-fix-deadlock.patch b/queue-5.10/spi-spi-bcm2835-fix-deadlock.patch new file mode 100644 index 00000000000..614503f5c35 --- /dev/null +++ b/queue-5.10/spi-spi-bcm2835-fix-deadlock.patch 
@@ -0,0 +1,86 @@ +From c840023158da611d0acf48d082cb0d57a49dcf58 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 17 Jul 2021 00:02:45 +0300 +Subject: spi: spi-bcm2835: Fix deadlock + +From: Alexandru Tachici + +[ Upstream commit c45c1e82bba130db4f19d9dbc1deefcf4ea994ed ] + +The bcm2835_spi_transfer_one function can create a deadlock +if it is called while another thread already has the +CCF lock. + +Signed-off-by: Alexandru Tachici +Fixes: f8043872e796 ("spi: add driver for BCM2835") +Reviewed-by: Florian Fainelli +Link: https://lore.kernel.org/r/20210716210245.13240-2-alexandru.tachici@analog.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-bcm2835.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/drivers/spi/spi-bcm2835.c b/drivers/spi/spi-bcm2835.c +index 29ee555a42f9..33c32e931767 100644 +--- a/drivers/spi/spi-bcm2835.c ++++ b/drivers/spi/spi-bcm2835.c +@@ -84,6 +84,7 @@ MODULE_PARM_DESC(polling_limit_us, + * struct bcm2835_spi - BCM2835 SPI controller + * @regs: base address of register map + * @clk: core clock, divided to calculate serial clock ++ * @clk_hz: core clock cached speed + * @irq: interrupt, signals TX FIFO empty or RX FIFO ¾ full + * @tfr: SPI transfer currently processed + * @ctlr: SPI controller reverse lookup +@@ -124,6 +125,7 @@ MODULE_PARM_DESC(polling_limit_us, + struct bcm2835_spi { + void __iomem *regs; + struct clk *clk; ++ unsigned long clk_hz; + int irq; + struct spi_transfer *tfr; + struct spi_controller *ctlr; +@@ -1082,19 +1084,18 @@ static int bcm2835_spi_transfer_one(struct spi_controller *ctlr, + struct spi_transfer *tfr) + { + struct bcm2835_spi *bs = spi_controller_get_devdata(ctlr); +- unsigned long spi_hz, clk_hz, cdiv; ++ unsigned long spi_hz, cdiv; + unsigned long hz_per_byte, byte_limit; + u32 cs = bs->prepare_cs[spi->chip_select]; + + /* set clock */ + spi_hz = tfr->speed_hz; +- clk_hz = clk_get_rate(bs->clk); + +- if (spi_hz >= clk_hz / 2) { ++ if 
(spi_hz >= bs->clk_hz / 2) { + cdiv = 2; /* clk_hz/2 is the fastest we can go */ + } else if (spi_hz) { + /* CDIV must be a multiple of two */ +- cdiv = DIV_ROUND_UP(clk_hz, spi_hz); ++ cdiv = DIV_ROUND_UP(bs->clk_hz, spi_hz); + cdiv += (cdiv % 2); + + if (cdiv >= 65536) +@@ -1102,7 +1103,7 @@ static int bcm2835_spi_transfer_one(struct spi_controller *ctlr, + } else { + cdiv = 0; /* 0 is the slowest we can go */ + } +- tfr->effective_speed_hz = cdiv ? (clk_hz / cdiv) : (clk_hz / 65536); ++ tfr->effective_speed_hz = cdiv ? (bs->clk_hz / cdiv) : (bs->clk_hz / 65536); + bcm2835_wr(bs, BCM2835_SPI_CLK, cdiv); + + /* handle all the 3-wire mode */ +@@ -1318,6 +1319,7 @@ static int bcm2835_spi_probe(struct platform_device *pdev) + return bs->irq ? bs->irq : -ENODEV; + + clk_prepare_enable(bs->clk); ++ bs->clk_hz = clk_get_rate(bs->clk); + + err = bcm2835_dma_init(ctlr, &pdev->dev, bs); + if (err) +-- +2.30.2 + diff --git a/queue-5.10/spi-stm32-fixes-pm_runtime-calls-in-probe-remove.patch b/queue-5.10/spi-stm32-fixes-pm_runtime-calls-in-probe-remove.patch new file mode 100644 index 00000000000..eee9614687f --- /dev/null +++ b/queue-5.10/spi-stm32-fixes-pm_runtime-calls-in-probe-remove.patch 
@@ -0,0 +1,76 @@ +From 6703c242ec2affcf2acb648efc224338f7c30f72 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Jul 2021 10:27:00 +0200 +Subject: spi: stm32: fixes pm_runtime calls in probe/remove + +From: Alain Volmat + +[ Upstream commit 7999d2555c9f879d006ea8469d74db9cdb038af0 ] + +Add pm_runtime calls in probe/probe error path and remove +in order to be consistent in all places in ordering and +ensure that pm_runtime is disabled prior to resources used +by the SPI controller. + +This patch also fixes the 2 following warnings on driver remove: +WARNING: CPU: 0 PID: 743 at drivers/clk/clk.c:594 clk_core_disable_lock+0x18/0x24 +WARNING: CPU: 0 PID: 743 at drivers/clk/clk.c:476 clk_unprepare+0x24/0x2c + +Fixes: 038ac869c9d2 ("spi: stm32: add runtime PM support") + +Signed-off-by: Amelie Delaunay +Signed-off-by: Alain Volmat +Link: https://lore.kernel.org/r/1625646426-5826-2-git-send-email-alain.volmat@foss.st.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-stm32.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-stm32.c b/drivers/spi/spi-stm32.c +index 0318f02d6212..8f91f8705eee 100644 +--- a/drivers/spi/spi-stm32.c ++++ b/drivers/spi/spi-stm32.c +@@ -1946,6 +1946,7 @@ static int stm32_spi_probe(struct platform_device *pdev) + master->can_dma = stm32_spi_can_dma; + + pm_runtime_set_active(&pdev->dev); ++ pm_runtime_get_noresume(&pdev->dev); + pm_runtime_enable(&pdev->dev); + + ret = spi_register_master(master); +@@ -1967,6 +1968,8 @@ static int stm32_spi_probe(struct platform_device *pdev) + + err_pm_disable: + pm_runtime_disable(&pdev->dev); ++ pm_runtime_put_noidle(&pdev->dev); ++ pm_runtime_set_suspended(&pdev->dev); + err_dma_release: + if (spi->dma_tx) + dma_release_channel(spi->dma_tx); +@@ -1983,9 +1986,14 @@ static int stm32_spi_remove(struct platform_device *pdev) + struct spi_master *master = platform_get_drvdata(pdev); + struct stm32_spi *spi = 
spi_master_get_devdata(master); + ++ pm_runtime_get_sync(&pdev->dev); ++ + spi_unregister_master(master); + spi->cfg->disable(spi); + ++ pm_runtime_disable(&pdev->dev); ++ pm_runtime_put_noidle(&pdev->dev); ++ pm_runtime_set_suspended(&pdev->dev); + if (master->dma_tx) + dma_release_channel(master->dma_tx); + if (master->dma_rx) +@@ -1993,7 +2001,6 @@ static int stm32_spi_remove(struct platform_device *pdev) + + clk_disable_unprepare(spi->clk); + +- pm_runtime_disable(&pdev->dev); + + pinctrl_pm_select_sleep_state(&pdev->dev); + +-- +2.30.2 + diff --git a/queue-5.10/stmmac-platform-fix-signedness-bug-in-stmmac_probe_c.patch b/queue-5.10/stmmac-platform-fix-signedness-bug-in-stmmac_probe_c.patch new file mode 100644 index 00000000000..8504c3a1cae --- /dev/null +++ b/queue-5.10/stmmac-platform-fix-signedness-bug-in-stmmac_probe_c.patch 
@@ -0,0 +1,51 @@ +From 72b15156a8746a305c9ea97c07c205b0dca8fc7d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Jul 2021 15:53:35 +0800 +Subject: stmmac: platform: Fix signedness bug in stmmac_probe_config_dt() + +From: YueHaibing + +[ Upstream commit eca81f09145d765c21dd8fb1ba5d874ca255c32c ] + +The "plat->phy_interface" variable is an enum and in this context GCC +will treat it as an unsigned int so the error handling is never +triggered. + +Fixes: b9f0b2f634c0 ("net: stmmac: platform: fix probe for ACPI devices") +Signed-off-by: YueHaibing +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c +index ff95400594fc..53be8fc1d125 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c +@@ -399,6 +399,7 @@ stmmac_probe_config_dt(struct platform_device *pdev, const char **mac) + struct device_node *np = pdev->dev.of_node; + struct plat_stmmacenet_data *plat; + struct stmmac_dma_cfg *dma_cfg; ++ int phy_mode; + int rc; + + plat = devm_kzalloc(&pdev->dev, sizeof(*plat), GFP_KERNEL); +@@ -413,10 +414,11 @@ stmmac_probe_config_dt(struct platform_device *pdev, const char **mac) + *mac = NULL; + } + +- plat->phy_interface = device_get_phy_mode(&pdev->dev); +- if (plat->phy_interface < 0) +- return ERR_PTR(plat->phy_interface); ++ phy_mode = device_get_phy_mode(&pdev->dev); ++ if (phy_mode < 0) ++ return ERR_PTR(phy_mode); + ++ plat->phy_interface = phy_mode; + plat->interface = stmmac_of_get_mac_mode(np); + if (plat->interface < 0) + plat->interface = plat->phy_interface; +-- +2.30.2 + 
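Review bot: In the bcm2835_spi_probe() hunk of spi-bcm2835.c, bs->clk_hz is sampled once, right after clk_prepare_enable(bs->clk), and never refreshed, so bcm2835_spi_transfer_one() will compute cdiv and tfr->effective_speed_hz from a stale value if the core clock rate changes after probe. Either state in the @clk_hz kerneldoc line that the rate is assumed fixed for the lifetime of the device, or keep it current (for example with a clock rate notifier, or by holding the rate with clk_rate_exclusive_get()). The return value of clk_prepare_enable() on the line just above the new assignment is also unchecked; if enabling fails, the cached rate describes a clock that is not running. The commit message would be easier to audit if it named the call path that already holds the CCF lock.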
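Review bot: In the stm32_spi_remove() hunk of spi-stm32.c, the result of the new pm_runtime_get_sync(&pdev->dev) is ignored, yet spi->cfg->disable(spi) runs two lines later and, assuming it touches controller registers, needs the device resumed; if the resume fails, teardown proceeds on a suspended controller. Check the return value and at least log the failure before continuing. In the probe hunk, pm_runtime_get_noresume() is balanced by pm_runtime_put_noidle() only under err_pm_disable; the success path is not visible in these hunks, so please confirm the usage count is dropped there as well, otherwise the device can never runtime-suspend. Minor: removing pm_runtime_disable() in the last hunk leaves two consecutive blank lines before pinctrl_pm_select_sleep_state().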
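Review bot: In stmmac_probe_config_dt(), the new int phy_mode local is what makes the phy_mode < 0 test meaningful, but nothing in the code says so, and a later cleanup could fold the assignment back into plat->phy_interface and silently reintroduce the dead error check. A one-line comment above phy_mode = device_get_phy_mode(&pdev->dev); saying that the call can return a negative errno, which must be checked before the value is stored in the enum field, would prevent that. The trailing context has the same shape, plat->interface = stmmac_of_get_mac_mode(np); followed by if (plat->interface < 0), which is only correct if that field is a signed type; worth confirming while here.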
diff --git a/queue-5.10/tcp-disable-tfo-blackhole-logic-by-default.patch b/queue-5.10/tcp-disable-tfo-blackhole-logic-by-default.patch new file mode 100644 index 00000000000..e12a2f4b812 --- /dev/null +++ b/queue-5.10/tcp-disable-tfo-blackhole-logic-by-default.patch 
@@ -0,0 +1,90 @@ +From 8779d173e986f47ea7e7d53625469bb21e34c03c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jul 2021 10:27:38 -0700 +Subject: tcp: disable TFO blackhole logic by default + +From: Wei Wang + +[ Upstream commit 213ad73d06073b197a02476db3a4998e219ddb06 ] + +Multiple complaints have been raised from the TFO users on the internet +stating that the TFO blackhole logic is too aggressive and gets falsely +triggered too often. +(e.g. https://blog.apnic.net/2021/07/05/tcp-fast-open-not-so-fast/) +Considering that most middleboxes no longer drop TFO packets, we decide +to disable the blackhole logic by setting +/proc/sys/net/ipv4/tcp_fastopen_blackhole_timeout_set to 0 by default. + +Fixes: cf1ef3f0719b4 ("net/tcp_fastopen: Disable active side TFO in certain scenarios") +Signed-off-by: Wei Wang +Signed-off-by: Eric Dumazet +Acked-by: Neal Cardwell +Acked-by: Soheil Hassas Yeganeh +Acked-by: Yuchung Cheng +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + Documentation/networking/ip-sysctl.rst | 2 +- + net/ipv4/tcp_fastopen.c | 9 ++++++++- + net/ipv4/tcp_ipv4.c | 2 +- + 3 files changed, 10 insertions(+), 3 deletions(-) + +diff --git a/Documentation/networking/ip-sysctl.rst b/Documentation/networking/ip-sysctl.rst +index 4abcfff15e38..4822a058a81d 100644 +--- a/Documentation/networking/ip-sysctl.rst ++++ b/Documentation/networking/ip-sysctl.rst +@@ -751,7 +751,7 @@ tcp_fastopen_blackhole_timeout_sec - INTEGER + initial value when the blackhole issue goes away. + 0 to disable the blackhole detection. + +- By default, it is set to 1hr. ++ By default, it is set to 0 (feature is disabled). + + tcp_fastopen_key - list of comma separated 32-digit hexadecimal INTEGERs + The list consists of a primary key and an optional backup key. 
The +diff --git a/net/ipv4/tcp_fastopen.c b/net/ipv4/tcp_fastopen.c +index 08548ff23d83..d49709ba8e16 100644 +--- a/net/ipv4/tcp_fastopen.c ++++ b/net/ipv4/tcp_fastopen.c +@@ -507,6 +507,9 @@ void tcp_fastopen_active_disable(struct sock *sk) + { + struct net *net = sock_net(sk); + ++ if (!sock_net(sk)->ipv4.sysctl_tcp_fastopen_blackhole_timeout) ++ return; ++ + /* Paired with READ_ONCE() in tcp_fastopen_active_should_disable() */ + WRITE_ONCE(net->ipv4.tfo_active_disable_stamp, jiffies); + +@@ -526,10 +529,14 @@ void tcp_fastopen_active_disable(struct sock *sk) + bool tcp_fastopen_active_should_disable(struct sock *sk) + { + unsigned int tfo_bh_timeout = sock_net(sk)->ipv4.sysctl_tcp_fastopen_blackhole_timeout; +- int tfo_da_times = atomic_read(&sock_net(sk)->ipv4.tfo_active_disable_times); + unsigned long timeout; ++ int tfo_da_times; + int multiplier; + ++ if (!tfo_bh_timeout) ++ return false; ++ ++ tfo_da_times = atomic_read(&sock_net(sk)->ipv4.tfo_active_disable_times); + if (!tfo_da_times) + return false; + +diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c +index 5212db9ea157..04e259a04443 100644 +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -2913,7 +2913,7 @@ static int __net_init tcp_sk_init(struct net *net) + net->ipv4.sysctl_tcp_comp_sack_nr = 44; + net->ipv4.sysctl_tcp_fastopen = TFO_CLIENT_ENABLE; + spin_lock_init(&net->ipv4.tcp_fastopen_ctx_lock); +- net->ipv4.sysctl_tcp_fastopen_blackhole_timeout = 60 * 60; ++ net->ipv4.sysctl_tcp_fastopen_blackhole_timeout = 0; + atomic_set(&net->ipv4.tfo_active_disable_times, 0); + + /* Reno is always built in */ +-- +2.30.2 + diff --git a/queue-5.10/timers-fix-get_next_timer_interrupt-with-no-timers-p.patch b/queue-5.10/timers-fix-get_next_timer_interrupt-with-no-timers-p.patch new file mode 100644 index 00000000000..cc8ecf5662f --- /dev/null +++ b/queue-5.10/timers-fix-get_next_timer_interrupt-with-no-timers-p.patch 
@@ -0,0 +1,125 @@ +From 41b0a9ddf6a3c1498d7ed6e53fa7f66f9dc00386 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Jul 2021 16:13:25 +0200 +Subject: timers: Fix get_next_timer_interrupt() with no timers pending + +From: Nicolas Saenz Julienne + +[ Upstream commit aebacb7f6ca1926918734faae14d1f0b6fae5cb7 ] + +31cd0e119d50 ("timers: Recalculate next timer interrupt only when +necessary") subtly altered get_next_timer_interrupt()'s behaviour. The +function no longer consistently returns KTIME_MAX with no timers +pending. + +In order to decide if there are any timers pending we check whether the +next expiry will happen NEXT_TIMER_MAX_DELTA jiffies from now. +Unfortunately, the next expiry time and the timer base clock are no +longer updated in unison. The former changes upon certain timer +operations (enqueue, expire, detach), whereas the latter keeps track of +jiffies as they move forward. Ultimately breaking the logic above. + +A simplified example: + +- Upon entering get_next_timer_interrupt() with: + + jiffies = 1 + base->clk = 0; + base->next_expiry = NEXT_TIMER_MAX_DELTA; + + 'base->next_expiry == base->clk + NEXT_TIMER_MAX_DELTA', the function + returns KTIME_MAX. + +- 'base->clk' is updated to the jiffies value. + +- The next time we enter get_next_timer_interrupt(), taking into account + no timer operations happened: + + base->clk = 1; + base->next_expiry = NEXT_TIMER_MAX_DELTA; + + 'base->next_expiry != base->clk + NEXT_TIMER_MAX_DELTA', the function + returns a valid expire time, which is incorrect. + +This ultimately might unnecessarily rearm sched's timer on nohz_full +setups, and add latency to the system[1]. + +So, introduce 'base->timers_pending'[2], update it every time +'base->next_expiry' changes, and use it in get_next_timer_interrupt(). + +[1] See tick_nohz_stop_tick(). +[2] A quick pahole check on x86_64 and arm64 shows it doesn't make + 'struct timer_base' any bigger. 
+ +Fixes: 31cd0e119d50 ("timers: Recalculate next timer interrupt only when necessary") +Signed-off-by: Nicolas Saenz Julienne +Signed-off-by: Frederic Weisbecker +Signed-off-by: Sasha Levin +--- + kernel/time/timer.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/kernel/time/timer.c b/kernel/time/timer.c +index c3ad64fb9d8b..aa96b8a4e508 100644 +--- a/kernel/time/timer.c ++++ b/kernel/time/timer.c +@@ -207,6 +207,7 @@ struct timer_base { + unsigned int cpu; + bool next_expiry_recalc; + bool is_idle; ++ bool timers_pending; + DECLARE_BITMAP(pending_map, WHEEL_SIZE); + struct hlist_head vectors[WHEEL_SIZE]; + } ____cacheline_aligned; +@@ -595,6 +596,7 @@ static void enqueue_timer(struct timer_base *base, struct timer_list *timer, + * can reevaluate the wheel: + */ + base->next_expiry = bucket_expiry; ++ base->timers_pending = true; + base->next_expiry_recalc = false; + trigger_dyntick_cpu(base, timer); + } +@@ -1575,6 +1577,7 @@ static unsigned long __next_timer_interrupt(struct timer_base *base) + } + + base->next_expiry_recalc = false; ++ base->timers_pending = !(next == base->clk + NEXT_TIMER_MAX_DELTA); + + return next; + } +@@ -1626,7 +1629,6 @@ u64 get_next_timer_interrupt(unsigned long basej, u64 basem) + struct timer_base *base = this_cpu_ptr(&timer_bases[BASE_STD]); + u64 expires = KTIME_MAX; + unsigned long nextevt; +- bool is_max_delta; + + /* + * Pretend that there is no timer pending if the cpu is offline. +@@ -1639,7 +1641,6 @@ u64 get_next_timer_interrupt(unsigned long basej, u64 basem) + if (base->next_expiry_recalc) + base->next_expiry = __next_timer_interrupt(base); + nextevt = base->next_expiry; +- is_max_delta = (nextevt == base->clk + NEXT_TIMER_MAX_DELTA); + + /* + * We have a fresh next event. 
Check whether we can forward the +@@ -1657,7 +1658,7 @@ u64 get_next_timer_interrupt(unsigned long basej, u64 basem) + expires = basem; + base->is_idle = false; + } else { +- if (!is_max_delta) ++ if (base->timers_pending) + expires = basem + (u64)(nextevt - basej) * TICK_NSEC; + /* + * If we expect to sleep more than a tick, mark the base idle. +@@ -1940,6 +1941,7 @@ int timers_prepare_cpu(unsigned int cpu) + base = per_cpu_ptr(&timer_bases[b], cpu); + base->clk = jiffies; + base->next_expiry = base->clk + NEXT_TIMER_MAX_DELTA; ++ base->timers_pending = false; + base->is_idle = false; + } + return 0; +-- +2.30.2 + diff --git a/queue-5.10/usb-hso-fix-error-handling-code-of-hso_create_net_de.patch b/queue-5.10/usb-hso-fix-error-handling-code-of-hso_create_net_de.patch new file mode 100644 index 00000000000..c8bdf7964ff --- /dev/null +++ b/queue-5.10/usb-hso-fix-error-handling-code-of-hso_create_net_de.patch 
@@ -0,0 +1,115 @@ +From 82ac25e563d3bca18b64fc6d508d06c3d4af3c57 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jul 2021 17:13:22 +0800 +Subject: usb: hso: fix error handling code of hso_create_net_device + +From: Dongliang Mu + +[ Upstream commit a6ecfb39ba9d7316057cea823b196b734f6b18ca ] + +The current error handling code of hso_create_net_device is +hso_free_net_device, no matter which errors lead to. For example, +WARNING in hso_free_net_device [1]. + +Fix this by refactoring the error handling code of +hso_create_net_device by handling different errors by different code. + +[1] https://syzkaller.appspot.com/bug?id=66eff8d49af1b28370ad342787413e35bbe76efe + +Reported-by: syzbot+44d53c7255bb1aea22d2@syzkaller.appspotmail.com +Fixes: 5fcfb6d0bfcd ("hso: fix bailout in error case of probe") +Signed-off-by: Dongliang Mu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/hso.c | 33 +++++++++++++++++++++++---------- + 1 file changed, 23 insertions(+), 10 deletions(-) + +diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c +index fbfcbd0dcfcb..5b3aff2c279f 100644 +--- a/drivers/net/usb/hso.c ++++ b/drivers/net/usb/hso.c +@@ -2496,7 +2496,7 @@ static struct hso_device *hso_create_net_device(struct usb_interface *interface, + hso_net_init); + if (!net) { + dev_err(&interface->dev, "Unable to create ethernet device\n"); +- goto exit; ++ goto err_hso_dev; + } + + hso_net = netdev_priv(net); +@@ -2509,13 +2509,13 @@ static struct hso_device *hso_create_net_device(struct usb_interface *interface, + USB_DIR_IN); + if (!hso_net->in_endp) { + dev_err(&interface->dev, "Can't find BULK IN endpoint\n"); +- goto exit; ++ goto err_net; + } + hso_net->out_endp = hso_get_ep(interface, USB_ENDPOINT_XFER_BULK, + USB_DIR_OUT); + if (!hso_net->out_endp) { + dev_err(&interface->dev, "Can't find BULK OUT endpoint\n"); +- goto exit; ++ goto err_net; + } + SET_NETDEV_DEV(net, &interface->dev); + SET_NETDEV_DEVTYPE(net, &hso_type); +@@ 
-2524,18 +2524,18 @@ static struct hso_device *hso_create_net_device(struct usb_interface *interface, + for (i = 0; i < MUX_BULK_RX_BUF_COUNT; i++) { + hso_net->mux_bulk_rx_urb_pool[i] = usb_alloc_urb(0, GFP_KERNEL); + if (!hso_net->mux_bulk_rx_urb_pool[i]) +- goto exit; ++ goto err_mux_bulk_rx; + hso_net->mux_bulk_rx_buf_pool[i] = kzalloc(MUX_BULK_RX_BUF_SIZE, + GFP_KERNEL); + if (!hso_net->mux_bulk_rx_buf_pool[i]) +- goto exit; ++ goto err_mux_bulk_rx; + } + hso_net->mux_bulk_tx_urb = usb_alloc_urb(0, GFP_KERNEL); + if (!hso_net->mux_bulk_tx_urb) +- goto exit; ++ goto err_mux_bulk_rx; + hso_net->mux_bulk_tx_buf = kzalloc(MUX_BULK_TX_BUF_SIZE, GFP_KERNEL); + if (!hso_net->mux_bulk_tx_buf) +- goto exit; ++ goto err_free_tx_urb; + + add_net_device(hso_dev); + +@@ -2543,7 +2543,7 @@ static struct hso_device *hso_create_net_device(struct usb_interface *interface, + result = register_netdev(net); + if (result) { + dev_err(&interface->dev, "Failed to register device\n"); +- goto exit; ++ goto err_free_tx_buf; + } + + hso_log_port(hso_dev); +@@ -2551,8 +2551,21 @@ static struct hso_device *hso_create_net_device(struct usb_interface *interface, + hso_create_rfkill(hso_dev, interface); + + return hso_dev; +-exit: +- hso_free_net_device(hso_dev, true); ++ ++err_free_tx_buf: ++ remove_net_device(hso_dev); ++ kfree(hso_net->mux_bulk_tx_buf); ++err_free_tx_urb: ++ usb_free_urb(hso_net->mux_bulk_tx_urb); ++err_mux_bulk_rx: ++ for (i = 0; i < MUX_BULK_RX_BUF_COUNT; i++) { ++ usb_free_urb(hso_net->mux_bulk_rx_urb_pool[i]); ++ kfree(hso_net->mux_bulk_rx_buf_pool[i]); ++ } ++err_net: ++ free_netdev(net); ++err_hso_dev: ++ kfree(hso_dev); + return NULL; + } + +-- +2.30.2 + diff --git a/queue-5.10/xdp-net-fix-use-after-free-in-bpf_xdp_link_release.patch b/queue-5.10/xdp-net-fix-use-after-free-in-bpf_xdp_link_release.patch new file mode 100644 index 00000000000..abc9468b7e5 --- /dev/null +++ b/queue-5.10/xdp-net-fix-use-after-free-in-bpf_xdp_link_release.patch 
@@ -0,0 +1,161 @@ +From f01700e6ec08b1d384413de651306610c07eef42 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 10 Jul 2021 11:16:35 +0800 +Subject: xdp, net: Fix use-after-free in bpf_xdp_link_release + +From: Xuan Zhuo + +[ Upstream commit 5acc7d3e8d342858405fbbc671221f676b547ce7 ] + +The problem occurs between dev_get_by_index() and dev_xdp_attach_link(). +At this point, dev_xdp_uninstall() is called. Then xdp link will not be +detached automatically when dev is released. But link->dev already +points to dev, when xdp link is released, dev will still be accessed, +but dev has been released. + +dev_get_by_index() | +link->dev = dev | + | rtnl_lock() + | unregister_netdevice_many() + | dev_xdp_uninstall() + | rtnl_unlock() +rtnl_lock(); | +dev_xdp_attach_link() | +rtnl_unlock(); | + | netdev_run_todo() // dev released +bpf_xdp_link_release() | + /* access dev. | + use-after-free */ | + +[ 45.966867] BUG: KASAN: use-after-free in bpf_xdp_link_release+0x3b8/0x3d0 +[ 45.967619] Read of size 8 at addr ffff00000f9980c8 by task a.out/732 +[ 45.968297] +[ 45.968502] CPU: 1 PID: 732 Comm: a.out Not tainted 5.13.0+ #22 +[ 45.969222] Hardware name: linux,dummy-virt (DT) +[ 45.969795] Call trace: +[ 45.970106] dump_backtrace+0x0/0x4c8 +[ 45.970564] show_stack+0x30/0x40 +[ 45.970981] dump_stack_lvl+0x120/0x18c +[ 45.971470] print_address_description.constprop.0+0x74/0x30c +[ 45.972182] kasan_report+0x1e8/0x200 +[ 45.972659] __asan_report_load8_noabort+0x2c/0x50 +[ 45.973273] bpf_xdp_link_release+0x3b8/0x3d0 +[ 45.973834] bpf_link_free+0xd0/0x188 +[ 45.974315] bpf_link_put+0x1d0/0x218 +[ 45.974790] bpf_link_release+0x3c/0x58 +[ 45.975291] __fput+0x20c/0x7e8 +[ 45.975706] ____fput+0x24/0x30 +[ 45.976117] task_work_run+0x104/0x258 +[ 45.976609] do_notify_resume+0x894/0xaf8 +[ 45.977121] work_pending+0xc/0x328 +[ 45.977575] +[ 45.977775] The buggy address belongs to the page: +[ 45.978369] page:fffffc00003e6600 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 
pfn:0x4f998 +[ 45.979522] flags: 0x7fffe0000000000(node=0|zone=0|lastcpupid=0x3ffff) +[ 45.980349] raw: 07fffe0000000000 fffffc00003e6708 ffff0000dac3c010 0000000000000000 +[ 45.981309] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 +[ 45.982259] page dumped because: kasan: bad access detected +[ 45.982948] +[ 45.983153] Memory state around the buggy address: +[ 45.983753] ffff00000f997f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 45.984645] ffff00000f998000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 45.985533] >ffff00000f998080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 45.986419] ^ +[ 45.987112] ffff00000f998100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 45.988006] ffff00000f998180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 45.988895] ================================================================== +[ 45.989773] Disabling lock debugging due to kernel taint +[ 45.990552] Kernel panic - not syncing: panic_on_warn set ... 
+[ 45.991166] CPU: 1 PID: 732 Comm: a.out Tainted: G B 5.13.0+ #22 +[ 45.991929] Hardware name: linux,dummy-virt (DT) +[ 45.992448] Call trace: +[ 45.992753] dump_backtrace+0x0/0x4c8 +[ 45.993208] show_stack+0x30/0x40 +[ 45.993627] dump_stack_lvl+0x120/0x18c +[ 45.994113] dump_stack+0x1c/0x34 +[ 45.994530] panic+0x3a4/0x7d8 +[ 45.994930] end_report+0x194/0x198 +[ 45.995380] kasan_report+0x134/0x200 +[ 45.995850] __asan_report_load8_noabort+0x2c/0x50 +[ 45.996453] bpf_xdp_link_release+0x3b8/0x3d0 +[ 45.997007] bpf_link_free+0xd0/0x188 +[ 45.997474] bpf_link_put+0x1d0/0x218 +[ 45.997942] bpf_link_release+0x3c/0x58 +[ 45.998429] __fput+0x20c/0x7e8 +[ 45.998833] ____fput+0x24/0x30 +[ 45.999247] task_work_run+0x104/0x258 +[ 45.999731] do_notify_resume+0x894/0xaf8 +[ 46.000236] work_pending+0xc/0x328 +[ 46.000697] SMP: stopping secondary CPUs +[ 46.001226] Dumping ftrace buffer: +[ 46.001663] (ftrace buffer empty) +[ 46.002110] Kernel Offset: disabled +[ 46.002545] CPU features: 0x00000001,23202c00 +[ 46.003080] Memory Limit: none + +Fixes: aa8d3a716b59db6c ("bpf, xdp: Add bpf_link-based XDP attachment API") +Reported-by: Abaci +Signed-off-by: Xuan Zhuo +Signed-off-by: Alexei Starovoitov +Reviewed-by: Dust Li +Acked-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20210710031635.41649-1-xuanzhuo@linux.alibaba.com +Signed-off-by: Sasha Levin +--- + net/core/dev.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/net/core/dev.c b/net/core/dev.c +index 86a0fe0f4c02..4935ca1e887f 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -9401,14 +9401,17 @@ int bpf_xdp_link_attach(const union bpf_attr *attr, struct bpf_prog *prog) + struct net_device *dev; + int err, fd; + ++ rtnl_lock(); + dev = dev_get_by_index(net, attr->link_create.target_ifindex); +- if (!dev) ++ if (!dev) { ++ rtnl_unlock(); + return -EINVAL; ++ } + + link = kzalloc(sizeof(*link), GFP_USER); + if (!link) { + err = -ENOMEM; +- goto out_put_dev; ++ goto unlock; + } 
+ + bpf_link_init(&link->link, BPF_LINK_TYPE_XDP, &bpf_xdp_link_lops, prog); +@@ -9418,14 +9421,14 @@ int bpf_xdp_link_attach(const union bpf_attr *attr, struct bpf_prog *prog) + err = bpf_link_prime(&link->link, &link_primer); + if (err) { + kfree(link); +- goto out_put_dev; ++ goto unlock; + } + +- rtnl_lock(); + err = dev_xdp_attach_link(dev, NULL, link); + rtnl_unlock(); + + if (err) { ++ link->dev = NULL; + bpf_link_cleanup(&link_primer); + goto out_put_dev; + } +@@ -9435,6 +9438,9 @@ int bpf_xdp_link_attach(const union bpf_attr *attr, struct bpf_prog *prog) + dev_put(dev); + return fd; + ++unlock: ++ rtnl_unlock(); ++ + out_put_dev: + dev_put(dev); + return err; +-- +2.30.2 +
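Review bot: In tcp_fastopen_active_disable() (net/ipv4/tcp_fastopen.c), the added check re-derives sock_net(sk) although struct net *net is declared on the line above, and it reads sysctl_tcp_fastopen_blackhole_timeout with a plain load while the very next statement uses WRITE_ONCE() with a comment about its READ_ONCE() pairing. The sysctl can be written concurrently, so use READ_ONCE(net->ipv4.sysctl_tcp_fastopen_blackhole_timeout) here and for tfo_bh_timeout in tcp_fastopen_active_should_disable(). Separately, the tcp_sk_init() hunk changes a default in a stable backport: hosts that relied on the previous 60 * 60 value stop backing off from TFO after the upgrade unless they set the sysctl explicitly, which deserves a line in the commit message. The commit message also names the knob tcp_fastopen_blackhole_timeout_set, while the ip-sysctl.rst hunk documents tcp_fastopen_blackhole_timeout_sec.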
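Review bot: The new bool timers_pending in struct timer_base (kernel/time/timer.c) has no comment, and its correctness rests entirely on the invariant from the commit message that it is updated every time base->next_expiry changes. State that invariant next to the field so a future writer of next_expiry knows to update both; the hunks here cover enqueue_timer(), __next_timer_interrupt() and timers_prepare_cpu(), and any other assignment to next_expiry should be checked against that list. Style: in __next_timer_interrupt(), base->timers_pending = !(next == base->clk + NEXT_TIMER_MAX_DELTA); is a negated equality and reads more directly as next != base->clk + NEXT_TIMER_MAX_DELTA.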
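Review bot: At the err_mux_bulk_rx label in hso_create_net_device() (drivers/net/usb/hso.c), the cleanup loop walks all MUX_BULK_RX_BUF_COUNT slots no matter how far the allocation loop got, and the same label is reached when usb_alloc_urb() for mux_bulk_tx_urb fails. That is safe only because usb_free_urb() and kfree() accept NULL and because the code relies on the unallocated slots being zero; add a short comment saying so, or unwind from the failing index downward. hso_net comes from netdev_priv(net), so every hso_net-> access in the unwind path must stay above free_netdev(net), as it does now; a comment at err_net would keep a later reordering from turning this into a use-after-free. The label names mix two styles (err_free_tx_buf and err_free_tx_urb versus err_mux_bulk_rx and err_net); pick one.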
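Review bot: In bpf_xdp_link_attach() (net/core/dev.c), moving rtnl_lock() above dev_get_by_index() closes the window shown in the commit message, but it also puts kzalloc(sizeof(*link), GFP_USER) and bpf_link_prime() inside the RTNL critical section, so a user-triggerable allocation now runs while a global lock is held. Please confirm that is acceptable, or consider whether the allocation can happen before the lock is taken so that only the lookup and dev_xdp_attach_link() run under it. In the failure branch after dev_xdp_attach_link(), link->dev = NULL; is added without explanation; a comment saying it keeps bpf_xdp_link_release() from touching the device during bpf_link_cleanup() would help. The new unlock: label falls through into out_put_dev:, which is correct but worth marking as intentional.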