From: Sasha Levin Date: Mon, 4 Oct 2021 03:18:13 +0000 (-0400) Subject: Fixes for 5.4 X-Git-Tag: v4.4.286~46 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f2de1fdf3e4fdc1d6ce505d9b5e0bb5a20ee2284;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/af_unix-fix-races-in-sk_peer_pid-and-sk_peer_cred-ac.patch b/queue-5.4/af_unix-fix-races-in-sk_peer_pid-and-sk_peer_cred-ac.patch new file mode 100644 index 00000000000..d6b32fe0d55 --- /dev/null +++ b/queue-5.4/af_unix-fix-races-in-sk_peer_pid-and-sk_peer_cred-ac.patch @@ -0,0 +1,190 @@ +From e20576e0edb24cc440225fb48ce7bc5117f820d2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Sep 2021 15:57:50 -0700 +Subject: af_unix: fix races in sk_peer_pid and sk_peer_cred accesses + +From: Eric Dumazet + +[ Upstream commit 35306eb23814444bd4021f8a1c3047d3cb0c8b2b ] + +Jann Horn reported that SO_PEERCRED and SO_PEERGROUPS implementations +are racy, as af_unix can concurrently change sk_peer_pid and sk_peer_cred. + +In order to fix this issue, this patch adds a new spinlock that needs +to be used whenever these fields are read or written. + +Jann also pointed out that l2cap_sock_get_peer_pid_cb() is currently +reading sk->sk_peer_pid which makes no sense, as this field +is only possibly set by AF_UNIX sockets. +We will have to clean this in a separate patch. +This could be done by reverting b48596d1dc25 "Bluetooth: L2CAP: Add get_peer_pid callback" +or implementing what was truly expected. + +Fixes: 109f6e39fa07 ("af_unix: Allow SO_PEERCRED to work across namespaces.") +Signed-off-by: Eric Dumazet +Reported-by: Jann Horn +Cc: Eric W. Biederman +Cc: Luiz Augusto von Dentz +Cc: Marcel Holtmann +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/net/sock.h | 2 ++ + net/core/sock.c | 32 ++++++++++++++++++++++++++------ + net/unix/af_unix.c | 34 ++++++++++++++++++++++++++++------ + 3 files changed, 56 insertions(+), 12 deletions(-) + +diff --git a/include/net/sock.h b/include/net/sock.h +index d3dd89b6e2cb..079b5f6f13d8 100644 +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -470,8 +470,10 @@ struct sock { + u32 sk_ack_backlog; + u32 sk_max_ack_backlog; + kuid_t sk_uid; ++ spinlock_t sk_peer_lock; + struct pid *sk_peer_pid; + const struct cred *sk_peer_cred; ++ + long sk_rcvtimeo; + ktime_t sk_stamp; + #if BITS_PER_LONG==32 +diff --git a/net/core/sock.c b/net/core/sock.c +index 452883b28aba..57b7a10703c3 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -1181,6 +1181,16 @@ int sock_setsockopt(struct socket *sock, int level, int optname, + } + EXPORT_SYMBOL(sock_setsockopt); + ++static const struct cred *sk_get_peer_cred(struct sock *sk) ++{ ++ const struct cred *cred; ++ ++ spin_lock(&sk->sk_peer_lock); ++ cred = get_cred(sk->sk_peer_cred); ++ spin_unlock(&sk->sk_peer_lock); ++ ++ return cred; ++} + + static void cred_to_ucred(struct pid *pid, const struct cred *cred, + struct ucred *ucred) +@@ -1355,7 +1365,11 @@ int sock_getsockopt(struct socket *sock, int level, int optname, + struct ucred peercred; + if (len > sizeof(peercred)) + len = sizeof(peercred); ++ ++ spin_lock(&sk->sk_peer_lock); + cred_to_ucred(sk->sk_peer_pid, sk->sk_peer_cred, &peercred); ++ spin_unlock(&sk->sk_peer_lock); ++ + if (copy_to_user(optval, &peercred, len)) + return -EFAULT; + goto lenout; +@@ -1363,20 +1377,23 @@ int sock_getsockopt(struct socket *sock, int level, int optname, + + case SO_PEERGROUPS: + { ++ const struct cred *cred; + int ret, n; + +- if (!sk->sk_peer_cred) ++ cred = sk_get_peer_cred(sk); ++ if (!cred) + return -ENODATA; + +- n = sk->sk_peer_cred->group_info->ngroups; ++ n = cred->group_info->ngroups; + if (len < n * sizeof(gid_t)) { + len = n * sizeof(gid_t); ++ put_cred(cred); + return put_user(len, optlen) ? -EFAULT : -ERANGE; + } + len = n * sizeof(gid_t); + +- ret = groups_to_user((gid_t __user *)optval, +- sk->sk_peer_cred->group_info); ++ ret = groups_to_user((gid_t __user *)optval, cred->group_info); ++ put_cred(cred); + if (ret) + return ret; + goto lenout; +@@ -1714,9 +1731,10 @@ static void __sk_destruct(struct rcu_head *head) + sk->sk_frag.page = NULL; + } + +- if (sk->sk_peer_cred) +- put_cred(sk->sk_peer_cred); ++ /* We do not need to acquire sk->sk_peer_lock, we are the last user. */ ++ put_cred(sk->sk_peer_cred); + put_pid(sk->sk_peer_pid); ++ + if (likely(sk->sk_net_refcnt)) + put_net(sock_net(sk)); + sk_prot_free(sk->sk_prot_creator, sk); +@@ -2915,6 +2933,8 @@ void sock_init_data(struct socket *sock, struct sock *sk) + + sk->sk_peer_pid = NULL; + sk->sk_peer_cred = NULL; ++ spin_lock_init(&sk->sk_peer_lock); ++ + sk->sk_write_pending = 0; + sk->sk_rcvlowat = 1; + sk->sk_rcvtimeo = MAX_SCHEDULE_TIMEOUT; +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index 3098710c9c34..05470ca91bd9 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -595,20 +595,42 @@ static void unix_release_sock(struct sock *sk, int embrion) + + static void init_peercred(struct sock *sk) + { +- put_pid(sk->sk_peer_pid); +- if (sk->sk_peer_cred) +- put_cred(sk->sk_peer_cred); ++ const struct cred *old_cred; ++ struct pid *old_pid; ++ ++ spin_lock(&sk->sk_peer_lock); ++ old_pid = sk->sk_peer_pid; ++ old_cred = sk->sk_peer_cred; + sk->sk_peer_pid = get_pid(task_tgid(current)); + sk->sk_peer_cred = get_current_cred(); ++ spin_unlock(&sk->sk_peer_lock); ++ ++ put_pid(old_pid); ++ put_cred(old_cred); + } + + static void copy_peercred(struct sock *sk, struct sock *peersk) + { +- put_pid(sk->sk_peer_pid); +- if (sk->sk_peer_cred) +- put_cred(sk->sk_peer_cred); ++ const struct cred *old_cred; ++ struct pid *old_pid; ++ ++ if (sk < peersk) { ++ spin_lock(&sk->sk_peer_lock); ++ spin_lock_nested(&peersk->sk_peer_lock, SINGLE_DEPTH_NESTING); ++ } else { ++ spin_lock(&peersk->sk_peer_lock); ++ spin_lock_nested(&sk->sk_peer_lock, SINGLE_DEPTH_NESTING); ++ } ++ old_pid = sk->sk_peer_pid; ++ old_cred = sk->sk_peer_cred; + sk->sk_peer_pid = get_pid(peersk->sk_peer_pid); + sk->sk_peer_cred = get_cred(peersk->sk_peer_cred); ++ ++ spin_unlock(&sk->sk_peer_lock); ++ spin_unlock(&peersk->sk_peer_lock); ++ ++ put_pid(old_pid); ++ put_cred(old_cred); + } + + static int unix_listen(struct socket *sock, int backlog) +-- +2.33.0 + diff --git a/queue-5.4/e100-fix-buffer-overrun-in-e100_get_regs.patch b/queue-5.4/e100-fix-buffer-overrun-in-e100_get_regs.patch new file mode 100644 index 00000000000..522fb8f14a9 --- /dev/null +++ b/queue-5.4/e100-fix-buffer-overrun-in-e100_get_regs.patch @@ -0,0 +1,107 @@ +From b3adb6801f001a7080a689b10533d5e1cacb4a43 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Sep 2021 10:52:37 -0700 +Subject: e100: fix buffer overrun in e100_get_regs + +From: Jacob Keller + +[ Upstream commit 51032e6f17ce990d06123ad7307f258c50d25aa7 ] + +The e100_get_regs function is used to implement a simple register dump +for the e100 device. The data is broken into a couple of MAC control +registers, and then a series of PHY registers, followed by a memory dump +buffer. + +The total length of the register dump is defined as (1 + E100_PHY_REGS) +* sizeof(u32) + sizeof(nic->mem->dump_buf). + +The logic for filling in the PHY registers uses a convoluted inverted +count for loop which counts from E100_PHY_REGS (0x1C) down to 0, and +assigns the slots 1 + E100_PHY_REGS - i. The first loop iteration will +fill in [1] and the final loop iteration will fill in [1 + 0x1C]. This +is actually one more than the supposed number of PHY registers. + +The memory dump buffer is then filled into the space at +[2 + E100_PHY_REGS] which will cause that memcpy to assign 4 bytes past +the total size. + +The end result is that we overrun the total buffer size allocated by the +kernel, which could lead to a panic or other issues due to memory +corruption. + +It is difficult to determine the actual total number of registers +here. The only 8255x datasheet I could find indicates there are 28 total +MDI registers. However, we're reading 29 here, and reading them in +reverse! + +In addition, the ethtool e100 register dump interface appears to read +the first PHY register to determine if the device is in MDI or MDIx +mode. This doesn't appear to be documented anywhere within the 8255x +datasheet. I can only assume it must be in register 28 (the extra +register we're reading here). + +Lets not change any of the intended meaning of what we copy here. Just +extend the space by 4 bytes to account for the extra register and +continue copying the data out in the same order. + +Change the E100_PHY_REGS value to be the correct total (29) so that the +total register dump size is calculated properly. Fix the offset for +where we copy the dump buffer so that it doesn't overrun the total size. + +Re-write the for loop to use counting up instead of the convoluted +down-counting. Correct the mdio_read offset to use the 0-based register +offsets, but maintain the bizarre reverse ordering so that we have the +ABI expected by applications like ethtool. This requires and additional +subtraction of 1. It seems a bit odd but it makes the flow of assignment +into the register buffer easier to follow. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: Felicitas Hetzelt +Signed-off-by: Jacob Keller +Tested-by: Jacob Keller +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/e100.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/ethernet/intel/e100.c b/drivers/net/ethernet/intel/e100.c +index ea0f97d76964..70962967d714 100644 +--- a/drivers/net/ethernet/intel/e100.c ++++ b/drivers/net/ethernet/intel/e100.c +@@ -2435,7 +2435,7 @@ static void e100_get_drvinfo(struct net_device *netdev, + sizeof(info->bus_info)); + } + +-#define E100_PHY_REGS 0x1C ++#define E100_PHY_REGS 0x1D + static int e100_get_regs_len(struct net_device *netdev) + { + struct nic *nic = netdev_priv(netdev); +@@ -2457,14 +2457,18 @@ static void e100_get_regs(struct net_device *netdev, + buff[0] = ioread8(&nic->csr->scb.cmd_hi) << 24 | + ioread8(&nic->csr->scb.cmd_lo) << 16 | + ioread16(&nic->csr->scb.status); +- for (i = E100_PHY_REGS; i >= 0; i--) +- buff[1 + E100_PHY_REGS - i] = +- mdio_read(netdev, nic->mii.phy_id, i); ++ for (i = 0; i < E100_PHY_REGS; i++) ++ /* Note that we read the registers in reverse order. This ++ * ordering is the ABI apparently used by ethtool and other ++ * applications. ++ */ ++ buff[1 + i] = mdio_read(netdev, nic->mii.phy_id, ++ E100_PHY_REGS - 1 - i); + memset(nic->mem->dump_buf, 0, sizeof(nic->mem->dump_buf)); + e100_exec_cb(nic, NULL, e100_dump); + msleep(10); +- memcpy(&buff[2 + E100_PHY_REGS], nic->mem->dump_buf, +- sizeof(nic->mem->dump_buf)); ++ memcpy(&buff[1 + E100_PHY_REGS], nic->mem->dump_buf, ++ sizeof(nic->mem->dump_buf)); + } + + static void e100_get_wol(struct net_device *netdev, struct ethtool_wolinfo *wol) +-- +2.33.0 + diff --git a/queue-5.4/e100-fix-length-calculation-in-e100_get_regs_len.patch b/queue-5.4/e100-fix-length-calculation-in-e100_get_regs_len.patch new file mode 100644 index 00000000000..1bfd85ec6ef --- /dev/null +++ b/queue-5.4/e100-fix-length-calculation-in-e100_get_regs_len.patch @@ -0,0 +1,50 @@ +From e9b4c4989a9abcfa0b3c096186f925424b69074e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Sep 2021 10:52:36 -0700 +Subject: e100: fix length calculation in e100_get_regs_len + +From: Jacob Keller + +[ Upstream commit 4329c8dc110b25d5f04ed20c6821bb60deff279f ] + +commit abf9b902059f ("e100: cleanup unneeded math") tried to simplify +e100_get_regs_len and remove a double 'divide and then multiply' +calculation that the e100_reg_regs_len function did. + +This change broke the size calculation entirely as it failed to account +for the fact that the numbered registers are actually 4 bytes wide and +not 1 byte. This resulted in a significant under allocation of the +register buffer used by e100_get_regs. + +Fix this by properly multiplying the register count by u32 first before +adding the size of the dump buffer. + +Fixes: abf9b902059f ("e100: cleanup unneeded math") +Reported-by: Felicitas Hetzelt +Signed-off-by: Jacob Keller +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/e100.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/e100.c b/drivers/net/ethernet/intel/e100.c +index 911b3d2a94e1..ea0f97d76964 100644 +--- a/drivers/net/ethernet/intel/e100.c ++++ b/drivers/net/ethernet/intel/e100.c +@@ -2439,7 +2439,11 @@ static void e100_get_drvinfo(struct net_device *netdev, + static int e100_get_regs_len(struct net_device *netdev) + { + struct nic *nic = netdev_priv(netdev); +- return 1 + E100_PHY_REGS + sizeof(nic->mem->dump_buf); ++ ++ /* We know the number of registers, and the size of the dump buffer. ++ * Calculate the total size in bytes. ++ */ ++ return (1 + E100_PHY_REGS) * sizeof(u32) + sizeof(nic->mem->dump_buf); + } + + static void e100_get_regs(struct net_device *netdev, +-- +2.33.0 + diff --git a/queue-5.4/hwmon-mlxreg-fan-return-non-zero-value-when-fan-curr.patch b/queue-5.4/hwmon-mlxreg-fan-return-non-zero-value-when-fan-curr.patch new file mode 100644 index 00000000000..0f82e8d174b --- /dev/null +++ b/queue-5.4/hwmon-mlxreg-fan-return-non-zero-value-when-fan-curr.patch @@ -0,0 +1,128 @@ +From 33566a415758f3162ac396a0cbfed13afe5aff02 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Sep 2021 21:31:51 +0300 +Subject: hwmon: (mlxreg-fan) Return non-zero value when fan current state is + enforced from sysfs + +From: Vadim Pasternak + +[ Upstream commit e6fab7af6ba1bc77c78713a83876f60ca7a4a064 ] + +Fan speed minimum can be enforced from sysfs. For example, setting +current fan speed to 20 is used to enforce fan speed to be at 100% +speed, 19 - to be not below 90% speed, etcetera. This feature provides +ability to limit fan speed according to some system wise +considerations, like absence of some replaceable units or high system +ambient temperature. + +Request for changing fan minimum speed is configuration request and can +be set only through 'sysfs' write procedure. In this situation value of +argument 'state' is above nominal fan speed maximum. + +Return non-zero code in this case to avoid +thermal_cooling_device_stats_update() call, because in this case +statistics update violates thermal statistics table range. +The issues is observed in case kernel is configured with option +CONFIG_THERMAL_STATISTICS. + +Here is the trace from KASAN: +[ 159.506659] BUG: KASAN: slab-out-of-bounds in thermal_cooling_device_stats_update+0x7d/0xb0 +[ 159.516016] Read of size 4 at addr ffff888116163840 by task hw-management.s/7444 +[ 159.545625] Call Trace: +[ 159.548366] dump_stack+0x92/0xc1 +[ 159.552084] ? thermal_cooling_device_stats_update+0x7d/0xb0 +[ 159.635869] thermal_zone_device_update+0x345/0x780 +[ 159.688711] thermal_zone_device_set_mode+0x7d/0xc0 +[ 159.694174] mlxsw_thermal_modules_init+0x48f/0x590 [mlxsw_core] +[ 159.700972] ? mlxsw_thermal_set_cur_state+0x5a0/0x5a0 [mlxsw_core] +[ 159.731827] mlxsw_thermal_init+0x763/0x880 [mlxsw_core] +[ 160.070233] RIP: 0033:0x7fd995909970 +[ 160.074239] Code: 73 01 c3 48 8b 0d 28 d5 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 99 2d 2c 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff .. +[ 160.095242] RSP: 002b:00007fff54f5d938 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 +[ 160.103722] RAX: ffffffffffffffda RBX: 0000000000000013 RCX: 00007fd995909970 +[ 160.111710] RDX: 0000000000000013 RSI: 0000000001906008 RDI: 0000000000000001 +[ 160.119699] RBP: 0000000001906008 R08: 00007fd995bc9760 R09: 00007fd996210700 +[ 160.127687] R10: 0000000000000073 R11: 0000000000000246 R12: 0000000000000013 +[ 160.135673] R13: 0000000000000001 R14: 00007fd995bc8600 R15: 0000000000000013 +[ 160.143671] +[ 160.145338] Allocated by task 2924: +[ 160.149242] kasan_save_stack+0x19/0x40 +[ 160.153541] __kasan_kmalloc+0x7f/0xa0 +[ 160.157743] __kmalloc+0x1a2/0x2b0 +[ 160.161552] thermal_cooling_device_setup_sysfs+0xf9/0x1a0 +[ 160.167687] __thermal_cooling_device_register+0x1b5/0x500 +[ 160.173833] devm_thermal_of_cooling_device_register+0x60/0xa0 +[ 160.180356] mlxreg_fan_probe+0x474/0x5e0 [mlxreg_fan] +[ 160.248140] +[ 160.249807] The buggy address belongs to the object at ffff888116163400 +[ 160.249807] which belongs to the cache kmalloc-1k of size 1024 +[ 160.263814] The buggy address is located 64 bytes to the right of +[ 160.263814] 1024-byte region [ffff888116163400, ffff888116163800) +[ 160.277536] The buggy address belongs to the page: +[ 160.282898] page:0000000012275840 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888116167000 pfn:0x116160 +[ 160.294872] head:0000000012275840 order:3 compound_mapcount:0 compound_pincount:0 +[ 160.303251] flags: 0x200000000010200(slab|head|node=0|zone=2) +[ 160.309694] raw: 0200000000010200 ffffea00046f7208 ffffea0004928208 ffff88810004dbc0 +[ 160.318367] raw: ffff888116167000 00000000000a0006 00000001ffffffff 0000000000000000 +[ 160.327033] page dumped because: kasan: bad access detected +[ 160.333270] +[ 160.334937] Memory state around the buggy address: +[ 160.356469] >ffff888116163800: fc .. + +Fixes: 65afb4c8e7e4 ("hwmon: (mlxreg-fan) Add support for Mellanox FAN driver") +Signed-off-by: Vadim Pasternak +Link: https://lore.kernel.org/r/20210916183151.869427-1-vadimp@nvidia.com +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/mlxreg-fan.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/drivers/hwmon/mlxreg-fan.c b/drivers/hwmon/mlxreg-fan.c +index ed8d59d4eecb..bd8f5a3aaad9 100644 +--- a/drivers/hwmon/mlxreg-fan.c ++++ b/drivers/hwmon/mlxreg-fan.c +@@ -291,8 +291,8 @@ static int mlxreg_fan_set_cur_state(struct thermal_cooling_device *cdev, + { + struct mlxreg_fan *fan = cdev->devdata; + unsigned long cur_state; ++ int i, config = 0; + u32 regval; +- int i; + int err; + + /* +@@ -305,6 +305,12 @@ static int mlxreg_fan_set_cur_state(struct thermal_cooling_device *cdev, + * overwritten. + */ + if (state >= MLXREG_FAN_SPEED_MIN && state <= MLXREG_FAN_SPEED_MAX) { ++ /* ++ * This is configuration change, which is only supported through sysfs. ++ * For configuration non-zero value is to be returned to avoid thermal ++ * statistics update. ++ */ ++ config = 1; + state -= MLXREG_FAN_MAX_STATE; + for (i = 0; i < state; i++) + fan->cooling_levels[i] = state; +@@ -319,7 +325,7 @@ static int mlxreg_fan_set_cur_state(struct thermal_cooling_device *cdev, + + cur_state = MLXREG_FAN_PWM_DUTY2STATE(regval); + if (state < cur_state) +- return 0; ++ return config; + + state = cur_state; + } +@@ -335,7 +341,7 @@ static int mlxreg_fan_set_cur_state(struct thermal_cooling_device *cdev, + dev_err(fan->dev, "Failed to write PWM duty\n"); + return err; + } +- return 0; ++ return config; + } + + static const struct thermal_cooling_device_ops mlxreg_fan_cooling_ops = { +-- +2.33.0 + diff --git a/queue-5.4/hwmon-tmp421-fix-rounding-for-negative-values.patch b/queue-5.4/hwmon-tmp421-fix-rounding-for-negative-values.patch new file mode 100644 index 00000000000..a03473e9c74 --- /dev/null +++ b/queue-5.4/hwmon-tmp421-fix-rounding-for-negative-values.patch @@ -0,0 +1,74 @@ +From a29bf34d9807f467000acda0a0537564e65284a4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Sep 2021 12:30:11 +0300 +Subject: hwmon: (tmp421) fix rounding for negative values + +From: Paul Fertser + +[ Upstream commit 724e8af85854c4d3401313b6dd7d79cf792d8990 ] + +Old code produces -24999 for 0b1110011100000000 input in standard format due to +always rounding up rather than "away from zero". + +Use the common macro for division, unify and simplify the conversion code along +the way. + +Fixes: 9410700b881f ("hwmon: Add driver for Texas Instruments TMP421/422/423 sensor chips") +Signed-off-by: Paul Fertser +Link: https://lore.kernel.org/r/20210924093011.26083-3-fercerpav@gmail.com +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/tmp421.c | 24 ++++++++---------------- + 1 file changed, 8 insertions(+), 16 deletions(-) + +diff --git a/drivers/hwmon/tmp421.c b/drivers/hwmon/tmp421.c +index e245ae272f7d..876ccf77a825 100644 +--- a/drivers/hwmon/tmp421.c ++++ b/drivers/hwmon/tmp421.c +@@ -100,23 +100,17 @@ struct tmp421_data { + s16 temp[4]; + }; + +-static int temp_from_s16(s16 reg) ++static int temp_from_raw(u16 reg, bool extended) + { + /* Mask out status bits */ + int temp = reg & ~0xf; + +- return (temp * 1000 + 128) / 256; +-} +- +-static int temp_from_u16(u16 reg) +-{ +- /* Mask out status bits */ +- int temp = reg & ~0xf; +- +- /* Add offset for extended temperature range. */ +- temp -= 64 * 256; ++ if (extended) ++ temp = temp - 64 * 256; ++ else ++ temp = (s16)temp; + +- return (temp * 1000 + 128) / 256; ++ return DIV_ROUND_CLOSEST(temp * 1000, 256); + } + + static struct tmp421_data *tmp421_update_device(struct device *dev) +@@ -153,10 +147,8 @@ static int tmp421_read(struct device *dev, enum hwmon_sensor_types type, + + switch (attr) { + case hwmon_temp_input: +- if (tmp421->config & TMP421_CONFIG_RANGE) +- *val = temp_from_u16(tmp421->temp[channel]); +- else +- *val = temp_from_s16(tmp421->temp[channel]); ++ *val = temp_from_raw(tmp421->temp[channel], ++ tmp421->config & TMP421_CONFIG_RANGE); + return 0; + case hwmon_temp_fault: + /* +-- +2.33.0 + diff --git a/queue-5.4/hwmon-tmp421-report-pvld-condition-as-fault.patch b/queue-5.4/hwmon-tmp421-report-pvld-condition-as-fault.patch new file mode 100644 index 00000000000..d8f7cf1144e --- /dev/null +++ b/queue-5.4/hwmon-tmp421-report-pvld-condition-as-fault.patch @@ -0,0 +1,54 @@ +From 94f7992d1b18d35776b30c52dbd312033be2d236 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Sep 2021 12:30:10 +0300 +Subject: hwmon: (tmp421) report /PVLD condition as fault + +From: Paul Fertser + +[ Upstream commit 540effa7f283d25bcc13c0940d808002fee340b8 ] + +For both local and remote sensors all the supported ICs can report an +"undervoltage lockout" condition which means the conversion wasn't +properly performed due to insufficient power supply voltage and so the +measurement results can't be trusted. + +Fixes: 9410700b881f ("hwmon: Add driver for Texas Instruments TMP421/422/423 sensor chips") +Signed-off-by: Paul Fertser +Link: https://lore.kernel.org/r/20210924093011.26083-2-fercerpav@gmail.com +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/tmp421.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +diff --git a/drivers/hwmon/tmp421.c b/drivers/hwmon/tmp421.c +index a94e35cff3e5..e245ae272f7d 100644 +--- a/drivers/hwmon/tmp421.c ++++ b/drivers/hwmon/tmp421.c +@@ -160,10 +160,10 @@ static int tmp421_read(struct device *dev, enum hwmon_sensor_types type, + return 0; + case hwmon_temp_fault: + /* +- * The OPEN bit signals a fault. This is bit 0 of the temperature +- * register (low byte). ++ * Any of OPEN or /PVLD bits indicate a hardware mulfunction ++ * and the conversion result may be incorrect + */ +- *val = tmp421->temp[channel] & 0x01; ++ *val = !!(tmp421->temp[channel] & 0x03); + return 0; + default: + return -EOPNOTSUPP; +@@ -176,9 +176,6 @@ static umode_t tmp421_is_visible(const void *data, enum hwmon_sensor_types type, + { + switch (attr) { + case hwmon_temp_fault: +- if (channel == 0) +- return 0; +- return 0444; + case hwmon_temp_input: + return 0444; + default: +-- +2.33.0 + diff --git a/queue-5.4/ipvs-check-that-ip_vs_conn_tab_bits-is-between-8-and.patch b/queue-5.4/ipvs-check-that-ip_vs_conn_tab_bits-is-between-8-and.patch new file mode 100644 index 00000000000..e89bc4cdf34 --- /dev/null +++ b/queue-5.4/ipvs-check-that-ip_vs_conn_tab_bits-is-between-8-and.patch @@ -0,0 +1,46 @@ +From b762b6a7afd89d8dd92c68366ac79e8d6966459c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Sep 2021 18:08:39 +0200 +Subject: ipvs: check that ip_vs_conn_tab_bits is between 8 and 20 + +From: Andrea Claudi + +[ Upstream commit 69e73dbfda14fbfe748d3812da1244cce2928dcb ] + +ip_vs_conn_tab_bits may be provided by the user through the +conn_tab_bits module parameter. If this value is greater than 31, or +less than 0, the shift operator used to derive tab_size causes undefined +behaviour. + +Fix this checking ip_vs_conn_tab_bits value to be in the range specified +in ipvs Kconfig. If not, simply use default value. + +Fixes: 6f7edb4881bf ("IPVS: Allow boot time change of hash size") +Reported-by: Yi Chen +Signed-off-by: Andrea Claudi +Acked-by: Julian Anastasov +Acked-by: Simon Horman +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/ipvs/ip_vs_conn.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/netfilter/ipvs/ip_vs_conn.c b/net/netfilter/ipvs/ip_vs_conn.c +index 02f2f636798d..d1524ca4b90e 100644 +--- a/net/netfilter/ipvs/ip_vs_conn.c ++++ b/net/netfilter/ipvs/ip_vs_conn.c +@@ -1394,6 +1394,10 @@ int __init ip_vs_conn_init(void) + int idx; + + /* Compute size and mask */ ++ if (ip_vs_conn_tab_bits < 8 || ip_vs_conn_tab_bits > 20) { ++ pr_info("conn_tab_bits not in [8, 20]. Using default value\n"); ++ ip_vs_conn_tab_bits = CONFIG_IP_VS_TAB_BITS; ++ } + ip_vs_conn_tab_size = 1 << ip_vs_conn_tab_bits; + ip_vs_conn_tab_mask = ip_vs_conn_tab_size - 1; + +-- +2.33.0 + diff --git a/queue-5.4/mac80211-fix-ieee80211_amsdu_aggregate-frag_tail-bug.patch b/queue-5.4/mac80211-fix-ieee80211_amsdu_aggregate-frag_tail-bug.patch new file mode 100644 index 00000000000..e114f7ca8fb --- /dev/null +++ b/queue-5.4/mac80211-fix-ieee80211_amsdu_aggregate-frag_tail-bug.patch @@ -0,0 +1,52 @@ +From a462105883b55aef75b234ade9c82d8cba0abce5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Aug 2021 15:32:40 +0800 +Subject: mac80211: Fix ieee80211_amsdu_aggregate frag_tail bug + +From: Chih-Kang Chang + +[ Upstream commit fe94bac626d9c1c5bc98ab32707be8a9d7f8adba ] + +In ieee80211_amsdu_aggregate() set a pointer frag_tail point to the +end of skb_shinfo(head)->frag_list, and use it to bind other skb in +the end of this function. But when execute ieee80211_amsdu_aggregate() +->ieee80211_amsdu_realloc_pad()->pskb_expand_head(), the address of +skb_shinfo(head)->frag_list will be changed. However, the +ieee80211_amsdu_aggregate() not update frag_tail after call +pskb_expand_head(). That will cause the second skb can't bind to the +head skb appropriately.So we update the address of frag_tail to fix it. + +Fixes: 6e0456b54545 ("mac80211: add A-MSDU tx support") +Signed-off-by: Chih-Kang Chang +Signed-off-by: Zong-Zhe Yang +Signed-off-by: Ping-Ke Shih +Link: https://lore.kernel.org/r/20210830073240.12736-1-pkshih@realtek.com +[reword comment] +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/tx.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c +index 4dfac7a25e5a..eb87ed0146d1 100644 +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -3325,6 +3325,14 @@ static bool ieee80211_amsdu_aggregate(struct ieee80211_sub_if_data *sdata, + if (!ieee80211_amsdu_prepare_head(sdata, fast_tx, head)) + goto out; + ++ /* If n == 2, the "while (*frag_tail)" loop above didn't execute ++ * and frag_tail should be &skb_shinfo(head)->frag_list. ++ * However, ieee80211_amsdu_prepare_head() can reallocate it. ++ * Reload frag_tail to have it pointing to the correct place. ++ */ ++ if (n == 2) ++ frag_tail = &skb_shinfo(head)->frag_list; ++ + /* + * Pad out the previous subframe to a multiple of 4 by adding the + * padding to the next one, that's being added. Note that head->len +-- +2.33.0 + diff --git a/queue-5.4/mac80211-hwsim-fix-late-beacon-hrtimer-handling.patch b/queue-5.4/mac80211-hwsim-fix-late-beacon-hrtimer-handling.patch new file mode 100644 index 00000000000..c685afabd81 --- /dev/null +++ b/queue-5.4/mac80211-hwsim-fix-late-beacon-hrtimer-handling.patch @@ -0,0 +1,66 @@ +From ee565d10cbbaaea87a44300be8155eb82cfd2e7a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Sep 2021 11:29:37 +0200 +Subject: mac80211-hwsim: fix late beacon hrtimer handling + +From: Johannes Berg + +[ Upstream commit 313bbd1990b6ddfdaa7da098d0c56b098a833572 ] + +Thomas explained in https://lore.kernel.org/r/87mtoeb4hb.ffs@tglx +that our handling of the hrtimer here is wrong: If the timer fires +late (e.g. due to vCPU scheduling, as reported by Dmitry/syzbot) +then it tries to actually rearm the timer at the next deadline, +which might be in the past already: + + 1 2 3 N N+1 + | | | ... | | + + ^ intended to fire here (1) + ^ next deadline here (2) + ^ actually fired here + +The next time it fires, it's later, but will still try to schedule +for the next deadline (now 3), etc. until it catches up with N, +but that might take a long time, causing stalls etc. + +Now, all of this is simulation, so we just have to fix it, but +note that the behaviour is wrong even per spec, since there's no +value then in sending all those beacons unaligned - they should be +aligned to the TBTT (1, 2, 3, ... in the picture), and if we're a +bit (or a lot) late, then just resume at that point. + +Therefore, change the code to use hrtimer_forward_now() which will +ensure that the next firing of the timer would be at N+1 (in the +picture), i.e. the next interval point after the current time. + +Suggested-by: Thomas Gleixner +Reported-by: Dmitry Vyukov +Reported-by: syzbot+0e964fad69a9c462bc1e@syzkaller.appspotmail.com +Fixes: 01e59e467ecf ("mac80211_hwsim: hrtimer beacon") +Reviewed-by: Thomas Gleixner +Link: https://lore.kernel.org/r/20210915112936.544f383472eb.I3f9712009027aa09244b65399bf18bf482a8c4f1@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mac80211_hwsim.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c +index 1033513d3d9d..07b070b14d75 100644 +--- a/drivers/net/wireless/mac80211_hwsim.c ++++ b/drivers/net/wireless/mac80211_hwsim.c +@@ -1603,8 +1603,8 @@ mac80211_hwsim_beacon(struct hrtimer *timer) + bcn_int -= data->bcn_delta; + data->bcn_delta = 0; + } +- hrtimer_forward(&data->beacon_timer, hrtimer_get_expires(timer), +- ns_to_ktime(bcn_int * NSEC_PER_USEC)); ++ hrtimer_forward_now(&data->beacon_timer, ++ ns_to_ktime(bcn_int * NSEC_PER_USEC)); + return HRTIMER_RESTART; + } + +-- +2.33.0 + diff --git a/queue-5.4/mac80211-limit-injected-vht-mcs-nss-in-ieee80211_par.patch b/queue-5.4/mac80211-limit-injected-vht-mcs-nss-in-ieee80211_par.patch new file mode 100644 index 00000000000..66e3c9b3eae --- /dev/null +++ b/queue-5.4/mac80211-limit-injected-vht-mcs-nss-in-ieee80211_par.patch @@ -0,0 +1,84 @@ +From 6c24dfdb0a877b169a1aa91fe91169d1edddea43 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Sep 2021 14:45:22 +0200 +Subject: mac80211: limit injected vht mcs/nss in ieee80211_parse_tx_radiotap + +From: Lorenzo Bianconi + +[ Upstream commit 13cb6d826e0ac0d144b0d48191ff1a111d32f0c6 ] + +Limit max values for vht mcs and nss in ieee80211_parse_tx_radiotap +routine in order to fix the following warning reported by syzbot: + +WARNING: CPU: 0 PID: 10717 at include/net/mac80211.h:989 ieee80211_rate_set_vht include/net/mac80211.h:989 [inline] +WARNING: CPU: 0 PID: 10717 at include/net/mac80211.h:989 ieee80211_parse_tx_radiotap+0x101e/0x12d0 net/mac80211/tx.c:2244 +Modules linked in: +CPU: 0 PID: 10717 Comm: syz-executor.5 Not tainted 5.14.0-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +RIP: 0010:ieee80211_rate_set_vht include/net/mac80211.h:989 [inline] +RIP: 0010:ieee80211_parse_tx_radiotap+0x101e/0x12d0 net/mac80211/tx.c:2244 +RSP: 0018:ffffc9000186f3e8 EFLAGS: 00010216 +RAX: 0000000000000618 RBX: ffff88804ef76500 RCX: ffffc900143a5000 +RDX: 0000000000040000 RSI: ffffffff888f478e RDI: 0000000000000003 +RBP: 00000000ffffffff R08: 0000000000000000 R09: 0000000000000100 +R10: ffffffff888f46f9 R11: 0000000000000000 R12: 00000000fffffff8 +R13: ffff88804ef7653c R14: 0000000000000001 R15: 0000000000000004 +FS: 00007fbf5718f700(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000001b2de23000 CR3: 000000006a671000 CR4: 00000000001506f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600 +Call Trace: + ieee80211_monitor_select_queue+0xa6/0x250 net/mac80211/iface.c:740 + netdev_core_pick_tx+0x169/0x2e0 net/core/dev.c:4089 + __dev_queue_xmit+0x6f9/0x3710 net/core/dev.c:4165 + __bpf_tx_skb net/core/filter.c:2114 [inline] + __bpf_redirect_no_mac net/core/filter.c:2139 [inline] + __bpf_redirect+0x5ba/0xd20 net/core/filter.c:2162 + ____bpf_clone_redirect net/core/filter.c:2429 [inline] + bpf_clone_redirect+0x2ae/0x420 net/core/filter.c:2401 + bpf_prog_eeb6f53a69e5c6a2+0x59/0x234 + bpf_dispatcher_nop_func include/linux/bpf.h:717 [inline] + __bpf_prog_run include/linux/filter.h:624 [inline] + bpf_prog_run include/linux/filter.h:631 [inline] + bpf_test_run+0x381/0xa30 net/bpf/test_run.c:119 + bpf_prog_test_run_skb+0xb84/0x1ee0 net/bpf/test_run.c:663 + bpf_prog_test_run kernel/bpf/syscall.c:3307 [inline] + __sys_bpf+0x2137/0x5df0 kernel/bpf/syscall.c:4605 + __do_sys_bpf kernel/bpf/syscall.c:4691 [inline] + __se_sys_bpf kernel/bpf/syscall.c:4689 [inline] + __x64_sys_bpf+0x75/0xb0 kernel/bpf/syscall.c:4689 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae +RIP: 0033:0x4665f9 + +Reported-by: syzbot+0196ac871673f0c20f68@syzkaller.appspotmail.com +Fixes: 646e76bb5daf4 ("mac80211: parse VHT info in injected frames") +Signed-off-by: Lorenzo Bianconi +Link: https://lore.kernel.org/r/c26c3f02dcb38ab63b2f2534cb463d95ee81bb13.1632141760.git.lorenzo@kernel.org +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/tx.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c +index eb87ed0146d1..d82d22b6a2a9 100644 +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -2156,7 +2156,11 @@ static bool ieee80211_parse_tx_radiotap(struct ieee80211_local *local, + } + + vht_mcs = iterator.this_arg[4] >> 4; ++ if (vht_mcs > 11) ++ vht_mcs = 0; + vht_nss = iterator.this_arg[4] & 0xF; ++ if (!vht_nss || vht_nss > 8) ++ vht_nss = 1; + break; + + /* +-- +2.33.0 + diff --git a/queue-5.4/mac80211-mesh-fix-potentially-unaligned-access.patch b/queue-5.4/mac80211-mesh-fix-potentially-unaligned-access.patch new file mode 100644 index 00000000000..565dee946ef --- /dev/null +++ b/queue-5.4/mac80211-mesh-fix-potentially-unaligned-access.patch @@ -0,0 +1,45 @@ +From f3bb889be252b0616f7f3db82e07214ccb1646b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Sep 2021 15:40:05 +0200 +Subject: mac80211: mesh: fix potentially unaligned access + +From: Johannes Berg + +[ Upstream commit b9731062ce8afd35cf723bf3a8ad55d208f915a5 ] + +The pointer here points directly into the frame, so the +access is potentially unaligned. Use get_unaligned_le16 +to avoid that. + +Fixes: 3f52b7e328c5 ("mac80211: mesh power save basics") +Link: https://lore.kernel.org/r/20210920154009.3110ff75be0c.Ib6a2ff9e9cc9bc6fca50fce631ec1ce725cc926b@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/mesh_ps.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/mac80211/mesh_ps.c b/net/mac80211/mesh_ps.c +index 031e905f684a..bf83f512f748 100644 +--- a/net/mac80211/mesh_ps.c ++++ b/net/mac80211/mesh_ps.c +@@ -2,6 +2,7 @@ + /* + * Copyright 2012-2013, Marco Porsch + * Copyright 2012-2013, cozybit Inc. ++ * Copyright (C) 2021 Intel Corporation + */ + + #include "mesh.h" +@@ -584,7 +585,7 @@ void ieee80211_mps_frame_release(struct sta_info *sta, + + /* only transmit to PS STA with announced, non-zero awake window */ + if (test_sta_flag(sta, WLAN_STA_PS_STA) && +- (!elems->awake_window || !le16_to_cpu(*elems->awake_window))) ++ (!elems->awake_window || !get_unaligned_le16(elems->awake_window))) + return; + + if (!test_sta_flag(sta, WLAN_STA_MPSP_OWNER)) +-- +2.33.0 + diff --git a/queue-5.4/net-hns3-do-not-allow-call-hns3_nic_net_open-repeate.patch b/queue-5.4/net-hns3-do-not-allow-call-hns3_nic_net_open-repeate.patch new file mode 100644 index 00000000000..a28467bb9cd --- /dev/null +++ b/queue-5.4/net-hns3-do-not-allow-call-hns3_nic_net_open-repeate.patch @@ -0,0 +1,84 @@ +From f9846584e2b325464bb36889c76f7ec140568183 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Sep 2021 17:35:49 +0800 +Subject: net: hns3: do not allow call hns3_nic_net_open repeatedly + +From: Jian Shen + +[ Upstream commit 5b09e88e1bf7fe86540fab4b5f3eece8abead39e ] + +hns3_nic_net_open() is not allowed to called repeatly, but there +is no checking for this. When doing device reset and setup tc +concurrently, there is a small oppotunity to call hns3_nic_net_open +repeatedly, and cause kernel bug by calling napi_enable twice. + +The calltrace information is like below: +[ 3078.222780] ------------[ cut here ]------------ +[ 3078.230255] kernel BUG at net/core/dev.c:6991! +[ 3078.236224] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP +[ 3078.243431] Modules linked in: hns3 hclgevf hclge hnae3 vfio_iommu_type1 vfio_pci vfio_virqfd vfio pv680_mii(O) +[ 3078.258880] CPU: 0 PID: 295 Comm: kworker/u8:5 Tainted: G O 5.14.0-rc4+ #1 +[ 3078.269102] Hardware name: , BIOS KpxxxFPGA 1P B600 V181 08/12/2021 +[ 3078.276801] Workqueue: hclge hclge_service_task [hclge] +[ 3078.288774] pstate: 60400009 (nZCv daif +PAN -UAO -TCO BTYPE=--) +[ 3078.296168] pc : napi_enable+0x80/0x84 +tc qdisc sho[w 3d0e7v8 .e3t0h218 79] lr : hns3_nic_net_open+0x138/0x510 [hns3] + +[ 3078.314771] sp : ffff8000108abb20 +[ 3078.319099] x29: ffff8000108abb20 x28: 0000000000000000 x27: ffff0820a8490300 +[ 3078.329121] x26: 0000000000000001 x25: ffff08209cfc6200 x24: 0000000000000000 +[ 3078.339044] x23: ffff0820a8490300 x22: ffff08209cd76000 x21: ffff0820abfe3880 +[ 3078.349018] x20: 0000000000000000 x19: ffff08209cd76900 x18: 0000000000000000 +[ 3078.358620] x17: 0000000000000000 x16: ffffc816e1727a50 x15: 0000ffff8f4ff930 +[ 3078.368895] x14: 0000000000000000 x13: 0000000000000000 x12: 0000259e9dbeb6b4 +[ 3078.377987] x11: 0096a8f7e764eb40 x10: 634615ad28d3eab5 x9 : ffffc816ad8885b8 +[ 3078.387091] x8 : ffff08209cfc6fb8 x7 : ffff0820ac0da058 x6 : ffff0820a8490344 +[ 3078.396356] x5 : 0000000000000140 x4 : 0000000000000003 x3 : ffff08209cd76938 +[ 3078.405365] x2 : 0000000000000000 x1 : 0000000000000010 x0 : ffff0820abfe38a0 +[ 3078.414657] Call trace: +[ 3078.418517] napi_enable+0x80/0x84 +[ 3078.424626] hns3_reset_notify_up_enet+0x78/0xd0 [hns3] +[ 3078.433469] hns3_reset_notify+0x64/0x80 [hns3] +[ 3078.441430] hclge_notify_client+0x68/0xb0 [hclge] +[ 3078.450511] hclge_reset_rebuild+0x524/0x884 [hclge] +[ 3078.458879] hclge_reset_service_task+0x3c4/0x680 [hclge] +[ 3078.467470] hclge_service_task+0xb0/0xb54 [hclge] +[ 3078.475675] process_one_work+0x1dc/0x48c +[ 3078.481888] worker_thread+0x15c/0x464 +[ 3078.487104] kthread+0x160/0x170 +[ 3078.492479] ret_from_fork+0x10/0x18 +[ 3078.498785] Code: c8027c81 35ffffa2 d50323bf d65f03c0 (d4210000) +[ 3078.506889] ---[ end trace 8ebe0340a1b0fb44 ]--- + +Once hns3_nic_net_open() is excute success, the flag +HNS3_NIC_STATE_DOWN will be cleared. So add checking for this +flag, directly return when HNS3_NIC_STATE_DOWN is no set. + +Fixes: e888402789b9 ("net: hns3: call hns3_nic_net_open() while doing HNAE3_UP_CLIENT") +Signed-off-by: Jian Shen +Signed-off-by: Guangbin Huang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c +index db9c8f943811..ffd1018d43fb 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c +@@ -452,6 +452,11 @@ static int hns3_nic_net_open(struct net_device *netdev) + if (hns3_nic_resetting(netdev)) + return -EBUSY; + ++ if (!test_bit(HNS3_NIC_STATE_DOWN, &priv->state)) { ++ netdev_warn(netdev, "net open repeatedly!\n"); ++ return 0; ++ } ++ + netif_carrier_off(netdev); + + ret = hns3_nic_set_real_num_queue(netdev); +-- +2.33.0 + diff --git a/queue-5.4/net-ipv4-fix-rtnexthop-len-when-rta_flow-is-present.patch b/queue-5.4/net-ipv4-fix-rtnexthop-len-when-rta_flow-is-present.patch new file mode 100644 index 00000000000..06e309b5dd9 --- /dev/null +++ b/queue-5.4/net-ipv4-fix-rtnexthop-len-when-rta_flow-is-present.patch @@ -0,0 +1,116 @@ +From 77d92b58ffc8f5b00709304eed03695ba46445b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Sep 2021 23:03:19 +0800 +Subject: net: ipv4: Fix rtnexthop len when RTA_FLOW is present + +From: Xiao Liang + +[ Upstream commit 597aa16c782496bf74c5dc3b45ff472ade6cee64 ] + +Multipath RTA_FLOW is embedded in nexthop. Dump it in fib_add_nexthop() +to get the length of rtnexthop correct. + +Fixes: b0f60193632e ("ipv4: Refactor nexthop attributes in fib_dump_info") +Signed-off-by: Xiao Liang +Reviewed-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/net/ip_fib.h | 2 +- + include/net/nexthop.h | 2 +- + net/ipv4/fib_semantics.c | 16 +++++++++------- + net/ipv6/route.c | 5 +++-- + 4 files changed, 14 insertions(+), 11 deletions(-) + +diff --git a/include/net/ip_fib.h b/include/net/ip_fib.h +index ffbae7683450..cb6c12562899 100644 +--- a/include/net/ip_fib.h ++++ b/include/net/ip_fib.h +@@ -524,5 +524,5 @@ int ip_valid_fib_dump_req(struct net *net, const struct nlmsghdr *nlh, + int fib_nexthop_info(struct sk_buff *skb, const struct fib_nh_common *nh, + u8 rt_family, unsigned char *flags, bool skip_oif); + int fib_add_nexthop(struct sk_buff *skb, const struct fib_nh_common *nh, +- int nh_weight, u8 rt_family); ++ int nh_weight, u8 rt_family, u32 nh_tclassid); + #endif /* _NET_FIB_H */ +diff --git a/include/net/nexthop.h b/include/net/nexthop.h +index 18a5aca26476..5ad614793af2 100644 +--- a/include/net/nexthop.h ++++ b/include/net/nexthop.h +@@ -173,7 +173,7 @@ int nexthop_mpath_fill_node(struct sk_buff *skb, struct nexthop *nh, + struct fib_nh_common *nhc = &nhi->fib_nhc; + int weight = nhg->nh_entries[i].weight; + +- if (fib_add_nexthop(skb, nhc, weight, rt_family) < 0) ++ if (fib_add_nexthop(skb, nhc, weight, rt_family, 0) < 0) + return -EMSGSIZE; + } + +diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c +index b1b3220917ca..dce85a9c20c6 100644 +--- a/net/ipv4/fib_semantics.c ++++ b/net/ipv4/fib_semantics.c +@@ -1654,7 +1654,7 @@ EXPORT_SYMBOL_GPL(fib_nexthop_info); + + #if IS_ENABLED(CONFIG_IP_ROUTE_MULTIPATH) || IS_ENABLED(CONFIG_IPV6) + int fib_add_nexthop(struct sk_buff *skb, const struct fib_nh_common *nhc, +- int nh_weight, u8 rt_family) ++ int nh_weight, u8 rt_family, u32 nh_tclassid) + { + const struct net_device *dev = nhc->nhc_dev; + struct rtnexthop *rtnh; +@@ -1672,6 +1672,9 @@ int fib_add_nexthop(struct sk_buff *skb, const struct fib_nh_common *nhc, + + rtnh->rtnh_flags = flags; + ++ if (nh_tclassid && nla_put_u32(skb, RTA_FLOW, nh_tclassid)) ++ goto nla_put_failure; ++ + /* length of rtnetlink header + attributes */ + rtnh->rtnh_len = nlmsg_get_pos(skb) - (void *)rtnh; + +@@ -1699,14 +1702,13 @@ static int fib_add_multipath(struct sk_buff *skb, struct fib_info *fi) + } + + for_nexthops(fi) { +- if (fib_add_nexthop(skb, &nh->nh_common, nh->fib_nh_weight, +- AF_INET) < 0) +- goto nla_put_failure; ++ u32 nh_tclassid = 0; + #ifdef CONFIG_IP_ROUTE_CLASSID +- if (nh->nh_tclassid && +- nla_put_u32(skb, RTA_FLOW, nh->nh_tclassid)) +- goto nla_put_failure; ++ nh_tclassid = nh->nh_tclassid; + #endif ++ if (fib_add_nexthop(skb, &nh->nh_common, nh->fib_nh_weight, ++ AF_INET, nh_tclassid) < 0) ++ goto nla_put_failure; + } endfor_nexthops(fi); + + mp_end: +diff --git a/net/ipv6/route.c b/net/ipv6/route.c +index 575bd0f1b008..3fb259c20546 100644 +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -5523,14 +5523,15 @@ static int rt6_fill_node(struct net *net, struct sk_buff *skb, + goto nla_put_failure; + + if (fib_add_nexthop(skb, &rt->fib6_nh->nh_common, +- rt->fib6_nh->fib_nh_weight, AF_INET6) < 0) ++ rt->fib6_nh->fib_nh_weight, AF_INET6, ++ 0) < 0) + goto nla_put_failure; + + list_for_each_entry_safe(sibling, next_sibling, + &rt->fib6_siblings, fib6_siblings) { + if (fib_add_nexthop(skb, &sibling->fib6_nh->nh_common, + sibling->fib6_nh->fib_nh_weight, +- AF_INET6) < 0) ++ AF_INET6, 0) < 0) + goto nla_put_failure; + } + +-- +2.33.0 + diff --git a/queue-5.4/net-phy-bcm7xxx-fixed-indirect-mmd-operations.patch b/queue-5.4/net-phy-bcm7xxx-fixed-indirect-mmd-operations.patch new file mode 100644 index 00000000000..aa371e9aa7e --- /dev/null +++ b/queue-5.4/net-phy-bcm7xxx-fixed-indirect-mmd-operations.patch @@ -0,0 +1,193 @@ +From fc9865bf6884d7117a2dd3f1779fcb692317e9ed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Sep 2021 13:32:33 -0700 +Subject: net: phy: bcm7xxx: Fixed indirect MMD operations + +From: Florian Fainelli + +[ Upstream commit d88fd1b546ff19c8040cfaea76bf16aed1c5a0bb ] + +When EEE support was added to the 28nm EPHY it was assumed that it would +be able to support the standard clause 45 over clause 22 register access +method. It turns out that the PHY does not support that, which is the +very reason for using the indirect shadow mode 2 bank 3 access method. + +Implement {read,write}_mmd to allow the standard PHY library routines +pertaining to EEE querying and configuration to work correctly on these +PHYs. This forces us to implement a __phy_set_clr_bits() function that +does not grab the MDIO bus lock since the PHY driver's {read,write}_mmd +functions are always called with that lock held. + +Fixes: 83ee102a6998 ("net: phy: bcm7xxx: add support for 28nm EPHY") +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/phy/bcm7xxx.c | 114 ++++++++++++++++++++++++++++++++++++-- + 1 file changed, 110 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/phy/bcm7xxx.c b/drivers/net/phy/bcm7xxx.c +index e68dd2e9443c..8686794148b8 100644 +--- a/drivers/net/phy/bcm7xxx.c ++++ b/drivers/net/phy/bcm7xxx.c +@@ -27,7 +27,12 @@ + #define MII_BCM7XXX_SHD_2_ADDR_CTRL 0xe + #define MII_BCM7XXX_SHD_2_CTRL_STAT 0xf + #define MII_BCM7XXX_SHD_2_BIAS_TRIM 0x1a ++#define MII_BCM7XXX_SHD_3_PCS_CTRL 0x0 ++#define MII_BCM7XXX_SHD_3_PCS_STATUS 0x1 ++#define MII_BCM7XXX_SHD_3_EEE_CAP 0x2 + #define MII_BCM7XXX_SHD_3_AN_EEE_ADV 0x3 ++#define MII_BCM7XXX_SHD_3_EEE_LP 0x4 ++#define MII_BCM7XXX_SHD_3_EEE_WK_ERR 0x5 + #define MII_BCM7XXX_SHD_3_PCS_CTRL_2 0x6 + #define MII_BCM7XXX_PCS_CTRL_2_DEF 0x4400 + #define MII_BCM7XXX_SHD_3_AN_STAT 0xb +@@ -212,25 +217,37 @@ static int bcm7xxx_28nm_resume(struct phy_device *phydev) + return genphy_config_aneg(phydev); + } + +-static int phy_set_clr_bits(struct phy_device *dev, int location, +- int set_mask, int clr_mask) ++static int __phy_set_clr_bits(struct phy_device *dev, int location, ++ int set_mask, int clr_mask) + { + int v, ret; + +- v = phy_read(dev, location); ++ v = __phy_read(dev, location); + if (v < 0) + return v; + + v &= ~clr_mask; + v |= set_mask; + +- ret = phy_write(dev, location, v); ++ ret = __phy_write(dev, location, v); + if (ret < 0) + return ret; + + return v; + } + ++static int phy_set_clr_bits(struct phy_device *dev, int location, ++ int set_mask, int clr_mask) ++{ ++ int ret; ++ ++ mutex_lock(&dev->mdio.bus->mdio_lock); ++ ret = __phy_set_clr_bits(dev, location, set_mask, clr_mask); ++ mutex_unlock(&dev->mdio.bus->mdio_lock); ++ ++ return ret; ++} ++ + static int bcm7xxx_28nm_ephy_01_afe_config_init(struct phy_device *phydev) + { + int ret; +@@ -394,6 +411,93 @@ static int bcm7xxx_28nm_ephy_config_init(struct phy_device *phydev) + return bcm7xxx_28nm_ephy_apd_enable(phydev); + } + ++#define MII_BCM7XXX_REG_INVALID 0xff ++ ++static u8 bcm7xxx_28nm_ephy_regnum_to_shd(u16 regnum) ++{ ++ switch (regnum) { ++ case MDIO_CTRL1: ++ return MII_BCM7XXX_SHD_3_PCS_CTRL; ++ case MDIO_STAT1: ++ return MII_BCM7XXX_SHD_3_PCS_STATUS; ++ case MDIO_PCS_EEE_ABLE: ++ return MII_BCM7XXX_SHD_3_EEE_CAP; ++ case MDIO_AN_EEE_ADV: ++ return MII_BCM7XXX_SHD_3_AN_EEE_ADV; ++ case MDIO_AN_EEE_LPABLE: ++ return MII_BCM7XXX_SHD_3_EEE_LP; ++ case MDIO_PCS_EEE_WK_ERR: ++ return MII_BCM7XXX_SHD_3_EEE_WK_ERR; ++ default: ++ return MII_BCM7XXX_REG_INVALID; ++ } ++} ++ ++static bool bcm7xxx_28nm_ephy_dev_valid(int devnum) ++{ ++ return devnum == MDIO_MMD_AN || devnum == MDIO_MMD_PCS; ++} ++ ++static int bcm7xxx_28nm_ephy_read_mmd(struct phy_device *phydev, ++ int devnum, u16 regnum) ++{ ++ u8 shd = bcm7xxx_28nm_ephy_regnum_to_shd(regnum); ++ int ret; ++ ++ if (!bcm7xxx_28nm_ephy_dev_valid(devnum) || ++ shd == MII_BCM7XXX_REG_INVALID) ++ return -EOPNOTSUPP; ++ ++ /* set shadow mode 2 */ ++ ret = __phy_set_clr_bits(phydev, MII_BCM7XXX_TEST, ++ MII_BCM7XXX_SHD_MODE_2, 0); ++ if (ret < 0) ++ return ret; ++ ++ /* Access the desired shadow register address */ ++ ret = __phy_write(phydev, MII_BCM7XXX_SHD_2_ADDR_CTRL, shd); ++ if (ret < 0) ++ goto reset_shadow_mode; ++ ++ ret = __phy_read(phydev, MII_BCM7XXX_SHD_2_CTRL_STAT); ++ ++reset_shadow_mode: ++ /* reset shadow mode 2 */ ++ __phy_set_clr_bits(phydev, MII_BCM7XXX_TEST, 0, ++ MII_BCM7XXX_SHD_MODE_2); ++ return ret; ++} ++ ++static int bcm7xxx_28nm_ephy_write_mmd(struct phy_device *phydev, ++ int devnum, u16 regnum, u16 val) ++{ ++ u8 shd = bcm7xxx_28nm_ephy_regnum_to_shd(regnum); ++ int ret; ++ ++ if (!bcm7xxx_28nm_ephy_dev_valid(devnum) || ++ shd == MII_BCM7XXX_REG_INVALID) ++ return -EOPNOTSUPP; ++ ++ /* set shadow mode 2 */ ++ ret = __phy_set_clr_bits(phydev, MII_BCM7XXX_TEST, ++ MII_BCM7XXX_SHD_MODE_2, 0); ++ if (ret < 0) ++ return ret; ++ ++ /* Access the desired shadow register address */ ++ ret = __phy_write(phydev, MII_BCM7XXX_SHD_2_ADDR_CTRL, shd); ++ if (ret < 0) ++ goto reset_shadow_mode; ++ ++ /* Write the desired value in the shadow register */ ++ __phy_write(phydev, MII_BCM7XXX_SHD_2_CTRL_STAT, val); ++ ++reset_shadow_mode: ++ /* reset shadow mode 2 */ ++ return __phy_set_clr_bits(phydev, MII_BCM7XXX_TEST, 0, ++ MII_BCM7XXX_SHD_MODE_2); ++} ++ + static int bcm7xxx_28nm_ephy_resume(struct phy_device *phydev) + { + int ret; +@@ -591,6 +695,8 @@ static void bcm7xxx_28nm_remove(struct phy_device *phydev) + .get_stats = bcm7xxx_28nm_get_phy_stats, \ + .probe = bcm7xxx_28nm_probe, \ + .remove = bcm7xxx_28nm_remove, \ ++ .read_mmd = bcm7xxx_28nm_ephy_read_mmd, \ ++ .write_mmd = bcm7xxx_28nm_ephy_write_mmd, \ + } + + #define BCM7XXX_40NM_EPHY(_oui, _name) \ +-- +2.33.0 + diff --git a/queue-5.4/net-phy-bcm7xxx-request-and-manage-gphy-clock.patch b/queue-5.4/net-phy-bcm7xxx-request-and-manage-gphy-clock.patch new file mode 100644 index 00000000000..269c96b9729 --- /dev/null +++ b/queue-5.4/net-phy-bcm7xxx-request-and-manage-gphy-clock.patch @@ -0,0 +1,104 @@ +From 8c11b3a7983a41bab64b9b8918173974bd2457fd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Sep 2020 19:04:13 -0700 +Subject: net: phy: bcm7xxx: request and manage GPHY clock + +From: Florian Fainelli + +[ Upstream commit ba4ee3c053659119472135231dbef8f6880ce1fb ] + +The internal Gigabit PHY on Broadcom STB chips has a digital clock which +drives its MDIO interface among other things, the driver now requests +and manage that clock during .probe() and .remove() accordingly. + +Because the PHY driver can be probed with the clocks turned off we need +to apply the dummy BMSR workaround during the driver probe function to +ensure subsequent MDIO read or write towards the PHY will succeed. + +Signed-off-by: Florian Fainelli +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/phy/bcm7xxx.c | 30 +++++++++++++++++++++++++++++- + 1 file changed, 29 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/phy/bcm7xxx.c b/drivers/net/phy/bcm7xxx.c +index af8eabe7a6d4..e68dd2e9443c 100644 +--- a/drivers/net/phy/bcm7xxx.c ++++ b/drivers/net/phy/bcm7xxx.c +@@ -11,6 +11,7 @@ + #include "bcm-phy-lib.h" + #include + #include ++#include + #include + + /* Broadcom BCM7xxx internal PHY registers */ +@@ -39,6 +40,7 @@ + + struct bcm7xxx_phy_priv { + u64 *stats; ++ struct clk *clk; + }; + + static int bcm7xxx_28nm_d0_afe_config_init(struct phy_device *phydev) +@@ -517,6 +519,7 @@ static void bcm7xxx_28nm_get_phy_stats(struct phy_device *phydev, + static int bcm7xxx_28nm_probe(struct phy_device *phydev) + { + struct bcm7xxx_phy_priv *priv; ++ int ret = 0; + + priv = devm_kzalloc(&phydev->mdio.dev, sizeof(*priv), GFP_KERNEL); + if (!priv) +@@ -530,7 +533,30 @@ static int bcm7xxx_28nm_probe(struct phy_device *phydev) + if (!priv->stats) + return -ENOMEM; + +- return 0; ++ priv->clk = devm_clk_get_optional(&phydev->mdio.dev, NULL); ++ if (IS_ERR(priv->clk)) ++ return PTR_ERR(priv->clk); ++ ++ ret = clk_prepare_enable(priv->clk); ++ if (ret) ++ return ret; ++ ++ /* Dummy read to a register to workaround an issue upon reset where the ++ * internal inverter may not allow the first MDIO transaction to pass ++ * the MDIO management controller and make us return 0xffff for such ++ * reads. This is needed to ensure that any subsequent reads to the ++ * PHY will succeed. ++ */ ++ phy_read(phydev, MII_BMSR); ++ ++ return ret; ++} ++ ++static void bcm7xxx_28nm_remove(struct phy_device *phydev) ++{ ++ struct bcm7xxx_phy_priv *priv = phydev->priv; ++ ++ clk_disable_unprepare(priv->clk); + } + + #define BCM7XXX_28NM_GPHY(_oui, _name) \ +@@ -548,6 +574,7 @@ static int bcm7xxx_28nm_probe(struct phy_device *phydev) + .get_strings = bcm_phy_get_strings, \ + .get_stats = bcm7xxx_28nm_get_phy_stats, \ + .probe = bcm7xxx_28nm_probe, \ ++ .remove = bcm7xxx_28nm_remove, \ + } + + #define BCM7XXX_28NM_EPHY(_oui, _name) \ +@@ -563,6 +590,7 @@ static int bcm7xxx_28nm_probe(struct phy_device *phydev) + .get_strings = bcm_phy_get_strings, \ + .get_stats = bcm7xxx_28nm_get_phy_stats, \ + .probe = bcm7xxx_28nm_probe, \ ++ .remove = bcm7xxx_28nm_remove, \ + } + + #define BCM7XXX_40NM_EPHY(_oui, _name) \ +-- +2.33.0 + diff --git a/queue-5.4/net-sched-flower-protect-fl_walk-with-rcu.patch b/queue-5.4/net-sched-flower-protect-fl_walk-with-rcu.patch new file mode 100644 index 00000000000..3592377981e --- /dev/null +++ b/queue-5.4/net-sched-flower-protect-fl_walk-with-rcu.patch @@ -0,0 +1,212 @@ +From 5d72450690912f17cfcf81714cfc580e0130841f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Sep 2021 18:08:49 +0300 +Subject: net: sched: flower: protect fl_walk() with rcu + +From: Vlad Buslov + +[ Upstream commit d5ef190693a7d76c5c192d108e8dec48307b46ee ] + +Patch that refactored fl_walk() to use idr_for_each_entry_continue_ul() +also removed rcu protection of individual filters which causes following +use-after-free when filter is deleted concurrently. Fix fl_walk() to obtain +rcu read lock while iterating and taking the filter reference and temporary +release the lock while calling arg->fn() callback that can sleep. + +KASAN trace: + +[ 352.773640] ================================================================== +[ 352.775041] BUG: KASAN: use-after-free in fl_walk+0x159/0x240 [cls_flower] +[ 352.776304] Read of size 4 at addr ffff8881c8251480 by task tc/2987 + +[ 352.777862] CPU: 3 PID: 2987 Comm: tc Not tainted 5.15.0-rc2+ #2 +[ 352.778980] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 +[ 352.781022] Call Trace: +[ 352.781573] dump_stack_lvl+0x46/0x5a +[ 352.782332] print_address_description.constprop.0+0x1f/0x140 +[ 352.783400] ? fl_walk+0x159/0x240 [cls_flower] +[ 352.784292] ? fl_walk+0x159/0x240 [cls_flower] +[ 352.785138] kasan_report.cold+0x83/0xdf +[ 352.785851] ? fl_walk+0x159/0x240 [cls_flower] +[ 352.786587] kasan_check_range+0x145/0x1a0 +[ 352.787337] fl_walk+0x159/0x240 [cls_flower] +[ 352.788163] ? fl_put+0x10/0x10 [cls_flower] +[ 352.789007] ? __mutex_unlock_slowpath.constprop.0+0x220/0x220 +[ 352.790102] tcf_chain_dump+0x231/0x450 +[ 352.790878] ? tcf_chain_tp_delete_empty+0x170/0x170 +[ 352.791833] ? __might_sleep+0x2e/0xc0 +[ 352.792594] ? tfilter_notify+0x170/0x170 +[ 352.793400] ? __mutex_unlock_slowpath.constprop.0+0x220/0x220 +[ 352.794477] tc_dump_tfilter+0x385/0x4b0 +[ 352.795262] ? tc_new_tfilter+0x1180/0x1180 +[ 352.796103] ? __mod_node_page_state+0x1f/0xc0 +[ 352.796974] ? __build_skb_around+0x10e/0x130 +[ 352.797826] netlink_dump+0x2c0/0x560 +[ 352.798563] ? netlink_getsockopt+0x430/0x430 +[ 352.799433] ? __mutex_unlock_slowpath.constprop.0+0x220/0x220 +[ 352.800542] __netlink_dump_start+0x356/0x440 +[ 352.801397] rtnetlink_rcv_msg+0x3ff/0x550 +[ 352.802190] ? tc_new_tfilter+0x1180/0x1180 +[ 352.802872] ? rtnl_calcit.isra.0+0x1f0/0x1f0 +[ 352.803668] ? tc_new_tfilter+0x1180/0x1180 +[ 352.804344] ? _copy_from_iter_nocache+0x800/0x800 +[ 352.805202] ? kasan_set_track+0x1c/0x30 +[ 352.805900] netlink_rcv_skb+0xc6/0x1f0 +[ 352.806587] ? rht_deferred_worker+0x6b0/0x6b0 +[ 352.807455] ? rtnl_calcit.isra.0+0x1f0/0x1f0 +[ 352.808324] ? netlink_ack+0x4d0/0x4d0 +[ 352.809086] ? netlink_deliver_tap+0x62/0x3d0 +[ 352.809951] netlink_unicast+0x353/0x480 +[ 352.810744] ? netlink_attachskb+0x430/0x430 +[ 352.811586] ? __alloc_skb+0xd7/0x200 +[ 352.812349] netlink_sendmsg+0x396/0x680 +[ 352.813132] ? netlink_unicast+0x480/0x480 +[ 352.813952] ? __import_iovec+0x192/0x210 +[ 352.814759] ? netlink_unicast+0x480/0x480 +[ 352.815580] sock_sendmsg+0x6c/0x80 +[ 352.816299] ____sys_sendmsg+0x3a5/0x3c0 +[ 352.817096] ? kernel_sendmsg+0x30/0x30 +[ 352.817873] ? __ia32_sys_recvmmsg+0x150/0x150 +[ 352.818753] ___sys_sendmsg+0xd8/0x140 +[ 352.819518] ? sendmsg_copy_msghdr+0x110/0x110 +[ 352.820402] ? ___sys_recvmsg+0xf4/0x1a0 +[ 352.821110] ? __copy_msghdr_from_user+0x260/0x260 +[ 352.821934] ? _raw_spin_lock+0x81/0xd0 +[ 352.822680] ? __handle_mm_fault+0xef3/0x1b20 +[ 352.823549] ? rb_insert_color+0x2a/0x270 +[ 352.824373] ? copy_page_range+0x16b0/0x16b0 +[ 352.825209] ? perf_event_update_userpage+0x2d0/0x2d0 +[ 352.826190] ? __fget_light+0xd9/0xf0 +[ 352.826941] __sys_sendmsg+0xb3/0x130 +[ 352.827613] ? __sys_sendmsg_sock+0x20/0x20 +[ 352.828377] ? do_user_addr_fault+0x2c5/0x8a0 +[ 352.829184] ? fpregs_assert_state_consistent+0x52/0x60 +[ 352.830001] ? exit_to_user_mode_prepare+0x32/0x160 +[ 352.830845] do_syscall_64+0x35/0x80 +[ 352.831445] entry_SYSCALL_64_after_hwframe+0x44/0xae +[ 352.832331] RIP: 0033:0x7f7bee973c17 +[ 352.833078] Code: 0c 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10 +[ 352.836202] RSP: 002b:00007ffcbb368e28 EFLAGS: 00000246 ORIG_RAX: 000000000000002e +[ 352.837524] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7bee973c17 +[ 352.838715] RDX: 0000000000000000 RSI: 00007ffcbb368e50 RDI: 0000000000000003 +[ 352.839838] RBP: 00007ffcbb36d090 R08: 00000000cea96d79 R09: 00007f7beea34a40 +[ 352.841021] R10: 00000000004059bb R11: 0000000000000246 R12: 000000000046563f +[ 352.842208] R13: 0000000000000000 R14: 0000000000000000 R15: 00007ffcbb36d088 + +[ 352.843784] Allocated by task 2960: +[ 352.844451] kasan_save_stack+0x1b/0x40 +[ 352.845173] __kasan_kmalloc+0x7c/0x90 +[ 352.845873] fl_change+0x282/0x22db [cls_flower] +[ 352.846696] tc_new_tfilter+0x6cf/0x1180 +[ 352.847493] rtnetlink_rcv_msg+0x471/0x550 +[ 352.848323] netlink_rcv_skb+0xc6/0x1f0 +[ 352.849097] netlink_unicast+0x353/0x480 +[ 352.849886] netlink_sendmsg+0x396/0x680 +[ 352.850678] sock_sendmsg+0x6c/0x80 +[ 352.851398] ____sys_sendmsg+0x3a5/0x3c0 +[ 352.852202] ___sys_sendmsg+0xd8/0x140 +[ 352.852967] __sys_sendmsg+0xb3/0x130 +[ 352.853718] do_syscall_64+0x35/0x80 +[ 352.854457] entry_SYSCALL_64_after_hwframe+0x44/0xae + +[ 352.855830] Freed by task 7: +[ 352.856421] kasan_save_stack+0x1b/0x40 +[ 352.857139] kasan_set_track+0x1c/0x30 +[ 352.857854] kasan_set_free_info+0x20/0x30 +[ 352.858609] __kasan_slab_free+0xed/0x130 +[ 352.859348] kfree+0xa7/0x3c0 +[ 352.859951] process_one_work+0x44d/0x780 +[ 352.860685] worker_thread+0x2e2/0x7e0 +[ 352.861390] kthread+0x1f4/0x220 +[ 352.862022] ret_from_fork+0x1f/0x30 + +[ 352.862955] Last potentially related work creation: +[ 352.863758] kasan_save_stack+0x1b/0x40 +[ 352.864378] kasan_record_aux_stack+0xab/0xc0 +[ 352.865028] insert_work+0x30/0x160 +[ 352.865617] __queue_work+0x351/0x670 +[ 352.866261] rcu_work_rcufn+0x30/0x40 +[ 352.866917] rcu_core+0x3b2/0xdb0 +[ 352.867561] __do_softirq+0xf6/0x386 + +[ 352.868708] Second to last potentially related work creation: +[ 352.869779] kasan_save_stack+0x1b/0x40 +[ 352.870560] kasan_record_aux_stack+0xab/0xc0 +[ 352.871426] call_rcu+0x5f/0x5c0 +[ 352.872108] queue_rcu_work+0x44/0x50 +[ 352.872855] __fl_put+0x17c/0x240 [cls_flower] +[ 352.873733] fl_delete+0xc7/0x100 [cls_flower] +[ 352.874607] tc_del_tfilter+0x510/0xb30 +[ 352.886085] rtnetlink_rcv_msg+0x471/0x550 +[ 352.886875] netlink_rcv_skb+0xc6/0x1f0 +[ 352.887636] netlink_unicast+0x353/0x480 +[ 352.888285] netlink_sendmsg+0x396/0x680 +[ 352.888942] sock_sendmsg+0x6c/0x80 +[ 352.889583] ____sys_sendmsg+0x3a5/0x3c0 +[ 352.890311] ___sys_sendmsg+0xd8/0x140 +[ 352.891019] __sys_sendmsg+0xb3/0x130 +[ 352.891716] do_syscall_64+0x35/0x80 +[ 352.892395] entry_SYSCALL_64_after_hwframe+0x44/0xae + +[ 352.893666] The buggy address belongs to the object at ffff8881c8251000 + which belongs to the cache kmalloc-2k of size 2048 +[ 352.895696] The buggy address is located 1152 bytes inside of + 2048-byte region [ffff8881c8251000, ffff8881c8251800) +[ 352.897640] The buggy address belongs to the page: +[ 352.898492] page:00000000213bac35 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1c8250 +[ 352.900110] head:00000000213bac35 order:3 compound_mapcount:0 compound_pincount:0 +[ 352.901541] flags: 0x2ffff800010200(slab|head|node=0|zone=2|lastcpupid=0x1ffff) +[ 352.902908] raw: 002ffff800010200 0000000000000000 dead000000000122 ffff888100042f00 +[ 352.904391] raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000 +[ 352.905861] page dumped because: kasan: bad access detected + +[ 352.907323] Memory state around the buggy address: +[ 352.908218] ffff8881c8251380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 352.909471] ffff8881c8251400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 352.910735] >ffff8881c8251480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 352.912012] ^ +[ 352.912642] ffff8881c8251500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 352.913919] ffff8881c8251580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 352.915185] ================================================================== + +Fixes: d39d714969cd ("idr: introduce idr_for_each_entry_continue_ul()") +Signed-off-by: Vlad Buslov +Acked-by: Cong Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sched/cls_flower.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c +index c5a0f2c2635e..26979b4853bd 100644 +--- a/net/sched/cls_flower.c ++++ b/net/sched/cls_flower.c +@@ -1741,18 +1741,24 @@ static void fl_walk(struct tcf_proto *tp, struct tcf_walker *arg, + + arg->count = arg->skip; + ++ rcu_read_lock(); + idr_for_each_entry_continue_ul(&head->handle_idr, f, tmp, id) { + /* don't return filters that are being deleted */ + if (!refcount_inc_not_zero(&f->refcnt)) + continue; ++ rcu_read_unlock(); ++ + if (arg->fn(tp, f, arg) < 0) { + __fl_put(f); + arg->stop = 1; ++ rcu_read_lock(); + break; + } + __fl_put(f); + arg->count++; ++ rcu_read_lock(); + } ++ rcu_read_unlock(); + arg->cookie = id; + } + +-- +2.33.0 + diff --git a/queue-5.4/perf-x86-intel-update-event-constraints-for-icx.patch b/queue-5.4/perf-x86-intel-update-event-constraints-for-icx.patch new file mode 100644 index 00000000000..45a1765795f --- /dev/null +++ b/queue-5.4/perf-x86-intel-update-event-constraints-for-icx.patch @@ -0,0 +1,37 @@ +From 85f56271bef866cec5c0ec414fcf3c88988ee887 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Sep 2021 08:19:03 -0700 +Subject: perf/x86/intel: Update event constraints for ICX + +From: Kan Liang + +[ Upstream commit ecc2123e09f9e71ddc6c53d71e283b8ada685fe2 ] + +According to the latest event list, the event encoding 0xEF is only +available on the first 4 counters. Add it into the event constraints +table. + +Fixes: 6017608936c1 ("perf/x86/intel: Add Icelake support") +Signed-off-by: Kan Liang +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/1632842343-25862-1-git-send-email-kan.liang@linux.intel.com +Signed-off-by: Sasha Levin +--- + arch/x86/events/intel/core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/x86/events/intel/core.c b/arch/x86/events/intel/core.c +index 9cb3266e148d..70758f99c9e4 100644 +--- a/arch/x86/events/intel/core.c ++++ b/arch/x86/events/intel/core.c +@@ -259,6 +259,7 @@ static struct event_constraint intel_icl_event_constraints[] = { + INTEL_EVENT_CONSTRAINT_RANGE(0xa8, 0xb0, 0xf), + INTEL_EVENT_CONSTRAINT_RANGE(0xb7, 0xbd, 0xf), + INTEL_EVENT_CONSTRAINT_RANGE(0xd0, 0xe6, 0xf), ++ INTEL_EVENT_CONSTRAINT(0xef, 0xf), + INTEL_EVENT_CONSTRAINT_RANGE(0xf0, 0xf4, 0xf), + EVENT_CONSTRAINT_END + }; +-- +2.33.0 + diff --git a/queue-5.4/revert-block-bfq-honor-already-setup-queue-merges.patch b/queue-5.4/revert-block-bfq-honor-already-setup-queue-merges.patch new file mode 100644 index 00000000000..e21a43d5579 --- /dev/null +++ b/queue-5.4/revert-block-bfq-honor-already-setup-queue-merges.patch @@ -0,0 +1,68 @@ +From afc79690dd3b80153a630fc3ed9550564f8e1cb7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Sep 2021 06:33:15 -0600 +Subject: Revert "block, bfq: honor already-setup queue merges" + +From: Jens Axboe + +[ Upstream commit ebc69e897e17373fbe1daaff1debaa77583a5284 ] + +This reverts commit 2d52c58b9c9bdae0ca3df6a1eab5745ab3f7d80b. + +We have had several folks complain that this causes hangs for them, which +is especially problematic as the commit has also hit stable already. + +As no resolution seems to be forthcoming right now, revert the patch. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=214503 +Fixes: 2d52c58b9c9b ("block, bfq: honor already-setup queue merges") +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/bfq-iosched.c | 16 +++------------- + 1 file changed, 3 insertions(+), 13 deletions(-) + +diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c +index 8dee243e639f..73bffd7af15c 100644 +--- a/block/bfq-iosched.c ++++ b/block/bfq-iosched.c +@@ -2523,15 +2523,6 @@ bfq_setup_merge(struct bfq_queue *bfqq, struct bfq_queue *new_bfqq) + * are likely to increase the throughput. + */ + bfqq->new_bfqq = new_bfqq; +- /* +- * The above assignment schedules the following redirections: +- * each time some I/O for bfqq arrives, the process that +- * generated that I/O is disassociated from bfqq and +- * associated with new_bfqq. Here we increases new_bfqq->ref +- * in advance, adding the number of processes that are +- * expected to be associated with new_bfqq as they happen to +- * issue I/O. +- */ + new_bfqq->ref += process_refs; + return new_bfqq; + } +@@ -2591,10 +2582,6 @@ bfq_setup_cooperator(struct bfq_data *bfqd, struct bfq_queue *bfqq, + { + struct bfq_queue *in_service_bfqq, *new_bfqq; + +- /* if a merge has already been setup, then proceed with that first */ +- if (bfqq->new_bfqq) +- return bfqq->new_bfqq; +- + /* + * Do not perform queue merging if the device is non + * rotational and performs internal queueing. In fact, such a +@@ -2649,6 +2636,9 @@ bfq_setup_cooperator(struct bfq_data *bfqd, struct bfq_queue *bfqq, + if (bfq_too_late_for_merging(bfqq)) + return NULL; + ++ if (bfqq->new_bfqq) ++ return bfqq->new_bfqq; ++ + if (!io_struct || unlikely(bfqq == &bfqd->oom_bfqq)) + return NULL; + +-- +2.33.0 + diff --git a/queue-5.4/scsi-csiostor-add-module-softdep-on-cxgb4.patch b/queue-5.4/scsi-csiostor-add-module-softdep-on-cxgb4.patch new file mode 100644 index 00000000000..2f33e53dc7e --- /dev/null +++ b/queue-5.4/scsi-csiostor-add-module-softdep-on-cxgb4.patch @@ -0,0 +1,44 @@ +From 7b6048be83a2aa38c1221ca65fec97b1c5c3a955 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Sep 2021 21:44:08 +0530 +Subject: scsi: csiostor: Add module softdep on cxgb4 + +From: Rahul Lakkireddy + +[ Upstream commit 79a7482249a7353bc86aff8127954d5febf02472 ] + +Both cxgb4 and csiostor drivers run on their own independent Physical +Function. But when cxgb4 and csiostor are both being loaded in parallel via +modprobe, there is a race when firmware upgrade is attempted by both the +drivers. + +When the cxgb4 driver initiates the firmware upgrade, it halts the firmware +and the chip until upgrade is complete. When the csiostor driver is coming +up in parallel, the firmware mailbox communication fails with timeouts and +the csiostor driver probe fails. + +Add a module soft dependency on cxgb4 driver to ensure loading csiostor +triggers cxgb4 to load first when available to avoid the firmware upgrade +race. + +Link: https://lore.kernel.org/r/1632759248-15382-1-git-send-email-rahul.lakkireddy@chelsio.com +Fixes: a3667aaed569 ("[SCSI] csiostor: Chelsio FCoE offload driver") +Signed-off-by: Rahul Lakkireddy +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/csiostor/csio_init.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/scsi/csiostor/csio_init.c b/drivers/scsi/csiostor/csio_init.c +index a6dd704d7f2d..1b8ccadc7cf6 100644 +--- a/drivers/scsi/csiostor/csio_init.c ++++ b/drivers/scsi/csiostor/csio_init.c +@@ -1257,3 +1257,4 @@ MODULE_DEVICE_TABLE(pci, csio_pci_tbl); + MODULE_VERSION(CSIO_DRV_VERSION); + MODULE_FIRMWARE(FW_FNAME_T5); + MODULE_FIRMWARE(FW_FNAME_T6); ++MODULE_SOFTDEP("pre: cxgb4"); +-- +2.33.0 + diff --git a/queue-5.4/sctp-break-out-if-skb_header_pointer-returns-null-in.patch b/queue-5.4/sctp-break-out-if-skb_header_pointer-returns-null-in.patch new file mode 100644 index 00000000000..faad0b33bcd --- /dev/null +++ b/queue-5.4/sctp-break-out-if-skb_header_pointer-returns-null-in.patch @@ -0,0 +1,55 @@ +From 2d7a6b31194e680ca79780bba60c513005db18e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Sep 2021 00:05:04 -0400 +Subject: sctp: break out if skb_header_pointer returns NULL in sctp_rcv_ootb + +From: Xin Long + +[ Upstream commit f7e745f8e94492a8ac0b0a26e25f2b19d342918f ] + +We should always check if skb_header_pointer's return is NULL before +using it, otherwise it may cause null-ptr-deref, as syzbot reported: + + KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] + RIP: 0010:sctp_rcv_ootb net/sctp/input.c:705 [inline] + RIP: 0010:sctp_rcv+0x1d84/0x3220 net/sctp/input.c:196 + Call Trace: + + sctp6_rcv+0x38/0x60 net/sctp/ipv6.c:1109 + ip6_protocol_deliver_rcu+0x2e9/0x1ca0 net/ipv6/ip6_input.c:422 + ip6_input_finish+0x62/0x170 net/ipv6/ip6_input.c:463 + NF_HOOK include/linux/netfilter.h:307 [inline] + NF_HOOK include/linux/netfilter.h:301 [inline] + ip6_input+0x9c/0xd0 net/ipv6/ip6_input.c:472 + dst_input include/net/dst.h:460 [inline] + ip6_rcv_finish net/ipv6/ip6_input.c:76 [inline] + NF_HOOK include/linux/netfilter.h:307 [inline] + NF_HOOK include/linux/netfilter.h:301 [inline] + ipv6_rcv+0x28c/0x3c0 net/ipv6/ip6_input.c:297 + +Fixes: 3acb50c18d8d ("sctp: delay as much as possible skb_linearize") +Reported-by: syzbot+581aff2ae6b860625116@syzkaller.appspotmail.com +Signed-off-by: Xin Long +Acked-by: Marcelo Ricardo Leitner +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sctp/input.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/sctp/input.c b/net/sctp/input.c +index 2aca37717ed1..9616b600a876 100644 +--- a/net/sctp/input.c ++++ b/net/sctp/input.c +@@ -676,7 +676,7 @@ static int sctp_rcv_ootb(struct sk_buff *skb) + ch = skb_header_pointer(skb, offset, sizeof(*ch), &_ch); + + /* Break out if chunk length is less then minimal. */ +- if (ntohs(ch->length) < sizeof(_ch)) ++ if (!ch || ntohs(ch->length) < sizeof(_ch)) + break; + + ch_end = offset + SCTP_PAD4(ntohs(ch->length)); +-- +2.33.0 + diff --git a/queue-5.4/selftests-bpf-test_lwt_ip_encap-really-disable-rp_fi.patch b/queue-5.4/selftests-bpf-test_lwt_ip_encap-really-disable-rp_fi.patch new file mode 100644 index 00000000000..838be58f1ef --- /dev/null +++ b/queue-5.4/selftests-bpf-test_lwt_ip_encap-really-disable-rp_fi.patch @@ -0,0 +1,57 @@ +From a0a639e49a65e64a07717608fab5d0e6059a02dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Sep 2021 10:40:22 +0200 +Subject: selftests, bpf: test_lwt_ip_encap: Really disable rp_filter + +From: Jiri Benc + +[ Upstream commit 79e2c306667542b8ee2d9a9d947eadc7039f0a3c ] + +It's not enough to set net.ipv4.conf.all.rp_filter=0, that does not override +a greater rp_filter value on the individual interfaces. We also need to set +net.ipv4.conf.default.rp_filter=0 before creating the interfaces. That way, +they'll also get their own rp_filter value of zero. + +Fixes: 0fde56e4385b0 ("selftests: bpf: add test_lwt_ip_encap selftest") +Signed-off-by: Jiri Benc +Signed-off-by: Daniel Borkmann +Link: https://lore.kernel.org/bpf/b1cdd9d469f09ea6e01e9c89a6071c79b7380f89.1632386362.git.jbenc@redhat.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/test_lwt_ip_encap.sh | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/tools/testing/selftests/bpf/test_lwt_ip_encap.sh b/tools/testing/selftests/bpf/test_lwt_ip_encap.sh +index 59ea56945e6c..b497bb85b667 100755 +--- a/tools/testing/selftests/bpf/test_lwt_ip_encap.sh ++++ b/tools/testing/selftests/bpf/test_lwt_ip_encap.sh +@@ -112,6 +112,14 @@ setup() + ip netns add "${NS2}" + ip netns add "${NS3}" + ++ # rp_filter gets confused by what these tests are doing, so disable it ++ ip netns exec ${NS1} sysctl -wq net.ipv4.conf.all.rp_filter=0 ++ ip netns exec ${NS2} sysctl -wq net.ipv4.conf.all.rp_filter=0 ++ ip netns exec ${NS3} sysctl -wq net.ipv4.conf.all.rp_filter=0 ++ ip netns exec ${NS1} sysctl -wq net.ipv4.conf.default.rp_filter=0 ++ ip netns exec ${NS2} sysctl -wq net.ipv4.conf.default.rp_filter=0 ++ ip netns exec ${NS3} sysctl -wq net.ipv4.conf.default.rp_filter=0 ++ + ip link add veth1 type veth peer name veth2 + ip link add veth3 type veth peer name veth4 + ip link add veth5 type veth peer name veth6 +@@ -236,11 +244,6 @@ setup() + ip -netns ${NS1} -6 route add ${IPv6_GRE}/128 dev veth5 via ${IPv6_6} ${VRF} + ip -netns ${NS2} -6 route add ${IPv6_GRE}/128 dev veth7 via ${IPv6_8} ${VRF} + +- # rp_filter gets confused by what these tests are doing, so disable it +- ip netns exec ${NS1} sysctl -wq net.ipv4.conf.all.rp_filter=0 +- ip netns exec ${NS2} sysctl -wq net.ipv4.conf.all.rp_filter=0 +- ip netns exec ${NS3} sysctl -wq net.ipv4.conf.all.rp_filter=0 +- + TMPFILE=$(mktemp /tmp/test_lwt_ip_encap.XXXXXX) + + sleep 1 # reduce flakiness +-- +2.33.0 + diff --git a/queue-5.4/series b/queue-5.4/series index 18dad1e4f27..f41f3d9a341 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -10,3 +10,24 @@ scsi-ufs-fix-illegal-offset-in-upiu-event-trace.patch mac80211-fix-use-after-free-in-ccmp-gcmp-rx.patch x86-kvmclock-move-this_cpu_pvti-into-kvmclock.h.patch drm-amd-display-pass-pci-deviceid-into-dc.patch +ipvs-check-that-ip_vs_conn_tab_bits-is-between-8-and.patch +hwmon-mlxreg-fan-return-non-zero-value-when-fan-curr.patch +mac80211-fix-ieee80211_amsdu_aggregate-frag_tail-bug.patch +mac80211-limit-injected-vht-mcs-nss-in-ieee80211_par.patch +mac80211-mesh-fix-potentially-unaligned-access.patch +mac80211-hwsim-fix-late-beacon-hrtimer-handling.patch +sctp-break-out-if-skb_header_pointer-returns-null-in.patch +hwmon-tmp421-report-pvld-condition-as-fault.patch +hwmon-tmp421-fix-rounding-for-negative-values.patch +net-ipv4-fix-rtnexthop-len-when-rta_flow-is-present.patch +e100-fix-length-calculation-in-e100_get_regs_len.patch +e100-fix-buffer-overrun-in-e100_get_regs.patch +selftests-bpf-test_lwt_ip_encap-really-disable-rp_fi.patch +revert-block-bfq-honor-already-setup-queue-merges.patch +scsi-csiostor-add-module-softdep-on-cxgb4.patch +net-hns3-do-not-allow-call-hns3_nic_net_open-repeate.patch +net-phy-bcm7xxx-request-and-manage-gphy-clock.patch +net-phy-bcm7xxx-fixed-indirect-mmd-operations.patch +net-sched-flower-protect-fl_walk-with-rcu.patch +af_unix-fix-races-in-sk_peer_pid-and-sk_peer_cred-ac.patch +perf-x86-intel-update-event-constraints-for-icx.patch