5.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 4 Jul 2022 12:04:38 +0000 (14:04 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 4 Jul 2022 12:04:38 +0000 (14:04 +0200)
added patches:
linux-dim-fix-divide-by-0-in-rdma-dim.patch
net-tun-stop-napi-when-detaching-queues.patch
net-tun-unlink-napi-from-device-on-destruction.patch
rdma-qedr-fix-reporting-qp-timeout-attribute.patch
selftests-net-pass-ipv6_args-to-udpgso_bench-s-ipv6-tcp-test.patch
usbnet-fix-memory-allocation-in-helpers.patch
virtio-net-fix-race-between-ndo_open-and-virtio_device_ready.patch

queue-5.4/linux-dim-fix-divide-by-0-in-rdma-dim.patch [new file with mode: 0644]
queue-5.4/net-tun-stop-napi-when-detaching-queues.patch [new file with mode: 0644]
queue-5.4/net-tun-unlink-napi-from-device-on-destruction.patch [new file with mode: 0644]
queue-5.4/rdma-qedr-fix-reporting-qp-timeout-attribute.patch [new file with mode: 0644]
queue-5.4/selftests-net-pass-ipv6_args-to-udpgso_bench-s-ipv6-tcp-test.patch [new file with mode: 0644]
queue-5.4/series
queue-5.4/usbnet-fix-memory-allocation-in-helpers.patch [new file with mode: 0644]
queue-5.4/virtio-net-fix-race-between-ndo_open-and-virtio_device_ready.patch [new file with mode: 0644]

diff --git a/queue-5.4/linux-dim-fix-divide-by-0-in-rdma-dim.patch b/queue-5.4/linux-dim-fix-divide-by-0-in-rdma-dim.patch
new file mode 100644 (file)
index 0000000..7e46871
--- /dev/null
@@ -0,0 +1,69 @@
+From 0fe3dbbefb74a8575f61d7801b08dbc50523d60d Mon Sep 17 00:00:00 2001
+From: Tao Liu <thomas.liu@ucloud.cn>
+Date: Mon, 27 Jun 2022 22:00:04 +0800
+Subject: linux/dim: Fix divide by 0 in RDMA DIM
+
+From: Tao Liu <thomas.liu@ucloud.cn>
+
+commit 0fe3dbbefb74a8575f61d7801b08dbc50523d60d upstream.
+
+Fix a divide 0 error in rdma_dim_stats_compare() when prev->cpe_ratio ==
+0.
+
+CallTrace:
+  Hardware name: H3C R4900 G3/RS33M2C9S, BIOS 2.00.37P21 03/12/2020
+  task: ffff880194b78000 task.stack: ffffc90006714000
+  RIP: 0010:backport_rdma_dim+0x10e/0x240 [mlx_compat]
+  RSP: 0018:ffff880c10e83ec0 EFLAGS: 00010202
+  RAX: 0000000000002710 RBX: ffff88096cd7f780 RCX: 0000000000000064
+  RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000001
+  RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
+  R10: 0000000000000000 R11: 0000000000000000 R12: 000000001d7c6c09
+  R13: ffff88096cd7f780 R14: ffff880b174fe800 R15: 0000000000000000
+  FS:  0000000000000000(0000) GS:ffff880c10e80000(0000)
+  knlGS:0000000000000000
+  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+  CR2: 00000000a0965b00 CR3: 000000000200a003 CR4: 00000000007606e0
+  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+  PKRU: 55555554
+  Call Trace:
+   <IRQ>
+   ib_poll_handler+0x43/0x80 [ib_core]
+   irq_poll_softirq+0xae/0x110
+   __do_softirq+0xd1/0x28c
+   irq_exit+0xde/0xf0
+   do_IRQ+0x54/0xe0
+   common_interrupt+0x8f/0x8f
+   </IRQ>
+   ? cpuidle_enter_state+0xd9/0x2a0
+   ? cpuidle_enter_state+0xc7/0x2a0
+   ? do_idle+0x170/0x1d0
+   ? cpu_startup_entry+0x6f/0x80
+   ? start_secondary+0x1b9/0x210
+   ? secondary_startup_64+0xa5/0xb0
+  Code: 0f 87 e1 00 00 00 8b 4c 24 14 44 8b 43 14 89 c8 4d 63 c8 44 29 c0 99 31 d0 29 d0 31 d2 48 98 48 8d 04 80 48 8d 04 80 48 c1 e0 02 <49> f7 f1 48 83 f8 0a 0f 86 c1 00 00 00 44 39 c1 7f 10 48 89 df
+  RIP: backport_rdma_dim+0x10e/0x240 [mlx_compat] RSP: ffff880c10e83ec0
+
+Fixes: f4915455dcf0 ("linux/dim: Implement RDMA adaptive moderation (DIM)")
+Link: https://lore.kernel.org/r/20220627140004.3099-1-thomas.liu@ucloud.cn
+Signed-off-by: Tao Liu <thomas.liu@ucloud.cn>
+Reviewed-by: Max Gurtovoy <mgurtovoy@nvidia.com>
+Acked-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/dim.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/dim.h
++++ b/include/linux/dim.h
+@@ -17,7 +17,7 @@
+  * We consider 10% difference as significant.
+  */
+ #define IS_SIGNIFICANT_DIFF(val, ref) \
+-      (((100UL * abs((val) - (ref))) / (ref)) > 10)
++      ((ref) && (((100UL * abs((val) - (ref))) / (ref)) > 10))
+ /**
+  * Calculate the gap between two values.
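Review bot: With the added `(ref) &&` guard in IS_SIGNIFICANT_DIFF, a zero reference now silently evaluates to "not significant", so a move from 0 to any non-zero value is never reported as a change, and the comment above the macro does not say so. I would extend that comment with `* A zero reference never counts as significant; this also avoids the division by zero.` so that callers such as rdma_dim_stats_compare() (named in the commit message) know they must handle a zero previous sample themselves if it matters to them. The macro also expands `ref` three times, so arguments with side effects must not be passed; that deserves one more line in the same comment. The comment block above the macro starts outside the hunk.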
diff --git a/queue-5.4/net-tun-stop-napi-when-detaching-queues.patch b/queue-5.4/net-tun-stop-napi-when-detaching-queues.patch
new file mode 100644 (file)
index 0000000..d5af175
--- /dev/null
@@ -0,0 +1,58 @@
+From a8fc8cb5692aebb9c6f7afd4265366d25dcd1d01 Mon Sep 17 00:00:00 2001
+From: Jakub Kicinski <kuba@kernel.org>
+Date: Wed, 22 Jun 2022 21:21:05 -0700
+Subject: net: tun: stop NAPI when detaching queues
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+commit a8fc8cb5692aebb9c6f7afd4265366d25dcd1d01 upstream.
+
+While looking at a syzbot report I noticed the NAPI only gets
+disabled before it's deleted. I think that user can detach
+the queue before destroying the device and the NAPI will never
+be stopped.
+
+Fixes: 943170998b20 ("tun: enable NAPI for TUN/TAP driver")
+Acked-by: Petar Penkov <ppenkov@aviatrix.com>
+Link: https://lore.kernel.org/r/20220623042105.2274812-1-kuba@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/tun.c |   11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -327,6 +327,12 @@ static void tun_napi_init(struct tun_str
+       }
+ }
++static void tun_napi_enable(struct tun_file *tfile)
++{
++      if (tfile->napi_enabled)
++              napi_enable(&tfile->napi);
++}
++
+ static void tun_napi_disable(struct tun_file *tfile)
+ {
+       if (tfile->napi_enabled)
+@@ -709,8 +715,10 @@ static void __tun_detach(struct tun_file
+               if (clean) {
+                       RCU_INIT_POINTER(tfile->tun, NULL);
+                       sock_put(&tfile->sk);
+-              } else
++              } else {
+                       tun_disable_queue(tun, tfile);
++                      tun_napi_disable(tfile);
++              }
+               synchronize_net();
+               tun_flow_delete_by_queue(tun, tun->numqueues + 1);
+@@ -864,6 +872,7 @@ static int tun_attach(struct tun_struct
+       if (tfile->detached) {
+               tun_enable_queue(tfile);
++              tun_napi_enable(tfile);
+       } else {
+               sock_hold(&tfile->sk);
+               tun_napi_init(tun, tfile, napi, napi_frags);
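Review bot: The new `tun_napi_disable(tfile)` in the `else` branch of __tun_detach stops the NAPI of a queue that stays on the device, but the hunk does not show whether the close path (`clean` set) still disables the NAPI unconditionally for that same tfile later. If it does, a detach followed by a close disables the NAPI twice, and the second napi_disable() would wait on an instance that is already stopped. A guard such as `if (!tfile->detached) tun_napi_disable(tfile);` at that earlier call would keep disable and enable paired; please confirm against the full function, since __tun_detach and tun_attach both start and end outside the hunks. A one-line comment on tun_napi_enable(), e.g. `/* Undo tun_napi_disable() for a queue re-attached via tun_attach(). */`, would also record the pairing.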
diff --git a/queue-5.4/net-tun-unlink-napi-from-device-on-destruction.patch b/queue-5.4/net-tun-unlink-napi-from-device-on-destruction.patch
new file mode 100644 (file)
index 0000000..d119a28
--- /dev/null
@@ -0,0 +1,34 @@
+From 3b9bc84d311104906d2b4995a9a02d7b7ddab2db Mon Sep 17 00:00:00 2001
+From: Jakub Kicinski <kuba@kernel.org>
+Date: Wed, 22 Jun 2022 21:20:39 -0700
+Subject: net: tun: unlink NAPI from device on destruction
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+commit 3b9bc84d311104906d2b4995a9a02d7b7ddab2db upstream.
+
+Syzbot found a race between tun file and device destruction.
+NAPIs live in struct tun_file which can get destroyed before
+the netdev so we have to del them explicitly. The current
+code is missing deleting the NAPI if the queue was detached
+first.
+
+Fixes: 943170998b20 ("tun: enable NAPI for TUN/TAP driver")
+Reported-by: syzbot+b75c138e9286ac742647@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/r/20220623042039.2274708-1-kuba@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/tun.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -783,6 +783,7 @@ static void tun_detach_all(struct net_de
+               sock_put(&tfile->sk);
+       }
+       list_for_each_entry_safe(tfile, tmp, &tun->disabled, next) {
++              tun_napi_del(tfile);
+               tun_enable_queue(tfile);
+               tun_queue_purge(tfile);
+               xdp_rxq_info_unreg(&tfile->xdp_rxq);
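Review bot: The added `tun_napi_del(tfile)` in the `tun->disabled` loop of tun_detach_all has no comment saying why a detached queue still needs its NAPI unlinked, and the reason given in the commit message (the NAPI lives in struct tun_file, which can be destroyed before the netdev) is easy to lose in a later cleanup. I would add `/* NAPI lives in tfile; unlink it from the netdev before the tfile can go away */` above the call. Whether the NAPI of a detached queue has already been stopped by the time it is deleted here is not visible in this hunk; the series file applies this patch before net-tun-stop-napi-when-detaching-queues.patch, so the two should be read together. The function body continues outside the hunk.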
diff --git a/queue-5.4/rdma-qedr-fix-reporting-qp-timeout-attribute.patch b/queue-5.4/rdma-qedr-fix-reporting-qp-timeout-attribute.patch
new file mode 100644 (file)
index 0000000..d0a4b22
--- /dev/null
@@ -0,0 +1,58 @@
+From 118f767413ada4eef7825fbd4af7c0866f883441 Mon Sep 17 00:00:00 2001
+From: Kamal Heib <kamalheib1@gmail.com>
+Date: Wed, 25 May 2022 16:20:29 +0300
+Subject: RDMA/qedr: Fix reporting QP timeout attribute
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kamal Heib <kamalheib1@gmail.com>
+
+commit 118f767413ada4eef7825fbd4af7c0866f883441 upstream.
+
+Make sure to save the passed QP timeout attribute when the QP gets modified,
+so when calling query QP the right value is reported and not the
+converted value that is required by the firmware. This issue was found
+while running the pyverbs tests.
+
+Fixes: cecbcddf6461 ("qedr: Add support for QP verbs")
+Link: https://lore.kernel.org/r/20220525132029.84813-1-kamalheib1@gmail.com
+Signed-off-by: Kamal Heib <kamalheib1@gmail.com>
+Acked-by: Michal KalderonĀ <michal.kalderon@marvell.com>
+Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/qedr/qedr.h  |    1 +
+ drivers/infiniband/hw/qedr/verbs.c |    4 +++-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/qedr/qedr.h
++++ b/drivers/infiniband/hw/qedr/qedr.h
+@@ -416,6 +416,7 @@ struct qedr_qp {
+       u32 sq_psn;
+       u32 qkey;
+       u32 dest_qp_num;
++      u8 timeout;
+       /* Relevant to qps created from kernel space only (ULPs) */
+       u8 prev_wqe_size;
+--- a/drivers/infiniband/hw/qedr/verbs.c
++++ b/drivers/infiniband/hw/qedr/verbs.c
+@@ -2259,6 +2259,8 @@ int qedr_modify_qp(struct ib_qp *ibqp, s
+                                       1 << max_t(int, attr->timeout - 8, 0);
+               else
+                       qp_params.ack_timeout = 0;
++
++              qp->timeout = attr->timeout;
+       }
+       if (attr_mask & IB_QP_RETRY_CNT) {
+@@ -2418,7 +2420,7 @@ int qedr_query_qp(struct ib_qp *ibqp,
+       rdma_ah_set_dgid_raw(&qp_attr->ah_attr, &params.dgid.bytes[0]);
+       rdma_ah_set_port_num(&qp_attr->ah_attr, 1);
+       rdma_ah_set_sl(&qp_attr->ah_attr, 0);
+-      qp_attr->timeout = params.timeout;
++      qp_attr->timeout = qp->timeout;
+       qp_attr->rnr_retry = params.rnr_retry;
+       qp_attr->retry_cnt = params.retry_cnt;
+       qp_attr->min_rnr_timer = params.min_rnr_nak_timer;
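Review bot: In qedr_modify_qp the new `qp->timeout = attr->timeout;` records the requested value while the parameters are still being assembled, so if the modify fails further down (not visible in this hunk), qedr_query_qp would report a timeout that was never applied. Moving the assignment to after the modify has succeeded, or noting in a comment that the cached value is the last requested one, would make the contract explicit. The value is also stored as received, and the context line above shifts by `attr->timeout - 8`; if no earlier check bounds attr->timeout, a large value makes that shift exceed the width of int, so a range check before both uses is worth confirming. The new `u8 timeout` field in struct qedr_qp could carry a short comment such as `/* timeout as passed to modify QP, reported back by query QP */`. Both functions start and end outside the hunks.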
diff --git a/queue-5.4/selftests-net-pass-ipv6_args-to-udpgso_bench-s-ipv6-tcp-test.patch b/queue-5.4/selftests-net-pass-ipv6_args-to-udpgso_bench-s-ipv6-tcp-test.patch
new file mode 100644 (file)
index 0000000..98ee114
--- /dev/null
@@ -0,0 +1,34 @@
+From b968080808f7f28b89aa495b7402ba48eb17ee93 Mon Sep 17 00:00:00 2001
+From: Dimitris Michailidis <d.michailidis@fungible.com>
+Date: Wed, 22 Jun 2022 17:02:34 -0700
+Subject: selftests/net: pass ipv6_args to udpgso_bench's IPv6 TCP test
+
+From: Dimitris Michailidis <d.michailidis@fungible.com>
+
+commit b968080808f7f28b89aa495b7402ba48eb17ee93 upstream.
+
+udpgso_bench.sh has been running its IPv6 TCP test with IPv4 arguments
+since its initial conmit. Looks like a typo.
+
+Fixes: 3a687bef148d ("selftests: udp gso benchmark")
+Cc: willemb@google.com
+Signed-off-by: Dimitris Michailidis <dmichail@fungible.com>
+Acked-by: Willem de Bruijn <willemb@google.com>
+Link: https://lore.kernel.org/r/20220623000234.61774-1-dmichail@fungible.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/udpgso_bench.sh |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/testing/selftests/net/udpgso_bench.sh
++++ b/tools/testing/selftests/net/udpgso_bench.sh
+@@ -120,7 +120,7 @@ run_all() {
+       run_udp "${ipv4_args}"
+       echo "ipv6"
+-      run_tcp "${ipv4_args}"
++      run_tcp "${ipv6_args}"
+       run_udp "${ipv6_args}"
+ }
index c142b770a1fa2da38dfd11f5eef275a020fb3080..ca1c8a96153f44521d76f25e6f5c91219bff9baf 100644 (file)
@@ -8,3 +8,10 @@ s390-archrandom-simplify-back-to-earlier-design-and-initialize-earlier.patch
 sunrpc-fix-read_plus-crasher.patch
 net-rose-fix-uaf-bugs-caused-by-timer-handler.patch
 net-usb-ax88179_178a-fix-packet-receiving.patch
+virtio-net-fix-race-between-ndo_open-and-virtio_device_ready.patch
+selftests-net-pass-ipv6_args-to-udpgso_bench-s-ipv6-tcp-test.patch
+net-tun-unlink-napi-from-device-on-destruction.patch
+net-tun-stop-napi-when-detaching-queues.patch
+rdma-qedr-fix-reporting-qp-timeout-attribute.patch
+linux-dim-fix-divide-by-0-in-rdma-dim.patch
+usbnet-fix-memory-allocation-in-helpers.patch
diff --git a/queue-5.4/usbnet-fix-memory-allocation-in-helpers.patch b/queue-5.4/usbnet-fix-memory-allocation-in-helpers.patch
new file mode 100644 (file)
index 0000000..c41b7b8
--- /dev/null
@@ -0,0 +1,45 @@
+From e65af5403e462ccd7dff6a045a886c64da598c2e Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Tue, 28 Jun 2022 11:35:17 +0200
+Subject: usbnet: fix memory allocation in helpers
+
+From: Oliver Neukum <oneukum@suse.com>
+
+commit e65af5403e462ccd7dff6a045a886c64da598c2e upstream.
+
+usbnet provides some helper functions that are also used in
+the context of reset() operations. During a reset the other
+drivers on a device are unable to operate. As that can be block
+drivers, a driver for another interface cannot use paging
+in its memory allocations without risking a deadlock.
+Use GFP_NOIO in the helpers.
+
+Fixes: 877bd862f32b8 ("usbnet: introduce usbnet 3 command helpers")
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Link: https://lore.kernel.org/r/20220628093517.7469-1-oneukum@suse.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/usbnet.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -1987,7 +1987,7 @@ static int __usbnet_read_cmd(struct usbn
+                  cmd, reqtype, value, index, size);
+       if (size) {
+-              buf = kmalloc(size, GFP_KERNEL);
++              buf = kmalloc(size, GFP_NOIO);
+               if (!buf)
+                       goto out;
+       }
+@@ -2019,7 +2019,7 @@ static int __usbnet_write_cmd(struct usb
+                  cmd, reqtype, value, index, size);
+       if (data) {
+-              buf = kmemdup(data, size, GFP_KERNEL);
++              buf = kmemdup(data, size, GFP_NOIO);
+               if (!buf)
+                       goto out;
+       } else {
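Review bot: The switch to `GFP_NOIO` in __usbnet_read_cmd and __usbnet_write_cmd is explained only in the commit message, so a later cleanup could easily turn it back into GFP_KERNEL and reintroduce the deadlock risk during reset(). I would put a comment above each allocation, for example `/* may run during reset(): allocation must not trigger block I/O */`. The same reasoning would apply to any other allocation reachable from these helpers; the hunks show only these two, so the rest of the call path is worth a check. Both functions start and end outside the hunks.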
diff --git a/queue-5.4/virtio-net-fix-race-between-ndo_open-and-virtio_device_ready.patch b/queue-5.4/virtio-net-fix-race-between-ndo_open-and-virtio_device_ready.patch
new file mode 100644 (file)
index 0000000..e6d6d74
--- /dev/null
@@ -0,0 +1,52 @@
+From 50c0ada627f56c92f5953a8bf9158b045ad026a1 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Fri, 17 Jun 2022 15:29:49 +0800
+Subject: virtio-net: fix race between ndo_open() and virtio_device_ready()
+
+From: Jason Wang <jasowang@redhat.com>
+
+commit 50c0ada627f56c92f5953a8bf9158b045ad026a1 upstream.
+
+We currently call virtio_device_ready() after netdev
+registration. Since ndo_open() can be called immediately
+after register_netdev, this means there exists a race between
+ndo_open() and virtio_device_ready(): the driver may start to use the
+device before DRIVER_OK which violates the spec.
+
+Fix this by switching to use register_netdevice() and protect the
+virtio_device_ready() with rtnl_lock() to make sure ndo_open() can
+only be called after virtio_device_ready().
+
+Fixes: 4baf1e33d0842 ("virtio_net: enable VQs early")
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Message-Id: <20220617072949.30734-1-jasowang@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/virtio_net.c |    8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -3219,14 +3219,20 @@ static int virtnet_probe(struct virtio_d
+               }
+       }
+-      err = register_netdev(dev);
++      /* serialize netdev register + virtio_device_ready() with ndo_open() */
++      rtnl_lock();
++
++      err = register_netdevice(dev);
+       if (err) {
+               pr_debug("virtio_net: registering device failed\n");
++              rtnl_unlock();
+               goto free_failover;
+       }
+       virtio_device_ready(vdev);
++      rtnl_unlock();
++
+       err = virtnet_cpu_notif_add(vi);
+       if (err) {
+               pr_debug("virtio_net: registering cpu notifier failed\n");
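Review bot: The open-coded `rtnl_lock()` in virtnet_probe is not interruptible, whereas register_netdev(), which it replaces, takes the lock in its killable form as far as I recall for this kernel series, so a probe blocked on RTNL can no longer be ended by a fatal signal. If that behaviour should be kept, `if (rtnl_lock_killable()) { err = -EINTR; goto free_failover; }` would do it; please verify against register_netdev() in this tree. The added comment could also name the requirement it protects, e.g. `/* ndo_open() must not run before virtio_device_ready() has set DRIVER_OK */`. virtnet_probe starts and ends outside the hunk.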