* [PATCH AUTOSEL 5.10 01/13] scsi: qla2xxx: Fix missed DMA unmap for aborted commands
@ 2022-05-18 12:28 Sasha Levin
  2022-05-18 12:28 ` [PATCH AUTOSEL 5.10 02/13] mac80211: fix rx reordering with non explicit / psmp ack policy Sasha Levin
                   ` (11 more replies)
  0 siblings, 12 replies; 13+ messages in thread
From: Sasha Levin @ 2022-05-18 12:28 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Gleb Chesnokov, Himanshu Madhani, Martin K . Petersen,
	Sasha Levin, njavali, GR-QLogic-Storage-Upstream, jejb,
	linux-scsi

From: Gleb Chesnokov <Chesnokov.G@raidix.com>

[ Upstream commit 26f9ce53817a8fd84b69a73473a7de852a24c897 ]

Aborting commands that have already been sent to the firmware can
cause BUG in qlt_free_cmd(): BUG_ON(cmd->sg_mapped)

For instance:

 - Command passes rdx_to_xfer state, maps sgl, sends to the firmware

 - Reset occurs, qla2xxx performs ISP error recovery, aborts the command

 - Target stack calls qlt_abort_cmd() and then qlt_free_cmd()

 - BUG_ON(cmd->sg_mapped) in qlt_free_cmd() occurs because sgl was not
   unmapped

Thus, unmap sgl in qlt_abort_cmd() for commands with the aborted flag set.

Link: https://lore.kernel.org/r/AS8PR10MB4952D545F84B6B1DFD39EC1E9DEE9@AS8PR10MB4952.EURPRD10.PROD.OUTLOOK.COM
Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
Signed-off-by: Gleb Chesnokov <Chesnokov.G@raidix.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/qla2xxx/qla_target.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/scsi/qla2xxx/qla_target.c b/drivers/scsi/qla2xxx/qla_target.c
index cf9ae0ab489a..ba823e8eb902 100644
--- a/drivers/scsi/qla2xxx/qla_target.c
+++ b/drivers/scsi/qla2xxx/qla_target.c
@@ -3773,6 +3773,9 @@ int qlt_abort_cmd(struct qla_tgt_cmd *cmd)
 
 	spin_lock_irqsave(&cmd->cmd_lock, flags);
 	if (cmd->aborted) {
+		if (cmd->sg_mapped)
+			qlt_unmap_sg(vha, cmd);
+
 		spin_unlock_irqrestore(&cmd->cmd_lock, flags);
 		/*
 		 * It's normal to see 2 calls in this path:
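
Review bot: the new cmd->sg_mapped guard in the cmd->aborted branch is only safe for the second call that the comment just below describes if qlt_unmap_sg() clears sg_mapped itself; please confirm that, otherwise the repeated abort unmaps the same sgl twice. The call also uses vha, which is not declared in the visible context, so check it is in scope in the 5.10 version of qlt_abort_cmd(), and note that the unmap now runs with cmd->cmd_lock held and interrupts off.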
-- 
2.35.1



* [PATCH AUTOSEL 5.10 02/13] mac80211: fix rx reordering with non explicit / psmp ack policy
  2022-05-18 12:28 [PATCH AUTOSEL 5.10 01/13] scsi: qla2xxx: Fix missed DMA unmap for aborted commands Sasha Levin
@ 2022-05-18 12:28 ` Sasha Levin
  2022-05-18 12:28 ` [PATCH AUTOSEL 5.10 03/13] nl80211: validate S1G channel width Sasha Levin
                   ` (10 subsequent siblings)
  11 siblings, 0 replies; 13+ messages in thread
From: Sasha Levin @ 2022-05-18 12:28 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Felix Fietkau, Johannes Berg, Sasha Levin, johannes, davem,
	edumazet, kuba, pabeni, linux-wireless, netdev

From: Felix Fietkau <nbd@nbd.name>

[ Upstream commit 5e469ed9764d4722c59562da13120bd2dc6834c5 ]

When the QoS ack policy was set to non explicit / psmp ack, frames are treated
as not being part of a BA session, which causes extra latency on reordering.
Fix this by only bypassing reordering for packets with no-ack policy

Signed-off-by: Felix Fietkau <nbd@nbd.name>
Link: https://lore.kernel.org/r/20220420105038.36443-1-nbd@nbd.name
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/mac80211/rx.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index 1e7614abd947..e991abb45f68 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -1387,8 +1387,7 @@ static void ieee80211_rx_reorder_ampdu(struct ieee80211_rx_data *rx,
 		goto dont_reorder;
 
 	/* not part of a BA session */
-	if (ack_policy != IEEE80211_QOS_CTL_ACK_POLICY_BLOCKACK &&
-	    ack_policy != IEEE80211_QOS_CTL_ACK_POLICY_NORMAL)
+	if (ack_policy == IEEE80211_QOS_CTL_ACK_POLICY_NOACK)
 		goto dont_reorder;
 
 	/* new, potentially un-ordered, ampdu frame - process it */
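
Review bot: the comment "not part of a BA session" above the changed test in ieee80211_rx_reorder_ampdu() no longer describes it. The test now skips reordering only for IEEE80211_QOS_CTL_ACK_POLICY_NOACK, and every other ack policy falls through to the reorder path, so the comment should say that no-ack frames bypass reordering.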
-- 
2.35.1



* [PATCH AUTOSEL 5.10 03/13] nl80211: validate S1G channel width
  2022-05-18 12:28 [PATCH AUTOSEL 5.10 01/13] scsi: qla2xxx: Fix missed DMA unmap for aborted commands Sasha Levin
  2022-05-18 12:28 ` [PATCH AUTOSEL 5.10 02/13] mac80211: fix rx reordering with non explicit / psmp ack policy Sasha Levin
@ 2022-05-18 12:28 ` Sasha Levin
  2022-05-18 12:28 ` [PATCH AUTOSEL 5.10 04/13] selftests: add ping test with ping_group_range tuned Sasha Levin
                   ` (9 subsequent siblings)
  11 siblings, 0 replies; 13+ messages in thread
From: Sasha Levin @ 2022-05-18 12:28 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Kieran Frewen, Bassem Dawood, Johannes Berg, Sasha Levin,
	johannes, davem, edumazet, kuba, pabeni, linux-wireless, netdev

From: Kieran Frewen <kieran.frewen@morsemicro.com>

[ Upstream commit 5d087aa759eb82b8208411913f6c2158bd85abc0 ]

Validate the S1G channel width input by user to ensure it matches
that of the requested channel

Signed-off-by: Kieran Frewen <kieran.frewen@morsemicro.com>
Signed-off-by: Bassem Dawood <bassem@morsemicro.com>
Link: https://lore.kernel.org/r/20220420041321.3788789-2-kieran.frewen@morsemicro.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/wireless/nl80211.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 12f44ad4e0d8..283447df5fc6 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -2955,6 +2955,15 @@ int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
 	} else if (attrs[NL80211_ATTR_CHANNEL_WIDTH]) {
 		chandef->width =
 			nla_get_u32(attrs[NL80211_ATTR_CHANNEL_WIDTH]);
+		if (chandef->chan->band == NL80211_BAND_S1GHZ) {
+			/* User input error for channel width doesn't match channel  */
+			if (chandef->width != ieee80211_s1g_channel_width(chandef->chan)) {
+				NL_SET_ERR_MSG_ATTR(extack,
+						    attrs[NL80211_ATTR_CHANNEL_WIDTH],
+						    "bad channel width");
+				return -EINVAL;
+			}
+		}
 		if (attrs[NL80211_ATTR_CENTER_FREQ1]) {
 			chandef->center_freq1 =
 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1]);
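
Review bot: the added S1G check dereferences chandef->chan->band, and nothing in the visible lines shows chandef->chan is non-NULL at this point; confirm it is assigned and checked earlier in nl80211_parse_chandef(). The check also sits only in the NL80211_ATTR_CHANNEL_WIDTH branch, so an S1G request that reaches the width through another branch is not validated here. The comment is hard to parse and ends in a double space; something like "user-supplied width must match the S1G channel" would read better.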
-- 
2.35.1



* [PATCH AUTOSEL 5.10 04/13] selftests: add ping test with ping_group_range tuned
  2022-05-18 12:28 [PATCH AUTOSEL 5.10 01/13] scsi: qla2xxx: Fix missed DMA unmap for aborted commands Sasha Levin
  2022-05-18 12:28 ` [PATCH AUTOSEL 5.10 02/13] mac80211: fix rx reordering with non explicit / psmp ack policy Sasha Levin
  2022-05-18 12:28 ` [PATCH AUTOSEL 5.10 03/13] nl80211: validate S1G channel width Sasha Levin
@ 2022-05-18 12:28 ` Sasha Levin
  2022-05-18 12:28 ` [PATCH AUTOSEL 5.10 05/13] nl80211: fix locking in nl80211_set_tx_bitrate_mask() Sasha Levin
                   ` (8 subsequent siblings)
  11 siblings, 0 replies; 13+ messages in thread
From: Sasha Levin @ 2022-05-18 12:28 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Nicolas Dichtel, David Ahern, Jakub Kicinski, Sasha Levin, davem,
	edumazet, pabeni, shuah, netdev, linux-kselftest

From: Nicolas Dichtel <nicolas.dichtel@6wind.com>

[ Upstream commit e71b7f1f44d3d88c677769c85ef0171caf9fc89f ]

The 'ping' utility is able to manage two kinds of sockets (raw or icmp),
depending on the sysctl ping_group_range. By default, ping_group_range is
set to '1 0', which forces ping to use an ip raw socket.

Let's replay the ping tests by allowing 'ping' to use the ip icmp socket.
After the previous patch, ipv4 tests results are the same with both kinds
of socket. For ipv6, there are a lot of new failures (the previous patch
fixes only two cases).

Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/testing/selftests/net/fcnal-test.sh | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/tools/testing/selftests/net/fcnal-test.sh b/tools/testing/selftests/net/fcnal-test.sh
index ace976d89125..4a11ea2261cb 100755
--- a/tools/testing/selftests/net/fcnal-test.sh
+++ b/tools/testing/selftests/net/fcnal-test.sh
@@ -794,10 +794,16 @@ ipv4_ping()
 	setup
 	set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null
 	ipv4_ping_novrf
+	setup
+	set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null
+	ipv4_ping_novrf
 
 	log_subsection "With VRF"
 	setup "yes"
 	ipv4_ping_vrf
+	setup "yes"
+	set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null
+	ipv4_ping_vrf
 }
 
 ################################################################################
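
Review bot: in ipv4_ping() the added set_sysctl calls send errors to /dev/null, so if net.ipv4.ping_group_range cannot be set the second ipv4_ping_novrf and ipv4_ping_vrf runs silently repeat the raw-socket case and the test still reports coverage it did not get. Check that the sysctl took effect (or skip the rerun), and add a log_subsection for the icmp-socket pass so its results can be told apart from the first pass in the output.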
@@ -2261,10 +2267,16 @@ ipv6_ping()
 	log_subsection "No VRF"
 	setup
 	ipv6_ping_novrf
+	setup
+	set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null
+	ipv6_ping_novrf
 
 	log_subsection "With VRF"
 	setup "yes"
 	ipv6_ping_vrf
+	setup "yes"
+	set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null
+	ipv6_ping_vrf
 }
 
 ################################################################################
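
Review bot: the ipv6_ping() reruns set net.ipv4.ping_group_range, which looks like a copy-paste slip next to ipv6_ping_novrf and ipv6_ping_vrf. A one-line comment saying this sysctl also governs the IPv6 ping socket would settle it for the reader. The 2>/dev/null point from the ipv4 hunk applies here as well.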
-- 
2.35.1



* [PATCH AUTOSEL 5.10 05/13] nl80211: fix locking in nl80211_set_tx_bitrate_mask()
  2022-05-18 12:28 [PATCH AUTOSEL 5.10 01/13] scsi: qla2xxx: Fix missed DMA unmap for aborted commands Sasha Levin
                   ` (2 preceding siblings ...)
  2022-05-18 12:28 ` [PATCH AUTOSEL 5.10 04/13] selftests: add ping test with ping_group_range tuned Sasha Levin
@ 2022-05-18 12:28 ` Sasha Levin
  2022-05-18 12:28 ` [PATCH AUTOSEL 5.10 06/13] ethernet: tulip: fix missing pci_disable_device() on error in tulip_init_one() Sasha Levin
                   ` (7 subsequent siblings)
  11 siblings, 0 replies; 13+ messages in thread
From: Sasha Levin @ 2022-05-18 12:28 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Johannes Berg, Sasha Levin, johannes, davem, edumazet, kuba,
	pabeni, linux-wireless, netdev

From: Johannes Berg <johannes.berg@intel.com>

[ Upstream commit f971e1887fdb3ab500c9bebf4b98f62d49a20655 ]

This accesses the wdev's chandef etc., so cannot safely
be used without holding the lock.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Link: https://lore.kernel.org/r/20220506102136.06b7205419e6.I2a87c05fbd8bc5e565e84d190d4cfd2e92695a90@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/wireless/nl80211.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 283447df5fc6..f8d5f35cfc66 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -11095,18 +11095,23 @@ static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
 	struct cfg80211_bitrate_mask mask;
 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
 	struct net_device *dev = info->user_ptr[1];
+	struct wireless_dev *wdev = dev->ieee80211_ptr;
 	int err;
 
 	if (!rdev->ops->set_bitrate_mask)
 		return -EOPNOTSUPP;
 
+	wdev_lock(wdev);
 	err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
 					    NL80211_ATTR_TX_RATES, &mask,
 					    dev);
 	if (err)
-		return err;
+		goto out;
 
-	return rdev_set_bitrate_mask(rdev, dev, NULL, &mask);
+	err = rdev_set_bitrate_mask(rdev, dev, NULL, &mask);
+out:
+	wdev_unlock(wdev);
+	return err;
 }
 
 static int nl80211_register_mgmt(struct sk_buff *skb, struct genl_info *info)
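
Review bot: wdev_lock() is now held across rdev_set_bitrate_mask() as well as nl80211_parse_tx_bitrate_mask(), while the commit message only justifies the lock for the chandef access. Please confirm that no set_bitrate_mask driver op in 5.10 takes the wdev lock itself, or narrow the locked region to the parse. Also, wdev is taken from dev->ieee80211_ptr at declaration with no NULL check in the visible lines; state why it cannot be NULL for this command.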
-- 
2.35.1



* [PATCH AUTOSEL 5.10 06/13] ethernet: tulip: fix missing pci_disable_device() on error in tulip_init_one()
  2022-05-18 12:28 [PATCH AUTOSEL 5.10 01/13] scsi: qla2xxx: Fix missed DMA unmap for aborted commands Sasha Levin
                   ` (3 preceding siblings ...)
  2022-05-18 12:28 ` [PATCH AUTOSEL 5.10 05/13] nl80211: fix locking in nl80211_set_tx_bitrate_mask() Sasha Levin
@ 2022-05-18 12:28 ` Sasha Levin
  2022-05-18 12:28 ` [PATCH AUTOSEL 5.10 07/13] net: stmmac: fix missing pci_disable_device() on error in stmmac_pci_probe() Sasha Levin
                   ` (6 subsequent siblings)
  11 siblings, 0 replies; 13+ messages in thread
From: Sasha Levin @ 2022-05-18 12:28 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Yang Yingliang, Hulk Robot, Jakub Kicinski, Sasha Levin, davem,
	edumazet, pabeni, jgg, arnd, netdev, linux-parisc

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit 51ca86b4c9c7c75f5630fa0dbe5f8f0bd98e3c3e ]

Fix the missing pci_disable_device() before return
from tulip_init_one() in the error handling case.

Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://lore.kernel.org/r/20220506094250.3630615-1-yangyingliang@huawei.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/dec/tulip/tulip_core.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/dec/tulip/tulip_core.c b/drivers/net/ethernet/dec/tulip/tulip_core.c
index e7b0d7de40fd..c22d945a79fd 100644
--- a/drivers/net/ethernet/dec/tulip/tulip_core.c
+++ b/drivers/net/ethernet/dec/tulip/tulip_core.c
@@ -1396,8 +1396,10 @@ static int tulip_init_one(struct pci_dev *pdev, const struct pci_device_id *ent)
 
 	/* alloc_etherdev ensures aligned and zeroed private structures */
 	dev = alloc_etherdev (sizeof (*tp));
-	if (!dev)
+	if (!dev) {
+		pci_disable_device(pdev);
 		return -ENOMEM;
+	}
 
 	SET_NETDEV_DEV(dev, &pdev->dev);
 	if (pci_resource_len (pdev, 0) < tulip_tbl[chip_idx].io_size) {
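
Review bot: the !dev branch in tulip_init_one() now open-codes pci_disable_device() before return -ENOMEM, while the other failure paths unwind through labels such as err_out_free_netdev. A dedicated label placed after free_netdev() would keep a single unwind sequence and avoid a second place to update when the cleanup changes.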
@@ -1774,6 +1776,7 @@ static int tulip_init_one(struct pci_dev *pdev, const struct pci_device_id *ent)
 
 err_out_free_netdev:
 	free_netdev (dev);
+	pci_disable_device(pdev);
 	return -ENODEV;
 }
 
-- 
2.35.1



* [PATCH AUTOSEL 5.10 07/13] net: stmmac: fix missing pci_disable_device() on error in stmmac_pci_probe()
  2022-05-18 12:28 [PATCH AUTOSEL 5.10 01/13] scsi: qla2xxx: Fix missed DMA unmap for aborted commands Sasha Levin
                   ` (4 preceding siblings ...)
  2022-05-18 12:28 ` [PATCH AUTOSEL 5.10 06/13] ethernet: tulip: fix missing pci_disable_device() on error in tulip_init_one() Sasha Levin
@ 2022-05-18 12:28 ` Sasha Levin
  2022-05-18 12:28 ` [PATCH AUTOSEL 5.10 08/13] net: atlantic: fix "frag[0] not initialized" Sasha Levin
                   ` (5 subsequent siblings)
  11 siblings, 0 replies; 13+ messages in thread
From: Sasha Levin @ 2022-05-18 12:28 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Yang Yingliang, Hulk Robot, Jakub Kicinski, Sasha Levin,
	peppe.cavallaro, alexandre.torgue, joabreu, davem, edumazet,
	pabeni, mcoquelin.stm32, netdev, linux-stm32, linux-arm-kernel

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit 0807ce0b010418a191e0e4009803b2d74c3245d5 ]

Switch to using pcim_enable_device() to avoid missing pci_disable_device().

Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://lore.kernel.org/r/20220510031316.1780409-1-yangyingliang@huawei.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c
index 272cb47af9f2..a7a1227c9b92 100644
--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c
@@ -175,7 +175,7 @@ static int stmmac_pci_probe(struct pci_dev *pdev,
 		return -ENOMEM;
 
 	/* Enable pci device */
-	ret = pci_enable_device(pdev);
+	ret = pcim_enable_device(pdev);
 	if (ret) {
 		dev_err(&pdev->dev, "%s: ERROR: failed to enable device\n",
 			__func__);
@@ -227,8 +227,6 @@ static void stmmac_pci_remove(struct pci_dev *pdev)
 		pcim_iounmap_regions(pdev, BIT(i));
 		break;
 	}
-
-	pci_disable_device(pdev);
 }
 
 static int __maybe_unused stmmac_pci_suspend(struct device *dev)
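
Review bot: dropping pci_disable_device() from stmmac_pci_remove() is only correct together with the pcim_enable_device() switch in the probe hunk, so the two must be backported as a unit. With the managed enable, the disable now happens at devres release after remove() returns. Please check that stmmac_pci_suspend() and its resume counterpart do not enable or disable the device in a way that unbalances the managed state.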
-- 
2.35.1



* [PATCH AUTOSEL 5.10 08/13] net: atlantic: fix "frag[0] not initialized"
  2022-05-18 12:28 [PATCH AUTOSEL 5.10 01/13] scsi: qla2xxx: Fix missed DMA unmap for aborted commands Sasha Levin
                   ` (5 preceding siblings ...)
  2022-05-18 12:28 ` [PATCH AUTOSEL 5.10 07/13] net: stmmac: fix missing pci_disable_device() on error in stmmac_pci_probe() Sasha Levin
@ 2022-05-18 12:28 ` Sasha Levin
  2022-05-18 12:28 ` [PATCH AUTOSEL 5.10 09/13] net: atlantic: reduce scope of is_rsc_complete Sasha Levin
                   ` (4 subsequent siblings)
  11 siblings, 0 replies; 13+ messages in thread
From: Sasha Levin @ 2022-05-18 12:28 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Grant Grundler, Aashay Shringarpure, Yi Chou, Shervin Oloumi,
	David S . Miller, Sasha Levin, irusskikh, edumazet, kuba, pabeni,
	netdev

From: Grant Grundler <grundler@chromium.org>

[ Upstream commit 62e0ae0f4020250f961cf8d0103a4621be74e077 ]

In aq_ring_rx_clean(), if buff->is_eop is not set AND
buff->len < AQ_CFG_RX_HDR_SIZE, then hdr_len remains equal to
buff->len and skb_add_rx_frag(xxx, *0*, ...) is not called.

The loop following this code starts calling skb_add_rx_frag() starting
with i=1 and thus frag[0] is never initialized. Since i is initialized
to zero at the top of the primary loop, we can just reference and
post-increment i instead of hardcoding the 0 when calling
skb_add_rx_frag() the first time.

Reported-by: Aashay Shringarpure <aashay@google.com>
Reported-by: Yi Chou <yich@google.com>
Reported-by: Shervin Oloumi <enlightened@google.com>
Signed-off-by: Grant Grundler <grundler@chromium.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/aquantia/atlantic/aq_ring.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c
index 72f8751784c3..7cf5a48e9a7d 100644
--- a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c
+++ b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c
@@ -445,7 +445,7 @@ int aq_ring_rx_clean(struct aq_ring_s *self,
 		       ALIGN(hdr_len, sizeof(long)));
 
 		if (buff->len - hdr_len > 0) {
-			skb_add_rx_frag(skb, 0, buff->rxdata.page,
+			skb_add_rx_frag(skb, i++, buff->rxdata.page,
 					buff->rxdata.pg_off + hdr_len,
 					buff->len - hdr_len,
 					AQ_CFG_RX_FRAME_MAX);
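
Review bot: i++ inside the skb_add_rx_frag() argument list hides the state change this fix depends on. Pass i and increment it on its own line, with a short comment that i is the next free frag slot, so the relationship to the later loop (which no longer resets i after the second hunk) is visible. The index is also not checked against a frag limit in the visible lines.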
@@ -454,7 +454,6 @@ int aq_ring_rx_clean(struct aq_ring_s *self,
 
 		if (!buff->is_eop) {
 			buff_ = buff;
-			i = 1U;
 			do {
 				next_ = buff_->next;
 				buff_ = &self->buff_ring[next_];
-- 
2.35.1



* [PATCH AUTOSEL 5.10 09/13] net: atlantic: reduce scope of is_rsc_complete
  2022-05-18 12:28 [PATCH AUTOSEL 5.10 01/13] scsi: qla2xxx: Fix missed DMA unmap for aborted commands Sasha Levin
                   ` (6 preceding siblings ...)
  2022-05-18 12:28 ` [PATCH AUTOSEL 5.10 08/13] net: atlantic: fix "frag[0] not initialized" Sasha Levin
@ 2022-05-18 12:28 ` Sasha Levin
  2022-05-18 12:28 ` [PATCH AUTOSEL 5.10 10/13] net: atlantic: add check for MAX_SKB_FRAGS Sasha Levin
                   ` (3 subsequent siblings)
  11 siblings, 0 replies; 13+ messages in thread
From: Sasha Levin @ 2022-05-18 12:28 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Grant Grundler, David S . Miller, Sasha Levin, irusskikh,
	edumazet, kuba, pabeni, netdev

From: Grant Grundler <grundler@chromium.org>

[ Upstream commit 79784d77ebbd3ec516b7a5ce555d979fb7946202 ]

Don't defer handling the err case outside the loop. That's pointless.

And since is_rsc_complete is only used inside this loop, declare
it inside the loop to reduce its scope.

Signed-off-by: Grant Grundler <grundler@chromium.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/aquantia/atlantic/aq_ring.c | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c
index 7cf5a48e9a7d..339efdfb1d49 100644
--- a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c
+++ b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c
@@ -345,7 +345,6 @@ int aq_ring_rx_clean(struct aq_ring_s *self,
 		     int budget)
 {
 	struct net_device *ndev = aq_nic_get_ndev(self->aq_nic);
-	bool is_rsc_completed = true;
 	int err = 0;
 
 	for (; (self->sw_head != self->hw_head) && budget;
@@ -365,6 +364,8 @@ int aq_ring_rx_clean(struct aq_ring_s *self,
 		if (!buff->is_eop) {
 			buff_ = buff;
 			do {
+				bool is_rsc_completed = true;
+
 				if (buff_->next >= self->size) {
 					err = -EIO;
 					goto err_exit;
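
Review bot: the = true initializer on the relocated is_rsc_completed looks dead if the assignment from the range check further down the loop body always runs before the flag is tested. Drop the initializer so the compiler can flag any future path that reads it unset, or say why the default matters.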
@@ -376,18 +377,16 @@ int aq_ring_rx_clean(struct aq_ring_s *self,
 							    next_,
 							    self->hw_head);
 
-				if (unlikely(!is_rsc_completed))
-					break;
+				if (unlikely(!is_rsc_completed)) {
+					err = 0;
+					goto err_exit;
+				}
 
 				buff->is_error |= buff_->is_error;
 				buff->is_cso_err |= buff_->is_cso_err;
 
 			} while (!buff_->is_eop);
 
-			if (!is_rsc_completed) {
-				err = 0;
-				goto err_exit;
-			}
 			if (buff->is_error ||
 			    (buff->is_lro && buff->is_cso_err)) {
 				buff_ = buff;
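
Review bot: the incomplete-RSC case now leaves through err_exit with err = 0, which reads as an error path returning success. err is initialised to 0 at the top of aq_ring_rx_clean() and every non-zero assignment in the visible lines jumps out immediately, so the assignment appears redundant. A comment such as "chain not complete yet, retry on next poll" at the goto would make the intent clear.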
-- 
2.35.1



* [PATCH AUTOSEL 5.10 10/13] net: atlantic: add check for MAX_SKB_FRAGS
  2022-05-18 12:28 [PATCH AUTOSEL 5.10 01/13] scsi: qla2xxx: Fix missed DMA unmap for aborted commands Sasha Levin
                   ` (7 preceding siblings ...)
  2022-05-18 12:28 ` [PATCH AUTOSEL 5.10 09/13] net: atlantic: reduce scope of is_rsc_complete Sasha Levin
@ 2022-05-18 12:28 ` Sasha Levin
  2022-05-18 12:28 ` [PATCH AUTOSEL 5.10 11/13] net: atlantic: verify hw_head_ lies within TX buffer ring Sasha Levin
                   ` (2 subsequent siblings)
  11 siblings, 0 replies; 13+ messages in thread
From: Sasha Levin @ 2022-05-18 12:28 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Grant Grundler, Aashay Shringarpure, Yi Chou, Shervin Oloumi,
	David S . Miller, Sasha Levin, irusskikh, edumazet, kuba, pabeni,
	netdev

From: Grant Grundler <grundler@chromium.org>

[ Upstream commit 6aecbba12b5c90b26dc062af3b9de8c4b3a2f19f ]

Enforce that the CPU can not get stuck in an infinite loop.

Reported-by: Aashay Shringarpure <aashay@google.com>
Reported-by: Yi Chou <yich@google.com>
Reported-by: Shervin Oloumi <enlightened@google.com>
Signed-off-by: Grant Grundler <grundler@chromium.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/aquantia/atlantic/aq_ring.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c
index 339efdfb1d49..e9c6f1fa0b1a 100644
--- a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c
+++ b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c
@@ -362,6 +362,7 @@ int aq_ring_rx_clean(struct aq_ring_s *self,
 			continue;
 
 		if (!buff->is_eop) {
+			unsigned int frag_cnt = 0U;
 			buff_ = buff;
 			do {
 				bool is_rsc_completed = true;
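
Review bot: style point on the new declaration at the top of the if (!buff->is_eop) block: kernel style wants a blank line between "unsigned int frag_cnt = 0U;" and the following "buff_ = buff;" statement.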
@@ -370,6 +371,8 @@ int aq_ring_rx_clean(struct aq_ring_s *self,
 					err = -EIO;
 					goto err_exit;
 				}
+
+				frag_cnt++;
 				next_ = buff_->next,
 				buff_ = &self->buff_ring[next_];
 				is_rsc_completed =
@@ -377,7 +380,8 @@ int aq_ring_rx_clean(struct aq_ring_s *self,
 							    next_,
 							    self->hw_head);
 
-				if (unlikely(!is_rsc_completed)) {
+				if (unlikely(!is_rsc_completed) ||
+						frag_cnt > MAX_SKB_FRAGS) {
 					err = 0;
 					goto err_exit;
 				}
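
Review bot: the frag_cnt > MAX_SKB_FRAGS case shares the err = 0 exit with the "RSC not completed yet" case, so an over-long descriptor chain is reported as success and is indistinguishable from a benign retry. If the ring position is not advanced on this path, the same chain is walked again on the next poll. Consider returning an error as the buff_->next >= self->size check does with -EIO, and move the new condition inside unlikely() with the continuation line aligned to the opening parenthesis.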
-- 
2.35.1



* [PATCH AUTOSEL 5.10 11/13] net: atlantic: verify hw_head_ lies within TX buffer ring
  2022-05-18 12:28 [PATCH AUTOSEL 5.10 01/13] scsi: qla2xxx: Fix missed DMA unmap for aborted commands Sasha Levin
                   ` (8 preceding siblings ...)
  2022-05-18 12:28 ` [PATCH AUTOSEL 5.10 10/13] net: atlantic: add check for MAX_SKB_FRAGS Sasha Levin
@ 2022-05-18 12:28 ` Sasha Levin
  2022-05-18 12:28 ` [PATCH AUTOSEL 5.10 12/13] arm64: Enable repeat tlbi workaround on KRYO4XX gold CPUs Sasha Levin
  2022-05-18 12:28 ` [PATCH AUTOSEL 5.10 13/13] usb: gadget: fix race when gadget driver register via ioctl Sasha Levin
  11 siblings, 0 replies; 13+ messages in thread
From: Sasha Levin @ 2022-05-18 12:28 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Grant Grundler, Aashay Shringarpure, Yi Chou, Shervin Oloumi,
	David S . Miller, Sasha Levin, irusskikh, edumazet, kuba, pabeni,
	netdev

From: Grant Grundler <grundler@chromium.org>

[ Upstream commit 2120b7f4d128433ad8c5f503a9584deba0684901 ]

Bounds check hw_head index provided by NIC to verify it lies
within the TX buffer ring.

Reported-by: Aashay Shringarpure <aashay@google.com>
Reported-by: Yi Chou <yich@google.com>
Reported-by: Shervin Oloumi <enlightened@google.com>
Signed-off-by: Grant Grundler <grundler@chromium.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c
index 9f1b15077e7d..45c17c585d74 100644
--- a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c
+++ b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c
@@ -889,6 +889,13 @@ int hw_atl_b0_hw_ring_tx_head_update(struct aq_hw_s *self,
 		err = -ENXIO;
 		goto err_exit;
 	}
+
+	/* Validate that the new hw_head_ is reasonable. */
+	if (hw_head_ >= ring->size) {
+		err = -ENXIO;
+		goto err_exit;
+	}
+
 	ring->hw_head = hw_head_;
 	err = aq_hw_err_from_flags(self);
 
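
Review bot: the new hw_head_ >= ring->size check in hw_atl_b0_hw_ring_tx_head_update() returns the same -ENXIO as the check just above it and logs nothing, so a NIC handing back an out-of-range index cannot be told apart from the other failure. A rate-limited warning that prints hw_head_ and ring->size would help triage. The comment could also say "within the TX ring" instead of "reasonable".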
-- 
2.35.1



* [PATCH AUTOSEL 5.10 12/13] arm64: Enable repeat tlbi workaround on KRYO4XX gold CPUs
  2022-05-18 12:28 [PATCH AUTOSEL 5.10 01/13] scsi: qla2xxx: Fix missed DMA unmap for aborted commands Sasha Levin
                   ` (9 preceding siblings ...)
  2022-05-18 12:28 ` [PATCH AUTOSEL 5.10 11/13] net: atlantic: verify hw_head_ lies within TX buffer ring Sasha Levin
@ 2022-05-18 12:28 ` Sasha Levin
  2022-05-18 12:28 ` [PATCH AUTOSEL 5.10 13/13] usb: gadget: fix race when gadget driver register via ioctl Sasha Levin
  11 siblings, 0 replies; 13+ messages in thread
From: Sasha Levin @ 2022-05-18 12:28 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Shreyas K K, Sai Prakash Ranjan, Will Deacon, Sasha Levin,
	catalin.marinas, corbet, anshuman.khandual, suzuki.poulose,
	mathieu.poirier, james.morse, arnd, lcherian, linux-arm-kernel,
	linux-doc

From: Shreyas K K <quic_shrekk@quicinc.com>

[ Upstream commit 51f559d66527e238f9a5f82027bff499784d4eac ]

Add KRYO4XX gold/big cores to the list of CPUs that need the
repeat TLBI workaround. Apply this to the affected
KRYO4XX cores (rcpe to rfpe).

The variant and revision bits are implementation defined and are
different from their Cortex CPU counterparts on which they are
based, i.e., (r0p0 to r3p0) is equivalent to (rcpe to rfpe).

Signed-off-by: Shreyas K K <quic_shrekk@quicinc.com>
Reviewed-by: Sai Prakash Ranjan <quic_saipraka@quicinc.com>
Link: https://lore.kernel.org/r/20220512110134.12179-1-quic_shrekk@quicinc.com
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 Documentation/arm64/silicon-errata.rst | 3 +++
 arch/arm64/kernel/cpu_errata.c         | 2 ++
 2 files changed, 5 insertions(+)

diff --git a/Documentation/arm64/silicon-errata.rst b/Documentation/arm64/silicon-errata.rst
index 719510247292..f01eed0ee23a 100644
--- a/Documentation/arm64/silicon-errata.rst
+++ b/Documentation/arm64/silicon-errata.rst
@@ -160,6 +160,9 @@ stable kernels.
 +----------------+-----------------+-----------------+-----------------------------+
 | Qualcomm Tech. | Kryo4xx Silver  | N/A             | ARM64_ERRATUM_1024718       |
 +----------------+-----------------+-----------------+-----------------------------+
+| Qualcomm Tech. | Kryo4xx Gold    | N/A             | ARM64_ERRATUM_1286807       |
++----------------+-----------------+-----------------+-----------------------------+
+
 +----------------+-----------------+-----------------+-----------------------------+
 | Fujitsu        | A64FX           | E#010001        | FUJITSU_ERRATUM_010001      |
 +----------------+-----------------+-----------------+-----------------------------+
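
Review bot: the added Kryo4xx Gold row is followed by an added blank line, which lands between two border lines that are adjacent in the unchanged context (as after the Kryo4xx Silver row). That blank line ends the grid table in reStructuredText and starts a new one at the Fujitsu entry; drop it unless the split is intended.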
diff --git a/arch/arm64/kernel/cpu_errata.c b/arch/arm64/kernel/cpu_errata.c
index 533559c7d2b3..ca42d58e8c82 100644
--- a/arch/arm64/kernel/cpu_errata.c
+++ b/arch/arm64/kernel/cpu_errata.c
@@ -220,6 +220,8 @@ static const struct arm64_cpu_capabilities arm64_repeat_tlbi_list[] = {
 #ifdef CONFIG_ARM64_ERRATUM_1286807
 	{
 		ERRATA_MIDR_RANGE(MIDR_CORTEX_A76, 0, 0, 3, 0),
+		/* Kryo4xx Gold (rcpe to rfpe) => (r0p0 to r3p0) */
+		ERRATA_MIDR_RANGE(MIDR_QCOM_KRYO_4XX_GOLD, 0xc, 0xe, 0xf, 0xe),
 	},
 #endif
 	{},
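
Review bot: the new ERRATA_MIDR_RANGE(MIDR_QCOM_KRYO_4XX_GOLD, ...) line is placed inside the same braces as the MIDR_CORTEX_A76 entry, so one element of arm64_repeat_tlbi_list[] receives two range initializers. If the macro expands to designated initializers, the later one overrides the earlier and the Cortex-A76 range is no longer matched. Give the Kryo4xx Gold range its own { ... }, element.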
-- 
2.35.1



* [PATCH AUTOSEL 5.10 13/13] usb: gadget: fix race when gadget driver register via ioctl
  2022-05-18 12:28 [PATCH AUTOSEL 5.10 01/13] scsi: qla2xxx: Fix missed DMA unmap for aborted commands Sasha Levin
                   ` (10 preceding siblings ...)
  2022-05-18 12:28 ` [PATCH AUTOSEL 5.10 12/13] arm64: Enable repeat tlbi workaround on KRYO4XX gold CPUs Sasha Levin
@ 2022-05-18 12:28 ` Sasha Levin
  11 siblings, 0 replies; 13+ messages in thread
From: Sasha Levin @ 2022-05-18 12:28 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Schspa Shi, syzbot+dc7c3ca638e773db07f6, Andrey Konovalov,
	Greg Kroah-Hartman, Sasha Levin, balbi, jj251510319013,
	Julia.Lawall, jannh, linux-usb

From: Schspa Shi <schspa@gmail.com>

[ Upstream commit 5f0b5f4d50fa0faa8c76ef9d42a42e8d43f98b44 ]

The usb_gadget_register_driver can be called multiple times by two
threads via USB_RAW_IOCTL_RUN ioctl syscall, which will lead
to multiple registrations.

Call trace:
  driver_register+0x220/0x3a0 drivers/base/driver.c:171
  usb_gadget_register_driver_owner+0xfb/0x1e0
    drivers/usb/gadget/udc/core.c:1546
  raw_ioctl_run drivers/usb/gadget/legacy/raw_gadget.c:513 [inline]
  raw_ioctl+0x1883/0x2730 drivers/usb/gadget/legacy/raw_gadget.c:1220
  ioctl USB_RAW_IOCTL_RUN

This routine allows two processes to register the same driver instance
via ioctl syscall, which leads to a race condition.

Please refer to the following scenarios.

           T1                                  T2
------------------------------------------------------------------
usb_gadget_register_driver_owner
  driver_register                    driver_register
    driver_find                       driver_find
    bus_add_driver                    bus_add_driver
      priv alloced                     <context switch>
      drv->p = priv;
      <schedule out>
      kobject_init_and_add // refcount = 1;
   //couldn't find an available UDC or it's busy
   <context switch>
                                       priv alloced
                                       drv->priv = priv;
                                       kobject_init_and_add
                                         ---> refcount = 1 <------
                                       // register success
                                       <context switch>
===================== another ioctl/process ======================
                                      driver_register
                                       driver_find
                                        k = kset_find_obj()
                                         ---> refcount = 2 <------
                                        <context out>
   driver_unregister
   // drv->p become T2's priv
   ---> refcount = 1 <------
   <context switch>
                                        kobject_put(k)
                                         ---> refcount = 0 <------
                                        return priv->driver;
                                        --------UAF here----------

There will be UAF in this scenario.

We can fix it by adding a new STATE_DEV_REGISTERING device state to
avoid double register.

Reported-by: syzbot+dc7c3ca638e773db07f6@syzkaller.appspotmail.com
Link: https://lore.kernel.org/all/000000000000e66c2805de55b15a@google.com/
Reviewed-by: Andrey Konovalov <andreyknvl@gmail.com>
Signed-off-by: Schspa Shi <schspa@gmail.com>
Link: https://lore.kernel.org/r/20220508150247.38204-1-schspa@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/usb/gadget/legacy/raw_gadget.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/usb/gadget/legacy/raw_gadget.c b/drivers/usb/gadget/legacy/raw_gadget.c
index 33efa6915b91..34cecd3660bf 100644
--- a/drivers/usb/gadget/legacy/raw_gadget.c
+++ b/drivers/usb/gadget/legacy/raw_gadget.c
@@ -144,6 +144,7 @@ enum dev_state {
 	STATE_DEV_INVALID = 0,
 	STATE_DEV_OPENED,
 	STATE_DEV_INITIALIZED,
+	STATE_DEV_REGISTERING,
 	STATE_DEV_RUNNING,
 	STATE_DEV_CLOSED,
 	STATE_DEV_FAILED
@@ -507,6 +508,7 @@ static int raw_ioctl_run(struct raw_dev *dev, unsigned long value)
 		ret = -EINVAL;
 		goto out_unlock;
 	}
+	dev->state = STATE_DEV_REGISTERING;
 	spin_unlock_irqrestore(&dev->lock, flags);
 
 	ret = usb_gadget_probe_driver(&dev->driver);
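
Review bot: raw_ioctl_run() now sets dev->state = STATE_DEV_REGISTERING before dropping the lock, but the visible lines do not show what happens to the state when usb_gadget_probe_driver() fails. Confirm the failure path moves the device to STATE_DEV_FAILED (or back), otherwise it stays in REGISTERING and every later ioctl is rejected. Any existing code that tests for STATE_DEV_INITIALIZED or STATE_DEV_RUNNING, such as the release path, also needs a look to see how it should treat the new intermediate state.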
-- 
2.35.1

