commit 09f983f0c7fc0db79a5f6c883ec3510d424c369c Author: Greg Kroah-Hartman Date: Sat Jan 23 15:58:01 2021 +0100 Linux 5.4.92 Tested-by: Shuah Khan Tested-by: Linux Kernel Functional Testing Tested-by: Jon Hunter Tested-by: Guenter Roeck Link: https://lore.kernel.org/r/20210122135733.565501039@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman commit e2d69319b713c30ca21428c3955a79f3a7bf6c23 Author: Michael Hennerich Date: Thu Jan 14 17:42:17 2021 +0200 spi: cadence: cache reference clock rate during probe commit 4d163ad79b155c71bf30366dc38f8d2502f78844 upstream. The issue is that using SPI from a callback under the CCF lock will deadlock, since this code uses clk_get_rate(). Fixes: c474b38665463 ("spi: Add driver for Cadence SPI controller") Signed-off-by: Michael Hennerich Signed-off-by: Alexandru Ardelean Link: https://lore.kernel.org/r/20210114154217.51996-1-alexandru.ardelean@analog.com Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit d04c7938d0f897dcc30c533d038937891c8d6054 Author: Lorenzo Bianconi Date: Sat Dec 26 10:39:08 2020 +0100 mac80211: check if atf has been disabled in __ieee80211_schedule_txq commit c13cf5c159660451c8fbdc37efb998b198e1d305 upstream. Check if atf has been disabled in __ieee80211_schedule_txq() in order to avoid a given sta is always put to the beginning of the active_txqs list and never moved to the end since deficit is not decremented in ieee80211_sta_register_airtime() Fixes: b4809e9484da1 ("mac80211: Add airtime accounting and scheduling to TXQs") Signed-off-by: Lorenzo Bianconi Acked-by: Toke Høiland-Jørgensen Link: https://lore.kernel.org/r/93889406c50f1416214c079ca0b8c9faecc5143e.1608975195.git.lorenzo@kernel.org Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit d46996cb4b168f19f40154b83f6a22024a909cb3 Author: Felix Fietkau Date: Fri Dec 18 20:15:25 2020 +0100 mac80211: do not drop tx nulldata packets on encrypted links commit 2463ec86cd0338a2c2edbfb0b9d50c52ff76ff43 upstream. ieee80211_tx_h_select_key drops any non-mgmt packets without a key when encryption is used. This is wrong for nulldata packets that can't be encrypted and are sent out for probing clients and indicating 4-address mode. Reported-by: Sebastian Gottschall Fixes: a0761a301746 ("mac80211: drop data frames without key on encrypted links") Signed-off-by: Felix Fietkau Link: https://lore.kernel.org/r/20201218191525.1168-1-nbd@nbd.name Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit 56e8947bcf814d195eb4954b4821868803d3dd67 Author: Hoang Le Date: Fri Jan 8 14:13:37 2021 +0700 tipc: fix NULL deref in tipc_link_xmit() [ Upstream commit b77413446408fdd256599daf00d5be72b5f3e7c6 ] The buffer list can have zero skb as following path: tipc_named_node_up()->tipc_node_xmit()->tipc_link_xmit(), so we need to check the list before casting an &sk_buff. Fault report: [] tipc: Bulk publication failure [] general protection fault, probably for non-canonical [#1] PREEMPT [...] [] KASAN: null-ptr-deref in range [0x00000000000000c8-0x00000000000000cf] [] CPU: 0 PID: 0 Comm: swapper/0 Kdump: loaded Not tainted 5.10.0-rc4+ #2 [] Hardware name: Bochs ..., BIOS Bochs 01/01/2011 [] RIP: 0010:tipc_link_xmit+0xc1/0x2180 [] Code: 24 b8 00 00 00 00 4d 39 ec 4c 0f 44 e8 e8 d7 0a 10 f9 48 [...] [] RSP: 0018:ffffc90000006ea0 EFLAGS: 00010202 [] RAX: dffffc0000000000 RBX: ffff8880224da000 RCX: 1ffff11003d3cc0d [] RDX: 0000000000000019 RSI: ffffffff886007b9 RDI: 00000000000000c8 [] RBP: ffffc90000007018 R08: 0000000000000001 R09: fffff52000000ded [] R10: 0000000000000003 R11: fffff52000000dec R12: ffffc90000007148 [] R13: 0000000000000000 R14: 0000000000000000 R15: ffffc90000007018 [] FS: 0000000000000000(0000) GS:ffff888037400000(0000) knlGS:000[...] [] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [] CR2: 00007fffd2db5000 CR3: 000000002b08f000 CR4: 00000000000006f0 Fixes: af9b028e270fd ("tipc: make media xmit call outside node spinlock context") Acked-by: Jon Maloy Signed-off-by: Hoang Le Link: https://lore.kernel.org/r/20210108071337.3598-1-hoang.h.le@dektech.com.au Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 55bac51762c39ef033b488dd09b60d48908d317f Author: Daniel Borkmann Date: Fri Jan 22 01:08:31 2021 +0100 net, sctp, filter: remap copy_from_user failure error [ no upstream commit ] Fix a potential kernel address leakage for the prerequisite where there is a BPF program attached to the cgroup/setsockopt hook. The latter can only be attached under root, however, if the attached program returns 1 to then run the related kernel handler, an unprivileged program could probe for kernel addresses that way. The reason this is possible is that we're under set_fs(KERNEL_DS) when running the kernel setsockopt handler. Aside from old cBPF there is also SCTP's struct sctp_getaddrs_old which contains pointers in the uapi struct that further need copy_from_user() inside the handler. In the normal case this would just return -EFAULT, but under a temporary KERNEL_DS setting the memory would be copied and we'd end up at a different error code, that is, -EINVAL, for both cases given subsequent validations fail, which then allows the app to distinguish and make use of this fact for probing the address space. In case of later kernel versions this issue won't work anymore thanks to Christoph Hellwig's work that got rid of the various temporary set_fs() address space overrides altogether. One potential option for 5.4 as the only affected stable kernel with the least complexity would be to remap those affected -EFAULT copy_from_user() error codes with -EINVAL such that they cannot be probed anymore. Risk of breakage should be rather low for this particular error case. Fixes: 0d01da6afc54 ("bpf: implement getsockopt and setsockopt hooks") Reported-by: Ryota Shiga (Flatt Security) Signed-off-by: Daniel Borkmann Cc: Stanislav Fomichev Cc: Eric Dumazet Acked-by: Marcelo Ricardo Leitner Signed-off-by: Greg Kroah-Hartman commit 52e0b20c8c5751d90ef1f02f9270ac561d37a079 Author: David Howells Date: Tue Jan 12 15:23:51 2021 +0000 rxrpc: Fix handling of an unsupported token type in rxrpc_read() [ Upstream commit d52e419ac8b50c8bef41b398ed13528e75d7ad48 ] Clang static analysis reports the following: net/rxrpc/key.c:657:11: warning: Assigned value is garbage or undefined toksize = toksizes[tok++]; ^ ~~~~~~~~~~~~~~~ rxrpc_read() contains two consecutive loops. The first loop calculates the token sizes and stores the results in toksizes[] and the second one uses the array. When there is an error in identifying the token in the first loop, the token is skipped, no change is made to the toksizes[] array. When the same error happens in the second loop, the token is not skipped. This will cause the toksizes[] array to be out of step and will overrun past the calculated sizes. Fix this by making both loops log a message and return an error in this case. This should only happen if a new token type is incompletely implemented, so it should normally be impossible to trigger this. Fixes: 9a059cd5ca7d ("rxrpc: Downgrade the BUG() for unsupported token type in rxrpc_read()") Reported-by: Tom Rix Signed-off-by: David Howells Reviewed-by: Tom Rix Link: https://lore.kernel.org/r/161046503122.2445787.16714129930607546635.stgit@warthog.procyon.org.uk Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 5c466480d7d4bbf1c9eaade9201febab3adc70b0 Author: Eric Dumazet Date: Wed Jan 13 08:18:19 2021 -0800 net: avoid 32 x truesize under-estimation for tiny skbs [ Upstream commit 3226b158e67cfaa677fd180152bfb28989cb2fac ] Both virtio net and napi_get_frags() allocate skbs with a very small skb->head While using page fragments instead of a kmalloc backed skb->head might give a small performance improvement in some cases, there is a huge risk of under estimating memory usage. For both GOOD_COPY_LEN and GRO_MAX_HEAD, we can fit at least 32 allocations per page (order-3 page in x86), or even 64 on PowerPC We have been tracking OOM issues on GKE hosts hitting tcp_mem limits but consuming far more memory for TCP buffers than instructed in tcp_mem[2] Even if we force napi_alloc_skb() to only use order-0 pages, the issue would still be there on arches with PAGE_SIZE >= 32768 This patch makes sure that small skb head are kmalloc backed, so that other objects in the slab page can be reused instead of being held as long as skbs are sitting in socket queues. Note that we might in the future use the sk_buff napi cache, instead of going through a more expensive __alloc_skb() Another idea would be to use separate page sizes depending on the allocated length (to never have more than 4 frags per page) I would like to thank Greg Thelen for his precious help on this matter, analysing crash dumps is always a time consuming task. Fixes: fd11a83dd363 ("net: Pull out core bits of __netdev_alloc_skb and add __napi_alloc_skb") Signed-off-by: Eric Dumazet Cc: Paolo Abeni Cc: Greg Thelen Reviewed-by: Alexander Duyck Acked-by: Michael S. Tsirkin Link: https://lore.kernel.org/r/20210113161819.1155526-1-eric.dumazet@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit f6499a78e581e6ae71ed73ee57a844ee14b2d387 Author: Jakub Kicinski Date: Wed Jan 13 17:29:47 2021 -0800 net: sit: unregister_netdevice on newlink's error path [ Upstream commit 47e4bb147a96f1c9b4e7691e7e994e53838bfff8 ] We need to unregister the netdevice if config failed. .ndo_uninit takes care of most of the heavy lifting. This was uncovered by recent commit c269a24ce057 ("net: make free_netdev() more lenient with unregistering devices"). Previously the partially-initialized device would be left in the system. Reported-and-tested-by: syzbot+2393580080a2da190f04@syzkaller.appspotmail.com Fixes: e2f1f072db8d ("sit: allow to configure 6rd tunnels via netlink") Acked-by: Nicolas Dichtel Link: https://lore.kernel.org/r/20210114012947.2515313-1-kuba@kernel.org Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit a3870cf8a7a243eadd83a063152049be870a412e Author: David Wu Date: Wed Jan 13 11:41:09 2021 +0800 net: stmmac: Fixed mtu channged by cache aligned [ Upstream commit 5b55299eed78538cc4746e50ee97103a1643249c ] Since the original mtu is not used when the mtu is updated, the mtu is aligned with cache, this will get an incorrect. For example, if you want to configure the mtu to be 1500, but mtu 1536 is configured in fact. Fixed: eaf4fac478077 ("net: stmmac: Do not accept invalid MTU values") Signed-off-by: David Wu Link: https://lore.kernel.org/r/20210113034109.27865-1-david.wu@rock-chips.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit c213d85cae390bdb9f6a6e9f95009ba8dc356fc1 Author: Baptiste Lepers Date: Tue Jan 12 15:59:15 2021 +0000 rxrpc: Call state should be read with READ_ONCE() under some circumstances [ Upstream commit a95d25dd7b94a5ba18246da09b4218f132fed60e ] The call state may be changed at any time by the data-ready routine in response to received packets, so if the call state is to be read and acted upon several times in a function, READ_ONCE() must be used unless the call state lock is held. As it happens, we used READ_ONCE() to read the state a few lines above the unmarked read in rxrpc_input_data(), so use that value rather than re-reading it. Fixes: a158bdd3247b ("rxrpc: Fix call timeouts") Signed-off-by: Baptiste Lepers Signed-off-by: David Howells Link: https://lore.kernel.org/r/161046715522.2450566.488819910256264150.stgit@warthog.procyon.org.uk Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 6d57b582fb35d321ea42fe6a75f7251451a55569 Author: Petr Machata Date: Mon Jan 11 18:07:07 2021 +0100 net: dcb: Accept RTM_GETDCB messages carrying set-like DCB commands [ Upstream commit df85bc140a4d6cbaa78d8e9c35154e1a2f0622c7 ] In commit 826f328e2b7e ("net: dcb: Validate netlink message in DCB handler"), Linux started rejecting RTM_GETDCB netlink messages if they contained a set-like DCB_CMD_ command. The reason was that privileges were only verified for RTM_SETDCB messages, but the value that determined the action to be taken is the command, not the message type. And validation of message type against the DCB command was the obvious missing piece. Unfortunately it turns out that mlnx_qos, a somewhat widely deployed tool for configuration of DCB, accesses the DCB set-like APIs through RTM_GETDCB. Therefore do not bounce the discrepancy between message type and command. Instead, in addition to validating privileges based on the actual message type, validate them also based on the expected message type. This closes the loophole of allowing DCB configuration on non-admin accounts, while maintaining backward compatibility. Fixes: 2f90b8657ec9 ("ixgbe: this patch adds support for DCB to the kernel and ixgbe driver") Fixes: 826f328e2b7e ("net: dcb: Validate netlink message in DCB handler") Signed-off-by: Petr Machata Link: https://lore.kernel.org/r/a3edcfda0825f2aa2591801c5232f2bbf2d8a554.1610384801.git.me@pmachata.org Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit d52f5929d9970f5e22ba38da67ce174a8484b228 Author: Petr Machata Date: Tue Dec 22 22:49:44 2020 +0100 net: dcb: Validate netlink message in DCB handler [ Upstream commit 826f328e2b7e8854dd42ea44e6519cd75018e7b1 ] DCB uses the same handler function for both RTM_GETDCB and RTM_SETDCB messages. dcb_doit() bounces RTM_SETDCB mesasges if the user does not have the CAP_NET_ADMIN capability. However, the operation to be performed is not decided from the DCB message type, but from the DCB command. Thus DCB_CMD_*_GET commands are used for reading DCB objects, the corresponding SET and DEL commands are used for manipulation. The assumption is that set-like commands will be sent via an RTM_SETDCB message, and get-like ones via RTM_GETDCB. However, this assumption is not enforced. It is therefore possible to manipulate DCB objects without CAP_NET_ADMIN capability by sending the corresponding command in an RTM_GETDCB message. That is a bug. Fix it by validating the type of the request message against the type used for the response. Fixes: 2f90b8657ec9 ("ixgbe: this patch adds support for DCB to the kernel and ixgbe driver") Signed-off-by: Petr Machata Link: https://lore.kernel.org/r/a2a9b88418f3a58ef211b718f2970128ef9e3793.1608673640.git.me@pmachata.org Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 814e0477621127badcfbd50c6f5139e9203a2295 Author: Willem de Bruijn Date: Sat Jan 9 17:18:34 2021 -0500 esp: avoid unneeded kmap_atomic call [ Upstream commit 9bd6b629c39e3fa9e14243a6d8820492be1a5b2e ] esp(6)_output_head uses skb_page_frag_refill to allocate a buffer for the esp trailer. It accesses the page with kmap_atomic to handle highmem. But skb_page_frag_refill can return compound pages, of which kmap_atomic only maps the first underlying page. skb_page_frag_refill does not return highmem, because flag __GFP_HIGHMEM is not set. ESP uses it in the same manner as TCP. That also does not call kmap_atomic, but directly uses page_address, in skb_copy_to_page_nocache. Do the same for ESP. This issue has become easier to trigger with recent kmap local debugging feature CONFIG_DEBUG_KMAP_LOCAL_FORCE_MAP. Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible") Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible") Signed-off-by: Willem de Bruijn Acked-by: Steffen Klassert Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 0ff06dd1b9497d37d10dec589938df121997fcd4 Author: Andrey Zhizhikin Date: Fri Jan 8 09:58:39 2021 +0000 rndis_host: set proper input size for OID_GEN_PHYSICAL_MEDIUM request [ Upstream commit e56b3d94d939f52d46209b9e1b6700c5bfff3123 ] MSFT ActiveSync implementation requires that the size of the response for incoming query is to be provided in the request input length. Failure to set the input size proper results in failed request transfer, where the ActiveSync counterpart reports the NDIS_STATUS_INVALID_LENGTH (0xC0010014L) error. Set the input size for OID_GEN_PHYSICAL_MEDIUM query to the expected size of the response in order for the ActiveSync to properly respond to the request. Fixes: 039ee17d1baa ("rndis_host: Add RNDIS physical medium checking into generic_rndis_bind()") Signed-off-by: Andrey Zhizhikin Link: https://lore.kernel.org/r/20210108095839.3335-1-andrey.zhizhikin@leica-geosystems.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit c897c10e4334d46a7286fe5a8d7ba6ac75d9f6b3 Author: Stefan Chulski Date: Sun Jan 10 21:23:02 2021 +0200 net: mvpp2: Remove Pause and Asym_Pause support [ Upstream commit 6f83802a1a06e74eafbdbc9b52c05516d3083d02 ] Packet Processor hardware not connected to MAC flow control unit and cannot support TX flow control. This patch disable flow control support. Fixes: 3f518509dedc ("ethernet: Add new driver for Marvell Armada 375 network unit") Signed-off-by: Stefan Chulski Acked-by: Marcin Wojtas Link: https://lore.kernel.org/r/1610306582-16641-1-git-send-email-stefanc@marvell.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 18c29e175e30419e8760278e08e4d3dcfa1d1ad5 Author: Vadim Pasternak Date: Fri Jan 8 16:52:10 2021 +0200 mlxsw: core: Increase critical threshold for ASIC thermal zone [ Upstream commit b06ca3d5a43ca2dd806f7688a17e8e7e0619a80a ] Increase critical threshold for ASIC thermal zone from 110C to 140C according to the system hardware requirements. All the supported ASICs (Spectrum-1, Spectrum-2, Spectrum-3) could be still operational with ASIC temperature below 140C. With the old critical threshold value system can perform unjustified shutdown. All the systems equipped with the above ASICs implement thermal protection mechanism at firmware level and firmware could decide to perform system thermal shutdown in case the temperature is below 140C. So with the new threshold system will not meltdown, while thermal operating range will be aligned with hardware abilities. Fixes: 41e760841d26 ("mlxsw: core: Replace thermal temperature trips with defines") Fixes: a50c1e35650b ("mlxsw: core: Implement thermal zone") Signed-off-by: Vadim Pasternak Reviewed-by: Jiri Pirko Signed-off-by: Ido Schimmel Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 7680783452ceef2a74f707d48a71fe76ac5cd598 Author: Vadim Pasternak Date: Fri Jan 8 16:52:09 2021 +0200 mlxsw: core: Add validation of transceiver temperature thresholds [ Upstream commit 57726ebe2733891c9f59105eff028735f73d05fb ] Validate thresholds to avoid a single failure due to some transceiver unreliability. Ignore the last readouts in case warning temperature is above alarm temperature, since it can cause unexpected thermal shutdown. Stay with the previous values and refresh threshold within the next iteration. This is a rare scenario, but it was observed at a customer site. Fixes: 6a79507cfe94 ("mlxsw: core: Extend thermal module with per QSFP module thermal zones") Signed-off-by: Vadim Pasternak Reviewed-by: Jiri Pirko Signed-off-by: Ido Schimmel Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit ff6d4e8da7c65c999aca8ea2529e6a3ba6d820b8 Author: Aya Levin Date: Thu Jan 7 15:50:18 2021 +0200 net: ipv6: Validate GSO SKB before finish IPv6 processing [ Upstream commit b210de4f8c97d57de051e805686248ec4c6cfc52 ] There are cases where GSO segment's length exceeds the egress MTU: - Forwarding of a TCP GRO skb, when DF flag is not set. - Forwarding of an skb that arrived on a virtualisation interface (virtio-net/vhost/tap) with TSO/GSO size set by other network stack. - Local GSO skb transmitted on an NETIF_F_TSO tunnel stacked over an interface with a smaller MTU. - Arriving GRO skb (or GSO skb in a virtualised environment) that is bridged to a NETIF_F_TSO tunnel stacked over an interface with an insufficient MTU. If so: - Consume the SKB and its segments. - Issue an ICMP packet with 'Packet Too Big' message containing the MTU, allowing the source host to reduce its Path MTU appropriately. Note: These cases are handled in the same manner in IPv4 output finish. This patch aligns the behavior of IPv6 and the one of IPv4. Fixes: 9e50849054a4 ("netfilter: ipv6: move POSTROUTING invocation before fragmentation") Signed-off-by: Aya Levin Reviewed-by: Tariq Toukan Link: https://lore.kernel.org/r/1610027418-30438-1-git-send-email-ayal@nvidia.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit b41352a93c163afafd29f56bb18fd3c0fef1120c Author: Jason A. Donenfeld Date: Mon Jan 13 18:42:26 2020 -0500 net: skbuff: disambiguate argument and member for skb_list_walk_safe helper commit 5eee7bd7e245914e4e050c413dfe864e31805207 upstream. This worked before, because we made all callers name their next pointer "next". But in trying to be more "drop-in" ready, the silliness here is revealed. This commit fixes the problem by making the macro argument and the member use different names. Signed-off-by: Jason A. Donenfeld Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit aa350dbe3a1ee5e062228f8f5ebd2ffb6e58709c Author: Jason A. Donenfeld Date: Wed Jan 8 16:59:02 2020 -0500 net: introduce skb_list_walk_safe for skb segment walking commit dcfea72e79b0aa7a057c8f6024169d86a1bbc84b upstream. As part of the continual effort to remove direct usage of skb->next and skb->prev, this patch adds a helper for iterating through the singly-linked variant of skb lists, which are used for lists of GSO packet. The name "skb_list_..." has been chosen to match the existing function, "kfree_skb_list, which also operates on these singly-linked lists, and the "..._walk_safe" part is the same idiom as elsewhere in the kernel. This patch removes the helper from wireguard and puts it into linux/skbuff.h, while making it a bit more robust for general usage. In particular, parenthesis are added around the macro argument usage, and it now accounts for trying to iterate through an already-null skb pointer, which will simply run the iteration zero times. This latter enhancement means it can be used to replace both do { ... } while and while (...) open-coded idioms. This should take care of these three possible usages, which match all current methods of iterations. skb_list_walk_safe(segs, skb, next) { ... } skb_list_walk_safe(skb, skb, next) { ... } skb_list_walk_safe(segs, skb, segs) { ... } Gcc appears to generate efficient code for each of these. Signed-off-by: Jason A. Donenfeld Signed-off-by: David S. Miller [ Just the skbuff.h changes for backporting - gregkh] Signed-off-by: Greg Kroah-Hartman commit 760e9fd4f7ab3b310c2a9e6b75bd82e2535b884c Author: Manish Chopra Date: Thu Jan 7 02:15:20 2021 -0800 netxen_nic: fix MSI/MSI-x interrupts [ Upstream commit a2bc221b972db91e4be1970e776e98f16aa87904 ] For all PCI functions on the netxen_nic adapter, interrupt mode (INTx or MSI) configuration is dependent on what has been configured by the PCI function zero in the shared interrupt register, as these adapters do not support mixed mode interrupts among the functions of a given adapter. Logic for setting MSI/MSI-x interrupt mode in the shared interrupt register based on PCI function id zero check is not appropriate for all family of netxen adapters, as for some of the netxen family adapters PCI function zero is not really meant to be probed/loaded in the host but rather just act as a management function on the device, which caused all the other PCI functions on the adapter to always use legacy interrupt (INTx) mode instead of choosing MSI/MSI-x interrupt mode. This patch replaces that check with port number so that for all type of adapters driver attempts for MSI/MSI-x interrupt modes. Fixes: b37eb210c076 ("netxen_nic: Avoid mixed mode interrupts") Signed-off-by: Manish Chopra Signed-off-by: Igor Russkikh Link: https://lore.kernel.org/r/20210107101520.6735-1-manishc@marvell.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 982e763ea3c301599279fdb5f0651865e4bebaf4 Author: Baptiste Lepers Date: Thu Jan 7 16:11:10 2021 +1100 udp: Prevent reuseport_select_sock from reading uninitialized socks [ Upstream commit fd2ddef043592e7de80af53f47fa46fd3573086e ] reuse->socks[] is modified concurrently by reuseport_add_sock. To prevent reading values that have not been fully initialized, only read the array up until the last known safe index instead of incorrectly re-reading the last index of the array. Fixes: acdcecc61285f ("udp: correct reuseport selection with connected sockets") Signed-off-by: Baptiste Lepers Acked-by: Willem de Bruijn Link: https://lore.kernel.org/r/20210107051110.12247-1-baptiste.lepers@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit bd4793843c8505ff7037ad159386603a59a59ca1 Author: Mircea Cirjaliu Date: Tue Jan 19 21:53:18 2021 +0100 bpf: Fix helper bpf_map_peek_elem_proto pointing to wrong callback commit 301a33d51880619d0c5a581b5a48d3a5248fa84b upstream. I assume this was obtained by copy/paste. Point it to bpf_map_peek_elem() instead of bpf_map_pop_elem(). In practice it may have been less likely hit when under JIT given shielded via 84430d4232c3 ("bpf, verifier: avoid retpoline for map push/pop/peek operation"). Fixes: f1a2e44a3aec ("bpf: add queue and stack maps") Signed-off-by: Mircea Cirjaliu Signed-off-by: Daniel Borkmann Cc: Mauricio Vasquez Link: https://lore.kernel.org/bpf/AM7PR02MB6082663DFDCCE8DA7A6DD6B1BBA30@AM7PR02MB6082.eurprd02.prod.outlook.com Signed-off-by: Greg Kroah-Hartman commit 79ce12cfa56a5b5a256b1c92e98a8a3a3425d131 Author: Stanislav Fomichev Date: Tue Jan 12 08:28:29 2021 -0800 bpf: Don't leak memory in bpf getsockopt when optlen == 0 commit 4be34f3d0731b38a1b24566b37fbb39500aaf3a2 upstream. optlen == 0 indicates that the kernel should ignore BPF buffer and use the original one from the user. We, however, forget to free the temporary buffer that we've allocated for BPF. Fixes: d8fe449a9c51 ("bpf: Don't return EINVAL from {get,set}sockopt when optlen > PAGE_SIZE") Reported-by: Martin KaFai Lau Signed-off-by: Stanislav Fomichev Signed-off-by: Daniel Borkmann Acked-by: Martin KaFai Lau Link: https://lore.kernel.org/bpf/20210112162829.775079-1-sdf@google.com Signed-off-by: Greg Kroah-Hartman commit 4aef760c28e8bd1860a27fd78067b4ea77124987 Author: J. Bruce Fields Date: Mon Jan 11 16:01:29 2021 -0500 nfsd4: readdirplus shouldn't return parent of export commit 51b2ee7d006a736a9126e8111d1f24e4fd0afaa6 upstream. If you export a subdirectory of a filesystem, a READDIRPLUS on the root of that export will return the filehandle of the parent with the ".." entry. The filehandle is optional, so let's just not return the filehandle for ".." if we're at the root of an export. Note that once the client learns one filehandle outside of the export, they can trivially access the rest of the export using further lookups. However, it is also not very difficult to guess filehandles outside of the export. So exporting a subdirectory of a filesystem should considered equivalent to providing access to the entire filesystem. To avoid confusion, we recommend only exporting entire filesystems. Reported-by: Youjipeng Signed-off-by: J. Bruce Fields Cc: stable@vger.kernel.org Signed-off-by: Chuck Lever Signed-off-by: Greg Kroah-Hartman commit 9b72d5ba50f1009bc91f02158859a094fc66027b Author: Lukas Wunner Date: Mon Dec 7 09:17:16 2020 +0100 spi: npcm-fiu: Disable clock in probe error path commit 234266a5168bbe8220d263e3aa7aa80cf921c483 upstream If the call to devm_spi_register_master() fails on probe of the NPCM FIU SPI driver, the clock "fiu->clk" is erroneously not unprepared and disabled. Fix it. Fixes: ace55c411b11 ("spi: npcm-fiu: add NPCM FIU controller driver") Signed-off-by: Lukas Wunner Cc: # v5.4+ Cc: Tomer Maimon Link: https://lore.kernel.org/r/9ae62f4e1cfe542bec57ac2743e6fca9f9548f55.1607286887.git.lukas@wunner.de Signed-off-by: Mark Brown Signed-off-by: Sudip Mukherjee Signed-off-by: Greg Kroah-Hartman commit 6ef67f59263e8535741a16c7d9e671c675ab8f92 Author: Qinglang Miao Date: Mon Sep 21 21:11:06 2020 +0800 spi: npcm-fiu: simplify the return expression of npcm_fiu_probe() commit 4c3a14fbc05a09fc369fb68a86cdbf6f441a29f2 upstream Simplify the return expression. Signed-off-by: Qinglang Miao Link: https://lore.kernel.org/r/20200921131106.93228-1-miaoqinglang@huawei.com Signed-off-by: Mark Brown Signed-off-by: Sudip Mukherjee Signed-off-by: Greg Kroah-Hartman commit fa6de8d82d9c94e94d2f163eab2061bb30b15602 Author: YueHaibing Date: Tue Jan 7 09:49:56 2020 +0800 scsi: lpfc: Make lpfc_defer_acc_rsp static commit fdb827e4a3f84cb92e286a821114ac0ad79c8281 upstream. Fix sparse warning: drivers/scsi/lpfc/lpfc_nportdisc.c:344:1: warning: symbol 'lpfc_defer_acc_rsp' was not declared. Should it be static? Link: https://lore.kernel.org/r/20200107014956.41748-1-yuehaibing@huawei.com Reported-by: Hulk Robot Reviewed-by: James Smart Signed-off-by: YueHaibing Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit e82b58aa647107803a176b3932dc9589a1b59198 Author: zhengbin Date: Fri Oct 4 18:04:37 2019 +0800 scsi: lpfc: Make function lpfc_defer_pt2pt_acc static commit f7cb0d0945ebc9879aff72cf7b3342fd1040ffaa upstream. Fix sparse warnings: drivers/scsi/lpfc/lpfc_nportdisc.c:290:1: warning: symbol 'lpfc_defer_pt2pt_acc' was not declared. Should it be static? Link: https://lore.kernel.org/r/1570183477-137273-1-git-send-email-zhengbin13@huawei.com Reported-by: Hulk Robot Signed-off-by: zhengbin Reviewed-by: Dick Kennedy Reviewed-by: James Smart Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 5e6b888285267902f4f14e04febfcc35cb00e42e Author: Arnd Bergmann Date: Fri Dec 11 13:36:46 2020 -0800 elfcore: fix building with clang commit 6e7b64b9dd6d96537d816ea07ec26b7dedd397b9 upstream. kernel/elfcore.c only contains weak symbols, which triggers a bug with clang in combination with recordmcount: Cannot find symbol for section 2: .text. kernel/elfcore.o: failed Move the empty stubs into linux/elfcore.h as inline functions. As only two architectures use these, just use the architecture specific Kconfig symbols to key off the declaration. Link: https://lkml.kernel.org/r/20201204165742.3815221-2-arnd@kernel.org Signed-off-by: Arnd Bergmann Cc: Nathan Chancellor Cc: Nick Desaulniers Cc: Barret Rhoden Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Cc: Jian Cai Signed-off-by: Greg Kroah-Hartman commit ac29c052654f5ccb92e83a06b36811e1afaa72ff Author: Roger Pau Monne Date: Tue Jan 12 12:53:58 2021 +0100 xen/privcmd: allow fetching resource sizes commit ef3a575baf53571dc405ee4028e26f50856898e7 upstream. Allow issuing an IOCTL_PRIVCMD_MMAP_RESOURCE ioctl with num = 0 and addr = 0 in order to fetch the size of a specific resource. Add a shortcut to the default map resource path, since fetching the size requires no address to be passed in, and thus no VMA to setup. This is missing from the initial implementation, and causes issues when mapping resources that don't have fixed or known sizes. Signed-off-by: Roger Pau Monné Reviewed-by: Juergen Gross Tested-by: Andrew Cooper Cc: stable@vger.kernel.org # >= 4.18 Link: https://lore.kernel.org/r/20210112115358.23346-1-roger.pau@citrix.com Signed-off-by: Juergen Gross Signed-off-by: Greg Kroah-Hartman commit dd113b79ee7e837563321f626302a0ba7ee6c683 Author: Will Deacon Date: Tue Jan 12 22:48:32 2021 +0000 compiler.h: Raise minimum version of GCC to 5.1 for arm64 commit dca5244d2f5b94f1809f0c02a549edf41ccd5493 upstream. GCC versions >= 4.9 and < 5.1 have been shown to emit memory references beyond the stack pointer, resulting in memory corruption if an interrupt is taken after the stack pointer has been adjusted but before the reference has been executed. This leads to subtle, infrequent data corruption such as the EXT4 problems reported by Russell King at the link below. Life is too short for buggy compilers, so raise the minimum GCC version required by arm64 to 5.1. Reported-by: Russell King Suggested-by: Arnd Bergmann Signed-off-by: Will Deacon Tested-by: Nathan Chancellor Reviewed-by: Nick Desaulniers Reviewed-by: Nathan Chancellor Acked-by: Linus Torvalds Cc: Cc: Theodore Ts'o Cc: Florian Weimer Cc: Peter Zijlstra Cc: Nick Desaulniers Link: https://lore.kernel.org/r/20210105154726.GD1551@shell.armlinux.org.uk Link: https://lore.kernel.org/r/20210112224832.10980-1-will@kernel.org Signed-off-by: Catalin Marinas [will: backport to 4.19.y/5.4.y] Signed-off-by: Will Deacon Signed-off-by: Greg Kroah-Hartman commit 24cea7d705161cf63f4bf7fbbec6718867c9118e Author: Hamish Martin Date: Fri Sep 11 09:25:12 2020 +1200 usb: ohci: Make distrust_firmware param default to false commit c4005a8f65edc55fb1700dfc5c1c3dc58be80209 upstream. The 'distrust_firmware' module parameter dates from 2004 and the USB subsystem is a lot more mature and reliable now than it was then. Alter the default to false now. Suggested-by: Alan Stern Acked-by: Alan Stern Signed-off-by: Hamish Martin Link: https://lore.kernel.org/r/20200910212512.16670-2-hamish.martin@alliedtelesis.co.nz Signed-off-by: Greg Kroah-Hartman