authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>2024-04-29 13:07:16 +0200
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2024-04-29 13:07:16 +0200
commitf02474429394b562e048299d4fae169e60c0e656 (patch)
treeb00e4534199f58ed8349df39c785ba7bb16a5dc4
parentec2dd3dacf444b8266c1f46b1124775cd6443205 (diff)
downloadstable-queue-f02474429394b562e048299d4fae169e60c0e656.tar.gz
5.10-stable patches
added patches: net-mlx5e-fix-a-race-in-command-alloc-flow.patch tracing-increase-perf_max_trace_size-to-handle-sentinel1-and-docker-together.patch tracing-show-size-of-requested-perf-buffer.patch
-rw-r--r--queue-5.10/net-mlx5e-fix-a-race-in-command-alloc-flow.patch122
-rw-r--r--queue-5.10/series3
-rw-r--r--queue-5.10/tracing-increase-perf_max_trace_size-to-handle-sentinel1-and-docker-together.patch85
-rw-r--r--queue-5.10/tracing-show-size-of-requested-perf-buffer.patch34
4 files changed, 244 insertions, 0 deletions
diff --git a/queue-5.10/net-mlx5e-fix-a-race-in-command-alloc-flow.patch b/queue-5.10/net-mlx5e-fix-a-race-in-command-alloc-flow.patch
new file mode 100644
index 0000000000..845f3008b2
--- /dev/null
+++ b/queue-5.10/net-mlx5e-fix-a-race-in-command-alloc-flow.patch
@@ -0,0 +1,122 @@
+From 8f5100da56b3980276234e812ce98d8f075194cd Mon Sep 17 00:00:00 2001
+From: Shifeng Li <lishifeng@sangfor.com.cn>
+Date: Sat, 2 Dec 2023 00:01:26 -0800
+Subject: net/mlx5e: Fix a race in command alloc flow
+
+From: Shifeng Li <lishifeng@sangfor.com.cn>
+
+commit 8f5100da56b3980276234e812ce98d8f075194cd upstream.
+
+Fix a cmd->ent use after free due to a race on command entry.
+Such race occurs when one of the commands releases its last refcount and
+frees its index and entry while another process running command flush
+flow takes refcount to this command entry. The process which handles
+commands flush may see this command as needed to be flushed if the other
+process allocated a ent->idx but didn't set ent to cmd->ent_arr in
+cmd_work_handler(). Fix it by moving the assignment of cmd->ent_arr into
+the spin lock.
+
+[70013.081955] BUG: KASAN: use-after-free in mlx5_cmd_trigger_completions+0x1e2/0x4c0 [mlx5_core]
+[70013.081967] Write of size 4 at addr ffff88880b1510b4 by task kworker/26:1/1433361
+[70013.081968]
+[70013.082028] Workqueue: events aer_isr
+[70013.082053] Call Trace:
+[70013.082067] dump_stack+0x8b/0xbb
+[70013.082086] print_address_description+0x6a/0x270
+[70013.082102] kasan_report+0x179/0x2c0
+[70013.082173] mlx5_cmd_trigger_completions+0x1e2/0x4c0 [mlx5_core]
+[70013.082267] mlx5_cmd_flush+0x80/0x180 [mlx5_core]
+[70013.082304] mlx5_enter_error_state+0x106/0x1d0 [mlx5_core]
+[70013.082338] mlx5_try_fast_unload+0x2ea/0x4d0 [mlx5_core]
+[70013.082377] remove_one+0x200/0x2b0 [mlx5_core]
+[70013.082409] pci_device_remove+0xf3/0x280
+[70013.082439] device_release_driver_internal+0x1c3/0x470
+[70013.082453] pci_stop_bus_device+0x109/0x160
+[70013.082468] pci_stop_and_remove_bus_device+0xe/0x20
+[70013.082485] pcie_do_fatal_recovery+0x167/0x550
+[70013.082493] aer_isr+0x7d2/0x960
+[70013.082543] process_one_work+0x65f/0x12d0
+[70013.082556] worker_thread+0x87/0xb50
+[70013.082571] kthread+0x2e9/0x3a0
+[70013.082592] ret_from_fork+0x1f/0x40
+
+The logical relationship of this error is as follows:
+
+ aer_recover_work | ent->work
+-------------------------------------------+------------------------------
+aer_recover_work_func |
+|- pcie_do_recovery |
+ |- report_error_detected |
+ |- mlx5_pci_err_detected |cmd_work_handler
+ |- mlx5_enter_error_state | |- cmd_alloc_index
+ |- enter_error_state | |- lock cmd->alloc_lock
+ |- mlx5_cmd_flush | |- clear_bit
+ |- mlx5_cmd_trigger_completions| |- unlock cmd->alloc_lock
+ |- lock cmd->alloc_lock |
+ |- vector = ~dev->cmd.vars.bitmask
+ |- for_each_set_bit |
+ |- cmd_ent_get(cmd->ent_arr[i]) (UAF)
+ |- unlock cmd->alloc_lock | |- cmd->ent_arr[ent->idx]=ent
+
+The cmd->ent_arr[ent->idx] assignment and the bit clearing are not
+protected by the cmd->alloc_lock in cmd_work_handler().
+
+Fixes: 50b2412b7e78 ("net/mlx5: Avoid possible free of command entry while timeout comp handler")
+Reviewed-by: Moshe Shemesh <moshe@nvidia.com>
+Signed-off-by: Shifeng Li <lishifeng@sangfor.com.cn>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+@@ -114,15 +114,18 @@ static u8 alloc_token(struct mlx5_cmd *c
+ return token;
+ }
+
+-static int cmd_alloc_index(struct mlx5_cmd *cmd)
++static int cmd_alloc_index(struct mlx5_cmd *cmd, struct mlx5_cmd_work_ent *ent)
+ {
+ unsigned long flags;
+ int ret;
+
+ spin_lock_irqsave(&cmd->alloc_lock, flags);
+ ret = find_first_bit(&cmd->bitmask, cmd->max_reg_cmds);
+- if (ret < cmd->max_reg_cmds)
++ if (ret < cmd->max_reg_cmds) {
+ clear_bit(ret, &cmd->bitmask);
++ ent->idx = ret;
++ cmd->ent_arr[ent->idx] = ent;
++ }
+ spin_unlock_irqrestore(&cmd->alloc_lock, flags);
+
+ return ret < cmd->max_reg_cmds ? ret : -ENOMEM;
+@@ -912,7 +915,7 @@ static void cmd_work_handler(struct work
+ sem = ent->page_queue ? &cmd->pages_sem : &cmd->sem;
+ down(sem);
+ if (!ent->page_queue) {
+- alloc_ret = cmd_alloc_index(cmd);
++ alloc_ret = cmd_alloc_index(cmd, ent);
+ if (alloc_ret < 0) {
+ mlx5_core_err_rl(dev, "failed to allocate command entry\n");
+ if (ent->callback) {
+@@ -927,15 +930,14 @@ static void cmd_work_handler(struct work
+ up(sem);
+ return;
+ }
+- ent->idx = alloc_ret;
+ } else {
+ ent->idx = cmd->max_reg_cmds;
+ spin_lock_irqsave(&cmd->alloc_lock, flags);
+ clear_bit(ent->idx, &cmd->bitmask);
++ cmd->ent_arr[ent->idx] = ent;
+ spin_unlock_irqrestore(&cmd->alloc_lock, flags);
+ }
+
+- cmd->ent_arr[ent->idx] = ent;
+ lay = get_inst(cmd, ent->idx);
+ ent->lay = lay;
+ memset(lay, 0, sizeof(*lay));
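Review bot: `cmd_alloc_index()` now does more than return an index: it also sets `ent->idx` and publishes `ent` into `cmd->ent_arr[]`, and nothing in the new code states the invariant the fix depends on. I would add a comment above it, for example `/* Claim a free slot and publish ent in cmd->ent_arr[] under alloc_lock, so a cleared bitmask bit always has a valid entry behind it. */`. Per the commit message, the flush path walks `~bitmask` and takes a reference on `cmd->ent_arr[i]` under the same lock. The release side is not visible in this patch, so on the 5.10 tree it is worth confirming that it also sets the bit and retires the slot while holding `alloc_lock`. `cmd_work_handler()` starts and ends outside the nested hunks, so the remaining readers of `ent->idx` there cannot be checked from this page.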
diff --git a/queue-5.10/series b/queue-5.10/series
index 7a9cc83fed..8cdd2fcab2 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -107,3 +107,6 @@ af_unix-suppress-false-positive-lockdep-splat-for-sp.patch
serial-core-provide-port-lock-wrappers.patch
serial-mxs-auart-add-spinlock-around-changing-cts-st.patch
revert-crypto-api-disallow-identical-driver-names.patch
+net-mlx5e-fix-a-race-in-command-alloc-flow.patch
+tracing-show-size-of-requested-perf-buffer.patch
+tracing-increase-perf_max_trace_size-to-handle-sentinel1-and-docker-together.patch
diff --git a/queue-5.10/tracing-increase-perf_max_trace_size-to-handle-sentinel1-and-docker-together.patch b/queue-5.10/tracing-increase-perf_max_trace_size-to-handle-sentinel1-and-docker-together.patch
new file mode 100644
index 0000000000..50d821c58b
--- /dev/null
+++ b/queue-5.10/tracing-increase-perf_max_trace_size-to-handle-sentinel1-and-docker-together.patch
@@ -0,0 +1,85 @@
+From e531e90b5ab0f7ce5ff298e165214c1aec6ed187 Mon Sep 17 00:00:00 2001
+From: "Robin H. Johnson" <robbat2@gentoo.org>
+Date: Mon, 30 Aug 2021 21:37:23 -0700
+Subject: tracing: Increase PERF_MAX_TRACE_SIZE to handle Sentinel1 and docker together
+
+From: Robin H. Johnson <robbat2@gentoo.org>
+
+commit e531e90b5ab0f7ce5ff298e165214c1aec6ed187 upstream.
+
+Running endpoint security solutions like Sentinel1 that use perf-based
+tracing heavily lead to this repeated dump complaining about dockerd.
+The default value of 2048 is nowhere near not large enough.
+
+Using the prior patch "tracing: show size of requested buffer", we get
+"perf buffer not large enough, wanted 6644, have 6144", after repeated
+up-sizing (I did 2/4/6/8K). With 8K, the problem doesn't occur at all,
+so below is the trace for 6K.
+
+I'm wondering if this value should be selectable at boot time, but this
+is a good starting point.
+
+```
+------------[ cut here ]------------
+perf buffer not large enough, wanted 6644, have 6144
+WARNING: CPU: 1 PID: 4997 at kernel/trace/trace_event_perf.c:402 perf_trace_buf_alloc+0x8c/0xa0
+Modules linked in: [..]
+CPU: 1 PID: 4997 Comm: sh Tainted: G T 5.13.13-x86_64-00039-gb3959163488e #63
+Hardware name: LENOVO 20KH002JUS/20KH002JUS, BIOS N23ET66W (1.41 ) 09/02/2019
+RIP: 0010:perf_trace_buf_alloc+0x8c/0xa0
+Code: 80 3d 43 97 d0 01 00 74 07 31 c0 5b 5d 41 5c c3 ba 00 18 00 00 89 ee 48 c7 c7 00 82 7d 91 c6 05 25 97 d0 01 01 e8 22 ee bc 00 <0f> 0b 31 c0 eb db 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 55 89
+RSP: 0018:ffffb922026b7d58 EFLAGS: 00010282
+RAX: 0000000000000000 RBX: ffff9da5ee012000 RCX: 0000000000000027
+RDX: ffff9da881657828 RSI: 0000000000000001 RDI: ffff9da881657820
+RBP: 00000000000019f4 R08: 0000000000000000 R09: ffffb922026b7b80
+R10: ffffb922026b7b78 R11: ffffffff91dda688 R12: 000000000000000f
+R13: ffff9da5ee012108 R14: ffff9da8816570a0 R15: ffffb922026b7e30
+FS: 00007f420db1a080(0000) GS:ffff9da881640000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000000000060 CR3: 00000002504a8006 CR4: 00000000003706e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ kprobe_perf_func+0x11e/0x270
+ ? do_execveat_common.isra.0+0x1/0x1c0
+ ? do_execveat_common.isra.0+0x5/0x1c0
+ kprobe_ftrace_handler+0x10e/0x1d0
+ 0xffffffffc03aa0c8
+ ? do_execveat_common.isra.0+0x1/0x1c0
+ do_execveat_common.isra.0+0x5/0x1c0
+ __x64_sys_execve+0x33/0x40
+ do_syscall_64+0x6b/0xc0
+ ? do_syscall_64+0x11/0xc0
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+RIP: 0033:0x7f420dc1db37
+Code: ff ff 76 e7 f7 d8 64 41 89 00 eb df 0f 1f 80 00 00 00 00 f7 d8 64 41 89 00 eb dc 0f 1f 84 00 00 00 00 00 b8 3b 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 01 43 0f 00 f7 d8 64 89 01 48
+RSP: 002b:00007ffd4e8b4e38 EFLAGS: 00000246 ORIG_RAX: 000000000000003b
+RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f420dc1db37
+RDX: 0000564338d1e740 RSI: 0000564338d32d50 RDI: 0000564338d28f00
+RBP: 0000564338d28f00 R08: 0000564338d32d50 R09: 0000000000000020
+R10: 00000000000001b6 R11: 0000000000000246 R12: 0000564338d28f00
+R13: 0000564338d32d50 R14: 0000564338d1e740 R15: 0000564338d28c60
+---[ end trace 83ab3e8e16275e49 ]---
+```
+
+Link: https://lkml.kernel.org/r/20210831043723.13481-2-robbat2@gentoo.org
+
+Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/trace_events.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/trace_events.h
++++ b/include/linux/trace_events.h
+@@ -577,7 +577,7 @@ struct trace_event_file {
+ } \
+ early_initcall(trace_init_perf_perm_##name);
+
+-#define PERF_MAX_TRACE_SIZE 2048
++#define PERF_MAX_TRACE_SIZE 8192
+
+ #define MAX_FILTER_STR_VAL 256U /* Should handle KSYM_SYMBOL_LEN */
+
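Review bot: The new `#define PERF_MAX_TRACE_SIZE 8192` is an uncommented constant, and the commit message shows it was chosen by trial (6144 still failed with 6644 wanted) rather than derived from a bound. A short comment would record that, for example `/* Largest single perf trace record; bigger requests are rejected in perf_trace_buf_alloc(). Sized empirically. */`. If this constant also sizes the per-CPU perf trace buffers, which is not visible in this hunk, the 4x increase is a per-CPU memory cost the backport should note. The author's own question about making it boot-time selectable remains open.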
diff --git a/queue-5.10/tracing-show-size-of-requested-perf-buffer.patch b/queue-5.10/tracing-show-size-of-requested-perf-buffer.patch
new file mode 100644
index 0000000000..0c6a736e71
--- /dev/null
+++ b/queue-5.10/tracing-show-size-of-requested-perf-buffer.patch
@@ -0,0 +1,34 @@
+From a90afe8d020da9298c98fddb19b7a6372e2feb45 Mon Sep 17 00:00:00 2001
+From: "Robin H. Johnson" <robbat2@gentoo.org>
+Date: Mon, 30 Aug 2021 21:37:22 -0700
+Subject: tracing: Show size of requested perf buffer
+
+From: Robin H. Johnson <robbat2@gentoo.org>
+
+commit a90afe8d020da9298c98fddb19b7a6372e2feb45 upstream.
+
+If the perf buffer isn't large enough, provide a hint about how large it
+needs to be for whatever is running.
+
+Link: https://lkml.kernel.org/r/20210831043723.13481-1-robbat2@gentoo.org
+
+Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+---
+ kernel/trace/trace_event_perf.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/kernel/trace/trace_event_perf.c
++++ b/kernel/trace/trace_event_perf.c
+@@ -400,7 +400,8 @@ void *perf_trace_buf_alloc(int size, str
+ BUILD_BUG_ON(PERF_MAX_TRACE_SIZE % sizeof(unsigned long));
+
+ if (WARN_ONCE(size > PERF_MAX_TRACE_SIZE,
+- "perf buffer not large enough"))
++ "perf buffer not large enough, wanted %d, have %d",
++ size, PERF_MAX_TRACE_SIZE))
+ return NULL;
+
+ *rctxp = rctx = perf_swevent_get_recursion_context();
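Review bot: Because the size hint is printed through `WARN_ONCE`, only the first oversized request is ever reported; later, possibly larger, requests take the `return NULL` path with no message. An operator who sizes the buffer from the reported "wanted" value can therefore still lose events, and perf-based monitoring gets no further signal about the drops. The companion patch's 2/4/6/8K trial sequence shows this in practice. I would at least document it next to the check, for example `/* Fires once only: the reported size is the first offender, not the maximum; later oversized records are dropped silently. */`. A rate-limited `pr_warn` or a drop counter would give continuing visibility without a full WARN splat for a workload-dependent condition. `perf_trace_buf_alloc()` begins and ends outside this hunk.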