Fixes for 5.4

Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/queue-5.4/alsa-usb-audio-fix-undefined-behavior-due-to-shift-o.patch b/queue-5.4/alsa-usb-audio-fix-undefined-behavior-due-to-shift-o.patch
new file mode 100644 (file)
index 0000000..292e684
--- /dev/null
+++ b/queue-5.4/alsa-usb-audio-fix-undefined-behavior-due-to-shift-o.patch
@@ -0,0 +1,49 @@
+From 03e227b306be080bd1fe2639fb9e7964d1154e12 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Apr 2022 17:15:08 +0200
+Subject: ALSA: usb-audio: Fix undefined behavior due to shift overflowing the
+ constant
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Borislav Petkov <bp@suse.de>
+
+[ Upstream commit 1ef8715975de8bd481abbd0839ed4f49d9e5b0ff ]
+
+Fix:
+
+  sound/usb/midi.c: In function ‘snd_usbmidi_out_endpoint_create’:
+  sound/usb/midi.c:1389:2: error: case label does not reduce to an integer constant
+    case USB_ID(0xfc08, 0x0101): /* Unknown vendor Cable */
+    ^~~~
+
+See https://lore.kernel.org/r/YkwQ6%2BtIH8GQpuct@zn.tnic for the gory
+details as to why it triggers with older gccs only.
+
+[ A slight correction with parentheses around the argument by tiwai ]
+
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Link: https://lore.kernel.org/r/20220405151517.29753-3-bp@alien8.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/usb/usbaudio.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/usb/usbaudio.h b/sound/usb/usbaudio.h
+index ff97fdcf63bd..b1959e04cbb1 100644
+--- a/sound/usb/usbaudio.h
++++ b/sound/usb/usbaudio.h
+@@ -8,7 +8,7 @@
+  */
+ 
+ /* handling of USB vendor/product ID pairs as 32-bit numbers */
+-#define USB_ID(vendor, product) (((vendor) << 16) | (product))
++#define USB_ID(vendor, product) (((unsigned int)(vendor) << 16) | (product))
+ #define USB_ID_VENDOR(id) ((id) >> 16)
+ #define USB_ID_PRODUCT(id) ((u16)(id))
+ 
+-- 
+2.35.1
+

diff --git a/queue-5.4/arm-vexpress-spc-avoid-negative-array-index-when-smp.patch b/queue-5.4/arm-vexpress-spc-avoid-negative-array-index-when-smp.patch
new file mode 100644 (file)
index 0000000..751f8ba
--- /dev/null
+++ b/queue-5.4/arm-vexpress-spc-avoid-negative-array-index-when-smp.patch
@@ -0,0 +1,58 @@
+From f133a9aa014b5fe586847aacf91a624ec0fe2db9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 31 Mar 2022 12:04:43 -0700
+Subject: ARM: vexpress/spc: Avoid negative array index when !SMP
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit b3f1dd52c991d79118f35e6d1bf4d7cb09882e38 ]
+
+When building multi_v7_defconfig+CONFIG_SMP=n, -Warray-bounds exposes
+a couple negative array index accesses:
+
+arch/arm/mach-vexpress/spc.c: In function 've_spc_clk_init':
+arch/arm/mach-vexpress/spc.c:583:21: warning: array subscript -1 is below array bounds of 'bool[2]' {aka '_Bool[2]'} [-Warray-bounds]
+  583 |   if (init_opp_table[cluster])
+      |       ~~~~~~~~~~~~~~^~~~~~~~~
+arch/arm/mach-vexpress/spc.c:556:7: note: while referencing 'init_opp_table'
+  556 |  bool init_opp_table[MAX_CLUSTERS] = { false };
+      |       ^~~~~~~~~~~~~~
+arch/arm/mach-vexpress/spc.c:592:18: warning: array subscript -1 is below array bounds of 'bool[2]' {aka '_Bool[2]'} [-Warray-bounds]
+  592 |    init_opp_table[cluster] = true;
+      |    ~~~~~~~~~~~~~~^~~~~~~~~
+arch/arm/mach-vexpress/spc.c:556:7: note: while referencing 'init_opp_table'
+  556 |  bool init_opp_table[MAX_CLUSTERS] = { false };
+      |       ^~~~~~~~~~~~~~
+
+Skip this logic when built !SMP.
+
+Link: https://lore.kernel.org/r/20220331190443.851661-1-keescook@chromium.org
+Cc: Liviu Dudau <liviu.dudau@arm.com>
+Cc: Sudeep Holla <sudeep.holla@arm.com>
+Cc: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Cc: Russell King <linux@armlinux.org.uk>
+Cc: linux-arm-kernel@lists.infradead.org
+Acked-by: Liviu Dudau <liviu.dudau@arm.com>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-vexpress/spc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/mach-vexpress/spc.c b/arch/arm/mach-vexpress/spc.c
+index 1da11bdb1dfb..1c6500c4e6a1 100644
+--- a/arch/arm/mach-vexpress/spc.c
++++ b/arch/arm/mach-vexpress/spc.c
+@@ -580,7 +580,7 @@ static int __init ve_spc_clk_init(void)
+               }
+ 
+               cluster = topology_physical_package_id(cpu_dev->id);
+-              if (init_opp_table[cluster])
++              if (cluster < 0 || init_opp_table[cluster])
+                       continue;
+ 
+               if (ve_init_opp_table(cpu_dev))
+-- 
+2.35.1
+

diff --git a/queue-5.4/asoc-atmel-remove-system-clock-tree-configuration-fo.patch b/queue-5.4/asoc-atmel-remove-system-clock-tree-configuration-fo.patch
new file mode 100644 (file)
index 0000000..fd2d9ae
--- /dev/null
+++ b/queue-5.4/asoc-atmel-remove-system-clock-tree-configuration-fo.patch
@@ -0,0 +1,142 @@
+From 620fa8f590ecad76bfd997faaaa771e237fe37f3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Mar 2022 15:42:39 +0000
+Subject: ASoC: atmel: Remove system clock tree configuration for at91sam9g20ek
+
+From: Mark Brown <broonie@kernel.org>
+
+[ Upstream commit c775cbf62ed4911e4f0f23880f01815753123690 ]
+
+The MCLK of the WM8731 on the AT91SAM9G20-EK board is connected to the
+PCK0 output of the SoC, intended in the reference software to be supplied
+using PLLB and programmed to 12MHz. As originally written for use with a
+board file the audio driver was responsible for configuring the entire tree
+but in the conversion to the common clock framework the registration of
+the named pck0 and pllb clocks was removed so the driver has failed to
+instantiate ever since.
+
+Since the WM8731 driver has had support for managing a MCLK provided via
+the common clock framework for some time we can simply drop all the clock
+management code from the machine driver other than configuration of the
+sysclk rate, the CODEC driver still respects that configuration from the
+machine driver.
+
+Fixes: ff78a189b0ae55f ("ARM: at91: remove old at91-specific clock driver")
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Reviewed-by: Codrin Ciubotariu <codrin.ciubotariu@microchip.com>
+Link: https://lore.kernel.org/r/20220325154241.1600757-2-broonie@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/atmel/sam9g20_wm8731.c | 61 --------------------------------
+ 1 file changed, 61 deletions(-)
+
+diff --git a/sound/soc/atmel/sam9g20_wm8731.c b/sound/soc/atmel/sam9g20_wm8731.c
+index 05277a88e20d..d1579896f3a1 100644
+--- a/sound/soc/atmel/sam9g20_wm8731.c
++++ b/sound/soc/atmel/sam9g20_wm8731.c
+@@ -46,35 +46,6 @@
+  */
+ #undef ENABLE_MIC_INPUT
+ 
+-static struct clk *mclk;
+-
+-static int at91sam9g20ek_set_bias_level(struct snd_soc_card *card,
+-                                      struct snd_soc_dapm_context *dapm,
+-                                      enum snd_soc_bias_level level)
+-{
+-      static int mclk_on;
+-      int ret = 0;
+-
+-      switch (level) {
+-      case SND_SOC_BIAS_ON:
+-      case SND_SOC_BIAS_PREPARE:
+-              if (!mclk_on)
+-                      ret = clk_enable(mclk);
+-              if (ret == 0)
+-                      mclk_on = 1;
+-              break;
+-
+-      case SND_SOC_BIAS_OFF:
+-      case SND_SOC_BIAS_STANDBY:
+-              if (mclk_on)
+-                      clk_disable(mclk);
+-              mclk_on = 0;
+-              break;
+-      }
+-
+-      return ret;
+-}
+-
+ static const struct snd_soc_dapm_widget at91sam9g20ek_dapm_widgets[] = {
+       SND_SOC_DAPM_MIC("Int Mic", NULL),
+       SND_SOC_DAPM_SPK("Ext Spk", NULL),
+@@ -135,7 +106,6 @@ static struct snd_soc_card snd_soc_at91sam9g20ek = {
+       .owner = THIS_MODULE,
+       .dai_link = &at91sam9g20ek_dai,
+       .num_links = 1,
+-      .set_bias_level = at91sam9g20ek_set_bias_level,
+ 
+       .dapm_widgets = at91sam9g20ek_dapm_widgets,
+       .num_dapm_widgets = ARRAY_SIZE(at91sam9g20ek_dapm_widgets),
+@@ -148,7 +118,6 @@ static int at91sam9g20ek_audio_probe(struct platform_device *pdev)
+ {
+       struct device_node *np = pdev->dev.of_node;
+       struct device_node *codec_np, *cpu_np;
+-      struct clk *pllb;
+       struct snd_soc_card *card = &snd_soc_at91sam9g20ek;
+       int ret;
+ 
+@@ -162,31 +131,6 @@ static int at91sam9g20ek_audio_probe(struct platform_device *pdev)
+               return -EINVAL;
+       }
+ 
+-      /*
+-       * Codec MCLK is supplied by PCK0 - set it up.
+-       */
+-      mclk = clk_get(NULL, "pck0");
+-      if (IS_ERR(mclk)) {
+-              dev_err(&pdev->dev, "Failed to get MCLK\n");
+-              ret = PTR_ERR(mclk);
+-              goto err;
+-      }
+-
+-      pllb = clk_get(NULL, "pllb");
+-      if (IS_ERR(pllb)) {
+-              dev_err(&pdev->dev, "Failed to get PLLB\n");
+-              ret = PTR_ERR(pllb);
+-              goto err_mclk;
+-      }
+-      ret = clk_set_parent(mclk, pllb);
+-      clk_put(pllb);
+-      if (ret != 0) {
+-              dev_err(&pdev->dev, "Failed to set MCLK parent\n");
+-              goto err_mclk;
+-      }
+-
+-      clk_set_rate(mclk, MCLK_RATE);
+-
+       card->dev = &pdev->dev;
+ 
+       /* Parse device node info */
+@@ -230,9 +174,6 @@ static int at91sam9g20ek_audio_probe(struct platform_device *pdev)
+ 
+       return ret;
+ 
+-err_mclk:
+-      clk_put(mclk);
+-      mclk = NULL;
+ err:
+       atmel_ssc_put_audio(0);
+       return ret;
+@@ -242,8 +183,6 @@ static int at91sam9g20ek_audio_remove(struct platform_device *pdev)
+ {
+       struct snd_soc_card *card = platform_get_drvdata(pdev);
+ 
+-      clk_disable(mclk);
+-      mclk = NULL;
+       snd_soc_unregister_card(card);
+       atmel_ssc_put_audio(0);
+ 
+-- 
+2.35.1
+

diff --git a/queue-5.4/asoc-msm8916-wcd-digital-check-failure-for-devm_snd_.patch b/queue-5.4/asoc-msm8916-wcd-digital-check-failure-for-devm_snd_.patch
new file mode 100644 (file)
index 0000000..d98a273
--- /dev/null
+++ b/queue-5.4/asoc-msm8916-wcd-digital-check-failure-for-devm_snd_.patch
@@ -0,0 +1,47 @@
+From 029a8bcceb5fb8d7e00308027ad35e3d9c0f828b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 3 Apr 2022 11:52:39 +0000
+Subject: ASoC: msm8916-wcd-digital: Check failure for
+ devm_snd_soc_register_component
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+[ Upstream commit e927b05f3cc20de87f6b7d912a5bbe556931caca ]
+
+devm_snd_soc_register_component() may fails, we should check the error
+and do the corresponding error handling.
+
+Fixes: 150db8c5afa1 ("ASoC: codecs: Add msm8916-wcd digital codec")
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Link: https://lore.kernel.org/r/20220403115239.30140-1-linmq006@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/msm8916-wcd-digital.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/codecs/msm8916-wcd-digital.c b/sound/soc/codecs/msm8916-wcd-digital.c
+index d5269ab5f91c..e4cde214b7b2 100644
+--- a/sound/soc/codecs/msm8916-wcd-digital.c
++++ b/sound/soc/codecs/msm8916-wcd-digital.c
+@@ -1206,9 +1206,16 @@ static int msm8916_wcd_digital_probe(struct platform_device *pdev)
+ 
+       dev_set_drvdata(dev, priv);
+ 
+-      return devm_snd_soc_register_component(dev, &msm8916_wcd_digital,
++      ret = devm_snd_soc_register_component(dev, &msm8916_wcd_digital,
+                                     msm8916_wcd_digital_dai,
+                                     ARRAY_SIZE(msm8916_wcd_digital_dai));
++      if (ret)
++              goto err_mclk;
++
++      return 0;
++
++err_mclk:
++      clk_disable_unprepare(priv->mclk);
+ err_clk:
+       clk_disable_unprepare(priv->ahbclk);
+       return ret;
+-- 
+2.35.1
+

diff --git a/queue-5.4/brcmfmac-sdio-fix-undefined-behavior-due-to-shift-ov.patch b/queue-5.4/brcmfmac-sdio-fix-undefined-behavior-due-to-shift-ov.patch
new file mode 100644 (file)
index 0000000..c049fc9
--- /dev/null
+++ b/queue-5.4/brcmfmac-sdio-fix-undefined-behavior-due-to-shift-ov.patch
@@ -0,0 +1,59 @@
+From ef66959b3a894624908e47f5d1e0d48a5a939f82 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Apr 2022 18:55:37 +0200
+Subject: brcmfmac: sdio: Fix undefined behavior due to shift overflowing the
+ constant
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Borislav Petkov <bp@alien8.de>
+
+[ Upstream commit 6fb3a5868b2117611f41e421e10e6a8c2a13039a ]
+
+Fix:
+
+  drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c: In function ‘brcmf_sdio_drivestrengthinit’:
+  drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c:3798:2: error: case label does not reduce to an integer constant
+    case SDIOD_DRVSTR_KEY(BRCM_CC_43143_CHIP_ID, 17):
+    ^~~~
+  drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c:3809:2: error: case label does not reduce to an integer constant
+    case SDIOD_DRVSTR_KEY(BRCM_CC_43362_CHIP_ID, 13):
+    ^~~~
+
+See https://lore.kernel.org/r/YkwQ6%2BtIH8GQpuct@zn.tnic for the gory
+details as to why it triggers with older gccs only.
+
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: Arend van Spriel <aspriel@gmail.com>
+Cc: Franky Lin <franky.lin@broadcom.com>
+Cc: Hante Meuleman <hante.meuleman@broadcom.com>
+Cc: Kalle Valo <kvalo@kernel.org>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Jakub Kicinski <kuba@kernel.org>
+Cc: brcm80211-dev-list.pdl@broadcom.com
+Cc: netdev@vger.kernel.org
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/Ykx0iRlvtBnKqtbG@zn.tnic
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+index ef5521b9b357..ddc999670484 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+@@ -550,7 +550,7 @@ enum brcmf_sdio_frmtype {
+       BRCMF_SDIO_FT_SUB,
+ };
+ 
+-#define SDIOD_DRVSTR_KEY(chip, pmu)     (((chip) << 16) | (pmu))
++#define SDIOD_DRVSTR_KEY(chip, pmu)     (((unsigned int)(chip) << 16) | (pmu))
+ 
+ /* SDIO Pad drive strength to select value mappings */
+ struct sdiod_drive_str {
+-- 
+2.35.1
+

diff --git a/queue-5.4/cifs-check-the-iocb_direct-flag-not-o_direct.patch b/queue-5.4/cifs-check-the-iocb_direct-flag-not-o_direct.patch
new file mode 100644 (file)
index 0000000..f08d1cf
--- /dev/null
+++ b/queue-5.4/cifs-check-the-iocb_direct-flag-not-o_direct.patch
@@ -0,0 +1,39 @@
+From c4ce05d539154039373cbab5e090169e3a25ce39 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Apr 2022 00:03:14 +0100
+Subject: cifs: Check the IOCB_DIRECT flag, not O_DIRECT
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 994fd530a512597ffcd713b0f6d5bc916c5698f0 ]
+
+Use the IOCB_DIRECT indicator flag on the I/O context rather than checking to
+see if the file was opened O_DIRECT.
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+cc: Steve French <sfrench@samba.org>
+cc: Shyam Prasad N <nspmangalore@gmail.com>
+cc: Rohith Surabattula <rohiths.msft@gmail.com>
+cc: linux-cifs@vger.kernel.org
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/cifsfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c
+index f44b6f9d0777..79a18692b84c 100644
+--- a/fs/cifs/cifsfs.c
++++ b/fs/cifs/cifsfs.c
+@@ -889,7 +889,7 @@ cifs_loose_read_iter(struct kiocb *iocb, struct iov_iter *iter)
+       ssize_t rc;
+       struct inode *inode = file_inode(iocb->ki_filp);
+ 
+-      if (iocb->ki_filp->f_flags & O_DIRECT)
++      if (iocb->ki_flags & IOCB_DIRECT)
+               return cifs_user_readv(iocb, iter);
+ 
+       rc = cifs_revalidate_mapping(inode);
+-- 
+2.35.1
+

diff --git a/queue-5.4/dmaengine-imx-sdma-fix-error-checking-in-sdma_event_.patch b/queue-5.4/dmaengine-imx-sdma-fix-error-checking-in-sdma_event_.patch
new file mode 100644 (file)
index 0000000..44c7db3
--- /dev/null
+++ b/queue-5.4/dmaengine-imx-sdma-fix-error-checking-in-sdma_event_.patch
@@ -0,0 +1,46 @@
+From 25f96ee8224f2d0cec56ccf9b127a40e769e8b8f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Mar 2022 06:49:51 +0000
+Subject: dmaengine: imx-sdma: Fix error checking in sdma_event_remap
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+[ Upstream commit 7104b9cb35a33ad803a1adbbfa50569b008faf15 ]
+
+of_parse_phandle() returns NULL on errors, rather than error
+pointers. Using NULL check on grp_np to fix this.
+
+Fixes: d078cd1b4185 ("dmaengine: imx-sdma: Add imx6sx platform support")
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Link: https://lore.kernel.org/r/20220308064952.15743-1-linmq006@gmail.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/imx-sdma.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/dma/imx-sdma.c b/drivers/dma/imx-sdma.c
+index cc70da05db4b..801bef83df2a 100644
+--- a/drivers/dma/imx-sdma.c
++++ b/drivers/dma/imx-sdma.c
+@@ -1784,7 +1784,7 @@ static int sdma_event_remap(struct sdma_engine *sdma)
+       u32 reg, val, shift, num_map, i;
+       int ret = 0;
+ 
+-      if (IS_ERR(np) || IS_ERR(gpr_np))
++      if (IS_ERR(np) || !gpr_np)
+               goto out;
+ 
+       event_remap = of_find_property(np, propname, NULL);
+@@ -1832,7 +1832,7 @@ static int sdma_event_remap(struct sdma_engine *sdma)
+       }
+ 
+ out:
+-      if (!IS_ERR(gpr_np))
++      if (gpr_np)
+               of_node_put(gpr_np);
+ 
+       return ret;
+-- 
+2.35.1
+

diff --git a/queue-5.4/dmaengine-mediatek-fix-pm-usage-reference-leak-of-mt.patch b/queue-5.4/dmaengine-mediatek-fix-pm-usage-reference-leak-of-mt.patch
new file mode 100644 (file)
index 0000000..aad4b84
--- /dev/null
+++ b/queue-5.4/dmaengine-mediatek-fix-pm-usage-reference-leak-of-mt.patch
@@ -0,0 +1,66 @@
+From 05ee66bb789cd990a807b5dc45fcf22af8aca4df Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 19 Mar 2022 10:21:42 +0800
+Subject: dmaengine: mediatek:Fix PM usage reference leak of
+ mtk_uart_apdma_alloc_chan_resources
+
+From: zhangqilong <zhangqilong3@huawei.com>
+
+[ Upstream commit 545b2baac89b859180e51215468c05d85ea8465a ]
+
+pm_runtime_get_sync will increment pm usage counter even it failed.
+Forgetting to putting operation will result in reference leak here.
+We fix it:
+1) Replacing it with pm_runtime_resume_and_get to keep usage counter
+   balanced.
+2) Add putting operation before returning error.
+
+Fixes:9135408c3ace4 ("dmaengine: mediatek: Add MediaTek UART APDMA support")
+Signed-off-by: Zhang Qilong <zhangqilong3@huawei.com>
+Link: https://lore.kernel.org/r/20220319022142.142709-1-zhangqilong3@huawei.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/mediatek/mtk-uart-apdma.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/dma/mediatek/mtk-uart-apdma.c b/drivers/dma/mediatek/mtk-uart-apdma.c
+index 9c0ea13ca788..7718d09e3d29 100644
+--- a/drivers/dma/mediatek/mtk-uart-apdma.c
++++ b/drivers/dma/mediatek/mtk-uart-apdma.c
+@@ -274,7 +274,7 @@ static int mtk_uart_apdma_alloc_chan_resources(struct dma_chan *chan)
+       unsigned int status;
+       int ret;
+ 
+-      ret = pm_runtime_get_sync(mtkd->ddev.dev);
++      ret = pm_runtime_resume_and_get(mtkd->ddev.dev);
+       if (ret < 0) {
+               pm_runtime_put_noidle(chan->device->dev);
+               return ret;
+@@ -288,18 +288,21 @@ static int mtk_uart_apdma_alloc_chan_resources(struct dma_chan *chan)
+       ret = readx_poll_timeout(readl, c->base + VFF_EN,
+                         status, !status, 10, 100);
+       if (ret)
+-              return ret;
++              goto err_pm;
+ 
+       ret = request_irq(c->irq, mtk_uart_apdma_irq_handler,
+                         IRQF_TRIGGER_NONE, KBUILD_MODNAME, chan);
+       if (ret < 0) {
+               dev_err(chan->device->dev, "Can't request dma IRQ\n");
+-              return -EINVAL;
++              ret = -EINVAL;
++              goto err_pm;
+       }
+ 
+       if (mtkd->support_33bits)
+               mtk_uart_apdma_write(c, VFF_4G_SUPPORT, VFF_4G_SUPPORT_CLR_B);
+ 
++err_pm:
++      pm_runtime_put_noidle(mtkd->ddev.dev);
+       return ret;
+ }
+ 
+-- 
+2.35.1
+

diff --git a/queue-5.4/dpaa_eth-fix-missing-of_node_put-in-dpaa_get_ts_info.patch b/queue-5.4/dpaa_eth-fix-missing-of_node_put-in-dpaa_get_ts_info.patch
new file mode 100644 (file)
index 0000000..8a75955
--- /dev/null
+++ b/queue-5.4/dpaa_eth-fix-missing-of_node_put-in-dpaa_get_ts_info.patch
@@ -0,0 +1,46 @@
+From 9c428f803a6017ecb1368aeba321f4f51eaa22f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Apr 2022 09:49:41 +0000
+Subject: dpaa_eth: Fix missing of_node_put in dpaa_get_ts_info()
+
+From: Lv Ruyi <lv.ruyi@zte.com.cn>
+
+[ Upstream commit 1a7eb80d170c28be2928433702256fe2a0bd1e0f ]
+
+Both of of_get_parent() and of_parse_phandle() return node pointer with
+refcount incremented, use of_node_put() on it to decrease refcount
+when done.
+
+Reported-by: Zeal Robot <zealci@zte.com.cn>
+Signed-off-by: Lv Ruyi <lv.ruyi@zte.com.cn>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c b/drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c
+index 7ce2e99b594d..0a186d16e73f 100644
+--- a/drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c
++++ b/drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c
+@@ -506,11 +506,15 @@ static int dpaa_get_ts_info(struct net_device *net_dev,
+       info->phc_index = -1;
+ 
+       fman_node = of_get_parent(mac_node);
+-      if (fman_node)
++      if (fman_node) {
+               ptp_node = of_parse_phandle(fman_node, "ptimer-handle", 0);
++              of_node_put(fman_node);
++      }
+ 
+-      if (ptp_node)
++      if (ptp_node) {
+               ptp_dev = of_find_device_by_node(ptp_node);
++              of_node_put(ptp_node);
++      }
+ 
+       if (ptp_dev)
+               ptp = platform_get_drvdata(ptp_dev);
+-- 
+2.35.1
+

diff --git a/queue-5.4/drm-msm-mdp5-check-the-return-of-kzalloc.patch b/queue-5.4/drm-msm-mdp5-check-the-return-of-kzalloc.patch
new file mode 100644 (file)
index 0000000..4eefdca
--- /dev/null
+++ b/queue-5.4/drm-msm-mdp5-check-the-return-of-kzalloc.patch
@@ -0,0 +1,45 @@
+From e6367a96cb9333fdf4cbfe8d84549e7c062b3b87 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Apr 2022 10:31:51 +0800
+Subject: drm/msm/mdp5: check the return of kzalloc()
+
+From: Xiaoke Wang <xkernel.wang@foxmail.com>
+
+[ Upstream commit 047ae665577776b7feb11bd4f81f46627cff95e7 ]
+
+kzalloc() is a memory allocation function which can return NULL when
+some internal memory errors happen. So it is better to check it to
+prevent potential wrong memory access.
+
+Besides, since mdp5_plane_reset() is void type, so we should better
+set `plane-state` to NULL after releasing it.
+
+Signed-off-by: Xiaoke Wang <xkernel.wang@foxmail.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Patchwork: https://patchwork.freedesktop.org/patch/481055/
+Link: https://lore.kernel.org/r/tencent_8E2A1C78140EE1784AB2FF4B2088CC0AB908@qq.com
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/disp/mdp5/mdp5_plane.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/gpu/drm/msm/disp/mdp5/mdp5_plane.c b/drivers/gpu/drm/msm/disp/mdp5/mdp5_plane.c
+index 83423092de2f..da0799333970 100644
+--- a/drivers/gpu/drm/msm/disp/mdp5/mdp5_plane.c
++++ b/drivers/gpu/drm/msm/disp/mdp5/mdp5_plane.c
+@@ -179,7 +179,10 @@ static void mdp5_plane_reset(struct drm_plane *plane)
+               drm_framebuffer_put(plane->state->fb);
+ 
+       kfree(to_mdp5_plane_state(plane->state));
++      plane->state = NULL;
+       mdp5_state = kzalloc(sizeof(*mdp5_state), GFP_KERNEL);
++      if (!mdp5_state)
++              return;
+ 
+       /* assign default blend parameters */
+       mdp5_state->alpha = 255;
+-- 
+2.35.1
+

diff --git a/queue-5.4/igc-fix-bug-scheduling-while-atomic.patch b/queue-5.4/igc-fix-bug-scheduling-while-atomic.patch
new file mode 100644 (file)
index 0000000..132d108
--- /dev/null
+++ b/queue-5.4/igc-fix-bug-scheduling-while-atomic.patch
@@ -0,0 +1,118 @@
+From add590a257ade2012e175eaa64475fcac0c76615 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Mar 2022 08:19:19 +0200
+Subject: igc: Fix BUG: scheduling while atomic
+
+From: Sasha Neftin <sasha.neftin@intel.com>
+
+[ Upstream commit c80a29f0fe9b6f5457e0788e27d1110577eba99b ]
+
+Replace usleep_range() method with udelay() method to allow atomic contexts
+in low-level MDIO access functions.
+
+The following issue can be seen by doing the following:
+$ modprobe -r bonding
+$ modprobe -v bonding max_bonds=1 mode=1 miimon=100 use_carrier=0
+$ ip link set bond0 up
+$ ifenslave bond0 eth0 eth1
+
+[  982.357308] BUG: scheduling while atomic: kworker/u64:0/9/0x00000002
+[  982.364431] INFO: lockdep is turned off.
+[  982.368824] Modules linked in: bonding sctp ip6_udp_tunnel udp_tunnel mlx4_ib ib_uverbs ib_core mlx4_en mlx4_core nfp tls sunrpc intel_rapl_msr iTCO_wdt iTCO_vendor_support mxm_wmi dcdbas intel_rapl_common sb_edac x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel rapl intel_cstate intel_uncore pcspkr lpc_ich mei_me ipmi_ssif mei ipmi_si ipmi_devintf ipmi_msghandler wmi acpi_power_meter xfs libcrc32c sr_mod cdrom sd_mod t10_pi sg mgag200 drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm ahci libahci crc32c_intel libata i2c_algo_bit tg3 megaraid_sas igc dm_mirror dm_region_hash dm_log dm_mod [last unloaded: bonding]
+[  982.437941] CPU: 25 PID: 9 Comm: kworker/u64:0 Kdump: loaded Tainted: G        W        --------- -  - 4.18.0-348.el8.x86_64+debug #1
+[  982.451333] Hardware name: Dell Inc. PowerEdge R730/0H21J3, BIOS 2.7.0 12/005/2017
+[  982.459791] Workqueue: bond0 bond_mii_monitor [bonding]
+[  982.465622] Call Trace:
+[  982.468355]  dump_stack+0x8e/0xd0
+[  982.472056]  __schedule_bug.cold.60+0x3a/0x60
+[  982.476919]  __schedule+0x147b/0x1bc0
+[  982.481007]  ? firmware_map_remove+0x16b/0x16b
+[  982.485967]  ? hrtimer_fixup_init+0x40/0x40
+[  982.490625]  schedule+0xd9/0x250
+[  982.494227]  schedule_hrtimeout_range_clock+0x10d/0x2c0
+[  982.500058]  ? hrtimer_nanosleep_restart+0x130/0x130
+[  982.505598]  ? hrtimer_init_sleeper_on_stack+0x90/0x90
+[  982.511332]  ? usleep_range+0x88/0x130
+[  982.515514]  ? recalibrate_cpu_khz+0x10/0x10
+[  982.520279]  ? ktime_get+0xab/0x1c0
+[  982.524175]  ? usleep_range+0x88/0x130
+[  982.528355]  usleep_range+0xdd/0x130
+[  982.532344]  ? console_conditional_schedule+0x30/0x30
+[  982.537987]  ? igc_put_hw_semaphore+0x17/0x60 [igc]
+[  982.543432]  igc_read_phy_reg_gpy+0x111/0x2b0 [igc]
+[  982.548887]  igc_phy_has_link+0xfa/0x260 [igc]
+[  982.553847]  ? igc_get_phy_id+0x210/0x210 [igc]
+[  982.558894]  ? lock_acquire+0x34d/0x890
+[  982.563187]  ? lock_downgrade+0x710/0x710
+[  982.567659]  ? rcu_read_unlock+0x50/0x50
+[  982.572039]  igc_check_for_copper_link+0x106/0x210 [igc]
+[  982.577970]  ? igc_config_fc_after_link_up+0x840/0x840 [igc]
+[  982.584286]  ? rcu_read_unlock+0x50/0x50
+[  982.588661]  ? lock_release+0x591/0xb80
+[  982.592939]  ? lock_release+0x591/0xb80
+[  982.597220]  igc_has_link+0x113/0x330 [igc]
+[  982.601887]  ? lock_downgrade+0x710/0x710
+[  982.606362]  igc_ethtool_get_link+0x6d/0x90 [igc]
+[  982.611614]  bond_check_dev_link+0x131/0x2c0 [bonding]
+[  982.617350]  ? bond_time_in_interval+0xd0/0xd0 [bonding]
+[  982.623277]  ? rcu_read_lock_held+0x62/0xc0
+[  982.627944]  ? rcu_read_lock_sched_held+0xe0/0xe0
+[  982.633198]  bond_mii_monitor+0x314/0x2500 [bonding]
+[  982.638738]  ? lock_contended+0x880/0x880
+[  982.643214]  ? bond_miimon_link_change+0xa0/0xa0 [bonding]
+[  982.649336]  ? lock_acquire+0x34d/0x890
+[  982.653615]  ? lock_downgrade+0x710/0x710
+[  982.658089]  ? debug_object_deactivate+0x221/0x340
+[  982.663436]  ? rcu_read_unlock+0x50/0x50
+[  982.667811]  ? debug_print_object+0x2b0/0x2b0
+[  982.672672]  ? __switch_to_asm+0x41/0x70
+[  982.677049]  ? __switch_to_asm+0x35/0x70
+[  982.681426]  ? _raw_spin_unlock_irq+0x24/0x40
+[  982.686288]  ? trace_hardirqs_on+0x20/0x195
+[  982.690956]  ? _raw_spin_unlock_irq+0x24/0x40
+[  982.695818]  process_one_work+0x8f0/0x1770
+[  982.700390]  ? pwq_dec_nr_in_flight+0x320/0x320
+[  982.705443]  ? debug_show_held_locks+0x50/0x50
+[  982.710403]  worker_thread+0x87/0xb40
+[  982.714489]  ? process_one_work+0x1770/0x1770
+[  982.719349]  kthread+0x344/0x410
+[  982.722950]  ? kthread_insert_work_sanity_check+0xd0/0xd0
+[  982.728975]  ret_from_fork+0x3a/0x50
+
+Fixes: 5586838fe9ce ("igc: Add code for PHY support")
+Reported-by: Corinna Vinschen <vinschen@redhat.com>
+Suggested-by: Dima Ruinskiy <dima.ruinskiy@intel.com>
+Signed-off-by: Sasha Neftin <sasha.neftin@intel.com>
+Tested-by: Corinna Vinschen <vinschen@redhat.com>
+Tested-by: Naama Meir <naamax.meir@linux.intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igc/igc_phy.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_phy.c b/drivers/net/ethernet/intel/igc/igc_phy.c
+index 1a4947e6933c..6156c76d765f 100644
+--- a/drivers/net/ethernet/intel/igc/igc_phy.c
++++ b/drivers/net/ethernet/intel/igc/igc_phy.c
+@@ -569,7 +569,7 @@ static s32 igc_read_phy_reg_mdic(struct igc_hw *hw, u32 offset, u16 *data)
+        * the lower time out
+        */
+       for (i = 0; i < IGC_GEN_POLL_TIMEOUT; i++) {
+-              usleep_range(500, 1000);
++              udelay(50);
+               mdic = rd32(IGC_MDIC);
+               if (mdic & IGC_MDIC_READY)
+                       break;
+@@ -626,7 +626,7 @@ static s32 igc_write_phy_reg_mdic(struct igc_hw *hw, u32 offset, u16 data)
+        * the lower time out
+        */
+       for (i = 0; i < IGC_GEN_POLL_TIMEOUT; i++) {
+-              usleep_range(500, 1000);
++              udelay(50);
+               mdic = rd32(IGC_MDIC);
+               if (mdic & IGC_MDIC_READY)
+                       break;
+-- 
+2.35.1
+

diff --git a/queue-5.4/igc-fix-infinite-loop-in-release_swfw_sync.patch b/queue-5.4/igc-fix-infinite-loop-in-release_swfw_sync.patch
new file mode 100644 (file)
index 0000000..d428178
--- /dev/null
+++ b/queue-5.4/igc-fix-infinite-loop-in-release_swfw_sync.patch
@@ -0,0 +1,49 @@
+From 3fb5a73fc48a41fb5c0b470ae14fc7398c997941 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Mar 2022 15:32:10 +0200
+Subject: igc: Fix infinite loop in release_swfw_sync
+
+From: Sasha Neftin <sasha.neftin@intel.com>
+
+[ Upstream commit 907862e9aef75bf89e2b265efcc58870be06081e ]
+
+An infinite loop may occur if we fail to acquire the HW semaphore,
+which is needed for resource release.
+This will typically happen if the hardware is surprise-removed.
+At this stage there is nothing to do, except log an error and quit.
+
+Fixes: c0071c7aa5fe ("igc: Add HW initialization code")
+Suggested-by: Dima Ruinskiy <dima.ruinskiy@intel.com>
+Signed-off-by: Sasha Neftin <sasha.neftin@intel.com>
+Tested-by: Naama Meir <naamax.meir@linux.intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igc/igc_i225.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_i225.c b/drivers/net/ethernet/intel/igc/igc_i225.c
+index ed5d09c11c38..79252ca9e213 100644
+--- a/drivers/net/ethernet/intel/igc/igc_i225.c
++++ b/drivers/net/ethernet/intel/igc/igc_i225.c
+@@ -156,8 +156,15 @@ void igc_release_swfw_sync_i225(struct igc_hw *hw, u16 mask)
+ {
+       u32 swfw_sync;
+ 
+-      while (igc_get_hw_semaphore_i225(hw))
+-              ; /* Empty */
++      /* Releasing the resource requires first getting the HW semaphore.
++       * If we fail to get the semaphore, there is nothing we can do,
++       * except log an error and quit. We are not allowed to hang here
++       * indefinitely, as it may cause denial of service or system crash.
++       */
++      if (igc_get_hw_semaphore_i225(hw)) {
++              hw_dbg("Failed to release SW_FW_SYNC.\n");
++              return;
++      }
+ 
+       swfw_sync = rd32(IGC_SW_FW_SYNC);
+       swfw_sync &= ~mask;
+-- 
+2.35.1
+

diff --git a/queue-5.4/l3mdev-l3mdev_master_upper_ifindex_by_index_rcu-shou.patch b/queue-5.4/l3mdev-l3mdev_master_upper_ifindex_by_index_rcu-shou.patch
new file mode 100644 (file)
index 0000000..6d306bf
--- /dev/null
+++ b/queue-5.4/l3mdev-l3mdev_master_upper_ifindex_by_index_rcu-shou.patch
@@ -0,0 +1,65 @@
+From c54e4ddfcd08aa11fcf5410f12918f2b415bbf0b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Apr 2022 11:43:19 -0600
+Subject: l3mdev: l3mdev_master_upper_ifindex_by_index_rcu should be using
+ netdev_master_upper_dev_get_rcu
+
+From: David Ahern <dsahern@kernel.org>
+
+[ Upstream commit 83daab06252ee5d0e1f4373ff28b79304945fc19 ]
+
+Next patch uses l3mdev_master_upper_ifindex_by_index_rcu which throws
+a splat with debug kernels:
+
+[13783.087570] ------------[ cut here ]------------
+[13783.093974] RTNL: assertion failed at net/core/dev.c (6702)
+[13783.100761] WARNING: CPU: 3 PID: 51132 at net/core/dev.c:6702 netdev_master_upper_dev_get+0x16a/0x1a0
+
+[13783.184226] CPU: 3 PID: 51132 Comm: kworker/3:3 Not tainted 5.17.0-custom-100090-g6f963aafb1cc #682
+[13783.194788] Hardware name: Mellanox Technologies Ltd. MSN2010/SA002610, BIOS 5.6.5 08/24/2017
+[13783.204755] Workqueue: mld mld_ifc_work [ipv6]
+[13783.210338] RIP: 0010:netdev_master_upper_dev_get+0x16a/0x1a0
+[13783.217209] Code: 0f 85 e3 fe ff ff e8 65 ac ec fe ba 2e 1a 00 00 48 c7 c6 60 6f 38 83 48 c7 c7 c0 70 38 83 c6 05 5e b5 d7 01 01 e8 c6 29 52 00 <0f> 0b e9 b8 fe ff ff e8 5a 6c 35 ff e9 1c ff ff ff 48 89 ef e8 7d
+[13783.238659] RSP: 0018:ffffc9000b37f5a8 EFLAGS: 00010286
+[13783.244995] RAX: 0000000000000000 RBX: ffff88812ee5c000 RCX: 0000000000000000
+[13783.253379] RDX: ffff88811ce09d40 RSI: ffffffff812d0fcd RDI: fffff5200166fea7
+[13783.261769] RBP: 0000000000000000 R08: 0000000000000001 R09: ffff8882375f4287
+[13783.270138] R10: ffffed1046ebe850 R11: 0000000000000001 R12: dffffc0000000000
+[13783.278510] R13: 0000000000000275 R14: ffffc9000b37f688 R15: ffff8881273b4af8
+[13783.286870] FS:  0000000000000000(0000) GS:ffff888237400000(0000) knlGS:0000000000000000
+[13783.296352] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[13783.303177] CR2: 00007ff25fc9b2e8 CR3: 0000000174d23000 CR4: 00000000001006e0
+[13783.311546] Call Trace:
+[13783.314660]  <TASK>
+[13783.317553]  l3mdev_master_upper_ifindex_by_index_rcu+0x43/0xe0
+...
+
+Change l3mdev_master_upper_ifindex_by_index_rcu to use
+netdev_master_upper_dev_get_rcu.
+
+Fixes: 6a6d6681ac1a ("l3mdev: add function to retreive upper master")
+Signed-off-by: Ido Schimmel <idosch@idosch.org>
+Signed-off-by: David Ahern <dsahern@kernel.org>
+Cc: Alexis Bauvin <abauvin@scaleway.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/l3mdev/l3mdev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/l3mdev/l3mdev.c b/net/l3mdev/l3mdev.c
+index f35899d45a9a..ff4352f6d168 100644
+--- a/net/l3mdev/l3mdev.c
++++ b/net/l3mdev/l3mdev.c
+@@ -54,7 +54,7 @@ int l3mdev_master_upper_ifindex_by_index_rcu(struct net *net, int ifindex)
+ 
+       dev = dev_get_by_index_rcu(net, ifindex);
+       while (dev && !netif_is_l3_master(dev))
+-              dev = netdev_master_upper_dev_get(dev);
++              dev = netdev_master_upper_dev_get_rcu(dev);
+ 
+       return dev ? dev->ifindex : 0;
+ }
+-- 
+2.35.1
+

diff --git a/queue-5.4/mt76-fix-undefined-behavior-due-to-shift-overflowing.patch b/queue-5.4/mt76-fix-undefined-behavior-due-to-shift-overflowing.patch
new file mode 100644 (file)
index 0000000..dffe480
--- /dev/null
+++ b/queue-5.4/mt76-fix-undefined-behavior-due-to-shift-overflowing.patch
@@ -0,0 +1,56 @@
+From f3cf0a9124cf8ea17cc72cbe0e18f2d665b3ab11 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Apr 2022 17:15:14 +0200
+Subject: mt76: Fix undefined behavior due to shift overflowing the constant
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Borislav Petkov <bp@suse.de>
+
+[ Upstream commit dbc2b1764734857d68425468ffa8486e97ab89df ]
+
+Fix:
+
+  drivers/net/wireless/mediatek/mt76/mt76x2/pci.c: In function ‘mt76x2e_probe’:
+  ././include/linux/compiler_types.h:352:38: error: call to ‘__compiletime_assert_946’ \
+       declared with attribute error: FIELD_PREP: mask is not constant
+    _compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__)
+
+See https://lore.kernel.org/r/YkwQ6%2BtIH8GQpuct@zn.tnic for the gory
+details as to why it triggers with older gccs only.
+
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: Felix Fietkau <nbd@nbd.name>
+Cc: Lorenzo Bianconi <lorenzo.bianconi83@gmail.com>
+Cc: Ryder Lee <ryder.lee@mediatek.com>
+Cc: Shayne Chen <shayne.chen@mediatek.com>
+Cc: Sean Wang <sean.wang@mediatek.com>
+Cc: Kalle Valo <kvalo@kernel.org>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Jakub Kicinski <kuba@kernel.org>
+Cc: linux-wireless@vger.kernel.org
+Cc: netdev@vger.kernel.org
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20220405151517.29753-9-bp@alien8.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt76x2/pci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt76x2/pci.c b/drivers/net/wireless/mediatek/mt76/mt76x2/pci.c
+index cf611d1b817c..e6d7646a0d9c 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt76x2/pci.c
++++ b/drivers/net/wireless/mediatek/mt76/mt76x2/pci.c
+@@ -76,7 +76,7 @@ mt76pci_probe(struct pci_dev *pdev, const struct pci_device_id *id)
+       mt76_rmw_field(dev, 0x15a10, 0x1f << 16, 0x9);
+ 
+       /* RG_SSUSB_G1_CDR_BIC_LTR = 0xf */
+-      mt76_rmw_field(dev, 0x15a0c, 0xf << 28, 0xf);
++      mt76_rmw_field(dev, 0x15a0c, 0xfU << 28, 0xf);
+ 
+       /* RG_SSUSB_CDR_BR_PE1D = 0x3 */
+       mt76_rmw_field(dev, 0x15c58, 0x3 << 6, 0x3);
+-- 
+2.35.1
+

diff --git a/queue-5.4/net-macb-restart-tx-only-if-queue-pointer-is-lagging.patch b/queue-5.4/net-macb-restart-tx-only-if-queue-pointer-is-lagging.patch
new file mode 100644 (file)
index 0000000..c6cbc49
--- /dev/null
+++ b/queue-5.4/net-macb-restart-tx-only-if-queue-pointer-is-lagging.patch
@@ -0,0 +1,64 @@
+From cc4e2e1423906c4fb1cec7617d151da37f5b62a1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Apr 2022 19:16:59 +0300
+Subject: net: macb: Restart tx only if queue pointer is lagging
+
+From: Tomas Melin <tomas.melin@vaisala.com>
+
+[ Upstream commit 5ad7f18cd82cee8e773d40cc7a1465a526f2615c ]
+
+commit 4298388574da ("net: macb: restart tx after tx used bit read")
+added support for restarting transmission. Restarting tx does not work
+in case controller asserts TXUBR interrupt and TQBP is already at the end
+of the tx queue. In that situation, restarting tx will immediately cause
+assertion of another TXUBR interrupt. The driver will end up in an infinite
+interrupt loop which it cannot break out of.
+
+For cases where TQBP is at the end of the tx queue, instead
+only clear TX_USED interrupt. As more data gets pushed to the queue,
+transmission will resume.
+
+This issue was observed on a Xilinx Zynq-7000 based board.
+During stress test of the network interface,
+driver would get stuck on interrupt loop within seconds or minutes
+causing CPU to stall.
+
+Signed-off-by: Tomas Melin <tomas.melin@vaisala.com>
+Tested-by: Claudiu Beznea <claudiu.beznea@microchip.com>
+Reviewed-by: Claudiu Beznea <claudiu.beznea@microchip.com>
+Link: https://lore.kernel.org/r/20220407161659.14532-1-tomas.melin@vaisala.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cadence/macb_main.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c
+index 480d2ca369e6..002a374f197b 100644
+--- a/drivers/net/ethernet/cadence/macb_main.c
++++ b/drivers/net/ethernet/cadence/macb_main.c
+@@ -1378,6 +1378,7 @@ static void macb_tx_restart(struct macb_queue *queue)
+       unsigned int head = queue->tx_head;
+       unsigned int tail = queue->tx_tail;
+       struct macb *bp = queue->bp;
++      unsigned int head_idx, tbqp;
+ 
+       if (bp->caps & MACB_CAPS_ISR_CLEAR_ON_WRITE)
+               queue_writel(queue, ISR, MACB_BIT(TXUBR));
+@@ -1385,6 +1386,13 @@ static void macb_tx_restart(struct macb_queue *queue)
+       if (head == tail)
+               return;
+ 
++      tbqp = queue_readl(queue, TBQP) / macb_dma_desc_get_size(bp);
++      tbqp = macb_adj_dma_desc_idx(bp, macb_tx_ring_wrap(bp, tbqp));
++      head_idx = macb_adj_dma_desc_idx(bp, macb_tx_ring_wrap(bp, head));
++
++      if (tbqp == head_idx)
++              return;
++
+       macb_writel(bp, NCR, macb_readl(bp, NCR) | MACB_BIT(TSTART));
+ }
+ 
+-- 
+2.35.1
+

diff --git a/queue-5.4/net-packet-fix-packet_sock-xmit-return-value-checkin.patch b/queue-5.4/net-packet-fix-packet_sock-xmit-return-value-checkin.patch
new file mode 100644 (file)
index 0000000..6d33ddc
--- /dev/null
+++ b/queue-5.4/net-packet-fix-packet_sock-xmit-return-value-checkin.patch
@@ -0,0 +1,59 @@
+From 75fa42fac3944f16b9f687ca3d0193ab9b644eff Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Apr 2022 16:49:25 +0800
+Subject: net/packet: fix packet_sock xmit return value checking
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+[ Upstream commit 29e8e659f984be00d75ec5fef4e37c88def72712 ]
+
+packet_sock xmit could be dev_queue_xmit, which also returns negative
+errors. So only checking positive errors is not enough, or userspace
+sendmsg may return success while packet is not send out.
+
+Move the net_xmit_errno() assignment in the braces as checkpatch.pl said
+do not use assignment in if condition.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: Flavio Leitner <fbl@redhat.com>
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/packet/af_packet.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index 70c102359bfe..a2696acbcd9d 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -2791,8 +2791,9 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)
+ 
+               status = TP_STATUS_SEND_REQUEST;
+               err = po->xmit(skb);
+-              if (unlikely(err > 0)) {
+-                      err = net_xmit_errno(err);
++              if (unlikely(err != 0)) {
++                      if (err > 0)
++                              err = net_xmit_errno(err);
+                       if (err && __packet_get_status(po, ph) ==
+                                  TP_STATUS_AVAILABLE) {
+                               /* skb was destructed already */
+@@ -2993,8 +2994,12 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len)
+               skb->no_fcs = 1;
+ 
+       err = po->xmit(skb);
+-      if (err > 0 && (err = net_xmit_errno(err)) != 0)
+-              goto out_unlock;
++      if (unlikely(err != 0)) {
++              if (err > 0)
++                      err = net_xmit_errno(err);
++              if (err)
++                      goto out_unlock;
++      }
+ 
+       dev_put(dev);
+ 
+-- 
+2.35.1
+

diff --git a/queue-5.4/net-sched-cls_u32-fix-possible-leak-in-u32_init_knod.patch b/queue-5.4/net-sched-cls_u32-fix-possible-leak-in-u32_init_knod.patch
new file mode 100644 (file)
index 0000000..7c86236
--- /dev/null
+++ b/queue-5.4/net-sched-cls_u32-fix-possible-leak-in-u32_init_knod.patch
@@ -0,0 +1,57 @@
+From 051c48cc4696d97f23694b4e525b9254b1608d35 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Apr 2022 10:35:42 -0700
+Subject: net/sched: cls_u32: fix possible leak in u32_init_knode()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit ec5b0f605b105457f257f2870acad4a5d463984b ]
+
+While investigating a related syzbot report,
+I found that whenever call to tcf_exts_init()
+from u32_init_knode() is failing, we end up
+with an elevated refcount on ht->refcnt
+
+To avoid that, only increase the refcount after
+all possible errors have been evaluated.
+
+Fixes: b9a24bb76bf6 ("net_sched: properly handle failure case of tcf_exts_init()")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Cong Wang <xiyou.wangcong@gmail.com>
+Cc: Jiri Pirko <jiri@resnulli.us>
+Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/cls_u32.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c
+index 8cfd5460493c..ed8d26e6468c 100644
+--- a/net/sched/cls_u32.c
++++ b/net/sched/cls_u32.c
+@@ -816,10 +816,6 @@ static struct tc_u_knode *u32_init_knode(struct net *net, struct tcf_proto *tp,
+       new->flags = n->flags;
+       RCU_INIT_POINTER(new->ht_down, ht);
+ 
+-      /* bump reference count as long as we hold pointer to structure */
+-      if (ht)
+-              ht->refcnt++;
+-
+ #ifdef CONFIG_CLS_U32_PERF
+       /* Statistics may be incremented by readers during update
+        * so we must keep them in tact. When the node is later destroyed
+@@ -841,6 +837,10 @@ static struct tc_u_knode *u32_init_knode(struct net *net, struct tcf_proto *tp,
+               return NULL;
+       }
+ 
++      /* bump reference count as long as we hold pointer to structure */
++      if (ht)
++              ht->refcnt++;
++
+       return new;
+ }
+ 
+-- 
+2.35.1
+

diff --git a/queue-5.4/net-smc-fix-sock-leak-when-release-after-smc_shutdow.patch b/queue-5.4/net-smc-fix-sock-leak-when-release-after-smc_shutdow.patch
new file mode 100644 (file)
index 0000000..98b7359
--- /dev/null
+++ b/queue-5.4/net-smc-fix-sock-leak-when-release-after-smc_shutdow.patch
@@ -0,0 +1,45 @@
+From 2c4e7a775b884664ca308ec90ac76c2c0a4b8537 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Apr 2022 15:51:03 +0800
+Subject: net/smc: Fix sock leak when release after smc_shutdown()
+
+From: Tony Lu <tonylu@linux.alibaba.com>
+
+[ Upstream commit 1a74e99323746353bba11562a2f2d0aa8102f402 ]
+
+Since commit e5d5aadcf3cd ("net/smc: fix sk_refcnt underflow on linkdown
+and fallback"), for a fallback connection, __smc_release() does not call
+sock_put() if its state is already SMC_CLOSED.
+
+When calling smc_shutdown() after falling back, its state is set to
+SMC_CLOSED but does not call sock_put(), so this patch calls it.
+
+Reported-and-tested-by: syzbot+6e29a053eb165bd50de5@syzkaller.appspotmail.com
+Fixes: e5d5aadcf3cd ("net/smc: fix sk_refcnt underflow on linkdown and fallback")
+Signed-off-by: Tony Lu <tonylu@linux.alibaba.com>
+Acked-by: Karsten Graul <kgraul@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/smc/af_smc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
+index 06684ac346ab..5221092cc66d 100644
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -1698,8 +1698,10 @@ static int smc_shutdown(struct socket *sock, int how)
+       if (smc->use_fallback) {
+               rc = kernel_sock_shutdown(smc->clcsock, how);
+               sk->sk_shutdown = smc->clcsock->sk->sk_shutdown;
+-              if (sk->sk_shutdown == SHUTDOWN_MASK)
++              if (sk->sk_shutdown == SHUTDOWN_MASK) {
+                       sk->sk_state = SMC_CLOSED;
++                      sock_put(sk);
++              }
+               goto out;
+       }
+       switch (how) {
+-- 
+2.35.1
+

diff --git a/queue-5.4/netlink-reset-network-and-mac-headers-in-netlink_dum.patch b/queue-5.4/netlink-reset-network-and-mac-headers-in-netlink_dum.patch
new file mode 100644 (file)
index 0000000..4068220
--- /dev/null
+++ b/queue-5.4/netlink-reset-network-and-mac-headers-in-netlink_dum.patch
@@ -0,0 +1,136 @@
+From 86cb2d2c01ee7b0032f9c7f2957947c13bbad975 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Apr 2022 11:14:42 -0700
+Subject: netlink: reset network and mac headers in netlink_dump()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 99c07327ae11e24886d552dddbe4537bfca2765d ]
+
+netlink_dump() is allocating an skb, reserves space in it
+but forgets to reset network header.
+
+This allows a BPF program, invoked later from sk_filter()
+to access uninitialized kernel memory from the reserved
+space.
+
+Theorically mac header reset could be omitted, because
+it is set to a special initial value.
+bpf_internal_load_pointer_neg_helper calls skb_mac_header()
+without checking skb_mac_header_was_set().
+Relying on skb->len not being too big seems fragile.
+We also could add a sanity check in bpf_internal_load_pointer_neg_helper()
+to avoid surprises in the future.
+
+syzbot report was:
+
+BUG: KMSAN: uninit-value in ___bpf_prog_run+0xa22b/0xb420 kernel/bpf/core.c:1637
+ ___bpf_prog_run+0xa22b/0xb420 kernel/bpf/core.c:1637
+ __bpf_prog_run32+0x121/0x180 kernel/bpf/core.c:1796
+ bpf_dispatcher_nop_func include/linux/bpf.h:784 [inline]
+ __bpf_prog_run include/linux/filter.h:626 [inline]
+ bpf_prog_run include/linux/filter.h:633 [inline]
+ __bpf_prog_run_save_cb+0x168/0x580 include/linux/filter.h:756
+ bpf_prog_run_save_cb include/linux/filter.h:770 [inline]
+ sk_filter_trim_cap+0x3bc/0x8c0 net/core/filter.c:150
+ sk_filter include/linux/filter.h:905 [inline]
+ netlink_dump+0xe0c/0x16c0 net/netlink/af_netlink.c:2276
+ netlink_recvmsg+0x1129/0x1c80 net/netlink/af_netlink.c:2002
+ sock_recvmsg_nosec net/socket.c:948 [inline]
+ sock_recvmsg net/socket.c:966 [inline]
+ sock_read_iter+0x5a9/0x630 net/socket.c:1039
+ do_iter_readv_writev+0xa7f/0xc70
+ do_iter_read+0x52c/0x14c0 fs/read_write.c:786
+ vfs_readv fs/read_write.c:906 [inline]
+ do_readv+0x432/0x800 fs/read_write.c:943
+ __do_sys_readv fs/read_write.c:1034 [inline]
+ __se_sys_readv fs/read_write.c:1031 [inline]
+ __x64_sys_readv+0xe5/0x120 fs/read_write.c:1031
+ do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+ do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:81
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Uninit was stored to memory at:
+ ___bpf_prog_run+0x96c/0xb420 kernel/bpf/core.c:1558
+ __bpf_prog_run32+0x121/0x180 kernel/bpf/core.c:1796
+ bpf_dispatcher_nop_func include/linux/bpf.h:784 [inline]
+ __bpf_prog_run include/linux/filter.h:626 [inline]
+ bpf_prog_run include/linux/filter.h:633 [inline]
+ __bpf_prog_run_save_cb+0x168/0x580 include/linux/filter.h:756
+ bpf_prog_run_save_cb include/linux/filter.h:770 [inline]
+ sk_filter_trim_cap+0x3bc/0x8c0 net/core/filter.c:150
+ sk_filter include/linux/filter.h:905 [inline]
+ netlink_dump+0xe0c/0x16c0 net/netlink/af_netlink.c:2276
+ netlink_recvmsg+0x1129/0x1c80 net/netlink/af_netlink.c:2002
+ sock_recvmsg_nosec net/socket.c:948 [inline]
+ sock_recvmsg net/socket.c:966 [inline]
+ sock_read_iter+0x5a9/0x630 net/socket.c:1039
+ do_iter_readv_writev+0xa7f/0xc70
+ do_iter_read+0x52c/0x14c0 fs/read_write.c:786
+ vfs_readv fs/read_write.c:906 [inline]
+ do_readv+0x432/0x800 fs/read_write.c:943
+ __do_sys_readv fs/read_write.c:1034 [inline]
+ __se_sys_readv fs/read_write.c:1031 [inline]
+ __x64_sys_readv+0xe5/0x120 fs/read_write.c:1031
+ do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+ do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:81
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Uninit was created at:
+ slab_post_alloc_hook mm/slab.h:737 [inline]
+ slab_alloc_node mm/slub.c:3244 [inline]
+ __kmalloc_node_track_caller+0xde3/0x14f0 mm/slub.c:4972
+ kmalloc_reserve net/core/skbuff.c:354 [inline]
+ __alloc_skb+0x545/0xf90 net/core/skbuff.c:426
+ alloc_skb include/linux/skbuff.h:1158 [inline]
+ netlink_dump+0x30f/0x16c0 net/netlink/af_netlink.c:2242
+ netlink_recvmsg+0x1129/0x1c80 net/netlink/af_netlink.c:2002
+ sock_recvmsg_nosec net/socket.c:948 [inline]
+ sock_recvmsg net/socket.c:966 [inline]
+ sock_read_iter+0x5a9/0x630 net/socket.c:1039
+ do_iter_readv_writev+0xa7f/0xc70
+ do_iter_read+0x52c/0x14c0 fs/read_write.c:786
+ vfs_readv fs/read_write.c:906 [inline]
+ do_readv+0x432/0x800 fs/read_write.c:943
+ __do_sys_readv fs/read_write.c:1034 [inline]
+ __se_sys_readv fs/read_write.c:1031 [inline]
+ __x64_sys_readv+0xe5/0x120 fs/read_write.c:1031
+ do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+ do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:81
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+CPU: 0 PID: 3470 Comm: syz-executor751 Not tainted 5.17.0-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+
+Fixes: db65a3aaf29e ("netlink: Trim skb to alloc size to avoid MSG_TRUNC")
+Fixes: 9063e21fb026 ("netlink: autosize skb lengthes")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Link: https://lore.kernel.org/r/20220415181442.551228-1-eric.dumazet@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netlink/af_netlink.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
+index fb28969899af..8aefc52542a0 100644
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -2253,6 +2253,13 @@ static int netlink_dump(struct sock *sk)
+        * single netdev. The outcome is MSG_TRUNC error.
+        */
+       skb_reserve(skb, skb_tailroom(skb) - alloc_size);
++
++      /* Make sure malicious BPF programs can not read unitialized memory
++       * from skb->head -> skb->data
++       */
++      skb_reset_network_header(skb);
++      skb_reset_mac_header(skb);
++
+       netlink_skb_set_owner_r(skb, sk);
+ 
+       if (nlk->dump_done_errno > 0) {
+-- 
+2.35.1
+

diff --git a/queue-5.4/platform-x86-samsung-laptop-fix-an-unsigned-comparis.patch b/queue-5.4/platform-x86-samsung-laptop-fix-an-unsigned-comparis.patch
new file mode 100644 (file)
index 0000000..83f615c
--- /dev/null
+++ b/queue-5.4/platform-x86-samsung-laptop-fix-an-unsigned-comparis.patch
@@ -0,0 +1,41 @@
+From 258cad9f87d5826118c133e6285b1c34c3e580ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Mar 2022 14:18:30 +0800
+Subject: platform/x86: samsung-laptop: Fix an unsigned comparison which can
+ never be negative
+
+From: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
+
+[ Upstream commit 0284d4d1be753f648f28b77bdfbe6a959212af5c ]
+
+Eliminate the follow smatch warnings:
+
+drivers/platform/x86/samsung-laptop.c:1124 kbd_led_set() warn: unsigned
+'value' is never less than zero.
+
+Reported-by: Abaci Robot <abaci@linux.alibaba.com>
+Signed-off-by: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
+Link: https://lore.kernel.org/r/20220322061830.105579-1-jiapeng.chong@linux.alibaba.com
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/samsung-laptop.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/platform/x86/samsung-laptop.c b/drivers/platform/x86/samsung-laptop.c
+index 9b6a93ff41ff..91e468fcaf7c 100644
+--- a/drivers/platform/x86/samsung-laptop.c
++++ b/drivers/platform/x86/samsung-laptop.c
+@@ -1121,8 +1121,6 @@ static void kbd_led_set(struct led_classdev *led_cdev,
+ 
+       if (value > samsung->kbd_led.max_brightness)
+               value = samsung->kbd_led.max_brightness;
+-      else if (value < 0)
+-              value = 0;
+ 
+       samsung->kbd_led_wk = value;
+       queue_work(samsung->led_workqueue, &samsung->kbd_led_work);
+-- 
+2.35.1
+

diff --git a/queue-5.4/reset-tegra-bpmp-restore-handle-errors-in-bpmp-respo.patch b/queue-5.4/reset-tegra-bpmp-restore-handle-errors-in-bpmp-respo.patch
new file mode 100644 (file)
index 0000000..e5b02bd
--- /dev/null
+++ b/queue-5.4/reset-tegra-bpmp-restore-handle-errors-in-bpmp-respo.patch
@@ -0,0 +1,58 @@
+From 89e2ce006887f4e96ffe940897b299e22e80840b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Jan 2022 19:26:46 +0530
+Subject: reset: tegra-bpmp: Restore Handle errors in BPMP response
+
+From: Sameer Pujar <spujar@nvidia.com>
+
+[ Upstream commit d1da1052ffad63aa5181b69f20a6952e31f339c2 ]
+
+This reverts following commit 69125b4b9440 ("reset: tegra-bpmp: Revert
+Handle errors in BPMP response").
+
+The Tegra194 HDA reset failure is fixed by commit d278dc9151a0 ("ALSA:
+hda/tegra: Fix Tegra194 HDA reset failure"). The temporary revert of
+original commit c045ceb5a145 ("reset: tegra-bpmp: Handle errors in BPMP
+response") can be removed now.
+
+Signed-off-by: Sameer Pujar <spujar@nvidia.com>
+Tested-by: Jon Hunter <jonathanh@nvidia.com>
+Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
+Acked-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Link: https://lore.kernel.org/r/1641995806-15245-1-git-send-email-spujar@nvidia.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/reset/tegra/reset-bpmp.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/reset/tegra/reset-bpmp.c b/drivers/reset/tegra/reset-bpmp.c
+index 24d3395964cc..4c5bba52b105 100644
+--- a/drivers/reset/tegra/reset-bpmp.c
++++ b/drivers/reset/tegra/reset-bpmp.c
+@@ -20,6 +20,7 @@ static int tegra_bpmp_reset_common(struct reset_controller_dev *rstc,
+       struct tegra_bpmp *bpmp = to_tegra_bpmp(rstc);
+       struct mrq_reset_request request;
+       struct tegra_bpmp_message msg;
++      int err;
+ 
+       memset(&request, 0, sizeof(request));
+       request.cmd = command;
+@@ -30,7 +31,13 @@ static int tegra_bpmp_reset_common(struct reset_controller_dev *rstc,
+       msg.tx.data = &request;
+       msg.tx.size = sizeof(request);
+ 
+-      return tegra_bpmp_transfer(bpmp, &msg);
++      err = tegra_bpmp_transfer(bpmp, &msg);
++      if (err)
++              return err;
++      if (msg.rx.ret)
++              return -EINVAL;
++
++      return 0;
+ }
+ 
+ static int tegra_bpmp_reset_module(struct reset_controller_dev *rstc,
+-- 
+2.35.1
+

diff --git a/queue-5.4/rxrpc-restore-removed-timer-deletion.patch b/queue-5.4/rxrpc-restore-removed-timer-deletion.patch
new file mode 100644 (file)
index 0000000..4434b4e
--- /dev/null
+++ b/queue-5.4/rxrpc-restore-removed-timer-deletion.patch
@@ -0,0 +1,59 @@
+From 7f1b2efef62a42551d1bf71beae8e46e0c821cf3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Apr 2022 11:16:25 +0100
+Subject: rxrpc: Restore removed timer deletion
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit ee3b0826b4764f6c13ad6db67495c5a1c38e9025 ]
+
+A recent patch[1] from Eric Dumazet flipped the order in which the
+keepalive timer and the keepalive worker were cancelled in order to fix a
+syzbot reported issue[2].  Unfortunately, this enables the mirror image bug
+whereby the timer races with rxrpc_exit_net(), restarting the worker after
+it has been cancelled:
+
+       CPU 1           CPU 2
+       =============== =====================
+                       if (rxnet->live)
+                       <INTERRUPT>
+       rxnet->live = false;
+       cancel_work_sync(&rxnet->peer_keepalive_work);
+                       rxrpc_queue_work(&rxnet->peer_keepalive_work);
+       del_timer_sync(&rxnet->peer_keepalive_timer);
+
+Fix this by restoring the removed del_timer_sync() so that we try to remove
+the timer twice.  If the timer runs again, it should see ->live == false
+and not restart the worker.
+
+Fixes: 1946014ca3b1 ("rxrpc: fix a race in rxrpc_exit_net()")
+Signed-off-by: David Howells <dhowells@redhat.com>
+cc: Eric Dumazet <edumazet@google.com>
+cc: Marc Dionne <marc.dionne@auristor.com>
+cc: linux-afs@lists.infradead.org
+Link: https://lore.kernel.org/r/20220404183439.3537837-1-eric.dumazet@gmail.com/ [1]
+Link: https://syzkaller.appspot.com/bug?extid=724378c4bb58f703b09a [2]
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rxrpc/net_ns.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/rxrpc/net_ns.c b/net/rxrpc/net_ns.c
+index 9a76b74af37b..91a503871116 100644
+--- a/net/rxrpc/net_ns.c
++++ b/net/rxrpc/net_ns.c
+@@ -116,7 +116,9 @@ static __net_exit void rxrpc_exit_net(struct net *net)
+       struct rxrpc_net *rxnet = rxrpc_net(net);
+ 
+       rxnet->live = false;
++      del_timer_sync(&rxnet->peer_keepalive_timer);
+       cancel_work_sync(&rxnet->peer_keepalive_work);
++      /* Remove the timer again as the worker may have restarted it. */
+       del_timer_sync(&rxnet->peer_keepalive_timer);
+       rxrpc_destroy_all_calls(rxnet);
+       rxrpc_destroy_all_connections(rxnet);
+-- 
+2.35.1
+

diff --git a/queue-5.4/scsi-qedi-fix-failed-disconnect-handling.patch b/queue-5.4/scsi-qedi-fix-failed-disconnect-handling.patch
new file mode 100644 (file)
index 0000000..d23b8a1
--- /dev/null
+++ b/queue-5.4/scsi-qedi-fix-failed-disconnect-handling.patch
@@ -0,0 +1,146 @@
+From bc7b879b34c971b7f17c1813e3ed7ff043436d36 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Apr 2022 19:13:13 -0500
+Subject: scsi: qedi: Fix failed disconnect handling
+
+From: Mike Christie <michael.christie@oracle.com>
+
+[ Upstream commit 857b06527f707f5df634b854898a191b5c1d0272 ]
+
+We set the qedi_ep state to EP_STATE_OFLDCONN_START when the ep is
+created. Then in qedi_set_path we kick off the offload work. If userspace
+times out the connection and calls ep_disconnect, qedi will only flush the
+offload work if the qedi_ep state has transitioned away from
+EP_STATE_OFLDCONN_START. If we can't connect we will not have transitioned
+state and will leave the offload work running, and we will free the qedi_ep
+from under it.
+
+This patch just has us init the work when we create the ep, then always
+flush it.
+
+Link: https://lore.kernel.org/r/20220408001314.5014-10-michael.christie@oracle.com
+Tested-by: Manish Rangankar <mrangankar@marvell.com>
+Reviewed-by: Lee Duncan <lduncan@suse.com>
+Reviewed-by: Chris Leech <cleech@redhat.com>
+Acked-by: Manish Rangankar <mrangankar@marvell.com>
+Signed-off-by: Mike Christie <michael.christie@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qedi/qedi_iscsi.c | 69 +++++++++++++++++-----------------
+ 1 file changed, 34 insertions(+), 35 deletions(-)
+
+diff --git a/drivers/scsi/qedi/qedi_iscsi.c b/drivers/scsi/qedi/qedi_iscsi.c
+index 755f66b1ff9c..f05fb4ddeaff 100644
+--- a/drivers/scsi/qedi/qedi_iscsi.c
++++ b/drivers/scsi/qedi/qedi_iscsi.c
+@@ -797,6 +797,37 @@ static int qedi_task_xmit(struct iscsi_task *task)
+       return qedi_iscsi_send_ioreq(task);
+ }
+ 
++static void qedi_offload_work(struct work_struct *work)
++{
++      struct qedi_endpoint *qedi_ep =
++              container_of(work, struct qedi_endpoint, offload_work);
++      struct qedi_ctx *qedi;
++      int wait_delay = 5 * HZ;
++      int ret;
++
++      qedi = qedi_ep->qedi;
++
++      ret = qedi_iscsi_offload_conn(qedi_ep);
++      if (ret) {
++              QEDI_ERR(&qedi->dbg_ctx,
++                       "offload error: iscsi_cid=%u, qedi_ep=%p, ret=%d\n",
++                       qedi_ep->iscsi_cid, qedi_ep, ret);
++              qedi_ep->state = EP_STATE_OFLDCONN_FAILED;
++              return;
++      }
++
++      ret = wait_event_interruptible_timeout(qedi_ep->tcp_ofld_wait,
++                                             (qedi_ep->state ==
++                                             EP_STATE_OFLDCONN_COMPL),
++                                             wait_delay);
++      if (ret <= 0 || qedi_ep->state != EP_STATE_OFLDCONN_COMPL) {
++              qedi_ep->state = EP_STATE_OFLDCONN_FAILED;
++              QEDI_ERR(&qedi->dbg_ctx,
++                       "Offload conn TIMEOUT iscsi_cid=%u, qedi_ep=%p\n",
++                       qedi_ep->iscsi_cid, qedi_ep);
++      }
++}
++
+ static struct iscsi_endpoint *
+ qedi_ep_connect(struct Scsi_Host *shost, struct sockaddr *dst_addr,
+               int non_blocking)
+@@ -840,6 +871,7 @@ qedi_ep_connect(struct Scsi_Host *shost, struct sockaddr *dst_addr,
+       }
+       qedi_ep = ep->dd_data;
+       memset(qedi_ep, 0, sizeof(struct qedi_endpoint));
++      INIT_WORK(&qedi_ep->offload_work, qedi_offload_work);
+       qedi_ep->state = EP_STATE_IDLE;
+       qedi_ep->iscsi_cid = (u32)-1;
+       qedi_ep->qedi = qedi;
+@@ -996,12 +1028,11 @@ static void qedi_ep_disconnect(struct iscsi_endpoint *ep)
+       qedi_ep = ep->dd_data;
+       qedi = qedi_ep->qedi;
+ 
++      flush_work(&qedi_ep->offload_work);
++
+       if (qedi_ep->state == EP_STATE_OFLDCONN_START)
+               goto ep_exit_recover;
+ 
+-      if (qedi_ep->state != EP_STATE_OFLDCONN_NONE)
+-              flush_work(&qedi_ep->offload_work);
+-
+       if (qedi_ep->conn) {
+               qedi_conn = qedi_ep->conn;
+               conn = qedi_conn->cls_conn->dd_data;
+@@ -1161,37 +1192,6 @@ static int qedi_data_avail(struct qedi_ctx *qedi, u16 vlanid)
+       return rc;
+ }
+ 
+-static void qedi_offload_work(struct work_struct *work)
+-{
+-      struct qedi_endpoint *qedi_ep =
+-              container_of(work, struct qedi_endpoint, offload_work);
+-      struct qedi_ctx *qedi;
+-      int wait_delay = 5 * HZ;
+-      int ret;
+-
+-      qedi = qedi_ep->qedi;
+-
+-      ret = qedi_iscsi_offload_conn(qedi_ep);
+-      if (ret) {
+-              QEDI_ERR(&qedi->dbg_ctx,
+-                       "offload error: iscsi_cid=%u, qedi_ep=%p, ret=%d\n",
+-                       qedi_ep->iscsi_cid, qedi_ep, ret);
+-              qedi_ep->state = EP_STATE_OFLDCONN_FAILED;
+-              return;
+-      }
+-
+-      ret = wait_event_interruptible_timeout(qedi_ep->tcp_ofld_wait,
+-                                             (qedi_ep->state ==
+-                                             EP_STATE_OFLDCONN_COMPL),
+-                                             wait_delay);
+-      if ((ret <= 0) || (qedi_ep->state != EP_STATE_OFLDCONN_COMPL)) {
+-              qedi_ep->state = EP_STATE_OFLDCONN_FAILED;
+-              QEDI_ERR(&qedi->dbg_ctx,
+-                       "Offload conn TIMEOUT iscsi_cid=%u, qedi_ep=%p\n",
+-                       qedi_ep->iscsi_cid, qedi_ep);
+-      }
+-}
+-
+ static int qedi_set_path(struct Scsi_Host *shost, struct iscsi_path *path_data)
+ {
+       struct qedi_ctx *qedi;
+@@ -1307,7 +1307,6 @@ static int qedi_set_path(struct Scsi_Host *shost, struct iscsi_path *path_data)
+                         qedi_ep->dst_addr, qedi_ep->dst_port);
+       }
+ 
+-      INIT_WORK(&qedi_ep->offload_work, qedi_offload_work);
+       queue_work(qedi->offload_thread, &qedi_ep->offload_work);
+ 
+       ret = 0;
+-- 
+2.35.1
+

diff --git a/queue-5.4/selftests-mlxsw-vxlan_flooding-prevent-flooding-of-u.patch b/queue-5.4/selftests-mlxsw-vxlan_flooding-prevent-flooding-of-u.patch
new file mode 100644 (file)
index 0000000..76741cd
--- /dev/null
+++ b/queue-5.4/selftests-mlxsw-vxlan_flooding-prevent-flooding-of-u.patch
@@ -0,0 +1,71 @@
+From 249057f708bd8c432efc3322053e3e18c81f8f6a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Apr 2022 16:51:54 +0300
+Subject: selftests: mlxsw: vxlan_flooding: Prevent flooding of unwanted
+ packets
+
+From: Ido Schimmel <idosch@nvidia.com>
+
+[ Upstream commit 044011fdf162c5dd61c02841930c8f438a9adadb ]
+
+The test verifies that packets are correctly flooded by the bridge and
+the VXLAN device by matching on the encapsulated packets at the other
+end. However, if packets other than those generated by the test also
+ingress the bridge (e.g., MLD packets), they will be flooded as well and
+interfere with the expected count.
+
+Make the test more robust by making sure that only the packets generated
+by the test can ingress the bridge. Drop all the rest using tc filters
+on the egress of 'br0' and 'h1'.
+
+In the software data path, the problem can be solved by matching on the
+inner destination MAC or dropping unwanted packets at the egress of the
+VXLAN device, but this is not currently supported by mlxsw.
+
+Fixes: 94d302deae25 ("selftests: mlxsw: Add a test for VxLAN flooding")
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: Amit Cohen <amcohen@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../drivers/net/mlxsw/vxlan_flooding.sh         | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/tools/testing/selftests/drivers/net/mlxsw/vxlan_flooding.sh b/tools/testing/selftests/drivers/net/mlxsw/vxlan_flooding.sh
+index fedcb7b35af9..af5ea50ed5c0 100755
+--- a/tools/testing/selftests/drivers/net/mlxsw/vxlan_flooding.sh
++++ b/tools/testing/selftests/drivers/net/mlxsw/vxlan_flooding.sh
+@@ -172,6 +172,17 @@ flooding_filters_add()
+       local lsb
+       local i
+ 
++      # Prevent unwanted packets from entering the bridge and interfering
++      # with the test.
++      tc qdisc add dev br0 clsact
++      tc filter add dev br0 egress protocol all pref 1 handle 1 \
++              matchall skip_hw action drop
++      tc qdisc add dev $h1 clsact
++      tc filter add dev $h1 egress protocol all pref 1 handle 1 \
++              flower skip_hw dst_mac de:ad:be:ef:13:37 action pass
++      tc filter add dev $h1 egress protocol all pref 2 handle 2 \
++              matchall skip_hw action drop
++
+       tc qdisc add dev $rp2 clsact
+ 
+       for i in $(eval echo {1..$num_remotes}); do
+@@ -194,6 +205,12 @@ flooding_filters_del()
+       done
+ 
+       tc qdisc del dev $rp2 clsact
++
++      tc filter del dev $h1 egress protocol all pref 2 handle 2 matchall
++      tc filter del dev $h1 egress protocol all pref 1 handle 1 flower
++      tc qdisc del dev $h1 clsact
++      tc filter del dev br0 egress protocol all pref 1 handle 1 matchall
++      tc qdisc del dev br0 clsact
+ }
+ 
+ flooding_check_packets()
+-- 
+2.35.1
+

diff --git a/queue-5.4/series b/queue-5.4/series
index bfc21df747064e017f4e0761f6739e34570fbb61..6888b91eeedb8cec631de4ba449b1e3be708ad21 100644 (file)
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -7,3 +7,29 @@ tcp-fix-race-condition-when-creating-child-sockets-f.patch
 net-sched-cls_u32-fix-netns-refcount-changes-in-u32_change.patch
 tcp-fix-potential-use-after-free-due-to-double-kfree.patch
 alsa-usb-audio-clear-midi-port-active-flag-after-draining.patch
+asoc-atmel-remove-system-clock-tree-configuration-fo.patch
+asoc-msm8916-wcd-digital-check-failure-for-devm_snd_.patch
+dmaengine-imx-sdma-fix-error-checking-in-sdma_event_.patch
+dmaengine-mediatek-fix-pm-usage-reference-leak-of-mt.patch
+igc-fix-infinite-loop-in-release_swfw_sync.patch
+igc-fix-bug-scheduling-while-atomic.patch
+rxrpc-restore-removed-timer-deletion.patch
+net-smc-fix-sock-leak-when-release-after-smc_shutdow.patch
+net-packet-fix-packet_sock-xmit-return-value-checkin.patch
+net-sched-cls_u32-fix-possible-leak-in-u32_init_knod.patch
+l3mdev-l3mdev_master_upper_ifindex_by_index_rcu-shou.patch
+netlink-reset-network-and-mac-headers-in-netlink_dum.patch
+selftests-mlxsw-vxlan_flooding-prevent-flooding-of-u.patch
+arm-vexpress-spc-avoid-negative-array-index-when-smp.patch
+reset-tegra-bpmp-restore-handle-errors-in-bpmp-respo.patch
+platform-x86-samsung-laptop-fix-an-unsigned-comparis.patch
+alsa-usb-audio-fix-undefined-behavior-due-to-shift-o.patch
+vxlan-fix-error-return-code-in-vxlan_fdb_append.patch
+cifs-check-the-iocb_direct-flag-not-o_direct.patch
+mt76-fix-undefined-behavior-due-to-shift-overflowing.patch
+brcmfmac-sdio-fix-undefined-behavior-due-to-shift-ov.patch
+dpaa_eth-fix-missing-of_node_put-in-dpaa_get_ts_info.patch
+drm-msm-mdp5-check-the-return-of-kzalloc.patch
+net-macb-restart-tx-only-if-queue-pointer-is-lagging.patch
+scsi-qedi-fix-failed-disconnect-handling.patch
+stat-fix-inconsistency-between-struct-stat-and-struc.patch

diff --git a/queue-5.4/stat-fix-inconsistency-between-struct-stat-and-struc.patch b/queue-5.4/stat-fix-inconsistency-between-struct-stat-and-struc.patch
new file mode 100644 (file)
index 0000000..29dd615
--- /dev/null
+++ b/queue-5.4/stat-fix-inconsistency-between-struct-stat-and-struc.patch
@@ -0,0 +1,138 @@
+From 082eaa9db817cf10a9c993e2bd2ce9d0a392da00 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Apr 2022 05:41:00 -0400
+Subject: stat: fix inconsistency between struct stat and struct compat_stat
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+[ Upstream commit 932aba1e169090357a77af18850a10c256b50819 ]
+
+struct stat (defined in arch/x86/include/uapi/asm/stat.h) has 32-bit
+st_dev and st_rdev; struct compat_stat (defined in
+arch/x86/include/asm/compat.h) has 16-bit st_dev and st_rdev followed by
+a 16-bit padding.
+
+This patch fixes struct compat_stat to match struct stat.
+
+[ Historical note: the old x86 'struct stat' did have that 16-bit field
+  that the compat layer had kept around, but it was changes back in 2003
+  by "struct stat - support larger dev_t":
+
+    https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git/commit/?id=e95b2065677fe32512a597a79db94b77b90c968d
+
+  and back in those days, the x86_64 port was still new, and separate
+  from the i386 code, and had already picked up the old version with a
+  16-bit st_dev field ]
+
+Note that we can't change compat_dev_t because it is used by
+compat_loop_info.
+
+Also, if the st_dev and st_rdev values are 32-bit, we don't have to use
+old_valid_dev to test if the value fits into them.  This fixes
+-EOVERFLOW on filesystems that are on NVMe because NVMe uses the major
+number 259.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Cc: Andreas Schwab <schwab@linux-m68k.org>
+Cc: Matthew Wilcox <willy@infradead.org>
+Cc: Christoph Hellwig <hch@infradead.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/include/asm/compat.h |  6 ++----
+ fs/stat.c                     | 19 ++++++++++---------
+ 2 files changed, 12 insertions(+), 13 deletions(-)
+
+diff --git a/arch/x86/include/asm/compat.h b/arch/x86/include/asm/compat.h
+index 22c4dfe65992..b4dd6ab0fdfc 100644
+--- a/arch/x86/include/asm/compat.h
++++ b/arch/x86/include/asm/compat.h
+@@ -31,15 +31,13 @@ typedef s64 __attribute__((aligned(4))) compat_s64;
+ typedef u64 __attribute__((aligned(4))) compat_u64;
+ 
+ struct compat_stat {
+-      compat_dev_t    st_dev;
+-      u16             __pad1;
++      u32             st_dev;
+       compat_ino_t    st_ino;
+       compat_mode_t   st_mode;
+       compat_nlink_t  st_nlink;
+       __compat_uid_t  st_uid;
+       __compat_gid_t  st_gid;
+-      compat_dev_t    st_rdev;
+-      u16             __pad2;
++      u32             st_rdev;
+       u32             st_size;
+       u32             st_blksize;
+       u32             st_blocks;
+diff --git a/fs/stat.c b/fs/stat.c
+index c38e4c2e1221..268c9eb89656 100644
+--- a/fs/stat.c
++++ b/fs/stat.c
+@@ -290,9 +290,6 @@ SYSCALL_DEFINE2(fstat, unsigned int, fd, struct __old_kernel_stat __user *, stat
+ #  define choose_32_64(a,b) b
+ #endif
+ 
+-#define valid_dev(x)  choose_32_64(old_valid_dev(x),true)
+-#define encode_dev(x) choose_32_64(old_encode_dev,new_encode_dev)(x)
+-
+ #ifndef INIT_STRUCT_STAT_PADDING
+ #  define INIT_STRUCT_STAT_PADDING(st) memset(&st, 0, sizeof(st))
+ #endif
+@@ -301,7 +298,9 @@ static int cp_new_stat(struct kstat *stat, struct stat __user *statbuf)
+ {
+       struct stat tmp;
+ 
+-      if (!valid_dev(stat->dev) || !valid_dev(stat->rdev))
++      if (sizeof(tmp.st_dev) < 4 && !old_valid_dev(stat->dev))
++              return -EOVERFLOW;
++      if (sizeof(tmp.st_rdev) < 4 && !old_valid_dev(stat->rdev))
+               return -EOVERFLOW;
+ #if BITS_PER_LONG == 32
+       if (stat->size > MAX_NON_LFS)
+@@ -309,7 +308,7 @@ static int cp_new_stat(struct kstat *stat, struct stat __user *statbuf)
+ #endif
+ 
+       INIT_STRUCT_STAT_PADDING(tmp);
+-      tmp.st_dev = encode_dev(stat->dev);
++      tmp.st_dev = new_encode_dev(stat->dev);
+       tmp.st_ino = stat->ino;
+       if (sizeof(tmp.st_ino) < sizeof(stat->ino) && tmp.st_ino != stat->ino)
+               return -EOVERFLOW;
+@@ -319,7 +318,7 @@ static int cp_new_stat(struct kstat *stat, struct stat __user *statbuf)
+               return -EOVERFLOW;
+       SET_UID(tmp.st_uid, from_kuid_munged(current_user_ns(), stat->uid));
+       SET_GID(tmp.st_gid, from_kgid_munged(current_user_ns(), stat->gid));
+-      tmp.st_rdev = encode_dev(stat->rdev);
++      tmp.st_rdev = new_encode_dev(stat->rdev);
+       tmp.st_size = stat->size;
+       tmp.st_atime = stat->atime.tv_sec;
+       tmp.st_mtime = stat->mtime.tv_sec;
+@@ -593,11 +592,13 @@ static int cp_compat_stat(struct kstat *stat, struct compat_stat __user *ubuf)
+ {
+       struct compat_stat tmp;
+ 
+-      if (!old_valid_dev(stat->dev) || !old_valid_dev(stat->rdev))
++      if (sizeof(tmp.st_dev) < 4 && !old_valid_dev(stat->dev))
++              return -EOVERFLOW;
++      if (sizeof(tmp.st_rdev) < 4 && !old_valid_dev(stat->rdev))
+               return -EOVERFLOW;
+ 
+       memset(&tmp, 0, sizeof(tmp));
+-      tmp.st_dev = old_encode_dev(stat->dev);
++      tmp.st_dev = new_encode_dev(stat->dev);
+       tmp.st_ino = stat->ino;
+       if (sizeof(tmp.st_ino) < sizeof(stat->ino) && tmp.st_ino != stat->ino)
+               return -EOVERFLOW;
+@@ -607,7 +608,7 @@ static int cp_compat_stat(struct kstat *stat, struct compat_stat __user *ubuf)
+               return -EOVERFLOW;
+       SET_UID(tmp.st_uid, from_kuid_munged(current_user_ns(), stat->uid));
+       SET_GID(tmp.st_gid, from_kgid_munged(current_user_ns(), stat->gid));
+-      tmp.st_rdev = old_encode_dev(stat->rdev);
++      tmp.st_rdev = new_encode_dev(stat->rdev);
+       if ((u64) stat->size > MAX_NON_LFS)
+               return -EOVERFLOW;
+       tmp.st_size = stat->size;
+-- 
+2.35.1
+

diff --git a/queue-5.4/vxlan-fix-error-return-code-in-vxlan_fdb_append.patch b/queue-5.4/vxlan-fix-error-return-code-in-vxlan_fdb_append.patch
new file mode 100644 (file)
index 0000000..b65fd3f
--- /dev/null
+++ b/queue-5.4/vxlan-fix-error-return-code-in-vxlan_fdb_append.patch
@@ -0,0 +1,40 @@
+From 37652345b9619c92dcac5bf7bdfe6e15d586ef82 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Apr 2022 22:46:22 -0400
+Subject: vxlan: fix error return code in vxlan_fdb_append
+
+From: Hongbin Wang <wh_bin@126.com>
+
+[ Upstream commit 7cea5560bf656b84f9ed01c0cc829d4eecd0640b ]
+
+When kmalloc and dst_cache_init failed,
+should return ENOMEM rather than ENOBUFS.
+
+Signed-off-by: Hongbin Wang <wh_bin@126.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/vxlan.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c
+index c5991e31c557..f4869b1836f3 100644
+--- a/drivers/net/vxlan.c
++++ b/drivers/net/vxlan.c
+@@ -679,11 +679,11 @@ static int vxlan_fdb_append(struct vxlan_fdb *f,
+ 
+       rd = kmalloc(sizeof(*rd), GFP_ATOMIC);
+       if (rd == NULL)
+-              return -ENOBUFS;
++              return -ENOMEM;
+ 
+       if (dst_cache_init(&rd->dst_cache, GFP_ATOMIC)) {
+               kfree(rd);
+-              return -ENOBUFS;
++              return -ENOMEM;
+       }
+ 
+       rd->remote_ip = *ip;
+-- 
+2.35.1
+