--- /dev/null
+From 965a7d72e798eb7af0aa67210e37cf7ecd1c9cad Mon Sep 17 00:00:00 2001
+From: Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be>
+Date: Tue, 11 May 2021 20:02:42 +0200
+Subject: mac80211: assure all fragments are encrypted
+
+From: Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be>
+
+commit 965a7d72e798eb7af0aa67210e37cf7ecd1c9cad upstream.
+
+Do not mix plaintext and encrypted fragments in protected Wi-Fi
+networks. This fixes CVE-2020-26147.
+
+Previously, an attacker was able to first forward a legitimate encrypted
+fragment towards a victim, followed by a plaintext fragment. The
+encrypted and plaintext fragment would then be reassembled. For further
+details see Section 6.3 and Appendix D in the paper "Fragment and Forge:
+Breaking Wi-Fi Through Frame Aggregation and Fragmentation".
+
+Because of this change there are now two equivalent conditions in the
+code to determine if a received fragment requires sequential PNs, so we
+also move this test to a separate function to make the code easier to
+maintain.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be>
+Link: https://lore.kernel.org/r/20210511200110.30c4394bb835.I5acfdb552cc1d20c339c262315950b3eac491397@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/rx.c | 23 ++++++++++++-----------
+ 1 file changed, 12 insertions(+), 11 deletions(-)
+
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -2204,6 +2204,16 @@ ieee80211_reassemble_find(struct ieee802
+ return NULL;
+ }
+
++static bool requires_sequential_pn(struct ieee80211_rx_data *rx, __le16 fc)
++{
++ return rx->key &&
++ (rx->key->conf.cipher == WLAN_CIPHER_SUITE_CCMP ||
++ rx->key->conf.cipher == WLAN_CIPHER_SUITE_CCMP_256 ||
++ rx->key->conf.cipher == WLAN_CIPHER_SUITE_GCMP ||
++ rx->key->conf.cipher == WLAN_CIPHER_SUITE_GCMP_256) &&
++ ieee80211_has_protected(fc);
++}
++
+ static ieee80211_rx_result debug_noinline
+ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
+ {
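Review bot: `requires_sequential_pn()` has no comment, and its name hides that the last term, `ieee80211_has_protected(fc)`, is what the later `!requires_sequential_pn(rx, fc)` test in ieee80211_rx_h_defragment() relies on to reject a plaintext fragment. A short header would record that, e.g. `/* true if this frame is CCMP/GCMP-protected; every fragment of such a frame must be protected and carry consecutive PNs */`. The helper only reads through `rx`, so the parameter could be declared `const struct ieee80211_rx_data *rx`.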
+@@ -2248,12 +2258,7 @@ ieee80211_rx_h_defragment(struct ieee802
+ /* This is the first fragment of a new frame. */
+ entry = ieee80211_reassemble_add(rx->sdata, frag, seq,
+ rx->seqno_idx, &(rx->skb));
+- if (rx->key &&
+- (rx->key->conf.cipher == WLAN_CIPHER_SUITE_CCMP ||
+- rx->key->conf.cipher == WLAN_CIPHER_SUITE_CCMP_256 ||
+- rx->key->conf.cipher == WLAN_CIPHER_SUITE_GCMP ||
+- rx->key->conf.cipher == WLAN_CIPHER_SUITE_GCMP_256) &&
+- ieee80211_has_protected(fc)) {
++ if (requires_sequential_pn(rx, fc)) {
+ int queue = rx->security_idx;
+
+ /* Store CCMP/GCMP PN so that we can verify that the
+@@ -2295,11 +2300,7 @@ ieee80211_rx_h_defragment(struct ieee802
+ u8 pn[IEEE80211_CCMP_PN_LEN], *rpn;
+ int queue;
+
+- if (!rx->key ||
+- (rx->key->conf.cipher != WLAN_CIPHER_SUITE_CCMP &&
+- rx->key->conf.cipher != WLAN_CIPHER_SUITE_CCMP_256 &&
+- rx->key->conf.cipher != WLAN_CIPHER_SUITE_GCMP &&
+- rx->key->conf.cipher != WLAN_CIPHER_SUITE_GCMP_256))
++ if (!requires_sequential_pn(rx, fc))
+ return RX_DROP_UNUSABLE;
+ memcpy(pn, entry->last_pn, IEEE80211_CCMP_PN_LEN);
+ for (i = IEEE80211_CCMP_PN_LEN - 1; i >= 0; i--) {
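Review bot: The new `!requires_sequential_pn(rx, fc)` drop only runs inside the block that the `pn`/`queue` declarations open, and that block's condition is outside the hunk. If it is gated on the cache entry having been started by a CCMP/GCMP fragment (which the `check_sequential_pn` flag set on the first-fragment path suggests), a reassembly that began with a plaintext or TKIP/WEP fragment never reaches this test, so mixing would still be possible for those entries. This should be confirmed against the full function. Then either record in the cache entry whether the first fragment was protected, or state the limitation in a comment such as `/* only entries started by a CCMP/GCMP fragment are checked here */`.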
--- /dev/null
+From 94034c40ab4a3fcf581fbc7f8fdf4e29943c4a24 Mon Sep 17 00:00:00 2001
+From: Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be>
+Date: Tue, 11 May 2021 20:02:43 +0200
+Subject: mac80211: prevent mixed key and fragment cache attacks
+
+From: Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be>
+
+commit 94034c40ab4a3fcf581fbc7f8fdf4e29943c4a24 upstream.
+
+Simultaneously prevent mixed key attacks (CVE-2020-24587) and fragment
+cache attacks (CVE-2020-24586). This is accomplished by assigning a
+unique color to every key (per interface) and using this to track which
+key was used to decrypt a fragment. When reassembling frames, it is
+now checked whether all fragments were decrypted using the same key.
+
+To assure that fragment cache attacks are also prevented, the ID that is
+assigned to keys is unique even over (re)associations and (re)connects.
+This means fragments separated by a (re)association or (re)connect will
+not be reassembled. Because mac80211 now also prevents the reassembly of
+mixed encrypted and plaintext fragments, all cache attacks are prevented.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be>
+Link: https://lore.kernel.org/r/20210511200110.3f8290e59823.I622a67769ed39257327a362cfc09c812320eb979@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/ieee80211_i.h | 1 +
+ net/mac80211/key.c | 7 +++++++
+ net/mac80211/key.h | 2 ++
+ net/mac80211/rx.c | 6 ++++++
+ 4 files changed, 16 insertions(+)
+
+--- a/net/mac80211/ieee80211_i.h
++++ b/net/mac80211/ieee80211_i.h
+@@ -97,6 +97,7 @@ struct ieee80211_fragment_entry {
+ u8 rx_queue;
+ bool check_sequential_pn; /* needed for CCMP/GCMP */
+ u8 last_pn[6]; /* PN of the last fragment if CCMP was used */
++ unsigned int key_color;
+ };
+
+
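Review bot: The new `key_color` member is the only field in this part of `struct ieee80211_fragment_entry` without a trailing comment, and the matching `color` field added to `struct ieee80211_key` in key.h is undocumented as well. Suggest `unsigned int key_color; /* color of the key that decrypted the first fragment */` here and `unsigned int color; /* ID assigned in ieee80211_key_link(), compared during defragmentation */` in key.h. In the rx.c hunks shown, the field is written only on the path that also sets `check_sequential_pn`, so the comment could add that it is meaningful only when that flag is set.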
+--- a/net/mac80211/key.c
++++ b/net/mac80211/key.c
+@@ -799,6 +799,7 @@ int ieee80211_key_link(struct ieee80211_
+ struct ieee80211_sub_if_data *sdata,
+ struct sta_info *sta)
+ {
++ static atomic_t key_color = ATOMIC_INIT(0);
+ struct ieee80211_key *old_key;
+ int idx = key->conf.keyidx;
+ bool pairwise = key->conf.flags & IEEE80211_KEY_FLAG_PAIRWISE;
+@@ -850,6 +851,12 @@ int ieee80211_key_link(struct ieee80211_
+ key->sdata = sdata;
+ key->sta = sta;
+
++ /*
++ * Assign a unique ID to every key so we can easily prevent mixed
++ * key and fragment cache attacks.
++ */
++ key->color = atomic_inc_return(&key_color);
++
+ increment_tailroom_need_count(sdata);
+
+ ret = ieee80211_key_replace(sdata, sta, pairwise, old_key, key);
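Review bot: The comment promises a unique ID, but `key_color` is an `atomic_t` that `atomic_inc_return()` advances with no wrap handling, so a value repeats after 2^32 key installs. The counter is also a function-local static shared by all callers, not per-interface state as the commit message words it. Neither is likely to matter in practice, but the comment should say what is actually guaranteed, e.g. `/* Assign an ID from a global counter (unique until it wraps) so fragments decrypted with different keys are never reassembled together. */`. ieee80211_key_link() starts and ends outside both key.c hunks.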
+--- a/net/mac80211/key.h
++++ b/net/mac80211/key.h
+@@ -128,6 +128,8 @@ struct ieee80211_key {
+ } debugfs;
+ #endif
+
++ unsigned int color;
++
+ /*
+ * key config, must be last because it contains key
+ * material as variable length member
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -2265,6 +2265,7 @@ ieee80211_rx_h_defragment(struct ieee802
+ * next fragment has a sequential PN value.
+ */
+ entry->check_sequential_pn = true;
++ entry->key_color = rx->key->color;
+ memcpy(entry->last_pn,
+ rx->key->u.ccmp.rx_pn[queue],
+ IEEE80211_CCMP_PN_LEN);
+@@ -2302,6 +2303,11 @@ ieee80211_rx_h_defragment(struct ieee802
+
+ if (!requires_sequential_pn(rx, fc))
+ return RX_DROP_UNUSABLE;
++
++ /* Prevent mixed key and fragment cache attacks */
++ if (entry->key_color != rx->key->color)
++ return RX_DROP_UNUSABLE;
++
+ memcpy(pn, entry->last_pn, IEEE80211_CCMP_PN_LEN);
+ for (i = IEEE80211_CCMP_PN_LEN - 1; i >= 0; i--) {
+ pn[i]++;
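Review bot: `rx->key->color` is dereferenced without a NULL test of its own; it is safe only because `requires_sequential_pn()` directly above returns false when `rx->key` is NULL. That coupling is easy to break if the two checks are reordered or the helper changes, so the comment should carry it: `/* rx->key is non-NULL here (checked by requires_sequential_pn()); drop fragments decrypted with a different key */`. The same dependency applies to the `entry->key_color = rx->key->color;` store in the first-fragment hunk of this file.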
--- /dev/null
+From 1a6e9a9c68c1f183872e4bcc947382111c2e04eb Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 24 May 2021 11:25:11 +0200
+Subject: net: hso: fix control-request directions
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 1a6e9a9c68c1f183872e4bcc947382111c2e04eb upstream.
+
+The direction of the pipe argument must match the request-type direction
+bit or control requests may fail depending on the host-controller-driver
+implementation.
+
+Fix the tiocmset and rfkill requests which erroneously used
+usb_rcvctrlpipe().
+
+Fixes: 72dc1c096c70 ("HSO: add option hso driver")
+Cc: stable@vger.kernel.org # 2.6.27
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/hso.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/usb/hso.c
++++ b/drivers/net/usb/hso.c
+@@ -1689,7 +1689,7 @@ static int hso_serial_tiocmset(struct tt
+ spin_unlock_irqrestore(&serial->serial_lock, flags);
+
+ return usb_control_msg(serial->parent->usb,
+- usb_rcvctrlpipe(serial->parent->usb, 0), 0x22,
++ usb_sndctrlpipe(serial->parent->usb, 0), 0x22,
+ 0x21, val, if_num, NULL, 0,
+ USB_CTRL_SET_TIMEOUT);
+ }
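Review bot: Both corrected calls still pass the request and request type as bare hex (`0x22, 0x21` here, `enabled ? 0x82 : 0x81, 0x40` in hso_rfkill_set_block()), which makes a mismatch between the pipe direction and the request-type direction bit hard to spot. Spelling the request type with the USB constants puts the direction next to the pipe, e.g. `USB_DIR_OUT | USB_TYPE_CLASS | USB_RECIP_INTERFACE` for 0x21 and `USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE` for 0x40. Both functions begin outside their hunks.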
+@@ -2436,7 +2436,7 @@ static int hso_rfkill_set_block(void *da
+ if (hso_dev->usb_gone)
+ rv = 0;
+ else
+- rv = usb_control_msg(hso_dev->usb, usb_rcvctrlpipe(hso_dev->usb, 0),
++ rv = usb_control_msg(hso_dev->usb, usb_sndctrlpipe(hso_dev->usb, 0),
+ enabled ? 0x82 : 0x81, 0x40, 0, 0, NULL, 0,
+ USB_CTRL_SET_TIMEOUT);
+ mutex_unlock(&hso_dev->mutex);
--- /dev/null
+From e70f7a11876a1a788ceadf75e9e5f7af2c868680 Mon Sep 17 00:00:00 2001
+From: Davide Caratti <dcaratti@redhat.com>
+Date: Sat, 22 May 2021 15:15:13 +0200
+Subject: net/sched: fq_pie: fix OOB access in the traffic path
+
+From: Davide Caratti <dcaratti@redhat.com>
+
+commit e70f7a11876a1a788ceadf75e9e5f7af2c868680 upstream.
+
+the following script:
+
+ # tc qdisc add dev eth0 handle 0x1 root fq_pie flows 2
+ # tc qdisc add dev eth0 clsact
+ # tc filter add dev eth0 egress matchall action skbedit priority 0x10002
+ # ping 192.0.2.2 -I eth0 -c2 -w1 -q
+
+produces the following splat:
+
+ BUG: KASAN: slab-out-of-bounds in fq_pie_qdisc_enqueue+0x1314/0x19d0 [sch_fq_pie]
+ Read of size 4 at addr ffff888171306924 by task ping/942
+
+ CPU: 3 PID: 942 Comm: ping Not tainted 5.12.0+ #441
+ Hardware name: Red Hat KVM, BIOS 1.11.1-4.module+el8.1.0+4066+0f1aadab 04/01/2014
+ Call Trace:
+ dump_stack+0x92/0xc1
+ print_address_description.constprop.7+0x1a/0x150
+ kasan_report.cold.13+0x7f/0x111
+ fq_pie_qdisc_enqueue+0x1314/0x19d0 [sch_fq_pie]
+ __dev_queue_xmit+0x1034/0x2b10
+ ip_finish_output2+0xc62/0x2120
+ __ip_finish_output+0x553/0xea0
+ ip_output+0x1ca/0x4d0
+ ip_send_skb+0x37/0xa0
+ raw_sendmsg+0x1c4b/0x2d00
+ sock_sendmsg+0xdb/0x110
+ __sys_sendto+0x1d7/0x2b0
+ __x64_sys_sendto+0xdd/0x1b0
+ do_syscall_64+0x3c/0x80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+ RIP: 0033:0x7fe69735c3eb
+ Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 f3 0f 1e fa 48 8d 05 75 42 2c 00 41 89 ca 8b 00 85 c0 75 14 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 75 c3 0f 1f 40 00 41 57 4d 89 c7 41 56 41 89
+ RSP: 002b:00007fff06d7fb38 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
+ RAX: ffffffffffffffda RBX: 000055e961413700 RCX: 00007fe69735c3eb
+ RDX: 0000000000000040 RSI: 000055e961413700 RDI: 0000000000000003
+ RBP: 0000000000000040 R08: 000055e961410500 R09: 0000000000000010
+ R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff06d81260
+ R13: 00007fff06d7fb40 R14: 00007fff06d7fc30 R15: 000055e96140f0a0
+
+ Allocated by task 917:
+ kasan_save_stack+0x19/0x40
+ __kasan_kmalloc+0x7f/0xa0
+ __kmalloc_node+0x139/0x280
+ fq_pie_init+0x555/0x8e8 [sch_fq_pie]
+ qdisc_create+0x407/0x11b0
+ tc_modify_qdisc+0x3c2/0x17e0
+ rtnetlink_rcv_msg+0x346/0x8e0
+ netlink_rcv_skb+0x120/0x380
+ netlink_unicast+0x439/0x630
+ netlink_sendmsg+0x719/0xbf0
+ sock_sendmsg+0xe2/0x110
+ ____sys_sendmsg+0x5ba/0x890
+ ___sys_sendmsg+0xe9/0x160
+ __sys_sendmsg+0xd3/0x170
+ do_syscall_64+0x3c/0x80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+ The buggy address belongs to the object at ffff888171306800
+ which belongs to the cache kmalloc-256 of size 256
+ The buggy address is located 36 bytes to the right of
+ 256-byte region [ffff888171306800, ffff888171306900)
+ The buggy address belongs to the page:
+ page:00000000bcfb624e refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x171306
+ head:00000000bcfb624e order:1 compound_mapcount:0
+ flags: 0x17ffffc0010200(slab|head|node=0|zone=2|lastcpupid=0x1fffff)
+ raw: 0017ffffc0010200 dead000000000100 dead000000000122 ffff888100042b40
+ raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
+ page dumped because: kasan: bad access detected
+
+ Memory state around the buggy address:
+ ffff888171306800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ ffff888171306880: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
+ >ffff888171306900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ^
+ ffff888171306980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ffff888171306a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+
+fix fq_pie traffic path to avoid selecting 'q->flows + q->flows_cnt' as a
+valid flow: it's an address beyond the allocated memory.
+
+Fixes: ec97ecf1ebe4 ("net: sched: add Flow Queue PIE packet scheduler")
+CC: stable@vger.kernel.org
+Signed-off-by: Davide Caratti <dcaratti@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_fq_pie.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/net/sched/sch_fq_pie.c
++++ b/net/sched/sch_fq_pie.c
+@@ -138,8 +138,15 @@ static int fq_pie_qdisc_enqueue(struct s
+
+ /* Classifies packet into corresponding flow */
+ idx = fq_pie_classify(skb, sch, &ret);
+- sel_flow = &q->flows[idx];
++ if (idx == 0) {
++ if (ret & __NET_XMIT_BYPASS)
++ qdisc_qstats_drop(sch);
++ __qdisc_drop(skb, to_free);
++ return ret;
++ }
++ idx--;
+
++ sel_flow = &q->flows[idx];
+ /* Checks whether adding a new packet would exceed memory limit */
+ get_pie_cb(skb)->mem_usage = skb->truesize;
+ memory_limited = q->memory_usage > q->memory_limit + skb->truesize;
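Review bot: After `idx--` the value indexes `q->flows` with no upper-bound check, so the fix rests entirely on fq_pie_classify() returning either 0 or a 1-based index no larger than `q->flows_cnt`. That function is outside the hunk, so this cannot be confirmed here. The existing comment should state the contract, e.g. `/* fq_pie_classify() returns a 1-based flow index, or 0 when the packet must be dropped */`. A cheap guard such as `if (unlikely(idx >= q->flows_cnt))` that takes the same drop path would keep a future classifier change from reintroducing the out-of-bounds read.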
--- /dev/null
+From 3a62fed2fd7b6fea96d720e779cafc30dfb3a22e Mon Sep 17 00:00:00 2001
+From: Davide Caratti <dcaratti@redhat.com>
+Date: Sat, 22 May 2021 15:14:45 +0200
+Subject: net/sched: fq_pie: re-factor fix for fq_pie endless loop
+
+From: Davide Caratti <dcaratti@redhat.com>
+
+commit 3a62fed2fd7b6fea96d720e779cafc30dfb3a22e upstream.
+
+the patch that fixed an endless loop in_fq_pie_init() was not considering
+that 65535 is a valid class id. The correct bugfix for this infinite loop
+is to change 'idx' to become an u32, like Colin proposed in the past [1].
+
+Fix this as follows:
+ - restore 65536 as maximum possible values of 'flows_cnt'
+ - use u32 'idx' when iterating on 'q->flows'
+ - fix the TDC selftest
+
+This reverts commit bb2f930d6dd708469a587dc9ed1efe1ef969c0bf.
+
+[1] https://lore.kernel.org/netdev/20210407163808.499027-1-colin.king@canonical.com/
+
+CC: Colin Ian King <colin.king@canonical.com>
+CC: stable@vger.kernel.org
+Fixes: bb2f930d6dd7 ("net/sched: fix infinite loop in sch_fq_pie")
+Fixes: ec97ecf1ebe4 ("net: sched: add Flow Queue PIE packet scheduler")
+Signed-off-by: Davide Caratti <dcaratti@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_fq_pie.c | 10 +++++-----
+ tools/testing/selftests/tc-testing/tc-tests/qdiscs/fq_pie.json | 8 ++++----
+ 2 files changed, 9 insertions(+), 9 deletions(-)
+
+--- a/net/sched/sch_fq_pie.c
++++ b/net/sched/sch_fq_pie.c
+@@ -297,9 +297,9 @@ static int fq_pie_change(struct Qdisc *s
+ goto flow_error;
+ }
+ q->flows_cnt = nla_get_u32(tb[TCA_FQ_PIE_FLOWS]);
+- if (!q->flows_cnt || q->flows_cnt >= 65536) {
++ if (!q->flows_cnt || q->flows_cnt > 65536) {
+ NL_SET_ERR_MSG_MOD(extack,
+- "Number of flows must range in [1..65535]");
++ "Number of flows must range in [1..65536]");
+ goto flow_error;
+ }
+ }
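Review bot: The limit is a bare `65536` that appears in the condition and again inside the error string, while the three `u16 idx` to `u32 idx` changes in fq_pie_timer(), fq_pie_init() and fq_pie_reset() are correct only as long as the counter type is wider than that limit. Nothing in the code ties the two together, which per the commit message is how the earlier endless loop came about. A named constant (for instance `#define FQ_PIE_MAX_FLOWS 65536`, the name is only a suggestion) with a one-line comment that `idx` must be able to hold it would make the dependency explicit. The loops themselves are outside these hunks.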
+@@ -367,7 +367,7 @@ static void fq_pie_timer(struct timer_li
+ struct fq_pie_sched_data *q = from_timer(q, t, adapt_timer);
+ struct Qdisc *sch = q->sch;
+ spinlock_t *root_lock; /* to lock qdisc for probability calculations */
+- u16 idx;
++ u32 idx;
+
+ root_lock = qdisc_lock(qdisc_root_sleeping(sch));
+ spin_lock(root_lock);
+@@ -388,7 +388,7 @@ static int fq_pie_init(struct Qdisc *sch
+ {
+ struct fq_pie_sched_data *q = qdisc_priv(sch);
+ int err;
+- u16 idx;
++ u32 idx;
+
+ pie_params_init(&q->p_params);
+ sch->limit = 10 * 1024;
+@@ -500,7 +500,7 @@ static int fq_pie_dump_stats(struct Qdis
+ static void fq_pie_reset(struct Qdisc *sch)
+ {
+ struct fq_pie_sched_data *q = qdisc_priv(sch);
+- u16 idx;
++ u32 idx;
+
+ INIT_LIST_HEAD(&q->new_flows);
+ INIT_LIST_HEAD(&q->old_flows);
+--- a/tools/testing/selftests/tc-testing/tc-tests/qdiscs/fq_pie.json
++++ b/tools/testing/selftests/tc-testing/tc-tests/qdiscs/fq_pie.json
+@@ -9,11 +9,11 @@
+ "setup": [
+ "$IP link add dev $DUMMY type dummy || /bin/true"
+ ],
+- "cmdUnderTest": "$TC qdisc add dev $DUMMY root fq_pie flows 65536",
+- "expExitCode": "2",
++ "cmdUnderTest": "$TC qdisc add dev $DUMMY handle 1: root fq_pie flows 65536",
++ "expExitCode": "0",
+ "verifyCmd": "$TC qdisc show dev $DUMMY",
+- "matchPattern": "qdisc",
+- "matchCount": "0",
++ "matchPattern": "qdisc fq_pie 1: root refcnt 2 limit 10240p flows 65536",
++ "matchCount": "1",
+ "teardown": [
+ "$IP link del dev $DUMMY"
+ ]
--- /dev/null
+From f0b3d338064e1fe7531f0d2977e35f3b334abfb4 Mon Sep 17 00:00:00 2001
+From: Stefano Brivio <sbrivio@redhat.com>
+Date: Mon, 10 May 2021 07:58:22 +0200
+Subject: netfilter: nft_set_pipapo_avx2: Add irq_fpu_usable() check, fallback to non-AVX2 version
+
+From: Stefano Brivio <sbrivio@redhat.com>
+
+commit f0b3d338064e1fe7531f0d2977e35f3b334abfb4 upstream.
+
+Arturo reported this backtrace:
+
+[709732.358791] WARNING: CPU: 3 PID: 456 at arch/x86/kernel/fpu/core.c:128 kernel_fpu_begin_mask+0xae/0xe0
+[709732.358793] Modules linked in: binfmt_misc nft_nat nft_chain_nat nf_nat nft_counter nft_ct nf_tables nf_conntrack_netlink nfnetlink 8021q garp stp mrp llc vrf intel_rapl_msr intel_rapl_common skx_edac nfit libnvdimm ipmi_ssif x86_pkg_temp_thermal intel_powerclamp coretemp crc32_pclmul mgag200 ghash_clmulni_intel drm_kms_helper cec aesni_intel drm libaes crypto_simd cryptd glue_helper mei_me dell_smbios iTCO_wdt evdev intel_pmc_bxt iTCO_vendor_support dcdbas pcspkr rapl dell_wmi_descriptor wmi_bmof sg i2c_algo_bit watchdog mei acpi_ipmi ipmi_si button nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ipmi_devintf ipmi_msghandler ip_tables x_tables autofs4 ext4 crc16 mbcache jbd2 dm_mod raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor sd_mod t10_pi crc_t10dif crct10dif_generic raid6_pq libcrc32c crc32c_generic raid1 raid0 multipath linear md_mod ahci libahci tg3 libata xhci_pci libphy xhci_hcd ptp usbcore crct10dif_pclmul crct10dif_common bnxt_en crc32c_intel scsi_mod
+[709732.358941] pps_core i2c_i801 lpc_ich i2c_smbus wmi usb_common
+[709732.358957] CPU: 3 PID: 456 Comm: jbd2/dm-0-8 Not tainted 5.10.0-0.bpo.5-amd64 #1 Debian 5.10.24-1~bpo10+1
+[709732.358959] Hardware name: Dell Inc. PowerEdge R440/04JN2K, BIOS 2.9.3 09/23/2020
+[709732.358964] RIP: 0010:kernel_fpu_begin_mask+0xae/0xe0
+[709732.358969] Code: ae 54 24 04 83 e3 01 75 38 48 8b 44 24 08 65 48 33 04 25 28 00 00 00 75 33 48 83 c4 10 5b c3 65 8a 05 5e 21 5e 76 84 c0 74 92 <0f> 0b eb 8e f0 80 4f 01 40 48 81 c7 00 14 00 00 e8 dd fb ff ff eb
+[709732.358972] RSP: 0018:ffffbb9700304740 EFLAGS: 00010202
+[709732.358976] RAX: 0000000000000001 RBX: 0000000000000003 RCX: 0000000000000001
+[709732.358979] RDX: ffffbb9700304970 RSI: ffff922fe1952e00 RDI: 0000000000000003
+[709732.358981] RBP: ffffbb9700304970 R08: ffff922fc868a600 R09: ffff922fc711e462
+[709732.358984] R10: 000000000000005f R11: ffff922ff0b27180 R12: ffffbb9700304960
+[709732.358987] R13: ffffbb9700304b08 R14: ffff922fc664b6c8 R15: ffff922fc664b660
+[709732.358990] FS: 0000000000000000(0000) GS:ffff92371fec0000(0000) knlGS:0000000000000000
+[709732.358993] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[709732.358996] CR2: 0000557a6655bdd0 CR3: 000000026020a001 CR4: 00000000007706e0
+[709732.358999] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[709732.359001] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[709732.359003] PKRU: 55555554
+[709732.359005] Call Trace:
+[709732.359009] <IRQ>
+[709732.359035] nft_pipapo_avx2_lookup+0x4c/0x1cba [nf_tables]
+[709732.359046] ? sched_clock+0x5/0x10
+[709732.359054] ? sched_clock_cpu+0xc/0xb0
+[709732.359061] ? record_times+0x16/0x80
+[709732.359068] ? plist_add+0xc1/0x100
+[709732.359073] ? psi_group_change+0x47/0x230
+[709732.359079] ? skb_clone+0x4d/0xb0
+[709732.359085] ? enqueue_task_rt+0x22b/0x310
+[709732.359098] ? bnxt_start_xmit+0x1e8/0xaf0 [bnxt_en]
+[709732.359102] ? packet_rcv+0x40/0x4a0
+[709732.359121] nft_lookup_eval+0x59/0x160 [nf_tables]
+[709732.359133] nft_do_chain+0x350/0x500 [nf_tables]
+[709732.359152] ? nft_lookup_eval+0x59/0x160 [nf_tables]
+[709732.359163] ? nft_do_chain+0x364/0x500 [nf_tables]
+[709732.359172] ? fib4_rule_action+0x6d/0x80
+[709732.359178] ? fib_rules_lookup+0x107/0x250
+[709732.359184] nft_nat_do_chain+0x8a/0xf2 [nft_chain_nat]
+[709732.359193] nf_nat_inet_fn+0xea/0x210 [nf_nat]
+[709732.359202] nf_nat_ipv4_out+0x14/0xa0 [nf_nat]
+[709732.359207] nf_hook_slow+0x44/0xc0
+[709732.359214] ip_output+0xd2/0x100
+[709732.359221] ? __ip_finish_output+0x210/0x210
+[709732.359226] ip_forward+0x37d/0x4a0
+[709732.359232] ? ip4_key_hashfn+0xb0/0xb0
+[709732.359238] ip_sublist_rcv_finish+0x4f/0x60
+[709732.359243] ip_sublist_rcv+0x196/0x220
+[709732.359250] ? ip_rcv_finish_core.isra.22+0x400/0x400
+[709732.359255] ip_list_rcv+0x137/0x160
+[709732.359264] __netif_receive_skb_list_core+0x29b/0x2c0
+[709732.359272] netif_receive_skb_list_internal+0x1a6/0x2d0
+[709732.359280] gro_normal_list.part.156+0x19/0x40
+[709732.359286] napi_complete_done+0x67/0x170
+[709732.359298] bnxt_poll+0x105/0x190 [bnxt_en]
+[709732.359304] ? irqentry_exit+0x29/0x30
+[709732.359309] ? asm_common_interrupt+0x1e/0x40
+[709732.359315] net_rx_action+0x144/0x3c0
+[709732.359322] __do_softirq+0xd5/0x29c
+[709732.359329] asm_call_irq_on_stack+0xf/0x20
+[709732.359332] </IRQ>
+[709732.359339] do_softirq_own_stack+0x37/0x40
+[709732.359346] irq_exit_rcu+0x9d/0xa0
+[709732.359353] common_interrupt+0x78/0x130
+[709732.359358] asm_common_interrupt+0x1e/0x40
+[709732.359366] RIP: 0010:crc_41+0x0/0x1e [crc32c_intel]
+[709732.359370] Code: ff ff f2 4d 0f 38 f1 93 a8 fe ff ff f2 4c 0f 38 f1 81 b0 fe ff ff f2 4c 0f 38 f1 8a b0 fe ff ff f2 4d 0f 38 f1 93 b0 fe ff ff <f2> 4c 0f 38 f1 81 b8 fe ff ff f2 4c 0f 38 f1 8a b8 fe ff ff f2 4d
+[709732.359373] RSP: 0018:ffffbb97008dfcd0 EFLAGS: 00000246
+[709732.359377] RAX: 000000000000002a RBX: 0000000000000400 RCX: ffff922fc591dd50
+[709732.359379] RDX: ffff922fc591dea0 RSI: 0000000000000a14 RDI: ffffffffc00dddc0
+[709732.359382] RBP: 0000000000001000 R08: 000000000342d8c3 R09: 0000000000000000
+[709732.359384] R10: 0000000000000000 R11: ffff922fc591dff0 R12: ffffbb97008dfe58
+[709732.359386] R13: 000000000000000a R14: ffff922fd2b91e80 R15: ffff922fef83fe38
+[709732.359395] ? crc_43+0x1e/0x1e [crc32c_intel]
+[709732.359403] ? crc32c_pcl_intel_update+0x97/0xb0 [crc32c_intel]
+[709732.359419] ? jbd2_journal_commit_transaction+0xaec/0x1a30 [jbd2]
+[709732.359425] ? irq_exit_rcu+0x3e/0xa0
+[709732.359447] ? kjournald2+0xbd/0x270 [jbd2]
+[709732.359454] ? finish_wait+0x80/0x80
+[709732.359470] ? commit_timeout+0x10/0x10 [jbd2]
+[709732.359476] ? kthread+0x116/0x130
+[709732.359481] ? kthread_park+0x80/0x80
+[709732.359488] ? ret_from_fork+0x1f/0x30
+[709732.359494] ---[ end trace 081a19978e5f09f5 ]---
+
+that is, nft_pipapo_avx2_lookup() uses the FPU running from a softirq
+that interrupted a kthread, also using the FPU.
+
+That's exactly the reason why irq_fpu_usable() is there: use it, and
+if we can't use the FPU, fall back to the non-AVX2 version of the
+lookup operation, i.e. nft_pipapo_lookup().
+
+Reported-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
+Cc: <stable@vger.kernel.org> # 5.6.x
+Fixes: 7400b063969b ("nft_set_pipapo: Introduce AVX2-based lookup implementation")
+Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nft_set_pipapo.c | 4 ++--
+ net/netfilter/nft_set_pipapo.h | 2 ++
+ net/netfilter/nft_set_pipapo_avx2.c | 3 +++
+ 3 files changed, 7 insertions(+), 2 deletions(-)
+
+--- a/net/netfilter/nft_set_pipapo.c
++++ b/net/netfilter/nft_set_pipapo.c
+@@ -408,8 +408,8 @@ int pipapo_refill(unsigned long *map, in
+ *
+ * Return: true on match, false otherwise.
+ */
+-static bool nft_pipapo_lookup(const struct net *net, const struct nft_set *set,
+- const u32 *key, const struct nft_set_ext **ext)
++bool nft_pipapo_lookup(const struct net *net, const struct nft_set *set,
++ const u32 *key, const struct nft_set_ext **ext)
+ {
+ struct nft_pipapo *priv = nft_set_priv(set);
+ unsigned long *res_map, *fill_map;
+--- a/net/netfilter/nft_set_pipapo.h
++++ b/net/netfilter/nft_set_pipapo.h
+@@ -178,6 +178,8 @@ struct nft_pipapo_elem {
+
+ int pipapo_refill(unsigned long *map, int len, int rules, unsigned long *dst,
+ union nft_pipapo_map_bucket *mt, bool match_only);
++bool nft_pipapo_lookup(const struct net *net, const struct nft_set *set,
++ const u32 *key, const struct nft_set_ext **ext);
+
+ /**
+ * pipapo_and_field_buckets_4bit() - Intersect 4-bit buckets
+--- a/net/netfilter/nft_set_pipapo_avx2.c
++++ b/net/netfilter/nft_set_pipapo_avx2.c
+@@ -1131,6 +1131,9 @@ bool nft_pipapo_avx2_lookup(const struct
+ bool map_index;
+ int i, ret = 0;
+
++ if (unlikely(!irq_fpu_usable()))
++ return nft_pipapo_lookup(net, set, key, ext);
++
+ m = rcu_dereference(priv->match);
+
+ /* This also protects access to all data related to scratch maps */
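Review bot: The new early return has no comment, so nothing at this site explains why the AVX2 lookup hands off to the generic one. Suggest `/* FPU may already be in use by the context we interrupted: fall back to the non-AVX2 lookup */` above the `irq_fpu_usable()` test. The test has to stay ahead of whatever opens the kernel FPU section further down in nft_pipapo_avx2_lookup(), which is outside the hunk and worth confirming. nft_pipapo_lookup() loses `static` for this, so its kernel-doc in nft_set_pipapo.c could mention that it now also serves as the fallback.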
--- /dev/null
+From c954eb72b31a9dc56c99b450253ec5b121add320 Mon Sep 17 00:00:00 2001
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Wed, 19 May 2021 10:45:14 +0300
+Subject: perf intel-pt: Fix sample instruction bytes
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+commit c954eb72b31a9dc56c99b450253ec5b121add320 upstream.
+
+The decoder reports the current instruction if it was decoded. In some
+cases the current instruction is not decoded, in which case the instruction
+bytes length must be set to zero. Ensure that is always done.
+
+Note perf script can anyway get the instruction bytes for any samples where
+they are not present.
+
+Also note, that there is a redundant "ptq->insn_len = 0" statement which is
+not removed until a subsequent patch in order to make this patch apply
+cleanly to stable branches.
+
+Example:
+
+A machne that supports TSX is required. It will have flag "rtm". Kernel
+parameter tsx=on may be required.
+
+ # for w in `cat /proc/cpuinfo | grep -m1 flags `;do echo $w | grep rtm ; done
+ rtm
+
+Test program:
+
+ #include <stdio.h>
+ #include <immintrin.h>
+
+ int main()
+ {
+ int x = 0;
+
+ if (_xbegin() == _XBEGIN_STARTED) {
+ x = 1;
+ _xabort(1);
+ } else {
+ printf("x = %d\n", x);
+ }
+ return 0;
+ }
+
+Compile with -mrtm i.e.
+
+ gcc -Wall -Wextra -mrtm xabort.c -o xabort
+
+Record:
+
+ perf record -e intel_pt/cyc/u --filter 'filter main @ ./xabort' ./xabort
+
+Before:
+
+ # perf script --itrace=xe -F+flags,+insn,-period --xed --ns
+ xabort 1478 [007] 92161.431348581: transactions: x 400b81 main+0x14 (/root/xabort) mov $0xffffffff, %eax
+ xabort 1478 [007] 92161.431348624: transactions: tx abrt 400b93 main+0x26 (/root/xabort) mov $0xffffffff, %eax
+
+After:
+
+ # perf script --itrace=xe -F+flags,+insn,-period --xed --ns
+ xabort 1478 [007] 92161.431348581: transactions: x 400b81 main+0x14 (/root/xabort) xbegin 0x6
+ xabort 1478 [007] 92161.431348624: transactions: tx abrt 400b93 main+0x26 (/root/xabort) xabort $0x1
+
+Fixes: faaa87680b25d ("perf intel-pt/bts: Report instruction bytes and length in sample")
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: stable@vger.kernel.org
+Link: http://lore.kernel.org/lkml/20210519074515.9262-3-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/util/intel-pt.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/tools/perf/util/intel-pt.c
++++ b/tools/perf/util/intel-pt.c
+@@ -647,8 +647,10 @@ static int intel_pt_walk_next_insn(struc
+
+ *ip += intel_pt_insn->length;
+
+- if (to_ip && *ip == to_ip)
++ if (to_ip && *ip == to_ip) {
++ intel_pt_insn->length = 0;
+ goto out_no_cache;
++ }
+
+ if (*ip >= al.map->end)
+ break;
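Review bot: `intel_pt_insn->length = 0` serves as an in-band marker for "the instruction at to_ip was not decoded", but neither this assignment nor the `ptq->insn_len = 0;` added at the top of intel_pt_sample_flags() says so. The other fields of `intel_pt_insn` still describe the instruction that was just stepped over by `*ip += intel_pt_insn->length`. A comment such as `/* insn at to_ip not decoded: report no instruction bytes */` here, and `/* default: no instruction bytes unless set later */` in intel_pt_sample_flags(), would keep readers from trusting those stale fields. Whether every consumer tests the length first cannot be seen from these hunks.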
+@@ -1131,6 +1133,7 @@ static void intel_pt_set_pid_tid_cpu(str
+
+ static void intel_pt_sample_flags(struct intel_pt_queue *ptq)
+ {
++ ptq->insn_len = 0;
+ if (ptq->state->flags & INTEL_PT_ABORT_TX) {
+ ptq->flags = PERF_IP_FLAG_BRANCH | PERF_IP_FLAG_TX_ABORT;
+ } else if (ptq->state->flags & INTEL_PT_ASYNC) {
--- /dev/null
+From cb7987837c31b217b28089bbc78922d5c9187869 Mon Sep 17 00:00:00 2001
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Wed, 19 May 2021 10:45:13 +0300
+Subject: perf intel-pt: Fix transaction abort handling
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+commit cb7987837c31b217b28089bbc78922d5c9187869 upstream.
+
+When adding support for power events, some handling of FUP packets was
+unified. That resulted in breaking reporting of TSX aborts, by not
+considering the associated TIP packet. Fix that.
+
+Example:
+
+A machine that supports TSX is required. It will have flag "rtm". Kernel
+parameter tsx=on may be required.
+
+ # for w in `cat /proc/cpuinfo | grep -m1 flags `;do echo $w | grep rtm ; done
+ rtm
+
+Test program:
+
+ #include <stdio.h>
+ #include <immintrin.h>
+
+ int main()
+ {
+ int x = 0;
+
+ if (_xbegin() == _XBEGIN_STARTED) {
+ x = 1;
+ _xabort(1);
+ } else {
+ printf("x = %d\n", x);
+ }
+ return 0;
+ }
+
+Compile with -mrtm i.e.
+
+ gcc -Wall -Wextra -mrtm xabort.c -o xabort
+
+Record:
+
+ perf record -e intel_pt/cyc/u --filter 'filter main @ ./xabort' ./xabort
+
+Before:
+
+ # perf script --itrace=be -F+flags,+addr,-period,-event --ns
+ xabort 1478 [007] 92161.431348552: tr strt 0 [unknown] ([unknown]) => 400b6d main+0x0 (/root/xabort)
+ xabort 1478 [007] 92161.431348624: jmp 400b96 main+0x29 (/root/xabort) => 400bae main+0x41 (/root/xabort)
+ xabort 1478 [007] 92161.431348624: return 400bb4 main+0x47 (/root/xabort) => 400b87 main+0x1a (/root/xabort)
+ xabort 1478 [007] 92161.431348637: jcc 400b8a main+0x1d (/root/xabort) => 400b98 main+0x2b (/root/xabort)
+ xabort 1478 [007] 92161.431348644: tr end call 400ba9 main+0x3c (/root/xabort) => 40f690 printf+0x0 (/root/xabort)
+ xabort 1478 [007] 92161.431360859: tr strt 0 [unknown] ([unknown]) => 400bae main+0x41 (/root/xabort)
+ xabort 1478 [007] 92161.431360882: tr end return 400bb4 main+0x47 (/root/xabort) => 401139 __libc_start_main+0x309 (/root/xabort)
+
+After:
+
+ # perf script --itrace=be -F+flags,+addr,-period,-event --ns
+ xabort 1478 [007] 92161.431348552: tr strt 0 [unknown] ([unknown]) => 400b6d main+0x0 (/root/xabort)
+ xabort 1478 [007] 92161.431348624: tx abrt 400b93 main+0x26 (/root/xabort) => 400b87 main+0x1a (/root/xabort)
+ xabort 1478 [007] 92161.431348637: jcc 400b8a main+0x1d (/root/xabort) => 400b98 main+0x2b (/root/xabort)
+ xabort 1478 [007] 92161.431348644: tr end call 400ba9 main+0x3c (/root/xabort) => 40f690 printf+0x0 (/root/xabort)
+ xabort 1478 [007] 92161.431360859: tr strt 0 [unknown] ([unknown]) => 400bae main+0x41 (/root/xabort)
+ xabort 1478 [007] 92161.431360882: tr end return 400bb4 main+0x47 (/root/xabort) => 401139 __libc_start_main+0x309 (/root/xabort)
+
+Fixes: a472e65fc490a ("perf intel-pt: Add decoder support for ptwrite and power event packets")
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: stable@vger.kernel.org
+Link: http://lore.kernel.org/lkml/20210519074515.9262-2-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/util/intel-pt-decoder/intel-pt-decoder.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
++++ b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
+@@ -1120,6 +1120,8 @@ static bool intel_pt_fup_event(struct in
+ decoder->set_fup_tx_flags = false;
+ decoder->tx_flags = decoder->fup_tx_flags;
+ decoder->state.type = INTEL_PT_TRANSACTION;
++ if (decoder->fup_tx_flags & INTEL_PT_ABORT_TX)
++ decoder->state.type |= INTEL_PT_BRANCH;
+ decoder->state.from_ip = decoder->ip;
+ decoder->state.to_ip = 0;
+ decoder->state.flags = decoder->fup_tx_flags;
+@@ -1194,8 +1196,10 @@ static int intel_pt_walk_fup(struct inte
+ return 0;
+ if (err == -EAGAIN ||
+ intel_pt_fup_with_nlip(decoder, &intel_pt_insn, ip, err)) {
++ bool no_tip = decoder->pkt_state != INTEL_PT_STATE_FUP;
++
+ decoder->pkt_state = INTEL_PT_STATE_IN_SYNC;
+- if (intel_pt_fup_event(decoder))
++ if (intel_pt_fup_event(decoder) && no_tip)
+ return 0;
+ return -EAGAIN;
+ }
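Review bot: The new local `no_tip` in intel_pt_walk_fup() must be read before the following statement overwrites `decoder->pkt_state` with INTEL_PT_STATE_IN_SYNC, and nothing in the code says so; if the two lines were ever reordered, `no_tip` would always be true. I would add a comment above the declaration, for example `/* Read pkt_state before it is reset below: in INTEL_PT_STATE_FUP the event is not returned here and decoding continues with -EAGAIN */`. That the INTEL_PT_STATE_FUP case means a TIP packet is still expected is inferred from the variable name, so the wording should be confirmed against the decoder's state handling. The function body begins and ends outside this hunk.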
--- /dev/null
+From fd931b2e234a7cc451a7bbb1965d6ce623189158 Mon Sep 17 00:00:00 2001
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Fri, 21 May 2021 12:20:52 +0300
+Subject: perf scripts python: exported-sql-viewer.py: Fix Array TypeError
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+commit fd931b2e234a7cc451a7bbb1965d6ce623189158 upstream.
+
+The 'Array' class is present in more than one python standard library.
+In some versions of Python 3, the following error occurs:
+
+Traceback (most recent call last):
+ File "tools/perf/scripts/python/exported-sql-viewer.py", line 4702, in <lambda>
+ reports_menu.addAction(CreateAction(label, "Create a new window displaying branch events", lambda a=None,x=dbid: self.NewBranchView(x), self))
+ File "tools/perf/scripts/python/exported-sql-viewer.py", line 4727, in NewBranchView
+ BranchWindow(self.glb, event_id, ReportVars(), self)
+ File "tools/perf/scripts/python/exported-sql-viewer.py", line 3208, in __init__
+ self.model = LookupCreateModel(model_name, lambda: BranchModel(glb, event_id, report_vars.where_clause))
+ File "tools/perf/scripts/python/exported-sql-viewer.py", line 343, in LookupCreateModel
+ model = create_fn()
+ File "tools/perf/scripts/python/exported-sql-viewer.py", line 3208, in <lambda>
+ self.model = LookupCreateModel(model_name, lambda: BranchModel(glb, event_id, report_vars.where_clause))
+ File "tools/perf/scripts/python/exported-sql-viewer.py", line 3124, in __init__
+ self.fetcher = SQLFetcher(glb, sql, prep, self.AddSample)
+ File "tools/perf/scripts/python/exported-sql-viewer.py", line 2658, in __init__
+ self.buffer = Array(c_char, self.buffer_size, lock=False)
+TypeError: abstract class
+
+This apparently happens because Python can be inconsistent about which
+class of the name 'Array' gets imported. Fix by importing explicitly by
+name so that only the desired 'Array' gets imported.
+
+Fixes: 8392b74b575c3 ("perf scripts python: exported-sql-viewer.py: Add ability to display all the database tables")
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: stable@vger.kernel.org
+Link: http://lore.kernel.org/lkml/20210521092053.25683-3-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/scripts/python/exported-sql-viewer.py | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/tools/perf/scripts/python/exported-sql-viewer.py
++++ b/tools/perf/scripts/python/exported-sql-viewer.py
+@@ -125,8 +125,9 @@ if pyside_version_1:
+ from PySide.QtGui import *
+ from PySide.QtSql import *
+
+-from decimal import *
+-from ctypes import *
++from decimal import Decimal, ROUND_HALF_UP
++from ctypes import CDLL, Structure, create_string_buffer, addressof, sizeof, \
++ c_void_p, c_bool, c_byte, c_char, c_int, c_uint, c_longlong, c_ulonglong
+ from multiprocessing import Process, Array, Value, Event
+
+ # xrange is range in Python3
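Review bot: The explicit `from ctypes import ...` list is only correct if it names every ctypes symbol the script uses, and this hunk cannot show that. With the wildcard gone, a missed name raises NameError only when the code path that uses it runs, and the same holds for the two names kept from `decimal`. A static name check such as pyflakes over the script would confirm the list is complete. The PySide imports above remain wildcards, so a short comment such as `# Import by name: 'from ctypes import *' also exports an 'Array'` would explain why this group is written differently.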
--- /dev/null
+From a6172059758ba1b496ae024cece7d5bdc8d017db Mon Sep 17 00:00:00 2001
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Fri, 21 May 2021 12:20:51 +0300
+Subject: perf scripts python: exported-sql-viewer.py: Fix copy to clipboard from Top Calls by elapsed Time report
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+commit a6172059758ba1b496ae024cece7d5bdc8d017db upstream.
+
+Provide missing argument to prevent following error when copying a
+selection to the clipboard:
+
+Traceback (most recent call last):
+ File "tools/perf/scripts/python/exported-sql-viewer.py", line 4041, in <lambda>
+ menu.addAction(CreateAction("&Copy selection", "Copy to clipboard", lambda: CopyCellsToClipboardHdr(self.view), self.view))
+ File "tools/perf/scripts/python/exported-sql-viewer.py", line 4021, in CopyCellsToClipboardHdr
+ CopyCellsToClipboard(view, False, True)
+ File "tools/perf/scripts/python/exported-sql-viewer.py", line 4018, in CopyCellsToClipboard
+ view.CopyCellsToClipboard(view, as_csv, with_hdr)
+ File "tools/perf/scripts/python/exported-sql-viewer.py", line 3871, in CopyTableCellsToClipboard
+ val = model.headerData(col, Qt.Horizontal)
+TypeError: headerData() missing 1 required positional argument: 'role'
+
+Fixes: 96c43b9a7ab3b ("perf scripts python: exported-sql-viewer.py: Add copy to clipboard")
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: stable@vger.kernel.org
+Link: http://lore.kernel.org/lkml/20210521092053.25683-2-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/scripts/python/exported-sql-viewer.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/perf/scripts/python/exported-sql-viewer.py
++++ b/tools/perf/scripts/python/exported-sql-viewer.py
+@@ -3868,7 +3868,7 @@ def CopyTableCellsToClipboard(view, as_c
+ if with_hdr:
+ model = indexes[0].model()
+ for col in range(min_col, max_col + 1):
+- val = model.headerData(col, Qt.Horizontal)
++ val = model.headerData(col, Qt.Horizontal, Qt.DisplayRole)
+ if as_csv:
+ text += sep + ToCSValue(val)
+ sep = ","
--- /dev/null
+From f56299a9c998e0bfbd4ab07cafe9eb8444512448 Mon Sep 17 00:00:00 2001
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Fri, 21 May 2021 12:20:53 +0300
+Subject: perf scripts python: exported-sql-viewer.py: Fix warning display
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+commit f56299a9c998e0bfbd4ab07cafe9eb8444512448 upstream.
+
+Deprecation warnings are useful only for the developer, not an end user.
+Display warnings only when requested using the python -W option. This
+stops the display of warnings like:
+
+ tools/perf/scripts/python/exported-sql-viewer.py:5102: DeprecationWarning:
+ an integer is required (got type PySide2.QtCore.Qt.AlignmentFlag).
+ Implicit conversion to integers using __int__ is deprecated, and
+ may be removed in a future version of Python.
+ err = app.exec_()
+
+Since the warning can be fixed only in PySide2, we must wait for it to
+be finally fixed there.
+
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: stable@vger.kernel.org # v5.3+
+Link: http://lore.kernel.org/lkml/20210521092053.25683-4-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/scripts/python/exported-sql-viewer.py | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/tools/perf/scripts/python/exported-sql-viewer.py
++++ b/tools/perf/scripts/python/exported-sql-viewer.py
+@@ -91,6 +91,11 @@
+ from __future__ import print_function
+
+ import sys
++# Only change warnings if the python -W option was not used
++if not sys.warnoptions:
++ import warnings
++ # PySide2 causes deprecation warnings, ignore them.
++ warnings.filterwarnings("ignore", category=DeprecationWarning)
+ import argparse
+ import weakref
+ import threading
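Review bot: The added `warnings.filterwarnings("ignore", category=DeprecationWarning)` silences every DeprecationWarning in the process, not only the PySide2 one quoted in the commit message. Deprecations in the script's own code therefore also disappear unless the user passes -W. The filter can be narrowed to that warning with the `message` argument, a regex matched against the start of the warning text: `warnings.filterwarnings("ignore", message="an integer is required", category=DeprecationWarning)`. If other PySide2 deprecation messages need hiding as well, naming them in the comment would keep the suppression auditable.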
--- /dev/null
+From bfb819ea20ce8bbeeba17e1a6418bf8bda91fc28 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Tue, 25 May 2021 12:37:35 -0700
+Subject: proc: Check /proc/$pid/attr/ writes against file opener
+
+From: Kees Cook <keescook@chromium.org>
+
+commit bfb819ea20ce8bbeeba17e1a6418bf8bda91fc28 upstream.
+
+Fix another "confused deputy" weakness[1]. Writes to /proc/$pid/attr/
+files need to check the opener credentials, since these fds do not
+transition state across execve(). Without this, it is possible to
+trick another process (which may have different credentials) to write
+to its own /proc/$pid/attr/ files, leading to unexpected and possibly
+exploitable behaviors.
+
+[1] https://www.kernel.org/doc/html/latest/security/credentials.html?highlight=confused#open-file-credentials
+
+Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/proc/base.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/proc/base.c
++++ b/fs/proc/base.c
+@@ -2704,6 +2704,10 @@ static ssize_t proc_pid_attr_write(struc
+ void *page;
+ int rv;
+
++ /* A task may only write when it was the opener. */
++ if (file->f_cred != current_real_cred())
++ return -EPERM;
++
+ rcu_read_lock();
+ task = pid_task(proc_pid(inode), PIDTYPE_PID);
+ if (!task) {
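Review bot: The new check in proc_pid_attr_write() compares `file->f_cred` with `current_real_cred()` by pointer, and the one-line comment does not say that this is stricter than "same task". A task that opened the file and later changed its own credentials, or a thread that was handed the fd by a differently privileged opener, would presumably also get -EPERM, because a credential change installs a new cred struct. I would expand the comment to state this, for example `/* f_cred is fixed at open() and fds survive execve(); refuse the write unless the writer still holds the exact cred that opened the file. */`. Existing users that open an attr file and then change credentials before writing should be checked. The function body continues outside this hunk.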
cifs-set-server-cipher_type-to-aes-128-ccm-for-smb3.0.patch
nfsv4-fix-a-null-pointer-dereference-in-pnfs_mark_matching_lsegs_return.patch
iommu-vt-d-fix-sysfs-leak-in-alloc_iommu.patch
+perf-intel-pt-fix-sample-instruction-bytes.patch
+perf-intel-pt-fix-transaction-abort-handling.patch
+perf-scripts-python-exported-sql-viewer.py-fix-copy-to-clipboard-from-top-calls-by-elapsed-time-report.patch
+perf-scripts-python-exported-sql-viewer.py-fix-array-typeerror.patch
+perf-scripts-python-exported-sql-viewer.py-fix-warning-display.patch
+proc-check-proc-pid-attr-writes-against-file-opener.patch
+net-hso-fix-control-request-directions.patch
+net-sched-fq_pie-re-factor-fix-for-fq_pie-endless-loop.patch
+net-sched-fq_pie-fix-oob-access-in-the-traffic-path.patch
+netfilter-nft_set_pipapo_avx2-add-irq_fpu_usable-check-fallback-to-non-avx2-version.patch
+mac80211-assure-all-fragments-are-encrypted.patch
+mac80211-prevent-mixed-key-and-fragment-cache-attacks.patch
selftests-gpio-use-test_gen_progs_extended.patch
selftests-gpio-move-include-of-lib.mk-up.patch
selftests-gpio-fix-build-when-source-tree-is-read-on.patch