From: Sasha Levin Date: Fri, 12 Jun 2020 01:39:56 +0000 (-0400) Subject: Fixes for 5.6 X-Git-Tag: v5.4.47~121 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=004f0b0e4cac661581fbd8601a2646cd94676e8f;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.6 Signed-off-by: Sasha Levin --- diff --git a/queue-5.6/asoc-sof-imx-fix-undefined-reference-issue.patch b/queue-5.6/asoc-sof-imx-fix-undefined-reference-issue.patch new file mode 100644 index 00000000000..bfd45fb8a1e --- /dev/null +++ b/queue-5.6/asoc-sof-imx-fix-undefined-reference-issue.patch @@ -0,0 +1,66 @@ +From e64fd41107edbf2e2308271bcac2f04789591438 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Apr 2020 10:18:29 +0300 +Subject: ASoC: SOF: imx: fix undefined reference issue + +From: Pierre-Louis Bossart + +[ Upstream commit cb0312f61c3e95c71ec8955a94d42bf7eb5ba617 ] + +make.cross ARCH=mips allyesconfig fails with the following error: + +sound/soc/sof/sof-of-dev.o:(.data.sof_of_imx8qxp_desc+0x40): undefined +reference to `sof_imx8x_ops'. + +This seems to be a Makefile order issue, solve by using the same +structure as for Intel platforms. + +Fixes: f9ad75468453 ("ASoC: SOF: imx: fix reverse CONFIG_SND_SOC_SOF_OF +dependency") +Signed-off-by: Pierre-Louis Bossart +Signed-off-by: Daniel Baluta +Link: https://lore.kernel.org/r/20200409071832.2039-3-daniel.baluta@oss.nxp.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/sof/imx/Kconfig | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +diff --git a/sound/soc/sof/imx/Kconfig b/sound/soc/sof/imx/Kconfig +index 812749064ca8..9586635cf8ab 100644 +--- a/sound/soc/sof/imx/Kconfig ++++ b/sound/soc/sof/imx/Kconfig +@@ -11,17 +11,26 @@ config SND_SOC_SOF_IMX_TOPLEVEL + + if SND_SOC_SOF_IMX_TOPLEVEL + ++config SND_SOC_SOF_IMX_OF ++ def_tristate SND_SOC_SOF_OF ++ select SND_SOC_SOF_IMX8 if SND_SOC_SOF_IMX8_SUPPORT ++ help ++ This option is not user-selectable but automagically handled by ++ 'select' statements at a higher level ++ + config SND_SOC_SOF_IMX8_SUPPORT + bool "SOF support for i.MX8" +- depends on IMX_SCU +- select IMX_DSP + help + This adds support for Sound Open Firmware for NXP i.MX8 platforms + Say Y if you have such a device. + If unsure select "N". + + config SND_SOC_SOF_IMX8 +- def_tristate SND_SOC_SOF_OF +- depends on SND_SOC_SOF_IMX8_SUPPORT ++ tristate ++ depends on IMX_SCU ++ select IMX_DSP ++ help ++ This option is not user-selectable but automagically handled by ++ 'select' statements at a higher level + + endif ## SND_SOC_SOF_IMX_IMX_TOPLEVEL +-- +2.25.1 + diff --git a/queue-5.6/asoc-sof-imx8-fix-randbuild-error.patch b/queue-5.6/asoc-sof-imx8-fix-randbuild-error.patch new file mode 100644 index 00000000000..94a8a3a51a7 --- /dev/null +++ b/queue-5.6/asoc-sof-imx8-fix-randbuild-error.patch @@ -0,0 +1,50 @@ +From 7b719d9459231033d48e7763e3f805ce40647528 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Apr 2020 10:18:28 +0300 +Subject: ASoC: SOF: imx8: Fix randbuild error + +From: YueHaibing + +[ Upstream commit fe17e6cdc0fefca96ba9659be4b2b07487cbf0c5 ] + +when do randconfig like this: +CONFIG_SND_SOC_SOF_IMX8_SUPPORT=y +CONFIG_SND_SOC_SOF_IMX8=y +CONFIG_SND_SOC_SOF_OF=y +CONFIG_IMX_DSP=m +CONFIG_IMX_SCU=y + +there is a link error: + +sound/soc/sof/imx/imx8.o: In function 'imx8_send_msg': +imx8.c:(.text+0x380): undefined reference to 'imx_dsp_ring_doorbell' + +Select IMX_DSP in SND_SOC_SOF_IMX8_SUPPORT to fix this + +Fixes: f9ad75468453 ("ASoC: SOF: imx: fix reverse CONFIG_SND_SOC_SOF_OF dependency") +Reported-by: Hulk Robot +Signed-off-by: YueHaibing +Signed-off-by: Daniel Baluta +Link: https://lore.kernel.org/r/20200409071832.2039-2-daniel.baluta@oss.nxp.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/sof/imx/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/sof/imx/Kconfig b/sound/soc/sof/imx/Kconfig +index bae4f7bf5f75..812749064ca8 100644 +--- a/sound/soc/sof/imx/Kconfig ++++ b/sound/soc/sof/imx/Kconfig +@@ -14,7 +14,7 @@ if SND_SOC_SOF_IMX_TOPLEVEL + config SND_SOC_SOF_IMX8_SUPPORT + bool "SOF support for i.MX8" + depends on IMX_SCU +- depends on IMX_DSP ++ select IMX_DSP + help + This adds support for Sound Open Firmware for NXP i.MX8 platforms + Say Y if you have such a device. +-- +2.25.1 + diff --git a/queue-5.6/ath9k_htc-silence-undersized-packet-warnings.patch b/queue-5.6/ath9k_htc-silence-undersized-packet-warnings.patch new file mode 100644 index 00000000000..39221fa88a1 --- /dev/null +++ b/queue-5.6/ath9k_htc-silence-undersized-packet-warnings.patch @@ -0,0 +1,49 @@ +From ff780d52959401d309ecb34962d2b3ff1cc245a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 May 2020 06:44:43 +0900 +Subject: ath9k_htc: Silence undersized packet warnings + +From: Masashi Honma + +[ Upstream commit 450edd2805982d14ed79733a82927d2857b27cac ] + +Some devices like TP-Link TL-WN722N produces this kind of messages +frequently. + +kernel: ath: phy0: Short RX data len, dropping (dlen: 4) + +This warning is useful for developers to recognize that the device +(Wi-Fi dongle or USB hub etc) is noisy but not for general users. So +this patch make this warning to debug message. + +Reported-By: Denis +Ref: https://bugzilla.kernel.org/show_bug.cgi?id=207539 +Fixes: cd486e627e67 ("ath9k_htc: Discard undersized packets") +Signed-off-by: Masashi Honma +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200504214443.4485-1-masashi.honma@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/htc_drv_txrx.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c +index 9cec5c216e1f..118e5550b10c 100644 +--- a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c ++++ b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c +@@ -999,9 +999,9 @@ static bool ath9k_rx_prepare(struct ath9k_htc_priv *priv, + * which are not PHY_ERROR (short radar pulses have a length of 3) + */ + if (unlikely(!rs_datalen || (rs_datalen < 10 && !is_phyerr))) { +- ath_warn(common, +- "Short RX data len, dropping (dlen: %d)\n", +- rs_datalen); ++ ath_dbg(common, ANY, ++ "Short RX data len, dropping (dlen: %d)\n", ++ rs_datalen); + goto rx_next; + } + +-- +2.25.1 + diff --git a/queue-5.6/driver-core-update-device-link-status-correctly-for-.patch b/queue-5.6/driver-core-update-device-link-status-correctly-for-.patch new file mode 100644 index 00000000000..cab55271c13 --- /dev/null +++ b/queue-5.6/driver-core-update-device-link-status-correctly-for-.patch @@ -0,0 +1,120 @@ +From b20211fb46e5cfe9f99ed2657f91f72040e1f25a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 May 2020 15:09:27 -0700 +Subject: driver core: Update device link status correctly for SYNC_STATE_ONLY + links + +From: Saravana Kannan + +[ Upstream commit 8c3e315d4296421cd26b3300ee0ac117f0877f20 ] + +When SYNC_STATE_ONLY support was added in commit 05ef983e0d65 ("driver +core: Add device link support for SYNC_STATE_ONLY flag"), +SYNC_STATE_ONLY links were treated similar to STATELESS links in terms +of not blocking consumer probe if the supplier hasn't probed yet. + +That caused a SYNC_STATE_ONLY device link's status to not get updated. +Since SYNC_STATE_ONLY device link is no longer useful once the +consumer probes, commit 21c27f06587d ("driver core: Fix +SYNC_STATE_ONLY device link implementation") addresses the status +update issue by deleting the SYNC_STATE_ONLY device link instead of +complicating the status update code. + +However, there are still some cases where we need to update the status +of a SYNC_STATE_ONLY device link. This is because a SYNC_STATE_ONLY +device link can later get converted into a normal MANAGED device link +when a normal MANAGED device link is created between a supplier and +consumer that already have a SYNC_STATE_ONLY device link between them. + +If a SYNC_STATE_ONLY device link's status isn't maintained correctly +till it's converted to a normal MANAGED device link, then the normal +MANAGED device link will end up with a wrong link status. This can cause +a warning stack trace[1] when the consumer device probes successfully. + +This commit fixes the SYNC_STATE_ONLY device link status update issue +where it wouldn't transition correctly from DL_STATE_DORMANT or +DL_STATE_AVAILABLE to DL_STATE_CONSUMER_PROBE. It also resets the status +back to DL_STATE_DORMANT or DL_STATE_AVAILABLE if the consumer probe +fails. + +[1] - https://lore.kernel.org/lkml/20200522204120.3b3c9ed6@apollo/ +Fixes: 05ef983e0d65 ("driver core: Add device link support for SYNC_STATE_ONLY flag") +Fixes: 21c27f06587d ("driver core: Fix SYNC_STATE_ONLY device link implementation") +Reported-by: Michael Walle +Tested-by: Michael Walle +Signed-off-by: Saravana Kannan +Reviewed-by: Rafael J. Wysocki +Link: https://lore.kernel.org/r/20200526220928.49939-1-saravanak@google.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/base/core.c | 34 ++++++++++++++++++++++++++-------- + 1 file changed, 26 insertions(+), 8 deletions(-) + +diff --git a/drivers/base/core.c b/drivers/base/core.c +index 68277687c160..3c4ecb824247 100644 +--- a/drivers/base/core.c ++++ b/drivers/base/core.c +@@ -643,9 +643,17 @@ static void device_links_missing_supplier(struct device *dev) + { + struct device_link *link; + +- list_for_each_entry(link, &dev->links.suppliers, c_node) +- if (link->status == DL_STATE_CONSUMER_PROBE) ++ list_for_each_entry(link, &dev->links.suppliers, c_node) { ++ if (link->status != DL_STATE_CONSUMER_PROBE) ++ continue; ++ ++ if (link->supplier->links.status == DL_DEV_DRIVER_BOUND) { + WRITE_ONCE(link->status, DL_STATE_AVAILABLE); ++ } else { ++ WARN_ON(!(link->flags & DL_FLAG_SYNC_STATE_ONLY)); ++ WRITE_ONCE(link->status, DL_STATE_DORMANT); ++ } ++ } + } + + /** +@@ -684,11 +692,11 @@ int device_links_check_suppliers(struct device *dev) + device_links_write_lock(); + + list_for_each_entry(link, &dev->links.suppliers, c_node) { +- if (!(link->flags & DL_FLAG_MANAGED) || +- link->flags & DL_FLAG_SYNC_STATE_ONLY) ++ if (!(link->flags & DL_FLAG_MANAGED)) + continue; + +- if (link->status != DL_STATE_AVAILABLE) { ++ if (link->status != DL_STATE_AVAILABLE && ++ !(link->flags & DL_FLAG_SYNC_STATE_ONLY)) { + device_links_missing_supplier(dev); + ret = -EPROBE_DEFER; + break; +@@ -949,11 +957,21 @@ static void __device_links_no_driver(struct device *dev) + if (!(link->flags & DL_FLAG_MANAGED)) + continue; + +- if (link->flags & DL_FLAG_AUTOREMOVE_CONSUMER) ++ if (link->flags & DL_FLAG_AUTOREMOVE_CONSUMER) { + device_link_drop_managed(link); +- else if (link->status == DL_STATE_CONSUMER_PROBE || +- link->status == DL_STATE_ACTIVE) ++ continue; ++ } ++ ++ if (link->status != DL_STATE_CONSUMER_PROBE && ++ link->status != DL_STATE_ACTIVE) ++ continue; ++ ++ if (link->supplier->links.status == DL_DEV_DRIVER_BOUND) { + WRITE_ONCE(link->status, DL_STATE_AVAILABLE); ++ } else { ++ WARN_ON(!(link->flags & DL_FLAG_SYNC_STATE_ONLY)); ++ WRITE_ONCE(link->status, DL_STATE_DORMANT); ++ } + } + + dev->links.status = DL_DEV_NO_DRIVER; +-- +2.25.1 + diff --git a/queue-5.6/fanotify-fix-ignore-mask-logic-for-events-on-child-a.patch b/queue-5.6/fanotify-fix-ignore-mask-logic-for-events-on-child-a.patch new file mode 100644 index 00000000000..b3abc6652e7 --- /dev/null +++ b/queue-5.6/fanotify-fix-ignore-mask-logic-for-events-on-child-a.patch @@ -0,0 +1,67 @@ +From 76dd67d90c0ee9e69b10a2f35a92fcb50ab653e1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 24 May 2020 10:24:41 +0300 +Subject: fanotify: fix ignore mask logic for events on child and on dir + +From: Amir Goldstein + +[ Upstream commit 2f02fd3fa13e51713b630164f8a8e5b42de8283b ] + +The comments in fanotify_group_event_mask() say: + + "If the event is on dir/child and this mark doesn't care about + events on dir/child, don't send it!" + +Specifically, mount and filesystem marks do not care about events +on child, but they can still specify an ignore mask for those events. +For example, a group that has: +- A mount mark with mask 0 and ignore_mask FAN_OPEN +- An inode mark on a directory with mask FAN_OPEN | FAN_OPEN_EXEC + with flag FAN_EVENT_ON_CHILD + +A child file open for exec would be reported to group with the FAN_OPEN +event despite the fact that FAN_OPEN is in ignore mask of mount mark, +because the mark iteration loop skips over non-inode marks for events +on child when calculating the ignore mask. + +Move ignore mask calculation to the top of the iteration loop block +before excluding marks for events on dir/child. + +Link: https://lore.kernel.org/r/20200524072441.18258-1-amir73il@gmail.com +Reported-by: Jan Kara +Link: https://lore.kernel.org/linux-fsdevel/20200521162443.GA26052@quack2.suse.cz/ +Fixes: 55bf882c7f13 "fanotify: fix merging marks masks with FAN_ONDIR" +Fixes: b469e7e47c8a "fanotify: fix handling of events on child..." +Signed-off-by: Amir Goldstein +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/notify/fanotify/fanotify.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/fs/notify/fanotify/fanotify.c b/fs/notify/fanotify/fanotify.c +index deb13f0a0f7d..d24548ed31b9 100644 +--- a/fs/notify/fanotify/fanotify.c ++++ b/fs/notify/fanotify/fanotify.c +@@ -171,6 +171,10 @@ static u32 fanotify_group_event_mask(struct fsnotify_group *group, + if (!fsnotify_iter_should_report_type(iter_info, type)) + continue; + mark = iter_info->marks[type]; ++ ++ /* Apply ignore mask regardless of ISDIR and ON_CHILD flags */ ++ marks_ignored_mask |= mark->ignored_mask; ++ + /* + * If the event is on dir and this mark doesn't care about + * events on dir, don't send it! +@@ -188,7 +192,6 @@ static u32 fanotify_group_event_mask(struct fsnotify_group *group, + continue; + + marks_mask |= mark->mask; +- marks_ignored_mask |= mark->ignored_mask; + } + + test_mask = event_mask & marks_mask & ~marks_ignored_mask; +-- +2.25.1 + diff --git a/queue-5.6/kobject-make-sure-the-parent-does-not-get-released-b.patch b/queue-5.6/kobject-make-sure-the-parent-does-not-get-released-b.patch new file mode 100644 index 00000000000..748cd5189a9 --- /dev/null +++ b/queue-5.6/kobject-make-sure-the-parent-does-not-get-released-b.patch @@ -0,0 +1,112 @@ +From 985789e2caed2b3b7facc9f8c7dfde8a6ab7666f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 May 2020 18:18:40 +0300 +Subject: kobject: Make sure the parent does not get released before its + children + +From: Heikki Krogerus + +[ Upstream commit 4ef12f7198023c09ad6d25b652bd8748c965c7fa ] + +In the function kobject_cleanup(), kobject_del(kobj) is +called before the kobj->release(). That makes it possible to +release the parent of the kobject before the kobject itself. + +To fix that, adding function __kboject_del() that does +everything that kobject_del() does except release the parent +reference. kobject_cleanup() then calls __kobject_del() +instead of kobject_del(), and separately decrements the +reference count of the parent kobject after kobj->release() +has been called. + +Reported-by: Naresh Kamboju +Reported-by: kernel test robot +Fixes: 7589238a8cf3 ("Revert "software node: Simplify software_node_release() function"") +Suggested-by: "Rafael J. Wysocki" +Signed-off-by: Heikki Krogerus +Reviewed-by: Rafael J. Wysocki +Reviewed-by: Brendan Higgins +Tested-by: Brendan Higgins +Acked-by: Randy Dunlap +Link: https://lore.kernel.org/r/20200513151840.36400-1-heikki.krogerus@linux.intel.com +Cc: stable +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + lib/kobject.c | 30 ++++++++++++++++++++---------- + 1 file changed, 20 insertions(+), 10 deletions(-) + +diff --git a/lib/kobject.c b/lib/kobject.c +index 83198cb37d8d..2bd631460e18 100644 +--- a/lib/kobject.c ++++ b/lib/kobject.c +@@ -599,14 +599,7 @@ int kobject_move(struct kobject *kobj, struct kobject *new_parent) + } + EXPORT_SYMBOL_GPL(kobject_move); + +-/** +- * kobject_del() - Unlink kobject from hierarchy. +- * @kobj: object. +- * +- * This is the function that should be called to delete an object +- * successfully added via kobject_add(). +- */ +-void kobject_del(struct kobject *kobj) ++static void __kobject_del(struct kobject *kobj) + { + struct kernfs_node *sd; + const struct kobj_type *ktype; +@@ -625,9 +618,23 @@ void kobject_del(struct kobject *kobj) + + kobj->state_in_sysfs = 0; + kobj_kset_leave(kobj); +- kobject_put(kobj->parent); + kobj->parent = NULL; + } ++ ++/** ++ * kobject_del() - Unlink kobject from hierarchy. ++ * @kobj: object. ++ * ++ * This is the function that should be called to delete an object ++ * successfully added via kobject_add(). ++ */ ++void kobject_del(struct kobject *kobj) ++{ ++ struct kobject *parent = kobj->parent; ++ ++ __kobject_del(kobj); ++ kobject_put(parent); ++} + EXPORT_SYMBOL(kobject_del); + + /** +@@ -663,6 +670,7 @@ EXPORT_SYMBOL(kobject_get_unless_zero); + */ + static void kobject_cleanup(struct kobject *kobj) + { ++ struct kobject *parent = kobj->parent; + struct kobj_type *t = get_ktype(kobj); + const char *name = kobj->name; + +@@ -684,7 +692,7 @@ static void kobject_cleanup(struct kobject *kobj) + if (kobj->state_in_sysfs) { + pr_debug("kobject: '%s' (%p): auto cleanup kobject_del\n", + kobject_name(kobj), kobj); +- kobject_del(kobj); ++ __kobject_del(kobj); + } + + if (t && t->release) { +@@ -698,6 +706,8 @@ static void kobject_cleanup(struct kobject *kobj) + pr_debug("kobject: '%s': free name\n", name); + kfree_const(name); + } ++ ++ kobject_put(parent); + } + + #ifdef CONFIG_DEBUG_KOBJECT_RELEASE +-- +2.25.1 + diff --git a/queue-5.6/kvm-x86-only-do-l1tf-workaround-on-affected-processo.patch b/queue-5.6/kvm-x86-only-do-l1tf-workaround-on-affected-processo.patch new file mode 100644 index 00000000000..6c161aa3936 --- /dev/null +++ b/queue-5.6/kvm-x86-only-do-l1tf-workaround-on-affected-processo.patch @@ -0,0 +1,80 @@ +From 936beb78f893b1325250c0eb28209d619fd17c54 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 May 2020 05:34:41 -0400 +Subject: KVM: x86: only do L1TF workaround on affected processors + +From: Paolo Bonzini + +[ Upstream commit d43e2675e96fc6ae1a633b6a69d296394448cc32 ] + +KVM stores the gfn in MMIO SPTEs as a caching optimization. These are split +in two parts, as in "[high 11111 low]", to thwart any attempt to use these bits +in an L1TF attack. This works as long as there are 5 free bits between +MAXPHYADDR and bit 50 (inclusive), leaving bit 51 free so that the MMIO +access triggers a reserved-bit-set page fault. + +The bit positions however were computed wrongly for AMD processors that have +encryption support. In this case, x86_phys_bits is reduced (for example +from 48 to 43, to account for the C bit at position 47 and four bits used +internally to store the SEV ASID and other stuff) while x86_cache_bits in +would remain set to 48, and _all_ bits between the reduced MAXPHYADDR +and bit 51 are set. Then low_phys_bits would also cover some of the +bits that are set in the shadow_mmio_value, terribly confusing the gfn +caching mechanism. + +To fix this, avoid splitting gfns as long as the processor does not have +the L1TF bug (which includes all AMD processors). When there is no +splitting, low_phys_bits can be set to the reduced MAXPHYADDR removing +the overlap. This fixes "npt=0" operation on EPYC processors. + +Thanks to Maxim Levitsky for bisecting this bug. + +Cc: stable@vger.kernel.org +Fixes: 52918ed5fcf0 ("KVM: SVM: Override default MMIO mask if memory encryption is enabled") +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/mmu/mmu.c | 19 ++++++++++--------- + 1 file changed, 10 insertions(+), 9 deletions(-) + +diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c +index 87e9ba27ada1..b0138530d085 100644 +--- a/arch/x86/kvm/mmu/mmu.c ++++ b/arch/x86/kvm/mmu/mmu.c +@@ -343,6 +343,8 @@ void kvm_mmu_set_mmio_spte_mask(u64 mmio_mask, u64 mmio_value, u64 access_mask) + { + BUG_ON((u64)(unsigned)access_mask != access_mask); + BUG_ON((mmio_mask & mmio_value) != mmio_value); ++ WARN_ON(mmio_value & (shadow_nonpresent_or_rsvd_mask << shadow_nonpresent_or_rsvd_mask_len)); ++ WARN_ON(mmio_value & shadow_nonpresent_or_rsvd_lower_gfn_mask); + shadow_mmio_value = mmio_value | SPTE_MMIO_MASK; + shadow_mmio_mask = mmio_mask | SPTE_SPECIAL_MASK; + shadow_mmio_access_mask = access_mask; +@@ -591,16 +593,15 @@ static void kvm_mmu_reset_all_pte_masks(void) + * the most significant bits of legal physical address space. + */ + shadow_nonpresent_or_rsvd_mask = 0; +- low_phys_bits = boot_cpu_data.x86_cache_bits; +- if (boot_cpu_data.x86_cache_bits < +- 52 - shadow_nonpresent_or_rsvd_mask_len) { ++ low_phys_bits = boot_cpu_data.x86_phys_bits; ++ if (boot_cpu_has_bug(X86_BUG_L1TF) && ++ !WARN_ON_ONCE(boot_cpu_data.x86_cache_bits >= ++ 52 - shadow_nonpresent_or_rsvd_mask_len)) { ++ low_phys_bits = boot_cpu_data.x86_cache_bits ++ - shadow_nonpresent_or_rsvd_mask_len; + shadow_nonpresent_or_rsvd_mask = +- rsvd_bits(boot_cpu_data.x86_cache_bits - +- shadow_nonpresent_or_rsvd_mask_len, +- boot_cpu_data.x86_cache_bits - 1); +- low_phys_bits -= shadow_nonpresent_or_rsvd_mask_len; +- } else +- WARN_ON_ONCE(boot_cpu_has_bug(X86_BUG_L1TF)); ++ rsvd_bits(low_phys_bits, boot_cpu_data.x86_cache_bits - 1); ++ } + + shadow_nonpresent_or_rsvd_lower_gfn_mask = + GENMASK_ULL(low_phys_bits - 1, PAGE_SHIFT); +-- +2.25.1 + diff --git a/queue-5.6/mm-add-kvfree_sensitive-for-freeing-sensitive-data-o.patch b/queue-5.6/mm-add-kvfree_sensitive-for-freeing-sensitive-data-o.patch new file mode 100644 index 00000000000..3f032b235e4 --- /dev/null +++ b/queue-5.6/mm-add-kvfree_sensitive-for-freeing-sensitive-data-o.patch @@ -0,0 +1,161 @@ +From 0fa13eafbee0c33a16e4894ae6278527a5f0fa92 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Jun 2020 16:48:21 -0700 +Subject: mm: add kvfree_sensitive() for freeing sensitive data objects + +From: Waiman Long + +[ Upstream commit d4eaa2837851db2bfed572898bfc17f9a9f9151e ] + +For kvmalloc'ed data object that contains sensitive information like +cryptographic keys, we need to make sure that the buffer is always cleared +before freeing it. Using memset() alone for buffer clearing may not +provide certainty as the compiler may compile it away. To be sure, the +special memzero_explicit() has to be used. + +This patch introduces a new kvfree_sensitive() for freeing those sensitive +data objects allocated by kvmalloc(). The relevant places where +kvfree_sensitive() can be used are modified to use it. + +Fixes: 4f0882491a14 ("KEYS: Avoid false positive ENOMEM error on key read") +Suggested-by: Linus Torvalds +Signed-off-by: Waiman Long +Signed-off-by: Andrew Morton +Reviewed-by: Eric Biggers +Acked-by: David Howells +Cc: Jarkko Sakkinen +Cc: James Morris +Cc: "Serge E. Hallyn" +Cc: Joe Perches +Cc: Matthew Wilcox +Cc: David Rientjes +Cc: Uladzislau Rezki +Link: http://lkml.kernel.org/r/20200407200318.11711-1-longman@redhat.com +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + include/linux/mm.h | 1 + + mm/util.c | 18 ++++++++++++++++++ + security/keys/internal.h | 11 ----------- + security/keys/keyctl.c | 16 +++++----------- + 4 files changed, 24 insertions(+), 22 deletions(-) + +diff --git a/include/linux/mm.h b/include/linux/mm.h +index 96deeecd9179..9b9f48489576 100644 +--- a/include/linux/mm.h ++++ b/include/linux/mm.h +@@ -669,6 +669,7 @@ static inline void *kvcalloc(size_t n, size_t size, gfp_t flags) + } + + extern void kvfree(const void *addr); ++extern void kvfree_sensitive(const void *addr, size_t len); + + /* + * Mapcount of compound page as a whole, does not include mapped sub-pages. +diff --git a/mm/util.c b/mm/util.c +index 988d11e6c17c..dc1c877d5481 100644 +--- a/mm/util.c ++++ b/mm/util.c +@@ -604,6 +604,24 @@ void kvfree(const void *addr) + } + EXPORT_SYMBOL(kvfree); + ++/** ++ * kvfree_sensitive - Free a data object containing sensitive information. ++ * @addr: address of the data object to be freed. ++ * @len: length of the data object. ++ * ++ * Use the special memzero_explicit() function to clear the content of a ++ * kvmalloc'ed object containing sensitive data to make sure that the ++ * compiler won't optimize out the data clearing. ++ */ ++void kvfree_sensitive(const void *addr, size_t len) ++{ ++ if (likely(!ZERO_OR_NULL_PTR(addr))) { ++ memzero_explicit((void *)addr, len); ++ kvfree(addr); ++ } ++} ++EXPORT_SYMBOL(kvfree_sensitive); ++ + static inline void *__page_rmapping(struct page *page) + { + unsigned long mapping; +diff --git a/security/keys/internal.h b/security/keys/internal.h +index 6d0ca48ae9a5..153d35c20d3d 100644 +--- a/security/keys/internal.h ++++ b/security/keys/internal.h +@@ -350,15 +350,4 @@ static inline void key_check(const struct key *key) + #define key_check(key) do {} while(0) + + #endif +- +-/* +- * Helper function to clear and free a kvmalloc'ed memory object. +- */ +-static inline void __kvzfree(const void *addr, size_t len) +-{ +- if (addr) { +- memset((void *)addr, 0, len); +- kvfree(addr); +- } +-} + #endif /* _INTERNAL_H */ +diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c +index 5e01192e222a..edde63a63007 100644 +--- a/security/keys/keyctl.c ++++ b/security/keys/keyctl.c +@@ -142,10 +142,7 @@ SYSCALL_DEFINE5(add_key, const char __user *, _type, + + key_ref_put(keyring_ref); + error3: +- if (payload) { +- memzero_explicit(payload, plen); +- kvfree(payload); +- } ++ kvfree_sensitive(payload, plen); + error2: + kfree(description); + error: +@@ -360,7 +357,7 @@ long keyctl_update_key(key_serial_t id, + + key_ref_put(key_ref); + error2: +- __kvzfree(payload, plen); ++ kvfree_sensitive(payload, plen); + error: + return ret; + } +@@ -914,7 +911,7 @@ long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen) + */ + if (ret > key_data_len) { + if (unlikely(key_data)) +- __kvzfree(key_data, key_data_len); ++ kvfree_sensitive(key_data, key_data_len); + key_data_len = ret; + continue; /* Allocate buffer */ + } +@@ -923,7 +920,7 @@ long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen) + ret = -EFAULT; + break; + } +- __kvzfree(key_data, key_data_len); ++ kvfree_sensitive(key_data, key_data_len); + + key_put_out: + key_put(key); +@@ -1225,10 +1222,7 @@ long keyctl_instantiate_key_common(key_serial_t id, + keyctl_change_reqkey_auth(NULL); + + error2: +- if (payload) { +- memzero_explicit(payload, plen); +- kvfree(payload); +- } ++ kvfree_sensitive(payload, plen); + error: + return ret; + } +-- +2.25.1 + diff --git a/queue-5.6/padata-add-separate-cpuhp-node-for-cpuhp_padata_dead.patch b/queue-5.6/padata-add-separate-cpuhp-node-for-cpuhp_padata_dead.patch new file mode 100644 index 00000000000..4a8de02368b --- /dev/null +++ b/queue-5.6/padata-add-separate-cpuhp-node-for-cpuhp_padata_dead.patch @@ -0,0 +1,122 @@ +From 72625a30f9bb129979f5f22e80bfd4c62bf8eae9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Apr 2020 12:34:55 -0400 +Subject: padata: add separate cpuhp node for CPUHP_PADATA_DEAD + +From: Daniel Jordan + +[ Upstream commit 3c2214b6027ff37945799de717c417212e1a8c54 ] + +Removing the pcrypt module triggers this: + + general protection fault, probably for non-canonical + address 0xdead000000000122 + CPU: 5 PID: 264 Comm: modprobe Not tainted 5.6.0+ #2 + Hardware name: QEMU Standard PC + RIP: 0010:__cpuhp_state_remove_instance+0xcc/0x120 + Call Trace: + padata_sysfs_release+0x74/0xce + kobject_put+0x81/0xd0 + padata_free+0x12/0x20 + pcrypt_exit+0x43/0x8ee [pcrypt] + +padata instances wrongly use the same hlist node for the online and dead +states, so __padata_free()'s second cpuhp remove call chokes on the node +that the first poisoned. + +cpuhp multi-instance callbacks only walk forward in cpuhp_step->list and +the same node is linked in both the online and dead lists, so the list +corruption that results from padata_alloc() adding the node to a second +list without removing it from the first doesn't cause problems as long +as no instances are freed. + +Avoid the issue by giving each state its own node. + +Fixes: 894c9ef9780c ("padata: validate cpumask without removed CPU during offline") +Signed-off-by: Daniel Jordan +Cc: Herbert Xu +Cc: Steffen Klassert +Cc: linux-crypto@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Cc: stable@vger.kernel.org # v5.4+ +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + include/linux/padata.h | 6 ++++-- + kernel/padata.c | 14 ++++++++------ + 2 files changed, 12 insertions(+), 8 deletions(-) + +diff --git a/include/linux/padata.h b/include/linux/padata.h +index a0d8b41850b2..693cae9bfe66 100644 +--- a/include/linux/padata.h ++++ b/include/linux/padata.h +@@ -139,7 +139,8 @@ struct padata_shell { + /** + * struct padata_instance - The overall control structure. + * +- * @node: Used by CPU hotplug. ++ * @cpu_online_node: Linkage for CPU online callback. ++ * @cpu_dead_node: Linkage for CPU offline callback. + * @parallel_wq: The workqueue used for parallel work. + * @serial_wq: The workqueue used for serial work. + * @pslist: List of padata_shell objects attached to this instance. +@@ -150,7 +151,8 @@ struct padata_shell { + * @flags: padata flags. + */ + struct padata_instance { +- struct hlist_node node; ++ struct hlist_node cpu_online_node; ++ struct hlist_node cpu_dead_node; + struct workqueue_struct *parallel_wq; + struct workqueue_struct *serial_wq; + struct list_head pslist; +diff --git a/kernel/padata.c b/kernel/padata.c +index 62082597d4a2..fee14ae90d96 100644 +--- a/kernel/padata.c ++++ b/kernel/padata.c +@@ -703,7 +703,7 @@ static int padata_cpu_online(unsigned int cpu, struct hlist_node *node) + struct padata_instance *pinst; + int ret; + +- pinst = hlist_entry_safe(node, struct padata_instance, node); ++ pinst = hlist_entry_safe(node, struct padata_instance, cpu_online_node); + if (!pinst_has_cpu(pinst, cpu)) + return 0; + +@@ -718,7 +718,7 @@ static int padata_cpu_dead(unsigned int cpu, struct hlist_node *node) + struct padata_instance *pinst; + int ret; + +- pinst = hlist_entry_safe(node, struct padata_instance, node); ++ pinst = hlist_entry_safe(node, struct padata_instance, cpu_dead_node); + if (!pinst_has_cpu(pinst, cpu)) + return 0; + +@@ -734,8 +734,9 @@ static enum cpuhp_state hp_online; + static void __padata_free(struct padata_instance *pinst) + { + #ifdef CONFIG_HOTPLUG_CPU +- cpuhp_state_remove_instance_nocalls(CPUHP_PADATA_DEAD, &pinst->node); +- cpuhp_state_remove_instance_nocalls(hp_online, &pinst->node); ++ cpuhp_state_remove_instance_nocalls(CPUHP_PADATA_DEAD, ++ &pinst->cpu_dead_node); ++ cpuhp_state_remove_instance_nocalls(hp_online, &pinst->cpu_online_node); + #endif + + WARN_ON(!list_empty(&pinst->pslist)); +@@ -939,9 +940,10 @@ static struct padata_instance *padata_alloc(const char *name, + mutex_init(&pinst->lock); + + #ifdef CONFIG_HOTPLUG_CPU +- cpuhp_state_add_instance_nocalls_cpuslocked(hp_online, &pinst->node); ++ cpuhp_state_add_instance_nocalls_cpuslocked(hp_online, ++ &pinst->cpu_online_node); + cpuhp_state_add_instance_nocalls_cpuslocked(CPUHP_PADATA_DEAD, +- &pinst->node); ++ &pinst->cpu_dead_node); + #endif + + put_online_cpus(); +-- +2.25.1 + diff --git a/queue-5.6/pci-pm-adjust-pcie_wait_for_link_delay-for-caller-de.patch b/queue-5.6/pci-pm-adjust-pcie_wait_for_link_delay-for-caller-de.patch new file mode 100644 index 00000000000..d37068d8c20 --- /dev/null +++ b/queue-5.6/pci-pm-adjust-pcie_wait_for_link_delay-for-caller-de.patch @@ -0,0 +1,44 @@ +From f3607d81f3f903f3aaf9a15dd891c378745f44dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 May 2020 14:31:16 -0500 +Subject: PCI/PM: Adjust pcie_wait_for_link_delay() for caller delay + +From: Bjorn Helgaas + +[ Upstream commit f044baaff1eb7ae5aa7a36f1b7ad5bd8eeb672c4 ] + +The caller of pcie_wait_for_link_delay() specifies the time to wait after +the link becomes active. When the downstream port doesn't support link +active reporting, obviously we can't tell when the link becomes active, so +we waited the worst-case time (1000 ms) plus 100 ms, ignoring the delay +from the caller. + +Instead, wait for 1000 ms + the delay from the caller. + +Fixes: 4827d63891b6 ("PCI/PM: Add pcie_wait_for_link_delay()") +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +--- + drivers/pci/pci.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c +index d828ca835a98..fe9fbb74ce72 100644 +--- a/drivers/pci/pci.c ++++ b/drivers/pci/pci.c +@@ -4616,10 +4616,10 @@ static bool pcie_wait_for_link_delay(struct pci_dev *pdev, bool active, + + /* + * Some controllers might not implement link active reporting. In this +- * case, we wait for 1000 + 100 ms. ++ * case, we wait for 1000 ms + any delay requested by the caller. + */ + if (!pdev->link_active_reporting) { +- msleep(1100); ++ msleep(timeout + delay); + return true; + } + +-- +2.25.1 + diff --git a/queue-5.6/perf-probe-accept-the-instance-number-of-kretprobe-e.patch b/queue-5.6/perf-probe-accept-the-instance-number-of-kretprobe-e.patch new file mode 100644 index 00000000000..ca342622b0d --- /dev/null +++ b/queue-5.6/perf-probe-accept-the-instance-number-of-kretprobe-e.patch @@ -0,0 +1,70 @@ +From 0828cbf64bc77dce1391aa3c5eb5c7f2c3f841d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 May 2020 23:29:12 +0900 +Subject: perf probe: Accept the instance number of kretprobe event + +From: Masami Hiramatsu + +[ Upstream commit c6aab66a728b6518772c74bd9dff66e1a1c652fd ] + +Since the commit 6a13a0d7b4d1 ("ftrace/kprobe: Show the maxactive number +on kprobe_events") introduced to show the instance number of kretprobe +events, the length of the 1st format of the kprobe event will not 1, but +it can be longer. This caused a parser error in perf-probe. + +Skip the length check the 1st format of the kprobe event to accept this +instance number. + +Without this fix: + + # perf probe -a vfs_read%return + Added new event: + probe:vfs_read__return (on vfs_read%return) + + You can now use it in all perf tools, such as: + + perf record -e probe:vfs_read__return -aR sleep 1 + + # perf probe -l + Semantic error :Failed to parse event name: r16:probe/vfs_read__return + Error: Failed to show event list. + +And with this fixes: + + # perf probe -a vfs_read%return + ... + # perf probe -l + probe:vfs_read__return (on vfs_read%return) + +Fixes: 6a13a0d7b4d1 ("ftrace/kprobe: Show the maxactive number on kprobe_events") +Reported-by: Yuxuan Shui +Signed-off-by: Masami Hiramatsu +Tested-by: Yuxuan Shui +Cc: Jiri Olsa +Cc: Namhyung Kim +Cc: stable@vger.kernel.org +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=207587 +Link: http://lore.kernel.org/lkml/158877535215.26469.1113127926699134067.stgit@devnote2 +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/probe-event.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/tools/perf/util/probe-event.c b/tools/perf/util/probe-event.c +index eea132f512b0..c6bcf5709564 100644 +--- a/tools/perf/util/probe-event.c ++++ b/tools/perf/util/probe-event.c +@@ -1765,8 +1765,7 @@ int parse_probe_trace_command(const char *cmd, struct probe_trace_event *tev) + fmt1_str = strtok_r(argv0_str, ":", &fmt); + fmt2_str = strtok_r(NULL, "/", &fmt); + fmt3_str = strtok_r(NULL, " \t", &fmt); +- if (fmt1_str == NULL || strlen(fmt1_str) != 1 || fmt2_str == NULL +- || fmt3_str == NULL) { ++ if (fmt1_str == NULL || fmt2_str == NULL || fmt3_str == NULL) { + semantic_error("Failed to parse event name: %s\n", argv[0]); + ret = -EINVAL; + goto out; +-- +2.25.1 + diff --git a/queue-5.6/powerpc-xive-clear-the-page-tables-for-the-esb-io-ma.patch b/queue-5.6/powerpc-xive-clear-the-page-tables-for-the-esb-io-ma.patch new file mode 100644 index 00000000000..2b86b767e2e --- /dev/null +++ b/queue-5.6/powerpc-xive-clear-the-page-tables-for-the-esb-io-ma.patch @@ -0,0 +1,74 @@ +From 4da0f9d9078951990a3c40ac708f3e0c565d8b09 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Apr 2020 09:51:20 +0200 +Subject: powerpc/xive: Clear the page tables for the ESB IO mapping +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Cédric Le Goater + +[ Upstream commit a101950fcb78b0ba20cd487be6627dea58d55c2b ] + +Commit 1ca3dec2b2df ("powerpc/xive: Prevent page fault issues in the +machine crash handler") fixed an issue in the FW assisted dump of +machines using hash MMU and the XIVE interrupt mode under the POWER +hypervisor. It forced the mapping of the ESB page of interrupts being +mapped in the Linux IRQ number space to make sure the 'crash kexec' +sequence worked during such an event. But it didn't handle the +un-mapping. + +This mapping is now blocking the removal of a passthrough IO adapter +under the POWER hypervisor because it expects the guest OS to have +cleared all page table entries related to the adapter. If some are +still present, the RTAS call which isolates the PCI slot returns error +9001 "valid outstanding translations". + +Remove these mapping in the IRQ data cleanup routine. + +Under KVM, this cleanup is not required because the ESB pages for the +adapter interrupts are un-mapped from the guest by the hypervisor in +the KVM XIVE native device. This is now redundant but it's harmless. + +Fixes: 1ca3dec2b2df ("powerpc/xive: Prevent page fault issues in the machine crash handler") +Cc: stable@vger.kernel.org # v5.5+ +Signed-off-by: Cédric Le Goater +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200429075122.1216388-2-clg@kaod.org +Signed-off-by: Sasha Levin +--- + arch/powerpc/sysdev/xive/common.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/arch/powerpc/sysdev/xive/common.c b/arch/powerpc/sysdev/xive/common.c +index fe8d396e2301..16df9cc8f360 100644 +--- a/arch/powerpc/sysdev/xive/common.c ++++ b/arch/powerpc/sysdev/xive/common.c +@@ -19,6 +19,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -1013,12 +1014,16 @@ EXPORT_SYMBOL_GPL(is_xive_irq); + void xive_cleanup_irq_data(struct xive_irq_data *xd) + { + if (xd->eoi_mmio) { ++ unmap_kernel_range((unsigned long)xd->eoi_mmio, ++ 1u << xd->esb_shift); + iounmap(xd->eoi_mmio); + if (xd->eoi_mmio == xd->trig_mmio) + xd->trig_mmio = NULL; + xd->eoi_mmio = NULL; + } + if (xd->trig_mmio) { ++ unmap_kernel_range((unsigned long)xd->trig_mmio, ++ 1u << xd->esb_shift); + iounmap(xd->trig_mmio); + xd->trig_mmio = NULL; + } +-- +2.25.1 + diff --git a/queue-5.6/rdma-uverbs-make-the-event_queue-fds-return-pollerr-.patch b/queue-5.6/rdma-uverbs-make-the-event_queue-fds-return-pollerr-.patch new file mode 100644 index 00000000000..a8ed82112af --- /dev/null +++ b/queue-5.6/rdma-uverbs-make-the-event_queue-fds-return-pollerr-.patch @@ -0,0 +1,41 @@ +From c583c92d5761321c7dffa1517f7762d0bb0adfda Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Apr 2020 21:44:26 -0300 +Subject: RDMA/uverbs: Make the event_queue fds return POLLERR when + disassociated + +From: Jason Gunthorpe + +[ Upstream commit eb356e6dc15a30af604f052cd0e170450193c254 ] + +If is_closed is set, and the event list is empty, then read() will return +-EIO without blocking. After setting is_closed in +ib_uverbs_free_event_queue(), we do trigger a wake_up on the poll_wait, +but the fops->poll() function does not check it, so poll will continue to +sleep on an empty list. + +Fixes: 14e23bd6d221 ("RDMA/core: Fix locking in ib_uverbs_event_read") +Link: https://lore.kernel.org/r/0-v1-ace813388969+48859-uverbs_poll_fix%25jgg@mellanox.com +Reviewed-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/uverbs_main.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/infiniband/core/uverbs_main.c b/drivers/infiniband/core/uverbs_main.c +index 1bab8de14757..b94572e9c24f 100644 +--- a/drivers/infiniband/core/uverbs_main.c ++++ b/drivers/infiniband/core/uverbs_main.c +@@ -296,6 +296,8 @@ static __poll_t ib_uverbs_event_poll(struct ib_uverbs_event_queue *ev_queue, + spin_lock_irq(&ev_queue->lock); + if (!list_empty(&ev_queue->event_list)) + pollflags = EPOLLIN | EPOLLRDNORM; ++ else if (ev_queue->is_closed) ++ pollflags = EPOLLERR; + spin_unlock_irq(&ev_queue->lock); + + return pollflags; +-- +2.25.1 + diff --git a/queue-5.6/s390-pci-log-new-handle-in-clp_disable_fh.patch b/queue-5.6/s390-pci-log-new-handle-in-clp_disable_fh.patch new file mode 100644 index 00000000000..a3234e3fa4e --- /dev/null +++ b/queue-5.6/s390-pci-log-new-handle-in-clp_disable_fh.patch @@ -0,0 +1,45 @@ +From 1a92d7e00b754fb26897079ae7e3785d037c82f0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 May 2020 20:39:22 +0200 +Subject: s390/pci: Log new handle in clp_disable_fh() + +From: Petr Tesarik + +[ Upstream commit e1750a3d9abbea2ece29cac8dc5a6f5bc19c1492 ] + +After disabling a function, the original handle is logged instead of +the disabled handle. + +Link: https://lkml.kernel.org/r/20200522183922.5253-1-ptesarik@suse.com +Fixes: 17cdec960cf7 ("s390/pci: Recover handle in clp_set_pci_fn()") +Reviewed-by: Pierre Morel +Signed-off-by: Petr Tesarik +Signed-off-by: Vasily Gorbik +Signed-off-by: Sasha Levin +--- + arch/s390/pci/pci_clp.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/arch/s390/pci/pci_clp.c b/arch/s390/pci/pci_clp.c +index 0d3d8f170ea4..25208fa95426 100644 +--- a/arch/s390/pci/pci_clp.c ++++ b/arch/s390/pci/pci_clp.c +@@ -309,14 +309,13 @@ int clp_enable_fh(struct zpci_dev *zdev, u8 nr_dma_as) + + int clp_disable_fh(struct zpci_dev *zdev) + { +- u32 fh = zdev->fh; + int rc; + + if (!zdev_enabled(zdev)) + return 0; + + rc = clp_set_pci_fn(zdev, 0, CLP_SET_DISABLE_PCI_FN); +- zpci_dbg(3, "dis fid:%x, fh:%x, rc:%d\n", zdev->fid, fh, rc); ++ zpci_dbg(3, "dis fid:%x, fh:%x, rc:%d\n", zdev->fid, zdev->fh, rc); + return rc; + } + +-- +2.25.1 + diff --git a/queue-5.6/selftests-fix-flower-parent-qdisc.patch b/queue-5.6/selftests-fix-flower-parent-qdisc.patch new file mode 100644 index 00000000000..c155de47d08 --- /dev/null +++ b/queue-5.6/selftests-fix-flower-parent-qdisc.patch @@ -0,0 +1,86 @@ +From 20e7ce34eb2ba754c405a00682852e42074f98c6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 May 2020 09:35:52 +0300 +Subject: selftests: fix flower parent qdisc + +From: Vlad Buslov + +[ Upstream commit 0531b0357ba37464e5c0033e1b7c69bbf5ecd8fb ] + +Flower tests used to create ingress filter with specified parent qdisc +"parent ffff:" but dump them on "ingress". With recent commit that fixed +tcm_parent handling in dump those are not considered same parent anymore, +which causes iproute2 tc to emit additional "parent ffff:" in first line of +filter dump output. The change in output causes filter match in tests to +fail. + +Prevent parent qdisc output when dumping filters in flower tests by always +correctly specifying "ingress" parent both when creating and dumping +filters. + +Fixes: a7df4870d79b ("net_sched: fix tcm_parent in tc filter dump") +Signed-off-by: Vlad Buslov +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../selftests/tc-testing/tc-tests/filters/tests.json | 6 +++--- + tools/testing/selftests/tc-testing/tdc_batch.py | 6 +++--- + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/tools/testing/selftests/tc-testing/tc-tests/filters/tests.json b/tools/testing/selftests/tc-testing/tc-tests/filters/tests.json +index 8877f7b2b809..12aa4bc1f6a0 100644 +--- a/tools/testing/selftests/tc-testing/tc-tests/filters/tests.json ++++ b/tools/testing/selftests/tc-testing/tc-tests/filters/tests.json +@@ -32,7 +32,7 @@ + "setup": [ + "$TC qdisc add dev $DEV2 ingress" + ], +- "cmdUnderTest": "$TC filter add dev $DEV2 protocol ip pref 1 parent ffff: handle 0xffffffff flower action ok", ++ "cmdUnderTest": "$TC filter add dev $DEV2 protocol ip pref 1 ingress handle 0xffffffff flower action ok", + "expExitCode": "0", + "verifyCmd": "$TC filter show dev $DEV2 ingress", + "matchPattern": "filter protocol ip pref 1 flower.*handle 0xffffffff", +@@ -77,9 +77,9 @@ + }, + "setup": [ + "$TC qdisc add dev $DEV2 ingress", +- "$TC filter add dev $DEV2 protocol ip prio 1 parent ffff: flower dst_mac e4:11:22:11:4a:51 src_mac e4:11:22:11:4a:50 ip_proto tcp src_ip 1.1.1.1 dst_ip 2.2.2.2 action drop" ++ "$TC filter add dev $DEV2 protocol ip prio 1 ingress flower dst_mac e4:11:22:11:4a:51 src_mac e4:11:22:11:4a:50 ip_proto tcp src_ip 1.1.1.1 dst_ip 2.2.2.2 action drop" + ], +- "cmdUnderTest": "$TC filter add dev $DEV2 protocol ip prio 1 parent ffff: flower dst_mac e4:11:22:11:4a:51 src_mac e4:11:22:11:4a:50 ip_proto tcp src_ip 1.1.1.1 dst_ip 2.2.2.2 action drop", ++ "cmdUnderTest": "$TC filter add dev $DEV2 protocol ip prio 1 ingress flower dst_mac e4:11:22:11:4a:51 src_mac e4:11:22:11:4a:50 ip_proto tcp src_ip 1.1.1.1 dst_ip 2.2.2.2 action drop", + "expExitCode": "2", + "verifyCmd": "$TC -s filter show dev $DEV2 ingress", + "matchPattern": "filter protocol ip pref 1 flower chain 0 handle", +diff --git a/tools/testing/selftests/tc-testing/tdc_batch.py b/tools/testing/selftests/tc-testing/tdc_batch.py +index 6a2bd2cf528e..995f66ce43eb 100755 +--- a/tools/testing/selftests/tc-testing/tdc_batch.py ++++ b/tools/testing/selftests/tc-testing/tdc_batch.py +@@ -72,21 +72,21 @@ mac_prefix = args.mac_prefix + + def format_add_filter(device, prio, handle, skip, src_mac, dst_mac, + share_action): +- return ("filter add dev {} {} protocol ip parent ffff: handle {} " ++ return ("filter add dev {} {} protocol ip ingress handle {} " + " flower {} src_mac {} dst_mac {} action drop {}".format( + device, prio, handle, skip, src_mac, dst_mac, share_action)) + + + def format_rep_filter(device, prio, handle, skip, src_mac, dst_mac, + share_action): +- return ("filter replace dev {} {} protocol ip parent ffff: handle {} " ++ return ("filter replace dev {} {} protocol ip ingress handle {} " + " flower {} src_mac {} dst_mac {} action drop {}".format( + device, prio, handle, skip, src_mac, dst_mac, share_action)) + + + def format_del_filter(device, prio, handle, skip, src_mac, dst_mac, + share_action): +- return ("filter del dev {} {} protocol ip parent ffff: handle {} " ++ return ("filter del dev {} {} protocol ip ingress handle {} " + "flower".format(device, prio, handle)) + + +-- +2.25.1 + diff --git a/queue-5.6/series b/queue-5.6/series index 49f10f84427..15dcd887014 100644 --- a/queue-5.6/series +++ b/queue-5.6/series @@ -19,3 +19,23 @@ input-synaptics-add-a-second-working-pnp_id-for-leno.patch csky-fixup-abiv2-syscall_trace-break-a4-a5.patch gfs2-even-more-gfs2_find_jhead-fixes.patch drivers-net-ibmvnic-update-vnic-protocol-version-rep.patch +staging-wfx-fix-double-free.patch +staging-mt7621-pci-properly-power-off-dual-ported-pc.patch +perf-probe-accept-the-instance-number-of-kretprobe-e.patch +mm-add-kvfree_sensitive-for-freeing-sensitive-data-o.patch +selftests-fix-flower-parent-qdisc.patch +fanotify-fix-ignore-mask-logic-for-events-on-child-a.patch +driver-core-update-device-link-status-correctly-for-.patch +powerpc-xive-clear-the-page-tables-for-the-esb-io-ma.patch +asoc-sof-imx8-fix-randbuild-error.patch +asoc-sof-imx-fix-undefined-reference-issue.patch +spi-dw-fix-native-cs-being-unset.patch +ath9k_htc-silence-undersized-packet-warnings.patch +smack-avoid-unused-sip-variable-warning.patch +rdma-uverbs-make-the-event_queue-fds-return-pollerr-.patch +padata-add-separate-cpuhp-node-for-cpuhp_padata_dead.patch +s390-pci-log-new-handle-in-clp_disable_fh.patch +x86-cpu-amd-make-erratum-1054-a-legacy-erratum.patch +kvm-x86-only-do-l1tf-workaround-on-affected-processo.patch +pci-pm-adjust-pcie_wait_for_link_delay-for-caller-de.patch +kobject-make-sure-the-parent-does-not-get-released-b.patch diff --git a/queue-5.6/smack-avoid-unused-sip-variable-warning.patch b/queue-5.6/smack-avoid-unused-sip-variable-warning.patch new file mode 100644 index 00000000000..29534aa5c3d --- /dev/null +++ b/queue-5.6/smack-avoid-unused-sip-variable-warning.patch @@ -0,0 +1,166 @@ +From 177ca905ab7f1026f4921d1168f45046b0ee22c8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Apr 2020 21:04:31 +0200 +Subject: smack: avoid unused 'sip' variable warning + +From: Arnd Bergmann + +[ Upstream commit 00720f0e7f288d29681d265c23b22bb0f0f4e5b4 ] + +The mix of IS_ENABLED() and #ifdef checks has left a combination +that causes a warning about an unused variable: + +security/smack/smack_lsm.c: In function 'smack_socket_connect': +security/smack/smack_lsm.c:2838:24: error: unused variable 'sip' [-Werror=unused-variable] + 2838 | struct sockaddr_in6 *sip = (struct sockaddr_in6 *)sap; + +Change the code to use C-style checks consistently so the compiler +can handle it correctly. + +Fixes: 87fbfffcc89b ("broken ping to ipv6 linklocal addresses on debian buster") +Signed-off-by: Arnd Bergmann +Signed-off-by: Casey Schaufler +Signed-off-by: Sasha Levin +--- + security/smack/smack.h | 6 ------ + security/smack/smack_lsm.c | 25 ++++++++----------------- + 2 files changed, 8 insertions(+), 23 deletions(-) + +diff --git a/security/smack/smack.h b/security/smack/smack.h +index 62529f382942..335d2411abe4 100644 +--- a/security/smack/smack.h ++++ b/security/smack/smack.h +@@ -148,7 +148,6 @@ struct smk_net4addr { + struct smack_known *smk_label; /* label */ + }; + +-#if IS_ENABLED(CONFIG_IPV6) + /* + * An entry in the table identifying IPv6 hosts. + */ +@@ -159,9 +158,7 @@ struct smk_net6addr { + int smk_masks; /* mask size */ + struct smack_known *smk_label; /* label */ + }; +-#endif /* CONFIG_IPV6 */ + +-#ifdef SMACK_IPV6_PORT_LABELING + /* + * An entry in the table identifying ports. + */ +@@ -174,7 +171,6 @@ struct smk_port_label { + short smk_sock_type; /* Socket type */ + short smk_can_reuse; + }; +-#endif /* SMACK_IPV6_PORT_LABELING */ + + struct smack_known_list_elem { + struct list_head list; +@@ -335,9 +331,7 @@ extern struct smack_known smack_known_web; + extern struct mutex smack_known_lock; + extern struct list_head smack_known_list; + extern struct list_head smk_net4addr_list; +-#if IS_ENABLED(CONFIG_IPV6) + extern struct list_head smk_net6addr_list; +-#endif /* CONFIG_IPV6 */ + + extern struct mutex smack_onlycap_lock; + extern struct list_head smack_onlycap_list; +diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c +index 8c61d175e195..14bf2f4aea3b 100644 +--- a/security/smack/smack_lsm.c ++++ b/security/smack/smack_lsm.c +@@ -50,10 +50,8 @@ + #define SMK_RECEIVING 1 + #define SMK_SENDING 2 + +-#ifdef SMACK_IPV6_PORT_LABELING +-DEFINE_MUTEX(smack_ipv6_lock); ++static DEFINE_MUTEX(smack_ipv6_lock); + static LIST_HEAD(smk_ipv6_port_list); +-#endif + static struct kmem_cache *smack_inode_cache; + struct kmem_cache *smack_rule_cache; + int smack_enabled; +@@ -2320,7 +2318,6 @@ static struct smack_known *smack_ipv4host_label(struct sockaddr_in *sip) + return NULL; + } + +-#if IS_ENABLED(CONFIG_IPV6) + /* + * smk_ipv6_localhost - Check for local ipv6 host address + * @sip: the address +@@ -2388,7 +2385,6 @@ static struct smack_known *smack_ipv6host_label(struct sockaddr_in6 *sip) + + return NULL; + } +-#endif /* CONFIG_IPV6 */ + + /** + * smack_netlabel - Set the secattr on a socket +@@ -2477,7 +2473,6 @@ static int smack_netlabel_send(struct sock *sk, struct sockaddr_in *sap) + return smack_netlabel(sk, sk_lbl); + } + +-#if IS_ENABLED(CONFIG_IPV6) + /** + * smk_ipv6_check - check Smack access + * @subject: subject Smack label +@@ -2510,7 +2505,6 @@ static int smk_ipv6_check(struct smack_known *subject, + rc = smk_bu_note("IPv6 check", subject, object, MAY_WRITE, rc); + return rc; + } +-#endif /* CONFIG_IPV6 */ + + #ifdef SMACK_IPV6_PORT_LABELING + /** +@@ -2599,6 +2593,7 @@ static void smk_ipv6_port_label(struct socket *sock, struct sockaddr *address) + mutex_unlock(&smack_ipv6_lock); + return; + } ++#endif + + /** + * smk_ipv6_port_check - check Smack port access +@@ -2661,7 +2656,6 @@ static int smk_ipv6_port_check(struct sock *sk, struct sockaddr_in6 *address, + + return smk_ipv6_check(skp, object, address, act); + } +-#endif /* SMACK_IPV6_PORT_LABELING */ + + /** + * smack_inode_setsecurity - set smack xattrs +@@ -2836,24 +2830,21 @@ static int smack_socket_connect(struct socket *sock, struct sockaddr *sap, + return 0; + if (IS_ENABLED(CONFIG_IPV6) && sap->sa_family == AF_INET6) { + struct sockaddr_in6 *sip = (struct sockaddr_in6 *)sap; +-#ifdef SMACK_IPV6_SECMARK_LABELING +- struct smack_known *rsp; +-#endif ++ struct smack_known *rsp = NULL; + + if (addrlen < SIN6_LEN_RFC2133) + return 0; +-#ifdef SMACK_IPV6_SECMARK_LABELING +- rsp = smack_ipv6host_label(sip); ++ if (__is_defined(SMACK_IPV6_SECMARK_LABELING)) ++ rsp = smack_ipv6host_label(sip); + if (rsp != NULL) { + struct socket_smack *ssp = sock->sk->sk_security; + + rc = smk_ipv6_check(ssp->smk_out, rsp, sip, + SMK_CONNECTING); + } +-#endif +-#ifdef SMACK_IPV6_PORT_LABELING +- rc = smk_ipv6_port_check(sock->sk, sip, SMK_CONNECTING); +-#endif ++ if (__is_defined(SMACK_IPV6_PORT_LABELING)) ++ rc = smk_ipv6_port_check(sock->sk, sip, SMK_CONNECTING); ++ + return rc; + } + if (sap->sa_family != AF_INET || addrlen < sizeof(struct sockaddr_in)) +-- +2.25.1 + diff --git a/queue-5.6/spi-dw-fix-native-cs-being-unset.patch b/queue-5.6/spi-dw-fix-native-cs-being-unset.patch new file mode 100644 index 00000000000..404da7167b8 --- /dev/null +++ b/queue-5.6/spi-dw-fix-native-cs-being-unset.patch @@ -0,0 +1,78 @@ +From e22638324b4d3a02a9012b394957bd0922028a93 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Jun 2020 20:17:21 -0400 +Subject: spi: dw: Fix native CS being unset + +[ Upstream commit 9aea644ca17b94f82ad7fa767cbc4509642f4420 ] + +Commit 6e0a32d6f376 ("spi: dw: Fix default polarity of native +chipselect") attempted to fix the problem when GPIO active-high +chip-select is utilized to communicate with some SPI slave. It fixed +the problem, but broke the normal native CS support. At the same time +the reversion commit ada9e3fcc175 ("spi: dw: Correct handling of native +chipselect") didn't solve the problem either, since it just inverted +the set_cs() polarity perception without taking into account that +CS-high might be applicable. Here is what is done to finally fix the +problem. + +DW SPI controller demands any native CS being set in order to proceed +with data transfer. So in order to activate the SPI communications we +must set any bit in the Slave Select DW SPI controller register no +matter whether the platform requests the GPIO- or native CS. Preferably +it should be the bit corresponding to the SPI slave CS number. But +currently the dw_spi_set_cs() method activates the chip-select +only if the second argument is false. Since the second argument of the +set_cs callback is expected to be a boolean with "is-high" semantics +(actual chip-select pin state value), the bit in the DW SPI Slave +Select register will be set only if SPI core requests the driver +to set the CS in the low state. So this will work for active-low +GPIO-based CS case, and won't work for active-high CS setting +the bit when SPI core actually needs to deactivate the CS. + +This commit fixes the problem for all described cases. So no matter +whether an SPI slave needs GPIO- or native-based CS with active-high +or low signal the corresponding bit will be set in SER. + +Signed-off-by: Serge Semin +Fixes: ada9e3fcc175 ("spi: dw: Correct handling of native chipselect") +Fixes: 6e0a32d6f376 ("spi: dw: Fix default polarity of native chipselect") +Reviewed-by: Charles Keepax +Reviewed-by: Andy Shevchenko +Acked-by: Linus Walleij + +Link: https://lore.kernel.org/r/20200515104758.6934-5-Sergey.Semin@baikalelectronics.ru +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-dw.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-dw.c b/drivers/spi/spi-dw.c +index 31e3f866d11a..6c2d8df50507 100644 +--- a/drivers/spi/spi-dw.c ++++ b/drivers/spi/spi-dw.c +@@ -128,12 +128,20 @@ void dw_spi_set_cs(struct spi_device *spi, bool enable) + { + struct dw_spi *dws = spi_controller_get_devdata(spi->controller); + struct chip_data *chip = spi_get_ctldata(spi); ++ bool cs_high = !!(spi->mode & SPI_CS_HIGH); + + /* Chip select logic is inverted from spi_set_cs() */ + if (chip && chip->cs_control) + chip->cs_control(!enable); + +- if (!enable) ++ /* ++ * DW SPI controller demands any native CS being set in order to ++ * proceed with data transfer. So in order to activate the SPI ++ * communications we must set a corresponding bit in the Slave ++ * Enable register no matter whether the SPI core is configured to ++ * support active-high or active-low CS level. ++ */ ++ if (cs_high == enable) + dw_writel(dws, DW_SPI_SER, BIT(spi->chip_select)); + else if (dws->cs_override) + dw_writel(dws, DW_SPI_SER, 0); +-- +2.25.1 + diff --git a/queue-5.6/staging-mt7621-pci-properly-power-off-dual-ported-pc.patch b/queue-5.6/staging-mt7621-pci-properly-power-off-dual-ported-pc.patch new file mode 100644 index 00000000000..4c6ab5da57e --- /dev/null +++ b/queue-5.6/staging-mt7621-pci-properly-power-off-dual-ported-pc.patch @@ -0,0 +1,75 @@ +From c12ccd6aa51c9165d208f281240c03b366a60322 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Apr 2020 13:16:52 +0200 +Subject: staging: mt7621-pci: properly power off dual-ported pcie phy + +From: Sergio Paracuellos + +[ Upstream commit 5fcded5e857cf66c9592e4be28c4dab4520c9177 ] + +Pcie phy for pcie0 and pcie1 is shared using a dual ported +one. Current code was assuming that if nothing is connected +in pcie0 it won't be also nothing connected in pcie1. This +assumtion is wrong for some devices such us 'Mikrotik rbm33g' +and 'ZyXEL LTE3301-PLUS' where only connecting a card to the +second bus on the phy is possible. For such devices kernel +hangs in the same point because of the wrong poweroff of the +phy getting the following trace: + +mt7621-pci-phy 1e149000.pcie-phy: PHY for 0xbe149000 (dual port = 1) +mt7621-pci-phy 1e14a000.pcie-phy: PHY for 0xbe14a000 (dual port = 0) +mt7621-pci-phy 1e149000.pcie-phy: Xtal is 40MHz +mt7621-pci-phy 1e14a000.pcie-phy: Xtal is 40MHz +mt7621-pci 1e140000.pcie: pcie0 no card, disable it (RST & CLK) +[hangs] + +The wrong assumption is located in the 'mt7621_pcie_init_ports' +function where we are just making a power off of the phy for +slots 0 and 2 if nothing is connected in them. Hence, only +poweroff the phy if nothing is connected in both slot 0 and +slot 1 avoiding the kernel to hang. + +Fixes: 5737cfe87a9c ("staging: mt7621-pci: avoid to poweroff the phy for slot one") +Signed-off-by: Sergio Paracuellos +Link: https://lore.kernel.org/r/20200409111652.30964-1-sergio.paracuellos@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/mt7621-pci/pci-mt7621.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/drivers/staging/mt7621-pci/pci-mt7621.c b/drivers/staging/mt7621-pci/pci-mt7621.c +index a1dafec0890a..6eb7436af462 100644 +--- a/drivers/staging/mt7621-pci/pci-mt7621.c ++++ b/drivers/staging/mt7621-pci/pci-mt7621.c +@@ -479,17 +479,25 @@ static void mt7621_pcie_init_ports(struct mt7621_pcie *pcie) + + mt7621_perst_gpio_pcie_deassert(pcie); + ++ tmp = NULL; + list_for_each_entry(port, &pcie->ports, list) { + u32 slot = port->slot; + + if (!mt7621_pcie_port_is_linkup(port)) { + dev_err(dev, "pcie%d no card, disable it (RST & CLK)\n", + slot); +- if (slot != 1) +- phy_power_off(port->phy); + mt7621_control_assert(port); + mt7621_pcie_port_clk_disable(port); + port->enabled = false; ++ ++ if (slot == 0) { ++ tmp = port; ++ continue; ++ } ++ ++ if (slot == 1 && tmp && !tmp->enabled) ++ phy_power_off(tmp->phy); ++ + } + } + +-- +2.25.1 + diff --git a/queue-5.6/staging-wfx-fix-double-free.patch b/queue-5.6/staging-wfx-fix-double-free.patch new file mode 100644 index 00000000000..b79a89769d8 --- /dev/null +++ b/queue-5.6/staging-wfx-fix-double-free.patch @@ -0,0 +1,40 @@ +From f8f4b9319671f1f1e547f230630b06f87bb20e9a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 May 2020 14:37:45 +0200 +Subject: staging: wfx: fix double free +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jérôme Pouiller + +[ Upstream commit 832cc98141b4b93acbb9231ca9e36f7fbe347f47 ] + +In case of error in wfx_probe(), wdev->hw is freed. Since an error +occurred, wfx_free_common() is called, then wdev->hw is freed again. + +Signed-off-by: Jérôme Pouiller +Reviewed-by: Michał Mirosław +Fixes: 4033714d6cbe ("staging: wfx: fix init/remove vs IRQ race") +Link: https://lore.kernel.org/r/20200505123757.39506-4-Jerome.Pouiller@silabs.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/wfx/main.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/staging/wfx/main.c b/drivers/staging/wfx/main.c +index 76b2ff7fc7fe..2c757b81efa9 100644 +--- a/drivers/staging/wfx/main.c ++++ b/drivers/staging/wfx/main.c +@@ -466,7 +466,6 @@ int wfx_probe(struct wfx_dev *wdev) + + err2: + ieee80211_unregister_hw(wdev->hw); +- ieee80211_free_hw(wdev->hw); + err1: + wfx_bh_unregister(wdev); + return err; +-- +2.25.1 + diff --git a/queue-5.6/x86-cpu-amd-make-erratum-1054-a-legacy-erratum.patch b/queue-5.6/x86-cpu-amd-make-erratum-1054-a-legacy-erratum.patch new file mode 100644 index 00000000000..e17928bb994 --- /dev/null +++ b/queue-5.6/x86-cpu-amd-make-erratum-1054-a-legacy-erratum.patch @@ -0,0 +1,55 @@ +From 1f8634ef8b4139e7305d02e37366de489a4d3f3e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Apr 2020 09:33:56 -0500 +Subject: x86/cpu/amd: Make erratum #1054 a legacy erratum + +From: Kim Phillips + +[ Upstream commit e2abfc0448a46d8a137505aa180caf14070ec535 ] + +Commit + + 21b5ee59ef18 ("x86/cpu/amd: Enable the fixed Instructions Retired + counter IRPERF") + +mistakenly added erratum #1054 as an OS Visible Workaround (OSVW) ID 0. +Erratum #1054 is not OSVW ID 0 [1], so make it a legacy erratum. + +There would never have been a false positive on older hardware that +has OSVW bit 0 set, since the IRPERF feature was not available. + +However, save a couple of RDMSR executions per thread, on modern +system configurations that correctly set non-zero values in their +OSVW_ID_Length MSRs. + +[1] Revision Guide for AMD Family 17h Models 00h-0Fh Processors. The +revision guide is available from the bugzilla link below. + +Fixes: 21b5ee59ef18 ("x86/cpu/amd: Enable the fixed Instructions Retired counter IRPERF") +Reported-by: Andrew Cooper +Signed-off-by: Kim Phillips +Signed-off-by: Borislav Petkov +Link: https://lkml.kernel.org/r/20200417143356.26054-1-kim.phillips@amd.com +Link: https://bugzilla.kernel.org/show_bug.cgi?id=206537 +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/amd.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c +index 1f875fbe1384..f04cc01e629e 100644 +--- a/arch/x86/kernel/cpu/amd.c ++++ b/arch/x86/kernel/cpu/amd.c +@@ -1111,8 +1111,7 @@ static const int amd_erratum_383[] = + + /* #1054: Instructions Retired Performance Counter May Be Inaccurate */ + static const int amd_erratum_1054[] = +- AMD_OSVW_ERRATUM(0, AMD_MODEL_RANGE(0x17, 0, 0, 0x2f, 0xf)); +- ++ AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x17, 0, 0, 0x2f, 0xf)); + + static bool cpu_has_amd_erratum(struct cpuinfo_x86 *cpu, const int *erratum) + { +-- +2.25.1 +