From: Sasha Levin Date: Sat, 12 Mar 2022 08:51:01 +0000 (-0500) Subject: Fixes for 5.4 X-Git-Tag: v4.9.307~46 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=06da40728f00b8c7ff89107b455433988aff0b31;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/arm-dts-aspeed-fix-ast2600-quad-spi-group.patch b/queue-5.4/arm-dts-aspeed-fix-ast2600-quad-spi-group.patch new file mode 100644 index 00000000000..8aeb2456b6b --- /dev/null +++ b/queue-5.4/arm-dts-aspeed-fix-ast2600-quad-spi-group.patch @@ -0,0 +1,62 @@ +From 56df6cae318f1df41f3841e5d8d6fcc2ed2fd645 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Mar 2022 10:36:31 +1030 +Subject: ARM: dts: aspeed: Fix AST2600 quad spi group +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Joel Stanley + +[ Upstream commit 2f6edb6bcb2f3f41d876e0eba2ba97f87a0296ea ] + +Requesting quad mode for the FMC resulted in an error: + + &fmc { + status = "okay"; + + pinctrl-names = "default"; + + pinctrl-0 = <&pinctrl_fwqspi_default>' + +[ 0.742963] aspeed-g6-pinctrl 1e6e2000.syscon:pinctrl: invalid function FWQSPID in map table + + +This is because the quad mode pins are a group of pins, not a function. + +After applying this patch we can request the pins and the QSPI data +lines are muxed: + + # cat /sys/kernel/debug/pinctrl/1e6e2000.syscon\:pinctrl-aspeed-g6-pinctrl/pinmux-pins |grep 1e620000.spi + pin 196 (AE12): device 1e620000.spi function FWSPID group FWQSPID + pin 197 (AF12): device 1e620000.spi function FWSPID group FWQSPID + pin 240 (Y1): device 1e620000.spi function FWSPID group FWQSPID + pin 241 (Y2): device 1e620000.spi function FWSPID group FWQSPID + pin 242 (Y3): device 1e620000.spi function FWSPID group FWQSPID + pin 243 (Y4): device 1e620000.spi function FWSPID group FWQSPID + +Fixes: f510f04c8c83 ("ARM: dts: aspeed: Add AST2600 pinmux nodes") +Signed-off-by: Joel Stanley +Reviewed-by: Andrew Jeffery +Link: https://lore.kernel.org/r/20220304011010.974863-1-joel@jms.id.au +Link: https://lore.kernel.org/r/20220304011010.974863-1-joel@jms.id.au' +Signed-off-by: Arnd Bergmann +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/aspeed-g6-pinctrl.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/aspeed-g6-pinctrl.dtsi b/arch/arm/boot/dts/aspeed-g6-pinctrl.dtsi +index 996e006e06c2..f310f4d3bcc7 100644 +--- a/arch/arm/boot/dts/aspeed-g6-pinctrl.dtsi ++++ b/arch/arm/boot/dts/aspeed-g6-pinctrl.dtsi +@@ -118,7 +118,7 @@ pinctrl_fwspid_default: fwspid_default { + }; + + pinctrl_fwqspid_default: fwqspid_default { +- function = "FWQSPID"; ++ function = "FWSPID"; + groups = "FWQSPID"; + }; + +-- +2.34.1 + diff --git a/queue-5.4/arm64-dts-armada-3720-turris-mox-add-missing-etherne.patch b/queue-5.4/arm64-dts-armada-3720-turris-mox-add-missing-etherne.patch new file mode 100644 index 00000000000..318da843e60 --- /dev/null +++ b/queue-5.4/arm64-dts-armada-3720-turris-mox-add-missing-etherne.patch @@ -0,0 +1,39 @@ +From 68875e239b92515e14d147b50292fb1d1572c86d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jan 2022 19:20:06 +0100 +Subject: arm64: dts: armada-3720-turris-mox: Add missing ethernet0 alias +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +[ Upstream commit a0e897d1b36793fe0ab899f2fe93dff25c82f418 ] + +U-Boot uses ethernet* aliases for setting MAC addresses. Therefore define +also alias for ethernet0. + +Fixes: 7109d817db2e ("arm64: dts: marvell: add DTS for Turris Mox") +Signed-off-by: Pali Rohár +Signed-off-by: Gregory CLEMENT +Signed-off-by: Arnd Bergmann +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/marvell/armada-3720-turris-mox.dts | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm64/boot/dts/marvell/armada-3720-turris-mox.dts b/arch/arm64/boot/dts/marvell/armada-3720-turris-mox.dts +index 16e73597bb78..cf139c399d03 100644 +--- a/arch/arm64/boot/dts/marvell/armada-3720-turris-mox.dts ++++ b/arch/arm64/boot/dts/marvell/armada-3720-turris-mox.dts +@@ -18,6 +18,7 @@ / { + + aliases { + spi0 = &spi0; ++ ethernet0 = ð0; + ethernet1 = ð1; + }; + +-- +2.34.1 + diff --git a/queue-5.4/ax25-fix-null-pointer-dereference-in-ax25_kill_by_de.patch b/queue-5.4/ax25-fix-null-pointer-dereference-in-ax25_kill_by_de.patch new file mode 100644 index 00000000000..1ca8042112d --- /dev/null +++ b/queue-5.4/ax25-fix-null-pointer-dereference-in-ax25_kill_by_de.patch @@ -0,0 +1,65 @@ +From ece5f10a1e87b589558267bb13ad8011c6a073c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Mar 2022 16:12:23 +0800 +Subject: ax25: Fix NULL pointer dereference in ax25_kill_by_device + +From: Duoming Zhou + +[ Upstream commit 71171ac8eb34ce7fe6b3267dce27c313ab3cb3ac ] + +When two ax25 devices attempted to establish connection, the requester use ax25_create(), +ax25_bind() and ax25_connect() to initiate connection. The receiver use ax25_rcv() to +accept connection and use ax25_create_cb() in ax25_rcv() to create ax25_cb, but the +ax25_cb->sk is NULL. When the receiver is detaching, a NULL pointer dereference bug +caused by sock_hold(sk) in ax25_kill_by_device() will happen. The corresponding +fail log is shown below: + +=============================================================== +BUG: KASAN: null-ptr-deref in ax25_device_event+0xfd/0x290 +Call Trace: +... +ax25_device_event+0xfd/0x290 +raw_notifier_call_chain+0x5e/0x70 +dev_close_many+0x174/0x220 +unregister_netdevice_many+0x1f7/0xa60 +unregister_netdevice_queue+0x12f/0x170 +unregister_netdev+0x13/0x20 +mkiss_close+0xcd/0x140 +tty_ldisc_release+0xc0/0x220 +tty_release_struct+0x17/0xa0 +tty_release+0x62d/0x670 +... + +This patch add condition check in ax25_kill_by_device(). If s->sk is +NULL, it will goto if branch to kill device. + +Fixes: 4e0f718daf97 ("ax25: improve the incomplete fix to avoid UAF and NPD bugs") +Reported-by: Thomas Osterried +Signed-off-by: Duoming Zhou +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ax25/af_ax25.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c +index 184af6da0def..093b73c454d2 100644 +--- a/net/ax25/af_ax25.c ++++ b/net/ax25/af_ax25.c +@@ -87,6 +87,13 @@ static void ax25_kill_by_device(struct net_device *dev) + ax25_for_each(s, &ax25_list) { + if (s->ax25_dev == ax25_dev) { + sk = s->sk; ++ if (!sk) { ++ spin_unlock_bh(&ax25_list_lock); ++ s->ax25_dev = NULL; ++ ax25_disconnect(s, ENETUNREACH); ++ spin_lock_bh(&ax25_list_lock); ++ goto again; ++ } + sock_hold(sk); + spin_unlock_bh(&ax25_list_lock); + lock_sock(sk); +-- +2.34.1 + diff --git a/queue-5.4/clk-qcom-gdsc-add-support-to-update-gdsc-transition-.patch b/queue-5.4/clk-qcom-gdsc-add-support-to-update-gdsc-transition-.patch new file mode 100644 index 00000000000..54ce34e7db9 --- /dev/null +++ b/queue-5.4/clk-qcom-gdsc-add-support-to-update-gdsc-transition-.patch @@ -0,0 +1,119 @@ +From c474e6a72a80ee7d3fd2be6015902ed780c60180 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Feb 2022 00:26:05 +0530 +Subject: clk: qcom: gdsc: Add support to update GDSC transition delay + +From: Taniya Das + +[ Upstream commit 4e7c4d3652f96f41179aab3ff53025c7a550d689 ] + +GDSCs have multiple transition delays which are used for the GDSC FSM +states. Older targets/designs required these values to be updated from +gdsc code to certain default values for the FSM state to work as +expected. But on the newer targets/designs the values updated from the +GDSC driver can hamper the FSM state to not work as expected. + +On SC7180 we observe black screens because the gdsc is being +enabled/disabled very rapidly and the GDSC FSM state does not work as +expected. This is due to the fact that the GDSC reset value is being +updated from SW. + +Thus add support to update the transition delay from the clock +controller gdscs as required. + +Fixes: 45dd0e55317cc ("clk: qcom: Add support for GDSCs) +Signed-off-by: Taniya Das +Link: https://lore.kernel.org/r/20220223185606.3941-1-tdas@codeaurora.org +Reviewed-by: Bjorn Andersson +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/gdsc.c | 26 +++++++++++++++++++++----- + drivers/clk/qcom/gdsc.h | 8 +++++++- + 2 files changed, 28 insertions(+), 6 deletions(-) + +diff --git a/drivers/clk/qcom/gdsc.c b/drivers/clk/qcom/gdsc.c +index a250f59708d8..888965bb93ed 100644 +--- a/drivers/clk/qcom/gdsc.c ++++ b/drivers/clk/qcom/gdsc.c +@@ -1,6 +1,6 @@ + // SPDX-License-Identifier: GPL-2.0-only + /* +- * Copyright (c) 2015, 2017-2018, The Linux Foundation. All rights reserved. ++ * Copyright (c) 2015, 2017-2018, 2022, The Linux Foundation. All rights reserved. + */ + + #include +@@ -31,9 +31,14 @@ + #define CFG_GDSCR_OFFSET 0x4 + + /* Wait 2^n CXO cycles between all states. Here, n=2 (4 cycles). */ +-#define EN_REST_WAIT_VAL (0x2 << 20) +-#define EN_FEW_WAIT_VAL (0x8 << 16) +-#define CLK_DIS_WAIT_VAL (0x2 << 12) ++#define EN_REST_WAIT_VAL 0x2 ++#define EN_FEW_WAIT_VAL 0x8 ++#define CLK_DIS_WAIT_VAL 0x2 ++ ++/* Transition delay shifts */ ++#define EN_REST_WAIT_SHIFT 20 ++#define EN_FEW_WAIT_SHIFT 16 ++#define CLK_DIS_WAIT_SHIFT 12 + + #define RETAIN_MEM BIT(14) + #define RETAIN_PERIPH BIT(13) +@@ -308,7 +313,18 @@ static int gdsc_init(struct gdsc *sc) + */ + mask = HW_CONTROL_MASK | SW_OVERRIDE_MASK | + EN_REST_WAIT_MASK | EN_FEW_WAIT_MASK | CLK_DIS_WAIT_MASK; +- val = EN_REST_WAIT_VAL | EN_FEW_WAIT_VAL | CLK_DIS_WAIT_VAL; ++ ++ if (!sc->en_rest_wait_val) ++ sc->en_rest_wait_val = EN_REST_WAIT_VAL; ++ if (!sc->en_few_wait_val) ++ sc->en_few_wait_val = EN_FEW_WAIT_VAL; ++ if (!sc->clk_dis_wait_val) ++ sc->clk_dis_wait_val = CLK_DIS_WAIT_VAL; ++ ++ val = sc->en_rest_wait_val << EN_REST_WAIT_SHIFT | ++ sc->en_few_wait_val << EN_FEW_WAIT_SHIFT | ++ sc->clk_dis_wait_val << CLK_DIS_WAIT_SHIFT; ++ + ret = regmap_update_bits(sc->regmap, sc->gdscr, mask, val); + if (ret) + return ret; +diff --git a/drivers/clk/qcom/gdsc.h b/drivers/clk/qcom/gdsc.h +index 64cdc8cf0d4d..907396ccb83f 100644 +--- a/drivers/clk/qcom/gdsc.h ++++ b/drivers/clk/qcom/gdsc.h +@@ -1,6 +1,6 @@ + /* SPDX-License-Identifier: GPL-2.0-only */ + /* +- * Copyright (c) 2015, 2017-2018, The Linux Foundation. All rights reserved. ++ * Copyright (c) 2015, 2017-2018, 2022, The Linux Foundation. All rights reserved. + */ + + #ifndef __QCOM_GDSC_H__ +@@ -21,6 +21,9 @@ struct reset_controller_dev; + * @cxcs: offsets of branch registers to toggle mem/periph bits in + * @cxc_count: number of @cxcs + * @pwrsts: Possible powerdomain power states ++ * @en_rest_wait_val: transition delay value for receiving enr ack signal ++ * @en_few_wait_val: transition delay value for receiving enf ack signal ++ * @clk_dis_wait_val: transition delay value for halting clock + * @resets: ids of resets associated with this gdsc + * @reset_count: number of @resets + * @rcdev: reset controller +@@ -34,6 +37,9 @@ struct gdsc { + unsigned int clamp_io_ctrl; + unsigned int *cxcs; + unsigned int cxc_count; ++ unsigned int en_rest_wait_val; ++ unsigned int en_few_wait_val; ++ unsigned int clk_dis_wait_val; + const u8 pwrsts; + /* Powerdomain allowable state bitfields */ + #define PWRSTS_OFF BIT(0) +-- +2.34.1 + diff --git a/queue-5.4/drm-sun4i-mixer-fix-p010-and-p210-format-numbers.patch b/queue-5.4/drm-sun4i-mixer-fix-p010-and-p210-format-numbers.patch new file mode 100644 index 00000000000..b36cefdb5ff --- /dev/null +++ b/queue-5.4/drm-sun4i-mixer-fix-p010-and-p210-format-numbers.patch @@ -0,0 +1,46 @@ +From 6e676c58a5482998c92f5e1176741d42f5955cda Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Feb 2022 19:14:36 +0100 +Subject: drm/sun4i: mixer: Fix P010 and P210 format numbers + +From: Jernej Skrabec + +[ Upstream commit 9470c29faa91c804aa04de4c10634bf02462bfa5 ] + +It turns out that DE3 manual has inverted YUV and YVU format numbers for +P010 and P210. Invert them. + +This was tested by playing video decoded to P010 and additionally +confirmed by looking at BSP driver source. + +Fixes: 169ca4b38932 ("drm/sun4i: Add separate DE3 VI layer formats") +Signed-off-by: Jernej Skrabec +Signed-off-by: Maxime Ripard +Link: https://patchwork.freedesktop.org/patch/msgid/20220228181436.1424550-1-jernej.skrabec@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/sun4i/sun8i_mixer.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/sun4i/sun8i_mixer.h b/drivers/gpu/drm/sun4i/sun8i_mixer.h +index 345b28b0a80a..dc4300a7b019 100644 +--- a/drivers/gpu/drm/sun4i/sun8i_mixer.h ++++ b/drivers/gpu/drm/sun4i/sun8i_mixer.h +@@ -114,10 +114,10 @@ + /* format 13 is semi-planar YUV411 VUVU */ + #define SUN8I_MIXER_FBFMT_YUV411 14 + /* format 15 doesn't exist */ +-/* format 16 is P010 YVU */ +-#define SUN8I_MIXER_FBFMT_P010_YUV 17 +-/* format 18 is P210 YVU */ +-#define SUN8I_MIXER_FBFMT_P210_YUV 19 ++#define SUN8I_MIXER_FBFMT_P010_YUV 16 ++/* format 17 is P010 YVU */ ++#define SUN8I_MIXER_FBFMT_P210_YUV 18 ++/* format 19 is P210 YVU */ + /* format 20 is packed YVU444 10-bit */ + /* format 21 is packed YUV444 10-bit */ + +-- +2.34.1 + diff --git a/queue-5.4/ethernet-fix-error-handling-in-xemaclite_of_probe.patch b/queue-5.4/ethernet-fix-error-handling-in-xemaclite_of_probe.patch new file mode 100644 index 00000000000..a1d69eec3f0 --- /dev/null +++ b/queue-5.4/ethernet-fix-error-handling-in-xemaclite_of_probe.patch @@ -0,0 +1,48 @@ +From 18d25d0b5ffe0f71bcfdd842a14ec692f4df2280 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Mar 2022 02:47:49 +0000 +Subject: ethernet: Fix error handling in xemaclite_of_probe + +From: Miaoqian Lin + +[ Upstream commit b19ab4b38b06aae12442b2de95ccf58b5dc53584 ] + +This node pointer is returned by of_parse_phandle() with refcount +incremented in this function. Calling of_node_put() to avoid the +refcount leak. As the remove function do. + +Fixes: 5cdaaa12866e ("net: emaclite: adding MDIO and phy lib support") +Signed-off-by: Miaoqian Lin +Reviewed-by: Andrew Lunn +Link: https://lore.kernel.org/r/20220308024751.2320-1-linmq006@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/xilinx/xilinx_emaclite.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/xilinx/xilinx_emaclite.c b/drivers/net/ethernet/xilinx/xilinx_emaclite.c +index 53dbf3e28f1e..63a2d1bcccfb 100644 +--- a/drivers/net/ethernet/xilinx/xilinx_emaclite.c ++++ b/drivers/net/ethernet/xilinx/xilinx_emaclite.c +@@ -1187,7 +1187,7 @@ static int xemaclite_of_probe(struct platform_device *ofdev) + if (rc) { + dev_err(dev, + "Cannot register network device, aborting\n"); +- goto error; ++ goto put_node; + } + + dev_info(dev, +@@ -1195,6 +1195,8 @@ static int xemaclite_of_probe(struct platform_device *ofdev) + (unsigned int __force)ndev->mem_start, lp->base_addr, ndev->irq); + return 0; + ++put_node: ++ of_node_put(lp->phy_node); + error: + free_netdev(ndev); + return rc; +-- +2.34.1 + diff --git a/queue-5.4/gianfar-ethtool-fix-refcount-leak-in-gfar_get_ts_inf.patch b/queue-5.4/gianfar-ethtool-fix-refcount-leak-in-gfar_get_ts_inf.patch new file mode 100644 index 00000000000..edff154027b --- /dev/null +++ b/queue-5.4/gianfar-ethtool-fix-refcount-leak-in-gfar_get_ts_inf.patch @@ -0,0 +1,39 @@ +From 010e8e21c28401aeaa4466526e7922e4089f2241 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Mar 2022 01:53:13 +0000 +Subject: gianfar: ethtool: Fix refcount leak in gfar_get_ts_info + +From: Miaoqian Lin + +[ Upstream commit 2ac5b58e645c66932438bb021cb5b52097ce70b0 ] + +The of_find_compatible_node() function returns a node pointer with +refcount incremented, We should use of_node_put() on it when done +Add the missing of_node_put() to release the refcount. + +Fixes: 7349a74ea75c ("net: ethernet: gianfar_ethtool: get phc index through drvdata") +Signed-off-by: Miaoqian Lin +Reviewed-by: Jesse Brandeburg +Reviewed-by: Claudiu Manoil +Link: https://lore.kernel.org/r/20220310015313.14938-1-linmq006@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/gianfar_ethtool.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/freescale/gianfar_ethtool.c b/drivers/net/ethernet/freescale/gianfar_ethtool.c +index 3c8e4e2efc07..01a7255e86c9 100644 +--- a/drivers/net/ethernet/freescale/gianfar_ethtool.c ++++ b/drivers/net/ethernet/freescale/gianfar_ethtool.c +@@ -1489,6 +1489,7 @@ static int gfar_get_ts_info(struct net_device *dev, + ptp_node = of_find_compatible_node(NULL, NULL, "fsl,etsec-ptp"); + if (ptp_node) { + ptp_dev = of_find_device_by_node(ptp_node); ++ of_node_put(ptp_node); + if (ptp_dev) + ptp = platform_get_drvdata(ptp_dev); + } +-- +2.34.1 + diff --git a/queue-5.4/gpio-ts4900-do-not-set-dat-and-oe-together.patch b/queue-5.4/gpio-ts4900-do-not-set-dat-and-oe-together.patch new file mode 100644 index 00000000000..fab33e2351f --- /dev/null +++ b/queue-5.4/gpio-ts4900-do-not-set-dat-and-oe-together.patch @@ -0,0 +1,82 @@ +From ecaf7e99909173d856c8840018f0b475f20e4989 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Mar 2022 17:16:16 -0800 +Subject: gpio: ts4900: Do not set DAT and OE together + +From: Mark Featherston + +[ Upstream commit 03fe003547975680fdb9ff5ab0e41cb68276c4f2 ] + +This works around an issue with the hardware where both OE and +DAT are exposed in the same register. If both are updated +simultaneously, the harware makes no guarantees that OE or DAT +will actually change in any given order and may result in a +glitch of a few ns on a GPIO pin when changing direction and value +in a single write. + +Setting direction to input now only affects OE bit. Setting +direction to output updates DAT first, then OE. + +Fixes: 9c6686322d74 ("gpio: add Technologic I2C-FPGA gpio support") +Signed-off-by: Mark Featherston +Signed-off-by: Kris Bahnsen +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-ts4900.c | 24 +++++++++++++++++++----- + 1 file changed, 19 insertions(+), 5 deletions(-) + +diff --git a/drivers/gpio/gpio-ts4900.c b/drivers/gpio/gpio-ts4900.c +index 1da8d0586329..410452306bf7 100644 +--- a/drivers/gpio/gpio-ts4900.c ++++ b/drivers/gpio/gpio-ts4900.c +@@ -1,7 +1,7 @@ + /* + * Digital I/O driver for Technologic Systems I2C FPGA Core + * +- * Copyright (C) 2015 Technologic Systems ++ * Copyright (C) 2015, 2018 Technologic Systems + * Copyright (C) 2016 Savoir-Faire Linux + * + * This program is free software; you can redistribute it and/or +@@ -52,19 +52,33 @@ static int ts4900_gpio_direction_input(struct gpio_chip *chip, + { + struct ts4900_gpio_priv *priv = gpiochip_get_data(chip); + +- /* +- * This will clear the output enable bit, the other bits are +- * dontcare when this is cleared ++ /* Only clear the OE bit here, requires a RMW. Prevents potential issue ++ * with OE and data getting to the physical pin at different times. + */ +- return regmap_write(priv->regmap, offset, 0); ++ return regmap_update_bits(priv->regmap, offset, TS4900_GPIO_OE, 0); + } + + static int ts4900_gpio_direction_output(struct gpio_chip *chip, + unsigned int offset, int value) + { + struct ts4900_gpio_priv *priv = gpiochip_get_data(chip); ++ unsigned int reg; + int ret; + ++ /* If changing from an input to an output, we need to first set the ++ * proper data bit to what is requested and then set OE bit. This ++ * prevents a glitch that can occur on the IO line ++ */ ++ regmap_read(priv->regmap, offset, ®); ++ if (!(reg & TS4900_GPIO_OE)) { ++ if (value) ++ reg = TS4900_GPIO_OUT; ++ else ++ reg &= ~TS4900_GPIO_OUT; ++ ++ regmap_write(priv->regmap, offset, reg); ++ } ++ + if (value) + ret = regmap_write(priv->regmap, offset, TS4900_GPIO_OE | + TS4900_GPIO_OUT); +-- +2.34.1 + diff --git a/queue-5.4/ipv6-prevent-a-possible-race-condition-with-lifetime.patch b/queue-5.4/ipv6-prevent-a-possible-race-condition-with-lifetime.patch new file mode 100644 index 00000000000..593edc970b2 --- /dev/null +++ b/queue-5.4/ipv6-prevent-a-possible-race-condition-with-lifetime.patch @@ -0,0 +1,47 @@ +From b4b9c1f7cddf9fa6f15ec7510fd2f373155c91c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Feb 2022 14:19:56 +0100 +Subject: ipv6: prevent a possible race condition with lifetimes + +From: Niels Dossche + +[ Upstream commit 6c0d8833a605e195ae219b5042577ce52bf71fff ] + +valid_lft, prefered_lft and tstamp are always accessed under the lock +"lock" in other places. Reading these without taking the lock may result +in inconsistencies regarding the calculation of the valid and preferred +variables since decisions are taken on these fields for those variables. + +Signed-off-by: Niels Dossche +Reviewed-by: David Ahern +Signed-off-by: Niels Dossche +Link: https://lore.kernel.org/r/20220223131954.6570-1-niels.dossche@ugent.be +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/addrconf.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c +index d1f29a3eb70b..60d070b25484 100644 +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -4924,6 +4924,7 @@ static int inet6_fill_ifaddr(struct sk_buff *skb, struct inet6_ifaddr *ifa, + nla_put_s32(skb, IFA_TARGET_NETNSID, args->netnsid)) + goto error; + ++ spin_lock_bh(&ifa->lock); + if (!((ifa->flags&IFA_F_PERMANENT) && + (ifa->prefered_lft == INFINITY_LIFE_TIME))) { + preferred = ifa->prefered_lft; +@@ -4945,6 +4946,7 @@ static int inet6_fill_ifaddr(struct sk_buff *skb, struct inet6_ifaddr *ifa, + preferred = INFINITY_LIFE_TIME; + valid = INFINITY_LIFE_TIME; + } ++ spin_unlock_bh(&ifa->lock); + + if (!ipv6_addr_any(&ifa->peer_addr)) { + if (nla_put_in6_addr(skb, IFA_LOCAL, &ifa->addr) < 0 || +-- +2.34.1 + diff --git a/queue-5.4/net-bcmgenet-don-t-claim-wol-when-its-not-available.patch b/queue-5.4/net-bcmgenet-don-t-claim-wol-when-its-not-available.patch new file mode 100644 index 00000000000..cd07b483351 --- /dev/null +++ b/queue-5.4/net-bcmgenet-don-t-claim-wol-when-its-not-available.patch @@ -0,0 +1,58 @@ +From 6690694d24b8c8b437bc139d1f92cb39ca58f2eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Mar 2022 22:55:35 -0600 +Subject: net: bcmgenet: Don't claim WOL when its not available + +From: Jeremy Linton + +[ Upstream commit 00b022f8f876a3a036b0df7f971001bef6398605 ] + +Some of the bcmgenet platforms don't correctly support WOL, yet +ethtool returns: + +"Supports Wake-on: gsf" + +which is false. + +Ideally if there isn't a wol_irq, or there is something else that +keeps the device from being able to wakeup it should display: + +"Supports Wake-on: d" + +This patch checks whether the device can wakup, before using the +hard-coded supported flags. This corrects the ethtool reporting, as +well as the WOL configuration because ethtool verifies that the mode +is supported before attempting it. + +Fixes: c51de7f3976b ("net: bcmgenet: add Wake-on-LAN support code") +Signed-off-by: Jeremy Linton +Tested-by: Peter Robinson +Acked-by: Florian Fainelli +Link: https://lore.kernel.org/r/20220310045535.224450-1-jeremy.linton@arm.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c b/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c +index 164988f3b4fa..a2da09da4907 100644 +--- a/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c ++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c +@@ -41,6 +41,13 @@ + void bcmgenet_get_wol(struct net_device *dev, struct ethtool_wolinfo *wol) + { + struct bcmgenet_priv *priv = netdev_priv(dev); ++ struct device *kdev = &priv->pdev->dev; ++ ++ if (!device_can_wakeup(kdev)) { ++ wol->supported = 0; ++ wol->wolopts = 0; ++ return; ++ } + + wol->supported = WAKE_MAGIC | WAKE_MAGICSECURE; + wol->wolopts = priv->wolopts; +-- +2.34.1 + diff --git a/queue-5.4/net-ethernet-lpc_eth-handle-error-for-clk_enable.patch b/queue-5.4/net-ethernet-lpc_eth-handle-error-for-clk_enable.patch new file mode 100644 index 00000000000..2518851857f --- /dev/null +++ b/queue-5.4/net-ethernet-lpc_eth-handle-error-for-clk_enable.patch @@ -0,0 +1,47 @@ +From 0dbe66c9a2e39663e1310986315ced1d19291871 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Mar 2022 14:57:39 +0800 +Subject: net: ethernet: lpc_eth: Handle error for clk_enable + +From: Jiasheng Jiang + +[ Upstream commit 2169b79258c8be803d2595d6456b1e77129fe154 ] + +As the potential failure of the clk_enable(), +it should be better to check it and return error +if fails. + +Fixes: b7370112f519 ("lpc32xx: Added ethernet driver") +Signed-off-by: Jiasheng Jiang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/nxp/lpc_eth.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/nxp/lpc_eth.c b/drivers/net/ethernet/nxp/lpc_eth.c +index 3b177421651f..d2e220a94a57 100644 +--- a/drivers/net/ethernet/nxp/lpc_eth.c ++++ b/drivers/net/ethernet/nxp/lpc_eth.c +@@ -1470,6 +1470,7 @@ static int lpc_eth_drv_resume(struct platform_device *pdev) + { + struct net_device *ndev = platform_get_drvdata(pdev); + struct netdata_local *pldat; ++ int ret; + + if (device_may_wakeup(&pdev->dev)) + disable_irq_wake(ndev->irq); +@@ -1479,7 +1480,9 @@ static int lpc_eth_drv_resume(struct platform_device *pdev) + pldat = netdev_priv(ndev); + + /* Enable interface clock */ +- clk_enable(pldat->clk); ++ ret = clk_enable(pldat->clk); ++ if (ret) ++ return ret; + + /* Reset and initialize */ + __lpc_eth_reset(pldat); +-- +2.34.1 + diff --git a/queue-5.4/net-ethernet-ti-cpts-handle-error-for-clk_enable.patch b/queue-5.4/net-ethernet-ti-cpts-handle-error-for-clk_enable.patch new file mode 100644 index 00000000000..5914a1b17bc --- /dev/null +++ b/queue-5.4/net-ethernet-ti-cpts-handle-error-for-clk_enable.patch @@ -0,0 +1,39 @@ +From 48d64794392b04d4e1b6033499c45beebc260df5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Mar 2022 14:40:07 +0800 +Subject: net: ethernet: ti: cpts: Handle error for clk_enable + +From: Jiasheng Jiang + +[ Upstream commit 6babfc6e6fab068018c36e8f6605184b8c0b349d ] + +As the potential failure of the clk_enable(), +it should be better to check it and return error +if fails. + +Fixes: 8a2c9a5ab4b9 ("net: ethernet: ti: cpts: rework initialization/deinitialization") +Signed-off-by: Jiasheng Jiang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ti/cpts.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/ti/cpts.c b/drivers/net/ethernet/ti/cpts.c +index 26cfe3f7ed8d..453ad1247288 100644 +--- a/drivers/net/ethernet/ti/cpts.c ++++ b/drivers/net/ethernet/ti/cpts.c +@@ -454,7 +454,9 @@ int cpts_register(struct cpts *cpts) + for (i = 0; i < CPTS_MAX_EVENTS; i++) + list_add(&cpts->pool_data[i].list, &cpts->pool); + +- clk_enable(cpts->refclk); ++ err = clk_enable(cpts->refclk); ++ if (err) ++ return err; + + cpts_write32(cpts, CPTS_EN, control); + cpts_write32(cpts, TS_PEND_EN, int_enable); +-- +2.34.1 + diff --git a/queue-5.4/net-mlx5-fix-a-race-on-command-flush-flow.patch b/queue-5.4/net-mlx5-fix-a-race-on-command-flush-flow.patch new file mode 100644 index 00000000000..ccdc529a9f6 --- /dev/null +++ b/queue-5.4/net-mlx5-fix-a-race-on-command-flush-flow.patch @@ -0,0 +1,92 @@ +From 246f4730561c09327854ed1f4a3c20125d1f1a20 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Feb 2022 11:47:44 +0200 +Subject: net/mlx5: Fix a race on command flush flow + +From: Moshe Shemesh + +[ Upstream commit 063bd355595428750803d8736a9bb7c8db67d42d ] + +Fix a refcount use after free warning due to a race on command entry. +Such race occurs when one of the commands releases its last refcount and +frees its index and entry while another process running command flush +flow takes refcount to this command entry. The process which handles +commands flush may see this command as needed to be flushed if the other +process released its refcount but didn't release the index yet. Fix it +by adding the needed spin lock. + +It fixes the following warning trace: + +refcount_t: addition on 0; use-after-free. +WARNING: CPU: 11 PID: 540311 at lib/refcount.c:25 refcount_warn_saturate+0x80/0xe0 +... +RIP: 0010:refcount_warn_saturate+0x80/0xe0 +... +Call Trace: + + mlx5_cmd_trigger_completions+0x293/0x340 [mlx5_core] + mlx5_cmd_flush+0x3a/0xf0 [mlx5_core] + enter_error_state+0x44/0x80 [mlx5_core] + mlx5_fw_fatal_reporter_err_work+0x37/0xe0 [mlx5_core] + process_one_work+0x1be/0x390 + worker_thread+0x4d/0x3d0 + ? rescuer_thread+0x350/0x350 + kthread+0x141/0x160 + ? set_kthread_struct+0x40/0x40 + ret_from_fork+0x1f/0x30 + + +Fixes: 50b2412b7e78 ("net/mlx5: Avoid possible free of command entry while timeout comp handler") +Signed-off-by: Moshe Shemesh +Reviewed-by: Eran Ben Elisha +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +index 1a7aa078f351..6c7b364d0bf0 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +@@ -130,11 +130,8 @@ static int cmd_alloc_index(struct mlx5_cmd *cmd) + + static void cmd_free_index(struct mlx5_cmd *cmd, int idx) + { +- unsigned long flags; +- +- spin_lock_irqsave(&cmd->alloc_lock, flags); ++ lockdep_assert_held(&cmd->alloc_lock); + set_bit(idx, &cmd->bitmask); +- spin_unlock_irqrestore(&cmd->alloc_lock, flags); + } + + static void cmd_ent_get(struct mlx5_cmd_work_ent *ent) +@@ -144,17 +141,21 @@ static void cmd_ent_get(struct mlx5_cmd_work_ent *ent) + + static void cmd_ent_put(struct mlx5_cmd_work_ent *ent) + { ++ struct mlx5_cmd *cmd = ent->cmd; ++ unsigned long flags; ++ ++ spin_lock_irqsave(&cmd->alloc_lock, flags); + if (!refcount_dec_and_test(&ent->refcnt)) +- return; ++ goto out; + + if (ent->idx >= 0) { +- struct mlx5_cmd *cmd = ent->cmd; +- + cmd_free_index(cmd, ent->idx); + up(ent->page_queue ? &cmd->pages_sem : &cmd->sem); + } + + cmd_free_ent(ent); ++out: ++ spin_unlock_irqrestore(&cmd->alloc_lock, flags); + } + + static struct mlx5_cmd_layout *get_inst(struct mlx5_cmd *cmd, int idx) +-- +2.34.1 + diff --git a/queue-5.4/net-mlx5-fix-size-field-in-bufferx_reg-struct.patch b/queue-5.4/net-mlx5-fix-size-field-in-bufferx_reg-struct.patch new file mode 100644 index 00000000000..eacb21b944a --- /dev/null +++ b/queue-5.4/net-mlx5-fix-size-field-in-bufferx_reg-struct.patch @@ -0,0 +1,39 @@ +From 645f2eb280d721de6205c78eea0abdb503eebb83 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Mar 2021 14:38:55 +0200 +Subject: net/mlx5: Fix size field in bufferx_reg struct + +From: Mohammad Kabat + +[ Upstream commit ac77998b7ac3044f0509b097da9637184598980d ] + +According to HW spec the field "size" should be 16 bits +in bufferx register. + +Fixes: e281682bf294 ("net/mlx5_core: HW data structs/types definitions cleanup") +Signed-off-by: Mohammad Kabat +Reviewed-by: Moshe Shemesh +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + include/linux/mlx5/mlx5_ifc.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/include/linux/mlx5/mlx5_ifc.h b/include/linux/mlx5/mlx5_ifc.h +index 641a01bc5f6f..031022e32635 100644 +--- a/include/linux/mlx5/mlx5_ifc.h ++++ b/include/linux/mlx5/mlx5_ifc.h +@@ -8975,8 +8975,8 @@ struct mlx5_ifc_bufferx_reg_bits { + u8 reserved_at_0[0x6]; + u8 lossy[0x1]; + u8 epsb[0x1]; +- u8 reserved_at_8[0xc]; +- u8 size[0xc]; ++ u8 reserved_at_8[0x8]; ++ u8 size[0x10]; + + u8 xoff_threshold[0x10]; + u8 xon_threshold[0x10]; +-- +2.34.1 + diff --git a/queue-5.4/net-phy-dp83822-clear-misr2-register-to-disable-inte.patch b/queue-5.4/net-phy-dp83822-clear-misr2-register-to-disable-inte.patch new file mode 100644 index 00000000000..b9c7f24a396 --- /dev/null +++ b/queue-5.4/net-phy-dp83822-clear-misr2-register-to-disable-inte.patch @@ -0,0 +1,43 @@ +From 8238d0de4b89965c6e1f14e3022efb675546040e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Mar 2022 15:22:28 +0100 +Subject: net: phy: DP83822: clear MISR2 register to disable interrupts +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Clément Léger + +[ Upstream commit 37c9d66c95564c85a001d8a035354f0220a1e1c3 ] + +MISR1 was cleared twice but the original author intention was probably +to clear MISR1 & MISR2 to completely disable interrupts. Fix it to +clear MISR2. + +Fixes: 87461f7a58ab ("net: phy: DP83822 initial driver submission") +Signed-off-by: Clément Léger +Reviewed-by: Andrew Lunn +Reviewed-by: Florian Fainelli +Link: https://lore.kernel.org/r/20220309142228.761153-1-clement.leger@bootlin.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/dp83822.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/phy/dp83822.c b/drivers/net/phy/dp83822.c +index 8a4b1d167ce2..ae17d2f9d534 100644 +--- a/drivers/net/phy/dp83822.c ++++ b/drivers/net/phy/dp83822.c +@@ -238,7 +238,7 @@ static int dp83822_config_intr(struct phy_device *phydev) + if (err < 0) + return err; + +- err = phy_write(phydev, MII_DP83822_MISR1, 0); ++ err = phy_write(phydev, MII_DP83822_MISR2, 0); + if (err < 0) + return err; + +-- +2.34.1 + diff --git a/queue-5.4/net-qlogic-check-the-return-value-of-dma_alloc_coher.patch b/queue-5.4/net-qlogic-check-the-return-value-of-dma_alloc_coher.patch new file mode 100644 index 00000000000..605dee51864 --- /dev/null +++ b/queue-5.4/net-qlogic-check-the-return-value-of-dma_alloc_coher.patch @@ -0,0 +1,50 @@ +From 19e35800d42f8f3bec5c19055552547803bf7c67 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Mar 2022 01:14:11 -0800 +Subject: net: qlogic: check the return value of dma_alloc_coherent() in + qed_vf_hw_prepare() + +From: Jia-Ju Bai + +[ Upstream commit e0058f0fa80f6e09c4d363779c241c45a3c56b94 ] + +The function dma_alloc_coherent() in qed_vf_hw_prepare() can fail, so +its return value should be checked. + +Fixes: 1408cc1fa48c ("qed: Introduce VFs") +Reported-by: TOTE Robot +Signed-off-by: Jia-Ju Bai +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qed/qed_vf.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/net/ethernet/qlogic/qed/qed_vf.c b/drivers/net/ethernet/qlogic/qed/qed_vf.c +index adc2c8f3d48e..62e4511db857 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_vf.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_vf.c +@@ -539,6 +539,9 @@ int qed_vf_hw_prepare(struct qed_hwfn *p_hwfn) + p_iov->bulletin.size, + &p_iov->bulletin.phys, + GFP_KERNEL); ++ if (!p_iov->bulletin.p_virt) ++ goto free_pf2vf_reply; ++ + DP_VERBOSE(p_hwfn, QED_MSG_IOV, + "VF's bulletin Board [%p virt 0x%llx phys 0x%08x bytes]\n", + p_iov->bulletin.p_virt, +@@ -578,6 +581,10 @@ int qed_vf_hw_prepare(struct qed_hwfn *p_hwfn) + + return rc; + ++free_pf2vf_reply: ++ dma_free_coherent(&p_hwfn->cdev->pdev->dev, ++ sizeof(union pfvf_tlvs), ++ p_iov->pf2vf_reply, p_iov->pf2vf_reply_phys); + free_vf2pf_request: + dma_free_coherent(&p_hwfn->cdev->pdev->dev, + sizeof(union vfpf_tlvs), +-- +2.34.1 + diff --git a/queue-5.4/net-sysfs-add-check-for-netdevice-being-present-to-s.patch b/queue-5.4/net-sysfs-add-check-for-netdevice-being-present-to-s.patch new file mode 100644 index 00000000000..a4e2aca2e2a --- /dev/null +++ b/queue-5.4/net-sysfs-add-check-for-netdevice-being-present-to-s.patch @@ -0,0 +1,78 @@ +From 5b46a44f9d0227631754d8d0ca6456f722e4ee95 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Feb 2022 07:25:18 +0530 +Subject: net-sysfs: add check for netdevice being present to speed_show + +From: suresh kumar + +[ Upstream commit 4224cfd7fb6523f7a9d1c8bb91bb5df1e38eb624 ] + +When bringing down the netdevice or system shutdown, a panic can be +triggered while accessing the sysfs path because the device is already +removed. + + [ 755.549084] mlx5_core 0000:12:00.1: Shutdown was called + [ 756.404455] mlx5_core 0000:12:00.0: Shutdown was called + ... + [ 757.937260] BUG: unable to handle kernel NULL pointer dereference at (null) + [ 758.031397] IP: [] dma_pool_alloc+0x1ab/0x280 + + crash> bt + ... + PID: 12649 TASK: ffff8924108f2100 CPU: 1 COMMAND: "amsd" + ... + #9 [ffff89240e1a38b0] page_fault at ffffffff8f38c778 + [exception RIP: dma_pool_alloc+0x1ab] + RIP: ffffffff8ee11acb RSP: ffff89240e1a3968 RFLAGS: 00010046 + RAX: 0000000000000246 RBX: ffff89243d874100 RCX: 0000000000001000 + RDX: 0000000000000000 RSI: 0000000000000246 RDI: ffff89243d874090 + RBP: ffff89240e1a39c0 R8: 000000000001f080 R9: ffff8905ffc03c00 + R10: ffffffffc04680d4 R11: ffffffff8edde9fd R12: 00000000000080d0 + R13: ffff89243d874090 R14: ffff89243d874080 R15: 0000000000000000 + ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 + #10 [ffff89240e1a39c8] mlx5_alloc_cmd_msg at ffffffffc04680f3 [mlx5_core] + #11 [ffff89240e1a3a18] cmd_exec at ffffffffc046ad62 [mlx5_core] + #12 [ffff89240e1a3ab8] mlx5_cmd_exec at ffffffffc046b4fb [mlx5_core] + #13 [ffff89240e1a3ae8] mlx5_core_access_reg at ffffffffc0475434 [mlx5_core] + #14 [ffff89240e1a3b40] mlx5e_get_fec_caps at ffffffffc04a7348 [mlx5_core] + #15 [ffff89240e1a3bb0] get_fec_supported_advertised at ffffffffc04992bf [mlx5_core] + #16 [ffff89240e1a3c08] mlx5e_get_link_ksettings at ffffffffc049ab36 [mlx5_core] + #17 [ffff89240e1a3ce8] __ethtool_get_link_ksettings at ffffffff8f25db46 + #18 [ffff89240e1a3d48] speed_show at ffffffff8f277208 + #19 [ffff89240e1a3dd8] dev_attr_show at ffffffff8f0b70e3 + #20 [ffff89240e1a3df8] sysfs_kf_seq_show at ffffffff8eedbedf + #21 [ffff89240e1a3e18] kernfs_seq_show at ffffffff8eeda596 + #22 [ffff89240e1a3e28] seq_read at ffffffff8ee76d10 + #23 [ffff89240e1a3e98] kernfs_fop_read at ffffffff8eedaef5 + #24 [ffff89240e1a3ed8] vfs_read at ffffffff8ee4e3ff + #25 [ffff89240e1a3f08] sys_read at ffffffff8ee4f27f + #26 [ffff89240e1a3f50] system_call_fastpath at ffffffff8f395f92 + + crash> net_device.state ffff89443b0c0000 + state = 0x5 (__LINK_STATE_START| __LINK_STATE_NOCARRIER) + +To prevent this scenario, we also make sure that the netdevice is present. + +Signed-off-by: suresh kumar +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/net-sysfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c +index bcad7028bbf4..ad45f13a0370 100644 +--- a/net/core/net-sysfs.c ++++ b/net/core/net-sysfs.c +@@ -212,7 +212,7 @@ static ssize_t speed_show(struct device *dev, + if (!rtnl_trylock()) + return restart_syscall(); + +- if (netif_running(netdev)) { ++ if (netif_running(netdev) && netif_device_present(netdev)) { + struct ethtool_link_ksettings cmd; + + if (!__ethtool_get_link_ksettings(netdev, &cmd)) +-- +2.34.1 + diff --git a/queue-5.4/nfc-port100-fix-use-after-free-in-port100_send_compl.patch b/queue-5.4/nfc-port100-fix-use-after-free-in-port100_send_compl.patch new file mode 100644 index 00000000000..398fcd0fc17 --- /dev/null +++ b/queue-5.4/nfc-port100-fix-use-after-free-in-port100_send_compl.patch @@ -0,0 +1,86 @@ +From 9d7c59653bdc05eda6cec0fcbbf43cbd1e470cab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Mar 2022 21:50:07 +0300 +Subject: NFC: port100: fix use-after-free in port100_send_complete + +From: Pavel Skripkin + +[ Upstream commit f80cfe2f26581f188429c12bd937eb905ad3ac7b ] + +Syzbot reported UAF in port100_send_complete(). The root case is in +missing usb_kill_urb() calls on error handling path of ->probe function. + +port100_send_complete() accesses devm allocated memory which will be +freed on probe failure. We should kill this urbs before returning an +error from probe function to prevent reported use-after-free + +Fail log: + +BUG: KASAN: use-after-free in port100_send_complete+0x16e/0x1a0 drivers/nfc/port100.c:935 +Read of size 1 at addr ffff88801bb59540 by task ksoftirqd/2/26 +... +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 + print_address_description.constprop.0.cold+0x8d/0x303 mm/kasan/report.c:255 + __kasan_report mm/kasan/report.c:442 [inline] + kasan_report.cold+0x83/0xdf mm/kasan/report.c:459 + port100_send_complete+0x16e/0x1a0 drivers/nfc/port100.c:935 + __usb_hcd_giveback_urb+0x2b0/0x5c0 drivers/usb/core/hcd.c:1670 + +... + +Allocated by task 1255: + kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 + kasan_set_track mm/kasan/common.c:45 [inline] + set_alloc_info mm/kasan/common.c:436 [inline] + ____kasan_kmalloc mm/kasan/common.c:515 [inline] + ____kasan_kmalloc mm/kasan/common.c:474 [inline] + __kasan_kmalloc+0xa6/0xd0 mm/kasan/common.c:524 + alloc_dr drivers/base/devres.c:116 [inline] + devm_kmalloc+0x96/0x1d0 drivers/base/devres.c:823 + devm_kzalloc include/linux/device.h:209 [inline] + port100_probe+0x8a/0x1320 drivers/nfc/port100.c:1502 + +Freed by task 1255: + kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 + kasan_set_track+0x21/0x30 mm/kasan/common.c:45 + kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370 + ____kasan_slab_free mm/kasan/common.c:366 [inline] + ____kasan_slab_free+0xff/0x140 mm/kasan/common.c:328 + kasan_slab_free include/linux/kasan.h:236 [inline] + __cache_free mm/slab.c:3437 [inline] + kfree+0xf8/0x2b0 mm/slab.c:3794 + release_nodes+0x112/0x1a0 drivers/base/devres.c:501 + devres_release_all+0x114/0x190 drivers/base/devres.c:530 + really_probe+0x626/0xcc0 drivers/base/dd.c:670 + +Reported-and-tested-by: syzbot+16bcb127fb73baeecb14@syzkaller.appspotmail.com +Fixes: 0347a6ab300a ("NFC: port100: Commands mechanism implementation") +Signed-off-by: Pavel Skripkin +Reviewed-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20220308185007.6987-1-paskripkin@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/nfc/port100.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/nfc/port100.c b/drivers/nfc/port100.c +index 1caebefb25ff..2ae1474faede 100644 +--- a/drivers/nfc/port100.c ++++ b/drivers/nfc/port100.c +@@ -1609,7 +1609,9 @@ static int port100_probe(struct usb_interface *interface, + nfc_digital_free_device(dev->nfc_digital_dev); + + error: ++ usb_kill_urb(dev->in_urb); + usb_free_urb(dev->in_urb); ++ usb_kill_urb(dev->out_urb); + usb_free_urb(dev->out_urb); + usb_put_dev(dev->udev); + +-- +2.34.1 + diff --git a/queue-5.4/qed-return-status-of-qed_iov_get_link.patch b/queue-5.4/qed-return-status-of-qed_iov_get_link.patch new file mode 100644 index 00000000000..b339596c6b9 --- /dev/null +++ b/queue-5.4/qed-return-status-of-qed_iov_get_link.patch @@ -0,0 +1,87 @@ +From fe3e6fbcacd7533d3d8da3453f754d62766875a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Mar 2022 07:06:42 -0800 +Subject: qed: return status of qed_iov_get_link + +From: Tom Rix + +[ Upstream commit d9dc0c84ad2d4cc911ba252c973d1bf18d5eb9cf ] + +Clang static analysis reports this issue +qed_sriov.c:4727:19: warning: Assigned value is + garbage or undefined + ivi->max_tx_rate = tx_rate ? tx_rate : link.speed; + ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +link is only sometimes set by the call to qed_iov_get_link() +qed_iov_get_link fails without setting link or returning +status. So change the decl to return status. + +Fixes: 73390ac9d82b ("qed*: support ndo_get_vf_config") +Signed-off-by: Tom Rix +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qed/qed_sriov.c | 18 +++++++++++------- + 1 file changed, 11 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/qlogic/qed/qed_sriov.c b/drivers/net/ethernet/qlogic/qed/qed_sriov.c +index fb9c3ca5d36c..5e8f8eb916e6 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_sriov.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_sriov.c +@@ -3801,11 +3801,11 @@ bool qed_iov_mark_vf_flr(struct qed_hwfn *p_hwfn, u32 *p_disabled_vfs) + return found; + } + +-static void qed_iov_get_link(struct qed_hwfn *p_hwfn, +- u16 vfid, +- struct qed_mcp_link_params *p_params, +- struct qed_mcp_link_state *p_link, +- struct qed_mcp_link_capabilities *p_caps) ++static int qed_iov_get_link(struct qed_hwfn *p_hwfn, ++ u16 vfid, ++ struct qed_mcp_link_params *p_params, ++ struct qed_mcp_link_state *p_link, ++ struct qed_mcp_link_capabilities *p_caps) + { + struct qed_vf_info *p_vf = qed_iov_get_vf_info(p_hwfn, + vfid, +@@ -3813,7 +3813,7 @@ static void qed_iov_get_link(struct qed_hwfn *p_hwfn, + struct qed_bulletin_content *p_bulletin; + + if (!p_vf) +- return; ++ return -EINVAL; + + p_bulletin = p_vf->bulletin.p_virt; + +@@ -3823,6 +3823,7 @@ static void qed_iov_get_link(struct qed_hwfn *p_hwfn, + __qed_vf_get_link_state(p_hwfn, p_link, p_bulletin); + if (p_caps) + __qed_vf_get_link_caps(p_hwfn, p_caps, p_bulletin); ++ return 0; + } + + static int +@@ -4684,6 +4685,7 @@ static int qed_get_vf_config(struct qed_dev *cdev, + struct qed_public_vf_info *vf_info; + struct qed_mcp_link_state link; + u32 tx_rate; ++ int ret; + + /* Sanitize request */ + if (IS_VF(cdev)) +@@ -4697,7 +4699,9 @@ static int qed_get_vf_config(struct qed_dev *cdev, + + vf_info = qed_iov_get_public_vf_info(hwfn, vf_id, true); + +- qed_iov_get_link(hwfn, vf_id, NULL, &link, NULL); ++ ret = qed_iov_get_link(hwfn, vf_id, NULL, &link, NULL); ++ if (ret) ++ return ret; + + /* Fill information about VF */ + ivi->vf = vf_id; +-- +2.34.1 + diff --git a/queue-5.4/revert-xen-netback-check-for-hotplug-status-existenc.patch b/queue-5.4/revert-xen-netback-check-for-hotplug-status-existenc.patch new file mode 100644 index 00000000000..d346037b804 --- /dev/null +++ b/queue-5.4/revert-xen-netback-check-for-hotplug-status-existenc.patch @@ -0,0 +1,68 @@ +From 15cd302fef0db586e0d2196a46a52d12b7eb2402 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Feb 2022 01:18:17 +0100 +Subject: Revert "xen-netback: Check for hotplug-status existence before + watching" +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Marek Marczykowski-Górecki + +[ Upstream commit e8240addd0a3919e0fd7436416afe9aa6429c484 ] + +This reverts commit 2afeec08ab5c86ae21952151f726bfe184f6b23d. + +The reasoning in the commit was wrong - the code expected to setup the +watch even if 'hotplug-status' didn't exist. In fact, it relied on the +watch being fired the first time - to check if maybe 'hotplug-status' is +already set to 'connected'. Not registering a watch for non-existing +path (which is the case if hotplug script hasn't been executed yet), +made the backend not waiting for the hotplug script to execute. This in +turns, made the netfront think the interface is fully operational, while +in fact it was not (the vif interface on xen-netback side might not be +configured yet). + +This was a workaround for 'hotplug-status' erroneously being removed. +But since that is reverted now, the workaround is not necessary either. + +More discussion at +https://lore.kernel.org/xen-devel/afedd7cb-a291-e773-8b0d-4db9b291fa98@ipxe.org/T/#u + +Signed-off-by: Marek Marczykowski-Górecki +Reviewed-by: Paul Durrant +Reviewed-by: Michael Brown +Link: https://lore.kernel.org/r/20220222001817.2264967-2-marmarek@invisiblethingslab.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/xen-netback/xenbus.c | 12 ++++-------- + 1 file changed, 4 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/xen-netback/xenbus.c b/drivers/net/xen-netback/xenbus.c +index 0fe0fbd83ce4..44e353dd2ba1 100644 +--- a/drivers/net/xen-netback/xenbus.c ++++ b/drivers/net/xen-netback/xenbus.c +@@ -980,15 +980,11 @@ static void connect(struct backend_info *be) + xenvif_carrier_on(be->vif); + + unregister_hotplug_status_watch(be); +- if (xenbus_exists(XBT_NIL, dev->nodename, "hotplug-status")) { +- err = xenbus_watch_pathfmt(dev, &be->hotplug_status_watch, +- NULL, hotplug_status_changed, +- "%s/%s", dev->nodename, +- "hotplug-status"); +- if (err) +- goto err; ++ err = xenbus_watch_pathfmt(dev, &be->hotplug_status_watch, NULL, ++ hotplug_status_changed, ++ "%s/%s", dev->nodename, "hotplug-status"); ++ if (!err) + be->have_hotplug_status_watch = 1; +- } + + netif_tx_wake_all_queues(be->vif->dev); + +-- +2.34.1 + diff --git a/queue-5.4/revert-xen-netback-remove-hotplug-status-once-it-has.patch b/queue-5.4/revert-xen-netback-remove-hotplug-status-once-it-has.patch new file mode 100644 index 00000000000..b3b3ef20c22 --- /dev/null +++ b/queue-5.4/revert-xen-netback-remove-hotplug-status-once-it-has.patch @@ -0,0 +1,58 @@ +From 6754371bdb38c16e7c69e67aa192c3d145845660 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Feb 2022 01:18:16 +0100 +Subject: Revert "xen-netback: remove 'hotplug-status' once it has served its + purpose" +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Marek Marczykowski-Górecki + +[ Upstream commit 0f4558ae91870692ce7f509c31c9d6ee721d8cdc ] + +This reverts commit 1f2565780e9b7218cf92c7630130e82dcc0fe9c2. + +The 'hotplug-status' node should not be removed as long as the vif +device remains configured. Otherwise the xen-netback would wait for +re-running the network script even if it was already called (in case of +the frontent re-connecting). But also, it _should_ be removed when the +vif device is destroyed (for example when unbinding the driver) - +otherwise hotplug script would not configure the device whenever it +re-appear. + +Moving removal of the 'hotplug-status' node was a workaround for nothing +calling network script after xen-netback module is reloaded. But when +vif interface is re-created (on xen-netback unbind/bind for example), +the script should be called, regardless of who does that - currently +this case is not handled by the toolstack, and requires manual +script call. Keeping hotplug-status=connected to skip the call is wrong +and leads to not configured interface. + +More discussion at +https://lore.kernel.org/xen-devel/afedd7cb-a291-e773-8b0d-4db9b291fa98@ipxe.org/T/#u + +Signed-off-by: Marek Marczykowski-Górecki +Reviewed-by: Paul Durrant +Link: https://lore.kernel.org/r/20220222001817.2264967-1-marmarek@invisiblethingslab.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/xen-netback/xenbus.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/xen-netback/xenbus.c b/drivers/net/xen-netback/xenbus.c +index 416305e6d093..0fe0fbd83ce4 100644 +--- a/drivers/net/xen-netback/xenbus.c ++++ b/drivers/net/xen-netback/xenbus.c +@@ -435,6 +435,7 @@ static void backend_disconnect(struct backend_info *be) + unsigned int queue_index; + + xen_unregister_watchers(vif); ++ xenbus_rm(XBT_NIL, be->dev->nodename, "hotplug-status"); + #ifdef CONFIG_DEBUG_FS + xenvif_debugfs_delif(vif); + #endif /* CONFIG_DEBUG_FS */ +-- +2.34.1 + diff --git a/queue-5.4/sctp-fix-kernel-infoleak-for-sctp-sockets.patch b/queue-5.4/sctp-fix-kernel-infoleak-for-sctp-sockets.patch new file mode 100644 index 00000000000..bba579ee51d --- /dev/null +++ b/queue-5.4/sctp-fix-kernel-infoleak-for-sctp-sockets.patch @@ -0,0 +1,128 @@ +From a711d44f8674339be0b3185cf82eb18a94e53a70 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Mar 2022 16:11:45 -0800 +Subject: sctp: fix kernel-infoleak for SCTP sockets + +From: Eric Dumazet + +[ Upstream commit 633593a808980f82d251d0ca89730d8bb8b0220c ] + +syzbot reported a kernel infoleak [1] of 4 bytes. + +After analysis, it turned out r->idiag_expires is not initialized +if inet_sctp_diag_fill() calls inet_diag_msg_common_fill() + +Make sure to clear idiag_timer/idiag_retrans/idiag_expires +and let inet_diag_msg_sctpasoc_fill() fill them again if needed. + +[1] + +BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:121 [inline] +BUG: KMSAN: kernel-infoleak in copyout lib/iov_iter.c:154 [inline] +BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x6ef/0x25a0 lib/iov_iter.c:668 + instrument_copy_to_user include/linux/instrumented.h:121 [inline] + copyout lib/iov_iter.c:154 [inline] + _copy_to_iter+0x6ef/0x25a0 lib/iov_iter.c:668 + copy_to_iter include/linux/uio.h:162 [inline] + simple_copy_to_iter+0xf3/0x140 net/core/datagram.c:519 + __skb_datagram_iter+0x2d5/0x11b0 net/core/datagram.c:425 + skb_copy_datagram_iter+0xdc/0x270 net/core/datagram.c:533 + skb_copy_datagram_msg include/linux/skbuff.h:3696 [inline] + netlink_recvmsg+0x669/0x1c80 net/netlink/af_netlink.c:1977 + sock_recvmsg_nosec net/socket.c:948 [inline] + sock_recvmsg net/socket.c:966 [inline] + __sys_recvfrom+0x795/0xa10 net/socket.c:2097 + __do_sys_recvfrom net/socket.c:2115 [inline] + __se_sys_recvfrom net/socket.c:2111 [inline] + __x64_sys_recvfrom+0x19d/0x210 net/socket.c:2111 + do_syscall_x64 arch/x86/entry/common.c:51 [inline] + do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +Uninit was created at: + slab_post_alloc_hook mm/slab.h:737 [inline] + slab_alloc_node mm/slub.c:3247 [inline] + __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4975 + kmalloc_reserve net/core/skbuff.c:354 [inline] + __alloc_skb+0x545/0xf90 net/core/skbuff.c:426 + alloc_skb include/linux/skbuff.h:1158 [inline] + netlink_dump+0x3e5/0x16c0 net/netlink/af_netlink.c:2248 + __netlink_dump_start+0xcf8/0xe90 net/netlink/af_netlink.c:2373 + netlink_dump_start include/linux/netlink.h:254 [inline] + inet_diag_handler_cmd+0x2e7/0x400 net/ipv4/inet_diag.c:1341 + sock_diag_rcv_msg+0x24a/0x620 + netlink_rcv_skb+0x40c/0x7e0 net/netlink/af_netlink.c:2494 + sock_diag_rcv+0x63/0x80 net/core/sock_diag.c:277 + netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline] + netlink_unicast+0x1093/0x1360 net/netlink/af_netlink.c:1343 + netlink_sendmsg+0x14d9/0x1720 net/netlink/af_netlink.c:1919 + sock_sendmsg_nosec net/socket.c:705 [inline] + sock_sendmsg net/socket.c:725 [inline] + sock_write_iter+0x594/0x690 net/socket.c:1061 + do_iter_readv_writev+0xa7f/0xc70 + do_iter_write+0x52c/0x1500 fs/read_write.c:851 + vfs_writev fs/read_write.c:924 [inline] + do_writev+0x645/0xe00 fs/read_write.c:967 + __do_sys_writev fs/read_write.c:1040 [inline] + __se_sys_writev fs/read_write.c:1037 [inline] + __x64_sys_writev+0xe5/0x120 fs/read_write.c:1037 + do_syscall_x64 arch/x86/entry/common.c:51 [inline] + do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +Bytes 68-71 of 2508 are uninitialized +Memory access of size 2508 starts at ffff888114f9b000 +Data copied to user address 00007f7fe09ff2e0 + +CPU: 1 PID: 3478 Comm: syz-executor306 Not tainted 5.17.0-rc4-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 + +Fixes: 8f840e47f190 ("sctp: add the sctp_diag.c file") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Cc: Vlad Yasevich +Cc: Neil Horman +Cc: Marcelo Ricardo Leitner +Reviewed-by: Xin Long +Link: https://lore.kernel.org/r/20220310001145.297371-1-eric.dumazet@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sctp/diag.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +diff --git a/net/sctp/diag.c b/net/sctp/diag.c +index 7921e77fa55a..5a918e74bb82 100644 +--- a/net/sctp/diag.c ++++ b/net/sctp/diag.c +@@ -61,10 +61,6 @@ static void inet_diag_msg_sctpasoc_fill(struct inet_diag_msg *r, + r->idiag_timer = SCTP_EVENT_TIMEOUT_T3_RTX; + r->idiag_retrans = asoc->rtx_data_chunks; + r->idiag_expires = jiffies_to_msecs(t3_rtx->expires - jiffies); +- } else { +- r->idiag_timer = 0; +- r->idiag_retrans = 0; +- r->idiag_expires = 0; + } + } + +@@ -144,13 +140,14 @@ static int inet_sctp_diag_fill(struct sock *sk, struct sctp_association *asoc, + r = nlmsg_data(nlh); + BUG_ON(!sk_fullsock(sk)); + ++ r->idiag_timer = 0; ++ r->idiag_retrans = 0; ++ r->idiag_expires = 0; + if (asoc) { + inet_diag_msg_sctpasoc_fill(r, sk, asoc); + } else { + inet_diag_msg_common_fill(r, sk); + r->idiag_state = sk->sk_state; +- r->idiag_timer = 0; +- r->idiag_retrans = 0; + } + + if (inet_diag_msg_attrs_fill(sk, skb, r, ext, user_ns, net_admin)) +-- +2.34.1 + diff --git a/queue-5.4/selftest-vm-fix-map_fixed_noreplace-test-failure.patch b/queue-5.4/selftest-vm-fix-map_fixed_noreplace-test-failure.patch new file mode 100644 index 00000000000..bba9c4ad80c --- /dev/null +++ b/queue-5.4/selftest-vm-fix-map_fixed_noreplace-test-failure.patch @@ -0,0 +1,181 @@ +From 2aee105b2d3a8d916bcd872dd653ba37a2f3b105 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Feb 2022 19:11:08 -0800 +Subject: selftest/vm: fix map_fixed_noreplace test failure + +From: Aneesh Kumar K.V + +[ Upstream commit f39c58008dee7ab5fc94c3f1995a21e886801df0 ] + +On the latest RHEL the test fails due to executable mapped at 256MB +address + + # ./map_fixed_noreplace + mmap() @ 0x10000000-0x10050000 p=0xffffffffffffffff result=File exists + 10000000-10010000 r-xp 00000000 fd:04 34905657 /root/rpmbuild/BUILD/kernel-5.14.0-56.el9/linux-5.14.0-56.el9.ppc64le/tools/testing/selftests/vm/map_fixed_noreplace + 10010000-10020000 r--p 00000000 fd:04 34905657 /root/rpmbuild/BUILD/kernel-5.14.0-56.el9/linux-5.14.0-56.el9.ppc64le/tools/testing/selftests/vm/map_fixed_noreplace + 10020000-10030000 rw-p 00010000 fd:04 34905657 /root/rpmbuild/BUILD/kernel-5.14.0-56.el9/linux-5.14.0-56.el9.ppc64le/tools/testing/selftests/vm/map_fixed_noreplace + 10029b90000-10029bc0000 rw-p 00000000 00:00 0 [heap] + 7fffbb510000-7fffbb750000 r-xp 00000000 fd:04 24534 /usr/lib64/libc.so.6 + 7fffbb750000-7fffbb760000 r--p 00230000 fd:04 24534 /usr/lib64/libc.so.6 + 7fffbb760000-7fffbb770000 rw-p 00240000 fd:04 24534 /usr/lib64/libc.so.6 + 7fffbb780000-7fffbb7a0000 r--p 00000000 00:00 0 [vvar] + 7fffbb7a0000-7fffbb7b0000 r-xp 00000000 00:00 0 [vdso] + 7fffbb7b0000-7fffbb800000 r-xp 00000000 fd:04 24514 /usr/lib64/ld64.so.2 + 7fffbb800000-7fffbb810000 r--p 00040000 fd:04 24514 /usr/lib64/ld64.so.2 + 7fffbb810000-7fffbb820000 rw-p 00050000 fd:04 24514 /usr/lib64/ld64.so.2 + 7fffd93f0000-7fffd9420000 rw-p 00000000 00:00 0 [stack] + Error: couldn't map the space we need for the test + +Fix this by finding a free address using mmap instead of hardcoding +BASE_ADDRESS. + +Link: https://lkml.kernel.org/r/20220217083417.373823-1-aneesh.kumar@linux.ibm.com +Signed-off-by: Aneesh Kumar K.V +Cc: Michael Ellerman +Cc: Jann Horn +Cc: Shuah Khan +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + .../selftests/vm/map_fixed_noreplace.c | 49 ++++++++++++++----- + 1 file changed, 37 insertions(+), 12 deletions(-) + +diff --git a/tools/testing/selftests/vm/map_fixed_noreplace.c b/tools/testing/selftests/vm/map_fixed_noreplace.c +index d91bde511268..eed44322d1a6 100644 +--- a/tools/testing/selftests/vm/map_fixed_noreplace.c ++++ b/tools/testing/selftests/vm/map_fixed_noreplace.c +@@ -17,9 +17,6 @@ + #define MAP_FIXED_NOREPLACE 0x100000 + #endif + +-#define BASE_ADDRESS (256ul * 1024 * 1024) +- +- + static void dump_maps(void) + { + char cmd[32]; +@@ -28,18 +25,46 @@ static void dump_maps(void) + system(cmd); + } + ++static unsigned long find_base_addr(unsigned long size) ++{ ++ void *addr; ++ unsigned long flags; ++ ++ flags = MAP_PRIVATE | MAP_ANONYMOUS; ++ addr = mmap(NULL, size, PROT_NONE, flags, -1, 0); ++ if (addr == MAP_FAILED) { ++ printf("Error: couldn't map the space we need for the test\n"); ++ return 0; ++ } ++ ++ if (munmap(addr, size) != 0) { ++ printf("Error: couldn't map the space we need for the test\n"); ++ return 0; ++ } ++ return (unsigned long)addr; ++} ++ + int main(void) + { ++ unsigned long base_addr; + unsigned long flags, addr, size, page_size; + char *p; + + page_size = sysconf(_SC_PAGE_SIZE); + ++ //let's find a base addr that is free before we start the tests ++ size = 5 * page_size; ++ base_addr = find_base_addr(size); ++ if (!base_addr) { ++ printf("Error: couldn't map the space we need for the test\n"); ++ return 1; ++ } ++ + flags = MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED_NOREPLACE; + + // Check we can map all the areas we need below + errno = 0; +- addr = BASE_ADDRESS; ++ addr = base_addr; + size = 5 * page_size; + p = mmap((void *)addr, size, PROT_NONE, flags, -1, 0); + +@@ -60,7 +85,7 @@ int main(void) + printf("unmap() successful\n"); + + errno = 0; +- addr = BASE_ADDRESS + page_size; ++ addr = base_addr + page_size; + size = 3 * page_size; + p = mmap((void *)addr, size, PROT_NONE, flags, -1, 0); + printf("mmap() @ 0x%lx-0x%lx p=%p result=%m\n", addr, addr + size, p); +@@ -80,7 +105,7 @@ int main(void) + * +4 | free | new + */ + errno = 0; +- addr = BASE_ADDRESS; ++ addr = base_addr; + size = 5 * page_size; + p = mmap((void *)addr, size, PROT_NONE, flags, -1, 0); + printf("mmap() @ 0x%lx-0x%lx p=%p result=%m\n", addr, addr + size, p); +@@ -101,7 +126,7 @@ int main(void) + * +4 | free | + */ + errno = 0; +- addr = BASE_ADDRESS + (2 * page_size); ++ addr = base_addr + (2 * page_size); + size = page_size; + p = mmap((void *)addr, size, PROT_NONE, flags, -1, 0); + printf("mmap() @ 0x%lx-0x%lx p=%p result=%m\n", addr, addr + size, p); +@@ -121,7 +146,7 @@ int main(void) + * +4 | free | new + */ + errno = 0; +- addr = BASE_ADDRESS + (3 * page_size); ++ addr = base_addr + (3 * page_size); + size = 2 * page_size; + p = mmap((void *)addr, size, PROT_NONE, flags, -1, 0); + printf("mmap() @ 0x%lx-0x%lx p=%p result=%m\n", addr, addr + size, p); +@@ -141,7 +166,7 @@ int main(void) + * +4 | free | + */ + errno = 0; +- addr = BASE_ADDRESS; ++ addr = base_addr; + size = 2 * page_size; + p = mmap((void *)addr, size, PROT_NONE, flags, -1, 0); + printf("mmap() @ 0x%lx-0x%lx p=%p result=%m\n", addr, addr + size, p); +@@ -161,7 +186,7 @@ int main(void) + * +4 | free | + */ + errno = 0; +- addr = BASE_ADDRESS; ++ addr = base_addr; + size = page_size; + p = mmap((void *)addr, size, PROT_NONE, flags, -1, 0); + printf("mmap() @ 0x%lx-0x%lx p=%p result=%m\n", addr, addr + size, p); +@@ -181,7 +206,7 @@ int main(void) + * +4 | free | new + */ + errno = 0; +- addr = BASE_ADDRESS + (4 * page_size); ++ addr = base_addr + (4 * page_size); + size = page_size; + p = mmap((void *)addr, size, PROT_NONE, flags, -1, 0); + printf("mmap() @ 0x%lx-0x%lx p=%p result=%m\n", addr, addr + size, p); +@@ -192,7 +217,7 @@ int main(void) + return 1; + } + +- addr = BASE_ADDRESS; ++ addr = base_addr; + size = 5 * page_size; + if (munmap((void *)addr, size) != 0) { + dump_maps(); +-- +2.34.1 + diff --git a/queue-5.4/selftests-bpf-add-test-for-bpf_timer-overwriting-cra.patch b/queue-5.4/selftests-bpf-add-test-for-bpf_timer-overwriting-cra.patch new file mode 100644 index 00000000000..3188b2eabb7 --- /dev/null +++ b/queue-5.4/selftests-bpf-add-test-for-bpf_timer-overwriting-cra.patch @@ -0,0 +1,125 @@ +From 2ec5dbbfe5b0726bbf0fa8a2be9c8d9656439553 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Feb 2022 12:33:24 +0530 +Subject: selftests/bpf: Add test for bpf_timer overwriting crash + +From: Kumar Kartikeya Dwivedi + +[ Upstream commit a7e75016a0753c24d6c995bc02501ae35368e333 ] + +Add a test that validates that timer value is not overwritten when doing +a copy_map_value call in the kernel. Without the prior fix, this test +triggers a crash. + +Signed-off-by: Kumar Kartikeya Dwivedi +Signed-off-by: Alexei Starovoitov +Link: https://lore.kernel.org/bpf/20220209070324.1093182-3-memxor@gmail.com +Signed-off-by: Sasha Levin +--- + .../selftests/bpf/prog_tests/timer_crash.c | 32 +++++++++++ + .../testing/selftests/bpf/progs/timer_crash.c | 54 +++++++++++++++++++ + 2 files changed, 86 insertions(+) + create mode 100644 tools/testing/selftests/bpf/prog_tests/timer_crash.c + create mode 100644 tools/testing/selftests/bpf/progs/timer_crash.c + +diff --git a/tools/testing/selftests/bpf/prog_tests/timer_crash.c b/tools/testing/selftests/bpf/prog_tests/timer_crash.c +new file mode 100644 +index 000000000000..f74b82305da8 +--- /dev/null ++++ b/tools/testing/selftests/bpf/prog_tests/timer_crash.c +@@ -0,0 +1,32 @@ ++// SPDX-License-Identifier: GPL-2.0 ++#include ++#include "timer_crash.skel.h" ++ ++enum { ++ MODE_ARRAY, ++ MODE_HASH, ++}; ++ ++static void test_timer_crash_mode(int mode) ++{ ++ struct timer_crash *skel; ++ ++ skel = timer_crash__open_and_load(); ++ if (!ASSERT_OK_PTR(skel, "timer_crash__open_and_load")) ++ return; ++ skel->bss->pid = getpid(); ++ skel->bss->crash_map = mode; ++ if (!ASSERT_OK(timer_crash__attach(skel), "timer_crash__attach")) ++ goto end; ++ usleep(1); ++end: ++ timer_crash__destroy(skel); ++} ++ ++void test_timer_crash(void) ++{ ++ if (test__start_subtest("array")) ++ test_timer_crash_mode(MODE_ARRAY); ++ if (test__start_subtest("hash")) ++ test_timer_crash_mode(MODE_HASH); ++} +diff --git a/tools/testing/selftests/bpf/progs/timer_crash.c b/tools/testing/selftests/bpf/progs/timer_crash.c +new file mode 100644 +index 000000000000..f8f7944e70da +--- /dev/null ++++ b/tools/testing/selftests/bpf/progs/timer_crash.c +@@ -0,0 +1,54 @@ ++// SPDX-License-Identifier: GPL-2.0 ++ ++#include ++#include ++#include ++ ++struct map_elem { ++ struct bpf_timer timer; ++ struct bpf_spin_lock lock; ++}; ++ ++struct { ++ __uint(type, BPF_MAP_TYPE_ARRAY); ++ __uint(max_entries, 1); ++ __type(key, int); ++ __type(value, struct map_elem); ++} amap SEC(".maps"); ++ ++struct { ++ __uint(type, BPF_MAP_TYPE_HASH); ++ __uint(max_entries, 1); ++ __type(key, int); ++ __type(value, struct map_elem); ++} hmap SEC(".maps"); ++ ++int pid = 0; ++int crash_map = 0; /* 0 for amap, 1 for hmap */ ++ ++SEC("fentry/do_nanosleep") ++int sys_enter(void *ctx) ++{ ++ struct map_elem *e, value = {}; ++ void *map = crash_map ? (void *)&hmap : (void *)&amap; ++ ++ if (bpf_get_current_task_btf()->tgid != pid) ++ return 0; ++ ++ *(void **)&value = (void *)0xdeadcaf3; ++ ++ bpf_map_update_elem(map, &(int){0}, &value, 0); ++ /* For array map, doing bpf_map_update_elem will do a ++ * check_and_free_timer_in_array, which will trigger the crash if timer ++ * pointer was overwritten, for hmap we need to use bpf_timer_cancel. ++ */ ++ if (crash_map == 1) { ++ e = bpf_map_lookup_elem(map, &(int){0}); ++ if (!e) ++ return 0; ++ bpf_timer_cancel(&e->timer); ++ } ++ return 0; ++} ++ ++char _license[] SEC("license") = "GPL"; +-- +2.34.1 + diff --git a/queue-5.4/selftests-memfd-clean-up-mapping-in-mfd_fail_write.patch b/queue-5.4/selftests-memfd-clean-up-mapping-in-mfd_fail_write.patch new file mode 100644 index 00000000000..54c8fa5a49f --- /dev/null +++ b/queue-5.4/selftests-memfd-clean-up-mapping-in-mfd_fail_write.patch @@ -0,0 +1,57 @@ +From 24284ff7f7b5b0ef1cf5a0370cddfc0c40b60ae6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Feb 2022 19:11:26 -0800 +Subject: selftests/memfd: clean up mapping in mfd_fail_write + +From: Mike Kravetz + +[ Upstream commit fda153c89af344d21df281009a9d046cf587ea0f ] + +Running the memfd script ./run_hugetlbfs_test.sh will often end in error +as follows: + + memfd-hugetlb: CREATE + memfd-hugetlb: BASIC + memfd-hugetlb: SEAL-WRITE + memfd-hugetlb: SEAL-FUTURE-WRITE + memfd-hugetlb: SEAL-SHRINK + fallocate(ALLOC) failed: No space left on device + ./run_hugetlbfs_test.sh: line 60: 166855 Aborted (core dumped) ./memfd_test hugetlbfs + opening: ./mnt/memfd + fuse: DONE + +If no hugetlb pages have been preallocated, run_hugetlbfs_test.sh will +allocate 'just enough' pages to run the test. In the SEAL-FUTURE-WRITE +test the mfd_fail_write routine maps the file, but does not unmap. As a +result, two hugetlb pages remain reserved for the mapping. When the +fallocate call in the SEAL-SHRINK test attempts allocate all hugetlb +pages, it is short by the two reserved pages. + +Fix by making sure to unmap in mfd_fail_write. + +Link: https://lkml.kernel.org/r/20220219004340.56478-1-mike.kravetz@oracle.com +Signed-off-by: Mike Kravetz +Cc: Joel Fernandes +Cc: Shuah Khan +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/memfd/memfd_test.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/testing/selftests/memfd/memfd_test.c b/tools/testing/selftests/memfd/memfd_test.c +index c67d32eeb668..290cec2a6a33 100644 +--- a/tools/testing/selftests/memfd/memfd_test.c ++++ b/tools/testing/selftests/memfd/memfd_test.c +@@ -421,6 +421,7 @@ static void mfd_fail_write(int fd) + printf("mmap()+mprotect() didn't fail as expected\n"); + abort(); + } ++ munmap(p, mfd_def_size); + } + + /* verify PUNCH_HOLE fails */ +-- +2.34.1 + diff --git a/queue-5.4/selftests-pmtu.sh-kill-tcpdump-processes-launched-by.patch b/queue-5.4/selftests-pmtu.sh-kill-tcpdump-processes-launched-by.patch new file mode 100644 index 00000000000..b69b58e192e --- /dev/null +++ b/queue-5.4/selftests-pmtu.sh-kill-tcpdump-processes-launched-by.patch @@ -0,0 +1,95 @@ +From f667d63d04b7ba0aa2a5590481f2d0e195e4bf3c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Mar 2022 23:15:00 +0100 +Subject: selftests: pmtu.sh: Kill tcpdump processes launched by subshell. + +From: Guillaume Nault + +[ Upstream commit 18dfc667550fe9c032a6dcc3402b50e691e18029 ] + +The cleanup() function takes care of killing processes launched by the +test functions. It relies on variables like ${tcpdump_pids} to get the +relevant PIDs. But tests are run in their own subshell, so updated +*_pids values are invisible to other shells. Therefore cleanup() never +sees any process to kill: + +$ ./tools/testing/selftests/net/pmtu.sh -t pmtu_ipv4_exception +TEST: ipv4: PMTU exceptions [ OK ] +TEST: ipv4: PMTU exceptions - nexthop objects [ OK ] + +$ pgrep -af tcpdump +6084 tcpdump -s 0 -i veth_A-R1 -w pmtu_ipv4_exception_veth_A-R1.pcap +6085 tcpdump -s 0 -i veth_R1-A -w pmtu_ipv4_exception_veth_R1-A.pcap +6086 tcpdump -s 0 -i veth_R1-B -w pmtu_ipv4_exception_veth_R1-B.pcap +6087 tcpdump -s 0 -i veth_B-R1 -w pmtu_ipv4_exception_veth_B-R1.pcap +6088 tcpdump -s 0 -i veth_A-R2 -w pmtu_ipv4_exception_veth_A-R2.pcap +6089 tcpdump -s 0 -i veth_R2-A -w pmtu_ipv4_exception_veth_R2-A.pcap +6090 tcpdump -s 0 -i veth_R2-B -w pmtu_ipv4_exception_veth_R2-B.pcap +6091 tcpdump -s 0 -i veth_B-R2 -w pmtu_ipv4_exception_veth_B-R2.pcap +6228 tcpdump -s 0 -i veth_A-R1 -w pmtu_ipv4_exception_veth_A-R1.pcap +6229 tcpdump -s 0 -i veth_R1-A -w pmtu_ipv4_exception_veth_R1-A.pcap +6230 tcpdump -s 0 -i veth_R1-B -w pmtu_ipv4_exception_veth_R1-B.pcap +6231 tcpdump -s 0 -i veth_B-R1 -w pmtu_ipv4_exception_veth_B-R1.pcap +6232 tcpdump -s 0 -i veth_A-R2 -w pmtu_ipv4_exception_veth_A-R2.pcap +6233 tcpdump -s 0 -i veth_R2-A -w pmtu_ipv4_exception_veth_R2-A.pcap +6234 tcpdump -s 0 -i veth_R2-B -w pmtu_ipv4_exception_veth_R2-B.pcap +6235 tcpdump -s 0 -i veth_B-R2 -w pmtu_ipv4_exception_veth_B-R2.pcap + +Fix this by running cleanup() in the context of the test subshell. +Now that each test cleans the environment after completion, there's no +need for calling cleanup() again when the next test starts. So let's +drop it from the setup() function. This is okay because cleanup() is +also called when pmtu.sh starts, so even the first test starts in a +clean environment. + +Also, use tcpdump's immediate mode. Otherwise it might not have time to +process buffered packets, resulting in missing packets or even empty +pcap files for short tests. + +Note: PAUSE_ON_FAIL is still evaluated before cleanup(), so one can +still inspect the test environment upon failure when using -p. + +Fixes: a92a0a7b8e7c ("selftests: pmtu: Simplify cleanup and namespace names") +Signed-off-by: Guillaume Nault +Reviewed-by: Shuah Khan +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/pmtu.sh | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/net/pmtu.sh b/tools/testing/selftests/net/pmtu.sh +index 3429767cadcd..88be9083b923 100755 +--- a/tools/testing/selftests/net/pmtu.sh ++++ b/tools/testing/selftests/net/pmtu.sh +@@ -579,7 +579,6 @@ setup_routing() { + setup() { + [ "$(id -u)" -ne 0 ] && echo " need to run as root" && return $ksft_skip + +- cleanup + for arg do + eval setup_${arg} || { echo " ${arg} not supported"; return 1; } + done +@@ -590,7 +589,7 @@ trace() { + + for arg do + [ "${ns_cmd}" = "" ] && ns_cmd="${arg}" && continue +- ${ns_cmd} tcpdump -s 0 -i "${arg}" -w "${name}_${arg}.pcap" 2> /dev/null & ++ ${ns_cmd} tcpdump --immediate-mode -s 0 -i "${arg}" -w "${name}_${arg}.pcap" 2> /dev/null & + tcpdump_pids="${tcpdump_pids} $!" + ns_cmd= + done +@@ -1182,6 +1181,10 @@ run_test() { + + unset IFS + ++ # Since cleanup() relies on variables modified by this subshell, it ++ # has to run in this context. ++ trap cleanup EXIT ++ + if [ "$VERBOSE" = "1" ]; then + printf "\n##########################################################################\n\n" + fi +-- +2.34.1 + diff --git a/queue-5.4/series b/queue-5.4/series new file mode 100644 index 00000000000..12520718f04 --- /dev/null +++ b/queue-5.4/series @@ -0,0 +1,28 @@ +clk-qcom-gdsc-add-support-to-update-gdsc-transition-.patch +arm64-dts-armada-3720-turris-mox-add-missing-etherne.patch +virtio-blk-don-t-use-max_discard_segments-if-max_dis.patch +net-qlogic-check-the-return-value-of-dma_alloc_coher.patch +qed-return-status-of-qed_iov_get_link.patch +drm-sun4i-mixer-fix-p010-and-p210-format-numbers.patch +arm-dts-aspeed-fix-ast2600-quad-spi-group.patch +ethernet-fix-error-handling-in-xemaclite_of_probe.patch +net-ethernet-ti-cpts-handle-error-for-clk_enable.patch +net-ethernet-lpc_eth-handle-error-for-clk_enable.patch +ax25-fix-null-pointer-dereference-in-ax25_kill_by_de.patch +net-mlx5-fix-size-field-in-bufferx_reg-struct.patch +net-mlx5-fix-a-race-on-command-flush-flow.patch +nfc-port100-fix-use-after-free-in-port100_send_compl.patch +selftests-pmtu.sh-kill-tcpdump-processes-launched-by.patch +gpio-ts4900-do-not-set-dat-and-oe-together.patch +gianfar-ethtool-fix-refcount-leak-in-gfar_get_ts_inf.patch +net-phy-dp83822-clear-misr2-register-to-disable-inte.patch +sctp-fix-kernel-infoleak-for-sctp-sockets.patch +net-bcmgenet-don-t-claim-wol-when-its-not-available.patch +selftests-bpf-add-test-for-bpf_timer-overwriting-cra.patch +net-sysfs-add-check-for-netdevice-being-present-to-s.patch +revert-xen-netback-remove-hotplug-status-once-it-has.patch +revert-xen-netback-check-for-hotplug-status-existenc.patch +ipv6-prevent-a-possible-race-condition-with-lifetime.patch +tracing-ensure-trace-buffer-is-at-least-4096-bytes-l.patch +selftest-vm-fix-map_fixed_noreplace-test-failure.patch +selftests-memfd-clean-up-mapping-in-mfd_fail_write.patch diff --git a/queue-5.4/tracing-ensure-trace-buffer-is-at-least-4096-bytes-l.patch b/queue-5.4/tracing-ensure-trace-buffer-is-at-least-4096-bytes-l.patch new file mode 100644 index 00000000000..1394eb0534e --- /dev/null +++ b/queue-5.4/tracing-ensure-trace-buffer-is-at-least-4096-bytes-l.patch @@ -0,0 +1,58 @@ +From d06a2175e74a57356a9e2a1cceeb0f5101dfe13f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Feb 2022 14:44:56 +0100 +Subject: tracing: Ensure trace buffer is at least 4096 bytes large + +From: Sven Schnelle + +[ Upstream commit 7acf3a127bb7c65ff39099afd78960e77b2ca5de ] + +Booting the kernel with 'trace_buf_size=1' give a warning at +boot during the ftrace selftests: + +[ 0.892809] Running postponed tracer tests: +[ 0.892893] Testing tracer function: +[ 0.901899] Callback from call_rcu_tasks_trace() invoked. +[ 0.983829] Callback from call_rcu_tasks_rude() invoked. +[ 1.072003] .. bad ring buffer .. corrupted trace buffer .. +[ 1.091944] Callback from call_rcu_tasks() invoked. +[ 1.097695] PASSED +[ 1.097701] Testing dynamic ftrace: .. filter failed count=0 ..FAILED! +[ 1.353474] ------------[ cut here ]------------ +[ 1.353478] WARNING: CPU: 0 PID: 1 at kernel/trace/trace.c:1951 run_tracer_selftest+0x13c/0x1b0 + +Therefore enforce a minimum of 4096 bytes to make the selftest pass. + +Link: https://lkml.kernel.org/r/20220214134456.1751749-1-svens@linux.ibm.com + +Signed-off-by: Sven Schnelle +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c +index 1a89b2bf626a..56619766e910 100644 +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -1305,10 +1305,12 @@ static int __init set_buf_size(char *str) + if (!str) + return 0; + buf_size = memparse(str, &str); +- /* nr_entries can not be zero */ +- if (buf_size == 0) +- return 0; +- trace_buf_size = buf_size; ++ /* ++ * nr_entries can not be zero and the startup ++ * tests require some buffer space. Therefore ++ * ensure we have at least 4096 bytes of buffer. ++ */ ++ trace_buf_size = max(4096UL, buf_size); + return 1; + } + __setup("trace_buf_size=", set_buf_size); +-- +2.34.1 + diff --git a/queue-5.4/virtio-blk-don-t-use-max_discard_segments-if-max_dis.patch b/queue-5.4/virtio-blk-don-t-use-max_discard_segments-if-max_dis.patch new file mode 100644 index 00000000000..a2400146ce0 --- /dev/null +++ b/queue-5.4/virtio-blk-don-t-use-max_discard_segments-if-max_dis.patch @@ -0,0 +1,49 @@ +From c1baceb4af7fd91dbefcc2bdc423536969af180a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Mar 2022 18:00:57 +0800 +Subject: virtio-blk: Don't use MAX_DISCARD_SEGMENTS if max_discard_seg is zero + +From: Xie Yongji + +[ Upstream commit dacc73ed0b88f1a787ec20385f42ca9dd9eddcd0 ] + +Currently the value of max_discard_segment will be set to +MAX_DISCARD_SEGMENTS (256) with no basis in hardware if device +set 0 to max_discard_seg in configuration space. It's incorrect +since the device might not be able to handle such large descriptors. +To fix it, let's follow max_segments restrictions in this case. + +Fixes: 1f23816b8eb8 ("virtio_blk: add discard and write zeroes support") +Signed-off-by: Xie Yongji +Link: https://lore.kernel.org/r/20220304100058.116-1-xieyongji@bytedance.com +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Sasha Levin +--- + drivers/block/virtio_blk.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/block/virtio_blk.c b/drivers/block/virtio_blk.c +index 816eb2db7308..4b3645e648ee 100644 +--- a/drivers/block/virtio_blk.c ++++ b/drivers/block/virtio_blk.c +@@ -980,9 +980,15 @@ static int virtblk_probe(struct virtio_device *vdev) + + virtio_cread(vdev, struct virtio_blk_config, max_discard_seg, + &v); ++ ++ /* ++ * max_discard_seg == 0 is out of spec but we always ++ * handled it. ++ */ ++ if (!v) ++ v = sg_elems - 2; + blk_queue_max_discard_segments(q, +- min_not_zero(v, +- MAX_DISCARD_SEGMENTS)); ++ min(v, MAX_DISCARD_SEGMENTS)); + + blk_queue_flag_set(QUEUE_FLAG_DISCARD, q); + } +-- +2.34.1 +