From: Greg Kroah-Hartman Date: Tue, 23 Nov 2021 11:17:11 +0000 (+0100) Subject: 5.15-stable patches X-Git-Tag: v5.15.5~44 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0d07bd539eedbcb7e87ea98360fe9cff1f0320e9;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: btrfs-fix-memory-ordering-between-normal-and-ordered-work-functions.patch cfg80211-call-cfg80211_stop_ap-when-switch-from-p2p_go-type.patch drivers-hv-balloon-use-vmbus_ring_size-wrapper-for-dm_ring_size.patch drm-amd-display-limit-max-dsc-target-bpp-for-specific-monitors.patch drm-amd-display-update-swizzle-mode-enums.patch fs-handle-circular-mappings-correctly.patch mac80211-drop-check-for-dont_reorder-in-__ieee80211_select_queue.patch mac80211-fix-radiotap-header-generation.patch net-stmmac-fix-signed-unsigned-wreckage.patch parisc-sticon-fix-reverse-colors.patch
---
diff --git a/queue-5.15/btrfs-fix-memory-ordering-between-normal-and-ordered-work-functions.patch b/queue-5.15/btrfs-fix-memory-ordering-between-normal-and-ordered-work-functions.patch
new file mode 100644
index 00000000000..bcc60af56f5
--- /dev/null
+++ b/queue-5.15/btrfs-fix-memory-ordering-between-normal-and-ordered-work-functions.patch
@@ -0,0 +1,86 @@
+From 45da9c1767ac31857df572f0a909fbe88fd5a7e9 Mon Sep 17 00:00:00 2001
+From: Nikolay Borisov
+Date: Tue, 2 Nov 2021 14:49:16 +0200
+Subject: btrfs: fix memory ordering between normal and ordered work functions
+
+From: Nikolay Borisov
+
+commit 45da9c1767ac31857df572f0a909fbe88fd5a7e9 upstream.
+
+Ordered work functions aren't guaranteed to be handled by the same thread
+which executed the normal work functions. The only way execution between
+normal/ordered functions is synchronized is via the WORK_DONE_BIT,
+unfortunately the used bitops don't guarantee any ordering whatsoever.
+
+This manifested as seemingly inexplicable crashes on ARM64, where
+async_chunk::inode is seen as non-null in async_cow_submit which causes
+submit_compressed_extents to be called and crash occurs because
+async_chunk::inode suddenly became NULL. The call trace was similar to:
+
+ pc : submit_compressed_extents+0x38/0x3d0
+ lr : async_cow_submit+0x50/0xd0
+ sp : ffff800015d4bc20
+
+
+
+ Call trace:
+ submit_compressed_extents+0x38/0x3d0
+ async_cow_submit+0x50/0xd0
+ run_ordered_work+0xc8/0x280
+ btrfs_work_helper+0x98/0x250
+ process_one_work+0x1f0/0x4ac
+ worker_thread+0x188/0x504
+ kthread+0x110/0x114
+ ret_from_fork+0x10/0x18
+
+Fix this by adding respective barrier calls which ensure that all
+accesses preceding setting of WORK_DONE_BIT are strictly ordered before
+setting the flag. At the same time add a read barrier after reading of
+WORK_DONE_BIT in run_ordered_work which ensures all subsequent loads
+would be strictly ordered after reading the bit. This in turn ensures
+are all accesses before WORK_DONE_BIT are going to be strictly ordered
+before any access that can occur in ordered_func.
+
+Reported-by: Chris Murphy
+Fixes: 08a9ff326418 ("btrfs: Added btrfs_workqueue_struct implemented ordered execution based on kernel workqueue")
+CC: stable@vger.kernel.org # 4.4+
+Link: https://bugzilla.redhat.com/show_bug.cgi?id=2011928
+Reviewed-by: Josef Bacik
+Tested-by: Chris Murphy
+Signed-off-by: Nikolay Borisov
+Signed-off-by: David Sterba
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/async-thread.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/fs/btrfs/async-thread.c
++++ b/fs/btrfs/async-thread.c
+@@ -234,6 +234,13 @@ static void run_ordered_work(struct __bt
+ ordered_list);
+ if (!test_bit(WORK_DONE_BIT, &work->flags))
+ break;
++ /*
++ * Orders all subsequent loads after reading WORK_DONE_BIT,
++ * paired with the smp_mb__before_atomic in btrfs_work_helper
++ * this guarantees that the ordered function will see all
++ * updates from ordinary work function.
++ */
++ smp_rmb();
+
+ /*
+ * we are going to call the ordered done function, but
+@@ -317,6 +324,13 @@ static void btrfs_work_helper(struct wor
+ thresh_exec_hook(wq);
+ work->func(work);
+ if (need_order) {
++ /*
++ * Ensures all memory accesses done in the work function are
++ * ordered before setting the WORK_DONE_BIT. Ensuring the thread
++ * which is going to executed the ordered work sees them.
++ * Pairs with the smp_rmb in run_ordered_work.
++ */
++ smp_mb__before_atomic();
+ set_bit(WORK_DONE_BIT, &work->flags);
+ run_ordered_work(wq, work);
+ } else {
diff --git a/queue-5.15/cfg80211-call-cfg80211_stop_ap-when-switch-from-p2p_go-type.patch b/queue-5.15/cfg80211-call-cfg80211_stop_ap-when-switch-from-p2p_go-type.patch
new file mode 100644
index 00000000000..b0e85d5e4b7
--- /dev/null
+++ b/queue-5.15/cfg80211-call-cfg80211_stop_ap-when-switch-from-p2p_go-type.patch
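Review bot: The comment added above `smp_mb__before_atomic()` in btrfs_work_helper contains a sentence fragment with a grammar slip ("Ensuring the thread which is going to executed the ordered work sees them"), and this comment is the in-code record of the barrier pairing. I would write it as `Ensures all memory accesses done in the work function are ordered before setting WORK_DONE_BIT, so that the thread which executes the ordered work sees them.` and keep the final "Pairs with the smp_rmb in run_ordered_work" line as it is. The matching comment in run_ordered_work would also read more clearly with a full stop after "btrfs_work_helper". Both functions start and end outside the inner hunks shown here.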
@@ -0,0 +1,37 @@
+From 563fbefed46ae4c1f70cffb8eb54c02df480b2c2 Mon Sep 17 00:00:00 2001
+From: Nguyen Dinh Phi
+Date: Thu, 28 Oct 2021 01:37:22 +0800
+Subject: cfg80211: call cfg80211_stop_ap when switch from P2P_GO type
+
+From: Nguyen Dinh Phi
+
+commit 563fbefed46ae4c1f70cffb8eb54c02df480b2c2 upstream.
+
+If the userspace tools switch from NL80211_IFTYPE_P2P_GO to
+NL80211_IFTYPE_ADHOC via send_msg(NL80211_CMD_SET_INTERFACE), it
+does not call the cleanup cfg80211_stop_ap(), this leads to the
+initialization of in-use data. For example, this path re-init the
+sdata->assigned_chanctx_list while it is still an element of
+assigned_vifs list, and makes that linked list corrupt.
+
+Signed-off-by: Nguyen Dinh Phi
+Reported-by: syzbot+bbf402b783eeb6d908db@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/r/20211027173722.777287-1-phind.uet@gmail.com
+Cc: stable@vger.kernel.org
+Fixes: ac800140c20e ("cfg80211: .stop_ap when interface is going down")
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/wireless/util.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/wireless/util.c
++++ b/net/wireless/util.c
+@@ -1044,6 +1044,7 @@ int cfg80211_change_iface(struct cfg8021
+
+ switch (otype) {
+ case NL80211_IFTYPE_AP:
++ case NL80211_IFTYPE_P2P_GO:
+ cfg80211_stop_ap(rdev, dev, true);
+ break;
+ case NL80211_IFTYPE_ADHOC:
diff --git a/queue-5.15/drivers-hv-balloon-use-vmbus_ring_size-wrapper-for-dm_ring_size.patch b/queue-5.15/drivers-hv-balloon-use-vmbus_ring_size-wrapper-for-dm_ring_size.patch
new file mode 100644
index 00000000000..c672a5ec34f
--- /dev/null
+++ b/queue-5.15/drivers-hv-balloon-use-vmbus_ring_size-wrapper-for-dm_ring_size.patch
@@ -0,0 +1,45 @@
+From 8a7eb2d476c6823cd44d8c25a6230a52417d7ef8 Mon Sep 17 00:00:00 2001
+From: Boqun Feng
+Date: Mon, 1 Nov 2021 23:00:26 +0800
+Subject: Drivers: hv: balloon: Use VMBUS_RING_SIZE() wrapper for dm_ring_size
+
+From: Boqun Feng
+
+commit 8a7eb2d476c6823cd44d8c25a6230a52417d7ef8 upstream.
+
+Baihua reported an error when boot an ARM64 guest with PAGE_SIZE=64k and
+BALLOON is enabled:
+
+ hv_vmbus: registering driver hv_balloon
+ hv_vmbus: probe failed for device 1eccfd72-4b41-45ef-b73a-4a6e44c12924 (-22)
+
+The cause of this is that the ringbuffer size for hv_balloon is not
+adjusted with VMBUS_RING_SIZE(), which makes the size not large enough
+for ringbuffers on guest with PAGE_SIZE=64k. Therefore use
+VMBUS_RING_SIZE() to calculate the ringbuffer size. Note that the old
+size (20 * 1024) counts a 4k header in the total size, while
+VMBUS_RING_SIZE() expects the parameter as the payload size, so use
+16 * 1024.
+
+Cc: # 5.15.x
+Reported-by: Baihua Lu
+Signed-off-by: Boqun Feng
+Tested-by: Vitaly Kuznetsov
+Link: https://lore.kernel.org/r/20211101150026.736124-1-boqun.feng@gmail.com
+Signed-off-by: Wei Liu
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/hv/hv_balloon.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hv/hv_balloon.c
++++ b/drivers/hv/hv_balloon.c
+@@ -480,7 +480,7 @@ module_param(pressure_report_delay, uint
+ MODULE_PARM_DESC(pressure_report_delay, "Delay in secs in reporting pressure");
+ static atomic_t trans_id = ATOMIC_INIT(0);
+
+-static int dm_ring_size = 20 * 1024;
++static int dm_ring_size = VMBUS_RING_SIZE(16 * 1024);
+
+ /*
+ * Driver specific state.
diff --git a/queue-5.15/drm-amd-display-limit-max-dsc-target-bpp-for-specific-monitors.patch b/queue-5.15/drm-amd-display-limit-max-dsc-target-bpp-for-specific-monitors.patch
new file mode 100644
index 00000000000..33c1bc2f3c6
--- /dev/null
+++ b/queue-5.15/drm-amd-display-limit-max-dsc-target-bpp-for-specific-monitors.patch
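Review bot: The new initializer `VMBUS_RING_SIZE(16 * 1024)` has no comment saying that the argument is the payload size only, although the commit message explains that the old `20 * 1024` counted a 4k header in the total. A one-line comment above `dm_ring_size`, for example `/* payload size only; VMBUS_RING_SIZE() accounts for the ring header */`, would stop a later edit from putting the header back into the argument. The variable is also still a plain `static int`; if nothing outside this hunk writes to it, `static const` would document that it is fixed at build time.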
@@ -0,0 +1,78 @@
+From 55eea8ef98641f6e1e1c202bd3a49a57c1dd4059 Mon Sep 17 00:00:00 2001
+From: Roman Li
+Date: Fri, 30 Jul 2021 18:30:41 -0400
+Subject: drm/amd/display: Limit max DSC target bpp for specific monitors
+
+From: Roman Li
+
+commit 55eea8ef98641f6e1e1c202bd3a49a57c1dd4059 upstream.
+
+[Why]
+Some monitors exhibit corruption at 16bpp DSC.
+
+[How]
+- Add helpers for patching edid caps.
+- Use it for limiting DSC target bitrate to 15bpp for known monitors
+
+Reviewed-by: Rodrigo Siqueira
+Acked-by: Qingqing Zhuo
+Signed-off-by: Roman Li
+Cc: stable@vger.kernel.org
+Tested-by: Daniel Wheeler
+Signed-off-by: Alex Deucher
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_helpers.c | 35 ++++++++++++++
+ 1 file changed, 35 insertions(+)
+
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_helpers.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_helpers.c
+@@ -40,6 +40,39 @@
+
+ #include "dm_helpers.h"
+
++struct monitor_patch_info {
++ unsigned int manufacturer_id;
++ unsigned int product_id;
++ void (*patch_func)(struct dc_edid_caps *edid_caps, unsigned int param);
++ unsigned int patch_param;
++};
++static void set_max_dsc_bpp_limit(struct dc_edid_caps *edid_caps, unsigned int param);
++
++static const struct monitor_patch_info monitor_patch_table[] = {
++{0x6D1E, 0x5BBF, set_max_dsc_bpp_limit, 15},
++{0x6D1E, 0x5B9A, set_max_dsc_bpp_limit, 15},
++};
++
++static void set_max_dsc_bpp_limit(struct dc_edid_caps *edid_caps, unsigned int param)
++{
++ if (edid_caps)
++ edid_caps->panel_patch.max_dsc_target_bpp_limit = param;
++}
++
++static int amdgpu_dm_patch_edid_caps(struct dc_edid_caps *edid_caps)
++{
++ int i, ret = 0;
++
++ for (i = 0; i < ARRAY_SIZE(monitor_patch_table); i++)
++ if ((edid_caps->manufacturer_id == monitor_patch_table[i].manufacturer_id)
++ && (edid_caps->product_id == monitor_patch_table[i].product_id)) {
++ monitor_patch_table[i].patch_func(edid_caps,
monitor_patch_table[i].patch_param);
++ ret++;
++ }
++
++ return ret;
++}
++
+ /* dm_helpers_parse_edid_caps
+ *
+ * Parse edid caps
+@@ -125,6 +158,8 @@ enum dc_edid_status dm_helpers_parse_edi
+ kfree(sads);
+ kfree(sadb);
+
++ amdgpu_dm_patch_edid_caps(edid_caps);
++
+ return result;
+ }
+
diff --git a/queue-5.15/drm-amd-display-update-swizzle-mode-enums.patch b/queue-5.15/drm-amd-display-update-swizzle-mode-enums.patch
new file mode 100644
index 00000000000..68cdbb55d14
--- /dev/null
+++ b/queue-5.15/drm-amd-display-update-swizzle-mode-enums.patch
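Review bot: `amdgpu_dm_patch_edid_caps()` dereferences `edid_caps->manufacturer_id` unconditionally, while the callback it invokes, `set_max_dsc_bpp_limit()`, guards the same pointer with `if (edid_caps)`, so one of the two is either unsafe or redundant. Whether the caller can pass NULL is not visible, because dm_helpers_parse_edid_caps starts outside the hunk; if it cannot, drop the check in the callback, otherwise add `if (!edid_caps) return 0;` at the top of the lookup. The loop index is `int i` compared against `ARRAY_SIZE()`, which is unsigned, so `unsigned int i` avoids a sign-compare warning. The two table rows would also benefit from a comment naming the panels behind `0x6D1E, 0x5BBF` and `0x6D1E, 0x5B9A`, since the ids alone give a maintainer nothing to check against.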
@@ -0,0 +1,58 @@
+From 58065a1e524de30df9a2d8214661d5d7eed0a2d9 Mon Sep 17 00:00:00 2001
+From: Alvin Lee
+Date: Fri, 30 Jul 2021 16:55:06 -0400
+Subject: drm/amd/display: Update swizzle mode enums
+
+From: Alvin Lee
+
+commit 58065a1e524de30df9a2d8214661d5d7eed0a2d9 upstream.
+
+[Why]
+Swizzle mode enum for DC_SW_VAR_R_X was existing,
+but not mapped correctly.
+
+[How]
+Update mapping and conversion for DC_SW_VAR_R_X.
+
+Reviewed-by: XiangBing Foo
+Reviewed-by: Martin Leung
+Acked-by: Qingqing Zhuo
+Signed-off-by: Alvin Lee
+Cc: stable@vger.kernel.org
+Tested-by: Daniel Wheeler
+Signed-off-by: Alex Deucher
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c | 4 +++-
+ drivers/gpu/drm/amd/display/dc/dml/display_mode_enums.h | 4 ++--
+ 2 files changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c
++++ b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c
+@@ -1854,7 +1854,9 @@ static void swizzle_to_dml_params(
+ case DC_SW_VAR_D_X:
+ *sw_mode = dm_sw_var_d_x;
+ break;
+-
++ case DC_SW_VAR_R_X:
++ *sw_mode = dm_sw_var_r_x;
++ break;
+ default:
+ ASSERT(0); /* Not supported */
+ break;
+--- a/drivers/gpu/drm/amd/display/dc/dml/display_mode_enums.h
++++ b/drivers/gpu/drm/amd/display/dc/dml/display_mode_enums.h
+@@ -80,11 +80,11 @@ enum dm_swizzle_mode {
+ dm_sw_SPARE_13 = 24,
+ dm_sw_64kb_s_x = 25,
+ dm_sw_64kb_d_x = 26,
+- dm_sw_SPARE_14 = 27,
++ dm_sw_64kb_r_x = 27,
+ dm_sw_SPARE_15 = 28,
+ dm_sw_var_s_x = 29,
+ dm_sw_var_d_x = 30,
+- dm_sw_64kb_r_x,
++ dm_sw_var_r_x = 31,
+ dm_sw_gfx7_2d_thin_l_vp,
+ dm_sw_gfx7_2d_thin_gl,
+ };
diff --git a/queue-5.15/fs-handle-circular-mappings-correctly.patch b/queue-5.15/fs-handle-circular-mappings-correctly.patch
new file mode 100644
index 00000000000..9efbaa1f22e
--- /dev/null
+++ b/queue-5.15/fs-handle-circular-mappings-correctly.patch
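Review bot: In `enum dm_swizzle_mode`, `dm_sw_64kb_r_x` moves from an implicit 31 to an explicit 27, so any lookup table or range comparison that depends on its numeric value changes meaning with this hunk. No such user is visible here, so this is something to grep for rather than a known defect. The two trailing enumerators `dm_sw_gfx7_2d_thin_l_vp` and `dm_sw_gfx7_2d_thin_gl` remain implicit and keep 32 and 33 only because `dm_sw_var_r_x = 31` sits exactly where the implicit entry was; writing `= 32` and `= 33` explicitly would protect them from the next insertion. In swizzle_to_dml_params the blank line that separated the last case from `default:` is dropped, which is harmless but inconsistent if the earlier cases (outside the hunk) are separated.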
@@ -0,0 +1,87 @@
+From 968219708108440b23bc292e0486e3cc1d9a1bed Mon Sep 17 00:00:00 2001
+From: Christian Brauner
+Date: Tue, 9 Nov 2021 15:57:12 +0100
+Subject: fs: handle circular mappings correctly
+
+From: Christian Brauner
+
+commit 968219708108440b23bc292e0486e3cc1d9a1bed upstream.
+
+When calling setattr_prepare() to determine the validity of the attributes the
+ia_{g,u}id fields contain the value that will be written to inode->i_{g,u}id.
+When the {g,u}id attribute of the file isn't altered and the caller's fs{g,u}id
+matches the current {g,u}id attribute the attribute change is allowed.
+
+The value in ia_{g,u}id does already account for idmapped mounts and will have
+taken the relevant idmapping into account. So in order to verify that the
+{g,u}id attribute isn't changed we simple need to compare the ia_{g,u}id value
+against the inode's i_{g,u}id value.
+
+This only has any meaning for idmapped mounts as idmapping helpers are
+idempotent without them. And for idmapped mounts this really only has a meaning
+when circular idmappings are used, i.e. mappings where e.g. id 1000 is mapped
+to id 1001 and id 1001 is mapped to id 1000. Such ciruclar mappings can e.g. be
+useful when sharing the same home directory between multiple users at the same
+time.
+
+As an example consider a directory with two files: /source/file1 owned by
+{g,u}id 1000 and /source/file2 owned by {g,u}id 1001. Assume we create an
+idmapped mount at /target with an idmapping that maps files owned by {g,u}id
+1000 to being owned by {g,u}id 1001 and files owned by {g,u}id 1001 to being
+owned by {g,u}id 1000. In effect, the idmapped mount at /target switches the
+ownership of /source/file1 and source/file2, i.e. /target/file1 will be owned
+by {g,u}id 1001 and /target/file2 will be owned by {g,u}id 1000.
+
+This means that a user with fs{g,u}id 1000 must be allowed to setattr
+/target/file2 from {g,u}id 1000 to {g,u}id 1000.
Similar, a user with fs{g,u}id
+1001 must be allowed to setattr /target/file1 from {g,u}id 1001 to {g,u}id
+1001. Conversely, a user with fs{g,u}id 1000 must fail to setattr /target/file1
+from {g,u}id 1001 to {g,u}id 1000. And a user with fs{g,u}id 1001 must fail to
+setattr /target/file2 from {g,u}id 1000 to {g,u}id 1000. Both cases must fail
+with EPERM for non-capable callers.
+
+Before this patch we could end up denying legitimate attribute changes and
+allowing invalid attribute changes when circular mappings are used. To even get
+into this situation the caller must've been privileged both to create that
+mapping and to create that idmapped mount.
+
+This hasn't been seen in the wild anywhere but came up when expanding the
+testsuite during work on a series of hardening patches. All idmapped fstests
+pass without any regressions and we add new tests to verify the behavior of
+circular mappings.
+
+Link: https://lore.kernel.org/r/20211109145713.1868404-1-brauner@kernel.org
+Fixes: 2f221d6f7b88 ("attr: handle idmapped mounts")
+Cc: Seth Forshee
+Cc: Christoph Hellwig
+Cc: Al Viro
+Cc: stable@vger.kernel.org
+CC: linux-fsdevel@vger.kernel.org
+Reviewed-by: Christoph Hellwig
+Acked-by: Seth Forshee
+Signed-off-by: Christian Brauner
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/attr.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/attr.c
++++ b/fs/attr.c
+@@ -35,7 +35,7 @@ static bool chown_ok(struct user_namespa
+ kuid_t uid)
+ {
+ kuid_t kuid = i_uid_into_mnt(mnt_userns, inode);
+- if (uid_eq(current_fsuid(), kuid) && uid_eq(uid, kuid))
++ if (uid_eq(current_fsuid(), kuid) && uid_eq(uid, inode->i_uid))
+ return true;
+ if (capable_wrt_inode_uidgid(mnt_userns, inode, CAP_CHOWN))
+ return true;
+@@ -62,7 +62,7 @@ static bool chgrp_ok(struct user_namespa
+ {
+ kgid_t kgid = i_gid_into_mnt(mnt_userns, inode);
+ if (uid_eq(current_fsuid(), i_uid_into_mnt(mnt_userns, inode)) &&
+- (in_group_p(gid) || gid_eq(gid, kgid)))
++ (in_group_p(gid) ||
gid_eq(gid, inode->i_gid)))
+ return true;
+ if (capable_wrt_inode_uidgid(mnt_userns, inode, CAP_CHOWN))
+ return true;
diff --git a/queue-5.15/mac80211-drop-check-for-dont_reorder-in-__ieee80211_select_queue.patch b/queue-5.15/mac80211-drop-check-for-dont_reorder-in-__ieee80211_select_queue.patch
new file mode 100644
index 00000000000..02e2511b209
--- /dev/null
+++ b/queue-5.15/mac80211-drop-check-for-dont_reorder-in-__ieee80211_select_queue.patch
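Review bot: In chgrp_ok, `in_group_p(gid)` on the changed line still tests the caller's group membership with the same `gid` that the new `gid_eq(gid, inode->i_gid)` treats as the filesystem-side value to be written to the inode. The commit message says ia_{g,u}id already has the idmapping applied, so on an idmapped mount the membership test may be comparing ids from two different mappings; this cannot be confirmed from the hunk, and the function continues past it, but it deserves a test next to the new circular-mapping tests. Separately, both helpers now compare the caller against the mapped owner and the requested id against the raw `inode->i_uid` / `inode->i_gid` in a single expression, which reads like a mistake to anyone who has not seen the commit message. A short comment such as `/* uid is the value that will be stored, so compare it with the stored owner */` in chown_ok, and the gid equivalent in chgrp_ok, would record why the two halves use different id spaces.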
@@ -0,0 +1,46 @@
+From f6ab25d41b18f3d26883cb9c20875e1a85c4f05b Mon Sep 17 00:00:00 2001
+From: Felix Fietkau
+Date: Wed, 10 Nov 2021 22:22:01 +0100
+Subject: mac80211: drop check for DONT_REORDER in __ieee80211_select_queue
+
+From: Felix Fietkau
+
+commit f6ab25d41b18f3d26883cb9c20875e1a85c4f05b upstream.
+
+When __ieee80211_select_queue is called, skb->cb has not been cleared yet,
+which means that info->control.flags can contain garbage.
+In some cases this leads to IEEE80211_TX_CTRL_DONT_REORDER being set, causing
+packets marked for other queues to randomly end up in BE instead.
+
+This flag only needs to be checked in ieee80211_select_queue_80211, since
+the radiotap parser is the only piece of code that sets it
+
+Fixes: 66d06c84730c ("mac80211: adhere to Tx control flag that prevents frame reordering")
+Cc: stable@vger.kernel.org
+Signed-off-by: Felix Fietkau
+Link: https://lore.kernel.org/r/20211110212201.35452-1-nbd@nbd.name
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/mac80211/wme.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/net/mac80211/wme.c
++++ b/net/mac80211/wme.c
+@@ -143,7 +143,6 @@ u16 ieee80211_select_queue_80211(struct
+ u16 __ieee80211_select_queue(struct ieee80211_sub_if_data *sdata,
+ struct sta_info *sta, struct sk_buff *skb)
+ {
+- struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
+ struct mac80211_qos_map *qos_map;
+ bool qos;
+
+@@ -156,7 +155,7 @@ u16 __ieee80211_select_queue(struct ieee
+ else
+ qos = false;
+
+- if (!qos || (info->control.flags & IEEE80211_TX_CTRL_DONT_REORDER)) {
++ if (!qos) {
+ skb->priority = 0; /* required for correct WPA/11i MIC */
+ return IEEE80211_AC_BE;
+ }
diff --git a/queue-5.15/mac80211-fix-radiotap-header-generation.patch b/queue-5.15/mac80211-fix-radiotap-header-generation.patch
new file mode 100644
index 00000000000..0c3f0b039da
--- /dev/null
+++ b/queue-5.15/mac80211-fix-radiotap-header-generation.patch
@@ -0,0 +1,57 @@
+From c033a38a81bc539d6c0db8c5387e0b14d819a0cf Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Tue, 9 Nov 2021 10:02:04 +0100
+Subject: mac80211: fix radiotap header generation
+
+From: Johannes Berg
+
+commit c033a38a81bc539d6c0db8c5387e0b14d819a0cf upstream.
+
+In commit 8c89f7b3d3f2 ("mac80211: Use flex-array for radiotap header
+bitmap") we accidentally pointed the position to the wrong place, so
+we overwrite a present bitmap, and thus cause all kinds of trouble.
+
+To see the issue, note that the previous code read:
+
+ pos = (void *)(it_present + 1);
+
+The requirement now is that we need to calculate pos via it_optional,
+to not trigger the compiler hardening checks, as:
+
+ pos = (void *)&rthdr->it_optional[...];
+
+Rewriting the original expression, we get (obviously, since that just
+adds "+ x - x" terms):
+
+ pos = (void *)(it_present + 1 + rthdr->it_optional - rthdr->it_optional)
+
+and moving the "+ rthdr->it_optional" outside to be used as an array:
+
+ pos = (void *)&rthdr->it_optional[it_present + 1 - rthdr->it_optional];
+
+The original is off by one, fix it.
+
+Cc: stable@vger.kernel.org
+Fixes: 8c89f7b3d3f2 ("mac80211: Use flex-array for radiotap header bitmap")
+Reported-by: Sid Hayn
+Signed-off-by: Johannes Berg
+Tested-by: Sid Hayn
+Reviewed-by: Kees Cook
+Link: https://lore.kernel.org/r/20211109100203.c61007433ed6.I1dade57aba7de9c4f48d68249adbae62636fd98c@changeid
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/mac80211/rx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -364,7 +364,7 @@ ieee80211_add_rx_radiotap_header(struct
+ * the compiler to think we have walked past the end of the
+ * struct member.
+ */
+- pos = (void *)&rthdr->it_optional[it_present - rthdr->it_optional];
++ pos = (void *)&rthdr->it_optional[it_present + 1 - rthdr->it_optional];
+
+ /* the order of the following fields is important */
+
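Review bot: The index `it_present + 1 - rthdr->it_optional` gives no hint of what the `+ 1` skips, and the off-by-one this commit fixes shows how easily that expression is misread. The existing comment above it (it begins outside the hunk) explains why `it_optional[]` is used but not where the field data starts. I would add one line such as `/* field data starts at the word after it_present */` and, if the maintainers agree, name the index first: `size_t first = it_present + 1 - rthdr->it_optional;` followed by `pos = (void *)&rthdr->it_optional[first];`. The commit message states that the old value made the writer overwrite a present bitmap, so a cheap debug assertion that `pos` lies beyond `it_present` would catch a regression here early.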
diff --git a/queue-5.15/net-stmmac-fix-signed-unsigned-wreckage.patch b/queue-5.15/net-stmmac-fix-signed-unsigned-wreckage.patch
new file mode 100644
index 00000000000..0b64b6f573f
--- /dev/null
+++ b/queue-5.15/net-stmmac-fix-signed-unsigned-wreckage.patch
@@ -0,0 +1,116 @@
+From 3751c3d34cd5a750c86d1c8eaf217d8faf7f9325 Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner
+Date: Mon, 15 Nov 2021 16:21:23 +0100
+Subject: net: stmmac: Fix signed/unsigned wreckage
+
+From: Thomas Gleixner
+
+commit 3751c3d34cd5a750c86d1c8eaf217d8faf7f9325 upstream.
+
+The recent addition of timestamp correction to compensate the CDC error
+introduced a subtle signed/unsigned bug in stmmac_get_tx_hwtstamp() while
+it managed for some obscure reason to avoid that in stmmac_get_rx_hwtstamp().
+
+The issue is:
+
+ s64 adjust = 0;
+ u64 ns;
+
+ adjust += -(2 * (NSEC_PER_SEC / priv->plat->clk_ptp_rate));
+ ns += adjust;
+
+works by chance on 64bit, but falls apart on 32bit because the compiler
+knows that adjust fits into 32bit and then treats the addition as a u64 +
+u32 resulting in an off by ~2 seconds failure.
+
+The RX variant uses an u64 for adjust and does the adjustment via
+
+ ns -= adjust;
+
+because consistency is obviously overrated.
+
+Get rid of the pointless zero initialized adjust variable and do:
+
+ ns -= (2 * NSEC_PER_SEC) / priv->plat->clk_ptp_rate;
+
+which is obviously correct and spares the adjust obfuscation. Aside of that
+it yields a more accurate result because the multiplication takes place
+before the integer divide truncation and not afterwards.
+
+Stick the calculation into an inline so it can't be accidentally
+disimproved. Return an u32 from that inline as the result is guaranteed
+to fit which lets the compiler optimize the substraction.
+
+Cc: stable@vger.kernel.org
+Fixes: 3600be5f58c1 ("net: stmmac: add timestamp correction to rid CDC sync error")
+Reported-by: Benedikt Spranger
+Signed-off-by: Thomas Gleixner
+Tested-by: Benedikt Spranger
+Tested-by: Kurt Kanzenbach # Intel EHL
+Link: https://lore.kernel.org/r/87mtm578cs.ffs@tglx
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 23 +++++++++-------------
+ 1 file changed, 10 insertions(+), 13 deletions(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -511,6 +511,14 @@ bool stmmac_eee_init(struct stmmac_priv
+ return true;
+ }
+
++static inline u32 stmmac_cdc_adjust(struct stmmac_priv *priv)
++{
++ /* Correct the clk domain crossing(CDC) error */
++ if (priv->plat->has_gmac4 && priv->plat->clk_ptp_rate)
++ return (2 * NSEC_PER_SEC) / priv->plat->clk_ptp_rate;
++ return 0;
++}
++
+ /* stmmac_get_tx_hwtstamp - get HW TX timestamps
+ * @priv: driver private structure
+ * @p : descriptor pointer
+@@ -524,7 +532,6 @@ static void stmmac_get_tx_hwtstamp(struc
+ {
+ struct skb_shared_hwtstamps shhwtstamp;
+ bool found = false;
+- s64 adjust = 0;
+ u64 ns = 0;
+
+ if (!priv->hwts_tx_en)
+@@ -543,12 +550,7 @@ static void stmmac_get_tx_hwtstamp(struc
+ }
+
+ if (found) {
+- /* Correct the clk domain crossing(CDC) error */
+- if (priv->plat->has_gmac4 && priv->plat->clk_ptp_rate) {
+- adjust += -(2 * (NSEC_PER_SEC /
+- priv->plat->clk_ptp_rate));
+- ns += adjust;
+- }
++ ns -= stmmac_cdc_adjust(priv);
+
+ memset(&shhwtstamp, 0, sizeof(struct skb_shared_hwtstamps));
+ shhwtstamp.hwtstamp = ns_to_ktime(ns);
+@@ -573,7 +575,6 @@ static void stmmac_get_rx_hwtstamp(struc
+ {
+ struct skb_shared_hwtstamps *shhwtstamp = NULL;
+ struct dma_desc *desc = p;
+- u64 adjust = 0;
+ u64 ns = 0;
+
+ if (!priv->hwts_rx_en)
+@@ -586,11 +587,7 @@ static void stmmac_get_rx_hwtstamp(struc
+ if (stmmac_get_rx_timestamp_status(priv,
p, np, priv->adv_ts)) {
+ stmmac_get_timestamp(priv, desc, priv->adv_ts, &ns);
+
+- /* Correct the clk domain crossing(CDC) error */
+- if (priv->plat->has_gmac4 && priv->plat->clk_ptp_rate) {
+- adjust += 2 * (NSEC_PER_SEC / priv->plat->clk_ptp_rate);
+- ns -= adjust;
+- }
++ ns -= stmmac_cdc_adjust(priv);
+
+ netdev_dbg(priv->dev, "get valid RX hw timestamp %llu\n", ns);
+ shhwtstamp = skb_hwtstamps(skb);
diff --git a/queue-5.15/parisc-sticon-fix-reverse-colors.patch b/queue-5.15/parisc-sticon-fix-reverse-colors.patch
new file mode 100644
index 00000000000..e0be8987dfb
--- /dev/null
+++ b/queue-5.15/parisc-sticon-fix-reverse-colors.patch
@@ -0,0 +1,45 @@
+From bec05f33ebc1006899c6d3e59a00c58881fe7626 Mon Sep 17 00:00:00 2001
+From: Sven Schnelle
+Date: Sun, 14 Nov 2021 17:08:17 +0100
+Subject: parisc/sticon: fix reverse colors
+
+From: Sven Schnelle
+
+commit bec05f33ebc1006899c6d3e59a00c58881fe7626 upstream.
+
+sticon_build_attr() checked the reverse argument and flipped
+background and foreground color, but returned the non-reverse
+value afterwards. Fix this and also add two local variables
+for foreground and background color to make the code easier
+to read.
+
+Signed-off-by: Sven Schnelle
+Cc:
+Signed-off-by: Helge Deller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/video/console/sticon.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/video/console/sticon.c
++++ b/drivers/video/console/sticon.c
+@@ -332,13 +332,13 @@ static u8 sticon_build_attr(struct vc_da
+ bool blink, bool underline, bool reverse,
+ bool italic)
+ {
+- u8 attr = ((color & 0x70) >> 1) | ((color & 7));
++ u8 fg = color & 7;
++ u8 bg = (color & 0x70) >> 4;
+
+- if (reverse) {
+- color = ((color >> 3) & 0x7) | ((color & 0x7) << 3);
+- }
+-
+- return attr;
++ if (reverse)
++ return (fg << 3) | bg;
++ else
++ return (bg << 3) | fg;
+ }
+
+ static void sticon_invert_region(struct vc_data *conp, u16 *p, int count)
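Review bot: `stmmac_cdc_adjust()` takes a non-const `struct stmmac_priv *` although it only reads `priv->plat`, so the signature could be `static inline u32 stmmac_cdc_adjust(const struct stmmac_priv *priv)`. Its one comment repeats the old wording and does not record the two properties the commit message relies on, that the multiply must come before the divide and that the result fits in a u32. Something like `/* multiply first for accuracy; 2 * NSEC_PER_SEC still fits a 32-bit long, do not widen or reorder */` would keep the next edit from undoing the fix. Both callers do `ns -= stmmac_cdc_adjust(priv)` on a `u64`, so a raw timestamp smaller than the correction would wrap; that looks unchanged from the old code and is probably unreachable with real hardware time, but it is worth a note. The two timestamp functions start and end outside the inner hunks.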
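Review bot: In sticon_build_attr the new body uses `else` after a `return`, and the masks and shifts (`& 7`, `& 0x70`, `>> 4`, `<< 3`) are bare numbers with no statement of the attribute layout they produce. A single `return reverse ? (fg << 3) | bg : (bg << 3) | fg;` avoids the redundant `else`, and a comment such as `/* result: bits 3-5 background, bits 0-2 foreground */` would make the swap checkable at a glance. The old code shifted the background by 1 from mask 0x70 and the new code shifts right by 4 then left by 3, which is the same placement, so the non-reverse value is unchanged. The signature begins outside the hunk.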
diff --git a/queue-5.15/series b/queue-5.15/series
index 7377c9f57f9..827545637d4 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -229,3 +229,13 @@ printk-restore-flushing-of-nmi-buffers-on-remote-cpus-after-nmi-backtraces.patch
 udf-fix-crash-after-seekdir.patch
 spi-fix-use-after-free-of-the-add_lock-mutex.patch
 net-stmmac-socfpga-add-runtime-suspend-resume-callback-for-stratix10-platform.patch
+drivers-hv-balloon-use-vmbus_ring_size-wrapper-for-dm_ring_size.patch
+btrfs-fix-memory-ordering-between-normal-and-ordered-work-functions.patch
+fs-handle-circular-mappings-correctly.patch
+net-stmmac-fix-signed-unsigned-wreckage.patch
+parisc-sticon-fix-reverse-colors.patch
+cfg80211-call-cfg80211_stop_ap-when-switch-from-p2p_go-type.patch
+mac80211-fix-radiotap-header-generation.patch
+mac80211-drop-check-for-dont_reorder-in-__ieee80211_select_queue.patch
+drm-amd-display-update-swizzle-mode-enums.patch
+drm-amd-display-limit-max-dsc-target-bpp-for-specific-monitors.patch