From: Sasha Levin
Date: Mon, 27 Sep 2021 05:02:48 +0000 (-0400)
Subject: Fixes for 4.14
X-Git-Tag: v5.4.150~25
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=124452f688afc83779d3c99f7d8a87fa7dfb99b8;p=thirdparty%2Fkernel%2Fstable-queue.git
Fixes for 4.14
Signed-off-by: Sasha Levin
---
diff --git a/queue-4.14/alpha-declare-virt_to_phys-and-virt_to_bus-parameter.patch b/queue-4.14/alpha-declare-virt_to_phys-and-virt_to_bus-parameter.patch
new file mode 100644
index 00000000000..c310bdd1dcc
--- /dev/null
+++ b/queue-4.14/alpha-declare-virt_to_phys-and-virt_to_bus-parameter.patch
@@ -0,0 +1,69 @@
+From a0bebe2b2d06195878043e2dc1a32648c00f3d44 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 8 Sep 2021 22:00:33 -0700
+Subject: alpha: Declare virt_to_phys and virt_to_bus parameter as pointer to
+ volatile
+
+From: Guenter Roeck
+
+[ Upstream commit 35a3f4ef0ab543daa1725b0c963eb8c05e3376f8 ]
+
+Some drivers pass a pointer to volatile data to virt_to_bus() and
+virt_to_phys(), and that works fine. One exception is alpha. This
+results in a number of compile errors such as
+
+ drivers/net/wan/lmc/lmc_main.c: In function 'lmc_softreset':
+ drivers/net/wan/lmc/lmc_main.c:1782:50: error:
+ passing argument 1 of 'virt_to_bus' discards 'volatile'
+ qualifier from pointer target type
+
+ drivers/atm/ambassador.c: In function 'do_loader_command':
+ drivers/atm/ambassador.c:1747:58: error:
+ passing argument 1 of 'virt_to_bus' discards 'volatile'
+ qualifier from pointer target type
+
+Declare the parameter of virt_to_phys and virt_to_bus as pointer to
+volatile to fix the problem.
+
+Signed-off-by: Guenter Roeck
+Acked-by: Arnd Bergmann
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ arch/alpha/include/asm/io.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/alpha/include/asm/io.h b/arch/alpha/include/asm/io.h
+index 9995bed6e92e..204c4fb69ee1 100644
+--- a/arch/alpha/include/asm/io.h
++++ b/arch/alpha/include/asm/io.h
+@@ -61,7 +61,7 @@ extern inline void set_hae(unsigned long new_hae)
+ * Change virtual addresses to physical addresses and vv.
+ */
+ #ifdef USE_48_BIT_KSEG
+-static inline unsigned long virt_to_phys(void *address)
++static inline unsigned long virt_to_phys(volatile void *address)
+ {
+ return (unsigned long)address - IDENT_ADDR;
+ }
+@@ -71,7 +71,7 @@ static inline void * phys_to_virt(unsigned long address)
+ return (void *) (address + IDENT_ADDR);
+ }
+ #else
+-static inline unsigned long virt_to_phys(void *address)
++static inline unsigned long virt_to_phys(volatile void *address)
+ {
+ unsigned long phys = (unsigned long)address;
+
+@@ -112,7 +112,7 @@ static inline dma_addr_t __deprecated isa_page_to_bus(struct page *page)
+ extern unsigned long __direct_map_base;
+ extern unsigned long __direct_map_size;
+
+-static inline unsigned long __deprecated virt_to_bus(void *address)
++static inline unsigned long __deprecated virt_to_bus(volatile void *address)
+ {
+ unsigned long phys = virt_to_phys(address);
+ unsigned long bus = phys + __direct_map_base;
+--
+2.33.0
+
diff --git a/queue-4.14/arm64-mark-__stack_chk_guard-as-__ro_after_init.patch b/queue-4.14/arm64-mark-__stack_chk_guard-as-__ro_after_init.patch
new file mode 100644
index 00000000000..ed132034eb4
--- /dev/null
+++ b/queue-4.14/arm64-mark-__stack_chk_guard-as-__ro_after_init.patch
@@ -0,0 +1,42 @@
+From 0dbe9d901f77ac037bf4abe224ad196c076a688a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 14 Sep 2021 17:44:02 +0800
+Subject: arm64: Mark __stack_chk_guard as __ro_after_init
+
+From: Dan Li
+
+[ Upstream commit 9fcb2e93f41c07a400885325e7dbdfceba6efaec ]
+
+__stack_chk_guard is setup once while init stage and never changed
+after that.
+
+Although the modification of this variable at runtime will usually
+cause the kernel to crash (so does the attacker), it should be marked
+as __ro_after_init, and it should not affect performance if it is
+placed in the ro_after_init section.
+
+Signed-off-by: Dan Li
+Acked-by: Mark Rutland
+Link: https://lore.kernel.org/r/1631612642-102881-1-git-send-email-ashimida@linux.alibaba.com
+Signed-off-by: Catalin Marinas
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/kernel/process.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/kernel/process.c b/arch/arm64/kernel/process.c
+index 2ff327651ebe..dac14125f8a2 100644
+--- a/arch/arm64/kernel/process.c
++++ b/arch/arm64/kernel/process.c
+@@ -61,7 +61,7 @@
+
+ #ifdef CONFIG_CC_STACKPROTECTOR
+ #include
+-unsigned long __stack_chk_guard __read_mostly;
++unsigned long __stack_chk_guard __ro_after_init;
+ EXPORT_SYMBOL(__stack_chk_guard);
+ #endif
+
+--
+2.33.0
+
diff --git a/queue-4.14/blktrace-fix-uaf-in-blk_trace-access-after-removing-.patch b/queue-4.14/blktrace-fix-uaf-in-blk_trace-access-after-removing-.patch
new file mode 100644
index 00000000000..270d31e9a2a
--- /dev/null
+++ b/queue-4.14/blktrace-fix-uaf-in-blk_trace-access-after-removing-.patch
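Review bot: Nothing next to the new definition of `__stack_chk_guard` in arch/arm64/kernel/process.c records why it may live in the ro_after_init section, and the hunk shows only the definition, not the code that writes it. The change is safe only if every store to the guard happens before init memory is sealed; the commit message says it is set once during init, which should be confirmed against the 4.14 tree this is queued for rather than assumed from upstream. A one-line comment above the definition, such as `/* Written once during early boot; read-only after init. */`, would keep a later writer from being added without anyone noticing the constraint.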
@@ -0,0 +1,93 @@
+From a693a79a393b9915ad8119f4437b372d6aa735c0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 23 Sep 2021 21:49:21 +0800
+Subject: blktrace: Fix uaf in blk_trace access after removing by sysfs
+
+From: Zhihao Cheng
+
+[ Upstream commit 5afedf670caf30a2b5a52da96eb7eac7dee6a9c9 ]
+
+There is an use-after-free problem triggered by following process:
+
+ P1(sda) P2(sdb)
+ echo 0 > /sys/block/sdb/trace/enable
+ blk_trace_remove_queue
+ synchronize_rcu
+ blk_trace_free
+ relay_close
+rcu_read_lock
+__blk_add_trace
+ trace_note_tsk
+ (Iterate running_trace_list)
+ relay_close_buf
+ relay_destroy_buf
+ kfree(buf)
+ trace_note(sdb's bt)
+ relay_reserve
+ buf->offset <- nullptr deference (use-after-free) !!!
+rcu_read_unlock
+
+[ 502.714379] BUG: kernel NULL pointer dereference, address:
+0000000000000010
+[ 502.715260] #PF: supervisor read access in kernel mode
+[ 502.715903] #PF: error_code(0x0000) - not-present page
+[ 502.716546] PGD 103984067 P4D 103984067 PUD 17592b067 PMD 0
+[ 502.717252] Oops: 0000 [#1] SMP
+[ 502.720308] RIP: 0010:trace_note.isra.0+0x86/0x360
+[ 502.732872] Call Trace:
+[ 502.733193] __blk_add_trace.cold+0x137/0x1a3
+[ 502.733734] blk_add_trace_rq+0x7b/0xd0
+[ 502.734207] blk_add_trace_rq_issue+0x54/0xa0
+[ 502.734755] blk_mq_start_request+0xde/0x1b0
+[ 502.735287] scsi_queue_rq+0x528/0x1140
+...
+[ 502.742704] sg_new_write.isra.0+0x16e/0x3e0
+[ 502.747501] sg_ioctl+0x466/0x1100
+
+Reproduce method:
+ ioctl(/dev/sda, BLKTRACESETUP, blk_user_trace_setup[buf_size=127])
+ ioctl(/dev/sda, BLKTRACESTART)
+ ioctl(/dev/sdb, BLKTRACESETUP, blk_user_trace_setup[buf_size=127])
+ ioctl(/dev/sdb, BLKTRACESTART)
+
+ echo 0 > /sys/block/sdb/trace/enable &
+ // Add delay(mdelay/msleep) before kernel enters blk_trace_free()
+
+ ioctl$SG_IO(/dev/sda, SG_IO, ...)
+ // Enters trace_note_tsk() after blk_trace_free() returned
+ // Use mdelay in rcu region rather than msleep(which may schedule out)
+
+Remove blk_trace from running_list before calling blk_trace_free() by
+sysfs if blk_trace is at Blktrace_running state.
+
+Fixes: c71a896154119f ("blktrace: add ftrace plugin")
+Signed-off-by: Zhihao Cheng
+Link: https://lore.kernel.org/r/20210923134921.109194-1-chengzhihao1@huawei.com
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+---
+ kernel/trace/blktrace.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c
+index b06011b22185..0b22bf622397 100644
+--- a/kernel/trace/blktrace.c
++++ b/kernel/trace/blktrace.c
+@@ -1679,6 +1679,14 @@ static int blk_trace_remove_queue(struct request_queue *q)
+ if (bt == NULL)
+ return -EINVAL;
+
++ if (bt->trace_state == Blktrace_running) {
++ bt->trace_state = Blktrace_stopped;
++ spin_lock_irq(&running_trace_lock);
++ list_del_init(&bt->running_list);
++ spin_unlock_irq(&running_trace_lock);
++ relay_flush(bt->rchan);
++ }
++
+ put_probe_ref();
+ synchronize_rcu();
+ blk_trace_free(bt);
+--
+2.33.0
+
diff --git a/queue-4.14/compiler.h-introduce-absolute_pointer-macro.patch b/queue-4.14/compiler.h-introduce-absolute_pointer-macro.patch
new file mode 100644
index 00000000000..6fccd934028
--- /dev/null
+++ b/queue-4.14/compiler.h-introduce-absolute_pointer-macro.patch
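Review bot: The block added to `blk_trace_remove_queue()` in kernel/trace/blktrace.c carries no comment, although the fix depends entirely on it running before `synchronize_rcu()`; moved below that call it would compile and reintroduce the use-after-free. I would add `/* Unlink bt from running_trace_list before synchronize_rcu(): trace_note_tsk() walks that list under RCU and must not find bt once blk_trace_free() runs. */` above the `if`. The test and update of `bt->trace_state` sit outside `running_trace_lock`, so they rely on whatever serialises this function against start/stop on the same queue, which is not visible here because the function begins before the hunk. If the same stop sequence exists elsewhere in the file, a shared helper would keep the two copies from drifting apart.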
@@ -0,0 +1,44 @@
+From 574dd22f3b99219c990379e6ae93758bbec4f9bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 14 Sep 2021 20:52:24 -0700
+Subject: compiler.h: Introduce absolute_pointer macro
+
+From: Guenter Roeck
+
+[ Upstream commit f6b5f1a56987de837f8e25cd560847106b8632a8 ]
+
+absolute_pointer() disassociates a pointer from its originating symbol
+type and context. Use it to prevent compiler warnings/errors such as
+
+ drivers/net/ethernet/i825xx/82596.c: In function 'i82596_probe':
+ arch/m68k/include/asm/string.h:72:25: error:
+ '__builtin_memcpy' reading 6 bytes from a region of size 0 [-Werror=stringop-overread]
+
+Such warnings may be reported by gcc 11.x for string and memory
+operations on fixed addresses.
+
+Suggested-by: Linus Torvalds
+Signed-off-by: Guenter Roeck
+Reviewed-by: Geert Uytterhoeven
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ include/linux/compiler.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/include/linux/compiler.h b/include/linux/compiler.h
+index 3b6e6522e0ec..d29b68379223 100644
+--- a/include/linux/compiler.h
++++ b/include/linux/compiler.h
+@@ -152,6 +152,8 @@ void ftrace_likely_update(struct ftrace_likely_data *f, int val,
+ (typeof(ptr)) (__ptr + (off)); })
+ #endif
+
++#define absolute_pointer(val) RELOC_HIDE((void *)(val), 0)
++
+ #ifndef OPTIMIZER_HIDE_VAR
+ #define OPTIMIZER_HIDE_VAR(var) barrier()
+ #endif
+--
+2.33.0
+
diff --git a/queue-4.14/irqchip-gic-v3-its-fix-potential-vpe-leak-on-error.patch b/queue-4.14/irqchip-gic-v3-its-fix-potential-vpe-leak-on-error.patch
new file mode 100644
index 00000000000..6aef45af76d
--- /dev/null
+++ b/queue-4.14/irqchip-gic-v3-its-fix-potential-vpe-leak-on-error.patch
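Review bot: `absolute_pointer()` is added to include/linux/compiler.h without a comment, although its whole purpose is to stop the compiler from applying object-size checks to the pointer it returns. That makes misuse costly: wrapping a pointer that does refer to an ordinary object would also silence a genuine stringop-overread or overflow diagnostic on it. I would state the intended scope next to the define, e.g. `/* absolute_pointer(): hide the origin of a fixed (hardware/firmware) address from the compiler; do not use on pointers to ordinary objects. */`. The macro builds on RELOC_HIDE, whose definition lies mostly outside this hunk.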
@@ -0,0 +1,41 @@
+From 0f622661905b2c6eb056738b4c213d9be1eb0747 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 15 Sep 2021 10:20:55 +0800
+Subject: irqchip/gic-v3-its: Fix potential VPE leak on error
+
+From: Kaige Fu
+
+[ Upstream commit 280bef512933b2dda01d681d8cbe499b98fc5bdd ]
+
+In its_vpe_irq_domain_alloc, when its_vpe_init() returns an error,
+there is an off-by-one in the number of VPEs to be freed.
+
+Fix it by simply passing the number of VPEs allocated, which is the
+index of the loop iterating over the VPEs.
+
+Fixes: 7d75bbb4bc1a ("irqchip/gic-v3-its: Add VPE irq domain allocation/teardown")
+Signed-off-by: Kaige Fu
+[maz: fixed commit message]
+Signed-off-by: Marc Zyngier
+Link: https://lore.kernel.org/r/d9e36dee512e63670287ed9eff884a5d8d6d27f2.1631672311.git.kaige.fu@linux.alibaba.com
+Signed-off-by: Sasha Levin
+---
+ drivers/irqchip/irq-gic-v3-its.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c
+index 1d2267c6d31a..85b4610e6dc4 100644
+--- a/drivers/irqchip/irq-gic-v3-its.c
++++ b/drivers/irqchip/irq-gic-v3-its.c
+@@ -2730,7 +2730,7 @@ static int its_vpe_irq_domain_alloc(struct irq_domain *domain, unsigned int virq
+
+ if (err) {
+ if (i > 0)
+- its_vpe_irq_domain_free(domain, virq, i - 1);
++ its_vpe_irq_domain_free(domain, virq, i);
+
+ its_lpi_free_chunks(bitmap, base, nr_ids);
+ its_free_prop_table(vprop_page);
+--
+2.33.0
+
diff --git a/queue-4.14/m68k-double-cast-io-functions-to-unsigned-long.patch b/queue-4.14/m68k-double-cast-io-functions-to-unsigned-long.patch
new file mode 100644
index 00000000000..7be033c314b
--- /dev/null
+++ b/queue-4.14/m68k-double-cast-io-functions-to-unsigned-long.patch
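Review bot: Freeing `i` entries in the error path of `its_vpe_irq_domain_alloc()` covers the VPEs at indices 0..i-1, which is right when `its_vpe_init()` itself fails for index `i`, the case the commit message describes. The loop is outside this hunk; if another step in the same iteration can fail after `its_vpe_init()` has succeeded, the VPE at index `i` would be initialised and still not freed here, so that is worth confirming in the 4.14 source. A short comment on the call, such as `/* free the i VPEs that were fully set up; entry i is the one that failed */`, would make the count-versus-index convention explicit, since that confusion is where the original off-by-one came from.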
@@ -0,0 +1,68 @@
+From 357993f03339a2b0b13a287c227546eebdaa06e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 6 Sep 2021 23:07:29 -0700
+Subject: m68k: Double cast io functions to unsigned long
+
+From: Guenter Roeck
+
+[ Upstream commit b1a89856fbf63fffde6a4771d8f1ac21df549e50 ]
+
+m68k builds fail widely with errors such as
+
+arch/m68k/include/asm/raw_io.h:20:19: error:
+ cast to pointer from integer of different size
+arch/m68k/include/asm/raw_io.h:30:32: error:
+ cast to pointer from integer of different size [-Werror=int-to-p
+
+On m68k, io functions are defined as macros. The problem is seen if the
+macro parameter variable size differs from the size of a pointer. Cast
+the parameter of all io macros to unsigned long before casting it to
+a pointer to fix the problem.
+
+Signed-off-by: Guenter Roeck
+Link: https://lore.kernel.org/r/20210907060729.2391992-1-linux@roeck-us.net
+Signed-off-by: Geert Uytterhoeven
+Signed-off-by: Sasha Levin
+---
+ arch/m68k/include/asm/raw_io.h | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/arch/m68k/include/asm/raw_io.h b/arch/m68k/include/asm/raw_io.h
+index 05e940c29b54..cbfff90c2a69 100644
+--- a/arch/m68k/include/asm/raw_io.h
++++ b/arch/m68k/include/asm/raw_io.h
+@@ -31,21 +31,21 @@ extern void __iounmap(void *addr, unsigned long size);
+ * two accesses to memory, which may be undesirable for some devices.
+ */
+ #define in_8(addr) \
+- ({ u8 __v = (*(__force volatile u8 *) (addr)); __v; })
++ ({ u8 __v = (*(__force volatile u8 *) (unsigned long)(addr)); __v; })
+ #define in_be16(addr) \
+- ({ u16 __v = (*(__force volatile u16 *) (addr)); __v; })
++ ({ u16 __v = (*(__force volatile u16 *) (unsigned long)(addr)); __v; })
+ #define in_be32(addr) \
+- ({ u32 __v = (*(__force volatile u32 *) (addr)); __v; })
++ ({ u32 __v = (*(__force volatile u32 *) (unsigned long)(addr)); __v; })
+ #define in_le16(addr) \
+- ({ u16 __v = le16_to_cpu(*(__force volatile __le16 *) (addr)); __v; })
++ ({ u16 __v = le16_to_cpu(*(__force volatile __le16 *) (unsigned long)(addr)); __v; })
+ #define in_le32(addr) \
+- ({ u32 __v = le32_to_cpu(*(__force volatile __le32 *) (addr)); __v; })
++ ({ u32 __v = le32_to_cpu(*(__force volatile __le32 *) (unsigned long)(addr)); __v; })
+
+-#define out_8(addr,b) (void)((*(__force volatile u8 *) (addr)) = (b))
+-#define out_be16(addr,w) (void)((*(__force volatile u16 *) (addr)) = (w))
+-#define out_be32(addr,l) (void)((*(__force volatile u32 *) (addr)) = (l))
+-#define out_le16(addr,w) (void)((*(__force volatile __le16 *) (addr)) = cpu_to_le16(w))
+-#define out_le32(addr,l) (void)((*(__force volatile __le32 *) (addr)) = cpu_to_le32(l))
++#define out_8(addr,b) (void)((*(__force volatile u8 *) (unsigned long)(addr)) = (b))
++#define out_be16(addr,w) (void)((*(__force volatile u16 *) (unsigned long)(addr)) = (w))
++#define out_be32(addr,l) (void)((*(__force volatile u32 *) (unsigned long)(addr)) = (l))
++#define out_le16(addr,w) (void)((*(__force volatile __le16 *) (unsigned long)(addr)) = cpu_to_le16(w))
++#define out_le32(addr,l) (void)((*(__force volatile __le32 *) (unsigned long)(addr)) = cpu_to_le32(l))
+
+ #define raw_inb in_8
+ #define raw_inw in_be16
+--
+2.33.0
+
diff --git a/queue-4.14/md-fix-a-lock-order-reversal-in-md_alloc.patch b/queue-4.14/md-fix-a-lock-order-reversal-in-md_alloc.patch
new file mode 100644
index 00000000000..2d28b06bdf5
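Review bot: The `(unsigned long)` cast added to each `in_*`/`out_*` macro in arch/m68k/include/asm/raw_io.h silences the integer-to-pointer size diagnostic for every caller, not only for the ones that broke the build. An argument wider than `unsigned long` is now truncated without any warning before it is dereferenced as a device address. A comment above the block, e.g. `/* addr is converted via unsigned long; callers must not pass values wider than a pointer */`, would record that contract. Typed `static inline` accessors would enforce it, but that is more than a stable backport should carry.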
--- /dev/null
+++ b/queue-4.14/md-fix-a-lock-order-reversal-in-md_alloc.patch
@@ -0,0 +1,61 @@
+From 8444cd6ff605b473b375d7afbab5dec5d8de3e2d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 1 Sep 2021 13:38:29 +0200
+Subject: md: fix a lock order reversal in md_alloc
+
+From: Christoph Hellwig
+
+[ Upstream commit 7df835a32a8bedf7ce88efcfa7c9b245b52ff139 ]
+
+Commit b0140891a8cea3 ("md: Fix race when creating a new md device.")
+not only moved assigning mddev->gendisk before calling add_disk, which
+fixes the races described in the commit log, but also added a
+mddev->open_mutex critical section over add_disk and creation of the
+md kobj. Adding a kobject after add_disk is racy vs deleting the gendisk
+right after adding it, but md already prevents against that by holding
+a mddev->active reference.
+
+On the other hand taking this lock added a lock order reversal with what
+is not disk->open_mutex (used to be bdev->bd_mutex when the commit was
+added) for partition devices, which need that lock for the internal open
+for the partition scan, and a recent commit also takes it for
+non-partitioned devices, leading to further lockdep splatter.
+
+Fixes: b0140891a8ce ("md: Fix race when creating a new md device.")
+Fixes: d62633873590 ("block: support delayed holder registration")
+Reported-by: syzbot+fadc0aaf497e6a493b9f@syzkaller.appspotmail.com
+Signed-off-by: Christoph Hellwig
+Tested-by: syzbot+fadc0aaf497e6a493b9f@syzkaller.appspotmail.com
+Reviewed-by: NeilBrown
+Signed-off-by: Song Liu
+Signed-off-by: Sasha Levin
+---
+ drivers/md/md.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/drivers/md/md.c b/drivers/md/md.c
+index 0af9aa187ce5..5e8706a66c31 100644
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -5375,10 +5375,6 @@ static int md_alloc(dev_t dev, char *name)
+ */
+ disk->flags |= GENHD_FL_EXT_DEVT;
+ mddev->gendisk = disk;
+- /* As soon as we call add_disk(), another thread could get
+- * through to md_open, so make sure it doesn't get too far
+- */
+- mutex_lock(&mddev->open_mutex);
+ add_disk(disk);
+
+ error = kobject_init_and_add(&mddev->kobj, &md_ktype,
+@@ -5394,7 +5390,6 @@ static int md_alloc(dev_t dev, char *name)
+ if (mddev->kobj.sd &&
+ sysfs_create_group(&mddev->kobj, &md_bitmap_group))
+ pr_debug("pointless warning\n");
+- mutex_unlock(&mddev->open_mutex);
+ abort:
+ mutex_unlock(&disks_mutex);
+ if (!error && mddev->kobj.sd) {
+--
+2.33.0
+
diff --git a/queue-4.14/net-6pack-fix-tx-timeout-and-slot-time.patch b/queue-4.14/net-6pack-fix-tx-timeout-and-slot-time.patch
new file mode 100644
index 00000000000..f2656683124
--- /dev/null
+++ b/queue-4.14/net-6pack-fix-tx-timeout-and-slot-time.patch
@@ -0,0 +1,59 @@
+From 5aa2f8cf19fab9463dea457a7af28d6da7b7d302 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 8 Sep 2021 20:57:43 -0700
+Subject: net: 6pack: Fix tx timeout and slot time
+
+From: Guenter Roeck
+
+[ Upstream commit 3c0d2a46c0141913dc6fd126c57d0615677d946e ]
+
+tx timeout and slot time are currently specified in units of HZ. On
+Alpha, HZ is defined as 1024. When building alpha:allmodconfig, this
+results in the following error message.
+
+ drivers/net/hamradio/6pack.c: In function 'sixpack_open':
+ drivers/net/hamradio/6pack.c:71:41: error:
+ unsigned conversion from 'int' to 'unsigned char'
+ changes value from '256' to '0'
+
+In the 6PACK protocol, tx timeout is specified in units of 10 ms and
+transmitted over the wire:
+
+ https://www.linux-ax25.org/wiki/6PACK
+
+Defining a value dependent on HZ doesn't really make sense, and
+presumably comes from the (very historical) situation where HZ was
+originally 100.
+
+Note that the SIXP_SLOTTIME use explicitly is about 10ms granularity:
+
+ mod_timer(&sp->tx_t, jiffies + ((when + 1) * HZ) / 100);
+
+and the SIXP_TXDELAY walue is sent as a byte over the wire.
+
+Signed-off-by: Guenter Roeck
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ drivers/net/hamradio/6pack.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/hamradio/6pack.c b/drivers/net/hamradio/6pack.c
+index 231eaef29266..7e430300818e 100644
+--- a/drivers/net/hamradio/6pack.c
++++ b/drivers/net/hamradio/6pack.c
+@@ -68,9 +68,9 @@
+ #define SIXP_DAMA_OFF 0
+
+ /* default level 2 parameters */
+-#define SIXP_TXDELAY (HZ/4) /* in 1 s */
++#define SIXP_TXDELAY 25 /* 250 ms */
+ #define SIXP_PERSIST 50 /* in 256ths */
+-#define SIXP_SLOTTIME (HZ/10) /* in 1 s */
++#define SIXP_SLOTTIME 10 /* 100 ms */
+ #define SIXP_INIT_RESYNC_TIMEOUT (3*HZ/2) /* in 1 s */
+ #define SIXP_RESYNC_TIMEOUT 5*HZ /* in 1 s */
+
+--
+2.33.0
+
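Review bot: The new comments on `SIXP_TXDELAY` and `SIXP_SLOTTIME` in drivers/net/hamradio/6pack.c give the resulting time but not the unit of the constant, while the neighbouring context lines still say `/* in 1 s */`, so the block now mixes two conventions. The commit message states that these values are in 10 ms units and that TXDELAY is sent as a single byte, which is exactly what a later editor needs to see at the define. I would write `#define SIXP_TXDELAY 25 /* in 10 ms units: 250 ms; must fit in one byte */` and `#define SIXP_SLOTTIME 10 /* in 10 ms units: 100 ms */`. The unchanged `SIXP_RESYNC_TIMEOUT 5*HZ` is also unparenthesised, which is better handled in a separate follow-up than in this backport.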
diff --git a/queue-4.14/net-i825xx-use-absolute_pointer-for-memcpy-from-fixe.patch b/queue-4.14/net-i825xx-use-absolute_pointer-for-memcpy-from-fixe.patch
new file mode 100644
index 00000000000..32aac6d079b
--- /dev/null
+++ b/queue-4.14/net-i825xx-use-absolute_pointer-for-memcpy-from-fixe.patch
@@ -0,0 +1,43 @@
+From 63ca47add95cfb4e62d546d1f3640ec63bacd1cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 14 Sep 2021 20:52:25 -0700
+Subject: net: i825xx: Use absolute_pointer for memcpy from fixed memory
+ location
+
+From: Guenter Roeck
+
+[ Upstream commit dff2d13114f0beec448da9b3716204eb34b0cf41 ]
+
+gcc 11.x reports the following compiler warning/error.
+
+ drivers/net/ethernet/i825xx/82596.c: In function 'i82596_probe':
+ arch/m68k/include/asm/string.h:72:25: error:
+ '__builtin_memcpy' reading 6 bytes from a region of size 0 [-Werror=stringop-overread]
+
+Use absolute_pointer() to work around the problem.
+
+Cc: Geert Uytterhoeven
+Signed-off-by: Guenter Roeck
+Reviewed-by: Geert Uytterhoeven
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/i825xx/82596.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/i825xx/82596.c b/drivers/net/ethernet/i825xx/82596.c
+index d719668a6684..8efcec305fc5 100644
+--- a/drivers/net/ethernet/i825xx/82596.c
++++ b/drivers/net/ethernet/i825xx/82596.c
+@@ -1155,7 +1155,7 @@ struct net_device * __init i82596_probe(int unit)
+ err = -ENODEV;
+ goto out;
+ }
+- memcpy(eth_addr, (void *) 0xfffc1f2c, ETH_ALEN); /* YUCK! Get addr from NOVRAM */
++ memcpy(eth_addr, absolute_pointer(0xfffc1f2c), ETH_ALEN); /* YUCK! Get addr from NOVRAM */
+ dev->base_addr = MVME_I596_BASE;
+ dev->irq = (unsigned) MVME16x_IRQ_I596;
+ goto found;
+--
+2.33.0
+
diff --git a/queue-4.14/net-macb-fix-use-after-free-on-rmmod.patch b/queue-4.14/net-macb-fix-use-after-free-on-rmmod.patch
new file mode 100644
index 00000000000..ef489df9a95
--- /dev/null
+++ b/queue-4.14/net-macb-fix-use-after-free-on-rmmod.patch
@@ -0,0 +1,44 @@
+From 294116b670d093da8a469ac5fa2ec8cb5c0e78e6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 8 Sep 2021 12:02:32 -0700
+Subject: net: macb: fix use after free on rmmod
+
+From: Tong Zhang
+
+[ Upstream commit d82d5303c4c539db86588ffb5dc5b26c3f1513e8 ]
+
+plat_dev->dev->platform_data is released by platform_device_unregister(),
+use of pclk and hclk is a use-after-free. Since device unregister won't
+need a clk device we adjust the function call sequence to fix this issue.
+
+[ 31.261225] BUG: KASAN: use-after-free in macb_remove+0x77/0xc6 [macb_pci]
+[ 31.275563] Freed by task 306:
+[ 30.276782] platform_device_release+0x25/0x80
+
+Suggested-by: Nicolas Ferre
+Signed-off-by: Tong Zhang
+Acked-by: Nicolas Ferre
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/cadence/macb_pci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/cadence/macb_pci.c b/drivers/net/ethernet/cadence/macb_pci.c
+index 248a8fc45069..f06fddf9919b 100644
+--- a/drivers/net/ethernet/cadence/macb_pci.c
++++ b/drivers/net/ethernet/cadence/macb_pci.c
+@@ -123,9 +123,9 @@ static void macb_remove(struct pci_dev *pdev)
+ struct platform_device *plat_dev = pci_get_drvdata(pdev);
+ struct macb_platform_data *plat_data = dev_get_platdata(&plat_dev->dev);
+
+- platform_device_unregister(plat_dev);
+ clk_unregister(plat_data->pclk);
+ clk_unregister(plat_data->hclk);
++ platform_device_unregister(plat_dev);
+ }
+
+ static const struct pci_device_id dev_id_table[] = {
+--
+2.33.0
+
diff --git a/queue-4.14/net-stmmac-allow-csr-clock-of-300mhz.patch b/queue-4.14/net-stmmac-allow-csr-clock-of-300mhz.patch
new file mode 100644
index 00000000000..5e6dbb4d3bb
--- /dev/null
+++ b/queue-4.14/net-stmmac-allow-csr-clock-of-300mhz.patch
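Review bot: The reordered `macb_remove()` in drivers/net/ethernet/cadence/macb_pci.c now unregisters `pclk` and `hclk` while the platform device that was handed those clocks is still registered. The commit message asserts that the unregister path does not need them, but that path is not visible in this hunk; if the child driver's remove still touches either clock, the stale access moves rather than disappears. Keeping the original order and reading the pointers first avoids relying on that: `struct clk *pclk = plat_data->pclk, *hclk = plat_data->hclk;` before `platform_device_unregister(plat_dev);`, then `clk_unregister(pclk); clk_unregister(hclk);`. Either way, a comment saying that `plat_data` is freed by `platform_device_unregister()` would stop the calls from being reordered back.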
@@ -0,0 +1,59 @@
+From dcca319afb7b8b2b90c7877c19ef6d773a17997a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 10 Sep 2021 21:55:34 +0200
+Subject: net: stmmac: allow CSR clock of 300MHz
+
+From: Jesper Nilsson
+
+[ Upstream commit 08dad2f4d541fcfe5e7bfda72cc6314bbfd2802f ]
+
+The Synopsys Ethernet IP uses the CSR clock as a base clock for MDC.
+The divisor used is set in the MAC_MDIO_Address register field CR
+(Clock Rate)
+
+The divisor is there to change the CSR clock into a clock that falls
+below the IEEE 802.3 specified max frequency of 2.5MHz.
+
+If the CSR clock is 300MHz, the code falls back to using the reset
+value in the MAC_MDIO_Address register, as described in the comment
+above this code.
+
+However, 300MHz is actually an allowed value and the proper divider
+can be estimated quite easily (it's just 1Hz difference!)
+
+A CSR frequency of 300MHz with the maximum clock rate value of 0x5
+(STMMAC_CSR_250_300M, a divisor of 124) gives somewhere around
+~2.42MHz which is below the IEEE 802.3 specified maximum.
+
+For the ARTPEC-8 SoC, the CSR clock is this problematic 300MHz,
+and unfortunately, the reset-value of the MAC_MDIO_Address CR field
+is 0x0.
+
+This leads to a clock rate of zero and a divisor of 42, and gives an
+MDC frequency of ~7.14MHz.
+
+Allow CSR clock of 300MHz by making the comparison inclusive.
+
+Signed-off-by: Jesper Nilsson
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+index a7b30f060536..2be2b3055904 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -232,7 +232,7 @@ static void stmmac_clk_csr_set(struct stmmac_priv *priv)
+ priv->clk_csr = STMMAC_CSR_100_150M;
+ else if ((clk_rate >= CSR_F_150M) && (clk_rate < CSR_F_250M))
+ priv->clk_csr = STMMAC_CSR_150_250M;
+- else if ((clk_rate >= CSR_F_250M) && (clk_rate < CSR_F_300M))
++ else if ((clk_rate >= CSR_F_250M) && (clk_rate <= CSR_F_300M))
+ priv->clk_csr = STMMAC_CSR_250_300M;
+ }
+
+--
+2.33.0
+
diff --git a/queue-4.14/parisc-use-absolute_pointer-to-define-page0.patch b/queue-4.14/parisc-use-absolute_pointer-to-define-page0.patch
new file mode 100644
index 00000000000..c80344acfe6
--- /dev/null
+++ b/queue-4.14/parisc-use-absolute_pointer-to-define-page0.patch
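Review bot: After this change a `clk_rate` above `CSR_F_300M` still matches no branch of the visible chain in `stmmac_clk_csr_set()`, so `priv->clk_csr` appears to be left at whatever it held before. The commit message explains that on one SoC that fallback produces an MDC of about 7.14 MHz, well above the 2.5 MHz limit it quotes, so the same out-of-spec clock remains possible for any faster CSR clock. The start of the chain is outside the hunk, so this may already be handled there. If it is not, a trailing comment such as `/* clk_rate > CSR_F_300M: clk_csr left unchanged, MDC may exceed 2.5 MHz */`, or a warning at that point, would make the gap visible.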
@@ -0,0 +1,38 @@
+From 0dab18f556d93b2c6fcab37a2c9259139f0305c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 16 Sep 2021 08:35:42 +0200
+Subject: parisc: Use absolute_pointer() to define PAGE0
+
+From: Helge Deller
+
+[ Upstream commit 90cc7bed1ed19f869ae7221a6b41887fe762a6a3 ]
+
+Use absolute_pointer() wrapper for PAGE0 to avoid this compiler warning:
+
+ arch/parisc/kernel/setup.c: In function 'start_parisc':
+ error: '__builtin_memcmp_eq' specified bound 8 exceeds source size 0
+
+Signed-off-by: Helge Deller
+Co-Developed-by: Guenter Roeck
+Suggested-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ arch/parisc/include/asm/page.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/parisc/include/asm/page.h b/arch/parisc/include/asm/page.h
+index af00fe9bf846..c631a8fd856a 100644
+--- a/arch/parisc/include/asm/page.h
++++ b/arch/parisc/include/asm/page.h
+@@ -179,7 +179,7 @@ extern int npmem_ranges;
+ #include
+ #include
+
+-#define PAGE0 ((struct zeropage *)__PAGE_OFFSET)
++#define PAGE0 ((struct zeropage *)absolute_pointer(__PAGE_OFFSET))
+
+ /* DEFINITION OF THE ZERO-PAGE (PAG0) */
+ /* based on work by Jason Eckhardt (jason@equator.com) */
+--
+2.33.0
+
diff --git a/queue-4.14/qnx4-avoid-stringop-overread-errors.patch b/queue-4.14/qnx4-avoid-stringop-overread-errors.patch
new file mode 100644
index 00000000000..3a614d4ec98
--- /dev/null
+++ b/queue-4.14/qnx4-avoid-stringop-overread-errors.patch
@@ -0,0 +1,134 @@
+From 0e90f324773da96d53085b43fce1c31d15119134 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 15 Sep 2021 13:56:37 -0700
+Subject: qnx4: avoid stringop-overread errors
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Linus Torvalds
+
+[ Upstream commit b7213ffa0e585feb1aee3e7173e965e66ee0abaa ]
+
+The qnx4 directory entries are 64-byte blocks that have different
+contents depending on the a status byte that is in the last byte of the
+block.
+
+In particular, a directory entry can be either a "link info" entry with
+a 48-byte name and pointers to the real inode information, or an "inode
+entry" with a smaller 16-byte name and the full inode information.
+
+But the code was written to always just treat the directory name as if
+it was part of that "inode entry", and just extend the name to the
+longer case if the status byte said it was a link entry.
+
+That work just fine and gives the right results, but now that gcc is
+tracking data structure accesses much more, the code can trigger a
+compiler error about using up to 48 bytes (the long name) in a structure
+that only has that shorter name in it:
+
+ fs/qnx4/dir.c: In function ‘qnx4_readdir’:
+ fs/qnx4/dir.c:51:32: error: ‘strnlen’ specified bound 48 exceeds source size 16 [-Werror=stringop-overread]
+ 51 | size = strnlen(de->di_fname, size);
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~
+ In file included from fs/qnx4/qnx4.h:3,
+ from fs/qnx4/dir.c:16:
+ include/uapi/linux/qnx4_fs.h:45:25: note: source object declared here
+ 45 | char di_fname[QNX4_SHORT_NAME_MAX];
+ | ^~~~~~~~
+
+which is because the source code doesn't really make this whole "one of
+two different types" explicit.
+
+Fix this by introducing a very explicit union of the two types, and
+basically explaining to the compiler what is really going on.
+
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ fs/qnx4/dir.c | 51 ++++++++++++++++++++++++++++++++++-----------------
+ 1 file changed, 34 insertions(+), 17 deletions(-)
+
+diff --git a/fs/qnx4/dir.c b/fs/qnx4/dir.c
+index a6ee23aadd28..2a66844b7ff8 100644
+--- a/fs/qnx4/dir.c
++++ b/fs/qnx4/dir.c
+@@ -15,13 +15,27 @@
+ #include
+ #include "qnx4.h"
+
++/*
++ * A qnx4 directory entry is an inode entry or link info
++ * depending on the status field in the last byte. The
++ * first byte is where the name start either way, and a
++ * zero means it's empty.
++ */
++union qnx4_directory_entry {
++ struct {
++ char de_name;
++ char de_pad[62];
++ char de_status;
++ };
++ struct qnx4_inode_entry inode;
++ struct qnx4_link_info link;
++};
++
+ static int qnx4_readdir(struct file *file, struct dir_context *ctx)
+ {
+ struct inode *inode = file_inode(file);
+ unsigned int offset;
+ struct buffer_head *bh;
+- struct qnx4_inode_entry *de;
+- struct qnx4_link_info *le;
+ unsigned long blknum;
+ int ix, ino;
+ int size;
+@@ -38,27 +52,30 @@ static int qnx4_readdir(struct file *file, struct dir_context *ctx)
+ }
+ ix = (ctx->pos >> QNX4_DIR_ENTRY_SIZE_BITS) % QNX4_INODES_PER_BLOCK;
+ for (; ix < QNX4_INODES_PER_BLOCK; ix++, ctx->pos += QNX4_DIR_ENTRY_SIZE) {
++ union qnx4_directory_entry *de;
++ const char *name;
++
+ offset = ix * QNX4_DIR_ENTRY_SIZE;
+- de = (struct qnx4_inode_entry *) (bh->b_data + offset);
+- if (!de->di_fname[0])
++ de = (union qnx4_directory_entry *) (bh->b_data + offset);
++
+ if (!de->de_name)
+ continue;
+- if (!(de->di_status & (QNX4_FILE_USED|QNX4_FILE_LINK)))
++ if (!(de->de_status & (QNX4_FILE_USED|QNX4_FILE_LINK)))
+ continue;
+- if (!(de->di_status & QNX4_FILE_LINK))
+- size = QNX4_SHORT_NAME_MAX;
+- else
+- size = QNX4_NAME_MAX;
+- size = strnlen(de->di_fname, size);
+- QNX4DEBUG((KERN_INFO "qnx4_readdir:%.*s\n", size, de->di_fname));
+- if (!(de->di_status & QNX4_FILE_LINK))
++ if (!(de->de_status & QNX4_FILE_LINK)) {
++ size = sizeof(de->inode.di_fname);
++ name = de->inode.di_fname;
+ ino = blknum * QNX4_INODES_PER_BLOCK + ix - 1;
+- else {
+- le = (struct qnx4_link_info*)de;
+- ino = ( le32_to_cpu(le->dl_inode_blk) - 1 ) *
++ } else {
++ size = sizeof(de->link.dl_fname);
++ name = de->link.dl_fname;
++ ino = ( le32_to_cpu(de->link.dl_inode_blk) - 1 ) *
+ QNX4_INODES_PER_BLOCK +
+- le->dl_inode_ndx;
++ de->link.dl_inode_ndx;
+ }
+- if (!dir_emit(ctx, de->di_fname, size, ino, DT_UNKNOWN)) {
++ size = strnlen(name, size);
++ QNX4DEBUG((KERN_INFO "qnx4_readdir:%.*s\n", size, name));
++ if (!dir_emit(ctx, name, size, ino, DT_UNKNOWN)) {
+ brelse(bh);
+ return 0;
+ }
+--
+2.33.0
+
diff --git a/queue-4.14/scsi-iscsi-adjust-iface-sysfs-attr-detection.patch b/queue-4.14/scsi-iscsi-adjust-iface-sysfs-attr-detection.patch
new file mode 100644
index 00000000000..941efcf3a31
--- /dev/null
+++ b/queue-4.14/scsi-iscsi-adjust-iface-sysfs-attr-detection.patch
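Review bot: `union qnx4_directory_entry` in fs/qnx4/dir.c hard-codes `char de_pad[62]` so that `de_status` lands on the last byte of an entry, but nothing checks that the anonymous struct, `struct qnx4_inode_entry` and `struct qnx4_link_info` all have the size the loop steps by. `qnx4_readdir()` casts `bh->b_data + offset` to this union and interprets on-disk bytes through it, so a layout mismatch would select the wrong status byte or name bound without any diagnostic. A compile-time check at the top of `qnx4_readdir()`, `BUILD_BUG_ON(sizeof(union qnx4_directory_entry) != QNX4_DIR_ENTRY_SIZE);`, would pin the layout. The function starts and ends outside the two hunks shown.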
@@ -0,0 +1,53 @@ +From 766d7f83ece33016b79150141e0ff588976f9c36 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Sep 2021 16:53:36 +0800 +Subject: scsi: iscsi: Adjust iface sysfs attr detection + +From: Baokun Li + +[ Upstream commit 4e28550829258f7dab97383acaa477bd724c0ff4 ] + +ISCSI_NET_PARAM_IFACE_ENABLE belongs to enum iscsi_net_param instead of +iscsi_iface_param so move it to ISCSI_NET_PARAM. Otherwise, when we call +into the driver, we might not match and return that we don't want attr +visible in sysfs. Found in code review. + +Link: https://lore.kernel.org/r/20210901085336.2264295-1-libaokun1@huawei.com +Fixes: e746f3451ec7 ("scsi: iscsi: Fix iface sysfs attr detection") +Reviewed-by: Lee Duncan +Signed-off-by: Baokun Li +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_transport_iscsi.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c +index 064c941e5483..d276d84c0f7a 100644 +--- a/drivers/scsi/scsi_transport_iscsi.c ++++ b/drivers/scsi/scsi_transport_iscsi.c +@@ -429,9 +429,7 @@ static umode_t iscsi_iface_attr_is_visible(struct kobject *kobj, + struct iscsi_transport *t = iface->transport; + int param = -1; + +- if (attr == &dev_attr_iface_enabled.attr) +- param = ISCSI_NET_PARAM_IFACE_ENABLE; +- else if (attr == &dev_attr_iface_def_taskmgmt_tmo.attr) ++ if (attr == &dev_attr_iface_def_taskmgmt_tmo.attr) + param = ISCSI_IFACE_PARAM_DEF_TASKMGMT_TMO; + else if (attr == &dev_attr_iface_header_digest.attr) + param = ISCSI_IFACE_PARAM_HDRDGST_EN; +@@ -471,7 +469,9 @@ static umode_t iscsi_iface_attr_is_visible(struct kobject *kobj, + if (param != -1) + return t->attr_is_visible(ISCSI_IFACE_PARAM, param); + +- if (attr == &dev_attr_iface_vlan_id.attr) ++ if (attr == &dev_attr_iface_enabled.attr) ++ param = ISCSI_NET_PARAM_IFACE_ENABLE; ++ else if (attr == &dev_attr_iface_vlan_id.attr) + param = 
ISCSI_NET_PARAM_VLAN_ID; + else if (attr == &dev_attr_iface_vlan_priority.attr) + param = ISCSI_NET_PARAM_VLAN_PRIORITY; +-- +2.33.0 + diff --git a/queue-4.14/series b/queue-4.14/series index d17bbba6966..ab8796d3dc3 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -16,3 +16,21 @@ serial-mvebu-uart-fix-driver-s-tx_empty-callback.patch net-hso-fix-muxed-tty-registration.patch bnxt_en-fix-tx-timeout-when-tx-ring-size-is-set-to-t.patch net-mlx4_en-don-t-allow-arfs-for-encapsulated-packet.patch +scsi-iscsi-adjust-iface-sysfs-attr-detection.patch +thermal-core-potential-buffer-overflow-in-thermal_bu.patch +irqchip-gic-v3-its-fix-potential-vpe-leak-on-error.patch +md-fix-a-lock-order-reversal-in-md_alloc.patch +blktrace-fix-uaf-in-blk_trace-access-after-removing-.patch +net-macb-fix-use-after-free-on-rmmod.patch +net-stmmac-allow-csr-clock-of-300mhz.patch +m68k-double-cast-io-functions-to-unsigned-long.patch +xen-balloon-use-a-kernel-thread-instead-a-workqueue.patch +compiler.h-introduce-absolute_pointer-macro.patch +net-i825xx-use-absolute_pointer-for-memcpy-from-fixe.patch +sparc-avoid-stringop-overread-errors.patch +qnx4-avoid-stringop-overread-errors.patch +parisc-use-absolute_pointer-to-define-page0.patch +arm64-mark-__stack_chk_guard-as-__ro_after_init.patch +alpha-declare-virt_to_phys-and-virt_to_bus-parameter.patch +net-6pack-fix-tx-timeout-and-slot-time.patch +spi-fix-tegra20-build-with-config_pm-n.patch diff --git a/queue-4.14/sparc-avoid-stringop-overread-errors.patch b/queue-4.14/sparc-avoid-stringop-overread-errors.patch new file mode 100644 index 00000000000..abcae967083 --- /dev/null +++ b/queue-4.14/sparc-avoid-stringop-overread-errors.patch 
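Review bot: In iscsi_iface_attr_is_visible() the two if/else chains are told apart only by the `ISCSI_IFACE_PARAM_` or `ISCSI_NET_PARAM_` prefix of the constant assigned to `param`, and nothing marks which enum each chain belongs to. That is how `dev_attr_iface_enabled` ended up in the wrong chain. Add a comment ahead of each chain, for example `/* attributes from enum iscsi_iface_param */` before the first and `/* attributes from enum iscsi_net_param */` before the second. Per the commit message a mismatch only hides the attribute, so it is easy to miss in testing. The function begins and ends outside both inner hunks, so the call that consumes the second chain's `param` is not visible here.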
@@ -0,0 +1,65 @@ +From b683c3d6c1757c28c9f3746cc18581f24b94f206 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Sep 2021 16:06:04 -0700 +Subject: sparc: avoid stringop-overread errors +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Linus Torvalds + +[ Upstream commit fc7c028dcdbfe981bca75d2a7b95f363eb691ef3 ] + +The sparc mdesc code does pointer games with 'struct mdesc_hdr', but +didn't describe to the compiler how that header is then followed by the +data that the header describes. + +As a result, gcc is now unhappy since it does stricter pointer range +tracking, and doesn't understand about how these things work. This +results in various errors like: + + arch/sparc/kernel/mdesc.c: In function ‘mdesc_node_by_name’: + arch/sparc/kernel/mdesc.c:647:22: error: ‘strcmp’ reading 1 or more bytes from a region of size 0 [-Werror=stringop-overread] + 647 | if (!strcmp(names + ep[ret].name_offset, name)) + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +which are easily avoided by just describing 'struct mdesc_hdr' better, +and making the node_block() helper function look into that unsized +data[] that follows the header. + +This makes the sparc64 build happy again at least for my cross-compiler +version (gcc version 11.2.1). + +Link: https://lore.kernel.org/lkml/CAHk-=wi4NW3NC0xWykkw=6LnjQD6D_rtRtxY9g8gQAJXtQMi8A@mail.gmail.com/ +Cc: Guenter Roeck +Cc: David S. 
Miller +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + arch/sparc/kernel/mdesc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/sparc/kernel/mdesc.c b/arch/sparc/kernel/mdesc.c +index 8f24f3d60b8c..bfc30439a41d 100644 +--- a/arch/sparc/kernel/mdesc.c ++++ b/arch/sparc/kernel/mdesc.c +@@ -38,6 +38,7 @@ struct mdesc_hdr { + u32 node_sz; /* node block size */ + u32 name_sz; /* name block size */ + u32 data_sz; /* data block size */ ++ char data[]; + } __attribute__((aligned(16))); + + struct mdesc_elem { +@@ -611,7 +612,7 @@ EXPORT_SYMBOL(mdesc_get_node_info); + + static struct mdesc_elem *node_block(struct mdesc_hdr *mdesc) + { +- return (struct mdesc_elem *) (mdesc + 1); ++ return (struct mdesc_elem *) mdesc->data; + } + + static void *name_block(struct mdesc_hdr *mdesc) +-- +2.33.0 + diff --git a/queue-4.14/spi-fix-tegra20-build-with-config_pm-n.patch b/queue-4.14/spi-fix-tegra20-build-with-config_pm-n.patch new file mode 100644 index 00000000000..feaca320508 --- /dev/null +++ b/queue-4.14/spi-fix-tegra20-build-with-config_pm-n.patch 
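Review bot: The new `char data[];` member of struct mdesc_hdr is the only field in the hunk without a comment, and node_block() now relies on it starting exactly where `mdesc + 1` used to point. Document it, for example `char data[]; /* node block starts here, directly after the header */`. The old and new expressions agree only while the offset of `data` equals the struct's size under `aligned(16)`, which looks true for the fields shown but is not enforced. A `BUILD_BUG_ON(offsetof(struct mdesc_hdr, data) != sizeof(struct mdesc_hdr));` in an init path would keep a later field addition from silently moving the node block. The start of the struct is outside the hunk.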
@@ -0,0 +1,59 @@ +From 2d2b665b55a32b1f64a34c9b8b941897c0602bd4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 18 Sep 2021 10:05:06 -0700 +Subject: spi: Fix tegra20 build with CONFIG_PM=n +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Linus Torvalds + +[ Upstream commit efafec27c5658ed987e720130772f8933c685e87 ] + +Without CONFIG_PM enabled, the SET_RUNTIME_PM_OPS() macro ends up being +empty, and the only use of tegra_slink_runtime_{resume,suspend} goes +away, resulting in + + drivers/spi/spi-tegra20-slink.c:1200:12: error: ‘tegra_slink_runtime_resume’ defined but not used [-Werror=unused-function] + 1200 | static int tegra_slink_runtime_resume(struct device *dev) + | ^~~~~~~~~~~~~~~~~~~~~~~~~~ + drivers/spi/spi-tegra20-slink.c:1188:12: error: ‘tegra_slink_runtime_suspend’ defined but not used [-Werror=unused-function] + 1188 | static int tegra_slink_runtime_suspend(struct device *dev) + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~ + +mark the functions __maybe_unused to make the build happy. + +This hits the alpha allmodconfig build (and others). 
+ +Reported-by: Guenter Roeck +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-tegra20-slink.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/spi/spi-tegra20-slink.c b/drivers/spi/spi-tegra20-slink.c +index c39bfcbda5f2..1548f7b738c1 100644 +--- a/drivers/spi/spi-tegra20-slink.c ++++ b/drivers/spi/spi-tegra20-slink.c +@@ -1210,7 +1210,7 @@ static int tegra_slink_resume(struct device *dev) + } + #endif + +-static int tegra_slink_runtime_suspend(struct device *dev) ++static int __maybe_unused tegra_slink_runtime_suspend(struct device *dev) + { + struct spi_master *master = dev_get_drvdata(dev); + struct tegra_slink_data *tspi = spi_master_get_devdata(master); +@@ -1222,7 +1222,7 @@ static int tegra_slink_runtime_suspend(struct device *dev) + return 0; + } + +-static int tegra_slink_runtime_resume(struct device *dev) ++static int __maybe_unused tegra_slink_runtime_resume(struct device *dev) + { + struct spi_master *master = dev_get_drvdata(dev); + struct tegra_slink_data *tspi = spi_master_get_devdata(master); +-- +2.33.0 + diff --git a/queue-4.14/thermal-core-potential-buffer-overflow-in-thermal_bu.patch b/queue-4.14/thermal-core-potential-buffer-overflow-in-thermal_bu.patch new file mode 100644 index 00000000000..42ca8ae5147 --- /dev/null +++ b/queue-4.14/thermal-core-potential-buffer-overflow-in-thermal_bu.patch 
@@ -0,0 +1,52 @@ +From fc2d6f5c143f62e73320b509086506f336534d76 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Sep 2021 16:13:42 +0300 +Subject: thermal/core: Potential buffer overflow in + thermal_build_list_of_policies() + +From: Dan Carpenter + +[ Upstream commit 1bb30b20b49773369c299d4d6c65227201328663 ] + +After printing the list of thermal governors, then this function prints +a newline character. The problem is that "size" has not been updated +after printing the last governor. This means that it can write one +character (the NUL terminator) beyond the end of the buffer. + +Get rid of the "size" variable and just use "PAGE_SIZE - count" directly. + +Fixes: 1b4f48494eb2 ("thermal: core: group functions related to governor handling") +Signed-off-by: Dan Carpenter +Signed-off-by: Daniel Lezcano +Link: https://lore.kernel.org/r/20210916131342.GB25094@kili +Signed-off-by: Sasha Levin +--- + drivers/thermal/thermal_core.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c +index 2db83b555e59..94820f25a15f 100644 +--- a/drivers/thermal/thermal_core.c ++++ b/drivers/thermal/thermal_core.c +@@ -231,15 +231,14 @@ int thermal_build_list_of_policies(char *buf) + { + struct thermal_governor *pos; + ssize_t count = 0; +- ssize_t size = PAGE_SIZE; + + mutex_lock(&thermal_governor_lock); + + list_for_each_entry(pos, &thermal_governor_list, governor_list) { +- size = PAGE_SIZE - count; +- count += scnprintf(buf + count, size, "%s ", pos->name); ++ count += scnprintf(buf + count, PAGE_SIZE - count, "%s ", ++ pos->name); + } +- count += scnprintf(buf + count, size, "\n"); ++ count += scnprintf(buf + count, PAGE_SIZE - count, "\n"); + + mutex_unlock(&thermal_governor_lock); + +-- +2.33.0 + 
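Review bot: thermal_build_list_of_policies() takes only `char *buf`, yet both scnprintf() calls now bound their writes with `PAGE_SIZE - count`. The function is therefore memory-safe only if every caller passes a buffer of at least PAGE_SIZE bytes (presumably a sysfs show buffer), and nothing in the hunk states that contract. Put it in a comment above the function: `/* buf must hold at least PAGE_SIZE bytes; output is truncated to fit */`. When the governor names fill the page, the trailing newline is silently dropped; that is harmless for memory safety but belongs in the same comment. The function's tail, including the return, is outside the hunk.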
diff --git a/queue-4.14/xen-balloon-use-a-kernel-thread-instead-a-workqueue.patch b/queue-4.14/xen-balloon-use-a-kernel-thread-instead-a-workqueue.patch new file mode 100644 index 00000000000..231b0be8281 --- /dev/null +++ b/queue-4.14/xen-balloon-use-a-kernel-thread-instead-a-workqueue.patch 
@@ -0,0 +1,195 @@ +From a58e20f1ccdc415f567ead17db3c4515f4436001 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Aug 2021 14:32:06 +0200 +Subject: xen/balloon: use a kernel thread instead a workqueue + +From: Juergen Gross + +[ Upstream commit 8480ed9c2bbd56fc86524998e5f2e3e22f5038f6 ] + +Today the Xen ballooning is done via delayed work in a workqueue. This +might result in workqueue hangups being reported in case of large +amounts of memory are being ballooned in one go (here 16GB): + +BUG: workqueue lockup - pool cpus=6 node=0 flags=0x0 nice=0 stuck for 64s! +Showing busy workqueues and worker pools: +workqueue events: flags=0x0 + pwq 12: cpus=6 node=0 flags=0x0 nice=0 active=2/256 refcnt=3 + in-flight: 229:balloon_process + pending: cache_reap +workqueue events_freezable_power_: flags=0x84 + pwq 12: cpus=6 node=0 flags=0x0 nice=0 active=1/256 refcnt=2 + pending: disk_events_workfn +workqueue mm_percpu_wq: flags=0x8 + pwq 12: cpus=6 node=0 flags=0x0 nice=0 active=1/256 refcnt=2 + pending: vmstat_update +pool 12: cpus=6 node=0 flags=0x0 nice=0 hung=64s workers=3 idle: 2222 43 + +This can easily be avoided by using a dedicated kernel thread for doing +the ballooning work. 
+ +Reported-by: Jan Beulich +Signed-off-by: Juergen Gross +Reviewed-by: Boris Ostrovsky +Link: https://lore.kernel.org/r/20210827123206.15429-1-jgross@suse.com +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +--- + drivers/xen/balloon.c | 62 +++++++++++++++++++++++++++++++------------ + 1 file changed, 45 insertions(+), 17 deletions(-) + +diff --git a/drivers/xen/balloon.c b/drivers/xen/balloon.c +index a8e0836dffd4..b9abe3ef2188 100644 +--- a/drivers/xen/balloon.c ++++ b/drivers/xen/balloon.c +@@ -43,6 +43,8 @@ + #include + #include + #include ++#include ++#include + #include + #include + #include +@@ -119,7 +121,7 @@ static struct ctl_table xen_root[] = { + #define EXTENT_ORDER (fls(XEN_PFN_PER_PAGE) - 1) + + /* +- * balloon_process() state: ++ * balloon_thread() state: + * + * BP_DONE: done or nothing to do, + * BP_WAIT: wait to be rescheduled, +@@ -134,6 +136,8 @@ enum bp_state { + BP_ECANCELED + }; + ++/* Main waiting point for xen-balloon thread. */ ++static DECLARE_WAIT_QUEUE_HEAD(balloon_thread_wq); + + static DEFINE_MUTEX(balloon_mutex); + +@@ -148,10 +152,6 @@ static xen_pfn_t frame_list[PAGE_SIZE / sizeof(xen_pfn_t)]; + static LIST_HEAD(ballooned_pages); + static DECLARE_WAIT_QUEUE_HEAD(balloon_wq); + +-/* Main work function, always executed in process context. */ +-static void balloon_process(struct work_struct *work); +-static DECLARE_DELAYED_WORK(balloon_worker, balloon_process); +- + /* When ballooning out (allocating memory to return to Xen) we don't really + want the kernel to try too hard since that can trigger the oom killer. 
*/ + #define GFP_BALLOON \ +@@ -389,7 +389,7 @@ static void xen_online_page(struct page *page) + static int xen_memory_notifier(struct notifier_block *nb, unsigned long val, void *v) + { + if (val == MEM_ONLINE) +- schedule_delayed_work(&balloon_worker, 0); ++ wake_up(&balloon_thread_wq); + + return NOTIFY_OK; + } +@@ -571,18 +571,43 @@ static enum bp_state decrease_reservation(unsigned long nr_pages, gfp_t gfp) + } + + /* +- * As this is a work item it is guaranteed to run as a single instance only. ++ * Stop waiting if either state is not BP_EAGAIN and ballooning action is ++ * needed, or if the credit has changed while state is BP_EAGAIN. ++ */ ++static bool balloon_thread_cond(enum bp_state state, long credit) ++{ ++ if (state != BP_EAGAIN) ++ credit = 0; ++ ++ return current_credit() != credit || kthread_should_stop(); ++} ++ ++/* ++ * As this is a kthread it is guaranteed to run as a single instance only. + * We may of course race updates of the target counts (which are protected + * by the balloon lock), or with changes to the Xen hard limit, but we will + * recover from these in time. + */ +-static void balloon_process(struct work_struct *work) ++static int balloon_thread(void *unused) + { + enum bp_state state = BP_DONE; + long credit; ++ unsigned long timeout; ++ ++ set_freezable(); ++ for (;;) { ++ if (state == BP_EAGAIN) ++ timeout = balloon_stats.schedule_delay * HZ; ++ else ++ timeout = 3600 * HZ; ++ credit = current_credit(); + ++ wait_event_interruptible_timeout(balloon_thread_wq, ++ balloon_thread_cond(state, credit), timeout); ++ ++ if (kthread_should_stop()) ++ return 0; + +- do { + mutex_lock(&balloon_mutex); + + credit = current_credit(); +@@ -609,12 +634,7 @@ static void balloon_process(struct work_struct *work) + mutex_unlock(&balloon_mutex); + + cond_resched(); +- +- } while (credit && state == BP_DONE); +- +- /* Schedule more work if there is some still to be done. 
*/ +- if (state == BP_EAGAIN) +- schedule_delayed_work(&balloon_worker, balloon_stats.schedule_delay * HZ); ++ } + } + + /* Resets the Xen limit, sets new target, and kicks off processing. */ +@@ -622,7 +642,7 @@ void balloon_set_new_target(unsigned long target) + { + /* No need for lock. Not read-modify-write updates. */ + balloon_stats.target_pages = target; +- schedule_delayed_work(&balloon_worker, 0); ++ wake_up(&balloon_thread_wq); + } + EXPORT_SYMBOL_GPL(balloon_set_new_target); + +@@ -727,7 +747,7 @@ void free_xenballooned_pages(int nr_pages, struct page **pages) + + /* The balloon may be too large now. Shrink it if needed. */ + if (current_credit()) +- schedule_delayed_work(&balloon_worker, 0); ++ wake_up(&balloon_thread_wq); + + mutex_unlock(&balloon_mutex); + } +@@ -761,6 +781,8 @@ static void __init balloon_add_region(unsigned long start_pfn, + + static int __init balloon_init(void) + { ++ struct task_struct *task; ++ + if (!xen_domain()) + return -ENODEV; + +@@ -804,6 +826,12 @@ static int __init balloon_init(void) + } + #endif + ++ task = kthread_run(balloon_thread, NULL, "xen-balloon"); ++ if (IS_ERR(task)) { ++ pr_err("xen-balloon thread could not be started, ballooning will not work!\n"); ++ return PTR_ERR(task); ++ } ++ + /* Init the xen-balloon driver. */ + xen_balloon_init(); + +-- +2.33.0 +
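Review bot: balloon_thread() calls `set_freezable()`, but the loop waits with `wait_event_interruptible_timeout()` and no `try_to_freeze()` appears in the lines shown. A freezable kthread that never enters the freezer can stall system suspend or hibernation. Use the freezable wait instead: `wait_event_freezable_timeout(balloon_thread_wq, balloon_thread_cond(state, credit), timeout);`. Part of the loop body lies between the inner hunks and is not visible, so confirm nothing there already handles freezing. Separately, balloon_init() returns `PTR_ERR(task)` when kthread_run() fails, and any callbacks registered earlier in that function (not visible here) would presumably stay registered on that path.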