From: Greg Kroah-Hartman Date: Mon, 27 Jan 2020 18:28:29 +0000 (+0100) Subject: 5.4-stable patches X-Git-Tag: v4.4.212~21 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1f847f2c30e2dce90aee2e8b74ab1fabba4cc2f3;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: do_last-fetch-directory-i_mode-and-i_uid-before-it-s-too-late.patch drm-i915-userptr-fix-size-calculation.patch hsr-fix-a-compilation-error.patch hwmon-nct7802-fix-non-working-alarm-on-voltages.patch hwmon-nct7802-fix-voltage-limits-to-wrong-registers.patch iommu-amd-fix-iommu-perf-counter-clobbering-during-init.patch iwlwifi-mvm-fix-potential-skb-leak-on-txq-tx.patch iwlwifi-mvm-fix-skb-leak-on-invalid-queue.patch leds-gpio-fix-uninitialized-gpio-label-for-fwnode-based-probe.patch lib-reduce-user_access_begin-boundaries-in-strncpy_from_user-and-strnlen_user.patch net-sk_msg-don-t-check-if-sock-is-locked-when-tearing-down-psock.patch net-sonic-fix-cam-initialization.patch readdir-make-user_access_begin-use-the-real-access-range.patch scsi-rdma-isert-fix-a-recently-introduced-regression-related-to-logout.patch tracing-xen-ordered-comparison-of-function-pointers.patch xfrm-support-output_mark-for-offload-esp-packets.patch --- diff --git a/queue-5.4/do_last-fetch-directory-i_mode-and-i_uid-before-it-s-too-late.patch b/queue-5.4/do_last-fetch-directory-i_mode-and-i_uid-before-it-s-too-late.patch new file mode 100644 index 00000000000..4b194f55c9c --- /dev/null +++ b/queue-5.4/do_last-fetch-directory-i_mode-and-i_uid-before-it-s-too-late.patch @@ -0,0 +1,74 @@ +From d0cb50185ae942b03c4327be322055d622dc79f6 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Sun, 26 Jan 2020 09:29:34 -0500 +Subject: do_last(): fetch directory ->i_mode and ->i_uid before it's too late + +From: Al Viro + +commit d0cb50185ae942b03c4327be322055d622dc79f6 upstream. + +may_create_in_sticky() call is done when we already have dropped the +reference to dir. + +Fixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files) +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + fs/namei.c | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +--- a/fs/namei.c ++++ b/fs/namei.c +@@ -1001,7 +1001,8 @@ static int may_linkat(struct path *link) + * may_create_in_sticky - Check whether an O_CREAT open in a sticky directory + * should be allowed, or not, on files that already + * exist. +- * @dir: the sticky parent directory ++ * @dir_mode: mode bits of directory ++ * @dir_uid: owner of directory + * @inode: the inode of the file to open + * + * Block an O_CREAT open of a FIFO (or a regular file) when: +@@ -1017,18 +1018,18 @@ static int may_linkat(struct path *link) + * + * Returns 0 if the open is allowed, -ve on error. + */ +-static int may_create_in_sticky(struct dentry * const dir, ++static int may_create_in_sticky(umode_t dir_mode, kuid_t dir_uid, + struct inode * const inode) + { + if ((!sysctl_protected_fifos && S_ISFIFO(inode->i_mode)) || + (!sysctl_protected_regular && S_ISREG(inode->i_mode)) || +- likely(!(dir->d_inode->i_mode & S_ISVTX)) || +- uid_eq(inode->i_uid, dir->d_inode->i_uid) || ++ likely(!(dir_mode & S_ISVTX)) || ++ uid_eq(inode->i_uid, dir_uid) || + uid_eq(current_fsuid(), inode->i_uid)) + return 0; + +- if (likely(dir->d_inode->i_mode & 0002) || +- (dir->d_inode->i_mode & 0020 && ++ if (likely(dir_mode & 0002) || ++ (dir_mode & 0020 && + ((sysctl_protected_fifos >= 2 && S_ISFIFO(inode->i_mode)) || + (sysctl_protected_regular >= 2 && S_ISREG(inode->i_mode))))) { + return -EACCES; +@@ -3248,6 +3249,8 @@ static int do_last(struct nameidata *nd, + struct file *file, const struct open_flags *op) + { + struct dentry *dir = nd->path.dentry; ++ kuid_t dir_uid = dir->d_inode->i_uid; ++ umode_t dir_mode = dir->d_inode->i_mode; + int open_flag = op->open_flag; + bool will_truncate = (open_flag & O_TRUNC) != 0; + bool got_write = false; +@@ -3383,7 +3386,7 @@ finish_open: + error = -EISDIR; + if (d_is_dir(nd->path.dentry)) + goto out; +- error = may_create_in_sticky(dir, ++ error = may_create_in_sticky(dir_mode, dir_uid, + d_backing_inode(nd->path.dentry)); + if (unlikely(error)) + goto out; diff --git a/queue-5.4/drm-i915-userptr-fix-size-calculation.patch b/queue-5.4/drm-i915-userptr-fix-size-calculation.patch new file mode 100644 index 00000000000..74f3363888d --- /dev/null +++ b/queue-5.4/drm-i915-userptr-fix-size-calculation.patch @@ -0,0 +1,86 @@ +From ecc4d2a52df65479de5e333a9065ed02202a400f Mon Sep 17 00:00:00 2001 +From: Matthew Auld +Date: Fri, 17 Jan 2020 13:24:13 +0000 +Subject: drm/i915/userptr: fix size calculation + +From: Matthew Auld + +commit ecc4d2a52df65479de5e333a9065ed02202a400f upstream. + +If we create a rather large userptr object(e.g 1ULL << 32) we might +shift past the type-width of num_pages: (int)num_pages << PAGE_SHIFT, +resulting in a totally bogus sg_table, which fortunately will eventually +manifest as: + +gen8_ppgtt_insert_huge:463 GEM_BUG_ON(iter->sg->length < page_size) +kernel BUG at drivers/gpu/drm/i915/gt/gen8_ppgtt.c:463! + +v2: more unsigned long + prefer I915_GTT_PAGE_SIZE + +Fixes: 5cc9ed4b9a7a ("drm/i915: Introduce mapping of user pages into video memory (userptr) ioctl") +Signed-off-by: Matthew Auld +Cc: Chris Wilson +Reviewed-by: Chris Wilson +Signed-off-by: Chris Wilson +Link: https://patchwork.freedesktop.org/patch/msgid/20200117132413.1170563-2-matthew.auld@intel.com +(cherry picked from commit 8e78871bc1e5efec22c950d3fd24ddb63d4ff28a) +Signed-off-by: Joonas Lahtinen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/gem/i915_gem_userptr.c | 9 +++++---- + drivers/gpu/drm/i915/i915_gem_gtt.c | 2 ++ + 2 files changed, 7 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/i915/gem/i915_gem_userptr.c ++++ b/drivers/gpu/drm/i915/gem/i915_gem_userptr.c +@@ -427,7 +427,7 @@ struct get_pages_work { + + static struct sg_table * + __i915_gem_userptr_alloc_pages(struct drm_i915_gem_object *obj, +- struct page **pvec, int num_pages) ++ struct page **pvec, unsigned long num_pages) + { + unsigned int max_segment = i915_sg_segment_size(); + struct sg_table *st; +@@ -473,9 +473,10 @@ __i915_gem_userptr_get_pages_worker(stru + { + struct get_pages_work *work = container_of(_work, typeof(*work), work); + struct drm_i915_gem_object *obj = work->obj; +- const int npages = obj->base.size >> PAGE_SHIFT; ++ const unsigned long npages = obj->base.size >> PAGE_SHIFT; ++ unsigned long pinned; + struct page **pvec; +- int pinned, ret; ++ int ret; + + ret = -ENOMEM; + pinned = 0; +@@ -578,7 +579,7 @@ __i915_gem_userptr_get_pages_schedule(st + + static int i915_gem_userptr_get_pages(struct drm_i915_gem_object *obj) + { +- const int num_pages = obj->base.size >> PAGE_SHIFT; ++ const unsigned long num_pages = obj->base.size >> PAGE_SHIFT; + struct mm_struct *mm = obj->userptr.mm->mm; + struct page **pvec; + struct sg_table *pages; +--- a/drivers/gpu/drm/i915/i915_gem_gtt.c ++++ b/drivers/gpu/drm/i915/i915_gem_gtt.c +@@ -1178,6 +1178,7 @@ gen8_ppgtt_insert_pte(struct i915_ppgtt + pd = i915_pd_entry(pdp, gen8_pd_index(idx, 2)); + vaddr = kmap_atomic_px(i915_pt_entry(pd, gen8_pd_index(idx, 1))); + do { ++ GEM_BUG_ON(iter->sg->length < I915_GTT_PAGE_SIZE); + vaddr[gen8_pd_index(idx, 0)] = pte_encode | iter->dma; + + iter->dma += I915_GTT_PAGE_SIZE; +@@ -1657,6 +1658,7 @@ static void gen6_ppgtt_insert_entries(st + + vaddr = kmap_atomic_px(i915_pt_entry(pd, act_pt)); + do { ++ GEM_BUG_ON(iter.sg->length < I915_GTT_PAGE_SIZE); + vaddr[act_pte] = pte_encode | GEN6_PTE_ADDR_ENCODE(iter.dma); + + iter.dma += I915_GTT_PAGE_SIZE; diff --git a/queue-5.4/hsr-fix-a-compilation-error.patch b/queue-5.4/hsr-fix-a-compilation-error.patch new file mode 100644 index 00000000000..cf8c435f1f8 --- /dev/null +++ b/queue-5.4/hsr-fix-a-compilation-error.patch @@ -0,0 +1,38 @@ +From 80892772c4edac88c538165d26a0105f19b61c1c Mon Sep 17 00:00:00 2001 +From: "xiaofeng.yan" +Date: Mon, 20 Jan 2020 14:26:39 +0800 +Subject: hsr: Fix a compilation error + +From: xiaofeng.yan + +commit 80892772c4edac88c538165d26a0105f19b61c1c upstream. + +A compliation error happen when building branch 5.5-rc7 + +In file included from net/hsr/hsr_main.c:12:0: +net/hsr/hsr_main.h:194:20: error: two or more data types in declaration specifiers + static inline void void hsr_debugfs_rename(struct net_device *dev) + +So Removed one void. + +Fixes: 4c2d5e33dcd3 ("hsr: rename debugfs file when interface name is changed") +Signed-off-by: xiaofeng.yan +Acked-by: Taehee Yoo +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/hsr/hsr_main.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/hsr/hsr_main.h ++++ b/net/hsr/hsr_main.h +@@ -191,7 +191,7 @@ void hsr_debugfs_term(struct hsr_priv *p + void hsr_debugfs_create_root(void); + void hsr_debugfs_remove_root(void); + #else +-static inline void void hsr_debugfs_rename(struct net_device *dev) ++static inline void hsr_debugfs_rename(struct net_device *dev) + { + } + static inline void hsr_debugfs_init(struct hsr_priv *priv, diff --git a/queue-5.4/hwmon-nct7802-fix-non-working-alarm-on-voltages.patch b/queue-5.4/hwmon-nct7802-fix-non-working-alarm-on-voltages.patch new file mode 100644 index 00000000000..3edb70a1693 --- /dev/null +++ b/queue-5.4/hwmon-nct7802-fix-non-working-alarm-on-voltages.patch @@ -0,0 +1,154 @@ +From e51a7dda299815e92f43960d620cdfc8dfc144f2 Mon Sep 17 00:00:00 2001 +From: Gilles Buloz +Date: Fri, 29 Nov 2019 10:56:05 +0100 +Subject: hwmon: (nct7802) Fix non-working alarm on voltages + +From: Gilles Buloz + +commit e51a7dda299815e92f43960d620cdfc8dfc144f2 upstream. + +No alarm is reported by /sys/.../inX_alarm + +In detail: + +The SMI Voltage status register is the only register giving a status +for voltages, but it does not work like the non-SMI status registers +used for temperatures and fans. +A bit is set for each input crossing a threshold, in both direction, +but the "inside" or "outside" limits info is not available. +Also this register is cleared on read. +Note : this is not explicitly spelled out in the datasheet, but from +experiment. +As a result if an input is crossing a threshold (min or max in any +direction), the alarm is reported only once even if the input is +still outside limits. Also if the alarm for another input is read +before the one of this input, no alarm is reported at all. + +Signed-off-by: Gilles Buloz +Link: https://lore.kernel.org/r/5de0f566.tBga5POKAgHlmd0p%gilles.buloz@kontron.com +Fixes: 3434f3783580 ("hwmon: Driver for Nuvoton NCT7802Y") +Signed-off-by: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwmon/nct7802.c | 71 +++++++++++++++++++++++++++++++++++++++++++++--- + 1 file changed, 67 insertions(+), 4 deletions(-) + +--- a/drivers/hwmon/nct7802.c ++++ b/drivers/hwmon/nct7802.c +@@ -58,6 +58,8 @@ static const u8 REG_VOLTAGE_LIMIT_MSB_SH + struct nct7802_data { + struct regmap *regmap; + struct mutex access_lock; /* for multi-byte read and write operations */ ++ u8 in_status; ++ struct mutex in_alarm_lock; + }; + + static ssize_t temp_type_show(struct device *dev, +@@ -368,6 +370,66 @@ static ssize_t in_store(struct device *d + return err ? : count; + } + ++static ssize_t in_alarm_show(struct device *dev, struct device_attribute *attr, ++ char *buf) ++{ ++ struct sensor_device_attribute_2 *sattr = to_sensor_dev_attr_2(attr); ++ struct nct7802_data *data = dev_get_drvdata(dev); ++ int volt, min, max, ret; ++ unsigned int val; ++ ++ mutex_lock(&data->in_alarm_lock); ++ ++ /* ++ * The SMI Voltage status register is the only register giving a status ++ * for voltages. A bit is set for each input crossing a threshold, in ++ * both direction, but the "inside" or "outside" limits info is not ++ * available. Also this register is cleared on read. ++ * Note: this is not explicitly spelled out in the datasheet, but ++ * from experiment. ++ * To deal with this we use a status cache with one validity bit and ++ * one status bit for each input. Validity is cleared at startup and ++ * each time the register reports a change, and the status is processed ++ * by software based on current input value and limits. ++ */ ++ ret = regmap_read(data->regmap, 0x1e, &val); /* SMI Voltage status */ ++ if (ret < 0) ++ goto abort; ++ ++ /* invalidate cached status for all inputs crossing a threshold */ ++ data->in_status &= ~((val & 0x0f) << 4); ++ ++ /* if cached status for requested input is invalid, update it */ ++ if (!(data->in_status & (0x10 << sattr->index))) { ++ ret = nct7802_read_voltage(data, sattr->nr, 0); ++ if (ret < 0) ++ goto abort; ++ volt = ret; ++ ++ ret = nct7802_read_voltage(data, sattr->nr, 1); ++ if (ret < 0) ++ goto abort; ++ min = ret; ++ ++ ret = nct7802_read_voltage(data, sattr->nr, 2); ++ if (ret < 0) ++ goto abort; ++ max = ret; ++ ++ if (volt < min || volt > max) ++ data->in_status |= (1 << sattr->index); ++ else ++ data->in_status &= ~(1 << sattr->index); ++ ++ data->in_status |= 0x10 << sattr->index; ++ } ++ ++ ret = sprintf(buf, "%u\n", !!(data->in_status & (1 << sattr->index))); ++abort: ++ mutex_unlock(&data->in_alarm_lock); ++ return ret; ++} ++ + static ssize_t temp_show(struct device *dev, struct device_attribute *attr, + char *buf) + { +@@ -660,7 +722,7 @@ static const struct attribute_group nct7 + static SENSOR_DEVICE_ATTR_2_RO(in0_input, in, 0, 0); + static SENSOR_DEVICE_ATTR_2_RW(in0_min, in, 0, 1); + static SENSOR_DEVICE_ATTR_2_RW(in0_max, in, 0, 2); +-static SENSOR_DEVICE_ATTR_2_RO(in0_alarm, alarm, 0x1e, 3); ++static SENSOR_DEVICE_ATTR_2_RO(in0_alarm, in_alarm, 0, 3); + static SENSOR_DEVICE_ATTR_2_RW(in0_beep, beep, 0x5a, 3); + + static SENSOR_DEVICE_ATTR_2_RO(in1_input, in, 1, 0); +@@ -668,19 +730,19 @@ static SENSOR_DEVICE_ATTR_2_RO(in1_input + static SENSOR_DEVICE_ATTR_2_RO(in2_input, in, 2, 0); + static SENSOR_DEVICE_ATTR_2_RW(in2_min, in, 2, 1); + static SENSOR_DEVICE_ATTR_2_RW(in2_max, in, 2, 2); +-static SENSOR_DEVICE_ATTR_2_RO(in2_alarm, alarm, 0x1e, 0); ++static SENSOR_DEVICE_ATTR_2_RO(in2_alarm, in_alarm, 2, 0); + static SENSOR_DEVICE_ATTR_2_RW(in2_beep, beep, 0x5a, 0); + + static SENSOR_DEVICE_ATTR_2_RO(in3_input, in, 3, 0); + static SENSOR_DEVICE_ATTR_2_RW(in3_min, in, 3, 1); + static SENSOR_DEVICE_ATTR_2_RW(in3_max, in, 3, 2); +-static SENSOR_DEVICE_ATTR_2_RO(in3_alarm, alarm, 0x1e, 1); ++static SENSOR_DEVICE_ATTR_2_RO(in3_alarm, in_alarm, 3, 1); + static SENSOR_DEVICE_ATTR_2_RW(in3_beep, beep, 0x5a, 1); + + static SENSOR_DEVICE_ATTR_2_RO(in4_input, in, 4, 0); + static SENSOR_DEVICE_ATTR_2_RW(in4_min, in, 4, 1); + static SENSOR_DEVICE_ATTR_2_RW(in4_max, in, 4, 2); +-static SENSOR_DEVICE_ATTR_2_RO(in4_alarm, alarm, 0x1e, 2); ++static SENSOR_DEVICE_ATTR_2_RO(in4_alarm, in_alarm, 4, 2); + static SENSOR_DEVICE_ATTR_2_RW(in4_beep, beep, 0x5a, 2); + + static struct attribute *nct7802_in_attrs[] = { +@@ -1011,6 +1073,7 @@ static int nct7802_probe(struct i2c_clie + return PTR_ERR(data->regmap); + + mutex_init(&data->access_lock); ++ mutex_init(&data->in_alarm_lock); + + ret = nct7802_init_chip(data); + if (ret < 0) diff --git a/queue-5.4/hwmon-nct7802-fix-voltage-limits-to-wrong-registers.patch b/queue-5.4/hwmon-nct7802-fix-voltage-limits-to-wrong-registers.patch new file mode 100644 index 00000000000..2892da735e0 --- /dev/null +++ b/queue-5.4/hwmon-nct7802-fix-voltage-limits-to-wrong-registers.patch @@ -0,0 +1,37 @@ +From 7713e62c8623c54dac88d1fa724aa487a38c3efb Mon Sep 17 00:00:00 2001 +From: Gilles Buloz +Date: Wed, 27 Nov 2019 18:09:34 +0100 +Subject: hwmon: (nct7802) Fix voltage limits to wrong registers + +From: Gilles Buloz + +commit 7713e62c8623c54dac88d1fa724aa487a38c3efb upstream. + +in0 thresholds are written to the in2 thresholds registers +in2 thresholds to in3 thresholds +in3 thresholds to in4 thresholds +in4 thresholds to in0 thresholds + +Signed-off-by: Gilles Buloz +Link: https://lore.kernel.org/r/5de0f509.rc0oEvPOMjbfPW1w%gilles.buloz@kontron.com +Fixes: 3434f3783580 ("hwmon: Driver for Nuvoton NCT7802Y") +Signed-off-by: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwmon/nct7802.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/hwmon/nct7802.c ++++ b/drivers/hwmon/nct7802.c +@@ -23,8 +23,8 @@ + static const u8 REG_VOLTAGE[5] = { 0x09, 0x0a, 0x0c, 0x0d, 0x0e }; + + static const u8 REG_VOLTAGE_LIMIT_LSB[2][5] = { +- { 0x40, 0x00, 0x42, 0x44, 0x46 }, +- { 0x3f, 0x00, 0x41, 0x43, 0x45 }, ++ { 0x46, 0x00, 0x40, 0x42, 0x44 }, ++ { 0x45, 0x00, 0x3f, 0x41, 0x43 }, + }; + + static const u8 REG_VOLTAGE_LIMIT_MSB[5] = { 0x48, 0x00, 0x47, 0x47, 0x48 }; diff --git a/queue-5.4/iommu-amd-fix-iommu-perf-counter-clobbering-during-init.patch b/queue-5.4/iommu-amd-fix-iommu-perf-counter-clobbering-during-init.patch new file mode 100644 index 00000000000..91b891addfe --- /dev/null +++ b/queue-5.4/iommu-amd-fix-iommu-perf-counter-clobbering-during-init.patch @@ -0,0 +1,73 @@ +From 8c17bbf6c8f70058a66305f2e1982552e6ea7f47 Mon Sep 17 00:00:00 2001 +From: Shuah Khan +Date: Thu, 23 Jan 2020 15:32:14 -0700 +Subject: iommu/amd: Fix IOMMU perf counter clobbering during init + +From: Shuah Khan + +commit 8c17bbf6c8f70058a66305f2e1982552e6ea7f47 upstream. + +init_iommu_perf_ctr() clobbers the register when it checks write access +to IOMMU perf counters and fails to restore when they are writable. + +Add save and restore to fix it. + +Signed-off-by: Shuah Khan +Fixes: 30861ddc9cca4 ("perf/x86/amd: Add IOMMU Performance Counter resource management") +Reviewed-by: Suravee Suthikulpanit +Tested-by: Suravee Suthikulpanit +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iommu/amd_iommu_init.c | 24 ++++++++++++++++++------ + 1 file changed, 18 insertions(+), 6 deletions(-) + +--- a/drivers/iommu/amd_iommu_init.c ++++ b/drivers/iommu/amd_iommu_init.c +@@ -1655,27 +1655,39 @@ static int iommu_pc_get_set_reg(struct a + static void init_iommu_perf_ctr(struct amd_iommu *iommu) + { + struct pci_dev *pdev = iommu->dev; +- u64 val = 0xabcd, val2 = 0; ++ u64 val = 0xabcd, val2 = 0, save_reg = 0; + + if (!iommu_feature(iommu, FEATURE_PC)) + return; + + amd_iommu_pc_present = true; + ++ /* save the value to restore, if writable */ ++ if (iommu_pc_get_set_reg(iommu, 0, 0, 0, &save_reg, false)) ++ goto pc_false; ++ + /* Check if the performance counters can be written to */ + if ((iommu_pc_get_set_reg(iommu, 0, 0, 0, &val, true)) || + (iommu_pc_get_set_reg(iommu, 0, 0, 0, &val2, false)) || +- (val != val2)) { +- pci_err(pdev, "Unable to write to IOMMU perf counter.\n"); +- amd_iommu_pc_present = false; +- return; +- } ++ (val != val2)) ++ goto pc_false; ++ ++ /* restore */ ++ if (iommu_pc_get_set_reg(iommu, 0, 0, 0, &save_reg, true)) ++ goto pc_false; + + pci_info(pdev, "IOMMU performance counters supported\n"); + + val = readl(iommu->mmio_base + MMIO_CNTR_CONF_OFFSET); + iommu->max_banks = (u8) ((val >> 12) & 0x3f); + iommu->max_counters = (u8) ((val >> 7) & 0xf); ++ ++ return; ++ ++pc_false: ++ pci_err(pdev, "Unable to read/write to IOMMU perf counter.\n"); ++ amd_iommu_pc_present = false; ++ return; + } + + static ssize_t amd_iommu_show_cap(struct device *dev, diff --git a/queue-5.4/iwlwifi-mvm-fix-potential-skb-leak-on-txq-tx.patch b/queue-5.4/iwlwifi-mvm-fix-potential-skb-leak-on-txq-tx.patch new file mode 100644 index 00000000000..68457062959 --- /dev/null +++ b/queue-5.4/iwlwifi-mvm-fix-potential-skb-leak-on-txq-tx.patch @@ -0,0 +1,104 @@ +From df2378ab0f2a9dd4cf4501268af1902cc4ebacd8 Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Wed, 11 Dec 2019 10:15:52 +0100 +Subject: iwlwifi: mvm: fix potential SKB leak on TXQ TX + +From: Johannes Berg + +commit df2378ab0f2a9dd4cf4501268af1902cc4ebacd8 upstream. + +When we transmit after TXQ dequeue, we aren't paying attention to +the return value of the transmit functions, leading to a potential +SKB leak. + +Refactor the code a bit (and rename ..._tx to ..._tx_sta) to check +for this happening. + +Signed-off-by: Johannes Berg +Fixes: cfbc6c4c5b91 ("iwlwifi: mvm: support mac80211 TXQs model") +Signed-off-by: Luca Coelho +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 28 ++++++++++++---------- + drivers/net/wireless/intel/iwlwifi/mvm/mvm.h | 4 +-- + drivers/net/wireless/intel/iwlwifi/mvm/tx.c | 4 +-- + 3 files changed, 20 insertions(+), 16 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c +@@ -742,6 +742,20 @@ int iwl_mvm_mac_setup_register(struct iw + return ret; + } + ++static void iwl_mvm_tx_skb(struct iwl_mvm *mvm, struct sk_buff *skb, ++ struct ieee80211_sta *sta) ++{ ++ if (likely(sta)) { ++ if (likely(iwl_mvm_tx_skb_sta(mvm, skb, sta) == 0)) ++ return; ++ } else { ++ if (likely(iwl_mvm_tx_skb_non_sta(mvm, skb) == 0)) ++ return; ++ } ++ ++ ieee80211_free_txskb(mvm->hw, skb); ++} ++ + static void iwl_mvm_mac_tx(struct ieee80211_hw *hw, + struct ieee80211_tx_control *control, + struct sk_buff *skb) +@@ -785,14 +799,7 @@ static void iwl_mvm_mac_tx(struct ieee80 + } + } + +- if (sta) { +- if (iwl_mvm_tx_skb(mvm, skb, sta)) +- goto drop; +- return; +- } +- +- if (iwl_mvm_tx_skb_non_sta(mvm, skb)) +- goto drop; ++ iwl_mvm_tx_skb(mvm, skb, sta); + return; + drop: + ieee80211_free_txskb(hw, skb); +@@ -842,10 +849,7 @@ void iwl_mvm_mac_itxq_xmit(struct ieee80 + break; + } + +- if (!txq->sta) +- iwl_mvm_tx_skb_non_sta(mvm, skb); +- else +- iwl_mvm_tx_skb(mvm, skb, txq->sta); ++ iwl_mvm_tx_skb(mvm, skb, txq->sta); + } + } while (atomic_dec_return(&mvmtxq->tx_request)); + rcu_read_unlock(); +--- a/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h +@@ -1508,8 +1508,8 @@ int __must_check iwl_mvm_send_cmd_status + int __must_check iwl_mvm_send_cmd_pdu_status(struct iwl_mvm *mvm, u32 id, + u16 len, const void *data, + u32 *status); +-int iwl_mvm_tx_skb(struct iwl_mvm *mvm, struct sk_buff *skb, +- struct ieee80211_sta *sta); ++int iwl_mvm_tx_skb_sta(struct iwl_mvm *mvm, struct sk_buff *skb, ++ struct ieee80211_sta *sta); + int iwl_mvm_tx_skb_non_sta(struct iwl_mvm *mvm, struct sk_buff *skb); + void iwl_mvm_set_tx_cmd(struct iwl_mvm *mvm, struct sk_buff *skb, + struct iwl_tx_cmd *tx_cmd, +--- a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c +@@ -1203,8 +1203,8 @@ drop: + return -1; + } + +-int iwl_mvm_tx_skb(struct iwl_mvm *mvm, struct sk_buff *skb, +- struct ieee80211_sta *sta) ++int iwl_mvm_tx_skb_sta(struct iwl_mvm *mvm, struct sk_buff *skb, ++ struct ieee80211_sta *sta) + { + struct iwl_mvm_sta *mvmsta = iwl_mvm_sta_from_mac80211(sta); + struct ieee80211_tx_info info; diff --git a/queue-5.4/iwlwifi-mvm-fix-skb-leak-on-invalid-queue.patch b/queue-5.4/iwlwifi-mvm-fix-skb-leak-on-invalid-queue.patch new file mode 100644 index 00000000000..1733f8855fd --- /dev/null +++ b/queue-5.4/iwlwifi-mvm-fix-skb-leak-on-invalid-queue.patch @@ -0,0 +1,38 @@ +From b9f726c94224e863d4d3458dfec2e7e1284a39ce Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Wed, 11 Dec 2019 10:09:56 +0100 +Subject: iwlwifi: mvm: fix SKB leak on invalid queue + +From: Johannes Berg + +commit b9f726c94224e863d4d3458dfec2e7e1284a39ce upstream. + +It used to be the case that if we got here, we wouldn't warn +but instead allocate the queue (DQA). With using the mac80211 +TXQs model this changed, and we really have nothing to do with +the frame here anymore, hence the warning now. + +However, clearly we missed in coding & review that this is now +a pure error path and leaks the SKB if we return 0 instead of +an indication that the SKB needs to be freed. Fix this. + +Signed-off-by: Johannes Berg +Fixes: cfbc6c4c5b91 ("iwlwifi: mvm: support mac80211 TXQs model") +Signed-off-by: Luca Coelho +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/intel/iwlwifi/mvm/tx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c +@@ -1151,7 +1151,7 @@ static int iwl_mvm_tx_mpdu(struct iwl_mv + if (WARN_ONCE(txq_id == IWL_MVM_INVALID_QUEUE, "Invalid TXQ id")) { + iwl_trans_free_tx_cmd(mvm->trans, dev_cmd); + spin_unlock(&mvmsta->lock); +- return 0; ++ return -1; + } + + if (!iwl_mvm_has_new_tx_api(mvm)) { diff --git a/queue-5.4/leds-gpio-fix-uninitialized-gpio-label-for-fwnode-based-probe.patch b/queue-5.4/leds-gpio-fix-uninitialized-gpio-label-for-fwnode-based-probe.patch new file mode 100644 index 00000000000..e713d61b1fb --- /dev/null +++ b/queue-5.4/leds-gpio-fix-uninitialized-gpio-label-for-fwnode-based-probe.patch @@ -0,0 +1,62 @@ +From 90a8e82d3ca8c1f85ac63f4a94c9b034f05af4ee Mon Sep 17 00:00:00 2001 +From: Jacek Anaszewski +Date: Thu, 5 Dec 2019 22:25:01 +0100 +Subject: leds: gpio: Fix uninitialized gpio label for fwnode based probe + +From: Jacek Anaszewski + +commit 90a8e82d3ca8c1f85ac63f4a94c9b034f05af4ee upstream. + +When switching to using generic LED name composition mechanism via +devm_led_classdev_register_ext() API the part of code initializing +struct gpio_led's template name property was removed alongside. +It was however overlooked that the property was also passed to +devm_fwnode_get_gpiod_from_child() in place of "label" parameter, +which when set to NULL, results in gpio label being initialized to '?'. + +It could be observed in debugfs and failed to properly identify +gpio association with LED consumer. + +Fix this shortcoming by updating the GPIO label after the LED is +registered and its final name is known. + +Fixes: d7235f5feaa0 ("leds: gpio: Use generic support for composing LED names") +Cc: Russell King +Reviewed-by: Linus Walleij +Signed-off-by: Jacek Anaszewski +[fixed comment] +Signed-off-by: Pavel Machek +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/leds/leds-gpio.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/drivers/leds/leds-gpio.c ++++ b/drivers/leds/leds-gpio.c +@@ -151,9 +151,14 @@ static struct gpio_leds_priv *gpio_leds_ + struct gpio_led led = {}; + const char *state = NULL; + ++ /* ++ * Acquire gpiod from DT with uninitialized label, which ++ * will be updated after LED class device is registered, ++ * Only then the final LED name is known. ++ */ + led.gpiod = devm_fwnode_get_gpiod_from_child(dev, NULL, child, + GPIOD_ASIS, +- led.name); ++ NULL); + if (IS_ERR(led.gpiod)) { + fwnode_handle_put(child); + return ERR_CAST(led.gpiod); +@@ -186,6 +191,9 @@ static struct gpio_leds_priv *gpio_leds_ + fwnode_handle_put(child); + return ERR_PTR(ret); + } ++ /* Set gpiod label to match the corresponding LED name. */ ++ gpiod_set_consumer_name(led_dat->gpiod, ++ led_dat->cdev.dev->kobj.name); + priv->num_leds++; + } + diff --git a/queue-5.4/lib-reduce-user_access_begin-boundaries-in-strncpy_from_user-and-strnlen_user.patch b/queue-5.4/lib-reduce-user_access_begin-boundaries-in-strncpy_from_user-and-strnlen_user.patch new file mode 100644 index 00000000000..a7db013dc38 --- /dev/null +++ b/queue-5.4/lib-reduce-user_access_begin-boundaries-in-strncpy_from_user-and-strnlen_user.patch @@ -0,0 +1,89 @@ +From ab10ae1c3bef56c29bac61e1201c752221b87b41 Mon Sep 17 00:00:00 2001 +From: Christophe Leroy +Date: Thu, 23 Jan 2020 08:34:18 +0000 +Subject: lib: Reduce user_access_begin() boundaries in strncpy_from_user() and strnlen_user() + +From: Christophe Leroy + +commit ab10ae1c3bef56c29bac61e1201c752221b87b41 upstream. + +The range passed to user_access_begin() by strncpy_from_user() and +strnlen_user() starts at 'src' and goes up to the limit of userspace +although reads will be limited by the 'count' param. + +On 32 bits powerpc (book3s/32) access has to be granted for each +256Mbytes segment and the cost increases with the number of segments to +unlock. + +Limit the range with 'count' param. + +Fixes: 594cc251fdd0 ("make 'user_access_begin()' do 'access_ok()'") +Signed-off-by: Christophe Leroy +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + lib/strncpy_from_user.c | 14 +++++++------- + lib/strnlen_user.c | 14 +++++++------- + 2 files changed, 14 insertions(+), 14 deletions(-) + +--- a/lib/strncpy_from_user.c ++++ b/lib/strncpy_from_user.c +@@ -30,13 +30,6 @@ static inline long do_strncpy_from_user( + const struct word_at_a_time constants = WORD_AT_A_TIME_CONSTANTS; + unsigned long res = 0; + +- /* +- * Truncate 'max' to the user-specified limit, so that +- * we only have one limit we need to check in the loop +- */ +- if (max > count) +- max = count; +- + if (IS_UNALIGNED(src, dst)) + goto byte_at_a_time; + +@@ -114,6 +107,13 @@ long strncpy_from_user(char *dst, const + unsigned long max = max_addr - src_addr; + long retval; + ++ /* ++ * Truncate 'max' to the user-specified limit, so that ++ * we only have one limit we need to check in the loop ++ */ ++ if (max > count) ++ max = count; ++ + kasan_check_write(dst, count); + check_object_size(dst, count, false); + if (user_access_begin(src, max)) { +--- a/lib/strnlen_user.c ++++ b/lib/strnlen_user.c +@@ -27,13 +27,6 @@ static inline long do_strnlen_user(const + unsigned long c; + + /* +- * Truncate 'max' to the user-specified limit, so that +- * we only have one limit we need to check in the loop +- */ +- if (max > count) +- max = count; +- +- /* + * Do everything aligned. But that means that we + * need to also expand the maximum.. + */ +@@ -109,6 +102,13 @@ long strnlen_user(const char __user *str + unsigned long max = max_addr - src_addr; + long retval; + ++ /* ++ * Truncate 'max' to the user-specified limit, so that ++ * we only have one limit we need to check in the loop ++ */ ++ if (max > count) ++ max = count; ++ + if (user_access_begin(str, max)) { + retval = do_strnlen_user(str, count, max); + user_access_end(); diff --git a/queue-5.4/net-mlx5-dr-enable-counter-on-non-fwd-dest-objects.patch b/queue-5.4/net-mlx5-dr-enable-counter-on-non-fwd-dest-objects.patch index 97b1abfae68..85dff955e35 100644 --- a/queue-5.4/net-mlx5-dr-enable-counter-on-non-fwd-dest-objects.patch +++ b/queue-5.4/net-mlx5-dr-enable-counter-on-non-fwd-dest-objects.patch @@ -5,6 +5,8 @@ Subject: net/mlx5: DR, Enable counter on non-fwd-dest objects From: Erez Shitrit +commmit b850a82114df9b0ec1d191dc64eed1f20a772e0f upstream. + The current code handles only counters that attached to dest, we still have the cases where we have counter on non-dest, like over drop etc. diff --git a/queue-5.4/net-mlx5-dr-use-non-preemptible-call-to-get-the-current-cpu-number.patch b/queue-5.4/net-mlx5-dr-use-non-preemptible-call-to-get-the-current-cpu-number.patch index f1b49ab3f3d..b4bf10af92e 100644 --- a/queue-5.4/net-mlx5-dr-use-non-preemptible-call-to-get-the-current-cpu-number.patch +++ b/queue-5.4/net-mlx5-dr-use-non-preemptible-call-to-get-the-current-cpu-number.patch @@ -5,6 +5,8 @@ Subject: net/mlx5: DR, use non preemptible call to get the current cpu number From: Erez Shitrit +commit c0702a4bd41829f05638ec2dab70f6bb8d8010ce upstream. + Use raw_smp_processor_id instead of smp_processor_id() otherwise we will get the following trace in debug-kernel: BUG: using smp_processor_id() in preemptible [00000000] code: devlink diff --git a/queue-5.4/net-mlx5-e-switch-prevent-ingress-rate-configuration-of-uplink-rep.patch b/queue-5.4/net-mlx5-e-switch-prevent-ingress-rate-configuration-of-uplink-rep.patch index 5ea69616d27..f6ddde8b46e 100644 --- a/queue-5.4/net-mlx5-e-switch-prevent-ingress-rate-configuration-of-uplink-rep.patch +++ b/queue-5.4/net-mlx5-e-switch-prevent-ingress-rate-configuration-of-uplink-rep.patch @@ -5,6 +5,8 @@ Subject: net/mlx5: E-Switch, Prevent ingress rate configuration of uplink rep From: Eli Cohen +commit e401a1848be87123a2b2049addbf21138cb47081 upstream. + Since the implementation relies on limiting the VF transmit rate to simulate ingress rate limiting, and since either uplink representor or ecpf are not associated with a VF, we limit the rate limit configuration diff --git a/queue-5.4/net-mlx5-fix-lowest-fdb-pool-size.patch b/queue-5.4/net-mlx5-fix-lowest-fdb-pool-size.patch index e622f9ab67a..e9b0fb3e3ad 100644 --- a/queue-5.4/net-mlx5-fix-lowest-fdb-pool-size.patch +++ b/queue-5.4/net-mlx5-fix-lowest-fdb-pool-size.patch @@ -5,6 +5,8 @@ Subject: net/mlx5: Fix lowest FDB pool size From: Paul Blakey +commit 93b8a7ecb7287cc9b0196f12a25b57c2462d11dc upstream. + The pool sizes represent the pool sizes in the fw. when we request a pool size from fw, it will return the next possible group. We track how many pools the fw has left and start requesting groups diff --git a/queue-5.4/net-mlx5-update-the-list-of-the-pci-supported-devices.patch b/queue-5.4/net-mlx5-update-the-list-of-the-pci-supported-devices.patch index 9b99dd78dbc..5d31c5d2234 100644 --- a/queue-5.4/net-mlx5-update-the-list-of-the-pci-supported-devices.patch +++ b/queue-5.4/net-mlx5-update-the-list-of-the-pci-supported-devices.patch @@ -5,6 +5,8 @@ Subject: net/mlx5: Update the list of the PCI supported devices From: Meir Lichtinger +commit 505a7f5478062c6cd11e22022d9f1bf64cd8eab3 upstream + Add the upcoming ConnectX-7 device ID. Fixes: 85327a9c4150 ("net/mlx5: Update the list of the PCI supported devices") diff --git a/queue-5.4/net-mlx5e-ktls-do-not-send-decrypted-marked-skbs-via-non-accel-path.patch b/queue-5.4/net-mlx5e-ktls-do-not-send-decrypted-marked-skbs-via-non-accel-path.patch index f466a0cd428..cfe2e4cb7c6 100644 --- a/queue-5.4/net-mlx5e-ktls-do-not-send-decrypted-marked-skbs-via-non-accel-path.patch +++ b/queue-5.4/net-mlx5e-ktls-do-not-send-decrypted-marked-skbs-via-non-accel-path.patch @@ -5,6 +5,8 @@ Subject: net/mlx5e: kTLS, Do not send decrypted-marked SKBs via non-accel path From: Tariq Toukan +commit 342508c1c7540e281fd36151c175ba5ff954a99f upstream. + When TCP out-of-order is identified (unexpected tcp seq mismatch), driver analyzes the packet and decides what handling should it get: 1. go to accelerated path (to be encrypted in HW), diff --git a/queue-5.4/net-mlx5e-ktls-fix-corner-case-checks-in-tx-resync-flow.patch b/queue-5.4/net-mlx5e-ktls-fix-corner-case-checks-in-tx-resync-flow.patch index 648d22c5c72..d6e1e45eb9b 100644 --- a/queue-5.4/net-mlx5e-ktls-fix-corner-case-checks-in-tx-resync-flow.patch +++ b/queue-5.4/net-mlx5e-ktls-fix-corner-case-checks-in-tx-resync-flow.patch @@ -5,6 +5,8 @@ Subject: net/mlx5e: kTLS, Fix corner-case checks in TX resync flow From: Tariq Toukan +commit ffbd9ca94e2ebbfe802d4b28bab5ba19818de853 upstream. + There are the following cases: 1. Packet ends before start marker: bypass offload. diff --git a/queue-5.4/net-mlx5e-ktls-remove-redundant-posts-in-tx-resync-flow.patch b/queue-5.4/net-mlx5e-ktls-remove-redundant-posts-in-tx-resync-flow.patch index 85cc014bf27..8e0b98d96a5 100644 --- a/queue-5.4/net-mlx5e-ktls-remove-redundant-posts-in-tx-resync-flow.patch +++ b/queue-5.4/net-mlx5e-ktls-remove-redundant-posts-in-tx-resync-flow.patch @@ -5,6 +5,8 @@ Subject: net/mlx5e: kTLS, Remove redundant posts in TX resync flow From: Tariq Toukan +commit 1e92899791358dba94a9db7cc3b6004636b5a2f6 upstream. + The call to tx_post_resync_params() is done earlier in the flow, the post of the control WQEs is unnecessarily repeated. Remove it. diff --git a/queue-5.4/net-sk_msg-don-t-check-if-sock-is-locked-when-tearing-down-psock.patch b/queue-5.4/net-sk_msg-don-t-check-if-sock-is-locked-when-tearing-down-psock.patch new file mode 100644 index 00000000000..aaa02698a90 --- /dev/null +++ b/queue-5.4/net-sk_msg-don-t-check-if-sock-is-locked-when-tearing-down-psock.patch @@ -0,0 +1,52 @@ +From 58c8db929db1c1d785a6f5d8f8692e5dbcc35e84 Mon Sep 17 00:00:00 2001 +From: Jakub Sitnicki +Date: Tue, 21 Jan 2020 13:31:47 +0100 +Subject: net, sk_msg: Don't check if sock is locked when tearing down psock + +From: Jakub Sitnicki + +commit 58c8db929db1c1d785a6f5d8f8692e5dbcc35e84 upstream. + +As John Fastabend reports [0], psock state tear-down can happen on receive +path *after* unlocking the socket, if the only other psock user, that is +sockmap or sockhash, releases its psock reference before tcp_bpf_recvmsg +does so: + + tcp_bpf_recvmsg() + psock = sk_psock_get(sk) <- refcnt 2 + lock_sock(sk); + ... + sock_map_free() <- refcnt 1 + release_sock(sk) + sk_psock_put() <- refcnt 0 + +Remove the lockdep check for socket lock in psock tear-down that got +introduced in 7e81a3530206 ("bpf: Sockmap, ensure sock lock held during +tear down"). + +[0] https://lore.kernel.org/netdev/5e25dc995d7d_74082aaee6e465b441@john-XPS-13-9370.notmuch/ + +Fixes: 7e81a3530206 ("bpf: Sockmap, ensure sock lock held during tear down") +Reported-by: syzbot+d73682fcf7fee6982fe3@syzkaller.appspotmail.com +Suggested-by: John Fastabend +Signed-off-by: Jakub Sitnicki +Acked-by: John Fastabend +Acked-by: Daniel Borkmann +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/core/skmsg.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/net/core/skmsg.c ++++ b/net/core/skmsg.c +@@ -594,8 +594,6 @@ EXPORT_SYMBOL_GPL(sk_psock_destroy); + + void sk_psock_drop(struct sock *sk, struct sk_psock *psock) + { +- sock_owned_by_me(sk); +- + sk_psock_cork_free(psock); + sk_psock_zap_ingress(psock); + diff --git a/queue-5.4/net-sonic-fix-cam-initialization.patch b/queue-5.4/net-sonic-fix-cam-initialization.patch new file mode 100644 index 00000000000..e3ac4706e51 --- /dev/null +++ b/queue-5.4/net-sonic-fix-cam-initialization.patch @@ -0,0 +1,89 @@ +From 772f66421d5aa0b9f256056f513bbc38ac132271 Mon Sep 17 00:00:00 2001 +From: Finn Thain +Date: Thu, 23 Jan 2020 09:07:26 +1100 +Subject: net/sonic: Fix CAM initialization + +From: Finn Thain + +commit 772f66421d5aa0b9f256056f513bbc38ac132271 upstream. + +Section 4.3.1 of the datasheet says, + + This bit [TXP] must not be set if a Load CAM operation is in + progress (LCAM is set). The SONIC will lock up if both bits are + set simultaneously. + +Testing has shown that the driver sometimes attempts to set LCAM +while TXP is set. Avoid this by waiting for command completion +before and after giving the LCAM command. + +After issuing the Load CAM command, poll for !SONIC_CR_LCAM rather than +SONIC_INT_LCD, because the SONIC_CR_TXP bit can't be used until +!SONIC_CR_LCAM. + +When in reset mode, take the opportunity to reset the CAM Enable +register. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Tested-by: Stan Johnson +Signed-off-by: Finn Thain +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/natsemi/sonic.c | 21 ++++++++++++--------- + 1 file changed, 12 insertions(+), 9 deletions(-) + +--- a/drivers/net/ethernet/natsemi/sonic.c ++++ b/drivers/net/ethernet/natsemi/sonic.c +@@ -550,6 +550,8 @@ static void sonic_multicast_list(struct + (netdev_mc_count(dev) > 15)) { + rcr |= SONIC_RCR_AMC; + } else { ++ unsigned long flags; ++ + netif_dbg(lp, ifup, dev, "%s: mc_count %d\n", __func__, + netdev_mc_count(dev)); + sonic_set_cam_enable(dev, 1); /* always enable our own address */ +@@ -563,9 +565,14 @@ static void sonic_multicast_list(struct + i++; + } + SONIC_WRITE(SONIC_CDC, 16); +- /* issue Load CAM command */ + SONIC_WRITE(SONIC_CDP, lp->cda_laddr & 0xffff); ++ ++ /* LCAM and TXP commands can't be used simultaneously */ ++ spin_lock_irqsave(&lp->lock, flags); ++ sonic_quiesce(dev, SONIC_CR_TXP); + SONIC_WRITE(SONIC_CMD, SONIC_CR_LCAM); ++ sonic_quiesce(dev, SONIC_CR_LCAM); ++ spin_unlock_irqrestore(&lp->lock, flags); + } + } + +@@ -592,6 +599,9 @@ static int sonic_init(struct net_device + SONIC_WRITE(SONIC_ISR, 0x7fff); + SONIC_WRITE(SONIC_CMD, SONIC_CR_RST); + ++ /* While in reset mode, clear CAM Enable register */ ++ SONIC_WRITE(SONIC_CE, 0); ++ + /* + * clear software reset flag, disable receiver, clear and + * enable interrupts, then completely initialize the SONIC +@@ -713,14 +723,7 @@ static int sonic_init(struct net_device + * load the CAM + */ + SONIC_WRITE(SONIC_CMD, SONIC_CR_LCAM); +- +- i = 0; +- while (i++ < 100) { +- if (SONIC_READ(SONIC_ISR) & SONIC_INT_LCD) +- break; +- } +- netif_dbg(lp, ifup, dev, "%s: CMD=%x, ISR=%x, i=%d\n", __func__, +- SONIC_READ(SONIC_CMD), SONIC_READ(SONIC_ISR), i); ++ sonic_quiesce(dev, SONIC_CR_LCAM); + + /* + * enable receiver, disable loopback diff --git a/queue-5.4/readdir-make-user_access_begin-use-the-real-access-range.patch b/queue-5.4/readdir-make-user_access_begin-use-the-real-access-range.patch new file mode 100644 index 00000000000..b9717500fdc --- /dev/null +++ b/queue-5.4/readdir-make-user_access_begin-use-the-real-access-range.patch @@ -0,0 +1,240 @@ +From 3c2659bd1db81ed6a264a9fc6262d51667d655ad Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Wed, 22 Jan 2020 12:37:25 -0800 +Subject: readdir: make user_access_begin() use the real access range + +From: Linus Torvalds + +commit 3c2659bd1db81ed6a264a9fc6262d51667d655ad upstream. + +In commit 9f79b78ef744 ("Convert filldir[64]() from __put_user() to +unsafe_put_user()") I changed filldir to not do individual __put_user() +accesses, but instead use unsafe_put_user() surrounded by the proper +user_access_begin/end() pair. + +That make them enormously faster on modern x86, where the STAC/CLAC +games make individual user accesses fairly heavy-weight. + +However, the user_access_begin() range was not really the exact right +one, since filldir() has the unfortunate problem that it needs to not +only fill out the new directory entry, it also needs to fix up the +previous one to contain the proper file offset. + +It's unfortunate, but the "d_off" field in "struct dirent" is _not_ the +file offset of the directory entry itself - it's the offset of the next +one. So we end up backfilling the offset in the previous entry as we +walk along. + +But since x86 didn't really care about the exact range, and used to be +the only architecture that did anything fancy in user_access_begin() to +begin with, the filldir[64]() changes did something lazy, and even +commented on it: + + /* + * Note! This range-checks 'previous' (which may be NULL). + * The real range was checked in getdents + */ + if (!user_access_begin(dirent, sizeof(*dirent))) + goto efault; + +and it all worked fine. + +But now 32-bit ppc is starting to also implement user_access_begin(), +and the fact that we faked the range to only be the (possibly not even +valid) previous directory entry becomes a problem, because ppc32 will +actually be using the range that is passed in for more than just "check +that it's user space". + +This is a complete rewrite of Christophe's original patch. + +By saving off the record length of the previous entry instead of a +pointer to it in the filldir data structures, we can simplify the range +check and the writing of the previous entry d_off field. No need for +any conditionals in the user accesses themselves, although we retain the +conditional EINTR checking for the "was this the first directory entry" +signal handling latency logic. + +Fixes: 9f79b78ef744 ("Convert filldir[64]() from __put_user() to unsafe_put_user()") +Link: https://lore.kernel.org/lkml/a02d3426f93f7eb04960a4d9140902d278cab0bb.1579697910.git.christophe.leroy@c-s.fr/ +Link: https://lore.kernel.org/lkml/408c90c4068b00ea8f1c41cca45b84ec23d4946b.1579783936.git.christophe.leroy@c-s.fr/ +Reported-and-tested-by: Christophe Leroy +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/readdir.c | 73 ++++++++++++++++++++++++++++------------------------------- + 1 file changed, 35 insertions(+), 38 deletions(-) + +--- a/fs/readdir.c ++++ b/fs/readdir.c +@@ -206,7 +206,7 @@ struct linux_dirent { + struct getdents_callback { + struct dir_context ctx; + struct linux_dirent __user * current_dir; +- struct linux_dirent __user * previous; ++ int prev_reclen; + int count; + int error; + }; +@@ -214,12 +214,13 @@ struct getdents_callback { + static int filldir(struct dir_context *ctx, const char *name, int namlen, + loff_t offset, u64 ino, unsigned int d_type) + { +- struct linux_dirent __user * dirent; ++ struct linux_dirent __user *dirent, *prev; + struct getdents_callback *buf = + container_of(ctx, struct getdents_callback, ctx); + unsigned long d_ino; + int reclen = ALIGN(offsetof(struct linux_dirent, d_name) + namlen + 2, + sizeof(long)); ++ int prev_reclen; + + buf->error = verify_dirent_name(name, namlen); + if (unlikely(buf->error)) +@@ -232,28 +233,24 @@ static int filldir(struct dir_context *c + buf->error = -EOVERFLOW; + return -EOVERFLOW; + } +- dirent = buf->previous; +- if (dirent && signal_pending(current)) ++ prev_reclen = buf->prev_reclen; ++ if (prev_reclen && signal_pending(current)) + return -EINTR; +- +- /* +- * Note! This range-checks 'previous' (which may be NULL). +- * The real range was checked in getdents +- */ +- if (!user_access_begin(dirent, sizeof(*dirent))) +- goto efault; +- if (dirent) +- unsafe_put_user(offset, &dirent->d_off, efault_end); + dirent = buf->current_dir; ++ prev = (void __user *) dirent - prev_reclen; ++ if (!user_access_begin(prev, reclen + prev_reclen)) ++ goto efault; ++ ++ /* This might be 'dirent->d_off', but if so it will get overwritten */ ++ unsafe_put_user(offset, &prev->d_off, efault_end); + unsafe_put_user(d_ino, &dirent->d_ino, efault_end); + unsafe_put_user(reclen, &dirent->d_reclen, efault_end); + unsafe_put_user(d_type, (char __user *) dirent + reclen - 1, efault_end); + unsafe_copy_dirent_name(dirent->d_name, name, namlen, efault_end); + user_access_end(); + +- buf->previous = dirent; +- dirent = (void __user *)dirent + reclen; +- buf->current_dir = dirent; ++ buf->current_dir = (void __user *)dirent + reclen; ++ buf->prev_reclen = reclen; + buf->count -= reclen; + return 0; + efault_end: +@@ -267,7 +264,6 @@ SYSCALL_DEFINE3(getdents, unsigned int, + struct linux_dirent __user *, dirent, unsigned int, count) + { + struct fd f; +- struct linux_dirent __user * lastdirent; + struct getdents_callback buf = { + .ctx.actor = filldir, + .count = count, +@@ -285,8 +281,10 @@ SYSCALL_DEFINE3(getdents, unsigned int, + error = iterate_dir(f.file, &buf.ctx); + if (error >= 0) + error = buf.error; +- lastdirent = buf.previous; +- if (lastdirent) { ++ if (buf.prev_reclen) { ++ struct linux_dirent __user * lastdirent; ++ lastdirent = (void __user *)buf.current_dir - buf.prev_reclen; ++ + if (put_user(buf.ctx.pos, &lastdirent->d_off)) + error = -EFAULT; + else +@@ -299,7 +297,7 @@ SYSCALL_DEFINE3(getdents, unsigned int, + struct getdents_callback64 { + struct dir_context ctx; + struct linux_dirent64 __user * current_dir; +- struct linux_dirent64 __user * previous; ++ int prev_reclen; + int count; + int error; + }; +@@ -307,11 +305,12 @@ struct getdents_callback64 { + static int filldir64(struct dir_context *ctx, const char *name, int namlen, + loff_t offset, u64 ino, unsigned int d_type) + { +- struct linux_dirent64 __user *dirent; ++ struct linux_dirent64 __user *dirent, *prev; + struct getdents_callback64 *buf = + container_of(ctx, struct getdents_callback64, ctx); + int reclen = ALIGN(offsetof(struct linux_dirent64, d_name) + namlen + 1, + sizeof(u64)); ++ int prev_reclen; + + buf->error = verify_dirent_name(name, namlen); + if (unlikely(buf->error)) +@@ -319,30 +318,27 @@ static int filldir64(struct dir_context + buf->error = -EINVAL; /* only used if we fail.. */ + if (reclen > buf->count) + return -EINVAL; +- dirent = buf->previous; +- if (dirent && signal_pending(current)) ++ prev_reclen = buf->prev_reclen; ++ if (prev_reclen && signal_pending(current)) + return -EINTR; +- +- /* +- * Note! This range-checks 'previous' (which may be NULL). +- * The real range was checked in getdents +- */ +- if (!user_access_begin(dirent, sizeof(*dirent))) +- goto efault; +- if (dirent) +- unsafe_put_user(offset, &dirent->d_off, efault_end); + dirent = buf->current_dir; ++ prev = (void __user *)dirent - prev_reclen; ++ if (!user_access_begin(prev, reclen + prev_reclen)) ++ goto efault; ++ ++ /* This might be 'dirent->d_off', but if so it will get overwritten */ ++ unsafe_put_user(offset, &prev->d_off, efault_end); + unsafe_put_user(ino, &dirent->d_ino, efault_end); + unsafe_put_user(reclen, &dirent->d_reclen, efault_end); + unsafe_put_user(d_type, &dirent->d_type, efault_end); + unsafe_copy_dirent_name(dirent->d_name, name, namlen, efault_end); + user_access_end(); + +- buf->previous = dirent; +- dirent = (void __user *)dirent + reclen; +- buf->current_dir = dirent; ++ buf->prev_reclen = reclen; ++ buf->current_dir = (void __user *)dirent + reclen; + buf->count -= reclen; + return 0; ++ + efault_end: + user_access_end(); + efault: +@@ -354,7 +350,6 @@ int ksys_getdents64(unsigned int fd, str + unsigned int count) + { + struct fd f; +- struct linux_dirent64 __user * lastdirent; + struct getdents_callback64 buf = { + .ctx.actor = filldir64, + .count = count, +@@ -372,9 +367,11 @@ int ksys_getdents64(unsigned int fd, str + error = iterate_dir(f.file, &buf.ctx); + if (error >= 0) + error = buf.error; +- lastdirent = buf.previous; +- if (lastdirent) { ++ if (buf.prev_reclen) { ++ struct linux_dirent64 __user * lastdirent; + typeof(lastdirent->d_off) d_off = buf.ctx.pos; ++ ++ lastdirent = (void __user *) buf.current_dir - buf.prev_reclen; + if (__put_user(d_off, &lastdirent->d_off)) + error = -EFAULT; + else diff --git a/queue-5.4/scsi-rdma-isert-fix-a-recently-introduced-regression-related-to-logout.patch b/queue-5.4/scsi-rdma-isert-fix-a-recently-introduced-regression-related-to-logout.patch new file mode 100644 index 00000000000..481e2afcb46 --- /dev/null +++ b/queue-5.4/scsi-rdma-isert-fix-a-recently-introduced-regression-related-to-logout.patch @@ -0,0 +1,79 @@ +From 04060db41178c7c244f2c7dcd913e7fd331de915 Mon Sep 17 00:00:00 2001 +From: Bart Van Assche +Date: Wed, 15 Jan 2020 20:47:37 -0800 +Subject: scsi: RDMA/isert: Fix a recently introduced regression related to logout + +From: Bart Van Assche + +commit 04060db41178c7c244f2c7dcd913e7fd331de915 upstream. + +iscsit_close_connection() calls isert_wait_conn(). Due to commit +e9d3009cb936 both functions call target_wait_for_sess_cmds() although that +last function should be called only once. Fix this by removing the +target_wait_for_sess_cmds() call from isert_wait_conn() and by only calling +isert_wait_conn() after target_wait_for_sess_cmds(). + +Fixes: e9d3009cb936 ("scsi: target: iscsi: Wait for all commands to finish before freeing a session"). +Link: https://lore.kernel.org/r/20200116044737.19507-1-bvanassche@acm.org +Reported-by: Rahul Kundu +Signed-off-by: Bart Van Assche +Tested-by: Mike Marciniszyn +Acked-by: Sagi Grimberg +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/ulp/isert/ib_isert.c | 12 ------------ + drivers/target/iscsi/iscsi_target.c | 6 +++--- + 2 files changed, 3 insertions(+), 15 deletions(-) + +--- a/drivers/infiniband/ulp/isert/ib_isert.c ++++ b/drivers/infiniband/ulp/isert/ib_isert.c +@@ -2575,17 +2575,6 @@ isert_wait4logout(struct isert_conn *ise + } + } + +-static void +-isert_wait4cmds(struct iscsi_conn *conn) +-{ +- isert_info("iscsi_conn %p\n", conn); +- +- if (conn->sess) { +- target_sess_cmd_list_set_waiting(conn->sess->se_sess); +- target_wait_for_sess_cmds(conn->sess->se_sess); +- } +-} +- + /** + * isert_put_unsol_pending_cmds() - Drop commands waiting for + * unsolicitate dataout +@@ -2633,7 +2622,6 @@ static void isert_wait_conn(struct iscsi + + ib_drain_qp(isert_conn->qp); + isert_put_unsol_pending_cmds(conn); +- isert_wait4cmds(conn); + isert_wait4logout(isert_conn); + + queue_work(isert_release_wq, &isert_conn->release_work); +--- a/drivers/target/iscsi/iscsi_target.c ++++ b/drivers/target/iscsi/iscsi_target.c +@@ -4151,9 +4151,6 @@ int iscsit_close_connection( + iscsit_stop_nopin_response_timer(conn); + iscsit_stop_nopin_timer(conn); + +- if (conn->conn_transport->iscsit_wait_conn) +- conn->conn_transport->iscsit_wait_conn(conn); +- + /* + * During Connection recovery drop unacknowledged out of order + * commands for this connection, and prepare the other commands +@@ -4239,6 +4236,9 @@ int iscsit_close_connection( + target_sess_cmd_list_set_waiting(sess->se_sess); + target_wait_for_sess_cmds(sess->se_sess); + ++ if (conn->conn_transport->iscsit_wait_conn) ++ conn->conn_transport->iscsit_wait_conn(conn); ++ + ahash_request_free(conn->conn_tx_hash); + if (conn->conn_rx_hash) { + struct crypto_ahash *tfm; diff --git a/queue-5.4/series b/queue-5.4/series index 6d635670777..cd06c12cc90 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -68,3 +68,19 @@ input-aiptek-fix-endpoint-sanity-check.patch input-pegasus_notetaker-fix-endpoint-sanity-check.patch input-sun4i-ts-add-a-check-for-devm_thermal_zone_of_sensor_register.patch netfilter-nft_osf-add-missing-check-for-dreg-attribute.patch +lib-reduce-user_access_begin-boundaries-in-strncpy_from_user-and-strnlen_user.patch +iommu-amd-fix-iommu-perf-counter-clobbering-during-init.patch +readdir-make-user_access_begin-use-the-real-access-range.patch +leds-gpio-fix-uninitialized-gpio-label-for-fwnode-based-probe.patch +hsr-fix-a-compilation-error.patch +hwmon-nct7802-fix-voltage-limits-to-wrong-registers.patch +hwmon-nct7802-fix-non-working-alarm-on-voltages.patch +scsi-rdma-isert-fix-a-recently-introduced-regression-related-to-logout.patch +tracing-xen-ordered-comparison-of-function-pointers.patch +iwlwifi-mvm-fix-skb-leak-on-invalid-queue.patch +iwlwifi-mvm-fix-potential-skb-leak-on-txq-tx.patch +drm-i915-userptr-fix-size-calculation.patch +xfrm-support-output_mark-for-offload-esp-packets.patch +net-sk_msg-don-t-check-if-sock-is-locked-when-tearing-down-psock.patch +do_last-fetch-directory-i_mode-and-i_uid-before-it-s-too-late.patch +net-sonic-fix-cam-initialization.patch diff --git a/queue-5.4/tracing-xen-ordered-comparison-of-function-pointers.patch b/queue-5.4/tracing-xen-ordered-comparison-of-function-pointers.patch new file mode 100644 index 00000000000..b3b18083b45 --- /dev/null +++ b/queue-5.4/tracing-xen-ordered-comparison-of-function-pointers.patch @@ -0,0 +1,53 @@ +From d0695e2351102affd8efae83989056bc4b275917 Mon Sep 17 00:00:00 2001 +From: Changbin Du +Date: Sun, 12 Jan 2020 11:42:31 +0800 +Subject: tracing: xen: Ordered comparison of function pointers + +From: Changbin Du + +commit d0695e2351102affd8efae83989056bc4b275917 upstream. + +Just as commit 0566e40ce7 ("tracing: initcall: Ordered comparison of +function pointers"), this patch fixes another remaining one in xen.h +found by clang-9. + +In file included from arch/x86/xen/trace.c:21: +In file included from ./include/trace/events/xen.h:475: +In file included from ./include/trace/define_trace.h:102: +In file included from ./include/trace/trace_events.h:473: +./include/trace/events/xen.h:69:7: warning: ordered comparison of function \ +pointers ('xen_mc_callback_fn_t' (aka 'void (*)(void *)') and 'xen_mc_callback_fn_t') [-Wordered-compare-function-pointers] + __field(xen_mc_callback_fn_t, fn) + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +./include/trace/trace_events.h:421:29: note: expanded from macro '__field' + ^ +./include/trace/trace_events.h:407:6: note: expanded from macro '__field_ext' + is_signed_type(type), filter_type); \ + ^ +./include/linux/trace_events.h:554:44: note: expanded from macro 'is_signed_type' + ^ + +Fixes: c796f213a6934 ("xen/trace: add multicall tracing") +Signed-off-by: Changbin Du +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman + +--- + include/trace/events/xen.h | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/include/trace/events/xen.h ++++ b/include/trace/events/xen.h +@@ -66,7 +66,11 @@ TRACE_EVENT(xen_mc_callback, + TP_PROTO(xen_mc_callback_fn_t fn, void *data), + TP_ARGS(fn, data), + TP_STRUCT__entry( +- __field(xen_mc_callback_fn_t, fn) ++ /* ++ * Use field_struct to avoid is_signed_type() ++ * comparison of a function pointer. ++ */ ++ __field_struct(xen_mc_callback_fn_t, fn) + __field(void *, data) + ), + TP_fast_assign( diff --git a/queue-5.4/xfrm-support-output_mark-for-offload-esp-packets.patch b/queue-5.4/xfrm-support-output_mark-for-offload-esp-packets.patch new file mode 100644 index 00000000000..4bb47522f74 --- /dev/null +++ b/queue-5.4/xfrm-support-output_mark-for-offload-esp-packets.patch @@ -0,0 +1,48 @@ +From 4e4362d2bf2a49ff44dbbc9585207977ca3d71d0 Mon Sep 17 00:00:00 2001 +From: Ulrich Weber +Date: Wed, 15 Jan 2020 12:11:29 +0100 +Subject: xfrm: support output_mark for offload ESP packets + +From: Ulrich Weber + +commit 4e4362d2bf2a49ff44dbbc9585207977ca3d71d0 upstream. + +Commit 9b42c1f179a6 ("xfrm: Extend the output_mark") added output_mark +support but missed ESP offload support. + +xfrm_smark_get() is not called within xfrm_input() for packets coming +from esp4_gro_receive() or esp6_gro_receive(). Therefore call +xfrm_smark_get() directly within these functions. + +Fixes: 9b42c1f179a6 ("xfrm: Extend the output_mark to support input direction and masking.") +Signed-off-by: Ulrich Weber +Signed-off-by: Steffen Klassert +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/esp4_offload.c | 2 ++ + net/ipv6/esp6_offload.c | 2 ++ + 2 files changed, 4 insertions(+) + +--- a/net/ipv4/esp4_offload.c ++++ b/net/ipv4/esp4_offload.c +@@ -57,6 +57,8 @@ static struct sk_buff *esp4_gro_receive( + if (!x) + goto out_reset; + ++ skb->mark = xfrm_smark_get(skb->mark, x); ++ + sp->xvec[sp->len++] = x; + sp->olen++; + +--- a/net/ipv6/esp6_offload.c ++++ b/net/ipv6/esp6_offload.c +@@ -79,6 +79,8 @@ static struct sk_buff *esp6_gro_receive( + if (!x) + goto out_reset; + ++ skb->mark = xfrm_smark_get(skb->mark, x); ++ + sp->xvec[sp->len++] = x; + sp->olen++; +