From: Sasha Levin Date: Mon, 28 Sep 2020 04:17:06 +0000 (-0400) Subject: Fixes for 5.4 X-Git-Tag: v4.4.238~43 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7300745735128fd7cdac03e939012db5896160de;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/alsa-asihpi-fix-iounmap-in-error-handler.patch b/queue-5.4/alsa-asihpi-fix-iounmap-in-error-handler.patch new file mode 100644 index 00000000000..1a94d886bda --- /dev/null +++ b/queue-5.4/alsa-asihpi-fix-iounmap-in-error-handler.patch @@ -0,0 +1,59 @@ +From 304aacb2f242334847e9917c787f7724922cc529 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 13 Sep 2020 09:52:30 -0700 +Subject: ALSA: asihpi: fix iounmap in error handler + +From: Tom Rix + +[ Upstream commit 472eb39103e885f302fd8fd6eff104fcf5503f1b ] + +clang static analysis flags this problem +hpioctl.c:513:7: warning: Branch condition evaluates to + a garbage value + if (pci.ap_mem_base[idx]) { + ^~~~~~~~~~~~~~~~~~~~ + +If there is a failure in the middle of the memory space loop, +only some of the memory spaces need to be cleaned up. + +At the error handler, idx holds the number of successful +memory spaces mapped. So rework the handler loop to use the +old idx. + +There is a second problem, the memory space loop conditionally +iomaps()/sets the mem_base so it is necessay to initize pci. + +Fixes: 719f82d3987a ("ALSA: Add support of AudioScience ASI boards") +Signed-off-by: Tom Rix +Link: https://lore.kernel.org/r/20200913165230.17166-1-trix@redhat.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/asihpi/hpioctl.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sound/pci/asihpi/hpioctl.c b/sound/pci/asihpi/hpioctl.c +index 496dcde9715d6..9790f5108a166 100644 +--- a/sound/pci/asihpi/hpioctl.c ++++ b/sound/pci/asihpi/hpioctl.c +@@ -343,7 +343,7 @@ int asihpi_adapter_probe(struct pci_dev *pci_dev, + struct hpi_message hm; + struct hpi_response hr; + struct hpi_adapter adapter; +- struct hpi_pci pci; ++ struct hpi_pci pci = { 0 }; + + memset(&adapter, 0, sizeof(adapter)); + +@@ -499,7 +499,7 @@ int asihpi_adapter_probe(struct pci_dev *pci_dev, + return 0; + + err: +- for (idx = 0; idx < HPI_MAX_ADAPTER_MEM_SPACES; idx++) { ++ while (--idx >= 0) { + if (pci.ap_mem_base[idx]) { + iounmap(pci.ap_mem_base[idx]); + pci.ap_mem_base[idx] = NULL; +-- +2.25.1 + diff --git a/queue-5.4/atm-eni-fix-the-missed-pci_disable_device-for-eni_in.patch b/queue-5.4/atm-eni-fix-the-missed-pci_disable_device-for-eni_in.patch new file mode 100644 index 00000000000..f3df12f00e7 --- /dev/null +++ b/queue-5.4/atm-eni-fix-the-missed-pci_disable_device-for-eni_in.patch @@ -0,0 +1,36 @@ +From d79cceb7db9e166c8a72c18e1164874ac41c40ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Sep 2020 10:51:03 +0800 +Subject: atm: eni: fix the missed pci_disable_device() for eni_init_one() + +From: Jing Xiangfeng + +[ Upstream commit c2b947879ca320ac5505c6c29a731ff17da5e805 ] + +eni_init_one() misses to call pci_disable_device() in an error path. +Jump to err_disable to fix it. + +Fixes: ede58ef28e10 ("atm: remove deprecated use of pci api") +Signed-off-by: Jing Xiangfeng +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/atm/eni.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/atm/eni.c b/drivers/atm/eni.c +index 9d0d65efcd94e..bedaebd5a4956 100644 +--- a/drivers/atm/eni.c ++++ b/drivers/atm/eni.c +@@ -2245,7 +2245,7 @@ static int eni_init_one(struct pci_dev *pci_dev, + + rc = dma_set_mask_and_coherent(&pci_dev->dev, DMA_BIT_MASK(32)); + if (rc < 0) +- goto out; ++ goto err_disable; + + rc = -ENOMEM; + eni_dev = kmalloc(sizeof(struct eni_dev), GFP_KERNEL); +-- +2.25.1 + diff --git a/queue-5.4/batman-adv-add-missing-include-for-in_interrupt.patch b/queue-5.4/batman-adv-add-missing-include-for-in_interrupt.patch new file mode 100644 index 00000000000..bedcfae355b --- /dev/null +++ b/queue-5.4/batman-adv-add-missing-include-for-in_interrupt.patch @@ -0,0 +1,37 @@ +From 50fbe4ef2d8096c11b0395b3ce992177817e12bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Sep 2020 13:58:16 +0200 +Subject: batman-adv: Add missing include for in_interrupt() + +From: Sven Eckelmann + +[ Upstream commit 4bba9dab86b6ac15ca560ef1f2b5aa4529cbf784 ] + +The fix for receiving (internally generated) bla packets outside the +interrupt context introduced the usage of in_interrupt(). But this +functionality is only defined in linux/preempt.h which was not included +with the same patch. + +Fixes: 279e89b2281a ("batman-adv: bla: use netif_rx_ni when not in interrupt context") +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +--- + net/batman-adv/bridge_loop_avoidance.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c +index 62d2e766dd392..fe406c17b2c0a 100644 +--- a/net/batman-adv/bridge_loop_avoidance.c ++++ b/net/batman-adv/bridge_loop_avoidance.c +@@ -25,6 +25,7 @@ + #include + #include + #include ++#include + #include + #include + #include +-- +2.25.1 + diff --git a/queue-5.4/batman-adv-bla-fix-type-misuse-for-backbone_gw-hash-.patch b/queue-5.4/batman-adv-bla-fix-type-misuse-for-backbone_gw-hash-.patch new file mode 100644 index 00000000000..cce8cf3c632 --- /dev/null +++ b/queue-5.4/batman-adv-bla-fix-type-misuse-for-backbone_gw-hash-.patch @@ -0,0 +1,54 @@ +From 7c4978d096bcc8c5735dbadf331310d8b017720b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Aug 2020 17:34:48 +0200 +Subject: batman-adv: bla: fix type misuse for backbone_gw hash indexing +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Linus Lüssing + +[ Upstream commit 097930e85f90f252c44dc0d084598265dd44ca48 ] + +It seems that due to a copy & paste error the void pointer +in batadv_choose_backbone_gw() is cast to the wrong type. + +Fixing this by using "struct batadv_bla_backbone_gw" instead of "struct +batadv_bla_claim" which better matches the caller's side. + +For now it seems that we were lucky because the two structs both have +their orig/vid and addr/vid in the beginning. However I stumbled over +this issue when I was trying to add some debug variables in front of +"orig" in batadv_backbone_gw, which caused hash lookups to fail. + +Fixes: 07568d0369f9 ("batman-adv: don't rely on positions in struct for hashing") +Signed-off-by: Linus Lüssing +Signed-off-by: Sven Eckelmann +Signed-off-by: Sasha Levin +--- + net/batman-adv/bridge_loop_avoidance.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c +index 5f6309ade1ea1..62d2e766dd392 100644 +--- a/net/batman-adv/bridge_loop_avoidance.c ++++ b/net/batman-adv/bridge_loop_avoidance.c +@@ -83,11 +83,12 @@ static inline u32 batadv_choose_claim(const void *data, u32 size) + */ + static inline u32 batadv_choose_backbone_gw(const void *data, u32 size) + { +- const struct batadv_bla_claim *claim = (struct batadv_bla_claim *)data; ++ const struct batadv_bla_backbone_gw *gw; + u32 hash = 0; + +- hash = jhash(&claim->addr, sizeof(claim->addr), hash); +- hash = jhash(&claim->vid, sizeof(claim->vid), hash); ++ gw = (struct batadv_bla_backbone_gw *)data; ++ hash = jhash(&gw->orig, sizeof(gw->orig), hash); ++ hash = jhash(&gw->vid, sizeof(gw->vid), hash); + + return hash % size; + } +-- +2.25.1 + diff --git a/queue-5.4/batman-adv-mcast-fix-duplicate-mcast-packets-from-bl.patch b/queue-5.4/batman-adv-mcast-fix-duplicate-mcast-packets-from-bl.patch new file mode 100644 index 00000000000..fbc7b4cbe79 --- /dev/null +++ b/queue-5.4/batman-adv-mcast-fix-duplicate-mcast-packets-from-bl.patch @@ -0,0 +1,205 @@ +From 08c47d724ab47c04a078efe6cf819d649307a567 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Sep 2020 09:54:10 +0200 +Subject: batman-adv: mcast: fix duplicate mcast packets from BLA backbone to + mesh +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Linus Lüssing + +[ Upstream commit 2369e827046920ef0599e6a36b975ac5c0a359c2 ] + +Scenario: +* Multicast frame send from BLA backbone gateways (multiple nodes + with their bat0 bridged together, with BLA enabled) sharing the same + LAN to nodes in the mesh + +Issue: +* Nodes receive the frame multiple times on bat0 from the mesh, + once from each foreign BLA backbone gateway which shares the same LAN + with another + +For multicast frames via batman-adv broadcast packets coming from the +same BLA backbone but from different backbone gateways duplicates are +currently detected via a CRC history of previously received packets. + +However this CRC so far was not performed for multicast frames received +via batman-adv unicast packets. Fixing this by appyling the same check +for such packets, too. + +Room for improvements in the future: Ideally we would introduce the +possibility to not only claim a client, but a complete originator, too. +This would allow us to only send a multicast-in-unicast packet from a BLA +backbone gateway claiming the node and by that avoid potential redundant +transmissions in the first place. + +Fixes: 279e89b2281a ("batman-adv: add broadcast duplicate check") +Signed-off-by: Linus Lüssing +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +--- + net/batman-adv/bridge_loop_avoidance.c | 103 +++++++++++++++++++++---- + 1 file changed, 87 insertions(+), 16 deletions(-) + +diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c +index ffa44d7f7ee5d..a6b26ca5c6973 100644 +--- a/net/batman-adv/bridge_loop_avoidance.c ++++ b/net/batman-adv/bridge_loop_avoidance.c +@@ -1581,13 +1581,16 @@ int batadv_bla_init(struct batadv_priv *bat_priv) + } + + /** +- * batadv_bla_check_bcast_duplist() - Check if a frame is in the broadcast dup. ++ * batadv_bla_check_duplist() - Check if a frame is in the broadcast dup. + * @bat_priv: the bat priv with all the soft interface information +- * @skb: contains the bcast_packet to be checked ++ * @skb: contains the multicast packet to be checked ++ * @payload_ptr: pointer to position inside the head buffer of the skb ++ * marking the start of the data to be CRC'ed ++ * @orig: originator mac address, NULL if unknown + * +- * check if it is on our broadcast list. Another gateway might +- * have sent the same packet because it is connected to the same backbone, +- * so we have to remove this duplicate. ++ * Check if it is on our broadcast list. Another gateway might have sent the ++ * same packet because it is connected to the same backbone, so we have to ++ * remove this duplicate. + * + * This is performed by checking the CRC, which will tell us + * with a good chance that it is the same packet. If it is furthermore +@@ -1596,19 +1599,17 @@ int batadv_bla_init(struct batadv_priv *bat_priv) + * + * Return: true if a packet is in the duplicate list, false otherwise. + */ +-bool batadv_bla_check_bcast_duplist(struct batadv_priv *bat_priv, +- struct sk_buff *skb) ++static bool batadv_bla_check_duplist(struct batadv_priv *bat_priv, ++ struct sk_buff *skb, u8 *payload_ptr, ++ const u8 *orig) + { +- int i, curr; +- __be32 crc; +- struct batadv_bcast_packet *bcast_packet; + struct batadv_bcast_duplist_entry *entry; + bool ret = false; +- +- bcast_packet = (struct batadv_bcast_packet *)skb->data; ++ int i, curr; ++ __be32 crc; + + /* calculate the crc ... */ +- crc = batadv_skb_crc32(skb, (u8 *)(bcast_packet + 1)); ++ crc = batadv_skb_crc32(skb, payload_ptr); + + spin_lock_bh(&bat_priv->bla.bcast_duplist_lock); + +@@ -1627,8 +1628,21 @@ bool batadv_bla_check_bcast_duplist(struct batadv_priv *bat_priv, + if (entry->crc != crc) + continue; + +- if (batadv_compare_eth(entry->orig, bcast_packet->orig)) +- continue; ++ /* are the originators both known and not anonymous? */ ++ if (orig && !is_zero_ether_addr(orig) && ++ !is_zero_ether_addr(entry->orig)) { ++ /* If known, check if the new frame came from ++ * the same originator: ++ * We are safe to take identical frames from the ++ * same orig, if known, as multiplications in ++ * the mesh are detected via the (orig, seqno) pair. ++ * So we can be a bit more liberal here and allow ++ * identical frames from the same orig which the source ++ * host might have sent multiple times on purpose. ++ */ ++ if (batadv_compare_eth(entry->orig, orig)) ++ continue; ++ } + + /* this entry seems to match: same crc, not too old, + * and from another gw. therefore return true to forbid it. +@@ -1644,7 +1658,14 @@ bool batadv_bla_check_bcast_duplist(struct batadv_priv *bat_priv, + entry = &bat_priv->bla.bcast_duplist[curr]; + entry->crc = crc; + entry->entrytime = jiffies; +- ether_addr_copy(entry->orig, bcast_packet->orig); ++ ++ /* known originator */ ++ if (orig) ++ ether_addr_copy(entry->orig, orig); ++ /* anonymous originator */ ++ else ++ eth_zero_addr(entry->orig); ++ + bat_priv->bla.bcast_duplist_curr = curr; + + out: +@@ -1653,6 +1674,48 @@ bool batadv_bla_check_bcast_duplist(struct batadv_priv *bat_priv, + return ret; + } + ++/** ++ * batadv_bla_check_ucast_duplist() - Check if a frame is in the broadcast dup. ++ * @bat_priv: the bat priv with all the soft interface information ++ * @skb: contains the multicast packet to be checked, decapsulated from a ++ * unicast_packet ++ * ++ * Check if it is on our broadcast list. Another gateway might have sent the ++ * same packet because it is connected to the same backbone, so we have to ++ * remove this duplicate. ++ * ++ * Return: true if a packet is in the duplicate list, false otherwise. ++ */ ++static bool batadv_bla_check_ucast_duplist(struct batadv_priv *bat_priv, ++ struct sk_buff *skb) ++{ ++ return batadv_bla_check_duplist(bat_priv, skb, (u8 *)skb->data, NULL); ++} ++ ++/** ++ * batadv_bla_check_bcast_duplist() - Check if a frame is in the broadcast dup. ++ * @bat_priv: the bat priv with all the soft interface information ++ * @skb: contains the bcast_packet to be checked ++ * ++ * Check if it is on our broadcast list. Another gateway might have sent the ++ * same packet because it is connected to the same backbone, so we have to ++ * remove this duplicate. ++ * ++ * Return: true if a packet is in the duplicate list, false otherwise. ++ */ ++bool batadv_bla_check_bcast_duplist(struct batadv_priv *bat_priv, ++ struct sk_buff *skb) ++{ ++ struct batadv_bcast_packet *bcast_packet; ++ u8 *payload_ptr; ++ ++ bcast_packet = (struct batadv_bcast_packet *)skb->data; ++ payload_ptr = (u8 *)(bcast_packet + 1); ++ ++ return batadv_bla_check_duplist(bat_priv, skb, payload_ptr, ++ bcast_packet->orig); ++} ++ + /** + * batadv_bla_is_backbone_gw_orig() - Check if the originator is a gateway for + * the VLAN identified by vid. +@@ -1867,6 +1930,14 @@ bool batadv_bla_rx(struct batadv_priv *bat_priv, struct sk_buff *skb, + packet_type == BATADV_UNICAST) + goto handled; + ++ /* potential duplicates from foreign BLA backbone gateways via ++ * multicast-in-unicast packets ++ */ ++ if (is_multicast_ether_addr(ethhdr->h_dest) && ++ packet_type == BATADV_UNICAST && ++ batadv_bla_check_ucast_duplist(bat_priv, skb)) ++ goto handled; ++ + ether_addr_copy(search_claim.addr, ethhdr->h_source); + search_claim.vid = vid; + claim = batadv_claim_hash_find(bat_priv, &search_claim); +-- +2.25.1 + diff --git a/queue-5.4/batman-adv-mcast-fix-duplicate-mcast-packets-in-bla-.patch b/queue-5.4/batman-adv-mcast-fix-duplicate-mcast-packets-in-bla-.patch new file mode 100644 index 00000000000..dc358d3f7ea --- /dev/null +++ b/queue-5.4/batman-adv-mcast-fix-duplicate-mcast-packets-in-bla-.patch @@ -0,0 +1,206 @@ +From 44977e9d7f0b0f389475fee4aaf313f9f38ccbdb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Sep 2020 09:54:08 +0200 +Subject: batman-adv: mcast: fix duplicate mcast packets in BLA backbone from + LAN +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Linus Lüssing + +[ Upstream commit 3236d215ad38a3f5372e65cd1e0a52cf93d3c6a2 ] + +Scenario: +* Multicast frame send from a BLA backbone (multiple nodes with + their bat0 bridged together, with BLA enabled) + +Issue: +* BLA backbone nodes receive the frame multiple times on bat0 + +For multicast frames received via batman-adv broadcast packets the +originator of the broadcast packet is checked before decapsulating and +forwarding the frame to bat0 (batadv_bla_is_backbone_gw()-> +batadv_recv_bcast_packet()). If it came from a node which shares the +same BLA backbone with us then it is not forwarded to bat0 to avoid a +loop. + +When sending a multicast frame in a non-4-address batman-adv unicast +packet we are currently missing this check - and cannot do so because +the batman-adv unicast packet has no originator address field. + +However, we can simply fix this on the sender side by only sending the +multicast frame via unicasts to interested nodes which do not share the +same BLA backbone with us. This also nicely avoids some unnecessary +transmissions on mesh side. + +Note that no infinite loop was observed, probably because of dropping +via batadv_interface_tx()->batadv_bla_tx(). However the duplicates still +utterly confuse switches/bridges, ICMPv6 duplicate address detection and +neighbor discovery and therefore leads to long delays before being able +to establish TCP connections, for instance. And it also leads to the Linux +bridge printing messages like: +"br-lan: received packet on eth1 with own address as source address ..." + +Fixes: 2d3f6ccc4ea5 ("batman-adv: Modified forwarding behaviour for multicast packets") +Signed-off-by: Linus Lüssing +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +--- + net/batman-adv/multicast.c | 46 ++++++++++++++++++++++++++------- + net/batman-adv/multicast.h | 15 +++++++++++ + net/batman-adv/soft-interface.c | 5 ++-- + 3 files changed, 53 insertions(+), 13 deletions(-) + +diff --git a/net/batman-adv/multicast.c b/net/batman-adv/multicast.c +index 1d5bdf3a4b655..f5bf931252c4b 100644 +--- a/net/batman-adv/multicast.c ++++ b/net/batman-adv/multicast.c +@@ -51,6 +51,7 @@ + #include + #include + ++#include "bridge_loop_avoidance.h" + #include "hard-interface.h" + #include "hash.h" + #include "log.h" +@@ -1434,6 +1435,35 @@ batadv_mcast_forw_mode(struct batadv_priv *bat_priv, struct sk_buff *skb, + return BATADV_FORW_ALL; + } + ++/** ++ * batadv_mcast_forw_send_orig() - send a multicast packet to an originator ++ * @bat_priv: the bat priv with all the soft interface information ++ * @skb: the multicast packet to send ++ * @vid: the vlan identifier ++ * @orig_node: the originator to send the packet to ++ * ++ * Return: NET_XMIT_DROP in case of error or NET_XMIT_SUCCESS otherwise. ++ */ ++int batadv_mcast_forw_send_orig(struct batadv_priv *bat_priv, ++ struct sk_buff *skb, ++ unsigned short vid, ++ struct batadv_orig_node *orig_node) ++{ ++ /* Avoid sending multicast-in-unicast packets to other BLA ++ * gateways - they already got the frame from the LAN side ++ * we share with them. ++ * TODO: Refactor to take BLA into account earlier, to avoid ++ * reducing the mcast_fanout count. ++ */ ++ if (batadv_bla_is_backbone_gw_orig(bat_priv, orig_node->orig, vid)) { ++ dev_kfree_skb(skb); ++ return NET_XMIT_SUCCESS; ++ } ++ ++ return batadv_send_skb_unicast(bat_priv, skb, BATADV_UNICAST, 0, ++ orig_node, vid); ++} ++ + /** + * batadv_mcast_forw_tt() - forwards a packet to multicast listeners + * @bat_priv: the bat priv with all the soft interface information +@@ -1471,8 +1501,8 @@ batadv_mcast_forw_tt(struct batadv_priv *bat_priv, struct sk_buff *skb, + break; + } + +- batadv_send_skb_unicast(bat_priv, newskb, BATADV_UNICAST, 0, +- orig_entry->orig_node, vid); ++ batadv_mcast_forw_send_orig(bat_priv, newskb, vid, ++ orig_entry->orig_node); + } + rcu_read_unlock(); + +@@ -1513,8 +1543,7 @@ batadv_mcast_forw_want_all_ipv4(struct batadv_priv *bat_priv, + break; + } + +- batadv_send_skb_unicast(bat_priv, newskb, BATADV_UNICAST, 0, +- orig_node, vid); ++ batadv_mcast_forw_send_orig(bat_priv, newskb, vid, orig_node); + } + rcu_read_unlock(); + return ret; +@@ -1551,8 +1580,7 @@ batadv_mcast_forw_want_all_ipv6(struct batadv_priv *bat_priv, + break; + } + +- batadv_send_skb_unicast(bat_priv, newskb, BATADV_UNICAST, 0, +- orig_node, vid); ++ batadv_mcast_forw_send_orig(bat_priv, newskb, vid, orig_node); + } + rcu_read_unlock(); + return ret; +@@ -1618,8 +1646,7 @@ batadv_mcast_forw_want_all_rtr4(struct batadv_priv *bat_priv, + break; + } + +- batadv_send_skb_unicast(bat_priv, newskb, BATADV_UNICAST, 0, +- orig_node, vid); ++ batadv_mcast_forw_send_orig(bat_priv, newskb, vid, orig_node); + } + rcu_read_unlock(); + return ret; +@@ -1656,8 +1683,7 @@ batadv_mcast_forw_want_all_rtr6(struct batadv_priv *bat_priv, + break; + } + +- batadv_send_skb_unicast(bat_priv, newskb, BATADV_UNICAST, 0, +- orig_node, vid); ++ batadv_mcast_forw_send_orig(bat_priv, newskb, vid, orig_node); + } + rcu_read_unlock(); + return ret; +diff --git a/net/batman-adv/multicast.h b/net/batman-adv/multicast.h +index 5d9e2bb29c971..403929013ac47 100644 +--- a/net/batman-adv/multicast.h ++++ b/net/batman-adv/multicast.h +@@ -46,6 +46,11 @@ enum batadv_forw_mode + batadv_mcast_forw_mode(struct batadv_priv *bat_priv, struct sk_buff *skb, + struct batadv_orig_node **mcast_single_orig); + ++int batadv_mcast_forw_send_orig(struct batadv_priv *bat_priv, ++ struct sk_buff *skb, ++ unsigned short vid, ++ struct batadv_orig_node *orig_node); ++ + int batadv_mcast_forw_send(struct batadv_priv *bat_priv, struct sk_buff *skb, + unsigned short vid); + +@@ -71,6 +76,16 @@ batadv_mcast_forw_mode(struct batadv_priv *bat_priv, struct sk_buff *skb, + return BATADV_FORW_ALL; + } + ++static inline int ++batadv_mcast_forw_send_orig(struct batadv_priv *bat_priv, ++ struct sk_buff *skb, ++ unsigned short vid, ++ struct batadv_orig_node *orig_node) ++{ ++ kfree_skb(skb); ++ return NET_XMIT_DROP; ++} ++ + static inline int + batadv_mcast_forw_send(struct batadv_priv *bat_priv, struct sk_buff *skb, + unsigned short vid) +diff --git a/net/batman-adv/soft-interface.c b/net/batman-adv/soft-interface.c +index 5ee8e9a100f90..cf1a8ef7464f5 100644 +--- a/net/batman-adv/soft-interface.c ++++ b/net/batman-adv/soft-interface.c +@@ -364,9 +364,8 @@ static netdev_tx_t batadv_interface_tx(struct sk_buff *skb, + goto dropped; + ret = batadv_send_skb_via_gw(bat_priv, skb, vid); + } else if (mcast_single_orig) { +- ret = batadv_send_skb_unicast(bat_priv, skb, +- BATADV_UNICAST, 0, +- mcast_single_orig, vid); ++ ret = batadv_mcast_forw_send_orig(bat_priv, skb, vid, ++ mcast_single_orig); + } else if (forw_mode == BATADV_FORW_SOME) { + ret = batadv_mcast_forw_send(bat_priv, skb, vid); + } else { +-- +2.25.1 + diff --git a/queue-5.4/batman-adv-mcast-fix-duplicate-mcast-packets-in-bla-.patch-6066 b/queue-5.4/batman-adv-mcast-fix-duplicate-mcast-packets-in-bla-.patch-6066 new file mode 100644 index 00000000000..d21447ffc63 --- /dev/null +++ b/queue-5.4/batman-adv-mcast-fix-duplicate-mcast-packets-in-bla-.patch-6066 @@ -0,0 +1,172 @@ +From 1e5d7976f59ea1a5613e51791f1e049c32b7189a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Sep 2020 09:54:09 +0200 +Subject: batman-adv: mcast: fix duplicate mcast packets in BLA backbone from + mesh +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Linus Lüssing + +[ Upstream commit 74c09b7275126da1b642b90c9cdc3ae8b729ad4b ] + +Scenario: +* Multicast frame send from mesh to a BLA backbone (multiple nodes + with their bat0 bridged together, with BLA enabled) + +Issue: +* BLA backbone nodes receive the frame multiple times on bat0, + once from mesh->bat0 and once from each backbone_gw from LAN + +For unicast, a node will send only to the best backbone gateway +according to the TQ. However for multicast we currently cannot determine +if multiple destination nodes share the same backbone if they don't share +the same backbone with us. So we need to keep sending the unicasts to +all backbone gateways and let the backbone gateways decide which one +will forward the frame. We can use the CLAIM mechanism to make this +decision. + +One catch: The batman-adv gateway feature for DHCP packets potentially +sends multicast packets in the same batman-adv unicast header as the +multicast optimizations code. And we are not allowed to drop those even +if we did not claim the source address of the sender, as for such +packets there is only this one multicast-in-unicast packet. + +How can we distinguish the two cases? + +The gateway feature uses a batman-adv unicast 4 address header. While +the multicast-to-unicasts feature uses a simple, 3 address batman-adv +unicast header. So let's use this to distinguish. + +Fixes: fe2da6ff27c7 ("batman-adv: check incoming packet type for bla") +Signed-off-by: Linus Lüssing +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +--- + net/batman-adv/bridge_loop_avoidance.c | 34 +++++++++++++++++++------- + net/batman-adv/bridge_loop_avoidance.h | 4 +-- + net/batman-adv/soft-interface.c | 6 ++--- + 3 files changed, 30 insertions(+), 14 deletions(-) + +diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c +index fe406c17b2c0a..ffa44d7f7ee5d 100644 +--- a/net/batman-adv/bridge_loop_avoidance.c ++++ b/net/batman-adv/bridge_loop_avoidance.c +@@ -1814,7 +1814,7 @@ batadv_bla_loopdetect_check(struct batadv_priv *bat_priv, struct sk_buff *skb, + * @bat_priv: the bat priv with all the soft interface information + * @skb: the frame to be checked + * @vid: the VLAN ID of the frame +- * @is_bcast: the packet came in a broadcast packet type. ++ * @packet_type: the batman packet type this frame came in + * + * batadv_bla_rx avoidance checks if: + * * we have to race for a claim +@@ -1826,7 +1826,7 @@ batadv_bla_loopdetect_check(struct batadv_priv *bat_priv, struct sk_buff *skb, + * further process the skb. + */ + bool batadv_bla_rx(struct batadv_priv *bat_priv, struct sk_buff *skb, +- unsigned short vid, bool is_bcast) ++ unsigned short vid, int packet_type) + { + struct batadv_bla_backbone_gw *backbone_gw; + struct ethhdr *ethhdr; +@@ -1848,9 +1848,24 @@ bool batadv_bla_rx(struct batadv_priv *bat_priv, struct sk_buff *skb, + goto handled; + + if (unlikely(atomic_read(&bat_priv->bla.num_requests))) +- /* don't allow broadcasts while requests are in flight */ +- if (is_multicast_ether_addr(ethhdr->h_dest) && is_bcast) +- goto handled; ++ /* don't allow multicast packets while requests are in flight */ ++ if (is_multicast_ether_addr(ethhdr->h_dest)) ++ /* Both broadcast flooding or multicast-via-unicasts ++ * delivery might send to multiple backbone gateways ++ * sharing the same LAN and therefore need to coordinate ++ * which backbone gateway forwards into the LAN, ++ * by claiming the payload source address. ++ * ++ * Broadcast flooding and multicast-via-unicasts ++ * delivery use the following two batman packet types. ++ * Note: explicitly exclude BATADV_UNICAST_4ADDR, ++ * as the DHCP gateway feature will send explicitly ++ * to only one BLA gateway, so the claiming process ++ * should be avoided there. ++ */ ++ if (packet_type == BATADV_BCAST || ++ packet_type == BATADV_UNICAST) ++ goto handled; + + ether_addr_copy(search_claim.addr, ethhdr->h_source); + search_claim.vid = vid; +@@ -1885,13 +1900,14 @@ bool batadv_bla_rx(struct batadv_priv *bat_priv, struct sk_buff *skb, + goto allow; + } + +- /* if it is a broadcast ... */ +- if (is_multicast_ether_addr(ethhdr->h_dest) && is_bcast) { ++ /* if it is a multicast ... */ ++ if (is_multicast_ether_addr(ethhdr->h_dest) && ++ (packet_type == BATADV_BCAST || packet_type == BATADV_UNICAST)) { + /* ... drop it. the responsible gateway is in charge. + * +- * We need to check is_bcast because with the gateway ++ * We need to check packet type because with the gateway + * feature, broadcasts (like DHCP requests) may be sent +- * using a unicast packet type. ++ * using a unicast 4 address packet type. See comment above. + */ + goto handled; + } else { +diff --git a/net/batman-adv/bridge_loop_avoidance.h b/net/batman-adv/bridge_loop_avoidance.h +index 02b24a861a854..9370be0158130 100644 +--- a/net/batman-adv/bridge_loop_avoidance.h ++++ b/net/batman-adv/bridge_loop_avoidance.h +@@ -35,7 +35,7 @@ static inline bool batadv_bla_is_loopdetect_mac(const uint8_t *mac) + + #ifdef CONFIG_BATMAN_ADV_BLA + bool batadv_bla_rx(struct batadv_priv *bat_priv, struct sk_buff *skb, +- unsigned short vid, bool is_bcast); ++ unsigned short vid, int packet_type); + bool batadv_bla_tx(struct batadv_priv *bat_priv, struct sk_buff *skb, + unsigned short vid); + bool batadv_bla_is_backbone_gw(struct sk_buff *skb, +@@ -66,7 +66,7 @@ bool batadv_bla_check_claim(struct batadv_priv *bat_priv, u8 *addr, + + static inline bool batadv_bla_rx(struct batadv_priv *bat_priv, + struct sk_buff *skb, unsigned short vid, +- bool is_bcast) ++ int packet_type) + { + return false; + } +diff --git a/net/batman-adv/soft-interface.c b/net/batman-adv/soft-interface.c +index cf1a8ef7464f5..7f209390069ea 100644 +--- a/net/batman-adv/soft-interface.c ++++ b/net/batman-adv/soft-interface.c +@@ -424,10 +424,10 @@ void batadv_interface_rx(struct net_device *soft_iface, + struct vlan_ethhdr *vhdr; + struct ethhdr *ethhdr; + unsigned short vid; +- bool is_bcast; ++ int packet_type; + + batadv_bcast_packet = (struct batadv_bcast_packet *)skb->data; +- is_bcast = (batadv_bcast_packet->packet_type == BATADV_BCAST); ++ packet_type = batadv_bcast_packet->packet_type; + + skb_pull_rcsum(skb, hdr_size); + skb_reset_mac_header(skb); +@@ -470,7 +470,7 @@ void batadv_interface_rx(struct net_device *soft_iface, + /* Let the bridge loop avoidance check the packet. If will + * not handle it, we can safely push it up. + */ +- if (batadv_bla_rx(bat_priv, skb, vid, is_bcast)) ++ if (batadv_bla_rx(bat_priv, skb, vid, packet_type)) + goto out; + + if (orig_node) +-- +2.25.1 + diff --git a/queue-5.4/batman-adv-mcast-tt-fix-wrongly-dropped-or-rerouted-.patch b/queue-5.4/batman-adv-mcast-tt-fix-wrongly-dropped-or-rerouted-.patch new file mode 100644 index 00000000000..53c48f89e86 --- /dev/null +++ b/queue-5.4/batman-adv-mcast-tt-fix-wrongly-dropped-or-rerouted-.patch @@ -0,0 +1,59 @@ +From d2f2be64c6cd321988e6dcba9c5331fdd779b029 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Sep 2020 20:28:00 +0200 +Subject: batman-adv: mcast/TT: fix wrongly dropped or rerouted packets +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Linus Lüssing + +[ Upstream commit 7dda5b3384121181c4e79f6eaeac2b94c0622c8d ] + +The unicast packet rerouting code makes several assumptions. For +instance it assumes that there is always exactly one destination in the +TT. This breaks for multicast frames in a unicast packets in several ways: + +For one thing if there is actually no TT entry and the destination node +was selected due to the multicast tvlv flags it announced. Then an +intermediate node will wrongly drop the packet. + +For another thing if there is a TT entry but the TTVN of this entry is +newer than the originally addressed destination node: Then the +intermediate node will wrongly redirect the packet, leading to +duplicated multicast packets at a multicast listener and missing +packets at other multicast listeners or multicast routers. + +Fixing this by not applying the unicast packet rerouting to batman-adv +unicast packets with a multicast payload. We are not able to detect a +roaming multicast listener at the moment and will just continue to send +the multicast frame to both the new and old destination for a while in +case of such a roaming multicast listener. + +Fixes: a73105b8d4c7 ("batman-adv: improved client announcement mechanism") +Signed-off-by: Linus Lüssing +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +--- + net/batman-adv/routing.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/batman-adv/routing.c b/net/batman-adv/routing.c +index f0f864820dead..708e90cb18a6e 100644 +--- a/net/batman-adv/routing.c ++++ b/net/batman-adv/routing.c +@@ -826,6 +826,10 @@ static bool batadv_check_unicast_ttvn(struct batadv_priv *bat_priv, + vid = batadv_get_vid(skb, hdr_len); + ethhdr = (struct ethhdr *)(skb->data + hdr_len); + ++ /* do not reroute multicast frames in a unicast header */ ++ if (is_multicast_ether_addr(ethhdr->h_dest)) ++ return true; ++ + /* check if the destination client was served by this node and it is now + * roaming. In this case, it means that the node has got a ROAM_ADV + * message and that it knows the new destination in the mesh to re-route +-- +2.25.1 + diff --git a/queue-5.4/bpf-fix-a-rcu-warning-for-bpffs-map-pretty-print.patch b/queue-5.4/bpf-fix-a-rcu-warning-for-bpffs-map-pretty-print.patch new file mode 100644 index 00000000000..5bfcef2c194 --- /dev/null +++ b/queue-5.4/bpf-fix-a-rcu-warning-for-bpffs-map-pretty-print.patch @@ -0,0 +1,74 @@ +From da1de77915843d38502847f797eb3e67c10c4de7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Sep 2020 17:44:01 -0700 +Subject: bpf: Fix a rcu warning for bpffs map pretty-print + +From: Yonghong Song + +[ Upstream commit ce880cb825fcc22d4e39046a6c3a3a7f6603883d ] + +Running selftest + ./btf_btf -p +the kernel had the following warning: + [ 51.528185] WARNING: CPU: 3 PID: 1756 at kernel/bpf/hashtab.c:717 htab_map_get_next_key+0x2eb/0x300 + [ 51.529217] Modules linked in: + [ 51.529583] CPU: 3 PID: 1756 Comm: test_btf Not tainted 5.9.0-rc1+ #878 + [ 51.530346] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.9.3-1.el7.centos 04/01/2014 + [ 51.531410] RIP: 0010:htab_map_get_next_key+0x2eb/0x300 + ... + [ 51.542826] Call Trace: + [ 51.543119] map_seq_next+0x53/0x80 + [ 51.543528] seq_read+0x263/0x400 + [ 51.543932] vfs_read+0xad/0x1c0 + [ 51.544311] ksys_read+0x5f/0xe0 + [ 51.544689] do_syscall_64+0x33/0x40 + [ 51.545116] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +The related source code in kernel/bpf/hashtab.c: + 709 static int htab_map_get_next_key(struct bpf_map *map, void *key, void *next_key) + 710 { + 711 struct bpf_htab *htab = container_of(map, struct bpf_htab, map); + 712 struct hlist_nulls_head *head; + 713 struct htab_elem *l, *next_l; + 714 u32 hash, key_size; + 715 int i = 0; + 716 + 717 WARN_ON_ONCE(!rcu_read_lock_held()); + +In kernel/bpf/inode.c, bpffs map pretty print calls map->ops->map_get_next_key() +without holding a rcu_read_lock(), hence causing the above warning. +To fix the issue, just surrounding map->ops->map_get_next_key() with rcu read lock. + +Fixes: a26ca7c982cb ("bpf: btf: Add pretty print support to the basic arraymap") +Reported-by: Alexei Starovoitov +Signed-off-by: Yonghong Song +Signed-off-by: Alexei Starovoitov +Acked-by: Andrii Nakryiko +Cc: Martin KaFai Lau +Link: https://lore.kernel.org/bpf/20200916004401.146277-1-yhs@fb.com +Signed-off-by: Sasha Levin +--- + kernel/bpf/inode.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/kernel/bpf/inode.c b/kernel/bpf/inode.c +index 218c09ff6a273..375d93eb71c71 100644 +--- a/kernel/bpf/inode.c ++++ b/kernel/bpf/inode.c +@@ -205,10 +205,12 @@ static void *map_seq_next(struct seq_file *m, void *v, loff_t *pos) + else + prev_key = key; + ++ rcu_read_lock(); + if (map->ops->map_get_next_key(map, prev_key, key)) { + map_iter(m)->done = true; +- return NULL; ++ key = NULL; + } ++ rcu_read_unlock(); + return key; + } + +-- +2.25.1 + diff --git a/queue-5.4/bpf-fix-clobbering-of-r2-in-bpf_gen_ld_abs.patch b/queue-5.4/bpf-fix-clobbering-of-r2-in-bpf_gen_ld_abs.patch new file mode 100644 index 00000000000..cec16edee00 --- /dev/null +++ b/queue-5.4/bpf-fix-clobbering-of-r2-in-bpf_gen_ld_abs.patch @@ -0,0 +1,66 @@ +From 97ce292761905267073d26f280c5a925dedddffe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Sep 2020 00:04:10 +0200 +Subject: bpf: Fix clobbering of r2 in bpf_gen_ld_abs + +From: Daniel Borkmann + +[ Upstream commit e6a18d36118bea3bf497c9df4d9988b6df120689 ] + +Bryce reported that he saw the following with: + + 0: r6 = r1 + 1: r1 = 12 + 2: r0 = *(u16 *)skb[r1] + +The xlated sequence was incorrectly clobbering r2 with pointer +value of r6 ... + + 0: (bf) r6 = r1 + 1: (b7) r1 = 12 + 2: (bf) r1 = r6 + 3: (bf) r2 = r1 + 4: (85) call bpf_skb_load_helper_16_no_cache#7692160 + +... and hence call to the load helper never succeeded given the +offset was too high. Fix it by reordering the load of r6 to r1. + +Other than that the insn has similar calling convention than BPF +helpers, that is, r0 - r5 are scratch regs, so nothing else +affected after the insn. + +Fixes: e0cea7ce988c ("bpf: implement ld_abs/ld_ind in native bpf") +Reported-by: Bryce Kahle +Signed-off-by: Daniel Borkmann +Signed-off-by: Alexei Starovoitov +Link: https://lore.kernel.org/bpf/cace836e4d07bb63b1a53e49c5dfb238a040c298.1599512096.git.daniel@iogearbox.net +Signed-off-by: Sasha Levin +--- + net/core/filter.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/core/filter.c b/net/core/filter.c +index cf2a68513bfd5..c441f9961e917 100644 +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -6791,8 +6791,6 @@ static int bpf_gen_ld_abs(const struct bpf_insn *orig, + bool indirect = BPF_MODE(orig->code) == BPF_IND; + struct bpf_insn *insn = insn_buf; + +- /* We're guaranteed here that CTX is in R6. */ +- *insn++ = BPF_MOV64_REG(BPF_REG_1, BPF_REG_CTX); + if (!indirect) { + *insn++ = BPF_MOV64_IMM(BPF_REG_2, orig->imm); + } else { +@@ -6800,6 +6798,8 @@ static int bpf_gen_ld_abs(const struct bpf_insn *orig, + if (orig->imm) + *insn++ = BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, orig->imm); + } ++ /* We're guaranteed here that CTX is in R6. */ ++ *insn++ = BPF_MOV64_REG(BPF_REG_1, BPF_REG_CTX); + + switch (BPF_SIZE(orig->code)) { + case BPF_B: +-- +2.25.1 + diff --git a/queue-5.4/clocksource-drivers-h8300_timer8-fix-wrong-return-va.patch b/queue-5.4/clocksource-drivers-h8300_timer8-fix-wrong-return-va.patch new file mode 100644 index 00000000000..1c18990b0fd --- /dev/null +++ b/queue-5.4/clocksource-drivers-h8300_timer8-fix-wrong-return-va.patch @@ -0,0 +1,41 @@ +From e76fc5b840a1292326e763200578920117133bba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Aug 2020 19:15:41 +0800 +Subject: clocksource/drivers/h8300_timer8: Fix wrong return value in + h8300_8timer_init() + +From: Tianjia Zhang + +[ Upstream commit 400d033f5a599120089b5f0c54d14d198499af5a ] + +In the init function, if the call to of_iomap() fails, the return +value is ENXIO instead of -ENXIO. + +Change to the right negative errno. + +Fixes: 691f8f878290f ("clocksource/drivers/h8300_timer8: Convert init function to return error") +Cc: Daniel Lezcano +Signed-off-by: Tianjia Zhang +Signed-off-by: Daniel Lezcano +Link: https://lore.kernel.org/r/20200802111541.5429-1-tianjia.zhang@linux.alibaba.com +Signed-off-by: Sasha Levin +--- + drivers/clocksource/h8300_timer8.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clocksource/h8300_timer8.c b/drivers/clocksource/h8300_timer8.c +index 1d740a8c42ab3..47114c2a7cb54 100644 +--- a/drivers/clocksource/h8300_timer8.c ++++ b/drivers/clocksource/h8300_timer8.c +@@ -169,7 +169,7 @@ static int __init h8300_8timer_init(struct device_node *node) + return PTR_ERR(clk); + } + +- ret = ENXIO; ++ ret = -ENXIO; + base = of_iomap(node, 0); + if (!base) { + pr_err("failed to map registers for clockevent\n"); +-- +2.25.1 + diff --git a/queue-5.4/drm-sun4i-sun8i-csc-secondary-csc-register-correctio.patch b/queue-5.4/drm-sun4i-sun8i-csc-secondary-csc-register-correctio.patch new file mode 100644 index 00000000000..f86c9bb1a35 --- /dev/null +++ b/queue-5.4/drm-sun4i-sun8i-csc-secondary-csc-register-correctio.patch @@ -0,0 +1,39 @@ +From e13c33f35804729a3721fe7844a932711ff3305e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 6 Sep 2020 18:21:39 +0200 +Subject: drm/sun4i: sun8i-csc: Secondary CSC register correction + +From: Martin Cerveny + +[ Upstream commit cab4c03b4ba54c8d9378298cacb8bc0fd74ceece ] + +"Allwinner V3s" has secondary video layer (VI). +Decoded video is displayed in wrong colors until +secondary CSC registers are programmed correctly. + +Fixes: 883029390550 ("drm/sun4i: Add DE2 CSC library") +Signed-off-by: Martin Cerveny +Reviewed-by: Jernej Skrabec +Signed-off-by: Maxime Ripard +Link: https://patchwork.freedesktop.org/patch/msgid/20200906162140.5584-2-m.cerveny@computer.org +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/sun4i/sun8i_csc.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/sun4i/sun8i_csc.h b/drivers/gpu/drm/sun4i/sun8i_csc.h +index f42441b1b14dd..a55a38ad849c1 100644 +--- a/drivers/gpu/drm/sun4i/sun8i_csc.h ++++ b/drivers/gpu/drm/sun4i/sun8i_csc.h +@@ -12,7 +12,7 @@ struct sun8i_mixer; + + /* VI channel CSC units offsets */ + #define CCSC00_OFFSET 0xAA050 +-#define CCSC01_OFFSET 0xFA000 ++#define CCSC01_OFFSET 0xFA050 + #define CCSC10_OFFSET 0xA0000 + #define CCSC11_OFFSET 0xF0000 + +-- +2.25.1 + diff --git a/queue-5.4/drm-vc4-vc4_hdmi-fill-asoc-card-owner.patch b/queue-5.4/drm-vc4-vc4_hdmi-fill-asoc-card-owner.patch new file mode 100644 index 00000000000..1c0964cf008 --- /dev/null +++ b/queue-5.4/drm-vc4-vc4_hdmi-fill-asoc-card-owner.patch @@ -0,0 +1,75 @@ +From c20b13723aa248781a9dbf9301d2e5d9d566915c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Jul 2020 09:39:49 +0200 +Subject: drm/vc4/vc4_hdmi: fill ASoC card owner + +From: Marek Szyprowski + +[ Upstream commit ec653df2a0cbc306a4bfcb0e3484d318fa779002 ] + +card->owner is a required property and since commit 81033c6b584b ("ALSA: +core: Warn on empty module") a warning is issued if it is empty. Fix lack +of it. This fixes following warning observed on RaspberryPi 3B board +with ARM 32bit kernel and multi_v7_defconfig: + +------------[ cut here ]------------ +WARNING: CPU: 1 PID: 210 at sound/core/init.c:207 snd_card_new+0x378/0x398 [snd] +Modules linked in: vc4(+) snd_soc_core ac97_bus snd_pcm_dmaengine bluetooth snd_pcm snd_timer crc32_arm_ce raspberrypi_hwmon snd soundcore ecdh_generic ecc bcm2835_thermal phy_generic +CPU: 1 PID: 210 Comm: systemd-udevd Not tainted 5.8.0-rc1-00027-g81033c6b584b #1087 +Hardware name: BCM2835 +[] (unwind_backtrace) from [] (show_stack+0x10/0x14) +[] (show_stack) from [] (dump_stack+0xd4/0xe8) +[] (dump_stack) from [] (__warn+0xdc/0xf4) +[] (__warn) from [] (warn_slowpath_fmt+0xb0/0xb8) +[] (warn_slowpath_fmt) from [] (snd_card_new+0x378/0x398 [snd]) +[] (snd_card_new [snd]) from [] (snd_soc_bind_card+0x280/0x99c [snd_soc_core]) +[] (snd_soc_bind_card [snd_soc_core]) from [] (devm_snd_soc_register_card+0x34/0x6c [snd_soc_core]) +[] (devm_snd_soc_register_card [snd_soc_core]) from [] (vc4_hdmi_bind+0x43c/0x5f4 [vc4]) +[] (vc4_hdmi_bind [vc4]) from [] (component_bind_all+0xec/0x24c) +[] (component_bind_all) from [] (vc4_drm_bind+0xd4/0x174 [vc4]) +[] (vc4_drm_bind [vc4]) from [] (try_to_bring_up_master+0x160/0x1b0) +[] (try_to_bring_up_master) from [] (component_master_add_with_match+0xd0/0x104) +[] (component_master_add_with_match) from [] (vc4_platform_drm_probe+0x9c/0xbc [vc4]) +[] (vc4_platform_drm_probe [vc4]) from [] (platform_drv_probe+0x6c/0xa4) +[] (platform_drv_probe) from [] (really_probe+0x210/0x350) +[] (really_probe) from [] (driver_probe_device+0x5c/0xb4) +[] (driver_probe_device) from [] (device_driver_attach+0x58/0x60) +[] (device_driver_attach) from [] (__driver_attach+0x80/0xbc) +[] (__driver_attach) from [] (bus_for_each_dev+0x68/0xb4) +[] (bus_for_each_dev) from [] (bus_add_driver+0x130/0x1e8) +[] (bus_add_driver) from [] (driver_register+0x78/0x110) +[] (driver_register) from [] (do_one_initcall+0x50/0x220) +[] (do_one_initcall) from [] (do_init_module+0x60/0x210) +[] (do_init_module) from [] (load_module+0x1e34/0x2338) +[] (load_module) from [] (sys_finit_module+0xac/0xbc) +[] (sys_finit_module) from [] (ret_fast_syscall+0x0/0x54) +Exception stack(0xeded9fa8 to 0xeded9ff0) +... +---[ end trace 6414689569c2bc08 ]--- + +Fixes: bb7d78568814 ("drm/vc4: Add HDMI audio support") +Suggested-by: Takashi Iwai +Signed-off-by: Marek Szyprowski +Tested-by: Stefan Wahren +Signed-off-by: Maxime Ripard +Link: https://patchwork.freedesktop.org/patch/msgid/20200701073949.28941-1-m.szyprowski@samsung.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vc4/vc4_hdmi.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/vc4/vc4_hdmi.c b/drivers/gpu/drm/vc4/vc4_hdmi.c +index d5f5ba4105241..54435b72b7611 100644 +--- a/drivers/gpu/drm/vc4/vc4_hdmi.c ++++ b/drivers/gpu/drm/vc4/vc4_hdmi.c +@@ -1125,6 +1125,7 @@ static int vc4_hdmi_audio_init(struct vc4_hdmi *hdmi) + card->num_links = 1; + card->name = "vc4-hdmi"; + card->dev = dev; ++ card->owner = THIS_MODULE; + + /* + * Be careful, snd_soc_register_card() calls dev_set_drvdata() and +-- +2.25.1 + diff --git a/queue-5.4/ieee802154-adf7242-check-status-of-adf7242_read_reg.patch b/queue-5.4/ieee802154-adf7242-check-status-of-adf7242_read_reg.patch new file mode 100644 index 00000000000..28b625fa825 --- /dev/null +++ b/queue-5.4/ieee802154-adf7242-check-status-of-adf7242_read_reg.patch @@ -0,0 +1,51 @@ +From df3ffd2e5df365b216eaa1e6561220d094c0cc4a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Aug 2020 07:23:39 -0700 +Subject: ieee802154/adf7242: check status of adf7242_read_reg + +From: Tom Rix + +[ Upstream commit e3914ed6cf44bfe1f169e26241f8314556fd1ac1 ] + +Clang static analysis reports this error + +adf7242.c:887:6: warning: Assigned value is garbage or undefined + len = len_u8; + ^ ~~~~~~ + +len_u8 is set in + adf7242_read_reg(lp, 0, &len_u8); + +When this call fails, len_u8 is not set. + +So check the return code. + +Fixes: 7302b9d90117 ("ieee802154/adf7242: Driver for ADF7242 MAC IEEE802154") + +Signed-off-by: Tom Rix +Acked-by: Michael Hennerich +Link: https://lore.kernel.org/r/20200802142339.21091-1-trix@redhat.com +Signed-off-by: Stefan Schmidt +Signed-off-by: Sasha Levin +--- + drivers/net/ieee802154/adf7242.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ieee802154/adf7242.c b/drivers/net/ieee802154/adf7242.c +index 8dbccec6ac866..5945ac5f38eea 100644 +--- a/drivers/net/ieee802154/adf7242.c ++++ b/drivers/net/ieee802154/adf7242.c +@@ -882,7 +882,9 @@ static int adf7242_rx(struct adf7242_local *lp) + int ret; + u8 lqi, len_u8, *data; + +- adf7242_read_reg(lp, 0, &len_u8); ++ ret = adf7242_read_reg(lp, 0, &len_u8); ++ if (ret) ++ return ret; + + len = len_u8; + +-- +2.25.1 + diff --git a/queue-5.4/ieee802154-fix-one-possible-memleak-in-ca8210_dev_co.patch b/queue-5.4/ieee802154-fix-one-possible-memleak-in-ca8210_dev_co.patch new file mode 100644 index 00000000000..94b222065b9 --- /dev/null +++ b/queue-5.4/ieee802154-fix-one-possible-memleak-in-ca8210_dev_co.patch @@ -0,0 +1,35 @@ +From e2b1878ab3b2450ea58b17a1d3171fe18294d8bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Jul 2020 22:33:15 +0800 +Subject: ieee802154: fix one possible memleak in ca8210_dev_com_init + +From: Liu Jian + +[ Upstream commit 88f46b3fe2ac41c381770ebad9f2ee49346b57a2 ] + +We should call destroy_workqueue to destroy mlme_workqueue in error branch. + +Fixes: ded845a781a5 ("ieee802154: Add CA8210 IEEE 802.15.4 device driver") +Signed-off-by: Liu Jian +Link: https://lore.kernel.org/r/20200720143315.40523-1-liujian56@huawei.com +Signed-off-by: Stefan Schmidt +Signed-off-by: Sasha Levin +--- + drivers/net/ieee802154/ca8210.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ieee802154/ca8210.c b/drivers/net/ieee802154/ca8210.c +index 430c937861534..25dbea302fb6d 100644 +--- a/drivers/net/ieee802154/ca8210.c ++++ b/drivers/net/ieee802154/ca8210.c +@@ -2924,6 +2924,7 @@ static int ca8210_dev_com_init(struct ca8210_priv *priv) + ); + if (!priv->irq_workqueue) { + dev_crit(&priv->spi->dev, "alloc of irq_workqueue failed!\n"); ++ destroy_workqueue(priv->mlme_workqueue); + return -ENOMEM; + } + +-- +2.25.1 + diff --git a/queue-5.4/kvm-svm-add-a-dedicated-invd-intercept-routine.patch b/queue-5.4/kvm-svm-add-a-dedicated-invd-intercept-routine.patch new file mode 100644 index 00000000000..113fabf422d --- /dev/null +++ b/queue-5.4/kvm-svm-add-a-dedicated-invd-intercept-routine.patch @@ -0,0 +1,53 @@ +From b6be82379343717e0d16f2b35f0b3905e3a91327 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Sep 2020 13:41:57 -0500 +Subject: KVM: SVM: Add a dedicated INVD intercept routine + +From: Tom Lendacky + +[ Upstream commit 4bb05f30483fd21ea5413eaf1182768f251cf625 ] + +The INVD instruction intercept performs emulation. Emulation can't be done +on an SEV guest because the guest memory is encrypted. + +Provide a dedicated intercept routine for the INVD intercept. And since +the instruction is emulated as a NOP, just skip it instead. + +Fixes: 1654efcbc431 ("KVM: SVM: Add KVM_SEV_INIT command") +Signed-off-by: Tom Lendacky +Message-Id: +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/svm.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c +index 802b5f9ab7446..b58495fde2e89 100644 +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -3967,6 +3967,12 @@ static int iret_interception(struct vcpu_svm *svm) + return 1; + } + ++static int invd_interception(struct vcpu_svm *svm) ++{ ++ /* Treat an INVD instruction as a NOP and just skip it. */ ++ return kvm_skip_emulated_instruction(&svm->vcpu); ++} ++ + static int invlpg_interception(struct vcpu_svm *svm) + { + if (!static_cpu_has(X86_FEATURE_DECODEASSISTS)) +@@ -4819,7 +4825,7 @@ static int (*const svm_exit_handlers[])(struct vcpu_svm *svm) = { + [SVM_EXIT_RDPMC] = rdpmc_interception, + [SVM_EXIT_CPUID] = cpuid_interception, + [SVM_EXIT_IRET] = iret_interception, +- [SVM_EXIT_INVD] = emulate_on_interception, ++ [SVM_EXIT_INVD] = invd_interception, + [SVM_EXIT_PAUSE] = pause_interception, + [SVM_EXIT_HLT] = halt_interception, + [SVM_EXIT_INVLPG] = invlpg_interception, +-- +2.25.1 + diff --git a/queue-5.4/kvm-x86-reset-mmu-context-if-guest-toggles-cr4.smap-.patch b/queue-5.4/kvm-x86-reset-mmu-context-if-guest-toggles-cr4.smap-.patch new file mode 100644 index 00000000000..f1fa29e3352 --- /dev/null +++ b/queue-5.4/kvm-x86-reset-mmu-context-if-guest-toggles-cr4.smap-.patch @@ -0,0 +1,52 @@ +From 91ff03c94a74ba41c3ae1580c0f5262636ce1f53 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Sep 2020 14:53:52 -0700 +Subject: KVM: x86: Reset MMU context if guest toggles CR4.SMAP or CR4.PKE + +From: Sean Christopherson + +[ Upstream commit 8d214c481611b29458a57913bd786f0ac06f0605 ] + +Reset the MMU context during kvm_set_cr4() if SMAP or PKE is toggled. +Recent commits to (correctly) not reload PDPTRs when SMAP/PKE are +toggled inadvertantly skipped the MMU context reset due to the mask +of bits that triggers PDPTR loads also being used to trigger MMU context +resets. + +Fixes: 427890aff855 ("kvm: x86: Toggling CR4.SMAP does not load PDPTEs in PAE mode") +Fixes: cb957adb4ea4 ("kvm: x86: Toggling CR4.PKE does not load PDPTEs in PAE mode") +Cc: Jim Mattson +Cc: Peter Shier +Cc: Oliver Upton +Signed-off-by: Sean Christopherson +Message-Id: <20200923215352.17756-1-sean.j.christopherson@intel.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/x86.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c +index 67ad417a29ca4..12e83297ea020 100644 +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -973,6 +973,7 @@ int kvm_set_cr4(struct kvm_vcpu *vcpu, unsigned long cr4) + unsigned long old_cr4 = kvm_read_cr4(vcpu); + unsigned long pdptr_bits = X86_CR4_PGE | X86_CR4_PSE | X86_CR4_PAE | + X86_CR4_SMEP; ++ unsigned long mmu_role_bits = pdptr_bits | X86_CR4_SMAP | X86_CR4_PKE; + + if (kvm_valid_cr4(vcpu, cr4)) + return 1; +@@ -1000,7 +1001,7 @@ int kvm_set_cr4(struct kvm_vcpu *vcpu, unsigned long cr4) + if (kvm_x86_ops->set_cr4(vcpu, cr4)) + return 1; + +- if (((cr4 ^ old_cr4) & pdptr_bits) || ++ if (((cr4 ^ old_cr4) & mmu_role_bits) || + (!(cr4 & X86_CR4_PCIDE) && (old_cr4 & X86_CR4_PCIDE))) + kvm_mmu_reset_context(vcpu); + +-- +2.25.1 + diff --git a/queue-5.4/lib80211-fix-unmet-direct-dependendices-config-warni.patch b/queue-5.4/lib80211-fix-unmet-direct-dependendices-config-warni.patch new file mode 100644 index 00000000000..b31aba8c42b --- /dev/null +++ b/queue-5.4/lib80211-fix-unmet-direct-dependendices-config-warni.patch @@ -0,0 +1,41 @@ +From 36f63cb20d329ff1169d8d14caac5bcd96405949 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Sep 2020 12:54:53 +0300 +Subject: lib80211: fix unmet direct dependendices config warning when !CRYPTO + +From: Necip Fazil Yildiran + +[ Upstream commit b959ba9f468b1c581f40e92661ad58b093abaa03 ] + +When LIB80211_CRYPT_CCMP is enabled and CRYPTO is disabled, it results in unmet +direct dependencies config warning. The reason is that LIB80211_CRYPT_CCMP +selects CRYPTO_AES and CRYPTO_CCM, which are subordinate to CRYPTO. This is +reproducible with CRYPTO disabled and R8188EU enabled, where R8188EU selects +LIB80211_CRYPT_CCMP but does not select or depend on CRYPTO. + +Honor the kconfig menu hierarchy to remove kconfig dependency warnings. + +Fixes: a11e2f85481c ("lib80211: use crypto API ccm(aes) transform for CCMP processing") +Signed-off-by: Necip Fazil Yildiran +Link: https://lore.kernel.org/r/20200909095452.3080-1-fazilyildiran@gmail.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/wireless/Kconfig b/net/wireless/Kconfig +index 63cf7131f601c..211007c091d59 100644 +--- a/net/wireless/Kconfig ++++ b/net/wireless/Kconfig +@@ -217,6 +217,7 @@ config LIB80211_CRYPT_WEP + + config LIB80211_CRYPT_CCMP + tristate ++ select CRYPTO + select CRYPTO_AES + select CRYPTO_CCM + +-- +2.25.1 + diff --git a/queue-5.4/mac802154-tx-fix-use-after-free.patch b/queue-5.4/mac802154-tx-fix-use-after-free.patch new file mode 100644 index 00000000000..fe769e9c2b6 --- /dev/null +++ b/queue-5.4/mac802154-tx-fix-use-after-free.patch @@ -0,0 +1,170 @@ +From 98b22e525dbf2d657acd42cf387e4be7fccf51b6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Sep 2020 03:40:25 -0700 +Subject: mac802154: tx: fix use-after-free + +From: Eric Dumazet + +[ Upstream commit 0ff4628f4c6c1ab87eef9f16b25355cadc426d64 ] + +syzbot reported a bug in ieee802154_tx() [1] + +A similar issue in ieee802154_xmit_worker() is also fixed in this patch. + +[1] +BUG: KASAN: use-after-free in ieee802154_tx+0x3d2/0x480 net/mac802154/tx.c:88 +Read of size 4 at addr ffff8880251a8c70 by task syz-executor.3/928 + +CPU: 0 PID: 928 Comm: syz-executor.3 Not tainted 5.9.0-rc3-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x198/0x1fd lib/dump_stack.c:118 + print_address_description.constprop.0.cold+0xae/0x497 mm/kasan/report.c:383 + __kasan_report mm/kasan/report.c:513 [inline] + kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530 + ieee802154_tx+0x3d2/0x480 net/mac802154/tx.c:88 + ieee802154_subif_start_xmit+0xbe/0xe4 net/mac802154/tx.c:130 + __netdev_start_xmit include/linux/netdevice.h:4634 [inline] + netdev_start_xmit include/linux/netdevice.h:4648 [inline] + dev_direct_xmit+0x4e9/0x6e0 net/core/dev.c:4203 + packet_snd net/packet/af_packet.c:2989 [inline] + packet_sendmsg+0x2413/0x5290 net/packet/af_packet.c:3014 + sock_sendmsg_nosec net/socket.c:651 [inline] + sock_sendmsg+0xcf/0x120 net/socket.c:671 + ____sys_sendmsg+0x6e8/0x810 net/socket.c:2353 + ___sys_sendmsg+0xf3/0x170 net/socket.c:2407 + __sys_sendmsg+0xe5/0x1b0 net/socket.c:2440 + do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 +RIP: 0033:0x45d5b9 +Code: 5d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 +RSP: 002b:00007fc98e749c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e +RAX: ffffffffffffffda RBX: 000000000002ccc0 RCX: 000000000045d5b9 +RDX: 0000000000000000 RSI: 0000000020007780 RDI: 000000000000000b +RBP: 000000000118d020 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118cfec +R13: 00007fff690c720f R14: 00007fc98e74a9c0 R15: 000000000118cfec + +Allocated by task 928: + kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48 + kasan_set_track mm/kasan/common.c:56 [inline] + __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:461 + slab_post_alloc_hook mm/slab.h:518 [inline] + slab_alloc_node mm/slab.c:3254 [inline] + kmem_cache_alloc_node+0x136/0x3e0 mm/slab.c:3574 + __alloc_skb+0x71/0x550 net/core/skbuff.c:198 + alloc_skb include/linux/skbuff.h:1094 [inline] + alloc_skb_with_frags+0x92/0x570 net/core/skbuff.c:5771 + sock_alloc_send_pskb+0x72a/0x880 net/core/sock.c:2348 + packet_alloc_skb net/packet/af_packet.c:2837 [inline] + packet_snd net/packet/af_packet.c:2932 [inline] + packet_sendmsg+0x19fb/0x5290 net/packet/af_packet.c:3014 + sock_sendmsg_nosec net/socket.c:651 [inline] + sock_sendmsg+0xcf/0x120 net/socket.c:671 + ____sys_sendmsg+0x6e8/0x810 net/socket.c:2353 + ___sys_sendmsg+0xf3/0x170 net/socket.c:2407 + __sys_sendmsg+0xe5/0x1b0 net/socket.c:2440 + do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Freed by task 928: + kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48 + kasan_set_track+0x1c/0x30 mm/kasan/common.c:56 + kasan_set_free_info+0x1b/0x30 mm/kasan/generic.c:355 + __kasan_slab_free+0xd8/0x120 mm/kasan/common.c:422 + __cache_free mm/slab.c:3418 [inline] + kmem_cache_free.part.0+0x74/0x1e0 mm/slab.c:3693 + kfree_skbmem+0xef/0x1b0 net/core/skbuff.c:622 + __kfree_skb net/core/skbuff.c:679 [inline] + consume_skb net/core/skbuff.c:838 [inline] + consume_skb+0xcf/0x160 net/core/skbuff.c:832 + __dev_kfree_skb_any+0x9c/0xc0 net/core/dev.c:3107 + fakelb_hw_xmit+0x20e/0x2a0 drivers/net/ieee802154/fakelb.c:81 + drv_xmit_async net/mac802154/driver-ops.h:16 [inline] + ieee802154_tx+0x282/0x480 net/mac802154/tx.c:81 + ieee802154_subif_start_xmit+0xbe/0xe4 net/mac802154/tx.c:130 + __netdev_start_xmit include/linux/netdevice.h:4634 [inline] + netdev_start_xmit include/linux/netdevice.h:4648 [inline] + dev_direct_xmit+0x4e9/0x6e0 net/core/dev.c:4203 + packet_snd net/packet/af_packet.c:2989 [inline] + packet_sendmsg+0x2413/0x5290 net/packet/af_packet.c:3014 + sock_sendmsg_nosec net/socket.c:651 [inline] + sock_sendmsg+0xcf/0x120 net/socket.c:671 + ____sys_sendmsg+0x6e8/0x810 net/socket.c:2353 + ___sys_sendmsg+0xf3/0x170 net/socket.c:2407 + __sys_sendmsg+0xe5/0x1b0 net/socket.c:2440 + do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +The buggy address belongs to the object at ffff8880251a8c00 + which belongs to the cache skbuff_head_cache of size 224 +The buggy address is located 112 bytes inside of + 224-byte region [ffff8880251a8c00, ffff8880251a8ce0) +The buggy address belongs to the page: +page:0000000062b6a4f1 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x251a8 +flags: 0xfffe0000000200(slab) +raw: 00fffe0000000200 ffffea0000435c88 ffffea00028b6c08 ffff8880a9055d00 +raw: 0000000000000000 ffff8880251a80c0 000000010000000c 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff8880251a8b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff8880251a8b80: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc +>ffff8880251a8c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff8880251a8c80: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc + ffff8880251a8d00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb + +Fixes: 409c3b0c5f03 ("mac802154: tx: move stats tx increment") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Cc: Alexander Aring +Cc: Stefan Schmidt +Cc: linux-wpan@vger.kernel.org +Link: https://lore.kernel.org/r/20200908104025.4009085-1-edumazet@google.com +Signed-off-by: Stefan Schmidt +Signed-off-by: Sasha Levin +--- + net/mac802154/tx.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/net/mac802154/tx.c b/net/mac802154/tx.c +index ab52811523e99..c829e4a753256 100644 +--- a/net/mac802154/tx.c ++++ b/net/mac802154/tx.c +@@ -34,11 +34,11 @@ void ieee802154_xmit_worker(struct work_struct *work) + if (res) + goto err_tx; + +- ieee802154_xmit_complete(&local->hw, skb, false); +- + dev->stats.tx_packets++; + dev->stats.tx_bytes += skb->len; + ++ ieee802154_xmit_complete(&local->hw, skb, false); ++ + return; + + err_tx: +@@ -78,6 +78,8 @@ ieee802154_tx(struct ieee802154_local *local, struct sk_buff *skb) + + /* async is priority, otherwise sync is fallback */ + if (local->ops->xmit_async) { ++ unsigned int len = skb->len; ++ + ret = drv_xmit_async(local, skb); + if (ret) { + ieee802154_wake_queue(&local->hw); +@@ -85,7 +87,7 @@ ieee802154_tx(struct ieee802154_local *local, struct sk_buff *skb) + } + + dev->stats.tx_packets++; +- dev->stats.tx_bytes += skb->len; ++ dev->stats.tx_bytes += len; + } else { + local->tx_skb = skb; + queue_work(local->workqueue, &local->tx_work); +-- +2.25.1 + diff --git a/queue-5.4/mips-add-the-missing-cpu_1074k-into-__get_cpu_type.patch b/queue-5.4/mips-add-the-missing-cpu_1074k-into-__get_cpu_type.patch new file mode 100644 index 00000000000..12c722a7fbd --- /dev/null +++ b/queue-5.4/mips-add-the-missing-cpu_1074k-into-__get_cpu_type.patch @@ -0,0 +1,36 @@ +From cb13da86d31510eecce98a1d3f6f3afeba25a597 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Sep 2020 14:53:12 +0800 +Subject: MIPS: Add the missing 'CPU_1074K' into __get_cpu_type() + +From: Wei Li + +[ Upstream commit e393fbe6fa27af23f78df6e16a8fd2963578a8c4 ] + +Commit 442e14a2c55e ("MIPS: Add 1074K CPU support explicitly.") split +1074K from the 74K as an unique CPU type, while it missed to add the +'CPU_1074K' in __get_cpu_type(). So let's add it back. + +Fixes: 442e14a2c55e ("MIPS: Add 1074K CPU support explicitly.") +Signed-off-by: Wei Li +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/include/asm/cpu-type.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/mips/include/asm/cpu-type.h b/arch/mips/include/asm/cpu-type.h +index 7bbb66760a07c..1809c408736b0 100644 +--- a/arch/mips/include/asm/cpu-type.h ++++ b/arch/mips/include/asm/cpu-type.h +@@ -47,6 +47,7 @@ static inline int __pure __get_cpu_type(const int cpu_type) + case CPU_34K: + case CPU_1004K: + case CPU_74K: ++ case CPU_1074K: + case CPU_M14KC: + case CPU_M14KEC: + case CPU_INTERAPTIV: +-- +2.25.1 + diff --git a/queue-5.4/mm-validate-pmd-after-splitting.patch b/queue-5.4/mm-validate-pmd-after-splitting.patch new file mode 100644 index 00000000000..56d5272a25e --- /dev/null +++ b/queue-5.4/mm-validate-pmd-after-splitting.patch @@ -0,0 +1,74 @@ +From 13ce43984c2e337832e58cf4ea9770968cea5097 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Sep 2020 23:32:15 -0700 +Subject: mm: validate pmd after splitting + +From: Minchan Kim + +[ Upstream commit ce2684254bd4818ca3995c0d021fb62c4cf10a19 ] + +syzbot reported the following KASAN splat: + + general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN + KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f] + CPU: 1 PID: 6826 Comm: syz-executor142 Not tainted 5.9.0-rc4-syzkaller #0 + Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 + RIP: 0010:__lock_acquire+0x84/0x2ae0 kernel/locking/lockdep.c:4296 + Code: ff df 8a 04 30 84 c0 0f 85 e3 16 00 00 83 3d 56 58 35 08 00 0f 84 0e 17 00 00 83 3d 25 c7 f5 07 00 74 2c 4c 89 e8 48 c1 e8 03 <80> 3c 30 00 74 12 4c 89 ef e8 3e d1 5a 00 48 be 00 00 00 00 00 fc + RSP: 0018:ffffc90004b9f850 EFLAGS: 00010006 + Call Trace: + lock_acquire+0x140/0x6f0 kernel/locking/lockdep.c:5006 + __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] + _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:151 + spin_lock include/linux/spinlock.h:354 [inline] + madvise_cold_or_pageout_pte_range+0x52f/0x25c0 mm/madvise.c:389 + walk_pmd_range mm/pagewalk.c:89 [inline] + walk_pud_range mm/pagewalk.c:160 [inline] + walk_p4d_range mm/pagewalk.c:193 [inline] + walk_pgd_range mm/pagewalk.c:229 [inline] + __walk_page_range+0xe7b/0x1da0 mm/pagewalk.c:331 + walk_page_range+0x2c3/0x5c0 mm/pagewalk.c:427 + madvise_pageout_page_range mm/madvise.c:521 [inline] + madvise_pageout mm/madvise.c:557 [inline] + madvise_vma mm/madvise.c:946 [inline] + do_madvise+0x12d0/0x2090 mm/madvise.c:1145 + __do_sys_madvise mm/madvise.c:1171 [inline] + __se_sys_madvise mm/madvise.c:1169 [inline] + __x64_sys_madvise+0x76/0x80 mm/madvise.c:1169 + do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +The backing vma was shmem. + +In case of split page of file-backed THP, madvise zaps the pmd instead +of remapping of sub-pages. So we need to check pmd validity after +split. + +Reported-by: syzbot+ecf80462cb7d5d552bc7@syzkaller.appspotmail.com +Fixes: 1a4e58cce84e ("mm: introduce MADV_PAGEOUT") +Signed-off-by: Minchan Kim +Acked-by: Kirill A. Shutemov +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/madvise.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/mm/madvise.c b/mm/madvise.c +index 26f7954865ed9..1107e99e498b2 100644 +--- a/mm/madvise.c ++++ b/mm/madvise.c +@@ -380,9 +380,9 @@ static int madvise_cold_or_pageout_pte_range(pmd_t *pmd, + return 0; + } + ++regular_page: + if (pmd_trans_unstable(pmd)) + return 0; +-regular_page: + #endif + tlb_change_page_size(tlb, PAGE_SIZE); + orig_pte = pte = pte_offset_map_lock(vma->vm_mm, pmd, addr, &ptl); +-- +2.25.1 + diff --git a/queue-5.4/mwifiex-increase-aes-key-storage-size-to-256-bits.patch b/queue-5.4/mwifiex-increase-aes-key-storage-size-to-256-bits.patch new file mode 100644 index 00000000000..1e4cdc48e16 --- /dev/null +++ b/queue-5.4/mwifiex-increase-aes-key-storage-size-to-256-bits.patch @@ -0,0 +1,80 @@ +From e7269085d8a0cf609291d9d3fabcccb96b041715 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Aug 2020 17:38:29 +0200 +Subject: mwifiex: Increase AES key storage size to 256 bits + +From: Maximilian Luz + +[ Upstream commit 4afc850e2e9e781976fb2c7852ce7bac374af938 ] + +Following commit e18696786548 ("mwifiex: Prevent memory corruption +handling keys") the mwifiex driver fails to authenticate with certain +networks, specifically networks with 256 bit keys, and repeatedly asks +for the password. The kernel log repeats the following lines (id and +bssid redacted): + + mwifiex_pcie 0000:01:00.0: info: trying to associate to '' bssid + mwifiex_pcie 0000:01:00.0: info: associated to bssid successfully + mwifiex_pcie 0000:01:00.0: crypto keys added + mwifiex_pcie 0000:01:00.0: info: successfully disconnected from : reason code 3 + +Tracking down this problem lead to the overflow check introduced by the +aforementioned commit into mwifiex_ret_802_11_key_material_v2(). This +check fails on networks with 256 bit keys due to the current storage +size for AES keys in struct mwifiex_aes_param being only 128 bit. + +To fix this issue, increase the storage size for AES keys to 256 bit. + +Fixes: e18696786548 ("mwifiex: Prevent memory corruption handling keys") +Signed-off-by: Maximilian Luz +Reported-by: Kaloyan Nikolov +Tested-by: Kaloyan Nikolov +Reviewed-by: Dan Carpenter +Reviewed-by: Brian Norris +Tested-by: Brian Norris +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200825153829.38043-1-luzmaximilian@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/mwifiex/fw.h | 2 +- + drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/marvell/mwifiex/fw.h b/drivers/net/wireless/marvell/mwifiex/fw.h +index 1fb76d2f5d3fd..8b9d0809daf62 100644 +--- a/drivers/net/wireless/marvell/mwifiex/fw.h ++++ b/drivers/net/wireless/marvell/mwifiex/fw.h +@@ -953,7 +953,7 @@ struct mwifiex_tkip_param { + struct mwifiex_aes_param { + u8 pn[WPA_PN_SIZE]; + __le16 key_len; +- u8 key[WLAN_KEY_LEN_CCMP]; ++ u8 key[WLAN_KEY_LEN_CCMP_256]; + } __packed; + + struct mwifiex_wapi_param { +diff --git a/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c b/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c +index 7ae2c34f65db2..4eaa493e33253 100644 +--- a/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c ++++ b/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c +@@ -619,7 +619,7 @@ static int mwifiex_ret_802_11_key_material_v2(struct mwifiex_private *priv, + key_v2 = &resp->params.key_material_v2; + + len = le16_to_cpu(key_v2->key_param_set.key_params.aes.key_len); +- if (len > WLAN_KEY_LEN_CCMP) ++ if (len > sizeof(key_v2->key_param_set.key_params.aes.key)) + return -EINVAL; + + if (le16_to_cpu(key_v2->action) == HostCmd_ACT_GEN_SET) { +@@ -635,7 +635,7 @@ static int mwifiex_ret_802_11_key_material_v2(struct mwifiex_private *priv, + return 0; + + memset(priv->aes_key_v2.key_param_set.key_params.aes.key, 0, +- WLAN_KEY_LEN_CCMP); ++ sizeof(key_v2->key_param_set.key_params.aes.key)); + priv->aes_key_v2.key_param_set.key_params.aes.key_len = + cpu_to_le16(len); + memcpy(priv->aes_key_v2.key_param_set.key_params.aes.key, +-- +2.25.1 + diff --git a/queue-5.4/net-qed-disable-arfs-for-npar-and-100g.patch b/queue-5.4/net-qed-disable-arfs-for-npar-and-100g.patch new file mode 100644 index 00000000000..6e55abec34d --- /dev/null +++ b/queue-5.4/net-qed-disable-arfs-for-npar-and-100g.patch @@ -0,0 +1,98 @@ +From 6fe6af4024de63a69c41dc8e50e5dbcfc7b84b58 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Sep 2020 20:43:08 +0300 +Subject: net: qed: Disable aRFS for NPAR and 100G + +From: Dmitry Bogdanov + +[ Upstream commit 2d2fe8433796603091ac8ea235b9165ac5a85f9a ] + +In CMT and NPAR the PF is unknown when the GFS block processes the +packet. Therefore cannot use searcher as it has a per PF database, +and thus ARFS must be disabled. + +Fixes: d51e4af5c209 ("qed: aRFS infrastructure support") +Signed-off-by: Manish Chopra +Signed-off-by: Igor Russkikh +Signed-off-by: Michal Kalderon +Signed-off-by: Dmitry Bogdanov +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qed/qed_dev.c | 11 ++++++++++- + drivers/net/ethernet/qlogic/qed/qed_l2.c | 3 +++ + drivers/net/ethernet/qlogic/qed/qed_main.c | 2 ++ + include/linux/qed/qed_if.h | 1 + + 4 files changed, 16 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/qlogic/qed/qed_dev.c b/drivers/net/ethernet/qlogic/qed/qed_dev.c +index 4456ce5325a74..a923c65532702 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_dev.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_dev.c +@@ -4142,7 +4142,8 @@ static int qed_hw_get_nvm_info(struct qed_hwfn *p_hwfn, struct qed_ptt *p_ptt) + cdev->mf_bits = BIT(QED_MF_LLH_MAC_CLSS) | + BIT(QED_MF_LLH_PROTO_CLSS) | + BIT(QED_MF_LL2_NON_UNICAST) | +- BIT(QED_MF_INTER_PF_SWITCH); ++ BIT(QED_MF_INTER_PF_SWITCH) | ++ BIT(QED_MF_DISABLE_ARFS); + break; + case NVM_CFG1_GLOB_MF_MODE_DEFAULT: + cdev->mf_bits = BIT(QED_MF_LLH_MAC_CLSS) | +@@ -4155,6 +4156,14 @@ static int qed_hw_get_nvm_info(struct qed_hwfn *p_hwfn, struct qed_ptt *p_ptt) + + DP_INFO(p_hwfn, "Multi function mode is 0x%lx\n", + cdev->mf_bits); ++ ++ /* In CMT the PF is unknown when the GFS block processes the ++ * packet. Therefore cannot use searcher as it has a per PF ++ * database, and thus ARFS must be disabled. ++ * ++ */ ++ if (QED_IS_CMT(cdev)) ++ cdev->mf_bits |= BIT(QED_MF_DISABLE_ARFS); + } + + DP_INFO(p_hwfn, "Multi function mode is 0x%lx\n", +diff --git a/drivers/net/ethernet/qlogic/qed/qed_l2.c b/drivers/net/ethernet/qlogic/qed/qed_l2.c +index 1a5fc2ae351c4..8a73482cb7a88 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_l2.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_l2.c +@@ -2001,6 +2001,9 @@ void qed_arfs_mode_configure(struct qed_hwfn *p_hwfn, + struct qed_ptt *p_ptt, + struct qed_arfs_config_params *p_cfg_params) + { ++ if (test_bit(QED_MF_DISABLE_ARFS, &p_hwfn->cdev->mf_bits)) ++ return; ++ + if (p_cfg_params->mode != QED_FILTER_CONFIG_MODE_DISABLE) { + qed_gft_config(p_hwfn, p_ptt, p_hwfn->rel_pf_id, + p_cfg_params->tcp, +diff --git a/drivers/net/ethernet/qlogic/qed/qed_main.c b/drivers/net/ethernet/qlogic/qed/qed_main.c +index e72f9f1d2e94d..bc1f5b36b5bf2 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_main.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_main.c +@@ -280,6 +280,8 @@ int qed_fill_dev_info(struct qed_dev *cdev, + dev_info->fw_eng = FW_ENGINEERING_VERSION; + dev_info->b_inter_pf_switch = test_bit(QED_MF_INTER_PF_SWITCH, + &cdev->mf_bits); ++ if (!test_bit(QED_MF_DISABLE_ARFS, &cdev->mf_bits)) ++ dev_info->b_arfs_capable = true; + dev_info->tx_switching = true; + + if (hw_info->b_wol_support == QED_WOL_SUPPORT_PME) +diff --git a/include/linux/qed/qed_if.h b/include/linux/qed/qed_if.h +index b5db1ee96d789..65a7355ed07b3 100644 +--- a/include/linux/qed/qed_if.h ++++ b/include/linux/qed/qed_if.h +@@ -637,6 +637,7 @@ struct qed_dev_info { + #define QED_MFW_VERSION_3_OFFSET 24 + + u32 flash_size; ++ bool b_arfs_capable; + bool b_inter_pf_switch; + bool tx_switching; + bool rdma_supported; +-- +2.25.1 + diff --git a/queue-5.4/net-qed-rdma-personality-shouldn-t-fail-vf-load.patch b/queue-5.4/net-qed-rdma-personality-shouldn-t-fail-vf-load.patch new file mode 100644 index 00000000000..7a8caa44d71 --- /dev/null +++ b/queue-5.4/net-qed-rdma-personality-shouldn-t-fail-vf-load.patch @@ -0,0 +1,36 @@ +From 3040291dd747c390a09bb449613d05c983e88cac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Sep 2020 20:43:10 +0300 +Subject: net: qed: RDMA personality shouldn't fail VF load + +From: Dmitry Bogdanov + +[ Upstream commit ce1cf9e5025f4e2d2198728391f1847b3e168bc6 ] + +Fix the assert during VF driver installation when the personality is iWARP + +Fixes: 1fe614d10f45 ("qed: Relax VF firmware requirements") +Signed-off-by: Igor Russkikh +Signed-off-by: Michal Kalderon +Signed-off-by: Dmitry Bogdanov +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qed/qed_sriov.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/qlogic/qed/qed_sriov.c b/drivers/net/ethernet/qlogic/qed/qed_sriov.c +index dcb5c917f3733..fb9c3ca5d36cc 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_sriov.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_sriov.c +@@ -96,6 +96,7 @@ static int qed_sp_vf_start(struct qed_hwfn *p_hwfn, struct qed_vf_info *p_vf) + p_ramrod->personality = PERSONALITY_ETH; + break; + case QED_PCI_ETH_ROCE: ++ case QED_PCI_ETH_IWARP: + p_ramrod->personality = PERSONALITY_RDMA_AND_ETH; + break; + default: +-- +2.25.1 + diff --git a/queue-5.4/net-qede-disable-arfs-for-npar-and-100g.patch b/queue-5.4/net-qede-disable-arfs-for-npar-and-100g.patch new file mode 100644 index 00000000000..674cddaff7e --- /dev/null +++ b/queue-5.4/net-qede-disable-arfs-for-npar-and-100g.patch @@ -0,0 +1,77 @@ +From 5fe968b82e5791181adadb347b11e0a9a51de8a0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Sep 2020 20:43:09 +0300 +Subject: net: qede: Disable aRFS for NPAR and 100G + +From: Dmitry Bogdanov + +[ Upstream commit 0367f05885b9f21d062447bd2ba1302ba3cc7392 ] + +In some configurations ARFS cannot be used, so disable it if device +is not capable. + +Fixes: e4917d46a653 ("qede: Add aRFS support") +Signed-off-by: Manish Chopra +Signed-off-by: Igor Russkikh +Signed-off-by: Michal Kalderon +Signed-off-by: Dmitry Bogdanov +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qede/qede_filter.c | 3 +++ + drivers/net/ethernet/qlogic/qede/qede_main.c | 11 +++++------ + 2 files changed, 8 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/ethernet/qlogic/qede/qede_filter.c b/drivers/net/ethernet/qlogic/qede/qede_filter.c +index c8bdbf057d5a2..5041994bf03fb 100644 +--- a/drivers/net/ethernet/qlogic/qede/qede_filter.c ++++ b/drivers/net/ethernet/qlogic/qede/qede_filter.c +@@ -336,6 +336,9 @@ int qede_alloc_arfs(struct qede_dev *edev) + { + int i; + ++ if (!edev->dev_info.common.b_arfs_capable) ++ return -EINVAL; ++ + edev->arfs = vzalloc(sizeof(*edev->arfs)); + if (!edev->arfs) + return -ENOMEM; +diff --git a/drivers/net/ethernet/qlogic/qede/qede_main.c b/drivers/net/ethernet/qlogic/qede/qede_main.c +index 2c3d654c84543..ce3e62e73e4cd 100644 +--- a/drivers/net/ethernet/qlogic/qede/qede_main.c ++++ b/drivers/net/ethernet/qlogic/qede/qede_main.c +@@ -770,7 +770,7 @@ static void qede_init_ndev(struct qede_dev *edev) + NETIF_F_IP_CSUM | NETIF_F_IPV6_CSUM | + NETIF_F_TSO | NETIF_F_TSO6 | NETIF_F_HW_TC; + +- if (!IS_VF(edev) && edev->dev_info.common.num_hwfns == 1) ++ if (edev->dev_info.common.b_arfs_capable) + hw_features |= NETIF_F_NTUPLE; + + if (edev->dev_info.common.vxlan_enable || +@@ -2211,7 +2211,7 @@ static void qede_unload(struct qede_dev *edev, enum qede_unload_mode mode, + qede_vlan_mark_nonconfigured(edev); + edev->ops->fastpath_stop(edev->cdev); + +- if (!IS_VF(edev) && edev->dev_info.common.num_hwfns == 1) { ++ if (edev->dev_info.common.b_arfs_capable) { + qede_poll_for_freeing_arfs_filters(edev); + qede_free_arfs(edev); + } +@@ -2278,10 +2278,9 @@ static int qede_load(struct qede_dev *edev, enum qede_load_mode mode, + if (rc) + goto err2; + +- if (!IS_VF(edev) && edev->dev_info.common.num_hwfns == 1) { +- rc = qede_alloc_arfs(edev); +- if (rc) +- DP_NOTICE(edev, "aRFS memory allocation failed\n"); ++ if (qede_alloc_arfs(edev)) { ++ edev->ndev->features &= ~NETIF_F_NTUPLE; ++ edev->dev_info.common.b_arfs_capable = false; + } + + qede_napi_add_enable(edev); +-- +2.25.1 + diff --git a/queue-5.4/netfilter-conntrack-nf_conncount_init-is-failing-wit.patch b/queue-5.4/netfilter-conntrack-nf_conncount_init-is-failing-wit.patch new file mode 100644 index 00000000000..efbdea00685 --- /dev/null +++ b/queue-5.4/netfilter-conntrack-nf_conncount_init-is-failing-wit.patch @@ -0,0 +1,50 @@ +From 0ada1f02fe795951e9fa72e0c2840f967e15cff1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Sep 2020 16:56:02 +0200 +Subject: netfilter: conntrack: nf_conncount_init is failing with IPv6 disabled + +From: Eelco Chaudron + +[ Upstream commit 526e81b990e53e31ba40ba304a2285ffd098721f ] + +The openvswitch module fails initialization when used in a kernel +without IPv6 enabled. nf_conncount_init() fails because the ct code +unconditionally tries to initialize the netns IPv6 related bit, +regardless of the build option. The change below ignores the IPv6 +part if not enabled. + +Note that the corresponding _put() function already has this IPv6 +configuration check. + +Fixes: 11efd5cb04a1 ("openvswitch: Support conntrack zone limit") +Signed-off-by: Eelco Chaudron +Reviewed-by: Simon Horman +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_proto.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c +index a0560d175a7ff..aaf4293ddd459 100644 +--- a/net/netfilter/nf_conntrack_proto.c ++++ b/net/netfilter/nf_conntrack_proto.c +@@ -565,6 +565,7 @@ static int nf_ct_netns_inet_get(struct net *net) + int err; + + err = nf_ct_netns_do_get(net, NFPROTO_IPV4); ++#if IS_ENABLED(CONFIG_IPV6) + if (err < 0) + goto err1; + err = nf_ct_netns_do_get(net, NFPROTO_IPV6); +@@ -575,6 +576,7 @@ static int nf_ct_netns_inet_get(struct net *net) + err2: + nf_ct_netns_put(net, NFPROTO_IPV4); + err1: ++#endif + return err; + } + +-- +2.25.1 + diff --git a/queue-5.4/nvme-tcp-fix-kconfig-dependency-warning-when-crypto.patch b/queue-5.4/nvme-tcp-fix-kconfig-dependency-warning-when-crypto.patch new file mode 100644 index 00000000000..f7eb5e66bc6 --- /dev/null +++ b/queue-5.4/nvme-tcp-fix-kconfig-dependency-warning-when-crypto.patch @@ -0,0 +1,46 @@ +From fb9fc804631de93be95e8ae33a982e5917cb9de1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Sep 2020 18:01:21 +0300 +Subject: nvme-tcp: fix kconfig dependency warning when !CRYPTO + +From: Necip Fazil Yildiran + +[ Upstream commit af5ad17854f96a6d3c9775e776bd01ab262672a1 ] + +When NVME_TCP is enabled and CRYPTO is disabled, it results in the +following Kbuild warning: + +WARNING: unmet direct dependencies detected for CRYPTO_CRC32C + Depends on [n]: CRYPTO [=n] + Selected by [y]: + - NVME_TCP [=y] && INET [=y] && BLK_DEV_NVME [=y] + +The reason is that NVME_TCP selects CRYPTO_CRC32C without depending on or +selecting CRYPTO while CRYPTO_CRC32C is subordinate to CRYPTO. + +Honor the kconfig menu hierarchy to remove kconfig dependency warnings. + +Fixes: 79fd751d61aa ("nvme: tcp: selects CRYPTO_CRC32C for nvme-tcp") +Signed-off-by: Necip Fazil Yildiran +Reviewed-by: Sagi Grimberg +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/nvme/host/Kconfig b/drivers/nvme/host/Kconfig +index 2b36f052bfb91..7b3f6555e67ba 100644 +--- a/drivers/nvme/host/Kconfig ++++ b/drivers/nvme/host/Kconfig +@@ -64,6 +64,7 @@ config NVME_TCP + depends on INET + depends on BLK_DEV_NVME + select NVME_FABRICS ++ select CRYPTO + select CRYPTO_CRC32C + help + This provides support for the NVMe over Fabrics protocol using +-- +2.25.1 + diff --git a/queue-5.4/regmap-fix-page-selection-for-noinc-reads.patch b/queue-5.4/regmap-fix-page-selection-for-noinc-reads.patch new file mode 100644 index 00000000000..3b7cd74f648 --- /dev/null +++ b/queue-5.4/regmap-fix-page-selection-for-noinc-reads.patch @@ -0,0 +1,84 @@ +From 2998980588d011c0e446bca9914cfb3c242a5b6e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Sep 2020 18:34:04 +0300 +Subject: regmap: fix page selection for noinc reads + +From: Dmitry Baryshkov + +[ Upstream commit 4003324856311faebb46cbd56a1616bd3f3b67c2 ] + +Non-incrementing reads can fail if register + length crosses page +border. However for non-incrementing reads we should not check for page +border crossing. Fix this by passing additional flag to _regmap_raw_read +and passing length to _regmap_select_page basing on the flag. + +Signed-off-by: Dmitry Baryshkov +Fixes: 74fe7b551f33 ("regmap: Add regmap_noinc_read API") +Link: https://lore.kernel.org/r/20200917153405.3139200-1-dmitry.baryshkov@linaro.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/base/regmap/regmap.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c +index 927ebde1607be..7244319dd2d52 100644 +--- a/drivers/base/regmap/regmap.c ++++ b/drivers/base/regmap/regmap.c +@@ -2454,7 +2454,7 @@ int regmap_raw_write_async(struct regmap *map, unsigned int reg, + EXPORT_SYMBOL_GPL(regmap_raw_write_async); + + static int _regmap_raw_read(struct regmap *map, unsigned int reg, void *val, +- unsigned int val_len) ++ unsigned int val_len, bool noinc) + { + struct regmap_range_node *range; + int ret; +@@ -2467,7 +2467,7 @@ static int _regmap_raw_read(struct regmap *map, unsigned int reg, void *val, + range = _regmap_range_lookup(map, reg); + if (range) { + ret = _regmap_select_page(map, ®, range, +- val_len / map->format.val_bytes); ++ noinc ? 1 : val_len / map->format.val_bytes); + if (ret != 0) + return ret; + } +@@ -2505,7 +2505,7 @@ static int _regmap_bus_read(void *context, unsigned int reg, + if (!map->format.parse_val) + return -EINVAL; + +- ret = _regmap_raw_read(map, reg, work_val, map->format.val_bytes); ++ ret = _regmap_raw_read(map, reg, work_val, map->format.val_bytes, false); + if (ret == 0) + *val = map->format.parse_val(work_val); + +@@ -2621,7 +2621,7 @@ int regmap_raw_read(struct regmap *map, unsigned int reg, void *val, + + /* Read bytes that fit into whole chunks */ + for (i = 0; i < chunk_count; i++) { +- ret = _regmap_raw_read(map, reg, val, chunk_bytes); ++ ret = _regmap_raw_read(map, reg, val, chunk_bytes, false); + if (ret != 0) + goto out; + +@@ -2632,7 +2632,7 @@ int regmap_raw_read(struct regmap *map, unsigned int reg, void *val, + + /* Read remaining bytes */ + if (val_len) { +- ret = _regmap_raw_read(map, reg, val, val_len); ++ ret = _regmap_raw_read(map, reg, val, val_len, false); + if (ret != 0) + goto out; + } +@@ -2707,7 +2707,7 @@ int regmap_noinc_read(struct regmap *map, unsigned int reg, + read_len = map->max_raw_read; + else + read_len = val_len; +- ret = _regmap_raw_read(map, reg, val, read_len); ++ ret = _regmap_raw_read(map, reg, val, read_len, true); + if (ret) + goto out_unlock; + val = ((u8 *)val) + read_len; +-- +2.25.1 + diff --git a/queue-5.4/regmap-fix-page-selection-for-noinc-writes.patch b/queue-5.4/regmap-fix-page-selection-for-noinc-writes.patch new file mode 100644 index 00000000000..dbf9c27b1e6 --- /dev/null +++ b/queue-5.4/regmap-fix-page-selection-for-noinc-writes.patch @@ -0,0 +1,149 @@ +From 436da5f9abf1943253f44821f451e4c5856a942a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Sep 2020 18:34:05 +0300 +Subject: regmap: fix page selection for noinc writes + +From: Dmitry Baryshkov + +[ Upstream commit 05669b63170771d554854c0e465b76dc98fc7c84 ] + +Non-incrementing writes can fail if register + length crosses page +border. However for non-incrementing writes we should not check for page +border crossing. Fix this by passing additional flag to _regmap_raw_write +and passing length to _regmap_select_page basing on the flag. + +Signed-off-by: Dmitry Baryshkov +Fixes: cdf6b11daa77 ("regmap: Add regmap_noinc_write API") +Link: https://lore.kernel.org/r/20200917153405.3139200-2-dmitry.baryshkov@linaro.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/base/regmap/internal.h | 2 +- + drivers/base/regmap/regcache.c | 2 +- + drivers/base/regmap/regmap.c | 21 +++++++++++---------- + 3 files changed, 13 insertions(+), 12 deletions(-) + +diff --git a/drivers/base/regmap/internal.h b/drivers/base/regmap/internal.h +index 3d80c4b43f720..d7c01b70e43db 100644 +--- a/drivers/base/regmap/internal.h ++++ b/drivers/base/regmap/internal.h +@@ -259,7 +259,7 @@ bool regcache_set_val(struct regmap *map, void *base, unsigned int idx, + int regcache_lookup_reg(struct regmap *map, unsigned int reg); + + int _regmap_raw_write(struct regmap *map, unsigned int reg, +- const void *val, size_t val_len); ++ const void *val, size_t val_len, bool noinc); + + void regmap_async_complete_cb(struct regmap_async *async, int ret); + +diff --git a/drivers/base/regmap/regcache.c b/drivers/base/regmap/regcache.c +index a93cafd7be4f2..7f4b3b62492ca 100644 +--- a/drivers/base/regmap/regcache.c ++++ b/drivers/base/regmap/regcache.c +@@ -717,7 +717,7 @@ static int regcache_sync_block_raw_flush(struct regmap *map, const void **data, + + map->cache_bypass = true; + +- ret = _regmap_raw_write(map, base, *data, count * val_bytes); ++ ret = _regmap_raw_write(map, base, *data, count * val_bytes, false); + if (ret) + dev_err(map->dev, "Unable to sync registers %#x-%#x. %d\n", + base, cur - map->reg_stride, ret); +diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c +index 7244319dd2d52..e0893f1b14522 100644 +--- a/drivers/base/regmap/regmap.c ++++ b/drivers/base/regmap/regmap.c +@@ -1468,7 +1468,7 @@ static void regmap_set_work_buf_flag_mask(struct regmap *map, int max_bytes, + } + + static int _regmap_raw_write_impl(struct regmap *map, unsigned int reg, +- const void *val, size_t val_len) ++ const void *val, size_t val_len, bool noinc) + { + struct regmap_range_node *range; + unsigned long flags; +@@ -1527,7 +1527,7 @@ static int _regmap_raw_write_impl(struct regmap *map, unsigned int reg, + win_residue, val_len / map->format.val_bytes); + ret = _regmap_raw_write_impl(map, reg, val, + win_residue * +- map->format.val_bytes); ++ map->format.val_bytes, noinc); + if (ret != 0) + return ret; + +@@ -1541,7 +1541,7 @@ static int _regmap_raw_write_impl(struct regmap *map, unsigned int reg, + win_residue = range->window_len - win_offset; + } + +- ret = _regmap_select_page(map, ®, range, val_num); ++ ret = _regmap_select_page(map, ®, range, noinc ? 1 : val_num); + if (ret != 0) + return ret; + } +@@ -1749,7 +1749,8 @@ static int _regmap_bus_raw_write(void *context, unsigned int reg, + map->work_buf + + map->format.reg_bytes + + map->format.pad_bytes, +- map->format.val_bytes); ++ map->format.val_bytes, ++ false); + } + + static inline void *_regmap_map_get_context(struct regmap *map) +@@ -1843,7 +1844,7 @@ int regmap_write_async(struct regmap *map, unsigned int reg, unsigned int val) + EXPORT_SYMBOL_GPL(regmap_write_async); + + int _regmap_raw_write(struct regmap *map, unsigned int reg, +- const void *val, size_t val_len) ++ const void *val, size_t val_len, bool noinc) + { + size_t val_bytes = map->format.val_bytes; + size_t val_count = val_len / val_bytes; +@@ -1864,7 +1865,7 @@ int _regmap_raw_write(struct regmap *map, unsigned int reg, + + /* Write as many bytes as possible with chunk_size */ + for (i = 0; i < chunk_count; i++) { +- ret = _regmap_raw_write_impl(map, reg, val, chunk_bytes); ++ ret = _regmap_raw_write_impl(map, reg, val, chunk_bytes, noinc); + if (ret) + return ret; + +@@ -1875,7 +1876,7 @@ int _regmap_raw_write(struct regmap *map, unsigned int reg, + + /* Write remaining bytes */ + if (val_len) +- ret = _regmap_raw_write_impl(map, reg, val, val_len); ++ ret = _regmap_raw_write_impl(map, reg, val, val_len, noinc); + + return ret; + } +@@ -1908,7 +1909,7 @@ int regmap_raw_write(struct regmap *map, unsigned int reg, + + map->lock(map->lock_arg); + +- ret = _regmap_raw_write(map, reg, val, val_len); ++ ret = _regmap_raw_write(map, reg, val, val_len, false); + + map->unlock(map->lock_arg); + +@@ -1966,7 +1967,7 @@ int regmap_noinc_write(struct regmap *map, unsigned int reg, + write_len = map->max_raw_write; + else + write_len = val_len; +- ret = _regmap_raw_write(map, reg, val, write_len); ++ ret = _regmap_raw_write(map, reg, val, write_len, true); + if (ret) + goto out_unlock; + val = ((u8 *)val) + write_len; +@@ -2443,7 +2444,7 @@ int regmap_raw_write_async(struct regmap *map, unsigned int reg, + + map->async = true; + +- ret = _regmap_raw_write(map, reg, val, val_len); ++ ret = _regmap_raw_write(map, reg, val, val_len, false); + + map->async = false; + +-- +2.25.1 + diff --git a/queue-5.4/regulator-axp20x-fix-ldo2-4-description.patch b/queue-5.4/regulator-axp20x-fix-ldo2-4-description.patch new file mode 100644 index 00000000000..cf888b1861b --- /dev/null +++ b/queue-5.4/regulator-axp20x-fix-ldo2-4-description.patch @@ -0,0 +1,59 @@ +From f314063dd6ee001de2591b81256a99513597591d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Sep 2020 08:51:42 +0800 +Subject: regulator: axp20x: fix LDO2/4 description + +From: Icenowy Zheng + +[ Upstream commit fbb5a79d2fe7b01c6424fbbc04368373b1672d61 ] + +Currently we wrongly set the mask of value of LDO2/4 both to the mask of +LDO2, and the LDO4 voltage configuration is left untouched. This leads +to conflict when LDO2/4 are both in use. + +Fix this issue by setting different vsel_mask to both regulators. + +Fixes: db4a555f7c4c ("regulator: axp20x: use defines for masks") +Signed-off-by: Icenowy Zheng +Link: https://lore.kernel.org/r/20200923005142.147135-1-icenowy@aosc.io +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/axp20x-regulator.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/regulator/axp20x-regulator.c b/drivers/regulator/axp20x-regulator.c +index 16f0c85700360..7075f42b9fcf6 100644 +--- a/drivers/regulator/axp20x-regulator.c ++++ b/drivers/regulator/axp20x-regulator.c +@@ -42,8 +42,9 @@ + + #define AXP20X_DCDC2_V_OUT_MASK GENMASK(5, 0) + #define AXP20X_DCDC3_V_OUT_MASK GENMASK(7, 0) +-#define AXP20X_LDO24_V_OUT_MASK GENMASK(7, 4) ++#define AXP20X_LDO2_V_OUT_MASK GENMASK(7, 4) + #define AXP20X_LDO3_V_OUT_MASK GENMASK(6, 0) ++#define AXP20X_LDO4_V_OUT_MASK GENMASK(3, 0) + #define AXP20X_LDO5_V_OUT_MASK GENMASK(7, 4) + + #define AXP20X_PWR_OUT_EXTEN_MASK BIT_MASK(0) +@@ -544,14 +545,14 @@ static const struct regulator_desc axp20x_regulators[] = { + AXP20X_PWR_OUT_CTRL, AXP20X_PWR_OUT_DCDC3_MASK), + AXP_DESC_FIXED(AXP20X, LDO1, "ldo1", "acin", 1300), + AXP_DESC(AXP20X, LDO2, "ldo2", "ldo24in", 1800, 3300, 100, +- AXP20X_LDO24_V_OUT, AXP20X_LDO24_V_OUT_MASK, ++ AXP20X_LDO24_V_OUT, AXP20X_LDO2_V_OUT_MASK, + AXP20X_PWR_OUT_CTRL, AXP20X_PWR_OUT_LDO2_MASK), + AXP_DESC(AXP20X, LDO3, "ldo3", "ldo3in", 700, 3500, 25, + AXP20X_LDO3_V_OUT, AXP20X_LDO3_V_OUT_MASK, + AXP20X_PWR_OUT_CTRL, AXP20X_PWR_OUT_LDO3_MASK), + AXP_DESC_RANGES(AXP20X, LDO4, "ldo4", "ldo24in", + axp20x_ldo4_ranges, AXP20X_LDO4_V_OUT_NUM_VOLTAGES, +- AXP20X_LDO24_V_OUT, AXP20X_LDO24_V_OUT_MASK, ++ AXP20X_LDO24_V_OUT, AXP20X_LDO4_V_OUT_MASK, + AXP20X_PWR_OUT_CTRL, AXP20X_PWR_OUT_LDO4_MASK), + AXP_DESC_IO(AXP20X, LDO5, "ldo5", "ldo5in", 1800, 3300, 100, + AXP20X_LDO5_V_OUT, AXP20X_LDO5_V_OUT_MASK, +-- +2.25.1 + diff --git a/queue-5.4/series b/queue-5.4/series index bcb1a408fb9..f253408b781 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -339,3 +339,33 @@ drm-amd-display-update-nv1x-stutter-latencies.patch drm-amdgpu-dc-require-primary-plane-to-be-enabled-wh.patch i2c-core-call-i2c_acpi_install_space_handler-before-.patch objtool-fix-noreturn-detection-for-ignored-functions.patch +ieee802154-fix-one-possible-memleak-in-ca8210_dev_co.patch +ieee802154-adf7242-check-status-of-adf7242_read_reg.patch +clocksource-drivers-h8300_timer8-fix-wrong-return-va.patch +mwifiex-increase-aes-key-storage-size-to-256-bits.patch +batman-adv-bla-fix-type-misuse-for-backbone_gw-hash-.patch +atm-eni-fix-the-missed-pci_disable_device-for-eni_in.patch +batman-adv-mcast-tt-fix-wrongly-dropped-or-rerouted-.patch +netfilter-conntrack-nf_conncount_init-is-failing-wit.patch +mac802154-tx-fix-use-after-free.patch +bpf-fix-clobbering-of-r2-in-bpf_gen_ld_abs.patch +drm-vc4-vc4_hdmi-fill-asoc-card-owner.patch +net-qed-disable-arfs-for-npar-and-100g.patch +net-qede-disable-arfs-for-npar-and-100g.patch +net-qed-rdma-personality-shouldn-t-fail-vf-load.patch +drm-sun4i-sun8i-csc-secondary-csc-register-correctio.patch +batman-adv-add-missing-include-for-in_interrupt.patch +nvme-tcp-fix-kconfig-dependency-warning-when-crypto.patch +batman-adv-mcast-fix-duplicate-mcast-packets-in-bla-.patch +batman-adv-mcast-fix-duplicate-mcast-packets-in-bla-.patch-6066 +batman-adv-mcast-fix-duplicate-mcast-packets-from-bl.patch +bpf-fix-a-rcu-warning-for-bpffs-map-pretty-print.patch +lib80211-fix-unmet-direct-dependendices-config-warni.patch +alsa-asihpi-fix-iounmap-in-error-handler.patch +regmap-fix-page-selection-for-noinc-reads.patch +regmap-fix-page-selection-for-noinc-writes.patch +mips-add-the-missing-cpu_1074k-into-__get_cpu_type.patch +regulator-axp20x-fix-ldo2-4-description.patch +kvm-x86-reset-mmu-context-if-guest-toggles-cr4.smap-.patch +kvm-svm-add-a-dedicated-invd-intercept-routine.patch +mm-validate-pmd-after-splitting.patch