From: Greg Kroah-Hartman Date: Mon, 18 Apr 2022 09:25:01 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v4.9.311~24 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7efc2925206d541fafc603feec1a89ff5fc3d562;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: alsa-hda-realtek-add-quirk-for-clevo-pd50pnt.patch alsa-pcm-test-for-silence-field-in-struct-pcm_format_data.patch arm-davinci-da850-evm-avoid-null-pointer-dereference.patch ath9k-fix-usage-of-driver-private-space-in-tx_info.patch ath9k-properly-clear-tx-status-area-before-reporting-to-mac80211.patch btrfs-mark-resumed-async-balance-as-writing.patch btrfs-remove-unused-variable-in-btrfs_-start-write-_dirty_block_groups.patch dm-integrity-fix-memory-corruption-when-tag_size-is-less-than-digest-size.patch drm-amd-display-don-t-ignore-alpha-property-on-pre-multiplied-mode.patch genirq-affinity-consider-that-cpus-on-nodes-can-be-unbalanced.patch ipv6-fix-panic-when-forwarding-a-pkt-with-no-in6-dev.patch tick-nohz-use-warn_on_once-to-prevent-console-saturation.patch --- diff --git a/queue-5.4/alsa-hda-realtek-add-quirk-for-clevo-pd50pnt.patch b/queue-5.4/alsa-hda-realtek-add-quirk-for-clevo-pd50pnt.patch new file mode 100644 index 00000000000..54d609ec48c --- /dev/null +++ b/queue-5.4/alsa-hda-realtek-add-quirk-for-clevo-pd50pnt.patch @@ -0,0 +1,30 @@ +From 9eb6f5c388060d8cef3c8b616cc31b765e022359 Mon Sep 17 00:00:00 2001 +From: Tim Crawford +Date: Tue, 5 Apr 2022 12:20:29 -0600 +Subject: ALSA: hda/realtek: Add quirk for Clevo PD50PNT + +From: Tim Crawford + +commit 9eb6f5c388060d8cef3c8b616cc31b765e022359 upstream. + +Fixes speaker output and headset detection on Clevo PD50PNT. + +Signed-off-by: Tim Crawford +Cc: +Link: https://lore.kernel.org/r/20220405182029.27431-1-tcrawford@system76.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -2568,6 +2568,7 @@ static const struct snd_pci_quirk alc882 + SND_PCI_QUIRK(0x1558, 0x65e1, "Clevo PB51[ED][DF]", ALC1220_FIXUP_CLEVO_PB51ED_PINS), + SND_PCI_QUIRK(0x1558, 0x65e5, "Clevo PC50D[PRS](?:-D|-G)?", ALC1220_FIXUP_CLEVO_PB51ED_PINS), + SND_PCI_QUIRK(0x1558, 0x65f1, "Clevo PC50HS", ALC1220_FIXUP_CLEVO_PB51ED_PINS), ++ SND_PCI_QUIRK(0x1558, 0x65f5, "Clevo PD50PN[NRT]", ALC1220_FIXUP_CLEVO_PB51ED_PINS), + SND_PCI_QUIRK(0x1558, 0x67d1, "Clevo PB71[ER][CDF]", ALC1220_FIXUP_CLEVO_PB51ED_PINS), + SND_PCI_QUIRK(0x1558, 0x67e1, "Clevo PB71[DE][CDF]", ALC1220_FIXUP_CLEVO_PB51ED_PINS), + SND_PCI_QUIRK(0x1558, 0x67e5, "Clevo PC70D[PRS](?:-D|-G)?", ALC1220_FIXUP_CLEVO_PB51ED_PINS), diff --git a/queue-5.4/alsa-pcm-test-for-silence-field-in-struct-pcm_format_data.patch b/queue-5.4/alsa-pcm-test-for-silence-field-in-struct-pcm_format_data.patch new file mode 100644 index 00000000000..f7b831847b4 --- /dev/null +++ b/queue-5.4/alsa-pcm-test-for-silence-field-in-struct-pcm_format_data.patch @@ -0,0 +1,40 @@ +From 2f7a26abb8241a0208c68d22815aa247c5ddacab Mon Sep 17 00:00:00 2001 +From: "Fabio M. De Francesco" +Date: Sat, 9 Apr 2022 03:26:55 +0200 +Subject: ALSA: pcm: Test for "silence" field in struct "pcm_format_data" + +From: Fabio M. De Francesco + +commit 2f7a26abb8241a0208c68d22815aa247c5ddacab upstream. + +Syzbot reports "KASAN: null-ptr-deref Write in +snd_pcm_format_set_silence".[1] + +It is due to missing validation of the "silence" field of struct +"pcm_format_data" in "pcm_formats" array. + +Add a test for valid "pat" and, if it is not so, return -EINVAL. + +[1] https://lore.kernel.org/lkml/000000000000d188ef05dc2c7279@google.com/ + +Reported-and-tested-by: syzbot+205eb15961852c2c5974@syzkaller.appspotmail.com +Signed-off-by: Fabio M. De Francesco +Cc: +Link: https://lore.kernel.org/r/20220409012655.9399-1-fmdefrancesco@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/core/pcm_misc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/core/pcm_misc.c ++++ b/sound/core/pcm_misc.c +@@ -423,7 +423,7 @@ int snd_pcm_format_set_silence(snd_pcm_f + return 0; + width = pcm_formats[(INT)format].phys; /* physical width */ + pat = pcm_formats[(INT)format].silence; +- if (! width) ++ if (!width || !pat) + return -EINVAL; + /* signed or 1 byte data */ + if (pcm_formats[(INT)format].signd == 1 || width <= 8) { diff --git a/queue-5.4/arm-davinci-da850-evm-avoid-null-pointer-dereference.patch b/queue-5.4/arm-davinci-da850-evm-avoid-null-pointer-dereference.patch new file mode 100644 index 00000000000..6b8f5615c67 --- /dev/null +++ b/queue-5.4/arm-davinci-da850-evm-avoid-null-pointer-dereference.patch @@ -0,0 +1,58 @@ +From 83a1cde5c74bfb44b49cb2a940d044bb2380f4ea Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Thu, 23 Dec 2021 15:21:41 -0700 +Subject: ARM: davinci: da850-evm: Avoid NULL pointer dereference + +From: Nathan Chancellor + +commit 83a1cde5c74bfb44b49cb2a940d044bb2380f4ea upstream. + +With newer versions of GCC, there is a panic in da850_evm_config_emac() +when booting multi_v5_defconfig in QEMU under the palmetto-bmc machine: + +Unable to handle kernel NULL pointer dereference at virtual address 00000020 +pgd = (ptrval) +[00000020] *pgd=00000000 +Internal error: Oops: 5 [#1] PREEMPT ARM +Modules linked in: +CPU: 0 PID: 1 Comm: swapper Not tainted 5.15.0 #1 +Hardware name: Generic DT based system +PC is at da850_evm_config_emac+0x1c/0x120 +LR is at do_one_initcall+0x50/0x1e0 + +The emac_pdata pointer in soc_info is NULL because davinci_soc_info only +gets populated on davinci machines but da850_evm_config_emac() is called +on all machines via device_initcall(). + +Move the rmii_en assignment below the machine check so that it is only +dereferenced when running on a supported SoC. + +Fixes: bae105879f2f ("davinci: DA850/OMAP-L138 EVM: implement autodetect of RMII PHY") +Signed-off-by: Nathan Chancellor +Reviewed-by: Arnd Bergmann +Reviewed-by: Bartosz Golaszewski +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/YcS4xVWs6bQlQSPC@archlinux-ax161/ +Signed-off-by: Arnd Bergmann +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/mach-davinci/board-da850-evm.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/arch/arm/mach-davinci/board-da850-evm.c ++++ b/arch/arm/mach-davinci/board-da850-evm.c +@@ -1101,11 +1101,13 @@ static int __init da850_evm_config_emac( + int ret; + u32 val; + struct davinci_soc_info *soc_info = &davinci_soc_info; +- u8 rmii_en = soc_info->emac_pdata->rmii_en; ++ u8 rmii_en; + + if (!machine_is_davinci_da850_evm()) + return 0; + ++ rmii_en = soc_info->emac_pdata->rmii_en; ++ + cfg_chip3_base = DA8XX_SYSCFG0_VIRT(DA8XX_CFGCHIP3_REG); + + val = __raw_readl(cfg_chip3_base); diff --git a/queue-5.4/ath9k-fix-usage-of-driver-private-space-in-tx_info.patch b/queue-5.4/ath9k-fix-usage-of-driver-private-space-in-tx_info.patch new file mode 100644 index 00000000000..5cbc58e1cb6 --- /dev/null +++ b/queue-5.4/ath9k-fix-usage-of-driver-private-space-in-tx_info.patch @@ -0,0 +1,122 @@ +From 5a6b06f5927c940fa44026695779c30b7536474c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Toke=20H=C3=B8iland-J=C3=B8rgensen?= +Date: Mon, 4 Apr 2022 22:48:00 +0200 +Subject: ath9k: Fix usage of driver-private space in tx_info +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Toke Høiland-Jørgensen + +commit 5a6b06f5927c940fa44026695779c30b7536474c upstream. + +The ieee80211_tx_info_clear_status() helper also clears the rate counts and +the driver-private part of struct ieee80211_tx_info, so using it breaks +quite a few other things. So back out of using it, and instead define a +ath-internal helper that only clears the area between the +status_driver_data and the rates info. Combined with moving the +ath_frame_info struct to status_driver_data, this avoids clearing anything +we shouldn't be, and so we can keep the existing code for handling the rate +information. + +While fixing this I also noticed that the setting of +tx_info->status.rates[tx_rateindex].count on hardware underrun errors was +always immediately overridden by the normal setting of the same fields, so +rearrange the code so that the underrun detection actually takes effect. + +The new helper could be generalised to a 'memset_between()' helper, but +leave it as a driver-internal helper for now since this needs to go to +stable. + +Cc: stable@vger.kernel.org +Reported-by: Peter Seiderer +Fixes: 037250f0a45c ("ath9k: Properly clear TX status area before reporting to mac80211") +Signed-off-by: Toke Høiland-Jørgensen +Reviewed-by: Peter Seiderer +Tested-by: Peter Seiderer +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20220404204800.2681133-1-toke@toke.dk +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath9k/main.c | 2 +- + drivers/net/wireless/ath/ath9k/xmit.c | 30 ++++++++++++++++++++---------- + 2 files changed, 21 insertions(+), 11 deletions(-) + +--- a/drivers/net/wireless/ath/ath9k/main.c ++++ b/drivers/net/wireless/ath/ath9k/main.c +@@ -836,7 +836,7 @@ static bool ath9k_txq_list_has_key(struc + continue; + + txinfo = IEEE80211_SKB_CB(bf->bf_mpdu); +- fi = (struct ath_frame_info *)&txinfo->rate_driver_data[0]; ++ fi = (struct ath_frame_info *)&txinfo->status.status_driver_data[0]; + if (fi->keyix == keyix) + return true; + } +--- a/drivers/net/wireless/ath/ath9k/xmit.c ++++ b/drivers/net/wireless/ath/ath9k/xmit.c +@@ -141,8 +141,8 @@ static struct ath_frame_info *get_frame_ + { + struct ieee80211_tx_info *tx_info = IEEE80211_SKB_CB(skb); + BUILD_BUG_ON(sizeof(struct ath_frame_info) > +- sizeof(tx_info->rate_driver_data)); +- return (struct ath_frame_info *) &tx_info->rate_driver_data[0]; ++ sizeof(tx_info->status.status_driver_data)); ++ return (struct ath_frame_info *) &tx_info->status.status_driver_data[0]; + } + + static void ath_send_bar(struct ath_atx_tid *tid, u16 seqno) +@@ -2498,6 +2498,16 @@ skip_tx_complete: + spin_unlock_irqrestore(&sc->tx.txbuflock, flags); + } + ++static void ath_clear_tx_status(struct ieee80211_tx_info *tx_info) ++{ ++ void *ptr = &tx_info->status; ++ ++ memset(ptr + sizeof(tx_info->status.rates), 0, ++ sizeof(tx_info->status) - ++ sizeof(tx_info->status.rates) - ++ sizeof(tx_info->status.status_driver_data)); ++} ++ + static void ath_tx_rc_status(struct ath_softc *sc, struct ath_buf *bf, + struct ath_tx_status *ts, int nframes, int nbad, + int txok) +@@ -2509,7 +2519,7 @@ static void ath_tx_rc_status(struct ath_ + struct ath_hw *ah = sc->sc_ah; + u8 i, tx_rateindex; + +- ieee80211_tx_info_clear_status(tx_info); ++ ath_clear_tx_status(tx_info); + + if (txok) + tx_info->status.ack_signal = ts->ts_rssi; +@@ -2525,6 +2535,13 @@ static void ath_tx_rc_status(struct ath_ + tx_info->status.ampdu_len = nframes; + tx_info->status.ampdu_ack_len = nframes - nbad; + ++ tx_info->status.rates[tx_rateindex].count = ts->ts_longretry + 1; ++ ++ for (i = tx_rateindex + 1; i < hw->max_rates; i++) { ++ tx_info->status.rates[i].count = 0; ++ tx_info->status.rates[i].idx = -1; ++ } ++ + if ((ts->ts_status & ATH9K_TXERR_FILT) == 0 && + (tx_info->flags & IEEE80211_TX_CTL_NO_ACK) == 0) { + /* +@@ -2546,13 +2563,6 @@ static void ath_tx_rc_status(struct ath_ + tx_info->status.rates[tx_rateindex].count = + hw->max_rate_tries; + } +- +- for (i = tx_rateindex + 1; i < hw->max_rates; i++) { +- tx_info->status.rates[i].count = 0; +- tx_info->status.rates[i].idx = -1; +- } +- +- tx_info->status.rates[tx_rateindex].count = ts->ts_longretry + 1; + } + + static void ath_tx_processq(struct ath_softc *sc, struct ath_txq *txq) diff --git a/queue-5.4/ath9k-properly-clear-tx-status-area-before-reporting-to-mac80211.patch b/queue-5.4/ath9k-properly-clear-tx-status-area-before-reporting-to-mac80211.patch new file mode 100644 index 00000000000..ac12a39cfc6 --- /dev/null +++ b/queue-5.4/ath9k-properly-clear-tx-status-area-before-reporting-to-mac80211.patch @@ -0,0 +1,59 @@ +From 037250f0a45cf9ecf5b52d4b9ff8eadeb609c800 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Toke=20H=C3=B8iland-J=C3=B8rgensen?= +Date: Wed, 30 Mar 2022 18:44:09 +0200 +Subject: ath9k: Properly clear TX status area before reporting to mac80211 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Toke Høiland-Jørgensen + +commit 037250f0a45cf9ecf5b52d4b9ff8eadeb609c800 upstream. + +The ath9k driver was not properly clearing the status area in the +ieee80211_tx_info struct before reporting TX status to mac80211. Instead, +it was manually filling in fields, which meant that fields introduced later +were left as-is. + +Conveniently, mac80211 actually provides a helper to zero out the status +area, so use that to make sure we zero everything. + +The last commit touching the driver function writing the status information +seems to have actually been fixing an issue that was also caused by the +area being uninitialised; but it only added clearing of a single field +instead of the whole struct. That is now redundant, though, so revert that +commit and use it as a convenient Fixes tag. + +Fixes: cc591d77aba1 ("ath9k: Make sure to zero status.tx_time before reporting TX status") +Reported-by: Bagas Sanjaya +Cc: +Signed-off-by: Toke Høiland-Jørgensen +Tested-by: Bagas Sanjaya +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20220330164409.16645-1-toke@toke.dk +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath9k/xmit.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/net/wireless/ath/ath9k/xmit.c ++++ b/drivers/net/wireless/ath/ath9k/xmit.c +@@ -2509,6 +2509,8 @@ static void ath_tx_rc_status(struct ath_ + struct ath_hw *ah = sc->sc_ah; + u8 i, tx_rateindex; + ++ ieee80211_tx_info_clear_status(tx_info); ++ + if (txok) + tx_info->status.ack_signal = ts->ts_rssi; + +@@ -2551,9 +2553,6 @@ static void ath_tx_rc_status(struct ath_ + } + + tx_info->status.rates[tx_rateindex].count = ts->ts_longretry + 1; +- +- /* we report airtime in ath_tx_count_airtime(), don't report twice */ +- tx_info->status.tx_time = 0; + } + + static void ath_tx_processq(struct ath_softc *sc, struct ath_txq *txq) diff --git a/queue-5.4/btrfs-mark-resumed-async-balance-as-writing.patch b/queue-5.4/btrfs-mark-resumed-async-balance-as-writing.patch new file mode 100644 index 00000000000..4d386a12b88 --- /dev/null +++ b/queue-5.4/btrfs-mark-resumed-async-balance-as-writing.patch @@ -0,0 +1,39 @@ +From a690e5f2db4d1dca742ce734aaff9f3112d63764 Mon Sep 17 00:00:00 2001 +From: Naohiro Aota +Date: Tue, 29 Mar 2022 15:55:58 +0900 +Subject: btrfs: mark resumed async balance as writing + +From: Naohiro Aota + +commit a690e5f2db4d1dca742ce734aaff9f3112d63764 upstream. + +When btrfs balance is interrupted with umount, the background balance +resumes on the next mount. There is a potential deadlock with FS freezing +here like as described in commit 26559780b953 ("btrfs: zoned: mark +relocation as writing"). Mark the process as sb_writing to avoid it. + +Reviewed-by: Filipe Manana +CC: stable@vger.kernel.org # 4.9+ +Signed-off-by: Naohiro Aota +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/volumes.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -4320,10 +4320,12 @@ static int balance_kthread(void *data) + struct btrfs_fs_info *fs_info = data; + int ret = 0; + ++ sb_start_write(fs_info->sb); + mutex_lock(&fs_info->balance_mutex); + if (fs_info->balance_ctl) + ret = btrfs_balance(fs_info, fs_info->balance_ctl, NULL); + mutex_unlock(&fs_info->balance_mutex); ++ sb_end_write(fs_info->sb); + + return ret; + } diff --git a/queue-5.4/btrfs-remove-unused-variable-in-btrfs_-start-write-_dirty_block_groups.patch b/queue-5.4/btrfs-remove-unused-variable-in-btrfs_-start-write-_dirty_block_groups.patch new file mode 100644 index 00000000000..00affad7f86 --- /dev/null +++ b/queue-5.4/btrfs-remove-unused-variable-in-btrfs_-start-write-_dirty_block_groups.patch @@ -0,0 +1,68 @@ +From 6d4a6b515c39f1f8763093e0f828959b2fbc2f45 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Thu, 24 Mar 2022 08:36:45 -0700 +Subject: btrfs: remove unused variable in btrfs_{start,write}_dirty_block_groups() + +From: Nathan Chancellor + +commit 6d4a6b515c39f1f8763093e0f828959b2fbc2f45 upstream. + +Clang's version of -Wunused-but-set-variable recently gained support for +unary operations, which reveals two unused variables: + + fs/btrfs/block-group.c:2949:6: error: variable 'num_started' set but not used [-Werror,-Wunused-but-set-variable] + int num_started = 0; + ^ + fs/btrfs/block-group.c:3116:6: error: variable 'num_started' set but not used [-Werror,-Wunused-but-set-variable] + int num_started = 0; + ^ + 2 errors generated. + +These variables appear to be unused from their introduction, so just +remove them to silence the warnings. + +Fixes: c9dc4c657850 ("Btrfs: two stage dirty block group writeout") +Fixes: 1bbc621ef284 ("Btrfs: allow block group cache writeout outside critical section in commit") +CC: stable@vger.kernel.org # 5.4+ +Link: https://github.com/ClangBuiltLinux/linux/issues/1614 +Signed-off-by: Nathan Chancellor +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/block-group.c | 4 ---- + 1 file changed, 4 deletions(-) + +--- a/fs/btrfs/block-group.c ++++ b/fs/btrfs/block-group.c +@@ -2388,7 +2388,6 @@ int btrfs_start_dirty_block_groups(struc + struct btrfs_path *path = NULL; + LIST_HEAD(dirty); + struct list_head *io = &cur_trans->io_bgs; +- int num_started = 0; + int loops = 0; + + spin_lock(&cur_trans->dirty_bgs_lock); +@@ -2455,7 +2454,6 @@ again: + cache->io_ctl.inode = NULL; + ret = btrfs_write_out_cache(trans, cache, path); + if (ret == 0 && cache->io_ctl.inode) { +- num_started++; + should_put = 0; + + /* +@@ -2556,7 +2554,6 @@ int btrfs_write_dirty_block_groups(struc + int should_put; + struct btrfs_path *path; + struct list_head *io = &cur_trans->io_bgs; +- int num_started = 0; + + path = btrfs_alloc_path(); + if (!path) +@@ -2614,7 +2611,6 @@ int btrfs_write_dirty_block_groups(struc + cache->io_ctl.inode = NULL; + ret = btrfs_write_out_cache(trans, cache, path); + if (ret == 0 && cache->io_ctl.inode) { +- num_started++; + should_put = 0; + list_add_tail(&cache->io_list, io); + } else { diff --git a/queue-5.4/dm-integrity-fix-memory-corruption-when-tag_size-is-less-than-digest-size.patch b/queue-5.4/dm-integrity-fix-memory-corruption-when-tag_size-is-less-than-digest-size.patch new file mode 100644 index 00000000000..5dbf7e1d6b4 --- /dev/null +++ b/queue-5.4/dm-integrity-fix-memory-corruption-when-tag_size-is-less-than-digest-size.patch @@ -0,0 +1,53 @@ +From 08c1af8f1c13bbf210f1760132f4df24d0ed46d6 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Sun, 3 Apr 2022 14:38:22 -0400 +Subject: dm integrity: fix memory corruption when tag_size is less than digest size + +From: Mikulas Patocka + +commit 08c1af8f1c13bbf210f1760132f4df24d0ed46d6 upstream. + +It is possible to set up dm-integrity in such a way that the +"tag_size" parameter is less than the actual digest size. In this +situation, a part of the digest beyond tag_size is ignored. + +In this case, dm-integrity would write beyond the end of the +ic->recalc_tags array and corrupt memory. The corruption happened in +integrity_recalc->integrity_sector_checksum->crypto_shash_final. + +Fix this corruption by increasing the tags array so that it has enough +padding at the end to accomodate the loop in integrity_recalc() being +able to write a full digest size for the last member of the tags +array. + +Cc: stable@vger.kernel.org # v4.19+ +Signed-off-by: Mikulas Patocka +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-integrity.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/md/dm-integrity.c ++++ b/drivers/md/dm-integrity.c +@@ -4054,6 +4054,7 @@ try_smaller_buffer: + } + + if (ic->internal_hash) { ++ size_t recalc_tags_size; + ic->recalc_wq = alloc_workqueue("dm-integrity-recalc", WQ_MEM_RECLAIM, 1); + if (!ic->recalc_wq ) { + ti->error = "Cannot allocate workqueue"; +@@ -4067,8 +4068,10 @@ try_smaller_buffer: + r = -ENOMEM; + goto bad; + } +- ic->recalc_tags = kvmalloc_array(RECALC_SECTORS >> ic->sb->log2_sectors_per_block, +- ic->tag_size, GFP_KERNEL); ++ recalc_tags_size = (RECALC_SECTORS >> ic->sb->log2_sectors_per_block) * ic->tag_size; ++ if (crypto_shash_digestsize(ic->internal_hash) > ic->tag_size) ++ recalc_tags_size += crypto_shash_digestsize(ic->internal_hash) - ic->tag_size; ++ ic->recalc_tags = kvmalloc(recalc_tags_size, GFP_KERNEL); + if (!ic->recalc_tags) { + ti->error = "Cannot allocate tags for recalculating"; + r = -ENOMEM; diff --git a/queue-5.4/drm-amd-display-don-t-ignore-alpha-property-on-pre-multiplied-mode.patch b/queue-5.4/drm-amd-display-don-t-ignore-alpha-property-on-pre-multiplied-mode.patch new file mode 100644 index 00000000000..678d3d2425e --- /dev/null +++ b/queue-5.4/drm-amd-display-don-t-ignore-alpha-property-on-pre-multiplied-mode.patch @@ -0,0 +1,97 @@ +From e4f1541caf60fcbe5a59e9d25805c0b5865e546a Mon Sep 17 00:00:00 2001 +From: Melissa Wen +Date: Tue, 29 Mar 2022 19:18:35 -0100 +Subject: drm/amd/display: don't ignore alpha property on pre-multiplied mode + +From: Melissa Wen + +commit e4f1541caf60fcbe5a59e9d25805c0b5865e546a upstream. + +"Pre-multiplied" is the default pixel blend mode for KMS/DRM, as +documented in supported_modes of drm_plane_create_blend_mode_property(): +https://cgit.freedesktop.org/drm/drm-misc/tree/drivers/gpu/drm/drm_blend.c + +In this mode, both 'pixel alpha' and 'plane alpha' participate in the +calculation, as described by the pixel blend mode formula in KMS/DRM +documentation: + +out.rgb = plane_alpha * fg.rgb + + (1 - (plane_alpha * fg.alpha)) * bg.rgb + +Considering the blend config mechanisms we have in the driver so far, +the alpha mode that better fits this blend mode is the +_PER_PIXEL_ALPHA_COMBINED_GLOBAL_GAIN, where the value for global_gain +is the plane alpha (global_alpha). + +With this change, alpha property stops to be ignored. It also addresses +Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/1734 + +v2: + * keep the 8-bit value for global_alpha_value (Nicholas) + * correct the logical ordering for combined global gain (Nicholas) + * apply to dcn10 too (Nicholas) + +Signed-off-by: Melissa Wen +Tested-by: Rodrigo Siqueira +Reviewed-by: Harry Wentland +Tested-by: Simon Ser +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c | 14 +++++++++----- + drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c | 14 +++++++++----- + 2 files changed, 18 insertions(+), 10 deletions(-) + +--- a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c +@@ -2202,14 +2202,18 @@ static void dcn10_update_mpcc(struct dc + &blnd_cfg.black_color); + } + +- if (per_pixel_alpha) +- blnd_cfg.alpha_mode = MPCC_ALPHA_BLEND_MODE_PER_PIXEL_ALPHA; +- else +- blnd_cfg.alpha_mode = MPCC_ALPHA_BLEND_MODE_GLOBAL_ALPHA; +- + blnd_cfg.overlap_only = false; + blnd_cfg.global_gain = 0xff; + ++ if (per_pixel_alpha && pipe_ctx->plane_state->global_alpha) { ++ blnd_cfg.alpha_mode = MPCC_ALPHA_BLEND_MODE_PER_PIXEL_ALPHA_COMBINED_GLOBAL_GAIN; ++ blnd_cfg.global_gain = pipe_ctx->plane_state->global_alpha_value; ++ } else if (per_pixel_alpha) { ++ blnd_cfg.alpha_mode = MPCC_ALPHA_BLEND_MODE_PER_PIXEL_ALPHA; ++ } else { ++ blnd_cfg.alpha_mode = MPCC_ALPHA_BLEND_MODE_GLOBAL_ALPHA; ++ } ++ + if (pipe_ctx->plane_state->global_alpha) + blnd_cfg.global_alpha = pipe_ctx->plane_state->global_alpha_value; + else +--- a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c +@@ -1740,14 +1740,18 @@ static void dcn20_update_mpcc(struct dc + pipe_ctx, &blnd_cfg.black_color); + } + +- if (per_pixel_alpha) +- blnd_cfg.alpha_mode = MPCC_ALPHA_BLEND_MODE_PER_PIXEL_ALPHA; +- else +- blnd_cfg.alpha_mode = MPCC_ALPHA_BLEND_MODE_GLOBAL_ALPHA; +- + blnd_cfg.overlap_only = false; + blnd_cfg.global_gain = 0xff; + ++ if (per_pixel_alpha && pipe_ctx->plane_state->global_alpha) { ++ blnd_cfg.alpha_mode = MPCC_ALPHA_BLEND_MODE_PER_PIXEL_ALPHA_COMBINED_GLOBAL_GAIN; ++ blnd_cfg.global_gain = pipe_ctx->plane_state->global_alpha_value; ++ } else if (per_pixel_alpha) { ++ blnd_cfg.alpha_mode = MPCC_ALPHA_BLEND_MODE_PER_PIXEL_ALPHA; ++ } else { ++ blnd_cfg.alpha_mode = MPCC_ALPHA_BLEND_MODE_GLOBAL_ALPHA; ++ } ++ + if (pipe_ctx->plane_state->global_alpha) + blnd_cfg.global_alpha = pipe_ctx->plane_state->global_alpha_value; + else diff --git a/queue-5.4/genirq-affinity-consider-that-cpus-on-nodes-can-be-unbalanced.patch b/queue-5.4/genirq-affinity-consider-that-cpus-on-nodes-can-be-unbalanced.patch new file mode 100644 index 00000000000..4bae1069ca7 --- /dev/null +++ b/queue-5.4/genirq-affinity-consider-that-cpus-on-nodes-can-be-unbalanced.patch @@ -0,0 +1,47 @@ +From 08d835dff916bfe8f45acc7b92c7af6c4081c8a7 Mon Sep 17 00:00:00 2001 +From: Rei Yamamoto +Date: Thu, 31 Mar 2022 09:33:09 +0900 +Subject: genirq/affinity: Consider that CPUs on nodes can be unbalanced + +From: Rei Yamamoto + +commit 08d835dff916bfe8f45acc7b92c7af6c4081c8a7 upstream. + +If CPUs on a node are offline at boot time, the number of nodes is +different when building affinity masks for present cpus and when building +affinity masks for possible cpus. This causes the following problem: + +In the case that the number of vectors is less than the number of nodes +there are cases where bits of masks for present cpus are overwritten when +building masks for possible cpus. + +Fix this by excluding CPUs, which are not part of the current build mask +(present/possible). + +[ tglx: Massaged changelog and added comment ] + +Fixes: b82592199032 ("genirq/affinity: Spread IRQs to all available NUMA nodes") +Signed-off-by: Rei Yamamoto +Signed-off-by: Thomas Gleixner +Reviewed-by: Ming Lei +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20220331003309.10891-1-yamamoto.rei@jp.fujitsu.com +Signed-off-by: Greg Kroah-Hartman +--- + kernel/irq/affinity.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/kernel/irq/affinity.c ++++ b/kernel/irq/affinity.c +@@ -269,8 +269,9 @@ static int __irq_build_affinity_masks(un + */ + if (numvecs <= nodes) { + for_each_node_mask(n, nodemsk) { +- cpumask_or(&masks[curvec].mask, &masks[curvec].mask, +- node_to_cpumask[n]); ++ /* Ensure that only CPUs which are in both masks are set */ ++ cpumask_and(nmsk, cpu_mask, node_to_cpumask[n]); ++ cpumask_or(&masks[curvec].mask, &masks[curvec].mask, nmsk); + if (++curvec == last_affv) + curvec = firstvec; + } diff --git a/queue-5.4/ipv6-fix-panic-when-forwarding-a-pkt-with-no-in6-dev.patch b/queue-5.4/ipv6-fix-panic-when-forwarding-a-pkt-with-no-in6-dev.patch new file mode 100644 index 00000000000..4152f5d2515 --- /dev/null +++ b/queue-5.4/ipv6-fix-panic-when-forwarding-a-pkt-with-no-in6-dev.patch @@ -0,0 +1,38 @@ +From e3fa461d8b0e185b7da8a101fe94dfe6dd500ac0 Mon Sep 17 00:00:00 2001 +From: Nicolas Dichtel +Date: Fri, 8 Apr 2022 16:03:42 +0200 +Subject: ipv6: fix panic when forwarding a pkt with no in6 dev + +From: Nicolas Dichtel + +commit e3fa461d8b0e185b7da8a101fe94dfe6dd500ac0 upstream. + +kongweibin reported a kernel panic in ip6_forward() when input interface +has no in6 dev associated. + +The following tc commands were used to reproduce this panic: +tc qdisc del dev vxlan100 root +tc qdisc add dev vxlan100 root netem corrupt 5% + +CC: stable@vger.kernel.org +Fixes: ccd27f05ae7b ("ipv6: fix 'disable_policy' for fwd packets") +Reported-by: kongweibin +Signed-off-by: Nicolas Dichtel +Reviewed-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6_output.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -506,7 +506,7 @@ int ip6_forward(struct sk_buff *skb) + goto drop; + + if (!net->ipv6.devconf_all->disable_policy && +- !idev->cnf.disable_policy && ++ (!idev || !idev->cnf.disable_policy) && + !xfrm6_policy_check(NULL, XFRM_POLICY_FWD, skb)) { + __IP6_INC_STATS(net, idev, IPSTATS_MIB_INDISCARDS); + goto drop; diff --git a/queue-5.4/series b/queue-5.4/series index e94e7a2e52d..014c9f4638b 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -38,3 +38,15 @@ mm-page_alloc-fix-build_zonerefs_node.patch mm-kmemleak-take-a-full-lowmem-check-in-kmemleak_-_phys.patch kvm-don-t-create-vm-debugfs-files-outside-of-the-vm-directory.patch gcc-plugins-latent_entropy-use-dev-urandom.patch +ath9k-properly-clear-tx-status-area-before-reporting-to-mac80211.patch +ath9k-fix-usage-of-driver-private-space-in-tx_info.patch +btrfs-remove-unused-variable-in-btrfs_-start-write-_dirty_block_groups.patch +btrfs-mark-resumed-async-balance-as-writing.patch +alsa-hda-realtek-add-quirk-for-clevo-pd50pnt.patch +alsa-pcm-test-for-silence-field-in-struct-pcm_format_data.patch +ipv6-fix-panic-when-forwarding-a-pkt-with-no-in6-dev.patch +drm-amd-display-don-t-ignore-alpha-property-on-pre-multiplied-mode.patch +genirq-affinity-consider-that-cpus-on-nodes-can-be-unbalanced.patch +tick-nohz-use-warn_on_once-to-prevent-console-saturation.patch +arm-davinci-da850-evm-avoid-null-pointer-dereference.patch +dm-integrity-fix-memory-corruption-when-tag_size-is-less-than-digest-size.patch diff --git a/queue-5.4/tick-nohz-use-warn_on_once-to-prevent-console-saturation.patch b/queue-5.4/tick-nohz-use-warn_on_once-to-prevent-console-saturation.patch new file mode 100644 index 00000000000..851e308d66d --- /dev/null +++ b/queue-5.4/tick-nohz-use-warn_on_once-to-prevent-console-saturation.patch @@ -0,0 +1,43 @@ +From 40e97e42961f8c6cc7bd5fe67cc18417e02d78f1 Mon Sep 17 00:00:00 2001 +From: Paul Gortmaker +Date: Mon, 6 Dec 2021 09:59:50 -0500 +Subject: tick/nohz: Use WARN_ON_ONCE() to prevent console saturation + +From: Paul Gortmaker + +commit 40e97e42961f8c6cc7bd5fe67cc18417e02d78f1 upstream. + +While running some testing on code that happened to allow the variable +tick_nohz_full_running to get set but with no "possible" NOHZ cores to +back up that setting, this warning triggered: + + if (unlikely(tick_do_timer_cpu == TICK_DO_TIMER_NONE)) + WARN_ON(tick_nohz_full_running); + +The console was overwhemled with an endless stream of one WARN per tick +per core and there was no way to even see what was going on w/o using a +serial console to capture it and then trace it back to this. + +Change it to WARN_ON_ONCE(). + +Fixes: 08ae95f4fd3b ("nohz_full: Allow the boot CPU to be nohz_full") +Signed-off-by: Paul Gortmaker +Signed-off-by: Thomas Gleixner +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20211206145950.10927-3-paul.gortmaker@windriver.com +Signed-off-by: Greg Kroah-Hartman +--- + kernel/time/tick-sched.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/time/tick-sched.c ++++ b/kernel/time/tick-sched.c +@@ -131,7 +131,7 @@ static void tick_sched_do_timer(struct t + */ + if (unlikely(tick_do_timer_cpu == TICK_DO_TIMER_NONE)) { + #ifdef CONFIG_NO_HZ_FULL +- WARN_ON(tick_nohz_full_running); ++ WARN_ON_ONCE(tick_nohz_full_running); + #endif + tick_do_timer_cpu = cpu; + }