From: Sasha Levin Date: Sun, 10 Apr 2022 23:23:05 +0000 (-0400) Subject: Fixes for 5.4 X-Git-Tag: v4.9.310~101 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a18839c207d1edad10396f6c0a8fcbfbadac4c62;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/bnxt_en-reserve-space-inside-receive-page-for-skb_sh.patch b/queue-5.4/bnxt_en-reserve-space-inside-receive-page-for-skb_sh.patch new file mode 100644 index 00000000000..08c701f0be3 --- /dev/null +++ b/queue-5.4/bnxt_en-reserve-space-inside-receive-page-for-skb_sh.patch @@ -0,0 +1,45 @@ +From ee380d8be3a5704dec818844499a8e1d796876ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Apr 2022 20:21:11 -0400 +Subject: bnxt_en: reserve space inside receive page for skb_shared_info + +From: Andy Gospodarek + +[ Upstream commit facc173cf700e55b2ad249ecbd3a7537f7315691 ] + +Insufficient space was being reserved in the page used for packet +reception, so the interface MTU could be set too large to still have +room for the contents of the packet when doing XDP redirect. This +resulted in the following message when redirecting a packet between +3520 and 3822 bytes with an MTU of 3822: + +[311815.561880] XDP_WARN: xdp_update_frame_from_buff(line:200): Driver BUG: missing reserved tailroom + +Fixes: f18c2b77b2e4 ("bnxt_en: optimized XDP_REDIRECT support") +Reviewed-by: Somnath Kotur +Reviewed-by: Pavan Chebbi +Signed-off-by: Andy Gospodarek +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.h b/drivers/net/ethernet/broadcom/bnxt/bnxt.h +index 8ba369c0100b..9e8a0c772ca9 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.h ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.h +@@ -559,7 +559,8 @@ struct nqe_cn { + #define BNXT_MAX_MTU 9500 + #define BNXT_MAX_PAGE_MODE_MTU \ + ((unsigned int)PAGE_SIZE - VLAN_ETH_HLEN - NET_IP_ALIGN - \ +- XDP_PACKET_HEADROOM) ++ XDP_PACKET_HEADROOM - \ ++ SKB_DATA_ALIGN((unsigned int)sizeof(struct skb_shared_info))) + + #define BNXT_MIN_PKT_SIZE 52 + +-- +2.35.1 + diff --git a/queue-5.4/bpf-support-dual-stack-sockets-in-bpf_tcp_check_sync.patch b/queue-5.4/bpf-support-dual-stack-sockets-in-bpf_tcp_check_sync.patch new file mode 100644 index 00000000000..886cc1545bd --- /dev/null +++ b/queue-5.4/bpf-support-dual-stack-sockets-in-bpf_tcp_check_sync.patch @@ -0,0 +1,86 @@ +From 16403b39c319b9b9b72eed73316be75be338f1a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Apr 2022 15:41:12 +0300 +Subject: bpf: Support dual-stack sockets in bpf_tcp_check_syncookie + +From: Maxim Mikityanskiy + +[ Upstream commit 2e8702cc0cfa1080f29fd64003c00a3e24ac38de ] + +bpf_tcp_gen_syncookie looks at the IP version in the IP header and +validates the address family of the socket. It supports IPv4 packets in +AF_INET6 dual-stack sockets. + +On the other hand, bpf_tcp_check_syncookie looks only at the address +family of the socket, ignoring the real IP version in headers, and +validates only the packet size. This implementation has some drawbacks: + +1. Packets are not validated properly, allowing a BPF program to trick + bpf_tcp_check_syncookie into handling an IPv6 packet on an IPv4 + socket. + +2. Dual-stack sockets fail the checks on IPv4 packets. IPv4 clients end + up receiving a SYNACK with the cookie, but the following ACK gets + dropped. + +This patch fixes these issues by changing the checks in +bpf_tcp_check_syncookie to match the ones in bpf_tcp_gen_syncookie. IP +version from the header is taken into account, and it is validated +properly with address family. + +Fixes: 399040847084 ("bpf: add helper to check for a valid SYN cookie") +Signed-off-by: Maxim Mikityanskiy +Signed-off-by: Alexei Starovoitov +Reviewed-by: Tariq Toukan +Acked-by: Arthur Fabre +Link: https://lore.kernel.org/bpf/20220406124113.2795730-1-maximmi@nvidia.com +Signed-off-by: Sasha Levin +--- + net/core/filter.c | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +diff --git a/net/core/filter.c b/net/core/filter.c +index 54c5e3c379f6..e16b2b5cda98 100644 +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -5824,24 +5824,33 @@ BPF_CALL_5(bpf_tcp_check_syncookie, struct sock *, sk, void *, iph, u32, iph_len + if (!th->ack || th->rst || th->syn) + return -ENOENT; + ++ if (unlikely(iph_len < sizeof(struct iphdr))) ++ return -EINVAL; ++ + if (tcp_synq_no_recent_overflow(sk)) + return -ENOENT; + + cookie = ntohl(th->ack_seq) - 1; + +- switch (sk->sk_family) { +- case AF_INET: +- if (unlikely(iph_len < sizeof(struct iphdr))) ++ /* Both struct iphdr and struct ipv6hdr have the version field at the ++ * same offset so we can cast to the shorter header (struct iphdr). ++ */ ++ switch (((struct iphdr *)iph)->version) { ++ case 4: ++ if (sk->sk_family == AF_INET6 && ipv6_only_sock(sk)) + return -EINVAL; + + ret = __cookie_v4_check((struct iphdr *)iph, th, cookie); + break; + + #if IS_BUILTIN(CONFIG_IPV6) +- case AF_INET6: ++ case 6: + if (unlikely(iph_len < sizeof(struct ipv6hdr))) + return -EINVAL; + ++ if (sk->sk_family != AF_INET6) ++ return -EINVAL; ++ + ret = __cookie_v6_check((struct ipv6hdr *)iph, th, cookie); + break; + #endif /* CONFIG_IPV6 */ +-- +2.35.1 + diff --git a/queue-5.4/dpaa2-ptp-fix-refcount-leak-in-dpaa2_ptp_probe.patch b/queue-5.4/dpaa2-ptp-fix-refcount-leak-in-dpaa2_ptp_probe.patch new file mode 100644 index 00000000000..86dd2841914 --- /dev/null +++ b/queue-5.4/dpaa2-ptp-fix-refcount-leak-in-dpaa2_ptp_probe.patch @@ -0,0 +1,46 @@ +From d00b3a2b0eaa0a6234274541581db255eda8d57a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Apr 2022 12:53:36 +0000 +Subject: dpaa2-ptp: Fix refcount leak in dpaa2_ptp_probe + +From: Miaoqian Lin + +[ Upstream commit 2b04bd4f03bba021959ca339314f6739710f0954 ] + +This node pointer is returned by of_find_compatible_node() with +refcount incremented. Calling of_node_put() to aovid the refcount leak. + +Fixes: d346c9e86d86 ("dpaa2-ptp: reuse ptp_qoriq driver") +Signed-off-by: Miaoqian Lin +Link: https://lore.kernel.org/r/20220404125336.13427-1-linmq006@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/dpaa2/dpaa2-ptp.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/freescale/dpaa2/dpaa2-ptp.c b/drivers/net/ethernet/freescale/dpaa2/dpaa2-ptp.c +index 6437fe6b9abf..a6b8f573ab5b 100644 +--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-ptp.c ++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-ptp.c +@@ -148,7 +148,7 @@ static int dpaa2_ptp_probe(struct fsl_mc_device *mc_dev) + base = of_iomap(node, 0); + if (!base) { + err = -ENOMEM; +- goto err_close; ++ goto err_put; + } + + err = fsl_mc_allocate_irqs(mc_dev); +@@ -191,6 +191,8 @@ static int dpaa2_ptp_probe(struct fsl_mc_device *mc_dev) + fsl_mc_free_irqs(mc_dev); + err_unmap: + iounmap(base); ++err_put: ++ of_node_put(node); + err_close: + dprtc_close(mc_dev->mc_io, 0, mc_dev->mc_handle); + err_free_mcp: +-- +2.35.1 + diff --git a/queue-5.4/drbd-fix-five-use-after-free-bugs-in-get_initial_sta.patch b/queue-5.4/drbd-fix-five-use-after-free-bugs-in-get_initial_sta.patch new file mode 100644 index 00000000000..4de2e7e2e67 --- /dev/null +++ b/queue-5.4/drbd-fix-five-use-after-free-bugs-in-get_initial_sta.patch @@ -0,0 +1,344 @@ +From b7f2ac26267f41d089342b28b71571aca441e951 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Apr 2022 21:04:43 +0200 +Subject: drbd: Fix five use after free bugs in get_initial_state +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Lv Yunlong + +[ Upstream commit aadb22ba2f656581b2f733deb3a467c48cc618f6 ] + +In get_initial_state, it calls notify_initial_state_done(skb,..) if +cb->args[5]==1. If genlmsg_put() failed in notify_initial_state_done(), +the skb will be freed by nlmsg_free(skb). +Then get_initial_state will goto out and the freed skb will be used by +return value skb->len, which is a uaf bug. + +What's worse, the same problem goes even further: skb can also be +freed in the notify_*_state_change -> notify_*_state calls below. +Thus 4 additional uaf bugs happened. + +My patch lets the problem callee functions: notify_initial_state_done +and notify_*_state_change return an error code if errors happen. +So that the error codes could be propagated and the uaf bugs can be avoid. + +v2 reports a compilation warning. This v3 fixed this warning and built +successfully in my local environment with no additional warnings. +v2: https://lore.kernel.org/patchwork/patch/1435218/ + +Fixes: a29728463b254 ("drbd: Backport the "events2" command") +Signed-off-by: Lv Yunlong +Reviewed-by: Christoph Böhmwalder +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/drbd/drbd_int.h | 8 ++--- + drivers/block/drbd/drbd_nl.c | 41 ++++++++++++++++---------- + drivers/block/drbd/drbd_state.c | 18 +++++------ + drivers/block/drbd/drbd_state_change.h | 8 ++--- + 4 files changed, 42 insertions(+), 33 deletions(-) + +diff --git a/drivers/block/drbd/drbd_int.h b/drivers/block/drbd/drbd_int.h +index ddbf56014c51..6da7f5749a7c 100644 +--- a/drivers/block/drbd/drbd_int.h ++++ b/drivers/block/drbd/drbd_int.h +@@ -1673,22 +1673,22 @@ struct sib_info { + }; + void drbd_bcast_event(struct drbd_device *device, const struct sib_info *sib); + +-extern void notify_resource_state(struct sk_buff *, ++extern int notify_resource_state(struct sk_buff *, + unsigned int, + struct drbd_resource *, + struct resource_info *, + enum drbd_notification_type); +-extern void notify_device_state(struct sk_buff *, ++extern int notify_device_state(struct sk_buff *, + unsigned int, + struct drbd_device *, + struct device_info *, + enum drbd_notification_type); +-extern void notify_connection_state(struct sk_buff *, ++extern int notify_connection_state(struct sk_buff *, + unsigned int, + struct drbd_connection *, + struct connection_info *, + enum drbd_notification_type); +-extern void notify_peer_device_state(struct sk_buff *, ++extern int notify_peer_device_state(struct sk_buff *, + unsigned int, + struct drbd_peer_device *, + struct peer_device_info *, +diff --git a/drivers/block/drbd/drbd_nl.c b/drivers/block/drbd/drbd_nl.c +index 5d52a2d32155..bfb00d3b091f 100644 +--- a/drivers/block/drbd/drbd_nl.c ++++ b/drivers/block/drbd/drbd_nl.c +@@ -4630,7 +4630,7 @@ static int nla_put_notification_header(struct sk_buff *msg, + return drbd_notification_header_to_skb(msg, &nh, true); + } + +-void notify_resource_state(struct sk_buff *skb, ++int notify_resource_state(struct sk_buff *skb, + unsigned int seq, + struct drbd_resource *resource, + struct resource_info *resource_info, +@@ -4672,16 +4672,17 @@ void notify_resource_state(struct sk_buff *skb, + if (err && err != -ESRCH) + goto failed; + } +- return; ++ return 0; + + nla_put_failure: + nlmsg_free(skb); + failed: + drbd_err(resource, "Error %d while broadcasting event. Event seq:%u\n", + err, seq); ++ return err; + } + +-void notify_device_state(struct sk_buff *skb, ++int notify_device_state(struct sk_buff *skb, + unsigned int seq, + struct drbd_device *device, + struct device_info *device_info, +@@ -4721,16 +4722,17 @@ void notify_device_state(struct sk_buff *skb, + if (err && err != -ESRCH) + goto failed; + } +- return; ++ return 0; + + nla_put_failure: + nlmsg_free(skb); + failed: + drbd_err(device, "Error %d while broadcasting event. Event seq:%u\n", + err, seq); ++ return err; + } + +-void notify_connection_state(struct sk_buff *skb, ++int notify_connection_state(struct sk_buff *skb, + unsigned int seq, + struct drbd_connection *connection, + struct connection_info *connection_info, +@@ -4770,16 +4772,17 @@ void notify_connection_state(struct sk_buff *skb, + if (err && err != -ESRCH) + goto failed; + } +- return; ++ return 0; + + nla_put_failure: + nlmsg_free(skb); + failed: + drbd_err(connection, "Error %d while broadcasting event. Event seq:%u\n", + err, seq); ++ return err; + } + +-void notify_peer_device_state(struct sk_buff *skb, ++int notify_peer_device_state(struct sk_buff *skb, + unsigned int seq, + struct drbd_peer_device *peer_device, + struct peer_device_info *peer_device_info, +@@ -4820,13 +4823,14 @@ void notify_peer_device_state(struct sk_buff *skb, + if (err && err != -ESRCH) + goto failed; + } +- return; ++ return 0; + + nla_put_failure: + nlmsg_free(skb); + failed: + drbd_err(peer_device, "Error %d while broadcasting event. Event seq:%u\n", + err, seq); ++ return err; + } + + void notify_helper(enum drbd_notification_type type, +@@ -4877,7 +4881,7 @@ void notify_helper(enum drbd_notification_type type, + err, seq); + } + +-static void notify_initial_state_done(struct sk_buff *skb, unsigned int seq) ++static int notify_initial_state_done(struct sk_buff *skb, unsigned int seq) + { + struct drbd_genlmsghdr *dh; + int err; +@@ -4891,11 +4895,12 @@ static void notify_initial_state_done(struct sk_buff *skb, unsigned int seq) + if (nla_put_notification_header(skb, NOTIFY_EXISTS)) + goto nla_put_failure; + genlmsg_end(skb, dh); +- return; ++ return 0; + + nla_put_failure: + nlmsg_free(skb); + pr_err("Error %d sending event. Event seq:%u\n", err, seq); ++ return err; + } + + static void free_state_changes(struct list_head *list) +@@ -4922,6 +4927,7 @@ static int get_initial_state(struct sk_buff *skb, struct netlink_callback *cb) + unsigned int seq = cb->args[2]; + unsigned int n; + enum drbd_notification_type flags = 0; ++ int err = 0; + + /* There is no need for taking notification_mutex here: it doesn't + matter if the initial state events mix with later state chage +@@ -4930,32 +4936,32 @@ static int get_initial_state(struct sk_buff *skb, struct netlink_callback *cb) + + cb->args[5]--; + if (cb->args[5] == 1) { +- notify_initial_state_done(skb, seq); ++ err = notify_initial_state_done(skb, seq); + goto out; + } + n = cb->args[4]++; + if (cb->args[4] < cb->args[3]) + flags |= NOTIFY_CONTINUES; + if (n < 1) { +- notify_resource_state_change(skb, seq, state_change->resource, ++ err = notify_resource_state_change(skb, seq, state_change->resource, + NOTIFY_EXISTS | flags); + goto next; + } + n--; + if (n < state_change->n_connections) { +- notify_connection_state_change(skb, seq, &state_change->connections[n], ++ err = notify_connection_state_change(skb, seq, &state_change->connections[n], + NOTIFY_EXISTS | flags); + goto next; + } + n -= state_change->n_connections; + if (n < state_change->n_devices) { +- notify_device_state_change(skb, seq, &state_change->devices[n], ++ err = notify_device_state_change(skb, seq, &state_change->devices[n], + NOTIFY_EXISTS | flags); + goto next; + } + n -= state_change->n_devices; + if (n < state_change->n_devices * state_change->n_connections) { +- notify_peer_device_state_change(skb, seq, &state_change->peer_devices[n], ++ err = notify_peer_device_state_change(skb, seq, &state_change->peer_devices[n], + NOTIFY_EXISTS | flags); + goto next; + } +@@ -4970,7 +4976,10 @@ static int get_initial_state(struct sk_buff *skb, struct netlink_callback *cb) + cb->args[4] = 0; + } + out: +- return skb->len; ++ if (err) ++ return err; ++ else ++ return skb->len; + } + + int drbd_adm_get_initial_state(struct sk_buff *skb, struct netlink_callback *cb) +diff --git a/drivers/block/drbd/drbd_state.c b/drivers/block/drbd/drbd_state.c +index eeaa3b49b264..4dad4dd0ceb6 100644 +--- a/drivers/block/drbd/drbd_state.c ++++ b/drivers/block/drbd/drbd_state.c +@@ -1537,7 +1537,7 @@ int drbd_bitmap_io_from_worker(struct drbd_device *device, + return rv; + } + +-void notify_resource_state_change(struct sk_buff *skb, ++int notify_resource_state_change(struct sk_buff *skb, + unsigned int seq, + struct drbd_resource_state_change *resource_state_change, + enum drbd_notification_type type) +@@ -1550,10 +1550,10 @@ void notify_resource_state_change(struct sk_buff *skb, + .res_susp_fen = resource_state_change->susp_fen[NEW], + }; + +- notify_resource_state(skb, seq, resource, &resource_info, type); ++ return notify_resource_state(skb, seq, resource, &resource_info, type); + } + +-void notify_connection_state_change(struct sk_buff *skb, ++int notify_connection_state_change(struct sk_buff *skb, + unsigned int seq, + struct drbd_connection_state_change *connection_state_change, + enum drbd_notification_type type) +@@ -1564,10 +1564,10 @@ void notify_connection_state_change(struct sk_buff *skb, + .conn_role = connection_state_change->peer_role[NEW], + }; + +- notify_connection_state(skb, seq, connection, &connection_info, type); ++ return notify_connection_state(skb, seq, connection, &connection_info, type); + } + +-void notify_device_state_change(struct sk_buff *skb, ++int notify_device_state_change(struct sk_buff *skb, + unsigned int seq, + struct drbd_device_state_change *device_state_change, + enum drbd_notification_type type) +@@ -1577,10 +1577,10 @@ void notify_device_state_change(struct sk_buff *skb, + .dev_disk_state = device_state_change->disk_state[NEW], + }; + +- notify_device_state(skb, seq, device, &device_info, type); ++ return notify_device_state(skb, seq, device, &device_info, type); + } + +-void notify_peer_device_state_change(struct sk_buff *skb, ++int notify_peer_device_state_change(struct sk_buff *skb, + unsigned int seq, + struct drbd_peer_device_state_change *p, + enum drbd_notification_type type) +@@ -1594,7 +1594,7 @@ void notify_peer_device_state_change(struct sk_buff *skb, + .peer_resync_susp_dependency = p->resync_susp_dependency[NEW], + }; + +- notify_peer_device_state(skb, seq, peer_device, &peer_device_info, type); ++ return notify_peer_device_state(skb, seq, peer_device, &peer_device_info, type); + } + + static void broadcast_state_change(struct drbd_state_change *state_change) +@@ -1602,7 +1602,7 @@ static void broadcast_state_change(struct drbd_state_change *state_change) + struct drbd_resource_state_change *resource_state_change = &state_change->resource[0]; + bool resource_state_has_changed; + unsigned int n_device, n_connection, n_peer_device, n_peer_devices; +- void (*last_func)(struct sk_buff *, unsigned int, void *, ++ int (*last_func)(struct sk_buff *, unsigned int, void *, + enum drbd_notification_type) = NULL; + void *uninitialized_var(last_arg); + +diff --git a/drivers/block/drbd/drbd_state_change.h b/drivers/block/drbd/drbd_state_change.h +index ba80f612d6ab..d5b0479bc9a6 100644 +--- a/drivers/block/drbd/drbd_state_change.h ++++ b/drivers/block/drbd/drbd_state_change.h +@@ -44,19 +44,19 @@ extern struct drbd_state_change *remember_old_state(struct drbd_resource *, gfp_ + extern void copy_old_to_new_state_change(struct drbd_state_change *); + extern void forget_state_change(struct drbd_state_change *); + +-extern void notify_resource_state_change(struct sk_buff *, ++extern int notify_resource_state_change(struct sk_buff *, + unsigned int, + struct drbd_resource_state_change *, + enum drbd_notification_type type); +-extern void notify_connection_state_change(struct sk_buff *, ++extern int notify_connection_state_change(struct sk_buff *, + unsigned int, + struct drbd_connection_state_change *, + enum drbd_notification_type type); +-extern void notify_device_state_change(struct sk_buff *, ++extern int notify_device_state_change(struct sk_buff *, + unsigned int, + struct drbd_device_state_change *, + enum drbd_notification_type type); +-extern void notify_peer_device_state_change(struct sk_buff *, ++extern int notify_peer_device_state_change(struct sk_buff *, + unsigned int, + struct drbd_peer_device_state_change *, + enum drbd_notification_type type); +-- +2.35.1 + diff --git a/queue-5.4/drivers-hv-vmbus-fix-potential-crash-on-module-unloa.patch b/queue-5.4/drivers-hv-vmbus-fix-potential-crash-on-module-unloa.patch new file mode 100644 index 00000000000..8092af8e774 --- /dev/null +++ b/queue-5.4/drivers-hv-vmbus-fix-potential-crash-on-module-unloa.patch @@ -0,0 +1,58 @@ +From 7de4a138a01e2e63ba00f748a670532e62ee04c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Mar 2022 17:35:35 -0300 +Subject: Drivers: hv: vmbus: Fix potential crash on module unload + +From: Guilherme G. Piccoli + +[ Upstream commit 792f232d57ff28bbd5f9c4abe0466b23d5879dc8 ] + +The vmbus driver relies on the panic notifier infrastructure to perform +some operations when a panic event is detected. Since vmbus can be built +as module, it is required that the driver handles both registering and +unregistering such panic notifier callback. + +After commit 74347a99e73a ("x86/Hyper-V: Unload vmbus channel in hv panic callback") +though, the panic notifier registration is done unconditionally in the module +initialization routine whereas the unregistering procedure is conditionally +guarded and executes only if HV_FEATURE_GUEST_CRASH_MSR_AVAILABLE capability +is set. + +This patch fixes that by unconditionally unregistering the panic notifier +in the module's exit routine as well. + +Fixes: 74347a99e73a ("x86/Hyper-V: Unload vmbus channel in hv panic callback") +Signed-off-by: Guilherme G. Piccoli +Reviewed-by: Michael Kelley +Link: https://lore.kernel.org/r/20220315203535.682306-1-gpiccoli@igalia.com +Signed-off-by: Wei Liu +Signed-off-by: Sasha Levin +--- + drivers/hv/vmbus_drv.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c +index 6b7ab8f234e8..943654ded73d 100644 +--- a/drivers/hv/vmbus_drv.c ++++ b/drivers/hv/vmbus_drv.c +@@ -2493,10 +2493,15 @@ static void __exit vmbus_exit(void) + if (ms_hyperv.misc_features & HV_FEATURE_GUEST_CRASH_MSR_AVAILABLE) { + kmsg_dump_unregister(&hv_kmsg_dumper); + unregister_die_notifier(&hyperv_die_block); +- atomic_notifier_chain_unregister(&panic_notifier_list, +- &hyperv_panic_block); + } + ++ /* ++ * The panic notifier is always registered, hence we should ++ * also unconditionally unregister it here as well. ++ */ ++ atomic_notifier_chain_unregister(&panic_notifier_list, ++ &hyperv_panic_block); ++ + free_page((unsigned long)hv_panic_page); + unregister_sysctl_table(hv_ctl_table_hdr); + hv_ctl_table_hdr = NULL; +-- +2.35.1 + diff --git a/queue-5.4/drm-amdgpu-fix-off-by-one-in-amdgpu_gfx_kiq_acquire.patch b/queue-5.4/drm-amdgpu-fix-off-by-one-in-amdgpu_gfx_kiq_acquire.patch new file mode 100644 index 00000000000..1f137e636f6 --- /dev/null +++ b/queue-5.4/drm-amdgpu-fix-off-by-one-in-amdgpu_gfx_kiq_acquire.patch @@ -0,0 +1,37 @@ +From c800b6854977c36bdf7d4bd587ce746a550be886 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Mar 2022 11:41:48 +0300 +Subject: drm/amdgpu: fix off by one in amdgpu_gfx_kiq_acquire() + +From: Dan Carpenter + +[ Upstream commit 1647b54ed55d4d48c7199d439f8834626576cbe9 ] + +This post-op should be a pre-op so that we do not pass -1 as the bit +number to test_bit(). The current code will loop downwards from 63 to +-1. After changing to a pre-op, it loops from 63 to 0. + +Fixes: 71c37505e7ea ("drm/amdgpu/gfx: move more common KIQ code to amdgpu_gfx.c") +Signed-off-by: Dan Carpenter +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c +index f9bef3154b99..2659202f2026 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c +@@ -263,7 +263,7 @@ static int amdgpu_gfx_kiq_acquire(struct amdgpu_device *adev, + * adev->gfx.mec.num_pipe_per_mec + * adev->gfx.mec.num_queue_per_pipe; + +- while (queue_bit-- >= 0) { ++ while (--queue_bit >= 0) { + if (test_bit(queue_bit, adev->gfx.mec.queue_bitmap)) + continue; + +-- +2.35.1 + diff --git a/queue-5.4/drm-imx-fix-memory-leak-in-imx_pd_connector_get_mode.patch b/queue-5.4/drm-imx-fix-memory-leak-in-imx_pd_connector_get_mode.patch new file mode 100644 index 00000000000..98216c2cb28 --- /dev/null +++ b/queue-5.4/drm-imx-fix-memory-leak-in-imx_pd_connector_get_mode.patch @@ -0,0 +1,44 @@ +From 37411b88eb9879f336cef84e15ea61f4b472efea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 8 Jan 2022 17:52:30 +0100 +Subject: drm/imx: Fix memory leak in imx_pd_connector_get_modes +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: José Expósito + +[ Upstream commit bce81feb03a20fca7bbdd1c4af16b4e9d5c0e1d3 ] + +Avoid leaking the display mode variable if of_get_drm_display_mode +fails. + +Fixes: 76ecd9c9fb24 ("drm/imx: parallel-display: check return code from of_get_drm_display_mode()") +Addresses-Coverity-ID: 1443943 ("Resource leak") +Signed-off-by: José Expósito +Signed-off-by: Philipp Zabel +Link: https://lore.kernel.org/r/20220108165230.44610-1-jose.exposito89@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/imx/parallel-display.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/imx/parallel-display.c b/drivers/gpu/drm/imx/parallel-display.c +index be55548f352a..e24272428744 100644 +--- a/drivers/gpu/drm/imx/parallel-display.c ++++ b/drivers/gpu/drm/imx/parallel-display.c +@@ -68,8 +68,10 @@ static int imx_pd_connector_get_modes(struct drm_connector *connector) + ret = of_get_drm_display_mode(np, &imxpd->mode, + &imxpd->bus_flags, + OF_USE_NATIVE_MODE); +- if (ret) ++ if (ret) { ++ drm_mode_destroy(connector->dev, mode); + return ret; ++ } + + drm_mode_copy(mode, &imxpd->mode); + mode->type |= DRM_MODE_TYPE_DRIVER | DRM_MODE_TYPE_PREFERRED, +-- +2.35.1 + diff --git a/queue-5.4/ib-rdmavt-add-lock-to-call-to-rvt_error_qp-to-preven.patch b/queue-5.4/ib-rdmavt-add-lock-to-call-to-rvt_error_qp-to-preven.patch new file mode 100644 index 00000000000..8a60233385c --- /dev/null +++ b/queue-5.4/ib-rdmavt-add-lock-to-call-to-rvt_error_qp-to-preven.patch @@ -0,0 +1,47 @@ +From 244651a8a54d1c18d63b7dedb20c88bd1fe94995 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Feb 2022 17:53:30 +0100 +Subject: IB/rdmavt: add lock to call to rvt_error_qp to prevent a race + condition + +From: Niels Dossche + +[ Upstream commit 4d809f69695d4e7d1378b3a072fa9aef23123018 ] + +The documentation of the function rvt_error_qp says both r_lock and s_lock +need to be held when calling that function. It also asserts using lockdep +that both of those locks are held. However, the commit I referenced in +Fixes accidentally makes the call to rvt_error_qp in rvt_ruc_loopback no +longer covered by r_lock. This results in the lockdep assertion failing +and also possibly in a race condition. + +Fixes: d757c60eca9b ("IB/rdmavt: Fix concurrency panics in QP post_send and modify to error") +Link: https://lore.kernel.org/r/20220228165330.41546-1-dossche.niels@gmail.com +Signed-off-by: Niels Dossche +Acked-by: Dennis Dalessandro +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/sw/rdmavt/qp.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/sw/rdmavt/qp.c b/drivers/infiniband/sw/rdmavt/qp.c +index a5152f097cb7..48e8612c1bc8 100644 +--- a/drivers/infiniband/sw/rdmavt/qp.c ++++ b/drivers/infiniband/sw/rdmavt/qp.c +@@ -3227,7 +3227,11 @@ void rvt_ruc_loopback(struct rvt_qp *sqp) + spin_lock_irqsave(&sqp->s_lock, flags); + rvt_send_complete(sqp, wqe, send_status); + if (sqp->ibqp.qp_type == IB_QPT_RC) { +- int lastwqe = rvt_error_qp(sqp, IB_WC_WR_FLUSH_ERR); ++ int lastwqe; ++ ++ spin_lock(&sqp->r_lock); ++ lastwqe = rvt_error_qp(sqp, IB_WC_WR_FLUSH_ERR); ++ spin_unlock(&sqp->r_lock); + + sqp->s_flags &= ~RVT_S_BUSY; + spin_unlock_irqrestore(&sqp->s_lock, flags); +-- +2.35.1 + diff --git a/queue-5.4/ipv6-fix-stats-accounting-in-ip6_pkt_drop.patch b/queue-5.4/ipv6-fix-stats-accounting-in-ip6_pkt_drop.patch new file mode 100644 index 00000000000..8e4c4632c34 --- /dev/null +++ b/queue-5.4/ipv6-fix-stats-accounting-in-ip6_pkt_drop.patch @@ -0,0 +1,40 @@ +From 1b03f1e9e2ccfc9c39f60fbeee5229e27be2e347 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Apr 2022 09:09:08 -0600 +Subject: ipv6: Fix stats accounting in ip6_pkt_drop + +From: David Ahern + +[ Upstream commit 1158f79f82d437093aeed87d57df0548bdd68146 ] + +VRF devices are the loopbacks for VRFs, and a loopback can not be +assigned to a VRF. Accordingly, the condition in ip6_pkt_drop should +be '||' not '&&'. + +Fixes: 1d3fd8a10bed ("vrf: Use orig netdev to count Ip6InNoRoutes and a fresh route lookup when sending dest unreach") +Reported-by: Pudak, Filip +Reported-by: Xiao, Jiguang +Signed-off-by: David Ahern +Link: https://lore.kernel.org/r/20220404150908.2937-1-dsahern@kernel.org +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv6/route.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv6/route.c b/net/ipv6/route.c +index 2a13394ab854..619d9dffa9e4 100644 +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -4403,7 +4403,7 @@ static int ip6_pkt_drop(struct sk_buff *skb, u8 code, int ipstats_mib_noroutes) + struct inet6_dev *idev; + int type; + +- if (netif_is_l3_master(skb->dev) && ++ if (netif_is_l3_master(skb->dev) || + dst->dev == net->loopback_dev) + idev = __in6_dev_get_safely(dev_get_by_index_rcu(net, IP6CB(skb)->iif)); + else +-- +2.35.1 + diff --git a/queue-5.4/net-ipv4-fix-route-with-nexthop-object-delete-warnin.patch b/queue-5.4/net-ipv4-fix-route-with-nexthop-object-delete-warnin.patch new file mode 100644 index 00000000000..c3b425955b6 --- /dev/null +++ b/queue-5.4/net-ipv4-fix-route-with-nexthop-object-delete-warnin.patch @@ -0,0 +1,116 @@ +From 4591c65e1ddd5d3bbc5043ed0834b1767e618b20 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Apr 2022 10:33:42 +0300 +Subject: net: ipv4: fix route with nexthop object delete warning + +From: Nikolay Aleksandrov + +[ Upstream commit 6bf92d70e690b7ff12b24f4bfff5e5434d019b82 ] + +FRR folks have hit a kernel warning[1] while deleting routes[2] which is +caused by trying to delete a route pointing to a nexthop id without +specifying nhid but matching on an interface. That is, a route is found +but we hit a warning while matching it. The warning is from +fib_info_nh() in include/net/nexthop.h because we run it on a fib_info +with nexthop object. The call chain is: + inet_rtm_delroute -> fib_table_delete -> fib_nh_match (called with a +nexthop fib_info and also with fc_oif set thus calling fib_info_nh on +the fib_info and triggering the warning). The fix is to not do any +matching in that branch if the fi has a nexthop object because those are +managed separately. I.e. we should match when deleting without nh spec and +should fail when deleting a nexthop route with old-style nh spec because +nexthop objects are managed separately, e.g.: + $ ip r show 1.2.3.4/32 + 1.2.3.4 nhid 12 via 192.168.11.2 dev dummy0 + + $ ip r del 1.2.3.4/32 + $ ip r del 1.2.3.4/32 nhid 12 + + + $ ip r del 1.2.3.4/32 dev dummy0 + + +[1] + [ 523.462226] ------------[ cut here ]------------ + [ 523.462230] WARNING: CPU: 14 PID: 22893 at include/net/nexthop.h:468 fib_nh_match+0x210/0x460 + [ 523.462236] Modules linked in: dummy rpcsec_gss_krb5 xt_socket nf_socket_ipv4 nf_socket_ipv6 ip6table_raw iptable_raw bpf_preload xt_statistic ip_set ip_vs_sh ip_vs_wrr ip_vs_rr ip_vs xt_mark nf_tables xt_nat veth nf_conntrack_netlink nfnetlink xt_addrtype br_netfilter overlay dm_crypt nfsv3 nfs fscache netfs vhost_net vhost vhost_iotlb tap tun xt_CHECKSUM xt_MASQUERADE xt_conntrack 8021q garp mrp ipt_REJECT nf_reject_ipv4 ip6table_mangle ip6table_nat iptable_mangle iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_filter bridge stp llc rfcomm snd_seq_dummy snd_hrtimer rpcrdma rdma_cm iw_cm ib_cm ib_core ip6table_filter xt_comment ip6_tables vboxnetadp(OE) vboxnetflt(OE) vboxdrv(OE) qrtr bnep binfmt_misc xfs vfat fat squashfs loop nvidia_drm(POE) nvidia_modeset(POE) nvidia_uvm(POE) nvidia(POE) intel_rapl_msr intel_rapl_common snd_hda_codec_realtek snd_hda_codec_generic ledtrig_audio snd_hda_codec_hdmi btusb btrtl iwlmvm uvcvideo btbcm snd_hda_intel edac_mce_amd + [ 523.462274] videobuf2_vmalloc videobuf2_memops btintel snd_intel_dspcfg videobuf2_v4l2 snd_intel_sdw_acpi bluetooth snd_usb_audio snd_hda_codec mac80211 snd_usbmidi_lib joydev snd_hda_core videobuf2_common kvm_amd snd_rawmidi snd_hwdep snd_seq videodev ccp snd_seq_device libarc4 ecdh_generic mc snd_pcm kvm iwlwifi snd_timer drm_kms_helper snd cfg80211 cec soundcore irqbypass rapl wmi_bmof i2c_piix4 rfkill k10temp pcspkr acpi_cpufreq nfsd auth_rpcgss nfs_acl lockd grace sunrpc drm zram ip_tables crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel nvme sp5100_tco r8169 nvme_core wmi ipmi_devintf ipmi_msghandler fuse + [ 523.462300] CPU: 14 PID: 22893 Comm: ip Tainted: P OE 5.16.18-200.fc35.x86_64 #1 + [ 523.462302] Hardware name: Micro-Star International Co., Ltd. MS-7C37/MPG X570 GAMING EDGE WIFI (MS-7C37), BIOS 1.C0 10/29/2020 + [ 523.462303] RIP: 0010:fib_nh_match+0x210/0x460 + [ 523.462304] Code: 7c 24 20 48 8b b5 90 00 00 00 e8 bb ee f4 ff 48 8b 7c 24 20 41 89 c4 e8 ee eb f4 ff 45 85 e4 0f 85 2e fe ff ff e9 4c ff ff ff <0f> 0b e9 17 ff ff ff 3c 0a 0f 85 61 fe ff ff 48 8b b5 98 00 00 00 + [ 523.462306] RSP: 0018:ffffaa53d4d87928 EFLAGS: 00010286 + [ 523.462307] RAX: 0000000000000000 RBX: ffffaa53d4d87a90 RCX: ffffaa53d4d87bb0 + [ 523.462308] RDX: ffff9e3d2ee6be80 RSI: ffffaa53d4d87a90 RDI: ffffffff920ed380 + [ 523.462309] RBP: ffff9e3d2ee6be80 R08: 0000000000000064 R09: 0000000000000000 + [ 523.462310] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000031 + [ 523.462310] R13: 0000000000000020 R14: 0000000000000000 R15: ffff9e3d331054e0 + [ 523.462311] FS: 00007f245517c1c0(0000) GS:ffff9e492ed80000(0000) knlGS:0000000000000000 + [ 523.462313] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [ 523.462313] CR2: 000055e5dfdd8268 CR3: 00000003ef488000 CR4: 0000000000350ee0 + [ 523.462315] Call Trace: + [ 523.462316] + [ 523.462320] fib_table_delete+0x1a9/0x310 + [ 523.462323] inet_rtm_delroute+0x93/0x110 + [ 523.462325] rtnetlink_rcv_msg+0x133/0x370 + [ 523.462327] ? _copy_to_iter+0xb5/0x6f0 + [ 523.462330] ? rtnl_calcit.isra.0+0x110/0x110 + [ 523.462331] netlink_rcv_skb+0x50/0xf0 + [ 523.462334] netlink_unicast+0x211/0x330 + [ 523.462336] netlink_sendmsg+0x23f/0x480 + [ 523.462338] sock_sendmsg+0x5e/0x60 + [ 523.462340] ____sys_sendmsg+0x22c/0x270 + [ 523.462341] ? import_iovec+0x17/0x20 + [ 523.462343] ? sendmsg_copy_msghdr+0x59/0x90 + [ 523.462344] ? __mod_lruvec_page_state+0x85/0x110 + [ 523.462348] ___sys_sendmsg+0x81/0xc0 + [ 523.462350] ? netlink_seq_start+0x70/0x70 + [ 523.462352] ? __dentry_kill+0x13a/0x180 + [ 523.462354] ? __fput+0xff/0x250 + [ 523.462356] __sys_sendmsg+0x49/0x80 + [ 523.462358] do_syscall_64+0x3b/0x90 + [ 523.462361] entry_SYSCALL_64_after_hwframe+0x44/0xae + [ 523.462364] RIP: 0033:0x7f24552aa337 + [ 523.462365] Code: 0e 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b9 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10 + [ 523.462366] RSP: 002b:00007fff7f05a838 EFLAGS: 00000246 ORIG_RAX: 000000000000002e + [ 523.462368] RAX: ffffffffffffffda RBX: 000000006245bf91 RCX: 00007f24552aa337 + [ 523.462368] RDX: 0000000000000000 RSI: 00007fff7f05a8a0 RDI: 0000000000000003 + [ 523.462369] RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000 + [ 523.462370] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000001 + [ 523.462370] R13: 00007fff7f05ce08 R14: 0000000000000000 R15: 000055e5dfdd1040 + [ 523.462373] + [ 523.462374] ---[ end trace ba537bc16f6bf4ed ]--- + +[2] https://github.com/FRRouting/frr/issues/6412 + +Fixes: 4c7e8084fd46 ("ipv4: Plumb support for nexthop object in a fib_info") +Signed-off-by: Nikolay Aleksandrov +Reviewed-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/fib_semantics.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c +index 692ba6d6180f..f99ad4a98907 100644 +--- a/net/ipv4/fib_semantics.c ++++ b/net/ipv4/fib_semantics.c +@@ -876,8 +876,13 @@ int fib_nh_match(struct fib_config *cfg, struct fib_info *fi, + } + + if (cfg->fc_oif || cfg->fc_gw_family) { +- struct fib_nh *nh = fib_info_nh(fi, 0); ++ struct fib_nh *nh; ++ ++ /* cannot match on nexthop object attributes */ ++ if (fi->nh) ++ return 1; + ++ nh = fib_info_nh(fi, 0); + if (cfg->fc_encap) { + if (fib_encap_match(cfg->fc_encap_type, cfg->fc_encap, + nh, cfg, extack)) +-- +2.35.1 + diff --git a/queue-5.4/net-openvswitch-don-t-send-internal-clone-attribute-.patch b/queue-5.4/net-openvswitch-don-t-send-internal-clone-attribute-.patch new file mode 100644 index 00000000000..6e640ba60a1 --- /dev/null +++ b/queue-5.4/net-openvswitch-don-t-send-internal-clone-attribute-.patch @@ -0,0 +1,79 @@ +From b18771a8e7cf68391acf7bd7a34f70ebddf7f2f6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Apr 2022 12:41:50 +0200 +Subject: net: openvswitch: don't send internal clone attribute to the + userspace. + +From: Ilya Maximets + +[ Upstream commit 3f2a3050b4a3e7f32fc0ea3c9b0183090ae00522 ] + +'OVS_CLONE_ATTR_EXEC' is an internal attribute that is used for +performance optimization inside the kernel. It's added by the kernel +while parsing user-provided actions and should not be sent during the +flow dump as it's not part of the uAPI. + +The issue doesn't cause any significant problems to the ovs-vswitchd +process, because reported actions are not really used in the +application lifecycle and only supposed to be shown to a human via +ovs-dpctl flow dump. However, the action list is still incorrect +and causes the following error if the user wants to look at the +datapath flows: + + # ovs-dpctl add-dp system@ovs-system + # ovs-dpctl add-flow "" "clone(ct(commit),0)" + # ovs-dpctl dump-flows + , packets:0, bytes:0, used:never, + actions:clone(bad length 4, expected -1 for: action0(01 00 00 00), + ct(commit),0) + +With the fix: + + # ovs-dpctl dump-flows + , packets:0, bytes:0, used:never, + actions:clone(ct(commit),0) + +Additionally fixed an incorrect attribute name in the comment. + +Fixes: b233504033db ("openvswitch: kernel datapath clone action") +Signed-off-by: Ilya Maximets +Acked-by: Aaron Conole +Link: https://lore.kernel.org/r/20220404104150.2865736-1-i.maximets@ovn.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/openvswitch/actions.c | 2 +- + net/openvswitch/flow_netlink.c | 4 +++- + 2 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/net/openvswitch/actions.c b/net/openvswitch/actions.c +index 2c0f8cbc5c43..ae40593daf21 100644 +--- a/net/openvswitch/actions.c ++++ b/net/openvswitch/actions.c +@@ -1037,7 +1037,7 @@ static int clone(struct datapath *dp, struct sk_buff *skb, + int rem = nla_len(attr); + bool dont_clone_flow_key; + +- /* The first action is always 'OVS_CLONE_ATTR_ARG'. */ ++ /* The first action is always 'OVS_CLONE_ATTR_EXEC'. */ + clone_arg = nla_data(attr); + dont_clone_flow_key = nla_get_u32(clone_arg); + actions = nla_next(clone_arg, &rem); +diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c +index e4c23ae9cfe5..d3f068ad154c 100644 +--- a/net/openvswitch/flow_netlink.c ++++ b/net/openvswitch/flow_netlink.c +@@ -3284,7 +3284,9 @@ static int clone_action_to_attr(const struct nlattr *attr, + if (!start) + return -EMSGSIZE; + +- err = ovs_nla_put_actions(nla_data(attr), rem, skb); ++ /* Skipping the OVS_CLONE_ATTR_EXEC that is always the first attribute. */ ++ attr = nla_next(nla_data(attr), &rem); ++ err = ovs_nla_put_actions(attr, rem, skb); + + if (err) + nla_nest_cancel(skb, start); +-- +2.35.1 + diff --git a/queue-5.4/net-stmmac-fix-unset-max_speed-difference-between-dt.patch b/queue-5.4/net-stmmac-fix-unset-max_speed-difference-between-dt.patch new file mode 100644 index 00000000000..da30639e628 --- /dev/null +++ b/queue-5.4/net-stmmac-fix-unset-max_speed-difference-between-dt.patch @@ -0,0 +1,56 @@ +From 7ba1362f24e33d65a5b5cffeb4028a4e00512d99 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Apr 2022 02:48:32 +0800 +Subject: net: stmmac: Fix unset max_speed difference between DT and non-DT + platforms + +From: Chen-Yu Tsai + +[ Upstream commit c21cabb0fd0b54b8b54235fc1ecfe1195a23bcb2 ] + +In commit 9cbadf094d9d ("net: stmmac: support max-speed device tree +property"), when DT platforms don't set "max-speed", max_speed is set to +-1; for non-DT platforms, it stays the default 0. + +Prior to commit eeef2f6b9f6e ("net: stmmac: Start adding phylink support"), +the check for a valid max_speed setting was to check if it was greater +than zero. This commit got it right, but subsequent patches just checked +for non-zero, which is incorrect for DT platforms. + +In commit 92c3807b9ac3 ("net: stmmac: convert to phylink_get_linkmodes()") +the conversion switched completely to checking for non-zero value as a +valid value, which caused 1000base-T to stop getting advertised by +default. + +Instead of trying to fix all the checks, simply leave max_speed alone if +DT property parsing fails. + +Fixes: 9cbadf094d9d ("net: stmmac: support max-speed device tree property") +Fixes: 92c3807b9ac3 ("net: stmmac: convert to phylink_get_linkmodes()") +Signed-off-by: Chen-Yu Tsai +Acked-by: Russell King (Oracle) +Reviewed-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20220331184832.16316-1-wens@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c +index a46fea472bc4..70cbf48c2c03 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c +@@ -428,8 +428,7 @@ stmmac_probe_config_dt(struct platform_device *pdev, const char **mac) + plat->phylink_node = np; + + /* Get max speed of operation from device tree */ +- if (of_property_read_u32(np, "max-speed", &plat->max_speed)) +- plat->max_speed = -1; ++ of_property_read_u32(np, "max-speed", &plat->max_speed); + + plat->bus_id = of_alias_get_id(np, "ethernet"); + if (plat->bus_id < 0) +-- +2.35.1 + diff --git a/queue-5.4/net-tls-fix-slab-out-of-bounds-bug-in-decrypt_intern.patch b/queue-5.4/net-tls-fix-slab-out-of-bounds-bug-in-decrypt_intern.patch new file mode 100644 index 00000000000..1455df13678 --- /dev/null +++ b/queue-5.4/net-tls-fix-slab-out-of-bounds-bug-in-decrypt_intern.patch @@ -0,0 +1,69 @@ +From 16fd4d26290978c9d5d5bb4bd6550691a854fa5c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 31 Mar 2022 15:04:28 +0800 +Subject: net/tls: fix slab-out-of-bounds bug in decrypt_internal + +From: Ziyang Xuan + +[ Upstream commit 9381fe8c849cfbe50245ac01fc077554f6eaa0e2 ] + +The memory size of tls_ctx->rx.iv for AES128-CCM is 12 setting in +tls_set_sw_offload(). The return value of crypto_aead_ivsize() +for "ccm(aes)" is 16. So memcpy() require 16 bytes from 12 bytes +memory space will trigger slab-out-of-bounds bug as following: + +================================================================== +BUG: KASAN: slab-out-of-bounds in decrypt_internal+0x385/0xc40 [tls] +Read of size 16 at addr ffff888114e84e60 by task tls/10911 + +Call Trace: + + dump_stack_lvl+0x34/0x44 + print_report.cold+0x5e/0x5db + ? decrypt_internal+0x385/0xc40 [tls] + kasan_report+0xab/0x120 + ? decrypt_internal+0x385/0xc40 [tls] + kasan_check_range+0xf9/0x1e0 + memcpy+0x20/0x60 + decrypt_internal+0x385/0xc40 [tls] + ? tls_get_rec+0x2e0/0x2e0 [tls] + ? process_rx_list+0x1a5/0x420 [tls] + ? tls_setup_from_iter.constprop.0+0x2e0/0x2e0 [tls] + decrypt_skb_update+0x9d/0x400 [tls] + tls_sw_recvmsg+0x3c8/0xb50 [tls] + +Allocated by task 10911: + kasan_save_stack+0x1e/0x40 + __kasan_kmalloc+0x81/0xa0 + tls_set_sw_offload+0x2eb/0xa20 [tls] + tls_setsockopt+0x68c/0x700 [tls] + __sys_setsockopt+0xfe/0x1b0 + +Replace the crypto_aead_ivsize() with prot->iv_size + prot->salt_size +when memcpy() iv value in TLS_1_3_VERSION scenario. + +Fixes: f295b3ae9f59 ("net/tls: Add support of AES128-CCM based ciphers") +Signed-off-by: Ziyang Xuan +Reviewed-by: Jakub Kicinski +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/tls/tls_sw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c +index 1436a36c1934..af3be9a29d6d 100644 +--- a/net/tls/tls_sw.c ++++ b/net/tls/tls_sw.c +@@ -1479,7 +1479,7 @@ static int decrypt_internal(struct sock *sk, struct sk_buff *skb, + } + if (prot->version == TLS_1_3_VERSION) + memcpy(iv + iv_offset, tls_ctx->rx.iv, +- crypto_aead_ivsize(ctx->aead_recv)); ++ prot->iv_size + prot->salt_size); + else + memcpy(iv + iv_offset, tls_ctx->rx.iv, prot->salt_size); + +-- +2.35.1 + diff --git a/queue-5.4/perf-session-remap-buf-if-there-is-no-space-for-even.patch b/queue-5.4/perf-session-remap-buf-if-there-is-no-space-for-even.patch new file mode 100644 index 00000000000..fd9b50dec12 --- /dev/null +++ b/queue-5.4/perf-session-remap-buf-if-there-is-no-space-for-even.patch @@ -0,0 +1,78 @@ +From 74f2a2900ee6ebf96f9304025dfb49f0c48a21bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Mar 2022 20:11:30 -0700 +Subject: perf session: Remap buf if there is no space for event + +From: Denis Nikitin + +[ Upstream commit bc21e74d4775f883ae1f542c1f1dc7205b15d925 ] + +If a perf event doesn't fit into remaining buffer space return NULL to +remap buf and fetch the event again. + +Keep the logic to error out on inadequate input from fuzzing. + +This fixes perf failing on ChromeOS (with 32b userspace): + + $ perf report -v -i perf.data + ... + prefetch_event: head=0x1fffff8 event->header_size=0x30, mmap_size=0x2000000: fuzzed or compressed perf.data? + Error: + failed to process sample + +Fixes: 57fc032ad643ffd0 ("perf session: Avoid infinite loop when seeing invalid header.size") +Reviewed-by: James Clark +Signed-off-by: Denis Nikitin +Acked-by: Jiri Olsa +Cc: Alexander Shishkin +Cc: Alexey Budankov +Cc: Namhyung Kim +Link: https://lore.kernel.org/r/20220330031130.2152327-1-denik@chromium.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/session.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +diff --git a/tools/perf/util/session.c b/tools/perf/util/session.c +index 8ff2c98e9032..01e15b445cb5 100644 +--- a/tools/perf/util/session.c ++++ b/tools/perf/util/session.c +@@ -1960,6 +1960,7 @@ prefetch_event(char *buf, u64 head, size_t mmap_size, + bool needs_swap, union perf_event *error) + { + union perf_event *event; ++ u16 event_size; + + /* + * Ensure we have enough space remaining to read +@@ -1972,15 +1973,23 @@ prefetch_event(char *buf, u64 head, size_t mmap_size, + if (needs_swap) + perf_event_header__bswap(&event->header); + +- if (head + event->header.size <= mmap_size) ++ event_size = event->header.size; ++ if (head + event_size <= mmap_size) + return event; + + /* We're not fetching the event so swap back again */ + if (needs_swap) + perf_event_header__bswap(&event->header); + +- pr_debug("%s: head=%#" PRIx64 " event->header_size=%#x, mmap_size=%#zx:" +- " fuzzed or compressed perf.data?\n",__func__, head, event->header.size, mmap_size); ++ /* Check if the event fits into the next mmapped buf. */ ++ if (event_size <= mmap_size - head % page_size) { ++ /* Remap buf and fetch again. */ ++ return NULL; ++ } ++ ++ /* Invalid input. Event size should never exceed mmap_size. */ ++ pr_debug("%s: head=%#" PRIx64 " event->header.size=%#x, mmap_size=%#zx:" ++ " fuzzed or compressed perf.data?\n", __func__, head, event_size, mmap_size); + + return error; + } +-- +2.35.1 + diff --git a/queue-5.4/perf-tools-fix-perf-s-libperf_print-callback.patch b/queue-5.4/perf-tools-fix-perf-s-libperf_print-callback.patch new file mode 100644 index 00000000000..9dfb298c1ad --- /dev/null +++ b/queue-5.4/perf-tools-fix-perf-s-libperf_print-callback.patch @@ -0,0 +1,39 @@ +From 0f6c7dd871e43445e53a2dca1da9ce8551c4d098 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Apr 2022 16:26:25 +0300 +Subject: perf tools: Fix perf's libperf_print callback + +From: Adrian Hunter + +[ Upstream commit aeee9dc53ce405d2161f9915f553114e94e5b677 ] + +eprintf() does not expect va_list as the type of the 4th parameter. + +Use veprintf() because it does. + +Signed-off-by: Adrian Hunter +Fixes: 428dab813a56ce94 ("libperf: Merge libperf_set_print() into libperf_init()") +Cc: Jiri Olsa +Link: https://lore.kernel.org/r/20220408132625.2451452-1-adrian.hunter@intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/perf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/perf.c b/tools/perf/perf.c +index 27f94b0bb874..505e2a2f1872 100644 +--- a/tools/perf/perf.c ++++ b/tools/perf/perf.c +@@ -433,7 +433,7 @@ void pthread__unblock_sigwinch(void) + static int libperf_print(enum libperf_print_level level, + const char *fmt, va_list ap) + { +- return eprintf(level, verbose, fmt, ap); ++ return veprintf(level, verbose, fmt, ap); + } + + int main(int argc, const char **argv) +-- +2.35.1 + diff --git a/queue-5.4/qede-confirm-skb-is-allocated-before-using.patch b/queue-5.4/qede-confirm-skb-is-allocated-before-using.patch new file mode 100644 index 00000000000..35c04c7c08a --- /dev/null +++ b/queue-5.4/qede-confirm-skb-is-allocated-before-using.patch @@ -0,0 +1,42 @@ +From e7cf9f0976305808688108e165d3b4b58f362bc9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Apr 2022 21:19:19 +1000 +Subject: qede: confirm skb is allocated before using + +From: Jamie Bainbridge + +[ Upstream commit 4e910dbe36508654a896d5735b318c0b88172570 ] + +qede_build_skb() assumes build_skb() always works and goes straight +to skb_reserve(). However, build_skb() can fail under memory pressure. +This results in a kernel panic because the skb to reserve is NULL. + +Add a check in case build_skb() failed to allocate and return NULL. + +The NULL return is handled correctly in callers to qede_build_skb(). + +Fixes: 8a8633978b842 ("qede: Add build_skb() support.") +Signed-off-by: Jamie Bainbridge +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qede/qede_fp.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/qlogic/qede/qede_fp.c b/drivers/net/ethernet/qlogic/qede/qede_fp.c +index b81579afa361..f16032635ba7 100644 +--- a/drivers/net/ethernet/qlogic/qede/qede_fp.c ++++ b/drivers/net/ethernet/qlogic/qede/qede_fp.c +@@ -723,6 +723,9 @@ qede_build_skb(struct qede_rx_queue *rxq, + buf = page_address(bd->data) + bd->page_offset; + skb = build_skb(buf, rxq->rx_buf_seg_size); + ++ if (unlikely(!skb)) ++ return NULL; ++ + skb_reserve(skb, pad); + skb_put(skb, len); + +-- +2.35.1 + diff --git a/queue-5.4/rxrpc-fix-a-race-in-rxrpc_exit_net.patch b/queue-5.4/rxrpc-fix-a-race-in-rxrpc_exit_net.patch new file mode 100644 index 00000000000..934d4f62426 --- /dev/null +++ b/queue-5.4/rxrpc-fix-a-race-in-rxrpc_exit_net.patch @@ -0,0 +1,91 @@ +From 4c00c0cc3a6514ae71bf120ef56d40a359b1f703 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Apr 2022 11:34:39 -0700 +Subject: rxrpc: fix a race in rxrpc_exit_net() + +From: Eric Dumazet + +[ Upstream commit 1946014ca3b19be9e485e780e862c375c6f98bad ] + +Current code can lead to the following race: + +CPU0 CPU1 + +rxrpc_exit_net() + rxrpc_peer_keepalive_worker() + if (rxnet->live) + + rxnet->live = false; + del_timer_sync(&rxnet->peer_keepalive_timer); + + timer_reduce(&rxnet->peer_keepalive_timer, jiffies + delay); + + cancel_work_sync(&rxnet->peer_keepalive_work); + +rxrpc_exit_net() exits while peer_keepalive_timer is still armed, +leading to use-after-free. + +syzbot report was: + +ODEBUG: free active (active state 0) object type: timer_list hint: rxrpc_peer_keepalive_timeout+0x0/0xb0 +WARNING: CPU: 0 PID: 3660 at lib/debugobjects.c:505 debug_print_object+0x16e/0x250 lib/debugobjects.c:505 +Modules linked in: +CPU: 0 PID: 3660 Comm: kworker/u4:6 Not tainted 5.17.0-syzkaller-13993-g88e6c0207623 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Workqueue: netns cleanup_net +RIP: 0010:debug_print_object+0x16e/0x250 lib/debugobjects.c:505 +Code: ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 af 00 00 00 48 8b 14 dd 00 1c 26 8a 4c 89 ee 48 c7 c7 00 10 26 8a e8 b1 e7 28 05 <0f> 0b 83 05 15 eb c5 09 01 48 83 c4 18 5b 5d 41 5c 41 5d 41 5e c3 +RSP: 0018:ffffc9000353fb00 EFLAGS: 00010082 +RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000 +RDX: ffff888029196140 RSI: ffffffff815efad8 RDI: fffff520006a7f52 +RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000 +R10: ffffffff815ea4ae R11: 0000000000000000 R12: ffffffff89ce23e0 +R13: ffffffff8a2614e0 R14: ffffffff816628c0 R15: dffffc0000000000 +FS: 0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007fe1f2908924 CR3: 0000000043720000 CR4: 00000000003506f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + __debug_check_no_obj_freed lib/debugobjects.c:992 [inline] + debug_check_no_obj_freed+0x301/0x420 lib/debugobjects.c:1023 + kfree+0xd6/0x310 mm/slab.c:3809 + ops_free_list.part.0+0x119/0x370 net/core/net_namespace.c:176 + ops_free_list net/core/net_namespace.c:174 [inline] + cleanup_net+0x591/0xb00 net/core/net_namespace.c:598 + process_one_work+0x996/0x1610 kernel/workqueue.c:2289 + worker_thread+0x665/0x1080 kernel/workqueue.c:2436 + kthread+0x2e9/0x3a0 kernel/kthread.c:376 + ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298 + + +Fixes: ace45bec6d77 ("rxrpc: Fix firewall route keepalive") +Signed-off-by: Eric Dumazet +Cc: David Howells +Cc: Marc Dionne +Cc: linux-afs@lists.infradead.org +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/rxrpc/net_ns.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/rxrpc/net_ns.c b/net/rxrpc/net_ns.c +index b312aab80fed..9a76b74af37b 100644 +--- a/net/rxrpc/net_ns.c ++++ b/net/rxrpc/net_ns.c +@@ -116,8 +116,8 @@ static __net_exit void rxrpc_exit_net(struct net *net) + struct rxrpc_net *rxnet = rxrpc_net(net); + + rxnet->live = false; +- del_timer_sync(&rxnet->peer_keepalive_timer); + cancel_work_sync(&rxnet->peer_keepalive_work); ++ del_timer_sync(&rxnet->peer_keepalive_timer); + rxrpc_destroy_all_calls(rxnet); + rxrpc_destroy_all_connections(rxnet); + rxrpc_destroy_all_peers(rxnet); +-- +2.35.1 + diff --git a/queue-5.4/scsi-zorro7xx-fix-a-resource-leak-in-zorro7xx_remove.patch b/queue-5.4/scsi-zorro7xx-fix-a-resource-leak-in-zorro7xx_remove.patch new file mode 100644 index 00000000000..26904e8803a --- /dev/null +++ b/queue-5.4/scsi-zorro7xx-fix-a-resource-leak-in-zorro7xx_remove.patch @@ -0,0 +1,40 @@ +From 3c36cae94ea796230e439e82a9c9d76a3d7817b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Mar 2022 08:01:24 +0100 +Subject: scsi: zorro7xx: Fix a resource leak in zorro7xx_remove_one() + +From: Christophe JAILLET + +[ Upstream commit 16ed828b872d12ccba8f07bcc446ae89ba662f9c ] + +The error handling path of the probe releases a resource that is not freed +in the remove function. In some cases, a ioremap() must be undone. + +Add the missing iounmap() call in the remove function. + +Link: https://lore.kernel.org/r/247066a3104d25f9a05de8b3270fc3c848763bcc.1647673264.git.christophe.jaillet@wanadoo.fr +Fixes: 45804fbb00ee ("[SCSI] 53c700: Amiga Zorro NCR53c710 SCSI") +Reviewed-by: Geert Uytterhoeven +Signed-off-by: Christophe JAILLET +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/zorro7xx.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/scsi/zorro7xx.c b/drivers/scsi/zorro7xx.c +index 27b9e2baab1a..7acf9193a9e8 100644 +--- a/drivers/scsi/zorro7xx.c ++++ b/drivers/scsi/zorro7xx.c +@@ -159,6 +159,8 @@ static void zorro7xx_remove_one(struct zorro_dev *z) + scsi_remove_host(host); + + NCR_700_release(host); ++ if (host->base > 0x01000000) ++ iounmap(hostdata->base); + kfree(hostdata); + free_irq(host->irq, host); + zorro_release_device(z); +-- +2.35.1 + diff --git a/queue-5.4/series b/queue-5.4/series index 547ef0eb059..533cf327650 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -422,3 +422,24 @@ parisc-fix-cpu-affinity-for-lasi-wax-and-dino-chips.patch parisc-fix-patch-code-locking-and-flushing.patch mm-fix-race-between-madv_free-reclaim-and-blkdev-dir.patch kvm-arm64-check-arm64_get_bp_hardening_data-didn-t-r.patch +drm-amdgpu-fix-off-by-one-in-amdgpu_gfx_kiq_acquire.patch +drivers-hv-vmbus-fix-potential-crash-on-module-unloa.patch +scsi-zorro7xx-fix-a-resource-leak-in-zorro7xx_remove.patch +net-tls-fix-slab-out-of-bounds-bug-in-decrypt_intern.patch +net-ipv4-fix-route-with-nexthop-object-delete-warnin.patch +net-stmmac-fix-unset-max_speed-difference-between-dt.patch +drm-imx-fix-memory-leak-in-imx_pd_connector_get_mode.patch +bnxt_en-reserve-space-inside-receive-page-for-skb_sh.patch +ib-rdmavt-add-lock-to-call-to-rvt_error_qp-to-preven.patch +dpaa2-ptp-fix-refcount-leak-in-dpaa2_ptp_probe.patch +ipv6-fix-stats-accounting-in-ip6_pkt_drop.patch +net-openvswitch-don-t-send-internal-clone-attribute-.patch +rxrpc-fix-a-race-in-rxrpc_exit_net.patch +qede-confirm-skb-is-allocated-before-using.patch +spi-bcm-qspi-fix-mspi-only-access-with-bcm_qspi_exec.patch +bpf-support-dual-stack-sockets-in-bpf_tcp_check_sync.patch +drbd-fix-five-use-after-free-bugs-in-get_initial_sta.patch +sunrpc-handle-enomem-in-call_transmit_status.patch +sunrpc-handle-low-memory-situations-in-call_status.patch +perf-tools-fix-perf-s-libperf_print-callback.patch +perf-session-remap-buf-if-there-is-no-space-for-even.patch diff --git a/queue-5.4/spi-bcm-qspi-fix-mspi-only-access-with-bcm_qspi_exec.patch b/queue-5.4/spi-bcm-qspi-fix-mspi-only-access-with-bcm_qspi_exec.patch new file mode 100644 index 00000000000..48d99f7401b --- /dev/null +++ b/queue-5.4/spi-bcm-qspi-fix-mspi-only-access-with-bcm_qspi_exec.patch @@ -0,0 +1,47 @@ +From a73682d94f8a1d781a7d0df800669da8ddb28ace Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Mar 2022 10:24:42 -0400 +Subject: spi: bcm-qspi: fix MSPI only access with bcm_qspi_exec_mem_op() + +From: Kamal Dasu + +[ Upstream commit 2c7d1b281286c46049cd22b43435cecba560edde ] + +This fixes case where MSPI controller is used to access spi-nor +flash and BSPI block is not present. + +Fixes: 5f195ee7d830 ("spi: bcm-qspi: Implement the spi_mem interface") +Signed-off-by: Kamal Dasu +Acked-by: Florian Fainelli +Link: https://lore.kernel.org/r/20220328142442.7553-1-kdasu.kdev@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-bcm-qspi.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/spi/spi-bcm-qspi.c b/drivers/spi/spi-bcm-qspi.c +index 3755be04346a..d933a6eda5fd 100644 +--- a/drivers/spi/spi-bcm-qspi.c ++++ b/drivers/spi/spi-bcm-qspi.c +@@ -960,7 +960,7 @@ static int bcm_qspi_exec_mem_op(struct spi_mem *mem, + addr = op->addr.val; + len = op->data.nbytes; + +- if (bcm_qspi_bspi_ver_three(qspi) == true) { ++ if (has_bspi(qspi) && bcm_qspi_bspi_ver_three(qspi) == true) { + /* + * The address coming into this function is a raw flash offset. + * But for BSPI <= V3, we need to convert it to a remapped BSPI +@@ -979,7 +979,7 @@ static int bcm_qspi_exec_mem_op(struct spi_mem *mem, + len < 4) + mspi_read = true; + +- if (mspi_read) ++ if (!has_bspi(qspi) || mspi_read) + return bcm_qspi_mspi_exec_mem_op(spi, op); + + ret = bcm_qspi_bspi_set_mode(qspi, op, 0); +-- +2.35.1 + diff --git a/queue-5.4/sunrpc-handle-enomem-in-call_transmit_status.patch b/queue-5.4/sunrpc-handle-enomem-in-call_transmit_status.patch new file mode 100644 index 00000000000..baf55ce2fb8 --- /dev/null +++ b/queue-5.4/sunrpc-handle-enomem-in-call_transmit_status.patch @@ -0,0 +1,42 @@ +From 6f467f0b90bd7fb4b1e7778a292ca9b1c45ddbdd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Apr 2022 23:18:57 -0400 +Subject: SUNRPC: Handle ENOMEM in call_transmit_status() + +From: Trond Myklebust + +[ Upstream commit d3c15033b240767d0287f1c4a529cbbe2d5ded8a ] + +Both call_transmit() and call_bc_transmit() can now return ENOMEM, so +let's make sure that we handle the errors gracefully. + +Fixes: 0472e4766049 ("SUNRPC: Convert socket page send code to use iov_iter()") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + net/sunrpc/clnt.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c +index b6039642df67..bc191d2c193e 100644 +--- a/net/sunrpc/clnt.c ++++ b/net/sunrpc/clnt.c +@@ -2223,6 +2223,7 @@ call_transmit_status(struct rpc_task *task) + * socket just returned a connection error, + * then hold onto the transport lock. + */ ++ case -ENOMEM: + case -ENOBUFS: + rpc_delay(task, HZ>>2); + /* fall through */ +@@ -2308,6 +2309,7 @@ call_bc_transmit_status(struct rpc_task *task) + case -ENOTCONN: + case -EPIPE: + break; ++ case -ENOMEM: + case -ENOBUFS: + rpc_delay(task, HZ>>2); + /* fall through */ +-- +2.35.1 + diff --git a/queue-5.4/sunrpc-handle-low-memory-situations-in-call_status.patch b/queue-5.4/sunrpc-handle-low-memory-situations-in-call_status.patch new file mode 100644 index 00000000000..fc4fac38e7b --- /dev/null +++ b/queue-5.4/sunrpc-handle-low-memory-situations-in-call_status.patch @@ -0,0 +1,42 @@ +From 8aacff591744725204995a9e6fff23bf9300901d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Apr 2022 09:50:19 -0400 +Subject: SUNRPC: Handle low memory situations in call_status() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Trond Myklebust + +[ Upstream commit 9d82819d5b065348ce623f196bf601028e22ed00 ] + +We need to handle ENFILE, ENOBUFS, and ENOMEM, because +xprt_wake_pending_tasks() can be called with any one of these due to +socket creation failures. + +Fixes: b61d59fffd3e ("SUNRPC: xs_tcp_connect_worker{4,6}: merge common code") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + net/sunrpc/clnt.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c +index bc191d2c193e..08e1ccc01e98 100644 +--- a/net/sunrpc/clnt.c ++++ b/net/sunrpc/clnt.c +@@ -2394,6 +2394,11 @@ call_status(struct rpc_task *task) + case -EPIPE: + case -EAGAIN: + break; ++ case -ENFILE: ++ case -ENOBUFS: ++ case -ENOMEM: ++ rpc_delay(task, HZ>>2); ++ break; + case -EIO: + /* shutdown or soft timeout */ + goto out_exit; +-- +2.35.1 +