From: Sasha Levin Date: Tue, 10 Aug 2021 12:10:00 +0000 (-0400) Subject: Fixes for 5.13 X-Git-Tag: v4.4.280~11 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a71c9db4ffecdd162e281af95df154d7a5eb8f2b;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.13 Signed-off-by: Sasha Levin --- diff --git a/queue-5.13/alpha-send-stop-ipi-to-send-to-online-cpus.patch b/queue-5.13/alpha-send-stop-ipi-to-send-to-online-cpus.patch new file mode 100644 index 00000000000..7bbc2c780d3 --- /dev/null +++ b/queue-5.13/alpha-send-stop-ipi-to-send-to-online-cpus.patch 
@@ -0,0 +1,48 @@
+From e97b9372b6ede70e047ebd1923b50853a9afd8e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 5 Jan 2021 10:16:27 -0500
+Subject: alpha: Send stop IPI to send to online CPUs
+
+From: Prarit Bhargava
+
+[ Upstream commit caace6ca4e06f09413fb8f8a63319594cfb7d47d ]
+
+This issue was noticed while debugging a shutdown issue where some
+secondary CPUs are not being shutdown correctly. A fix for that [1] requires
+that secondary cpus be offlined using the cpu_online_mask so that the
+stop operation is a no-op if CPU HOTPLUG is disabled. I, like the author in
+[1] looked at the architectures and found that alpha is one of two
+architectures that executes smp_send_stop() on all possible CPUs.
+
+On alpha, smp_send_stop() sends an IPI to all possible CPUs but only needs
+to send them to online CPUs.
+
+Send the stop IPI to only the online CPUs.
+
+[1] https://lkml.org/lkml/2020/1/10/250
+
+Signed-off-by: Prarit Bhargava
+Cc: Richard Henderson
+Cc: Ivan Kokshaysky
+Signed-off-by: Matt Turner
+Signed-off-by: Sasha Levin
+---
+ arch/alpha/kernel/smp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/alpha/kernel/smp.c b/arch/alpha/kernel/smp.c
+index 4b2575f936d4..cb64e4797d2a 100644
+--- a/arch/alpha/kernel/smp.c
++++ b/arch/alpha/kernel/smp.c
+@@ -582,7 +582,7 @@ void
+ smp_send_stop(void)
+ {
+ cpumask_t to_whom;
+- cpumask_copy(&to_whom, cpu_possible_mask);
++ cpumask_copy(&to_whom, cpu_online_mask);
+ cpumask_clear_cpu(smp_processor_id(), &to_whom);
+ #ifdef DEBUG_IPI_MSG
+ if (hard_smp_processor_id() != boot_cpu_id)
+--
+2.30.2
+
diff --git a/queue-5.13/drm-amdgpu-display-only-enable-aux-backlight-control.patch b/queue-5.13/drm-amdgpu-display-only-enable-aux-backlight-control.patch
new file mode 100644
index 00000000000..3552d7fa651
--- /dev/null
+++ b/queue-5.13/drm-amdgpu-display-only-enable-aux-backlight-control.patch
@@ -0,0 +1,66 @@ +From 723c717c6e437425d0ef9837cabaf06e502ee4f8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jul 2021 18:11:51 -0400 +Subject: drm/amdgpu/display: only enable aux backlight control for OLED panels + +From: Alex Deucher + +[ Upstream commit f2ad3accefc63e72e9932e141c21875cc04beec8 ] + +We've gotten a number of reports about backlight control not +working on panels which indicate that they use aux backlight +control. A recent patch: + +commit 2d73eabe2984a435737498ab39bb1500a9ffe9a9 +Author: Camille Cho +Date: Thu Jul 8 18:28:37 2021 +0800 + + drm/amd/display: Only set default brightness for OLED + + [Why] + We used to unconditionally set backlight path as AUX for panels capable + of backlight adjustment via DPCD in set default brightness. + + [How] + This should be limited to OLED panel only since we control backlight via + PWM path for SDR mode in LCD HDR panel. + + Reviewed-by: Krunoslav Kovac + Acked-by: Rodrigo Siqueira + Signed-off-by: Camille Cho + 
Signed-off-by: Alex Deucher + +Changes some other code to only use aux for backlight control on +OLED panels. The commit message seems to indicate that PWM should +be used for SDR mode on HDR panels. Do something similar for +backlight control in general. This may need to be revisited if and +when HDR started to get used. + +Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/1438 +Bug: https://bugzilla.kernel.org/show_bug.cgi?id=213715 +Reviewed-by: Roman Li +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +index f44038f8e563..0894cd505361 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -2367,9 +2367,9 @@ static void update_connector_ext_caps(struct amdgpu_dm_connector *aconnector) + max_cll = conn_base->hdr_sink_metadata.hdmi_type1.max_cll; + min_cll = conn_base->hdr_sink_metadata.hdmi_type1.min_cll; + +- if (caps->ext_caps->bits.oled == 1 || ++ if (caps->ext_caps->bits.oled == 1 /*|| + caps->ext_caps->bits.sdr_aux_backlight_control == 1 || +- caps->ext_caps->bits.hdr_aux_backlight_control == 1) ++ caps->ext_caps->bits.hdr_aux_backlight_control == 1*/) + caps->aux_support = true; + + if (amdgpu_backlight == 0) +-- +2.30.2 + diff --git a/queue-5.13/hid-ft260-fix-device-removal-due-to-usb-disconnect.patch b/queue-5.13/hid-ft260-fix-device-removal-due-to-usb-disconnect.patch new file mode 100644 index 00000000000..96b0647ece4 --- /dev/null +++ b/queue-5.13/hid-ft260-fix-device-removal-due-to-usb-disconnect.patch 
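Review bot: In update_connector_ext_caps() the two aux-backlight capability tests are switched off by wrapping them in `/*|| ... */` inside the `if` condition, which leaves dead code in the expression and makes the condition easy to misread. Delete the two lines so the test reads `if (caps->ext_caps->bits.oled == 1)` and state the reason in a comment above it, for example `/* Only OLED panels use AUX backlight control for now; revisit once HDR is in use. */`. The function body starts and ends outside the hunk.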
@@ -0,0 +1,118 @@ +From 670b8762e95c057d99be60c82bf699547b02ef6f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Jul 2021 13:26:03 +0300 +Subject: HID: ft260: fix device removal due to USB disconnect + +From: Michael Zaidman + +[ Upstream commit db8d3a21275c807a4047a21bde3b57d49ca55d82 ] + +This commit fixes a functional regression introduced by the commit 82f09a637dd3 +("HID: ft260: improve error handling of ft260_hid_feature_report_get()") +when upon USB disconnect, the FTDI FT260 i2c device is still available within +the /dev folder. + +In my company's product, where the host USB to FT260 USB connection is +hard-wired in the PCB, the issue is not reproducible. To reproduce it, I used +the VirtualBox Ubuntu 20.04 VM and the UMFT260EV1A development module for the +FTDI FT260 chip: + +Plug the UMFT260EV1A module into a USB port and attach it to VM. + +The VM shows 2 i2c devices under the /dev: + michael@michael-VirtualBox:~$ ls /dev/i2c-* + /dev/i2c-0 /dev/i2c-1 + +The i2c-0 is not related to the FTDI FT260: + michael@michael-VirtualBox:~$ cat /sys/bus/i2c/devices/i2c-0/name + SMBus PIIX4 adapter at 4100 + +The i2c-1 is created by hid-ft260.ko: + michael@michael-VirtualBox:~$ cat /sys/bus/i2c/devices/i2c-1/name + FT260 usb-i2c bridge on hidraw1 + +Now, detach the FTDI FT260 USB device from VM. We expect the /dev/i2c-1 +to disappear, but it's still here: + michael@michael-VirtualBox:~$ ls /dev/i2c-* + /dev/i2c-0 /dev/i2c-1 + +And the kernel log shows: + [ +0.001202] usb 2-2: USB disconnect, device number 3 + [ +0.000109] ft260 0003:0403:6030.0002: failed to retrieve system status + [ +0.000316] ft260 0003:0403:6030.0003: failed to retrieve system status + +It happens because the commit 82f09a637dd3 changed the ft260_get_system_config() +return logic. 
This caused the ft260_is_interface_enabled() to exit with error +upon the FT260 device USB disconnect, which in turn, aborted the ft260_remove() +before deleting the FT260 i2c device and cleaning its sysfs stuff. + +This commit restores the FT260 USB removal functionality and improves the +ft260_is_interface_enabled() code to handle correctly all chip modes defined +by the device interface configuration pins DCNF0 and DCNF1. + +Signed-off-by: Michael Zaidman +Acked-by: Aaron Jones (FTDI-UK) +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-ft260.c | 23 +++++++---------------- + 1 file changed, 7 insertions(+), 16 deletions(-) + +diff --git a/drivers/hid/hid-ft260.c b/drivers/hid/hid-ft260.c +index f43a8406cb9a..e73776ae6976 100644 +--- a/drivers/hid/hid-ft260.c ++++ b/drivers/hid/hid-ft260.c +@@ -742,7 +742,7 @@ static int ft260_is_interface_enabled(struct hid_device *hdev) + int ret; + + ret = ft260_get_system_config(hdev, &cfg); +- if (ret) ++ if (ret < 0) + return ret; + + ft260_dbg("interface: 0x%02x\n", interface); +@@ -754,23 +754,16 @@ static int ft260_is_interface_enabled(struct hid_device *hdev) + switch (cfg.chip_mode) { + case FT260_MODE_ALL: + case FT260_MODE_BOTH: +- if (interface == 1) { ++ if (interface == 1) + hid_info(hdev, "uart interface is not supported\n"); +- return 0; +- } +- ret = 1; ++ else ++ ret = 1; + break; + case FT260_MODE_UART: +- if (interface == 0) { +- hid_info(hdev, "uart is unsupported on interface 0\n"); +- ret = 0; +- } ++ hid_info(hdev, "uart interface is not supported\n"); + break; + case FT260_MODE_I2C: +- if (interface == 1) { +- hid_info(hdev, "i2c is unsupported on interface 1\n"); +- ret = 0; +- } ++ ret = 1; + break; + } + return ret; +@@ -1004,11 +997,9 @@ static int ft260_probe(struct hid_device *hdev, const struct hid_device_id *id) + + static void ft260_remove(struct hid_device *hdev) + { +- int ret; + struct ft260_device *dev = hid_get_drvdata(hdev); + +- ret = 
ft260_is_interface_enabled(hdev); +- if (ret <= 0) ++ if (!dev) + return; + + sysfs_remove_group(&hdev->dev.kobj, &ft260_attr_group); +-- +2.30.2 + diff --git a/queue-5.13/libata-fix-ata_pio_sector-for-config_highmem.patch b/queue-5.13/libata-fix-ata_pio_sector-for-config_highmem.patch new file mode 100644 index 00000000000..8fc31214a04 --- /dev/null +++ b/queue-5.13/libata-fix-ata_pio_sector-for-config_highmem.patch 
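Review bot: In ft260_is_interface_enabled() the branches that only log "uart interface is not supported" now reach `return ret;` without assigning `ret`, so the "not enabled" result depends on ft260_get_system_config() returning exactly 0 on success, while the check above was just relaxed from `if (ret)` to `if (ret < 0)`. That helper is not in the hunk; if it can return a positive value, an unsupported interface would be reported as enabled. Adding `ret = 0;` right after the `if (ret < 0) return ret;` check makes the contract local to this function. A `default:` case in the switch would also cover an unexpected `cfg.chip_mode` value.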
@@ -0,0 +1,92 @@ +From 257e6ccda222e3a830cd9d7d5ff7688a1ef157d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Jul 2021 15:02:37 +0200 +Subject: libata: fix ata_pio_sector for CONFIG_HIGHMEM + +From: Christoph Hellwig + +[ Upstream commit ecef6a9effe49e8e2635c839020b9833b71e934c ] + +Data transfers are not required to be block aligned in memory, so they +span two pages. Fix this by splitting the call to >sff_data_xfer into +two for that case. + +This has been broken since the initial libata import before the damn +of git, but was uncovered by the legacy ide driver removal. + +Reported-by: kernel test robot +Signed-off-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20210709130237.3730959-1-hch@lst.de +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/ata/libata-sff.c | 35 +++++++++++++++++++++++++++-------- + 1 file changed, 27 insertions(+), 8 deletions(-) + +diff --git a/drivers/ata/libata-sff.c b/drivers/ata/libata-sff.c +index ae7189d1a568..b71ea4a680b0 100644 +--- a/drivers/ata/libata-sff.c ++++ b/drivers/ata/libata-sff.c +@@ -637,6 +637,20 @@ unsigned int ata_sff_data_xfer32(struct ata_queued_cmd *qc, unsigned char *buf, + } + EXPORT_SYMBOL_GPL(ata_sff_data_xfer32); + ++static void ata_pio_xfer(struct ata_queued_cmd *qc, struct page *page, ++ unsigned int offset, size_t xfer_size) ++{ ++ bool do_write = (qc->tf.flags & ATA_TFLAG_WRITE); ++ unsigned char *buf; ++ ++ buf = kmap_atomic(page); ++ qc->ap->ops->sff_data_xfer(qc, buf + offset, xfer_size, do_write); ++ kunmap_atomic(buf); ++ ++ if (!do_write && !PageSlab(page)) ++ flush_dcache_page(page); ++} ++ + /** + * ata_pio_sector - Transfer a sector of data. 
+ * @qc: Command on going +@@ -648,11 +662,9 @@ EXPORT_SYMBOL_GPL(ata_sff_data_xfer32); + */ + static void ata_pio_sector(struct ata_queued_cmd *qc) + { +- int do_write = (qc->tf.flags & ATA_TFLAG_WRITE); + struct ata_port *ap = qc->ap; + struct page *page; + unsigned int offset; +- unsigned char *buf; + + if (!qc->cursg) { + qc->curbytes = qc->nbytes; +@@ -670,13 +682,20 @@ static void ata_pio_sector(struct ata_queued_cmd *qc) + + DPRINTK("data %s\n", qc->tf.flags & ATA_TFLAG_WRITE ? "write" : "read"); + +- /* do the actual data transfer */ +- buf = kmap_atomic(page); +- ap->ops->sff_data_xfer(qc, buf + offset, qc->sect_size, do_write); +- kunmap_atomic(buf); ++ /* ++ * Split the transfer when it splits a page boundary. Note that the ++ * split still has to be dword aligned like all ATA data transfers. ++ */ ++ WARN_ON_ONCE(offset % 4); ++ if (offset + qc->sect_size > PAGE_SIZE) { ++ unsigned int split_len = PAGE_SIZE - offset; + +- if (!do_write && !PageSlab(page)) +- flush_dcache_page(page); ++ ata_pio_xfer(qc, page, offset, split_len); ++ ata_pio_xfer(qc, nth_page(page, 1), 0, ++ qc->sect_size - split_len); ++ } else { ++ ata_pio_xfer(qc, page, offset, qc->sect_size); ++ } + + qc->curbytes += qc->sect_size; + qc->cursg_ofs += qc->sect_size; +-- +2.30.2 + diff --git a/queue-5.13/net-qede-fix-end-of-loop-tests-for-list_for_each_ent.patch b/queue-5.13/net-qede-fix-end-of-loop-tests-for-list_for_each_ent.patch new file mode 100644 index 00000000000..6a762c7396b --- /dev/null +++ b/queue-5.13/net-qede-fix-end-of-loop-tests-for-list_for_each_ent.patch 
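Review bot: The new helper ata_pio_xfer() has no comment stating its precondition: it maps a single page with kmap_atomic(), so `offset + xfer_size` must not exceed PAGE_SIZE, and only the caller in ata_pio_sector() enforces that. A short kernel-doc block in the style of the one on ata_pio_sector() should say that the range must lie within `page` and that the caller splits transfers crossing a page boundary. Separately, `WARN_ON_ONCE(offset % 4)` only logs, and the transfer still runs with the misaligned offset. How `page` and `offset` are derived is outside the hunk, so whether `nth_page(page, 1)` always stays inside the current scatterlist entry cannot be confirmed from here.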
@@ -0,0 +1,44 @@
+From ce7cbd39d83847f077835d3403300cd4dbf624c6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 25 Jul 2021 23:28:04 +0530
+Subject: net: qede: Fix end of loop tests for list_for_each_entry
+
+From: Harshvardhan Jha
+
+[ Upstream commit 795e3d2ea68e489ee7039ac29e98bfea0e34a96c ]
+
+The list_for_each_entry() iterator, "vlan" in this code, can never be
+NULL so the warning will never be printed.
+
+Signed-off-by: Harshvardhan Jha
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/qlogic/qede/qede_filter.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qede/qede_filter.c b/drivers/net/ethernet/qlogic/qede/qede_filter.c
+index c59b72c90293..a2e4dfb5cb44 100644
+--- a/drivers/net/ethernet/qlogic/qede/qede_filter.c
++++ b/drivers/net/ethernet/qlogic/qede/qede_filter.c
+@@ -831,7 +831,7 @@ int qede_configure_vlan_filters(struct qede_dev *edev)
+ int qede_vlan_rx_kill_vid(struct net_device *dev, __be16 proto, u16 vid)
+ {
+ struct qede_dev *edev = netdev_priv(dev);
+- struct qede_vlan *vlan = NULL;
++ struct qede_vlan *vlan;
+ int rc = 0;
+
+ DP_VERBOSE(edev, NETIF_MSG_IFDOWN, "Removing vlan 0x%04x\n", vid);
+@@ -842,7 +842,7 @@ int qede_vlan_rx_kill_vid(struct net_device *dev, __be16 proto, u16 vid)
+ if (vlan->vid == vid)
+ break;
+
+- if (!vlan || (vlan->vid != vid)) {
++ if (list_entry_is_head(vlan, &edev->vlan_list, list)) {
+ DP_VERBOSE(edev, (NETIF_MSG_IFUP | NETIF_MSG_IFDOWN),
+ "Vlan isn't configured\n");
+ goto out;
+--
+2.30.2
+
diff --git a/queue-5.13/net-qla3xxx-fix-schedule-while-atomic-in-ql_wait_for.patch b/queue-5.13/net-qla3xxx-fix-schedule-while-atomic-in-ql_wait_for.patch
new file mode 100644
index 00000000000..c86571bbb53
--- /dev/null
+++ b/queue-5.13/net-qla3xxx-fix-schedule-while-atomic-in-ql_wait_for.patch
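Review bot: qede_vlan_rx_kill_vid() still reads the list_for_each_entry() cursor `vlan` after the loop, which is only safe because `list_entry_is_head()` is tested first. With the `= NULL` initialiser gone, any later use that skips that test would touch a pointer computed from the list head rather than a real entry. A separate result pointer keeps the cursor inside the loop: iterate with a `tmp` cursor, set `vlan = tmp;` before `break`, keep `vlan` initialised to NULL and test `if (!vlan)`. The loop header itself is outside the hunk.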
@@ -0,0 +1,58 @@
+From 3b5bb1ffec39664615f5f3c72208643c35b49813 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 25 Jul 2021 21:45:12 +0800
+Subject: net/qla3xxx: fix schedule while atomic in ql_wait_for_drvr_lock and
+ ql_adapter_reset
+
+From: Letu Ren
+
+[ Upstream commit 92766c4628ea349c8ddab0cd7bd0488f36e5c4ce ]
+
+When calling the 'ql_wait_for_drvr_lock' and 'ql_adapter_reset', the driver
+has already acquired the spin lock, so the driver should not call 'ssleep'
+in atomic context.
+
+This bug can be fixed by using 'mdelay' instead of 'ssleep'.
+
+Reported-by: Letu Ren
+Signed-off-by: Letu Ren
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/qlogic/qla3xxx.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qla3xxx.c b/drivers/net/ethernet/qlogic/qla3xxx.c
+index 2376b2729633..c00ad57575ea 100644
+--- a/drivers/net/ethernet/qlogic/qla3xxx.c
++++ b/drivers/net/ethernet/qlogic/qla3xxx.c
+@@ -154,7 +154,7 @@ static int ql_wait_for_drvr_lock(struct ql3_adapter *qdev)
+ "driver lock acquired\n");
+ return 1;
+ }
+- ssleep(1);
++ mdelay(1000);
+ } while (++i < 10);
+
+ netdev_err(qdev->ndev, "Timed out waiting for driver lock...\n");
+@@ -3274,7 +3274,7 @@ static int ql_adapter_reset(struct ql3_adapter *qdev)
+ if ((value & ISP_CONTROL_SR) == 0)
+ break;
+
+- ssleep(1);
++ mdelay(1000);
+ } while ((--max_wait_time));
+
+ /*
+@@ -3310,7 +3310,7 @@ static int ql_adapter_reset(struct ql3_adapter *qdev)
+ ispControlStatus);
+ if ((value & ISP_CONTROL_FSR) == 0)
+ break;
+- ssleep(1);
++ mdelay(1000);
+ } while ((--max_wait_time));
+ }
+ if (max_wait_time == 0)
+--
+2.30.2
+
diff --git a/queue-5.13/platform-x86-gigabyte-wmi-add-support-for-b550-aorus.patch b/queue-5.13/platform-x86-gigabyte-wmi-add-support-for-b550-aorus.patch
new file mode 100644
index 00000000000..fb1eb9d34a4
--- /dev/null
+++ b/queue-5.13/platform-x86-gigabyte-wmi-add-support-for-b550-aorus.patch
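Review bot: Replacing `ssleep(1)` with `mdelay(1000)` makes every retry a one-second busy-wait while, per the commit message, a spin lock is held. ql_wait_for_drvr_lock() retries up to 10 times and both loops in ql_adapter_reset() run for `max_wait_time` iterations, so a CPU can spin for many seconds in atomic context. That is long enough to risk lockup-detector warnings and to stall anything else waiting on the same lock. Consider polling at a finer grain within the same total budget, or restructuring the callers so the lock is dropped around the wait and a sleeping delay can be kept. This applies to all three hunks; the callers that take the lock are outside them.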
@@ -0,0 +1,38 @@
+From 9fbe9b6754f91e92163ca783620b3f5708f87418 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 26 Jul 2021 17:36:30 +0200
+Subject: platform/x86: gigabyte-wmi: add support for B550 Aorus Elite V2
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Weißschuh
+
+[ Upstream commit 2b2c66f607d00d17f879c0d946d44340bfbdc501 ]
+
+Reported as working here:
+https://github.com/t-8ch/linux-gigabyte-wmi-driver/issues/1#issuecomment-879398883
+
+Signed-off-by: Thomas Weißschuh
+Link: https://lore.kernel.org/r/20210726153630.65213-1-linux@weissschuh.net
+Signed-off-by: Hans de Goede
+Signed-off-by: Sasha Levin
+---
+ drivers/platform/x86/gigabyte-wmi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/platform/x86/gigabyte-wmi.c b/drivers/platform/x86/gigabyte-wmi.c
+index 5529d7b0abea..fbb224a82e34 100644
+--- a/drivers/platform/x86/gigabyte-wmi.c
++++ b/drivers/platform/x86/gigabyte-wmi.c
+@@ -141,6 +141,7 @@ static u8 gigabyte_wmi_detect_sensor_usability(struct wmi_device *wdev)
+
+ static const struct dmi_system_id gigabyte_wmi_known_working_platforms[] = {
+ DMI_EXACT_MATCH_GIGABYTE_BOARD_NAME("B550 AORUS ELITE"),
++ DMI_EXACT_MATCH_GIGABYTE_BOARD_NAME("B550 AORUS ELITE V2"),
+ DMI_EXACT_MATCH_GIGABYTE_BOARD_NAME("B550 GAMING X V2"),
+ DMI_EXACT_MATCH_GIGABYTE_BOARD_NAME("B550M AORUS PRO-P"),
+ DMI_EXACT_MATCH_GIGABYTE_BOARD_NAME("B550M DS3H"),
+--
+2.30.2
+
diff --git a/queue-5.13/reiserfs-add-check-for-root_inode-in-reiserfs_fill_s.patch b/queue-5.13/reiserfs-add-check-for-root_inode-in-reiserfs_fill_s.patch
new file mode 100644
index 00000000000..c329054ac4c
--- /dev/null
+++ b/queue-5.13/reiserfs-add-check-for-root_inode-in-reiserfs_fill_s.patch
@@ -0,0 +1,98 @@ +From 04870ce7c4a94c99da33feb72564e4e1c9882d5b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Jul 2021 12:07:43 +0800 +Subject: reiserfs: add check for root_inode in reiserfs_fill_super + +From: Yu Kuai + +[ Upstream commit 2acf15b94d5b8ea8392c4b6753a6ffac3135cd78 ] + +Our syzcaller report a NULL pointer dereference: + +BUG: kernel NULL pointer dereference, address: 0000000000000000 +PGD 116e95067 P4D 116e95067 PUD 1080b5067 PMD 0 +Oops: 0010 [#1] SMP KASAN +CPU: 7 PID: 592 Comm: a.out Not tainted 5.13.0-next-20210629-dirty #67 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-buildvm-p4 +RIP: 0010:0x0 +Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6. +RSP: 0018:ffff888114e779b8 EFLAGS: 00010246 +RAX: 0000000000000000 RBX: 1ffff110229cef39 RCX: ffffffffaa67e1aa +RDX: 0000000000000000 RSI: ffff88810a58ee00 RDI: ffff8881233180b0 +RBP: ffffffffac38e9c0 R08: ffffffffaa67e17e R09: 0000000000000001 +R10: ffffffffb91c5557 R11: fffffbfff7238aaa R12: ffff88810a58ee00 +R13: ffff888114e77aa0 R14: 0000000000000000 R15: ffff8881233180b0 +FS: 00007f946163c480(0000) GS:ffff88839f1c0000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: ffffffffffffffd6 CR3: 00000001099c1000 CR4: 00000000000006e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + __lookup_slow+0x116/0x2d0 + ? page_put_link+0x120/0x120 + ? __d_lookup+0xfc/0x320 + ? d_lookup+0x49/0x90 + lookup_one_len+0x13c/0x170 + ? __lookup_slow+0x2d0/0x2d0 + ? reiserfs_schedule_old_flush+0x31/0x130 + reiserfs_lookup_privroot+0x64/0x150 + reiserfs_fill_super+0x158c/0x1b90 + ? finish_unfinished+0xb10/0xb10 + ? bprintf+0xe0/0xe0 + ? __mutex_lock_slowpath+0x30/0x30 + ? __kasan_check_write+0x20/0x30 + ? up_write+0x51/0xb0 + ? set_blocksize+0x9f/0x1f0 + mount_bdev+0x27c/0x2d0 + ? finish_unfinished+0xb10/0xb10 + ? 
reiserfs_kill_sb+0x120/0x120 + get_super_block+0x19/0x30 + legacy_get_tree+0x76/0xf0 + vfs_get_tree+0x49/0x160 + ? capable+0x1d/0x30 + path_mount+0xacc/0x1380 + ? putname+0x97/0xd0 + ? finish_automount+0x450/0x450 + ? kmem_cache_free+0xf8/0x5a0 + ? putname+0x97/0xd0 + do_mount+0xe2/0x110 + ? path_mount+0x1380/0x1380 + ? copy_mount_options+0x69/0x140 + __x64_sys_mount+0xf0/0x190 + do_syscall_64+0x35/0x80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +This is because 'root_inode' is initialized with wrong mode, and +it's i_op is set to 'reiserfs_special_inode_operations'. Thus add +check for 'root_inode' to fix the problem. + +Link: https://lore.kernel.org/r/20210702040743.1918552-1-yukuai3@huawei.com +Signed-off-by: Yu Kuai +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/reiserfs/super.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/fs/reiserfs/super.c b/fs/reiserfs/super.c +index 3ffafc73acf0..58481f8d63d5 100644 +--- a/fs/reiserfs/super.c ++++ b/fs/reiserfs/super.c +@@ -2082,6 +2082,14 @@ static int reiserfs_fill_super(struct super_block *s, void *data, int silent) + unlock_new_inode(root_inode); + } + ++ if (!S_ISDIR(root_inode->i_mode) || !inode_get_bytes(root_inode) || ++ !root_inode->i_size) { ++ SWARN(silent, s, "", "corrupt root inode, run fsck"); ++ iput(root_inode); ++ errval = -EUCLEAN; ++ goto error; ++ } ++ + s->s_root = d_make_root(root_inode); + if (!s->s_root) + goto error; +-- +2.30.2 + diff --git a/queue-5.13/reiserfs-check-directory-items-on-read-from-disk.patch b/queue-5.13/reiserfs-check-directory-items-on-read-from-disk.patch new file mode 100644 index 00000000000..42f5f10eec3 --- /dev/null +++ b/queue-5.13/reiserfs-check-directory-items-on-read-from-disk.patch 
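Review bot: The new root-inode check in reiserfs_fill_super() has no comment saying why these three fields are tested, and the SWARN() call passes an empty id string. Per the commit message, a root inode with a wrong mode gets `reiserfs_special_inode_operations` and the later reiserfs_lookup_privroot() path then jumps to address 0. A comment such as `/* The root must be a non-empty directory; a corrupt image with any other mode gets inode ops that the privroot lookup cannot use. */` would keep the check from being dropped as redundant. A non-empty warning id, like the "reiserfs-5093" style used in stree.c, would make the message searchable. The `error:` label and what it releases are outside the hunk.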
@@ -0,0 +1,79 @@ +From 9b8b45330e8f49b845f736e60e181e281f4e0e62 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Jul 2021 20:59:29 +0530 +Subject: reiserfs: check directory items on read from disk + +From: Shreyansh Chouhan + +[ Upstream commit 13d257503c0930010ef9eed78b689cec417ab741 ] + +While verifying the leaf item that we read from the disk, reiserfs +doesn't check the directory items, this could cause a crash when we +read a directory item from the disk that has an invalid deh_location. + +This patch adds a check to the directory items read from the disk that +does a bounds check on deh_location for the directory entries. Any +directory entry header with a directory entry offset greater than the +item length is considered invalid. + +Link: https://lore.kernel.org/r/20210709152929.766363-1-chouhan.shreyansh630@gmail.com +Reported-by: syzbot+c31a48e6702ccb3d64c9@syzkaller.appspotmail.com +Signed-off-by: Shreyansh Chouhan +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/reiserfs/stree.c | 31 ++++++++++++++++++++++++++----- + 1 file changed, 26 insertions(+), 5 deletions(-) + +diff --git a/fs/reiserfs/stree.c b/fs/reiserfs/stree.c +index 476a7ff49482..ef42729216d1 100644 +--- a/fs/reiserfs/stree.c ++++ b/fs/reiserfs/stree.c +@@ -387,6 +387,24 @@ void pathrelse(struct treepath *search_path) + search_path->path_length = ILLEGAL_PATH_ELEMENT_OFFSET; + } + ++static int has_valid_deh_location(struct buffer_head *bh, struct item_head *ih) ++{ ++ struct reiserfs_de_head *deh; ++ int i; ++ ++ deh = B_I_DEH(bh, ih); ++ for (i = 0; i < ih_entry_count(ih); i++) { ++ if (deh_location(&deh[i]) > ih_item_len(ih)) { ++ reiserfs_warning(NULL, "reiserfs-5094", ++ "directory entry location seems wrong %h", ++ &deh[i]); ++ return 0; ++ } ++ } ++ ++ return 1; ++} ++ + static int is_leaf(char *buf, int blocksize, struct buffer_head *bh) + { + struct block_head *blkh; +@@ -454,11 +472,14 @@ static int is_leaf(char *buf, int blocksize, struct buffer_head *bh) + 
"(second one): %h", ih); + return 0; + } +- if (is_direntry_le_ih(ih) && (ih_item_len(ih) < (ih_entry_count(ih) * IH_SIZE))) { +- reiserfs_warning(NULL, "reiserfs-5093", +- "item entry count seems wrong %h", +- ih); +- return 0; ++ if (is_direntry_le_ih(ih)) { ++ if (ih_item_len(ih) < (ih_entry_count(ih) * IH_SIZE)) { ++ reiserfs_warning(NULL, "reiserfs-5093", ++ "item entry count seems wrong %h", ++ ih); ++ return 0; ++ } ++ return has_valid_deh_location(bh, ih); + } + prev_location = ih_location(ih); + } +-- +2.30.2 + diff --git a/queue-5.13/series b/queue-5.13/series index fde5a3b1df2..55e1cfce98a 100644 --- a/queue-5.13/series +++ b/queue-5.13/series @@ -162,3 +162,14 @@ soc-ixp4xx-qmgr-fix-invalid-__iomem-access.patch perf-x86-amd-don-t-touch-the-amd64_eventsel_hostonly-bit-inside-the-guest.patch sched-rt-fix-double-enqueue-caused-by-rt_effective_prio.patch riscv-dts-fix-memory-size-for-the-sifive-hifive-unmatched.patch +libata-fix-ata_pio_sector-for-config_highmem.patch +reiserfs-add-check-for-root_inode-in-reiserfs_fill_s.patch +reiserfs-check-directory-items-on-read-from-disk.patch +virt_wifi-fix-error-on-connect.patch +net-qede-fix-end-of-loop-tests-for-list_for_each_ent.patch +alpha-send-stop-ipi-to-send-to-online-cpus.patch +net-qla3xxx-fix-schedule-while-atomic-in-ql_wait_for.patch +smb3-rc-uninitialized-in-one-fallocate-path.patch +drm-amdgpu-display-only-enable-aux-backlight-control.patch +platform-x86-gigabyte-wmi-add-support-for-b550-aorus.patch +hid-ft260-fix-device-removal-due-to-usb-disconnect.patch diff --git a/queue-5.13/smb3-rc-uninitialized-in-one-fallocate-path.patch b/queue-5.13/smb3-rc-uninitialized-in-one-fallocate-path.patch new file mode 100644 index 00000000000..30cfe64c39a --- /dev/null +++ b/queue-5.13/smb3-rc-uninitialized-in-one-fallocate-path.patch 
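Review bot: In is_leaf() the added `return has_valid_deh_location(bh, ih);` returns as soon as one directory item passes, so the `prev_location = ih_location(ih);` update and every check on the remaining items are skipped for a leaf that contains a directory item. The per-item loop is outside the hunk, but the trailing `prev_location` update suggests one. On a corrupt image, items after the first directory item would then go unvalidated; use `if (!has_valid_deh_location(bh, ih)) return 0;` and fall through instead. In has_valid_deh_location() the test `deh_location(&deh[i]) > ih_item_len(ih)` also accepts a location equal to the item length and sets no lower bound. Whether `>=` is the right bound depends on the on-disk entry layout, which is not shown here.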
@@ -0,0 +1,37 @@
+From e278b3f891ab8b323695f513cdea2c20c9a5da49 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 26 Jul 2021 16:22:55 -0500
+Subject: smb3: rc uninitialized in one fallocate path
+
+From: Steve French
+
+[ Upstream commit 5ad4df56cd2158965f73416d41fce37906724822 ]
+
+Clang detected a problem with rc possibly being unitialized
+(when length is zero) in a recently added fallocate code path.
+
+Reported-by: kernel test robot
+Reviewed-by: Paulo Alcantara (SUSE)
+Signed-off-by: Steve French
+Signed-off-by: Sasha Levin
+---
+ fs/cifs/smb2ops.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
+index 398c941e3897..f77156187a0a 100644
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -3613,7 +3613,8 @@ static int smb3_simple_fallocate_write_range(unsigned int xid,
+ char *buf)
+ {
+ struct cifs_io_parms io_parms = {0};
+- int rc, nbytes;
++ int nbytes;
++ int rc = 0;
+ struct kvec iov[2];
+
+ io_parms.netfid = cfile->fid.netfid;
+--
+2.30.2
+
diff --git a/queue-5.13/virt_wifi-fix-error-on-connect.patch b/queue-5.13/virt_wifi-fix-error-on-connect.patch
new file mode 100644
index 00000000000..3ff78705b5e
--- /dev/null
+++ b/queue-5.13/virt_wifi-fix-error-on-connect.patch
@@ -0,0 +1,155 @@ +From 8e215175190d33f31919d53c06901e6f5ae483ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Jul 2021 17:44:23 +0200 +Subject: virt_wifi: fix error on connect + +From: Matteo Croce + +[ Upstream commit 17109e9783799be2a063b2bd861a508194b0a487 ] + +When connecting without first doing a scan, the BSS list is empty +and __cfg80211_connect_result() generates this warning: + +$ iw dev wlan0 connect -w VirtWifi +[ 15.371989] ------------[ cut here ]------------ +[ 15.372179] WARNING: CPU: 0 PID: 92 at net/wireless/sme.c:756 __cfg80211_connect_result+0x402/0x440 +[ 15.372383] CPU: 0 PID: 92 Comm: kworker/u2:2 Not tainted 5.13.0-kvm #444 +[ 15.372512] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-3.fc34 04/01/2014 +[ 15.372597] Workqueue: cfg80211 cfg80211_event_work +[ 15.372756] RIP: 0010:__cfg80211_connect_result+0x402/0x440 +[ 15.372818] Code: 48 2b 04 25 28 00 00 00 75 59 48 8b 3b 48 8b 76 10 48 8d 65 e0 5b 41 5c 41 5d 41 5e 5d 49 8d 65 f0 41 5d e9 d0 d4 fd ff 0f 0b <0f> 0b e9 f6 fd ff ff e8 f2 4a b4 ff e9 ec fd ff ff 0f 0b e9 19 fd +[ 15.372966] RSP: 0018:ffffc900005cbdc0 EFLAGS: 00010246 +[ 15.373022] RAX: 0000000000000000 RBX: ffff8880028e2400 RCX: ffff8880028e2472 +[ 15.373088] RDX: 0000000000000002 RSI: 00000000fffffe01 RDI: ffffffff815335ba +[ 15.373149] RBP: ffffc900005cbe00 R08: 0000000000000008 R09: ffff888002bdf8b8 +[ 15.373209] R10: ffff88803ec208f0 R11: ffffffffffffe9ae R12: ffff88801d687d98 +[ 15.373280] R13: ffff88801b5fe000 R14: ffffc900005cbdc0 R15: dead000000000100 +[ 15.373330] FS: 0000000000000000(0000) GS:ffff88803ec00000(0000) knlGS:0000000000000000 +[ 15.373382] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 15.373425] CR2: 000056421c468958 CR3: 000000001b458001 CR4: 0000000000170eb0 +[ 15.373478] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 15.373529] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 15.373580] Call Trace: +[ 15.373611] ? 
cfg80211_process_wdev_events+0x10e/0x170 +[ 15.373743] cfg80211_process_wdev_events+0x10e/0x170 +[ 15.373783] cfg80211_process_rdev_events+0x21/0x40 +[ 15.373846] cfg80211_event_work+0x20/0x30 +[ 15.373892] process_one_work+0x1e9/0x340 +[ 15.373956] worker_thread+0x4b/0x3f0 +[ 15.374017] ? process_one_work+0x340/0x340 +[ 15.374053] kthread+0x11f/0x140 +[ 15.374089] ? set_kthread_struct+0x30/0x30 +[ 15.374153] ret_from_fork+0x1f/0x30 +[ 15.374187] ---[ end trace 321ef0cb7e9c0be1 ]--- +wlan0 (phy #0): connected to 00:00:00:00:00:00 + +Add the fake bss just before the connect so that cfg80211_get_bss() +finds the virtual network. +As some code was duplicated, move it in a common function. + +Signed-off-by: Matteo Croce +Link: https://lore.kernel.org/r/20210706154423.11065-1-mcroce@linux.microsoft.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/virt_wifi.c | 52 ++++++++++++++++++++------------ + 1 file changed, 32 insertions(+), 20 deletions(-) + +diff --git a/drivers/net/wireless/virt_wifi.c b/drivers/net/wireless/virt_wifi.c +index 1df959532c7d..514f2c1124b6 100644 +--- a/drivers/net/wireless/virt_wifi.c ++++ b/drivers/net/wireless/virt_wifi.c +@@ -136,6 +136,29 @@ static struct ieee80211_supported_band band_5ghz = { + /* Assigned at module init. Guaranteed locally-administered and unicast. 
*/ + static u8 fake_router_bssid[ETH_ALEN] __ro_after_init = {}; + ++static void virt_wifi_inform_bss(struct wiphy *wiphy) ++{ ++ u64 tsf = div_u64(ktime_get_boottime_ns(), 1000); ++ struct cfg80211_bss *informed_bss; ++ static const struct { ++ u8 tag; ++ u8 len; ++ u8 ssid[8]; ++ } __packed ssid = { ++ .tag = WLAN_EID_SSID, ++ .len = 8, ++ .ssid = "VirtWifi", ++ }; ++ ++ informed_bss = cfg80211_inform_bss(wiphy, &channel_5ghz, ++ CFG80211_BSS_FTYPE_PRESP, ++ fake_router_bssid, tsf, ++ WLAN_CAPABILITY_ESS, 0, ++ (void *)&ssid, sizeof(ssid), ++ DBM_TO_MBM(-50), GFP_KERNEL); ++ cfg80211_put_bss(wiphy, informed_bss); ++} ++ + /* Called with the rtnl lock held. */ + static int virt_wifi_scan(struct wiphy *wiphy, + struct cfg80211_scan_request *request) +@@ -156,28 +179,13 @@ static int virt_wifi_scan(struct wiphy *wiphy, + /* Acquires and releases the rdev BSS lock. */ + static void virt_wifi_scan_result(struct work_struct *work) + { +- struct { +- u8 tag; +- u8 len; +- u8 ssid[8]; +- } __packed ssid = { +- .tag = WLAN_EID_SSID, .len = 8, .ssid = "VirtWifi", +- }; +- struct cfg80211_bss *informed_bss; + struct virt_wifi_wiphy_priv *priv = + container_of(work, struct virt_wifi_wiphy_priv, + scan_result.work); + struct wiphy *wiphy = priv_to_wiphy(priv); + struct cfg80211_scan_info scan_info = { .aborted = false }; +- u64 tsf = div_u64(ktime_get_boottime_ns(), 1000); + +- informed_bss = cfg80211_inform_bss(wiphy, &channel_5ghz, +- CFG80211_BSS_FTYPE_PRESP, +- fake_router_bssid, tsf, +- WLAN_CAPABILITY_ESS, 0, +- (void *)&ssid, sizeof(ssid), +- DBM_TO_MBM(-50), GFP_KERNEL); +- cfg80211_put_bss(wiphy, informed_bss); ++ virt_wifi_inform_bss(wiphy); + + /* Schedules work which acquires and releases the rtnl lock. 
*/ + cfg80211_scan_done(priv->scan_request, &scan_info); +@@ -225,10 +233,12 @@ static int virt_wifi_connect(struct wiphy *wiphy, struct net_device *netdev, + if (!could_schedule) + return -EBUSY; + +- if (sme->bssid) ++ if (sme->bssid) { + ether_addr_copy(priv->connect_requested_bss, sme->bssid); +- else ++ } else { ++ virt_wifi_inform_bss(wiphy); + eth_zero_addr(priv->connect_requested_bss); ++ } + + wiphy_debug(wiphy, "connect\n"); + +@@ -241,11 +251,13 @@ static void virt_wifi_connect_complete(struct work_struct *work) + struct virt_wifi_netdev_priv *priv = + container_of(work, struct virt_wifi_netdev_priv, connect.work); + u8 *requested_bss = priv->connect_requested_bss; +- bool has_addr = !is_zero_ether_addr(requested_bss); + bool right_addr = ether_addr_equal(requested_bss, fake_router_bssid); + u16 status = WLAN_STATUS_SUCCESS; + +- if (!priv->is_up || (has_addr && !right_addr)) ++ if (is_zero_ether_addr(requested_bss)) ++ requested_bss = NULL; ++ ++ if (!priv->is_up || (requested_bss && !right_addr)) + status = WLAN_STATUS_UNSPECIFIED_FAILURE; + else + priv->is_connected = true; +-- +2.30.2 +
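Review bot: The new helper virt_wifi_inform_bss() carries no locking or context comment, unlike its neighbours ("Called with the rtnl lock held.", "Acquires and releases the rdev BSS lock."). It allocates with GFP_KERNEL and is now called from both the scan work item and virt_wifi_connect(), so add a comment such as `/* May sleep (GFP_KERNEL); must not be called from atomic context. */` above it. The result of cfg80211_inform_bss() goes straight to cfg80211_put_bss() without a check, so if it fails on the connect path the BSS list presumably stays empty and the warning from the commit message can still fire. In virt_wifi_connect() the helper runs only in the `else` branch, so a connect with an explicit bssid and no prior scan is not covered by this change and is worth confirming.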