From: Sasha Levin Date: Tue, 12 Nov 2019 14:27:15 +0000 (-0500) Subject: fixes for 4.19 X-Git-Tag: v4.4.201~9 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ad978c49bd46f0da39899d51cc1380f8f858d5ae;p=thirdparty%2Fkernel%2Fstable-queue.git fixes for 4.19 Signed-off-by: Sasha Levin --- diff --git a/queue-4.19/iio-imu-mpu6050-fix-fifo-layout-for-icm20602.patch b/queue-4.19/iio-imu-mpu6050-fix-fifo-layout-for-icm20602.patch new file mode 100644 index 00000000000..30baa0d4f63 --- /dev/null +++ b/queue-4.19/iio-imu-mpu6050-fix-fifo-layout-for-icm20602.patch 
@@ -0,0 +1,182 @@ +From bb490825271f8d29c154b77febc840ccb8c0dd79 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Apr 2019 23:28:56 -0700 +Subject: iio: imu: mpu6050: Fix FIFO layout for ICM20602 + +From: Steve Moskovchenko + +[ Upstream commit 1615fe41a1959a2ee2814ba62736b2bb54e9802a ] + +The MPU6050 driver has recently gained support for the +ICM20602 IMU, which is very similar to MPU6xxx. However, +the ICM20602's FIFO data specifically includes temperature +readings, which were not present on MPU6xxx parts. As a +result, the driver will under-read the ICM20602's FIFO +register, causing the same (partial) sample to be returned +for all reads, until the FIFO overflows. + +Fix this by adding a table of scan elements specifically +for the ICM20602, which takes the extra temperature data +into consideration. + +While we're at it, fix the temperature offset and scaling +on ICM20602, since it uses different scale/offset constants +than the rest of the MPU6xxx devices. + +Signed-off-by: Steve Moskovchenko +Fixes: 22904bdff978 ("iio: imu: mpu6050: Add support for the ICM 20602 IMU") +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/imu/inv_mpu6050/inv_mpu_core.c | 46 ++++++++++++++++++++-- + drivers/iio/imu/inv_mpu6050/inv_mpu_iio.h | 20 +++++++++- + drivers/iio/imu/inv_mpu6050/inv_mpu_ring.c | 3 ++ + 3 files changed, 64 insertions(+), 5 deletions(-) + +diff --git a/drivers/iio/imu/inv_mpu6050/inv_mpu_core.c b/drivers/iio/imu/inv_mpu6050/inv_mpu_core.c +index ea099523e0355..baba8e5459d00 100644 +--- a/drivers/iio/imu/inv_mpu6050/inv_mpu_core.c ++++ b/drivers/iio/imu/inv_mpu6050/inv_mpu_core.c +@@ -479,7 +479,10 @@ inv_mpu6050_read_raw(struct iio_dev *indio_dev, + return IIO_VAL_INT_PLUS_MICRO; + case IIO_TEMP: + *val = 0; +- *val2 = INV_MPU6050_TEMP_SCALE; ++ if (st->chip_type == INV_ICM20602) ++ *val2 = INV_ICM20602_TEMP_SCALE; ++ else ++ *val2 = INV_MPU6050_TEMP_SCALE; + + return IIO_VAL_INT_PLUS_MICRO; + default: +@@ -488,7 
+491,10 @@ inv_mpu6050_read_raw(struct iio_dev *indio_dev, + case IIO_CHAN_INFO_OFFSET: + switch (chan->type) { + case IIO_TEMP: +- *val = INV_MPU6050_TEMP_OFFSET; ++ if (st->chip_type == INV_ICM20602) ++ *val = INV_ICM20602_TEMP_OFFSET; ++ else ++ *val = INV_MPU6050_TEMP_OFFSET; + + return IIO_VAL_INT; + default: +@@ -853,6 +859,32 @@ static const struct iio_chan_spec inv_mpu_channels[] = { + INV_MPU6050_CHAN(IIO_ACCEL, IIO_MOD_Z, INV_MPU6050_SCAN_ACCL_Z), + }; + ++static const struct iio_chan_spec inv_icm20602_channels[] = { ++ IIO_CHAN_SOFT_TIMESTAMP(INV_ICM20602_SCAN_TIMESTAMP), ++ { ++ .type = IIO_TEMP, ++ .info_mask_separate = BIT(IIO_CHAN_INFO_RAW) ++ | BIT(IIO_CHAN_INFO_OFFSET) ++ | BIT(IIO_CHAN_INFO_SCALE), ++ .scan_index = INV_ICM20602_SCAN_TEMP, ++ .scan_type = { ++ .sign = 's', ++ .realbits = 16, ++ .storagebits = 16, ++ .shift = 0, ++ .endianness = IIO_BE, ++ }, ++ }, ++ ++ INV_MPU6050_CHAN(IIO_ANGL_VEL, IIO_MOD_X, INV_ICM20602_SCAN_GYRO_X), ++ INV_MPU6050_CHAN(IIO_ANGL_VEL, IIO_MOD_Y, INV_ICM20602_SCAN_GYRO_Y), ++ INV_MPU6050_CHAN(IIO_ANGL_VEL, IIO_MOD_Z, INV_ICM20602_SCAN_GYRO_Z), ++ ++ INV_MPU6050_CHAN(IIO_ACCEL, IIO_MOD_Y, INV_ICM20602_SCAN_ACCL_Y), ++ INV_MPU6050_CHAN(IIO_ACCEL, IIO_MOD_X, INV_ICM20602_SCAN_ACCL_X), ++ INV_MPU6050_CHAN(IIO_ACCEL, IIO_MOD_Z, INV_ICM20602_SCAN_ACCL_Z), ++}; ++ + /* + * The user can choose any frequency between INV_MPU6050_MIN_FIFO_RATE and + * INV_MPU6050_MAX_FIFO_RATE, but only these frequencies are matched by the +@@ -1053,8 +1085,14 @@ int inv_mpu_core_probe(struct regmap *regmap, int irq, const char *name, + indio_dev->name = name; + else + indio_dev->name = dev_name(dev); +- indio_dev->channels = inv_mpu_channels; +- indio_dev->num_channels = ARRAY_SIZE(inv_mpu_channels); ++ ++ if (chip_type == INV_ICM20602) { ++ indio_dev->channels = inv_icm20602_channels; ++ indio_dev->num_channels = ARRAY_SIZE(inv_icm20602_channels); ++ } else { ++ indio_dev->channels = inv_mpu_channels; ++ indio_dev->num_channels = 
ARRAY_SIZE(inv_mpu_channels); ++ } + + indio_dev->info = &mpu_info; + indio_dev->modes = INDIO_BUFFER_TRIGGERED; +diff --git a/drivers/iio/imu/inv_mpu6050/inv_mpu_iio.h b/drivers/iio/imu/inv_mpu6050/inv_mpu_iio.h +index e56c1d191ae46..6ef872f97c175 100644 +--- a/drivers/iio/imu/inv_mpu6050/inv_mpu_iio.h ++++ b/drivers/iio/imu/inv_mpu6050/inv_mpu_iio.h +@@ -208,6 +208,9 @@ struct inv_mpu6050_state { + #define INV_MPU6050_BYTES_PER_3AXIS_SENSOR 6 + #define INV_MPU6050_FIFO_COUNT_BYTE 2 + ++/* ICM20602 FIFO samples include temperature readings */ ++#define INV_ICM20602_BYTES_PER_TEMP_SENSOR 2 ++ + /* mpu6500 registers */ + #define INV_MPU6500_REG_ACCEL_CONFIG_2 0x1D + #define INV_MPU6500_REG_ACCEL_OFFSET 0x77 +@@ -229,6 +232,9 @@ struct inv_mpu6050_state { + #define INV_MPU6050_GYRO_CONFIG_FSR_SHIFT 3 + #define INV_MPU6050_ACCL_CONFIG_FSR_SHIFT 3 + ++#define INV_ICM20602_TEMP_OFFSET 8170 ++#define INV_ICM20602_TEMP_SCALE 3060 ++ + /* 6 + 6 round up and plus 8 */ + #define INV_MPU6050_OUTPUT_DATA_SIZE 24 + +@@ -270,7 +276,7 @@ struct inv_mpu6050_state { + #define INV_ICM20608_WHOAMI_VALUE 0xAF + #define INV_ICM20602_WHOAMI_VALUE 0x12 + +-/* scan element definition */ ++/* scan element definition for generic MPU6xxx devices */ + enum inv_mpu6050_scan { + INV_MPU6050_SCAN_ACCL_X, + INV_MPU6050_SCAN_ACCL_Y, +@@ -281,6 +287,18 @@ enum inv_mpu6050_scan { + INV_MPU6050_SCAN_TIMESTAMP, + }; + ++/* scan element definition for ICM20602, which includes temperature */ ++enum inv_icm20602_scan { ++ INV_ICM20602_SCAN_ACCL_X, ++ INV_ICM20602_SCAN_ACCL_Y, ++ INV_ICM20602_SCAN_ACCL_Z, ++ INV_ICM20602_SCAN_TEMP, ++ INV_ICM20602_SCAN_GYRO_X, ++ INV_ICM20602_SCAN_GYRO_Y, ++ INV_ICM20602_SCAN_GYRO_Z, ++ INV_ICM20602_SCAN_TIMESTAMP, ++}; ++ + enum inv_mpu6050_filter_e { + INV_MPU6050_FILTER_256HZ_NOLPF2 = 0, + INV_MPU6050_FILTER_188HZ, +diff --git a/drivers/iio/imu/inv_mpu6050/inv_mpu_ring.c b/drivers/iio/imu/inv_mpu6050/inv_mpu_ring.c +index 4f9c2765aa23f..0e54f2d54bd70 100644 +--- 
a/drivers/iio/imu/inv_mpu6050/inv_mpu_ring.c ++++ b/drivers/iio/imu/inv_mpu6050/inv_mpu_ring.c +@@ -204,6 +204,9 @@ irqreturn_t inv_mpu6050_read_fifo(int irq, void *p) + if (st->chip_config.gyro_fifo_enable) + bytes_per_datum += INV_MPU6050_BYTES_PER_3AXIS_SENSOR; + ++ if (st->chip_type == INV_ICM20602) ++ bytes_per_datum += INV_ICM20602_BYTES_PER_TEMP_SENSOR; ++ + /* + * read fifo_count register to know how many bytes are inside the FIFO + * right now +-- +2.20.1 + diff --git a/queue-4.19/net-prevent-load-store-tearing-on-sk-sk_stamp.patch b/queue-4.19/net-prevent-load-store-tearing-on-sk-sk_stamp.patch new file mode 100644 index 00000000000..267a827a00d --- /dev/null +++ b/queue-4.19/net-prevent-load-store-tearing-on-sk-sk_stamp.patch 
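Review bot: The context comment `/* 6 + 6 round up and plus 8 */` above `INV_MPU6050_OUTPUT_DATA_SIZE` in inv_mpu_iio.h is stale now that `inv_mpu6050_read_fifo()` adds `INV_ICM20602_BYTES_PER_TEMP_SENSOR` to `bytes_per_datum`. The largest ICM20602 datum becomes 6 + 6 + 2 = 14 bytes, which rounds up to 16 and with the 8-byte timestamp still comes to 24, so the size holds but with no slack. That constant presumably sizes the buffer the FIFO read fills (the read itself is outside the hunk), so I would update the comment to `/* 6 + 6 + 2 round up and plus 8 */` so the next per-chip addition gets checked against it. Separately, `inv_icm20602_channels[]` lists the accel entries in Y, X, Z order; the scan indices make this harmless, but X, Y, Z would match the gyro entries.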
@@ -0,0 +1,50 @@ +From 3d474267252fc00f03ede87bb9b7f5533141089b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Nov 2019 21:38:43 -0800 +Subject: net: prevent load/store tearing on sk->sk_stamp + +From: Eric Dumazet + +[ Upstream commit f75359f3ac855940c5718af10ba089b8977bf339 ] + +Add a couple of READ_ONCE() and WRITE_ONCE() to prevent +load-tearing and store-tearing in sock_read_timestamp() +and sock_write_timestamp() + +This might prevent another KCSAN report. + +Fixes: 3a0ed3e96197 ("sock: Make sock->sk_stamp thread-safe") +Signed-off-by: Eric Dumazet +Cc: Deepa Dinamani +Acked-by: Deepa Dinamani +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/net/sock.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/include/net/sock.h b/include/net/sock.h +index 05e8faa84717f..0252c0d003104 100644 +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -2318,7 +2318,7 @@ static inline ktime_t sock_read_timestamp(struct sock *sk) + + return kt; + #else +- return sk->sk_stamp; ++ return READ_ONCE(sk->sk_stamp); + #endif + } + +@@ -2329,7 +2329,7 @@ static inline void sock_write_timestamp(struct sock *sk, ktime_t kt) + sk->sk_stamp = kt; + write_sequnlock(&sk->sk_stamp_seq); + #else +- sk->sk_stamp = kt; ++ WRITE_ONCE(sk->sk_stamp, kt); + #endif + } + +-- +2.20.1 + diff --git a/queue-4.19/netfilter-ipset-copy-the-right-mac-address-in-hash-i.patch b/queue-4.19/netfilter-ipset-copy-the-right-mac-address-in-hash-i.patch new file mode 100644 index 00000000000..c98f54fdb0e --- /dev/null +++ b/queue-4.19/netfilter-ipset-copy-the-right-mac-address-in-hash-i.patch 
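Review bot: The `READ_ONCE()`/`WRITE_ONCE()` pair added in the `#else` branches of `sock_read_timestamp()` and `sock_write_timestamp()` has no comment saying what it pairs with, so a later cleanup could drop it as redundant. A one-line comment on the reader, e.g. `/* lockless: pairs with WRITE_ONCE() in sock_write_timestamp() */`, and the mirror on the writer would document that this path has no seqlock. Any code that reads or writes `sk->sk_stamp` directly rather than through these helpers would still be a plain access; that cannot be checked from this hunk and is worth a grep. Both functions begin outside the hunks shown.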
@@ -0,0 +1,71 @@ +From eacbff422794191ab65afe8510310289fb51d7db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Oct 2019 19:18:14 +0200 +Subject: netfilter: ipset: Copy the right MAC address in hash:ip,mac IPv6 sets + +From: Stefano Brivio + +[ Upstream commit 97664bc2c77e2b65cdedddcae2643fc93291d958 ] + +Same as commit 1b4a75108d5b ("netfilter: ipset: Copy the right MAC +address in bitmap:ip,mac and hash:ip,mac sets"), another copy and paste +went wrong in commit 8cc4ccf58379 ("netfilter: ipset: Allow matching on +destination MAC address for mac and ipmac sets"). + +When I fixed this for IPv4 in 1b4a75108d5b, I didn't realise that +hash:ip,mac sets also support IPv6 as family, and this is covered by a +separate function, hash_ipmac6_kadt(). + +In hash:ip,mac sets, the first dimension is the IP address, and the +second dimension is the MAC address: check the IPSET_DIM_TWO_SRC flag +in flags while deciding which MAC address to copy, destination or +source. + +This way, mixing source and destination matches for the two dimensions +of ip,mac hash type works as expected, also for IPv6. With this setup: + + ip netns add A + ip link add veth1 type veth peer name veth2 netns A + ip addr add 2001:db8::1/64 dev veth1 + ip -net A addr add 2001:db8::2/64 dev veth2 + ip link set veth1 up + ip -net A link set veth2 up + + dst=$(ip netns exec A cat /sys/class/net/veth2/address) + + ip netns exec A ipset create test_hash hash:ip,mac family inet6 + ip netns exec A ipset add test_hash 2001:db8::1,${dst} + ip netns exec A ip6tables -A INPUT -p icmpv6 --icmpv6-type 135 -j ACCEPT + ip netns exec A ip6tables -A INPUT -m set ! --match-set test_hash src,dst -j DROP + +ipset now correctly matches a test packet: + + # ping -c1 2001:db8::2 >/dev/null + # echo $? 
+ 0 + +Reported-by: Chen, Yi +Fixes: 8cc4ccf58379 ("netfilter: ipset: Allow matching on destination MAC address for mac and ipmac sets") +Signed-off-by: Stefano Brivio +Signed-off-by: Jozsef Kadlecsik +Signed-off-by: Sasha Levin +--- + net/netfilter/ipset/ip_set_hash_ipmac.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/netfilter/ipset/ip_set_hash_ipmac.c b/net/netfilter/ipset/ip_set_hash_ipmac.c +index 25560ea742d66..f2c2f72e2fffc 100644 +--- a/net/netfilter/ipset/ip_set_hash_ipmac.c ++++ b/net/netfilter/ipset/ip_set_hash_ipmac.c +@@ -212,7 +212,7 @@ hash_ipmac6_kadt(struct ip_set *set, const struct sk_buff *skb, + (skb_mac_header(skb) + ETH_HLEN) > skb->data) + return -EINVAL; + +- if (opt->flags & IPSET_DIM_ONE_SRC) ++ if (opt->flags & IPSET_DIM_TWO_SRC) + ether_addr_copy(e.ether, eth_hdr(skb)->h_source); + else + ether_addr_copy(e.ether, eth_hdr(skb)->h_dest); +-- +2.20.1 + diff --git a/queue-4.19/series b/queue-4.19/series index c3b23277123..b930f6bca77 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -123,3 +123,8 @@ iio-imu-mpu6050-add-support-for-the-icm-20602-imu.patch iio-imu-inv_mpu6050-fix-no-data-on-mpu6050.patch mm-filemap.c-don-t-initiate-writeback-if-mapping-has-no-dirty-pages.patch cgroup-writeback-don-t-switch-wbs-immediately-on-dead-wbs-if-the-memcg-is-dead.patch +usbip-fix-free-of-unallocated-memory-in-vhci-tx.patch +netfilter-ipset-copy-the-right-mac-address-in-hash-i.patch +net-prevent-load-store-tearing-on-sk-sk_stamp.patch +iio-imu-mpu6050-fix-fifo-layout-for-icm20602.patch +vsock-virtio-fix-sock-refcnt-holding-during-the-shut.patch diff --git a/queue-4.19/usbip-fix-free-of-unallocated-memory-in-vhci-tx.patch b/queue-4.19/usbip-fix-free-of-unallocated-memory-in-vhci-tx.patch new file mode 100644 index 00000000000..474aa0d1a06 --- /dev/null +++ b/queue-4.19/usbip-fix-free-of-unallocated-memory-in-vhci-tx.patch 
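Review bot: Nothing at the corrected test in `hash_ipmac6_kadt()` records why the MAC selection keys on `IPSET_DIM_TWO_SRC`, and the description says the same copy-and-paste slip was made in the IPv4 variant too. A short comment above the `if`, such as `/* MAC is the second dimension of hash:ip,mac: test DIM_TWO, not DIM_ONE */`, would make the next copy harder to get wrong. The flag decides which address a packet is matched on in a filtering set, so a regression here silently changes which traffic a rule accepts or drops. The reproducer in the description would be worth keeping as a selftest if the tree has a place for it. The function starts and ends outside the hunk.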
@@ -0,0 +1,47 @@ +From 604acb43f872c071848f3aedb8ad4c1d6a397747 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Oct 2019 18:30:17 +0900 +Subject: usbip: Fix free of unallocated memory in vhci tx + +From: Suwan Kim + +[ Upstream commit d4d8257754c3300ea2a465dadf8d2b02c713c920 ] + +iso_buffer should be set to NULL after use and free in the while loop. +In the case of isochronous URB in the while loop, iso_buffer is +allocated and after sending it to server, buffer is deallocated. And +then, if the next URB in the while loop is not a isochronous pipe, +iso_buffer still holds the previously deallocated buffer address and +kfree tries to free wrong buffer address. + +Fixes: ea44d190764b ("usbip: Implement SG support to vhci-hcd and stub driver") +Reported-by: kbuild test robot +Reported-by: Julia Lawall +Signed-off-by: Suwan Kim +Reviewed-by: Julia Lawall +Acked-by: Shuah Khan +Link: https://lore.kernel.org/r/20191022093017.8027-1-suwan.kim027@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/usbip/vhci_tx.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/usb/usbip/vhci_tx.c b/drivers/usb/usbip/vhci_tx.c +index 61b1fd379ad2f..acac49402c2b1 100644 +--- a/drivers/usb/usbip/vhci_tx.c ++++ b/drivers/usb/usbip/vhci_tx.c +@@ -147,7 +147,10 @@ static int vhci_send_cmd_submit(struct vhci_device *vdev) + } + + kfree(iov); ++ /* This is only for isochronous case */ + kfree(iso_buffer); ++ iso_buffer = NULL; ++ + usbip_dbg_vhci_tx("send txdata\n"); + + total_size += txsize; +-- +2.20.1 + diff --git a/queue-4.19/vsock-virtio-fix-sock-refcnt-holding-during-the-shut.patch b/queue-4.19/vsock-virtio-fix-sock-refcnt-holding-during-the-shut.patch new file mode 100644 index 00000000000..e2ab3de6de1 --- /dev/null +++ b/queue-4.19/vsock-virtio-fix-sock-refcnt-holding-during-the-shut.patch 
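Review bot: The added comment `/* This is only for isochronous case */` in `vhci_send_cmd_submit()` does not say why `iso_buffer` is reset, which is the part that prevents the stale-pointer `kfree()` the description reports. I would word it as `/* iso_buffer is only allocated for isochronous URBs; clear it so a later non-iso URB does not kfree() a stale pointer */`. If `iso_buffer` is declared outside the loop (the declaration is not in the hunk), initialising it to NULL at the top of each iteration would make the invariant hold on every path, including any early exits. The loop and the function start and end outside the hunk.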
@@ -0,0 +1,53 @@ +From 8473245e0ac7e1d2b863e417cdc3aeae6b242112 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Nov 2019 17:08:50 +0100 +Subject: vsock/virtio: fix sock refcnt holding during the shutdown + +From: Stefano Garzarella + +[ Upstream commit ad8a7220355d39cddce8eac1cea9677333e8b821 ] + +The "42f5cda5eaf4" commit rightly set SOCK_DONE on peer shutdown, +but there is an issue if we receive the SHUTDOWN(RDWR) while the +virtio_transport_close_timeout() is scheduled. +In this case, when the timeout fires, the SOCK_DONE is already +set and the virtio_transport_close_timeout() will not call +virtio_transport_reset() and virtio_transport_do_close(). +This causes that both sockets remain open and will never be released, +preventing the unloading of [virtio|vhost]_transport modules. + +This patch fixes this issue, calling virtio_transport_reset() and +virtio_transport_do_close() when we receive the SHUTDOWN(RDWR) +and there is nothing left to read. + +Fixes: 42f5cda5eaf4 ("vsock/virtio: set SOCK_DONE on peer shutdown") +Cc: Stephen Barber +Signed-off-by: Stefano Garzarella +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + net/vmw_vsock/virtio_transport_common.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c +index 3c199f752fd3c..2a8651aa90c89 100644 +--- a/net/vmw_vsock/virtio_transport_common.c ++++ b/net/vmw_vsock/virtio_transport_common.c +@@ -871,9 +871,11 @@ virtio_transport_recv_connected(struct sock *sk, + if (le32_to_cpu(pkt->hdr.flags) & VIRTIO_VSOCK_SHUTDOWN_SEND) + vsk->peer_shutdown |= SEND_SHUTDOWN; + if (vsk->peer_shutdown == SHUTDOWN_MASK && +- vsock_stream_has_data(vsk) <= 0) { +- sock_set_flag(sk, SOCK_DONE); +- sk->sk_state = TCP_CLOSING; ++ vsock_stream_has_data(vsk) <= 0 && ++ !sock_flag(sk, SOCK_DONE)) { ++ (void)virtio_transport_reset(vsk, NULL); ++ ++ virtio_transport_do_close(vsk, true); + } + if (le32_to_cpu(pkt->hdr.flags)) + sk->sk_state_change(sk); +-- +2.20.1 +
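Review bot: The new `(void)virtio_transport_reset(vsk, NULL);` in `virtio_transport_recv_connected()` discards the result without saying why, and the close that follows runs regardless. If sending the reset is best-effort here, a comment such as `/* best effort: close locally even if the RST cannot be sent */` would make that explicit. The added `!sock_flag(sk, SOCK_DONE)` guard appears to rely on `virtio_transport_do_close()` setting `SOCK_DONE`, so that this path and the close timeout cannot both run the close and drop the reference twice. That function is not in the hunk, so the dependency deserves a line of comment as well. The function begins and ends outside the hunk.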