From: Sasha Levin
Date: Mon, 24 Aug 2020 01:33:38 +0000 (-0400)
Subject: Fixes for 5.4
X-Git-Tag: v4.4.234~36
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bc56f9ca1f6b84ebf2156f24aa7f6aab5a34ae07;p=thirdparty%2Fkernel%2Fstable-queue.git
Fixes for 5.4
Signed-off-by: Sasha Levin
---
diff --git a/queue-5.4/afs-fix-null-deref-in-afs_dynroot_depopulate.patch b/queue-5.4/afs-fix-null-deref-in-afs_dynroot_depopulate.patch
new file mode 100644
index 00000000000..b8a8b30bcfb
--- /dev/null
+++ b/queue-5.4/afs-fix-null-deref-in-afs_dynroot_depopulate.patch
@@ -0,0 +1,88 @@
+From b70518dbc896ec859f8ff0ee5fc14596fd9de0de Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 21 Aug 2020 10:15:12 +0100
+Subject: afs: Fix NULL deref in afs_dynroot_depopulate()
+
+From: David Howells
+
+[ Upstream commit 5e0b17b026eb7c6de9baa9b0d45a51b05f05abe1 ]
+
+If an error occurs during the construction of an afs superblock, it's
+possible that an error occurs after a superblock is created, but before
+we've created the root dentry. If the superblock has a dynamic root
+(ie. what's normally mounted on /afs), the afs_kill_super() will call
+afs_dynroot_depopulate() to unpin any created dentries - but this will
+oops if the root hasn't been created yet.
+
+Fix this by skipping that bit of code if there is no root dentry.
+
+This leads to an oops looking like:
+
+ general protection fault, ...
+ KASAN: null-ptr-deref in range [0x0000000000000068-0x000000000000006f]
+ ...
+ RIP: 0010:afs_dynroot_depopulate+0x25f/0x529 fs/afs/dynroot.c:385
+ ...
+ Call Trace:
+ afs_kill_super+0x13b/0x180 fs/afs/super.c:535
+ deactivate_locked_super+0x94/0x160 fs/super.c:335
+ afs_get_tree+0x1124/0x1460 fs/afs/super.c:598
+ vfs_get_tree+0x89/0x2f0 fs/super.c:1547
+ do_new_mount fs/namespace.c:2875 [inline]
+ path_mount+0x1387/0x2070 fs/namespace.c:3192
+ do_mount fs/namespace.c:3205 [inline]
+ __do_sys_mount fs/namespace.c:3413 [inline]
+ __se_sys_mount fs/namespace.c:3390 [inline]
+ __x64_sys_mount+0x27f/0x300 fs/namespace.c:3390
+ do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+which is oopsing on this line:
+
+ inode_lock(root->d_inode);
+
+presumably because sb->s_root was NULL.
+
+Fixes: 0da0b7fd73e4 ("afs: Display manually added cells in dynamic root mount")
+Reported-by: syzbot+c1eff8205244ae7e11a6@syzkaller.appspotmail.com
+Signed-off-by: David Howells
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ fs/afs/dynroot.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/fs/afs/dynroot.c b/fs/afs/dynroot.c
+index 7503899c0a1b5..f07e53ab808e3 100644
+--- a/fs/afs/dynroot.c
++++ b/fs/afs/dynroot.c
+@@ -289,15 +289,17 @@ void afs_dynroot_depopulate(struct super_block *sb)
+ net->dynroot_sb = NULL;
+ mutex_unlock(&net->proc_cells_lock);
+
+- inode_lock(root->d_inode);
+-
+- /* Remove all the pins for dirs created for manually added cells */
+- list_for_each_entry_safe(subdir, tmp, &root->d_subdirs, d_child) {
+- if (subdir->d_fsdata) {
+- subdir->d_fsdata = NULL;
+- dput(subdir);
++ if (root) {
++ inode_lock(root->d_inode);
++
++ /* Remove all the pins for dirs created for manually added cells */
++ list_for_each_entry_safe(subdir, tmp, &root->d_subdirs, d_child) {
++ if (subdir->d_fsdata) {
++ subdir->d_fsdata = NULL;
++ dput(subdir);
++ }
+ }
+- }
+
+- inode_unlock(root->d_inode);
++ inode_unlock(root->d_inode);
++ }
+ }
+--
+2.25.1
+
diff --git a/queue-5.4/arm64-vdso32-install-vdso32-from-vdso_install.patch b/queue-5.4/arm64-vdso32-install-vdso32-from-vdso_install.patch
new file mode 100644
index 00000000000..ff5108615a1
--- /dev/null
+++ b/queue-5.4/arm64-vdso32-install-vdso32-from-vdso_install.patch
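Review bot: The new `if (root)` guard in afs_dynroot_depopulate() has no comment saying when `root` can be NULL, so the reason lives only in the commit message. A one-line comment above the guard would keep it with the code, for example `/* sb->s_root is NULL if mount setup failed before the root dentry was created */`. The declaration and assignment of `root` are outside the hunk, so this assumes it is read from `sb->s_root`, as the commit message suggests.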
@@ -0,0 +1,53 @@
+From 6aa7548eb9256d2c2f604911685af018608e0e6c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 17 Aug 2020 18:49:50 -0700
+Subject: ARM64: vdso32: Install vdso32 from vdso_install
+
+From: Stephen Boyd
+
+[ Upstream commit 8d75785a814241587802655cc33e384230744f0c ]
+
+Add the 32-bit vdso Makefile to the vdso_install rule so that 'make
+vdso_install' installs the 32-bit compat vdso when it is compiled.
+
+Fixes: a7f71a2c8903 ("arm64: compat: Add vDSO")
+Signed-off-by: Stephen Boyd
+Reviewed-by: Vincenzo Frascino
+Acked-by: Will Deacon
+Cc: Vincenzo Frascino
+Link: https://lore.kernel.org/r/20200818014950.42492-1-swboyd@chromium.org
+Signed-off-by: Catalin Marinas
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/Makefile | 1 +
+ arch/arm64/kernel/vdso32/Makefile | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm64/Makefile b/arch/arm64/Makefile
+index d65aef47ece3b..11a7d6208087f 100644
+--- a/arch/arm64/Makefile
++++ b/arch/arm64/Makefile
+@@ -146,6 +146,7 @@ zinstall install:
+ PHONY += vdso_install
+ vdso_install:
+ $(Q)$(MAKE) $(build)=arch/arm64/kernel/vdso $@
++ $(Q)$(MAKE) $(build)=arch/arm64/kernel/vdso32 $@
+
+ # We use MRPROPER_FILES and CLEAN_FILES now
+ archclean:
+diff --git a/arch/arm64/kernel/vdso32/Makefile b/arch/arm64/kernel/vdso32/Makefile
+index 76b327f88fbb1..40dffe60b8454 100644
+--- a/arch/arm64/kernel/vdso32/Makefile
++++ b/arch/arm64/kernel/vdso32/Makefile
+@@ -190,7 +190,7 @@ quiet_cmd_vdsosym = VDSOSYM $@
+ cmd_vdsosym = $(NM) $< | $(gen-vdsosym) | LC_ALL=C sort > $@
+
+ # Install commands for the unstripped file
+-quiet_cmd_vdso_install = INSTALL $@
++quiet_cmd_vdso_install = INSTALL32 $@
+ cmd_vdso_install = cp $(obj)/$@.dbg $(MODLIB)/vdso/vdso32.so
+
+ vdso.so: $(obj)/vdso.so.dbg
+--
+2.25.1
+
diff --git a/queue-5.4/asoc-intel-fix-memleak-in-sst_media_open.patch b/queue-5.4/asoc-intel-fix-memleak-in-sst_media_open.patch
new file mode 100644
index 00000000000..cdbf34ba973
--- /dev/null
+++ b/queue-5.4/asoc-intel-fix-memleak-in-sst_media_open.patch
@@ -0,0 +1,50 @@
+From 210b5e78ef8bfce032fea472ac6b70f5875b66f4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 13 Aug 2020 16:41:10 +0800
+Subject: ASoC: intel: Fix memleak in sst_media_open
+
+From: Dinghao Liu
+
+[ Upstream commit 062fa09f44f4fb3776a23184d5d296b0c8872eb9 ]
+
+When power_up_sst() fails, stream needs to be freed
+just like when try_module_get() fails. However, current
+code is returning directly and ends up leaking memory.
+
+Fixes: 0121327c1a68b ("ASoC: Intel: mfld-pcm: add control for powering up/down dsp")
+Signed-off-by: Dinghao Liu
+Acked-by: Pierre-Louis Bossart
+Link: https://lore.kernel.org/r/20200813084112.26205-1-dinghao.liu@zju.edu.cn
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/intel/atom/sst-mfld-platform-pcm.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/intel/atom/sst-mfld-platform-pcm.c b/sound/soc/intel/atom/sst-mfld-platform-pcm.c
+index 8cc3cc363eb03..31f1dd6541aa1 100644
+--- a/sound/soc/intel/atom/sst-mfld-platform-pcm.c
++++ b/sound/soc/intel/atom/sst-mfld-platform-pcm.c
+@@ -331,7 +331,7 @@ static int sst_media_open(struct snd_pcm_substream *substream,
+
+ ret_val = power_up_sst(stream);
+ if (ret_val < 0)
+- return ret_val;
++ goto out_power_up;
+
+ /* Make sure, that the period size is always even */
+ snd_pcm_hw_constraint_step(substream->runtime, 0,
+@@ -340,8 +340,9 @@ static int sst_media_open(struct snd_pcm_substream *substream,
+ return snd_pcm_hw_constraint_integer(runtime,
+ SNDRV_PCM_HW_PARAM_PERIODS);
+ out_ops:
+- kfree(stream);
+ mutex_unlock(&sst_lock);
++out_power_up:
++ kfree(stream);
+ return ret_val;
+ }
+
+--
+2.25.1
+
diff --git a/queue-5.4/asoc-msm8916-wcd-analog-fix-register-interrupt-offse.patch b/queue-5.4/asoc-msm8916-wcd-analog-fix-register-interrupt-offse.patch
new file mode 100644
index 00000000000..0045d03c73e
--- /dev/null
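Review bot: The new `out_power_up` path frees `stream`, but nothing visible in the hunk releases the module reference that, per the commit message, try_module_get() takes earlier in sst_media_open(), so a failing power_up_sst() probably leaves that reference held. If `stream` was already stored in the runtime's private data before the call (not visible here), that pointer would also dangle after the kfree(). Consider a module_put() and clearing the stored pointer on this path. The label name is also misleading now that `out_ops` falls through into it; a name such as `out_free` would say what the label does. The function body starts outside the hunk.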
+++ b/queue-5.4/asoc-msm8916-wcd-analog-fix-register-interrupt-offse.patch
@@ -0,0 +1,42 @@
+From a931ff0a3d7819bf2c2a45d41e560f28861a3f07 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 11 Aug 2020 11:34:52 +0100
+Subject: ASoC: msm8916-wcd-analog: fix register Interrupt offset
+
+From: Srinivas Kandagatla
+
+[ Upstream commit ff69c97ef84c9f7795adb49e9f07c9adcdd0c288 ]
+
+For some reason interrupt set and clear register offsets are
+not set correctly.
+This patch corrects them!
+
+Fixes: 585e881e5b9e ("ASoC: codecs: Add msm8916-wcd analog codec")
+Signed-off-by: Srinivas Kandagatla
+Tested-by: Stephan Gerhold
+Reviewed-by: Stephan Gerhold
+Link: https://lore.kernel.org/r/20200811103452.20448-1-srinivas.kandagatla@linaro.org
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/codecs/msm8916-wcd-analog.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/codecs/msm8916-wcd-analog.c b/sound/soc/codecs/msm8916-wcd-analog.c
+index 84289ebeae872..337bddb7c2a49 100644
+--- a/sound/soc/codecs/msm8916-wcd-analog.c
++++ b/sound/soc/codecs/msm8916-wcd-analog.c
+@@ -19,8 +19,8 @@
+
+ #define CDC_D_REVISION1 (0xf000)
+ #define CDC_D_PERPH_SUBTYPE (0xf005)
+-#define CDC_D_INT_EN_SET (0x015)
+-#define CDC_D_INT_EN_CLR (0x016)
++#define CDC_D_INT_EN_SET (0xf015)
++#define CDC_D_INT_EN_CLR (0xf016)
+ #define MBHC_SWITCH_INT BIT(7)
+ #define MBHC_MIC_ELECTRICAL_INS_REM_DET BIT(6)
+ #define MBHC_BUTTON_PRESS_DET BIT(5)
+--
+2.25.1
+
diff --git a/queue-5.4/asoc-q6afe-dai-mark-all-widgets-registers-as-snd_soc.patch b/queue-5.4/asoc-q6afe-dai-mark-all-widgets-registers-as-snd_soc.patch
new file mode 100644
index 00000000000..2d60a6a83bc
--- /dev/null
+++ b/queue-5.4/asoc-q6afe-dai-mark-all-widgets-registers-as-snd_soc.patch
@@ -0,0 +1,349 @@
+From d1d0db36d99af3f3e038122dd83a0e50257e61da Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 11 Aug 2020 13:02:04 +0100
+Subject: ASoC: q6afe-dai: mark all widgets registers as SND_SOC_NOPM
+
+From: Srinivas Kandagatla
+
+[ Upstream commit 56235e4bc5ae58cb8fcd9314dba4e9ab077ddda8 ]
+
+Looks like the q6afe-dai dapm widget registers are set as "0",
+which is a not correct.
+
+As this registers will be read by ASoC core during startup
+which will throw up errors, Fix this by making the registers
+as SND_SOC_NOPM as these should be never used.
+
+With recent changes to ASoC core, every register read/write
+failures are reported very verbosely. Prior to this fails to reads
+are totally ignored, so we never saw any error messages.
+
+Fixes: 24c4cbcfac09 ("ASoC: qdsp6: q6afe: Add q6afe dai driver")
+Reported-by: John Stultz
+Signed-off-by: Srinivas Kandagatla
+Link: https://lore.kernel.org/r/20200811120205.21805-1-srinivas.kandagatla@linaro.org
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/qcom/qdsp6/q6afe-dai.c | 210 +++++++++++++++----------------
+ 1 file changed, 105 insertions(+), 105 deletions(-)
+
+diff --git a/sound/soc/qcom/qdsp6/q6afe-dai.c b/sound/soc/qcom/qdsp6/q6afe-dai.c
+index 2a5302f1db98a..0168af8492727 100644
+--- a/sound/soc/qcom/qdsp6/q6afe-dai.c
++++ b/sound/soc/qcom/qdsp6/q6afe-dai.c
+@@ -1150,206 +1150,206 @@ static int q6afe_of_xlate_dai_name(struct snd_soc_component *component,
+ }
+
+ static const struct snd_soc_dapm_widget q6afe_dai_widgets[] = {
+- SND_SOC_DAPM_AIF_IN("HDMI_RX", NULL, 0, 0, 0, 0),
+- SND_SOC_DAPM_AIF_IN("SLIMBUS_0_RX", NULL, 0, 0, 0, 0),
+- SND_SOC_DAPM_AIF_IN("SLIMBUS_1_RX", NULL, 0, 0, 0, 0),
+- SND_SOC_DAPM_AIF_IN("SLIMBUS_2_RX", NULL, 0, 0, 0, 0),
+- SND_SOC_DAPM_AIF_IN("SLIMBUS_3_RX", NULL, 0, 0, 0, 0),
+- SND_SOC_DAPM_AIF_IN("SLIMBUS_4_RX", NULL, 0, 0, 0, 0),
+- SND_SOC_DAPM_AIF_IN("SLIMBUS_5_RX", NULL, 0, 0, 0, 0),
+- SND_SOC_DAPM_AIF_IN("SLIMBUS_6_RX", NULL, 0, 0, 0, 0),
+- SND_SOC_DAPM_AIF_OUT("SLIMBUS_0_TX", NULL, 0, 0, 0, 0),
+- SND_SOC_DAPM_AIF_OUT("SLIMBUS_1_TX", NULL, 0, 0, 0, 0),
+- SND_SOC_DAPM_AIF_OUT("SLIMBUS_2_TX", NULL, 0, 0, 0, 0),
+- SND_SOC_DAPM_AIF_OUT("SLIMBUS_3_TX", NULL, 0, 0, 0, 0),
+- SND_SOC_DAPM_AIF_OUT("SLIMBUS_4_TX", NULL, 0, 0, 0, 0),
+- SND_SOC_DAPM_AIF_OUT("SLIMBUS_5_TX", NULL, 0, 0, 0, 0),
+- SND_SOC_DAPM_AIF_OUT("SLIMBUS_6_TX", NULL, 0, 0, 0, 0),
++ SND_SOC_DAPM_AIF_IN("HDMI_RX", NULL, 0, SND_SOC_NOPM, 0, 0),
++ SND_SOC_DAPM_AIF_IN("SLIMBUS_0_RX", NULL, 0, SND_SOC_NOPM, 0, 0),
++ SND_SOC_DAPM_AIF_IN("SLIMBUS_1_RX", NULL, 0, SND_SOC_NOPM, 0, 0),
++ SND_SOC_DAPM_AIF_IN("SLIMBUS_2_RX", NULL, 0, SND_SOC_NOPM, 0, 0),
++ SND_SOC_DAPM_AIF_IN("SLIMBUS_3_RX", NULL, 0, SND_SOC_NOPM, 0, 0),
++ SND_SOC_DAPM_AIF_IN("SLIMBUS_4_RX", NULL, 0, SND_SOC_NOPM, 0, 0),
++ SND_SOC_DAPM_AIF_IN("SLIMBUS_5_RX", NULL, 0, SND_SOC_NOPM, 0, 0),
++ SND_SOC_DAPM_AIF_IN("SLIMBUS_6_RX", NULL, 0, SND_SOC_NOPM, 0, 0),
++ SND_SOC_DAPM_AIF_OUT("SLIMBUS_0_TX", NULL, 0, SND_SOC_NOPM, 0, 0),
++ SND_SOC_DAPM_AIF_OUT("SLIMBUS_1_TX", NULL, 0, SND_SOC_NOPM, 0, 0),
++ SND_SOC_DAPM_AIF_OUT("SLIMBUS_2_TX", NULL, 0, SND_SOC_NOPM, 0, 0),
++ SND_SOC_DAPM_AIF_OUT("SLIMBUS_3_TX", NULL, 0, SND_SOC_NOPM, 0, 0),
++ SND_SOC_DAPM_AIF_OUT("SLIMBUS_4_TX", NULL, 0, SND_SOC_NOPM, 0, 0),
++ SND_SOC_DAPM_AIF_OUT("SLIMBUS_5_TX", NULL, 0, SND_SOC_NOPM, 0, 0),
++ SND_SOC_DAPM_AIF_OUT("SLIMBUS_6_TX", NULL, 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("QUAT_MI2S_RX", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("QUAT_MI2S_TX", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("TERT_MI2S_RX", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("TERT_MI2S_TX", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("SEC_MI2S_RX", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("SEC_MI2S_TX", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("SEC_MI2S_RX_SD1",
+ "Secondary MI2S Playback SD1",
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("PRI_MI2S_RX", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("PRI_MI2S_TX", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+
+ SND_SOC_DAPM_AIF_IN("PRIMARY_TDM_RX_0", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("PRIMARY_TDM_RX_1", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("PRIMARY_TDM_RX_2", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("PRIMARY_TDM_RX_3", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("PRIMARY_TDM_RX_4", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("PRIMARY_TDM_RX_5", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("PRIMARY_TDM_RX_6", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("PRIMARY_TDM_RX_7", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("PRIMARY_TDM_TX_0", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("PRIMARY_TDM_TX_1", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("PRIMARY_TDM_TX_2", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("PRIMARY_TDM_TX_3", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("PRIMARY_TDM_TX_4", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("PRIMARY_TDM_TX_5", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("PRIMARY_TDM_TX_6", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("PRIMARY_TDM_TX_7", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+
+ SND_SOC_DAPM_AIF_IN("SEC_TDM_RX_0", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("SEC_TDM_RX_1", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("SEC_TDM_RX_2", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("SEC_TDM_RX_3", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("SEC_TDM_RX_4", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("SEC_TDM_RX_5", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("SEC_TDM_RX_6", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("SEC_TDM_RX_7", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("SEC_TDM_TX_0", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("SEC_TDM_TX_1", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("SEC_TDM_TX_2", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("SEC_TDM_TX_3", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("SEC_TDM_TX_4", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("SEC_TDM_TX_5", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("SEC_TDM_TX_6", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("SEC_TDM_TX_7", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+
+ SND_SOC_DAPM_AIF_IN("TERT_TDM_RX_0", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("TERT_TDM_RX_1", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("TERT_TDM_RX_2", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("TERT_TDM_RX_3", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("TERT_TDM_RX_4", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("TERT_TDM_RX_5", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("TERT_TDM_RX_6", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("TERT_TDM_RX_7", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("TERT_TDM_TX_0", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("TERT_TDM_TX_1", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("TERT_TDM_TX_2", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("TERT_TDM_TX_3", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("TERT_TDM_TX_4", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("TERT_TDM_TX_5", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("TERT_TDM_TX_6", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("TERT_TDM_TX_7", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+
+ SND_SOC_DAPM_AIF_IN("QUAT_TDM_RX_0", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("QUAT_TDM_RX_1", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("QUAT_TDM_RX_2", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("QUAT_TDM_RX_3", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("QUAT_TDM_RX_4", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("QUAT_TDM_RX_5", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("QUAT_TDM_RX_6", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("QUAT_TDM_RX_7", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("QUAT_TDM_TX_0", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("QUAT_TDM_TX_1", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("QUAT_TDM_TX_2", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("QUAT_TDM_TX_3", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("QUAT_TDM_TX_4", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("QUAT_TDM_TX_5", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("QUAT_TDM_TX_6", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("QUAT_TDM_TX_7", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+
+ SND_SOC_DAPM_AIF_IN("QUIN_TDM_RX_0", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("QUIN_TDM_RX_1", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("QUIN_TDM_RX_2", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("QUIN_TDM_RX_3", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("QUIN_TDM_RX_4", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("QUIN_TDM_RX_5", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("QUIN_TDM_RX_6", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("QUIN_TDM_RX_7", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("QUIN_TDM_TX_0", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("QUIN_TDM_TX_1", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("QUIN_TDM_TX_2", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("QUIN_TDM_TX_3", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("QUIN_TDM_TX_4", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("QUIN_TDM_TX_5", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("QUIN_TDM_TX_6", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("QUIN_TDM_TX_7", NULL,
+- 0, 0, 0, 0),
+- SND_SOC_DAPM_AIF_OUT("DISPLAY_PORT_RX", "NULL", 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
++ SND_SOC_DAPM_AIF_OUT("DISPLAY_PORT_RX", "NULL", 0, SND_SOC_NOPM, 0, 0),
+ };
+
+ static const struct snd_soc_component_driver q6afe_dai_component = {
+--
+2.25.1
+
diff --git a/queue-5.4/asoc-q6routing-add-dummy-register-read-write-functio.patch b/queue-5.4/asoc-q6routing-add-dummy-register-read-write-functio.patch
new file mode 100644
index 00000000000..d605718b193
--- /dev/null
+++ b/queue-5.4/asoc-q6routing-add-dummy-register-read-write-functio.patch
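Review bot: The last widget, `SND_SOC_DAPM_AIF_OUT("DISPLAY_PORT_RX", "NULL", 0, SND_SOC_NOPM, 0, 0)`, passes the string literal `"NULL"` as the stream name where every other entry in q6afe_dai_widgets[] that has no stream passes the `NULL` pointer, and the commit carries that over unchanged. It is also the only `_RX` widget declared with `SND_SOC_DAPM_AIF_OUT` rather than `SND_SOC_DAPM_AIF_IN`. If neither is intentional the entry would read `SND_SOC_DAPM_AIF_IN("DISPLAY_PORT_RX", NULL, 0, SND_SOC_NOPM, 0, 0),`; this needs checking against the DAPM routes, which are outside the hunk.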
@@ -0,0 +1,68 @@
+From a85057d2ec76c54adcf11bdc1d962d552cf4127b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 11 Aug 2020 13:02:05 +0100
+Subject: ASoC: q6routing: add dummy register read/write function
+
+From: Srinivas Kandagatla
+
+[ Upstream commit 796a58fe2b8c9b6668db00d92512ec84be663027 ]
+
+Most of the DAPM widgets for DSP ASoC components reuse reg field
+of the widgets for its internal calculations, however these are not
+real registers. So read/writes to these numbers are not really
+valid. However ASoC core will read these registers to get default
+state during startup.
+
+With recent changes to ASoC core, every register read/write
+failures are reported very verbosely. Prior to this fails to reads
+are totally ignored, so we never saw any error messages.
+
+To fix this add dummy read/write function to return default value.
+
+Fixes: e3a33673e845 ("ASoC: qdsp6: q6routing: Add q6routing driver")
+Reported-by: John Stultz
+Signed-off-by: Srinivas Kandagatla
+Link: https://lore.kernel.org/r/20200811120205.21805-2-srinivas.kandagatla@linaro.org
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/qcom/qdsp6/q6routing.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/sound/soc/qcom/qdsp6/q6routing.c b/sound/soc/qcom/qdsp6/q6routing.c
+index ddcd9978cf57b..745cc9dd14f38 100644
+--- a/sound/soc/qcom/qdsp6/q6routing.c
++++ b/sound/soc/qcom/qdsp6/q6routing.c
+@@ -996,6 +996,20 @@ static int msm_routing_probe(struct snd_soc_component *c)
+ return 0;
+ }
+
++static unsigned int q6routing_reg_read(struct snd_soc_component *component,
++ unsigned int reg)
++{
++ /* default value */
++ return 0;
++}
++
++static int q6routing_reg_write(struct snd_soc_component *component,
++ unsigned int reg, unsigned int val)
++{
++ /* dummy */
++ return 0;
++}
++
+ static const struct snd_soc_component_driver msm_soc_routing_component = {
+ .ops = &q6pcm_routing_ops,
+ .probe = msm_routing_probe,
+@@ -1004,6 +1018,8 @@ static const struct snd_soc_component_driver msm_soc_routing_component = {
+ .num_dapm_widgets = ARRAY_SIZE(msm_qdsp6_widgets),
+ .dapm_routes = intercon,
+ .num_dapm_routes = ARRAY_SIZE(intercon),
++ .read = q6routing_reg_read,
++ .write = q6routing_reg_write,
+ };
+
+ static int q6pcm_routing_probe(struct platform_device *pdev)
+--
+2.25.1
+
diff --git a/queue-5.4/bonding-fix-a-potential-double-unregister.patch b/queue-5.4/bonding-fix-a-potential-double-unregister.patch
new file mode 100644
index 00000000000..b3773f395fd
--- /dev/null
+++ b/queue-5.4/bonding-fix-a-potential-double-unregister.patch
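Review bot: q6routing_reg_read() and q6routing_reg_write() accept any `reg` and report success, and their comments (`/* default value */`, `/* dummy */`) do not say why that is safe. A comment on the pair would keep the rationale from the commit message next to the code, for example `/* DAPM widget "reg" fields are internal bookkeeping, not hardware registers; give the ASoC core a harmless default */`.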
@@ -0,0 +1,48 @@
+From e7ba46f4914d3fc2e1ce31d8ca914bab918ad6e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 14 Aug 2020 20:05:58 -0700
+Subject: bonding: fix a potential double-unregister
+
+From: Cong Wang
+
+[ Upstream commit 832707021666411d04795c564a4adea5d6b94f17 ]
+
+When we tear down a network namespace, we unregister all
+the netdevices within it. So we may queue a slave device
+and a bonding device together in the same unregister queue.
+
+If the only slave device is non-ethernet, it would
+automatically unregister the bonding device as well. Thus,
+we may end up unregistering the bonding device twice.
+
+Workaround this special case by checking reg_state.
+
+Fixes: 9b5e383c11b0 ("net: Introduce unregister_netdevice_many()")
+Reported-by: syzbot+af23e7f3e0a7e10c8b67@syzkaller.appspotmail.com
+Cc: Eric Dumazet
+Cc: Andy Gospodarek
+Cc: Jay Vosburgh
+Signed-off-by: Cong Wang
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/bonding/bond_main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index 11c014586d466..ce829a7a92101 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -2037,7 +2037,8 @@ static int bond_release_and_destroy(struct net_device *bond_dev,
+ int ret;
+
+ ret = __bond_release_one(bond_dev, slave_dev, false, true);
+- if (ret == 0 && !bond_has_slaves(bond)) {
++ if (ret == 0 && !bond_has_slaves(bond) &&
++ bond_dev->reg_state != NETREG_UNREGISTERING) {
+ bond_dev->priv_flags |= IFF_DISABLE_NETPOLL;
+ netdev_info(bond_dev, "Destroying bond\n");
+ bond_remove_proc_entry(bond);
+--
+2.25.1
+
diff --git a/queue-5.4/bonding-fix-active-backup-failover-for-current-arp-s.patch b/queue-5.4/bonding-fix-active-backup-failover-for-current-arp-s.patch
new file mode 100644
index 00000000000..ed02ec43d59
--- /dev/null
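Review bot: The added `bond_dev->reg_state != NETREG_UNREGISTERING` condition in bond_release_and_destroy() has no comment, and without the commit message it is not clear why a bond with no slaves left should be skipped here. A comment above the `if` would help, for example `/* bond_dev may already be queued for unregistration (netns teardown); do not unregister it twice */`. The test excludes only `NETREG_UNREGISTERING`; whether other non-registered states can reach this point cannot be judged from the hunk. The function body continues outside the hunk.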
+++ b/queue-5.4/bonding-fix-active-backup-failover-for-current-arp-s.patch 
@@ -0,0 +1,90 @@
+From 8facc6fcb6e1094e2de3bf05821d46eb8bd11ccd Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 16 Aug 2020 20:52:44 +0200
+Subject: bonding: fix active-backup failover for current ARP slave
+
+From: Jiri Wiesner
+
+[ Upstream commit 0410d07190961ac526f05085765a8d04d926545b ]
+
+When the ARP monitor is used for link detection, ARP replies are
+validated for all slaves (arp_validate=3) and fail_over_mac is set to
+active, two slaves of an active-backup bond may get stuck in a state
+where both of them are active and pass packets that they receive to
+the bond. This state makes IPv6 duplicate address detection fail. The
+state is reached thus:
+1. The current active slave goes down because the ARP target
+ is not reachable.
+2. The current ARP slave is chosen and made active.
+3. A new slave is enslaved. This new slave becomes the current active
+ slave and can reach the ARP target.
+As a result, the current ARP slave stays active after the enslave
+action has finished and the log is littered with "PROBE BAD" messages:
+> bond0: PROBE: c_arp ens10 && cas ens11 BAD
+The workaround is to remove the slave with "going back" status from
+the bond and re-enslave it. This issue was encountered when DPDK PMD
+interfaces were being enslaved to an active-backup bond.
+
+I would be possible to fix the issue in bond_enslave() or
+bond_change_active_slave() but the ARP monitor was fixed instead to
+keep most of the actions changing the current ARP slave in the ARP
+monitor code. The current ARP slave is set as inactive and backup
+during the commit phase. A new state, BOND_LINK_FAIL, has been
+introduced for slaves in the context of the ARP monitor. This allows
+administrators to see how slaves are rotated for sending ARP requests
+and attempts are made to find a new active slave.
+
+Fixes: b2220cad583c9 ("bonding: refactor ARP active-backup monitor")
+Signed-off-by: Jiri Wiesner
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/bonding/bond_main.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index ce829a7a92101..0d7a173f8e61c 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -2778,6 +2778,9 @@ static int bond_ab_arp_inspect(struct bonding *bond)
+ if (bond_time_in_interval(bond, last_rx, 1)) {
+ bond_propose_link_state(slave, BOND_LINK_UP);
+ commit++;
++ } else if (slave->link == BOND_LINK_BACK) {
++ bond_propose_link_state(slave, BOND_LINK_FAIL);
++ commit++;
+ }
+ continue;
+ }
+@@ -2886,6 +2889,19 @@ static void bond_ab_arp_commit(struct bonding *bond)
+
+ continue;
+
++ case BOND_LINK_FAIL:
++ bond_set_slave_link_state(slave, BOND_LINK_FAIL,
++ BOND_SLAVE_NOTIFY_NOW);
++ bond_set_slave_inactive_flags(slave,
++ BOND_SLAVE_NOTIFY_NOW);
++
++ /* A slave has just been enslaved and has become
++ * the current active slave.
++ */
++ if (rtnl_dereference(bond->curr_active_slave))
++ RCU_INIT_POINTER(bond->current_arp_slave, NULL);
++ continue;
++
+ default:
+ slave_err(bond->dev, slave->dev,
+ "impossible: link_new_state %d on slave\n",
+@@ -2936,8 +2952,6 @@ static bool bond_ab_arp_probe(struct bonding *bond)
+ return should_notify_rtnl;
+ }
+
+- bond_set_slave_inactive_flags(curr_arp_slave, BOND_SLAVE_NOTIFY_LATER);
+-
+ bond_for_each_slave_rcu(bond, slave, iter) {
+ if (!found && !before && bond_slave_is_up(slave))
+ before = slave;
+--
+2.25.1
+
diff --git a/queue-5.4/bonding-show-saner-speed-for-broadcast-mode.patch b/queue-5.4/bonding-show-saner-speed-for-broadcast-mode.patch
new file mode 100644
index 00000000000..0ff77c617a7
--- /dev/null
+++ b/queue-5.4/bonding-show-saner-speed-for-broadcast-mode.patch
@@ -0,0 +1,79 @@
+From 40c4ba6b9f269c1dd89858593928a4126620ced5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 13 Aug 2020 10:09:00 -0400
+Subject: bonding: show saner speed for broadcast mode
+
+From: Jarod Wilson
+
+[ Upstream commit 4ca0d9ac3fd8f9f90b72a15d8da2aca3ffb58418 ]
+
+Broadcast mode bonds transmit a copy of all traffic simultaneously out of
+all interfaces, so the "speed" of the bond isn't really the aggregate of
+all interfaces, but rather, the speed of the slowest active interface.
+
+Also, the type of the speed field is u32, not unsigned long, so adjust
+that accordingly, as required to make min() function here without
+complaining about mismatching types.
+
+Fixes: bb5b052f751b ("bond: add support to read speed and duplex via ethtool")
+CC: Jay Vosburgh
+CC: Veaceslav Falico
+CC: Andy Gospodarek
+CC: "David S. Miller"
+CC: netdev@vger.kernel.org
+Acked-by: Jay Vosburgh
+Signed-off-by: Jarod Wilson
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/bonding/bond_main.c | 21 ++++++++++++++++++---
+ 1 file changed, 18 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index 499845c32b1bc..11c014586d466 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -4246,13 +4246,23 @@ static netdev_tx_t bond_start_xmit(struct sk_buff *skb, struct net_device *dev)
+ return ret;
+ }
+
++static u32 bond_mode_bcast_speed(struct slave *slave, u32 speed)
++{
++ if (speed == 0 || speed == SPEED_UNKNOWN)
++ speed = slave->speed;
++ else
++ speed = min(speed, slave->speed);
++
++ return speed;
++}
++
+ static int bond_ethtool_get_link_ksettings(struct net_device *bond_dev,
+ struct ethtool_link_ksettings *cmd)
+ {
+ struct bonding *bond = netdev_priv(bond_dev);
+- unsigned long speed = 0;
+ struct list_head *iter;
+ struct slave *slave;
++ u32 speed = 0;
+
+ cmd->base.duplex = DUPLEX_UNKNOWN;
+ cmd->base.port = PORT_OTHER;
+@@ -4264,8 +4274,13 @@ static int bond_ethtool_get_link_ksettings(struct net_device *bond_dev,
+ */
+ bond_for_each_slave(bond, slave, iter) {
+ if (bond_slave_can_tx(slave)) {
+- if (slave->speed != SPEED_UNKNOWN)
+- speed += slave->speed;
++ if (slave->speed != SPEED_UNKNOWN) {
++ if (BOND_MODE(bond) == BOND_MODE_BROADCAST)
++ speed = bond_mode_bcast_speed(slave,
++ speed);
++ else
++ speed += slave->speed;
++ }
+ if (cmd->base.duplex == DUPLEX_UNKNOWN &&
+ slave->duplex != DUPLEX_UNKNOWN)
+ cmd->base.duplex = slave->duplex;
+--
+2.25.1
+
diff --git a/queue-5.4/bpf-sock_ops-sk-access-may-stomp-registers-when-dst_.patch b/queue-5.4/bpf-sock_ops-sk-access-may-stomp-registers-when-dst_.patch
new file mode 100644
index 00000000000..37ac79e15a2
--- /dev/null
+++ b/queue-5.4/bpf-sock_ops-sk-access-may-stomp-registers-when-dst_.patch
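Review bot: In bond_mode_bcast_speed() the `speed == SPEED_UNKNOWN` test looks unreachable, because the visible caller starts from `u32 speed = 0` and only folds in `slave->speed` after checking `slave->speed != SPEED_UNKNOWN`. The helper also uses 0 as the "no slave counted yet" sentinel, so a slave that reports a speed of 0 would make the next slave's speed replace the running minimum instead of being compared with it. A comment on the helper stating that, such as `/* speed == 0: no transmitting slave counted yet */`, or a separate first-slave flag, would make the intent explicit. bond_ethtool_get_link_ksettings() continues outside the hunk.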
@@ -0,0 +1,124 @@ +From ffb7a4171351a1c43c71084d7c830d1ca21b8eba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Aug 2020 15:04:56 -0700 +Subject: bpf: sock_ops sk access may stomp registers when dst_reg = src_reg + +From: John Fastabend + +[ Upstream commit 84f44df664e9f0e261157e16ee1acd77cc1bb78d ] + +Similar to patch ("bpf: sock_ops ctx access may stomp registers") if the +src_reg = dst_reg when reading the sk field of a sock_ops struct we +generate xlated code, + + 53: (61) r9 = *(u32 *)(r9 +28) + 54: (15) if r9 == 0x0 goto pc+3 + 56: (79) r9 = *(u64 *)(r9 +0) + +This stomps on the r9 reg to do the sk_fullsock check and then when +reading the skops->sk field instead of the sk pointer we get the +sk_fullsock. To fix use similar pattern noted in the previous fix +and use the temp field to save/restore a register used to do +sk_fullsock check. + +After the fix the generated xlated code reads, + + 52: (7b) *(u64 *)(r9 +32) = r8 + 53: (61) r8 = *(u32 *)(r9 +28) + 54: (15) if r9 == 0x0 goto pc+3 + 55: (79) r8 = *(u64 *)(r9 +32) + 56: (79) r9 = *(u64 *)(r9 +0) + 57: (05) goto pc+1 + 58: (79) r8 = *(u64 *)(r9 +32) + +Here r9 register was in-use so r8 is chosen as the temporary register. +In line 52 r8 is saved in temp variable and at line 54 restored in case +fullsock != 0. Finally we handle fullsock == 0 case by restoring at +line 58. + +This adds a new macro SOCK_OPS_GET_SK it is almost possible to merge +this with SOCK_OPS_GET_FIELD, but I found the extra branch logic a +bit more confusing than just adding a new macro despite a bit of +duplicating code. 
+ +Fixes: 1314ef561102e ("bpf: export bpf_sock for BPF_PROG_TYPE_SOCK_OPS prog type") +Signed-off-by: John Fastabend +Signed-off-by: Daniel Borkmann +Acked-by: Song Liu +Acked-by: Martin KaFai Lau +Link: https://lore.kernel.org/bpf/159718349653.4728.6559437186853473612.stgit@john-Precision-5820-Tower +Signed-off-by: Sasha Levin +--- + net/core/filter.c | 49 ++++++++++++++++++++++++++++++++++++----------- + 1 file changed, 38 insertions(+), 11 deletions(-) + +diff --git a/net/core/filter.c b/net/core/filter.c +index bd1e46d61d8a1..5c490d473df1d 100644 +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -8010,6 +8010,43 @@ static u32 sock_ops_convert_ctx_access(enum bpf_access_type type, + offsetof(OBJ, OBJ_FIELD)); \ + } while (0) + ++#define SOCK_OPS_GET_SK() \ ++ do { \ ++ int fullsock_reg = si->dst_reg, reg = BPF_REG_9, jmp = 1; \ ++ if (si->dst_reg == reg || si->src_reg == reg) \ ++ reg--; \ ++ if (si->dst_reg == reg || si->src_reg == reg) \ ++ reg--; \ ++ if (si->dst_reg == si->src_reg) { \ ++ *insn++ = BPF_STX_MEM(BPF_DW, si->src_reg, reg, \ ++ offsetof(struct bpf_sock_ops_kern, \ ++ temp)); \ ++ fullsock_reg = reg; \ ++ jmp += 2; \ ++ } \ ++ *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF( \ ++ struct bpf_sock_ops_kern, \ ++ is_fullsock), \ ++ fullsock_reg, si->src_reg, \ ++ offsetof(struct bpf_sock_ops_kern, \ ++ is_fullsock)); \ ++ *insn++ = BPF_JMP_IMM(BPF_JEQ, fullsock_reg, 0, jmp); \ ++ if (si->dst_reg == si->src_reg) \ ++ *insn++ = BPF_LDX_MEM(BPF_DW, reg, si->src_reg, \ ++ offsetof(struct bpf_sock_ops_kern, \ ++ temp)); \ ++ *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF( \ ++ struct bpf_sock_ops_kern, sk),\ ++ si->dst_reg, si->src_reg, \ ++ offsetof(struct bpf_sock_ops_kern, sk));\ ++ if (si->dst_reg == si->src_reg) { \ ++ *insn++ = BPF_JMP_A(1); \ ++ *insn++ = BPF_LDX_MEM(BPF_DW, reg, si->src_reg, \ ++ offsetof(struct bpf_sock_ops_kern, \ ++ temp)); \ ++ } \ ++ } while (0) ++ + #define SOCK_OPS_GET_TCP_SOCK_FIELD(FIELD) \ + SOCK_OPS_GET_FIELD(FIELD, FIELD, struct 
tcp_sock) + +@@ -8294,17 +8331,7 @@ static u32 sock_ops_convert_ctx_access(enum bpf_access_type type, + SOCK_OPS_GET_TCP_SOCK_FIELD(bytes_acked); + break; + case offsetof(struct bpf_sock_ops, sk): +- *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF( +- struct bpf_sock_ops_kern, +- is_fullsock), +- si->dst_reg, si->src_reg, +- offsetof(struct bpf_sock_ops_kern, +- is_fullsock)); +- *insn++ = BPF_JMP_IMM(BPF_JEQ, si->dst_reg, 0, 1); +- *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF( +- struct bpf_sock_ops_kern, sk), +- si->dst_reg, si->src_reg, +- offsetof(struct bpf_sock_ops_kern, sk)); ++ SOCK_OPS_GET_SK(); + break; + } + return insn - insn_buf; +-- +2.25.1 + diff --git a/queue-5.4/can-j1939-abort-multipacket-broadcast-session-when-t.patch b/queue-5.4/can-j1939-abort-multipacket-broadcast-session-when-t.patch new file mode 100644 index 00000000000..f4406c4a046 --- /dev/null +++ b/queue-5.4/can-j1939-abort-multipacket-broadcast-session-when-t.patch 
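Review bot: `SOCK_OPS_GET_SK()` has no comment, and its correctness rests on two things a reader has to reconstruct: the scratch register is spilled to `bpf_sock_ops_kern.temp` and must be reloaded on both the fullsock and the non-fullsock path, and `jmp` is raised by 2 so the branch skips the extra restore and the `BPF_JMP_A(1)`. A short block comment above the macro describing the `dst_reg == src_reg` sequence and the meaning of `jmp` would make later edits safer. In that case the macro emits seven instructions where the removed code emitted three; the size of `insn_buf` is not visible in this hunk, so it is worth confirming the buffer still has room. The macro sits inside `sock_ops_convert_ctx_access()`, whose body starts outside the hunk.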
@@ -0,0 +1,51 @@
+From 28e22a5d5313a2faa496a27c73f4e7fc2bdc4941 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 5 Aug 2020 11:50:24 +0800
+Subject: can: j1939: abort multipacket broadcast session when timeout occurs
+
+From: Zhang Changzhong
+
+[ Upstream commit 2b8b2e31555cf55ba3680fb28e2b382e168d7ea1 ]
+
+If timeout occurs, j1939_tp_rxtimer() first calls hrtimer_start() to restart
+rxtimer, and then calls __j1939_session_cancel() to set session->state =
+J1939_SESSION_WAITING_ABORT. At next timeout expiration, because of the
+J1939_SESSION_WAITING_ABORT session state j1939_tp_rxtimer() will call
+j1939_session_deactivate_activate_next() to deactivate current session, and
+rxtimer won't be set.
+
+But for multipacket broadcast session, __j1939_session_cancel() don't set
+session->state = J1939_SESSION_WAITING_ABORT, thus current session won't be
+deactivate and hrtimer_start() is called to start new rxtimer again and again.
+
+So fix it by moving session->state = J1939_SESSION_WAITING_ABORT out of if
+(!j1939_cb_is_broadcast(&session->skcb)) statement.
+
+Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
+Signed-off-by: Zhang Changzhong
+Link: https://lore.kernel.org/r/1596599425-5534-4-git-send-email-zhangchangzhong@huawei.com
+Acked-by: Oleksij Rempel
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Sasha Levin
+---
+ net/can/j1939/transport.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/can/j1939/transport.c b/net/can/j1939/transport.c
+index d1a9adde677b0..e3167619b196f 100644
+--- a/net/can/j1939/transport.c
++++ b/net/can/j1939/transport.c
+@@ -1074,9 +1074,9 @@ static void __j1939_session_cancel(struct j1939_session *session,
+ lockdep_assert_held(&session->priv->active_session_list_lock);
+
+ session->err = j1939_xtp_abort_to_errno(priv, err);
++ session->state = J1939_SESSION_WAITING_ABORT;
+ /* do not send aborts on incoming broadcasts */
+ if (!j1939_cb_is_broadcast(&session->skcb)) {
+- session->state = J1939_SESSION_WAITING_ABORT;
+ j1939_xtp_tx_abort(priv, &session->skcb,
+ !session->transmission,
+ err, session->skcb.addr.pgn);
+--
+2.25.1
+
diff --git a/queue-5.4/can-j1939-add-rxtimer-for-multipacket-broadcast-sess.patch b/queue-5.4/can-j1939-add-rxtimer-for-multipacket-broadcast-sess.patch
new file mode 100644
index 00000000000..03fd0c1f8a3
--- /dev/null
+++ b/queue-5.4/can-j1939-add-rxtimer-for-multipacket-broadcast-sess.patch
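Review bot: Nothing in `__j1939_session_cancel()` says why a broadcast session now enters `J1939_SESSION_WAITING_ABORT` although no abort frame is sent for it, and the existing comment `/* do not send aborts on incoming broadcasts */` sits between the moved assignment and the branch. A one-line comment on the assignment, for example `/* set for broadcasts too, so the next rxtimer expiry deactivates the session */`, would record the reason the commit message gives. The function starts and ends outside the hunk.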
@@ -0,0 +1,99 @@ +From 1ad44c62fae16810c767e7ec4ed563b93fde7f9a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Aug 2020 11:50:25 +0800 +Subject: can: j1939: add rxtimer for multipacket broadcast session + +From: Zhang Changzhong + +[ Upstream commit 0ae18a82686f9b9965a8ce0dd81371871b306ffe ] + +According to SAE J1939/21 (Chapter 5.12.3 and APPENDIX C), for transmit side +the required time interval between packets of a multipacket broadcast message +is 50 to 200 ms, the responder shall use a timeout of 250ms (provides margin +allowing for the maximumm spacing of 200ms). For receive side a timeout will +occur when a time of greater than 750 ms elapsed between two message packets +when more packets were expected. + +So this patch fix and add rxtimer for multipacket broadcast session. + +Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol") +Signed-off-by: Zhang Changzhong +Link: https://lore.kernel.org/r/1596599425-5534-5-git-send-email-zhangchangzhong@huawei.com +Acked-by: Oleksij Rempel +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + net/can/j1939/transport.c | 28 ++++++++++++++++++++-------- + 1 file changed, 20 insertions(+), 8 deletions(-) + +diff --git a/net/can/j1939/transport.c b/net/can/j1939/transport.c +index e3167619b196f..dbd215cbc53d8 100644 +--- a/net/can/j1939/transport.c ++++ b/net/can/j1939/transport.c +@@ -723,10 +723,12 @@ static int j1939_session_tx_rts(struct j1939_session *session) + return ret; + + session->last_txcmd = dat[0]; +- if (dat[0] == J1939_TP_CMD_BAM) ++ if (dat[0] == J1939_TP_CMD_BAM) { + j1939_tp_schedule_txtimer(session, 50); +- +- j1939_tp_set_rxtimeout(session, 1250); ++ j1939_tp_set_rxtimeout(session, 250); ++ } else { ++ j1939_tp_set_rxtimeout(session, 1250); ++ } + + netdev_dbg(session->priv->ndev, "%s: 0x%p\n", __func__, session); + +@@ -1687,11 +1689,15 @@ static void j1939_xtp_rx_rts(struct j1939_priv *priv, struct sk_buff *skb, + } + session->last_cmd = cmd; + +- 
j1939_tp_set_rxtimeout(session, 1250); +- +- if (cmd != J1939_TP_CMD_BAM && !session->transmission) { +- j1939_session_txtimer_cancel(session); +- j1939_tp_schedule_txtimer(session, 0); ++ if (cmd == J1939_TP_CMD_BAM) { ++ if (!session->transmission) ++ j1939_tp_set_rxtimeout(session, 750); ++ } else { ++ if (!session->transmission) { ++ j1939_session_txtimer_cancel(session); ++ j1939_tp_schedule_txtimer(session, 0); ++ } ++ j1939_tp_set_rxtimeout(session, 1250); + } + + j1939_session_put(session); +@@ -1742,6 +1748,7 @@ static void j1939_xtp_rx_dat_one(struct j1939_session *session, + int offset; + int nbytes; + bool final = false; ++ bool remain = false; + bool do_cts_eoma = false; + int packet; + +@@ -1804,6 +1811,8 @@ static void j1939_xtp_rx_dat_one(struct j1939_session *session, + j1939_cb_is_broadcast(&session->skcb)) { + if (session->pkt.rx >= session->pkt.total) + final = true; ++ else ++ remain = true; + } else { + /* never final, an EOMA must follow */ + if (session->pkt.rx >= session->pkt.last) +@@ -1813,6 +1822,9 @@ static void j1939_xtp_rx_dat_one(struct j1939_session *session, + if (final) { + j1939_session_timers_cancel(session); + j1939_session_completed(session); ++ } else if (remain) { ++ if (!session->transmission) ++ j1939_tp_set_rxtimeout(session, 750); + } else if (do_cts_eoma) { + j1939_tp_set_rxtimeout(session, 1250); + if (!session->transmission) +-- +2.25.1 + diff --git a/queue-5.4/can-j1939-cancel-rxtimer-on-multipacket-broadcast-se.patch b/queue-5.4/can-j1939-cancel-rxtimer-on-multipacket-broadcast-se.patch new file mode 100644 index 00000000000..033cd19936d --- /dev/null +++ b/queue-5.4/can-j1939-cancel-rxtimer-on-multipacket-broadcast-se.patch 
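Review bot: The timeouts 50, 250, 750 and 1250 are bare literals spread over `j1939_session_tx_rts()`, `j1939_xtp_rx_rts()` and `j1939_xtp_rx_dat_one()`, and the 750 ms receive timeout is written twice. One named constant per timeout would keep the sender and receiver values from drifting apart, with the source stated once in a comment such as `/* BAM: 250 ms sender timeout, 750 ms receiver timeout between packets (SAE J1939/21, 5.12.3 and Appendix C) */`. All three functions continue outside their hunks.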
@@ -0,0 +1,37 @@
+From 027acd9def4c4438a90c174ca479bf80d71c9e57 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 5 Aug 2020 11:50:23 +0800
+Subject: can: j1939: cancel rxtimer on multipacket broadcast session complete
+
+From: Zhang Changzhong
+
+[ Upstream commit e8b17653088f28a87c81845fa41a2d295a3b458c ]
+
+If j1939_xtp_rx_dat_one() receive last frame of multipacket broadcast message,
+j1939_session_timers_cancel() should be called to cancel rxtimer.
+
+Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
+Signed-off-by: Zhang Changzhong
+Link: https://lore.kernel.org/r/1596599425-5534-3-git-send-email-zhangchangzhong@huawei.com
+Acked-by: Oleksij Rempel
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Sasha Levin
+---
+ net/can/j1939/transport.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/can/j1939/transport.c b/net/can/j1939/transport.c
+index 67189b4c482c5..d1a9adde677b0 100644
+--- a/net/can/j1939/transport.c
++++ b/net/can/j1939/transport.c
+@@ -1811,6 +1811,7 @@ static void j1939_xtp_rx_dat_one(struct j1939_session *session,
+ }
+
+ if (final) {
++ j1939_session_timers_cancel(session);
+ j1939_session_completed(session);
+ } else if (do_cts_eoma) {
+ j1939_tp_set_rxtimeout(session, 1250);
+--
+2.25.1
+
diff --git a/queue-5.4/can-j1939-fix-kernel-infoleak-in-j1939_sk_sock2socka.patch b/queue-5.4/can-j1939-fix-kernel-infoleak-in-j1939_sk_sock2socka.patch
new file mode 100644
index 00000000000..c9020c7e3d0
--- /dev/null
+++ b/queue-5.4/can-j1939-fix-kernel-infoleak-in-j1939_sk_sock2socka.patch
@@ -0,0 +1,85 @@
+From 94450e7c92f567801c4d2a3e8d6615a1fc95fb79 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 13 Aug 2020 09:18:34 -0700
+Subject: can: j1939: fix kernel-infoleak in j1939_sk_sock2sockaddr_can()
+
+From: Eric Dumazet
+
+[ Upstream commit 38ba8b9241f5848a49b80fddac9ab5f4692e434e ]
+
+syzbot found that at least 2 bytes of kernel information
+were leaked during getsockname() on AF_CAN CAN_J1939 socket.
+
+Since struct sockaddr_can has in fact two holes, simply
+clear the whole area before filling it with useful data.
+
+BUG: KMSAN: kernel-infoleak in kmsan_copy_to_user+0x81/0x90 mm/kmsan/kmsan_hooks.c:253
+CPU: 0 PID: 8466 Comm: syz-executor511 Not tainted 5.8.0-rc5-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x21c/0x280 lib/dump_stack.c:118
+ kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:121
+ kmsan_internal_check_memory+0x238/0x3d0 mm/kmsan/kmsan.c:423
+ kmsan_copy_to_user+0x81/0x90 mm/kmsan/kmsan_hooks.c:253
+ instrument_copy_to_user include/linux/instrumented.h:91 [inline]
+ _copy_to_user+0x18e/0x260 lib/usercopy.c:39
+ copy_to_user include/linux/uaccess.h:186 [inline]
+ move_addr_to_user+0x3de/0x670 net/socket.c:237
+ __sys_getsockname+0x407/0x5e0 net/socket.c:1909
+ __do_sys_getsockname net/socket.c:1920 [inline]
+ __se_sys_getsockname+0x91/0xb0 net/socket.c:1917
+ __x64_sys_getsockname+0x4a/0x70 net/socket.c:1917
+ do_syscall_64+0xad/0x160 arch/x86/entry/common.c:386
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+RIP: 0033:0x440219
+Code: Bad RIP value.
+RSP: 002b:00007ffe5ee150c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000033
+RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440219
+RDX: 0000000020000240 RSI: 0000000020000100 RDI: 0000000000000003
+RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a20
+R13: 0000000000401ab0 R14: 0000000000000000 R15: 0000000000000000
+
+Local variable ----address@__sys_getsockname created at:
+ __sys_getsockname+0x91/0x5e0 net/socket.c:1894
+ __sys_getsockname+0x91/0x5e0 net/socket.c:1894
+
+Bytes 2-3 of 24 are uninitialized
+Memory access of size 24 starts at ffff8880ba2c7de8
+Data copied to user address 0000000020000100
+
+Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
+Signed-off-by: Eric Dumazet
+Reported-by: syzbot
+Cc: Robin van der Gracht
+Cc: Oleksij Rempel
+Cc: Pengutronix Kernel Team
+Cc: linux-can@vger.kernel.org
+Acked-by: Oleksij Rempel
+Link: https://lore.kernel.org/r/20200813161834.4021638-1-edumazet@google.com
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Sasha Levin
+---
+ net/can/j1939/socket.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/can/j1939/socket.c b/net/can/j1939/socket.c
+index 11d566c70a944..1b7dc1a8547f3 100644
+--- a/net/can/j1939/socket.c
++++ b/net/can/j1939/socket.c
+@@ -561,6 +561,11 @@ static int j1939_sk_connect(struct socket *sock, struct sockaddr *uaddr,
+ static void j1939_sk_sock2sockaddr_can(struct sockaddr_can *addr,
+ const struct j1939_sock *jsk, int peer)
+ {
++ /* There are two holes (2 bytes and 3 bytes) to clear to avoid
++ * leaking kernel information to user space.
++ */
++ memset(addr, 0, J1939_MIN_NAMELEN);
++
+ addr->can_family = AF_CAN;
+ addr->can_ifindex = jsk->ifindex;
+ addr->can_addr.j1939.pgn = jsk->addr.pgn;
+--
+2.25.1
+
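Review bot: The `memset()` in `j1939_sk_sock2sockaddr_can()` clears `J1939_MIN_NAMELEN` bytes, so the fix holds only while every caller copies exactly that many bytes to user space. The KMSAN report in the commit message shows a 24-byte copy, but the callers and the address length they report are outside this hunk. I would extend the new comment with the invariant, e.g. `* Callers must not report more than J1939_MIN_NAMELEN bytes as the address length.`, so that a later change to the reported length does not bring back uninitialized bytes in the tail. The function body continues past the hunk.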
diff --git a/queue-5.4/can-j1939-fix-support-for-multipacket-broadcast-mess.patch b/queue-5.4/can-j1939-fix-support-for-multipacket-broadcast-mess.patch new file mode 100644 index 00000000000..7f0570419c6 --- /dev/null +++ b/queue-5.4/can-j1939-fix-support-for-multipacket-broadcast-mess.patch 
@@ -0,0 +1,81 @@ +From 14a0fcbf74c89dc134aa2c9c88fc328268f6d91a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Aug 2020 11:50:22 +0800 +Subject: can: j1939: fix support for multipacket broadcast message + +From: Zhang Changzhong + +[ Upstream commit f4fd77fd87e9b214c26bb2ebd4f90055eaea5ade ] + +Currently j1939_tp_im_involved_anydir() in j1939_tp_recv() check the previously +set flags J1939_ECU_LOCAL_DST and J1939_ECU_LOCAL_SRC of incoming skb, thus +multipacket broadcast message was aborted by receive side because it may come +from remote ECUs and have no exact dst address. Similarly, j1939_tp_cmd_recv() +and j1939_xtp_rx_dat() didn't process broadcast message. + +So fix it by checking and process broadcast message in j1939_tp_recv(), +j1939_tp_cmd_recv() and j1939_xtp_rx_dat(). + +Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol") +Signed-off-by: Zhang Changzhong +Link: https://lore.kernel.org/r/1596599425-5534-2-git-send-email-zhangchangzhong@huawei.com +Acked-by: Oleksij Rempel +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + net/can/j1939/transport.c | 17 ++++++++++++++--- + 1 file changed, 14 insertions(+), 3 deletions(-) + +diff --git a/net/can/j1939/transport.c b/net/can/j1939/transport.c +index 90a2baac8a4aa..67189b4c482c5 100644 +--- a/net/can/j1939/transport.c ++++ b/net/can/j1939/transport.c +@@ -1673,8 +1673,12 @@ static void j1939_xtp_rx_rts(struct j1939_priv *priv, struct sk_buff *skb, + return; + } + session = j1939_xtp_rx_rts_session_new(priv, skb); +- if (!session) ++ if (!session) { ++ if (cmd == J1939_TP_CMD_BAM && j1939_sk_recv_match(priv, skcb)) ++ netdev_info(priv->ndev, "%s: failed to create TP BAM session\n", ++ __func__); + return; ++ } + } else { + if (j1939_xtp_rx_rts_session_active(session, skb)) { + j1939_session_put(session); +@@ -1852,6 +1856,13 @@ static void j1939_xtp_rx_dat(struct j1939_priv *priv, struct sk_buff *skb) + else + j1939_xtp_rx_dat_one(session, skb); + } ++ ++ if 
(j1939_cb_is_broadcast(skcb)) { ++ session = j1939_session_get_by_addr(priv, &skcb->addr, false, ++ false); ++ if (session) ++ j1939_xtp_rx_dat_one(session, skb); ++ } + } + + /* j1939 main intf */ +@@ -1943,7 +1954,7 @@ static void j1939_tp_cmd_recv(struct j1939_priv *priv, struct sk_buff *skb) + if (j1939_tp_im_transmitter(skcb)) + j1939_xtp_rx_rts(priv, skb, true); + +- if (j1939_tp_im_receiver(skcb)) ++ if (j1939_tp_im_receiver(skcb) || j1939_cb_is_broadcast(skcb)) + j1939_xtp_rx_rts(priv, skb, false); + + break; +@@ -2007,7 +2018,7 @@ int j1939_tp_recv(struct j1939_priv *priv, struct sk_buff *skb) + { + struct j1939_sk_buff_cb *skcb = j1939_skb_to_cb(skb); + +- if (!j1939_tp_im_involved_anydir(skcb)) ++ if (!j1939_tp_im_involved_anydir(skcb) && !j1939_cb_is_broadcast(skcb)) + return 0; + + switch (skcb->addr.pgn) { +-- +2.25.1 + diff --git a/queue-5.4/can-j1939-transport-add-j1939_session_skb_find_by_of.patch b/queue-5.4/can-j1939-transport-add-j1939_session_skb_find_by_of.patch new file mode 100644 index 00000000000..4856d4a9fee --- /dev/null +++ b/queue-5.4/can-j1939-transport-add-j1939_session_skb_find_by_of.patch 
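Review bot: The `netdev_info()` added to `j1939_xtp_rx_rts()` sits on the receive path and prints once for every BAM whose session could not be created, so traffic arriving from the bus controls how fast the kernel log fills. A rate-limited or once-only print is the usual choice for a message that received frames can trigger; `net_info_ratelimited("%s: failed to create TP BAM session\n", __func__);` keeps the text but drops the device prefix, so the maintainers may prefer a different helper. Why `j1939_xtp_rx_rts_session_new()` returns NULL is not visible in the hunk, so how often this fires in practice is an open question. The function starts and ends outside the hunk.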
@@ -0,0 +1,91 @@ +From b75fddf482cc41af6df251cb19bc390918c05833 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Aug 2020 12:51:59 +0200 +Subject: can: j1939: transport: add j1939_session_skb_find_by_offset() + function + +From: Oleksij Rempel + +[ Upstream commit 840835c9281215341d84966a8855f267a971e6a3 ] + +Sometimes it makes no sense to search the skb by pkt.dpo, since we need +next the skb within the transaction block. This may happen if we have an +ETP session with CTS set to less than 255 packets. + +After this patch, we will be able to work with ETP sessions where the +block size (ETP.CM_CTS byte 2) is less than 255 packets. + +Reported-by: Henrique Figueira +Reported-by: https://github.com/linux-can/can-utils/issues/228 +Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol") +Signed-off-by: Oleksij Rempel +Link: https://lore.kernel.org/r/20200807105200.26441-5-o.rempel@pengutronix.de +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + net/can/j1939/transport.c | 22 +++++++++++++++------- + 1 file changed, 15 insertions(+), 7 deletions(-) + +diff --git a/net/can/j1939/transport.c b/net/can/j1939/transport.c +index 30957c9a8eb7a..90a2baac8a4aa 100644 +--- a/net/can/j1939/transport.c ++++ b/net/can/j1939/transport.c +@@ -352,17 +352,16 @@ void j1939_session_skb_queue(struct j1939_session *session, + skb_queue_tail(&session->skb_queue, skb); + } + +-static struct sk_buff *j1939_session_skb_find(struct j1939_session *session) ++static struct ++sk_buff *j1939_session_skb_find_by_offset(struct j1939_session *session, ++ unsigned int offset_start) + { + struct j1939_priv *priv = session->priv; ++ struct j1939_sk_buff_cb *do_skcb; + struct sk_buff *skb = NULL; + struct sk_buff *do_skb; +- struct j1939_sk_buff_cb *do_skcb; +- unsigned int offset_start; + unsigned long flags; + +- offset_start = session->pkt.dpo * 7; +- + spin_lock_irqsave(&session->skb_queue.lock, flags); + skb_queue_walk(&session->skb_queue, do_skb) { + do_skcb = 
j1939_skb_to_cb(do_skb); +@@ -382,6 +381,14 @@ static struct sk_buff *j1939_session_skb_find(struct j1939_session *session) + return skb; + } + ++static struct sk_buff *j1939_session_skb_find(struct j1939_session *session) ++{ ++ unsigned int offset_start; ++ ++ offset_start = session->pkt.dpo * 7; ++ return j1939_session_skb_find_by_offset(session, offset_start); ++} ++ + /* see if we are receiver + * returns 0 for broadcasts, although we will receive them + */ +@@ -766,7 +773,7 @@ static int j1939_session_tx_dat(struct j1939_session *session) + int ret = 0; + u8 dat[8]; + +- se_skb = j1939_session_skb_find(session); ++ se_skb = j1939_session_skb_find_by_offset(session, session->pkt.tx * 7); + if (!se_skb) + return -ENOBUFS; + +@@ -1765,7 +1772,8 @@ static void j1939_xtp_rx_dat_one(struct j1939_session *session, + __func__, session); + goto out_session_cancel; + } +- se_skb = j1939_session_skb_find(session); ++ ++ se_skb = j1939_session_skb_find_by_offset(session, packet * 7); + if (!se_skb) { + netdev_warn(priv->ndev, "%s: 0x%p: no skb found\n", __func__, + session); +-- +2.25.1 + diff --git a/queue-5.4/can-j1939-transport-j1939_simple_recv-ignore-local-j.patch b/queue-5.4/can-j1939-transport-j1939_simple_recv-ignore-local-j.patch new file mode 100644 index 00000000000..4d5b3728b80 --- /dev/null +++ b/queue-5.4/can-j1939-transport-j1939_simple_recv-ignore-local-j.patch 
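Review bot: The factor 7 is a bare literal at three call sites (`session->pkt.dpo * 7`, `session->pkt.tx * 7`, `packet * 7`), and `j1939_session_skb_find_by_offset()` has no comment saying what `offset_start` measures. A comment above the helper, presumably along the lines of `/* find the queued skb that covers offset_start within the session data */`, and a named constant for the per-packet size would make the three callers easier to compare. In `j1939_xtp_rx_dat_one()` the offset now depends on `packet`, whose derivation and range check are outside the hunk; it is worth confirming it cannot be negative before the implicit conversion to `unsigned int`.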
@@ -0,0 +1,63 @@ +From 356afd0a5639f8e6a679768dfdc35af5bfa9f4fe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Aug 2020 12:51:56 +0200 +Subject: can: j1939: transport: j1939_simple_recv(): ignore local J1939 + messages send not by J1939 stack + +From: Oleksij Rempel + +[ Upstream commit b43e3a82bc432c1caaed8950e7662c143470c54c ] + +In current J1939 stack implementation, we process all locally send +messages as own messages. Even if it was send by CAN_RAW socket. + +To reproduce it use following commands: +testj1939 -P -r can0:0x80 & +cansend can0 18238040#0123 + +This step will trigger false positive not critical warning: +j1939_simple_recv: Received already invalidated message + +With this patch we add additional check to make sure, related skb is own +echo message. + +Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol") +Signed-off-by: Oleksij Rempel +Link: https://lore.kernel.org/r/20200807105200.26441-2-o.rempel@pengutronix.de +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + net/can/j1939/socket.c | 1 + + net/can/j1939/transport.c | 4 ++++ + 2 files changed, 5 insertions(+) + +diff --git a/net/can/j1939/socket.c b/net/can/j1939/socket.c +index 1b7dc1a8547f3..bf9fd6ee88fe0 100644 +--- a/net/can/j1939/socket.c ++++ b/net/can/j1939/socket.c +@@ -398,6 +398,7 @@ static int j1939_sk_init(struct sock *sk) + spin_lock_init(&jsk->sk_session_queue_lock); + INIT_LIST_HEAD(&jsk->sk_session_queue); + sk->sk_destruct = j1939_sk_sock_destruct; ++ sk->sk_protocol = CAN_J1939; + + return 0; + } +diff --git a/net/can/j1939/transport.c b/net/can/j1939/transport.c +index 5bfe6bf15a999..30957c9a8eb7a 100644 +--- a/net/can/j1939/transport.c ++++ b/net/can/j1939/transport.c +@@ -2032,6 +2032,10 @@ void j1939_simple_recv(struct j1939_priv *priv, struct sk_buff *skb) + if (!skb->sk) + return; + ++ if (skb->sk->sk_family != AF_CAN || ++ skb->sk->sk_protocol != CAN_J1939) ++ return; ++ + j1939_session_list_lock(priv); + session = 
j1939_session_get_simple(priv, skb); + j1939_session_list_unlock(priv); +-- +2.25.1 + diff --git a/queue-5.4/efi-avoid-error-message-when-booting-under-xen.patch b/queue-5.4/efi-avoid-error-message-when-booting-under-xen.patch new file mode 100644 index 00000000000..d08ff7376ba --- /dev/null +++ b/queue-5.4/efi-avoid-error-message-when-booting-under-xen.patch @@ -0,0 +1,39 @@ +From 772075486ec94b70c7af005a578d8ff42d5c04d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Jul 2020 16:16:51 +0200 +Subject: efi: avoid error message when booting under Xen + +From: Juergen Gross + +[ Upstream commit 6163a985e50cb19d5bdf73f98e45b8af91a77658 ] + +efifb_probe() will issue an error message in case the kernel is booted +as Xen dom0 from UEFI as EFI_MEMMAP won't be set in this case. Avoid +that message by calling efi_mem_desc_lookup() only if EFI_MEMMAP is set. + +Fixes: 38ac0287b7f4 ("fbdev/efifb: Honour UEFI memory map attributes when mapping the FB") +Signed-off-by: Juergen Gross +Acked-by: Ard Biesheuvel +Acked-by: Bartlomiej Zolnierkiewicz +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/efifb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/video/fbdev/efifb.c b/drivers/video/fbdev/efifb.c +index 51d97ec4f58f9..e0cbf5b3d2174 100644 +--- a/drivers/video/fbdev/efifb.c ++++ b/drivers/video/fbdev/efifb.c +@@ -453,7 +453,7 @@ static int efifb_probe(struct platform_device *dev) + info->apertures->ranges[0].base = efifb_fix.smem_start; + info->apertures->ranges[0].size = size_remap; + +- if (efi_enabled(EFI_BOOT) && ++ if (efi_enabled(EFI_MEMMAP) && + !efi_mem_desc_lookup(efifb_fix.smem_start, &md)) { + if ((efifb_fix.smem_start + efifb_fix.smem_len) > + (md.phys_addr + (md.num_pages << EFI_PAGE_SHIFT))) { +-- +2.25.1 + diff --git a/queue-5.4/ext4-don-t-allow-overlapping-system-zones.patch b/queue-5.4/ext4-don-t-allow-overlapping-system-zones.patch new file mode 100644 index 00000000000..527b810b2b6 
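Review bot: The new family/protocol test in `j1939_simple_recv()` depends on `sk->sk_protocol = CAN_J1939` being set in `j1939_sk_init()`, but neither place says so. A comment at the check, `/* only echoes of frames sent through a J1939 socket belong to a session; other local CAN senders are ignored */`, and a matching one at the assignment would keep the pair from being separated later. `j1939_session_get_simple()` is outside the hunk, so whether it treats `skb->sk` as a J1939 socket cannot be confirmed from here; if it does, this check is what keeps another socket type from being interpreted as one. Both functions continue outside their hunks.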
--- /dev/null +++ b/queue-5.4/ext4-don-t-allow-overlapping-system-zones.patch 
@@ -0,0 +1,85 @@ +From 571f9bc3c02e91de326292c01929fcea601f2e82 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Jul 2020 15:04:33 +0200 +Subject: ext4: don't allow overlapping system zones + +From: Jan Kara + +[ Upstream commit bf9a379d0980e7413d94cb18dac73db2bfc5f470 ] + +Currently, add_system_zone() just silently merges two added system zones +that overlap. However the overlap should not happen and it generally +suggests that some unrelated metadata overlap which indicates the fs is +corrupted. We should have caught such problems earlier (e.g. in +ext4_check_descriptors()) but add this check as another line of defense. +In later patch we also use this for stricter checking of journal inode +extent tree. + +Reviewed-by: Lukas Czerner +Signed-off-by: Jan Kara +Link: https://lore.kernel.org/r/20200728130437.7804-3-jack@suse.cz +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/block_validity.c | 36 +++++++++++++----------------------- + 1 file changed, 13 insertions(+), 23 deletions(-) + +diff --git a/fs/ext4/block_validity.c b/fs/ext4/block_validity.c +index ff8e1205127ee..ceb54ccc937e9 100644 +--- a/fs/ext4/block_validity.c ++++ b/fs/ext4/block_validity.c +@@ -68,7 +68,7 @@ static int add_system_zone(struct ext4_system_blocks *system_blks, + ext4_fsblk_t start_blk, + unsigned int count) + { +- struct ext4_system_zone *new_entry = NULL, *entry; ++ struct ext4_system_zone *new_entry, *entry; + struct rb_node **n = &system_blks->root.rb_node, *node; + struct rb_node *parent = NULL, *new_node = NULL; + +@@ -79,30 +79,20 @@ static int add_system_zone(struct ext4_system_blocks *system_blks, + n = &(*n)->rb_left; + else if (start_blk >= (entry->start_blk + entry->count)) + n = &(*n)->rb_right; +- else { +- if (start_blk + count > (entry->start_blk + +- entry->count)) +- entry->count = (start_blk + count - +- entry->start_blk); +- new_node = *n; +- new_entry = rb_entry(new_node, struct ext4_system_zone, +- node); +- break; +- } ++ else /* 
Unexpected overlap of system zones. */ ++ return -EFSCORRUPTED; + } + +- if (!new_entry) { +- new_entry = kmem_cache_alloc(ext4_system_zone_cachep, +- GFP_KERNEL); +- if (!new_entry) +- return -ENOMEM; +- new_entry->start_blk = start_blk; +- new_entry->count = count; +- new_node = &new_entry->node; +- +- rb_link_node(new_node, parent, n); +- rb_insert_color(new_node, &system_blks->root); +- } ++ new_entry = kmem_cache_alloc(ext4_system_zone_cachep, ++ GFP_KERNEL); ++ if (!new_entry) ++ return -ENOMEM; ++ new_entry->start_blk = start_blk; ++ new_entry->count = count; ++ new_node = &new_entry->node; ++ ++ rb_link_node(new_node, parent, n); ++ rb_insert_color(new_node, &system_blks->root); + + /* Can we merge to the left? */ + node = rb_prev(new_node); +-- +2.25.1 + diff --git a/queue-5.4/ext4-fix-potential-negative-array-index-in-do_split.patch b/queue-5.4/ext4-fix-potential-negative-array-index-in-do_split.patch new file mode 100644 index 00000000000..3571769b4a4 --- /dev/null +++ b/queue-5.4/ext4-fix-potential-negative-array-index-in-do_split.patch 
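Review bot: The overlap test in `add_system_zone()` appears to look only at `start_blk`: the visible `else if` compares `start_blk` with the end of the existing entry, and the branch that descends left is cut off above the hunk. If that branch is `start_blk < entry->start_blk`, a range that starts below an existing zone and runs into it is sent left and inserted instead of being rejected with `-EFSCORRUPTED`. Comparing the end of the new range there, `if (start_blk + count <= entry->start_blk)`, would let the final `else` catch every overlap. Since this validates on-disk metadata, the partial overlap matters as much as the contained one.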
@@ -0,0 +1,68 @@
+From 638c679db31663428c232ef957655bfc74793c6b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 17 Jun 2020 14:19:04 -0500
+Subject: ext4: fix potential negative array index in do_split()
+
+From: Eric Sandeen
+
+[ Upstream commit 5872331b3d91820e14716632ebb56b1399b34fe1 ]
+
+If for any reason a directory passed to do_split() does not have enough
+active entries to exceed half the size of the block, we can end up
+iterating over all "count" entries without finding a split point.
+
+In this case, count == move, and split will be zero, and we will
+attempt a negative index into map[].
+
+Guard against this by detecting this case, and falling back to
+split-to-half-of-count instead; in this case we will still have
+plenty of space (> half blocksize) in each split block.
+
+Fixes: ef2b02d3e617 ("ext34: ensure do_split leaves enough free space in both blocks")
+Signed-off-by: Eric Sandeen
+Reviewed-by: Andreas Dilger
+Reviewed-by: Jan Kara
+Link: https://lore.kernel.org/r/f53e246b-647c-64bb-16ec-135383c70ad7@redhat.com
+Signed-off-by: Theodore Ts'o
+Signed-off-by: Sasha Levin
+---
+ fs/ext4/namei.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c
+index 0218b1407abbb..36a81b57012a5 100644
+--- a/fs/ext4/namei.c
++++ b/fs/ext4/namei.c
+@@ -1852,7 +1852,7 @@ static struct ext4_dir_entry_2 *do_split(handle_t *handle, struct inode *dir,
+ blocksize, hinfo, map);
+ map -= count;
+ dx_sort_map(map, count);
+- /* Split the existing block in the middle, size-wise */
++ /* Ensure that neither split block is over half full */
+ size = 0;
+ move = 0;
+ for (i = count-1; i >= 0; i--) {
+@@ -1862,8 +1862,18 @@ static struct ext4_dir_entry_2 *do_split(handle_t *handle, struct inode *dir,
+ size += map[i].size;
+ move++;
+ }
+- /* map index at which we will split */
+- split = count - move;
++ /*
++ * map index at which we will split
++ *
++ * If the sum of active entries didn't exceed
half the block size, just
++ * split it in half by count; each resulting block will have at least
++ * half the space free.
++ */
++ if (i > 0)
++ split = count - move;
++ else
++ split = count/2;
++
+ hash2 = map[split].hash;
+ continued = hash2 == map[split - 1].hash;
+ dxtrace(printk(KERN_INFO "Split block %lu at %x, %i/%i\n",
+--
+2.25.1
+
diff --git a/queue-5.4/fix-build-error-when-config_acpi-is-not-set-enabled.patch b/queue-5.4/fix-build-error-when-config_acpi-is-not-set-enabled.patch
new file mode 100644
index 00000000000..871165969b0
--- /dev/null
+++ b/queue-5.4/fix-build-error-when-config_acpi-is-not-set-enabled.patch
@@ -0,0 +1,45 @@
+From 042bedd5a400f9be2d4bac2e1c54d536b787e0a3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 20 Aug 2020 06:30:47 +0200
+Subject: Fix build error when CONFIG_ACPI is not set/enabled:
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Randy Dunlap
+
+[ Upstream commit ee87e1557c42dc9c2da11c38e11b87c311569853 ]
+
+../arch/x86/pci/xen.c: In function ‘pci_xen_init’:
+../arch/x86/pci/xen.c:410:2: error: implicit declaration of function ‘acpi_noirq_set’; did you mean ‘acpi_irq_get’? [-Werror=implicit-function-declaration]
+ acpi_noirq_set();
+
+Fixes: 88e9ca161c13 ("xen/pci: Use acpi_noirq_set() helper to avoid #ifdef")
+Signed-off-by: Randy Dunlap
+Reviewed-by: Juergen Gross
+Cc: Andy Shevchenko
+Cc: Bjorn Helgaas
+Cc: Konrad Rzeszutek Wilk
+Cc: xen-devel@lists.xenproject.org
+Cc: linux-pci@vger.kernel.org
+Signed-off-by: Juergen Gross
+Signed-off-by: Sasha Levin
+---
+ arch/x86/pci/xen.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/x86/pci/xen.c b/arch/x86/pci/xen.c
+index 91220cc258547..5c11ae66b5d8e 100644
+--- a/arch/x86/pci/xen.c
++++ b/arch/x86/pci/xen.c
+@@ -26,6 +26,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+
+ static int xen_pcifront_enable_irq(struct pci_dev *dev)
+--
+2.25.1
+
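Review bot: The guard `if (i > 0)` in do_split() (fs/ext4/namei.c) does not match the loop's exhaustion value: `for (i = count-1; i >= 0; i--)` leaves `i == -1` when no split point was found, so a loop that stopped early at `i == 0` is also sent to the `count/2` fallback although `count - move` would be a valid, non-zero index there. The early exit is outside the hunk, so this is inferred from the loop header and the commit message; if it holds, `if (i >= 0)` is the test that separates the two cases. Separately, `count/2` is 0 when `count` is below 2, and `map[split - 1]` two lines later would then index -1 again; a comment stating why `count >= 2` holds at this point, or an explicit check, would close that.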
diff --git a/queue-5.4/hv_netvsc-fix-the-queue_mapping-in-netvsc_vf_xmit.patch b/queue-5.4/hv_netvsc-fix-the-queue_mapping-in-netvsc_vf_xmit.patch
new file mode 100644
index 00000000000..d1d3b6c6e1e
--- /dev/null
+++ b/queue-5.4/hv_netvsc-fix-the-queue_mapping-in-netvsc_vf_xmit.patch
@@ -0,0 +1,45 @@
+From 2d6d99232580fe0427ce1e6665a7bf72211927f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 20 Aug 2020 14:53:15 -0700
+Subject: hv_netvsc: Fix the queue_mapping in netvsc_vf_xmit()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Haiyang Zhang
+
+[ Upstream commit c3d897e01aef8ddc43149e4d661b86f823e3aae7 ]
+
+netvsc_vf_xmit() / dev_queue_xmit() will call VF NIC’s ndo_select_queue
+or netdev_pick_tx() again. They will use skb_get_rx_queue() to get the
+queue number, so the “skb->queue_mapping - 1” will be used. This may
+cause the last queue of VF not been used.
+
+Use skb_record_rx_queue() here, so that the skb_get_rx_queue() called
+later will get the correct queue number, and VF will be able to use
+all queues.
+
+Fixes: b3bf5666a510 ("hv_netvsc: defer queue selection to VF")
+Signed-off-by: Haiyang Zhang
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/hyperv/netvsc_drv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_drv.c
+index 24bb721a12bc0..42eb7a7ecd96b 100644
+--- a/drivers/net/hyperv/netvsc_drv.c
++++ b/drivers/net/hyperv/netvsc_drv.c
+@@ -501,7 +501,7 @@ static int netvsc_vf_xmit(struct net_device *net, struct net_device *vf_netdev,
+ int rc;
+
+ skb->dev = vf_netdev;
+- skb->queue_mapping = qdisc_skb_cb(skb)->slave_dev_queue_mapping;
++ skb_record_rx_queue(skb, qdisc_skb_cb(skb)->slave_dev_queue_mapping);
+
+ rc = dev_queue_xmit(skb);
+ if (likely(rc == NET_XMIT_SUCCESS || rc == NET_XMIT_CN)) {
+--
+2.25.1
+
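Review bot: The `skb_record_rx_queue()` call in netvsc_vf_xmit() sits on a transmit path and reads like a mistake without the commit message next to it. A comment above the call would keep the reasoning with the code: `/* Store the queue as an rx queue: the VF's queue selection reads it back with skb_get_rx_queue(), which uses queue_mapping - 1. */`. The function continues outside the hunk.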
diff --git a/queue-5.4/i40e-fix-crash-during-removing-i40e-driver.patch b/queue-5.4/i40e-fix-crash-during-removing-i40e-driver.patch
new file mode 100644
index 00000000000..3df36ff6048
--- /dev/null
+++ b/queue-5.4/i40e-fix-crash-during-removing-i40e-driver.patch
@@ -0,0 +1,80 @@
+From a5db4c1227481067d4a481d93671f09c173727cd Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 11 Aug 2020 10:56:49 +0000
+Subject: i40e: Fix crash during removing i40e driver
+
+From: Grzegorz Szczurek
+
+[ Upstream commit 5b6d4a7f20b09c47ca598760f6dafd554af8b6d5 ]
+
+Fix the reason of crashing system by add waiting time to finish reset
+recovery process before starting remove driver procedure.
+Now VSI is releasing if VSI is not in reset recovery mode.
+Without this fix it was possible to start remove driver if other
+processing command need reset recovery procedure which resulted in
+null pointer dereference. VSI used by the ethtool process has been
+cleared by remove driver process.
+
+[ 6731.508665] BUG: kernel NULL pointer dereference, address: 0000000000000000
+[ 6731.508668] #PF: supervisor read access in kernel mode
+[ 6731.508670] #PF: error_code(0x0000) - not-present page
+[ 6731.508671] PGD 0 P4D 0
+[ 6731.508674] Oops: 0000 [#1] SMP PTI
+[ 6731.508679] Hardware name: Intel Corporation S2600WT2R/S2600WT2R, BIOS SE5C610.86B.01.01.0021.032120170601 03/21/2017
+[ 6731.508694] RIP: 0010:i40e_down+0x252/0x310 [i40e]
+[ 6731.508696] Code: c7 78 de fa c0 e8 61 02 3a c1 66 83 bb f6 0c 00 00 00 0f 84 bf 00 00 00 45 31 e4 45 31 ff eb 03 41 89 c7 48 8b 83 98 0c 00 00 <4a> 8b 3c 20 e8 a5 79 02 00 48 83 bb d0 0c 00 00 00 74 10 48 8b 83
+[ 6731.508698] RSP: 0018:ffffb75ac7b3faf0 EFLAGS: 00010246
+[ 6731.508700] RAX: 0000000000000000 RBX: ffff9c9874bd5000 RCX: 0000000000000007
+[ 6731.508701] RDX: 0000000000000000 RSI: 0000000000000096 RDI: ffff9c987f4d9780
+[ 6731.508703] RBP: ffffb75ac7b3fb30 R08: 0000000000005b60 R09: 0000000000000004
+[ 6731.508704] R10: ffffb75ac64fbd90 R11: 0000000000000001 R12: 0000000000000000
+[ 6731.508706] R13: ffff9c97a08e0000 R14: ffff9c97a08e0a68 R15: 0000000000000000
+[ 6731.508708] FS: 00007f2617cd2740(0000) GS:ffff9c987f4c0000(0000) knlGS:0000000000000000
+[ 6731.508710] CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
+[ 6731.508711] CR2: 0000000000000000 CR3: 0000001e765c4006 CR4: 00000000003606e0
+[ 6731.508713] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 6731.508714] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 6731.508715] Call Trace:
+[ 6731.508734] i40e_vsi_close+0x84/0x90 [i40e]
+[ 6731.508742] i40e_quiesce_vsi.part.98+0x3c/0x40 [i40e]
+[ 6731.508749] i40e_pf_quiesce_all_vsi+0x55/0x60 [i40e]
+[ 6731.508757] i40e_prep_for_reset+0x59/0x130 [i40e]
+[ 6731.508765] i40e_reconfig_rss_queues+0x5a/0x120 [i40e]
+[ 6731.508774] i40e_set_channels+0xda/0x170 [i40e]
+[ 6731.508778] ethtool_set_channels+0xe9/0x150
+[ 6731.508781] dev_ethtool+0x1b94/0x2920
+[ 6731.508805] dev_ioctl+0xc2/0x590
+[ 6731.508811] sock_do_ioctl+0xae/0x150
+[ 6731.508813] sock_ioctl+0x34f/0x3c0
+[ 6731.508821] ksys_ioctl+0x98/0xb0
+[ 6731.508828] __x64_sys_ioctl+0x1a/0x20
+[ 6731.508831] do_syscall_64+0x57/0x1c0
+[ 6731.508835] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Fixes: 4b8164467b85 ("i40e: Add common function for finding VSI by type")
+Signed-off-by: Grzegorz Szczurek
+Signed-off-by: Arkadiusz Kubalewski
+Tested-by: Aaron Brown
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/i40e/i40e_main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
+index 095ed81cc0ba4..b3c3911adfc2e 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -15342,6 +15342,9 @@ static void i40e_remove(struct pci_dev *pdev)
+ i40e_write_rx_ctl(hw, I40E_PFQF_HENA(0), 0);
+ i40e_write_rx_ctl(hw, I40E_PFQF_HENA(1), 0);
+
++ while (test_bit(__I40E_RESET_RECOVERY_PENDING, pf->state))
++ usleep_range(1000, 2000);
++
+ /* no more scheduling of any task */
+ set_bit(__I40E_SUSPENDED, pf->state);
+ set_bit(__I40E_DOWN, pf->state);
+--
+2.25.1
+
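Review bot: The wait added to i40e_remove() only tests `__I40E_RESET_RECOVERY_PENDING`, so a reset that begins after the loop exits and before `set_bit(__I40E_SUSPENDED, pf->state)` is not excluded, and the loop has no upper bound if the bit is never cleared. Claiming the bit while waiting would close that window, `while (test_and_set_bit(__I40E_RESET_RECOVERY_PENDING, pf->state))`, provided the rest of the remove path, which is outside the hunk, tolerates the bit staying set. A bounded wait with a logged timeout would also keep driver unload from hanging behind a recovery that never completes.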
diff --git a/queue-5.4/i40e-set-rx_only-mode-for-unicast-promiscuous-on-vla.patch b/queue-5.4/i40e-set-rx_only-mode-for-unicast-promiscuous-on-vla.patch
new file mode 100644
index 00000000000..fb1572698b4
--- /dev/null
+++ b/queue-5.4/i40e-set-rx_only-mode-for-unicast-promiscuous-on-vla.patch
@@ -0,0 +1,114 @@
+From 973edf07e3606c0c41ba95f22664feed2795d726 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 6 Aug 2020 13:40:59 +0000
+Subject: i40e: Set RX_ONLY mode for unicast promiscuous on VLAN
+
+From: Przemyslaw Patynowski
+
+[ Upstream commit 4bd5e02a2ed1575c2f65bd3c557a077dd399f0e8 ]
+
+Trusted VF with unicast promiscuous mode set, could listen to TX
+traffic of other VFs.
+Set unicast promiscuous mode to RX traffic, if VSI has port VLAN
+configured. Rename misleading I40E_AQC_SET_VSI_PROMISC_TX bit to
+I40E_AQC_SET_VSI_PROMISC_RX_ONLY. Aligned unicast promiscuous with
+VLAN to the one without VLAN.
+
+Fixes: 6c41a7606967 ("i40e: Add promiscuous on VLAN support")
+Fixes: 3b1200891b7f ("i40e: When in promisc mode apply promisc mode to Tx Traffic as well")
+Signed-off-by: Przemyslaw Patynowski
+Signed-off-by: Aleksandr Loktionov
+Signed-off-by: Arkadiusz Kubalewski
+Tested-by: Andrew Bowers
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ .../net/ethernet/intel/i40e/i40e_adminq_cmd.h | 2 +-
+ drivers/net/ethernet/intel/i40e/i40e_common.c | 35 ++++++++++++++-----
+ 2 files changed, 28 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_adminq_cmd.h b/drivers/net/ethernet/intel/i40e/i40e_adminq_cmd.h
+index 69a2daaca5c56..d7684ac2522ef 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_adminq_cmd.h
++++ b/drivers/net/ethernet/intel/i40e/i40e_adminq_cmd.h
+@@ -1211,7 +1211,7 @@ struct i40e_aqc_set_vsi_promiscuous_modes {
+ #define I40E_AQC_SET_VSI_PROMISC_BROADCAST 0x04
+ #define I40E_AQC_SET_VSI_DEFAULT 0x08
+ #define I40E_AQC_SET_VSI_PROMISC_VLAN 0x10
+-#define I40E_AQC_SET_VSI_PROMISC_TX 0x8000
++#define I40E_AQC_SET_VSI_PROMISC_RX_ONLY 0x8000
+ __le16 seid;
+ #define I40E_AQC_VSI_PROM_CMD_SEID_MASK 0x3FF
+ __le16 vlan_tag;
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_common.c b/drivers/net/ethernet/intel/i40e/i40e_common.c
+index 3160b5bbe6728..66f7deaf46ae2 100644
+---
a/drivers/net/ethernet/intel/i40e/i40e_common.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_common.c
+@@ -1949,6 +1949,21 @@ i40e_status i40e_aq_set_phy_debug(struct i40e_hw *hw, u8 cmd_flags,
+ return status;
+ }
+
++/**
++ * i40e_is_aq_api_ver_ge
++ * @aq: pointer to AdminQ info containing HW API version to compare
++ * @maj: API major value
++ * @min: API minor value
++ *
++ * Assert whether current HW API version is greater/equal than provided.
++ **/
++static bool i40e_is_aq_api_ver_ge(struct i40e_adminq_info *aq, u16 maj,
++ u16 min)
++{
++ return (aq->api_maj_ver > maj ||
++ (aq->api_maj_ver == maj && aq->api_min_ver >= min));
++}
++
+ /**
+ * i40e_aq_add_vsi
+ * @hw: pointer to the hw struct
+@@ -2074,18 +2089,16 @@ i40e_status i40e_aq_set_vsi_unicast_promiscuous(struct i40e_hw *hw,
+
+ if (set) {
+ flags |= I40E_AQC_SET_VSI_PROMISC_UNICAST;
+- if (rx_only_promisc &&
+- (((hw->aq.api_maj_ver == 1) && (hw->aq.api_min_ver >= 5)) ||
+- (hw->aq.api_maj_ver > 1)))
+- flags |= I40E_AQC_SET_VSI_PROMISC_TX;
++ if (rx_only_promisc && i40e_is_aq_api_ver_ge(&hw->aq, 1, 5))
++ flags |= I40E_AQC_SET_VSI_PROMISC_RX_ONLY;
+ }
+
+ cmd->promiscuous_flags = cpu_to_le16(flags);
+
+ cmd->valid_flags = cpu_to_le16(I40E_AQC_SET_VSI_PROMISC_UNICAST);
+- if (((hw->aq.api_maj_ver >= 1) && (hw->aq.api_min_ver >= 5)) ||
+- (hw->aq.api_maj_ver > 1))
+- cmd->valid_flags |= cpu_to_le16(I40E_AQC_SET_VSI_PROMISC_TX);
++ if (i40e_is_aq_api_ver_ge(&hw->aq, 1, 5))
++ cmd->valid_flags |=
++ cpu_to_le16(I40E_AQC_SET_VSI_PROMISC_RX_ONLY);
+
+ cmd->seid = cpu_to_le16(seid);
+ status = i40e_asq_send_command(hw, &desc, NULL, 0, cmd_details);
+@@ -2182,11 +2195,17 @@ enum i40e_status_code i40e_aq_set_vsi_uc_promisc_on_vlan(struct i40e_hw *hw,
+ i40e_fill_default_direct_cmd_desc(&desc,
+ i40e_aqc_opc_set_vsi_promiscuous_modes);
+
+- if (enable)
++ if (enable) {
+ flags |= I40E_AQC_SET_VSI_PROMISC_UNICAST;
++ if (i40e_is_aq_api_ver_ge(&hw->aq, 1, 5))
++ flags |= I40E_AQC_SET_VSI_PROMISC_RX_ONLY;
++ }
+
+ cmd->promiscuous_flags = cpu_to_le16(flags);
+ cmd->valid_flags = cpu_to_le16(I40E_AQC_SET_VSI_PROMISC_UNICAST);
++ if (i40e_is_aq_api_ver_ge(&hw->aq, 1, 5))
++ cmd->valid_flags |=
++ cpu_to_le16(I40E_AQC_SET_VSI_PROMISC_RX_ONLY);
+ cmd->seid = cpu_to_le16(seid);
+ cmd->vlan_tag = cpu_to_le16(vid | I40E_AQC_SET_VSI_VLAN_VALID);
+
+--
+2.25.1
+
diff --git a/queue-5.4/kconfig-qconf-do-not-limit-the-pop-up-menu-to-the-fi.patch b/queue-5.4/kconfig-qconf-do-not-limit-the-pop-up-menu-to-the-fi.patch
new file mode 100644
index 00000000000..88ea0592e43
--- /dev/null
+++ b/queue-5.4/kconfig-qconf-do-not-limit-the-pop-up-menu-to-the-fi.patch
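Review bot: In i40e_aq_set_vsi_uc_promisc_on_vlan() and i40e_aq_set_vsi_unicast_promiscuous() the RX_ONLY bit is set only when `i40e_is_aq_api_ver_ge(&hw->aq, 1, 5)` holds, so on firmware with an older AdminQ API the command is still sent without it and the exposure named in the commit message (a trusted VF seeing other VFs' TX traffic) presumably remains, silently. A comment at the version check should say so, for example `/* RX_ONLY needs AQ API >= 1.5; older firmware keeps mirroring TX traffic */`, and a one-time warning when unicast promiscuous mode is enabled on such firmware would let an operator notice the gap. Minor: the helper only reads `aq`, so its parameter can be `const struct i40e_adminq_info *aq`.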
@@ -0,0 +1,112 @@
+From 7a60e86a3542c5bf2d6a6a9bca76958c4d8f281a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 7 Aug 2020 18:19:08 +0900
+Subject: kconfig: qconf: do not limit the pop-up menu to the first row
+
+From: Masahiro Yamada
+
+[ Upstream commit fa8de0a3bf3c02e6f00b7746e7e934db522cdda9 ]
+
+If you right-click the first row in the option tree, the pop-up menu
+shows up, but if you right-click the second row or below, the event
+is ignored due to the following check:
+
+ if (e->y() <= header()->geometry().bottom()) {
+
+Perhaps, the intention was to show the pop-menu only when the tree
+header was right-clicked, but this handler is not called in that case.
+
+Since the origin of e->y() starts from the bottom of the header,
+this check is odd.
+
+Going forward, you can right-click anywhere in the tree to get the
+pop-up menu.
+
+Signed-off-by: Masahiro Yamada
+Signed-off-by: Sasha Levin
+---
+ scripts/kconfig/qconf.cc | 68 ++++++++++++++++++++--------------------
+ 1 file changed, 34 insertions(+), 34 deletions(-)
+
+diff --git a/scripts/kconfig/qconf.cc b/scripts/kconfig/qconf.cc
+index 0f8c77f847114..3e7fbfae798c2 100644
+--- a/scripts/kconfig/qconf.cc
++++ b/scripts/kconfig/qconf.cc
+@@ -869,40 +869,40 @@ void ConfigList::focusInEvent(QFocusEvent *e)
+
+ void ConfigList::contextMenuEvent(QContextMenuEvent *e)
+ {
+- if (e->y() <= header()->geometry().bottom()) {
+- if (!headerPopup) {
+- QAction *action;
+-
+- headerPopup = new QMenu(this);
+- action = new QAction("Show Name", this);
+- action->setCheckable(true);
+- connect(action, SIGNAL(toggled(bool)),
+- parent(), SLOT(setShowName(bool)));
+- connect(parent(), SIGNAL(showNameChanged(bool)),
+- action, SLOT(setOn(bool)));
+- action->setChecked(showName);
+- headerPopup->addAction(action);
+- action = new QAction("Show Range", this);
+- action->setCheckable(true);
+- connect(action, SIGNAL(toggled(bool)),
+- parent(), SLOT(setShowRange(bool)));
+- connect(parent(),
SIGNAL(showRangeChanged(bool)),
+- action, SLOT(setOn(bool)));
+- action->setChecked(showRange);
+- headerPopup->addAction(action);
+- action = new QAction("Show Data", this);
+- action->setCheckable(true);
+- connect(action, SIGNAL(toggled(bool)),
+- parent(), SLOT(setShowData(bool)));
+- connect(parent(), SIGNAL(showDataChanged(bool)),
+- action, SLOT(setOn(bool)));
+- action->setChecked(showData);
+- headerPopup->addAction(action);
+- }
+- headerPopup->exec(e->globalPos());
+- e->accept();
+- } else
+- e->ignore();
++ if (!headerPopup) {
++ QAction *action;
++
++ headerPopup = new QMenu(this);
++ action = new QAction("Show Name", this);
++ action->setCheckable(true);
++ connect(action, SIGNAL(toggled(bool)),
++ parent(), SLOT(setShowName(bool)));
++ connect(parent(), SIGNAL(showNameChanged(bool)),
++ action, SLOT(setOn(bool)));
++ action->setChecked(showName);
++ headerPopup->addAction(action);
++
++ action = new QAction("Show Range", this);
++ action->setCheckable(true);
++ connect(action, SIGNAL(toggled(bool)),
++ parent(), SLOT(setShowRange(bool)));
++ connect(parent(), SIGNAL(showRangeChanged(bool)),
++ action, SLOT(setOn(bool)));
++ action->setChecked(showRange);
++ headerPopup->addAction(action);
++
++ action = new QAction("Show Data", this);
++ action->setCheckable(true);
++ connect(action, SIGNAL(toggled(bool)),
++ parent(), SLOT(setShowData(bool)));
++ connect(parent(), SIGNAL(showDataChanged(bool)),
++ action, SLOT(setOn(bool)));
++ action->setChecked(showData);
++ headerPopup->addAction(action);
++ }
++
++ headerPopup->exec(e->globalPos());
++ e->accept();
+ }
+
+ ConfigView*ConfigView::viewList;
+--
+2.25.1
+
diff --git a/queue-5.4/kconfig-qconf-fix-signal-connection-to-invalid-slots.patch b/queue-5.4/kconfig-qconf-fix-signal-connection-to-invalid-slots.patch
new file mode 100644
index 00000000000..b69ffded1e5
--- /dev/null
+++ b/queue-5.4/kconfig-qconf-fix-signal-connection-to-invalid-slots.patch
@@ -0,0 +1,75 @@
+From 1c494622cacba48113c2e924f5d904a8e7e925cd Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 18 Aug 2020 01:36:29 +0900
+Subject: kconfig: qconf: fix signal connection to invalid slots
+
+From: Masahiro Yamada
+
+[ Upstream commit d85de3399f97467baa2026fbbbe587850d01ba8a ]
+
+If you right-click in the ConfigList window, you will see the following
+messages in the console:
+
+QObject::connect: No such slot QAction::setOn(bool) in scripts/kconfig/qconf.cc:888
+QObject::connect: (sender name: 'config')
+QObject::connect: No such slot QAction::setOn(bool) in scripts/kconfig/qconf.cc:897
+QObject::connect: (sender name: 'config')
+QObject::connect: No such slot QAction::setOn(bool) in scripts/kconfig/qconf.cc:906
+QObject::connect: (sender name: 'config')
+
+Right, there is no such slot in QAction. I think this is a typo of
+setChecked.
+
+Due to this bug, when you toggled the menu "Option->Show Name/Range/Data"
+the state of the context menu was not previously updated. Fix this.
+
+Fixes: d5d973c3f8a9 ("Port xconfig to Qt5 - Put back some of the old implementation(part 2)")
+Signed-off-by: Masahiro Yamada
+Signed-off-by: Sasha Levin
+---
+ scripts/kconfig/qconf.cc | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/scripts/kconfig/qconf.cc b/scripts/kconfig/qconf.cc
+index 3e7fbfae798c2..a94909ad9a53a 100644
+--- a/scripts/kconfig/qconf.cc
++++ b/scripts/kconfig/qconf.cc
+@@ -878,7 +878,7 @@ void ConfigList::contextMenuEvent(QContextMenuEvent *e)
+ connect(action, SIGNAL(toggled(bool)),
+ parent(), SLOT(setShowName(bool)));
+ connect(parent(), SIGNAL(showNameChanged(bool)),
+- action, SLOT(setOn(bool)));
++ action, SLOT(setChecked(bool)));
+ action->setChecked(showName);
+ headerPopup->addAction(action);
+
+@@ -887,7 +887,7 @@ void ConfigList::contextMenuEvent(QContextMenuEvent *e)
+ connect(action, SIGNAL(toggled(bool)),
+ parent(), SLOT(setShowRange(bool)));
+ connect(parent(), SIGNAL(showRangeChanged(bool)),
+- action, SLOT(setOn(bool)));
++ action, SLOT(setChecked(bool)));
+ action->setChecked(showRange);
+ headerPopup->addAction(action);
+
+@@ -896,7 +896,7 @@ void ConfigList::contextMenuEvent(QContextMenuEvent *e)
+ connect(action, SIGNAL(toggled(bool)),
+ parent(), SLOT(setShowData(bool)));
+ connect(parent(), SIGNAL(showDataChanged(bool)),
+- action, SLOT(setOn(bool)));
++ action, SLOT(setChecked(bool)));
+ action->setChecked(showData);
+ headerPopup->addAction(action);
+ }
+@@ -1228,7 +1228,7 @@ QMenu* ConfigInfoView::createStandardContextMenu(const QPoint & pos)
+
+ action->setCheckable(true);
+ connect(action, SIGNAL(toggled(bool)), SLOT(setShowDebug(bool)));
+- connect(this, SIGNAL(showDebugChanged(bool)), action, SLOT(setOn(bool)));
++ connect(this, SIGNAL(showDebugChanged(bool)), action, SLOT(setChecked(bool)));
+ action->setChecked(showDebug());
+ popup->addSeparator();
+ popup->addAction(action);
+--
+2.25.1
+
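Review bot: The four corrected `SLOT(setChecked(bool))` connections are still string-based, which is why the `setOn` typo compiled and only surfaced as a console message at run time. Where the sender type is known, the pointer-to-member form is checked by the compiler, for example in ConfigInfoView::createStandardContextMenu(): `connect(this, &ConfigInfoView::showDebugChanged, action, &QAction::setChecked);`. The three connections in ConfigList::contextMenuEvent() use `parent()` as sender and would need the concrete parent type, which the hunks do not show.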
diff --git a/queue-5.4/kvm-x86-toggling-cr4.pke-does-not-load-pdptes-in-pae.patch b/queue-5.4/kvm-x86-toggling-cr4.pke-does-not-load-pdptes-in-pae.patch
new file mode 100644
index 00000000000..91d44d17cc8
--- /dev/null
+++ b/queue-5.4/kvm-x86-toggling-cr4.pke-does-not-load-pdptes-in-pae.patch
@@ -0,0 +1,44 @@
+From bb2ce227b2a78431de635e7cb301320b36ba9c99 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 17 Aug 2020 11:16:54 -0700
+Subject: kvm: x86: Toggling CR4.PKE does not load PDPTEs in PAE mode
+
+From: Jim Mattson
+
+[ Upstream commit cb957adb4ea422bd758568df5b2478ea3bb34f35 ]
+
+See the SDM, volume 3, section 4.4.1:
+
+If PAE paging would be in use following an execution of MOV to CR0 or
+MOV to CR4 (see Section 4.1.1) and the instruction is modifying any of
+CR0.CD, CR0.NW, CR0.PG, CR4.PAE, CR4.PGE, CR4.PSE, or CR4.SMEP; then
+the PDPTEs are loaded from the address in CR3.
+
+Fixes: b9baba8614890 ("KVM, pkeys: expose CPUID/CR4 to guest")
+Cc: Huaitong Han
+Signed-off-by: Jim Mattson
+Reviewed-by: Peter Shier
+Reviewed-by: Oliver Upton
+Message-Id: <20200817181655.3716509-1-jmattson@google.com>
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Sasha Levin
+---
+ arch/x86/kvm/x86.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index 1721a8c8eb26c..8920ee7b28811 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -972,7 +972,7 @@ int kvm_set_cr4(struct kvm_vcpu *vcpu, unsigned long cr4)
+ {
+ unsigned long old_cr4 = kvm_read_cr4(vcpu);
+ unsigned long pdptr_bits = X86_CR4_PGE | X86_CR4_PSE | X86_CR4_PAE |
+- X86_CR4_SMEP | X86_CR4_PKE;
++ X86_CR4_SMEP;
+
+ if (kvm_valid_cr4(vcpu, cr4))
+ return 1;
+--
+2.25.1
+
diff --git a/queue-5.4/kvm-x86-toggling-cr4.smap-does-not-load-pdptes-in-pa.patch b/queue-5.4/kvm-x86-toggling-cr4.smap-does-not-load-pdptes-in-pa.patch
new file mode 100644
index 00000000000..b0ab762487a
--- /dev/null
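Review bot: `pdptr_bits` in kvm_set_cr4() carries no comment, and the list has already picked up two bits that do not belong in it: this patch drops X86_CR4_PKE and the next patch in this queue drops X86_CR4_SMAP. A comment above the initializer would pin the source of the list so it is not extended by analogy again: `/* CR4 bits whose modification reloads the PDPTEs under PAE paging, SDM vol. 3, section 4.4.1 */`. The rest of the function is outside the hunk.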
+++ b/queue-5.4/kvm-x86-toggling-cr4.smap-does-not-load-pdptes-in-pa.patch
@@ -0,0 +1,44 @@
+From 4eb66a1b8ffe7ac93e056e570aafb9a1a720e980 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 17 Aug 2020 11:16:55 -0700
+Subject: kvm: x86: Toggling CR4.SMAP does not load PDPTEs in PAE mode
+
+From: Jim Mattson
+
+[ Upstream commit 427890aff8558eb4326e723835e0eae0e6fe3102 ]
+
+See the SDM, volume 3, section 4.4.1:
+
+If PAE paging would be in use following an execution of MOV to CR0 or
+MOV to CR4 (see Section 4.1.1) and the instruction is modifying any of
+CR0.CD, CR0.NW, CR0.PG, CR4.PAE, CR4.PGE, CR4.PSE, or CR4.SMEP; then
+the PDPTEs are loaded from the address in CR3.
+
+Fixes: 0be0226f07d14 ("KVM: MMU: fix SMAP virtualization")
+Cc: Xiao Guangrong
+Signed-off-by: Jim Mattson
+Reviewed-by: Peter Shier
+Reviewed-by: Oliver Upton
+Message-Id: <20200817181655.3716509-2-jmattson@google.com>
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Sasha Levin
+---
+ arch/x86/kvm/x86.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index 38b2df0e71096..1721a8c8eb26c 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -972,7 +972,7 @@ int kvm_set_cr4(struct kvm_vcpu *vcpu, unsigned long cr4)
+ {
+ unsigned long old_cr4 = kvm_read_cr4(vcpu);
+ unsigned long pdptr_bits = X86_CR4_PGE | X86_CR4_PSE | X86_CR4_PAE |
+- X86_CR4_SMEP | X86_CR4_SMAP | X86_CR4_PKE;
++ X86_CR4_SMEP | X86_CR4_PKE;
+
+ if (kvm_valid_cr4(vcpu, cr4))
+ return 1;
+--
+2.25.1
+
diff --git a/queue-5.4/net-dsa-b53-check-for-timeout.patch b/queue-5.4/net-dsa-b53-check-for-timeout.patch
new file mode 100644
index 00000000000..cc838da1025
--- /dev/null
+++ b/queue-5.4/net-dsa-b53-check-for-timeout.patch
@@ -0,0 +1,51 @@
+From 0a7d169d6cdafeeac18ba004337dcaf1b7a80a0b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 21 Aug 2020 06:56:00 -0700
+Subject: net: dsa: b53: check for timeout
+
+From: Tom Rix
+
+[ Upstream commit 774d977abfd024e6f73484544b9abe5a5cd62de7 ]
+
+clang static analysis reports this problem
+
+b53_common.c:1583:13: warning: The left expression of the compound
+ assignment is an uninitialized value. The computed value will
+ also be garbage
+ ent.port &= ~BIT(port);
+ ~~~~~~~~ ^
+
+ent is set by a successful call to b53_arl_read(). Unsuccessful
+calls are caught by an switch statement handling specific returns.
+b32_arl_read() calls b53_arl_op_wait() which fails with the
+unhandled -ETIMEDOUT.
+
+So add -ETIMEDOUT to the switch statement. Because
+b53_arl_op_wait() already prints out a message, do not add another
+one.
+
+Fixes: 1da6df85c6fb ("net: dsa: b53: Implement ARL add/del/dump operations")
+Signed-off-by: Tom Rix
+Acked-by: Florian Fainelli
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/dsa/b53/b53_common.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c
+index 14850b7fe6d7f..4bd66ba72c03c 100644
+--- a/drivers/net/dsa/b53/b53_common.c
++++ b/drivers/net/dsa/b53/b53_common.c
+@@ -1523,6 +1523,8 @@ static int b53_arl_op(struct b53_device *dev, int op, int port,
+ return ret;
+
+ switch (ret) {
++ case -ETIMEDOUT:
++ return ret;
+ case -ENOSPC:
+ dev_dbg(dev->dev, "{%pM,%.4d} no space left in ARL\n",
+ addr, vid);
+--
+2.25.1
+
diff --git a/queue-5.4/net-ena-prevent-reset-after-device-destruction.patch b/queue-5.4/net-ena-prevent-reset-after-device-destruction.patch
new file mode 100644
index 00000000000..7d797edd649
--- /dev/null
+++ b/queue-5.4/net-ena-prevent-reset-after-device-destruction.patch
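Review bot: The added `case -ETIMEDOUT:` in b53_arl_op() handles one more error by name, but any other negative return from b53_arl_read() still depends on what the switch does by default, and the remaining cases are outside the hunk. If the default path treats the value as a found entry, `ent` is used uninitialized exactly as in the clang report quoted in the commit message. A catch-all is sturdier than enumerating codes, for example `default: if (ret < 0) return ret;` ahead of the success handling.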
@@ -0,0 +1,95 @@
+From e3a25a2b42850b050665ac44948a691ab349c670 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 19 Aug 2020 20:28:36 +0300
+Subject: net: ena: Prevent reset after device destruction
+
+From: Shay Agroskin
+
+[ Upstream commit 63d4a4c145cca2e84dc6e62d2ef5cb990c9723c2 ]
+
+The reset work is scheduled by the timer routine whenever it
+detects that a device reset is required (e.g. when a keep_alive signal
+is missing).
+When releasing device resources in ena_destroy_device() the driver
+cancels the scheduling of the timer routine without destroying the reset
+work explicitly.
+
+This creates the following bug:
+ The driver is suspended and the ena_suspend() function is called
+ -> This function calls ena_destroy_device() to free the net device
+ resources
+ -> The driver waits for the timer routine to finish
+ its execution and then cancels it, thus preventing from it
+ to be called again.
+
+ If, in its final execution, the timer routine schedules a reset,
+ the reset routine might be called afterwards,and a redundant call to
+ ena_restore_device() would be made.
+
+By changing the reset routine we allow it to read the device's state
+accurately.
+This is achieved by checking whether ENA_FLAG_TRIGGER_RESET flag is set
+before resetting the device and making both the destruction function and
+the flag check are under rtnl lock.
+The ENA_FLAG_TRIGGER_RESET is cleared at the end of the destruction
+routine. Also surround the flag check with 'likely' because
+we expect that the reset routine would be called only when
+ENA_FLAG_TRIGGER_RESET flag is set.
+
+The destruction of the timer and reset services in __ena_shutoff() have to
+stay, even though the timer routine is destroyed in ena_destroy_device().
+This is to avoid a case in which the reset routine is scheduled after
+free_netdev() in __ena_shutoff(), which would create an access to freed
+memory in adapter->flags.
+
+Fixes: 8c5c7abdeb2d ("net: ena: add power management ops to the ENA driver")
+Signed-off-by: Shay Agroskin
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/amazon/ena/ena_netdev.c | 19 ++++++++++---------
+ 1 file changed, 10 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/ethernet/amazon/ena/ena_netdev.c b/drivers/net/ethernet/amazon/ena/ena_netdev.c
+index 26325f7b3c1fa..4d0d13d5d0998 100644
+--- a/drivers/net/ethernet/amazon/ena/ena_netdev.c
++++ b/drivers/net/ethernet/amazon/ena/ena_netdev.c
+@@ -2835,16 +2835,14 @@ static void ena_fw_reset_device(struct work_struct *work)
+ {
+ struct ena_adapter *adapter =
+ container_of(work, struct ena_adapter, reset_task);
+- struct pci_dev *pdev = adapter->pdev;
+
+- if (unlikely(!test_bit(ENA_FLAG_TRIGGER_RESET, &adapter->flags))) {
+- dev_err(&pdev->dev,
+- "device reset schedule while reset bit is off\n");
+- return;
+- }
+ rtnl_lock();
+- ena_destroy_device(adapter, false);
+- ena_restore_device(adapter);
++
++ if (likely(test_bit(ENA_FLAG_TRIGGER_RESET, &adapter->flags))) {
++ ena_destroy_device(adapter, false);
++ ena_restore_device(adapter);
++ }
++
+ rtnl_unlock();
+ }
+
+@@ -3675,8 +3673,11 @@ static void __ena_shutoff(struct pci_dev *pdev, bool shutdown)
+ netdev->rx_cpu_rmap = NULL;
+ }
+ #endif /* CONFIG_RFS_ACCEL */
+- del_timer_sync(&adapter->timer_service);
+
++ /* Make sure timer and reset routine won't be called after
++ * freeing device resources.
++ */
++ del_timer_sync(&adapter->timer_service);
+ cancel_work_sync(&adapter->reset_task);
+
+ rtnl_lock(); /* lock released inside the below if-else block */
+--
+2.25.1
+
diff --git a/queue-5.4/net-fec-correct-the-error-path-for-regulator-disable.patch b/queue-5.4/net-fec-correct-the-error-path-for-regulator-disable.patch
new file mode 100644
index 00000000000..e72089de285
--- /dev/null
+++ b/queue-5.4/net-fec-correct-the-error-path-for-regulator-disable.patch
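Review bot: ena_fw_reset_device() now tests `ENA_FLAG_TRIGGER_RESET` only after taking `rtnl_lock()`, and nothing in the code says why that order matters. A comment at the check would record what the commit message explains: `/* Checked under rtnl_lock: ena_destroy_device() clears the flag, so a reset queued by the last timer run is skipped */`. The removed `dev_err()` also leaves the skipped case without any trace; a debug-level message in an `else` branch would keep it observable without flagging an expected race as an error.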
@@ -0,0 +1,40 @@
+From 0e4676690b5edebada566da2ea54768b0a92b6bb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 13 Aug 2020 15:13:14 +0800
+Subject: net: fec: correct the error path for regulator disable in probe
+
+From: Fugang Duan
+
+[ Upstream commit c6165cf0dbb82ded90163dce3ac183fc7a913dc4 ]
+
+Correct the error path for regulator disable.
+
+Fixes: 9269e5560b26 ("net: fec: add phy-reset-gpios PROBE_DEFER check")
+Signed-off-by: Fugang Duan
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/freescale/fec_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c
+index 39c112f1543c1..a0e4b12ac4ea2 100644
+--- a/drivers/net/ethernet/freescale/fec_main.c
++++ b/drivers/net/ethernet/freescale/fec_main.c
+@@ -3707,11 +3707,11 @@ fec_probe(struct platform_device *pdev)
+ failed_irq:
+ failed_init:
+ fec_ptp_stop(pdev);
+- if (fep->reg_phy)
+- regulator_disable(fep->reg_phy);
+ failed_reset:
+ pm_runtime_put_noidle(&pdev->dev);
+ pm_runtime_disable(&pdev->dev);
++ if (fep->reg_phy)
++ regulator_disable(fep->reg_phy);
+ failed_regulator:
+ clk_disable_unprepare(fep->clk_ahb);
+ failed_clk_ahb:
+--
+2.25.1
+
diff --git a/queue-5.4/net-gemini-fix-missing-free_netdev-in-error-path-of-.patch b/queue-5.4/net-gemini-fix-missing-free_netdev-in-error-path-of-.patch
new file mode 100644
index 00000000000..ae6e66ff260
--- /dev/null
+++ b/queue-5.4/net-gemini-fix-missing-free_netdev-in-error-path-of-.patch
@@ -0,0 +1,54 @@
+From 4ae4ba8d14a5836b7ad4cb2860f0992a6ecdc0c1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 19 Aug 2020 10:33:09 +0800
+Subject: net: gemini: Fix missing free_netdev() in error path of
+ gemini_ethernet_port_probe()
+
+From: Wang Hai
+
+[ Upstream commit cf96d977381d4a23957bade2ddf1c420b74a26b6 ]
+
+Replace alloc_etherdev_mq with devm_alloc_etherdev_mqs. In this way,
+when probe fails, netdev can be freed automatically.
+
+Fixes: 4d5ae32f5e1e ("net: ethernet: Add a driver for Gemini gigabit ethernet")
+Reported-by: Hulk Robot
+Signed-off-by: Wang Hai
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/cortina/gemini.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/cortina/gemini.c b/drivers/net/ethernet/cortina/gemini.c
+index 01ae113f122a0..28d4c54505f9a 100644
+--- a/drivers/net/ethernet/cortina/gemini.c
++++ b/drivers/net/ethernet/cortina/gemini.c
+@@ -2388,7 +2388,7 @@ static int gemini_ethernet_port_probe(struct platform_device *pdev)
+
+ dev_info(dev, "probe %s ID %d\n", dev_name(dev), id);
+
+- netdev = alloc_etherdev_mq(sizeof(*port), TX_QUEUE_NUM);
++ netdev = devm_alloc_etherdev_mqs(dev, sizeof(*port), TX_QUEUE_NUM, TX_QUEUE_NUM);
+ if (!netdev) {
+ dev_err(dev, "Can't allocate ethernet device #%d\n", id);
+ return -ENOMEM;
+@@ -2520,7 +2520,6 @@ static int gemini_ethernet_port_probe(struct platform_device *pdev)
+ }
+
+ port->netdev = NULL;
+- free_netdev(netdev);
+ return ret;
+ }
+
+@@ -2529,7 +2528,6 @@ static int gemini_ethernet_port_remove(struct platform_device *pdev)
+ struct gemini_ethernet_port *port = platform_get_drvdata(pdev);
+
+ gemini_port_remove(port);
+- free_netdev(port->netdev);
+ return 0;
+ }
+
+--
+2.25.1
+
diff --git a/queue-5.4/netfilter-nf_tables-nft_exthdr-the-presence-return-v.patch b/queue-5.4/netfilter-nf_tables-nft_exthdr-the-presence-return-v.patch
new file mode 100644
index 00000000000..7203ec1ddb7
--- /dev/null
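Review bot: With `devm_alloc_etherdev_mqs()` the netdev is released by devres only after `gemini_ethernet_port_remove()` (or a failed probe) has returned, so dropping `free_netdev(port->netdev)` is safe only if `gemini_port_remove()` has by then unregistered the netdev and stopped everything that still dereferences `port`. That function is outside the hunk and should be checked for this ordering. The probe error path keeps `port->netdev = NULL;`, which suggests other code tests that pointer, so a short comment there saying the memory is now devres-owned would help. The new call also passes `TX_QUEUE_NUM` as the RX queue count and runs past 80 columns; wrapping it and adding `/* same count for RX, as alloc_etherdev_mq() did */` would make the equivalence explicit.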
+++ b/queue-5.4/netfilter-nf_tables-nft_exthdr-the-presence-return-v.patch 
@@ -0,0 +1,67 @@ +From 53878b376db3c0d02935fd172075859a753dc484 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Aug 2020 17:44:09 -0400 +Subject: netfilter: nf_tables: nft_exthdr: the presence return value should be + little-endian + +From: Stephen Suryaputra + +[ Upstream commit b428336676dbca363262cc134b6218205df4f530 ] + +On big-endian machine, the returned register data when the exthdr is +present is not being compared correctly because little-endian is +assumed. The function nft_cmp_fast_mask(), called by nft_cmp_fast_eval() +and nft_cmp_fast_init(), calls cpu_to_le32(). + +The following dump also shows that little endian is assumed: + +$ nft --debug=netlink add rule ip recordroute forward ip option rr exists counter +ip + [ exthdr load ipv4 1b @ 7 + 0 present => reg 1 ] + [ cmp eq reg 1 0x01000000 ] + [ counter pkts 0 bytes 0 ] + +Lastly, debug print in nft_cmp_fast_init() and nft_cmp_fast_eval() when +RR option exists in the packet shows that the comparison fails because +the assumption: + +nft_cmp_fast_init:189 priv->sreg=4 desc.len=8 mask=0xff000000 data.data[0]=0x10003e0 +nft_cmp_fast_eval:57 regs->data[priv->sreg=4]=0x1 mask=0xff000000 priv->data=0x1000000 + +v2: use nft_reg_store8() instead (Florian Westphal). Also to avoid the + warnings reported by kernel test robot. 
+ +Fixes: dbb5281a1f84 ("netfilter: nf_tables: add support for matching IPv4 options") +Fixes: c078ca3b0c5b ("netfilter: nft_exthdr: Add support for existence check") +Signed-off-by: Stephen Suryaputra +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_exthdr.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c +index a5e8469859e39..427d77b111b17 100644 +--- a/net/netfilter/nft_exthdr.c ++++ b/net/netfilter/nft_exthdr.c +@@ -44,7 +44,7 @@ static void nft_exthdr_ipv6_eval(const struct nft_expr *expr, + + err = ipv6_find_hdr(pkt->skb, &offset, priv->type, NULL, NULL); + if (priv->flags & NFT_EXTHDR_F_PRESENT) { +- *dest = (err >= 0); ++ nft_reg_store8(dest, err >= 0); + return; + } else if (err < 0) { + goto err; +@@ -141,7 +141,7 @@ static void nft_exthdr_ipv4_eval(const struct nft_expr *expr, + + err = ipv4_find_option(nft_net(pkt), skb, &offset, priv->type); + if (priv->flags & NFT_EXTHDR_F_PRESENT) { +- *dest = (err >= 0); ++ nft_reg_store8(dest, err >= 0); + return; + } else if (err < 0) { + goto err; +-- +2.25.1 + diff --git a/queue-5.4/rdma-bnxt_re-do-not-add-user-qps-to-flushlist.patch b/queue-5.4/rdma-bnxt_re-do-not-add-user-qps-to-flushlist.patch new file mode 100644 index 00000000000..56f10086353 --- /dev/null +++ b/queue-5.4/rdma-bnxt_re-do-not-add-user-qps-to-flushlist.patch 
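Review bot: Both presence branches now use `nft_reg_store8(dest, err >= 0)`, but any other place in nft_exthdr.c that still writes a presence flag with a plain `*dest = ...` would keep the host-endian layout the commit message describes. The rest of the file is outside these hunks, so the remaining eval functions should be checked for the same store. A short comment above each call, e.g. `/* presence is a u8 flag; a plain 32-bit store breaks the compare on big-endian */`, would keep a later edit from reverting to the assignment. Both eval functions start and end outside the hunks.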
@@ -0,0 +1,42 @@
+From 7a46d962d5cd429194615073a1e4353caa50edc1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 5 Aug 2020 21:45:48 -0700
+Subject: RDMA/bnxt_re: Do not add user qps to flushlist
+
+From: Selvin Xavier
+
+[ Upstream commit a812f2d60a9fb7818f9c81f967180317b52545c0 ]
+
+Driver shall add only the kernel qps to the flush list for clean up.
+During async error events from the HW, driver is adding qps to this list
+without checking if the qp is kernel qp or not.
+
+Add a check to avoid user qp addition to the flush list.
+
+Fixes: 942c9b6ca8de ("RDMA/bnxt_re: Avoid Hard lockup during error CQE processing")
+Fixes: c50866e2853a ("bnxt_re: fix the regression due to changes in alloc_pbl")
+Link: https://lore.kernel.org/r/1596689148-4023-1-git-send-email-selvin.xavier@broadcom.com
+Signed-off-by: Selvin Xavier
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Sasha Levin
+---
+ drivers/infiniband/hw/bnxt_re/main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/main.c b/drivers/infiniband/hw/bnxt_re/main.c
+index 27e2df44d043d..cfe5f47d9890e 100644
+--- a/drivers/infiniband/hw/bnxt_re/main.c
++++ b/drivers/infiniband/hw/bnxt_re/main.c
+@@ -789,7 +789,8 @@ static int bnxt_re_handle_qp_async_event(struct creq_qp_event *qp_event,
+ struct ib_event event;
+ unsigned int flags;
+
+- if (qp->qplib_qp.state == CMDQ_MODIFY_QP_NEW_STATE_ERR) {
++ if (qp->qplib_qp.state == CMDQ_MODIFY_QP_NEW_STATE_ERR &&
++ rdma_is_kernel_res(&qp->ib_qp.res)) {
+ flags = bnxt_re_lock_cqs(qp);
+ bnxt_qplib_add_flush_qp(&qp->qplib_qp);
+ bnxt_re_unlock_cqs(qp, flags);
+--
+2.25.1
+
diff --git a/queue-5.4/revert-scsi-qla2xxx-disable-t10-dif-feature-with-fc-.patch b/queue-5.4/revert-scsi-qla2xxx-disable-t10-dif-feature-with-fc-.patch
new file mode 100644
index 00000000000..b72d285257d
--- /dev/null
+++ b/queue-5.4/revert-scsi-qla2xxx-disable-t10-dif-feature-with-fc-.patch
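Review bot: The added `rdma_is_kernel_res(&qp->ib_qp.res)` test carries no comment, and the hunk does not show what now happens to a user QP that reaches `CMDQ_MODIFY_QP_NEW_STATE_ERR`: it simply skips `bnxt_qplib_add_flush_qp()`. A comment on the condition, e.g. `/* only kernel QPs go on the driver's flush list */`, would record the reason given in the commit message. The function continues outside the hunk, so whether the async event is still reported for user QPs cannot be confirmed from here.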
@@ -0,0 +1,44 @@
+From 3be40acea2eefde28bce91b43c7edac8ca11c157 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 6 Aug 2020 04:10:14 -0700
+Subject: Revert "scsi: qla2xxx: Disable T10-DIF feature with FC-NVMe during
+ probe"
+
+From: Quinn Tran
+
+[ Upstream commit dca93232b361d260413933903cd4bdbd92ebcc7f ]
+
+FCP T10-PI and NVMe features are independent of each other. This patch
+allows both features to co-exist.
+
+This reverts commit 5da05a26b8305a625bc9d537671b981795b46dab.
+
+Link: https://lore.kernel.org/r/20200806111014.28434-12-njavali@marvell.com
+Fixes: 5da05a26b830 ("scsi: qla2xxx: Disable T10-DIF feature with FC-NVMe during probe")
+Reviewed-by: Himanshu Madhani
+Signed-off-by: Quinn Tran
+Signed-off-by: Nilesh Javali
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/qla2xxx/qla_os.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c
+index d7ec4083a0911..d91c95d9981ac 100644
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -2804,10 +2804,6 @@ qla2x00_probe_one(struct pci_dev *pdev, const struct pci_device_id *id)
+ /* This may fail but that's ok */
+ pci_enable_pcie_error_reporting(pdev);
+
+- /* Turn off T10-DIF when FC-NVMe is enabled */
+- if (ql2xnvmeenable)
+- ql2xenabledif = 0;
+-
+ ha = kzalloc(sizeof(struct qla_hw_data), GFP_KERNEL);
+ if (!ha) {
+ ql_log_pci(ql_log_fatal, pdev, 0x0009,
+--
+2.25.1
+
diff --git a/queue-5.4/s390-ptrace-fix-storage-key-handling.patch b/queue-5.4/s390-ptrace-fix-storage-key-handling.patch
new file mode 100644
index 00000000000..5d1e9595c09
--- /dev/null
+++ b/queue-5.4/s390-ptrace-fix-storage-key-handling.patch
@@ -0,0 +1,54 @@
+From aeb6de712776c4f8dddc66af27410cbd5f53c1b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 12 Aug 2020 18:56:28 +0200
+Subject: s390/ptrace: fix storage key handling
+
+From: Heiko Carstens
+
+[ Upstream commit fd78c59446b8d050ecf3e0897c5a486c7de7c595 ]
+
+The key member of the runtime instrumentation control block contains
+only the access key, not the complete storage key. Therefore the value
+must be shifted by four bits. Since existing user space does not
+necessarily query and set the access key correctly, just ignore the
+user space provided key and use the correct one.
+Note: this is only relevant for debugging purposes in case somebody
+compiles a kernel with a default storage access key set to a value not
+equal to zero.
+
+Fixes: 262832bc5acd ("s390/ptrace: add runtime instrumention register get/set")
+Reported-by: Claudio Imbrenda
+Signed-off-by: Heiko Carstens
+Signed-off-by: Sasha Levin
+---
+ arch/s390/kernel/ptrace.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/arch/s390/kernel/ptrace.c b/arch/s390/kernel/ptrace.c
+index 5aa786063eb3e..c6aef2ecf2890 100644
+--- a/arch/s390/kernel/ptrace.c
++++ b/arch/s390/kernel/ptrace.c
+@@ -1283,7 +1283,6 @@ static bool is_ri_cb_valid(struct runtime_instr_cb *cb)
+ cb->pc == 1 &&
+ cb->qc == 0 &&
+ cb->reserved2 == 0 &&
+- cb->key == PAGE_DEFAULT_KEY &&
+ cb->reserved3 == 0 &&
+ cb->reserved4 == 0 &&
+ cb->reserved5 == 0 &&
+@@ -1347,7 +1346,11 @@ static int s390_runtime_instr_set(struct task_struct *target,
+ kfree(data);
+ return -EINVAL;
+ }
+-
++ /*
++ * Override access key in any case, since user space should
++ * not be able to set it, nor should it care about it.
++ */
++ ri_cb.key = PAGE_DEFAULT_KEY >> 4;
+ preempt_disable();
+ if (!target->thread.ri_cb)
+ target->thread.ri_cb = data;
+--
+2.25.1
+
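Review bot: The `>> 4` that turns `PAGE_DEFAULT_KEY` into an access key is open-coded in `s390_runtime_instr_set()` here and again in `init_runtime_instr_cb()` in arch/s390/kernel/runtime_instr.c (the next patch in this queue), so the two copies can drift apart. A shared named constant or helper in a common header, commented to say the control block holds only the access key, would keep them in step. Separately, `is_ri_cb_valid()` no longer checks `cb->key`, so `ri_cb.key = PAGE_DEFAULT_KEY >> 4;` is now the only thing that keeps a ptrace caller's value out of the task's control block. That override must stay ahead of the copy into `target->thread.ri_cb`, which happens outside the hunk and should be confirmed.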
diff --git a/queue-5.4/s390-runtime_instrumentation-fix-storage-key-handlin.patch b/queue-5.4/s390-runtime_instrumentation-fix-storage-key-handlin.patch
new file mode 100644
index 00000000000..ec6dd4f89f1
--- /dev/null
+++ b/queue-5.4/s390-runtime_instrumentation-fix-storage-key-handlin.patch
@@ -0,0 +1,40 @@
+From 32e04fef3ca6d98500104cacb6965566700cec17 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 12 Aug 2020 18:55:41 +0200
+Subject: s390/runtime_instrumentation: fix storage key handling
+
+From: Heiko Carstens
+
+[ Upstream commit 9eaba29c7985236e16468f4e6a49cc18cf01443e ]
+
+The key member of the runtime instrumentation control block contains
+only the access key, not the complete storage key. Therefore the value
+must be shifted by four bits.
+Note: this is only relevant for debugging purposes in case somebody
+compiles a kernel with a default storage access key set to a value not
+equal to zero.
+
+Fixes: e4b8b3f33fca ("s390: add support for runtime instrumentation")
+Reported-by: Claudio Imbrenda
+Signed-off-by: Heiko Carstens
+Signed-off-by: Sasha Levin
+---
+ arch/s390/kernel/runtime_instr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/s390/kernel/runtime_instr.c b/arch/s390/kernel/runtime_instr.c
+index 125c7f6e87150..1788a5454b6fc 100644
+--- a/arch/s390/kernel/runtime_instr.c
++++ b/arch/s390/kernel/runtime_instr.c
+@@ -57,7 +57,7 @@ static void init_runtime_instr_cb(struct runtime_instr_cb *cb)
+ cb->k = 1;
+ cb->ps = 1;
+ cb->pc = 1;
+- cb->key = PAGE_DEFAULT_KEY;
++ cb->key = PAGE_DEFAULT_KEY >> 4;
+ cb->v = 1;
+ }
+
+--
+2.25.1
+
diff --git a/queue-5.4/series b/queue-5.4/series
index f7e7cd139bf..99b12a44e19 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -60,3 +60,42 @@ tools-testing-selftests-cgroup-cgroup_util.c-cg_read.patch
 xfs-fix-ubsan-null-ptr-deref-in-xfs_sysfs_init.patch
 alpha-fix-annotation-of-io-read-write-16-32-be.patch
 fs-signalfd.c-fix-inconsistent-return-codes-for-sign.patch
+ext4-fix-potential-negative-array-index-in-do_split.patch
+ext4-don-t-allow-overlapping-system-zones.patch
+netfilter-nf_tables-nft_exthdr-the-presence-return-v.patch
+spi-stm32-fixes-suspend-resume-management.patch
+asoc-q6afe-dai-mark-all-widgets-registers-as-snd_soc.patch
+asoc-q6routing-add-dummy-register-read-write-functio.patch
+bpf-sock_ops-sk-access-may-stomp-registers-when-dst_.patch
+can-j1939-fix-kernel-infoleak-in-j1939_sk_sock2socka.patch
+can-j1939-transport-j1939_simple_recv-ignore-local-j.patch
+can-j1939-transport-add-j1939_session_skb_find_by_of.patch
+i40e-set-rx_only-mode-for-unicast-promiscuous-on-vla.patch
+i40e-fix-crash-during-removing-i40e-driver.patch
+net-fec-correct-the-error-path-for-regulator-disable.patch
+bonding-show-saner-speed-for-broadcast-mode.patch
+can-j1939-fix-support-for-multipacket-broadcast-mess.patch
+can-j1939-cancel-rxtimer-on-multipacket-broadcast-se.patch
+can-j1939-abort-multipacket-broadcast-session-when-t.patch
+can-j1939-add-rxtimer-for-multipacket-broadcast-sess.patch
+bonding-fix-a-potential-double-unregister.patch
+s390-runtime_instrumentation-fix-storage-key-handlin.patch
+s390-ptrace-fix-storage-key-handling.patch
+asoc-msm8916-wcd-analog-fix-register-interrupt-offse.patch
+asoc-intel-fix-memleak-in-sst_media_open.patch
+vfio-type1-add-proper-error-unwind-for-vfio_iommu_re.patch
+kvm-x86-toggling-cr4.smap-does-not-load-pdptes-in-pa.patch
+kvm-x86-toggling-cr4.pke-does-not-load-pdptes-in-pae.patch
+revert-scsi-qla2xxx-disable-t10-dif-feature-with-fc-.patch
+kconfig-qconf-do-not-limit-the-pop-up-menu-to-the-fi.patch
+kconfig-qconf-fix-signal-connection-to-invalid-slots.patch
+efi-avoid-error-message-when-booting-under-xen.patch
+fix-build-error-when-config_acpi-is-not-set-enabled.patch
+rdma-bnxt_re-do-not-add-user-qps-to-flushlist.patch
+afs-fix-null-deref-in-afs_dynroot_depopulate.patch
+arm64-vdso32-install-vdso32-from-vdso_install.patch
+bonding-fix-active-backup-failover-for-current-arp-s.patch
+net-ena-prevent-reset-after-device-destruction.patch
+net-gemini-fix-missing-free_netdev-in-error-path-of-.patch
+hv_netvsc-fix-the-queue_mapping-in-netvsc_vf_xmit.patch
+net-dsa-b53-check-for-timeout.patch
diff --git a/queue-5.4/spi-stm32-fixes-suspend-resume-management.patch b/queue-5.4/spi-stm32-fixes-suspend-resume-management.patch
new file mode 100644
index 00000000000..3f5982575e9
--- /dev/null
+++ b/queue-5.4/spi-stm32-fixes-suspend-resume-management.patch
@@ -0,0 +1,93 @@ +From 324c89ffd6f401357c2b7d02bef5e263cc63b86d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Aug 2020 09:12:37 +0200 +Subject: spi: stm32: fixes suspend/resume management + +From: Amelie Delaunay + +[ Upstream commit db96bf976a4fc65439be0b4524c0d41427d98814 ] + +This patch adds pinctrl power management, and reconfigure spi controller +in case of resume. + +Fixes: 038ac869c9d2 ("spi: stm32: add runtime PM support") + +Signed-off-by: Amelie Delaunay +Signed-off-by: Alain Volmat +Link: https://lore.kernel.org/r/1597043558-29668-5-git-send-email-alain.volmat@st.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-stm32.c | 27 ++++++++++++++++++++++++--- + 1 file changed, 24 insertions(+), 3 deletions(-) + +diff --git a/drivers/spi/spi-stm32.c b/drivers/spi/spi-stm32.c +index b222ce8d083ef..7e92ab0cc9920 100644 +--- a/drivers/spi/spi-stm32.c ++++ b/drivers/spi/spi-stm32.c +@@ -14,6 +14,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -1986,6 +1987,8 @@ static int stm32_spi_remove(struct platform_device *pdev) + + pm_runtime_disable(&pdev->dev); + ++ pinctrl_pm_select_sleep_state(&pdev->dev); ++ + return 0; + } + +@@ -1997,13 +2000,18 @@ static int stm32_spi_runtime_suspend(struct device *dev) + + clk_disable_unprepare(spi->clk); + +- return 0; ++ return pinctrl_pm_select_sleep_state(dev); + } + + static int stm32_spi_runtime_resume(struct device *dev) + { + struct spi_master *master = dev_get_drvdata(dev); + struct stm32_spi *spi = spi_master_get_devdata(master); ++ int ret; ++ ++ ret = pinctrl_pm_select_default_state(dev); ++ if (ret) ++ return ret; + + return clk_prepare_enable(spi->clk); + } +@@ -2033,10 +2041,23 @@ static int stm32_spi_resume(struct device *dev) + return ret; + + ret = spi_master_resume(master); +- if (ret) ++ if (ret) { + clk_disable_unprepare(spi->clk); ++ return ret; ++ } + +- return ret; ++ ret = pm_runtime_get_sync(dev); ++ if (ret) { ++ dev_err(dev, 
"Unable to power device:%d\n", ret); ++ return ret; ++ } ++ ++ spi->cfg->config(spi); ++ ++ pm_runtime_mark_last_busy(dev); ++ pm_runtime_put_autosuspend(dev); ++ ++ return 0; + } + #endif + +-- +2.25.1 + diff --git a/queue-5.4/vfio-type1-add-proper-error-unwind-for-vfio_iommu_re.patch b/queue-5.4/vfio-type1-add-proper-error-unwind-for-vfio_iommu_re.patch new file mode 100644 index 00000000000..90eb8b1da07 --- /dev/null +++ b/queue-5.4/vfio-type1-add-proper-error-unwind-for-vfio_iommu_re.patch 
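Review bot: In `stm32_spi_resume()` the new `if (ret)` after `pm_runtime_get_sync(dev)` treats a return of 1 (device already active) as a failure, and on a real failure it returns without dropping the usage count that `pm_runtime_get_sync()` takes even when it fails. The check should be `if (ret < 0) {` with `pm_runtime_put_noidle(dev);` before `return ret;`. That error path also leaves the clock enabled and the master resumed, unlike the `spi_master_resume()` failure just above it, which calls `clk_disable_unprepare(spi->clk)`. In `stm32_spi_remove()` the result of `pinctrl_pm_select_sleep_state()` is ignored; that is tolerable on a remove path but deserves a comment.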
@@ -0,0 +1,164 @@ +From a96c0c703378d132bdfe24e1d97fab310787e329 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Aug 2020 11:09:13 -0600 +Subject: vfio/type1: Add proper error unwind for vfio_iommu_replay() + +From: Alex Williamson + +[ Upstream commit aae7a75a821a793ed6b8ad502a5890fb8e8f172d ] + +The vfio_iommu_replay() function does not currently unwind on error, +yet it does pin pages, perform IOMMU mapping, and modify the vfio_dma +structure to indicate IOMMU mapping. The IOMMU mappings are torn down +when the domain is destroyed, but the other actions go on to cause +trouble later. For example, the iommu->domain_list can be empty if we +only have a non-IOMMU backed mdev attached. We don't currently check +if the list is empty before getting the first entry in the list, which +leads to a bogus domain pointer. If a vfio_dma entry is erroneously +marked as iommu_mapped, we'll attempt to use that bogus pointer to +retrieve the existing physical page addresses. + +This is the scenario that uncovered this issue, attempting to hot-add +a vfio-pci device to a container with an existing mdev device and DMA +mappings, one of which could not be pinned, causing a failure adding +the new group to the existing container and setting the conditions +for a subsequent attempt to explode. + +To resolve this, we can first check if the domain_list is empty so +that we can reject replay of a bogus domain, should we ever encounter +this inconsistent state again in the future. The real fix though is +to add the necessary unwind support, which means cleaning up the +current pinning if an IOMMU mapping fails, then walking back through +the r-b tree of DMA entries, reading from the IOMMU which ranges are +mapped, and unmapping and unpinning those ranges. To be able to do +this, we also defer marking the DMA entry as IOMMU mapped until all +entries are processed, in order to allow the unwind to know the +disposition of each entry. 
+ +Fixes: a54eb55045ae ("vfio iommu type1: Add support for mediated devices") +Reported-by: Zhiyi Guo +Tested-by: Zhiyi Guo +Reviewed-by: Cornelia Huck +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + drivers/vfio/vfio_iommu_type1.c | 71 ++++++++++++++++++++++++++++++--- + 1 file changed, 66 insertions(+), 5 deletions(-) + +diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c +index 6cc47af1f06d3..ca8c10aa4a4bc 100644 +--- a/drivers/vfio/vfio_iommu_type1.c ++++ b/drivers/vfio/vfio_iommu_type1.c +@@ -1187,13 +1187,16 @@ static int vfio_bus_type(struct device *dev, void *data) + static int vfio_iommu_replay(struct vfio_iommu *iommu, + struct vfio_domain *domain) + { +- struct vfio_domain *d; ++ struct vfio_domain *d = NULL; + struct rb_node *n; + unsigned long limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT; + int ret; + + /* Arbitrarily pick the first domain in the list for lookups */ +- d = list_first_entry(&iommu->domain_list, struct vfio_domain, next); ++ if (!list_empty(&iommu->domain_list)) ++ d = list_first_entry(&iommu->domain_list, ++ struct vfio_domain, next); ++ + n = rb_first(&iommu->dma_list); + + for (; n; n = rb_next(n)) { +@@ -1211,6 +1214,11 @@ static int vfio_iommu_replay(struct vfio_iommu *iommu, + phys_addr_t p; + dma_addr_t i; + ++ if (WARN_ON(!d)) { /* mapped w/o a domain?! 
*/ ++ ret = -EINVAL; ++ goto unwind; ++ } ++ + phys = iommu_iova_to_phys(d->domain, iova); + + if (WARN_ON(!phys)) { +@@ -1240,7 +1248,7 @@ static int vfio_iommu_replay(struct vfio_iommu *iommu, + if (npage <= 0) { + WARN_ON(!npage); + ret = (int)npage; +- return ret; ++ goto unwind; + } + + phys = pfn << PAGE_SHIFT; +@@ -1249,14 +1257,67 @@ static int vfio_iommu_replay(struct vfio_iommu *iommu, + + ret = iommu_map(domain->domain, iova, phys, + size, dma->prot | domain->prot); +- if (ret) +- return ret; ++ if (ret) { ++ if (!dma->iommu_mapped) ++ vfio_unpin_pages_remote(dma, iova, ++ phys >> PAGE_SHIFT, ++ size >> PAGE_SHIFT, ++ true); ++ goto unwind; ++ } + + iova += size; + } ++ } ++ ++ /* All dmas are now mapped, defer to second tree walk for unwind */ ++ for (n = rb_first(&iommu->dma_list); n; n = rb_next(n)) { ++ struct vfio_dma *dma = rb_entry(n, struct vfio_dma, node); ++ + dma->iommu_mapped = true; + } ++ + return 0; ++ ++unwind: ++ for (; n; n = rb_prev(n)) { ++ struct vfio_dma *dma = rb_entry(n, struct vfio_dma, node); ++ dma_addr_t iova; ++ ++ if (dma->iommu_mapped) { ++ iommu_unmap(domain->domain, dma->iova, dma->size); ++ continue; ++ } ++ ++ iova = dma->iova; ++ while (iova < dma->iova + dma->size) { ++ phys_addr_t phys, p; ++ size_t size; ++ dma_addr_t i; ++ ++ phys = iommu_iova_to_phys(domain->domain, iova); ++ if (!phys) { ++ iova += PAGE_SIZE; ++ continue; ++ } ++ ++ size = PAGE_SIZE; ++ p = phys + size; ++ i = iova + size; ++ while (i < dma->iova + dma->size && ++ p == iommu_iova_to_phys(domain->domain, i)) { ++ size += PAGE_SIZE; ++ p += PAGE_SIZE; ++ i += PAGE_SIZE; ++ } ++ ++ iommu_unmap(domain->domain, iova, size); ++ vfio_unpin_pages_remote(dma, iova, phys >> PAGE_SHIFT, ++ size >> PAGE_SHIFT, true); ++ } ++ } ++ ++ return ret; + } + + /* +-- +2.25.1 +
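Review bot: In `vfio_iommu_replay()` the `npage <= 0` branch sets `ret = (int)npage` before `goto unwind`, so if `vfio_pin_pages_remote()` ever returns 0 (the case the `WARN_ON(!npage)` exists for) the function tears down the mappings and then returns 0, which a caller would read as success. Give that case an error code, e.g. `ret = npage ? (int)npage : -EINVAL;`. The `unwind:` loop also depends on `n` still pointing at the entry that failed and on `dma->iommu_mapped` not yet being set for entries handled in this call. A comment at the label stating both would protect that invariant against later edits. Parts of the function body lie between the hunks and are not visible here.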