From: Sasha Levin Date: Mon, 27 Sep 2021 05:02:47 +0000 (-0400) Subject: Fixes for 5.4 X-Git-Tag: v5.4.150~27 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c0535fc30c8f46a2a0e0157a2a8a761b0ec82f83;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/alpha-declare-virt_to_phys-and-virt_to_bus-parameter.patch b/queue-5.4/alpha-declare-virt_to_phys-and-virt_to_bus-parameter.patch new file mode 100644 index 00000000000..ff31dc8fab1 --- /dev/null +++ b/queue-5.4/alpha-declare-virt_to_phys-and-virt_to_bus-parameter.patch @@ -0,0 +1,69 @@ +From 604671ed05bbc253678181f8a34658f7e951912f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Sep 2021 22:00:33 -0700 +Subject: alpha: Declare virt_to_phys and virt_to_bus parameter as pointer to + volatile + +From: Guenter Roeck + +[ Upstream commit 35a3f4ef0ab543daa1725b0c963eb8c05e3376f8 ] + +Some drivers pass a pointer to volatile data to virt_to_bus() and +virt_to_phys(), and that works fine. One exception is alpha. This +results in a number of compile errors such as + + drivers/net/wan/lmc/lmc_main.c: In function 'lmc_softreset': + drivers/net/wan/lmc/lmc_main.c:1782:50: error: + passing argument 1 of 'virt_to_bus' discards 'volatile' + qualifier from pointer target type + + drivers/atm/ambassador.c: In function 'do_loader_command': + drivers/atm/ambassador.c:1747:58: error: + passing argument 1 of 'virt_to_bus' discards 'volatile' + qualifier from pointer target type + +Declare the parameter of virt_to_phys and virt_to_bus as pointer to +volatile to fix the problem. + +Signed-off-by: Guenter Roeck +Acked-by: Arnd Bergmann +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + arch/alpha/include/asm/io.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/alpha/include/asm/io.h b/arch/alpha/include/asm/io.h +index 103270d5a9fc..66a384a4ddba 100644 +--- a/arch/alpha/include/asm/io.h ++++ b/arch/alpha/include/asm/io.h +@@ -61,7 +61,7 @@ extern inline void set_hae(unsigned long new_hae) + * Change virtual addresses to physical addresses and vv. + */ + #ifdef USE_48_BIT_KSEG +-static inline unsigned long virt_to_phys(void *address) ++static inline unsigned long virt_to_phys(volatile void *address) + { + return (unsigned long)address - IDENT_ADDR; + } +@@ -71,7 +71,7 @@ static inline void * phys_to_virt(unsigned long address) + return (void *) (address + IDENT_ADDR); + } + #else +-static inline unsigned long virt_to_phys(void *address) ++static inline unsigned long virt_to_phys(volatile void *address) + { + unsigned long phys = (unsigned long)address; + +@@ -107,7 +107,7 @@ static inline void * phys_to_virt(unsigned long address) + extern unsigned long __direct_map_base; + extern unsigned long __direct_map_size; + +-static inline unsigned long __deprecated virt_to_bus(void *address) ++static inline unsigned long __deprecated virt_to_bus(volatile void *address) + { + unsigned long phys = virt_to_phys(address); + unsigned long bus = phys + __direct_map_base; +-- +2.33.0 + diff --git a/queue-5.4/arm64-mark-__stack_chk_guard-as-__ro_after_init.patch b/queue-5.4/arm64-mark-__stack_chk_guard-as-__ro_after_init.patch new file mode 100644 index 00000000000..9de00401346 --- /dev/null +++ b/queue-5.4/arm64-mark-__stack_chk_guard-as-__ro_after_init.patch @@ -0,0 +1,42 @@ +From 864a911b6e4a7fddb28a1df0ab6b13c8c393cb71 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Sep 2021 17:44:02 +0800 +Subject: arm64: Mark __stack_chk_guard as __ro_after_init + +From: Dan Li + +[ Upstream commit 9fcb2e93f41c07a400885325e7dbdfceba6efaec ] + +__stack_chk_guard is setup once while init stage and never changed +after that. + +Although the modification of this variable at runtime will usually +cause the kernel to crash (so does the attacker), it should be marked +as __ro_after_init, and it should not affect performance if it is +placed in the ro_after_init section. + +Signed-off-by: Dan Li +Acked-by: Mark Rutland +Link: https://lore.kernel.org/r/1631612642-102881-1-git-send-email-ashimida@linux.alibaba.com +Signed-off-by: Catalin Marinas +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/process.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/kernel/process.c b/arch/arm64/kernel/process.c +index 7d7cfa128b71..f61ef46ebff7 100644 +--- a/arch/arm64/kernel/process.c ++++ b/arch/arm64/kernel/process.c +@@ -56,7 +56,7 @@ + + #if defined(CONFIG_STACKPROTECTOR) && !defined(CONFIG_STACKPROTECTOR_PER_TASK) + #include +-unsigned long __stack_chk_guard __read_mostly; ++unsigned long __stack_chk_guard __ro_after_init; + EXPORT_SYMBOL(__stack_chk_guard); + #endif + +-- +2.33.0 + diff --git a/queue-5.4/blk-cgroup-fix-uaf-by-grabbing-blkcg-lock-before-des.patch b/queue-5.4/blk-cgroup-fix-uaf-by-grabbing-blkcg-lock-before-des.patch new file mode 100644 index 00000000000..4807b66dc0a --- /dev/null +++ b/queue-5.4/blk-cgroup-fix-uaf-by-grabbing-blkcg-lock-before-des.patch @@ -0,0 +1,181 @@ +From c72d60ff0cf42f2b1bc1f1124f6246a1cf555c07 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Sep 2021 12:26:05 +0800 +Subject: blk-cgroup: fix UAF by grabbing blkcg lock before destroying blkg pd + +From: Li Jinlin + +[ Upstream commit 858560b27645e7e97aca37ee8f232cccd658fbd2 ] + +KASAN reports a use-after-free report when doing fuzz test: + +[693354.104835] ================================================================== +[693354.105094] BUG: KASAN: use-after-free in bfq_io_set_weight_legacy+0xd3/0x160 +[693354.105336] Read of size 4 at addr ffff888be0a35664 by task sh/1453338 + +[693354.105607] CPU: 41 PID: 1453338 Comm: sh Kdump: loaded Not tainted 4.18.0-147 +[693354.105610] Hardware name: Huawei 2288H V5/BC11SPSCB0, BIOS 0.81 07/02/2018 +[693354.105612] Call Trace: +[693354.105621] dump_stack+0xf1/0x19b +[693354.105626] ? show_regs_print_info+0x5/0x5 +[693354.105634] ? printk+0x9c/0xc3 +[693354.105638] ? cpumask_weight+0x1f/0x1f +[693354.105648] print_address_description+0x70/0x360 +[693354.105654] kasan_report+0x1b2/0x330 +[693354.105659] ? bfq_io_set_weight_legacy+0xd3/0x160 +[693354.105665] ? bfq_io_set_weight_legacy+0xd3/0x160 +[693354.105670] bfq_io_set_weight_legacy+0xd3/0x160 +[693354.105675] ? bfq_cpd_init+0x20/0x20 +[693354.105683] cgroup_file_write+0x3aa/0x510 +[693354.105693] ? ___slab_alloc+0x507/0x540 +[693354.105698] ? cgroup_file_poll+0x60/0x60 +[693354.105702] ? 0xffffffff89600000 +[693354.105708] ? usercopy_abort+0x90/0x90 +[693354.105716] ? mutex_lock+0xef/0x180 +[693354.105726] kernfs_fop_write+0x1ab/0x280 +[693354.105732] ? cgroup_file_poll+0x60/0x60 +[693354.105738] vfs_write+0xe7/0x230 +[693354.105744] ksys_write+0xb0/0x140 +[693354.105749] ? __ia32_sys_read+0x50/0x50 +[693354.105760] do_syscall_64+0x112/0x370 +[693354.105766] ? syscall_return_slowpath+0x260/0x260 +[693354.105772] ? do_page_fault+0x9b/0x270 +[693354.105779] ? prepare_exit_to_usermode+0xf9/0x1a0 +[693354.105784] ? enter_from_user_mode+0x30/0x30 +[693354.105793] entry_SYSCALL_64_after_hwframe+0x65/0xca + +[693354.105875] Allocated by task 1453337: +[693354.106001] kasan_kmalloc+0xa0/0xd0 +[693354.106006] kmem_cache_alloc_node_trace+0x108/0x220 +[693354.106010] bfq_pd_alloc+0x96/0x120 +[693354.106015] blkcg_activate_policy+0x1b7/0x2b0 +[693354.106020] bfq_create_group_hierarchy+0x1e/0x80 +[693354.106026] bfq_init_queue+0x678/0x8c0 +[693354.106031] blk_mq_init_sched+0x1f8/0x460 +[693354.106037] elevator_switch_mq+0xe1/0x240 +[693354.106041] elevator_switch+0x25/0x40 +[693354.106045] elv_iosched_store+0x1a1/0x230 +[693354.106049] queue_attr_store+0x78/0xb0 +[693354.106053] kernfs_fop_write+0x1ab/0x280 +[693354.106056] vfs_write+0xe7/0x230 +[693354.106060] ksys_write+0xb0/0x140 +[693354.106064] do_syscall_64+0x112/0x370 +[693354.106069] entry_SYSCALL_64_after_hwframe+0x65/0xca + +[693354.106114] Freed by task 1453336: +[693354.106225] __kasan_slab_free+0x130/0x180 +[693354.106229] kfree+0x90/0x1b0 +[693354.106233] blkcg_deactivate_policy+0x12c/0x220 +[693354.106238] bfq_exit_queue+0xf5/0x110 +[693354.106241] blk_mq_exit_sched+0x104/0x130 +[693354.106245] __elevator_exit+0x45/0x60 +[693354.106249] elevator_switch_mq+0xd6/0x240 +[693354.106253] elevator_switch+0x25/0x40 +[693354.106257] elv_iosched_store+0x1a1/0x230 +[693354.106261] queue_attr_store+0x78/0xb0 +[693354.106264] kernfs_fop_write+0x1ab/0x280 +[693354.106268] vfs_write+0xe7/0x230 +[693354.106271] ksys_write+0xb0/0x140 +[693354.106275] do_syscall_64+0x112/0x370 +[693354.106280] entry_SYSCALL_64_after_hwframe+0x65/0xca + +[693354.106329] The buggy address belongs to the object at ffff888be0a35580 + which belongs to the cache kmalloc-1k of size 1024 +[693354.106736] The buggy address is located 228 bytes inside of + 1024-byte region [ffff888be0a35580, ffff888be0a35980) +[693354.107114] The buggy address belongs to the page: +[693354.107273] page:ffffea002f828c00 count:1 mapcount:0 mapping:ffff888107c17080 index:0x0 compound_mapcount: 0 +[693354.107606] flags: 0x17ffffc0008100(slab|head) +[693354.107760] raw: 0017ffffc0008100 ffffea002fcbc808 ffffea0030bd3a08 ffff888107c17080 +[693354.108020] raw: 0000000000000000 00000000001c001c 00000001ffffffff 0000000000000000 +[693354.108278] page dumped because: kasan: bad access detected + +[693354.108511] Memory state around the buggy address: +[693354.108671] ffff888be0a35500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[693354.116396] ffff888be0a35580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[693354.124473] >ffff888be0a35600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[693354.132421] ^ +[693354.140284] ffff888be0a35680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[693354.147912] ffff888be0a35700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[693354.155281] ================================================================== + +blkgs are protected by both queue and blkcg locks and holding +either should stabilize them. However, the path of destroying +blkg policy data is only protected by queue lock in +blkcg_activate_policy()/blkcg_deactivate_policy(). Other tasks +can get the blkg policy data before the blkg policy data is +destroyed, and use it after destroyed, which will result in a +use-after-free. + +CPU0 CPU1 +blkcg_deactivate_policy + spin_lock_irq(&q->queue_lock) + bfq_io_set_weight_legacy + spin_lock_irq(&blkcg->lock) + blkg_to_bfqg(blkg) + pd_to_bfqg(blkg->pd[pol->plid]) + ^^^^^^blkg->pd[pol->plid] != NULL + bfqg != NULL + pol->pd_free_fn(blkg->pd[pol->plid]) + pd_to_bfqg(blkg->pd[pol->plid]) + bfqg_put(bfqg) + kfree(bfqg) + blkg->pd[pol->plid] = NULL + spin_unlock_irq(q->queue_lock); + bfq_group_set_weight(bfqg, val, 0) + bfqg->entity.new_weight + ^^^^^^trigger uaf here + spin_unlock_irq(&blkcg->lock); + +Fix by grabbing the matching blkcg lock before trying to +destroy blkg policy data. + +Suggested-by: Tejun Heo +Signed-off-by: Li Jinlin +Acked-by: Tejun Heo +Link: https://lore.kernel.org/r/20210914042605.3260596-1-lijinlin3@huawei.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-cgroup.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c +index cb3d44d20005..dde8d0acfb34 100644 +--- a/block/blk-cgroup.c ++++ b/block/blk-cgroup.c +@@ -1462,10 +1462,14 @@ enomem: + /* alloc failed, nothing's initialized yet, free everything */ + spin_lock_irq(&q->queue_lock); + list_for_each_entry(blkg, &q->blkg_list, q_node) { ++ struct blkcg *blkcg = blkg->blkcg; ++ ++ spin_lock(&blkcg->lock); + if (blkg->pd[pol->plid]) { + pol->pd_free_fn(blkg->pd[pol->plid]); + blkg->pd[pol->plid] = NULL; + } ++ spin_unlock(&blkcg->lock); + } + spin_unlock_irq(&q->queue_lock); + ret = -ENOMEM; +@@ -1497,12 +1501,16 @@ void blkcg_deactivate_policy(struct request_queue *q, + __clear_bit(pol->plid, q->blkcg_pols); + + list_for_each_entry(blkg, &q->blkg_list, q_node) { ++ struct blkcg *blkcg = blkg->blkcg; ++ ++ spin_lock(&blkcg->lock); + if (blkg->pd[pol->plid]) { + if (pol->pd_offline_fn) + pol->pd_offline_fn(blkg->pd[pol->plid]); + pol->pd_free_fn(blkg->pd[pol->plid]); + blkg->pd[pol->plid] = NULL; + } ++ spin_unlock(&blkcg->lock); + } + + spin_unlock_irq(&q->queue_lock); +-- +2.33.0 + diff --git a/queue-5.4/blktrace-fix-uaf-in-blk_trace-access-after-removing-.patch b/queue-5.4/blktrace-fix-uaf-in-blk_trace-access-after-removing-.patch new file mode 100644 index 00000000000..f2f453043ea --- /dev/null +++ b/queue-5.4/blktrace-fix-uaf-in-blk_trace-access-after-removing-.patch @@ -0,0 +1,93 @@ +From f01569da8b7923cca5ccb5c557b5deeefde22ca6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Sep 2021 21:49:21 +0800 +Subject: blktrace: Fix uaf in blk_trace access after removing by sysfs + +From: Zhihao Cheng + +[ Upstream commit 5afedf670caf30a2b5a52da96eb7eac7dee6a9c9 ] + +There is an use-after-free problem triggered by following process: + + P1(sda) P2(sdb) + echo 0 > /sys/block/sdb/trace/enable + blk_trace_remove_queue + synchronize_rcu + blk_trace_free + relay_close +rcu_read_lock +__blk_add_trace + trace_note_tsk + (Iterate running_trace_list) + relay_close_buf + relay_destroy_buf + kfree(buf) + trace_note(sdb's bt) + relay_reserve + buf->offset <- nullptr deference (use-after-free) !!! +rcu_read_unlock + +[ 502.714379] BUG: kernel NULL pointer dereference, address: +0000000000000010 +[ 502.715260] #PF: supervisor read access in kernel mode +[ 502.715903] #PF: error_code(0x0000) - not-present page +[ 502.716546] PGD 103984067 P4D 103984067 PUD 17592b067 PMD 0 +[ 502.717252] Oops: 0000 [#1] SMP +[ 502.720308] RIP: 0010:trace_note.isra.0+0x86/0x360 +[ 502.732872] Call Trace: +[ 502.733193] __blk_add_trace.cold+0x137/0x1a3 +[ 502.733734] blk_add_trace_rq+0x7b/0xd0 +[ 502.734207] blk_add_trace_rq_issue+0x54/0xa0 +[ 502.734755] blk_mq_start_request+0xde/0x1b0 +[ 502.735287] scsi_queue_rq+0x528/0x1140 +... +[ 502.742704] sg_new_write.isra.0+0x16e/0x3e0 +[ 502.747501] sg_ioctl+0x466/0x1100 + +Reproduce method: + ioctl(/dev/sda, BLKTRACESETUP, blk_user_trace_setup[buf_size=127]) + ioctl(/dev/sda, BLKTRACESTART) + ioctl(/dev/sdb, BLKTRACESETUP, blk_user_trace_setup[buf_size=127]) + ioctl(/dev/sdb, BLKTRACESTART) + + echo 0 > /sys/block/sdb/trace/enable & + // Add delay(mdelay/msleep) before kernel enters blk_trace_free() + + ioctl$SG_IO(/dev/sda, SG_IO, ...) + // Enters trace_note_tsk() after blk_trace_free() returned + // Use mdelay in rcu region rather than msleep(which may schedule out) + +Remove blk_trace from running_list before calling blk_trace_free() by +sysfs if blk_trace is at Blktrace_running state. + +Fixes: c71a896154119f ("blktrace: add ftrace plugin") +Signed-off-by: Zhihao Cheng +Link: https://lore.kernel.org/r/20210923134921.109194-1-chengzhihao1@huawei.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + kernel/trace/blktrace.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c +index 884333b9fc76..749b27851f45 100644 +--- a/kernel/trace/blktrace.c ++++ b/kernel/trace/blktrace.c +@@ -1656,6 +1656,14 @@ static int blk_trace_remove_queue(struct request_queue *q) + if (bt == NULL) + return -EINVAL; + ++ if (bt->trace_state == Blktrace_running) { ++ bt->trace_state = Blktrace_stopped; ++ spin_lock_irq(&running_trace_lock); ++ list_del_init(&bt->running_list); ++ spin_unlock_irq(&running_trace_lock); ++ relay_flush(bt->rchan); ++ } ++ + put_probe_ref(); + synchronize_rcu(); + blk_trace_free(bt); +-- +2.33.0 + diff --git a/queue-5.4/bpf-add-oversize-check-before-call-kvcalloc.patch b/queue-5.4/bpf-add-oversize-check-before-call-kvcalloc.patch new file mode 100644 index 00000000000..a018a269592 --- /dev/null +++ b/queue-5.4/bpf-add-oversize-check-before-call-kvcalloc.patch @@ -0,0 +1,60 @@ +From 6e112afb7ca9a5369403ea480ee76445059a1b58 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 11 Sep 2021 08:55:57 +0800 +Subject: bpf: Add oversize check before call kvcalloc() + +From: Bixuan Cui + +[ Upstream commit 0e6491b559704da720f6da09dd0a52c4df44c514 ] + +Commit 7661809d493b ("mm: don't allow oversized kvmalloc() calls") add the +oversize check. When the allocation is larger than what kmalloc() supports, +the following warning triggered: + +WARNING: CPU: 0 PID: 8408 at mm/util.c:597 kvmalloc_node+0x108/0x110 mm/util.c:597 +Modules linked in: +CPU: 0 PID: 8408 Comm: syz-executor221 Not tainted 5.14.0-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +RIP: 0010:kvmalloc_node+0x108/0x110 mm/util.c:597 +Call Trace: + kvmalloc include/linux/mm.h:806 [inline] + kvmalloc_array include/linux/mm.h:824 [inline] + kvcalloc include/linux/mm.h:829 [inline] + check_btf_line kernel/bpf/verifier.c:9925 [inline] + check_btf_info kernel/bpf/verifier.c:10049 [inline] + bpf_check+0xd634/0x150d0 kernel/bpf/verifier.c:13759 + bpf_prog_load kernel/bpf/syscall.c:2301 [inline] + __sys_bpf+0x11181/0x126e0 kernel/bpf/syscall.c:4587 + __do_sys_bpf kernel/bpf/syscall.c:4691 [inline] + __se_sys_bpf kernel/bpf/syscall.c:4689 [inline] + __x64_sys_bpf+0x78/0x90 kernel/bpf/syscall.c:4689 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +Reported-by: syzbot+f3e749d4c662818ae439@syzkaller.appspotmail.com +Signed-off-by: Bixuan Cui +Signed-off-by: Alexei Starovoitov +Acked-by: Yonghong Song +Link: https://lore.kernel.org/bpf/20210911005557.45518-1-cuibixuan@huawei.com +Signed-off-by: Sasha Levin +--- + kernel/bpf/verifier.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index 60383b28549b..9c5fa5c52903 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -6839,6 +6839,8 @@ static int check_btf_line(struct bpf_verifier_env *env, + nr_linfo = attr->line_info_cnt; + if (!nr_linfo) + return 0; ++ if (nr_linfo > INT_MAX / sizeof(struct bpf_line_info)) ++ return -EINVAL; + + rec_size = attr->line_info_rec_size; + if (rec_size < MIN_BPF_LINEINFO_SIZE || +-- +2.33.0 + diff --git a/queue-5.4/cifs-fix-a-sign-extension-bug.patch b/queue-5.4/cifs-fix-a-sign-extension-bug.patch new file mode 100644 index 00000000000..508bf4587a1 --- /dev/null +++ b/queue-5.4/cifs-fix-a-sign-extension-bug.patch @@ -0,0 +1,46 @@ +From c727ab98842b45b98a789b26d57eba1efe74a9a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Sep 2021 23:33:35 +0300 +Subject: cifs: fix a sign extension bug + +From: Dan Carpenter + +[ Upstream commit e946d3c887a9dc33aa82a349c6284f4a084163f4 ] + +The problem is the mismatched types between "ctx->total_len" which is +an unsigned int, "rc" which is an int, and "ctx->rc" which is a +ssize_t. The code does: + + ctx->rc = (rc == 0) ? ctx->total_len : rc; + +We want "ctx->rc" to store the negative "rc" error code. But what +happens is that "rc" is type promoted to a high unsigned int and +'ctx->rc" will store the high positive value instead of a negative +value. + +The fix is to change "rc" from an int to a ssize_t. + +Fixes: c610c4b619e5 ("CIFS: Add asynchronous write support through kernel AIO") +Signed-off-by: Dan Carpenter +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/file.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/cifs/file.c b/fs/cifs/file.c +index 1aac8d38f887..a9746af5a44d 100644 +--- a/fs/cifs/file.c ++++ b/fs/cifs/file.c +@@ -2989,7 +2989,7 @@ static void collect_uncached_write_data(struct cifs_aio_ctx *ctx) + struct cifs_tcon *tcon; + struct cifs_sb_info *cifs_sb; + struct dentry *dentry = ctx->cfile->dentry; +- int rc; ++ ssize_t rc; + + tcon = tlink_tcon(ctx->cfile->tlink); + cifs_sb = CIFS_SB(dentry->d_sb); +-- +2.33.0 + diff --git a/queue-5.4/compiler.h-introduce-absolute_pointer-macro.patch b/queue-5.4/compiler.h-introduce-absolute_pointer-macro.patch new file mode 100644 index 00000000000..380b96ee472 --- /dev/null +++ b/queue-5.4/compiler.h-introduce-absolute_pointer-macro.patch @@ -0,0 +1,44 @@ +From 30c9fe53039de1c7291d290c0b24906101579e79 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Sep 2021 20:52:24 -0700 +Subject: compiler.h: Introduce absolute_pointer macro + +From: Guenter Roeck + +[ Upstream commit f6b5f1a56987de837f8e25cd560847106b8632a8 ] + +absolute_pointer() disassociates a pointer from its originating symbol +type and context. Use it to prevent compiler warnings/errors such as + + drivers/net/ethernet/i825xx/82596.c: In function 'i82596_probe': + arch/m68k/include/asm/string.h:72:25: error: + '__builtin_memcpy' reading 6 bytes from a region of size 0 [-Werror=stringop-overread] + +Such warnings may be reported by gcc 11.x for string and memory +operations on fixed addresses. + +Suggested-by: Linus Torvalds +Signed-off-by: Guenter Roeck +Reviewed-by: Geert Uytterhoeven +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + include/linux/compiler.h | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/include/linux/compiler.h b/include/linux/compiler.h +index 9446e8fbe55c..bce983406aaf 100644 +--- a/include/linux/compiler.h ++++ b/include/linux/compiler.h +@@ -233,6 +233,8 @@ void ftrace_likely_update(struct ftrace_likely_data *f, int val, + (typeof(ptr)) (__ptr + (off)); }) + #endif + ++#define absolute_pointer(val) RELOC_HIDE((void *)(val), 0) ++ + #ifndef OPTIMIZER_HIDE_VAR + /* Make the optimizer believe the variable can be manipulated arbitrarily. */ + #define OPTIMIZER_HIDE_VAR(var) \ +-- +2.33.0 + diff --git a/queue-5.4/fpga-machxo2-spi-fix-missing-error-code-in-machxo2_w.patch b/queue-5.4/fpga-machxo2-spi-fix-missing-error-code-in-machxo2_w.patch new file mode 100644 index 00000000000..446cc2b6877 --- /dev/null +++ b/queue-5.4/fpga-machxo2-spi-fix-missing-error-code-in-machxo2_w.patch @@ -0,0 +1,42 @@ +From fca1adb69b87b5e9046197cc459efe6cbb81ac4d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Aug 2021 14:40:42 +0800 +Subject: fpga: machxo2-spi: Fix missing error code in machxo2_write_complete() + +From: Jiapeng Chong + +[ Upstream commit a1e4470823d99e75b596748086e120dea169ed3c ] + +The error code is missing in this code scenario, add the error code +'-EINVAL' to the return value 'ret'. + +Eliminate the follow smatch warning: + +drivers/fpga/machxo2-spi.c:341 machxo2_write_complete() + warn: missing error code 'ret'. + +[mdf@kernel.org: Reworded commit message] +Fixes: 88fb3a002330 ("fpga: lattice machxo2: Add Lattice MachXO2 support") +Reported-by: Abaci Robot +Signed-off-by: Jiapeng Chong +Signed-off-by: Moritz Fischer +Signed-off-by: Sasha Levin +--- + drivers/fpga/machxo2-spi.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/fpga/machxo2-spi.c b/drivers/fpga/machxo2-spi.c +index 2fd097c3994b..37e54e375528 100644 +--- a/drivers/fpga/machxo2-spi.c ++++ b/drivers/fpga/machxo2-spi.c +@@ -334,6 +334,7 @@ static int machxo2_write_complete(struct fpga_manager *mgr, + break; + if (++refreshloop == MACHXO2_MAX_REFRESH_LOOP) { + machxo2_cleanup(mgr); ++ ret = -EINVAL; + goto fail; + } + } while (1); +-- +2.33.0 + diff --git a/queue-5.4/fpga-machxo2-spi-return-an-error-on-failure.patch b/queue-5.4/fpga-machxo2-spi-return-an-error-on-failure.patch new file mode 100644 index 00000000000..7168fb60563 --- /dev/null +++ b/queue-5.4/fpga-machxo2-spi-return-an-error-on-failure.patch @@ -0,0 +1,56 @@ +From 3fa20fd4655771f1f5fa7b02cc334e13edfa75ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Aug 2021 09:40:36 -0700 +Subject: fpga: machxo2-spi: Return an error on failure + +From: Tom Rix + +[ Upstream commit 34331739e19fd6a293d488add28832ad49c9fc54 ] + +Earlier successes leave 'ret' in a non error state, so these errors are +not reported. Set ret to -EINVAL before going to the error handler. + +This addresses two issues reported by smatch: +drivers/fpga/machxo2-spi.c:229 machxo2_write_init() + warn: missing error code 'ret' + +drivers/fpga/machxo2-spi.c:316 machxo2_write_complete() + warn: missing error code 'ret' + +[mdf@kernel.org: Reworded commit message] +Fixes: 88fb3a002330 ("fpga: lattice machxo2: Add Lattice MachXO2 support") +Reported-by: Dan Carpenter +Signed-off-by: Tom Rix +Signed-off-by: Moritz Fischer +Signed-off-by: Sasha Levin +--- + drivers/fpga/machxo2-spi.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/fpga/machxo2-spi.c b/drivers/fpga/machxo2-spi.c +index 4d8a87641587..2fd097c3994b 100644 +--- a/drivers/fpga/machxo2-spi.c ++++ b/drivers/fpga/machxo2-spi.c +@@ -223,8 +223,10 @@ static int machxo2_write_init(struct fpga_manager *mgr, + goto fail; + + get_status(spi, &status); +- if (test_bit(FAIL, &status)) ++ if (test_bit(FAIL, &status)) { ++ ret = -EINVAL; + goto fail; ++ } + dump_status_reg(&status); + + spi_message_init(&msg); +@@ -310,6 +312,7 @@ static int machxo2_write_complete(struct fpga_manager *mgr, + dump_status_reg(&status); + if (!test_bit(DONE, &status)) { + machxo2_cleanup(mgr); ++ ret = -EINVAL; + goto fail; + } + +-- +2.33.0 + diff --git a/queue-5.4/ipv6-delay-fib6_sernum-increase-in-fib6_add.patch b/queue-5.4/ipv6-delay-fib6_sernum-increase-in-fib6_add.patch new file mode 100644 index 00000000000..5d84467f325 --- /dev/null +++ b/queue-5.4/ipv6-delay-fib6_sernum-increase-in-fib6_add.patch @@ -0,0 +1,44 @@ +From 37073983a482f96c20a32f6729d2b65615a825b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Sep 2021 16:39:18 +0800 +Subject: ipv6: delay fib6_sernum increase in fib6_add + +From: zhang kai + +[ Upstream commit e87b5052271e39d62337ade531992b7e5d8c2cfa ] + +only increase fib6_sernum in net namespace after add fib6_info +successfully. + +Signed-off-by: zhang kai +Reviewed-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/ip6_fib.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c +index bb68290ad68d..9a6f66e0e9a2 100644 +--- a/net/ipv6/ip6_fib.c ++++ b/net/ipv6/ip6_fib.c +@@ -1310,7 +1310,6 @@ int fib6_add(struct fib6_node *root, struct fib6_info *rt, + int err = -ENOMEM; + int allow_create = 1; + int replace_required = 0; +- int sernum = fib6_new_sernum(info->nl_net); + + if (info->nlh) { + if (!(info->nlh->nlmsg_flags & NLM_F_CREATE)) +@@ -1410,7 +1409,7 @@ int fib6_add(struct fib6_node *root, struct fib6_info *rt, + if (!err) { + if (rt->nh) + list_add(&rt->nh_list, &rt->nh->f6i_list); +- __fib6_update_sernum_upto_root(rt, sernum); ++ __fib6_update_sernum_upto_root(rt, fib6_new_sernum(info->nl_net)); + fib6_start_gc(info->nl_net, rt); + } + +-- +2.33.0 + diff --git a/queue-5.4/irqchip-gic-v3-its-fix-potential-vpe-leak-on-error.patch b/queue-5.4/irqchip-gic-v3-its-fix-potential-vpe-leak-on-error.patch new file mode 100644 index 00000000000..24416e1a41d --- /dev/null +++ b/queue-5.4/irqchip-gic-v3-its-fix-potential-vpe-leak-on-error.patch @@ -0,0 +1,41 @@ +From bdb4c44f8c061a327b8f208cd43fdf26289616f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Sep 2021 10:20:55 +0800 +Subject: irqchip/gic-v3-its: Fix potential VPE leak on error + +From: Kaige Fu + +[ Upstream commit 280bef512933b2dda01d681d8cbe499b98fc5bdd ] + +In its_vpe_irq_domain_alloc, when its_vpe_init() returns an error, +there is an off-by-one in the number of VPEs to be freed. + +Fix it by simply passing the number of VPEs allocated, which is the +index of the loop iterating over the VPEs. + +Fixes: 7d75bbb4bc1a ("irqchip/gic-v3-its: Add VPE irq domain allocation/teardown") +Signed-off-by: Kaige Fu +[maz: fixed commit message] +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/d9e36dee512e63670287ed9eff884a5d8d6d27f2.1631672311.git.kaige.fu@linux.alibaba.com +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-gic-v3-its.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c +index f298313b87ac..398c54387988 100644 +--- a/drivers/irqchip/irq-gic-v3-its.c ++++ b/drivers/irqchip/irq-gic-v3-its.c +@@ -3123,7 +3123,7 @@ static int its_vpe_irq_domain_alloc(struct irq_domain *domain, unsigned int virq + + if (err) { + if (i > 0) +- its_vpe_irq_domain_free(domain, virq, i - 1); ++ its_vpe_irq_domain_free(domain, virq, i); + + its_lpi_free(bitmap, base, nr_ids); + its_free_prop_table(vprop_page); +-- +2.33.0 + diff --git a/queue-5.4/irqchip-goldfish-pic-select-generic_irq_chip-to-fix-.patch b/queue-5.4/irqchip-goldfish-pic-select-generic_irq_chip-to-fix-.patch new file mode 100644 index 00000000000..8fb140bd5fb --- /dev/null +++ b/queue-5.4/irqchip-goldfish-pic-select-generic_irq_chip-to-fix-.patch @@ -0,0 +1,55 @@ +From 7fe00b1f42b40bd775f81a5069d92cb58cba03d7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 5 Sep 2021 09:25:19 -0700 +Subject: irqchip/goldfish-pic: Select GENERIC_IRQ_CHIP to fix build + +From: Randy Dunlap + +[ Upstream commit 969ac78db78c723a24e9410666b457cc1b0cb3c3 ] + +irq-goldfish-pic uses GENERIC_IRQ_CHIP interfaces so select that symbol +to fix build errors. + +Fixes these build errors: + +mips-linux-ld: drivers/irqchip/irq-goldfish-pic.o: in function `goldfish_pic_of_init': +irq-goldfish-pic.c:(.init.text+0xc0): undefined reference to `irq_alloc_generic_chip' +mips-linux-ld: irq-goldfish-pic.c:(.init.text+0xf4): undefined reference to `irq_gc_unmask_enable_reg' +mips-linux-ld: irq-goldfish-pic.c:(.init.text+0xf8): undefined reference to `irq_gc_unmask_enable_reg' +mips-linux-ld: irq-goldfish-pic.c:(.init.text+0x100): undefined reference to `irq_gc_mask_disable_reg' +mips-linux-ld: irq-goldfish-pic.c:(.init.text+0x104): undefined reference to `irq_gc_mask_disable_reg' +mips-linux-ld: irq-goldfish-pic.c:(.init.text+0x11c): undefined reference to `irq_setup_generic_chip' +mips-linux-ld: irq-goldfish-pic.c:(.init.text+0x168): undefined reference to `irq_remove_generic_chip' + +Fixes: 4235ff50cf98 ("irqchip/irq-goldfish-pic: Add Goldfish PIC driver") +Signed-off-by: Randy Dunlap +Reported-by: kernel test robot +Cc: Miodrag Dinic +Cc: Geert Uytterhoeven +Cc: Bartosz Golaszewski +Cc: Thomas Gleixner +Cc: Marc Zyngier +Cc: Goran Ferenc +Cc: Aleksandar Markovic +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20210905162519.21507-1-rdunlap@infradead.org +Signed-off-by: Sasha Levin +--- + drivers/irqchip/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/irqchip/Kconfig b/drivers/irqchip/Kconfig +index 97f9c001d8ff..20f44ef9c4c9 100644 +--- a/drivers/irqchip/Kconfig ++++ b/drivers/irqchip/Kconfig +@@ -415,6 +415,7 @@ config MESON_IRQ_GPIO + config GOLDFISH_PIC + bool "Goldfish programmable interrupt controller" + depends on MIPS && (GOLDFISH || COMPILE_TEST) ++ select GENERIC_IRQ_CHIP + select IRQ_DOMAIN + help + Say yes here to enable Goldfish interrupt controller driver used +-- +2.33.0 + diff --git a/queue-5.4/m68k-double-cast-io-functions-to-unsigned-long.patch b/queue-5.4/m68k-double-cast-io-functions-to-unsigned-long.patch new file mode 100644 index 00000000000..80ca4530836 --- /dev/null +++ b/queue-5.4/m68k-double-cast-io-functions-to-unsigned-long.patch @@ -0,0 +1,68 @@ +From 143303c8d0d4d749a1fb1beda3e517b2c0295ad8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Sep 2021 23:07:29 -0700 +Subject: m68k: Double cast io functions to unsigned long + +From: Guenter Roeck + +[ Upstream commit b1a89856fbf63fffde6a4771d8f1ac21df549e50 ] + +m68k builds fail widely with errors such as + +arch/m68k/include/asm/raw_io.h:20:19: error: + cast to pointer from integer of different size +arch/m68k/include/asm/raw_io.h:30:32: error: + cast to pointer from integer of different size [-Werror=int-to-p + +On m68k, io functions are defined as macros. The problem is seen if the +macro parameter variable size differs from the size of a pointer. Cast +the parameter of all io macros to unsigned long before casting it to +a pointer to fix the problem. + +Signed-off-by: Guenter Roeck +Link: https://lore.kernel.org/r/20210907060729.2391992-1-linux@roeck-us.net +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + arch/m68k/include/asm/raw_io.h | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/arch/m68k/include/asm/raw_io.h b/arch/m68k/include/asm/raw_io.h +index 8a6dc6e5a279..8ab3c350bd53 100644 +--- a/arch/m68k/include/asm/raw_io.h ++++ b/arch/m68k/include/asm/raw_io.h +@@ -17,21 +17,21 @@ + * two accesses to memory, which may be undesirable for some devices. + */ + #define in_8(addr) \ +- ({ u8 __v = (*(__force volatile u8 *) (addr)); __v; }) ++ ({ u8 __v = (*(__force volatile u8 *) (unsigned long)(addr)); __v; }) + #define in_be16(addr) \ +- ({ u16 __v = (*(__force volatile u16 *) (addr)); __v; }) ++ ({ u16 __v = (*(__force volatile u16 *) (unsigned long)(addr)); __v; }) + #define in_be32(addr) \ +- ({ u32 __v = (*(__force volatile u32 *) (addr)); __v; }) ++ ({ u32 __v = (*(__force volatile u32 *) (unsigned long)(addr)); __v; }) + #define in_le16(addr) \ +- ({ u16 __v = le16_to_cpu(*(__force volatile __le16 *) (addr)); __v; }) ++ ({ u16 __v = le16_to_cpu(*(__force volatile __le16 *) (unsigned long)(addr)); __v; }) + #define in_le32(addr) \ +- ({ u32 __v = le32_to_cpu(*(__force volatile __le32 *) (addr)); __v; }) ++ ({ u32 __v = le32_to_cpu(*(__force volatile __le32 *) (unsigned long)(addr)); __v; }) + +-#define out_8(addr,b) (void)((*(__force volatile u8 *) (addr)) = (b)) +-#define out_be16(addr,w) (void)((*(__force volatile u16 *) (addr)) = (w)) +-#define out_be32(addr,l) (void)((*(__force volatile u32 *) (addr)) = (l)) +-#define out_le16(addr,w) (void)((*(__force volatile __le16 *) (addr)) = cpu_to_le16(w)) +-#define out_le32(addr,l) (void)((*(__force volatile __le32 *) (addr)) = cpu_to_le32(l)) ++#define out_8(addr,b) (void)((*(__force volatile u8 *) (unsigned long)(addr)) = (b)) ++#define out_be16(addr,w) (void)((*(__force volatile u16 *) (unsigned long)(addr)) = (w)) ++#define out_be32(addr,l) (void)((*(__force volatile u32 *) (unsigned long)(addr)) = (l)) ++#define out_le16(addr,w) (void)((*(__force volatile __le16 *) (unsigned long)(addr)) = cpu_to_le16(w)) ++#define out_le32(addr,l) (void)((*(__force volatile __le32 *) (unsigned long)(addr)) = cpu_to_le32(l)) + + #define raw_inb in_8 + #define raw_inw in_be16 +-- +2.33.0 + diff --git a/queue-5.4/md-fix-a-lock-order-reversal-in-md_alloc.patch b/queue-5.4/md-fix-a-lock-order-reversal-in-md_alloc.patch new file mode 100644 index 00000000000..57cd798b468 --- /dev/null +++ b/queue-5.4/md-fix-a-lock-order-reversal-in-md_alloc.patch @@ -0,0 +1,61 @@ +From 290d0b5fc0846d83477ec64aade0d58df4fe0686 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Sep 2021 13:38:29 +0200 +Subject: md: fix a lock order reversal in md_alloc + +From: Christoph Hellwig + +[ Upstream commit 7df835a32a8bedf7ce88efcfa7c9b245b52ff139 ] + +Commit b0140891a8cea3 ("md: Fix race when creating a new md device.") +not only moved assigning mddev->gendisk before calling add_disk, which +fixes the races described in the commit log, but also added a +mddev->open_mutex critical section over add_disk and creation of the +md kobj. Adding a kobject after add_disk is racy vs deleting the gendisk +right after adding it, but md already prevents against that by holding +a mddev->active reference. + +On the other hand taking this lock added a lock order reversal with what +is not disk->open_mutex (used to be bdev->bd_mutex when the commit was +added) for partition devices, which need that lock for the internal open +for the partition scan, and a recent commit also takes it for +non-partitioned devices, leading to further lockdep splatter. + +Fixes: b0140891a8ce ("md: Fix race when creating a new md device.") +Fixes: d62633873590 ("block: support delayed holder registration") +Reported-by: syzbot+fadc0aaf497e6a493b9f@syzkaller.appspotmail.com +Signed-off-by: Christoph Hellwig +Tested-by: syzbot+fadc0aaf497e6a493b9f@syzkaller.appspotmail.com +Reviewed-by: NeilBrown +Signed-off-by: Song Liu +Signed-off-by: Sasha Levin +--- + drivers/md/md.c | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/drivers/md/md.c b/drivers/md/md.c +index 761d43829b2b..c178b2f406de 100644 +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -5535,10 +5535,6 @@ static int md_alloc(dev_t dev, char *name) + */ + disk->flags |= GENHD_FL_EXT_DEVT; + mddev->gendisk = disk; +- /* As soon as we call add_disk(), another thread could get +- * through to md_open, so make sure it doesn't get too far +- */ +- mutex_lock(&mddev->open_mutex); + add_disk(disk); + + error = kobject_add(&mddev->kobj, &disk_to_dev(disk)->kobj, "%s", "md"); +@@ -5553,7 +5549,6 @@ static int md_alloc(dev_t dev, char *name) + if (mddev->kobj.sd && + sysfs_create_group(&mddev->kobj, &md_bitmap_group)) + pr_debug("pointless warning\n"); +- mutex_unlock(&mddev->open_mutex); + abort: + mutex_unlock(&disks_mutex); + if (!error && mddev->kobj.sd) { +-- +2.33.0 + diff --git a/queue-5.4/net-6pack-fix-tx-timeout-and-slot-time.patch b/queue-5.4/net-6pack-fix-tx-timeout-and-slot-time.patch new file mode 100644 index 00000000000..e59b627911c --- /dev/null +++ b/queue-5.4/net-6pack-fix-tx-timeout-and-slot-time.patch @@ -0,0 +1,59 @@ +From a7f362f271a5e417ca41e5e762e3c50bc8c2c3da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Sep 2021 20:57:43 -0700 +Subject: net: 6pack: Fix tx timeout and slot time + +From: Guenter Roeck + +[ Upstream commit 3c0d2a46c0141913dc6fd126c57d0615677d946e ] + +tx timeout and slot time are currently specified in units of HZ. On +Alpha, HZ is defined as 1024. When building alpha:allmodconfig, this +results in the following error message. + + drivers/net/hamradio/6pack.c: In function 'sixpack_open': + drivers/net/hamradio/6pack.c:71:41: error: + unsigned conversion from 'int' to 'unsigned char' + changes value from '256' to '0' + +In the 6PACK protocol, tx timeout is specified in units of 10 ms and +transmitted over the wire: + + https://www.linux-ax25.org/wiki/6PACK + +Defining a value dependent on HZ doesn't really make sense, and +presumably comes from the (very historical) situation where HZ was +originally 100. + +Note that the SIXP_SLOTTIME use explicitly is about 10ms granularity: + + mod_timer(&sp->tx_t, jiffies + ((when + 1) * HZ) / 100); + +and the SIXP_TXDELAY walue is sent as a byte over the wire. + +Signed-off-by: Guenter Roeck +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + drivers/net/hamradio/6pack.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/hamradio/6pack.c b/drivers/net/hamradio/6pack.c +index da13683d52d1..bd0beb16d68a 100644 +--- a/drivers/net/hamradio/6pack.c ++++ b/drivers/net/hamradio/6pack.c +@@ -68,9 +68,9 @@ + #define SIXP_DAMA_OFF 0 + + /* default level 2 parameters */ +-#define SIXP_TXDELAY (HZ/4) /* in 1 s */ ++#define SIXP_TXDELAY 25 /* 250 ms */ + #define SIXP_PERSIST 50 /* in 256ths */ +-#define SIXP_SLOTTIME (HZ/10) /* in 1 s */ ++#define SIXP_SLOTTIME 10 /* 100 ms */ + #define SIXP_INIT_RESYNC_TIMEOUT (3*HZ/2) /* in 1 s */ + #define SIXP_RESYNC_TIMEOUT 5*HZ /* in 1 s */ + +-- +2.33.0 + diff --git a/queue-5.4/net-i825xx-use-absolute_pointer-for-memcpy-from-fixe.patch b/queue-5.4/net-i825xx-use-absolute_pointer-for-memcpy-from-fixe.patch new file mode 100644 index 00000000000..e19cc2412a7 --- /dev/null +++ b/queue-5.4/net-i825xx-use-absolute_pointer-for-memcpy-from-fixe.patch @@ -0,0 +1,43 @@ +From 6c1b5c47aee490735a04c9c06a4e8a47a8f1fc66 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Sep 2021 20:52:25 -0700 +Subject: net: i825xx: Use absolute_pointer for memcpy from fixed memory + location + +From: Guenter Roeck + +[ Upstream commit dff2d13114f0beec448da9b3716204eb34b0cf41 ] + +gcc 11.x reports the following compiler warning/error. + + drivers/net/ethernet/i825xx/82596.c: In function 'i82596_probe': + arch/m68k/include/asm/string.h:72:25: error: + '__builtin_memcpy' reading 6 bytes from a region of size 0 [-Werror=stringop-overread] + +Use absolute_pointer() to work around the problem. + +Cc: Geert Uytterhoeven +Signed-off-by: Guenter Roeck +Reviewed-by: Geert Uytterhoeven +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/i825xx/82596.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/i825xx/82596.c b/drivers/net/ethernet/i825xx/82596.c +index 92929750f832..54d5b402b0e8 100644 +--- a/drivers/net/ethernet/i825xx/82596.c ++++ b/drivers/net/ethernet/i825xx/82596.c +@@ -1155,7 +1155,7 @@ struct net_device * __init i82596_probe(int unit) + err = -ENODEV; + goto out; + } +- memcpy(eth_addr, (void *) 0xfffc1f2c, ETH_ALEN); /* YUCK! Get addr from NOVRAM */ ++ memcpy(eth_addr, absolute_pointer(0xfffc1f2c), ETH_ALEN); /* YUCK! Get addr from NOVRAM */ + dev->base_addr = MVME_I596_BASE; + dev->irq = (unsigned) MVME16x_IRQ_I596; + goto found; +-- +2.33.0 + diff --git a/queue-5.4/net-macb-fix-use-after-free-on-rmmod.patch b/queue-5.4/net-macb-fix-use-after-free-on-rmmod.patch new file mode 100644 index 00000000000..8d725c24165 --- /dev/null +++ b/queue-5.4/net-macb-fix-use-after-free-on-rmmod.patch @@ -0,0 +1,44 @@ +From ab221aee6a81c0e68f3666693ca3d6f9b21bc4ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Sep 2021 12:02:32 -0700 +Subject: net: macb: fix use after free on rmmod + +From: Tong Zhang + +[ Upstream commit d82d5303c4c539db86588ffb5dc5b26c3f1513e8 ] + +plat_dev->dev->platform_data is released by platform_device_unregister(), +use of pclk and hclk is a use-after-free. Since device unregister won't +need a clk device we adjust the function call sequence to fix this issue. + +[ 31.261225] BUG: KASAN: use-after-free in macb_remove+0x77/0xc6 [macb_pci] +[ 31.275563] Freed by task 306: +[ 30.276782] platform_device_release+0x25/0x80 + +Suggested-by: Nicolas Ferre +Signed-off-by: Tong Zhang +Acked-by: Nicolas Ferre +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cadence/macb_pci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/cadence/macb_pci.c b/drivers/net/ethernet/cadence/macb_pci.c +index 617b3b728dd0..94f3babfad30 100644 +--- a/drivers/net/ethernet/cadence/macb_pci.c ++++ b/drivers/net/ethernet/cadence/macb_pci.c +@@ -112,9 +112,9 @@ static void macb_remove(struct pci_dev *pdev) + struct platform_device *plat_dev = pci_get_drvdata(pdev); + struct macb_platform_data *plat_data = dev_get_platdata(&plat_dev->dev); + +- platform_device_unregister(plat_dev); + clk_unregister(plat_data->pclk); + clk_unregister(plat_data->hclk); ++ platform_device_unregister(plat_dev); + } + + static const struct pci_device_id dev_id_table[] = { +-- +2.33.0 + diff --git a/queue-5.4/net-stmmac-allow-csr-clock-of-300mhz.patch b/queue-5.4/net-stmmac-allow-csr-clock-of-300mhz.patch new file mode 100644 index 00000000000..4f332dcf7db --- /dev/null +++ b/queue-5.4/net-stmmac-allow-csr-clock-of-300mhz.patch @@ -0,0 +1,59 @@ +From 60af33f4902a75b36091cc53bcf8ca943e6f534d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Sep 2021 21:55:34 +0200 +Subject: net: stmmac: allow CSR clock of 300MHz + +From: Jesper Nilsson + +[ Upstream commit 08dad2f4d541fcfe5e7bfda72cc6314bbfd2802f ] + +The Synopsys Ethernet IP uses the CSR clock as a base clock for MDC. +The divisor used is set in the MAC_MDIO_Address register field CR +(Clock Rate) + +The divisor is there to change the CSR clock into a clock that falls +below the IEEE 802.3 specified max frequency of 2.5MHz. + +If the CSR clock is 300MHz, the code falls back to using the reset +value in the MAC_MDIO_Address register, as described in the comment +above this code. + +However, 300MHz is actually an allowed value and the proper divider +can be estimated quite easily (it's just 1Hz difference!) + +A CSR frequency of 300MHz with the maximum clock rate value of 0x5 +(STMMAC_CSR_250_300M, a divisor of 124) gives somewhere around +~2.42MHz which is below the IEEE 802.3 specified maximum. + +For the ARTPEC-8 SoC, the CSR clock is this problematic 300MHz, +and unfortunately, the reset-value of the MAC_MDIO_Address CR field +is 0x0. + +This leads to a clock rate of zero and a divisor of 42, and gives an +MDC frequency of ~7.14MHz. + +Allow CSR clock of 300MHz by making the comparison inclusive. + +Signed-off-by: Jesper Nilsson +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +index 4e7cfd3bfcd2..e09851c7da9b 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -225,7 +225,7 @@ static void stmmac_clk_csr_set(struct stmmac_priv *priv) + priv->clk_csr = STMMAC_CSR_100_150M; + else if ((clk_rate >= CSR_F_150M) && (clk_rate < CSR_F_250M)) + priv->clk_csr = STMMAC_CSR_150_250M; +- else if ((clk_rate >= CSR_F_250M) && (clk_rate < CSR_F_300M)) ++ else if ((clk_rate >= CSR_F_250M) && (clk_rate <= CSR_F_300M)) + priv->clk_csr = STMMAC_CSR_250_300M; + } + +-- +2.33.0 + diff --git a/queue-5.4/nvme-multipath-fix-ana-state-updates-when-a-namespac.patch b/queue-5.4/nvme-multipath-fix-ana-state-updates-when-a-namespac.patch new file mode 100644 index 00000000000..d8618269a7e --- /dev/null +++ b/queue-5.4/nvme-multipath-fix-ana-state-updates-when-a-namespac.patch @@ -0,0 +1,61 @@ +From b6c24ffcf8344d5b8724c67f9c079bd01be5b720 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 12 Sep 2021 12:54:57 -0600 +Subject: nvme-multipath: fix ANA state updates when a namespace is not present + +From: Anton Eidelman + +[ Upstream commit 79f528afa93918519574773ea49a444c104bc1bd ] + +nvme_update_ana_state() has a deficiency that results in a failure to +properly update the ana state for a namespace in the following case: + + NSIDs in ctrl->namespaces: 1, 3, 4 + NSIDs in desc->nsids: 1, 2, 3, 4 + +Loop iteration 0: + ns index = 0, n = 0, ns->head->ns_id = 1, nsid = 1, MATCH. +Loop iteration 1: + ns index = 1, n = 1, ns->head->ns_id = 3, nsid = 2, NO MATCH. +Loop iteration 2: + ns index = 2, n = 2, ns->head->ns_id = 4, nsid = 4, MATCH. + +Where the update to the ANA state of NSID 3 is missed. To fix this +increment n and retry the update with the same ns when ns->head->ns_id is +higher than nsid, + +Signed-off-by: Anton Eidelman +Signed-off-by: Christoph Hellwig +Reviewed-by: Sagi Grimberg +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/multipath.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/nvme/host/multipath.c b/drivers/nvme/host/multipath.c +index 590b040e90a3..016a67fd4198 100644 +--- a/drivers/nvme/host/multipath.c ++++ b/drivers/nvme/host/multipath.c +@@ -522,14 +522,17 @@ static int nvme_update_ana_state(struct nvme_ctrl *ctrl, + + down_read(&ctrl->namespaces_rwsem); + list_for_each_entry(ns, &ctrl->namespaces, list) { +- unsigned nsid = le32_to_cpu(desc->nsids[n]); +- ++ unsigned nsid; ++again: ++ nsid = le32_to_cpu(desc->nsids[n]); + if (ns->head->ns_id < nsid) + continue; + if (ns->head->ns_id == nsid) + nvme_update_ns_ana_state(desc, ns); + if (++n == nr_nsids) + break; ++ if (ns->head->ns_id > nsid) ++ goto again; + } + up_read(&ctrl->namespaces_rwsem); + return 0; +-- +2.33.0 + diff --git a/queue-5.4/parisc-use-absolute_pointer-to-define-page0.patch b/queue-5.4/parisc-use-absolute_pointer-to-define-page0.patch new file mode 100644 index 00000000000..5243c58dc79 --- /dev/null +++ b/queue-5.4/parisc-use-absolute_pointer-to-define-page0.patch @@ -0,0 +1,38 @@ +From 798ca6e5e43d40d05bc670b19c4b398a4612ee77 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Sep 2021 08:35:42 +0200 +Subject: parisc: Use absolute_pointer() to define PAGE0 + +From: Helge Deller + +[ Upstream commit 90cc7bed1ed19f869ae7221a6b41887fe762a6a3 ] + +Use absolute_pointer() wrapper for PAGE0 to avoid this compiler warning: + + arch/parisc/kernel/setup.c: In function 'start_parisc': + error: '__builtin_memcmp_eq' specified bound 8 exceeds source size 0 + +Signed-off-by: Helge Deller +Co-Developed-by: Guenter Roeck +Suggested-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + arch/parisc/include/asm/page.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/parisc/include/asm/page.h b/arch/parisc/include/asm/page.h +index 93caf17ac5e2..9ebf3b0413d5 100644 +--- a/arch/parisc/include/asm/page.h ++++ b/arch/parisc/include/asm/page.h +@@ -181,7 +181,7 @@ extern int npmem_ranges; + #include + #include + +-#define PAGE0 ((struct zeropage *)__PAGE_OFFSET) ++#define PAGE0 ((struct zeropage *)absolute_pointer(__PAGE_OFFSET)) + + /* DEFINITION OF THE ZERO-PAGE (PAG0) */ + /* based on work by Jason Eckhardt (jason@equator.com) */ +-- +2.33.0 + diff --git a/queue-5.4/qnx4-avoid-stringop-overread-errors.patch b/queue-5.4/qnx4-avoid-stringop-overread-errors.patch new file mode 100644 index 00000000000..06e17937f06 --- /dev/null +++ b/queue-5.4/qnx4-avoid-stringop-overread-errors.patch @@ -0,0 +1,134 @@ +From 6ba61e3553152e26de95667c7a419a252b04a60e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Sep 2021 13:56:37 -0700 +Subject: qnx4: avoid stringop-overread errors +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Linus Torvalds + +[ Upstream commit b7213ffa0e585feb1aee3e7173e965e66ee0abaa ] + +The qnx4 directory entries are 64-byte blocks that have different +contents depending on the a status byte that is in the last byte of the +block. + +In particular, a directory entry can be either a "link info" entry with +a 48-byte name and pointers to the real inode information, or an "inode +entry" with a smaller 16-byte name and the full inode information. + +But the code was written to always just treat the directory name as if +it was part of that "inode entry", and just extend the name to the +longer case if the status byte said it was a link entry. + +That work just fine and gives the right results, but now that gcc is +tracking data structure accesses much more, the code can trigger a +compiler error about using up to 48 bytes (the long name) in a structure +that only has that shorter name in it: + + fs/qnx4/dir.c: In function ‘qnx4_readdir’: + fs/qnx4/dir.c:51:32: error: ‘strnlen’ specified bound 48 exceeds source size 16 [-Werror=stringop-overread] + 51 | size = strnlen(de->di_fname, size); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~ + In file included from fs/qnx4/qnx4.h:3, + from fs/qnx4/dir.c:16: + include/uapi/linux/qnx4_fs.h:45:25: note: source object declared here + 45 | char di_fname[QNX4_SHORT_NAME_MAX]; + | ^~~~~~~~ + +which is because the source code doesn't really make this whole "one of +two different types" explicit. + +Fix this by introducing a very explicit union of the two types, and +basically explaining to the compiler what is really going on. + +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/qnx4/dir.c | 51 ++++++++++++++++++++++++++++++++++----------------- + 1 file changed, 34 insertions(+), 17 deletions(-) + +diff --git a/fs/qnx4/dir.c b/fs/qnx4/dir.c +index a6ee23aadd28..2a66844b7ff8 100644 +--- a/fs/qnx4/dir.c ++++ b/fs/qnx4/dir.c +@@ -15,13 +15,27 @@ + #include + #include "qnx4.h" + ++/* ++ * A qnx4 directory entry is an inode entry or link info ++ * depending on the status field in the last byte. The ++ * first byte is where the name start either way, and a ++ * zero means it's empty. ++ */ ++union qnx4_directory_entry { ++ struct { ++ char de_name; ++ char de_pad[62]; ++ char de_status; ++ }; ++ struct qnx4_inode_entry inode; ++ struct qnx4_link_info link; ++}; ++ + static int qnx4_readdir(struct file *file, struct dir_context *ctx) + { + struct inode *inode = file_inode(file); + unsigned int offset; + struct buffer_head *bh; +- struct qnx4_inode_entry *de; +- struct qnx4_link_info *le; + unsigned long blknum; + int ix, ino; + int size; +@@ -38,27 +52,30 @@ static int qnx4_readdir(struct file *file, struct dir_context *ctx) + } + ix = (ctx->pos >> QNX4_DIR_ENTRY_SIZE_BITS) % QNX4_INODES_PER_BLOCK; + for (; ix < QNX4_INODES_PER_BLOCK; ix++, ctx->pos += QNX4_DIR_ENTRY_SIZE) { ++ union qnx4_directory_entry *de; ++ const char *name; ++ + offset = ix * QNX4_DIR_ENTRY_SIZE; +- de = (struct qnx4_inode_entry *) (bh->b_data + offset); +- if (!de->di_fname[0]) ++ de = (union qnx4_directory_entry *) (bh->b_data + offset); ++ ++ if (!de->de_name) + continue; +- if (!(de->di_status & (QNX4_FILE_USED|QNX4_FILE_LINK))) ++ if (!(de->de_status & (QNX4_FILE_USED|QNX4_FILE_LINK))) + continue; +- if (!(de->di_status & QNX4_FILE_LINK)) +- size = QNX4_SHORT_NAME_MAX; +- else +- size = QNX4_NAME_MAX; +- size = strnlen(de->di_fname, size); +- QNX4DEBUG((KERN_INFO "qnx4_readdir:%.*s\n", size, de->di_fname)); +- if (!(de->di_status & QNX4_FILE_LINK)) ++ if (!(de->de_status & QNX4_FILE_LINK)) { ++ size = sizeof(de->inode.di_fname); ++ name = de->inode.di_fname; + ino = blknum * QNX4_INODES_PER_BLOCK + ix - 1; +- else { +- le = (struct qnx4_link_info*)de; +- ino = ( le32_to_cpu(le->dl_inode_blk) - 1 ) * ++ } else { ++ size = sizeof(de->link.dl_fname); ++ name = de->link.dl_fname; ++ ino = ( le32_to_cpu(de->link.dl_inode_blk) - 1 ) * + QNX4_INODES_PER_BLOCK + +- le->dl_inode_ndx; ++ de->link.dl_inode_ndx; + } +- if (!dir_emit(ctx, de->di_fname, size, ino, DT_UNKNOWN)) { ++ size = strnlen(name, size); ++ QNX4DEBUG((KERN_INFO "qnx4_readdir:%.*s\n", size, name)); ++ if (!dir_emit(ctx, name, size, ino, DT_UNKNOWN)) { + brelse(bh); + return 0; + } +-- +2.33.0 + diff --git a/queue-5.4/scsi-iscsi-adjust-iface-sysfs-attr-detection.patch b/queue-5.4/scsi-iscsi-adjust-iface-sysfs-attr-detection.patch new file mode 100644 index 00000000000..4c9e76e36c3 --- /dev/null +++ b/queue-5.4/scsi-iscsi-adjust-iface-sysfs-attr-detection.patch @@ -0,0 +1,53 @@ +From 0f20b976b7612bb18adff751ea0b38f211b09fa4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Sep 2021 16:53:36 +0800 +Subject: scsi: iscsi: Adjust iface sysfs attr detection + +From: Baokun Li + +[ Upstream commit 4e28550829258f7dab97383acaa477bd724c0ff4 ] + +ISCSI_NET_PARAM_IFACE_ENABLE belongs to enum iscsi_net_param instead of +iscsi_iface_param so move it to ISCSI_NET_PARAM. Otherwise, when we call +into the driver, we might not match and return that we don't want attr +visible in sysfs. Found in code review. + +Link: https://lore.kernel.org/r/20210901085336.2264295-1-libaokun1@huawei.com +Fixes: e746f3451ec7 ("scsi: iscsi: Fix iface sysfs attr detection") +Reviewed-by: Lee Duncan +Signed-off-by: Baokun Li +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_transport_iscsi.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c +index 77bba91b5714..6f21cb75d95f 100644 +--- a/drivers/scsi/scsi_transport_iscsi.c ++++ b/drivers/scsi/scsi_transport_iscsi.c +@@ -434,9 +434,7 @@ static umode_t iscsi_iface_attr_is_visible(struct kobject *kobj, + struct iscsi_transport *t = iface->transport; + int param = -1; + +- if (attr == &dev_attr_iface_enabled.attr) +- param = ISCSI_NET_PARAM_IFACE_ENABLE; +- else if (attr == &dev_attr_iface_def_taskmgmt_tmo.attr) ++ if (attr == &dev_attr_iface_def_taskmgmt_tmo.attr) + param = ISCSI_IFACE_PARAM_DEF_TASKMGMT_TMO; + else if (attr == &dev_attr_iface_header_digest.attr) + param = ISCSI_IFACE_PARAM_HDRDGST_EN; +@@ -476,7 +474,9 @@ static umode_t iscsi_iface_attr_is_visible(struct kobject *kobj, + if (param != -1) + return t->attr_is_visible(ISCSI_IFACE_PARAM, param); + +- if (attr == &dev_attr_iface_vlan_id.attr) ++ if (attr == &dev_attr_iface_enabled.attr) ++ param = ISCSI_NET_PARAM_IFACE_ENABLE; ++ else if (attr == &dev_attr_iface_vlan_id.attr) + param = ISCSI_NET_PARAM_VLAN_ID; + else if (attr == &dev_attr_iface_vlan_priority.attr) + param = ISCSI_NET_PARAM_VLAN_PRIORITY; +-- +2.33.0 + diff --git a/queue-5.4/scsi-lpfc-use-correct-scnprintf-limit.patch b/queue-5.4/scsi-lpfc-use-correct-scnprintf-limit.patch new file mode 100644 index 00000000000..9ef5b98289e --- /dev/null +++ b/queue-5.4/scsi-lpfc-use-correct-scnprintf-limit.patch @@ -0,0 +1,39 @@ +From ac3331b546155c9f6117dfb9327c6b0715410693 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Sep 2021 16:23:31 +0300 +Subject: scsi: lpfc: Use correct scnprintf() limit + +From: Dan Carpenter + +[ Upstream commit 6dacc371b77f473770ec646e220303a84fe96c11 ] + +The limit should be "PAGE_SIZE - len" instead of "PAGE_SIZE". We're not +going to hit the limit so this fix will not affect runtime. + +Link: https://lore.kernel.org/r/20210916132331.GE25094@kili +Fixes: 5b9e70b22cc5 ("scsi: lpfc: raise sg count for nvme to use available sg resources") +Reviewed-by: James Smart +Signed-off-by: Dan Carpenter +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_attr.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/lpfc/lpfc_attr.c b/drivers/scsi/lpfc/lpfc_attr.c +index 45db19e31b34..f0ecfe565660 100644 +--- a/drivers/scsi/lpfc/lpfc_attr.c ++++ b/drivers/scsi/lpfc/lpfc_attr.c +@@ -5881,7 +5881,8 @@ lpfc_sg_seg_cnt_show(struct device *dev, struct device_attribute *attr, + len = scnprintf(buf, PAGE_SIZE, "SGL sz: %d total SGEs: %d\n", + phba->cfg_sg_dma_buf_size, phba->cfg_total_seg_cnt); + +- len += scnprintf(buf + len, PAGE_SIZE, "Cfg: %d SCSI: %d NVME: %d\n", ++ len += scnprintf(buf + len, PAGE_SIZE - len, ++ "Cfg: %d SCSI: %d NVME: %d\n", + phba->cfg_sg_seg_cnt, phba->cfg_scsi_seg_cnt, + phba->cfg_nvme_seg_cnt); + return len; +-- +2.33.0 + diff --git a/queue-5.4/scsi-qla2xxx-restore-initiator-in-dual-mode.patch b/queue-5.4/scsi-qla2xxx-restore-initiator-in-dual-mode.patch new file mode 100644 index 00000000000..ebea2f9fef1 --- /dev/null +++ b/queue-5.4/scsi-qla2xxx-restore-initiator-in-dual-mode.patch @@ -0,0 +1,41 @@ +From 6acf9e4fc38ce1413441507fc2656bcb6ef126c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Sep 2021 18:32:39 +0300 +Subject: scsi: qla2xxx: Restore initiator in dual mode + +From: Dmitry Bogdanov + +[ Upstream commit 5f8579038842d77e6ce05e1df6bf9dd493b0e3ef ] + +In dual mode in case of disabling the target, the whole port goes offline +and initiator is turned off too. + +Fix restoring initiator mode after disabling target in dual mode. + +Link: https://lore.kernel.org/r/20210915153239.8035-1-d.bogdanov@yadro.com +Fixes: 0645cb8350cd ("scsi: qla2xxx: Add mode control for each physical port") +Reviewed-by: Himanshu Madhani +Signed-off-by: Dmitry Bogdanov +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_init.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c +index 643b8ae36cbe..5dae7ac0d3ef 100644 +--- a/drivers/scsi/qla2xxx/qla_init.c ++++ b/drivers/scsi/qla2xxx/qla_init.c +@@ -6803,7 +6803,8 @@ qla2x00_abort_isp(scsi_qla_host_t *vha) + return 0; + break; + case QLA2XXX_INI_MODE_DUAL: +- if (!qla_dual_mode_enabled(vha)) ++ if (!qla_dual_mode_enabled(vha) && ++ !qla_ini_mode_enabled(vha)) + return 0; + break; + case QLA2XXX_INI_MODE_ENABLED: +-- +2.33.0 + diff --git a/queue-5.4/series b/queue-5.4/series index 27fd7c59f6a..5815c826ae1 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -30,3 +30,34 @@ net-smc-add-missing-error-check-in-smc_clc_prfx_set.patch gpio-uniphier-fix-void-functions-to-remove-return-va.patch qed-rdma-don-t-wait-for-resources-under-hw-error-rec.patch net-mlx4_en-don-t-allow-arfs-for-encapsulated-packet.patch +scsi-iscsi-adjust-iface-sysfs-attr-detection.patch +tty-synclink_gt-drop-unneeded-forward-declarations.patch +tty-synclink_gt-rename-a-conflicting-function-name.patch +fpga-machxo2-spi-return-an-error-on-failure.patch +fpga-machxo2-spi-fix-missing-error-code-in-machxo2_w.patch +thermal-core-potential-buffer-overflow-in-thermal_bu.patch +cifs-fix-a-sign-extension-bug.patch +scsi-qla2xxx-restore-initiator-in-dual-mode.patch +scsi-lpfc-use-correct-scnprintf-limit.patch +irqchip-goldfish-pic-select-generic_irq_chip-to-fix-.patch +irqchip-gic-v3-its-fix-potential-vpe-leak-on-error.patch +md-fix-a-lock-order-reversal-in-md_alloc.patch +blktrace-fix-uaf-in-blk_trace-access-after-removing-.patch +net-macb-fix-use-after-free-on-rmmod.patch +net-stmmac-allow-csr-clock-of-300mhz.patch +m68k-double-cast-io-functions-to-unsigned-long.patch +ipv6-delay-fib6_sernum-increase-in-fib6_add.patch +bpf-add-oversize-check-before-call-kvcalloc.patch +xen-balloon-use-a-kernel-thread-instead-a-workqueue.patch +nvme-multipath-fix-ana-state-updates-when-a-namespac.patch +sparc32-page-align-size-in-arch_dma_alloc.patch +blk-cgroup-fix-uaf-by-grabbing-blkcg-lock-before-des.patch +compiler.h-introduce-absolute_pointer-macro.patch +net-i825xx-use-absolute_pointer-for-memcpy-from-fixe.patch +sparc-avoid-stringop-overread-errors.patch +qnx4-avoid-stringop-overread-errors.patch +parisc-use-absolute_pointer-to-define-page0.patch +arm64-mark-__stack_chk_guard-as-__ro_after_init.patch +alpha-declare-virt_to_phys-and-virt_to_bus-parameter.patch +net-6pack-fix-tx-timeout-and-slot-time.patch +spi-fix-tegra20-build-with-config_pm-n.patch diff --git a/queue-5.4/sparc-avoid-stringop-overread-errors.patch b/queue-5.4/sparc-avoid-stringop-overread-errors.patch new file mode 100644 index 00000000000..99a1bd37b6c --- /dev/null +++ b/queue-5.4/sparc-avoid-stringop-overread-errors.patch @@ -0,0 +1,65 @@ +From 6ce53f7562a377e4cb151add6b6133ecdeb985c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Sep 2021 16:06:04 -0700 +Subject: sparc: avoid stringop-overread errors +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Linus Torvalds + +[ Upstream commit fc7c028dcdbfe981bca75d2a7b95f363eb691ef3 ] + +The sparc mdesc code does pointer games with 'struct mdesc_hdr', but +didn't describe to the compiler how that header is then followed by the +data that the header describes. + +As a result, gcc is now unhappy since it does stricter pointer range +tracking, and doesn't understand about how these things work. This +results in various errors like: + + arch/sparc/kernel/mdesc.c: In function ‘mdesc_node_by_name’: + arch/sparc/kernel/mdesc.c:647:22: error: ‘strcmp’ reading 1 or more bytes from a region of size 0 [-Werror=stringop-overread] + 647 | if (!strcmp(names + ep[ret].name_offset, name)) + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +which are easily avoided by just describing 'struct mdesc_hdr' better, +and making the node_block() helper function look into that unsized +data[] that follows the header. + +This makes the sparc64 build happy again at least for my cross-compiler +version (gcc version 11.2.1). + +Link: https://lore.kernel.org/lkml/CAHk-=wi4NW3NC0xWykkw=6LnjQD6D_rtRtxY9g8gQAJXtQMi8A@mail.gmail.com/ +Cc: Guenter Roeck +Cc: David S. Miller +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + arch/sparc/kernel/mdesc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/sparc/kernel/mdesc.c b/arch/sparc/kernel/mdesc.c +index 8e645ddac58e..30f171b7b00c 100644 +--- a/arch/sparc/kernel/mdesc.c ++++ b/arch/sparc/kernel/mdesc.c +@@ -39,6 +39,7 @@ struct mdesc_hdr { + u32 node_sz; /* node block size */ + u32 name_sz; /* name block size */ + u32 data_sz; /* data block size */ ++ char data[]; + } __attribute__((aligned(16))); + + struct mdesc_elem { +@@ -612,7 +613,7 @@ EXPORT_SYMBOL(mdesc_get_node_info); + + static struct mdesc_elem *node_block(struct mdesc_hdr *mdesc) + { +- return (struct mdesc_elem *) (mdesc + 1); ++ return (struct mdesc_elem *) mdesc->data; + } + + static void *name_block(struct mdesc_hdr *mdesc) +-- +2.33.0 + diff --git a/queue-5.4/sparc32-page-align-size-in-arch_dma_alloc.patch b/queue-5.4/sparc32-page-align-size-in-arch_dma_alloc.patch new file mode 100644 index 00000000000..5c74d40c165 --- /dev/null +++ b/queue-5.4/sparc32-page-align-size-in-arch_dma_alloc.patch @@ -0,0 +1,40 @@ +From 575fabb2ee3efdcb62a23c118bb49523ecf140eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Sep 2021 09:48:22 +0200 +Subject: sparc32: page align size in arch_dma_alloc + +From: Andreas Larsson + +[ Upstream commit 59583f747664046aaae5588d56d5954fab66cce8 ] + +Commit 53b7670e5735 ("sparc: factor the dma coherent mapping into +helper") lost the page align for the calls to dma_make_coherent and +srmmu_unmapiorange. The latter cannot handle a non page aligned len +argument. + +Signed-off-by: Andreas Larsson +Reviewed-by: Sam Ravnborg +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + arch/sparc/kernel/ioport.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/arch/sparc/kernel/ioport.c b/arch/sparc/kernel/ioport.c +index f89603855f1e..b87e0002131d 100644 +--- a/arch/sparc/kernel/ioport.c ++++ b/arch/sparc/kernel/ioport.c +@@ -356,7 +356,9 @@ err_nomem: + void arch_dma_free(struct device *dev, size_t size, void *cpu_addr, + dma_addr_t dma_addr, unsigned long attrs) + { +- if (!sparc_dma_free_resource(cpu_addr, PAGE_ALIGN(size))) ++ size = PAGE_ALIGN(size); ++ ++ if (!sparc_dma_free_resource(cpu_addr, size)) + return; + + dma_make_coherent(dma_addr, size); +-- +2.33.0 + diff --git a/queue-5.4/spi-fix-tegra20-build-with-config_pm-n.patch b/queue-5.4/spi-fix-tegra20-build-with-config_pm-n.patch new file mode 100644 index 00000000000..43cefa9335b --- /dev/null +++ b/queue-5.4/spi-fix-tegra20-build-with-config_pm-n.patch @@ -0,0 +1,59 @@ +From 50fe3ffa5ab3a67388c8cb03131712d37facb13b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 18 Sep 2021 10:05:06 -0700 +Subject: spi: Fix tegra20 build with CONFIG_PM=n +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Linus Torvalds + +[ Upstream commit efafec27c5658ed987e720130772f8933c685e87 ] + +Without CONFIG_PM enabled, the SET_RUNTIME_PM_OPS() macro ends up being +empty, and the only use of tegra_slink_runtime_{resume,suspend} goes +away, resulting in + + drivers/spi/spi-tegra20-slink.c:1200:12: error: ‘tegra_slink_runtime_resume’ defined but not used [-Werror=unused-function] + 1200 | static int tegra_slink_runtime_resume(struct device *dev) + | ^~~~~~~~~~~~~~~~~~~~~~~~~~ + drivers/spi/spi-tegra20-slink.c:1188:12: error: ‘tegra_slink_runtime_suspend’ defined but not used [-Werror=unused-function] + 1188 | static int tegra_slink_runtime_suspend(struct device *dev) + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~ + +mark the functions __maybe_unused to make the build happy. + +This hits the alpha allmodconfig build (and others). + +Reported-by: Guenter Roeck +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-tegra20-slink.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/spi/spi-tegra20-slink.c b/drivers/spi/spi-tegra20-slink.c +index 2a1905c43a0b..9b59539c8735 100644 +--- a/drivers/spi/spi-tegra20-slink.c ++++ b/drivers/spi/spi-tegra20-slink.c +@@ -1205,7 +1205,7 @@ static int tegra_slink_resume(struct device *dev) + } + #endif + +-static int tegra_slink_runtime_suspend(struct device *dev) ++static int __maybe_unused tegra_slink_runtime_suspend(struct device *dev) + { + struct spi_master *master = dev_get_drvdata(dev); + struct tegra_slink_data *tspi = spi_master_get_devdata(master); +@@ -1217,7 +1217,7 @@ static int tegra_slink_runtime_suspend(struct device *dev) + return 0; + } + +-static int tegra_slink_runtime_resume(struct device *dev) ++static int __maybe_unused tegra_slink_runtime_resume(struct device *dev) + { + struct spi_master *master = dev_get_drvdata(dev); + struct tegra_slink_data *tspi = spi_master_get_devdata(master); +-- +2.33.0 + diff --git a/queue-5.4/thermal-core-potential-buffer-overflow-in-thermal_bu.patch b/queue-5.4/thermal-core-potential-buffer-overflow-in-thermal_bu.patch new file mode 100644 index 00000000000..b44466bc41f --- /dev/null +++ b/queue-5.4/thermal-core-potential-buffer-overflow-in-thermal_bu.patch @@ -0,0 +1,52 @@ +From 185376edb9ac0b771f3a692e5f65ebf6739b71fa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Sep 2021 16:13:42 +0300 +Subject: thermal/core: Potential buffer overflow in + thermal_build_list_of_policies() + +From: Dan Carpenter + +[ Upstream commit 1bb30b20b49773369c299d4d6c65227201328663 ] + +After printing the list of thermal governors, then this function prints +a newline character. The problem is that "size" has not been updated +after printing the last governor. This means that it can write one +character (the NUL terminator) beyond the end of the buffer. + +Get rid of the "size" variable and just use "PAGE_SIZE - count" directly. + +Fixes: 1b4f48494eb2 ("thermal: core: group functions related to governor handling") +Signed-off-by: Dan Carpenter +Signed-off-by: Daniel Lezcano +Link: https://lore.kernel.org/r/20210916131342.GB25094@kili +Signed-off-by: Sasha Levin +--- + drivers/thermal/thermal_core.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c +index f526ce31f5a2..20eab56b02cb 100644 +--- a/drivers/thermal/thermal_core.c ++++ b/drivers/thermal/thermal_core.c +@@ -228,15 +228,14 @@ int thermal_build_list_of_policies(char *buf) + { + struct thermal_governor *pos; + ssize_t count = 0; +- ssize_t size = PAGE_SIZE; + + mutex_lock(&thermal_governor_lock); + + list_for_each_entry(pos, &thermal_governor_list, governor_list) { +- size = PAGE_SIZE - count; +- count += scnprintf(buf + count, size, "%s ", pos->name); ++ count += scnprintf(buf + count, PAGE_SIZE - count, "%s ", ++ pos->name); + } +- count += scnprintf(buf + count, size, "\n"); ++ count += scnprintf(buf + count, PAGE_SIZE - count, "\n"); + + mutex_unlock(&thermal_governor_lock); + +-- +2.33.0 + diff --git a/queue-5.4/tty-synclink_gt-drop-unneeded-forward-declarations.patch b/queue-5.4/tty-synclink_gt-drop-unneeded-forward-declarations.patch new file mode 100644 index 00000000000..ec9127a75ba --- /dev/null +++ b/queue-5.4/tty-synclink_gt-drop-unneeded-forward-declarations.patch @@ -0,0 +1,154 @@ +From cd6ae09e1f880c0ad2b81dea3602adc431304ca5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Mar 2021 07:22:09 +0100 +Subject: tty: synclink_gt, drop unneeded forward declarations + +From: Jiri Slaby + +[ Upstream commit b9b90fe655c0bd816847ac1bcbf179cfa2981ecb ] + +Forward declarations make the code larger and rewrites harder. Harder as +they are often omitted from global changes. Remove forward declarations +which are not really needed, i.e. the definition of the function is +before its first use. + +Signed-off-by: Jiri Slaby +Link: https://lore.kernel.org/r/20210302062214.29627-39-jslaby@suse.cz +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/synclink_gt.c | 57 +-------------------------------------- + 1 file changed, 1 insertion(+), 56 deletions(-) + +diff --git a/drivers/tty/synclink_gt.c b/drivers/tty/synclink_gt.c +index 36f1a4d870eb..4ef84ed54ea5 100644 +--- a/drivers/tty/synclink_gt.c ++++ b/drivers/tty/synclink_gt.c +@@ -137,37 +137,14 @@ MODULE_PARM_DESC(maxframe, "Maximum frame size used by device (4096 to 65535)"); + */ + static struct tty_driver *serial_driver; + +-static int open(struct tty_struct *tty, struct file * filp); +-static void close(struct tty_struct *tty, struct file * filp); +-static void hangup(struct tty_struct *tty); +-static void set_termios(struct tty_struct *tty, struct ktermios *old_termios); +- +-static int write(struct tty_struct *tty, const unsigned char *buf, int count); +-static int put_char(struct tty_struct *tty, unsigned char ch); +-static void send_xchar(struct tty_struct *tty, char ch); + static void wait_until_sent(struct tty_struct *tty, int timeout); +-static int write_room(struct tty_struct *tty); +-static void flush_chars(struct tty_struct *tty); + static void flush_buffer(struct tty_struct *tty); +-static void tx_hold(struct tty_struct *tty); + static void tx_release(struct tty_struct *tty); + +-static int ioctl(struct tty_struct *tty, unsigned int cmd, unsigned long arg); +-static int chars_in_buffer(struct tty_struct *tty); +-static void throttle(struct tty_struct * tty); +-static void unthrottle(struct tty_struct * tty); +-static int set_break(struct tty_struct *tty, int break_state); +- + /* +- * generic HDLC support and callbacks ++ * generic HDLC support + */ +-#if SYNCLINK_GENERIC_HDLC + #define dev_to_port(D) (dev_to_hdlc(D)->priv) +-static void hdlcdev_tx_done(struct slgt_info *info); +-static void hdlcdev_rx(struct slgt_info *info, char *buf, int size); +-static int hdlcdev_init(struct slgt_info *info); +-static void hdlcdev_exit(struct slgt_info *info); +-#endif + + + /* +@@ -186,9 +163,6 @@ struct cond_wait { + wait_queue_entry_t wait; + unsigned int data; + }; +-static void init_cond_wait(struct cond_wait *w, unsigned int data); +-static void add_cond_wait(struct cond_wait **head, struct cond_wait *w); +-static void remove_cond_wait(struct cond_wait **head, struct cond_wait *w); + static void flush_cond_wait(struct cond_wait **head); + + /* +@@ -443,12 +417,8 @@ static void shutdown(struct slgt_info *info); + static void program_hw(struct slgt_info *info); + static void change_params(struct slgt_info *info); + +-static int register_test(struct slgt_info *info); +-static int irq_test(struct slgt_info *info); +-static int loopback_test(struct slgt_info *info); + static int adapter_test(struct slgt_info *info); + +-static void reset_adapter(struct slgt_info *info); + static void reset_port(struct slgt_info *info); + static void async_mode(struct slgt_info *info); + static void sync_mode(struct slgt_info *info); +@@ -457,14 +427,12 @@ static void rx_stop(struct slgt_info *info); + static void rx_start(struct slgt_info *info); + static void reset_rbufs(struct slgt_info *info); + static void free_rbufs(struct slgt_info *info, unsigned int first, unsigned int last); +-static void rdma_reset(struct slgt_info *info); + static bool rx_get_frame(struct slgt_info *info); + static bool rx_get_buf(struct slgt_info *info); + + static void tx_start(struct slgt_info *info); + static void tx_stop(struct slgt_info *info); + static void tx_set_idle(struct slgt_info *info); +-static unsigned int free_tbuf_count(struct slgt_info *info); + static unsigned int tbuf_bytes(struct slgt_info *info); + static void reset_tbufs(struct slgt_info *info); + static void tdma_reset(struct slgt_info *info); +@@ -472,26 +440,10 @@ static bool tx_load(struct slgt_info *info, const char *buf, unsigned int count) + + static void get_signals(struct slgt_info *info); + static void set_signals(struct slgt_info *info); +-static void enable_loopback(struct slgt_info *info); + static void set_rate(struct slgt_info *info, u32 data_rate); + +-static int bh_action(struct slgt_info *info); +-static void bh_handler(struct work_struct *work); + static void bh_transmit(struct slgt_info *info); +-static void isr_serial(struct slgt_info *info); +-static void isr_rdma(struct slgt_info *info); + static void isr_txeom(struct slgt_info *info, unsigned short status); +-static void isr_tdma(struct slgt_info *info); +- +-static int alloc_dma_bufs(struct slgt_info *info); +-static void free_dma_bufs(struct slgt_info *info); +-static int alloc_desc(struct slgt_info *info); +-static void free_desc(struct slgt_info *info); +-static int alloc_bufs(struct slgt_info *info, struct slgt_desc *bufs, int count); +-static void free_bufs(struct slgt_info *info, struct slgt_desc *bufs, int count); +- +-static int alloc_tmp_rbuf(struct slgt_info *info); +-static void free_tmp_rbuf(struct slgt_info *info); + + static void tx_timeout(struct timer_list *t); + static void rx_timeout(struct timer_list *t); +@@ -509,10 +461,6 @@ static int tx_abort(struct slgt_info *info); + static int rx_enable(struct slgt_info *info, int enable); + static int modem_input_wait(struct slgt_info *info,int arg); + static int wait_mgsl_event(struct slgt_info *info, int __user *mask_ptr); +-static int tiocmget(struct tty_struct *tty); +-static int tiocmset(struct tty_struct *tty, +- unsigned int set, unsigned int clear); +-static int set_break(struct tty_struct *tty, int break_state); + static int get_interface(struct slgt_info *info, int __user *if_mode); + static int set_interface(struct slgt_info *info, int if_mode); + static int set_gpio(struct slgt_info *info, struct gpio_desc __user *gpio); +@@ -526,9 +474,6 @@ static int set_xctrl(struct slgt_info *info, int if_mode); + /* + * driver functions + */ +-static void add_device(struct slgt_info *info); +-static void device_init(int adapter_num, struct pci_dev *pdev); +-static int claim_resources(struct slgt_info *info); + static void release_resources(struct slgt_info *info); + + /* +-- +2.33.0 + diff --git a/queue-5.4/tty-synclink_gt-rename-a-conflicting-function-name.patch b/queue-5.4/tty-synclink_gt-rename-a-conflicting-function-name.patch new file mode 100644 index 00000000000..d27bc622cd0 --- /dev/null +++ b/queue-5.4/tty-synclink_gt-rename-a-conflicting-function-name.patch @@ -0,0 +1,235 @@ +From 92ca76adcc39b991af415194e606d22212899888 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Sep 2021 17:38:06 -0700 +Subject: tty: synclink_gt: rename a conflicting function name +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Randy Dunlap + +[ Upstream commit 06e49073dfba24df4b1073a068631b13a0039c34 ] + +'set_signals()' in synclink_gt.c conflicts with an exported symbol +in arch/um/, so change set_signals() to set_gtsignals(). Keep +the function names similar by also changing get_signals() to +get_gtsignals(). + +../drivers/tty/synclink_gt.c:442:13: error: conflicting types for ‘set_signals’ + static void set_signals(struct slgt_info *info); + ^~~~~~~~~~~ +In file included from ../include/linux/irqflags.h:16:0, + from ../include/linux/spinlock.h:58, + from ../include/linux/mm_types.h:9, + from ../include/linux/buildid.h:5, + from ../include/linux/module.h:14, + from ../drivers/tty/synclink_gt.c:46: +../arch/um/include/asm/irqflags.h:6:5: note: previous declaration of ‘set_signals’ was here + int set_signals(int enable); + ^~~~~~~~~~~ + +Fixes: 705b6c7b34f2 ("[PATCH] new driver synclink_gt") +Cc: Greg Kroah-Hartman +Cc: Jiri Slaby +Cc: Paul Fulghum +Signed-off-by: Randy Dunlap +Link: https://lore.kernel.org/r/20210902003806.17054-1-rdunlap@infradead.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/synclink_gt.c | 44 +++++++++++++++++++-------------------- + 1 file changed, 22 insertions(+), 22 deletions(-) + +diff --git a/drivers/tty/synclink_gt.c b/drivers/tty/synclink_gt.c +index 4ef84ed54ea5..ff345a8e0fcc 100644 +--- a/drivers/tty/synclink_gt.c ++++ b/drivers/tty/synclink_gt.c +@@ -438,8 +438,8 @@ static void reset_tbufs(struct slgt_info *info); + static void tdma_reset(struct slgt_info *info); + static bool tx_load(struct slgt_info *info, const char *buf, unsigned int count); + +-static void get_signals(struct slgt_info *info); +-static void set_signals(struct slgt_info *info); ++static void get_gtsignals(struct slgt_info *info); ++static void set_gtsignals(struct slgt_info *info); + static void set_rate(struct slgt_info *info, u32 data_rate); + + static void bh_transmit(struct slgt_info *info); +@@ -721,7 +721,7 @@ static void set_termios(struct tty_struct *tty, struct ktermios *old_termios) + if ((old_termios->c_cflag & CBAUD) && !C_BAUD(tty)) { + info->signals &= ~(SerialSignal_RTS | SerialSignal_DTR); + spin_lock_irqsave(&info->lock,flags); +- set_signals(info); ++ set_gtsignals(info); + spin_unlock_irqrestore(&info->lock,flags); + } + +@@ -731,7 +731,7 @@ static void set_termios(struct tty_struct *tty, struct ktermios *old_termios) + if (!C_CRTSCTS(tty) || !tty_throttled(tty)) + info->signals |= SerialSignal_RTS; + spin_lock_irqsave(&info->lock,flags); +- set_signals(info); ++ set_gtsignals(info); + spin_unlock_irqrestore(&info->lock,flags); + } + +@@ -1182,7 +1182,7 @@ static inline void line_info(struct seq_file *m, struct slgt_info *info) + + /* output current serial signal states */ + spin_lock_irqsave(&info->lock,flags); +- get_signals(info); ++ get_gtsignals(info); + spin_unlock_irqrestore(&info->lock,flags); + + stat_buf[0] = 0; +@@ -1282,7 +1282,7 @@ static void throttle(struct tty_struct * tty) + if (C_CRTSCTS(tty)) { + spin_lock_irqsave(&info->lock,flags); + info->signals &= ~SerialSignal_RTS; +- set_signals(info); ++ set_gtsignals(info); + spin_unlock_irqrestore(&info->lock,flags); + } + } +@@ -1307,7 +1307,7 @@ static void unthrottle(struct tty_struct * tty) + if (C_CRTSCTS(tty)) { + spin_lock_irqsave(&info->lock,flags); + info->signals |= SerialSignal_RTS; +- set_signals(info); ++ set_gtsignals(info); + spin_unlock_irqrestore(&info->lock,flags); + } + } +@@ -1479,7 +1479,7 @@ static int hdlcdev_open(struct net_device *dev) + + /* inform generic HDLC layer of current DCD status */ + spin_lock_irqsave(&info->lock, flags); +- get_signals(info); ++ get_gtsignals(info); + spin_unlock_irqrestore(&info->lock, flags); + if (info->signals & SerialSignal_DCD) + netif_carrier_on(dev); +@@ -2235,7 +2235,7 @@ static void isr_txeom(struct slgt_info *info, unsigned short status) + if (info->params.mode != MGSL_MODE_ASYNC && info->drop_rts_on_tx_done) { + info->signals &= ~SerialSignal_RTS; + info->drop_rts_on_tx_done = false; +- set_signals(info); ++ set_gtsignals(info); + } + + #if SYNCLINK_GENERIC_HDLC +@@ -2400,7 +2400,7 @@ static void shutdown(struct slgt_info *info) + + if (!info->port.tty || info->port.tty->termios.c_cflag & HUPCL) { + info->signals &= ~(SerialSignal_RTS | SerialSignal_DTR); +- set_signals(info); ++ set_gtsignals(info); + } + + flush_cond_wait(&info->gpio_wait_q); +@@ -2428,7 +2428,7 @@ static void program_hw(struct slgt_info *info) + else + async_mode(info); + +- set_signals(info); ++ set_gtsignals(info); + + info->dcd_chkcount = 0; + info->cts_chkcount = 0; +@@ -2436,7 +2436,7 @@ static void program_hw(struct slgt_info *info) + info->dsr_chkcount = 0; + + slgt_irq_on(info, IRQ_DCD | IRQ_CTS | IRQ_DSR | IRQ_RI); +- get_signals(info); ++ get_gtsignals(info); + + if (info->netcount || + (info->port.tty && info->port.tty->termios.c_cflag & CREAD)) +@@ -2680,7 +2680,7 @@ static int wait_mgsl_event(struct slgt_info *info, int __user *mask_ptr) + spin_lock_irqsave(&info->lock,flags); + + /* return immediately if state matches requested events */ +- get_signals(info); ++ get_gtsignals(info); + s = info->signals; + + events = mask & +@@ -3098,7 +3098,7 @@ static int tiocmget(struct tty_struct *tty) + unsigned long flags; + + spin_lock_irqsave(&info->lock,flags); +- get_signals(info); ++ get_gtsignals(info); + spin_unlock_irqrestore(&info->lock,flags); + + result = ((info->signals & SerialSignal_RTS) ? TIOCM_RTS:0) + +@@ -3137,7 +3137,7 @@ static int tiocmset(struct tty_struct *tty, + info->signals &= ~SerialSignal_DTR; + + spin_lock_irqsave(&info->lock,flags); +- set_signals(info); ++ set_gtsignals(info); + spin_unlock_irqrestore(&info->lock,flags); + return 0; + } +@@ -3148,7 +3148,7 @@ static int carrier_raised(struct tty_port *port) + struct slgt_info *info = container_of(port, struct slgt_info, port); + + spin_lock_irqsave(&info->lock,flags); +- get_signals(info); ++ get_gtsignals(info); + spin_unlock_irqrestore(&info->lock,flags); + return (info->signals & SerialSignal_DCD) ? 1 : 0; + } +@@ -3163,7 +3163,7 @@ static void dtr_rts(struct tty_port *port, int on) + info->signals |= SerialSignal_RTS | SerialSignal_DTR; + else + info->signals &= ~(SerialSignal_RTS | SerialSignal_DTR); +- set_signals(info); ++ set_gtsignals(info); + spin_unlock_irqrestore(&info->lock,flags); + } + +@@ -3962,10 +3962,10 @@ static void tx_start(struct slgt_info *info) + + if (info->params.mode != MGSL_MODE_ASYNC) { + if (info->params.flags & HDLC_FLAG_AUTO_RTS) { +- get_signals(info); ++ get_gtsignals(info); + if (!(info->signals & SerialSignal_RTS)) { + info->signals |= SerialSignal_RTS; +- set_signals(info); ++ set_gtsignals(info); + info->drop_rts_on_tx_done = true; + } + } +@@ -4019,7 +4019,7 @@ static void reset_port(struct slgt_info *info) + rx_stop(info); + + info->signals &= ~(SerialSignal_RTS | SerialSignal_DTR); +- set_signals(info); ++ set_gtsignals(info); + + slgt_irq_off(info, IRQ_ALL | IRQ_MASTER); + } +@@ -4441,7 +4441,7 @@ static void tx_set_idle(struct slgt_info *info) + /* + * get state of V24 status (input) signals + */ +-static void get_signals(struct slgt_info *info) ++static void get_gtsignals(struct slgt_info *info) + { + unsigned short status = rd_reg16(info, SSR); + +@@ -4503,7 +4503,7 @@ static void msc_set_vcr(struct slgt_info *info) + /* + * set state of V24 control (output) signals + */ +-static void set_signals(struct slgt_info *info) ++static void set_gtsignals(struct slgt_info *info) + { + unsigned char val = rd_reg8(info, VCR); + if (info->signals & SerialSignal_DTR) +-- +2.33.0 + diff --git a/queue-5.4/xen-balloon-use-a-kernel-thread-instead-a-workqueue.patch b/queue-5.4/xen-balloon-use-a-kernel-thread-instead-a-workqueue.patch new file mode 100644 index 00000000000..872b853d9da --- /dev/null +++ b/queue-5.4/xen-balloon-use-a-kernel-thread-instead-a-workqueue.patch @@ -0,0 +1,195 @@ +From 076144fbe7ea9659561bf81090305328060a2e23 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Aug 2021 14:32:06 +0200 +Subject: xen/balloon: use a kernel thread instead a workqueue + +From: Juergen Gross + +[ Upstream commit 8480ed9c2bbd56fc86524998e5f2e3e22f5038f6 ] + +Today the Xen ballooning is done via delayed work in a workqueue. This +might result in workqueue hangups being reported in case of large +amounts of memory are being ballooned in one go (here 16GB): + +BUG: workqueue lockup - pool cpus=6 node=0 flags=0x0 nice=0 stuck for 64s! +Showing busy workqueues and worker pools: +workqueue events: flags=0x0 + pwq 12: cpus=6 node=0 flags=0x0 nice=0 active=2/256 refcnt=3 + in-flight: 229:balloon_process + pending: cache_reap +workqueue events_freezable_power_: flags=0x84 + pwq 12: cpus=6 node=0 flags=0x0 nice=0 active=1/256 refcnt=2 + pending: disk_events_workfn +workqueue mm_percpu_wq: flags=0x8 + pwq 12: cpus=6 node=0 flags=0x0 nice=0 active=1/256 refcnt=2 + pending: vmstat_update +pool 12: cpus=6 node=0 flags=0x0 nice=0 hung=64s workers=3 idle: 2222 43 + +This can easily be avoided by using a dedicated kernel thread for doing +the ballooning work. + +Reported-by: Jan Beulich +Signed-off-by: Juergen Gross +Reviewed-by: Boris Ostrovsky +Link: https://lore.kernel.org/r/20210827123206.15429-1-jgross@suse.com +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +--- + drivers/xen/balloon.c | 62 +++++++++++++++++++++++++++++++------------ + 1 file changed, 45 insertions(+), 17 deletions(-) + +diff --git a/drivers/xen/balloon.c b/drivers/xen/balloon.c +index ebb05517b6aa..2762d246991b 100644 +--- a/drivers/xen/balloon.c ++++ b/drivers/xen/balloon.c +@@ -43,6 +43,8 @@ + #include + #include + #include ++#include ++#include + #include + #include + #include +@@ -117,7 +119,7 @@ static struct ctl_table xen_root[] = { + #define EXTENT_ORDER (fls(XEN_PFN_PER_PAGE) - 1) + + /* +- * balloon_process() state: ++ * balloon_thread() state: + * + * BP_DONE: done or nothing to do, + * BP_WAIT: wait to be rescheduled, +@@ -132,6 +134,8 @@ enum bp_state { + BP_ECANCELED + }; + ++/* Main waiting point for xen-balloon thread. */ ++static DECLARE_WAIT_QUEUE_HEAD(balloon_thread_wq); + + static DEFINE_MUTEX(balloon_mutex); + +@@ -146,10 +150,6 @@ static xen_pfn_t frame_list[PAGE_SIZE / sizeof(xen_pfn_t)]; + static LIST_HEAD(ballooned_pages); + static DECLARE_WAIT_QUEUE_HEAD(balloon_wq); + +-/* Main work function, always executed in process context. */ +-static void balloon_process(struct work_struct *work); +-static DECLARE_DELAYED_WORK(balloon_worker, balloon_process); +- + /* When ballooning out (allocating memory to return to Xen) we don't really + want the kernel to try too hard since that can trigger the oom killer. */ + #define GFP_BALLOON \ +@@ -383,7 +383,7 @@ static void xen_online_page(struct page *page, unsigned int order) + static int xen_memory_notifier(struct notifier_block *nb, unsigned long val, void *v) + { + if (val == MEM_ONLINE) +- schedule_delayed_work(&balloon_worker, 0); ++ wake_up(&balloon_thread_wq); + + return NOTIFY_OK; + } +@@ -508,18 +508,43 @@ static enum bp_state decrease_reservation(unsigned long nr_pages, gfp_t gfp) + } + + /* +- * As this is a work item it is guaranteed to run as a single instance only. ++ * Stop waiting if either state is not BP_EAGAIN and ballooning action is ++ * needed, or if the credit has changed while state is BP_EAGAIN. ++ */ ++static bool balloon_thread_cond(enum bp_state state, long credit) ++{ ++ if (state != BP_EAGAIN) ++ credit = 0; ++ ++ return current_credit() != credit || kthread_should_stop(); ++} ++ ++/* ++ * As this is a kthread it is guaranteed to run as a single instance only. + * We may of course race updates of the target counts (which are protected + * by the balloon lock), or with changes to the Xen hard limit, but we will + * recover from these in time. + */ +-static void balloon_process(struct work_struct *work) ++static int balloon_thread(void *unused) + { + enum bp_state state = BP_DONE; + long credit; ++ unsigned long timeout; ++ ++ set_freezable(); ++ for (;;) { ++ if (state == BP_EAGAIN) ++ timeout = balloon_stats.schedule_delay * HZ; ++ else ++ timeout = 3600 * HZ; ++ credit = current_credit(); + ++ wait_event_interruptible_timeout(balloon_thread_wq, ++ balloon_thread_cond(state, credit), timeout); ++ ++ if (kthread_should_stop()) ++ return 0; + +- do { + mutex_lock(&balloon_mutex); + + credit = current_credit(); +@@ -546,12 +571,7 @@ static void balloon_process(struct work_struct *work) + mutex_unlock(&balloon_mutex); + + cond_resched(); +- +- } while (credit && state == BP_DONE); +- +- /* Schedule more work if there is some still to be done. */ +- if (state == BP_EAGAIN) +- schedule_delayed_work(&balloon_worker, balloon_stats.schedule_delay * HZ); ++ } + } + + /* Resets the Xen limit, sets new target, and kicks off processing. */ +@@ -559,7 +579,7 @@ void balloon_set_new_target(unsigned long target) + { + /* No need for lock. Not read-modify-write updates. */ + balloon_stats.target_pages = target; +- schedule_delayed_work(&balloon_worker, 0); ++ wake_up(&balloon_thread_wq); + } + EXPORT_SYMBOL_GPL(balloon_set_new_target); + +@@ -664,7 +684,7 @@ void free_xenballooned_pages(int nr_pages, struct page **pages) + + /* The balloon may be too large now. Shrink it if needed. */ + if (current_credit()) +- schedule_delayed_work(&balloon_worker, 0); ++ wake_up(&balloon_thread_wq); + + mutex_unlock(&balloon_mutex); + } +@@ -696,6 +716,8 @@ static void __init balloon_add_region(unsigned long start_pfn, + + static int __init balloon_init(void) + { ++ struct task_struct *task; ++ + if (!xen_domain()) + return -ENODEV; + +@@ -739,6 +761,12 @@ static int __init balloon_init(void) + } + #endif + ++ task = kthread_run(balloon_thread, NULL, "xen-balloon"); ++ if (IS_ERR(task)) { ++ pr_err("xen-balloon thread could not be started, ballooning will not work!\n"); ++ return PTR_ERR(task); ++ } ++ + /* Init the xen-balloon driver. */ + xen_balloon_init(); + +-- +2.33.0 +