From: Greg Kroah-Hartman Date: Thu, 23 Jan 2020 11:28:11 +0000 (+0100) Subject: 5.4-stable patches X-Git-Tag: v5.4.15~21 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c74a13aa2ea78a02833c914171de1c3f6f6864fa;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: arm-dts-logicpd-torpedo-37xx-devkit-28-reference-new-drm-panel.patch arm-omap2-add-missing-put_device-call-in-omapdss_init_of.patch bpf-force-.btf-section-start-to-zero-when-dumping-from-vmlinux.patch i2c-i2c-stm32f7-fix-10-bits-check-in-slave-free-id-search-loop.patch i2c-stm32f7-rework-slave_id-allocation.patch ice-fix-stack-leakage.patch libbpf-fix-another-potential-overflow-issue-in-bpf_prog_linfo.patch libbpf-fix-call-relocation-offset-calculation-bug.patch libbpf-fix-compatibility-for-kernels-without-need_wakeup.patch libbpf-fix-memory-leak-double-free-issue.patch libbpf-fix-potential-overflow-issue.patch libbpf-make-btf__resolve_size-logic-always-check-size-error-condition.patch mfd-intel-lpss-add-default-i2c-device-properties-for-gemini-lake.patch mt76-mt76u-fix-endpoint-definition-order.patch mt7601u-fix-bbp-version-check-in-mt7601u_wait_bbp_ready.patch net-mlx5e-fix-free-peer_flow-when-refcount-is-0.patch net-phy-broadcom-fix-rgmii-delays-configuration-for-bcm54210e.patch phy-lantiq-vrx200-pcie-fix-error-return-code-in-ltq_vrx200_pcie_phy_power_on.patch phy-ti-gmii-sel-fix-mac-tx-internal-delay-for-rgmii-rxid.patch powerpc-archrandom-fix-arch_get_random_seed_int.patch powerpc-kasan-fix-boot-failure-with-relocatable-fsl_booke.patch powerpc-pseries-enable-support-for-ibm-drc-info-property.patch powerpc-security-fix-debugfs-data-leak-on-32-bit.patch samples-bpf-fix-broken-xdp_rxq_info-due-to-map-order-assumptions.patch samples-bpf-update-map-definition-to-new-syntax-btf-defined-map.patch sunrpc-fix-backchannel-latency-metrics.patch sunrpc-fix-svcauth_gss_proxy_init.patch tipc-fix-potential-memory-leak-in-__tipc_sendmsg.patch tipc-fix-wrong-socket-reference-counter-after-tipc_sk_timeout-returns.patch tipc-fix-wrong-timeout-input-for-tipc_wait_for_cond.patch tipc-reduce-sensitive-to-retransmit-failures.patch tipc-update-mon-s-self-addr-when-node-addr-generated.patch xfs-sanity-check-flags-of-q_xquotarm-call.patch --- diff --git a/queue-5.4/arm-dts-logicpd-torpedo-37xx-devkit-28-reference-new-drm-panel.patch b/queue-5.4/arm-dts-logicpd-torpedo-37xx-devkit-28-reference-new-drm-panel.patch new file mode 100644 index 00000000000..61b80be7a70 --- /dev/null +++ b/queue-5.4/arm-dts-logicpd-torpedo-37xx-devkit-28-reference-new-drm-panel.patch @@ -0,0 +1,51 @@ +From a177057a95f6a3f1e0e52a17eea2178c15073648 Mon Sep 17 00:00:00 2001 +From: Adam Ford +Date: Wed, 16 Oct 2019 08:51:47 -0500 +Subject: ARM: dts: logicpd-torpedo-37xx-devkit-28: Reference new DRM panel + +From: Adam Ford + +commit a177057a95f6a3f1e0e52a17eea2178c15073648 upstream. + +With the removal of the panel-dpi from the omap drivers, the +LCD no longer works. This patch points the device tree to +a newly created panel named "logicpd,type28" + +Fixes: 8bf4b1621178 ("drm/omap: Remove panel-dpi driver") + +Signed-off-by: Adam Ford +Acked-by: Sam Ravnborg +Signed-off-by: Tony Lindgren +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/logicpd-torpedo-37xx-devkit-28.dts | 20 +------------------ + 1 file changed, 2 insertions(+), 18 deletions(-) + +--- a/arch/arm/boot/dts/logicpd-torpedo-37xx-devkit-28.dts ++++ b/arch/arm/boot/dts/logicpd-torpedo-37xx-devkit-28.dts +@@ -11,22 +11,6 @@ + #include "logicpd-torpedo-37xx-devkit.dts" + + &lcd0 { +- +- label = "28"; +- +- panel-timing { +- clock-frequency = <9000000>; +- hactive = <480>; +- vactive = <272>; +- hfront-porch = <3>; +- hback-porch = <2>; +- hsync-len = <42>; +- vback-porch = <3>; +- vfront-porch = <2>; +- vsync-len = <11>; +- hsync-active = <1>; +- vsync-active = <1>; +- de-active = <1>; +- pixelclk-active = <0>; +- }; ++ /* To make it work, set CONFIG_OMAP2_DSS_MIN_FCK_PER_PCK=4 */ ++ compatible = "logicpd,type28"; + }; diff --git a/queue-5.4/arm-omap2-add-missing-put_device-call-in-omapdss_init_of.patch b/queue-5.4/arm-omap2-add-missing-put_device-call-in-omapdss_init_of.patch new file mode 100644 index 00000000000..6ab27bfd1c1 --- /dev/null +++ b/queue-5.4/arm-omap2-add-missing-put_device-call-in-omapdss_init_of.patch @@ -0,0 +1,39 @@ +From 0b491904f053e41685162af5c5411b85b18c97a7 Mon Sep 17 00:00:00 2001 +From: Markus Elfring +Date: Sat, 9 Nov 2019 17:19:35 +0100 +Subject: ARM: OMAP2+: Add missing put_device() call in omapdss_init_of() + +From: Markus Elfring + +commit 0b491904f053e41685162af5c5411b85b18c97a7 upstream. + +A coccicheck run provided information like the following. + +arch/arm/mach-omap2/display.c:268:2-8: ERROR: missing put_device; +call of_find_device_by_node on line 258, but without a corresponding +object release within this function. + +Generated by: scripts/coccinelle/free/put_device.cocci + +Thus add the missed function call to fix the exception handling for +this function implementation. + +Fixes: e0c827aca0730b51f38081aa4e8ecf0912aab55f ("drm/omap: Populate DSS children in omapdss driver") +Signed-off-by: Markus Elfring +Signed-off-by: Tony Lindgren +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/mach-omap2/display.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/arm/mach-omap2/display.c ++++ b/arch/arm/mach-omap2/display.c +@@ -265,6 +265,7 @@ static int __init omapdss_init_of(void) + r = of_platform_populate(node, NULL, NULL, &pdev->dev); + if (r) { + pr_err("Unable to populate DSS submodule devices\n"); ++ put_device(&pdev->dev); + return r; + } + diff --git a/queue-5.4/bpf-force-.btf-section-start-to-zero-when-dumping-from-vmlinux.patch b/queue-5.4/bpf-force-.btf-section-start-to-zero-when-dumping-from-vmlinux.patch new file mode 100644 index 00000000000..9c052cc2121 --- /dev/null +++ b/queue-5.4/bpf-force-.btf-section-start-to-zero-when-dumping-from-vmlinux.patch @@ -0,0 +1,61 @@ +From df786c9b947639aedbc7bb44b5dae2a7824af360 Mon Sep 17 00:00:00 2001 +From: Stanislav Fomichev +Date: Wed, 27 Nov 2019 14:57:59 -0800 +Subject: bpf: Force .BTF section start to zero when dumping from vmlinux + +From: Stanislav Fomichev + +commit df786c9b947639aedbc7bb44b5dae2a7824af360 upstream. + +While trying to figure out why fentry_fexit selftest doesn't pass for me +(old pahole, broken BTF), I found out that my latest patch can break vmlinux +.BTF generation. objcopy preserves section start when doing --only-section, +so there is a chance (depending on where pahole inserts .BTF section) to +have leading empty zeroes. Let's explicitly force section offset to zero. + +Before: + +$ objcopy --set-section-flags .BTF=alloc -O binary \ + --only-section=.BTF vmlinux .btf.vmlinux.bin +$ xxd .btf.vmlinux.bin | head -n1 +00000000: 0000 0000 0000 0000 0000 0000 0000 0000 ................ + +After: + +$ objcopy --change-section-address .BTF=0 \ + --set-section-flags .BTF=alloc -O binary \ + --only-section=.BTF vmlinux .btf.vmlinux.bin +$ xxd .btf.vmlinux.bin | head -n1 +00000000: 9feb 0100 1800 0000 0000 0000 80e1 1c00 ................ + ^BTF magic + +As part of this change, I'm also dropping '2>/dev/null' from objcopy +invocation to be able to catch possible other issues (objcopy doesn't +produce any warnings for me anymore, it did before with --dump-section). + +Fixes: da5fb18225b4 ("bpf: Support pre-2.25-binutils objcopy for vmlinux BTF") +Signed-off-by: Stanislav Fomichev +Signed-off-by: Daniel Borkmann +Acked-by: John Fastabend +Cc: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20191127225759.39923-1-sdf@google.com +Signed-off-by: Greg Kroah-Hartman + +--- + scripts/link-vmlinux.sh | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/scripts/link-vmlinux.sh ++++ b/scripts/link-vmlinux.sh +@@ -127,8 +127,9 @@ gen_btf() + cut -d, -f1 | cut -d' ' -f2) + bin_format=$(LANG=C ${OBJDUMP} -f ${1} | grep 'file format' | \ + awk '{print $4}') +- ${OBJCOPY} --set-section-flags .BTF=alloc -O binary \ +- --only-section=.BTF ${1} .btf.vmlinux.bin 2>/dev/null ++ ${OBJCOPY} --change-section-address .BTF=0 \ ++ --set-section-flags .BTF=alloc -O binary \ ++ --only-section=.BTF ${1} .btf.vmlinux.bin + ${OBJCOPY} -I binary -O ${bin_format} -B ${bin_arch} \ + --rename-section .data=.BTF .btf.vmlinux.bin ${2} + } diff --git a/queue-5.4/i2c-i2c-stm32f7-fix-10-bits-check-in-slave-free-id-search-loop.patch b/queue-5.4/i2c-i2c-stm32f7-fix-10-bits-check-in-slave-free-id-search-loop.patch new file mode 100644 index 00000000000..06544e9767f --- /dev/null +++ b/queue-5.4/i2c-i2c-stm32f7-fix-10-bits-check-in-slave-free-id-search-loop.patch @@ -0,0 +1,36 @@ +From 7787657d7ee55a9ecf4aea4907b46b87a44eda67 Mon Sep 17 00:00:00 2001 +From: Alain Volmat +Date: Tue, 12 Nov 2019 09:19:44 +0100 +Subject: i2c: i2c-stm32f7: fix 10-bits check in slave free id search loop + +From: Alain Volmat + +commit 7787657d7ee55a9ecf4aea4907b46b87a44eda67 upstream. + +Fix a typo in the free slave id search loop. Instead of I2C_CLIENT_PEC, +it should have been I2C_CLIENT_TEN. The slave id 1 can only handle 7-bit +addresses and thus is not eligible in case of 10-bit addresses. +As a matter of fact none of the slave id support I2C_CLIENT_PEC, overall +check is performed at the beginning of the stm32f7_i2c_reg_slave function. + +Fixes: 60d609f30de2 ("i2c: i2c-stm32f7: Add slave support") +Signed-off-by: Alain Volmat +Reviewed-by: Pierre-Yves MORDRET +Signed-off-by: Wolfram Sang +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/i2c/busses/i2c-stm32f7.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/i2c/busses/i2c-stm32f7.c ++++ b/drivers/i2c/busses/i2c-stm32f7.c +@@ -1268,7 +1268,7 @@ static int stm32f7_i2c_get_free_slave_id + * slave[1] supports 7-bit slave address only + */ + for (i = STM32F7_I2C_MAX_SLAVE - 1; i >= 0; i--) { +- if (i == 1 && (slave->flags & I2C_CLIENT_PEC)) ++ if (i == 1 && (slave->flags & I2C_CLIENT_TEN)) + continue; + if (!i2c_dev->slave[i]) { + *id = i; diff --git a/queue-5.4/i2c-stm32f7-rework-slave_id-allocation.patch b/queue-5.4/i2c-stm32f7-rework-slave_id-allocation.patch new file mode 100644 index 00000000000..3d65fd575f0 --- /dev/null +++ b/queue-5.4/i2c-stm32f7-rework-slave_id-allocation.patch @@ -0,0 +1,37 @@ +From 52d3be711e065a97a57c2f2ffba3098748855bd6 Mon Sep 17 00:00:00 2001 +From: Alain Volmat +Date: Tue, 15 Oct 2019 15:03:09 +0200 +Subject: i2c: stm32f7: rework slave_id allocation + +From: Alain Volmat + +commit 52d3be711e065a97a57c2f2ffba3098748855bd6 upstream. + +The IP can handle two slave addresses. One address can either be +7 bits or 10 bits while the other can only be 7 bits. +In order to ensure that a 10 bits address can always be allocated +(assuming there is only one 7 bits address already allocated), +pick up the 7-bits only address slot in priority when performing a 7-bits +address allocation. + +Fixes: 60d609f30de2 ("i2c: i2c-stm32f7: Add slave support") +Signed-off-by: Alain Volmat +Reviewed-by: Pierre-Yves MORDRET +Signed-off-by: Wolfram Sang +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/i2c/busses/i2c-stm32f7.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/i2c/busses/i2c-stm32f7.c ++++ b/drivers/i2c/busses/i2c-stm32f7.c +@@ -1267,7 +1267,7 @@ static int stm32f7_i2c_get_free_slave_id + * slave[0] supports 7-bit and 10-bit slave address + * slave[1] supports 7-bit slave address only + */ +- for (i = 0; i < STM32F7_I2C_MAX_SLAVE; i++) { ++ for (i = STM32F7_I2C_MAX_SLAVE - 1; i >= 0; i--) { + if (i == 1 && (slave->flags & I2C_CLIENT_PEC)) + continue; + if (!i2c_dev->slave[i]) { diff --git a/queue-5.4/ice-fix-stack-leakage.patch b/queue-5.4/ice-fix-stack-leakage.patch new file mode 100644 index 00000000000..caa8a66916c --- /dev/null +++ b/queue-5.4/ice-fix-stack-leakage.patch @@ -0,0 +1,44 @@ +From 949375de945f7042df2b6488228a1a2b36e69f35 Mon Sep 17 00:00:00 2001 +From: Jesse Brandeburg +Date: Fri, 8 Nov 2019 06:23:21 -0800 +Subject: ice: fix stack leakage + +From: Jesse Brandeburg + +commit 949375de945f7042df2b6488228a1a2b36e69f35 upstream. + +In the case of an invalid virtchannel request the driver +would return uninitialized data to the VF from the PF stack +which is a bug. Fix by initializing the stack variable +earlier in the function before any return paths can be taken. + +Fixes: 1071a8358a28 ("ice: Implement virtchnl commands for AVF support") +Signed-off-by: Jesse Brandeburg +Tested-by: Andrew Bowers +Signed-off-by: Jeff Kirsher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c ++++ b/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c +@@ -1873,8 +1873,8 @@ static int ice_vc_get_stats_msg(struct i + enum virtchnl_status_code v_ret = VIRTCHNL_STATUS_SUCCESS; + struct virtchnl_queue_select *vqs = + (struct virtchnl_queue_select *)msg; ++ struct ice_eth_stats stats = { 0 }; + struct ice_pf *pf = vf->pf; +- struct ice_eth_stats stats; + struct ice_vsi *vsi; + + if (!test_bit(ICE_VF_STATE_ACTIVE, vf->vf_states)) { +@@ -1893,7 +1893,6 @@ static int ice_vc_get_stats_msg(struct i + goto error_param; + } + +- memset(&stats, 0, sizeof(struct ice_eth_stats)); + ice_update_eth_stats(vsi); + + stats = vsi->eth_stats; diff --git a/queue-5.4/libbpf-fix-another-potential-overflow-issue-in-bpf_prog_linfo.patch b/queue-5.4/libbpf-fix-another-potential-overflow-issue-in-bpf_prog_linfo.patch new file mode 100644 index 00000000000..73a54e55367 --- /dev/null +++ b/queue-5.4/libbpf-fix-another-potential-overflow-issue-in-bpf_prog_linfo.patch @@ -0,0 +1,63 @@ +From dd3ab126379ec040b3edab8559f9c72de6ef9d29 Mon Sep 17 00:00:00 2001 +From: Andrii Nakryiko +Date: Wed, 6 Nov 2019 18:08:53 -0800 +Subject: libbpf: Fix another potential overflow issue in bpf_prog_linfo + +From: Andrii Nakryiko + +commit dd3ab126379ec040b3edab8559f9c72de6ef9d29 upstream. + +Fix few issues found by Coverity and LGTM. + +Fixes: b053b439b72a ("bpf: libbpf: bpftool: Print bpf_line_info during prog dump") +Signed-off-by: Andrii Nakryiko +Signed-off-by: Daniel Borkmann +Link: https://lore.kernel.org/bpf/20191107020855.3834758-4-andriin@fb.com +Signed-off-by: Greg Kroah-Hartman + +--- + tools/lib/bpf/bpf_prog_linfo.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/tools/lib/bpf/bpf_prog_linfo.c ++++ b/tools/lib/bpf/bpf_prog_linfo.c +@@ -101,6 +101,7 @@ struct bpf_prog_linfo *bpf_prog_linfo__n + { + struct bpf_prog_linfo *prog_linfo; + __u32 nr_linfo, nr_jited_func; ++ __u64 data_sz; + + nr_linfo = info->nr_line_info; + +@@ -122,11 +123,11 @@ struct bpf_prog_linfo *bpf_prog_linfo__n + /* Copy xlated line_info */ + prog_linfo->nr_linfo = nr_linfo; + prog_linfo->rec_size = info->line_info_rec_size; +- prog_linfo->raw_linfo = malloc(nr_linfo * prog_linfo->rec_size); ++ data_sz = (__u64)nr_linfo * prog_linfo->rec_size; ++ prog_linfo->raw_linfo = malloc(data_sz); + if (!prog_linfo->raw_linfo) + goto err_free; +- memcpy(prog_linfo->raw_linfo, (void *)(long)info->line_info, +- nr_linfo * prog_linfo->rec_size); ++ memcpy(prog_linfo->raw_linfo, (void *)(long)info->line_info, data_sz); + + nr_jited_func = info->nr_jited_ksyms; + if (!nr_jited_func || +@@ -142,13 +143,12 @@ struct bpf_prog_linfo *bpf_prog_linfo__n + /* Copy jited_line_info */ + prog_linfo->nr_jited_func = nr_jited_func; + prog_linfo->jited_rec_size = info->jited_line_info_rec_size; +- prog_linfo->raw_jited_linfo = malloc(nr_linfo * +- prog_linfo->jited_rec_size); ++ data_sz = (__u64)nr_linfo * prog_linfo->jited_rec_size; ++ prog_linfo->raw_jited_linfo = malloc(data_sz); + if (!prog_linfo->raw_jited_linfo) + goto err_free; + memcpy(prog_linfo->raw_jited_linfo, +- (void *)(long)info->jited_line_info, +- nr_linfo * prog_linfo->jited_rec_size); ++ (void *)(long)info->jited_line_info, data_sz); + + /* Number of jited_line_info per jited func */ + prog_linfo->nr_jited_linfo_per_func = malloc(nr_jited_func * diff --git a/queue-5.4/libbpf-fix-call-relocation-offset-calculation-bug.patch b/queue-5.4/libbpf-fix-call-relocation-offset-calculation-bug.patch new file mode 100644 index 00000000000..58aab24828a --- /dev/null +++ b/queue-5.4/libbpf-fix-call-relocation-offset-calculation-bug.patch @@ -0,0 +1,228 @@ +From a0d7da26ce86a25e97ae191cb90574ada6daea98 Mon Sep 17 00:00:00 2001 +From: Andrii Nakryiko +Date: Tue, 19 Nov 2019 14:44:47 -0800 +Subject: libbpf: Fix call relocation offset calculation bug + +From: Andrii Nakryiko + +commit a0d7da26ce86a25e97ae191cb90574ada6daea98 upstream. + +When relocating subprogram call, libbpf doesn't take into account +relo->text_off, which comes from symbol's value. This generally works fine for +subprograms implemented as static functions, but breaks for global functions. + +Taking a simplified test_pkt_access.c as an example: + +__attribute__ ((noinline)) +static int test_pkt_access_subprog1(volatile struct __sk_buff *skb) +{ + return skb->len * 2; +} + +__attribute__ ((noinline)) +static int test_pkt_access_subprog2(int val, volatile struct __sk_buff *skb) +{ + return skb->len + val; +} + +SEC("classifier/test_pkt_access") +int test_pkt_access(struct __sk_buff *skb) +{ + if (test_pkt_access_subprog1(skb) != skb->len * 2) + return TC_ACT_SHOT; + if (test_pkt_access_subprog2(2, skb) != skb->len + 2) + return TC_ACT_SHOT; + return TC_ACT_UNSPEC; +} + +When compiled, we get two relocations, pointing to '.text' symbol. .text has +st_value set to 0 (it points to the beginning of .text section): + +0000000000000008 000000050000000a R_BPF_64_32 0000000000000000 .text +0000000000000040 000000050000000a R_BPF_64_32 0000000000000000 .text + +test_pkt_access_subprog1 and test_pkt_access_subprog2 offsets (targets of two +calls) are encoded within call instruction's imm32 part as -1 and 2, +respectively: + +0000000000000000 test_pkt_access_subprog1: + 0: 61 10 00 00 00 00 00 00 r0 = *(u32 *)(r1 + 0) + 1: 64 00 00 00 01 00 00 00 w0 <<= 1 + 2: 95 00 00 00 00 00 00 00 exit + +0000000000000018 test_pkt_access_subprog2: + 3: 61 10 00 00 00 00 00 00 r0 = *(u32 *)(r1 + 0) + 4: 04 00 00 00 02 00 00 00 w0 += 2 + 5: 95 00 00 00 00 00 00 00 exit + +0000000000000000 test_pkt_access: + 0: bf 16 00 00 00 00 00 00 r6 = r1 +===> 1: 85 10 00 00 ff ff ff ff call -1 + 2: bc 01 00 00 00 00 00 00 w1 = w0 + 3: b4 00 00 00 02 00 00 00 w0 = 2 + 4: 61 62 00 00 00 00 00 00 r2 = *(u32 *)(r6 + 0) + 5: 64 02 00 00 01 00 00 00 w2 <<= 1 + 6: 5e 21 08 00 00 00 00 00 if w1 != w2 goto +8 + 7: bf 61 00 00 00 00 00 00 r1 = r6 +===> 8: 85 10 00 00 02 00 00 00 call 2 + 9: bc 01 00 00 00 00 00 00 w1 = w0 + 10: 61 62 00 00 00 00 00 00 r2 = *(u32 *)(r6 + 0) + 11: 04 02 00 00 02 00 00 00 w2 += 2 + 12: b4 00 00 00 ff ff ff ff w0 = -1 + 13: 1e 21 01 00 00 00 00 00 if w1 == w2 goto +1 + 14: b4 00 00 00 02 00 00 00 w0 = 2 +0000000000000078 LBB0_3: + 15: 95 00 00 00 00 00 00 00 exit + +Now, if we compile example with global functions, the setup changes. +Relocations are now against specifically test_pkt_access_subprog1 and +test_pkt_access_subprog2 symbols, with test_pkt_access_subprog2 pointing 24 +bytes into its respective section (.text), i.e., 3 instructions in: + +0000000000000008 000000070000000a R_BPF_64_32 0000000000000000 test_pkt_access_subprog1 +0000000000000048 000000080000000a R_BPF_64_32 0000000000000018 test_pkt_access_subprog2 + +Calls instructions now encode offsets relative to function symbols and are both +set ot -1: + +0000000000000000 test_pkt_access_subprog1: + 0: 61 10 00 00 00 00 00 00 r0 = *(u32 *)(r1 + 0) + 1: 64 00 00 00 01 00 00 00 w0 <<= 1 + 2: 95 00 00 00 00 00 00 00 exit + +0000000000000018 test_pkt_access_subprog2: + 3: 61 20 00 00 00 00 00 00 r0 = *(u32 *)(r2 + 0) + 4: 0c 10 00 00 00 00 00 00 w0 += w1 + 5: 95 00 00 00 00 00 00 00 exit + +0000000000000000 test_pkt_access: + 0: bf 16 00 00 00 00 00 00 r6 = r1 +===> 1: 85 10 00 00 ff ff ff ff call -1 + 2: bc 01 00 00 00 00 00 00 w1 = w0 + 3: b4 00 00 00 02 00 00 00 w0 = 2 + 4: 61 62 00 00 00 00 00 00 r2 = *(u32 *)(r6 + 0) + 5: 64 02 00 00 01 00 00 00 w2 <<= 1 + 6: 5e 21 09 00 00 00 00 00 if w1 != w2 goto +9 + 7: b4 01 00 00 02 00 00 00 w1 = 2 + 8: bf 62 00 00 00 00 00 00 r2 = r6 +===> 9: 85 10 00 00 ff ff ff ff call -1 + 10: bc 01 00 00 00 00 00 00 w1 = w0 + 11: 61 62 00 00 00 00 00 00 r2 = *(u32 *)(r6 + 0) + 12: 04 02 00 00 02 00 00 00 w2 += 2 + 13: b4 00 00 00 ff ff ff ff w0 = -1 + 14: 1e 21 01 00 00 00 00 00 if w1 == w2 goto +1 + 15: b4 00 00 00 02 00 00 00 w0 = 2 +0000000000000080 LBB2_3: + 16: 95 00 00 00 00 00 00 00 exit + +Thus the right formula to calculate target call offset after relocation should +take into account relocation's target symbol value (offset within section), +call instruction's imm32 offset, and (subtracting, to get relative instruction +offset) instruction index of call instruction itself. All that is shifted by +number of instructions in main program, given all sub-programs are copied over +after main program. + +Convert few selftests relying on bpf-to-bpf calls to use global functions +instead of static ones. + +Fixes: 48cca7e44f9f ("libbpf: add support for bpf_call") +Reported-by: Alexei Starovoitov +Signed-off-by: Andrii Nakryiko +Acked-by: Yonghong Song +Signed-off-by: Alexei Starovoitov +Link: https://lore.kernel.org/bpf/20191119224447.3781271-1-andriin@fb.com +Signed-off-by: Greg Kroah-Hartman + +--- + tools/lib/bpf/libbpf.c | 8 ++++++-- + tools/testing/selftests/bpf/progs/test_btf_haskv.c | 4 ++-- + tools/testing/selftests/bpf/progs/test_btf_newkv.c | 4 ++-- + tools/testing/selftests/bpf/progs/test_btf_nokv.c | 4 ++-- + 4 files changed, 12 insertions(+), 8 deletions(-) + +--- a/tools/lib/bpf/libbpf.c ++++ b/tools/lib/bpf/libbpf.c +@@ -1791,9 +1791,13 @@ bpf_program__collect_reloc(struct bpf_pr + pr_warning("incorrect bpf_call opcode\n"); + return -LIBBPF_ERRNO__RELOC; + } ++ if (sym.st_value % 8) { ++ pr_warn("bad call relo offset: %lu\n", sym.st_value); ++ return -LIBBPF_ERRNO__RELOC; ++ } + prog->reloc_desc[i].type = RELO_CALL; + prog->reloc_desc[i].insn_idx = insn_idx; +- prog->reloc_desc[i].text_off = sym.st_value; ++ prog->reloc_desc[i].text_off = sym.st_value / 8; + obj->has_pseudo_calls = true; + continue; + } +@@ -3239,7 +3243,7 @@ bpf_program__reloc_text(struct bpf_progr + prog->section_name); + } + insn = &prog->insns[relo->insn_idx]; +- insn->imm += prog->main_prog_cnt - relo->insn_idx; ++ insn->imm += relo->text_off + prog->main_prog_cnt - relo->insn_idx; + return 0; + } + +--- a/tools/testing/selftests/bpf/progs/test_btf_haskv.c ++++ b/tools/testing/selftests/bpf/progs/test_btf_haskv.c +@@ -25,7 +25,7 @@ struct dummy_tracepoint_args { + }; + + __attribute__((noinline)) +-static int test_long_fname_2(struct dummy_tracepoint_args *arg) ++int test_long_fname_2(struct dummy_tracepoint_args *arg) + { + struct ipv_counts *counts; + int key = 0; +@@ -43,7 +43,7 @@ static int test_long_fname_2(struct dumm + } + + __attribute__((noinline)) +-static int test_long_fname_1(struct dummy_tracepoint_args *arg) ++int test_long_fname_1(struct dummy_tracepoint_args *arg) + { + return test_long_fname_2(arg); + } +--- a/tools/testing/selftests/bpf/progs/test_btf_newkv.c ++++ b/tools/testing/selftests/bpf/progs/test_btf_newkv.c +@@ -33,7 +33,7 @@ struct dummy_tracepoint_args { + }; + + __attribute__((noinline)) +-static int test_long_fname_2(struct dummy_tracepoint_args *arg) ++int test_long_fname_2(struct dummy_tracepoint_args *arg) + { + struct ipv_counts *counts; + int key = 0; +@@ -56,7 +56,7 @@ static int test_long_fname_2(struct dumm + } + + __attribute__((noinline)) +-static int test_long_fname_1(struct dummy_tracepoint_args *arg) ++int test_long_fname_1(struct dummy_tracepoint_args *arg) + { + return test_long_fname_2(arg); + } +--- a/tools/testing/selftests/bpf/progs/test_btf_nokv.c ++++ b/tools/testing/selftests/bpf/progs/test_btf_nokv.c +@@ -23,7 +23,7 @@ struct dummy_tracepoint_args { + }; + + __attribute__((noinline)) +-static int test_long_fname_2(struct dummy_tracepoint_args *arg) ++int test_long_fname_2(struct dummy_tracepoint_args *arg) + { + struct ipv_counts *counts; + int key = 0; +@@ -41,7 +41,7 @@ static int test_long_fname_2(struct dumm + } + + __attribute__((noinline)) +-static int test_long_fname_1(struct dummy_tracepoint_args *arg) ++int test_long_fname_1(struct dummy_tracepoint_args *arg) + { + return test_long_fname_2(arg); + } diff --git a/queue-5.4/libbpf-fix-compatibility-for-kernels-without-need_wakeup.patch b/queue-5.4/libbpf-fix-compatibility-for-kernels-without-need_wakeup.patch new file mode 100644 index 00000000000..1589e7ecf62 --- /dev/null +++ b/queue-5.4/libbpf-fix-compatibility-for-kernels-without-need_wakeup.patch @@ -0,0 +1,194 @@ +From 94ff9ebb49a546b7f009ed840bafa235c96d4c4b Mon Sep 17 00:00:00 2001 +From: Magnus Karlsson +Date: Fri, 25 Oct 2019 11:17:15 +0200 +Subject: libbpf: Fix compatibility for kernels without need_wakeup + +From: Magnus Karlsson + +commit 94ff9ebb49a546b7f009ed840bafa235c96d4c4b upstream. + +When the need_wakeup flag was added to AF_XDP, the format of the +XDP_MMAP_OFFSETS getsockopt was extended. Code was added to the +kernel to take care of compatibility issues arrising from running +applications using any of the two formats. However, libbpf was +not extended to take care of the case when the application/libbpf +uses the new format but the kernel only supports the old +format. This patch adds support in libbpf for parsing the old +format, before the need_wakeup flag was added, and emulating a +set of static need_wakeup flags that will always work for the +application. + +v2 -> v3: +* Incorporated code improvements suggested by Jonathan Lemon + +v1 -> v2: +* Rebased to bpf-next +* Rewrote the code as the previous version made you blind + +Fixes: a4500432c2587cb2a ("libbpf: add support for need_wakeup flag in AF_XDP part") +Reported-by: Eloy Degen +Signed-off-by: Magnus Karlsson +Signed-off-by: Alexei Starovoitov +Acked-by: Jonathan Lemon +Link: https://lore.kernel.org/bpf/1571995035-21889-1-git-send-email-magnus.karlsson@intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + tools/lib/bpf/xsk.c | 83 ++++++++++++++++++++++++++++++++++++++++++++-------- + 1 file changed, 71 insertions(+), 12 deletions(-) + +--- a/tools/lib/bpf/xsk.c ++++ b/tools/lib/bpf/xsk.c +@@ -73,6 +73,21 @@ struct xsk_nl_info { + int fd; + }; + ++/* Up until and including Linux 5.3 */ ++struct xdp_ring_offset_v1 { ++ __u64 producer; ++ __u64 consumer; ++ __u64 desc; ++}; ++ ++/* Up until and including Linux 5.3 */ ++struct xdp_mmap_offsets_v1 { ++ struct xdp_ring_offset_v1 rx; ++ struct xdp_ring_offset_v1 tx; ++ struct xdp_ring_offset_v1 fr; ++ struct xdp_ring_offset_v1 cr; ++}; ++ + int xsk_umem__fd(const struct xsk_umem *umem) + { + return umem ? umem->fd : -EINVAL; +@@ -133,6 +148,58 @@ static int xsk_set_xdp_socket_config(str + return 0; + } + ++static void xsk_mmap_offsets_v1(struct xdp_mmap_offsets *off) ++{ ++ struct xdp_mmap_offsets_v1 off_v1; ++ ++ /* getsockopt on a kernel <= 5.3 has no flags fields. ++ * Copy over the offsets to the correct places in the >=5.4 format ++ * and put the flags where they would have been on that kernel. ++ */ ++ memcpy(&off_v1, off, sizeof(off_v1)); ++ ++ off->rx.producer = off_v1.rx.producer; ++ off->rx.consumer = off_v1.rx.consumer; ++ off->rx.desc = off_v1.rx.desc; ++ off->rx.flags = off_v1.rx.consumer + sizeof(u32); ++ ++ off->tx.producer = off_v1.tx.producer; ++ off->tx.consumer = off_v1.tx.consumer; ++ off->tx.desc = off_v1.tx.desc; ++ off->tx.flags = off_v1.tx.consumer + sizeof(u32); ++ ++ off->fr.producer = off_v1.fr.producer; ++ off->fr.consumer = off_v1.fr.consumer; ++ off->fr.desc = off_v1.fr.desc; ++ off->fr.flags = off_v1.fr.consumer + sizeof(u32); ++ ++ off->cr.producer = off_v1.cr.producer; ++ off->cr.consumer = off_v1.cr.consumer; ++ off->cr.desc = off_v1.cr.desc; ++ off->cr.flags = off_v1.cr.consumer + sizeof(u32); ++} ++ ++static int xsk_get_mmap_offsets(int fd, struct xdp_mmap_offsets *off) ++{ ++ socklen_t optlen; ++ int err; ++ ++ optlen = sizeof(*off); ++ err = getsockopt(fd, SOL_XDP, XDP_MMAP_OFFSETS, off, &optlen); ++ if (err) ++ return err; ++ ++ if (optlen == sizeof(*off)) ++ return 0; ++ ++ if (optlen == sizeof(struct xdp_mmap_offsets_v1)) { ++ xsk_mmap_offsets_v1(off); ++ return 0; ++ } ++ ++ return -EINVAL; ++} ++ + int xsk_umem__create_v0_0_4(struct xsk_umem **umem_ptr, void *umem_area, + __u64 size, struct xsk_ring_prod *fill, + struct xsk_ring_cons *comp, +@@ -141,7 +208,6 @@ int xsk_umem__create_v0_0_4(struct xsk_u + struct xdp_mmap_offsets off; + struct xdp_umem_reg mr; + struct xsk_umem *umem; +- socklen_t optlen; + void *map; + int err; + +@@ -190,8 +256,7 @@ int xsk_umem__create_v0_0_4(struct xsk_u + goto out_socket; + } + +- optlen = sizeof(off); +- err = getsockopt(umem->fd, SOL_XDP, XDP_MMAP_OFFSETS, &off, &optlen); ++ err = xsk_get_mmap_offsets(umem->fd, &off); + if (err) { + err = -errno; + goto out_socket; +@@ -499,7 +564,6 @@ int xsk_socket__create(struct xsk_socket + struct sockaddr_xdp sxdp = {}; + struct xdp_mmap_offsets off; + struct xsk_socket *xsk; +- socklen_t optlen; + int err; + + if (!umem || !xsk_ptr || !rx || !tx) +@@ -558,8 +622,7 @@ int xsk_socket__create(struct xsk_socket + } + } + +- optlen = sizeof(off); +- err = getsockopt(xsk->fd, SOL_XDP, XDP_MMAP_OFFSETS, &off, &optlen); ++ err = xsk_get_mmap_offsets(xsk->fd, &off); + if (err) { + err = -errno; + goto out_socket; +@@ -645,7 +708,6 @@ out_xsk_alloc: + int xsk_umem__delete(struct xsk_umem *umem) + { + struct xdp_mmap_offsets off; +- socklen_t optlen; + int err; + + if (!umem) +@@ -654,8 +716,7 @@ int xsk_umem__delete(struct xsk_umem *um + if (umem->refcount) + return -EBUSY; + +- optlen = sizeof(off); +- err = getsockopt(umem->fd, SOL_XDP, XDP_MMAP_OFFSETS, &off, &optlen); ++ err = xsk_get_mmap_offsets(umem->fd, &off); + if (!err) { + munmap(umem->fill->ring - off.fr.desc, + off.fr.desc + umem->config.fill_size * sizeof(__u64)); +@@ -673,7 +734,6 @@ void xsk_socket__delete(struct xsk_socke + { + size_t desc_sz = sizeof(struct xdp_desc); + struct xdp_mmap_offsets off; +- socklen_t optlen; + int err; + + if (!xsk) +@@ -684,8 +744,7 @@ void xsk_socket__delete(struct xsk_socke + close(xsk->prog_fd); + } + +- optlen = sizeof(off); +- err = getsockopt(xsk->fd, SOL_XDP, XDP_MMAP_OFFSETS, &off, &optlen); ++ err = xsk_get_mmap_offsets(xsk->fd, &off); + if (!err) { + if (xsk->rx) { + munmap(xsk->rx->ring - off.rx.desc, diff --git a/queue-5.4/libbpf-fix-memory-leak-double-free-issue.patch b/queue-5.4/libbpf-fix-memory-leak-double-free-issue.patch new file mode 100644 index 00000000000..46fd607085b --- /dev/null +++ b/queue-5.4/libbpf-fix-memory-leak-double-free-issue.patch @@ -0,0 +1,41 @@ +From 3dc5e059821376974177cc801d377e3fcdac6712 Mon Sep 17 00:00:00 2001 +From: Andrii Nakryiko +Date: Wed, 6 Nov 2019 18:08:51 -0800 +Subject: libbpf: Fix memory leak/double free issue + +From: Andrii Nakryiko + +commit 3dc5e059821376974177cc801d377e3fcdac6712 upstream. + +Coverity scan against Github libbpf code found the issue of not freeing memory and +leaving already freed memory still referenced from bpf_program. Fix it by +re-assigning successfully reallocated memory sooner. + +Fixes: 2993e0515bb4 ("tools/bpf: add support to read .BTF.ext sections") +Signed-off-by: Andrii Nakryiko +Signed-off-by: Daniel Borkmann +Link: https://lore.kernel.org/bpf/20191107020855.3834758-2-andriin@fb.com +Signed-off-by: Greg Kroah-Hartman + +--- + tools/lib/bpf/libbpf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/lib/bpf/libbpf.c ++++ b/tools/lib/bpf/libbpf.c +@@ -3220,6 +3220,7 @@ bpf_program__reloc_text(struct bpf_progr + pr_warning("oom in prog realloc\n"); + return -ENOMEM; + } ++ prog->insns = new_insn; + + if (obj->btf_ext) { + err = bpf_program_reloc_btf_ext(prog, obj, +@@ -3231,7 +3232,6 @@ bpf_program__reloc_text(struct bpf_progr + + memcpy(new_insn + prog->insns_cnt, text->insns, + text->insns_cnt * sizeof(*insn)); +- prog->insns = new_insn; + prog->main_prog_cnt = prog->insns_cnt; + prog->insns_cnt = new_cnt; + pr_debug("added %zd insn from %s to prog %s\n", diff --git a/queue-5.4/libbpf-fix-potential-overflow-issue.patch b/queue-5.4/libbpf-fix-potential-overflow-issue.patch new file mode 100644 index 00000000000..c0a6ff9b055 --- /dev/null +++ b/queue-5.4/libbpf-fix-potential-overflow-issue.patch @@ -0,0 +1,33 @@ +From 4ee1135615713387b869dfd099ffdf8656be6784 Mon Sep 17 00:00:00 2001 +From: Andrii Nakryiko +Date: Wed, 6 Nov 2019 18:08:52 -0800 +Subject: libbpf: Fix potential overflow issue + +From: Andrii Nakryiko + +commit 4ee1135615713387b869dfd099ffdf8656be6784 upstream. + +Fix a potential overflow issue found by LGTM analysis, based on Github libbpf +source code. + +Fixes: 3d65014146c6 ("bpf: libbpf: Add btf_line_info support to libbpf") +Signed-off-by: Andrii Nakryiko +Signed-off-by: Daniel Borkmann +Link: https://lore.kernel.org/bpf/20191107020855.3834758-3-andriin@fb.com +Signed-off-by: Greg Kroah-Hartman + +--- + tools/lib/bpf/bpf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/lib/bpf/bpf.c ++++ b/tools/lib/bpf/bpf.c +@@ -189,7 +189,7 @@ static void * + alloc_zero_tailing_info(const void *orecord, __u32 cnt, + __u32 actual_rec_size, __u32 expected_rec_size) + { +- __u64 info_len = actual_rec_size * cnt; ++ __u64 info_len = (__u64)actual_rec_size * cnt; + void *info, *nrecord; + int i; + diff --git a/queue-5.4/libbpf-make-btf__resolve_size-logic-always-check-size-error-condition.patch b/queue-5.4/libbpf-make-btf__resolve_size-logic-always-check-size-error-condition.patch new file mode 100644 index 00000000000..d6e1794c367 --- /dev/null +++ b/queue-5.4/libbpf-make-btf__resolve_size-logic-always-check-size-error-condition.patch @@ -0,0 +1,37 @@ +From 994021a7e08477f7e51285920aac99fc967fae8a Mon Sep 17 00:00:00 2001 +From: Andrii Nakryiko +Date: Wed, 6 Nov 2019 18:08:54 -0800 +Subject: libbpf: Make btf__resolve_size logic always check size error condition + +From: Andrii Nakryiko + +commit 994021a7e08477f7e51285920aac99fc967fae8a upstream. + +Perform size check always in btf__resolve_size. Makes the logic a bit more +robust against corrupted BTF and silences LGTM/Coverity complaining about +always true (size < 0) check. + +Fixes: 69eaab04c675 ("btf: extract BTF type size calculation") +Signed-off-by: Andrii Nakryiko +Signed-off-by: Daniel Borkmann +Link: https://lore.kernel.org/bpf/20191107020855.3834758-5-andriin@fb.com +Signed-off-by: Greg Kroah-Hartman + +--- + tools/lib/bpf/btf.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/tools/lib/bpf/btf.c ++++ b/tools/lib/bpf/btf.c +@@ -269,10 +269,9 @@ __s64 btf__resolve_size(const struct btf + t = btf__type_by_id(btf, type_id); + } + ++done: + if (size < 0) + return -EINVAL; +- +-done: + if (nelems && size > UINT32_MAX / nelems) + return -E2BIG; + diff --git a/queue-5.4/mfd-intel-lpss-add-default-i2c-device-properties-for-gemini-lake.patch b/queue-5.4/mfd-intel-lpss-add-default-i2c-device-properties-for-gemini-lake.patch new file mode 100644 index 00000000000..7b902d96b50 --- /dev/null +++ b/queue-5.4/mfd-intel-lpss-add-default-i2c-device-properties-for-gemini-lake.patch @@ -0,0 +1,71 @@ +From 3f31bc67e4dc6a555341dffefe328ddd58e8b431 Mon Sep 17 00:00:00 2001 +From: Jarkko Nikula +Date: Wed, 4 Sep 2019 08:56:25 +0300 +Subject: mfd: intel-lpss: Add default I2C device properties for Gemini Lake + +From: Jarkko Nikula + +commit 3f31bc67e4dc6a555341dffefe328ddd58e8b431 upstream. + +It turned out Intel Gemini Lake doesn't use the same I2C timing +parameters as Broxton. + +I got confirmation from the Windows team that Gemini Lake systems should +use updated timing parameters that differ from those used in Broxton +based systems. + +Fixes: f80e78aa11ad ("mfd: intel-lpss: Add Intel Gemini Lake PCI IDs") +Tested-by: Chris Chiu +Signed-off-by: Jarkko Nikula +Acked-by: Andy Shevchenko +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mfd/intel-lpss-pci.c | 28 ++++++++++++++++++++-------- + 1 file changed, 20 insertions(+), 8 deletions(-) + +--- a/drivers/mfd/intel-lpss-pci.c ++++ b/drivers/mfd/intel-lpss-pci.c +@@ -122,6 +122,18 @@ static const struct intel_lpss_platform_ + .properties = apl_i2c_properties, + }; + ++static struct property_entry glk_i2c_properties[] = { ++ PROPERTY_ENTRY_U32("i2c-sda-hold-time-ns", 313), ++ PROPERTY_ENTRY_U32("i2c-sda-falling-time-ns", 171), ++ PROPERTY_ENTRY_U32("i2c-scl-falling-time-ns", 290), ++ { }, ++}; ++ ++static const struct intel_lpss_platform_info glk_i2c_info = { ++ .clk_rate = 133000000, ++ .properties = glk_i2c_properties, ++}; ++ + static const struct intel_lpss_platform_info cnl_i2c_info = { + .clk_rate = 216000000, + .properties = spt_i2c_properties, +@@ -174,14 +186,14 @@ static const struct pci_device_id intel_ + { PCI_VDEVICE(INTEL, 0x1ac6), (kernel_ulong_t)&bxt_info }, + { PCI_VDEVICE(INTEL, 0x1aee), (kernel_ulong_t)&bxt_uart_info }, + /* GLK */ +- { PCI_VDEVICE(INTEL, 0x31ac), (kernel_ulong_t)&bxt_i2c_info }, +- { PCI_VDEVICE(INTEL, 0x31ae), (kernel_ulong_t)&bxt_i2c_info }, +- { PCI_VDEVICE(INTEL, 0x31b0), (kernel_ulong_t)&bxt_i2c_info }, +- { PCI_VDEVICE(INTEL, 0x31b2), (kernel_ulong_t)&bxt_i2c_info }, +- { PCI_VDEVICE(INTEL, 0x31b4), (kernel_ulong_t)&bxt_i2c_info }, +- { PCI_VDEVICE(INTEL, 0x31b6), (kernel_ulong_t)&bxt_i2c_info }, +- { PCI_VDEVICE(INTEL, 0x31b8), (kernel_ulong_t)&bxt_i2c_info }, +- { PCI_VDEVICE(INTEL, 0x31ba), (kernel_ulong_t)&bxt_i2c_info }, ++ { PCI_VDEVICE(INTEL, 0x31ac), (kernel_ulong_t)&glk_i2c_info }, ++ { PCI_VDEVICE(INTEL, 0x31ae), (kernel_ulong_t)&glk_i2c_info }, ++ { PCI_VDEVICE(INTEL, 0x31b0), (kernel_ulong_t)&glk_i2c_info }, ++ { PCI_VDEVICE(INTEL, 0x31b2), (kernel_ulong_t)&glk_i2c_info }, ++ { PCI_VDEVICE(INTEL, 0x31b4), (kernel_ulong_t)&glk_i2c_info }, ++ { PCI_VDEVICE(INTEL, 0x31b6), (kernel_ulong_t)&glk_i2c_info }, ++ { PCI_VDEVICE(INTEL, 0x31b8), (kernel_ulong_t)&glk_i2c_info }, ++ { PCI_VDEVICE(INTEL, 0x31ba), (kernel_ulong_t)&glk_i2c_info }, + { PCI_VDEVICE(INTEL, 0x31bc), (kernel_ulong_t)&bxt_uart_info }, + { PCI_VDEVICE(INTEL, 0x31be), (kernel_ulong_t)&bxt_uart_info }, + { PCI_VDEVICE(INTEL, 0x31c0), (kernel_ulong_t)&bxt_uart_info }, diff --git a/queue-5.4/mt76-mt76u-fix-endpoint-definition-order.patch b/queue-5.4/mt76-mt76u-fix-endpoint-definition-order.patch new file mode 100644 index 00000000000..8ae14357c94 --- /dev/null +++ b/queue-5.4/mt76-mt76u-fix-endpoint-definition-order.patch @@ -0,0 +1,32 @@ +From 23cb16d2ccb5f819d7acff602e5a153157bf2884 Mon Sep 17 00:00:00 2001 +From: Lorenzo Bianconi +Date: Sun, 17 Nov 2019 14:26:14 +0200 +Subject: mt76: mt76u: fix endpoint definition order + +From: Lorenzo Bianconi + +commit 23cb16d2ccb5f819d7acff602e5a153157bf2884 upstream. + +Even if they are not currently used fix BK/BE endpoint definition order. + +Fixes: b40b15e1521f ("mt76: add usb support to mt76 layer") +Signed-off-by: Lorenzo Bianconi +Signed-off-by: Felix Fietkau +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/mediatek/mt76/mt76.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/mediatek/mt76/mt76.h ++++ b/drivers/net/wireless/mediatek/mt76/mt76.h +@@ -367,8 +367,8 @@ enum mt76u_in_ep { + + enum mt76u_out_ep { + MT_EP_OUT_INBAND_CMD, +- MT_EP_OUT_AC_BK, + MT_EP_OUT_AC_BE, ++ MT_EP_OUT_AC_BK, + MT_EP_OUT_AC_VI, + MT_EP_OUT_AC_VO, + MT_EP_OUT_HCCA, diff --git a/queue-5.4/mt7601u-fix-bbp-version-check-in-mt7601u_wait_bbp_ready.patch b/queue-5.4/mt7601u-fix-bbp-version-check-in-mt7601u_wait_bbp_ready.patch new file mode 100644 index 00000000000..31fe8962fa4 --- /dev/null +++ b/queue-5.4/mt7601u-fix-bbp-version-check-in-mt7601u_wait_bbp_ready.patch @@ -0,0 +1,38 @@ +From 15e14f76f85f4f0eab3b8146e1cd3c58ce272823 Mon Sep 17 00:00:00 2001 +From: Lorenzo Bianconi +Date: Sat, 21 Sep 2019 10:44:01 +0200 +Subject: mt7601u: fix bbp version check in mt7601u_wait_bbp_ready + +From: Lorenzo Bianconi + +commit 15e14f76f85f4f0eab3b8146e1cd3c58ce272823 upstream. + +Fix bbp ready check in mt7601u_wait_bbp_ready. The issue is reported by +coverity with the following error: + +Logical vs. bitwise operator +The expression's value does not depend on the operands; inadvertent use +of the wrong operator is a likely logic error. + +Addresses-Coverity-ID: 1309441 ("Logical vs. bitwise operator") +Fixes: c869f77d6abb ("add mt7601u driver") +Acked-by: Jakub Kicinski +Signed-off-by: Lorenzo Bianconi +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/mediatek/mt7601u/phy.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/mediatek/mt7601u/phy.c ++++ b/drivers/net/wireless/mediatek/mt7601u/phy.c +@@ -213,7 +213,7 @@ int mt7601u_wait_bbp_ready(struct mt7601 + + do { + val = mt7601u_bbp_rr(dev, MT_BBP_REG_VERSION); +- if (val && ~val) ++ if (val && val != 0xff) + break; + } while (--i); + diff --git a/queue-5.4/net-mlx5e-fix-free-peer_flow-when-refcount-is-0.patch b/queue-5.4/net-mlx5e-fix-free-peer_flow-when-refcount-is-0.patch new file mode 100644 index 00000000000..af48583d677 --- /dev/null +++ b/queue-5.4/net-mlx5e-fix-free-peer_flow-when-refcount-is-0.patch @@ -0,0 +1,39 @@ +From eb252c3a24fc5856fa62140c2f8269ddce6ce4e5 Mon Sep 17 00:00:00 2001 +From: Roi Dayan +Date: Mon, 2 Dec 2019 19:19:47 +0200 +Subject: net/mlx5e: Fix free peer_flow when refcount is 0 + +From: Roi Dayan + +commit eb252c3a24fc5856fa62140c2f8269ddce6ce4e5 upstream. + +It could be neigh update flow took a refcount on peer flow so +sometimes we cannot release peer flow even if parent flow is +being freed now. + +Fixes: 5a7e5bcb663d ("net/mlx5e: Extend tc flow struct with reference counter") +Signed-off-by: Roi Dayan +Reviewed-by: Eli Britstein +Signed-off-by: Saeed Mahameed +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c +@@ -1615,8 +1615,11 @@ static void __mlx5e_tc_del_fdb_peer_flow + + flow_flag_clear(flow, DUP); + +- mlx5e_tc_del_fdb_flow(flow->peer_flow->priv, flow->peer_flow); +- kfree(flow->peer_flow); ++ if (refcount_dec_and_test(&flow->peer_flow->refcnt)) { ++ mlx5e_tc_del_fdb_flow(flow->peer_flow->priv, flow->peer_flow); ++ kfree(flow->peer_flow); ++ } ++ + flow->peer_flow = NULL; + } + diff --git a/queue-5.4/net-phy-broadcom-fix-rgmii-delays-configuration-for-bcm54210e.patch b/queue-5.4/net-phy-broadcom-fix-rgmii-delays-configuration-for-bcm54210e.patch new file mode 100644 index 00000000000..def54461b63 --- /dev/null +++ b/queue-5.4/net-phy-broadcom-fix-rgmii-delays-configuration-for-bcm54210e.patch @@ -0,0 +1,51 @@ +From fea7fda7f50a6059220f83251e70709e45cc8040 Mon Sep 17 00:00:00 2001 +From: Florian Fainelli +Date: Thu, 3 Oct 2019 11:43:51 -0700 +Subject: net: phy: broadcom: Fix RGMII delays configuration for BCM54210E + +From: Florian Fainelli + +commit fea7fda7f50a6059220f83251e70709e45cc8040 upstream. + +Commit 0fc9ae107669 ("net: phy: broadcom: add support for +BCM54210E") added support for BCM54210E but also unconditionally cleared +the RXC to RXD skew and the TXD to TXC skew, thus only making +PHY_INTERFACE_MODE_RGMII a possible configuration. Use +bcm54xx_config_clock_delay() which correctly sets the registers +depending on the 4 possible PHY interface values that exist for RGMII. + +Fixes: 0fc9ae107669 ("net: phy: broadcom: add support for BCM54210E") +Reported-by: Manasa Mudireddy +Reported-by: Ray Jui +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/phy/broadcom.c | 11 +++-------- + 1 file changed, 3 insertions(+), 8 deletions(-) + +--- a/drivers/net/phy/broadcom.c ++++ b/drivers/net/phy/broadcom.c +@@ -26,18 +26,13 @@ MODULE_DESCRIPTION("Broadcom PHY driver" + MODULE_AUTHOR("Maciej W. Rozycki"); + MODULE_LICENSE("GPL"); + ++static int bcm54xx_config_clock_delay(struct phy_device *phydev); ++ + static int bcm54210e_config_init(struct phy_device *phydev) + { + int val; + +- val = bcm54xx_auxctl_read(phydev, MII_BCM54XX_AUXCTL_SHDWSEL_MISC); +- val &= ~MII_BCM54XX_AUXCTL_SHDWSEL_MISC_RGMII_SKEW_EN; +- val |= MII_BCM54XX_AUXCTL_MISC_WREN; +- bcm54xx_auxctl_write(phydev, MII_BCM54XX_AUXCTL_SHDWSEL_MISC, val); +- +- val = bcm_phy_read_shadow(phydev, BCM54810_SHD_CLK_CTL); +- val &= ~BCM54810_SHD_CLK_CTL_GTXCLK_EN; +- bcm_phy_write_shadow(phydev, BCM54810_SHD_CLK_CTL, val); ++ bcm54xx_config_clock_delay(phydev); + + if (phydev->dev_flags & PHY_BRCM_EN_MASTER_MODE) { + val = phy_read(phydev, MII_CTRL1000); diff --git a/queue-5.4/phy-lantiq-vrx200-pcie-fix-error-return-code-in-ltq_vrx200_pcie_phy_power_on.patch b/queue-5.4/phy-lantiq-vrx200-pcie-fix-error-return-code-in-ltq_vrx200_pcie_phy_power_on.patch new file mode 100644 index 00000000000..67bc8aba18f --- /dev/null +++ b/queue-5.4/phy-lantiq-vrx200-pcie-fix-error-return-code-in-ltq_vrx200_pcie_phy_power_on.patch @@ -0,0 +1,34 @@ +From 82b5d164415549e74cfa1f9156ffd4463d0a76e2 Mon Sep 17 00:00:00 2001 +From: Wei Yongjun +Date: Wed, 4 Sep 2019 11:40:14 +0000 +Subject: phy: lantiq: vrx200-pcie: fix error return code in ltq_vrx200_pcie_phy_power_on() + +From: Wei Yongjun + +commit 82b5d164415549e74cfa1f9156ffd4463d0a76e2 upstream. + +Fix to return a negative error code from the error handling +case instead of 0, as done elsewhere in this function. + +Fixes: e52a632195bf ("phy: lantiq: vrx200-pcie: add a driver for the Lantiq VRX200 PCIe PHY") +Signed-off-by: Wei Yongjun +Reviewed-by: Martin Blumenstingl +Signed-off-by: Kishon Vijay Abraham I +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/phy/lantiq/phy-lantiq-vrx200-pcie.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/phy/lantiq/phy-lantiq-vrx200-pcie.c ++++ b/drivers/phy/lantiq/phy-lantiq-vrx200-pcie.c +@@ -323,7 +323,8 @@ static int ltq_vrx200_pcie_phy_power_on( + goto err_disable_pdi_clk; + + /* Check if we are in "startup ready" status */ +- if (ltq_vrx200_pcie_phy_wait_for_pll(phy) != 0) ++ ret = ltq_vrx200_pcie_phy_wait_for_pll(phy); ++ if (ret) + goto err_disable_phy_clk; + + ltq_vrx200_pcie_phy_apply_workarounds(phy); diff --git a/queue-5.4/phy-ti-gmii-sel-fix-mac-tx-internal-delay-for-rgmii-rxid.patch b/queue-5.4/phy-ti-gmii-sel-fix-mac-tx-internal-delay-for-rgmii-rxid.patch new file mode 100644 index 00000000000..9bf56f5d36a --- /dev/null +++ b/queue-5.4/phy-ti-gmii-sel-fix-mac-tx-internal-delay-for-rgmii-rxid.patch @@ -0,0 +1,38 @@ +From 316b429459066215abb50060873ec0832efc4044 Mon Sep 17 00:00:00 2001 +From: Grygorii Strashko +Date: Wed, 23 Oct 2019 17:47:44 +0300 +Subject: phy: ti: gmii-sel: fix mac tx internal delay for rgmii-rxid + +From: Grygorii Strashko + +commit 316b429459066215abb50060873ec0832efc4044 upstream. + +Now phy-gmii-sel will disable MAC TX internal delay for PHY interface mode +"rgmii-rxid" which is incorrect. +Hence, fix it by enabling MAC TX internal delay in the case of "rgmii-rxid" +mode. + +Fixes: 92b58b34741f ("phy: ti: introduce phy-gmii-sel driver") +Signed-off-by: Grygorii Strashko +Signed-off-by: Kishon Vijay Abraham I +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/phy/ti/phy-gmii-sel.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/phy/ti/phy-gmii-sel.c ++++ b/drivers/phy/ti/phy-gmii-sel.c +@@ -69,11 +69,11 @@ static int phy_gmii_sel_mode(struct phy + break; + + case PHY_INTERFACE_MODE_RGMII: ++ case PHY_INTERFACE_MODE_RGMII_RXID: + gmii_sel_mode = AM33XX_GMII_SEL_MODE_RGMII; + break; + + case PHY_INTERFACE_MODE_RGMII_ID: +- case PHY_INTERFACE_MODE_RGMII_RXID: + case PHY_INTERFACE_MODE_RGMII_TXID: + gmii_sel_mode = AM33XX_GMII_SEL_MODE_RGMII; + rgmii_id = 1; diff --git a/queue-5.4/powerpc-archrandom-fix-arch_get_random_seed_int.patch b/queue-5.4/powerpc-archrandom-fix-arch_get_random_seed_int.patch new file mode 100644 index 00000000000..1f190a81aee --- /dev/null +++ b/queue-5.4/powerpc-archrandom-fix-arch_get_random_seed_int.patch @@ -0,0 +1,43 @@ +From b6afd1234cf93aa0d71b4be4788c47534905f0be Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Wed, 4 Dec 2019 11:50:15 +0000 +Subject: powerpc/archrandom: fix arch_get_random_seed_int() + +From: Ard Biesheuvel + +commit b6afd1234cf93aa0d71b4be4788c47534905f0be upstream. + +Commit 01c9348c7620ec65 + + powerpc: Use hardware RNG for arch_get_random_seed_* not arch_get_random_* + +updated arch_get_random_[int|long]() to be NOPs, and moved the hardware +RNG backing to arch_get_random_seed_[int|long]() instead. However, it +failed to take into account that arch_get_random_int() was implemented +in terms of arch_get_random_long(), and so we ended up with a version +of the former that is essentially a NOP as well. + +Fix this by calling arch_get_random_seed_long() from +arch_get_random_seed_int() instead. + +Fixes: 01c9348c7620ec65 ("powerpc: Use hardware RNG for arch_get_random_seed_* not arch_get_random_*") +Signed-off-by: Ard Biesheuvel +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20191204115015.18015-1-ardb@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/include/asm/archrandom.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/powerpc/include/asm/archrandom.h ++++ b/arch/powerpc/include/asm/archrandom.h +@@ -28,7 +28,7 @@ static inline int arch_get_random_seed_i + unsigned long val; + int rc; + +- rc = arch_get_random_long(&val); ++ rc = arch_get_random_seed_long(&val); + if (rc) + *v = val; + diff --git a/queue-5.4/powerpc-kasan-fix-boot-failure-with-relocatable-fsl_booke.patch b/queue-5.4/powerpc-kasan-fix-boot-failure-with-relocatable-fsl_booke.patch new file mode 100644 index 00000000000..de3c3d124d6 --- /dev/null +++ b/queue-5.4/powerpc-kasan-fix-boot-failure-with-relocatable-fsl_booke.patch @@ -0,0 +1,50 @@ +From 71eb40fc53371bc247c8066ae76ad9e22ae1e18d Mon Sep 17 00:00:00 2001 +From: Christophe Leroy +Date: Fri, 29 Nov 2019 14:26:41 +0000 +Subject: powerpc/kasan: Fix boot failure with RELOCATABLE && FSL_BOOKE + +From: Christophe Leroy + +commit 71eb40fc53371bc247c8066ae76ad9e22ae1e18d upstream. + +When enabling CONFIG_RELOCATABLE and CONFIG_KASAN on FSL_BOOKE, +the kernel doesn't boot. + +relocate_init() requires KASAN early shadow area to be set up because +it needs access to the device tree through generic functions. + +Call kasan_early_init() before calling relocate_init() + +Reported-by: Lexi Shao +Fixes: 2edb16efc899 ("powerpc/32: Add KASAN support") +Signed-off-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/b58426f1664a4b344ff696d18cacf3b3e8962111.1575036985.git.christophe.leroy@c-s.fr +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kernel/head_fsl_booke.S | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/powerpc/kernel/head_fsl_booke.S ++++ b/arch/powerpc/kernel/head_fsl_booke.S +@@ -238,6 +238,9 @@ set_ivor: + + bl early_init + ++#ifdef CONFIG_KASAN ++ bl kasan_early_init ++#endif + #ifdef CONFIG_RELOCATABLE + mr r3,r30 + mr r4,r31 +@@ -264,9 +267,6 @@ set_ivor: + /* + * Decide what sort of machine this is and initialize the MMU. + */ +-#ifdef CONFIG_KASAN +- bl kasan_early_init +-#endif + mr r3,r30 + mr r4,r31 + bl machine_init diff --git a/queue-5.4/powerpc-pseries-enable-support-for-ibm-drc-info-property.patch b/queue-5.4/powerpc-pseries-enable-support-for-ibm-drc-info-property.patch new file mode 100644 index 00000000000..2eb52475c92 --- /dev/null +++ b/queue-5.4/powerpc-pseries-enable-support-for-ibm-drc-info-property.patch @@ -0,0 +1,33 @@ +From 0a87ccd3699983645f54cafd2258514a716b20b8 Mon Sep 17 00:00:00 2001 +From: Tyrel Datwyler +Date: Sun, 10 Nov 2019 23:21:37 -0600 +Subject: powerpc/pseries: Enable support for ibm,drc-info property + +From: Tyrel Datwyler + +commit 0a87ccd3699983645f54cafd2258514a716b20b8 upstream. + +Advertise client support for the PAPR architected ibm,drc-info device +tree property during CAS handshake. + +Fixes: c7a3275e0f9e ("powerpc/pseries: Revert support for ibm,drc-info devtree property") +Signed-off-by: Tyrel Datwyler +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/1573449697-5448-11-git-send-email-tyreld@linux.ibm.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kernel/prom_init.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/powerpc/kernel/prom_init.c ++++ b/arch/powerpc/kernel/prom_init.c +@@ -1053,7 +1053,7 @@ static const struct ibm_arch_vec ibm_arc + .reserved2 = 0, + .reserved3 = 0, + .subprocessors = 1, +- .byte22 = OV5_FEAT(OV5_DRMEM_V2), ++ .byte22 = OV5_FEAT(OV5_DRMEM_V2) | OV5_FEAT(OV5_DRC_INFO), + .intarch = 0, + .mmu = 0, + .hash_ext = 0, diff --git a/queue-5.4/powerpc-security-fix-debugfs-data-leak-on-32-bit.patch b/queue-5.4/powerpc-security-fix-debugfs-data-leak-on-32-bit.patch new file mode 100644 index 00000000000..b8a4bfda253 --- /dev/null +++ b/queue-5.4/powerpc-security-fix-debugfs-data-leak-on-32-bit.patch @@ -0,0 +1,83 @@ +From 3b05a1e517e1a8cfda4866ec31d28b2bc4fee4c4 Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven +Date: Mon, 21 Oct 2019 16:23:09 +0200 +Subject: powerpc/security: Fix debugfs data leak on 32-bit + +From: Geert Uytterhoeven + +commit 3b05a1e517e1a8cfda4866ec31d28b2bc4fee4c4 upstream. + +"powerpc_security_features" is "unsigned long", i.e. 32-bit or 64-bit, +depending on the platform (PPC_FSL_BOOK3E or PPC_BOOK3S_64). Hence +casting its address to "u64 *", and calling debugfs_create_x64() is +wrong, and leaks 32-bit of nearby data to userspace on 32-bit platforms. + +While all currently defined SEC_FTR_* security feature flags fit in +32-bit, they all have "ULL" suffixes to make them 64-bit constants. +Hence fix the leak by changing the type of "powerpc_security_features" +(and the parameter types of its accessors) to "u64". This also allows +to drop the cast. + +Fixes: 398af571128fe75f ("powerpc/security: Show powerpc_security_features in debugfs") +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20191021142309.28105-1-geert+renesas@glider.be +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/include/asm/security_features.h | 8 ++++---- + arch/powerpc/kernel/security.c | 4 ++-- + 2 files changed, 6 insertions(+), 6 deletions(-) + +--- a/arch/powerpc/include/asm/security_features.h ++++ b/arch/powerpc/include/asm/security_features.h +@@ -9,7 +9,7 @@ + #define _ASM_POWERPC_SECURITY_FEATURES_H + + +-extern unsigned long powerpc_security_features; ++extern u64 powerpc_security_features; + extern bool rfi_flush; + + /* These are bit flags */ +@@ -24,17 +24,17 @@ void setup_stf_barrier(void); + void do_stf_barrier_fixups(enum stf_barrier_type types); + void setup_count_cache_flush(void); + +-static inline void security_ftr_set(unsigned long feature) ++static inline void security_ftr_set(u64 feature) + { + powerpc_security_features |= feature; + } + +-static inline void security_ftr_clear(unsigned long feature) ++static inline void security_ftr_clear(u64 feature) + { + powerpc_security_features &= ~feature; + } + +-static inline bool security_ftr_enabled(unsigned long feature) ++static inline bool security_ftr_enabled(u64 feature) + { + return !!(powerpc_security_features & feature); + } +--- a/arch/powerpc/kernel/security.c ++++ b/arch/powerpc/kernel/security.c +@@ -16,7 +16,7 @@ + #include + + +-unsigned long powerpc_security_features __read_mostly = SEC_FTR_DEFAULT; ++u64 powerpc_security_features __read_mostly = SEC_FTR_DEFAULT; + + enum count_cache_flush_type { + COUNT_CACHE_FLUSH_NONE = 0x1, +@@ -109,7 +109,7 @@ device_initcall(barrier_nospec_debugfs_i + static __init int security_feature_debugfs_init(void) + { + debugfs_create_x64("security_features", 0400, powerpc_debugfs_root, +- (u64 *)&powerpc_security_features); ++ &powerpc_security_features); + return 0; + } + device_initcall(security_feature_debugfs_init); diff --git a/queue-5.4/samples-bpf-fix-broken-xdp_rxq_info-due-to-map-order-assumptions.patch b/queue-5.4/samples-bpf-fix-broken-xdp_rxq_info-due-to-map-order-assumptions.patch new file mode 100644 index 00000000000..6ba846079ed --- /dev/null +++ b/queue-5.4/samples-bpf-fix-broken-xdp_rxq_info-due-to-map-order-assumptions.patch @@ -0,0 +1,62 @@ +From edbca120a8cdfa5a5793707e33497aa5185875ca Mon Sep 17 00:00:00 2001 +From: Jesper Dangaard Brouer +Date: Mon, 2 Dec 2019 13:37:31 +0100 +Subject: samples/bpf: Fix broken xdp_rxq_info due to map order assumptions +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jesper Dangaard Brouer + +commit edbca120a8cdfa5a5793707e33497aa5185875ca upstream. + +In the days of using bpf_load.c the order in which the 'maps' sections +were defines in BPF side (*_kern.c) file, were used by userspace side +to identify the map via using the map order as an index. In effect the +order-index is created based on the order the maps sections are stored +in the ELF-object file, by the LLVM compiler. + +This have also carried over in libbpf via API bpf_map__next(NULL, obj) +to extract maps in the order libbpf parsed the ELF-object file. + +When BTF based maps were introduced a new section type ".maps" were +created. I found that the LLVM compiler doesn't create the ".maps" +sections in the order they are defined in the C-file. The order in the +ELF file is based on the order the map pointer is referenced in the code. + +This combination of changes lead to xdp_rxq_info mixing up the map +file-descriptors in userspace, resulting in very broken behaviour, but +without warning the user. + +This patch fix issue by instead using bpf_object__find_map_by_name() +to find maps via their names. (Note, this is the ELF name, which can +be longer than the name the kernel retains). + +Fixes: be5bca44aa6b ("samples: bpf: convert some XDP samples from bpf_load to libbpf") +Fixes: 451d1dc886b5 ("samples: bpf: update map definition to new syntax BTF-defined map") +Signed-off-by: Jesper Dangaard Brouer +Signed-off-by: Alexei Starovoitov +Acked-by: Toke Høiland-Jørgensen +Acked-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/157529025128.29832.5953245340679936909.stgit@firesoul +Signed-off-by: Greg Kroah-Hartman + +--- + samples/bpf/xdp_rxq_info_user.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/samples/bpf/xdp_rxq_info_user.c ++++ b/samples/bpf/xdp_rxq_info_user.c +@@ -489,9 +489,9 @@ int main(int argc, char **argv) + if (bpf_prog_load_xattr(&prog_load_attr, &obj, &prog_fd)) + return EXIT_FAIL; + +- map = bpf_map__next(NULL, obj); +- stats_global_map = bpf_map__next(map, obj); +- rx_queue_index_map = bpf_map__next(stats_global_map, obj); ++ map = bpf_object__find_map_by_name(obj, "config_map"); ++ stats_global_map = bpf_object__find_map_by_name(obj, "stats_global_map"); ++ rx_queue_index_map = bpf_object__find_map_by_name(obj, "rx_queue_index_map"); + if (!map || !stats_global_map || !rx_queue_index_map) { + printf("finding a map in obj file failed\n"); + return EXIT_FAIL; diff --git a/queue-5.4/samples-bpf-update-map-definition-to-new-syntax-btf-defined-map.patch b/queue-5.4/samples-bpf-update-map-definition-to-new-syntax-btf-defined-map.patch new file mode 100644 index 00000000000..2d46e706d90 --- /dev/null +++ b/queue-5.4/samples-bpf-update-map-definition-to-new-syntax-btf-defined-map.patch @@ -0,0 +1,553 @@ +From 451d1dc886b548d6e18c933adca326c1307023c9 Mon Sep 17 00:00:00 2001 +From: "Daniel T. Lee" +Date: Thu, 7 Nov 2019 09:51:53 +0900 +Subject: samples: bpf: update map definition to new syntax BTF-defined map + +From: Daniel T. Lee + +commit 451d1dc886b548d6e18c933adca326c1307023c9 upstream. + +Since, the new syntax of BTF-defined map has been introduced, +the syntax for using maps under samples directory are mixed up. +For example, some are already using the new syntax, and some are using +existing syntax by calling them as 'legacy'. + +As stated at commit abd29c931459 ("libbpf: allow specifying map +definitions using BTF"), the BTF-defined map has more compatablility +with extending supported map definition features. + +The commit doesn't replace all of the map to new BTF-defined map, +because some of the samples still use bpf_load instead of libbpf, which +can't properly create BTF-defined map. + +This will only updates the samples which uses libbpf API for loading bpf +program. (ex. bpf_prog_load_xattr) + +Signed-off-by: Daniel T. Lee +Acked-by: Andrii Nakryiko +Signed-off-by: Alexei Starovoitov +Signed-off-by: Greg Kroah-Hartman + +--- + samples/bpf/sockex1_kern.c | 12 ++-- + samples/bpf/sockex2_kern.c | 12 ++-- + samples/bpf/xdp1_kern.c | 12 ++-- + samples/bpf/xdp2_kern.c | 12 ++-- + samples/bpf/xdp_adjust_tail_kern.c | 12 ++-- + samples/bpf/xdp_fwd_kern.c | 13 ++-- + samples/bpf/xdp_redirect_cpu_kern.c | 108 ++++++++++++++++++------------------ + samples/bpf/xdp_redirect_kern.c | 24 ++++---- + samples/bpf/xdp_redirect_map_kern.c | 24 ++++---- + samples/bpf/xdp_router_ipv4_kern.c | 64 ++++++++++----------- + samples/bpf/xdp_rxq_info_kern.c | 37 ++++++------ + samples/bpf/xdp_tx_iptunnel_kern.c | 24 ++++---- + 12 files changed, 177 insertions(+), 177 deletions(-) + +--- a/samples/bpf/sockex1_kern.c ++++ b/samples/bpf/sockex1_kern.c +@@ -4,12 +4,12 @@ + #include + #include "bpf_helpers.h" + +-struct bpf_map_def SEC("maps") my_map = { +- .type = BPF_MAP_TYPE_ARRAY, +- .key_size = sizeof(u32), +- .value_size = sizeof(long), +- .max_entries = 256, +-}; ++struct { ++ __uint(type, BPF_MAP_TYPE_ARRAY); ++ __type(key, u32); ++ __type(value, long); ++ __uint(max_entries, 256); ++} my_map SEC(".maps"); + + SEC("socket1") + int bpf_prog1(struct __sk_buff *skb) +--- a/samples/bpf/sockex2_kern.c ++++ b/samples/bpf/sockex2_kern.c +@@ -189,12 +189,12 @@ struct pair { + long bytes; + }; + +-struct bpf_map_def SEC("maps") hash_map = { +- .type = BPF_MAP_TYPE_HASH, +- .key_size = sizeof(__be32), +- .value_size = sizeof(struct pair), +- .max_entries = 1024, +-}; ++struct { ++ __uint(type, BPF_MAP_TYPE_HASH); ++ __type(key, __be32); ++ __type(value, struct pair); ++ __uint(max_entries, 1024); ++} hash_map SEC(".maps"); + + SEC("socket2") + int bpf_prog2(struct __sk_buff *skb) +--- a/samples/bpf/xdp1_kern.c ++++ b/samples/bpf/xdp1_kern.c +@@ -14,12 +14,12 @@ + #include + #include "bpf_helpers.h" + +-struct bpf_map_def SEC("maps") rxcnt = { +- .type = BPF_MAP_TYPE_PERCPU_ARRAY, +- .key_size = sizeof(u32), +- .value_size = sizeof(long), +- .max_entries = 256, +-}; ++struct { ++ __uint(type, BPF_MAP_TYPE_PERCPU_ARRAY); ++ __type(key, u32); ++ __type(value, long); ++ __uint(max_entries, 256); ++} rxcnt SEC(".maps"); + + static int parse_ipv4(void *data, u64 nh_off, void *data_end) + { +--- a/samples/bpf/xdp2_kern.c ++++ b/samples/bpf/xdp2_kern.c +@@ -14,12 +14,12 @@ + #include + #include "bpf_helpers.h" + +-struct bpf_map_def SEC("maps") rxcnt = { +- .type = BPF_MAP_TYPE_PERCPU_ARRAY, +- .key_size = sizeof(u32), +- .value_size = sizeof(long), +- .max_entries = 256, +-}; ++struct { ++ __uint(type, BPF_MAP_TYPE_PERCPU_ARRAY); ++ __type(key, u32); ++ __type(value, long); ++ __uint(max_entries, 256); ++} rxcnt SEC(".maps"); + + static void swap_src_dst_mac(void *data) + { +--- a/samples/bpf/xdp_adjust_tail_kern.c ++++ b/samples/bpf/xdp_adjust_tail_kern.c +@@ -25,12 +25,12 @@ + #define ICMP_TOOBIG_SIZE 98 + #define ICMP_TOOBIG_PAYLOAD_SIZE 92 + +-struct bpf_map_def SEC("maps") icmpcnt = { +- .type = BPF_MAP_TYPE_ARRAY, +- .key_size = sizeof(__u32), +- .value_size = sizeof(__u64), +- .max_entries = 1, +-}; ++struct { ++ __uint(type, BPF_MAP_TYPE_ARRAY); ++ __type(key, __u32); ++ __type(value, __u64); ++ __uint(max_entries, 1); ++} icmpcnt SEC(".maps"); + + static __always_inline void count_icmp(void) + { +--- a/samples/bpf/xdp_fwd_kern.c ++++ b/samples/bpf/xdp_fwd_kern.c +@@ -23,13 +23,12 @@ + + #define IPV6_FLOWINFO_MASK cpu_to_be32(0x0FFFFFFF) + +-/* For TX-traffic redirect requires net_device ifindex to be in this devmap */ +-struct bpf_map_def SEC("maps") xdp_tx_ports = { +- .type = BPF_MAP_TYPE_DEVMAP, +- .key_size = sizeof(int), +- .value_size = sizeof(int), +- .max_entries = 64, +-}; ++struct { ++ __uint(type, BPF_MAP_TYPE_DEVMAP); ++ __uint(key_size, sizeof(int)); ++ __uint(value_size, sizeof(int)); ++ __uint(max_entries, 64); ++} xdp_tx_ports SEC(".maps"); + + /* from include/net/ip.h */ + static __always_inline int ip_decrease_ttl(struct iphdr *iph) +--- a/samples/bpf/xdp_redirect_cpu_kern.c ++++ b/samples/bpf/xdp_redirect_cpu_kern.c +@@ -18,12 +18,12 @@ + #define MAX_CPUS 64 /* WARNING - sync with _user.c */ + + /* Special map type that can XDP_REDIRECT frames to another CPU */ +-struct bpf_map_def SEC("maps") cpu_map = { +- .type = BPF_MAP_TYPE_CPUMAP, +- .key_size = sizeof(u32), +- .value_size = sizeof(u32), +- .max_entries = MAX_CPUS, +-}; ++struct { ++ __uint(type, BPF_MAP_TYPE_CPUMAP); ++ __uint(key_size, sizeof(u32)); ++ __uint(value_size, sizeof(u32)); ++ __uint(max_entries, MAX_CPUS); ++} cpu_map SEC(".maps"); + + /* Common stats data record to keep userspace more simple */ + struct datarec { +@@ -35,67 +35,67 @@ struct datarec { + /* Count RX packets, as XDP bpf_prog doesn't get direct TX-success + * feedback. Redirect TX errors can be caught via a tracepoint. + */ +-struct bpf_map_def SEC("maps") rx_cnt = { +- .type = BPF_MAP_TYPE_PERCPU_ARRAY, +- .key_size = sizeof(u32), +- .value_size = sizeof(struct datarec), +- .max_entries = 1, +-}; ++struct { ++ __uint(type, BPF_MAP_TYPE_PERCPU_ARRAY); ++ __type(key, u32); ++ __type(value, struct datarec); ++ __uint(max_entries, 1); ++} rx_cnt SEC(".maps"); + + /* Used by trace point */ +-struct bpf_map_def SEC("maps") redirect_err_cnt = { +- .type = BPF_MAP_TYPE_PERCPU_ARRAY, +- .key_size = sizeof(u32), +- .value_size = sizeof(struct datarec), +- .max_entries = 2, ++struct { ++ __uint(type, BPF_MAP_TYPE_PERCPU_ARRAY); ++ __type(key, u32); ++ __type(value, struct datarec); ++ __uint(max_entries, 2); + /* TODO: have entries for all possible errno's */ +-}; ++} redirect_err_cnt SEC(".maps"); + + /* Used by trace point */ +-struct bpf_map_def SEC("maps") cpumap_enqueue_cnt = { +- .type = BPF_MAP_TYPE_PERCPU_ARRAY, +- .key_size = sizeof(u32), +- .value_size = sizeof(struct datarec), +- .max_entries = MAX_CPUS, +-}; ++struct { ++ __uint(type, BPF_MAP_TYPE_PERCPU_ARRAY); ++ __type(key, u32); ++ __type(value, struct datarec); ++ __uint(max_entries, MAX_CPUS); ++} cpumap_enqueue_cnt SEC(".maps"); + + /* Used by trace point */ +-struct bpf_map_def SEC("maps") cpumap_kthread_cnt = { +- .type = BPF_MAP_TYPE_PERCPU_ARRAY, +- .key_size = sizeof(u32), +- .value_size = sizeof(struct datarec), +- .max_entries = 1, +-}; ++struct { ++ __uint(type, BPF_MAP_TYPE_PERCPU_ARRAY); ++ __type(key, u32); ++ __type(value, struct datarec); ++ __uint(max_entries, 1); ++} cpumap_kthread_cnt SEC(".maps"); + + /* Set of maps controlling available CPU, and for iterating through + * selectable redirect CPUs. + */ +-struct bpf_map_def SEC("maps") cpus_available = { +- .type = BPF_MAP_TYPE_ARRAY, +- .key_size = sizeof(u32), +- .value_size = sizeof(u32), +- .max_entries = MAX_CPUS, +-}; +-struct bpf_map_def SEC("maps") cpus_count = { +- .type = BPF_MAP_TYPE_ARRAY, +- .key_size = sizeof(u32), +- .value_size = sizeof(u32), +- .max_entries = 1, +-}; +-struct bpf_map_def SEC("maps") cpus_iterator = { +- .type = BPF_MAP_TYPE_PERCPU_ARRAY, +- .key_size = sizeof(u32), +- .value_size = sizeof(u32), +- .max_entries = 1, +-}; ++struct { ++ __uint(type, BPF_MAP_TYPE_ARRAY); ++ __type(key, u32); ++ __type(value, u32); ++ __uint(max_entries, MAX_CPUS); ++} cpus_available SEC(".maps"); ++struct { ++ __uint(type, BPF_MAP_TYPE_ARRAY); ++ __type(key, u32); ++ __type(value, u32); ++ __uint(max_entries, 1); ++} cpus_count SEC(".maps"); ++struct { ++ __uint(type, BPF_MAP_TYPE_PERCPU_ARRAY); ++ __type(key, u32); ++ __type(value, u32); ++ __uint(max_entries, 1); ++} cpus_iterator SEC(".maps"); + + /* Used by trace point */ +-struct bpf_map_def SEC("maps") exception_cnt = { +- .type = BPF_MAP_TYPE_PERCPU_ARRAY, +- .key_size = sizeof(u32), +- .value_size = sizeof(struct datarec), +- .max_entries = 1, +-}; ++struct { ++ __uint(type, BPF_MAP_TYPE_PERCPU_ARRAY); ++ __type(key, u32); ++ __type(value, struct datarec); ++ __uint(max_entries, 1); ++} exception_cnt SEC(".maps"); + + /* Helper parse functions */ + +--- a/samples/bpf/xdp_redirect_kern.c ++++ b/samples/bpf/xdp_redirect_kern.c +@@ -19,22 +19,22 @@ + #include + #include "bpf_helpers.h" + +-struct bpf_map_def SEC("maps") tx_port = { +- .type = BPF_MAP_TYPE_ARRAY, +- .key_size = sizeof(int), +- .value_size = sizeof(int), +- .max_entries = 1, +-}; ++struct { ++ __uint(type, BPF_MAP_TYPE_ARRAY); ++ __type(key, int); ++ __type(value, int); ++ __uint(max_entries, 1); ++} tx_port SEC(".maps"); + + /* Count RX packets, as XDP bpf_prog doesn't get direct TX-success + * feedback. Redirect TX errors can be caught via a tracepoint. + */ +-struct bpf_map_def SEC("maps") rxcnt = { +- .type = BPF_MAP_TYPE_PERCPU_ARRAY, +- .key_size = sizeof(u32), +- .value_size = sizeof(long), +- .max_entries = 1, +-}; ++struct { ++ __uint(type, BPF_MAP_TYPE_PERCPU_ARRAY); ++ __type(key, u32); ++ __type(value, long); ++ __uint(max_entries, 1); ++} rxcnt SEC(".maps"); + + static void swap_src_dst_mac(void *data) + { +--- a/samples/bpf/xdp_redirect_map_kern.c ++++ b/samples/bpf/xdp_redirect_map_kern.c +@@ -19,22 +19,22 @@ + #include + #include "bpf_helpers.h" + +-struct bpf_map_def SEC("maps") tx_port = { +- .type = BPF_MAP_TYPE_DEVMAP, +- .key_size = sizeof(int), +- .value_size = sizeof(int), +- .max_entries = 100, +-}; ++struct { ++ __uint(type, BPF_MAP_TYPE_DEVMAP); ++ __uint(key_size, sizeof(int)); ++ __uint(value_size, sizeof(int)); ++ __uint(max_entries, 100); ++} tx_port SEC(".maps"); + + /* Count RX packets, as XDP bpf_prog doesn't get direct TX-success + * feedback. Redirect TX errors can be caught via a tracepoint. + */ +-struct bpf_map_def SEC("maps") rxcnt = { +- .type = BPF_MAP_TYPE_PERCPU_ARRAY, +- .key_size = sizeof(u32), +- .value_size = sizeof(long), +- .max_entries = 1, +-}; ++struct { ++ __uint(type, BPF_MAP_TYPE_PERCPU_ARRAY); ++ __type(key, u32); ++ __type(value, long); ++ __uint(max_entries, 1); ++} rxcnt SEC(".maps"); + + static void swap_src_dst_mac(void *data) + { +--- a/samples/bpf/xdp_router_ipv4_kern.c ++++ b/samples/bpf/xdp_router_ipv4_kern.c +@@ -42,44 +42,44 @@ struct direct_map { + }; + + /* Map for trie implementation*/ +-struct bpf_map_def SEC("maps") lpm_map = { +- .type = BPF_MAP_TYPE_LPM_TRIE, +- .key_size = 8, +- .value_size = sizeof(struct trie_value), +- .max_entries = 50, +- .map_flags = BPF_F_NO_PREALLOC, +-}; ++struct { ++ __uint(type, BPF_MAP_TYPE_LPM_TRIE); ++ __uint(key_size, 8); ++ __uint(value_size, sizeof(struct trie_value)); ++ __uint(max_entries, 50); ++ __uint(map_flags, BPF_F_NO_PREALLOC); ++} lpm_map SEC(".maps"); + + /* Map for counter*/ +-struct bpf_map_def SEC("maps") rxcnt = { +- .type = BPF_MAP_TYPE_PERCPU_ARRAY, +- .key_size = sizeof(u32), +- .value_size = sizeof(u64), +- .max_entries = 256, +-}; ++struct { ++ __uint(type, BPF_MAP_TYPE_PERCPU_ARRAY); ++ __type(key, u32); ++ __type(value, u64); ++ __uint(max_entries, 256); ++} rxcnt SEC(".maps"); + + /* Map for ARP table*/ +-struct bpf_map_def SEC("maps") arp_table = { +- .type = BPF_MAP_TYPE_HASH, +- .key_size = sizeof(__be32), +- .value_size = sizeof(__be64), +- .max_entries = 50, +-}; ++struct { ++ __uint(type, BPF_MAP_TYPE_HASH); ++ __type(key, __be32); ++ __type(value, __be64); ++ __uint(max_entries, 50); ++} arp_table SEC(".maps"); + + /* Map to keep the exact match entries in the route table*/ +-struct bpf_map_def SEC("maps") exact_match = { +- .type = BPF_MAP_TYPE_HASH, +- .key_size = sizeof(__be32), +- .value_size = sizeof(struct direct_map), +- .max_entries = 50, +-}; +- +-struct bpf_map_def SEC("maps") tx_port = { +- .type = BPF_MAP_TYPE_DEVMAP, +- .key_size = sizeof(int), +- .value_size = sizeof(int), +- .max_entries = 100, +-}; ++struct { ++ __uint(type, BPF_MAP_TYPE_HASH); ++ __type(key, __be32); ++ __type(value, struct direct_map); ++ __uint(max_entries, 50); ++} exact_match SEC(".maps"); ++ ++struct { ++ __uint(type, BPF_MAP_TYPE_DEVMAP); ++ __uint(key_size, sizeof(int)); ++ __uint(value_size, sizeof(int)); ++ __uint(max_entries, 100); ++} tx_port SEC(".maps"); + + /* Function to set source and destination mac of the packet */ + static inline void set_src_dst_mac(void *data, void *src, void *dst) +--- a/samples/bpf/xdp_rxq_info_kern.c ++++ b/samples/bpf/xdp_rxq_info_kern.c +@@ -23,12 +23,13 @@ enum cfg_options_flags { + READ_MEM = 0x1U, + SWAP_MAC = 0x2U, + }; +-struct bpf_map_def SEC("maps") config_map = { +- .type = BPF_MAP_TYPE_ARRAY, +- .key_size = sizeof(int), +- .value_size = sizeof(struct config), +- .max_entries = 1, +-}; ++ ++struct { ++ __uint(type, BPF_MAP_TYPE_ARRAY); ++ __type(key, int); ++ __type(value, struct config); ++ __uint(max_entries, 1); ++} config_map SEC(".maps"); + + /* Common stats data record (shared with userspace) */ + struct datarec { +@@ -36,22 +37,22 @@ struct datarec { + __u64 issue; + }; + +-struct bpf_map_def SEC("maps") stats_global_map = { +- .type = BPF_MAP_TYPE_PERCPU_ARRAY, +- .key_size = sizeof(u32), +- .value_size = sizeof(struct datarec), +- .max_entries = 1, +-}; ++struct { ++ __uint(type, BPF_MAP_TYPE_PERCPU_ARRAY); ++ __type(key, u32); ++ __type(value, struct datarec); ++ __uint(max_entries, 1); ++} stats_global_map SEC(".maps"); + + #define MAX_RXQs 64 + + /* Stats per rx_queue_index (per CPU) */ +-struct bpf_map_def SEC("maps") rx_queue_index_map = { +- .type = BPF_MAP_TYPE_PERCPU_ARRAY, +- .key_size = sizeof(u32), +- .value_size = sizeof(struct datarec), +- .max_entries = MAX_RXQs + 1, +-}; ++struct { ++ __uint(type, BPF_MAP_TYPE_PERCPU_ARRAY); ++ __type(key, u32); ++ __type(value, struct datarec); ++ __uint(max_entries, MAX_RXQs + 1); ++} rx_queue_index_map SEC(".maps"); + + static __always_inline + void swap_src_dst_mac(void *data) +--- a/samples/bpf/xdp_tx_iptunnel_kern.c ++++ b/samples/bpf/xdp_tx_iptunnel_kern.c +@@ -19,19 +19,19 @@ + #include "bpf_helpers.h" + #include "xdp_tx_iptunnel_common.h" + +-struct bpf_map_def SEC("maps") rxcnt = { +- .type = BPF_MAP_TYPE_PERCPU_ARRAY, +- .key_size = sizeof(__u32), +- .value_size = sizeof(__u64), +- .max_entries = 256, +-}; ++struct { ++ __uint(type, BPF_MAP_TYPE_PERCPU_ARRAY); ++ __type(key, __u32); ++ __type(value, __u64); ++ __uint(max_entries, 256); ++} rxcnt SEC(".maps"); + +-struct bpf_map_def SEC("maps") vip2tnl = { +- .type = BPF_MAP_TYPE_HASH, +- .key_size = sizeof(struct vip), +- .value_size = sizeof(struct iptnl_info), +- .max_entries = MAX_IPTNL_ENTRIES, +-}; ++struct { ++ __uint(type, BPF_MAP_TYPE_HASH); ++ __type(key, struct vip); ++ __type(value, struct iptnl_info); ++ __uint(max_entries, MAX_IPTNL_ENTRIES); ++} vip2tnl SEC(".maps"); + + static __always_inline void count_tx(u32 protocol) + { diff --git a/queue-5.4/series b/queue-5.4/series index f319567864e..eb40c47d7c9 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -1 +1,34 @@ drm-i915-fix-pid-leak-with-banned-clients.patch +libbpf-fix-compatibility-for-kernels-without-need_wakeup.patch +libbpf-fix-memory-leak-double-free-issue.patch +libbpf-fix-potential-overflow-issue.patch +libbpf-fix-another-potential-overflow-issue-in-bpf_prog_linfo.patch +libbpf-make-btf__resolve_size-logic-always-check-size-error-condition.patch +libbpf-fix-call-relocation-offset-calculation-bug.patch +bpf-force-.btf-section-start-to-zero-when-dumping-from-vmlinux.patch +samples-bpf-update-map-definition-to-new-syntax-btf-defined-map.patch +samples-bpf-fix-broken-xdp_rxq_info-due-to-map-order-assumptions.patch +arm-dts-logicpd-torpedo-37xx-devkit-28-reference-new-drm-panel.patch +arm-omap2-add-missing-put_device-call-in-omapdss_init_of.patch +xfs-sanity-check-flags-of-q_xquotarm-call.patch +i2c-stm32f7-rework-slave_id-allocation.patch +i2c-i2c-stm32f7-fix-10-bits-check-in-slave-free-id-search-loop.patch +mfd-intel-lpss-add-default-i2c-device-properties-for-gemini-lake.patch +sunrpc-fix-svcauth_gss_proxy_init.patch +sunrpc-fix-backchannel-latency-metrics.patch +powerpc-security-fix-debugfs-data-leak-on-32-bit.patch +powerpc-pseries-enable-support-for-ibm-drc-info-property.patch +powerpc-kasan-fix-boot-failure-with-relocatable-fsl_booke.patch +powerpc-archrandom-fix-arch_get_random_seed_int.patch +tipc-reduce-sensitive-to-retransmit-failures.patch +tipc-update-mon-s-self-addr-when-node-addr-generated.patch +tipc-fix-potential-memory-leak-in-__tipc_sendmsg.patch +tipc-fix-wrong-socket-reference-counter-after-tipc_sk_timeout-returns.patch +tipc-fix-wrong-timeout-input-for-tipc_wait_for_cond.patch +net-mlx5e-fix-free-peer_flow-when-refcount-is-0.patch +phy-lantiq-vrx200-pcie-fix-error-return-code-in-ltq_vrx200_pcie_phy_power_on.patch +net-phy-broadcom-fix-rgmii-delays-configuration-for-bcm54210e.patch +phy-ti-gmii-sel-fix-mac-tx-internal-delay-for-rgmii-rxid.patch +mt76-mt76u-fix-endpoint-definition-order.patch +mt7601u-fix-bbp-version-check-in-mt7601u_wait_bbp_ready.patch +ice-fix-stack-leakage.patch diff --git a/queue-5.4/sunrpc-fix-backchannel-latency-metrics.patch b/queue-5.4/sunrpc-fix-backchannel-latency-metrics.patch new file mode 100644 index 00000000000..60c3b28d23d --- /dev/null +++ b/queue-5.4/sunrpc-fix-backchannel-latency-metrics.patch @@ -0,0 +1,52 @@ +From 8729aaba74626c4ebce3abf1b9e96bb62d2958ca Mon Sep 17 00:00:00 2001 +From: Chuck Lever +Date: Wed, 20 Nov 2019 16:25:46 -0500 +Subject: SUNRPC: Fix backchannel latency metrics + +From: Chuck Lever + +commit 8729aaba74626c4ebce3abf1b9e96bb62d2958ca upstream. + +I noticed that for callback requests, the reported backlog latency +is always zero, and the rtt value is crazy big. The problem was that +rqst->rq_xtime is never set for backchannel requests. + +Fixes: 78215759e20d ("SUNRPC: Make RTT measurement more ... ") +Signed-off-by: Chuck Lever +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + net/sunrpc/xprtrdma/svc_rdma_backchannel.c | 1 + + net/sunrpc/xprtsock.c | 3 ++- + 2 files changed, 3 insertions(+), 1 deletion(-) + +--- a/net/sunrpc/xprtrdma/svc_rdma_backchannel.c ++++ b/net/sunrpc/xprtrdma/svc_rdma_backchannel.c +@@ -195,6 +195,7 @@ rpcrdma_bc_send_request(struct svcxprt_r + pr_info("%s: %*ph\n", __func__, 64, rqst->rq_buffer); + #endif + ++ rqst->rq_xtime = ktime_get(); + rc = svc_rdma_bc_sendto(rdma, rqst, ctxt); + if (rc) { + svc_rdma_send_ctxt_put(rdma, ctxt); +--- a/net/sunrpc/xprtsock.c ++++ b/net/sunrpc/xprtsock.c +@@ -2659,6 +2659,8 @@ static int bc_sendto(struct rpc_rqst *re + .iov_len = sizeof(marker), + }; + ++ req->rq_xtime = ktime_get(); ++ + len = kernel_sendmsg(transport->sock, &msg, &iov, 1, iov.iov_len); + if (len != iov.iov_len) + return -EAGAIN; +@@ -2684,7 +2686,6 @@ static int bc_send_request(struct rpc_rq + struct svc_xprt *xprt; + int len; + +- dprintk("sending request with xid: %08x\n", ntohl(req->rq_xid)); + /* + * Get the server socket associated with this callback xprt + */ diff --git a/queue-5.4/sunrpc-fix-svcauth_gss_proxy_init.patch b/queue-5.4/sunrpc-fix-svcauth_gss_proxy_init.patch new file mode 100644 index 00000000000..e66891d8164 --- /dev/null +++ b/queue-5.4/sunrpc-fix-svcauth_gss_proxy_init.patch @@ -0,0 +1,167 @@ +From 5866efa8cbfbadf3905072798e96652faf02dbe8 Mon Sep 17 00:00:00 2001 +From: Chuck Lever +Date: Thu, 24 Oct 2019 09:34:16 -0400 +Subject: SUNRPC: Fix svcauth_gss_proxy_init() + +From: Chuck Lever + +commit 5866efa8cbfbadf3905072798e96652faf02dbe8 upstream. + +gss_read_proxy_verf() assumes things about the XDR buffer containing +the RPC Call that are not true for buffers generated by +svc_rdma_recv(). + +RDMA's buffers look more like what the upper layer generates for +sending: head is a kmalloc'd buffer; it does not point to a page +whose contents are contiguous with the first page in the buffers' +page array. The result is that ACCEPT_SEC_CONTEXT via RPC/RDMA has +stopped working on Linux NFS servers that use gssproxy. + +This does not affect clients that use only TCP to send their +ACCEPT_SEC_CONTEXT operation (that's all Linux clients). Other +clients, like Solaris NFS clients, send ACCEPT_SEC_CONTEXT on the +same transport as they send all other NFS operations. Such clients +can send ACCEPT_SEC_CONTEXT via RPC/RDMA. + +I thought I had found every direct reference in the server RPC code +to the rqstp->rq_pages field. + +Bug found at the 2019 Westford NFS bake-a-thon. + +Fixes: 3316f0631139 ("svcrdma: Persistently allocate and DMA- ... ") +Signed-off-by: Chuck Lever +Tested-by: Bill Baker +Reviewed-by: Simo Sorce +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + net/sunrpc/auth_gss/svcauth_gss.c | 84 ++++++++++++++++++++++++++++---------- + 1 file changed, 63 insertions(+), 21 deletions(-) + +--- a/net/sunrpc/auth_gss/svcauth_gss.c ++++ b/net/sunrpc/auth_gss/svcauth_gss.c +@@ -1075,24 +1075,32 @@ gss_read_verf(struct rpc_gss_wire_cred * + return 0; + } + +-/* Ok this is really heavily depending on a set of semantics in +- * how rqstp is set up by svc_recv and pages laid down by the +- * server when reading a request. We are basically guaranteed that +- * the token lays all down linearly across a set of pages, starting +- * at iov_base in rq_arg.head[0] which happens to be the first of a +- * set of pages stored in rq_pages[]. +- * rq_arg.head[0].iov_base will provide us the page_base to pass +- * to the upcall. +- */ +-static inline int +-gss_read_proxy_verf(struct svc_rqst *rqstp, +- struct rpc_gss_wire_cred *gc, __be32 *authp, +- struct xdr_netobj *in_handle, +- struct gssp_in_token *in_token) ++static void gss_free_in_token_pages(struct gssp_in_token *in_token) + { +- struct kvec *argv = &rqstp->rq_arg.head[0]; + u32 inlen; +- int res; ++ int i; ++ ++ i = 0; ++ inlen = in_token->page_len; ++ while (inlen) { ++ if (in_token->pages[i]) ++ put_page(in_token->pages[i]); ++ inlen -= inlen > PAGE_SIZE ? PAGE_SIZE : inlen; ++ } ++ ++ kfree(in_token->pages); ++ in_token->pages = NULL; ++} ++ ++static int gss_read_proxy_verf(struct svc_rqst *rqstp, ++ struct rpc_gss_wire_cred *gc, __be32 *authp, ++ struct xdr_netobj *in_handle, ++ struct gssp_in_token *in_token) ++{ ++ struct kvec *argv = &rqstp->rq_arg.head[0]; ++ unsigned int page_base, length; ++ int pages, i, res; ++ size_t inlen; + + res = gss_read_common_verf(gc, argv, authp, in_handle); + if (res) +@@ -1102,10 +1110,36 @@ gss_read_proxy_verf(struct svc_rqst *rqs + if (inlen > (argv->iov_len + rqstp->rq_arg.page_len)) + return SVC_DENIED; + +- in_token->pages = rqstp->rq_pages; +- in_token->page_base = (ulong)argv->iov_base & ~PAGE_MASK; ++ pages = DIV_ROUND_UP(inlen, PAGE_SIZE); ++ in_token->pages = kcalloc(pages, sizeof(struct page *), GFP_KERNEL); ++ if (!in_token->pages) ++ return SVC_DENIED; ++ in_token->page_base = 0; + in_token->page_len = inlen; ++ for (i = 0; i < pages; i++) { ++ in_token->pages[i] = alloc_page(GFP_KERNEL); ++ if (!in_token->pages[i]) { ++ gss_free_in_token_pages(in_token); ++ return SVC_DENIED; ++ } ++ } + ++ length = min_t(unsigned int, inlen, argv->iov_len); ++ memcpy(page_address(in_token->pages[0]), argv->iov_base, length); ++ inlen -= length; ++ ++ i = 1; ++ page_base = rqstp->rq_arg.page_base; ++ while (inlen) { ++ length = min_t(unsigned int, inlen, PAGE_SIZE); ++ memcpy(page_address(in_token->pages[i]), ++ page_address(rqstp->rq_arg.pages[i]) + page_base, ++ length); ++ ++ inlen -= length; ++ page_base = 0; ++ i++; ++ } + return 0; + } + +@@ -1280,8 +1314,11 @@ static int svcauth_gss_proxy_init(struct + break; + case GSS_S_COMPLETE: + status = gss_proxy_save_rsc(sn->rsc_cache, &ud, &handle); +- if (status) ++ if (status) { ++ pr_info("%s: gss_proxy_save_rsc failed (%d)\n", ++ __func__, status); + goto out; ++ } + cli_handle.data = (u8 *)&handle; + cli_handle.len = sizeof(handle); + break; +@@ -1292,15 +1329,20 @@ static int svcauth_gss_proxy_init(struct + + /* Got an answer to the upcall; use it: */ + if (gss_write_init_verf(sn->rsc_cache, rqstp, +- &cli_handle, &ud.major_status)) ++ &cli_handle, &ud.major_status)) { ++ pr_info("%s: gss_write_init_verf failed\n", __func__); + goto out; ++ } + if (gss_write_resv(resv, PAGE_SIZE, + &cli_handle, &ud.out_token, +- ud.major_status, ud.minor_status)) ++ ud.major_status, ud.minor_status)) { ++ pr_info("%s: gss_write_resv failed\n", __func__); + goto out; ++ } + + ret = SVC_COMPLETE; + out: ++ gss_free_in_token_pages(&ud.in_token); + gssp_free_upcall_data(&ud); + return ret; + } diff --git a/queue-5.4/tipc-fix-potential-memory-leak-in-__tipc_sendmsg.patch b/queue-5.4/tipc-fix-potential-memory-leak-in-__tipc_sendmsg.patch new file mode 100644 index 00000000000..8954f2dfb2a --- /dev/null +++ b/queue-5.4/tipc-fix-potential-memory-leak-in-__tipc_sendmsg.patch @@ -0,0 +1,43 @@ +From 2fe97a578d7bad3116a89dc8a6692a51e6fc1d9c Mon Sep 17 00:00:00 2001 +From: Tung Nguyen +Date: Thu, 28 Nov 2019 10:10:05 +0700 +Subject: tipc: fix potential memory leak in __tipc_sendmsg() + +From: Tung Nguyen + +commit 2fe97a578d7bad3116a89dc8a6692a51e6fc1d9c upstream. + +When initiating a connection message to a server side, the connection +message is cloned and added to the socket write queue. However, if the +cloning is failed, only the socket write queue is purged. It causes +memory leak because the original connection message is not freed. + +This commit fixes it by purging the list of connection message when +it cannot be cloned. + +Fixes: 6787927475e5 ("tipc: buffer overflow handling in listener socket") +Reported-by: Hoang Le +Signed-off-by: Tung Nguyen +Acked-by: Ying Xue +Acked-by: Jon Maloy +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/tipc/socket.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/tipc/socket.c ++++ b/net/tipc/socket.c +@@ -1396,8 +1396,10 @@ static int __tipc_sendmsg(struct socket + rc = tipc_msg_build(hdr, m, 0, dlen, mtu, &pkts); + if (unlikely(rc != dlen)) + return rc; +- if (unlikely(syn && !tipc_msg_skb_clone(&pkts, &sk->sk_write_queue))) ++ if (unlikely(syn && !tipc_msg_skb_clone(&pkts, &sk->sk_write_queue))) { ++ __skb_queue_purge(&pkts); + return -ENOMEM; ++ } + + trace_tipc_sk_sendmsg(sk, skb_peek(&pkts), TIPC_DUMP_SK_SNDQ, " "); + rc = tipc_node_xmit(net, &pkts, dnode, tsk->portid); diff --git a/queue-5.4/tipc-fix-wrong-socket-reference-counter-after-tipc_sk_timeout-returns.patch b/queue-5.4/tipc-fix-wrong-socket-reference-counter-after-tipc_sk_timeout-returns.patch new file mode 100644 index 00000000000..8bf4551526b --- /dev/null +++ b/queue-5.4/tipc-fix-wrong-socket-reference-counter-after-tipc_sk_timeout-returns.patch @@ -0,0 +1,38 @@ +From 91a4a3eb433e4d786420c41f3c08d1d16c605962 Mon Sep 17 00:00:00 2001 +From: Tung Nguyen +Date: Thu, 28 Nov 2019 10:10:06 +0700 +Subject: tipc: fix wrong socket reference counter after tipc_sk_timeout() returns + +From: Tung Nguyen + +commit 91a4a3eb433e4d786420c41f3c08d1d16c605962 upstream. + +When tipc_sk_timeout() is executed but user space is grabbing +ownership, this function rearms itself and returns. However, the +socket reference counter is not reduced. This causes potential +unexpected behavior. + +This commit fixes it by calling sock_put() before tipc_sk_timeout() +returns in the above-mentioned case. + +Fixes: afe8792fec69 ("tipc: refactor function tipc_sk_timeout()") +Signed-off-by: Tung Nguyen +Acked-by: Ying Xue +Acked-by: Jon Maloy +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/tipc/socket.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/tipc/socket.c ++++ b/net/tipc/socket.c +@@ -2687,6 +2687,7 @@ static void tipc_sk_timeout(struct timer + if (sock_owned_by_user(sk)) { + sk_reset_timer(sk, &sk->sk_timer, jiffies + HZ / 20); + bh_unlock_sock(sk); ++ sock_put(sk); + return; + } + diff --git a/queue-5.4/tipc-fix-wrong-timeout-input-for-tipc_wait_for_cond.patch b/queue-5.4/tipc-fix-wrong-timeout-input-for-tipc_wait_for_cond.patch new file mode 100644 index 00000000000..54d98994aa5 --- /dev/null +++ b/queue-5.4/tipc-fix-wrong-timeout-input-for-tipc_wait_for_cond.patch @@ -0,0 +1,36 @@ +From 12db3c8083fcab4270866a88191933f2d9f24f89 Mon Sep 17 00:00:00 2001 +From: Tung Nguyen +Date: Thu, 28 Nov 2019 10:10:07 +0700 +Subject: tipc: fix wrong timeout input for tipc_wait_for_cond() + +From: Tung Nguyen + +commit 12db3c8083fcab4270866a88191933f2d9f24f89 upstream. + +In function __tipc_shutdown(), the timeout value passed to +tipc_wait_for_cond() is not jiffies. + +This commit fixes it by converting that value from milliseconds +to jiffies. + +Fixes: 365ad353c256 ("tipc: reduce risk of user starvation during link congestion") +Signed-off-by: Tung Nguyen +Acked-by: Jon Maloy +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/tipc/socket.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/tipc/socket.c ++++ b/net/tipc/socket.c +@@ -504,7 +504,7 @@ static void __tipc_shutdown(struct socke + struct sock *sk = sock->sk; + struct tipc_sock *tsk = tipc_sk(sk); + struct net *net = sock_net(sk); +- long timeout = CONN_TIMEOUT_DEFAULT; ++ long timeout = msecs_to_jiffies(CONN_TIMEOUT_DEFAULT); + u32 dnode = tsk_peer_node(tsk); + struct sk_buff *skb; + diff --git a/queue-5.4/tipc-reduce-sensitive-to-retransmit-failures.patch b/queue-5.4/tipc-reduce-sensitive-to-retransmit-failures.patch new file mode 100644 index 00000000000..141555b3383 --- /dev/null +++ b/queue-5.4/tipc-reduce-sensitive-to-retransmit-failures.patch @@ -0,0 +1,40 @@ +From 426071f1f3995d7e9603246bffdcbf344cd31719 Mon Sep 17 00:00:00 2001 +From: Hoang Le +Date: Wed, 6 Nov 2019 13:26:10 +0700 +Subject: tipc: reduce sensitive to retransmit failures + +From: Hoang Le + +commit 426071f1f3995d7e9603246bffdcbf344cd31719 upstream. + +With huge cluster (e.g >200nodes), the amount of that flow: +gap -> retransmit packet -> acked will take time in case of STATE_MSG +dropped/delayed because a lot of traffic. This lead to 1.5 sec tolerance +value criteria made link easy failure around 2nd, 3rd of failed +retransmission attempts. + +Instead of re-introduced criteria of 99 faled retransmissions to fix the +issue, we increase failure detection timer to ten times tolerance value. + +Fixes: 77cf8edbc0e7 ("tipc: simplify stale link failure criteria") +Acked-by: Jon Maloy +Signed-off-by: Hoang Le +Acked-by: Jon +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/tipc/link.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/tipc/link.c ++++ b/net/tipc/link.c +@@ -1084,7 +1084,7 @@ static bool link_retransmit_failure(stru + return false; + + if (!time_after(jiffies, TIPC_SKB_CB(skb)->retr_stamp + +- msecs_to_jiffies(r->tolerance))) ++ msecs_to_jiffies(r->tolerance * 10))) + return false; + + hdr = buf_msg(skb); diff --git a/queue-5.4/tipc-update-mon-s-self-addr-when-node-addr-generated.patch b/queue-5.4/tipc-update-mon-s-self-addr-when-node-addr-generated.patch new file mode 100644 index 00000000000..6b266552119 --- /dev/null +++ b/queue-5.4/tipc-update-mon-s-self-addr-when-node-addr-generated.patch @@ -0,0 +1,83 @@ +From 46cb01eeeb86fca6afe24dda1167b0cb95424e29 Mon Sep 17 00:00:00 2001 +From: Hoang Le +Date: Tue, 12 Nov 2019 07:40:04 +0700 +Subject: tipc: update mon's self addr when node addr generated + +From: Hoang Le + +commit 46cb01eeeb86fca6afe24dda1167b0cb95424e29 upstream. + +In commit 25b0b9c4e835 ("tipc: handle collisions of 32-bit node address +hash values"), the 32-bit node address only generated after one second +trial period expired. However the self's addr in struct tipc_monitor do +not update according to node address generated. This lead to it is +always zero as initial value. As result, sorting algorithm using this +value does not work as expected, neither neighbor monitoring framework. + +In this commit, we add a fix to update self's addr when 32-bit node +address generated. + +Fixes: 25b0b9c4e835 ("tipc: handle collisions of 32-bit node address hash values") +Acked-by: Jon Maloy +Signed-off-by: Hoang Le +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/tipc/monitor.c | 15 +++++++++++++++ + net/tipc/monitor.h | 1 + + net/tipc/net.c | 2 ++ + 3 files changed, 18 insertions(+) + +--- a/net/tipc/monitor.c ++++ b/net/tipc/monitor.c +@@ -665,6 +665,21 @@ void tipc_mon_delete(struct net *net, in + kfree(mon); + } + ++void tipc_mon_reinit_self(struct net *net) ++{ ++ struct tipc_monitor *mon; ++ int bearer_id; ++ ++ for (bearer_id = 0; bearer_id < MAX_BEARERS; bearer_id++) { ++ mon = tipc_monitor(net, bearer_id); ++ if (!mon) ++ continue; ++ write_lock_bh(&mon->lock); ++ mon->self->addr = tipc_own_addr(net); ++ write_unlock_bh(&mon->lock); ++ } ++} ++ + int tipc_nl_monitor_set_threshold(struct net *net, u32 cluster_size) + { + struct tipc_net *tn = tipc_net(net); +--- a/net/tipc/monitor.h ++++ b/net/tipc/monitor.h +@@ -77,6 +77,7 @@ int __tipc_nl_add_monitor(struct net *ne + u32 bearer_id); + int tipc_nl_add_monitor_peer(struct net *net, struct tipc_nl_msg *msg, + u32 bearer_id, u32 *prev_node); ++void tipc_mon_reinit_self(struct net *net); + + extern const int tipc_max_domain_size; + #endif +--- a/net/tipc/net.c ++++ b/net/tipc/net.c +@@ -42,6 +42,7 @@ + #include "node.h" + #include "bcast.h" + #include "netlink.h" ++#include "monitor.h" + + /* + * The TIPC locking policy is designed to ensure a very fine locking +@@ -136,6 +137,7 @@ static void tipc_net_finalize(struct net + tipc_set_node_addr(net, addr); + tipc_named_reinit(net); + tipc_sk_reinit(net); ++ tipc_mon_reinit_self(net); + tipc_nametbl_publish(net, TIPC_CFG_SRV, addr, addr, + TIPC_CLUSTER_SCOPE, 0, addr); + } diff --git a/queue-5.4/xfs-sanity-check-flags-of-q_xquotarm-call.patch b/queue-5.4/xfs-sanity-check-flags-of-q_xquotarm-call.patch new file mode 100644 index 00000000000..5fd470a18dd --- /dev/null +++ b/queue-5.4/xfs-sanity-check-flags-of-q_xquotarm-call.patch @@ -0,0 +1,36 @@ +From 3dd4d40b420846dd35869ccc8f8627feef2cff32 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Wed, 23 Oct 2019 17:00:45 -0700 +Subject: xfs: Sanity check flags of Q_XQUOTARM call + +From: Jan Kara + +commit 3dd4d40b420846dd35869ccc8f8627feef2cff32 upstream. + +Flags passed to Q_XQUOTARM were not sanity checked for invalid values. +Fix that. + +Fixes: 9da93f9b7cdf ("xfs: fix Q_XQUOTARM ioctl") +Reported-by: Yang Xu +Signed-off-by: Jan Kara +Reviewed-by: Eric Sandeen +Reviewed-by: Darrick J. Wong +Signed-off-by: Darrick J. Wong +Signed-off-by: Greg Kroah-Hartman + +--- + fs/xfs/xfs_quotaops.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/xfs/xfs_quotaops.c ++++ b/fs/xfs/xfs_quotaops.c +@@ -201,6 +201,9 @@ xfs_fs_rm_xquota( + if (XFS_IS_QUOTA_ON(mp)) + return -EINVAL; + ++ if (uflags & ~(FS_USER_QUOTA | FS_GROUP_QUOTA | FS_PROJ_QUOTA)) ++ return -EINVAL; ++ + if (uflags & FS_USER_QUOTA) + flags |= XFS_DQ_USER; + if (uflags & FS_GROUP_QUOTA)